- ;;; w32k32bs:
- ;;; Windows 32-bit code to find kernel32.dll base via stack
- ;;; nota bene: enforce code alignment on 4-byte boundary BEFORE procedure
- ;;; insert own SEH handler @ w32k32bs_3C
- ;;;
- ;;; syntax: Intel, 32-bit x86 (Win32 user mode); each label encodes the byte offset
- ;;;        of the instruction from the start of the procedure
- ;;; in:    the dword at the top of the stack on entry is assumed to point somewhere
- ;;;        inside kernel32.dll (read at w32k32bs_24/26); nothing here verifies that
- ;;; out:   eax = first 512-byte-aligned address below that pointer whose first word
- ;;;        is "MZ", or 0 if 0x4000 readable probes found none; esp is balanced on exit
- ;;; clobb: eax, bx, ecx, edx, flags
- ;;; why 4-byte alignment: the SEH handler resumes execution at (faulting eip & ~3),
- ;;;        which is w32k32bs_28 only if the procedure base itself is 4-byte aligned
- ;;; review note: the loop matches any readable "MZ" header, not kernel32 specifically;
- ;;;        the safety counter at w32k32bs_31 is skipped whenever the probe at w32k32bs_2B
- ;;;        faults (the handler resumes at w32k32bs_28), so ecx only bounds probes of
- ;;;        readable memory, not the number of faults taken
- ;;; defender note: an EXCEPTION_REGISTRATION built on the stack whose handler lies
- ;;;        outside any loaded image is the kind of record SafeSEH-style handler
- ;;;        validation and DEP exist to block, and such a handler address is a common
- ;;;        exception-telemetry signal
- ;;; eax = 0x33 = distance from w32k32bs_09 to the handler at w32k32bs_3C
- w32k32bs_00: xor eax, eax ; bytes: 31 C0
- w32k32bs_02: mov al, 0x33 ; bytes: B0 33
- ;;; call with zero displacement: pushes the address of w32k32bs_09 (our own location)
- w32k32bs_04: call w32k32bs_09 ; bytes: E8 00 00 00 00
- w32k32bs_09: pop ecx ; bytes: 59
- ;;; ecx = &w32k32bs_09 + 0x33 = &w32k32bs_3C (handler address)
- w32k32bs_0A: add ecx, eax ; bytes: 01 C1
- ;;; upper bytes of eax are already zero, so eax = 0 (fs:[0] = current SEH chain head)
- w32k32bs_0C: mov al, 0 ; bytes: B0 00
- ;;; build EXCEPTION_REGISTRATION {Next, Handler} on the stack: push Handler, then Next
- w32k32bs_0E: push ecx ; bytes: 51
- w32k32bs_0F: push dword ptr fs:[eax] ; bytes: 64 FF 30
- ;;; fs:[0] = esp -> our record becomes the head of the SEH chain
- w32k32bs_12: mov dword ptr fs:[eax], esp ; bytes: 64 89 20
- ;;; setup registers before main loop:
- ;;; eax - pointer to memory somewhere in kernel32.dll address space
- ;;; ebx - "MZ\x90\x00" signature
- ;;; ecx - safety counter (0x4000)
- ;;; edx = 0xFFFFFE00 (mask clears the low 9 bits: 0x200 = 512-byte boundary alignment)
- ;;; ecx = 0 here (eax is still 0)
- w32k32bs_15: mov ecx, eax ; bytes: 89 C1
- w32k32bs_17: mov al, 8 ; bytes: B0 08
- ;;; only bx is set ("MZ" = 0x5A4D little-endian); the upper half of ebx is left as-is
- w32k32bs_19: mov bl, 0x4D ; bytes: B3 4D
- w32k32bs_1B: mov bh, 0x5A ; bytes: B7 5A
- ;;; ecx = 0x4000 (ch = 0x40, remaining bytes already zero)
- w32k32bs_1D: mov ch, 0x40 ; bytes: B5 40
- w32k32bs_1F: mov edx, 0xFFFFFE00 ; bytes: BA 00 FE FF FF
- ;;; eax = esp + 8: skips the two dwords pushed above (Next, Handler), so [eax] is the
- ;;; dword that was at the top of the stack when the procedure was entered
- w32k32bs_24: add eax, esp ; bytes: 01 E0
- w32k32bs_26: mov eax, dword ptr [eax] ; bytes: 8B 00
- ;;; main loop:
- ;;; backward search in 512-byte-aligned memory
- ;;; for "MZ\x90\x00" signature (actually, "MZ")
- ;;; dec before masking -> each iteration lands on the next lower 512-byte boundary
- w32k32bs_28: dec eax ; bytes: 48
- w32k32bs_29: and eax, edx ; bytes: 21 D0
- ;;; the only place where exception may occur:
- ;;; (an unreadable page raises an access violation; the handler at w32k32bs_3C
- ;;;  redirects execution back to w32k32bs_28 and the search continues)
- w32k32bs_2B: cmp word ptr [eax], bx ; bytes: 66 39 18
- ;;; alternative definition of following mnemonic:
- ;;; w32k32bs_2E: db 0x3E ; bytes: 3E
- ;;; w32k32bs_2F: je w32k32bs_54 ; bytes: 74 23
- ;;;
- ;;; "ht"/"hnt" are not standard assembler mnemonics: 0x3E (DS override) and 0x2E (CS
- ;;; override) act as taken / not-taken branch hints on the microarchitectures that
- ;;; honour them and are otherwise ignored prefixes
- ;;; match found -> eax holds the candidate base
- w32k32bs_2E: ht je w32k32bs_54 ; bytes: 3E 74 23
- w32k32bs_31: dec ecx ; bytes: 49
- ;;; alternative definition of following mnemonic:
- ;;; w32k32bs_32: db 0x2E ; bytes: 2E
- ;;; w32k32bs_33: je w32k32bs_38 ; bytes: 74 03
- ;;;
- ;;; safety counter exhausted -> give up
- w32k32bs_32: hnt je w32k32bs_38 ; bytes: 2E 74 03
- w32k32bs_35: jmp w32k32bs_28 ; bytes: EB F1
- ;;; manual code alignment on 4-byte boundary
- w32k32bs_37: nop ; bytes: 90
- ;;; kernel32.dll base isn't found
- w32k32bs_38: xor eax, eax ; bytes: 31 C0
- w32k32bs_3A: jmp w32k32bs_54 ; bytes: EB 18
- ;;; own SEH handler
- ;;; nota bene: the only place where exception may be raised is w32k32bs_2B
- ;;; this handler does following:
- ;;; set thread context.eip to w32k32bs_28
- ;;; continue thread execution;
- ;;;
- ;;; cdecl handler(ExceptionRecord, EstablisherFrame, ContextRecord, DispatcherContext):
- ;;; at entry [esp] = return address, [esp+4] = ExceptionRecord, [esp+8] = EstablisherFrame,
- ;;; [esp+12] = ContextRecord; returning 0 (ExceptionContinueExecution) resumes the thread
- ;;; at ContextRecord->Eip
- w32k32bs_3C: xor eax, eax ; bytes: 31 C0
- w32k32bs_3E: mov al, 12 ; bytes: B0 0C
- ;;; ecx = [esp + 12] = ContextRecord
- w32k32bs_40: mov ecx, eax ; bytes: 89 C1
- w32k32bs_42: add ecx, esp ; bytes: 01 E1
- w32k32bs_44: mov ecx, dword ptr [ecx] ; bytes: 8B 09
- ;;; 0xB8 = offset of Eip within the x86 CONTEXT structure (eax was 12, upper bytes zero)
- w32k32bs_46: mov al, 0xB8 ; bytes: B0 B8
- w32k32bs_48: add eax, ecx ; bytes: 01 C8
- ;;; ecx = faulting eip (address of w32k32bs_2B)
- w32k32bs_4A: mov ecx, dword ptr [eax] ; bytes: 8B 08
- ;;; eax = faulting eip, ecx = &ContextRecord->Eip
- w32k32bs_4C: xchg eax, ecx ; bytes: 91
- ;;; round the faulting eip down to a 4-byte boundary: 0x2B & ~3 = 0x28, which is why
- ;;; the procedure base must be 4-byte aligned
- w32k32bs_4D: and al, 0xFC ; bytes: 24 FC
- w32k32bs_4F: mov dword ptr [ecx], eax ; bytes: 89 01
- ;;; return ExceptionContinueExecution (0)
- w32k32bs_51: xor eax, eax ; bytes: 31 C0
- w32k32bs_53: ret ; bytes: C3
- ;;; after all, kernel32.dll base address is stored in EAX
- ;;; if jump was from w32k32bs_2E then kernel32.dll base is found and EAX isn't NULL
- ;;; if jump was from w32k32bs_3A then kernel32.dll base isn't found and EAX is NULL
- ;;; anyway, remove own SEH handler:
- ;;; fs:[0] = Next (the previous chain head saved at w32k32bs_0F); eax is not touched
- w32k32bs_54: xor ecx, ecx ; bytes: 31 C9
- w32k32bs_56: pop dword ptr fs:[ecx] ; bytes: 64 8F 01
- ;;; nota bene: "pop ecx" (0x59) is shorter than "add esp, 4" (0x83 0xC4 0x04),
- ;;; but may be little bit slower
- ;;; discard the Handler dword; esp is back to its value on entry
- w32k32bs_59: pop ecx ; bytes: 59
- w32k32bs_5A: nop ; bytes: 90
- w32k32bs_5B: nop ; bytes: 90