Function calling? #6
Comments
|
I'm not a C++ programmer so I'll have to read up about this, if you could help at all that would be great. The aim of this implementation would be something similar to: var args = [{
type: memoryjs.INT,
value: 5
}, {
type: memoryjs.INT,
value: 10
}]
var returnType = memoryjs.INT
var offset = 0xDEADBEEF // offset of `addValues`
memoryjs.executeFunction(args, returnType, offset, (err, result) => {
console.log(result) // 15
})Something dynamic like this would be a lot better than hard coding a huge array of different function combinations. Do you know if something like this is possible? Also if |
|
Yes, here is a helpful article I feel could help https://www.unknowncheats.me/wiki/Calling_Functions_From_Injected_Library_Using_Function_Pointers_in_C%2B%2B I am a c++ programmer but not very experienced with node-gyp, I could help with some of the C if necessary. |
|
I can handle the JS implementation, looking at the example code above I posted, do you know how to recreate your code snippet without hard coding the parameters of the function? How can you recreate the function pointer with an unknown number of parameters each with a given data type? |
|
varargs and templates (looking for a more elaborate example) |
|
OH, I completely forgot that we are not working with an injected library here (where I usually work from) We need to do something along the lines of https://msdn.microsoft.com/en-us/library/windows/desktop/ms682437(v=vs.85).aspx What would need to happen is a stub would need to be code caved into the process that accepts a pointer to multiple arguments, as CRT only supports passing one argument to the thread. Not quite sure if this is a one man job. If you create a PR I would be sure to help. This may seem like tons of work, but I do believe it will take your module to the next level with its capabilities. I will write a sub in asm that you can WPM when I get home tomorrow. |
|
Here is semi pseudo code for the C++ code cave implementation: typedef int(__stdcall *__addValues)(INT, INT);
class CaveParams {
int a = 3, a = 5; // function parameters
DWORD addValues; // function address in memory
// how do we build this class dynamically?
}
DWORD __stdcall RemoteThread(CaveParams *cp){
__addValues addFunc = (__addValues) cp -> addValues;
addFunc(cp -> a, cp -> b);
// type definition for the addValues function is still required for it to be called?
}
int main(){
LPVOID eRemoteThread= VirtualAllocEx(hProcess, NULL, sizeof(CaveParams), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
WriteProcessMemory(hProcess, remoteThread, (LPVOID) eRemoteThread, sizeof(CaveParams), 0);
CaveParams* params = (CaveParams*) VirtualAlloxEx(hProcess, NULL, sizeof(CaveParams), MEM_COMMIT, PAGE_READWRITE);
CaveParams caveParams;
WriteProcessMemory(hProcess, params, &caveParams, sizeof(CaveParams), NULL);
HANDLE hRemoteThread = CreateRemoteThread(hProcess, 0, 0, (LPTHREAD_START_ROUTINE), eRemoteThread, params, 0, 0);
}Just looked a bit into code caving and rewrote some sample code to point out 2 issues I still don't understand:
From what I understand so far:
|
|
We cannot have a predefined stub function - one must be generated due to parameters. Here is an example. Say we wanted to call addValues(1, 5). Here is what the stub would look like: That would then need to be converted to the opcode for each instruction, so we can WPM it Then we can CRT that function. Also, if we were to have to push strings we would need to VirtualAllocEx them and then push the pointer |
|
Had a quick look and it seems the easiest way to convert from ASM to opcode is to build up the ASM in an array (loop over each parameter and add the push instruction, then add the call instruction last) and then loop over this array and build up a new bytes array that can be written to memory. Sounds easy but it's probably a lot harder than I'm thinking |
|
Here is a functioning library written by my friend, he uses it in some exploits of his. |
|
Can't get any code cave example to work. I've tried your friend's plus other sample code online with the calculator example (getting a message box to display on calc.exe) but it causes the calculator to crash whenever the remote thread is created |
|
Is this still being implemented? I need this functionality for my project. |
|
I've been busy with other projects and currently have no plan to look into this again yet, sorry! Pull requests are welcome if you want to try implementing it yourself. |
|
Also need this functionality for a project, if you find some time could you take another look at it? |
|
@Rob-- when u have some time please watch this video if it helps you |
|
@SalameDefumado Watched the video but I can't think of a way to implement this. We need to define a structure that contains the parameters and address of the function. This can't be done dynamically due to the way C++ is compiled. The solution to this is that users will need to edit the CPP file and add their own structures manually for each function they want to call. They will also need to create and define their own routines that will be injected into the target process. What I can implement is the allocation of memory and CRT. However it will not be possible to implement something that allows the user to call a function completely from JS space without editing the CPP files and recompiling. |
|
I know this is old but my solution is still possible. Building a universal codecave dynamically based on the parameters and calling it via CRT. Should work fine with integers but some issues arise when you need to push strings. |
|
@xetrics so it's possible to directly WPM instruction bytes? Okay so this means that the CaveData struct can be passed from JS to C++ and the lib will iterate over the structure to produce the byte array of opcode/operand? For the ASM, how would we call the function that we have the address of? Previously you stated Edit: neither the video's example nor your friend's example works for me, in both cases the target application crashes. ZeroMemory's example also doesn't make sense, he is assuming the size of the remote thread is the size of CaveData, so I tried using your friend's GetFunctionSize function and I get an access violation reading memory error at |
|
This is a pretty messy area of reverse engineering, accurately detecting the size of functions as all compilers are not the same, and some programs even add random padding in-between stubs to make this even harder. The function is just looping over the entire function, and adds to the size until it sees a ret instruction (0xF4). This can get sloppy at times, but it is the best solution when you are reverse engineering. To answer your access violation, try to make sure that the page is PAGE_READ using VirtualQuery. To call the function using call, you would need to set the operand as Here is a useful site http://ref.x86asm.net/coder32.html NOTE 90% of the stuff we are doing only works in 32 bit. |
|
I've tried a few different ways to get the size of the function:
I created an empty console project and used that as the target process. The target process and the injecting process were both 32 bit. In all cases the target process crashes, it would be incredibly helpful if you could provide a complete working example project. I'm not too experienced with ASM but according to your link |
|
Sorry I looked at your reply in school and forgot to make an example when I got home, i'll try and reply tonight. |
|
Sure thing my dude. When you make the example can you please tell me what OS and what OS version you ran it on? |
|
Currently working on a way to do them dynamically, it's kind of a headache but here is how you call functions externally with static stuff (sorry for messy code, wrote this up in like 15 minutes): PROCESSENTRY32 pe = { sizeof(PROCESSENTRY32) };
auto snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);
int pid;
if (Process32First(snapshot, &pe)) {
while (Process32Next(snapshot, &pe)) {
if (!strcmp(pe.szExeFile, "target.exe")) {
pid = pe.th32ProcessID;
}
}
}
auto proc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
/*
below shellcode in asm:
push 1
push 1
call 0x000000 ; placeholder for the relative address to be calcuated
add esp, 8 ; amt of args * 4
ret
*/
BYTE rgShellcode[] = {0x6A, 0x01, 0x6A, 0x01, 0xE8, 0x0, 0x0, 0x0, 0x0, 0x83, 0xC4, 0x08, 0xC3};
void* pShellcode = VirtualAllocEx(proc, NULL, sizeof(rgShellcode), MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE); // allocate the shellcode in the target process
*(uintptr_t*)(rgShellcode + 5) = (uintptr_t)ADDRESS - (uintptr_t)pShellcode - 9; // using the position of the newly allocated memory and target function, calculate the call address relative to the new memory
WriteProcessMemory(proc, pShellcode, rgShellcode, sizeof(rgShellcode), NULL); // actually write the shellcode to the new memory
CreateRemoteThread(proc, NULL, NULL, (LPTHREAD_START_ROUTINE)pShellcode, NULL, NULL, NULL); // call our stubBe sure to disable ASLR in your target process. (we will need to compensate for this eventually) |
|
Okay yeah this code works for me, how do we go about pushing anything other than an int to the stack? |
|
It all comes down to knowledge of datatypes in memory. For example for strings, you would need to alloc/wpm it, then push the address absolute/relative (not sure on this one). For bools, you can just push a 0x01 or a 0x02. I'm having issues with a weird paradox right now on the dynamic building of the push instructions. If you want to take a look, here it is (ignore all the ugly code and debug stuff): enum ARGTYPE {T_INT, T_NONE};
struct arg {
ARGTYPE type;
void* value;
};
void fnCallRoutine(HANDLE proc, std::vector<arg> pargs, ARGTYPE preturn, void* address) {
unsigned char nparams_c = (unsigned char)pargs.size();
std::vector<unsigned char> array_queue = { 0xE8, 0x0, 0x0, 0x0, 0x0, 0x83, 0xC4, nparams_c, 0xC3 };
for (auto i = 0; i < pargs.size(); i++) {
switch (pargs[i].type) {
case T_INT:
int param = (int)pargs[i].value;
array_queue.insert(array_queue.begin(), (param >> 24) & 0xFF);
array_queue.insert(array_queue.begin(), (param >> 16) & 0xFF);
array_queue.insert(array_queue.begin(), (param >> 8) & 0xFF);
array_queue.insert(array_queue.begin(), param & 0xFF);
array_queue.insert(array_queue.begin(), 0x68);
break;
}
}
unsigned char* rgShellcode = array_queue.data();
printf("0x%02x, 0x%02x, 0x%02x, 0x%02x, 0x%02x, 0x%02x, 0x%02x, 0x%02x, 0x%02x", rgShellcode[0], rgShellcode[1], rgShellcode[2], rgShellcode[3], rgShellcode[4], rgShellcode[5], rgShellcode[6], rgShellcode[7], rgShellcode[8]);
getchar();
void* pShellcode = VirtualAllocEx(proc, NULL, sizeof(rgShellcode), MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
*(uintptr_t*)(rgShellcode + 5) = (uintptr_t)address - (uintptr_t)rgShellcode - 9;
WriteProcessMemory(proc, pShellcode, rgShellcode, sizeof(rgShellcode), NULL);
//CreateRemoteThread(proc, NULL, NULL, (LPTHREAD_START_ROUTINE)pShellcode, NULL, NULL, NULL);
}The int case seems to just be overwriting instead of inserting, or it's pushing the stuff out of the vector leftwards (hard to explain). This might be an option but I haven't had time to look into it (not FIFO like vectors): http://www.cplusplus.com/reference/deque/deque/ |
|
Isolated the issue: https://repl.it/repls/BrokenWorstSequences The vector past 9 is no longer in contagious memory(?) |
|
Why not just build the entire opcode array dynamically instead of trying to insert the arguments after? And I'm confused, when you're dynamically pushing the arguments what is all the bitshifting and bitwise AND for? Should it not require just 2 chars (push instruction and the value)? Also when I try and write a value such as 69 (0x45), for example: it will act as this: void call(HANDLE pHandle, std::vector<Arg> args, TYPE returnType, DWORD64 address) {
std::vector<unsigned char> argShellcode;
for (auto &arg : args) {
argShellcode.push_back(0x6A);
if (arg.type == T_INT) {
argShellcode.push_back(*static_cast<int*>(arg.value));
}
}
std::vector<unsigned char> callShellcode = {
0xE8, 0x00, 0x00, 0x00, 0x00, // call 0x00000000
0x83, 0xC4, (unsigned char) (args.size() * 0x4), // add esp, [arg count * 4]
0xC3, // return
'\0', // null terminator to get the size of the shellcode
};
// concatenate the arg shellcode with the calling shellcode
std::vector<unsigned char> shellcode;
shellcode.reserve(argShellcode.size() + callShellcode.size());
shellcode.insert(shellcode.end(), argShellcode.begin(), argShellcode.end());
shellcode.insert(shellcode.end(), callShellcode.begin(), callShellcode.end());
unsigned char* rgShellcode = shellcode.data();
for (int i = 0; i < shellcode.size(); i++) {
printf("0x%02x\n", rgShellcode[i]);
}
SIZE_T size = shellcode.size() * sizeof(char);
void* pShellcode = VirtualAllocEx(pHandle, NULL, size, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE); // allocate the shellcode in the target process
*(uintptr_t*)(rgShellcode + 5) = address - (uintptr_t)pShellcode - 9; // using the position of the newly allocated memory and target function, calculate the call address relative to the new memory
WriteProcessMemory(pHandle, pShellcode, rgShellcode, size, NULL); // actually write the shellcode to the new memory
CreateRemoteThread(pHandle, NULL, NULL, (LPTHREAD_START_ROUTINE)pShellcode, NULL, NULL, NULL); // call our stub
}
int main()
{
PROCESSENTRY32 process = findProcess("Test Project.exe");
MODULEENTRY32 module = findModule("Test Project.exe", process.th32ProcessID);
HANDLE pHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, process.th32ProcessID);
DWORD functionAddress = (DWORD)module.modBaseAddr + 0x1030;
int a = 2;
std::vector<Arg> args = {
{ T_INT, &a },
{ T_INT, &a },
};
call(pHandle, args, T_INT, functionAddress);
return 0;
} |
|
Do you have discord? This will be a lot easier than through github. |
|
Yep. |
|
chrome#3110, add me back |
|
I've created a repo with a working demonstration in case any one wants to further contribute. Still struggling with writing strings though, but everything else seems to be working so far. |
|
@Rob-- do you plan to push that to the lib? |
|
Yes at some point after my exams, will also add look into adding other features. |
|
waiting :( |
|
I think it's a pretty complicated thing, if your going to have different return types and inputs to the functions and handle all the calling conventions. Perhaps out of scope of memoryjs? Suggest to inject a DLL to do more advanced things than reading/writing but thats just my 2 cents. |
|
I've nearly implemented this into the library, it can remotely call the function perfectly, but for some reason the target application crashes (complains about illegal instructions) even though the shell code generated by my dummy project is identical to the shellcode generated by the library. |
|
Just pushed function execution in 5538702, documentation has also been updated. To test this, you can run this C++ program, copy the address of the function that is printed in the console and then update this JS file and run it. You can play around with the |
|
Just saw this. Great job, this is impressive. |
|
When will it be available in npm? |
|
@Rodriguinho1 available now. |
|
could we get some more documentation on this? i haven’t had any luck executing functions or calling them at all |
You should consider adding functionality to calling functions by address. The equivalent in C would be
int ( __cdecl *addValues )( int a, int b ) = ( int ( __cdecl* )( int, int ) )0xDEADBEEF;The text was updated successfully, but these errors were encountered: