
AES-based shellcode loader generator for Windows security research

Project description

ShellcodeRunner (AES)

Overview

ShellcodeRunner is a research-focused project designed to help security enthusiasts, red teamers, and malware researchers understand how custom shellcode loaders work on Windows.

This repository demonstrates:

  • Encrypting raw shellcode using AES
  • Generating a native C++ loader
  • Executing shellcode fully from memory
  • Leveraging NT Native APIs for execution

Primary goal: to give a practical picture of how a shellcode loader can be built so that it evades Windows Defender-based solutions by avoiding static signatures, plaintext payloads, and common high-level APIs.

This project is intended for educational and defensive research purposes only.


Proof of Concept [Video]

PoC Video


Key Features

  • AES-128-CBC encrypted shellcode
  • Password-based key derivation (SHA-256)
  • No plaintext shellcode on disk
  • Native Windows CryptoAPI decryption
  • NTAPI-based memory allocation and execution
  • Simple and clean workflow

Repository Structure

shellcoderunner/
├── shellcoderunneraes.py   # Python builder (encrypts shellcode & generates C++ loader)
├── aes_nt_runner.cpp       # Generated C++ loader
├── meow.inc                # Encrypted shellcode + IV (auto-generated)
└── runner.exe              # Final compiled executable

Installation

Required Dependencies (Linux):

sudo apt update && sudo apt install -y python3 python3-pip mingw-w64
python3 -m pip install pycryptodome

Clone the repository:

git clone https://github.com/jaytiwari05/shellcoderunner.git
cd shellcoderunner

Make the script globally accessible:

cp shellcoderunneraes.py /usr/local/bin/shellcoderunneraes.py && chmod +x /usr/local/bin/shellcoderunneraes.py

Usage

Generate and compile a shellcode loader using AES encryption:

shellcoderunneraes.py <C2_shellcode>.bin --aes pain05 --compile

Arguments

  • <C2_shellcode>.bin — Raw shellcode file generated by a C2 framework (e.g., Sliver, Adaptix, Cobalt Strike).
  • --aes — Password used for AES key derivation
  • --compile — Compiles the generated C++ loader into an executable

The final output will be a standalone Windows executable that decrypts and executes the shellcode entirely in memory.


Why This Works Against Defender

This project highlights techniques commonly used to evade Windows Defender-based detection:

  • Encrypted payload stored on disk
  • Runtime decryption using legitimate Windows APIs
  • No RWX memory allocation
  • Execution via NT Native APIs
  • No use of high-level Win32 execution helpers

These techniques help reduce static signatures and behavioral indicators commonly relied upon by Defender.
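From the defender's side, the bullets above are also a detection recipe. A loader that avoids RWX still has to turn a writable buffer into executable memory and then start execution inside it, so the sequence "private allocation as RW, protection changed to executable, thread started in that region" is the behavioural indicator to correlate. The following is an added example, not code from the shellcoderunner project: a small correlator over a constructed API-call trace. The event layout is an assumption for this example (not a real Sysmon or ETW schema); the API names NtAllocateVirtualMemory, NtProtectVirtualMemory and NtCreateThreadEx are real NT native APIs, but the page does not state which calls the generated loader uses, so the exact sequence is assumed.

```python
"""Correlate RW -> RX -> thread-start sequences in a process API trace.

Added example for illustration only; the event records below are constructed,
and the assumed loader call sequence is not taken from the project itself.
"""
from dataclasses import dataclass

# winnt.h page-protection constants (real values)
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
EXEC_MASK = 0x10 | 0x20 | 0x40 | 0x80   # any PAGE_EXECUTE* protection


@dataclass
class Event:
    """One API-call record (constructed layout, not a real telemetry schema).
    'addr' is the region base for memory calls and the thread start address
    for NtCreateThreadEx."""
    seq: int
    pid: int
    api: str
    addr: int
    size: int = 0
    protect: int = 0


@dataclass
class Region:
    base: int
    size: int
    protect: int
    transitioned: bool = False   # went from non-executable to executable

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


def _lookup(regions, pid, addr):
    """Find the tracked private region of 'pid' that covers 'addr', if any."""
    for (rpid, _), region in regions.items():
        if rpid == pid and region.contains(addr):
            return region
    return None


def detect(events):
    """Return findings as (pid, region_base, reason, seq_of_thread_start).

    reason is 'rw-to-rx' when a region was allocated without execute rights
    and later re-protected to executable before a thread started inside it
    (the 'no RWX' loader pattern), or 'exec-alloc' when the region was
    executable from the moment it was allocated (the classic RWX pattern).
    """
    regions = {}
    findings = []
    for ev in sorted(events, key=lambda e: e.seq):
        if ev.api == "NtAllocateVirtualMemory":
            regions[(ev.pid, ev.addr)] = Region(ev.addr, ev.size, ev.protect)
        elif ev.api == "NtProtectVirtualMemory":
            region = _lookup(regions, ev.pid, ev.addr)
            if region is None:
                continue
            if not (region.protect & EXEC_MASK) and (ev.protect & EXEC_MASK):
                region.transitioned = True
            region.protect = ev.protect
        elif ev.api == "NtCreateThreadEx":
            region = _lookup(regions, ev.pid, ev.addr)
            # Threads starting in image-backed code are never tracked here;
            # only private regions that are executable at start time count.
            if region is None or not (region.protect & EXEC_MASK):
                continue
            reason = "rw-to-rx" if region.transitioned else "exec-alloc"
            findings.append((ev.pid, region.base, reason, ev.seq))
    return findings


# Constructed trace: one assumed 'no RWX' loader, one benign process, one RWX loader.
SAMPLE_EVENTS = [
    Event(1, 4242, "NtAllocateVirtualMemory", 0x1A0000, 0x2000, PAGE_READWRITE),
    Event(2, 4242, "NtProtectVirtualMemory", 0x1A0000, 0x2000, PAGE_EXECUTE_READ),
    Event(3, 4242, "NtCreateThreadEx", 0x1A0000),
    Event(4, 1000, "NtAllocateVirtualMemory", 0x300000, 0x1000, PAGE_READWRITE),
    Event(5, 1000, "NtProtectVirtualMemory", 0x300000, 0x1000, PAGE_READWRITE),
    Event(6, 1000, "NtCreateThreadEx", 0x7FF600001000),   # image-backed start address
    Event(7, 5555, "NtAllocateVirtualMemory", 0x400000, 0x1000, PAGE_EXECUTE_READWRITE),
    Event(8, 5555, "NtCreateThreadEx", 0x400800),
]


if __name__ == "__main__":
    for pid, base, reason, seq in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: thread at seq {seq} in private region {base:#x} ({reason})")
```

Two caveats apply in practice. First, because the loader calls the NT layer directly, user-mode hooks on VirtualAlloc or CreateThread will not see these events; the trace has to come from a vantage point below the Win32 wrappers (kernel callbacks or ETW threat-intelligence providers). Second, JIT runtimes such as the CLR and browser engines legitimately flip pages from RW to RX, so the rule needs scoping by process image, signer, or parent before it is used for alerting rather than triage.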


Disclaimer

This project is provided strictly for educational, research, and defensive security purposes. Do not use this code for unauthorized or malicious activities. The author is not responsible for misuse.


Author

PaiN05 Security Research | Offensive Tradecraft | Malware Development Research

Download files


Source Distribution

shellcoderunner_aes-2.0.0.tar.gz (7.3 kB)

Uploaded Source

Built Distribution


shellcoderunner_aes-2.0.0-py3-none-any.whl (7.9 kB)

Uploaded Python 3

File details

Details for the file shellcoderunner_aes-2.0.0.tar.gz.

File metadata

  • Download URL: shellcoderunner_aes-2.0.0.tar.gz
  • Size: 7.3 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.9

File hashes

Hashes for shellcoderunner_aes-2.0.0.tar.gz
Algorithm Hash digest
SHA256 dee6cecc63d3db496c28dc60ac796277361a6407859d600758d855b5810176fb
MD5 268ec6abcf49e6debd752d2c527339d6
BLAKE2b-256 0719c5d48b99321b35802ba20e3b932bcf4e62d14d3816ecaa556356859aff4f


File details

Details for the file shellcoderunner_aes-2.0.0-py3-none-any.whl.

File hashes

Hashes for shellcoderunner_aes-2.0.0-py3-none-any.whl
Algorithm Hash digest
SHA256 4339e03ed887a9f8d2ac85f8585949eba23ca9ae0e0a1f70853018e3f23196a8
MD5 f0bdc97244cfd415c46fd596e4911218
BLAKE2b-256 a39d74c015e5a75b3315b056d36e2d5b5a719ee4af04ed870f85fc3d80877e23
