Change thread creation to support x86->x64

source/common/arch/win/i386/base_inject.c

@@ -6,9 +6,9 @@
 
 // Simple trick to get the current meterpreters arch
 #ifdef _WIN64
-	DWORD dwMeterpreterArch = PROCESS_ARCH_X64;
+	const DWORD dwMeterpreterArch = PROCESS_ARCH_X64;
 #else
-	DWORD dwMeterpreterArch = PROCESS_ARCH_X86;
+	const DWORD dwMeterpreterArch = PROCESS_ARCH_X86;
 #endif
 
 // see '/msf3/external/source/shellcode/x86/migrate/executex64.asm'

source/common/arch/win/i386/base_inject.h

@@ -14,6 +14,8 @@
 #define MIGRATE_TECHNIQUE_REMOTETHREADWOW64	1
 #define MIGRATE_TECHNIQUE_APCQUEUE			2
 
+extern const DWORD dwMeterpreterArch;
+
 //===============================================================================================//
 
 // Definition of ntdll!NtQueueApcThread
@@ -73,11 +75,13 @@ typedef struct _WOW64CONTEXT
 
 //===============================================================================================//
 
-DWORD inject_via_apcthread( Remote * remote, Packet * response, HANDLE hProcess, DWORD dwProcessID, DWORD dwDestinationArch, LPVOID lpStartAddress, LPVOID lpParameter );
+DWORD inject_via_apcthread(Remote * remote, Packet * response, HANDLE hProcess, DWORD dwProcessID, DWORD dwDestinationArch, LPVOID lpStartAddress, LPVOID lpParameter);
+
+DWORD inject_via_remotethread(Remote * remote, Packet * response, HANDLE hProcess, DWORD dwDestinationArch, LPVOID lpStartAddress, LPVOID lpParameter);
 
-DWORD inject_via_remotethread( Remote * remote, Packet * response, HANDLE hProcess, DWORD dwDestinationArch, LPVOID lpStartAddress, LPVOID lpParameter );
+DWORD inject_via_remotethread_wow64(HANDLE hProcess, LPVOID lpStartAddress, LPVOID lpParameter, HANDLE * pThread);
 
-DWORD inject_dll( DWORD dwPid, LPVOID lpDllBuffer, DWORD dwDllLenght, char * cpCommandLine );
+DWORD inject_dll(DWORD dwPid, LPVOID lpDllBuffer, DWORD dwDllLenght, char * cpCommandLine);
 
 //===============================================================================================//
 #endif

source/extensions/stdapi/server/sys/eventlog/eventlog.c

@@ -28,7 +28,7 @@ DWORD request_sys_eventlog_open(Remote * remote, Packet * packet)
 			result = GetLastError();
 		}
 		else {
-			packet_add_tlv_uint(response, TLV_TYPE_EVENT_HANDLE, (DWORD)hEvent);
+			packet_add_tlv_qword(response, TLV_TYPE_EVENT_HANDLE, (QWORD)hEvent);
 		}
 	}
 
@@ -51,7 +51,7 @@ DWORD request_sys_eventlog_numrecords(Remote * remote, Packet * packet)
 	DWORD numRecords;
 	DWORD result = ERROR_SUCCESS;
 
-	hEvent = (HANDLE)packet_get_tlv_value_uint(packet, TLV_TYPE_EVENT_HANDLE);
+	hEvent = (HANDLE)packet_get_tlv_value_qword(packet, TLV_TYPE_EVENT_HANDLE);
 
 	if(!hEvent) {
 		result = ERROR_INVALID_PARAMETER;
@@ -88,7 +88,7 @@ DWORD request_sys_eventlog_read(Remote * remote, Packet * packet)
 	EVENTLOGRECORD * buf = NULL;
 	BYTE * str = NULL;
 
-	hEvent       = (HANDLE)packet_get_tlv_value_uint(packet, TLV_TYPE_EVENT_HANDLE);
+	hEvent       = (HANDLE)packet_get_tlv_value_qword(packet, TLV_TYPE_EVENT_HANDLE);
 	readFlags    = (DWORD)packet_get_tlv_value_uint(packet, TLV_TYPE_EVENT_READFLAGS);
 	recordOffset = (DWORD)packet_get_tlv_value_uint(packet, TLV_TYPE_EVENT_RECORDOFFSET);
 
@@ -159,7 +159,7 @@ DWORD request_sys_eventlog_oldest(Remote * remote, Packet * packet)
 {
 	Packet * response = packet_create_response(packet);
 	DWORD result = ERROR_SUCCESS;
-	HANDLE hEvent = (HANDLE)packet_get_tlv_value_uint(packet, TLV_TYPE_EVENT_HANDLE);
+	HANDLE hEvent = (HANDLE)packet_get_tlv_value_qword(packet, TLV_TYPE_EVENT_HANDLE);
 	DWORD oldest;
 
 	if(GetOldestEventLogRecord(hEvent, &oldest) == 0) {
@@ -187,7 +187,7 @@ DWORD request_sys_eventlog_clear(Remote * remote, Packet * packet)
 {
 	Packet * response = packet_create_response(packet);
 	DWORD result = ERROR_SUCCESS;
-	HANDLE hEvent = (HANDLE)packet_get_tlv_value_uint(packet, TLV_TYPE_EVENT_HANDLE);
+	HANDLE hEvent = (HANDLE)packet_get_tlv_value_qword(packet, TLV_TYPE_EVENT_HANDLE);
 
 	if(ClearEventLog(hEvent, NULL) == 0) {
 		result = GetLastError();
@@ -209,7 +209,7 @@ DWORD request_sys_eventlog_close(Remote * remote, Packet * packet)
 {
 	Packet * response = packet_create_response(packet);
 	DWORD result = ERROR_SUCCESS;
-	HANDLE hEvent = (HANDLE)packet_get_tlv_value_uint(packet, TLV_TYPE_EVENT_HANDLE);
+	HANDLE hEvent = (HANDLE)packet_get_tlv_value_qword(packet, TLV_TYPE_EVENT_HANDLE);
 
 	if(CloseEventLog(hEvent) == 0) {
 		result = GetLastError();

source/extensions/stdapi/server/sys/process/image.c

@@ -21,7 +21,7 @@ DWORD request_sys_process_image_load(Remote *remote, Packet *packet)
 	LPCSTR image;
 	HMODULE base;
 
-	handle = (HANDLE)packet_get_tlv_value_uint(packet, TLV_TYPE_HANDLE);
+	handle = (HANDLE)packet_get_tlv_value_qword(packet, TLV_TYPE_HANDLE);
 	image  = packet_get_tlv_value_string(packet, TLV_TYPE_IMAGE_FILE_PATH);
 
 	do
@@ -77,7 +77,7 @@ DWORD request_sys_process_image_get_proc_address(Remote *remote, Packet *packet)
 	LPCSTR procedure;
 	LPVOID address = NULL;
 
-	process   = (HANDLE)packet_get_tlv_value_uint(packet, TLV_TYPE_HANDLE);
+	process   = (HANDLE)packet_get_tlv_value_qword(packet, TLV_TYPE_HANDLE);
 	image     = packet_get_tlv_value_string(packet, TLV_TYPE_IMAGE_FILE);
 	procedure = packet_get_tlv_value_string(packet, TLV_TYPE_PROCEDURE_NAME);
 
@@ -122,8 +122,7 @@ DWORD request_sys_process_image_get_proc_address(Remote *remote, Packet *packet)
 		}
 
 		// Set the procedure address on the response
-		packet_add_tlv_uint(response, TLV_TYPE_PROCEDURE_ADDRESS, 
-				(DWORD)address);
+		packet_add_tlv_qword(response, TLV_TYPE_PROCEDURE_ADDRESS, (QWORD)address);
 
 	} while (0);
 
@@ -153,7 +152,7 @@ DWORD request_sys_process_image_unload(Remote *remote, Packet *packet)
 	LPVOID base;
 	DWORD result = ERROR_SUCCESS;
 
-	handle = (HANDLE)packet_get_tlv_value_uint(packet, TLV_TYPE_HANDLE);
+	handle = (HANDLE)packet_get_tlv_value_qword(packet, TLV_TYPE_HANDLE);
 	base   = (LPVOID)packet_get_tlv_value_uint(packet, TLV_TYPE_IMAGE_BASE);
 
 	do
@@ -205,7 +204,7 @@ DWORD request_sys_process_image_get_images(Remote *remote, Packet *packet)
 	DWORD needed = 0, actual, tries = 0;
 	DWORD index;
 
-	handle = (HANDLE)packet_get_tlv_value_uint(packet, TLV_TYPE_HANDLE);
+	handle = (HANDLE)packet_get_tlv_value_qword(packet, TLV_TYPE_HANDLE);
 
 	do
 	{

source/extensions/stdapi/server/sys/process/memory.c

@@ -1,13 +1,13 @@
 #include "precomp.h"
 
-/*
- * Allocates memory in the context of the supplied process.
- *
- * req: TLV_TYPE_HANDLE          - The process handle to allocate memory within.
- * req: TLV_TYPE_LENGTH          - The amount of memory to allocate.
- * req: TLV_TYPE_ALLOCATION_TYPE - The type of memory to allocate.
- * req: TLV_TYPE_PROTECTION      - The protection flags to allocate the memory with.
- * opt: TLV_TYPE_BASE_ADDRESS    - The address to allocate the memory at.
+/*!
+ * @brief Allocates memory in the context of the supplied process.
+ * @remark The 
+ *     - TLV_TYPE_HANDLE          - The process handle to allocate memory within.
+ *     - TLV_TYPE_LENGTH          - The amount of memory to allocate.
+ *     - TLV_TYPE_ALLOCATION_TYPE - The type of memory to allocate.
+ *     - TLV_TYPE_PROTECTION      - The protection flags to allocate the memory with.
+ *     - TLV_TYPE_BASE_ADDRESS    - The address to allocate the memory at.
  */
 DWORD request_sys_process_memory_allocate(Remote *remote, Packet *packet)
 {
@@ -19,17 +19,21 @@ DWORD request_sys_process_memory_allocate(Remote *remote, Packet *packet)
 	DWORD alloc, prot;
 
 	// Snag the TLV values
-	handle = (HANDLE)packet_get_tlv_value_uint(packet, TLV_TYPE_HANDLE);
-	base   = (LPVOID)packet_get_tlv_value_uint(packet, TLV_TYPE_BASE_ADDRESS);
-	size   = (SIZE_T)packet_get_tlv_value_uint(packet, TLV_TYPE_LENGTH);
-	alloc  = packet_get_tlv_value_uint(packet, TLV_TYPE_ALLOCATION_TYPE);
-	prot   = packet_get_tlv_value_uint(packet, TLV_TYPE_PROTECTION);
+	handle = (HANDLE)packet_get_tlv_value_qword(packet, TLV_TYPE_HANDLE);
+	base = (LPVOID)packet_get_tlv_value_qword(packet, TLV_TYPE_BASE_ADDRESS);
+	size = (SIZE_T)packet_get_tlv_value_uint(packet, TLV_TYPE_LENGTH);
+	alloc = packet_get_tlv_value_uint(packet, TLV_TYPE_ALLOCATION_TYPE);
+	prot = packet_get_tlv_value_uint(packet, TLV_TYPE_PROTECTION);
 
 	// Allocate the memory
 	if ((base = VirtualAllocEx(handle, base, size, alloc, prot)))
-		packet_add_tlv_uint(response, TLV_TYPE_BASE_ADDRESS, (DWORD)base);
+	{
+		packet_add_tlv_qword(response, TLV_TYPE_BASE_ADDRESS, (QWORD)base);
+	}
 	else
+	{
 		result = GetLastError();
+	}
 
 	// Transmit the response
 	packet_transmit_response(result, remote, response);
@@ -52,8 +56,8 @@ DWORD request_sys_process_memory_free(Remote *remote, Packet *packet)
 	LPVOID base;
 	DWORD result = ERROR_SUCCESS;
 
-	handle = (HANDLE)packet_get_tlv_value_uint(packet, TLV_TYPE_HANDLE);
-	base   = (LPVOID)packet_get_tlv_value_uint(packet, TLV_TYPE_BASE_ADDRESS);
+	handle = (HANDLE)packet_get_tlv_value_qword(packet, TLV_TYPE_HANDLE);
+	base   = (LPVOID)packet_get_tlv_value_qword(packet, TLV_TYPE_BASE_ADDRESS);
 	size   = packet_get_tlv_value_uint(packet, TLV_TYPE_LENGTH);
 
 	// Free the memory
@@ -84,8 +88,8 @@ DWORD request_sys_process_memory_read(Remote *remote, Packet *packet)
 	SIZE_T bytesRead = 0;
 	DWORD result = ERROR_SUCCESS;
 
-	handle = (HANDLE)packet_get_tlv_value_uint(packet, TLV_TYPE_HANDLE);
-	base   = (LPVOID)packet_get_tlv_value_uint(packet, TLV_TYPE_BASE_ADDRESS);
+	handle = (HANDLE)packet_get_tlv_value_qword(packet, TLV_TYPE_HANDLE);
+	base   = (LPVOID)packet_get_tlv_value_qword(packet, TLV_TYPE_BASE_ADDRESS);
 	size   = packet_get_tlv_value_uint(packet, TLV_TYPE_LENGTH);
 
 	do
@@ -147,8 +151,8 @@ DWORD request_sys_process_memory_write(Remote *remote, Packet *packet)
 	size_t written = 0;
 	Tlv data;
 
-	handle = (HANDLE)packet_get_tlv_value_uint(packet, TLV_TYPE_HANDLE);
-	base   = (LPVOID)packet_get_tlv_value_uint(packet, TLV_TYPE_BASE_ADDRESS);
+	handle = (HANDLE)packet_get_tlv_value_qword(packet, TLV_TYPE_HANDLE);
+	base   = (LPVOID)packet_get_tlv_value_qword(packet, TLV_TYPE_BASE_ADDRESS);
 
 	do
 	{
@@ -196,8 +200,8 @@ DWORD request_sys_process_memory_query(Remote *remote, Packet *packet)
 	DWORD result = ERROR_SUCCESS;
 	SIZE_T size = 0;
 
-	handle = (HANDLE)packet_get_tlv_value_uint(packet, TLV_TYPE_HANDLE);
-	base   = (LPVOID)packet_get_tlv_value_uint(packet, TLV_TYPE_BASE_ADDRESS);
+	handle = (HANDLE)packet_get_tlv_value_qword(packet, TLV_TYPE_HANDLE);
+	base   = (LPVOID)packet_get_tlv_value_qword(packet, TLV_TYPE_BASE_ADDRESS);
 
 	// Zero the info buffer
 	memset(&info, 0, sizeof(info));
@@ -219,20 +223,13 @@ DWORD request_sys_process_memory_query(Remote *remote, Packet *packet)
 		}
 
 		// Pass the parameters back to the requestor
-		packet_add_tlv_uint(response, TLV_TYPE_BASE_ADDRESS,
-				(DWORD)info.BaseAddress);
-		packet_add_tlv_uint(response, TLV_TYPE_ALLOC_BASE_ADDRESS,
-				(DWORD)info.AllocationBase);
-		packet_add_tlv_uint(response, TLV_TYPE_ALLOC_PROTECTION,
-				info.AllocationProtect);
-		packet_add_tlv_uint(response, TLV_TYPE_LENGTH,
-				(DWORD)info.RegionSize);
-		packet_add_tlv_uint(response, TLV_TYPE_MEMORY_STATE,
-				(DWORD)info.State);
-		packet_add_tlv_uint(response, TLV_TYPE_PROTECTION,
-				info.Protect);
-		packet_add_tlv_uint(response, TLV_TYPE_MEMORY_TYPE,
-				info.Type);
+		packet_add_tlv_qword(response, TLV_TYPE_BASE_ADDRESS,	(QWORD)info.BaseAddress);
+		packet_add_tlv_qword(response, TLV_TYPE_ALLOC_BASE_ADDRESS, (QWORD)info.AllocationBase);
+		packet_add_tlv_uint(response, TLV_TYPE_ALLOC_PROTECTION, info.AllocationProtect);
+		packet_add_tlv_uint(response, TLV_TYPE_LENGTH, (DWORD)info.RegionSize);
+		packet_add_tlv_uint(response, TLV_TYPE_MEMORY_STATE, (DWORD)info.State);
+		packet_add_tlv_uint(response, TLV_TYPE_PROTECTION, info.Protect);
+		packet_add_tlv_uint(response, TLV_TYPE_MEMORY_TYPE, info.Type);
 
 	} while (0);
 
@@ -259,8 +256,8 @@ DWORD request_sys_process_memory_protect(Remote *remote, Packet *packet)
 	DWORD prot, old;
 	DWORD result = ERROR_SUCCESS;
 
-	handle = (HANDLE)packet_get_tlv_value_uint(packet, TLV_TYPE_HANDLE);
-	base   = (LPVOID)packet_get_tlv_value_uint(packet, TLV_TYPE_BASE_ADDRESS);
+	handle = (HANDLE)packet_get_tlv_value_qword(packet, TLV_TYPE_HANDLE);
+	base   = (LPVOID)packet_get_tlv_value_qword(packet, TLV_TYPE_BASE_ADDRESS);
 	size   = packet_get_tlv_value_uint(packet, TLV_TYPE_LENGTH);
 	prot   = packet_get_tlv_value_uint(packet, TLV_TYPE_PROTECTION);
 
@@ -307,7 +304,7 @@ DWORD request_sys_process_memory_lock(Remote *remote, Packet *packet)
 	SIZE_T size;
 	DWORD result = ERROR_SUCCESS;
 
-	base = (LPVOID)packet_get_tlv_value_uint(packet, TLV_TYPE_BASE_ADDRESS);
+	base = (LPVOID)packet_get_tlv_value_qword(packet, TLV_TYPE_BASE_ADDRESS);
 	size = packet_get_tlv_value_uint(packet, TLV_TYPE_LENGTH);
 
 	if (!VirtualLock(base, size))
@@ -332,7 +329,7 @@ DWORD request_sys_process_memory_unlock(Remote *remote, Packet *packet)
 	SIZE_T size;
 	DWORD result = ERROR_SUCCESS;
 
-	base = (LPVOID)packet_get_tlv_value_uint(packet, TLV_TYPE_BASE_ADDRESS);
+	base = (LPVOID)packet_get_tlv_value_qword(packet, TLV_TYPE_BASE_ADDRESS);
 	size = packet_get_tlv_value_uint(packet, TLV_TYPE_LENGTH);
 
 	if (!VirtualUnlock(base, size))

source/extensions/stdapi/server/sys/process/process.c

@@ -39,17 +39,15 @@ DWORD request_sys_process_attach(Remote *remote, Packet *packet)
 	// Otherwise, attach.
 	else
 	{
-		BOOLEAN inherit = packet_get_tlv_value_bool(packet,
-				TLV_TYPE_INHERIT);
-		DWORD permission = packet_get_tlv_value_uint(packet,
-				TLV_TYPE_PROCESS_PERMS);
+		BOOLEAN inherit = packet_get_tlv_value_bool(packet, TLV_TYPE_INHERIT);
+		DWORD permission = packet_get_tlv_value_uint(packet, TLV_TYPE_PROCESS_PERMS);
 
 		handle = OpenProcess(permission, inherit, pid);
 	}
 
 	// If we have a handle, add it to the response
 	if (handle)
-		packet_add_tlv_uint(response, TLV_TYPE_HANDLE, (DWORD)handle);
+		packet_add_tlv_qword(response, TLV_TYPE_HANDLE, (QWORD)handle);
 	else
 		result = GetLastError();
 #else
@@ -72,7 +70,7 @@ DWORD request_sys_process_close(Remote *remote, Packet *packet)
 	Packet *response = packet_create_response(packet);
 	HANDLE handle;
 	DWORD result = ERROR_SUCCESS;
-	handle = (HANDLE)packet_get_tlv_value_uint(packet, TLV_TYPE_HANDLE);
+	handle = (HANDLE)packet_get_tlv_value_qword(packet, TLV_TYPE_HANDLE);
 
 
 	if (handle)
@@ -572,7 +570,7 @@ DWORD request_sys_process_execute(Remote *remote, Packet *packet)
 			// Add the process identifier to the response packet
 			packet_add_tlv_uint(response, TLV_TYPE_PID, pi.dwProcessId);
 
-			packet_add_tlv_uint(response, TLV_TYPE_PROCESS_HANDLE,(DWORD)pi.hProcess);
+			packet_add_tlv_qword(response, TLV_TYPE_PROCESS_HANDLE, (QWORD)pi.hProcess);
 
 			CloseHandle(pi.hThread);
 		}
@@ -794,7 +792,7 @@ DWORD request_sys_process_execute(Remote *remote, Packet *packet)
 		default:
 			dprintf("child pid is %d\n", pid);
 			packet_add_tlv_uint(response, TLV_TYPE_PID, (DWORD)pid);
-			packet_add_tlv_uint(response, TLV_TYPE_PROCESS_HANDLE, (DWORD)pid);
+			packet_add_tlv_qword(response, TLV_TYPE_PROCESS_HANDLE, (QWORD)pid);
 			if (flags & PROCESS_EXECUTE_FLAG_CHANNELIZED) {
 				if(have_pty) {
 					dprintf("child channelized\n");
@@ -963,7 +961,7 @@ DWORD request_sys_process_get_info(Remote *remote, Packet *packet)
 	DWORD needed;
 	CHAR path[1024], name[256];
 
-	handle = (HANDLE)packet_get_tlv_value_uint(packet, TLV_TYPE_HANDLE);
+	handle = (HANDLE)packet_get_tlv_value_qword(packet, TLV_TYPE_HANDLE);
 
 	do
 	{
@@ -1244,7 +1242,7 @@ DWORD request_sys_process_wait(Remote *remote, Packet *packet)
 	HANDLE handle     = NULL;
 	DWORD result      = ERROR_INVALID_PARAMETER;
 
-	handle = (HANDLE)packet_get_tlv_value_uint( packet, TLV_TYPE_HANDLE );
+	handle = (HANDLE)packet_get_tlv_value_qword( packet, TLV_TYPE_HANDLE );
 #ifdef _WIN32
 
 	if( handle )