This repository has been archived by the owner on Sep 1, 2022. It is now read-only.

tech.md

File metadata and controls

10 lines (8 loc) · 2.22 KB

special case docs

this page documents the special edge cases handled by doxastica, mostly so i don't forget them in future

  • --flag-mscoree: this flag triggers special behaviour in ldr when injecting before execution into a .NET executable. .NET loads executables in a weird way: the entry point is a stub that jumps to mscoree!CorExeMain, and that stub does not actually seem to get called. If you do the usual ebfe loop and then restore the original entry point, the process just dies. Instead, we restore by inserting shellcode that resolves CorExeMain itself and calls it directly. This is --flag-mscoree.
  • --flag-snakesalive: this was made for a one-off bypass of a security product. The target intercepted and blocked the usual CreateRemoteThread / SuspendThread games, but failed to protect against writes to a process that had been created suspended. This writes and inserts shellcode that calls LoadLibrary on our target DLL itself, relying on the fact that kernel32 is mapped at the same address in every process within a single boot.
  • cs_magicmirror(pid): this is a work in progress that copies the entire DLL image from one process's memory space into another, fixes up imports and relocations (a modified ReflectiveLoader), and calls DllMain. This seems to work, but somehow falls over in sprintf. Invoke with magicmirror(pid).
  • darksign.reflect_disk, darksign.reflect: these functions load a DLL either from memory (darksign.reflect(dll_Raw_data)) or from a DLL file on disk (darksign.reflect_disk(filename)). In both cases the DLL is loaded into the current process.
  • darksign.hollow: this is a test function that attempts to hollow out the current process and replace the in-memory image with new code, downloaded or otherwise. Needs some work; currently stuck on msvcrt initialization.
  • call / cs_call: this allows direct calls to arbitrary functions from within the Lua VM. Pass the address of the function to call as the first argument (__stdcall only, 32-bit only for now) and the remaining parameters as you would normally pass them to the function; the arguments are proxied onto a virtual stack, the function is called, and the shellcode cave is freed afterwards. String/binary arguments are also supported (lua_tostring gives us a pointer, which we marshal into a UINT_PTR and pass as if it were an integer).