TheWover / donut

Generates x86, x64, or AMD64+x86 position-independent shellcode that loads .NET Assemblies, PE files, and other Windows payloads from memory and runs them with parameters
BSD 3-Clause "New" or "Revised" License

Rsp adjustment breaks shellcode return #141

Closed wwh1004 closed 3 weeks ago

wwh1004 commented 11 months ago

Just using the demo .NET assembly and the example usage, it doesn't work.

donut --arch:amd64 --class:TestClass --method:RunProcess --args:"notepad.exe calc" --input:DemoCreateProcess.dll

Until the shellcode is finished, RtlExitUserThread is not called anywhere. Then the process will crash because an invalid instruction before 'call loader' will be executed. Is it a bug?


wwh1004 commented 11 months ago

It seems that the new code is causing the ret not to work.

See commit https://github.com/TheWover/donut/commit/257977cc98ab2e0da6ae00eae5628c60cb1ad60b and PR https://github.com/TheWover/donut/pull/90

pop     rcx                        ; after this pop, rsp points at the slot holding the caller's return address
and     rsp, 0xFFFFFFFFFFFFFFF0    ; 16-byte alignment can move rsp below that slot, and nothing restores it

ret can't really return to the shellcode caller.
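To make the effect of those two instructions concrete, here is an added example (not donut's code and not from the issue author) that models the x86-64 stack pointer in Python, replays the quoted prologue, and compares it with a frame-pointer-style prologue that restores rsp before ret. The addresses, the `sub rsp, 0x28` shadow-space step, the `call $+5` instance-pointer trick and the fix itself are assumptions made for this illustration; they are not taken from donut's source.

```python
# Added example (not donut's code): a toy x86-64 stack model that replays the
# quoted prologue and shows why its final `ret` cannot reach the caller.
# Addresses, the `sub rsp, 0x28` shadow-space step and the frame-pointer
# fix are assumptions made for this illustration.

WORD = 8
CALLER_RET = 0x00007FF6_1000_1234  # constructed: address after the caller's `call stub`
INSTANCE = 0x0000_0200_0000_0010   # constructed: address pushed by the stub's own `call $+5`
LOADER = 0x0000_0200_0000_0400     # constructed: address of the loader routine


class Cpu:
    """Just enough state to track rsp, rcx, rbp and 8-byte stack slots."""

    def __init__(self, rsp):
        self.regs = {"rsp": rsp, "rcx": 0, "rbp": 0}
        self.mem = {}  # slot address -> value; stale slots persist, like real memory

    def push(self, value):
        self.regs["rsp"] -= WORD
        self.mem[self.regs["rsp"]] = value

    def pop(self):
        value = self.mem.get(self.regs["rsp"], 0)  # 0 stands for a never-written slot
        self.regs["rsp"] += WORD
        return value

    def run(self, program):
        """Execute (mnemonic, operand) pairs; return the address the final ret pops."""
        for op, arg in program:
            if op == "call_next":      # `call $+5` trick: push, then fall through (no ret)
                self.push(arg)
            elif op == "call":         # call to a balanced routine that returns normally
                self.push(arg)
                self.pop()
            elif op == "push":
                self.push(self.regs[arg])
            elif op == "pop":
                self.regs[arg] = self.pop()
            elif op == "mov":
                dst, src = arg
                self.regs[dst] = self.regs[src]
            elif op == "and_rsp":
                self.regs["rsp"] &= arg
            elif op == "sub_rsp":
                self.regs["rsp"] -= arg
            elif op == "add_rsp":
                self.regs["rsp"] += arg
            elif op == "ret":
                return self.pop()
            else:
                raise ValueError(f"unknown op {op}")
        raise RuntimeError("program ended without ret")


# The sequence quoted in the issue: after `pop rcx` the caller's return address
# sits at the slot rsp points to, and `and rsp, -16` can move rsp below it.
BROKEN_STUB = [
    ("call_next", INSTANCE),
    ("pop", "rcx"),          # rcx = &instance; rsp now points at the caller's return address
    ("and_rsp", -16),        # drops rsp by 8 whenever the caller entered with rsp % 16 == 8
    ("sub_rsp", 0x28),       # shadow space (assumed)
    ("call", LOADER),
    ("add_rsp", 0x28),
    ("ret", None),           # pops from the aligned slot, not from the return-address slot
]

# One conventional fix (assumed, not necessarily what donut ships): keep the
# original rsp in a callee-saved register and restore it before ret.
FIXED_STUB = [
    ("call_next", INSTANCE),
    ("pop", "rcx"),
    ("push", "rbp"),
    ("mov", ("rbp", "rsp")),
    ("and_rsp", -16),
    ("sub_rsp", 0x28),
    ("call", LOADER),
    ("mov", ("rsp", "rbp")),  # undo the alignment and shadow space exactly
    ("pop", "rbp"),
    ("ret", None),
]


def ret_target(program, caller_rsp):
    """Simulate `call stub` from a caller whose rsp is caller_rsp; return where ret lands."""
    cpu = Cpu(caller_rsp)
    cpu.push(CALLER_RET)     # the caller's own `call` pushes its return address
    return cpu.run(program)


if __name__ == "__main__":
    for rsp in (0x7FF7_0000_1000, 0x7FF7_0000_1008):   # constructed: two caller alignments
        for name, prog in (("broken", BROKEN_STUB), ("fixed", FIXED_STUB)):
            target = ret_target(prog, rsp)
            print(f"{name:6} caller rsp={rsp:#x}: ret -> {target:#x} "
                  f"({'caller' if target == CALLER_RET else 'NOT caller'})")
```

With a caller whose rsp was 16-byte aligned before its call (the usual case inside a compiled function), the quoted prologue lands the final ret on the stale slot that still holds the instance pointer, so execution continues in data rather than at the caller. With the other alignment the `and` is a no-op and the stub happens to return correctly, which is why the bug can look intermittent. The frame-pointer variant returns to the caller in both cases because it restores the exact pre-alignment rsp.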