BanMe
July 10th, 2009, 20:27
First off I would like to go over some finer details of the indirect __stdcall feature I let on about. It is directly called, and it internally calls out to a given function.
Here is the full implementation:
Code:
__declspec(naked) void CallOutRecaptureRoutine(__in void* FunctionPtr, ...)
{
__asm
{
POP ECX //;pop return address
POP EDX //;pop function pointer
POP EAX //;pop the address of the parameter slot
PUSH ECX //;place function return back on stack
PUSH [EAX] //;push the parameter itself (one dereference of the slot)
CALL EDX //;call function (stdcall: the callee removes its own argument)
XOR ECX,ECX //;zero ecx
ADD ECX,0x18 //;FS:[0x18] is TEB.NtTib.Self
MOV EBX,DWORD PTR FS:[ECX] //;NtCurrentTeb to ebx
//;return the value of the call to a generally
//;read/writable area, Teb.NtTib.ArbitraryUserPointer (offset 0x14; the inline assembler reads a bare 14 as decimal)
MOV DWORD PTR DS:[EBX+0x14],EAX
MOV EAX,0x7c90de3e //;hard-coded address of ntdll!NtSuspendThread on the author's system
PUSH 0 //;PreviousSuspendCount = NULL
PUSH -2 //;NtCurrentThread()
CALL EAX//;call NtSuspendThread: the thread parks itself until the next dispatch
}
}
Here is how I use it:
1st off I create a thread that is suspended.
Code:
Status = RtlCreateUserThread(NtCurrentProcess(),0,true,0,0,0x4096,(PUSER_THREAD_START_ROUTINE)CallOutRecaptureRoutine,0,&Reusable,&ClientId);
Then, when a client connects, I call Native_DispatchRecaptureThread like this:
Code:
Native_DispatchRecaptureThread(ServerHandleTable,(ULONG)CallOutRecaptureRoutine,(void*)&Message);
Here is the total code to the new Native_DispatchRecaptureThread:
Code:
//this function is supposed to emulate behavior similar to RtlRemoteCall but it still needs a little work.
NTSTATUS Native_DispatchRecaptureThread(__in void* ServerHandleTable,__in ULONG CallSite,__in void *Param)
{
ULONG HandleIndex = 0;
PVOID HeapPart = 0;
NTSTATUS Status = 0;
HANDLE DormantThread = INVALID_HANDLE_VALUE;
CONTEXT Context = {0};
DormantThread = Native_GetHandleTableHandle(ServerHandleTable,ObThread,ObTSuspended);
if(DormantThread != INVALID_HANDLE_VALUE)
{
Context.ContextFlags = CONTEXT_FULL;
//crafted stack for the dormant thread: [return address][function pointer][&parameter]
HeapPart = RtlAllocateHeap(RtlProcessHeap(),0,0x4096);
if(HeapPart == NULL)
{
return STATUS_NO_MEMORY;
}
*(ULONG*)HeapPart = CallSite+8; //popped into ECX; +8 is the byte offset of the instruction after CALL EDX in CallOutRecaptureRoutine
*(ULONG*)((ULONG)HeapPart+4) = (ULONG)Native_AcceptConnectionRequest; //popped into EDX and called
*(ULONG*)((ULONG)HeapPart+8) = (ULONG)&Param; //popped into EAX; PUSH [EAX] then yields Param itself (this is the address of a local of the dispatching thread)
Status = NtGetContextThread(DormantThread,&Context);
if(NT_SUCCESS(Status))
{
Context.Esp = (ULONG)HeapPart; //point the thread at the crafted stack
Status = NtSetContextThread(DormantThread,&Context);
}
if(NT_SUCCESS(Status))
{
return NtResumeThread(DormantThread,0);
}
}
return STATUS_UNSUCCESSFUL;
}
which works by simply overwriting ESP with my own stack, which I am going to need to craft more carefully.

This works because, if you remember up top, there are the 3 pops in CallOutRecaptureRoutine:
the first pop removes the return address and increments ESP by 4, the 2nd pop gets the CallSite and increments ESP by 4, and the 3rd pop gets the parameter passed in. After that I push the return address back onto the stack and push the parameter to the CallSite before placing the call.
regards BanMe
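As an added illustration (not BanMe's code, and not a Windows thread hijack): a portable C model of the three-word frame that Native_DispatchRecaptureThread writes at the dormant thread's new ESP, and of the pop/push sequence CallOutRecaptureRoutine runs over it. The names build_callout_frame, run_callout, accept_connection_request and the sample message are assumptions of this example; the index arithmetic follows the x86 stack direction, with pops moving ESP up and pushes moving it down. It makes visible why the dispatcher stores &Param while the trampoline does PUSH [EAX]: the callee receives Param itself, and once the stdcall callee has cleaned its argument, the word that PUSH ECX put back (the return address) is again on top of the stack.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A stack slot; uintptr_t keeps the 32-bit model portable to 64-bit hosts. */
typedef uintptr_t word_t;
typedef word_t (*callout_fn)(void *param);

enum { FRAME_WORDS = 16 };

/* Model of the heap block handed to the dormant thread as ESP.
 * Index 0 is the top of stack: pops move esp up, pushes move it down. */
struct callout_frame {
    word_t words[FRAME_WORDS];
    size_t esp;
};

struct callout_result {
    word_t eax;        /* value the callee returned (the post stores it in the TEB) */
    size_t esp_after;  /* stack index once the stdcall callee has cleaned its argument */
    word_t top_after;  /* word now on top of the stack */
};

/* Same three stores as HeapPart+0 / +4 / +8 in Native_DispatchRecaptureThread. */
static void build_callout_frame(struct callout_frame *f, word_t ret,
                                callout_fn fn, void **param_slot)
{
    memset(f, 0, sizeof *f);
    f->esp = 0;
    f->words[0] = ret;                /* popped into ECX */
    f->words[1] = (word_t)fn;         /* popped into EDX */
    f->words[2] = (word_t)param_slot; /* popped into EAX: the slot's address, not its value */
}

static word_t frame_pop(struct callout_frame *f) { return f->words[f->esp++]; }
static void frame_push(struct callout_frame *f, word_t v) { f->words[--f->esp] = v; }

/* Emulates the pop/push/call part of CallOutRecaptureRoutine. */
static struct callout_result run_callout(struct callout_frame *f)
{
    word_t ecx = frame_pop(f);                 /* POP ECX  : return address */
    word_t edx = frame_pop(f);                 /* POP EDX  : function pointer */
    word_t eax = frame_pop(f);                 /* POP EAX  : &Param */
    frame_push(f, ecx);                        /* PUSH ECX : return address back on the stack */
    frame_push(f, (word_t)*(void **)eax);      /* PUSH [EAX]: one dereference yields Param */
    void *arg = (void *)f->words[f->esp];      /* CALL EDX reads its argument from the top */
    word_t ret = ((callout_fn)edx)(arg);
    f->esp += 1;                               /* stdcall: the callee removed its argument */
    struct callout_result r = { ret, f->esp, f->words[f->esp] };
    return r;
}

/* Stand-in for Native_AcceptConnectionRequest: records the message it was given. */
struct message { uint32_t id; char text[32]; };
static const struct message *last_accepted;

static word_t accept_connection_request(void *param)
{
    last_accepted = (const struct message *)param;
    return last_accepted->id + 1;
}

/* One dispatch over a constructed message. The local 'param' plays the
 * dispatcher's Param argument, so the frame carries &param just as in the post. */
static struct callout_result demo_dispatch(void)
{
    static const struct message msg = { 41, "constructed sample message" };
    void *param = (void *)&msg;
    struct callout_frame f;
    build_callout_frame(&f, (word_t)0xDEADBEEFu, accept_connection_request, &param);
    return run_callout(&f);
}

static int callee_saw_message(void)
{
    return last_accepted != NULL && last_accepted->id == 41;
}

int main(void)
{
    struct callout_result r = demo_dispatch();
    printf("eax=%lu esp=%zu top=0x%lx callee_saw_message=%d\n",
           (unsigned long)r.eax, r.esp_after, (unsigned long)r.top_after,
           callee_saw_message());
    return 0;
}
```

The model deliberately stops where the real routine stores EAX into the TEB and calls NtSuspendThread; those steps depend on the live thread and the hard-coded ntdll address, which a host-side model cannot reproduce.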