Shhhloader is a work in progress shellcode loader. It takes raw shellcode as input and compiles a C++ stub that does a bunch of different things to try and bypass AV/EDR. The included python builder will work on any Linux system that has Mingw-w64 installed.
1/25/24 EDIT: Shhhloader now supports PoolParty variant 7! An option was also added that will combine PoolParty with Module Stomping to prevent the executed shellcode from residing in unbacked memory. See below for a video demonstrating this new injection method against Defender ATP:
┳┻|
┻┳|
┳┻|
┻┳|
┳┻| _
┻┳| •.•) - Shhhhh, AV might hear us!
┳┻|⊂ノ
┻┳|
usage: Shhhloader.py [-h] [-p explorer.exe] [-m QueueUserAPC] [-u] [-w] [-nr] [-ns] [-l] [-v] [-sc GetSyscallStub] [-d] [-dp apphelp.dll] [-s domain]
[-sa testlab.local] [-o a.exe] [-pp explorer.exe] [-ppv] [-np] [-cp] [-td ntdll.dll] [-ef NtClose]
file
ICYGUIDER'S CUSTOM SYSCALL SHELLCODE LOADER
positional arguments:
file File containing raw shellcode
options:
-h, --help show this help message and exit
-p explorer.exe, --process explorer.exe
Process to inject into (Default: explorer.exe)
-m QueueUserAPC, --method QueueUserAPC
Method for shellcode execution (Options: PoolPartyModuleStomping, PoolParty, ThreadlessInject, ModuleStomping, QueueUserAPC,
ProcessHollow, EnumDisplayMonitors, RemoteThreadContext, RemoteThreadSuspended, CurrentThread) (Default: QueueUserAPC)
-u, --unhook Unhook NTDLL in current process
-w, --word-encode Save shellcode in stub as array of English words
-nr, --no-randomize Disable syscall name randomization
-ns, --no-sandbox Disable sandbox checks
-l, --llvm-obfuscator
Use Obfuscator-LLVM to compile stub
-v, --verbose Enable debugging messages upon execution
-sc GetSyscallStub, --syscall GetSyscallStub
Syscall execution method (Options: SysWhispers2, SysWhispers3, GetSyscallStub, None) (Default: GetSyscallStub)
-d, --dll Generate a DLL instead of EXE
-dp apphelp.dll, --dll-proxy apphelp.dll
Create Proxy DLL using supplied legitimate DLL (File must exist in current dir)
-s domain, --sandbox domain
Sandbox evasion technique (Options: sleep, domain, hostname, username, dll) (Default: sleep)
-sa testlab.local, --sandbox-arg testlab.local
Argument for sandbox evasion technique (Ex: WIN10CO-DESKTOP, testlab.local)
-o a.exe, --outfile a.exe
Name of compiled file
PPID Spoofing:
-pp explorer.exe, --ppid explorer.exe
Parent process to use for PPID Spoofing (Default: explorer.exe)
-ppv, --ppid-priv Enable spoofing for privileged parent process (Disabled by default)
-np, --no-ppid-spoof Disable PPID spoofing
ThreadlessInject:
-cp, --create-process
Create process instead of injecting into existing one
-td ntdll.dll, --target-dll ntdll.dll
Target DLL containing export function to overwrite
-ef NtClose, --export-function NtClose
Export function to overwrite
Features:
See below for a PoC video of the ThreadlessInject method being used to inject a Havoc beacon into IE without generating any alerts and minimal events in Microsoft Defender for Endpoint (MDE) EDR (Recorded 4/3/2023):
See below video demonstrating the Module Stomping injection technique executed via DLL Proxying (Recorded 8/9/2022):
Shhhloader has also been integrated into the Havoc C2 Framework via a module by @jakobfriedl. See below for a video demonstrating the module:
Known Issues/Notes:
-p
flag to supply the name of a process that you know or suspect is already running on the target system.Planned Updates:
OPTIONAL: To use the Obfuscator-LLVM flag, you must have it installed on your system alongside wclang. I've found this to be a bit of a pain but you should be able to do it with a little perseverance. Here's a step-by-step that I used to install the llvm-13.x branch of OLLVM on my Kali Linux system:
There is probably a better way to do this but this is what worked for me. If you have issues, just keep trying and ensure that you can run x86_64-w64-mingw32-clang++ -v
and it contains either "Obfuscator-LLVM" or "heroims" in the output. Unfortunately I do not have the time to assist individuals who may need more help, but you can try reading this issue on my Nimcrypt2 repo where a couple of users figured out how to do it on their systems.
Greetz & Credit: