root / external / source / shellcode / windows / x86 / src / block / block_exitfunk.asm @ 6922

;-----------------------------------------------------------------------------;
; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
; Version: 1.0 (24 July 2009)
; Size: 31 bytes
;-----------------------------------------------------------------------------;
; kernel32.dll!SetUnhandledExceptionFilter (0xEA320EFE) - This exit function
; will let the UnhandledExceptionFilter function perform its default handling
; routine. 
;
; kernel32.dll!ExitProcess (0x56A2B5F0) - This exit function will force the 
; process to terminate.
;
; kernel32.dll!ExitThread (0x0A2A1DE0) - This exit function will force the 
; current thread to terminate. On Windows 2008, Vista and 7 this function is
; a forwarded export to ntdll.dll!RtlExitUserThread and as such cannot be 
; called by the api_call function.
;
; ntdll.dll!RtlExitUserThread (0x6F721347) - This exit function will force 
; the current thread to terminate. This function is not available on Windows 
; NT or 2000.
;-----------------------------------------------------------------------------;
; Windows 7               6.1  
; Windows Server 2008 R2  6.1   If the EXITFUNK is ExitThread we must call
; Windows Server 2008     6.0   RtlExitUserThread instead.
; Windows Vista           6.0 _______________________________________________
; Windows Server 2003 R2  5.2
; Windows Server 2003     5.2
; Windows XP              5.1
; Windows 2000            5.0
; Windows NT4             4.0
;-----------------------------------------------------------------------------;
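[BITS 32]

;-----------------------------------------------------------------------------;
; exitfunk - terminate the current thread (or process) via the selected EXITFUNK.
;
; The first instruction holds the hash of the chosen exit function (default
; here: kernel32.dll!ExitThread, 0x0A2A1DE0). The block calls
; kernel32.dll!GetVersion through api_call; if the major version is 6 or above
; (Vista, 2008, 7) and the selected EXITFUNK is ExitThread, the hash is swapped
; for that of ntdll.dll!RtlExitUserThread before the exit call is made, because
; on those versions ExitThread is a forwarded export that api_call cannot reach.
;
; Input:    EBP must be the address of 'api_call'.
; Output:   None.
; Clobbers: EAX, EBX, (ESP will also be modified). Whatever api_call itself
;           clobbers is in addition to this - confirm against api_call's header.
; Note:     Execution is not expected to (successfully) continue past this block.
; Size:     31 bytes - any edit here must keep the encoded size unchanged.
;-----------------------------------------------------------------------------;
exitfunk:
  mov ebx, 0x0A2A1DE0    ; EBX = hash of the EXITFUNK as specified by user (kernel32.dll!ExitThread)
  push 0x9DBD95A6        ; hash( "kernel32.dll", "GetVersion" )
  call ebp               ; GetVersion(); AL = major version, AH = minor version
  cmp al, byte 6         ; Major version below 6, i.e. NT4 / 2000 / XP / 2003?
  jb short goodbye       ; Unsigned compare on a version byte: jb, not jl (same 2-byte encoding). Then just call the exit function...
  cmp bl, 0xE0           ; On Vista / 2008 / 7: is the EXITFUNK kernel32.dll!ExitThread? (only the low byte of the hash is compared)
  jne short goodbye      ; No: call it unchanged
  mov ebx, 0x6F721347    ; Yes: substitute the hash of ntdll.dll!RtlExitUserThread
goodbye:                 ; Perform the actual call to the exit function
  push byte 0            ; The exit function's single parameter (exit code 0)
  push ebx               ; Hash of the exit function, consumed by api_call
  call ebp               ; EXITFUNK( 0 ); not expected to return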