Windows MASM / Domain Member
| Author | __Thanat0s__ |
| Platform | Windows |
| Language | MASM |
| Technique | Domain Member |
Code
; #########################################
; Compare the variable Computername & Logonserver
; if they are the same ( except the // ) you are
; not logged to a domain controller
_isdomain:
push ebp
mov ebp,esp
push ebx
jmp runit
len_computername dd 13
;str_computername db "COMPUTERNAME="
;str_computername db 78,66,64,93,88,89,72,95,67,76,64,72,48
len_logonserver dd 14
;str_logonserver db "LOGONSERVER=\\"
;str_logonserver db 66,65,73,65,64,93,75,92,88,75,92,51,82,82
runit:
call _getenvnoapi ; Retrieve location of env and size
push eax
push ecx
; Get computername
invokel _findstr, eax, ecx, str_computername + 1, dword [len_computername]
mov esi,eax
pop ecx
pop eax
push esi
; Get LogonSvr
invokel _findstr, eax, ecx, str_logonserver + 1, dword [len_logonserver]
; validate the loggon server..
pop esi
mov edi, eax
mov eax,0
test edi,edi ; On linux (vine) .. no computername, avoid crash
jz _nodomain
mov eax,edi
call _strlenw
mov ecx,eax
rep cmpsb
mov eax,0
CMP ecx,0
jz _nodomain ; if the computer is equal to the domain then .. no domain
inc eax ; Eax = 1 ... domain logged
_nodomain:
pop ebx
mov esp,ebp
pop ebp
ret
; #########################################
_getenvnoapi:
; Retrieve the memory offset of the environnement variables apiless.
; Out: Eax offset buffer
; Out: Ecx len buffer
mov eax, [fs:0x30] ; Get PEB
mov eax, [eax + 0x10] ; Get ProcessParameters
mov esi, [eax + 0x48] ; Get Environment
mov edx,esi
.scan_end:
lodsd ; Scan for next 0x0 X 4
cmp eax,0
jne .scan_end
sub esi, edx
mov ecx,esi
mov eax,edx
ret
; #########################################
_findstr:
; Find a string
; Return 0 in eax if not found
; In stack [ebp+0x08] : Offset Buffer
; In stack [ebp+0x0c] : Size Buffer
; In stack [ebp+0x10] : Offset Pattern
; In stack [ebp+0x14] : Size Pattern
; Out eax : Offset of string END
; Warning max 256 bytes... NO CHECK !
push ebp
mov ebp,esp
sub esp, 512
mov esi, dword [ebp + 0x10] ; Convert Ascii to Unicode
lea edi, [ebp- 512] ; Env is in unicode in memory
mov dword [ebp + 0x10], edi
mov ecx, [ebp+0x14]
mov edx,ecx
strtouni:
lodsb
xor al, [xor_key]
stosb
xor eax,eax
stosb
loop strtouni
shl dword [ebp+0x14], 1 ; Update size * 2
mov edx,dword [ebp+0x0c] ; Len of Buffer to Seek
sub edx,dword [ebp+0x14] ; Len of string to Seek
std
iter:
mov esi, [ebp+0x08] ; Buffer to Seek
add esi, edx ; Got to end - N
mov edi, [ebp+0x10] ; Buffer to pattern
mov ecx, dword [ebp+0x14] ; Size to compare
dec ecx
add esi, ecx ; Got to buffer + Size
add edi, ecx ; Got to pattern + Size
inc ecx
repe cmpsb ; compare string...
jcxz found ; If compare the same number we wins
sub edx,2
; N = N - 1 ( x2 Since unicode )
; could be optimised for unicode... but....
jnz iter ; Until N = 0
mov eax,0
jmp findstr_end
found:
add esi,1 ; Pad x2 unicode...
add esi, dword [ebp+0x14] ; Go to "after" the found string
mov eax,esi
findstr_end:
cld
mov esp,ebp
pop ebp
retn 16
; #########################################
; Get string len wide
; eax, string, return eax, len
_strlenw: ; eax: a string ending in 0
push ebx
push eax ; cache eax
.strloopw:
mov bx, word [eax]
cmp bx, 0
je .strretw ; return len if bl == 0
inc eax ; inc eax ; else eax++
jmp .strloopw
.strretw:
pop ebx ; ebx = cached eax
sub eax, ebx ; eax -= ebx
pop ebx
inc eax
ret ; eax = len
_getenvnoapi:
; Out: Eax offset buffer
; Out: Ecx len buffer
mov eax, [fs:0x30] ; Get PEB
mov eax, [eax + 0x10] ; Get ProcessParameters
mov esi, [eax + 0x48] ; Get Environment
mov edx,esi
.scan_end:
lodsd ; Scan for next 0x0 X 4
cmp eax,0
jne .scan_end
sub esi, edx
mov ecx,esi
mov eax,edx
retCreated
January 30, 2023
Last Revised
April 22, 2024