ShellGhost

// Single-Instruction Memory Evasion Masterclass

8 Modules · C Language · x64 Architecture · 3 Difficulty Tiers

Master the art of making shellcode invisible to memory scanners. Learn how ShellGhost by lem0nSec combines Vectored Exception Handling with software breakpoints (INT3) to execute shellcode one instruction at a time — ensuring that the full payload is never decrypted in memory simultaneously. A deep dive into VEH, shellcode mapping preprocessing, SystemFunction032 (RC4) per-instruction encryption, and RW/RX memory toggling.

01 Beginner

Memory Scanner Evasion Goals

Why full decryption is risky, the concept of minimal decryption surface, threat models for in-memory shellcode, and the problem ShellGhost solves.

02 Beginner

Software Breakpoints & INT3

The 0xCC opcode, how debuggers use INT3, EXCEPTION_BREAKPOINT (0x80000003), exception dispatch flow from CPU to user-mode handler.

03 Beginner

Vectored Exception Handling Deep Dive

AddVectoredExceptionHandler, handler registration and priority, EXCEPTION_POINTERS, CONTEXT structure manipulation, and VEH vs SEH.

04 Intermediate

The ShellGhost Concept

Every instruction in the payload is replaced with 0xCC; on each breakpoint the handler re-encrypts the previous instruction, decrypts the current one, lets it execute, and advances to the next. This is the one-exception-per-instruction model.

05 Intermediate

SystemFunction032 & Shellcode Mapping

How ShellGhost_mapping.py pre-processes shellcode into per-instruction CRYPT_BYTES_QUOTA structs, and how SystemFunction032 handles RC4 encryption/decryption.

06 Intermediate

The VEH Handler Implementation

Reading ContextRecord->Rip, re-encrypting the previous instruction, decrypting the current instruction via SystemFunction032, RW/RX toggling with VirtualProtect, and CONTEXT manipulation.

07 Advanced

Background: x86 Trap Flag & Single-Stepping

EFLAGS TF bit (bit 8), EXCEPTION_SINGLE_STEP (0x80000004), how debuggers use single-step — general x86 knowledge for context (not used by ShellGhost).

08 Advanced

Full Chain, Performance & Detection

Complete execution flow walkthrough, performance impact analysis, detection vectors, VEH registration monitoring, and comparison with other memory evasion techniques.

References & Resources