Mirrors_Framework/shellcode_loader_bypass
1
0
Fork 0
mirror of https://github.com/Answerr/shellcode_loader_bypass.git synced 2025-12-10 21:37:13 +08:00
Code Issues Packages Projects Releases Wiki Activity
14 Commits 1 Branch 2 Tags
8d005dd10cb13a3fcdfb4a994a67e31a61f8350c
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
jason123 8d005dd10c Update README.md
2024-12-11 12:30:25 +08:00
bypass1
Add files via upload
2024-12-11 11:47:37 +08:00
images
Add files via upload
2024-12-11 11:54:54 +08:00
test
videos
Add files via upload
2024-12-11 12:19:56 +08:00
LICENSE
README.md
Update README.md
2024-12-11 12:30:25 +08:00

README.md

Shellcode Loader Bypass Techniques

This repository contains examples of advanced shellcode loader bypass techniques implemented in test.cpp and bypass1.cpp. These techniques are designed to evade detection and bypass modern security mechanisms, such as EDR (Endpoint Detection and Response) and AV (Antivirus) solutions.

Techniques in test.cpp

The following bypass techniques are implemented in test.cpp:

  1. API Resolution and Dynamic Invocation
    Resolves and invokes APIs dynamically at runtime to avoid static detection.

  2. API Hammering
    Repeatedly calls benign APIs to confuse behavior-based detection mechanisms.

  3. String Obfuscation and Decryption
    Obfuscates sensitive strings (e.g., API names, shellcode) and decrypts them at runtime to evade static analysis.

  4. NTDLL Restoration and Anti-Hooking
    Restores the original, unhooked version of ntdll.dll to bypass user-mode hooks placed by EDRs.

  5. Thread Pool Execution of Shellcode
    Executes shellcode using thread pools to blend in with legitimate application behavior.

  6. Remote Thread Injection
    Injects shellcode into a remote process to execute payloads stealthily.

  7. Encrypted Shellcode File Loading (shellcode.bin)
    Loads and decrypts an encrypted shellcode file (shellcode.bin) at runtime to avoid detection.

Techniques in bypass1.cpp

The following bypass techniques are implemented in bypass1.cpp:

  1. API Hashing for Function Resolution
    Resolves API functions using hashed names instead of plaintext strings to evade static analysis.

  2. API Hammering
    Similar to test.cpp, repeatedly calls benign APIs to confuse behavior-based detection mechanisms.

  3. Dynamic API Resolution
    Dynamically resolves API functions at runtime to avoid static detection.

  4. Unhooking ntdll.dll
    Restores the original, unhooked version of ntdll.dll to bypass user-mode hooks.

  5. Encrypted Shellcode File Loading (shellcode.bin)
    Loads and decrypts an encrypted shellcode file (shellcode.bin) at runtime to avoid detection.

  6. Thread Pool Execution
    Executes shellcode using thread pools to mimic legitimate application behavior.

  7. Stealthy Memory Allocation
    Allocates memory for shellcode in a stealthy manner, avoiding suspicious patterns that could trigger detection.

How to Use Generate your raw shellcode as a .bin file using your preferred method. Rename the file to input.bin and run xor.py. This will generate an encrypted file named output.bin. Rename output.bin to shellcode.bin and place it in the same directory as the executable. Execute the payload.

Shellcode Loader Bypass Images

1. 360 Bypass

360 Bypass

2. Defender Test

Defender Test

3. Huorong Bypass

Huorong Bypass

4. Tencent Bypass

Tencent Bypass

Summary test.cpp: Can bypass Tencent, Huorong, and Defender, but not 360 due to the addition of a remote injection function targeting RuntimeBroker.exe. bypass1.cpp: Can bypass Tencent, Huorong, and 360, but not Defender.

Disclaimer:
This repository is for educational and research purposes only. The techniques demonstrated here should not be used for malicious purposes. Always ensure compliance with applicable laws and regulations.

Reference in New Issue View Git Blame Copy Permalink
Description
bypass 360,huorong,tencent,defender with Split loading technique and unhooking
Readme MIT 37 MiB
Languages
C++ 92.7%
Python 7.3%