Blank-c / Blank-Grabber

The most powerful stealer written in Python 3 and packed with a lot of features.
MIT License

Better bypass #321

Closed ExecutivePrograms closed 1 year ago

ExecutivePrograms commented 1 year ago

Hello,

I submitted an obfuscation error some days ago.

You told me that it gets detected since people scan it in Virus Total etc.

So to make it less detectable you shall create a discord server and create a channel for people who have starred the grabber.

It will make it less detectable because random people won't scan it on virus total, and even if these people scan it there, there's much less people who'll scan it on virus total.

Blank-c commented 1 year ago

If it is scanned even a single time, it would get detected. I cannot prevent people from scanning it. Sometimes the victims scan it too.

ghost commented 1 year ago

@Blank-c just use a fud pyinstaller

Blank-c commented 1 year ago

There is not anything like that.

ghost commented 1 year ago

@Blank-c try cx freeze or nuitka py to exe

Blank-c commented 1 year ago

cxfreeze cannot generate a single file executable, nuitka requires a backend C compiler and manual modifications during conversion, and py to exe is just a front end for Pyinstaller (which Blank Grabber currently uses).

noahmajors commented 1 year ago

if you are looking to make any modifications to pyinstaller, replicate these steps (per executable generated). this method has been proven (for me) to reduce detections significantly.

  1. `python.exe -m pip uninstall pyinstaller` - this removes the public version of pyinstaller which many users just install from pip (blank installs it like this by default)

  2. install c++ build tools from here if you haven't already installed them: http://visualstudio.microsoft.com/vs/features/cplusplus/ - this is needed for the next step

  3. navigate to the official pyinstaller repo and download as zip: http://github.com/pyinstaller/pyinstaller/releases

  4. Unzip this to where you want Pyinstaller to be installed on your machine.

  5. In CMD, cd to the install directory where you unzipped Pyinstaller. cd to the bootloader folder. (if you know what you're doing, you can attempt to obfuscate pyinstaller before continuing, which may help your .exe stay undetected for longer)

  6. `python.exe ./waf all`

  7. cd to the root Pyinstaller directory

  8. `python.exe setup.py install` (make sure you `pip install wheel` before this step)

the grabber may or may not attempt to update pyinstaller, so for personal use, I recommend removing the pyinstaller value from requirements.txt before you build your exe.

hope this helps temporarily

Blank-c commented 1 year ago

use mingw instead of C++ build tools. It drops more detections.

noahmajors commented 1 year ago

would we be able to modify my steps above (using mingw) to automate this process into the grabber?

Blank-c commented 1 year ago

One can simply install mingw with gcc support (add to path too) and let wafscript handle that.

Blank-c commented 1 year ago

> would we be able to modify my steps above (using mingw) to automate this process into the grabber?

I don't think it would be useful, it would take a lot of time.

noahmajors commented 1 year ago

while it would result in longer build times, it would help with detection status

ghost commented 1 year ago

At least it would be fud

noahmajors commented 1 year ago

not necessarily

ghost commented 1 year ago

@Blank-c and @noahmajors how do other grabbers get (almost) fud?

Blank-c commented 1 year ago

> while it would result in longer build times, it would help with detection status

Also, even if we are compiling the bootloader, the archive appended to it would be the same. So I don't think it would be enough.

Try to do it yourself, see if the detection rate goes down.

Blank-c commented 1 year ago

> @Blank-c and @noahmajors how do other grabbers get (almost) fud?

what are you talking about?

noahmajors commented 1 year ago

> > while it would result in longer build times, it would help with detection status
>
> Also, even if we are compiling the bootloader, the archive appended to it would be the same. So I don't think it would be enough.
>
> Try to do it yourself, see if the detection rate goes down.

When I last did this, it reduced detections by 3, including Defender. It was only valid for one VT scan before it became detected. I'm sure if we make some more in depth modifications, and perhaps some slight obfuscation, we could drop detections more.

Blank-c commented 1 year ago

Let's instead make it a green option in the grabber. It would only work if msvc or gcc is found in PATH.

ghost commented 1 year ago

> > @Blank-c and @noahmajors how do other grabbers get (almost) fud?
>
> what are you talking about?

Some grabbers I saw have or claim to have fud

Blank-c commented 1 year ago

If you confirmed it yourself, do you have a link for them?

If they just claimed, then there is no proof of it.