def sc_64_AllocRWX(address, rwx_qword):
dll = "KERNEL32.DLL\x00".encode("utf-16-le")
api = "VirtualAlloc\x00"
AllocRWX64_sc = x64.MultipleInstr()
map(AllocRWX64_sc.__iadd__, [
shellcraft.amd64.pushstr(dll),
x64.Mov("RCX", "RSP"),
shellcraft.amd64.pushstr(api),
x64.Mov("RDX", "RSP"),
x64.Call(":FUNC_GETPROCADDRESS64"),
x64.Mov("R10", "RAX"),
x64.Mov("RCX", address),
x64.Mov("RDX", 0x1000),
x64.Mov("R8", MEM_COMMIT | MEM_RESERVE),
x64.Mov("R9", PAGE_EXECUTE_READWRITE),
x64.Sub("RSP", 0x30),
x64.And("RSP", -32),
x64.Call("R10"),
x64.Mov('RAX', rwx_qword),
x64.Mov("RCX", address),
x64.Mov(x64.mem('[RCX]'), 'RAX'),
x64.Call("RCX"),
windows.native_exec.nativeutils.GetProcAddress64,
])
return AllocRWX64_sc.get_code()
def sc_64_LoadLibrary(dll_path):
dll = bytes("KERNEL32.DLL\x00".encode("utf-16-le"))
api = b"LoadLibraryA\x00"
if PY3 and isinstance(dll_path, str):
dll_path = bytes(dll_path.encode())
LoadLibrary64_sc = x64.MultipleInstr()
LoadLibrary64_sc += shellcraft.amd64.pushstr(dll)
LoadLibrary64_sc += x64.Mov("RCX", "RSP")
LoadLibrary64_sc += shellcraft.amd64.pushstr(api)
LoadLibrary64_sc += x64.Mov("RDX", "RSP")
LoadLibrary64_sc += x64.Call(":FUNC_GETPROCADDRESS64")
LoadLibrary64_sc += x64.Mov("R10", "RAX")
LoadLibrary64_sc += shellcraft.amd64.pushstr(dll_path)
LoadLibrary64_sc += x64.Mov("RCX", "RSP")
LoadLibrary64_sc += x64.Sub("RSP", 0x30)
LoadLibrary64_sc += x64.And("RSP", -32)
LoadLibrary64_sc += x64.Call("R10")
LoadLibrary64_sc += x64.Label(":HERE")
LoadLibrary64_sc += x64.Jmp(":HERE")
LoadLibrary64_sc += windows.native_exec.nativeutils.GetProcAddress64
return LoadLibrary64_sc.get_code()
def sc_64_WinExec(exe):
dll = bytes("KERNEL32.DLL\x00".encode("utf-16-le"))
api = b"WinExec\x00"
if PY3 and isinstance(exe, str):
exe = bytes(exe.encode())
WinExec64_sc = x64.MultipleInstr()
WinExec64_sc += shellcraft.amd64.pushstr(dll)
WinExec64_sc += x64.Mov("RCX", "RSP")
WinExec64_sc += shellcraft.amd64.pushstr(api)
WinExec64_sc += x64.Mov("RDX", "RSP")
WinExec64_sc += x64.Call(":FUNC_GETPROCADDRESS64")
WinExec64_sc += x64.Mov("R10", "RAX")
WinExec64_sc += shellcraft.amd64.pushstr(exe)
WinExec64_sc += x64.Mov("RCX", "RSP")
WinExec64_sc += x64.Sub("RSP", 0x30)
WinExec64_sc += x64.And("RSP", -32)
WinExec64_sc += x64.Call("R10")
WinExec64_sc += x64.Label(":HERE")
WinExec64_sc += x64.Jmp(":HERE")
WinExec64_sc += windows.native_exec.nativeutils.GetProcAddress64 # Dirty infinite loop
#WinExec64_sc +=# x64.Ret(),
return WinExec64_sc.get_code()
def sc_64_LoadLibrary(dll_path):
dll = "KERNEL32.DLL\x00".encode("utf-16-le")
api = "LoadLibraryA\x00"
LoadLibrary64_sc = x64.MultipleInstr()
map(LoadLibrary64_sc.__iadd__, [
shellcraft.amd64.pushstr(dll),
x64.Mov("RCX", "RSP"),
shellcraft.amd64.pushstr(api),
x64.Mov("RDX", "RSP"),
x64.Call(":FUNC_GETPROCADDRESS64"),
x64.Mov("R10", "RAX"),
shellcraft.amd64.pushstr(dll_path),
x64.Mov("RCX", "RSP"),
x64.Sub("RSP", 0x30),
x64.And("RSP", -32),
x64.Call("R10"),
x64.Label(":HERE"),
x64.Jmp(":HERE"), # Dirty infinite loop
# x64.Ret(),
windows.native_exec.nativeutils.GetProcAddress64,
])
return LoadLibrary64_sc.get_code()
def generate_syswow64_call(target, errcheck=None):
nb_args = len(target.prototype._argtypes_)
target_addr = get_syswow_ntdll_exports()[target.__name__]
argument_buffer_len = (nb_args * 8)
argument_buffer = windows.current_process.allocator.reserve_size(argument_buffer_len)
alignement_information = windows.current_process.allocator.reserve_size(8)
nb_args_on_stack = max(nb_args - 4, 0)
code_64b = x64.MultipleInstr()
# Save registers
code_64b += x64.Push('RBX')
code_64b += x64.Push('RCX')
code_64b += x64.Push('RDX')
code_64b += x64.Push('RSI')
code_64b += x64.Push('RDI')
code_64b += x64.Push('R8')
code_64b += x64.Push('R9')
code_64b += x64.Push('R10')
code_64b += x64.Push('R11')
code_64b += x64.Push('R12')
code_64b += x64.Push('R13')
# Alignment stuff :)
code_64b += x64.Mov('RCX', 'RSP')
code_64b += x64.And('RCX', 0x0f)
code_64b += x64.Mov(x64.deref(alignement_information), 'RCX')
code_64b += x64.Sub('RSP', 'RCX')
# retrieve argument from the argument buffer
if nb_args >= 1:
code_64b += x64.Mov('RCX', x64.create_displacement(disp=argument_buffer))
if nb_args >= 2:
code_64b += x64.Mov('RDX', x64.create_displacement(disp=argument_buffer + (8 * 1)))
if nb_args >= 3:
code_64b += x64.Mov('R8', x64.create_displacement(disp=argument_buffer + (8 * 2)))
if nb_args >= 4:
code_64b += x64.Mov('R9', x64.create_displacement(disp=argument_buffer + (8 * 3)))
for i in range(nb_args_on_stack):
code_64b += x64.Mov('RAX', x64.create_displacement(disp=argument_buffer + 8 * (nb_args - 1 - i)))
code_64b += x64.Push('RAX')
# reserve space for register (calling convention)
code_64b += x64.Push('R9')
code_64b += x64.Push('R8')
code_64b += x64.Push('RDX')
code_64b += x64.Push('RCX')
# Call
code_64b += x64.Mov('R13', target_addr)
code_64b += x64.Call('R13')
# Realign stack :)
code_64b += x64.Add('RSP', x64.deref(alignement_information))
# Clean stack
code_64b += x64.Add('RSP', (4 + nb_args_on_stack) * 8)
code_64b += x64.Pop('R13')
code_64b += x64.Pop('R12')
code_64b += x64.Pop('R11')
code_64b += x64.Pop('R10')
code_64b += x64.Pop('R9')
code_64b += x64.Pop('R8')
code_64b += x64.Pop('RDI')
code_64b += x64.Pop('RSI')
code_64b += x64.Pop('RDX')
code_64b += x64.Pop('RCX')
code_64b += x64.Pop('RBX')
code_64b += x64.Ret()
return try_generate_stub_target(code_64b.get_code(), argument_buffer, target, errcheck=errcheck)
GetProcAddress64 += x64.Inc("RCX")
GetProcAddress64 += x64.Rep + x64.CmpsB()
GetProcAddress64 += x64.Mov("EAX", "ECX")
GetProcAddress64 += x64.Pop("RCX")
GetProcAddress64 += x64.Inc("RCX")
GetProcAddress64 += x64.Test("RAX", "RAX")
GetProcAddress64 += x64.Jnz(":SEARCH_LOOP")
# Func FOUND !
GetProcAddress64 += x64.Dec("RCX")
GetProcAddress64 += x64.Pop("RAX") # ;Restore export_dir addr
GetProcAddress64 += x64.Mov(
"EDX", x64.mem("[RAX + 36]")) # ;EDX = AddressOfNameOrdinals RVX
GetProcAddress64 += x64.Add("RDX", "RBX")
GetProcAddress64 += x64.OperandSizeOverride + x64.Mov(
"ECX", x64.mem("[rdx + rcx * 2]")) # ; ecx = Ieme ordinal (short array)
GetProcAddress64 += x64.And('RCX', 0xffff)
GetProcAddress64 += x64.Mov("EDX",
x64.mem("[RAX + 28]")) # ; AddressOfFunctions RVA
GetProcAddress64 += x64.Add("RDX", "RBX")
GetProcAddress64 += x64.Mov("EDX", x64.mem("[RDX + RCX * 4]"))
GetProcAddress64 += x64.Add("RDX", "RBX")
GetProcAddress64 += x64.Mov("RAX", "RDX")
GetProcAddress64 += x64.Label(":RETURN")
GetProcAddress64 += x64.Pop("R13")
GetProcAddress64 += x64.Pop("R12")
GetProcAddress64 += x64.Pop("R11")
GetProcAddress64 += x64.Pop("R10")
GetProcAddress64 += x64.Pop("R9")
GetProcAddress64 += x64.Pop("R8")
GetProcAddress64 += x64.Pop("RDI")
GetProcAddress64 += x64.Pop("RSI")
