
Adjust for x64 shellcode

Open vivami opened this issue 1 year ago • 3 comments

I'm trying to get this to work for x64 shellcode. The gadget pop r64; ret has the same opcodes as pop r32; ret (afaik, could be mistaken). However, if I add x64 calc shellcode and compile it for x64, it doesn't seem to work. Any idea why, or what else needs to be adjusted?

Thanks :)

vivami, Mar 18 '23 13:03

I got it to work by using pop rax; ret.

#include <windows.h>

// Match the two-byte gadget "pop rax; ret" (0x58 0xC3) at the given address.
static BOOL gadget_match_valid(PBYTE pbAddress)
{
    return *pbAddress == 0x58 && *(pbAddress + 1) == 0xC3;
}

That's the only thing I changed.

Nero22k, Mar 21 '23 16:03
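As an added example (not code from the repository or from either commenter), the two-byte check above generalized to every pop r64; ret encoding and run over a constructed byte buffer; it also shows why the 32-bit opcodes carry over to x64 unchanged. The kSample bytes and the function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* In 64-bit mode the one-byte opcodes 0x58..0x5F encode pop rax..pop rdi, the same
   bytes that encode pop eax..pop edi in 32-bit mode, and 0xC3 is ret; that is why the
   x86 matcher needs no new opcodes for x64. pop r8..r15 carry a REX.B prefix (0x41). */
static const char *const kReg64[16] = {
    "rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
    "r8",  "r9",  "r10", "r11", "r12", "r13", "r14", "r15" };

/* Returns the gadget length (2, or 3 with REX prefix) if a "pop r64; ret" gadget
   starts at p, else 0. *reg (may be NULL) receives the register index 0..15. */
static size_t gadget_pop_ret_len(const uint8_t *p, size_t avail, int *reg)
{
    size_t i = 0; int base = 0;
    if (avail >= 1 && p[0] == 0x41) { base = 8; i = 1; }   /* REX.B prefix */
    if (avail < i + 2) return 0;
    if (p[i] < 0x58 || p[i] > 0x5F || p[i + 1] != 0xC3) return 0;
    if (reg) *reg = base + (p[i] - 0x58);
    return i + 2;
}
/* Scans every byte offset (gadgets need not sit on instruction boundaries) and
   records up to max hits; returns the number recorded. */
static size_t find_pop_ret_gadgets(const uint8_t *buf, size_t len,
                                   size_t *offs, int *regs, size_t max)
{
    size_t n = 0;
    for (size_t off = 0; off < len && n < max; off++)
        if (gadget_pop_ret_len(buf + off, len - off, &regs[n]))
            offs[n++] = off;
    return n;
}
/* Constructed sample bytes (not real ntdll contents). The REX-prefixed pop r12; ret
   at offset 10 also yields an unprefixed pop rsp; ret at offset 11: four hits. */
static const uint8_t kSample[] = { 0x90, 0x90, 0x58, 0xC3, 0x90, 0x90, 0x5F, 0xC3,
                                   0x90, 0x90, 0x41, 0x5C, 0xC3, 0x90, 0x58, 0x90 };

size_t scan_sample(size_t *offs, int *regs, size_t max)
{
    return find_pop_ret_gadgets(kSample, sizeof kSample, offs, regs, max);
}
int main(void)
{
    size_t offs[8]; int regs[8];
    size_t n = scan_sample(offs, regs, 8);
    for (size_t i = 0; i < n; i++) printf("%2zu: pop %s; ret\n", offs[i], kReg64[regs[i]]);
    return 0;
}
```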

Awesome, that worked. Thanks!

vivami, Mar 21 '23 19:03

Hi both, I'll add x64 support to the main branch tomorrow. This is definitely an issue, so I'll keep it open for now until the changes are made.

LloydLabs, Mar 23 '23 00:03