Asm and Shellcode in CSharp


Author: Dave
Date: 08.21.10 - 6:14pm

I searched for a while but didnt see any examples. Maybe just allot of noise. Anyway a little screwing around and I was able to port the old VB6 CallWindowProc trick to CSharp for executing your own asm. Make sure to set the /unsafe flag :)

You can find more info on developing asm buffers to use in thiss technique in my other blog here. Basically just build it in C to some general rules and then rip the opcodes to a byte buffer. 

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Runtime.InteropServices;

namespace ConsoleApplication1 {
    class Program {

        [DllImport("user32")]
        private static extern int CallWindowProc
            (int lpPrevWndFunc, int hWnd, int Msg, int wParam, int lParam);

        
        public static unsafe int shl(int x){
            //8B45 0C        MOV EAX,DWORD PTR SS:[EBP+12]
            //D1E0           SHL EAX,1
            //C2 10 00       RETN 10h
            byte[] b = {0x8B, 0x45, 0x0C, 0xD1, 0xE0, 0xC2, 0x10, 0x00};
            fixed (byte* bb = &b[0])
            {
                int bi = (int)bb;
                return CallWindowProc(bi, x, 0, 0, 0);
            }
        }

        public static unsafe int shr(int x){
            //8B45 0C        MOV EAX,DWORD PTR SS:[EBP+12]
            //D1E8           SHR EAX,1
            //C2 10 00       RETN 10h
            byte[] b = {0x8B, 0x45, 0x0C, 0xD1, 0xE8, 0xC2, 0x10, 0x00};
            fixed (byte* bb = &b[0]) {
                int bi = (int)bb;
                return CallWindowProc(bi, x, 0, 0, 0);
            }
        }

        public static unsafe void CallShellcode() {

            byte[] calc_shellcode = { //skylined calc shellcode from google code
                0x31, 0xF6, 0x56, 0x64, 0x8B, 0x76, 0x30, 0x8B, 0x76, 0x0C, 0x8B, 
                0x76, 0x1C, 0x8B, 0x6E, 0x08, 0x8B, 0x36, 0x8B, 0x5D, 0x3C, 0x8B, 
                0x5C, 0x1D, 0x78, 0x01, 0xEB, 0x8B, 0x4B, 0x18, 0x67, 0xE3, 0xEC,
                0x8B, 0x7B, 0x20, 0x01, 0xEF, 0x8B, 0x7C, 0x8F, 0xFC, 0x01, 0xEF, 
                0x31, 0xC0, 0x99, 0x32, 0x17, 0x66, 0xC1, 0xCA, 0x01, 0xAE, 0x75, 
                0xF7, 0x66, 0x81, 0xFA, 0x10, 0xF5, 0xE0, 0xE2, 0x75, 0xCC, 0x8B, 
                0x53, 0x24, 0x01, 0xEA, 0x0F, 0xB7, 0x14, 0x4A, 0x8B, 0x7B, 0x1C, 
                0x01, 0xEF, 0x03, 0x2C, 0x97, 0x68, 0x2E, 0x65, 0x78, 0x65, 0x68, 
                0x63, 0x61, 0x6C, 0x63, 0x54, 0x87, 0x04, 0x24, 0x50, 0xFF, 0xD5, 
                0xC3
            };

            try {
                fixed (byte* bb = &calc_shellcode[0]) {
                    int bi = (int)bb;
                    CallWindowProc(bi, 0, 0, 0, 0);
                }
            }
            catch (Exception e) { }

        }

        static void Main(string[] args) {

            int a = shl(4);
            int b = shr(4);
            Console.WriteLine("shl(4)=" + a + " shr(4)=" + b);
            Console.WriteLine("Press any key to call skylines calc shellcode");
            Console.ReadKey();
            CallShellcode();
            
        
        }
    }
}



RSS Feed
About Me
Home

Posts:
Asm and Shellcode in CSharp
Fancy Return Address
Mem dump imports
Wingraph32 Replacement
PDF Stream Dumper
SWF Decompilation
IDC Dump Fix Patch
Malcode Call API by Hash
WinDbg Cheat Sheet
new tool - unlocreate
iDefense iDbg Debugger Library
new tool - Alloc/Free Logger
new tool - wininet hooks
GPG Automation
IDA Wingraph


Comments: (1)

On 08.22.10 - 2:36pm Dave wrote:
A little more playing... you can also do 
[DllImport("user32")]
private unsafe static extern int CallWindowProc
       (byte* lpPrevWndFunc, int hWnd, int Msg, int wParam, int lParam);

fixed (byte* bb = &b[0]){
     return CallWindowProc(bb, x, 0, 0, 0);
}

 
Leave Comment:
Name:
Email: (not shown)
Message: (Required)
Security Code