Shellcode Loader with Sandbox Evasion
Version: v2.5
Difficulty: Advanced
Updated: 2025-04-10
Category: Evasion & Stealth

$299.99

Configurable loader that executes shellcode only in real environments:

  • Environment Checks — Detects virtual machines (VMware, VirtualBox, Hyper-V) through CPUID instructions, registry artifacts, MAC address prefixes, and device driver enumeration.
  • Timing Checks — Measures execution timing with RDTSC to detect single-step debugging and accelerated sleep in sandboxes. Aborts if time manipulation is detected.
  • User Interaction — Requires genuine user interaction (mouse movement, keyboard input, screen resolution above 1024x768, multiple monitors) before decrypting and executing the payload.
  • Process Checks — Scans running processes for analysis tools (x64dbg, IDA, Wireshark, Procmon, Fiddler) and security products. Adapts behavior or exits based on findings.
  • Payload Decryption — Shellcode is AES-256-GCM encrypted at rest. Decryption key is derived from environment-specific values (hostname, domain, username) ensuring the payload only decrypts on the intended target.
  • Execution Methods — Multiple injection techniques: direct syscalls (NtAllocateVirtualMemory), callback-based execution (EnumWindows), fiber-based execution, and module stomping.