
Reversed "BaseCreateStack"

waliedassar Nov 5th, 2012 193 Never
  1. //http://waleedassar.blogspot.com
  2. //http://www.twitter.com/waleedassar
  3. //Reversed code of the kernel32 "BaseCreateStack" function. For educational purposes only.
  4.  
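  // Pseudo-C reconstruction of kernel32 "BaseCreateStack": sizes, reserves and
  // commits a thread stack inside hProcess and arms a guard page at the bottom
  // of the committed range.
  //
  // "PEB" stands for a pointer to the current process's PEB; the listing is a
  // reading aid, not a compilable unit. Sizes are 32-bit (unsigned long).
  //
  // hProcess    - process in which the stack is allocated.
  // CommitSize  - requested committed size; 0 means "use the image header value".
  // ReserveSize - requested reserved size; 0 means "use the image header value".
  // pOut        - output structure; the code that fills it is elided below.
  //
  // Returns 0 on success, 0xC000007B when the image has no NT headers, or the
  // negative status returned by a failing Zw* call.
  int __stdcall BaseCreateStack(HANDLE hProcess,unsigned long CommitSize,unsigned long ReserveSize,void* pOut )
  {
       unsigned long Page_Size=PEB->ReadOnlyStaticServerData->pData->PageSize;
       IMAGE_NT_HEADERS* pNT=RtlImageNtHeader(PEB->ImageBaseAddress);
       // 0xC000007B is the NTSTATUS STATUS_INVALID_IMAGE_FORMAT; the Win32 layer
       // reports it as ERROR_BAD_EXE_FORMAT.
       if(!pNT) return 0xC000007B;

       // OptionalHeader is embedded in IMAGE_NT_HEADERS, so it is reached with '.'.
       unsigned long loc_CommitSize=pNT->OptionalHeader.SizeOfStackCommit;
       if(ReserveSize==0) ReserveSize=pNT->OptionalHeader.SizeOfStackReserve;
       if(CommitSize==0) CommitSize=loc_CommitSize;
       else
       {
           // A caller-supplied commit that does not fit grows the reservation
           // to the next 1 MB boundary.
           // NOTE(review): the addition wraps for CommitSize above 0xFFF00000;
           // no range check is visible in this listing.
           if(CommitSize>=ReserveSize)
                ReserveSize=(CommitSize+0xFFFFF)&0xFFF00000;
       }

       // Enforce alignment: commit size rounds up to a whole number of pages.
       CommitSize+=(Page_Size-1);
       CommitSize&=~(Page_Size-1);

       // Reserve size rounds up to the allocation granularity. The mask must be
       // ~(granularity-1); ~granularity would clear a single bit only and leave
       // the size unaligned.
       unsigned long alloc_granularity=PEB->ReadOnlyStaticServerData->pData->Granularity;
       ReserveSize+=(alloc_granularity-1);
       ReserveSize&=~(alloc_granularity-1);

       // Honour the process-wide minimum commit when the PEB carries one.
       if(PEB->MinimumStackCommit)
       {
           if(CommitSize<(PEB->MinimumStackCommit))
           {
               CommitSize=PEB->MinimumStackCommit;
           }
       }
       //Here goes some more sanitization checks
       // NOTE(review): the address arithmetic below relies on
       // CommitSize+Page_Size<=ReserveSize; presumably the elided checks
       // guarantee it - confirm against the binary.

       // Reserve the whole stack range; the system picks the base address.
       unsigned long StackStartAddress=0;
       int ret=ZwAllocateVirtualMemory(hProcess,&StackStartAddress,
                                       0,&ReserveSize,MEM_RESERVE,PAGE_READWRITE);
       if(ret<0) return ret;
       //Here goes some code that Writes to output structure

       // Move to the lowest address that will be committed: the top CommitSize
       // bytes of the reservation, plus one extra page below them.
       StackStartAddress+=(ReserveSize-CommitSize);
       StackStartAddress-=Page_Size; //Space for the PAGE_GUARD page
       CommitSize+=Page_Size;
       ret=ZwAllocateVirtualMemory(hProcess,&StackStartAddress,
                                  0,&CommitSize,MEM_COMMIT,PAGE_READWRITE);
       // NOTE(review): this listing returns here, and after the protect call
       // below, without releasing the reservation made above; whether the
       // original function frees it is not shown.
       if(ret<0) return ret;

       // Mark the lowest committed page as the guard page, so that stack growth
       // past the committed range is detected on first touch.
       unsigned long old_prot;
       ret=ZwProtectVirtualMemory(hProcess,&StackStartAddress,
                                  &Page_Size,PAGE_READWRITE|PAGE_GUARD,&old_prot);
       if(ret<0) return ret;
       return 0;
  }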