Windows x86 POC

Author: Josh Lospinoso

Gargoyle.sln

@@ -0,0 +1,22 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio 14
+VisualStudioVersion = 14.0.25420.1
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Gargoyle", "Gargoyle.vcxproj", "{76CDDD0D-EA56-4AA9-9B94-41390A34AB23}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|x86 = Debug|x86
+		Release|x86 = Release|x86
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{76CDDD0D-EA56-4AA9-9B94-41390A34AB23}.Debug|x86.ActiveCfg = Debug|Win32
+		{76CDDD0D-EA56-4AA9-9B94-41390A34AB23}.Debug|x86.Build.0 = Debug|Win32
+		{76CDDD0D-EA56-4AA9-9B94-41390A34AB23}.Release|x86.ActiveCfg = Release|Win32
+		{76CDDD0D-EA56-4AA9-9B94-41390A34AB23}.Release|x86.Build.0 = Release|Win32
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+EndGlobal

Gargoyle.vcxproj

@@ -0,0 +1,101 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="14.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{76CDDD0D-EA56-4AA9-9B94-41390A34AB23}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>Gargoyle</RootNamespace>
+    <WindowsTargetPlatformVersion>8.1</WindowsTargetPlatformVersion>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v140</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v140</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ItemGroup>
+    <CustomBuild Include="setup.nasm">
+      <FileType>Document</FileType>
+      <Message>Assembling setup.nasm</Message>
+      <Command>nasm -f bin setup.nasm -o $(Configuration)\setup.pic</Command>
+      <Outputs>$(Configuration)\setup.pic</Outputs>
+    </CustomBuild>
+    <CustomBuild Include="gadget.nasm">
+      <FileType>Document</FileType>
+      <Message>Assembling gadget.nasm</Message>
+      <Command>nasm -f bin gadget.nasm -o $(Configuration)\gadget.pic</Command>
+      <Outputs>$(Configuration)\gadget.pic</Outputs>
+    </CustomBuild>
+  </ItemGroup>
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="Shared">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="main.cpp" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>

Gargoyle.vcxproj.filters

@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hh;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="main.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <CustomBuild Include="setup.nasm" />
+  </ItemGroup>
+</Project>

README.md

@@ -4,6 +4,32 @@
 # How it works
 ![gargoyle infographic](https://github.com/JLospinoso/gargoyle/raw/master/infographic.png)
 
-# Building from source
+# Build from source
+
+*gargoyle* is only implemented for 32-bit Windows (64-bit Windows on Windows is fine). You must have the following installed:
+
+* [Visual Studio](https://www.visualstudio.com/downloads/): 2015 Community is tested, but it may work for other versions.
+* [Netwide Assembler](http://www.nasm.us/pub/nasm/releasebuilds/?C=M;O=D) v2.12.02 x64 is tested, but it may work for other versions. Make sure `nasm.exe` is on your path.
+
+Clone *gargoyle*:
+
+```sh
+git clone https://github.com/JLospinoso/gargoyle.git
+```
+
+Open `Gargoyle.sln`, build, and run. There is some harness code in `main.cpp` that configures the following three components:
+
+* *gargoyle* stack trampoline, stack, and configuration (read/write memory on the heap)
+* *gargoyle* position independent code (PIC) that receives the ROP gadget/stack trampoline and runs arbitrary code
+* A ROP gadget. If you have `mshtml.dll`, *gargoyle* will load it into memory and use it. If it is not available, you will have to tell *gargoyle* to allocate its own (3-byte) ROP gadget on the heap:
+
+```cpp
+// main.cpp
+auto use_mshtml{ true };
+auto gadget_memory = get_gadget(use_mshtml, gadget_pic_path);
+```
+
+Every 5 seconds, gargoyle will pop up an empty message box then unmark itself executable. For fun, use [Sysinternals's excellent VMMap tool](https://technet.microsoft.com/en-us/sysinternals/vmmap.aspx) to examine when *gargoyle*'s PIC is executable. If a message box is active, *gargoyle* will be executable. If it is not, *gargoyle* should not be executable. The PIC's address is printed to `stdout` just before the harness calls into the PIC.
 
 # More information
+Blog post coming soon at [lospi.net](https://jlospinoso.github.io/).

gadget.nasm

@@ -0,0 +1,5 @@
+BITS 32
+
+	pop eax
+	pop esp
+	ret

main.cpp

@@ -0,0 +1,129 @@
+#include <vector>
+#include <tuple>
+#include <fstream>
+#include <iostream>
+#include "Windows.h"
+#include <psapi.h>
+
+using namespace std;
+
+namespace {
+  typedef void(*callable)(void*);
+  constexpr DWORD invocation_interval_ms = 5 * 1000;
+  constexpr size_t stack_size = 0x10000;
+
+  struct SetupConfiguration {
+    uint32_t initialized;
+    void* setup_address;
+    uint32_t setup_length;
+    void* VirtualProtectEx;
+    void* WaitForSingleObjectEx;
+    void* CreateWaitableTimer;
+    void* SetWaitableTimer;
+    void* MessageBox;
+    void* tramp_addr;
+    void* sleep_handle;
+    uint32_t interval;
+    void* target;
+    uint8_t shadow[8];
+  };
+
+  struct StackTrampoline {
+    void* VirtualProtectEx;
+    void* return_address;
+    void* current_process;
+    void* address;
+    uint32_t size;
+    uint32_t protections;
+    void* old_protections_ptr;
+    uint32_t old_protections;
+    void* setup_config;
+  };
+
+  struct Workspace {
+    SetupConfiguration config;
+    uint8_t stack[stack_size];
+    StackTrampoline tramp;
+  };
+}
+
+Workspace& allocate_workspace() {
+  auto result = VirtualAllocEx(GetCurrentProcess(), nullptr, sizeof(Workspace), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
+  if (!result) throw runtime_error("Couldn't VirtualAllocEx: " + GetLastError());
+  RtlSecureZeroMemory(result, sizeof(Workspace));
+  return *static_cast<Workspace*>(result);
+}
+
+tuple<void*, size_t> allocate_pic(const string& filename) {
+  fstream file_stream{ filename, fstream::in | fstream::ate | fstream::binary };
+  if (!file_stream) throw runtime_error("Couldn't open " + filename);
+  auto pic_size = static_cast<size_t>(file_stream.tellg());
+  file_stream.seekg(0, fstream::beg);
+  auto pic = VirtualAllocEx(GetCurrentProcess(), nullptr, pic_size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
+  if (!pic) throw runtime_error("Couldn't VirtualAllocEx: " + GetLastError());
+  file_stream.read(static_cast<char*>(pic), pic_size);
+  file_stream.close();
+  DWORD old_protection;
+  auto prot_result = VirtualProtectEx(GetCurrentProcess(), pic, pic_size, PAGE_EXECUTE_READ, &old_protection);
+  if (!prot_result) throw runtime_error("Couldn't VirtualProtectEx: " + GetLastError());
+  return { pic, pic_size };
+}
+
+void* get_gadget(bool use_mshtml, const string& gadget_pic_path) {
+  if (use_mshtml) {
+    auto mshtml_base = reinterpret_cast<uint8_t*>(LoadLibraryA("mshtml.dll"));
+    return mshtml_base + 7165405;
+  } else {
+    void* memory; size_t size;
+    tie(memory, size) = allocate_pic(gadget_pic_path);
+    return memory;
+  }
+}
+
+void launch(const string& setup_pic_path, const string& gadget_pic_path) {
+  void* setup_memory; size_t setup_size;
+  tie(setup_memory, setup_size) = allocate_pic(setup_pic_path);
+
+  auto use_mshtml{ true };
+  auto gadget_memory = get_gadget(use_mshtml, gadget_pic_path);
+
+  auto& scratch_memory = allocate_workspace();
+  auto& config = scratch_memory.config;
+  auto& tramp = scratch_memory.tramp;
+
+  tramp.old_protections_ptr = &tramp.old_protections;
+  tramp.protections = PAGE_EXECUTE_READ;
+  tramp.current_process = GetCurrentProcess();
+  tramp.VirtualProtectEx = VirtualProtectEx;
+  tramp.size = static_cast<uint32_t>(setup_size);
+  tramp.address = setup_memory;
+  tramp.return_address = setup_memory;
+  tramp.setup_config = &config;
+
+  config.setup_address = setup_memory;
+  config.setup_length = static_cast<uint32_t>(setup_size);
+  config.VirtualProtectEx = VirtualProtectEx;
+  config.WaitForSingleObjectEx = WaitForSingleObjectEx;
+  config.CreateWaitableTimer = CreateWaitableTimerW;
+  config.SetWaitableTimer = SetWaitableTimer;
+  config.MessageBox = MessageBox;
+  config.tramp_addr = &tramp;
+  config.interval = invocation_interval_ms;
+  config.target = gadget_memory;
+
+  printf("Gargoyle PIC located at --> %p\n", setup_memory);
+  printf("ROP gadget located at ----> %p\n", gadget_memory);
+  printf("Scratch memory located ---> %p\n", &scratch_memory);
+  printf("Top of stack -------------> %p\n", &scratch_memory.stack);
+  printf("Trampoline cast location -> %p\n", &scratch_memory.tramp);
+
+  reinterpret_cast<callable>(setup_memory)(&config);
+}
+
+int main() {
+  try {
+    launch("setup.pic", "gadget.pic");
+  } catch (exception& e) {
+    cerr << "Exception caught: " << e.what() << endl;
+  }
+}