This is a simple GUI for executing machine code given in text form, or as one would say, uncompiled shellcode. The application uses a trick to execute binaries from memory. What gets mapped into memory first is a standard minimal shellcode executer that looks like this:

    #include <stdio.h>
    #include <string.h>
    #include <stdlib.h>

    /* Placeholder: in the compiled executer this array is a 10240-byte block of 00s,
       which the GUI later overwrites with the pasted code. The section holding the
       array has to be executable for the call below to work. */
    char code[] = "the shellcode";

    int main(int argc, char **argv)
    {
        (void)argc; (void)argv;            /* unused */
        ((void (*)())code)();              /* treat the byte array as a function and call it */
        return 0;
    }
However, I compiled it in Visual Studio with 10240 bytes of junk (00's), so the actual executer does absolutely nothing in itself, but can receive up to 10240 bytes of code. Now we can write our custom shellcode into the right memory location and execute the memory-mapped shellcode executer, which now holds our shellcode. Btw, the execute-from-memory trick originates from trancexx: http://www.autoitscr...412-run-binary/ which in turn was probably learned from: http://www.joachim-b...ll-from-memory/
The memory-mapped exe is located inside the GUI as a resource. It is named SHELLCODE and is of type RCDATA. Check with a PE editor. Alternatively it could have been embedded in the actual script.
So how do we execute the testing code?
- Paste the code directly into the input field and press execute. Code can be in the usual form: "xFCx33xD2xB2x30x64xFFx32x5Ax8B" or "FC33D2B23064FF325A8B". All non-hexadecimal characters are automatically stripped out, so just paste the code, but without any comments.
- Open and execute a text file with code in the form as specified in #1.
- Open and execute a binary file containing the shellcode.
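As an added example (not part of the original post or the GUI's own code), this is how the two steps the post describes can be implemented in C: stripping every non-hex character from the pasted text and packing the digit pairs into bytes, then copying the result over the 10240-byte placeholder of the mapped executer with a size check. The names, the placeholder offset parameter, and the sample inputs in self_check are assumptions; CODE_CAPACITY is taken from the 10240-byte figure in the post.

```c
#include <stddef.h>
#include <string.h>
/* Size of the zero-filled placeholder the post's executer carries. */
#define CODE_CAPACITY 10240
static int hex_value(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}
/* Drop every non-hex character and pack the remaining digit pairs into out.
   Returns the byte count, or -1 on a dangling nibble or when out is too small. */
long hex_text_to_bytes(const char *text, unsigned char *out, size_t out_cap) {
    size_t n = 0;
    int hi = -1;
    for (const char *p = text; *p; p++) {
        int v = hex_value((unsigned char)*p);
        if (v < 0) continue;                 /* 'x', '\\', spaces, quotes: skipped */
        if (hi < 0) { hi = v; continue; }
        if (n >= out_cap) return -1;
        out[n++] = (unsigned char)((hi << 4) | v);
        hi = -1;
    }
    return hi < 0 ? (long)n : -1;
}
/* Copy payload over the placeholder at placeholder_off inside the mapped image,
   refusing a payload larger than the placeholder or an offset outside the image. */
int patch_placeholder(unsigned char *image, size_t image_len, size_t placeholder_off,
                      const unsigned char *payload, size_t payload_len) {
    if (payload_len > CODE_CAPACITY) return -1;
    if (placeholder_off > image_len || image_len - placeholder_off < CODE_CAPACITY) return -1;
    memset(image + placeholder_off, 0, CODE_CAPACITY); /* wipe bytes left by a previous run */
    memcpy(image + placeholder_off, payload, payload_len);
    return 0;
}
/* Constructed checks: both input forms from the post decode to the same 10 bytes;
   a comment such as "; push eax" leaks its hex letters (E, A) into the payload,
   which is why the post says to paste without comments. Returns 0 on success. */
int self_check(void) {
    static unsigned char image[CODE_CAPACITY + 4096];   /* stand-in for the mapped executer */
    unsigned char a[16], b[16], c[16];
    if (hex_text_to_bytes("xFCx33xD2xB2x30x64xFFx32x5Ax8B", a, sizeof a) != 10) return 1;
    if (hex_text_to_bytes("FC33D2B23064FF325A8B", b, sizeof b) != 10 || memcmp(a, b, 10)) return 2;
    if (hex_text_to_bytes("FC ; push eax", c, sizeof c) != 2 || c[1] != 0xEA) return 3;
    if (hex_text_to_bytes("FC3", c, sizeof c) != -1) return 4;
    if (patch_placeholder(image, sizeof image, 4096, a, 10) != 0 || image[4096] != 0xFC) return 5;
    return 0;
}
int main(void) { return self_check(); }
```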
More shellcode explanation might be necessary, but I'm really not very experienced with shellcoding, and am therefore not the right person to do so. But this is one of the things I found hard to grasp when looking at this the first time: how to test it. I am not saying this is something great to have when developing shellcode. I am just saying it might be useful when getting your hands dirty for the first time, and learning. For instance you have some shellcode that opens a messagebox, but the address is wrong and you want to change it and test without recompiling or debugging. Or you have some basic shellcode that executes a Beep or calc.exe, that you want to fiddle with. Preferably run all this inside a virtual machine when testing (and maybe most easily done in nt5.x). For some serious tracing, a debugger would be necessary anyway, so this is inherently very limited in usefulness. But it is fun to learn, and sometimes practical testing is a good and funny part of it.
Of course one could have compiled a CLI executer that takes the textual machine code as an argument, but that's a different method.
The method used here is almost the same as patching an executable on disk, except we already know where to inject the code and don't need to worry about cleaning up afterwards. And to clarify, this is NOT about executing exploits! It is about observing what would otherwise happen after an exploit has worked (i.e. the payload execution, in Metasploit terms).
Included in the download is a "universal" sample written by Berend-Jan "SkyLined" Wever that launches calc.exe and is 100 bytes long.
Btw, ndisasm is nice for disassembling shellcode.
New version 2: http://reboot.pro/fi...ellcodeexecgui/ (better described)