Tools used in AV evasion work
🟢 Most of these cannot generate an evasive trojan directly; they are used while developing and testing evasion.
| Tool | Summary | Source | Download path |
|---|---|---|---|
| x64dbg 中文版安装程序(Jan 6 2024).exe | | 52pojie | |
| hellshell | Official tool for encrypting or obfuscating shellcode | github | Releases · ORCA / HellShell · GitLab |
| hellshell (online version) | | github | GitHub - SenSecurity/Hellshell-with-more-fuctionality: HellShell with More functionality |
| Dependencies.AheadLib.Plugin | Adds export-function handling on top of Dependencies | Kanxue (看雪) | [Original] I built an AheadLib plugin on the Dependencies project - Programming - Kanxue Security Community \| Security Jobs \| kanxue.com |
| Dependencies | | github | GitHub - lucasg/Dependencies: A rewrite of the old legacy software "depends.exe" in C# for Windows devs to troubleshoot dll load dependencies issues. |
| ChangeTimestamp.exe | Changes file timestamps | | |
| sgn_windows_amd64_2.0.1 | Encodes shellcode inside a binary for evasion | github | GitHub - EgeBalci/sgn: Shikata ga nai (仕方がない) encoder ported into go with several improvements |
| Resource Hacker | | | |
| BeaconEye_x64 | Scans memory for CobaltStrike signatures and parses the Beacon config to recover the corresponding Beacon information | github | Releases · CCob/BeaconEye · GitHub |
| Hunt-Sleeping-Beacons | | github | GitHub - thefLink/Hunt-Sleeping-Beacons: Aims to identify sleeping beacons |
| yara-master-2298-win64 | Tool for classifying malware samples | github | GitHub - VirusTotal/yara: The pattern matching swiss knife |
| Windows_Trojan_CobaltStrike.yar | Open-source YARA rules from Elastic Security for detecting CobaltStrike | github | protections-artifacts/yara/rules/Windows_Trojan_CobaltStrike.yar at main · elastic/protections-artifacts · GitHub |
| hollows_hunter64 | | github | GitHub - hasherezade/hollows_hunter: Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches). |
| arsenal_kit | | telegram | |
| DLLSpy | Detects DLL hijacking in running processes, services, and their binaries | github | |
| Process Hacker 2 | Inspects processes | | |
| Alcatraz | Not downloaded; x64 binary obfuscator able to obfuscate a variety of PE files | github | GitHub - weak1337/Alcatraz: x64 binary obfuscator |
| pestudio-9.58 | Shows file entropy and other information; useful for reverse engineering | official site | Winitor |
| https://junkcode.gehaxelt.in/ | Junk code generator for lowering entropy | github | GitHub - gehaxelt/PHP-C---JunkCodeGenerator: A junkcode generator for C++ classes written in PHP |
| sgn_windows_amd64_2.0.1 | Encodes shellcode | github | |
| ChangeTimestamp.exe | Changes timestamps | | |
| SigThief | Rips a signature off one binary | github | GitHub - secretsquirrel/SigThief: Stealing Signatures and Making One Invalid Signature at a Time |
| Restorator2018 | Forges icons | https://www.sqlsec.com/tools.html | https://www.sqlsec.com/tools.html |
| BeCyIconGrabber.exe | Forges icons | https://www.sqlsec.com/tools.html | https://www.sqlsec.com/tools.html |
| SourcePoint | Generates Malleable C2 profiles automatically | github | GitHub - Tylous/SourcePoint: SourcePoint is a C2 profile generator for Cobalt Strike command and control servers designed to ensure evasion. |
| S-inject | Windows injection evasion tool for DLL + shellcode | github | GitHub - Joe1sn/S-inject: Windows injection evasion tool supporting x86/x64 DLL and shellcode injection, with a graphical interface |
| RingQ | Evasion, exe2shellcode | github | GitHub - T4y1oR/RingQ: A post-exploitation evasion tool that helps every script kiddie like me achieve evasion quickly; supports bypassing AV/EDR, 360, Huorong, Windows Defender; shellcode loader |
| pe2shc.exe | pe_to_shellcode | github | GitHub - hasherezade/pe_to_shellcode: Converts PE into a shellcode |