Remove hardcoded blockapi hashes and ASM Blockapi

[dledda-r7]

This PR removes some old hardcoded block-api hashes and update some block api assembly block using the dedicated mixin.

Verification

• for each module ensure the generated hash is the same of the hardcoded one
• I quickly added a print(combined_asm) inside the generate_<payload> function and checked for the hashes
• You can use any other way to check that such as objdump of the PE before and after

[dledda-r7]

Not able to do generate here fixed

[dledda-r7]

Re-Drafting as I need to work on some more hard-coded thing which I hoped I would be able to bypass.

[smcintyre-r7]

I think you missed:

• metasploit-framework/lib/msf/core/payload/windows/reverse_tcp_dns.rb

  Line 145 in 07ce1aa

  push 0x56A2B5F0 ; hardcoded to exitprocess for size

• metasploit-framework/modules/payloads/stagers/windows/reverse_https_proxy.rb

  Line 137 in 07ce1aa

  jmphost_loc = p.index("\x68\x3a\x56\x79\xa7\xff\xd5") + 8 # push 0xA779563A ; hash( "wininet.dll", "InternetOpenA" ) ; call ebp

Generally speaking in the future when you edit a line like the following, it would clean things up a bit to remove the comment since it's now redundant with the source code. I wouldn't bother going back and deleting all of these comments, but as you continue to make changes, and it's convenient, I'd drop them.

push #{Rex::Text.block_api_hash("kernel32.dll", "VirtualAllocEx")} ; hash( "kernel32.dll", "VirtualAllocEx" )

Also, would you mind making a list of modules that have had non-trivial changes that should be tested? Any module that was previously hard coding the block API should probably get a quick test to ensure that it's still working. Adding them as checklist items to the PR description would be great. I can get started going through those next week after the two I found that were missing updates are addressed as well.

[dledda-r7]

I think you missed:

• metasploit-framework/lib/msf/core/payload/windows/reverse_tcp_dns.rb

  Line 145 in 07ce1aa

  push 0x56A2B5F0 ; hardcoded to exitprocess for size

• metasploit-framework/modules/payloads/stagers/windows/reverse_https_proxy.rb

  Line 137 in 07ce1aa

  jmphost_loc = p.index("\x68\x3a\x56\x79\xa7\xff\xd5") + 8 # push 0xA779563A ; hash( "wininet.dll", "InternetOpenA" ) ; call ebp

Generally speaking in the future when you edit a line like the following, it would clean things up a bit to remove the comment since it's now redundant with the source code. I wouldn't bother going back and deleting all of these comments, but as you continue to make changes, and it's convenient, I'd drop them.

push #{Rex::Text.block_api_hash("kernel32.dll", "VirtualAllocEx")} ; hash( "kernel32.dll", "VirtualAllocEx" )

Also, would you mind making a list of modules that have had non-trivial changes that should be tested? Any module that was previously hard coding the block API should probably get a quick test to ensure that it's still working. Adding them as checklist items to the PR description would be great. I can get started going through those next week after the two I found that were missing updates are addressed as well.

Good catch with the reverse_tcp_dns, I think the reverse_https_proxy need to be rewritten. working on that.

[dledda-r7]

So I re-wrote the reverse_https_proxy. but something in framework changed and we are not getting the second stage anymore, we are getting HTML with It Works so the payload is allocating that and jumping into it. Probably something some changes in the ReverseHttp handler...