{"id":17383393,"url":"https://github.com/gemesa/shadow-shell","last_synced_at":"2025-10-29T18:05:41.599Z","repository":{"id":204966758,"uuid":"712871379","full_name":"gemesa/shadow-shell","owner":"gemesa","description":"Cyber lab designed for analyzing shellcode and supporting malware analysis","archived":false,"fork":false,"pushed_at":"2025-07-27T14:57:55.000Z","size":208,"stargazers_count":8,"open_issues_count":0,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-07-27T16:46:12.577Z","etag":null,"topics":["aarch64","amd64","arm64","assembly","exploit","frida","frida-scripts","malware-analysis","malware-research","reverse-engineering","rust","shellcode","shellcode-development","stack-smashing","x64","x86-64"],"latest_commit_sha":null,"homepage":"https://shadowshell.io/","language":"Assembly","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/gemesa.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2023-11-01T11:26:15.000Z","updated_at":"2025-07-27T14:57:59.000Z","dependencies_parsed_at":"2024-06-01T10:59:17.630Z","dependency_job_id":"bb05edc9-3f38-4dec-93aa-5babdc0cf8a1","html_url":"https://github.com/gemesa/shadow-shell","commit_stats":null,"previous_names":["gemesa/shadow-shell"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/gemesa/shadow-shell","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gemesa%2Fshadow-shell","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gemesa%2Fshadow-shell/tags","release
s_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gemesa%2Fshadow-shell/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gemesa%2Fshadow-shell/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/gemesa","download_url":"https://codeload.github.com/gemesa/shadow-shell/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gemesa%2Fshadow-shell/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":267997183,"owners_count":24178251,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-07-31T02:00:08.723Z","response_time":66,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aarch64","amd64","arm64","assembly","exploit","frida","frida-scripts","malware-analysis","malware-research","reverse-engineering","rust","shellcode","shellcode-development","stack-smashing","x64","x86-64"],"created_at":"2024-10-16T07:41:30.065Z","updated_at":"2025-10-29T18:05:36.547Z","avatar_url":"https://github.com/gemesa.png","language":"Assembly","readme":"# Introduction\n\nshadow-shell is a cyber lab designed for:\n\n- analyzing shellcode\n- supporting malware analysis\n\n# Repository structure\n\nThe repository contains two main parts:\n\n- **arsenal**: command line tools to support malware analysis\n    - `shexec`: a shellcode runner that can be combined with other tools like 
`strace` (Linux), `ProcMon` and `TCPView` (Windows) to analyze shellcode functionality\n    - `stalk-syscalls.js`: A Frida syscall tracer script that can be used as an alternative to `strace`\n- **lab**: experimental code snippets; some are documented while others are not\n\n:warning: You should **never** execute untrusted shellcode on your system. Use an emulator, hardened VM or container for this purpose.\n\n```\narsenal/\n├── linux/\n│   ├── arm64/\n│   │   ├── shexec.s: Linux ARM64 shellcode runner\n│   │   ├── shcode-hello.s: Linux ARM64 shellcode that prints \"Hello!\"\n│   │   ├── shcode-shell.s: Linux ARM64 shellcode that opens a shell\n│   │   └── stalk-syscalls.js: Frida ARM64 syscall tracer script\n│   ├── x64/\n│   │   ├── shexec.s: Linux x64 shellcode runner\n│   │   ├── shcode-hello.s: Linux x64 shellcode that prints \"Hello, World!\"\n│   │   ├── shcode-shell.s: Linux x64 shellcode that opens a shell\n│   │   └── stalk-syscalls.js: Frida x64 syscall tracer script\n│   └── shexec.c: Linux shellcode runner (used as a reference while implementing shexec.s for different architectures)\n└── windows/\n    └── shexec.c: Windows shellcode runner\n```\n\n```\nlab/\n├── linux/\n│   └── frida/: experimental Frida scripts\n└── windows/\n    └── shellcode/: proof of concept for basic shellcode execution\n```\n\nThe POC is documented in detail on my blog:\n\n- https://shadowshell.io/diving-into-shellcodes\n\n# Workflow\n\n## Shellcode analysis\n\n1. **Emulate the shellcode**  \n   Use an emulator like [Qiling](https://github.com/qilingframework/qiling) to analyze the shellcode.\n\n2. **Fallback to `shexec` + `strace` / `shexec` + `Sysinternals`**  \n   If you suspect the shellcode may detect the emulator (and behave differently as a result), switch to using `shexec` with `strace` (Linux) or `shexec` + `Sysinternals` (Windows).\n\n3. **Fallback to `frida`**  \n   If the shellcode seems to detect tracing by `strace` or `Sysinternals`, use `frida`.\n\n4. **Fallback to eBPF tracing (Linux only)**  \n   If the shellcode seems to detect tracing by `frida`, use [eBPF tracing](https://github.com/gemesa/sys-scout). If you do not want to implement the eBPF probes yourself, you can use tools like [Stratoshark](https://wiki.wireshark.org/Stratoshark).\n\n# How to build\n\n## Prerequisites\n\n```\n$ sudo dnf install docker\n$ sudo dnf install mingw64-gcc\n$ sudo dnf install llvm\n$ pip install frida-tools\n$ rustup target add x86_64-pc-windows-gnu\n```\n\n## x64 codebase\n\n```\n$ make x64\n```\n\n## ARM64 codebase\n\nI have an x64 PC, so to quickly build ARM64 binaries my preference is to use an ARM64v8 Docker container.\n\n```\n$ sudo docker build --platform=linux/arm64 -t arm64 .\n$ sudo docker run --platform=linux/arm64 --user $(id -u):$(id -g) --rm -it -v \"$(pwd)\":/workspace arm64 /bin/bash\n$ make arm64\n```\n\nThe image is also available on Docker Hub:\n\n```\n$ docker pull gemesa/arm64:latest\n```\n\nAlternatively, an ARM64 cross-compiler can be used.\n\n```\n$ dnf search *aarch64*\n$ sudo dnf install gcc-aarch64-linux-gnu\n$ sudo dnf install binutils-aarch64-linux-gnu\n$ sudo dnf install sysroot-aarch64-fc41-glibc\n```\n\nQuick guide:\n\n```\n$ aarch64-linux-gnu-gcc -L /usr/aarch64-redhat-linux/sys-root/fc41/lib64 -L /usr/aarch64-redhat-linux/sys-root/fc41/lib --sysroot=/usr/aarch64-redhat-linux/sys-root/fc41 arsenal/linux/arm64/shexec.s -o shexec\n$ aarch64-linux-gnu-as arsenal/linux/arm64/shcode-hello.s -o shcode-hello.o\n$ aarch64-linux-gnu-ld shcode-hello.o -o shcode-hello\n$ llvm-objcopy -O binary --only-section=.text shcode-hello shcode-hello.bin\n```\n\nTo build the ARM64 binaries, simply use the following command (ensure that the ARM64 cross-compiler is installed):\n\n```\n$ make arm64x\n```\n\n# How to run\n\n## Linux ARM64\n\n### `shexec`\n\n#### `strace` (QEMU)\n\n```\n$ sudo dnf install qemu-user\n$ sudo dnf install qemu-user-static\n$ dnf search *aarch64*\n$ sudo dnf install qemu-system-aarch64\n$ 
sudo dnf install qemu-system-aarch64-core\n$ sudo dnf install qemu-user-static-aarch64\n```\n\n```\n$ qemu-aarch64 -L /usr/aarch64-redhat-linux/sys-root/fc41/usr build/linux/arm64x/shexec build/linux/arm64x/shcode-hello.bin\nfile size: 52 bytes\nHello!\n$ strace qemu-aarch64 -L /usr/aarch64-redhat-linux/sys-root/fc41/usr build/linux/arm64x/shexec build/linux/arm64x/shcode-hello.bin\n...\nmprotect(0x7f4956b7c000, 4096, PROT_READ) = 0\nwrite(1, \"Hello!\\n\", 7Hello!\n)                 = 7\nrt_sigprocmask(SIG_SETMASK, ~[RTMIN RT_1], NULL, 8) = 0\nexit_group(0)                           = ?\n+++ exited with 0 +++\n```\n\n#### `gdb` (QEMU)\n\n```\n$ qemu-aarch64 -L /usr/aarch64-redhat-linux/sys-root/fc41/usr -g 1234 build/linux/arm64x/shexec build/linux/arm64x/shcode-hello.bin \u0026\n$ gdb\ngef➤  set architecture aarch64\ngef➤  target remote localhost:1234\n(remote) gef➤ b _start\n(remote) gef➤ c\n```\n\n#### `strace` (Docker on arm64 host)\n\n```\n$ sudo docker build --platform=linux/arm64 -t arm64 .\n$ sudo docker run --platform=linux/arm64 --user $(id -u):$(id -g) --rm -it -v \"$(pwd)\":/workspace arm64 /bin/bash\n$ strace build/linux/arm64/shexec build/linux/arm64/shcode-hello.bin\n...\nopenat(AT_FDCWD, \"build/linux/arm64/shcode-hello.bin\", O_RDONLY) = 3\nfstat(3, {st_mode=S_IFREG|0755, st_size=52, ...}) = 0\nfstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(0x88, 0), ...}) = 0\ngetrandom(\"\\x96\\x76\\xa8\\x10\\x42\\x3b\\x3b\\x85\", 8, GRND_NONBLOCK) = 8\nbrk(NULL)                               = 0x556f3c0000\nbrk(0x556f3e1000)                       = 0x556f3e1000\nwrite(1, \"file size: 52 bytes\\n\", 20file size: 52 bytes\n)   = 20\nmmap(NULL, 52, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f987c6000\nread(3, \"\\1\\251\\214\\322\\201\\215\\255\\362\\341-\\304\\362A\\1\\340\\362\\341\\217\\37\\370 \\0\\200\\322\\341\\3\\0\\221\\342\\0\\200\\322\"..., 52) = 52\nclose(3)                                = 0\nmprotect(0x7f987c6000, 52, 
PROT_READ|PROT_WRITE|PROT_EXEC) = 0\nwrite(1, \"Hello!\\n\", 7Hello!\n)                 = 7\nexit(0)                                 = ?\n+++ exited with 0 +++\n```\n\n#### `strace` (native)\n\n```\n$ ./build/linux/arm64/shexec build/linux/arm64/shcode-hello.bin\nfile size: 52 bytes\nHello!\n$ echo $$\n1918\n$ ./build/linux/arm64/shexec build/linux/arm64/shcode-shell.bin\nfile size: 40 bytes\n$ echo $$\n19341\n$ exit\n$ strace ./build/linux/arm64/shexec build/linux/arm64/shcode-hello.bin\n...\nopenat(AT_FDCWD, \"build/linux/arm64/shcode-hello.bin\", O_RDONLY) = 3\nnewfstatat(3, \"\", {st_mode=S_IFREG|0755, st_size=52, ...}, AT_EMPTY_PATH) = 0\nnewfstatat(1, \"\", {st_mode=S_IFCHR|0620, st_rdev=makedev(0x88, 0), ...}, AT_EMPTY_PATH) = 0\ngetrandom(\"\\x20\\xc3\\xbe\\x6a\\x9d\\x68\\x76\\xf9\", 8, GRND_NONBLOCK) = 8\nbrk(NULL)                               = 0x55754e8000\nbrk(0x5575509000)                       = 0x5575509000\nwrite(1, \"file size: 52 bytes\\n\", 20file size: 52 bytes\n)   = 20\nmmap(NULL, 52, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7facfe6000\nread(3, \"\\1\\251\\214\\322\\201\\215\\255\\362\\341-\\304\\362A\\1\\340\\362\\341\\217\\37\\370 \\0\\200\\322\\341\\3\\0\\221\\342\\0\\200\\322\"..., 52) = 52\nclose(3)                                = 0\nmprotect(0x7facfe6000, 52, PROT_READ|PROT_WRITE|PROT_EXEC) = 0\nwrite(1, \"Hello!\\n\", 7Hello!\n)                 = 7\nexit(0)                                 = ?\n```\n\n#### `frida` (native)\n\n```\n$ frida -l arsenal/linux/arm64/stalk-syscalls.js -f build/linux/arm64/shexec build/linux/arm64/shcode-hello.bin\n     ____\n    / _  |   Frida 16.5.9 - A world-class dynamic instrumentation toolkit\n   | (_| |\n    \u003e _  |   Commands:\n   /_/ |_|       help      -\u003e Displays the help system\n   . . . .       object?   -\u003e Display information about 'object'\n   . . . .       exit/quit -\u003e Exit\n   . . . .\n   . . . .   More info at https://frida.re/docs/home/\n   . . . 
.\n   . . . .   Connected to Local System (id=local)\nSpawned `build/linux/arm64/shexec build/linux/arm64/shcode-hello.bin`. Resuming main thread!\nfile size: 52 bytes\nsyscall @ 0x7f94453ac8, X8: 0xe2 (226)\n[Local::shexec ]-\u003e syscall @ 0x7f9452d024, X8: 0x40 (64) -\u003e write()\n    X0: 0x1\n    X1: Hello!\n\n    X2: 0x7\nProcess terminated\n[Local::shexec ]-\u003e\n\nThank you for using Frida!\n```\n\n#### `frida` (Docker on arm64 host)\n\n```\n$ sudo docker build --platform=linux/arm64 -t arm64 .\n$ sudo docker run --platform=linux/arm64 --user $(id -u):$(id -g) --rm -it -v \"$(pwd)\":/workspace arm64 /bin/bash\n$ frida -l arsenal/linux/arm64/stalk-syscalls.js -f build/linux/arm64/shexec build/linux/arm64/shcode-hello.bin\n     ____\n    / _  |   Frida 16.5.9 - A world-class dynamic instrumentation toolkit\n   | (_| |\n    \u003e _  |   Commands:\n   /_/ |_|       help      -\u003e Displays the help system\n   . . . .       object?   -\u003e Display information about 'object'\n   . . . .       exit/quit -\u003e Exit\n   . . . .\n   . . . .   More info at https://frida.re/docs/home/\n   . . . .\n   . . . .   Connected to Local System (id=local)\nSpawned `build/linux/arm64/shexec build/linux/arm64/shcode-hello.bin`. 
Resuming main thread!\nfile size: 52 bytes\nsyscall @ 0x7f9d977b08, X8: 0xe2 (226)\n[Local::shexec ]-\u003e syscall @ 0x7f9da4f024, X8: 0x40 (64) -\u003e write()\n    X0: 0x1\n    X1: Hello!\n\n    X2: 0x7\nProcess terminated\n[Local::shexec ]-\u003e\n\nThank you for using Frida!\n```\n\n## Linux x64\n\n### `shexec`\n\n#### `strace` (QEMU)\n\n```\n$ sudo dnf install qemu-user\n$ sudo dnf install qemu-user-static\n```\n\n```\n$ qemu-x86_64 build/linux/x64/shexec build/linux/x64/shcode-hello.bin\nfile size: 57 bytes\nHello, World!\n$ strace qemu-x86_64 build/linux/x64/shexec build/linux/x64/shcode-hello.bin\n...\nmprotect(0x7f6f75e27000, 4096, PROT_READ) = 0\nwrite(1, \"Hello, World!\\n\\0\", 15Hello, World!\n)       = 15\nrt_sigprocmask(SIG_SETMASK, ~[RTMIN RT_1], NULL, 8) = 0\nexit_group(0)                           = ?\n+++ exited with 0 +++\n```\n\n#### `gdb` (QEMU)\n\n```\n$ qemu-x86_64 -g 1234 build/linux/x64/shexec build/linux/x64/shcode-hello.bin \u0026\n$ gdb\ngef➤  target remote localhost:1234\n(remote) gef➤ b _start\n(remote) gef➤ c\n```\n\n#### `strace` (Docker on x64 host)\n\n```\n$ sudo docker build -f Dockerfile-x64 -t x64 .\n$ sudo docker run --user $(id -u):$(id -g) --rm -it -v \"$(pwd)\":/workspace x64 /bin/bash\n$ strace build/linux/x64/shexec build/linux/x64/shcode-hello.bin\n...\nopenat(AT_FDCWD, \"build/linux/x64/shcode-hello.bin\", O_RDONLY) = 3\nfstat(3, {st_mode=S_IFREG|0755, st_size=57, ...}) = 0\nfstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(0x88, 0), ...}) = 0\ngetrandom(\"\\x02\\xc8\\x9f\\xe0\\xfd\\xfa\\x65\\x34\", 8, GRND_NONBLOCK) = 8\nbrk(NULL)                               = 0x55d90b4ff000\nbrk(0x55d90b520000)                     = 0x55d90b520000\nwrite(1, \"file size: 57 bytes\\n\", 20file size: 57 bytes\n)   = 20\nmmap(NULL, 57, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f3a41a40000\nread(3, \"H\\307\\300\\1\\0\\0\\0H\\307\\307\\1\\0\\0\\0H\\2155\\25\\0\\0\\0H\\307\\302\\17\\0\\0\\0\\17\\5H\\307\"..., 57) = 
57\nclose(3)                                = 0\nmprotect(0x7f3a41a40000, 57, PROT_READ|PROT_WRITE|PROT_EXEC) = 0\nwrite(1, \"Hello, World!\\n\\0\", 15Hello, World!\n)       = 15\nexit(0)                                 = ?\n+++ exited with 0 +++\n```\n\n#### `strace` (native)\n\n```\n$ ./build/linux/x64/shexec build/linux/x64/shcode-hello.bin\nfile size: 57 bytes\nHello, World!\n$ msfvenom -p linux/x64/exec CMD='echo \\\"Hello, World!\\\"' -f raw -o shellcode.bin\n$ ./build/linux/x64/shexec shellcode.bin\nfile size: 57 bytes\nHello, World!\n$ strace ./build/linux/x64/shexec build/linux/x64/shcode-hello.bin \n...\nopenat(AT_FDCWD, \"build/linux/x64/shcode-hello.bin\", O_RDONLY) = 3\nfstat(3, {st_mode=S_IFREG|0755, st_size=57, ...}) = 0\nfstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(0x88, 0x1), ...}) = 0\ngetrandom(\"\\xae\\x28\\x5d\\xfd\\xd1\\xae\\x82\\x68\", 8, GRND_NONBLOCK) = 8\nbrk(NULL)                               = 0x55c7bbc4d000\nbrk(0x55c7bbc6e000)                     = 0x55c7bbc6e000\nwrite(1, \"file size: 57 bytes\\n\", 20file size: 57 bytes\n)   = 20\nmmap(NULL, 57, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f94405b3000\nread(3, \"H\\307\\300\\1\\0\\0\\0H\\307\\307\\1\\0\\0\\0H\\2155\\25\\0\\0\\0H\\307\\302\\17\\0\\0\\0\\17\\5H\\307\"..., 57) = 57\nclose(3)                                = 0\nmprotect(0x7f94405b3000, 57, PROT_READ|PROT_WRITE|PROT_EXEC) = 0\nwrite(1, \"Hello, World!\\n\\0\", 15Hello, World!\n)       = 15\nexit(0)                                 = ?\n```\n\n#### `frida` (native)\n\n```\n$ frida -l arsenal/linux/x64/stalk-syscalls.js -f build/linux/x64/shexec build/linux/x64/shcode-hello.bin\n     ____\n    / _  |   Frida 16.5.9 - A world-class dynamic instrumentation toolkit\n   | (_| |\n    \u003e _  |   Commands:\n   /_/ |_|       help      -\u003e Displays the help system\n   . . . .       object?   -\u003e Display information about 'object'\n   . . . .       exit/quit -\u003e Exit\n   . . . .\n   . . . .   
More info at https://frida.re/docs/home/\n   . . . .\n   . . . .   Connected to Local System (id=local)\nSpawned `build/linux/x64/shexec build/linux/x64/shcode-hello.bin`. Resuming main thread!\nfile size: 57 bytes\nHello, World!\n[Local::shexec ]-\u003e syscall @ 0x7f8cf16e3839, RAX: 0xa (10)\nsyscall @ 0x7f8cf001b01c, RAX: 0x1 (1) -\u003e write()\n    RDI: 0x1\n    RSI: Hello, World!\n\n    RDX: 0xf\nsyscall @ 0x7f8cf001b028, RAX: 0x3c (60)\n```\n\n#### `frida` (Docker on x64 host)\n\n```\n$ sudo docker build -f Dockerfile-x64 -t x64 .\n$ sudo docker run --user $(id -u):$(id -g) --rm -it -v \"$(pwd)\":/workspace x64 /bin/bash\n$ frida -l arsenal/linux/x64/stalk-syscalls.js -f build/linux/x64/shexec build/linux/x64/shcode-hello.bin\n     ____\n    / _  |   Frida 16.5.9 - A world-class dynamic instrumentation toolkit\n   | (_| |\n    \u003e _  |   Commands:\n   /_/ |_|       help      -\u003e Displays the help system\n   . . . .       object?   -\u003e Display information about 'object'\n   . . . .       exit/quit -\u003e Exit\n   . . . .\n   . . . .   More info at https://frida.re/docs/home/\n   . . . .\n   . . . .   Connected to Local System (id=local)\nSpawned `build/linux/x64/shexec build/linux/x64/shcode-hello.bin`. 
Resuming main thread!\nfile size: 57 bytes\nHello, World!\n[Local::shexec ]-\u003e syscall @ 0x7f8c4c216c19, RAX: 0xa (10)\nsyscall @ 0x7f8c4c30401c, RAX: 0x1 (1) -\u003e write()\n    RDI: 0x1\n    RSI: Hello, World!\n\n    RDX: 0xf\nsyscall @ 0x7f8c4c304028, RAX: 0x3c (60)\n```\n\n## Windows x64\n\n### `shexec.exe`\n\n#### Native\n\n```\n$ msfconsole\nmsf6 \u003e info payload/windows/x64/shell_bind_tcp\n...\nBasic options:\nName      Current Setting  Required  Description\n----      ---------------  --------  -----------\nEXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)\nLPORT     4444             yes       The listen port\nRHOST                      no        The target address\n\nDescription:\n  Listen for a connection and spawn a command shell (Windows x64)\n...\nmsf6 \u003e exit\n$ msfvenom -p windows/x64/shell_bind_tcp -f raw -o shellcode.bin\n```\n\nOpen `ProcMon` and `TCPView` then:\n\n```\n\u003e .\\shexec.exe shellcode.bin\n```\n\n![TCPView](img/tcpview.png)\n\n# References\n\n- https://chromium.googlesource.com/chromiumos/docs/+/HEAD/constants/syscalls.md\n- https://wiki.osdev.org/Calling_Conventions\n- https://en.wikipedia.org/wiki/X86_calling_conventions\n- https://www.felixcloutier.com/x86/\n- https://www.ibm.com/docs/en/aix/7.1?topic=volumes-using-file-descriptors\n- https://www.ibm.com/docs/en/i/7.5?topic=extensions-standard-c-library-functions-table-by-name\n- https://cs.lmu.edu/~ray/notes/gasexamples/\n- https://web.stanford.edu/class/cs107/guide/x86-64.html\n- http://unixwiz.net/techtips/x86-jumps.html\n- https://cs.brown.edu/courses/cs033/docs/guides/x64_cheatsheet.pdf\n- https://stackoverflow.com/questions/38335212/calling-printf-in-x86-64-using-gnu-assembler\n- https://github.com/reg1reg1/Shellcode\n- https://godbolt.org/\n- https://dogbolt.org/\n- https://nitesculucian.github.io/2018/07/24/msfvenom-cheat-sheet/\n- https://ivanitlearning.wordpress.com/2018/10/14/shellcoding-with-msfvenom/\n- 
https://security.stackexchange.com/questions/176495/executing-a-msfvenom-shellcode-in-c-program\n- http://0xdabbad00.com/2012/12/07/dep-data-execution-prevention-explanation/\n- https://learn.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualalloc\n- https://crates.io/crates/windows\n- https://github.com/microsoft/windows-rs\n- https://microsoft.github.io/windows-docs-rs/doc/windows/Win32/System/Memory/fn.VirtualAlloc.html\n- https://stackoverflow.com/questions/31492799/cross-compile-a-rust-application-from-linux-to-windows\n- https://doc.rust-lang.org/core/ptr/fn.copy_nonoverlapping.html\n- https://github.com/muhammet-mucahit/Security-Exercises\n- https://lettieri.iet.unipi.it/hacking/aslr-pie.pdf\n- https://reverseengineering.stackexchange.com/questions/19598/find-base-address-and-memory-size-of-program-debugged-in-gdb\n- https://syscall.sh/\n- https://developer.arm.com/documentation\n- https://gist.github.com/luk6xff/9f8d2520530a823944355e59343eadc1\n- https://www.exploit-db.com/exploits/47048\n- https://stackoverflow.com/a/18483795\n- https://learnfrida.info/advanced_usage/#getting-ret-addresses\n- https://frida.re/docs/javascript-api/#memory\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgemesa%2Fshadow-shell","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgemesa%2Fshadow-shell","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgemesa%2Fshadow-shell/lists"}