APCShellcodeLoaderPOC is a Windows shellcode loader that bypasses Event Tracing for Windows (ETW) monitoring and uses direct system calls together with the APC injection technique for process injection. The project combines several anti-debugging, anti-sandbox, and virtual machine detection techniques with dynamic NT API resolution. It is intended solely for research and education in reverse engineering and system security.
**Important Disclaimer**

This project is provided for educational and research purposes only. Any use for illegal or malicious activities is strictly prohibited. The user is solely responsible for any consequences arising from its use, and the author assumes no legal liability.
- **ETW Bypass**: The project circumvents ETW monitoring by replacing the first instruction of `EtwEventWrite` with a `RET` instruction.
- **Anti-Debugging and Anti-Sandbox Measures**: Techniques including `IsDebuggerPresent`, `CheckRemoteDebuggerPresent`, and checks of physical memory size, processor core count, and sandbox-specific modules (e.g., Sandboxie) are used to detect hostile analysis environments.
- **Dynamic API Resolution**: The loader parses the export table of `ntdll.dll` at runtime and resolves the NT API addresses it needs by comparing computed hashes of the export names. This avoids static API imports and so reduces the loader's visible footprint.
- **Process Injection via APC**: The shellcode (XOR-encrypted with key `0xAA`) is decrypted and injected into a target process (such as `explorer.exe`) using Asynchronous Procedure Call (APC) injection: memory is allocated in the remote process, the shellcode is written there, and an APC is queued to execute it.
- **Delayed Execution Strategy**: A non-traditional delay mechanism (instead of `Sleep`) is used to further complicate static and dynamic analysis.
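As an added, defender-side example that is not part of this project's code: a small integrity check that flags the `RET` patch described under ETW Bypass by inspecting the leading bytes of an exported function, optionally diffing them against a clean on-disk copy of the module. The sample prologue bytes are constructed for the demonstration (they are not real `ntdll` bytes), and the live check of `ntdll!EtwEventWrite` compiles only on Windows.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Verdict for the leading bytes of an exported function. */
enum prologue_state { PROLOGUE_CLEAN = 0, PROLOGUE_RET, PROLOGUE_ZERO_RET, PROLOGUE_DIFFERS };

/* Classify the first n bytes of a function as mapped in the live process. disk may be
 * NULL; when given it holds the same bytes from a clean on-disk copy of the module,
 * and any difference not matching a known pattern is still reported as tampering. */
enum prologue_state classify_prologue(const uint8_t *mem, const uint8_t *disk, size_t n)
{
    if (n == 0) return PROLOGUE_CLEAN;
    if (mem[0] == 0xC3) return PROLOGUE_RET;                                  /* ret: the patch used here */
    if (n >= 3 && mem[0] == 0x33 && mem[1] == 0xC0 && mem[2] == 0xC3) return PROLOGUE_ZERO_RET; /* xor eax,eax ; ret */
    if (n >= 4 && mem[0] == 0x48 && mem[1] == 0x33 && mem[2] == 0xC0 && mem[3] == 0xC3) return PROLOGUE_ZERO_RET; /* xor rax,rax ; ret */
    if (disk != NULL && memcmp(mem, disk, n) != 0) return PROLOGUE_DIFFERS;   /* e.g. an inline detour */
    return PROLOGUE_CLEAN;
}

/* Constructed samples (not real ntdll bytes): a plausible clean x64 prologue, the same
 * bytes after the single-byte RET patch, and a relative-jmp overwrite (detour). */
static const uint8_t SAMPLE_CLEAN[8]  = {0x48, 0x83, 0xEC, 0x48, 0x4C, 0x8B, 0xDC, 0x90};
static const uint8_t SAMPLE_RET[8]    = {0xC3, 0x83, 0xEC, 0x48, 0x4C, 0x8B, 0xDC, 0x90};
static const uint8_t SAMPLE_DETOUR[8] = {0xE9, 0x00, 0x10, 0x00, 0x00, 0x8B, 0xDC, 0x90};

#ifdef _WIN32
/* Live check of ntdll!EtwEventWrite in the current process. With no clean on-disk copy to diff
 * against only the known patterns are caught; a failed lookup is reported as clean, which a real
 * monitor should instead treat as an error. */
enum prologue_state check_etw_event_write(void)
{
    HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    const uint8_t *fn = ntdll ? (const uint8_t *)GetProcAddress(ntdll, "EtwEventWrite") : NULL;
    return fn ? classify_prologue(fn, NULL, 8) : PROLOGUE_CLEAN;
}
#endif

int main(void)
{
    printf("clean sample -> %d\n", classify_prologue(SAMPLE_CLEAN, SAMPLE_CLEAN, 8));  /* 0 */
    printf("RET patched  -> %d\n", classify_prologue(SAMPLE_RET, SAMPLE_CLEAN, 8));    /* 1 */
    printf("detoured     -> %d\n", classify_prologue(SAMPLE_DETOUR, SAMPLE_CLEAN, 8)); /* 3 */
#ifdef _WIN32
    printf("live ntdll!EtwEventWrite -> %d (0 = no known patch)\n", check_etw_event_write());
#endif
    return 0;
}
```

Without the on-disk reference the detour sample is reported clean, which shows why a production monitor should diff against a fresh mapping of the module rather than rely on pattern matching alone.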
```
BypassETWDirectSyscallShellcodeLoader/
├── README.md   # Project description and documentation
├── main.cpp    # Main source code file
```
- Operating System: Windows
- Development Environment: Microsoft Visual Studio with the appropriate Windows SDK installed
1. **Source Code Acquisition**: Download the `main.cpp` file and any other necessary files to your local development directory.
2. **Project Setup**: Create a new C/C++ project in Visual Studio and add the downloaded source files to it.
3. **Compilation**: Build the project using Visual Studio's default settings. Be aware that the resulting binary may be flagged by some antivirus engines because of its low-level operations.
- Run the compiled executable directly.
- On execution, the program performs several security checks (anti-debug, anti-sandbox, and VM detection), then bypasses ETW monitoring, elevates process privileges, and dynamically resolves required NT APIs.
- After decryption, the shellcode is injected into a target process through APC injection, and the program cleans up its memory and optionally self-deletes.
- **Educational Use Only**: The techniques and code provided in this project are solely for security research and reverse engineering education. It is imperative not to use this code for any unauthorized or criminal activities.
- **Potential False Positives**: Given the low-level operations and the bypassing of standard security mechanisms, the compiled binary may be detected by certain antivirus solutions. Testing should only be conducted in controlled, secure environments.
- **Legal Considerations**: Users must ensure compliance with all applicable laws and regulations. The author is not liable for any legal or security issues arising from the use of this project.
Contributions, suggestions, and enhancements are welcome. Please report any issues or propose improvements via GitHub Issues or by submitting a Pull Request.
For further discussion or inquiries, please contact the author at: fadouse@turings.org
Disclaimer: This project and its accompanying documentation are provided solely for research and educational purposes. The author assumes no responsibility for any legal or security issues that may arise from its use.
Additional Note: This project documentation was generated with the assistance of ChatGPT and related research tools.