Mirrors_Framework/shellcode_loader_bypass
1
0
Fork 0
mirror of https://github.com/Answerr/shellcode_loader_bypass.git synced 2025-12-06 17:25:16 +08:00
Code Issues Packages Projects Releases Wiki Activity
24 Commits 1 Branch 2 Tags
c482455d902ba32e919d0df0f5617c7179208033
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
秋裤小清新 c482455d90 Update README.md
2025-01-20 17:28:38 +08:00
bypass1
Add files via upload
2024-12-11 17:19:20 +08:00
images
Add files via upload
2024-12-11 11:54:54 +08:00
test
videos
Add files via upload
2024-12-11 12:19:56 +08:00
LICENSE
README.md
Update README.md
2025-01-20 17:28:38 +08:00
xor.py
Add files via upload
2024-12-11 12:30:50 +08:00

README.md

Shellcode Loader Bypass Techniques This repository contains examples of advanced Shellcode Loader bypass techniques implemented in test.cpp and bypass1.cpp. These techniques are designed to evade detection and bypass modern security mechanisms such as EDR (Endpoint Detection and Response) and AV (Antivirus) solutions. Note: Using binary files smaller than 100kb tends to be more stable due to memory allocation limits imposed by thread pool execution; otherwise, you may need to sacrifice stealth.

Techniques in test.cpp The following bypass techniques are implemented in test.cpp:

API Resolution and Dynamic Invocation Dynamically resolve and call APIs at runtime to avoid static detection.

API Hammering Repeatedly call benign APIs to obfuscate behavior-based detection mechanisms.

String Obfuscation and Decryption Obfuscate sensitive strings (such as API names and Shellcode) and decrypt them at runtime to evade static analysis.

NTDLL Recovery and Unhooking Restore the original, unhooked ntdll.dll to bypass user-mode hooks placed by EDR.

Thread Pool Execution of Shellcode Use a thread pool to execute Shellcode, mimicking legitimate application behavior.

Remote Thread Injection Inject Shellcode into a remote process to execute the payload stealthily.

Encrypted Shellcode File Loading (shellcode.bin) Load and decrypt an encrypted Shellcode file (shellcode.bin) at runtime to avoid detection.

Techniques in bypass1.cpp The following bypass techniques are implemented in bypass1.cpp:

API Hash Resolution Function Use hashed names instead of plaintext strings to resolve API functions, circumventing static analysis.

API Hammering Similar to test.cpp, repeatedly call benign APIs to obfuscate behavior-based detection mechanisms.

Dynamic API Resolution Dynamically resolve API functions at runtime to avoid static detection.

Unhooking ntdll.dll Restore the original, unhooked ntdll.dll to bypass user-mode hooks.

Encrypted Shellcode File Loading (shellcode.bin) Load and decrypt an encrypted Shellcode file (shellcode.bin) at runtime to avoid detection.

Thread Pool Execution Use a thread pool to execute Shellcode, mimicking legitimate application behavior.

Stealthy Memory Allocation Allocate memory for Shellcode in a stealthy manner to avoid triggering detection caused by suspicious patterns.

Usage Instructions Use your preferred method to generate a .bin file of the raw Shellcode.

Rename the file to input.bin and run xor.py. This will generate an encrypted file named output.bin.

Rename output.bin to shellcode.bin and place it in the same directory as the executable.

Execute the payload.

Shellcode Loader Bypass Screenshots

1. 360 Bypass

360 Bypass

2. Defender Test

Defender Test

3. Huorong Bypass

Huorong Bypass

4. Tencent Bypass

Tencent Bypass

Summary test.cpp: Can bypass Tencent, Huorong, and Defender, but fails to bypass 360 due to the addition of remote injection targeting RuntimeBroker.exe.

bypass1.cpp: Can bypass Tencent, Huorong, and 360, but fails to bypass Defender.

Disclaimer: This repository is for educational and research purposes only. The techniques demonstrated here should not be used for malicious purposes. Always ensure compliance with applicable laws and regulations.

Disclaimer:
This repository is for educational and research purposes only. The techniques demonstrated here should not be used for malicious purposes. Always ensure compliance with applicable laws and regulations.

Reference in New Issue View Git Blame Copy Permalink
Description
bypass 360,huorong,tencent,defender with Split loading technique and unhooking
Readme MIT 37 MiB
Languages
C++ 92.7%
Python 7.3%