2 replies to this topic

[0xDADA11C7]

This LoadPE shellcode

• Support TLS
• Don`t need relocation table

For using it you must to create next data structure:
 

Please Login or Register to see this Hidden Content

For using this shellcode you must patch it

Please Login or Register to see this Hidden Content

Main file - loadpe.asm

Please Login or Register to see this Hidden Content

Plugin for unchain SEH with restore original (system) handler exception and restore stack to original state (it can be changed by RTL start code)

Please Login or Register to see this Hidden Content

Plagin  for EOF (overlay) simulation for Сitadel і Zeus.

Please Login or Register to see this Hidden Content

Please Login or Register to see this Hidden Content

Attached Files

•  LoadPE.shellcode.7z   10.45KB   36 downloads

Edited by 0xDADA11C7, 28 December 2014 - 11:29 PM.

[Jochen]

What's wrong with getting KernelBase like this , if you gonna use the PEB.

 

    proc GetKernel32
        MOV EAX, [FS:30h]
        MOV EAX, [EAX+0Ch]
        MOV EAX, [EAX+0Ch]
        MOV EAX, [EAX]
        MOV EAX, [EAX]
        MOV EAX, [EAX+18h]
        RET
        endp

 

 

[Tigerass]

@Jochen because you are getting it "by luck". Most of the time it will go well, but the order of the loaded modules isnt fixed. So some av for eg. Could change it.