AvengerPL - Posted May 8, 2013

Simple MessageBox in AutoIt.

    #cs
    ===========================================================================================
    Description ..... Execute MessageBox via shellcode.
    Shellcode size .. 51 bytes
    Author .......... Avenger
    ===========================================================================================
    -------------------------------------------------------------------------------------------
    push 0x0020206f
    push 0x6c6c6548
    mov ebx, esp
    push 0x0020786f
    push 0x42656761
    push 0x7373654d
    mov ecx, esp
    xor eax, eax
    push eax
    push ebx
    push ecx
    push eax
    mov esi, 0x77d7050b
    call esi
    xor eax, eax
    mov eax, 0x7c81caa2
    call eax
    -------------------------------------------------------------------------------------------
    #ce

    $SHELLCODE = "0x686F2020006848656C6C" & _
            "89E3" & _
            "686F7820006861676542684D657373" & _
            "89E1" & _
            "31C0" & _
            "50" & _
            "53" & _
            "51" & _
            "50" & _
            "BE0B05D777" & _
            "FFD6" & _
            "31C0" & _
            "B8A2CA817C" & _
            "FFD0"

    $SHELLCODE_BUFFER = DllStructCreate("BYTE[51]")
    $PUT_SHELLCODE_TO_BUFFER = DllStructSetData($SHELLCODE_BUFFER, 1, $SHELLCODE)
    $SHELLCODE_EXECUTE = DllCall("user32.dll", "lresult", "CallWindowProc", "ptr", DllStructGetPtr($SHELLCODE_BUFFER))

UDF here: http://autoit.xaa.pl/download/file.php?id=522

Enjoy!

FireFox - Posted May 8, 2013

If this is a script to make AutoIt crash, then it's a good example.

AvengerPL (Author) - Posted May 8, 2013

The script crashes because you must change the MessageBox and ExitProcess addresses in the shellcode.

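Why the addresses have to be changed, as an added example that is not part of the original thread: a decoder for the handful of x86-32 opcodes the posted bytes use, which lists the instruction stream and reports every absolute address that is loaded into a register and then called. The names `decode` and `REGS` are this example's own; the two constants it reports are fixed virtual addresses, valid only where user32.dll and kernel32.dll are mapped exactly as on the author's system.

```python
import struct

# Bytes copied from the $SHELLCODE string in the first post (51 bytes).
SHELLCODE = bytes.fromhex(
    "686F2020006848656C6C" "89E3" "686F7820006861676542684D657373" "89E1"
    "31C0" "50" "53" "51" "50" "BE0B05D777" "FFD6" "31C0" "B8A2CA817C" "FFD0"
)
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

def decode(code):
    """Linearly decode the x86-32 subset used in the post.

    Returns (listing, calls); calls holds (register, absolute address) for
    every 'call reg' whose register was last set by 'mov reg, imm32'.
    """
    listing, calls, const = [], [], {}
    i = 0
    while i < len(code):
        op = code[i]
        nxt = code[i + 1] if i + 1 < len(code) else None
        if op == 0x68 or 0xB8 <= op <= 0xBF:      # push imm32 / mov r32, imm32
            if i + 5 > len(code):
                raise ValueError(f"truncated imm32 at offset {i}")
            imm = struct.unpack_from("<I", code, i + 1)[0]
            if op == 0x68:
                listing.append(f"push 0x{imm:08x}")
            else:
                const[REGS[op - 0xB8]] = imm      # register now holds a constant
                listing.append(f"mov {REGS[op - 0xB8]}, 0x{imm:08x}")
            i += 5
        elif 0x50 <= op <= 0x57:                  # push r32
            listing.append(f"push {REGS[op - 0x50]}")
            i += 1
        elif op in (0x89, 0x31) and nxt is not None and nxt >> 6 == 3:
            dst, src = REGS[nxt & 7], REGS[(nxt >> 3) & 7]  # register-to-register form
            const.pop(dst, None)                  # dst is no longer a known constant
            listing.append(f"{'mov' if op == 0x89 else 'xor'} {dst}, {src}")
            i += 2
        elif op == 0xFF and nxt is not None and nxt >> 3 == 0b11010:  # call r32
            reg = REGS[nxt & 7]
            if reg in const:
                calls.append((reg, const[reg]))   # call through a hardcoded address
            listing.append(f"call {reg}")
            i += 2
        else:
            raise ValueError(f"opcode 0x{op:02x} at offset {i} is outside the decoded subset")
    return listing, calls

if __name__ == "__main__":
    listing, calls = decode(SHELLCODE)
    print("\n".join(listing))
    for reg, addr in calls:
        print(f"hardcoded call target via {reg}: 0x{addr:08x}")
```
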
Shaggi - Posted May 10, 2013

> The script crashes because you must change the MessageBox and ExitProcess addresses in the shellcode.

Why call ExitProcess from the asm? AutoIt has to free its own resources first. Also, you can use DllCallAddress instead of CallWindowProc.

AvengerPL (Author) - Posted May 11, 2013

> Why call ExitProcess from the asm? AutoIt has to free its own resources first. Also, you can use DllCallAddress instead of CallWindowProc.

ExitProcess shellcode should be performed. Yes, you're right. DllCallAddress can also be used.

guinness - Posted May 11, 2013

Have you applied the necessary fixes as stated above?

AvengerPL (Author) - Posted May 11, 2013

> Have you applied the necessary fixes as stated above?

No, because I think it is a good example.

guinness - Posted May 11, 2013

> No, because I think it is a good example.

I think you need to re-read the constructive comments again, AvengerPL.

AvengerPL (Author) - Posted May 12, 2013

> I think you need to re-read the constructive comments again, AvengerPL.

I'm sorry, but my English is not good because I'm from Poland and I use Google Translate to translate your answers :-) Could you simply write what you mean?

Shaggi - Posted May 12, 2013

> ExitProcess shellcode should be performed. Yes, you're right. DllCallAddress can also be used.

What if... you wanted to continue the program after the message box? A more interesting case where this is useful is if you create a thread on the assembly instead.

wakillon - Posted May 12, 2013

> No, because I think it is a good example.

If it's a good example, why does the _GetTickCount function always return 0, and with the next function I get an APPCRASH for autoit3.exe?

AvengerPL (Author) - Posted May 13, 2013

> If it's a good example, why does the _GetTickCount function always return 0, and with the next function I get an APPCRASH for autoit3.exe?

For me everything is working properly.

    #include <ShellcodeFunctions.au3>

    MsgBox(64,"TickCount",_GetTickCount())
    MsgBox(64,"ACP",_GetACP())

Danyfirex - Posted May 13, 2013 (edited May 13, 2013 by Danyfirex)

Your code is going to crash. Try something like this:

    #include <winapi.au3>
    #include <Memory.au3>

    ; Allocate a buffer that is readable, writable and executable
    $pRemoteCode = _MemVirtualAlloc(0, 512, $MEM_COMMIT, $PAGE_EXECUTE_READWRITE)
    $CodeBuffer = DllStructCreate("byte[512]", $pRemoteCode)

    ; Resolve MessageBoxW at run time instead of hardcoding its address
    $MessageBoxAddress = DllCall("Kernel32.dll", "ptr", "GetProcAddress", "ptr", _WinAPI_GetModuleHandle("user32.dll"), "str", "MessageBoxW")
    $MessageBoxAddress = $MessageBoxAddress[0]

    $texto="hola Mundo"
    $titulo="Titulo"
    Local $tDataBuffer = DllStructCreate("wchar texto[" & StringLen($texto) + 1 & "]")
    Local $tDataBuffer2 = DllStructCreate("wchar titulo[" & StringLen($titulo) + 1 & "]")
    DllStructSetData($tDataBuffer, "texto", $texto)
    DllStructSetData($tDataBuffer2, "titulo", $titulo)

    Local $Opcode
    $Opcode &= "0x"
    $Opcode &= "68" & SwapEndian(2)                                  ; push 2 (uType)
    $Opcode &= "68" & SwapEndian(DllStructGetPtr($tDataBuffer2, 1))  ; push pointer to title
    $Opcode &= "68" & SwapEndian(DllStructGetPtr($tDataBuffer, 1))   ; push pointer to text
    $Opcode &= "68" & SwapEndian(0)                                  ; push 0 (hWnd)
    $Opcode &= "B8" & SwapEndian($MessageBoxAddress)                 ; mov eax, MessageBoxW
    $Opcode &= "FFD0"                                                ; call eax
    $Opcode &= "C3"                                                  ; ret
    DllStructSetData($CodeBuffer, 1, $Opcode)

    ;Local $Ret = DllCall("user32.dll", "int", "CallWindowProc", "ptr", DllStructGetPtr($CodeBuffer), "int", 0, "int", 0, "int", 0, "int", 0)
    local $Ret=DllCallAddress("int",DllStructGetPtr($CodeBuffer))
    Consolewrite(@CRLF & $Ret[0] & @CRLF)
    Msgbox(0,"","Normal Msgbox")

    Func SwapEndian($hex)
        Return Hex(Binary($hex))
    EndFunc ;==>SwapEndian

If you want only OP-code, it should be dynamic code.

Regards

Shaggi - Posted May 14, 2013

> Your code is going to crash. Try something like this: [code from the previous post]

Yeee, that's how I like it (have I seen that code before?)

Danyfirex - Posted May 14, 2013

> Yeee, that's how I like it (have I seen that code before?)

Sure. Maybe he should see your good msgbox thread script.

Regards

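Both scripts in this thread share one shape a reviewer can look for in AutoIt source: bytes written into a struct buffer whose pointer is then handed to DllCallAddress or CallWindowProc. The following heuristic triage is an added example, not code from any poster; the function names, the 8-byte threshold and the three abridged sample scripts are constructed for illustration.

```python
import re

HEX_LITERAL = re.compile(r'"(?:0x)?((?:[0-9A-Fa-f]{2})+)"')
EXEC_ALLOC = re.compile(r"PAGE_EXECUTE_READWRITE", re.I)
CALL_PRIMITIVES = {
    "DllCallAddress": re.compile(r"\bDllCallAddress\s*\(", re.I),
    "CallWindowProc+DllStructGetPtr": re.compile(r"CallWindowProc.*DllStructGetPtr", re.I),
}

def live_lines(source):
    """Yield code lines, skipping ';' comment lines and #cs ... #ce blocks."""
    in_block = False
    for line in source.splitlines():
        s = line.strip()
        low = s.lower()
        if low.startswith(("#cs", "#comments-start")):
            in_block = True
        elif low.startswith(("#ce", "#comments-end")):
            in_block = False
        elif s and not in_block and not s.startswith(";"):
            yield s

def triage(source, min_hex_bytes=8):
    """Flag scripts that hand a data buffer to a call-by-pointer primitive."""
    code = "\n".join(live_lines(source))
    calls = sorted(n for n, rx in CALL_PRIMITIVES.items() if rx.search(code))
    hex_bytes = sum(len(h) // 2 for h in HEX_LITERAL.findall(code))
    exec_alloc = bool(EXEC_ALLOC.search(code))
    flag = bool(calls) and (exec_alloc or hex_bytes >= min_hex_bytes)
    return {"calls": calls, "exec_alloc": exec_alloc, "hex_bytes": hex_bytes, "flag": flag}

# Constructed samples, abridged from the two scripts in this thread plus a benign one.
STATIC_BLOB = '''#cs
mov esi, 0x77d7050b
#ce
$SHELLCODE = "0x686F2020006848656C6C" & "89E3" & "BE0B05D777" & "FFD6"
$BUF = DllStructCreate("BYTE[51]")
DllStructSetData($BUF, 1, $SHELLCODE)
DllCall("user32.dll", "lresult", "CallWindowProc", "ptr", DllStructGetPtr($BUF))'''
DYNAMIC_CODE = '''$p = _MemVirtualAlloc(0, 512, $MEM_COMMIT, $PAGE_EXECUTE_READWRITE)
$Opcode &= "B8" & SwapEndian($MessageBoxAddress)
$Opcode &= "FFD0"
;Local $Ret = DllCall("user32.dll", "int", "CallWindowProc", "ptr", DllStructGetPtr($p))
Local $Ret = DllCallAddress("int", $p)'''
BENIGN = '$t = DllCall("kernel32.dll", "dword", "GetTickCount")'

if __name__ == "__main__":
    for name, src in (("static", STATIC_BLOB), ("dynamic", DYNAMIC_CODE), ("benign", BENIGN)):
        print(name, triage(src))
```

The commented-out CallWindowProc line in the second sample is ignored, so only the primitive that actually runs is reported.
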