
pe_to_shellcode's Introduction

pe_to_shellcode


Converts a PE so that it can then be injected just like a normal shellcode.
(At the same time, the output file remains a valid PE.)
Supports both 32- and 64-bit PEs.

Authors: @hasherezade & @hh86

Objective

The goal of this project is to make it possible to generate PE files that can be injected with minimal effort. It is inspired by Stephen Fewer's ReflectiveDLLInjection, but the difference is that with pe2shc you can add the reflective loading stub post-compilation. Also, the header of the PE file is modified in such a way that you can start executing the injected buffer from the very beginning, just like you would do with a shellcode. It will automatically find the stub and continue loading the full PE.

Scope of the project

🟢 The stub supports only basic structures of the PE format, such as:

  • relocations
  • imports
  • TLS callbacks (called once, before the Entry Point is executed)

Please keep in mind that although this is sufficient for the majority of PE files, some executables you encounter may use other, more complex aspects of the PE format. This means that not every PE can be successfully converted to a shellcode.

🚫 Examples of currently unsupported elements:

  • exceptions (if the executable you converted is run as a shellcode and throws an exception, the appropriate exception handler will not be found, and the application will crash)
  • Delay Load Imports (only the basic Import Table support is implemented)
  • MUI files (if the executable you converted expects some elements of the GUI to be loaded from a MUI file, it won't work)

Builds

📦 ⚙️ Download the latest release.

Clone

Use recursive clone to get the repo together with all the submodules:

git clone --recursive https://github.com/hasherezade/pe_to_shellcode.git

How to use it

  1. Use pe2shc.exe to convert a PE of your choice:

pe2shc.exe <path to your PE> [output path*]
* - optional

If the PE was successfully converted, pe2shc will let you know where the output was saved:

[+] Saved to file: <converted file>

e.g.

[+] Saved to file: test_file.shc.exe

  2. Use runshc.exe(*) to run the output file and check if the conversion went fine:

runshc.exe <converted file>

(*) Warning: remember to use the version of runshc with a bitness appropriate to your converted application (32 or 64 bit) - otherwise the application will crash!

  3. If the file runs as the original PE, it confirms that the conversion was successful!
    Now you can use the converted PE just like you would use a shellcode: inject it into a target and execute from the beginning of the buffer. No additional PE loaders are required.
    At the same time, you can keep using the converted file as a regular PE.
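The scope notes above (relocations and imports supported, delay-load imports and exceptions not) and the bitness warning in the usage steps can be turned into a pre-flight check on the input file. The following Python script is an added example and is not part of pe_to_shellcode: it parses a PE's data directories using the standard IMAGE_NT_HEADERS layouts and reports whether the file meets the stated requirements and which runshc bitness matches it. The header-only sample PEs it builds are constructed for the demonstration only, and the runshc32.exe/runshc64.exe names follow the issue reports on this page.

```python
import struct

# IMAGE_DIRECTORY_ENTRY_* indexes consulted by the checks below.
DIR_IMPORT, DIR_EXCEPTION, DIR_BASERELOC, DIR_TLS, DIR_DELAY_IMPORT = 1, 3, 5, 9, 13
IMAGE_FILE_DLL = 0x2000


def parse_pe(pe: bytes) -> dict:
    """Return bitness, DLL flag and data directory of a PE given its raw file bytes."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    characteristics = struct.unpack_from("<H", pe, e_lfanew + 22)[0]
    opt = e_lfanew + 24  # IMAGE_OPTIONAL_HEADER follows the 20-byte file header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:    # PE32: data directory at optional-header offset 96
        bits, dd_off = 32, opt + 96
    elif magic == 0x20B:  # PE32+: data directory at optional-header offset 112
        bits, dd_off = 64, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    count = struct.unpack_from("<I", pe, dd_off - 4)[0]  # NumberOfRvaAndSizes
    dirs = [struct.unpack_from("<II", pe, dd_off + 8 * i) for i in range(min(count, 16))]
    return {"bits": bits, "is_dll": bool(characteristics & IMAGE_FILE_DLL), "dirs": dirs}


def has_dir(info: dict, index: int) -> bool:
    return index < len(info["dirs"]) and info["dirs"][index] != (0, 0)


def check_pe2shc_compat(pe: bytes) -> dict:
    """Map the README's supported/unsupported list onto a PE's data directories."""
    info = parse_pe(pe)
    blocking, warnings = [], []
    if not has_dir(info, DIR_BASERELOC):
        blocking.append("no relocation table (pe2shc: 'The PE must have relocations!')")
    if has_dir(info, DIR_DELAY_IMPORT):
        warnings.append("delay-load imports present: only the basic Import Table is supported")
    if has_dir(info, DIR_EXCEPTION):
        warnings.append("exception directory present: handlers are not found if an exception is thrown")
    return {
        "bits": info["bits"],
        "is_dll": info["is_dll"],
        "runner": f"runshc{info['bits']}.exe",  # runshc bitness must match the PE
        "tls_callbacks": has_dir(info, DIR_TLS),  # supported: run once before the entry point
        "convertible": not blocking,
        "blocking": blocking,
        "warnings": warnings,
    }


def build_test_pe(bits: int, dirs: dict, dll: bool = False) -> bytes:
    """Constructed header-only PE (no sections, not loadable) used purely as sample input."""
    e_lfanew = 0x80
    dos = (b"MZ" + bytes(0x3A) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    magic, dd_off = (0x20B, 112) if bits == 64 else (0x10B, 96)
    machine = 0x8664 if bits == 64 else 0x14C
    opt_size = dd_off + 16 * 8
    characteristics = 0x0002 | (IMAGE_FILE_DLL if dll else 0)  # EXECUTABLE_IMAGE [| DLL]
    file_hdr = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, dd_off - 4, 16)  # NumberOfRvaAndSizes
    for index, (va, size) in dirs.items():
        struct.pack_into("<II", opt, dd_off + 8 * index, va, size)
    return dos + b"PE\0\0" + file_hdr + bytes(opt)


# Constructed samples: an x64 EXE with imports, relocations, TLS and .pdata, and an x86 EXE
# that has no relocation table and therefore cannot be converted.
SAMPLE_X64 = build_test_pe(64, {DIR_IMPORT: (0x3000, 0x28), DIR_EXCEPTION: (0x4000, 0x60),
                                DIR_BASERELOC: (0x5000, 0x40), DIR_TLS: (0x3100, 0x28)})
SAMPLE_X86_NORELOC = build_test_pe(32, {DIR_IMPORT: (0x2000, 0x28)})

if __name__ == "__main__":
    for name, sample in (("x64", SAMPLE_X64), ("x86-noreloc", SAMPLE_X86_NORELOC)):
        print(name, check_pe2shc_compat(sample))
```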

pe_to_shellcode's People

Contributors

86hh, hasherezade, nofiv


pe_to_shellcode's Issues

access violation adding std

Hi hasherezade!

I have found a weird problem adding some std headers.
For example, if you add <string> nothing happens and the DLL is loaded 10/10 times, but if you add <thread>, <mutex> or <condition_variable> the DLL mostly crashes before injection is completed (works 1 of 10 times).

I have tested the DLL compiled on VS 2013 and 2015, both /MT.
Works just fine without <mutex>.

Basic DLL code taken from ShellCodeRDI for testing.

#include <Windows.h>
#include <stdio.h>
#include <string>
#include <mutex>

DWORD threadID;

BOOL APIENTRY DllMain(HMODULE hModule,
                      DWORD  ul_reason_for_call,
                      LPVOID lpReserved)
{
	switch (ul_reason_for_call)
	{
	case DLL_PROCESS_ATTACH:
		MessageBoxA(NULL, "DLLMain :D!", "We've started.", 0);
		break;
	case DLL_THREAD_ATTACH:
	case DLL_THREAD_DETACH:
	case DLL_PROCESS_DETACH:
		break;
	}
	return TRUE;
}

//extern "C" to prevent C++ name mangling
extern "C" __declspec(dllexport) BOOL SayGoodbye(LPVOID lpUserdata, DWORD nUserdataLen)
{
	std::mutex testMutex;
	try {
		int i = 0, j = 1;
		j /= i;   // This will throw a SE (divide by zero).
	}
	catch (...) {
		MessageBoxA(NULL, "C++ Exception Thrown!", "Caught it", 0);
	}

	MessageBoxA(NULL, "I'm Leaving!", "Goodbye", 0);
	
	return TRUE;
}

Can you shed some light on this?
Thank you!

Edit: forgot to add my test steps.

  1. pe2shc.exe TestDLL_x64.dll
  2. runshc64.exe TestDLL_x64.shc.dll

convert driver to shellcode

Is there any tool that can convert a driver to shellcode? My driver is written in C++. I heard that you can use LLVM to compile the driver into shellcode, but I don't know how to use it. Do you know?

Different CmakeLists.txt?

Hi,

I noticed that the output files are different between the one I get when I compile your source and your release. It seems that the release is bigger and incorporates the runtime library?

If this is the case, can you share your CmakeLists for release?

Thanks, and good job on your project again.

BR

Issue creating shellcode

I'm trying to get this working out-of-the-box, and hitting a snag. When I try to run it against both calc.exe and a simple "Hello World" file, I get the following error.

[-] Stub not loaded
[-] Adding the stub failed!

I recompiled with debug in the peconv library, and the error being returned comes from this block:
HRSRC res = FindResourceA(hInstance, MAKEINTRESOURCEA(res_id), res_type);
if (!res) {
#ifdef _DEBUG
    std::cerr << "Cannot find resource" << std::endl;
#endif
    return nullptr;
}

Am I feeding something incorrect to the program? My arguments are just calc.exe and HelloWorld.exe, making sure those exe files are local to the execution directory.

Compile error

I have a problem compiling on Linux (Fedora):

pe_to_shellcode/libpeconv/libpeconv/include/peconv/pe_hdrs_helper.h:8:10: fatal error: Windows.h: No such file or directory
    8 | #include <Windows.h>
      |          ^~~~~~~~~~~

I tried to set C=i686-w64-mingw32-gcc

But I keep getting this error. What is the correct way to set up my environment?

"Cannot open PyInstaller archive from executable" error

I created a PE from Python code using PyInstaller, and this is the error I am getting:

PS C:\safe> .\transfer\pe2shc.exe .\dist\client.exe .\dist\client_shellcode.exe
Using: Loader v2
Reading module from: .\dist\client.exe
[INFO] This is a console application.
[INFO] Saved as: .\dist\client_shellcode.exe

PS C:\safe> .\dist\client_shellcode.exe -h
[23976] Cannot open PyInstaller archive from executable (C:\safe\dist\client_shellcode.exe) or external archive (C:\safe\dist\client_shellcode.pkg)

PS C:\safe> .\dist\client.exe -h
usage: client [-h] -s SERVER_IP [-p SERVER_PORT] [--secure]
[...]
[~] Good Bye!

PS C:\safe> .\transfer\runshc64.exe .\dist\client_shellcode.exe
[*] Reading module from: .\dist\client_shellcode.exe
>>> Creating a new thread...
[*] Running the shellcode [1f4da000000 - 1f4da054600]
[17556] Cannot open PyInstaller archive from executable (C:\safe\transfer\runshc64.exe) or external archive (C:\safe\transfer\runshc64.pkg)

I am at a loss, I would really appreciate any help!

add a compress feature

As we know, a PE file built in Golang is big (bigger than C/C++), so we use UPX to compress it. However, after it is compressed by UPX, pe2shc.exe cannot convert it to shellcode, and pe2shc.exe does not provide a compression option. On the other hand, if a shellcode generated by pe2shc.exe is then compressed by UPX, the compressed shellcode cannot run in process injection. So I would like pe2shc.exe to add a feature to compress, or to be compatible with UPX. Thank you.

How to execute an executable that required dll librairies?

Hi,

I found a way to manage my last problem, but now I have a problem with my main exe, which requires libcurl.dll to run.

Your code works perfectly when there is a single executable, but it cannot work with an exe that needs to use DLL files.

I see that your code calls peconv::load_file() and peconv::load_pe_executable() for the main exe. Is this something I need to do for every DLL file the main exe requires?

BR

MSF support?

Is this generated shellcode supported as a payload by Metasploit?

A little improvements (DCP)

Thanks for your amazing repo.
I'm not an expert, but I may be able to suggest a few little improvements.

  1. You have a call to VirtualAlloc in your shellcode. Since some Windows processes have the option "Dynamic code prohibited" (DCP), you can't do this. Such a case may be handled if memory allocation is done by an external process. Thus the external process allocates memory for shellcode + image size, then the shellcode checks whether the allocation was unsuccessful and then points RAX to the end of the shellcode, where the memory for the image is located.

  2. Before calling the EP you are flushing instructions. Again, you can't do this for processes with DCP. Probably you don't need this call, because your newly mapped instructions have never been executed before, so they are not in the processor cache, so it is not "self-modifying" code. Moreover, because this code is for Windows platforms, it is limited to a number of processors. And in most cases (always?) flushing will be done automatically.

With these two things it is possible to run this shellcode in DCP processes.

Generated shellcode is executable but not runnable with runshc64

Hi, I am running into some issues generating shellcode from my rust binary.

It works when run in a copy of the same process using a built-in shellcode runner command (VirtualAlloc, CreateThread), but when executed in the context of another process, either injected or using runshc64, it does not work.

I am thinking that it could be some kind of pre-main entrypoint that is relying on the current process' environment but I cannot figure out how to skip over it the past few days.

Have you run into this before?

For context the raw code can be found here https://github.com/Path-17/diet-c2/tree/main/implants/implant-v2/src

Thank you! I attached a copy of the executable (not the output of pe2shc.exe) as well

implant-v2.zip

Running shellcode.exe from a DLL fails

I changed your runsh.exe into a DLL and run the generated shellcode through that DLL. Sometimes it fails without reporting any error and just hangs; sometimes it works. I don't know why this happens.

Support remote thread execution?

Let's say I inject the shellcode into a remote process DLL. May I know if I can execute it using CreateRemoteThread? I tried, but the remote process crashed immediately. Thanks!

Better readme?

Hello,

I appreciate your work so much. I'd like to ask if you could add instructions on the loader as well: what it is and its intent, and how to use it?

Thanks.

programs crash after shellcode execution

A simple program compiled with VC2010 (settings: "Use MFC in a Static Library"):

#include <windows.h>
#pragma comment (lib, "user32.lib")
#ifdef _M_X64
int __fastcall wWinMain
#else
int __stdcall wWinMain
#endif
(
  HINSTANCE hInstance,
  HINSTANCE hPrevInstance,
  LPWSTR    lpCmdLine,
  int       nShowCmd
)
{
	MessageBoxW(0,0,0,0);
	return 0;
}

After conversion, I use "runshc" and "injector" to execute the shellcode, but after showing the message box, "runshc" exits without displaying the return value, and the process being injected also exits.

If I don't want this consequence, I have to call "SuspendThread()" before "return 0", but it means that the injection thread cannot exit.

Should some special settings be made when compiling EXE files?

Compilation error

Several undefined references errors...why not just publish the sln files like everyone else on GitHub?

Crash in golang

Excuse me, my English is poor!
I used pe2sh to convert a Golang-compiled exe to shellcode. When I inject the shellcode with a C-compiled shellcode loader it runs normally, but when I inject the shellcode with a Golang-compiled shellcode loader, I can spawn a process, but the new process exits immediately. So I want to know how to solve this. Both the C and the Golang loader use the same method to inject into the process.

Hi

Hi. I haven't yet had time to test, but does this also work with DLLs?

Donut works but pe2shc does not

Hello,

I'm using the latest Windows 10 and pe2shc version, and my problem is that I can't get a successful injection with pe2shc to work.

I have added my sample Golang script, which uses CreateRemoteThread for injecting. If I do "donut -i calc.exe" and load it with my Golang script, calc pops up. But if I do "pe2shc calc.exe" and load it with my script, nothing happens. If I take the generated file from pe2shc and run it with a double click, it works too.

package main

import (
	"fmt"
	"io"
	"os"
	"syscall"
	"unsafe"

	"golang.org/x/sys/windows"
)

func CreateProcess() *syscall.ProcessInformation {
	var si syscall.StartupInfo
	var pi syscall.ProcessInformation

	commandLine, err := syscall.UTF16PtrFromString(`c:\windows\system32\notepad.exe`)
	if err != nil {
		fmt.Println(err)
		return nil
	}

	err = syscall.CreateProcess(
		nil,
		commandLine,
		nil,
		nil,
		false,
		windows.CREATE_SUSPENDED|windows.CREATE_NO_WINDOW,
		nil,
		nil,
		&si,
		&pi)
	if err != nil {
		fmt.Println(err)
		return nil
	}

	return &pi
}

func CreateRemoteThread(shellcode []byte) {
	kernel32 := windows.NewLazySystemDLL("kernel32.dll")
	virtualAllocEx := kernel32.NewProc("VirtualAllocEx")
	virtualProtectEx := kernel32.NewProc("VirtualProtectEx")
	writeProcessMemory := kernel32.NewProc("WriteProcessMemory")
	createRemoteThread := kernel32.NewProc("CreateRemoteThread")
	closeHandle := kernel32.NewProc("CloseHandle")

	pi := CreateProcess()
	if pi == nil {
		return
	}
	// VirtualProtectEx writes the old protection into a DWORD, so this must be a uint32.
	var oldProtect uint32 = windows.PAGE_READWRITE

	// Proc.Call always returns a non-nil error (ERROR_SUCCESS on success), so failure is
	// detected from the API's own return value; the error text is only printed.
	lpBaseAddress, _, errVirtualAllocEx := virtualAllocEx.Call(uintptr(pi.Process), 0, uintptr(len(shellcode)), windows.MEM_COMMIT|windows.MEM_RESERVE, windows.PAGE_READWRITE)
	if lpBaseAddress == 0 {
		fmt.Printf("Error calling VirtualAllocEx:\r\n%s\n", errVirtualAllocEx.Error())
		return
	}

	ret, _, errWriteProcessMemory := writeProcessMemory.Call(uintptr(pi.Process), lpBaseAddress, uintptr(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode)), 0)
	if ret == 0 {
		fmt.Printf("Error calling WriteProcessMemory:\r\n%s\n", errWriteProcessMemory.Error())
		return
	}

	ret, _, errVirtualProtectEx := virtualProtectEx.Call(uintptr(pi.Process), lpBaseAddress, uintptr(len(shellcode)), windows.PAGE_EXECUTE_READ, uintptr(unsafe.Pointer(&oldProtect)))
	if ret == 0 {
		fmt.Printf("Error calling VirtualProtectEx:\r\n%s\n", errVirtualProtectEx.Error())
		return
	}

	hThread, _, errCreateRemoteThread := createRemoteThread.Call(uintptr(pi.Process), 0, 0, lpBaseAddress, 0, 0, 0)
	if hThread == 0 {
		fmt.Printf("Error calling CreateRemoteThread:\r\n%s\n", errCreateRemoteThread.Error())
		return
	}

	ret, _, errCloseHandle := closeHandle.Call(uintptr(pi.Process))
	if ret == 0 {
		fmt.Printf("Error calling CloseHandle:\r\n%s\n", errCloseHandle.Error())
	}

	fmt.Println("INJECTED!")
}

func main() {
	file, err := os.Open("calc.shc.exe")
	if err != nil {
		fmt.Println(err)
		return
	}
	defer file.Close()

	// Get the file size
	stat, err := file.Stat()
	if err != nil {
		fmt.Println(err)
		return
	}

	// Read the whole file into a byte slice (ReadFull fails on a short read)
	shellcode := make([]byte, stat.Size())
	if _, err = io.ReadFull(file, shellcode); err != nil {
		fmt.Println(err)
		return
	}

	CreateRemoteThread(shellcode)
}

Request help, thanks

C:\Users\Administrator\Desktop>pe2shc.exe sasa.exe
Using: Loader v2
Reading module from: sasa.exe
[ERROR] The PE must have relocations!
[ERROR] Not supported input file!


runshc.exe different size end compile

Not really an issue but a question:
Both binaries compiled from the code you provided, pe2sh.exe and runshc.exe, have a different size from the same files you provided as releases.
I compiled with:
Microsoft Visual Studio Enterprise 2019
Version 16.8.2
VisualStudio.16.Release/16.8.2+30717.126

They both work on my machine, but once I try to execute them on a different machine I get a message box (see attachment):
msvcp140d_dll
ucrtbased
vcruntime140d_dll

Your own runshc64.exe, downloaded from the releases, has a different size than mine and works just as expected:

my file compiled:
Mode LastWriteTime Length Name
-a---- 12/8/2020 4:16 PM 89600 runshc.exe

your file downloaded:
Mode LastWriteTime Length Name
-a---- 8/13/2020 1:19 PM 264192 runshc64.exe

Am I doing something wrong?
I can't figure out why the sizes are different.
Thanks

Compile to get pe2shc.exe?

This is probably a big noob question and I apologize ahead of time, but I am unsure how to get to the point of using pe2shc.exe as written out in the docs. I have cloned the repository into VS, but I am unsure what to do from here, as I am pretty green when it comes to compiled languages. Any help from anyone more experienced would be greatly appreciated. Thank you!

Not work with x64 independent code

Hello
I tried to convert a PE file without imports (a base-independent file).
If the file is built in x86 mode, there is no problem: it is launched through runshc32.exe.
But if x64, then it fails and crashes. I don't understand what the matter is. This seems to be a bug.
Source code of the .exe file (entry point: the CodeRun function):

#include <Windows.h>
#include <winternl.h>

#define ROTR32(value, shift) (((DWORD) value >> (BYTE) shift) | ((DWORD) value << (32 - (BYTE) shift)))

typedef struct _MY_PEB_LDR_DATA {
	ULONG Length;
	BOOL Initialized;
	PVOID SsHandle;
	LIST_ENTRY InLoadOrderModuleList;
	LIST_ENTRY InMemoryOrderModuleList;
	LIST_ENTRY InInitializationOrderModuleList;
} MY_PEB_LDR_DATA, * PMY_PEB_LDR_DATA;

typedef struct _MY_LDR_DATA_TABLE_ENTRY
{
	LIST_ENTRY InLoadOrderLinks;
	LIST_ENTRY InMemoryOrderLinks;
	LIST_ENTRY InInitializationOrderLinks;
	PVOID DllBase;
	PVOID EntryPoint;
	ULONG SizeOfImage;
	UNICODE_STRING FullDllName;
	UNICODE_STRING BaseDllName;
} MY_LDR_DATA_TABLE_ENTRY, * PMY_LDR_DATA_TABLE_ENTRY;

typedef HMODULE(WINAPI* FuncLoadLibraryA) (LPCSTR lpFileName);
typedef int(WINAPI* FuncMessageBoxA)(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType);

HMODULE GetProcAddressByHash(_In_ DWORD dwModuleFunctionHash)
{
	PPEB PebAddress;
	PMY_PEB_LDR_DATA pLdr;
	PMY_LDR_DATA_TABLE_ENTRY pDataTableEntry;
	PVOID pModuleBase;
	PIMAGE_NT_HEADERS pNTHeader;
	DWORD dwExportDirRVA;
	PIMAGE_EXPORT_DIRECTORY pExportDir;
	PLIST_ENTRY pNextModule;
	DWORD dwNumFunctions;
	USHORT usOrdinalTableIndex;
	PDWORD pdwFunctionNameBase;
	PCSTR pFunctionName;
	UNICODE_STRING BaseDllName;
	DWORD dwModuleHash;
	DWORD dwFunctionHash;
	PCSTR pTempChar;
	DWORD i;

#if defined(_WIN64)
	PebAddress = (PPEB)__readgsqword(0x60);
#elif defined(_M_ARM)
	// I can assure you that this is not a mistake. The C compiler improperly emits the proper opcodes
	// necessary to get the PEB.Ldr address
	PebAddress = (PPEB)((ULONG_PTR)_MoveFromCoprocessor(15, 0, 13, 0, 2) + 0);
	__emit(0x00006B1B);
#else
	PebAddress = (PPEB)__readfsdword(0x30);
#endif

	pLdr = (PMY_PEB_LDR_DATA)PebAddress->Ldr;
	pNextModule = pLdr->InLoadOrderModuleList.Flink;
	pDataTableEntry = (PMY_LDR_DATA_TABLE_ENTRY)pNextModule;

	while (pDataTableEntry->DllBase != NULL)
	{
		dwModuleHash = 0;
		pModuleBase = pDataTableEntry->DllBase;
		BaseDllName = pDataTableEntry->BaseDllName;
		pNTHeader = (PIMAGE_NT_HEADERS)((ULONG_PTR)pModuleBase + ((PIMAGE_DOS_HEADER)pModuleBase)->e_lfanew);
		dwExportDirRVA = pNTHeader->OptionalHeader.DataDirectory[0].VirtualAddress;

		// Get the next loaded module entry
		pDataTableEntry = (PMY_LDR_DATA_TABLE_ENTRY)pDataTableEntry->InLoadOrderLinks.Flink;

		// If the current module does not export any functions, move on to the next module.
		if (dwExportDirRVA == 0)
		{
			continue;
		}

		// Calculate the module hash
		for (i = 0; i < BaseDllName.MaximumLength; i++)
		{
			pTempChar = ((PCSTR)BaseDllName.Buffer + i);

			dwModuleHash = ROTR32(dwModuleHash, 13);

			if (*pTempChar >= 0x61)
			{
				dwModuleHash += *pTempChar - 0x20;
			}
			else
			{
				dwModuleHash += *pTempChar;
			}
		}

		pExportDir = (PIMAGE_EXPORT_DIRECTORY)((ULONG_PTR)pModuleBase + dwExportDirRVA);

		dwNumFunctions = pExportDir->NumberOfNames;
		pdwFunctionNameBase = (PDWORD)((PCHAR)pModuleBase + pExportDir->AddressOfNames);

		for (i = 0; i < dwNumFunctions; i++)
		{
			dwFunctionHash = 0;
			pFunctionName = (PCSTR)(*pdwFunctionNameBase + (ULONG_PTR)pModuleBase);
			pdwFunctionNameBase++;

			pTempChar = pFunctionName;

			do
			{
				dwFunctionHash = ROTR32(dwFunctionHash, 13);
				dwFunctionHash += *pTempChar;
				pTempChar++;
			} while (*(pTempChar - 1) != 0);

			dwFunctionHash += dwModuleHash;

			if (dwFunctionHash == dwModuleFunctionHash)
			{
				usOrdinalTableIndex = *(PUSHORT)(((ULONG_PTR)pModuleBase + pExportDir->AddressOfNameOrdinals) + (2 * i));
				return (HMODULE)((ULONG_PTR)pModuleBase + *(PDWORD)(((ULONG_PTR)pModuleBase + pExportDir->AddressOfFunctions) + (4 * usOrdinalTableIndex)));
			}
		}
	}

	// All modules have been exhausted and the function was not found.
	return NULL;
}

// this string need to add .reloc table to x64 .exe file
const char* data = "reloc_fix";

VOID CodeRun(VOID)
{
	char module[] = { 'u', 's', 'e', 'r', '3', '2', '.', 'd', 'l', 'l', 0 };
	FuncLoadLibraryA MyLoadLibraryA = (FuncLoadLibraryA)GetProcAddressByHash(0x0726774C);
	MyLoadLibraryA((LPCSTR)module);
	FuncMessageBoxA MyMessageBoxA = (FuncMessageBoxA)GetProcAddressByHash(0x07568345);
	MyMessageBoxA(0, 0, 0, 0);
}

Access Violation with Avast AntiVirus

Hi Hasherezade,
I encountered a weird problem when using your project on a machine with Avast antivirus installed.
The shellcode breaks soon after being run due to an issue with the stub, something related to aswhook.dll, which Avast injects into all running processes.
The shellcode breaks due to an Access Violation error.
The shellcode works fine when tested on other machines, even with other antivirus software installed, and also works fine in case Avast is paused.

I would be grateful if you could help with this issue.

What does "appropriate bitness" mean?

Hi,

I read your README.md, and I found this sentence:

"(*)Warning: remember to use the version of runshc with a bitness appropriate to your converted application (32 or 64 bit) - otherwise the application will crash!"

Can you tell me more about this? What does it mean? What is appropriate bitness?

BR

Support for 64bit PE files

Currently only 32bit PE files can be converted.
A new stub should be added to support 64bit PE files too.

How is it possible to get the return code of the executable?

Hi,

First, congrats on your excellent job. I decided to use your code with .dll files. It allowed me to execute my code, but the execution stopped afterwards, which means I cannot get the exit code or do more actions.

Even in your code, when I use your executable (runshc.exe) with my code, the execution stops before your code line "the shellcode finished with a return value: ", which means there is a problem here. I tried with a sample putty.exe executable and the result is the same.

Can you help me with this?

runshc

Your PE converter has limitations, but I was able to get a converted file from https://github.com/daVinci13/Exe2shell . When testing the converted file with runshc to check the converted PE, it keeps crashing, but shows:

[*] Reading module from: shell.txt
[*] Running the shellcode:

any idea why this happened?
