tls_aoiOSDET.asm
; TLS PE where AddressOfIndex is used to patch an import descriptor, turning it into a terminator
; the different behaviors of each OS will alter how imports are loaded
; Ange Albertini, BSD LICENCE 2011-2013
; consts.inc and headers.inc are project includes that are not part of this
; listing; presumably they provide the constants (IMAGEBASE, FILEALIGN), the
; helper macros (_, _c, _d, _import_descriptor) and the PE headers that precede
; the data directories -- TODO confirm against the includes.
%include 'consts.inc'
%include 'headers.inc'
; Data directories: only the import table and the TLS directory are set here.
; Both values are written as RVAs (label - IMAGEBASE).
istruc IMAGE_DATA_DIRECTORY_16
at IMAGE_DATA_DIRECTORY_16.ImportsVA, dd Import_Descriptor - IMAGEBASE
at IMAGE_DATA_DIRECTORY_16.TLSVA, dd Image_Tls_Directory32 - IMAGEBASE
iend
; NOTE(review): section_1fa.inc is not shown; presumably it opens the section
; that contains all code and data below -- confirm.
%include 'section_1fa.inc'
;-----------------------------------------------------------------------
; EntryPoint: reports which loader behaviour was observed at load time.
;
; Reads the MessageBoxA slot of the user32 IAT. On disk that slot holds
; hnMessageBoxA - IMAGEBASE (see __imp__MessageBoxA). If the slot still
; holds that value, the loader did not overwrite it, i.e. the user32
; descriptor was not processed, and the "W7" message is selected;
; otherwise the "XP" message is selected.
; The chosen string is passed to printf, then ExitProcess(0) is called.
;
; `_` is a macro from an include that is not shown here.
;-----------------------------------------------------------------------
EntryPoint:
; eax = current content of the MessageBoxA import slot
mov eax, [__imp__MessageBoxA]
; equal to the on-disk RVA => slot was never resolved
cmp eax, hnMessageBoxA - IMAGEBASE
jz W7
_
push MsgXP
jmp end_
_
W7:
push MsgW7
end_:
call [__imp__printf]
; remove the single dword argument pushed for printf
add esp, 1 * 4
_
; exit code 0
push 0
call [__imp__ExitProcess]
; tls: address stored as the only entry of the CallBacks list.
; NOTE(review): no instruction follows this label in the listing; whatever
; `_c` (a macro from an include not shown) expands to is what sits at this
; address -- confirm how the callback is expected to behave when invoked.
tls:
_c
; Strings handed to printf by EntryPoint, one per detected outcome.
; Each ends with 0ah (line feed) and a NUL terminator.
MsgW7 db " * TLS AoI => W7", 0ah, 0
MsgXP db " * TLS AoI => XP", 0ah, 0
; `_d` is a macro from an include not shown (presumably data padding/alignment).
_d
; Import directory, in this order: kernel32, msvcrt, user32, then a descriptor
; with every field left at its default (the regular end-of-list marker).
;
; The user32 descriptor is written out by hand instead of through the
; _import_descriptor macro so that the label AddressOfIndex can be placed on
; its Name1 field. Image_Tls_Directory32 points its AddressOfIndex field at
; that label, so the value the loader stores there lands on top of the
; DLL-name RVA. Per the file header this turns the user32 descriptor into a
; terminator; whether user32 gets imported then depends on whether the loader
; performs that store before or after it walks the import list.
;
; Review note: static tools that list imports from the file on disk see three
; DLLs here, which can differ from what the loader actually binds. A TLS
; AddressOfIndex that falls inside the import directory is an anomaly worth
; flagging when triaging PE files.
Import_Descriptor:
_import_descriptor kernel32.dll
_import_descriptor msvcrt.dll
;user32.dll_DESCRIPTOR:
istruc IMAGE_IMPORT_DESCRIPTOR
at IMAGE_IMPORT_DESCRIPTOR.OriginalFirstThunk, dd user32.dll_hintnames - IMAGEBASE
at IMAGE_IMPORT_DESCRIPTOR.Name1
; this dword is both the descriptor's Name1 field and the TLS index slot
AddressOfIndex:
dd user32.dll - IMAGEBASE
at IMAGE_IMPORT_DESCRIPTOR.FirstThunk , dd user32.dll_iat - IMAGEBASE
iend
; empty descriptor: no field is set, so it closes the list
istruc IMAGE_IMPORT_DESCRIPTOR
iend
_d
; Per-DLL lookup tables: each holds one RVA to a hint/name entry followed by
; a zero dword that ends the table.
; user32.dll_hintnames is referenced by the hand-written descriptor's
; OriginalFirstThunk; the kernel32 and msvcrt tables are presumably referenced
; by the _import_descriptor macro through the <dll>_hintnames naming -- confirm
; in the include that defines it.
kernel32.dll_hintnames:
dd hnExitProcess - IMAGEBASE
dd 0
user32.dll_hintnames:
dd hnMessageBoxA - IMAGEBASE
dd 0
msvcrt.dll_hintnames:
dd hnprintf - IMAGEBASE
dd 0
_d
; Hint/name entries, one per imported function:
; a 16-bit hint (0 here) followed by the NUL-terminated function name.
hnExitProcess:
dw 0
db 'ExitProcess', 0
hnMessageBoxA:
dw 0
db 'MessageBoxA', 0
hnprintf:
dw 0
db 'printf', 0
_d
; Import address tables. On disk each slot holds the same hint/name RVA as the
; matching lookup table; a slot that the loader resolves is overwritten with
; the function's address. The code calls through the __imp__* labels.
; EntryPoint compares __imp__MessageBoxA against hnMessageBoxA - IMAGEBASE,
; i.e. against this on-disk value, to tell whether user32 was bound.
kernel32.dll_iat:
__imp__ExitProcess:
dd hnExitProcess - IMAGEBASE
dd 0
user32.dll_iat:
__imp__MessageBoxA:
dd hnMessageBoxA - IMAGEBASE
dd 0
msvcrt.dll_iat:
__imp__printf:
dd hnprintf - IMAGEBASE
dd 0
_d
; NUL-terminated DLL names. user32.dll is the one whose RVA is stored at the
; AddressOfIndex label inside the hand-written import descriptor.
kernel32.dll db 'kernel32.dll', 0
user32.dll db 'user32.dll', 0
msvcrt.dll db 'msvcrt.dll', 0
_d
; TLS directory. Only two fields are set; the rest keep their defaults.
; Unlike the RVAs used elsewhere in this file, both values are written without
; subtracting IMAGEBASE, i.e. as virtual addresses.
; AddressOfIndex is the location the loader writes the TLS index to; here it
; is the label placed on the user32 import descriptor's Name1 field.
; NOTE(review): the stored index is presumably 0 for this image, which is what
; makes the descriptor read as a terminator -- confirm.
Image_Tls_Directory32:
istruc IMAGE_TLS_DIRECTORY32
at IMAGE_TLS_DIRECTORY32.AddressOfIndex, dd AddressOfIndex
at IMAGE_TLS_DIRECTORY32.AddressOfCallBacks, dd CallBacks
iend
_d
; TLS callback list: a single entry (address of the tls label, not an RVA),
; closed by a zero dword.
CallBacks:
dd tls
dd 0
_d
; pad with zero bytes up to the next FILEALIGN boundary
align FILEALIGN, db 0