Shellcode Loader With a Cocktail of Techniques
- Indirect Syscalls
- Halos Gate for rebuilding ntdll
- RC4 encryption for the shellcode
- OLLVM compilation for Obfuscation
- Fetch shellcode and key from a remote source
- Use Function callback
- EnumWindows
- EnumDisplayMonitors
- Sign the Binary (Legitimate Certificate or LazySign)
- This will fetch the shellcode and the rc4 key from a remote source
- The execution will be done by a Function callback. The current function being used for callback is EnumDisplayMonitors
- Add Branch for AES Encryption for the shellcode
- Add Branch for PEB Parsing and shutting down if the binary is being debugged (detected by Microsoft Defender Cloud Protection)
- Add sleep obfuscation
- Windows Defender + Cloud Delivered Protection [Windows 11] (September 2025)
- Elastic EDR
The current configuration picks the clang-cl.exe binary from a github repo
- Compile O-LLVM yourself
Total time taken for compilation: 30:26.489 minutes
-D__CUDACC__ -D_ALLOW_COMPILER_AND_STL_VERSION_MISMATCH -mllvm -bcf -mllvm -bcf_prob=73 -mllvm -bcf_loop=3 -mllvm -sub -mllvm -sub_loop=5 -mllvm -fla -mllvm -split_num=5 -mllvm -aesSeed=CAFEBEEFDEADBABEDEADBABECAFEBEEF