Proof-of-concept shellcode injector that uses clean syscalls to bypass user-mode hooks in ntdll
- Activity obfuscation
- Inject shellcode into a target process via raw syscalls
- Bypass common user-mode hooks on the Win32 APIs `LoadLibrary`, `VirtualAlloc`, `WriteProcessMemory`
- Auto-generate & embed a shellcode payload that downloads and executes a PE file
- Leverages the Windows Thread Pool API to hide the call stack:
  - The syscall appears to originate from a trusted region inside `ntdll!TpWorker` rather than from our code.
  - No direct native API calls are made; instead, the injector jumps to syscall stubs discovered in ntdll.
| Path | Purpose |
|---|---|
| `include/PEB.h` | Struct definitions for PEB / TEB / LDR_MODULE |
| `include/Callbacks.h` | Prototypes & argument structs for the three syscalls |
| `Callbacks.asm` | NASM routines: locate raw syscall stubs → unpack args → `syscall; ret` |
| `Shellcode.h.template` | DSL (Intel syntax) between `SHELLCODE_START` / `END` markers |
| `generate_shellcode_header.py` | Assembles the DSL → overwrites `Shellcode.h` with a byte array |
| `main.cpp` | C++ wrapper: `EnableDebugPrivilege`, SSN lookup, Thread Pool callbacks, wrappers for `NtAllocateVirtualMemory`, `NtWriteVirtualMemory`, `NtCreateThreadEx` |
| `Makefile` | Automation: (1) generate `Shellcode.h`, (2) assemble ASM routines, (3) compile & link → `injector.exe` |
- Windows x64 – MSVC / Visual Studio Build Tools
- NASM (`nasm -f win64`)
- Python 3.x + Keystone engine (`pip install keystone-engine`)
1. Install NASM, MSVC, Python + Keystone beforehand.
2. Generate `Shellcode.h` from the template: `python generate_shellcode_header.py Shellcode.h.template Shellcode.h`
3. Build everything: `make`
4. Launch the injector: `injector.exe`
This repository is provided for educational purposes only and intended for authorized security research. Use of these materials in unauthorized or illegal activities is strictly prohibited.