Shellcode loader written in rust. Strives to evade modern EDR solutions.

Overview

Pestilence

What is pestilence?

Pestilence is a shellcode loader written in rust. It strives to evade modern EDR solutions.

How does it work?

At build time, it embeds the AES-128-CFB-encrypted shellcode, together with the key and IV, in the .text section of the PE. At run time it first checks for the "activated" command-line argument. If present, it decrypts the shellcode, copies it into memory gradually (interleaved with custom sleeps) and then executes it using NTDLL.DLL functions (again interleaved with custom sleeps).
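Because the key and IV ship inside the binary, the encryption only hides the payload from static signatures, and the ciphertext itself stands out: compiled code usually sits well below 7 bits/byte of entropy per 256-byte window, while ciphertext sits near 8. The following Python is an added defender-side example, not code from Pestilence: it walks the PE section table by hand and reports .text windows whose entropy looks like ciphertext; the 7.2 threshold and the build_sample_pe fixture are assumptions made here.

```python
import math
import struct
from typing import List, Tuple

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pe_sections(pe: bytes) -> List[Tuple[str, bytes]]:
    """Walk the COFF section table of an on-disk PE image; returns (name, raw bytes) pairs."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                    # 20-byte COFF file header
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size                           # section headers, 40 bytes each
    sections = []
    for i in range(num_sections):
        hdr = table + 40 * i
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, hdr + 16)  # SizeOfRawData, PointerToRawData
        sections.append((name, pe[raw_ptr:raw_ptr + raw_size]))
    return sections

def suspicious_text_windows(pe: bytes, window: int = 256, threshold: float = 7.2) -> List[int]:
    """Offsets inside .text whose window has ciphertext-like entropy (7.2 cut-off is an assumed heuristic)."""
    hits = []
    for name, data in pe_sections(pe):
        if name == ".text":
            for off in range(0, len(data), window):
                if shannon_entropy(data[off:off + window]) >= threshold:
                    hits.append(off)
    return hits

def build_sample_pe(text: bytes) -> bytes:
    """Constructed minimal PE for offline testing: one .text section, zero-length optional header."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)            # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, 0)     # 1 section, SizeOfOptionalHeader 0
    raw_ptr = 64 + 4 + 20 + 40                                   # section data follows the table
    sect = b".text\0\0\0" + struct.pack("<IIII", len(text), 0x1000, len(text), raw_ptr) + b"\0" * 16
    return dos + b"PE\0\0" + coff + sect + text
```

Running suspicious_text_windows over a real sample replaces build_sample_pe with the bytes of the file; a hit list that is empty for the rest of .text but non-empty at one offset is the signature of an embedded blob rather than ordinary code.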

Installation

Requirements

  • python3 (tested with 3.10) + pycryptodomex
  • rust (nightly-x86_64-pc-windows-msvc toolchain)
  • visual studio 2019 build tools

How to install them

vs2019 build tools

Download and install vs2019 build tools from here:

https://visualstudio.microsoft.com/downloads/#build-tools-for-visual-studio-2019

Make sure that you select "Desktop development with C++" option.

python3 + pycryptodomex

Download and install python using this link (do not forget to add it to PATH):

https://www.python.org/ftp/python/3.10.0/python-3.10.0-amd64.exe

Install pycryptodomex:

pip3 install pycryptodomex

rust

Install rust using rustup from this link:

https://static.rust-lang.org/rustup/dist/x86_64-pc-windows-msvc/rustup-init.exe

  • Install the C++ build tools if asked.
  • Be sure to choose "customize installation".

Modify install settings:

Default host triple? [x86_64-pc-windows-msvc]
Default toolchain? [nightly]
Profile? [default]
Modify PATH variable? [Y]

Proceed with installation.

Build & Usage

Build

Open PowerShell and run:

git clone https://github.com/cr7pt0pl4gu3/Pestilence
cd Pestilence
cp /path/to/raw/shellcode.bin shellcode.bin
python encrypt_shellcode.py
cargo build --release

Note: shellcode must be named "shellcode.bin"!

Usage

On target, execute:

pestilence.exe activate

Done!

Good luck! I hope that pestilence helped you.

Issues
  • Improve FileMappingLoadShellcode. Remove disgraceful PAGE_EXECUTE_READWRITE in CreateFileMapping.


    Ideally, after private namespacing, FileMappingLoadShellcode should do things in the following way (for stealth):

    1. CreateFileMapping with read & write permissions;
    2. MapViewOfFile with FILE_MAP_WRITE permissions;
    3. RtlMoveMemory our shellcode to that mapped file;
    4. UnmapViewOfFile our mapped file;
    5. MapViewOfFile with FILE_MAP_EXECUTE permissions;
    6. CreateThread with LPTHREAD_START_ROUTINE of our mapped file.

    However, I am not sure if that is possible; I tried with no success.

    Labels: enhancement, help wanted, good first issue, question. Opened by cr7pt0pl4gu3.
Owner: Daniil Nababkin (cybersecurity enthusiast from Kyiv, penetration tester, OSCP)