Rakshita Gupta | Cybersecurity Analyst

Overview

Shellcode-Loader is a Windows-based proof-of-concept that demonstrates in-memory shellcode execution using native Windows API (NTAPI) calls sourced directly from ntdll.dll.
Instead of relying on high-level .NET or Win32 APIs, it invokes low-level functions to allocate memory, write shellcode, flip permissions, and spin up a thread, all within the current process, establishing a Meterpreter reverse TCP session back to the attacker machine.

Features

Direct NTAPI Execution

Bypasses high-level Win32 APIs by calling ntdll.dll functions via P/Invoke
Uses NtAllocateVirtualMemory, NtWriteVirtualMemory, and NtCreateThreadEx directly

In-Memory Payload Delivery

Shellcode never touches disk, executes entirely in process memory
No compiled binary or intermediate file required
Single self-contained PowerShell script

Metasploit Integration

Compatible with msfvenom-generated windows/x64/meterpreter/reverse_tcp payloads
Pairs with exploit/multi/handler in msfconsole for receiving sessions
Keepalive loop maintains the process alive for persistent session handling

Execution flow:

P/Invoke Definitions (ntdll.dll)
        ↓
NtAllocateVirtualMemory   → Allocate RW memory in current process
        ↓
NtWriteVirtualMemory      → Write shellcode bytes into allocated region
        ↓
NtVirtualProtectMemory    → Flip protection: RW → Execute
        ↓
NtCreateThreadEx          → Spawn thread at shellcode address
        ↓
Sleep loop (60s)          → Keep process alive for session persistence

Implementation Details

NTAPI over Win32 API — AV/EDR products commonly hook high-level Win32 calls like VirtualAlloc, WriteProcessMemory, and CreateRemoteThread in user space. Calling the equivalent Nt* functions directly from ntdll.dll sits one layer below those hooks, making detection harder without kernel-level interception.

Self-targeting with handle -1 — All memory operations use the pseudo-handle -1, which Windows resolves to the current process at the kernel level. This avoids opening an explicit process handle (a noisy, logged event) while achieving the same result.

RW → Execute permission flip — Memory is first allocated as PAGE_READWRITE to write the shellcode in, then flipped to PAGE_EXECUTE before the thread is spawned. Allocating memory as directly executable (PAGE_EXECUTE_READWRITE) is a well-known red flag that many security tools alert on — the two-step approach is less conspicuous.

Sample Output

[*] Started reverse TCP handler on <LHOST>:<LPORT>
[*] Sending stage to <TARGET_IP>
[*] Meterpreter session 1 opened

meterpreter > sysinfo
meterpreter > getuid