Last active
July 27, 2022 19:43
-
-
Save c0d3inj3cT/7630756 to your computer and use it in GitHub Desktop.
Revisions
-
c0d3inj3cT revised this gist
Nov 24, 2013 . 1 changed file with 1 addition and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -26,4 +26,4 @@ EDI - Buffer 00C81737 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C] 00C8173A 50 PUSH EAX 00C8173B FF75 F4 PUSH DWORD PTR SS:[EBP-C] 00C8173E C606 E9 MOV BYTE PTR DS:[ESI],0E9 ; write jump opcode to function pointer -
Nov 24, 2013 . 1 changed file with 1 addition and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -15,7 +15,7 @@ EDI - Buffer 00C81719 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8] 00C8171C 2BC2 SUB EAX,EDX 00C8171E 2BC7 SUB EAX,EDI 00C81720 83E8 05 SUB EAX,5 ; eax = function pointer - buffer - 0x5 00C81723 8D0C3A LEA ECX,DWORD PTR DS:[EDX+EDI] ; buffer = buffer + 0x5 00C81726 8941 01 MOV DWORD PTR DS:[ECX+1],EAX ; write above calculated value of eax in the buffer 00C81729 8B45 10 MOV EAX,DWORD PTR SS:[EBP+10] ; malicious subroutine -
Nov 24, 2013 . 1 changed file with 2 additions and 2 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -15,13 +15,13 @@ EDI - Buffer 00C81719 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8] 00C8171C 2BC2 SUB EAX,EDX 00C8171E 2BC7 SUB EAX,EDI 00C81720 83E8 05 SUB EAX,5 ; eax = function pointer - buffer - 0x5 00C81723 8D0C3A LEA ECX,DWORD PTR DS:[EDX+EDI] ; buffer = buffer + 0x5 00C81726 8941 01 MOV DWORD PTR DS:[ECX+1],EAX ; write above calculated value of eax in the buffer 00C81729 8B45 10 MOV EAX,DWORD PTR SS:[EBP+10] ; malicious subroutine 00C8172C 2BC6 SUB EAX,ESI 00C8172E 83E8 05 SUB EAX,5 ; hooked api = hooked api - function pointer - 0x5 00C81731 C601 E9 MOV BYTE PTR DS:[ECX],0E9 ; write jump opcode to buffer 00C81734 8946 01 MOV DWORD PTR DS:[ESI+1],EAX ; write the above calculated hooked api value to the function pointer + 1 00C81737 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C] 00C8173A 50 PUSH EAX -
Nov 24, 2013 . 1 changed file with 2 additions and 2 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -15,8 +15,8 @@ EDI - Buffer 00C81719 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8] 00C8171C 2BC2 SUB EAX,EDX 00C8171E 2BC7 SUB EAX,EDI 00C81720 83E8 05 SUB EAX,5 ; eax = function pointer - buffer - 0x5 00C81723 8D0C3A LEA ECX,DWORD PTR DS:[EDX+EDI] ; buffer = buffer + 0x5 00C81726 8941 01 MOV DWORD PTR DS:[ECX+1],EAX ; write above calculated value of eax in the buffer 00C81729 8B45 10 MOV EAX,DWORD PTR SS:[EBP+10] ; malicious subroutine 00C8172C 2BC6 SUB EAX,ESI -
Nov 24, 2013 . 1 changed file with 2 additions and 2 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -15,8 +15,8 @@ EDI - Buffer 00C81719 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8] 00C8171C 2BC2 SUB EAX,EDX 00C8171E 2BC7 SUB EAX,EDI 00C81720 83E8 05 SUB EAX,5 ; eax = function pointer - buffer - 0x5 00C81723 8D0C3A LEA ECX,DWORD PTR DS:[EDX+EDI] ; buffer = buffer + 0x5 00C81726 8941 01 MOV DWORD PTR DS:[ECX+1],EAX ; write above calculated value of eax in the buffer 00C81729 8B45 10 MOV EAX,DWORD PTR SS:[EBP+10] ; malicious subroutine 00C8172C 2BC6 SUB EAX,ESI -
Nov 24, 2013 . 1 changed file with 1 addition and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -15,7 +15,7 @@ EDI - Buffer 00C81719 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8] 00C8171C 2BC2 SUB EAX,EDX 00C8171E 2BC7 SUB EAX,EDI 00C81720 83E8 05 SUB EAX,5 ; eax = function pointer - buffer - 0x5 00C81723 8D0C3A LEA ECX,DWORD PTR DS:[EDX+EDI] ; buffer = buffer + 0x5 00C81726 8941 01 MOV DWORD PTR DS:[ECX+1],EAX ; write above calculated value of eax in the buffer 00C81729 8B45 10 MOV EAX,DWORD PTR SS:[EBP+10] ; malicious subroutine -
Nov 24, 2013 . 1 changed file with 1 addition and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -15,7 +15,7 @@ EDI - Buffer 00C81719 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8] 00C8171C 2BC2 SUB EAX,EDX 00C8171E 2BC7 SUB EAX,EDI 00C81720 83E8 05 SUB EAX,5 ; eax = function pointer - buffer - 0x5 00C81723 8D0C3A LEA ECX,DWORD PTR DS:[EDX+EDI] ; buffer = buffer + 0x5 00C81726 8941 01 MOV DWORD PTR DS:[ECX+1],EAX ; write above calculated value of eax in the buffer 00C81729 8B45 10 MOV EAX,DWORD PTR SS:[EBP+10] ; malicious subroutine -
Nov 24, 2013 . 1 changed file with 1 addition and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -15,7 +15,7 @@ EDI - Buffer 00C81719 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8] 00C8171C 2BC2 SUB EAX,EDX 00C8171E 2BC7 SUB EAX,EDI 00C81720 83E8 05 SUB EAX,5 ; eax = function pointer - buffer - 0x5 00C81723 8D0C3A LEA ECX,DWORD PTR DS:[EDX+EDI] ; buffer = buffer + 0x5 00C81726 8941 01 MOV DWORD PTR DS:[ECX+1],EAX ; write above calculated value of eax in the buffer 00C81729 8B45 10 MOV EAX,DWORD PTR SS:[EBP+10] ; malicious subroutine -
Nov 24, 2013 . 1 changed file with 1 addition and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -6,7 +6,7 @@ EDI - Buffer 00C816FE 8B46 01 MOV EAX,DWORD PTR DS:[ESI+1] 00C81701 8D4430 05 LEA EAX,DWORD PTR DS:[EAX+ESI+5] 00C81705 EB 12 JMP SHORT 00C81719 00C81707 8D46 05 LEA EAX,DWORD PTR DS:[ESI+5] ; point eax to the 5th byte of the function 00C8170A A5 MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI] ; store 5 bytes from the function into the buffer 00C8170B A4 MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] 00C8170C 8B7D 0C MOV EDI,DWORD PTR SS:[EBP+C] ; edi = buffer -
Nov 24, 2013 .There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,29 @@ ESI - Function Pointer EDI - Buffer 00C816F9 803E E9 CMP BYTE PTR DS:[ESI],0E9 ; check if the first instruction of API is a jump instruction 00C816FC 75 09 JNZ SHORT 00C81707 00C816FE 8B46 01 MOV EAX,DWORD PTR DS:[ESI+1] 00C81701 8D4430 05 LEA EAX,DWORD PTR DS:[EAX+ESI+5] 00C81705 EB 12 JMP SHORT 00C81719 00C81707 8D46 05 LEA EAX,DWORD PTR DS:[ESI+5] ; point eax to the 5th byte of the function 00C8170A A5 MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI] ; store 5 bytes from the function into the buffer 00C8170B A4 MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] 00C8170C 8B7D 0C MOV EDI,DWORD PTR SS:[EBP+C] ; edi = buffer 00C8170F 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8] ; esi = function pointer 00C81712 C745 F8 05000000 MOV DWORD PTR SS:[EBP-8],5 00C81719 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8] 00C8171C 2BC2 SUB EAX,EDX 00C8171E 2BC7 SUB EAX,EDI 00C81720 83E8 05 SUB EAX,5 ; eax = function pointer - buffer - 0x5 00C81723 8D0C3A LEA ECX,DWORD PTR DS:[EDX+EDI] ; buffer = buffer + 0x5 00C81726 8941 01 MOV DWORD PTR DS:[ECX+1],EAX ; write above calculated value of eax in the buffer 00C81729 8B45 10 MOV EAX,DWORD PTR SS:[EBP+10] ; malicious subroutine 00C8172C 2BC6 SUB EAX,ESI 00C8172E 83E8 05 SUB EAX,5 ; hooked api = hooked api - function pointer - 0x5 00C81731 C601 E9 MOV BYTE PTR DS:[ECX],0E9 ; write jump opcode to buffer 00C81734 8946 01 MOV DWORD PTR DS:[ESI+1],EAX ; write the above calculated hooked api value to the function pointer + 1 00C81737 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C] 00C8173A 50 PUSH EAX 00C8173B FF75 F4 PUSH DWORD PTR SS:[EBP-C] 00C8173E C606 E9 MOV BYTE PTR DS:[ESI],0E9 ; write jump opcode to function pointer