Shhhloader v1.7.2 releases: SysWhispers Shellcode Loader

Shhhloader

Shhhloader is a SysWhispers/GetSyscallStub Shellcode Loader that is currently a Work in Progress. It takes raw shellcode as input and compiles a C++ stub that uses syscalls to try and bypass AV/EDR. The included Python builder will work on any Linux system that has Mingw-w64 installed.

The tool has been confirmed to successfully load a Meterpreter and a Cobalt Strike beacon on fully updated systems with Windows Defender enabled. The project itself is still in a PoC/WIP state, as it currently doesn’t work with all payloads.

New major features include GetSyscallStub integration, Obfuscator-LLVM support, Module Stomping, automatic DLL Proxy generation, new sandbox evasion methods, and storing shellcode as an English word array.

Features:

• 10 Different Shellcode Execution Methods (PoolParty, PoolPartyModuleStomping, ThreadlessInject, ModuleStomping, QueueUserAPC, ProcessHollow, EnumDisplayMonitors, RemoteThreadContext, RemoteThreadSuspended, CurrentThread)
• PPID Spoofing
• Block 3rd Party DLLs
• Unhook NTDLL via KnownDLLs
• SysWhispers2, SysWhispers3, & GetSyscallStub
• API Hashing for SW2 & SW3
• Compile-Time String Encryption
• Obfuscator-LLVM (OLLVM) Support
• Automatic DLL Proxy Generation
• Havoc C2 Framework Integration
• Syscall Name Randomization
• Store Shellcode as English Word Array
• XOR Encoding with Dynamic Key Generation
• Sandbox Evasion via Loaded DLL, Domain, User, Hostname, and System Enumeration

Tested and Confirmed Working on:

• Windows 10 21H1 (10.0.19043)
• Windows 10 20H2 (10.0.19042)
• Windows Server 2019 (10.0.17763)

Changelog v1.7.2

• Fixed support for Obfuscator-LLVM (OLLVM)

Download

git clone https://github.com/icyguider/Shhhloader.git

Use

Copyright (C) 2022 icyguider 

Source: https://github.com/icyguider/