Ulfberht: Shellcode loader

by ddos ·

Ulfberht

Shellcode loader

Indirect syscall

Features :

  • Indirect syscall.
  • Module stomping.
  • Load a stomped module using APC.
  • Execute the payload with a direct jump (jmp) without creating a new thread.
  • API hashing implemented using the DJB2 algorithm.
  • Payload encrypted with RC4 and encoded in UUID format, implemented directly in the loader without loading rpcrt4.dll.
  • No CRT is used.

Evasion Tips

Compiling this executable and using it directly can be risky, as it may expose potential Indicators of Compromise (IOCs), such as:

  • The file was compiled within the last 5 minutes.
  • The Import Address Table (IAT) is empty.

Also

  • If you’re using a beacon, avoid using an IP for C2 communication. Instead, use a redirector with a good reputation.
  • Add an icon to the executable.
  • Sign the executable; ideally, use a trusted signature.
  • Add delay and sandbox detection.

How to use :

python3 utils.py C:\Path\To\beacon.bin

Copy the output in payload.h and build the project

NB :

  • If your shellcode lacks evasion features (e.g., Cobalt Strike without UDRL), it can be detected by AV/EDR

Download

Tags: Indirect syscallshellcode loader