2010-09-09 18:19:35 +00:00
|
|
|
# This file is part of Metasm, the Ruby assembly manipulation suite
|
|
|
|
# Copyright (C) 2006-2009 Yoann GUILLOT
|
|
|
|
#
|
|
|
|
# Licence is LGPL, see LICENCE in the top-level directory
|
|
|
|
|
|
|
|
# this script compiles a source file (asm or C) into a shellcode that will
|
|
|
|
# dynamically resolve the address of functions it uses
|
|
|
|
# windows only, supposes the shellcode is run in the address space of a process
|
|
|
|
# whose PEB allows to find all required libraries.
|
|
|
|
|
|
|
|
require 'metasm'
|
|
|
|
|
|
|
|
sc = Metasm::Shellcode.new(Metasm::Ia32.new)
|
|
|
|
|
|
|
|
case ARGV[0]
|
|
|
|
when /\.c(pp)?$/i
|
|
|
|
src_c = File.read(ARGV[0])
|
2013-08-30 21:28:33 +00:00
|
|
|
sc.assemble 'jmp main'
|
|
|
|
sc.compile_c src_c
|
2010-09-09 18:19:35 +00:00
|
|
|
when /\.asm$/i
|
2013-08-30 21:28:33 +00:00
|
|
|
src = File.read(ARGV[0])
|
|
|
|
sc.assemble src
|
2010-09-09 18:19:35 +00:00
|
|
|
when nil; abort "need sourcefile"
|
|
|
|
else abort "unknown srcfile extension"
|
|
|
|
end
|
|
|
|
|
|
|
|
# find external symbols needed by the shellcode
|
|
|
|
ext_syms = sc.encoded.reloc_externals
|
|
|
|
|
|
|
|
# resolver code
|
|
|
|
sc.parse <<EOS
|
|
|
|
get_libbase:
|
2013-08-30 21:28:33 +00:00
|
|
|
mov eax, fs:[0x30] // peb
|
|
|
|
mov eax, [eax+12] // peb_ldr
|
|
|
|
add eax, 12 // &inloadorder
|
2010-09-09 18:19:35 +00:00
|
|
|
libbase_loop:
|
2013-08-30 21:28:33 +00:00
|
|
|
mov eax, [eax] // next
|
|
|
|
mov edx, [eax+12*4] // basename ptr
|
|
|
|
mov cl, [edx+6]
|
|
|
|
shl ecx, 8
|
|
|
|
mov cl, [edx+4]
|
|
|
|
shl ecx, 8
|
|
|
|
mov cl, [edx+2]
|
|
|
|
shl ecx, 8
|
|
|
|
mov cl, [edx]
|
|
|
|
or ecx, 0x20202020 // downcase
|
|
|
|
cmp ecx, [esp+4]
|
|
|
|
jnz libbase_loop
|
|
|
|
mov eax, [eax+6*4] // baseaddr
|
|
|
|
ret 4
|
2010-09-09 18:19:35 +00:00
|
|
|
|
|
|
|
hash_name:
|
2013-08-30 21:28:33 +00:00
|
|
|
push ecx
|
|
|
|
push edx
|
|
|
|
xor eax, eax
|
|
|
|
xor ecx, ecx
|
|
|
|
mov edx, [esp+12]
|
|
|
|
dec edx
|
2010-09-09 18:19:35 +00:00
|
|
|
hash_loop:
|
2013-08-30 21:28:33 +00:00
|
|
|
ror eax, 0dh
|
|
|
|
add eax, ecx
|
|
|
|
inc edx
|
|
|
|
mov cl, [edx]
|
|
|
|
test cl, cl
|
|
|
|
jnz hash_loop
|
|
|
|
pop edx
|
|
|
|
pop ecx
|
|
|
|
ret 4
|
2010-09-09 18:19:35 +00:00
|
|
|
|
|
|
|
resolve_proc:
|
2013-08-30 21:28:33 +00:00
|
|
|
push ecx
|
|
|
|
push edx
|
|
|
|
push ebp
|
|
|
|
push dword ptr [esp+0x14] // arg_2
|
|
|
|
call get_libbase
|
|
|
|
mov ebp, eax // imagebase
|
|
|
|
add eax, [eax+0x3c] // coffhdr
|
|
|
|
mov edx, [eax+0x78] // exportdirectory
|
|
|
|
add edx, ebp
|
|
|
|
or ecx, -1
|
2010-09-09 18:19:35 +00:00
|
|
|
resolve_loop:
|
2013-08-30 21:28:33 +00:00
|
|
|
inc ecx
|
|
|
|
mov eax, [edx+0x20] // name
|
|
|
|
add eax, ebp
|
|
|
|
mov eax, [eax+4*ecx]
|
|
|
|
add eax, ebp
|
|
|
|
push eax
|
|
|
|
call hash_name
|
|
|
|
cmp eax, [esp+0x10] // cmp hash(name[i]), arg_1
|
|
|
|
jnz resolve_loop
|
|
|
|
mov eax, [edx+0x24] // ord
|
|
|
|
add eax, ebp
|
|
|
|
movzx ecx, word ptr [eax+2*ecx]
|
|
|
|
mov eax, [edx+0x1c] // func
|
|
|
|
add eax, ebp
|
|
|
|
mov eax, [eax+4*ecx] // func[ord[i]]
|
|
|
|
add eax, ebp
|
|
|
|
pop ebp
|
|
|
|
pop edx
|
|
|
|
pop ecx
|
|
|
|
ret 8
|
2010-09-09 18:19:35 +00:00
|
|
|
EOS
|
|
|
|
|
|
|
|
def hash_name(sym)
|
2013-08-30 21:28:33 +00:00
|
|
|
hash = 0
|
|
|
|
sym.each_byte { |char|
|
|
|
|
hash = (((hash >> 0xd) | (hash << (32-0xd))) + char) & 0xffff_ffff
|
|
|
|
}
|
|
|
|
hash
|
2010-09-09 18:19:35 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def lib_name(sym)
|
2013-08-30 21:28:33 +00:00
|
|
|
raise "unknown libname for #{sym}" if not lib = Metasm::WindowsExports::EXPORT[sym]
|
|
|
|
n = lib.downcase[0, 4].unpack('C*')
|
|
|
|
n[0] + (n[1]<<8) + (n[2] << 16) + (n[3] << 24)
|
2010-09-09 18:19:35 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
# encode stub for each symbol
|
|
|
|
ext_syms.uniq.each { |sym|
|
2013-08-30 21:28:33 +00:00
|
|
|
next if sym == 'next_payload'
|
|
|
|
sc.parse <<EOS
|
2010-09-09 18:19:35 +00:00
|
|
|
#{sym}:
|
2013-08-30 21:28:33 +00:00
|
|
|
push #{lib_name(sym)}
|
|
|
|
push #{hash_name(sym)}
|
|
|
|
call resolve_proc
|
|
|
|
jmp eax
|
2010-09-09 18:19:35 +00:00
|
|
|
EOS
|
|
|
|
}
|
|
|
|
|
|
|
|
# marker to the next payload if the payload is a stager
|
|
|
|
sc.assemble "next_payload:"
|
|
|
|
|
|
|
|
# output to a file
|
|
|
|
sc.encode_file 'shellcode-dynlink.raw'
|
|
|
|
|
|
|
|
__END__
|
|
|
|
// sample payload
|
|
|
|
|
|
|
|
extern __stdcall int MessageBoxA(int, char*, char*, int);
|
|
|
|
extern void next_payload(void);
|
|
|
|
|
|
|
|
int main(void)
|
|
|
|
{
|
2013-08-30 21:28:33 +00:00
|
|
|
MessageBoxA(0, "Hello, world !", "Hi", 0);
|
|
|
|
next_payload();
|
2010-09-09 18:19:35 +00:00
|
|
|
}
|