
Shellcoderunner

A simple research-focused AES-based shellcode loader demonstrating in-memory execution and NTAPI techniques to help understand how custom loaders can bypass Windows Defender–based detection.

Install / Use

/learn @jaytiwari05/Shellcoderunner
About this skill

Quality Score

0/100

Supported Platforms

Universal

README

ShellcodeRunner (AES)

Overview

ShellcodeRunner is a research-focused project designed to help security enthusiasts, red teamers, and malware researchers understand how custom shellcode loaders work on Windows.

pipx install shellcoderunner-aes

This repository demonstrates:

  • Encrypting raw shellcode using AES
  • Generating a native C++ loader
  • Executing shellcode fully from memory
  • Leveraging NT Native APIs for execution

Primary Goal: To provide a practical idea of how shellcode loaders can be built in a way that can easily bypass Windows Defender–based solutions by avoiding static signatures, plaintext payloads, and common high-level APIs.

This project is intended for educational and defensive research purposes only.


Proof of Concept [Video]

Using Adaptix C2

https://github.com/user-attachments/assets/23aa3960-ae08-41a4-9295-fe64b1468e25

Using Sliver C2

https://github.com/user-attachments/assets/26a17f65-a135-4e0f-a5c2-2c916daac91b


Installation

Recommended Method

sudo apt update && sudo apt install -y python3 python3-pip mingw-w64 && python3 -m pip install --user pipx
python3 -m pipx ensurepath
pipx install shellcoderunner-aes
shellcoderunneraes <C2_shellcode>.bin --aes pain05 --compile

OR

Required Dependencies (Linux):

sudo apt update && sudo apt install -y python3 python3-pip mingw-w64
python3 -m pip install pycryptodome

Clone the repository:

git clone https://github.com/jaytiwari05/shellcoderunner.git
cd shellcoderunner

Make the script globally accessible:

sudo cp shellcoderunneraes.py /usr/local/bin/shellcoderunneraes.py && sudo chmod +x /usr/local/bin/shellcoderunneraes.py

Usage

Generate and compile a shellcode loader using AES encryption:

shellcoderunneraes.py <C2_shellcode>.bin --aes pain05 --compile

Key Features

  • AES-128-CBC encrypted shellcode
  • Password-based key derivation (SHA-256)
  • No plaintext shellcode on disk
  • Native Windows CryptoAPI decryption
  • NTAPI-based memory allocation and execution
  • Simple and clean workflow

Repository Structure

shellcoderunner/
├── shellcoderunneraes.py   # Python builder (encrypts shellcode & generates C++ loader)
├── aes_nt_runner.cpp       # Generated C++ loader
├── meow.inc                # Encrypted shellcode + IV (auto-generated)
└── runner.exe              # Final compiled executable

Arguments

  • <C2_shellcode>.bin — Raw shellcode file generated by a C2 framework (e.g., Sliver, Adaptix, Cobalt Strike).
  • --aes — Password used for AES key derivation
  • --compile — Compiles the generated C++ loader into an executable

The final output will be a standalone Windows executable that decrypts and executes the shellcode entirely in memory.


Why This Works Against Defender

This project highlights techniques commonly used to bypass Windows Defender–based detection:

  • Encrypted payload stored on disk
  • Runtime decryption using legitimate Windows APIs
  • No RWX memory allocation
  • Execution via NT Native APIs
  • No use of high-level Win32 execution helpers

These techniques help reduce static signatures and behavioral indicators commonly relied upon by Defender.
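The evasion rationale above rests on the payload being stored encrypted rather than as a recognisable shellcode blob. An added, defender-side example (not part of the ShellcodeRunner project): AES ciphertext has near-maximal byte entropy, so a sliding-window entropy scan over a binary flags a large embedded ciphertext region that a plain byte-signature scan would miss. The window size, step, threshold and the sample "binary" below are constructed assumptions for illustration.

```python
# Added example, not project code: static entropy check for embedded
# encrypted payloads of the kind the loader writes to disk.
import hashlib
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def find_high_entropy_regions(blob: bytes, window=1024, step=512, threshold=7.2):
    """Return merged (start, end) byte ranges whose windows exceed threshold.
    Overlapping hits are merged so one embedded blob yields one region.
    Window/step/threshold values are constructed defaults, not project settings."""
    regions = []
    for off in range(0, max(1, len(blob) - window + 1), step):
        if shannon_entropy(blob[off:off + window]) >= threshold:
            end = off + window
            if regions and off <= regions[-1][1]:
                regions[-1] = (regions[-1][0], end)   # extend the current region
            else:
                regions.append((off, end))
    return regions

def looks_like_embedded_ciphertext(blob: bytes, min_region=1024) -> bool:
    """Heuristic verdict: any merged high-entropy region of at least min_region bytes."""
    return any(e - s >= min_region for s, e in find_high_entropy_regions(blob))

# Constructed stand-in for a loader image: zero padding plus repetitive
# "code" text (low entropy), and a variant with a 4 KiB deterministic
# pseudo-random block spliced in where an AES-encrypted payload would sit.
SAMPLE_PLAIN = (b"\x00" * 3000) + (b"mov eax, ebx; ret\n" * 200)
FAKE_CIPHERTEXT = b"".join(
    hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128)
)
SAMPLE_WITH_BLOB = SAMPLE_PLAIN[:2000] + FAKE_CIPHERTEXT + SAMPLE_PLAIN[2000:]

if __name__ == "__main__":
    for name, blob in (("plain", SAMPLE_PLAIN), ("with_blob", SAMPLE_WITH_BLOB)):
        print(name, find_high_entropy_regions(blob),
              looks_like_embedded_ciphertext(blob))
```

Compressed or packed sections also score high, so in practice this is a triage signal to combine with other indicators, not a verdict on its own.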


Disclaimer

This project is provided strictly for educational, research, and defensive security purposes. Do not use this code for unauthorized or malicious activities. The author is not responsible for misuse.

Please do not raise issues if the loader gets detected in the future, as detection timelines vary and there is no guarantee how long this technique will remain effective.

Detection Validation (Informational)

The generated executable was tested using common open-source tools for basic detection visibility:

  • YARA rule scanning (community rulesets)
  • ThreadCheck (Defender heuristics)
  • AMSI inspection checks

[Screenshots: ThreadCheck result and yara-rules scan result]

At the time of testing, no alerts were triggered by these tools.

Note: Detection results may vary based on environment, signatures, and security product versions. This does not imply full evasion of all AV/EDR solutions.


Author

PaiN05 Security Research | Offensive Tradecraft | Malware Development Research

PyPI: https://pypi.org/project/shellcoderunner-aes/

GitHub Stars: 41
Category: Education
Updated: 3d ago
Forks: 5

Languages

Python

Security Score

75/100

Audited on Mar 23, 2026

No findings