Didier Stevens

Friday 9 September 2011

DEP Enforcing Shellcode

Filed under: My Software — Didier Stevens @ 7:25

I developed shellcode that enforces permanent DEP when it is injected inside a process:

This is for my Brucon workshop. More details to be posted later.

BITS 32

KERNEL32_HASH equ 0x000d4e88
KERNEL32_NUMBER_OF_FUNCTIONS equ 1
KERNEL32_SETPROCESSDEPPOLICY_HASH equ 0x06f26f66

PROCESS_DEP_ENABLE equ 1

segment .text
	call geteip
geteip:
	pop ebx

  ; Setup environment
	lea esi, [KERNEL32_FUNCTIONS_TABLE-geteip+ebx]
	push esi
	lea esi, [KERNEL32_HASHES_TABLE-geteip+ebx]
	push esi
	push KERNEL32_NUMBER_OF_FUNCTIONS
	push KERNEL32_HASH
	call LookupFunctions

	; Enable permanent DEP in current process
	push PROCESS_DEP_ENABLE
	call [KERNEL32_SETPROCESSDEPPOLICY-geteip+ebx]

	ret

%include "sc-api-functions.asm"

KERNEL32_HASHES_TABLE:
	dd KERNEL32_SETPROCESSDEPPOLICY_HASH

KERNEL32_FUNCTIONS_TABLE:
KERNEL32_SETPROCESSDEPPOLICY dd 0x00000000

1 Comment »

  1. [...] further as usual and wrote some shellcode implementing this functionality. Go Didier! Check it out here. Categories: Allgemeines Tags: assembler, DEP, patching, trojan Comments (0) Trackbacks [...]

    Pingback by Brundle Lab » Trojanizing an application… for good — Monday 12 September 2011 @ 12:51


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

The Rubric Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 236 other followers

%d bloggers like this: