mirror of
https://github.com/Answerr/shellcode_loader_bypass.git
synced 2026-02-05 16:19:43 +08:00
Update README.md
README.md
@@ -1,63 +1,66 @@
|
|||||||
**Shellcode Loader Bypass Techniques**
|
# Shellcode Loader Bypass Techniques
|
||||||
This repository contains examples of advanced Shellcode Loader bypass techniques implemented in test.cpp and bypass1.cpp. These techniques are designed to evade detection and bypass modern security mechanisms such as EDR (Endpoint Detection and Response) and AV (Antivirus) solutions.
|
|
||||||
Note: Using binary files smaller than 100kb tends to be more stable due to memory allocation limits imposed by thread pool execution; otherwise, you may need to sacrifice stealth.
|
|
||||||
|
|
||||||
**Techniques in test.cpp**
|
This repository contains examples of advanced Shellcode Loader bypass techniques implemented in `test.cpp` and `bypass1.cpp`. These techniques are designed to evade detection and bypass modern security mechanisms such as EDR (Endpoint Detection and Response) and AV (Antivirus) solutions.
|
||||||
The following bypass techniques are implemented in test.cpp:
|
|
||||||
|
|
||||||
API Resolution and Dynamic Invocation
|
**Note:** Using binary files smaller than 100kb tends to be more stable due to memory allocation limits imposed by thread pool execution; otherwise, you may need to sacrifice stealth.
|
||||||
Dynamically resolve and call APIs at runtime to avoid static detection.
|
|
||||||
|
|
||||||
API Hammering
|
## Techniques in `test.cpp`
|
||||||
Repeatedly call benign APIs to obfuscate behavior-based detection mechanisms.
|
|
||||||
|
|
||||||
String Obfuscation and Decryption
|
The following bypass techniques are implemented in `test.cpp`:
|
||||||
Obfuscate sensitive strings (such as API names and Shellcode) and decrypt them at runtime to evade static analysis.
|
|
||||||
|
|
||||||
NTDLL Recovery and Unhooking
|
1. **API Resolution and Dynamic Invocation**
|
||||||
Restore the original, unhooked ntdll.dll to bypass user-mode hooks placed by EDR.
|
Dynamically resolve and call APIs at runtime to avoid static detection.
|
||||||
|
|
||||||
Thread Pool Execution of Shellcode
|
2. **API Hammering**
|
||||||
Use a thread pool to execute Shellcode, mimicking legitimate application behavior.
|
Repeatedly call benign APIs to obfuscate behavior-based detection mechanisms.
|
||||||
|
|
||||||
Remote Thread Injection
|
3. **String Obfuscation and Decryption**
|
||||||
Inject Shellcode into a remote process to execute the payload stealthily.
|
Obfuscate sensitive strings (such as API names and Shellcode) and decrypt them at runtime to evade static analysis.
|
||||||
|
|
||||||
Encrypted Shellcode File Loading (shellcode.bin)
|
4. **NTDLL Recovery and Unhooking**
|
||||||
Load and decrypt an encrypted Shellcode file (shellcode.bin) at runtime to avoid detection.
|
Restore the original, unhooked `ntdll.dll` to bypass user-mode hooks placed by EDR.
|
||||||
|
|
||||||
Techniques in bypass1.cpp
|
5. **Thread Pool Execution of Shellcode**
|
||||||
The following bypass techniques are implemented in bypass1.cpp:
|
Use a thread pool to execute Shellcode, mimicking legitimate application behavior.
|
||||||
|
|
||||||
API Hash Resolution Function
|
6. **Remote Thread Injection**
|
||||||
Use hashed names instead of plaintext strings to resolve API functions, circumventing static analysis.
|
Inject Shellcode into a remote process to execute the payload stealthily.
|
||||||
|
|
||||||
API Hammering
|
7. **Encrypted Shellcode File Loading (`shellcode.bin`)**
|
||||||
Similar to test.cpp, repeatedly call benign APIs to obfuscate behavior-based detection mechanisms.
|
Load and decrypt an encrypted Shellcode file (`shellcode.bin`) at runtime to avoid detection.
|
||||||
|
|
||||||
Dynamic API Resolution
|
## Techniques in `bypass1.cpp`
|
||||||
Dynamically resolve API functions at runtime to avoid static detection.
|
|
||||||
|
|
||||||
Unhooking ntdll.dll
|
The following bypass techniques are implemented in `bypass1.cpp`:
|
||||||
Restore the original, unhooked ntdll.dll to bypass user-mode hooks.
|
|
||||||
|
|
||||||
Encrypted Shellcode File Loading (shellcode.bin)
|
1. **API Hash Resolution Function**
|
||||||
Load and decrypt an encrypted Shellcode file (shellcode.bin) at runtime to avoid detection.
|
Use hashed names instead of plaintext strings to resolve API functions, circumventing static analysis.
|
||||||
|
|
||||||
Thread Pool Execution
|
2. **API Hammering**
|
||||||
Use a thread pool to execute Shellcode, mimicking legitimate application behavior.
|
Similar to `test.cpp`, repeatedly call benign APIs to obfuscate behavior-based detection mechanisms.
|
||||||
|
|
||||||
Stealthy Memory Allocation
|
3. **Dynamic API Resolution**
|
||||||
Allocate memory for Shellcode in a stealthy manner to avoid triggering detection caused by suspicious patterns.
|
Dynamically resolve API functions at runtime to avoid static detection.
|
||||||
|
|
||||||
Usage Instructions
|
4. **Unhooking `ntdll.dll`**
|
||||||
Use your preferred method to generate a .bin file of the raw Shellcode.
|
Restore the original, unhooked `ntdll.dll` to bypass user-mode hooks.
|
||||||
|
|
||||||
Rename the file to input.bin and run xor.py. This will generate an encrypted file named output.bin.
|
5. **Encrypted Shellcode File Loading (`shellcode.bin`)**
|
||||||
|
Load and decrypt an encrypted Shellcode file (`shellcode.bin`) at runtime to avoid detection.
|
||||||
|
|
||||||
Rename output.bin to shellcode.bin and place it in the same directory as the executable.
|
6. **Thread Pool Execution**
|
||||||
|
Use a thread pool to execute Shellcode, mimicking legitimate application behavior.
|
||||||
|
|
||||||
|
7. **Stealthy Memory Allocation**
|
||||||
|
Allocate memory for Shellcode in a stealthy manner to avoid triggering detection caused by suspicious patterns.
|
||||||
|
|
||||||
|
## Usage Instructions
|
||||||
|
|
||||||
|
1. Use your preferred method to generate a `.bin` file of the raw Shellcode.
|
||||||
|
2. Rename the file to `input.bin` and run `xor.py`. This will generate an encrypted file named `output.bin`.
|
||||||
|
3. Rename `output.bin` to `shellcode.bin` and place it in the same directory as the executable.
|
||||||
|
4. Execute the payload.
|
||||||
|
|
||||||
Execute the payload.
|
|
||||||
|
|
||||||
Shellcode Loader Bypass Screenshots
|
Shellcode Loader Bypass Screenshots
|
||||||
|
|
||||||
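Review bot: the Usage Instructions (steps 1-3 of the new numbered list) tell the reader to run `xor.py` on `input.bin` and rename `output.bin` to `shellcode.bin`, but never say which XOR key `xor.py` uses or that the loaders in `test.cpp` and `bypass1.cpp` must decrypt with the same key, so a reader cannot tell whether changing the key in one place requires a matching change elsewhere; add a sentence naming where the key is defined and that both sides must agree. The 100kb note attributes instability to "memory allocation limits imposed by thread pool execution" without saying which allocation or limit is meant; either name the specific constraint or phrase it as observed behaviour. Minor: `Shellcode Loader Bypass Screenshots` is the one section title left without a markdown heading while its siblings were converted to `#`/`##`.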
@@ -73,14 +76,12 @@ Shellcode Loader Bypass Screenshots
|
|||||||
### 4. Tencent Bypass
|
### 4. Tencent Bypass
|
||||||

|

|
||||||
|
|
||||||
Summary
|
# Summary
|
||||||
test.cpp: Can bypass Tencent, Huorong, and Defender, but fails to bypass 360 due to the addition of remote injection targeting RuntimeBroker.exe.
|
|
||||||
|
|
||||||
bypass1.cpp: Can bypass Tencent, Huorong, and 360, but fails to bypass Defender.
|
- **`test.cpp`:** Can bypass Tencent, Huorong, and Defender, but fails to bypass 360 due to the addition of remote injection targeting `RuntimeBroker.exe`.
|
||||||
|
|
||||||
|
- **`bypass1.cpp`:** Can bypass Tencent, Huorong, and 360, but fails to bypass Defender.
|
||||||
|
|
||||||
|
## Disclaimer
|
||||||
|
|
||||||
Disclaimer:
|
|
||||||
This repository is for educational and research purposes only. The techniques demonstrated here should not be used for malicious purposes. Always ensure compliance with applicable laws and regulations.
|
This repository is for educational and research purposes only. The techniques demonstrated here should not be used for malicious purposes. Always ensure compliance with applicable laws and regulations.
|
||||||
> **Disclaimer:**
|
|
||||||
> This repository is for educational and research purposes only. The techniques demonstrated here should not be used for malicious purposes. Always ensure compliance with applicable laws and regulations.
|
|
||||||
|
|
||||||
---
|
|
||||||
|
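Review bot: the two Summary bullets state which products each loader bypasses (`test.cpp`: Tencent, Huorong, Defender; `bypass1.cpp`: Tencent, Huorong, 360) with no product versions, signature dates or test date, and such results change with every definition update; add at least the date and the versions the claims were tested against. The explanation that `test.cpp` fails against 360 "due to the addition of remote injection targeting `RuntimeBroker.exe`" should also say whether that injection step can be disabled, since the `test.cpp` technique list presents it as a feature rather than a trade-off. Style: the new `## Disclaimer` heading is immediately followed by a blockquote beginning `> **Disclaimer:**`, repeating the label; drop one of the two.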