r00t
Cover Image

Shellter is a dynamic shellcode injection tool, and the first truly dynamic PE infector ever created. It can be used in order to inject shellcode into native Windows applications (currently 32-bit applications only). The shellcode can be something yours or something generated through a framework, such as Metasploit.

Shellter takes advantage of the original structure of the PE file and doesn’t apply any modification such as changing memory access permissions in sections (unless the user wants), adding an extra section with RWE access, and whatever would look dodgy under an AV scan.

Shellter uses a unique dynamic approach which is based on the execution flow of the target application, and this is just the tip of the iceberg. Shellter is not just an EPO infector that tries to find a location to insert an instruction to redirect execution to the payload. Unlike any other infector, Shellter’s advanced infection engine never transfers the execution flow to a code cave or to an added section in the infected PE file.

Main Features

  • Compatible with Windows x86/x64 (XP SP3 and above) & Wine/CrossOver for Linux/Mac.
  • Portable – No setup is required.
  • Doesn’t require extra dependencies (python, .net, etc…).
  • No static PE templates, framework wrappers etc…
  • Supports any 32-bit payload (generated either by metasploit or custom ones by the user).
  • Compatible with all types of encoding by metasploit.
  • Compatible with custom encoding created by the user.
  • Stealth Mode – Preserves Original Functionality.
  • Multi-Payload PE infection.
  • Proprietary Encoding + User Defined Encoding Sequence.
  • Dynamic Thread Context Keys.
  • Supports Reflective DLL loaders.
  • Embedded Metasploit Payloads.
  • Junk code Polymorphic engine.
  • Thread context aware Polymorphic engine.
  • User can use custom Polymorphic code of his own.
  • Takes advantage of Dynamic Thread Context information for anti-static analysis.
  • Detects self-modifying code.
  • Traces single and multi-thread applications.
  • Fully dynamic injection locations based on the execution flow.
  • Disassembles and shows to the user available injection points.
  • User chooses what to inject, when, and where.
  • Command Line support.
  • Free

Click here to read more.

Tips & Tricks

Find a few 32-bit standalone legitimate executables that always work for you and stick with them for as long as they do the job. Unless you are using the Steath Mode for a RedTeam job because you want to trick the victim to run a specific backdoored application, there is no reason to use a different executable every time. Just make sure you use a clean one.

Before using a legitimate executable, try to scan it using an online multi-AV scanner. Sometimes AVs do produce false positives, so it’s good to know that your chosen executable wasn’t detected as something malicious in the first place.

Don’t use packed executables! If you get a notification that the executable is probably packed, then get another one.

Don’t use Shellter with executables produced by other pentesting tools or frameworks. These have possibly been flagged already by many AV vendors. Since Shellter actually traces the execution flow of the target application, you also risk to ‘infect’ yourself if you do that.

If you just need to execute your payload during a pentesting job, you don’t need to enable the Stealth mode feature. This feature is useful during Red Team engagements, since it enables Shellter to maintain the original functionality of the infected application.

If you decide to use the Dynamic Thread Context Keys (DTCK) feature then try to avoid enabling obfuscation for every single step. This feature enables an extra filtering stage which reduces even more the available injection locations, so it’s better not to increase a lot the size of the code to be injected. So as a rule of thumb, in this case just choose to obfuscate the IAT handler. If you use command line just add ‘––polyIAT’ and don’t enable any other obfuscation features.

If you want to inject a DLL with a reflective loader, try to keep your DLL as small as possible and use an executable that has a section, where the code has been traced, that can fit it. Think before you do!

If you are not sure about how to use Shellter, and what each feature does, then use the Auto Mode. It has been put there for this purpose. Use it!

If you are just interested in bypassing the AV and execute your payload, hence not looking at the Stealth Mode feature, then various uninstallers dropped by installed programs might be what you need. These are generally standalone and small in size, which makes them perfect for generic usage.

If you really want to use the Manual Mode, make sure you understand enough what each feature does. Reading the documentation about Shellter is also something you should do first.

If you use the Manual Mode, don’t just trace for a very small number of instructions. The point and one of the unique features of Shellter are it’s ability to trace down the execution flow so that it doesn’t inject into predictable locations. Don’t ruin it for yourself. Usually, 50k instructions should be fine, but as you go deeper in the execution flow the better it gets. If you think that reaching the amount of instructions that you chose it takes too long, you can always interrupt the tracing stage by pressing CTRL+C and proceed with the rest of the injection process.

PS: Shellter tries its best to avoid any mistakes while completely automating the process of dynamic PE infection. However, this is a complicated task and for that reason there is always a small possibility for failure. Following the list of tips and tricks presented here, will give you a good starting point for using Shellter. Keep in mind that while Shellter will try to handle everything for you, it does need your common sense to give you its best.

Download

Please take some time to read carefully the License Agreement and the documentation before using Shellter.

By using this tool, it is implied that you agree with all the terms of use mentioned in the License Agreement.

Shellter VI [6.8]

Compatible with: Windows & Wine/CrossOver for Linux/Mac.

Executable - SHA256: 3784396A8E7EF1FF021FCCA847B7EC86D13A243669A7100FF0609CB64F5CC17F

Note: You can perform a cross-integrity check of the main executable by checking also the SHA256 stored in the twitter account.

Linux Packages

Warning: Linux Distros repositories might be outdated. Use the download link that is provided at the top of this page to always get the latest version.

Kali Linux:

apt-get update
apt-get install shellter

BackBox Linux:

apt-get update
apt-get install shellter

Make sure you have the following two entries in your BackBox system software sources: deb http://ppa.launchpad.net/backbox/four/ubuntu trusty main deb-src http://ppa.launchpad.net/backbox/four/ubuntu trusty main

Arch Linux: yaourt -Syy yaourt -S aur/shellter

Many thanks to my friend Borja (@Borjiviri) for creating the following packages:

Debian Linux

Arch Linux

Note: The Debian package currently installs v2.0, the Arch package should download the latest version (VI [6.5]). Keep in mind that Shellter runs under Wine and it doesn’t require any extra dependencies. You can always use the download link on top of the page, either if you plan to use it in a native Windows host or through Wine in Linux. Repositories for linux packages might also take some time before they are updated, and I am also not spending any time on this. In case your distro includes an earlier version of Shellter in its repositories, after installation you can substitute the shellter.exe module with the latest binary using the aforementioned download link.

Enjoy, kyREcon www.shellterproject.com