Idov31 / FunctionStomping

Shellcode injection technique. Given as C++ header, standalone Rust program or library.
https://idov31.github.io/2022/01/28/function-stomping.html
GNU General Public License v3.0

[QUESTIONS] Some victim processes crash without execution #4

Closed Scaum closed 2 years ago

Scaum commented 2 years ago

First of all, thanks for your work and publishing it along with the very interesting blog post.

I've been playing a bit with your POC, especially the Rust version, and there is something I'm not fully getting. Depending on the victim process, I get the following results:

I've tried with a custom shellcode and by changing the targeted function in kernel32.dll but I always get the same results. So my questions are:

Idov31 commented 2 years ago

Thank you for this issue, and I'm glad that you like my blog post. Honestly, I didn't try that on explorer, but it is very weird and I will try to dig into it.

About notepad and the majority of the processes: That is a behavior I saw as well, but weirdly it doesn't happen all the time; most of the time when I tried that on notepad it just restarted itself, and on a binary I created it just finished its run normally.

My speculation is that the remote process expects a handle and gets nothing and therefore crashes. I think that if the shellcode returns a value (even INVALID_HANDLE_VALUE) the remote process won't crash (but again, that is my speculation and I need to check it out before I state it as a fact).

The shellcode I used is the simplest shellcode generated with msfvenom. I recommend checking it with shellcode of a Cobalt Strike beacon or Metasploit's agent and seeing the result.

[UPDATE] I tried to play around a bit with it and tested several shellcodes (including Metasploit agent & reverse shell) and tried to change the return value, but for some reason it still crashed (I wasn't able to recreate the crash without execution).

Because it crashes the host process after execution (I still think that the return value is the issue), I would recommend spawning your own process (e.g. notepad, svchost) and injecting your shellcode into it.

I didn't find any other processes where the injection crashes the process without the shellcode being executed, so if you find any, let me know!

Also, if you have a fix for it create a pull request and I'll happily review it :)
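The return-value point raised in the thread, as an added example that is not part of the issue and not the FunctionStomping project's own code: a stomped function is still called by the victim with the ABI contract of the original (arguments in registers, a return value expected in rax, a return address on the stack), so whatever replaces it has to hand a plausible value back or the caller dereferences garbage. The program below stomps a function in its own address space rather than a remote one (mprotect and memcpy stand in for VirtualProtect and WriteProcessMemory, a C function stands in for the shellcode), and the stub it writes is a 12-byte `mov rax, imm64 ; jmp rax` trampoline, which is an assumption of this demo rather than the project's technique. It assumes x86-64 Linux; the hypothetical `victim_api` and `payload_well_behaved` are constructed for the example, and the sentinel `STOMP_UNSUPPORTED` is likewise invented here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

/* Assumed sentinel (not from the project): returned by run_demo() when the
 * host is not x86-64 Linux or the text page could not be made writable. */
#define STOMP_UNSUPPORTED ((intptr_t)-2)

/* Encode "mov rax, imm64 ; jmp rax" (12 bytes).  A jmp rather than a call:
 * the payload inherits the victim's arguments in rdi/rsi/... and its own
 * ret returns straight to whoever called the stomped function. */
size_t build_stub(uint8_t *out, uint64_t target)
{
    out[0] = 0x48;                        /* REX.W prefix            */
    out[1] = 0xB8;                        /* mov rax, imm64          */
    for (int i = 0; i < 8; i++)           /* little-endian immediate */
        out[2 + i] = (uint8_t)(target >> (8 * i));
    out[10] = 0xFF;                       /* jmp rax                 */
    out[11] = 0xE0;
    return 12;
}

/* Constructed stand-in for an API the victim keeps calling (think CreateFileA):
 * it derives a handle-like value from its argument.  The loop keeps the body
 * longer than the 12-byte stub so the write cannot spill into the next function. */
static intptr_t __attribute__((noinline)) victim_api(const char *name)
{
    intptr_t h = 7;
    for (const char *p = name; *p; ++p)
        h = h * 31 + (unsigned char)*p;
    return h;
}

static int payload_ran = 0;
int payload_did_run(void) { return payload_ran; }

/* Constructed stand-in for shellcode that keeps the ABI contract: do the work,
 * then return a value the caller can cope with (-1, the INVALID_HANDLE_VALUE
 * idiom) instead of running off the end or leaving rax full of garbage. */
static intptr_t payload_well_behaved(const char *name)
{
    (void)name;
    payload_ran = 1;
    return (intptr_t)-1;
}

/* Overwrite the first bytes of `victim` with a stub jumping to `payload`
 * (local-process analogue of VirtualProtect + WriteProcessMemory).
 * Returns 0 on success, -1 if the text page could not be made writable. */
int stomp_function(void *victim, void *payload)
{
    uint8_t stub[12];
    size_t n = build_stub(stub, (uint64_t)(uintptr_t)payload);
    uintptr_t page = (uintptr_t)sysconf(_SC_PAGESIZE);
    uintptr_t start = (uintptr_t)victim & ~(page - 1);
    /* The stub may straddle a page boundary, so cover every page it touches. */
    uintptr_t end = ((uintptr_t)victim + n + page - 1) & ~(page - 1);
    size_t len = end - start;
    if (mprotect((void *)start, len, PROT_READ | PROT_WRITE | PROT_EXEC) != 0)
        return -1;
    memcpy(victim, stub, n);
    __builtin___clear_cache((char *)victim, (char *)victim + n);
    mprotect((void *)start, len, PROT_READ | PROT_EXEC);
    return 0;
}

/* Stomp victim_api, call it the way the victim would, and return what the
 * caller sees.  The volatile function pointer keeps the optimizer from
 * inlining or cloning the call, so the stomped entry point is really used. */
intptr_t run_demo(void)
{
#if defined(__x86_64__) && defined(__linux__)
    intptr_t (*volatile api)(const char *) = victim_api;
    intptr_t before = api("C:\\victim.txt");           /* constructed input */
    if (stomp_function((void *)api, (void *)payload_well_behaved) != 0)
        return STOMP_UNSUPPORTED;
    intptr_t after = api("C:\\victim.txt");
    printf("before stomp: %ld, after stomp: %ld\n", (long)before, (long)after);
    return after;                                       /* -1 on success */
#else
    return STOMP_UNSUPPORTED;
#endif
}

int main(void)
{
    intptr_t r = run_demo();
    printf("caller saw %ld (payload ran: %d)\n", (long)r, payload_did_run());
    return r == (intptr_t)-1 ? 0 : 1;
}
```

After the stomp the caller gets -1 and keeps running, which is the "return INVALID_HANDLE_VALUE" variant speculated about above; a payload that ended in `int3`, spun forever, or simply fell off its last instruction would take the host down at the next call, and a victim that dereferences the returned "handle" without checking it will still crash even with a well-behaved stub. Real shellcode written over the function directly has to honor the same three things the trampoline preserves: the argument registers, the return address, and a sane rax.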