Exetools (https://forum.exetools.com/index.php)
-   x64 OS (https://forum.exetools.com/forumdisplay.php?f=44)
-   -   CodeCave in x64 (https://forum.exetools.com/showthread.php?t=20500)

RAMPage 03-30-2023 23:38

CodeCave in x64
 
Hello. I did this 12 years ago; redirecting the flow of execution was easy on a 32-bit PE executable: change the EP to the code cave, save the register state, execute the code and then restore it. In x64 I am searching for the way to do it.

Code:

hxxs://www.codeproject.com/Articles/20240/The-Beginners-Guide-to-Codecaves
The way to clear the registers, how do I do this in x64? I was seeing that PUSHAD and PUSHFD aren't in x64. Do I have to PUSH all the registers and POP them off in x64?


Code:

x32

PUSHAD                    ; save all general-purpose registers
PUSHFD                    ; save EFLAGS
<CODE>
POPFD                     ; restore in reverse order: flags were pushed last, so they come off first
POPAD
JMP Original Entry Point

Thanks :D

chessgod101 03-31-2023 02:20

Quote:

Should I have to PUSH all registers and pop them off in x64?
Yes. PUSHAD is not supported in x64, unfortunately. However, you could simply PUSH only the registers you are using in your cave to minimize size, depending on your requirements.

Intel x86/x64 assembly reference:
Code:

https://cdrdv2-public.intel.com/774494/325462-sdm-vol-1-2abcd-3abcd.pdf

RAMPage 03-31-2023 10:32

Thanks @chessgod101 for your reply. So I have to try this but, reading some of the Intel architecture manual,

PUSH RAX-R15 > PUSHAD
PUSHFQ > PUSHFD
<<Shellcode>>
POPFQ
POP R15 - RAX

?

Where can I start learning Assembly and coding by practice?

And always, Thanks.

blue_devil 03-31-2023 14:47

Quote:

Originally Posted by RAMPage (Post 127425)
<snipped>

Where can I start learning Assembly and coding by practice?

And always, Thanks.

RAMPage, if you are new or at zero with Intel's x86 architecture assembly, I can suggest this book:

Quote:

http://www.egr.unlv.edu/~ed/assembly64.pdf
This is an ebook, and it wasn't published. And it covers the 64-bit architecture; pretty up to date!

RAMPage 03-31-2023 19:01

Quote:

Originally Posted by blue_devil (Post 127427)
RAMPage, if you are new or at zero with Intel's x86 architecture assembly, I can suggest this book:

This is an ebook, and it wasn't published. And it covers the 64-bit architecture; pretty up to date!

Thanks for sharing. I will have fun with this when I have some free time; I'm in need of putting my knowledge into practice, and I see this book has quizzes, so I appreciate it.

blue_devil 03-31-2023 19:48

@RAMPage, In the context of "code caves" I have found this piece of art from the depths of internet; you are welcome my friend:

Quote:

hXXps://legend.octopuslabs.io/archives/2390/2390.htm

RAMPage 04-01-2023 04:08

Quote:

Originally Posted by blue_devil (Post 127430)
@RAMPage, In the context of "code caves" I have found this piece of art from the depths of internet; you are welcome my friend:

Friend, that's a great post; I really enjoyed it.

What I was saying is something like this:

Code:

hxxs://dl.packetstormsecurity.net/papers/general/manual-backdooring.pdf
Now I will try to do this in x64 with ASLR. :)

Stingered 04-01-2023 06:10

Another example from the Interneto:

hxxps://pastebin.com/34xCSrL2

vitriol 04-01-2023 06:37

Did something like this just recently with a friend.
We added a Section to the PE and patched the entry point with a jump to our entry code.
In case you're interested, the code is easy to read; you can find it on my friend's GitHub:
https://github.com/XaFF-XaFF/CaveCarver

RAMPage 04-18-2023 06:04

Quote:

Originally Posted by vitriol (Post 127439)
Did something like this just recently with a friend.
We added a Section to the PE and patched the entry point with a jump to our entry code.
In case you're interested, the code is easy to read; you can find it on my friend's GitHub:
https://github.com/XaFF-XaFF/CaveCarver


Didn't have the chance to see it; too many things to do in the house. I'm looking forward to finishing this work. I have to see how to disable ASLR in a binary too.
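
The pieces discussed in this thread, put together in one added example (written for this page; it is not code from any poster, from the linked tutorials or from CaveCarver): the x64 stand-in for PUSHAD/PUSHFD that chessgod101 and RAMPage went through, encoded as raw bytes with the POP order reversed; the entry-point redirection vitriol describes; and the DllCharacteristics DYNAMIC_BASE flag, which is what "disable ASLR in a binary" comes down to. The image it patches is a hypothetical PE32+ constructed in memory inside the program, and the function names (build_cave_stub, find_cave, patch_entry, build_sample_pe) are this example's own. Header offsets follow the PE32+ layout; the instruction encodings are the standard one-byte PUSH/POP forms with a REX.B prefix for r8-r15.

```c
/* Added example, not code from the thread or from CaveCarver: the x64 stand-in for the
 * PUSHAD/PUSHFD cave prologue as raw bytes, plus a minimal PE32+ patcher that writes it
 * into a code cave, redirects AddressOfEntryPoint and can clear DYNAMIC_BASE (ASLR). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define DYNAMIC_BASE    0x0040u     /* IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE */
#define SCN_MEM_EXECUTE 0x20000000u /* IMAGE_SCN_MEM_EXECUTE */
#define STUB_OVERHEAD   53          /* 24-byte prologue + 24-byte epilogue + 5-byte jmp rel32 */
#define SAMPLE_LEN      0x400       /* size of the constructed sample image */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> 8 * i); }

/* PUSH/POP r64 for reg 0..15 (rax=0 .. r15=15); r8..r15 need the REX.B prefix 0x41. */
static size_t enc_push_pop(uint8_t *out, int reg, int pop) {
    if (reg >= 8) *out++ = 0x41;
    *out = (uint8_t)((pop ? 0x58 : 0x50) + (reg & 7));
    return reg >= 8 ? 2 : 1;
}
/* PUSHAD/PUSHFD replacement: push the 15 GPRs (rsp excluded), pushfq, <body>, popfq, pop in
 * reverse order, jmp rel32 to the OEP. The jmp is RIP-relative, so the stub survives ASLR.
 * 16 pushes = 128 bytes, so rsp keeps its entry-point alignment (8 mod 16): a body that CALLs a
 * Win64 API still needs sub rsp,0x28 / add rsp,0x28 around the call; XMM regs are not saved. */
size_t build_cave_stub(uint8_t *out, const uint8_t *body, size_t body_len,
                       uint32_t cave_rva, uint32_t oep_rva) {
    size_t n = 0;
    for (int r = 0; r < 16; r++) if (r != 4) n += enc_push_pop(out + n, r, 0);
    out[n++] = 0x9C;                                  /* pushfq */
    memcpy(out + n, body, body_len); n += body_len;
    out[n++] = 0x9D;                                  /* popfq: pushed last, popped first */
    for (int r = 15; r >= 0; r--) if (r != 4) n += enc_push_pop(out + n, r, 1);
    out[n++] = 0xE9;                                  /* jmp rel32, displacement from the next instruction */
    wr32(out + n, oep_rva - (cave_rva + (uint32_t)n + 4)); n += 4;
    return n;                                         /* = body_len + STUB_OVERHEAD */
}

/* First run of `need` zero bytes in an executable section: file offset (0 if none), header via *sec_out. */
static size_t find_cave(uint8_t *img, size_t len, size_t need, uint8_t **sec_out) {
    uint32_t pe = rd32(img + 0x3C);
    uint8_t *sec = img + pe + 24 + rd16(img + pe + 20);       /* section table follows the optional header */
    for (uint16_t s = 0; s < rd16(img + pe + 6) && sec + 40 <= img + len; s++, sec += 40) {
        uint32_t raw = rd32(sec + 20), rawsz = rd32(sec + 16);
        if (!(rd32(sec + 36) & SCN_MEM_EXECUTE) || (size_t)raw + rawsz > len) continue;
        for (uint32_t i = 0, run = 0; i < rawsz; i++) {
            run = img[raw + i] ? 0 : run + 1;
            if (run == need) { *sec_out = sec; return raw + i + 1 - need; }
        }
    }
    return 0;
}
/* Write the stub into a cave, point AddressOfEntryPoint at it and, if asked, clear DYNAMIC_BASE
 * so the image loads at ImageBase. Returns the new EP RVA, 0 on failure. Any Authenticode
 * signature is invalidated; the PE CheckSum is not enforced for user-mode EXEs. */
uint32_t patch_entry(uint8_t *img, size_t len, const uint8_t *body, size_t body_len, int disable_aslr) {
    uint8_t stub[256], *sec;
    if (len < 0x40 || rd16(img) != 0x5A4D || body_len > sizeof stub - STUB_OVERHEAD) return 0;
    uint32_t pe = rd32(img + 0x3C);
    if ((size_t)pe + 0x60 > len || rd32(img + pe) != 0x4550 || rd16(img + pe + 24) != 0x20B) return 0;
    size_t off = find_cave(img, len, body_len + STUB_OVERHEAD, &sec);
    if (!off) return 0;
    uint32_t va = rd32(sec + 12), cave_rva = va + (uint32_t)(off - rd32(sec + 20));
    size_t n = build_cave_stub(stub, body, body_len, cave_rva, rd32(img + pe + 40));
    /* The cave may sit in the zero slack past VirtualSize: grow VirtualSize so the loader maps
     * it, but never past the SectionAlignment boundary (SizeOfImage would have to move too). */
    uint32_t align = rd32(img + pe + 56), vsz = rd32(sec + 8), end = cave_rva + (uint32_t)n - va;
    if (!align || end > (vsz + align - 1) / align * align) return 0;
    if (end > vsz) wr32(sec + 8, end);
    memcpy(img + off, stub, n);
    wr32(img + pe + 40, cave_rva);                             /* AddressOfEntryPoint -> cave */
    if (disable_aslr) wr16(img + pe + 94, (uint16_t)(rd16(img + pe + 94) & ~DYNAMIC_BASE));
    return cave_rva;
}
/* Constructed toy PE32+ (not a real binary): one .text section, 0x20 bytes of int3 "code", zero slack. */
size_t build_sample_pe(uint8_t *img) {
    memset(img, 0, SAMPLE_LEN);
    wr16(img, 0x5A4D); wr32(img + 0x3C, 0x80);                 /* MZ, e_lfanew */
    uint8_t *pe = img + 0x80, *sec = pe + 24 + 240;
    wr32(pe, 0x4550); wr16(pe + 4, 0x8664); wr16(pe + 6, 1);   /* PE\0\0, AMD64, one section */
    wr16(pe + 20, 240); wr16(pe + 22, 0x0022);                 /* SizeOfOptionalHeader, EXECUTABLE_IMAGE|LARGE_ADDRESS_AWARE */
    wr16(pe + 24, 0x20B); wr32(pe + 40, 0x1000);               /* PE32+ magic, AddressOfEntryPoint */
    wr32(pe + 48, 0x40000000); wr32(pe + 52, 1);               /* ImageBase 0x140000000 */
    wr32(pe + 56, 0x1000); wr32(pe + 60, 0x200); wr32(pe + 80, 0x2000); wr32(pe + 84, 0x200); /* SectionAlignment, FileAlignment, SizeOfImage, SizeOfHeaders */
    wr16(pe + 94, 0x8160);                                     /* HIGH_ENTROPY_VA|DYNAMIC_BASE|NX_COMPAT|TERMINAL_SERVER_AWARE */
    memcpy(sec, ".text", 5); wr32(sec + 36, 0x60000020);       /* name, CODE|EXECUTE|READ */
    wr32(sec + 8, 0x20); wr32(sec + 12, 0x1000); wr32(sec + 16, 0x200); wr32(sec + 20, 0x200); /* VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData */
    memset(img + 0x200, 0xCC, 0x20);                           /* existing "code", then 0x1E0 bytes of cave */
    return SAMPLE_LEN;
}

int main(void) {
    static uint8_t img[SAMPLE_LEN]; const uint8_t body[] = { 0x90 };   /* placeholder body: a single nop */
    build_sample_pe(img);
    uint32_t ep = patch_entry(img, SAMPLE_LEN, body, sizeof body, 1);
    printf("new EP RVA 0x%x, DllCharacteristics 0x%04x\n", (unsigned)ep, rd16(img + 0x80 + 94));
    return ep == 0x1020 ? 0 : 1;
}
```

On the sample image the stub lands at file offset 0x220 (RVA 0x1020), the entry point is moved there, .text's VirtualSize grows to cover it, and DllCharacteristics drops from 0x8160 to 0x8120. Clearing DYNAMIC_BASE is only needed if the body uses absolute addresses; the save/restore stub and the return JMP are already position-independent, so the alternative RAMPage mentions (keeping ASLR on) works as long as the body is written RIP-relative too. If no executable section has enough slack, adding a section as CaveCarver does is the fallback, which this example leaves out.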

bolo2002 04-19-2023 22:39

Quote:

Originally Posted by blue_devil (Post 127430)
@RAMPage, In the context of "code caves" I have found this piece of art from the depths of internet; you are welcome my friend:

I'm still amazed that blogs like this are still alive with good tutorials from those times; what happened to the author since 2012 is another question.

blue_devil 04-21-2023 16:30

Quote:

Originally Posted by bolo2002 (Post 127555)
i'm still amazed that blogs like this are still alive with good tutorials,at those time,what happen to the author since 2012 is another question..

I feel the same, bolo2002! That's why I am trying to archive these kinds of gems to the Web Archive. BTW, unfortunately I cannot access the other tutorials of octopuslabs; they are somehow gone, but the link I have shared is working.

MarcElBichon 04-21-2023 17:59

Quote:

Originally Posted by blue_devil (Post 127559)
BTW, unfortunately I cannot access other tutorials of octopuslabs, they were somehow gone, but the link I have shared is working.

hXXps://legend.octopuslabs.io/sample-page.html

bolo2002 04-21-2023 23:11

Quote:

Originally Posted by MarcElBichon (Post 127560)
hXXps://legend.octopuslabs.io/sample-page.html

Too late, all is said ;)

bolo2002 04-21-2023 23:23

https://www.mirrored.to/files/INNBTOA9/flumy.zip_links
