Shhhloader - SysWhispers Shellcode Loader

2 years ago 133
BOOK THIS SPACE FOR AD
ARTICLE AD

Shhhloader is a SysWhispers Shellcode Loader that is currently a Work in Progress. It takes raw shellcode as input and compiles a C++ stub that has been integrated with SysWhispers in order to bypass AV/EDR. The included python builder will work on any Linux system that has Mingw-w64 installed.

The tool has been confirmed to successfully load Meterpreter and a Cobalt Strike beacon on fully updated systems with Windows Defender enabled. The project itself is still in a PoC/WIP state, as it currently doesn't work with all payloads.

2/9/22 EDIT: Shhhloader now includes 5 different ways to execute your shellcode! See below for updated usage. Big thanks to @Snovvcrash and their DInjector project for inspiration! I highly recommend taking a look at it for more information regarding the shellcode injection techniques and code that this tool is now based on.

┳┻|
┻┳|
┳┻|
┻┳|
┳┻| _
┻┳| •.•) - Shhhhh, AV might hear us!
┳┻|⊂ノ
┻┳|
usage: Shhhloader.py [-h] [-p explorer.exe] [-m QueueUserAPC] [-nr] [-v] [-d] [-o a.exe] file

ICYGUIDER'S CUSTOM SYSWHISPERS SHELLCODE LOADER

positional arguments:
file File containing raw shellcode

optional arguments:
-h, --help show this help message and exit
-p explorer.exe, --process explorer.exe
Process to inject into (Default: explorer.exe)
-m QueueUserAPC, --method QueueUserAPC
Method for shellcode execution (Options: ProcessHollow, QueueUserAPC,
RemoteThreadContext, RemoteThreadSuspended, CurrentThread) (Default: QueueUserAPC)
-nr , --no-randomize Disable syscall name randomization
-v, --verbose Enable debugging messages upon execution
-d, --dll-sandbox Use DLL based sandbox checks instead of the standard ones
-o a.exe, --outfile a.exe
Name of compiled file

Video Demo: https://www.youtube.com/watch?v=-KLGV_aGYbw

Features:

5 Different Shellcode Execution Methods (ProcessHollow, QueueUserAPC, RemoteThreadContext, RemoteThreadSuspended, CurrentThread) PPID Spoofing Block 3rd Party DLLs Syscall Name Randomization XOR Encryption with Dynamic Key Generation Sandbox Evasion via Loaded DLL Enumeration Sandbox Evasion via Checking Processors, Memory, and Time

Tested and Confirmed Working on:

Windows 10 21H1 (10.0.19043) Windows 10 20H2 (10.0.19042) Windows Server 2019 (10.0.17763)

Scan Results as of 2/9/22 (x64 Meterpreter QueueUserAPC): https://antiscan.me/scan/new/result?id=tntuLnCkTCwz

Greetz & Credit:

Jthuraisamy for his amazing project SysWhispers: https://github.com/jthuraisamy/SysWhispers OutFlank for creating InlineWhispers (Mingw-w64 Compatible SysWhispers): https://github.com/outflanknl/InlineWhispers FalconForceTeam for their syscall generation tool that supports SysWhispers2: https://github.com/FalconForceTeam/SysWhispers2BOF Snovvcrash for their NimHollow project, which I used as a template for process hollowing: https://github.com/snovvcrash/NimHollow Snovvcrash again for their DInjector project, which I used as a template for many of the included injection techniques: https://github.com/snovvcrash/DInjector Cerbersec for their Ares project, whose code I used for PPID Spoofing, Blocking 3rd Party DLLs and Sandbox Evasion: https://github.com/Cerbersec/Ares

Shhhloader - SysWhispers Shellcode Loader Shhhloader - SysWhispers Shellcode Loader Reviewed by Zion3R on 5:30 PM Rating: 5

Read Entire Article