/// <summary>
/// Returns the byte sequence for the exit stub that resolves and calls
/// <c>ExitProcess</c> or <c>ExitThread</c>.
/// </summary>
/// <param name="method">Which exit routine the stub should call.</param>
/// <param name="platform">Target platform; only <c>EPlatform.Windows</c> is handled.</param>
/// <param name="arq">Target architecture; only <c>EArquitecture.x86</c> is handled.</param>
/// <returns>
/// The encoded name followed by a fixed seven-byte tail, or <c>null</c> for any
/// unsupported platform, architecture or exit method. Callers must check for null.
/// </returns>
/// <remarks>
/// Per the assembly listing kept below, the stub relies on register state prepared
/// by code outside this method: ebx is passed as the module argument, esi is called
/// as GetProcAddress and edi is pushed as the NULL argument. Nothing here checks that.
/// The seven-byte tail is identical for both exit methods, so it is a stable
/// byte pattern when writing or reviewing signatures for this generator.
/// </remarks>
public static byte[] GetExitMethod(EExitFunc method, EPlatform platform, EArquitecture arq)
{
    // Guard: anything other than Windows/x86 is not implemented.
    if (platform != EPlatform.Windows || arq != EArquitecture.x86)
    {
        return(null);
    }

    string exportName;
    if (method == EExitFunc.Process)
    {
        exportName = "ExitProcess";
    }
    else if (method == EExitFunc.Thread)
    {
        exportName = "ExitThread";
    }
    else
    {
        return(null);
    }

    /*
     * Reference listing from the original author (shown for "ExitProcess";
     * the string pushes differ for "ExitThread"):
     *
     * ;; eax = GetProcAddress(ebx, "ExitProcess")
     * push edi
     * push 01737365h
     * dec byte ptr [esp + 3h]
     * push 'corP'
     * push 'tixE'
     * push esp
     * push ebx
     * call esi
     */
    // Presumably emits the pushes that place the name on the stack; confirm against AsmHelper.
    // Earlier hard-coded form, kept for reference: 0x68,0x50,0x72,0x6f,0x63,0x68,0x45,0x78, 0x69,0x74,
    byte[] namePart = AsmHelper.StringToAsmX86(exportName);

    /*
     * Fixed tail. The first four bytes finish the GetProcAddress call from the
     * listing above; the last three are the exit call itself:
     *
     * push esp        ; 0x54
     * push ebx        ; 0x53
     * call esi        ; 0xff 0xd6
     * ;; ExitProcess(NULL);
     * push edi        ; 0x57
     * call eax        ; 0xff 0xd0
     */
    byte[] callPart = new byte[]
    {
        0x54, 0x53, 0xff, 0xd6,
        0x57, 0xff, 0xd0
    };

    // NOTE(review): Concat must yield byte[] here, so this is presumably a project
    // extension rather than LINQ's Enumerable.Concat - confirm.
    return(namePart.Concat(callPart));
}
/// <summary>
/// Produces the exit stub bytes for the requested exit routine
/// (<c>ExitProcess</c> or <c>ExitThread</c>) on Windows x86.
/// </summary>
/// <param name="method">Exit routine to resolve and call.</param>
/// <param name="platform">Target platform; anything but <c>EPlatform.Windows</c> yields null.</param>
/// <param name="arq">Target architecture; anything but <c>EArquitecture.x86</c> yields null.</param>
/// <returns>
/// Encoded routine name followed by a constant seven-byte call sequence, or
/// <c>null</c> when the combination is not supported. Callers must handle null.
/// </returns>
/// <remarks>
/// The author's listing implies register preconditions set up elsewhere: ebx as the
/// module argument, esi as the GetProcAddress pointer, edi as the NULL argument.
/// This method does not verify them. The call sequence does not vary with
/// <paramref name="method"/>, which makes it a stable pattern for detection rules.
/// </remarks>
public static byte[] GetExitMethod(EExitFunc method, EPlatform platform, EArquitecture arq)
{
    bool isSupportedTarget = platform == EPlatform.Windows && arq == EArquitecture.x86;
    if (!isSupportedTarget)
    {
        return null;
    }

    // Map the enum to the export name; unknown values fall through to null.
    string routine = method == EExitFunc.Process ? "ExitProcess"
                   : method == EExitFunc.Thread ? "ExitThread"
                   : null;
    if (routine == null)
    {
        return null;
    }

    /*
       Author's reference listing, written for "ExitProcess" (the pushed string
       differs for "ExitThread"):

       ;; eax = GetProcAddress(ebx, "ExitProcess")
       push edi
       push 01737365h
       dec byte ptr [esp + 3h]
       push 'corP'
       push 'tixE'
       push esp
       push ebx
       call esi
    */
    // Presumably builds the string pushes shown above; verify in AsmHelper.
    // Previous hard-coded bytes, kept for reference: 0x68,0x50,0x72,0x6f,0x63,0x68,0x45,0x78, 0x69,0x74,
    byte[] encodedName = AsmHelper.StringToAsmX86(routine);

    /*
       Constant tail: push esp (0x54), push ebx (0x53), call esi (0xff 0xd6),
       then

       ;; ExitProcess(NULL);
       push edi   (0x57)
       call eax   (0xff 0xd0)
    */
    byte[] resolveAndCall = new byte[] { 0x54, 0x53, 0xff, 0xd6, 0x57, 0xff, 0xd0 };

    // NOTE(review): the return type requires Concat to produce byte[]; presumably a
    // project-defined extension, not Enumerable.Concat - confirm.
    return encodedName.Concat(resolveAndCall);
}