Created
June 11, 2016 23:46
-
-
Save mrexodia/58ee64e960f7b57f1ea890b91dcf99be to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ; struct LIST_HEAD //list_head points here { | |
| ; VEH_ENTRY* FLink; | |
| ; VEH_ENTRY* BLink; | |
| ; } | |
| ; | |
| ; struct VEH_ENTRY { //cur_entry points here | |
| ; VEH_ENTRY* FLink; | |
| ; VEH_ENTRY* BLink; | |
| ; DWORD Count; | |
| ; DWORD Alignment; | |
| ; ULONG_PTR VectoredHandler; | |
| ; } | |
| ; initialize | |
| list_head = LdrpVectorHandlerList + 8 | |
| cur_entry = [list_head] | |
| count = 0 | |
| log "--- VEH ---" | |
| ; walk the linked list | |
| loop: | |
| cmp cur_entry, list_head | |
| je break | |
| ; get and decode the handler | |
| encoded = [cur_entry + 8 + 8 + 4 + 4] | |
| count++ | |
| call decode_handler | |
| ; log the handler | |
| log "Handler {0}: {1}", count, decoded | |
| cur_entry = [cur_entry] | |
| jmp loop | |
| ; end of script | |
| break: | |
| log "--- END ---" | |
| ret | |
| ; calls RtlDecodePointer to decode the handler address | |
| decode_handler: | |
| ; backup registers that are modified by RtlDecodePointer | |
| push rax | |
| push rcx | |
| push rdx | |
| push r8 | |
| push r9 | |
| push r10 | |
| push r11 | |
| ; call RtlDecodePointer | |
| rcx = encoded | |
| push cip | |
| cip = RtlDecodePointer | |
| rtr | |
| step | |
| ; get decoded pointer | |
| decoded = rax | |
| ; restore registers | |
| pop r11 | |
| pop r10 | |
| pop r9 | |
| pop r8 | |
| pop rdx | |
| pop rcx | |
| pop rax | |
| ret |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment