Commit f224b08

committed

+ 32bit ntdll-only shellcode

1 parent 8bcb3bb commit f224b08Copy full SHA for f224b08

File tree

4 files changed

+85

-20

lines changed

src
- handler.cpp
- hook.cpp
- shellcode
  - shellcode32.asm
  - shellcode64.asm

4 files changed

+85

-20

lines changed

`‎src/handler.cpp‎`

Lines changed: 0 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -81,7 +81,6 @@ NTSTATUS on_create_proc_status(HANDLE parent_pid, HANDLE pid, BOOLEAN create) {`
`81`	`81`
`82`	`82`	`// get entrypoint va`
`83`	`83`	`if (a.b == bit::x32) {`
`84`		`- return status;`
`85`	`84`	`auto nt = addroffset(IMAGE_NT_HEADERS32, base, base->e_lfanew);`
`86`	`85`	`entrypoint = addroffset(void, base, nt->OptionalHeader.AddressOfEntryPoint);`
`87`	`86`	`}`

`‎src/hook.cpp‎`

Lines changed: 18 additions & 6 deletions

Original file line number	Diff line number	Diff line change
`@@ -47,8 +47,19 @@ void hook32(void* func, void* target) {`
`47`	`47`	`target = addroffset(void, target, STUB_SIZE32);`
`48`	`48`
`49`	`49`	`void* module_file = target;`
`50`		`- const char module_file_str[] = "gi_agent.dll";`
`51`		`- write_str(&target, module_file_str);`
	`50`	`+ const wchar_t module_file_str[] = L"gi_agent.dll";`
	`51`	`+ write_wstr(&target, module_file_str);`
	`52`	`+`
	`53`	`+ // write UNICODE_STRING for module_file`
	`54`	`+ void* module_file_unicode = target;`
	`55`	`+ UNICODE_STRING32 module_file_unicode_str;`
	`56`	`+ // length (not including null terminator)`
	`57`	`+ module_file_unicode_str.Length = sizeof(module_file_str) - sizeof(module_file_str[0]);`
	`58`	`+ // maximum length (including null terminator)`
	`59`	`+ module_file_unicode_str.MaximumLength = sizeof(module_file_str);`
	`60`	`+ // buffer; ptr to actual wstr`
	`61`	`+ module_file_unicode_str.Buffer = towow64(module_file);`
	`62`	`+ write_type<UNICODE_STRING32>(&target, module_file_unicode_str);`
`52`	`63`
`53`	`64`	`// overwrite original code`
`54`	`65`	`// jmp shellcode`
`@@ -63,8 +74,9 @@ void hook32(void* func, void* target) {`
`63`	`74`	`write_type<UINT32>(&target, STUB_SIZE32);`
`64`	`75`
`65`	`76`	`write_bytes(&target, { 0x68 }); // push`
`66`		`- write_type<UINT32>(&target, towow64(module_file));`
	`77`	`+ write_type<UINT32>(&target, towow64(module_file_unicode));`
`67`	`78`
	`79`	`+ // not needed anymore but im keeping it so i dont have to change the shellcode :p`
`68`	`80`	`write_bytes(&target, { 0x68 }); // push`
`69`	`81`	`write_type<UINT32>(&target, sizeof(module_file_str));`
`70`	`82`
`@@ -93,14 +105,14 @@ void hook64(void* func, void* target) {`
`93`	`105`
`94`	`106`	`// write UNICODE_STRING for module_file`
`95`	`107`	`void* module_file_unicode = target;`
`96`		`- UNICODE_STRING module_file_unicode_str;`
	`108`	`+ UNICODE_STRING64 module_file_unicode_str;`
`97`	`109`	`// length (not including null terminator)`
`98`	`110`	`module_file_unicode_str.Length = sizeof(module_file_str) - sizeof(module_file_str[0]);`
`99`	`111`	`// maximum length (including null terminator)`
`100`	`112`	`module_file_unicode_str.MaximumLength = sizeof(module_file_str);`
`101`	`113`	`// buffer; ptr to actual wstr`
`102`		`- module_file_unicode_str.Buffer = reinterpret_cast<PWCH>(module_file);`
`103`		`- write_type<UNICODE_STRING>(&target, module_file_unicode_str);`
	`114`	`+ module_file_unicode_str.Buffer = reinterpret_cast<ULONGLONG>(module_file);`
	`115`	`+ write_type<UNICODE_STRING64>(&target, module_file_unicode_str);`
`104`	`116`
`105`	`117`	`// shellcode stub`
`106`	`118`	`void* shellcode_stub = target;`

`‎src/shellcode/shellcode32.asm‎`

Lines changed: 64 additions & 12 deletions

Original file line number	Diff line number	Diff line change
`@@ -26,6 +26,7 @@ push ebp`
`26`	`26`	`movebp,esp ; frame pointer points to start of args`
`27`	`27`	`addebp, ptrsz`
`28`	`28`	`pushad ; we dont know what the target exe might expect from the windows loader environment`
	`29`	`+; so just save the entire environment`
`29`	`30`
`30`	`31`	`; traverse the teb/peb to get the kernel32 base address`
`31`	`32`
`@@ -38,11 +39,12 @@ mov ebx, [ecx] ; first entry is the exe image itself`
`38`	`39`	`movebx,[ebx+ listentry.flink] ; next entry is ntdll`
`39`	`40`	`cmpebx,ecx ; found end of list?`
`40`	`41`	`je .exit`
`41`		`-movebx,[ebx+ listentry.flink] ; and now kernel32`
`42`		`-cmpebx,ecx ; end of list?`
`43`		`-je .exit`
	`42`	`+; mov ebx, [ebx + listentry.flink] ; and now kernel32`
	`43`	`+; cmp ebx, ecx ; end of list?`
	`44`	`+; je .exit`
	`45`	`+`
`44`	`46`	`; difference between dllbase field and flink (where we land)`
`45`		`-; so ebx now holds the kernel32 base address`
	`47`	`+; so ebx now holds the ntdll base address`
`46`	`48`	`movebx,[ebx+ ldrentry.base - ldrentry.links]`
`47`	`49`
`48`	`50`	`; eip relative access on x86-32asm`
`@@ -55,18 +57,32 @@ call resolve_export`
`55`	`57`
`56`	`58`	`pusheax ; save virtualprotect addr for second call`
`57`	`59`
	`60`	`+; save original func ptr (modified in vprotect call)`
	`61`	`+push dword [ebp]`
	`62`	`+; save original code size`
	`63`	`+push dword [ebp+ ptrsz *3]`
	`64`	`+`
`58`	`65`	`; make original func writable`
`59`	`66`	`push0 ; space for old protect`
`60`	`67`	`pushesp ; old protect ptr`
`61`	`68`	`push4 ; PAGE_READWRITE`
`62`		`-push dword [ebp+ ptrsz *3] ; original code size (param)`
`63`		`-push dword [ebp] ; original func`
	`69`	`+leaedx,[ebp+ ptrsz 3] ; original code size `
	`70`	`+pushedx`
	`71`	`+pushebp ; original func *`
	`72`	`+push-1 ; current process pseudo-handle`
`64`	`73`	`calleax`
`65`	`74`
`66`	`75`	`testeax,eax`
`67`	`76`	`popedx ; old protect`
	`77`	`+; restore original code size`
	`78`	`+popeax`
	`79`	`+mov dword [ebp+ ptrsz *3],eax`
	`80`	`+; restore original func ptr`
	`81`	`+popeax`
	`82`	`+mov dword [ebp],eax`
`68`	`83`	`popeax ; saved virtual protect addr`
`69`		`-jz .exit`
	`84`	`+`
	`85`	`+jnz .exit`
`70`	`86`
`71`	`87`	`; restore original code (memcpy)`
`72`	`88`	`movecx,[ebp+ ptrsz *3] ; original code size (param)`
`@@ -77,17 +93,47 @@ rep movsb ; memcpy`
`77`	`93`
`78`	`94`	`; restore previous protection`
`79`	`95`
	`96`	`+; save original func ptr (modified in vprotect call)`
	`97`	`+push dword [ebp]`
	`98`	`+; save original code size`
	`99`	`+push dword [ebp+ ptrsz *3]`
	`100`	`+`
`80`	`101`	`push0 ; space for old protect`
`81`	`102`	`pushesp ; old protect ptr`
`82`	`103`	`pushedx ; new protect (previous value)`
`83`		`-push dword [ebp+ ptrsz *3] ; original code size (param)`
`84`		`-push dword [ebp] ; original func`
	`104`	`+leaedx,[ebp+ ptrsz 3] ; original code size `
	`105`	`+pushedx`
	`106`	`+pushebp ; original func *`
	`107`	`+push-1 ; current process pseudo-handle`
`85`	`108`	`calleax`
`86`	`109`
`87`	`110`	`addesp, ptrsz ; remove old page protection`
`88`	`111`
`89`	`112`	`testeax,eax`
`90`		`-jz .exit`
	`113`	`+`
	`114`	`+; restore original code size`
	`115`	`+popeax`
	`116`	`+mov dword [ebp+ ptrsz *3],eax`
	`117`	`+; restore original func ptr`
	`118`	`+popeax`
	`119`	`+mov dword [ebp],eax`
	`120`	`+`
	`121`	`+jnz .exit`
	`122`	`+`
	`123`	`+; check if k32 is loaded`
	`124`	`+; if not: exit`
	`125`	`+movedx,fs:[teb.peb] ; PEB from TEB`
	`126`	`+movedx,[edx+ peb.ldr] ; LDR from PEB`
	`127`	`+; the address of the pointer to the first entry`
	`128`	`+; last entry will point to this so we can check if the list is exhausted`
	`129`	`+leaecx,[edx+ ldr.modules + listentry.flink] ; addressof modules pointer`
	`130`	`+movedx,[ecx] ; first entry is the exe image itself`
	`131`	`+movedx,[edx+ listentry.flink] ; next entry is ntdll`
	`132`	`+cmpedx,ecx ; found end of list?`
	`133`	`+je .exit`
	`134`	`+movedx,[edx+ listentry.flink] ; and now kernel32`
	`135`	`+cmpedx,ecx ; end of list?`
	`136`	`+je .exit`
`91`	`137`
`92`	`138`	`; load library`
`93`	`139`
`@@ -101,9 +147,15 @@ push ebx`
`101`	`147`	`call resolve_export`
`102`	`148`
`103`	`149`	`movecx,[ebp+ ptrsz *2]`
	`150`	`+push0`
	`151`	`+pushesp ; return base address`
`104`	`152`	`pushecx ; dllname`
	`153`	`+push0 ; characteristics`
	`154`	`+push0 ; search path`
`105`	`155`	`calleax ; loadlibrarya`
`106`	`156`
	`157`	`+popeax ; dump return base addr`
	`158`	`+`
`107`	`159`	`.exit:`
`108`	`160`	`popad`
`109`	`161`	`popebp`
`@@ -168,8 +220,8 @@ pop esp`
`168`	`220`	`ret3* ptrsz ; cleanup arguments`
`169`	`221`
`170`	`222`	`; static data "segment"`
`171`		`-load_lib_str db "LoadLibraryA",0`
	`223`	`+load_lib_str db "LdrLoadDll",0`
`172`	`224`	`sz_load_lib_str equ $ - load_lib_str`
`173`	`225`
`174`		`-vprotect_str db "VirtualProtect",0`
	`226`	`+vprotect_str db "NtProtectVirtualMemory",0`
`175`	`227`	`sz_vprotect_str equ $ - vprotect_str`

`‎src/shellcode/shellcode64.asm‎`

Lines changed: 3 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -115,7 +115,7 @@ test rax, rax`
`115`	`115`	`jnz .exit`
`116`	`116`
`117`	`117`	`; check if k32 is loaded`
`118`		`-; if not; exit`
	`118`	`+; if not: exit`
`119`	`119`	`movrdx,gs:[teb.peb] ; PEB from TEB`
`120`	`120`	`testrdx,rdx`
`121`	`121`	`jz .exit`
`@@ -138,6 +138,8 @@ mov rdx, [rdx + listentry.flink] ; kernel32`
`138`	`138`	`cmprdx,rcx ; end of list?`
`139`	`139`	`je .exit`
`140`	`140`
	`141`	`+; load library`
	`142`	`+`
`141`	`143`	`movrcx, sz_load_lib_str`
`142`	`144`	`leardx,[load_lib_str]`
`143`	`145`	`movr8,rbx ; base addr`

0 commit comments

Comments

(0)

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit f224b08

File tree

4 files changed

4 files changed

`‎src/handler.cpp‎`

`‎src/hook.cpp‎`

`‎src/shellcode/shellcode32.asm‎`

`‎src/shellcode/shellcode64.asm‎`

0 commit comments