Metadata-Version: 2.4
Name: shellcoderunner-aes
Version: 1.1.0
Summary: AES-based shellcode loader generator for Windows security research
Author: PaiN05
License: MIT
Classifier: Programming Language :: Python :: 3
Classifier: Topic :: Security
Classifier: Intended Audience :: Developers
Classifier: Intended Audience :: Information Technology
Description-Content-Type: text/markdown
License-File: LICENSE
Requires-Dist: pycryptodome
Dynamic: author
Dynamic: classifier
Dynamic: description
Dynamic: description-content-type
Dynamic: license
Dynamic: license-file
Dynamic: requires-dist
Dynamic: summary

# ShellcodeRunner (AES)

## Overview

**ShellcodeRunner** is a research-focused project designed to help security enthusiasts, red teamers, and malware researchers understand **how custom shellcode loaders work on Windows**.

This repository demonstrates:

* Encrypting raw shellcode using **AES**
* Generating a **native C++ loader**
* Executing shellcode fully **from memory**
* Leveraging **NT Native APIs** for execution

> **Primary Goal:**
> To provide a practical idea of how shellcode loaders can be built in a way that can **easily bypass Windows Defender–based solutions** by avoiding static signatures, plaintext payloads, and common high-level APIs.

This project is intended for **educational and defensive research purposes only**.

---

## Proof of Concept [Video]

[![PoC Video](https://i9.ytimg.com/vi/xlK_TSLLuHA/mqdefault.jpg?sqp=CNT5jcsG-oaymwEmCMACELQB8quKqQMa8AEB-AH-CYAC0AWKAgwIABABGEsgWyhlMA8=&rs=AOn4CLBZW3D_awnEWD14nexvk2pHm5QF_g)](https://www.youtube.com/watch?v=xlK_TSLLuHA) 

---

## Key Features

* AES-128-CBC encrypted shellcode
* Password-based key derivation (SHA-256)
* No plaintext shellcode on disk
* Native Windows CryptoAPI decryption
* NTAPI-based memory allocation and execution
* Simple and clean workflow

---

## Repository Structure

```
shellcoderunner/
├── shellcoderunneraes.py   # Python builder (encrypts shellcode & generates C++ loader)
├── aes_nt_runner.cpp       # Generated C++ loader
├── meow.inc                # Encrypted shellcode + IV (auto-generated)
└── runner.exe              # Final compiled executable
```

---

## Installation

Required dependencies (Linux):

```bash
sudo apt update && sudo apt install -y python3 python3-pip mingw-w64
python3 -m pip install pycryptodome
```

Clone the repository:

```bash
git clone https://github.com/jaytiwari05/shellcoderunner.git
cd shellcoderunner
```

Make the script globally accessible:

```bash
cp shellcoderunneraes.py /usr/local/bin/shellcoderunneraes.py && chmod +x /usr/local/bin/shellcoderunneraes.py
```

---

## Usage

Generate and compile a shellcode loader using AES encryption:

```bash
shellcoderunneraes.py <C2_shellcode>.bin --aes pain05 --compile
```

### Arguments

* `<C2_shellcode>.bin` — Raw shellcode file generated by a C2 framework (e.g., Sliver, Adaptix, Cobalt Strike).
* `--aes` — Password used for AES key derivation
* `--compile` — Compiles the generated C++ loader into an executable

The final output will be a **standalone Windows executable** that decrypts and executes the shellcode entirely in memory.

---

## Why This Works Against Defender

This project highlights techniques commonly used to bypass Windows Defender–based detection:

* Encrypted payload stored on disk
* Runtime decryption using legitimate Windows APIs
* No RWX memory allocation
* Execution via NT Native APIs
* No use of high-level Win32 execution helpers

These techniques help reduce static signatures and behavioral indicators commonly relied upon by Defender.
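The traits listed above are also what a detection engineer would look for when triaging a binary of this kind. The following is an added example written for this page from the defender's side; it is not code from the shellcoderunner project. It flags a file that combines an embedded high-entropy blob (the encrypted payload) with string references to both Windows CryptoAPI and NT native memory/thread APIs. The specific API names used as indicators are assumptions about what such a loader imports; the README does not enumerate them. The sample inputs are constructed inline.

```python
"""Static triage helper for loader-style binaries (added example, not part of the
shellcoderunner project). It checks two traits the README above advertises:
an encrypted (high-entropy) blob embedded in the file, and references to
Windows CryptoAPI plus NT native APIs. The concrete API names below are
assumptions about what such a loader imports; the page does not list them."""

import hashlib
import math
from collections import Counter

# Assumed indicator strings: CryptoAPI routines and NT native memory/thread
# APIs that a loader of this style would typically import.
CRYPTOAPI_NAMES = (b"CryptAcquireContext", b"CryptCreateHash", b"CryptHashData",
                   b"CryptDeriveKey", b"CryptDecrypt")
NTAPI_NAMES = (b"NtAllocateVirtualMemory", b"NtProtectVirtualMemory",
               b"NtWriteVirtualMemory", b"NtCreateThreadEx")

CHUNK = 1024           # bytes per entropy window
HIGH_ENTROPY = 7.0     # bits/byte; ciphertext-like data sits near 8


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def max_window_entropy(data: bytes, chunk: int = CHUNK) -> float:
    """Highest entropy over fixed-size windows, so an encrypted blob stands
    out even when most of the file is ordinary low-entropy code and strings."""
    windows = [data[i:i + chunk] for i in range(0, len(data), chunk)]
    return max((shannon_entropy(w) for w in windows if len(w) >= chunk // 2),
               default=0.0)


def triage(blob: bytes) -> dict:
    """Return a small verdict dict for one file's contents."""
    crypto_hits = [n.decode() for n in CRYPTOAPI_NAMES if n in blob]
    nt_hits = [n.decode() for n in NTAPI_NAMES if n in blob]
    ent = max_window_entropy(blob)
    # All three traits together is the pattern the README describes.
    suspicious = bool(crypto_hits) and bool(nt_hits) and ent >= HIGH_ENTROPY
    return {"cryptoapi": crypto_hits, "ntapi": nt_hits,
            "max_window_entropy": round(ent, 2), "suspicious": suspicious}


def pseudo_random_bytes(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic high-entropy filler standing in for an AES ciphertext."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed sample: an import-name region followed by an "encrypted" blob.
SAMPLE_LOADER = (b"KERNEL32.dll\0ADVAPI32.dll\0CryptAcquireContextW\0CryptCreateHash\0"
                 b"CryptHashData\0CryptDeriveKey\0CryptDecrypt\0ntdll.dll\0"
                 b"NtAllocateVirtualMemory\0NtProtectVirtualMemory\0NtCreateThreadEx\0"
                 + pseudo_random_bytes(4096))
# Constructed benign sample: plain text, no crypto/NT imports, low entropy.
SAMPLE_BENIGN = b"hello world, this is an ordinary text file\n" * 100

if __name__ == "__main__":
    for name, data in (("loader-like", SAMPLE_LOADER), ("benign", SAMPLE_BENIGN)):
        print(name, triage(data))
```

Run it on a file with `triage(open(path, "rb").read())`. Indicator strings and entropy are cheap triage signals, not a verdict: a high-entropy region also appears in legitimately compressed or signed resources, and import names can be absent from the string table. Behavioural telemetry, such as the memory-protection changes implied by the "No RWX memory allocation" bullet above, is the more durable signal to pair this with.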

---

## Disclaimer

This project is provided **strictly for educational, research, and defensive security purposes**.
Do not use this code for unauthorized or malicious activities.
The author is not responsible for misuse.

---

## Author

**PaiN05**
Security Research | Offensive Tradecraft | Malware Development Research
