Howdy!
From time to time, I receive emails with questions regarding the usage of Shellter.
Sometimes, I also see people using it in a completely wrong way, which either ruins its effectiveness or produces output that just won’t work.
With this in mind, I decided to release some tips and tricks on how to use Shellter in order to get the best out of it. I will try to update this page accordingly from time to time.
Tips & Tricks
- Find a few 32-bit standalone legitimate executables that always work for you and stick with them for as long as they do the job.
However, take into serious consideration what is discussed in this article, and avoid using executables of popular applications when not needed.
Unless you are using the Stealth Mode for a Red Team job because you want to trick the victim into running a specific backdoored application, there is no reason to use a different executable every time. Just make sure you use a clean one.
- Before using a legitimate executable, try to scan it using an online multi-AV scanner. Sometimes AVs do produce false positives, so it’s good to know that your chosen executable wasn’t detected as something malicious in the first place.
- Don’t use packed executables!
If you get a notification that the executable is probably packed, then get another one.
- Don’t use Shellter with executables produced by other pentesting tools or frameworks. These have possibly been flagged already by many AV vendors. Since Shellter actually traces the execution flow of the target application, you also risk ‘infecting’ yourself if you do that.
- If you just need to execute your payload during a pentesting job, you don’t need to enable the Stealth mode feature. This feature is useful during Red Team engagements, since it enables Shellter to maintain the original functionality of the infected application.
- If you decide to use the Dynamic Thread Context Keys (DTCK) feature, then try to avoid enabling obfuscation for every single step. This feature enables an extra filtering stage which further reduces the available injection locations, so it’s better not to greatly increase the size of the code to be injected.
So as a rule of thumb, in this case just choose to obfuscate the IAT handler. If you use the command line, just add ‘--polyIAT’ and don’t enable any other obfuscation features.
- If you want to inject a DLL with a reflective loader, try to keep your DLL as small as possible and use an executable that has a section, where the code has been traced, that can fit it.
Think before you do!
- If you are not sure about how to use Shellter, and what each feature does, then use the Auto Mode. It has been put there for this purpose. Use it!
- If you are just interested in bypassing the AV and executing your payload, hence not looking at the Stealth Mode feature, then various uninstallers dropped by installed programs might be what you need.
These are generally standalone and small in size, which makes them perfect for generic usage.
- If you really want to use the Manual Mode, make sure you understand well enough what each feature does. Reading the documentation about Shellter is also something you should do first.
- If you use the Manual Mode, don’t just trace for a very small number of instructions. The point, and one of the unique features of Shellter, is its ability to trace the execution flow so that it doesn’t inject into predictable locations. Don’t ruin it for yourself.
Usually, 50k instructions should be fine, but the deeper you go in the execution flow, the better it gets.
If you think that reaching the number of instructions you chose takes too long, you can always interrupt the tracing stage by pressing CTRL+C and proceed with the rest of the injection process.
PS: Shellter tries its best to avoid any mistakes while completely automating the process of dynamic PE infection. However, this is a complicated task and for that reason there is always a small possibility of failure. Following the list of tips and tricks presented here will give you a good starting point for using Shellter. Keep in mind that while Shellter will try to handle everything for you, it does require your common sense and knowledge to give you its best.
Cheers,
kyREcon
Disclaimer
We do not support nor condone illegal activities in any shape or form. This software is offered with the sole purpose to assist ethical hackers in their daily jobs during Penetration Testing and/or Red Team engagements. The author of this software and INSAINTED LTD assume no responsibility for any unlawful actions taken and any damages caused by using this software.