Tested On: Windows 11 Home 10.0.22621, Windows Server 2022 Standard 10.0.20348, Windows Server 2019 Datacenter 10.0.17763
Null-free, position-independent, and extremely small Windows x64 shellcode that pops the calc.exe program. It can be used to test shellcode injection and/or code execution. The shellcode works by dynamically resolving the base address of kernel32.dll via the PEB and then resolving WinExec through the module's export table.
To resolve the base address of kernel32.dll, the steps are as follows:
- Locate the address of the TEB through the GS segment register
- Locate the address of the PEB in the TEB structure
- Locate the _PEB_LDR_DATA structure in the PEB structure
- Get the head of the doubly-linked list InMemoryOrderModuleList
- Walk to the 3rd entry of InMemoryOrderModuleList: program.exe (the shellcode loading program) -> ntdll.dll -> kernel32.dll (this relies on the standard load order of a native process)
- Read DllBase of that module from its _LDR_DATA_TABLE_ENTRY structure
After getting the base address of kernel32.dll, parse kernel32.dll and locate the WinExec function. The steps are as follows:
- Locate the Export Directory
- Get the number of function names and use it as the loop index
- Locate the Export Name Pointer Table
- Use a function-name hashing approach to avoid embedding the function name string in the shellcode
- In the loop, compare WinExec's hash with the hash of the current function's name
- Get the address of WinExec, supply the proper arguments, and call it. The argument lpCmdLine is "calc.exe", and the argument uCmdShow is 1.
UINT WinExec(
  [in] LPCSTR lpCmdLine,
  [in] UINT   uCmdShow
);
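To make the export-table walk concrete, here is an added Python example that is not part of the shellcode or its author's code: it builds a constructed in-memory image carrying an IMAGE_EXPORT_DIRECTORY and resolves an export by name hash exactly as the steps above describe (Export Directory -> NumberOfNames -> Export Name Pointer Table -> ordinal -> function RVA). Analysts run the same walk over a real module's export table to map hash constants found in shellcode back to API names. Assumptions: ROR-13 hashing (the page does not name its hash algorithm), the image layout, and the fake function RVAs are all constructed for this example.

```python
import struct

# Constructed example (not the shellcode's own code): a minimal in-memory
# image carrying an IMAGE_EXPORT_DIRECTORY, so the export-table walk the
# text describes can be exercised offline without loading kernel32.dll.
EXPORT_DIR_RVA = 0x1000  # assumed RVA of the export directory in the image

def ror13_hash(name: str) -> int:
    """ROR-13 API hash (assumed algorithm; the page does not name the hash it uses)."""
    h = 0
    for c in name.encode():
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + c) & 0xFFFFFFFF
    return h

def build_image(exports):
    """Build the constructed image: export directory, then the three tables, then the name strings."""
    n = len(exports)
    funcs_rva = EXPORT_DIR_RVA + 40          # AddressOfFunctions table
    names_rva = funcs_rva + 4 * n            # Export Name Pointer Table
    ords_rva = names_rva + 4 * n             # AddressOfNameOrdinals table
    str_rva = ords_rva + 2 * n               # NUL-terminated name strings
    blob, name_rvas = bytearray(), []
    for name in exports:
        name_rvas.append(str_rva + len(blob))
        blob += name.encode() + b"\0"
    image = bytearray(str_rva + len(blob))
    # IMAGE_EXPORT_DIRECTORY fields: Characteristics, TimeDateStamp, Major/MinorVersion, Name,
    # Base, NumberOfFunctions, NumberOfNames, AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals
    struct.pack_into("<IIHHIIIIIII", image, EXPORT_DIR_RVA,
                     0, 0, 0, 0, 0, 1, n, n, funcs_rva, names_rva, ords_rva)
    for i, name_rva in enumerate(name_rvas):
        struct.pack_into("<I", image, funcs_rva + 4 * i, 0x20000 + 0x10 * i)  # fake function RVAs
        struct.pack_into("<I", image, names_rva + 4 * i, name_rva)
        struct.pack_into("<H", image, ords_rva + 2 * i, i)
    image[str_rva:] = blob
    return bytes(image)

def resolve_by_hash(image, export_dir_rva, target_hash):
    """Walk the Export Name Pointer Table; return (name, function RVA) of the export whose name hashes to target_hash."""
    num_names, funcs_rva, names_rva, ords_rva = struct.unpack_from("<IIII", image, export_dir_rva + 24)
    for i in range(num_names):
        name_rva = struct.unpack_from("<I", image, names_rva + 4 * i)[0]
        name = image[name_rva:image.index(b"\0", name_rva)].decode()
        if ror13_hash(name) == target_hash:
            ordinal = struct.unpack_from("<H", image, ords_rva + 2 * i)[0]
            return name, struct.unpack_from("<I", image, funcs_rva + 4 * ordinal)[0]
    return None  # no export with that hash: the caller should treat this as a failed resolution
```

Feeding the hash constants pulled from a shellcode sample into resolve_by_hash over a real module's export table gives the API names the sample intends to call, which is how a triage analyst recovers WinExec from an otherwise string-free blob.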