Function hashed name
Arno0x opened this issue · 6 comments
Hi,
I want to use sRDI to convert a DLL that is managed code (.Net C#) with an exported function (using DllExport from RGiesecke.DllExport) to be used from unmanaged code. I need to call this specific exported function.
According to the Powershell ConvertTo-Shellcode script, I should be able to specify the function to call (and even pass it some arguments), however it is required to provide the hashed name of the function.
So I have 2 questions:
- Would this even work, knowing that the DLL I'll be using is a managed one with unmanaged exports?
- How do I calculate the function hashed name?
Thanks a lot for your help!
Oh well, I found it by myself:
- To get the function hash: use functionToHash.py provided in the sRDI repository. I used this function to get the hash of my exported function name, and there seems to be a problem though with some values of the hash; for instance, the PowerShell script ConvertTo-Shellcode raises an error for the hash being a negative value and not matching a proper "uint" value.
- Converting a managed DLL with some exported function to shellcode works, but then using the shellcode by injecting it using any usual means doesn't work.
1 - Feel free to provide an example function name that threw errors with the uint casting and I can check it out.
2 - Managed DLLs have not been tested. I suspect they would not work out of the box, but other loading techniques can be used if you need managed dll injection
As an example, here's a DLL with a "dbc2" exported function:
```
File Type: DLL

  Section contains the following exports for dbc2LoaderWrapperCLR_x86.dll

    00000000 characteristics
    59E610D9 time date stamp Tue Oct 17 16:16:57 2017
        0.00 version
           1 ordinal base
           1 number of functions
           1 number of names

    ordinal hint RVA      name

          1    0 000016A0 dbc2

  Summary

        3000 .data
        1000 .gfids
        7000 .rdata
        1000 .reloc
       10000 .text
```
Then I get the function hashname:
```
root@kali:~/Temp# python3 functionToHash.py dbc2
0xc59658c0
```
Eventually, calling the ConvertTo-Shellcode function:
```
c:\>powershell -c "ipmo .\ConvertTo-Shellcode.ps1; ConvertTo-Shellcode -File .\release_x86\dbc2LoaderWrapperCLR_x86.dll -FunctionHash 0xc59658c0"
Impossible de convertir l'argument «functionHash» (valeur «-980002624») de «ConvertToShellcode» en type «System.UInt32»: «Impossible de convertir la valeur «-980002624» en type «System.UInt32». Erreur: «Value was either too large or too small for a UInt32.»»
Au caractère C:\Temp\SecurityResearch\DropboxC2Loader\nativeWrapper\ConvertTo-Shellcode.ps1:584 : 5
+     [sRDI]::ConvertToShellcode($FileData, $FunctionHash, $UserDataBytes)
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodException
    + FullyQualifiedErrorId : MethodArgumentConversionInvalidCastArgument
```
Hope this helps...
Thanks for your time.
Forgot to mention, this is an unmanaged DLL.
Laying in bed and remembered this issue, sorry for the delay!
Seems to be an issue with PowerShell's handling of hex constants, but I've added a fix.
Hopefully it works now!
It works fine. Thank you for the fix!
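
The hex-constant behaviour discussed in this thread, as an added example that is not part of the thread or of sRDI's own code: Windows PowerShell reads the literal `0xc59658c0` as a signed Int32 (the `-980002624` in the error message above), so the 32-bit pattern has to be rebuilt before a `[uint32]` parameter will accept it. `ConvertTo-UInt32Hash` is a hypothetical helper name used only for this illustration.

```powershell
# Added illustration; ConvertTo-UInt32Hash is a hypothetical helper, not sRDI code.
function ConvertTo-UInt32Hash {
    param([Parameter(Mandatory)] $Value)

    if ($Value -is [string]) {
        # Parse the digits with .NET so the PowerShell literal parser,
        # which yields a signed Int32 for 8-digit hex, is never involved.
        $hex = $Value.Trim() -replace '^0[xX]', ''
        if ($hex -notmatch '^[0-9a-fA-F]{1,8}$') {
            throw "Not a 32-bit hex value: '$Value'"
        }
        return [Convert]::ToUInt32($hex, 16)
    }

    # A numeric argument may already have arrived as a negative Int32.
    $n = [int64]$Value
    if ($n -lt [int32]::MinValue -or $n -gt [uint32]::MaxValue) {
        throw "Out of 32-bit range: $Value"
    }
    # Masking in Int64 keeps the low 32 bits and drops the sign extension.
    # 4294967295 is written in decimal so it is parsed as a positive Int64.
    return [uint32]($n -band 4294967295)
}

# The hash from this thread, first as a bare literal, then as a string.
$literal = 0xc59658c0
"literal type : $($literal.GetType().Name)"
"literal value: $literal"

$fromLiteral = ConvertTo-UInt32Hash $literal
$fromString  = ConvertTo-UInt32Hash '0xc59658c0'

"from literal : 0x{0:x8} ({1})" -f $fromLiteral, $fromLiteral.GetType().Name
"from string  : 0x{0:x8} ({1})" -f $fromString,  $fromString.GetType().Name
"same value   : $($fromLiteral -eq $fromString)"
```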