metasploit-framework

https://github.com/rapid7/metasploit-framework

Ruby

Metasploit Framework

Rex::Payloads::Win32::Kernel::Stager.stager_sysenter_hook

Works on Vista, Server 2008 and 7.

Full assembly source at:
/msf3/external/source/shellcode/windows/x86/src/kernel/stager_sysenter_hook.asm

This payload works as follows:
* Our sysenter handler and ring3 stagers are copied to a safe location.
* The SYSENTER_EIP_MSR is patched to point to our sysenter handler.
* The ring0 thread we are in is placed in a halted state.
* When any ring3 process issues a sysenter instruction, our ring0 sysenter handler gets control.
* The ring3 return address is modified to force our ring3 stub to be called if certain conditions are met.
* If NX is enabled, we patch the respective page table entry to disable it for the ring3 code.
* Control is passed to the real sysenter handler; when the real handler finishes, sysexit returns to our ring3 stager.
* If the ring3 stager is executing in the desired process, our sysenter handler is removed and the real ring3 payload is called.

Ruby source in the repository:
lib/rex/payloads/win32/kernel/stager.rb
