I developed shellcode that enforces permanent DEP when it is injected into a (32-bit) process. It resolves SetProcessDEPPolicy in kernel32.dll by hash and calls it with PROCESS_DEP_ENABLE; the first call to SetProcessDEPPolicy fixes the DEP setting for the lifetime of the process, so DEP cannot be switched off again afterwards:
This is for my Brucon workshop. More details to be posted later.
BITS 32

KERNEL32_HASH                      equ 0x000d4e88   ; hash of the module name, resolved by LookupFunctions
KERNEL32_NUMBER_OF_FUNCTIONS       equ 1
KERNEL32_SETPROCESSDEPPOLICY_HASH  equ 0x06f26f66   ; hash of "SetProcessDEPPolicy"
PROCESS_DEP_ENABLE                 equ 1            ; dwFlags value for SetProcessDEPPolicy

segment .text

    call geteip
geteip:
    pop ebx                                       ; ebx = address of geteip; base for position-independent addressing

    ; Setup environment: resolve the kernel32 functions listed in KERNEL32_HASHES_TABLE
    lea esi, [KERNEL32_FUNCTIONS_TABLE-geteip+ebx]
    push esi                                      ; output table: resolved function addresses
    lea esi, [KERNEL32_HASHES_TABLE-geteip+ebx]
    push esi                                      ; input table: hashes of the function names
    push KERNEL32_NUMBER_OF_FUNCTIONS
    push KERNEL32_HASH
    call LookupFunctions

    ; Enable permanent DEP in current process (stdcall, one argument)
    ; The first SetProcessDEPPolicy call fixes the policy for the process; later calls fail
    push PROCESS_DEP_ENABLE
    call [KERNEL32_SETPROCESSDEPPOLICY-geteip+ebx]
    ret

%include "sc-api-functions.asm"

KERNEL32_HASHES_TABLE:
    dd KERNEL32_SETPROCESSDEPPOLICY_HASH

KERNEL32_FUNCTIONS_TABLE:
KERNEL32_SETPROCESSDEPPOLICY dd 0x00000000           ; filled in by LookupFunctions
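The shellcode never contains the string "SetProcessDEPPolicy": LookupFunctions walks the export table of the loaded kernel32 image and compares a hash of every export name with the precomputed constant. The following C program, added here as an illustration and not part of the post or of sc-api-functions.asm, performs that export walk against a constructed in-memory PE32 image. It assumes a ROR13 additive hash, which is not the hash routine the shellcode uses, so its constants do not match 0x06f26f66; the image layout, names and RVAs are made up test data, and export forwarders are ignored.

```c
/* Added example: resolve an export by name hash, as LookupFunctions does,
 * in C against a constructed in-memory PE32 image (no Windows headers).
 * Assumption: ROR13 name hash (not the hash of sc-api-functions.asm). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* PE/COFF layout offsets for a PE32 image */
#define E_LFANEW            0x3c   /* RVA of the PE header, stored in the DOS header */
#define COFF_HEADER_SIZE    24     /* "PE\0\0" signature + IMAGE_FILE_HEADER */
#define OPT_EXPORT_DIR      0x60   /* DataDirectory[0] (exports) inside the PE32 optional header */
/* IMAGE_EXPORT_DIRECTORY field offsets */
#define EXP_BASE            16
#define EXP_NUMBER_OF_FUNCS 20
#define EXP_NUMBER_OF_NAMES 24
#define EXP_ADDR_FUNCTIONS  28
#define EXP_ADDR_NAMES      32
#define EXP_ADDR_ORDINALS   36

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }
static void wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }
static void wr16(uint8_t *p, uint16_t v) { memcpy(p, &v, 2); }

/* ROR13 additive hash over the name including its NUL terminator (assumed algorithm). */
uint32_t api_hash(const char *name)
{
    uint32_t h = 0;
    for (const unsigned char *p = (const unsigned char *)name; ; p++) {
        h = (h >> 13) | (h << 19);
        h += *p;
        if (*p == 0) break;
    }
    return h;
}

/* Walk the export name table of a loaded image (RVA == offset from base) and
 * return the RVA of the export whose name hashes to 'hash', or 0 if none does. */
uint32_t resolve_export_rva(const uint8_t *base, uint32_t hash)
{
    uint32_t nt  = rd32(base + E_LFANEW);
    uint32_t exp = rd32(base + nt + COFF_HEADER_SIZE + OPT_EXPORT_DIR);
    if (exp == 0) return 0;
    uint32_t n_names = rd32(base + exp + EXP_NUMBER_OF_NAMES);
    uint32_t funcs   = rd32(base + exp + EXP_ADDR_FUNCTIONS);
    uint32_t names   = rd32(base + exp + EXP_ADDR_NAMES);
    uint32_t ords    = rd32(base + exp + EXP_ADDR_ORDINALS);
    for (uint32_t i = 0; i < n_names; i++) {
        const char *name = (const char *)(base + rd32(base + names + 4 * i));
        if (api_hash(name) == hash) {
            uint16_t ordinal = rd16(base + ords + 2 * i);  /* unbiased index into AddressOfFunctions */
            return rd32(base + funcs + 4 * ordinal);
        }
    }
    return 0;
}

/* Constructed test data: a minimal PE32 image exporting three names. */
#define IMAGE_SIZE 0x400
void build_fake_kernel32(uint8_t *img)
{
    static const char *names[]       = { "GetProcessDEPPolicy", "SetProcessDEPPolicy", "VirtualProtect" };
    static const uint16_t ordinals[] = { 1, 0, 2 };                  /* name order differs from function order */
    static const uint32_t func_rvas[] = { 0x1000, 0x1100, 0x1200 };  /* [0]=Set..., [1]=Get..., [2]=VirtualProtect */
    memset(img, 0, IMAGE_SIZE);
    memcpy(img, "MZ", 2);
    wr32(img + E_LFANEW, 0x80);
    memcpy(img + 0x80, "PE\0\0", 4);
    wr32(img + 0x80 + COFF_HEADER_SIZE + OPT_EXPORT_DIR, 0x200);  /* export directory RVA */
    wr32(img + 0x200 + EXP_BASE, 1);
    wr32(img + 0x200 + EXP_NUMBER_OF_FUNCS, 3);
    wr32(img + 0x200 + EXP_NUMBER_OF_NAMES, 3);
    wr32(img + 0x200 + EXP_ADDR_FUNCTIONS, 0x240);
    wr32(img + 0x200 + EXP_ADDR_NAMES, 0x250);
    wr32(img + 0x200 + EXP_ADDR_ORDINALS, 0x260);
    uint32_t str = 0x280;
    for (int i = 0; i < 3; i++) {
        wr32(img + 0x240 + 4 * i, func_rvas[i]);
        wr32(img + 0x250 + 4 * i, str);
        wr16(img + 0x260 + 2 * i, ordinals[i]);
        strcpy((char *)img + str, names[i]);
        str += (uint32_t)strlen(names[i]) + 1;
    }
}

/* Build the fake image and resolve one name by hash (0 when not exported). */
uint32_t lookup_in_fake_kernel32(const char *name)
{
    uint8_t img[IMAGE_SIZE];
    build_fake_kernel32(img);
    return resolve_export_rva(img, api_hash(name));
}

int main(void)
{
    printf("SetProcessDEPPolicy -> RVA 0x%x\n", lookup_in_fake_kernel32("SetProcessDEPPolicy"));
    printf("GetProcessDEPPolicy -> RVA 0x%x\n", lookup_in_fake_kernel32("GetProcessDEPPolicy"));
    printf("NoSuchFunction      -> RVA 0x%x\n", lookup_in_fake_kernel32("NoSuchFunction"));
    return 0;
}
```

In the real shellcode the module base comes from the loader data in the PEB rather than from a buffer, and the name hashes are computed ahead of time so that only the 32-bit constants appear in the code; the walk itself (names table, ordinal table, function table) is the same. Note that the ordinal table holds unbiased indices, so the export directory's Base value must not be subtracted again.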
[…] further as usual and wrote some shellcode implementing this functionality. Go Didier! Check it out here. […]
Pingback by Brundle Lab » Trojanizing an application… for good — Monday 12 September 2011 @ 12:51