Skip to content
/ FALCONSTRIKE Public

A stealthy, targeted Windows Loader for delivering second-stage payloads(shellcode) to the host machine undetected

slaeryan.github.io/posts/falcon-zero-alpha.html

License

AGPL-3.0 license
6 stars 51 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

Wannabe99/FALCONSTRIKE

BranchesTags

Repository files navigation

FalconZero

Introducing FalconZero v1.0 - a stealthy, targeted Windows Loader for delivering second-stage payloads(shellcode) to the host machine undetected - first public release version Loader/Dropper of the FALCONSTRIKE project

Features

  • Dynamic shellcode execution
  • Usage of Github as the payload storage area - the payload is fetched from Github
  • Targeted implant Loader - only execute on targeted assets - thwart automated malware analysis and hinder reverse engineering on non-targeted assets
  • Killdates - implant expires after a specific date
  • Stealthy shellcode injection technique without allocating RWX memory pages in victim process to evade AV/EDRs - currently injects to explorer.exe
  • Sensitive strings encrypted using XOR

Demo

GIF demo

Usage

There are many hard things in life but generating an implant shouldn't be one. This is the reason the generate_implant.py script has been created to make your life a breeze. The process is as simple as:

First generate your shellcode as a hex string
Upload it on Github and copy the Github raw URL
For testing(MessageBox shellcode): https://raw.githubusercontent.com/slaeryan/DigitalOceanTest/master/messagebox_shellcode_hex_32.txt
git clone https://github.com/slaeryan/FALCONSTRIKE.git
cd FALCONSTRIKE
pip3 install -r requirements.txt
python3 generate_implant.py

Follow the on-screen instructions and you'll find the output in bin directory if everything goes well.

AV Scan of FalconZero implant

FalconZero v1.0 Antiscan Result

TO-DO

This is an alpha release version and depending on the response many more upgrades to existing functionalities are coming soon.

Some of them are:

  • Integrate various Sandbox detection algorithms
  • Integrate support for more stealthy shellcode injection techniques
  • Integrate function obfuscation to make it stealthier
  • Include a network component to callback to a C2 when a Stage-2 payload is released or to change targets/payloads and configure other options on-the-fly
  • Inject to a remote process from where network activity is not unusual for fetching the shellcode - better OPSEC
  • Include active hours functionality - Loader becomes active during a specified period of day etc.

Feel free to communicate any further feature that you want to see in the next release. Suggestions for improving existing features are also warmly welcome :)

Read more

Author

Upayan (@slaeryan) [slaeryan.github.io]

License

All the code included in this project is licensed under the terms of the GNU AGPLv3 license.

About

A stealthy, targeted Windows Loader for delivering second-stage payloads(shellcode) to the host machine undetected

slaeryan.github.io/posts/falcon-zero-alpha.html

Resources

Readme

License

AGPL-3.0 license
Activity

Stars

6 stars

Watchers

0 watching

Forks

51 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages