initial mingw-w64 port

Signed-off-by: lns <matzeton@googlemail.com>
author: lns <matzeton@googlemail.com> 2019-02-01 16:03:19 +0100
committer: lns <matzeton@googlemail.com> 2019-02-01 16:03:19 +0100
commit: fa3e3d19b41b4846edb9a5efa0352c81413842cd (patch)
tree: 5053d372f9eed7b179fb069ed7580419c1460e9a
parent: a9f09b3697e34e2073aef849a1b853774b65e2c7 (diff)
3 files changed, 197 insertions, 20 deletions
diff --git a/Makefile b/Makefile
index 4267106..db144b2 100644
--- a/Makefile
+++ b/Makefile
@@ -1,12 +1,32 @@
 CD := cd
+LN := ln
 MAKE := make
 RM := rm
 AS := nasm
-CC := gcc
+ifneq ($(BUILD_MINGW32),)
+CC := i686-w64-mingw32-gcc
+SF := .exe
+else
+CC ?= gcc
+endif
+SF ?= $(SUFFIX)
+ifneq ($(NASM_FMT32),)
+NF32 := $(NASM_FMT32)
+else
+NF32 := elf32
+endif
+ifneq ($(NASM_FMT64),)
+NF64 := $(NASM_FMT64)
+else
+NF64 := elf64
+endif
 STRIP := strip
 LBITS := $(shell getconf LONG_BIT)
 CFLAGS += -Wall -O0 -g
-OCFLAGS += -zexecstack -znorelro -fno-stack-protector -fno-pie -ggdb -static
+OCFLAGS := -fno-stack-protector -fno-pie -ggdb -static
+ifeq ($(BUILD_MINGW32),)
+OCFLAGS += -zexecstack -znorelro
+endif
 ECFLAGS += -Wall -O2 -ggdb
 X86_FLAGS = -m32 -mpreferred-stack-boundary=2
 X64_FLAGS = -m64 -mpreferred-stack-boundary=4
@@ -22,22 +42,28 @@ endif
 main: $(TARGETS)
 
 exec_payload: exec_payload.c
-	$(CC) $(ECFLAGS) -m32 -o $@ $<
+	$(CC) $(ECFLAGS) -m32 -o $@$(SF) $<
+ifneq ($(SF),)
+	$(LN) -f -s $@$(SF) $@
+endif
 
 exec_payload_x64: exec_payload.c
-	$(CC) $(ECFLAGS) -m64 -o $@ $<
+	$(CC) $(ECFLAGS) -m64 -o $@$(SF) $<
 
 exec_payload_bin.o: exec_payload
-	$(STRIP) -s $<
-	$(AS) -felf32 -o $@ exec_crypter.asm
+	$(STRIP) -s $<$(SF)
+	$(AS) -f$(NF32) -o $@ exec_crypter.asm
 
 exec_crypter: exec_payload_bin.o exec_crypter.c
 	$(CC) $(ECFLAGS) -m32 -D_NOTASKID=1 -o $@.o -c $@.c
 	$(CC) $(ECFLAGS) -m32 -D_NOTASKID=1 -o $@ $(patsubst %.c,%.o,$^)
+ifneq ($(SF),)
+	$(LN) -f -s $@$(SF) $@
+endif
 
 exec_payload_x64_bin.o: exec_payload_x64
 	$(STRIP) -s $<
-	$(AS) -felf64 -o $@ exec_crypter_x64.asm
+	$(AS) -f$(NF64) -o $@ exec_crypter_x64.asm
 
 exec_crypter_x64: exec_payload_x64_bin.o exec_crypter.c
 	$(CC) $(ECFLAGS) -m64 -D_NOTASKID=1 -o $@.o -c exec_crypter.c
@@ -61,8 +87,14 @@ rebuild: clean all
 
 clean:
 	$(RM) -f *.o
-	$(RM) -f $(TARGETS) $(patsubst %,%_x64,$(TARGETS))
+	$(RM) -f $(TARGETS)
+ifneq ($(SF),)
+	$(RM) -f $(patsubst %,%$(SF),$(TARGETS))
+endif
 	$(RM) -f exec_payload_x64 exec_crypter_x64 overflow_x64 overflow_tcp_x64 sc-test_x64
+ifneq ($(SF),)
+	$(RM) -f exec_payload_x64$(SF) exec_crypter_x64$(SF) overflow_x64$(SF) overflow_tcp_x64$(SF) sc-test_x64$(SF)
+endif
 	$(MAKE) -C crypter clean
 	$(MAKE) -C shellcode clean
 
diff --git a/exec_crypter.c b/exec_crypter.c
index 4a85deb..af0f29a 100644
--- a/exec_crypter.c
+++ b/exec_crypter.c
@@ -6,8 +6,26 @@
 #include <string.h>         /* mem*() */
 #include <fcntl.h>          /* open() */
 #include <sys/stat.h>       /* fstat(), struct stat */
+#ifndef _WIN32
 #include <sys/sendfile.h>   /* sendfile() */
 #include <sys/mman.h>       /* mmap(), munmap() */
+#define SSIZET_FMT "%zd"
+#define OPEN_FLAGS 0x0
+#else
+#include <unistd.h>         /* pread, pwrite for sendfile impl */
+#include <assert.h>         /* assert() */
+#include <io.h>
+#include <windows.h>
+#include <sys/types.h>
+#define random rand
+#define srandom srand
+#define SSIZET_FMT "%ld"
+#define OPEN_FLAGS O_BINARY /* force open file in binary mode (ignore NUL bytes) */
+/* mingw-w64 uses different symbol name mangeling */
+#define _exec_payload_start exec_payload_start
+#define _exec_payload_end   exec_payload_end
+#define _exec_payload_size  exec_payload_size
+#endif
 #include <sys/time.h>       /* gettimeofday() */
 #include <limits.h>         /* LONG_MAX */
 #include <libgen.h>         /* basename() */
@@ -17,14 +35,124 @@ extern uint8_t _exec_payload_start[];
 extern uint8_t _exec_payload_end[];
 extern uint32_t _exec_payload_size;
 
+/* __attribute__ won't work for MSVC */
+#define MEH_ATTR __attribute__((packed, gcc_struct))
+
 typedef struct MyExecHeader {
     uint32_t marker;
     uint32_t xorkey[XOR_KEYLEN];
     uint8_t payload[0];
-} __attribute__((packed, gcc_struct)) MyExecHeader;
+} MEH_ATTR MyExecHeader;
+
+#ifdef _WIN32
+static long int sendfile(int out_fd, int in_fd,
+                         off_t *offset, size_t count)
+{
+    uint8_t buf[BUFSIZ*4];
+    ssize_t rsiz, wsiz = 0, temp;
+    assert( !offset ); /* we don't support offsets, cuz not required atm */
+
+    do {
+        rsiz = read(in_fd, buf, sizeof buf);
+        if (rsiz < 0)
+            return -1;
+        temp = write(out_fd, buf, rsiz);
+        if (temp < 0)
+            return -1;
+        wsiz += temp;
+    } while (rsiz > 0 && temp > 0);
+
+    return wsiz;
+}
+
+/* from: https://github.com/m-labs/uclibc-lm32/blob/master/utils/mmap-windows.c */
+#define PROT_READ     0x1
+#define PROT_WRITE    0x2
+/* This flag is only available in WinXP+ */
+#ifdef FILE_MAP_EXECUTE
+#define PROT_EXEC     0x4
+#else
+#define PROT_EXEC        0x0
+#define FILE_MAP_EXECUTE 0
+#endif
+
+#define MAP_SHARED    0x01
+#define MAP_PRIVATE   0x02
+#define MAP_ANONYMOUS 0x20
+#define MAP_ANON      MAP_ANONYMOUS
+#define MAP_FAILED    ((void *) -1)
+
+#ifdef __USE_FILE_OFFSET64
+# define DWORD_HI(x) (x >> 32)
+# define DWORD_LO(x) ((x) & 0xffffffff)
+#else
+# define DWORD_HI(x) (0)
+# define DWORD_LO(x) (x)
+#endif
+
+static void *mmap(void *start, size_t length, int prot, int flags, int fd, off_t offset)
+{
+	if (prot & ~(PROT_READ | PROT_WRITE | PROT_EXEC))
+		return MAP_FAILED;
+	if (fd == -1) {
+		if (!(flags & MAP_ANON) || offset)
+			return MAP_FAILED;
+	} else if (flags & MAP_ANON)
+		return MAP_FAILED;
+
+	DWORD flProtect;
+	if (prot & PROT_WRITE) {
+		if (prot & PROT_EXEC)
+			flProtect = PAGE_EXECUTE_READWRITE;
+		else
+			flProtect = PAGE_READWRITE;
+	} else if (prot & PROT_EXEC) {
+		if (prot & PROT_READ)
+			flProtect = PAGE_EXECUTE_READ;
+		else if (prot & PROT_EXEC)
+			flProtect = PAGE_EXECUTE;
+	} else
+		flProtect = PAGE_READONLY;
+
+	off_t end = length + offset;
+	HANDLE mmap_fd, h;
+	if (fd == -1)
+		mmap_fd = INVALID_HANDLE_VALUE;
+	else
+		mmap_fd = (HANDLE)_get_osfhandle(fd);
+	h = CreateFileMapping(mmap_fd, NULL, flProtect, DWORD_HI(end), DWORD_LO(end), NULL);
+	if (h == NULL)
+		return MAP_FAILED;
+
+	DWORD dwDesiredAccess;
+	if (prot & PROT_WRITE)
+		dwDesiredAccess = FILE_MAP_WRITE;
+	else
+		dwDesiredAccess = FILE_MAP_READ;
+	if (prot & PROT_EXEC)
+		dwDesiredAccess |= FILE_MAP_EXECUTE;
+	if (flags & MAP_PRIVATE)
+		dwDesiredAccess |= FILE_MAP_COPY;
+	void *ret = MapViewOfFile(h, dwDesiredAccess, DWORD_HI(offset), DWORD_LO(offset), length);
+	if (ret == NULL) {
+		CloseHandle(h);
+		ret = MAP_FAILED;
+	}
+	return ret;
+}
+
+static void munmap(void *addr, size_t length)
+{
+	UnmapViewOfFile(addr);
+	/* ruh-ro, we leaked handle from CreateFileMapping() ... */
+}
+/* EoF C&P */
+
+#endif /* _WIN32 */
 
 static uint8_t *
-findMarker(uint8_t *buf, size_t siz) {
+findMarker(uint8_t *buf, size_t siz)
+{
     size_t i;
 
     for (i = 3; i < siz; ++i) {
@@ -118,22 +246,30 @@ int main(int argc, char **argv) {
            _exec_payload_size);
 
     snprintf(new_path, sizeof new_path, "./.%s", basename(argv[0]));
-    arg0_fd = open(argv[0], O_RDONLY, 0);
-    new_fd = open(new_path, O_RDWR | O_CREAT | O_EXCL,
+    arg0_fd = open(argv[0], O_RDONLY | OPEN_FLAGS, 0);
+    new_fd = open(new_path, O_RDWR | O_CREAT | O_EXCL | OPEN_FLAGS,
                   S_IRWXU | S_IRWXG | S_IRWXO);
 
     printf("\n[fd]\n"
-           "arg0.: %d\n"
-           "new..: %d\n",
-           arg0_fd, new_fd);
+           "arg0.: %d '%s'\n"
+           "new..: %d '%s'\n",
+           arg0_fd, argv[0],
+           new_fd, new_path);
 
-    if (arg0_fd < 0 || new_fd < 0)
+    if (arg0_fd < 0 || new_fd < 0) {
+        perror("open");
         return 1;
-    if (fstat(arg0_fd, &arg0_statbuf))
+    }
+    if (fstat(arg0_fd, &arg0_statbuf)) {
+        perror("fstat");
         return 1;
+    }
     if (sendfile(new_fd, arg0_fd, NULL,
                  arg0_statbuf.st_size) != arg0_statbuf.st_size)
+    {
+        perror("sendfile");
         return 1;
+    }
     close(arg0_fd);
 
     mmap_exec = (uint8_t *) mmap(NULL, arg0_statbuf.st_size, PROT_READ | PROT_WRITE,
@@ -172,13 +308,13 @@ int main(int argc, char **argv) {
         snprintf(exec_path, sizeof exec_path, "%.*s_",
                 (int) sizeof exec_path - 2, new_path);
 
-        exec_fd = open(exec_path, O_RDWR | O_CREAT,
+        exec_fd = open(exec_path, O_RDWR | O_CREAT | OPEN_FLAGS,
                        S_IRWXU | S_IRWXG | S_IRWXO);
         if (exec_fd < 0)
             return 1;
 
         exec_off = my_ehdr->payload - mmap_exec;
-        printf("Extracted %zd\n",
+        printf("Extracted " SSIZET_FMT "\n",
                sendfile(exec_fd, new_fd, &exec_off, _exec_payload_size));
 
         close(exec_fd);
@@ -193,7 +329,10 @@ int main(int argc, char **argv) {
     munmap(mmap_exec, arg0_statbuf.st_size);
     close(new_fd);
 
-    rename(new_path, argv[0]);
+    if (rename(new_path, argv[0])) {
+        perror("rename");
+        return 1;
+    }
 
     return 0;
 }
diff --git a/overflow_tcp.c b/overflow_tcp.c
index 24af99e..618132f 100644
--- a/overflow_tcp.c
+++ b/overflow_tcp.c
@@ -1,9 +1,15 @@
+#ifdef _WIN32
+#include <ws2tcpip.h>
+#include <windows.h>
+#endif
 #include <stdlib.h>
 #include <stdio.h>
 #include <sys/types.h>
+#ifndef _WIN32
 #include <sys/socket.h>
 #include <sys/wait.h>
 #include <netinet/in.h>
+#endif
 #include <string.h>
 #include <unistd.h>
author	lns <matzeton@googlemail.com>	2019-02-01 16:03:19 +0100
committer	lns <matzeton@googlemail.com>	2019-02-01 16:03:19 +0100
commit	fa3e3d19b41b4846edb9a5efa0352c81413842cd (patch)
tree	5053d372f9eed7b179fb069ed7580419c1460e9a
parent	a9f09b3697e34e2073aef849a1b853774b65e2c7 (diff)