.data
; Process-wide slot for the hash of the Nt* function being invoked.
; Every stub in .code writes its own constant here immediately before
; `call WhisperMain`, and WhisperMain reads it back as a 32-bit value
; (`mov ecx, currentHash`). Declared DWORD to match that 32-bit load.
; NOTE(review): this is a single global, not thread-local — concurrent
; callers on different threads can overwrite each other's hash before it
; is read; nothing on this page serialises access to it.
currentHash DWORD 0
.code
; Resolver defined outside this file (not visible on this page).
; WhisperMain calls it with the hash in ecx (first integer argument under
; the Microsoft x64 ABI) and uses the value it returns in eax directly as
; the syscall number.
EXTERN SW2_GetSyscallNumber: PROC
WhisperMain PROC
        ;---------------------------------------------------------------
        ; Common tail shared by every Nt* stub in this file.
        ; ABI:   Microsoft x64. Entered via `call WhisperMain` from a stub
        ;        that has just stored its hash in currentHash; the stub's
        ;        caller's arguments (rcx, rdx, r8, r9, stack) are still in
        ;        place and are passed through to the syscall unchanged.
        ; In:    currentHash = hash of the Nt* function to invoke
        ;        rcx, rdx, r8, r9 = the stub caller's first four arguments
        ; Out:   rax = syscall result. Control returns to the stub's
        ;        CALLER, not to the stub (see the pop below).
        ; Clobb: rax, r10, r11 (syscall) and whatever SW2_GetSyscallNumber
        ;        clobbers; rcx/rdx/r8/r9 are saved and restored around it.
        ; NOTE(review): currentHash is one process-wide global, so threads
        ;        entering different stubs concurrently can race on it.
        ; NOTE(review): eax from SW2_GetSyscallNumber is issued as the
        ;        syscall number without any check; a failure value from
        ;        the resolver (if it signals one) would be used as-is.
        ;---------------------------------------------------------------
        pop     rax                     ; Discard the return address pushed by the stub's call.
                                        ; rsp now points at the stub caller's own return address,
                                        ; so the final ret goes straight back to that caller.
        mov     [rsp+ 8], rcx           ; Save registers. The four register arguments go into the
        mov     [rsp+16], rdx           ; 32-byte shadow space the stub's caller reserved, because
        mov     [rsp+24], r8            ; the call below may clobber these volatile registers.
        mov     [rsp+32], r9
        sub     rsp, 28h                ; 32 bytes shadow space for the callee + 8 so rsp is
                                        ; 16-aligned at the call (rsp was 8 mod 16 after the pop).
        mov     ecx, currentHash        ; Single argument: the hash the stub just wrote.
        call    SW2_GetSyscallNumber    ; eax = syscall number (result is not validated here).
        add     rsp, 28h                ; rsp is back at the stub caller's return address; stack
                                        ; arguments (5th onward) above it were never touched.
        mov     rcx, [rsp+ 8]           ; Restore registers.
        mov     rdx, [rsp+16]
        mov     r8, [rsp+24]
        mov     r9, [rsp+32]
        mov     r10, rcx                ; syscall overwrites rcx with the return RIP, so the
                                        ; first argument is carried in r10.
        syscall                         ; Issue syscall
        ret                             ; Returns to the stub's caller (see the pop above).
WhisperMain ENDP
NtGetNextProcess PROC
        ; Stub for NtGetNextProcess: publish this function's hash, then hand
        ; off to WhisperMain. Arguments (rcx, rdx, r8, r9, stack) are left
        ; untouched. WhisperMain pops the return address this call pushes, so
        ; execution never resumes here; WhisperMain's ret goes to our caller.
        mov     currentHash, 0CD50C4CCh ; Load function hash into global variable.
        call    WhisperMain             ; Resolve function hash into syscall number and make the call
NtGetNextProcess ENDP
NtQueryInformationProcess PROC
        ; Stub for NtQueryInformationProcess: publish this function's hash,
        ; then hand off to WhisperMain. Arguments (rcx, rdx, r8, r9, stack)
        ; are left untouched. WhisperMain pops the return address this call
        ; pushes, so execution never resumes here; its ret goes to our caller.
        mov     currentHash, 055A17810h ; Load function hash into global variable.
        call    WhisperMain             ; Resolve function hash into syscall number and make the call
NtQueryInformationProcess ENDP
NtClose PROC
        ; Stub for NtClose: publish this function's hash, then hand off to
        ; WhisperMain. Arguments (rcx, rdx, r8, r9, stack) are left untouched.
        ; WhisperMain pops the return address this call pushes, so execution
        ; never resumes here; WhisperMain's ret goes to our caller.
        mov     currentHash, 054DEA057h ; Load function hash into global variable.
        call    WhisperMain             ; Resolve function hash into syscall number and make the call
NtClose ENDP
NtAllocateVirtualMemory PROC
        ; Stub for NtAllocateVirtualMemory: publish this function's hash,
        ; then hand off to WhisperMain. Arguments (rcx, rdx, r8, r9, stack)
        ; are left untouched. WhisperMain pops the return address this call
        ; pushes, so execution never resumes here; its ret goes to our caller.
        mov     currentHash, 08708BDBBh ; Load function hash into global variable.
        call    WhisperMain             ; Resolve function hash into syscall number and make the call
NtAllocateVirtualMemory ENDP
NtOpenProcess PROC
        ; Stub for NtOpenProcess: publish this function's hash, then hand off
        ; to WhisperMain. Arguments (rcx, rdx, r8, r9, stack) are left
        ; untouched. WhisperMain pops the return address this call pushes, so
        ; execution never resumes here; WhisperMain's ret goes to our caller.
        mov     currentHash, 0FDBCE430h ; Load function hash into global variable.
        call    WhisperMain             ; Resolve function hash into syscall number and make the call
NtOpenProcess ENDP
NtQueryVirtualMemory PROC
        ; Stub for NtQueryVirtualMemory: publish this function's hash, then
        ; hand off to WhisperMain. Arguments (rcx, rdx, r8, r9, stack) are
        ; left untouched. WhisperMain pops the return address this call
        ; pushes, so execution never resumes here; its ret goes to our caller.
        mov     currentHash, 083906983h ; Load function hash into global variable.
        call    WhisperMain             ; Resolve function hash into syscall number and make the call
NtQueryVirtualMemory ENDP
NtReadVirtualMemory PROC
        ; Stub for NtReadVirtualMemory: publish this function's hash, then
        ; hand off to WhisperMain. Arguments (rcx, rdx, r8, r9, stack) are
        ; left untouched. WhisperMain pops the return address this call
        ; pushes, so execution never resumes here; its ret goes to our caller.
        mov     currentHash, 0309A0DDEh ; Load function hash into global variable.
        call    WhisperMain             ; Resolve function hash into syscall number and make the call
NtReadVirtualMemory ENDP
NtCreateFile PROC
        ; Stub for NtCreateFile: publish this function's hash, then hand off
        ; to WhisperMain. Arguments (rcx, rdx, r8, r9, stack) are left
        ; untouched. WhisperMain pops the return address this call pushes, so
        ; execution never resumes here; WhisperMain's ret goes to our caller.
        mov     currentHash, 086A15898h ; Load function hash into global variable.
        call    WhisperMain             ; Resolve function hash into syscall number and make the call
NtCreateFile ENDP
NtWriteFile PROC
        ; Stub for NtWriteFile: publish this function's hash, then hand off
        ; to WhisperMain. Arguments (rcx, rdx, r8, r9, stack) are left
        ; untouched. WhisperMain pops the return address this call pushes, so
        ; execution never resumes here; WhisperMain's ret goes to our caller.
        mov     currentHash, 0B224DCF0h ; Load function hash into global variable.
        call    WhisperMain             ; Resolve function hash into syscall number and make the call
NtWriteFile ENDP
end                                     ; End of module.