1 | 1 | # Shellcode Injector |
2 | | -A PoC shellcode injector using clean syscalls to bypass user-mode hooks in ntdll.dll. |
3 | | - |
4 | | -### Goals |
5 | | -- Activity obfuscation |
6 | | -- Demonstrate injecting shellcode into a process via raw syscall; ret stubs from ntdll.dll |
7 | | -- Bypass user-mode hooks on Win32 APIs (LoadLibrary, VirtualAlloc, WriteProcessMemory) |
8 | | -- Automatically generate and insert a shellcode payload to download and execute a PE file |
9 | | - |
10 | | -### How It Works |
11 | | -- Uses the Windows Thread Pool API to “hide” the call stack: instead of a direct syscall from code, the call originates from a trusted region inside ntdll tpWorker. |
12 | | -- No direct native API calls are made—instead, jmp to a syscall stub found in ntdll. |
13 | | - |
14 | | -### Project Files |
15 | | -- include/PEB.h — Definitions for PEB/TEB structures, LDR_MODULE |
16 | | -- include/Callbacks.h — Prototypes for callbacks and argument structs for three syscalls |
17 | | -- Callbacks.asm — NASM routines: locate raw syscall stubs and unpack arguments → syscall; ret |
18 | | -- Shellcode.h.template — DSL (Intel syntax) between SHELLCODE_START/SHELLCODE_END markers |
19 | | -- generate_shellcode_header.py — Assembles the DSL from the template and overwrites Shellcode.h with a byte array |
20 | | -- main.cpp — C++ wrapper EnableDebugPrivilege, SSN lookup, ThreadPool callbacks, wrappers for NtAllocateVirtualMemory, NtWriteVirtualMemory, NtCreateThreadEx |
21 | | -- Makefile — Automation for: |
22 | | - 1. Generating Shellcode.h |
23 | | - 2. Assembling ASM routines |
24 | | - 3. Compiling and linking into injector.exe |
25 | | - |
26 | | -### Technologies & Dependencies |
27 | | -- Windows x64 MSVC / Visual Studio Build Tools |
28 | | -- NASM -f win64 |
29 | | -- Python 3.x + keystone-engine |
| 2 | + |
| 3 | +A proof-of-concept **shellcode injector** that uses *clean syscalls* to bypass user-mode hooks in **`ntdll.dll`**. |
| 4 | + |
| 5 | +## 🎯 Goals |
| 6 | + |
| 7 | +- **Activity obfuscation** |
| 8 | +- Inject shellcode into a target process via **raw syscalls** (ret stubs from `ntdll.dll`) |
| 9 | +- **Bypass** common user-mode hooks on Win32 APIs (`LoadLibrary`, `VirtualAlloc`, `WriteProcessMemory`, …) |
| 10 | +- **Auto-generate** & embed a shellcode payload that **downloads and executes a PE file** |
| 11 | + |
| 12 | +--- |
| 13 | + |
| 14 | +## 🛠️ How It Works |
| 15 | + |
| 16 | +1. Leverages the **Windows Thread Pool API** to *hide the call-stack*: |
| 17 | + - The syscall appears to originate from a *trusted* region inside **`ntdll!TpWorker`** rather than from our code. |
| 18 | +2. No direct native API calls are made; instead, the injector **jumps to syscall stubs** discovered in `ntdll.dll`. |
| 19 | + |
| 20 | +--- |
| 21 | + |
| 22 | +## 📁 Project Files |
| 23 | + |
| 24 | +| Path | Purpose | |
| 25 | +|------|---------| |
| 26 | +| `include/PEB.h` | Struct definitions for **PEB / TEB / LDR_MODULE** | |
| 27 | +| `include/Callbacks.h` | Prototypes & argument structs for the three syscalls | |
| 28 | +| `Callbacks.asm` | NASM routines: locate raw syscall stubs → unpack args → `syscall; ret` | |
| 29 | +| `Shellcode.h.template` | DSL (Intel syntax) between `SHELLCODE_START / END` markers | |
| 30 | +| `generate_shellcode_header.py` | Assembles the DSL → overwrites **`Shellcode.h`** with a byte array | |
| 31 | +| `main.cpp` | C++ wrapper: `EnableDebugPrivilege`, SSN lookup, Thread Pool callbacks, wrappers for<br>`NtAllocateVirtualMemory`, `NtWriteVirtualMemory`, `NtCreateThreadEx` | |
| 32 | +| `Makefile` | Automation: <br>1️⃣ Generate `Shellcode.h`<br>2️⃣ Assemble ASM routines<br>3️⃣ Compile & link → **`injector.exe`** | |
| 33 | + |
| 34 | +--- |
| 35 | + |
| 36 | +## ⚙️ Technologies & Dependencies |
| 37 | + |
| 38 | +- **Windows x64** – MSVC / Visual Studio Build Tools |
| 39 | +- **NASM** `-f win64` |
| 40 | +- **Python 3.x** + **Keystone-engine** |
| 41 | + ```bash |
30 | 42 | pip install keystone-engine |
31 | 43 |
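Review bot: The fenced block opened with the indented ```bash under the Keystone bullet is never closed; the next fence line is the opening ```bash of the Build & Run block, and CommonMark does not treat a fence that carries an info string as a closing fence, so everything from `pip install keystone-engine` through `injector.exe` renders as one code block and the `---` rule and `## 🚀 Build & Run` heading become literal text. Add a closing ``` directly after `pip install keystone-engine` and indent the pip line to match the fence so the block stays inside the list item. Also, the worker name changed from "ntdll tpWorker" to "`ntdll!TpWorker`"; writing it in `module!symbol` form asserts an exact symbol, so confirm the name against the actual thread-pool worker routine before publishing it.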
|
32 | | -### Build & Run |
33 | 44 |
|
34 | | -1. Install dependencies NASM, MSVC, Python + Keystone |
35 | | -2. Generate Shellcode.h from the template: |
36 | | - python generate_shellcode_header.py Shellcode.h.template Shellcode.h |
37 | | -3. Build the project: |
38 | | - make |
39 | | -4. Run the injector: |
40 | | - injector.exe |
| 45 | +--- |
| 46 | + |
| 47 | +## 🚀 Build & Run |
| 48 | + |
| 49 | +```bash |
| 50 | +# 1) Install NASM, MSVC, Python + Keystone beforehand |
| 51 | +
|
| 52 | +# 2) Generate Shellcode.h from the template |
| 53 | +python generate_shellcode_header.py Shellcode.h.template Shellcode.h |
| 54 | +
|
| 55 | +# 3) Build everything |
| 56 | +make |
| 57 | +
|
| 58 | +# 4) Launch the injector |
| 59 | +injector.exe |
| 60 | +``` |
| 61 | + |
| 62 | +--- |
41 | 63 |
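Review bot: The run step `injector.exe` is documented with no arguments, yet nothing in the README says how the target process is selected or where the download URL for the PE payload named under Goals is configured; document both (and which file they live in) before the command list, since a reader cannot complete step 4 from this section alone. The block is tagged `bash` while the dependencies section specifies MSVC on Windows x64, so state which shell the commands are meant to run in (for example a Visual Studio developer prompt) so `make` is not read as a POSIX build.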
|
42 | 64 | ## 🚫 Disclaimer |
43 | 65 |
|
44 | 66 | This repository is provided for **educational purposes only** and intended for **authorized security research**. |
45 | 67 | Use of these materials in unauthorized or illegal activities is **strictly prohibited**. |
46 | 68 |
|
| 69 | + |
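Review bot: The added empty line after the Disclaimer paragraph is trailing whitespace at end of file; drop it, a single newline at EOF is enough.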