https://github.com/mirralis/x64-calc-popper-shellcode

x64 Windows PEB walker in NASM. Resolves exports by hash comparison without importing any APIs. Features a custom salted hash function and XOR-obfuscated payload string.
apihashing assembly calc-popper obfuscation pebwalking shellcode windows x64 x86-64


# x64-calc-popper-shellcode — NASM Shellcode Demo

A position-independent x64 Windows shellcode implementation demonstrating
PEB walking, custom hash-based API resolution, and XOR string obfuscation.
Written in NASM as a learning exercise to understand what happens below
the C abstraction layer.

## What it does

Resolves `WinExec` from `kernel32.dll` at runtime without using the Windows
Import Address Table, then executes an XOR-encoded command string.

## Techniques demonstrated

**PEB Walking**
Traverses the Process Environment Block's `InMemoryOrderModuleList` to locate
loaded modules without calling `LoadLibrary` or `GetProcAddress`. Handles the
`LDR_DATA_TABLE_ENTRY` offset arithmetic manually to recover module base addresses.

**Custom Hash-based API Resolution**
Instead of storing plaintext API names, a custom salted hash function identifies
target functions by comparing computed hashes against stored constants. Supports
both ASCII and wide string inputs for handling module names (wide) and export
names (ASCII).

Hash algorithm: `hash = char + (SALT ^ SALT_2 ^ i) + (hash << 6) + (hash << 16) - hash`
A final XOR step is applied to the result for additional obfuscation.
It is essentially an sdbm derivative: sdbm's `hash * 65599 + char` is exactly
`char + (hash << 6) + (hash << 16) - hash` (65599 = 65536 + 64 - 1), and this
variant adds a per-position salt term `SALT ^ SALT_2 ^ i` on top.
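The documented hash, re-implemented from the analyst's side so that a hash constant recovered from a sample can be mapped back to the export name it selects (the same trick tools such as hash lookup databases use for API-hashing malware). This is an added example, not code from the repository: `SALT`, `SALT_2`, `FINAL_XOR` and the 32-bit register width are placeholder assumptions, the real constants are only in `calc_peb.nasm`, and feeding one UTF-16 code unit per iteration for wide names is likewise an assumption about the NASM implementation.

```python
from typing import Dict, Iterable, Optional

# Placeholder constants (assumed for this demo). The real SALT, SALT_2 and
# final XOR key are defined in calc_peb.nasm and are NOT reproduced here.
SALT = 0x1234
SALT_2 = 0xABCD
FINAL_XOR = 0x5A5A5A5A
MASK32 = 0xFFFFFFFF   # assumption: the hash accumulates in a 32-bit register


def salted_sdbm(units: Iterable[int], salt: int = SALT, salt_2: int = SALT_2,
                final_xor: int = FINAL_XOR, mask: int = MASK32) -> int:
    """README formula applied to a sequence of character values:
    hash = char + (SALT ^ SALT_2 ^ i) + (hash << 6) + (hash << 16) - hash,
    truncated to the register width after each step, then XORed with the key."""
    h = 0
    for i, c in enumerate(units):
        h = (c + (salt ^ salt_2 ^ i) + (h << 6) + (h << 16) - h) & mask
    return h ^ final_xor


def hash_ascii(name: str, **kw) -> int:
    """Export names in the PE export table are NUL-terminated ASCII."""
    return salted_sdbm(name.encode("ascii"), **kw)


def hash_wide(name: str, **kw) -> int:
    """Module names in the PEB (LDR_DATA_TABLE_ENTRY.BaseDllName) are UTF-16LE.
    Assumption: one 16-bit code unit is consumed per iteration, so an ASCII-only
    name hashes to the same value as its narrow form."""
    raw = name.encode("utf-16-le")
    units = [int.from_bytes(raw[j:j + 2], "little") for j in range(0, len(raw), 2)]
    return salted_sdbm(units, **kw)


def build_lookup(export_names: Iterable[str], **kw) -> Dict[int, str]:
    """Precompute hash -> name for an export list (e.g. dumped from kernel32.dll).
    Collisions are reported rather than silently overwritten."""
    table: Dict[int, str] = {}
    for name in export_names:
        h = hash_ascii(name, **kw)
        if h in table and table[h] != name:
            raise ValueError(f"hash collision: {table[h]!r} vs {name!r}")
        table[h] = name
    return table


def resolve(observed_hash: int, export_names: Iterable[str], **kw) -> Optional[str]:
    """Map a constant lifted from the sample back to the export it selects."""
    return build_lookup(export_names, **kw).get(observed_hash)


# Constructed sample: a handful of genuine kernel32 export names. A real
# analysis run would feed the full export list dumped from the DLL.
SAMPLE_EXPORTS = ["ExitProcess", "GetProcAddress", "LoadLibraryA",
                  "VirtualAlloc", "WinExec"]

if __name__ == "__main__":
    target = hash_ascii("WinExec")  # stands in for a constant read out of the binary
    print(f"0x{target:08x} -> {resolve(target, SAMPLE_EXPORTS)}")
    print(f"kernel32.dll (wide) -> 0x{hash_wide('kernel32.dll'):08x}")
```

With `salt`, `salt_2` and `final_xor` all set to 0 the function degenerates to plain sdbm, which is a convenient way to sanity-check a re-implementation against the constants actually found in the source before trusting its lookups.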

**XOR String Obfuscation**
Target command string is stored XOR-encoded in the `.text` section and decoded
at runtime onto the stack, avoiding plaintext strings in the binary.

**PE Export Directory Parsing**
Manually walks the PE export directory structures (`AddressOfNames`,
`AddressOfFunctions`, `AddressOfNameOrdinals`) to resolve function addresses
from the export table RVAs.

## Build

### As an executable
```sh
nasm -f win64 calc_peb.nasm -o calc_peb.obj
gcc calc_peb.obj -o calc_peb.exe -nostartfiles
```

### As shellcode
```sh
nasm -f bin calc_peb.nasm -o calc_peb.bin
```

You can also use the compiled `calc_peb.bin` from the Releases if you like.

## Notes

- Written as a learning exercise — payload target is calc.exe
- Hash constants and XOR key are visible in source by design for educational clarity

## Closing Note
I left my comments in there. They show my thought process while I was making it. I hope it helps in understanding the code if you analyse it.

This binary is for educational security research only. Do not run it on any system you do not own.