Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/evilbytecode/ebyte-shellcode-loader
shellcode loader that uses indirect syscalls written in D Lang The loader bypasses user-mode hooks by resolving system calls manually from NTDLL using a hash-based method.
https://github.com/evilbytecode/ebyte-shellcode-loader
av-evasion evasion fud indirect-syscall indirect-syscalls shellcode shellcode-laoder shellcode-runner
Last synced: 2 months ago
JSON representation
shellcode loader that uses indirect syscalls written in D Lang The loader bypasses user-mode hooks by resolving system calls manually from NTDLL using a hash-based method.
- Host: GitHub
- URL: https://github.com/evilbytecode/ebyte-shellcode-loader
- Owner: EvilBytecode
- License: apache-2.0
- Created: 2024-09-16T19:22:08.000Z (3 months ago)
- Default Branch: main
- Last Pushed: 2024-09-16T19:28:41.000Z (3 months ago)
- Last Synced: 2024-09-17T00:38:34.230Z (3 months ago)
- Topics: av-evasion, evasion, fud, indirect-syscall, indirect-syscalls, shellcode, shellcode-laoder, shellcode-runner
- Language: D
- Homepage:
- Size: 142 KB
- Stars: 2
- Watchers: 1
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
# EByte-Shellcode-Loader
**EByte-Shellcode-Loader** is a shellcode loader that uses indirect syscalls written in **D language**. The loader bypasses user-mode hooks by resolving system calls manually from NTDLL using a hash-based method. The project includes various tools written in **Go** and **Python** to generate shellcode from executables and automate the shellcode extraction and loader compilation process.
## Project Structure
The project consists of the following files:
- **`syscalls.d`**: Implements indirect syscalls using manually resolved system calls from NTDLL. It uses a hash-based approach to identify syscalls like `NtAllocateVirtualMemory`, `NtWriteVirtualMemory`, and `NtCreateThreadEx`.
- **`loader.d`**: The main loader script written in **D**. It uses the syscalls implemented in `syscalls.d` to allocate memory, write shellcode, change memory protections, and execute the shellcode via a newly created thread.- **`donut.exe`**: A tool for generating shellcode from an executable (PE file). The shellcode is position-independent and can be injected using the loader.
- **`generate_bin_file.go`**: A **Go** script that automates the generation of a binary file from an executable using the Donut tool. This binary file will then be used for shellcode extraction.
- **`generate_shellcode_and_compile.py`**: A **Python** script that automates the extraction of shellcode from a binary file and compiles the loader with the extracted shellcode.
## Usage
### Prerequisites
- **D Language Compiler (`dmd`)**: To compile the D scripts (`loader.d` and `syscalls.d`).
- **Go**: To run the Go script that generates binary files from executables.
- **Python**: To execute the script for shellcode extraction and loader compilation.
- **Donut**: The Donut tool (`donut.exe`) is used to generate shellcode from executables.### License:
Apache License 2.0## Detections (Static : Virustotal) (Runtime: Scanner.to) :
![image](https://github.com/user-attachments/assets/da6a788b-2712-4ce9-8473-57ecf1a0e21b)
![image](https://github.com/user-attachments/assets/c1d03232-e696-4062-80dc-d9f497466e92)