
Shellcode_K32_Module

By: a guest on Mar 3rd, 2010  |  syntax: ASM (NASM)  |  size: 1.03 KB  |  hits: 1,192  |  expires: Never
;-----------------------------------------------------------------------
; find_kernel32  --  locate the base address of kernel32.dll (32-bit Windows)
;
; Walks the PEB loader list (TEB->PEB->Ldr->InInitializationOrderModuleList)
; and stores the DllBase of the first entry whose Unicode BaseDllName is
; 12 characters long and starts with 'k' or 'K' ("kernel32.dll"/"KERNEL32.DLL").
; Syntax: NASM / Intel.  x86-32 only: FS:[0x30] is the PEB pointer in the
; 32-bit TEB, and the structure offsets below are the 32-bit layouts.
; In:    [esp+8] on entry = pointer that receives the base address
;        (the second dword above the return address -- NOTE(review): under
;        cdecl/stdcall the first argument is at [esp+4]; confirm against
;        the caller's push sequence)
; Out:   [ECX] = kernel32 base address
; Clobb: eax, ecx, edi, flags.  ESI/EBP are saved and restored; EDI is NOT,
;        although the 32-bit C ABIs treat it as callee-saved.
; Note:  the list is circular and there is no end-of-list test: if no entry
;        matches, the loop never terminates and would read the list head
;        inside PEB_LDR_DATA as if it were a module entry.
; Defender note: the access chain FS:[0x30] -> +0x0C -> +0x1C followed by a
;        name check is the classic position-independent "find kernel32"
;        idiom; it is a common static and behavioural signature for
;        shellcode and a good candidate for detection rules.
;-----------------------------------------------------------------------
find_kernel32:
        mov     ecx, [esp+8]            ;ECX = out pointer (read before the pushes below move ESP)
        push    esi
        push    ebp
        xor     eax, eax                ;EAX = 0; reused as index and comparand below, apparently
                                        ;so that no 0x00 bytes appear in the instruction encoding
        mov     esi, [FS:eax+0x30]      ;ESI = &(PEB)            (TEB->ProcessEnvironmentBlock)
        mov     esi, [esi+0x0C]         ;ESI = PEB->Ldr          (PEB_LDR_DATA*)
        mov     esi, [esi+0x1C]         ;ESI = PEB->Ldr.InInitOrder (first module)
                                        ;= Flink of InInitializationOrderModuleList; ESI points
                                        ;at the InInitializationOrderLinks field of an entry, so
                                        ;the +0x08 / +0x20 offsets below are relative to that field
next_module:
        mov     ebp, [esi+0x08]         ;EBP = InInitOrder[X].base_address      (DllBase)
        mov     edi, [esi+0x20]         ;EDI = InInitOrder[X].module_name (unicode) (BaseDllName.Buffer)
        mov     esi, [esi]              ;ESI = InInitOrder[X].flink == NextModule (advanced before
                                        ;the tests, so EBP/EDI still describe the entry under test)
        cmp     BYTE[edi+12*2], al      ;Len(module_name) = 12?  -- low byte of the 13th UTF-16
                                        ;unit is 0 (AL = 0), i.e. the name ends after 12 chars
       jne      next_module
        cmp     BYTE[edi], 0x6B         ;module_name starts with 'k'?
       je       find_kernel32_finished
        cmp     BYTE[edi], 0x4B         ;module_name starts with 'K'? (upper-case spelling)
       je       find_kernel32_finished
       jmp      next_module
find_kernel32_finished:
        mov     [ecx], ebp              ;[ECX] = K32 Base Address
        pop     ebp
        pop     esi
        ret