def sc_64_WinExec(exe):
dll = bytes("KERNEL32.DLL\x00".encode("utf-16-le"))
api = b"WinExec\x00"
if PY3 and isinstance(exe, str):
exe = bytes(exe.encode())
WinExec64_sc = x64.MultipleInstr()
WinExec64_sc += shellcraft.amd64.pushstr(dll)
WinExec64_sc += x64.Mov("RCX", "RSP")
WinExec64_sc += shellcraft.amd64.pushstr(api)
WinExec64_sc += x64.Mov("RDX", "RSP")
WinExec64_sc += x64.Call(":FUNC_GETPROCADDRESS64")
WinExec64_sc += x64.Mov("R10", "RAX")
WinExec64_sc += shellcraft.amd64.pushstr(exe)
WinExec64_sc += x64.Mov("RCX", "RSP")
WinExec64_sc += x64.Sub("RSP", 0x30)
WinExec64_sc += x64.And("RSP", -32)
WinExec64_sc += x64.Call("R10")
WinExec64_sc += x64.Label(":HERE")
WinExec64_sc += x64.Jmp(":HERE")
WinExec64_sc += windows.native_exec.nativeutils.GetProcAddress64 # Dirty infinite loop
#WinExec64_sc +=# x64.Ret(),
return WinExec64_sc.get_code()
def generate_64bits_execution_stub_from_syswow(x64shellcode):
"""shellcode must NOT end by a ret"""
current_process = windows.current_process
if not current_process.is_wow_64:
raise ValueError(
"Calling generate_64bits_execution_stub_from_syswow from non-syswow process"
)
transition64 = x64.MultipleInstr()
transition64 += x64.Call(":TOEXEC")
transition64 += x64.Mov("RDX", "RAX")
transition64 += x64.Shr("RDX", 32)
transition64 += x64.Retf32() # 32 bits return addr
transition64 += x64.Label(":TOEXEC")
x64shellcodeaddr = windows.current_process.allocator.write_code(
transition64.get_code() + x64shellcode)
transition = x86.MultipleInstr()
transition += x86.Call(CS_64bits, x64shellcodeaddr)
transition += x86.Ret()
stubaddr = windows.current_process.allocator.write_code(
transition.get_code())
exec_stub = ctypes.CFUNCTYPE(ULONG64)(stubaddr)
return exec_stub
def sc_64_LoadLibrary(dll_path):
dll = bytes("KERNEL32.DLL\x00".encode("utf-16-le"))
api = b"LoadLibraryA\x00"
if PY3 and isinstance(dll_path, str):
dll_path = bytes(dll_path.encode())
LoadLibrary64_sc = x64.MultipleInstr()
LoadLibrary64_sc += shellcraft.amd64.pushstr(dll)
LoadLibrary64_sc += x64.Mov("RCX", "RSP")
LoadLibrary64_sc += shellcraft.amd64.pushstr(api)
LoadLibrary64_sc += x64.Mov("RDX", "RSP")
LoadLibrary64_sc += x64.Call(":FUNC_GETPROCADDRESS64")
LoadLibrary64_sc += x64.Mov("R10", "RAX")
LoadLibrary64_sc += shellcraft.amd64.pushstr(dll_path)
LoadLibrary64_sc += x64.Mov("RCX", "RSP")
LoadLibrary64_sc += x64.Sub("RSP", 0x30)
LoadLibrary64_sc += x64.And("RSP", -32)
LoadLibrary64_sc += x64.Call("R10")
LoadLibrary64_sc += x64.Label(":HERE")
LoadLibrary64_sc += x64.Jmp(":HERE")
LoadLibrary64_sc += windows.native_exec.nativeutils.GetProcAddress64
return LoadLibrary64_sc.get_code()
def get_peb_addr(self):
dest = self.virtual_alloc(0x1000)
if self.bitness == 32:
store_peb = x86.MultipleInstr()
store_peb += x86.Mov('EAX', x86.mem('fs:[0x30]'))
store_peb += x86.Mov(x86.create_displacement(disp=dest), 'EAX')
store_peb += x86.Ret()
get_peb_code = store_peb.get_code()
self.write_memory(dest, "\x00" * 4)
self.write_memory(dest + 4, get_peb_code)
self.create_thread(dest + 4, 0)
time.sleep(0.01)
peb_addr = struct.unpack("<I", self.read_memory(dest, 4))[0]
return peb_addr
else:
store_peb = x64.MultipleInstr()
store_peb += x64.Mov('RAX', x64.mem('gs:[0x60]'))
store_peb += x64.Mov(x64.create_displacement(disp=dest), 'RAX')
store_peb += x64.Ret()
get_peb_code = store_peb.get_code()
self.write_memory(dest, "\x00" * 8)
self.write_memory(dest + 8, get_peb_code)
self.create_thread(dest + 8, 0)
time.sleep(0.01)
peb_addr = struct.unpack("<Q", self.read_memory(dest, 8))[0]
return peb_addr
def sc_64_AllocRWX(address, rwx_qword):
dll = "KERNEL32.DLL\x00".encode("utf-16-le")
api = "VirtualAlloc\x00"
AllocRWX64_sc = x64.MultipleInstr()
map(AllocRWX64_sc.__iadd__, [
shellcraft.amd64.pushstr(dll),
x64.Mov("RCX", "RSP"),
shellcraft.amd64.pushstr(api),
x64.Mov("RDX", "RSP"),
x64.Call(":FUNC_GETPROCADDRESS64"),
x64.Mov("R10", "RAX"),
x64.Mov("RCX", address),
x64.Mov("RDX", 0x1000),
x64.Mov("R8", MEM_COMMIT | MEM_RESERVE),
x64.Mov("R9", PAGE_EXECUTE_READWRITE),
x64.Sub("RSP", 0x30),
x64.And("RSP", -32),
x64.Call("R10"),
x64.Mov('RAX', rwx_qword),
x64.Mov("RCX", address),
x64.Mov(x64.mem('[RCX]'), 'RAX'),
x64.Call("RCX"),
windows.native_exec.nativeutils.GetProcAddress64,
])
return AllocRWX64_sc.get_code()
def generate_64bits_execution_stub_from_syswow(x64shellcode):
"""shellcode must NOT end by a ret"""
current_process = windows.current_process
if not current_process.is_wow_64:
raise ValueError(
"Calling generate_64bits_execution_stub_from_syswow from non-syswow process"
)
transition64 = x64.MultipleInstr()
transition64 += x64.Call(":TOEXEC")
transition64 += x64.Mov("RDX", "RAX")
transition64 += x64.Shr("RDX", 32)
transition64 += x64.Retf32() # 32 bits return addr
transition64 += x64.Label(":TOEXEC")
x64shellcodeaddr = thread_state.allocator.write_code(
transition64.get_code() + x64shellcode)
transition = x86.MultipleInstr()
transition += x86.Call(CS_64bits, x64shellcodeaddr)
# Reset the SS segment selector.
# We need to do that due to a bug in AMD CPUs with RETF & SS
# https://github.com/hakril/PythonForWindows/issues/10
# http://blog.rewolf.pl/blog/?p=1484
transition += x86.Mov("ECX", "SS")
transition += x86.Mov("SS", "ECX")
transition += x86.Ret()
stubaddr = thread_state.allocator.write_code(transition.get_code())
exec_stub = ctypes.CFUNCTYPE(ULONG64)(stubaddr)
return exec_stub
def register_alloc_memory(self):
ExAllocatePoolWithTag = self.kdbg.get_symbol_offset("nt!ExAllocatePoolWithTag")
if ExAllocatePoolWithTag is None:
raise ValueError("Could not resolve <ExAllocatePoolWithTag>")
INPUT_BUFFER_ALLOC_TYPE = x64.mem('[RCX]')
INPUT_BUFFER_ALLOC_SIZE = x64.mem('[RCX + 0x8]')
INPUT_BUFFER_ALLOC_TAG = x64.mem('[RCX + 0x10]')
Alloc_IOCTL = x64.MultipleInstr()
Alloc_IOCTL += x64.Cmp(self.IO_STACK_INPUT_BUFFER_LEN, 0x18)
Alloc_IOCTL += x64.Jnz(':FAIL')
Alloc_IOCTL += x64.Mov('RCX', self.IO_STACK_INPUT_BUFFER)
Alloc_IOCTL += x64.Mov('R8', INPUT_BUFFER_ALLOC_TAG)
Alloc_IOCTL += x64.Mov('RDX', INPUT_BUFFER_ALLOC_SIZE)
Alloc_IOCTL += x64.Mov('RCX', INPUT_BUFFER_ALLOC_TYPE)
Alloc_IOCTL += x64.Mov('RAX', ExAllocatePoolWithTag)
Alloc_IOCTL += x64.Call('RAX')
Alloc_IOCTL += x64.Mov('RBX', self.IRP_OUTPUT_BUFFER)
Alloc_IOCTL += x64.Mov(x64.mem('[RBX]'), 'RAX')
Alloc_IOCTL += x64.Xor('RAX', 'RAX')
Alloc_IOCTL += x64.Ret()
Alloc_IOCTL += x64.Label(":FAIL")
Alloc_IOCTL += x64.Mov('RAX', 0x0C000000D)
Alloc_IOCTL += x64.Ret()
self.upgrade_driver_add_new_ioctl_handler(DU_MEMALLOC_IOCTL, Alloc_IOCTL.get_code())
def perform_manual_getproc_loadlib_64_for_dbg(target, dll_name):
dll = "KERNEL32.DLL\x00".encode("utf-16-le")
api = "LoadLibraryA\x00"
dll_to_load = dll_name + "\x00"
RemoteManualLoadLibray = x64.MultipleInstr()
code = RemoteManualLoadLibray
code += x64.Mov("R15", "RCX")
code += x64.Mov("RCX", x64.mem("[R15 + 0]"))
code += x64.Mov("RDX", x64.mem("[R15 + 8]"))
code += x64.Call(":FUNC_GETPROCADDRESS64")
code += x64.Mov("RCX", x64.mem("[R15 + 0x10]"))
code += x64.Push("RCX")
code += x64.Push("RCX")
code += x64.Push("RCX")
code += x64.Call("RAX") # LoadLibrary
code += x64.Pop("RCX")
code += x64.Pop("RCX")
code += x64.Pop("RCX")
code += x64.Ret()
RemoteManualLoadLibray += nativeutils.GetProcAddress64
addr = target.virtual_alloc(0x1000)
addr2 = addr + len(dll)
addr3 = addr2 + len(api)
addr4 = addr3 + len(dll_to_load)
target.write_memory(addr, dll)
target.write_memory(addr2, api)
target.write_memory(addr3, dll_to_load)
target.write_qword(addr4, addr)
target.write_qword(addr4 + 8, addr2)
target.write_qword(addr4 + 0x10, addr3)
t = target.execute(RemoteManualLoadLibray.get_code(), addr4)
return t
def register_io_in(self):
in_ioctl = x64.MultipleInstr()
INPUT_BUFFER_SIZE = x64.mem('[RCX]')
INPUT_BUFFER_PORT = x64.mem('[RCX + 8]')
in_ioctl += x64.Cmp(self.IO_STACK_INPUT_BUFFER_LEN, 0x10) # size indicator / port
in_ioctl += x64.Jnz(":FAIL")
in_ioctl += x64.Mov('RCX', self.IO_STACK_INPUT_BUFFER)
in_ioctl += x64.Mov('RDX', INPUT_BUFFER_PORT)
in_ioctl += x64.Mov('RCX', INPUT_BUFFER_SIZE)
in_ioctl += x64.Cmp('RCX', 0x1)
in_ioctl += x64.Jnz(":OUT_2_OR_4")
in_ioctl += x64.In('AL', 'DX')
in_ioctl += x64.Jmp(':SUCCESS')
in_ioctl += x64.Label(":OUT_2_OR_4")
in_ioctl += x64.Cmp('RCX', 0x2)
in_ioctl += x64.Jnz(":OUT_4")
in_ioctl += x64.In('AX', 'DX')
in_ioctl += x64.Jmp(':SUCCESS')
in_ioctl += x64.Label(":OUT_4")
in_ioctl += x64.In('EAX', 'DX')
in_ioctl += x64.Label(":SUCCESS")
in_ioctl += x64.Mov('RDX', self.IRP_OUTPUT_BUFFER)
in_ioctl += x64.Mov(x64.mem('[RDX]'), 'RAX')
in_ioctl += x64.Xor('RAX', 'RAX')
in_ioctl += x64.Ret()
in_ioctl += x64.Label(":FAIL")
in_ioctl += x64.Mov('RAX', 0x0C000000D)
in_ioctl += x64.Ret()
self.upgrade_driver_add_new_ioctl_handler(DU_IN_IOCTL, in_ioctl.get_code())
def register_io_out(self):
out_ioctl = x64.MultipleInstr()
INPUT_BUFFER_SIZE = x64.mem('[RCX]')
INPUT_BUFFER_PORT = x64.mem('[RCX + 8]')
INPUT_BUFFER_VALUE = x64.mem('[RCX + 0x10]')
out_ioctl += x64.Cmp(self.IO_STACK_INPUT_BUFFER_LEN, 0x18) # size indicator / port / value
out_ioctl += x64.Jnz(":FAIL")
out_ioctl += x64.Mov('RCX', self.IO_STACK_INPUT_BUFFER)
out_ioctl += x64.Mov('RDX', INPUT_BUFFER_PORT)
out_ioctl += x64.Mov('RAX', INPUT_BUFFER_VALUE)
out_ioctl += x64.Mov('RCX', INPUT_BUFFER_SIZE)
out_ioctl += x64.Cmp('RCX', 0x1)
out_ioctl += x64.Jnz(":OUT_2_OR_4")
out_ioctl += x64.Out('DX', 'AL')
out_ioctl += x64.Jmp(':SUCCESS')
out_ioctl += x64.Label(":OUT_2_OR_4")
out_ioctl += x64.Cmp('RCX', 0x2)
out_ioctl += x64.Jnz(":OUT_4")
out_ioctl += x64.Out('DX', 'AX')
out_ioctl += x64.Jmp(':SUCCESS')
out_ioctl += x64.Label(":OUT_4")
out_ioctl += x64.Out('DX', 'EAX')
out_ioctl += x64.Label(":SUCCESS")
out_ioctl += x64.Xor('RAX', 'RAX')
out_ioctl += x64.Ret()
out_ioctl += x64.Label(":FAIL")
out_ioctl += x64.Mov('RAX', 0x0C000000D)
out_ioctl += x64.Ret()
self.upgrade_driver_add_new_ioctl_handler(DU_OUT_IOCTL, out_ioctl.get_code())
def test_x64_multiple_instr_add_instr_and_str():
res = x64.MultipleInstr()
res += x64.Nop()
res += "ret; ret; label :offset_3; ret"
res += x64.Nop()
res += x64.Label(":offset_5")
assert res.get_code() == b"\x90\xc3\xc3\xc3\x90"
assert res.labels == {":offset_3": 3, ":offset_5": 5}
def test_get_context_address_64(self, proc64):
code = x64.MultipleInstr()
code += x64.Mov("RAX", 0x4242424243434343)
code += x64.Label(":LOOP")
code += x64.Jmp(":LOOP")
t = proc64.execute(code.get_code())
time.sleep(0.5)
cont = t.context
assert cont.Rax == 0x4242424243434343
def test_get_context_address_64(self):
with Calc64() as calc:
code = x64.MultipleInstr()
code += x64.Mov("RAX", 0x4242424243434343)
code += x64.Label(":LOOP")
code += x64.Jmp(":LOOP")
t = calc.execute(code.get_code())
time.sleep(0.5)
cont = t.context
self.assertEqual(cont.Rax, 0x4242424243434343)
def sc_64_pushstr(s):
if not s.endswith('\0'):
s += '\0\0'
PushStr_sc = x64.MultipleInstr()
# TODO: Use xor_pair to avoid NULL
for block in cut(s, 8)[::-1]:
block += '\0' * (8 - len(block))
PushStr_sc += x64.Mov("RAX", u64(block))
PushStr_sc += x64.Push("RAX")
return PushStr_sc
def get_current_process_syswow_peb_addr():
current_process = windows.current_process
dest = current_process.allocator.reserve_size(8)
get_peb_64_code = x64.MultipleInstr()
get_peb_64_code += x64.Mov('RAX', x64.mem('gs:[0x60]'))
get_peb_64_code += x64.Mov(x64.create_displacement(disp=dest), 'RAX')
current_process.write_memory(dest, "\x00" * 8)
execute_64bits_code_from_syswow(get_peb_64_code.get_code())
peb_addr = struct.unpack("<Q", current_process.read_memory(dest, 8))[0]
return peb_addr
def test_execute_to_64(self, proc64):
with proc64.allocated_memory(0x1000) as addr:
shellcode = x64.MultipleInstr()
shellcode += x64.Mov('RAX', 0x4242424243434343)
shellcode += x64.Mov(x64.create_displacement(disp=addr), 'RAX')
shellcode += x64.Ret()
proc64.execute(shellcode.get_code())
time.sleep(0.1)
qword = proc64.read_qword(addr)
assert qword == 0x4242424243434343
def get_current_process_syswow_peb_addr():
current_process = windows.current_process
dest = current_process.virtual_alloc(0x1000)
get_peb_64_code = codecs.decode(b"65488B042560000000", 'hex')
store_peb = x64.MultipleInstr()
store_peb += x64.Mov(x64.create_displacement(disp=dest), 'RAX')
get_peb_64_code += store_peb.get_code()
current_process.write_memory(dest, "\x00" * 8)
windows.syswow64.execute_64bits_code_from_syswow(get_peb_64_code)
peb_addr = struct.unpack("<Q", current_process.read_memory(dest, 8))[0]
return peb_addr
def register_kernel_call(self):
# expect in buffer: the address to call and all dword to push on the stack
CCall_IOCTL = x64.MultipleInstr()
CCall_IOCTL += x64.Mov('RAX', self.IO_STACK_INPUT_BUFFER_LEN)
CCall_IOCTL += x64.Cmp('RAX', 0)
CCall_IOCTL += x64.Jz(":FAIL") # Need at least the function to call
CCall_IOCTL += x64.Mov('R15', 4 * 8) # Size to pop on the stack at the end (4 * push RDI)
CCall_IOCTL += x64.Mov('R10', self.IO_STACK_INPUT_BUFFER)
CCall_IOCTL += x64.Label(':PUSH_NEXT_ARG')
CCall_IOCTL += x64.Cmp('RAX', (8 * 5))
CCall_IOCTL += x64.Jbe(":SETUP_REG_ARGS")
CCall_IOCTL += x64.Sub('RAX', 8)
INPUT_BUFFER_NEXT_ARG = x64.create_displacement(base='R10', index='RAX')
CCall_IOCTL += x64.Mov('RBX', INPUT_BUFFER_NEXT_ARG)
CCall_IOCTL += x64.Push('RBX')
CCall_IOCTL += x64.Add('R15', 8) # Add at Size to pop on the stack at the end
CCall_IOCTL += x64.Jmp(':PUSH_NEXT_ARG')
CCall_IOCTL += x64.Label(":SETUP_REG_ARGS")
# Could be done in a loop
# But do I really want to generate x86 in a loop..
CCall_IOCTL += x64.Cmp('RAX', (8 * 5))
CCall_IOCTL += x64.Jz(":SETUP_4_ARGS")
CCall_IOCTL += x64.Cmp('RAX', (8 * 4))
CCall_IOCTL += x64.Jz(":SETUP_3_ARGS")
CCall_IOCTL += x64.Cmp('RAX', (8 * 3))
CCall_IOCTL += x64.Jz(":SETUP_2_ARGS")
CCall_IOCTL += x64.Cmp('RAX', (8 * 2))
CCall_IOCTL += x64.Jz(":SETUP_1_ARGS")
CCall_IOCTL += x64.Jmp(":SETUP_0_ARGS")
CCall_IOCTL += x64.Label(":SETUP_4_ARGS")
CCall_IOCTL += x64.Mov('R9', x64.mem('[R10 + 0x20]'))
CCall_IOCTL += x64.Label(":SETUP_3_ARGS")
CCall_IOCTL += x64.Mov('R8', x64.mem('[R10 + 0x18]'))
CCall_IOCTL += x64.Label(":SETUP_2_ARGS")
CCall_IOCTL += x64.Mov('RDX', x64.mem('[R10 + 0x10]'))
CCall_IOCTL += x64.Label(":SETUP_1_ARGS")
CCall_IOCTL += x64.Mov('RCX', x64.mem('[R10 + 8]'))
CCall_IOCTL += x64.Label(":SETUP_0_ARGS")
CCall_IOCTL += x64.Mov('RAX', x64.mem('[R10]'))
# Fix Reserve space (calling convention)
CCall_IOCTL += x64.Push('RDI')
CCall_IOCTL += x64.Push('RDI')
CCall_IOCTL += x64.Push('RDI')
CCall_IOCTL += x64.Push('RDI')
CCall_IOCTL += x64.Call('RAX')
CCall_IOCTL += x64.Mov('RDX', self.IRP_OUTPUT_BUFFER)
CCall_IOCTL += x64.Mov(x64.mem('[RDX]'), 'RAX')
CCall_IOCTL += x64.Xor('RAX', 'RAX')
CCall_IOCTL += x64.Add('RSP', 'R15')
CCall_IOCTL += x64.Ret()
CCall_IOCTL += x64.Label(":FAIL")
CCall_IOCTL += x64.Mov('RAX', 0x0C000000D)
CCall_IOCTL += x64.Ret()
self.upgrade_driver_add_new_ioctl_handler(DU_KCALL_IOCTL, CCall_IOCTL.get_code())
def test_execute_to_64(self):
with Calc64() as calc:
data = calc.virtual_alloc(0x1000)
shellcode = x64.MultipleInstr()
shellcode += x64.Mov('RAX', 0x4242424243434343)
shellcode += x64.Mov(x64.create_displacement(disp=data), 'RAX')
shellcode += x64.Ret()
calc.execute(shellcode.get_code())
time.sleep(0.1)
dword = struct.unpack("<Q", calc.read_memory(data, 8))[0]
self.assertEqual(dword, 0x4242424243434343)
def NtCreateThreadEx_32_to_64(process, addr, param):
NtCreateThreadEx = get_NtCreateThreadEx_syswow_addr()
create_thread = x64.MultipleInstr()
# Save registers
create_thread += x64.Push('RBX')
create_thread += x64.Push('RCX')
create_thread += x64.Push('RDX')
create_thread += x64.Push('RSI')
create_thread += x64.Push('RDI')
create_thread += x64.Push('R8')
create_thread += x64.Push('R9')
create_thread += x64.Push('R10')
create_thread += x64.Push('R11')
create_thread += x64.Push('R12')
create_thread += x64.Push('R13')
# Setup args
create_thread += x64.Push(0)
create_thread += x64.Mov('RCX', 'RSP') # Arg1
create_thread += x64.Mov('RDX', 0x1fffff) # Arg2
create_thread += x64.Mov('R8', 0) # Arg3
create_thread += x64.Mov('R9', process.handle) # Arg4
create_thread += x64.Mov('RAX', 0)
create_thread += x64.Push('RAX') # Arg11
create_thread += x64.Push('RAX') # Arg10
create_thread += x64.Push('RAX') # Arg9
create_thread += x64.Push('RAX') # Arg8
create_thread += x64.Push('RAX') # Arg7
create_thread += x64.Mov('RAX', param)
create_thread += x64.Push('RAX') # Arg6
create_thread += x64.Mov('RAX', addr)
create_thread += x64.Push('RAX') # Arg5
# reserve space for register (calling convention)
create_thread += x64.Push('R9')
create_thread += x64.Push('R8')
create_thread += x64.Push('RDX')
create_thread += x64.Push('RCX')
# Call
create_thread += x64.Mov('R13', NtCreateThreadEx)
create_thread += x64.Call('R13')
# Clean stack
create_thread += x64.Add('RSP', 12 * 8)
create_thread += x64.Pop('R13')
create_thread += x64.Pop('R12')
create_thread += x64.Pop('R11')
create_thread += x64.Pop('R10')
create_thread += x64.Pop('R9')
create_thread += x64.Pop('R8')
create_thread += x64.Pop('RDI')
create_thread += x64.Pop('RSI')
create_thread += x64.Pop('RDX')
create_thread += x64.Pop('RCX')
create_thread += x64.Pop('RBX')
return execute_64bits_code_from_syswow(create_thread.get_code())
def _upgrade_driver_inject_base_upgrade(self):
kldbgdrv = self.kldbgdrv
upgrade = x64.MultipleInstr()
# R14 : IOCODE
# RSI -> IO_STACK_LOCATION
# RDI -> IRP
upgrade = x64.MultipleInstr()
upgrade += x64.Cmp('R14', self.NORMAL_IO_CODE)
upgrade += x64.Jz(self.normal_io_offset - (self.init_driver_offset + len(upgrade.get_code())))
upgrade += x64.Mov('Rax', x64.create_displacement(disp=kldbgdrv + self.HANDLE_ARRAY_ADDR))
upgrade += x64.Label(":LOOP")
upgrade += x64.Mov('RCX', x64.create_displacement('RAX'))
upgrade += x64.Cmp('R14', 'RCX')
upgrade += x64.Jnz(':END')
upgrade += x64.Mov('RAX', x64.create_displacement('RAX', disp=8))
upgrade += x64.Call('RAX')
upgrade += x64.Mov('RBX', 'RAX')
upgrade += x64.JmpAt(kldbgdrv + self.normal_end_offset)
upgrade += x64.Label(":END")
upgrade += x64.Cmp('RCX', 0)
upgrade += x64.Jnz(':NEXT')
upgrade += x64.JmpAt(kldbgdrv + self.fail_offset)
upgrade += x64.Label(":NEXT")
upgrade += x64.Add('RAX', 0x10)
upgrade += x64.Jmp(':LOOP')
self.kdbg.write_pfv_memory(kldbgdrv + self.init_driver_offset, str(upgrade.get_code()))
# Write first array dest
self.write_pfv_ptr(kldbgdrv + self.HANDLE_ARRAY_ADDR, kldbgdrv + self.FIRST_ARRAY_ADDR)
self.write_pfv_ptr(kldbgdrv + self.FIRST_ARRAY_ADDR, 0)
self.write_pfv_ptr(kldbgdrv + self.FIRST_ARRAY_ADDR + 8, 0)
# Jump hijack
jump_init_function = x64.Jmp(self.init_driver_offset - (self.hijack_offset))
self.kdbg.write_pfv_memory(kldbgdrv + self.hijack_offset, str(jump_init_function.get_code()))
self.ioctl_array = kldbgdrv + self.FIRST_ARRAY_ADDR
self.ioctl_array_ptr = kldbgdrv + self.HANDLE_ARRAY_ADDR
self.next_code_addr = kldbgdrv + self.init_driver_offset + len(upgrade.get_code())
self.is_upgraded = True
def test_set_thread_context_64(self, proc64):
code = x64.MultipleInstr()
code += x64.Label(":LOOP")
code += x64.Jmp(":LOOP")
data_len = len(code.get_code())
code += x64.Ret()
t = proc64.execute(code.get_code())
time.sleep(0.1)
assert proc64.is_exit == False
t.suspend()
ctx = t.context
ctx.Rip += data_len
ctx.Rax = 0x11223344
t.set_context(ctx)
t.resume()
time.sleep(0.1)
assert t.exit_code == 0x11223344
def sc_64_LoadLibrary(dll_path):
dll = "KERNEL32.DLL\x00".encode("utf-16-le")
api = "LoadLibraryA\x00"
LoadLibrary64_sc = x64.MultipleInstr()
map(LoadLibrary64_sc.__iadd__, [
shellcraft.amd64.pushstr(dll),
x64.Mov("RCX", "RSP"),
shellcraft.amd64.pushstr(api),
x64.Mov("RDX", "RSP"),
x64.Call(":FUNC_GETPROCADDRESS64"),
x64.Mov("R10", "RAX"),
shellcraft.amd64.pushstr(dll_path),
x64.Mov("RCX", "RSP"),
x64.Sub("RSP", 0x30),
x64.And("RSP", -32),
x64.Call("R10"),
x64.Label(":HERE"),
x64.Jmp(":HERE"), # Dirty infinite loop
# x64.Ret(),
windows.native_exec.nativeutils.GetProcAddress64,
])
return LoadLibrary64_sc.get_code()
def genere_return_32bits_stub(ret_addr):
ret_32b = x64.MultipleInstr()
ret_32b += x64.Mov('RCX', (CS_32bits << 32) + ret_addr)
ret_32b += x64.Push('RCX')
ret_32b += x64.Retf32() # 32 bits return addr
return ret_32b.get_code()
def generate_syswow64_call(target, errcheck=None):
nb_args = len(target.prototype._argtypes_)
target_addr = get_syswow_ntdll_exports()[target.__name__]
argument_buffer_len = (nb_args * 8)
argument_buffer = windows.current_process.allocator.reserve_size(argument_buffer_len)
alignement_information = windows.current_process.allocator.reserve_size(8)
nb_args_on_stack = max(nb_args - 4, 0)
code_64b = x64.MultipleInstr()
# Save registers
code_64b += x64.Push('RBX')
code_64b += x64.Push('RCX')
code_64b += x64.Push('RDX')
code_64b += x64.Push('RSI')
code_64b += x64.Push('RDI')
code_64b += x64.Push('R8')
code_64b += x64.Push('R9')
code_64b += x64.Push('R10')
code_64b += x64.Push('R11')
code_64b += x64.Push('R12')
code_64b += x64.Push('R13')
# Alignment stuff :)
code_64b += x64.Mov('RCX', 'RSP')
code_64b += x64.And('RCX', 0x0f)
code_64b += x64.Mov(x64.deref(alignement_information), 'RCX')
code_64b += x64.Sub('RSP', 'RCX')
# retrieve argument from the argument buffer
if nb_args >= 1:
code_64b += x64.Mov('RCX', x64.create_displacement(disp=argument_buffer))
if nb_args >= 2:
code_64b += x64.Mov('RDX', x64.create_displacement(disp=argument_buffer + (8 * 1)))
if nb_args >= 3:
code_64b += x64.Mov('R8', x64.create_displacement(disp=argument_buffer + (8 * 2)))
if nb_args >= 4:
code_64b += x64.Mov('R9', x64.create_displacement(disp=argument_buffer + (8 * 3)))
for i in range(nb_args_on_stack):
code_64b += x64.Mov('RAX', x64.create_displacement(disp=argument_buffer + 8 * (nb_args - 1 - i)))
code_64b += x64.Push('RAX')
# reserve space for register (calling convention)
code_64b += x64.Push('R9')
code_64b += x64.Push('R8')
code_64b += x64.Push('RDX')
code_64b += x64.Push('RCX')
# Call
code_64b += x64.Mov('R13', target_addr)
code_64b += x64.Call('R13')
# Realign stack :)
code_64b += x64.Add('RSP', x64.deref(alignement_information))
# Clean stack
code_64b += x64.Add('RSP', (4 + nb_args_on_stack) * 8)
code_64b += x64.Pop('R13')
code_64b += x64.Pop('R12')
code_64b += x64.Pop('R11')
code_64b += x64.Pop('R10')
code_64b += x64.Pop('R9')
code_64b += x64.Pop('R8')
code_64b += x64.Pop('RDI')
code_64b += x64.Pop('RSI')
code_64b += x64.Pop('RDX')
code_64b += x64.Pop('RCX')
code_64b += x64.Pop('RBX')
code_64b += x64.Ret()
return try_generate_stub_target(code_64b.get_code(), argument_buffer, target, errcheck=errcheck)
sys.path.append(os.path.abspath(__file__ + "\..\.."))
import windows
import windows.test
import windows.native_exec.simple_x64 as x64
import windows.native_exec.nativeutils
from windows.generated_def.winstructs import *
GetProcAddress64 = windows.native_exec.nativeutils.GetProcAddress64
dll = "KERNEL32.DLL\x00".encode("utf-16-le")
api = "LoadLibraryA\x00"
dll_to_load = "SUCE"
RemoteManualLoadLibray = x64.MultipleInstr()
c = RemoteManualLoadLibray
c += x64.Mov("R15", "RCX")
c += x64.Mov("RCX", x64.mem("[R15 + 0]"))
c += x64.Mov("RDX", x64.mem("[R15 + 8]"))
c += x64.Call(":FUNC_GETPROCADDRESS64")
c += x64.Mov("RCX", x64.mem("[R15 + 0x10]"))
c += x64.Push("RCX")
c += x64.Push("RCX")
c += x64.Push("RCX")
c += x64.Call("RAX")
c += x64.Pop("RCX")
c += x64.Pop("RCX")
c += x64.Pop("RCX")
c += x64.Ret()
def generate_write_at(addr):
res = x64.MultipleInstr()
res += x64.Mov(x64.deref(addr), "RAX")
res += x64.Ret()
return res.get_code()
def generate_read_at(addr):
res = x64.MultipleInstr()
res += x64.Mov("RAX", x64.deref(addr))
res += x64.Ret()
return res.get_code()
def test_x64_instr_multiply():
res = x64.MultipleInstr()
res += (x64.Nop() * 5)
res += x64.Ret()
assert res.get_code() == b"\x90\x90\x90\x90\x90\xc3"
print("current process is {cp}".format(cp=windows.current_process))
print("current process is a <{cp.bitness}> bits process".format(cp=cp))
print("current process is a SysWow64 process ? <{cp.is_wow_64}>".format(cp=cp))
print("current process pid <{cp.pid}> and ppid <{cp.ppid}>".format(cp=cp))
print("Here are the current process threads: <{cp.threads}>".format(cp=cp))
print("Let's execute some native code ! (0x41 + 1)")
if windows.current_process.bitness == 32:
# Let's generate some native code
code = x86.MultipleInstr()
code += x86.Mov("Eax", 0x41)
code += x86.Inc("EAX")
code += x86.Ret()
else:
code = x64.MultipleInstr()
code += x64.Mov("RAX", 0x41)
code += x64.Inc("RAX")
code += x64.Ret()
native_code = code.get_code()
v = windows.current_process.execute(native_code)
print("Native code returned <{0}>".format(hex(v)))
print("Allocating memory in current process")
addr = cp.virtual_alloc(0x1000) # Default alloc is RWX (so secure !)
print("Allocated memory is at <{0}>".format(hex(addr)))
print("Writing 'SOME STUFF' in allocation memory")
cp.write_memory(addr, "SOME STUFF")
