LloydLabs / ntqueueapcthreadex-ntdll-gadget-injection

A novel way of using NtQueueApcThreadEx for stealthy code injection: the ApcRoutine and SystemArgument[0-3] parameters are abused by passing a random pop r32; ret gadget.
https://blog.syscall.party
MIT License

Adjust for x64 shellcode #1

Open vivami opened 1 year ago

vivami commented 1 year ago

I'm trying to get this to work for x64 shellcode. The gadget pop r64; ret has the same opcodes as pop r32; ret (afaik, could be mistaken). However, if I add x64 calc shellcode and compile it for x64, it doesn't seem to work. Any idea why, or what else needs to be adjusted?

Thanks :)

Nero22k commented 1 year ago

I got it to work by using pop rax; ret.

#include <windows.h>

/* Match "pop rax; ret" (0x58 0xC3); the same two bytes encode pop eax; ret in 32-bit mode */
static BOOL gadget_match_valid(PBYTE pbAddress)
{
    return *pbAddress == 0x58 && *(pbAddress + 1) == 0xC3;
}

That's the only thing I changed.
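Added example (not code from the repository or from either commenter) showing why the two-byte match above works for both pop r32; ret and pop r64; ret, and what differs for r8..r15: 0x58+rd is the same opcode byte in 32-bit and 64-bit mode, a REX.B prefix (0x41) in front selects the extended registers in 64-bit mode, and 0xC3 is ret in both. The sample byte buffer is constructed here, not taken from any real ntdll, and the function names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Decode a "pop reg; ret" sequence at p (len bytes available).
 * Returns the register number 0..15, or -1 if no such sequence starts at p.
 *
 * 0x58+rd is "pop r32" in 32-bit mode and "pop r64" in 64-bit mode: the
 * bytes are identical, which is why 0x58 0xC3 matches eax and rax alike.
 * In 64-bit mode a REX.B prefix (0x41) in front selects r8..r15 instead
 * (assumed 64-bit decoding here). 0xC3 is "ret" in both modes.
 */
static int pop_ret_gadget_reg(const uint8_t *p, size_t len)
{
    size_t i = 0;      /* index of the pop opcode byte */
    int reg_base = 0;  /* 8 when a REX.B prefix is present */

    if (len >= 3 && p[0] == 0x41) {   /* REX.B prefix */
        reg_base = 8;
        i = 1;
    }
    if (i + 2 > len)
        return -1;
    if (p[i] < 0x58 || p[i] > 0x5F)   /* pop rax..rdi (r8..r15 with REX.B) */
        return -1;
    if (p[i + 1] != 0xC3)             /* ret */
        return -1;
    return reg_base + (p[i] - 0x58);
}

/* Count every offset in buf at which a "pop reg; ret" sequence starts.
   The scan is byte-granular, so 41 5C C3 counts twice: "pop r12; ret"
   at the prefix byte and "pop rsp; ret" one byte later. */
static size_t count_pop_ret_gadgets(const uint8_t *buf, size_t len)
{
    size_t n = 0, off;
    for (off = 0; off < len; off++)
        if (pop_ret_gadget_reg(buf + off, len - off) >= 0)
            n++;
    return n;
}

/* Offset of the first "pop <reg>; ret" for register number reg, or -1. */
static long find_pop_ret_gadget(const uint8_t *buf, size_t len, int reg)
{
    size_t off;
    for (off = 0; off < len; off++)
        if (pop_ret_gadget_reg(buf + off, len - off) == reg)
            return (long)off;
    return -1;
}

/* Constructed sample bytes for this example (not from any real ntdll). */
static const uint8_t sample[] = {
    0x90,              /* nop                          offset 0 */
    0x58, 0xC3,        /* pop rax; ret                 offset 1 */
    0x5B, 0x90,        /* pop rbx; nop (no ret)        offset 3 */
    0x41, 0x5C, 0xC3,  /* pop r12; ret at 5, pop rsp; ret at 6 */
    0x5F, 0xC3         /* pop rdi; ret                 offset 8 */
};

int main(void)
{
    static const char *names[16] = { "rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
                                     "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15" };
    size_t off;
    for (off = 0; off < sizeof sample; off++) {
        int reg = pop_ret_gadget_reg(sample + off, sizeof sample - off);
        if (reg >= 0)
            printf("offset %zu: pop %s; ret\n", off, names[reg]);
    }
    printf("%zu gadgets total, first pop rax; ret at offset %ld\n",
           count_pop_ret_gadgets(sample, sizeof sample),
           find_pop_ret_gadget(sample, sizeof sample, 0));
    return 0;
}
```

The decoder only recognises the single-register-operand forms of pop; it says nothing about whether a given offset is actually reachable code in the image it came from, which a real check would also need.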

vivami commented 1 year ago

Awesome, that worked. Thanks!

LloydLabs commented 1 year ago

Hi both, I'll add x64 support to the main branch tomorrow. This is definitely an issue, so I'll keep it open for now until the changes are made.