Analysis updated 2026-05-18
Generate an AES-256-encrypted shellcode loader for an authorized red team engagement by providing a .bin payload and a JSON profile
Test which injection technique bypasses endpoint detection on a Windows target in an authorized lab environment
Build a DLL sideloading payload using the hollow template system for an authorized Windows pentest
Dump the substituted C source before compilation to inspect or modify the loader code before building the final binary
| | chaelsoo/hollow | mitchellh/tree-sitter-proto | nirvanaon/spotifyc2 |
|---|---|---|---|
| Stars | 80 | 75 | 98 |
| Language | C | C | C |
| Last pushed | — | 2024-06-21 | — |
| Maintenance | — | Dormant | — |
| Setup difficulty | moderate | moderate | moderate |
| Complexity | 3/5 | 2/5 | 3/5 |
| Audience | developer | developer | developer |
Figures from each repo's GitHub metadata at analysis time.
Requires Go and the MinGW cross-compiler (mingw-w64-gcc) for generating Windows PE binaries from Linux.
Hollow is a command-line tool written in Go that generates Windows executable files with shellcode embedded inside. You provide a raw shellcode binary and a JSON profile specifying how you want it packaged, and Hollow outputs a compiled EXE or DLL ready to run on a target Windows machine. The shellcode is encrypted with AES-256 using a randomly generated key and initialization vector on every run, so each generated binary is unique. The tool works through a three-step pipeline: encrypt the shellcode, substitute it into a C source template, and compile the result into a Windows binary using the MinGW cross-compiler.

Six injection technique templates are included: two variants of remote thread injection into a newly spawned process (one using standard Windows API calls, one using direct kernel syscalls), two variants of classic remote thread injection into an already-running process, an early-bird APC injection that fires the shellcode before a process entry point runs, and a DLL sideloading template that produces a DLL instead of an EXE. The direct-syscall variants bypass Windows API hooking by resolving kernel function numbers at runtime directly from ntdll and calling into the kernel without going through Win32. The README includes benchmark results on Windows 10 with Defender enabled, showing that the APC injection, DLL sideloading, and direct-syscall templates avoided behavioral detection in those tests.

Profiles are JSON files that configure the template, target process path, compiler settings, and output format. Setting the compile flag to false dumps the substituted C source to disk instead of compiling, letting you modify it before building. Custom templates can be added by dropping C source files into the templates directory. Building the tool requires Go and the MinGW cross-compiler for generating Windows binaries from Linux. The project is framed explicitly for authorized red team use.
A Go tool that generates AES-256-encrypted Windows shellcode loaders across six injection techniques using C templates and MinGW, built for authorized red team engagements.
Mainly C. The stack also includes Go and MinGW.
Setup difficulty is rated moderate, with roughly 30 minutes to a first successful run.
Mainly developers.
Verify against the repo before relying on details.