A collection of open source shellcode tools
Shellcodes database
- 0x4ndr3/SLAE64_Assignments - shellcode with auth/encryption
- blog: Win32 Shellcode - Hashed Reverse Shell
- MortenSchenk/ACL_Edit - Assembly code to use for Windows kernel shellcode to edit winlogon.exe ACL
- boku7/winx64-InjectAllProcessesMeterpreter-Shellcode - 64bit Windows 10 shellcode that injects all processes with Meterpreter reverse shells
Generator
- Bw3ll/ShellWasp - a new tool to facilitate creating shellcode utilizing syscalls, released at DEF CON 30
- tombkeeper/Shellcode_Template_in_C
- nologic/shellcc - Building optimized shellcode using GCC. Suited for learning assembly and playing with the ABI
- merrychap/shellen - Interactive shellcoding environment to easily craft shellcodes
- NytroRST/ShellcodeCompiler - compiles C/C++ style code into a small, position-independent and NULL-free shellcode for Windows
- TonyChen56/ShellCodeFrame - A shellcode generation framework written in pure C/C++ - this one seems to support Win64
- mai1zhi2/ShellCodeFramework - Ring 3 shellcode AV-evasion framework - this one has a custom hash algorithm and custom kernel32 address resolution
- hasherezade/pe_to_shellcode - Converts PE into a shellcode
- wetw0rk/Sickle - Payload development tool
- whatsbcn/shellforge4 - Enhanced version of secdev's shellforge G3. More platforms and architectures supported.
- bats3c/darkarmour - A tool that injects into a PE by modifying its OEP
- hasherezade/masm_shc - A helper utility for creating shellcodes. Cleans MASM file generated by MSVC, gives refactoring hints
- From a C project, through assembly, to shellcode v1.2 - by hasherezade for @vxunderground
ROP
- JonathanSalwan/ROPgadget - search your gadgets on your binaries to facilitate your ROP exploitation
- 0vercl0k/rp - rp++ is a fast C++ ROP gadget finder for PE/ELF/Mach-O x86/x64/ARM binaries
- sashs/Ropper - Display information about files in different file formats and find gadgets to build ROP chains for different architectures (x86/x86_64, ARM/ARM64, MIPS, PowerPC, SPARC64). For disassembly Ropper uses the awesome Capstone Framework - 1.1K stars
- kokjo/universalrop - Small tool for generating ropchains using unicorn and z3
- orppra/ropa - GUI tool to create ROP chains using the ropper API
- Boyan-MILANOV/ropgenerator - a tool that helps you building ROP exploits by finding and chaining gadgets together
Encoders
- DavidBuchanan314/monomorph - MD5-Monomorphic Shellcode Packer - all payloads have the same MD5 hash
- EgeBalci/sgn - Shikata ga nai (仕方がない) encoder ported into Go with several improvements - an encoder implemented in Go
- aniqfakhrul/Sharperner - Simple executable generator with encrypted shellcode
- pureqh/bypassAV - AV-evading shellcode loader
- knownsec/shellcodeloader
- viraintel/OWASP-ZSC - Shellcode/Obfuscate Code Generator
- hlldz/SpookFlare - Meterpreter loader generator with multiple features for bypassing client-side and network-side countermeasures
- SkyLined/alpha3 - a tool for transforming any x86 machine code into 100% alphanumeric code with similar functionality
- kgretzky/obfusion - C++ X86 Code Obfuscation Library
- cryptolok/MorphAES - IDPS & SandBox & AntiVirus STEALTH KILLER. MorphAES is described by its author as the world's first polymorphic shellcode engine, with metamorphic properties and the capability to bypass sandboxes, which makes it undetectable for an IDPS; it is cross-platform as well and library-independent
- slaeryan/FALCONSTRIKE - A stealthy, targeted Windows loader for delivering second-stage payloads (shellcode) to the host machine undetected
Debugger
- dzzie/SCDBG - A libemu-based tool for executing shellcode; no longer updated since 2019
- Bw3ll/sharem - SHAREM is a shellcode analysis framework, capable of emulating more than 20,000 WinAPIs and virtually all Windows syscalls - released at DEF CON; there is also a Ghidra plugin
- ohjeongwook/ShellCodeEmulator - Shellcode emulator written with Unicorn
- OALabs/BlobRunner - Quickly debug shellcode extracted during malware analysis
- emptymonkey/drinkme - A shellcode testing harness
- sh4hin/GoPurple - Yet another shellcode runner, consisting of different techniques for evaluating the detection capabilities of endpoint security solutions
Evasion
- RtlDallas/Jomungand - Shellcode Loader with memory evasion
- ORCA000/toasterloader - Just A Fun Way To Run Your Shellcode
- S3cur3Th1sSh1t/Caro-Kann - Encrypted shellcode Injection to avoid Kernel triggered memory scans
- florylsk/NtRemoteLoad - Remote shellcode injector, based on HWSyscalls by ShorSec, leveraging undetectable (currently) indirect native syscalls to inject shellcode into another process, creating a thread and executing it
- lem0nSec/ShellGhost - A memory-based evasion technique which makes shellcode invisible from process start to end
- 4ra1n/java-gate - Java JNI HellsGate/HalosGate/TartarusGate/RecycledGate/SSN Syscall/Many Shellcode Loaders
- timwhitez/Doge-Gabh - GetProcAddressByHash/remap/full dll unhooking/Tartaru's Gate/Spoofing Gate/universal/Perun's Fart/Spoofing-Gate/EGG/RecycledGate/syswhisper/RefleXXion golang implementation
- aahmad097/AlternativeShellcodeExec - Alternative Shellcode Execution Via Callbacks - this one is very comprehensive
- TheD1rkMtr/Shellcode-Hide - This repo contains : simple shellcode Loader , Encoders (base64 - custom - UUID - IPv4 - MAC), Encryptors (AES), Fileless Loader (Winhttp, socket)
- nixpal/ProcInjectSyscall - Process Injection using Windows SYSCALLS
- capt-meelo/KernelCallbackTable-Injection - Executes shellcode by modifying the KernelCallbackTable field of the PEB
- pwn1sher/RTImplant - Just another casual shellcode native loader
- ORCA666/T.D.P - Using Thread Description To Hide Shellcode
- snovvcrash/DInjector - Collection of shellcode injection techniques packed in a D/Invoke weaponized DLL
- boku7/Ninja_UUID_Dropper - Module Stomping, No New Thread, HellsGate syscaller, UUID Dropper for x64 Windows 10
- xinbailu/DripLoader - Evasive shellcode loader for bypassing event-based injection detection (PoC) - executes shellcode from a fixed address to bypass EDR monitoring
- ChoiSG/UuidShellcodeExec - PoC for UUID shellcode execution using DInvoke - includes a Python script that converts raw shellcode into a UUID array
- cribdragg3r/Alaris - A protective and low-level shellcode loader that defeats modern EDR systems - shellcode encryption, direct syscalls, the blockdlls policy, shellcode overwriting
- One thousand and one ways to copy your shellcode to memory (VBA Macros) - shellcode execution based on EnumSystemCodePagesW, with both C++ and VBA versions
- D00MFist/Go4aRun - Shellcode runner in Go that incorporates shellcode encryption, remote process injection, block DLLs, and spoofed parent process
- zeroSteiner/crimson-forge - Sustainable shellcode evasion
- D4Vinci/Dr0p1t-Framework - create an advanced stealthy dropper that bypasses most AVs and has a lot of tricks
- oddcod3/Phantom-Evasion - Python AV evasion tool capable of generating FUD executables even with the most common 32-bit Metasploit payloads (exe/elf/dmg/apk)
- Genetic-Malware/Ebowla - Framework for Making Environmental Keyed Payloads
- leoloobeek/GoGreen - Environmental (and http) keying for scripting languages
- Memory scanning
Uncategorized
- senzee1984/InflativeLoading - Dynamically convert a native EXE to PIC shellcode by prepending a shellcode stub
- Wra7h/ARCInject - Overwrite a process's recovery callback and execute with WER
- naksyn/python-bof-runner/injector.py - contains an example of running shellcode from Python
- leoloobeek/COMRunner - A simple COM server which provides a component to run shellcode
- Kara-4search/HellgateLoader_CSharp - Load shellcode via HellsGate; rewrite of HellsGate for learning purposes
- malware-unicorn/macho_shellcode_extractor - extracts shellcode from a nasm-compiled Mach-O binary
- 0xd4d/iced - High performance and correct x86/x64 disassembler, assembler, decoder, encoder for .NET, Rust, Python, JavaScript
- slyd0g/UrbanBishopLocal - A port of FuzzySecurity's UrbanBishop project for inline shellcode execution
- DownWithUp/DynamicKernelShellcode - An example of how x64 kernel shellcode can dynamically find and use APIs
- secretsquirrel/fido - Teaching old shellcode new tricks
- TheSecondSun/Shellab - Linux and Windows shellcode enrichment utility
- Arno0x/17d1705ecfc945088579c84994a652d3 - XLM (Excel 4.0 macro) to execute shellcode inside Excel (32-bit) - French macro code