/OLD.md:
--------------------------------------------------------------------------------
# Shipwreck

Input a raw file to bypass av and execute.

An AV-evasion framework that only needs a shellcode file as input; it can output exe/dll/ps1.

**Compiling requires the MinGW toolchain**

![image-20230114140441567](./readme-img/0.png)

## Usage

```sh
usage:
 ____ _ _ ____ _ ____ _____ ____ _ __
/ ___\/ \ /|/ \/ __\/ \ /|/ __\/ __// _Y |/ /
| \| |_||| || \/|| | ||| \/|| \ | / | /
\___ || | ||| || __/| |/\||| /| /_ | \_| \
\____/\_/ \|\_/\_/ \_/ \|\_/\_\\____\\____|_|\_\

By: BlueWhaleLab@王半仙

Input a raw file to bypass av and execute.

optional arguments:
  -h, --help            show this help message and exit
  -f FILENAME, --filename FILENAME
                        Provide a shellcode in raw format.
  -e ENCRYPTTYPE, --encryptType ENCRYPTTYPE
                        Shellcode encryption method(e.g. b64, xor, aes, uuid, mac, ipv4, diy...)
  --alloc ALLOC         Function for allocating memory(e.g. Virtualalloc, MapViewOfFile, malloc...)
  --callback CALLBACK   Callback function used to execute your shellcode.
  --syscall             Replace VirtualAlloc, the VritualProtect function is called by syscall.(Only x64)
  --bit BIT             Is the shellcode 32-bit or 64-bit? Default is x64. (e.g. x86/x64)
  --script SCRIPT       Generate binary file type. (e.g. cpp/dll)
  --obf                 Powershell file easyObf...
```

### Filename

Defaults to **payload.bin**, in raw format.

```sh
-f FILENAME, --filename FILENAME
                        Provide a shellcode in raw format.
```

### EncryptType

Currently only b64, xor, uuid, mac and ipv4 are implemented. aes is not finished yet; for diy you write your own algorithm.

This parameter is required.

```sh
-e ENCRYPTTYPE, --encryptType ENCRYPTTYPE
                        Shellcode encryption method(e.g. b64,xor,aes,diy...)
```

- Base64
- Xor
- ~~Aes~~
- Uuid
- Mac
- IPv4
- DIY

### Alloc

The default allocation method is VirtualAllocExNuma; it cannot be combined with syscall.

The allocation methods follow [Schrodinger-s-Cat](https://github.com/idiotc4t/Schrodinger-s-Cat). The malloc, calloc and MapViewOfFile methods have problems; if you got them working, let's discuss.

```sh
--alloc ALLOC         Function for allocating memory(e.g. Virtualalloc, HeapAlloc)
```

- VirtualAllocExNuma
- Virtualalloc
- HeapAlloc
- ~~Malloc~~
- ~~Calloc~~
- ~~MapViewOfFile~~

### CallBack

Selects the callback function. Any of the cpp files under the template directory can be used, and you can add your own. The default is CertEnumSystemStore.

There are currently 36 usable callbacks, used in place of the classic CreateThread to execute the shellcode.

```sh
--callback CALLBACK   Callback function used to execute your shellcode.
```

- CertEnumSystemStore
- CertEnumSystemStoreLocation
- CopyFile2
- CreateThreadPoolWait
- CreateTimerQueueTimer
- CryptEnumOIDInfo
- EnumChildWindows
- EnumDesktopWindows
- EnumDesktopsW
- EnumDirTreeW
- EnumDisplayMonitors
- EnumFontFamiliesExW
- EnumFontFamiliesW
- EnumFontsW
- EnumLanguageGroupLocalesW
- EnumObjects
- EnumPageFilesW
- EnumPropsExW
- EnumPropsW
- EnumPwrSchemes
- EnumResourceTypesExW
- EnumResourceTypesW
- EnumSystemLocalesEx
- EnumTimeFormatsEx
- EnumUILanguagesW
- EnumWindowStationsW
- EnumWindows
- EnumerateLoadedModules
- ImageGetDigestStream
- ImmEnumInputContext
- InitOnceExecuteOnce
- SetTimer
- SetupCommitFileQueueW
- SymEnumProcesses
- SymFindFileInPath
- VerifierEnumResource

### Syscall

Replaces the VirtualAlloc and VirtualProtect calls with direct syscalls; 64-bit only.

syscall.h was generated with the [SysWhispers2](https://github.com/jthuraisamy/SysWhispers2) project. If you have the energy, you can regenerate it with [SysWhispers3](https://github.com/klezVirus/SysWhispers3), which already supports 32-bit.

```sh
--syscall             Replace VirtualAlloc, the VritualProtect function is called by syscall.(Only x64)
```

### BIT

Shellcode bitness. For 32-bit you need to swap the SDK under output/lib for the 32-bit one; the ones currently shipped are all 64-bit.

The default is 64-bit.

```sh
--bit BIT             Is the shellcode 32-bit or 64-bit? Default is x64. (e.g. x86/x64)
```

### Script

Output type: exe/dll/ps1. The default is exe.

```sh
--script SCRIPT       Generate binary file type. (e.g. cpp/dll/ps1)
```

- cpp
- dll
- ps1

A Go version of the callback loader library, which can be integrated:

[Callback-function loader library implemented in Go](https://github.com/nu1r/GolangCallbackLoader)

#### EXE

If `--script` is not specified, the default is exe. Change into the output directory and compile with the `Compile-Command` shown in the output.

gcc: to remove the console window, add `-mwindows`.

![image-20230114142347101](./readme-img/exe.png)

#### DLL

Set `--script` to dll, change into the output directory and compile with the `Compile-Command` shown in the output.

The exported function of the generated dll is `StartW`.

![image-20220224110038528](./readme-img/1.png)

#### PS1

Set `--script` to ps1; the `--obf` parameter can be used to obfuscate the generated ps1 file.

![image-20220314144016113](./readme-img/3.png)

## Technology

- Shellcode encryption, against static scanning
- Replacing APIs with functionally equivalent ones, against API hooking
- ...

## Update

[2022-03-14 1.1.1] Added ps1 output via the `--script ps1` parameter; default is ps1

[2022-02-24 1.1.0] Added dll output via the `--script dll` parameter; default is cpp

[2022-01-17 1.0.2] Added the VirtualAlloc and HeapAlloc memory allocation methods via the `--alloc` parameter

[2022-01-01 1.0.1] Added uuid, Mac and ipv4 in-memory loading via the `-e` parameter

[2021-12-15 1.0] Shipwreck 1.0 completed

Test screenshot from early 2022, right after this framework was finished:

![1](./readme-img/2.png)

## TODO

1. Finish AES encryption
2. Add memory obfuscation
3. Output vba, ~~ps1~~, py and other scripts
4. ...

## Don't upload to VT/WB...!

## Don't upload to VT/WB...!

## Don't upload to VT/WB...!
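Detection-side note on the uuid, mac and ipv4 encryption types described in the EncryptType section above: those encodings leave the payload in the generated source (cpp or ps1) as a long array of UUID-, MAC- or IPv4-formatted string literals, so a cheap static triage heuristic is to look for unusually dense runs of such literals. The scanner below is an added example and is not code from the Shipwreck repository; the sample input is constructed, and the 128-byte threshold and the separator rule are assumptions chosen for illustration.

```python
import re

# Literal formats matching the uuid / mac / ipv4 encodings, with the number of
# payload bytes one literal carries (a UUID is 16 bytes, a MAC 6, an IPv4 4).
FORMATS = {
    "uuid": (re.compile(
        r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"), 16),
    "mac": (re.compile(r"(?:[0-9a-fA-F]{2}[-:]){5}[0-9a-fA-F]{2}"), 6),
    "ipv4": (re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])"), 4),
}

# Text allowed between two literals for them to count as one run: quotes,
# commas, brackets and whitespace only, i.e. what an array initializer contains.
# (Assumed rule; tune it to the source formats you actually scan.)
SEPARATORS = re.compile(r"[\s\"',;{}\[\]()]*")


def longest_run(text, pattern):
    """Longest chain of pattern matches that are separated only by SEPARATORS."""
    best = cur = 0
    last_end = None
    for m in pattern.finditer(text):
        if last_end is not None and SEPARATORS.fullmatch(text[last_end:m.start()]):
            cur += 1
        else:
            cur = 1  # something other than a separator sits between: new run
        best = max(best, cur)
        last_end = m.end()
    return best


def scan_for_encoded_payload(text, min_bytes=128):
    """Per format: longest literal run, bytes it would decode to, and whether
    that is large enough to plausibly be a payload (min_bytes is an assumed
    triage threshold; a real config file rarely has 128 bytes of back-to-back
    IP or MAC literals, while even a small stager is larger than that)."""
    report = {}
    for name, (pattern, width) in FORMATS.items():
        run = longest_run(text, pattern)
        report[name] = {
            "longest_run": run,
            "encoded_bytes": run * width,
            "suspicious": run * width >= min_bytes,
        }
    return report


# Constructed sample: an initializer with 12 UUID literals, as a uuid-encoded
# loader source would contain, plus a benign MAC in a comment and two config IPs
# that are separated by key names and therefore do not form a run.
SAMPLE_SOURCE = (
    "const char* blob[] = {\n"
    + "".join(f'    "{i:08x}-1111-2222-3333-{i:012x}",\n' for i in range(12))
    + "};\n"
    "// adapter 00-11-22-33-44-55\n"
    "server=10.0.0.1\n"
    "backup=10.0.0.2\n"
)

if __name__ == "__main__":
    for name, r in scan_for_encoded_payload(SAMPLE_SOURCE).items():
        print(f"{name:5} run={r['longest_run']:3} bytes={r['encoded_bytes']:4} "
              f"suspicious={r['suspicious']}")
```

Run it over the cpp or ps1 files the framework emits, or over any suspicious source you are triaging; on the sample the uuid run (12 literals, 192 bytes) is flagged while the lone MAC and the two IPs are not. The same run-length idea ports directly to a YARA rule with a repetition count on the literal pattern.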
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# 1.2.0

See [here](https://github.com/Awrrays/Shipwreck/blob/main/OLD.md) for usage.

Added go bypass.

```sh
python Shipwreck.py -e b64 --script go
```

![image-20230321142326095](./readme-img/go.png)

![image-20230321142518481](./readme-img/gorun.png)

Available callbacks, see:

https://github.com/nu1r/GolangCallbackLoader

--------------------------------------------------------------------------------