├── DllToShellCode.sln
├── DllToShellCode
├── DllToShellCode.c
├── DllToShellCode.vcxproj
├── DllToShellCode.vcxproj.filters
├── DllToShellCode.vcxproj.user
├── ReadMe.txt
├── aplib.h
├── aplib_x64.lib
├── aplib_x86.lib
├── compress.c
├── compress.h
├── shellcode_data.c
└── shellcode_data.h
├── README.md
├── ShellCode_Aplib
├── ReadMe.txt
├── ShellCode_Aplib.c
├── ShellCode_Aplib.vcxproj
├── ShellCode_Aplib.vcxproj.filters
├── ShellCode_Aplib.vcxproj.user
└── order.txt
├── ShellCode_Main
├── ReadMe.txt
├── ShellCode_Main.c
├── ShellCode_Main.vcxproj
├── ShellCode_Main.vcxproj.filters
├── ShellCode_Main.vcxproj.user
├── order.txt
├── shellcode_base.c
├── shellcode_base.h
└── shellcode_global.h
├── ShellCode_Ntdll
├── ReadMe.txt
├── ShellCode_Ntdll.c
├── ShellCode_Ntdll.vcxproj
├── ShellCode_Ntdll.vcxproj.filters
├── ShellCode_Ntdll.vcxproj.user
├── order.txt
├── shellcode_base.c
├── shellcode_base.h
└── shellcode_global.h
└── Tester
├── gen.bat
├── tester_aplib_mode1.asm
├── tester_aplib_mode2.asm
├── tester_main_mode1.asm
├── tester_main_mode2.asm
├── tester_nt_mode1.asm
└── tester_nt_mode2.asm
/DllToShellCode.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio 2013
4 | VisualStudioVersion = 12.0.40629.0
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "DllToShellCode", "DllToShellCode\DllToShellCode.vcxproj", "{AD8ADA7E-617D-46DC-94E7-8ACA302372DF}"
7 | EndProject
8 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ShellCode_Aplib", "ShellCode_Aplib\ShellCode_Aplib.vcxproj", "{659AA5AB-887E-4F13-B85F-DE6017E9F0AC}"
9 | EndProject
10 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ShellCode_Main", "ShellCode_Main\ShellCode_Main.vcxproj", "{20FB1CAA-A718-478F-8B8D-75110C77B56B}"
11 | EndProject
12 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ShellCode_Ntdll", "ShellCode_Ntdll\ShellCode_Ntdll.vcxproj", "{DB54F4C7-3909-4E06-BA3B-B5F8459FA5C6}"
13 | EndProject
14 | Global
15 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
16 | Debug|Win32 = Debug|Win32
17 | Debug|x64 = Debug|x64
18 | Release|Win32 = Release|Win32
19 | Release|x64 = Release|x64
20 | EndGlobalSection
21 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
22 | {AD8ADA7E-617D-46DC-94E7-8ACA302372DF}.Debug|Win32.ActiveCfg = Debug|Win32
23 | {AD8ADA7E-617D-46DC-94E7-8ACA302372DF}.Debug|Win32.Build.0 = Debug|Win32
24 | {AD8ADA7E-617D-46DC-94E7-8ACA302372DF}.Debug|x64.ActiveCfg = Debug|x64
25 | {AD8ADA7E-617D-46DC-94E7-8ACA302372DF}.Debug|x64.Build.0 = Debug|x64
26 | {AD8ADA7E-617D-46DC-94E7-8ACA302372DF}.Release|Win32.ActiveCfg = Release|Win32
27 | {AD8ADA7E-617D-46DC-94E7-8ACA302372DF}.Release|Win32.Build.0 = Release|Win32
28 | {AD8ADA7E-617D-46DC-94E7-8ACA302372DF}.Release|x64.ActiveCfg = Release|x64
29 | {AD8ADA7E-617D-46DC-94E7-8ACA302372DF}.Release|x64.Build.0 = Release|x64
30 | {659AA5AB-887E-4F13-B85F-DE6017E9F0AC}.Debug|Win32.ActiveCfg = Debug|Win32
31 | {659AA5AB-887E-4F13-B85F-DE6017E9F0AC}.Debug|Win32.Build.0 = Debug|Win32
32 | {659AA5AB-887E-4F13-B85F-DE6017E9F0AC}.Debug|x64.ActiveCfg = Debug|x64
33 | {659AA5AB-887E-4F13-B85F-DE6017E9F0AC}.Debug|x64.Build.0 = Debug|x64
34 | {659AA5AB-887E-4F13-B85F-DE6017E9F0AC}.Release|Win32.ActiveCfg = Release|Win32
35 | {659AA5AB-887E-4F13-B85F-DE6017E9F0AC}.Release|Win32.Build.0 = Release|Win32
36 | {659AA5AB-887E-4F13-B85F-DE6017E9F0AC}.Release|x64.ActiveCfg = Release|x64
37 | {659AA5AB-887E-4F13-B85F-DE6017E9F0AC}.Release|x64.Build.0 = Release|x64
38 | {20FB1CAA-A718-478F-8B8D-75110C77B56B}.Debug|Win32.ActiveCfg = Debug|Win32
39 | {20FB1CAA-A718-478F-8B8D-75110C77B56B}.Debug|Win32.Build.0 = Debug|Win32
40 | {20FB1CAA-A718-478F-8B8D-75110C77B56B}.Debug|x64.ActiveCfg = Debug|x64
41 | {20FB1CAA-A718-478F-8B8D-75110C77B56B}.Debug|x64.Build.0 = Debug|x64
42 | {20FB1CAA-A718-478F-8B8D-75110C77B56B}.Release|Win32.ActiveCfg = Release|Win32
43 | {20FB1CAA-A718-478F-8B8D-75110C77B56B}.Release|Win32.Build.0 = Release|Win32
44 | {20FB1CAA-A718-478F-8B8D-75110C77B56B}.Release|x64.ActiveCfg = Release|x64
45 | {20FB1CAA-A718-478F-8B8D-75110C77B56B}.Release|x64.Build.0 = Release|x64
46 | {DB54F4C7-3909-4E06-BA3B-B5F8459FA5C6}.Debug|Win32.ActiveCfg = Debug|Win32
47 | {DB54F4C7-3909-4E06-BA3B-B5F8459FA5C6}.Debug|Win32.Build.0 = Debug|Win32
48 | {DB54F4C7-3909-4E06-BA3B-B5F8459FA5C6}.Debug|x64.ActiveCfg = Debug|x64
49 | {DB54F4C7-3909-4E06-BA3B-B5F8459FA5C6}.Debug|x64.Build.0 = Debug|x64
50 | {DB54F4C7-3909-4E06-BA3B-B5F8459FA5C6}.Release|Win32.ActiveCfg = Release|Win32
51 | {DB54F4C7-3909-4E06-BA3B-B5F8459FA5C6}.Release|Win32.Build.0 = Release|Win32
52 | {DB54F4C7-3909-4E06-BA3B-B5F8459FA5C6}.Release|x64.ActiveCfg = Release|x64
53 | {DB54F4C7-3909-4E06-BA3B-B5F8459FA5C6}.Release|x64.Build.0 = Release|x64
54 | EndGlobalSection
55 | GlobalSection(SolutionProperties) = preSolution
56 | HideSolutionNode = FALSE
57 | EndGlobalSection
58 | EndGlobal
59 |
--------------------------------------------------------------------------------
/DllToShellCode/DllToShellCode.c:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/killeven/DllToShellCode/e9490e1f187efce92107582e56633247a28d25f4/DllToShellCode/DllToShellCode.c
--------------------------------------------------------------------------------
/DllToShellCode/DllToShellCode.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Debug
10 | x64
11 |
12 |
13 | Release
14 | Win32
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | {AD8ADA7E-617D-46DC-94E7-8ACA302372DF}
23 | Win32Proj
24 | DllToShellCode
25 |
26 |
27 |
28 | Application
29 | true
30 | v120
31 | Unicode
32 |
33 |
34 | Application
35 | true
36 | v120
37 | Unicode
38 |
39 |
40 | Application
41 | false
42 | v120
43 | true
44 | MultiByte
45 |
46 |
47 | Application
48 | false
49 | v120
50 | true
51 | MultiByte
52 |
53 |
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 | true
71 |
72 |
73 | true
74 |
75 |
76 | false
77 |
78 |
79 | false
80 |
81 |
82 |
83 | Use
84 | Level3
85 | Disabled
86 | WIN32;_DEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions)
87 | true
88 |
89 |
90 | Console
91 | true
92 |
93 |
94 |
95 |
96 | Use
97 | Level3
98 | Disabled
99 | WIN32;_DEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions)
100 | true
101 |
102 |
103 | Console
104 | true
105 |
106 |
107 |
108 |
109 | Level3
110 | NotUsing
111 | MaxSpeed
112 | true
113 | true
114 | WIN32;NDEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions)
115 | true
116 | MultiThreaded
117 |
118 |
119 | Console
120 | true
121 | true
122 | true
123 | false
124 |
125 |
126 |
127 |
128 | Level3
129 | NotUsing
130 | MaxSpeed
131 | true
132 | true
133 | WIN32;NDEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions)
134 | true
135 | MultiThreaded
136 |
137 |
138 | Console
139 | true
140 | true
141 | true
142 | false
143 |
144 |
145 |
146 |
147 |
148 |
149 |
150 |
151 |
152 |
153 |
154 |
155 |
156 |
157 |
158 |
159 |
160 |
--------------------------------------------------------------------------------
/DllToShellCode/DllToShellCode.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 | 头文件
23 |
24 |
25 | 头文件
26 |
27 |
28 |
29 |
30 | 源文件
31 |
32 |
33 | 源文件
34 |
35 |
36 | 源文件
37 |
38 |
39 |
--------------------------------------------------------------------------------
/DllToShellCode/DllToShellCode.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/DllToShellCode/ReadMe.txt:
--------------------------------------------------------------------------------
1 | ========================================================================
2 | 控制台应用程序:DllToShellCode 项目概述
3 | ========================================================================
4 |
5 | 应用程序向导已为您创建了此 DllToShellCode 应用程序。
6 |
7 | 本文件概要介绍组成 DllToShellCode 应用程序的每个文件的内容。
8 |
9 |
10 | DllToShellCode.vcxproj
11 | 这是使用应用程序向导生成的 VC++ 项目的主项目文件,其中包含生成该文件的 Visual C++ 的版本信息,以及有关使用应用程序向导选择的平台、配置和项目功能的信息。
12 |
13 | DllToShellCode.vcxproj.filters
14 | 这是使用“应用程序向导”生成的 VC++ 项目筛选器文件。它包含有关项目文件与筛选器之间的关联信息。在 IDE 中,通过这种关联,在特定节点下以分组形式显示具有相似扩展名的文件。例如,“.cpp”文件与“源文件”筛选器关联。
15 |
16 | DllToShellCode.cpp
17 | 这是主应用程序源文件。
18 |
19 | /////////////////////////////////////////////////////////////////////////////
20 | 其他标准文件:
21 |
22 | StdAfx.h, StdAfx.cpp
23 | 这些文件用于生成名为 DllToShellCode.pch 的预编译头 (PCH) 文件和名为 StdAfx.obj 的预编译类型文件。
24 |
25 | /////////////////////////////////////////////////////////////////////////////
26 | 其他注释:
27 |
28 | 应用程序向导使用“TODO:”注释来指示应添加或自定义的源代码部分。
29 |
30 | /////////////////////////////////////////////////////////////////////////////
31 |
--------------------------------------------------------------------------------
/DllToShellCode/aplib.h:
--------------------------------------------------------------------------------
1 | /*
2 | * aPLib compression library - the smaller the better :)
3 | *
4 | * COFF 64-bit format header file
5 | *
6 | * Copyright (c) 1998-2014 Joergen Ibsen
7 | * All Rights Reserved
8 | *
9 | * http://www.ibsensoftware.com/
10 | */
11 |
12 | #ifndef APLIB_H_INCLUDED
13 | #define APLIB_H_INCLUDED
14 |
15 | #ifdef __cplusplus
16 | extern "C" {
17 | #endif
18 |
19 | #ifndef APLIB_ERROR
20 | # define APLIB_ERROR ((unsigned int) (-1))
21 | #endif
22 |
23 | unsigned int aP_pack(const void *source,
24 | void *destination,
25 | unsigned int length,
26 | void *workmem,
27 | int (*callback)(unsigned int, unsigned int, unsigned int, void *),
28 | void *cbparam);
29 |
30 | unsigned int aP_workmem_size(unsigned int inputsize);
31 |
32 | unsigned int aP_max_packed_size(unsigned int inputsize);
33 |
34 | unsigned int aP_depack_asm(const void *source, void *destination);
35 |
36 | unsigned int aP_depack_asm_fast(const void *source, void *destination);
37 |
38 | unsigned int aP_depack_asm_safe(const void *source,
39 | unsigned int srclen,
40 | void *destination,
41 | unsigned int dstlen);
42 |
43 | unsigned int aP_crc32(const void *source, unsigned int length);
44 |
45 | unsigned int aPsafe_pack(const void *source,
46 | void *destination,
47 | unsigned int length,
48 | void *workmem,
49 | int (*callback)(unsigned int, unsigned int, unsigned int, void *),
50 | void *cbparam);
51 |
52 | unsigned int aPsafe_check(const void *source);
53 |
54 | unsigned int aPsafe_get_orig_size(const void *source);
55 |
56 | unsigned int aPsafe_depack(const void *source,
57 | unsigned int srclen,
58 | void *destination,
59 | unsigned int dstlen);
60 |
61 | #ifdef __cplusplus
62 | } /* extern "C" */
63 | #endif
64 |
65 | #endif /* APLIB_H_INCLUDED */
66 |
--------------------------------------------------------------------------------
/DllToShellCode/aplib_x64.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/killeven/DllToShellCode/e9490e1f187efce92107582e56633247a28d25f4/DllToShellCode/aplib_x64.lib
--------------------------------------------------------------------------------
/DllToShellCode/aplib_x86.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/killeven/DllToShellCode/e9490e1f187efce92107582e56633247a28d25f4/DllToShellCode/aplib_x86.lib
--------------------------------------------------------------------------------
/DllToShellCode/compress.c:
--------------------------------------------------------------------------------
1 | #include "compress.h"
2 | #include "aplib.h"
3 | #include
4 | #include
5 |
6 | #ifdef _WIN64
7 | # pragma comment(lib, "aplib_x64.lib")
8 | #else
9 | # pragma comment(lib, "aplib_x86.lib")
10 | #endif // _WIN64
11 |
12 | #ifndef NT_SUCCESS
13 | # define NT_SUCCESS(s) ((NTSTATUS)(s)>=0)
14 | #endif // NT_SUCCESS
15 |
16 | typedef NTSTATUS(__stdcall *_RtlCompressBuffer)(
17 | USHORT CompressionFormatAndEngine,
18 | PUCHAR UncompressedBuffer,
19 | ULONG UncompressedBufferSize,
20 | PUCHAR CompressedBuffer,
21 | ULONG CompressedBufferSize,
22 | ULONG UncompressedChunkSize,
23 | PULONG FinalCompressedSize,
24 | PVOID WorkSpace
25 | );
26 |
27 | typedef NTSTATUS(__stdcall *_RtlGetCompressionWorkSpaceSize)(
28 | USHORT CompressionFormatAndEngine,
29 | PULONG CompressBufferWorkSpaceSize,
30 | PULONG CompressFragmentWorkSpaceSize
31 | );
32 |
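/*
 * Compress src (srclen bytes) into dest (destlen bytes) with the ntdll
 * LZNT1 engine (COMPRESSION_FORMAT_LZNT1 | COMPRESSION_ENGINE_MAXIMUM).
 * RtlGetCompressionWorkSpaceSize and RtlCompressBuffer are resolved from
 * the already-loaded ntdll at run time rather than linked statically.
 *
 * Returns the number of compressed bytes written to dest, or COMPRESS_ERROR
 * when ntdll or either Rtl function cannot be resolved, the work-space size
 * query fails, the work space cannot be allocated, or RtlCompressBuffer
 * returns a failure status (which includes a dest that is too small, since
 * destlen is passed through as CompressedBufferSize). Diagnostics are
 * printed with printf, as elsewhere in this file.
 */
unsigned int nt_compress(void *src, unsigned int srclen, void *dest, unsigned int destlen) {
    HMODULE ntdll = GetModuleHandle("ntdll");
    if (ntdll == 0) {
        printf("get compress function error.\n");
        return COMPRESS_ERROR;
    }
    _RtlGetCompressionWorkSpaceSize xRtlGetCompressionWorkSpaceSize =
        (_RtlGetCompressionWorkSpaceSize)GetProcAddress(ntdll, "RtlGetCompressionWorkSpaceSize");
    _RtlCompressBuffer xRtlCompressBuffer =
        (_RtlCompressBuffer)GetProcAddress(ntdll, "RtlCompressBuffer");
    /* Both pointers are called below, so both lookups must be validated;
     * checking only one of them would allow a call through a null pointer. */
    if (xRtlGetCompressionWorkSpaceSize == 0 || xRtlCompressBuffer == 0) {
        printf("get compress function error.\n");
        return COMPRESS_ERROR;
    }

    ULONG compressWorkSpaceSize = 0, compressFragmentSpaceSize = 0;
    NTSTATUS ret = xRtlGetCompressionWorkSpaceSize(COMPRESSION_FORMAT_LZNT1 | COMPRESSION_ENGINE_MAXIMUM,
                                                   &compressWorkSpaceSize,
                                                   &compressFragmentSpaceSize);
    if (!NT_SUCCESS(ret)) {
        printf("get compression work space size error.\n");
        return COMPRESS_ERROR;
    }

    void *compressWorkSpace = malloc(compressWorkSpaceSize);
    if (compressWorkSpace == 0) {
        printf("malloc work space error.\n");
        return COMPRESS_ERROR;
    }

    /* UncompressedChunkSize of 0 lets the engine pick its default chunking. */
    ULONG compressedSize = 0;
    ret = xRtlCompressBuffer(COMPRESSION_FORMAT_LZNT1 | COMPRESSION_ENGINE_MAXIMUM,
                             (PUCHAR)src,
                             srclen,
                             (PUCHAR)dest,
                             destlen,
                             0,
                             &compressedSize,
                             compressWorkSpace);
    /* The work space is only needed for the duration of the call. */
    free(compressWorkSpace);
    if (!NT_SUCCESS(ret)) {
        printf("compress buffer error.\n");
        return COMPRESS_ERROR;
    }
    return (unsigned int)compressedSize;
}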
70 |
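/*
 * Compress src (srclen bytes) into dest with aPLib's aP_pack, without a
 * progress callback.
 *
 * aP_pack takes no destination length, so dest must be able to hold
 * aP_max_packed_size(srclen) bytes; destlen (which callers must pass as the
 * real capacity of dest) is checked against that bound up front and
 * COMPRESS_ERROR is returned instead of letting aP_pack write past the end
 * of dest. COMPRESS_ERROR is also returned when the packer's work memory
 * cannot be allocated. Otherwise the return value is aP_pack's own result:
 * the packed size, or APLIB_ERROR, which has the same bit pattern as
 * COMPRESS_ERROR ((unsigned int)-1).
 */
unsigned int aplib_compress(void *src, unsigned int srclen, void *dest, unsigned int destlen) {
    /* Guard the output buffer: aP_pack itself cannot be told how large dest is. */
    if (destlen < aP_max_packed_size(srclen)) {
        printf("destination buffer too small.\n");
        return COMPRESS_ERROR;
    }
    void *workMemory = malloc(aP_workmem_size(srclen));
    if (workMemory == 0) {
        printf("malloc work space error.\n");
        return COMPRESS_ERROR;
    }
    unsigned int packedSize = aP_pack(src, dest, srclen, workMemory, 0, 0);
    free(workMemory);
    return packedSize;
}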
--------------------------------------------------------------------------------
/DllToShellCode/compress.h:
--------------------------------------------------------------------------------
1 | #ifndef COMPRESS_H
2 | #define COMPRESS_H
3 |
4 | #ifndef COMPRESS_ERROR
5 | # define COMPRESS_ERROR ((unsigned int)-1)
6 | #endif // COMPRESS_ERROR
7 |
8 | #ifdef __cplusplus
9 | extern "C" {
10 | #endif // __cplusplus
11 | unsigned int nt_compress(void *src, unsigned int srclen, void *dest, unsigned int destlen);
12 | unsigned int aplib_compress(void *src, unsigned int srclen, void *dest, unsigned int destlen);
13 | #ifdef __cplusplus
14 | }
15 | #endif // __cplusplus
16 |
17 | #endif // COMPRESS_H
--------------------------------------------------------------------------------
/DllToShellCode/shellcode_data.c:
--------------------------------------------------------------------------------
1 | #include "shellcode_data.h"
2 | #include
3 |
4 | char shellcode_main_x86[1354] = {
5 | "\xe9\x92\x04\x00\x00\x55\x8b\xec\x83\xec\x18\x53\x56\x8b\x71\x3c\x57\x89\x55\xf4\x8b\x44\x0e\x78\x85\xc0\x74\x6d\x83\x7c"
6 | "\x0e\x7c\x00\x74\x66\x8b\x5c\x08\x18\x89\x5d\xf8\x85\xdb\x74\x5b\x8b\x54\x08\x1c\x8b\x74\x08\x20\x03\xd1\x8b\x44\x08\x24"
7 | "\x03\xf1\x89\x55\xe8\x03\xc1\x33\xd2\x89\x75\xf0\x89\x45\xec\x85\xdb\x74\x3a\x8b\x3c\x96\x33\xf6\x03\xf9\x89\x7d\xfc\x8a"
8 | "\x07\x84\xc0\x74\x17\x8b\xdf\x69\xf6\x83\x00\x00\x00\x0f\xbe\xc0\x03\xf0\x43\x8a\x03\x84\xc0\x75\xee\x8b\x5d\xf8\x81\xe6"
9 | "\xff\xff\xff\x7f\x3b\x75\xf4\x74\x11\x8b\x75\xf0\x42\x3b\xd3\x72\xc6\x33\xc0\x5f\x5e\x5b\x8b\xe5\x5d\xc3\x83\x7d\x08\x00"
10 | "\x75\x11\x8b\x45\xec\x0f\xb7\x04\x50\x8b\x55\xe8\x8b\x04\x82\x03\xc1\xeb\xe2\x57\x51\xff\x55\x08\xeb\xdb\x55\x8b\xec\x51"
11 | "\x83\x65\xfc\x00\xe8\x00\x00\x00\x00\x58\x2d\xbd\x10\xba\x00\x89\x45\xfc\x8b\x45\xfc\x8b\xe5\x5d\xc3\x55\x8b\xec\x51\x51"
12 | "\x64\xa1\x30\x00\x00\x00\x53\x56\x57\x8b\x40\x0c\x8b\xd9\x8b\x50\x14\xeb\x41\x0f\xb7\x72\x24\x33\xc9\x8b\x7a\x28\xd1\xee"
13 | "\x85\xf6\x7e\x1e\x0f\xb7\x07\x8d\x7f\x02\x83\xf8\x61\x72\x05\x05\xe0\xff\x00\x00\x69\xc9\x83\x00\x00\x00\x0f\xb7\xc0\x03"
14 | "\xc8\x4e\x75\xe2\x81\xe1\xff\xff\xff\x7f\x81\xf9\xe6\x9c\xca\x1c\x0f\x84\x9f\x00\x00\x00\x8b\x12\x85\xd2\x75\xbb\x33\xf6"
15 | "\x6a\x00\xba\x54\xb8\xb9\x1a\x8b\xce\xe8\xcb\xfe\xff\xff\x50\xba\x78\x1f\x20\x7f\x89\x03\x8b\xce\xe8\xbc\xfe\xff\xff\xff"
16 | "\x33\xba\x62\x34\x89\x5e\x89\x43\x04\x8b\xce\xe8\xab\xfe\xff\xff\xff\x33\xba\x73\x80\x48\x06\x89\x43\x08\x8b\xce\xe8\x9a"
17 | "\xfe\xff\xff\xff\x33\xba\xa5\xf2\x5c\x70\x89\x43\x0c\x8b\xce\xe8\x89\xfe\xff\xff\x83\xc4\x14\x89\x43\x10\x8d\x45\xf8\xc7"
18 | "\x45\xf8\x6e\x74\x64\x6c\x66\xc7\x45\xfc\x6c\x00\x50\xff\x53\x04\xff\x33\x8b\xf0\xba\xcb\x79\xb5\x0d\x8b\xce\xe8\x5f\xfe"
19 | "\xff\xff\xff\x33\xba\xc0\xe9\x18\x15\x89\x43\x14\x8b\xce\xe8\x4e\xfe\xff\xff\x59\x59\x5f\x5e\x89\x43\x18\x5b\x8b\xe5\x5d"
20 | "\xc3\x8b\x72\x10\xe9\x61\xff\xff\xff\x55\x8b\xec\x83\xec\x18\x8b\xc2\x89\x4d\xfc\x89\x45\xf4\x53\x56\x85\xc0\x75\x07\x33"
21 | "\xc0\xe9\x92\x02\x00\x00\xba\x4d\x5a\x00\x00\x66\x39\x10\x75\xef\x57\x8b\x78\x3c\x03\xf8\x81\x3f\x50\x45\x00\x00\x0f\x85"
22 | "\x73\x02\x00\x00\xb8\x4c\x01\x00\x00\x66\x39\x47\x04\x0f\x85\x64\x02\x00\x00\x83\xc0\xbf\x66\x39\x47\x18\x0f\x85\x57\x02"
23 | "\x00\x00\x6a\x40\x68\x00\x10\x00\x00\xff\x77\x50\x33\xdb\x53\xff\x51\x08\x8b\xf0\x85\xf6\x0f\x84\x3d\x02\x00\x00\xff\x77"
24 | "\x54\x8b\x45\xfc\xff\x75\xf4\x56\xff\x50\x18\x8b\x7e\x3c\x33\xc0\x03\xfe\x89\x5d\xf0\x89\x7d\xec\x66\x3b\x47\x06\x73\x58"
25 | "\x8b\x5d\xf4\x8d\x87\x08\x01\x00\x00\x89\x45\xf8\x8b\x48\xfc\x85\xc9\x74\x2b\x03\xce\x83\x38\x00\x74\x11\xff\x30\x8b\x40"
26 | "\x04\x03\xc3\x50\x8b\x45\xfc\x51\xff\x50\x18\xeb\x10\x83\x7f\x38\x00\x76\x0d\xff\x77\x38\x8b\x45\xfc\x51\xff\x50\x14\x8b"
27 | "\x45\xf8\x8b\x4d\xf0\x83\xc0\x28\x89\x45\xf8\x41\x0f\xb7\x47\x06\x3b\xc8\x89\x4d\xf0\x8b\x45\xf8\x7c\xb6\x33\xdb\x8b\x87"
28 | "\xa0\x00\x00\x00\x85\xc0\x74\x60\x39\x9f\xa4\x00\x00\x00\x74\x58\x8d\x0c\x30\xeb\x45\x8d\x42\xf8\x89\x5d\xf4\xd1\xe8\x89"
29 | "\x45\xf8\x85\xc0\x7e\x31\x0f\xb7\x54\x59\x08\x8b\xc2\xc7\x45\xf4\x00\x30\x00\x00\x25\x00\xf0\x00\x00\x66\x3b\x45\xf4\x75"
30 | "\x10\x81\xe2\xff\x0f\x00\x00\x8b\xc6\x03\x11\x2b\x47\x34\x01\x04\x32\x43\x3b\x5d\xf8\x7c\xd1\x33\xdb\x8b\x45\xf0\x03\x08"
31 | "\x8d\x41\x04\x8b\x10\x89\x45\xf0\x8b\x01\x03\xc2\x75\xad\x8b\x87\x80\x00\x00\x00\x85\xc0\x74\x7f\x39\x9f\x84\x00\x00\x00"
32 | "\x74\x77\x03\xc6\xeb\x69\x03\xc6\x50\x8b\x45\xfc\xff\x50\x04\x89\x45\xe8\x85\xc0\x0f\x84\x22\x01\x00\x00\x8b\x45\xf8\x8b"
33 | "\x08\x85\xc9\x75\x03\x8b\x48\x10\x8b\x50\x10\x03\xce\x89\x4d\xf0\x03\xd6\x89\x55\xf4\x8b\x09\x85\xc9\x74\x33\x8b\x5d\xfc"
34 | "\x8b\xfa\x79\x05\x0f\xb7\xc1\xeb\x05\x8d\x46\x02\x03\xc1\x50\xff\x75\xe8\xff\x13\x89\x07\x83\xc7\x04\x8b\x45\xf0\x83\xc0"
35 | "\x04\x89\x45\xf0\x8b\x08\x85\xc9\x75\xda\x8b\x7d\xec\x33\xdb\x8b\x45\xf8\x83\xc0\x14\x89\x45\xf8\x8b\x40\x0c\x85\xc0\x75"
36 | "\x8d\x8b\x8f\xc0\x00\x00\x00\x85\xc9\x74\x3f\x8b\x4c\x31\x0c\x33\xd2\x6a\x03\x58\x2b\xc1\x89\x4d\xf0\xc1\xe8\x02\x85\xc9"
37 | "\x89\x5d\xf4\x0f\x45\xc2\x89\x45\xe8\x85\xc0\x74\x1f\x8b\xf8\x53\x6a\x01\x56\xff\x11\x8b\x4d\xf0\x8b\x45\xf4\x83\xc1\x04"
38 | "\x40\x89\x4d\xf0\x89\x45\xf4\x3b\xc7\x75\xe6\x8b\x7d\xec\x8b\x47\x28\x03\xc6\x74\x08\xff\x75\x08\x6a\x01\x56\xff\xd0\x83"
39 | "\x7d\x0c\x00\x0f\x84\x8d\x00\x00\x00\x8b\x45\x10\x85\xc0\x0f\x84\x82\x00\x00\x00\x89\x18\x8b\x47\x78\x85\xc0\x74\x79\x39"
40 | "\x5f\x7c\x74\x74\x39\x5c\x30\x18\x74\x6e\x8b\x4c\x30\x1c\x8b\x54\x30\x20\x03\xce\x89\x4d\xf4\x03\xd6\x8b\x4c\x30\x24\x03"
41 | "\xce\x89\x55\xec\x89\x4d\xf0\x39\x5c\x30\x14\x76\x4d\x8b\xf8\x8b\x04\x9a\xff\x75\x0c\x03\xc6\x50\x8b\x45\xfc\xff\x50\x10"
42 | "\x85\xc0\x74\x24\x8b\x55\xec\x43\x3b\x5c\x37\x14\x72\xe3\xeb\x2c\x8b\x45\xfc\x68\x00\x40\x00\x00\xff\x77\x50\x56\xff\x50"
43 | "\x0c\x33\xc0\x5f\x5e\x5b\x8b\xe5\x5d\xc3\x8b\x45\xf0\x8b\x4d\xf4\x0f\xb7\x04\x58\x8b\x04\x81\x8b\x4d\x10\x03\xc6\x89\x01"
44 | "\x33\xc0\x40\xeb\xe0\x55\x8b\xec\x83\xec\x24\x53\x56\x57\x8d\x4d\xdc\xe8\x25\xfc\xff\xff\xe8\x03\xfc\xff\xff\x83\x65\xfc"
45 | "\x00\x8b\xf0\x81\xc6\x4a\x15\xba\x00\x33\xdb\x8b\x7e\x0d\x8b\x46\x01\x03\xfe\x85\xc0\x74\x3a\x6a\x04\x68\x00\x10\x00\x00"
46 | "\xff\x76\x05\x03\xc6\x53\x89\x45\xf8\xff\x55\xe4\x8b\xd8\x85\xdb\x75\x04\x33\xc0\xeb\x5f\xff\x76\x05\x53\xff\x76\x09\x57"
47 | "\xff\x55\xf8\x83\xc4\x10\x83\xf8\xff\x74\x20\x3b\x46\x05\x75\x1b\x8b\xfb\x33\xdb\x43\x80\x3e\x00\x8d\x45\xfc\x50\x8b\xd7"
48 | "\x8d\x4d\xdc\x8d\x46\x11\x75\x13\x6a\x00\x50\xeb\x11\x68\x00\x40\x00\x00\xff\x76\x05\x53\xff\x55\xe8\xeb\xbb\x50\x6a\x00"
49 | "\xe8\x9e\xfc\xff\xff\x83\xc4\x0c\x85\xdb\x74\x0c\x68\x00\x40\x00\x00\xff\x76\x05\x57\xff\x55\xe8\x8b\x45\xfc\x5f\x5e\x5b"
50 | "\x8b\xe5\x5d\xc3"
51 | };
52 |
53 | char shellcode_main_x64[1628] = {
54 | "\xe9\x43\x04\x00\x00\xcc\xcc\xcc\x48\x8b\xc4\x48\x89\x58\x08\x48\x89\x68\x10\x48\x89\x70\x18\x48\x89\x78\x20\x41\x56\x48"
55 | "\x83\xec\x20\x48\x63\x41\x3c\x4c\x8b\xc9\x49\x8b\xd8\x8b\x8c\x08\x88\x00\x00\x00\x8b\xea\x85\xc9\x74\x6a\x42\x83\xbc\x08"
56 | "\x8c\x00\x00\x00\x00\x74\x5f\x49\x8d\x04\x09\x44\x8b\x58\x18\x45\x85\xdb\x74\x52\x44\x8b\x40\x20\x8b\x78\x1c\x8b\x70\x24"
57 | "\x4d\x03\xc1\x49\x03\xf9\x49\x03\xf1\x33\xd2\x45\x85\xdb\x74\x38\x45\x8b\x10\x4d\x03\xd1\x33\xc9\x41\x8a\x02\x4d\x8b\xf2"
58 | "\xeb\x11\x69\xc9\x83\x00\x00\x00\x0f\xbe\xc0\x03\xc8\x49\xff\xc6\x41\x8a\x06\x84\xc0\x75\xeb\x0f\xba\xf1\x1f\x3b\xcd\x74"
59 | "\x28\xff\xc2\x49\x83\xc0\x04\x41\x3b\xd3\x72\xc8\x33\xc0\x48\x8b\x5c\x24\x30\x48\x8b\x6c\x24\x38\x48\x8b\x74\x24\x40\x48"
60 | "\x8b\x7c\x24\x48\x48\x83\xc4\x20\x41\x5e\xc3\x48\x85\xdb\x75\x0c\x0f\xb7\x0c\x56\x8b\x04\x8f\x49\x03\xc1\xeb\xd4\x49\x8b"
61 | "\xd2\x49\x8b\xc9\xff\xd3\xeb\xca\xcc\xcc\x48\x8b\xc4\x48\x89\x58\x08\x48\x89\x68\x10\x48\x89\x70\x18\x4c\x89\x48\x20\x57"
62 | "\x41\x54\x41\x55\x41\x56\x41\x57\x48\x83\xec\x20\xb8\x4d\x5a\x00\x00\x4d\x8b\xf9\x4d\x8b\xe0\x48\x8b\xf2\x4c\x8b\xe9\x66"
63 | "\x39\x02\x0f\x85\xfa\x02\x00\x00\x48\x63\x7a\x3c\x48\x03\xfa\x81\x3f\x50\x45\x00\x00\x0f\x85\xe7\x02\x00\x00\xb8\x64\x86"
64 | "\x00\x00\x66\x39\x47\x04\x0f\x85\xd8\x02\x00\x00\xb8\x0b\x02\x00\x00\x66\x39\x47\x18\x0f\x85\xc9\x02\x00\x00\x8b\x57\x50"
65 | "\x33\xc9\x41\xb8\x00\x10\x00\x00\x44\x8d\x49\x40\x41\xff\x55\x10\x48\x8b\xd8\x33\xc0\x48\x85\xdb\x0f\x84\xaa\x02\x00\x00"
66 | "\x44\x8b\x47\x54\x48\x8b\xd6\x48\x8b\xcb\x41\xff\x55\x30\x48\x63\x7b\x3c\x45\x33\xdb\x48\x03\xfb\x41\x8b\xeb\x66\x44\x3b"
67 | "\x5f\x06\x73\x47\x4c\x8d\xb7\x18\x01\x00\x00\x45\x39\x5e\xfc\x74\x2c\x41\x8b\x4e\xfc\x48\x03\xcb\x45\x39\x1e\x74\x10\x41"
68 | "\x8b\x56\x04\x45\x8b\x06\x48\x03\xd6\x41\xff\x55\x30\xeb\x0d\x44\x39\x5f\x38\x76\x0a\x8b\x57\x38\x41\xff\x55\x28\x45\x33"
69 | "\xdb\x0f\xb7\x47\x06\xff\xc5\x49\x83\xc6\x28\x3b\xe8\x7c\xc0\x8b\x87\xb0\x00\x00\x00\x85\xc0\x0f\x84\xb2\x00\x00\x00\x44"
70 | "\x39\x9f\xb4\x00\x00\x00\x0f\x84\xa5\x00\x00\x00\x48\x8d\x14\x03\x44\x8b\x4a\x04\x8b\x0a\x41\x03\xc9\x0f\x84\x92\x00\x00"
71 | "\x00\xbe\x00\xf0\x00\x00\xbd\xff\x0f\x00\x00\x41\x8b\xc1\x4d\x8b\xc3\x48\x83\xe8\x08\x48\xd1\xe8\x4c\x63\xd0\x85\xc0\x7e"
72 | "\x5f\x46\x0f\xb7\x4c\x42\x08\xb9\x00\x30\x00\x00\x41\x0f\xb7\xc1\x66\x23\xc6\x66\x3b\xc1\x75\x13\x8b\x0a\x4c\x23\xcd\x4a"
73 | "\x8d\x04\x0b\x48\x03\xc8\x8b\xc3\x2b\x47\x30\x01\x01\x46\x0f\xb7\x4c\x42\x08\xb9\x00\xa0\x00\x00\x41\x0f\xb7\xc1\x66\x23"
74 | "\xc6\x66\x3b\xc1\x75\x16\x8b\x0a\x4c\x23\xcd\x4a\x8d\x04\x0b\x48\x03\xc8\x48\x8b\xc3\x48\x2b\x47\x30\x48\x01\x01\x49\xff"
75 | "\xc0\x4d\x3b\xc2\x7c\xa1\x8b\x42\x04\x48\x03\xd0\x44\x8b\x4a\x04\x8b\x0a\x41\x03\xc9\x0f\x85\x78\xff\xff\xff\x8b\x87\x90"
76 | "\x00\x00\x00\x85\xc0\x0f\x84\x90\x00\x00\x00\x44\x39\x9f\x94\x00\x00\x00\x0f\x84\x83\x00\x00\x00\x48\x8d\x34\x03\x8b\x46"
77 | "\x0c\x85\xc0\x74\x78\x8b\xc8\x48\x03\xcb\x41\xff\x55\x08\x45\x33\xdb\x48\x8b\xe8\x48\x85\xc0\x0f\x84\x31\x01\x00\x00\x8b"
78 | "\x0e\x85\xc9\x75\x03\x8b\x4e\x10\x44\x8b\x7e\x10\x44\x8b\xf1\x4c\x03\xf3\x4c\x03\xfb\xeb\x30\x48\xb9\x00\x00\x00\x00\x00"
79 | "\x00\x00\x80\x48\x85\xc1\x74\x05\x0f\xb7\xd0\xeb\x07\x48\x8d\x53\x02\x48\x03\xd0\x48\x8b\xcd\x41\xff\x55\x00\x49\x83\xc6"
80 | "\x08\x49\x89\x07\x49\x83\xc7\x08\x45\x33\xdb\x49\x8b\x06\x48\x85\xc0\x75\xc8\x8b\x46\x20\x48\x83\xc6\x14\x85\xc0\x75\x8d"
81 | "\x4c\x8b\x7c\x24\x68\x8b\x87\xd0\x00\x00\x00\x85\xc0\x74\x39\x48\x8b\x6c\x18\x18\xbe\x07\x00\x00\x00\x4d\x8b\xf3\x48\x2b"
82 | "\xf5\x48\xc1\xee\x03\x48\x85\xed\x49\x0f\x45\xf3\x48\x85\xf6\x74\x19\x45\x33\xc0\x48\x8b\xcb\x41\x8d\x50\x01\xff\x55\x00"
83 | "\x49\xff\xc6\x48\x8d\x6d\x08\x4c\x3b\xf6\x75\xe7\x8b\x47\x28\x48\x03\xc3\x74\x0d\x4d\x8b\xc4\xba\x01\x00\x00\x00\x48\x8b"
84 | "\xcb\xff\xd0\x33\xc0\x4d\x85\xff\x0f\x84\xae\x00\x00\x00\x4c\x8b\x74\x24\x70\x4d\x85\xf6\x0f\x84\xa0\x00\x00\x00\x8b\x8f"
85 | "\x88\x00\x00\x00\x49\x89\x06\x85\xc9\x0f\x84\x8f\x00\x00\x00\x39\x87\x8c\x00\x00\x00\x0f\x84\x83\x00\x00\x00\x48\x8d\x3c"
86 | "\x0b\x39\x47\x18\x74\x7a\x44\x8b\x67\x20\x8b\x6f\x1c\x44\x8b\x7f\x24\x4c\x03\xe3\x48\x03\xeb\x4c\x03\xfb\x8b\xf0\x39\x47"
87 | "\x14\x76\x5f\x48\x8b\x54\x24\x68\x8b\xc6\x41\x8b\x0c\x84\x48\x03\xcb\x41\xff\x55\x20\x85\xc0\x74\x38\xff\xc6\x3b\x77\x14"
88 | "\x72\xe3\xeb\x40\x8b\x57\x50\x41\xb8\x00\x40\x00\x00\x48\x8b\xcb\x41\xff\x55\x18\x33\xc0\x48\x8b\x5c\x24\x50\x48\x8b\x6c"
89 | "\x24\x58\x48\x8b\x74\x24\x60\x48\x83\xc4\x20\x41\x5f\x41\x5e\x41\x5d\x41\x5c\x5f\xc3\x8b\xc6\x41\x0f\xb7\x0c\x47\x8b\x44"
90 | "\x8d\x00\x48\x03\xc3\x49\x89\x06\xb8\x01\x00\x00\x00\xeb\xcb\xcc\x48\x89\x5c\x24\x18\x48\x89\x74\x24\x20\x55\x57\x41\x54"
91 | "\x41\x56\x41\x57\x48\x8b\xec\x48\x83\xec\x70\x65\x48\x8b\x04\x25\x60\x00\x00\x00\x48\x8b\x48\x18\x48\x8b\x51\x20\xeb\x4e"
92 | "\x0f\xb7\x42\x48\x4c\x8b\x42\x50\x33\xc9\xd1\xe8\x85\xc0\x7e\x2b\x44\x8b\xc8\x41\x0f\xb7\x00\x4d\x8d\x40\x02\x66\x83\xf8"
93 | "\x61\x72\x0a\x41\xba\xe0\xff\x00\x00\x66\x41\x03\xc2\x69\xc9\x83\x00\x00\x00\x0f\xb7\xc0\x03\xc8\x49\xff\xc9\x75\xd8\x0f"
94 | "\xba\xf1\x1f\x81\xf9\xe6\x9c\xca\x1c\x0f\x84\xf9\x00\x00\x00\x48\x8b\x12\x48\x85\xd2\x75\xad\x33\xf6\x45\x33\xc0\xba\x54"
95 | "\xb8\xb9\x1a\x48\x8b\xce\xe8\x2f\xfb\xff\xff\xba\x78\x1f\x20\x7f\x48\x8b\xce\x4c\x8b\xc0\x48\x8b\xf8\x48\x89\x45\xc0\xe8"
96 | "\x18\xfb\xff\xff\x4c\x8b\xc7\xba\x62\x34\x89\x5e\x48\x8b\xce\x48\x8b\xd8\x48\x89\x45\xc8\xe8\x01\xfb\xff\xff\x4c\x8b\xc7"
97 | "\xba\x73\x80\x48\x06\x48\x8b\xce\x4c\x8b\xf0\x48\x89\x45\xd0\xe8\xea\xfa\xff\xff\x4c\x8b\xc7\xba\xa5\xf2\x5c\x70\x48\x8b"
98 | "\xce\x4c\x8b\xf8\x48\x89\x45\xd8\xe8\xd3\xfa\xff\xff\x48\x8d\x4d\x30\xc7\x45\x30\x6e\x74\x64\x6c\x48\x89\x45\xe0\x66\xc7"
99 | "\x45\x34\x6c\x00\xff\xd3\x4c\x8b\xc7\xba\xcb\x79\xb5\x0d\x48\x8b\xc8\x48\x8b\xd8\xe8\xa9\xfa\xff\xff\x4c\x8b\xc7\xba\xc0"
100 | "\xe9\x18\x15\x48\x8b\xcb\x48\x89\x45\xe8\xe8\x95\xfa\xff\xff\x48\x83\x65\x38\x00\x48\x8d\x1d\xdd\x00\x00\x00\x8b\x7b\x0d"
101 | "\x33\xf6\x48\x89\x45\xf0\x48\x03\xfb\x39\x73\x01\x74\x53\x44\x8b\x63\x01\x8b\x53\x05\x44\x8d\x4e\x04\x33\xc9\x41\xb8\x00"
102 | "\x10\x00\x00\x4c\x03\xe3\x41\xff\xd6\x4c\x8b\xf0\x48\x85\xc0\x75\x10\x33\xc0\xe9\x8b\x00\x00\x00\x48\x8b\x72\x20\xe9\x08"
103 | "\xff\xff\xff\x44\x8b\x4b\x05\x8b\x53\x09\x4c\x8b\xc0\x48\x8b\xcf\x41\xff\xd4\x83\xf8\xff\x74\x20\x3b\x43\x05\x75\x1b\x49"
104 | "\x8b\xfe\xbe\x01\x00\x00\x00\x80\x3b\x00\x75\x1f\x48\x85\xff\x74\x3f\x4c\x8d\x43\x11\x45\x33\xc9\xeb\x1d\x8b\x53\x05\x41"
105 | "\xb8\x00\x40\x00\x00\x49\x8b\xce\x41\xff\xd7\xeb\xaa\x48\x85\xff\x74\x20\x4c\x8d\x4b\x11\x45\x33\xc0\x48\x8d\x45\x38\x48"
106 | "\x8d\x4d\xc0\x48\x8b\xd7\x48\x89\x44\x24\x20\xe8\xb4\xfa\xff\xff\x4c\x8b\x7d\xd8\x85\xf6\x74\x0f\x8b\x53\x05\x41\xb8\x00"
107 | "\x40\x00\x00\x48\x8b\xcf\x41\xff\xd7\x48\x8b\x45\x38\x4c\x8d\x5c\x24\x70\x49\x8b\x5b\x40\x49\x8b\x73\x48\x49\x8b\xe3\x41"
108 | "\x5f\x41\x5e\x41\x5c\x5f\x5d\xc3"
109 | };
110 |
111 | char shellcode_aplib_x86[504] = {
112 | "\x55\x8b\xec\x51\xff\x75\x10\x8b\x4d\x08\xe8\x5b\x00\x00\x00\x59\x59\x5d\xc3\x56\x8b\xf1\x8b\x56\x0c\x8d\x42\xff\x89\x46"
113 | "\x0c\x85\xd2\x75\x14\x8b\x16\xc7\x46\x0c\x07\x00\x00\x00\x0f\xb6\x02\x89\x46\x08\x8d\x42\x01\x89\x06\x8b\x4e\x08\x8b\xc1"
114 | "\x03\xc9\xc1\xe8\x07\x89\x4e\x08\x83\xe0\x01\x5e\xc3\x56\x33\xf6\x57\x8b\xf9\x46\x8b\xcf\xe8\xbc\xff\xff\xff\x8b\xcf\x8d"
115 | "\x34\x70\xe8\xb2\xff\xff\xff\x85\xc0\x75\xeb\x5f\x8b\xc6\x5e\xc3\x55\x8b\xec\x83\xe4\xf8\x83\xec\x14\x8b\x55\x08\x8a\x01"
116 | "\x83\x64\x24\x10\x00\x53\x56\x88\x02\x83\xce\xff\x8d\x42\x01\x57\x33\xff\x89\x44\x24\x14\x33\xdb\x8d\x41\x01\x89\x5c\x24"
117 | "\x0c\x89\x44\x24\x10\x8d\x4c\x24\x10\xe8\x6f\xff\xff\xff\x85\xc0\x0f\x84\x20\x01\x00\x00\x8d\x4c\x24\x10\xe8\x5e\xff\xff"
118 | "\xff\x8d\x4c\x24\x10\x85\xc0\x74\x7e\xe8\x51\xff\xff\xff\x85\xc0\x74\x33\x6a\x04\x33\xff\x5b\x8d\x4c\x24\x10\xe8\x3f\xff"
119 | "\xff\xff\x8d\x3c\x78\x4b\x75\xf1\x8b\x54\x24\x14\x85\xff\x74\x0a\x8b\xc2\x2b\xc7\x8a\x00\x88\x02\xeb\x03\xc6\x02\x00\x8b"
120 | "\x5c\x24\x0c\x42\xe9\xe5\x00\x00\x00\x8b\x44\x24\x10\x8b\x54\x24\x14\x0f\xb6\x30\x40\x8b\xce\x89\x44\x24\x10\x83\xe1\x01"
121 | "\x83\xc1\x02\xd1\xee\x74\x1a\x85\xc9\x0f\x84\xaa\x00\x00\x00\x8b\xfa\x2b\xfe\x8a\x07\x88\x02\x42\x47\x49\x75\xf7\xe9\x94"
122 | "\x00\x00\x00\x33\xdb\x43\x89\x5c\x24\x0c\xe9\x8c\x00\x00\x00\xe8\x09\xff\xff\xff\x85\xff\x75\x2c\x83\xf8\x02\x75\x22\x8d"
123 | "\x4c\x24\x10\xe8\xf7\xfe\xff\xff\x8b\x54\x24\x14\x8b\xf8\x85\xff\x74\x6b\x8b\xca\x2b\xce\x8a\x01\x88\x02\x42\x41\x4f\x75"
124 | "\xf7\xeb\x58\x83\xe8\x03\xeb\x03\x83\xe8\x02\x8b\x4c\x24\x10\x8b\xf0\xc1\xe6\x08\x0f\xb6\x01\x03\xf0\x41\x89\x4c\x24\x10"
125 | "\x8d\x4c\x24\x10\xe8\xba\xfe\xff\xff\x8b\xc8\x81\xfe\x00\x7d\x00\x00\x72\x01\x41\x81\xfe\x00\x05\x00\x00\x72\x01\x41\x81"
126 | "\xfe\x80\x00\x00\x00\x73\x03\x83\xc1\x02\x8b\x54\x24\x14\x85\xc9\x74\x11\x8b\xfa\x2b\xfe\x8a\x07\x88\x02\x42\x47\x49\x75"
127 | "\xf7\x89\x54\x24\x14\x33\xff\x47\xeb\x18\x8b\x4c\x24\x10\x8b\x54\x24\x14\x8a\x01\x88\x02\x42\x41\x89\x4c\x24\x10\x33\xff"
128 | "\x89\x54\x24\x14\x85\xdb\x0f\x84\xaf\xfe\xff\xff\x2b\x55\x08\x5f\x5e\x8b\xc2\x5b\x8b\xe5\x5d\xc3"
129 | };
130 |
131 | char shellcode_aplib_x64[632] = {
132 | "\xe9\x3f\x00\x00\x00\xcc\xcc\xcc\x8b\x51\x14\x4c\x8b\xc1\x8d\x42\xff\x89\x41\x14\x85\xd2\x75\x17\x48\x8b\x11\xc7\x41\x14"
133 | "\x07\x00\x00\x00\x0f\xb6\x02\x89\x41\x10\x48\x8d\x42\x01\x48\x89\x01\x8b\x49\x10\x8b\xc1\x03\xc9\xc1\xe8\x07\x41\x89\x48"
134 | "\x10\x83\xe0\x01\xc3\xcc\xcc\xcc\x48\x8b\xc4\x48\x89\x58\x08\x48\x89\x70\x10\x48\x89\x78\x18\x4c\x89\x70\x20\x55\x48\x8b"
135 | "\xec\x48\x83\xec\x40\x8a\x01\x83\x65\xf4\x00\x41\x83\xce\xff\x41\x88\x00\x49\x8d\x40\x01\x45\x33\xdb\x48\x89\x45\xe8\x48"
136 | "\x8d\x41\x01\x33\xff\x49\x8b\xd8\x45\x8b\xd6\x48\x89\x45\xe0\x8d\x77\x01\x48\x8d\x4d\xe0\xe8\x75\xff\xff\xff\x85\xc0\x0f"
137 | "\x84\x96\x01\x00\x00\x48\x8d\x4d\xe0\xe8\x64\xff\xff\xff\x85\xc0\x0f\x84\x94\x00\x00\x00\x48\x8d\x4d\xe0\xe8\x53\xff\xff"
138 | "\xff\x85\xc0\x74\x3e\x45\x33\xc9\x45\x8d\x59\x04\x48\x8d\x4d\xe0\xe8\x3f\xff\xff\xff\x46\x8d\x0c\x48\x44\x2b\xde\x75\xee"
139 | "\x4c\x8b\x45\xe8\x45\x85\xc9\x74\x13\x41\x8b\xc9\x49\x8b\xc0\x48\x2b\xc1\x8a\x00\x41\x88\x00\xe9\x57\x01\x00\x00\x41\xc6"
140 | "\x00\x00\xe9\x4e\x01\x00\x00\x48\x8b\x45\xe0\x4c\x8b\x45\xe8\x44\x0f\xb6\x10\x48\x03\xc6\x41\x8b\xca\x48\x89\x45\xe0\x23"
141 | "\xce\x83\xc1\x02\x41\xd1\xea\x74\x22\x85\xc9\x0f\x84\x0d\x01\x00\x00\x41\x8b\xd2\x48\xf7\xda\x42\x8a\x04\x02\x41\x88\x00"
142 | "\x4c\x03\xc6\x41\x03\xce\x75\xf1\xe9\xef\x00\x00\x00\x8b\xfe\xe9\xec\x00\x00\x00\x44\x8b\xce\x48\x8d\x4d\xe0\xe8\xbc\xfe"
143 | "\xff\xff\x48\x8d\x4d\xe0\x46\x8d\x0c\x48\xe8\xaf\xfe\xff\xff\x85\xc0\x75\xe6\x45\x85\xdb\x75\x4d\x41\x83\xf9\x02\x75\x41"
144 | "\x44\x8b\xce\x48\x8d\x4d\xe0\xe8\x94\xfe\xff\xff\x48\x8d\x4d\xe0\x46\x8d\x0c\x48\xe8\x87\xfe\xff\xff\x85\xc0\x75\xe6\x4c"
145 | "\x8b\x45\xe8\x45\x85\xc9\x0f\x84\x9a\x00\x00\x00\x41\x8b\xca\x48\xf7\xd9\x42\x8a\x04\x01\x41\x88\x00\x4c\x03\xc6\x45\x03"
146 | "\xce\x75\xf1\xeb\x7f\x45\x8d\x51\xfd\xeb\x04\x45\x8d\x51\xfe\x48\x8b\x4d\xe0\x41\xc1\xe2\x08\x44\x8b\xce\x0f\xb6\x01\x44"
147 | "\x03\xd0\x48\x03\xce\x48\x89\x4d\xe0\x48\x8d\x4d\xe0\xe8\x34\xfe\xff\xff\x48\x8d\x4d\xe0\x46\x8d\x0c\x48\xe8\x27\xfe\xff"
148 | "\xff\x85\xc0\x75\xe6\x41\x81\xfa\x00\x7d\x00\x00\x72\x03\x41\xff\xc1\x41\x81\xfa\x00\x05\x00\x00\x72\x03\x44\x03\xce\x41"
149 | "\x81\xfa\x80\x00\x00\x00\x73\x04\x41\x83\xc1\x02\x4c\x8b\x45\xe8\x45\x85\xc9\x74\x19\x41\x8b\xca\x48\xf7\xd9\x42\x8a\x04"
150 | "\x01\x41\x88\x00\x4c\x03\xc6\x45\x03\xce\x75\xf1\x4c\x89\x45\xe8\x44\x8b\xde\xeb\x1e\x48\x8b\x55\xe0\x4c\x8b\x45\xe8\x8a"
151 | "\x0a\x48\x03\xd6\x41\x88\x08\x48\x89\x55\xe0\x4c\x03\xc6\x45\x33\xdb\x4c\x89\x45\xe8\x85\xff\x0f\x84\x33\xfe\xff\xff\x48"
152 | "\x8b\x74\x24\x58\x48\x8b\x7c\x24\x60\x4c\x8b\x74\x24\x68\x4c\x2b\xc3\x48\x8b\x5c\x24\x50\x41\x8b\xc0\x48\x83\xc4\x40\x5d"
153 | "\xc3\xcc"
154 | };
155 |
156 | char shellcode_ntdll_x86[404] = {
157 | "\x55\x8b\xec\x83\xec\x10\x56\x8d\x4d\xf0\xe8\x2c\x00\x00\x00\x8b\x75\x14\x8d\x45\xfc\x50\xff\x75\x0c\xff\x75\x08\x56\xff"
158 | "\x75\x10\x68\x02\x01\x00\x00\xff\x55\xf8\x85\xc0\x78\x05\x39\x75\xfc\x74\x03\x83\xce\xff\x8b\xc6\x5e\x8b\xe5\x5d\xc3\x55"
159 | "\x8b\xec\x51\x51\x64\xa1\x30\x00\x00\x00\x53\x56\x57\x8b\x40\x0c\x8b\xd9\x8b\x50\x14\xeb\x3d\x0f\xb7\x72\x24\x33\xc9\x8b"
160 | "\x7a\x28\xd1\xee\x85\xf6\x7e\x1e\x0f\xb7\x07\x8d\x7f\x02\x83\xf8\x61\x72\x05\x05\xe0\xff\x00\x00\x69\xc9\x83\x00\x00\x00"
161 | "\x0f\xb7\xc0\x03\xc8\x4e\x75\xe2\x81\xe1\xff\xff\xff\x7f\x81\xf9\xe6\x9c\xca\x1c\x74\x56\x8b\x12\x85\xd2\x75\xbf\x33\xf6"
162 | "\x6a\x00\xba\x54\xb8\xb9\x1a\x8b\xce\xe8\x45\x00\x00\x00\x50\xba\x78\x1f\x20\x7f\x89\x03\x8b\xce\xe8\x36\x00\x00\x00\x59"
163 | "\x59\x8d\x4d\xf8\x89\x43\x04\x51\xc7\x45\xf8\x6e\x74\x64\x6c\x66\xc7\x45\xfc\x6c\x00\xff\xd0\xff\x33\xba\x65\x62\x10\x4b"
164 | "\x8b\xc8\xe8\x10\x00\x00\x00\x59\x5f\x5e\x89\x43\x08\x5b\x8b\xe5\x5d\xc3\x8b\x72\x10\xeb\xad\x55\x8b\xec\x83\xec\x18\x53"
165 | "\x56\x8b\x71\x3c\x57\x89\x55\xf4\x8b\x44\x0e\x78\x85\xc0\x74\x6d\x83\x7c\x0e\x7c\x00\x74\x66\x8b\x5c\x08\x18\x89\x5d\xf8"
166 | "\x85\xdb\x74\x5b\x8b\x54\x08\x1c\x8b\x74\x08\x20\x03\xd1\x8b\x44\x08\x24\x03\xf1\x89\x55\xe8\x03\xc1\x33\xd2\x89\x75\xf0"
167 | "\x89\x45\xec\x85\xdb\x74\x3a\x8b\x3c\x96\x33\xf6\x03\xf9\x89\x7d\xfc\x8a\x07\x84\xc0\x74\x17\x8b\xdf\x69\xf6\x83\x00\x00"
168 | "\x00\x0f\xbe\xc0\x03\xf0\x43\x8a\x03\x84\xc0\x75\xee\x8b\x5d\xf8\x81\xe6\xff\xff\xff\x7f\x3b\x75\xf4\x74\x11\x8b\x75\xf0"
169 | "\x42\x3b\xd3\x72\xc6\x33\xc0\x5f\x5e\x5b\x8b\xe5\x5d\xc3\x83\x7d\x08\x00\x75\x11\x8b\x45\xec\x0f\xb7\x04\x50\x8b\x55\xe8"
170 | "\x8b\x04\x82\x03\xc1\xeb\xe2\x57\x51\xff\x55\x08\xeb\xdb"
171 | };
172 |
173 | char shellcode_ntdll_x64[508] = {
174 | "\x48\x89\x5c\x24\x08\x48\x89\x6c\x24\x10\x48\x89\x74\x24\x18\x57\x41\x56\x41\x57\x48\x83\xec\x40\x65\x48\x8b\x04\x25\x60"
175 | "\x00\x00\x00\x41\x8b\xf9\x49\x8b\xe8\x4c\x8b\x48\x18\x44\x8b\xf2\x4c\x8b\xf9\x4d\x8b\x51\x20\xeb\x51\x41\x0f\xb7\x42\x48"
176 | "\x4d\x8b\x5a\x50\x45\x33\xc9\xd1\xe8\x85\xc0\x7e\x2a\x8b\xc8\x41\x0f\xb7\x03\x4d\x8d\x5b\x02\x66\x83\xf8\x61\x72\x08\xba"
177 | "\xe0\xff\x00\x00\x66\x03\xc2\x45\x69\xc9\x83\x00\x00\x00\x0f\xb7\xc0\x44\x03\xc8\x48\xff\xc9\x75\xd8\x41\x0f\xba\xf1\x1f"
178 | "\x41\x81\xf9\xe6\x9c\xca\x1c\x0f\x84\x9a\x00\x00\x00\x4d\x8b\x12\x4d\x85\xd2\x75\xaa\x33\xf6\x45\x33\xc0\xba\x54\xb8\xb9"
179 | "\x1a\x48\x8b\xce\xe8\x89\x00\x00\x00\xba\x78\x1f\x20\x7f\x48\x8b\xce\x4c\x8b\xc0\x48\x8b\xd8\xe8\x76\x00\x00\x00\x48\x8d"
180 | "\x4c\x24\x34\xc7\x44\x24\x34\x6e\x74\x64\x6c\x66\xc7\x44\x24\x38\x6c\x00\xff\xd0\x4c\x8b\xc3\x48\x8b\xc8\xba\x65\x62\x10"
181 | "\x4b\xe8\x50\x00\x00\x00\x48\x8d\x54\x24\x30\xb9\x02\x01\x00\x00\x48\x89\x54\x24\x28\x4d\x8b\xcf\x44\x8b\xc7\x48\x8b\xd5"
182 | "\x44\x89\x74\x24\x20\xff\xd0\x85\xc0\x78\x06\x39\x7c\x24\x30\x74\x03\x83\xcf\xff\x48\x8b\x5c\x24\x60\x48\x8b\x6c\x24\x68"
183 | "\x48\x8b\x74\x24\x70\x8b\xc7\x48\x83\xc4\x40\x41\x5f\x41\x5e\x5f\xc3\x49\x8b\x72\x20\xe9\x67\xff\xff\xff\x48\x8b\xc4\x48"
184 | "\x89\x58\x08\x48\x89\x68\x10\x48\x89\x70\x18\x48\x89\x78\x20\x41\x56\x48\x83\xec\x20\x48\x63\x41\x3c\x4c\x8b\xc9\x49\x8b"
185 | "\xd8\x8b\x8c\x08\x88\x00\x00\x00\x8b\xea\x85\xc9\x74\x6a\x42\x83\xbc\x08\x8c\x00\x00\x00\x00\x74\x5f\x49\x8d\x04\x09\x44"
186 | "\x8b\x58\x18\x45\x85\xdb\x74\x52\x44\x8b\x40\x20\x8b\x78\x1c\x8b\x70\x24\x4d\x03\xc1\x49\x03\xf9\x49\x03\xf1\x33\xd2\x45"
187 | "\x85\xdb\x74\x38\x45\x8b\x10\x4d\x03\xd1\x33\xc9\x41\x8a\x02\x4d\x8b\xf2\xeb\x11\x69\xc9\x83\x00\x00\x00\x0f\xbe\xc0\x03"
188 | "\xc8\x49\xff\xc6\x41\x8a\x06\x84\xc0\x75\xeb\x0f\xba\xf1\x1f\x3b\xcd\x74\x28\xff\xc2\x49\x83\xc0\x04\x41\x3b\xd3\x72\xc8"
189 | "\x33\xc0\x48\x8b\x5c\x24\x30\x48\x8b\x6c\x24\x38\x48\x8b\x74\x24\x40\x48\x8b\x7c\x24\x48\x48\x83\xc4\x20\x41\x5e\xc3\x48"
190 | "\x85\xdb\x75\x0c\x0f\xb7\x0c\x56\x8b\x04\x8f\x49\x03\xc1\xeb\xd4\x49\x8b\xd2\x49\x8b\xc9\xff\xd3\xeb\xca\xcc\xcc"
191 | };
192 |
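/*
 * Returns the embedded "main" shellcode stub for the requested bitness.
 *
 * is_x64: 0 selects shellcode_main_x86; any other value selects shellcode_main_x64.
 * osize:  receives sizeof() of the selected array (the whole array, not a
 *         computed code length); ignored when NULL.
 * Returns a pointer to the static array itself, not a copy. The header marks
 * the result "can't modify return pointer": writing through it alters what
 * every later caller receives.
 *
 * Fixes vs. the original: the trailing `;` after the function body (a stray
 * empty declaration) is gone, and osize is no longer dereferenced blindly.
 */
void *get_shellcode_main(int is_x64, int *osize) {
    void *code;
    int size;
    if (is_x64 == 0) {
        code = (void *)shellcode_main_x86;
        size = (int)sizeof(shellcode_main_x86);
    } else {
        code = (void *)shellcode_main_x64;
        size = (int)sizeof(shellcode_main_x64);
    }
    if (osize != 0) *osize = size;
    return code;
}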
201 |
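/*
 * Returns the embedded aPLib-decompressor shellcode stub for the requested bitness.
 *
 * is_x64: 0 selects shellcode_aplib_x86; any other value selects shellcode_aplib_x64.
 * osize:  receives sizeof() of the selected array (the whole array, not a
 *         computed code length); ignored when NULL.
 * Returns a pointer to the static array itself, not a copy; per the header
 * ("can't modify return pointer") callers must treat it as read-only.
 *
 * Fixes vs. the original: the trailing `;` after the function body (a stray
 * empty declaration) is gone, and osize is no longer dereferenced blindly.
 */
void *get_shellcode_aplib(int is_x64, int *osize) {
    void *code;
    int size;
    if (is_x64 == 0) {
        code = (void *)shellcode_aplib_x86;
        size = (int)sizeof(shellcode_aplib_x86);
    } else {
        code = (void *)shellcode_aplib_x64;
        size = (int)sizeof(shellcode_aplib_x64);
    }
    if (osize != 0) *osize = size;
    return code;
}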
210 |
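/*
 * Returns the embedded ntdll-decompressor shellcode stub for the requested bitness.
 *
 * is_x64: 0 selects shellcode_ntdll_x86; any other value selects shellcode_ntdll_x64.
 * osize:  receives sizeof() of the selected array (the whole array, not a
 *         computed code length); ignored when NULL.
 * Returns a pointer to the static array itself, not a copy; per the header
 * ("can't modify return pointer") callers must treat it as read-only.
 *
 * Fixes vs. the original: the trailing `;` after the function body (a stray
 * empty declaration) is gone, and osize is no longer dereferenced blindly.
 */
void *get_shellcode_ntdll(int is_x64, int *osize) {
    void *code;
    int size;
    if (is_x64 == 0) {
        code = (void *)shellcode_ntdll_x86;
        size = (int)sizeof(shellcode_ntdll_x86);
    } else {
        code = (void *)shellcode_ntdll_x64;
        size = (int)sizeof(shellcode_ntdll_x64);
    }
    if (osize != 0) *osize = size;
    return code;
}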
--------------------------------------------------------------------------------
/DllToShellCode/shellcode_data.h:
--------------------------------------------------------------------------------
1 | #ifndef SHELLCODE_DATA_H
2 | #define SHELLCODE_DATA_H
3 |
4 | #ifdef __cplusplus
5 | extern "C" {
6 | #endif // __cplusplus
7 | // the buffer the returned pointer refers to must not be modified
8 | void *get_shellcode_main(int is_x64, int *osize);
9 | void *get_shellcode_aplib(int is_x64, int *osize);
10 | void *get_shellcode_ntdll(int is_x64, int *osize);
11 | #ifdef __cplusplus
12 | }
13 | #endif // __cplusplus
14 |
15 | #endif // SHELLCODE_DATA_H
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # DllToShellCode
2 | Fast conversion of a Windows Dynamic Link Library (DLL) to shellcode
3 | ## Features
4 | * Supports 32-bit and 64-bit
5 | * Supports compression (using the ntdll RtlCompressBuffer function or aplib)
6 | * Supports two modes
7 | * Directly invoke DllMain (the shellcode argument is passed as lpReserved), for when you do not need the DLL's internal functions
8 | * Invoking the shellcode returns the address of an exported function, so it can be used anywhere
9 | ## OverView
10 | >Little assembly is used; almost all of the code is written in C (assembly appears only in the 32-bit self-delta computation)
11 | >Developed with Visual Studio 2013
12 |
13 | ## Usage
14 | BinToHex: DllToShellCode b
15 | Compress File: DllToShellCode c mode
16 | Dll To ShellCode: DllToShellCode d shellcode_mode compress_mode
17 | Compress File mode
18 | 0 = compress with ntdll
19 | 1 = compress with aplib
20 | DllToShellCode shellcode_mode
21 | 0 = only call DllMain; the shellcode argument is DllMain's lpReserved parameter
22 | 1 = return the export address; the shellcode argument is the export name
23 | DllToShellCode compress_mode
24 | 0 = no compress
25 | 1 = compress with ntdll
26 | 2 = compress with aplib
27 |
--------------------------------------------------------------------------------
/ShellCode_Aplib/ReadMe.txt:
--------------------------------------------------------------------------------
1 | ========================================================================
2 | 控制台应用程序:ShellCode_Aplib 项目概述
3 | ========================================================================
4 |
5 | 应用程序向导已为您创建了此 ShellCode_Aplib 应用程序。
6 |
7 | 本文件概要介绍组成 ShellCode_Aplib 应用程序的每个文件的内容。
8 |
9 |
10 | ShellCode_Aplib.vcxproj
11 | 这是使用应用程序向导生成的 VC++ 项目的主项目文件,其中包含生成该文件的 Visual C++ 的版本信息,以及有关使用应用程序向导选择的平台、配置和项目功能的信息。
12 |
13 | ShellCode_Aplib.vcxproj.filters
14 | 这是使用“应用程序向导”生成的 VC++ 项目筛选器文件。它包含有关项目文件与筛选器之间的关联信息。在 IDE 中,通过这种关联,在特定节点下以分组形式显示具有相似扩展名的文件。例如,“.cpp”文件与“源文件”筛选器关联。
15 |
16 | ShellCode_Aplib.cpp
17 | 这是主应用程序源文件。
18 |
19 | /////////////////////////////////////////////////////////////////////////////
20 | 其他标准文件:
21 |
22 | StdAfx.h, StdAfx.cpp
23 | 这些文件用于生成名为 ShellCode_Aplib.pch 的预编译头 (PCH) 文件和名为 StdAfx.obj 的预编译类型文件。
24 |
25 | /////////////////////////////////////////////////////////////////////////////
26 | 其他注释:
27 |
28 | 应用程序向导使用“TODO:”注释来指示应添加或自定义的源代码部分。
29 |
30 | /////////////////////////////////////////////////////////////////////////////
31 |
--------------------------------------------------------------------------------
/ShellCode_Aplib/ShellCode_Aplib.c:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/killeven/DllToShellCode/e9490e1f187efce92107582e56633247a28d25f4/ShellCode_Aplib/ShellCode_Aplib.c
--------------------------------------------------------------------------------
/ShellCode_Aplib/ShellCode_Aplib.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Debug
10 | x64
11 |
12 |
13 | Release
14 | Win32
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | {659AA5AB-887E-4F13-B85F-DE6017E9F0AC}
23 | Win32Proj
24 | ShellCode_Aplib
25 |
26 |
27 |
28 | Application
29 | true
30 | v120
31 | Unicode
32 |
33 |
34 | Application
35 | true
36 | v120
37 | Unicode
38 |
39 |
40 | Application
41 | false
42 | v120
43 | true
44 | Unicode
45 |
46 |
47 | Application
48 | false
49 | v120
50 | true
51 | Unicode
52 |
53 |
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 | true
71 |
72 |
73 | true
74 |
75 |
76 | false
77 |
78 |
79 | false
80 |
81 |
82 |
83 | Use
84 | Level3
85 | Disabled
86 | WIN32;_DEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions)
87 | true
88 |
89 |
90 | Console
91 | true
92 |
93 |
94 |
95 |
96 | Use
97 | Level3
98 | Disabled
99 | WIN32;_DEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions)
100 | true
101 |
102 |
103 | Console
104 | true
105 |
106 |
107 |
108 |
109 | Level3
110 | NotUsing
111 | MinSpace
112 | true
113 | true
114 | WIN32;NDEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions)
115 | true
116 | false
117 | false
118 |
119 |
120 | Console
121 | true
122 | true
123 | true
124 | true
125 |
126 |
127 |
128 |
129 | Level3
130 | NotUsing
131 | MinSpace
132 | true
133 | true
134 | WIN32;NDEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions)
135 | true
136 | false
137 | false
138 |
139 |
140 | Console
141 | true
142 | true
143 | true
144 | true
145 |
146 |
147 |
148 |
149 |
150 |
151 |
152 |
153 |
154 |
155 |
156 |
157 |
--------------------------------------------------------------------------------
/ShellCode_Aplib/ShellCode_Aplib.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 |
23 | 源文件
24 |
25 |
26 |
--------------------------------------------------------------------------------
/ShellCode_Aplib/ShellCode_Aplib.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/ShellCode_Aplib/order.txt:
--------------------------------------------------------------------------------
1 | aplib_entry
2 | aP_getbit
3 | aP_getgamma
4 | aplib_main
5 | aplib_end
--------------------------------------------------------------------------------
/ShellCode_Main/ReadMe.txt:
--------------------------------------------------------------------------------
1 | ========================================================================
2 | 控制台应用程序:ShellCode_Main 项目概述
3 | ========================================================================
4 |
5 | 应用程序向导已为您创建了此 ShellCode_Main 应用程序。
6 |
7 | 本文件概要介绍组成 ShellCode_Main 应用程序的每个文件的内容。
8 |
9 |
10 | ShellCode_Main.vcxproj
11 | 这是使用应用程序向导生成的 VC++ 项目的主项目文件,其中包含生成该文件的 Visual C++ 的版本信息,以及有关使用应用程序向导选择的平台、配置和项目功能的信息。
12 |
13 | ShellCode_Main.vcxproj.filters
14 | 这是使用“应用程序向导”生成的 VC++ 项目筛选器文件。它包含有关项目文件与筛选器之间的关联信息。在 IDE 中,通过这种关联,在特定节点下以分组形式显示具有相似扩展名的文件。例如,“.cpp”文件与“源文件”筛选器关联。
15 |
16 | ShellCode_Main.cpp
17 | 这是主应用程序源文件。
18 |
19 | /////////////////////////////////////////////////////////////////////////////
20 | 其他标准文件:
21 |
22 | StdAfx.h, StdAfx.cpp
23 | 这些文件用于生成名为 ShellCode_Main.pch 的预编译头 (PCH) 文件和名为 StdAfx.obj 的预编译类型文件。
24 |
25 | /////////////////////////////////////////////////////////////////////////////
26 | 其他注释:
27 |
28 | 应用程序向导使用“TODO:”注释来指示应添加或自定义的源代码部分。
29 |
30 | /////////////////////////////////////////////////////////////////////////////
31 |
--------------------------------------------------------------------------------
/ShellCode_Main/ShellCode_Main.c:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/killeven/DllToShellCode/e9490e1f187efce92107582e56633247a28d25f4/ShellCode_Main/ShellCode_Main.c
--------------------------------------------------------------------------------
/ShellCode_Main/ShellCode_Main.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Debug
10 | x64
11 |
12 |
13 | Release
14 | Win32
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | {20FB1CAA-A718-478F-8B8D-75110C77B56B}
23 | Win32Proj
24 | ShellCode_Main
25 |
26 |
27 |
28 | Application
29 | true
30 | v120
31 | Unicode
32 |
33 |
34 | Application
35 | true
36 | v120
37 | Unicode
38 |
39 |
40 | Application
41 | false
42 | v120
43 | true
44 | Unicode
45 |
46 |
47 | Application
48 | false
49 | v120
50 | true
51 | Unicode
52 |
53 |
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 | true
71 |
72 |
73 | true
74 |
75 |
76 | false
77 |
78 |
79 | false
80 |
81 |
82 |
83 | Use
84 | Level3
85 | Disabled
86 | WIN32;_DEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions)
87 | true
88 |
89 |
90 | Console
91 | true
92 |
93 |
94 |
95 |
96 | Use
97 | Level3
98 | Disabled
99 | WIN32;_DEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions)
100 | true
101 |
102 |
103 | Console
104 | true
105 |
106 |
107 |
108 |
109 | Level3
110 | NotUsing
111 | MinSpace
112 | true
113 | true
114 | WIN32;NDEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions)
115 | true
116 | false
117 |
118 |
119 | Console
120 | true
121 | true
122 | true
123 | true
124 | order.txt
125 |
126 |
127 |
128 |
129 | Level3
130 | NotUsing
131 | MinSpace
132 | true
133 | true
134 | WIN32;NDEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions)
135 | true
136 | false
137 |
138 |
139 | Console
140 | true
141 | true
142 | true
143 | true
144 | order.txt
145 |
146 |
147 |
148 |
149 |
150 |
151 |
152 |
153 |
154 |
155 |
156 |
157 |
158 |
159 |
160 |
161 |
162 |
--------------------------------------------------------------------------------
/ShellCode_Main/ShellCode_Main.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 |
23 | 头文件
24 |
25 |
26 | 头文件
27 |
28 |
29 |
30 |
31 | 源文件
32 |
33 |
34 | 源文件
35 |
36 |
37 |
--------------------------------------------------------------------------------
/ShellCode_Main/ShellCode_Main.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/ShellCode_Main/order.txt:
--------------------------------------------------------------------------------
1 | main_entry
2 | get_kernel32_base
3 | get_proc_address_from_hash
4 | get_delta
5 | calc_hash
6 | calc_hashW2
7 | init_func
8 | memory_loadlibrary
9 | main_main
10 | main_end
--------------------------------------------------------------------------------
/ShellCode_Main/shellcode_base.c:
--------------------------------------------------------------------------------
1 | #include "shellcode_base.h"
2 |
3 | //===============================================================================================//
// Minimal mirror of the native UNICODE_STRING layout. Both lengths are byte
// counts: get_kernel32_base divides Length by 2 to get a wchar_t count before
// hashing. Only Length and pBuffer are read in this file.
typedef struct _UNICODE_STR {
    USHORT Length;         // bytes in use at pBuffer
    USHORT MaximumLength;  // bytes available at pBuffer (not read here)
    PWSTR pBuffer;
} UNICODE_STR, *PUNICODE_STR;
9 |
// WinDbg> dt -v ntdll!_LDR_DATA_TABLE_ENTRY
//__declspec( align(8) )
// Partial mirror of the loader's per-module entry, deliberately shifted by one
// LIST_ENTRY: its first member is InMemoryOrderModuleList instead of
// InLoadOrderLinks, so get_kernel32_base can cast each link it pulls from
// PEB_LDR_DATA.InMemoryOrderModuleList straight to this type. Only DllBase and
// BaseDllName are read in this file.
typedef struct _LDR_DATA_TABLE_ENTRY {
    // LIST_ENTRY InLoadOrderLinks; // As we search from PPEB_LDR_DATA->InMemoryOrderModuleList we dont use the first
    // entry.
    LIST_ENTRY InMemoryOrderModuleList;
    LIST_ENTRY InInitializationOrderModuleList;
    PVOID DllBase;                 // module base returned by get_kernel32_base
    PVOID EntryPoint;
    ULONG SizeOfImage;
    UNICODE_STR FullDllName;
    UNICODE_STR BaseDllName;       // hashed with calc_hashW2 and compared to Kernel32Lib_Hash
    ULONG Flags;
    SHORT LoadCount;
    SHORT TlsIndex;
    LIST_ENTRY HashTableEntry;
    ULONG TimeDateStamp;
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
28 |
// WinDbg> dt -v ntdll!_PEB_LDR_DATA
// Mirror of the loader data block reached through _PEB.pLdr. The only member
// used in this file is InMemoryOrderModuleList, whose links get_kernel32_base
// walks (each link is cast to LDR_DATA_TABLE_ENTRY).
typedef struct _PEB_LDR_DATA //, 7 elements, 0x28 bytes
{
    DWORD dwLength;
    DWORD dwInitialized;
    LPVOID lpSsHandle;
    LIST_ENTRY InLoadOrderModuleList;
    LIST_ENTRY InMemoryOrderModuleList;           // list head walked by get_kernel32_base
    LIST_ENTRY InInitializationOrderModuleList;
    LPVOID lpEntryInProgress;
} PEB_LDR_DATA, *PPEB_LDR_DATA;
40 |
// WinDbg> dt -v ntdll!_PEB_FREE_BLOCK
// Declared only so that _PEB.pFreeList has a pointee type; nothing in this
// file dereferences it.
typedef struct _PEB_FREE_BLOCK // 2 elements, 0x8 bytes
{
    struct _PEB_FREE_BLOCK *pNext;
    DWORD dwSize;
} PEB_FREE_BLOCK, *PPEB_FREE_BLOCK;
47 |
// struct _PEB is defined in Winternl.h but it is incomplete
// WinDbg> dt -v ntdll!_PEB
// Local mirror of the Process Environment Block. In this file only pLdr is
// dereferenced (by get_kernel32_base). The members declared after it use
// DWORD-sized slots matching the "0x210 bytes" (32-bit) note below;
// NOTE(review): on a 64-bit build treat only the members up to and including
// pLdr as reliable, and confirm the later offsets before reading any of them.
typedef struct __PEB // 65 elements, 0x210 bytes
{
    BYTE bInheritedAddressSpace;
    BYTE bReadImageFileExecOptions;
    BYTE bBeingDebugged;
    BYTE bSpareBool;
    LPVOID lpMutant;
    LPVOID lpImageBaseAddress;
    PPEB_LDR_DATA pLdr;   // loader data; its InMemoryOrderModuleList is walked by get_kernel32_base
    LPVOID lpProcessParameters;
    LPVOID lpSubSystemData;
    LPVOID lpProcessHeap;
    PRTL_CRITICAL_SECTION pFastPebLock;
    LPVOID lpFastPebLockRoutine;
    LPVOID lpFastPebUnlockRoutine;
    DWORD dwEnvironmentUpdateCount;
    LPVOID lpKernelCallbackTable;
    DWORD dwSystemReserved;
    DWORD dwAtlThunkSListPtr32;
    PPEB_FREE_BLOCK pFreeList;
    DWORD dwTlsExpansionCounter;
    LPVOID lpTlsBitmap;
    DWORD dwTlsBitmapBits[2];
    LPVOID lpReadOnlySharedMemoryBase;
    LPVOID lpReadOnlySharedMemoryHeap;
    LPVOID lpReadOnlyStaticServerData;
    LPVOID lpAnsiCodePageData;
    LPVOID lpOemCodePageData;
    LPVOID lpUnicodeCaseTableData;
    DWORD dwNumberOfProcessors;
    DWORD dwNtGlobalFlag;
    LARGE_INTEGER liCriticalSectionTimeout;
    DWORD dwHeapSegmentReserve;
    DWORD dwHeapSegmentCommit;
    DWORD dwHeapDeCommitTotalFreeThreshold;
    DWORD dwHeapDeCommitFreeBlockThreshold;
    DWORD dwNumberOfHeaps;
    DWORD dwMaximumNumberOfHeaps;
    LPVOID lpProcessHeaps;
    LPVOID lpGdiSharedHandleTable;
    LPVOID lpProcessStarterHelper;
    DWORD dwGdiDCAttributeList;
    LPVOID lpLoaderLock;
    DWORD dwOSMajorVersion;
    DWORD dwOSMinorVersion;
    WORD wOSBuildNumber;
    WORD wOSCSDVersion;
    DWORD dwOSPlatformId;
    DWORD dwImageSubsystem;
    DWORD dwImageSubsystemMajorVersion;
    DWORD dwImageSubsystemMinorVersion;
    DWORD dwImageProcessAffinityMask;
    DWORD dwGdiHandleBuffer[34];
    LPVOID lpPostProcessInitRoutine;
    LPVOID lpTlsExpansionBitmap;
    DWORD dwTlsExpansionBitmapBits[32];
    DWORD dwSessionId;
    ULARGE_INTEGER liAppCompatFlags;
    ULARGE_INTEGER liAppCompatFlagsUser;
    LPVOID lppShimData;
    LPVOID lpAppCompatInfo;
    UNICODE_STR usCSDVersion;
    LPVOID lpActivationContextData;
    LPVOID lpProcessAssemblyStorageMap;
    LPVOID lpSystemDefaultActivationContextData;
    LPVOID lpSystemAssemblyStorageMap;
    DWORD dwMinimumStackCommit;
} _PEB, *_PPEB;
118 |
// One base-relocation entry as stored in the PE .reloc block: 12-bit page
// offset plus 4-bit relocation type. Not referenced in the visible part of
// this file; presumably used by memory_loadlibrary (listed in order.txt).
typedef struct {
    WORD offset : 12;
    WORD type : 4;
} IMAGE_RELOC, *PIMAGE_RELOC;
123 |
// cast(t, a): plain C cast of a to type t.
#define cast(t, a) ((t)(a))
// cast_offset(t, p, o): byte-granular pointer arithmetic, (p + o bytes) cast
// to t. Used below to turn PE RVAs (e_lfanew, directory/export RVAs) into
// pointers relative to the module base.
#define cast_offset(t, p, o) ((t)((uint8_t *)(p) + (o)))
126 |
// Relocation delta for 32-bit builds: `call delta` pushes the run-time address
// of the local label, `pop eax` retrieves it, and subtracting the link-time
// `offset delta` leaves the distance the code has been moved from its linked
// address (0 when it runs where it was linked). MSVC x86 inline-asm syntax.
// Under _WIN64 the asm block is compiled out and r stays 0.
// Returns: run-time minus link-time address of `delta`, or 0 on 64-bit.
uint32_t get_delta() {
    uint32_t r = 0;
#ifndef _WIN64
    __asm {
        call delta;
    delta:
        pop eax;
        sub eax, offset delta;
        mov r, eax
    }
#endif
    return r;
}
140 |
// Case-folding BKDR hash over exactly `len` wide characters (no terminator
// check; len <= 0 yields 0). Every code unit >= L'a' is lowered by 0x20 before
// mixing: this maps ASCII lower case to upper case but also alters any code
// unit above L'z'. get_kernel32_base compares the result with Kernel32Lib_Hash
// for each loaded module's BaseDllName, so that constant must have been
// produced with exactly this folding. The result is masked to 31 bits.
uint32_t calc_hashW2(wchar_t *str, int len) {
    const uint32_t seed = 131; // 31 131 1313 13131 131313 etc..
    uint32_t hash = 0;
    const wchar_t *cur = str;
    const wchar_t *end = str + (len > 0 ? len : 0);
    while (cur != end) {
        wchar_t ch = *cur++;
        if (ch >= 'a') ch = ch - 0x20;
        hash = hash * seed + ch;
    }
    return hash & 0x7FFFFFFF;
}
151 |
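// Finds kernel32's base without any import: reads the PEB (gs:0x60 on x64,
// fs:0x30 on x86), follows pLdr to InMemoryOrderModuleList, and hashes each
// entry's BaseDllName with calc_hashW2 until one equals Kernel32Lib_Hash.
// Returns that entry's DllBase, or 0 when no entry matches.
//
// Fix vs. the original: the loop was `while (entry)`. The loader's module
// lists are circular LIST_ENTRY rings whose Flink never becomes NULL, so a
// process with no matching module would spin forever and, on wrap-around,
// cast the list head inside PEB_LDR_DATA as an LDR_DATA_TABLE_ENTRY and read
// garbage. The walk now stops when it returns to the head, and the stray `;`
// after the closing brace is removed.
HMODULE get_kernel32_base() {
    _PPEB peb = 0;
#ifdef _WIN64
    peb = (_PPEB)__readgsqword(0x60); // peb
#else
    peb = (_PPEB)__readfsdword(0x30);
#endif
    if (peb == 0 || peb->pLdr == 0) return 0;
    LIST_ENTRY *head = &peb->pLdr->InMemoryOrderModuleList;
    for (LIST_ENTRY *entry = head->Flink; entry != 0 && entry != head; entry = entry->Flink) {
        // Each link is the InMemoryOrderModuleList member of an entry, and the
        // local LDR_DATA_TABLE_ENTRY starts at that member, so a direct cast works.
        PLDR_DATA_TABLE_ENTRY e = (PLDR_DATA_TABLE_ENTRY)entry;
        if (e->BaseDllName.pBuffer == 0) continue;
        if (calc_hashW2(e->BaseDllName.pBuffer, e->BaseDllName.Length / 2) == Kernel32Lib_Hash) {
            return (HMODULE)e->DllBase;
        }
    }
    return 0;
}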
169 |
// BKDRHash
// Hashes a NUL-terminated byte string as hash = hash * 131 + c per byte in
// wrapping uint32 arithmetic, then masks to 31 bits. Each byte is read as
// `char`, so where char is signed a byte >= 0x80 sign-extends before the add.
// get_proc_address_from_hash applies this to export names and compares the
// result against the *_Hash constants in shellcode_global.h. "" hashes to 0.
uint32_t calc_hash(char *str) {
    uint32_t hash = 0;
    for (char *p = str; *p != '\0'; ++p) {
        hash = hash * 131u + *p;
    }
    return hash & 0x7FFFFFFF;
}
179 |
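// Resolves an export of `module` by the calc_hash() value of its name by
// scanning the export directory's name table.
//
// module:           base address of a mapped PE image.
// func_hash:        calc_hash() of the export name wanted.
// get_proc_address: optional GetProcAddress-style resolver. When non-NULL the
//                   matched name is handed to it instead of reading
//                   AddressOfFunctions directly — presumably so that forwarded
//                   exports (whose RVA points at a forwarder string, not code)
//                   resolve correctly once GetProcAddress itself is known.
// Returns the export's address, or 0 when module is NULL / not a PE image,
// has no export directory or no names, the matched ordinal is out of range,
// or no name hashes to func_hash.
//
// Added vs. the original: NULL-module, MZ/PE signature and ordinal bound
// checks, so a bad or truncated module yields 0 instead of a wild read.
void *get_proc_address_from_hash(HMODULE module, uint32_t func_hash, _GetProcAddress get_proc_address) {
    if (module == 0) return 0;
    PIMAGE_DOS_HEADER dosh = cast(PIMAGE_DOS_HEADER, module);
    if (dosh->e_magic != IMAGE_DOS_SIGNATURE) return 0;
    PIMAGE_NT_HEADERS nth = cast_offset(PIMAGE_NT_HEADERS, module, dosh->e_lfanew);
    if (nth->Signature != IMAGE_NT_SIGNATURE) return 0;
    PIMAGE_DATA_DIRECTORY dataDict = &nth->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
    if (dataDict->VirtualAddress == 0 || dataDict->Size == 0) return 0;
    PIMAGE_EXPORT_DIRECTORY exportDict = cast_offset(PIMAGE_EXPORT_DIRECTORY, module, dataDict->VirtualAddress);
    if (exportDict->NumberOfNames == 0) return 0;
    uint32_t *fn = cast_offset(uint32_t *, module, exportDict->AddressOfNames);          // RVAs of name strings
    uint32_t *fa = cast_offset(uint32_t *, module, exportDict->AddressOfFunctions);      // RVAs of code, indexed by ordinal
    uint16_t *ord = cast_offset(uint16_t *, module, exportDict->AddressOfNameOrdinals);  // name index -> ordinal index
    for (uint32_t i = 0; i < exportDict->NumberOfNames; i++) {
        char *name = cast_offset(char *, module, fn[i]);
        if (calc_hash(name) != func_hash) continue;
        if (get_proc_address != 0) return get_proc_address(module, name);
        if (ord[i] >= exportDict->NumberOfFunctions) return 0;  // malformed export table
        return cast_offset(void *, module, fa[ord[i]]);
    }
    return 0;
}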
--------------------------------------------------------------------------------
/ShellCode_Main/shellcode_base.h:
--------------------------------------------------------------------------------
1 | #ifndef SHELLCODE_BASE_H
2 | #define SHELLCODE_BASE_H
3 | #include "shellcode_global.h"
4 |
5 | #ifdef __cplusplus
6 | extern "C" {
7 | #endif // __cplusplus
8 | uint32_t get_delta();
9 | HMODULE get_kernel32_base();
10 | uint32_t calc_hash(char *str);
11 | void *get_proc_address_from_hash(HMODULE module, uint32_t func_hash, _GetProcAddress get_proc_address);
12 | #ifdef __cplusplus
13 | }
14 | #endif // __cplusplus
15 |
16 | #endif // SHELLCODE_BASE_H
--------------------------------------------------------------------------------
/ShellCode_Main/shellcode_global.h:
--------------------------------------------------------------------------------
1 | #ifndef SHELLCODE_GLOBAL_H
2 | #define SHELLCODE_GLOBAL_H
3 | #include
4 | #include
5 |
// kernel32
// Every *_Hash below is calc_hash() (BKDR, seed 131, masked to 31 bits — see
// shellcode_base.c) of the exact export name; get_proc_address_from_hash
// compares it against each name in the module's export table. The typedef
// beside each hash is the calling signature used once the export is found.
// If calc_hash changes, every constant here must be regenerated.
#define GetProcAddress_Hash 0x1AB9B854
// NOTE(review): declared with a mutable `char *` second argument; the real
// export takes a const string. Harmless for calls — just never write through it.
typedef void* (__stdcall *_GetProcAddress)(HMODULE, char *);

#define LoadLibraryA_Hash 0x7F201F78
typedef HMODULE(__stdcall *_LoadLibraryA)(LPCSTR lpLibFileName);

#define VirtualAlloc_Hash 0x5E893462
typedef LPVOID(__stdcall *_VirtualAlloc)(LPVOID lpAddress, // region to reserve or commit
    SIZE_T dwSize, // size of region
    DWORD flAllocationType, // type of allocation
    DWORD flProtect // type of access protection
    );

#define VirtualFree_Hash 0x6488073
typedef BOOL(__stdcall *_VirtualFree)(LPVOID lpAddress, // address of region
    SIZE_T dwSize, // size of region
    DWORD dwFreeType // operation type
    );

#define lstrcmpiA_Hash 0x705CF2A5
typedef int (__stdcall *_lstrcmpiA)(
    _In_ LPCSTR lpString1,
    _In_ LPCSTR lpString2
    );

// user32
#define MessageBoxA_Hash 0x6DBE321
typedef int(__stdcall *_MessageBoxA)(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType);

// ntdll
// Decompression entry used by the ntdll compress mode (README: "compress with ntdll").
#define RtlDecompressBuffer_Hash 0x4B106265
typedef NTSTATUS(__stdcall *_RtlDecompressBuffer)(
    USHORT CompressionFormat,
    PUCHAR UncompressedBuffer,
    ULONG UncompressedBufferSize,
    PUCHAR CompressedBuffer,
    ULONG CompressedBufferSize,
    PULONG FinalUncompressedSize
    );

#define RtlGetCompressionWorkSpaceSize_Hash 0x8FC8E20
typedef NTSTATUS(__stdcall *_RtlGetCompressionWorkSpaceSize)(
    USHORT CompressionFormatAndEngine,
    PULONG CompressBufferWorkSpaceSize,
    PULONG CompressFragmentWorkSpaceSize
    );

#define RtlZeroMemory_Hash 0xDB579CB
typedef void (__stdcall *_RtlZeroMemory)(IN VOID UNALIGNED *Destination, IN SIZE_T Length
    );

#define RtlCopyMemory_Hash 0x20484894
typedef void (__stdcall *_RtlCopyMemory)(IN VOID UNALIGNED *Destination,
    IN CONST VOID UNALIGNED *Source, IN SIZE_T Length);

#define RtlMoveMemory_Hash 0x1518E9C0
typedef void(__stdcall *_RtlMoveMemory)(IN VOID UNALIGNED *Destination,
    IN CONST VOID UNALIGNED *Source, IN SIZE_T Length);

// Module-name hash, unlike the export hashes above: get_kernel32_base compares
// it against calc_hashW2() of each loaded module's BaseDllName. calc_hashW2
// folds case (and anything >= 'a') before mixing, so this constant corresponds
// to the folded name — presumably "KERNEL32.DLL"; regenerate with calc_hashW2
// if the folding rule ever changes.
#define Kernel32Lib_Hash 0x1cca9ce6
67 |
68 | #endif // SHELLCODE_GLOBAL_H
--------------------------------------------------------------------------------
/ShellCode_Ntdll/ReadMe.txt:
--------------------------------------------------------------------------------
1 | ========================================================================
2 | 控制台应用程序:ShellCode_Ntdll 项目概述
3 | ========================================================================
4 |
5 | 应用程序向导已为您创建了此 ShellCode_Ntdll 应用程序。
6 |
7 | 本文件概要介绍组成 ShellCode_Ntdll 应用程序的每个文件的内容。
8 |
9 |
10 | ShellCode_Ntdll.vcxproj
11 | 这是使用应用程序向导生成的 VC++ 项目的主项目文件,其中包含生成该文件的 Visual C++ 的版本信息,以及有关使用应用程序向导选择的平台、配置和项目功能的信息。
12 |
13 | ShellCode_Ntdll.vcxproj.filters
14 | 这是使用“应用程序向导”生成的 VC++ 项目筛选器文件。它包含有关项目文件与筛选器之间的关联信息。在 IDE 中,通过这种关联,在特定节点下以分组形式显示具有相似扩展名的文件。例如,“.cpp”文件与“源文件”筛选器关联。
15 |
16 | ShellCode_Ntdll.cpp
17 | 这是主应用程序源文件。
18 |
19 | /////////////////////////////////////////////////////////////////////////////
20 | 其他标准文件:
21 |
22 | StdAfx.h, StdAfx.cpp
23 | 这些文件用于生成名为 ShellCode_Ntdll.pch 的预编译头 (PCH) 文件和名为 StdAfx.obj 的预编译类型文件。
24 |
25 | /////////////////////////////////////////////////////////////////////////////
26 | 其他注释:
27 |
28 | 应用程序向导使用“TODO:”注释来指示应添加或自定义的源代码部分。
29 |
30 | /////////////////////////////////////////////////////////////////////////////
31 |
--------------------------------------------------------------------------------
/ShellCode_Ntdll/ShellCode_Ntdll.c:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/killeven/DllToShellCode/e9490e1f187efce92107582e56633247a28d25f4/ShellCode_Ntdll/ShellCode_Ntdll.c
--------------------------------------------------------------------------------
/ShellCode_Ntdll/ShellCode_Ntdll.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Debug
10 | x64
11 |
12 |
13 | Release
14 | Win32
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | {DB54F4C7-3909-4E06-BA3B-B5F8459FA5C6}
23 | Win32Proj
24 | ShellCode_Ntdll
25 |
26 |
27 |
28 | Application
29 | true
30 | v120
31 | Unicode
32 |
33 |
34 | Application
35 | true
36 | v120
37 | Unicode
38 |
39 |
40 | Application
41 | false
42 | v120
43 | true
44 | Unicode
45 |
46 |
47 | Application
48 | false
49 | v120
50 | true
51 | Unicode
52 |
53 |
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 | true
71 |
72 |
73 | true
74 |
75 |
76 | false
77 |
78 |
79 | false
80 |
81 |
82 |
83 | Use
84 | Level3
85 | Disabled
86 | WIN32;_DEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions)
87 | true
88 |
89 |
90 | Console
91 | true
92 |
93 |
94 |
95 |
96 | Use
97 | Level3
98 | Disabled
99 | WIN32;_DEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions)
100 | true
101 |
102 |
103 | Console
104 | true
105 |
106 |
107 |
108 |
109 | Level3
110 | NotUsing
111 | MinSpace
112 | true
113 | true
114 | WIN32;NDEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions)
115 | true
116 | false
117 | false
118 |
119 |
120 | Console
121 | true
122 | true
123 | true
124 | order.txt
125 | true
126 |
127 |
128 |
129 |
130 | Level3
131 | NotUsing
132 | MinSpace
133 | true
134 | true
135 | WIN32;NDEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions)
136 | true
137 | false
138 | false
139 |
140 |
141 | Console
142 | true
143 | true
144 | true
145 | order.txt
146 | true
147 |
148 |
149 |
150 |
151 |
152 |
153 |
154 |
155 |
156 |
157 |
158 |
159 |
160 |
161 |
162 |
163 |
164 |
--------------------------------------------------------------------------------
/ShellCode_Ntdll/ShellCode_Ntdll.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 |
23 | 头文件
24 |
25 |
26 | 头文件
27 |
28 |
29 |
30 |
31 | 源文件
32 |
33 |
34 | 源文件
35 |
36 |
37 |
--------------------------------------------------------------------------------
/ShellCode_Ntdll/ShellCode_Ntdll.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/ShellCode_Ntdll/order.txt:
--------------------------------------------------------------------------------
1 | ntdll_entry
2 | init_func
3 | calc_hash
4 | calc_hashW2
5 | get_kernel32_base
6 | get_proc_address_from_hash
7 | ntdll_main
8 | ntdll_end
--------------------------------------------------------------------------------
/ShellCode_Ntdll/shellcode_base.c:
--------------------------------------------------------------------------------
1 | #include "shellcode_base.h"
2 |
3 | //===============================================================================================//
// Minimal UNICODE_STRING: Length/MaximumLength are BYTE counts, not
// character counts (get_kernel32_base divides Length by 2 before hashing).
typedef struct _UNICODE_STR {
    USHORT Length;          // bytes in use
    USHORT MaximumLength;   // bytes allocated
    PWSTR pBuffer;          // UTF-16 data, not necessarily NUL-terminated
} UNICODE_STR, *PUNICODE_STR;
9 |
10 | // WinDbg> dt -v ntdll!_LDR_DATA_TABLE_ENTRY
11 | //__declspec( align(8) )
// Deliberately starts at InMemoryOrderModuleList rather than at the real
// first field, so a LIST_ENTRY taken off PEB_LDR_DATA.InMemoryOrderModuleList
// can be cast straight to PLDR_DATA_TABLE_ENTRY (see get_kernel32_base).
// Only DllBase and BaseDllName are read in this file.
typedef struct _LDR_DATA_TABLE_ENTRY {
    // LIST_ENTRY InLoadOrderLinks; // As we search from PPEB_LDR_DATA->InMemoryOrderModuleList we dont use the first
    // entry.
    LIST_ENTRY InMemoryOrderModuleList;
    LIST_ENTRY InInitializationOrderModuleList;
    PVOID DllBase;            // image base; returned as the HMODULE
    PVOID EntryPoint;
    ULONG SizeOfImage;
    UNICODE_STR FullDllName;
    UNICODE_STR BaseDllName;  // hashed with calc_hashW2 and compared to Kernel32Lib_Hash
    ULONG Flags;
    SHORT LoadCount;
    SHORT TlsIndex;
    LIST_ENTRY HashTableEntry;
    ULONG TimeDateStamp;
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
28 |
29 | // WinDbg> dt -v ntdll!_PEB_LDR_DATA
// Loader bookkeeping reached through PEB->pLdr. get_kernel32_base walks
// InMemoryOrderModuleList; the neighbouring fields are declared only so the
// offsets line up. NOTE(review): Windows LIST_ENTRY lists are circular and
// the head is this field itself, so a walk must stop when it gets back here.
typedef struct _PEB_LDR_DATA //, 7 elements, 0x28 bytes
{
    DWORD dwLength;
    DWORD dwInitialized;
    LPVOID lpSsHandle;
    LIST_ENTRY InLoadOrderModuleList;
    LIST_ENTRY InMemoryOrderModuleList;
    LIST_ENTRY InInitializationOrderModuleList;
    LPVOID lpEntryInProgress;
} PEB_LDR_DATA, *PPEB_LDR_DATA;
40 |
41 | // WinDbg> dt -v ntdll!_PEB_FREE_BLOCK
// Only present so that the _PEB field after pFreeList keeps its offset;
// nothing in this file reads it.
typedef struct _PEB_FREE_BLOCK // 2 elements, 0x8 bytes
{
    struct _PEB_FREE_BLOCK *pNext;
    DWORD dwSize;
} PEB_FREE_BLOCK, *PPEB_FREE_BLOCK;
47 |
48 | // struct _PEB is defined in Winternl.h but it is incomplete
49 | // WinDbg> dt -v ntdll!_PEB
// Local copy of the PEB layout. The only member this file dereferences is
// pLdr (get_kernel32_base); the three pointer-sized fields in front of it
// are what place it at 0x0C on x86 and 0x18 on x64 for this struct.
// NOTE(review): that is expected to coincide with the real PEB's Ldr offset
// on both targets - confirm against `dt ntdll!_PEB` when bumping OS support.
// Everything after pLdr is reproduced for completeness and is unused here.
typedef struct __PEB // 65 elements, 0x210 bytes
{
    BYTE bInheritedAddressSpace;
    BYTE bReadImageFileExecOptions;
    BYTE bBeingDebugged;
    BYTE bSpareBool;
    LPVOID lpMutant;
    LPVOID lpImageBaseAddress;
    PPEB_LDR_DATA pLdr;          // -> module lists; see get_kernel32_base
    LPVOID lpProcessParameters;
    LPVOID lpSubSystemData;
    LPVOID lpProcessHeap;
    PRTL_CRITICAL_SECTION pFastPebLock;
    LPVOID lpFastPebLockRoutine;
    LPVOID lpFastPebUnlockRoutine;
    DWORD dwEnvironmentUpdateCount;
    LPVOID lpKernelCallbackTable;
    DWORD dwSystemReserved;
    DWORD dwAtlThunkSListPtr32;
    PPEB_FREE_BLOCK pFreeList;
    DWORD dwTlsExpansionCounter;
    LPVOID lpTlsBitmap;
    DWORD dwTlsBitmapBits[2];
    LPVOID lpReadOnlySharedMemoryBase;
    LPVOID lpReadOnlySharedMemoryHeap;
    LPVOID lpReadOnlyStaticServerData;
    LPVOID lpAnsiCodePageData;
    LPVOID lpOemCodePageData;
    LPVOID lpUnicodeCaseTableData;
    DWORD dwNumberOfProcessors;
    DWORD dwNtGlobalFlag;
    LARGE_INTEGER liCriticalSectionTimeout;
    DWORD dwHeapSegmentReserve;
    DWORD dwHeapSegmentCommit;
    DWORD dwHeapDeCommitTotalFreeThreshold;
    DWORD dwHeapDeCommitFreeBlockThreshold;
    DWORD dwNumberOfHeaps;
    DWORD dwMaximumNumberOfHeaps;
    LPVOID lpProcessHeaps;
    LPVOID lpGdiSharedHandleTable;
    LPVOID lpProcessStarterHelper;
    DWORD dwGdiDCAttributeList;
    LPVOID lpLoaderLock;
    DWORD dwOSMajorVersion;
    DWORD dwOSMinorVersion;
    WORD wOSBuildNumber;
    WORD wOSCSDVersion;
    DWORD dwOSPlatformId;
    DWORD dwImageSubsystem;
    DWORD dwImageSubsystemMajorVersion;
    DWORD dwImageSubsystemMinorVersion;
    DWORD dwImageProcessAffinityMask;
    DWORD dwGdiHandleBuffer[34];
    LPVOID lpPostProcessInitRoutine;
    LPVOID lpTlsExpansionBitmap;
    DWORD dwTlsExpansionBitmapBits[32];
    DWORD dwSessionId;
    ULARGE_INTEGER liAppCompatFlags;
    ULARGE_INTEGER liAppCompatFlagsUser;
    LPVOID lppShimData;
    LPVOID lpAppCompatInfo;
    UNICODE_STR usCSDVersion;
    LPVOID lpActivationContextData;
    LPVOID lpProcessAssemblyStorageMap;
    LPVOID lpSystemDefaultActivationContextData;
    LPVOID lpSystemAssemblyStorageMap;
    DWORD dwMinimumStackCommit;
} _PEB, *_PPEB;
118 |
// One entry of an IMAGE_BASE_RELOCATION block: low 12 bits are the offset
// within the page, high 4 bits the relocation type. Not referenced by any
// code in this file (presumably used by the loader in ShellCode_Ntdll.c).
typedef struct {
    WORD offset : 12;
    WORD type : 4;
} IMAGE_RELOC, *PIMAGE_RELOC;
123 |
// cast(t, a): plain C-style cast, kept as a macro so the pointer arithmetic
// in get_proc_address_from_hash reads uniformly.
#define cast(t, a) ((t)(a))
// cast_offset(t, p, o): (p + o bytes) as type t. Used to turn an RVA (offset
// from the image base) into a pointer.
#define cast_offset(t, p, o) ((t)((uint8_t *)(p) + (o)))
126 |
// Displacement between where this code actually runs and where the linker
// placed it (used to fix up absolute addresses in position-independent code).
//
// x86: `call delta` pushes the runtime address of the `delta` label; popping
// it and subtracting `offset delta` (the link-time address) gives the delta.
// x64: there is no inline-asm path here, so the function always returns 0.
//
// returns runtime address minus link-time address of `delta` (x86), else 0
uint32_t get_delta() {
    uint32_t r = 0;
#ifndef _WIN64
    __asm {
        call delta;
    delta:
        pop eax;
        sub eax, offset delta;
        mov r, eax
    }
#endif
    return r;
}
140 |
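// BKDRHash (seed 131) over a UTF-16 name, folding ASCII a-z to A-Z so the
// lookup is case-insensitive for the DLL base names it is compared against
// (Kernel32Lib_Hash = hash of "KERNEL32.DLL" = 0x1cca9ce6).
//
// The previous fold was `if (s >= 'a') s -= 0x20`, which also mangled '{',
// '|', '}', '~', DEL and every non-ASCII code unit; restricting it to a-z
// leaves every existing hash unchanged (none of the names hashed here contain
// such characters) and makes the function well-defined for names that do.
//
// str: wide string, need not be NUL-terminated; NULL is treated as empty
// len: number of wchar_t units to hash (UNICODE_STR.Length / 2); <= 0 hashes nothing
// returns the 31-bit hash (top bit masked off, as in calc_hash)
uint32_t calc_hashW2(wchar_t *str, int len) {
    const uint32_t seed = 131; // 31 131 1313 13131 131313 etc..
    uint32_t hash = 0;
    if (str == 0) return 0;
    for (int i = 0; i < len; i++) {
        wchar_t s = str[i];
        if (s >= L'a' && s <= L'z') s -= 0x20; // ASCII upper-case only
        hash = hash * seed + (uint32_t)s;
    }
    return hash & 0x7FFFFFFF;
}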
151 |
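// Locates kernel32.dll without imports: reads the PEB from the TEB, walks
// the loader's InMemoryOrderModuleList and hashes each entry's base name
// with calc_hashW2 until one equals Kernel32Lib_Hash.
//
// returns the module base (LDR_DATA_TABLE_ENTRY.DllBase), or 0 when the
// loader data is missing or no entry matches.
HMODULE get_kernel32_base() {
    _PPEB peb = 0;
#ifdef _WIN64
    peb = (_PPEB)__readgsqword(0x60); // TEB->ProcessEnvironmentBlock (x64)
#else
    peb = (_PPEB)__readfsdword(0x30); // TEB->ProcessEnvironmentBlock (x86)
#endif
    if (peb == 0 || peb->pLdr == 0) return 0;

    // LIST_ENTRY lists are circular and the head sits inside PEB_LDR_DATA.
    // The old `while (entry)` loop therefore never terminated when nothing
    // matched: it walked back onto the head, cast it as a module entry and
    // read garbage from PEB_LDR_DATA. Stop at the head (and on NULL, for
    // safety) instead.
    LIST_ENTRY *head = &peb->pLdr->InMemoryOrderModuleList;
    for (LIST_ENTRY *entry = head->Flink; entry != 0 && entry != head; entry = entry->Flink) {
        // InLoadOrderLinks is omitted from our LDR_DATA_TABLE_ENTRY, so the
        // in-memory-order link *is* the start of the entry.
        PLDR_DATA_TABLE_ENTRY e = (PLDR_DATA_TABLE_ENTRY)entry;
        if (e->BaseDllName.pBuffer == 0) continue;
        int nchars = e->BaseDllName.Length / 2; // Length is in bytes
        if (calc_hashW2(e->BaseDllName.pBuffer, nchars) == Kernel32Lib_Hash) {
            return (HMODULE)e->DllBase;
        }
    }
    return 0;
}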
169 |
170 | // BKDRHash
// BKDRHash (seed 131) of a NUL-terminated export name, masked to 31 bits.
// This is the exact function the *_Hash constants in shellcode_global.h
// were generated with (e.g. "VirtualFree" -> 0x6488073), so the arithmetic
// here must stay bit-for-bit the same.
//
// NOTE: characters are accumulated through plain `char`; on a target where
// char is signed a byte >= 0x80 is sign-extended before being added. Export
// names are ASCII, so this does not affect any constant in use.
//
// str: NUL-terminated name to hash
// returns hash & 0x7FFFFFFF
uint32_t calc_hash(char *str) {
    const uint32_t multiplier = 131; // 31 131 1313 13131 131313 etc..
    uint32_t acc = 0;
    for (char *p = str; *p != '\0'; ++p) {
        acc = acc * multiplier + *p;
    }
    return acc & 0x7FFFFFFF;
}
179 |
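// Resolves an export of `module` by the calc_hash() of its name, reading the
// PE export directory directly so no API name has to be carried as a string.
//
// module:           base of a loaded image (e.g. from get_kernel32_base)
// func_hash:        calc_hash() of the export name (the *_Hash constants)
// get_proc_address: optional. When non-NULL the matched name is handed to it
//                   (a real GetProcAddress, which also follows forwarders);
//                   when NULL the export address table is used as-is.
// returns the export's address, or 0 when there is no named export with that
//         hash or the entry cannot be resolved safely (see below).
void *get_proc_address_from_hash(HMODULE module, uint32_t func_hash, _GetProcAddress get_proc_address) {
    if (module == 0) return 0;
    PIMAGE_DOS_HEADER dosh = cast(PIMAGE_DOS_HEADER, module);
    if (dosh->e_magic != IMAGE_DOS_SIGNATURE) return 0;
    PIMAGE_NT_HEADERS nth = cast_offset(PIMAGE_NT_HEADERS, module, dosh->e_lfanew);
    if (nth->Signature != IMAGE_NT_SIGNATURE) return 0;
    PIMAGE_DATA_DIRECTORY dataDict = &nth->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
    if (dataDict->VirtualAddress == 0 || dataDict->Size == 0) return 0;
    uint32_t exp_begin = dataDict->VirtualAddress;
    uint32_t exp_end = exp_begin + dataDict->Size;
    PIMAGE_EXPORT_DIRECTORY exportDict = cast_offset(PIMAGE_EXPORT_DIRECTORY, module, exp_begin);
    if (exportDict->NumberOfNames == 0) return 0;
    uint32_t *fn = cast_offset(uint32_t *, module, exportDict->AddressOfNames);
    uint32_t *fa = cast_offset(uint32_t *, module, exportDict->AddressOfFunctions);
    uint16_t *ord = cast_offset(uint16_t *, module, exportDict->AddressOfNameOrdinals);
    for (uint32_t i = 0; i < exportDict->NumberOfNames; i++) {
        char *name = cast_offset(char *, module, fn[i]);
        if (calc_hash(name) != func_hash) continue;
        if (get_proc_address != 0) return get_proc_address(module, name);
        // The name ordinal indexes AddressOfFunctions; bound it so a
        // malformed table cannot send us to an arbitrary RVA.
        uint16_t o = ord[i];
        if (o >= exportDict->NumberOfFunctions) return 0;
        uint32_t rva = fa[o];
        // Per the PE spec an RVA that lies inside the export directory is a
        // forwarder string ("Dll.Name"), not code. The old code returned it
        // anyway and the caller would then *call* that text. Without a real
        // GetProcAddress to follow the forward, refuse rather than hand back
        // a bogus code pointer.
        if (rva >= exp_begin && rva < exp_end) return 0;
        return cast_offset(void *, module, rva);
    }
    return 0;
}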
--------------------------------------------------------------------------------
/ShellCode_Ntdll/shellcode_base.h:
--------------------------------------------------------------------------------
#ifndef SHELLCODE_BASE_H
#define SHELLCODE_BASE_H
#include "shellcode_global.h"

// Position-independent helpers for the ShellCode_Ntdll build: locate
// kernel32 through the PEB and resolve exports from the export table using
// the name hashes declared in shellcode_global.h instead of strings.
#ifdef __cplusplus
extern "C" {
#endif // __cplusplus
// Runtime address minus link-time address of this code (x86 only; the x64
// build returns 0).
uint32_t get_delta();
// Base of kernel32.dll found by walking PEB->pLdr->InMemoryOrderModuleList;
// 0 when no entry's base name hashes to Kernel32Lib_Hash.
HMODULE get_kernel32_base();
// BKDRHash (seed 131, masked to 31 bits) of a NUL-terminated export name;
// the function the *_Hash constants were generated with.
uint32_t calc_hash(char *str);
// Address of the export of `module` whose calc_hash() equals func_hash, or
// 0. When get_proc_address is non-NULL the matched name is resolved through
// it instead of reading the export address table directly.
void *get_proc_address_from_hash(HMODULE module, uint32_t func_hash, _GetProcAddress get_proc_address);
// NOTE(review): calc_hashW2 (the wide-string variant used by get_kernel32_base)
// is defined in shellcode_base.c but is not declared here.
#ifdef __cplusplus
}
#endif // __cplusplus

#endif // SHELLCODE_BASE_H
--------------------------------------------------------------------------------
/ShellCode_Ntdll/shellcode_global.h:
--------------------------------------------------------------------------------
1 | #ifndef SHELLCODE_GLOBAL_H
2 | #define SHELLCODE_GLOBAL_H
3 | #include
4 | #include
5 |
// API name hashes and matching function-pointer types, grouped by the DLL
// that exports them.
//
// Every *_Hash below is calc_hash() (shellcode_base.c: BKDRHash, seed 131,
// result masked to 31 bits) of the export name, and is looked up with
// get_proc_address_from_hash - e.g. calc_hash("VirtualFree") == 0x6488073.
// If calc_hash ever changes, every constant here must be regenerated.

// kernel32
#define GetProcAddress_Hash 0x1AB9B854
// The real GetProcAddress takes LPCSTR; this is what the name pointer from
// the export table is passed to by get_proc_address_from_hash.
typedef void* (__stdcall *_GetProcAddress)(HMODULE, char *);

#define LoadLibraryA_Hash 0x7F201F78
typedef HMODULE(__stdcall *_LoadLibraryA)(LPCSTR lpLibFileName);

#define VirtualAlloc_Hash 0x5E893462
typedef LPVOID(__stdcall *_VirtualAlloc)(LPVOID lpAddress, // region to reserve or commit
    SIZE_T dwSize, // size of region
    DWORD flAllocationType, // type of allocation
    DWORD flProtect // type of access protection
);

#define VirtualFree_Hash 0x6488073
typedef BOOL(__stdcall *_VirtualFree)(LPVOID lpAddress, // address of region
    SIZE_T dwSize, // size of region
    DWORD dwFreeType // operation type
);

#define lstrcmpiA_Hash 0x705CF2A5
typedef int (__stdcall *_lstrcmpiA)(
    _In_ LPCSTR lpString1,
    _In_ LPCSTR lpString2
);

// user32
#define MessageBoxA_Hash 0x6DBE321
typedef int(__stdcall *_MessageBoxA)(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType);

// ntdll
// Rtl* decompression used by the ntdll-packed payload path.
#define RtlDecompressBuffer_Hash 0x4B106265
typedef NTSTATUS(__stdcall *_RtlDecompressBuffer)(
    USHORT CompressionFormat,
    PUCHAR UncompressedBuffer,
    ULONG UncompressedBufferSize,
    PUCHAR CompressedBuffer,
    ULONG CompressedBufferSize,
    PULONG FinalUncompressedSize
);

#define RtlGetCompressionWorkSpaceSize_Hash 0x8FC8E20
typedef NTSTATUS(__stdcall *_RtlGetCompressionWorkSpaceSize)(
    USHORT CompressionFormatAndEngine,
    PULONG CompressBufferWorkSpaceSize,
    PULONG CompressFragmentWorkSpaceSize
);

#define RtlZeroMemory_Hash 0xDB579CB
typedef void (__stdcall *_RtlZeroMemory)(IN VOID UNALIGNED *Destination, IN SIZE_T Length
);

#define RtlCopyMemory_Hash 0x20484894
typedef void (__stdcall *_RtlCopyMemory)(IN VOID UNALIGNED *Destination,
    IN CONST VOID UNALIGNED *Source, IN SIZE_T Length);

#define RtlMoveMemory_Hash 0x1518E9C0
typedef void(__stdcall *_RtlMoveMemory)(IN VOID UNALIGNED *Destination,
    IN CONST VOID UNALIGNED *Source, IN SIZE_T Length);

// Unlike the *_Hash constants above this one is calc_hashW2() (the UTF-16
// variant with a-z folded to upper case) of the module's BaseDllName, so
// both "KERNEL32.DLL" and "kernel32.dll" give 0x1cca9ce6.
#define Kernel32Lib_Hash 0x1cca9ce6
67 |
68 | #endif // SHELLCODE_GLOBAL_H
--------------------------------------------------------------------------------
/Tester/gen.bat:
--------------------------------------------------------------------------------
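rem gen.bat - rebuild the shellcode test harness.
rem
rem Steps: (1) drop the outputs of a previous run, (2) dump the three
rem shellcode blobs (*_x86.bin) by running the ShellCode_* generators,
rem (3) pack TestDll.dll with DllToShellCode (method 1 -> TestDll_nt.dll,
rem method 2 -> TestDll_aplib.dll) and turn each .bin into a C header,
rem (4) assemble the six fasm testers that embed those files.
rem
rem All paths are relative to the current directory, which must hold the
rem built .exe files, TestDll.dll and the tester_*.asm sources. Each step is
rem assumed to return 0 on success; the first non-zero exit code stops the
rem script instead of letting later steps run against missing inputs (the
rem original ran every line unconditionally).
setlocal

rem (1) remove stale outputs; `if exist` avoids del's "Could Not Find" noise
rem     on a first run.
for %%F in (aplib_x86.bin ntdll_x86.bin main_x86.bin aplib_x86.h ntdll_x86.h main_x86.h TestDll_aplib.dll TestDll_nt.dll) do (
    if exist "%%F" del /q "%%F"
)

rem (2) emit the raw shellcode blobs
ShellCode_Aplib.exe || goto :fail
ShellCode_Ntdll.exe || goto :fail
ShellCode_Main.exe || goto :fail

rem (3) pack the test DLL both ways and convert the blobs to headers
DllToShellCode.exe c 1 TestDll.dll TestDll_nt.dll || goto :fail
DllToShellCode.exe c 2 TestDll.dll TestDll_aplib.dll || goto :fail
DllToShellCode.exe b aplib_x86.bin aplib_x86.h || goto :fail
DllToShellCode.exe b ntdll_x86.bin ntdll_x86.h || goto :fail
DllToShellCode.exe b main_x86.bin main_x86.h || goto :fail

rem (4) assemble the testers
fasm tester_main_mode1.asm || goto :fail
fasm tester_main_mode2.asm || goto :fail
fasm tester_aplib_mode1.asm || goto :fail
fasm tester_aplib_mode2.asm || goto :fail
fasm tester_nt_mode1.asm || goto :fail
fasm tester_nt_mode2.asm || goto :fail

echo gen.bat: all testers generated.
@pause
exit /b 0

:fail
echo gen.bat: step failed with exit code %errorlevel% - stopping.
@pause
exit /b 1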
--------------------------------------------------------------------------------
/Tester/tester_aplib_mode1.asm:
--------------------------------------------------------------------------------
; Stand-alone PE that runs main_x86.bin in invoke mode 0 against an
; aPLib-packed TestDll. Layout is the contract: main_x86.bin is immediately
; followed by param_data, and every offset inside that block is relative to
; param_data itself (presumably the shellcode locates the block that way).
format PE

entry start

; code, parameter block, unpacker stub and packed DLL all share one RX section
section '.text' code readable executable

tester:
file 'main_x86.bin'

param_data:
invokeMode db 0                                      ; 0 here; the *_mode2 testers use 1 and then `call eax`
depackCodeOffset dd aplib_unpack_code - param_data   ; aPLib decompressor stub, relative to param_data
unpackSize dd 179712                                 ; unpacked size of TestDll.dll; hard-coded, so it goes stale if TestDll.dll is rebuilt (tester_main_mode1.asm computes it instead)
packedSize dd dll_data_end - dll_data_start          ; bytes of packed payload below
dllDataOffset dd dll_data_start - param_data         ; packed payload, relative to param_data
param db 'Tester'                                    ; string handed to the shellcode (its meaning is inside main_x86.bin)
reserved rb 100 - 6                                  ; pads param to a fixed 100-byte field

start:
call tester                                          ; mode 0: the shellcode does everything and returns
ret

aplib_unpack_code:
file 'aplib_x86.bin'

dll_data_start:
file 'TestDll_aplib.dll'

dll_data_end:
--------------------------------------------------------------------------------
/Tester/tester_aplib_mode2.asm:
--------------------------------------------------------------------------------
; Stand-alone PE that runs main_x86.bin in invoke mode 1 against an
; aPLib-packed TestDll. Same layout as tester_aplib_mode1.asm (main_x86.bin
; immediately followed by param_data, offsets relative to param_data); the
; difference is invokeMode=1, a 'Test' parameter, and that the value the
; shellcode leaves in eax is called afterwards.
format PE

entry start

; code, parameter block, unpacker stub and packed DLL all share one RX section
section '.text' code readable executable

tester:
file 'main_x86.bin'

param_data:
invokeMode db 1                                      ; 1: shellcode returns something in eax that start: then calls
depackCodeOffset dd aplib_unpack_code - param_data   ; aPLib decompressor stub, relative to param_data
unpackSize dd 179712                                 ; unpacked size of TestDll.dll; hard-coded, goes stale if TestDll.dll is rebuilt
packedSize dd dll_data_end - dll_data_start          ; bytes of packed payload below
dllDataOffset dd dll_data_start - param_data         ; packed payload, relative to param_data
param db 'Test'                                      ; presumably the name resolved and returned in eax - verify against ShellCode_Main.c
reserved rb 100 - 4                                  ; pads param to a fixed 100-byte field

start:
call tester
call eax                                             ; invoke whatever the shellcode returned; eax is not checked for 0 here
ret

aplib_unpack_code:
file 'aplib_x86.bin'

dll_data_start:
file 'TestDll_aplib.dll'

dll_data_end:
--------------------------------------------------------------------------------
/Tester/tester_main_mode1.asm:
--------------------------------------------------------------------------------
; Stand-alone PE that runs main_x86.bin in invoke mode 0 with an UNPACKED
; TestDll: no decompressor stub (depackCodeOffset = 0) and unpackSize equals
; the raw DLL size. Layout: main_x86.bin immediately followed by param_data,
; offsets relative to param_data.
format PE

entry start

section '.text' code readable executable

tester:
file 'main_x86.bin'

param_data:
invokeMode db 0                                  ; 0 here; tester_main_mode2.asm uses 1 and then `call eax`
depackCodeOffset dd 0                            ; no decompressor: payload is the plain DLL
unpackSize dd dll_data_end - dll_data_start      ; equals packedSize because nothing is packed
packedSize dd dll_data_end - dll_data_start
dllDataOffset dd dll_data_start - param_data     ; DLL image, relative to param_data
param db 'Tester'                                ; string handed to the shellcode (its meaning is inside main_x86.bin)
reserved rb 100 - 6                              ; pads param to a fixed 100-byte field

start:
call tester                                      ; mode 0: the shellcode does everything and returns
ret
dll_data_start:
file 'TestDll.dll'

dll_data_end:
--------------------------------------------------------------------------------
/Tester/tester_main_mode2.asm:
--------------------------------------------------------------------------------
; Stand-alone PE that runs main_x86.bin in invoke mode 1 with an UNPACKED
; TestDll (depackCodeOffset = 0, unpackSize = raw size). Same layout as
; tester_main_mode1.asm; differs in invokeMode=1, the 'Test' parameter, and
; the `call eax` on whatever the shellcode returns.
format PE

entry start

section '.text' code readable executable

tester:
file 'main_x86.bin'

param_data:
invokeMode db 1                                  ; 1: shellcode returns something in eax that start: then calls
depackCodeOffset dd 0                            ; no decompressor: payload is the plain DLL
unpackSize dd dll_data_end - dll_data_start      ; equals packedSize because nothing is packed
packedSize dd dll_data_end - dll_data_start
dllDataOffset dd dll_data_start - param_data     ; DLL image, relative to param_data
param db 'Test'                                  ; presumably the name resolved and returned in eax - verify against ShellCode_Main.c
reserved rb 100 - 4                              ; pads param to a fixed 100-byte field

start:
call tester
call eax                                         ; invoke whatever the shellcode returned; eax is not checked for 0 here
ret
dll_data_start:
file 'TestDll.dll'

dll_data_end:
--------------------------------------------------------------------------------
/Tester/tester_nt_mode1.asm:
--------------------------------------------------------------------------------
; Stand-alone PE that runs main_x86.bin in invoke mode 0 against a TestDll
; packed by DllToShellCode method 1 (TestDll_nt.dll), unpacked by the
; ntdll_x86.bin stub. Layout: main_x86.bin immediately followed by
; param_data, offsets relative to param_data.
format PE

entry start

; code, parameter block, unpacker stub and packed DLL all share one RX section
section '.text' code readable executable

tester:
file 'main_x86.bin'

param_data:
invokeMode db 0                                   ; 0 here; tester_nt_mode2.asm uses 1 and then `call eax`
depackCodeOffset dd nt_unpack_code - param_data   ; ntdll-based decompressor stub, relative to param_data
unpackSize dd 179712                              ; unpacked size of TestDll.dll; hard-coded, goes stale if TestDll.dll is rebuilt
packedSize dd dll_data_end - dll_data_start       ; bytes of packed payload below
dllDataOffset dd dll_data_start - param_data      ; packed payload, relative to param_data
param db 'Tester'                                 ; string handed to the shellcode (its meaning is inside main_x86.bin)
reserved rb 100 - 6                               ; pads param to a fixed 100-byte field

start:
call tester                                       ; mode 0: the shellcode does everything and returns
ret

nt_unpack_code:
file 'ntdll_x86.bin'

dll_data_start:
file 'TestDll_nt.dll'

dll_data_end:
--------------------------------------------------------------------------------
/Tester/tester_nt_mode2.asm:
--------------------------------------------------------------------------------
; Stand-alone PE that runs main_x86.bin in invoke mode 1 against a TestDll
; packed by DllToShellCode method 1 (TestDll_nt.dll), unpacked by the
; ntdll_x86.bin stub. Same layout as tester_nt_mode1.asm; differs in
; invokeMode=1, the 'Test' parameter, and the `call eax` afterwards.
format PE

entry start

; code, parameter block, unpacker stub and packed DLL all share one RX section
section '.text' code readable executable

tester:
file 'main_x86.bin'

param_data:
invokeMode db 1                                   ; 1: shellcode returns something in eax that start: then calls
depackCodeOffset dd nt_unpack_code - param_data   ; ntdll-based decompressor stub, relative to param_data
unpackSize dd 179712                              ; unpacked size of TestDll.dll; hard-coded, goes stale if TestDll.dll is rebuilt
packedSize dd dll_data_end - dll_data_start       ; bytes of packed payload below
dllDataOffset dd dll_data_start - param_data      ; packed payload, relative to param_data
param db 'Test'                                   ; presumably the name resolved and returned in eax - verify against ShellCode_Main.c
reserved rb 100 - 4                               ; pads param to a fixed 100-byte field

start:
call tester
call eax                                          ; invoke whatever the shellcode returned; eax is not checked for 0 here
ret

nt_unpack_code:
file 'ntdll_x86.bin'

dll_data_start:
file 'TestDll_nt.dll'

dll_data_end:
--------------------------------------------------------------------------------