- /////////////////////////////////////////
- //PART 2:
- /////////////////////////////////////////
- //NTCREATETHREADEX X64:
- // NtCreateThreadEx x64 stub. Layout: a 0x10-byte data header (argument / return
- // slot at -0x10, pRoutine at -0x08) directly followed by 0x1F bytes of code. The
- // thread parameter in rcx is presumably the header address: it is copied to rax
- // and read as [rax] (argument) and [rax + 0x08] (pRoutine). The lea at +0x11
- // (disp -0x28 from +0x18) resolves to that same header, so the stub stores the
- // callee's return value back into the allocation it executes from. Defender note:
- // that store needs the region to be writable as well as executable; a thread whose
- // start address lies inside a private W+X region is the detection-relevant artifact.
- BYTE Shellcode[] =
- {
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // - 0x10 -> argument / returned value ;pCodecave; read via [rax], overwritten at +0x18
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // - 0x08 -> pRoutine ;called via [rax + 0x08]
- 0x48, 0x8B, 0xC1, // + 0x00 -> mov rax, rcx ;rax = header address (thread parameter)
- 0x48, 0x8B, 0x08, // + 0x03 -> mov rcx, [rax] ;rcx = argument for pRoutine
- 0x48, 0x83, 0xEC, 0x28, // + 0x06 -> sub rsp, 0x28 ;0x20 home space + 8 keeps rsp 16-aligned at the call (entry rsp % 16 == 8)
- 0xFF, 0x50, 0x08, // + 0x0A -> call qword ptr [rax + 0x08] ;pRoutine(argument)
- 0x48, 0x83, 0xC4, 0x28, // + 0x0D -> add rsp, 0x28
- 0x48, 0x8D, 0x0D, 0xD8, 0xFF, 0xFF, 0xFF, // + 0x11 -> lea rcx, [pCodecave] ;rip-relative disp -0x28 from +0x18 = -0x10, the header
- 0x48, 0x89, 0x01, // + 0x18 -> mov [rcx], rax ;store returned value into the slot
- 0x48, 0x31, 0xC0, // + 0x1B -> xor rax, rax ;stub itself returns 0
- 0xC3 // + 0x1E -> ret
- }; // SIZE = 0x1F (+ 0x10)
- /////////////////////////////////////////
- //PART 3:
- /////////////////////////////////////////
- //THREADHIJACKING X64:
- // Thread-hijack x64 stub. Layout: an 8-byte return-value slot at -0x08 (pCodecave)
- // followed by 0x5B bytes of code. The 32-bit immediates at +0x07 / +0x0F (halves of
- // the old RIP), +0x21 (pRoutine) and +0x2B (pArg) are zero here and appear to be
- // filled in by the injector (the "(+ 0xNN)" annotations name those offsets). The
- // stub manufactures a return address from the old RIP, saves rax/rcx/rdx/r8-r11 and
- // rflags, calls pRoutine(pArg), writes the result into the slot (lea disp -0x4C from
- // +0x44 == -0x08), restores what it saved and returns to the old RIP. Only volatile
- // registers are saved; rbx/rbp/rsi/rdi/r12-r15 are not touched by the stub itself.
- // Defender note: the slot store and the byte store at +0x53 both target the region
- // the stub runs from (needs W+X), and the hijacked thread's context is redirected to
- // an address inside that region while the stub runs.
- BYTE Shellcode[] =
- {
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // - 0x08 -> returned value ;pCodecave
- 0x48, 0x83, 0xEC, 0x08, // + 0x00 -> sub rsp, 0x08 ;make room for the manufactured return address; imm8 at +0x03 is cleared at +0x53
- 0xC7, 0x04, 0x24, 0x00, 0x00, 0x00, 0x00, // + 0x04 (+ 0x07) -> mov [rsp], RipLowPart
- 0xC7, 0x44, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, // + 0x0B (+ 0x0F) -> mov [rsp + 0x04], RipHighPart
- 0x50, 0x51, 0x52, 0x41, 0x50, 0x41, 0x51, 0x41, 0x52, 0x41, 0x53, // + 0x13 -> push r(a/c/d)x / r(8 - 11) ;volatile registers only
- 0x9C, // + 0x1E -> pushfq
- 0x48, 0xB8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // + 0x1F (+ 0x21) -> mov rax, pRoutine
- 0x48, 0xB9, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // + 0x29 (+ 0x2B) -> mov rcx, pArg
- 0x48, 0x83, 0xEC, 0x20, // + 0x33 -> sub rsp, 0x20 ;home space
- 0xFF, 0xD0, // + 0x37 -> call rax ;pRoutine(pArg)
- 0x48, 0x83, 0xC4, 0x20, // + 0x39 -> add rsp, 0x20
- 0x48, 0x8D, 0x0D, 0xB4, 0xFF, 0xFF, 0xFF, // + 0x3D -> lea rcx, [pCodecave] ;rip-relative disp -0x4C from +0x44 = -0x08, the slot
- 0x48, 0x89, 0x01, // + 0x44 -> mov [rcx], rax ;store returned value
- 0x9D, // + 0x47 -> popfq
- 0x41, 0x5B, 0x41, 0x5A, 0x41, 0x59, 0x41, 0x58, 0x5A, 0x59, 0x58, // + 0x48 -> pop r(11-8) / r(d/c/a)x ;reverse order of the pushes
- 0xC6, 0x05, 0xA9, 0xFF, 0xFF, 0xFF, 0x00, // + 0x53 -> mov byte ptr [pCodecave + 0x0B], 0 ;rip-relative disp -0x57 from +0x5A = code +0x03, the imm8 of the sub at +0x00 (the x86 variant calls this byte the checkbyte)
- 0xC3 // + 0x5A -> ret ;returns to the old RIP stored at +0x04 / +0x0B
- }; // SIZE = 0x5B (+ 0x08)
- /////////////////////////////////////////
- //THREADHIJACKING X86:
- // Thread-hijack x86 stub. Layout: a 4-byte return-value slot (pCodecave) followed by
- // 0x2C bytes of code. The immediates at +0x06 (OldEip), +0x0F (pArg), +0x14
- // (pRoutine), +0x1C and +0x26 (absolute addresses of pCodecave and pCodecave + 0x06)
- // are zero here and appear to be filled in by the injector. The stub pushes OldEip
- // as a return address, saves eax/ecx/edx and eflags, calls pRoutine with pArg as a
- // single stack argument (nothing re-balances esp after the call, so pRoutine is
- // evidently expected to be __stdcall, as the SetWindowsHookEx x86 variant states),
- // stores eax into the slot, clears the checkbyte and returns to OldEip. Defender
- // note: both absolute stores target the region the stub runs from (needs W+X) and
- // embed absolute pointers to that region inside the code.
- BYTE Shellcode[] =
- {
- 0x00, 0x00, 0x00, 0x00, // - 0x04 (pCodecave) -> returned value ;buffer to store returned value (eax)
- 0x83, 0xEC, 0x04, // + 0x00 -> sub esp, 0x04 ;prepare stack for ret; the imm8 at +0x02 doubles as the checkbyte
- 0xC7, 0x04, 0x24, 0x00, 0x00, 0x00, 0x00, // + 0x03 (+ 0x06) -> mov [esp], OldEip ;store old eip as return address
- 0x50, 0x51, 0x52, // + 0x0A -> push e(a/c/d)x ;save e(a/c/d)x
- 0x9C, // + 0x0D -> pushfd ;save flags register
- 0xB9, 0x00, 0x00, 0x00, 0x00, // + 0x0E (+ 0x0F) -> mov ecx, pArg ;load pArg into ecx
- 0xB8, 0x00, 0x00, 0x00, 0x00, // + 0x13 (+ 0x14) -> mov eax, pRoutine
- 0x51, // + 0x18 -> push ecx ;push pArg
- 0xFF, 0xD0, // + 0x19 -> call eax ;call target function (callee is expected to pop pArg)
- 0xA3, 0x00, 0x00, 0x00, 0x00, // + 0x1B (+ 0x1C) -> mov dword ptr[pCodecave], eax ;store returned value (absolute address)
- 0x9D, // + 0x20 -> popfd ;restore flags register
- 0x5A, 0x59, 0x58, // + 0x21 -> pop e(d/c/a) ;restore e(d/c/a)x
- 0xC6, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, // + 0x24 (+ 0x26) -> mov byte ptr[pCodecave + 0x06], 0x00 ;set checkbyte to 0 (pCodecave + 0x06 = code +0x02)
- 0xC3 // + 0x2B -> ret ;return to OldEip
- }; // SIZE = 0x2C (+ 0x04)
- /////////////////////////////////////////
- //PART 4:
- /////////////////////////////////////////
- //SETWINDOWSHOOKEX X64:
- // SetWindowsHookEx x64 hook-procedure stub. Layout: a 0x18-byte data header (pArg /
- // return slot at -0x18, pRoutine at -0x10, CallNextHookEx at -0x08) followed by
- // 0x3F bytes of code. The hook arguments in rcx/rdx/r8 are shifted to rdx/r8/r9 for
- // CallNextHookEx; rcx is not rewritten, so CallNextHookEx's first argument is
- // whatever the stub itself received in rcx. On the first run the stub keeps
- // CallNextHookEx's result, calls pRoutine(pArg), stores that result in the slot (the
- // two xchg on [rbx] swap slot contents without a spare register) and patches the
- // rel8 of the jmp at +0x21 so every later callback falls straight through to the
- // epilogue. The push rsp / pop rsp pair is balanced: pop rsp reloads the rsp value
- // saved right after push rbp. Defender note: self-patching code and the slot store
- // mean the hook procedure must sit in a W+X region; a hook procedure whose address
- // is not backed by a loaded image is the detection-relevant artifact.
- BYTE Shellcode[] =
- {
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // - 0x18 -> pArg / returned value / rax ;buffer
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // - 0x10 -> pRoutine ;pointer to target function
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // - 0x08 -> CallNextHookEx ;pointer to CallNextHookEx
- 0x55, // + 0x00 -> push rbp ;save important registers
- 0x54, // + 0x01 -> push rsp ;pushes the post-push-rbp rsp; restored by pop rsp at +0x3C
- 0x53, // + 0x02 -> push rbx
- 0x48, 0x8D, 0x1D, 0xDE, 0xFF, 0xFF, 0xFF, // + 0x03 -> lea rbx, [pArg] ;rip-relative disp -0x22 from +0x0A = -0x18, the header
- 0x48, 0x83, 0xEC, 0x20, // + 0x0A -> sub rsp, 0x20 ;reserve stack (entry rsp % 16 == 8, three pushes, so rsp is 16-aligned here)
- 0x4D, 0x8B, 0xC8, // + 0x0E -> mov r9,r8 ;set up arguments for CallNextHookEx
- 0x4C, 0x8B, 0xC2, // + 0x11 -> mov r8, rdx
- 0x48, 0x8B, 0xD1, // + 0x14 -> mov rdx,rcx ;rcx itself is left unchanged
- 0xFF, 0x53, 0x10, // + 0x17 -> call [rbx + 0x10] ;call CallNextHookEx
- 0x48, 0x83, 0xC4, 0x20, // + 0x1A -> add rsp, 0x20 ;update stack
- 0x48, 0x8B, 0xC8, // + 0x1E -> mov rcx, rax ;copy retval into rcx
- 0xEB, 0x00, // + 0x21 -> jmp $ + 0x02 ;jmp to next instruction; its rel8 at +0x22 is rewritten at +0x23
- 0xC6, 0x05, 0xF8, 0xFF, 0xFF, 0xFF, 0x18, // + 0x23 -> mov byte ptr[$ - 0x01], 0x18 ;rip-relative disp -0x08 from +0x2A = +0x22; 0x23 + 0x18 = 0x3B, so later calls jump to pop rbx
- 0x48, 0x87, 0x0B, // + 0x2A -> xchg [rbx], rcx ;store CallNextHookEx retval, load pArg
- 0x48, 0x83, 0xEC, 0x20, // + 0x2D -> sub rsp, 0x20 ;reserve stack
- 0xFF, 0x53, 0x08, // + 0x31 -> call [rbx + 0x08] ;call pRoutine
- 0x48, 0x83, 0xC4, 0x20, // + 0x34 -> add rsp, 0x20 ;update stack
- 0x48, 0x87, 0x03, // + 0x38 -> xchg [rbx], rax ;store pRoutine retval, restore CallNextHookEx retval
- 0x5B, // + 0x3B -> pop rbx ;restore important registers
- 0x5C, // + 0x3C -> pop rsp
- 0x5D, // + 0x3D -> pop rbp
- 0xC3 // + 0x3E -> ret ;return
- }; // SIZE = 0x3F (+ 0x18)
- /////////////////////////////////////////
- //SETWINDOWSHOOKEX X86:
- // SetWindowsHookEx x86 hook-procedure stub. Layout: an 8-byte data header (pArg /
- // return slot at -0x08, pRoutine at -0x04) followed by 0x2D bytes of code. The three
- // hook arguments are re-pushed from the frame and forwarded to CallNextHookEx with a
- // zero hhk; the E8 rel32 at +0x0F and the pArg immediate at +0x18 are zero here and
- // appear to be filled in by the injector. On the first run the stub patches the rel8
- // of the jmp at +0x13 so later callbacks skip from the CallNextHookEx call straight
- // to pop ebp, then calls pRoutine(pArg) and stores eax in the slot. ret 0x000C pops
- // the three stdcall arguments. Defender note: self-patching code and the slot store
- // mean the hook procedure must sit in a W+X region; a hook procedure whose address
- // is not backed by a loaded image is the detection-relevant artifact.
- BYTE Shellcode[] =
- {
- 0x00, 0x00, 0x00, 0x00, // - 0x08 -> pArg ;pointer to argument
- 0x00, 0x00, 0x00, 0x00, // - 0x04 -> pRoutine ;pointer to target function
- 0x55, // + 0x00 -> push ebp ;x86 stack frame creation
- 0x8B, 0xEC, // + 0x01 -> mov ebp, esp
- 0xFF, 0x75, 0x10, // + 0x03 -> push [ebp + 0x10] ;push CallNextHookEx arguments
- 0xFF, 0x75, 0x0C, // + 0x06 -> push [ebp + 0x0C]
- 0xFF, 0x75, 0x08, // + 0x09 -> push [ebp + 0x08]
- 0x6A, 0x00, // + 0x0C -> push 0x00 ;hhk = 0
- 0xE8, 0x00, 0x00, 0x00, 0x00, // + 0x0E (+ 0x0F) -> call CallNextHookEx ;call CallNextHookEx (rel32 is zero here)
- 0xEB, 0x00, // + 0x13 -> jmp $ + 0x02 ;jmp to next instruction; its rel8 at +0x14 is rewritten at +0x1C
- 0x50, // + 0x15 -> push eax ;save eax (CallNextHookEx retval)
- 0x53, // + 0x16 -> push ebx ;save ebx (non volatile)
- 0xBB, 0x00, 0x00, 0x00, 0x00, // + 0x17 (+ 0x18) -> mov ebx, pArg ;move pArg (pCodecave) into ebx
- 0xC6, 0x43, 0x1C, 0x14, // + 0x1C -> mov byte ptr [ebx + 0x1C], 0x14 ;ebx + 0x1C = code +0x14, the rel8 of the jmp above; 0x15 + 0x14 = 0x29, so later calls jump to pop ebp
- 0xFF, 0x33, // + 0x20 -> push [ebx] ;push pArg (__stdcall)
- 0xFF, 0x53, 0x04, // + 0x22 -> call [ebx + 0x04] ;call target function
- 0x89, 0x03, // + 0x25 -> mov [ebx], eax ;store returned value
- 0x5B, // + 0x27 -> pop ebx ;restore old ebx
- 0x58, // + 0x28 -> pop eax ;restore eax (CallNextHookEx retval)
- 0x5D, // + 0x29 -> pop ebp ;restore ebp
- 0xC2, 0x0C, 0x00 // + 0x2A -> ret 0x000C ;return, popping the three stdcall arguments
- }; // SIZE = 0x2D (+ 0x08) ;0x2A + 3 bytes for ret 0x000C
- /////////////////////////////////////////
- //PART 5:
- /////////////////////////////////////////
- //QUEUEUSERAPC X64:
- // QueueUserAPC x64 APC-routine stub. Layout: a 0x18-byte data header (return slot at
- // -0x18, pArg at -0x10, pRoutine at -0x08) followed by 0x2B bytes of code. The APC
- // argument in rcx is presumably the header address: pRoutine and pArg are read as
- // [rcx + 0x10] and [rcx + 0x08]. If pRoutine returns 0 the stub jumps straight to
- // ret, leaving the slot and the jmp at +0x00 untouched, so a later delivery runs the
- // call again; otherwise it stores rax in the slot and patches the jmp's rel8 so later
- // deliveries go directly to ret. Defender note: the slot store and the self-patch
- // both target the region the stub runs from (needs W+X); an APC routine whose
- // address is not backed by a loaded image is the detection-relevant artifact.
- BYTE Shellcode[] =
- {
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // - 0x18 -> returned value ;buffer to store returned value
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // - 0x10 -> pArg ;buffer to store argument
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // - 0x08 -> pRoutine ;pointer to the routine to call
- 0xEB, 0x00, // + 0x00 -> jmp $+0x02 ;jump to the next instruction; its rel8 at +0x01 is rewritten at +0x23
- 0x48, 0x8B, 0x41, 0x10, // + 0x02 -> mov rax, [rcx + 0x10] ;move pRoutine into rax
- 0x48, 0x8B, 0x49, 0x08, // + 0x06 -> mov rcx, [rcx + 0x08] ;move pArg into rcx
- 0x48, 0x83, 0xEC, 0x28, // + 0x0A -> sub rsp, 0x28 ;reserve stack (0x20 home space + 8 keeps rsp 16-aligned at the call)
- 0xFF, 0xD0, // + 0x0E -> call rax ;call pRoutine
- 0x48, 0x83, 0xC4, 0x28, // + 0x10 -> add rsp, 0x28 ;update stack
- 0x48, 0x85, 0xC0, // + 0x14 -> test rax, rax ;check if rax indicates success/failure
- 0x74, 0x11, // + 0x17 -> je pCodecave + 0x2A ;jmp to ret if routine failed (code +0x19 + 0x11 = +0x2A); neither store below runs
- 0x48, 0x8D, 0x0D, 0xC8, 0xFF, 0xFF, 0xFF, // + 0x19 -> lea rcx, [pCodecave] ;rip-relative disp -0x38 from +0x20 = -0x18, the header
- 0x48, 0x89, 0x01, // + 0x20 -> mov [rcx], rax ;store returned value
- 0xC6, 0x05, 0xD7, 0xFF, 0xFF, 0xFF, 0x28, // + 0x23 -> mov byte ptr [$ - 0x22], 0x28 ;rip-relative disp -0x29 from +0x2A = code +0x01, the rel8 of the jmp at +0x00; 0x02 + 0x28 = 0x2A, so later deliveries jump to ret
- 0xC3 // + 0x2A -> ret ;return
- }; // SIZE = 0x2B (+ 0x10)
- /////////////////////////////////////////
- //QUEUEUSERAPC X86:
- // QueueUserAPC x86 APC-routine stub. Layout: a 0x0C-byte data header (return slot
- // at -0x0C, pArg at -0x08, pRoutine at -0x04) followed by 0x1E bytes of code. The
- // single stdcall argument at [ebp + 0x08] is taken as the header address (pCodecave);
- // pArg and pRoutine are read as [ebx + 0x04] and [ebx + 0x08]. If pRoutine returns 0
- // the stub jumps to the epilogue, leaving the slot and the jmp at +0x03 untouched, so
- // a later delivery runs the call again; otherwise it stores eax in the slot and
- // patches the jmp's rel8 so later deliveries skip the call. ret 0x0004 pops the one
- // stdcall argument. Defender note: the slot store and the self-patch both target the
- // region the stub runs from (needs W+X); an APC routine whose address is not backed
- // by a loaded image is the detection-relevant artifact.
- BYTE Shellcode[] =
- {
- 0x00, 0x00, 0x00, 0x00, // - 0x0C -> returned value ;buffer to store returned value
- 0x00, 0x00, 0x00, 0x00, // - 0x08 -> pArg ;buffer to store argument
- 0x00, 0x00, 0x00, 0x00, // - 0x04 -> pRoutine ;pointer to the routine to call
- 0x55, // + 0x00 -> push ebp ;x86 stack frame creation
- 0x8B, 0xEC, // + 0x01 -> mov ebp, esp
- 0xEB, 0x00, // + 0x03 -> jmp pCodecave + 0x05 (+ 0x0C) ;jump to next instruction; its rel8 at code +0x04 is rewritten at +0x15
- 0x53, // + 0x05 -> push ebx ;save ebx
- 0x8B, 0x5D, 0x08, // + 0x06 -> mov ebx, [ebp + 0x08] ;move pCodecave into ebx (non volatile)
- 0xFF, 0x73, 0x04, // + 0x09 -> push [ebx + 0x04] ;push pArg on stack
- 0xFF, 0x53, 0x08, // + 0x0C -> call dword ptr[ebx + 0x08] ;call pRoutine (callee is expected to pop pArg)
- 0x85, 0xC0, // + 0x0F -> test eax, eax ;check if eax indicates success/failure
- 0x74, 0x06, // + 0x11 -> je pCodecave + 0x19 (+ 0x0C) ;jmp to cleanup if routine failed (code +0x13 + 0x06 = +0x19); neither store below runs
- 0x89, 0x03, // + 0x13 -> mov [ebx], eax ;store returned value
- 0xC6, 0x43, 0x10, 0x15, // + 0x15 -> mov byte ptr [ebx + 0x10], 0x15 ;ebx + 0x10 = code +0x04, the rel8 of the jmp at +0x03; 0x05 + 0x15 = 0x1A, so later deliveries jump to pop ebp
- 0x5B, // + 0x19 -> pop ebx ;restore old ebx
- 0x5D, // + 0x1A -> pop ebp ;restore ebp
- 0xC2, 0x04, 0x00 // + 0x1B -> ret 0x0004 ;return, popping the one stdcall argument
- }; // SIZE = 0x1E (+ 0x0C)