MCPcopy Create free account
hub / github.com/NtDallas/Svartalfheim

github.com/NtDallas/Svartalfheim @main

Chat with this repo
repository ↗ · DeepWiki ↗ · + Follow
326 symbols 341 edges 11 files 0 documented · 0% updated 19mo ago★ 1701 open issues

Browse by type

Functions 28 Types & classes 298
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

Svartalfheim

Stage 0 Shellcode to Download a Remote Payload and Execute it in Memory

The Nt API calls NtAllocateVirtualMemory and NtProtectVirtualMemory are made using indirect syscalls.

LoadLibraryA and WinHTTP calls are performed with return address spoofing.

When the shellcode is executed in a spoofed thread, the stage 0 self-deletes from memory.

Usage

Option Description Required Default Value
-e Http endpoint Yes
-u Http uri Yes
-p Http port Yes
-a User agent No Mozilla/5.0 (Windows NT 10.0; Win64; x64)
-s Use TLS No Empty
-v View shellcode at C format No Empty

Example : - python3 builder.py -u 10.10.100.121 -u /path/to/shellcode.bin -p 80 - python3 builder.py -u 10.10.100.121 -u /path/to/shellcode.bin -p 443 -s - python3 builder.py -u 10.10.100.121 -u /path/to/shellcode.bin -p 8080 -v

Credit

  • https://github.com/kyleavery/AceLdr
  • https://github.com/realoriginal/titanldr-ng
  • https://www.unknowncheats.me/forum/anti-cheat-bypass/268039-x64-return-address-spoofing-source-explanation.html
  • https://github.com/trickster0/TartarusGate

Core symbols most depended-on inside this repo

Shape

Class 248
Enum 50
Function 28

Languages

C++96%
C3%
Python1%

Modules by API surface

include/ntdll.h310 symbols
src/Api.c8 symbols
src/RetAddr.c2 symbols
include/Instance.h2 symbols
builder.py2 symbols
src/PreMain.c1 symbols
include/Structs.h1 symbols

For agents

$ claude mcp add Svartalfheim \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact

Ask about this repo answers extend the page