Add Shellcode to any program

• I first wrote a little program Test.exe ( Note: Because I use the console program does not import user32.dll so I use the direct add Shellcode is not, either in Shellcode import user32.dll or load in the program, if not the following test is unsuccessful .

Test.exe Source Code
#include <stdio.h>#include<windows.h>intMainintargcChar*argv[]) {LoadLibrary ("Kernel32.dll"); LoadLibrary ("user32.dll"); MessageBox (NULL,"Http://cnblogs/ONDragon","Ondragon",0); printf ("test\n"); return 0;}

• Open with UE and add the shellcode we want to add (pops up another MessageBox).

0x0        xx 0x0 to         0x0-0x0                      xxcall771bea11   E8 XXXX

• Explain call 771bea11 This address is my local MessageBox address, even address will not find, then first check yourself to learn this bar (and the back of the oep look for what), there is a small complex to write a novice.
• E8 is a hard-coded call, and 6 a 00 is hard-coded for push 0x00.
• Since the MessageBox needs 4 parameters and is simplifying, we'll give it a push4 of 0, just a simplification.
• All we have to do is add this hard-coded instruction to the program, so where do we add it? We probably learned the PE structure, we just have to find a section of the empty position to add.

• We simply add the hard code above to the program, but it is not added directly, and requires a conversion.
• Address to jump = E8 The address of the next instruction + XXXX. (E9 the same, will encounter below)!!!
• XXXX = Address to jump-E8 the address of the next instruction. (E9 the same, will encounter below)!!!
• For example, we want to jump to the address is the MessageBox address 771bea11, we can not directly write E8 (call) 771BEA11, the need for formula conversion, the address to jump is (771BEA11)-E8 the next instruction address.
• Example:
• We add our shellcode at the address of the file offset to 5940.
• 6A 6A, 6A, 6A xx (note the format of the size end )
• XXXX (the value that will be filled in after E8) = 771BEA11-0040594D (the address of the next instruction of E8).
• Also note that it must be minus 0040594D, which is the memory address RVA is not a file offset.

• However, the program does not run itself to this location to run the code, so to let the program itself open to run the code here, so to modify the Oep.

• So the program will run to our shellcode to execute our code, but, in order not to let the Discovery program be modified, we have to let it execute after our code, and then to normal execution of their own code, so we have to jump back to the normal entrance oep.

• So we use E9 (JMP hard Code) program to execute our code unconditionally jump to normal entry oep, so xxxx = normal Oep-e9 The address of the next instruction = 401071-405952 = ffffb71f.
• Then save the run, and the Shellcode will pop up first. Ok.

• Summarize

1. Attention is not suitable for beginners.
2. Be careful, be LoadLibrary ("User32.dll"), and only for the console program.
3. Note the size-end format.
4. Note the conversion of the address behind E8 (E9).
5. Note The Add code address is (in-memory address) RVA.
6. or learn to learn PE.

Add Shellcode to any program