shellter Package Description

Shellter is a dynamic shellcode injection tool, and the first truly dynamic PE infector ever created. It can be used in order to inject shellcode into native Windows applications (currently 32-bit applications only). The shellcode can be something yours or something generated through a framework, such as Metasploit.

shellter Homepage | Kali shellter Repo

  • Author: Kyriakos Economou
  • License: special

Tools included in the shellter package

shellter – Dynamic shellcode injection tool and dynamic PE infector
root@kali:~# shellter.exe -h
* Command Line Usage *

Help: -h, --help

Action: Shows the command line help menu.

List Payloads: --list

Action: Shows a list of the embedded payloads.

Verbose Mode: -v

Action: Shows Real-Time Tracing.

Operation Mode: -a / -m

Action: Sets the Operation Mode to use.

-a: Auto Mode, -m: Manual Mode. (See Remarks)

Note: Manual Mode requires user interaction for all options.

Online version check: --VersionCheck

Action: Retrieves version information from the official website.

Note: Requires internet connection. Not available in Wine mode.

PE target: -f <filename>

Action: Sets the PE target.

Stealth Mode: -s / --stealth

Action: Enables Stealth Mode feature. Preserves original functionality of
        the infected PE file.

Note: If this feature is enabled then --enc, --encode, and --handler IAT
      are implied as set.

Payload: -p <filename>/<listed payload>

Action: Sets the payload. Must be in RAW format.

Metasploit: generate -t raw.

The following payloads can be used directly through Shellter.

* Payloads *

[1] Meterpreter_Reverse_TCP   [stager]
[2] Meterpreter_Reverse_HTTP  [stager]
[3] Meterpreter_Reverse_HTTPS [stager]
[4] Meterpreter_Bind_TCP      [stager]
[5] Shell_Reverse_TCP         [stager]
[6] Shell_Bind_TCP            [stager]
[7] WinExec

Example: -p meterpreter_reverse_tcp --lhost --port 4444

LHOST: --lhost <IP address>/<Domain Name>

Action: Sets the IP address or the Domain Name for the embedded payloads
        that use reverse connection.

Note: Domain names can be used with the reverse_http and reverse_https
      payloads, or with custom payloads generated by the user.

Port: --port <Port number>

Action: Sets the port number for the embedded payloads that
        either use reverse connection, or listen locally for
        inbound connections.

CMD: --cmd <cmd argument>

Action: Sets the command to execute argument for the embedded
        windows command execution payload.

Example: -p winexec --cmd "cmd.exe /c net user evil password /ADD"

Enable DLL Reflective Loader support: --reflective <FuncName>

Action: Marks the payload as DLL and sets the reflective loader function.

This flag automatically enables encoded-payload support because the loader
might require RW permissions to itself. You will have to set the --handler
argument as well.

Note: Function names are case sensitive.

Threads tracing: --trace main / all

Action: Sets the threads to be traced.

main: Main Thread, all: All Threads Tracing.

Note: It is recommended to enable all threads tracing. This is enabled
      by default when auto mode is used without command line arguments.

Enable encoded-payload support: --enc

Action: Handles encoded payloads.

Note: If you use an encoded payload, this flag is mandatory! However,
      it is enabled by default when auto mode is used without command
      line arguments.
      It is recommended to always use encoded payloads, unless they
      are completely custom, thus not known to AVs.

Note: You can choose to apply Shellter's encoder by using the --encode
      arument. It can also be used on top of already encoded payloads.

Proprietary Shellter Encoding: --encode / --encode {<encoding sequence>}

Action: Applies an extra encoding layer.
        It is enabled by default when using auto mode without command
        line arguments.

* Supported Encoding Operators *

XOR --> x
ADD --> +
SUB --> -
NOT --> !

Example #1: x!+x

Note: When the encoding sequence is defined from the command line, the
      operators need to be enclosed between '{}'.

      Example #2: --encode {x!+}

Note: In Manual mode you must not include the '{}' characters, just as in the
      first example shown above.

Remarks: The number of operators defined, must be between a minimum of 1 and
         a maximum of 12 operators.
         If you just use the --encode switch without defining a custom
         sequence of encoding operations, Shellter will randomly create
         and apply an encoding scheme by itself.
         If you enable stealth mode using --stealh/-s switches, then the
         --encode switch is implied, but if you want to use a custom one
         then you need to explicitly use the --encode switch as shown
         in Example #2.

Note: You will have to set the --handler argument as well.

Note: If you set --encode switch, then --enc is implied as set.

Encode using Dynamic Thread Context Key: --DTCK

Action: Encodes the payload using dynamic thread context information.

Note: This is an experimental feature that logs the content of some
      CPU registers and then filters all that data in order to keep
      injection locations where at least one of the logged registers
      has a value that can be reliably used for encoding and later
      for decoding the payload on runtime.

Note: If you set this flag, then --encode and --enc are implied as set.
      In Auto mode, this feature can only be activated by using command
      line arguments.

Proprietary Decoder Obfuscation: --polyDecoder

Action: Obfuscates the decoder generated by Shellter using
        Thread Context Aware Polymorphic code.

Note: This only applies if --encode option has been set. It is
      enabled by default when using auto mode without command
      line arguments.

Encoded Payload Handling Type: --handler iat / section

Action: Defines how the encoded payload will be handled.

iat: Use IAT pointers, section: Give to section RWE permissions.

Note: If you use an encoded payload, this flag is mandatory! However,
      when you use auto mode without command line arguments, this is
      enabled by default.

Obfuscate IAT type handler: --polyIAT

Action: Enables obfuscation of IAT type handlers for encoded payloads
        using Thread Context Aware Polymorphic code.

Note: Contributes towards a much more polymorphic output! It is enabled
      by default when using auto mode without command line arguments.

Generate & Bind PolyMorphic Junk Code: --junk

Action: Enables PolyMorphic Junk Code.

Note: It is recommended to enable this option in order to produce
      a more complex output. This type of code added also serves
      for timing-out some emulators and sandboxes. You might have
      to wait for a few seconds before the payload gets executed.

Note: This feature is enabled by default when using automode without
      command line arguments.


i. When running inside Wine, the compatible Engine is selected automatically.

ii. If Manual Mode has been selected, all other options are ignored.

iii. If no Operation Mode (-a/-m) has been selected though command line,
     then Auto Mode applies.

iv. If '--enc' and/or '--encode' and/or --DTCK are set, then '--handler' must
    be also set.

v. Tracing of all threads is enabled by default when using the Auto Mode.
   You can disable it by specifying '--trace main' -Not Recommended-.

vi. If Stealth Mode is enabled (-s/--stealth), the injected payload will
    always be encoded by Shellter and --handler IAT is set by default.

vii. Arguments can be passed in any order. If the same argument is used more
     than once, then only the first occurence is taken in consideration.

shellter Usage Examples

root@kali:~# dpkg --add-architecture i386
root@kali:~# apt update && apt install wine32
root@kali:~# shellter