flat assembler
Message board for the users of flat assembler.
Windows > shellcode error
AlexP 19 Jan 2008, 23:52
The code isn't showing up for me, just a bar.

asmrox 19 Jan 2008, 23:55
Don't use IE.
Scroll it up and down. ...and what about my error?

AlexP 19 Jan 2008, 23:58
There we go. Uhhh, is the shellcode supposed to be a string? I'm not getting something...

asmrox 20 Jan 2008, 00:03
I copy it to VirtualAllocEx'ed memory and CreateRemoteThread it.

AlexP 20 Jan 2008, 00:09
I wouldn't know anythin' about shellcode, don't even know what it does.
LocoDelAssembly 20 Jan 2008, 01:21
asmrox, it is harder than that... Or are you completely sure that at $0040308C there is an import table entry pointing to MessageBox in the process you are injecting the code into?
BTW, how did you inject the code? You just called VirtualAllocEx and used the pointer directly? I posted some links related to this topic somewhere; try searching "code injection" or "WriteProcessMemory" on the forum till you find my post.

asmrox 20 Jan 2008, 02:17
Found only this topic.
I thought maybe the address should be in big endian, but no, doesn't work. I tried with kernel32, which must have a static address:
Code:
    format pe console

    section '.code' code readable executable

        push 1708                   ; PID of the target process (hardcoded)
        push 0
        push 0x001F0FFF             ; PROCESS_ALL_ACCESS
        call [OpenProcess]
        mov ebx, eax                ; ebx = target process handle

        push 0x00000040             ; PAGE_EXECUTE_READWRITE
        push 0x00001000             ; MEM_COMMIT
        push 32
        push 0
        push ebx
        call [VirtualAllocEx]
        mov esi, eax                ; esi = remote buffer

        push 0
        push 8                      ; size of shellcode
        push shellcode
        push esi
        push ebx
        call [WriteProcessMemory]

        push 0
        push 0
        push 0
        push esi                    ; thread start address = remote buffer
        push 0
        push 0
        push ebx
        call [CreateRemoteThread]

        push eax
        push f
        call [printf]
        retn -8

    section '.data' data readable writeable

        f db '%p',13,10,0
        old dd ?
        jump db 0xFF, 0x16
        ; push 0 / call dword [0x00403080]; the dword is an absolute address in this image's import table
        shellcode db 0x6A, 0x00, 0xFF, 0x15, 0x80, 0x30, 0x40, 0x00

    section '.idata' import data readable

        ; hand-written import directory: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
        dd 0,0,0,RVA msvcrt_name,RVA msvcrt_table
        dd 0,0,0,RVA kernel32_name,RVA kernel32_table
        dd 0,0,0,RVA ntdll_name,RVA ntdll_table
        dd 0,0,0,RVA user32_name,RVA user32_table
        dd 5 dup 0

      msvcrt_table:
        printf dd RVA _printf
        dd 0
      kernel32_table:
        OpenProcess dd RVA _OpenProcess
        WriteProcessMemory dd RVA _WriteProcessMemory
        VirtualProtectEx dd RVA _VirtualProtectEx
        VirtualAllocEx dd RVA _VirtualAllocEx
        CreateRemoteThread dd RVA _CreateRemoteThread
        ExitProcess dd RVA _ExitProcess
        dd 0
      ntdll_table:
        NtQuerySystemInformation dd RVA _NtQuerySystemInformation
        dd 0
      user32_table:
        MessageBoxA dd RVA _MessageBoxA
        dd 0

        msvcrt_name db 'msvcrt.dll',0
        kernel32_name db 'kernel32.dll',0
        ntdll_name db 'ntdll.dll',0
        user32_name db 'user32.dll',0

        _printf db 0,0,'printf',0
        _VirtualProtectEx db 0,0,'VirtualProtectEx',0
        _OpenProcess db 0,0,'OpenProcess',0
        _WriteProcessMemory db 0,0,'WriteProcessMemory',0
        _VirtualAllocEx db 0,0,'VirtualAllocEx',0
        _CreateRemoteThread db 0,0,'CreateRemoteThread',0
        _ExitProcess db 0,0,'ExitProcess',0
        _NtQuerySystemInformation db 0,0,'NtQuerySystemInformation',0
        _MessageBoxA db 0,0,'MessageBoxA',0

LocoDelAssembly 20 Jan 2008, 03:44
Quote: call [printf]

Jesus man, what did I tell you in the other thread? ret first uses [ESP] as the return address and later does "add esp, ret_operand". Also note that since ret does not sign-extend the operand, the result is that you increment ESP by $FFF8. In the 16-bit world it would have the effect of subtracting eight, but it is still wrong, since instead of releasing the room occupied by the args you are duplicating it.

Well, with that said, now this problem in particular...
Code:
    format pe console

    section '.code' code readable executable

        ; MODIFIED FOR TESTING:
        ;push 1708
        ;push 0
        ;push 0x001F0FFF
        ;call [OpenProcess]
        ;mov ebx, eax
        mov ebx, -1                     ; pseudo-handle for the current process

        push 0x00000040
        push 0x00001000
        push 32
        push 0
        push ebx
        call [VirtualAllocEx]
        mov esi, eax

        mov eax, [MessageBoxA]          ; read the address from this process's import table...
        mov [shellcode.messageBox], eax ; ...and patch it into the shellcode before copying it

        push 0
        push sizeof.shellcode
        push shellcode
        push esi
        push ebx
        call [WriteProcessMemory]

        push 0
        push 0
        push 0
        push esi
        push 0
        push 0
        push ebx
        call [CreateRemoteThread]

        push eax
        push f
        call [printf]
        ; ret -8 ; if you want this program to crash itself silently without showing the MessageBox then uncomment the instruction
        add esp, 8
        ret

    section '.data' data readable writeable

        f db '%p',13,10,0

      shellcode:
        push 0                          ; uType
        call @f                         ; pushes the address of the string that follows
        db "Hello World ", 0            ; lpCaption
      @@:
        call @f
        db "Is this supposed to be a shellcode?", 0   ; lpText
      @@:
        push 0                          ; hWnd
        call dword [.messageBox]        ; absolute address of .messageBox in this image; valid here because the target is this same process
        ret
      .messageBox dd ?

      sizeof.shellcode = $ - shellcode

    section '.idata' import data readable

        dd 0,0,0,RVA msvcrt_name,RVA msvcrt_table
        dd 0,0,0,RVA kernel32_name,RVA kernel32_table
        dd 0,0,0,RVA ntdll_name,RVA ntdll_table
        dd 0,0,0,RVA user32_name,RVA user32_table
        dd 5 dup 0

      msvcrt_table:
        printf dd RVA _printf
        dd 0
      kernel32_table:
        OpenProcess dd RVA _OpenProcess
        WriteProcessMemory dd RVA _WriteProcessMemory
        VirtualProtectEx dd RVA _VirtualProtectEx
        VirtualAllocEx dd RVA _VirtualAllocEx
        CreateRemoteThread dd RVA _CreateRemoteThread
        ExitProcess dd RVA _ExitProcess
        dd 0
      ntdll_table:
        NtQuerySystemInformation dd RVA _NtQuerySystemInformation
        dd 0
      user32_table:
        MessageBoxA dd RVA _MessageBoxA
        dd 0

        msvcrt_name db 'msvcrt.dll',0
        kernel32_name db 'kernel32.dll',0
        ntdll_name db 'ntdll.dll',0
        user32_name db 'user32.dll',0

        _printf db 0,0,'printf',0
        _VirtualProtectEx db 0,0,'VirtualProtectEx',0
        _OpenProcess db 0,0,'OpenProcess',0
        _WriteProcessMemory db 0,0,'WriteProcessMemory',0
        _VirtualAllocEx db 0,0,'VirtualAllocEx',0
        _CreateRemoteThread db 0,0,'CreateRemoteThread',0
        _ExitProcess db 0,0,'ExitProcess',0
        _NtQuerySystemInformation db 0,0,'NtQuerySystemInformation',0
        _MessageBoxA db 0,0,'MessageBoxA',0

But it is somewhat unreliable; the "shellcode", as you call it, must use LoadLibrary/GetProcAddress to get API function addresses. The exception is Kernel32.dll: since it is always loaded, it would be very strange for the address of, say, LoadLibrary in process A to be different in process B. (The link I posted somewhere explains this fact and also provides many other methods of code injection.)

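As an added example, not code from the thread or from the flat assembler project, the following C program hand-encodes the same x86-32 MessageBoxA "shellcode" as a byte buffer and shows the two encoding facts the thread turns on: `call @f` over an inline string is position-independent, while `call dword [abs32]` (FF 15 disp32) carries an absolute IAT address that belongs to one particular process and must be patched per target, as LocoDelAssembly does with `mov [shellcode.messageBox], eax`. It also computes what `retn -8` does to ESP. Nothing in it executes the bytes, so it runs on any host. Assumptions: 0x00403080 is taken from the bytes asmrox posted (80 30 40 00) and stands for the injector-local import entry; the sample ESP value and the patched address in the usage are made up.

```c
/* Added example (not from the thread): byte-level builder for the MessageBoxA
 * shellcode, with a fixup slot for the API pointer. Nothing here runs the bytes. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SC_MAX 256
#define ASMROX_IAT_SLOT 0x00403080u   /* from asmrox's bytes: an address inside the injector's own image (assumption) */

typedef struct { uint8_t buf[SC_MAX]; size_t len; } sc_t;

static int emit(sc_t *s, const void *p, size_t n)
{
    if (s->len + n > SC_MAX) return -1;
    memcpy(s->buf + s->len, p, n);
    s->len += n;
    return 0;
}

/* x86 immediates and displacements are little-endian (so no, not big endian). */
static void put_u32le(uint8_t *d, uint32_t v)
{
    d[0] = (uint8_t)v; d[1] = (uint8_t)(v >> 8); d[2] = (uint8_t)(v >> 16); d[3] = (uint8_t)(v >> 24);
}

static uint32_t sc_u32le_at(const sc_t *s, size_t off)
{
    if (off + 4 > s->len) return 0;
    return (uint32_t)s->buf[off] | (uint32_t)s->buf[off + 1] << 8 |
           (uint32_t)s->buf[off + 2] << 16 | (uint32_t)s->buf[off + 3] << 24;
}

/* 6A ib: push imm8 (sign-extended) */
static int emit_push_imm8(sc_t *s, int8_t v)
{
    uint8_t op[2] = { 0x6A, (uint8_t)v };
    return emit(s, op, 2);
}

/* E8 rel32 landing just past an inline NUL-terminated string: the call pushes its
 * return address, i.e. the string's address, and skips the string. This is fasm's
 * `call @f / db "...",0 / @@:` trick; it has no absolute address in it. */
static int emit_call_over_string(sc_t *s, const char *str)
{
    size_t n = strlen(str) + 1;
    uint8_t op[5] = { 0xE8 };
    if (n > 0x7fffffffu) return -1;
    put_u32le(op + 1, (uint32_t)n);     /* rel32 is measured from the end of the E8 instruction */
    if (emit(s, op, 5)) return -1;
    return emit(s, str, n);
}

/* FF 15 disp32: call dword [abs32]. Returns the offset of the disp32 (or -1) so the
 * caller can patch it per target: those four bytes name an IAT slot in one process,
 * and copied unchanged into another process they call through whatever lives there. */
static long emit_call_mem32(sc_t *s, uint32_t abs)
{
    uint8_t op[6] = { 0xFF, 0x15 };
    long off = (long)s->len + 2;
    put_u32le(op + 2, abs);
    return emit(s, op, 6) ? -1 : off;
}

static int emit_ret(sc_t *s) { uint8_t op = 0xC3; return emit(s, &op, 1); }

/* The fixup LocoDelAssembly does with `mov [shellcode.messageBox], eax`, on the buffer. */
static int sc_patch_u32(sc_t *s, long off, uint32_t v)
{
    if (off < 0 || (size_t)off + 4 > s->len) return -1;
    put_u32le(s->buf + (size_t)off, v);
    return 0;
}

/* MessageBoxA(hWnd=0, lpText, lpCaption, uType=0): stdcall, args pushed right to left. */
static long build_messagebox_sc(sc_t *s, const char *text, const char *caption, uint32_t iat_slot)
{
    long fix;
    s->len = 0;
    if (emit_push_imm8(s, 0)) return -1;               /* uType */
    if (emit_call_over_string(s, caption)) return -1;  /* lpCaption */
    if (emit_call_over_string(s, text)) return -1;     /* lpText */
    if (emit_push_imm8(s, 0)) return -1;               /* hWnd */
    fix = emit_call_mem32(s, iat_slot);                /* call dword [iat_slot] */
    if (fix < 0) return -1;
    if (emit_ret(s)) return -1;                        /* back into the thread start stub */
    return fix;
}

/* `ret imm16` pops the return address, then adds the ZERO-extended operand:
 * `retn -8` adds 0xFFF8 instead of subtracting 8. */
static uint32_t esp_after_ret_imm16(uint32_t esp, int16_t operand)
{
    return esp + 4 + (uint16_t)operand;
}

static sc_t g_sc;   /* filled by build_example() */

static long build_example(void)
{
    return build_messagebox_sc(&g_sc, "Is this supposed to be a shellcode?", "Hello World ", ASMROX_IAT_SLOT);
}

int main(void)
{
    long fix = build_example();
    size_t i;
    for (i = 0; i < g_sc.len; i++)
        printf("%02X%c", (unsigned)g_sc.buf[i], i + 1 == g_sc.len ? '\n' : ' ');
    printf("call [..] slot at offset %ld holds %08" PRIX32 "\n", fix, sc_u32le_at(&g_sc, (size_t)fix));
    printf("ESP=0012FF00: retn -8 -> %08" PRIX32 ", ret 8 -> %08" PRIX32 "\n",
           esp_after_ret_imm16(0x0012FF00u, -8), esp_after_ret_imm16(0x0012FF00u, 8));
    return 0;
}
```

The dump makes the thread's problem visible: every byte of the two `call`-over-string sequences is relative, but the four bytes after FF 15 are a raw pointer into the injector, so an injector that targets a different process has to overwrite that slot with an address valid there (or have the shellcode resolve the function itself, as the post above says) before WriteProcessMemory.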
asmrox 20 Jan 2008, 04:39
I found that link, but it's only DLL injection, which is easy.

LocoDelAssembly 20 Jan 2008, 04:54
But Win9x/Me lacks CreateRemoteThread, so it showed techniques around this topic, among others (like installing a hook), to inject the DLL, as far as I can recall.

asmfan 20 Jan 2008, 07:26
Go study assembler, lame shellcoder.

Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.