
Commit a08c420

committed
Add railgun definitions for local exploit relevant functions.
1 parent 2218063 commit a08c420


2 files changed

+21
-7
lines changed

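--- a/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_kernel32.rb
+++ b/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_kernel32.rb
@@ -11,7 +11,7 @@ class Def_kernel32
 
 def self.create_dll(dll_path = 'kernel32')
 dll = DLL.new(dll_path, ApiConstants.manager)
-
+
 dll.add_function( 'GetConsoleWindow', 'LPVOID',[])
 
 dll.add_function( 'ActivateActCtx', 'BOOL',[
@@ -496,7 +496,7 @@ def self.create_dll(dll_path = 'kernel32')
 ["HANDLE","hProcess","in"],
 ["PBLOB","lpThreadAttributes","in"],
 ["DWORD","dwStackSize","in"],
-["PBLOB","lpStartAddress","in"],
+["LPVOID","lpStartAddress","in"],
 ["PBLOB","lpParameter","in"],
 ["DWORD","dwCreationFlags","in"],
 ["PDWORD","lpThreadId","out"],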
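Review bot: The switch of `lpStartAddress` to `LPVOID` in the CreateRemoteThread hunk is left undocumented while the neighbouring `lpThreadAttributes` and `lpParameter` stay `PBLOB`, so a reader cannot tell from the definition why two pointer parameters of the same call are marshalled differently. Add a comment above the entry such as `# lpStartAddress is an address in the target process, passed through as-is rather than copied like a PBLOB` — phrased as an assumption, since railgun's PBLOB/LPVOID marshalling is not visible in this section. The first hunk of this section changes only whitespace on line 14 and needs no note. create_dll begins and ends outside both hunks.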

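--- a/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_ntdll.rb
+++ b/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_ntdll.rb
@@ -12,6 +12,15 @@ class Def_ntdll
 def self.create_dll(dll_path = 'ntdll')
 dll = DLL.new(dll_path, ApiConstants.manager)
 
+dll.add_function('NtAllocateVirtualMemory', 'DWORD',[
+["DWORD","ProcessHandle","in"],
+["PBLOB","BaseAddress","inout"],
+["PDWORD","ZeroBits","in"],
+["PBLOB","RegionSize","inout"],
+["DWORD","AllocationType","in"],
+["DWORD","Protect","in"]
+])
+
 dll.add_function('NtClose', 'DWORD',[
 ["DWORD","Handle","in"],
 ])
@@ -33,13 +42,13 @@ def self.create_dll(dll_path = 'ntdll')
 dll.add_function('NtDeviceIoControlFile', 'DWORD',[
 ["DWORD","FileHandle","in"],
 ["DWORD","Event","in"],
-["PBLOB","ApcRoutine","in"],
-["PBLOB","ApcContext","in"],
-["PBLOB","IoStatusBlock","inout"],
+["LPVOID","ApcRoutine","in"],
+["LPVOID","ApcContext","in"],
+["PDWORD","IoStatusBlock","out"],
 ["DWORD","IoControlCode","in"],
-["PBLOB","InputBuffer","in"],
+["LPVOID","InputBuffer","in"],
 ["DWORD","InputBufferLength","in"],
-["PBLOB","OutputBuffer","inout"],
+["LPVOID","OutputBuffer","in"],
 ["DWORD","OutputBufferLength","in"],
 ])
 
@@ -68,6 +77,11 @@ def self.create_dll(dll_path = 'ntdll')
 ["PDWORD","ReturnLength","inout"],
 ])
 
+dll.add_function('NtQueryIntervalProfile', 'DWORD',[
+["DWORD","ProfileSource","in"],
+["PDWORD","Interval","out"],
+])
+
 dll.add_function('NtQuerySystemInformation', 'DWORD',[
 ["DWORD","SystemInformationClass","in"],
 ["PBLOB","SystemInformation","inout"],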
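Review bot: `["PDWORD","IoStatusBlock","out"]` in the NtDeviceIoControlFile hunk describes the out parameter as a single DWORD, but the native IO_STATUS_BLOCK is two pointer-sized fields (8 bytes on x86, 16 on x64), so if railgun sizes a PDWORD out buffer at 4 bytes the kernel's write will run past it and corrupt the Meterpreter process's own memory; the previous `["PBLOB","IoStatusBlock","inout"]` let the caller size the buffer. Unless the railgun marshaller is confirmed to allocate more than a DWORD here, keep it as `["PBLOB","IoStatusBlock","out"]` and document that callers must pass a buffer sized for the target architecture. Separately, in the NtAllocateVirtualMemory hunk, `ZeroBits` is a by-value ULONG_PTR in the native prototype, so `["PDWORD","ZeroBits","in"]` would hand the kernel the address of a temporary holding the value rather than the value itself. `["DWORD","ZeroBits","in"]` matches how `AllocationType` and `Protect` are passed in the same entry (with the usual caveat that DWORD is 32-bit while ULONG_PTR is pointer-sized). create_dll begins and ends outside the hunks shown.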
