; █ █
; █ █
; █ █
; █ █
; █ █
; █ █
; █ ▄▄▄▄▄▄▄▄▄▄ █
; ▄██▓▓▓▓▓▓▓▓▒██
; ██▓▓▓▓▓▓▓▓▓▓▓▓▒█
; ██▓▓▓▓▓▓▓▓▓▓▓▓▓▓▒█
; ▄▄▄█████▓▓█████▄▄▄█████▓ ██████ █ ██ ▒█████
; ▓ ██▒ ▓▒▓█ ▀▓ ██▒ ▓▒▒██ ▒ ██ ▓██▒▒██▒ ██
; ▒ ▓██░ ▒░▒███ ▒ ▓██░ ▒░░ ▓██▄ ▓██ ▒██░▒██░ ██
; ░ ▓██▓ ░ ▒▓█ ▄░ ▓██▓ ░ ▒ ██▒▓▓█ ░██░▒██ ██
; ▒██▒ ░ ░▒████▒ ▒██▒ ░ ▒██████▒▒▒▒█████▓ ░ ████▓▒░
; ▒█░░▀▀▀░░▀▒░▀░▀▒▀░░▀▀▀▒▀▒▓▒▀▒▀░░▒▓▒▀▒▀▒▀░▀▒░▒░▒░
; ██░ ████░█░██░███░████░█░▒██░█░░░▒░█░█░███░█▒█▒░
; ░█ █ ░ ░ ┌───░──░──░┐ ░░░ ░ ░ ░ ░█░█
; █ ░ ░ │Access PEB│ ░ █░█
; █ └─────┬────┘ █
; █ ┌──────▼─────┐ █
; █ │Get PEB->Ldr│ █
; █ └──────┬─────┘ █
; █┌──────────────────▼─────────────────┐█
; █│ Access Ldr->InMemoryOrderModuleList│█
; █└──────────────────┬─────────────────┘█
; █ ┌─────────────▼───────────┐ █
; █ │Get LDR_DATA_TABLE_ENTRY │ █
; █ └─────┬───────────────▲───┘ █
; █ │ no █
; █ ┌─────────▼───────────────┴──────┐ █
; █ │ Is BaseDllName "kernel32.dll" ?│ █
; █ └─────────────────┬──────────────┘ █
; █ yes █
; █ ┌───────▼───────┐ █
; █ │Extract DllBase│ █
; █ └───────────────┘ █
; ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
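; x86
;-----------------------------------------------------------------------
; find_kernel32 (32-bit): locate the image base of kernel32.dll by walking
; the PEB loader module list -- no imports, no hard-coded addresses.
; Syntax: Intel operand order, MASM-style (`fs:[...]`, `word ptr`, `..h`).
; In:    nothing; reads the TEB/PEB through FS
; Out:   EBX = DllBase of the first module in memory order whose
;              BaseDllName is exactly 12 UTF-16 chars (see heuristic note)
;        ESI = InMemoryOrderLinks.Flink of the entry AFTER the match
; Clobb: EBP, ESP (frame set-up), ECX (left = 0), ESI, EDI, flags
; Note:  the x86-64 variant below reuses the same labels; assemble only
;        one variant per build.
;-----------------------------------------------------------------------
; 32-bit layouts of TEB / PEB / PEB_LDR_DATA / LDR_DATA_TABLE_ENTRY.
; The original walked Ldr+1Ch (InInitializationOrderModuleList) while
; reading DllBase at +10h, which only holds for the InMemoryOrder list;
; all offsets below are made consistent for InMemoryOrderModuleList, as
; the comments and the flowchart above describe.
TEB32_PEB                equ 30h     ; TEB.ProcessEnvironmentBlock
PEB32_LDR                equ 0Ch     ; PEB.Ldr
LDR32_INMEMORYORDER_LIST equ 14h     ; PEB_LDR_DATA.InMemoryOrderModuleList (0Ch = InLoadOrder, 1Ch = InInitializationOrder)
; Links in that list point at LDR_DATA_TABLE_ENTRY.InMemoryOrderLinks
; (entry+08h), so the entry fields below are relative to the LINK.
MEMLINK32_DLLBASE        equ 10h     ; DllBase            (entry+18h)
MEMLINK32_BASEDLLNAME    equ 28h     ; BaseDllName.Buffer (entry+30h, UTF-16, NUL-terminated)

    mov     ebp, esp                    ; Frame pointer for whatever follows
    add     esp, -610h                  ; Reserve 610h bytes; `sub esp, 610h` would encode 00 bytes, the negative add does not (16-byte multiple)
find_kernel32:
    xor     ecx, ecx                    ; ECX = 0; reused as the zero operand so no 00 byte is ever emitted
    mov     esi, fs:[ecx+TEB32_PEB]     ; ESI = PEB (fs:[30h] alone would need a 4-byte displacement full of NULLs)
    mov     esi, [esi+PEB32_LDR]        ; ESI = PEB->Ldr
    mov     esi, [esi+LDR32_INMEMORYORDER_LIST] ; ESI = Ldr->InMemoryOrderModuleList.Flink = first entry's InMemoryOrderLinks
next_module:
    mov     ebx, [esi+MEMLINK32_DLLBASE]     ; EBX = entry.DllBase (candidate result)
    mov     edi, [esi+MEMLINK32_BASEDLLNAME] ; EDI = entry.BaseDllName.Buffer
    mov     esi, [esi]                  ; ESI = next entry's InMemoryOrderLinks (Flink) -- advanced before the test
    ; Heuristic match: BaseDllName[12] == 0 holds for "kernel32.dll", but
    ; also for ANY 12-character name (advapi32.dll, a 12-char EXE name) and,
    ; for names shorter than 12 characters, reads past the terminator into
    ; whatever follows the buffer. The first entry in memory order is
    ; normally the host image itself, so a 12-character image name would be
    ; returned instead of kernel32; compare the name bytes when that cannot
    ; be ruled out.
    cmp     word ptr [edi+12*2], cx     ; Compare against CX (=0) rather than an imm 0, which would encode a 00 byte
    jne     next_module                 ; Not 12 chars long -> keep walking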
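; x86-64
;-----------------------------------------------------------------------
; find_kernel32 (64-bit): locate the image base of kernel32.dll by walking
; the PEB loader module list -- no imports, no hard-coded addresses.
; Syntax: Intel operand order, MASM-style (`gs:[...]`, `word ptr`, `..h`).
; In:    nothing; reads the TEB/PEB through GS
; Out:   RBX = DllBase of the first module in memory order whose
;              BaseDllName is exactly 12 UTF-16 chars (see heuristic note)
;        RSI = InMemoryOrderLinks.Flink of the entry AFTER the match
; Clobb: RBP, RSP (frame set-up), RCX (left = 0), RSI, RDI, flags
; Note:  the x86 variant above reuses the same labels; assemble only one
;        variant per build.
;-----------------------------------------------------------------------
; 64-bit layouts of TEB / PEB / PEB_LDR_DATA / LDR_DATA_TABLE_ENTRY.
; The original walked Ldr+10h (InLoadOrderModuleList) while reading
; DllBase at +10h and the name buffer at +30h, which match no single
; list; all offsets below are made consistent for
; InMemoryOrderModuleList, as the comments and the flowchart describe.
TEB64_PEB                equ 60h     ; TEB.ProcessEnvironmentBlock
PEB64_LDR                equ 18h     ; PEB.Ldr
LDR64_INMEMORYORDER_LIST equ 20h     ; PEB_LDR_DATA.InMemoryOrderModuleList (10h = InLoadOrder, 30h = InInitializationOrder)
; Links in that list point at LDR_DATA_TABLE_ENTRY.InMemoryOrderLinks
; (entry+10h), so the entry fields below are relative to the LINK.
MEMLINK64_DLLBASE        equ 20h     ; DllBase            (entry+30h)
MEMLINK64_BASEDLLNAME    equ 50h     ; BaseDllName.Buffer (entry+60h, UTF-16, NUL-terminated)

    mov     rbp, rsp                    ; Frame pointer for whatever follows
    add     rsp, -610h                  ; Reserve 610h bytes; `sub rsp, 610h` would encode 00 bytes, the sign-extended negative add does not (16-byte multiple)
find_kernel32:
    xor     ecx, ecx                    ; RCX = 0 (32-bit write zero-extends, no REX needed); reused as the zero operand below
    mov     rsi, gs:[rcx+TEB64_PEB]     ; RSI = PEB (gs:[60h] alone would need a 4-byte displacement full of NULLs)
    mov     rsi, [rsi+PEB64_LDR]        ; RSI = PEB->Ldr
    mov     rsi, [rsi+LDR64_INMEMORYORDER_LIST] ; RSI = Ldr->InMemoryOrderModuleList.Flink = first entry's InMemoryOrderLinks
next_module:
    mov     rbx, [rsi+MEMLINK64_DLLBASE]     ; RBX = entry.DllBase (candidate result)
    mov     rdi, [rsi+MEMLINK64_BASEDLLNAME] ; RDI = entry.BaseDllName.Buffer
    mov     rsi, [rsi]                  ; RSI = next entry's InMemoryOrderLinks (Flink) -- advanced before the test
    ; Heuristic match: BaseDllName[12] == 0 holds for "kernel32.dll", but
    ; also for ANY 12-character name (advapi32.dll, a 12-char EXE name) and,
    ; for names shorter than 12 characters, reads past the terminator into
    ; whatever follows the buffer. The first entry in memory order is
    ; normally the host image itself, so a 12-character image name would be
    ; returned instead of kernel32; compare the name bytes when that cannot
    ; be ruled out.
    cmp     word ptr [rdi+12*2], cx     ; Compare against CX (=0) rather than an imm 0, which would encode a 00 byte
    jne     next_module                 ; Not 12 chars long -> keep walking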