NanoInvoke - The fastest way to call an API
The shellcode, roughly 90 bytes long (92 bytes of code stored in twelve 8-byte Currency values), walks the SAFEARRAY of VARIANTs and pushes the API parameters onto the stack. It also scans the process's IAT for the imported MSVBVM60 DllFunctionCall() by matching that function's prologue bytes, then calls it with the library and function names to obtain the API's address. Three caveats worth knowing before using it: the IAT scan starts at the hardcoded address $401000 (default ImageBase plus the RVA of the first section, where a VB6 executable keeps its import thunks), so it breaks if the image is loaded anywhere else; the target must be a stdcall API, because the shellcode relies on the callee to remove the pushed parameters; and the code executes from a data array, so the process must not have DEP enforced (the default OptIn policy on 32-bit Windows only protects system binaries, which is why this works on a plain VB6 EXE).
'USER32
Private Declare Function CallWindowProcW Lib "USER32" (ByRef first_asm As Currency, ByRef params() As Variant, ByVal lib As String, ByVal fnc As String, Optional ByVal null0 As Long = 0) As Long

'---------------------------------------------------------------------------------------
' Author : Karcrack
' Date   : 12092013
' Credits: sonykuccio (http://hackhound.org/forums/topic/2790-vb6asm-%C2%B5callapi/)
'---------------------------------------------------------------------------------------
' CallWindowProcW is used as a call gate: first_asm points at the Currency array holding
' the shellcode, which then receives params()/lib/fnc/null0 as the hWnd/Msg/wParam/lParam
' of a window procedure. lib and fnc are declared ByVal String, so the shellcode receives
' ANSI string pointers, which is what DllFunctionCall() expects.
Public Function NanoInvoke(ByRef sLib As String, ByRef sFnc As String, ParamArray params() As Variant) As Long
    Dim asm(11) As Currency                     '12 * 8 = 96 bytes of shellcode (92 used, rest is padding)
    Dim p() As Variant

    If UBound(params) >= 0 Then p = params      'With no parameters p stays unallocated (SAFEARRAY* = 0)

    asm(0) = -881438862054780.1504@: asm(1) = -140193315782017.312@: asm(2) = 93112413858165.2867@: asm(3) = 593189448021741.0902@
    asm(4) = 843045704464075.3748@: asm(5) = -4834317066834.7356@: asm(6) = 260429944098681.7488@: asm(7) = 537140947255014.6699@
    asm(8) = 7683543183094.8624@: asm(9) = 598313605633923.5838@: asm(10) = 202782109093121.0208@: asm(11) = 109.8337@

    NanoInvoke = CallWindowProcW(asm(0), p, sLib, sFnc)
End Function
' ASM Code: pastebin.com/5gnLv7xn

Usage:

Call NanoInvoke("user32", "MessageBoxW", 0, StrPtr("test"), StrPtr("karcrack"), 0)
Call NanoInvoke("kernel32", "ExitProcess", 0)

Each parameter is pushed as the 4 bytes found at offset 8 of its VARIANT, whatever its type, so pass pointers (StrPtr) or 32-bit values; a bare literal 0 is a 16-bit Integer in VB6, so write 0& when you want a guaranteed 32-bit zero. Parameters are pushed right to left, as a stdcall API expects; cdecl functions are not supported because nothing removes their arguments afterwards.

ASM Code:

use32
    pushad
    mov     esi, $401000             ;WARNING: hardcoded default ImageBase ($400000) + RVA of the first section ($1000), where a VB6 EXE keeps its MSVBVM60 import thunks
@@: lodsd                            ;EAX = [ESI]; ESI += 4 (next IAT entry)
    test    eax, eax                 ;Did we reach the end (null terminator)?
    je      .exit
    cmp     DWORD [eax], $83EC8B55   ;push ebp / mov ebp, esp / sub esp, ...
    jne     @B
    cmp     DWORD [eax+4], $8D560CEC ;... 0Ch / push esi / lea ...
    jne     @B                       ;> Opcode matching: is it DllFunctionCall()?
    cdq                              ;EDX = 0 (EAX is a user-mode pointer, so its top bit is clear)
    push    edx                      ;v
    push    edx                      ;v
    push    edx                      ;> 3-DWORD output buffer
    push    esp                      ;Pointer to buffer
    push    $40000                   ;Reserved
    push    DWORD [esp+$40]          ;Fnc (the wParam slot of the CallWindowProcW call)
    push    DWORD [esp+$40]          ;Lib (the Msg slot of the CallWindowProcW call)
    push    esp                      ;APICall structure made in stack
    call    eax                      ;DllFunctionCall(APICall) -> EAX = address of the API
    add     esp, 7*4                 ;Clear stack (DllFunctionCall removed its own argument)
    mov     edx, [esp+$24]           ;&SAFEARRAY (the ByRef params() argument, hWnd slot)
    mov     edx, [edx]               ;SAFEARRAY*
    test    edx, edx
    jz      .call                    ;No parameters
    mov     ecx, [edx+$10]           ;SAFEARRAY.rgsabound[0].cElements
    mov     esi, [edx+$C]            ;SAFEARRAY.pvData
    imul    edi, ecx, $10            ;v  sizeof(VARIANT) * cElements
    add     esi, edi                 ;> one past the last VARIANT
@@: sub     esi, $10                 ;ESI = previous VARIANT (pushed right to left, stdcall order)
    mov     ebx, [esi+$8]            ;EBX = VARIANT.lVal (32-bit payload at offset 8)
    push    ebx
    loopne  @B                       ;Repeat cElements times (ZF is never set here, so this is a plain loop)
.call:
    call    eax                      ;Call the API; the stdcall callee removes the pushed parameters
.exit:
    mov     [esp+$1C], eax           ;Save return into the EAX slot saved by pushad, so popad returns it
    popad
    ret     4*4                      ;Remove the 4 arguments CallWindowProcW passed us
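As an added example (not part of Karcrack's NanoInvoke), the following Python script shows how the Currency array works as a shellcode container and gives you a way to regenerate the constants after reassembling: a VB6 Currency is a signed 64-bit integer scaled by 1/10000, stored little-endian, so each asm(n) literal is just eight bytes of machine code. The script decodes the twelve cells back into the blob, checks the markers visible in the ASM listing (pushad, the $401000 scan address, the two DllFunctionCall prologue DWORDs, popad / ret 10h), and re-encodes the array after patching the hardcoded scan address. The asm(10) cell it embeds encodes mov [esp+$1C], eax, the EAX slot that popad restores; the rebase target $10001000 is only an illustrative value.

```python
# Added example (not Karcrack's code): tooling around the Currency-array
# container NanoInvoke uses for its shellcode. VB6 Currency is a signed
# 64-bit integer scaled by 10^-4, stored little-endian, so every asm(n)
# literal on the page is simply 8 bytes of machine code.
import struct

SCALE = 10_000


def currency_to_bytes(literal: str) -> bytes:
    """'-881438862054780.1504@' -> the 8 little-endian bytes it occupies."""
    text = literal.strip().rstrip("@")
    negative = text.startswith("-")
    whole, _, frac = text.lstrip("+-").partition(".")
    raw = int(whole or "0") * SCALE + int((frac + "0000")[:4])
    return struct.pack("<q", -raw if negative else raw)


def bytes_to_currency(chunk: bytes) -> str:
    """8 bytes -> the VB6 Currency literal that reproduces them (trailing
    zeros of the fraction dropped, as in the page's listing)."""
    if len(chunk) != 8:
        raise ValueError("a Currency cell is exactly 8 bytes")
    raw = struct.unpack("<q", chunk)[0]
    whole, frac = divmod(abs(raw), SCALE)
    text = f"{whole}.{frac:04d}".rstrip("0").rstrip(".")
    return ("-" if raw < 0 else "") + text + "@"


def decode_shellcode(cells) -> bytes:
    return b"".join(currency_to_bytes(c) for c in cells)


def encode_shellcode(blob: bytes) -> list:
    """Split machine code into Currency cells; the last cell is zero-padded,
    which is harmless because execution stops at 'ret 10h'."""
    blob = blob + b"\0" * (-len(blob) % 8)
    return [bytes_to_currency(blob[i:i + 8]) for i in range(0, len(blob), 8)]


# The twelve cells of NanoInvoke's asm() array. asm(10) here encodes
# 'mov [esp+$1C], eax' (the EAX slot restored by popad).
NANOINVOKE_CELLS = [
    "-881438862054780.1504@", "-140193315782017.312@", "93112413858165.2867@",
    "593189448021741.0902@", "843045704464075.3748@", "-4834317066834.7356@",
    "260429944098681.7488@", "537140947255014.6699@", "7683543183094.8624@",
    "598313605633923.5838@", "202782109093121.0208@", "109.8337@",
]

# Markers taken from the ASM listing.
SIG_DWORDS = (0x83EC8B55, 0x8D560CEC)   # DllFunctionCall prologue compared by the scan loop
TAIL = b"\x61\xC2\x10\x00"              # popad / ret 10h


def check_nanoinvoke_layout(blob: bytes) -> dict:
    """Structural sanity checks on a decoded blob; returns what was found."""
    end = blob.rfind(TAIL)
    ends_ok = end != -1 and blob[end + len(TAIL):].strip(b"\0") == b""
    scan_start = struct.unpack_from("<I", blob, 2)[0] if blob[1:2] == b"\xBE" else None
    return {
        "starts_with_pushad": blob[:1] == b"\x60",
        "scan_start": scan_start,                      # imm32 of 'mov esi, ...'
        "has_prologue_signature": all(struct.pack("<I", d) in blob for d in SIG_DWORDS),
        "ends_with_popad_ret16": ends_ok,
        "code_size": end + len(TAIL) if ends_ok else None,
    }


def rebase_scan_start(cells, new_start: int) -> list:
    """Re-encode the cells with a different IAT scan address (NanoInvoke
    hardcodes ImageBase + first-section RVA). Only the cell holding the
    'mov esi, imm32' immediate changes."""
    blob = bytearray(decode_shellcode(cells))
    if blob[1] != 0xBE:
        raise ValueError("expected 'mov esi, imm32' at offset 1")
    struct.pack_into("<I", blob, 2, new_start)
    return encode_shellcode(bytes(blob))


if __name__ == "__main__":
    code = decode_shellcode(NANOINVOKE_CELLS)
    print(code.hex(" "))
    print(check_nanoinvoke_layout(code))
    # Illustrative rebase target; real value = ImageBase + first section RVA
    for n, cell in enumerate(rebase_scan_start(NANOINVOKE_CELLS, 0x10001000)):
        print(f"asm({n}) = {cell}")
```

The decoded blob can be fed straight into a disassembler to compare against the listing, and encode_shellcode() is what you run on the output of your assembler after changing anything (for instance the scan address or the prologue signature) to get fresh asm(n) lines.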
Code written by Karcrack