A PoC shellcode injector using clean syscalls to bypass user-mode hooks in ntdll.dll.
- Activity obfuscation
- Demonstrates injecting shellcode into a process via raw `syscall; ret` stubs located in ntdll.dll
- Bypasses user-mode hooks on Win32 APIs (LoadLibrary, VirtualAlloc, WriteProcessMemory)
- Automatically generates and inserts a shellcode payload that downloads and executes a PE file
- Uses the Windows Thread Pool API to “hide” the call stack: instead of a direct syscall from the injector's own code, the call originates from a trusted region inside ntdll (tpWorker).
- No direct native API calls are made; instead, execution jumps to a syscall stub found in ntdll.
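The defensive counterpart to the points above, added here as an example that is not part of this repository: whether the injector issues the syscall directly, through a `syscall; ret` stub in ntdll, or from a thread-pool worker, the kernel-visible effects of the three native calls it wraps (NtAllocateVirtualMemory, NtWriteVirtualMemory, NtCreateThreadEx) are the same. A detection that keys on those effects, rather than on the hooked Win32 APIs the tool avoids, is therefore unaffected by the hook bypass. The telemetry, module map, process ids and field names below are constructed for the example; a real sensor (ETW, a kernel driver, or an EDR) will name and shape these events differently.

```python
"""Added example: flag the kernel-visible footprint of remote shellcode
injection in constructed telemetry, independent of how the syscalls were issued."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

RWX = "PAGE_EXECUTE_READWRITE"


@dataclass
class ModuleRange:
    """One loaded image in a process (constructed for the example)."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


@dataclass
class Event:
    """A native-call event as a hypothetical sensor might report it."""
    kind: str                      # NtAllocateVirtualMemory / NtWriteVirtualMemory / NtCreateThreadEx
    source_pid: int                # process that issued the call
    target_pid: int                # process whose memory or threads are affected
    address: int                   # allocation base, write destination, or thread start address
    protect: Optional[str] = None  # page protection, only meaningful for allocations


# Constructed module map for a hypothetical target process (pid 4242).
MODULES: Dict[int, List[ModuleRange]] = {
    4242: [
        ModuleRange("notepad.exe", 0x7FF6_4000_0000, 0x40000),
        ModuleRange("ntdll.dll", 0x7FFC_1000_0000, 0x200000),
    ],
}


def backing_module(pid: int, addr: int, modules: Dict[int, List[ModuleRange]] = MODULES) -> Optional[str]:
    """Return the name of the loaded image containing addr in pid, or None if unbacked."""
    for m in modules.get(pid, []):
        if m.contains(addr):
            return m.name
    return None


def analyze(events: List[Event], modules: Dict[int, List[ModuleRange]] = MODULES) -> List[Tuple[str, Event]]:
    """Return (reason, event) pairs for events matching the injection footprint.

    The checks look only at effects (cross-process RWX memory, writes into
    unbacked memory, threads starting outside any image), so they hold whether
    the call came from a hooked API, a raw syscall stub, or a thread-pool worker.
    """
    findings: List[Tuple[str, Event]] = []
    for ev in events:
        cross_process = ev.source_pid != ev.target_pid
        backed_by = backing_module(ev.target_pid, ev.address, modules)
        if ev.kind == "NtAllocateVirtualMemory" and cross_process and ev.protect == RWX:
            findings.append(("cross-process RWX allocation", ev))
        elif ev.kind == "NtWriteVirtualMemory" and cross_process and backed_by is None:
            findings.append(("cross-process write to unbacked memory", ev))
        elif ev.kind == "NtCreateThreadEx" and backed_by is None:
            findings.append(("thread start address outside any loaded image", ev))
    return findings


# Constructed telemetry: one benign thread inside notepad.exe, then the
# allocate -> write -> create-thread sequence from another process.
SAMPLE_EVENTS: List[Event] = [
    Event("NtCreateThreadEx", 4242, 4242, 0x7FF6_4001_2340),
    Event("NtAllocateVirtualMemory", 1337, 4242, 0x1A2B_0000, RWX),
    Event("NtWriteVirtualMemory", 1337, 4242, 0x1A2B_0000),
    Event("NtCreateThreadEx", 1337, 4242, 0x1A2B_0000),
]


if __name__ == "__main__":
    for reason, ev in analyze(SAMPLE_EVENTS):
        print(f"[!] {reason}: {ev.kind} src={ev.source_pid} dst={ev.target_pid} addr={ev.address:#x}")
```

Running the block flags the three injection events and leaves the benign thread alone. In practice the thread-start check is the most durable of the three: the thread-pool trick changes what the call stack looks like at the moment of the syscall, but it does not change where the new thread begins executing.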
- `include/PEB.h` — Definitions for PEB/TEB structures and LDR_MODULE
- `include/Callbacks.h` — Prototypes for callbacks and argument structs for the three syscalls
- `Callbacks.asm` — NASM routines: locate raw syscall stubs and unpack arguments → `syscall; ret`
- `Shellcode.h.template` — DSL (Intel syntax) between SHELLCODE_START/SHELLCODE_END markers
- `generate_shellcode_header.py` — Assembles the DSL from the template and overwrites `Shellcode.h` with a byte array
- `main.cpp` — C++ wrapper: EnableDebugPrivilege, SSN lookup, ThreadPool callbacks, wrappers for NtAllocateVirtualMemory, NtWriteVirtualMemory, NtCreateThreadEx
- `Makefile` — Automation for:
  - Generating `Shellcode.h`
  - Assembling ASM routines
  - Compiling and linking into `injector.exe`
- Windows x64 MSVC / Visual Studio Build Tools
- NASM (`-f win64`)
- Python 3.x + keystone-engine
  - `pip install keystone-engine`
- Install the dependencies: NASM, MSVC, Python + Keystone
- Generate `Shellcode.h` from the template: `python generate_shellcode_header.py Shellcode.h.template Shellcode.h`
- Build the project: `make`
- Run the injector: `injector.exe`
This repository is provided for educational purposes only and intended for authorized security research. Use of these materials in unauthorized or illegal activities is strictly prohibited.