{"id":17383323,"url":"https://github.com/evilbytecode/ebyte-shellcode-loader","last_synced_at":"2025-04-15T09:45:16.802Z","repository":{"id":257470293,"uuid":"858370484","full_name":"EvilBytecode/EByte-Shellcode-Loader","owner":"EvilBytecode","description":"shellcode loader that uses indirect syscalls written in D Lang The loader bypasses user-mode hooks by resolving system calls manually from NTDLL using a hash-based method.","archived":false,"fork":false,"pushed_at":"2024-09-16T19:28:41.000Z","size":145,"stargazers_count":9,"open_issues_count":0,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-03-28T18:54:11.548Z","etag":null,"topics":["av-evasion","evasion","fud","indirect-syscall","indirect-syscalls","shellcode","shellcode-laoder","shellcode-runner"],"latest_commit_sha":null,"homepage":"","language":"D","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/EvilBytecode.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-09-16T19:22:08.000Z","updated_at":"2025-03-18T17:59:34.000Z","dependencies_parsed_at":"2024-09-17T00:38:35.414Z","dependency_job_id":"b262f9d8-a7ad-4c1a-9be5-5d80dbdf85f7","html_url":"https://github.com/EvilBytecode/EByte-Shellcode-Loader","commit_stats":null,"previous_names":["evilbytecode/ebyte-shellcode-loader"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/EvilBytecode%2FEByte-Shellcode-Loader","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/EvilBytecode%2FEByte-Shellcode-Loader/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/EvilBytecode%2FEByte-Shellcode-Loader/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/EvilBytecode%2FEByte-Shellcode-Loader/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/EvilBytecode","download_url":"https://codeload.github.com/EvilBytecode/EByte-Shellcode-Loader/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":249048086,"owners_count":21204303,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["av-evasion","evasion","fud","indirect-syscall","indirect-syscalls","shellcode","shellcode-laoder","shellcode-runner"],"created_at":"2024-10-16T07:41:17.608Z","updated_at":"2025-04-15T09:45:16.767Z","avatar_url":"https://github.com/EvilBytecode.png","language":"D","readme":"# EByte-Shellcode-Loader\n\n**EByte-Shellcode-Loader** is a shellcode loader that uses indirect syscalls written in **D language**. The loader bypasses user-mode hooks by resolving system calls manually from NTDLL using a hash-based method. The project includes various tools written in **Go** and **Python** to generate shellcode from executables and automate the shellcode extraction and loader compilation process.\n\n## Project Structure\n\nThe project consists of the following files:\n\n- **`syscalls.d`**: Implements indirect syscalls using manually resolved system calls from NTDLL. It uses a hash-based approach to identify syscalls like `NtAllocateVirtualMemory`, `NtWriteVirtualMemory`, and `NtCreateThreadEx`.\n  \n- **`loader.d`**: The main loader script written in **D**. It uses the syscalls implemented in `syscalls.d` to allocate memory, write shellcode, change memory protections, and execute the shellcode via a newly created thread.\n\n- **`donut.exe`**: A tool for generating shellcode from an executable (PE file). The shellcode is position-independent and can be injected using the loader.\n\n- **`generate_bin_file.go`**: A **Go** script that automates the generation of a binary file from an executable using the Donut tool. This binary file will then be used for shellcode extraction.\n\n- **`generate_shellcode_and_compile.py`**: A **Python** script that automates the extraction of shellcode from a binary file and compiles the loader with the extracted shellcode.\n\n## Usage\n\n### Prerequisites\n\n- **D Language Compiler (`dmd`)**: To compile the D scripts (`loader.d` and `syscalls.d`).\n- **Go**: To run the Go script that generates binary files from executables.\n- **Python**: To execute the script for shellcode extraction and loader compilation.\n- **Donut**: The Donut tool (`donut.exe`) is used to generate shellcode from executables.\n\n### License:\nApache License 2.0\n\n## Detections (Static : Virustotal) (Runtime: Scanner.to) :\n![image](https://github.com/user-attachments/assets/da6a788b-2712-4ce9-8473-57ecf1a0e21b)\n![image](https://github.com/user-attachments/assets/c1d03232-e696-4062-80dc-d9f497466e92)\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fevilbytecode%2Febyte-shellcode-loader","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fevilbytecode%2Febyte-shellcode-loader","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fevilbytecode%2Febyte-shellcode-loader/lists"}