A terrible abomination that disguises itself as syscalls for Win32: a `ud2` fault is caught by an unhandled-exception filter that resolves a library export from register arguments and jumps back into the caller.
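/*
 * Top-level exception filter implementing this gist's "syscall" protocol.
 * The caller executes `ud2` (raises EXCEPTION_ILLEGAL_INSTRUCTION) with:
 *   EAX = module handle to use, or 0 to LoadLibraryA the name in EBX
 *   EBX = pointer to a NUL-terminated library name (read only when EAX == 0)
 *   ESI = pointer to a NUL-terminated export name
 *   ECX = address to resume execution at
 * On success the filter never returns: it restores the faulting thread's ESP,
 * places the module handle in EAX and the export address in ESI, and jumps
 * to the address that was in ECX.
 *
 * Returns 0 (EXCEPTION_CONTINUE_SEARCH) for any other exception code, and
 * now also when the library or the export cannot be resolved, so default
 * handling fires at the ud2 instead of the caller later executing
 * `call esi` on the NULL that GetProcAddress would have produced.
 *
 * Caveats a reviewer should know before reusing this:
 *  - Every illegal-instruction fault in the process reaches this filter, and
 *    EBX/ESI are dereferenced as strings with no validation at all. A stray
 *    #UD with attacker-influenced registers turns into an arbitrary
 *    LoadLibraryA; an unreadable EBX/ESI faults inside the filter itself.
 *  - ECX is trusted as-is: a bad resume address jumps anywhere.
 *  - EIP is never advanced past the 2-byte ud2; resumption relies only on ECX.
 *  - NOTE(review): filters installed with SetUnhandledExceptionFilter are,
 *    per Microsoft's documentation, not invoked while a debugger is attached
 *    and only run after frame-based handlers decline — confirm on the target.
 *  - x86-32 / MSVC only: reads Eax/Ebx/Esi/Ecx/Esp from CONTEXT and relies
 *    on MSVC `__asm` syntax.
 */
LONG __stdcall handler(EXCEPTION_POINTERS * ExceptionInfo) {
    HMODULE library;
    FARPROC procedure;
    DWORD old_esp, resume_eip;

    /* Only the ud2 "syscall" is ours; let everything else take the default path. */
    if (ExceptionInfo->ExceptionRecord->ExceptionCode != EXCEPTION_ILLEGAL_INSTRUCTION) {
        return 0; /* EXCEPTION_CONTINUE_SEARCH */
    }

    library = (HMODULE)ExceptionInfo->ContextRecord->Eax;
    if (!library) {
        library = LoadLibraryA((LPCSTR)ExceptionInfo->ContextRecord->Ebx);
        if (!library) {
            /* Unknown library: fail here rather than resuming with a NULL
             * export address that the caller would blindly `call`. */
            return 0; /* EXCEPTION_CONTINUE_SEARCH */
        }
    }

    procedure = GetProcAddress(library, (LPCSTR)ExceptionInfo->ContextRecord->Esi);
    if (!procedure) {
        /* Export not found: same reasoning as above. */
        return 0; /* EXCEPTION_CONTINUE_SEARCH */
    }

    old_esp = ExceptionInfo->ContextRecord->Esp;
    resume_eip = ExceptionInfo->ContextRecord->Ecx;

    /* Hand the results back in registers, then abandon this frame (and the
     * dispatcher frames below it) by restoring the faulting thread's ESP and
     * jumping straight to the caller-supplied resume address. The order of
     * these four instructions matters: ESP is clobbered last before the jmp. */
    __asm mov esi, procedure
    __asm mov eax, library
    __asm mov esp, old_esp
    __asm jmp resume_eip

    return 1; /* unreachable: control never comes back from the jmp above */
}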
/*
 * Demonstration of the ud2 "syscall": resolve kernel32!ExitProcess through
 * the filter installed above and call it with exit code 2137.
 *
 * Register protocol (must match handler): EAX = 0 to force LoadLibraryA on
 * EBX, EBX = library name, ESI = export name, ECX = resume address. After the
 * filter jumps back to `over`, EAX holds the module handle and ESI the export
 * address. The final `call esi` is ExitProcess, so main() never returns; the
 * missing `return` statement is therefore never reached.
 *
 * Caveats: the previous filter returned by SetUnhandledExceptionFilter is
 * discarded; the resume point `over` is what makes EIP fix-up unnecessary
 * (the handler never advances EIP past the ud2); x86-32 / MSVC `__asm` only.
 */
int main() {
    const char * libname = "kernel32.dll";
    const char * procname = "ExitProcess";
    /* Install the filter that turns the ud2 below into a library lookup. */
    SetUnhandledExceptionFilter(handler);
    __asm xor eax, eax;       /* EAX = 0: no module handle yet, load by name */
    __asm mov ebx, libname;   /* EBX = "kernel32.dll" */
    __asm mov esi, procname;  /* ESI = "ExitProcess" */
    __asm mov ecx, over;      /* ECX = where the handler should resume us */
    __asm ud2; // Tick! A syscall
    __asm over:               /* handler jumps here with EAX = module, ESI = export */
    __asm push 2137           /* uExitCode argument for the stdcall ExitProcess */
    __asm call esi            /* does not return */
}