metasploit-framework

https://github.com/rapid7/metasploit-framework

Ruby

Metasploit Framework

Rex::Payloads::Win32::Kernel::Stager.sud_syscall_hook

XP SP2/2K3 SP1 ONLY

Returns a kernel-mode stager that transitions from ring 0 (kernel mode) to
ring 3 (user mode) by placing code in an unused portion of SharedUserData
and then pointing the SystemCall attribute at that unused portion.  This
has the effect of causing the custom code to be called every time a
user-mode process tries to make a system call.  The returned payload also
checks that it is running in the context of lsass before actually running
the embedded payload.


Edit

git clone git@github.com:rapid7/metasploit-framework.git

cd metasploit-framework

open lib/rex/payloads/win32/kernel/stager.rb

Contribute

# Make a new branch

git checkout -b -your-name--update-docs-Rex--Payloads--Win32--Kernel--Stager-sud_syscall_hook-for-pr


# Commit to git

git add lib/rex/payloads/win32/kernel/stager.rb

git commit -m "better docs for Rex::Payloads::Win32::Kernel::Stager.sud_syscall_hook"


# Open pull request

gem install hub # on a mac you can `brew install hub`

hub fork

git push <your name> -your-name--update-docs-Rex--Payloads--Win32--Kernel--Stager-sud_syscall_hook-for-pr

hub pull-request


# Celebrate!