Executing Prepared ShellCode in Delphi

posted 30 May 2010 06:24 by Delphi Basics
Executing Prepared ShellCode in Delphi.
Study by Anskya.

Generally, ShellCode is prepared in ASM or C, In this example, Delphi is used to prepare and execute shellcode.

The following project creates the shellcode:
Copy the contents of the MessageBox to the clipboard for use in the second project.

procedure shellcode;
ASM
push ebp
mov ebp, esp
Sub esp, 80h
// Title 'By DNA32r'-> esi
mov byte PTR [ebp-19h], 42h // B
mov byte PTR [ebp-18h], 79h // y
mov byte PTR [ebp-17h], 20h //
mov byte PTR [ebp-16h], 44h // D
mov byte PTR [ebp-15h], 4EH // N
mov byte PTR [ebp-14h], 41H // A
mov byte PTR [ebp-13h], 33h // 3
mov byte PTR [ebp-12h], 32H // 2
mov byte PTR [ebp-11h], 72h // r
mov byte PTR [ebp-10h], 0h // 0x00
Lea esi, [ebp-19h]
// the contents of 'Hello World!' -> edi
mov byte PTR [ebp-0Dh], 68h // H
mov byte PTR [ebp-0Ch], 65H // e
mov byte PTR [ebp-0Bh], 6Ch // L
mov byte PTR [ebp-0Ah], 6Ch // L
mov byte PTR [ebp-09h], 6Fh // o
mov byte PTR [ebp-08h], 20h //
mov byte PTR [ebp-07h], 77h // w
mov byte PTR [ebp-06h], 6Fh // o
mov byte PTR [ebp-05h], 72h // r
mov byte PTR [ebp-04h], 6Ch // L
mov byte PTR [ebp-03h], 64h // d
mov byte PTR [ebp-02h], 21h //!
mov byte PTR [ebp-01h], 0h // 0x00
Lea edi, [ebp-0Dh]

push 0 // 0
push esi // title
push edi // content
push 0 // 0
// Win2k Sp4 MessageBoxA Address = 77DF3D81h
// You can retreive the MessageBoxA for other systems using the following code:
// ShowMessage (IntToHex (DWORD ( GetProcAddress (GetModuleHandle ('User32.dll'), 'MessageBoxA')), 8));
mov EAX, 77DF3D81h // the above address for MessageBoxA
call EAX
leave
End;

With the source code we need to convert 16 hex to
Copy the contents to the clipboard

Program Project2;

const
ShellCodeSize = $ 00,000,079;

shellcode: Array [0 .. ShellCodeSize-1] of byte =
(
$ 55, $ 8B, $ EC, $ 81, $ EC, $ 80, $ 00, $ 00,
$ 00, $ C6, $ 45, $ E7, $ 42, $ C6, $ 45, $ E8,
$ 79, $ C6, $ 45, $ E9, $ 20, $ C6, $ 45, $ EA,
$ 44, $ C6, $ 45, $ EB, $ 4E, $ C6, $ 45, $ EC,
$ 41, $ C6, $ 45, $ ED, $ 33, $ C6, $ 45, $ EE,
$ 32, $ C6, $ 45, $ EF, $ 72, $ C6, $ 45, $ F0,
$ 00, $ 8D, $ 75, $ E7, $ C6, $ 45, $ F3, $ 68,
$ C6, $ 45, $ F4, $ 65, $ C6, $ 45, $ F5, $ 6C,
$ C6, $ 45, $ F6, $ 6C, $ C6, $ 45, $ F7, $ 6F,
$ C6, $ 45, $ F8, $ 20, $ C6, $ 45, $ F9, $ 77,
$ C6, $ 45, $ FA, $ 6F, $ C6, $ 45, $ FB, $ 72,
$ C6, $ 45, $ FC, $ 6C, $ C6, $ 45, $ FD, $ 64,
$ C6, $ 45, $ FE, $ 21, $ C6, $ 45, $ FF, $ 00,
$ 8D, $ 7D, $ F3, $ 6A, $ 00, $ 56, $ 57, $ 6A,
$ 00, $ B8, $ 81, $ 3D, $ DF, $ 77, $ FF, $ D0,
$ C9
);

begin
ASM
Lea, EAX, shellcode
call EAX
End;
End.

This project code shows you how to use delphi to write shellcode.
This particular demonstration code can only be run on Win2k SP4 [Due to the hard-coded MessageBoxA address]
To modify it for other operating systems, change the MessageBoxA address as detailed in the code.
Comments