Process Injection & Shellcode Loader

Open Source Loaders with Track Record of Successful Callbacks with Light Customization

This assumes that you're doing your due diligence check on potential detections using tools such as: ThreatCheck, Non-Distributed Checks (Kleenscan, Litterbox) and YARA.

Assuming control over a compromised laptop, there are two ways I usually deploy to get an initial C2 callback:

1. Custom UDRL

   1. https://github.com/NtDallas/OdinLdr

   2. https://github.com/boku7/BokuLoader

2. C2 Generated Shellcode + Custom Shellcode Runner or Process Injector

   1. https://github.com/cpu0x00/Ghost

   2. https://github.com/Swayampadhy/ExceptionBITS

   3. https://github.com/monsieurPale/KhimairaLdr

If you wish to write your own glorified version of Reflective DLL Loader, you might wanna consider fetching the shellcode remotely using one of the following download cradle library.

Language	Library/API/Class	Proxy-Aware	Notes
PowerShell	Invoke-WebRequest Invoke-RestMethod	⚙️	Can be set via -Proxy flag, or the HTTP_PROXY environment variable
PowerShell	System.Net.WebClient	⚙️	Can be set via .Proxy property
PowerShell	System.Net.WebRequest	⚙️	Can be set via .Proxy property
PowerShell	System.Net.Http.HttpClient	⚙️	Uses HttpClientHandler; a WebProxy object must be configured manually
C++	WinHttpOpen WinHttpConnect	✅	Uses WinHTTP; can detect auto-proxy settings via WINHTTP_ACCESS_TYPE_AUTOMATIC_PROXY
C++	InternetOpen InternetOpenUrl	⚙️	Controlled by the INTERNET_OPEN_TYPE_PROXY flag
C# (.NET)	WebClient	⚙️	Can be set via WebClient.Proxy property
C# (.NET)	HttpWebRequest	✅	Default proxy via WebRequest.DefaultWebProxy, but can override
C# (.NET)	HttpClient	⚙️	Uses HttpClientHandler; a WebProxy object must be configured manually
Rust	reqwest	⚙️	Can be set via the Proxy struct
Rust	ureq	⚙️	Can be set via the Proxy struct