{"id":29721096,"url":"https://github.com/maxdcb/dreamwalkers","last_synced_at":"2025-07-24T14:19:00.173Z","repository":{"id":303606573,"uuid":"1013233564","full_name":"maxDcb/DreamWalkers","owner":"maxDcb","description":"Reflective shellcode loader with advanced call stack spoofing and .NET support.","archived":false,"fork":false,"pushed_at":"2025-07-08T12:48:09.000Z","size":402,"stargazers_count":128,"open_issues_count":0,"forks_count":25,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-07-08T13:58:06.900Z","etag":null,"topics":["malware-research","redteam","windows"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/maxDcb.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-07-03T15:03:40.000Z","updated_at":"2025-07-08T13:47:00.000Z","dependencies_parsed_at":"2025-07-08T13:58:24.928Z","dependency_job_id":"96f4bd05-9099-4a46-aa42-d7a0393c7969","html_url":"https://github.com/maxDcb/DreamWalkers","commit_stats":null,"previous_names":["maxdcb/dreamwalkers"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/maxDcb/DreamWalkers","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/maxDcb%2FDreamWalkers","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/maxDcb%2FDreamWalkers/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/maxDcb%2FDreamWalkers/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/maxDcb%2FDreamWalkers/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/maxDcb","download_url":"https://codeload.github.com/maxDcb/DreamWalkers/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/maxDcb%2FDreamWalkers/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":266854944,"owners_count":23995491,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-07-24T02:00:09.469Z","response_time":99,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["malware-research","redteam","windows"],"created_at":"2025-07-24T14:18:55.853Z","updated_at":"2025-07-24T14:19:00.165Z","avatar_url":"https://github.com/maxDcb.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"# DreamWalkers\n\n\u003e Reflective shellcode loader inspired by [MemoryModule](https://github.com/fancycode/MemoryModule) and [Donut](https://github.com/TheWover/donut), with advanced call stack spoofing and .NET support.\n\nSee the related blog post: [DreamWalkers](https://maxdcb.github.io/DreamWalkers/)\n\nUnlike traditional call stack spoofing, which often fails within reflectively loaded modules due to missing unwind metadata, DreamWalkers introduces a novel approach that enables clean and believable call stacks even during execution of shellcode-mapped payloads. 
By manually parsing the PE structure and registering custom unwind information via RtlAddFunctionTable, our loader restores proper stack unwinding — a capability that I didn't see achieved in reflective loading contexts. This allows our shellcode to blend in more effectively, even under the scrutiny of modern EDR and debugging tools.\n\n![WithoutSpoofing](./images/WithoutSpoofing.png)\n\n![WithoutRtlAddFunctionTable](./images/WithoutRtlAddFunctionTable.png)\n\n![WithoutMS](./images/WithoutMS.png)\n\n![CleanStack](./images/CleanStack.png)\n\n---\n\n## 🌘 Introduction\n\nDreamWalkers is a research-grade project that blends ideas from Donut and MemoryModule to create a fully position-independent, reflective PE loader capable of clean call stack spoofing and modular payload execution — including .NET assemblies.\n\nMy goal was to understand how these components work under the hood, then reimplement and extend them with novel functionality. This includes position independence, command-line argument handling, .NET hosting using C++, and spoofed call stacks even in reflectively loaded code.\n\nBig thanks to [@almounah](https://github.com/almounah) for his early support (even if he fell into the Go trap), and credit is due to the original authors of Donut, MemoryModule, and [Being-A-Good-CLR-Host](https://github.com/passthehashbrowns/Being-A-Good-CLR-Host) as well as [SilentMoonwalk](https://github.com/klezVirus/SilentMoonwalk), LoudSunRun and others.\n\n---\n\n## 📦 Features\n\n- 🧬 Position-independent shellcode extracted from a modified `MemoryModule`\n- 🛠️ Shellcode generator inspired by Donut's stub generation\n- 📝 Custom command-line argument handling for EXEs\n- ☁️ .NET loader via intermediate native DLL (.NET logic not directly embedded in shellcode)\n- 🎭 Clean and spoofed call stacks, even in reflectively loaded modules\n- 🔥 Module stomping + unwind info registration using `RtlAddFunctionTable`\n\n---\n\n## 📁 Project Structure\n\n```\n/DreamWalkers\n├── bin/                   # Output folder for compiled binaries and shellcode\n├── common/                # Shared code or headers\n├── compile.bat            # Windows batch script to compile components\n├── dotnetLoader/          # C++ CLR host loader for .NET payloads\n├── exe2h/                 # Tool for extracting the TEXT section of binaries\n├── finalShellcode.bin     # Final compiled shellcode output\n├── GenerateShellcode.py   # Python script to generate shellcode and input structure\n├── memoryModule/          # Modified, position-independent MemoryModule loader\n├── shellcodeTester/       # Shellcode testing utilities\n├── testDll/               # Sample DLL payloads for testing the loader\n├── testExe/               # Sample EXE payloads for testing the loader\n```\n\n---\n\n## 🚀 How to Use\n\nThe project includes a Python script, `GenerateShellcode.py`, that bundles your payload (EXE or DLL) together with the position-independent loader, builds the required structure, and outputs a standalone shellcode blob.\n\n### 📦 Basic Usage\n\n```powershell\nPS B:\\framework\\DreamWalkers\u003e python .\\GenerateShellcode.py -f .\\Rubeus.exe -c help\n```\n\n* `-f`: Path to the payload (EXE or DLL)\n* `-c`: Command-line arguments passed to the loaded module\n* `-m`: (Optional) Method name to call if the payload is a DLL\n\n### 🧠 Example Output\n\n```text\nFile is a .NET (managed) executable.\nCommand line argument:  help\npadding_length  11\nExtracted 4954 bytes.\nInstance struct size: 3552 bytes\nLoader size: 4954 bytes\nfinal shellcode  591173  bytes\n```\n\nThe output `finalShellcode.bin` is a standalone, reflectively loadable shellcode. 
To test it, you can use the simple shellcodeTester.exe provided or any shellcode injector.\n\n### 📘 Help Menu\n\n```powershell\nPS B:\\framework\\DreamWalkers\u003e python .\\GenerateShellcode.py\nusage: GenerateShellcode.py [-h] -f FILE [-m METHOD] [-c CMD]\n\nOptions:\n  -f FILE       Path to EXE or DLL to embed\n  -m METHOD     Exported method to call (DLL only)\n  -c CMD        Command-line argument string\n```\n\nRebuild the shellcode after any change to the loader or the input structure.\n\n---\n\n## 🚀 How to Build\n\nFrom \"x64 Native Tools Command Prompt for VS 2022\":\n\n```\n.\\compile.bat\n```\n\n---\n\n## 🧠 Credits\n\n- [TheWover](https://github.com/TheWover) and [modexp/odzhan](https://modexp.wordpress.com/) – Donut\n- [fancycode](https://github.com/fancycode) – MemoryModule\n- [passthehashbrowns](https://github.com/passthehashbrowns) – Being-A-Good-CLR-Host\n- ChatGPT – For helping with stack unwinding research\n\n---\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmaxdcb%2Fdreamwalkers","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmaxdcb%2Fdreamwalkers","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmaxdcb%2Fdreamwalkers/lists"}