From 66a3632a523192227e62b8e90c4379ea82e6b526 Mon Sep 17 00:00:00 2001 From: idiom Date: Tue, 10 Oct 2017 21:56:53 -0400 Subject: [PATCH] Adding support for x64 debugging. Minor updates. --- README.md | 21 ++++++++++++++++++++- blobrunner.c | 52 ++++++++++++++++++++++++++++++++++++++++----------- changelog.txt | 6 ++++++ 3 files changed, 67 insertions(+), 12 deletions(-) create mode 100644 changelog.txt diff --git a/README.md b/README.md index 06952b8..9c89b24 100644 --- a/README.md +++ b/README.md @@ -18,7 +18,21 @@ __Build Steps__ - Open Visual Studio Command Prompt - Navigate to the directory where BlobRunner is checked out - - Build the executable by running: cl blobrunner.c + - Build the executable by running: + ``` + cl blobrunner.c + ``` + +### Building BlobRunner x64 + +Building the x64 version is virtually the same as above, but simply uses the x64 tooling. + - Open x64 Visual Studio Command Prompt + - Navigate to the directory where BlobRunner is checked out + - Build the executable by running: + ``` + cl /Feblobrunner64.exe /Foblobrunner64.out blobrunner.c + ``` + ## Usage @@ -45,6 +59,11 @@ Debug into file and don't pause before the jump. __Warning:__ Ensure you have a BlobRunner.exe shellcode.bin --nopause ``` +##### Debugging x64 Shellcode + +Inline assembly [isn't supported](https://msdn.microsoft.com/en-us/library/wbk4z78b.aspx) by the x64 compiler, so to support debugging into x64 shellcode the loader +creates a suspended thread which allows you to place a breakpoint at the thread entry, before the thread is resumed. + ##### Remote Debugging Shell Blobs (IDAPro) The process is virtually identical to debugging shellcode locally - with the exception that the you need to copy the shellcode file diff --git a/blobrunner.c b/blobrunner.c index ffb7df4..be75421 100644 --- a/blobrunner.c +++ b/blobrunner.c 
@@ -3,12 +3,16 @@ #include #include +#ifdef _WIN64 + #include +#endif + // Define bool typedef int bool; #define true 1 #define false 0 -char *_version = "0.0.1"; +char *_version = "0.0.2"; void banner(){ system("cls"); @@ -62,19 +66,45 @@ LPVOID process_file(char* inputfile_name){ void execute(LPVOID base, int offset, bool nopause, bool debug) { LPVOID entry; - + #ifdef _WIN64 + DWORD thread_id; + HANDLE thread_handle; + #endif + entry = (LPVOID)((int)base + offset); - printf(" [*] Entry: 0x%08x\n",entry); - if(nopause == false){ - printf("--- Press a key to jump into shellcode! ---\n"); - getchar(); - } - else{ - printf(" [*] Jumping to shellcode\n"); - } - __asm jmp entry; + #ifdef _WIN64 + + printf(" [*] Creating Suspended Thread...\n"); + thread_handle = CreateThread( + NULL, // Attributes + 0, // Stack size (Default) + entry, // Thread EP + NULL, // Arguments + 0x4, // Create Suspended + &thread_id); // Thread identifier + + if(thread_handle == NULL){ + printf(" [!] Error Creating thread..."); + return; + } + printf(" [*] Created Thread: [%d]\n", thread_id); + printf(" [*] Thread Entry: 0x%016x\n",entry); + printf(" [*] Navigate to the Thread Entry and set a breakpoint. Then press any key to resume the thread.\n",entry); + getchar(); + ResumeThread(thread_handle); + #else + printf(" [*] Entry: 0x%08x\n",entry); + if(nopause == false){ + printf(" [*] Navigate to the EP and set a breakpoint. Then press any key to jump to the shellcode.\n"); + getchar(); + } + else{ + printf(" [*] Jumping to shellcode\n"); + } + __asm jmp entry; + #endif } int main(int argc, char* argv[]) diff --git a/changelog.txt b/changelog.txt new file mode 100644 index 0000000..5cd954e --- /dev/null +++ b/changelog.txt @@ -0,0 +1,6 @@ +0.0.2 + - Added support for x64 debugging by using CreateThread and ResumeThread + - Minor updates + +0.0.1 + - Initial Version \ No newline at end of file
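Review bot: The new `#ifdef _WIN64` branch in execute() still takes its thread entry from the unchanged context line `entry = (LPVOID)((int)base + offset);`, and under _WIN64 that `(int)` cast truncates the 64-bit base pointer to 32 bits, so any blob mapped above 4 GB yields a bogus entry and the suspended thread faults as soon as it is resumed; pointer-width arithmetic is needed, `entry = (LPVOID)((ULONG_PTR)base + offset);`. The adjacent `printf(" [*] Thread Entry: 0x%016x\n",entry);` passes a pointer to `%x`, which consumes only 32 bits and so prints the same truncated value, hiding the problem — `%p` is the correct spelling — and the following "Navigate to the Thread Entry" printf passes `entry` with no conversion to consume it. The x64 path also ignores `nopause` (the getchar() is unconditional) even though README documents `--nopause` as skipping the pause, and after ResumeThread() the function returns without checking the result, waiting, or closing the handle; if main() simply returns after execute() — main is outside this hunk, so this is inferred — the process exits and kills the shellcode thread before it runs, whereas the x86 path never returns from its jmp. Using `CREATE_SUSPENDED` instead of the magic `0x4` and casting `entry` to `LPTHREAD_START_ROUTINE` would additionally remove the MSVC pointer-type warning on the CreateThread call.
```c
    entry = (LPVOID)((ULONG_PTR)base + offset);   /* no 32-bit truncation under _WIN64 */

    #ifdef _WIN64
    printf(" [*] Creating Suspended Thread...\n");
    thread_handle = CreateThread(
        NULL,                              // Attributes
        0,                                 // Stack size (Default)
        (LPTHREAD_START_ROUTINE)entry,     // Thread EP
        NULL,                              // Arguments
        CREATE_SUSPENDED,                  // Create Suspended
        &thread_id);                       // Thread identifier
    /* … unchanged: thread_handle == NULL check … */
    printf(" [*] Created Thread: [%lu]\n", thread_id);
    printf(" [*] Thread Entry: 0x%p\n", entry);
    if(nopause == false){
        printf(" [*] Navigate to the Thread Entry and set a breakpoint. Then press any key to resume the thread.\n");
        getchar();
    }
    else{
        printf(" [*] Resuming thread\n");
    }
    if(ResumeThread(thread_handle) == (DWORD)-1){
        printf(" [!] Error resuming thread...");
        CloseHandle(thread_handle);
        return;
    }
    /* Keep the process alive until the shellcode thread finishes; unlike the
       x86 jmp path, execute() returns here and main() may not wait for us. */
    WaitForSingleObject(thread_handle, INFINITE);
    CloseHandle(thread_handle);
    #else
    /* … unchanged: x86 print/pause and __asm jmp entry … */
    #endif
```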