fix x64 crash in dll attach by stack align 0x10

Author: devseed

README.md

@@ -1,6 +1,5 @@
 # MemoryModule
 A tool to parse and load module in memory, as well as attach a DLL in EXE.
-
 Most of the functions are inline, so that it can also be used in shellcode.
 
 ## compile
@@ -33,7 +32,7 @@ winpe_memFreeLibrary(memdll);
 
 // memory loadlibrary at specific address
 size_t targetaddr = sizeof(size_t) > 4 ? 0x140030000: 0x90000;
-memdll = winpe_memLoadLibraryEx(memdll, targetaddr, 
+memdll = winpe_memLoadLibraryEx(mempe, targetaddr, 
     WINPE_LDFLAG_MEMALLOC, (PFN_LoadLibraryA)winpe_findloadlibrarya(), 
     (PFN_GetProcAddress)winpe_memGetProcAddress);
 winpe_memFreeLibrary(memdll);
@@ -58,7 +57,6 @@ These functions are essential to load memory module in windows.
   will load the mempe in a valid imagebase
     return hmodule base
 */
-WINPEDEF WINPE_EXPORT
 inline void* STDCALL winpe_memLoadLibrary(void *mempe);
 
 /*
@@ -69,7 +67,6 @@ inline void* STDCALL winpe_memLoadLibrary(void *mempe);
         must combined with WINPE_LDFLAG_MEMALLOC
     return hmodule base
 */
-WINPEDEF WINPE_EXPORT
 inline void* STDCALL winpe_memLoadLibraryEx(void *mempe, 
     size_t imagebase, DWORD flag,
     PFN_LoadLibraryA pfnLoadLibraryA, 
@@ -79,14 +76,12 @@ inline void* STDCALL winpe_memLoadLibraryEx(void *mempe,
    similar to FreeLibrary, will call dllentry
      return true or false
 */
-WINPEDEF WINPE_EXPORT
 inline BOOL STDCALL winpe_memFreeLibrary(void *mempe);
 
 /*
    FreeLibraryEx with VirtualFree custom function
      return true or false
 */
-WINPEDEF WINPE_EXPORT
 inline BOOL STDCALL winpe_memFreeLibraryEx(void *mempe, 
     PFN_LoadLibraryA pfnLoadLibraryA, 
     PFN_GetProcAddress pfnGetProcAddress);
@@ -95,7 +90,6 @@ inline BOOL STDCALL winpe_memFreeLibraryEx(void *mempe,
    similar to GetProcAddress
      return function va
 */
-WINPEDEF WINPE_EXPORT
 inline PROC STDCALL winpe_memGetProcAddress(
     void *mempe, const char *funcname);
 
@@ -104,21 +98,21 @@ inline PROC STDCALL winpe_memGetProcAddress(
   load the origin rawpe in memory buffer by mem align
     return memsize
 */
-size_t winpe_memload(const void *rawpe, size_t rawsize, 
+inline size_t winpe_memload(const void *rawpe, size_t rawsize, 
     void *mempe, size_t memsize, bool_t same_align);
 
 
 /*
   realoc the addrs for the mempe addr as image base
     return realoc count
 */
-size_t winpe_memreloc(void *mempe, size_t newimagebase);
+inline size_t winpe_memreloc(void *mempe, size_t newimagebase);
 
 /*
   load the iat for the mempe
     return iat count
 */
-size_t winpe_membindiat(void *mempe, 
+inline size_t winpe_membindiat(void *mempe, 
     PFN_LoadLibraryA pfnLoadLibraryA, 
     PFN_GetProcAddress pfnGetProcAddress);
 ```
@@ -127,6 +121,6 @@ See `winpe.h`  for parsing and loading PE structure in detail.
 
 ## known issues
 
-*  attach x64 DLL to exe crash on calling some windows API
-
-  (load x64 DLL in memory after main function doesn't have this problem)
+* ~~attach x64 DLL to exe crash on calling some windows API~~
+  problem occured  by `movaps xmm0, xmmword ptr ss:[rsp]`
+  fixed by stack memory align with 0x10

src/memdll/win_injectmemdll_shellcodestub.py

@@ -5,7 +5,8 @@
    history:
       v0.1, initial version
       v0.2, add more function for shellcode
-      v0.3, x86 and x64 no need to use exe's LoadLibraryA 
+      v0.3, x86 and x64 no need to use exe's LoadLibraryA
+      v0.3.1, fix x64 attach dll crash by align stack with 0x10
 """
 import re
 import sys
@@ -71,6 +72,7 @@ def gen_oepinit_code64():
       push rdx;
       push r8;
       push r9;
+      sub rsp, 0x28; // this is for memory 0x10 align
 
       // bind iat
       lea rdx, [rbx + findloadlibrarya];
@@ -91,6 +93,7 @@ def gen_oepinit_code64():
       call [rbx+dlloepva];
 
       // jmp to origin oep
+      add rsp, 0x28;
       pop r9;
       pop r8;
       pop rdx;