A tool for automatically patching shellcode into a binary file to bypass AV.
- Two Fuzz Modes
  - Auto Analysis: CFG + Call Chain + Symbolic Execution verification
  - Fuzz All: Test all large functions directly
- Smart Function Filtering - Filter by call depth, function size, and symbolic execution reachability
- Symbolic Execution Verification - Verify that functions are actually reachable from the entry point
- Digital Signature Removal - Remove the PE signature, with an automatic backup
- Modern Dark Theme UI - Multiple theme options via ttkbootstrap
- Multi-language Support - Chinese/English interface
- Cache System - Speeds up repeated analysis
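The signature-removal feature above strips a PE's Authenticode data, and any edit to the file invalidates the stored optional-header CheckSum unless it is recomputed; from the defender's side those are two cheap tamper indicators. This added example (not part of this project's code; it uses only the standard library and a constructed minimal PE32+ image rather than pefile) checks both:

```python
import struct
SECURITY_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY (certificate table)

def pe_header_offsets(data):
    """Return (CheckSum field offset, security directory offset) for a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 24                             # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96)    # data directories: PE32+ vs PE32 layout
    return opt + 64, dirs + SECURITY_DIR_INDEX * 8

def has_authenticode(data):
    """True if the security directory still points at a certificate table."""
    _, sec = pe_header_offsets(data)
    va, size = struct.unpack_from("<II", data, sec)
    return va != 0 and size != 0

def pe_checksum(data, checksum_off):
    """Recompute the optional-header CheckSum as the PE specification defines it."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for i in range(0, len(padded), 4):
        if i == checksum_off:                       # the CheckSum field itself is excluded
            continue
        total += struct.unpack_from("<I", padded, i)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)

def checksum_matches(data):
    """True only if a non-zero stored CheckSum equals the recomputed value."""
    off, _ = pe_header_offsets(data)
    stored = struct.unpack_from("<I", data, off)[0]
    return stored != 0 and stored == pe_checksum(data, off)

def build_min_pe(sig_va=0, sig_size=0, checksum=0):  # constructed test image, not a real executable
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)           # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                       # PE32+ magic
    struct.pack_into("<I", opt, 64, checksum)
    struct.pack_into("<I", opt, 108, 16)                        # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + SECURITY_DIR_INDEX * 8, sig_va, sig_size)
    return dos + coff + bytes(opt) + b"\xCC" * 64               # constructed body bytes
```

A zero CheckSum is common in unsigned builds, so treat it as "unverifiable" rather than "tampered"; a non-zero mismatch or a blanked security directory on a file that shipped signed is the actionable signal.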
Install dependencies: pip install pefile angr psutil ttkbootstrap

- Select the target PE file
- Select the patch source (or use the built-in test patch)
- Choose a Fuzz mode:
  - Auto Analysis: Recommended for most cases
  - Fuzz All: Brute-force all large functions
- Configure parameters:
  - Test Delay: Time to wait for the process to spawn
  - Monitor Process: Process name to detect (e.g., calc.exe)
  - Max Call Depth: Filter functions by call depth
  - Min Function Size: Minimum function size to test
  - Symbolic Execution Steps: Only used when symbolic execution is enabled
- Click Start Fuzz
| Feature | Auto Analysis | Fuzz All |
|---|---|---|
| CFG Analysis | Full | Basic |
| Call Chain Tracking | Yes | No |
| Symbolic Execution | Optional | No |
| Call Depth Filter | Yes | No |
| Function Size Filter | Yes | Yes |
| Speed | Slower | Faster |

| Parameter | Description |
|---|---|
| Test Delay | Seconds to wait before checking whether the target process spawned |
| Monitor Process | Process name(s) to monitor, comma separated (e.g., calc.exe,CalculatorApp.exe) |
| Max Call Depth | Only test functions within this depth from entry point |
| Min Function Size | Only test functions larger than this size |
| Sym Exec Steps | Maximum steps for symbolic execution verification |
Available dark themes:
- cyborg - Dark gray/cyan (default)
- darkly - Dark blue/white
- vapor - Dark purple/pink
- superhero - Dark gray/orange
- pulse - Dark gray/blue
- Use larger PE files as targets
- Prefer PE files with GUI subsystem (no console window)
- Keep shellcode small for better results
- For custom shellcode, use CppDevShellcode
Entry Point → CRT → Main → Target Functions
↓
CFG Analysis
↓
Call Chain Tracking
↓
Symbolic Execution (optional)
↓
Fuzz Testing
↓
Success Detection
This project is for educational and authorized security testing purposes only. Users are responsible for ensuring compliance with applicable laws and regulations. The author assumes no liability for any misuse or damage caused by this tool.
