there's some problem when using x86 shellcode on win8.1 X64,maybe is the problem in dealing with the fun "GetProcAddressWithHash" ,the shellcode move the param to ecx, not using "push" I guess.

Is it currently possible to execute by ordinal after load? This would be a pretty neat feature combined with Cobalt Strike/DanderSpiritz, etc.

[UPDATE]

Just hit me that both of those have export names, would still be a nice feature though.

Hey, great project!

I just wanted to note that the native loader is set to use a hard coded dll path: "C:\Users\Nick\Documents\Projects\Throwback\Throwback2.5\bin\Persistence_InstallUtil_x64.dll"

Changing this string to argv[1] allows the NativeLoader to work as expected. This might have just been a commit mistake from testing. Just wanted to point it out. Thanks!

Source link:

Hi,

I want to use sRDI to convert a DLL that is managed code (.Net C#) with an exported function (using DllExport from RGiesecke.DllExport) to be used from unmanaged code. I need to call this specific exported function.

According to the Powershell ConvertTo-Shellcode script, I should be able to specify the function to call (and even pass it some arguments), however it is required to provide the hashed name of the function.

So I have 2 questions:

1. Would this work even work knowing that the DLL I'll be using is a managed one with unmanaged exports ?
2. How do I calculate the function hashed name ?

Thanks a lot for your help !

I pick out the hash calculation snippet from FunctionTest.cpp, and recreate a project with it, code as below:
#include "stdafx.h"
#include <Windows.h>

#define ROTR32(value, shift) (((DWORD) value >> (BYTE) shift) | ((DWORD) value << (32 - (BYTE) shift)))
DWORD HashFunctionName(LPSTR name) {
DWORD hash = 0;

do
{
	hash = ROTR32(hash, 13);
	hash += *name;
	name++;
} while (*(name - 1) != 0);

return hash;

}

int main(int argc, char **argv)
{
if (argc == 2) {
printf("0x%x\n", HashFunctionName(argv[1]));
}
return 0;
}

The output is clearly not right, what's wrong?

Hello, sRDI's Developers:
I am researching on Reflective DLL Injection, and use it for software protector.
However, I can't find Reflective DLL Injection asm source code, only shellcode over Google.
Hope you can give me it, help my study. Thank you.

On the short list of things the loading process still needs:

• TLS callback initialization
• Late imports (a fork of sRDI already has this, just needs merging)

Hey, I'm using your library to load a test compiled DLL as shellcode. To load I'm using the Native loader. everything was compiled using v141 toolset in VS2017.
The function does something simple and just echoes back a formatted string to OutputDebugString. Inside the function I've added a throw of std::exception and I'm not catching it in the respective catch clause or any other catch clause other than the ellipsis catch handler. The compiled code and shellcode are all x64 and it runs well aside from exception handling, which I saw the shellcode adds via a call to RtlAddFunctionTable.
Would love to hear what is done wrong in trying to catch the exception. Whether I need to add a hack to parse the exception structure or something the shellcode RDI needs to do to be able to handle specific exceptions.

DLLs cannot use FindResource when converted into shellcode. Same code works when not loaded using sRDI. Issue seems to be the same as TheWover/donut#70 where the PE stomping breaks the .rsrc section.
EDIT: Based on PE structure, not sure if there is a workaround other than disabling the SRDI_CLEARHEADER flag. Any ideas?
EDIT 2: Even with SRDI_CLEARHEADER it doesnt seem to work.

I've successfully compiled the TestDLL.dll, but the python script does not seem to work

%> python ConvertToShellcode.py ../Release/TestDLL.dll
Creating Shellcode: ../Release/TestDLL.bin
Traceback (most recent call last):
  File "ConvertToShellcode.py", line 24, in <module>
    main()
  File "ConvertToShellcode.py", line 19, in main
    converted_dll = ConvertToShellcode(dll, HashFunctionName(arguments.function_name))
  File "/tmp/sRDI-master/Python/ShellcodeRDI.py", line 43, in HashFunctionName
    functionHash += b
TypeError: unsupported operand type(s) for +=: 'int' and 'str'

How to release a dll loaded by sRDI similar to MemoryFreeLibrary dll

Fail when execute shellcode covert from golang dll

Environment: Win10 1709
DLL: C:\Windows\SysWOW64\user32.dll

1. I firstly use command python Python\ConvertToShellcode.py user32.dll convert user32.dll to user32.bin.
2. Then I change the code in Native\Loader.cpp to call API MessageBoxA after loading the user32.dll and compile the Native project using Visual Studio 2015 Debug x86.

	// Only set the first page to RWX
	// This is should sufficiently cover the sRDI shellcode up top
	if (VirtualProtect(finalShellcode, sysInfo.dwPageSize, PAGE_EXECUTE_READWRITE, &dwOldProtect1)) {
		RDI rdi = (RDI)(finalShellcode);

		printf("[+] Executing RDI\n");
 		UINT_PTR hLoadedDLL = rdi(); // Excute DLL

		free(finalShellcode); // Free the RDI blob. We no longer need it.

		/*Function exportedFunction = (Function)GetProcAddressR(hLoadedDLL, "SayGoodbye");
		if (exportedFunction) {
			printf("[+] Calling exported functon\n");
			exportedFunction();
		}*/
		MyMessageBoxA exportedFunction = (MyMessageBoxA)GetProcAddressR(hLoadedDLL, "MessageBoxA");
		if (exportedFunction) {
			printf("[+] Calling exported functon\n");
			exportedFunction(0, "Hello", "user32.dll message", 1);
		}
	}


----

typedef int (WINAPI *MyMessageBoxA)(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType);

3. Then use command Native.exe user32.bin to load the shellcode.
   The exe crashed and report a error :

0x7774CCC5 (ntdll.dll) (located at Native.exe) Exception: 0xC0000005: Access violation reading location 0x00000008.

I ensure that the GetProcAddressR return the correct address of MessageBoxA.

I found that the 0x7774CCC5 belongs to ntdll.dll!RtlAllocateHeap function:

Do you have comments that which possible cause this problem? My conclusion is that reflective loading a DLL written by ourselves works fine but loading a system dll(ntdll, user32..) will not work. It seems that there is something the loader doesn't handle when load the system dll into memory.

Hi,

How do you pass the 0x2 flag into the powershell ConvertTo-Shellcode.ps1 script?

When my program runs to this line of code, it takes a long time to return：
HMODULE hLoadedDLL = (HMODULE)rdi();
It's been running here for too long, what is the reason for this?

Hi there, I was unable to locate Invoke-Shellcode.ps1, was it removed?

Hello,

I'm having trouble converting sources to C or C++ with ConvertToShellcode.py

Indeed, when I try to convert some code into shellcode, I get an infinite loop when I test the shellcode on the generated .bin, even using the base dll of the TestDLL_x64.dll project:

python ConvertToShellcode.py TestDLL_x64.dll
Creating Shellcode: TestDLL_x64.bin

NativeLoader_x64.exe TestDLL_x64.bin
[+] Executing RDI
-> Infinite loop here

How can I solve this issue please?

this is my code
dllmain.cpp

#include <windows.h>
#include "template.h"

void go();

BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
		go();
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

void go()
{
	string sa = "sasas";

	static test<string>* t = new test<string>();
	printf("t ptr: 0x%x\n", t);
	t->add(&sa);
	printf("count: %d\n", t->count());
}

template.h

#pragma once
#include <stdio.h>
#include <map>
#include <string>
#include <windows.h>

using namespace std;

template <class T>
class test
{
public:
	test() = default;

	int add(T *ptr)
	{
		LPEXCEPTION_POINTERS info = NULL;
		DWORD code;
		__try
		{
			m_map[m_count] = ptr;
			return m_count++;
		}
		__except (code = GetExceptionCode(), info = GetExceptionInformation(), EXCEPTION_EXECUTE_HANDLER)
		{

			printf("Exception happene code: 0x%x, %d\n", code, info->ExceptionRecord->ExceptionInformation[1]);
			//info->ExceptionRecord->ExceptionInformation
			exit(0);
		}

	}

	int count()
	{
		return m_count;
	}

private:
	int m_count = 0;
	map<int, T*> m_map;
};

Natice Loader.cpp

...
	if (VirtualProtect(finalShellcode, sysInfo.dwPageSize, PAGE_EXECUTE_READWRITE, &dwOldProtect1)) {
		RDI rdi = (RDI)(finalShellcode);
		printf("[+] Executing RDI\n");
		HANDLE t = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)finalShellcode, NULL, 0, NULL);
		//WaitForSingleObject(t, INFINITE);
		getchar();
		free(finalShellcode); // Free the RDI blob. We no longer need it.
	}

when i remote inject via ProcessHacker work ok,but i use Native.exe load this dll is crash.
when i change static test<string>* t = new test<string>(); to test<string>* t = new test<string>(); in dllmain.cpp both work ok
the ptr always is NULL when i use static

this is result
ProcessHacker:

t ptr: 0xad7a0
count: 1

Native.exe Loader:

[+] File is a DLL, attempting to convert
[+] Successfully Converted
[+] Executing RDI
t ptr: 0x0
Exception happene code: 0xc0000005, 8

System environment: win7 x64

I use loaddll to convert wow64\user32 DLL loading will fail here. I don't know why,

if (alignedImageSize != AlignValueUp(lastSectionEnd, sysInfo.dwPageSize)) {
//It will return here, win10 is OK
return 0;
}

When running either ConvertTo-Shellcode in powershell or ConvertToShellcode(dll) in python the resulting shellcode causes the terminal to hang. This happens when executing the shellcode via Invoke-Shellcode or running the shellcode via Python's ctypes library. For reference, the dll I'm testing with is from https://github.com/CuckooEXE/PopCalc. Seems like a pretty simple dll which is written in C++. Still looking at the system calls currently, will update if I see something out of place.

Native/Loader.cpp:
Line 189 needs to be exchanged with Line 202.

Attempting to convert a simple DLL to shellcode, but receiving the following error. Am I doing something incorrect?

Note: DLL is 64bit

PS C:\Users\dev\Desktop\sRDI\PowerShell> Invoke-Shellcode -Shellcode (ConvertTo-Shellcode -File MessageBoxDLL.dll)
Add-Type : c:\Users\dev\AppData\Local\Temp\pn4hozhz\pn4hozhz.0.cs(65) : The name 'PE' does not exist in the current
context
c:\Users\dev\AppData\Local\Temp\pn4hozhz\pn4hozhz.0.cs(64) :
c:\Users\dev\AppData\Local\Temp\pn4hozhz\pn4hozhz.0.cs(65) : >>>         if (PE.Is64BitDLL(dllBytes))
c:\Users\dev\AppData\Local\Temp\pn4hozhz\pn4hozhz.0.cs(66) :         {
At C:\Users\dev\Desktop\sRDI\PowerShell\ConvertTo-Shellcode.ps1:353 char:5
+     Add-Type -TypeDefinition $Source -Language CSharp -CompilerParame ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (Microsoft.Power...peCompilerError:AddTypeCompilerError) [Add-Type], Except
   ion
    + FullyQualifiedErrorId : SOURCE_CODE_ERROR,Microsoft.PowerShell.Commands.AddTypeCommand

Python 3 removed file().

flake8 testing of https://github.com/monoxgas/sRDI on Python 3.6.2

$ flake8 . --count --select=E901,E999,F821,F822,F823 --show-source --statistics

./Python/pefile.py:928:14: F821 undefined name 'exceptions'
						except exceptions.ValueError as e:
             ^
./Python/peutils.py:405:14: F821 undefined name 'file'
					sig_f = file( filename, 'rt' )
             ^

sRDI/Python$ cat bug.py
from ShellcodeRDI import *

dll = open("../testexploit.dll", 'rb').read()
shellcode = ConvertToShellcode(dll)

sRDI/Python$ python3 bug.py
Traceback (most recent call last):
  File "bug.py", line 4, in <module>
    shellcode = ConvertToShellcode(dll)
  File "sRDI/Python/ShellcodeRDI.py", line 212, in ConvertToShellcode
    return bootstrap + rdiShellcode + dllBytes + userData
TypeError: can't concat str to bytes

Fix is to change:
https://github.com/monoxgas/sRDI/blob/master/Python/ShellcodeRDI.py#L59

    rdiShellcode32 = b"\x83\xEC......

I suspect EncodeBlobs.py already does this so I didn't send a pull request.
Great project!

I am trying to use the SRDI_CLEARMEMORY flag, but I am having a couple of issues. First, if I try running the shellcode generated using the PIC code of ShellcodeRDI.c I don't get any call to VirtualFree and it seems that there is no visible effect on the allocated memory.
After reading the ShellcodeRDI.c, the code responsible for the memory cleaning looks like is the following:

if (flags & SRDI_CLEARMEMORY && pVirtualFree && pLocalFree) {
		if (!pVirtualFree((LPVOID)dllData, 0, 0x00008000))
		{
			pLocalFree((LPVOID)dllData);
		}
		
	}

However, it looks to me that pVirtualFree and pLocalFree are initialised but no value is assigned to them?
I tried modifying the code myself and added the following at line ~ 260 of ShellcodeRDI.c:

BYTE sLocalFree[] = { 'L', 'o', 'c', 'a', 'l', 'F', 'r', 'e', 'e' };
BYTE sVirtualFree[] = { 'V', 'i', 'r', 't', 'u', 'a', 'l', 'F', 'r', 'e', 'e' };

FILL_STRING_WITH_BUF(aString, sLocalFree);
pLdrGetProcAddress(library, &aString, 0, (PVOID*)&pLocalFree);

FILL_STRING_WITH_BUF(aString, sVirtualFree);
pLdrGetProcAddress(library, &aString, 0, (PVOID*)&pVirtualFree);

Now, if I debug the program with something like x64dbg, I can see the invocation to VirtualFree but the following error is returned:

LocalFree fails as well with this:

The program I used to inject the sRDI shellcode is the DotNet loader in the main repository, where the ConvertToShellcode function is called with the 0x2 flag.

Am I doing something wrong here (except for spending my Sunday reading C code)?