[BITS 32]
; This shellcode is meant to be executed in the kernel just after the token has
; been stolen. It walks up the stack looking for the first frame which returns
; to userland and returns into the one just before it. This is presumably
; nt!KiSystemServicePostCall, which will clean up the operation before returning
; to userland.
; This shellcode clobbers ecx and ebx, and sets eax to 0 for the return value.