├── .gitignore
├── BypassAV-1.sln
├── BypassAV-1
├── BypassAV-1.cpp
├── BypassAV-1.vcxproj
└── BypassAV-1.vcxproj.filters
├── README.assets
├── demo.gif
├── img1.png
└── img2.png
├── README.md
├── calc.bin
├── calc_encrypted.bin
└── xorencrypt.py
/.gitignore:
--------------------------------------------------------------------------------
1 | ## Ignore Visual Studio temporary files, build results, and
2 | ## files generated by popular Visual Studio add-ons.
3 | ##
4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
5 |
6 | # User-specific files
7 | *.rsuser
8 | *.suo
9 | *.user
10 | *.userosscache
11 | *.sln.docstates
12 |
13 | # User-specific files (MonoDevelop/Xamarin Studio)
14 | *.userprefs
15 |
16 | # Mono auto generated files
17 | mono_crash.*
18 |
19 | # Build results
20 | [Dd]ebug/
21 | [Dd]ebugPublic/
22 | [Rr]elease/
23 | [Rr]eleases/
24 | x64/
25 | x86/
26 | [Ww][Ii][Nn]32/
27 | [Aa][Rr][Mm]/
28 | [Aa][Rr][Mm]64/
29 | bld/
30 | [Bb]in/
31 | [Oo]bj/
32 | [Ll]og/
33 | [Ll]ogs/
34 |
35 | # Visual Studio 2015/2017 cache/options directory
36 | .vs/
37 | # Uncomment if you have tasks that create the project's static files in wwwroot
38 | #wwwroot/
39 |
40 | # Visual Studio 2017 auto generated files
41 | Generated\ Files/
42 |
43 | # MSTest test Results
44 | [Tt]est[Rr]esult*/
45 | [Bb]uild[Ll]og.*
46 |
47 | # NUnit
48 | *.VisualState.xml
49 | TestResult.xml
50 | nunit-*.xml
51 |
52 | # Build Results of an ATL Project
53 | [Dd]ebugPS/
54 | [Rr]eleasePS/
55 | dlldata.c
56 |
57 | # Benchmark Results
58 | BenchmarkDotNet.Artifacts/
59 |
60 | # .NET Core
61 | project.lock.json
62 | project.fragment.lock.json
63 | artifacts/
64 |
65 | # ASP.NET Scaffolding
66 | ScaffoldingReadMe.txt
67 |
68 | # StyleCop
69 | StyleCopReport.xml
70 |
71 | # Files built by Visual Studio
72 | *_i.c
73 | *_p.c
74 | *_h.h
75 | *.ilk
76 | *.meta
77 | *.obj
78 | *.iobj
79 | *.pch
80 | *.pdb
81 | *.ipdb
82 | *.pgc
83 | *.pgd
84 | *.rsp
85 | *.sbr
86 | *.tlb
87 | *.tli
88 | *.tlh
89 | *.tmp
90 | *.tmp_proj
91 | *_wpftmp.csproj
92 | *.log
93 | *.vspscc
94 | *.vssscc
95 | .builds
96 | *.pidb
97 | *.svclog
98 | *.scc
99 |
100 | # Chutzpah Test files
101 | _Chutzpah*
102 |
103 | # Visual C++ cache files
104 | ipch/
105 | *.aps
106 | *.ncb
107 | *.opendb
108 | *.opensdf
109 | *.sdf
110 | *.cachefile
111 | *.VC.db
112 | *.VC.VC.opendb
113 |
114 | # Visual Studio profiler
115 | *.psess
116 | *.vsp
117 | *.vspx
118 | *.sap
119 |
120 | # Visual Studio Trace Files
121 | *.e2e
122 |
123 | # TFS 2012 Local Workspace
124 | $tf/
125 |
126 | # Guidance Automation Toolkit
127 | *.gpState
128 |
129 | # ReSharper is a .NET coding add-in
130 | _ReSharper*/
131 | *.[Rr]e[Ss]harper
132 | *.DotSettings.user
133 |
134 | # TeamCity is a build add-in
135 | _TeamCity*
136 |
137 | # DotCover is a Code Coverage Tool
138 | *.dotCover
139 |
140 | # AxoCover is a Code Coverage Tool
141 | .axoCover/*
142 | !.axoCover/settings.json
143 |
144 | # Coverlet is a free, cross platform Code Coverage Tool
145 | coverage*[.json, .xml, .info]
146 |
147 | # Visual Studio code coverage results
148 | *.coverage
149 | *.coveragexml
150 |
151 | # NCrunch
152 | _NCrunch_*
153 | .*crunch*.local.xml
154 | nCrunchTemp_*
155 |
156 | # MightyMoose
157 | *.mm.*
158 | AutoTest.Net/
159 |
160 | # Web workbench (sass)
161 | .sass-cache/
162 |
163 | # Installshield output folder
164 | [Ee]xpress/
165 |
166 | # DocProject is a documentation generator add-in
167 | DocProject/buildhelp/
168 | DocProject/Help/*.HxT
169 | DocProject/Help/*.HxC
170 | DocProject/Help/*.hhc
171 | DocProject/Help/*.hhk
172 | DocProject/Help/*.hhp
173 | DocProject/Help/Html2
174 | DocProject/Help/html
175 |
176 | # Click-Once directory
177 | publish/
178 |
179 | # Publish Web Output
180 | *.[Pp]ublish.xml
181 | *.azurePubxml
182 | # Note: Comment the next line if you want to checkin your web deploy settings,
183 | # but database connection strings (with potential passwords) will be unencrypted
184 | *.pubxml
185 | *.publishproj
186 |
187 | # Microsoft Azure Web App publish settings. Comment the next line if you want to
188 | # checkin your Azure Web App publish settings, but sensitive information contained
189 | # in these scripts will be unencrypted
190 | PublishScripts/
191 |
192 | # NuGet Packages
193 | *.nupkg
194 | # NuGet Symbol Packages
195 | *.snupkg
196 | # The packages folder can be ignored because of Package Restore
197 | **/[Pp]ackages/*
198 | # except build/, which is used as an MSBuild target.
199 | !**/[Pp]ackages/build/
200 | # Uncomment if necessary however generally it will be regenerated when needed
201 | #!**/[Pp]ackages/repositories.config
202 | # NuGet v3's project.json files produces more ignorable files
203 | *.nuget.props
204 | *.nuget.targets
205 |
206 | # Microsoft Azure Build Output
207 | csx/
208 | *.build.csdef
209 |
210 | # Microsoft Azure Emulator
211 | ecf/
212 | rcf/
213 |
214 | # Windows Store app package directories and files
215 | AppPackages/
216 | BundleArtifacts/
217 | Package.StoreAssociation.xml
218 | _pkginfo.txt
219 | *.appx
220 | *.appxbundle
221 | *.appxupload
222 |
223 | # Visual Studio cache files
224 | # files ending in .cache can be ignored
225 | *.[Cc]ache
226 | # but keep track of directories ending in .cache
227 | !?*.[Cc]ache/
228 |
229 | # Others
230 | ClientBin/
231 | ~$*
232 | *~
233 | *.dbmdl
234 | *.dbproj.schemaview
235 | *.jfm
236 | *.pfx
237 | *.publishsettings
238 | orleans.codegen.cs
239 |
240 | # Including strong name files can present a security risk
241 | # (https://github.com/github/gitignore/pull/2483#issue-259490424)
242 | #*.snk
243 |
244 | # Since there are multiple workflows, uncomment next line to ignore bower_components
245 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
246 | #bower_components/
247 |
248 | # RIA/Silverlight projects
249 | Generated_Code/
250 |
251 | # Backup & report files from converting an old project file
252 | # to a newer Visual Studio version. Backup files are not needed,
253 | # because we have git ;-)
254 | _UpgradeReport_Files/
255 | Backup*/
256 | UpgradeLog*.XML
257 | UpgradeLog*.htm
258 | ServiceFabricBackup/
259 | *.rptproj.bak
260 |
261 | # SQL Server files
262 | *.mdf
263 | *.ldf
264 | *.ndf
265 |
266 | # Business Intelligence projects
267 | *.rdl.data
268 | *.bim.layout
269 | *.bim_*.settings
270 | *.rptproj.rsuser
271 | *- [Bb]ackup.rdl
272 | *- [Bb]ackup ([0-9]).rdl
273 | *- [Bb]ackup ([0-9][0-9]).rdl
274 |
275 | # Microsoft Fakes
276 | FakesAssemblies/
277 |
278 | # GhostDoc plugin setting file
279 | *.GhostDoc.xml
280 |
281 | # Node.js Tools for Visual Studio
282 | .ntvs_analysis.dat
283 | node_modules/
284 |
285 | # Visual Studio 6 build log
286 | *.plg
287 |
288 | # Visual Studio 6 workspace options file
289 | *.opt
290 |
291 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
292 | *.vbw
293 |
294 | # Visual Studio LightSwitch build output
295 | **/*.HTMLClient/GeneratedArtifacts
296 | **/*.DesktopClient/GeneratedArtifacts
297 | **/*.DesktopClient/ModelManifest.xml
298 | **/*.Server/GeneratedArtifacts
299 | **/*.Server/ModelManifest.xml
300 | _Pvt_Extensions
301 |
302 | # Paket dependency manager
303 | .paket/paket.exe
304 | paket-files/
305 |
306 | # FAKE - F# Make
307 | .fake/
308 |
309 | # CodeRush personal settings
310 | .cr/personal
311 |
312 | # Python Tools for Visual Studio (PTVS)
313 | __pycache__/
314 | *.pyc
315 |
316 | # Cake - Uncomment if you are using it
317 | # tools/**
318 | # !tools/packages.config
319 |
320 | # Tabs Studio
321 | *.tss
322 |
323 | # Telerik's JustMock configuration file
324 | *.jmconfig
325 |
326 | # BizTalk build output
327 | *.btp.cs
328 | *.btm.cs
329 | *.odx.cs
330 | *.xsd.cs
331 |
332 | # OpenCover UI analysis results
333 | OpenCover/
334 |
335 | # Azure Stream Analytics local run output
336 | ASALocalRun/
337 |
338 | # MSBuild Binary and Structured Log
339 | *.binlog
340 |
341 | # NVidia Nsight GPU debugger configuration file
342 | *.nvuser
343 |
344 | # MFractors (Xamarin productivity tool) working folder
345 | .mfractor/
346 |
347 | # Local History for Visual Studio
348 | .localhistory/
349 |
350 | # BeatPulse healthcheck temp database
351 | healthchecksdb
352 |
353 | # Backup folder for Package Reference Convert tool in Visual Studio 2017
354 | MigrationBackup/
355 |
356 | # Ionide (cross platform F# VS Code tools) working folder
357 | .ionide/
358 |
359 | # Fody - auto-generated XML schema
360 | FodyWeavers.xsd
361 |
--------------------------------------------------------------------------------
/BypassAV-1.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 17
4 | VisualStudioVersion = 17.6.33815.320
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "BypassAV-1", "BypassAV-1\BypassAV-1.vcxproj", "{A4FDA835-8C3B-4B94-8401-6076BE29F74C}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|x64 = Debug|x64
11 | Debug|x86 = Debug|x86
12 | Release|x64 = Release|x64
13 | Release|x86 = Release|x86
14 | EndGlobalSection
15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | {A4FDA835-8C3B-4B94-8401-6076BE29F74C}.Debug|x64.ActiveCfg = Debug|x64
17 | {A4FDA835-8C3B-4B94-8401-6076BE29F74C}.Debug|x64.Build.0 = Debug|x64
18 | {A4FDA835-8C3B-4B94-8401-6076BE29F74C}.Debug|x86.ActiveCfg = Debug|Win32
19 | {A4FDA835-8C3B-4B94-8401-6076BE29F74C}.Debug|x86.Build.0 = Debug|Win32
20 | {A4FDA835-8C3B-4B94-8401-6076BE29F74C}.Release|x64.ActiveCfg = Release|x64
21 | {A4FDA835-8C3B-4B94-8401-6076BE29F74C}.Release|x64.Build.0 = Release|x64
22 | {A4FDA835-8C3B-4B94-8401-6076BE29F74C}.Release|x86.ActiveCfg = Release|Win32
23 | {A4FDA835-8C3B-4B94-8401-6076BE29F74C}.Release|x86.Build.0 = Release|Win32
24 | EndGlobalSection
25 | GlobalSection(SolutionProperties) = preSolution
26 | HideSolutionNode = FALSE
27 | EndGlobalSection
28 | GlobalSection(ExtensibilityGlobals) = postSolution
29 | SolutionGuid = {C2136316-A907-4D5A-AA87-1F0C9C176841}
30 | EndGlobalSection
31 | EndGlobal
32 |
--------------------------------------------------------------------------------
/BypassAV-1/BypassAV-1.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yutianqaq/x1Ldr/e6bb067b0d43eddb7cbeb8b3246309c41db1372f/BypassAV-1/BypassAV-1.cpp
--------------------------------------------------------------------------------
/BypassAV-1/BypassAV-1.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | 16.0
23 | Win32Proj
24 | {a4fda835-8c3b-4b94-8401-6076be29f74c}
25 | BypassAV1
26 | 10.0
27 |
28 |
29 |
30 | Application
31 | true
32 | v143
33 | Unicode
34 |
35 |
36 | Application
37 | false
38 | v143
39 | true
40 | Unicode
41 |
42 |
43 | Application
44 | true
45 | v143
46 | Unicode
47 |
48 |
49 | Application
50 | false
51 | v143
52 | true
53 | Unicode
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 |
75 | Level3
76 | true
77 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
78 | true
79 |
80 |
81 | Console
82 | true
83 |
84 |
85 |
86 |
87 | Level3
88 | true
89 | true
90 | true
91 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
92 | true
93 |
94 |
95 | Console
96 | true
97 | true
98 | true
99 |
100 |
101 |
102 |
103 | Level3
104 | true
105 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
106 | true
107 |
108 |
109 | Console
110 | true
111 |
112 |
113 |
114 |
115 | Level3
116 | true
117 | true
118 | true
119 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
120 | true
121 |
122 |
123 | Console
124 | true
125 | true
126 | true
127 |
128 |
129 |
130 |
131 |
132 |
133 |
134 |
135 |
--------------------------------------------------------------------------------
/BypassAV-1/BypassAV-1.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 |
--------------------------------------------------------------------------------
/README.assets/demo.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yutianqaq/x1Ldr/e6bb067b0d43eddb7cbeb8b3246309c41db1372f/README.assets/demo.gif
--------------------------------------------------------------------------------
/README.assets/img1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yutianqaq/x1Ldr/e6bb067b0d43eddb7cbeb8b3246309c41db1372f/README.assets/img1.png
--------------------------------------------------------------------------------
/README.assets/img2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yutianqaq/x1Ldr/e6bb067b0d43eddb7cbeb8b3246309c41db1372f/README.assets/img2.png
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | > 免责声明:本工具仅用于安全研究和教学目的,用户应自行承担因使用该工具而引起的一切法律和相关责任。作者不对任何法律责任承担责任。
2 |
3 |
4 | # 更新日志
5 |
6 | https://mp.weixin.qq.com/s/L3d7w-u__T1zeL5rze4M0A
7 |
8 | 经过删除 pdb 信息、添加 icon、运行时库改为 /MT 后,可以某步全绿(此类检测结果具有时效性,杀软规则更新后可能不再适用,请自行复测)
9 |
10 | 读取 Shellcode 文件的方式改为 WINAPI(下文“使用方法”中的 fopen 示例可能已过时,请以源码中实际的文件读取调用为准)
11 |
12 | # BypassAV-1
13 | 通过将 Shellcode 与加载器分离(加载器本体不包含载荷,运行时再从外部文件读入)的方式规避杀软的静态查杀
14 |
15 | 支持读入 Msfvenom 或 Cobalt Strike 等 C2 生成的原始 Shellcode(.bin)文件,实现分离免杀
16 |
17 | 也可以配合 donut 将 exe、dll 转换为 Shellcode,从而加载 Mimikatz 等工具
18 |
19 | # 使用方法
20 | 使用 Visual Studio 2022 打开,然后选择 Release 编译(x64 / x86 需与所用 Shellcode 的架构一致)
21 |
22 | 自定义一个 key(需同时修改 xorencrypt.py 中的 `key = b"key"` 和加载器源码中的 `char key[] = "key"`,两者必须完全一致),然后使用 xorencrypt.py 对 Shellcode 做 XOR 加密。注意:短重复密钥的 XOR 只是用于规避静态特征的混淆,并非真正的加密——密钥随加载器一起分发,拿到加载器或少量已知明文即可还原载荷
23 |
24 | ```sh
25 | > python .\xorencrypt.py .\calc.bin
26 | > xor encrypted : .\calc_encrypted.bin
27 | ```
28 |
29 | 将加密后的文件名作为参数传递给 fopen(示例中为 user.dat,需改为 xorencrypt.py 输出的文件名如 calc_encrypted.bin,或将输出文件重命名为 user.dat;相对路径以加载器进程的当前工作目录为准)
30 |
31 | ```cpp
32 | //修改这里
33 | char key[] = "key";
34 |
35 | //修改这里
36 | fp = fopen("user.dat", "rb");
37 | ```
38 |
39 |
40 |
41 | # 效果
42 | 
43 |
44 | 其他杀软请自测
45 |
46 | 
47 |
48 |
49 |
50 | 
51 |
52 | # 更新记录
53 |
54 | 增加 XOR 加密(xorencrypt.py,默认 key 为 "key",需与加载器中的 key 保持一致)
55 |
--------------------------------------------------------------------------------
/calc.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yutianqaq/x1Ldr/e6bb067b0d43eddb7cbeb8b3246309c41db1372f/calc.bin
--------------------------------------------------------------------------------
/calc_encrypted.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yutianqaq/x1Ldr/e6bb067b0d43eddb7cbeb8b3246309c41db1372f/calc_encrypted.bin
--------------------------------------------------------------------------------
/xorencrypt.py:
--------------------------------------------------------------------------------
import os
import sys
2 |
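def xor_encrypt(plaintext, key):
    """XOR every byte of ``plaintext`` with the cyclically repeated ``key``.

    XOR is its own inverse: calling this again on the output with the same
    key yields the original input, which is how the loader recovers the
    payload.

    Security note: a short repeating XOR key is obfuscation against naive
    static signature matching, not confidentiality. The key ships inside the
    loader binary and a few bytes of known plaintext recover it trivially; the
    payload is also fully exposed in memory once decoded.

    Args:
        plaintext: bytes-like object to transform (may be empty).
        key: non-empty bytes-like key (a ``str`` is UTF-8 encoded); reused
            cyclically over ``plaintext``.

    Returns:
        ``bytes`` of the same length as ``plaintext``.

    Raises:
        ValueError: if ``key`` is empty. The original code surfaced this as an
            opaque ``ZeroDivisionError`` from ``i % 0``.
    """
    if isinstance(key, str):
        key = key.encode("utf-8")
    key = bytes(key)
    if not key:
        raise ValueError("XOR key must not be empty")
    key_length = len(key)
    # Explicit modulo indexing keeps the cyclic key alignment obvious.
    return bytes(byte ^ key[i % key_length] for i, byte in enumerate(plaintext))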
11 |
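# --- command-line entry point -------------------------------------------------
# Usage: python xorencrypt.py <shellcode.bin> [key]
# The key must be byte-for-byte identical to the one compiled into the loader
# (the README shows `char key[] = "key"`); the default below is that same value.
if len(sys.argv) < 2:
    print("Usage: python .\\xorencrypt.py .\\calc.bin [key]")
    sys.exit(1)  # non-zero status so scripts/CI notice the usage error
filename = sys.argv[1]

# Read the raw shellcode blob.
with open(filename, "rb") as file:
    plaintext = file.read()

# Key: optional second argument, otherwise the hard-coded default.
# NOTE: XOR with a short repeating key only defeats naive static signatures;
# the key is distributed with the loader, so treat this as obfuscation, not
# encryption.
key = sys.argv[2].encode("utf-8") if len(sys.argv) > 2 else b"key"

# Obfuscate the payload.
ciphertext = xor_encrypt(plaintext, key)

# Write <stem>_encrypted.bin next to the input. os.path.splitext replaces the
# previous blind filename[:-4] slice, which mangled inputs without a
# three-character extension (e.g. "calc" became "_encrypted.bin").
stem, _ext = os.path.splitext(filename)
output_filename = f"{stem}_encrypted.bin"
with open(output_filename, "wb") as file:
    file.write(ciphertext)
print(f"xor encrypted : {output_filename}")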
34 |
--------------------------------------------------------------------------------