Executing Prepared ShellCode in Delphi

Post date: May 30, 2010 1:24:54 PM

Study by Anskya.

Generally, shellcode is prepared in ASM or C. In this example, Delphi is used both to prepare the shellcode and to execute it.

The following project creates the shellcode:

Copy the contents of the MessageBox to the clipboard for use in the second project.

procedure shellcode;
asm
  push ebp
  mov ebp, esp
  sub esp, 80h
  // title 'By DNA32r' -> esi (built byte by byte on the stack, NUL-terminated)
  mov byte ptr [ebp-19h], 42h // B
  mov byte ptr [ebp-18h], 79h // y
  mov byte ptr [ebp-17h], 20h // space
  mov byte ptr [ebp-16h], 44h // D
  mov byte ptr [ebp-15h], 4Eh // N
  mov byte ptr [ebp-14h], 41h // A
  mov byte ptr [ebp-13h], 33h // 3
  mov byte ptr [ebp-12h], 32h // 2
  mov byte ptr [ebp-11h], 72h // r
  mov byte ptr [ebp-10h], 0   // 0x00 terminator
  lea esi, [ebp-19h]
  // the contents 'Hello world!' -> edi
  mov byte ptr [ebp-0Dh], 68h // H
  mov byte ptr [ebp-0Ch], 65h // e
  mov byte ptr [ebp-0Bh], 6Ch // l
  mov byte ptr [ebp-0Ah], 6Ch // l
  mov byte ptr [ebp-09h], 6Fh // o
  mov byte ptr [ebp-08h], 20h // space
  mov byte ptr [ebp-07h], 77h // w
  mov byte ptr [ebp-06h], 6Fh // o
  mov byte ptr [ebp-05h], 72h // r
  mov byte ptr [ebp-04h], 6Ch // l
  mov byte ptr [ebp-03h], 64h // d
  mov byte ptr [ebp-02h], 21h // !
  mov byte ptr [ebp-01h], 0   // 0x00 terminator
  lea edi, [ebp-0Dh]
  // MessageBoxA(hWnd, lpText, lpCaption, uType): arguments are pushed right to left
  push 0   // uType
  push esi // lpCaption (title)
  push edi // lpText (content)
  push 0   // hWnd
  // Win2k SP4 MessageBoxA address = 77DF3D81h
  // You can retrieve the MessageBoxA address for other systems using the following code:
  // ShowMessage(IntToHex(DWORD(GetProcAddress(GetModuleHandle('User32.dll'), 'MessageBoxA')), 8));
  mov eax, 77DF3D81h // the above address for MessageBoxA
  call eax
  leave
  ret // return to the caller; without it execution runs off the end of the byte array
end;

With the source code we need to convert 16 hex to

Copy the contents to the clipboard

program Project2;

const
  ShellCodeSize = $0000007A;
  // Byte dump of the compiled shellcode procedure above (ends with leave, ret)
  shellcode: array [0..ShellCodeSize-1] of byte = (
    $55, $8B, $EC, $81, $EC, $80, $00, $00,
    $00, $C6, $45, $E7, $42, $C6, $45, $E8,
    $79, $C6, $45, $E9, $20, $C6, $45, $EA,
    $44, $C6, $45, $EB, $4E, $C6, $45, $EC,
    $41, $C6, $45, $ED, $33, $C6, $45, $EE,
    $32, $C6, $45, $EF, $72, $C6, $45, $F0,
    $00, $8D, $75, $E7, $C6, $45, $F3, $68,
    $C6, $45, $F4, $65, $C6, $45, $F5, $6C,
    $C6, $45, $F6, $6C, $C6, $45, $F7, $6F,
    $C6, $45, $F8, $20, $C6, $45, $F9, $77,
    $C6, $45, $FA, $6F, $C6, $45, $FB, $72,
    $C6, $45, $FC, $6C, $C6, $45, $FD, $64,
    $C6, $45, $FE, $21, $C6, $45, $FF, $00,
    $8D, $7D, $F3, $6A, $00, $56, $57, $6A,
    $00, $B8, $81, $3D, $DF, $77, $FF, $D0,
    $C9, $C3
  );

begin
  asm
    lea eax, shellcode // address of the byte array
    call eax           // run the bytes as code (the data section must be executable, as on Win2k without DEP)
  end;
end.

This project shows how to use Delphi to write and run shellcode.

This particular demonstration can only be run on Win2k SP4, because of the hard-coded MessageBoxA address.

To modify it for other operating systems, change the MessageBoxA address as detailed in the code.