[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-1849":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":9,"language":10,"languages":9,"totalLinesOfCode":9,"stars":11,"forks":12,"watchers":13,"openIssues":14,"contributorsCount":14,"subscribersCount":14,"size":14,"stars1d":15,"stars7d":16,"stars30d":17,"stars90d":14,"forks30d":14,"starsTrendScore":18,"compositeScore":19,"rankGlobal":9,"rankLanguage":9,"license":9,"archived":20,"fork":20,"defaultBranch":21,"hasWiki":22,"hasPages":20,"topics":23,"createdAt":9,"pushedAt":9,"updatedAt":24,"readmeContent":25,"aiSummary":26,"trendingCount":14,"starSnapshotCount":14,"syncStatus":27,"lastSyncTime":28,"discoverSource":29},1849,"Beatrice.py","raskolnikov90\u002FBeatrice.py","raskolnikov90","Modify machine code in binaries with alternative x64 assembly opcodes for AV evasion",null,"Python",197,27,1,0,4,8,31,12,56.44,false,"main",true,[],"2026-06-12 04:00:11","# Beatrice.py\n\nTo bypass detection methods like YARA rules that look for certain bytes and memory scanners Beatrice.py patches machine code in binaries with alternative x64 assembly opcodes of the same size. This tool was also designed to modify machine code of executables or complex binaries that contain strings and other data, it will strictly match machine code to avoid breaking binaries.\n\n![image](https:\u002F\u002Fi.imgur.com\u002FBTunLsS.gif)\n\n# Usage\n\n```\npython3 beatrice.py           \n                                                                                                  \n@@@@@@@   @@@@@@@@   @@@@@@   @@@@@@@  @@@@@@@   @@@   @@@@@@@  @@@@@@@@       @@@@@@@   @@@ @@@  \n@@@@@@@@  @@@@@@@@  @@@@@@@@  @@@@@@@  @@@@@@@@  @@@  @@@@@@@@  @@@@@@@@       @@@@@@@@  @@@ @@@  \n@@!  @@@  @@!       @@!  @@@    @@!    @@!  @@@  @@!  !@@       @@!            @@!  @@@  @@! !@@  \n!@   @!@  !@!       !@!  @!@    !@!    !@!  @!@  !@!  !@!       !@!            !@!  @!@  !@! @!!  \n@!@!@!@   @!!!:!    
@!@!@!@!    @!!    @!@!!@!   !!@  !@!       @!!!:!         @!@@!@!    !@!@!   \n!!!@!!!!  !!!!!:    !!!@!!!!    !!!    !!@!@!    !!!  !!!       !!!!!:         !!@!!!      @!!!   \n!!:  !!!  !!:       !!:  !!!    !!:    !!: :!!   !!:  :!!       !!:            !!:         !!:    \n:!:  !:!  :!:       :!:  !:!    :!:    :!:  !:!  :!:  :!:       :!:       :!:  :!:         :!:    \n :: ::::   :: ::::  ::   :::     ::    ::   :::   ::   ::: :::   :: ::::  :::   ::          ::    \n:: : ::   : :: ::    :   : :     :      :   : :  :     :: :: :  : :: ::   :::   :           :     \n                                                                                                  \nUsage: beatrice.py \u003Cbinary>\n-h for usage and flags\n-v for Verbose mode\n-s for Safer mode, normal mode already mostly safe but still may break some binaries\n```\n\n# What this tool does\n\n### It will:\n\n- Generate patterns of simple x64 assembly instructions and their alternative instructions, turn them into machine code and patch the machine code if it matches.\n- Build different lists of assembly instructions that contain immediate values and other instructions that can’t be easily turned into patterns, and apply appropriate changes to them.\n- Apply alternative ways to encode instructions whenever possible.\n- Create a binary that is identical functionality-wise but with the above patches applied, which will help evade YARA rules and some Antivirus solutions.\n\n### It will NOT:\n\n- Be a one-size-fits-all solution.\n- Modify strings (only on the Pro Edition).\n- Modify imports or calls to Windows API functions that can be detected by some AVs and EDRs.\n- Completely evade behavior-based detection. 
While this modifies the machine code enough to sometimes trick behavior-based detection, it won’t change the core functionality, so detection remains possible.\n\nWhile this tool can make some binaries evade AVs on its own, it is best used combined with other evasion techniques (examples: modify shellcode to be used with a loader, help with custom or modified tooling).\n\n# Pro Edition\n\nA paid version of this tool is available at: https:\u002F\u002Fbuymeacoffee.com\u002Flainkusanagi\u002Fe\u002F531266\n\n### Pro Edition features:\n\n- Rewritten and improved alternative encodings for assembly instructions.\n- Parse bytes from YARA rules and DefenderCheck output and use them to generate more patches.\n- Parse strings from YARA rules to modify strings in binaries and executables.\n- Obfuscate the Import Address Table.\n- Generate new potential detection bytes that can be used to create YARA rules.\n- Includes a PDF showing how the tool can be used for Antivirus and EDR evasion as well as how to use it to test and create detection rules.\n\n# Tests against Windows Defender and Elastic YARA rules (April 2026 Public Version)\n\n### Executables (.exe)\n\n**Mimikatz with obfuscated strings** → [Evades Defender, see my Medium article.](https:\u002F\u002Fmedium.com\u002F@luisgerardomoret_69654\u002Fmodifying-mimikatz-to-evade-defender-2026-dc701000289d)\n\n**Metasploit** stageless reverse shell tcp → Inconsistent results against Defender (sometimes it evades Defender, sometimes it’s detected); evades Elastic YARA rules.\n\n**Havoc** payload with default profile and no modification → Evades Defender (shown in the gif above), detected by Elastic YARA due to default hashing and default profile.\n\n**Sliver** payload using its default obfuscation → Detected by Defender due to using Garble for obfuscation, evades Elastic YARA rules.\n\n**Sliver** with skip-symbols option → Detected by both Defender and Elastic YARA due to strings.\n\n**AdaptixC2** payload with IAT Hiding → 
Already evasive against Defender, but the tool may help if Microsoft creates more signatures; evades Elastic YARA rules.\n\n**CobaltStrike** stageless payload → Bypassed detection bytes but still detected by a few strings.\n\n### Raw binaries \u002F Shellcode (.bin)\n\nUsing [DefenderYara](https:\u002F\u002Fgithub.com\u002Froadwy\u002FDefenderYara\u002Ftree\u002Fmain\u002FTrojan\u002FWin64), [defender2yara](https:\u002F\u002Fgithub.com\u002Ft-tani\u002Fdefender2yara\u002Ftree\u002Fyara-rules\u002FWin64\u002FTrojan) and [Elastic rules](https:\u002F\u002Fgithub.com\u002Felastic\u002Fprotections-artifacts) to test.\n\n**Metasploit** stageless reverse shell tcp → Evades YARA rules.\n\n**Havoc** payload with custom profile and no modification → Evades Defender YARA rules, detected by Elastic YARA due to default hashing and default profile.\n\n**Sliver** payload using its default obfuscation → Evades YARA rules.\n\n**Sliver** with skip-symbols option → Detected by both Defender and Elastic YARA due to strings.\n\n**AdaptixC2** payload with IAT Hiding → Evades YARA rules.\n\n**CobaltStrike** stageless payload → Bypassed detection bytes but still detected by a few strings.\n\n**Donut** shellcode → Evades YARA rules.\n\nNotes on Havoc: Ran in Docker to solve compiler compatibility issues so payloads compile as they originally do before using the tool.\n\nNotes on CobaltStrike: I don’t own a license; I have access to a course that provides labs and includes CobaltStrike.\n\n# Known Issues\n\nGolang-compiled binaries that use Garble for obfuscation may break. 
\n\nDespite working most of the time, some binaries may still break; that’s why safe mode was added as an option that uses only the most basic features.\n\n","Beatrice.py is a tool for modifying the machine code in binaries with alternative x64 assembly instructions, intended to help bypass detection based on YARA rules and other memory scanners. Its core features include generating patterns of simple x64 instructions and their alternative instructions, converting those patterns into machine code and replacing matches; and building lists of instructions that contain immediate values and other instructions that are hard to turn into patterns, then applying the appropriate changes to them. In addition, the tool uses alternative instruction encodings wherever possible. It is suited to scenarios where executables or complex binaries (in particular those parts that contain strings and other data) need to be modified to avoid detection by antivirus software. Note that while Beatrice.py can help evade static signature detection to some extent, it does not modify strings, the import table or calls to Windows API functions, and it cannot completely evade behavior-based detection. It is therefore recommended to combine it with other evasion techniques for best results.",2,"2026-06-11 02:46:24","CREATED_QUERY"]