prepare for x64

devseed · devseed · commit 68510bcda6ec · 2022-03-16T22:54:42.000+09:00
diff --git a/src/memdll/Makefile b/src/memdll/Makefile
@@ -64,13 +64,15 @@ libwinpe: libwinpe.c
 	rm -rf $(PREFIX)/*.exp
 
 win_injectmemdll_shellcodestub: win_injectmemdll.c libwinpe
-	python $@.py $< $(PREFIX)/libwinpe$(ARCH_POSTFIX)$(DLL_EXT) $(PREFIX)/_$<
+	python $@.py $< \
+		$(PREFIX)/libwinpe$(ARCH_POSTFIX)$(DLL_EXT)\
+		$(PREFIX)/_$(ARCH_POSTFIX)$<
 
 win_injectmemdll: win_injectmemdll_shellcodestub libwinpe
 	@echo \#\#building $@ ...
-	$(CC) $(PREFIX)/_$@.c -o $(PREFIX)/$@$(ARCH_POSTFIX)$(EXE_EXT)\
+	$(CC) $(PREFIX)/_$(ARCH_POSTFIX)$@.c \
+		-o $(PREFIX)/$@$(ARCH_POSTFIX)$(EXE_EXT)\
 		-llibwinpe$(ARCH_POSTFIX) \
 		$(CFLAGS) $(LDFLAGS) $(INCS) $(LIBS) $(LIBDIRS)
-	rm -rf $(PREFIX)/_$<
 
 .PHONY: all clean prepare libwinpe win_injectmemdll
diff --git a/src/memdll/win_injectmemdll.c b/src/memdll/win_injectmemdll.c
@@ -1,6 +1,6 @@
 /* 
     a tool to attach a dll inside a pe file
-    v0.1, developed by devseed
+    v0.2, developed by devseed
 */
 
 #include <stdio.h>
@@ -135,7 +135,7 @@ int main(int argc, char *argv[])
     if(argc < 3)
     {
         printf("usage: win_injectmemdll exepath dllpath [outpath]\n");
-        printf("v0.1, developed by devseed\n");
+        printf("v0.2, developed by devseed\n");
         return 0;
     }
 
diff --git a/src/memdll/win_injectmemdll_shellcodestub.py b/src/memdll/win_injectmemdll_shellcodestub.py
@@ -60,6 +60,56 @@ def gen_oepshellcode32():
 
 def gen_oepshellcode64():
    ks = Ks(KS_ARCH_X86, KS_MODE_64)
+   code_str = f"""
+      // for relative address, get the base of addr
+      call geteip; 
+      lea rbx, [rax-5];
+      push rcx;
+      push rdx;
+      push r8;
+      push r9;
+
+      // bind iat
+      lea r8, [rbx + exegetprocessaddress];
+      mov r8, [r8]; // iat
+      mov r8, [r8]; // iat->addr
+      lea rdx, [rbx + exeloadlibrarya];
+      mov rdx, [rdx]; // iat
+      mov rdx, [rdx]; // iat->addr
+      lea rcx, [rbx + dllbase]; // dllbase addr
+      mov rcx, [rcx]; // dllbase value
+      call [rbx + memiatbind];
+      
+      // call dll oep, for dll entry
+      xor r8, r8; // lpvReserved
+      xor rdx, rdx; 
+      inc rdx; // fdwReason, DLL_PROCESS_ATTACH
+      lea rcx, [rbx + dllbase];
+      mov rcx, [rcx]; // hinstDLL
+      call [rbx+dlloepva];
+
+      // jmp to origin oep
+      pop r9;
+      pop r8;
+      pop rdx;
+      pop rcx;
+      jmp [rbx+exeoepva];
+
+      geteip:
+      mov rax, [rsp]
+      ret
+
+      exeoepva: nop;nop;nop;nop;nop;nop;nop;nop;
+      dllbase: nop;nop;nop;nop;nop;nop;nop;nop;
+      dlloepva: nop;nop;nop;nop;nop;nop;nop;nop;
+      memiatbind: nop;nop;nop;nop;nop;nop;nop;nop;
+      exeloadlibrarya: nop;nop;nop;nop;nop;nop;nop;nop;
+      exegetprocessaddress: nop;nop;nop;nop;nop;nop;nop;nop;
+      """
+   print("gen_oepshellcode64", code_str)
+   payload, _ = ks.asm(code_str)
+   print("payload: ", [hex(x) for x in payload])
+   return payload
    pass
 
 def inject_shellcodestubs(srcpath, libwinpepath, targetpath):
@@ -71,7 +121,7 @@ def inject_shellcodestubs(srcpath, libwinpepath, targetpath):
    memiatshellcode = \
       pedll.get_content_from_virtual_address(
          memiatfunc.address, 0x200)
-   memiatshellcode = memiatshellcode[:memiatshellcode.index(0xC3)+1] # retn
+   # memiatshellcode = memiatshellcode[:memiatshellcode.index(0xC3)+1] # retn
 
    if pedll_oph.magic == lief.PE.PE_TYPE.PE32_PLUS:
       oepshellcode = gen_oepshellcode64()
@@ -98,7 +148,7 @@ def inject_shellcodestubs(srcpath, libwinpepath, targetpath):
 
 def debug():
    inject_shellcodestubs("win_injectmemdll.c", 
-      "./bin/libwinpe32.dll", 
+      "./bin/libwinpe64.dll", 
       "./bin/_win_injectmemdll.c")
    pass
 
@@ -111,6 +161,6 @@ def main():
    pass
 
 if __name__ == "__main__":
-   debug()
-   #main()
+   #debug()
+   main()
    pass
diff --git a/util/include/winpe.h b/util/include/winpe.h
@@ -333,18 +333,34 @@ size_t winpe_membindiat(void *mempe,
             &&  pOftThunk[j].u1.Function; j++) 
         {
             PROC addr = NULL;
-			if((pOftThunk[j].u1.Ordinal >>31) != 0x1) // use name
-			{
-				pFuncName=(PIMAGE_IMPORT_BY_NAME)(mempe +
-                    pOftThunk[j].u1.AddressOfData);
-                addr = pfnGetProcAddress(hmod, pFuncName->Name);
-
-			}
-			else // use ordinal
-			{
-				addr =GetProcAddress(hmod, 
-                (LPCSTR)(pOftThunk[j].u1.Ordinal & 0x0000ffff));
-			}
+            if(sizeof(size_t) > 4) // x64
+            {
+                if((pOftThunk[j].u1.Ordinal >> 63) != 0x1) // use name
+                {
+                    pFuncName=(PIMAGE_IMPORT_BY_NAME)(mempe +
+                        pOftThunk[j].u1.AddressOfData);
+                    addr = pfnGetProcAddress(hmod, pFuncName->Name);
+                }
+                else // use ordinal
+                {
+                    addr =pfnGetProcAddress(hmod, 
+                    (LPCSTR)(pOftThunk[j].u1.Ordinal & 0x000000000000ffff));
+                }
+            }
+            else // x86
+            {
+                if((pOftThunk[j].u1.Ordinal >>31) != 0x1) // use name
+                {
+                    pFuncName=(PIMAGE_IMPORT_BY_NAME)(mempe +
+                        pOftThunk[j].u1.AddressOfData);
+                    addr = pfnGetProcAddress(hmod, pFuncName->Name);
+                }
+                else // use ordinal
+                {
+                    addr =pfnGetProcAddress(hmod, 
+                    (LPCSTR)(pOftThunk[j].u1.Ordinal & 0x0000ffff));
+                }
+            }
             if(!addr) return 0;
             pFtThunk[j].u1.Function = (size_t)addr;
             iat_count++;
@@ -385,13 +401,26 @@ size_t winpe_memfindiat(void *mempe,
         for (int j=0; pFtThunk[j].u1.Function 
             &&  pOftThunk[j].u1.Function; j++) 
         {
-			if((pOftThunk[j].u1.Ordinal >>31) != 0x1) // use name
-			{
-				pFuncName=(PIMAGE_IMPORT_BY_NAME)(mempe +
-                    pOftThunk[j].u1.AddressOfData);
-                if(_stricmp(pFuncName->Name, funcname)==0) 
-                    return (size_t)&pFtThunk[j] - (size_t)mempe;
-			}
+            if(sizeof(size_t) > 4) // x64
+            {
+                if((pOftThunk[j].u1.Ordinal >>63) != 0x1) // use name
+                {
+                    pFuncName=(PIMAGE_IMPORT_BY_NAME)(mempe +
+                        pOftThunk[j].u1.AddressOfData);
+                    if(_stricmp(pFuncName->Name, funcname)==0) 
+                        return (size_t)&pFtThunk[j] - (size_t)mempe;
+                }
+            }
+            else // x86
+            {
+                if((pOftThunk[j].u1.Ordinal >>31) != 0x1) // use name
+                {
+                    pFuncName=(PIMAGE_IMPORT_BY_NAME)(mempe +
+                        pOftThunk[j].u1.AddressOfData);
+                    if(_stricmp(pFuncName->Name, funcname)==0) 
+                        return (size_t)&pFtThunk[j] - (size_t)mempe;
+                }
+            }
         }
     }
     return 0;

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`/*`
`2`	`2`	`a tool to attach a dll inside a pe file`
`3`		`- v0.1, developed by devseed`
	`3`	`+ v0.2, developed by devseed`
`4`	`4`	`*/`
`5`	`5`
`6`	`6`	`#include <stdio.h>`
`@@ -135,7 +135,7 @@ int main(int argc, char *argv[])`
`135`	`135`	`if(argc < 3)`
`136`	`136`	`{`
`137`	`137`	`printf("usage: win_injectmemdll exepath dllpath [outpath]\n");`
`138`		`- printf("v0.1, developed by devseed\n");`
	`138`	`+ printf("v0.2, developed by devseed\n");`
`139`	`139`	`return 0;`
`140`	`140`	`}`
`141`	`141`