├── .gitignore ├── Images ├── android_preview.jpg ├── clang_preview.jpg ├── shellcode_binja.png ├── shellcode_source.png ├── shellcode_source_2.png └── vsc++preview.jpg ├── LICENSE ├── Loader ├── Loader.cpp ├── Loader.vcxproj ├── Loader.vcxproj.filters ├── Loader.vcxproj.user ├── Release │ ├── Loader.exe.recipe │ ├── Loader.iobj │ ├── Loader.ipdb │ ├── Loader.log │ ├── Loader.tlog │ │ ├── CL.command.1.tlog │ │ ├── CL.read.1.tlog │ │ ├── CL.write.1.tlog │ │ ├── Loader.lastbuildstate │ │ ├── link.command.1.tlog │ │ ├── link.read.1.tlog │ │ └── link.write.1.tlog │ └── vc142.pdb ├── shcutils.h └── x64 │ └── Release │ ├── Loader.Build.CppClean.log │ ├── Loader.exe.recipe │ ├── Loader.log │ ├── Loader.tlog │ ├── CL.command.1.tlog │ └── Loader.lastbuildstate │ ├── Loader.vcxproj.FileListAbsolute.txt │ └── vc142.pdb ├── README.md ├── Shellcode ├── Debug │ ├── Shellcode.Build.CppClean.log │ ├── Shellcode.exe.recipe │ ├── Shellcode.ilk │ ├── Shellcode.log │ ├── Shellcode.tlog │ │ ├── CL.command.1.tlog │ │ ├── CL.read.1.tlog │ │ ├── CL.write.1.tlog │ │ ├── Shellcode.lastbuildstate │ │ ├── link.command.1.tlog │ │ ├── link.read.1.tlog │ │ └── link.write.1.tlog │ ├── Shellcode.vcxproj.FileListAbsolute.txt │ ├── vc142.idb │ └── vc142.pdb ├── Release │ ├── Shellcode.Build.CppClean.log │ ├── Shellcode.exe.recipe │ ├── Shellcode.log │ └── Shellcode.vcxproj.FileListAbsolute.txt ├── Shellcode.vcxproj ├── Shellcode.vcxproj.filters ├── Shellcode.vcxproj.user ├── shcutils.h ├── shellcode.asm ├── shellcode.bin ├── shellcode.cpp └── x64 │ └── Release │ ├── Shellcode.Build.CppClean.log │ ├── Shellcode.exe.recipe │ ├── Shellcode.log │ ├── Shellcode.tlog │ ├── CL.command.1.tlog │ ├── CL.read.1.tlog │ ├── CL.write.1.tlog │ ├── Shellcode.lastbuildstate │ ├── link.command.1.tlog │ ├── link.read.1.tlog │ └── link.write.1.tlog │ ├── Shellcode.vcxproj.FileListAbsolute.txt │ └── vc142.pdb └── c2shell.sln /.gitignore: -------------------------------------------------------------------------------- 1 
| ## Ignore Visual Studio temporary files, build results, and 2 | ## files generated by popular Visual Studio add-ons. 3 | ## 4 | ## Get latest from https://github.com/github/gitignore/blob/main/VisualStudio.gitignore 5 | 6 | # User-specific files 7 | *.rsuser 8 | *.suo 9 | *.user 10 | *.userosscache 11 | *.sln.docstates 12 | *.exe 13 | *.log 14 | *.tlog 15 | *.idb 16 | *.asm 17 | 18 | # User-specific files (MonoDevelop/Xamarin Studio) 19 | *.userprefs 20 | 21 | # Mono auto generated files 22 | mono_crash.* 23 | 24 | # Build results 25 | [Dd]ebug/ 26 | [Dd]ebugPublic/ 27 | [Rr]elease/ 28 | [Rr]eleases/ 29 | x64/ 30 | x86/ 31 | [Ww][Ii][Nn]32/ 32 | [Aa][Rr][Mm]/ 33 | [Aa][Rr][Mm]64/ 34 | bld/ 35 | [Bb]in/ 36 | [Oo]bj/ 37 | [Ll]og/ 38 | [Ll]ogs/ 39 | 40 | # Visual Studio 2015/2017 cache/options directory 41 | .vs/ 42 | # Uncomment if you have tasks that create the project's static files in wwwroot 43 | #wwwroot/ 44 | 45 | # Visual Studio 2017 auto generated files 46 | Generated\ Files/ 47 | 48 | # MSTest test Results 49 | [Tt]est[Rr]esult*/ 50 | [Bb]uild[Ll]og.* 51 | 52 | # NUnit 53 | *.VisualState.xml 54 | TestResult.xml 55 | nunit-*.xml 56 | 57 | # Build Results of an ATL Project 58 | [Dd]ebugPS/ 59 | [Rr]eleasePS/ 60 | dlldata.c 61 | 62 | # Benchmark Results 63 | BenchmarkDotNet.Artifacts/ 64 | 65 | # .NET Core 66 | project.lock.json 67 | project.fragment.lock.json 68 | artifacts/ 69 | 70 | # ASP.NET Scaffolding 71 | ScaffoldingReadMe.txt 72 | 73 | # StyleCop 74 | StyleCopReport.xml 75 | 76 | # Files built by Visual Studio 77 | *_i.c 78 | *_p.c 79 | *_h.h 80 | *.ilk 81 | *.meta 82 | *.obj 83 | *.iobj 84 | *.pch 85 | *.pdb 86 | *.ipdb 87 | *.pgc 88 | *.pgd 89 | *.rsp 90 | *.sbr 91 | *.tlb 92 | *.tli 93 | *.tlh 94 | *.tmp 95 | *.tmp_proj 96 | *_wpftmp.csproj 97 | *.log 98 | *.tlog 99 | *.vspscc 100 | *.vssscc 101 | .builds 102 | *.pidb 103 | *.svclog 104 | *.scc 105 | 106 | # Chutzpah Test files 107 | _Chutzpah* 108 | 109 | # Visual C++ cache files 110 | ipch/ 111 | 
*.aps 112 | *.ncb 113 | *.opendb 114 | *.opensdf 115 | *.sdf 116 | *.cachefile 117 | *.VC.db 118 | *.VC.VC.opendb 119 | 120 | # Visual Studio profiler 121 | *.psess 122 | *.vsp 123 | *.vspx 124 | *.sap 125 | 126 | # Visual Studio Trace Files 127 | *.e2e 128 | 129 | # TFS 2012 Local Workspace 130 | $tf/ 131 | 132 | # Guidance Automation Toolkit 133 | *.gpState 134 | 135 | # ReSharper is a .NET coding add-in 136 | _ReSharper*/ 137 | *.[Rr]e[Ss]harper 138 | *.DotSettings.user 139 | 140 | # TeamCity is a build add-in 141 | _TeamCity* 142 | 143 | # DotCover is a Code Coverage Tool 144 | *.dotCover 145 | 146 | # AxoCover is a Code Coverage Tool 147 | .axoCover/* 148 | !.axoCover/settings.json 149 | 150 | # Coverlet is a free, cross platform Code Coverage Tool 151 | coverage*.json 152 | coverage*.xml 153 | coverage*.info 154 | 155 | # Visual Studio code coverage results 156 | *.coverage 157 | *.coveragexml 158 | 159 | # NCrunch 160 | _NCrunch_* 161 | .*crunch*.local.xml 162 | nCrunchTemp_* 163 | 164 | # MightyMoose 165 | *.mm.* 166 | AutoTest.Net/ 167 | 168 | # Web workbench (sass) 169 | .sass-cache/ 170 | 171 | # Installshield output folder 172 | [Ee]xpress/ 173 | 174 | # DocProject is a documentation generator add-in 175 | DocProject/buildhelp/ 176 | DocProject/Help/*.HxT 177 | DocProject/Help/*.HxC 178 | DocProject/Help/*.hhc 179 | DocProject/Help/*.hhk 180 | DocProject/Help/*.hhp 181 | DocProject/Help/Html2 182 | DocProject/Help/html 183 | 184 | # Click-Once directory 185 | publish/ 186 | 187 | # Publish Web Output 188 | *.[Pp]ublish.xml 189 | *.azurePubxml 190 | # Note: Comment the next line if you want to checkin your web deploy settings, 191 | # but database connection strings (with potential passwords) will be unencrypted 192 | *.pubxml 193 | *.publishproj 194 | 195 | # Microsoft Azure Web App publish settings. 
Comment the next line if you want to 196 | # checkin your Azure Web App publish settings, but sensitive information contained 197 | # in these scripts will be unencrypted 198 | PublishScripts/ 199 | 200 | # NuGet Packages 201 | *.nupkg 202 | # NuGet Symbol Packages 203 | *.snupkg 204 | # The packages folder can be ignored because of Package Restore 205 | **/[Pp]ackages/* 206 | # except build/, which is used as an MSBuild target. 207 | !**/[Pp]ackages/build/ 208 | # Uncomment if necessary however generally it will be regenerated when needed 209 | #!**/[Pp]ackages/repositories.config 210 | # NuGet v3's project.json files produces more ignorable files 211 | *.nuget.props 212 | *.nuget.targets 213 | 214 | # Microsoft Azure Build Output 215 | csx/ 216 | *.build.csdef 217 | 218 | # Microsoft Azure Emulator 219 | ecf/ 220 | rcf/ 221 | 222 | # Windows Store app package directories and files 223 | AppPackages/ 224 | BundleArtifacts/ 225 | Package.StoreAssociation.xml 226 | _pkginfo.txt 227 | *.appx 228 | *.appxbundle 229 | *.appxupload 230 | 231 | # Visual Studio cache files 232 | # files ending in .cache can be ignored 233 | *.[Cc]ache 234 | # but keep track of directories ending in .cache 235 | !?*.[Cc]ache/ 236 | 237 | # Others 238 | ClientBin/ 239 | ~$* 240 | *~ 241 | *.dbmdl 242 | *.dbproj.schemaview 243 | *.jfm 244 | *.pfx 245 | *.publishsettings 246 | orleans.codegen.cs 247 | 248 | # Including strong name files can present a security risk 249 | # (https://github.com/github/gitignore/pull/2483#issue-259490424) 250 | #*.snk 251 | 252 | # Since there are multiple workflows, uncomment next line to ignore bower_components 253 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622) 254 | #bower_components/ 255 | 256 | # RIA/Silverlight projects 257 | Generated_Code/ 258 | 259 | # Backup & report files from converting an old project file 260 | # to a newer Visual Studio version. 
Backup files are not needed, 261 | # because we have git ;-) 262 | _UpgradeReport_Files/ 263 | Backup*/ 264 | UpgradeLog*.XML 265 | UpgradeLog*.htm 266 | ServiceFabricBackup/ 267 | *.rptproj.bak 268 | 269 | # SQL Server files 270 | *.mdf 271 | *.ldf 272 | *.ndf 273 | 274 | # Business Intelligence projects 275 | *.rdl.data 276 | *.bim.layout 277 | *.bim_*.settings 278 | *.rptproj.rsuser 279 | *- [Bb]ackup.rdl 280 | *- [Bb]ackup ([0-9]).rdl 281 | *- [Bb]ackup ([0-9][0-9]).rdl 282 | 283 | # Microsoft Fakes 284 | FakesAssemblies/ 285 | 286 | # GhostDoc plugin setting file 287 | *.GhostDoc.xml 288 | 289 | # Node.js Tools for Visual Studio 290 | .ntvs_analysis.dat 291 | node_modules/ 292 | 293 | # Visual Studio 6 build log 294 | *.plg 295 | 296 | # Visual Studio 6 workspace options file 297 | *.opt 298 | 299 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.) 300 | *.vbw 301 | 302 | # Visual Studio 6 auto-generated project file (contains which files were open etc.) 
303 | *.vbp 304 | 305 | # Visual Studio 6 workspace and project file (working project files containing files to include in project) 306 | *.dsw 307 | *.dsp 308 | 309 | # Visual Studio 6 technical files 310 | *.ncb 311 | *.aps 312 | 313 | # Visual Studio LightSwitch build output 314 | **/*.HTMLClient/GeneratedArtifacts 315 | **/*.DesktopClient/GeneratedArtifacts 316 | **/*.DesktopClient/ModelManifest.xml 317 | **/*.Server/GeneratedArtifacts 318 | **/*.Server/ModelManifest.xml 319 | _Pvt_Extensions 320 | 321 | # Paket dependency manager 322 | .paket/paket.exe 323 | paket-files/ 324 | 325 | # FAKE - F# Make 326 | .fake/ 327 | 328 | # CodeRush personal settings 329 | .cr/personal 330 | 331 | # Python Tools for Visual Studio (PTVS) 332 | __pycache__/ 333 | *.pyc 334 | 335 | # Cake - Uncomment if you are using it 336 | # tools/** 337 | # !tools/packages.config 338 | 339 | # Tabs Studio 340 | *.tss 341 | 342 | # Telerik's JustMock configuration file 343 | *.jmconfig 344 | 345 | # BizTalk build output 346 | *.btp.cs 347 | *.btm.cs 348 | *.odx.cs 349 | *.xsd.cs 350 | 351 | # OpenCover UI analysis results 352 | OpenCover/ 353 | 354 | # Azure Stream Analytics local run output 355 | ASALocalRun/ 356 | 357 | # MSBuild Binary and Structured Log 358 | *.binlog 359 | 360 | # NVidia Nsight GPU debugger configuration file 361 | *.nvuser 362 | 363 | # MFractors (Xamarin productivity tool) working folder 364 | .mfractor/ 365 | 366 | # Local History for Visual Studio 367 | .localhistory/ 368 | 369 | # Visual Studio History (VSHistory) files 370 | .vshistory/ 371 | 372 | # BeatPulse healthcheck temp database 373 | healthchecksdb 374 | 375 | # Backup folder for Package Reference Convert tool in Visual Studio 2017 376 | MigrationBackup/ 377 | 378 | # Ionide (cross platform F# VS Code tools) working folder 379 | .ionide/ 380 | 381 | # Fody - auto-generated XML schema 382 | FodyWeavers.xsd 383 | 384 | # VS Code files for those working on multiple tools 385 | .vscode/* 386 | 
!.vscode/settings.json 387 | !.vscode/tasks.json 388 | !.vscode/launch.json 389 | !.vscode/extensions.json 390 | *.code-workspace 391 | 392 | # Local History for Visual Studio Code 393 | .history/ 394 | 395 | # Windows Installer files from build outputs 396 | *.cab 397 | *.msi 398 | *.msix 399 | *.msm 400 | *.msp 401 | 402 | # JetBrains Rider 403 | *.sln.iml -------------------------------------------------------------------------------- /Images/android_preview.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ac3ss0r/c2shell/f71c9ade9e675bc7c9cc62c298aad47a5921ca4e/Images/android_preview.jpg -------------------------------------------------------------------------------- /Images/clang_preview.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ac3ss0r/c2shell/f71c9ade9e675bc7c9cc62c298aad47a5921ca4e/Images/clang_preview.jpg -------------------------------------------------------------------------------- /Images/shellcode_binja.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ac3ss0r/c2shell/f71c9ade9e675bc7c9cc62c298aad47a5921ca4e/Images/shellcode_binja.png -------------------------------------------------------------------------------- /Images/shellcode_source.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ac3ss0r/c2shell/f71c9ade9e675bc7c9cc62c298aad47a5921ca4e/Images/shellcode_source.png -------------------------------------------------------------------------------- /Images/shellcode_source_2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ac3ss0r/c2shell/f71c9ade9e675bc7c9cc62c298aad47a5921ca4e/Images/shellcode_source_2.png -------------------------------------------------------------------------------- 
/Images/vsc++preview.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ac3ss0r/c2shell/f71c9ade9e675bc7c9cc62c298aad47a5921ca4e/Images/vsc++preview.jpg -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 
34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. 
Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. 
You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 
122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. 
In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. 
We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright [yyyy] [name of copyright owner] 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /Loader/Loader.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include "shcutils.h" 4 | 5 | int main() { 6 | typedef int(*VirtualProtect_t)(void*, int, unsigned long, unsigned long*); 7 | char shellcode[] = 8 | "\x48\x83\xEC\x28\x48\x83\xE4\xF0\x48\x8D\x15\x66\x00\x00\x00" 9 | "\x48\x8D\x0D\x52\x00\x00\x00\xE8\x9E\x00\x00\x00\x4C\x8B\xF8" 10 | "\x48\x8D\x0D\x5D\x00\x00\x00\xFF\xD0\x48\x8D\x15\x5F\x00\x00" 11 | "\x00\x48\x8D\x0D\x4D\x00\x00\x00\xE8\x7F\x00\x00\x00\x4D\x33" 12 | "\xC9\x4C\x8D\x05\x61\x00\x00\x00\x48\x8D\x15\x4E\x00\x00\x00" 13 | "\x48\x33\xC9\xFF\xD0\x48\x8D\x15\x56\x00\x00\x00\x48\x8D\x0D" 14 | "\x0A\x00\x00\x00\xE8\x56\x00\x00\x00\x48\x33\xC9\xFF\xD0\x4B" 15 | "\x45\x52\x4E\x45\x4C\x33\x32\x2E\x44\x4C\x4C\x00\x4C\x6F\x61" 16 | "\x64\x4C\x69\x62\x72\x61\x72\x79\x41\x00\x55\x53\x45\x52\x33" 17 | "\x32\x2E\x44\x4C\x4C\x00\x4D\x65\x73\x73\x61\x67\x65\x42\x6F" 18 | "\x78\x41\x00\x48\x65\x6C\x6C\x6F\x20\x77\x6F\x72\x6C\x64\x00" 19 | 
"\x4D\x65\x73\x73\x61\x67\x65\x00\x45\x78\x69\x74\x50\x72\x6F" 20 | "\x63\x65\x73\x73\x00\x48\x83\xEC\x28\x65\x4C\x8B\x04\x25\x60" 21 | "\x00\x00\x00\x4D\x8B\x40\x18\x4D\x8D\x60\x10\x4D\x8B\x04\x24" 22 | "\xFC\x49\x8B\x78\x60\x48\x8B\xF1\xAC\x84\xC0\x74\x26\x8A\x27" 23 | "\x80\xFC\x61\x7C\x03\x80\xEC\x20\x3A\xE0\x75\x08\x48\xFF\xC7" 24 | "\x48\xFF\xC7\xEB\xE5\x4D\x8B\x00\x4D\x3B\xC4\x75\xD6\x48\x33" 25 | "\xC0\xE9\xA7\x00\x00\x00\x49\x8B\x58\x30\x44\x8B\x4B\x3C\x4C" 26 | "\x03\xCB\x49\x81\xC1\x88\x00\x00\x00\x45\x8B\x29\x4D\x85\xED" 27 | "\x75\x08\x48\x33\xC0\xE9\x85\x00\x00\x00\x4E\x8D\x04\x2B\x45" 28 | "\x8B\x71\x04\x4D\x03\xF5\x41\x8B\x48\x18\x45\x8B\x50\x20\x4C" 29 | "\x03\xD3\xFF\xC9\x4D\x8D\x0C\x8A\x41\x8B\x39\x48\x03\xFB\x48" 30 | "\x8B\xF2\xA6\x75\x08\x8A\x06\x84\xC0\x74\x09\xEB\xF5\xE2\xE6" 31 | "\x48\x33\xC0\xEB\x4E\x45\x8B\x48\x24\x4C\x03\xCB\x66\x41\x8B" 32 | "\x0C\x49\x45\x8B\x48\x1C\x4C\x03\xCB\x41\x8B\x04\x89\x49\x3B" 33 | "\xC5\x7C\x2F\x49\x3B\xC6\x73\x2A\x48\x8D\x34\x18\x48\x8D\x7C" 34 | "\x24\x30\x4C\x8B\xE7\xA4\x80\x3E\x2E\x75\xFA\xA4\xC7\x07\x44" 35 | "\x4C\x4C\x00\x49\x8B\xCC\x41\xFF\xD7\x49\x8B\xCC\x48\x8B\xD6" 36 | "\xE9\x14\xFF\xFF\xFF\x48\x03\xC3\x48\x83\xC4\x28\xC3"; 37 | 38 | wchar_t kernel32_dll_name[] = { 'k','e','r','n','e','l','3','2','.','d','l','l', 0 }; 39 | void* base = get_module_handle(kernel32_dll_name); 40 | if (base) { 41 | VirtualProtect_t VMProtect = (VirtualProtect_t) get_proc_address(base, HASH("VirtualProtect")); 42 | if (VMProtect) { 43 | DWORD flOldProtect; 44 | VMProtect(shellcode, sizeof(shellcode), PAGE_EXECUTE_READWRITE, &flOldProtect); 45 | (*(void (*)()) & shellcode)(); 46 | } 47 | } 48 | return 0; 49 | } -------------------------------------------------------------------------------- /Loader/Loader.vcxproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | 
x64 19 | 20 | 21 | 22 | 16.0 23 | Win32Proj 24 | {7cbe89fc-447e-47aa-a613-3f2ea193587c} 25 | Loader 26 | 10.0 27 | 28 | 29 | 30 | Application 31 | true 32 | v142 33 | Unicode 34 | 35 | 36 | Application 37 | false 38 | v142 39 | true 40 | Unicode 41 | 42 | 43 | Application 44 | true 45 | v142 46 | Unicode 47 | 48 | 49 | Application 50 | false 51 | v142 52 | true 53 | Unicode 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | true 75 | 76 | 77 | false 78 | 79 | 80 | true 81 | 82 | 83 | false 84 | 85 | 86 | 87 | Level3 88 | true 89 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 90 | true 91 | 92 | 93 | Console 94 | true 95 | 96 | 97 | 98 | 99 | Level3 100 | true 101 | true 102 | true 103 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 104 | true 105 | 106 | 107 | Console 108 | true 109 | true 110 | true 111 | 112 | 113 | 114 | 115 | Level3 116 | true 117 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 118 | true 119 | 120 | 121 | Console 122 | true 123 | 124 | 125 | 126 | 127 | Level3 128 | true 129 | true 130 | true 131 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 132 | true 133 | 134 | 135 | Console 136 | true 137 | true 138 | true 139 | 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | -------------------------------------------------------------------------------- /Loader/Loader.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Исходные файлы 20 | 21 | 22 | 23 | 24 | Файлы заголовков 25 | 26 | 27 | 
-------------------------------------------------------------------------------- /Loader/Loader.vcxproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | -------------------------------------------------------------------------------- /Loader/Release/Loader.exe.recipe: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | C:\Users\admin\Desktop\Shellcode funnies\Shellcode\Release\Loader.exe 6 | 7 | 8 | 9 | 10 | 11 | -------------------------------------------------------------------------------- /Loader/Release/Loader.iobj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ac3ss0r/c2shell/f71c9ade9e675bc7c9cc62c298aad47a5921ca4e/Loader/Release/Loader.iobj -------------------------------------------------------------------------------- /Loader/Release/Loader.ipdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ac3ss0r/c2shell/f71c9ade9e675bc7c9cc62c298aad47a5921ca4e/Loader/Release/Loader.ipdb -------------------------------------------------------------------------------- /Loader/Release/Loader.log: -------------------------------------------------------------------------------- 1 |  Loader.cpp 2 | Создание кода 3 | 1 of 1 functions (100.0%) were compiled. 
4 | 0 functions were new in current compilation 5 | 0 functions had inline decision re-evaluated but remain unchanged 6 | Создание кода завершено 7 | Loader.vcxproj -> C:\Users\admin\Desktop\Shellcode funnies\Shellcode\Release\Loader.exe 8 | -------------------------------------------------------------------------------- /Loader/Release/Loader.tlog/CL.command.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ac3ss0r/c2shell/f71c9ade9e675bc7c9cc62c298aad47a5921ca4e/Loader/Release/Loader.tlog/CL.command.1.tlog -------------------------------------------------------------------------------- /Loader/Release/Loader.tlog/CL.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ac3ss0r/c2shell/f71c9ade9e675bc7c9cc62c298aad47a5921ca4e/Loader/Release/Loader.tlog/CL.read.1.tlog -------------------------------------------------------------------------------- /Loader/Release/Loader.tlog/CL.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ac3ss0r/c2shell/f71c9ade9e675bc7c9cc62c298aad47a5921ca4e/Loader/Release/Loader.tlog/CL.write.1.tlog -------------------------------------------------------------------------------- /Loader/Release/Loader.tlog/Loader.lastbuildstate: -------------------------------------------------------------------------------- 1 | PlatformToolSet=v142:VCToolArchitecture=Native32Bit:VCToolsVersion=14.29.30133:TargetPlatformVersion=10.0.19041.0: 2 | Release|Win32|C:\Users\admin\Desktop\Shellcode funnies\Shellcode\| 3 | -------------------------------------------------------------------------------- /Loader/Release/Loader.tlog/link.command.1.tlog: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/ac3ss0r/c2shell/f71c9ade9e675bc7c9cc62c298aad47a5921ca4e/Loader/Release/Loader.tlog/link.command.1.tlog -------------------------------------------------------------------------------- /Loader/Release/Loader.tlog/link.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ac3ss0r/c2shell/f71c9ade9e675bc7c9cc62c298aad47a5921ca4e/Loader/Release/Loader.tlog/link.read.1.tlog -------------------------------------------------------------------------------- /Loader/Release/Loader.tlog/link.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ac3ss0r/c2shell/f71c9ade9e675bc7c9cc62c298aad47a5921ca4e/Loader/Release/Loader.tlog/link.write.1.tlog -------------------------------------------------------------------------------- /Loader/Release/vc142.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ac3ss0r/c2shell/f71c9ade9e675bc7c9cc62c298aad47a5921ca4e/Loader/Release/vc142.pdb -------------------------------------------------------------------------------- /Loader/shcutils.h: -------------------------------------------------------------------------------- 1 | #ifndef PEB_H 2 | #define PEB_H 3 | 4 | #if defined(_WIN64) || defined(WIN64) || defined(WIN32) || defined(_WIN32) || defined(__WIN32__) || defined(__NT__) 5 | #define _WINDOWS 6 | #elif defined(__linux__) || defined(__ANDROID__) 7 | #define _LINUX 8 | #endif 9 | 10 | #ifdef _WINDOWS 11 | #include 12 | #elif defined(_LINUX) 13 | #include 14 | #include 15 | #endif 16 | 17 | // Create custom sections on both clang & msc++ 18 | #if defined(_MSC_VER) 19 | #define SECTION_CODE(x) __declspec(code_seg(x)) 20 | #define SECTION_FLD(x) __declspec(allocate(x)) 21 | #else 22 | #define SECTION_CODE(x) __attribute__((section(x))) 23 | #define SECTION_FLD(x) __attribute__((section(x))) 24 
| #endif 25 | 26 | #if defined(_MSC_VER) && !defined(__llvm__) 27 | #define INLINE __forceinline // Visual C++ 28 | #else 29 | #define INLINE __attribute__((always_inline)) inline // GCC/G++/CLANG 30 | #endif 31 | 32 | // Prevents functions from inlining forcefully 33 | #if defined(_MSC_VER) 34 | #define NOINLINE __declspec(noinline) 35 | #else 36 | #define NOINLINE __attribute__((noinline)) 37 | #endif 38 | 39 | #ifdef _MSC_VER 40 | #ifdef defined(i386) || defined(__i386__) || defined(__i386) || defined(_M_IX86) 41 | #define NAKED __declspec (naked) 42 | #else // no naked on x64 w0mp w0mp (note that's the reason why it will crash) 43 | #define NAKED 44 | #endif 45 | #else 46 | #define NAKED __attribute__((naked)) 47 | #endif 48 | 49 | // We can hash in compile-time to avoid using string comparing in the shellcode. That saves time & space 50 | template 51 | INLINE constexpr T ensure_constexpr() { return value; } 52 | #define CONSTEXPR(x) ensure_constexpr() 53 | 54 | INLINE constexpr int adler32(const char* data) { 55 | long kModulus = 65521, a = 1, b = 0; 56 | for (int i = 0; data[i] != 0; i++) { 57 | a = (a + data[i]) % kModulus; 58 | b = (b + a) % kModulus; 59 | } 60 | return (b << 16) | a; 61 | } 62 | 63 | #define HASH(x) CONSTEXPR(adler32(x)) 64 | 65 | // On windows we use PEB & TEB 66 | #ifdef _WINDOWS 67 | #include 68 | 69 | #ifndef __NTDLL_H__ 70 | 71 | #ifndef TO_LOWERCASE 72 | #define TO_LOWERCASE(out, c1) (out = (c1 <= 'Z' && c1 >= 'A') ? 
c1 = (c1 - 'A') + 'a': c1) 73 | #endif 74 | 75 | typedef struct _UNICODE_STRING { 76 | USHORT Length; 77 | USHORT MaximumLength; 78 | PWSTR Buffer; 79 | 80 | } UNICODE_STRING, * PUNICODE_STRING; 81 | 82 | typedef struct _PEB_LDR_DATA { 83 | ULONG Length; 84 | BOOLEAN Initialized; 85 | HANDLE SsHandle; 86 | LIST_ENTRY InLoadOrderModuleList; 87 | LIST_ENTRY InMemoryOrderModuleList; 88 | LIST_ENTRY InInitializationOrderModuleList; 89 | PVOID EntryInProgress; 90 | 91 | } PEB_LDR_DATA, * PPEB_LDR_DATA; 92 | 93 | //here we don't want to use any functions imported form extenal modules 94 | 95 | typedef struct _LDR_DATA_TABLE_ENTRY { 96 | LIST_ENTRY InLoadOrderModuleList; 97 | LIST_ENTRY InMemoryOrderModuleList; 98 | LIST_ENTRY InInitializationOrderModuleList; 99 | void* BaseAddress; 100 | void* EntryPoint; 101 | ULONG SizeOfImage; 102 | UNICODE_STRING FullDllName; 103 | UNICODE_STRING BaseDllName; 104 | ULONG Flags; 105 | SHORT LoadCount; 106 | SHORT TlsIndex; 107 | HANDLE SectionHandle; 108 | ULONG CheckSum; 109 | ULONG TimeDateStamp; 110 | } LDR_DATA_TABLE_ENTRY, * PLDR_DATA_TABLE_ENTRY; 111 | 112 | 113 | typedef struct _PEB { 114 | BOOLEAN InheritedAddressSpace; 115 | BOOLEAN ReadImageFileExecOptions; 116 | BOOLEAN BeingDebugged; 117 | BOOLEAN SpareBool; 118 | HANDLE Mutant; 119 | 120 | PVOID ImageBaseAddress; 121 | PPEB_LDR_DATA Ldr; 122 | // ... 
123 | 124 | } PEB, * PPEB; 125 | 126 | #endif //__NTDLL_H__ 127 | 128 | /* Resolve a loaded module's base address from the PEB without any imports. Walks PEB->Ldr->InLoadOrderModuleList (the PEB is read via gs:0x60 on x64 and fs:0x30 on x86) and returns the BaseAddress of the first entry whose BaseDllName equals module_name after ASCII case-folding with TO_LOWERCASE. Returns NULL when no entry matches; the loop relies on the list head reading back as a NULL BaseAddress to terminate — confirm against the PEB_LDR_DATA layout above. */ INLINE LPVOID get_module_handle(WCHAR* module_name) { 129 | PPEB peb = NULL; 130 | #if defined(_WIN64) 131 | peb = reinterpret_cast(__readgsqword(0x60)); 132 | #else 133 | peb = reinterpret_cast(__readfsdword(0x30)); 134 | #endif 135 | PPEB_LDR_DATA ldr = peb->Ldr; 136 | LIST_ENTRY list = ldr->InLoadOrderModuleList; 137 | 138 | /* list.Flink is the first LDR_DATA_TABLE_ENTRY because InLoadOrderModuleList is that struct's first member. */ PLDR_DATA_TABLE_ENTRY Flink = *((PLDR_DATA_TABLE_ENTRY*)(&list)); 139 | PLDR_DATA_TABLE_ENTRY curr_module = Flink; 140 | 141 | while (curr_module != NULL && curr_module->BaseAddress != NULL) { 142 | /* NOTE(review): 'continue' skips the Flink advance at the bottom of the loop, so an entry with a NULL Buffer spins here forever; advance curr_module before continuing. */ if (curr_module->BaseDllName.Buffer == NULL) continue; 143 | WCHAR* curr_name = curr_module->BaseDllName.Buffer; 144 | 145 | size_t i = 0; 146 | /* Character-by-character case-insensitive compare, stopping at the first NUL in either string. BaseDllName.Length is not consulted, so this assumes the loader keeps Buffer NUL-terminated — confirm. */ for (i = 0; module_name[i] != 0 && curr_name[i] != 0; i++) { 147 | WCHAR c1, c2; 148 | /* NOTE(review): the true branch of TO_LOWERCASE assigns back to its second argument (c1 = ... in the macro), so these two lines rewrite module_name[i] and the loader's own BaseDllName buffer in place rather than only filling c1/c2. */ TO_LOWERCASE(c1, module_name[i]); 149 | TO_LOWERCASE(c2, curr_name[i]); 150 | if (c1 != c2) break; 151 | } 152 | if (module_name[i] == 0 && curr_name[i] == 0) 153 | return curr_module->BaseAddress; 154 | curr_module = (PLDR_DATA_TABLE_ENTRY)curr_module->InLoadOrderModuleList.Flink; 155 | } 156 | return NULL; 157 | } 158 | 159 | /* Resolve an export of module by the adler32 hash of its name (see HASH()). Returns NULL when module lacks the MZ signature or has no export directory, otherwise module + the matching function RVA; the name loop continues on the next source line. No bounds checks are applied to e_lfanew or the export RVAs, and a forwarded export (RVA pointing back into the export directory) is returned like any other, so the caller must pass a mapped image it trusts. */ INLINE LPVOID get_proc_address(LPVOID module, int hash) { 160 | IMAGE_DOS_HEADER* idh = (IMAGE_DOS_HEADER*)module; 161 | if (idh->e_magic != IMAGE_DOS_SIGNATURE) return NULL; 162 | 163 | IMAGE_NT_HEADERS* nt_headers = (IMAGE_NT_HEADERS*)((BYTE*)module + idh->e_lfanew); 164 | IMAGE_DATA_DIRECTORY* exportsDir = &(nt_headers->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]); 165 | if (exportsDir->VirtualAddress == NULL) return NULL; 166 | 167 | IMAGE_EXPORT_DIRECTORY* exp = (IMAGE_EXPORT_DIRECTORY*)(exportsDir->VirtualAddress + (ULONG_PTR)module); 168 | 169 | // Iterate through names 170 | for (SIZE_T i = 0; i < exp->NumberOfNames; i++) { 171 | DWORD* nameRVA = (DWORD*)((exp->AddressOfNames + (BYTE*)module) + i * sizeof(DWORD)); 172 | WORD* nameIndex = (WORD*)((exp->AddressOfNameOrdinals + (BYTE*)module) + i * 
sizeof(WORD)); 173 | DWORD* funcRVA = (DWORD*)((exp->AddressOfFunctions + (BYTE*)module) + (*nameIndex) * sizeof(DWORD)); 174 | LPSTR curr_name = (LPSTR)(*nameRVA + (BYTE*)module); 175 | 176 | if (adler32(curr_name) == hash) return (BYTE*)module + (*funcRVA); 177 | } 178 | return NULL; 179 | } 180 | 181 | /* 182 | int dump_pe_section(char* file, char* section, char* output) { 183 | FILE* inputFile = fopen(file, "rb"); 184 | if (inputFile == NULL) { 185 | printf("Unable to open input file.\n"); 186 | return 1; 187 | } 188 | 189 | FILE* outputFile = fopen(output, "wb"); 190 | if (outputFile == NULL) { 191 | printf("Unable to open output file.\n"); 192 | fclose(inputFile); 193 | return 2; 194 | } 195 | 196 | IMAGE_DOS_HEADER dosHeader; 197 | fread(&dosHeader, sizeof(IMAGE_DOS_HEADER), 1, inputFile); 198 | 199 | fseek(inputFile, dosHeader.e_lfanew, SEEK_SET); 200 | 201 | IMAGE_NT_HEADERS ntHeader; 202 | fread(&ntHeader, sizeof(IMAGE_NT_HEADERS), 1, inputFile); 203 | 204 | IMAGE_SECTION_HEADER sectionHeader; 205 | for (int i = 0; i < ntHeader.FileHeader.NumberOfSections; i++) { 206 | fread(§ionHeader, sizeof(IMAGE_SECTION_HEADER), 1, inputFile); 207 | if (strncmp((char*)sectionHeader.Name, section, 8) == 0) { 208 | char* buffer = (char*)malloc(sectionHeader.SizeOfRawData); 209 | fseek(inputFile, sectionHeader.PointerToRawData, SEEK_SET); 210 | fread(buffer, sectionHeader.SizeOfRawData, 1, inputFile); 211 | fwrite(buffer, sectionHeader.SizeOfRawData, 1, outputFile); 212 | free(buffer); 213 | fclose(outputFile); 214 | fclose(inputFile); 215 | return 0; 216 | } 217 | } 218 | fclose(outputFile); 219 | fclose(inputFile); 220 | return 3; 221 | }*/ 222 | 223 | #elif defined(_LINUX) 224 | 225 | #define SYSCALL(...) 
inline_syscall(__VA_ARGS__) 226 | 227 | /* Raw Linux syscall trampoline so the shellcode needs no libc. Loads syscall_number and the five arguments into the target's syscall registers, traps, and returns the kernel's raw return value (a negative -errno on failure, not errno). Covers x86_64 (syscall), i386 (int 0x80), ARM EABI (swi 0, number in r7) and AArch64 (svc 0, number in x8); any other target fails at compile time. Only five arguments are wired up, so six-argument syscalls cannot be issued through it. */ INLINE long inline_syscall(long syscall_number, long arg1, long arg2, long arg3, long arg4, long arg5) { 228 | long ret; 229 | #if defined(__x86_64__) 230 | /* NOTE(review): the syscall instruction itself clobbers rcx and r11, which are missing from this clobber list, and none of the four blocks declare a "memory" clobber; add "rcx", "r11" here and "memory" everywhere so the compiler neither keeps live values in those registers nor reorders loads/stores (e.g. a buffer filled by read) across the trap. */ __asm__ volatile ( 231 | "mov %1, %%rax;" 232 | "mov %2, %%rdi;" 233 | "mov %3, %%rsi;" 234 | "mov %4, %%rdx;" 235 | "mov %5, %%r10;" 236 | "mov %6, %%r8;" 237 | "syscall;" 238 | "mov %%rax, %0;" 239 | : "=m" (ret) 240 | : "g" (syscall_number), "g" (arg1), "g" (arg2), "g" (arg3), "g" (arg4), "g" (arg5) 241 | : "%rax", "%rdi", "%rsi", "%rdx", "%r10", "%r8" 242 | ); 243 | #elif defined(__i386__) 244 | /* All six general-purpose registers are clobbered, so the "g" inputs can only be satisfied from memory or immediates. */ __asm__ volatile ( 245 | "mov %1, %%eax;" 246 | "mov %2, %%ebx;" 247 | "mov %3, %%ecx;" 248 | "mov %4, %%edx;" 249 | "mov %5, %%esi;" 250 | "mov %6, %%edi;" 251 | "int $0x80;" 252 | "mov %%eax, %0;" 253 | : "=m" (ret) 254 | : "g" (syscall_number), "g" (arg1), "g" (arg2), "g" (arg3), "g" (arg4), "g" (arg5) 255 | : "%eax", "%ebx", "%ecx", "%edx", "%esi", "%edi" 256 | ); 257 | #elif defined(__arm__) 258 | __asm__ volatile ( 259 | "mov r7, %1;" 260 | "mov r0, %2;" 261 | "mov r1, %3;" 262 | "mov r2, %4;" 263 | "mov r3, %5;" 264 | "mov r4, %6;" 265 | "swi 0;" 266 | "mov %0, r0;" 267 | : "=r" (ret) 268 | : "r" (syscall_number), "r" (arg1), "r" (arg2), "r" (arg3), "r" (arg4), "r" (arg5) 269 | : "r0", "r1", "r2", "r3", "r4", "r7" 270 | ); 271 | #elif defined(__aarch64__) 272 | __asm__ volatile ( 273 | "mov x8, %1;" 274 | "mov x0, %2;" 275 | "mov x1, %3;" 276 | "mov x2, %4;" 277 | "mov x3, %5;" 278 | "mov x4, %6;" 279 | "svc 0;" 280 | "mov %0, x0;" 281 | : "=r" (ret) 282 | : "r" (syscall_number), "r" (arg1), "r" (arg2), "r" (arg3), "r" (arg4), "r" (arg5) 283 | : "x0", "x1", "x2", "x3", "x4", "x8" 284 | ); 285 | #else 286 | #error "Unsupported architecture" 287 | #endif 288 | return ret; 289 | } 290 | #endif 291 | 292 | #endif -------------------------------------------------------------------------------- /Loader/x64/Release/Loader.Build.CppClean.log: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/ac3ss0r/c2shell/f71c9ade9e675bc7c9cc62c298aad47a5921ca4e/Loader/x64/Release/Loader.Build.CppClean.log -------------------------------------------------------------------------------- /Loader/x64/Release/Loader.exe.recipe: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | C:\Users\admin\Documents\GitHub\ShellcodeLab\x64\Release\Loader.exe 6 | 7 | 8 | 9 | 10 | 11 | -------------------------------------------------------------------------------- /Loader/x64/Release/Loader.log: -------------------------------------------------------------------------------- 1 |  Loader.cpp 2 | C:\Users\admin\Documents\GitHub\ShellcodeLab\Loader\shcutils.h(40,1): warning C4067: непредвиденные лексемы за директивой препроцессора, требуется newline 3 | Создание кода 4 | Previous IPDB not found, fall back to full compilation. 5 | All 5 functions were compiled because no usable IPDB/IOBJ from previous compilation was found. 
6 | Создание кода завершено 7 | Loader.vcxproj -> C:\Users\admin\Documents\GitHub\ShellcodeLab\x64\Release\Loader.exe 8 | -------------------------------------------------------------------------------- /Loader/x64/Release/Loader.tlog/CL.command.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ac3ss0r/c2shell/f71c9ade9e675bc7c9cc62c298aad47a5921ca4e/Loader/x64/Release/Loader.tlog/CL.command.1.tlog -------------------------------------------------------------------------------- /Loader/x64/Release/Loader.tlog/Loader.lastbuildstate: -------------------------------------------------------------------------------- 1 | PlatformToolSet=v142:VCToolArchitecture=Native32Bit:VCToolsVersion=14.29.30133:TargetPlatformVersion=10.0.19041.0: 2 | Release|x64|C:\Users\admin\Documents\GitHub\ShellcodeLab\| 3 | -------------------------------------------------------------------------------- /Loader/x64/Release/Loader.vcxproj.FileListAbsolute.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ac3ss0r/c2shell/f71c9ade9e675bc7c9cc62c298aad47a5921ca4e/Loader/x64/Release/Loader.vcxproj.FileListAbsolute.txt -------------------------------------------------------------------------------- /Loader/x64/Release/vc142.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ac3ss0r/c2shell/f71c9ade9e675bc7c9cc62c298aad47a5921ca4e/Loader/x64/Release/vc142.pdb -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # c2shell 2 | A C/C++ framework designed to simplify shellcode creation on any compilers and platforms using C. Supports Windows & Linux, and practically any existing architecture. 
3 | 4 | ## ℹ️ Overview & theory 5 | A shellcode is position-independent machine code which can be executed from any location in a program. Shellcodes are commonly used by cyber-security engineers, hackers and low-level developers (anti-cheats, protections, etc.). This project presents a way to create shellcodes easily in pure C, without any ASM usage, allowing one to write universal shellcodes across architectures/platforms. On Windows, the PEB (Process Environment Block) and TEB (Thread Environment Block) can be used to obtain function addresses without using any externals. On Linux you can just use syscalls. 6 | 7 | 
8 | 9 | Two methods are used to mark & dump shellcode from a compiled C method 10 |
11 |
12 |
13 | 14 | When compiled, the shellcode is placed in a separate section 15 | 

16 | 17 | This way the shellcode can be extracted via 2 methods: function address subtraction at runtime, or PE/ELF section parsing. I prefer the first one, since it is simpler and more universal. 18 | 19 | 
20 | 21 | Function address subtraction to extract shellcode 22 | 
23 | 24 | ## ℹ️ Demonstration 25 |
26 | 27 | Microsoft Visual C++ compiler 28 |
29 |
30 |
31 | 32 | Clang (LLVM/MinGW) compiler 33 |
34 |
35 |
36 | 37 | Clang ARM64 (Android) compiler 38 |
39 | -------------------------------------------------------------------------------- /Shellcode/Debug/Shellcode.Build.CppClean.log: -------------------------------------------------------------------------------- 1 | c:\users\admin\desktop\shellcode funnies\shellcode\shellcode\debug\vc142.pdb 2 | c:\users\admin\desktop\shellcode funnies\shellcode\shellcode\debug\vc142.idb 3 | c:\users\admin\desktop\shellcode funnies\shellcode\shellcode\debug\shellcode.obj 4 | c:\users\admin\desktop\shellcode funnies\shellcode\shellcode\debug\shellcode.ilk 5 | c:\users\admin\desktop\shellcode funnies\shellcode\debug\shellcode.exe 6 | c:\users\admin\desktop\shellcode funnies\shellcode\debug\shellcode.pdb 7 | c:\users\admin\documents\github\shellcodelab\shellcode\debug\shellcode.ilk 8 | c:\users\admin\documents\github\shellcodelab\shellcode\debug\vc142.idb 9 | c:\users\admin\documents\github\shellcodelab\shellcode\debug\vc142.pdb 10 | c:\users\admin\documents\github\shellcodelab\shellcode\debug\shellcode.tlog\cl.command.1.tlog 11 | c:\users\admin\documents\github\shellcodelab\shellcode\debug\shellcode.tlog\cl.read.1.tlog 12 | c:\users\admin\documents\github\shellcodelab\shellcode\debug\shellcode.tlog\cl.write.1.tlog 13 | c:\users\admin\documents\github\shellcodelab\shellcode\debug\shellcode.tlog\link.command.1.tlog 14 | c:\users\admin\documents\github\shellcodelab\shellcode\debug\shellcode.tlog\link.read.1.tlog 15 | c:\users\admin\documents\github\shellcodelab\shellcode\debug\shellcode.tlog\link.write.1.tlog 16 | -------------------------------------------------------------------------------- /Shellcode/Debug/Shellcode.exe.recipe: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | C:\Users\admin\Documents\GitHub\ShellcodeLab\Debug\Shellcode.exe 6 | 7 | 8 | 9 | 10 | 11 | -------------------------------------------------------------------------------- /Shellcode/Debug/Shellcode.ilk: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/ac3ss0r/c2shell/f71c9ade9e675bc7c9cc62c298aad47a5921ca4e/Shellcode/Debug/Shellcode.ilk -------------------------------------------------------------------------------- /Shellcode/Debug/Shellcode.log: -------------------------------------------------------------------------------- 1 |  shellcode.cpp 2 | C:\Users\admin\Documents\GitHub\ShellcodeLab\Shellcode\shcutils.h(40,1): warning C4067: непредвиденные лексемы за директивой препроцессора, требуется newline 3 | Shellcode.vcxproj -> C:\Users\admin\Documents\GitHub\ShellcodeLab\Debug\Shellcode.exe 4 | -------------------------------------------------------------------------------- /Shellcode/Debug/Shellcode.tlog/CL.command.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ac3ss0r/c2shell/f71c9ade9e675bc7c9cc62c298aad47a5921ca4e/Shellcode/Debug/Shellcode.tlog/CL.command.1.tlog -------------------------------------------------------------------------------- /Shellcode/Debug/Shellcode.tlog/CL.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ac3ss0r/c2shell/f71c9ade9e675bc7c9cc62c298aad47a5921ca4e/Shellcode/Debug/Shellcode.tlog/CL.read.1.tlog -------------------------------------------------------------------------------- /Shellcode/Debug/Shellcode.tlog/CL.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ac3ss0r/c2shell/f71c9ade9e675bc7c9cc62c298aad47a5921ca4e/Shellcode/Debug/Shellcode.tlog/CL.write.1.tlog -------------------------------------------------------------------------------- /Shellcode/Debug/Shellcode.tlog/Shellcode.lastbuildstate: -------------------------------------------------------------------------------- 1 | 
PlatformToolSet=v142:VCToolArchitecture=Native32Bit:VCToolsVersion=14.29.30133:TargetPlatformVersion=10.0.19041.0: 2 | Debug|Win32|C:\Users\admin\Documents\GitHub\ShellcodeLab\| 3 | -------------------------------------------------------------------------------- /Shellcode/Debug/Shellcode.tlog/link.command.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ac3ss0r/c2shell/f71c9ade9e675bc7c9cc62c298aad47a5921ca4e/Shellcode/Debug/Shellcode.tlog/link.command.1.tlog -------------------------------------------------------------------------------- /Shellcode/Debug/Shellcode.tlog/link.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ac3ss0r/c2shell/f71c9ade9e675bc7c9cc62c298aad47a5921ca4e/Shellcode/Debug/Shellcode.tlog/link.read.1.tlog -------------------------------------------------------------------------------- /Shellcode/Debug/Shellcode.tlog/link.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ac3ss0r/c2shell/f71c9ade9e675bc7c9cc62c298aad47a5921ca4e/Shellcode/Debug/Shellcode.tlog/link.write.1.tlog -------------------------------------------------------------------------------- /Shellcode/Debug/Shellcode.vcxproj.FileListAbsolute.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ac3ss0r/c2shell/f71c9ade9e675bc7c9cc62c298aad47a5921ca4e/Shellcode/Debug/Shellcode.vcxproj.FileListAbsolute.txt -------------------------------------------------------------------------------- /Shellcode/Debug/vc142.idb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ac3ss0r/c2shell/f71c9ade9e675bc7c9cc62c298aad47a5921ca4e/Shellcode/Debug/vc142.idb -------------------------------------------------------------------------------- 
/Shellcode/Debug/vc142.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ac3ss0r/c2shell/f71c9ade9e675bc7c9cc62c298aad47a5921ca4e/Shellcode/Debug/vc142.pdb -------------------------------------------------------------------------------- /Shellcode/Release/Shellcode.Build.CppClean.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ac3ss0r/c2shell/f71c9ade9e675bc7c9cc62c298aad47a5921ca4e/Shellcode/Release/Shellcode.Build.CppClean.log -------------------------------------------------------------------------------- /Shellcode/Release/Shellcode.exe.recipe: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | C:\Users\admin\Documents\GitHub\ShellcodeLab\Release\Shellcode.exe 6 | 7 | 8 | 9 | 10 | 11 | -------------------------------------------------------------------------------- /Shellcode/Release/Shellcode.log: -------------------------------------------------------------------------------- 1 | cl : командная строка warning D9025: переопределение "/GS" на "/GS-" 2 | cl : командная строка warning D9025: переопределение "/sdl" на "/GS-" 3 | shellcode.cpp 4 | C:\Users\admin\Documents\GitHub\ShellcodeLab\Shellcode\shcutils.h(40,1): warning C4067: непредвиденные лексемы за директивой препроцессора, требуется newline 5 | Shellcode.vcxproj -> C:\Users\admin\Documents\GitHub\ShellcodeLab\Release\Shellcode.exe 6 | -------------------------------------------------------------------------------- /Shellcode/Release/Shellcode.vcxproj.FileListAbsolute.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ac3ss0r/c2shell/f71c9ade9e675bc7c9cc62c298aad47a5921ca4e/Shellcode/Release/Shellcode.vcxproj.FileListAbsolute.txt -------------------------------------------------------------------------------- /Shellcode/Shellcode.vcxproj: 
-------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 16.0 23 | Win32Proj 24 | {62cad85a-3cd3-4cd5-8837-0410f3478dbe} 25 | Shellcode 26 | 10.0 27 | 28 | 29 | 30 | Application 31 | true 32 | v142 33 | Unicode 34 | 35 | 36 | Application 37 | false 38 | v142 39 | true 40 | Unicode 41 | 42 | 43 | Application 44 | true 45 | v142 46 | Unicode 47 | 48 | 49 | Application 50 | false 51 | v142 52 | true 53 | Unicode 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | true 75 | 76 | 77 | false 78 | false 79 | 80 | 81 | true 82 | 83 | 84 | false 85 | 86 | 87 | 88 | Level3 89 | true 90 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 91 | true 92 | MultiThreaded 93 | 94 | 95 | Console 96 | true 97 | 98 | 99 | 100 | 101 | Level3 102 | true 103 | true 104 | true 105 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 106 | true 107 | /c /FA /GS- %(AdditionalOptions) 108 | false 109 | MinSpace 110 | OnlyExplicitInline 111 | Size 112 | 113 | 114 | Console 115 | false 116 | Default 117 | true 118 | true 119 | 120 | 121 | 122 | 123 | Level3 124 | true 125 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 126 | true 127 | 128 | 129 | Console 130 | true 131 | 132 | 133 | 134 | 135 | Level3 136 | true 137 | true 138 | true 139 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 140 | true 141 | MinSpace 142 | false 143 | Size 144 | 145 | 146 | Console 147 | true 148 | true 149 | true 150 | 151 | 152 | 153 | 154 | 155 | 156 | 157 | 158 | 159 | 160 | 161 | -------------------------------------------------------------------------------- /Shellcode/Shellcode.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 
| 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Исходные файлы 20 | 21 | 22 | 23 | 24 | Файлы заголовков 25 | 26 | 27 | -------------------------------------------------------------------------------- /Shellcode/Shellcode.vcxproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | -------------------------------------------------------------------------------- /Shellcode/shcutils.h: -------------------------------------------------------------------------------- 1 | #ifndef PEB_H 2 | #define PEB_H 3 | 4 | #if defined(_WIN64) || defined(WIN64) || defined(WIN32) || defined(_WIN32) || defined(__WIN32__) || defined(__NT__) 5 | #define _WINDOWS 6 | #elif defined(__linux__) || defined(__ANDROID__) 7 | #define _LINUX 8 | #endif 9 | 10 | #ifdef _WINDOWS 11 | #include 12 | #elif defined(_LINUX) 13 | #include 14 | #include 15 | #endif 16 | 17 | // Create custom sections on both clang & msc++ 18 | #if defined(_MSC_VER) 19 | #define SECTION_CODE(x) __declspec(code_seg(x)) 20 | #define SECTION_FLD(x) __declspec(allocate(x)) 21 | #else 22 | #define SECTION_CODE(x) __attribute__((section(x))) 23 | #define SECTION_FLD(x) __attribute__((section(x))) 24 | #endif 25 | 26 | #if defined(_MSC_VER) && !defined(__llvm__) 27 | #define INLINE __forceinline // Visual C++ 28 | #else 29 | #define INLINE __attribute__((always_inline)) inline // GCC/G++/CLANG 30 | #endif 31 | 32 | // Prevents functions from inlining forcefully 33 | #if defined(_MSC_VER) && !defined(__llvm__) 34 | #define NOINLINE __declspec(noinline) 35 | #else 36 | #define NOINLINE __attribute__((noinline)) 37 | #endif 38 | 39 | #if defined(_MSC_VER) && !defined(__llvm__) 40 | #ifdef defined(i386) || defined(__i386__) || defined(__i386) || defined(_M_IX86) 41 | #define 
NAKED __declspec (naked) 42 | #else // no naked on x64 for visual C++ w0mp w0mp (note that's the reason why it will crash) 43 | #define NAKED 44 | #endif 45 | #else 46 | #define NAKED __attribute__((naked)) 47 | #endif 48 | 49 | #define TO_LOWERCASE(c1) (c1 <= (char)'Z' && c1 >= (char)'A' ? (c1 - (char)'A') + (char)'a' : c1) 50 | 51 | // We can hash in compile-time to avoid using string comparing in the shellcode. That saves time & space 52 | template 53 | INLINE constexpr T ensure_constexpr() { return value; } 54 | #define CONSTEXPR(x) ensure_constexpr() 55 | 56 | template 57 | INLINE constexpr int adler32(const T* data) { 58 | long kModulus = 65521, a = 1, b = 0; 59 | for (int i = 0; data[i] != 0; i++) { 60 | a = (a + data[i]) % kModulus; 61 | b = (b + a) % kModulus; 62 | } 63 | return (b << 16) | a; 64 | } 65 | 66 | #define HASH(x) CONSTEXPR(adler32(x)) 67 | 68 | // On windows we use PEB & TEB 69 | #ifdef _WINDOWS 70 | 71 | #ifndef __NTDLL_H__ 72 | 73 | typedef struct _UNICODE_STRING { 74 | USHORT Length; 75 | USHORT MaximumLength; 76 | PWSTR Buffer; 77 | 78 | } UNICODE_STRING, * PUNICODE_STRING; 79 | 80 | typedef struct _PEB_LDR_DATA { 81 | ULONG Length; 82 | BOOLEAN Initialized; 83 | HANDLE SsHandle; 84 | LIST_ENTRY InLoadOrderModuleList; 85 | LIST_ENTRY InMemoryOrderModuleList; 86 | LIST_ENTRY InInitializationOrderModuleList; 87 | PVOID EntryInProgress; 88 | 89 | } PEB_LDR_DATA, * PPEB_LDR_DATA; 90 | 91 | //here we don't want to use any functions imported form extenal modules 92 | 93 | typedef struct _LDR_DATA_TABLE_ENTRY { 94 | LIST_ENTRY InLoadOrderModuleList; 95 | LIST_ENTRY InMemoryOrderModuleList; 96 | LIST_ENTRY InInitializationOrderModuleList; 97 | void* BaseAddress; 98 | void* EntryPoint; 99 | ULONG SizeOfImage; 100 | UNICODE_STRING FullDllName; 101 | UNICODE_STRING BaseDllName; 102 | ULONG Flags; 103 | SHORT LoadCount; 104 | SHORT TlsIndex; 105 | HANDLE SectionHandle; 106 | ULONG CheckSum; 107 | ULONG TimeDateStamp; 108 | } LDR_DATA_TABLE_ENTRY, * 
PLDR_DATA_TABLE_ENTRY; 109 | 110 | 111 | typedef struct _PEB { 112 | BOOLEAN InheritedAddressSpace; 113 | BOOLEAN ReadImageFileExecOptions; 114 | BOOLEAN BeingDebugged; 115 | BOOLEAN SpareBool; 116 | HANDLE Mutant; 117 | 118 | PVOID ImageBaseAddress; 119 | PPEB_LDR_DATA Ldr; 120 | // ... 121 | 122 | } PEB, * PPEB; 123 | 124 | #endif //__NTDLL_H__ 125 | 126 | /* Resolve a loaded module's base address from the PEB without any imports. Walks PEB->Ldr->InLoadOrderModuleList (the PEB is read via gs:0x60 on x64 and fs:0x30 on x86), lower-cases each entry's BaseDllName into a stack buffer and returns the BaseAddress of the first entry whose adler32 hash equals hash (see HASH()). Returns NULL when no entry matches; the loop relies on the list head reading back as a NULL BaseAddress to terminate — confirm against the PEB_LDR_DATA layout above. */ INLINE LPVOID get_module_handle(int hash) { 127 | PPEB peb = NULL; 128 | #if defined(_WIN64) 129 | peb = reinterpret_cast(__readgsqword(0x60)); 130 | #else 131 | peb = reinterpret_cast(__readfsdword(0x30)); 132 | #endif 133 | PPEB_LDR_DATA ldr = peb->Ldr; 134 | LIST_ENTRY list = ldr->InLoadOrderModuleList; 135 | 136 | /* list.Flink is the first LDR_DATA_TABLE_ENTRY because InLoadOrderModuleList is that struct's first member. */ PLDR_DATA_TABLE_ENTRY Flink = *((PLDR_DATA_TABLE_ENTRY*)(&list)); 137 | PLDR_DATA_TABLE_ENTRY curr_module = Flink; 138 | 139 | while (curr_module != NULL && curr_module->BaseAddress != NULL) { 140 | /* NOTE(review): 'continue' skips the Flink advance at the bottom of the loop, so an entry with a NULL Buffer spins here forever; advance curr_module before continuing. */ if (curr_module->BaseDllName.Buffer == NULL) continue; 141 | 142 | /* NOTE(review): temp is never NUL-terminated and the copy below is bounded only by BaseDllName.Length, which for a UNICODE_STRING counts bytes, not WCHARs. A name longer than the buffer overruns the stack, and adler32() then keeps scanning past the copied characters into stale stack until it happens upon a zero, so the hash is both unsafe and non-deterministic. Copy at most Length / sizeof(WCHAR) characters, bounds-check against 63, and write a terminating 0. */ WCHAR temp[64]; 143 | for (volatile int i = 0; i < curr_module->BaseDllName.Length; i++) 144 | temp[i] = TO_LOWERCASE(curr_module->BaseDllName.Buffer[i]); 145 | 146 | if (adler32(temp) == hash) 147 | return curr_module->BaseAddress; 148 | 149 | curr_module = (PLDR_DATA_TABLE_ENTRY)curr_module->InLoadOrderModuleList.Flink; 150 | } 151 | return NULL; 152 | } 153 | 154 | /* Resolve an export of module by the adler32 hash of its name (see HASH()). Returns NULL when module lacks the MZ signature or has no export directory, otherwise module + the matching function RVA; the name loop continues on the next source line. No bounds checks are applied to e_lfanew or the export RVAs, and a forwarded export (RVA pointing back into the export directory) is returned like any other, so the caller must pass a mapped image it trusts. */ INLINE LPVOID get_proc_address(LPVOID module, int hash) { 155 | IMAGE_DOS_HEADER* idh = (IMAGE_DOS_HEADER*)module; 156 | if (idh->e_magic != IMAGE_DOS_SIGNATURE) return NULL; 157 | 158 | IMAGE_NT_HEADERS* nt_headers = (IMAGE_NT_HEADERS*)((BYTE*)module + idh->e_lfanew); 159 | IMAGE_DATA_DIRECTORY* exportsDir = &(nt_headers->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]); 160 | if (exportsDir->VirtualAddress == NULL) return NULL; 161 | 162 | IMAGE_EXPORT_DIRECTORY* exp = (IMAGE_EXPORT_DIRECTORY*)(exportsDir->VirtualAddress + (ULONG_PTR)module); 163 | 164 | // Iterate through names 165 | for (SIZE_T i = 0; i < exp->NumberOfNames; i++) { 166 | DWORD* nameRVA = 
(DWORD*)((exp->AddressOfNames + (BYTE*)module) + i * sizeof(DWORD)); 167 | WORD* nameIndex = (WORD*)((exp->AddressOfNameOrdinals + (BYTE*)module) + i * sizeof(WORD)); 168 | DWORD* funcRVA = (DWORD*)((exp->AddressOfFunctions + (BYTE*)module) + (*nameIndex) * sizeof(DWORD)); 169 | LPSTR curr_name = (LPSTR)(*nameRVA + (BYTE*)module); 170 | 171 | if (adler32(curr_name) == hash) return (BYTE*)module + (*funcRVA); 172 | } 173 | return NULL; 174 | } 175 | 176 | /* 177 | int dump_pe_section(char* file, char* section, char* output) { 178 | FILE* inputFile = fopen(file, "rb"); 179 | if (inputFile == NULL) { 180 | printf("Unable to open input file.\n"); 181 | return 1; 182 | } 183 | 184 | FILE* outputFile = fopen(output, "wb"); 185 | if (outputFile == NULL) { 186 | printf("Unable to open output file.\n"); 187 | fclose(inputFile); 188 | return 2; 189 | } 190 | 191 | IMAGE_DOS_HEADER dosHeader; 192 | fread(&dosHeader, sizeof(IMAGE_DOS_HEADER), 1, inputFile); 193 | 194 | fseek(inputFile, dosHeader.e_lfanew, SEEK_SET); 195 | 196 | IMAGE_NT_HEADERS ntHeader; 197 | fread(&ntHeader, sizeof(IMAGE_NT_HEADERS), 1, inputFile); 198 | 199 | IMAGE_SECTION_HEADER sectionHeader; 200 | for (int i = 0; i < ntHeader.FileHeader.NumberOfSections; i++) { 201 | fread(§ionHeader, sizeof(IMAGE_SECTION_HEADER), 1, inputFile); 202 | if (strncmp((char*)sectionHeader.Name, section, 8) == 0) { 203 | char* buffer = (char*)malloc(sectionHeader.SizeOfRawData); 204 | fseek(inputFile, sectionHeader.PointerToRawData, SEEK_SET); 205 | fread(buffer, sectionHeader.SizeOfRawData, 1, inputFile); 206 | fwrite(buffer, sectionHeader.SizeOfRawData, 1, outputFile); 207 | free(buffer); 208 | fclose(outputFile); 209 | fclose(inputFile); 210 | return 0; 211 | } 212 | } 213 | fclose(outputFile); 214 | fclose(inputFile); 215 | return 3; 216 | }*/ 217 | 218 | #elif defined(_LINUX) 219 | 220 | #define SYSCALL(...) 
inline_syscall(__VA_ARGS__) 221 | 222 | INLINE long inline_syscall(long syscall_number, long arg1, long arg2, long arg3, long arg4, long arg5) { 223 | long ret; 224 | #if defined(__x86_64__) 225 | __asm__ volatile ( 226 | "mov %1, %%rax;" 227 | "mov %2, %%rdi;" 228 | "mov %3, %%rsi;" 229 | "mov %4, %%rdx;" 230 | "mov %5, %%r10;" 231 | "mov %6, %%r8;" 232 | "syscall;" 233 | "mov %%rax, %0;" 234 | : "=m" (ret) 235 | : "g" (syscall_number), "g" (arg1), "g" (arg2), "g" (arg3), "g" (arg4), "g" (arg5) 236 | : "%rax", "%rdi", "%rsi", "%rdx", "%r10", "%r8" 237 | ); 238 | #elif defined(__i386__) 239 | __asm__ volatile ( 240 | "mov %1, %%eax;" 241 | "mov %2, %%ebx;" 242 | "mov %3, %%ecx;" 243 | "mov %4, %%edx;" 244 | "mov %5, %%esi;" 245 | "mov %6, %%edi;" 246 | "int $0x80;" 247 | "mov %%eax, %0;" 248 | : "=m" (ret) 249 | : "g" (syscall_number), "g" (arg1), "g" (arg2), "g" (arg3), "g" (arg4), "g" (arg5) 250 | : "%eax", "%ebx", "%ecx", "%edx", "%esi", "%edi" 251 | ); 252 | #elif defined(__arm__) 253 | __asm__ volatile ( 254 | "mov r7, %1;" 255 | "mov r0, %2;" 256 | "mov r1, %3;" 257 | "mov r2, %4;" 258 | "mov r3, %5;" 259 | "mov r4, %6;" 260 | "swi 0;" 261 | "mov %0, r0;" 262 | : "=r" (ret) 263 | : "r" (syscall_number), "r" (arg1), "r" (arg2), "r" (arg3), "r" (arg4), "r" (arg5) 264 | : "r0", "r1", "r2", "r3", "r4", "r7" 265 | ); 266 | #elif defined(__aarch64__) 267 | __asm__ volatile ( 268 | "mov x8, %1;" 269 | "mov x0, %2;" 270 | "mov x1, %3;" 271 | "mov x2, %4;" 272 | "mov x3, %5;" 273 | "mov x4, %6;" 274 | "svc 0;" 275 | "mov %0, x0;" 276 | : "=r" (ret) 277 | : "r" (syscall_number), "r" (arg1), "r" (arg2), "r" (arg3), "r" (arg4), "r" (arg5) 278 | : "x0", "x1", "x2", "x3", "x4", "x8" 279 | ); 280 | #else 281 | #error "Unsupported architecture" 282 | #endif 283 | return ret; 284 | } 285 | #endif 286 | 287 | #endif -------------------------------------------------------------------------------- /Shellcode/shellcode.asm: 
-------------------------------------------------------------------------------- 1 | ; Listing generated by Microsoft (R) Optimizing Compiler Version 19.29.30154.0 2 | 3 | TITLE C:\Users\admin\Documents\GitHub\ShellcodeLab\Shellcode\Release\shellcode.obj 4 | .686P 5 | .XMM 6 | include listing.inc 7 | .model flat 8 | 9 | INCLUDELIB MSVCRT 10 | INCLUDELIB OLDNAMES 11 | 12 | PUBLIC ___local_stdio_printf_options 13 | PUBLIC __vfprintf_l 14 | PUBLIC _fprintf 15 | PUBLIC _printf 16 | PUBLIC ?shellcode@@YAHXZ ; shellcode 17 | PUBLIC ?shellcode_end@@YAXXZ ; shellcode_end 18 | PUBLIC _main 19 | PUBLIC ?_OptionsStorage@?1??__local_stdio_printf_options@@9@4_KA ; `__local_stdio_printf_options'::`2'::_OptionsStorage 20 | PUBLIC ??_C@_02GMLFBBN@wb@ ; `string' 21 | PUBLIC ??_C@_0O@NFBNADIO@shellcode?4bin@ ; `string' 22 | PUBLIC ??_C@_0CC@CNIGJHCH@?$FLe?$FN?5Failed?5to?5open?5shellcode?4bi@ ; `string' 23 | PUBLIC ??_C@_0CK@CNHACEFP@?$FLi?$FN?5Shellcode?5size?3?5?$CFlu?0?5locate@ ; `string' 24 | PUBLIC ??_C@_0EF@MOLEIFGD@?$FLe?$FN?5Failed?5to?5dump?5shellcode?5to@ ; `string' 25 | PUBLIC ??_C@_0CM@JHEGLBMC@?$FLi?$FN?5Shellcode?5saved?5to?5file?5she@ ; `string' 26 | PUBLIC ??_C@_02JDPG@rb@ ; `string' 27 | PUBLIC ??_C@_0CN@KKANALMI@?$FLe?$FN?5Failed?5to?5allocate?5memory?5f@ ; `string' 28 | PUBLIC ??_C@_0BO@KJKJAGIL@?$FLe?$FN?5Failed?5to?5read?5shellcode?6@ ; `string' 29 | PUBLIC ??_C@_0CA@FFCIEFBF@?$FLi?$FN?5Loaded?5shellcode?5size?3?5?$CFld?6@ ; `string' 30 | PUBLIC ??_C@_0CI@GCOJCDBI@?$FLe?$FN?5Failed?5to?5change?5memory?5pro@ ; `string' 31 | PUBLIC ??_C@_0M@LDNOBAB@Result?3?5?$CFd?6@ ; `string' 32 | PUBLIC ??_C@_0CN@CMKKBCPN@Shellcode?5execution?5completed?5s@ ; `string' 33 | EXTRN __imp____acrt_iob_func:PROC 34 | EXTRN __imp__fclose:PROC 35 | EXTRN __imp__fopen:PROC 36 | EXTRN __imp__fread:PROC 37 | EXTRN __imp__fseek:PROC 38 | EXTRN __imp__ftell:PROC 39 | EXTRN __imp__fwrite:PROC 40 | EXTRN __imp____stdio_common_vfprintf:PROC 41 | EXTRN __imp__malloc:PROC 42 | EXTRN 
__imp__VirtualProtect@16:PROC 43 | EXTRN __imp__VirtualFree@12:PROC 44 | ; COMDAT ?_OptionsStorage@?1??__local_stdio_printf_options@@9@4_KA 45 | _BSS SEGMENT 46 | ?_OptionsStorage@?1??__local_stdio_printf_options@@9@4_KA DQ 01H DUP (?) ; `__local_stdio_printf_options'::`2'::_OptionsStorage 47 | _BSS ENDS 48 | ; COMDAT ??_C@_0CN@CMKKBCPN@Shellcode?5execution?5completed?5s@ 49 | CONST SEGMENT 50 | ??_C@_0CN@CMKKBCPN@Shellcode?5execution?5completed?5s@ DB 'Shellcode exec' 51 | DB 'ution completed successfully.', 0aH, 00H ; `string' 52 | CONST ENDS 53 | ; COMDAT ??_C@_0M@LDNOBAB@Result?3?5?$CFd?6@ 54 | CONST SEGMENT 55 | ??_C@_0M@LDNOBAB@Result?3?5?$CFd?6@ DB 'Result: %d', 0aH, 00H ; `string' 56 | CONST ENDS 57 | ; COMDAT ??_C@_0CI@GCOJCDBI@?$FLe?$FN?5Failed?5to?5change?5memory?5pro@ 58 | CONST SEGMENT 59 | ??_C@_0CI@GCOJCDBI@?$FLe?$FN?5Failed?5to?5change?5memory?5pro@ DB '[e] Fa' 60 | DB 'iled to change memory protection', 0aH, 00H ; `string' 61 | CONST ENDS 62 | ; COMDAT ??_C@_0CA@FFCIEFBF@?$FLi?$FN?5Loaded?5shellcode?5size?3?5?$CFld?6@ 63 | CONST SEGMENT 64 | ??_C@_0CA@FFCIEFBF@?$FLi?$FN?5Loaded?5shellcode?5size?3?5?$CFld?6@ DB '[i' 65 | DB '] Loaded shellcode size: %ld', 0aH, 00H ; `string' 66 | CONST ENDS 67 | ; COMDAT ??_C@_0BO@KJKJAGIL@?$FLe?$FN?5Failed?5to?5read?5shellcode?6@ 68 | CONST SEGMENT 69 | ??_C@_0BO@KJKJAGIL@?$FLe?$FN?5Failed?5to?5read?5shellcode?6@ DB '[e] Fail' 70 | DB 'ed to read shellcode', 0aH, 00H ; `string' 71 | CONST ENDS 72 | ; COMDAT ??_C@_0CN@KKANALMI@?$FLe?$FN?5Failed?5to?5allocate?5memory?5f@ 73 | CONST SEGMENT 74 | ??_C@_0CN@KKANALMI@?$FLe?$FN?5Failed?5to?5allocate?5memory?5f@ DB '[e] Fa' 75 | DB 'iled to allocate memory for shellcode', 0aH, 00H ; `string' 76 | CONST ENDS 77 | ; COMDAT ??_C@_02JDPG@rb@ 78 | CONST SEGMENT 79 | ??_C@_02JDPG@rb@ DB 'rb', 00H ; `string' 80 | CONST ENDS 81 | ; COMDAT ??_C@_0CM@JHEGLBMC@?$FLi?$FN?5Shellcode?5saved?5to?5file?5she@ 82 | CONST SEGMENT 83 | 
??_C@_0CM@JHEGLBMC@?$FLi?$FN?5Shellcode?5saved?5to?5file?5she@ DB '[i] Sh' 84 | DB 'ellcode saved to file shellcode.bin.', 0aH, 00H ; `string' 85 | CONST ENDS 86 | ; COMDAT ??_C@_0EF@MOLEIFGD@?$FLe?$FN?5Failed?5to?5dump?5shellcode?5to@ 87 | CONST SEGMENT 88 | ??_C@_0EF@MOLEIFGD@?$FLe?$FN?5Failed?5to?5dump?5shellcode?5to@ DB '[e] Fa' 89 | DB 'iled to dump shellcode to disk. Check your compiler settings.' 90 | DB 0aH, 00H ; `string' 91 | CONST ENDS 92 | ; COMDAT ??_C@_0CK@CNHACEFP@?$FLi?$FN?5Shellcode?5size?3?5?$CFlu?0?5locate@ 93 | CONST SEGMENT 94 | ??_C@_0CK@CNHACEFP@?$FLi?$FN?5Shellcode?5size?3?5?$CFlu?0?5locate@ DB '[i' 95 | DB '] Shellcode size: %lu, located at 0x%p', 0aH, 00H ; `string' 96 | CONST ENDS 97 | ; COMDAT ??_C@_0CC@CNIGJHCH@?$FLe?$FN?5Failed?5to?5open?5shellcode?4bi@ 98 | CONST SEGMENT 99 | ??_C@_0CC@CNIGJHCH@?$FLe?$FN?5Failed?5to?5open?5shellcode?4bi@ DB '[e] Fa' 100 | DB 'iled to open shellcode.bin', 0aH, 00H ; `string' 101 | CONST ENDS 102 | ; COMDAT ??_C@_0O@NFBNADIO@shellcode?4bin@ 103 | CONST SEGMENT 104 | ??_C@_0O@NFBNADIO@shellcode?4bin@ DB 'shellcode.bin', 00H ; `string' 105 | CONST ENDS 106 | ; COMDAT ??_C@_02GMLFBBN@wb@ 107 | CONST SEGMENT 108 | ??_C@_02GMLFBBN@wb@ DB 'wb', 00H ; `string' 109 | CONST ENDS 110 | ; COMDAT voltbl 111 | voltbl SEGMENT 112 | _volmd DW 0bH 113 | DW 0eH 114 | DW 015H 115 | DW 01aH 116 | DW 01dH 117 | DW 022H 118 | DW 027H 119 | DW 02aH 120 | DW 02dH 121 | DW 032H 122 | DW 035H 123 | DW 038H 124 | DW 03dH 125 | DW 040H 126 | DW 043H 127 | DW 048H 128 | DW 04bH 129 | DW 04eH 130 | DW 053H 131 | DW 056H 132 | DW 059H 133 | DW 05eH 134 | DW 061H 135 | DW 064H 136 | DW 069H 137 | DW 06cH 138 | DW 06fH 139 | DW 074H 140 | DW 077H 141 | DW 07aH 142 | DW 07fH 143 | DW 082H 144 | DW 085H 145 | DW 089H 146 | DW 08cH 147 | DW 08fH 148 | DW 092H 149 | DW 097H 150 | DW 09aH 151 | DW 09dH 152 | DW 0a2H 153 | DW 0a5H 154 | DW 0a8H 155 | DW 0adH 156 | DW 0b0H 157 | DW 0b3H 158 | DW 0b8H 159 | DW 0bbH 160 | DW 0beH 161 | DW 0c2H 
162 | DW 0e8H 163 | DW 0edH 164 | DW 0faH 165 | DW 0107H 166 | DW 011aH 167 | DW 0124H 168 | DW 012fH 169 | DW 0136H 170 | voltbl ENDS 171 | ; COMDAT voltbl 172 | voltbl SEGMENT 173 | _volmd DB 031H 174 | DB 03aH 175 | DB 047H 176 | DB 054H 177 | DB 067H 178 | DB 071H 179 | DB 07cH 180 | DB 083H 181 | voltbl ENDS 182 | ; Function compile flags: /Ogsp 183 | ; COMDAT _main 184 | _TEXT SEGMENT 185 | _flOldProtect$ = -8 ; size = 4 186 | _fileSize$1$ = -4 ; size = 4 187 | _main PROC ; COMDAT 188 | ; File C:\Users\admin\Documents\GitHub\ShellcodeLab\Shellcode\shellcode.cpp 189 | ; Line 74 190 | push ebp 191 | mov ebp, esp 192 | push ecx 193 | push ecx 194 | push ebx 195 | ; Line 76 196 | push OFFSET ??_C@_02GMLFBBN@wb@ 197 | push OFFSET ??_C@_0O@NFBNADIO@shellcode?4bin@ 198 | call DWORD PTR __imp__fopen 199 | mov ebx, eax 200 | pop ecx 201 | pop ecx 202 | ; Line 77 203 | test ebx, ebx 204 | jne SHORT $LN2@main 205 | ; Line 78 206 | push OFFSET ??_C@_0CC@CNIGJHCH@?$FLe?$FN?5Failed?5to?5open?5shellcode?4bi@ 207 | push 2 208 | call DWORD PTR __imp____acrt_iob_func 209 | pop ecx 210 | push eax 211 | call _fprintf 212 | pop ecx 213 | ; Line 79 214 | xor eax, eax 215 | pop ecx 216 | inc eax 217 | jmp $LN1@main 218 | $LN2@main: 219 | push esi 220 | push edi 221 | ; Line 81 222 | mov esi, OFFSET ?shellcode@@YAHXZ ; shellcode 223 | mov edi, OFFSET ?shellcode_end@@YAXXZ ; shellcode_end 224 | ; Line 82 225 | push esi 226 | sub edi, esi 227 | push edi 228 | push OFFSET ??_C@_0CK@CNHACEFP@?$FLi?$FN?5Shellcode?5size?3?5?$CFlu?0?5locate@ 229 | call _printf 230 | ; Line 83 231 | push ebx 232 | push 1 233 | push edi 234 | push esi 235 | mov esi, DWORD PTR __imp__fwrite 236 | call esi 237 | ; Line 85 238 | push ebx 239 | push 1 240 | push edi 241 | push OFFSET ?shellcode@@YAHXZ ; shellcode 242 | call esi 243 | add esp, 44 ; 0000002cH 244 | test eax, eax 245 | jne SHORT $LN3@main 246 | ; Line 86 247 | push OFFSET ??_C@_0EF@MOLEIFGD@?$FLe?$FN?5Failed?5to?5dump?5shellcode?5to@ 248 | push 2 
249 | call DWORD PTR __imp____acrt_iob_func 250 | pop ecx 251 | push eax 252 | call _fprintf 253 | ; Line 87 254 | push ebx 255 | call DWORD PTR __imp__fclose 256 | ; Line 88 257 | jmp $LN13@main 258 | $LN3@main: 259 | ; Line 90 260 | push ebx 261 | mov ebx, DWORD PTR __imp__fclose 262 | call ebx 263 | ; Line 91 264 | mov DWORD PTR [esp], OFFSET ??_C@_0CM@JHEGLBMC@?$FLi?$FN?5Shellcode?5saved?5to?5file?5she@ 265 | call _printf 266 | ; Line 93 267 | mov DWORD PTR [esp], OFFSET ??_C@_02JDPG@rb@ 268 | push OFFSET ??_C@_0O@NFBNADIO@shellcode?4bin@ 269 | call DWORD PTR __imp__fopen 270 | mov edi, eax 271 | pop ecx 272 | pop ecx 273 | ; Line 94 274 | test edi, edi 275 | jne SHORT $LN4@main 276 | ; Line 95 277 | push OFFSET ??_C@_0CC@CNIGJHCH@?$FLe?$FN?5Failed?5to?5open?5shellcode?4bi@ 278 | push 2 279 | call DWORD PTR __imp____acrt_iob_func 280 | pop ecx 281 | push eax 282 | call _fprintf 283 | pop ecx 284 | ; Line 96 285 | jmp $LN12@main 286 | $LN4@main: 287 | ; Line 98 288 | mov esi, DWORD PTR __imp__fseek 289 | push 2 290 | push 0 291 | push edi 292 | call esi 293 | ; Line 99 294 | push edi 295 | call DWORD PTR __imp__ftell 296 | ; Line 100 297 | push 0 298 | push 0 299 | push edi 300 | mov DWORD PTR _fileSize$1$[ebp], eax 301 | call esi 302 | ; Line 102 303 | push DWORD PTR _fileSize$1$[ebp] 304 | call DWORD PTR __imp__malloc 305 | mov esi, eax 306 | add esp, 32 ; 00000020H 307 | ; Line 104 308 | test esi, esi 309 | jne SHORT $LN5@main 310 | ; Line 105 311 | push OFFSET ??_C@_0CN@KKANALMI@?$FLe?$FN?5Failed?5to?5allocate?5memory?5f@ 312 | push 2 313 | call DWORD PTR __imp____acrt_iob_func 314 | pop ecx 315 | push eax 316 | call _fprintf 317 | ; Line 106 318 | push edi 319 | call ebx 320 | $LN13@main: 321 | ; Line 127 322 | add esp, 12 ; 0000000cH 323 | jmp $LN11@main 324 | $LN5@main: 325 | ; Line 109 326 | push edi 327 | push DWORD PTR _fileSize$1$[ebp] 328 | push 1 329 | push esi 330 | call DWORD PTR __imp__fread 331 | add esp, 16 ; 00000010H 332 | cmp eax, DWORD PTR 
_fileSize$1$[ebp] 333 | je SHORT $LN6@main 334 | ; Line 110 335 | push OFFSET ??_C@_0BO@KJKJAGIL@?$FLe?$FN?5Failed?5to?5read?5shellcode?6@ 336 | push 2 337 | call DWORD PTR __imp____acrt_iob_func 338 | pop ecx 339 | push eax 340 | call _fprintf 341 | pop ecx 342 | pop ecx 343 | ; Line 112 344 | push 32768 ; 00008000H 345 | push 0 346 | push esi 347 | call DWORD PTR __imp__VirtualFree@12 348 | ; Line 116 349 | push edi 350 | call ebx 351 | $LN12@main: 352 | ; Line 127 353 | pop ecx 354 | jmp SHORT $LN11@main 355 | $LN6@main: 356 | ; Line 119 357 | push edi 358 | call ebx 359 | ; Line 120 360 | mov ebx, DWORD PTR _fileSize$1$[ebp] 361 | push ebx 362 | push OFFSET ??_C@_0CA@FFCIEFBF@?$FLi?$FN?5Loaded?5shellcode?5size?3?5?$CFld?6@ 363 | call _printf 364 | add esp, 12 ; 0000000cH 365 | ; Line 124 366 | lea eax, DWORD PTR _flOldProtect$[ebp] 367 | push eax 368 | push 64 ; 00000040H 369 | push ebx 370 | push esi 371 | call DWORD PTR __imp__VirtualProtect@16 372 | test eax, eax 373 | jne SHORT $LN7@main 374 | ; Line 125 375 | push OFFSET ??_C@_0CI@GCOJCDBI@?$FLe?$FN?5Failed?5to?5change?5memory?5pro@ 376 | push 2 377 | call DWORD PTR __imp____acrt_iob_func 378 | pop ecx 379 | push eax 380 | call _fprintf 381 | pop ecx 382 | pop ecx 383 | ; Line 126 384 | push 32768 ; 00008000H 385 | push 0 386 | push esi 387 | call DWORD PTR __imp__VirtualFree@12 388 | $LN11@main: 389 | ; Line 127 390 | xor eax, eax 391 | inc eax 392 | jmp SHORT $LN9@main 393 | $LN7@main: 394 | ; Line 138 395 | call esi 396 | push eax 397 | push OFFSET ??_C@_0M@LDNOBAB@Result?3?5?$CFd?6@ 398 | call _printf 399 | ; Line 140 400 | push OFFSET ??_C@_0CN@CMKKBCPN@Shellcode?5execution?5completed?5s@ 401 | call _printf 402 | add esp, 12 ; 0000000cH 403 | ; Line 142 404 | xor eax, eax 405 | $LN9@main: 406 | pop edi 407 | pop esi 408 | $LN1@main: 409 | pop ebx 410 | ; Line 143 411 | leave 412 | ret 0 413 | _main ENDP 414 | _TEXT ENDS 415 | ; Function compile flags: /Ogsp 416 | ; COMDAT ?shellcode_end@@YAXXZ 417 | 
shcode SEGMENT 418 | ?shellcode_end@@YAXXZ PROC ; shellcode_end, COMDAT 419 | ; File C:\Users\admin\Documents\GitHub\ShellcodeLab\Shellcode\shellcode.cpp 420 | ; Line 70 421 | ret 0 422 | ?shellcode_end@@YAXXZ ENDP ; shellcode_end 423 | shcode ENDS 424 | ; Function compile flags: /Ogsp 425 | ; COMDAT ?shellcode@@YAHXZ 426 | shcode SEGMENT 427 | _temp$1 = -228 ; size = 128 428 | _msg$ = -100 ; size = 30 429 | _u32$ = -68 ; size = 30 430 | _curr_name$1$ = -36 ; size = 4 431 | _funcRVA$1$ = -36 ; size = 4 432 | tv1151 = -32 ; size = 4 433 | _handle$1$ = -32 ; size = 4 434 | $T2 = -28 ; size = 4 435 | $T3 = -28 ; size = 4 436 | tv1149 = -24 ; size = 4 437 | _base$1$ = -24 ; size = 4 438 | _funcRVA$1$ = -20 ; size = 4 439 | _curr_name$1$ = -20 ; size = 4 440 | _i$1$ = -16 ; size = 4 441 | tv1142 = -16 ; size = 4 442 | tv1141 = -12 ; size = 4 443 | tv1136 = -12 ; size = 4 444 | tv1137 = -8 ; size = 4 445 | _i$1$ = -8 ; size = 4 446 | _curr_module$1$ = -8 ; size = 4 447 | _a$1$ = -4 ; size = 4 448 | _a$1$ = -4 ; size = 4 449 | _i$4 = -4 ; size = 4 450 | _i$ = -4 ; size = 4 451 | ?shellcode@@YAHXZ PROC ; shellcode, COMDAT 452 | ; File C:\Users\admin\Documents\GitHub\ShellcodeLab\Shellcode\shellcode.cpp 453 | ; Line 19 454 | push ebp 455 | mov ebp, esp 456 | sub esp, 228 ; 000000e4H 457 | ; Line 26 458 | xor edx, edx 459 | mov DWORD PTR _i$[ebp], edx 460 | ; Line 27 461 | mov eax, DWORD PTR _i$[ebp] 462 | push ebx 463 | xor ebx, ebx 464 | inc ebx 465 | mov BYTE PTR _u32$[ebp+eax], 117 ; 00000075H 466 | add DWORD PTR _i$[ebp], ebx 467 | mov eax, DWORD PTR _i$[ebp] 468 | push esi 469 | push edi 470 | mov BYTE PTR _u32$[ebp+eax], 115 ; 00000073H 471 | add DWORD PTR _i$[ebp], ebx 472 | mov eax, DWORD PTR _i$[ebp] 473 | mov BYTE PTR _u32$[ebp+eax], 101 ; 00000065H 474 | add DWORD PTR _i$[ebp], ebx 475 | mov eax, DWORD PTR _i$[ebp] 476 | mov BYTE PTR _u32$[ebp+eax], 114 ; 00000072H 477 | add DWORD PTR _i$[ebp], ebx 478 | mov eax, DWORD PTR _i$[ebp] 479 | mov BYTE PTR 
_u32$[ebp+eax], 51 ; 00000033H 480 | add DWORD PTR _i$[ebp], ebx 481 | mov eax, DWORD PTR _i$[ebp] 482 | mov BYTE PTR _u32$[ebp+eax], 50 ; 00000032H 483 | add DWORD PTR _i$[ebp], ebx 484 | ; Line 28 485 | mov eax, DWORD PTR _i$[ebp] 486 | mov BYTE PTR _u32$[ebp+eax], 46 ; 0000002eH 487 | add DWORD PTR _i$[ebp], ebx 488 | mov eax, DWORD PTR _i$[ebp] 489 | mov BYTE PTR _u32$[ebp+eax], 100 ; 00000064H 490 | add DWORD PTR _i$[ebp], ebx 491 | mov eax, DWORD PTR _i$[ebp] 492 | mov BYTE PTR _u32$[ebp+eax], 108 ; 0000006cH 493 | add DWORD PTR _i$[ebp], ebx 494 | mov eax, DWORD PTR _i$[ebp] 495 | mov BYTE PTR _u32$[ebp+eax], 108 ; 0000006cH 496 | add DWORD PTR _i$[ebp], ebx 497 | mov eax, DWORD PTR _i$[ebp] 498 | mov BYTE PTR _u32$[ebp+eax], dl 499 | add DWORD PTR _i$[ebp], ebx 500 | ; Line 29 501 | mov DWORD PTR _i$[ebp], edx 502 | ; Line 30 503 | mov eax, DWORD PTR _i$[ebp] 504 | mov BYTE PTR _msg$[ebp+eax], 116 ; 00000074H 505 | add DWORD PTR _i$[ebp], ebx 506 | mov eax, DWORD PTR _i$[ebp] 507 | mov BYTE PTR _msg$[ebp+eax], 101 ; 00000065H 508 | add DWORD PTR _i$[ebp], ebx 509 | mov eax, DWORD PTR _i$[ebp] 510 | mov BYTE PTR _msg$[ebp+eax], 115 ; 00000073H 511 | add DWORD PTR _i$[ebp], ebx 512 | mov eax, DWORD PTR _i$[ebp] 513 | mov BYTE PTR _msg$[ebp+eax], 116 ; 00000074H 514 | add DWORD PTR _i$[ebp], ebx 515 | mov eax, DWORD PTR _i$[ebp] 516 | mov BYTE PTR _msg$[ebp+eax], dl 517 | add DWORD PTR _i$[ebp], ebx 518 | ; File C:\Users\admin\Documents\GitHub\ShellcodeLab\Shellcode\shcutils.h 519 | ; Line 133 520 | mov eax, DWORD PTR fs:48 521 | ; Line 139 522 | mov eax, DWORD PTR [eax+12] 523 | mov esi, DWORD PTR [eax+12] 524 | jmp $LN87@shellcode 525 | $LL7@shellcode: 526 | ; Line 141 527 | cmp DWORD PTR [esi+24], edx 528 | je $LN84@shellcode 529 | ; Line 142 530 | cmp DWORD PTR [esi+48], edx 531 | je $LN86@shellcode 532 | ; Line 145 533 | mov DWORD PTR _i$4[ebp], edx 534 | jmp SHORT $LN89@shellcode 535 | $LL11@shellcode: 536 | ; Line 146 537 | mov ecx, DWORD PTR _i$4[ebp] 
538 | mov eax, DWORD PTR [esi+48] 539 | cmp WORD PTR [eax+ecx*2], 90 ; 0000005aH 540 | ja SHORT $LN15@shellcode 541 | mov ecx, DWORD PTR _i$4[ebp] 542 | mov eax, DWORD PTR [esi+48] 543 | cmp WORD PTR [eax+ecx*2], 65 ; 00000041H 544 | jb SHORT $LN15@shellcode 545 | mov ecx, DWORD PTR _i$4[ebp] 546 | mov eax, DWORD PTR [esi+48] 547 | mov ax, WORD PTR [eax+ecx*2] 548 | add ax, 32 ; 00000020H 549 | movzx ecx, ax 550 | jmp SHORT $LN16@shellcode 551 | $LN15@shellcode: 552 | mov ecx, DWORD PTR _i$4[ebp] 553 | mov eax, DWORD PTR [esi+48] 554 | movzx ecx, WORD PTR [eax+ecx*2] 555 | $LN16@shellcode: 556 | mov eax, DWORD PTR _i$4[ebp] 557 | mov WORD PTR _temp$1[ebp+eax*2], cx 558 | add DWORD PTR _i$4[ebp], ebx 559 | $LN89@shellcode: 560 | ; Line 145 561 | movzx eax, WORD PTR [esi+44] 562 | cmp DWORD PTR _i$4[ebp], eax 563 | jl SHORT $LL11@shellcode 564 | ; Line 61 565 | mov ax, WORD PTR _temp$1[ebp] 566 | mov edi, ebx 567 | mov ecx, edx 568 | mov ebx, edx 569 | test ax, ax 570 | je SHORT $LN82@shellcode 571 | movzx eax, ax 572 | mov esi, 65521 ; 0000fff1H 573 | $LL20@shellcode: 574 | ; Line 62 575 | movzx eax, ax 576 | add eax, edi 577 | cdq 578 | idiv esi 579 | mov edi, edx 580 | ; Line 63 581 | lea eax, DWORD PTR [ecx+edi] 582 | cdq 583 | idiv esi 584 | movzx eax, WORD PTR _temp$1[ebp+ebx*2+2] 585 | inc ebx 586 | mov ecx, edx 587 | test ax, ax 588 | jne SHORT $LL20@shellcode 589 | mov esi, DWORD PTR _curr_module$1$[ebp] 590 | ; Line 65 591 | shl ecx, 16 ; 00000010H 592 | or ecx, edi 593 | ; Line 148 594 | cmp ecx, 489227345 ; 1d290451H 595 | je SHORT $LN56@shellcode 596 | xor edx, edx 597 | $LN82@shellcode: 598 | ; Line 151 599 | mov esi, DWORD PTR [esi] 600 | xor ebx, ebx 601 | inc ebx 602 | $LN87@shellcode: 603 | ; Line 141 604 | mov DWORD PTR _curr_module$1$[ebp], esi 605 | $LN86@shellcode: 606 | test esi, esi 607 | jne $LL7@shellcode 608 | $LN84@shellcode: 609 | ; File C:\Users\admin\Documents\GitHub\ShellcodeLab\Shellcode\shellcode.cpp 610 | ; Line 67 611 | xor eax, 
eax 612 | inc eax 613 | $LN1@shellcode: 614 | ; Line 68 615 | pop edi 616 | pop esi 617 | pop ebx 618 | leave 619 | ret 0 620 | $LN56@shellcode: 621 | ; File C:\Users\admin\Documents\GitHub\ShellcodeLab\Shellcode\shcutils.h 622 | ; Line 149 623 | mov ecx, DWORD PTR [esi+24] 624 | mov DWORD PTR _base$1$[ebp], ecx 625 | ; File C:\Users\admin\Documents\GitHub\ShellcodeLab\Shellcode\shellcode.cpp 626 | ; Line 48 627 | test ecx, ecx 628 | je SHORT $LN84@shellcode 629 | ; File C:\Users\admin\Documents\GitHub\ShellcodeLab\Shellcode\shcutils.h 630 | ; Line 158 631 | mov eax, 23117 ; 00005a4dH 632 | cmp WORD PTR [ecx], ax 633 | jne SHORT $LN84@shellcode 634 | ; Line 162 635 | mov eax, DWORD PTR [ecx+60] 636 | mov eax, DWORD PTR [eax+ecx+120] 637 | test eax, eax 638 | je SHORT $LN84@shellcode 639 | ; Line 167 640 | mov ebx, DWORD PTR [eax+ecx+24] 641 | xor edx, edx 642 | mov DWORD PTR _i$1$[ebp], edx 643 | mov DWORD PTR $T2[ebp], ebx 644 | test ebx, ebx 645 | je SHORT $LN84@shellcode 646 | ; Line 169 647 | mov edi, DWORD PTR [eax+ecx+32] 648 | mov ebx, DWORD PTR [eax+ecx+36] 649 | add edi, ecx 650 | ; Line 170 651 | mov esi, DWORD PTR [eax+ecx+28] 652 | add ebx, ecx 653 | mov DWORD PTR tv1151[ebp], esi 654 | mov DWORD PTR tv1142[ebp], edi 655 | mov DWORD PTR tv1141[ebp], ebx 656 | $LL25@shellcode: 657 | movzx eax, WORD PTR [ebx] 658 | ; Line 60 659 | mov DWORD PTR _a$1$[ebp], 1 660 | ; Line 170 661 | lea eax, DWORD PTR [esi+eax*4] 662 | ; Line 60 663 | xor esi, esi 664 | ; Line 170 665 | add eax, ecx 666 | mov DWORD PTR _funcRVA$1$[ebp], eax 667 | ; Line 171 668 | mov eax, DWORD PTR [edi] 669 | add eax, ecx 670 | mov DWORD PTR _curr_name$1$[ebp], eax 671 | ; Line 61 672 | mov al, BYTE PTR [eax] 673 | test al, al 674 | je SHORT $LN81@shellcode 675 | mov ecx, DWORD PTR _curr_name$1$[ebp] 676 | ; Line 169 677 | mov edi, 65521 ; 0000fff1H 678 | mov ebx, DWORD PTR _a$1$[ebp] 679 | $LL33@shellcode: 680 | ; Line 62 681 | movsx eax, al 682 | add eax, ebx 683 | cdq 684 | idiv edi 685 
| mov ebx, edx 686 | ; Line 63 687 | lea eax, DWORD PTR [esi+ebx] 688 | cdq 689 | idiv edi 690 | inc ecx 691 | mov esi, edx 692 | mov al, BYTE PTR [ecx] 693 | test al, al 694 | jne SHORT $LL33@shellcode 695 | mov ecx, DWORD PTR _base$1$[ebp] 696 | mov edi, DWORD PTR tv1142[ebp] 697 | mov DWORD PTR _a$1$[ebp], ebx 698 | mov ebx, DWORD PTR tv1141[ebp] 699 | ; Line 65 700 | shl esi, 16 ; 00000010H 701 | or esi, DWORD PTR _a$1$[ebp] 702 | ; Line 173 703 | cmp esi, 494994583 ; 1d810497H 704 | je SHORT $LN57@shellcode 705 | mov edx, DWORD PTR _i$1$[ebp] 706 | $LN81@shellcode: 707 | ; Line 167 708 | inc edx 709 | add ebx, 2 710 | add edi, 4 711 | mov DWORD PTR _i$1$[ebp], edx 712 | mov DWORD PTR tv1141[ebp], ebx 713 | mov DWORD PTR tv1142[ebp], edi 714 | cmp edx, DWORD PTR $T2[ebp] 715 | jae $LN84@shellcode 716 | mov esi, DWORD PTR tv1151[ebp] 717 | jmp SHORT $LL25@shellcode 718 | $LN57@shellcode: 719 | ; Line 173 720 | mov eax, DWORD PTR _funcRVA$1$[ebp] 721 | mov eax, DWORD PTR [eax] 722 | add eax, ecx 723 | ; File C:\Users\admin\Documents\GitHub\ShellcodeLab\Shellcode\shellcode.cpp 724 | ; Line 50 725 | je $LN84@shellcode 726 | ; Line 51 727 | lea ecx, DWORD PTR _u32$[ebp] 728 | push ecx 729 | call eax 730 | pop ecx 731 | mov ecx, eax 732 | mov DWORD PTR _handle$1$[ebp], ecx 733 | ; Line 52 734 | test ecx, ecx 735 | je $LN84@shellcode 736 | ; File C:\Users\admin\Documents\GitHub\ShellcodeLab\Shellcode\shcutils.h 737 | ; Line 158 738 | mov eax, 23117 ; 00005a4dH 739 | cmp WORD PTR [ecx], ax 740 | jne $LN85@shellcode 741 | ; Line 162 742 | mov eax, DWORD PTR [ecx+60] 743 | mov eax, DWORD PTR [eax+ecx+120] 744 | test eax, eax 745 | je $LN85@shellcode 746 | ; Line 167 747 | mov ebx, DWORD PTR [eax+ecx+24] 748 | xor edx, edx 749 | mov DWORD PTR _i$1$[ebp], edx 750 | mov DWORD PTR $T3[ebp], ebx 751 | test ebx, ebx 752 | je $LN85@shellcode 753 | ; Line 169 754 | mov edi, DWORD PTR [eax+ecx+32] 755 | mov ebx, DWORD PTR [eax+ecx+36] 756 | add edi, ecx 757 | ; Line 170 758 | mov 
esi, DWORD PTR [eax+ecx+28] 759 | add ebx, ecx 760 | mov DWORD PTR tv1149[ebp], esi 761 | mov DWORD PTR tv1137[ebp], edi 762 | mov DWORD PTR tv1136[ebp], ebx 763 | $LL38@shellcode: 764 | movzx eax, WORD PTR [ebx] 765 | ; Line 60 766 | mov DWORD PTR _a$1$[ebp], 1 767 | ; Line 170 768 | lea eax, DWORD PTR [esi+eax*4] 769 | ; Line 60 770 | xor esi, esi 771 | ; Line 170 772 | add eax, ecx 773 | mov DWORD PTR _funcRVA$1$[ebp], eax 774 | ; Line 171 775 | mov eax, DWORD PTR [edi] 776 | add eax, ecx 777 | mov DWORD PTR _curr_name$1$[ebp], eax 778 | ; Line 61 779 | mov al, BYTE PTR [eax] 780 | test al, al 781 | je SHORT $LN80@shellcode 782 | mov ecx, DWORD PTR _curr_name$1$[ebp] 783 | ; Line 169 784 | mov edi, 65521 ; 0000fff1H 785 | mov ebx, DWORD PTR _a$1$[ebp] 786 | $LL46@shellcode: 787 | ; Line 62 788 | movsx eax, al 789 | add eax, ebx 790 | cdq 791 | idiv edi 792 | mov ebx, edx 793 | ; Line 63 794 | lea eax, DWORD PTR [esi+ebx] 795 | cdq 796 | idiv edi 797 | inc ecx 798 | mov esi, edx 799 | mov al, BYTE PTR [ecx] 800 | test al, al 801 | jne SHORT $LL46@shellcode 802 | mov ecx, DWORD PTR _handle$1$[ebp] 803 | mov edi, DWORD PTR tv1137[ebp] 804 | mov DWORD PTR _a$1$[ebp], ebx 805 | mov ebx, DWORD PTR tv1136[ebp] 806 | ; Line 65 807 | shl esi, 16 ; 00000010H 808 | or esi, DWORD PTR _a$1$[ebp] 809 | ; Line 173 810 | cmp esi, 427754544 ; 197f0430H 811 | je SHORT $LN58@shellcode 812 | mov edx, DWORD PTR _i$1$[ebp] 813 | $LN80@shellcode: 814 | ; Line 167 815 | inc edx 816 | add ebx, 2 817 | add edi, 4 818 | mov DWORD PTR _i$1$[ebp], edx 819 | mov DWORD PTR tv1136[ebp], ebx 820 | mov DWORD PTR tv1137[ebp], edi 821 | cmp edx, DWORD PTR $T3[ebp] 822 | jae SHORT $LN85@shellcode 823 | mov esi, DWORD PTR tv1149[ebp] 824 | jmp SHORT $LL38@shellcode 825 | $LN58@shellcode: 826 | ; Line 173 827 | mov eax, DWORD PTR _funcRVA$1$[ebp] 828 | mov eax, DWORD PTR [eax] 829 | add eax, ecx 830 | jmp SHORT $LN35@shellcode 831 | $LN85@shellcode: 832 | ; File 
C:\Users\admin\Documents\GitHub\ShellcodeLab\Shellcode\shellcode.cpp 833 | ; Line 54 834 | xor eax, eax 835 | $LN35@shellcode: 836 | push 0 837 | lea ecx, DWORD PTR _msg$[ebp] 838 | push ecx 839 | push ecx 840 | push 0 841 | call eax 842 | add esp, 16 ; 00000010H 843 | ; Line 55 844 | xor eax, eax 845 | jmp $LN1@shellcode 846 | ?shellcode@@YAHXZ ENDP ; shellcode 847 | shcode ENDS 848 | ; Function compile flags: /Ogsp 849 | ; COMDAT _printf 850 | _TEXT SEGMENT 851 | __Format$ = 8 ; size = 4 852 | _printf PROC ; COMDAT 853 | ; File C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\ucrt\stdio.h 854 | ; Line 956 855 | push ebp 856 | mov ebp, esp 857 | ; Line 960 858 | lea eax, DWORD PTR __Format$[ebp+4] 859 | push eax 860 | push 0 861 | push DWORD PTR __Format$[ebp] 862 | push 1 863 | call DWORD PTR __imp____acrt_iob_func 864 | pop ecx 865 | push eax 866 | call __vfprintf_l 867 | add esp, 16 ; 00000010H 868 | ; Line 963 869 | pop ebp 870 | ret 0 871 | _printf ENDP 872 | _TEXT ENDS 873 | ; Function compile flags: /Ogsp 874 | ; COMDAT _fprintf 875 | _TEXT SEGMENT 876 | __Stream$ = 8 ; size = 4 877 | __Format$ = 12 ; size = 4 878 | _fprintf PROC ; COMDAT 879 | ; File C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\ucrt\stdio.h 880 | ; Line 837 881 | push ebp 882 | mov ebp, esp 883 | ; Line 841 884 | lea eax, DWORD PTR __Format$[ebp+4] 885 | push eax 886 | push 0 887 | push DWORD PTR __Format$[ebp] 888 | push DWORD PTR __Stream$[ebp] 889 | call __vfprintf_l 890 | add esp, 16 ; 00000010H 891 | ; Line 844 892 | pop ebp 893 | ret 0 894 | _fprintf ENDP 895 | _TEXT ENDS 896 | ; Function compile flags: /Ogsp 897 | ; COMDAT __vfprintf_l 898 | _TEXT SEGMENT 899 | __Stream$ = 8 ; size = 4 900 | __Format$ = 12 ; size = 4 901 | __Locale$ = 16 ; size = 4 902 | __ArgList$ = 20 ; size = 4 903 | __vfprintf_l PROC ; COMDAT 904 | ; File C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\ucrt\stdio.h 905 | ; Line 644 906 | push ebp 907 | mov ebp, esp 908 | ; 
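Line 645
    push    DWORD PTR __ArgList$[ebp]
    push    DWORD PTR __Locale$[ebp]
    push    DWORD PTR __Format$[ebp]
    push    DWORD PTR __Stream$[ebp]
    call    ___local_stdio_printf_options
    push    DWORD PTR [eax+4]
    push    DWORD PTR [eax]
    call    DWORD PTR __imp____stdio_common_vfprintf
    add     esp, 24                 ; 00000018H
; Line 646
    pop     ebp
    ret     0
__vfprintf_l ENDP
_TEXT   ENDS
; Function compile flags: /Ogsp
; COMDAT ___local_stdio_printf_options
_TEXT   SEGMENT
___local_stdio_printf_options PROC          ; COMDAT
; File C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\ucrt\corecrt_stdio_config.h
; Line 92
    mov     eax, OFFSET ?_OptionsStorage@?1??__local_stdio_printf_options@@9@4_KA ; `__local_stdio_printf_options'::`2'::_OptionsStorage
; Line 93
    ret     0
___local_stdio_printf_options ENDP
_TEXT   ENDS
END
--------------------------------------------------------------------------------
/Shellcode/shellcode.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ac3ss0r/c2shell/f71c9ade9e675bc7c9cc62c298aad47a5921ca4e/Shellcode/shellcode.bin
--------------------------------------------------------------------------------
/Shellcode/shellcode.cpp:
--------------------------------------------------------------------------------
// NOTE(review): the system header names were lost when this page was extracted
// (every `#include` was blank). The list below is reconstructed from what the
// file actually uses: fopen/printf, malloc/free, uintptr_t, memcpy,
// VirtualAlloc/VirtualProtect, mmap/mprotect, SYS_write and STDOUT_FILENO.
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#else
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>
#endif
#include "shcutils.h"

#ifdef _MSC_VER
#pragma warning(disable:4996)
#pragma section("shcode", execute)
#endif

// This function is dumped as a raw blob (the bytes between shellcode() and
// shellcode_end()) and executed from a fresh mapping, so it must be fully
// self-contained and offset independent: no static data, no string literals
// (they land in .rdata), no CRT or import calls. Everything it needs lives on
// the stack or is reached through the PEB (Windows) or raw syscalls (Linux).
SECTION_CODE("shcode") NOINLINE int /*_fastcall*/ shellcode() {
#ifdef _WINDOWS
    // Typedefs for the resolved APIs. WINAPI (stdcall on x86) is required: with
    // the original cdecl typedefs the 32-bit build let the callee pop its
    // arguments and then popped them again itself (see the `call eax` / `pop ecx`
    // and `call eax` / `add esp, 16` sequences in shellcode.asm), unbalancing
    // the stack before the epilogue restored the callee-saved registers.
    typedef HMODULE (WINAPI* LoadLibraryA_t)(LPCSTR);
    typedef int (WINAPI* MessageBoxA_t)(HWND, LPCSTR, LPCSTR, UINT);

    // Strings are built one byte at a time on the stack. Some compilers place a
    // literal or a brace initialiser in .data/.rdata (or emit a memcpy), which is
    // outside the blob; the volatile index keeps the stores as plain stores.
    volatile char u32[30]; volatile int i = 0;
    u32[i++] = 'u'; u32[i++] = 's'; u32[i++] = 'e'; u32[i++] = 'r'; u32[i++] = '3'; u32[i++] = '2';
    u32[i++] = '.'; u32[i++] = 'd'; u32[i++] = 'l'; u32[i++] = 'l'; u32[i++] = '\0';
    volatile char msg[30]; i = 0;
    msg[i++] = 't'; msg[i++] = 'e'; msg[i++] = 's'; msg[i++] = 't'; msg[i++] = '\0';

    /* Any definition must stay stack-only, otherwise the blob is not self-contained:

       // Always stored in the .data section
       char s1[] = "test";

       // Stored in .data by some compilers and on the stack by others
       char s2[] = {'t', 'e', 's', 't', 0};

       // Always on the stack; this is the form used above
       char s3[32]; int i = 0;
       s3[i++] = 't', s3[i++] = 'e', s3[i++] = 's', s3[i++] = 't', s3[i++] = '\0';
    */

    void* base = get_module_handle(HASH("kernel32.dll"));

    if (base) {
        LoadLibraryA_t LoadLibA = (LoadLibraryA_t) get_proc_address(base, HASH("LoadLibraryA"));
        if (LoadLibA) {
            void* handle = LoadLibA((char*)u32);
            if (handle) {
                MessageBoxA_t MsgBoxA = (MessageBoxA_t) get_proc_address(handle, HASH("MessageBoxA"));
                // The original called MsgBoxA unconditionally; a failed lookup was a call to NULL.
                if (MsgBoxA) {
                    MsgBoxA(0, (char*)msg, (char*)msg, MB_OK);
                    return 0;
                }
            }
        }
    }
#elif defined(_LINUX)
    volatile char msg[30]; volatile int i = 0;
    msg[i++] = 'H'; msg[i++] = 'e'; msg[i++] = 'l'; msg[i++] = 'l'; msg[i++] = 'o'; msg[i++] = ' ';
    msg[i++] = 'f'; msg[i++] = 'r'; msg[i++] = 'o'; msg[i++] = 'm'; msg[i++] = ' '; msg[i++] = 's';
    msg[i++] = 'h'; msg[i++] = 'e'; msg[i++] = 'l'; msg[i++] = 'l';
    msg[i++] = '!'; msg[i++] = '\n'; msg[i++] = '\0';
    // `i` counts the terminator; the original passed it whole and wrote a NUL to stdout.
    inline_syscall(SYS_write, STDOUT_FILENO, (long)msg, i - 1, 0, 0);
    return 0;
#endif
    return 1;
}
// Placed directly after shellcode() in the same section so the difference of the
// two addresses is the blob size. The linker is not obliged to keep this order
// (function reordering, COMDAT folding), which is what the dump check below guards.
SECTION_CODE("shcode") NAKED void shellcode_end(void) {}

typedef int (*shellcode_t)();

/* Size of the blob in bytes, or 0 when shellcode_end does not follow shellcode. */
static size_t shellcode_blob_size(void) {
    uintptr_t start = (uintptr_t)shellcode;
    uintptr_t end = (uintptr_t)shellcode_end;
    return end > start ? (size_t)(end - start) : 0;
}

/* Write the in-memory blob to shellcode.bin exactly once. Returns 0 on success.
 * The original issued fwrite() twice, so the file held two copies of the blob. */
static int dump_shellcode(void) {
    size_t shellcode_size = shellcode_blob_size();
    if (shellcode_size == 0) {
        fprintf(stderr, "[e] Failed to dump shellcode to disk. Check your compiler settings.\n");
        return 1;
    }

    FILE* output_file = fopen("shellcode.bin", "wb");
    if (!output_file) {
        fprintf(stderr, "[e] Failed to open shellcode.bin\n");
        return 1;
    }
    // %zu: the original used %lu for a size_t, which the compiler log flags (C4477).
    printf("[i] Shellcode size: %zu, located at 0x%p\n", shellcode_size, (void*)(uintptr_t)shellcode);

    size_t written = fwrite((const void*)(uintptr_t)shellcode, 1, shellcode_size, output_file);
    int close_rc = fclose(output_file);
    if (written != shellcode_size || close_rc != 0) {
        fprintf(stderr, "[e] Failed to dump shellcode to disk. Check your compiler settings.\n");
        return 1;
    }
    printf("[i] Shellcode saved to file shellcode.bin.\n");
    return 0;
}

/* Read all of shellcode.bin into a malloc'd buffer. On success stores the byte
 * count in *out_size and returns the buffer (caller frees); NULL on any failure. */
static unsigned char* read_shellcode_file(size_t* out_size) {
    FILE* file = fopen("shellcode.bin", "rb");
    if (!file) {
        fprintf(stderr, "[e] Failed to open shellcode.bin\n");
        return NULL;
    }

    long fileSize = -1;
    if (fseek(file, 0, SEEK_END) == 0) fileSize = ftell(file);
    // ftell() reports -1 on error; the original never checked and passed it to malloc().
    if (fileSize <= 0 || fseek(file, 0, SEEK_SET) != 0) {
        fprintf(stderr, "[e] Failed to read shellcode\n");
        fclose(file);
        return NULL;
    }

    unsigned char* shellcode_buff = (unsigned char*)malloc((size_t)fileSize);
    if (!shellcode_buff) {
        fprintf(stderr, "[e] Failed to allocate memory for shellcode\n");
        fclose(file);
        return NULL;
    }
    if (fread(shellcode_buff, 1, (size_t)fileSize, file) != (size_t)fileSize) {
        fprintf(stderr, "[e] Failed to read shellcode\n");
        free(shellcode_buff);   // malloc'd memory; the original handed it to VirtualFree()
        fclose(file);
        return NULL;
    }
    fclose(file);
    *out_size = (size_t)fileSize;
    return shellcode_buff;
}

/* Copy `size` bytes of code into a fresh page-aligned mapping and flip it to
 * read+execute. The mapping is never writable and executable at the same time
 * (the original made a heap buffer RWX in place). Returns NULL on failure. */
static void* map_executable(const unsigned char* code, size_t size) {
#ifdef _WIN32
    void* mem = VirtualAlloc(NULL, size, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (!mem) {
        fprintf(stderr, "[e] Failed to allocate memory for shellcode\n");
        return NULL;
    }
    memcpy(mem, code, size);
    DWORD flOldProtect;
    if (!VirtualProtect(mem, size, PAGE_EXECUTE_READ, &flOldProtect)) {
        fprintf(stderr, "[e] Failed to change memory protection\n");
        VirtualFree(mem, 0, MEM_RELEASE);
        return NULL;
    }
    FlushInstructionCache(GetCurrentProcess(), mem, size);
    return mem;
#else
    // mprotect() requires a page-aligned address and malloc() does not provide
    // one, so the original mprotect(malloc(...)) call failed with EINVAL.
    void* mem = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) {
        fprintf(stderr, "[e] Failed to allocate memory for shellcode\n");
        return NULL;
    }
    memcpy(mem, code, size);
    if (mprotect(mem, size, PROT_READ | PROT_EXEC) == -1) {
        fprintf(stderr, "[e] Failed to change memory protection\n");
        munmap(mem, size);
        return NULL;
    }
#if defined(__GNUC__)
    // Needed on the ARM/AArch64 targets shcutils.h supports (separate I/D caches); a no-op on x86.
    __builtin___clear_cache((char*)mem, (char*)mem + size);
#endif
    return mem;
#endif
}

/* Release a mapping obtained from map_executable(). */
static void unmap_executable(void* mem, size_t size) {
#ifdef _WIN32
    (void)size;
    VirtualFree(mem, 0, MEM_RELEASE);
#else
    munmap(mem, size);
#endif
}

int main() {
    if (dump_shellcode() != 0)
        return 1;

    size_t fileSize = 0;
    unsigned char* shellcode_buff = read_shellcode_file(&fileSize);
    if (!shellcode_buff)
        return 1;
    printf("[i] Loaded shellcode size: %zu\n", fileSize);

    void* exec = map_executable(shellcode_buff, fileSize);
    free(shellcode_buff);
    if (!exec)
        return 1;

    shellcode_t code = (shellcode_t)exec;
    printf("Result: %d\n", code());

    printf("Shellcode execution completed successfully.\n");

    unmap_executable(exec, fileSize);
    return 0;
}
--------------------------------------------------------------------------------
/Shellcode/x64/Release/Shellcode.Build.CppClean.log:
--------------------------------------------------------------------------------
c:\users\admin\desktop\shellcode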
funnies\shellcode\shellcode\x64\release\vc142.pdb 2 | c:\users\admin\desktop\shellcode funnies\shellcode\shellcode\x64\release\shellcode.obj 3 | c:\users\admin\desktop\shellcode funnies\shellcode\x64\release\shellcode.exe 4 | c:\users\admin\desktop\shellcode funnies\shellcode\x64\release\shellcode.pdb 5 | c:\users\admin\desktop\shellcode funnies\shellcode\shellcode\x64\release\shellcode.tlog\cl.command.1.tlog 6 | c:\users\admin\desktop\shellcode funnies\shellcode\shellcode\x64\release\shellcode.tlog\cl.read.1.tlog 7 | c:\users\admin\desktop\shellcode funnies\shellcode\shellcode\x64\release\shellcode.tlog\cl.write.1.tlog 8 | c:\users\admin\desktop\shellcode funnies\shellcode\shellcode\x64\release\shellcode.tlog\link.command.1.tlog 9 | c:\users\admin\desktop\shellcode funnies\shellcode\shellcode\x64\release\shellcode.tlog\link.read.1.tlog 10 | c:\users\admin\desktop\shellcode funnies\shellcode\shellcode\x64\release\shellcode.tlog\link.write.1.tlog 11 | -------------------------------------------------------------------------------- /Shellcode/x64/Release/Shellcode.exe.recipe: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | C:\Users\admin\Desktop\Shellcode funnies\Shellcode\x64\Release\Shellcode.exe 6 | 7 | 8 | 9 | 10 | 11 | -------------------------------------------------------------------------------- /Shellcode/x64/Release/Shellcode.log: -------------------------------------------------------------------------------- 1 |  shellcode.cpp 2 | C:\Users\admin\Desktop\Shellcode funnies\Shellcode\Shellcode\shcutils.h(22,1): warning C4067: непредвиденные лексемы за директивой препроцессора, требуется newline 3 | C:\Users\admin\Desktop\Shellcode funnies\Shellcode\Shellcode\shellcode.cpp(57,12): warning C4477: "printf": в строке форматирования "%lu" требуется аргумент типа "unsigned long", но вариативный аргумент "1" имеет тип "size_t" 4 | C:\Users\admin\Desktop\Shellcode funnies\Shellcode\Shellcode\shellcode.cpp(57,12): 
message : рекомендуется использовать "%zu" в строке форматирования 5 | LINK : указан параметр /LTCG, но не требуется создание кода; удалите /LTCG из командной строки компоновки для повышения производительности компоновщика 6 | Shellcode.vcxproj -> C:\Users\admin\Desktop\Shellcode funnies\Shellcode\x64\Release\Shellcode.exe 7 | -------------------------------------------------------------------------------- /Shellcode/x64/Release/Shellcode.tlog/CL.command.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ac3ss0r/c2shell/f71c9ade9e675bc7c9cc62c298aad47a5921ca4e/Shellcode/x64/Release/Shellcode.tlog/CL.command.1.tlog -------------------------------------------------------------------------------- /Shellcode/x64/Release/Shellcode.tlog/CL.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ac3ss0r/c2shell/f71c9ade9e675bc7c9cc62c298aad47a5921ca4e/Shellcode/x64/Release/Shellcode.tlog/CL.read.1.tlog -------------------------------------------------------------------------------- /Shellcode/x64/Release/Shellcode.tlog/CL.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ac3ss0r/c2shell/f71c9ade9e675bc7c9cc62c298aad47a5921ca4e/Shellcode/x64/Release/Shellcode.tlog/CL.write.1.tlog -------------------------------------------------------------------------------- /Shellcode/x64/Release/Shellcode.tlog/Shellcode.lastbuildstate: -------------------------------------------------------------------------------- 1 | PlatformToolSet=v142:VCToolArchitecture=Native32Bit:VCToolsVersion=14.29.30133:TargetPlatformVersion=10.0.19041.0: 2 | Release|x64|C:\Users\admin\Desktop\Shellcode funnies\Shellcode\| 3 | -------------------------------------------------------------------------------- /Shellcode/x64/Release/Shellcode.tlog/link.command.1.tlog: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/ac3ss0r/c2shell/f71c9ade9e675bc7c9cc62c298aad47a5921ca4e/Shellcode/x64/Release/Shellcode.tlog/link.command.1.tlog -------------------------------------------------------------------------------- /Shellcode/x64/Release/Shellcode.tlog/link.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ac3ss0r/c2shell/f71c9ade9e675bc7c9cc62c298aad47a5921ca4e/Shellcode/x64/Release/Shellcode.tlog/link.read.1.tlog -------------------------------------------------------------------------------- /Shellcode/x64/Release/Shellcode.tlog/link.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ac3ss0r/c2shell/f71c9ade9e675bc7c9cc62c298aad47a5921ca4e/Shellcode/x64/Release/Shellcode.tlog/link.write.1.tlog -------------------------------------------------------------------------------- /Shellcode/x64/Release/Shellcode.vcxproj.FileListAbsolute.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ac3ss0r/c2shell/f71c9ade9e675bc7c9cc62c298aad47a5921ca4e/Shellcode/x64/Release/Shellcode.vcxproj.FileListAbsolute.txt -------------------------------------------------------------------------------- /Shellcode/x64/Release/vc142.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ac3ss0r/c2shell/f71c9ade9e675bc7c9cc62c298aad47a5921ca4e/Shellcode/x64/Release/vc142.pdb -------------------------------------------------------------------------------- /c2shell.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 16 4 | VisualStudioVersion = 16.0.34301.259 5 | 
MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Shellcode", "Shellcode\Shellcode.vcxproj", "{62CAD85A-3CD3-4CD5-8837-0410F3478DBE}" 7 | EndProject 8 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Loader", "Loader\Loader.vcxproj", "{7CBE89FC-447E-47AA-A613-3F2EA193587C}" 9 | EndProject 10 | Global 11 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 12 | Debug|Any CPU = Debug|Any CPU 13 | Debug|x64 = Debug|x64 14 | Debug|x86 = Debug|x86 15 | Release|Any CPU = Release|Any CPU 16 | Release|x64 = Release|x64 17 | Release|x86 = Release|x86 18 | EndGlobalSection 19 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 20 | {62CAD85A-3CD3-4CD5-8837-0410F3478DBE}.Debug|Any CPU.ActiveCfg = Debug|Win32 21 | {62CAD85A-3CD3-4CD5-8837-0410F3478DBE}.Debug|x64.ActiveCfg = Debug|x64 22 | {62CAD85A-3CD3-4CD5-8837-0410F3478DBE}.Debug|x64.Build.0 = Debug|x64 23 | {62CAD85A-3CD3-4CD5-8837-0410F3478DBE}.Debug|x86.ActiveCfg = Debug|Win32 24 | {62CAD85A-3CD3-4CD5-8837-0410F3478DBE}.Debug|x86.Build.0 = Debug|Win32 25 | {62CAD85A-3CD3-4CD5-8837-0410F3478DBE}.Release|Any CPU.ActiveCfg = Release|Win32 26 | {62CAD85A-3CD3-4CD5-8837-0410F3478DBE}.Release|x64.ActiveCfg = Release|x64 27 | {62CAD85A-3CD3-4CD5-8837-0410F3478DBE}.Release|x64.Build.0 = Release|x64 28 | {62CAD85A-3CD3-4CD5-8837-0410F3478DBE}.Release|x86.ActiveCfg = Release|Win32 29 | {62CAD85A-3CD3-4CD5-8837-0410F3478DBE}.Release|x86.Build.0 = Release|Win32 30 | {7CBE89FC-447E-47AA-A613-3F2EA193587C}.Debug|Any CPU.ActiveCfg = Debug|Win32 31 | {7CBE89FC-447E-47AA-A613-3F2EA193587C}.Debug|x64.ActiveCfg = Debug|x64 32 | {7CBE89FC-447E-47AA-A613-3F2EA193587C}.Debug|x64.Build.0 = Debug|x64 33 | {7CBE89FC-447E-47AA-A613-3F2EA193587C}.Debug|x86.ActiveCfg = Debug|Win32 34 | {7CBE89FC-447E-47AA-A613-3F2EA193587C}.Debug|x86.Build.0 = Debug|Win32 35 | {7CBE89FC-447E-47AA-A613-3F2EA193587C}.Release|Any CPU.ActiveCfg = Release|Win32 36 | 
{7CBE89FC-447E-47AA-A613-3F2EA193587C}.Release|x64.ActiveCfg = Release|x64 37 | {7CBE89FC-447E-47AA-A613-3F2EA193587C}.Release|x64.Build.0 = Release|x64 38 | {7CBE89FC-447E-47AA-A613-3F2EA193587C}.Release|x86.ActiveCfg = Release|Win32 39 | {7CBE89FC-447E-47AA-A613-3F2EA193587C}.Release|x86.Build.0 = Release|Win32 40 | EndGlobalSection 41 | GlobalSection(SolutionProperties) = preSolution 42 | HideSolutionNode = FALSE 43 | EndGlobalSection 44 | GlobalSection(ExtensibilityGlobals) = postSolution 45 | SolutionGuid = {79F4B827-2AE4-40EE-B69C-77BA3679697B} 46 | EndGlobalSection 47 | EndGlobal 48 | --------------------------------------------------------------------------------