• Stars
    star
    1,668
  • Rank 28,022 (Top 0.6 %)
  • Language
    C++
  • Created about 4 years ago
  • Updated almost 4 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

shellcodeloader

ShellcodeLoader

语言: 中文

ShellcodeLoader of windows can bypass AV.

Features

  1. It has many loading modes. There are 13 loading modes in 32 bits and 12 loading modes in 64 bits.

  2. Support development. If a new attack means is found, you can develop template according to the specified method.

  3. Shellcode is automatically encrypted.The md5 of loaders that come from the same shellcode are different,because the generator uses time as seed to randomly generate 128-bit keys for encryption.

To do list

Environment: The generator uses MFC to implement UI, the generator and loader templates are developed with C + +, and statically compiled by VS2015.

Methods: Use vs2015 to open the project solution (. sln), and then compile.Of course,You can download the product from realse .

Files

The tool is composed of a generator (Shellcodeloader.exe) and numerous loader templates. Different loader templates need to be placed in the corresponding arch of directories. And finally put into the DATA folder under the same directory of the generator.

image-20201124160121278

How to use

  1. Open the generator(shellcode.exe)

    image-20201130105542851

  2. Drag your raw shellcode(.bin) into the generator

    image-20201130105623219

  3. Choose the loader's arch (default x86),And select the configuration options you want, whether you want to autostart(which comes with a registry), and whether you want to antisandbox(This option is not required for most 64-bit loaders)

  4. Choose how you want to load it. Different loading methos depending on the loading template in the DATA floder.

    image-20201130105735363

  5. **Click Generate and the final loader will be generated on the desktop. **

    image-20201124161035698

How to expand

  1. include public.hpp in your cpp.

  2. Call the GetShellcodeFromRes() function to get shellcode,the number 100 is immutable,unless you change the resourceID in generator.

    image-20201130105338767

    It will return the pointer of shellcode in resource,and shellcodesize is size of sehllcode.In most cases, this step doesn't need to be changed, you can do anything after you get the shellcode.

  3. Loading shellcode in your method ,and compile(PS:Make sure you compile statically and cancel the debug symbolic link)

    image-20201130105408030

  4. Use method name your template,this name will be loading method's name on UI,and change its format to "DAT",,Put it in correct arch in DATA folder ,The generator will automatically get the loading method.

    image-20201130105439913

About public.hpp

public.hpp contains the necessary comments.If you want other ways of anti sandbox, you can change the content of anti sandbox function; if you want other ways of self starting, you can change the content of autostart function. In most cases, the contents of other function bodies do not need to be changed.

Result

Virus total detection results,based on Cobalt Strike original shellcode without anti-sandbox option as an example:

Loading methods Detected
CreateThreadpoolWait Load 3/72
Fiber Load 4/72
NtTestAlert Load 5/70
SEH Except Load 2/72
TLS CallBack Load 28/71
Dynamic Load 1/72
Dynamic Load plus 28/71
Syscall Load 1/69
APC-Inject Load 6/72
Early Brid APC-Inject Load 4/72
NtCreateSection-Inject Load 2/71
OEP Hiijack-Inject Load 3/72
Thread Hiijack-Inject Load 6/72

After clieck the anti-sandbox option in the dynamic loading mode, the results are as follows:

1fef278889c961331a185698c35d220

Bypass network interception of norton's smart firewall,and online by this tool.

image-20201124163815942

Ref

More Repositories

1

404StarLink

404StarLink - 推荐优质、有意义、有趣、坚持维护的安全开源项目
8,436
star
2

KCon

KCon is a famous Hacker Con powered by Knownsec Team.
JavaScript
4,578
star
3

pocsuite3

pocsuite3 is an open-sourced remote vulnerability testing framework developed by the Knownsec 404 Team.
Python
3,641
star
4

ksubdomain

无状态子域名爆破工具
Go
2,242
star
5

Pocsuite

This project has stopped to maintenance, please to https://github.com/knownsec/pocsuite3 project.
Python
1,828
star
6

Kunyu

Kunyu, more efficient corporate asset collection
Python
1,011
star
7

RD_Checklist

知道创宇研发技能表
Python
828
star
8

404StarLink-Project

Focus on promoting the evolution of tools in different aspects of security research.专注于推动安全研究各个领域工具化.(项目收录逐步迁移至 https://github.com/knownsec/404StarLink)
813
star
9

rtcp

利用 Python 的 Socket 端口转发,用于远程维护
Python
709
star
10

ZoomEye-python

ZoomEye-python: The official Python library and CLI by Knownsec 404 Team.
Python
530
star
11

LSpider

LSpider 一个为被动扫描器定制的前端爬虫
Python
345
star
12

gsm

使用树莓派配合硬件来进行短信转发
Go
342
star
13

wam

Web App Monitor
JavaScript
228
star
14

Ethereum-Smart-Contracts-Security-CheckList

Ethereum Smart Contracts Security CheckList From Knownsec 404 Team
155
star
15

VxPwn

VxWorks漏洞挖掘相关
Python
154
star
16

PortForward

The port forwarding tool developed by Golang solves the problem that the internal and external networks cannot communicate in certain scenarios
Go
135
star
17

ct

简单易用的域名爆破工具
Rust
102
star
18

Zoomeye-Tools

Zoomeye Tools是配合Zoomeye使用的Chrome插件
JavaScript
42
star
19

Decrypt-ransomware

Python
37
star
20

Minitools-bin_extractor

A simple script for quickly mining sensitive information in binary files.
Python
29
star
21

LBot

A simple xss bot template
Python
23
star
22

ZoomeyeGPT

JavaScript
21
star
23

404-Team-ShowCase

19
star
24

Minitools-cidrgen

cidrgen is based on cidr's subnet IP list generator
Go
15
star
25

Minitools-ipstatistics

ipstatistics is a script based on the ipip library that is used to quickly filter the ip list.
Python
14
star
26

workin

workin tornado
JavaScript
14
star
27

Minitools-CookieTest

A script used to quickly test APIs or required parameters and cookies for a certain request.
Python
9
star
28

helloworld

一些经典的笔试题目,进入知道创宇的 Hello World!
2
star