In the previous shellcode tutorial, I'm using linux as my environment. After research and google for a while, I think it's time to write something about windows shellcode.
The most significant difference between linux shellcode and windows shellcode is that when writing linux shellcode we use system call to achieve the goal we want. However, in windows, the system call will various in different version. Therefore, when writing windows shellcode, we have to use windows API to achieve the goal.
There are several ways to get the windows API address and the most simple one is using GetProcAddress() and LoadLibraryA() in kernel32.dll.
I use the following C program to demonstrate how to use these two API.
#include <windows.h> #include <stdio.h> int main() { unsigned int api_addr = 0; api_addr = GetProcAddress(LoadLibraryA("kernel32.dll"), "ExitProcess"); printf("address 0x%x\n", api_addr); }
In the above example the api_addr will contains the virtual address of ExitProcess().
P.S You can get more information of windows API in MSDN.
After knowing the address of ExitProcess, it's time to write a simple shellcode that will exit the program.
.global _main _main: pushl $0; movl $0xdeadbeef, %ebx; call *%ebx;
In the above assembly code, you have to change the $0xdeadbeef to the API address the previous C program output to you. And the reason why using call *%ebx instead of call $0xdeadbeef is that when using call $0xdeadbeef the assembler will compile the code into a relative call instead of a direct call; therefore the result may not be what we are expected. I have mentioned this in the previous post. If you want u can check here.
http://mike820324.blogspot.com/2011/05/shell-code.html
This post is only a brief introduction of windows shellcode, I will post more advanced technique and shellcode later these days.