From a129190b5db5a1ff8b3d3ebf3f5dc5ea7f7aee8b Mon Sep 17 00:00:00 2001
From: hugsy
Date: Sun, 12 Nov 2023 13:44:55 -0800
Subject: [PATCH] added arm support because why not
---
 .github/Invoke-VisualStudio.ps1 | 4 +
 .github/workflows/build.yml | 2 +
 CMakeLists.txt | 8 +-
 Modules/Binary/Include/Win32/PE.hpp | 2 +-
 Modules/Binary/Source/Win32/PE.cpp | 2 +-
 Modules/Binary/Tests/pwn_binary_pe.cpp | 4 +-
 Modules/Common/CMakeLists.txt | 19 ++-
 Modules/Common/Include/Architecture.hpp | 3 +-
 Modules/Process/CMakeLists.txt | 7 +-
 Modules/Process/Source/Win32/Memory.cpp | 2 +-
 Modules/Process/Source/Win32/Process.cpp | 4 +-
 Modules/Process/Source/Win32/Thread.cpp | 18 ++-
 .../Process/Source/Win32/asm/arm/get_teb.asm | 20 +++
 .../Source/Win32/asm/arm/trampoline.asm | 19 +++
 Modules/Registry/CMakeLists.txt | 3 +-
 Modules/Registry/Tests/CMakeLists.txt | 13 +-
 Modules/Remote/Source/Win32/ALPC.cpp | 2 +-
 Modules/Security/CMakeLists.txt | 6 +-
 Modules/Security/Tests/CMakeLists.txt | 1 +
 Modules/Service/CMakeLists.txt | 2 +-
 Modules/Shellcode/CMakeLists.txt | 1 +
 Modules/Shellcode/Source/Win32/Kernel.cpp | 141 ++++++++++-------
 .../Win32/asm/arm/copy_system_token.asm | 9 ++
 Modules/Symbols/CMakeLists.txt | 5 +-
 Modules/System/CMakeLists.txt | 4 +
 Tools/Win32/CMakeLists.txt | 6 +-
 26 files changed, 206 insertions(+), 101 deletions(-)
 create mode 100644 Modules/Process/Source/Win32/asm/arm/get_teb.asm
 create mode 100644 Modules/Process/Source/Win32/asm/arm/trampoline.asm
 create mode 100644 Modules/Shellcode/Source/Win32/asm/arm/copy_system_token.asm
diff --git a/.github/Invoke-VisualStudio.ps1 b/.github/Invoke-VisualStudio.ps1
index 1cc74e62..09e73c9d 100644
--- a/.github/Invoke-VisualStudio.ps1
+++ b/.github/Invoke-VisualStudio.ps1
@@ -35,3 +35,7 @@ Function Invoke-VisualStudio2022x64 { Function Invoke-VisualStudio2022arm64 { Invoke-CmdScript "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Auxiliary/Build/vcvarsamd64_arm64.bat" } + +Function Invoke-VisualStudio2022arm { + Invoke-CmdScript "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Auxiliary/Build/vcvarsamd64_arm.bat" +} diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index a6c04a2a..e7535644 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -28,6 +28,8 @@ jobs: - {os: windows-latest, arch: x86, config: RelWithDebInfo, build: full} - {os: windows-latest, arch: arm64, config: Debug, build: full} - {os: windows-latest, arch: arm64, config: RelWithDebInfo, build: full} + - {os: windows-latest, arch: arm, config: Debug, build: full} + - {os: windows-latest, arch: arm, config: RelWithDebInfo, build: full} - {os: ubuntu-latest, arch: x64, config: Debug, build: full} - {os: ubuntu-latest, arch: x64, config: RelWithDebInfo, build: full} diff --git a/CMakeLists.txt b/CMakeLists.txt index 29ff93b4..a56a6fcf 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -116,12 +116,14 @@ if(PWN_INCLUDE_DISASSEMBLER) endif(PWN_INCLUDE_DISASSEMBLER) if(MSVC) - if("${CMAKE_GENERATOR_PLATFORM}" STREQUAL "arm64") - enable_language(CXX ASM_MARMASM) - elseif("${CMAKE_GENERATOR_PLATFORM}" STREQUAL "x64") + if("${CMAKE_GENERATOR_PLATFORM}" STREQUAL "x64") enable_language(CXX ASM_MASM) elseif("${CMAKE_GENERATOR_PLATFORM}" STREQUAL "win32") enable_language(CXX ASM_MASM) + elseif("${CMAKE_GENERATOR_PLATFORM}" STREQUAL "arm") + enable_language(CXX ASM_MARMASM) + elseif("${CMAKE_GENERATOR_PLATFORM}" STREQUAL "arm64") + enable_language(CXX ASM_MARMASM) endif() else() enable_language(CXX ASM_NASM) diff --git a/Modules/Binary/Include/Win32/PE.hpp b/Modules/Binary/Include/Win32/PE.hpp index 4dbb818b..beb160ef 100644 --- a/Modules/Binary/Include/Win32/PE.hpp +++ b/Modules/Binary/Include/Win32/PE.hpp 
@@ -101,7 +101,7 @@ class PE struct PeExceptionTableEntry : IMAGE_RUNTIME_FUNCTION_ENTRY { -#if defined(_ARM64_) +#if defined(_ARM_) || defined(_ARM64_) DWORD EndAddress {}; #endif usize Size; diff --git a/Modules/Binary/Source/Win32/PE.cpp b/Modules/Binary/Source/Win32/PE.cpp index dbfacc18..6d8ae04b 100644 --- a/Modules/Binary/Source/Win32/PE.cpp +++ b/Modules/Binary/Source/Win32/PE.cpp @@ -497,7 +497,7 @@ PE::FillException() return; } -#if defined(_ARM64_) +#if defined(_ARM_) || defined(_ARM64_) // TODO adjust from `Flags` field value, based on `ARM64_FNPDATA_FLAGS` DWORD EndAddress {e.BeginAddress + e.FunctionLength}; #else diff --git a/Modules/Binary/Tests/pwn_binary_pe.cpp b/Modules/Binary/Tests/pwn_binary_pe.cpp index 51401cb0..f3eb4fc0 100644 --- a/Modules/Binary/Tests/pwn_binary_pe.cpp +++ b/Modules/Binary/Tests/pwn_binary_pe.cpp @@ -62,9 +62,9 @@ TEST_CASE("Native PE file parser", "[" NS "]") { REQUIRE(entry.BeginAddress != 0); REQUIRE(entry.EndAddress != 0); -#ifndef _ARM64_ +#if !defined(_ARM64_) && !defined(_ARM_) REQUIRE(entry.UnwindInfoAddress != 0); -#endif // _ARM64_ +#endif // !_ARM64_ && !_ARM_ } } diff --git a/Modules/Common/CMakeLists.txt b/Modules/Common/CMakeLists.txt index dcb24879..c9ff710c 100644 --- a/Modules/Common/CMakeLists.txt +++ b/Modules/Common/CMakeLists.txt @@ -45,11 +45,19 @@ if(WIN32) target_compile_options(${PROJECT_NAME} PUBLIC + $<$: /Zc:__cplusplus - $<$>:$<$:/fsanitize=address>> - $,/sdl /WX /Gy /Gm- /permissive-,/WX /Zi /Zf /Gm /Gm- /permissive- > + /EHsc + $, + /sdl /WX /Gy /Gm- /permissive-, + /WX /Zi /Zf /Gm /Gm- /permissive- + > /diagnostics:caret /ZH:SHA_256 + + # ASAN only supported for Intel + $<$:$<$:/fsanitize=address>> + $<$:$<$:/fsanitize=address>> > PRIVATE ) 
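Review bot: `DWORD EndAddress {e.BeginAddress + e.FunctionLength};` in the PE.cpp hunk treats FunctionLength as a byte count, but in the SDK's IMAGE_ARM_RUNTIME_FUNCTION_ENTRY and IMAGE_ARM64_RUNTIME_FUNCTION_ENTRY that field is a bitfield of the packed-unwind word, expressed in 2-byte units on ARM and 4-byte units on ARM64, and it is only meaningful when `Flag != 0` (with `Flag == 0` the same 32 bits are the RVA of an .xdata record). So the computed range is too short on both targets, and for an unpacked entry it is noise; assuming `e` is that SDK type, the existing TODO should become something like `e.Flag ? e.BeginAddress + e.FunctionLength * 2 : <length from the .xdata record>` on ARM, with `* 4` under `_ARM64_`. The PE.hpp hunk's added `EndAddress {}` member is fine as the storage for that value. FillException continues outside the hunk.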
@@ -60,8 +68,13 @@ if(WIN32) target_link_options(${PROJECT_NAME} PUBLIC - $<$>:$<$:/InferAsanLibs>> + # Link ASAN for debug + $<$:$<$:/InferAsanLibs>> + $<$:$<$:/InferAsanLibs>> + + # Fix issues with SAFESEH linking for 32b $<$:/SAFESEH:NO> + $<$:/SAFESEH:NO> ) target_link_libraries(${PROJECT_NAME} diff --git a/Modules/Common/Include/Architecture.hpp b/Modules/Common/Include/Architecture.hpp index f7c8a38c..c030415a 100644 --- a/Modules/Common/Include/Architecture.hpp +++ b/Modules/Common/Include/Architecture.hpp @@ -100,11 +100,12 @@ struct Architecture /// ///@brief Supported architecture declarations /// -static constexpr CMap Architectures { +static constexpr CMap Architectures { {{ {"x64"sv, {"X86_64"sv, ArchitectureType::x64, 8, Endianess::little}}, {"x86"sv, {"X86_32"sv, ArchitectureType::x86, 4, Endianess::little}}, {"arm64"sv, {"ARM_AARCH64"sv, ArchitectureType::arm64, 8, Endianess::little}}, + {"arm"sv, {"ARM_AARCH64"sv, ArchitectureType::arm, 4, Endianess::little}}, }}, }; diff --git a/Modules/Process/CMakeLists.txt b/Modules/Process/CMakeLists.txt index 88563b4a..32f74439 100644 --- a/Modules/Process/CMakeLists.txt +++ b/Modules/Process/CMakeLists.txt @@ -13,6 +13,8 @@ elseif("${CMAKE_GENERATOR_PLATFORM}" STREQUAL win32) set(ASM_DIR ${SOURCE_DIR}/Win32/asm/x86) elseif("${CMAKE_GENERATOR_PLATFORM}" STREQUAL arm64) set(ASM_DIR ${SOURCE_DIR}/Win32/asm/arm64) +elseif("${CMAKE_GENERATOR_PLATFORM}" STREQUAL arm) + set(ASM_DIR ${SOURCE_DIR}/Win32/asm/arm) else() message(FATAL_ERROR "Unknown arch ${CMAKE_GENERATOR_PLATFORM}") endif() 
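Review bot: The second `/SAFESEH:NO` line added under `# Fix issues with SAFESEH linking for 32b` is a PUBLIC link option on the Common library, so every consumer inherits it, and /SAFESEH is an x86-only linker switch (ARM images have no SafeSEH handler table); if that line is the arm one, as the surrounding arm additions suggest, it is at best ignored and may only produce an unrecognized-option warning on the arm link, worth checking in the CI log. For the win32 line it sits next to, disabling SafeSEH removes an exploit mitigation from every x86 binary in the tree; if the linker complaint behind the comment comes from the MASM objects, assembling them with ml's `/safeseh` switch marks them compatible and lets the option be dropped instead of propagated. The comment should at least name the objects that fail so the workaround can be retired: `# Fix issues with SAFESEH linking for 32b (<which objects> lack the safeseh marker)`.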
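Review bot: The new `{"arm"sv, {"ARM_AARCH64"sv, ArchitectureType::arm, 4, Endianess::little}}` row copies the arm64 row's display name, so `arm` and `arm64` now both describe themselves as `ARM_AARCH64` although the 4-byte pointer size says this is 32-bit ARM; a distinct label such as `"ARM_AARCH32"sv` keeps the name usable for lookups and logs. The diffstat shows only these lines changing in Architecture.hpp, so `ArchitectureType::arm` must already be declared by the enum above the hunk, and the CMap's element count (the template argument is garbled in this rendering) presumably moved from 3 to 4 — both worth a compile on any configuration to confirm.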
@@ -38,8 +40,9 @@ add_library(${PROJECT_NAME} STATIC ${SOURCE_FILES})
 add_dependencies(${PROJECT_NAME} ${DEPS})
 add_library(PWN::${PROJECT_NAME} ALIAS ${PROJECT_NAME})
 target_include_directories(${PROJECT_NAME} PUBLIC ${INTERFACE_DIR} PRIVATE ${HEADER_DIR})
-target_compile_definitions(${PROJECT_NAME} PUBLIC)
-target_link_libraries(${PROJECT_NAME} PUBLIC ${DEPS} Userenv.lib)
+
+# target_compile_definitions(${PROJECT_NAME} PUBLIC)
+target_link_libraries(${PROJECT_NAME} PUBLIC ${DEPS} Userenv.lib Ole32.lib)
 install(DIRECTORY ${INTERFACE_DIR} DESTINATION ${CMAKE_PROJECT_NAME})
diff --git a/Modules/Process/Source/Win32/Memory.cpp b/Modules/Process/Source/Win32/Memory.cpp
index 2833a142..af06499a 100644
--- a/Modules/Process/Source/Win32/Memory.cpp
+++ b/Modules/Process/Source/Win32/Memory.cpp
@@ -132,7 +132,7 @@ Memory::QueryInternal(
 MemoryInformationClass,
 Buffer.get(),
 Size,
- &ReturnLength);
+ (PSIZE_T)&ReturnLength);
 if ( NT_SUCCESS(Status) )
 {
 break;
diff --git a/Modules/Process/Source/Win32/Process.cpp b/Modules/Process/Source/Win32/Process.cpp
index 41839d6f..e8a27081 100644
--- a/Modules/Process/Source/Win32/Process.cpp
+++ b/Modules/Process/Source/Win32/Process.cpp
@@ -702,7 +702,7 @@ AppContainer::AppContainer(
 // build the startup info
 //
 usize size = 0;
- ::InitializeProcThreadAttributeList(nullptr, 1, 0, &size);
+ ::InitializeProcThreadAttributeList(nullptr, 1, 0, (PSIZE_T)&size);
 if ( size == 0u )
 {
 throw std::runtime_error("InitializeProcThreadAttributeList() failed");
@@ -711,7 +711,7 @@ AppContainer::AppContainer(
 m_StartupInfo.StartupInfo.cb = sizeof(STARTUPINFOEX);
 m_StartupInfo.lpAttributeList = (LPPROC_THREAD_ATTRIBUTE_LIST)::new u8[size];
- if ( ::InitializeProcThreadAttributeList(m_StartupInfo.lpAttributeList, 1, 0, &size) == 0 )
+ if ( ::InitializeProcThreadAttributeList(m_StartupInfo.lpAttributeList, 1, 0, (PSIZE_T)&size) == 0 )
 {
 throw std::runtime_error("InitializeProcThreadAttributeList() failed");
 }
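Review bot: `# target_compile_definitions(${PROJECT_NAME} PUBLIC)` leaves dead text in the Process CMakeLists; the call carried no definitions and was a no-op, so deleting the line outright (or adding the definitions it was meant to hold) is cleaner than a commented-out placeholder. The added `Ole32.lib` comes with no indication of which code in this module now needs it; a short comment naming the API that pulls it in would keep the link line reviewable later.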
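Review bot: The `(PSIZE_T)&ReturnLength` cast in the Memory.cpp hunk silences a pointer-type mismatch instead of resolving it, and the same pattern appears in both Process.cpp hunks (`(PSIZE_T)&size`) and in the ALPC.cpp hunk further down (`(PSIZE_T)&dwMsgOutLen`). The declarations are outside the hunks, so it is not visible whether the object is merely a same-width distinct type (on 32-bit MSVC `size_t` is `unsigned int` while `SIZE_T` is `unsigned long`) or a different width, in which case the callee writes the wrong number of bytes through the punned pointer. Declaring the out-variable as the type the API writes, `SIZE_T ReturnLength = 0;`, and converting after the call needs no cast and is correct on every target; if a cast must remain, `reinterpret_cast<PSIZE_T>(&ReturnLength)` at least makes the punning greppable.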
diff --git a/Modules/Process/Source/Win32/Thread.cpp b/Modules/Process/Source/Win32/Thread.cpp index 2d0ef8bc..5431b789 100644 --- a/Modules/Process/Source/Win32/Thread.cpp +++ b/Modules/Process/Source/Win32/Thread.cpp @@ -24,13 +24,12 @@ constexpr int WINDOWS_VERSION_22H2 = 19045; EXTERN_C_START -#ifndef _M_ARM64 -bool -GetTeb(uptr* teb); +#if defined(_ARM64_) || defined(_ARM_) + +// +// TODO those are not working yet +// -usize -GetTebLength(); -#else bool GetTeb(uptr* teb) { @@ -42,6 +41,13 @@ GetTebLength() { return 0; } + +#else +bool +GetTeb(uptr* teb); + +usize +GetTebLength(); #endif // _M_ARM64 EXTERN_C_END diff --git a/Modules/Process/Source/Win32/asm/arm/get_teb.asm b/Modules/Process/Source/Win32/asm/arm/get_teb.asm new file mode 100644 index 00000000..acfc4603 --- /dev/null +++ b/Modules/Process/Source/Win32/asm/arm/get_teb.asm @@ -0,0 +1,20 @@ + GLOBAL GetPeb + GLOBAL GetPebLength + +CODE + + +GetPeb PROC PUBLIC EXPORT + ;;; TODO + BX LR +GetPeb ENDP +GetPeb_end:: + +GetPebLength PROC PUBLIC EXPORT + ;;; TODO + BX LR +GetPebLength ENDP + +ENDS + + END diff --git a/Modules/Process/Source/Win32/asm/arm/trampoline.asm b/Modules/Process/Source/Win32/asm/arm/trampoline.asm new file mode 100644 index 00000000..d9a8eff8 --- /dev/null +++ b/Modules/Process/Source/Win32/asm/arm/trampoline.asm @@ -0,0 +1,19 @@ + GLOBAL GoToTrampoline + GLOBAL GoToTrampolineLength + +CODE + +GoToTrampoline PROC PUBLIC EXPORT + ;;; TODO + bx lr +GoToTrampoline ENDP +GoToTrampoline_end:: + +GoToTrampolineLength PROC PUBLIC EXPORT + ;;; TODO + bx lr +GoToTrampolineLength ENDP + +ENDS + + END diff --git a/Modules/Registry/CMakeLists.txt b/Modules/Registry/CMakeLists.txt index dbf7d654..77233336 100644 --- a/Modules/Registry/CMakeLists.txt +++ b/Modules/Registry/CMakeLists.txt @@ -1,4 +1,5 @@ if(NOT WIN32) + message(STATUS "The Registry module is only available for Windows") return() endif() 
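Review bot: The closing comment `#endif // _M_ARM64` in the second Thread.cpp hunk no longer matches the condition opened in the first, `#if defined(_ARM64_) || defined(_ARM_)`; it should read `#endif // _ARM64_ || _ARM_`. Note also that `_ARM_`/`_ARM64_` are defined by the SDK's Windows headers from the compiler's `_M_ARM`/`_M_ARM64`, not by the compiler itself, so if this file is ever preprocessed before those headers the test silently falls into the declaration branch; the compiler-level form `#if defined(_M_ARM64) || defined(_M_ARM)` avoids that. Inferring from the diff, the stub branch (GetTebLength returning 0) now also covers 32-bit arm, while the new arm/get_teb.asm exports `GetPeb`/`GetPebLength` rather than the `GetTeb`/`GetTebLength` declared here — harmless while the C++ stubs are compiled in, but the asm will not satisfy these declarations once the TODO is resolved.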
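Review bot: The directives in the new arm/get_teb.asm (`CODE` on a line of its own, `ENDS`, and the `GetPeb_end::` double-colon label) are MASM segment-style rather than armasm's, which as far as I know expects `AREA |.text|, CODE, READONLY`, plain labels in column 1 and a closing `END` with no `ENDS`; arm/trampoline.asm and arm/copy_system_token.asm use the same shape. Since the Process CMakeLists hunk now points the arm platform at this directory, an assembler error on the arm CI job seems the likely outcome unless the existing arm64 files use the same form and MARMASM accepts it — worth confirming before merge. Windows on 32-bit ARM runs Thumb-2 code only, so the real bodies will presumably also need the `THUMB` directive once the TODOs are filled in.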
@@ -20,7 +21,7 @@ add_dependencies(${PROJECT_NAME} PWN::Common)
 add_library(PWN::${PROJECT_NAME} ALIAS ${PROJECT_NAME})
 target_include_directories(${PROJECT_NAME} PUBLIC ${INTERFACE_DIR} PRIVATE ${HEADER_DIR})
 target_compile_definitions(${PROJECT_NAME} PUBLIC)
-target_link_libraries(${PROJECT_NAME} PUBLIC PWN::Common)
+target_link_libraries(${PROJECT_NAME} PUBLIC PWN::Common AdvApi32.lib)
 install(DIRECTORY ${INTERFACE_DIR} DESTINATION ${CMAKE_PROJECT_NAME})
diff --git a/Modules/Registry/Tests/CMakeLists.txt b/Modules/Registry/Tests/CMakeLists.txt
index e622a0b2..e18aeea5 100644
--- a/Modules/Registry/Tests/CMakeLists.txt
+++ b/Modules/Registry/Tests/CMakeLists.txt
@@ -1,19 +1,12 @@
 enable_testing()
 set(TEST_EXECUTABLE_NAME tests_pwn_${PROJECT_NAME})
-list(APPEND SOURCE_FILES
- ${TEST_DIR}/main.cpp
- ${TEST_DIR}/pwn_win_registry.cpp
-)
-
-add_executable(${TEST_EXECUTABLE_NAME} ${SOURCE_FILES})
+add_executable(${TEST_EXECUTABLE_NAME} ${TEST_DIR}/main.cpp ${TEST_DIR}/pwn_win_registry.cpp)
 add_executable(PWN::Tests::${PROJECT_NAME} ALIAS ${TEST_EXECUTABLE_NAME})
 add_dependencies(${TEST_EXECUTABLE_NAME} PWN::Deps::Catch2 PWN::${PROJECT_NAME})
+target_include_directories(${TEST_EXECUTABLE_NAME} PUBLIC $)
 target_link_libraries(${TEST_EXECUTABLE_NAME} PUBLIC Catch2::Catch2WithMain PWN::${PROJECT_NAME})
-
-if(WIN32)
- target_link_options(${TEST_EXECUTABLE_NAME} PUBLIC /SUBSYSTEM:Console)
-endif(WIN32)
+target_link_options(${TEST_EXECUTABLE_NAME} PUBLIC /SUBSYSTEM:Console)
 add_test(NAME ${TEST_EXECUTABLE_NAME} COMMAND $)
 set_tests_properties(${TEST_EXECUTABLE_NAME} PROPERTIES LABELS Common LABELS Registry)
diff --git a/Modules/Remote/Source/Win32/ALPC.cpp b/Modules/Remote/Source/Win32/ALPC.cpp
index 610d11e2..f276fd09 100644
--- a/Modules/Remote/Source/Win32/ALPC.cpp
+++ b/Modules/Remote/Source/Win32/ALPC.cpp
@@ -138,7 +138,7 @@ Base::SendAndReceive(HANDLE hSocket, Message& MsgIn)
 MsgIn.Get(),
 nullptr,
 reinterpret_cast(lpRawMsgOut.get()),
- &dwMsgOutLen,
+ (PSIZE_T)&dwMsgOutLen,
 nullptr,
 nullptr);
 if ( !NT_SUCCESS(Status) )
diff --git a/Modules/Security/CMakeLists.txt b/Modules/Security/CMakeLists.txt
index 1785440f..2f4273cb 100644
--- a/Modules/Security/CMakeLists.txt
+++ b/Modules/Security/CMakeLists.txt
@@ -20,7 +20,11 @@ add_dependencies(${PROJECT_NAME} PWN::Common PWN::System)
 add_library(PWN::${PROJECT_NAME} ALIAS ${PROJECT_NAME})
 target_include_directories(${PROJECT_NAME} PUBLIC ${INTERFACE_DIR} ../System/Include PRIVATE ${HEADER_DIR})
 target_compile_definitions(${PROJECT_NAME} PUBLIC)
-target_link_libraries(${PROJECT_NAME} PUBLIC PWN::Common)
+target_link_libraries(${PROJECT_NAME}
+ PUBLIC
+ PWN::Common
+ Advapi32.lib
+)
 install(DIRECTORY ${INTERFACE_DIR} DESTINATION ${CMAKE_PROJECT_NAME})
diff --git a/Modules/Security/Tests/CMakeLists.txt b/Modules/Security/Tests/CMakeLists.txt
index d8604e4f..2a8eaad1 100644
--- a/Modules/Security/Tests/CMakeLists.txt
+++ b/Modules/Security/Tests/CMakeLists.txt
@@ -13,6 +13,7 @@ target_link_libraries(${TEST_EXECUTABLE_NAME} PUBLIC Catch2::Catch2WithMain PWN:
 if(WIN32)
 target_link_options(${TEST_EXECUTABLE_NAME} PUBLIC /SUBSYSTEM:Console)
+ target_link_libraries(${TEST_EXECUTABLE_NAME} PUBLIC AdvApi32.lib)
 endif(WIN32)
 add_test(NAME ${TEST_EXECUTABLE_NAME} COMMAND $)
diff --git a/Modules/Service/CMakeLists.txt b/Modules/Service/CMakeLists.txt
index 3bddf25b..698e1a02 100644
--- a/Modules/Service/CMakeLists.txt
+++ b/Modules/Service/CMakeLists.txt
@@ -20,7 +20,7 @@ add_dependencies(${PROJECT_NAME} PWN::Common)
 add_library(PWN::${PROJECT_NAME} ALIAS ${PROJECT_NAME})
 target_include_directories(${PROJECT_NAME} PUBLIC ${INTERFACE_DIR} PRIVATE ${HEADER_DIR})
 target_compile_definitions(${PROJECT_NAME} PUBLIC)
-target_link_libraries(${PROJECT_NAME} PUBLIC PWN::Common)
+target_link_libraries(${PROJECT_NAME} PUBLIC PWN::Common AdvApi32.lib)
 install(DIRECTORY ${INTERFACE_DIR} DESTINATION ${CMAKE_PROJECT_NAME})
diff --git a/Modules/Shellcode/CMakeLists.txt b/Modules/Shellcode/CMakeLists.txt
index 4ee9f372..dadf3b02 100644
--- a/Modules/Shellcode/CMakeLists.txt
+++ b/Modules/Shellcode/CMakeLists.txt
@@ -14,6 +14,7 @@ if(WIN32)
 $<$:${SOURCE_DIR}/Win32/asm/x64/copy_system_token.asm>
 $<$:${SOURCE_DIR}/Win32/asm/x86/copy_system_token.asm>
 $<$:${SOURCE_DIR}/Win32/asm/arm64/copy_system_token.asm>
+ $<$:${SOURCE_DIR}/Win32/asm/arm/copy_system_token.asm>
 )
 else()
 return()
diff --git a/Modules/Shellcode/Source/Win32/Kernel.cpp b/Modules/Shellcode/Source/Win32/Kernel.cpp
index 10a2f165..79b0e000 100644
--- a/Modules/Shellcode/Source/Win32/Kernel.cpp
+++ b/Modules/Shellcode/Source/Win32/Kernel.cpp
@@ -1,62 +1,79 @@
-#include "Win32/Kernel.hpp"
-
-#include 
-
-#include "Log.hpp"
-#include "Utils.hpp"
-
-
-#if 0
-// Win10 RS6 x64
-#define CURRENT_ETHREAD 0x0188
-#define EPROCESS_OFFSET 0x00b8
-#define PROCESSID_OFFSET 0x02e8
-#define EPROCESS_FLINK_OFFSET 0x02f0
-#define TOKEN_OFFSET 0x0360
-#define SYSTEM_PID 4
-#endif
-
-// WINDOWS 8.1
-#if 0
-#define CURRENT_ETHREAD 0x0188
-#define EPROCESS_OFFSET 0x00b8
-#define PROCESSID_OFFSET 0x02e0
-#define FLINK_OFFSET 0x02e8
-#define TOKEN_OFFSET 0x0348
-#define SYSTEM_PID 0x4
-#endif
-
-
-EXTERN_C_START
-void
-CopySystemToken();
-
-usize
-CopySystemTokenLength();
-EXTERN_C_END
-
-
-namespace pwn::Shellcode::Kernel
-{
-
-std::vector
-DebugBreak()
-{
- std::vector res(sizeof(uptr));
- std::fill(res.begin(), res.end(), 0xcc);
- return res;
-}
-
-
-std::vector
-StealSystemToken()
-{
- const usize sz = CopySystemTokenLength();
- std::vector sc(Utils::align(sz, 16));
- std::fill(sc.begin(), sc.end(), 0xcc);
- RtlCopyMemory(sc.data(), &CopySystemToken, sz);
- return sc;
-}
-
-
-} // namespace pwn::Shellcode::Kernel
+#include "Win32/Kernel.hpp"
+
+#include 
+
+#include "Log.hpp"
+#include "Utils.hpp"
+
+
+#if 0
+// Win10 RS6 x64
+#define CURRENT_ETHREAD 0x0188
+#define EPROCESS_OFFSET 0x00b8
+#define PROCESSID_OFFSET 0x02e8
+#define EPROCESS_FLINK_OFFSET 0x02f0
+#define TOKEN_OFFSET 0x0360
+#define SYSTEM_PID 4
+#endif
+
+// WINDOWS 8.1
+#if 0
+#define CURRENT_ETHREAD 0x0188
+#define EPROCESS_OFFSET 0x00b8
+#define PROCESSID_OFFSET 0x02e0
+#define FLINK_OFFSET 0x02e8
+#define TOKEN_OFFSET 0x0348
+#define SYSTEM_PID 0x4
+#endif
+
+
+#if defined(_ARM_)
+EXTERN_C
+void
+CopySystemToken()
+{
+}
+
+EXTERN_C
+usize
+CopySystemTokenLength()
+{
+ return -1;
+}
+
+#else
+
+EXTERN_C
+void
+CopySystemToken();
+
+EXTERN_C
+usize
+CopySystemTokenLength();
+#endif
+
+
+namespace pwn::Shellcode::Kernel
+{
+
+std::vector
+DebugBreak()
+{
+ std::vector res(sizeof(uptr));
+ std::fill(res.begin(), res.end(), 0xcc);
+ return res;
+}
+
+
+std::vector
+StealSystemToken()
+{
+ const usize sz = CopySystemTokenLength();
+ std::vector sc(Utils::align(sz, 16));
+ std::fill(sc.begin(), sc.end(), 0xcc);
+ RtlCopyMemory(sc.data(), &CopySystemToken, sz);
+ return sc;
+}
+
+
+} // namespace pwn::Shellcode::Kernel
diff --git a/Modules/Shellcode/Source/Win32/asm/arm/copy_system_token.asm b/Modules/Shellcode/Source/Win32/asm/arm/copy_system_token.asm
new file mode 100644
index 00000000..baef44ed
--- /dev/null
+++ b/Modules/Shellcode/Source/Win32/asm/arm/copy_system_token.asm
@@ -0,0 +1,9 @@
+
+
+CODE
+
+
+
+ENDS
+
+ END
diff --git a/Modules/Symbols/CMakeLists.txt b/Modules/Symbols/CMakeLists.txt
index f08a70c3..294c5a16 100644
--- a/Modules/Symbols/CMakeLists.txt
+++ b/Modules/Symbols/CMakeLists.txt
@@ -17,7 +17,10 @@ if(WIN32)
 list(APPEND SOURCE_FILES
 ${SOURCE_DIR}/Win32/Symbols.cpp
 )
- set(DEPS PWN::Common PWN::Network)
+ set(DEPS
+ PWN::Common
+ PWN::Network
+ )
 else()
 return()
 endif(WIN32)
diff --git a/Modules/System/CMakeLists.txt b/Modules/System/CMakeLists.txt
index 9d1dbc79..642f7f93 100644
--- a/Modules/System/CMakeLists.txt
+++ b/Modules/System/CMakeLists.txt
@@ -27,6 +27,10 @@ target_include_directories(${PROJECT_NAME} PUBLIC ${INTERFACE_DIR} PRIVATE ${HEA
 target_compile_definitions(${PROJECT_NAME} PUBLIC)
 target_link_libraries(${PROJECT_NAME} PUBLIC ${DEPS})
+if(WIN32)
+ target_link_libraries(${PROJECT_NAME} PUBLIC AdvApi32.lib)
+endif(WIN32)
+
 install(DIRECTORY ${INTERFACE_DIR} DESTINATION ${CMAKE_PROJECT_NAME})
 if(PWN_BUILD_TESTING)
diff --git a/Tools/Win32/CMakeLists.txt b/Tools/Win32/CMakeLists.txt
index 30eb5fd9..1de3763e 100644
--- a/Tools/Win32/CMakeLists.txt
+++ b/Tools/Win32/CMakeLists.txt
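Review bot: Under `_ARM_` the stub `CopySystemTokenLength()` does `return -1;`, which as a `usize` is SIZE_MAX, and `StealSystemToken()` at the top of this line passes it unchecked to `Utils::align(sz, 16)`, the `std::vector` constructor and `RtlCopyMemory(sc.data(), &CopySystemToken, sz)` — depending on how align treats the wrap-around that is either a `std::length_error`/`bad_alloc` or a SIZE_MAX-byte copy out of an empty function. Have the stub `return 0;` and make the caller refuse a zero length before allocating, `if ( sz == 0 ) { return {}; }` right after `const usize sz = CopySystemTokenLength();`, so an unimplemented architecture yields an empty buffer instead of undefined behaviour. Separately, every line of this file shows as removed and re-added (62 out, 79 in, for a change of roughly twenty lines), which looks like a line-ending conversion; committing that on its own would leave the functional diff reviewable.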
@@ -26,12 +26,14 @@ foreach(TOOL_DIR ${WIN32_TOOLS}) target_compile_definitions(${TOOL_DIR} PUBLIC PWN_BUILD_FOR_WINDOWS) target_compile_options(${TOOL_DIR} PUBLIC - $<$>:$<$:/fsanitize=address>> + $<$:$<$:/fsanitize=address>> + $<$:$<$:/fsanitize=address>> ) target_link_options(${TOOL_DIR} PUBLIC - $<$>:$<$:/InferAsanLibs>> + $<$:$<$:/InferAsanLibs>> + $<$:$<$:/InferAsanLibs>> ) target_compile_options(${TOOL_DIR} PRIVATE $) target_compile_definitions(${TOOL_DIR} PRIVATE $)