{"id":19369422,"url":"https://github.com/kara-4search/syscall_shellcodeload_csharp","last_synced_at":"2025-06-15T15:37:24.515Z","repository":{"id":136107266,"uuid":"373754784","full_name":"Kara-4search/SysCall_ShellcodeLoad_Csharp","owner":"Kara-4search","description":"Load shellcode via syscall ","archived":false,"fork":false,"pushed_at":"2021-07-28T06:59:14.000Z","size":85,"stargazers_count":47,"open_issues_count":0,"forks_count":11,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-04-02T17:01:35.522Z","etag":null,"topics":["avatar","bypass","bypass-antivirus","bypass-windows-defender","csharp","redteam","shellcode","shellcode-loader","syscall"],"latest_commit_sha":null,"homepage":"","language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Kara-4search.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-06-04T07:16:08.000Z","updated_at":"2024-08-06T05:40:53.000Z","dependencies_parsed_at":null,"dependency_job_id":"f65445f5-c38f-458f-8cfc-c567e841021c","html_url":"https://github.com/Kara-4search/SysCall_ShellcodeLoad_Csharp","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Kara-4search%2FSysCall_ShellcodeLoad_Csharp","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Kara-4search%2FSysCall_ShellcodeLoad_Csharp/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Kara-4search%2FSysCall_ShellcodeLoad_Csharp/releases","manifests_url":"https://
repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Kara-4search%2FSysCall_ShellcodeLoad_Csharp/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Kara-4search","download_url":"https://codeload.github.com/Kara-4search/SysCall_ShellcodeLoad_Csharp/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":250460412,"owners_count":21434247,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["avatar","bypass","bypass-antivirus","bypass-windows-defender","csharp","redteam","shellcode","shellcode-loader","syscall"],"created_at":"2024-11-10T08:11:13.279Z","updated_at":"2025-04-23T15:31:35.622Z","avatar_url":"https://github.com/Kara-4search.png","language":"C#","readme":"# SysCall_ShellcodeLoad_Csharp\n\nBlog link: working on it.\n\nGithub Link: https://github.com/Kara-4search/SysCall_ShellcodeLoad_Csharp\n\n- Based on another project of mine: https://github.com/Kara-4search/Simple_ShellCodeLoader_CSharp\n- A shellcode loader written in CSharp; the main purpose is to bypass EDR API hooks.\n- Only tested on Win10 x64; it may not work on x86.\n- Loads shellcode with direct syscalls.\n
- You need to replace the \"syscall identifier\" with the syscall ID from your own system.\n- To find the syscall ID on your system, check the links below:\n\n   1. Use windbg: https://jhalon.github.io/utilizing-syscalls-in-csharp-2/\n   2. Check the system call table: https://j00ru.vexillium.org/syscalls/nt/64/\n   3. Find the syscall ID automatically (DONE)\n      - If the AV/EDR hooks at a level above NTDLL, \"Auto_NativeCode\" works fine.\n      - If the AV/EDR has already hooked some functions in NTDLL, \"Auto_NativeCode\" is not going to work, because \"GetModuleHandle\" returns the in-memory NTDLL, which is the hooked version.\n\n
- The original shellcode is a MessageBox shellcode:\n\t```\n            /*   Messagebox shellcode   */\n            \n            byte[] buf1 = new byte[328] {\n                0xfc, 0x48, 0x81, 0xe4, 0xf0, 0xff, 0xff, 0xff, 0xe8, 0xd0, 0x00, 0x00,\n                0x00, 0x41, 0x51, 0x41, 0x50, 0x52, 0x51, 0x56, 0x48, 0x31, 0xd2, 0x65,\n                0x48, 0x8b, 0x52, 0x60, 0x3e, 0x48, 0x8b, 0x52, 0x18, 0x3e, 0x48, 0x8b,\n                0x52, 0x20, 0x3e, 0x48, 0x8b, 0x72, 0x50, 0x3e, 0x48, 0x0f, 0xb7, 0x4a,\n                0x4a, 0x4d, 0x31, 0xc9, 0x48, 0x31, 0xc0, 0xac, 0x3c, 0x61, 0x7c, 0x02,\n                0x2c, 0x20, 0x41, 0xc1, 0xc9, 0x0d, 0x41, 0x01, 0xc1, 0xe2, 0xed, 0x52,\n                0x41, 0x51, 0x3e, 0x48, 0x8b, 0x52, 0x20, 0x3e, 0x8b, 0x42, 0x3c, 0x48,\n                0x01, 0xd0, 0x3e, 0x8b, 0x80, 0x88, 0x00, 0x00, 0x00, 0x48, 0x85, 0xc0,\n                0x74, 0x6f, 0x48, 0x01, 0xd0, 0x50, 0x3e, 0x8b, 0x48, 0x18, 0x3e, 0x44,\n                0x8b, 0x40, 0x20, 0x49, 0x01, 0xd0, 0xe3, 0x5c, 0x48, 0xff, 0xc9, 0x3e,\n                0x41, 0x8b, 0x34, 0x88, 0x48, 0x01, 0xd6, 0x4d, 0x31, 0xc9, 0x48, 0x31,\n                0xc0, 0xac, 0x41, 0xc1, 0xc9, 0x0d, 0x41, 0x01, 0xc1, 0x38, 0xe0, 0x75,\n                0xf1, 0x3e, 0x4c, 0x03, 0x4c, 0x24, 0x08, 0x45, 0x39, 0xd1, 0x75, 0xd6,\n                0x58, 0x3e, 0x44, 0x8b, 0x40, 0x24, 0x49, 0x01, 0xd0, 0x66, 0x3e, 0x41,\n                0x8b, 0x0c, 0x48, 0x3e, 0x44, 0x8b, 0x40, 0x1c, 0x49, 0x01, 0xd0, 0x3e,\n                0x41, 0x8b, 0x04, 0x88, 0x48, 0x01, 0xd0, 0x41, 0x58, 0x41, 0x58, 0x5e,\n                0x59, 0x5a, 0x41, 0x58, 0x41, 0x59, 0x41, 0x5a, 0x48, 0x83, 0xec, 0x20,\n                0x41, 0x52, 0xff, 0xe0, 0x58, 0x41, 0x59, 0x5a, 0x3e, 0x48, 0x8b, 0x12,\n                0xe9, 0x49, 0xff, 0xff, 0xff, 0x5d, 0x49, 0xc7, 0xc1, 0x00, 0x00, 0x00,\n                0x00, 0x3e, 0x48, 0x8d, 0x95, 0x1a, 0x01, 0x00, 0x00, 0x3e, 0x4c, 0x8d,\n                0x85, 0x35, 0x01, 0x00, 0x00, 0x48, 0x31, 0xc9, 0x41, 0xba, 0x45, 0x83,\n                0x56, 0x07, 0xff, 0xd5, 0xbb, 0xe0, 0x1d, 0x2a, 0x0a, 0x41, 0xba, 0xa6,\n                0x95, 0xbd, 0x9d, 0xff, 0xd5, 0x48, 0x83, 0xc4, 0x28, 0x3c, 0x06, 0x7c,\n                0x0a, 0x80, 0xfb, 0xe0, 0x75, 0x05, 0xbb, 0x47, 0x13, 0x72, 0x6f, 0x6a,\n                0x00, 0x59, 0x41, 0x89, 0xda, 0xff, 0xd5, 0x48, 0x65, 0x6C, 0x6C, 0x6F,\n                0x20, 0x77, 0x6F, 0x72, 0x6C, 0x64, 0x20, 0x76, 0x69, 0x61, 0x20, 0x73,\n                0x79, 0x73, 0x63, 0x61, 0x6C, 0x6C, 0x00, 0x41, 0x50, 0x49, 0x20, 0x54,\n                0x65, 0x73, 0x74, 0x00\n            };\n\t\n\t```\n
- You may need to read the posts under **Reference link** below to understand how it works.\n- Feel free to open an issue.\n\n\n## Usage\n1. I updated SysCall_ShellcodeLoad; it now finds the syscall ID automatically (check the file Auto_NativeCode.cs).\n2. If you want to test the old version of SysCall_ShellcodeLoad,\n\t* Remove all the \"Auto_NativeCode\" references from Program.cs\n\t* And replace the syscall ID with your own.\n3. Replace \"buf1\" with your own shellcode.\n   ![avatar](https://raw.githubusercontent.com/Kara-4search/tempPic/main/SysCall_ShellcodeLoad_buf1.png)\n4. Replace the syscall ID with your own in NativeCode.cs (only when you use NativeCode instead of Auto_NativeCode).\n* There are three syscall IDs you need to replace.\n\t- 1). NtAllocateVirtualMemory\n  ![avatar](https://raw.githubusercontent.com/Kara-4search/tempPic/main/SysCall_ShellcodeLoad_CUntAVM.png)\n\t- 2). NtCreateThreadEx\n  ![avatar](https://raw.githubusercontent.com/Kara-4search/tempPic/main/SysCall_ShellcodeLoad_CUntCT.png)\n\t- 3). NtWaitForSingleObject\n  ![avatar](https://raw.githubusercontent.com/Kara-4search/tempPic/main/SysCall_ShellcodeLoad_CUntWFSO.png)\n\n## TO-DO list\n\n1. ~~Working on both x64 and x86~~\n\n2. Make the syscall array more flexible\n\n   \n\n\n## Reference link:\n\n1. https://github.com/SolomonSklash/SyscallPOC\n2. https://jhalon.github.io/utilizing-syscalls-in-csharp-1/\n3. https://jhalon.github.io/utilizing-syscalls-in-csharp-2/\n4. https://www.solomonsklash.io/syscalls-for-shellcode-injection.html\n5. https://www.pinvoke.net/default.aspx\n6. https://github.com/jhalon/SharpCall/blob/master/Syscalls.cs\n7. https://github.com/badBounty/directInjectorPOC\n8. https://j00ru.vexillium.org/syscalls/nt/64/\n9. http://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FMemory%20Management%2FVirtual%20Memory%2FNtAllocateVirtualMemory.html\n\n   ","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkara-4search%2Fsyscall_shellcodeload_csharp","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkara-4search%2Fsyscall_shellcodeload_csharp","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkara-4search%2Fsyscall_shellcodeload_csharp/lists"}