This is absolutely beautiful stuff that very few people will understand. I’m just putting it out here so that those who know can look at it and go “ah!”. This assembler code calls TerminateProcess by using the sysenter instruction directly, rather than going through the ntdll stub. The first line of code executes a new process and stores its process handle in the variable called Handle.
Note that this code will only work on Windows XP, since Win2K uses int 2e instead of sysenter to call the kernel. (It also won’t work on Vista, as the system call number is different there; see this metasploit page for a table of the different system call numbers.)
    Handle := ExecNewProcess;
    asm
      push 0                  // Exit code for the process we're terminating
      push Handle             // Handle of the process we're terminating
      push offset @@done      // Return address (not used)
      push offset @@done      // Return address
      mov eax, $101           // We want system function 0x101 = TerminateProcess
      mov edx, esp            // Save esp in edx so that syscall knows where our function parameters are
      mov ecx, offset @@done  // Save the address to return to in ecx
      sysenter                // Call the kernel!
    @@done:
      add esp, $0C            // Restore stack pointer
    end;
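Because a stub like this never touches ntdll, it is invisible to API hooks; the thing a defender can still look for is the byte pattern itself, a `mov eax, imm32` (B8 xx xx xx xx) followed closely by `sysenter` (0F 34). The scanner below is an added example, not code from the original post; it assumes 32-bit x86 code and uses a constructed byte encoding of the stub above with placeholder addresses for the push operands.

```python
import struct

SYSENTER = b"\x0f\x34"      # opcode of the sysenter instruction
MOV_EAX_IMM32 = 0xB8        # opcode of 'mov eax, imm32'
WINDOW = 32                 # how far back (bytes) we look for the mov eax

# Constructed sample: the stub from the post, with the Handle address and
# the @@done offsets replaced by 00000000 placeholders.
SAMPLE = bytes.fromhex(
    "6a00"            # push 0
    "ff3500000000"    # push dword ptr [Handle]   (placeholder address)
    "6800000000"      # push offset @@done        (placeholder)
    "6800000000"      # push offset @@done        (placeholder)
    "b801010000"      # mov eax, 0x101
    "8bd4"            # mov edx, esp
    "b900000000"      # mov ecx, offset @@done    (placeholder)
    "0f34"            # sysenter
    "83c40c"          # add esp, 0x0C
)


def find_sysenter_stubs(code: bytes, window: int = WINDOW):
    """Return [(sysenter_offset, syscall_number)] for every sysenter in
    `code`.  syscall_number is the imm32 of the nearest preceding
    'mov eax, imm32' inside `window` bytes, or None if there is none
    (eax may have been loaded some other way).  This is a byte-pattern
    heuristic, not a disassembler: a stray B8 inside another instruction's
    operand can produce a wrong number, so treat hits as leads."""
    hits = []
    pos = code.find(SYSENTER)
    while pos != -1:
        start = max(0, pos - window)
        number = None
        # Walk backwards so the mov eax closest to the sysenter wins;
        # i <= pos - 5 guarantees the 4 immediate bytes lie before sysenter.
        for i in range(pos - 5, start - 1, -1):
            if code[i] == MOV_EAX_IMM32:
                number = struct.unpack_from("<I", code, i + 1)[0]
                break
        hits.append((pos, number))
        pos = code.find(SYSENTER, pos + 2)
    return hits


if __name__ == "__main__":
    for off, num in find_sysenter_stubs(SAMPLE):
        print(f"sysenter at +{off:#x}, eax = {num:#x}" if num is not None
              else f"sysenter at +{off:#x}, eax unknown")
```

On the sample this reports the sysenter at offset 0x1e with eax = 0x101, the XP number for TerminateProcess quoted in the post; the number-to-name mapping is per-Windows-version, as noted above.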