Calling Linux syscalls from WINE with bonus "Heaven's Gate"
; asmbits2.asm -- NASM syntax, x86-64, Microsoft x64 ABI (assembled with
; `nasm -f win64`). Three stubs for a Windows PE running under WINE, each
; issuing a Linux write(1, buf, 44): through the native 64-bit `syscall`,
; through `int 0x80` while still in 64-bit mode, and through `int 0x80`
; from a 32-bit code segment entered with a far return. Every stub takes
; the buffer pointer in rcx (Win64 arg0) and returns nothing.
section .text

global call_32_from_32
global call_32_from_64
global call_64_from_64
;-----------------------------------------------------------------------
; void call_64_from_64(void *buf)
; ABI:   Microsoft x64 (WINE process); executes the native Linux 64-bit
;        `syscall` instruction directly.
; In:    rcx = buf, expected to hold the 44-byte message to write
; Out:   nothing (the kernel's return value in rax is discarded)
; Clobb: rax, rdx, rcx, r11, flags (`syscall` itself overwrites rcx/r11).
;        rsi/rdi are callee-saved on Win64, so they are saved and restored.
;-----------------------------------------------------------------------
call_64_from_64:
        push    rdi
        push    rsi
        mov     rsi, rcx                ; arg1: buf
        mov     edi, 1                  ; arg0: fd 1 (stdout); 32-bit write zero-extends rdi
        mov     edx, 44                 ; arg2: fixed length (caller's 43 chars + NUL)
        mov     eax, 1                  ; Linux x86-64 syscall number 1 = write
        syscall
        pop     rsi
        pop     rdi
        ret
;-----------------------------------------------------------------------
; void call_32_from_64(void *buf)
; ABI:   Microsoft x64; raises the legacy `int 0x80` gate while still in
;        64-bit mode, so the kernel dispatches the i386 syscall table.
; In:    rcx = buf. Only ecx (the low 32 bits) reaches the kernel, so the
;        buffer must live below 4 GiB (the C caller requests 0x10000000).
; Out:   nothing (eax return value discarded)
; Clobb: rax, rdx, flags. The compat entry path may also touch r8-r11
;        depending on kernel version; they are volatile on Win64, so no
;        caller state depends on them. rbx is callee-saved and therefore
;        saved/restored around the `mov ebx, 1`.
;-----------------------------------------------------------------------
call_32_from_64:
        push    rbx                     ; ebx is the i386 arg0 register
        mov     ebx, 1                  ; arg0: fd 1 (stdout)
        mov     edx, 44                 ; arg2: fixed length (caller's 43 chars + NUL)
        ; arg1 (ecx) already holds the low half of the Win64 rcx argument
        mov     eax, 4                  ; Linux i386 syscall number 4 = write
        int     0x80
        pop     rbx
        ret
;-----------------------------------------------------------------------
; void call_32_from_32(void *buf)
; ABI:   Microsoft x64 entry. Switches to the 32-bit user code segment
;        (cs = 0x23) with a 64-bit far return, runs `_call_32_from_32`
;        there, and comes back to cs = 0x33 via a 32-bit far return
;        ("Heaven's Gate" in both directions).
; In:    rcx = buf; the 32-bit side reads only ecx, so buf must be below
;        4 GiB. A temporary stack is built at [rdi + 0x80] (see NOTE);
;        in 32-bit mode only the low half of rsp is esp, so that stack
;        must be below 4 GiB as well.
; Out:   nothing
; Clobb: rax, rdx, r9, flags. rbx is saved/restored because the 32-bit
;        side writes ebx. The caller's rsp is parked in the single
;        _stack_stash slot, so this stub is not reentrant.
;-----------------------------------------------------------------------
call_32_from_32:
push rbx
; Stash stack: 32-bit absolute address, so the image must link below 4 GiB (-no-pie)
mov [_stack_stash], rsp
; NOTE(review): rdi is a callee-saved register on Win64, not an argument
; register, so its value here is whatever the C caller happened to leave in
; it. The buffer pointer arrives in rcx; presumably [rcx + 0x80] was intended
; (a scratch stack inside the 32-bit-addressable buffer, above the 44-byte
; message) -- confirm against the caller before relying on this path.
lea rsp, [rdi + 0x80]
; Stash "how to get back": one 8-byte slot that the 32-bit `retf` later pops
; as eip = _call32_return_64 (low dword) and cs = 0x33 (high dword).
mov r9, 0x3300000000
or r9, _call32_return_64
push r9
; 8-byte slot whose low dword is popped by the 32-bit stub's `ret`
push _call32_return_32
; Set up far return/jump: with REX.W, retf pops an 8-byte rip then an 8-byte cs
push 0x23
push _call_32_from_32
db 0x48 ; REX.W prefix for the 64-bit retf
retf
; Re-entered from the 32-bit trampoline with cs = 0x33; rsp still points
; into the temporary stack, so restore the real one before popping rbx.
_call32_return_64:
mov rsp, [_stack_stash]
pop rbx
ret
section .bss
; Parked 64-bit rsp while the 32-bit code runs. One slot only, so
; call_32_from_32 is neither reentrant nor thread-safe.
_stack_stash: resq 1
; Everything below is assembled as 32-bit code; it runs with cs = 0x23 after
; the far return in call_32_from_32.
BITS 32
section .text
; Landing pad for the 32-bit stub's `ret`. On arrival esp points at the high
; dword (zero) of the 8-byte slot that held _call32_return_32; skip it so the
; 32-bit far return pops eip = _call32_return_64 and cs = 0x33 from the slot
; that call_32_from_32 pushed as r9.
_call32_return_32:
add esp, 4
retf
; 32-bit body of call_32_from_32: write(1, buf, 44) through int 0x80.
; In:    ecx = buf (low half of the Win64 rcx argument, untouched since entry)
; Clobb: eax, edx, ebx (the 64-bit caller restores rbx)
; Returns with a near `ret` to the trampoline address pushed by the 64-bit
; side, never directly to C code.
_call_32_from_32:
mov eax, 4 ; Linux i386 syscall number 4 = write
mov ebx, 1 ; arg0: fd 1 (stdout)
; arg1: ecx already holds buf
mov edx, 44 ; arg2: fixed length (caller's 43 chars + NUL)
int 0x80
ret ; pops the 4-byte _call32_return_32 slot
// nasm -f win64 asmbits2.asm
// x86_64-w64-mingw32-gcc -no-pie -ggdb -Wall -O2 -o llgames2.exe llgames2.c asmbits2.obj
#include <stdio.h> | |
#include <stdint.h> | |
#include <string.h> | |
#include <windows.h> | |
/* Stubs defined in asmbits2.asm. Each issues a Linux write() of a fixed 44
 * bytes from buf to fd 1; buf is passed in rcx (Win64 arg0). The two int 0x80
 * variants hand the kernel only the low 32 bits of buf, so the buffer must
 * live below 4 GiB. None of them returns a result. */
extern void call_64_from_64(void *buf);
extern void call_32_from_64(void *buf);
extern void call_32_from_32(void *buf);
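/* Bytes each asm stub writes per call (43 characters plus the NUL). The
 * length is hard-coded in asmbits2.asm, so keep the two in sync. */
enum { LLGAMES_MSG_LEN = 44 };

/* Copies msg into dst after checking that it is exactly the size the asm
 * stubs write; returns 0 on success, -1 (nothing copied) on a size mismatch. */
static int place_message(char *dst, const char *msg) {
    if (strlen(msg) + 1 != LLGAMES_MSG_LEN) {
        printf("message must be exactly %d bytes with NUL: \"%s\"\n",
               LLGAMES_MSG_LEN, msg);
        return -1;
    }
    strcpy(dst, msg);
    return 0;
}

/* Demonstrates three ways of reaching a Linux write(1, buf, 44) from a
 * Windows PE running under WINE: the native 64-bit `syscall`, `int 0x80`
 * from 64-bit code, and `int 0x80` from a 32-bit code segment.
 *
 * The buffer is requested at 0x10000000 because the two int 0x80 stubs pass
 * only the low 32 bits of the pointer to the kernel; VirtualAlloc either
 * honours the address or fails, but the range is re-checked below so a
 * silently truncated pointer can never reach the kernel. VirtualAlloc memory
 * is zero-filled, which supplies the NUL the stubs emit as byte 44.
 *
 * Returns 0 on success, -1 if the buffer cannot be allocated or is unusable. */
int main(int argc, char **argv) {
    enum {
        BUF_SIZE       = 16 * 1024,
        OFF_64_FROM_64 = 0x0,
        OFF_32_FROM_64 = 0x100,
        /* the 32-bit stub also builds a small scratch stack above its message */
        OFF_32_FROM_32 = 0x300,
    };
    (void)argc;
    (void)argv;

    printf("Hello world!\n");
    // printf("main is at %p\n", main);

    char *buf = VirtualAlloc((void*)0x10000000, BUF_SIZE, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (!buf) {
        printf("VirtualAlloc failed!\n");
        return -1;
    }
    printf("buf = %p\n", buf);

    /* The int 0x80 paths truncate the pointer to ecx: refuse anything that
     * does not fit entirely in the low 4 GiB. */
    if ((uintptr_t)buf + BUF_SIZE > (uintptr_t)0xFFFFFFFFu) {
        printf("buf is not 32-bit addressable!\n");
        return -1;
    }

    if (place_message(buf + OFF_64_FROM_64, "Hello from 64-bit syscall from 64-bit code\n") != 0 ||
        place_message(buf + OFF_32_FROM_64, "Hello from 32-bit syscall from 64-bit code\n") != 0 ||
        /* 0x200 was reserved for "64-bit syscall from 32-bit code", which has no stub */
        place_message(buf + OFF_32_FROM_32, "Hello from 32-bit syscall from 32-bit code\n") != 0) {
        return -1;
    }

    call_64_from_64(buf + OFF_64_FROM_64);
    call_32_from_64(buf + OFF_32_FROM_64);
    call_32_from_32(buf + OFF_32_FROM_32);
    return 0;
}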