chaelsoo/hollow

Analysis updated 2026-05-18

Stars · 80 · Language · C · Audience · developer · Complexity · 3/5 · Setup · moderate

TLDR

A Go tool that generates AES-256-encrypted Windows shellcode loaders across six injection techniques using C templates and MinGW, built for authorized red team engagements.

Mindmap

mindmap
  root((Hollow))
    How It Works
      Encrypt shellcode
      Substitute template
      Compile to PE
    Injection Templates
      Remote thread injection
      Direct syscall variants
      Early Bird APC
      DLL sideloading
    Encryption
      AES-256-CBC
      Random key and IV
      BCrypt at runtime
    Configuration
      JSON profiles
      Target process
      Output type exe or dll
    Tech Stack
      Go
      C
      MinGW

What do people build with it?

USE CASE 1

Generate an AES-256-encrypted shellcode loader for an authorized red team engagement by providing a .bin payload and a JSON profile

USE CASE 2

Test which injection technique bypasses endpoint detection on a Windows target in an authorized lab environment

USE CASE 3

Build a DLL sideloading payload using the hollow template system for an authorized Windows pentest

USE CASE 4

Dump the substituted C source before compilation to inspect or modify the loader code before building the final binary

What is it built with?

Go, C, MinGW, Windows API, AES-256-CBC

How does it compare?

                   chaelsoo/hollow   mitchellh/tree-sitter-proto   nirvanaon/spotifyc2
Stars              80                75                            98
Language           C                 C                             C
Last pushed        2024-06-21
Maintenance        Dormant
Setup difficulty   moderate          moderate                      moderate
Complexity         3/5               2/5                           3/5
Audience           developer         developer                     developer

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · moderate · Time to first run · 30 min

Requires Go and the MinGW cross-compiler (mingw-w64-gcc) for generating Windows PE binaries from Linux.

In plain English

Hollow is a command-line tool written in Go that generates Windows executable files with shellcode embedded inside. You provide a raw shellcode binary and a JSON profile specifying how you want it packaged, and Hollow outputs a compiled EXE or DLL ready to run on a target Windows machine. The shellcode is encrypted with AES-256 using a randomly generated key and initialization vector on every run, so each generated binary is unique.

The tool works through a three-step pipeline: encrypt the shellcode, substitute it into a C source template, and compile the result into a Windows binary using the MinGW cross-compiler.

Six injection technique templates are included: two variants of remote thread injection into a newly spawned process (one using standard Windows API calls, one using direct kernel syscalls), two variants of classic remote thread injection into an already-running process, an early-bird APC injection that fires the shellcode before a process entry point runs, and a DLL sideloading template that produces a DLL instead of an EXE. The direct-syscall variants bypass Windows API hooking by resolving kernel function numbers at runtime directly from ntdll and calling into the kernel without going through Win32. The README includes benchmark results on Windows 10 with Defender enabled, showing that the APC injection, DLL sideloading, and direct-syscall templates avoided behavioral detection in those tests.

Profiles are JSON files that configure the template, target process path, compiler settings, and output format. Setting the compile flag to false dumps the substituted C source to disk instead of compiling, letting you modify it before building. Custom templates can be added by dropping C source files into the templates directory.

Building the tool requires Go and the MinGW cross-compiler for generating Windows binaries from Linux. The project is framed explicitly for authorized red team use.

Copy-paste prompts

Prompt 1
Using hollow with the earlybird_apc template, generate a shellcode loader for payload.bin targeting C:\Windows\System32\cmd.exe. Show me the profile JSON I need.
Prompt 2
Explain the difference between hollow's new_process_injection and new_process_injection_sc templates. When should I use the direct-syscall variant?
Prompt 3
How do I write a custom injection template for hollow? What placeholder tokens do I need to include in the C source file?
Prompt 4
Walk me through building hollow from source on Debian. What MinGW packages do I need and how do I cross-compile for a Windows PE target?
Prompt 5
I want to use hollow's dll_sideload template. What conditions does the target Windows machine need for DLL sideloading to work?

Frequently asked questions

What is hollow?

A Go tool that generates AES-256-encrypted Windows shellcode loaders across six injection techniques using C templates and MinGW, built for authorized red team engagements.

What language is hollow written in?

Mainly C. The stack also includes Go and MinGW.

How hard is hollow to set up?

Setup difficulty is rated moderate, with roughly 30 minutes to a first successful run.

Who is hollow for?

Mainly developers.
