From dfec277813bfbc956dcac45345a9158093d68343 Mon Sep 17 00:00:00 2001
From: Matt Graeber
Date: Fri, 31 May 2013 19:35:26 -0400
Subject: Added Invoke-ReflectivePEInjection

Another awesome addition from Joe Bialek. Invoke-ReflectivePEInjection is a vast improvement over Invoke-ReflectiveDllInjection. It adds the following features:
* Now supports loading exe files in memory
* Supports reflective dll injection into a remote process
* Additional sample Visual Studio solutions
---
 .../Shellcode/x64/GetFuncAddress.asm | 27 ++++++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x64/GetFuncAddress.asm
(limited to 'CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x64/GetFuncAddress.asm')
diff --git a/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x64/GetFuncAddress.asm b/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x64/GetFuncAddress.asm
new file mode 100644
index 0000000..edeffd6
--- /dev/null
+++ b/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x64/GetFuncAddress.asm
@@ -0,0 +1,27 @@
+[SECTION .text]
+
+global _start
+
+_start:
+ ; Save state of rbx and stack
+ push rbx
+ mov rbx, rsp
+
+ ; Set up stack for function call to GetProcAddress
+ sub rsp, 0x20
+ and sp, 0xffc0
+
+ ; Call getprocaddress
+ mov rcx, 0x4141414141414141 ; DllHandle, set by PS
+ mov rdx, 0x4141414141414141 ; Ptr to FuncName string, set by PS
+ mov rax, 0x4141414141414141 ; GetProcAddress address, set by PS
+ call rax
+
+ ; Store the result
+ mov rcx, 0x4141414141414141 ; Ptr to buffer to save result,set by PS
+ mov [rcx], rax
+
+ ; Restore stack
+ mov rsp, rbx
+ pop rbx
+ ret
-- 
cgit v1.2.3
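Review bot: The `and sp, 0xffc0` line is described only as "Set up stack", but it is the alignment step of the prologue: a 16-bit AND on sp clears the low six bits of rsp while leaving the upper bits untouched, giving 64-byte alignment, which satisfies the 16-byte alignment the Microsoft x64 ABI requires at a call and keeps the 0x20 shadow-space reservation made just above it. A why-comment would make that intent explicit, e.g. `and sp, 0xffc0 ; align rsp to 64 (Win64 ABI needs 16 at call); upper bits of rsp unchanged`. The file also has no header stating its target ABI or that the four 0x4141414141414141 immediates are placeholders the PowerShell side overwrites at fixed byte offsets, so any instruction inserted ahead of them changes those offsets; a short header comment stating that contract (ABI, register roles, which immediates are patched) would help maintainers.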