Modular Python script that uses the Python keystone-engine
library to convert Intel (x86) assembly into Windows shellcode.
The shellcode does the following:
- Stores the `Kernel32.dll` pointer into EBX and the `find_function()` pointer into `[ebp+0x04]`.
- Acquires and stores pointers to required Win32 API calls into offsets `[ebp+0x10]` through `[ebp+0x24]`.
- Establishes a socket connection to a listening port via `WSAStartup()`, `WSASocketA()`, and `WSAConnect()`.
- Creates a STARTUPINFO struct that inherits socket handles for standard input, output, and error.
- Creates a `powershell.exe` (or `cmd.exe`) process with inherited handles via `CreateProcessA()`.
- Gracefully exits upon closure via `TerminateProcess()`.
By default, the shellcode is returned in two formats:
- one large string of bytes
- a formatted string of 16-byte chunks
Usage: gen_rev.py [options]
Options:
<attackerIP> --> IP address to connect to (default: 127.0.0.1)
<attackerPort> --> Listening port to connect to (default: 443)
--cmd --> Target shell uses 'cmd.exe' instead of 'powershell.exe'
--dbg --> Execute shellcode, allowing attachment to the process
--help --> Return help message
(Note: the `--dbg` argument copies the shellcode into memory and attempts to execute it; this was used for debugging via WinDbg.)