An advanced antivirus evasion tool that uses process hollowing on dllhost.exe and XOR encryption to bypass detection. Bypassed the latest versions of Kaspersky, Sophos and Windows Defender.
Features:
- Process Hollowing: creates a suspended dllhost.exe process
- Shellcode Injection: injects encrypted shellcode into the process
- XOR Encryption: bypasses static signature detection
- Memory Permissions: sets RX permissions for execution
Requirements:
- Windows 10/11
- .NET Framework 4.7.2+
- Administrative privileges
Build:

```shell
dotnet build --configuration Release
```

The build produces ByeByeAV.exe.

Usage:
- Encrypt your shellcode using the provided xor.py script: replace the shellcode in it with HTTPS Meterpreter shellcode in csharp format, then run `python xor.py`.
- Replace the shellcode in the source code:

```csharp
byte[] buf = new byte[YOUR_SIZE] { /* Paste your encrypted bytes here */ };
```

- Recompile the project:

```shell
dotnet build --configuration Release
```
The xor.py script makes it easy to encrypt/decrypt shellcode.

Tested against:
- Windows Defender
- Sophos Antivirus
- Kaspersky Antivirus
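The XOR step above only defeats byte-exact static signatures; it does not hide the structure of the data. The following is an added example from the analyst's side, not part of this project and not a copy of xor.py: given an XOR-encoded blob and a short fragment of expected plaintext (a signature an analyst already has), it recovers a single-byte key in at most 256 tries and, for a repeating key of known length, derives the key directly from the known-plaintext position. All sample bytes below are constructed; the marker strings are placeholders for whatever signatures a real scanner would use.

```python
"""Recovering XOR keys from an encoded buffer (analyst-side, added example)."""
from typing import Dict, List, Optional


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key. XOR is its own inverse, so this both
    encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_single_byte_key(blob: bytes, markers: List[bytes]) -> Optional[int]:
    """Try every one-byte key; return the first one under which any known
    plaintext marker appears in the decoded buffer, or None."""
    for key in range(256):
        decoded = xor_with_key(blob, bytes([key]))
        if any(marker in decoded for marker in markers):
            return key
    return None


def recover_repeating_key(blob: bytes, known: bytes, offset: int,
                          key_len: int) -> Optional[bytes]:
    """Derive a repeating key of length key_len from plaintext `known` that is
    expected at `offset`. Needs at least key_len bytes of known plaintext;
    the result is verified against the blob before it is returned."""
    if len(known) < key_len or offset + len(known) > len(blob):
        return None
    key = bytearray(key_len)
    for i, plain_byte in enumerate(known):
        key[(offset + i) % key_len] = blob[offset + i] ^ plain_byte
    decoded = xor_with_key(blob, bytes(key))
    return bytes(key) if decoded[offset:offset + len(known)] == known else None


def scan(blob: bytes, signatures: List[bytes]) -> Dict[str, object]:
    """Scan the raw blob, then attempt single-byte key recovery and rescan the
    decoded buffer. Shows why a raw signature scan misses XOR-encoded data
    while a decode-then-scan step still catches it."""
    raw_hits = [s for s in signatures if s in blob]
    key = recover_single_byte_key(blob, signatures)
    decoded_hits: List[bytes] = []
    if key is not None:
        decoded = xor_with_key(blob, bytes([key]))
        decoded_hits = [s for s in signatures if s in decoded]
    return {"raw_hits": raw_hits, "key": key, "decoded_hits": decoded_hits}


# Constructed sample: plain text plus a run of small byte values, standing in
# for a buffer an analyst wants to inspect. Not shellcode.
SAMPLE_PLAINTEXT = b"constructed sample payload, not shellcode: " + bytes(range(32))
SAMPLE_SINGLE_KEY = 0x5A
SAMPLE_BLOB = xor_with_key(SAMPLE_PLAINTEXT, bytes([SAMPLE_SINGLE_KEY]))

SAMPLE_REPEATING_KEY = b"\x13\x37\x42"
SAMPLE_BLOB_REPEATING = xor_with_key(SAMPLE_PLAINTEXT, SAMPLE_REPEATING_KEY)

# Placeholder signature: a fragment of plaintext the analyst expects to find.
SIGNATURES = [b"constructed sample"]

if __name__ == "__main__":
    print(scan(SAMPLE_BLOB, SIGNATURES))
    print(recover_repeating_key(SAMPLE_BLOB_REPEATING, SAMPLE_PLAINTEXT[:6], 0, 3))
```

The point for a defender is that the raw scan returns no hits while the decoded scan does, and that key recovery costs at most 256 decode attempts for a single-byte key; a memory or sandbox scanner that decodes before matching, or that scans the process after the payload has been written to executable memory, is not affected by this kind of encoding.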
This tool is for defensive research and academic purposes only. Use responsibly and only on systems you own or have permission to test.