Exetools - General Discussion
#1  02-01-2017, 11:28
Mahmoudnia (Family; Join Date: Nov 2012; Location: Iran; Posts: 210)

Loader for x64 application?

Hi friends
How do I create a loader for an x64 application?
#2  02-01-2017, 12:12
chessgod101 (Co-Administrator; Join Date: Jan 2011; Location: United States; Posts: 517)
Here is a very simple example in Delphi. It creates a suspended process, gets the image base from the PEB, uses WriteProcessMemory to patch the application's memory, and then resumes the process. This will only work if you build it as an x64 application. I compiled this with XE7.

Code: http://pastebin.com/fkCyzu5W (uses Winapi.Windows)
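The following is an added example of the loader sequence chessgod101 describes (suspended process, image base from the PEB, WriteProcessMemory, resume); it is not the pastebin code from the post. The target path, the patch RVA and the byte values are constructed placeholders. The image base is read through NtQueryInformationProcess (declared in winternl.h) and the ImageBaseAddress field at offset $10 of the 64-bit PEB, so the loader must itself be built as a Win64 target; a 32-bit loader would see a WOW64 view with different offsets. Because the target is mapped before the process is suspended, the base read here already reflects ASLR, which is why the patch location must be an RVA (the disassembler address minus the preferred image base), not an absolute address and not a raw file offset.

```delphi
program Loader64;

{$APPTYPE CONSOLE}
{$IFNDEF CPUX64}
  {$MESSAGE FATAL 'Build this as a Win64 target; the PEB layout below is the 64-bit one'}
{$ENDIF}

uses
  Winapi.Windows, System.SysUtils;

const
  // Constructed placeholders (not from the thread): one-byte patch that turns jz (74) into jnz (75).
  TargetExe = 'C:\target\app64.exe';
  PatchRva  = $1234;
  OldBytes: array[0..0] of Byte = ($74);
  NewBytes: array[0..0] of Byte = ($75);

  ProcessBasicInformation = 0;

type
  // Native PROCESS_BASIC_INFORMATION (winternl.h); only PebBaseAddress is used here.
  TProcessBasicInformation = record
    ExitStatus: LongInt;
    PebBaseAddress: Pointer;
    AffinityMask: NativeUInt;
    BasePriority: LongInt;
    UniqueProcessId: NativeUInt;
    InheritedFromUniqueProcessId: NativeUInt;
  end;

function NtQueryInformationProcess(ProcessHandle: THandle; ProcessInformationClass: Cardinal;
  ProcessInformation: Pointer; ProcessInformationLength: Cardinal;
  ReturnLength: PCardinal): LongInt; stdcall; external 'ntdll.dll';

// Returns PEB.ImageBaseAddress of the (suspended) target; offset $10 is the 64-bit PEB layout.
function GetRemoteImageBase(hProcess: THandle): NativeUInt;
var
  pbi: TProcessBasicInformation;
  Status: LongInt;
  Base: Pointer;
  Count: SIZE_T;
begin
  Status := NtQueryInformationProcess(hProcess, ProcessBasicInformation, @pbi, SizeOf(pbi), nil);
  if Status < 0 then
    raise Exception.CreateFmt('NtQueryInformationProcess failed: 0x%.8x', [Cardinal(Status)]);
  if not ReadProcessMemory(hProcess, Pointer(NativeUInt(pbi.PebBaseAddress) + $10),
                           @Base, SizeOf(Base), Count) or (Count <> SizeOf(Base)) then
    RaiseLastOSError;
  Result := NativeUInt(Base);
end;

var
  si: TStartupInfo;
  pi: TProcessInformation;
  ImageBase: NativeUInt;
  Target: Pointer;
  Current: array[0..0] of Byte;
  Count: SIZE_T;
begin
  try
    ZeroMemory(@si, SizeOf(si));
    si.cb := SizeOf(si);
    // CREATE_SUSPENDED: the image is already mapped (ASLR base chosen) but no target code has run.
    if not CreateProcess(PChar(TargetExe), nil, nil, nil, False, CREATE_SUSPENDED, nil, nil, si, pi) then
      RaiseLastOSError;
    try
      try
        ImageBase := GetRemoteImageBase(pi.hProcess);
        Writeln(Format('Image base: 0x%.16x', [ImageBase]));
        Target := Pointer(ImageBase + PatchRva);
        // Check the original bytes first so a different build is not silently corrupted.
        if not ReadProcessMemory(pi.hProcess, Target, @Current, SizeOf(Current), Count)
           or (Count <> SizeOf(Current)) then
          RaiseLastOSError;
        if not CompareMem(@Current, @OldBytes, SizeOf(OldBytes)) then
          raise Exception.Create('Unexpected bytes at patch address; wrong target version?');
        if not WriteProcessMemory(pi.hProcess, Target, @NewBytes, SizeOf(NewBytes), Count) then
          RaiseLastOSError;
        FlushInstructionCache(pi.hProcess, Target, SizeOf(NewBytes));
        if ResumeThread(pi.hThread) = DWORD(-1) then
          RaiseLastOSError;
        Writeln('Patched and resumed.');
      except
        TerminateProcess(pi.hProcess, 1); // never leave a half-patched suspended process behind
        raise;
      end;
    finally
      CloseHandle(pi.hThread);
      CloseHandle(pi.hProcess);
    end;
  except
    on E: Exception do
    begin
      Writeln(ErrOutput, E.ClassName, ': ', E.Message);
      ExitCode := 1;
    end;
  end;
end.
```

Build it as a 64-bit console application and run it with the target path and patch values adjusted. The pre-write comparison against OldBytes is the check worth keeping in any real loader: it turns a version mismatch into a clean error instead of a corrupted process, and the except branch terminates the still-suspended target so nothing is left hanging if a step fails.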
#3  02-01-2017, 14:49
gigaman (Friend; Join Date: Jun 2002; Posts: 86)
I guess the answer would be "You do it the same way as you would for a 32-bit application" (e.g. the way chessgod101 suggested); you just need to compile the loader as a 64-bit executable as well.

While it is possible to achieve the same even from a 32-bit loader, using undocumented functions like NtWow64WriteVirtualMemory64, it would be an unnecessary hassle.
#4  02-01-2017, 18:31
sendersu (VIP; Join Date: Oct 2010; Posts: 867)
Have a look at the AsmJit and/or Blackbone libs.
#5  02-02-2017, 14:17
mudlord (Family; Join Date: Aug 2015; Posts: 83)
Yes, use Xbyak or AsmJit to build up the assembler/shellcode/code fragments, and then use Blackbone for the actual work. You could use something like mhook to make hook functions, though, and NASM for pure 64-bit assembler functions.

Blackbone is quite extensive and should be more than enough for your needs.
It assumes you know C++, though.
The same goes for Xbyak and AsmJit.
All times are GMT +8.