Sometimes, you need a fast way to encode your shellcode and execute it easily without being blocked by AV/EDR. Junkshell is a tool designed to encode your shellcode and execute it directly in memory by generating a Powershell script. The best part is the powershell script is different on each generation, so it's hard to detect.
Junkshell utilizes an old technique based on junk codes. Essentially, it involves reserving a large chunk of memory and filling it with junk code. The shellcode is then placed at the end of this junk code and executed. This approach allows for bypassing AV/EDR detection, as the trick lies in using valid instructions instead of traditional NOPs to fill the memory. While NOPs are typically ignored by AV/EDR, using instructions like xor eax, 0 or sub eax, 0, which do nothing but are still valid instructions, helps achieve successful execution of the shellcode. Check my blog post for more details.
Finally the AV/EDR stops the analysis because the payload is too long to be analyzed. The ammount of junk code is generate randomly always above 10000 bytes.
python3 junkshell.py -s shellcode.bin -o revshell.ps1It will generate a powershell script that you can run directly on the target machine.
This is an example bypassing a meterpreter reverse shell in Sophos.
[!] Powershell script generated [!]
You should run the powershell script below:
>> powershell.exe -exec Bypass -File data.ps1 <<