Shellcode Weaponization

ShellcodePack

Shellcode and third party tools Weaponization

ShellcodePack turns shellcode and PE files (including Go, Rust, and .NET) into deployment-ready payloads with layered advanced evasion (including assembly-level evasion). No custom bypass code required. Multiple output formats, configurable stacking, consistent results across operations, and compatibility with all commercial and open-source C2s. It also provides social engineering options.

€875 / year per user · Volume discounts available

What ShellcodePack Does

ShellcodePack sits between binary code and execution-ready payloads. Where MacroPack Pro handles mostly the delivery format and initial access vector, ShellcodePack handles what is inside: making the shellcode itself survive memory scanning, behavioral analysis, and assembly-level detection.

The core problem it addresses is consistency. Manual shellcode obfuscation is done differently by different operators. Varying quality, varying evasion effectiveness, varying time investment. ShellcodePack standardizes that process. Anything you feed in is turned into a weaponized output with documented, tested evasion layers applied uniformly.

ShellcodePack generates payloads in multiple formats and is compatible with common offensive frameworks and tools such as Merlin and Sliver, among others. Users feed ShellcodePack a third-party shellcode or use one of the ready-to-use templates. ShellcodePack also implements features to help vulnerability research and exploitation, such as DLL proxy, service generation, etc. ShellcodePack is regularly tested to evade antivirus and advanced EDR products. ShellcodePack is delivered with ready-to-use bypass profiles which you can select to bypass a targeted EDR.

Features Overview

ShellcodePack features by category
| Category | Features |
|---|---|
| Input | .bin, .exe (including Go and Rust), .dll, .NET assemblies, .asm, .c, .py, .txt |
| Output | .bin, .exe (native or .NET), .scr, .dll (native or .NET), .cpl, .xll, .c, .py, .asm, .txt, trojan existing binaries |
| Architecture | x86, x64, x96 (dual-architecture 32+64-bit) |
| EDR Evasion | Evade static and runtime detections. Tested in real operations against multiple EDRs and Antivirus. |
| Social Engineering | Add decoy, spoof extension, spoof icon, spoof certificate, etc.; Mark of the Web evasion help |
| Payload Customization | Multiple methods to launch or stage shellcodes, guardrails (such as domain name, validity dates, etc.), possibility to add custom code, different ways to run a payload |
| Delivery | Payload packing, DLL proxying/sideloading, Windows Service, TCP/HTTPS stagers, AppDomain Injection |
| Platforms | GUI and CLI, tested on Windows 10 and 11 |

Key Capabilities

Advanced Delivery

DLL proxying / sideloading
Generate DLL proxy stubs that forward exports while executing shellcode alongside
AppDomain Injection
Generate .NET payload to target a given assembly
Binary Trojaning
Inject weaponized shellcode into existing EXE or DLL
Windows Service generation
Wrap shellcode in a Windows Service executable for persistence scenarios
Built-in TCP and HTTPS stagers
Embedded stager servers for staged shellcode delivery without external tooling
Certificate handling
Sign output with real or spoofed code-signing certificates to appear legitimate
File Spoofing
Spoof icons, manifest, access dates, and extensions
Multiple Guardrails
Payload can be launched only if domain, username, file, date, etc. match given values
x96 dual-architecture
Single output binary code that executes correctly as both 32-bit and 64-bit

EDR Evasion Methods

Assembly-level obfuscation
Encryption, polymorphic mutation, and various obfuscation tricks
Machine Learning Detection Evasion
Methods to reduce entropy and transform the payload to appear legitimate
Multiple AV emulation bypass techniques
Multiple options to break AV emulation dynamic analysis
Indirect syscalls
Syscall invocation via legitimate ntdll.dll trampolines
Callstack spoofing
Falsify the call stack to evade stack-based behavioral detection and reduce runtime detection
ETW patching
Event Tracing for Windows disabled before execution
DLL unhooking
Restore clean ntdll in-memory to remove userland EDR hooks
AMSI bypass
In-memory AMSI provider neutralization methods
.NET runtime control
Control .NET runtime initialization for assembly-based payloads

Output Formats

Export weaponized shellcode in any format to match your loader or delivery method.

.bin

Raw binary for any external loader

.exe

Standalone PE with embedded loader (C++ or .NET Loader)

.scr / .pif

Screen-saver and program info PE variants

.dll

Reflective DLL for process injection (C++ or .NET Loader)

.cpl

Control Panel applet for lure scenarios

.xll

Excel Add-In for Office delivery

.c

C source with shellcode array and loader stub

.py

Python script with ctypes-based execution

.asm

Assembly source for custom integration

Bypass Profiles and Presets

Pre-built, production-tested profiles for major EDRs and Antivirus. Select a profile for your target environment and ShellcodePack applies the appropriate bypass chain automatically.

Per-target profiles

Each profile is tuned to the specific detection logic of the target EDR, not a generic bypass.

Profile combinations

Profiles combine format, execution method, and evasion technique for common engagement scenarios.

Profile updates

Profiles are updated as EDR vendors release new detection improvements. Licenses include regular profile updates.

Manual Approach vs ShellcodePack

Comparison of manual shellcode weaponization versus ShellcodePack
| Task | Manual Approach | ShellcodePack |
|---|---|---|
| Basic launcher XOR encoding | 30-60 min (custom script) | Under 1 min |
| Runtime Evasion Implementation (e.g. Indirect Syscalls) | Several hours (per implementation) | Configurable, instant |
| EDR-specific tuning | Full research cycle per EDR | Select from tested profile |
| Consistency across team | Varies by operator skill | Identical output |
| Multi-layer stacking | Error-prone manual steps | Single command |
| Output format conversion | Separate tooling required | Built-in multi-format |

TIBER-EU

ShellcodePack for TIBER-EU Weaponization

TIBER requires that simulated attack techniques accurately reflect the threat actor's known TTPs. ShellcodePack's configurable obfuscation stack allows red teams to match threat-actor-specific shellcode characteristics documented in the Threat Intelligence Report, producing technically accurate weaponization rather than generic bypasses.

Learn how BallisKit supports TIBER-EU

Pricing

€875
per user / per year
  • All evasion and customization methods
  • All 11+ output formats
  • All EDR bypass profiles and presets
  • Regular updates including EDR evasion
  • Customization, history, and custom presets
  • Discord and Email support

Bundle pricing available with MacroPack Pro and DarwinOps.

Volume licensing for 3+ users. Contact contact@balliskit.com.

Professional email required. Anonymized or consumer domains not accepted.