change clang to llvm-mingw to make shellcode
YuriSizuku committed Apr 5, 2024
1 parent f2ff60c commit fed58d7
Showing 15 changed files with 288 additions and 430 deletions.
29 changes: 29 additions & 0 deletions .github/workflows/build_wintools.yml
@@ -0,0 +1,29 @@
name: build_wintools
on:
push: {tags: ['v*'] } # Push events to matching v*, i.e. v1.0, v20.15.10
pull_request:

permissions:
contents: write

jobs:
build_winexe_winmemdll:
runs-on: windows-2019
steps:
- name: pull and init
uses: actions/checkout@v3
with: {submodules: true}

- name: add msbuild to path
uses: microsoft/setup-msbuild@v1.1

- name: build target
run: .\project\winexe_winmemdll\release_msvc.bat

- name: upload release
uses: ncipollo/release-action@v1
if: github.event_name == 'push'
with:
artifacts: "./project/winexe_winmemdll/build/winmemdll32.exe,./project/winexe_winmemdll/build/winmemdll64.exe"
allowUpdates: "true"
token: ${{ secrets.GITHUB_TOKEN }}
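Review bot: the three third-party actions in this hunk (`actions/checkout@v3`, `microsoft/setup-msbuild@v1.1`, `ncipollo/release-action@v1`) are pinned to mutable tags, and `permissions: contents: write` is granted at the workflow level although only the final `upload release` step needs it. Because this job publishes `winmemdll32.exe` and `winmemdll64.exe` as release binaries, pin each action to a full commit SHA (keep the tag in a trailing comment) and move the `contents: write` grant under `build_winexe_winmemdll`, or into a separate job that runs only for the `v*` tag push, so the `pull_request` build runs with a read-only token. `allowUpdates: "true"` also means a re-pushed tag silently replaces binaries already attached to the release; if that is intended, say so in a comment, otherwise drop it so a second run on an existing tag fails loudly instead.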
171 changes: 57 additions & 114 deletions README.md
@@ -1,76 +1,46 @@
# MemoryModule

![GitHub tag (latest by date)](https://img.shields.io/github/v/tag/yurisizuku/memorymodule?color=green&label=MemoryModule)
![GitHub tag (latest by date)](https://img.shields.io/github/v/tag/yurisizuku/memorymodule?color=green&label=MemoryModule)![GitHub Workflow Status](https://img.shields.io/github/actions/workflow/status/YuriSizuku/MemoryModule/build_wintools.yml?label=build_wintools)

☘️ A tool to parse and load module in memory, as well as attach a DLL in EXE.
Most of the functions are inline, so that it can also be used in shellcode.
☘️ A flexible PE loader, loading module in memory.
Most of the functions can be inline, compatible for shellcode.

**compatible list:**

- [x] windows xp
- [x] windows 7
- [x] windows 8
- [x] windows 10
- [x] windows 11
- [x] linux wine

Now you don't need to use python to compile all of them, just use pre generated shellcode.
Also it support `cross-compile` on linux such as `codespaces`.
## build

## Compile
You can use `clang`(llvm-mingw), `gcc`(mingw-w64) or `tcc` and `msvc`(visual studio 2022) to compile.

### compile on windows

You can use `clang`, `gcc` or `tcc` and `msvc (visual studio 2019)`to compile,

here's a example for using `clang` to compile.
Here's a example for using `llvm-mingw`

```shell
git clone https://github.com/YuriSizuku/MemoryModule.git --recursive
cd MemoryModule/project/win_memdll
make winmemdll_shellcode # only if you want to generate ths shellcode
make ARCH=i686 # x86 release
make ARCH=x86_64 # x64 release
make ARCH=i686 DEBUG=1 # x86 debug
make ARCH=x86_64 DEBUG=1 # x64 debug
make winmemdll_shellcode # only if you want to generate shellcode
make winmemdll CC=i686-w64-mingw32-gcc BUILD_TYPE=32d # x86 debug
```

### compile on linux

You can also use `mingw` to compile on `linux` without generating shellcode by python.

```shell
sudo apt-get install mingw-w64
git clone https://github.com/YuriSizuku/MemoryModule.git --recursive
cd MemoryModule/project/win_memdll
make ARCH=i686 CC=i686-w64-mingw32-gcc # mingw x86 release
make ARCH=x86_64 CC=x86_64-w64-mingw32-gcc # mingw x64 release
```

If you want to develop on `codespaces`, here's the `c_cpp_properties.json` on vscode.
## Usage

```json
{
"configurations": [
{
"name": "Linux gcc i686 ",
"includePath": [
"${workspaceFolder}/**",
"${workspaceFolder}/depend/reversetool/src/c/include/**"
],
"defines": ["WINPE_IMPLEMENTATION", "WINPE_NOASM"],
"compilerPath": "/usr/bin/i686-w64-mingw32-gcc",
"cStandard": "c99",
"cppStandard": "c++11",
"intelliSenseMode": "windows-gcc-x86"
}
],
"version": 4
}
``` mermaid
%%{init: {'theme':'forest'}}%%
graph LR;
f1[winpe_findspace]
f2[winpe_memreloc];
f3[winpe_membindiat]
f4[winpe_membindtls]
f5[pfnDllMain]
f1 --> f2 --> f3 --> f4 --> f5
```

## Usage

### load DLL in memory

```c
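Review bot: the shell example keeps `cd MemoryModule/project/win_memdll` followed by `make`, but this same commit deletes `project/win_memdll/Makefile` (see the file list), while the new CI job builds via `project\winexe_winmemdll\release_msvc.bat` and uploads `project/winexe_winmemdll/build/winmemdll32.exe`; point the example at the directory that now holds the Makefile defining the `winmemdll_shellcode` and `winmemdll` targets, and document the `BUILD_TYPE` values other than `32d`, since the removed lines listed x86/x64 release and debug and the new ones show only x86 debug. Two smaller points: the text now says `msvc`(visual studio 2022) while the workflow runs on `windows-2019`, so state which toolset the published binaries actually come from; and "Here's a example" should read "Here's an example".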
@@ -100,85 +70,58 @@ free(mempe);
win_injectmemdll.exe exepath dllpath [outpath]
```

## MemoryModule API
### API

These functions are essential to load memory module in windows.

```c
/*
similar to LoadlibrayA, will call dllentry
will load the mempe in a valid imagebase
return hmodule base
*/
inline void* STDCALL winpe_memLoadLibrary(void *mempe);

/*
if imagebase==0, will load on mempe, or in imagebase
will load the mempe in a valid imagebase, flag as below:
WINPE_LDFLAG_MEMALLOC 0x1, will alloc memory to imagebase
WINPE_LDFLAG_MEMFIND 0x2, will find a valid space,
must combined with WINPE_LDFLAG_MEMALLOC
return hmodule base
*/
inline void* STDCALL winpe_memLoadLibraryEx(void *mempe,
size_t imagebase, DWORD flag,
PFN_LoadLibraryA pfnLoadLibraryA,
PFN_GetProcAddress pfnGetProcAddress);

/*
similar to FreeLibrary, will call dllentry
return true or false
*/
inline BOOL STDCALL winpe_memFreeLibrary(void *mempe);
See [winpe.h](https://github.com/YuriSizuku/ReverseTool/blob/master/src/winpe.h) in detail.

/*
FreeLibraryEx with VirtualFree custom function
return true or false
```c
/**
* load the origin rawpe file in memory buffer by mem align
* mempe means the pe in memory alignment
* @param pmemsize mempe buffer size
* @return mempe buf
*/
inline BOOL STDCALL winpe_memFreeLibraryEx(void *mempe,
PFN_LoadLibraryA pfnLoadLibraryA,
PFN_GetProcAddress pfnGetProcAddress);

/*
similar to GetProcAddress
return function va
WINPE_API
void* STDCALL winpe_memload_file(const char *path, size_t *pmemsize, bool_t same_align);

/**
* load the mempe in a valid imagebase, will call dll entry
* @param imagebase if 0, will load on mempe, else in imagebase
* @param flag WINPE_LDFLAG_MEMALLOC 0x1, will alloc memory to imagebase
* WINPE_LDFLAG_MEMFIND 0x2, will find a valid space,
* @return hmodule base
*/
inline PROC STDCALL winpe_memGetProcAddress(
void *mempe, const char *funcname);
WINPE_API
void* STDCALL winpe_memLoadLibraryEx(void *mempe, size_t imagebase, DWORD flag,
PFN_LoadLibraryA pfnLoadLibraryA, PFN_GetProcAddress pfnGetProcAddress);

// mempe internal functions
/*
load the origin rawpe in memory buffer by mem align
return memsize
/**
* similar to FreeLibrary, will call dll entry
* @return True on successful
*/
inline size_t winpe_memload(const void *rawpe, size_t rawsize,
void *mempe, size_t memsize, bool_t same_align);

WINPE_API
BOOL STDCALL winpe_memFreeLibrary(void *mempe);

/*
realoc the addrs for the mempe addr as image base
return realoc count
/**
* similar to GetProcAddress
* @return function va
*/
inline size_t winpe_memreloc(void *mempe, size_t newimagebase);
WINPE_API
PROC STDCALL winpe_memGetProcAddress(void *mempe, const char *funcname);

/*
load the iat for the mempe
return iat count
*/
inline size_t winpe_membindiat(void *mempe,
PFN_LoadLibraryA pfnLoadLibraryA,
PFN_GetProcAddress pfnGetProcAddress);

/*
exec the tls callbacks for the mempe, before dll oep load
reason is for function PIMAGE_TLS_CALLBACK
return tls count
/**
* use peb and ldr list, similar as GetModuleHandleA
* @return ldr module address
*/
inline size_t winpe_membindtls(void *mempe, DWORD reason);
WINPE_API
void* STDCALL winpe_findmodulea(const char *modulename)
{
return winpe_findmoduleaex(NULL, modulename);
}
```
See `winpe.h` for parsing and loading PE structure in detail.
## Known issues
- [x] attach x64 DLL to exe crash on calling some windows API
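Review bot: the `flag` documentation for `winpe_memLoadLibraryEx` drops the constraint the removed comment carried, that `WINPE_LDFLAG_MEMFIND` "must combined with WINPE_LDFLAG_MEMALLOC"; if the loader still requires both bits, keep that sentence and say what happens when `MEMFIND` is passed alone, and if the requirement was lifted in the bumped `depend/reversetool`, note that so callers porting from the old API know. The listing also mixes prototypes with a full inline definition of `winpe_findmodulea`, whose body calls `winpe_findmoduleaex`, a function the README never declares; show only the prototype here, as for the other entries. `winpe_memLoadLibrary` and `winpe_memFreeLibraryEx` disappear from the documented API without a word in the commit message, so state whether they were removed or merely left undocumented. Finally, the `winpe.h` link points at ReverseTool's `master` branch rather than the commit the submodule is pinned to, so the documented prototypes can drift from what this tree actually builds.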
2 changes: 1 addition & 1 deletion depend/reversetool
135 changes: 0 additions & 135 deletions project/win_memdll/Makefile

This file was deleted.


0 comments on commit fed58d7