Sometimes, you need a fast way to encode your shellcode and execute it easily without being blocked by AV/EDR. Junkshell is a tool designed to encode your shellcode and execute it directly in memory by generating a Powershell script. The best part is the powershell script is different on each generation, so it's hard to detect.
Junkshell utilizes an old technique based on junk code. Essentially, it involves reserving a large chunk of memory and filling it with junk code. The shellcode is then placed at the end of this junk code and executed. This approach allows for bypassing AV/EDR detection, as the trick lies in using valid instructions instead of traditional NOPs to fill the memory. While NOPs are typically ignored by AV/EDR, using instructions like xor eax, 0 or sub eax, 0, which do nothing but are still valid instructions, helps achieve successful execution of the shellcode. Check my blog post for more details.
Finally, the AV/EDR stops the analysis because the payload is too long to be analyzed. The amount of junk code is generated randomly and is always above 10000 bytes.
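As an added defender-side example (not part of Junkshell), the scan below measures the longest contiguous run of the do-nothing instructions named above in a byte buffer and flags buffers whose sled reaches the 10000-byte size the tool always exceeds. The x86 encodings listed, the 10000-byte threshold as a default, and the constructed int3 tail used as a stand-in payload are this example's own assumptions.

```python
import random

# Assumed x86 encodings for the "valid but do-nothing" padding instructions described
# above, plus the classic single-byte NOP for comparison:
#   83 F0 00        xor eax, 0   (imm8)      35 00 00 00 00  xor eax, 0 (imm32)
#   83 E8 00        sub eax, 0   (imm8)      2D 00 00 00 00  sub eax, 0 (imm32)
#   90              nop
SEMANTIC_NOPS = [
    b"\x83\xf0\x00", b"\x35\x00\x00\x00\x00",
    b"\x83\xe8\x00", b"\x2d\x00\x00\x00\x00",
    b"\x90",
]

def longest_nop_run(buf: bytes) -> tuple[int, int]:
    """Return (offset, length) of the longest run of back-to-back semantic NOPs in buf."""
    best = (0, 0)
    i = 0
    while i < len(buf):
        start = i
        while True:                       # greedily consume consecutive NOP encodings
            for enc in SEMANTIC_NOPS:
                if buf.startswith(enc, i):
                    i += len(enc)
                    break
            else:
                break                     # no encoding matched at i: run ends here
        run = i - start
        if run > best[1]:
            best = (start, run)
        if run == 0:
            i += 1                        # step over a non-NOP byte
    return best

def is_suspicious(buf: bytes, min_run: int = 10000) -> bool:
    """Flag a buffer whose NOP sled is at least min_run bytes (the page's stated minimum)."""
    return longest_nop_run(buf)[1] >= min_run

def build_sample(n_instructions: int, seed: int = 1) -> bytes:
    """Constructed test fixture: random semantic NOPs followed by 16 int3 bytes (not shellcode)."""
    rng = random.Random(seed)
    junk = b"".join(rng.choice(SEMANTIC_NOPS[:4]) for _ in range(n_instructions))
    return junk + b"\xcc" * 16

if __name__ == "__main__":
    sample = build_sample(4000)           # 4000 x 3-5 bytes => well above 10000 bytes
    off, run = longest_nop_run(sample)
    print(f"sled at offset {off}, {run} bytes; payload starts at {off + run}")
    print("suspicious:", is_suspicious(sample))
```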
python3 junkshell.py -s shellcode.bin -o revshell.ps1
It will generate a powershell script that you can run directly on the target machine.
This is an example of a meterpreter reverse shell bypassing Sophos.
[!] Powershell script generated [!]
You should run the powershell script below:
>> powershell.exe -exec Bypass -File data.ps1 <<