
NtQueueApcThreadEx call crash #13

guervild commented May 8, 2022

Hello

Following our discussion on Slack. Do not hesitate to contact me if I can help.

Describe the bug
The program crashes when invoking the NtQueueApcThreadEx syscall.

I think the problem is related to how I pass the parameters. Note that the fault is not a plain access violation: exception code 0xe06d7363 with 0x19930520 as its first parameter is the code the MSVC runtime uses for C++ exceptions, so it looks like a C++ exception was thrown inside a Windows DLL after the APC was queued (the handle 18446744073709551614 is the -2 pseudo-handle returned by GetCurrentThread, which is expected for a local injection).

To Reproduce
The code is generated by a tool I wrote; the template used can be found here: https://github.com/guervild/uru/blob/main/data/templates/injector/windows/bananaphone/local/NtQueueApcThreadEx-Local/functions.go.tmpl

Observed behavior

[INFO]    Loading bananaphone
[INFO]    Loading kernel32.dll
[INFO]    Loading GetCurrentThread procedure...
[INFO]    Try to allocate memory
[INFO]    Allocated 1379777 bytes at 1902622343168
[DEBUG]   Copying shellcode to memory...
[INFO]    Try to change memory protection to PAGE_EXECUTE_READ
[INFO]    Try to execute the shellcode
[DEBUG]   Got handle to current thread: 18446744073709551614
Exception 0xe06d7363 0x19930520 0xc00022d8a8 0x7ffd10c14f69
PC=0x7ffd10c14f69

runtime: unknown pc 0x7ffd10c14f69
stack: frame={sp:0xc00022d6c0, fp:0x0} stack=[0xc000180000,0xc000380000)
0x000000c00022d5c0:  0x0000000000000000  0x0000000000000023
0x000000c00022d5d0:  0x1ea2dada00000000  0x00007ffd12eda36f
0x000000c00022d5e0:  0x0000000000000000  0x00000000805bf4c6
0x000000c00022d5f0:  0x000000000000000d  0x000001bafbbf0000
0x000000c00022d600:  0x0000000000000000  0x00007ffd12ef0b31
0x000000c00022d610:  0x000001bafbb18eb0  0x006f006400000000
0x000000c00022d620:  0x0000000000000011  0x0000000000000040
0x000000c00022d630:  0x000001bafbbf02e4  0x000001bafbbf0000
0x000000c00022d640:  0x000001bafbbf1140  0x000001bafbb294e0
0x000000c00022d650:  0x000001bafbb18eb0  0x00007ffd12f13a0d
0x000000c00022d660:  0x00000000000b001d  0x00000000000000c4
0x000000c00022d670:  0x000001bafbb190b0  0x0000000000000110
0x000000c00022d680:  0x0000000000000000  0x0000000000000000
0x000000c00022d690:  0x0000342af9b3f101  0x000001bafbbf1140
0x000000c00022d6a0:  0x00007ffcf80a7000  0x000000c00022d8a8
0x000000c00022d6b0:  0x000000c00022d800  0x00007ffd10c14f69
0x000000c00022d6c0: <0x0000000000000110  0x00007ffcf80b9a50
0x000000c00022d6d0:  0x0000000000000000  0x000000c00022d780
0x000000c00022d6e0:  0x00000009e06d7363  0x0000000000000000
0x000000c00022d6f0:  0x00007ffd10c14f69  0x0069002000000004
0x000000c00022d700:  0x0000000019930520  0x000000c00022d8a8
0x000000c00022d710:  0x00007ffcf80b9a50  0x00007ffcf8080000
0x000000c00022d720:  0x0000000000000001  0x0000000000000000 
0x000000c00022d730:  0x0000000000000000  0x000000c00022d800
0x000000c00022d740:  0x000000c00022d810  0x00007ffd12f04a5f
0x000000c00022d750:  0x000000c00022d8a8  0x000000c000000000
0x000000c00022d760:  0x000000c00022d870  0x00007ffd10c0edb3
0x000000c00022d770:  0x00007ffcf80bd000  0x00007ffcf8080000
0x000000c00022d780:  0x0000031985f133a7  0x000000c00022d890
0x000000c00022d790:  0x00007ffcf80b9a50  0x00007ffd1122af2d
0x000000c00022d7a0:  0x0000000000000002  0x0000005200000000
0x000000c00022d7b0:  0x0000000000000000  0x0000000000000000
runtime: unknown pc 0x7ffd10c14f69
stack: frame={sp:0xc00022d6c0, fp:0x0} stack=[0xc000180000,0xc000380000)
0x000000c00022d5c0:  0x0000000000000000  0x0000000000000023
0x000000c00022d5d0:  0x1ea2dada00000000  0x00007ffd12eda36f
0x000000c00022d5e0:  0x0000000000000000  0x00000000805bf4c6
0x000000c00022d5f0:  0x000000000000000d  0x000001bafbbf0000 
0x000000c00022d600:  0x0000000000000000  0x00007ffd12ef0b31
0x000000c00022d610:  0x000001bafbb18eb0  0x006f006400000000
0x000000c00022d620:  0x0000000000000011  0x0000000000000040
0x000000c00022d630:  0x000001bafbbf02e4  0x000001bafbbf0000
0x000000c00022d640:  0x000001bafbbf1140  0x000001bafbb294e0
0x000000c00022d650:  0x000001bafbb18eb0  0x00007ffd12f13a0d
0x000000c00022d660:  0x00000000000b001d  0x00000000000000c4
0x000000c00022d670:  0x000001bafbb190b0  0x0000000000000110
0x000000c00022d680:  0x0000000000000000  0x0000000000000000
0x000000c00022d690:  0x0000342af9b3f101  0x000001bafbbf1140
0x000000c00022d6a0:  0x00007ffcf80a7000  0x000000c00022d8a8
0x000000c00022d6b0:  0x000000c00022d800  0x00007ffd10c14f69
0x000000c00022d6c0: <0x0000000000000110  0x00007ffcf80b9a50
0x000000c00022d6d0:  0x0000000000000000  0x000000c00022d780
0x000000c00022d6e0:  0x00000009e06d7363  0x0000000000000000
0x000000c00022d6f0:  0x00007ffd10c14f69  0x0069002000000004
0x000000c00022d700:  0x0000000019930520  0x000000c00022d8a8
0x000000c00022d710:  0x00007ffcf80b9a50  0x00007ffcf8080000
0x000000c00022d720:  0x0000000000000001  0x0000000000000000
0x000000c00022d730:  0x0000000000000000  0x000000c00022d800
0x000000c00022d740:  0x000000c00022d810  0x00007ffd12f04a5f
0x000000c00022d750:  0x000000c00022d8a8  0x000000c000000000
0x000000c00022d760:  0x000000c00022d870  0x00007ffd10c0edb3
0x000000c00022d770:  0x00007ffcf80bd000  0x00007ffcf8080000 
0x000000c00022d780:  0x0000031985f133a7  0x000000c00022d890
0x000000c00022d790:  0x00007ffcf80b9a50  0x00007ffd1122af2d
0x000000c00022d7a0:  0x0000000000000002  0x0000005200000000
0x000000c00022d7b0:  0x0000000000000000  0x0000000000000000
rax     0xc00022d1c0
rcx     0xc00022d020
rdi     0xc00022d8a8
rbp     0xc00022d800
rsp     0xc00022d6c0
r8      0xc00022d200
r9      0x342af9b3e991
r10     0x7ffd12eec3c8
r11     0x7ffd1039a000
r12     0x0
r13     0x1
r14     0x7ffcf80a7000
r15     0x0
rip     0x7ffd10c14f69
rflags  0x206
cs      0x33
fs      0x53
gs      0x2b