04-25-2013, 02:09 AM
Alright, so in a mental debate on which area of the forum I should post this in, it was decided that this is "enough" of a suitable place for it. What I am trying to do is to compile a shellcode string (representing a set of instructions), that is to call the Beep function from kernel32.dll in Windows.
I was able to get a message box to show, as well as the beep in XP SP3... But I can't get this to work with Win8 x64.
This is what I am trying to simulate if you will:
So I used the NDISASM.exe utility from the NASM suite to disassemble a test binary compiled in C++ with Visual Studio and got this result:
As you can see in this portion of the disassembly, there are the arguments for the function being pushed onto the stack starting with the duration, and then the frequency (with consideration to LIFO).
I wrote and debugged a tidbit of C++ code to retrieve the address of the Beep function from kernel32.dll:
Which gave me this address ~ 0x764531AF, which I suspect would be the equivalent of 0xAF 0x31 0x45 0x76 in shellcode, in that endianness.
After pointing to this address with my shellcode string, I still couldn't get a beep, so I went back to the start and verified that my address was correct. I even wrote an inline asm block in C++ to verify that this address was pointing to the Beep function in the dll...
Worked like a charm. But my byte code did not:
Initially I wrote some inline asm, without the hard coded address, which gave values that I couldn't really use.
I managed to get a beep in XP SP3, but this would not work in Win8 x64 obviously as shellcode is usually very OS dependent.
Any ideas on where my shellcode is wrong?
edit: I have fixed this by adding a ret, and now I'm trying to get notepad and calc to execute. For some reason calc crashes the host afterwards, but the new independent process created is entirely fine. I think to keep the main program from crashing I'll be compiling and executing the shellcode on a remote thread and do some other things there.