offensive-shellcode
# ClaudeWave Item Description

**offensive-shellcode** is a comprehensive reference for developing position-independent shellcode and loaders for Windows and Linux platforms. Use this skill when writing custom x86/x64 assembly payloads, implementing PEB walking for API resolution, avoiding null bytes and antivirus detection, encoding payloads, or building shellcode loaders that safely allocate and execute code in memory.
```bash
git clone --depth 1 https://github.com/SnailSploit/Claude-Red /tmp/offensive-shellcode && cp -r /tmp/offensive-shellcode/Skills/infrastructure/offensive-shellcode ~/.claude/skills/offensive-shellcode
```

SKILL.md
## Shellcode Development Workflow

1. Define concept and target platform (x86/x64, Windows/Linux/macOS)
2. Write assembly using position-independent techniques
3. Extract the raw binary and test it in a controlled environment
4. Apply null byte avoidance and optimizations
5. Encode/encrypt to evade static detection
6. Package with a loader and choose the delivery method

---

## Basic Concepts

### Execution Pattern (Allocate-Write-Execute)

Avoid allocating `PAGE_EXECUTE_READWRITE` directly; prefer:

1. Allocate with `PAGE_READWRITE`
2. Write the shellcode to the allocated region
3. Call `VirtualProtect` to switch to `PAGE_EXECUTE_READ`

```c
DWORD old;
char *dest = VirtualAlloc(NULL, 0x1234, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
if (!dest) return;                                       // allocation failed
memcpy(dest, shellcode, 0x1234);                         // write while the region is still RW
VirtualProtect(dest, 0x1234, PAGE_EXECUTE_READ, &old);   // RW -> RX; the region is never RWX
((void (*)(void))dest)();
```

### Position-Independent Code (PIC) Techniques

| Method | Platform | Notes |
|--------|----------|-------|
| Call/Pop | Windows (works on Linux too) | `call` pushes the return address; `pop` it into a register |
| FPU state | Windows | `fstenv` saves the address of the last FPU instruction |
| SEH | Windows | Exception handler reads EIP from the context record |
| GOT | Linux | Global Offset Table |
| VDSO | Linux | Kernel-provided shared object |

---

## Windows API Resolution (PEB Walk)

Identifying `kernel32.dll` without imports:

1. Get the `PEB` via `gs:[0x60]` (x64) or `fs:[0x30]` (x86)
2. Walk `PEB->Ldr.InMemoryOrderModuleList`; the order is exe → ntdll → kernel32
3. Hash-compare module names (`BaseDllName`) to locate `kernel32`
4. Parse its Export Address Table (EAT)
5. Find `GetProcAddress` by name hash, then resolve `LoadLibraryA`
6. Use `LoadLibraryA` to load `WS2_32.dll` and resolve the Winsock functions

**WinDbg helpers for debugging the PEB walk:**

```text
dt nt!_TEB -y ProcessEnvironmentBlock @$teb
dt nt!_PEB -y Ldr <peb_addr>
dt -r _PEB_LDR_DATA <ldr_addr>
dt _LDR_DATA_TABLE_ENTRY (<inmemory_flink_addr> - 0x10)
lm m kernel32      # verify base address
r @r8              # check register
```

The `- 0x10` rewinds from the `InMemoryOrderLinks` field to the start of the `_LDR_DATA_TABLE_ENTRY` (the field sits at offset 0x10 on x64, 0x8 on x86).

---

## Shellcode Loaders

### Loader Responsibilities

- Environment verification / keying (sandbox detection)
- Shellcode decryption
- Safe memory allocation and injection
- Ends its duties after injecting

**Recommended languages:** Zig (small, no runtime), Rust (secure), Nim, Go (watch for runtime signatures)

### Allocation Phase

Avoid `RWX` allocations; use two steps:

- `VirtualAllocEx` / `NtAllocateVirtualMemory` to allocate `RW`
- `ZwCreateSection` + `NtMapViewOfSection` as an alternative approach
- After writing: `VirtualProtectEx` to switch to `RX`

**Other options:** code caves, stack/heap (only with DEP disabled)

### Write Phase

- `WriteProcessMemory` / `NtWriteVirtualMemory`
- `memcpy` to a mapped section

**Evasion tips:**

- Prepend the shellcode with dummy opcodes
- Split into chunks and write them in randomized order
- Add delays between writes

### Execute Phase

The most scrutinized step: EDR checks the thread start address against image-backed memory.

| Technique | Notes |
|-----------|-------|
| `CreateRemoteThread` / `ZwCreateThreadEx` | Loud, heavily monitored |
| `NtSetContextThread` | Hijack a suspended thread |
| `NtQueueApcThreadEx` | APC injection |
| API trampolines | Overwrite a function prologue |
| ThreadlessInject | No new threads created |

**Indirect execution resources:**

- [FlavorTown](https://github.com/Wra7h/FlavorTown)
- [AlternativeShellcodeExec](https://github.com/aahmad097/AlternativeShellcodeExec)
- [ThreadlessInject](https://github.com/epi052/ThreadlessInject)

---

## PE-to-Shellcode Conversion

| Tool | Purpose |
|------|---------|
| [Donut](https://github.com/TheWover/donut) | EXE/DLL → shellcode |
| [sRDI](https://github.com/monoxgas/sRDI) | DLL → position-independent shellcode |
| [Pe2shc](https://github.com/hasherezade/pe_to_shellcode) | PE → shellcode |
| [Amber](https://github.com/EgeBalci/amber) | Reflective PE packer |

**Open-source loaders:**

- [ScareCrow](https://github.com/optiv/ScareCrow)
- [NimPackt-v1](https://github.com/chvancooten/NimPackt-v1)
- [NullGate](https://github.com/specterops/NullGate): indirect syscalls + junk-write sequencing
- [DripLoader](https://github.com/xuanxuan0/DripLoader): chunked RW writes + direct syscalls + JMP trampoline
- [ProtectMyTooling](https://github.com/mgeeky/ProtectMyTooling): chain multiple protections
- Direct-syscall helpers: SysWhispers3, FreshyCalls (now baseline requirements)

---

## Shellcode Storage & Hiding

| Location | Risk | Notes |
|----------|------|-------|
| Hardcoded byte array | Medium | Requires recompile; lands in `.data` (RW) or `.rdata` (RO), not `.text` |
| PE Resources (`RCDATA`) | High | Most scanned by AV |
| Extra PE section | Medium | Use the second-to-last section |
| Certificate Table | Low | Keeps the signed PE's signature intact |
| Internet-hosted | Variable | [SharpShooter](https://github.com/mdsecactivebreach/SharpShooter) |

**Certificate Table technique** (recommended):

- Pad the Certificate Table with the shellcode bytes and update the PE headers
- Backdoor only the loader DLL (e.g., `ffmpeg.dll` loaded by `teams.exe`)
- The main executable's signature remains valid; only the DLL's signature breaks

**Protection:** Compress with LZMA; encrypt with XOR32, RC4, or AES before storing.

> **Windows 11 24H2 note:** AMSI heap scanning is active. Keep the stored blob `PAGE_NOACCESS` while idle, flip it to `PAGE_READWRITE` only long enough to decrypt in place, then switch to `PAGE_EXECUTE_READ`, so plaintext never sits on a readable heap during a scan.

---

## Evasion

### Progressive Evasion Escalation

1. Basic shellcode execution (baseline)
2. Add XOR/AES encryption + obfuscation
3. Direct syscalls to bypass userland hooks
4. Remote process injection as a last resort

### Local vs Remote Injection

Remote injection is more detectable:

- `CFG` / `CIG` enforcement
- ETW Ti feeds
- EDR call-stack back-tracing (`NtOpenProcess` invocation source)
- More scrutinized steps: OpenProcess → Allocate → Write → Execute

**Defender bypass tools** ([DefenderBypass](https://github.com/hackmosphere/DefenderBypass)):

- `myEncoder3.py`: XOR-encrypt binary shellcode
- `InjectBasic.cpp`: basic C++ injector
- `InjectCryptXOR.cpp`: XOR decrypt + inject
- `InjectSyscall-LocalProcess.cpp`: direct syscalls, no susp
Active Directory attack methodology for internal network red team engagements. Covers reconnaissance (BloodHound, PowerView, ADExplorer), credential abuse (Kerberoasting, ASREProasting, NTLM relay, LLMNR/NBT-NS poisoning), privilege escalation (ACL abuse, GPO abuse, unconstrained/constrained delegation), lateral movement (Pass-the-Hash, Pass-the-Ticket, Overpass-the-Hash, WMI/WinRM/PsExec), persistence (Golden/Silver/Diamond Tickets, DCSync, DCShadow, AdminSDHolder, Skeleton Key), forest trust attacks, ADCS abuse (ESC1-ESC15), and modern MDI/Defender for Identity evasion. Use when assessing on-prem AD, hybrid AD/Entra ID environments, or ADCS deployments.
JWT attack methodology for penetration testers. Covers algorithm confusion (alg:none, RS256→HS256), weak HMAC secret brute force, kid parameter injection (SQLi, path traversal), jku/x5u/jwk header injection, JWKS cache poisoning, JWS/JWE confusion, timing attacks, and mobile JWT storage extraction. Use when testing JWT-based authentication, hunting auth bypass via token manipulation, or evaluating JWT implementation security in web or mobile apps.
Cloud security attack methodology covering AWS, Azure, and GCP. Includes credential harvesting (IMDS, ~/.aws, env vars, leaked CI secrets, instance roles), enumeration with cloud-specific tools (pacu, ScoutSuite, Prowler, ROADtools, gcp_enum), privilege escalation paths (IAM PassRole, AssumeRole chains, Lambda/Functions privilege flips, Azure Owner-on-self, GCP serviceAccountTokenCreator), persistence techniques (IAM user/key creation, AAD app registration, GCP svc account key creation, EventBridge/Logic Apps backdoors), data exfiltration (S3/Blob/GCS, snapshot share, RDS/CosmosDB/Cloud SQL exfil), cloud-native lateral movement (cross-account assume, Azure AD multi-tenant, GCP project hierarchy), serverless attacks (Lambda env vars, layer hijack, Step Functions), Kubernetes-on-cloud (EKS/AKS/GKE-specific paths to node and AWS metadata), and CSPM evasion (CloudTrail blind spots, GuardDuty mute, Sentinel rule shaping). Use when the engagement scope is cloud accounts, when you've stolen cloud credentials, or when assessing cloud posture.