# MessageBox Shellcode Writing shellcode to display a message box might seem a bit pointless but it includes all the elements needed to write more complex shellcode, such as a reverse shell. To display a message box we are required to do the following: * Find the base address of `kernel32.dll`. * Resolve the `GetProcAddress` VMA. * Call `GetProcAddress` to get the VMA of `LoadLibraryA`. * Load the `user32.dll` module using a `LoadLibraryA` call. * Call `GetProcAddress` to get the VMA of `MessageBoxA`. * Call `MessageBoxA` to display our message. * Call `GetProcAddress` to get the VMA of `TerminateProcess`. * Call `TerminateProcess` to terminate our process. We have discussed all of these in previous sections, the shellcode is presented in the following small chunks. Whilst working through these sections you should test it with Windbg preview, using the workflow presented or your own. As you build the shellcode up, insert breakpoints and examine registers and memory to ensure what you expect to be there is there. ## Groundwork The first chunk has been discussed in depth and will not be discussed further. It locates `kernel32.dll`, resolves the VMA of `GetProcAddress` and prepares us for the rest of the shellcode: {% code title="Starter assembly" overflow="wrap" lineNumbers="true" %} ```nasm BITS 64 SECTION .text global main main: push rbp ; and rsp, 0FFFFFFFFFFFFFFF0h ; Align the stack to a multiple of 16 bytes mov rbp, rsp ; sub rsp, 0x64 ; 100 bytes of shadow space find_kernel32: xor rcx, rcx ; RCX = 0 mov rax, [gs:rcx + 0x60] ; RAX = PEB mov rax, [rax + 0x18] ; RAX = PEB->Ldr mov rsi, [rax + 0x20] ; RSI = PEB->Ldr.InMemOrder lodsq ; RAX = Second module(NTDLL) xchg rax, rsi ; RAX = RSI, RSI = RAX lodsq ; RAX = Third(kernel32) mov rbx, [rax + 0x20] ; RBX = Base address get_function_address: lea rsi, [rel get_function + 0x41414141] ; POP the function address in to RSI sub rsi, 0x41414141 ; mov [rbp-0x20], rsi ; [RBP-0x20] = get_function address jmp start ; get_function: xor r8, r8 ; R8 = 0 mov r8d, [rbx + 0x3c] ; R8D = DOS->e_lfanew offset mov rdx, r8 ; RDX = DOS->e_lfanew add rdx, rbx ; RDX = PE Header add rdx, 0x44 ; add 0x44 to RDX to avoid null bytes add rdx, 0x44 ; add 0x44 to RDX to avoid null bytes mov r8d, [rdx] ; R8D = Offset export table - was [rdx + 0x88] add r8, rbx ; R8 = Export table xor rsi, rsi ; Clear RSI mov esi, [r8 + 0x20] ; RSI = Offset namestable add rsi, rbx ; RSI = Names table xor rcx, rcx ; RCX = 0 next_function_name: inc rcx ; Increment the ordinal xor rax, rax ; RAX = 0 mov eax, [rsi + rcx * 4] ; Get name offset add rax, rbx ; Get function name cmp qword [rax], r9 ; Does it match the function name in R9 ? jnz next_function_name ; found_function: xor rsi, rsi ; RSI = 0 mov esi, [r8 + 0x24] ; ESI = Offset ordinals add rsi, rbx ; RSI = Ordinals table mov cx, [rsi + rcx * 2] ; Number of function xor rsi, rsi ; RSI = 0 mov esi, [r8 + 0x1c] ; Offset address table add rsi, rbx ; ESI = Address table xor rdx, rdx ; RDX = 0 mov edx, [rsi + rcx * 4] ; EDX = Pointer(offset) add rdx, rbx ; RDX = Function Address mov rdi, rdx ; Save Function Address in RDI ret ; start: get_getprocaddress: mov r9, 0x41636f7250746547 ; GetProcA (in ASCII AcorPteG) call QWORD [rbp-0x20] ; CALL get_function mov [rbp-0x18], rdi ; [RBP-0x18] = *GetProcAddress ``` {% endcode %} This shellcode snippet can be used as a foundation for a lot of user land shellcode. ## LoadLibraryA The next snippet will get the VMA of `LoadLibraryA`. We will do this by calling the `GetProcAddress` function. The syntax for this call is shown below: {% code title="GetProcAddress syntax" %} ```c FARPROC GetProcAddress( [in] HMODULE hModule, [in] LPCSTR lpProcName ); ``` {% endcode %} Remember, when calling a function in 64-bit Windows the first parameter is passed in via the `rcx` register, and the second parameter is passed in using the `rdx` register: 1. The `hModule` parameter is passed in the `rcx` register. 2. The `lpProcName` parameter is passed in the `rdx` register. `hModule` is the module/DLL where the function resides, in this case `kernel32.dll` (we already have the base address for this module in `rbx`). `lProcName` is a pointer to a string; this means we need to place "LoadLibraryA" somewhere in memory and put a pointer to it in `rdx`: {% code title="Calling LoadLibraryA" lineNumbers="true" %} ```nasm call_getprocaddress_loadlibrarya: mov [rbp-0x28], rbx ; [RBP-0x28] = Kernel32 base address mov rcx, [rbp-0x28] ; RCX = hModule = Kernel32 base address mov rax, 0x41797261 ; push rax ; mov rax, 0x7262694c64616f4c ; push rax ; mov rdx, rsp ; RDX = lpProcName = LoadLibraryA sub rsp, 0x2c ; Allocate stack space for the function call ; (+ alignment) call [rbp-0x18] ; CALL GetProcAddress add rsp, 0x2c ; Clean up allocated space add rsp, 0x10 ; Clean up LoadLibraryA on stack mov [rbp-0x30], rax ; [RBP=0x30] = *LoadLibraryA ``` {% endcode %} On line `2` we store the base address of `kernel32` in the memory at `rbx-0x28`. This isn't strictly necessary in this instance but there might be times when we may need to reference it later. On line `3` the base address is placed in to `rcx` which is the `hModule` parameter. The string "LoadLibraryA" is pushed on to the stack in reverse order and a pointer to the string is moved in to `rdx` via `rsp` (which points to the string that was just pushed on to the stack). This is done on lines `4` through `8`. The call is made on line `11` and the return value (the VMA of the function) is stored in `[rbx-0x30]` on line `14`. We now have a reference to the `LoadLibraryA` function. ## User32.DLL This snippet uses the `LoadLibraryA` function to load the `user32.dll` module in to memory and return the base address. We will use this to locate the VMA for the `MessageBoxA` function. The syntax for this call is shown below: {% code title="LoadLibraryA syntax" %} ```c HMODULE LoadLibraryA( [in] LPCSTR lpLibFileName ); ``` {% endcode %} This call is very simple and only has one paramater, which is a pointer to a string and is moved in to the `rcx` register: {% code title="Loading user32.dll" lineNumbers="true" %} ```nasm call_loadlibrarya_user32.dll: mov rax, 0x6c6c ; PUSH user32.dll push rax ; mov rax, 0x642e323372657375 ; push rax ; mov rcx, rsp ; RCX = lpLibFileName = user32.dll sub rsp, 0x2c ; Allocate stack space for the function call (+ allignment) call [rbp-0x30] ; CALL LoadLibraryA add rsp, 0x2c ; Clean up allocated space add rsp, 0x10 ; Clean up user32.dll on stack ``` {% endcode %} Lines `2` through `6` push the string on to the stack and move the pointer in to the `rcx` register. Line `8` calls `LoadLibraryA` (remember from the previous section that `[rbp-0x30]` holds the address for the function `LoadLibraryA`. The function returns the base address of the module in the `rax` register, which we will use next. ## MessageBoxA The next snippet gets the VMA of `MessageBoxA` by calling the `GetProcAddress` function. This should be familiar by now and does not require any explanation: {% code title="Locate VMA of MessageBoxA" lineNumbers="true" %} ```nasm call_getprocaddress_messageboxa: mov rcx, rax ; RCX = hModule = User32 base address mov rax, 0x41786f ; push rax ; mov rax, 0x426567617373654d ; push rax ; mov rdx, rsp ; RDX = lpProcName = MessageBoxA sub rsp, 0x2c ; Allocate stack space for the function call (+ alignment) call [rbp-0x18] ; CALL GetProcAddress add rsp, 0x2c ; Clean up allocated space add rsp, 0x10 ; Clean up MessageBoxA on stack mov r10, rax ; R10 = *MessageBoxA ``` {% endcode %} Finally we make the call to `MessageBoxA`. The syntax for the call is shown below: {% code title="MessageBoxA syntax" %} ```c int MessageBoxA( [in, optional] HWND hWnd, [in, optional] LPCSTR lpText, [in, optional] LPCSTR lpCaption, [in] UINT uType ); ``` {% endcode %} This was discussed in the *Calling Conventions* section, but let's recap. When calling the `MessageBoxA` function: 1. The `hWnd` parameter is passed in the `rcx` register. 2. The `lpText` parameter is passed in the `rdx` register. 3. The `lpCaption` parameter is passed in the `r8` register. 4. The `uType` parameter is passed in the `r9` register. The shellcode is shown below: {% code title="Calling MessageBoxA" lineNumbers="true" %} ```nasm ; the address of MessageBoxA is in r10 call_messagebox: xor rax, rax ; RAX = 0 mov rcx, rax ; RCX = hWnd = NULL mov r9, rax ; R9 = uType = NULL (default) mov rax, 0x6e6f697461 ; PUSH string on to the stack push rax ; . mov rax, 0x74696f6c70784520 ; . push rax ; . mov rax, 0x73776f646e695720 ; . push rax ; . mov rax, 0x6465636e61766441 ; . push rax ; --- mov rdx, rsp ; RDX = lpText mov r8, rdx ; R8 = lpCaption sub rsp, 0x2c ; align the stack for the call call r10 ; CALL R10 (MessageBoxA) ``` {% endcode %} ## Exercises 1. Complete the shellcode to call the `TerminateProcess` function. 2. Write the MessageBox shellcode out and debug it in Windbg Preview. 3. Change the `MessageBoxA` call for a `WinExec` call. 4. Tidy up the shellcode; the `LoadLibraryA` function is not needed for exercise 2.