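//http://waleedassar.blogspot.com
//http://www.twitter.com/waleedassar
//Reversed code of the kernel32 "BaseCreateStack" function. For educational purposes only.
//
// Pseudo-C reconstruction: PEB and the ReadOnlyStaticServerData->pData chain are
// the listing's shorthand and are not declared here.
//
// Reserves a stack region in hProcess, commits the top CommitSize bytes plus one
// extra page, and marks the lowest committed page PAGE_GUARD.
//
// hProcess     process that receives the stack
// CommitSize   bytes to commit; 0 selects SizeOfStackCommit from the image header
// ReserveSize  bytes to reserve; 0 selects SizeOfStackReserve from the image header
// pOut         output structure; the code that fills it is omitted from this listing
//
// Returns 0 on success, 0xC000007B when the image has no NT headers, otherwise the
// negative status returned by the failing Zw* call.
int __stdcall BaseCreateStack(HANDLE hProcess,unsigned long CommitSize,unsigned long ReserveSize,void* pOut )
{
    unsigned long Page_Size=PEB->ReadOnlyStaticServerData->pData->PageSize;
    IMAGE_NT_HEADERS* pNT=RtlImageNtHeader(PEB->ImageBaseAddress);
    if(!pNT) return 0xC000007B; //STATUS_INVALID_IMAGE_FORMAT (Win32: ERROR_BAD_EXE_FORMAT)

    // OptionalHeader is an embedded struct in IMAGE_NT_HEADERS, so it is accessed with '.'.
    unsigned long loc_CommitSize=pNT->OptionalHeader.SizeOfStackCommit;
    if(ReserveSize==0) ReserveSize=pNT->OptionalHeader.SizeOfStackReserve;
    if(CommitSize==0) CommitSize=loc_CommitSize;
    else
    {
        // A caller-supplied commit that does not fit in the reservation grows the
        // reservation to the next 1 MB multiple at or above the commit size.
        if(CommitSize>=ReserveSize)
            ReserveSize=(CommitSize+0xFFFFF)&0xFFF00000;
    }

    //Enforce Alignment
    // NOTE(review): every round-up below is an unsigned add that wraps for sizes
    // close to the 32-bit limit; the listing does not show whether the original
    // guards against that - confirm against the binary.
    CommitSize+=(Page_Size-1);
    CommitSize&=~(Page_Size-1);
    unsigned long alloc_granularity=PEB->ReadOnlyStaticServerData->pData->Granularity;
    ReserveSize+=(alloc_granularity-1);
    // The mask has to be ~(granularity-1); ~granularity would clear a single bit
    // and leave the size unaligned.
    ReserveSize&=~(alloc_granularity-1);

    if(PEB->MinimumStackCommit)
    {
        if(CommitSize<(PEB->MinimumStackCommit))
        {
            CommitSize=PEB->MinimumStackCommit;
        }
    }
    //Here goes some more sanitization checks
    // NOTE(review): with those checks omitted, nothing visible here keeps
    // CommitSize+Page_Size within ReserveSize after the MinimumStackCommit bump.

    // Reserve the whole region; the call writes the chosen base back into
    // StackStartAddress and the actual size back into ReserveSize.
    unsigned long StackStartAddress=0;
    int ret=ZwAllocateVirtualMemory(hProcess,&StackStartAddress,
                                    0,&ReserveSize,MEM_RESERVE,PAGE_READWRITE);
    if(ret<0) return ret;
    //Here goes some code that Writes to output structure

    // Move to the start of the committed part at the top of the reservation.
    StackStartAddress+=(ReserveSize-CommitSize);
    StackStartAddress-=Page_Size; //Space for the PAGE_GUARD page
    CommitSize+=Page_Size;
    ret=ZwAllocateVirtualMemory(hProcess,&StackStartAddress,
                                0,&CommitSize,MEM_COMMIT,PAGE_READWRITE);
    // NOTE(review): as listed, a failure from here on returns with the reservation
    // still held in hProcess; check whether the original releases it.
    if(ret<0) return ret;

    // Turn the lowest committed page into the guard page. Page_Size is passed by
    // address because the call takes the region size as an in/out value.
    unsigned long old_prot;
    ret=ZwProtectVirtualMemory(hProcess,&StackStartAddress,
                               &Page_Size,PAGE_READWRITE|PAGE_GUARD,&old_prot);
    if(ret<0) return ret;
    return 0;
}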