# X-AV

X-series security tool - AV evasion framework - BypassAV

Source code is available in the Zhishixingqiu (知识星球) group RedTeaming.

## Loading methods

- Syscall
- Uuid
- CreateFiber
- CreateProcessWithPipe
- EtwpCreateEtwThread
- etc.

## Encryption methods

- XOR
- RC4
- AES256

## Sandbox detection (defense against dynamic analysis)

## Symbol table obfuscation (defense against static analysis)

## Persistence

The persistence feature has not been added yet.

## Generating a fake certificate

Somewhat redundant; optional.

## Usage

```
❯ ./X-AV -h

 ____  _          _ _  ____          _     _____           _
/ ___|| |__   ___| | |/ ___|___   __| | __|_   _|__   ___ | |___
\___ \| '_ \ / _ \ | | | / _ \ / _` |/ _ \| |/ _ \ / _ \| / __|
 ___) | | | |  __/ | | |__| (_) | (_| |  __/| | (_) | (_) | \__ \
|____/|_| |_|\___|_|_|\____\___/ \__,_|\___||_|\___/ \___/|_|___/

Version 1.0-RedTeamWing
Loader Method:
    CreateFiber
    Syscall
    CreateProcess
    CreateProcessWithPipe
    CreateRemoteTread
    CreateRemoteTreadNative
    CreateThread
    CreateThreadNative
    UUIDFromString
    RtlCreateUserThread
    EtwpCreateEtwThread

Encryption Method:
    Xor
    AES256
    RC4

Usage of ./X-AV:
  -domain string
        fake domain
  -encrypt string
        chose encryption (default "hex")
  -key string
        encryption key (default "1314")
  -loadermethod string
        选择shellcode加载方式 (default "CREATEFIBER")
  -o string
        output path (default "boomsec.exe")
  -password string
        fake domain cert password (default "201314")
  -persistence
        Persistence[True or False]
  -salt string
        aes 加密的salt
  -sandbox
        Bypass Sandbox Check (default true)
  -shellcodepath string
        shellcode path (default "shellcode.bin")
  -v    display detail infomation
```

### XOR encryption

Every encryption method supports the five loading methods listed above.

```
./X-AV -shellcodepath cdn.bin -o xor.exe -key wing -encrypt xor -loadermethod uuid
```

![](https://i.loli.net/2021/05/14/2HfmgtLoRdKiWkG.png)

### AES encryption

AES requires a salt.

```
./X-AV -shellcodepath cdn.bin -o aes.exe -key wing -encrypt aes -loadermethod uuid -salt wing
```

### RC4

```
./X-AV -shellcodepath cdn.bin -o rc4.exe -key wing -encrypt rc4 -loadermethod uuid
```

## Test results

Target: Windows Defender

Testing against this one AV is basically enough.

![](https://i.loli.net/2021/05/14/Q8RvafxMIFKGXWU.png)

![image](https://user-images.githubusercontent.com/25416365/118236750-0ded1700-b4c9-11eb-8e63-1b92b6f668b5.png)
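The help output above exposes fixed strings of the generator itself (the `Version 1.0-RedTeamWing` banner, the default output name `boomsec.exe`, and the loader method names). For a defender triaging a suspect binary, those literals are a cheap first check. The script below is an added example written for this page, not part of X-AV: it searches a byte buffer for those markers both as plain ASCII and as UTF-16LE (the encoding Windows binaries often use for strings) and reports the offsets. The marker list and the sample buffer are constructed here from the README text; the caveat is that these strings identify the generator tool, while the executables it emits are symbol-obfuscated per the sections above, so a hit is a lead for further analysis rather than a verdict.

```python
# Added example (not part of X-AV): defender-side string triage for the
# generator's own banner and default strings shown in the README above.
import re
from pathlib import Path

# Markers copied from the banner and usage text on this page.
ASCII_MARKERS = [
    b"Version 1.0-RedTeamWing",
    b"boomsec.exe",
    b"EtwpCreateEtwThread",
    b"CreateProcessWithPipe",
    b"RtlCreateUserThread",
]


def _encodings(marker: bytes):
    """Yield (label, needle) for the marker as ASCII and as UTF-16LE."""
    yield "ascii", marker
    yield "utf-16le", marker.decode("ascii").encode("utf-16-le")


def find_markers(data: bytes) -> dict:
    """Return {marker: [(encoding, offset), ...]} for every marker found in data."""
    hits: dict = {}
    for marker in ASCII_MARKERS:
        for enc, needle in _encodings(marker):
            for m in re.finditer(re.escape(needle), data):
                hits.setdefault(marker.decode("ascii"), []).append((enc, m.start()))
    return hits


def scan_file(path: str) -> dict:
    """Convenience wrapper: scan a file on disk."""
    return find_markers(Path(path).read_bytes())


# Constructed sample buffer (not a real binary): two markers, one stored as
# UTF-16LE, surrounded by padding so the reported offsets are meaningful.
SAMPLE = (
    b"\x00" * 16
    + b"Version 1.0-RedTeamWing"
    + b"\x00" * 8
    + "boomsec.exe".encode("utf-16-le")
    + b"\x00" * 8
)

if __name__ == "__main__":
    for marker, locations in find_markers(SAMPLE).items():
        print(f"{marker}: {locations}")
```

Run it against a real file with `scan_file("path/to/sample")`; each entry lists the encoding in which the marker was found and its byte offset, which is enough to pivot into a hex viewer or a YARA rule.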