From 185eef9d0bc4da36200220eea0172df951eaad36 Mon Sep 17 00:00:00 2001
From: devseed
Date: Sun, 20 Mar 2022 18:24:57 +0900
Subject: [PATCH] fix x64 crash in dll attach by stack align 0x10
---
 README.md | 20 +++++++-------------
 src/memdll/win_injectmemdll_shellcodestub.py | 5 ++++-
 2 files changed, 11 insertions(+), 14 deletions(-)
diff --git a/README.md b/README.md
index 867d27a..424d37b 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,5 @@
 # MemoryModule
 A tool to parse and load module in memory, as well as attach a DLL in EXE.
-
 Most of the functions are inline, so that it can also be used in shellcode.
 
 ## compile
@@ -33,7 +32,7 @@ winpe_memFreeLibrary(memdll);
 // memory loadlibrary at specific address
 size_t targetaddr = sizeof(size_t) > 4 ? 0x140030000: 0x90000;
-memdll = winpe_memLoadLibraryEx(memdll, targetaddr,
+memdll = winpe_memLoadLibraryEx(mempe, targetaddr,
 WINPE_LDFLAG_MEMALLOC, (PFN_LoadLibraryA)winpe_findloadlibrarya(), (PFN_GetProcAddress)winpe_memGetProcAddress);
 winpe_memFreeLibrary(memdll);
@@ -58,7 +57,6 @@ These functions are essential to load memory module in windows.
 will load the mempe in a valid imagebase
 return hmodule base
 */
-WINPEDEF WINPE_EXPORT
 inline void* STDCALL winpe_memLoadLibrary(void *mempe);
 
 /*
@@ -69,7 +67,6 @@ inline void* STDCALL winpe_memLoadLibrary(void *mempe);
 must combined with WINPE_LDFLAG_MEMALLOC
 return hmodule base
 */
-WINPEDEF WINPE_EXPORT
 inline void* STDCALL winpe_memLoadLibraryEx(void *mempe,
 size_t imagebase, DWORD flag,
 PFN_LoadLibraryA pfnLoadLibraryA,
@@ -79,14 +76,12 @@ inline void* STDCALL winpe_memLoadLibraryEx(void *mempe,
 similar to FreeLibrary, will call dllentry
 return true or false
 */
-WINPEDEF WINPE_EXPORT
 inline BOOL STDCALL winpe_memFreeLibrary(void *mempe);
 
 /*
 FreeLibraryEx with VirtualFree custom function
 return true or false
 */
-WINPEDEF WINPE_EXPORT
 inline BOOL STDCALL winpe_memFreeLibraryEx(void *mempe,
 PFN_LoadLibraryA pfnLoadLibraryA,
 PFN_GetProcAddress pfnGetProcAddress);
@@ -95,7 +90,6 @@ inline BOOL STDCALL winpe_memFreeLibraryEx(void *mempe,
 similar to GetProcAddress
 return function va
 */
-WINPEDEF WINPE_EXPORT
 inline PROC STDCALL winpe_memGetProcAddress(
 void *mempe, const char *funcname);
@@ -104,7 +98,7 @@ inline PROC STDCALL winpe_memGetProcAddress(
 load the origin rawpe in memory buffer by mem align
 return memsize
 */
-size_t winpe_memload(const void *rawpe, size_t rawsize,
+inline size_t winpe_memload(const void *rawpe, size_t rawsize,
 void *mempe, size_t memsize, bool_t same_align);
@@ -112,13 +106,13 @@ size_t winpe_memload(const void *rawpe, size_t rawsize,
 realoc the addrs for the mempe addr as image base
 return realoc count
 */
-size_t winpe_memreloc(void *mempe, size_t newimagebase);
+inline size_t winpe_memreloc(void *mempe, size_t newimagebase);
 
 /*
 load the iat for the mempe
 return iat count
 */
-size_t winpe_membindiat(void *mempe,
+inline size_t winpe_membindiat(void *mempe,
 PFN_LoadLibraryA pfnLoadLibraryA,
 PFN_GetProcAddress pfnGetProcAddress);
 ```
@@ -127,6 +121,6 @@ See `winpe.h` for parsing and loading PE structure in detail.
 ## known issues
-* attach x64 DLL to exe crash on calling some windows API
- (load x64 DLL in memory after main function doesn't have this problem)
+* ~~attach x64 DLL to exe crash on calling some windows API~~
+ problem occured by `movaps xmm0, xmmword ptr ss:[rsp]`
+ fixed by stack memory align with 0x10
\ No newline at end of file
diff --git a/src/memdll/win_injectmemdll_shellcodestub.py b/src/memdll/win_injectmemdll_shellcodestub.py
index de070ca..c99d49b 100644
--- a/src/memdll/win_injectmemdll_shellcodestub.py
+++ b/src/memdll/win_injectmemdll_shellcodestub.py
@@ -5,7 +5,8 @@ history:
 v0.1, initial version
 v0.2, add more function for shellcode
- v0.3, x86 and x64 no need to use exe's LoadLibraryA
+ v0.3, x86 and x64 no need to use exe's LoadLibraryA
+ v0.3.1, fix x64 attach dll crash by align stack with 0x10
 """
 import re
 import sys
@@ -71,6 +72,7 @@ def gen_oepinit_code64():
 push rdx;
 push r8;
 push r9;
+sub rsp, 0x28; // this is for memory 0x10 align
 
 // bind iat
 lea rdx, [rbx + findloadlibrarya];
@@ -91,6 +93,7 @@ def gen_oepinit_code64():
 call [rbx+dlloepva];
 
 // jmp to origin oep
+add rsp, 0x28;
 pop r9;
 pop r8;
 pop rdx;
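Review bot: The added `sub rsp, 0x28` only leaves rsp 16-byte aligned if the stack happens to sit at 8 mod 16 after the pushes above it, and that parity depends on how many registers the stub pushed before `push rdx` (outside this hunk) and on the alignment the loader hands the OEP, so this is a fixed offset that happens to work rather than a guarantee. The comment also undersells what the 0x28 does: 0x20 of it is the Win64 shadow (home) space that every `call [rbx+...]` below needs regardless of alignment, and a callee may legitimately write into it, so dropping the shadow space would corrupt the pushed registers. A more robust stub saves rsp in a callee-saved register, forces alignment with `and rsp, -0x10`, reserves the shadow space, and restores rsp from the saved copy instead of `add rsp, 0x28`. I would also reword the comment to state what it actually provides, e.g. `// 0x20 Win64 shadow space + 8 so rsp is 16-byte aligned for movaps in callees`. gen_oepinit_code64 starts and ends outside this hunk, so whether rbp is free for this purpose has to be checked against the rest of the stub.

```asm
push rbp;                 // keep the original rsp in a callee-saved register (assumes the stub does not use rbp)
mov rbp, rsp;
and rsp, -0x10;           // force 16-byte alignment regardless of push count or OEP entry parity
sub rsp, 0x20;            // Win64 shadow space required by every call below
// … unchanged: bind iat, call dll oep …
mov rsp, rbp;             // restore the exact rsp before the pops
pop rbp;
```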