Shellcode Loader

Shellcode Loader is a simple command-line tool to test shellcodes.
It is written in C and provided open source.
Works on any Windows from WinXP up to Win10.

Shellcode Loader

More info and Download on its page

CryptoGear encryption algorithm
Symmetric-key block encryption cipher developed by BreakingSecurity.

You can find its C++ implementation here.

RC4 class in C++

Standard RC4 encryption algorithm.
Simple and fast, it is a famous algorithm used in many applications.

cRC4.h :

* Standard RC4 Encryption
* C++ Class
* Coded by Viotto ©

#include <string>
using namespace std;

class CRC4

	CRC4(unsigned char* pKey, unsigned int lenKey);

	void RC4(unsigned char pData[], unsigned long lenData);
	string RC4Str(unsigned char* pInputData, unsigned long InputSize);
	void Initialize(unsigned char* pKey, unsigned int lenKey);

	int m_sBox[256]; //substitution-box
	int a, b;	
	unsigned char swap;


cRC4.cpp :

* Standard RC4 Encryption
* C++ Class
* Coded by Viotto ©

#include "cRC4.h"

// Constructor. It will generate s-box based on the provided key.
// This way future encryption/decryptions routines will not have to recreate s-box each time.
CRC4::CRC4(unsigned char* pKey, unsigned int lenKey)
	Initialize(pKey, lenKey);

/* Overloaded costructor with no arguments.
   Must initialize s-box manually.           */

void CRC4::Initialize(unsigned char* pKey, unsigned int lenKey)
	// Initialize substitution box, based on the provided key.

	b = 0;

	for (a = 0; a < 256; a++)
		m_sBox[a] = a;

	for (a = 0; a < 256; a++)
		b = (b + m_sBox[a] + pKey[a % lenKey]) % 256;
		swap = m_sBox[a];
		m_sBox[a] = m_sBox[b];
		m_sBox[b] = swap;

void CRC4::RC4(unsigned char pData[], unsigned long lenData)
	int sBox[256];
	int i = 0, j = 0;
	long Offset;

	// Create a local copy of the s-box. Better than recreating each time before encrypting/decrypting.
	memcpy(sBox, m_sBox, 256 * sizeof(int));

	//Encrypt the data
	for (Offset = 0; Offset < lenData; Offset++)
		i = (i + 1) % 256;
		j = (j + sBox[i]) % 256;
		swap = sBox[i];
		sBox[i] = sBox[j];
		sBox[j] = swap;
		pData[Offset] ^= sBox[(sBox[i] + sBox[j]) % 256];

// This function does not overwrite input with output, but saves it on a separate string.
string CRC4::RC4Str(unsigned char* pInputData, unsigned long InputSize)
	string sInputOutputData((char*)pInputData, InputSize);
	RC4((unsigned char*)sInputOutputData.c_str(), InputSize);
	return sInputOutputData;
C++ FileSearch

A simple and fast recursive function which can be used to search for a filename or part of it,
inside a specified folder and all of its subdirectories.

#include <windows.h>
#include <algorithm>
#include <string>
using namespace std;

bool FileSearch(string sSearch, string sFolder)
	// This recursive function will search for a filename or part of it,
	// inside the specified folder and in all its subfolders.
	// Coded by Viotto -

	std::transform(sSearch.begin(), sSearch.end(), sSearch.begin(), ::tolower);

	// Check for final slash in path and append it if missing
	if (sFolder[sFolder.length() -1] != '\')
		sFolder += "\";

	WIN32_FIND_DATA FileInfo;
	HANDLE hFind = FindFirstFileA(string(sFolder + "*").c_str(), &FileInfo);

		return false;
	string sFileInfo;

	while (FindNextFile(hFind, &FileInfo) != 0)
		if (FileInfo.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY
			&& strcmp(FileInfo.cFileName, ".") != 0
			&& strcmp(FileInfo.cFileName, "..") != 0)
			string sRecursiveDir = sFolder + string(FileInfo.cFileName);
			FileSearch(sSearch, sRecursiveDir);

		string sFileName(FileInfo.cFileName);
		std::transform(sFileName.begin(), sFileName.end(), sFileName.begin(), ::tolower);
		if (sFileName.find(sSearch) != string::npos)
			//Search string has been found inside file name
			printf(string(sFolder + FileInfo.cFileName + "n").c_str());
	return true;

// Usage example:
// filesearch "Notepad" "C:Windows"
void main(int argc, char* argv[])
	if (argc == 3)
		FileSearch(argv[1], argv[2]);
		printf("Search finished!n");
	else printf("Wrong number of parametersn");

[ C ] Get Process path from PID at kernel level

At user-level, such a simple task is straightforward as it should, by the use of APIs like GetModuleFileNameEx().

However, there’s no documented way to do it at kernel level.
I found a lot of people asking for it, but didn’t find any clear functioning snippet, so I figured it could be useful to share mine.

BOOLEAN KrnGetProcessPath(HANDLE hProcessId)
// ProcessID handle can be get using PsGetCurrentProcessId(),
// or by using process callback routines such as PsSetCreateProcessNotifyRoutine()
	HANDLE hProcess = NULL;

	cid.UniqueProcess = hProcessId; 
	cid.UniqueThread = NULL;
	InitializeObjectAttributes(&obj_attr, NULL, 0, NULL, NULL);
	ZwOpenProcess(&hProcess, GENERIC_READ, &obj_attr, &cid);

	// When the ProcessInformationClass parameter is ProcessImageFileName, 
	//	the buffer pointed to by the ProcessInformation parameter should be large enough to hold a UNICODE_STRING structure, 
	//	as well as the string itself.
	WCHAR ustrBuffer[(sizeof(UNICODE_STRING) / sizeof(WCHAR)) + 260];

	// Initialize UNICODE_STRING
	ustrPath.Buffer = ustrBuffer;
	ustrPath.Length = 0x0;
	ustrPath.MaximumLength = sizeof(ustrBuffer);

	// Process path will be saved inside the unicode string.
	NTSTATUS ret = ZwQueryInformationProcess(hProcess, ProcessImageFileName, &ustrPath, sizeof(ustrBuffer), NULL);

	if (NT_SUCCESS(ret))
		DbgPrintEx(DPFLTR_IHVDRIVER_ID, 0, "[DEBUG] process path: %wZn", ustrPath);
		return TRUE;
		DbgPrintEx(DPFLTR_IHVDRIVER_ID, 0, "[ERROR] error getting process path: %xn", ret);
		return FALSE;
LoadDll: LoadLibrary alternative in C

The following code is a replacement for the Windows LoadLibrary() function, an alternative way to load a DLL in our address space.

#include <Windows.h>

typedef struct _UNICODE_STRING 
{ // UNICODE_STRING structure
         USHORT Length;
         USHORT MaximumLength;
         PWSTR  Buffer;

typedef NTSTATUS (WINAPI *fLdrLoadDll) //LdrLoadDll function prototype 
         IN PWCHAR PathToFile OPTIONAL,
         IN ULONG Flags OPTIONAL, 
         IN PUNICODE_STRING ModuleFileName, 
         OUT PHANDLE ModuleHandle 

typedef VOID (WINAPI *fRtlInitUnicodeString) //RtlInitUnicodeString function prototype
         PUNICODE_STRING DestinationString,
         PCWSTR SourceString

HMODULE hntdll;
fLdrLoadDll _LdrLoadDll;
fRtlInitUnicodeString _RtlInitUnicodeString;

HMODULE LoadDll( LPCSTR lpFileName) 
   //by Viotto -

   if (hntdll      == NULL) { hntdll = GetModuleHandleA("ntdll.dll"); }
   if (_LdrLoadDll == NULL) { _LdrLoadDll = (fLdrLoadDll) GetProcAddress ( hntdll, "LdrLoadDll"); }
   if (_RtlInitUnicodeString == NULL) 
   { _RtlInitUnicodeString = (fRtlInitUnicodeString) GetProcAddress ( hntdll, "RtlInitUnicodeString"); }

   int StrLen = lstrlenA(lpFileName);
   BSTR WideStr = SysAllocStringLen(NULL, StrLen);
   MultiByteToWideChar(CP_ACP, 0, lpFileName, StrLen, WideStr, StrLen);

   _RtlInitUnicodeString(&usDllName, WideStr);

   HANDLE DllHandle; 
   _LdrLoadDll(0, 0, &usDllName, &DllHandle);

   return (HMODULE)DllHandle;

int main() //Usage example
   HMODULE hmodule = LoadDll("Kernel32.dll");
   //HMODULE hmodule = LoadLibraryA("Kernel32.dll");
   return (int)hmodule;
Viotto .OCX Registrator

Viotto OCX Registrator is a simple tool to install, register and unregister OCX files.
It is released free and open source.
It is coded in Embarcadero C++.
You can find it here.