An Experiment In Performing Remote Calls on x64

[Nytro]

[h=1]An Experiment In Performing Remote Calls on x64[/h]

Posted on May 4, 2014 by admin

Recently I was trying to do something more than just executing code in the context of a remote process: I wanted to call a function remotely, including supplying arguments, and have the program continue execution afterwards. What I will present in this post is what I have quickly come up with to achieve the task. There certainly are edge cases (discussed at the end) where the code will run into issues, but the general logic of it is

• Suspend all threads in the target process. This is achieved in the code with a call to the NtSuspendProcess native API.
  
• Allocate space in the process that will contain the x64 assembly code which will set up the parameters and stack to perform the call.
  
• Save all registers that will be used in performing the call. The example code does not save flags, but a full implementation will want to do that as well.
  
• Write in the parameters following the Windows x64 ABI (first four parameters in RCX, RDX, R8, and R9) respectively, with the rest on the stack. The caller will have to know and supply the stack offset to the other parameters.
  
• Set up the trampoline to perform the call.
  
• Resume the process via NtResumeProcess and let the call happen.
  
• Save the result of the call and continue execution.
  

Articol: An Experiment In Performing Remote Calls on x64 | RCE Endeavors