Please refer to the Shellter_Pro_Plus_Exclusive_Features.pdf for more information about these updates.
Shellter Pro Plus v10.1
Date: 20d/11m/2024
[+] Added the ability to use a custom proxy for fetching AES decryption keys.
[+] Updated the unhooking functions.
All loaded modules will be processed when the option “--ForceDecoyFileMapping” is set, and not just the modules listed in the “KnownDLLs” section objects directory.
[+] VM/Host-Whitelisting are now two separate features.
This provides a more intuitive way of white-listing a specific VM in order to test the infected binary, without disabling VM detection entirely.
[+] Multiple enhancements in order to boost runtime evasion capabilities of payloads generated by popular C2 frameworks.
[+] Fixed a bug in unhooking stage affecting 32-bit binaries under certain circumstances.
[+] Various minor fixes and optimisations.
Shellter Pro Plus v10
Date: 16d/10m/2024
[+] CallStack Scan Evasion
Tampers with callstack information in order to evade detection rules that are based on kernel ETW information.
[+] Force Unhooking System Modules via File-Mappings
Offers an alternative unhooking method while simultaneously evading kernel mode callbacks inserted by EDRs to monitor new module loading events.
[+] Force Preload System Modules
Provides a safer method for preloading system modules commonly used by C2 beacons and other third-party payloads to perform various system-level tasks.
[+] Enhanced AMSI Evasion
Added a new method that avoids both in-memory patching of the AMSI module and the use of hardware breakpoints.
[+] Enhanced Memory Scan Evasion Polymorphism
This update implements a dynamic key mechanism. Once the memory scan evasion feature kicks off, the key changes with each execution. Consequently, the protected code and data will always look different in memory, even for the same binary.
[+] Self-Disarm
This feature enables users to specify a number of days after which the infected binary will deactivate itself. Essentially, if the binary is executed beyond the initially set timeframe, no payloads will be triggered.
[+] Targeted Runtime Evasion II
Our original feature was enhanced further to include additional runtime evasion settings that were introduced afterwards. In addition, this feature can now be explicitly enabled by the user, depending on the expected EDR present on the target host, whenever this is known.
[+] TimeBomb
This feature allows the user to specify a delay in milliseconds before payload execution begins.
[+] Slow Loris
This feature enables lazy loading by inserting delays in frequently executed paths of our code. This behaviour may help to exhaust default timing threshold values used by EDR software to monitor specific combinations of various events that are logged via Kernel ETW monitoring and/or kernel mode callbacks.
[+] Host WhiteListing
This feature allows activating payload execution only inside a specific VM and/or physical host. It should be very useful when you perform your own pre-engagement tests against EDRs inside your own VMs. This helps prevent your binaries from being compromised during testing, particularly when they are uploaded to the cloud by security software for automated sandbox analysis.
[+] Fixed a logic bug in the code obfuscation engine when inserting dummy ‘CALL’ instructions.
[+] Fixed a logic bug in the ‘Memory Scan Evasion’ feature that could cause the process to crash under specific circumstances.
[+] Fixed a logic bug in the “DLL Load Monitoring” feature where the target executable path was not properly quoted when starting the second stage of the feature. If the path had any spaces, then the second stage would fail to complete.
[+] Fixed a bug in ‘Total Recall’ feature where some dynamically generated code stub was truncated in Windows 10 x86 builds.
[+] Various minor fixes and optimisations.
Shellter Pro Plus v9.2
Date: 26d/06m/2024
[+] Added ‘Code Signing’ feature.
Automates the process of generating customised self-signed certificates, and signs the infected binaries once the payload injection stages are completed.
[+] Fixed a logic bug that affected VM detection checks in certain scenarios. If HW resources profiling was disabled by the user, the advanced VM detection options would also be skipped. This was introduced in version 8.3 while refactoring and optimising some blocks of source code.
[+] Various minor fixes and optimisations.
Shellter Pro Plus v9.1
Date: 22d/05m/2024
[+] Option to set command-line arguments for the target executable when doing ‘DLL Load Monitoring’.
[+] Option to set user-defined watermark in infected binaries.
[+] Option to limit the execution time of the poly-junk code when stealth mode is not enabled.
Shellter Pro Plus v9.0
Date: 17d/04m/2024
[+] Memory Scan Evasion
All functions that are required for the lifetime of the running process will now be encoded/decoded on-the-fly as needed. In addition, many important data structure members, such as, but not limited to, function pointers, will always be encoded. These will be fetched and decoded on-the-fly as well, while the original copies will always remain encoded. Finally, all dynamically-built strings will be cleared from the current thread’s stack memory after usage.
[+] Total Recall
This feature was implemented in order to further eradicate in-memory traces of our code under certain circumstances. There may be scenarios where none of the payloads will execute for various reasons, such as VM/DBG detection on process start and/or failure to fetch remote AES keys for payload decryption. When this is the case, this feature will kick in and remove all of our executable code from memory, while also cleaning up memory areas that may store additional data.
[+] Updated the output of “DLL Load Monitor” to mark displayed modules as ‘User’/‘System’. Any logged module that is originally loaded from a directory under “C:\Windows*” will be marked as a ‘System’ module.
[+] Fixed a logic bug where some runtime evasion features remained disabled in ‘Auto’ mode. This did not affect CLI/GUI operation modes.
[+] Added some dynamic debugger detection checks that now also apply for the entire lifetime of the process. This allows detecting a debugger that is attached after process initialisation.
[+] Set the maximum limit of additional data to be added for the ‘Binary Size Increase’ feature to 500MB. This enables users to do extensive testing against security software scan rules that depend on the binary size.
[+] DTCK encoding feature has been deprecated and it will be removed in a future software release.
[+] Fixed a logic bug where ‘DTCK’ encoding and ‘EFD’ files could have been enabled together, even though they are not compatible with each other.
[+] Various minor fixes and optimisations.
Shellter Pro Plus v8.6
Date: 20d/12m/2023
[+] Fixed a compatibility issue with Wine.
Please note that it is not recommended to operate Shellter inside Wine and other Windows environment emulators. Compatibility with Wine is mainly offered as a way to operate our software when a Windows host/VM is not immediately available.
[+] Various minor fixes and optimisations.
Shellter Pro Plus v8.5
Date: 30d/11m/2023
[+] Enhanced Application DLL Backdooring II.
[+] Targeted Runtime Evasion.
[+] License Expiration Check Updates.
[+] Various minor fixes and optimisations.
Shellter Pro Plus v8.4
Date: 14d/11m/2023
[+] Enhanced Windows Built-In Modules Compatibility.
The imports table parser was updated to recognise the imports mechanism used by built-in Windows executables and DLLs.
Please refer to the “Shellter_Pro_Plus_Exclusive_Features.pdf” for more information about this update.
[+] Updated imports table parser to do a more thorough scan of the imports table of the target PE binary.
[+] Various minor fixes and optimisations.
Shellter Pro Plus v8.3
Date: 06d/11m/2023
[+] Enhanced Application DLL Backdooring.
Introduces monitoring for DLL loading and exports calling events. It provides the necessary information to the user for a much more efficient backdooring of an application through a proprietary and/or system DLL. Arguments added: --monitorDllLoading/--MDLL.
Please refer to the “Shellter_Pro_Plus_Exclusive_Features.pdf” for more information about this update.
[+] Several compatibility updates for DLLs that may be loaded by a process that has one or more CFG features enabled.
[+] Various minor fixes and optimisations.
Shellter Pro Plus v8.2
Date: 11d/10m/2023
[+] Added extra validation for the chosen DLL that will be used for the Ambush feature. The additional check will also verify that the specified DLL is not included in the list of modules that are statically linked to the target PE file.
For more information, please refer to the “Shellter_Pro_Plus_Exclusive_Features.pdf” and to the dedicated demo video that is listed on our website.
[+] Added the ability to optionally enable/disable some runtime evasion features. These were previously always enabled when they were supported by the target PE file.
[+] Added new command line arguments: --evadeETW, --evadeAMSI, --redirectNativeImports. These allow optionally enabling the corresponding runtime evasion features. In Auto mode these are always enabled by default.
[+] Added the ability to conceal some internal functionality.
If a debugger or VM is detected, some runtime evasion features will have no effect even if they are enabled by the user.
[+] Fixed a potential race condition bug in unhooking functionality.
[+] Fixed a bug that triggered when choosing to modify PE section permissions instead of using an IAT handler. In that case the infected binary would crash. Using this method is not recommended anyway, but the issue has been fixed.
[+] Fixed a bug that could cause infected 32-bit binaries to crash when they load DLLs (e.g. comctl32.dll) that may be found under both the WinSxS and system32/syswow64 directories.
[+] Fixed a bug in the feature that generates the appropriate MSF launching script when one of the listed payload stagers is used.
Please note, these payloads should mainly be used only for demo purposes.
[+] Various minor fixes and optimisations.
Shellter Pro Plus v8.1
Date: 11d/07m/2023
[+] Fixed a logic bug that caused one of our runtime evasion techniques to become technically disabled. This issue affects versions 7.0 and 8.0.
Shellter Pro Plus v8.0
Date: 28d/06m/2023
[+] Multiple updates towards runtime evasion.
Suspicious access permissions are now removed from all proprietary memory allocations.
[+] Fixed compatibility issues with third-party payloads generated by popular C2 frameworks. In particular, some CB payloads may have freed memory that they did not exclusively own, causing the process to crash. Payloads are now moved to their own private allocations in order to avoid similar issues in the future.
[+] Fixed an issue with ‘Wine mode’ where console font adjustment by Shellter would fail due to incompatibility issues. The user had to start our software via ‘wineconsole’ because using ‘wine’ would not work due to the font adjustment issues. Both options are now working fine again.
[+] Various minor fixes and optimisations.
Shellter Pro Plus v7.0
Date: 27d/04m/2023
[+] Multiple updates towards runtime evasion.
[+] Dynamic inspection of newly loaded modules.
Advanced payloads may load additional modules in order to complete certain tasks. Newly loaded modules will now be checked against hooks, and tampered exports table data.
[+] Various minor fixes and optimisations.
Shellter Pro Plus v6.0
Date: 17d/03m/2023
[+] Multiple updates towards runtime evasion.
These apply against various techniques used by security software to intercept system function calls; especially those exported by kernel32, kernelbase, and ntdll DLLs.
[+] Ambush payload execution.
This is a special feature that allows setting the injected payload(s) into hibernation until a specific benign DLL module is loaded by the process. Please see the documentation for more details.
[+] Anti-DLL Load Monitoring.
This feature removes user-mode registered callbacks that may be set by modules injected by security software inside the process in order to monitor for new DLL loading events.
[+] Fixed a bug in the function that fetches the AES keys for payload decryption through a URL.
[+] Fixed a bug in the function that checks the latest version available on our website. If you have version 5.0, it will display that your version is up to date.
[+] Various minor fixes and optimisations.
Shellter Pro Plus v5.0
Date: 01d/02m/2023
[+] First official release of Shellter Pro Plus series.