HackTricks
Search…
🤩
Generic Methodologies & Resources
🐧
Linux Hardening
🍏
MacOS Hardening
🪟
Windows Hardening
📱
Mobile Pentesting
👽
Network Services Pentesting
🕸
Pentesting Web
⛈
Cloud Security
😎
Hardware/Physical Access
🦅
Reversing & Exploiting
🔮
Crypto & Stego
🧐
External Platforms Reviews/Writeups
✍
TODO
Blobrunner
Support HackTricks and get benefits!
The only modified line from the original code is the line 10.
In order to compile it just create a C/C++ project in Visual Studio Code, copy and paste the code and build it.
1
#include <stdio.h>
2
#include <windows.h>
3
#include <stdlib.h>
4
5
#ifdef _WIN64
6
#include <WinBase.h>
7
#endif
8
9
// Define bool
10
#pragma warning(disable:4996)
11
#define true 1
12
#define false 0
13
14
const char* _version = "0.0.5";
15
16
const char* _banner = " __________.__ ___. __________\n"
17
" \\______ \\ | ____\\_ |__\\______ \\__ __ ____ ____ ___________ \n"
18
" | | _/ | / _ \\| __ \\| _/ | \\/ \\ / \\_/ __ \\_ __ \\ \n"
19
" | | \\ |_( <_> ) \\_\\ \\ | \\ | / | \\ | \\ ___/| | \\/ \n"
20
" |______ /____/\\____/|___ /____|_ /____/|___| /___| /\\___ >__| \n"
21
" \\/ \\/ \\/ \\/ \\/ \\/ \n\n"
22
" %s \n\n";
23
24
25
void banner() {
26
system("cls");
27
printf(_banner, _version);
28
return;
29
}
30
31
LPVOID process_file(char* inputfile_name, bool jit, int offset, bool debug) {
32
LPVOID lpvBase;
33
FILE* file;
34
unsigned long fileLen;
35
char* buffer;
36
DWORD dummy;
37
38
file = fopen(inputfile_name, "rb");
39
40
if (!file) {
41
printf(" [!] Error: Unable to open %s\n", inputfile_name);
42
43
return (LPVOID)NULL;
44
}
45
46
printf(" [*] Reading file...\n");
47
fseek(file, 0, SEEK_END);
48
fileLen = ftell(file); //Get Length
49
50
printf(" [*] File Size: 0x%04x\n", fileLen);
51
fseek(file, 0, SEEK_SET); //Reset
52
53
fileLen += 1;
54
55
buffer = (char*)malloc(fileLen); //Create Buffer
56
fread(buffer, fileLen, 1, file);
57
fclose(file);
58
59
printf(" [*] Allocating Memory...");
60
61
lpvBase = VirtualAlloc(NULL, fileLen, 0x3000, 0x40);
62
63
printf(".Allocated!\n");
64
printf(" [*] |-Base: 0x%08x\n", (int)(size_t)lpvBase);
65
printf(" [*] Copying input data...\n");
66
67
CopyMemory(lpvBase, buffer, fileLen);
68
return lpvBase;
69
}
70
71
void execute(LPVOID base, int offset, bool nopause, bool jit, bool debug)
72
{
73
LPVOID shell_entry;
74
75
#ifdef _WIN64
76
DWORD thread_id;
77
HANDLE thread_handle;
78
const char msg[] = " [*] Navigate to the Thread Entry and set a breakpoint. Then press any key to resume the thread.\n";
79
#else
80
const char msg[] = " [*] Navigate to the EP and set a breakpoint. Then press any key to jump to the shellcode.\n";
81
#endif
82
83
shell_entry = (LPVOID)((UINT_PTR)base + offset);
84
85
#ifdef _WIN64
86
87
printf(" [*] Creating Suspended Thread...\n");
88
thread_handle = CreateThread(
89
NULL, // Attributes
90
0, // Stack size (Default)
91
shell_entry, // Thread EP
92
NULL, // Arguments
93
0x4, // Create Suspended
94
&thread_id); // Thread identifier
95
96
if (thread_handle == NULL) {
97
printf(" [!] Error Creating thread...");
98
return;
99
}
100
printf(" [*] Created Thread: [%d]\n", thread_id);
101
printf(" [*] Thread Entry: 0x%016x\n", (int)(size_t)shell_entry);
102
103
#endif
104
105
if (nopause == false) {
106
printf("%s", msg);
107
getchar();
108
}
109
else
110
{
111
if (jit == true) {
112
// Force an exception by making the first byte not executable.
113
// This will cause
114
DWORD oldp;
115
116
printf(" [*] Removing EXECUTE access to trigger exception...\n");
117
118
VirtualProtect(shell_entry, 1 , PAGE_READWRITE, &oldp);
119
}
120
}
121
122
#ifdef _WIN64
123
printf(" [*] Resuming Thread..\n");
124
ResumeThread(thread_handle);
125
#else
126
printf(" [*] Entry: 0x%08x\n", (int)(size_t)shell_entry);
127
printf(" [*] Jumping to shellcode\n");
128
__asm jmp shell_entry;
129
#endif
130
}
131
132
void print_help() {
133
printf(" [!] Error: No file!\n\n");
134
printf(" Required args: <inputfile>\n\n");
135
printf(" Optional Args:\n");
136
printf(" --offset <offset> The offset to jump into.\n");
137
printf(" --nopause Don't pause before jumping to shellcode. Danger!!! \n");
138
printf(" --jit Forces an exception by removing the EXECUTE permission from the alloacted memory.\n");
139
printf(" --debug Verbose logging.\n");
140
printf(" --version Print version and exit.\n\n");
141
}
142
143
int main(int argc, char* argv[])
144
{
145
LPVOID base;
146
int i;
147
int offset = 0;
148
bool nopause = false;
149
bool debug = false;
150
bool jit = false;
151
char* nptr;
152
153
banner();
154
155
if (argc < 2) {
156
print_help();
157
return -1;
158
}
159
160
printf(" [*] Using file: %s \n", argv[1]);
161
162
for (i = 2; i < argc; i++) {
163
if (strcmp(argv[i], "--offset") == 0) {
164
printf(" [*] Parsing offset...\n");
165
i = i + 1;
166
if (strncmp(argv[i], "0x", 2) == 0) {
167
offset = strtol(argv[i], &nptr, 16);
168
}
169
else {
170
offset = strtol(argv[i], &nptr, 10);
171
}
172
}
173
else if (strcmp(argv[i], "--nopause") == 0) {
174
nopause = true;
175
}
176
else if (strcmp(argv[i], "--jit") == 0) {
177
jit = true;
178
nopause = true;
179
}
180
else if (strcmp(argv[i], "--debug") == 0) {
181
debug = true;
182
}
183
else if (strcmp(argv[i], "--version") == 0) {
184
printf("Version: %s", _version);
185
}
186
else {
187
printf("[!] Warning: Unknown arg: %s\n", argv[i]);
188
}
189
}
190
191
base = process_file(argv[1], jit, offset, debug);
192
if (base == NULL) {
193
printf(" [!] Exiting...");
194
return -1;
195
}
196
printf(" [*] Using offset: 0x%08x\n", offset);
197
execute(base, offset, nopause, jit, debug);
198
printf("Pausing - Press any key to quit.\n");
199
getchar();
200
return 0;
201
}
Copied!
Support HackTricks and get benefits!
Last modified 2mo ago
Copy link