Shhhloader v1.5 releases: SysWhispers Shellcode Loader
Shhhloader is a SysWhispers/GetSyscallStub Shellcode Loader that is currently a Work in Progress. It takes raw shellcode as input and compiles a C++ stub that uses syscalls to try and bypass AV/EDR. The included python builder will work on any Linux system that has Mingw-w64 installed.
The tool has been confirmed to successfully load Meterpreter and a Cobalt Strike beacon on fully updated systems with Windows Defender enabled. The project itself is still in a PoC/WIP state, as it currently doesn’t work with all payloads.
New major features include GetSyscallStub integration, Obfuscator-LLVM support, Module Stomping, automatic DLL Proxy generation, new sandbox evasion methods, and storing shellcode as an English word array.
- 7 Different Shellcode Execution Methods (ModuleStomping, QueueUserAPC, ProcessHollow, EnumDisplayMonitors, RemoteThreadContext, RemoteThreadSuspended, CurrentThread)
- PPID Spoofing
- Block 3rd Party DLLs
- GetSyscallStub & SysWhispers2
- Obfuscator-LLVM (OLLVM) Support
- Automatic DLL Proxy Generation
- Syscall Name Randomization
- Store Shellcode as English Word Array
- XOR Encryption with Dynamic Key Generation
- Sandbox Evasion via Loaded DLL, Domain, User, Hostname, and System Enumeration
Tested and Confirmed Working on:
- Windows 10 21H1 (10.0.19043)
- Windows 10 20H2 (10.0.19042)
- Windows Server 2019 (10.0.17763)
Added GetSyscallStub integration, Obfuscator-LLVM support, Module Stomping, automatic DLL Proxy generation, new sandbox evasion methods, and storing shellcode as an English word array.
git clone https://github.com/icyguider/Shhhloader.git
Copyright (C) 2022 icyguider