ufrisk / pcileech

Direct Memory Access (DMA) Attack Software
GNU Affero General Public License v3.0
4.58k stars 695 forks

umd.c #252

Closed albfflk closed 11 months ago

albfflk commented 1 year ago

Hello!

I found this project by accident and it's incredible! Congrats!

I'm not a programmer but I like to try to look at code. I was wondering how complex it would be to execute a custom sc of my own by doing minimal changes to the code. I found that two of your sources, umd.c / shellc0de.c, look like good candidates to use with a custom Windows shellc0de.

I saw lines like these which look like user-mode:

```c
Util_ParseHexFileBuiltin("DEFAULT_WINX64_UMD_EXEC", pbExec, sizeof(pbExec), &cbExec);

{.sz = "DEFAULT_WINX64_STAGE23_VMM",.pb = (PBYTE)WINX64_STAGE23_VMM,.cb = sizeof(WINX64_STAGE23_VMM) },
```

The shellc0des look like they are hardcoded in shellcode.h.

Good candidates appear to be WINX64_UMD_EXEC and WINX64_STAGE23_VMM.

I guess that the first one is used when the user calls UMD_WINX64_IAT_PSEXEC, wx64_pscmd or wx64_pscmd_user. Right?

The second is called every time -kmd is passed, maybe?

I just need to run my custom win shellc0de. Is there a better option / workaround?

BTW, what is the idea of the -hook option? I understood it should hook the IAT table for a specific process, but how does the user pass the bytecodes that will be replaced (such as with inline shellcode)? Or is the idea not this?

Do you have links to buy you a coffee or something like that? :>

Sorry for idiot questions.

ufrisk commented 1 year ago

Not idiot questions at all.

Unfortunately the user mode injects in PCILeech were never totally finished. I had problems locating a reliable way to place the hook that would work in all processes.

I stopped investigating this since the kernel implants were already working very reliably at that point in time and there wasn't a big interest in user-mode-only injects from others. The pure user-mode injects never went past the experimental stage.

The shellcodes are hardcoded in shellcode.h as you mention. They are compiled from sources in the pcileech_shellcode directory. It's easier to take a look at them that way. The one you mention is coded in wx64_umd_exec.asm / .c.

Sadly it has been a while since I looked into this and it would take me some time to get into it again. I'm a bit busy with other things that have higher priority for the free open source parts of my projects. If there is a professional need for this I could look into it a bit more again and make it work in some scenarios though. Please let me know in that case.

Otherwise the kernel injects (including spawning user-mode processes) should be working, unless you have virtualization-based security / IOMMU-enforced code integrity enabled.