;-----------------------------------------------------------------------------;
; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
; Version: 1.0 (24 July 2009)
; Size: 31 bytes
;-----------------------------------------------------------------------------;
; kernel32.dll!SetUnhandledExceptionFilter (0xEA320EFE) - This exit function
; will let the UnhandledExceptionFilter function perform its default handling
; routine.
;
; kernel32.dll!ExitProcess (0x56A2B5F0) - This exit function will force the
; process to terminate.
;
; kernel32.dll!ExitThread (0x0A2A1DE0) - This exit function will force the
; current thread to terminate. On Windows 2008, Vista and 7 this function is
; a forwarded export to ntdll.dll!RtlExitUserThread and as such cannot be
; called by the api_call function.
;
; ntdll.dll!RtlExitUserThread (0x6F721347) - This exit function will force
; the current thread to terminate. This function is not available on Windows
; NT or 2000.
;-----------------------------------------------------------------------------;
;   OS                       GetVersion major.minor (AL.AH)
;   Windows 7                6.1
;   Windows Server 2008 R2   6.1    If the EXITFUNK is ExitThread we must call
;   Windows Server 2008      6.0    RtlExitUserThread instead.
;   Windows Vista            6.0    _______________________________________________
;   Windows Server 2003 R2   5.2
;   Windows Server 2003      5.2
;   Windows XP               5.1
;   Windows 2000             5.0
;   Windows NT4              4.0
;-----------------------------------------------------------------------------;
[BITS 32]
; Input: EBP must be the address of 'api_call'.
; Output: None.
; Clobbers: EAX, EBX, (ESP will also be modified)
; Note: Execution is not expected to (successfully) continue past this block

; exitfunk - pick the exit function the payload was built with and invoke it
; through api_call.
;
; Both calls in this block go through api_call: the function hash is pushed,
; 'call ebp' pushes the return address, and api_call consumes the hash plus
; the arguments pushed before it.
;
; This is a fixed-layout stub (31 bytes, see header).  The 32-bit immediate of
; the first 'mov ebx' holds the EXITFUNK hash, so instruction order and
; encoding sizes must not be changed or the hash offset moves.
;
; Security note: of the four documented exit functions only ExitProcess,
; ExitThread and RtlExitUserThread are described as terminating anything.
; SetUnhandledExceptionFilter merely installs the NULL filter pushed below, so
; with that EXITFUNK control falls through into whatever bytes follow this
; block; the payload layout has to make that intentional.

exitfunk:
mov ebx, 0x0A2A1DE0 ; The EXITFUNK as specified by user...
                    ; 0x0A2A1DE0 is hash( "kernel32.dll", "ExitThread" ) (see header); presumably
                    ; the payload generator overwrites this immediate with the selected hash - confirm against callers.
push 0x9DBD95A6 ; hash( "kernel32.dll", "GetVersion" )
call ebp ; GetVersion(); (AL will = major version and AH will = minor version)
cmp al, byte 6 ; If we are not running on Windows Vista, 2008 or 7
               ; NOTE(review): 'jl' is a signed compare; 'jb' is the unsigned form with the same 2-byte
               ; short encoding.  Harmless here because AL is a small major version (< 0x80).
               ; Releases newer than 7 are not in the header's compatibility list; any major >= 6
               ; they report takes the substitution path below - verify before relying on it.
jl short goodbye ; Then just call the exit function...
cmp bl, 0xE0 ; If we are trying a call to kernel32.dll!ExitThread on Windows Vista, 2008 or 7...
             ; Only the low byte of the hash is tested (shorter than a full 32-bit compare).  This is
             ; sound only while no other supported EXITFUNK hash ends in 0xE0: per the header,
             ; SetUnhandledExceptionFilter ends ..FE, ExitProcess ..F0, RtlExitUserThread ..47.
             ; Keep that invariant if another exit function is ever added.
jne short goodbye ;
mov ebx, 0x6F721347 ; Then we substitute the EXITFUNK to that of ntdll.dll!RtlExitUserThread
                    ; (on Vista/2008/7 ExitThread is a forwarded export that api_call cannot call, see header)
goodbye: ; We now perform the actual call to the exit function
push byte 0 ; push the exit function parameter
            ; 0 = exit code for ExitProcess / ExitThread / RtlExitUserThread;
            ; NULL top-level filter for SetUnhandledExceptionFilter (default handling then applies)
push ebx ; push the hash of the exit function
call ebp ; call EXITFUNK( 0 );
|