这个工具实际在22年年初就写完了,现在才上传到Github,是因为目前的工作实际上大部分时间都在二线,以及以当前所掌握的知识没办法继续更新了,当然有一些零碎的点没有加到工具里,比如IAT导入表擦除等,后续如果学到了新的知识再来继续写下去。也希望有兴趣的同伴一起来改,比如用python/go等语言执行shellcode。
Input a raw file to bypass av and execute.
一个只需要提供shellcode文件的免杀框架,可输出exe/dll/ps1
编译需要mingw套件
usage:____ _ _ ____ _ ____ _____ ____ _ __/ ___\/ \ /|/ \/ __\/ \ /|/ __\/ __// _Y |/ /| \| |_||| || \/|| | ||| \/|| \ | / | /\___ || | ||| || __/| |/\||| /| /_ | \_| \\____/\_/ \|\_/\_/ \_/ \|\_/\_\\____\\____|_|\_\By: [email protected]王半仙Input a raw file to bypass av and execute.optional arguments: -h, --help show this help message and exit -f FILENAME, --filename FILENAME Provide a shellcode in raw format. -e ENCRYPTTYPE, --encryptType ENCRYPTTYPE Shellcode encryption method(e.g. b64, xor, aes, uuid, mac, ipv4, diy...) --alloc ALLOC Function for allocating memory(e.g. Virtualalloc, MapViewOfFile, malloc...) --callback CALLBACK Callback function used to execute your shellcode. --syscall Replace VirtualAlloc, the VritualProtect function is called by syscall.(Only x64) --bit BIT Is the shellcode 32-bit or 64-bit? Default is x64. (e.g. x86/x64) --script SCRIPT Generate binary file type. (e.g. cpp/dll) --obf Powershell file easyObf...-f FILENAME, --filename FILENAME Provide a shellcode in raw format.-e ENCRYPTTYPE, --encryptType ENCRYPTTYPEShellcode encryption method(e.g. b64,xor,aes,diy...)
Base64 Xor Aes Uuid Mac IPv4 DIY
默认申请内存为VirtualAllocExNuma,不可与syscall同用
申请内存方式参考Schrodinger-s-Cat,malloc,calloc,MapViewOfFile申请内存方式存在问题,有成功了的交流一下
--alloc ALLOC Function for allocating memory(e.g. Virtualalloc, HeapAlloc)
VirtualAllocExNuma Virtualalloc HeapAlloc Malloc Calloc MapViewOfFile
选定回调函数、template目录下的cpp皆可,可自己添加,默认为CertEnumSystemStore
当前有36个可用callback,用来代替经典的CreateThread来执行shellcode
--callback CALLBACK Callback function used to execute your shellcode.
CertEnumSystemStore CertEnumSystemStoreLocation CopyFile2 CreateThreadPoolWait CreateTimerQueueTimer CryptEnumOIDInfo EnumChildWindows EnumDesktopWindows EnumDesktopsW EnumDirTreeW EnumDisplayMonitors EnumFontFamiliesExW EnumFontFamiliesW EnumFontsW EnumLanguageGroupLocalesW EnumObjects EnumPageFilesW EnumPropsExW EnumPropsW EnumPwrSchemes EnumResourceTypesExW EnumResourceTypesW EnumSystemLocalesEx EnumTimeFormatsEx EnumUILanguagesW EnumWindowStationsW EnumWindows EnumerateLoadedModules ImageGetDigestStream ImmEnumInputContext InitOnceExecuteOnce SetTimer SetupCommitFileQueueW SymEnumProcesses SymFindFileInPath VerifierEnumResource
--syscall Replace VirtualAlloc, the VritualProtect function is called by syscall.(Only x64)
--bit BIT Is the shellcode 32-bit or 64-bit? Default is x64. (e.g. x86/x64)
--script SCRIPT Generate binary file type. (e.g. cpp/dll/ps1)
cpp dll ps1
不指定--script默认为exe,切换到output目录下,使用输出信息中的Compile-Command编译即可
Shellcode加密,应对静态查杀 同功能可替代api替换,应对api hook ...
文章来源: http://mp.weixin.qq.com/s?__biz=Mzg3NjYwNDgzMQ==&mid=2247485754&idx=1&sn=0f3f18f1df3271b997f25bcc9a0c1ae7&chksm=cf2ef5caf8597cdcbe5bc07226be2ab1531b522696346f5703baa77e2b1936de1c25ad560610#rd
如有侵权请联系:admin#unsafe.sh
如有侵权请联系:admin#unsafe.sh