waliedassar

Reversed "BaseCreateStack"

Nov 5th, 2012
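  //http://waleedassar.blogspot.com
  //http://www.twitter.com/waleedassar
  //Reversed code of the kernel32 "BaseCreateStack" function. For educational purposes only.

  /*
   * BaseCreateStack - pseudo-C reconstruction of how a new thread stack is laid out.
   *
   * Reserves ReserveSize bytes in hProcess, commits CommitSize bytes plus one
   * extra page at the high end of the reservation, and marks the lowest
   * committed page PAGE_GUARD.
   *
   * hProcess    - process in which the stack is allocated.
   * CommitSize  - requested commit size; 0 means use SizeOfStackCommit from
   *               the image headers.
   * ReserveSize - requested reserve size; 0 means use SizeOfStackReserve from
   *               the image headers.
   * pOut        - output structure; the code that fills it is elided in this
   *               listing.
   *
   * Returns 0 on success, 0xC000007B when the image has no NT headers, or the
   * negative status returned by the failing Zw* call.
   *
   * NOTE(review): addresses and sizes are kept in unsigned long, so this
   * listing only describes a 32-bit address space.
   * NOTE(review): the failure returns after the MEM_RESERVE call do not
   * release the reservation in this listing; whether the real function does
   * is not shown here.
   */
  int __stdcall BaseCreateStack(HANDLE hProcess,unsigned long CommitSize,unsigned long ReserveSize,void* pOut )
  {
       unsigned long Page_Size=PEB->ReadOnlyStaticServerData->pData->PageSize;
       IMAGE_NT_HEADERS* pNT=RtlImageNtHeader(PEB->ImageBaseAddress);
       if(!pNT) return 0xC000007B; //STATUS_INVALID_IMAGE_FORMAT (surfaces as ERROR_BAD_EXE_FORMAT)

       //OptionalHeader is embedded in IMAGE_NT_HEADERS, hence '.' rather than '->'
       unsigned long loc_CommitSize=pNT->OptionalHeader.SizeOfStackCommit;
       if(ReserveSize==0) ReserveSize=pNT->OptionalHeader.SizeOfStackReserve;
       if(CommitSize==0) CommitSize=loc_CommitSize;
       else
       {
           //A caller-supplied commit that does not fit grows the reservation to
           //the next 1 MB boundary.
           //NOTE(review): CommitSize+0xFFFFF wraps for values near 0xFFFFFFFF;
           //no guard against that is visible in this listing.
           if(CommitSize>=ReserveSize)
                ReserveSize=(CommitSize+0xFFFFF)&0xFFF00000;
       }

       //Enforce Alignment: round the commit size up to a whole number of pages
       CommitSize+=(Page_Size-1);
       CommitSize&=~(Page_Size-1);

       //Round the reservation up to the allocation granularity. The paste masked
       //with ~alloc_granularity, which clears a single bit instead of rounding;
       //the mask now mirrors the page-size rounding above.
       unsigned long alloc_granularity=PEB->ReadOnlyStaticServerData->pData->Granularity;
       ReserveSize+=(alloc_granularity-1);
       ReserveSize&=~(alloc_granularity-1);

       //A non-zero PEB->MinimumStackCommit is a floor for the commit size
       if(PEB->MinimumStackCommit)
       {
           if(CommitSize<(PEB->MinimumStackCommit))
           {
               CommitSize=PEB->MinimumStackCommit;
           }
       }
       //Here goes some more sanitization checks
       //NOTE(review): the arithmetic below needs CommitSize+Page_Size<=ReserveSize,
       //otherwise the address computation wraps; presumably the elided checks
       //enforce that - confirm against the binary.

       //Reserve the whole region; the system picks the base address
       unsigned long StackStartAddress=0;
       int ret=ZwAllocateVirtualMemory(hProcess,&StackStartAddress,
                                       0,&ReserveSize,MEM_RESERVE,PAGE_READWRITE);
       if(ret<0) return ret;
       //Here goes some code that Writes to output structure

       //Move to the start of the committed part at the high end of the reservation
       StackStartAddress+=(ReserveSize-CommitSize);
       StackStartAddress-=Page_Size; //Space for the PAGE_GUARD page
       CommitSize+=Page_Size;
       ret=ZwAllocateVirtualMemory(hProcess,&StackStartAddress,
                                  0,&CommitSize,MEM_COMMIT,PAGE_READWRITE);
       if(ret<0) return ret;

       //Turn the lowest committed page into the guard page
       unsigned long old_prot;
       ret=ZwProtectVirtualMemory(hProcess,&StackStartAddress,
                                  &Page_Size,PAGE_READWRITE|PAGE_GUARD,&old_prot);
       if(ret<0) return ret;
       return 0;
  }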