c2sc is a specialized framework designed for security researchers and red teamers to compile C code directly into position-independent shellcode (PIC) for Windows x86 and x64 architectures. Unlike traditional methods that rely on writing complex Assembly or using heavy Reflective DLL Injection techniques, c2sc allows you to leverage the full power of C while producing extremely compact, stealthy, and analysis-resistant payloads.
In modern offensive security, executing code stealthily is paramount. Traditional shellcode development in Assembly is time-consuming and error-prone. While Reflective DLL Injection allows using high-level languages, it introduces significant overhead and forensic artifacts (PE headers, sections) that are easily flagged by EDR/AV solutions.
c2sc bridges this gap by leveraging advanced compiler and linker configurations to fundamentally reorganize the PE structure. Instead of a standard executable, it generates a highly optimized binary where the Import Address Table (IAT) and Relocation Table are compressed and minimized. This approach strips away the bulk of the PE header and structural overhead, resulting in a raw, position-independent shellcode blob that is significantly smaller and stealthier than traditional payloads.
- Cross-Architecture Support: Seamlessly compiles for both x86 and x64 Windows environments.
- Pure C Development: Write your payload logic in standard C (
main.c), avoiding the complexity of Assembly. - Position Independent: Generated shellcode is fully position-independent and can be injected into any process memory.
- No CRT Dependencies: Uses custom compiler flags and linking options to eliminate dependencies on the C Runtime (CRT), resulting in minimal payload size.
- Dynamic API Resolution: Implements custom hashing (ROR13) to resolve Windows APIs dynamically, hiding import tables from static analysis.
- Automated Extraction: Includes a dedicated tool (
tools/c2sc.c) to parse the compiled PE and extract the executable shellcode into.binand C header (.h) formats.
The framework consists of the following key components:
This is where you write your payload. It exposes a Main function that is called by the startup routine.
#include <stdio.h>
#include <windows.h>
WCHAR HelloWorldText[] = L"Hello, World! 123";
WCHAR ProcessPath[MAX_PATH] = {0};
// The entry point for your payload logic
EXTERN_C VOID Main(PVOID parameter) {
// Example: Resolve API and execute logic
GetModuleFileName(NULL, ProcessPath, MAX_PATH);
printf("Process path: %ls\n", ProcessPath);
MessageBox(NULL, HelloWorldText, L"Hello, World!", MB_OK);
}This file handles the low-level initialization. It walks the PEB (Process Environment Block) to find kernel32.dll, resolves necessary APIs (like LoadLibrary, GetProcAddress) using hash comparisons, and prepares the environment before calling Main.
// (Snippet from src/startup.c)
// Walks the PEB to find loaded modules
typedef struct _PEB_LDR_DATA { ... } PEB_LDR_DATA, *PPEB_LDR_DATA;
// Custom hash function for API resolution
#define HASH_KEY 17
#define HASH_ROUND(h, c) (_rotr((h), HASH_KEY) + (c))
...The build script configures the MSVC compiler with specific flags to disable security checks (/GS-), optimize for size (/O1), and remove default libraries, ensuring the output is suitable for shellcode conversion.
set CC_FLAGS=/nologo /O1 /Os /Oi /GS- /Zc:inline /permissive- /W3 ...
cl src\startup.c src\main.c %CC_FLAGS% /Fe"bin\myshellcode.x86.exe" ...A custom utility that reads the compiled PE file, extracts the .text section (code), and handles final formatting to produce the raw shellcode files.
- Microsoft Visual Studio (MSVC compiler
cl.exemust be in your PATH or run from a Developer Command Prompt).
- Modify Payload: Edit
src/main.cto include your desired functionality. - Compile: Run the build script from the project root.
build.bat
- Retrieve Shellcode: The output files will be generated in the
bin/directory.bin/myshellcode_x64.bin: Raw shellcode binary.bin/myshellcode_x64.h: C header file containing the shellcode as a byte array.
c2sc offers significant advantages over traditional Reflective DLL Injection (RDI) techniques, particularly in evasion and size.
| Feature | Reflective DLL Injection (RDI) | c2sc (Shellcode) |
|---|---|---|
| Payload Structure | Full PE File (DLL) | Raw Binary Code |
| Size | Large (Headers, Sections, Padding) | Tiny (Only code & data) |
| Headers | Contains DOS/NT Headers (MZ, PE) |
No Headers |
| Memory Footprint | Easy to fingerprint (RWX sections, PE headers in heap) | Minimal, looks like random data until execution |
| Analysis | Parsers can easily read imports/exports | Opaque, requires disassembly/emulation |
| Development | Standard C/C++ DLL | C with constraints (PIC, no CRT) |
- Volume: RDI payloads often range from 10KB to 100KB+ due to the PE structure and CRT. c2sc payloads can be as small as a few hundred bytes.
- Anti-Forensics: Security tools often scan memory for the
MZmagic bytes or characteristic PE header patterns. Since c2sc generates raw shellcode, these artifacts simply do not exist. - Flexibility: The resulting shellcode can be easily embedded into other exploits, macros, or loaders (e.g., Donut, Cobalt Strike) without the complexity of a reflective loader stub.
Disclaimer: This tool is intended for educational purposes and authorized security testing only. Misuse of this software for malicious purposes is strictly prohibited.