Exclusive Features

Shellter Pro contains all the awesomeness of the community edition of Shellter, and on top of that introduces some extra advanced features that make it even more powerful, user-friendly, effective and, as always, unique.

Console window hiding
When infecting console applications with stealth mode disabled (so the original functionality is not maintained), Shellter Pro will disable the console window in the infected binary. This makes it possible to work effectively with console applications in non-stealth mode settings, since the console window will no longer appear. This feature was added in version 4.5.

Supports both 32 & 64-bit binaries
Support for 64-bit binaries was added in version 4.2. It allows 64-bit executables and DLLs to be processed in order to execute 64-bit payloads directly. Please note, the 64-bit build is offered separately.

Usability Enhancements
Many things have been optimised to provide more reliability and make the software even more user-friendly when operated in ‘Auto mode’.
This mode will now only require the absolute minimum input by the user, thus making it even more fun. This is also the recommended way for most users to operate our software.

Embedded Stagers MSF5/6 Support + Randomised URI Generator
The embedded stagers have been updated to support the latest MSF releases.
We also added an MSF-compatible randomised URI generator that is applied internally by the injection engine to those embedded stagers that require an identification URI by the MSF listener.

Stealth mode reliability improvements
The beloved ‘Stealth Mode’ feature that maintains the original functionality of the infected binary, which may be the required behaviour in some scenarios, has been made even more reliable.
The process of restoring the original code functionality at runtime while the payloads execute in the background is more sophisticated than before.
It now takes into consideration other threads that might be already active by the time the injected code is reached and synchronises everything accordingly.

Multi-payload synchronised execution
Our ‘Multi-payload Injection’ has been improved so that payloads are now executed in a synchronised manner. This means that payloads will still execute in order of injection but now each payload will execute only after the main thread of the previous one has exited. This gives you more control over what actions will be taken, when, and in what order.

Relocations Fixup Support
Added run-time ‘Relocations Fixup’ functionality in order to maintain the dynamic base of the infected binary and allow it to blend even better among modern clean binaries found on a system.
This will work with both DLLs and EXEs and of course, it can be used with any combination of available features.
When operating in ‘Manual Mode’ the user can also optionally ‘fake’ relocations support for a relocatable binary. This will make the binary look like it is still ASLR compatible, but it will always load using the predefined image base as set in the PE header.

Enhanced Anti-AV Signature Technology
Several parts of the payload hiding, encoder, and obfuscation engines have been updated for this release.
These updates make writing AV signatures for Shelltered binaries an even more challenging task.
Furthermore, the updates applied to all aforementioned engines allow them to take further advantage of the overall design and architecture of the infection engine of Shellter Pro.
Putting all these together, a natural balance of binary art is created to make this version of Shellter Pro the best release ever in terms of anti-AV signatures technology.

Large Payloads Support
What about being able to inject full stageless meterpreter payloads and other custom-built DLLs without much hassle?
Now you can!
Some parts of the injection engine have been re-engineered to allow more flexibility with regard to the size of the payload(s) that can be injected into a binary. This is an optional feature and doesn’t have to be enabled all the time, as explained below.
Shellter Pro will now offer the option to enable large payloads support.
In fact, you will be able to inject payloads that are up to 4MBs each, when this feature is enabled.
Well, you won’t have to use anything that big, but now you can just do it.

Upgraded Encoder
Shellter Pro will now support multiple layers of encoding for both embedded and custom payloads.
This allows the user to encode a payload multiple times on the fly during injection, as there is no longer any need to rely only on the ‘Standalone Encoder’ functionality for multi-layered encoding.
Furthermore, the encoding engine will now use multiple keys for each encoding layer, when DTCK is not used.

CertPlay
This feature allows Shellter Pro to save, restore, and re-use the certificate table from PE targets that are digitally signed.
Shellter Pro will now create a directory called “ShellterPro_CRTs” and will store there the certificate table of the PE file it is currently infecting, if that file is signed.
By default, Shellter removes the digital signature and other artifacts from the PE header that indicate that the PE file was signed.
With this new functionality, the user is now able to optionally restore the digital signature of the target PE file once the payload injection has been completed, and/or use the digital signature of another signed PE target that was previously saved in the aforementioned directory.
This new feature makes an infected PE file appear as digitally signed, which in many cases can increase the chances of evading certain AV products.
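
A defender-side check for the situation described above, as an added example that is not Shellter's or this page's own code: a certificate table being present does not mean the file's Authenticode digest still matches its contents. The sketch assumes a contiguous PE layout and only looks for the recomputed SHA-1/SHA-256 digest inside the table as triage (it does not validate the signature or chain); `check_cert_table`, `build_sample` and the sample image are constructed for illustration.

```python
import hashlib
import struct

SECURITY_DIR = 4  # index of IMAGE_DIRECTORY_ENTRY_SECURITY in the data directory

def _layout(pe):
    """Return file offsets of the CheckSum field and the security directory entry."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = nt + 24                                  # optional header follows the COFF header
    pe32plus = struct.unpack_from("<H", pe, opt)[0] == 0x20B
    dirs = opt + (112 if pe32plus else 96)         # start of the data directory array
    return opt + 64, dirs + SECURITY_DIR * 8

def check_cert_table(pe):
    """Triage only: is the file's recomputed digest present in its certificate table?"""
    checksum, entry = _layout(pe)
    off, size = struct.unpack_from("<II", pe, entry)   # a file offset, not an RVA
    if off == 0 or size == 0:
        return "no-cert-table"
    if off + size > len(pe):
        return "malformed"
    # Authenticode skips the checksum, the security directory entry and the table itself.
    hashed = pe[:checksum] + pe[checksum + 4:entry] + pe[entry + 8:off] + pe[off + size:]
    blob = pe[off:off + size]
    for algo in ("sha1", "sha256"):
        if hashlib.new(algo, hashed).digest() in blob:
            return "digest-matches"
    return "digest-mismatch"

def build_sample():
    """Constructed minimal PE32 image; the 'certificate' is a stand-in, not real PKCS#7."""
    img = bytearray(512)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)        # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", img, 0x58, 0x10B)       # PE32 magic
    checksum, entry = _layout(img)
    struct.pack_into("<II", img, entry, 512, 40)   # table appended at end of file
    digest = hashlib.sha256(img[:checksum] + img[checksum + 4:entry] + img[entry + 8:]).digest()
    return bytes(img) + struct.pack("<IHH", 40, 0x0200, 0x0002) + digest

if __name__ == "__main__":
    sample = build_sample()
    modified = bytearray(sample)
    modified[0x150] ^= 0xFF                        # any change to the hashed bytes
    print(check_cert_table(sample), check_cert_table(bytes(modified)))
```

A "digest-mismatch" result means the table was not produced for this file's current contents; full verification with the platform's signature tooling is still needed for a "digest-matches" result.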

MSF Console Scripts Generator
This feature enhances further the automation capabilities of Shellter Pro for advanced users that enjoy using Shellter Pro via customised scripts. This feature was suggested by one of our users.
When you use some of the embedded Metasploit stagers, Shellter Pro will now create an MSF console script file (.rc) which allows the user to automatically configure the listeners based on the options used during injection.
Scripts are saved inside the “ShellterPro_MSF” directory which is created in the installation directory of Shellter Pro.

Execution Flow Tracing Using Executable-Specific Arguments
This is an experimental feature, suggested by one of our users, that allows the execution flow of an executable to be traced while also using specific arguments supported by the executable itself.
This allows even more dynamic injection that can potentially be triggered only when the infected binary is launched with the same arguments.
As you understand, this feature can be a great weapon against automatic analysis sandboxes, and AV emulation engines in general, as the payload will not be reached unless the correct arguments have been used.

Dynamic Payload Injection In DLLs
Payload delivery via executables is cool, but DLLs can be more fun.
This gives more flexibility to the user and an extra boost to the AV evasion and persistence capabilities of Shellter Pro.
Perfect post-exploitation way to demonstrate persistence in Red Team scenarios and/or for extra payload delivery during Pentesting.

Execution Flow Data Files
Time is important. We all know this very well.

Shellter Pro introduces the ‘EFD’ files. These are special files created by Shellter once the first stage filtering of the execution flow has been completed.
They keep all the necessary information that Shellter needs to perform dynamic PE infection of the same quality without having to go through the tracing stage each time you want to use an application known to Shellter.
By completely eliminating the tracing stage for all your favorite PE targets, you get dynamic PE infection in a blink of an eye.
Combining this feature with command line usage makes Shellter Pro the best thing that can happen to you, whenever you need to deliver an executable on the target host, either directly or via Office macros and PowerShell scripts.

Multi-Payload Chaining
Sometimes you might only have one shot. So why waste it by relying on a single payload?

Shellter Pro introduces a unique feature that allows the user to chain up to five payloads in a single injection. Each payload will run independently on a separate thread, so if one fails it will not affect the others.

Note: Not to be confused with the multi-payload infection capability that is also supported in the standard build of Shellter. That one requires restarting Shellter and repeating the entire injection process for each payload. Even though it could be useful, it’s not as fast, effective and advanced as the Multi-Payload Chaining feature of the Pro build.

More Built-In Payloads
In the spirit of ‘time is money’, Shellter Pro introduces a few extra built-in payloads.

Run ‘shellter --list’ to see all the built-in payloads.

New built-in payloads:
meterpreter_reverse_winhttp
meterpreter_reverse_winhttps
meterpreter_reverse_tcp_dns
shell_reverse_tcp_dns

Standalone Encoder
Encoding your payload is extremely important, but you might want to use another method of delivery, or maybe you want to submit the payload to Shellter as an already encoded blob of data.

Shellter Pro exposes its proprietary encoder generator to the user as a standalone feature. You can now instruct Shellter Pro to encode a custom payload saved in a file using either a randomly created encoding sequence, or just by defining your own encoding sequence (see the documentation about the supported encoding operators).

The standalone encoder can even take advantage of some of the polymorphic code generation engine features when you add the ‘--polydecoder’ parameter at the end of the command line.

The output will be a standalone encoded payload merged with a dynamically generated decoder.

Fast PE Compatibility Check
A tool has to work, but it also needs to be as user-friendly as possible. For this reason, Shellter Pro introduces a fast check against your chosen PE target that you can easily use from the command line.

PE File Size Increase
Size matters. Sometimes.

Shellter Pro introduces a unique feature that allows you to increase the size of the PE target whenever this is required/appropriate, and there is a reason behind this.

You would be surprised if you knew how many AV signatures rely on certain file size ranges in order to decide if the engine needs to dig deeper into a PE file or not. This is not an effective solution by itself, but combined with the rest of Shellter’s features, it does give some extra value.

Extra Command Line Arguments
Nobody likes typing long command lines.

For this reason Shellter Pro introduces a couple of extra arguments that can be used to bundle together multiple features in a single argument.

i. --polyAll
This enables both ‘--polyIAT’ and ‘--polyDecoder’.

ii. --polyExtra
This enables ‘--polyIAT’, ‘--polyDecoder’ and ‘--Junk’.

Furthermore, a couple of shorter argument name aliases have been introduced:

i) --pd for --polyDecoder

ii) --pi for --polyIAT

You can still use the long argument names if you prefer.

Enjoy,
kyREcon


Disclaimer

We do not support nor condone illegal activities in any shape or form.
This software is offered with the sole purpose to assist ethical hackers in their daily jobs during Penetration Testing and/or Red Team engagements. The author of this software and INSAINTED LTD assume no responsibility for any unlawful actions taken and any damages caused by using this software.
