Module: Msf::Payload::Windows::BlockApi_x64

Included in:

AddrLoader_x64, BindNamedPipe_x64, BindTcp_x64, MigrateCommon_x64, ReflectivePELoader_x64, ReverseHttp_x64, ReverseNamedPipe_x64, ReverseTcp_x64

Defined in:

lib/msf/core/payload/windows/x64/block_api_x64.rb

Overview

Basic block_api stubs for Windows ARCH_X64 payloads

Instance Method Summary

• #asm_block_api(opts = {}) ⇒ Object
• #block_api_hash(mod, func, opts = {}) ⇒ Object
• #block_api_iv(opts = {}) ⇒ Object

Instance Method Details

#asm_block_api(opts = {}) ⇒ Object

# File 'lib/msf/core/payload/windows/x64/block_api_x64.rb', line 19

def asm_block_api(opts={})
  asm = Rex::Payloads::Shuffle.from_graphml_file(
    File.join(Msf::Config.install_root, 'data', 'shellcode', 'block_api.x64.graphml'),
    arch: ARCH_X64,
    name: 'api_call'
  )
  iv = opts.fetch(:block_api_iv) { block_api_iv }
  # Patch the assembly to set the correct IV
  # db 0x41, 0xb9, 0x00, 0x00, 0x00, 0x00  =>  mov r9d, <iv>
  iv_bytes = [iv].pack('V').bytes.map { |b| "0x%02x" % b }.join(', ')
  unless asm.include?("db 0x41, 0xb9, 0x00, 0x00, 0x00, 0x00")
    raise "Failed to patch block_api assembly with IV 0x#{iv.to_s(16).rjust(8, '0')} (#{iv_bytes})"
  end
  asm.sub!("db 0x41, 0xb9, 0x00, 0x00, 0x00, 0x00", "db 0x41, 0xb9, #{iv_bytes}")
end

#block_api_hash(mod, func, opts = {}) ⇒ Object

# File 'lib/msf/core/payload/windows/x64/block_api_x64.rb', line 35

def block_api_hash(mod, func, opts={})
  iv = opts.fetch(:block_api_iv) { block_api_iv }
  Rex::Text.block_api_hash(mod, func, iv: iv)
end

#block_api_iv(opts = {}) ⇒ Object

# File 'lib/msf/core/payload/windows/x64/block_api_x64.rb', line 15

def block_api_iv(opts={})
  @block_api_iv ||= rand(0x100000000)
end