{"id":17466,"date":"2021-08-11T19:42:24","date_gmt":"2021-08-11T14:12:24","guid":{"rendered":"https:\/\/kalilinuxtutorials.com\/?p=15681"},"modified":"2021-08-11T19:42:24","modified_gmt":"2021-08-11T14:12:24","slug":"go-shellcode","status":"publish","type":"post","link":"https:\/\/kalilinuxtutorials.com\/go-shellcode\/","title":{"rendered":"Go-Shellcode : A Repository Of Windows Shellcode Runners And Supporting Utilities"},"content":{"rendered":"\n

Go-Shellcode<\/strong><\/code> is a repository of Windows Shellcode runners and supporting utilities. The applications load and execute Shellcode using various API calls or techniques.<\/p>\n\n\n\n

The available Shellcode runners include:<\/p>\n\n\n\n

<\/a>CreateFiber<\/strong><\/p>\n\n\n\n

This application leverages the Windows CreateFiber function from the Kernel32.dll<\/strong><\/code> to execute shellcode within this application’s process. This is usefull when you want to avoid remote process injection and want to avoid calling CreateThread<\/strong><\/code>. This application DOES NOT<\/strong> leverage functions from the golang.org\/x\/sys\/windows<\/strong><\/code> package. The most significant difference is that this application loads all the necessary DLLs and Procedures itself and uses the procedure’s Call() function.<\/p>\n\n\n\n

NOTE:<\/strong> I have not figured out way to have the process exit and you will have to manually terminate it.<\/p>\n\n\n\n

The application can be compiled with the following command on a Windows host from the project’s root directory:<\/p>\n\n\n\n

set GOOS=windows GOARCH=amd64;go build -o CreateFiber.exe .\\cmd\\CreateFiber\\main.go<\/strong><\/code><\/p>\n\n\n\n

<\/a>CreateProcess<\/strong><\/p>\n\n\n\n

This application leverages the Windows CreateProcess function from Kernel32.dll<\/code>.<\/strong> The process is created in a suspended state, the AddressOfEntryPoint in the IMAGE_OPTIONAL_HEADER<\/strong><\/code> structure is updated to execute shellcode in the childprocess, and then the process is resumed. This is a type of process hollowing but the existing PE is NOT<\/strong> unmapped and the ThreadContext is NOT<\/strong> updated. The provided shellcode architecture (i.e. x86 or x64) must match the architecture of the child process.<\/p>\n\n\n\n

The application can be compiled with the following command on a Windows host from the project’s root directory:<\/p>\n\n\n\n

set GOOS=windows GOARCH=amd64;go build -o CreateProcess.exe .\\cmd\\CreateProcess\\main.go<\/strong><\/code><\/p>\n\n\n\n

<\/a>CreateProcessWithPipe<\/strong><\/p>\n\n\n\n

This application leverages the Windows CreateProcess function from Kernel32.dll<\/code>. The process is created in a suspended state, the AddressOfEntryPoint in the IMAGE_OPTIONAL_HEADER<\/strong><\/code> structure is updated to execute shellcode in the childprocess, and then the process is resumed. This is a type of process hollowing but the existing PE is NOT<\/strong> unmapped and the ThreadContext is NOT<\/strong> updated. The provided shellcode architecture (i.e. x86 or x64) must match the architecture of the child process.<\/p>\n\n\n\n

This application differs from CreateProcess because it will collect any data written to STDOUT<\/strong> or STDERR<\/strong> in the child process and return it to the parent process. Data is collected by using the CreatePipe function to create an anonymous pipe that the parent and child process communicate over. This is usefull when using tools like Donut to execute a .NET assembly in a child process as shellcode and to retrieve the output of the executed program. The following command can be used to generate position-independent shellcode to run Seatbelt with Donut v0.9.3:<\/p>\n\n\n\n

.\\donut.exe -o donut_v0.9.3_Seatbelt.bin -x 2 -c Seatbelt.Program -m Main -p \"ARPTable\" Seatbelt.exe<\/strong><\/code><\/p>\n\n\n\n

The application can be compiled with the following command on a Windows host from the project’s root directory:<\/p>\n\n\n\n

set GOOS=windows GOARCH=amd64;go build -o CreateProcessWithPipe.exe .\\cmd\\CreateProcessWithPipe\\main.go<\/strong><\/code><\/p>\n\n\n\n

<\/a>CreateRemoteThread<\/strong><\/p>\n\n\n\n

This application leverages the Windows CreateRemoteThread function from Kernel32.dll<\/strong><\/code> to execute shellocde in a remote process. The application requires that the target process to inject into is already running. The targe Process Identifier (PID) can provided at runtime for testing using the -pid<\/strong><\/code> command line flag. Hardcode the PID in the following line of code for operational use by replacing the 0<\/strong><\/code> with your target PID:<\/p>\n\n\n\n

pid := flag.Int(\"pid\", 0, \"Process ID to inject shellcode into\")<\/strong><\/code><\/p>\n\n\n\n

This application leverages functions from the golang.org\/x\/sys\/windows<\/strong><\/code> package, where feasible, like the windows.OpenProcess()<\/strong><\/code>. The application can be compiled wit the following command on a Windows host from the project’s root directory:<\/p>\n\n\n\n

set GOOS=windows GOARCH=amd64;go build -o CreateRemoteThread.exe .\\cmd\\CreateRemoteThread\\main.go<\/strong><\/code><\/p>\n\n\n\n

<\/a>CreateRemoteThreadNative<\/strong><\/p>\n\n\n\n

This application leverages the Windows CreateRemoteThread function from Kernel32.dll<\/strong><\/code> to execute shellocde in a remote process. The application requires that the target process to inject into is already running. The targe Process Identifier (PID) can provided at runtime for testing using the -pid<\/strong><\/code> command line flag. Hardcode the PID in the following line of code for operational use by replacing the 0<\/strong><\/code> with your target PID:<\/p>\n\n\n\n

pid := flag.Int(\"pid\", 0, \"Process ID to inject shellcode into\")<\/strong><\/code><\/p>\n\n\n\n

This application DOES NOT<\/strong> leverage functions from the golang.org\/x\/sys\/windows<\/strong><\/code> package. The most significant difference is that this application loads all the necessary DLLs and Procedures itself and uses the procedure’s Call() function. The application can be compiled with the following command on Windows host from the project’s root directory:<\/p>\n\n\n\n

set GOOS=windows GOARCH=amd64;go build -o CreateRemoteThreadNative.exe .\\cmd\\CreateRemoteThreadNative\\main.go<\/strong><\/code><\/p>\n\n\n\n

<\/a>CreateThread<\/strong><\/p>\n\n\n\n

This application leverages the Windows CreateThread function from Kernel32.dll<\/strong><\/code> to execute shellcode within this application’s process. This is usefull when you want to avoid remote process injection. This application leverages functions from the golang.org\/x\/sys\/windows<\/strong><\/code> package, where feasible, like the windows.VirtualAlloc()`. The application can be compiled with the following command on Windows host from the project’s root directory:<\/p>\n\n\n\n

set GOOS=windows GOARCH=amd64;go build -o CreateThread.exe .\\cmd\\CreateThread\\main.go<\/strong><\/code><\/p>\n\n\n\n

<\/a>CreateThreadNative<\/strong><\/p>\n\n\n\n

This application leverages the Windows CreateThread function from the Kernel32.dll<\/strong><\/code> to execute shellcode within this application’s process. This is usefull when you want to avoid remote process injection. This application DOES NOT<\/strong> leverage functions from the golang.org\/x\/sys\/windows<\/strong><\/code> package. The most significant difference is that this application loads all the necessary DLLs and Procedures itself and uses the procedure’s Call() function. The application can be compiled with the following command on Windows host from the project’s root directory:<\/p>\n\n\n\n

set GOOS=windows GOARCH=amd64;go build -o CreateThreadNative.exe .\\cmd\\CreateThreadNative\\main.go<\/strong><\/code><\/p>\n\n\n\n

<\/a>EarlyBird<\/strong><\/p>\n\n\n\n

The application leverages the Windows CreateProcess function to create a process in a suspended state. Once the child process is suspended, the Windows QueueUserAPC function is used to add a UserAPC to the child process that points to the allocate shellcode. Next, ResumeThread is called, which subsequently calls the undocumented NtTestAlert function that will execute the created UserAPC and in turn the shellcode. This is usefull because the shellcode will execute before AV\/EDR can hook functions to support detection. Reference New ‘Early Bird’ Code Injection Technique Discovered. The application can be compiled with the following command on Windows host from the project’s root directory:<\/p>\n\n\n\n

export GOOS=windows GOARCH=amd64;go build -o goEarlyBird.exe cmd\\EarlyBird\\main.go<\/strong><\/code><\/p>\n\n\n\n

<\/a>EtwpCreateEtwThread<\/strong><\/p>\n\n\n\n

This application leverages the Windows EtwpCreateEtwThread function from ntdll.dll<\/strong><\/code> to execute shellcode within this application’s process. Original work by TheWover. This is usefull when you want to avoid remote process injection. This application DOES NOT<\/strong> leverage functions from the golang.org\/x\/sys\/windows<\/strong><\/code> package. The most significant difference is that this application loads all the necessary DLLs and Procedures itself and uses the procedure’s Call() function. The application can be compiled with the following command on a Windows host from the project’s root directory:<\/p>\n\n\n\n

set GOOS=windows GOARCH=amd64;go build -o EtwpCreateEtwThread.exe .\\cmd\\EtwpCreateEtwThread\\main.go<\/strong><\/code><\/p>\n\n\n\n

<\/a>NtQueueApcThreadEx (local)<\/strong><\/p>\n\n\n\n

This application uses the undocumented NtQueueApcThreadEx to create a “Special User APC” in the current thread of the current process to execute shellcode. Because the shellcode is loaded and executed in the current process, it is “local”. This same technique can be used for a remote process. NOTE:<\/em> This will only work on Windows 7 or later. Reference APC Series: User APC API.<\/p>\n\n\n\n

export GOOS=windows GOARCH=amd64;go build -o goNtQueueApcThreadEx-Local.exe cmd\\NtQueueApcThreadEx-Local\\main.go<\/strong><\/code><\/p>\n\n\n\n

<\/a>RtlCreateUserThread<\/strong><\/p>\n\n\n\n

This application leverages the Windows RtlCreateUserThread function from ntdll.dll<\/strong><\/code> to execute shellocde in a remote process. The application requires that the target process to inject into is already running. The targe Process Identifier (PID) can provided at runtime for testing using the -pid<\/strong><\/code> command line flag. Hardcode the PID in the following line of code for operational use by replacing the 0<\/code> with your target PID:<\/p>\n\n\n\n

pid := flag.Int(\"pid\", 0, \"Process ID to inject shellcode into\")<\/strong><\/code><\/p>\n\n\n\n

This application DOES NOT<\/strong> leverage functions from the golang.org\/x\/sys\/windows<\/strong><\/code> package. The most significant difference is that this application loads all the necessary DLLs and Procedures itself and uses the procedure’s Call() function. The application can be compiled with the following command on a Windows host from the project’s root directory:<\/p>\n\n\n\n

set GOOS=windows GOARCH=amd64;go build -o RtlCreateUserThread.exe .\\cmd\\RtlCreateUserThread\\main.go<\/strong><\/code><\/p>\n\n\n\n

<\/a>Syscall<\/strong><\/p>\n\n\n\n

This application executes Shellcode in the current running proccess by making a Syscall on the Shellcode’s entry point. This application DOES NOT<\/strong> leverage functions from the golang.org\/x\/sys\/windows<\/code> <\/strong>package. The application can be compiled with the following command on a Windows host from the project’s root directory:<\/p>\n\n\n\n

set GOOS=windows GOARCH=amd64;go build -o Syscall.exe .\\cmd\\Syscall\\main.go<\/strong><\/code><\/p>\n\n\n\n

<\/a>UuidFromStringA<\/strong><\/p>\n\n\n\n

This application leverages the Windows UuidFromStringA function to load shellcode to a memory address and then calls the EnumSystemLocalesA function to execute the shellcode. This method of loading and executing shellcode was derived from nccgroup’s RIFT: Analysing a Lazarus Shellcode Execution Method. For this application, memory is allocated on the heap and it does not use VirtualAlloc. The application can be compiled with the following command on a Windows host from the project’s root directory:<\/p>\n\n\n\n

set GOOS=windows GOARCH=amd64;go build -o UuidFromString.exe .\\cmd\\UuidFromString\\main.go<\/strong><\/code><\/p>\n\n\n\n

<\/a>ShellcodeUtils<\/strong><\/p>\n\n\n\n

This application is used to transform shellcode binary files. The program depends that the input file is a binary file (.bin) that contains the hex bytes of the shellcode. ShellcodeUtils can just base64 encode your input file or it can XOR, RC4, or AES256-GCM encrypt it. The tools can also be used to decrypt files as well.<\/p>\n\n\n\n

ShellcodeUtils help menu:<\/p>\n\n\n\n

-base64
Base64 encode the output. Can be used with or without encryption
-i string
Input file path of binary file
-key string
Encryption key
-mode string
Mode of operation to perform on the input file encrypt,decrypt<\/a>
-nonce string
Nonce, in hex, used to decrypt an AES256 input file. Only used during decryption
-o string
Output file path
-salt string
Salt, in hex, used to generate an AES256 32-byte key through Argon2. Only used during decryption
-type string
The type of encryption to use [xor, aes256, rc4, null]
-v Enable verbose output<\/strong><\/p>\n\n\n\n

Example of only Base64 encoding the input file and saving it a text file:<\/p>\n\n\n\n

PS C:\\Users\\bob> .\\ShellcodeUtils.exe -i C:\\Users\\bob\\calc.bin -o C:\\Users\\bob\\calc.b64.txt -base64 -v
[-]Output directory: C:\\Users\\bob\\
[-]Output file name: calc.b64.txt
[-]File contents (hex): 505152535657556a605a6863616c6354594883ec2865488b32488b7618488b761048ad488b30488b7e3003573c8b5c17288b741f204801fe8b541f240fb72c178d5202ad813c0757696e4575ef8b741f1c4801fe8b34ae4801f799ffd74883c4305d5f5e5b5a5958c3
[-]No encryption type provided, continuing on\u2026
[+]Output (string):
UFFSU1ZXVWpgWmhjYWxjVFlIg+woZUiLMkiLdhhIi3YQSK1IizBIi34wA1c8i1wXKIt0HyBIAf6LVB8kD7csF41SAq2BPAdXaW5Fde+LdB8cSAH+izSuSAH3mf\/XSIPEMF1fXltaWVjD
[+] encrypt input and wrote 140 bytes to: C:\\Users\\bob\\calc.b64.txt<\/strong><\/p>\n\n\n\n

Example XOR encrypting input file with a key of Sh3!1z<\/strong><\/code> AND base64 encoding the output:<\/p>\n\n\n\n

PS C:\\Users\\bob> .\\ShellcodeUtils.exe -i C:\\Users\\bob\\calc.bin -o C:\\Users\\bob\\calc.xor.b64.txt -mode encrypt -type xor -key Sh3!1z -v
[-]Output directory: C:\\Users\\bob\\
[-]Output file name: calc.xor.b64.txt
[-]File contents (hex): 505152535657556a605a6863616c6354594883ec2865488b32488b7618488b761048ad488b30488b7e3003573c8b5c17288b741f204801fe8b541f240fb72c178d5202ad813c0757696e4575ef8b741f1c4801fe8b34ae4801f799ffd74883c4305d5f5e5b5a5958c3
[-]XOR encrypting input file with key: Sh3!1z
[+]Output (hex):
03396172672d0602537b5919320450756832d0841b4479f16120b8572932d81e23699c32d8587baa4f4a503f0faa6d6d7be3473e11325296b8752e5e5cdf1f36bc2851c5b21d362d3a067654def127772f693084d85c9d69308dca97e469b2be63356c7f6a200a30f0
[+]xor encrypt input and wrote 105 bytes to: C:\\Users\\bob\\calc.xor.b64.txt<\/strong><\/p>\n\n\n\n

Example AES256-GCM encrypting the input file with a password of Sh3!1z<\/strong><\/code> WITHOUT base64 encoding the ouput:<\/p>\n\n\n\n

PS C:\\Users\\bob> .\\ShellcodeUtils.exe -i C:\\Users\\bob\\calc.bin -o C:\\Users\\bob\\calc.aes.bin -mode encrypt -type aes256 -key Sh3!1z -v
[-]Output directory: C:\\Users\\bob\\
[-]Output file name: calc.aes.bin
[-]File contents (hex): 505152535657556a605a6863616c6354594883ec2865488b32488b7618488b761048ad488b30488b7e3003573c8b5c17288b741f204801fe8b541f240fb72c178d5202ad813c0757696e4575ef8b741f1c4801fe8b34ae4801f799ffd74883c4305d5f5e5b5a5958c3
[-]AES256 encrypting input file
[+]Argon2 salt (hex): db6126d3ac640f8aaa67cda74b8cf1d2c54513db7bf4fbe3422d1b276af1367e
[+]AES256 key (32-bytes) derived from input password Sh3!1z (hex): 096a40f1aef38dd9b5d63284acc19727c4420dd98f21ea052112bef63eb7d94a
[+]AES256 nonce (hex): 13802153c4b2fb6a3e545ff4
[+]Output (hex):
44a974233e37b460dc2181b16846f265e8e3a07959abf9c8760f7d0ac8029575e67571ea5b313bc8b011739db57c690ec156a4b0bba4e4d632c35c1490aeaac24f5ae05e90934adf57798ee3c702a3c27073fe976fbcc6ee5db355da186c1add58913e41a8c5716a0fcfc27371f0cae906e50e680366496a00
[+]aes256 encrypt input and wrote 121 bytes to: C:\\Users\\bob\\calc.aes.bin<\/strong><\/p>\n\n\n\n

AES256 requires a 32-byte key. This program uses the Argon2 ID algorithm to take the password provided with the -key<\/code> input paramter to derive a 32-byte key while using a randomly generate salt. You will need the same input password and the salt used with the Argon2 algorithm and the same nonce used with the AES256 algorithm to successfull decrypt the file. Alternatively, the decryption function could<\/em> be updated to just use the 32-byte Argon2 key instead of the input password and salt.<\/p>\n\n\n\n

NOTE:<\/strong> It is up to the operator to decide to just use the generated Argon2 key or to use the password and salt that are used to generate the password.<\/p>\n\n\n\n

Example AES256 decrypting the input file:<\/p>\n\n\n\n

PS C:\\Users\\bob> .\\ShellcodeUtils.exe -i C:\\Users\\bob\\calc.aes.bin -o C:\\Users\\bob\\calc.aes.decrypted.bin -mode decrypt -type aes256 -key Sh3!1z -nonce 13802153c4b2fb6a3e545ff4 -salt db6126d3ac640f8aaa67cda74b8cf1d2c54513db7bf4fbe3422d1b276af1367e -v
[-]Output directory: C:\\Users\\bob\\
[-]Output file name: calc.aes.decrypted.bin
[-]File contents (hex): 44a974233e37b460dc2181b16846f265e8e3a07959abf9c8760f7d0ac8029575e67571ea5b313bc8b011739db57c690ec156a4b0bba4e4d632c35c1490aeaac24f5ae05e90934adf57798ee3c702a3c27073fe976fbcc6ee5db355da186c1add58913e41a8c5716a0fcfc27371f0cae906e50e680366496a00
[-]AES256 decrypting input file
[-]Argon2 salt (hex): db6126d3ac640f8aaa67cda74b8cf1d2c54513db7bf4fbe3422d1b276af1367e
[-]AES256 key (hex): 096a40f1aef38dd9b5d63284acc19727c4420dd98f21ea052112bef63eb7d94a
[-]AES256 nonce (hex): 13802153c4b2fb6a3e545ff4
[+]Output (hex):
505152535657556a605a6863616c6354594883ec2865488b32488b7618488b761048ad488b30488b7e3003573c8b5c17288b741f204801fe8b541f240fb72c178d5202ad813c0757696e4575ef8b741f1c4801fe8b34ae4801f799ffd74883c4305d5f5e5b5a5958c3
[+]aes256 decrypt input and wrote 105 bytes to: C:\\Users\\bob\\calc.aes.decrypted.bin<\/strong><\/p>\n\n\n\n

The application can be compiled with the following command on a Windows host from the project’s root directory:<\/p>\n\n\n\n

set GOOS=windows GOARCH=amd64;go build -o ShellcodeUtils.exe .\\cmd\\ShellcodeUtils\\main.go<\/strong><\/code><\/p>\n\n\n\n

<\/div>\n","protected":false},"excerpt":{"rendered":"

Go-Shellcode is a repository of Windows Shellcode runners and supporting utilities. The applications load and execute Shellcode using various API calls or techniques. The available Shellcode runners include: CreateFiber This application leverages the Windows CreateFiber function from the Kernel32.dll to execute shellcode within this application’s process. This is usefull when you want to avoid remote process injection and want to […]<\/p>\n","protected":false},"author":4,"featured_media":15686,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/1.bp.blogspot.com\/-GK6r9MEDewk\/YQ9sHA0jNgI\/AAAAAAAAKZM\/GyafsSRa-gERUteb7tbXbDA2zXp7r9ziQCLcBGAsYHQ\/s728\/Go-Shellcode%2B%25281%2529.png","fifu_image_alt":"Go-Shellcode : A Repository Of Windows Shellcode Runners And Supporting Utilities","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[28],"tags":[3990,2816,3991,3992],"class_list":["post-17466","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-kali","tag-go-shellcode","tag-repository","tag-supporting-utilities","tag-windows-shellcode-runners"],"yoast_head":"\nGo-Shellcode : A Repository Of W S R And Supporting Utilities.<\/title>\n<meta name=\"description\" content=\"Go-Shellcode is a repository of Windows Shellcode runners and supporting utilities. The applications load and execute Shellcode using various API calls or techniques.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/kalilinuxtutorials.com\/go-shellcode\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Go-Shellcode : A Repository Of W S R And Supporting Utilities.\" \/>\n<meta property=\"og:description\" content=\"Go-Shellcode is a repository of Windows Shellcode runners and supporting utilities. The applications load and execute Shellcode using various API calls or techniques.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/kalilinuxtutorials.com\/go-shellcode\/\" \/>\n<meta property=\"og:site_name\" content=\"Kali Linux Tutorials\" \/>\n<meta property=\"article:published_time\" content=\"2021-08-11T14:12:24+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/1.bp.blogspot.com\/-GK6r9MEDewk\/YQ9sHA0jNgI\/AAAAAAAAKZM\/GyafsSRa-gERUteb7tbXbDA2zXp7r9ziQCLcBGAsYHQ\/s728\/Go-Shellcode%2B%25281%2529.png\" \/><meta property=\"og:image\" content=\"https:\/\/1.bp.blogspot.com\/-GK6r9MEDewk\/YQ9sHA0jNgI\/AAAAAAAAKZM\/GyafsSRa-gERUteb7tbXbDA2zXp7r9ziQCLcBGAsYHQ\/s728\/Go-Shellcode%2B%25281%2529.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1\" \/>\n\t<meta property=\"og:image:height\" content=\"1\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"R K\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/1.bp.blogspot.com\/-GK6r9MEDewk\/YQ9sHA0jNgI\/AAAAAAAAKZM\/GyafsSRa-gERUteb7tbXbDA2zXp7r9ziQCLcBGAsYHQ\/s728\/Go-Shellcode%2B%25281%2529.png\" \/>\n<meta name=\"twitter:creator\" content=\"@CyberEdition\" \/>\n<meta name=\"twitter:site\" content=\"@CyberEdition\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"R K\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"9 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/go-shellcode\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/go-shellcode\/\"},\"author\":{\"name\":\"R K\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/#\/schema\/person\/69444b58b9e267a4cf08fceb34b6f6ad\"},\"headline\":\"Go-Shellcode : A Repository Of Windows Shellcode Runners And Supporting Utilities\",\"datePublished\":\"2021-08-11T14:12:24+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/go-shellcode\/\"},\"wordCount\":2453,\"publisher\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/go-shellcode\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/1.bp.blogspot.com\/-1yLc5idIQ8I\/XS_nnJvqyuI\/AAAAAAAABZY\/2awztfABrBIzKgblOYmi5s7gWtXZeJvpACLcBGAs\/s1600\/RedGhost.PNG\",\"keywords\":[\"Go-Shellcode\",\"Repository\",\"Supporting Utilities\",\"Windows Shellcode Runners\"],\"articleSection\":[\"Kali Linux\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/go-shellcode\/\",\"url\":\"https:\/\/kalilinuxtutorials.com\/go-shellcode\/\",\"name\":\"Go-Shellcode : A Repository Of W S R And Supporting Utilities.\",\"isPartOf\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/go-shellcode\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/go-shellcode\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/1.bp.blogspot.com\/-1yLc5idIQ8I\/XS_nnJvqyuI\/AAAAAAAABZY\/2awztfABrBIzKgblOYmi5s7gWtXZeJvpACLcBGAs\/s1600\/RedGhost.PNG\",\"datePublished\":\"2021-08-11T14:12:24+00:00\",\"description\":\"Go-Shellcode is a repository of Windows Shellcode runners and supporting utilities. The applications load and execute Shellcode using various API calls or techniques.\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/kalilinuxtutorials.com\/go-shellcode\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/go-shellcode\/#primaryimage\",\"url\":\"https:\/\/1.bp.blogspot.com\/-1yLc5idIQ8I\/XS_nnJvqyuI\/AAAAAAAABZY\/2awztfABrBIzKgblOYmi5s7gWtXZeJvpACLcBGAs\/s1600\/RedGhost.PNG\",\"contentUrl\":\"https:\/\/1.bp.blogspot.com\/-1yLc5idIQ8I\/XS_nnJvqyuI\/AAAAAAAABZY\/2awztfABrBIzKgblOYmi5s7gWtXZeJvpACLcBGAs\/s1600\/RedGhost.PNG\"},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/#website\",\"url\":\"https:\/\/kalilinuxtutorials.com\/\",\"name\":\"Kali Linux Tutorials\",\"description\":\"Kali Linux Tutorials\",\"publisher\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/kalilinuxtutorials.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/#organization\",\"name\":\"Kali Linux Tutorials\",\"url\":\"https:\/\/kalilinuxtutorials.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/07\/Kali.png\",\"contentUrl\":\"https:\/\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/07\/Kali.png\",\"width\":272,\"height\":90,\"caption\":\"Kali Linux Tutorials\"},\"image\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/x.com\/CyberEdition\",\"https:\/\/www.threads.com\/@cybersecurityedition\",\"https:\/\/www.linkedin.com\/company\/cyberedition\",\"https:\/\/www.instagram.com\/cybersecurityedition\/\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/#\/schema\/person\/69444b58b9e267a4cf08fceb34b6f6ad\",\"name\":\"R K\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/d3937c9687f2da11bc0a716404ff91779fe19ca115208dbf66167ad353aca5aa?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/d3937c9687f2da11bc0a716404ff91779fe19ca115208dbf66167ad353aca5aa?s=96&d=mm&r=g\",\"caption\":\"R K\"},\"url\":\"https:\/\/kalilinuxtutorials.com\/author\/ranjith\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Go-Shellcode : A Repository Of W S R And Supporting Utilities.","description":"Go-Shellcode is a repository of Windows Shellcode runners and supporting utilities. The applications load and execute Shellcode using various API calls or techniques.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/kalilinuxtutorials.com\/go-shellcode\/","og_locale":"en_US","og_type":"article","og_title":"Go-Shellcode : A Repository Of W S R And Supporting Utilities.","og_description":"Go-Shellcode is a repository of Windows Shellcode runners and supporting utilities. The applications load and execute Shellcode using various API calls or techniques.","og_url":"https:\/\/kalilinuxtutorials.com\/go-shellcode\/","og_site_name":"Kali Linux Tutorials","article_published_time":"2021-08-11T14:12:24+00:00","og_image":[{"url":"https:\/\/1.bp.blogspot.com\/-GK6r9MEDewk\/YQ9sHA0jNgI\/AAAAAAAAKZM\/GyafsSRa-gERUteb7tbXbDA2zXp7r9ziQCLcBGAsYHQ\/s728\/Go-Shellcode%2B%25281%2529.png","type":"","width":"","height":""},{"url":"https:\/\/1.bp.blogspot.com\/-GK6r9MEDewk\/YQ9sHA0jNgI\/AAAAAAAAKZM\/GyafsSRa-gERUteb7tbXbDA2zXp7r9ziQCLcBGAsYHQ\/s728\/Go-Shellcode%2B%25281%2529.png","width":1,"height":1,"type":"image\/jpeg"}],"author":"R K","twitter_card":"summary_large_image","twitter_image":"https:\/\/1.bp.blogspot.com\/-GK6r9MEDewk\/YQ9sHA0jNgI\/AAAAAAAAKZM\/GyafsSRa-gERUteb7tbXbDA2zXp7r9ziQCLcBGAsYHQ\/s728\/Go-Shellcode%2B%25281%2529.png","twitter_creator":"@CyberEdition","twitter_site":"@CyberEdition","twitter_misc":{"Written by":"R K","Est. reading time":"9 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/kalilinuxtutorials.com\/go-shellcode\/#article","isPartOf":{"@id":"https:\/\/kalilinuxtutorials.com\/go-shellcode\/"},"author":{"name":"R K","@id":"https:\/\/kalilinuxtutorials.com\/#\/schema\/person\/69444b58b9e267a4cf08fceb34b6f6ad"},"headline":"Go-Shellcode : A Repository Of Windows Shellcode Runners And Supporting Utilities","datePublished":"2021-08-11T14:12:24+00:00","mainEntityOfPage":{"@id":"https:\/\/kalilinuxtutorials.com\/go-shellcode\/"},"wordCount":2453,"publisher":{"@id":"https:\/\/kalilinuxtutorials.com\/#organization"},"image":{"@id":"https:\/\/kalilinuxtutorials.com\/go-shellcode\/#primaryimage"},"thumbnailUrl":"https:\/\/1.bp.blogspot.com\/-1yLc5idIQ8I\/XS_nnJvqyuI\/AAAAAAAABZY\/2awztfABrBIzKgblOYmi5s7gWtXZeJvpACLcBGAs\/s1600\/RedGhost.PNG","keywords":["Go-Shellcode","Repository","Supporting Utilities","Windows Shellcode Runners"],"articleSection":["Kali Linux"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/kalilinuxtutorials.com\/go-shellcode\/","url":"https:\/\/kalilinuxtutorials.com\/go-shellcode\/","name":"Go-Shellcode : A Repository Of W S R And Supporting Utilities.","isPartOf":{"@id":"https:\/\/kalilinuxtutorials.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/kalilinuxtutorials.com\/go-shellcode\/#primaryimage"},"image":{"@id":"https:\/\/kalilinuxtutorials.com\/go-shellcode\/#primaryimage"},"thumbnailUrl":"https:\/\/1.bp.blogspot.com\/-1yLc5idIQ8I\/XS_nnJvqyuI\/AAAAAAAABZY\/2awztfABrBIzKgblOYmi5s7gWtXZeJvpACLcBGAs\/s1600\/RedGhost.PNG","datePublished":"2021-08-11T14:12:24+00:00","description":"Go-Shellcode is a repository of Windows Shellcode runners and supporting utilities. The applications load and execute Shellcode using various API calls or techniques.","inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/kalilinuxtutorials.com\/go-shellcode\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/kalilinuxtutorials.com\/go-shellcode\/#primaryimage","url":"https:\/\/1.bp.blogspot.com\/-1yLc5idIQ8I\/XS_nnJvqyuI\/AAAAAAAABZY\/2awztfABrBIzKgblOYmi5s7gWtXZeJvpACLcBGAs\/s1600\/RedGhost.PNG","contentUrl":"https:\/\/1.bp.blogspot.com\/-1yLc5idIQ8I\/XS_nnJvqyuI\/AAAAAAAABZY\/2awztfABrBIzKgblOYmi5s7gWtXZeJvpACLcBGAs\/s1600\/RedGhost.PNG"},{"@type":"WebSite","@id":"https:\/\/kalilinuxtutorials.com\/#website","url":"https:\/\/kalilinuxtutorials.com\/","name":"Kali Linux Tutorials","description":"Kali Linux Tutorials","publisher":{"@id":"https:\/\/kalilinuxtutorials.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/kalilinuxtutorials.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/kalilinuxtutorials.com\/#organization","name":"Kali Linux Tutorials","url":"https:\/\/kalilinuxtutorials.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/kalilinuxtutorials.com\/#\/schema\/logo\/image\/","url":"https:\/\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/07\/Kali.png","contentUrl":"https:\/\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/07\/Kali.png","width":272,"height":90,"caption":"Kali Linux Tutorials"},"image":{"@id":"https:\/\/kalilinuxtutorials.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/CyberEdition","https:\/\/www.threads.com\/@cybersecurityedition","https:\/\/www.linkedin.com\/company\/cyberedition","https:\/\/www.instagram.com\/cybersecurityedition\/"]},{"@type":"Person","@id":"https:\/\/kalilinuxtutorials.com\/#\/schema\/person\/69444b58b9e267a4cf08fceb34b6f6ad","name":"R K","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/kalilinuxtutorials.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/d3937c9687f2da11bc0a716404ff91779fe19ca115208dbf66167ad353aca5aa?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d3937c9687f2da11bc0a716404ff91779fe19ca115208dbf66167ad353aca5aa?s=96&d=mm&r=g","caption":"R K"},"url":"https:\/\/kalilinuxtutorials.com\/author\/ranjith\/"}]}},"jetpack_featured_media_url":"https:\/\/1.bp.blogspot.com\/-1yLc5idIQ8I\/XS_nnJvqyuI\/AAAAAAAABZY\/2awztfABrBIzKgblOYmi5s7gWtXZeJvpACLcBGAs\/s1600\/RedGhost.PNG","jetpack_sharing_enabled":true,"jetpack-related-posts":[{"id":35685,"url":"https:\/\/kalilinuxtutorials.com\/rwx_memory_hunt_and_injection_dv\/","url_meta":{"origin":17466,"position":0},"title":"RWX_MEMORY_HUNT_AND_INJECTION_DV : Exploiting OneDrive.exe To Inject Shellcode Without New RWX Allocations","author":"Varshini","date":"January 13, 2025","format":false,"excerpt":"Abusing Windows fork API and OneDrive.exe process to inject the malicious shellcode without allocating new RWX memory region. This technique is finding RWX region in already running processes in this case OneDrive.exe and Write shellcode into that region and execute it without calling VirtualProtect, VirtualAllocEx, VirtualAlloc. Usage Just compile the\u2026","rel":"","context":"In "Exploitation Tools"","block_context":{"text":"Exploitation Tools","link":"https:\/\/kalilinuxtutorials.com\/category\/et\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/01\/RWX_MEMORY_HUNT_AND_INJECTION_DV-.webp?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/01\/RWX_MEMORY_HUNT_AND_INJECTION_DV-.webp?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/01\/RWX_MEMORY_HUNT_AND_INJECTION_DV-.webp?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/01\/RWX_MEMORY_HUNT_AND_INJECTION_DV-.webp?resize=700%2C400&ssl=1 2x, https:\/\/i0.wp.com\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/01\/RWX_MEMORY_HUNT_AND_INJECTION_DV-.webp?resize=1050%2C600&ssl=1 3x, https:\/\/i0.wp.com\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/01\/RWX_MEMORY_HUNT_AND_INJECTION_DV-.webp?resize=1400%2C800&ssl=1 4x"},"classes":[]},{"id":36045,"url":"https:\/\/kalilinuxtutorials.com\/relocatable\/","url_meta":{"origin":17466,"position":1},"title":"Relocatable : A Tool For Position Independent Code","author":"Varshini","date":"February 4, 2025","format":false,"excerpt":"Relocatable is an innovative tool designed to simplify the creation of Position Independent Code (PIC) in C. This tool enables developers to write C code that is directly compiled into raw shellcode, which can be loaded into any process without requiring external utilities like Donut or sRDI. The result is\u2026","rel":"","context":"In "Exploitation Tools"","block_context":{"text":"Exploitation Tools","link":"https:\/\/kalilinuxtutorials.com\/category\/et\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/02\/Relocatable.webp?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/02\/Relocatable.webp?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/02\/Relocatable.webp?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/02\/Relocatable.webp?resize=700%2C400&ssl=1 2x, https:\/\/i0.wp.com\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/02\/Relocatable.webp?resize=1050%2C600&ssl=1 3x, https:\/\/i0.wp.com\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/02\/Relocatable.webp?resize=1400%2C800&ssl=1 4x"},"classes":[]},{"id":30515,"url":"https:\/\/kalilinuxtutorials.com\/mshikaki-advanced-shellcode-injection-tool-for-bypassing-amsi\/","url_meta":{"origin":17466,"position":2},"title":"Mshikaki – Advanced Shellcode Injection Tool for Bypassing AMSI","author":"Varshini","date":"September 28, 2023","format":false,"excerpt":"\"Mshikaki - kebab (skewered meat, especially beef)\" yum yum. In the realm of cybersecurity, stealth and efficiency are paramount. Enter 'Mshikaki', an advanced shellcode injection tool that stands out for its ability to seamlessly bypass the Antimalware Scan Interface (AMSI). Designed for both security researchers and penetration testers, Mshikaki ensures\u2026","rel":"","context":"In "Exploitation Tools"","block_context":{"text":"Exploitation Tools","link":"https:\/\/kalilinuxtutorials.com\/category\/et\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgHRUlpukkWuIS4Cl7tOs22eiYHfgYkgGdWH9d9RLBdAvYbCdFHPsS1WzfCbPDwhb5IVu8PF-ivPcenQbhavFTr5z1zghngDR6zRlqbegf7IGBISE7w0ubQHEwHgwp1Oa8zWFpCl4ojqakrj3D2Jo-lhinIjuNrpAmhUHt0Z_LcfnFiGmR5bvW8iwZy4g\/s16000\/mshikaki.webp?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgHRUlpukkWuIS4Cl7tOs22eiYHfgYkgGdWH9d9RLBdAvYbCdFHPsS1WzfCbPDwhb5IVu8PF-ivPcenQbhavFTr5z1zghngDR6zRlqbegf7IGBISE7w0ubQHEwHgwp1Oa8zWFpCl4ojqakrj3D2Jo-lhinIjuNrpAmhUHt0Z_LcfnFiGmR5bvW8iwZy4g\/s16000\/mshikaki.webp?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgHRUlpukkWuIS4Cl7tOs22eiYHfgYkgGdWH9d9RLBdAvYbCdFHPsS1WzfCbPDwhb5IVu8PF-ivPcenQbhavFTr5z1zghngDR6zRlqbegf7IGBISE7w0ubQHEwHgwp1Oa8zWFpCl4ojqakrj3D2Jo-lhinIjuNrpAmhUHt0Z_LcfnFiGmR5bvW8iwZy4g\/s16000\/mshikaki.webp?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgHRUlpukkWuIS4Cl7tOs22eiYHfgYkgGdWH9d9RLBdAvYbCdFHPsS1WzfCbPDwhb5IVu8PF-ivPcenQbhavFTr5z1zghngDR6zRlqbegf7IGBISE7w0ubQHEwHgwp1Oa8zWFpCl4ojqakrj3D2Jo-lhinIjuNrpAmhUHt0Z_LcfnFiGmR5bvW8iwZy4g\/s16000\/mshikaki.webp?resize=700%2C400&ssl=1 2x, https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgHRUlpukkWuIS4Cl7tOs22eiYHfgYkgGdWH9d9RLBdAvYbCdFHPsS1WzfCbPDwhb5IVu8PF-ivPcenQbhavFTr5z1zghngDR6zRlqbegf7IGBISE7w0ubQHEwHgwp1Oa8zWFpCl4ojqakrj3D2Jo-lhinIjuNrpAmhUHt0Z_LcfnFiGmR5bvW8iwZy4g\/s16000\/mshikaki.webp?resize=1050%2C600&ssl=1 3x, https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgHRUlpukkWuIS4Cl7tOs22eiYHfgYkgGdWH9d9RLBdAvYbCdFHPsS1WzfCbPDwhb5IVu8PF-ivPcenQbhavFTr5z1zghngDR6zRlqbegf7IGBISE7w0ubQHEwHgwp1Oa8zWFpCl4ojqakrj3D2Jo-lhinIjuNrpAmhUHt0Z_LcfnFiGmR5bvW8iwZy4g\/s16000\/mshikaki.webp?resize=1400%2C800&ssl=1 4x"},"classes":[]},{"id":21766,"url":"https:\/\/kalilinuxtutorials.com\/jektor\/","url_meta":{"origin":17466,"position":3},"title":"Jektor : A Windows User-Mode Shellcode Execution Tool That Demonstrates Various Techniques That Malware Uses","author":"R K","date":"February 14, 2022","format":false,"excerpt":"Jektor utility focuses on shellcode injection techniques to demonstrate methods that malware may use to execute shellcode on a victim system \u00a0Dynamically resolves API functions to evade IAT inclusion\u00a0Includes usage of undocumented NT Windows API functions\u00a0Supports local shellcode execution via CreateThread\u00a0Supports remote shellcode execution via CreateRemoteThread\u00a0Supports local shellcode injection via\u2026","rel":"","context":"In "Kali Linux"","block_context":{"text":"Kali Linux","link":"https:\/\/kalilinuxtutorials.com\/category\/kali\/"},"img":{"alt_text":"","src":"https:\/\/blogger.googleusercontent.com\/img\/a\/AVvXsEh16vEZ6PH-I-ZrsBFnWcCoddD1_0xRZcFAcs-XGffqVnINIl9AnvBH477KhNWOJPBCVL_mzVIZjDIx7lkkvPnRWDK2KIfYhKDw4zVu1xaiquW79Rw06fJZ_09pPTLl6UW-vMAz_ZwZbwt8R4HzbJU3qTkQAws20XD0IC7yoERPYm21Xkf1e3PH8jYs=s1706","width":350,"height":200,"srcset":"https:\/\/blogger.googleusercontent.com\/img\/a\/AVvXsEh16vEZ6PH-I-ZrsBFnWcCoddD1_0xRZcFAcs-XGffqVnINIl9AnvBH477KhNWOJPBCVL_mzVIZjDIx7lkkvPnRWDK2KIfYhKDw4zVu1xaiquW79Rw06fJZ_09pPTLl6UW-vMAz_ZwZbwt8R4HzbJU3qTkQAws20XD0IC7yoERPYm21Xkf1e3PH8jYs=s1706 1x, https:\/\/blogger.googleusercontent.com\/img\/a\/AVvXsEh16vEZ6PH-I-ZrsBFnWcCoddD1_0xRZcFAcs-XGffqVnINIl9AnvBH477KhNWOJPBCVL_mzVIZjDIx7lkkvPnRWDK2KIfYhKDw4zVu1xaiquW79Rw06fJZ_09pPTLl6UW-vMAz_ZwZbwt8R4HzbJU3qTkQAws20XD0IC7yoERPYm21Xkf1e3PH8jYs=s1706 1.5x, https:\/\/blogger.googleusercontent.com\/img\/a\/AVvXsEh16vEZ6PH-I-ZrsBFnWcCoddD1_0xRZcFAcs-XGffqVnINIl9AnvBH477KhNWOJPBCVL_mzVIZjDIx7lkkvPnRWDK2KIfYhKDw4zVu1xaiquW79Rw06fJZ_09pPTLl6UW-vMAz_ZwZbwt8R4HzbJU3qTkQAws20XD0IC7yoERPYm21Xkf1e3PH8jYs=s1706 2x, https:\/\/blogger.googleusercontent.com\/img\/a\/AVvXsEh16vEZ6PH-I-ZrsBFnWcCoddD1_0xRZcFAcs-XGffqVnINIl9AnvBH477KhNWOJPBCVL_mzVIZjDIx7lkkvPnRWDK2KIfYhKDw4zVu1xaiquW79Rw06fJZ_09pPTLl6UW-vMAz_ZwZbwt8R4HzbJU3qTkQAws20XD0IC7yoERPYm21Xkf1e3PH8jYs=s1706 3x, https:\/\/blogger.googleusercontent.com\/img\/a\/AVvXsEh16vEZ6PH-I-ZrsBFnWcCoddD1_0xRZcFAcs-XGffqVnINIl9AnvBH477KhNWOJPBCVL_mzVIZjDIx7lkkvPnRWDK2KIfYhKDw4zVu1xaiquW79Rw06fJZ_09pPTLl6UW-vMAz_ZwZbwt8R4HzbJU3qTkQAws20XD0IC7yoERPYm21Xkf1e3PH8jYs=s1706 4x"},"classes":[]},{"id":34639,"url":"https:\/\/kalilinuxtutorials.com\/rs-shellcode\/","url_meta":{"origin":17466,"position":4},"title":"RS-Shellcode : A Comprehensive Guide To Shellcode Execution With Rust","author":"Varshini","date":"August 29, 2024","format":false,"excerpt":"Dive into the world of cybersecurity with \"RS-Shellcode,\" a robust shellcode runner crafted in Rust. This tool leverages the windows-rs library to efficiently execute shellcode on Windows platforms. Ideal for security researchers and penetration testers, RS-Shellcode simplifies the process of testing and debugging shellcode, enhancing your exploitation toolkit. A shellcode\u2026","rel":"","context":"In "Exploitation Tools"","block_context":{"text":"Exploitation Tools","link":"https:\/\/kalilinuxtutorials.com\/category\/et\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEga1U2aZI3YoGmmxzTeHfCF8U562qVAuIVa7zWoASRmrsoNnA4AemZz2CMaLKtoA3XXmzZOFLdQ3takwf0lIYRmRH19Vtm7KdrMZxDyaeHNGF6nZM4lpMFC52xGHtuYjdjSYV0gt2ql2K6gdA-Chl5aFUkbXpUFA3-L_Yco6E6LcdHzFikHXzn1tjm4qdP2\/s16000\/RS-Shellcode.webp?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEga1U2aZI3YoGmmxzTeHfCF8U562qVAuIVa7zWoASRmrsoNnA4AemZz2CMaLKtoA3XXmzZOFLdQ3takwf0lIYRmRH19Vtm7KdrMZxDyaeHNGF6nZM4lpMFC52xGHtuYjdjSYV0gt2ql2K6gdA-Chl5aFUkbXpUFA3-L_Yco6E6LcdHzFikHXzn1tjm4qdP2\/s16000\/RS-Shellcode.webp?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEga1U2aZI3YoGmmxzTeHfCF8U562qVAuIVa7zWoASRmrsoNnA4AemZz2CMaLKtoA3XXmzZOFLdQ3takwf0lIYRmRH19Vtm7KdrMZxDyaeHNGF6nZM4lpMFC52xGHtuYjdjSYV0gt2ql2K6gdA-Chl5aFUkbXpUFA3-L_Yco6E6LcdHzFikHXzn1tjm4qdP2\/s16000\/RS-Shellcode.webp?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEga1U2aZI3YoGmmxzTeHfCF8U562qVAuIVa7zWoASRmrsoNnA4AemZz2CMaLKtoA3XXmzZOFLdQ3takwf0lIYRmRH19Vtm7KdrMZxDyaeHNGF6nZM4lpMFC52xGHtuYjdjSYV0gt2ql2K6gdA-Chl5aFUkbXpUFA3-L_Yco6E6LcdHzFikHXzn1tjm4qdP2\/s16000\/RS-Shellcode.webp?resize=700%2C400&ssl=1 2x, https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEga1U2aZI3YoGmmxzTeHfCF8U562qVAuIVa7zWoASRmrsoNnA4AemZz2CMaLKtoA3XXmzZOFLdQ3takwf0lIYRmRH19Vtm7KdrMZxDyaeHNGF6nZM4lpMFC52xGHtuYjdjSYV0gt2ql2K6gdA-Chl5aFUkbXpUFA3-L_Yco6E6LcdHzFikHXzn1tjm4qdP2\/s16000\/RS-Shellcode.webp?resize=1050%2C600&ssl=1 3x, https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEga1U2aZI3YoGmmxzTeHfCF8U562qVAuIVa7zWoASRmrsoNnA4AemZz2CMaLKtoA3XXmzZOFLdQ3takwf0lIYRmRH19Vtm7KdrMZxDyaeHNGF6nZM4lpMFC52xGHtuYjdjSYV0gt2ql2K6gdA-Chl5aFUkbXpUFA3-L_Yco6E6LcdHzFikHXzn1tjm4qdP2\/s16000\/RS-Shellcode.webp?resize=1400%2C800&ssl=1 4x"},"classes":[]},{"id":21615,"url":"https:\/\/kalilinuxtutorials.com\/dinjector\/","url_meta":{"origin":17466,"position":5},"title":"DInjector : Collection Of Shellcode Injection Techniques Packed In A D\/Invoke Weaponized DLL","author":"R K","date":"February 9, 2022","format":false,"excerpt":"DInjector repository is an accumulation of my code snippets for various\u00a0shellcode injection\u00a0techniques using fantastic\u00a0D\/Invoke\u00a0API by @TheWover and @FuzzySecurity. Features: Fully ported to D\/Invoke APIEncrypted payloads which can be invoked from a URL or passed in base64 as an argumentBuilt-in AMSI bypassPPID spoofing\u00a0and\u00a0block non-Microsoft DLLs\u00a0(stolen from\u00a0TikiTorch, write-up is\u00a0here)Sandbox detection & evasion\u2026","rel":"","context":"In "Kali Linux"","block_context":{"text":"Kali Linux","link":"https:\/\/kalilinuxtutorials.com\/category\/kali\/"},"img":{"alt_text":"","src":"https:\/\/blogger.googleusercontent.com\/img\/a\/AVvXsEh9vfiGxWLVHrF9dV78Rro4FVv-NXFbmvvTWYDlPyFebZP5QTQ7cHIr5lgt8K491po9jFG5dUB0VEaCrMD8NXjqYyuvSE-AsLLAZZ30Iej9QxTbuXYkbP4wC3olNadxkvUNUcu8csnZ7ItpeJz-hHPvld0mC1dziyRwzuhvh06m4V4sW3Zq0sO0-oAF=s633","width":350,"height":200,"srcset":"https:\/\/blogger.googleusercontent.com\/img\/a\/AVvXsEh9vfiGxWLVHrF9dV78Rro4FVv-NXFbmvvTWYDlPyFebZP5QTQ7cHIr5lgt8K491po9jFG5dUB0VEaCrMD8NXjqYyuvSE-AsLLAZZ30Iej9QxTbuXYkbP4wC3olNadxkvUNUcu8csnZ7ItpeJz-hHPvld0mC1dziyRwzuhvh06m4V4sW3Zq0sO0-oAF=s633 1x, https:\/\/blogger.googleusercontent.com\/img\/a\/AVvXsEh9vfiGxWLVHrF9dV78Rro4FVv-NXFbmvvTWYDlPyFebZP5QTQ7cHIr5lgt8K491po9jFG5dUB0VEaCrMD8NXjqYyuvSE-AsLLAZZ30Iej9QxTbuXYkbP4wC3olNadxkvUNUcu8csnZ7ItpeJz-hHPvld0mC1dziyRwzuhvh06m4V4sW3Zq0sO0-oAF=s633 1.5x"},"classes":[]}],"_links":{"self":[{"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/posts\/17466","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/comments?post=17466"}],"version-history":[{"count":0,"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/posts\/17466\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/media\/15686"}],"wp:attachment":[{"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/media?parent=17466"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/categories?post=17466"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/tags?post=17466"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}