Custom shellcode runner builder w/ CobaltStrike integration

Overview

Custom_Builder

Custom shellcode runner builder w/ CobaltStrike integration.

Compile Builder.c using gcc:

gcc -o Builder Builder.c

Edit the .cna script and replace the $builder variable at the top with the full path to the Builder executable you just compiled. Make sure you keep the compiled Builder program in the same folder as everything else in this repo!

Load the .cna script into Cobaltstrike. You should see a "Custom Builder" menu item appear on the toolbar. Follow the menus to create your payload!

How it works

The aggressor script creates a stageless Cobaltstrike beacon shellcode file in .bin format and passes it, along with the target architecture, to the Builder program. The Builder program takes the .bin file and the architecture as arguments. It opens the .bin file, generates a random AES-128 key and IV, and encrypts the shellcode. The Builder program then opens the exe.c template file, places the encrypted shellcode, key, and IV values into the template, and saves the result as "customexe.c". It then calls the appropriate mingw compiler (based on the architecture passed as an argument) to compile the payload and writes it to the location selected in the CobaltStrike menu.

Payload features

The current template (exe.c) works by creating a new process (werfault.exe) with a spoofed PPID and the "block non-Microsoft DLLs" mitigation policy enabled. The parent PID is selected by the payload by determining the current user context of the running process: if it determines that the payload is running with high integrity, Winlogon is selected as the parent process; otherwise Explorer is chosen as the parent of the werfault.exe process. Once werfault.exe has been created (suspended), the shellcode is injected into the new process and execution is resumed using the QueueApcThread (APC injection) technique. All API calls related to shellcode injection performed by the runner are made through the NT APIs.

To Do

  1. Integrate Direct Syscalls
  2. Disable EtwEventWrite
  3. Add DLL template
FUD shellcode Injector

EVA fully undetectable injector Update on Monday, July 12 : USE EVA2 INSTEAD . [+] antiscan.me YOUR MOM IS A -BITCH- IF YOU UPLOADED THIS TO ANY WEBSI

null 186 Aug 3, 2022
sc4cpp is a shellcode framework based on C++

sc4cpp is a shellcode framework based on C++

null 59 Aug 2, 2022
Encrypted shellcode injector with basic virtual machine evasion using C++

C++ PE Injector Overview Fully undetectable shellcode injector written in C++ with customizable XOR payload encryption/decryption and basic antivirus

Kampourakis Emmanouil 5 Apr 5, 2022
shellcode injector

What is Process Injection? It is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of

anas 69 Jul 19, 2022
This is a brand-new technique for shellcode injection to evade AVs and EDRs

This is a brand-new technique for shellcode injection to evade AVs and EDRs. This technique is inspired by Module Stomping and has some similarities. As to this date (23-01-2022) also hollows-hunter doesn't find it.

Idov 567 Aug 11, 2022
POC tool to convert CobaltStrike BOF files to raw shellcode

BOF2Shellcode POC tool to convert a Cobalt Strike BOF into raw shellcode. Introduction This code was written as part of a blog tutorial on how to conv

FalconForce 55 Aug 5, 2022
Module Stomping, No New Thread, HellsGate syscaller, UUID Shellcode Runner for x64 Windows 10!

Ninja UUID Shellcode Runner Module Stomping, No New Thread, HellsGate syscaller, UUID Shellcode Runner for x64 Windows 10! Now supports running Cobalt

Bobby Cooke 318 Aug 6, 2022
This API uses both composition and inheritance to provide a generic way to set up a custom server with a custom communication protocol and custom middlewares

Ziapi Summary Introduction Installation Introduction This API uses both composition and inheritance to provide a generic way to set up a custom server

Aurélien Boch 8 Apr 22, 2022
EarlyBird process hollowing technique (BOF) - Spawns a process in a suspended state, inject shellcode, hijack main thread with APC, and execute shellcode

HOLLOW - Cobalt Strike BOF Authors: Bobby Cooke (@0xBoku) Justin Hamilton (@JTHam0) Octavio Paguaga (@OakTree__) Matt Kingstone (@n00bRage) Beacon Obj

Bobby Cooke 190 Jul 27, 2022
CobaltStrike BOF - Inject ETW Bypass into Remote Process via Syscalls (HellsGate|HalosGate)

Cobalt Strike BOF - Inject ETW Bypass Inject ETW Bypass into Remote Process via Syscalls (HellsGate|HalosGate) Running InjectEtwBypass BOF from Cobalt

Bobby Cooke 224 Aug 3, 2022
Cobaltstrike addons to interact with clipboard

Cobalt-Clip Cobalt-clip is clipboard addons for cobaltstrike to interact with clipboard. With this you can dump, edit and monitor the content of q cli

null 71 Aug 5, 2022
🦖This is a C port of Chrome's offline T-Rex Runner

🦖 Chrome T-Rex Runner (ported to C)

Shlomi Nissan 118 Jul 8, 2022
sampctl-runner: Easy way to build and run package..

sampctl-runner Easy way to build and run package.. Usage Just enter the name of the repository from pawn.json and let the program do other things.. Ex

Emmett 1 Apr 17, 2022
o/ ImGui Builder is a graphical framework for assembling imgui codes in your interface easily

IMGUI BUILDER The project consists a gui editor of the Imgui framework EDITOR Menu Export 1 - Export cpp file 2 - Cpp file Credits Credits for Shadowy

Code Building 358 Aug 9, 2022
LiteX is a Migen/MiSoC based Core/SoC builder that provides the infrastructure to easily create Cores/SoCs (with or without CPU).

LiteX is a Migen/MiSoC based Core/SoC builder that provides the infrastructure to easily create Cores/SoCs (with or without CPU). The common components of a SoC are provided directly: Buses and Streams (Wishbone, AXI, Avalon-ST), Interconnect, Common cores (RAM, ROM, Timer, UART, etc...), CPU wrappers/integration, etc... and SoC creation capabilities can be greatly extended with the ecosystem of LiteX cores (DRAM, PCIe, Ethernet, SATA, etc...) that can be integrated/simulated/build easily with LiteX.

null 1.7k Aug 10, 2022
64-bit LKM Rootkit builder based on yaml prescription

1337kit - LKM Rootkit Builder About project 1337kit is 64-bit LKM Rootkit builder based on yaml prescription Fully tested on: Linux 5.11.0-34-generic

Lukas Balazik 16 Jul 17, 2022
SRL-CPP is a Simple Regex Language builder library written in C++11 that provides an easy to use interface for constructing both simple and complex regex expressions.

SRL-CPP SRL-CPP is a Simple Regex Language builder library written in C++11 that provides an easy to use interface for constructing both simple and co

Telepati 0 Mar 9, 2022
Advanced discord token grabber builder with GUI

Token-Grabber-Builder Advanced discord token grabber builder with GUI Screenshot Features Hidden console High execution speed Grab discord tokens Stea

RadonCoding 2 Dec 2, 2021
Buffer reader/builder for C

ubuf ubuf is a simple interface for reading/writing binary data. It handles automatically expanding the buffer and byte order for you, but that's abou

adrian 2 Jan 10, 2022
Simple web interface builder for esp8266 and ESP32

GyverPortal Simple web interface builder for esp8266 and ESP32. Simple builder: make pages without knowing HTML and CSS. The library is a

Alex 111 Aug 4, 2022
With xshellex you can paste any kind of c-shellcode strings in x64dbg, ollydbg & immunity debugger

With xshellex you can paste any kind of c-shellcode strings in x64dbg, ollydbg & immunity debugger. Also you can convert the "binary-copied-clipboard" to c-shellcode string.

David Reguera Garcia aka Dreg 29 Jul 27, 2022
Remote Download and Memory Execute for shellcode framework

RmExecute Remote Download and Memory Execute for shellcode framework. A shellcode framework that downloads remotely and loads in memory; X64 is not supported yet. Reference (copied) projects: an implementation of a shellcode extraction template on Windows. Main source of the copied code, directly using this expert's

null 42 Jul 28, 2022
POCs for Shellcode Injection via Callbacks

Callback_Shellcode_Injection POCs for Shellcode Injection via Callbacks. Working APIs 1, EnumTimeFormatsA Works 2, EnumWindows Works 3, EnumD

Chaitanya Haritash 305 Aug 5, 2022
C-shellcode to hex converter, handy tool for paste & execute shellcodes in gdb, windbg, radare2, ollydbg, x64dbg, immunity debugger & 010 editor

shellex WARNING: the ugliest code in the world C-shellcode to hex converter. Handy tool for paste & execute shellcodes in gdb, windbg, radare2, ollydb

David Reguera Garcia aka Dreg 85 Aug 8, 2022
Hijack Printconfig.dll to execute shellcode

printjacker Printjacker is a post-exploitation tool that creates a persistence mechanism by overwriting Printconfig.dll with a shellcode injector. The

Red Section 84 Jul 19, 2022
Alternative Shellcode Execution Via Callbacks

Alternative Code Execution This is gaining more popularity than expected, so I just wanted to give a shoutout to alfarom256 for informing me about cal

null 820 Aug 7, 2022
Building and Executing Position Independent Shellcode from Object Files in Memory

PIC-Privileges Building and Executing Position Independent Shellcode from Object Files in Memory. This is a pingback to the blogpost I wrote at https:

Paranoid Ninja 77 Aug 9, 2022
runsc loads 32/64 bit shellcode (depending on how runsc is compiled) in a way that makes it easy to load in a debugger. This code is based on the code from https://github.com/Kdr0x/Kd_Shellcode_Loader by Gary "kd" Contreras.

runsc This code is based on the code from https://github.com/Kdr0x/Kd_Shellcode_Loader by Gary "kd" Contreras and contains additional functionality. T

null 25 Jul 27, 2022