rockdrilla

Win32 kernel32 base via ESP

Jul 26th, 2016
;;; w32k32bs:
;;; Windows 32-bit code to find kernel32.dll base via stack
;;;
;;; Reviewer notes (added):
;;;   target:   x86-32 Windows user mode, Intel syntax, position independent.
;;;             The listing is byte-exact: every label carries its byte offset
;;;             and the encoding is given per line, so the offsets are part of
;;;             the logic (see w32k32bs_02 and w32k32bs_4D) and must not drift.
;;;   entry:    no arguments; the dword at [esp] on entry is assumed to point
;;;             into kernel32.dll (see the note at w32k32bs_24).
;;;   output:   eax = kernel32.dll base, or 0 when not found (see w32k32bs_54).
;;;   clobbers: eax, ebx, ecx, edx, flags.  ebx is callee-saved under the Win32
;;;             ABI and is NOT preserved here.
;;;   behaviour of note: the code installs its own SEH frame by rewriting fs:[0]
;;;             and resumes execution after access violations.  That fs:[0]
;;;             rewrite with a handler living outside any loaded image, plus the
;;;             backwards "MZ" scan, are classic shellcode traits; SEH hardening
;;;             (SafeSEH, SEHOP, DEP-era handler validation) and EDR heuristics
;;;             are built to refuse or flag exactly this pattern.

;;; nota bene: enforce code alignment on 4-byte boundary BEFORE procedure
;;; (the handler's "and al, 0xFC" at w32k32bs_4D relies on w32k32bs_28 and
;;; w32k32bs_2B sharing one 4-byte group, which only holds when offset 0x00 is
;;; 4-byte aligned)

;;; insert own SEH handler @ w32k32bs_3C
;;; eax = 0x33 = w32k32bs_3C - w32k32bs_09; the call pushes the address of
;;; w32k32bs_09, which is popped into ecx and offset to yield the handler address
    w32k32bs_00:  xor     eax, eax                ; bytes: 31 C0
    w32k32bs_02:  mov     al, 0x33                ; bytes: B0 33
    w32k32bs_04:  call    w32k32bs_09             ; bytes: E8 00 00 00 00
    w32k32bs_09:  pop     ecx                     ; bytes: 59
    w32k32bs_0A:  add     ecx, eax                ; bytes: 01 C1
    w32k32bs_0C:  mov     al, 0                   ; bytes: B0 00
;;; build the EXCEPTION_REGISTRATION record on the stack: push handler, push
;;; previous fs:[0] (eax is 0 here), then make fs:[0] point at the new record
    w32k32bs_0E:  push    ecx                     ; bytes: 51
    w32k32bs_0F:  push    dword ptr fs:[eax]      ; bytes: 64 FF 30
    w32k32bs_12:  mov     dword ptr fs:[eax], esp ; bytes: 64 89 20

;;; setup registers before main loop:
;;;   eax - pointer to memory somewhere in kernel32.dll address space
;;;   ebx - "MZ\x90\x00" signature
;;;   ecx - safety counter (0x4000)
;;;   edx = 0xFFFFFE00 (1K boundary alignment)
;;; note: eax has been 0 since w32k32bs_0C, so ecx starts at 0 and
;;;       "mov ch, 0x40" yields exactly 0x4000 (0x4000 steps of 1K = 16 MB scanned at most)
;;; note: only bl/bh are written, so the compare at w32k32bs_2B sees "MZ" (0x5A4D)
;;;       in bx; the upper half of ebx keeps whatever the caller left there
;;; note: [esp + 8] skips the two dwords pushed above, i.e. it reads the dword that
;;;       was at [esp] on entry -- the caller's return address if this code was
;;;       reached via call (the assumption behind the "somewhere in kernel32" line)
    w32k32bs_15:  mov     ecx, eax             ; bytes: 89 C1
    w32k32bs_17:  mov     al, 8                ; bytes: B0 08
    w32k32bs_19:  mov     bl, 0x4D             ; bytes: B3 4D
    w32k32bs_1B:  mov     bh, 0x5A             ; bytes: B7 5A
    w32k32bs_1D:  mov     ch, 0x40             ; bytes: B5 40
    w32k32bs_1F:  mov     edx, 0xFFFFFE00      ; bytes: BA 00 FE FF FF
    w32k32bs_24:  add     eax, esp             ; bytes: 01 E0
    w32k32bs_26:  mov     eax, dword ptr [eax] ; bytes: 8B 00

;;; main loop:
;;;   backward search in 1K-aligned memory
;;;   for "MZ\x90\x00" signature (actually, "MZ")
;;; invariant: eax = candidate address (1K-aligned after w32k32bs_29), ecx = steps
;;; left, bx = 0x5A4D, edx = alignment mask.  A fault at w32k32bs_2B is handled by
;;; w32k32bs_3C, which resumes at w32k32bs_28: a faulting step therefore moves eax
;;; down by 1K but does NOT decrement ecx, because w32k32bs_31 is skipped on that path.
    w32k32bs_28:  dec     eax                ; bytes: 48
    w32k32bs_29:  and     eax, edx           ; bytes: 21 D0
;;; the only place where exception may occur:
    w32k32bs_2B:  cmp     word ptr [eax], bx ; bytes: 66 39 18
;;; alternative definition of following mnemonic:
;;; w32k32bs_2E:  db      0x3E               ; bytes: 3E
;;; w32k32bs_2F:  je      w32k32bs_54        ; bytes: 74 23
;;;
;;; the 3E / 2E bytes on the two je's are the Jcc branch-hint prefixes (spelled
;;; ht / hnt here; the db forms above and below are the portable spelling);
;;; presumably they also keep the later byte offsets 4-aligned -- verify when
;;; re-assembling with a different assembler
    w32k32bs_2E:  ht je   w32k32bs_54        ; bytes: 3E 74 23
    w32k32bs_31:  dec     ecx                ; bytes: 49
;;; alternative definition of following mnemonic:
;;; w32k32bs_32:  db      0x2E               ; bytes: 2E
;;; w32k32bs_33:  je      w32k32bs_38        ; bytes: 74 03
;;;
    w32k32bs_32:  hnt je  w32k32bs_38        ; bytes: 2E 74 03
    w32k32bs_35:  jmp     w32k32bs_28        ; bytes: EB F1
;;; manual code alignment on 4-byte boundary
    w32k32bs_37:  nop                        ; bytes: 90

;;; kernel32.dll base isn't found
    w32k32bs_38:  xor     eax, eax    ; bytes: 31 C0
    w32k32bs_3A:  jmp     w32k32bs_54 ; bytes: EB 18

;;; own SEH handler
;;; nota bene: the only place where exception may be raised is w32k32bs_2B
;;; this handler does following:
;;;   set thread context.eip to w32k32bs_28
;;;   continue thread execution;
;;; details (handler prototype is the usual _except_handler(record, frame, context, dispatcher)):
;;;   [esp + 12] = CONTEXT*; CONTEXT.Eip sits at +0xB8 on x86-32
;;;   Eip (the faulting w32k32bs_2B) is rounded down to a 4-byte boundary, which
;;;   yields w32k32bs_28 only if the procedure itself starts 4-byte aligned
;;;   returning 0 (ExceptionContinueExecution) resumes the thread at the patched Eip
;;; NOTE(review): ExceptionRecord.ExceptionFlags ([esp + 4]) is never inspected, so
;;;   every dispatch of this handler -- including unwind passes -- is treated alike
    w32k32bs_3C:  xor     eax, eax             ; bytes: 31 C0
    w32k32bs_3E:  mov     al, 12               ; bytes: B0 0C
    w32k32bs_40:  mov     ecx, eax             ; bytes: 89 C1
    w32k32bs_42:  add     ecx, esp             ; bytes: 01 E1
    w32k32bs_44:  mov     ecx, dword ptr [ecx] ; bytes: 8B 09
;;; eax = 0xB8 (upper bits of eax are already 0), then eax = &CONTEXT.Eip
    w32k32bs_46:  mov     al, 0xB8             ; bytes: B0 B8
    w32k32bs_48:  add     eax, ecx             ; bytes: 01 C8
    w32k32bs_4A:  mov     ecx, dword ptr [eax] ; bytes: 8B 08
;;; after xchg: eax = faulting Eip, ecx = &CONTEXT.Eip
    w32k32bs_4C:  xchg    eax, ecx             ; bytes: 91
    w32k32bs_4D:  and     al, 0xFC             ; bytes: 24 FC
    w32k32bs_4F:  mov     dword ptr [ecx], eax ; bytes: 89 01
    w32k32bs_51:  xor     eax, eax             ; bytes: 31 C0
    w32k32bs_53:  ret                          ; bytes: C3

;;; after all, kernel32.dll base address is stored in EAX
;;; if jump was from w32k32bs_2E then kernel32.dll base is found and EAX isn't NULL
;;; if jump was from w32k32bs_3A then kernel32.dll base isn't found and EAX is NULL
;;; anyway, remove own SEH handler:
;;; fs:[0] = previous record (popped from our EXCEPTION_REGISTRATION), then the
;;; handler address pushed at w32k32bs_0E is discarded
    w32k32bs_54:  xor     ecx, ecx           ; bytes: 31 C9
    w32k32bs_56:  pop     dword ptr fs:[ecx] ; bytes: 64 8F 01
;;; nota bene: "pop ecx" (0x59) is shorter than "add esp, 4" (0x83 0xC4 0x04),
;;; but may be little bit slower
    w32k32bs_59:  pop     ecx                ; bytes: 59
    w32k32bs_5A:  nop                        ; bytes: 90
    w32k32bs_5B:  nop                        ; bytes: 90