Analysis updated 2026-05-18
Learn how to write position-independent Windows shellcode using C instead of raw assembly.
Study how Windows API functions can be located at runtime without a standard import table.
Follow along with a course on malware development for ethical hacking to understand offensive techniques defensively.
Read a small, well-commented codebase (about 500 lines) as a reference for shellcode fundamentals.
| cocomelonc/tabby | qhencoder/sysrestoredriver | ar0x4/tunnel-vision-toolkit | |
|---|---|---|---|
| Stars | 29 | 29 | 30 |
| Language | C | C | C |
| Setup difficulty | moderate | hard | hard |
| Complexity | 5/5 | 5/5 | 5/5 |
| Audience | researcher | ops devops | researcher |
Figures from each repo's GitHub metadata at analysis time.
Build toolchain is Linux-based using mingw-w64 and nasm, output is Windows shellcode meant for manual memory-loading during study, not a standalone app.
Tabby is a small educational framework for writing shellcode in C, aimed at students of a course called Malware Development for Ethical Hackers. Shellcode is a type of very low-level executable code, typically a compact blob of raw machine instructions, that security researchers and penetration testers use to study how software vulnerabilities can be exploited on Windows systems. Tabby is explicitly described as a teaching tool, not an offensive product. The framework solves a practical problem for people learning this subject: writing shellcode normally requires working in raw assembly language, which is tedious and hard to read. Tabby lets a developer write the main logic in C instead, and handles the complicated parts automatically. Those complicated parts include making sure the code can run from any memory location (called position-independent code), finding Windows system functions at runtime without relying on the standard import table that normal programs use, and issuing low-level system calls in a way that avoids leaving obvious fingerprints that endpoint security software looks for. The build toolchain runs entirely on Linux using two freely available tools: mingw-w64 (a cross-compiler for Windows targets) and nasm (an assembler). The output is a raw binary file with no Windows executable header, ready to be loaded into memory manually for testing purposes. The README walks through each technical component and explains why it was designed the way it was. It describes how the code finds its own location in memory at startup, how Windows API functions are located by walking internal process data structures and comparing name hashes rather than strings, and how system calls are issued by jumping into existing code inside ntdll rather than running the syscall instruction directly. The goal is for each technique to be readable and understandable, contrasting with larger tools where these mechanisms are hidden. The project is around 500 lines of C and 80 lines of assembly.
Tabby is a small educational C framework that lets students write Windows shellcode in C instead of raw assembly, for a course on ethical malware development.
Mainly C. The stack also includes C, Assembly, mingw-w64.
The README does not state a specific license.
Setup difficulty is rated moderate, with roughly 1h+ to a first successful run.
Mainly researcher.
This repo across BitVibe Labs
Verify against the repo before relying on details.