Shellcode Loader

Shellcode Loader is a simple command-line tool to test shellcodes.
It is written in C and provided open source.
Works on any Windows from WinXP up to Win10.

Shellcode Loader

More info and Download on its page

CryptoGear encryption algorithm
Symmetric-key block encryption cipher developed by BreakingSecurity.

You can find its C++ implementation here.

RC4 class in C++

Standard RC4 encryption algorithm.
Simple and fast, it is a famous algorithm used in many applications.

cRC4.h :

/***********************************************************
* Standard RC4 Encryption
* C++ Class
* Coded by Viotto © BreakingSecurity.net
***********************************************************/
#include <string>
using namespace std;
class CRC4
{
public:
	CRC4(unsigned char* pKey, unsigned int lenKey);
	CRC4();
	void RC4(unsigned char pData[], unsigned long lenData);
	string RC4Str(unsigned char* pInputData, unsigned long InputSize);
	void Initialize(unsigned char* pKey, unsigned int lenKey);
private:
	int m_sBox[256]; //substitution-box
	int a, b;	
	unsigned char swap;
};

 

cRC4.cpp :

/***********************************************************
* Standard RC4 Encryption
* C++ Class
* Coded by Viotto © BreakingSecurity.net
***********************************************************/

#include "cRC4.h"
// Constructor. It will generate s-box based on the provided key.
// This way future encryption/decryptions routines will not have to recreate s-box each time.
CRC4::CRC4(unsigned char* pKey, unsigned int lenKey)
{
	Initialize(pKey, lenKey);
}
/* Overloaded costructor with no arguments.
   Must initialize s-box manually.           */
CRC4::CRC4()
{}

void CRC4::Initialize(unsigned char* pKey, unsigned int lenKey)
{
	// Initialize substitution box, based on the provided key.
	b = 0;
	for (a = 0; a < 256; a++)
	{
		m_sBox[a] = a;
	}
	for (a = 0; a < 256; a++)
	{
		b = (b + m_sBox[a] + pKey[a % lenKey]) % 256;
		swap = m_sBox[a];
		m_sBox[a] = m_sBox[b];
		m_sBox[b] = swap;
	}
}

void CRC4::RC4(unsigned char pData[], unsigned long lenData)
{
	int sBox[256];
	int i = 0, j = 0;
	long Offset;
	// Create a local copy of the s-box. Better than recreating each time before encrypting/decrypting.
	memcpy(sBox, m_sBox, 256 * sizeof(int));
	//Encrypt the data
	for (Offset = 0; Offset < lenData; Offset++)
	{
		i = (i + 1) % 256;
		j = (j + sBox[i]) % 256;
		swap = sBox[i];
		sBox[i] = sBox[j];
		sBox[j] = swap;
		pData[Offset] ^= sBox[(sBox[i] + sBox[j]) % 256];
	}
}

// This function does not overwrite input with output, but saves it on a separate string.
string CRC4::RC4Str(unsigned char* pInputData, unsigned long InputSize)
{
	string sInputOutputData((char*)pInputData, InputSize);
	RC4((unsigned char*)sInputOutputData.c_str(), InputSize);
	return sInputOutputData;
}
C++ FileSearch

A simple and fast recursive function which can be used to search for a filename or part of it,
inside a specified folder and all of its subdirectories.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
#include <windows.h>
#include <algorithm>
#include <string>
using namespace std;
//_____________________________________________
//
// FileSearch Function
// 
// This function will search for a filename or part of it,
// inside the specified directory and in all of the subdirectories.
// © BreakingSecurity.net
//
// PARAMETERS:
// sSearch: String which specifies a filename, or a part of filename to be searched for.
// sDir: Path to search in (ex: "C:\\Windows")
//_____________________________________________
//
bool FileSearch(string sSearch, string sDir)
{
	// Convert all characters to lowercase
	std::transform(sSearch.begin(), sSearch.end(), sSearch.begin(), ::tolower);
	
	// Check for final slash in path and append it if missing
	if (sDir[sDir.length() -1] != '\\')
	{
		sDir += "\\";
	}
	
	WIN32_FIND_DATA FileInfo;
	HANDLE hFind = FindFirstFileA(string(sDir + "*").c_str(), &FileInfo);
	if (hFind == INVALID_HANDLE_VALUE)
	{
		FindClose(hFind);
		return false;
	}
	string sFileInfo;
	while (FindNextFile(hFind, &FileInfo) != 0)
	{
		if (FileInfo.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY
			&& strcmp(FileInfo.cFileName, ".") != 0
			&& strcmp(FileInfo.cFileName, "..") != 0)
		{
			// Recursive seach inside subdirectory
			string sRecursiveDir = sDir + string(FileInfo.cFileName);
			FileSearch(sSearch, sRecursiveDir);
		}
		
		string sFileName(FileInfo.cFileName);
		
		// Convert all characters to lowercase
		std::transform(sFileName.begin(), sFileName.end(), sFileName.begin(), ::tolower);
		
		// Check if filename contains search string
		if (sFileName.find(sSearch) != string::npos)
		{
			//Search string has been found inside file name
			printf(string(sDir + FileInfo.cFileName + "\n").c_str());
		}
	}
	FindClose(hFind);
	return true;
}
// Usage example:
// FileSearch.exe "Notepad" "C:Windows"
void main(int argc, char* argv[])
{
	if (argc == 3)
	{
		FileSearch(argv[1], argv[2]);
		printf("Search finished!\n");
	}
	else printf("Wrong number of parameters\n");
	system("pause");
}
[ C ] Get Process path from PID at kernel level

At user-level, such a simple task is straightforward as it should, by the use of APIs like GetModuleFileNameEx().

However, there’s no documented way to do it at kernel level.
I found a lot of people asking for it, but didn’t find any clear functioning snippet, so I figured it could be useful to share mine.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
BOOLEAN KrnGetProcessPath(HANDLE hProcessId)
// ProcessID handle can be get using PsGetCurrentProcessId(),
// or by using process callback routines such as PsSetCreateProcessNotifyRoutine()
{
	HANDLE hProcess = NULL;
	OBJECT_ATTRIBUTES obj_attr;
	CLIENT_ID cid;
	cid.UniqueProcess = hProcessId; 
	cid.UniqueThread = NULL;
	InitializeObjectAttributes(&obj_attr, NULL, 0, NULL, NULL);
	ZwOpenProcess(&hProcess, GENERIC_READ, &obj_attr, &cid);
	// When the ProcessInformationClass parameter is ProcessImageFileName, 
	//	the buffer pointed to by the ProcessInformation parameter should be large enough to hold a UNICODE_STRING structure, 
	//	as well as the string itself.
	WCHAR ustrBuffer[(sizeof(UNICODE_STRING) / sizeof(WCHAR)) + 260];
	UNICODE_STRING ustrPath;
	// Initialize UNICODE_STRING
	ustrPath.Buffer = ustrBuffer;
	ustrPath.Length = 0x0;
	ustrPath.MaximumLength = sizeof(ustrBuffer);
	// Process path will be saved inside the unicode string.
	NTSTATUS ret = ZwQueryInformationProcess(hProcess, ProcessImageFileName, &ustrPath, sizeof(ustrBuffer), NULL);
	if (NT_SUCCESS(ret))
	{
		DbgPrintEx(DPFLTR_IHVDRIVER_ID, 0, "[DEBUG] process path: %wZ\n", ustrPath);
		return TRUE;
	}
	else
	{
		DbgPrintEx(DPFLTR_IHVDRIVER_ID, 0, "[ERROR] error getting process path: %x\n", ret);
		return FALSE;
	}
}
LoadDll: LoadLibrary alternative in C

The following code is a replacement for the Windows LoadLibrary() function, an alternative way to load a DLL in our address space.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
#include <Windows.h>
// UNICODE_STRING structure
typedef struct _UNICODE_STRING 
{
    USHORT Length;
    USHORT MaximumLength;
    PWSTR  Buffer;
} UNICODE_STRING, *PUNICODE_STRING;
//LdrLoadDll function prototype 
typedef NTSTATUS (WINAPI *fLdrLoadDll) 
(
	IN PWCHAR PathToFile OPTIONAL,
	IN ULONG Flags OPTIONAL, 
	IN PUNICODE_STRING ModuleFileName, 
	OUT PHANDLE ModuleHandle 
); 
//RtlInitUnicodeString function prototype
typedef VOID (WINAPI *fRtlInitUnicodeString) 
(
	PUNICODE_STRING DestinationString,
	PCWSTR SourceString
);
HMODULE hNtDll;
fLdrLoadDll _LdrLoadDll;
fRtlInitUnicodeString _RtlInitUnicodeString;
//_____________________________________________
//
// LoadDll: LoadLibrary replacement
// 
// This function loads the specified DLL into our process.
// This function is a replacement for the Windows LoadLibrary() function. 
//
// PARAMETERS:
// szFileName: path of the DLL to load.
//
// RETURN VALUE:
// HMODULE DllHandle: An handle to the DLL module in memory.
//_____________________________________________
//
HMODULE LoadDll( LPCSTR szFileName) 
{  
   // Load required functions dinamically
   hNtDll = GetModuleHandleA("ntdll.dll");
   _LdrLoadDll = (fLdrLoadDll) GetProcAddress( hNtDll, "LdrLoadDll");
   _RtlInitUnicodeString = (fRtlInitUnicodeString) GetProcAddress( hNtDll, "RtlInitUnicodeString");
   int StrLen = lstrlenA(szFileName);
   BSTR WideStr = SysAllocStringLen(NULL, StrLen);
   MultiByteToWideChar(CP_ACP, 0, szFileName, StrLen, WideStr, StrLen);
   UNICODE_STRING usDllName;
   _RtlInitUnicodeString(&usDllName, WideStr);
   SysFreeString(WideStr);
   HANDLE DllHandle; 
   _LdrLoadDll(0, 0, &usDllName, &DllHandle);
   return (HMODULE)DllHandle;
}
int main() //Usage example
{
   HMODULE hmodule = LoadDll("Kernel32.dll");
   return (int)hmodule;
}
Viotto .OCX Registrator

Viotto OCX Registrator is a simple tool to install, register and unregister OCX files.
It is released free and open source.
It is coded in Embarcadero C++.
You can find it here.