title "Function call injection"
; MASM (Microsoft assembler) source for 32-bit x86, despite any NASM tag on the
; page: .486p enables the 486 instruction set including privileged instructions,
; and ks386.inc is the kernel's x86 include — presumably kernel-mode code.
.486p
; keep the (large) include files out of the assembly listing
.xlist
; kernel x86 structure offsets / constants
include ks386.inc
; calling-convention macros; provides cPublicProc / cPublicFpo / stdENDP used below (presumably)
include callconv.inc
.list
; code segment, paragraph (16-byte) aligned, combined with other 'CODE' segments at link time
_TEXT SEGMENT PARA PUBLIC 'CODE'
; flat model for DS/ES; nothing is assumed about SS/FS/GS, so no segment-relative
; addressing through them is generated
ASSUME DS:FLAT, ES:FLAT, SS:NOTHING, FS:NOTHING, GS:NOTHING
page , 132
subttl "Function call injection"
; Hooks implemented elsewhere. The @4 decoration marks them stdcall with one
; dword of arguments (the callee pops it).
; _DwPreFuncCall@4(&slot): called before the copy; returns the byte count in eax
;                         and (as used below) fills the slot with a block pointer
extrn _DwPreFuncCall@4:near
; _PostFuncCall@4(block): called after the embedded call with that block pointer
extrn _PostFuncCall@4:near
;++
;
; SetupFuncCall
;
; Wraps all of the work needed to perform an embedded function call.
;
;--
cPublicProc _SetupFuncCall, 0
cPublicFpo 0,0
;-----------------------------------------------------------------------
; _SetupFuncCall -- trampoline for an embedded ("injected") function call
; ABI:   Microsoft x86, flat model; the two hooks are stdcall (@4)
; In:    eax, ecx, edx, esi, edi = caller state, all preserved
;        [esp] = return address of whoever transferred control here
; Out:   eax = result of the embedded callee, or the original eax when
;              the pre-call hook returned a zero byte count (no copy, no call)
;        control returns to the dword stored just past the copied bytes,
;        NOT to the original [esp] (which is left on the stack untouched)
; Calls: _DwPreFuncCall@4(&slot) -> eax = byte count to copy; the slot is
;              read afterwards, so the hook presumably writes the block pointer
;        _PostFuncCall@4(block)  -> cleanup after the call
; Frame (ebp-relative) once the prologue has run:
;   [ebp+8]   original return address (unused)
;   [ebp+4]   return slot: pushed eax, overwritten with the address `ret` uses
;   [ebp]     saved ebp
;   [ebp-4]   saved eax, later the callee's return value
;   [ebp-8]   saved ecx
;   [ebp-12]  saved edx
;   [ebp-16]  saved esi
;   [ebp-20]  saved edi
;   [ebp-24]  slot: block pointer; the block's first dword is the copy source
;-----------------------------------------------------------------------
        push    eax                     ; return slot ([ebp+4] after the frame is built)
        push    ebp
        mov     ebp, esp
        push    eax                     ; [ebp-4]  saved eax
        push    ecx                     ; [ebp-8]  saved ecx
        push    edx                     ; [ebp-12] saved edx
        push    esi                     ; [ebp-16] saved esi
        push    edi                     ; [ebp-20] saved edi
        sub     esp, 4                  ; [ebp-24] slot for the block pointer

        ; ask the pre-call hook how many bytes to copy; it gets &slot
        lea     eax, [ebp-24]
        push    eax
        call    _DwPreFuncCall@4        ; stdcall: argument popped by the callee
        mov     ecx, eax                ; ecx = byte count (rep movsb length)

        ; carve the copy area out of our own stack. The count is used as-is;
        ; NOTE(review): no size check or stack probe here, so a large count
        ; moves esp below the stack limit -- confirm the hook bounds it.
        sub     esp, eax
        mov     edi, esp                ; edi = destination = top of the reserved area
        mov     edx, [ebp-24]           ; edx = block pointer written by the hook
        mov     esi, [edx]              ; esi = copy source (block's first dword)

        ; the dword immediately after the copied bytes is where `ret` must go;
        ; park it in the return slot. This load happens even for a zero count.
        mov     eax, [esi+ecx]          ; ecx == eax here, so this is source + count
        mov     [ebp+4], eax
        test    ecx, ecx
        jz      SfcCleanup              ; nothing to copy -> nothing to call either

        ; copy the block; its first dword is the address to call, the rest is
        ; what the callee sees on its stack.
        ; NOTE(review): relies on DF being clear on entry (normal ABI state);
        ; with DF set rep movsb would walk backwards -- confirm for the
        ; injection entry path, which need not come through a normal call.
        rep     movsb
        pop     eax                     ; eax = callee address (was at TOS)
        call    eax
        mov     [ebp-4], eax            ; return the callee's result through eax

SfcCleanup:
        push    dword ptr [ebp-24]
        call    _PostFuncCall@4         ; stdcall cleanup hook, takes the block pointer

        ; restore caller state and return via the return slot
        lea     esp, [ebp-20]
        pop     edi
        pop     esi
        pop     edx
        pop     ecx
        pop     eax                     ; callee result, or original eax if no call
        pop     ebp
        ret
stdENDP _SetupFuncCall
_TEXT ends                              ; close the code segment opened above
end                                     ; end of module; no start label, so no entry point