This is absolutely beautiful stuff that very few people will understand. I’m just putting it out here so that those who know can look at it and go “ah!”. This assembler code calls TerminateProcess directly with the sysenter instruction. The first line of code executes a new process and stores its process handle in the variable called Handle.
Note that this code will only work on Windows XP: Win2K uses int 2e instead of sysenter to enter the kernel, and it won’t work on Vista either because the system call number is different there (see this metasploit page for a table of the system call numbers on each Windows version).
Handle := ExecNewProcess;
asm
  push 0                 // Second argument: exit code for the process we're terminating
  push Handle            // First argument: handle of the process we're terminating
  push offset @@done     // Return-address slot the kernel skips over (it expects the frame ntdll's stub would leave)
  push offset @@done     // Return address popped by ntdll's "ret" after sysexit, so execution resumes at @@done
  mov eax, $101          // System call number 0x101 = TerminateProcess on XP
  mov edx, esp           // The kernel takes the user stack pointer from edx and reads the arguments at [edx+8]
  mov ecx, offset @@done // Harmless but not consulted: the kernel reloads ecx and edx itself before sysexit
  sysenter               // Call the kernel!
@@done:
  add esp, $0C           // Pop the three dwords still on the stack (one return address was consumed by ntdll's ret)
end;
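The non-obvious part of the stub is the stack layout: why two return addresses are pushed, why the kernel finds the arguments at [edx+8], and why only 12 bytes are popped afterwards. The following C program is an added example, not code from the original post; it models that user-mode stack as a small array and walks through the push sequence, the kernel's argument lookup, ntdll's trailing `ret` and the caller's cleanup, so the bookkeeping can be checked without running anything on Windows. The addresses (`DONE_LABEL`, `FAKE_HANDLE`) and the `Cpu` structure are constructed stand-ins; the argument offset and the fact that the kernel ignores the user's ecx reflect the XP fast-call convention described in the post.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of the user-mode stack the stub hands to the kernel.
   "esp" is an index into mem[] that grows downward like the real one. */
#define STACK_DWORDS 16
#define DONE_LABEL   0xDEAD0001u   /* stand-in for "offset @@done" (constructed) */
#define FAKE_HANDLE  0x0000007Cu   /* stand-in for the Handle variable (constructed) */
#define SVC_TERMINATE_PROCESS 0x101u /* system call number used by the post (XP) */

typedef struct {
    uint32_t mem[STACK_DWORDS];
    int esp;                     /* index of the top-of-stack dword */
    uint32_t eax, edx, ecx;
} Cpu;

static void cpu_init(Cpu *c) { memset(c, 0, sizeof *c); c->esp = STACK_DWORDS; }
static void push(Cpu *c, uint32_t v) { c->mem[--c->esp] = v; }
static uint32_t pop(Cpu *c) { return c->mem[c->esp++]; }

/* User side: the pushes and register setup from the asm block, with the
   number of return-address slots made a parameter so the layout can be
   compared against a wrong variant. */
static void build_stub_frame(Cpu *c, uint32_t handle, uint32_t exit_code, int ret_slots) {
    push(c, exit_code);               /* push 0      -> second argument (exit status)  */
    push(c, handle);                  /* push Handle -> first argument (process handle) */
    for (int i = 0; i < ret_slots; i++)
        push(c, DONE_LABEL);          /* push offset @@done (twice in the post) */
    c->eax = SVC_TERMINATE_PROCESS;   /* mov eax, $101 */
    c->edx = (uint32_t)c->esp;        /* mov edx, esp: kernel reads user esp from edx */
    c->ecx = DONE_LABEL;              /* mov ecx, ...: set but never consulted */
}

/* Kernel side (modelled): argument N is read at [edx + 8 + 4*N], i.e. past
   the two return-address slots that ntdll's stub and its caller would leave. */
static uint32_t kernel_arg(const Cpu *c, int n) {
    return c->mem[(int)c->edx + 2 + n];
}

/* After sysexit control lands in ntdll's KiFastSystemCallRet, which is just
   "ret": pop the top slot and jump there. Returns the jump target. */
static uint32_t ntdll_ret(Cpu *c) { return pop(c); }

/* The caller's "add esp, $0C": three dwords remain after ntdll's ret. */
static void caller_cleanup(Cpu *c) { c->esp += 3; }

/* What the kernel would see as the first argument for a given number of
   pushed return addresses. With 2 (as in the post) it is the handle; with 1
   the kernel reads the exit code instead, i.e. the arguments are shifted. */
uint32_t first_arg_seen_by_kernel(int ret_slots) {
    Cpu c; cpu_init(&c);
    build_stub_frame(&c, FAKE_HANDLE, 0, ret_slots);
    return kernel_arg(&c, 0);
}

/* Full round trip of the post's stub. Returns 1 if the service number and
   both arguments are right, execution resumes at @@done and esp ends where
   it started; 0 otherwise. */
int stub_roundtrip(void) {
    Cpu c; cpu_init(&c);
    int esp_before = c.esp;
    build_stub_frame(&c, FAKE_HANDLE, 0, 2);
    if (c.eax != SVC_TERMINATE_PROCESS) return 0;
    if (kernel_arg(&c, 0) != FAKE_HANDLE) return 0;   /* process handle */
    if (kernel_arg(&c, 1) != 0) return 0;             /* exit status */
    if (ntdll_ret(&c) != DONE_LABEL) return 0;        /* lands on @@done */
    caller_cleanup(&c);                               /* add esp, $0C */
    return c.esp == esp_before;                       /* stack balanced */
}

int main(void) {
    printf("round trip balanced: %s\n", stub_roundtrip() ? "yes" : "no");
    printf("first arg with 2 return slots: 0x%08X\n", first_arg_seen_by_kernel(2));
    printf("first arg with 1 return slot:  0x%08X\n", first_arg_seen_by_kernel(1));
    return 0;
}
```

The model makes the cleanup arithmetic explicit: four dwords go on the stack, ntdll's `ret` consumes one on the way back, and `add esp, $0C` removes the other three. Dropping one of the two `push offset @@done` lines does not crash the model, but it silently shifts every argument by one slot, which is the kind of mistake that is hard to diagnose from a failed system call alone.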