Proof of concept shellcode injector that uses clean syscalls to bypass user-mode hooks in ntdll
- Activity obfuscation
- Inject shellcode into a target process via raw syscalls
- Bypass common user-mode hooks on Win32 APIs LoadLibrary, VirtualAlloc, WriteProcessMemory
- Auto generate & embed a shellcode payload that downloads and executes a PE file
- Leverages the Windows Thread Pool API to hide the call stack:
- The syscall appears to originate from a trusted region inside ntdll!TpWorker rather than from our code.
- No direct native API calls are made; instead, the injector jumps to syscall stubs discovered in ntdll.
| Path | Purpose |
|---|---|
| include/PEB.h | Struct definitions for PEB / TEB / LDR_MODULE |
| include/Callbacks.h | Prototypes & argument structs for the three syscalls |
| Callbacks.asm | NASM routines: locate raw syscall stubs → unpack args → syscall; ret |
| Shellcode.h.template | DSL Intel syntax between SHELLCODE_START / END markers |
| generate_shellcode_header.py | Assembles the DSL → overwrites Shellcode.h with a byte array |
| main.cpp | C++ wrapper: EnableDebugPrivilege, SSN lookup, Thread Pool callbacks, wrappers for NtAllocateVirtualMemory, NtWriteVirtualMemory, NtCreateThreadEx |
| Makefile | Automation: 1 Generate Shellcode.h 2 Assemble ASM routines 3 Compile & link → injector.exe |
- Windows x64 – MSVC / Visual Studio Build Tools
- NASM -f win64
- Python 3 + Keystone-engine pip install keystone-engine
-
Install NASM, MSVC, Python + Keystone beforehand
-
Generate Shellcode.h from the template python generate_shellcode_header.py Shellcode.h.template Shellcode.h
-
Build everything make
-
Launch the injector injector.exe
This repository is provided for educational purposes only and intended for authorized security research. Use of these materials in unauthorized or illegal activities is strictly prohibited.