# Running Shellcode Directly From Binary File (Demo)



## AceInfinity (Jan 21, 2012)

Alright, so for experimental purposes and for what I have been working on the past while. Originally the deal was to execute the Beep function from kernel32.dll. I spent time through many exceptions and odd errors, until I finally got a beep.


```
Beep(700, 1000);
```


```
000007D0 68E803 push word 0x3e8
000007D3 0000 add [bx+si],al
000007D5 68BC02 push word 0x2bc
000007D8 0000 add [bx+si],al
000007DA FF15 call word [di]
```
Here's what part of the relevent disassembly looked like from ndisasm... You can see the value for the second param of the Beep function from kernel32.dll being pushed onto the stack (0x3E8 = 1000, for a 1 second duration or 1000ms), as well as the frequency (0x2BC = 700).

I wrote my own C++ program that got the address of the Beep function from kernel32.dll which returned *0x764531AF*, which I suspected was *\xAF\x31\x45\x76* in shellcode.


```
GetProcAddress(
    GetModuleHandle(L"kernel32.dll"),
    "Beep"
);
```
I tested the address through some inline asm via C++:

```
__asm
{
    mov eax,dword ptr 0x764531AF // Kernel32.dll!76468543()
    push 0x3E8 // Duration argument
    push 0x2EE // Frequency argument
    call eax // Call function
}
```


```
009163DA    mov eax,764531AFh
009163DF    push 3E8h
009163E4    push 2EEh
009163E9    call eax
```
And it worked. So the address was confirmed to be the right one. 

Here was the final product:

```
\xB8\xAF\x31\x45\x76\x68\xE8\x03\x00\x00\x68\xEE\x02\x00\x00\xFF\xD0
```
Similarly in XP x86 (SP3), was tested shellcode that looked somewhat like this, (*Note: excluding the address of the function for the byte order of the shellcode below, because it is insignificant as it's probably not going to be the same address for _you_ if you were to test.):


```
\x33\xC0\xB8 ... \x68\x00\x04\x00\x00\x68\x00\x03\x00\x00\xFF\xD0
```
And it all worked, however segmentation faults were being thrown by a program I wrote in C that was to argument the shellcode and execute it at runtime, so I figured that I would add a *ret* instruction to the end which fixed all problems; \xC3.










Here was the demonstration of my program written in C for executing shellcode embedded within .bin files:

ExecShellCode Demo - AceInfinity - YouTube

I was fooling around with some various stuff in C++ earlier. I plan on seeing what I can do for pumping a set of byte instructions into a dummy program via C# just for the fun of it and learning later on... However, in the meantime, this is a POC, and is by no means "finished" yet as far as I am concerned...

I want to dynamically create a child process to run the shellcode in instead of having it run in the main parent process as the host for execution, or maybe even a dummy thread using the CreateThread or CreateRemoteThread functions.

You'll also see another program I wrote which is used as a utility for easily grabbing the address of a function within a module called *GetProcAddr*.

I increased the buffer size to keep a place for the shellcode to be when it is executed at a size of *(1024 * 10) bytes* in size. Thus, that would be the max number of bytes you could expect to execute at runtime. 

*Architecture*: Intel x86-64 (64 Bit)
*OS*: Windows 8 Pro (with Media Center)

Take note that shellcode is highly OS and Architecture dependent usually, therefore debugging my program to run _other_ shellcode usually does not work.

For one example I did I was pointed to address 0x0028D71A as the problem when debugging the thrown exception via Visual Studio:

```
0028D716    xor         edx,edx  
0028D718    dec         eax  
0028D71A    mov         edx,dword ptr [edx+60h]
```


```
0xC0000005: Access violation reading location 0x00000060.
```
So after EAX gets set to 0x00000000, the dec instruction subtracts one from the destination operand being the EAX register... Reading about the dec instruction, it treats all integers as unsigned datatypes too, which makes sense, being that the instruction is to subtract from the value.

Just thought I would share my work here. My intention was to just share my experience on this, as well as information/knowledge for any of those curious.

The program I created to fetch the address of the function from a specified module was extended to display the shellcode for that relevent address as well:










Simple enough by using bitwise operations.


----------

