| author | auth12 <[email protected]> | 2020-07-24 16:26:07 -0700 |
|---|---|---|
| committer | auth12 <[email protected]> | 2020-07-24 16:26:07 -0700 |
| commit | 10a1f83f57d61cd6776eaf8dbcefd4814a63b649 (patch) | |
| tree | 31466d7bf480c8b489b3b1f4b82e881b858e4de5 | |
| parent | Injection process changes and server improvements. (diff) | |
Compile fix.
Fixed x64 image support server side.
| -rw-r--r-- | client/src/client/packet.h | 2 | ||||
| -rw-r--r-- | client/src/injection/mapper.cpp | 16 | ||||
| -rw-r--r-- | client/src/main.cpp | 5 | ||||
| -rw-r--r-- | server/src/image/pe.h | 27 | ||||
| -rw-r--r-- | server/src/main.cpp | 8 |
5 files changed, 37 insertions, 21 deletions
diff --git a/client/src/client/packet.h b/client/src/client/packet.h
index b8d9ecf..ebefe46 100644
--- a/client/src/client/packet.h
+++ b/client/src/client/packet.h
@@ -24,8 +24,8 @@ namespace tcp {
 struct packet_t {
 std::string message;
 std::string session_id;
+ uint16_t seq;
 int id;
- int seq;
 packet_t() {}
 packet_t(const std::string_view msg, const packet_type type,
diff --git a/client/src/injection/mapper.cpp b/client/src/injection/mapper.cpp
index 68f0f6e..0b993a0 100644
--- a/client/src/injection/mapper.cpp
+++ b/client/src/injection/mapper.cpp
@@ -6,7 +6,7 @@ void mmap::thread(tcp::client& client) {
 while (client.mapper_data.imports.empty()) {
- std::this_thread::sleep_for(std::chrono::milliseconds(100));
+ std::this_thread::sleep_for(std::chrono::seconds(2));
 }
 std::vector<util::process> process_list;
@@ -45,8 +45,6 @@ void mmap::thread(tcp::client& client) {
 return;
 }
- client.mapper_data.image_size = 0;
-
 io::logger->info("image base : {:x}", image);
 auto imports = nlohmann::json::parse(client.mapper_data.imports);
@@ -81,8 +79,8 @@ void mmap::thread(tcp::client& client) {
 client.mapper_data.imports.clear();
 io::logger->info("please wait...");
- while (client.mapper_data.image.empty()) {
- std::this_thread::sleep_for(std::chrono::seconds(1));
+ while (client.mapper_data.image.size() != client.mapper_data.image_size) {
+ std::this_thread::sleep_for(std::chrono::seconds(2));
 }
 if (!needle->write(image, client.mapper_data.image.data(), client.mapper_data.image.size())) {
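Review bot: Narrowing `seq` from `int` to `uint16_t` changes what the field can hold, and this commit touches only the client copy of `packet_t`; if `seq` is serialized, the server-side counterpart (not in this diff) has to agree on the width and on what happens past 65535, or the two ends disagree as soon as a streamed image needs more than 64K chunks. State the wrap contract on the field, e.g. `uint16_t seq; // wraps at 65536; compare modulo 2^16 on both ends`, or keep a 32-bit type if the server parses a wider integer. `struct packet_t` continues outside the hunk.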
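Review bot: The new wait condition `image.size() != image_size` is satisfied immediately when both are 0, i.e. before the server has announced a size, and since the reset `image_size = 0` was removed in the hunk above, a stale size from an earlier attempt also satisfies it; an empty or partial buffer is then written into the target on the line below. Require a nonzero expected size, `while (client.mapper_data.image_size == 0 || client.mapper_data.image.size() != client.mapper_data.image_size)`, and give the loop a bound or timeout so a dropped connection does not spin forever. `image` and `image_size` are presumably filled by the network thread, so reading `image.size()` and `.data()` here without a lock or atomic is a data race unless the client class synchronizes them — worth a comment either way. `mmap::thread` begins and ends outside the hunk.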
@@ -102,12 +100,6 @@ void mmap::thread(tcp::client& client) {
 *reinterpret_cast<uint32_t*>(&shellcode[8]) = image;
 *reinterpret_cast<uint32_t*>(&shellcode[13]) = entry;
- /*static std::vector<uint8_t> shellcode = { 0x48, 0x83, 0xEC, 0x28, 0x48, 0xB9, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0xC7, 0xC2, 0x01,
- 0x00, 0x00, 0x00, 0x4D, 0x31, 0xC0, 0x48, 0xB8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xD0, 0x48, 0x83, 0xC4, 0x28, 0xC3 };
-
- *reinterpret_cast<uint64_t*>(&shellcode[6]) = image;
- *reinterpret_cast<uint32_t*>(&shellcode[26]) = entry;*/
-
 auto code = needle->allocate(shellcode.size(), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
 if (!needle->write(code, shellcode.data(), shellcode.size())) {
 io::logger->error("failed to write shellcode.");
@@ -124,5 +116,7 @@ void mmap::thread(tcp::client& client) {
 io::logger->info("done");
+ client.shutdown();
+ client.state = tcp::client_state::injected;
 }
\ No newline at end of file
diff --git a/client/src/main.cpp b/client/src/main.cpp
index 441118a..718b728 100644
--- a/client/src/main.cpp
+++ b/client/src/main.cpp
@@ -173,7 +173,10 @@ int main(int argc, char* argv[]) {
 }
- while (client.state != tcp::client_state::injected) {
+ while (client) {
 std::this_thread::sleep_for(std::chrono::seconds(1));
 }
+
+
+ std::cin.get();
 }
diff --git a/server/src/image/pe.h b/server/src/image/pe.h
index d1a78cc..e5a7a68 100644
--- a/server/src/image/pe.h
+++ b/server/src/image/pe.h
@@ -96,6 +96,7 @@ class image {
 const auto ptr = m_image->rva_to_ptr(import_dir->rva);
 auto table = reinterpret_cast<win::import_directory_t *>(ptr);
+
 for (uint32_t previous_name = 0; previous_name < table->rva_name; previous_name = table->rva_name, ++table) {
 auto name_ptr = m_image->rva_to_ptr(table->rva_name);
@@ -104,8 +105,9 @@ class image {
 auto thunk = reinterpret_cast<win::image_thunk_data_t<x64> *>(
 m_image->rva_to_ptr(table->rva_original_first_thunk));
+ auto step = x64 ? sizeof(uint64_t) : sizeof(uint32_t);
 for (uint32_t index = 0; thunk->address;
- index += sizeof(uint32_t), ++thunk) {
+ index += step, ++thunk) {
 auto named_import = reinterpret_cast<win::image_named_import_t *>(
 m_image->rva_to_ptr(thunk->address));
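Review bot: `client.state = tcp::client_state::injected` is assigned after `client.shutdown()`, so anything that reacts to the shutdown (a disconnect handler, or main's `while (client)` wake-up) can observe the connection gone while `state` still says not-injected; if `shutdown()` tears the connection down synchronously, which is inferred rather than visible here, the two lines should be swapped: `client.state = tcp::client_state::injected; client.shutdown();`. A one-line comment saying the state is published before the socket is closed would make the intended order explicit. `mmap::thread` begins outside the hunk.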
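Review bot: `while (client)` now waits for the connection to go away rather than for the mapper to report success, so `main` returns 0 whether the injection completed or the server dropped the client mid-transfer; derive the exit status from the final state, `return client.state == tcp::client_state::injected ? 0 : 1;` after `std::cin.get()`. Note also that `std::cin.get()` returns at once when stdin is not a terminal (redirected or closed), so it only holds the window open in the interactive case. `main` begins outside the hunk.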
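Review bot: The thunk loop still uses `thunk->address` as an RVA without checking the ordinal bit; on x64 that flag is bit 63, so an import-by-ordinal entry makes `rva_to_ptr` produce a pointer far outside the mapped image before `named_import` is read on the last line, unless the body below the hunk filters it. Add the check before the cast, e.g. `if (thunk->is_ordinal) continue;` using whatever accessor `win::image_thunk_data_t` exposes for the high bit. Since `++thunk` already advances by `sizeof(win::image_thunk_data_t<x64>)`, `step` only has to stay in sync with that type — `auto step = sizeof(*thunk);` cannot drift from it. The loop body and `class image` continue outside the hunk.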
@@ -134,13 +136,18 @@ class image {
 }
 void relocate(std::vector<char> &image, uintptr_t base) {
- const uint32_t delta =
- base - m_image->get_nt_headers()->optional_header.image_base;
+ const auto delta = base - m_image->get_nt_headers()->optional_header.image_base;
 if (delta > 0) {
 for (auto &[base_rva, entry] : m_relocs) {
+ if (x64) {
+ if(entry.type == win::rel_based_high_low || entry.type == win::rel_based_dir64) {
+ *reinterpret_cast<uint64_t *>(image.data() + base_rva + entry.offset) += delta;
+ }
+ continue;
+ }
+
 if (entry.type == win::rel_based_high_low) {
- *reinterpret_cast<uint32_t *>(image.data() + base_rva +
- entry.offset) += delta;
+ *reinterpret_cast<uint32_t *>(image.data() + base_rva + entry.offset) += delta;
 }
 }
 }
@@ -157,8 +164,16 @@ class image {
 for (auto &func : funcs) {
 if(j[func.name].is_null()) {
 continue;
+ }
+
+ auto addr = j[func.name];
+
+ if(x64) {
+ *reinterpret_cast<uint64_t *>(image.data() + func.rva) = addr;
+ continue;
 }
- *reinterpret_cast<uint32_t *>(image.data() + func.rva) = j[func.name];
+
+ *reinterpret_cast<uint32_t *>(image.data() + func.rva) = addr;
 }
 }
 }
diff --git a/server/src/main.cpp b/server/src/main.cpp
index 7f9d166..fdac519 100644
--- a/server/src/main.cpp
+++ b/server/src/main.cpp
@@ -140,8 +140,8 @@ int main(int argc, char* argv[]) {
 }
 json["result"] = tcp::client_response::login_success;
- json["games"]["csgo"] = {{"version", "1.2"}, {"id", 0}, {"process":"csgo.exe"}};
- json["games"]["csgo beta"] = {{"version", "1.2"}, {"id", 1}, {"process":"csgo.exe"}};
+ json["games"]["csgo"] = {{"version", "0.1"}, {"id", 0}, {"process","csgo.exe"}};
+ json["games"]["csgo beta"] = {{"version", "0.1"}, {"id", 1}, {"process","csgo.exe"}};
 client.write(tcp::packet_t(json.dump(), tcp::packet_type::write, session, tcp::packet_id::login_resp));
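Review bot: On the x64 path `rel_based_high_low` is handled like `rel_based_dir64` and patched with a 64-bit add; HIGHLOW is a 32-bit fixup regardless of image width, so that write overruns the 4-byte field, clobbers the 4 bytes after it and adds the high half of `delta` where it must not go. Split by relocation type instead of by architecture: `if (entry.type == win::rel_based_dir64) *reinterpret_cast<uint64_t *>(p) += delta; else if (entry.type == win::rel_based_high_low) *reinterpret_cast<uint32_t *>(p) += static_cast<uint32_t>(delta);` with `p = image.data() + base_rva + entry.offset`. Two smaller points: `delta` is unsigned, so `delta > 0` only means `delta != 0` (correct under wraparound, but not what the condition reads as — a comment would help), and nothing checks `base_rva + entry.offset + 8 <= image.size()` before the write, so a malformed relocation table in the PE on disk writes out of bounds. `class image` continues outside the hunk.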
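Review bot: The patched value `addr` is taken straight from the JSON `j` and written at `func.rva` without a bounds check against `image.size()`, and the json-to-integer conversion is implicit, so a non-integer value throws from inside the patch loop. The JSON appears to carry import addresses supplied by the client (the server's `imports` handling is in server/src/main.cpp), so make the conversion explicit and skip entries that cannot fit: `const auto addr = j[func.name].get<uint64_t>();` and `if (func.rva + (x64 ? 8 : 4) > image.size()) continue;` before the write. `class image` continues outside the hunk.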
@@ -240,6 +240,10 @@ int main(int argc, char* argv[]) {
 if(client.stream(image) == image.size()) {
 io::logger->info("sent image to {}.", client.username);
 }
+
+ std::ofstream imp("data/imports/" + client.username);
+ imp.write(imports.data(), imports.size());
+ imp.close();
 client.state = tcp::client_state::injected; // message contains allocation base |
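Review bot: `"data/imports/" + client.username` builds a filesystem path from a client-chosen name with no validation, so a username containing `..` or a path separator lets an authenticated client write the `imports` payload — which, from the surrounding handler, appears to be client-supplied — to any location the server process can reach; the open is also unchecked, so a failed open is silent. Restrict the name before using it as a path, e.g. reject anything outside `[A-Za-z0-9_-]` or key the file by the session id or a hex digest of the name instead, and verify the stream: `if (!imp) io::logger->error("failed to open imports file for {}.", client.username);`. It is also worth a comment on why the file is written at all, since it is produced after the image has already been streamed and nothing in this hunk reads it back. `main` begins and continues outside the hunk.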