ShellcodeRunner is a research-focused project designed to help security enthusiasts, red teamers, and malware researchers understand how custom shellcode loaders work on Windows.
pipx install shellcoderunner-aes
This repository demonstrates:
- Encrypting raw shellcode using AES
- Generating a native C++ loader
- Executing shellcode fully from memory
- Leveraging NT Native APIs for execution
Primary Goal: To provide a practical idea of how shellcode loaders can be built in a way that can easily bypass Windows Defender–based solutions by avoiding static signatures, plaintext payloads, and common high-level APIs.
This project is intended for educational and defensive research purposes only.
sudo apt update && sudo apt install -y python3 python3-pip mingw-w64 && python3 -m pip install --user pipx
python3 -m pipx ensurepath
pipx install shellcoderunner-aes
shellcoderunneraes <C2_shellcode>.bin --aes pain05 --compile
Required Dependencies (Linux):
sudo apt update && sudo apt install -y python3 python3-pip mingw-w64
python3 -m pip install pycryptodome
Clone the repository:
git clone https://github.com/jaytiwari05/shellcoderunner.git
cd shellcoderunner
Make the script globally accessible:
cp shellcoderunneraes.py /usr/local/bin/shellcoderunneraes.py && chmod +x /usr/local/bin/shellcoderunneraes.py
Generate and compile a shellcode loader using AES encryption:
shellcoderunneraes.py <C2_shellcode>.bin --aes pain05 --compile
- AES-128-CBC encrypted shellcode
- Password-based key derivation (SHA-256)
- No plaintext shellcode on disk
- Native Windows CryptoAPI decryption
- NTAPI-based memory allocation and execution
- Simple and clean workflow
shellcoderunner/
├── shellcoderunneraes.py # Python builder (encrypts shellcode & generates C++ loader)
├── aes_nt_runner.cpp # Generated C++ loader
├── meow.inc # Encrypted shellcode + IV (auto-generated)
└── runner.exe # Final compiled executable
- <C2_shellcode>.bin — Raw shellcode file generated by a C2 framework (e.g., Sliver, Adaptix, Cobalt Strike).
- --aes — Password used for AES key derivation
- --compile — Compiles the generated C++ loader into an executable
The final output will be a standalone Windows executable that decrypts and executes the shellcode entirely in memory.
This project highlights techniques commonly used to bypass Windows Defender–based detection:
- Encrypted payload stored on disk
- Runtime decryption using legitimate Windows APIs
- No RWX memory allocation
- Execution via NT Native APIs
- No use of high-level Win32 execution helpers
These techniques help reduce static signatures and behavioral indicators commonly relied upon by Defender.
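The encrypted payload stored on disk is itself an artifact a defender can look for: a C include whose byte arrays are close to uniformly random stands out from ordinary source. The following Python script is an added example, not code from this project; it parses `unsigned char x[] = {...}` arrays out of include text and flags arrays whose Shannon entropy approaches 8 bits/byte. The include layout, array names and sample bytes are constructed assumptions, since the real meow.inc format is not documented here.

```python
"""Flag high-entropy byte arrays in a C include (a sign of an encrypted payload)."""
import hashlib
import math
import re

# Matches `unsigned char NAME[] = { 0x.., 0x.., ... }` (assumed include layout).
ARRAY_RE = re.compile(r"unsigned\s+char\s+(\w+)\s*\[\s*\]\s*=\s*\{([^}]*)\}")


def parse_byte_arrays(src: str) -> dict:
    """Return {array_name: bytes} for every byte-array initialiser in src."""
    arrays = {}
    for name, body in ARRAY_RE.findall(src):
        arrays[name] = bytes(int(tok, 16) for tok in re.findall(r"0x[0-9a-fA-F]{1,2}", body))
    return arrays


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def flag_encrypted_arrays(src: str, threshold: float = 7.0, min_len: int = 64) -> list:
    """Report (name, length, entropy) for arrays long and random enough to be ciphertext."""
    hits = []
    for name, data in parse_byte_arrays(src).items():
        ent = shannon_entropy(data)
        if len(data) >= min_len and ent >= threshold:
            hits.append((name, len(data), round(ent, 2)))
    return hits


def to_c_array(name: str, data: bytes) -> str:
    return f"unsigned char {name}[] = {{ {', '.join(f'0x{b:02x}' for b in data)} }};"


# Constructed sample include: a 16-byte IV, a 1024-byte random-looking blob standing
# in for ciphertext (chained SHA-256 output, so it is deterministic but near-uniform),
# and a plaintext string array for contrast.
SAMPLE_BLOB = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))
SAMPLE_INC = "\n".join([
    to_c_array("iv", SAMPLE_BLOB[:16]),
    to_c_array("payload", SAMPLE_BLOB),
    to_c_array("banner", b"Hello from a plain text array. " * 40),
])

if __name__ == "__main__":
    for name, length, ent in flag_encrypted_arrays(SAMPLE_INC):
        print(f"{name}: {length} bytes, {ent} bits/byte -> likely encrypted blob")
```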
This project is provided strictly for educational, research, and defensive security purposes. Do not use this code for unauthorized or malicious activities. The author is not responsible for misuse.
Please do not raise issues if the loader gets detected in the future, as detection timelines vary and there is no guarantee how long this technique will remain effective.
The generated executable was tested using common open-source tools for basic detection visibility:
- YARA rule scanning (community rulesets)
- ThreatCheck (Defender heuristics)
- AMSI inspection checks
At the time of testing, no alerts were triggered by these tools.
Note: Detection results may vary based on environment, signatures, and security product versions. This does not imply full evasion of all AV/EDR solutions.
PaiN05 Security Research | Offensive Tradecraft | Malware Development Research
PyPI link: https://pypi.org/project/shellcoderunner-aes/