-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathutils.inc
159 lines (126 loc) · 2.84 KB
/
utils.inc
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
extern GetModuleHandleA:PROC
extern GetProcAddress:PROC
extern ExitProcess:PROC
extern CloseHandle:PROC
OBJECT_ATTRIBUTES STRUCT
oLength QWORD ?
RootDirectory QWORD ?
ObjectName QWORD ?
Attributes QWORD ?
SecurityDescriptor QWORD ?
SecurityQualityOfService QWORD ?
OBJECT_ATTRIBUTES ENDS
CLIENT_ID STRUCT
UniqueProcess DWORD ?
UniqueThread QWORD ?
CLIENT_ID ENDS
.data
ObjAttr OBJECT_ATTRIBUTES <>
CID CLIENT_ID <>
HandleProcess QWORD 0
HandleThread QWORD 0
RemoteBuffer QWORD 0
NTDLLAddress QWORD 0
; /* DLL */
NTDLLString db "ntdll.dll",0
; /* Functions */
NtOpenProcessString db "NtOpenProcess",0
NtAllocateVirtualString db "NtAllocateVirtualMemory",0
NtWriteVirtualString db "NtWriteVirtualMemory",0
NtProtectVirtualString db "NtProtectVirtualMemory",0
NtCreateThreadString db "NtCreateThreadEx",0
NtWaitString db "NtWaitForSingleObject",0
.code
; /*
; This function checks the result of a function call and handles errors. Also it can copy the result to a buffer.
;
; * Parameters:
; * rcx - The result of the function call (QWORD)
; * rdx - The address of the buffer to store the result (QWORD) (OPTIONAL)
; */
CheckFunctionResult PROC
mov r10,rcx
mov r11,rdx
cmp r10,0
jz GotoExit
cmp r11,0
jz ReturnToMain
CopyBuffer:
; Copy the result to the buffer
mov [r11],r10
jmp ReturnToMain
GotoExit:
mov rdx,HandleThread
mov rcx,HandleProcess
jmp ExitProgram
ReturnToMain:
ret
CheckFunctionResult ENDP
; /*
; This function gets the address of a specific function from a module.
; * Parameters:
; * rcx - The address of the module (QWORD)
; * rdx - The name of the function (QWORD)
;
; Output:
; * rax - The address of the function
GetSpecificFunction PROC
cmp rcx,0
jz NotFoundParam
cmp rdx,0
jz NotFoundParam
; Prolog
push r13
push r14
push r15
sub rsp,38h
; Call GetProcAddress with Params
sub rsp,28h
call GetProcAddress
add rsp,28h
; Epilog
add rsp,38h
pop r15
pop r14
pop r13
jmp Return
NotFoundParam:
xor rax,rax
Return:
ret
GetSpecificFunction ENDP
; /*
; This function closes the handles and exits the program.
;
; * Parameters:
; * rcx - Thread's handle (QWORD)
; * rdx - Process's handle (QWORD)
; */
ExitProgram PROC
; Save Params
mov r13,rcx
mov r14,rdx
CheckHandleThread:
cmp r13,0
jz CheckHandleProcess
jmp CloseThreadHandle
CheckHandleProcess:
cmp r14,0
jz ExitTheProgram
jmp CloseProcessHandle
CloseThreadHandle:
sub rsp,28h
mov rcx,r13
call CloseHandle
add rsp,28h
jmp CheckHandleProcess
CloseProcessHandle:
sub rsp,28h
mov rcx,r14
call CloseHandle
add rsp,28h
ExitTheProgram:
sub rsp,28h
xor rcx,rcx
call ExitProcess
ExitProgram ENDP