Windows Shellcode Testing [SOLVED]

Started by Stolas, October 15, 2012, 12:00:10 PM


Stolas

Hello,

I've been writing shellcode and exploits for a while now.
I have also reversed a lot of code and I am more than just familiar with the malware concept (analysing and writing).
But I've (almost) never written Windows C code myself. I've done it all on *nix, so I am aware of the concepts.
Now however, I need to get something to run on Windows. For a project I am working on I need Eicar 2.0, so I've been writing a metamorphic engine. It builds the program code by taking extra info from the stack. However, I can't get too technical about this (due to NDAs).

Bottom line, I am having an issue with executing code in a read-only segment (stack) on the Windows System.
This is due to a variety of known restrictions. But I thought I could tackle them using the VirtualProtect function (that's mprotect on Windows, right?).
The piece of code I am running is:

#include <windows.h>
#include <stdlib.h>

extern size_t shell_length;                                        /* random, set elsewhere in the project */
extern void write_opcodes_by_strealing_data_of_the_stacks(char *); /* defined elsewhere in the project */

int main(void) {
   char *program_code;
   DWORD old_protect;  /* VirtualProtect requires a real pointer here; passing NULL makes the call fail */
   program_code = malloc(shell_length);
   write_opcodes_by_strealing_data_of_the_stacks(program_code);

   if (!VirtualProtect(program_code, shell_length, PAGE_EXECUTE_READWRITE, &old_protect))
      return 1;
   (*(void(*)()) program_code)();
   return 0;
}

This code is mostly a POC. The only actual code I am running is the VirtualProtect and the *(void(*)()) part.
But the program_code part is malloc'd. The shell_length is random, and in between it writes opcodes such as "\x90", "\x31\xD8\x31\xC3" etc. I've checked the code that is built in memory with IDA Free. This all goes right, and the constructed code is correct (32-bit).
But when I try to execute it with the *(void(*) part it fails. So, what am I missing? NX bit? DEP? Some kind of Windows Fu?

I _hope_ someone can tell me this.

Thanks
 - Stolas


----| Solved
I feel really stupid, I've fixed the issue. I was working with the wrong endianness.
Whether you think you can or can't, you're right.
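As an added example (not Stolas's code) covering the two points in the post, the VirtualProtect call and byte order: a small harness that maps a buffer read/write, writes a `mov eax, imm32 ; ret` stub with the immediate emitted low byte first, flips the page to read+execute rather than leaving it RWX, and calls it. The mprotect branch is for POSIX hosts, mirroring the mprotect comparison in the post; all function names here are mine.

```c
#define _DEFAULT_SOURCE
#include <stddef.h>
#include <stdint.h>
#ifdef _WIN32
#include <windows.h>
#else
#include <sys/mman.h>
#endif

/* Allocate one page that is writable but not yet executable (W^X: write first, execute later). */
static void *alloc_rw(size_t len) {
#ifdef _WIN32
    return VirtualAlloc(NULL, len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
#else
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return p == MAP_FAILED ? NULL : p;
#endif
}

/* Switch the page to read+execute. VirtualProtect needs a real lpflOldProtect pointer;
   passing NULL, as in the original snippet, makes the call fail. Returns 0 on success. */
static int make_rx(void *p, size_t len) {
#ifdef _WIN32
    DWORD old = 0;
    return VirtualProtect(p, len, PAGE_EXECUTE_READ, &old) ? 0 : -1;
#else
    return mprotect(p, len, PROT_READ | PROT_EXEC);
#endif
}

/* Encode `mov eax, imm32 ; ret` = B8 <imm32> C3. x86 immediates are little-endian, so the
   low byte is stored first no matter how the constant is written in source. Returns bytes written. */
static size_t emit_mov_eax_ret(uint8_t *out, uint32_t imm) {
    out[0] = 0xB8;
    for (int i = 0; i < 4; i++) out[1 + i] = (uint8_t)(imm >> (8 * i));
    out[5] = 0xC3;
    return 6;
}

/* Build the stub in RW memory, make it RX, call it and return what eax holds afterwards.
   Returns -1 on allocation/protection failure or when the host is not x86 (stub would not be valid). */
static long run_stub(uint32_t imm) {
#if defined(__i386__) || defined(__x86_64__) || defined(_M_IX86) || defined(_M_X64)
    size_t len = 4096;
    uint8_t *code = alloc_rw(len);
    if (!code) return -1;
    emit_mov_eax_ret(code, imm);
    if (make_rx(code, len) != 0) return -1;
    uint32_t (*fn)(void) = (uint32_t (*)(void))code;
    return (long)fn();
#else
    (void)imm; return -1;
#endif
}
```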

ostendali