
simple windows shellcode - invoke message box

25 Apr 2010, CPOL
This trick shows how shellcode works, in the simplest possible way.
First, create a Win32 application, delete all of the generated code in main.cpp, and leave the _tWinMain block empty apart from return 0. Then add a MessageBox call with every parameter set to zero. The code in main.cpp should look like this:
// headers the Win32 project template already includes
#include <windows.h>
#include <tchar.h>

int APIENTRY _tWinMain(HINSTANCE hInstance,
                     HINSTANCE hPrevInstance,
                     LPTSTR    lpCmdLine,
                     int       nCmdShow)
{
    MessageBox(0, 0, 0, 0);  // all parameters zero: empty box, no owner
    int a = 0;               // dummy, only here to hold a breakpoint
    return 0;
}


Set a breakpoint on int a = 0, build, and debug. When the program stops at the breakpoint, open the disassembly window; it shows code like this (address, opcode bytes, instruction):

int APIENTRY _tWinMain(HINSTANCE hInstance,
                     HINSTANCE hPrevInstance,
                     LPTSTR    lpCmdLine,
                     int       nCmdShow)
{
004113B0 55               push        ebp  
004113B1 8B EC            mov         ebp,esp 
004113B3 81 EC CC 00 00 00 sub         esp,0CCh 
004113B9 53               push        ebx  
004113BA 56               push        esi  
004113BB 57               push        edi  
004113BC 8D BD 34 FF FF FF lea         edi,[ebp-0CCh] 
004113C2 B9 33 00 00 00   mov         ecx,33h 
004113C7 B8 CC CC CC CC   mov         eax,0CCCCCCCCh 
004113CC F3 AB            rep stos    dword ptr es:[edi] 
    
    MessageBox(0,0,0,0);
004113CE 8B F4            mov         esi,esp 
004113D0 6A 00            push        0    
004113D2 6A 00            push        0    
004113D4 6A 00            push        0    
004113D6 6A 00            push        0    
004113D8 FF 15 40 83 41 00 call        dword ptr [__imp__MessageBoxW@16 (418340h)] 
004113DE 3B F4            cmp         esi,esp 
004113E0 E8 5B FD FF FF   call        @ILT+315(__RTC_CheckEsp) (411140h) 
    int a = 0;
004113E5 C7 45 F8 00 00 00 00 mov         dword ptr [a],0 
    return 0;
004113EC 33 C0            xor         eax,eax 
}

Copy these lines into a text editor:
004113CE 8B F4            mov         esi,esp 
004113D0 6A 00            push        0    
004113D2 6A 00            push        0    
004113D4 6A 00            push        0    
004113D6 6A 00            push        0    
004113D8 FF 15 40 83 41 00 call        dword ptr [__imp__MessageBoxW@16


Take the opcode bytes from the second column (8B F4 6A 00 ... through FF 15 40 83 41 00) and write them as a C string of \x escapes. The result looks like this:

char* shellcode ="\x8B\xF4\x6A\x00\x6A\x00\x6A\x00\x6A\x00\xFF\x15\x40\x83\x41\x00";


Back in main.cpp, delete the MessageBox call and the dummy variable, declare a function-pointer type, and cast the byte string to it. Here is the final code:

// headers the Win32 project template already includes
#include <windows.h>
#include <tchar.h>

int APIENTRY _tWinMain(HINSTANCE hInstance,
                     HINSTANCE hPrevInstance,
                     LPTSTR    lpCmdLine,
                     int       nCmdShow)
{
    typedef void (*FUNC_PTR)();
    // The bytes copied from the disassembly: mov esi,esp / push 0 x4 /
    // call dword ptr [418340h]. 418340h is the IAT slot of MessageBoxW in
    // this particular build, and nothing follows the call (no ret).
    char* shellcode = "\x8B\xF4\x6A\x00\x6A\x00\x6A\x00\x6A\x00\xFF\x15\x40\x83\x41\x00";
    FUNC_PTR p = (FUNC_PTR)shellcode;
    p();  // jump into the string and execute it as code
    return 0;
}


Build and run the program: it shows the message box, followed by an unhandled-exception dialog ;P . The exception is expected: the copied bytes stop right after the call, with no ret, so once MessageBoxW returns execution runs off the end of the string into whatever bytes follow it. The call also targets the absolute IAT address 418340h, so the same byte string only works inside this one executable loaded at this one base address.
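The copy-the-bytes step above, and the reason the final program raises an exception, can both be checked with a short script. The following Python is an added example, not code from the article: it parses the Visual Studio disassembly lines (embedded here as a constructed sample copied from the listing above), emits the \x string, and runs two inspection checks an analyst would apply to any opaque byte string: does it end in a ret, and does it contain call [disp32] / jmp [disp32] encodings that pin it to one fixed address. The function names and the report layout are this example's own choices.

```python
import re
import struct

# Constructed input: the six disassembly lines the article says to copy out of
# the Visual Studio disassembly window (address, opcode bytes, instruction).
LISTING = """\
004113CE 8B F4            mov         esi,esp
004113D0 6A 00            push        0
004113D2 6A 00            push        0
004113D4 6A 00            push        0
004113D6 6A 00            push        0
004113D8 FF 15 40 83 41 00 call        dword ptr [__imp__MessageBoxW@16 (418340h)]
"""

# Address, then one or more "XX " byte groups (upper-case hex only, so the
# lower-case mnemonic that follows can never be taken for a byte), then text.
LINE_RE = re.compile(r"^\s*([0-9A-F]{8})\s+((?:[0-9A-F]{2}\s+)+)(\S.*)$")


def parse_listing(text):
    """Return [(address, opcode_bytes, instruction_text)] for each listing line.

    Source-code lines that Visual Studio interleaves ("MessageBox(0,0,0,0);",
    "{") carry no address or bytes and are skipped.
    """
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        addr = int(m.group(1), 16)
        code = bytes.fromhex(m.group(2).replace(" ", ""))
        out.append((addr, code, m.group(3).strip()))
    return out


def extract_bytes(text):
    """Concatenate the opcode bytes of every instruction in listing order."""
    return b"".join(code for _, code, _ in parse_listing(text))


def to_c_string(code):
    """Render bytes as the \\xNN escape string the article pastes into main.cpp."""
    return "".join("\\x%02X" % b for b in code)


def analyze(code):
    """Heuristic inspection of a raw byte string.

    ends_with_ret : last byte is a plain RET (C3), so control would return
                    to the caller instead of running off the end.
    absolute_refs : 32-bit little-endian addresses found inside
                    FF 15 (call dword ptr [disp32]) or
                    FF 25 (jmp dword ptr [disp32]) encodings; each one ties
                    the bytes to one image loaded at one base address.
    The byte scan is a heuristic: it does not fully decode x86, so a data
    byte sequence that happens to look like FF 15 would also be reported.
    """
    refs = []
    i = 0
    while i + 6 <= len(code):
        if code[i] == 0xFF and code[i + 1] in (0x15, 0x25):
            refs.append(struct.unpack_from("<I", code, i + 2)[0])
            i += 6
        else:
            i += 1
    return {
        "length": len(code),
        "ends_with_ret": code.endswith(b"\xC3"),
        "absolute_refs": refs,
    }


if __name__ == "__main__":
    code = extract_bytes(LISTING)
    print('char* shellcode = "%s";' % to_c_string(code))
    report = analyze(code)
    print("length        :", report["length"])
    print("ends_with_ret :", report["ends_with_ret"])
    print("absolute_refs :", [hex(r) for r in report["absolute_refs"]])
```

Run against the listing above, the script prints the same 16-byte string the article shows, reports ends_with_ret as False, and lists 0x418340 as the one absolute reference; those two findings are exactly why the final program shows the message box and then faults.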

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)