#1
CodeCave in x64
Hello. 12 years ago I did this: redirecting the flow of execution was easy on a 32-bit PE executable. Change the EP to the code cave, save the registers' status, execute the code, and then restore them. In x64 I am searching for the way to do it.
Code:
hxxs://www.codeproject.com/Articles/20240/The-Beginners-Guide-to-Codecaves
Code:
x32
PUSHAD
PUSHFD
<CODE>
POPFD        ; restore in reverse order: flags first, then the registers
POPAD
JMP Original Entry Point
#2
Intel x86/x64 assembly reference:
Code:
https://cdrdv2-public.intel.com/774494/325462-sdm-vol-1-2abcd-3abcd.pdf
__________________
"As the island of our knowledge grows, so does the shore of our ignorance." John Wheeler
#3
Thanks @chessgod101 for your reply. So I have to try this, but, reading some of the Intel architecture manual:
PUSH RAX-R15 > PUSHAD, PUSHFQ > PUSHFD, <<Shellcode>>, POP RAX-R15, POPFQ? Where can I start learning assembly and coding by practice? And as always, thanks.
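The x64 equivalent of the PUSHAD/PUSHFD wrapper asked about above, as an added example that is not code from the thread: it emits the push/pushfq prologue and its exact mirror (popfq first, then pops in reverse order) using the Intel SDM encodings, and computes the JMP rel32 back to the original entry point. The cave and OEP addresses are constructed placeholders.

```python
# Added example: build the x64 save/restore wrapper for a code cave.
# Encodings (Intel SDM vol. 2): PUSH r64 = 50+rd, POP r64 = 58+rd,
# REX.B (0x41) prefix selects r8-r15, PUSHFQ = 9C, POPFQ = 9D, JMP rel32 = E9 cd.
GPRS = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
        "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"]


def push(reg):
    n = GPRS.index(reg)
    return (b"\x41" if n >= 8 else b"") + bytes([0x50 + (n & 7)])


def pop(reg):
    n = GPRS.index(reg)
    return (b"\x41" if n >= 8 else b"") + bytes([0x58 + (n & 7)])


def save_state():
    # x64 has no PUSHAD: push every GPR except RSP (the stack pointer itself
    # is in use), then RFLAGS. Returns the bytes and the push order.
    regs = [r for r in GPRS if r != "rsp"]
    return b"".join(push(r) for r in regs) + b"\x9c", regs


def restore_state(regs):
    # The epilogue must mirror the prologue exactly: POPFQ first, then the
    # registers in reverse push order, otherwise values land in the wrong GPRs.
    return b"\x9d" + b"".join(pop(r) for r in reversed(regs))


def jmp_rel32(from_addr, to_addr):
    # rel32 is relative to the address following the 5-byte JMP.
    return b"\xe9" + (to_addr - (from_addr + 5)).to_bytes(4, "little", signed=True)


def build_cave(cave_va, oep_va, payload):
    # Full cave body: save -> payload -> restore -> jump back to the OEP.
    pro, regs = save_state()
    body = pro + payload + restore_state(regs)
    return body + jmp_rel32(cave_va + len(body), oep_va)


if __name__ == "__main__":
    # Constructed addresses; 0x90 (NOP) stands in for the payload.
    print(build_cave(0x1000, 0x400, b"\x90").hex())
```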
#4
#5
Thanks for sharing. I will have fun with this when I have some free time; I'm in need of putting my knowledge into practice, and this book I'm seeing has quizzes, so I appreciate it.
#6
@RAMPage, in the context of "code caves" I have found this piece of art from the depths of the internet; you are welcome, my friend:
The Following User Says Thank You to blue_devil For This Useful Post: RAMPage (04-01-2023)
#7
Friend, that's a great post, I really enjoyed it. What I was saying is something like this:
Code:
hxxs://dl.packetstormsecurity.net/papers/general/manual-backdooring.pdf
The Following 2 Users Say Thank You to RAMPage For This Useful Post: blue_devil (04-03-2023), niculaita (04-01-2023)
#8
Another example from the Internet:
hxxps://pastebin.com/34xCSrL2
The Following User Says Thank You to Stingered For This Useful Post: RAMPage (04-02-2023)
#9
Did something like this just recently with a friend.
We added a section to the PE and patched the entry point with a jump to our entry code. In case you're interested, the code is easy to read; you can find it on my friend's GitHub: https://github.com/XaFF-XaFF/CaveCarver
The Following 2 Users Say Thank You to vitriol For This Useful Post: blue_devil (04-03-2023), RAMPage (04-02-2023)
#10
Didn't have the chance to see it, too many things to do in the house. I'm looking forward to finishing this work; I have to see how to disable ASLR in a binary too.
#11
I'm still amazed that blogs like this, with good tutorials from that time, are still alive; what happened to the author since 2012 is another question.
__________________
I like this forum!
#12
I feel the same, bolo2002! That's why I am trying to archive these kinds of gems to the Web Archive. BTW, unfortunately I cannot access the other tutorials of octopuslabs; they are somehow gone, but the link I have shared is working.
#13
hXXps://legend.octopuslabs.io/sample-page.html
Last edited by MarcElBichon; 04-21-2023 at 18:04.
The Following User Says Thank You to MarcElBichon For This Useful Post: blue_devil (04-25-2023)
#15
https://www.mirrored.to/files/INNBTOA9/flumy.zip_links
__________________
I like this forum!