Re: Shellcode Help?
Code:
000007D0 68E803 push word 0x3e8
000007D3 0000 add [bx+si],al
000007D5 68BC02 push word 0x2bc
000007D8 0000 add [bx+si],al
000007DA FF15 call word [di]
So here's what part of the relevent disassembly looked like from ndisasm... You can see the value for the second param of the Beep function from kernel32.dll being pushed onto the stack (
0x3E8 = 1000, for a 1 second duration or 1000ms), as well as the frequency (
0x2BC = 700).
I wrote my own C++ program that got the address of the Beep function from kernel32.dll which returned
0x764531AF, which I suspected was
\xAF\x31\x45\x76 in shellcode.
Code:
GetProcAddress(
GetModuleHandle(L"kernel32.dll"),
"Beep"
);
After doing some tests I could not get a beep, so I wondered if this was all accurate information, and it seemed to be confirmed after I did some other tests to get the address for this function.
I'm using
Windows 8 x64 Pro with Media Center. Tested through VS to try some inline asm:
Code:
01258365 mov eax,dword ptr ds:[012612B4h]
0125836A push 3E8h
0125836F push 2EEh
01258374 call eax
This worked when ran directly in the debugger... Although this is not what I wanted, as that is not a usable address, if I was to convert this to shellcode:
So I tried substituting the actual function address from the
kernel32.dll module as
0x764531AF (
\xAF\x31\x45\x76) just to see, and no luck still even with putting that address in manually:
Code:
009163DA mov eax,764531AFh
009163DF push 3E8h
009163E4 push 2EEh
009163E9 call eax
*Which became this in shellcode:
Code:
\xB8\xAF\x31\x45\x76\x68\xE8\x03\x00\x00\x68\xEE\x02\x00\x00\xFF\xD0
edit:
NOTE: The inline asm worked for that address. But the shellcode derived from the disassembly did not... Just to clarify.
I tried anyways, because obviously the shellcode below as an example, was designed for XP SP3, and thus wouldn't work with my Win8 OS as shellcode is usually very OS dependent.
- XP SP3 Beep Function:
Code:
\x33\xC0\xB8 ... \x68\x00\x04\x00\x00\x68\x00\x03\x00\x00\xFF\xD0
Where the ... would indicate where the shellcode for the address to the function should be placed.
edit: Ahh.. This is annoying me, lol. I am determined to figure this out.
Even tried adding
\x33\xC0 to the beginning (instruction XOR EDX,EDX) to set EDX register to 0, but it did not work. I'm currently trying to set up XP in Hyper-V to do some testing there...
edit: In the meantime, I'm going to try testing on XP and Windows 7 to see what I can get to work. If anyone wants to try some inline asm in C++ here is the code I came up with for the Beep function from kernel32.dll... I will post variations.
You can pass a hardcoded value as the address to the function:
Code:
__asm
{
mov eax,dword ptr 0x764531AF // Kernel32.dll!76468543()
push 0x3E8 // Duration argument
push 0x2EE // Frequency argument
call eax // Call function
}
You can pass the address from the GetProcAddress() function:
Code:
PROC handle = GetProcAddress(
GetModuleHandle(L"kernel32.dll"),
"Beep"
);
cout << "Kernel32.dll Beep Func Address - 0x" << handle << endl;
__asm
{
mov eax,handle
push 0x3E8
push 0x2EE
call eax
}
Or put the function itself in directly to move the address into the EAX register:
Code:
__asm
{
mov eax,Beep
push 0x3E8
push 0x2EE
call eax
}
Keep in mind LIFO for the push instruction if you are wondering why it is reversed.
This was handy though, grabbing the address of a function, so I created a wrapper application for it in C using Code::Blocks.
edit: I was actually fooling around lots with inline asm in C++ for the last while, and it seems I am catching on quickly. ASM is actually a fairly simple language, if you know the rules. Here was my testing for bitshifting:
Code:
// 1
int x = 2;
__asm
{
mov eax,x
shr eax,2
mov x,eax
}
cout << x << endl;
// 2
int y = 2;
y >>= 2;
cout << y << endl;
Marked by the comments, // 1 and // 2 are the exact same thing really. Just thought I would share my examples. Bitshifting to the right by 2, from 2, gives 0. (And that's what this demonstrates.)
