Commit 4404b41

Update README.md
1 parent fbfdc6c commit 4404b41

1 file changed

+13
-13
lines changed

README.md

Lines changed: 13 additions & 13 deletions
@@ -1,20 +1,20 @@
11
# Shellcode Injector
22

3-
A proof-of-concept **shellcode injector** that uses *clean syscalls* to bypass user-mode hooks in **`ntdll.dll`**.
3+
A proof-of-concept **shellcode injector** that uses *clean syscalls* to bypass user-mode hooks in **ntdll.dll**.
44

55
## Goals
66

77
- **Activity obfuscation**
8-
- Inject shellcode into a target process via **raw syscalls** (ret stubs from `ntdll.dll`)
9-
- **Bypass** common user-mode hooks on Win32 APIs (`LoadLibrary`, `VirtualAlloc`, `WriteProcessMemory`, …)
8+
- Inject shellcode into a target process via **raw syscalls**
9+
- **Bypass** common user-mode hooks on Win32 APIs (LoadLibrary, VirtualAlloc, WriteProcessMemory)
1010
- **Auto-generate** & embed a shellcode payload that **downloads and executes a PE file**
1111

1212
---
1313

1414
## How It Works
1515

1616
1. Leverages the **Windows Thread Pool API** to *hide the call-stack*:
17-
- The syscall appears to originate from a *trusted* region inside **`ntdll!TpWorker`** rather than from our code.
17+
- The syscall appears to originate from a *trusted* region inside **ntdll!TpWorker** rather than from our code.
1818
2. No direct native API calls are made; instead, the injector **jumps to syscall stubs** discovered in `ntdll.dll`.
1919

2020
---
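Review bot: removing the code spans around `ntdll.dll`, `LoadLibrary`, `VirtualAlloc`, `WriteProcessMemory` and `ntdll!TpWorker` in lines 3, 9 and 17 is a style regression and leaves the section inconsistent, since line 18 in the same hunk still writes `ntdll.dll` in backticks; file names, exported functions and symbols should all stay in code spans. Line 8 also drops the parenthetical "(ret stubs from `ntdll.dll`)", which is the only place the Goals section says where the syscall stubs are taken from and which matches item 2 of "How It Works"; keep it, and keep the trailing "…" in line 9 so the API list still reads as examples rather than as a complete list of the hooks the tool claims to bypass.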
@@ -26,10 +26,10 @@ A proof-of-concept **shellcode injector** that uses *clean syscalls* to bypass u
2626
| `include/PEB.h` | Struct definitions for **PEB / TEB / LDR_MODULE** |
2727
| `include/Callbacks.h` | Prototypes & argument structs for the three syscalls |
2828
| `Callbacks.asm` | NASM routines: locate raw syscall stubs → unpack args → `syscall; ret` |
29-
| `Shellcode.h.template` | DSL (Intel syntax) between `SHELLCODE_START / END` markers |
30-
| `generate_shellcode_header.py` | Assembles the DSL → overwrites **`Shellcode.h`** with a byte array |
31-
| `main.cpp` | C++ wrapper: `EnableDebugPrivilege`, SSN lookup, Thread Pool callbacks, wrappers for<br>`NtAllocateVirtualMemory`, `NtWriteVirtualMemory`, `NtCreateThreadEx` |
32-
| `Makefile` | Automation: <br>1 Generate `Shellcode.h`<br>2 Assemble ASM routines<br>3 Compile & link → **`injector.exe`** |
29+
| `Shellcode.h.template` | DSL (Intel syntax) between SHELLCODE_START / END markers |
30+
| `generate_shellcode_header.py` | Assembles the DSL → overwrites **Shellcode.h** with a byte array |
31+
| `main.cpp` | C++ wrapper: `EnableDebugPrivilege`, SSN lookup, Thread Pool callbacks, wrappers for<br>NtAllocateVirtualMemory, NtWriteVirtualMemory, NtCreateThreadEx |
32+
| `Makefile` | Automation: <br>1 Generate `Shellcode.h`<br>2 Assemble ASM routines<br>3 Compile & link → **injector.exe** |
3333

3434
---
3535

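Review bot: lines 29-32 strip the backticks from `SHELLCODE_START / END`, `Shellcode.h`, `NtAllocateVirtualMemory`, `NtWriteVirtualMemory`, `NtCreateThreadEx` and `injector.exe`, but the same rows keep `EnableDebugPrivilege`, `Shellcode.h` (in the Makefile row) and `include/PEB.h` in code spans, so the table ends up with two conventions for the same kind of identifier. Suggest reverting these four rows and applying one rule across the table: file names, markers and function names in backticks, bold only for emphasis. While touching the Makefile row, the `<br>1 Generate ... <br>2 Assemble ... <br>3 Compile` steps would read more clearly as `1. Generate`, `2. Assemble`, `3. Compile`.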
@@ -46,16 +46,16 @@ A proof-of-concept **shellcode injector** that uses *clean syscalls* to bypass u
4646

4747
## Build & Run
4848

49-
```bash
50-
# 1) Install NASM, MSVC, Python + Keystone beforehand
49+
```
50+
1) Install NASM, MSVC, Python + Keystone beforehand
5151

52-
# 2) Generate Shellcode.h from the template
52+
2) Generate Shellcode.h from the template
5353
python generate_shellcode_header.py Shellcode.h.template Shellcode.h
5454

55-
# 3) Build everything
55+
3) Build everything
5656
make
5757

58-
# 4) Launch the injector
58+
4) Launch the injector
5959
injector.exe
6060
```
6161
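Review bot: dropping the `bash` language tag from the fence at line 49 and the `#` prefixes at lines 50, 52, 55 and 58 turns a copy-pasteable shell block into a mix of prose and commands: `1) Install NASM, MSVC, Python + Keystone beforehand` is no longer a comment, so pasting the block into a shell fails on the first line, and the reader loses syntax highlighting. Suggest restoring the ```bash fence and keeping the step descriptions as `# 1) ...` comments, or moving the numbered steps out of the fence as an ordered list and leaving only the three commands (`python generate_shellcode_header.py Shellcode.h.template Shellcode.h`, `make`, `injector.exe`) inside it.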
