my shellcode run, but the src exe cann't execute

Binject / binjection

Injects additional machine instructions into various binary formats.

GNU General Public License v3.0

267 stars 30 forks source link

my shellcode run, but the src exe cann't execute #7

Open Hello-xBugs opened 3 years ago

Hello-xBugs commented 3 years ago

my shellcode run, but the src exe cann't execute

awgh commented 3 years ago

@qiushifengyu I'm assuming you're injecting into a PE for Windows, because you said exe. On Windows, binjection will automatically add a JMP back to the original entry point to the end of your shellcode.

This is where the injection is happening:. And this is the shellcode that is being appended to your shellcode.

There are two possibilities I can see: 1) Your shellcode does not make it all the way to the JMP being added to the end of it. This is the most common cause of the issue you're describing. Perhaps your code is crashing or looping or attempting to RET to nowhere? 2) The JMP being appended is actually running, but crashing or attempting to jump to the wrong address.

Are you able to step through the binjected binary in a debugger and see which of these is the case?

Thanks!

Hello-xBugs commented 3 years ago

yes,I see.thank you very much,I will debug my shellcode。 thanks!

awgh commented 3 years ago

@qiushifengyu Please let me know which of those it turns out being. If it's number 1, I'll close the issue, but if it's number 2, I'll have to fix something :)

Hello-xBugs commented 3 years ago

thanks a lot, I debuged my sc.I have RET before before jmp back. I use the SRDI make my dll to shell code

Hello-xBugs commented 3 years ago

is the code cave completed?

awgh commented 3 years ago

Code cave detection is implemented, but not actually used for Windows. In our experiments, we found that changes to the windows compiler have basically removed most simple (continuous) code caves from PE binaries. We have not implemented code cave chaining yet, which is the only thing that might work on some programs.

The method we're currently using adds a new section. This seems to be the most stable.

Hello-xBugs commented 3 years ago

yes，it is seems to be the most stable, but can't bypass AV

1mansh0w commented 2 years ago

@awgh First of all thank you and your team for binjection! 😊

I'm running into the same problem as @tooBugs: Shell code runs, but source file won't be executed

What's weird is that shell code and source file are both simple hello world programs, which work individually and don't crash.

Here are the steps to reproduce:

Build this repo with make: https://github.com/1mansh0w/binjection-hello-world
Create shell code with donut: donut ~/hello.x64.exe
Inject shell code in source file with binjection: binjection -f ./hello.x64.exe -s ./loader.bin -o no_luck.exe
Execute _noluck.exe on Windows 10 -> only shell code get's executed

I thought that maybe the source file cannot print the string to stdout, but is actually running - therefore I also tried an executable that creates a file, but also that didn't happen. The executable works fine individually.

Do you know what the issue could be here?

Thanks!