Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

win32/xp sp2 PEB ISbeingdebugged shellcode

🗓️ 14 Dec 2009 00:00:00Reported by 73oType 
zdt
 zdt🔗 0day.today👁 23 Views

Win XP SP2 PEB ISbeingdebugged shellcode using masm32, beeps if run under debugge

Code
================================
win32/xp sp2 PEB ISbeingdebugged
================================

#name: win xp sp2 PEB ISbeingdebugged shellcode
 
#Date: 14.12.2009.
 
here is the ASM code made using masm32
 
 
if program is being run under debugger the shellcode wil start beeping :D
//////////////////////begin///////////////////////////////////////
 
.386
.model flat, stdcall
option casemap :none
INCLUDE  C:\MASM32\INCLUDE\WINDOWS.INC
INCLUDE  C:\MASM32\INCLUDE\KERNEL32.INC
INCLUDE  C:\MASM32\INCLUDE\USER32.INC
INCLUDE  C:\MASM32\INCLUDE\MASM32.INC
INCLUDELIB  C:\MASM32\LIB\KERNEL32.LIB
INCLUDELIB  C:\MASM32\LIB\USER32.LIB
INCLUDELIB  C:\MASM32\LIB\MASM32.LIB
 
 
    .data
ExitMsg  DB "Enter to Exit", 0
 
  .code
 start:
assume fs:nothing
mov eax,fs:[30h]
mov     eax, [eax+02h]
mov ebx, 7FFF8000h
add ebx,7FFF8000h
inc ebx
push 300h
push 200h
mov edx,7c837a8fh
cmp eax,ebx
jnz exit
call edx
exit:
invoke ExitProcess,NULL
 
 
end start
 
 
/////////////////////////////end///////////////////////////////
 
here is the dump of code using olly debugger
 
 
00401000 >/$ 64:A1 30000000 MOV EAX,DWORD PTR FS:[30]
00401006  |. 8B40 02        MOV EAX,DWORD PTR DS:[EAX+2]
00401009  |. BB 0080FF7F    MOV EBX,7FFF8000
0040100E  |. 81C3 0080FF7F  ADD EBX,7FFF8000
00401014  |. 43             INC EBX
00401015  |. 68 00030000    PUSH 300                                 ; /Duration = 768. ms
0040101A  |. 68 00020000    PUSH 200                                 ; |Frequency = 200 (512.)
0040101F  |. BA 8F7A837C    MOV EDX,kernel32.Beep                    ; |
00401024  |. 3BC3           CMP EAX,EBX                              ; |
00401026  |. 75 02          JNZ SHORT antidebu.0040102A              ; |
00401028  |. FFD2           CALL EDX                                 ; \Beep
0040102A  |> 6A 00          PUSH 0                                   ; /ExitCode = 0
0040102C  \. E8 01000000    CALL <JMP.&kernel32.ExitProcess>         ; \ExitProcess
00401031     CC             INT3
00401032   .-FF25 00204000  JMP DWORD PTR DS:[<&kernel32.ExitProcess>;  kernel32.ExitProcess
 
 
 
 
 
 
here is the shellcode
\x64\xA1\x30\x00\x00\x00\x8B\x40\x02\xBB\x00\x80\xFF\x7F\x81\xC3\x00\x80\xFF\x7F\x43\x68\x00\x03\x00\x00\x68\x00\x02\x00\x00\xBA\x8F\x7A\x83\x7C\x3B\xC3\x75\x02\xFF\xD2\x6A\x00\xE8\x01\x00\x00\x00\xCC\xFF\x25\x00\x20\x40\x00



#  0day.today [2018-04-02]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
14 Dec 2009 00:00Current
7High risk
Vulners AI Score7
win xp sp2pebisbeingdebuggedshellcodemasm32debuggerbeeping
23