Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Pull in changes from ReflectiveDLLInjection to support direct syscalls (2) #694

Merged
merged 5 commits into from
Jan 19, 2024
Merged

Pull in changes from ReflectiveDLLInjection to support direct syscalls (2) #694

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
7082431
Pull in changes from ReflectiveDLLInjection to support direct syscalls
cdelafuente-r7 Nov 3, 2023
a5e33d1
Remove include DirectSyscall.c
cdelafuente-r7 Jan 10, 2024
1556007
Update ReflectiveDLLInjection submodule to pull in Win10/8 x86 fix
cdelafuente-r7 Jan 12, 2024
83fa146
Update ReflectiveDLLInjection submodule to pull in new trampoline det…
cdelafuente-r7 Jan 16, 2024
c7abd47
Update the ReflectiveDLLInjection submodule to the upstream repository
cdelafuente-r7 Jan 19, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion c/meterpreter/source/ReflectiveDLLInjection
Open in desktop
Submodule ReflectiveDLLInjection updated 18 files
+53 −53 common/ReflectiveDLLInjection.h
+17 −0 cortex.yaml
+350 −260 dll/reflective_dll.vcxproj
+42 −28 dll/reflective_dll.vcxproj.filters
+167 −0 dll/src/DirectSyscall.c
+212 −0 dll/src/DirectSyscall.h
+49 −0 dll/src/GateTrampoline32.asm
+45 −0 dll/src/GateTrampoline32.s
+47 −0 dll/src/GateTrampoline64.asm
+47 −0 dll/src/GateTrampoline64.s
+46 −87 dll/src/ReflectiveLoader.c
+16 −166 dll/src/ReflectiveLoader.h
+317 −255 inject/inject.vcxproj
+34 −34 inject/inject.vcxproj.filters
+6 −5 inject/src/Inject.c
+2 −1 inject/src/LoadLibraryR.c
+10 −0 inject/src/LoadLibraryR.h
+14 −9 rdi.sln
Empty file modified c/meterpreter/source/common/common_command_ids.h
100755 → 100644
View file
Open in desktop
Empty file.
Empty file modified c/meterpreter/source/dump_sam/ReflectiveFreeAndExitThread.c
100755 → 100644
View file
Open in desktop
Empty file.
Empty file modified c/meterpreter/source/dump_sam/ReflectiveFreeAndExitThread.h
100755 → 100644
View file
Open in desktop
Empty file.
Empty file modified c/meterpreter/source/dump_sam/dump_sam.def
100755 → 100644
View file
Open in desktop
Empty file.
Empty file modified c/meterpreter/source/extensions/extapi/ntds.c
100755 → 100644
View file
Open in desktop
Empty file.
Empty file modified c/meterpreter/source/extensions/peinjector/headers.h
100755 → 100644
View file
Open in desktop
Empty file.
Empty file modified c/meterpreter/source/extensions/peinjector/libpefile.c
100755 → 100644
View file
Open in desktop
Empty file.
Empty file modified c/meterpreter/source/extensions/peinjector/libpefile.h
100755 → 100644
View file
Open in desktop
Empty file.
Empty file modified c/meterpreter/source/extensions/peinjector/libpeinfect.c
100755 → 100644
View file
Open in desktop
Empty file.
Empty file modified c/meterpreter/source/extensions/peinjector/libpeinfect.h
100755 → 100644
View file
Open in desktop
Empty file.
Empty file modified c/meterpreter/source/extensions/peinjector/libpeinfect_obfuscator.c
100755 → 100644
View file
Open in desktop
Empty file.
Empty file modified c/meterpreter/source/extensions/peinjector/libpeinfect_obfuscator.h
100755 → 100644
View file
Open in desktop
Empty file.
Empty file modified c/meterpreter/source/extensions/peinjector/libpetool.c
100755 → 100644
View file
Open in desktop
Empty file.
Empty file modified c/meterpreter/source/extensions/peinjector/libpetool.h
100755 → 100644
View file
Open in desktop
Empty file.
Empty file modified c/meterpreter/source/extensions/peinjector/peinjector.c
100755 → 100644
View file
Open in desktop
Empty file.
Empty file modified c/meterpreter/source/extensions/peinjector/peinjector.h
100755 → 100644
View file
Open in desktop
Empty file.
Empty file modified c/meterpreter/source/extensions/peinjector/peinjector_bridge.c
100755 → 100644
View file
Open in desktop
Empty file.
Empty file modified c/meterpreter/source/extensions/peinjector/peinjector_bridge.h
100755 → 100644
View file
Open in desktop
Empty file.
Empty file modified c/meterpreter/source/extensions/powershell/powershell.c
100755 → 100644
View file
Open in desktop
Empty file.
Empty file modified c/meterpreter/source/extensions/powershell/powershell.h
100755 → 100644
View file
Open in desktop
Empty file.
Empty file modified c/meterpreter/source/extensions/powershell/powershell_bindings.cpp
100755 → 100644
View file
Open in desktop
Empty file.
Empty file modified c/meterpreter/source/extensions/powershell/powershell_bindings.h
100755 → 100644
View file
Open in desktop
Empty file.
Empty file modified c/meterpreter/source/extensions/powershell/powershell_bridge.cpp
100755 → 100644
View file
Open in desktop
Empty file.
Empty file modified c/meterpreter/source/extensions/powershell/powershell_bridge.h
100755 → 100644
View file
Open in desktop
Empty file.
Empty file modified c/meterpreter/source/extensions/priv/elevate.c
100755 → 100644
View file
Open in desktop
Empty file.
Empty file modified c/meterpreter/source/extensions/priv/elevate.h
100755 → 100644
View file
Open in desktop
Empty file.
Empty file modified c/meterpreter/source/extensions/priv/namedpipe_efs.c
100755 → 100644
View file
Open in desktop
Empty file.
Empty file modified c/meterpreter/source/extensions/priv/priv.rc
100755 → 100644
View file
Open in desktop
Empty file.
Empty file modified c/meterpreter/source/extensions/priv/resource.h
100755 → 100644
View file
Open in desktop
Empty file.
Empty file modified c/meterpreter/source/extensions/python/python_commands.c
100755 → 100644
View file
Open in desktop
Empty file.
Empty file modified c/meterpreter/source/extensions/python/python_commands.h
100755 → 100644
View file
Open in desktop
Empty file.
Empty file modified c/meterpreter/source/extensions/python/python_main.c
100755 → 100644
View file
Open in desktop
Empty file.
Empty file modified c/meterpreter/source/extensions/python/python_meterpreter_binding.c
100755 → 100644
View file
Open in desktop
Empty file.
104 changes: 52 additions & 52 deletions c/meterpreter/source/extensions/stdapi/server/railgun/railgun.c
100755 → 100644
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -220,32 +220,32 @@ DWORD railgun_call( RAILGUN_INPUT * pInput, RAILGUN_OUTPUT * pOutput )
#ifdef _WIN64
switch( dwStackSizeInElements )
{
case 0: pOutput->qwReturnValue = function( 00 )(); break;
case 1: pOutput->qwReturnValue = function( 01 )( p(0) ); break;
case 2: pOutput->qwReturnValue = function( 02 )( p(0), p(1) ); break;
case 3: pOutput->qwReturnValue = function( 03 )( p(0), p(1), p(2) ); break;
case 4: pOutput->qwReturnValue = function( 04 )( p(0), p(1), p(2), p(3) );break;
case 5: pOutput->qwReturnValue = function( 05 )( p(0), p(1), p(2), p(3), p(4) );break;
case 6: pOutput->qwReturnValue = function( 06 )( p(0), p(1), p(2), p(3), p(4), p(5) );break;
case 7: pOutput->qwReturnValue = function( 07 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6) );break;
case 8: pOutput->qwReturnValue = function( 08 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7) );break;
case 9: pOutput->qwReturnValue = function( 09 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8) );break;
case 10: pOutput->qwReturnValue = function( 10 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9) );break;
case 11: pOutput->qwReturnValue = function( 11 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10) );break;
case 12: pOutput->qwReturnValue = function( 12 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11) );break;
case 13: pOutput->qwReturnValue = function( 13 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12) );break;
case 14: pOutput->qwReturnValue = function( 14 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13) );break;
case 15: pOutput->qwReturnValue = function( 15 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14) );break;
case 16: pOutput->qwReturnValue = function( 16 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14), p(15) );break;
case 17: pOutput->qwReturnValue = function( 17 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14), p(15), p(16) );break;
case 18: pOutput->qwReturnValue = function( 18 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14), p(15), p(16), p(17) );break;
case 19: pOutput->qwReturnValue = function( 19 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14), p(15), p(16), p(17), p(18) );break;
case 20: pOutput->qwReturnValue = function( 20 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14), p(15), p(16), p(17), p(18), p(19) );break;
case 21: pOutput->qwReturnValue = function( 21 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14), p(15), p(16), p(17), p(18), p(19), p(20) );break;
case 22: pOutput->qwReturnValue = function( 22 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14), p(15), p(16), p(17), p(18), p(19), p(20), p(21) );break;
case 23: pOutput->qwReturnValue = function( 23 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14), p(15), p(16), p(17), p(18), p(19), p(20), p(21), p(22) );break;
case 24: pOutput->qwReturnValue = function( 24 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14), p(15), p(16), p(17), p(18), p(19), p(20), p(21), p(22), p(23) );break;
case 25: pOutput->qwReturnValue = function( 25 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14), p(15), p(16), p(17), p(18), p(19), p(20), p(21), p(22), p(23), p(24) );break;
case 0: pOutput->qwReturnValue = stdcall_func( 00 )(); break;
case 1: pOutput->qwReturnValue = stdcall_func( 01 )( p(0) ); break;
case 2: pOutput->qwReturnValue = stdcall_func( 02 )( p(0), p(1) ); break;
case 3: pOutput->qwReturnValue = stdcall_func( 03 )( p(0), p(1), p(2) ); break;
case 4: pOutput->qwReturnValue = stdcall_func( 04 )( p(0), p(1), p(2), p(3) );break;
case 5: pOutput->qwReturnValue = stdcall_func( 05 )( p(0), p(1), p(2), p(3), p(4) );break;
case 6: pOutput->qwReturnValue = stdcall_func( 06 )( p(0), p(1), p(2), p(3), p(4), p(5) );break;
case 7: pOutput->qwReturnValue = stdcall_func( 07 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6) );break;
case 8: pOutput->qwReturnValue = stdcall_func( 08 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7) );break;
case 9: pOutput->qwReturnValue = stdcall_func( 09 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8) );break;
case 10: pOutput->qwReturnValue = stdcall_func( 10 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9) );break;
case 11: pOutput->qwReturnValue = stdcall_func( 11 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10) );break;
case 12: pOutput->qwReturnValue = stdcall_func( 12 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11) );break;
case 13: pOutput->qwReturnValue = stdcall_func( 13 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12) );break;
case 14: pOutput->qwReturnValue = stdcall_func( 14 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13) );break;
case 15: pOutput->qwReturnValue = stdcall_func( 15 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14) );break;
case 16: pOutput->qwReturnValue = stdcall_func( 16 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14), p(15) );break;
case 17: pOutput->qwReturnValue = stdcall_func( 17 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14), p(15), p(16) );break;
case 18: pOutput->qwReturnValue = stdcall_func( 18 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14), p(15), p(16), p(17) );break;
case 19: pOutput->qwReturnValue = stdcall_func( 19 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14), p(15), p(16), p(17), p(18) );break;
case 20: pOutput->qwReturnValue = stdcall_func( 20 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14), p(15), p(16), p(17), p(18), p(19) );break;
case 21: pOutput->qwReturnValue = stdcall_func( 21 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14), p(15), p(16), p(17), p(18), p(19), p(20) );break;
case 22: pOutput->qwReturnValue = stdcall_func( 22 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14), p(15), p(16), p(17), p(18), p(19), p(20), p(21) );break;
case 23: pOutput->qwReturnValue = stdcall_func( 23 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14), p(15), p(16), p(17), p(18), p(19), p(20), p(21), p(22) );break;
case 24: pOutput->qwReturnValue = stdcall_func( 24 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14), p(15), p(16), p(17), p(18), p(19), p(20), p(21), p(22), p(23) );break;
case 25: pOutput->qwReturnValue = stdcall_func( 25 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14), p(15), p(16), p(17), p(18), p(19), p(20), p(21), p(22), p(23), p(24) );break;

default:
dprintf( "[RAILGUN] railgun_call: Can't call function: dwStackSizeInElements (%d) is > 25", dwStackSizeInElements );
Expand Down Expand Up @@ -295,32 +295,32 @@ DWORD railgun_call( RAILGUN_INPUT * pInput, RAILGUN_OUTPUT * pOutput )
} else { // STDCALL
switch( dwStackSizeInElements )
{
case 0: pOutput->qwReturnValue = function( 00 )(); break;
case 1: pOutput->qwReturnValue = function( 01 )( p(0) ); break;
case 2: pOutput->qwReturnValue = function( 02 )( p(0), p(1) ); break;
case 3: pOutput->qwReturnValue = function( 03 )( p(0), p(1), p(2) ); break;
case 4: pOutput->qwReturnValue = function( 04 )( p(0), p(1), p(2), p(3) );break;
case 5: pOutput->qwReturnValue = function( 05 )( p(0), p(1), p(2), p(3), p(4) );break;
case 6: pOutput->qwReturnValue = function( 06 )( p(0), p(1), p(2), p(3), p(4), p(5) );break;
case 7: pOutput->qwReturnValue = function( 07 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6) );break;
case 8: pOutput->qwReturnValue = function( 08 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7) );break;
case 9: pOutput->qwReturnValue = function( 09 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8) );break;
case 10: pOutput->qwReturnValue = function( 10 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9) );break;
case 11: pOutput->qwReturnValue = function( 11 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10) );break;
case 12: pOutput->qwReturnValue = function( 12 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11) );break;
case 13: pOutput->qwReturnValue = function( 13 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12) );break;
case 14: pOutput->qwReturnValue = function( 14 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13) );break;
case 15: pOutput->qwReturnValue = function( 15 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14) );break;
case 16: pOutput->qwReturnValue = function( 16 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14), p(15) );break;
case 17: pOutput->qwReturnValue = function( 17 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14), p(15), p(16) );break;
case 18: pOutput->qwReturnValue = function( 18 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14), p(15), p(16), p(17) );break;
case 19: pOutput->qwReturnValue = function( 19 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14), p(15), p(16), p(17), p(18) );break;
case 20: pOutput->qwReturnValue = function( 20 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14), p(15), p(16), p(17), p(18), p(19) );break;
case 21: pOutput->qwReturnValue = function( 21 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14), p(15), p(16), p(17), p(18), p(19), p(20) );break;
case 22: pOutput->qwReturnValue = function( 22 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14), p(15), p(16), p(17), p(18), p(19), p(20), p(21) );break;
case 23: pOutput->qwReturnValue = function( 23 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14), p(15), p(16), p(17), p(18), p(19), p(20), p(21), p(22) );break;
case 24: pOutput->qwReturnValue = function( 24 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14), p(15), p(16), p(17), p(18), p(19), p(20), p(21), p(22), p(23) );break;
case 25: pOutput->qwReturnValue = function( 25 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14), p(15), p(16), p(17), p(18), p(19), p(20), p(21), p(22), p(23), p(24) );break;
case 0: pOutput->qwReturnValue = stdcall_func( 00 )(); break;
case 1: pOutput->qwReturnValue = stdcall_func( 01 )( p(0) ); break;
case 2: pOutput->qwReturnValue = stdcall_func( 02 )( p(0), p(1) ); break;
case 3: pOutput->qwReturnValue = stdcall_func( 03 )( p(0), p(1), p(2) ); break;
case 4: pOutput->qwReturnValue = stdcall_func( 04 )( p(0), p(1), p(2), p(3) );break;
case 5: pOutput->qwReturnValue = stdcall_func( 05 )( p(0), p(1), p(2), p(3), p(4) );break;
case 6: pOutput->qwReturnValue = stdcall_func( 06 )( p(0), p(1), p(2), p(3), p(4), p(5) );break;
case 7: pOutput->qwReturnValue = stdcall_func( 07 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6) );break;
case 8: pOutput->qwReturnValue = stdcall_func( 08 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7) );break;
case 9: pOutput->qwReturnValue = stdcall_func( 09 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8) );break;
case 10: pOutput->qwReturnValue = stdcall_func( 10 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9) );break;
case 11: pOutput->qwReturnValue = stdcall_func( 11 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10) );break;
case 12: pOutput->qwReturnValue = stdcall_func( 12 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11) );break;
case 13: pOutput->qwReturnValue = stdcall_func( 13 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12) );break;
case 14: pOutput->qwReturnValue = stdcall_func( 14 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13) );break;
case 15: pOutput->qwReturnValue = stdcall_func( 15 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14) );break;
case 16: pOutput->qwReturnValue = stdcall_func( 16 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14), p(15) );break;
case 17: pOutput->qwReturnValue = stdcall_func( 17 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14), p(15), p(16) );break;
case 18: pOutput->qwReturnValue = stdcall_func( 18 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14), p(15), p(16), p(17) );break;
case 19: pOutput->qwReturnValue = stdcall_func( 19 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14), p(15), p(16), p(17), p(18) );break;
case 20: pOutput->qwReturnValue = stdcall_func( 20 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14), p(15), p(16), p(17), p(18), p(19) );break;
case 21: pOutput->qwReturnValue = stdcall_func( 21 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14), p(15), p(16), p(17), p(18), p(19), p(20) );break;
case 22: pOutput->qwReturnValue = stdcall_func( 22 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14), p(15), p(16), p(17), p(18), p(19), p(20), p(21) );break;
case 23: pOutput->qwReturnValue = stdcall_func( 23 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14), p(15), p(16), p(17), p(18), p(19), p(20), p(21), p(22) );break;
case 24: pOutput->qwReturnValue = stdcall_func( 24 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14), p(15), p(16), p(17), p(18), p(19), p(20), p(21), p(22), p(23) );break;
case 25: pOutput->qwReturnValue = stdcall_func( 25 )( p(0), p(1), p(2), p(3), p(4), p(5), p(6), p(7), p(8), p(9), p(10), p(11), p(12), p(13), p(14), p(15), p(16), p(17), p(18), p(19), p(20), p(21), p(22), p(23), p(24) );break;

default:
dprintf( "[RAILGUN] railgun_call: Can't call function: dwStackSizeInElements (%d) is > 25", dwStackSizeInElements );
Expand Down
2 changes: 1 addition & 1 deletion c/meterpreter/source/extensions/stdapi/server/railgun/railgun.h
100644 → 100755
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -47,7 +47,7 @@ typedef struct _RAILGUN_OUTPUT
} RAILGUN_OUTPUT;

#define p(i) (ULONG_PTR)pStack[i]
#define function(i) ((STDCALL_FUNC_##i)pFuncAddr)
#define stdcall_func(i) ((STDCALL_FUNC_##i)pFuncAddr)
#define cdecl_func(i) ((CDECL_FUNC_##i)pFuncAddr)

typedef ULONG_PTR (__stdcall * STDCALL_FUNC_00)( VOID );
Expand Down
Empty file modified c/meterpreter/source/extensions/stdapi/server/stdapi.c
100644 → 100755
View file
Open in desktop
Empty file.
Empty file modified c/meterpreter/source/extensions/stdapi/stdapi.h
100755 → 100644
View file
Open in desktop
Empty file.
Empty file modified c/meterpreter/source/extensions/winpmem/winpmem.cpp
100755 → 100644
View file
Open in desktop
Empty file.
Empty file modified c/meterpreter/source/extensions/winpmem/winpmem.h
100755 → 100644
View file
Open in desktop
Empty file.
4 changes: 4 additions & 0 deletions c/meterpreter/source/metsrv/metsrv.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,10 @@
#include "remote_dispatch.h"
#include "libloader.h"

#define EXITFUNC_SEH 0xEA320EFE
#define EXITFUNC_THREAD 0x0A2A1DE0
#define EXITFUNC_PROCESS 0x56A2B5F0

#include "../ReflectiveDLLInjection/inject/src/GetProcAddressR.h"
#include "../ReflectiveDLLInjection/inject/src/LoadLibraryR.h"
#include "../ReflectiveDLLInjection/dll/src/ReflectiveLoader.h"
Expand Down
Empty file modified c/meterpreter/source/metsrv/server_pivot_named_pipe.c
100755 → 100644
View file
Open in desktop
Empty file.
3 changes: 3 additions & 0 deletions c/meterpreter/workspace/CMakeLists.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -225,6 +225,8 @@ if(BUILD_METSRV)
set(MET_SERVERS metsrv)
endif()

set(MET_RDI_ASM ReflectiveDLLInjection)

set(
MET_DLLS
${MET_SERVERS}
Expand All @@ -234,6 +236,7 @@ set(

set(
MET_PROJECTS
${MET_RDI_ASM}
${MET_LIBS}
${MET_DLLS}
)
Expand Down
19 changes: 19 additions & 0 deletions c/meterpreter/workspace/ReflectiveDLLInjection/CMakeLists.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
cmake_minimum_required(VERSION 3.15.7 FATAL_ERROR)

set(PROJECT_NAME ReflectiveDLLInjection)

project(${PROJECT_NAME} ASM)

set(SRC_DIR ../../source/ReflectiveDLLInjection/dll/src)
if("${CMAKE_SYSTEM_PROCESSOR}" MATCHES "(x86_64|amd64)")
set(SRC_FILES ${SRC_DIR}/GateTrampoline64.s)
elseif("${CMAKE_SYSTEM_PROCESSOR}" MATCHES "(i386|i686)")
set(SRC_FILES ${SRC_DIR}/GateTrampoline32.s)
endif()

set_property(DIRECTORY PROPERTY COMPILE_DEFINITIONS)
set_property(DIRECTORY PROPERTY INCLUDE_DIRECTORIES)
set(CMAKE_ASM_FLAGS_RELEASE_INIT "")
set(CMAKE_ASM_FLAGS_RELEASE "")

add_library(${PROJECT_NAME} ${SRC_FILES})
12 changes: 12 additions & 0 deletions c/meterpreter/workspace/ReflectiveDLLInjection/ReflectiveDLLInjection.vcxproj
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -187,16 +187,28 @@
</Lib>
</ItemDefinitionGroup>
<ItemGroup>
<ClCompile Include="..\..\source\ReflectiveDLLInjection\dll\src\ColdGate.c" />
<ClCompile Include="..\..\source\ReflectiveDLLInjection\inject\src\GetProcAddressR.c" />
<ClCompile Include="..\..\source\ReflectiveDLLInjection\inject\src\LoadLibraryR.c" />
<ClCompile Include="..\..\source\ReflectiveDLLInjection\dll\src\ReflectiveLoader.c" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="..\..\source\ReflectiveDLLInjection\dll\src\ColdGate.h" />
<ClInclude Include="..\..\source\ReflectiveDLLInjection\inject\src\GetProcAddressR.h" />
<ClInclude Include="..\..\source\ReflectiveDLLInjection\inject\src\LoadLibraryR.h" />
<ClInclude Include="..\..\source\ReflectiveDLLInjection\common\ReflectiveDLLInjection.h" />
<ClInclude Include="..\..\source\ReflectiveDLLInjection\dll\src\ReflectiveLoader.h" />
</ItemGroup>
<ItemGroup>
<MASM Include="..\..\source\ReflectiveDLLInjection\dll\src\GateTrampoline32.asm">
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='r7_release|x64'">true</ExcludedFromBuild>
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Release|x64'">true</ExcludedFromBuild>
</MASM>
<MASM Include="..\..\source\ReflectiveDLLInjection\dll\src\GateTrampoline64.asm">
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='r7_release|Win32'">true</ExcludedFromBuild>
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">true</ExcludedFromBuild>
</MASM>
</ItemGroup>
<Choose>
<When Condition="'$(Platform)'=='Win32'" />
</Choose>
Expand Down
2 changes: 1 addition & 1 deletion c/meterpreter/workspace/dump_sam/CMakeLists.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@ if(MSVC)
endif()

set(LINK_LIBS psapi rpcrt4)
target_link_libraries(${PROJECT_NAME} ${LINK_LIBS})
target_link_libraries(${PROJECT_NAME} ${LINK_LIBS} ${MET_RDI_ASM})
if(MSVC)
target_link_options(${PROJECT_NAME} PUBLIC "/ignore:4070")
endif()
Expand Down
Loading