{"id":18062119,"url":"https://github.com/hackercalico/rat_obfuscator","last_synced_at":"2025-09-13T22:43:49.350Z","repository":{"id":260212090,"uuid":"865450011","full_name":"HackerCalico/RAT_Obfuscator","owner":"HackerCalico","description":"Magical obfuscator, supports obfuscating EXE, BOF, and ShellCode.","archived":false,"fork":false,"pushed_at":"2024-11-25T08:45:40.000Z","size":552,"stargazers_count":153,"open_issues_count":2,"forks_count":13,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-05-25T09:06:03.383Z","etag":null,"topics":["antivirus-evasion","bof","bypass-antivirus","bypass-av","bypass-edr","obfuscator","rat","red-team","shellcode"],"latest_commit_sha":null,"homepage":"","language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/HackerCalico.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-09-30T14:50:04.000Z","updated_at":"2025-05-09T06:42:53.000Z","dependencies_parsed_at":"2024-12-24T15:11:18.730Z","dependency_job_id":"fb1585d1-6296-4311-9a50-b88d09f8034c","html_url":"https://github.com/HackerCalico/RAT_Obfuscator","commit_stats":null,"previous_names":["hackercalico/rat_obfuscator"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/HackerCalico/RAT_Obfuscator","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/HackerCalico%2FRAT_Obfuscator","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/HackerCalico%2FRAT_Obfuscator/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/HackerCalico%2FRAT_O
bfuscator/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/HackerCalico%2FRAT_Obfuscator/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/HackerCalico","download_url":"https://codeload.github.com/HackerCalico/RAT_Obfuscator/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/HackerCalico%2FRAT_Obfuscator/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":275038262,"owners_count":25394640,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-13T02:00:10.085Z","response_time":70,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["antivirus-evasion","bof","bypass-antivirus","bypass-av","bypass-edr","obfuscator","rat","red-team","shellcode"],"created_at":"2024-10-31T05:05:45.543Z","updated_at":"2025-09-13T22:43:49.138Z","avatar_url":"https://github.com/HackerCalico.png","language":"C++","funding_links":[],"categories":[],"sub_categories":[],"readme":"# RAT_Obfuscator\n\n### Please give me a Star 🌟, thank you very much! It is very important to me!\n\n### 1. Introduction\n\nhttps://github.com/HackerCalico/RAT_Obfuscator\n\nMagical binary obfuscator that supports obfuscating x64 EXE, BOF and ShellCode.\n\n![RAT_Obfuscator.jpg (1000×300)](https://raw.githubusercontent.com/HackerCalico/RAT_Obfuscator/refs/heads/main/Image/RAT_Obfuscator.jpg)\n\n### 2. 
Effect \u0026 advantages\n\n(1) There is no self-decryption or any other encryption/decryption step, so no RWX memory is needed.\n\nFor a BOF or EXE, sleep-time encryption is no longer needed after obfuscation.\n\nFor ShellCode, the obfuscated output can be called directly through inline assembly, without any memory operations (no allocation, copying or protection changes).\n\n(2) Instruction-by-instruction obfuscation: every assembly instruction is first replaced with a randomly generated, semantically equivalent instruction sequence, and the result is then split into fragments and shuffled randomly.\n\nThis guarantees that each obfuscation run produces a completely different result, and no obfuscator-specific functions are added to the output.\n\n### 3. Usage\n\n\u003cmark\u003ePlease try the samples in Example first:\u003c/mark\u003e\n\n(1) Example\\ShellCode needs no explanation.\n\n(2) Example\\BOF\\bof.o contains two callable BOF functions. It was compiled with the clang from llvm-mingw-20240903-ucrt-x86_64; add its bin directory to the PATH environment variable.\n\nhttps://github.com/mstorsjo/llvm-mingw/releases/download/20240903/llvm-mingw-20240903-ucrt-x86_64.zip\n\n(3) Example\\BOF_Loader loads and runs BOFs obfuscated by this project. The loader itself can of course also be obfuscated; this requires configuring clang to support x64 inline assembly:\n\nVisual Studio Installer ---\u003e Individual components ---\u003e LLVM (clang-cl) and Clang ---\u003e Install\n\n\u003cmark\u003eObfuscating ShellCode\u003c/mark\u003e\n\nCopy the .shell section of Example\\ShellCode\\x64\\Release\\ShellCode.exe into Obfuscator\\shellcode.txt.\n\nDisassemble:\n\n```bash\n\u003e python Obfuscator.py\n1.Disassembly\n2.Obfuscate BOF\n3.Obfuscate ShellCode\n4.Obfuscate EXE functions\n5.Instruction obfuscation test\nchoice: 1\nPath: shellcode.txt\n[+] Save to Disassembly folder.\n```\n\nObfuscate:\n\n```bash\n\u003e python Obfuscator.py\n1.Disassembly\n2.Obfuscate BOF\n3.Obfuscate ShellCode\n4.Obfuscate EXE functions\n5.Instruction obfuscation test\nchoice: 3\n....\n[+] ObfShellCode:\n__attribute__((naked)) void ShellCode(...) {\n__asm {\nsnippet58:\nmov rdi, rax\n....\nsub r8, -0x25\njmp snippet57\n}\n}\n((void(*)(...))((PBYTE)ShellCode + 1050))(LoadLibraryA(\"user32\"));\n[!] Inline assembly requires the /O2 flag.\n[+] Save to ObfShellCode.bin\n```\n\nCreate a C++ project and paste in the generated code to call it; LoadLibraryA(\"user32\") is the argument of the sample ShellCode. Note that the generated call enters the function at an offset (ShellCode + 1050 in the output above), not at its first byte, because the snippets are emitted in shuffled order.\n\nOptimization (/O2) must be enabled, and clang must be configured to support x64 inline assembly: Visual Studio Installer ---\u003e Individual components ---\u003e LLVM (clang-cl) and Clang ---\u003e Install\n\n\u003cmark\u003eObfuscating a BOF\u003c/mark\u003e\n\nCopy Example\\BOF\\bof.o to Obfuscator\\bof.o.\n\nDisassemble:\n\n```bash\n\u003e python Obfuscator.py\n1.Disassembly\n2.Obfuscate BOF\n3.Obfuscate ShellCode\n4.Obfuscate EXE functions\n5.Instruction obfuscation test\nchoice: 1\nPath: bof.o\n[+] Save to Disassembly folder.\n```\n\nObfuscate:\n\n```bash\n\u003e python Obfuscator.py\n1.Disassembly\n2.Obfuscate BOF\n3.Obfuscate ShellCode\n4.Obfuscate EXE functions\n5.Instruction obfuscation test\nchoice: 2\n....\nExecuteCmd$$ Hash: -504283653\nGetFileInfoList$$ Hash: 1280936002\nBOF Hash: 1169983540\n[!] Obfuscation of .rdata is not supported.\n[!] Please use the BOF_Loader from the example to load.\n[+] Save to ObfBOF.bin\n```\n\nRun Example\\BOF_Loader to call the two BOF functions.\n\n\u003cmark\u003eObfuscating EXE functions\u003c/mark\u003e\n\nCopy Example\\BOF_Loader\\x64\\Release\\BOF_Loader.exe to Example\\BOF_Loader\\BOF_Loader.exe.\n\nCopy the .func section of BOF_Loader.exe into Obfuscator\\func.txt and delete all trailing 48 C7 C0 00 00 00 00 (mov rax, 0) and CC (int3) bytes: they are only placeholders that reserve space, because the instruction sequence becomes longer after obfuscation.\n\nDisassemble:\n\n```bash\n\u003e python Obfuscator.py\n1.Disassembly\n2.Obfuscate BOF\n3.Obfuscate ShellCode\n4.Obfuscate EXE functions\n5.Instruction obfuscation test\nchoice: 1\nPath: func.txt\n[+] Save to Disassembly folder.\n```\n\nObfuscate:\n\n```bash\n\u003e python Obfuscator.py\n1.Disassembly\n2.Obfuscate BOF\n3.Obfuscate ShellCode\n4.Obfuscate EXE functions\n5.Instruction obfuscation test\nchoice: 4\n....\n[+] Save to ObfFunc.bin\n```\n\nOverwrite the original .func section of Example\\BOF_Loader\\BOF_Loader.exe with the machine code from ObfFunc.bin. The obfuscated code has to fit inside the space the placeholders reserved, so compare the size of ObfFunc.bin with the section size before patching.\n\n\u003cmark\u003eInstruction obfuscation test\u003c/mark\u003e\n\nTest how a single instruction is obfuscated:\n\n```bash\n\u003e python Obfuscator.py\n1.Disassembly\n2.Obfuscate BOF\n3.Obfuscate ShellCode\n4.Obfuscate EXE functions\n5.Instruction obfuscation test\nchoice: 5\nInstruction: mov rax, rcx\n\n1th obfuscate:\n\nOriginal:\nmov rax, rcx\nObfMnemonic:\nxor rax, rax\nxor rax, rcx\nObfOps:\nxor rax, rax\nxor rax, rcx\n....\n10th obfuscate:\n\nOriginal:\nmov rax, rcx\nObfMnemonic:\nmov rax, 0\nadd rax, rcx\nObfOps:\nmov rax, 0xab\npush rbx\nmov rbx, rax\nsub rbx, -0x54\nlea rax, [rbx - 0x54 - 0xab]\npop rbx\nadd rax, rcx\n```\n\nThe output shows the two stages: ObfMnemonic replaces the mnemonic with an equivalent sequence, and ObfOps then rewrites the operands so the original immediates no longer appear (here mov rax, 0 becomes a scratch-register computation that evaluates to 0xab + 0x54 - 0x54 - 0xab).\n\n### 4. Notes\n\n(1) It is recommended to obfuscate .rdata yourself; the tool does not do it (see the warning printed when obfuscating a BOF).\n\n(2) It is recommended to write your own call-stack spoofing for calling DLL functions.\n\n(3) After obfuscating EXE functions, it is recommended to add junk bytes of your own above .func to cover the jmp at the start of .func.","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhackercalico%2Frat_obfuscator","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fhackercalico%2Frat_obfuscator","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhackercalico%2Frat_obfuscator/lists"}
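The instruction-by-instruction substitution and snippet shuffling described in section 2 of the README, and the two-stage ObfMnemonic/ObfOps output shown by its instruction obfuscation test, as an added toy model in Python. This is example code written for this page, not RAT_Obfuscator's code: it works on text mnemonics rather than machine code, rewrites only mov (the real tool covers every instruction), and every name in it (`obfuscate`, `equivalent`, `SAMPLE`, the snippet labels) is hypothetical. It adds the check the tool's test menu does not print: a differential run of the original and the obfuscated listing on random register states.

```python
# Added toy model (hypothetical, not RAT_Obfuscator's own code) of the README's two stages.
import random

REGS = ("rax", "rbx", "rcx", "rdx", "rsi", "rdi", "r8", "r9")
MASK = (1 << 64) - 1
ALU = {"mov": lambda d, s: s, "add": lambda d, s: d + s,
       "sub": lambda d, s: d - s, "xor": lambda d, s: d ^ s}

def parse(line):
    mnem, _, rest = line.strip().partition(" ")
    return mnem, ([o.strip() for o in rest.split(",")] if rest else [])

def imm(x):  # signed hex immediate, as a disassembler prints it (e.g. -0x25)
    return f"{(x & MASK) - (1 << 64):#x}" if (x & MASK) >> 63 else f"{x & MASK:#x}"

def run(program, state, entry=None):
    """Interpret text instructions on a register dict (labels end with ':'); RFLAGS is not modelled."""
    state, stack = dict(state), []
    labels = {l[:-1]: i for i, l in enumerate(program) if l.endswith(":")}
    val = lambda op: state[op] if op in REGS else int(op, 0) & MASK
    pc = labels[entry] if entry else 0
    while pc < len(program):
        line, pc = program[pc], pc + 1
        if line.endswith(":"):
            continue
        mnem, ops = parse(line)
        if mnem == "ret":
            break
        if mnem == "jmp":
            pc = labels[ops[0]]
        elif mnem in ALU:
            state[ops[0]] = ALU[mnem](state[ops[0]], val(ops[1])) & MASK
        elif mnem == "push":
            stack.append(val(ops[0]))
        elif mnem == "pop":
            state[ops[0]] = stack.pop()
        else:
            raise ValueError("unsupported instruction: " + line)
    if stack:
        raise RuntimeError("unbalanced push/pop")
    return state

def obf_mnemonic(line, rng):
    """Stage 1 (the README's 'ObfMnemonic'): swap a mov for a random equivalent sequence."""
    mnem, ops = parse(line)
    if mnem != "mov" or ops[0] not in REGS or ops[1] == ops[0]:
        return [line]  # the toy only rewrites mov; the real tool covers every mnemonic
    dst, src = ops
    scratch, k = rng.choice([r for r in REGS if r not in ops]), imm(rng.randrange(1, 1 << 31))
    return rng.choice([
        [f"xor {dst}, {dst}", f"xor {dst}, {src}"],
        [f"mov {dst}, 0", f"add {dst}, {src}"],
        [f"push {scratch}", f"mov {scratch}, {src}", f"add {scratch}, {k}",
         f"mov {dst}, {scratch}", f"sub {dst}, {k}", f"pop {scratch}"],
    ])

def obf_imm(line, rng):
    """Stage 2 (the README's 'ObfOps'): split every immediate so the original constant is gone."""
    mnem, ops = parse(line)
    if mnem not in ALU or ops[1] in REGS:
        return [line]
    dst, v, a = ops[0], int(ops[1], 0) & MASK, rng.randrange(1, 1 << 31)
    if mnem == "xor":  # x ^ v == x ^ a ^ (v ^ a)
        return [f"xor {dst}, {imm(a)}", f"xor {dst}, {imm(v ^ a)}"]
    second = "add" if mnem == "mov" else mnem  # v == a + (v - a); add/sub distribute the same way
    return [f"{mnem} {dst}, {imm(a)}", f"{second} {dst}, {imm(v - a)}"]

def obfuscate(program, seed, max_frag=3):
    """Both stages per instruction, then cut into jmp-chained snippets emitted in random order."""
    rng, linear, frags, listing = random.Random(seed), [], [], []
    for line in program:
        for step in obf_mnemonic(line, rng):
            linear += obf_imm(step, rng)
    linear.append("ret")
    while linear:
        frags.append(linear[:rng.randint(1, max_frag)])
        del linear[:len(frags[-1])]
    for j in rng.sample(range(len(frags)), len(frags)):
        listing += [f"snippet{j}:"] + frags[j]
        if j + 1 < len(frags):  # the last snippet ends in ret instead of a jmp
            listing.append(f"jmp snippet{j + 1}")
    return listing, "snippet0"  # execution starts at the label, not at the blob's first byte

def equivalent(original, obfuscated, entry, seed=0, trials=200):
    """Differential check: identical final registers on random inputs (flags are not compared)."""
    rng = random.Random(seed)
    for _ in range(trials):
        state = {r: rng.randrange(1 << 64) for r in REGS}
        if run(original, state) != run(obfuscated, state, entry):
            return False
    return True

# Constructed sample input: the README's mov rax, rcx plus a few immediates to split.
SAMPLE = ["mov rax, rcx", "add rax, 0x10", "mov rdx, 0", "xor rdx, rax", "sub rdx, -0x25"]

if __name__ == "__main__":
    listing, entry = obfuscate(SAMPLE, seed=7)
    print("\n".join(listing), "\nentry:", entry, "| equivalent:", equivalent(SAMPLE, listing, entry))
```

Two caveats the toy makes visible. It does not model RFLAGS: replacing mov, which leaves the flags alone, with xor/add/sub sequences (as both the toy and the README's ObfMnemonic output do) writes the flags, so such a substitution is only safe where the flags are dead at that point, and a register-only differential check will not catch a violation. And x64 add/sub/xor immediates are sign-extended imm32, so a split constant must stay encodable; the toy keeps the random half below 2^31 but does not check the remainder. The entry label not being the first line of the listing is the same reason the README's generated caller jumps to ShellCode + 1050 instead of the start of the blob.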