def perform_manual_getproc_loadlib_64_for_dbg(target, dll_name):
dll = "KERNEL32.DLL\x00".encode("utf-16-le")
api = "LoadLibraryA\x00"
dll_to_load = dll_name + "\x00"
RemoteManualLoadLibray = x64.MultipleInstr()
code = RemoteManualLoadLibray
code += x64.Mov("R15", "RCX")
code += x64.Mov("RCX", x64.mem("[R15 + 0]"))
code += x64.Mov("RDX", x64.mem("[R15 + 8]"))
code += x64.Call(":FUNC_GETPROCADDRESS64")
code += x64.Mov("RCX", x64.mem("[R15 + 0x10]"))
code += x64.Push("RCX")
code += x64.Push("RCX")
code += x64.Push("RCX")
code += x64.Call("RAX") # LoadLibrary
code += x64.Pop("RCX")
code += x64.Pop("RCX")
code += x64.Pop("RCX")
code += x64.Ret()
RemoteManualLoadLibray += nativeutils.GetProcAddress64
addr = target.virtual_alloc(0x1000)
addr2 = addr + len(dll)
addr3 = addr2 + len(api)
addr4 = addr3 + len(dll_to_load)
target.write_memory(addr, dll)
target.write_memory(addr2, api)
target.write_memory(addr3, dll_to_load)
target.write_qword(addr4, addr)
target.write_qword(addr4 + 8, addr2)
target.write_qword(addr4 + 0x10, addr3)
t = target.execute(RemoteManualLoadLibray.get_code(), addr4)
return t
def register_kernel_call(self):
# expect in buffer: the address to call and all dword to push on the stack
CCall_IOCTL = x64.MultipleInstr()
CCall_IOCTL += x64.Mov('RAX', self.IO_STACK_INPUT_BUFFER_LEN)
CCall_IOCTL += x64.Cmp('RAX', 0)
CCall_IOCTL += x64.Jz(":FAIL") # Need at least the function to call
CCall_IOCTL += x64.Mov('R15', 4 * 8) # Size to pop on the stack at the end (4 * push RDI)
CCall_IOCTL += x64.Mov('R10', self.IO_STACK_INPUT_BUFFER)
CCall_IOCTL += x64.Label(':PUSH_NEXT_ARG')
CCall_IOCTL += x64.Cmp('RAX', (8 * 5))
CCall_IOCTL += x64.Jbe(":SETUP_REG_ARGS")
CCall_IOCTL += x64.Sub('RAX', 8)
INPUT_BUFFER_NEXT_ARG = x64.create_displacement(base='R10', index='RAX')
CCall_IOCTL += x64.Mov('RBX', INPUT_BUFFER_NEXT_ARG)
CCall_IOCTL += x64.Push('RBX')
CCall_IOCTL += x64.Add('R15', 8) # Add at Size to pop on the stack at the end
CCall_IOCTL += x64.Jmp(':PUSH_NEXT_ARG')
CCall_IOCTL += x64.Label(":SETUP_REG_ARGS")
# Could be done in a loop
# But do I really want to generate x86 in a loop..
CCall_IOCTL += x64.Cmp('RAX', (8 * 5))
CCall_IOCTL += x64.Jz(":SETUP_4_ARGS")
CCall_IOCTL += x64.Cmp('RAX', (8 * 4))
CCall_IOCTL += x64.Jz(":SETUP_3_ARGS")
CCall_IOCTL += x64.Cmp('RAX', (8 * 3))
CCall_IOCTL += x64.Jz(":SETUP_2_ARGS")
CCall_IOCTL += x64.Cmp('RAX', (8 * 2))
CCall_IOCTL += x64.Jz(":SETUP_1_ARGS")
CCall_IOCTL += x64.Jmp(":SETUP_0_ARGS")
CCall_IOCTL += x64.Label(":SETUP_4_ARGS")
CCall_IOCTL += x64.Mov('R9', x64.mem('[R10 + 0x20]'))
CCall_IOCTL += x64.Label(":SETUP_3_ARGS")
CCall_IOCTL += x64.Mov('R8', x64.mem('[R10 + 0x18]'))
CCall_IOCTL += x64.Label(":SETUP_2_ARGS")
CCall_IOCTL += x64.Mov('RDX', x64.mem('[R10 + 0x10]'))
CCall_IOCTL += x64.Label(":SETUP_1_ARGS")
CCall_IOCTL += x64.Mov('RCX', x64.mem('[R10 + 8]'))
CCall_IOCTL += x64.Label(":SETUP_0_ARGS")
CCall_IOCTL += x64.Mov('RAX', x64.mem('[R10]'))
# Fix Reserve space (calling convention)
CCall_IOCTL += x64.Push('RDI')
CCall_IOCTL += x64.Push('RDI')
CCall_IOCTL += x64.Push('RDI')
CCall_IOCTL += x64.Push('RDI')
CCall_IOCTL += x64.Call('RAX')
CCall_IOCTL += x64.Mov('RDX', self.IRP_OUTPUT_BUFFER)
CCall_IOCTL += x64.Mov(x64.mem('[RDX]'), 'RAX')
CCall_IOCTL += x64.Xor('RAX', 'RAX')
CCall_IOCTL += x64.Add('RSP', 'R15')
CCall_IOCTL += x64.Ret()
CCall_IOCTL += x64.Label(":FAIL")
CCall_IOCTL += x64.Mov('RAX', 0x0C000000D)
CCall_IOCTL += x64.Ret()
self.upgrade_driver_add_new_ioctl_handler(DU_KCALL_IOCTL, CCall_IOCTL.get_code())
def sc_64_pushstr(s):
if not s.endswith('\0'):
s += '\0\0'
PushStr_sc = x64.MultipleInstr()
# TODO: Use xor_pair to avoid NULL
for block in cut(s, 8)[::-1]:
block += '\0' * (8 - len(block))
PushStr_sc += x64.Mov("RAX", u64(block))
PushStr_sc += x64.Push("RAX")
return PushStr_sc
from windows.generated_def.winstructs import *
GetProcAddress64 = windows.native_exec.nativeutils.GetProcAddress64
dll = "KERNEL32.DLL\x00".encode("utf-16-le")
api = "LoadLibraryA\x00"
dll_to_load = "SUCE"
RemoteManualLoadLibray = x64.MultipleInstr()
c = RemoteManualLoadLibray
c += x64.Mov("R15", "RCX")
c += x64.Mov("RCX", x64.mem("[R15 + 0]"))
c += x64.Mov("RDX", x64.mem("[R15 + 8]"))
c += x64.Call(":FUNC_GETPROCADDRESS64")
c += x64.Mov("RCX", x64.mem("[R15 + 0x10]"))
c += x64.Push("RCX")
c += x64.Push("RCX")
c += x64.Push("RCX")
c += x64.Call("RAX")
c += x64.Pop("RCX")
c += x64.Pop("RCX")
c += x64.Pop("RCX")
c += x64.Ret()
RemoteManualLoadLibray += GetProcAddress64
calc = windows.test.pop_calc_64(dwCreationFlags=CREATE_SUSPENDED)
addr = calc.virtual_alloc(0x1000)
addr2 = addr + len(dll)
addr3 = addr2 + len(api)
def generate_syswow64_call(target, errcheck=None):
nb_args = len(target.prototype._argtypes_)
target_addr = get_syswow_ntdll_exports()[target.__name__]
argument_buffer_len = (nb_args * 8)
argument_buffer = windows.current_process.allocator.reserve_size(argument_buffer_len)
alignement_information = windows.current_process.allocator.reserve_size(8)
nb_args_on_stack = max(nb_args - 4, 0)
code_64b = x64.MultipleInstr()
# Save registers
code_64b += x64.Push('RBX')
code_64b += x64.Push('RCX')
code_64b += x64.Push('RDX')
code_64b += x64.Push('RSI')
code_64b += x64.Push('RDI')
code_64b += x64.Push('R8')
code_64b += x64.Push('R9')
code_64b += x64.Push('R10')
code_64b += x64.Push('R11')
code_64b += x64.Push('R12')
code_64b += x64.Push('R13')
# Alignment stuff :)
code_64b += x64.Mov('RCX', 'RSP')
code_64b += x64.And('RCX', 0x0f)
code_64b += x64.Mov(x64.deref(alignement_information), 'RCX')
code_64b += x64.Sub('RSP', 'RCX')
# retrieve argument from the argument buffer
if nb_args >= 1:
code_64b += x64.Mov('RCX', x64.create_displacement(disp=argument_buffer))
if nb_args >= 2:
code_64b += x64.Mov('RDX', x64.create_displacement(disp=argument_buffer + (8 * 1)))
if nb_args >= 3:
code_64b += x64.Mov('R8', x64.create_displacement(disp=argument_buffer + (8 * 2)))
if nb_args >= 4:
code_64b += x64.Mov('R9', x64.create_displacement(disp=argument_buffer + (8 * 3)))
for i in range(nb_args_on_stack):
code_64b += x64.Mov('RAX', x64.create_displacement(disp=argument_buffer + 8 * (nb_args - 1 - i)))
code_64b += x64.Push('RAX')
# reserve space for register (calling convention)
code_64b += x64.Push('R9')
code_64b += x64.Push('R8')
code_64b += x64.Push('RDX')
code_64b += x64.Push('RCX')
# Call
code_64b += x64.Mov('R13', target_addr)
code_64b += x64.Call('R13')
# Realign stack :)
code_64b += x64.Add('RSP', x64.deref(alignement_information))
# Clean stack
code_64b += x64.Add('RSP', (4 + nb_args_on_stack) * 8)
code_64b += x64.Pop('R13')
code_64b += x64.Pop('R12')
code_64b += x64.Pop('R11')
code_64b += x64.Pop('R10')
code_64b += x64.Pop('R9')
code_64b += x64.Pop('R8')
code_64b += x64.Pop('RDI')
code_64b += x64.Pop('RSI')
code_64b += x64.Pop('RDX')
code_64b += x64.Pop('RCX')
code_64b += x64.Pop('RBX')
code_64b += x64.Ret()
return try_generate_stub_target(code_64b.get_code(), argument_buffer, target, errcheck=errcheck)
def NtCreateThreadEx_32_to_64(process, addr, param):
NtCreateThreadEx = get_NtCreateThreadEx_syswow_addr()
create_thread = x64.MultipleInstr()
# Save registers
create_thread += x64.Push('RBX')
create_thread += x64.Push('RCX')
create_thread += x64.Push('RDX')
create_thread += x64.Push('RSI')
create_thread += x64.Push('RDI')
create_thread += x64.Push('R8')
create_thread += x64.Push('R9')
create_thread += x64.Push('R10')
create_thread += x64.Push('R11')
create_thread += x64.Push('R12')
create_thread += x64.Push('R13')
# Setup args
create_thread += x64.Push(0)
create_thread += x64.Mov('RCX', 'RSP') # Arg1
create_thread += x64.Mov('RDX', 0x1fffff) # Arg2
create_thread += x64.Mov('R8', 0) # Arg3
create_thread += x64.Mov('R9', process.handle) # Arg4
create_thread += x64.Mov('RAX', 0)
create_thread += x64.Push('RAX') # Arg11
create_thread += x64.Push('RAX') # Arg10
create_thread += x64.Push('RAX') # Arg9
create_thread += x64.Push('RAX') # Arg8
create_thread += x64.Push('RAX') # Arg7
create_thread += x64.Mov('RAX', param)
create_thread += x64.Push('RAX') # Arg6
create_thread += x64.Mov('RAX', addr)
create_thread += x64.Push('RAX') # Arg5
# reserve space for register (calling convention)
create_thread += x64.Push('R9')
create_thread += x64.Push('R8')
create_thread += x64.Push('RDX')
create_thread += x64.Push('RCX')
# Call
create_thread += x64.Mov('R13', NtCreateThreadEx)
create_thread += x64.Call('R13')
# Clean stack
create_thread += x64.Add('RSP', 12 * 8)
create_thread += x64.Pop('R13')
create_thread += x64.Pop('R12')
create_thread += x64.Pop('R11')
create_thread += x64.Pop('R10')
create_thread += x64.Pop('R9')
create_thread += x64.Pop('R8')
create_thread += x64.Pop('RDI')
create_thread += x64.Pop('RSI')
create_thread += x64.Pop('RDX')
create_thread += x64.Pop('RCX')
create_thread += x64.Pop('RBX')
return execute_64bits_code_from_syswow(create_thread.get_code())
def genere_return_32bits_stub(ret_addr):
ret_32b = x64.MultipleInstr()
ret_32b += x64.Mov('RCX', (CS_32bits << 32) + ret_addr)
ret_32b += x64.Push('RCX')
ret_32b += x64.Retf32() # 32 bits return addr
return ret_32b.get_code()
import windows
import windows.native_exec.simple_x64 as x64
import windows.native_exec.simple_x86 as x86
from windows.generated_def.winstructs import *
StrlenW64 = x64.MultipleInstr()
StrlenW64 += x64.Label(":FUNC_STRLENW64")
StrlenW64 += x64.Push("RCX")
StrlenW64 += x64.Push("RDI")
StrlenW64 += x64.Mov("RDI", "RCX")
StrlenW64 += x64.Xor("RAX", "RAX")
StrlenW64 += x64.Xor("RCX", "RCX")
StrlenW64 += x64.Dec("RCX")
StrlenW64 += x64.Repne + x64.ScasW()
StrlenW64 += x64.Not("RCX")
StrlenW64 += x64.Dec("RCX")
StrlenW64 += x64.Mov("RAX", "RCX")
StrlenW64 += x64.Pop("RDI")
StrlenW64 += x64.Pop("RCX")
StrlenW64 += x64.Ret()
StrlenA64 = x64.MultipleInstr()
StrlenA64 += x64.Label(":FUNC_STRLENA64")
StrlenA64 += x64.Push("RCX")
StrlenA64 += x64.Push("RDI")
StrlenA64 += x64.Mov("RDI", "RCX")
StrlenA64 += x64.Xor("RAX", "RAX")
StrlenA64 += x64.Xor("RCX", "RCX")
StrlenA64 += x64.Dec("RCX")
StrlenA64 += x64.Repne + x64.ScasB()