Vault7: CIA Hacking Tools Revealed
Navigation: » Latest version
Owner: User #71477
XYLOPHAGE Research
Modifying/expanding PEPrivilege Escalation section to fit payloads
This does not seem like it's going to work. You can modify the data in the section, but (at least for 64 bit) the references from the .text code section are using pointers that are the distance from the end of the instruction to the variable data, in memory (after load). I cannot find any pointers to this offset, so we won't be able to find it at runtime. For example, the load of the 0xaaaaaaaa padding is done with a movsxd r13, <offset> instruction.
4c 63 2d 5a 19 00 00
where 0x0000195a is the offset from the end of the movsxd 7-byte instruction to the beginning of the pad of 0xaaaaaaaa.
To make this work, we would need a list of every place this type of offset is used, and then modify each offset to reflect where we moved the padding. I assumed this would be a relocation section, but I can't find the relocations.
Dumping assembly with objdump
Commands for dumping binary from DLLDynamic Link Library and using objdump (linux) to display Intel assembly
dd if=SilverFish.dll of=out.dll skip=3840 bs=1 count=256
objdump -D -S -l -b binary -M intel -m i386:x86-64 out.dll