{"id":17383454,"url":"https://github.com/preemptdev/bluffy","last_synced_at":"2025-04-06T14:12:08.582Z","repository":{"id":38247656,"uuid":"428450325","full_name":"preemptdev/bluffy","owner":"preemptdev","description":"Convert shellcode into :sparkles: different :sparkles: formats!","archived":false,"fork":false,"pushed_at":"2023-01-24T13:58:32.000Z","size":283,"stargazers_count":349,"open_issues_count":0,"forks_count":62,"subscribers_count":11,"default_branch":"main","last_synced_at":"2025-03-30T12:11:11.504Z","etag":null,"topics":["evasion","python","shellcode"],"latest_commit_sha":null,"homepage":"https://pre.empt.blog/2022/bluffy-the-av-slayer","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/preemptdev.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-11-15T23:13:46.000Z","updated_at":"2025-03-18T11:25:24.000Z","dependencies_parsed_at":"2023-02-13T22:01:16.000Z","dependency_job_id":null,"html_url":"https://github.com/preemptdev/bluffy","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/preemptdev%2Fbluffy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/preemptdev%2Fbluffy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/preemptdev%2Fbluffy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/preemptdev%2Fbluffy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/preemptdev","download_url":"https://codeload.github.com/preemptdev/bluffy/tar.gz/refs/heads/main","hos
t":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247492557,"owners_count":20947545,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["evasion","python","shellcode"],"created_at":"2024-10-16T07:42:17.150Z","updated_at":"2025-04-06T14:12:08.552Z","avatar_url":"https://github.com/preemptdev.png","language":"Python","readme":"# Bluffy\n\n\u003cp align=\"center\"\u003e\n  \u003cimg alt=\"bluffy\" src=\"https://media.giphy.com/media/11Mj6P6WqWnnuU/giphy.gif\" height=\"140\" /\u003e\n  \u003cp align=\"center\"\u003e\n    \u003ca href=\"https://github.com/ad-995/bluffy/blob/master/LICENSE\"\u003e\u003cimg alt=\"Software License\" src=\"https://img.shields.io/badge/license-MIT-brightgreen.svg?style=flat-square\"\u003e\u003c/a\u003e\n    \u003ca href=\"https://github.com/ad-995/bluffy/issues\"\u003e\u003cimg alt=\"GitHub issues\" src=\"https://img.shields.io/github/issues/ad-995/bluffy.svg?style=flat-square\"\u003e\u003c/a\u003e\n    \u003c/p\u003e\n\u003c/p\u003e\n\n\u003ch5 align=\"center\"\u003e\u003ci\u003eConvert shellcode into ✨ different ✨ formats!\u003c/i\u003e\u003c/h5\u003e\n\nBluffy is a utility which was used in experiments to bypass Anti-Virus products (statically) by formatting shellcode into realistic looking data formats.\n\nProof-of-concept tools, such as [0xBoku](https://twitter.com/0xBoku)'s [Ninja_UUID_Runner](https://github.com/boku7/Ninja_UUID_Runner) and [ChoiSG](https://github.com/ChoiSG)'s [UuidShellcodeExec](https://github.com/ChoiSG/UuidShellcodeExec), inspired the initial concept for Bluffy.\n\nSo far, we implemented:\n\n1. 
UUID\n2. CLSID\n3. SVG\n4. CSS\n5. CSV\n\n## Help\n\n```\n$ python3 bluffy.py -h\n\n  ⣇⣿⠘⣿⣿⣿⡿⡿⣟⣟⢟⢟⢝⠵⡝⣿⡿⢂⣼⣿⣷⣌⠩⡫⡻⣝⠹⢿⣿⣷\n  ⡆⣿⣆⠱⣝⡵⣝⢅⠙⣿⢕⢕⢕⢕⢝⣥⢒⠅⣿⣿⣿⡿⣳⣌⠪⡪⣡⢑⢝⣇\n  ⡆⣿⣿⣦⠹⣳⣳⣕⢅⠈⢗⢕⢕⢕⢕⢕⢈⢆⠟⠋⠉⠁⠉⠉⠁⠈⠼⢐⢕⢽\n  ⡗⢰⣶⣶⣦⣝⢝⢕⢕⠅⡆⢕⢕⢕⢕⢕⣴⠏⣠⡶⠛⡉⡉⡛⢶⣦⡀⠐⣕⢕\n  ⡝⡄⢻⢟⣿⣿⣷⣕⣕⣅⣿⣔⣕⣵⣵⣿⣿⢠⣿⢠⣮⡈⣌⠨⠅⠹⣷⡀⢱⢕\n  ⡝⡵⠟⠈⢀⣀⣀⡀⠉⢿⣿⣿⣿⣿⣿⣿⣿⣼⣿⢈⡋⠴⢿⡟⣡⡇⣿⡇⡀⢕\n  ⡝⠁⣠⣾⠟⡉⡉⡉⠻⣦⣻⣿⣿⣿⣿⣿⣿⣿⣿⣧⠸⣿⣦⣥⣿⡇⡿⣰⢗⢄\n  ⠁⢰⣿⡏⣴⣌⠈⣌⠡⠈⢻⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣬⣉⣉⣁⣄⢖⢕⢕⢕\n  ⡀⢻⣿⡇⢙⠁⠴⢿⡟⣡⡆⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣷⣵⣵⣿\n  ⡻⣄⣻⣿⣌⠘⢿⣷⣥⣿⠇⣿⣿⣿⣿⣿⣿⠛⠻⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿\n  ⣷⢄⠻⣿⣟⠿⠦⠍⠉⣡⣾⣿⣿⣿⣿⣿⣿⢸⣿⣦⠙⣿⣿⣿⣿⣿⣿⣿⣿⠟\n  ⡕⡑⣑⣈⣻⢗⢟⢞⢝⣻⣿⣿⣿⣿⣿⣿⣿⠸⣿⠿⠃⣿⣿⣿⣿⣿⣿⡿⠁⣠\n  ⡝⡵⡈⢟⢕⢕⢕⢕⣵⣿⣿⣿⣿⣿⣿⣿⣿⣿⣶⣶⣿⣿⣿⣿⣿⠿⠋⣀⣈⠙\n  ⡝⡵⡕⡀⠑⠳⠿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠿⠛⢉⡠⡲⡫⡪⡪⡣\n\nConvert shellcode into ✨ different ✨ formats!\n\nWritten by:\n  ~ Mez0\n  ~ Michael Ranaldo\n\nusage: Bluffy [-h] -b  -o  -m\n\noptional arguments:\n  -h, --help              show this help message and exit\n  -b , --bin              Specify bin file to load\n  -m , --mask             Specify the mask for the shellcode\n  -x , --xor              XOR the payload\n  -p , --preview          Preview the created format\n  -pp, --payload_preview  Preview the payload prior to C formatting\n  --list                  List all the available masks\n```\n\nWritten by:\n- [Michael Ranaldo](https://twitter.com/michaeljranaldo)\n- [Mez0](https://twitter.com/__mez0__)\n\n## Requirements and installation\n\nThe following items must be installed prior to using Bluffy:\n\n### python3.9 or greater:\n```bash\nsudo apt install python3.9\n```\n\n### rich:\n```bash\nsudo pip3 install rich\n```\n\n### pcre2.8:\n\nDepending on whether it is going to be run on Kali, Ubuntu 18, 19, 20, and so on, the process of obtaining and building with `pcre2.8` may differ.\n\nFor us on Ubuntu, it was developed on:\n```\n$ lsb_release -a\nNo LSB modules are available.\nDistributor ID: Ubuntu\nDescription:  Ubuntu 21.04\nRelease:  21.04\nCodename: hirsute\n```\n\nIn order to link `libpcre2-8.a`, the `.a` file had to be included within:\n```\n/usr/lib/gcc/x86_64-w64-mingw32/10-win32\n```\n\nAs for obtaining the header and lib files, 
[MSYS2](https://packages.msys2.org/base/mingw-w64-pcre2) was used. But if you're smarter than us, then just do it from source for Mingw64: https://pcre.org/.\n\nThus the simplest way to acquire and install is to run the following commands (after double checking your architecture etc.):\n\n```bash\nsudo apt install mingw-w64\nsudo wget https://packages.msys2.org/package/mingw-w64-x86_64-pcre2?repo=mingw64 -P /usr/lib/gcc/x86_64-w64-mingw32/10-win32\n```\n\n## Using Bluffy\n\nTo build a payload, get your binary file. For this example, we used calc.bin, which just loads calc.exe as a proof of concept. As Bluffy only seeks to evade _static_ analysis using steganography, by hiding the binary within an otherwise innocuous file, you will need to do further research to ensure that your payload also evades _dynamic_ detection.\n\nRun `bluffy`, choosing a mask of your choice and providing your .bin file:\n```bash\npython ./bluffy.py -b calc.bin -m css -x\n```\n\nCheck your payload, then build it. To build your payload, copy the .h file bluffy creates, rename it css.c, run make to build it to an executable, then test using the included examples directory:\n\n```\nmv css.h examples/css/css.h\ncd examples/css\nmake\n```\n\nThis will use the included \"main.c\" to build a Windows executable. Test this to confirm. If you have also used calc.bin, you should be greeted by a new Calc window opening. 
If so, congratulations!\n\nFor more details on using Bluffy and a walkthrough of how it works and what the output looks like, check out our [blog](https://pre.empt.dev/posts/bluffy/).\n\nHere is a full example:\n\n\u003cp align=\"center\"\u003e\u003cimg src=\"https://github.com/ad-995/bluffy/raw/main/images/bluffy.gif\" width=\"550\"\u003e\u003c/p\u003e\n\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpreemptdev%2Fbluffy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpreemptdev%2Fbluffy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpreemptdev%2Fbluffy/lists"}