0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
win32/xp sp2 PEB ISbeingdebugged shellcode
[================================
win32/xp sp2 PEB ISbeingdebugged
================================
#name: win xp sp2 PEB ISbeingdebugged shellcode
#Date: 14.12.2009.
here is the ASM code made using masm32
if program is being run under debugger the shellcode wil start beeping :D
//////////////////////begin///////////////////////////////////////
.386
.model flat, stdcall
option casemap :none
INCLUDE C:\MASM32\INCLUDE\WINDOWS.INC
INCLUDE C:\MASM32\INCLUDE\KERNEL32.INC
INCLUDE C:\MASM32\INCLUDE\USER32.INC
INCLUDE C:\MASM32\INCLUDE\MASM32.INC
INCLUDELIB C:\MASM32\LIB\KERNEL32.LIB
INCLUDELIB C:\MASM32\LIB\USER32.LIB
INCLUDELIB C:\MASM32\LIB\MASM32.LIB
.data
ExitMsg DB "Enter to Exit", 0
.code
start:
assume fs:nothing
mov eax,fs:[30h]
mov eax, [eax+02h]
mov ebx, 7FFF8000h
add ebx,7FFF8000h
inc ebx
push 300h
push 200h
mov edx,7c837a8fh
cmp eax,ebx
jnz exit
call edx
exit:
invoke ExitProcess,NULL
end start
/////////////////////////////end///////////////////////////////
here is the dump of code using olly debugger
00401000 >/$ 64:A1 30000000 MOV EAX,DWORD PTR FS:[30]
00401006 |. 8B40 02 MOV EAX,DWORD PTR DS:[EAX+2]
00401009 |. BB 0080FF7F MOV EBX,7FFF8000
0040100E |. 81C3 0080FF7F ADD EBX,7FFF8000
00401014 |. 43 INC EBX
00401015 |. 68 00030000 PUSH 300 ; /Duration = 768. ms
0040101A |. 68 00020000 PUSH 200 ; |Frequency = 200 (512.)
0040101F |. BA 8F7A837C MOV EDX,kernel32.Beep ; |
00401024 |. 3BC3 CMP EAX,EBX ; |
00401026 |. 75 02 JNZ SHORT antidebu.0040102A ; |
00401028 |. FFD2 CALL EDX ; \Beep
0040102A |> 6A 00 PUSH 0 ; /ExitCode = 0
0040102C \. E8 01000000 CALL <JMP.&kernel32.ExitProcess> ; \ExitProcess
00401031 CC INT3
00401032 .-FF25 00204000 JMP DWORD PTR DS:[<&kernel32.ExitProcess>; kernel32.ExitProcess
here is the shellcode
\x64\xA1\x30\x00\x00\x00\x8B\x40\x02\xBB\x00\x80\xFF\x7F\x81\xC3\x00\x80\xFF\x7F\x43\x68\x00\x03\x00\x00\x68\x00\x02\x00\x00\xBA\x8F\x7A\x83\x7C\x3B\xC3\x75\x02\xFF\xD2\x6A\x00\xE8\x01\x00\x00\x00\xCC\xFF\x25\x00\x20\x40\x00
# 0day.today [2024-12-23] #