Exetools  

CodeCave in x64

#1
03-30-2023, 23:38
RAMPage

Hello. 12 years ago, redirecting the flow of execution was easy on a 32-bit PE executable: change the EP to the code cave, save the register state, execute the code and then restore them. In x64 I am searching for the way to do it.

hxxs://www.codeproject.com/Articles/20240/The-Beginners-Guide-to-Codecaves

The way to clear the registers, how do I do this in x64? I was seeing that PUSHAD and PUSHFD aren't in x64. Should I have to PUSH all registers and pop them off in x64?


Code:
; x32
PUSHAD                    ; save all general-purpose registers
PUSHFD                    ; save EFLAGS
<CODE>
POPFD                     ; restore in reverse order: flags first
POPAD
JMP Original Entry Point
Thanks

#2
03-31-2023, 02:20
chessgod101
Quote:
Should I have to PUSH all registers and pop them off in x64?

Yes. PUSHAD is not supported in x64, unfortunately. However, you could simply PUSH only the registers you are using in your cave to minimize size, depending on your requirements.

Intel x86/x64 assembly reference:
https://cdrdv2-public.intel.com/774494/325462-sdm-vol-1-2abcd-3abcd.pdf

#3
03-31-2023, 10:32
RAMPage
Thanks @chessgod101 for your reply. So I have to try this, but, reading some of the Intel architecture manual, something like:

Code:
PUSH RAX-R15              ; replaces PUSHAD
PUSHFQ                    ; replaces PUSHFD
<<Shellcode>>
POPFQ                     ; restore in reverse order: flags first
POP R15-RAX
?

Where can I start learning Assembly and coding by practice?

And always, Thanks.

#4
03-31-2023, 14:47
blue_devil
Quote (Originally Posted by RAMPage):
<snipped>
Where can I start learning Assembly and coding by practice?
And always, Thanks.

RAMPage, if you are new or at zero with Intel's x86 architecture assembly, I can suggest you this book:

http://www.egr.unlv.edu/~ed/assembly64.pdf
This is an ebook, and it hasn't been published. It covers the 64-bit architecture and is pretty up to date!

#5
03-31-2023, 19:01
RAMPage
Quote (Originally Posted by blue_devil):
RAMPage, if you are new or at zero with Intel's x86 architecture assembly, I can suggest you this book:
This is an ebook, and it hasn't been published. It covers the 64-bit architecture and is pretty up to date!

Thanks for sharing. I will have fun with this when I have some free time; I'm in need of putting my knowledge into practice, and I see this book has quizzes, so I appreciate it.

#6
03-31-2023, 19:48
blue_devil
@RAMPage, in the context of "code caves" I have found this piece of art from the depths of the internet; you are welcome, my friend:

hXXps://legend.octopuslabs.io/archives/2390/2390.htm

#7
04-01-2023, 04:08
RAMPage
Quote (Originally Posted by blue_devil):
@RAMPage, in the context of "code caves" I have found this piece of art from the depths of the internet; you are welcome, my friend:

Friend, that's a great post, I really enjoyed it.

What I was saying is something like this:

hxxs://dl.packetstormsecurity.net/papers/general/manual-backdooring.pdf

Now I will try to do this in x64 with ASLR.

#8
04-19-2023, 22:39
bolo2002
Quote (Originally Posted by blue_devil):
@RAMPage, in the context of "code caves" I have found this piece of art from the depths of the internet; you are welcome, my friend:

I'm still amazed that blogs like this are still alive with good tutorials from those times; what happened to the author since 2012 is another question..

#9
04-21-2023, 16:30
blue_devil
Quote (Originally Posted by bolo2002):
I'm still amazed that blogs like this are still alive with good tutorials from those times; what happened to the author since 2012 is another question..

I feel the same, bolo2002! That's why I am trying to archive these kinds of gems to the Web Archive. BTW, unfortunately I cannot access the other tutorials of octopuslabs, they are somehow gone, but the link I have shared is working.

#10
04-21-2023, 17:59
MarcElBichon
Quote (Originally Posted by blue_devil):
BTW, unfortunately I cannot access the other tutorials of octopuslabs, they are somehow gone, but the link I have shared is working.

hXXps://legend.octopuslabs.io/sample-page.html


#11
04-21-2023, 23:11
bolo2002
Quote (Originally Posted by MarcElBichon):
hXXps://legend.octopuslabs.io/sample-page.html

Too late, all is said.

#12
04-01-2023, 06:10
Stingered
Another example from the Interneto:

hxxps://pastebin.com/34xCSrL2

#13
04-01-2023, 06:37
vitriol
Did something like this just recently with a friend. We added a section to the PE and patched the entry point with a jump to our entry code. In case you're interested, the code is easy to read; you can find it on my friend's GitHub:
https://github.com/XaFF-XaFF/CaveCarver

#14
04-18-2023, 06:04
RAMPage
Quote (Originally Posted by vitriol):
Did something like this just recently with a friend. We added a section to the PE and patched the entry point with a jump to our entry code. In case you're interested, the code is easy to read; you can find it on my friend's GitHub:
https://github.com/XaFF-XaFF/CaveCarver

Didn't have the chance to see it, too many things to do in the house. I'm looking forward to finishing this work; I have to see how to disable ASLR in a binary too.
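The two halves of this thread, the register save/restore stub from post #3 and the "patch the entry point to jump to the cave" step from posts #13 and #14, put together as an added example. This is my own code, not from the thread and not CaveCarver: a Python script that encodes the x64 replacement for PUSHAD/PUSHFD (one PUSH per register plus PUSHFQ, the POPs in reverse order, and a stack adjustment the Win64 ABI needs), then finds a run of zero bytes in an executable section of a PE32+ file, writes the stub there, retargets AddressOfEntryPoint at it and clears the DYNAMIC_BASE flag RAMPage asked about. The sample PE is constructed inline (three bytes of real code plus padding) so the script runs offline; all function and variable names are mine.

```python
import struct

# x64 register numbers as they appear in the opcode (+r) and REX.B encodings.
REGS = {"rax": 0, "rcx": 1, "rdx": 2, "rbx": 3, "rsp": 4, "rbp": 5, "rsi": 6, "rdi": 7,
        "r8": 8, "r9": 9, "r10": 10, "r11": 11, "r12": 12, "r13": 13, "r14": 14, "r15": 15}
SAVED = [r for r in REGS if r != "rsp"]  # rsp is restored implicitly by the pops themselves

def push(reg):  # 50+r, with REX.B (0x41) prefix for r8..r15
    n = REGS[reg]
    return (b"\x41" if n >= 8 else b"") + bytes([0x50 + (n & 7)])

def pop(reg):   # 58+r, with REX.B prefix for r8..r15
    n = REGS[reg]
    return (b"\x41" if n >= 8 else b"") + bytes([0x58 + (n & 7)])

def jmp_rel32(from_rva, to_rva):
    # E9 rel32: displacement relative to the end of the 5-byte instruction, so the
    # stub is position-independent and works with or without ASLR.
    return b"\xe9" + struct.pack("<i", to_rva - (from_rva + 5))

def build_stub(cave_rva, payload, oep_rva):
    """x64 replacement for PUSHAD/PUSHFD ... POPFD/POPAD around a payload, then jmp OEP."""
    prologue = b"".join(push(r) for r in SAVED) + b"\x9c"   # push rax..r15, pushfq
    # At the entry point RSP == 8 (mod 16) because the loader reached it with a CALL.
    # 16 pushes keep that; sub rsp,0x28 yields a 16-byte aligned RSP plus the 32-byte
    # shadow space the Win64 ABI demands before the payload may CALL anything.
    prologue += b"\x48\x83\xec\x28"                          # sub rsp, 0x28
    epilogue = b"\x48\x83\xc4\x28" + b"\x9d"                 # add rsp, 0x28 ; popfq
    epilogue += b"".join(pop(r) for r in reversed(SAVED))    # pop r15..rax: reverse order!
    body = prologue + payload + epilogue
    return body + jmp_rel32(cave_rva + len(body), oep_rva)

def u16(buf, off): return struct.unpack_from("<H", buf, off)[0]
def u32(buf, off): return struct.unpack_from("<I", buf, off)[0]

def find_cave(data, min_size):
    """(offset, length) of the longest run of zero bytes in a section's raw data, or None."""
    best, start = (None, 0), None
    for i, b in enumerate(data + b"\x01"):  # sentinel closes a trailing run
        if b == 0:
            start = i if start is None else start
        elif start is not None:
            best = max(best, (start, i - start), key=lambda t: t[1])
            start = None
    return best if best[1] >= min_size else None

def patch_pe(image, payload, disable_aslr=True):
    """Write the stub into a cave of an executable section and point AddressOfEntryPoint at it."""
    buf = bytearray(image)
    pe = u32(buf, 0x3C)                            # e_lfanew
    if buf[:2] != b"MZ" or buf[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, opt = u16(buf, pe + 6), pe + 24          # NumberOfSections, optional header
    if u16(buf, opt) != 0x20B:
        raise ValueError("PE32+ (x64) expected")
    oep = u32(buf, opt + 16)                       # original AddressOfEntryPoint
    need = len(build_stub(0, payload, 0))
    sec0 = opt + u16(buf, pe + 20)                 # first section header follows the optional header
    for i in range(nsec):
        s = sec0 + 40 * i
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", buf, s + 8)
        if not u32(buf, s + 36) & 0x20000000:      # IMAGE_SCN_MEM_EXECUTE
            continue
        cave = find_cave(bytes(buf[rawptr:rawptr + rawsize]), need)
        if cave is None:
            continue
        off, cave_rva = cave[0], va + cave[0]
        stub = build_stub(cave_rva, payload, oep)
        buf[rawptr + off:rawptr + off + len(stub)] = stub
        if off + len(stub) > vsize:                # raise VirtualSize so the loader surely maps the cave
            struct.pack_into("<I", buf, s + 8, off + len(stub))
        struct.pack_into("<I", buf, opt + 16, cave_rva)      # new entry point -> cave
        if disable_aslr:                           # clear IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
            struct.pack_into("<H", buf, opt + 70, u16(buf, opt + 70) & ~0x0040)
        return bytes(buf), cave_rva
    raise ValueError("no executable section has a cave of %d bytes" % need)

def build_sample_pe():
    """Constructed minimal PE32+: one .text section holding `xor eax,eax; ret` plus zero padding."""
    code = b"\x31\xc0\xc3"
    dos = bytearray(0x40); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII", 0x20B, 14, 0, 0x200, 0, 0,
                      0x1000, 0x1000, 0x140000000, 0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0,
                      0x2000, 0x200, 0, 3, 0x8160, 0x100000, 0x1000, 0x100000, 0x1000,
                      0, 16) + b"\0" * 128          # DllCharacteristics 0x8160 has DYNAMIC_BASE set
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(code), 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    return (bytes(dos) + b"PE\0\0" + coff + opt + sec).ljust(0x200, b"\0") + code.ljust(0x200, b"\0")

if __name__ == "__main__":
    patched, rva = patch_pe(build_sample_pe(), b"\x90")   # payload: a single NOP
    print("cave at RVA %#x, new entry point %#x" % (rva, u32(patched, u32(patched, 0x3C) + 24 + 16)))
```

Two caveats worth keeping in mind: the stub itself only uses a rel32 jump and no absolute addresses, so clearing DYNAMIC_BASE is only needed when the payload embeds absolute addresses (otherwise leave ASLR on); and a cave in .text carries no unwind information, so a payload that can raise an exception cannot rely on SEH there. The script does not recompute CheckSum (Windows ignores it for user-mode executables) and any Authenticode signature on the file is of course invalidated. To use it on a real binary, replace build_sample_pe() with the file's bytes and write the returned image back out.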

#15
04-21-2023, 23:23
bolo2002
https://www.mirrored.to/files/INNBTOA9/flumy.zip_links