Skip to content
/ ShadeLoader Public

ShadeLoader is a shellcode loader designed to bypass most antivirus software. 壳代码, 杀毒软件, 绕过

37 stars 4 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

Vasco0x4/ShadeLoader

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits
ShadeLoader
ShadeLoader
 
 
.gitattributes
.gitattributes
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 
ShadeLoader.sln
ShadeLoader.sln
 
 

Repository files navigation

ShadeLoader

Description

ShadeLoader is a shellcode loader that utilizes process hollowing and XOR encryption techniques to download, decrypt, and inject shellcode into a legitimate process.

345470702-c013f61b-a0ef-42dd-9583-9b66548fbb5d

How It Works & Features

  1. Initial Access (main.exe):

    • main.exe starts a legitimate process, cmd.exe, in suspended mode.

  2. Downloading and Decrypting Shellcode:

    • cmd.exe downloads the encrypted shellcode from a specified URL.
    • The shellcode is encrypted using XOR to obfuscate its content during transport.
    • Once downloaded, cmd.exe decrypts the shellcode using a key to obtain the clear executable code.

  3. Process Hollowing (Injection into RuntimeBroker.exe):

    • cmd.exe creates a new process, RuntimeBroker.exe, in suspended mode.
    • The decrypted shellcode is injected into the allocated memory of RuntimeBroker.exe.
    • cmd.exe creates a thread in RuntimeBroker.exe to execute the injected shellcode.

  4. Self-destruction:

    • Once the shellcode is injected and executed, main.exe self-destructs.

  5. VM Protection and Anti-Debugging

    The shellcode loader detect and protect against virtual machine environments and debugging tools.

    • If the malware detects that it is running in a virtual machine (VM) environment.
    • If the malware detects the presence of a debugger.
    • If the malware detects common VM artifacts or tools indicating analysis.

How to setup

config.h

you can setup shellcode loader 0 = disable | 1 = enable

ENABLE_DEBUG 0 //  if enable its open windows with debug logs 
AUTODESTRUCT 1  // auto destuct after execution 
SUSPEND_DOWNLOAD 1  //  waiting time before download shellcode from web 
PROTECTION 1 // anti VM / disable IF YOU USE IN ON VM !!!

main.cpp

in main file you need to configure 2 think

  • shellcode URL | line 49
  • XOR key use same key for encryption !!! | line 59

The encrypt.py file is included in the project. You can use it to encrypt your shellcode before uploading it.

demo / exemple

Debug mode

#define ENABLE_DEBUG 1
#define AUTODESTRUCT 1 
#define SUSPEND_DOWNLOAD 0 
#define PROTECTION 0
345540556-a53b4fe9-71f4-40e5-8207-d6568e47824f.mp4

Anti VM

#define ENABLE_DEBUG 1
#define AUTODESTRUCT 1  
#define SUSPEND_DOWNLOAD 0 
#define PROTECTION 1
345540589-8f202f91-f72d-480e-8323-21484ff65427.mp4

Silent

#define ENABLE_DEBUG 0
#define AUTODESTRUCT 1
#define SUSPEND_DOWNLOAD 1
#define PROTECTION 0
345540636-b04bf295-2723-4992-8547-673753c6674c.mp4

ShadeLoader vs AVs 2/40

https://kleenscan.com/scan_result/e116638a3bac264968b2a86f32e6a24db53f7f27335810caba68233ca5771e4d

Disclaimer

This project is for educational purposes only. Any malicious use of this code is strictly prohibited

About

ShadeLoader is a shellcode loader designed to bypass most antivirus software. 壳代码, 杀毒软件, 绕过

Topics

antivirus shellcode shellcode-loader antivirus-evasion shellcode-injection antivirus-bypass

Resources

Readme
Activity

Stars

37 stars

Watchers

2 watching

Forks

4 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages