8 |
9 | Two methods are used to mark & dump shellcode from a compiled C method
10 |
11 |
12 |
13 |
14 | When compiled, the shellcode is placed in a separate section
15 |
16 |
17 | This way the shellcode can be extracted via two methods: function-address subtraction at runtime, or PE/ELF section parsing. I prefer the first one, since it's easier and more universal — but note that it only works if the compiler emits `shellcode()` and `shellcode_end()` adjacently and in source order inside that section (function reordering, identical-code folding, LTO or incremental-link thunks all break the size computation, so always verify the dumped bytes).
18 |
19 |
20 |
21 | Function address subtraction to extract shellcode
22 |
23 |
24 | ## ℹ️ Demonstration
25 |
26 |
27 | Microsoft Visual C++ compiler
28 |
29 |
30 |
31 |
32 | Clang (LLVM/MinGW) compiler
33 |
34 |
35 |
36 |
37 | Clang ARM64 (Android) compiler
38 |
39 |
--------------------------------------------------------------------------------
/c2shell.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.34301.259
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Shellcode", "Shellcode\Shellcode.vcxproj", "{62CAD85A-3CD3-4CD5-8837-0410F3478DBE}"
7 | EndProject
8 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Loader", "Loader\Loader.vcxproj", "{7CBE89FC-447E-47AA-A613-3F2EA193587C}"
9 | EndProject
10 | Global
11 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
12 | Debug|Any CPU = Debug|Any CPU
13 | Debug|x64 = Debug|x64
14 | Debug|x86 = Debug|x86
15 | Release|Any CPU = Release|Any CPU
16 | Release|x64 = Release|x64
17 | Release|x86 = Release|x86
18 | EndGlobalSection
19 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
20 | {62CAD85A-3CD3-4CD5-8837-0410F3478DBE}.Debug|Any CPU.ActiveCfg = Debug|Win32
21 | {62CAD85A-3CD3-4CD5-8837-0410F3478DBE}.Debug|x64.ActiveCfg = Debug|x64
22 | {62CAD85A-3CD3-4CD5-8837-0410F3478DBE}.Debug|x64.Build.0 = Debug|x64
23 | {62CAD85A-3CD3-4CD5-8837-0410F3478DBE}.Debug|x86.ActiveCfg = Debug|Win32
24 | {62CAD85A-3CD3-4CD5-8837-0410F3478DBE}.Debug|x86.Build.0 = Debug|Win32
25 | {62CAD85A-3CD3-4CD5-8837-0410F3478DBE}.Release|Any CPU.ActiveCfg = Release|Win32
26 | {62CAD85A-3CD3-4CD5-8837-0410F3478DBE}.Release|x64.ActiveCfg = Release|x64
27 | {62CAD85A-3CD3-4CD5-8837-0410F3478DBE}.Release|x64.Build.0 = Release|x64
28 | {62CAD85A-3CD3-4CD5-8837-0410F3478DBE}.Release|x86.ActiveCfg = Release|Win32
29 | {62CAD85A-3CD3-4CD5-8837-0410F3478DBE}.Release|x86.Build.0 = Release|Win32
30 | {7CBE89FC-447E-47AA-A613-3F2EA193587C}.Debug|Any CPU.ActiveCfg = Debug|Win32
31 | {7CBE89FC-447E-47AA-A613-3F2EA193587C}.Debug|x64.ActiveCfg = Debug|x64
32 | {7CBE89FC-447E-47AA-A613-3F2EA193587C}.Debug|x64.Build.0 = Debug|x64
33 | {7CBE89FC-447E-47AA-A613-3F2EA193587C}.Debug|x86.ActiveCfg = Debug|Win32
34 | {7CBE89FC-447E-47AA-A613-3F2EA193587C}.Debug|x86.Build.0 = Debug|Win32
35 | {7CBE89FC-447E-47AA-A613-3F2EA193587C}.Release|Any CPU.ActiveCfg = Release|Win32
36 | {7CBE89FC-447E-47AA-A613-3F2EA193587C}.Release|x64.ActiveCfg = Release|x64
37 | {7CBE89FC-447E-47AA-A613-3F2EA193587C}.Release|x64.Build.0 = Release|x64
38 | {7CBE89FC-447E-47AA-A613-3F2EA193587C}.Release|x86.ActiveCfg = Release|Win32
39 | {7CBE89FC-447E-47AA-A613-3F2EA193587C}.Release|x86.Build.0 = Release|Win32
40 | EndGlobalSection
41 | GlobalSection(SolutionProperties) = preSolution
42 | HideSolutionNode = FALSE
43 | EndGlobalSection
44 | GlobalSection(ExtensibilityGlobals) = postSolution
45 | SolutionGuid = {79F4B827-2AE4-40EE-B69C-77BA3679697B}
46 | EndGlobalSection
47 | EndGlobal
48 |
--------------------------------------------------------------------------------
/Loader/Loader.cpp:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include "shcutils.h"
4 |
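int main() {
    // Real prototype: BOOL WINAPI VirtualProtect(LPVOID, SIZE_T, DWORD, PDWORD).
    // WINAPI (stdcall) matters on the Win32 build, where a cdecl typedef leaves the
    // callee's stack cleanup mismatched; SIZE_T keeps the length argument full width on x64.
    typedef BOOL(WINAPI* VirtualProtect_t)(LPVOID, SIZE_T, DWORD, PDWORD);

    // Embedded blob. It starts with `sub rsp,0x28` and reads gs:[0x60] (the x64 PEB), and
    // carries the strings KERNEL32.DLL / LoadLibraryA / USER32.DLL / MessageBoxA /
    // "Hello world" / ExitProcess — i.e. it is x64-only and appears to end in ExitProcess,
    // so control is not expected to come back here. Running the Win32 build will crash.
    char shellcode[] =
        "\x48\x83\xEC\x28\x48\x83\xE4\xF0\x48\x8D\x15\x66\x00\x00\x00"
        "\x48\x8D\x0D\x52\x00\x00\x00\xE8\x9E\x00\x00\x00\x4C\x8B\xF8"
        "\x48\x8D\x0D\x5D\x00\x00\x00\xFF\xD0\x48\x8D\x15\x5F\x00\x00"
        "\x00\x48\x8D\x0D\x4D\x00\x00\x00\xE8\x7F\x00\x00\x00\x4D\x33"
        "\xC9\x4C\x8D\x05\x61\x00\x00\x00\x48\x8D\x15\x4E\x00\x00\x00"
        "\x48\x33\xC9\xFF\xD0\x48\x8D\x15\x56\x00\x00\x00\x48\x8D\x0D"
        "\x0A\x00\x00\x00\xE8\x56\x00\x00\x00\x48\x33\xC9\xFF\xD0\x4B"
        "\x45\x52\x4E\x45\x4C\x33\x32\x2E\x44\x4C\x4C\x00\x4C\x6F\x61"
        "\x64\x4C\x69\x62\x72\x61\x72\x79\x41\x00\x55\x53\x45\x52\x33"
        "\x32\x2E\x44\x4C\x4C\x00\x4D\x65\x73\x73\x61\x67\x65\x42\x6F"
        "\x78\x41\x00\x48\x65\x6C\x6C\x6F\x20\x77\x6F\x72\x6C\x64\x00"
        "\x4D\x65\x73\x73\x61\x67\x65\x00\x45\x78\x69\x74\x50\x72\x6F"
        "\x63\x65\x73\x73\x00\x48\x83\xEC\x28\x65\x4C\x8B\x04\x25\x60"
        "\x00\x00\x00\x4D\x8B\x40\x18\x4D\x8D\x60\x10\x4D\x8B\x04\x24"
        "\xFC\x49\x8B\x78\x60\x48\x8B\xF1\xAC\x84\xC0\x74\x26\x8A\x27"
        "\x80\xFC\x61\x7C\x03\x80\xEC\x20\x3A\xE0\x75\x08\x48\xFF\xC7"
        "\x48\xFF\xC7\xEB\xE5\x4D\x8B\x00\x4D\x3B\xC4\x75\xD6\x48\x33"
        "\xC0\xE9\xA7\x00\x00\x00\x49\x8B\x58\x30\x44\x8B\x4B\x3C\x4C"
        "\x03\xCB\x49\x81\xC1\x88\x00\x00\x00\x45\x8B\x29\x4D\x85\xED"
        "\x75\x08\x48\x33\xC0\xE9\x85\x00\x00\x00\x4E\x8D\x04\x2B\x45"
        "\x8B\x71\x04\x4D\x03\xF5\x41\x8B\x48\x18\x45\x8B\x50\x20\x4C"
        "\x03\xD3\xFF\xC9\x4D\x8D\x0C\x8A\x41\x8B\x39\x48\x03\xFB\x48"
        "\x8B\xF2\xA6\x75\x08\x8A\x06\x84\xC0\x74\x09\xEB\xF5\xE2\xE6"
        "\x48\x33\xC0\xEB\x4E\x45\x8B\x48\x24\x4C\x03\xCB\x66\x41\x8B"
        "\x0C\x49\x45\x8B\x48\x1C\x4C\x03\xCB\x41\x8B\x04\x89\x49\x3B"
        "\xC5\x7C\x2F\x49\x3B\xC6\x73\x2A\x48\x8D\x34\x18\x48\x8D\x7C"
        "\x24\x30\x4C\x8B\xE7\xA4\x80\x3E\x2E\x75\xFA\xA4\xC7\x07\x44"
        "\x4C\x4C\x00\x49\x8B\xCC\x41\xFF\xD7\x49\x8B\xCC\x48\x8B\xD6"
        "\xE9\x14\xFF\xFF\xFF\x48\x03\xC3\x48\x83\xC4\x28\xC3";

    // Built char-by-char on the stack so no "kernel32.dll" literal lands in .rdata.
    wchar_t kernel32_dll_name[] = { 'k','e','r','n','e','l','3','2','.','d','l','l', 0 };
    void* base = get_module_handle(kernel32_dll_name);
    if (!base) return 1;

    VirtualProtect_t VMProtect = (VirtualProtect_t) get_proc_address(base, HASH("VirtualProtect"));
    if (!VMProtect) return 1;

    // The blob lives in this frame, so this makes the containing stack page(s) RWX for the
    // rest of the process. Fine for a demo loader; a real one should copy into a dedicated
    // allocation and flip it to PAGE_EXECUTE_READ instead (W^X).
    DWORD flOldProtect = 0;
    if (!VMProtect(shellcode, sizeof(shellcode), PAGE_EXECUTE_READWRITE, &flOldProtect)) return 1;

    ((void (*)()) shellcode)();
    return 0;
}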
--------------------------------------------------------------------------------
/Shellcode/shellcode.cpp:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 | #ifdef _WIN32
6 | #include
7 | #else
8 | #include
9 | #endif
10 | #include "shcutils.h"
11 |
12 | #ifdef _MSC_VER
13 | #pragma warning(disable:4996)
14 | #pragma section("shcode", execute)
15 | #endif
16 |
17 | // This method should be fully inline. No use of static fields & external methods is allowed since the shellcode
18 | // Is supposed to be fully inline & offset independent (use PEB for windows & syscalls for linux)
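SECTION_CODE("shcode") NOINLINE int /*_fastcall*/ shellcode() {
    // Everything in here must be self-contained: stack data only, no statics, no calls into
    // anything outside this section, and nothing that needs relocations.
#ifdef _WINDOWS
    // Prototypes of the two APIs resolved at run time. Both are WINAPI (stdcall), which the
    // typedef has to say explicitly for the Win32 build; on x64 WINAPI expands to nothing.
    typedef HMODULE(WINAPI* LoadLibraryA_t)(LPCSTR);
    typedef int(WINAPI* MessageBoxA_t)(HWND, LPCSTR, LPCSTR, UINT);

    // Some compilers insert the strings into the .data no matter what you do. So we need to trick em
    volatile char u32[30]; volatile int i = 0;
    u32[i++] = 'u'; u32[i++] = 's'; u32[i++] = 'e'; u32[i++] = 'r'; u32[i++] = '3'; u32[i++] = '2';
    u32[i++] = '.'; u32[i++] = 'd'; u32[i++] = 'l'; u32[i++] = 'l', u32[i++] = '\0';
    volatile char msg[30]; i = 0;
    msg[i++] = 't'; msg[i++] = 'e'; msg[i++] = 's'; msg[i++] = 't', msg[i++] = '\0';

    /* Note that any definitions should remain stack only. Otherwise the shellcode will be invalid

    // This gets stored to .data section 100%
    char s1[] = "test";

    // This gets stored to .data section 50/50 on different compilers
    char s2[] = {'t', 'e', 's', 't', 0};

    // This is stored to stack in 100% cases. Allows to trick the compiler
    char s3[32]; int i = 0;
    s3[i++] = 't', s3[i++] = 'e', s3[i++] = 's', s3[i++] = 't',s3[i++] = '\0';

    */

    // Every lookup can fail (module not loaded, export forwarded/renamed); each result is
    // checked before it is called. The original called MessageBoxA through an unchecked
    // pointer, which is a guaranteed fault when get_proc_address returns NULL.
    void* base = get_module_handle(HASH("kernel32.dll"));
    if (!base) return 1;

    LoadLibraryA_t LoadLibA = (LoadLibraryA_t) get_proc_address(base, HASH("LoadLibraryA"));
    if (!LoadLibA) return 1;

    void* handle = LoadLibA((char*)u32);
    if (!handle) return 1;

    MessageBoxA_t MsgBoxA = (MessageBoxA_t) get_proc_address(handle, HASH("MessageBoxA"));
    if (!MsgBoxA) return 1;

    MsgBoxA(0, (char*)msg, (char*)msg, MB_OK);
    return 0;
#elif defined(_LINUX)
    volatile char msg[30]; volatile int i = 0;
    msg[i++] = 'H'; msg[i++] = 'e'; msg[i++] = 'l'; msg[i++] = 'l' , msg[i++] = 'o', msg[i++] = ' ',
    msg[i++] = 'f', msg[i++] = 'r', msg[i++] = 'o', msg[i++] = 'm', msg[i++] = ' ', msg[i++] = 's', msg[i++] = 'h', msg[i++] = 'e', msg[i++] = 'l', msg[i++] = 'l',
    msg[i++] = '!', msg[i++] = '\n' , msg[i++] = '\0';
    // i counts the terminator as well; write only the visible characters so no stray NUL
    // byte ends up on stdout.
    inline_syscall(SYS_write, STDOUT_FILENO, (long)msg, i - 1, 0, 0);
    return 0;
#endif
    return 1;
}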
// Marker placed in the same section right after shellcode(); main() sizes the dump as
// (uintptr_t)shellcode_end - (uintptr_t)shellcode and never calls it. The adjacency is an
// assumption, not a language guarantee: it holds only when the compiler emits the two
// functions in definition order and the linker neither reorders nor folds them
// (function-level linking, /OPT:ICF, LTO and incremental-link thunks can all break it),
// so verify the dumped bytes. On MSVC NAKED may expand to nothing (see shcutils.h), in
// which case this is simply a normal empty function whose address is the only thing used.
SECTION_CODE("shcode") NAKED void shellcode_end(void) {}
71 |
72 | typedef int (*shellcode_t)();
73 |
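// Allocates `size` bytes of page-backed, writable (not yet executable) memory; NULL on failure.
static void* alloc_rw_buffer(size_t size) {
#ifdef _WIN32
    return VirtualAlloc(NULL, size, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
#else
    // mprotect() needs a page-aligned address, which malloc() does not give; mmap() does.
    void* p = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return p == MAP_FAILED ? NULL : p;
#endif
}

// Flips a buffer from alloc_rw_buffer() to read+execute (W^X: never writable and
// executable at once). Returns 0 on success, -1 on failure.
static int make_buffer_exec(void* buf, size_t size) {
#ifdef _WIN32
    DWORD old_protect = 0;
    return VirtualProtect(buf, size, PAGE_EXECUTE_READ, &old_protect) ? 0 : -1;
#else
    return mprotect(buf, size, PROT_READ | PROT_EXEC);
#endif
}

// Releases a buffer from alloc_rw_buffer() with the matching API; NULL is a no-op.
static void free_buffer(void* buf, size_t size) {
    if (!buf) return;
#ifdef _WIN32
    (void)size;
    VirtualFree(buf, 0, MEM_RELEASE);
#else
    munmap(buf, size);
#endif
}

// Dumps the bytes between shellcode() and shellcode_end() to shellcode.bin, reads the file
// back into an executable buffer and runs it. Returns 0 on success, 1 on any failure.
int main() {
    // The size is the address gap between the two symbols in the "shcode" section. That is
    // only meaningful if shellcode_end() was emitted directly after shellcode() and neither
    // symbol resolves to an incremental-link jump thunk — dump from a Release /
    // non-incremental build and check the output.
    uintptr_t start = (uintptr_t)shellcode;
    uintptr_t end = (uintptr_t)shellcode_end;
    if (end <= start) {
        fprintf(stderr, "[e] shellcode_end is not placed after shellcode. Check your compiler settings.\n");
        return 1;
    }
    size_t shellcode_size = (size_t)(end - start);
    printf("[i] Shellcode size: %zu, located at 0x%p\n", shellcode_size, (void*)start);

    FILE* output_file = fopen("shellcode.bin", "wb");
    if (!output_file) {
        fprintf(stderr, "[e] Failed to open shellcode.bin\n");
        return 1;
    }
    // Exactly one write: the previous version issued the fwrite twice and produced a file
    // holding two back-to-back copies of the blob.
    if (fwrite((const void*)start, shellcode_size, 1, output_file) != 1) {
        fprintf(stderr, "[e] Failed to dump shellcode to disk. Check your compiler settings.\n");
        fclose(output_file);
        return 1;
    }
    if (fclose(output_file) != 0) {
        fprintf(stderr, "[e] Failed to flush shellcode.bin to disk.\n");
        return 1;
    }
    printf("[i] Shellcode saved to file shellcode.bin.\n");

    // Read the file back so what gets executed is exactly what was written.
    FILE* file = fopen("shellcode.bin", "rb");
    if (!file) {
        fprintf(stderr, "[e] Failed to open shellcode.bin\n");
        return 1;
    }
    if (fseek(file, 0, SEEK_END) != 0) {
        fprintf(stderr, "[e] Failed to determine shellcode size\n");
        fclose(file);
        return 1;
    }
    long fileSize = ftell(file);
    if (fileSize <= 0 || fseek(file, 0, SEEK_SET) != 0) {
        fprintf(stderr, "[e] Failed to determine shellcode size\n");
        fclose(file);
        return 1;
    }
    size_t load_size = (size_t)fileSize;

    char* shellcode_buff = (char*)alloc_rw_buffer(load_size);
    if (!shellcode_buff) {
        fprintf(stderr, "[e] Failed to allocate memory for shellcode\n");
        fclose(file);
        return 1;
    }
    if (fread(shellcode_buff, 1, load_size, file) != load_size) {
        fprintf(stderr, "[e] Failed to read shellcode\n");
        free_buffer(shellcode_buff, load_size);
        fclose(file);
        return 1;
    }
    fclose(file);
    printf("[i] Loaded shellcode size: %ld\n", fileSize);

    if (make_buffer_exec(shellcode_buff, load_size) != 0) {
        fprintf(stderr, "[e] Failed to change memory protection\n");
        free_buffer(shellcode_buff, load_size);
        return 1;
    }

    shellcode_t code = (shellcode_t)shellcode_buff;
    printf("Result: %d\n", code());

    printf("Shellcode execution completed successfully.\n");

    free_buffer(shellcode_buff, load_size);
    return 0;
}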
--------------------------------------------------------------------------------
/Loader/Loader.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | 16.0
23 | Win32Proj
24 | {7cbe89fc-447e-47aa-a613-3f2ea193587c}
25 | Loader
26 | 10.0
27 |
28 |
29 |
30 | Application
31 | true
32 | v142
33 | Unicode
34 |
35 |
36 | Application
37 | false
38 | v142
39 | true
40 | Unicode
41 |
42 |
43 | Application
44 | true
45 | v142
46 | Unicode
47 |
48 |
49 | Application
50 | false
51 | v142
52 | true
53 | Unicode
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 | true
75 |
76 |
77 | false
78 |
79 |
80 | true
81 |
82 |
83 | false
84 |
85 |
86 |
87 | Level3
88 | true
89 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
90 | true
91 |
92 |
93 | Console
94 | true
95 |
96 |
97 |
98 |
99 | Level3
100 | true
101 | true
102 | true
103 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
104 | true
105 |
106 |
107 | Console
108 | true
109 | true
110 | true
111 |
112 |
113 |
114 |
115 | Level3
116 | true
117 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
118 | true
119 |
120 |
121 | Console
122 | true
123 |
124 |
125 |
126 |
127 | Level3
128 | true
129 | true
130 | true
131 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
132 | true
133 |
134 |
135 | Console
136 | true
137 | true
138 | true
139 |
140 |
141 |
142 |
143 |
144 |
145 |
146 |
147 |
148 |
149 |
150 |
--------------------------------------------------------------------------------
/Shellcode/Shellcode.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | 16.0
23 | Win32Proj
24 | {62cad85a-3cd3-4cd5-8837-0410f3478dbe}
25 | Shellcode
26 | 10.0
27 |
28 |
29 |
30 | Application
31 | true
32 | v142
33 | Unicode
34 |
35 |
36 | Application
37 | false
38 | v142
39 | true
40 | Unicode
41 |
42 |
43 | Application
44 | true
45 | v142
46 | Unicode
47 |
48 |
49 | Application
50 | false
51 | v142
52 | true
53 | Unicode
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 | true
75 |
76 |
77 | false
78 | false
79 |
80 |
81 | true
82 |
83 |
84 | false
85 |
86 |
87 |
88 | Level3
89 | true
90 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
91 | true
92 | MultiThreaded
93 |
94 |
95 | Console
96 | true
97 |
98 |
99 |
100 |
101 | Level3
102 | true
103 | true
104 | true
105 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
106 | true
107 | /c /FA /GS- %(AdditionalOptions)
108 | false
109 | MinSpace
110 | OnlyExplicitInline
111 | Size
112 |
113 |
114 | Console
115 | false
116 | Default
117 | true
118 | true
119 |
120 |
121 |
122 |
123 | Level3
124 | true
125 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
126 | true
127 |
128 |
129 | Console
130 | true
131 |
132 |
133 |
134 |
135 | Level3
136 | true
137 | true
138 | true
139 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
140 | true
141 | MinSpace
142 | false
143 | Size
144 |
145 |
146 | Console
147 | true
148 | true
149 | true
150 |
151 |
152 |
153 |
154 |
155 |
156 |
157 |
158 |
159 |
160 |
161 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | ## Ignore Visual Studio temporary files, build results, and
2 | ## files generated by popular Visual Studio add-ons.
3 | ##
4 | ## Get latest from https://github.com/github/gitignore/blob/main/VisualStudio.gitignore
5 |
6 | # User-specific files
7 | *.rsuser
8 | *.suo
9 | *.user
10 | *.userosscache
11 | *.sln.docstates
12 | *.exe
13 | *.log
14 | *.tlog
15 | *.idb
16 | *.asm
17 |
18 | # User-specific files (MonoDevelop/Xamarin Studio)
19 | *.userprefs
20 |
21 | # Mono auto generated files
22 | mono_crash.*
23 |
24 | # Build results
25 | [Dd]ebug/
26 | [Dd]ebugPublic/
27 | [Rr]elease/
28 | [Rr]eleases/
29 | x64/
30 | x86/
31 | [Ww][Ii][Nn]32/
32 | [Aa][Rr][Mm]/
33 | [Aa][Rr][Mm]64/
34 | bld/
35 | [Bb]in/
36 | [Oo]bj/
37 | [Ll]og/
38 | [Ll]ogs/
39 |
40 | # Visual Studio 2015/2017 cache/options directory
41 | .vs/
42 | # Uncomment if you have tasks that create the project's static files in wwwroot
43 | #wwwroot/
44 |
45 | # Visual Studio 2017 auto generated files
46 | Generated\ Files/
47 |
48 | # MSTest test Results
49 | [Tt]est[Rr]esult*/
50 | [Bb]uild[Ll]og.*
51 |
52 | # NUnit
53 | *.VisualState.xml
54 | TestResult.xml
55 | nunit-*.xml
56 |
57 | # Build Results of an ATL Project
58 | [Dd]ebugPS/
59 | [Rr]eleasePS/
60 | dlldata.c
61 |
62 | # Benchmark Results
63 | BenchmarkDotNet.Artifacts/
64 |
65 | # .NET Core
66 | project.lock.json
67 | project.fragment.lock.json
68 | artifacts/
69 |
70 | # ASP.NET Scaffolding
71 | ScaffoldingReadMe.txt
72 |
73 | # StyleCop
74 | StyleCopReport.xml
75 |
76 | # Files built by Visual Studio
77 | *_i.c
78 | *_p.c
79 | *_h.h
80 | *.ilk
81 | *.meta
82 | *.obj
83 | *.iobj
84 | *.pch
85 | *.pdb
86 | *.ipdb
87 | *.pgc
88 | *.pgd
89 | *.rsp
90 | *.sbr
91 | *.tlb
92 | *.tli
93 | *.tlh
94 | *.tmp
95 | *.tmp_proj
96 | *_wpftmp.csproj
97 | *.log
98 | *.tlog
99 | *.vspscc
100 | *.vssscc
101 | .builds
102 | *.pidb
103 | *.svclog
104 | *.scc
105 |
106 | # Chutzpah Test files
107 | _Chutzpah*
108 |
109 | # Visual C++ cache files
110 | ipch/
111 | *.aps
112 | *.ncb
113 | *.opendb
114 | *.opensdf
115 | *.sdf
116 | *.cachefile
117 | *.VC.db
118 | *.VC.VC.opendb
119 |
120 | # Visual Studio profiler
121 | *.psess
122 | *.vsp
123 | *.vspx
124 | *.sap
125 |
126 | # Visual Studio Trace Files
127 | *.e2e
128 |
129 | # TFS 2012 Local Workspace
130 | $tf/
131 |
132 | # Guidance Automation Toolkit
133 | *.gpState
134 |
135 | # ReSharper is a .NET coding add-in
136 | _ReSharper*/
137 | *.[Rr]e[Ss]harper
138 | *.DotSettings.user
139 |
140 | # TeamCity is a build add-in
141 | _TeamCity*
142 |
143 | # DotCover is a Code Coverage Tool
144 | *.dotCover
145 |
146 | # AxoCover is a Code Coverage Tool
147 | .axoCover/*
148 | !.axoCover/settings.json
149 |
150 | # Coverlet is a free, cross platform Code Coverage Tool
151 | coverage*.json
152 | coverage*.xml
153 | coverage*.info
154 |
155 | # Visual Studio code coverage results
156 | *.coverage
157 | *.coveragexml
158 |
159 | # NCrunch
160 | _NCrunch_*
161 | .*crunch*.local.xml
162 | nCrunchTemp_*
163 |
164 | # MightyMoose
165 | *.mm.*
166 | AutoTest.Net/
167 |
168 | # Web workbench (sass)
169 | .sass-cache/
170 |
171 | # Installshield output folder
172 | [Ee]xpress/
173 |
174 | # DocProject is a documentation generator add-in
175 | DocProject/buildhelp/
176 | DocProject/Help/*.HxT
177 | DocProject/Help/*.HxC
178 | DocProject/Help/*.hhc
179 | DocProject/Help/*.hhk
180 | DocProject/Help/*.hhp
181 | DocProject/Help/Html2
182 | DocProject/Help/html
183 |
184 | # Click-Once directory
185 | publish/
186 |
187 | # Publish Web Output
188 | *.[Pp]ublish.xml
189 | *.azurePubxml
190 | # Note: Comment the next line if you want to checkin your web deploy settings,
191 | # but database connection strings (with potential passwords) will be unencrypted
192 | *.pubxml
193 | *.publishproj
194 |
195 | # Microsoft Azure Web App publish settings. Comment the next line if you want to
196 | # checkin your Azure Web App publish settings, but sensitive information contained
197 | # in these scripts will be unencrypted
198 | PublishScripts/
199 |
200 | # NuGet Packages
201 | *.nupkg
202 | # NuGet Symbol Packages
203 | *.snupkg
204 | # The packages folder can be ignored because of Package Restore
205 | **/[Pp]ackages/*
206 | # except build/, which is used as an MSBuild target.
207 | !**/[Pp]ackages/build/
208 | # Uncomment if necessary however generally it will be regenerated when needed
209 | #!**/[Pp]ackages/repositories.config
210 | # NuGet v3's project.json files produces more ignorable files
211 | *.nuget.props
212 | *.nuget.targets
213 |
214 | # Microsoft Azure Build Output
215 | csx/
216 | *.build.csdef
217 |
218 | # Microsoft Azure Emulator
219 | ecf/
220 | rcf/
221 |
222 | # Windows Store app package directories and files
223 | AppPackages/
224 | BundleArtifacts/
225 | Package.StoreAssociation.xml
226 | _pkginfo.txt
227 | *.appx
228 | *.appxbundle
229 | *.appxupload
230 |
231 | # Visual Studio cache files
232 | # files ending in .cache can be ignored
233 | *.[Cc]ache
234 | # but keep track of directories ending in .cache
235 | !?*.[Cc]ache/
236 |
237 | # Others
238 | ClientBin/
239 | ~$*
240 | *~
241 | *.dbmdl
242 | *.dbproj.schemaview
243 | *.jfm
244 | *.pfx
245 | *.publishsettings
246 | orleans.codegen.cs
247 |
248 | # Including strong name files can present a security risk
249 | # (https://github.com/github/gitignore/pull/2483#issue-259490424)
250 | #*.snk
251 |
252 | # Since there are multiple workflows, uncomment next line to ignore bower_components
253 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
254 | #bower_components/
255 |
256 | # RIA/Silverlight projects
257 | Generated_Code/
258 |
259 | # Backup & report files from converting an old project file
260 | # to a newer Visual Studio version. Backup files are not needed,
261 | # because we have git ;-)
262 | _UpgradeReport_Files/
263 | Backup*/
264 | UpgradeLog*.XML
265 | UpgradeLog*.htm
266 | ServiceFabricBackup/
267 | *.rptproj.bak
268 |
269 | # SQL Server files
270 | *.mdf
271 | *.ldf
272 | *.ndf
273 |
274 | # Business Intelligence projects
275 | *.rdl.data
276 | *.bim.layout
277 | *.bim_*.settings
278 | *.rptproj.rsuser
279 | *- [Bb]ackup.rdl
280 | *- [Bb]ackup ([0-9]).rdl
281 | *- [Bb]ackup ([0-9][0-9]).rdl
282 |
283 | # Microsoft Fakes
284 | FakesAssemblies/
285 |
286 | # GhostDoc plugin setting file
287 | *.GhostDoc.xml
288 |
289 | # Node.js Tools for Visual Studio
290 | .ntvs_analysis.dat
291 | node_modules/
292 |
293 | # Visual Studio 6 build log
294 | *.plg
295 |
296 | # Visual Studio 6 workspace options file
297 | *.opt
298 |
299 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
300 | *.vbw
301 |
302 | # Visual Studio 6 auto-generated project file (contains which files were open etc.)
303 | *.vbp
304 |
305 | # Visual Studio 6 workspace and project file (working project files containing files to include in project)
306 | *.dsw
307 | *.dsp
308 |
309 | # Visual Studio 6 technical files
310 | *.ncb
311 | *.aps
312 |
313 | # Visual Studio LightSwitch build output
314 | **/*.HTMLClient/GeneratedArtifacts
315 | **/*.DesktopClient/GeneratedArtifacts
316 | **/*.DesktopClient/ModelManifest.xml
317 | **/*.Server/GeneratedArtifacts
318 | **/*.Server/ModelManifest.xml
319 | _Pvt_Extensions
320 |
321 | # Paket dependency manager
322 | .paket/paket.exe
323 | paket-files/
324 |
325 | # FAKE - F# Make
326 | .fake/
327 |
328 | # CodeRush personal settings
329 | .cr/personal
330 |
331 | # Python Tools for Visual Studio (PTVS)
332 | __pycache__/
333 | *.pyc
334 |
335 | # Cake - Uncomment if you are using it
336 | # tools/**
337 | # !tools/packages.config
338 |
339 | # Tabs Studio
340 | *.tss
341 |
342 | # Telerik's JustMock configuration file
343 | *.jmconfig
344 |
345 | # BizTalk build output
346 | *.btp.cs
347 | *.btm.cs
348 | *.odx.cs
349 | *.xsd.cs
350 |
351 | # OpenCover UI analysis results
352 | OpenCover/
353 |
354 | # Azure Stream Analytics local run output
355 | ASALocalRun/
356 |
357 | # MSBuild Binary and Structured Log
358 | *.binlog
359 |
360 | # NVidia Nsight GPU debugger configuration file
361 | *.nvuser
362 |
363 | # MFractors (Xamarin productivity tool) working folder
364 | .mfractor/
365 |
366 | # Local History for Visual Studio
367 | .localhistory/
368 |
369 | # Visual Studio History (VSHistory) files
370 | .vshistory/
371 |
372 | # BeatPulse healthcheck temp database
373 | healthchecksdb
374 |
375 | # Backup folder for Package Reference Convert tool in Visual Studio 2017
376 | MigrationBackup/
377 |
378 | # Ionide (cross platform F# VS Code tools) working folder
379 | .ionide/
380 |
381 | # Fody - auto-generated XML schema
382 | FodyWeavers.xsd
383 |
384 | # VS Code files for those working on multiple tools
385 | .vscode/*
386 | !.vscode/settings.json
387 | !.vscode/tasks.json
388 | !.vscode/launch.json
389 | !.vscode/extensions.json
390 | *.code-workspace
391 |
392 | # Local History for Visual Studio Code
393 | .history/
394 |
395 | # Windows Installer files from build outputs
396 | *.cab
397 | *.msi
398 | *.msix
399 | *.msm
400 | *.msp
401 |
402 | # JetBrains Rider
403 | *.sln.iml
--------------------------------------------------------------------------------
/Loader/shcutils.h:
--------------------------------------------------------------------------------
1 | #ifndef PEB_H
2 | #define PEB_H
3 |
4 | #if defined(_WIN64) || defined(WIN64) || defined(WIN32) || defined(_WIN32) || defined(__WIN32__) || defined(__NT__)
5 | #define _WINDOWS
6 | #elif defined(__linux__) || defined(__ANDROID__)
7 | #define _LINUX
8 | #endif
9 |
10 | #ifdef _WINDOWS
11 | #include
12 | #elif defined(_LINUX)
13 | #include
14 | #include
15 | #endif
16 |
17 | // Create custom sections on both clang & msc++
18 | #if defined(_MSC_VER)
19 | #define SECTION_CODE(x) __declspec(code_seg(x))
20 | #define SECTION_FLD(x) __declspec(allocate(x))
21 | #else
22 | #define SECTION_CODE(x) __attribute__((section(x)))
23 | #define SECTION_FLD(x) __attribute__((section(x)))
24 | #endif
25 |
26 | #if defined(_MSC_VER) && !defined(__llvm__)
27 | #define INLINE __forceinline // Visual C++
28 | #else
29 | #define INLINE __attribute__((always_inline)) inline // GCC/G++/CLANG
30 | #endif
31 |
32 | // Prevents functions from inlining forcefully
33 | #if defined(_MSC_VER)
34 | #define NOINLINE __declspec(noinline)
35 | #else
36 | #define NOINLINE __attribute__((noinline))
37 | #endif
38 |
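#ifdef _MSC_VER
// __declspec(naked) is only accepted for x86 by MSVC; on x64/ARM64 the marker is a normal
// empty function. This has to be `#if defined(...)`: `#ifdef` takes a single macro name, so
// the old `#ifdef defined(i386) || ...` asked whether a macro literally named `defined`
// exists and never selected the naked branch, even on Win32.
#if defined(i386) || defined(__i386__) || defined(__i386) || defined(_M_IX86)
#define NAKED __declspec(naked)
#else // no naked on x64 w0mp w0mp (note that's the reason why it will crash)
#define NAKED
#endif
#else
#define NAKED __attribute__((naked))
#endif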
48 |
49 | // We can hash in compile-time to avoid using string comparing in the shellcode. That saves time & space
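// Forces `value` to be a compile-time constant: a non-constant argument fails to compile
// instead of quietly turning into a run-time call. HASH() goes through this so the hash is
// baked in as an immediate and the API-name literal is not needed at run time.
template <typename T, T value>
INLINE constexpr T ensure_constexpr() { return value; }
#define CONSTEXPR(x) ensure_constexpr<decltype(x), x>()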
53 |
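// Adler-32 (RFC 1950) of a NUL-terminated string, usable at compile time via HASH().
// Bytes are taken as unsigned 0..255 like the reference algorithm, and the running sums are
// unsigned so `b << 16` cannot overflow a signed type. A NULL pointer hashes like "".
// Returns the 32-bit checksum reinterpreted as int (the type get_proc_address compares).
INLINE constexpr int adler32(const char* data) {
    unsigned long a = 1, b = 0;
    if (data != nullptr) {
        for (size_t i = 0; data[i] != '\0'; i++) {
            a = (a + static_cast<unsigned char>(data[i])) % 65521u;
            b = (b + a) % 65521u;
        }
    }
    return static_cast<int>((b << 16) | a);
}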
62 |
63 | #define HASH(x) CONSTEXPR(adler32(x))
64 |
65 | // On windows we use PEB & TEB
66 | #ifdef _WINDOWS
67 | #include
68 |
69 | #ifndef __NTDLL_H__
70 |
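#ifndef TO_LOWERCASE
// ASCII-only lower-casing: stores the result in `out` and leaves `c1` untouched. The
// previous form also wrote the lower-cased character back into c1, which silently rewrote
// the caller's module name and, when used on PEB strings, the loader's own BaseDllName buffer.
#define TO_LOWERCASE(out, c1) ((out) = (((c1) >= 'A' && (c1) <= 'Z') ? ((c1) - 'A' + 'a') : (c1)))
#endif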
74 |
// Counted UTF-16 string as used by ntdll. Length and MaximumLength are byte counts, not
// character counts, and Buffer is not guaranteed to be NUL-terminated — readers should
// bound themselves by Length / sizeof(WCHAR).
typedef struct _UNICODE_STRING {
    USHORT Length;        // bytes in use
    USHORT MaximumLength; // bytes allocated for Buffer
    PWSTR Buffer;

} UNICODE_STRING, * PUNICODE_STRING;
81 |
// Loader data block reached through PEB->Ldr. The three LIST_ENTRY members are the heads of
// circular lists of LDR_DATA_TABLE_ENTRY; only InLoadOrderModuleList is walked here. Note
// that a walker which casts every Flink to LDR_DATA_TABLE_ENTRY eventually lands back on
// the head inside this struct, so it must stop at &InLoadOrderModuleList (or rely on the
// field that overlays BaseAddress there — EntryInProgress — being NULL, which is what the
// original get_module_handle loop appears to do).
typedef struct _PEB_LDR_DATA {
    ULONG Length;
    BOOLEAN Initialized;
    HANDLE SsHandle;
    LIST_ENTRY InLoadOrderModuleList;
    LIST_ENTRY InMemoryOrderModuleList;
    LIST_ENTRY InInitializationOrderModuleList;
    PVOID EntryInProgress;

} PEB_LDR_DATA, * PPEB_LDR_DATA;
92 |
93 | // Nothing below may call functions imported from external modules: these helpers are inlined into the shellcode and have to work with no import table.
94 |
// Leading part of the per-module loader entry. Field order and types must mirror the OS
// layout exactly, since entries are reached by casting list links. InLoadOrderModuleList is
// first on purpose: a LIST_ENTRY* from that list is also the entry's own address.
// BaseAddress is what ntdll names DllBase. Only BaseAddress and BaseDllName are read here;
// the trailing fields are kept for layout and the real structure continues past them.
typedef struct _LDR_DATA_TABLE_ENTRY {
    LIST_ENTRY InLoadOrderModuleList;
    LIST_ENTRY InMemoryOrderModuleList;
    LIST_ENTRY InInitializationOrderModuleList;
    void* BaseAddress;   // image base of the module (DllBase)
    void* EntryPoint;
    ULONG SizeOfImage;
    UNICODE_STRING FullDllName;
    UNICODE_STRING BaseDllName; // file name only, e.g. "KERNEL32.DLL"
    ULONG Flags;
    SHORT LoadCount;
    SHORT TlsIndex;
    HANDLE SectionHandle;
    ULONG CheckSum;
    ULONG TimeDateStamp;
} LDR_DATA_TABLE_ENTRY, * PLDR_DATA_TABLE_ENTRY;
111 |
112 |
// Leading fields of the Process Environment Block; only Ldr is dereferenced here. Apart from
// pointer width the prefix is laid out the same on x86 and x64, which is why one definition
// serves both the __readfsdword(0x30) and __readgsqword(0x60) lookups in get_module_handle.
typedef struct _PEB {
    BOOLEAN InheritedAddressSpace;
    BOOLEAN ReadImageFileExecOptions;
    BOOLEAN BeingDebugged;
    BOOLEAN SpareBool;
    HANDLE Mutant;

    PVOID ImageBaseAddress;
    PPEB_LDR_DATA Ldr;  // -> PEB_LDR_DATA with the module lists
    // ...

} PEB, * PPEB;
125 |
126 | #endif //__NTDLL_H__
127 |
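// Returns the image base of the loaded module whose BaseDllName equals `module_name`
// (ASCII case-insensitive), or NULL. Walks the PEB's in-load-order list directly, so it
// needs no imports and is safe to inline into position-independent code.
INLINE LPVOID get_module_handle(WCHAR* module_name) {
    if (module_name == NULL) return NULL;

    PPEB peb = NULL;
#if defined(_WIN64)
    peb = reinterpret_cast<PPEB>(__readgsqword(0x60));
#else
    peb = reinterpret_cast<PPEB>(__readfsdword(0x30));
#endif
    if (peb == NULL || peb->Ldr == NULL) return NULL;

    // The list is circular and its head lives inside PEB_LDR_DATA, so the walk ends when a
    // link points back at the head. (The previous loop `continue`d on a NULL Buffer without
    // advancing the cursor, which spun forever on such an entry.)
    LIST_ENTRY* head = &peb->Ldr->InLoadOrderModuleList;
    for (LIST_ENTRY* node = head->Flink; node != NULL && node != head; node = node->Flink) {
        // InLoadOrderModuleList is the first member, so the link is the entry itself.
        PLDR_DATA_TABLE_ENTRY entry = (PLDR_DATA_TABLE_ENTRY)node;
        if (entry->BaseAddress == NULL) break;

        WCHAR* curr_name = entry->BaseDllName.Buffer;
        if (curr_name == NULL) continue;
        // UNICODE_STRING is not guaranteed NUL-terminated; Length is in bytes.
        size_t max_chars = entry->BaseDllName.Length / sizeof(WCHAR);

        for (size_t i = 0;; i++) {
            WCHAR c1 = module_name[i];
            WCHAR c2 = (i < max_chars) ? curr_name[i] : 0;
            // Lower-case into locals: never write back into the caller's or the loader's string.
            if (c1 >= 'A' && c1 <= 'Z') c1 = (WCHAR)(c1 - 'A' + 'a');
            if (c2 >= 'A' && c2 <= 'Z') c2 = (WCHAR)(c2 - 'A' + 'a');
            if (c1 != c2) break;
            if (c1 == 0) return entry->BaseAddress;
        }
    }
    return NULL;
}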
158 |
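// Resolves an export of the in-memory image at `module` whose name hashes (adler32) to
// `hash`. Returns the function address, or NULL when the image is not a PE, has no export
// table, the name is absent, the ordinal is out of range, or the export is a forwarder
// (its RVA points into the export directory at a "DLL.Name" string rather than code —
// returning that pointer as a function would jump into ASCII).
INLINE LPVOID get_proc_address(LPVOID module, int hash) {
    if (module == NULL) return NULL;
    BYTE* base = (BYTE*)module;

    IMAGE_DOS_HEADER* idh = (IMAGE_DOS_HEADER*)base;
    if (idh->e_magic != IMAGE_DOS_SIGNATURE) return NULL;

    IMAGE_NT_HEADERS* nt_headers = (IMAGE_NT_HEADERS*)(base + idh->e_lfanew);
    if (nt_headers->Signature != IMAGE_NT_SIGNATURE) return NULL;

    IMAGE_DATA_DIRECTORY* exportsDir = &(nt_headers->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]);
    if (exportsDir->VirtualAddress == 0) return NULL;
    DWORD exp_begin = exportsDir->VirtualAddress;
    DWORD exp_end = exp_begin + exportsDir->Size;

    IMAGE_EXPORT_DIRECTORY* exp = (IMAGE_EXPORT_DIRECTORY*)(base + exp_begin);
    DWORD* names = (DWORD*)(base + exp->AddressOfNames);
    WORD* ordinals = (WORD*)(base + exp->AddressOfNameOrdinals);
    DWORD* functions = (DWORD*)(base + exp->AddressOfFunctions);

    // Names and name-ordinals are parallel arrays; the ordinal indexes AddressOfFunctions.
    for (DWORD i = 0; i < exp->NumberOfNames; i++) {
        LPSTR curr_name = (LPSTR)(base + names[i]);
        if (adler32(curr_name) != hash) continue;

        WORD ordinal = ordinals[i];
        if (ordinal >= exp->NumberOfFunctions) return NULL;
        DWORD func_rva = functions[ordinal];
        if (func_rva >= exp_begin && func_rva < exp_end) return NULL; // forwarded export
        return base + func_rva;
    }
    return NULL;
}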
180 |
181 | /*
182 | int dump_pe_section(char* file, char* section, char* output) {
183 | FILE* inputFile = fopen(file, "rb");
184 | if (inputFile == NULL) {
185 | printf("Unable to open input file.\n");
186 | return 1;
187 | }
188 |
189 | FILE* outputFile = fopen(output, "wb");
190 | if (outputFile == NULL) {
191 | printf("Unable to open output file.\n");
192 | fclose(inputFile);
193 | return 2;
194 | }
195 |
196 | IMAGE_DOS_HEADER dosHeader;
197 | fread(&dosHeader, sizeof(IMAGE_DOS_HEADER), 1, inputFile);
198 |
199 | fseek(inputFile, dosHeader.e_lfanew, SEEK_SET);
200 |
201 | IMAGE_NT_HEADERS ntHeader;
202 | fread(&ntHeader, sizeof(IMAGE_NT_HEADERS), 1, inputFile);
203 |
204 | IMAGE_SECTION_HEADER sectionHeader;
205 | for (int i = 0; i < ntHeader.FileHeader.NumberOfSections; i++) {
206 | fread(&sectionHeader, sizeof(IMAGE_SECTION_HEADER), 1, inputFile);
207 | if (strncmp((char*)sectionHeader.Name, section, 8) == 0) {
208 | char* buffer = (char*)malloc(sectionHeader.SizeOfRawData);
209 | fseek(inputFile, sectionHeader.PointerToRawData, SEEK_SET);
210 | fread(buffer, sectionHeader.SizeOfRawData, 1, inputFile);
211 | fwrite(buffer, sectionHeader.SizeOfRawData, 1, outputFile);
212 | free(buffer);
213 | fclose(outputFile);
214 | fclose(inputFile);
215 | return 0;
216 | }
217 | }
218 | fclose(outputFile);
219 | fclose(inputFile);
220 | return 3;
221 | }*/
222 |
223 | #elif defined(_LINUX)
224 |
225 | #define SYSCALL(...) inline_syscall(__VA_ARGS__)
226 |
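// Raw system call with up to five arguments. Returns the kernel's raw result (a negative
// errno value on failure; the C library's errno is never touched). Arguments are bound to
// the ABI registers through constraints / explicit register variables instead of being
// mov'ed in by hand, so the compiler can never hand the asm an input sitting in a register
// the asm is about to overwrite. Every variant declares a "memory" clobber so the stores
// that build a buffer passed to the kernel (e.g. the message in shellcode()) are complete
// before the trap and nothing is cached across it.
INLINE long inline_syscall(long syscall_number, long arg1, long arg2, long arg3, long arg4, long arg5) {
    long ret;
#if defined(__x86_64__)
    // SysV x86-64: nr in rax, args in rdi, rsi, rdx, r10, r8. The syscall instruction itself
    // destroys rcx and r11, which the previous version did not tell the compiler.
    register long r10 __asm__("r10") = arg4;
    register long r8 __asm__("r8") = arg5;
    __asm__ volatile (
        "syscall"
        : "=a" (ret)
        : "a" (syscall_number), "D" (arg1), "S" (arg2), "d" (arg3), "r" (r10), "r" (r8)
        : "rcx", "r11", "memory"
    );
#elif defined(__i386__)
    // i386: nr in eax, args in ebx, ecx, edx, esi, edi.
    __asm__ volatile (
        "int $0x80"
        : "=a" (ret)
        : "a" (syscall_number), "b" (arg1), "c" (arg2), "d" (arg3), "S" (arg4), "D" (arg5)
        : "memory"
    );
#elif defined(__arm__)
    // ARM EABI: nr in r7, args in r0-r4, result back in r0.
    register long r7 __asm__("r7") = syscall_number;
    register long r0 __asm__("r0") = arg1;
    register long r1 __asm__("r1") = arg2;
    register long r2 __asm__("r2") = arg3;
    register long r3 __asm__("r3") = arg4;
    register long r4 __asm__("r4") = arg5;
    __asm__ volatile (
        "swi 0"
        : "+r" (r0)
        : "r" (r7), "r" (r1), "r" (r2), "r" (r3), "r" (r4)
        : "memory"
    );
    ret = r0;
#elif defined(__aarch64__)
    // AArch64: nr in x8, args in x0-x4, result back in x0.
    register long x8 __asm__("x8") = syscall_number;
    register long x0 __asm__("x0") = arg1;
    register long x1 __asm__("x1") = arg2;
    register long x2 __asm__("x2") = arg3;
    register long x3 __asm__("x3") = arg4;
    register long x4 __asm__("x4") = arg5;
    __asm__ volatile (
        "svc 0"
        : "+r" (x0)
        : "r" (x8), "r" (x1), "r" (x2), "r" (x3), "r" (x4)
        : "memory"
    );
    ret = x0;
#else
#error "Unsupported architecture"
#endif
    return ret;
}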
290 | #endif
291 |
292 | #endif
--------------------------------------------------------------------------------
/Shellcode/shcutils.h:
--------------------------------------------------------------------------------
1 | #ifndef PEB_H
2 | #define PEB_H
3 |
4 | #if defined(_WIN64) || defined(WIN64) || defined(WIN32) || defined(_WIN32) || defined(__WIN32__) || defined(__NT__)
5 | #define _WINDOWS
6 | #elif defined(__linux__) || defined(__ANDROID__)
7 | #define _LINUX
8 | #endif
9 |
10 | #ifdef _WINDOWS
11 | #include
12 | #elif defined(_LINUX)
13 | #include
14 | #include
15 | #endif
16 |
17 | // Create custom sections on both clang & msc++
18 | #if defined(_MSC_VER)
19 | #define SECTION_CODE(x) __declspec(code_seg(x))
20 | #define SECTION_FLD(x) __declspec(allocate(x))
21 | #else
22 | #define SECTION_CODE(x) __attribute__((section(x)))
23 | #define SECTION_FLD(x) __attribute__((section(x)))
24 | #endif
25 |
26 | #if defined(_MSC_VER) && !defined(__llvm__)
27 | #define INLINE __forceinline // Visual C++
28 | #else
29 | #define INLINE __attribute__((always_inline)) inline // GCC/G++/CLANG
30 | #endif
31 |
32 | // Forcibly prevents a function from being inlined
33 | #if defined(_MSC_VER) && !defined(__llvm__)
34 | #define NOINLINE __declspec(noinline)
35 | #else
36 | #define NOINLINE __attribute__((noinline))
37 | #endif
38 |
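// NAKED: declare a function with no compiler-generated prologue/epilogue.
#if defined(_MSC_VER) && !defined(__llvm__)
// `#if`, not `#ifdef`: the condition is an expression. `#ifdef defined(...)`
// only tests whether a macro literally named `defined` exists, so the x86
// branch below could never be selected.
#if defined(i386) || defined(__i386__) || defined(__i386) || defined(_M_IX86)
#define NAKED __declspec (naked)
#else
// Visual C++ has no naked functions on x64, so NAKED expands to nothing there
// (the author notes this is why the x64 MSVC build crashes).
#define NAKED
#endif
#else
#define NAKED __attribute__((naked))
#endif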
48 |
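// Lower-case a single ASCII letter 'A'..'Z'; every other value is returned
// unchanged. The argument is parenthesized so that an expression such as
// `buf[i]` or `flag ? a : b` is treated as one operand; note that the
// argument is still evaluated more than once, so avoid side effects in it.
#define TO_LOWERCASE(c1) (((c1) <= (char)'Z' && (c1) >= (char)'A') ? ((c1) - (char)'A') + (char)'a' : (c1))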
50 |
51 | // We can hash in compile-time to avoid using string comparing in the shellcode. That saves time & space
// Forces `value` to be evaluated at compile time by passing it as a non-type
// template argument; the function body simply returns it. CONSTEXPR(x) is the
// convenience wrapper used by HASH() below.
// NOTE(review): the template parameter list here, and the template arguments in
// the CONSTEXPR macro, appear to have been stripped from this copy of the file
// (angle brackets are missing). From the body the parameters are a type T and a
// value of type T — confirm against the original source before building.
template
INLINE constexpr T ensure_constexpr() { return value; }
#define CONSTEXPR(x) ensure_constexpr()
55 |
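// Adler-32 checksum of a 0-terminated string of any character type (char,
// WCHAR, ...). This is the hash compared against HASH("...") constants so the
// shellcode never has to carry or compare plain strings.
//
// data    pointer to a 0-terminated array of T; must not be NULL
// Returns the 32-bit checksum (b << 16 | a) as an int; the empty string is 1.
//
// Each element is added as its T value, so for a signed char above 0x7F the
// running sum can go negative and the result differs from the unsigned-char
// checksum — rely on this only for ASCII names.
template <typename T>
INLINE constexpr int adler32(const T* data) {
    long kModulus = 65521, a = 1, b = 0;
    for (int i = 0; data[i] != 0; i++) {
        a = (a + data[i]) % kModulus;
        b = (b + a) % kModulus;
    }
    // Combine in unsigned arithmetic: b << 16 can exceed LONG_MAX where long is
    // 32 bits, which is undefined for a signed left shift. The cast back to int
    // keeps the same low 32 bits as the previous signed expression.
    return static_cast<int>((static_cast<unsigned long>(b) << 16) | static_cast<unsigned long>(a));
}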
65 |
66 | #define HASH(x) CONSTEXPR(adler32(x))
67 |
68 | // On windows we use PEB & TEB
69 | #ifdef _WINDOWS
70 |
71 | #ifndef __NTDLL_H__
72 |
// Counted UTF-16 string as used by the NT loader, declared locally so the
// shellcode does not depend on ntdll headers (skipped when __NTDLL_H__ is set).
// NOTE(review): in the NT definition Length and MaximumLength are byte counts,
// not character counts, and Buffer is not guaranteed to be NUL-terminated;
// get_module_handle below indexes Buffer by Length, so confirm this.
typedef struct _UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;

} UNICODE_STRING, * PUNICODE_STRING;
79 |
// Loader data block reached through PEB.Ldr. The three LIST_ENTRY heads link the
// same LDR_DATA_TABLE_ENTRY records in different orders; only
// InLoadOrderModuleList is walked by get_module_handle below.
// NOTE(review): this mirrors an undocumented NT layout — field order and sizes
// must match the target OS exactly, so do not reorder or pad.
typedef struct _PEB_LDR_DATA {
ULONG Length;
BOOLEAN Initialized;
HANDLE SsHandle;
LIST_ENTRY InLoadOrderModuleList;
LIST_ENTRY InMemoryOrderModuleList;
LIST_ENTRY InInitializationOrderModuleList;
PVOID EntryInProgress;

} PEB_LDR_DATA, * PPEB_LDR_DATA;
90 |
91 | // here we don't want to use any functions imported from external modules
92 |
// One loaded module as recorded by the NT loader.
// InLoadOrderModuleList must stay the first field: get_module_handle casts the
// list head's Flink pointer straight to PLDR_DATA_TABLE_ENTRY, which is only
// valid while that LIST_ENTRY sits at offset 0. get_module_handle reads
// BaseAddress (also used as the loop terminator when NULL) and BaseDllName.
// NOTE(review): undocumented layout — confirm against the target OS version.
typedef struct _LDR_DATA_TABLE_ENTRY {
LIST_ENTRY InLoadOrderModuleList;
LIST_ENTRY InMemoryOrderModuleList;
LIST_ENTRY InInitializationOrderModuleList;
void* BaseAddress;
void* EntryPoint;
ULONG SizeOfImage;
UNICODE_STRING FullDllName;
UNICODE_STRING BaseDllName;
ULONG Flags;
SHORT LoadCount;
SHORT TlsIndex;
HANDLE SectionHandle;
ULONG CheckSum;
ULONG TimeDateStamp;
} LDR_DATA_TABLE_ENTRY, * PLDR_DATA_TABLE_ENTRY;
109 |
110 |
// Truncated Process Environment Block: only the leading fields up to Ldr are
// declared (the `// ...` marks where the real structure continues), since Ldr
// is all get_module_handle needs. The PEB pointer is read from the TEB slot at
// gs:[0x60] (x64) or fs:[0x30] (x86) in get_module_handle below.
// NOTE(review): never allocate or copy this type — it is a view onto OS memory
// and is shorter than the real PEB.
typedef struct _PEB {
BOOLEAN InheritedAddressSpace;
BOOLEAN ReadImageFileExecOptions;
BOOLEAN BeingDebugged;
BOOLEAN SpareBool;
HANDLE Mutant;

PVOID ImageBaseAddress;
PPEB_LDR_DATA Ldr;
// ...

} PEB, * PPEB;
123 |
124 | #endif //__NTDLL_H__
125 |
// Walk the loader's in-load-order module list and return the base address of
// the first module whose lower-cased BaseDllName has adler32 == hash, or NULL
// when the walk ends without a match. Nothing is imported: the PEB is located
// through the TEB and the list is traversed by hand.
//
// hash    adler32 of the lower-case DLL name (see HASH())
//
// NOTE(review): the `continue` on an entry with a NULL Buffer does not advance
// curr_module (the advance is at the bottom of the loop), so such an entry
// re-runs the same test forever.
// NOTE(review): the copy loop uses BaseDllName.Length as its bound, but in the
// NT definition Length is a byte count; temp has 64 entries and no bound
// check, so a long name can write past it. The code also appears to rely on
// Buffer being NUL-terminated so that the terminator is copied into temp —
// confirm both before relying on this.
INLINE LPVOID get_module_handle(int hash) {
PPEB peb = NULL;
#if defined(_WIN64)
// NOTE(review): the template argument of reinterpret_cast (presumably PPEB)
// appears to have been stripped from this copy of the file.
peb = reinterpret_cast(__readgsqword(0x60));
#else
peb = reinterpret_cast(__readfsdword(0x30));
#endif
PPEB_LDR_DATA ldr = peb->Ldr;
LIST_ENTRY list = ldr->InLoadOrderModuleList;

// The head's Flink is reinterpreted as the first entry; valid only because
// InLoadOrderModuleList is the first field of LDR_DATA_TABLE_ENTRY.
PLDR_DATA_TABLE_ENTRY Flink = *((PLDR_DATA_TABLE_ENTRY*)(&list));
PLDR_DATA_TABLE_ENTRY curr_module = Flink;

// A NULL BaseAddress is treated as the end of the list.
while (curr_module != NULL && curr_module->BaseAddress != NULL) {
if (curr_module->BaseDllName.Buffer == NULL) continue;

// Lower-case copy of the name so the hash is case-insensitive.
// `volatile i` presumably keeps the compiler from turning this loop into a
// library call the shellcode could not import — confirm.
WCHAR temp[64];
for (volatile int i = 0; i < curr_module->BaseDllName.Length; i++)
temp[i] = TO_LOWERCASE(curr_module->BaseDllName.Buffer[i]);

if (adler32(temp) == hash)
return curr_module->BaseAddress;

curr_module = (PLDR_DATA_TABLE_ENTRY)curr_module->InLoadOrderModuleList.Flink;
}
return NULL;
}
153 |
// Resolve a named export from an in-memory PE image by hash. Scans the export
// directory's name table and returns the address of the first export whose
// name has adler32 == hash; returns NULL if the DOS magic does not match, the
// image has no export directory, or no name matches.
//
// module  base address of a loaded image (e.g. from get_module_handle)
// hash    adler32 of the export name (see HASH())
//
// NOTE(review): only e_magic is validated — the NT signature and the
// data-directory/RVA bounds are not checked, so a corrupt or non-image buffer
// is read out of bounds here. Forwarded exports (where the function RVA points
// back into the export directory) are not recognised and would be returned as
// if they were code — confirm callers never resolve such names.
INLINE LPVOID get_proc_address(LPVOID module, int hash) {
IMAGE_DOS_HEADER* idh = (IMAGE_DOS_HEADER*)module;
if (idh->e_magic != IMAGE_DOS_SIGNATURE) return NULL;

IMAGE_NT_HEADERS* nt_headers = (IMAGE_NT_HEADERS*)((BYTE*)module + idh->e_lfanew);
IMAGE_DATA_DIRECTORY* exportsDir = &(nt_headers->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]);
// VirtualAddress is a DWORD RVA; comparing it against NULL works but reads oddly.
if (exportsDir->VirtualAddress == NULL) return NULL;

IMAGE_EXPORT_DIRECTORY* exp = (IMAGE_EXPORT_DIRECTORY*)(exportsDir->VirtualAddress + (ULONG_PTR)module);

// Iterate through names: entry i of AddressOfNames pairs with entry i of
// AddressOfNameOrdinals, which indexes AddressOfFunctions.
for (SIZE_T i = 0; i < exp->NumberOfNames; i++) {
DWORD* nameRVA = (DWORD*)((exp->AddressOfNames + (BYTE*)module) + i * sizeof(DWORD));
WORD* nameIndex = (WORD*)((exp->AddressOfNameOrdinals + (BYTE*)module) + i * sizeof(WORD));
DWORD* funcRVA = (DWORD*)((exp->AddressOfFunctions + (BYTE*)module) + (*nameIndex) * sizeof(DWORD));
LPSTR curr_name = (LPSTR)(*nameRVA + (BYTE*)module);

if (adler32(curr_name) == hash) return (BYTE*)module + (*funcRVA);
}
return NULL;
}
175 |
176 | /*
177 | int dump_pe_section(char* file, char* section, char* output) {
178 | FILE* inputFile = fopen(file, "rb");
179 | if (inputFile == NULL) {
180 | printf("Unable to open input file.\n");
181 | return 1;
182 | }
183 |
184 | FILE* outputFile = fopen(output, "wb");
185 | if (outputFile == NULL) {
186 | printf("Unable to open output file.\n");
187 | fclose(inputFile);
188 | return 2;
189 | }
190 |
191 | IMAGE_DOS_HEADER dosHeader;
192 | fread(&dosHeader, sizeof(IMAGE_DOS_HEADER), 1, inputFile);
193 |
194 | fseek(inputFile, dosHeader.e_lfanew, SEEK_SET);
195 |
196 | IMAGE_NT_HEADERS ntHeader;
197 | fread(&ntHeader, sizeof(IMAGE_NT_HEADERS), 1, inputFile);
198 |
199 | IMAGE_SECTION_HEADER sectionHeader;
200 | for (int i = 0; i < ntHeader.FileHeader.NumberOfSections; i++) {
201 | fread(&sectionHeader, sizeof(IMAGE_SECTION_HEADER), 1, inputFile);
202 | if (strncmp((char*)sectionHeader.Name, section, 8) == 0) {
203 | char* buffer = (char*)malloc(sectionHeader.SizeOfRawData);
204 | fseek(inputFile, sectionHeader.PointerToRawData, SEEK_SET);
205 | fread(buffer, sectionHeader.SizeOfRawData, 1, inputFile);
206 | fwrite(buffer, sectionHeader.SizeOfRawData, 1, outputFile);
207 | free(buffer);
208 | fclose(outputFile);
209 | fclose(inputFile);
210 | return 0;
211 | }
212 | }
213 | fclose(outputFile);
214 | fclose(inputFile);
215 | return 3;
216 | }*/
217 |
218 | #elif defined(_LINUX)
219 |
220 | #define SYSCALL(...) inline_syscall(__VA_ARGS__)
221 |
/*
 * Issue a raw Linux system call with up to five arguments, without going
 * through libc (nothing is imported, which is what the shellcode needs).
 *
 * syscall_number  kernel syscall number for the target architecture
 * arg1..arg5      syscall arguments in kernel order; pass 0 for unused ones
 * Returns the raw value the kernel left in the return register (on Linux this
 * is conventionally a negative errno code on failure — errno itself is never
 * set here, since libc is not involved). A sixth argument is not supported.
 *
 * NOTE(review): on x86_64 the `syscall` instruction also clobbers rcx and r11,
 * and none of the four variants declares a "memory" clobber; without those the
 * compiler may keep live values in rcx/r11 across the call or reorder loads and
 * stores of buffers around it. Worth adding before relying on this for calls
 * that pass pointers to the kernel.
 * NOTE(review): the i386 variant clobbers ebx, which some toolchains reserve as
 * the PIC base register and may refuse in an asm clobber list — confirm on the
 * intended 32-bit build.
 */
INLINE long inline_syscall(long syscall_number, long arg1, long arg2, long arg3, long arg4, long arg5) {
    long ret;
#if defined(__x86_64__)
    // SysV x86_64 kernel ABI: number in rax, args in rdi, rsi, rdx, r10, r8.
    // Inputs use "g" so each may sit in a register or memory; the explicit movs
    // copy them into the ABI registers, which are listed as clobbered.
    __asm__ volatile (
        "mov %1, %%rax;"
        "mov %2, %%rdi;"
        "mov %3, %%rsi;"
        "mov %4, %%rdx;"
        "mov %5, %%r10;"
        "mov %6, %%r8;"
        "syscall;"
        "mov %%rax, %0;"
        : "=m" (ret)
        : "g" (syscall_number), "g" (arg1), "g" (arg2), "g" (arg3), "g" (arg4), "g" (arg5)
        : "%rax", "%rdi", "%rsi", "%rdx", "%r10", "%r8"
    );
#elif defined(__i386__)
    // i386 ABI: number in eax, args in ebx, ecx, edx, esi, edi; trap via int 0x80.
    __asm__ volatile (
        "mov %1, %%eax;"
        "mov %2, %%ebx;"
        "mov %3, %%ecx;"
        "mov %4, %%edx;"
        "mov %5, %%esi;"
        "mov %6, %%edi;"
        "int $0x80;"
        "mov %%eax, %0;"
        : "=m" (ret)
        : "g" (syscall_number), "g" (arg1), "g" (arg2), "g" (arg3), "g" (arg4), "g" (arg5)
        : "%eax", "%ebx", "%ecx", "%edx", "%esi", "%edi"
    );
#elif defined(__arm__)
    // ARM EABI: number in r7, args in r0-r4; result comes back in r0.
    __asm__ volatile (
        "mov r7, %1;"
        "mov r0, %2;"
        "mov r1, %3;"
        "mov r2, %4;"
        "mov r3, %5;"
        "mov r4, %6;"
        "swi 0;"
        "mov %0, r0;"
        : "=r" (ret)
        : "r" (syscall_number), "r" (arg1), "r" (arg2), "r" (arg3), "r" (arg4), "r" (arg5)
        : "r0", "r1", "r2", "r3", "r4", "r7"
    );
#elif defined(__aarch64__)
    // AArch64: number in x8, args in x0-x4; result comes back in x0.
    __asm__ volatile (
        "mov x8, %1;"
        "mov x0, %2;"
        "mov x1, %3;"
        "mov x2, %4;"
        "mov x3, %5;"
        "mov x4, %6;"
        "svc 0;"
        "mov %0, x0;"
        : "=r" (ret)
        : "r" (syscall_number), "r" (arg1), "r" (arg2), "r" (arg3), "r" (arg4), "r" (arg5)
        : "x0", "x1", "x2", "x3", "x4", "x8"
    );
#else
#error "Unsupported architecture"
#endif
    return ret;
}
285 | #endif
286 |
287 | #endif
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | Apache License
2 | Version 2.0, January 2004
3 | http://www.apache.org/licenses/
4 |
5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
6 |
7 | 1. Definitions.
8 |
9 | "License" shall mean the terms and conditions for use, reproduction,
10 | and distribution as defined by Sections 1 through 9 of this document.
11 |
12 | "Licensor" shall mean the copyright owner or entity authorized by
13 | the copyright owner that is granting the License.
14 |
15 | "Legal Entity" shall mean the union of the acting entity and all
16 | other entities that control, are controlled by, or are under common
17 | control with that entity. For the purposes of this definition,
18 | "control" means (i) the power, direct or indirect, to cause the
19 | direction or management of such entity, whether by contract or
20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the
21 | outstanding shares, or (iii) beneficial ownership of such entity.
22 |
23 | "You" (or "Your") shall mean an individual or Legal Entity
24 | exercising permissions granted by this License.
25 |
26 | "Source" form shall mean the preferred form for making modifications,
27 | including but not limited to software source code, documentation
28 | source, and configuration files.
29 |
30 | "Object" form shall mean any form resulting from mechanical
31 | transformation or translation of a Source form, including but
32 | not limited to compiled object code, generated documentation,
33 | and conversions to other media types.
34 |
35 | "Work" shall mean the work of authorship, whether in Source or
36 | Object form, made available under the License, as indicated by a
37 | copyright notice that is included in or attached to the work
38 | (an example is provided in the Appendix below).
39 |
40 | "Derivative Works" shall mean any work, whether in Source or Object
41 | form, that is based on (or derived from) the Work and for which the
42 | editorial revisions, annotations, elaborations, or other modifications
43 | represent, as a whole, an original work of authorship. For the purposes
44 | of this License, Derivative Works shall not include works that remain
45 | separable from, or merely link (or bind by name) to the interfaces of,
46 | the Work and Derivative Works thereof.
47 |
48 | "Contribution" shall mean any work of authorship, including
49 | the original version of the Work and any modifications or additions
50 | to that Work or Derivative Works thereof, that is intentionally
51 | submitted to Licensor for inclusion in the Work by the copyright owner
52 | or by an individual or Legal Entity authorized to submit on behalf of
53 | the copyright owner. For the purposes of this definition, "submitted"
54 | means any form of electronic, verbal, or written communication sent
55 | to the Licensor or its representatives, including but not limited to
56 | communication on electronic mailing lists, source code control systems,
57 | and issue tracking systems that are managed by, or on behalf of, the
58 | Licensor for the purpose of discussing and improving the Work, but
59 | excluding communication that is conspicuously marked or otherwise
60 | designated in writing by the copyright owner as "Not a Contribution."
61 |
62 | "Contributor" shall mean Licensor and any individual or Legal Entity
63 | on behalf of whom a Contribution has been received by Licensor and
64 | subsequently incorporated within the Work.
65 |
66 | 2. Grant of Copyright License. Subject to the terms and conditions of
67 | this License, each Contributor hereby grants to You a perpetual,
68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable
69 | copyright license to reproduce, prepare Derivative Works of,
70 | publicly display, publicly perform, sublicense, and distribute the
71 | Work and such Derivative Works in Source or Object form.
72 |
73 | 3. Grant of Patent License. Subject to the terms and conditions of
74 | this License, each Contributor hereby grants to You a perpetual,
75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable
76 | (except as stated in this section) patent license to make, have made,
77 | use, offer to sell, sell, import, and otherwise transfer the Work,
78 | where such license applies only to those patent claims licensable
79 | by such Contributor that are necessarily infringed by their
80 | Contribution(s) alone or by combination of their Contribution(s)
81 | with the Work to which such Contribution(s) was submitted. If You
82 | institute patent litigation against any entity (including a
83 | cross-claim or counterclaim in a lawsuit) alleging that the Work
84 | or a Contribution incorporated within the Work constitutes direct
85 | or contributory patent infringement, then any patent licenses
86 | granted to You under this License for that Work shall terminate
87 | as of the date such litigation is filed.
88 |
89 | 4. Redistribution. You may reproduce and distribute copies of the
90 | Work or Derivative Works thereof in any medium, with or without
91 | modifications, and in Source or Object form, provided that You
92 | meet the following conditions:
93 |
94 | (a) You must give any other recipients of the Work or
95 | Derivative Works a copy of this License; and
96 |
97 | (b) You must cause any modified files to carry prominent notices
98 | stating that You changed the files; and
99 |
100 | (c) You must retain, in the Source form of any Derivative Works
101 | that You distribute, all copyright, patent, trademark, and
102 | attribution notices from the Source form of the Work,
103 | excluding those notices that do not pertain to any part of
104 | the Derivative Works; and
105 |
106 | (d) If the Work includes a "NOTICE" text file as part of its
107 | distribution, then any Derivative Works that You distribute must
108 | include a readable copy of the attribution notices contained
109 | within such NOTICE file, excluding those notices that do not
110 | pertain to any part of the Derivative Works, in at least one
111 | of the following places: within a NOTICE text file distributed
112 | as part of the Derivative Works; within the Source form or
113 | documentation, if provided along with the Derivative Works; or,
114 | within a display generated by the Derivative Works, if and
115 | wherever such third-party notices normally appear. The contents
116 | of the NOTICE file are for informational purposes only and
117 | do not modify the License. You may add Your own attribution
118 | notices within Derivative Works that You distribute, alongside
119 | or as an addendum to the NOTICE text from the Work, provided
120 | that such additional attribution notices cannot be construed
121 | as modifying the License.
122 |
123 | You may add Your own copyright statement to Your modifications and
124 | may provide additional or different license terms and conditions
125 | for use, reproduction, or distribution of Your modifications, or
126 | for any such Derivative Works as a whole, provided Your use,
127 | reproduction, and distribution of the Work otherwise complies with
128 | the conditions stated in this License.
129 |
130 | 5. Submission of Contributions. Unless You explicitly state otherwise,
131 | any Contribution intentionally submitted for inclusion in the Work
132 | by You to the Licensor shall be under the terms and conditions of
133 | this License, without any additional terms or conditions.
134 | Notwithstanding the above, nothing herein shall supersede or modify
135 | the terms of any separate license agreement you may have executed
136 | with Licensor regarding such Contributions.
137 |
138 | 6. Trademarks. This License does not grant permission to use the trade
139 | names, trademarks, service marks, or product names of the Licensor,
140 | except as required for reasonable and customary use in describing the
141 | origin of the Work and reproducing the content of the NOTICE file.
142 |
143 | 7. Disclaimer of Warranty. Unless required by applicable law or
144 | agreed to in writing, Licensor provides the Work (and each
145 | Contributor provides its Contributions) on an "AS IS" BASIS,
146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
147 | implied, including, without limitation, any warranties or conditions
148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
149 | PARTICULAR PURPOSE. You are solely responsible for determining the
150 | appropriateness of using or redistributing the Work and assume any
151 | risks associated with Your exercise of permissions under this License.
152 |
153 | 8. Limitation of Liability. In no event and under no legal theory,
154 | whether in tort (including negligence), contract, or otherwise,
155 | unless required by applicable law (such as deliberate and grossly
156 | negligent acts) or agreed to in writing, shall any Contributor be
157 | liable to You for damages, including any direct, indirect, special,
158 | incidental, or consequential damages of any character arising as a
159 | result of this License or out of the use or inability to use the
160 | Work (including but not limited to damages for loss of goodwill,
161 | work stoppage, computer failure or malfunction, or any and all
162 | other commercial damages or losses), even if such Contributor
163 | has been advised of the possibility of such damages.
164 |
165 | 9. Accepting Warranty or Additional Liability. While redistributing
166 | the Work or Derivative Works thereof, You may choose to offer,
167 | and charge a fee for, acceptance of support, warranty, indemnity,
168 | or other liability obligations and/or rights consistent with this
169 | License. However, in accepting such obligations, You may act only
170 | on Your own behalf and on Your sole responsibility, not on behalf
171 | of any other Contributor, and only if You agree to indemnify,
172 | defend, and hold each Contributor harmless for any liability
173 | incurred by, or claims asserted against, such Contributor by reason
174 | of your accepting any such warranty or additional liability.
175 |
176 | END OF TERMS AND CONDITIONS
177 |
178 | APPENDIX: How to apply the Apache License to your work.
179 |
180 | To apply the Apache License to your work, attach the following
181 | boilerplate notice, with the fields enclosed by brackets "[]"
182 | replaced with your own identifying information. (Don't include
183 | the brackets!) The text should be enclosed in the appropriate
184 | comment syntax for the file format. We also recommend that a
185 | file or class name and description of purpose be included on the
186 | same "printed page" as the copyright notice for easier
187 | identification within third-party archives.
188 |
189 | Copyright [yyyy] [name of copyright owner]
190 |
191 | Licensed under the Apache License, Version 2.0 (the "License");
192 | you may not use this file except in compliance with the License.
193 | You may obtain a copy of the License at
194 |
195 | http://www.apache.org/licenses/LICENSE-2.0
196 |
197 | Unless required by applicable law or agreed to in writing, software
198 | distributed under the License is distributed on an "AS IS" BASIS,
199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
200 | See the License for the specific language governing permissions and
201 | limitations under the License.
202 |
--------------------------------------------------------------------------------
/Shellcode/shellcode.asm:
--------------------------------------------------------------------------------
1 | ; Listing generated by Microsoft (R) Optimizing Compiler Version 19.29.30154.0
2 |
3 | TITLE C:\Users\admin\Documents\GitHub\ShellcodeLab\Shellcode\Release\shellcode.obj
4 | .686P
5 | .XMM
6 | include listing.inc
7 | .model flat
8 |
9 | INCLUDELIB MSVCRT
10 | INCLUDELIB OLDNAMES
11 |
12 | PUBLIC ___local_stdio_printf_options
13 | PUBLIC __vfprintf_l
14 | PUBLIC _fprintf
15 | PUBLIC _printf
16 | PUBLIC ?shellcode@@YAHXZ ; shellcode
17 | PUBLIC ?shellcode_end@@YAXXZ ; shellcode_end
18 | PUBLIC _main
19 | PUBLIC ?_OptionsStorage@?1??__local_stdio_printf_options@@9@4_KA ; `__local_stdio_printf_options'::`2'::_OptionsStorage
20 | PUBLIC ??_C@_02GMLFBBN@wb@ ; `string'
21 | PUBLIC ??_C@_0O@NFBNADIO@shellcode?4bin@ ; `string'
22 | PUBLIC ??_C@_0CC@CNIGJHCH@?$FLe?$FN?5Failed?5to?5open?5shellcode?4bi@ ; `string'
23 | PUBLIC ??_C@_0CK@CNHACEFP@?$FLi?$FN?5Shellcode?5size?3?5?$CFlu?0?5locate@ ; `string'
24 | PUBLIC ??_C@_0EF@MOLEIFGD@?$FLe?$FN?5Failed?5to?5dump?5shellcode?5to@ ; `string'
25 | PUBLIC ??_C@_0CM@JHEGLBMC@?$FLi?$FN?5Shellcode?5saved?5to?5file?5she@ ; `string'
26 | PUBLIC ??_C@_02JDPG@rb@ ; `string'
27 | PUBLIC ??_C@_0CN@KKANALMI@?$FLe?$FN?5Failed?5to?5allocate?5memory?5f@ ; `string'
28 | PUBLIC ??_C@_0BO@KJKJAGIL@?$FLe?$FN?5Failed?5to?5read?5shellcode?6@ ; `string'
29 | PUBLIC ??_C@_0CA@FFCIEFBF@?$FLi?$FN?5Loaded?5shellcode?5size?3?5?$CFld?6@ ; `string'
30 | PUBLIC ??_C@_0CI@GCOJCDBI@?$FLe?$FN?5Failed?5to?5change?5memory?5pro@ ; `string'
31 | PUBLIC ??_C@_0M@LDNOBAB@Result?3?5?$CFd?6@ ; `string'
32 | PUBLIC ??_C@_0CN@CMKKBCPN@Shellcode?5execution?5completed?5s@ ; `string'
33 | EXTRN __imp____acrt_iob_func:PROC
34 | EXTRN __imp__fclose:PROC
35 | EXTRN __imp__fopen:PROC
36 | EXTRN __imp__fread:PROC
37 | EXTRN __imp__fseek:PROC
38 | EXTRN __imp__ftell:PROC
39 | EXTRN __imp__fwrite:PROC
40 | EXTRN __imp____stdio_common_vfprintf:PROC
41 | EXTRN __imp__malloc:PROC
42 | EXTRN __imp__VirtualProtect@16:PROC
43 | EXTRN __imp__VirtualFree@12:PROC
44 | ; COMDAT ?_OptionsStorage@?1??__local_stdio_printf_options@@9@4_KA
45 | _BSS SEGMENT
46 | ?_OptionsStorage@?1??__local_stdio_printf_options@@9@4_KA DQ 01H DUP (?) ; `__local_stdio_printf_options'::`2'::_OptionsStorage
47 | _BSS ENDS
48 | ; COMDAT ??_C@_0CN@CMKKBCPN@Shellcode?5execution?5completed?5s@
49 | CONST SEGMENT
50 | ??_C@_0CN@CMKKBCPN@Shellcode?5execution?5completed?5s@ DB 'Shellcode exec'
51 | DB 'ution completed successfully.', 0aH, 00H ; `string'
52 | CONST ENDS
53 | ; COMDAT ??_C@_0M@LDNOBAB@Result?3?5?$CFd?6@
54 | CONST SEGMENT
55 | ??_C@_0M@LDNOBAB@Result?3?5?$CFd?6@ DB 'Result: %d', 0aH, 00H ; `string'
56 | CONST ENDS
57 | ; COMDAT ??_C@_0CI@GCOJCDBI@?$FLe?$FN?5Failed?5to?5change?5memory?5pro@
58 | CONST SEGMENT
59 | ??_C@_0CI@GCOJCDBI@?$FLe?$FN?5Failed?5to?5change?5memory?5pro@ DB '[e] Fa'
60 | DB 'iled to change memory protection', 0aH, 00H ; `string'
61 | CONST ENDS
62 | ; COMDAT ??_C@_0CA@FFCIEFBF@?$FLi?$FN?5Loaded?5shellcode?5size?3?5?$CFld?6@
63 | CONST SEGMENT
64 | ??_C@_0CA@FFCIEFBF@?$FLi?$FN?5Loaded?5shellcode?5size?3?5?$CFld?6@ DB '[i'
65 | DB '] Loaded shellcode size: %ld', 0aH, 00H ; `string'
66 | CONST ENDS
67 | ; COMDAT ??_C@_0BO@KJKJAGIL@?$FLe?$FN?5Failed?5to?5read?5shellcode?6@
68 | CONST SEGMENT
69 | ??_C@_0BO@KJKJAGIL@?$FLe?$FN?5Failed?5to?5read?5shellcode?6@ DB '[e] Fail'
70 | DB 'ed to read shellcode', 0aH, 00H ; `string'
71 | CONST ENDS
72 | ; COMDAT ??_C@_0CN@KKANALMI@?$FLe?$FN?5Failed?5to?5allocate?5memory?5f@
73 | CONST SEGMENT
74 | ??_C@_0CN@KKANALMI@?$FLe?$FN?5Failed?5to?5allocate?5memory?5f@ DB '[e] Fa'
75 | DB 'iled to allocate memory for shellcode', 0aH, 00H ; `string'
76 | CONST ENDS
77 | ; COMDAT ??_C@_02JDPG@rb@
78 | CONST SEGMENT
79 | ??_C@_02JDPG@rb@ DB 'rb', 00H ; `string'
80 | CONST ENDS
81 | ; COMDAT ??_C@_0CM@JHEGLBMC@?$FLi?$FN?5Shellcode?5saved?5to?5file?5she@
82 | CONST SEGMENT
83 | ??_C@_0CM@JHEGLBMC@?$FLi?$FN?5Shellcode?5saved?5to?5file?5she@ DB '[i] Sh'
84 | DB 'ellcode saved to file shellcode.bin.', 0aH, 00H ; `string'
85 | CONST ENDS
86 | ; COMDAT ??_C@_0EF@MOLEIFGD@?$FLe?$FN?5Failed?5to?5dump?5shellcode?5to@
87 | CONST SEGMENT
88 | ??_C@_0EF@MOLEIFGD@?$FLe?$FN?5Failed?5to?5dump?5shellcode?5to@ DB '[e] Fa'
89 | DB 'iled to dump shellcode to disk. Check your compiler settings.'
90 | DB 0aH, 00H ; `string'
91 | CONST ENDS
92 | ; COMDAT ??_C@_0CK@CNHACEFP@?$FLi?$FN?5Shellcode?5size?3?5?$CFlu?0?5locate@
93 | CONST SEGMENT
94 | ??_C@_0CK@CNHACEFP@?$FLi?$FN?5Shellcode?5size?3?5?$CFlu?0?5locate@ DB '[i'
95 | DB '] Shellcode size: %lu, located at 0x%p', 0aH, 00H ; `string'
96 | CONST ENDS
97 | ; COMDAT ??_C@_0CC@CNIGJHCH@?$FLe?$FN?5Failed?5to?5open?5shellcode?4bi@
98 | CONST SEGMENT
99 | ??_C@_0CC@CNIGJHCH@?$FLe?$FN?5Failed?5to?5open?5shellcode?4bi@ DB '[e] Fa'
100 | DB 'iled to open shellcode.bin', 0aH, 00H ; `string'
101 | CONST ENDS
102 | ; COMDAT ??_C@_0O@NFBNADIO@shellcode?4bin@
103 | CONST SEGMENT
104 | ??_C@_0O@NFBNADIO@shellcode?4bin@ DB 'shellcode.bin', 00H ; `string'
105 | CONST ENDS
106 | ; COMDAT ??_C@_02GMLFBBN@wb@
107 | CONST SEGMENT
108 | ??_C@_02GMLFBBN@wb@ DB 'wb', 00H ; `string'
109 | CONST ENDS
110 | ; COMDAT voltbl
111 | voltbl SEGMENT
112 | _volmd DW 0bH
113 | DW 0eH
114 | DW 015H
115 | DW 01aH
116 | DW 01dH
117 | DW 022H
118 | DW 027H
119 | DW 02aH
120 | DW 02dH
121 | DW 032H
122 | DW 035H
123 | DW 038H
124 | DW 03dH
125 | DW 040H
126 | DW 043H
127 | DW 048H
128 | DW 04bH
129 | DW 04eH
130 | DW 053H
131 | DW 056H
132 | DW 059H
133 | DW 05eH
134 | DW 061H
135 | DW 064H
136 | DW 069H
137 | DW 06cH
138 | DW 06fH
139 | DW 074H
140 | DW 077H
141 | DW 07aH
142 | DW 07fH
143 | DW 082H
144 | DW 085H
145 | DW 089H
146 | DW 08cH
147 | DW 08fH
148 | DW 092H
149 | DW 097H
150 | DW 09aH
151 | DW 09dH
152 | DW 0a2H
153 | DW 0a5H
154 | DW 0a8H
155 | DW 0adH
156 | DW 0b0H
157 | DW 0b3H
158 | DW 0b8H
159 | DW 0bbH
160 | DW 0beH
161 | DW 0c2H
162 | DW 0e8H
163 | DW 0edH
164 | DW 0faH
165 | DW 0107H
166 | DW 011aH
167 | DW 0124H
168 | DW 012fH
169 | DW 0136H
170 | voltbl ENDS
171 | ; COMDAT voltbl
172 | voltbl SEGMENT
173 | _volmd DB 031H
174 | DB 03aH
175 | DB 047H
176 | DB 054H
177 | DB 067H
178 | DB 071H
179 | DB 07cH
180 | DB 083H
181 | voltbl ENDS
182 | ; Function compile flags: /Ogsp
183 | ; COMDAT _main
184 | _TEXT SEGMENT
185 | _flOldProtect$ = -8 ; size = 4
186 | _fileSize$1$ = -4 ; size = 4
187 | _main PROC ; COMDAT
188 | ; File C:\Users\admin\Documents\GitHub\ShellcodeLab\Shellcode\shellcode.cpp
189 | ; Line 74
190 | push ebp
191 | mov ebp, esp
192 | push ecx
193 | push ecx
194 | push ebx
195 | ; Line 76
196 | push OFFSET ??_C@_02GMLFBBN@wb@
197 | push OFFSET ??_C@_0O@NFBNADIO@shellcode?4bin@
198 | call DWORD PTR __imp__fopen
199 | mov ebx, eax
200 | pop ecx
201 | pop ecx
202 | ; Line 77
203 | test ebx, ebx
204 | jne SHORT $LN2@main
205 | ; Line 78
206 | push OFFSET ??_C@_0CC@CNIGJHCH@?$FLe?$FN?5Failed?5to?5open?5shellcode?4bi@
207 | push 2
208 | call DWORD PTR __imp____acrt_iob_func
209 | pop ecx
210 | push eax
211 | call _fprintf
212 | pop ecx
213 | ; Line 79
214 | xor eax, eax
215 | pop ecx
216 | inc eax
217 | jmp $LN1@main
218 | $LN2@main:
219 | push esi
220 | push edi
221 | ; Line 81
222 | mov esi, OFFSET ?shellcode@@YAHXZ ; shellcode
223 | mov edi, OFFSET ?shellcode_end@@YAXXZ ; shellcode_end
224 | ; Line 82
225 | push esi
226 | sub edi, esi
227 | push edi
228 | push OFFSET ??_C@_0CK@CNHACEFP@?$FLi?$FN?5Shellcode?5size?3?5?$CFlu?0?5locate@
229 | call _printf
230 | ; Line 83
231 | push ebx
232 | push 1
233 | push edi
234 | push esi
235 | mov esi, DWORD PTR __imp__fwrite
236 | call esi
237 | ; Line 85
238 | push ebx
239 | push 1
240 | push edi
241 | push OFFSET ?shellcode@@YAHXZ ; shellcode
242 | call esi
243 | add esp, 44 ; 0000002cH
244 | test eax, eax
245 | jne SHORT $LN3@main
246 | ; Line 86
247 | push OFFSET ??_C@_0EF@MOLEIFGD@?$FLe?$FN?5Failed?5to?5dump?5shellcode?5to@
248 | push 2
249 | call DWORD PTR __imp____acrt_iob_func
250 | pop ecx
251 | push eax
252 | call _fprintf
253 | ; Line 87
254 | push ebx
255 | call DWORD PTR __imp__fclose
256 | ; Line 88
257 | jmp $LN13@main
258 | $LN3@main:
259 | ; Line 90
260 | push ebx
261 | mov ebx, DWORD PTR __imp__fclose
262 | call ebx
263 | ; Line 91
264 | mov DWORD PTR [esp], OFFSET ??_C@_0CM@JHEGLBMC@?$FLi?$FN?5Shellcode?5saved?5to?5file?5she@
265 | call _printf
266 | ; Line 93
267 | mov DWORD PTR [esp], OFFSET ??_C@_02JDPG@rb@
268 | push OFFSET ??_C@_0O@NFBNADIO@shellcode?4bin@
269 | call DWORD PTR __imp__fopen
270 | mov edi, eax
271 | pop ecx
272 | pop ecx
273 | ; Line 94
274 | test edi, edi
275 | jne SHORT $LN4@main
276 | ; Line 95
277 | push OFFSET ??_C@_0CC@CNIGJHCH@?$FLe?$FN?5Failed?5to?5open?5shellcode?4bi@
278 | push 2
279 | call DWORD PTR __imp____acrt_iob_func
280 | pop ecx
281 | push eax
282 | call _fprintf
283 | pop ecx
284 | ; Line 96
285 | jmp $LN12@main
286 | $LN4@main:
287 | ; Line 98
288 | mov esi, DWORD PTR __imp__fseek
289 | push 2
290 | push 0
291 | push edi
292 | call esi
293 | ; Line 99
294 | push edi
295 | call DWORD PTR __imp__ftell
296 | ; Line 100
297 | push 0
298 | push 0
299 | push edi
300 | mov DWORD PTR _fileSize$1$[ebp], eax
301 | call esi
302 | ; Line 102
303 | push DWORD PTR _fileSize$1$[ebp]
304 | call DWORD PTR __imp__malloc
305 | mov esi, eax
306 | add esp, 32 ; 00000020H
307 | ; Line 104
308 | test esi, esi
309 | jne SHORT $LN5@main
310 | ; Line 105
311 | push OFFSET ??_C@_0CN@KKANALMI@?$FLe?$FN?5Failed?5to?5allocate?5memory?5f@
312 | push 2
313 | call DWORD PTR __imp____acrt_iob_func
314 | pop ecx
315 | push eax
316 | call _fprintf
317 | ; Line 106
318 | push edi
319 | call ebx
320 | $LN13@main:
321 | ; Line 127
322 | add esp, 12 ; 0000000cH
323 | jmp $LN11@main
324 | $LN5@main:
325 | ; Line 109
326 | push edi
327 | push DWORD PTR _fileSize$1$[ebp]
328 | push 1
329 | push esi
330 | call DWORD PTR __imp__fread
331 | add esp, 16 ; 00000010H
332 | cmp eax, DWORD PTR _fileSize$1$[ebp]
333 | je SHORT $LN6@main
334 | ; Line 110
335 | push OFFSET ??_C@_0BO@KJKJAGIL@?$FLe?$FN?5Failed?5to?5read?5shellcode?6@
336 | push 2
337 | call DWORD PTR __imp____acrt_iob_func
338 | pop ecx
339 | push eax
340 | call _fprintf
341 | pop ecx
342 | pop ecx
343 | ; Line 112
344 | push 32768 ; 00008000H
345 | push 0
346 | push esi
347 | call DWORD PTR __imp__VirtualFree@12
348 | ; Line 116
349 | push edi
350 | call ebx
351 | $LN12@main:
352 | ; Line 127
353 | pop ecx
354 | jmp SHORT $LN11@main
355 | $LN6@main:
356 | ; Line 119
357 | push edi
358 | call ebx
359 | ; Line 120
360 | mov ebx, DWORD PTR _fileSize$1$[ebp]
361 | push ebx
362 | push OFFSET ??_C@_0CA@FFCIEFBF@?$FLi?$FN?5Loaded?5shellcode?5size?3?5?$CFld?6@
363 | call _printf
364 | add esp, 12 ; 0000000cH
365 | ; Line 124
366 | lea eax, DWORD PTR _flOldProtect$[ebp]
367 | push eax
368 | push 64 ; 00000040H
369 | push ebx
370 | push esi
371 | call DWORD PTR __imp__VirtualProtect@16
372 | test eax, eax
373 | jne SHORT $LN7@main
374 | ; Line 125
375 | push OFFSET ??_C@_0CI@GCOJCDBI@?$FLe?$FN?5Failed?5to?5change?5memory?5pro@
376 | push 2
377 | call DWORD PTR __imp____acrt_iob_func
378 | pop ecx
379 | push eax
380 | call _fprintf
381 | pop ecx
382 | pop ecx
383 | ; Line 126
384 | push 32768 ; 00008000H
385 | push 0
386 | push esi
387 | call DWORD PTR __imp__VirtualFree@12
388 | $LN11@main:
389 | ; Line 127
390 | xor eax, eax
391 | inc eax
392 | jmp SHORT $LN9@main
393 | $LN7@main:
394 | ; Line 138
395 | call esi
396 | push eax
397 | push OFFSET ??_C@_0M@LDNOBAB@Result?3?5?$CFd?6@
398 | call _printf
399 | ; Line 140
400 | push OFFSET ??_C@_0CN@CMKKBCPN@Shellcode?5execution?5completed?5s@
401 | call _printf
402 | add esp, 12 ; 0000000cH
403 | ; Line 142
404 | xor eax, eax
405 | $LN9@main:
406 | pop edi
407 | pop esi
408 | $LN1@main:
409 | pop ebx
410 | ; Line 143
411 | leave
412 | ret 0
413 | _main ENDP
414 | _TEXT ENDS
415 | ; Function compile flags: /Ogsp
416 | ; COMDAT ?shellcode_end@@YAXXZ
417 | shcode SEGMENT
418 | ?shellcode_end@@YAXXZ PROC ; shellcode_end, COMDAT
; void shellcode_end(void) (decoration @@YAXXZ: __cdecl, void, no params).
; A single `ret` placed in the same `shcode` segment as ?shellcode@@YAHXZ;
; presumably the end marker whose address, minus the address of shellcode,
; gives the shellcode length at runtime.
; NOTE(review): in this listing shellcode_end is emitted BEFORE ?shellcode@@YAHXZ,
; and both are COMDAT, so their final order in the segment is the linker's
; decision -- any end-minus-start computation should verify the sign/order
; rather than assume end > start.
419 | ; File C:\Users\admin\Documents\GitHub\ShellcodeLab\Shellcode\shellcode.cpp
420 | ; Line 70
421 | ret 0
422 | ?shellcode_end@@YAXXZ ENDP ; shellcode_end
423 | shcode ENDS
424 | ; Function compile flags: /Ogsp
425 | ; COMDAT ?shellcode@@YAHXZ
426 | shcode SEGMENT
; Frame layout (ebp-relative).  Several names are bound twice because the two
; inlined export walks and the two hash loops each get their own slot; the
; tvNNNN names are compiler temporaries spilled across the hash loops.
427 | _temp$1 = -228 ; size = 128  -- lowercased WCHAR copy of a module name (64 WCHARs)
428 | _msg$ = -100 ; size = 30  -- "test\0", built on the stack at Line 30
429 | _u32$ = -68 ; size = 30  -- "user32.dll\0", built on the stack at Lines 27-28
430 | _curr_name$1$ = -36 ; size = 4
431 | _funcRVA$1$ = -36 ; size = 4
432 | tv1151 = -32 ; size = 4
433 | _handle$1$ = -32 ; size = 4
434 | $T2 = -28 ; size = 4
435 | $T3 = -28 ; size = 4
436 | tv1149 = -24 ; size = 4
437 | _base$1$ = -24 ; size = 4
438 | _funcRVA$1$ = -20 ; size = 4
439 | _curr_name$1$ = -20 ; size = 4
440 | _i$1$ = -16 ; size = 4
441 | tv1142 = -16 ; size = 4
442 | tv1141 = -12 ; size = 4
443 | tv1136 = -12 ; size = 4
444 | tv1137 = -8 ; size = 4
445 | _i$1$ = -8 ; size = 4
446 | _curr_module$1$ = -8 ; size = 4
447 | _a$1$ = -4 ; size = 4
448 | _a$1$ = -4 ; size = 4
449 | _i$4 = -4 ; size = 4
450 | _i$ = -4 ; size = 4
451 | ?shellcode@@YAHXZ PROC ; shellcode, COMDAT
; int shellcode(void) (decoration @@YAHXZ: __cdecl, int return, no params).
; Self-contained body in the `shcode` segment: it materialises its two strings
; on the stack one byte at a time (no data-section references), locates a
; module by walking the loader list reached from fs:[0x30], and resolves
; exports by comparing an Adler-32 hash of each name against a baked-in
; constant rather than by string.  Returns 0 after the final indirect call,
; 1 if any lookup fails.  Review notes, each marked again at the instruction:
;   - $LL11 copies WORD[esi+44] WCHARs into the 128-byte _temp$1 with no bound
;     check (overruns _msg$/_u32$ and beyond once the count exceeds 64);
;   - an entry with [esi+48]==0 branches to $LN86 without advancing esi, so
;     the walk spins on that entry;
;   - the second export lookup has no null check: on failure eax==0 still
;     reaches `call eax` at $LN35.
452 | ; File C:\Users\admin\Documents\GitHub\ShellcodeLab\Shellcode\shellcode.cpp
453 | ; Line 19
454 | push ebp
455 | mov ebp, esp
456 | sub esp, 228 ; 000000e4H  -- locals, see frame layout above
457 | ; Line 26
458 | xor edx, edx  ; edx = 0 for the whole module walk (NUL byte, zero compares)
459 | mov DWORD PTR _i$[ebp], edx
460 | ; Line 27
; _u32$ := "user32.dll\0", one byte per store; _i$ is the index, ebx (=1) the step.
461 | mov eax, DWORD PTR _i$[ebp]
462 | push ebx
463 | xor ebx, ebx
464 | inc ebx  ; ebx = 1
465 | mov BYTE PTR _u32$[ebp+eax], 117 ; 00000075H  'u'
466 | add DWORD PTR _i$[ebp], ebx
467 | mov eax, DWORD PTR _i$[ebp]
468 | push esi
469 | push edi
470 | mov BYTE PTR _u32$[ebp+eax], 115 ; 00000073H  's'
471 | add DWORD PTR _i$[ebp], ebx
472 | mov eax, DWORD PTR _i$[ebp]
473 | mov BYTE PTR _u32$[ebp+eax], 101 ; 00000065H  'e'
474 | add DWORD PTR _i$[ebp], ebx
475 | mov eax, DWORD PTR _i$[ebp]
476 | mov BYTE PTR _u32$[ebp+eax], 114 ; 00000072H  'r'
477 | add DWORD PTR _i$[ebp], ebx
478 | mov eax, DWORD PTR _i$[ebp]
479 | mov BYTE PTR _u32$[ebp+eax], 51 ; 00000033H  '3'
480 | add DWORD PTR _i$[ebp], ebx
481 | mov eax, DWORD PTR _i$[ebp]
482 | mov BYTE PTR _u32$[ebp+eax], 50 ; 00000032H  '2'
483 | add DWORD PTR _i$[ebp], ebx
484 | ; Line 28
485 | mov eax, DWORD PTR _i$[ebp]
486 | mov BYTE PTR _u32$[ebp+eax], 46 ; 0000002eH  '.'
487 | add DWORD PTR _i$[ebp], ebx
488 | mov eax, DWORD PTR _i$[ebp]
489 | mov BYTE PTR _u32$[ebp+eax], 100 ; 00000064H  'd'
490 | add DWORD PTR _i$[ebp], ebx
491 | mov eax, DWORD PTR _i$[ebp]
492 | mov BYTE PTR _u32$[ebp+eax], 108 ; 0000006cH  'l'
493 | add DWORD PTR _i$[ebp], ebx
494 | mov eax, DWORD PTR _i$[ebp]
495 | mov BYTE PTR _u32$[ebp+eax], 108 ; 0000006cH  'l'
496 | add DWORD PTR _i$[ebp], ebx
497 | mov eax, DWORD PTR _i$[ebp]
498 | mov BYTE PTR _u32$[ebp+eax], dl  ; NUL terminator (dl == 0)
499 | add DWORD PTR _i$[ebp], ebx
500 | ; Line 29
501 | mov DWORD PTR _i$[ebp], edx
502 | ; Line 30
; _msg$ := "test\0" the same way.
503 | mov eax, DWORD PTR _i$[ebp]
504 | mov BYTE PTR _msg$[ebp+eax], 116 ; 00000074H  't'
505 | add DWORD PTR _i$[ebp], ebx
506 | mov eax, DWORD PTR _i$[ebp]
507 | mov BYTE PTR _msg$[ebp+eax], 101 ; 00000065H  'e'
508 | add DWORD PTR _i$[ebp], ebx
509 | mov eax, DWORD PTR _i$[ebp]
510 | mov BYTE PTR _msg$[ebp+eax], 115 ; 00000073H  's'
511 | add DWORD PTR _i$[ebp], ebx
512 | mov eax, DWORD PTR _i$[ebp]
513 | mov BYTE PTR _msg$[ebp+eax], 116 ; 00000074H  't'
514 | add DWORD PTR _i$[ebp], ebx
515 | mov eax, DWORD PTR _i$[ebp]
516 | mov BYTE PTR _msg$[ebp+eax], dl  ; NUL terminator
517 | add DWORD PTR _i$[ebp], ebx
518 | ; File C:\Users\admin\Documents\GitHub\ShellcodeLab\Shellcode\shcutils.h
519 | ; Line 133
; Module walk.  fs:[0x30] is the PEB on x86; the two +12 loads are presumably
; PEB->Ldr and the head of one of its module lists (the offsets used below,
; +24 base / +44 name length / +48 name buffer, match the InLoadOrder entry
; layout) -- TODO confirm against shcutils.h, which is not in this listing.
520 | mov eax, DWORD PTR fs:48
521 | ; Line 139
522 | mov eax, DWORD PTR [eax+12]
523 | mov esi, DWORD PTR [eax+12]
524 | jmp $LN87@shellcode
525 | $LL7@shellcode:
526 | ; Line 141
527 | cmp DWORD PTR [esi+24], edx  ; no base address -> give up (return 1)
528 | je $LN84@shellcode
529 | ; Line 142
530 | cmp DWORD PTR [esi+48], edx  ; no name buffer -> $LN86 re-tests the SAME esi (spins)
531 | je $LN86@shellcode
532 | ; Line 145
; Copy the name as lowercase WCHARs into _temp$1.  Bound = WORD[esi+44] used
; as a character count (signed compare).  _temp$1 holds 64 WCHARs and nothing
; limits the count; if +44 is a UNICODE_STRING.Length in bytes the loop also
; reads twice the name.
533 | mov DWORD PTR _i$4[ebp], edx
534 | jmp SHORT $LN89@shellcode
535 | $LL11@shellcode:
536 | ; Line 146
537 | mov ecx, DWORD PTR _i$4[ebp]
538 | mov eax, DWORD PTR [esi+48]
539 | cmp WORD PTR [eax+ecx*2], 90 ; 0000005aH  'Z'
540 | ja SHORT $LN15@shellcode
541 | mov ecx, DWORD PTR _i$4[ebp]
542 | mov eax, DWORD PTR [esi+48]
543 | cmp WORD PTR [eax+ecx*2], 65 ; 00000041H  'A'
544 | jb SHORT $LN15@shellcode
545 | mov ecx, DWORD PTR _i$4[ebp]
546 | mov eax, DWORD PTR [esi+48]
547 | mov ax, WORD PTR [eax+ecx*2]
548 | add ax, 32 ; 00000020H  'A'..'Z' -> lowercase
549 | movzx ecx, ax
550 | jmp SHORT $LN16@shellcode
551 | $LN15@shellcode:
552 | mov ecx, DWORD PTR _i$4[ebp]
553 | mov eax, DWORD PTR [esi+48]
554 | movzx ecx, WORD PTR [eax+ecx*2]  ; other characters copied as-is
555 | $LN16@shellcode:
556 | mov eax, DWORD PTR _i$4[ebp]
557 | mov WORD PTR _temp$1[ebp+eax*2], cx  ; unbounded store, see note above
558 | add DWORD PTR _i$4[ebp], ebx
559 | $LN89@shellcode:
560 | ; Line 145
561 | movzx eax, WORD PTR [esi+44]
562 | cmp DWORD PTR _i$4[ebp], eax
563 | jl SHORT $LL11@shellcode
564 | ; Line 61
; Inlined hash of _temp$1 (shcutils.h Lines 60-65): a=1 (edi), b=0 (ecx),
; per WCHAR a=(a+c) mod 65521, b=(b+a) mod 65521, result (b<<16)|a: Adler-32.
565 | mov ax, WORD PTR _temp$1[ebp]
566 | mov edi, ebx  ; a = 1
567 | mov ecx, edx  ; b = 0
568 | mov ebx, edx  ; character index = 0
569 | test ax, ax
570 | je SHORT $LN82@shellcode  ; empty name: skip hashing, advance
571 | movzx eax, ax
572 | mov esi, 65521 ; 0000fff1H  -- modulus; esi is reloaded from _curr_module after the loop
573 | $LL20@shellcode:
574 | ; Line 62
575 | movzx eax, ax
576 | add eax, edi
577 | cdq
578 | idiv esi
579 | mov edi, edx  ; a = (a + c) mod 65521
580 | ; Line 63
581 | lea eax, DWORD PTR [ecx+edi]
582 | cdq
583 | idiv esi
584 | movzx eax, WORD PTR _temp$1[ebp+ebx*2+2]  ; next WCHAR
585 | inc ebx
586 | mov ecx, edx  ; b = (b + a) mod 65521
587 | test ax, ax
588 | jne SHORT $LL20@shellcode
589 | mov esi, DWORD PTR _curr_module$1$[ebp]  ; restore the list entry pointer
590 | ; Line 65
591 | shl ecx, 16 ; 00000010H
592 | or ecx, edi  ; ecx = (b << 16) | a
593 | ; Line 148
594 | cmp ecx, 489227345 ; 1d290451H  -- baked-in hash of the wanted module (its name is not in this listing)
595 | je SHORT $LN56@shellcode
596 | xor edx, edx  ; cdq/idiv clobbered edx: restore the zero constant
597 | $LN82@shellcode:
598 | ; Line 151
599 | mov esi, DWORD PTR [esi]  ; next list entry (Flink)
600 | xor ebx, ebx
601 | inc ebx  ; ebx = 1 again
602 | $LN87@shellcode:
603 | ; Line 141
604 | mov DWORD PTR _curr_module$1$[ebp], esi
605 | $LN86@shellcode:
606 | test esi, esi
607 | jne $LL7@shellcode
608 | $LN84@shellcode:
609 | ; File C:\Users\admin\Documents\GitHub\ShellcodeLab\Shellcode\shellcode.cpp
610 | ; Line 67
; Common failure exit: return 1.
611 | xor eax, eax
612 | inc eax
613 | $LN1@shellcode:
614 | ; Line 68
615 | pop edi
616 | pop esi
617 | pop ebx
618 | leave
619 | ret 0
620 | $LN56@shellcode:
621 | ; File C:\Users\admin\Documents\GitHub\ShellcodeLab\Shellcode\shcutils.h
622 | ; Line 149
; Module matched: ecx = its base.  First export walk (shcutils.h Lines
; 158-173, inlined).  PE32 offsets: [base+60] = e_lfanew, NT header +120 =
; export directory RVA; inside IMAGE_EXPORT_DIRECTORY +24 NumberOfNames,
; +28 AddressOfFunctions, +32 AddressOfNames, +36 AddressOfNameOrdinals.
623 | mov ecx, DWORD PTR [esi+24]
624 | mov DWORD PTR _base$1$[ebp], ecx
625 | ; File C:\Users\admin\Documents\GitHub\ShellcodeLab\Shellcode\shellcode.cpp
626 | ; Line 48
627 | test ecx, ecx
628 | je SHORT $LN84@shellcode  ; null base -> return 1
629 | ; File C:\Users\admin\Documents\GitHub\ShellcodeLab\Shellcode\shcutils.h
630 | ; Line 158
631 | mov eax, 23117 ; 00005a4dH  'MZ'
632 | cmp WORD PTR [ecx], ax
633 | jne SHORT $LN84@shellcode  ; not a PE image -> return 1
634 | ; Line 162
635 | mov eax, DWORD PTR [ecx+60]
636 | mov eax, DWORD PTR [eax+ecx+120]
637 | test eax, eax
638 | je SHORT $LN84@shellcode  ; no export directory -> return 1
639 | ; Line 167
640 | mov ebx, DWORD PTR [eax+ecx+24]  ; NumberOfNames -> $T2 (loop bound)
641 | xor edx, edx
642 | mov DWORD PTR _i$1$[ebp], edx  ; i = 0
643 | mov DWORD PTR $T2[ebp], ebx
644 | test ebx, ebx
645 | je SHORT $LN84@shellcode  ; no named exports -> return 1
646 | ; Line 169
647 | mov edi, DWORD PTR [eax+ecx+32]  ; AddressOfNames
648 | mov ebx, DWORD PTR [eax+ecx+36]  ; AddressOfNameOrdinals
649 | add edi, ecx
650 | ; Line 170
651 | mov esi, DWORD PTR [eax+ecx+28]  ; AddressOfFunctions
652 | add ebx, ecx
653 | mov DWORD PTR tv1151[ebp], esi
654 | mov DWORD PTR tv1142[ebp], edi
655 | mov DWORD PTR tv1141[ebp], ebx
656 | $LL25@shellcode:
; Per name: _funcRVA = &AddressOfFunctions[ordinal], _curr_name = name VA,
; then the same Adler-32 over the ANSI name (movsx: bytes >= 0x80 would
; contribute negative values; fine for ASCII export names).
657 | movzx eax, WORD PTR [ebx]  ; ordinal for this name
658 | ; Line 60
659 | mov DWORD PTR _a$1$[ebp], 1  ; a = 1
660 | ; Line 170
661 | lea eax, DWORD PTR [esi+eax*4]
662 | ; Line 60
663 | xor esi, esi  ; b = 0
664 | ; Line 170
665 | add eax, ecx
666 | mov DWORD PTR _funcRVA$1$[ebp], eax
667 | ; Line 171
668 | mov eax, DWORD PTR [edi]
669 | add eax, ecx
670 | mov DWORD PTR _curr_name$1$[ebp], eax
671 | ; Line 61
672 | mov al, BYTE PTR [eax]
673 | test al, al
674 | je SHORT $LN81@shellcode  ; empty name: next
675 | mov ecx, DWORD PTR _curr_name$1$[ebp]
676 | ; Line 169
677 | mov edi, 65521 ; 0000fff1H  -- modulus (edi/ebx reloaded from temporaries after the loop)
678 | mov ebx, DWORD PTR _a$1$[ebp]
679 | $LL33@shellcode:
680 | ; Line 62
681 | movsx eax, al
682 | add eax, ebx
683 | cdq
684 | idiv edi
685 | mov ebx, edx  ; a = (a + c) mod 65521
686 | ; Line 63
687 | lea eax, DWORD PTR [esi+ebx]
688 | cdq
689 | idiv edi
690 | inc ecx
691 | mov esi, edx  ; b = (b + a) mod 65521
692 | mov al, BYTE PTR [ecx]
693 | test al, al
694 | jne SHORT $LL33@shellcode
695 | mov ecx, DWORD PTR _base$1$[ebp]
696 | mov edi, DWORD PTR tv1142[ebp]
697 | mov DWORD PTR _a$1$[ebp], ebx
698 | mov ebx, DWORD PTR tv1141[ebp]
699 | ; Line 65
700 | shl esi, 16 ; 00000010H
701 | or esi, DWORD PTR _a$1$[ebp]  ; esi = (b << 16) | a
702 | ; Line 173
703 | cmp esi, 494994583 ; 1d810497H  -- baked-in hash of the wanted export
704 | je SHORT $LN57@shellcode
705 | mov edx, DWORD PTR _i$1$[ebp]
706 | $LN81@shellcode:
707 | ; Line 167
; Advance: i++, ordinals +2, names +4; unsigned compare against NumberOfNames.
708 | inc edx
709 | add ebx, 2
710 | add edi, 4
711 | mov DWORD PTR _i$1$[ebp], edx
712 | mov DWORD PTR tv1141[ebp], ebx
713 | mov DWORD PTR tv1142[ebp], edi
714 | cmp edx, DWORD PTR $T2[ebp]
715 | jae $LN84@shellcode  ; names exhausted -> return 1
716 | mov esi, DWORD PTR tv1151[ebp]
717 | jmp SHORT $LL25@shellcode
718 | $LN57@shellcode:
719 | ; Line 173
720 | mov eax, DWORD PTR _funcRVA$1$[ebp]
721 | mov eax, DWORD PTR [eax]
722 | add eax, ecx  ; function VA; the add's ZF feeds the null check below
723 | ; File C:\Users\admin\Documents\GitHub\ShellcodeLab\Shellcode\shellcode.cpp
724 | ; Line 50
725 | je $LN84@shellcode  ; null function address -> return 1
726 | ; Line 51
; Indirect call with &_u32$ ("user32.dll") as the only argument; the caller
; pops the argument itself, i.e. the pointer is typed cdecl.  If the target is
; a stdcall Win32 API it has already popped it -- harmless here only because
; `leave` restores esp from ebp before the callee-saved pops.
727 | lea ecx, DWORD PTR _u32$[ebp]
728 | push ecx
729 | call eax
730 | pop ecx
731 | mov ecx, eax
732 | mov DWORD PTR _handle$1$[ebp], ecx  ; returned value is used as a module base below
733 | ; Line 52
734 | test ecx, ecx
735 | je $LN84@shellcode  ; null handle -> return 1
736 | ; File C:\Users\admin\Documents\GitHub\ShellcodeLab\Shellcode\shcutils.h
737 | ; Line 158
; Second export walk, identical to the first but on the returned handle; its
; failure branches go to $LN85 (eax = 0) instead of $LN84 (return 1).
738 | mov eax, 23117 ; 00005a4dH  'MZ'
739 | cmp WORD PTR [ecx], ax
740 | jne $LN85@shellcode
741 | ; Line 162
742 | mov eax, DWORD PTR [ecx+60]
743 | mov eax, DWORD PTR [eax+ecx+120]
744 | test eax, eax
745 | je $LN85@shellcode
746 | ; Line 167
747 | mov ebx, DWORD PTR [eax+ecx+24]  ; NumberOfNames -> $T3
748 | xor edx, edx
749 | mov DWORD PTR _i$1$[ebp], edx
750 | mov DWORD PTR $T3[ebp], ebx
751 | test ebx, ebx
752 | je $LN85@shellcode
753 | ; Line 169
754 | mov edi, DWORD PTR [eax+ecx+32]  ; AddressOfNames
755 | mov ebx, DWORD PTR [eax+ecx+36]  ; AddressOfNameOrdinals
756 | add edi, ecx
757 | ; Line 170
758 | mov esi, DWORD PTR [eax+ecx+28]  ; AddressOfFunctions
759 | add ebx, ecx
760 | mov DWORD PTR tv1149[ebp], esi
761 | mov DWORD PTR tv1137[ebp], edi
762 | mov DWORD PTR tv1136[ebp], ebx
763 | $LL38@shellcode:
764 | movzx eax, WORD PTR [ebx]
765 | ; Line 60
766 | mov DWORD PTR _a$1$[ebp], 1  ; a = 1
767 | ; Line 170
768 | lea eax, DWORD PTR [esi+eax*4]
769 | ; Line 60
770 | xor esi, esi  ; b = 0
771 | ; Line 170
772 | add eax, ecx
773 | mov DWORD PTR _funcRVA$1$[ebp], eax
774 | ; Line 171
775 | mov eax, DWORD PTR [edi]
776 | add eax, ecx
777 | mov DWORD PTR _curr_name$1$[ebp], eax
778 | ; Line 61
779 | mov al, BYTE PTR [eax]
780 | test al, al
781 | je SHORT $LN80@shellcode
782 | mov ecx, DWORD PTR _curr_name$1$[ebp]
783 | ; Line 169
784 | mov edi, 65521 ; 0000fff1H
785 | mov ebx, DWORD PTR _a$1$[ebp]
786 | $LL46@shellcode:
787 | ; Line 62
788 | movsx eax, al
789 | add eax, ebx
790 | cdq
791 | idiv edi
792 | mov ebx, edx
793 | ; Line 63
794 | lea eax, DWORD PTR [esi+ebx]
795 | cdq
796 | idiv edi
797 | inc ecx
798 | mov esi, edx
799 | mov al, BYTE PTR [ecx]
800 | test al, al
801 | jne SHORT $LL46@shellcode
802 | mov ecx, DWORD PTR _handle$1$[ebp]
803 | mov edi, DWORD PTR tv1137[ebp]
804 | mov DWORD PTR _a$1$[ebp], ebx
805 | mov ebx, DWORD PTR tv1136[ebp]
806 | ; Line 65
807 | shl esi, 16 ; 00000010H
808 | or esi, DWORD PTR _a$1$[ebp]
809 | ; Line 173
810 | cmp esi, 427754544 ; 197f0430H  -- baked-in hash of the wanted export
811 | je SHORT $LN58@shellcode
812 | mov edx, DWORD PTR _i$1$[ebp]
813 | $LN80@shellcode:
814 | ; Line 167
815 | inc edx
816 | add ebx, 2
817 | add edi, 4
818 | mov DWORD PTR _i$1$[ebp], edx
819 | mov DWORD PTR tv1136[ebp], ebx
820 | mov DWORD PTR tv1137[ebp], edi
821 | cmp edx, DWORD PTR $T3[ebp]
822 | jae SHORT $LN85@shellcode  ; names exhausted -> eax = 0 path
823 | mov esi, DWORD PTR tv1149[ebp]
824 | jmp SHORT $LL38@shellcode
825 | $LN58@shellcode:
826 | ; Line 173
827 | mov eax, DWORD PTR _funcRVA$1$[ebp]
828 | mov eax, DWORD PTR [eax]
829 | add eax, ecx  ; resolved function VA
830 | jmp SHORT $LN35@shellcode
831 | $LN85@shellcode:
832 | ; File C:\Users\admin\Documents\GitHub\ShellcodeLab\Shellcode\shellcode.cpp
833 | ; Line 54
834 | xor eax, eax  ; lookup failed: eax = 0, yet execution falls into `call eax` below (no null check)
835 | $LN35@shellcode:
; Four-argument indirect call (0, &_msg$, &_msg$, 0), "test" for both string
; arguments; caller cleans 16 bytes (same cdecl/stdcall caveat as at Line 51).
836 | push 0
837 | lea ecx, DWORD PTR _msg$[ebp]
838 | push ecx
839 | push ecx
840 | push 0
841 | call eax
842 | add esp, 16 ; 00000010H
843 | ; Line 55
844 | xor eax, eax  ; success: return 0
845 | jmp $LN1@shellcode
846 | ?shellcode@@YAHXZ ENDP ; shellcode
847 | shcode ENDS
848 | ; Function compile flags: /Ogsp
849 | ; COMDAT _printf
850 | _TEXT SEGMENT
851 | __Format$ = 8 ; size = 4  -- format string (first stack argument)
852 | _printf PROC ; COMDAT
; Inline CRT printf from ucrt/stdio.h (Line 956): calls
; __vfprintf_l(stdout, _Format, NULL, va_list), where the va_list is the
; address of the slot after _Format and stdout is __acrt_iob_func(1).
; All four arguments are caller-cleaned (add esp, 16).
853 | ; File C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\ucrt\stdio.h
854 | ; Line 956
855 | push ebp
856 | mov ebp, esp
857 | ; Line 960
858 | lea eax, DWORD PTR __Format$[ebp+4]  ; va_list: first variadic argument
859 | push eax
860 | push 0  ; locale = NULL
861 | push DWORD PTR __Format$[ebp]
862 | push 1
863 | call DWORD PTR __imp____acrt_iob_func  ; FILE* for index 1 (stdout)
864 | pop ecx
865 | push eax
866 | call __vfprintf_l
867 | add esp, 16 ; 00000010H
868 | ; Line 963
869 | pop ebp
870 | ret 0  ; returns __vfprintf_l's result in eax
871 | _printf ENDP
872 | _TEXT ENDS
873 | ; Function compile flags: /Ogsp
874 | ; COMDAT _fprintf
875 | _TEXT SEGMENT
876 | __Stream$ = 8 ; size = 4  -- FILE* (first stack argument)
877 | __Format$ = 12 ; size = 4  -- format string (second stack argument)
878 | _fprintf PROC ; COMDAT
; Inline CRT fprintf from ucrt/stdio.h (Line 837): calls
; __vfprintf_l(_Stream, _Format, NULL, va_list) with the va_list pointing
; at the slot after _Format.  Caller cleans the 16 bytes of arguments.
879 | ; File C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\ucrt\stdio.h
880 | ; Line 837
881 | push ebp
882 | mov ebp, esp
883 | ; Line 841
884 | lea eax, DWORD PTR __Format$[ebp+4]  ; va_list: first variadic argument
885 | push eax
886 | push 0  ; locale = NULL
887 | push DWORD PTR __Format$[ebp]
888 | push DWORD PTR __Stream$[ebp]
889 | call __vfprintf_l
890 | add esp, 16 ; 00000010H
891 | ; Line 844
892 | pop ebp
893 | ret 0  ; returns __vfprintf_l's result in eax
894 | _fprintf ENDP
895 | _TEXT ENDS
896 | ; Function compile flags: /Ogsp
897 | ; COMDAT __vfprintf_l
898 | _TEXT SEGMENT
899 | __Stream$ = 8 ; size = 4
900 | __Format$ = 12 ; size = 4
901 | __Locale$ = 16 ; size = 4
902 | __ArgList$ = 20 ; size = 4
903 | __vfprintf_l PROC ; COMDAT
; Inline CRT helper from ucrt/stdio.h (Line 644): forwards to the imported
; __stdio_common_vfprintf(options, _Stream, _Format, _Locale, _ArgList),
; where `options` is the 64-bit value at the address returned by
; ___local_stdio_printf_options (pushed as two DWORDs, high half first).
; Six DWORD arguments, caller-cleaned (add esp, 24).
904 | ; File C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\ucrt\stdio.h
905 | ; Line 644
906 | push ebp
907 | mov ebp, esp
908 | ; Line 645
909 | push DWORD PTR __ArgList$[ebp]
910 | push DWORD PTR __Locale$[ebp]
911 | push DWORD PTR __Format$[ebp]
912 | push DWORD PTR __Stream$[ebp]
913 | call ___local_stdio_printf_options  ; eax = &options storage (no args, no stack effect)
914 | push DWORD PTR [eax+4]  ; high DWORD of the 64-bit options value
915 | push DWORD PTR [eax]  ; low DWORD
916 | call DWORD PTR __imp____stdio_common_vfprintf
917 | add esp, 24 ; 00000018H
918 | ; Line 646
919 | pop ebp
920 | ret 0  ; returns __stdio_common_vfprintf's result in eax
921 | __vfprintf_l ENDP
922 | _TEXT ENDS
923 | ; Function compile flags: /Ogsp
924 | ; COMDAT ___local_stdio_printf_options
925 | _TEXT SEGMENT
926 | ___local_stdio_printf_options PROC ; COMDAT
; Inline CRT accessor from ucrt/corecrt_stdio_config.h (Line 92): returns the
; address of a function-local static (`_OptionsStorage`, decorated as an
; unsigned __int64) that __vfprintf_l reads as two DWORDs.  No arguments,
; no stack effect.
927 | ; File C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\ucrt\corecrt_stdio_config.h
928 | ; Line 92
929 | mov eax, OFFSET ?_OptionsStorage@?1??__local_stdio_printf_options@@9@4_KA ; `__local_stdio_printf_options'::`2'::_OptionsStorage
930 | ; Line 93
931 | ret 0
932 | ___local_stdio_printf_options ENDP
933 | _TEXT ENDS
934 | END
935 |
--------------------------------------------------------------------------------