Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/evilbytecode/ebyte-shellcode-loader
Shellcode loader that uses indirect syscalls, written in D. The loader bypasses user-mode hooks by resolving system calls manually from NTDLL using a hash-based method.
av-evasion evasion fud indirect-syscall indirect-syscalls shellcode shellcode-laoder shellcode-runner
Last synced: about 1 month ago
- Host: GitHub
- URL: https://github.com/evilbytecode/ebyte-shellcode-loader
- Owner: EvilBytecode
- License: apache-2.0
- Created: 2024-09-16T19:22:08.000Z (about 2 months ago)
- Default Branch: main
- Last Pushed: 2024-09-16T19:28:41.000Z (about 2 months ago)
- Last Synced: 2024-09-17T00:38:34.230Z (about 2 months ago)
- Topics: av-evasion, evasion, fud, indirect-syscall, indirect-syscalls, shellcode, shellcode-laoder, shellcode-runner
- Language: D
- Homepage:
- Size: 142 KB
- Stars: 2
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
# EByte-Shellcode-Loader
**EByte-Shellcode-Loader** is a shellcode loader written in the **D language** that issues its Windows system calls indirectly. Instead of calling the exported `Nt*` functions in NTDLL, where user-mode EDR hooks are placed, the loader resolves the system calls it needs from NTDLL itself, identifying the exports by a hash of their names, so the hooked code paths are never executed. The project also includes tools written in **Go** and **Python** that generate shellcode from executables and automate shellcode extraction and loader compilation.
## Project Structure
The project consists of the following files:
- **`syscalls.d`**: Implements the indirect syscalls. System calls are resolved manually from NTDLL, and the exports are matched by a hash of their names rather than by plaintext strings, so the names of syscalls such as `NtAllocateVirtualMemory`, `NtWriteVirtualMemory`, and `NtCreateThreadEx` need not appear in the loader.
- **`loader.d`**: The main loader, written in **D**. It uses the syscalls implemented in `syscalls.d` to allocate memory, write the shellcode into it, change the memory protection, and execute the shellcode on a newly created thread.
- **`donut.exe`**: A tool for generating shellcode from an executable (PE file). The shellcode is position-independent and can be injected using the loader.
- **`generate_bin_file.go`**: A **Go** script that automates the generation of a binary file from an executable using the Donut tool. This binary file will then be used for shellcode extraction.
- **`generate_shellcode_and_compile.py`**: A **Python** script that automates the extraction of shellcode from a binary file and compiles the loader with the extracted shellcode.
## Usage
### Prerequisites
- **D Language Compiler (`dmd`)**: To compile the D sources (`loader.d` and `syscalls.d`).
- **Go**: To run the Go script that generates binary files from executables.
- **Python**: To execute the script for shellcode extraction and loader compilation.
- **Donut**: The Donut tool (`donut.exe`) is used to generate shellcode from executables.
## License
Apache License 2.0
## Detections (static: VirusTotal; runtime: Scanner.to)
![image](https://github.com/user-attachments/assets/da6a788b-2712-4ce9-8473-57ecf1a0e21b)
![image](https://github.com/user-attachments/assets/c1d03232-e696-4062-80dc-d9f497466e92)