{"id":17383317,"url":"https://github.com/vasco0x4/shadeloader","last_synced_at":"2025-04-15T05:51:30.310Z","repository":{"id":247421435,"uuid":"825807532","full_name":"Vasco0x4/ShadeLoader","owner":"Vasco0x4","description":"ShadeLoader is a shellcode loader designed to bypass most antivirus software.  壳代码,  杀毒软件, 绕过","archived":false,"fork":false,"pushed_at":"2024-08-05T20:50:20.000Z","size":24,"stargazers_count":39,"open_issues_count":1,"forks_count":4,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-03-28T16:37:51.271Z","etag":null,"topics":["antivirus","antivirus-bypass","antivirus-evasion","shellcode","shellcode-injection","shellcode-loader"],"latest_commit_sha":null,"homepage":"","language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Vasco0x4.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-07-08T14:35:35.000Z","updated_at":"2025-01-16T11:01:30.000Z","dependencies_parsed_at":"2024-07-08T18:19:24.564Z","dependency_job_id":"5f6c4fe4-4748-47c0-9b85-8af184db2f7a","html_url":"https://github.com/Vasco0x4/ShadeLoader","commit_stats":null,"previous_names":["vasco0x4/shadeloader"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Vasco0x4%2FShadeLoader","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Vasco0x4%2FShadeLoader/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Vasco0x4%2FShadeLoader/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Vasco0x4%2FShadeLoader/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Vasco0x4","download_url":"https://codeload.github.com/Vasco0x4/ShadeLoader/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":249016316,"owners_count":21198832,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["antivirus","antivirus-bypass","antivirus-evasion","shellcode","shellcode-injection","shellcode-loader"],"created_at":"2024-10-16T07:41:16.704Z","updated_at":"2025-04-15T05:51:30.294Z","avatar_url":"https://github.com/Vasco0x4.png","language":"C++","funding_links":[],"categories":[],"sub_categories":[],"readme":"# ShadeLoader\n\n## Description\n\nShadeLoader is a shellcode loader that utilizes **process hollowing** and **XOR encryption** techniques to download, decrypt, and inject shellcode into a legitimate process.\n\n\n![345470702-c013f61b-a0ef-42dd-9583-9b66548fbb5d](https://github.com/Vasco0x4/ShadeLoader/assets/63432221/0e3c9d4b-c227-4592-94b6-9b5f7b85220e)\n\n## How It Works \u0026 Features\n\n1. **Initial Access (main.exe)**:\n    - `main.exe` starts a legitimate process, `cmd.exe`, in suspended mode.\n\n2. **Downloading and Decrypting Shellcode**:\n    - `cmd.exe` downloads the encrypted shellcode from a specified URL.\n    - The shellcode is encrypted using XOR to obfuscate its content during transport.\n    - Once downloaded, `cmd.exe` decrypts the shellcode using a key to obtain the clear executable code.\n\n3. **Process Hollowing (Injection into RuntimeBroker.exe)**:\n    - `cmd.exe` creates a new process, `RuntimeBroker.exe`, in suspended mode.\n    - The decrypted shellcode is injected into the allocated memory of `RuntimeBroker.exe`.\n    - `cmd.exe` creates a thread in `RuntimeBroker.exe` to execute the injected shellcode.\n\n4. **Self-destruction**:\n    - Once the shellcode is injected and executed, `main.exe` self-destructs.\n  \n5. **VM Protection and Anti-Debugging**\n   \n   The shellcode loader detect and protect against virtual machine environments and debugging tools.\n\n    - If the malware detects that it is running in a virtual machine (VM) environment.\n    - If the malware detects the presence of a debugger.\n    - If the malware detects common VM artifacts or tools indicating analysis.\n\n## How to setup\n\n### config.h\nyou can setup shellcode loader 0 = disable | 1 = enable \n\n```\nENABLE_DEBUG 0 //  if enable its open windows with debug logs \nAUTODESTRUCT 1  // auto destuct after execution \nSUSPEND_DOWNLOAD 1  //  waiting time before download shellcode from web \nPROTECTION 1 // anti VM / disable IF YOU USE IN ON VM !!! \n\n```\n### main.cpp\nin main file you need to configure 2 think \n- shellcode URL | line 49\n- XOR key use same key for encryption !!! | line 59\n  \n*The `encrypt.py` file is included in the project. You can use it to encrypt your shellcode before uploading it.*\n\n### demo / exemple \n\nDebug mode \n\n```cpp\n#define ENABLE_DEBUG 1\n#define AUTODESTRUCT 1 \n#define SUSPEND_DOWNLOAD 0 \n#define PROTECTION 0 \n```\n\n\n[Debug mode ](https://github.com/Vasco0x4/ShadeLoader/assets/63432221/abb22b64-c835-4ddc-8bb0-4b2abe450ca5)\n\n\n\n__________________________________________________________________________________________\n\n\n\nAnti VM\n```cpp\n#define ENABLE_DEBUG 1\n#define AUTODESTRUCT 1  \n#define SUSPEND_DOWNLOAD 0 \n#define PROTECTION 1 \n\n```\n[Anti VM](https://github.com/Vasco0x4/ShadeLoader/assets/63432221/a5c6a2ed-88d5-4114-9224-e77d3869e294)\n\n\n\n__________________________________________________________________________________________\n\n\nSilent  \n```cpp\n#define ENABLE_DEBUG 0\n#define AUTODESTRUCT 1\n#define SUSPEND_DOWNLOAD 1\n#define PROTECTION 0\n```\n\n\n[Silent](https://github.com/Vasco0x4/ShadeLoader/assets/63432221/4f167e13-8dd0-4b68-b8c3-76923f6df320)\n\n\n\n\n__________________________________________________________________________________________\n\n\n### ShadeLoader vs AVs 2/40\n\nhttps://kleenscan.com/scan_result/e116638a3bac264968b2a86f32e6a24db53f7f27335810caba68233ca5771e4d\n\n### Disclaimer\nThis project is for educational purposes only. Any malicious use of this code is strictly prohibited\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvasco0x4%2Fshadeloader","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fvasco0x4%2Fshadeloader","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvasco0x4%2Fshadeloader/lists"}