
Rsp adjustment breaks shellcode return

Open · wwh1004 opened this issue 2 years ago · 1 comment

Just use the demo .NET assembly and the example usage; it doesn't work.

donut --arch:amd64 --class:TestClass --method:RunProcess --args:"notepad.exe calc" --input:DemoCreateProcess.dll

Until the shellcode is finished, RtlExitUserThread is not called anywhere. Then the process will crash because an invalid instruction before 'call loader' will be executed. Is this a bug?


wwh1004 avatar Nov 02 '23 15:11 wwh1004

It seems that the new code is causing the ret not to work.

See commit: https://github.com/TheWover/donut/commit/257977cc98ab2e0da6ae00eae5628c60cb1ad60b
PR: https://github.com/TheWover/donut/pull/90

pop     rcx
and     rsp, 0xFFFFFFFFFFFFFFF0

ret can't really return to the shellcode caller.

wwh1004 avatar Nov 02 '23 16:11 wwh1004
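For reference, the usual way to align the stack for a callee without losing the return path, written here as an added illustration and not taken from donut's loader: the pre-alignment rsp is parked in a callee-saved register, so after the callee returns the stub can restore it and `ret` lands on the caller's return address again. It assumes the stub was entered via `call` and that the callee follows the Windows x64 convention (hence the 32-byte shadow space).

```asm
; x64 entry stub: align rsp for the callee, then still return to the caller.
; Assumption: entered with `call`, so [rsp] holds the return address.

align_and_call:
    push rbp                 ; save caller's rbp (callee-saved register)
    mov  rbp, rsp            ; rbp = rsp as it was *before* alignment
    and  rsp, -16            ; 16-byte alignment the callee expects
    sub  rsp, 32             ; Windows x64 shadow space for the callee
    call loader              ; callee; assumed to return normally
    mov  rsp, rbp            ; drop the alignment padding and shadow space
    pop  rbp                 ; restore rbp; rsp now points at the return address
    ret                      ; returns to whoever called the stub

; What the reported sequence loses: after `and rsp, -16` alone, nothing
; records where [rsp] (the return address) used to be, so a later `ret`
; pops whatever happens to sit at the aligned address instead.
```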