ShadeShell

A Windows shellcode encryption, obfuscation, and encoding tool for red team operators.
ShadeShell is a command-line tool designed to help red team operators encrypt, obfuscate, and encode shellcode payloads before embedding them into loaders. It supports multiple encryption algorithms, obfuscation formats, and a custom bit-streaming encoding scheme.
It also generates ready-to-use decryption/deobfuscation code snippets that can be directly copy-pasted into loader source code.
Inspired by HellShell by NUL0x4C — a fantastic shellcode obfuscation tool from the malware development community. ShadeShell extends similar concepts with additional encryption layers, a modular CLI, and template-based loader code generation.

| Category | Supported |
|---|---|
| Encryption | XOR, AES-256-CBC, ChaCha20, Salsa20 |
| Obfuscation | UUID, IPv6 |
| Encoding | BaseN (custom 5-bit stream encoder) |
| Templates | XOR, AES, ChaCha20, Salsa20, UUID, IPv6, BaseN |
| Analysis | Shannon entropy analysis with visual progress bar |
| Export | Read (console output) / Write (binary file) |

```
ShadeShell/
│
├── src/
│   ├── ShadeShell.c      # Entry point & main pipeline
│   ├── CLI.c             # Argument parsing & usage
│   ├── Common.c          # Shared utilities (file I/O, entropy, hex dump)
│   ├── Encryptions.c     # XOR, AES, ChaCha20, Salsa20
│   ├── Obfuscations.c    # UUID, IPv6 array generation
│   ├── Encoding.c        # BaseN bit-streaming encoder/decoder
│   └── Templates.c       # Loader code snippet generators
│
├── include/
│   └── Common.h          # Shared definitions, structs, prototypes
│
└── lib/
    ├── aes.c / aes.h             # tiny-aes-c (AES-256-CBC)
    ├── ChaCha.c / ChaCha.h       # ChaCha20 stream cipher
    └── Salsa20.c / Salsa20.h     # Salsa20 stream cipher
```

- Windows 10/11
- Visual Studio 2019 or later (MSVC toolchain)
- Windows SDK

- Clone the repository:

  ```
  git clone https://github.com/yourusername/ShadeShell.git
  cd ShadeShell
  ```
- Open `ShadeShell.sln` in Visual Studio.
- Set configuration to Release and platform to x64.
- Build → Build Solution (`Ctrl+Shift+B`)
- Output binary will be at:

  ```
  x64\Release\ShadeShell.exe
  ```

```
ShadeShell.exe --file <input> --filemode <read|write> [Operation] [Options]

Modes:
  --filemode read       : Process and display output to console.
  --filemode write      : Process and save output to file (requires --output).

Encrypt Operations:
  --encrypt <algo>      : XOR, AES, ChaCha20, Salsa20
  --obfuscate <algo>    : UUID, IPv6
  --encode <algo>       : BaseN

Decrypt Operations:
  --decrypt <algo>      : XOR, AES, ChaCha20, Salsa20
  --deobfuscate <algo>  : UUID, IPv6
  --decode <algo>       : BaseN

Options:
  --output <file>       : Output file path (required for write mode).
```

Encrypt with XOR and obfuscate as UUID:

```
ShadeShell.exe --file payload.bin --filemode read --encrypt xor --obfuscate uuid
```

Encrypt with AES-256-CBC and export to file:

```
ShadeShell.exe --file payload.bin --filemode write --encrypt aes --output encrypted.bin
```

Encrypt with ChaCha20 and encode with BaseN:

```
ShadeShell.exe --file payload.bin --filemode read --encrypt chacha20 --encode baseN
```

Encrypt with Salsa20 and obfuscate as IPv6:

```
ShadeShell.exe --file payload.bin --filemode read --encrypt salsa20 --obfuscate ipv6
```

Generate AES decryption template for loader:

```
ShadeShell.exe --file payload.bin --filemode read --decrypt aes
```

Generate UUID deobfuscation template for loader:

```
ShadeShell.exe --file payload.bin --filemode read --deobfuscate uuid
```

```
[*] Mapping Payload From Disk : payload.bin
[+] Payload Size : 276 bytes
[*] Encrypting with : aes

unsigned char CipherText[] = {
    0x4A, 0x3F, 0x91, 0xBC, ...
};
unsigned char AesKey[] = {
    0xDE, 0xAD, 0xBE, 0xEF, ...
};
unsigned char AesIv[] = {
    0x1A, 0x2B, 0x3C, 0x4D, ...
};

+-----------------------------------------------+
| ENTROPY ANALYSIS |
+-----------------------------------------------+
| Rate : 7.9821 [####################] |
| Level : HIGH |
| Status : Payload is likely encrypted or compressed (Suspicious) |
+-----------------------------------------------+
```

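
The entropy analysis above, seen from the detection side, as an added example (not ShadeShell's code): it computes Shannon entropy in bits per byte and also flags buffers that are near-uniform over a small alphabet, which is how random-looking data appears after a 5-bit text encoding. The thresholds, function names and sample buffers are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
static double log2_series(double x) {             /* x > 0; avoids linking libm */
    int e = 0;
    while (x < 1.0) { x *= 2.0; e--; }
    while (x >= 2.0) { x /= 2.0; e++; }
    double z = (x - 1.0) / (x + 1.0), term = z, sum = 0.0;  /* ln(x) = 2*atanh(z) */
    for (int k = 1; k < 40; k += 2) { sum += term / k; term *= z * z; }
    return e + 2.0 * sum / 0.6931471805599453;    /* exponent + ln(mantissa)/ln(2) */
}

/* Shannon entropy in bits per byte (0..8); *distinct = number of byte values seen. */
static double shannon_entropy(const unsigned char *buf, size_t len, int *distinct) {
    size_t counts[256] = {0};
    double h = 0.0; *distinct = 0;
    for (size_t i = 0; i < len; i++) counts[buf[i]]++;
    for (int v = 0; v < 256; v++) {
        if (counts[v] == 0) continue;
        double p = (double)counts[v] / (double)len;
        h -= p * log2_series(p);
        (*distinct)++;
    }
    return h;
}

enum verdict { BENIGN, HIGH_ENTROPY, UNIFORM_SMALL_ALPHABET };
/* Thresholds are assumptions chosen for this example, not ShadeShell's values.
 * HIGH_ENTROPY: raw ciphertext or compressed data.
 * UNIFORM_SMALL_ALPHABET: at most 64 symbols, each used almost equally often. */
static enum verdict triage(const unsigned char *buf, size_t len) {
    if (len < 256) return BENIGN;                 /* too short to judge */
    int k; double h = shannon_entropy(buf, len, &k);
    if (h >= 7.0) return HIGH_ENTROPY;
    if (k >= 2 && k <= 64 && h / log2_series(k) >= 0.97) return UNIFORM_SMALL_ALPHABET;
    return BENIGN;
}

/* Constructed sample data: xorshift32 output masked to `mask`, offset by `base`. */
static void fill_sample(unsigned char *out, size_t n, unsigned mask, unsigned base) {
    unsigned x = 2463534242u;
    for (size_t i = 0; i < n; i++) {
        x ^= x << 13; x ^= x >> 17; x ^= x << 5;
        out[i] = (unsigned char)(((x >> 16) & mask) + base);
    }
}

int main(void) {
    static unsigned char raw[4096], enc[4096];
    fill_sample(raw, sizeof raw, 0xFF, 0); fill_sample(enc, sizeof enc, 0x1F, 'A');
    printf("raw=%d encoded=%d\n", triage(raw, sizeof raw), triage(enc, sizeof enc));
    return 0;
}
```
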
| Library | Author | License | Usage |
|---|---|---|---|
| tiny-aes-c | kokke | The Unlicense | AES-256-CBC encryption |
| LibTomCrypt (ChaCha20) | libtom | WTFPL | ChaCha20 stream cipher |
| Salsa20 | D.J. Bernstein | Public Domain | Salsa20 stream cipher |
- HellShell by NUL0x4C — The original inspiration for ShadeShell's obfuscation approach (UUID, IPv4, IPv6 shellcode formatting).
- MalDev Academy — Concepts around shellcode encryption, entropy analysis, and loader development referenced throughout the codebase.

This tool is intended strictly for educational purposes and authorized red team engagements. The author takes no responsibility for any misuse or illegal activity conducted with this software. Always obtain proper authorization before conducting security testing.

See LICENSE for details. Unauthorized commercial use and redistribution are prohibited.