trustedsec/COFFLoader

Fails to resolve symbol for inlineExecute-Assemblyx64.o

zeroSteiner opened this issue · 9 comments

The COFFLoader fails with a symbol error when executing inlineExecute-Assemblyx64.o. I know that the invocation is incorrect because there are 11 arguments that need to be passed, but before the COFF file is executed, the runtime environment fails the loading process due to a symbol error. When I inspect the COFF file with Binary Ninja, I don't see the import that fails ($SG100868) referenced which is making me think this may be a parsing issue.

Z:\Repositories\metasploit-payloads\c\meterpreter\source\extensions\bofloader\COFFLoader>COFFLoader64.exe go Z:\Repositories\InlineExecute-Assembly\inlineExecuteAssembly\inlineExecute-Assemblyx64.o
Got contents of COFF file
Running/Parsing the COFF file
Machine 0x8664
Number of sections: 7
TimeDateStamp : 60E72CC6
PointerToSymbolTable : 0x2986
NumberOfSymbols: 143
OptionalHeaderSize: 0
Characteristics: 0

Name: .drectve
VirtualSize: 0x0
VirtualAddress: 0x0
SizeOfRawData: 0x5D
PointerToRelocations: 0x0
PointerToRawData: 0x12C
NumberOfRelocations: 0
Characteristics: 100a00
Allocating 0x0 bytes
Allocated section 0 at 00007ff467160000
Name: .debug$S
VirtualSize: 0x0
VirtualAddress: 0x0
SizeOfRawData: 0x88
PointerToRelocations: 0x0
PointerToRawData: 0x189
NumberOfRelocations: 0
Characteristics: 42100040
Allocating 0x0 bytes
Allocated section 1 at 00007ff467150000
Name: .text$mn
VirtualSize: 0x0
VirtualAddress: 0x0
SizeOfRawData: 0x16A0
PointerToRelocations: 0x18B1
PointerToRawData: 0x211
NumberOfRelocations: 190
Characteristics: 60500020
Allocating 0x0 bytes
Allocated section 2 at 00007ff467140000
Name: .xdata
VirtualSize: 0x0
VirtualAddress: 0x0
SizeOfRawData: 0x44
PointerToRelocations: 0x0
PointerToRawData: 0x201D
NumberOfRelocations: 0
Characteristics: 40300040
Allocating 0x0 bytes
Allocated section 3 at 00007ff467130000
Name: .pdata
VirtualSize: 0x0
VirtualAddress: 0x0
SizeOfRawData: 0x60
PointerToRelocations: 0x20C1
PointerToRawData: 0x2061
NumberOfRelocations: 24
Characteristics: 40300040
Allocating 0x0 bytes
Allocated section 4 at 00007ff467120000
Name: .data
VirtualSize: 0x0
VirtualAddress: 0x0
SizeOfRawData: 0x79D
PointerToRelocations: 0x0
PointerToRawData: 0x21B1
NumberOfRelocations: 0
Characteristics: c0500040
Allocating 0x0 bytes
Allocated section 5 at 00007ff467110000
Name: .chks64
VirtualSize: 0x0
VirtualAddress: 0x0
SizeOfRawData: 0x38
PointerToRelocations: 0x0
PointerToRawData: 0x294E
NumberOfRelocations: 0
Characteristics: a00
Allocating 0x0 bytes
Allocated section 6 at 00007ff467100000
Doing Relocations of section: 0

Doing Relocations of section: 1

Doing Relocations of section: 2
        VirtualAddress: 0x20
        SymbolTableIndex: 0x1B
        Type: 0x4
        SymPtr: 0x19E
        SymVal: __imp_KERNEL32$CreateMailslotA
        SectionNumber: 0x0
                Yep its an external symbol
                Library: KERNEL32
                Function: CreateMailslotA
                Handle: 0xe9bf0000
                ProcAddress: 0x00007ff8e9c0b410
Doing function relocation
                Relative address : 0xfffaffdc
        ValueNumber: 0x0
        SectionNumber: 0x0

        VirtualAddress: 0x8D
        SymbolTableIndex: 0x17
        Type: 0x4
        SymPtr: 0x134
        SymVal: __imp_KERNEL32$GetProcessHeap
        SectionNumber: 0x0
                Yep its an external symbol
                Library: KERNEL32
                Function: GetProcessHeap
                Handle: 0xe9bf0000
                ProcAddress: 0x00007ff8e9c05880
Doing function relocation
                Relative address : 0xfffaff77
        ValueNumber: 0x0
        SectionNumber: 0x0

        VirtualAddress: 0xA0
        SymbolTableIndex: 0x18
        Type: 0x4
        SymPtr: 0x152
        SymVal: __imp_KERNEL32$HeapAlloc
        SectionNumber: 0x0
                Yep its an external symbol
                Library: KERNEL32
                Function: HeapAlloc
                Handle: 0xe9bf0000
                ProcAddress: 0x00007ff8ec19f2a0
Doing function relocation
                Relative address : 0xfffaff6c
        ValueNumber: 0x0
        SectionNumber: 0x0

        VirtualAddress: 0xB7
        SymbolTableIndex: 0x13
        Type: 0x4
        SymPtr: 0xDD
        SymVal: __imp_MSVCRT$memset
        SectionNumber: 0x0
                Yep its an external symbol
                Library: MSVCRT
                Function: memset
                Handle: 0xec030000
                ProcAddress: 0x00007ff8ec0a4cc0
Doing function relocation
                Relative address : 0xfffaff5d
        ValueNumber: 0x0
        SectionNumber: 0x0

        VirtualAddress: 0xCF
        SymbolTableIndex: 0x1E
        Type: 0x4
        SymPtr: 0x1F4
        SymVal: __imp_KERNEL32$CreateEventA
        SectionNumber: 0x0
                Yep its an external symbol
                Library: KERNEL32
                Function: CreateEventA
                Handle: 0xe9bf0000
                ProcAddress: 0x00007ff8e9c120d0
Doing function relocation
                Relative address : 0xfffaff4d
        ValueNumber: 0x0
        SectionNumber: 0x0

        VirtualAddress: 0x12C
        SymbolTableIndex: 0x1C
        Type: 0x4
        SymPtr: 0x1BD
        SymVal: __imp_KERNEL32$GetMailslotInfo
        SectionNumber: 0x0
                Yep its an external symbol
                Library: KERNEL32
                Function: GetMailslotInfo
                Handle: 0xe9bf0000
                ProcAddress: 0x00007ff8e9c4b540
Doing function relocation
                Relative address : 0xfffafef8
        ValueNumber: 0x0
        SectionNumber: 0x0

        VirtualAddress: 0x16D
        SymbolTableIndex: 0x19
        Type: 0x4
        SymPtr: 0x16B
        SymVal: __imp_KERNEL32$lstrlenA
        SectionNumber: 0x0
                Yep its an external symbol
                Library: KERNEL32
                Function: lstrlenA
                Handle: 0xe9bf0000
                ProcAddress: 0x00007ff8e9c09e40
Doing function relocation
                Relative address : 0xfffafebf
        ValueNumber: 0x0
        SectionNumber: 0x0

        VirtualAddress: 0x184
        SymbolTableIndex: 0x1F
        Type: 0x4
        SymPtr: 0x210
        SymVal: __imp_KERNEL32$GlobalAlloc
        SectionNumber: 0x0
                Yep its an external symbol
                Library: KERNEL32
                Function: GlobalAlloc
                Handle: 0xe9bf0000
                ProcAddress: 0x00007ff8e9c084c0
Doing function relocation
                Relative address : 0xfffafeb0
        ValueNumber: 0x0
        SectionNumber: 0x0

        VirtualAddress: 0x1D4
        SymbolTableIndex: 0x1D
        Type: 0x4
        SymPtr: 0x1DC
        SymVal: __imp_KERNEL32$ReadFile
        SectionNumber: 0x0
                Yep its an external symbol
                Library: KERNEL32
                Function: ReadFile
                Handle: 0xe9bf0000
                ProcAddress: 0x00007ff8e9c126a0
Doing function relocation
                Relative address : 0xfffafe68
        ValueNumber: 0x0
        SectionNumber: 0x0

        VirtualAddress: 0x1EA
        SymbolTableIndex: 0x20
        Type: 0x4
        SymPtr: 0x22B
        SymVal: __imp_KERNEL32$GlobalFree
        SectionNumber: 0x0
                Yep its an external symbol
                Library: KERNEL32
                Function: GlobalFree
                Handle: 0xe9bf0000
                ProcAddress: 0x00007ff8e9c057b0
Doing function relocation
                Relative address : 0xfffafe5a
        ValueNumber: 0x0
        SectionNumber: 0x0

        VirtualAddress: 0x1FC
        SymbolTableIndex: 0x14
        Type: 0x4
        SymPtr: 0xF1
        SymVal: __imp_MSVCRT$strlen
        SectionNumber: 0x0
                Yep its an external symbol
                Library: MSVCRT
                Function: strlen
                Handle: 0xec030000
                ProcAddress: 0x00007ff8ec08d6f0
Doing function relocation
                Relative address : 0xfffafe50
        ValueNumber: 0x0
        SectionNumber: 0x0

        VirtualAddress: 0x212
        SymbolTableIndex: 0x14
        Type: 0x4
        SymPtr: 0xF1
        SymVal: __imp_MSVCRT$strlen
        SectionNumber: 0x0
                Yep its an external symbol
                Library: MSVCRT
                Function: strlen
                Handle: 0xec030000
                ProcAddress: 0x00007ff8ec08d6f0
Doing function relocation
                Relative address : 0xfffafe42
        ValueNumber: 0x0
        SectionNumber: 0x0

        VirtualAddress: 0x22C
        SymbolTableIndex: 0x55
        Type: 0x4
        SymPtr: 0x535
        SymVal: $SG100868
        SectionNumber: 0x6
Failed to resolve symbol
Returning
Failed to run/parse the COFF file
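A worked illustration of the resolution path the log above walks, added here as an example and not code from the COFFLoader project: it parses a constructed COFF symbol table, classifies each relocation target either as an import (SectionNumber 0 with an __imp_LIB$Func name) or as a symbol defined inside the object, as $SG100868 is with SectionNumber 6 (address = that section's base + Value), and applies the standard REL32 displacement formula. The symbol bytes, section bases and relocation entries are constructed sample data, not taken from inlineExecute-Assemblyx64.o.

```python
import struct

IMAGE_REL_AMD64_REL32 = 0x4  # 32-bit displacement from the end of the patched field
def parse_symbols(symtab, strtab):
    # 18-byte records; aux records are kept as None so that a relocation's
    # SymbolTableIndex still equals the list index.
    syms, i = [], 0
    while i + 18 <= len(symtab):
        raw, value, sect, _typ, _cls, naux = struct.unpack_from("<8sIhHBB", symtab, i)
        if raw[:4] == b"\0\0\0\0":  # long name: dword offset into the string table
            off = struct.unpack_from("<I", raw, 4)[0]
            name = strtab[off:strtab.index(b"\0", off)].decode()
        else:
            name = raw.rstrip(b"\0").decode()
        syms.append((name, value, sect))
        syms.extend([None] * naux)
        i += 18 * (1 + naux)
    return syms

def classify(sym, section_bases):
    # section 0 + __imp_LIB$Func = import from LIB; section > 0 = this object's (1-based) section base + Value
    name, value, sect = sym
    if sect == 0 and name.startswith("__imp_") and "$" in name:
        return ("external",) + tuple(name[6:].split("$", 1))
    if sect > 0:
        return ("internal", section_bases[sect - 1] + value)
    return ("unsupported", sect)  # absolute (-1) and debug (-2) symbols

def rel32(target, section_base, reloc_va):
    return (target - (section_base + reloc_va + 4)) & 0xFFFFFFFF

# Constructed sample: string table (4-byte size prefix), three symbols (one with
# an aux record), seven made-up section bases and two REL32 relocs in .text$mn.
_NAMES = b"__imp_KERNEL32$CreateMailslotA\0$SG100868\0"
STRTAB = struct.pack("<I", 4 + len(_NAMES)) + _NAMES  # names sit at offsets 4 and 35
SYMTAB = (struct.pack("<IIIhHBB", 0, 4, 0, 0, 0x20, 2, 0)            # import, section 0
          + struct.pack("<8sIhHBB", b".text$mn", 0, 3, 0, 3, 1) + bytes(18)  # + aux
          + struct.pack("<IIIhHBB", 0, 35, 0x10, 6, 0, 3, 0))        # static, section 6
SECTION_BASES = [0x100000 + 0x10000 * i for i in range(7)]
RELOCS = [(0x20, 0, IMAGE_REL_AMD64_REL32), (0x22C, 3, IMAGE_REL_AMD64_REL32)]

def resolve_relocs(relocs=RELOCS, symtab=SYMTAB, strtab=STRTAB, bases=SECTION_BASES):
    syms, text_base, out = parse_symbols(symtab, strtab), bases[2], []
    for va, idx, typ in relocs:
        kind = classify(syms[idx], bases)
        if kind[0] == "internal" and typ == IMAGE_REL_AMD64_REL32:
            kind += (rel32(kind[1], text_base, va),)
        out.append(kind)
    return out
```

A loader that only handles the SectionNumber 0 branch reports the second relocation as an unresolved symbol, which is the failure mode shown in the log.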

Can you test out the changes in the new https://github.com/trustedsec/COFFLoader/tree/invokeassembly_branch? It should work for invoke assembly now, but I need to test out a bunch of other BOFs to make sure I didn't break anything.

Should note I made sure it processed, and tried to run, but I didn't spend the time to generate the argument string to actually try to run it with an assembly.

Yeah, I think that did the trick. I see that it's at least resolving the entry point and then executing it. Sounds like I made it as far as you did. I'm still working through the BOF arguments but I think that's an issue on my end. Thanks for your help on this!

Yep, no problem. Once either one of us successfully runs an assembly with it I'll merge it into master. Will probably spend some time tomorrow night or this weekend testing it out; if I get it running I'll let you know.

I looked into it a bit more and I think there's still something off. I added DebugBreak between these two lines

COFFLoader/COFFLoader.c

Lines 443 to 444 in 5a5a56d

DEBUG_PRINT("Trying to run: %p\n", foo);
foo((char*)argumentdata, argumentSize);
and what I noticed while stepping through inlineExecute-Assemblyx64.o is that when it invokes the FindVersion function, it's actually calling MakeSlot. That's making me think there could be an issue in how the relocations are being processed.

Ok, so from comparing the FindVersion and the VirtualAddress I think I found and fixed the issue. Should work with Visual Studio object files (tested with the ScreenshotBOF and a few others); let me know if it works now. I still haven't spent the time to actually test out invokeAssembly with the right args; if you happen to have an example let me know and I can change the test harness to take a text file as an argument to actually test it.

That did the trick, it's working now. Thanks a lot for your help on this.


Sweet will merge the changes into main then, thanks for letting me know the issue.

merged