C_Shot

C_Shot is an offensive security tool written in C which is designed to download, inject, and execute shellcode in memory. Depending on the arguments used, this can be accomplished via two different methods:

1. Inject into its own process

C_Shot will download your remote .bin file, inject and execute it inside C_Shot’s own process.

2. Inject into child process using parent process spoofing

C_Shot will download your remote .bin file, spoof a specified parent process, open a specified child process (with optional commandline args) under the specified parent process, then inject and execute it inside the child process.

Important Notes

1. The architecture of C_Shot and the shellcode you are retrieving should be the same.

2. This tool is written in C which is an unmanaged language.

3. PAGE_EXECUTE_READWRITE permissions are used in this open-source POC, among other IOCs. This was done intentionally and as always, I would suggest going through and modifying the code to help get around signature/behavior-based analysis.

4. While C_Shot can absolutely help you on your journey of executing shellcode successfully, it can only help you with so much. If you choose to execute, for example, the widely known default staged meterpreter payload, decent EDR products (but not all) will most likely flag it upon execution of the shellcode due to known behaviors or signatures. In most cases (but not all) this will not be a C_Shot problem but a shellcode behavior/obfuscation problem. This however is usually easily fixed.

Download & Use

Author: @anthemtotheego