2011.04.08 22:09

SOURCE: Shell Code Generator!

Recently ZorgioN's open-source shellcode generator – originally released a long time ago – was updated (v1.3, by karmany); it now has a GUI, so it seemed worth sharing here. Note that the listing below was pasted through a blog engine that stripped backslashes: escape sequences such as `\n`, `\"`, `\\` and `\\x%02x` appear as `n`, `"`, `` and `x%02x`, and must be restored before the code will compile.

/*
		Shell Code Generator v1.3 by ZorgioN.

		v1.3 (January 29, 2011 - by karmany)
		- Fixed getFileName
		- Add TextBox for end-line
		- Add button: About
		- Initial window in center of screen

		v1.2
		- Fixed some bugs and rebuild some parts
		  of the code.

		v1.1
		- Rebuild because of problems and to
		  remove all error messageboxes.

		v1.0
		- First release

	    Some credits for the shellcode gen.
		goes out to JoeK.

*/
#include <windows.h>
#include <stdio.h>
#include <string.h>
#include <new>

/* Control IDs: passed as the HMENU argument of CreateWindowEx when the child
 * controls are created in WM_CREATE and dispatched on via LOWORD(wParam) in
 * WM_COMMAND. IDC_EXIT is handled in mainWindow but no control is created
 * with that ID. */
#define IDC_ABOUT		1001
#define IDC_CLEAR		1002
#define IDC_CLOSE		1003
#define IDC_EXIT		1004
#define IDC_GENERATE	1005
#define IDC_INFOBOX		1006
#define IDC_OPEN		1007
#define IDC_TEXT		1008
#define IDC_LABEL		1009

/* Registered window class name and the main window caption. */
#define CLASS_NAME "SCG-GEN"
#define TITLE_NAME "Shell Code-Generator v1.3"

/* State of the single file the tool works on. The one global instance (File)
 * is shared between the UI thread (mainWindow) and the worker thread
 * (makeShellCode) with no locking; "closing" a file means ZeroMemory() over
 * the whole struct, so an empty cIn_/cOut_ is the "not set" marker. */
struct FILE_INFORMATION {
	char cIn_[MAX_PATH];	/* full path of the input file chosen in IDC_OPEN; "" = no file open */
	char cOut_[MAX_PATH];	/* full path of the output file chosen in IDC_GENERATE; "" = not set */
	char cName_[MAX_PATH];	/* input file name without directory and extension (getFileName) */
	char cType_[MAX_PATH];	/* input file extension, or "unknown" (getFileType) */
	unsigned int uiSize;	/* input size from getFileSize(); NOTE: IDC_OPEN rescales it to KB/MB for display */
}; FILE_INFORMATION File;

HANDLE threadHandle = NULL;	/* worker thread created in IDC_GENERATE; never closed by the original code */
HWND hEdit = NULL;			/* "End of line" edit control; makeShellCode reads its text via WM_GETTEXT */
/* Dynamic initializer, runs before WinMain. The NULL arguments fill the int
 * parameters width/escapement/orientation (i.e. 0). The font is shared by the
 * buttons, label and edit control and is never deleted. */
HFONT hFont = CreateFont(15,NULL,NULL,NULL,FW_DONTCARE,FALSE,FALSE,FALSE,ANSI_CHARSET,OUT_TT_PRECIS,CLIP_TT_ALWAYS,DEFAULT_QUALITY,FF_DONTCARE,"Arial");
HWND listboxWindow = NULL;	/* log list box that sendMessage() appends lines to */

/* Forward declarations. createTextBox and createLabel have none: they are
 * defined before their first use in mainWindow. fileBrowser's bToggle selects
 * the Open (true) or Save (false) dialog; makeShellCode is the worker-thread
 * body started by CreateThread in IDC_GENERATE. */
BOOL fileBrowser(bool bToggle,char *cProgram,char *cType,char *cTitle);
BOOL getFileName(char *cString,char *cReturn);
BOOL getFileType(char *cString,char *cReturn);
DWORD getFileSize(HANDLE fileHandle);
HWND createButton(HWND windowHandle,char *cName,DWORD dwStyle,int iX_axe,int iY_axe,int iWidth,int iHeight,int iItem);
LRESULT CALLBACK mainWindow(HWND windowHandle,UINT uiMessage,WPARAM wParam,LPARAM lParam);
LRESULT resetListBox(HWND windowHandle);
LRESULT setFont(HWND windowHandle,int iItem,HFONT Font);
LRESULT setListBoxFont(HWND windowHandle,DWORD dwFont);
LRESULT sendMessage(HWND windowHandle,char *cMessage, ... );
void makeShellCode(LPVOID);

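/*
 * Program entry point: registers the window class, creates and centres the
 * main window, then pumps messages until WM_QUIT.
 *
 * The named mutex "SCG" acts as a single-instance guard. The original only
 * checked for a NULL handle, which never happens for a second instance:
 * CreateMutex succeeds and merely reports ERROR_ALREADY_EXISTS through
 * GetLastError(), so the guard was inert.
 *
 * Returns the WM_QUIT wParam (0 via PostQuitMessage(0)), or 0 when
 * initialisation fails.
 */
int WINAPI WinMain(HINSTANCE instanceHandle,HINSTANCE Null,LPSTR lpArgument,int iShowCmd) {
	HANDLE mutexHandle = CreateMutex(NULL,TRUE,"SCG");
	if(mutexHandle == NULL) ExitProcess(0);
	if(GetLastError() == ERROR_ALREADY_EXISTS) {
		CloseHandle(mutexHandle);
		return 0;
	}
	ZeroMemory(&File,sizeof(FILE_INFORMATION));

	WNDCLASSEX wincl		= {0};
	wincl.cbSize			= sizeof(WNDCLASSEX);
	wincl.hInstance			= instanceHandle;
	wincl.lpszClassName		= CLASS_NAME;
	wincl.lpfnWndProc		= mainWindow;
	wincl.style				= CS_DBLCLKS;
	wincl.hIcon				= LoadIcon(NULL,IDI_APPLICATION);
	wincl.hIconSm			= LoadIcon(NULL,IDI_APPLICATION);
	wincl.hCursor			= LoadCursor(NULL,IDC_ARROW);
	wincl.lpszMenuName		= NULL;
	wincl.cbClsExtra		= 0;
	wincl.cbWndExtra		= 0;
	/* Win32 expects (HBRUSH)(COLOR_xxx + 1); this value yields the
	 * COLOR_SCROLLBAR brush. Kept as in the original to preserve the look. */
	wincl.hbrBackground		= (HBRUSH)COLOR_BACKGROUND;
	if(!RegisterClassEx(&wincl)) {
		CloseHandle(mutexHandle);
		return 0;
	}

	HWND windowHandle = CreateWindowEx(WS_EX_CLIENTEDGE,CLASS_NAME,TITLE_NAME,WS_SYSMENU|WS_MINIMIZEBOX,CW_USEDEFAULT,CW_USEDEFAULT,325,353,HWND_DESKTOP,NULL,instanceHandle,NULL);
	if(windowHandle == NULL) {
		CloseHandle(mutexHandle);
		return 0;
	}

	/* Centre on the primary screen. GetWindowRect returns screen
	 * coordinates; the original used rc.right/rc.bottom (the edges) as if
	 * they were the width/height, which is only right when the window
	 * happens to be placed at (0,0). */
	RECT rc = {0};
	GetWindowRect(windowHandle,&rc);
	int windowWidth = rc.right - rc.left;
	int windowHeight = rc.bottom - rc.top;
	int screenWidth = GetSystemMetrics(SM_CXSCREEN);
	int screenHeight = GetSystemMetrics(SM_CYSCREEN);
	SetWindowPos(windowHandle,NULL,(screenWidth - windowWidth)/2,(screenHeight - windowHeight)/2,0,0,SWP_NOZORDER|SWP_NOSIZE);

	ShowWindow(windowHandle,iShowCmd);

	MSG msg = {0};
	BOOL gotMessage;
	while((gotMessage = GetMessage(&msg,NULL,0,0)) != 0) {
		if(gotMessage == -1) break;	/* GetMessage error: leave the loop instead of spinning */
		TranslateMessage(&msg);
		DispatchMessage(&msg);
	}
	DeleteObject(hFont);
	CloseHandle(mutexHandle);
	return (int)msg.wParam;
}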

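/*
 * Shows a common Open (bToggle != false) or Save (bToggle == false) dialog.
 *
 * cProgram  receives the chosen path. It MUST be at least MAX_PATH bytes
 *           (nMaxFile is hard-wired to MAX_PATH) and is cleared first, so an
 *           empty string on return means cancel/error.
 * cType     OPENFILENAME filter: "description\0pattern\0" pairs ended by an
 *           extra '\0'.
 * cTitle    dialog caption.
 *
 * Returns the dialog's BOOL result (FALSE on cancel or error).
 *
 * Fixes: the Save dialog used OFN_FILEMUSTEXIST, which refuses any new file
 * name; the output is later opened with CREATE_ALWAYS, so it now prompts
 * before overwriting instead. The dialog is owned by the active window so
 * the main window's buttons cannot be re-entered while it is open.
 */
BOOL fileBrowser(bool bToggle,char *cProgram,char *cType,char *cTitle) {
	char cDirectory[MAX_PATH]	= "";
	OPENFILENAME ofn			= {0};
	GetCurrentDirectory(sizeof(cDirectory),cDirectory);
	cProgram[0]					= '\0';
	ofn.lStructSize				= sizeof(OPENFILENAME);
	ofn.hwndOwner				= GetActiveWindow();	/* the main window when called from its WM_COMMAND */
	ofn.hInstance				= NULL;
	ofn.lpstrFile				= cProgram;
	ofn.nMaxFile				= MAX_PATH;
	ofn.lpstrInitialDir			= cDirectory;
	ofn.lpstrFilter				= cType;
	ofn.lpstrTitle				= cTitle;
	if(bToggle) {
		/* Input: must name an existing file. */
		ofn.Flags				= OFN_PATHMUSTEXIST|OFN_FILEMUSTEXIST;
		return GetOpenFileName(&ofn);
	}
	/* Output: directory must exist; ask before clobbering an existing file. */
	ofn.Flags					= OFN_PATHMUSTEXIST|OFN_OVERWRITEPROMPT;
	return GetSaveFileName(&ofn);
}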

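/*
 * Copies the base name of cString – the text after the last '\\' and before
 * the last '.' of that final component – into cReturn.
 *
 * cReturn must be at least as large as cString (MAX_PATH in this program)
 * and is always NUL-terminated on return. A name without an extension is
 * copied whole.
 *
 * Returns FALSE for a NULL or empty string (cReturn is set to ""), TRUE
 * otherwise.
 *
 * Fixes: when the final component had no '.', the original computed a
 * negative memcpy length (huge size_t) from iEndOffset == 0; it never
 * terminated cReturn (relying on a zeroed buffer); and it appended "*.*"
 * only when the '\\' sat at index 0, which no path from the file dialog
 * ever has – that quirk is dropped.
 */
BOOL getFileName(char *cString,char *cReturn)
{
	if(cString == NULL || cReturn == NULL) return FALSE;
	if(cString[0] == '\0') {
		cReturn[0] = '\0';
		return FALSE;
	}

	/* The name starts right after the last path separator. */
	const char *name = strrchr(cString,'\\');
	name = (name == NULL) ? cString : name + 1;

	/* Only a '.' inside the final component counts as an extension. */
	const char *dot = strrchr(name,'.');
	size_t nameLen = (dot == NULL) ? strlen(name) : (size_t)(dot - name);

	memcpy(cReturn,name,nameLen);
	cReturn[nameLen] = '\0';
	return TRUE;
}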

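/*
 * Copies the extension of cString – the text after the last '.' of the
 * final path component, without the dot – into cReturn, or "unknown" when
 * there is none or the name ends in '.'.
 *
 * cReturn must be at least as large as cString (MAX_PATH here) and is
 * always NUL-terminated. Returns FALSE for a NULL or empty string.
 *
 * Fixes: a '.' in a directory name was taken as the extension ("x\\file"
 * for "C:\\dir.x\\file"); the copy was never terminated (it relied on a
 * zeroed buffer); and ZeroMemory(cReturn, sizeof(cReturn)) only cleared
 * sizeof(char *) bytes.
 */
BOOL getFileType(char *cString,char *cReturn) {
	if(cString == NULL || cReturn == NULL) return FALSE;
	if(cString[0] == '\0') return FALSE;

	const char *name = strrchr(cString,'\\');
	name = (name == NULL) ? cString : name + 1;

	const char *dot = strrchr(name,'.');
	if(dot == NULL || dot[1] == '\0') {
		strcpy(cReturn,"unknown");
		return TRUE;
	}
	/* Bounded by strlen(cString) < MAX_PATH, the size of the caller's buffer. */
	strcpy(cReturn,dot + 1);
	return TRUE;
}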

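/*
 * Size in bytes of an open file, or 0 when it cannot be used. Callers treat
 * 0 as "no size" and close the file.
 *
 * 0 is also returned when GetFileSize fails (INVALID_FILE_SIZE with an
 * error code) or when the size does not fit in a DWORD: the rest of the
 * program reads the whole file into a buffer sized by this value, and the
 * original silently truncated files over 4 GiB to their low 32 bits.
 */
DWORD getFileSize(HANDLE fileHandle) {
	DWORD dwHigh = 0;
	DWORD dwLow = GetFileSize(fileHandle,&dwHigh);
	if(dwLow == INVALID_FILE_SIZE && GetLastError() != NO_ERROR) return 0;
	if(dwHigh != 0) return 0;
	return dwLow;
}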

/* Creates a "Button" child of windowHandle at (iX_axe, iY_axe) with the given
 * size and style; iItem becomes the control ID. Returns the new HWND. */
HWND createButton(HWND windowHandle,char *cName,DWORD dwStyle,int iX_axe,int iY_axe,int iWidth,int iHeight,int iItem) {
	HMENU controlId = (HMENU)iItem;
	HWND buttonHandle = CreateWindowEx(0,"Button",cName,dwStyle,iX_axe,iY_axe,iWidth,iHeight,windowHandle,controlId,NULL,NULL);
	return buttonHandle;
}
/* Creates an "EDIT" child of windowHandle with initial text cName; iItem is
 * the control ID. Returns the new HWND. */
HWND createTextBox(HWND windowHandle,char *cName,DWORD dwStyle,int iX_axe,int iY_axe,int iWidth,int iHeight,int iItem) {
	HMENU controlId = (HMENU)iItem;
	HWND editHandle = CreateWindowEx(0,"EDIT",cName,dwStyle,iX_axe,iY_axe,iWidth,iHeight,windowHandle,controlId,NULL,NULL);
	return editHandle;
}
/* Creates a "STATIC" (label) child of windowHandle showing cName; iItem is
 * the control ID. Returns the new HWND. */
HWND createLabel(HWND windowHandle,char *cName,DWORD dwStyle,int iX_axe,int iY_axe,int iWidth,int iHeight,int iItem) {
	HMENU controlId = (HMENU)iItem;
	HWND labelHandle = CreateWindowEx(0,"STATIC",cName,dwStyle,iX_axe,iY_axe,iWidth,iHeight,windowHandle,controlId,NULL,NULL);
	return labelHandle;
}

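/* True while the worker thread started by IDC_GENERATE is still alive. */
static bool generatorRunning(void) {
	if(threadHandle == NULL) return false;
	return WaitForSingleObject(threadHandle,0) == WAIT_TIMEOUT;
}

/* Logs uiSize in bytes, KB or MB. Unlike the original this does not write the
 * scaled value back into File.uiSize, and the exact boundaries (1000 and
 * 1000000) no longer fall through every branch without a message. */
static void logFileSize(unsigned int uiSize) {
	if(uiSize < 1000u) sendMessage(listboxWindow,"Info: File size = %u byte.",uiSize);
	else if(uiSize < 1000000u) sendMessage(listboxWindow,"Info: File size = %u KB.",uiSize / 1000u);
	else sendMessage(listboxWindow,"Info: File size = %u MB.",uiSize / 1000000u);
}

/*
 * Window procedure of the main window.
 *
 * WM_CREATE builds the controls; WM_COMMAND dispatches on LOWORD(wParam):
 *   IDC_OPEN      choose an input file and record name/type/size in File
 *   IDC_CLOSE     forget the current file
 *   IDC_GENERATE  choose an output file and run makeShellCode on a thread
 *   IDC_CLEAR     reset the log list box
 *   IDC_ABOUT     show the about box
 *   IDC_EXIT      quit (no control is created with this ID)
 *
 * The global File is shared with the worker thread without locking, so
 * Open/Close/Generate are refused while a generation is still running; the
 * original let the UI zero File underneath the thread.
 *
 * Returns 0 for handled messages, DefWindowProc otherwise.
 */
LRESULT CALLBACK mainWindow(HWND windowHandle,UINT uiMessage,WPARAM wParam,LPARAM lParam) {
	switch(uiMessage) {
		case WM_DESTROY:
			PostQuitMessage(0);
			return 0;

		case WM_CREATE: {
			createButton(windowHandle,"Open",WS_VISIBLE|WS_CHILD|WS_BORDER,8,251,149,20,IDC_OPEN);
			createButton(windowHandle,"Generate",WS_VISIBLE|WS_CHILD|WS_BORDER,159,272,149,20,IDC_GENERATE);
			createButton(windowHandle,"Close File",WS_VISIBLE|WS_CHILD|WS_BORDER,8,272,149,20,IDC_CLOSE);
			createButton(windowHandle,"Clear",WS_VISIBLE|WS_CHILD|WS_BORDER,8,293,149,20,IDC_CLEAR);
			createButton(windowHandle,"About...",WS_VISIBLE|WS_CHILD|BS_PUSHBUTTON|WS_BORDER,159,293,149,20,IDC_ABOUT);
			createLabel(windowHandle,"End of line:",WS_VISIBLE|WS_CHILD|WS_BORDER|SS_CENTER,159,251,75,20,IDC_LABEL);
			/* Line-continuation text read by makeShellCode; ES_CENTER (== SS_CENTER) is the EDIT-class flag. */
			hEdit = createTextBox(windowHandle," & _",WS_VISIBLE|WS_CHILD|WS_BORDER|ES_CENTER,233,251,75,20,IDC_TEXT);
			/* makeShellCode reads this into a 5-byte buffer (4 chars + NUL); keep the limit in step. */
			SendMessage(hEdit,EM_LIMITTEXT,(WPARAM)4,0);
			setFont(windowHandle,IDC_OPEN,hFont);
			setFont(windowHandle,IDC_CLOSE,hFont);
			setFont(windowHandle,IDC_CLEAR,hFont);
			setFont(windowHandle,IDC_GENERATE,hFont);
			setFont(windowHandle,IDC_TEXT,hFont);
			setFont(windowHandle,IDC_LABEL,hFont);
			listboxWindow = CreateWindowEx(0,"ListBox",NULL,WS_VISIBLE|WS_CHILD|WS_BORDER|WS_VSCROLL,8,8,300,250,windowHandle,(HMENU)IDC_INFOBOX,NULL,NULL);
			setListBoxFont(listboxWindow,SYSTEM_FIXED_FONT);
			sendMessage(listboxWindow,"Welcome to SCG v1.3");
			return 0;
		}

		case WM_COMMAND:
			switch(LOWORD(wParam)) {
				case IDC_EXIT:
					PostQuitMessage(0);
					break;

				case IDC_ABOUT:
					/* The published listing had blog artefacts ("icon smile SOURCE: ...")
					 * spliced into this literal; they are dropped and the "\n" escapes restored. */
					MessageBox(windowHandle,
								"\n"
								"Shell Code Generator v1.3\n"
								"\nProgram made by ZorgioN, but some credits goes to JoeK for help with the SCG-function\n"
								"\nVersion 1.3 (A small modification) by karmany","About",
								MB_OK|MB_ICONINFORMATION);
					break;

				case IDC_CLOSE:
					if(generatorRunning()) {
						sendMessage(listboxWindow,"Error: Generation still running, please wait!");
						break;
					}
					if(File.cIn_[0] == '\0') {
						sendMessage(listboxWindow,"Error: No file open or already closed!");
						break;
					}
					ZeroMemory(&File,sizeof(FILE_INFORMATION));
					sendMessage(listboxWindow,"Info: File closed!");
					break;

				case IDC_OPEN: {
					if(generatorRunning()) {
						sendMessage(listboxWindow,"Error: Generation still running, please wait!");
						break;
					}
					if(File.cIn_[0] != '\0') {
						sendMessage(listboxWindow,"Error: You already got a file open!");
						break;
					}
					/* Filter must be description/pattern pairs; "*.*\0" alone gave an empty pattern. */
					if(!fileBrowser(TRUE,File.cIn_,"*.*\0*.*\0","Select file") || File.cIn_[0] == '\0') {
						sendMessage(listboxWindow,"Error: No file selected !");
						File.cIn_[0] = '\0';
						break;
					}
					HANDLE fileHandle = CreateFile(File.cIn_,GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
					if(fileHandle == INVALID_HANDLE_VALUE) {
						sendMessage(listboxWindow,"Error: File selected does not exist!");
						ZeroMemory(&File,sizeof(FILE_INFORMATION));
						break;
					}
					/* Each step aborts the open on failure; the original kept
					 * going with an already-zeroed File after the first error. */
					bool ok = (getFileName(File.cIn_,File.cName_) == TRUE);
					if(ok) sendMessage(listboxWindow,"Info: File name = %s",File.cName_);
					else sendMessage(listboxWindow,"Error: No file name found!");
					if(ok) {
						ok = (getFileType(File.cIn_,File.cType_) == TRUE);
						if(ok) sendMessage(listboxWindow,"Info: File type = %s",File.cType_);
						else sendMessage(listboxWindow,"Error: No file type found!");
					}
					if(ok) {
						File.uiSize = getFileSize(fileHandle);
						ok = (File.uiSize != 0);
						if(ok) logFileSize(File.uiSize);
						else sendMessage(listboxWindow,"Error: No file size found!");
					}
					CloseHandle(fileHandle);
					if(!ok) {
						ZeroMemory(&File,sizeof(FILE_INFORMATION));
						sendMessage(listboxWindow,"Info: File closed!");
					}
					break;
				}

				case IDC_CLEAR:
					resetListBox(listboxWindow);
					sendMessage(listboxWindow,"Welcome to SCG v1.3");
					break;

				case IDC_GENERATE: {
					if(generatorRunning()) {
						sendMessage(listboxWindow,"Error: Generation still running, please wait!");
						break;
					}
					if(File.cIn_[0] == '\0') {
						sendMessage(listboxWindow,"Error: You must first open a file!");
						break;
					}
					if(File.cOut_[0] != '\0') {
						sendMessage(listboxWindow,"Error: Output file already set.");
						sendMessage(listboxWindow,"...... You must close current open file too continue!");
						break;
					}
					if(!fileBrowser(FALSE,File.cOut_,"*.*\0*.*\0","Select output-file") || File.cOut_[0] == '\0') {
						sendMessage(listboxWindow,"Error: No file selected!");
						File.cOut_[0] = '\0';
						break;
					}
					/* Release the handle of a previous, finished run; the original leaked one per run. */
					if(threadHandle != NULL) {
						CloseHandle(threadHandle);
						threadHandle = NULL;
					}
					threadHandle = CreateThread(NULL,0,(LPTHREAD_START_ROUTINE)makeShellCode,NULL,0,NULL);
					if(threadHandle == NULL) sendMessage(listboxWindow,"Error: Unable to create thread.");
					break;
				}

				default:
					break;
			}
			return 0;

		default:
			return DefWindowProc(windowHandle,uiMessage,wParam,lParam);
	}
}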

/* Removes every item from the list box (LB_RESETCONTENT ignores both parameters). */
LRESULT resetListBox(HWND windowHandle) {
	const WPARAM unusedW = (WPARAM)-1;
	const LPARAM unusedL = 0;
	return SendMessage(windowHandle,LB_RESETCONTENT,unusedW,unusedL);
}

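/*
 * printf-style append of one line to the list box windowHandle.
 *
 * cMessage must be a format string under the program's control (every call
 * site passes a literal); never pass file names or other external text as
 * the format itself – use "%s". Output is truncated to 1023 characters.
 * _vsnprintf does not NUL-terminate when it truncates, so the terminator is
 * forced explicitly.
 *
 * Returns the LB_INSERTSTRING result (index of the new item, or LB_ERR).
 */
LRESULT sendMessage(HWND windowHandle,char *cMessage, ... ) {
	char cBuffer[1024] = "";
	va_list args;
	va_start(args,cMessage);
	_vsnprintf(cBuffer,sizeof(cBuffer),cMessage,args);
	va_end(args);
	cBuffer[sizeof(cBuffer) - 1] = '\0';
	return SendMessage(windowHandle,LB_INSERTSTRING,(WPARAM)-1,(LPARAM)cBuffer);
}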

/* Applies Font to the child control with ID iItem (no redraw requested). */
LRESULT setFont(HWND windowHandle,int iItem,HFONT Font) {
	WPARAM fontParam = (WPARAM)Font;
	return SendDlgItemMessage(windowHandle,iItem,WM_SETFONT,fontParam,0);
}

/* Sets a stock font (e.g. SYSTEM_FIXED_FONT) on windowHandle and asks for a redraw. */
LRESULT setListBoxFont(HWND windowHandle,DWORD dwFont) {
	HGDIOBJ stockFont = GetStockObject((int)dwFont);
	const LPARAM redraw = 1;
	return SendMessage(windowHandle,WM_SETFONT,(WPARAM)stockFont,redraw);
}

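/*
 * Worker thread body (started by IDC_GENERATE via CreateThread). Reads the
 * whole input file File.cIn_ and writes it to File.cOut_ as a string
 * literal, "\xNN" per byte, 20 bytes per line:
 *
 *     BYTE ShellCode[] = "\x00...\x13"<line_end>\r\n\t\t   "\x14...\x27"
 *
 * where <line_end> is the text of the "End of line" edit (default " & _").
 * As in the original, no terminating ';' is emitted.
 *
 * Every exit path closes handles, frees the buffer and zeroes File; after a
 * write error the partial output file is deleted. The File globals are read
 * without locking, so the UI must not reset them while this runs.
 *
 * Fixes: the original formatted "\xNN" plus NUL (5 bytes) into a 4-byte
 * buffer – a one-byte stack overflow per emitted byte; called
 * TerminateThread on its own thread instead of returning; freed a new[]
 * array with delete; never checked that ReadFile returned the whole file;
 * and emitted the line continuation after the final byte when the size was
 * a multiple of 20, leaving an unclosed '"'.
 */
void makeShellCode(LPVOID /*unused*/) {
	char cFormat[8]		= "";	/* "\xNN" is 4 chars; the BYTE range bounds it */
	char line_end[5]	= "";	/* up to 4 chars from the edit control, plus NUL */
	char text[50]		= "";	/* '"' + line_end + "\r\n\t\t   \"" : at most 13 chars */
	DWORD dwBytesRead	= 0;
	DWORD dwBytesWritten = 0;
	DWORD dwFileSize	= 0;
	size_t len_text		= 0;
	BYTE *buffer		= NULL;
	HANDLE outHandle	= INVALID_HANDLE_VALUE;
	bool deleteOutput	= false;
	static const char header[] = "BYTE ShellCode[] = \"";

	HANDLE fileHandle = CreateFile(File.cIn_,GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
	if(fileHandle == INVALID_HANDLE_VALUE) {
		sendMessage(listboxWindow,"Error: Could not open input-file!");
		ZeroMemory(&File,sizeof(FILE_INFORMATION));
		return;
	}

	/* Continuation written between 20-byte groups: close the literal, append
	 * the user's line ending, open a new indented literal. */
	SendMessage(hEdit,WM_GETTEXT,sizeof(line_end),(LPARAM)line_end);
	line_end[sizeof(line_end) - 1] = '\0';
	sprintf(text,"\"%s\r\n\t\t   \"",line_end);
	len_text = strlen(text);

	dwFileSize = getFileSize(fileHandle);
	if(dwFileSize == 0) {
		sendMessage(listboxWindow,"Error: No file size found!");
		goto cleanup;
	}
	buffer = new (std::nothrow) BYTE[dwFileSize];
	if(buffer == NULL) {
		sendMessage(listboxWindow,"Error: Not enough memory for input-file!");
		goto cleanup;
	}
	if(ReadFile(fileHandle,buffer,dwFileSize,&dwBytesRead,NULL) == 0 || dwBytesRead != dwFileSize) {
		sendMessage(listboxWindow,"Error: Problems reading input-file!");
		goto cleanup;
	}
	CloseHandle(fileHandle);
	fileHandle = INVALID_HANDLE_VALUE;

	outHandle = CreateFile(File.cOut_,GENERIC_WRITE,FILE_SHARE_READ,NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,NULL);
	if(outHandle == INVALID_HANDLE_VALUE) {
		sendMessage(listboxWindow,"Error: Could not create output-file!");
		goto cleanup;
	}
	if(WriteFile(outHandle,header,(DWORD)(sizeof(header) - 1),&dwBytesWritten,NULL) == 0) {
		sendMessage(listboxWindow,"Error: Problems writing to output-file !");
		deleteOutput = true;
		goto cleanup;
	}
	for(DWORD i = 0; i < dwFileSize; i++) {
		/* buffer[i] is 0..255, so "\\x%02x" always yields exactly 4 characters. */
		sprintf(cFormat,"\\x%02x",buffer[i]);
		if(WriteFile(outHandle,cFormat,4,&dwBytesWritten,NULL) == 0) {
			sendMessage(listboxWindow,"Error: Error occur while writing to output-file !");
			sendMessage(listboxWindow,"...... Closing and deleting output-file !");
			deleteOutput = true;
			goto cleanup;
		}
		/* Break the line after every 20 bytes, but only when more follow. */
		if((i + 1) % 20 == 0 && i + 1 < dwFileSize) {
			if(WriteFile(outHandle,text,(DWORD)len_text,&dwBytesWritten,NULL) == 0) {
				sendMessage(listboxWindow,"Error: Error occur while writing to output-file !");
				sendMessage(listboxWindow,"...... Closing and deleting output-file !");
				deleteOutput = true;
				goto cleanup;
			}
		}
	}
	if(WriteFile(outHandle,"\"",1,&dwBytesWritten,NULL) == 0) {
		sendMessage(listboxWindow,"Error: Error occur while writing to output-file !");
		sendMessage(listboxWindow,"...... Closing and deleting output-file !");
		deleteOutput = true;
		goto cleanup;
	}
	sendMessage(listboxWindow,"Info: Shellcode generated !");

cleanup:
	if(outHandle != INVALID_HANDLE_VALUE) CloseHandle(outHandle);
	if(fileHandle != INVALID_HANDLE_VALUE) CloseHandle(fileHandle);
	delete[] buffer;
	if(deleteOutput) DeleteFile(File.cOut_);
	ZeroMemory(&File,sizeof(FILE_INFORMATION));
	sendMessage(listboxWindow,"Info: File closed!");
}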
출처 : pentestit.com
