def register_io_out(self): out_ioctl = x64.MultipleInstr() INPUT_BUFFER_SIZE = x64.mem('[RCX]') INPUT_BUFFER_PORT = x64.mem('[RCX + 8]') INPUT_BUFFER_VALUE = x64.mem('[RCX + 0x10]') out_ioctl += x64.Cmp(self.IO_STACK_INPUT_BUFFER_LEN, 0x18) # size indicator / port / value out_ioctl += x64.Jnz(":FAIL") out_ioctl += x64.Mov('RCX', self.IO_STACK_INPUT_BUFFER) out_ioctl += x64.Mov('RDX', INPUT_BUFFER_PORT) out_ioctl += x64.Mov('RAX', INPUT_BUFFER_VALUE) out_ioctl += x64.Mov('RCX', INPUT_BUFFER_SIZE) out_ioctl += x64.Cmp('RCX', 0x1) out_ioctl += x64.Jnz(":OUT_2_OR_4") out_ioctl += x64.Out('DX', 'AL') out_ioctl += x64.Jmp(':SUCCESS') out_ioctl += x64.Label(":OUT_2_OR_4") out_ioctl += x64.Cmp('RCX', 0x2) out_ioctl += x64.Jnz(":OUT_4") out_ioctl += x64.Out('DX', 'AX') out_ioctl += x64.Jmp(':SUCCESS') out_ioctl += x64.Label(":OUT_4") out_ioctl += x64.Out('DX', 'EAX') out_ioctl += x64.Label(":SUCCESS") out_ioctl += x64.Xor('RAX', 'RAX') out_ioctl += x64.Ret() out_ioctl += x64.Label(":FAIL") out_ioctl += x64.Mov('RAX', 0x0C000000D) out_ioctl += x64.Ret() self.upgrade_driver_add_new_ioctl_handler(DU_OUT_IOCTL, out_ioctl.get_code())
def register_io_in(self): in_ioctl = x64.MultipleInstr() INPUT_BUFFER_SIZE = x64.mem('[RCX]') INPUT_BUFFER_PORT = x64.mem('[RCX + 8]') in_ioctl += x64.Cmp(self.IO_STACK_INPUT_BUFFER_LEN, 0x10) # size indicator / port in_ioctl += x64.Jnz(":FAIL") in_ioctl += x64.Mov('RCX', self.IO_STACK_INPUT_BUFFER) in_ioctl += x64.Mov('RDX', INPUT_BUFFER_PORT) in_ioctl += x64.Mov('RCX', INPUT_BUFFER_SIZE) in_ioctl += x64.Cmp('RCX', 0x1) in_ioctl += x64.Jnz(":OUT_2_OR_4") in_ioctl += x64.In('AL', 'DX') in_ioctl += x64.Jmp(':SUCCESS') in_ioctl += x64.Label(":OUT_2_OR_4") in_ioctl += x64.Cmp('RCX', 0x2) in_ioctl += x64.Jnz(":OUT_4") in_ioctl += x64.In('AX', 'DX') in_ioctl += x64.Jmp(':SUCCESS') in_ioctl += x64.Label(":OUT_4") in_ioctl += x64.In('EAX', 'DX') in_ioctl += x64.Label(":SUCCESS") in_ioctl += x64.Mov('RDX', self.IRP_OUTPUT_BUFFER) in_ioctl += x64.Mov(x64.mem('[RDX]'), 'RAX') in_ioctl += x64.Xor('RAX', 'RAX') in_ioctl += x64.Ret() in_ioctl += x64.Label(":FAIL") in_ioctl += x64.Mov('RAX', 0x0C000000D) in_ioctl += x64.Ret() self.upgrade_driver_add_new_ioctl_handler(DU_IN_IOCTL, in_ioctl.get_code())
def register_alloc_memory(self): ExAllocatePoolWithTag = self.kdbg.get_symbol_offset("nt!ExAllocatePoolWithTag") if ExAllocatePoolWithTag is None: raise ValueError("Could not resolve <ExAllocatePoolWithTag>") INPUT_BUFFER_ALLOC_TYPE = x64.mem('[RCX]') INPUT_BUFFER_ALLOC_SIZE = x64.mem('[RCX + 0x8]') INPUT_BUFFER_ALLOC_TAG = x64.mem('[RCX + 0x10]') Alloc_IOCTL = x64.MultipleInstr() Alloc_IOCTL += x64.Cmp(self.IO_STACK_INPUT_BUFFER_LEN, 0x18) Alloc_IOCTL += x64.Jnz(':FAIL') Alloc_IOCTL += x64.Mov('RCX', self.IO_STACK_INPUT_BUFFER) Alloc_IOCTL += x64.Mov('R8', INPUT_BUFFER_ALLOC_TAG) Alloc_IOCTL += x64.Mov('RDX', INPUT_BUFFER_ALLOC_SIZE) Alloc_IOCTL += x64.Mov('RCX', INPUT_BUFFER_ALLOC_TYPE) Alloc_IOCTL += x64.Mov('RAX', ExAllocatePoolWithTag) Alloc_IOCTL += x64.Call('RAX') Alloc_IOCTL += x64.Mov('RBX', self.IRP_OUTPUT_BUFFER) Alloc_IOCTL += x64.Mov(x64.mem('[RBX]'), 'RAX') Alloc_IOCTL += x64.Xor('RAX', 'RAX') Alloc_IOCTL += x64.Ret() Alloc_IOCTL += x64.Label(":FAIL") Alloc_IOCTL += x64.Mov('RAX', 0x0C000000D) Alloc_IOCTL += x64.Ret() self.upgrade_driver_add_new_ioctl_handler(DU_MEMALLOC_IOCTL, Alloc_IOCTL.get_code())
def register_kernel_call(self): # expect in buffer: the address to call and all dword to push on the stack CCall_IOCTL = x64.MultipleInstr() CCall_IOCTL += x64.Mov('RAX', self.IO_STACK_INPUT_BUFFER_LEN) CCall_IOCTL += x64.Cmp('RAX', 0) CCall_IOCTL += x64.Jz(":FAIL") # Need at least the function to call CCall_IOCTL += x64.Mov('R15', 4 * 8) # Size to pop on the stack at the end (4 * push RDI) CCall_IOCTL += x64.Mov('R10', self.IO_STACK_INPUT_BUFFER) CCall_IOCTL += x64.Label(':PUSH_NEXT_ARG') CCall_IOCTL += x64.Cmp('RAX', (8 * 5)) CCall_IOCTL += x64.Jbe(":SETUP_REG_ARGS") CCall_IOCTL += x64.Sub('RAX', 8) INPUT_BUFFER_NEXT_ARG = x64.create_displacement(base='R10', index='RAX') CCall_IOCTL += x64.Mov('RBX', INPUT_BUFFER_NEXT_ARG) CCall_IOCTL += x64.Push('RBX') CCall_IOCTL += x64.Add('R15', 8) # Add at Size to pop on the stack at the end CCall_IOCTL += x64.Jmp(':PUSH_NEXT_ARG') CCall_IOCTL += x64.Label(":SETUP_REG_ARGS") # Could be done in a loop # But do I really want to generate x86 in a loop.. CCall_IOCTL += x64.Cmp('RAX', (8 * 5)) CCall_IOCTL += x64.Jz(":SETUP_4_ARGS") CCall_IOCTL += x64.Cmp('RAX', (8 * 4)) CCall_IOCTL += x64.Jz(":SETUP_3_ARGS") CCall_IOCTL += x64.Cmp('RAX', (8 * 3)) CCall_IOCTL += x64.Jz(":SETUP_2_ARGS") CCall_IOCTL += x64.Cmp('RAX', (8 * 2)) CCall_IOCTL += x64.Jz(":SETUP_1_ARGS") CCall_IOCTL += x64.Jmp(":SETUP_0_ARGS") CCall_IOCTL += x64.Label(":SETUP_4_ARGS") CCall_IOCTL += x64.Mov('R9', x64.mem('[R10 + 0x20]')) CCall_IOCTL += x64.Label(":SETUP_3_ARGS") CCall_IOCTL += x64.Mov('R8', x64.mem('[R10 + 0x18]')) CCall_IOCTL += x64.Label(":SETUP_2_ARGS") CCall_IOCTL += x64.Mov('RDX', x64.mem('[R10 + 0x10]')) CCall_IOCTL += x64.Label(":SETUP_1_ARGS") CCall_IOCTL += x64.Mov('RCX', x64.mem('[R10 + 8]')) CCall_IOCTL += x64.Label(":SETUP_0_ARGS") CCall_IOCTL += x64.Mov('RAX', x64.mem('[R10]')) # Fix Reserve space (calling convention) CCall_IOCTL += x64.Push('RDI') CCall_IOCTL += x64.Push('RDI') CCall_IOCTL += x64.Push('RDI') CCall_IOCTL += x64.Push('RDI') CCall_IOCTL += x64.Call('RAX') CCall_IOCTL += x64.Mov('RDX', self.IRP_OUTPUT_BUFFER) CCall_IOCTL += x64.Mov(x64.mem('[RDX]'), 'RAX') CCall_IOCTL += x64.Xor('RAX', 'RAX') CCall_IOCTL += x64.Add('RSP', 'R15') CCall_IOCTL += x64.Ret() CCall_IOCTL += x64.Label(":FAIL") CCall_IOCTL += x64.Mov('RAX', 0x0C000000D) CCall_IOCTL += x64.Ret() self.upgrade_driver_add_new_ioctl_handler(DU_KCALL_IOCTL, CCall_IOCTL.get_code())
def get_peb_addr(self): dest = self.virtual_alloc(0x1000) if self.bitness == 32: store_peb = x86.MultipleInstr() store_peb += x86.Mov('EAX', x86.mem('fs:[0x30]')) store_peb += x86.Mov(x86.create_displacement(disp=dest), 'EAX') store_peb += x86.Ret() get_peb_code = store_peb.get_code() self.write_memory(dest, "\x00" * 4) self.write_memory(dest + 4, get_peb_code) self.create_thread(dest + 4, 0) time.sleep(0.01) peb_addr = struct.unpack("<I", self.read_memory(dest, 4))[0] return peb_addr else: store_peb = x64.MultipleInstr() store_peb += x64.Mov('RAX', x64.mem('gs:[0x60]')) store_peb += x64.Mov(x64.create_displacement(disp=dest), 'RAX') store_peb += x64.Ret() get_peb_code = store_peb.get_code() self.write_memory(dest, "\x00" * 8) self.write_memory(dest + 8, get_peb_code) self.create_thread(dest + 8, 0) time.sleep(0.01) peb_addr = struct.unpack("<Q", self.read_memory(dest, 8))[0] return peb_addr
def perform_manual_getproc_loadlib_64_for_dbg(target, dll_name): dll = "KERNEL32.DLL\x00".encode("utf-16-le") api = "LoadLibraryA\x00" dll_to_load = dll_name + "\x00" RemoteManualLoadLibray = x64.MultipleInstr() code = RemoteManualLoadLibray code += x64.Mov("R15", "RCX") code += x64.Mov("RCX", x64.mem("[R15 + 0]")) code += x64.Mov("RDX", x64.mem("[R15 + 8]")) code += x64.Call(":FUNC_GETPROCADDRESS64") code += x64.Mov("RCX", x64.mem("[R15 + 0x10]")) code += x64.Push("RCX") code += x64.Push("RCX") code += x64.Push("RCX") code += x64.Call("RAX") # LoadLibrary code += x64.Pop("RCX") code += x64.Pop("RCX") code += x64.Pop("RCX") code += x64.Ret() RemoteManualLoadLibray += nativeutils.GetProcAddress64 addr = target.virtual_alloc(0x1000) addr2 = addr + len(dll) addr3 = addr2 + len(api) addr4 = addr3 + len(dll_to_load) target.write_memory(addr, dll) target.write_memory(addr2, api) target.write_memory(addr3, dll_to_load) target.write_qword(addr4, addr) target.write_qword(addr4 + 8, addr2) target.write_qword(addr4 + 0x10, addr3) t = target.execute(RemoteManualLoadLibray.get_code(), addr4) return t
def test_execute_to_64(self, proc64): with proc64.allocated_memory(0x1000) as addr: shellcode = x64.MultipleInstr() shellcode += x64.Mov('RAX', 0x4242424243434343) shellcode += x64.Mov(x64.create_displacement(disp=addr), 'RAX') shellcode += x64.Ret() proc64.execute(shellcode.get_code()) time.sleep(0.1) qword = proc64.read_qword(addr) assert qword == 0x4242424243434343
def test_execute_to_64(self): with Calc64() as calc: data = calc.virtual_alloc(0x1000) shellcode = x64.MultipleInstr() shellcode += x64.Mov('RAX', 0x4242424243434343) shellcode += x64.Mov(x64.create_displacement(disp=data), 'RAX') shellcode += x64.Ret() calc.execute(shellcode.get_code()) time.sleep(0.1) dword = struct.unpack("<Q", calc.read_memory(data, 8))[0] self.assertEqual(dword, 0x4242424243434343)
def test_set_thread_context_64(self, proc64): code = x64.MultipleInstr() code += x64.Label(":LOOP") code += x64.Jmp(":LOOP") data_len = len(code.get_code()) code += x64.Ret() t = proc64.execute(code.get_code()) time.sleep(0.1) assert proc64.is_exit == False t.suspend() ctx = t.context ctx.Rip += data_len ctx.Rax = 0x11223344 t.set_context(ctx) t.resume() time.sleep(0.1) assert t.exit_code == 0x11223344
def generate_write_at(addr): res = x64.MultipleInstr() res += x64.Mov(x64.deref(addr), "RAX") res += x64.Ret() return res.get_code()
def generate_read_at(addr): res = x64.MultipleInstr() res += x64.Mov("RAX", x64.deref(addr)) res += x64.Ret() return res.get_code()
RemoteManualLoadLibray = x64.MultipleInstr() c = RemoteManualLoadLibray c += x64.Mov("R15", "RCX") c += x64.Mov("RCX", x64.mem("[R15 + 0]")) c += x64.Mov("RDX", x64.mem("[R15 + 8]")) c += x64.Call(":FUNC_GETPROCADDRESS64") c += x64.Mov("RCX", x64.mem("[R15 + 0x10]")) c += x64.Push("RCX") c += x64.Push("RCX") c += x64.Push("RCX") c += x64.Call("RAX") c += x64.Pop("RCX") c += x64.Pop("RCX") c += x64.Pop("RCX") c += x64.Ret() RemoteManualLoadLibray += GetProcAddress64 calc = windows.test.pop_calc_64(dwCreationFlags=CREATE_SUSPENDED) addr = calc.virtual_alloc(0x1000) addr2 = addr + len(dll) addr3 = addr2 + len(api) addr4 = addr3 + len(dll_to_load) calc.write_memory(addr, dll) calc.write_memory(addr2, api) calc.write_memory(addr3, dll_to_load) calc.write_qword(addr4, addr) calc.write_qword(addr4 + 8, addr2)
def generate_syswow64_call(target, errcheck=None): nb_args = len(target.prototype._argtypes_) target_addr = get_syswow_ntdll_exports()[target.__name__] argument_buffer_len = (nb_args * 8) argument_buffer = windows.current_process.allocator.reserve_size(argument_buffer_len) alignement_information = windows.current_process.allocator.reserve_size(8) nb_args_on_stack = max(nb_args - 4, 0) code_64b = x64.MultipleInstr() # Save registers code_64b += x64.Push('RBX') code_64b += x64.Push('RCX') code_64b += x64.Push('RDX') code_64b += x64.Push('RSI') code_64b += x64.Push('RDI') code_64b += x64.Push('R8') code_64b += x64.Push('R9') code_64b += x64.Push('R10') code_64b += x64.Push('R11') code_64b += x64.Push('R12') code_64b += x64.Push('R13') # Alignment stuff :) code_64b += x64.Mov('RCX', 'RSP') code_64b += x64.And('RCX', 0x0f) code_64b += x64.Mov(x64.deref(alignement_information), 'RCX') code_64b += x64.Sub('RSP', 'RCX') # retrieve argument from the argument buffer if nb_args >= 1: code_64b += x64.Mov('RCX', x64.create_displacement(disp=argument_buffer)) if nb_args >= 2: code_64b += x64.Mov('RDX', x64.create_displacement(disp=argument_buffer + (8 * 1))) if nb_args >= 3: code_64b += x64.Mov('R8', x64.create_displacement(disp=argument_buffer + (8 * 2))) if nb_args >= 4: code_64b += x64.Mov('R9', x64.create_displacement(disp=argument_buffer + (8 * 3))) for i in range(nb_args_on_stack): code_64b += x64.Mov('RAX', x64.create_displacement(disp=argument_buffer + 8 * (nb_args - 1 - i))) code_64b += x64.Push('RAX') # reserve space for register (calling convention) code_64b += x64.Push('R9') code_64b += x64.Push('R8') code_64b += x64.Push('RDX') code_64b += x64.Push('RCX') # Call code_64b += x64.Mov('R13', target_addr) code_64b += x64.Call('R13') # Realign stack :) code_64b += x64.Add('RSP', x64.deref(alignement_information)) # Clean stack code_64b += x64.Add('RSP', (4 + nb_args_on_stack) * 8) code_64b += x64.Pop('R13') code_64b += x64.Pop('R12') code_64b += x64.Pop('R11') code_64b += x64.Pop('R10') code_64b += x64.Pop('R9') code_64b += x64.Pop('R8') code_64b += x64.Pop('RDI') code_64b += x64.Pop('RSI') code_64b += x64.Pop('RDX') code_64b += x64.Pop('RCX') code_64b += x64.Pop('RBX') code_64b += x64.Ret() return try_generate_stub_target(code_64b.get_code(), argument_buffer, target, errcheck=errcheck)
class CurrentProcess(Process): """The current process""" get_peb = None get_peb_32_code = x86.MultipleInstr() get_peb_32_code += x86.Mov('EAX', x86.mem('fs:[0x30]')) get_peb_32_code += x86.Ret() get_peb_32_code = get_peb_32_code.get_code() get_peb_64_code = x64.MultipleInstr() get_peb_64_code += x64.Mov('RAX', x64.mem('gs:[0x60]')) get_peb_64_code += x64.Ret() get_peb_64_code = get_peb_64_code.get_code() allocator = native_exec.native_function.allocator def get_peb_builtin(self): if self.get_peb is not None: return self.get_peb if self.bitness == 32: get_peb = native_exec.create_function(self.get_peb_32_code, [PVOID]) else: get_peb = native_exec.create_function(self.get_peb_64_code, [PVOID]) self.get_peb = get_peb return get_peb def _get_handle(self): return winproxy.GetCurrentProcess() def __del__(self): pass @property def pid(self): """Process ID :type: int """ return os.getpid() # Is there a better way ? @utils.fixedpropety def ppid(self): """Parent Process ID :type: int """ return [p for p in windows.system.processes if p.pid == self.pid][0].ppid @utils.fixedpropety def peb(self): """The Process Environment Block of the current process :type: :class:`PEB` """ return PEB.from_address(self.get_peb_builtin()()) @utils.fixedpropety def bitness(self): """The bitness of the process :returns: int -- 32 or 64""" import platform bits = platform.architecture()[0] return int(bits[:2]) def virtual_alloc(self, size): """Allocate memory in the current process :returns: int """ return winproxy.VirtualAlloc(dwSize=size) def write_memory(self, addr, data): """Write data at addr""" buffertype = (c_char * len(data)).from_address(addr) buffertype[:len(data)] = data return True def read_memory(self, addr, size): """Read size from adddr""" dbgprint('Read CurrentProcess Memory', 'READMEM') buffer = (c_char * size).from_address(addr) return buffer[:] def create_thread(self, lpStartAddress, lpParameter, dwCreationFlags=0): """Create a new thread .. note:: CreateThread https://msdn.microsoft.com/en-us/library/windows/desktop/ms682453%28v=vs.85%29.aspx """ handle = winproxy.CreateThread(lpStartAddress=lpStartAddress, lpParameter=lpParameter, dwCreationFlags=dwCreationFlags) return WinThread._from_handle(handle) def exit(self, code=0): """Exit the process""" return winproxy.ExitProcess(code)
StrlenW64 = x64.MultipleInstr() StrlenW64 += x64.Label(":FUNC_STRLENW64") StrlenW64 += x64.Push("RCX") StrlenW64 += x64.Push("RDI") StrlenW64 += x64.Mov("RDI", "RCX") StrlenW64 += x64.Xor("RAX", "RAX") StrlenW64 += x64.Xor("RCX", "RCX") StrlenW64 += x64.Dec("RCX") StrlenW64 += x64.Repne + x64.ScasW() StrlenW64 += x64.Not("RCX") StrlenW64 += x64.Dec("RCX") StrlenW64 += x64.Mov("RAX", "RCX") StrlenW64 += x64.Pop("RDI") StrlenW64 += x64.Pop("RCX") StrlenW64 += x64.Ret() StrlenA64 = x64.MultipleInstr() StrlenA64 += x64.Label(":FUNC_STRLENA64") StrlenA64 += x64.Push("RCX") StrlenA64 += x64.Push("RDI") StrlenA64 += x64.Mov("RDI", "RCX") StrlenA64 += x64.Xor("RAX", "RAX") StrlenA64 += x64.Xor("RCX", "RCX") StrlenA64 += x64.Dec("RCX") StrlenA64 += x64.Repne + x64.ScasB() StrlenA64 += x64.Not("RCX") StrlenA64 += x64.Dec("RCX") StrlenA64 += x64.Mov("RAX", "RCX") StrlenA64 += x64.Pop("RDI") StrlenA64 += x64.Pop("RCX")
class CurrentProcess(Process): """The current process""" get_peb = None get_peb_32_code = x86.MultipleInstr() get_peb_32_code += x86.Mov('EAX', x86.mem('fs:[0x30]')) get_peb_32_code += x86.Ret() get_peb_32_code = get_peb_32_code.get_code() get_peb_64_code = x64.MultipleInstr() get_peb_64_code += x64.Mov('RAX', x64.mem('gs:[0x60]')) get_peb_64_code += x64.Ret() get_peb_64_code = get_peb_64_code.get_code() allocator = native_exec.native_function.allocator # Use RtlGetCurrentPeb ? def get_peb_builtin(self): if self.get_peb is not None: return self.get_peb if self.bitness == 32: get_peb = native_exec.create_function(self.get_peb_32_code, [PVOID]) else: get_peb = native_exec.create_function(self.get_peb_64_code, [PVOID]) self.get_peb = get_peb return get_peb def _get_handle(self): return winproxy.GetCurrentProcess() def __del__(self): pass @property def pid(self): """Process ID :type: :class:`int` """ return os.getpid() # Is there a better way ? @utils.fixedpropety def ppid(self): """Parent Process ID :type: :class:`int` """ return [p for p in windows.system.processes if p.pid == self.pid][0].ppid @utils.fixedpropety def peb(self): """The Process Environment Block of the current process :type: :class:`PEB` """ return PEB.from_address(self.get_peb_builtin()()) @utils.fixedpropety def bitness(self): """The bitness of the process :type: :class:`int` -- 32 or 64 """ import platform bits = platform.architecture()[0] return int(bits[:2]) def virtual_alloc(self, size, prot=PAGE_EXECUTE_READWRITE): """Allocate memory in the process :return: The address of the allocated memory :rtype: :class:`int` """ return winproxy.VirtualAlloc(dwSize=size, flProtect=prot) def virtual_free(self, addr): """Free memory in the process by virtual_alloc""" return winproxy.VirtualFree(addr) def write_memory(self, addr, data): """Write data at addr""" buffertype = (c_char * len(data)).from_address(addr) buffertype[:len(data)] = data return True def read_memory(self, addr, size): """Read ``size`` from ``addr`` :return: The data read :rtype: :class:`str` """ dbgprint('Read CurrentProcess Memory', 'READMEM') buffer = (c_char * size).from_address(addr) return buffer[:] def create_thread(self, lpStartAddress, lpParameter, dwCreationFlags=0): """Create a new thread :rtype: :class:`WinThread` or :class:`DeadThread` """ handle = winproxy.CreateThread(lpStartAddress=lpStartAddress, lpParameter=lpParameter, dwCreationFlags=dwCreationFlags) return WinThread._from_handle(handle) def execute(self, code, parameter=0): """Execute native code ``code`` in the current thread. :rtype: :class:`int` the return value of the native code""" f = windows.native_exec.create_function(code, [PVOID, PVOID]) return f(parameter) def exit(self, code=0): """Exit the process""" return winproxy.ExitProcess(code) def wait(self, timeout=INFINITE): """Raise :class:`ValueError` to prevent deadlock :D""" raise ValueError("wait() on current thread") @utils.fixedpropety def peb_syswow(self): """The 64bits PEB of a SysWow64 process :type: :class:`PEB` """ if not self.is_wow_64: raise ValueError("Not a syswow process") return windows.syswow64.get_current_process_syswow_peb()
def test_x64_instr_multiply(): res = x64.MultipleInstr() res += (x64.Nop() * 5) res += x64.Ret() assert res.get_code() == b"\x90\x90\x90\x90\x90\xc3"
print("current process is a SysWow64 process ? <{cp.is_wow_64}>".format(cp=cp)) print("current process pid <{cp.pid}> and ppid <{cp.ppid}>".format(cp=cp)) print("Here are the current process threads: <{cp.threads}>".format(cp=cp)) print("Let's execute some native code ! (0x41 + 1)") if windows.current_process.bitness == 32: # Let's generate some native code code = x86.MultipleInstr() code += x86.Mov("Eax", 0x41) code += x86.Inc("EAX") code += x86.Ret() else: code = x64.MultipleInstr() code += x64.Mov("RAX", 0x41) code += x64.Inc("RAX") code += x64.Ret() native_code = code.get_code() v = windows.current_process.execute(native_code) print("Native code returned <{0}>".format(hex(v))) print("Allocating memory in current process") addr = cp.virtual_alloc(0x1000) # Default alloc is RWX (so secure !) print("Allocated memory is at <{0}>".format(hex(addr))) print("Writing 'SOME STUFF' in allocation memory") cp.write_memory(addr, "SOME STUFF") print("Reading memory : <{0}>".format(repr(cp.read_memory(addr, 20))))