How to pass arguments to main payload in run-PE (or any program written by libPeConv)? #56
Comments
|
I've looked into this, you can't simply do here's a quick demo: constexpr inline ptrdiff_t RealMainOffset = ...;
inline peconv::PatchBackup PayloadMainBackup;
const wchar_t* NewArgv[] = { L"....exe", L"--version" };
constexpr auto NewArgc = sizeof(NewArgv) / sizeof(NewArgv[0]);
inline auto RealEntryPoint = (int(*)(int , const wchar_t** , const char**))nullptr;
static int PayloadMainHook(int argc, const wchar_t** argv, const char** envp)
{
PayloadMainBackup.applyBackup();
argc = NewArgc;
argv = NewArgv;
return RealEntryPoint(argc, argv, envp);
}
int main()
{
// Load the PE normally
// ...
auto EntryPointOffset = peconv::get_entry_point_rva((BYTE*)PayloadModuleBase);
RealEntryPoint = (decltype(RealEntryPoint))(PayloadModuleBase + RealMainOffset);
peconv::redirect_to_local(RealEntryPoint, &PayloadMainHook, &PayloadMainBackup);
auto EntryPoint = (int(*)())(PayloadModuleBase + EntryPointOffset);
return EntryPoint();
}This for sure isn't convenient for a library, The way the library can approach this imo is doing some simple dynamic analysis on the crt main to find the real main and hook it, i think this is the best way instead of editing the args pushed to the host process. |
|
You need to hook Sometimes you will also have to patch #include <Windows.h>
#include <peconv.h>
#include <string>
#include <cstdint>
std::string gCmdLineA;
std::wstring gCmdLineW;
static const uint8_t pe[] = {
//...
};
LPWSTR
WINAPI
hGetCommandLineW(
VOID
) {
return gCmdLineW.data();
}
LPSTR
WINAPI
hGetCommandLineA(
VOID
) {
return gCmdLineA.data();
}
int main() {
wchar_t selfFileNameW[MAX_PATH]{};
char selfFileNameA[MAX_PATH]{};
if (GetModuleFileNameW(NULL, selfFileNameW, MAX_PATH)) {
gCmdLineW.push_back(L'"');
gCmdLineW.append(selfFileNameW, wcslen(selfFileNameW)); // The first arg is always quoted application path
gCmdLineW.push_back(L'"');
gCmdLineW += L" NewArg1 NewArg2"; // New arguments
gCmdLineW.push_back(L'\0'); // Null terminator
std::wcout << gCmdLineW << std::endl;
}
if (GetModuleFileNameA(NULL, selfFileNameA, MAX_PATH)) {
gCmdLineA.push_back('"');
gCmdLineA.append(selfFileNameA, strlen(selfFileNameA)); // The first arg is always quoted application path
gCmdLineA.push_back('"');
gCmdLineA += " NewArg1 NewArg2"; // New arguments
gCmdLineA.push_back('\0'); // Null terminator
std::cout << gCmdLineA << std::endl;
}
peconv::hooking_func_resolver resolver;
resolver.add_hook("GetCommandLineW", reinterpret_cast<FARPROC>(&hGetCommandLineW));
resolver.add_hook("GetCommandLineA", reinterpret_cast<FARPROC>(&hGetCommandLineA));
RtlAcquirePebLock();
PPEB peb = NtCurrentPeb();
RtlInitUnicodeString(&peb->ProcessParameters->CommandLine, gCmdLineW.data()); // Patching PEB
RtlReleasePebLock();
size_t vSize = 0;
BYTE* loadedPe = peconv::load_pe_executable(pe, sizeof(pe), vSize, &resolver);
// ...
}And with RunPE everything is much simpler: you just need to pass the arguments to |
Issue:
I have tried to pass arguments to a payload loaded by libpeconv but it wasn't possible directly. So i decided to go a little bit deeper and modified some stack related parts of the code, it was successful but this method is heavily relied on Non-standard methods and requires more or less complicated modifications on the main code.
Is there any possible ongoing features that are not yet published or any other methods that i could use for this matter?
The text was updated successfully, but these errors were encountered: