⚠️ Disclaimer: This repository is intended strictly for educational purposes and security research. All techniques presented here are to be used only on systems you own or have explicit written authorization to test. The author takes no responsibility for any misuse of this material. Use at your own risk.
A personal collection of shellcode loaders built as a learning project alongside MalDevAcademy coursework. Each project implements a specific combination of injection technique, encryption, and evasion measures.
Testing environment: All loaders were tested against Windows Defender on Windows 10/11 using Metasploit Framework shellcode. Results may vary across different AV/EDR configurations.
Language breakdown: Most loaders are written in C, with one exception in C# (NtAPIXOR). Several projects use MASM for syscall stubs.
📁 Note on missing `.sln` files: Solution files are intentionally omitted from most projects. The source code is provided for study and reference — you are expected to read and understand it, not compile it blindly. If you need to build a project, set up your own VS solution.
The loaders are ordered roughly by increasing complexity, starting from basic CRT/remote injection, progressing through APC techniques, encryption, and sandbox evasion, and finishing with syscall-based approaches that avoid userland hooks entirely.
| No. | Loader Name | Lang | Encryption | Staged | Evasion Measures | Description |
|---|---|---|---|---|---|---|
| 1 | ProcInjShellcodeInternetAPI | C | None | ✅ | • Remote injection • CRT | Remote process injection via CRT with staged payload downloaded from a remote server |
| 2 | ProcInjShellcodeNtQuerySystemInfo | C | None | ✅ | • IPv6 obfuscation • Direct syscall usage • Process enumeration | Remote process injection via CRT with IPv6-obfuscated payload; uses NtQuerySystemInformation syscall for process enumeration |
| 3 | ThreadHijackIPv6Obf | C | None | ❌ | • Thread hijacking • IPv6 obfuscation | Remote process thread hijacking with IPv6-obfuscated payload |
| 4 | RC4APCInjection | C | RC4 | ❌ | • APC injection • Alertable thread | APC injection via alertable sacrificial thread with RC4-encrypted shellcode |
| 5 | EarlyBirdAPCInjection | C | None | ✅ | • Early Bird technique • Debugged-state spawn | Early Bird APC injection spawning a target process in debugged state; payload fetched from staging server |
| 6 | RC4EarlyBirdAPCInjectionStaged | C | RC4 | ✅ | • Early Bird technique • Debugged-state spawn | Early Bird APC injection with RC4-encrypted staged shellcode fetched from a web server |
| 7 | AESCRTSleep | C | AES | ❌ | • CRT injection • Random sleep timing • Remote injection | CRT injection with AES-encrypted payload; sleeps a random interval before execution to evade sandbox timeouts |
| 8 | XORCRTInj | C | XOR | ❌ | • CRT injection | CRT injection with XOR-encrypted payload; includes a separate encryption utility |
| 9 | NtAPIXOR | C# | XOR | ❌ | • Native API usage • Remote injection | Remote process injection using Native API calls (C#) with XOR-encrypted payload |
| 10 | XORProcessHypnosis | C | XOR | ❌ | • Process Hypnosis • Application Setup Strings • Remote injection • API emulation • Debugger check • Sleep check | Process Hypnosis technique with XOR-encrypted payload and sandbox evasion checks |
| 11 | ProcessHypnosisStaged | C | None | ✅ | • Process Hypnosis | Process Hypnosis technique with staged payload — minimal evasion, baseline implementation |
| 12 | XORProcessHypnosisStaged | C | XOR | ✅ | • Process Hypnosis • Staged key • Application Setup Strings • Remote injection • API emulation • Sleep check • Debugger check | Process Hypnosis with XOR-encrypted staged payload and separately staged encryption key |
| 13 | EarlyBirdAPCInjectionStagedSpoofControl | C | RC4 | ✅ | • Early Bird technique • PPID spoofing • API emulation • Execution control • Payload execution check • Remote injection • Sleep check | Early Bird APC injection with RC4-encrypted staged payload, PPID spoofing, and execution flow control |
| 14 | ProcessHypnosisStagedObfuscated | C | None | ✅ | • Process Hypnosis • API hashing • Custom GetModuleHandle/GetProcAddress • Runtime API resolution • Execution control • API emulation • Debugger check • Sleep check | Process Hypnosis with staged payload, API hashing, and custom GMH/GPA implementations to evade static analysis |
| 15 | EarlyBirdAPCEvasion | C | None | ✅ | • Early Bird technique • API hashing • API emulation • PPID spoofing • Custom GMH/GPA • Runtime API resolution • Execution control • API Hammering • Debugger check • Sleep check | Early Bird APC with comprehensive evasion stack: API hashing, hammering, PPID spoofing, runtime resolution, execution control |
| 16 | EarlyBirdAPCInjectionSyscalls | C + ASM | None | ✅ | • Early Bird technique • Direct syscalls (SysWhispers3) • Custom GMH/GPA • Runtime API resolution • API hashing • Execution control • API emulation • Debugger check • Sleep check | Early Bird APC injection using direct syscalls via SysWhispers3, bypassing userland hooks |
| 17 | HGRemoteMappingInjection | C | None | ❌ | • HellsGate technique • Remote mapping injection | Remote mapping injection using HellsGate for dynamic syscall number resolution |
| 18 | DLL-ProcessHypnosisEv | C | XOR | ❌ | • Process Hypnosis • DLL export • Application Setup Strings • Sleep check • API emulation • Execution control | Process Hypnosis technique delivered as a DLL with XOR-encrypted shellcode and evasion |
| 19 | SysWhispRemoteMappingInjection | C + ASM | None | ❌ | • SysWhispers3 • Remote mapping injection • API unhooking • Custom GMH/GPA • API hashing • Runtime API resolution • Execution control • API Hammering • API emulation • Debugger check • Sleep check | Remote mapping injection using SysWhispers3 syscalls with a full evasion stack including API unhooking |
| 20 | APCInjection-IndirectSyscalls | C + ASM | XOR | ❌ | • APC injection • HellsHall technique • Indirect syscalls • Custom GMH/GPA • API hashing • Runtime API resolution • Execution control • API Hammering • API emulation • Debugger check • Sleep check | APC injection with indirect syscalls via HellsHall; most advanced evasion stack in the repo |
| 21 | FreshyCalls-RemoteMappingInjection | C | None | ❌ | • FreshyCalls technique • Remote mapping injection | Remote mapping injection using FreshyCalls for syscall-based userland hook bypass |
| Term | Description |
|---|---|
| CRT Injection | CreateRemoteThread-based shellcode injection into a remote process |
| APC Injection | Queuing shellcode execution via Asynchronous Procedure Calls |
| Early Bird APC | APC injection into a newly spawned suspended process before its entry point runs |
| Process Hypnosis | Replacing the image of a suspended process before it executes |
| Remote Mapping Injection | Mapping a shellcode section into a remote process without using WriteProcessMemory |
| PPID Spoofing | Spawning a process with a forged parent PID to blend into process trees |
| API Hashing | Resolving API addresses at runtime using hashed function names to avoid import table artifacts |
| API Hammering | Calling benign APIs in a loop to inflate execution time and evade sandbox timeouts |
| HellsGate / HellsHall | Techniques for resolving SSNs (syscall numbers) dynamically from ntdll to enable direct/indirect syscalls |
| SysWhispers3 | A tool to generate direct/indirect syscall stubs, avoiding userland hooks in ntdll |
| FreshyCalls | Technique for sorting syscall stubs to determine SSNs without reading hooked ntdll |
Projects and resources that informed this work:
- MalDevAcademy — primary learning resource
- SysWhispers3 — direct/indirect syscall generation
- HellsGate — dynamic SSN resolution
- HellsHall — indirect syscall variant
- FreshyCalls — syscall stub sorting technique
- Process Hypnosis — technique reference