“Stealthy shellcode injection using not-so-new evasion techniques on Windows.”
DISCLAIMER!
This project was developed for educational purposes only in a controlled environment.
Do not use it in production environments or on systems/infrastructures that you do not own, or without explicit authorization.
I am not responsible for any misuse of this code.
Hell Code Loader is a lightweight proof-of-concept tool for injecting and executing shellcode on Windows systems with "minimal" detection. It leverages indirect NT syscalls, hardware breakpoints, vectored exception handling (VEH), and other evasive tactics.
“I know there are better ways to apply this, but I follow a simple logic: if it works for me, that's what matters.”
- Indirect NTAPI Syscalls
  - Bypass user-mode API hooks: the `syscall` instruction that is executed lives inside NTDLL, not in the loader's own code.
- AsmHalosGate
  - Resolution of system service numbers (SSNs) in NTDLL; when the target stub is hooked, the SSN is derived from an unhooked neighbouring stub.
- Hardware Breakpoints (HWBP)
  - Place breakpoints on `AmsiScanBuffer` and `NtTraceEvent` for on-the-fly patching, without modifying any bytes in AMSI or NTDLL.
- Thread-Pool DLL Loading
- RC4 Payload Decryption
- Vectored Exception Handling (VEH)
  - The VEH handler redirects RIP to execute the shellcode.
Historically it has been able to bypass the following antivirus/EDR products:
Note:
- This can't be considered a 100% bypass since I only tested it by running Mimikatz commands!
- In a properly configured EDR environment, things are different!
- This ranking list was generated by AI, so I can't guarantee the data is 100% accurate :)
| Antivirus | Ranking 2024 | AV-Comparatives Recognition |
| --- | --- | --- |
| ESET HOME Security Essential | 🥇 1st place | Product of the Year 2024 |
| Sophos Endpoint | 🥈 2nd place | Approved Enterprise & Business Security |
| Bitdefender Endpoint Security | 🥉 3rd place | Approved Enterprise & Business Security |
| Trend Micro Max Security | 4th place | Top-Rated Product 2024 |
| Bitdefender Total Security | 5th place | Top-Rated Product 2024 |
| Avira Antivirus Pro | 6th place | Approved Security Product 2024 |
| Malwarebytes Standard | 7th place | Approved Security Product 2024 |
| TotalAV | 8th place | Approved Security Product 2024 |
| F-Secure Anti-Virus | 9th place | Approved Security Product 2024 |
- Shellcode Execution: YouTube
  Executed Mimikatz shellcode (converted via donut) without AV detection.
- DLL Proxy + Hell Code Loader: YouTube
  To bypass Bitdefender Total Security and Endpoint Security, I had to implement loader injection through a DLL proxy.
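The shellcode these demos run is stored in the loader RC4-encrypted and is only decrypted in memory at run time (the RC4 Payload Decryption item in the feature list). As an added example written for this page, not code from the project: a compact RC4 implementation with a known-answer check, the loader-side decrypt step, and a round trip on a constructed, harmless placeholder payload (`nop ; nop ; int3 ; ret`) rather than real shellcode. The key is made up, and the blob is encrypted at run time so the example is self-contained; in the loader the blob is produced offline and embedded in the binary.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

typedef struct {
    uint8_t S[256];
    uint8_t i, j;
} rc4_state;

/* Key-scheduling algorithm: permute S under the key. keylen must be > 0. */
void rc4_init(rc4_state *st, const uint8_t *key, size_t keylen)
{
    for (int k = 0; k < 256; k++)
        st->S[k] = (uint8_t)k;
    uint8_t j = 0;
    for (int k = 0; k < 256; k++) {
        j = (uint8_t)(j + st->S[k] + key[k % keylen]);
        uint8_t t = st->S[k]; st->S[k] = st->S[j]; st->S[j] = t;
    }
    st->i = st->j = 0;
}

/* Keystream generation XORed in place. RC4 is symmetric: the same call
   encrypts and decrypts, and a state may be used across several buffers. */
void rc4_crypt(rc4_state *st, uint8_t *buf, size_t len)
{
    for (size_t n = 0; n < len; n++) {
        st->i = (uint8_t)(st->i + 1);
        st->j = (uint8_t)(st->j + st->S[st->i]);
        uint8_t t = st->S[st->i]; st->S[st->i] = st->S[st->j]; st->S[st->j] = t;
        buf[n] ^= st->S[(uint8_t)(st->S[st->i] + st->S[st->j])];
    }
}

/* Loader-side step: copy the embedded blob into a writable buffer and decrypt it.
   On Windows `out` would be memory allocated RW and flipped to RX afterwards
   (NtProtectVirtualMemory through the indirect syscall) before control goes to it. */
size_t decrypt_payload(const uint8_t *blob, size_t len,
                       const uint8_t *key, size_t keylen, uint8_t *out)
{
    rc4_state st;
    memcpy(out, blob, len);
    rc4_init(&st, key, keylen);
    rc4_crypt(&st, out, len);
    return len;
}

/* Known-answer check: key "Key", plaintext "Plaintext" -> BB F3 16 E8 D9 40 AF 0A D3.
   Returns 1 if the implementation matches. */
int rc4_selftest(void)
{
    static const uint8_t expect[9] = { 0xBB, 0xF3, 0x16, 0xE8, 0xD9, 0x40, 0xAF, 0x0A, 0xD3 };
    uint8_t buf[9];
    rc4_state st;
    memcpy(buf, "Plaintext", 9);
    rc4_init(&st, (const uint8_t *)"Key", 3);
    rc4_crypt(&st, buf, 9);
    return memcmp(buf, expect, 9) == 0;
}

/* Round trip: "offline" encryption of the placeholder payload, then the loader's
   decrypt step. Returns 1 if the decrypted bytes equal the original. */
int payload_roundtrip(void)
{
    static const uint8_t key[] = "example-key";              /* constructed key */
    const uint8_t shellcode[] = { 0x90, 0x90, 0xCC, 0xC3 };  /* placeholder, not real shellcode */
    uint8_t blob[sizeof shellcode], out[sizeof shellcode];
    rc4_state st;

    memcpy(blob, shellcode, sizeof shellcode);
    rc4_init(&st, key, sizeof key - 1);
    rc4_crypt(&st, blob, sizeof blob);                       /* what the offline tool does */

    decrypt_payload(blob, sizeof blob, key, sizeof key - 1, out);
    return memcmp(out, shellcode, sizeof shellcode) == 0;
}
```

RC4 here is obfuscation, not confidentiality: the key is embedded in the binary and the cleartext exists in memory from the moment `decrypt_payload` returns, which is exactly where memory scanners and EDR scans triggered by the RW-to-RX protection change will look. It defeats static signature matching on the stored blob and nothing more.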
- Influenced by various GitHub projects and community research 🗿
- Awesome Malware Blogs 🦐