// Hook user32!ExitWindowsEx in a target process so that any call to it runs a command through kernel32!WinExec instead
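//-----------------------------------------------------------------------------
// Hook(hProcess)
// Overwrites the first bytes of user32!ExitWindowsEx inside the target process
// with a small position-independent stub that calls
// kernel32!WinExec("RXPE.EXE HELP", uCmdShow) and returns to the caller of
// ExitWindowsEx. The original ExitWindowsEx body is never reached in the target
// any more: the call neither logs off nor shuts down, it returns WinExec's
// result (>31 on success) in EAX.
//
// Requirements / assumptions (only the first is checked here):
//   - hProcess was opened with PROCESS_VM_WRITE | PROCESS_VM_OPERATION
//     (what WriteProcessMemory needs); the writes fail otherwise.
//   - 32-bit x86 injector and target: the stub uses ESP-relative arguments and
//     a 32-bit absolute slot for the WinExec address.
//   - user32.dll and kernel32.dll are mapped at the same base in both
//     processes (addresses are resolved in the injector and reused in the
//     target), and user32.dll is actually loaded in the target.
//   - "RXPE.EXE" is located by WinExec's search rules in the target and runs
//     with the target's token and working directory; nothing validates it.
// Failure is silent (the function stays VOID): a failed first write leaves the
// target untouched; a failed second write leaves the stub with a zeroed slot,
// so the next ExitWindowsEx call in the target would fault on CALL [0].
//-----------------------------------------------------------------------------
VOID Hook(HANDLE hProcess)
{
    // Resolve both entry points through the loader. In inline asm a bare
    // `PUSH ExitWindowsEx` / `LEA EAX, WinExec` names the import thunk or the
    // IAT slot (or, for WinExec, a local label of the same name), none of
    // which is the address the target has to execute.
    FARPROC pfnExitWindowsEx = GetProcAddress(GetModuleHandleA("user32.dll"), "ExitWindowsEx");
    FARPROC pfnWinExec       = GetProcAddress(GetModuleHandleA("kernel32.dll"), "WinExec");

    if (pfnExitWindowsEx == NULL || pfnWinExec == NULL)
        return;

    asm
    {
        // BOOL WINAPI WriteProcessMemory(HANDLE hProcess, PVOID pvBaseAddress, PVOID pvBuffer, DWORD dwSize, PDWORD pdwNumberOfBytesWritten);

        // 1) Copy the stub (Code .. _End) over ExitWindowsEx in the target.
        PUSH NULL
        MOV  EAX, OFFSET _End
        SUB  EAX, OFFSET Code               // EAX = size of the stub in bytes
        PUSH EAX
        PUSH OFFSET Code
        PUSH pfnExitWindowsEx
        PUSH hProcess
        CALL DWORD PTR [WriteProcessMemory]
        TEST EAX, EAX
        JZ   _End                           // nothing written: do not patch a slot that is not there

        // 2) Store the real WinExec address into the 4-byte slot inside the
        //    copied stub (slot offset within the stub = WinExecSlot - Code).
        PUSH NULL
        PUSH 4
        LEA  EAX, pfnWinExec                // pvBuffer = &pfnWinExec, i.e. the 4 address bytes
        PUSH EAX
        MOV  EAX, OFFSET WinExecSlot
        SUB  EAX, OFFSET Code
        ADD  EAX, pfnExitWindowsEx          // pvBaseAddress = ExitWindowsEx + slot offset
        PUSH EAX
        PUSH hProcess
        CALL DWORD PTR [WriteProcessMemory]

        // 3) The written bytes are code: make the target's instruction cache
        //    see them before anything jumps there.
        //    BOOL WINAPI FlushInstructionCache(HANDLE hProcess, LPCVOID lpBaseAddress, SIZE_T dwSize);
        MOV  EAX, OFFSET _End
        SUB  EAX, OFFSET Code
        PUSH EAX
        PUSH pfnExitWindowsEx
        PUSH hProcess
        CALL DWORD PTR [FlushInstructionCache]

        // Skip the payload bytes and let the compiler's own epilogue return, so
        // Hook's actual calling convention and frame teardown are honoured (a
        // hand-written RET 4 is only right for a __stdcall Hook).
        JMP  _End

        // ---- Target stub: runs in the target as ExitWindowsEx(uFlags, dwReason) ----
        // Position-independent: the WinExec slot and the command string are
        // found through CALL/POP, never through absolute addresses.
    Code:
        MOV  EAX, [ESP + 4]                 // EAX = uFlags
        PUSH EAX                            // ends up as WinExec's uCmdShow
        CALL GetSlot                        // pushes &WinExecSlot as the "return address"
    WinExecSlot:
        EMIT 0                              // 4-byte slot, filled by write 2)
        EMIT 0
        EMIT 0
        EMIT 0
    GetSlot:
        POP  EAX                            // EAX = &WinExecSlot
        CALL DoCall                         // pushes &"RXPE.EXE HELP" = WinExec's lpCmdLine
        EMIT 'R'
        EMIT 'X'
        EMIT 'P'
        EMIT 'E'
        EMIT '.'
        EMIT 'E'
        EMIT 'X'
        EMIT 'E'
        EMIT ' '
        EMIT 'H'
        EMIT 'E'
        EMIT 'L'
        EMIT 'P'
        EMIT 0
    DoCall:
        CALL [EAX]                          // WinExec(lpCmdLine, uCmdShow); stdcall, pops its 8 bytes
        RET  8                              // back to ExitWindowsEx's caller, popping uFlags/dwReason
    _End:
    }
}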