- ;-----------------------------------------------------------------------
- ; Locate the image base of kernel32.dll by scanning backwards from an
- ; address assumed to lie inside it, comparing each aligned candidate
- ; against the "MZ" DOS-header signature. Faults on unmapped memory are
- ; absorbed by a temporary SEH frame whose handler rewrites the thread
- ; CONTEXT so execution resumes at the next iteration of the scan.
- ; Syntax: NASM / Intel, 32-bit x86 (fs:[0] SEH chain, x86 CONTEXT layout).
- ; In:    the dword at [esp] when w32k32b_0 is entered (read below as
- ;        [esp + 8] once the two-dword SEH record has been pushed); the
- ;        author expects it to be an address inside kernel32.dll, e.g. a
- ;        return address if this code was reached via `call`.
- ; Out:   eax = 0 when no "MZ" header is found; see the note at w32k32b_9
- ;        about what the found path leaves in eax.
- ; Clobb: eax, ebx, ecx, flags. fs:[0] is replaced and restored; esp is
- ;        balanced on exit.
- ; NOTE(review): the handler installed here lives on the stack, which is
- ; precisely what current Windows SEH validation (SafeSEH / SEHOP) is
- ; expected to reject, and the call/pop EIP fetch plus "MZ" back-scan are
- ; long-recognised detection heuristics -- read this as historical material.
- ;-----------------------------------------------------------------------
- ; insert own SEH handler @ w32k32b_5
- w32k32b_0: call w32k32b_1
- w32k32b_1: pop eax                ; eax = address of w32k32b_1 (call/pop EIP fetch)
- add eax, w32k32b_5 - w32k32b_1    ; eax = address of the handler, w32k32b_5
- push eax                          ; EXCEPTION_REGISTRATION.Handler
- xor eax, eax
- push dword [fs:eax]               ; EXCEPTION_REGISTRATION.Next = current fs:[0]
- mov [fs:eax], esp                 ; fs:[0] = our record (esp now points at it)
- ; setup registers before main loop:
- ; eax - pointer to memory somewhere in kernel32.dll address space
- ; bx - "MZ" signature
- ; ecx - safety counter
- w32k32b_2: lea ebx, [eax]         ; eax is 0 here, so ebx = 0 (lea as a flag-preserving mov)
- lea ecx, [eax]                    ; ecx = 0
- mov bh, 0x5A                      ; bx = 0x5A4D, i.e. the bytes 'M','Z' in memory order
- mov bl, 0x4D
- mov ch, 64                        ; ecx = 0x4000 = 16384 iterations before giving up
- mov eax, [esp + 8]                ; the dword that was at [esp] before the two pushes above
- jmp w32k32b_4
- ; main loop:
- ; backwards search in 1K-aligned memory
- ; for "MZ" signature
- ; NOTE(review): `and ah, 0xFE` / `xor al, al` clear bits 0-8, which rounds
- ; eax down to a 512-byte boundary, not 1K (that would need `and ah, 0xFC`);
- ; as pasted the scan stride is therefore 512 bytes -- confirm which was intended.
- w32k32b_3: dec eax                ; step below the current block before re-aligning
- w32k32b_4: and ah, 0xFE
- xor al, al
- cmp [eax], bx                     ; first two bytes of candidate == "MZ"? (may fault; see w32k32b_5)
- je w32k32b_8
- dec ecx                           ; safety counter exhausted -> not found
- jz w32k32b_7
- jmp w32k32b_3
- ; SEH handler:
- ; thread_context.eip = w32k32b_3
- ; continue;
- ; Handler stack on entry: [esp+4] ExceptionRecord, [esp+8] EstablisherFrame,
- ; [esp+12] ContextRecord, [esp+16] DispatcherContext. Only Eip is changed,
- ; so eax/ebx/ecx of the scan loop are resumed from the CONTEXT unchanged.
- w32k32b_5: xor eax, eax
- mov al, 0xB8                      ; 0xB8 = offset of Eip within the x86 CONTEXT structure
- mov ecx, [esp + 12]               ; ecx = ContextRecord
- lea eax, [eax + ecx]              ; eax = &ContextRecord->Eip
- call w32k32b_6
- w32k32b_6: pop ecx                ; ecx = address of w32k32b_6
- sub ecx, w32k32b_6 - w32k32b_3    ; ecx = address of w32k32b_3
- mov [eax], ecx                    ; resume the thread at w32k32b_3, skipping the unmapped block
- xor eax, eax                      ; return ExceptionContinueExecution (0)
- ret
- ; kernel32.dll base wasn't found
- w32k32b_7: xor eax, eax
- ; kernel32.dll base is found
- w32k32b_8: ;nop
- ; remove own SEH handler
- ; NOTE(review): the `xor eax, eax` below also discards the base address that
- ; the found path (w32k32b_8) left in eax; either the paste is truncated and
- ; the original saved eax first, or the result is lost -- verify before relying on it.
- w32k32b_9: xor eax, eax
- pop dword [fs:eax]                ; restore previous fs:[0] from EXCEPTION_REGISTRATION.Next
- add esp, 4                        ; drop the Handler slot