🛠 Adventures in Shellcode Obfuscation
This series of articles explores various methods for hiding shellcode, emphasizing techniques to avoid detection. The focus is on demonstrating diverse approaches to conceal shellcode.
🔗 Part 1: Overview
🔗 Part 2: Hail Caesar
🔗 Part 3: Encryption
🔗 Part 4: RC4 with a Twist
🔗 Part 5: Base64
🔗 Part 6: Two Array Method
#shellcode #obfuscation #clang #maldev
If you want to take a happy little journey through PEB structs, PE headers and kernel32.dll Export Table to spawn some "calc.exe" on x64 using Assembly, here it is.
📚 What you will learn:
— WinAPI function manual location with Assembly;
— PEB Structure and PEB_LDR_DATA;
— PE File Structure;
— Relative Virtual Address calculation;
— Export Address Table (EAT);
— Windows x64 calling-convention in practice;
— Writing in Assembly like a real Giga-Chad...
🔗 Source:
https://print3m.github.io/blog/x64-winapi-shellcoding
#maldev #winapi #x64 #shellcode #assembly
The Anti-EDR Compendium
#edr #shellcode #loader #bypass @reconcore
EDR functionality and bypasses in 2024, with a focus on an undetected shellcode loader.
Ghost: Shellcode Loader
Ghost is a shellcode loader project designed to bypass multiple detection capabilities that are usually implemented by an EDR.
#edr #shellcode #loader #kernel #memory #evasion @reconcore
Features:
— Bypassing kernel callbacks with fiber threads
— Stack spoofing (Return Address Spoofing and Function Hooking)
— Hiding shellcode within large, randomized memory regions
— Disabling ETW
— Removing EDR function hooks with suspended processes
— Custom API hashing for resolving functions
AlphabeticalPolyShellGen
Generates and executes a polymorphic shellcode variant of a specified shellcode file.
#shellcode
DotnetNoVirtualProtectShellcodeLoader
Load shellcode without a P/Invoke or D/Invoke call and without calling VirtualProtect.
How
This code leverages built-in .NET functionality to allocate an RWX memory region and overwrite a C# method with your own shellcode using the RuntimeHelpers.PrepareMethod(handle) method.
#github #shellcode #loader #methods @reconcore
GitHub - Mr-Un1k0d3r/DotnetNoVirtualProtectShellcodeLoader: load shellcode without P/D Invoke and VirtualProtect call.
Invoke-SPSI - Simple PowerShell Shellcode Injector
Basic PowerShell script that decrypts an XOR-encrypted payload in memory, then uses a .NET-based D/Invoke implementation to call Win32 APIs for injecting shellcode into a remote process.
#github #tools #shellcode #payload #powershell #injector @reconcore
GitHub - t1Sh1n4/Invoke-SPSI: Invoke-SPSI - Simple PowerShell Shellcode Injector
AsmLdr
#shellcode #payload #loader #edr #evasion @reconcore
Dynamic shellcode loader with sophisticated evasion capabilities.
PIC Shellcode from the Ground up - Part 1
November 5, 2025
PIC Shellcode from the Ground up - Part 2
November 25, 2025
#shellcode #cpp #pic @reconcore
G3tSyst3m's Infosec Blog
Linux hacking part 9: Linux password-protected reverse shell. Simple NASM example
#assembly #linux #malware #redteam #shellcode #blueteam #purpleteam @reconcore
AMSI-Bypass-via-Page-Guard-Exceptions
Blog post: Patchless AMSI Bypass via Page Guard Exceptions
#research #bypass #amsi #av #shellcode #poc @reconcore
Shellcode and In-PowerShell solution for patching AMSI via Page Guard Exceptions
Hands-on | Evading memory scanning through VEH exception handling to achieve AV evasion
I used to have the misconception that sleep evasion required a toolkit or modifying beacon.c, but it turns out hooking Sleep (hooksleep) is enough. If you need to remotely inject into another process, you can inject a complete PE with hook functionality and then load the C2 shellcode inside it.
However, private memory being repeatedly modified with VirtualProtect is also rather suspicious, so it is better to split the shellcode up and write it into code caves of the image; that way you do not even need sleep obfuscation.
Study notes - hooksleep - 28 November 2023
#c2 #beacon #shellcode @reconcore
小玉玉's Blog
2Pack Rust Based PE & Shellcode Packer
#pe #malware #shellcode @reconcore
2Pack is a simple packing tool designed for malware hobbyists. It supports both PE files (EXE/DLL) and raw shellcode. The tool employs multiple layers of protection including AES encryption, XOR obfuscation, and compression before embedding payloads in the .rsrc sections of template loaders.
Living off the Process
Code from Blog
#technique #shellcode #asm @reconcore
This is a technique that does as the name implies: We use what is already available to us in the remote process of our choosing to accomplish a given goal. In this case, the goal will be to write shellcode indirectly into the remote process with as low of a footprint as possible. When I say indirectly, I mean we won’t be using WriteProcessMemory to write the shellcode. That API does play a small role, but ultimately we will be indirectly writing our shellcode in 8 byte chunks using ROP gadgets and assembly stubs all made available in the remote process. We will also avoid the creation of RWX regions of memory.