mgeeky / ShellcodeFluctuation

An advanced in-memory evasion technique fluctuating shellcode's memory protection between RW/NoAccess & RX and then encrypting/decrypting its contents
MIT License
921 stars, 154 forks

Does not work with MSF shellcode. #1

Closed FunnyWolf closed 3 years ago

FunnyWolf commented 3 years ago

All is good if I use the project with CS, but if I use the project to load an MSF shellcode, it will shut down and the process exits. Here is the log from ShellcodeFluctuation:

.\ShellcodeFluctuation.exe .\shell.raw 1
[.] Reading shellcode bytes...
[.] Hooking kernel32!Sleep...
[.] Injecting shellcode...
[+] Shellcode is now running. PID = 22944
[+] Fluctuation initialized.
    Shellcode resides at 0x000002060B820000 and occupies 311296 bytes. XOR32 key: 0x19df2617
[>] shellcodeAddr:000002060B820000
[>] shellcodeSize:311296
[>] Flipped to RW. Encoding...

===> MySleep(0)

[>] shellcodeAddr:000002060B820000
[>] shellcodeSize:311296
[.] Decoding...
[>] Flipped to RX.
[>] shellcodeAddr:000002060B820000
[>] shellcodeSize:311296
[>] Flipped to RW. Encoding...

===> MySleep(20)

[>] shellcodeAddr:000002060B820000
[>] shellcodeSize:311296
[.] Decoding...
[>] Flipped to RX.
[>] shellcodeAddr:000002060B820000
[>] shellcodeSize:311296
[>] Flipped to RW. Encoding...

===> MySleep(0)

[>] shellcodeAddr:000002060B820000
[>] shellcodeSize:311296
[.] Decoding...
[>] Flipped to RX.
[>] shellcodeAddr:000002060B820000
[>] shellcodeSize:311296
[>] Flipped to RW. Encoding...

===> MySleep(0)

[>] shellcodeAddr:000002060B820000
[>] shellcodeSize:311296
[.] Decoding...
[>] Flipped to RX.
[>] shellcodeAddr:000002060B820000
[>] shellcodeSize:311296
[>] Flipped to RW. Encoding...

and here is the log from meterpreter:

[screenshot of the meterpreter log]

I think the hook works normally, but the encrypted memory may destroy the execution of meterpreter.

mgeeky commented 3 years ago

This project merely shows the concept on the base example for Cobalt Strike's Beacon.

In order to work with other C2 frameworks or shellcodes, you may need to define other WinAPIs that should be hooked to intercept the shellcode's execution right in the middle.

Since this is a PoC showing the concept, I don't plan on adding support for any other product in the market.

Hopefully you'll understand. Thanks, M.
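A detection-side counterpart to the log in this thread, added here as an example that is not part of ShellcodeFluctuation: it counts, per region base, RW->RX flips that directly follow a blocking call, which is the footprint the hook leaves whichever API ends up being hooked. The event-dict format, the `BLOCKING_APIS` set and the benign loader base `0x7FF600000000` are constructed assumptions standing in for an API-monitor or ETW trace.

```python
"""Flag memory regions whose protection keeps toggling RW <-> RX around a
blocking call, the footprint the Sleep hook in this thread leaves behind.
Added example for this issue; the event dicts are a constructed stand-in
for an API-monitor or ETW trace, not output of the project itself."""
from collections import defaultdict

PAGE_READWRITE = 0x04       # region encoded and non-executable while sleeping
PAGE_EXECUTE_READ = 0x20    # region decoded and executable while running
# Blocking APIs a hook might wrap; the reply above notes Sleep is one choice.
BLOCKING_APIS = {"Sleep", "SleepEx", "WaitForSingleObject", "WaitForSingleObjectEx"}

def fluctuation_cycles(events):
    """Count, per base address, RW->RX flips that directly follow a blocking
    call. events: dicts with 'api', plus 'addr' and 'prot' for VirtualProtect.
    A normal loader flips RW->RX once and not after a sleep, so it scores 0."""
    last_prot, cycles, just_blocked = {}, defaultdict(int), False
    for ev in events:
        if ev["api"] in BLOCKING_APIS:
            just_blocked = True
            continue
        if ev["api"] != "VirtualProtect":
            continue
        addr, prot = ev["addr"], ev["prot"]
        if (just_blocked and last_prot.get(addr) == PAGE_READWRITE
                and prot == PAGE_EXECUTE_READ):
            cycles[addr] += 1
        last_prot[addr] = prot
        just_blocked = False
    return dict(cycles)

def suspicious_regions(events, min_cycles=2):
    """Bases with at least min_cycles sleep-bracketed RW->RX flips."""
    return {a: c for a, c in fluctuation_cycles(events).items() if c >= min_cycles}

def constructed_trace():
    """Constructed trace mirroring the log above: base 0x2060B820000 goes RW,
    then four times (block, RX, RW); a benign loader at the made-up base
    0x7FF600000000 flips RW->RX once with no blocking call in between."""
    def vp(addr, prot):
        return {"api": "VirtualProtect", "addr": addr, "prot": prot}
    fluct, benign = 0x2060B820000, 0x7FF600000000
    trace = [vp(benign, PAGE_READWRITE), vp(benign, PAGE_EXECUTE_READ),
             vp(fluct, PAGE_READWRITE)]
    for ms in (0, 20, 0, 0):                   # MySleep(0), (20), (0), (0) above
        trace += [{"api": "Sleep", "ms": ms}, vp(fluct, PAGE_EXECUTE_READ),
                  vp(fluct, PAGE_READWRITE)]
    trace.append({"api": "Sleep", "ms": 100})  # benign code sleeps too
    return trace
```

`suspicious_regions(constructed_trace())` reports only the fluctuating base with 4 cycles; the loader base, which flips once and never after a blocking call, is not reported.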