{"id":13841863,"url":"https://github.com/safe6Sec/GolangBypassAV","last_synced_at":"2025-07-11T13:32:52.764Z","repository":{"id":37646883,"uuid":"393908801","full_name":"safe6Sec/GolangBypassAV","owner":"safe6Sec","description":"研究利用golang各种姿势bypassAV","archived":false,"fork":false,"pushed_at":"2022-04-11T13:26:03.000Z","size":663,"stargazers_count":798,"open_issues_count":6,"forks_count":140,"subscribers_count":8,"default_branch":"master","last_synced_at":"2024-11-07T12:10:02.869Z","etag":null,"topics":["bypass-antivirus","bypass-av"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/safe6Sec.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-08-08T08:53:30.000Z","updated_at":"2024-11-06T00:49:20.000Z","dependencies_parsed_at":"2022-08-08T21:15:19.252Z","dependency_job_id":null,"html_url":"https://github.com/safe6Sec/GolangBypassAV","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/safe6Sec%2FGolangBypassAV","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/safe6Sec%2FGolangBypassAV/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/safe6Sec%2FGolangBypassAV/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/safe6Sec%2FGolangBypassAV/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/safe6Sec","download_url":"https://codeload.github.com/safe6Sec/GolangBypassAV/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225729732,"owners_count":17515158,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bypass-antivirus","bypass-av"],"created_at":"2024-08-04T17:01:23.092Z","updated_at":"2024-11-21T12:30:33.957Z","avatar_url":"https://github.com/safe6Sec.png","language":"Go","funding_links":[],"categories":["杀毒免杀、逆向工程","Go"],"sub_categories":["网络服务_其他"],"readme":"# GolangBypassAV\n\n\n![GolangBypassAV](https://socialify.git.ci/safe6Sec/GolangBypassAV/image?description=1\u0026font=Inter\u0026forks=1\u0026issues=1\u0026language=1\u0026owner=1\u0026pattern=Plus\u0026stargazers=1\u0026theme=Light)\n\n研究利用golang来bypassAV\n## 前言\n免杀这块本来就不是web狗擅长的，而且作为一个web狗也没必要花太多时间来折腾这个，达到能用就行，不要追求全部免杀，能免杀目标就行。\n\n## 说明\n- 如对本项目感兴趣，那么学习顺序如下：\n    1. 先看test目录的东西，里面都是些简单的常见的东西\n    2. 看完test目录后，可以看看bypass目录下的东西，里面是各种免杀姿势\n    3. 如果只想使用的话，直接看gen目录就行。\n\n\n## 免杀思路\n### 静态\n静态免杀比较简单，可选加密payload或者分离payload。  \n核心：   \n把特征去除即可过静态，某些杀毒软件带沙箱，还需要考虑反沙箱。   \n除此之外还可以考虑如下方式（由于要引入net包，导致文件大小比较大.我不做测试了.）：\n- 把payload分离远程服务器   \n- 把payload进行隐写    \n- 把shellcode，放在自定义段里面\n总之就是各种分离  \n\n### 动态   \n敏感api越少越好比如注册表操作、添加启动项、添加服务、添加用户、注入、劫持、创建进程、加载DLL等等    \n核心：   \n- 想法设法的把shellcode加载到内存里面。    \n- 使用系统调用+sysid\n- 敏感api脱钩，如地狱之门，二次加载\n- 敏感操作可以分步进行，如申请内存先申请读写(rw)，再改成可以执行(rwx)。不要一来就直接申请读写执行的内存。\n\n\n\n\n## 使用\n**暂时只支持windows系统编译!!!!**\n\n默认payload位置C:\\\\Users\\\\Administrator\\\\Desktop\\\\payload.bin  \n执行下面命令,即可生成免杀(game.exe)\n```cmd\n指定payload\nmain.exe payload.bin\n\n不指定payload，直接运行即可\nmain.exe\n```\n\n\n\n## 更新\n\n2022.1.13\n学习并添加光环之门免杀。真香\n\n2021.8.29\n完善生成命令，不用手动改特征。已经支持全部动态生成，只需要指定payload即可生成免杀。   \n源码在gen目录下面   \n默认生成的是带弹窗，想不带弹窗，自行修改源码。\n\n\n2021.8.24  \n直接用gen里面代码进行生成,演示视频已经放公众号，目前免杀已达目的更新会放缓。   \n注意：建议每次使用之前手动改一下key,如果被杀改一下关键字即可。    \n\n\n\n\n\n\n\n## 编译命令\n\n\n```bash\n免杀效果最好,缺点文件最大\ngo build main.go\n\n加了race参数,文件更大比原始的还大,效果很垃圾\ngo build -ldflags=\"-s -w\" -o main1.exe -race main.go\n\n常用编译命令,免杀效果较好,可以减少文件体积\ngo build -ldflags=\"-s -w\" -o main1.exe\n\n常用编译命令,免杀效果一般,减少文件体积+隐藏窗口\ngo build -ldflags=\"-s -w -H=windowsgui\" -o main2.exe\n\n\nset GOOS=windows GOARCH=amd64;go build -o main.exe\n\n```\n\n\n\n## 参考\n- https://github.com/Ne0nd0g/go-shellcode     \n- https://github.com/Rvn0xsy/BadCode    \n- https://github.com/timwhitez/Doge-Gabh    \n- https://github.com/Airboi/bypass-av-note    \n- https://github.com/brimstone/go-shellcode            \n- https://github.com/timwhitez/Doge-Loader            \n- https://github.com/fcre1938/goShellCodeByPassVT            \n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsafe6Sec%2FGolangBypassAV","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsafe6Sec%2FGolangBypassAV","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsafe6Sec%2FGolangBypassAV/lists"}