jadeite/injector/src/payload.asm

BITS 64

main: ; Replacement entry point
    push rbp
    mov rbp, rsp
    sub rsp, 10h + 90h


    call GetKernel32ModuleHandle
    mov [rbp - 8h], rax   ; kernel32.dll

    mov rcx, rax
    call GetAddressOf_GetProcAddress
    mov [rbp - 10h], rax  ; *GetProcAddress


    mov rcx, [rbp - 8h]   ; kernel32.dll
    lea rdx, [rel s_LoadLibraryA]
    mov rax, [rbp - 10h]  ; *GetProcAddress
    call rax              ; rax = *LoadLibraryA

    lea rcx, [rel dllPath]
    call rax              ; LoadLibraryA(dllPath)


    add rsp, 10h + 90h
    pop rbp
    ret


; https://dennisbabkin.com/blog/?t=how-to-implement-getprocaddress-in-shellcode
GetKernel32ModuleHandle:
    mov rax, gs:[60h]
    mov rax, [rax + 18h]
    mov rax, [rax + 20h]
    mov rax, [rax]
    mov rax, [rax]
    mov rax, [rax + 20h]
    ret


GetAddressOf_GetProcAddress:
    mov eax, [rcx + 3ch]
    add rax, rcx
    lea rax, [rax + 88h]

    mov edx, [rax]
    lea rax, [rcx + rdx]

    mov edx, [rax + 18h]
    mov r8d, [rax + 20h]
    lea r8, [rcx + r8]

    mov r10, 41636f7250746547h ; "GetProcA"
    mov r11, 0073736572646441h ; "Address\0"

.1:
    mov r9d, [r8]
    lea r9, [rcx + r9]

    ; Function name comparision
    cmp r10, [r9]
    jnz .2
    cmp r11, [r9 + 7]
    jnz .2

    ; Found GetProcAddress
    neg rdx
    mov r10d, [rax + 18h]
    lea rdx, [r10 + rdx]

    mov r10d, [rax + 24h]
    lea r10, [rcx + r10]
    movzx rdx, word [r10 + rdx * 2]

    mov r10d, [rax + 1ch]
    lea r10, [rcx + r10]

    mov r10d, [r10 + rdx * 4]

    lea rax, [rcx + r10] ; Function address
    jmp .end

.2:
    add r8, 4
    dec rdx
    jnz .1

.end:
    ret


; Strings
s_LoadLibraryA:  db "LoadLibraryA", 0

dllPath:
    ; This will be filled out by the injector
    ; Path to the dll to inject into the launcher
Initial commit 2023-06-05 21:23:08 +00:00			`BITS 64`

			`main: ; Replacement entry point`
			`push rbp`
			`mov rbp, rsp`
			`sub rsp, 10h + 90h`


			`call GetKernel32ModuleHandle`
			`mov [rbp - 8h], rax ; kernel32.dll`

			`mov rcx, rax`
			`call GetAddressOf_GetProcAddress`
			`mov [rbp - 10h], rax ; *GetProcAddress`


			`mov rcx, [rbp - 8h] ; kernel32.dll`
			`lea rdx, [rel s_LoadLibraryA]`
			`mov rax, [rbp - 10h] ; *GetProcAddress`
			`call rax ; rax = *LoadLibraryA`

			`lea rcx, [rel dllPath]`
			`call rax ; LoadLibraryA(dllPath)`


			`add rsp, 10h + 90h`
			`pop rbp`
			`ret`


			`; https://dennisbabkin.com/blog/?t=how-to-implement-getprocaddress-in-shellcode`
			`GetKernel32ModuleHandle:`
			`mov rax, gs:[60h]`
			`mov rax, [rax + 18h]`
			`mov rax, [rax + 20h]`
			`mov rax, [rax]`
			`mov rax, [rax]`
			`mov rax, [rax + 20h]`
			`ret`


			`GetAddressOf_GetProcAddress:`
			`mov eax, [rcx + 3ch]`
			`add rax, rcx`
			`lea rax, [rax + 88h]`

			`mov edx, [rax]`
			`lea rax, [rcx + rdx]`

			`mov edx, [rax + 18h]`
			`mov r8d, [rax + 20h]`
			`lea r8, [rcx + r8]`

			`mov r10, 41636f7250746547h ; "GetProcA"`
			`mov r11, 0073736572646441h ; "Address\0"`

Use NASM local labels 2023-06-24 22:51:18 +00:00			`.1:`
Initial commit 2023-06-05 21:23:08 +00:00			`mov r9d, [r8]`
			`lea r9, [rcx + r9]`

			`; Function name comparision`
			`cmp r10, [r9]`
Use NASM local labels 2023-06-24 22:51:18 +00:00			`jnz .2`
Initial commit 2023-06-05 21:23:08 +00:00			`cmp r11, [r9 + 7]`
Use NASM local labels 2023-06-24 22:51:18 +00:00			`jnz .2`
Initial commit 2023-06-05 21:23:08 +00:00
			`; Found GetProcAddress`
			`neg rdx`
			`mov r10d, [rax + 18h]`
			`lea rdx, [r10 + rdx]`

			`mov r10d, [rax + 24h]`
			`lea r10, [rcx + r10]`
			`movzx rdx, word [r10 + rdx * 2]`

			`mov r10d, [rax + 1ch]`
			`lea r10, [rcx + r10]`

			`mov r10d, [r10 + rdx * 4]`

			`lea rax, [rcx + r10] ; Function address`
Use NASM local labels 2023-06-24 22:51:18 +00:00			`jmp .end`
Initial commit 2023-06-05 21:23:08 +00:00
Use NASM local labels 2023-06-24 22:51:18 +00:00			`.2:`
Initial commit 2023-06-05 21:23:08 +00:00			`add r8, 4`
			`dec rdx`
Use NASM local labels 2023-06-24 22:51:18 +00:00			`jnz .1`
Initial commit 2023-06-05 21:23:08 +00:00
Use NASM local labels 2023-06-24 22:51:18 +00:00			`.end:`
Initial commit 2023-06-05 21:23:08 +00:00			`ret`


			`; Strings`
			`s_LoadLibraryA: db "LoadLibraryA", 0`

			`dllPath:`
			`; This will be filled out by the injector`
			`; Path to the dll to inject into the launcher`