TheWover / donut

Generates x86, x64, or AMD64+x86 position-independent shellcode that loads .NET Assemblies, PE files, and other Windows payloads from memory and runs them with parameters
BSD 3-Clause "New" or "Revised" License

Crystal binary not working #122

Open lap1nou opened 1 year ago

lap1nou commented 1 year ago

Hello,

First of all thank you for this amazing tool.

I'm struggling to create a shellcode from a binary compiled using the Crystal programming language (https://crystal-lang.org/). Crystal is a recent compiled language; as I understand it, the code is translated to LLVM and then compiled (using MSVC in my case) (ref: https://crystal-lang.org/2015/03/04/internals/).

Here is the source code of my Crystal program:

File.write("C:\\Users\\User\\test.txt", "This is the file content")

The code itself is working, and I tried with a "normal" C program and Donut is working fine. Here are all the steps I take:

1) I compile my Crystal binary using this command: crystal.exe build -d .\test.cr. This produces a binary called test.exe; this binary has a .reloc section, and I enabled the debug build using the -d flag.
2) I use donut like this: .\donut.exe -i .\test.exe. This gives me a file called loader.bin.
3) I then try to use this shellcode with the default shellcode runner: .\inject_local.exe ..\loader.bin, but no file is created.

If you want I can provide you a binary directly, and if you don't want to spend time on this issue I will understand; Crystal is not yet very well known, and I understand you will not try to support all languages of the world.

Regards.

lap1nou commented 1 year ago

Here is the output of the debug mode in case it can be useful:

PS C:\Users\User\donut> .\donut.exe -i .\test.exe

  [ Donut shellcode generator v1 (built Mar 11 2023 12:16:37)
  [ Copyright (c) 2019-2021 TheWover, Odzhan

DEBUG: donut.c:1817:get_opt(): Arg type for h;?, help : None
DEBUG: donut.c:1817:get_opt(): Arg type for a, arch : Decimal
DEBUG: donut.c:1817:get_opt(): Arg type for b, bypass : Decimal
DEBUG: donut.c:1817:get_opt(): Arg type for k, headers : Decimal
DEBUG: donut.c:1817:get_opt(): Arg type for c, class : String
DEBUG: donut.c:1817:get_opt(): Arg type for d, domain : String
DEBUG: donut.c:1817:get_opt(): Arg type for e, entropy : Decimal
DEBUG: donut.c:1817:get_opt(): Arg type for f, format : Decimal
DEBUG: donut.c:1817:get_opt(): Arg type for i, input;file : String
DEBUG: donut.c:1894:get_opt(): Found match
DEBUG: donut.c:1912:get_opt(): Parsing .\test.exe

DEBUG: donut.c:1925:get_opt(): Copying .\test.exe to output
DEBUG: donut.c:1817:get_opt(): Arg type for m, method;function : String
DEBUG: donut.c:1817:get_opt(): Arg type for n, modname : String
DEBUG: donut.c:1817:get_opt(): Arg type for j, decoy : String
DEBUG: donut.c:1817:get_opt(): Arg type for o, output : String
DEBUG: donut.c:1817:get_opt(): Arg type for p, params;args : String
DEBUG: donut.c:1817:get_opt(): Arg type for r, runtime : String
DEBUG: donut.c:1817:get_opt(): Arg type for s, server : String
DEBUG: donut.c:1817:get_opt(): Arg type for t, thread : Flag
DEBUG: donut.c:1817:get_opt(): Arg type for w, unicode : Flag
DEBUG: donut.c:1817:get_opt(): Arg type for x, exit : Decimal
DEBUG: donut.c:1817:get_opt(): Arg type for y, oep;fork : Hexadecimal
DEBUG: donut.c:1817:get_opt(): Arg type for z, compress : Decimal
DEBUG: donut.c:1575:DonutCreate(): Entering.
DEBUG: donut.c:1347:validate_loader_cfg(): Validating loader configuration.
DEBUG: donut.c:1450:validate_loader_cfg(): Loader configuration passed validation.
DEBUG: donut.c:474:read_file_info(): Entering.
DEBUG: donut.c:482:read_file_info(): Checking extension of .\test.exe
DEBUG: donut.c:490:read_file_info(): Extension is ".exe"
DEBUG: donut.c:506:read_file_info(): File is EXE
DEBUG: donut.c:518:read_file_info(): Mapping .\test.exe into memory
DEBUG: donut.c:262:map_file(): Entering.
DEBUG: donut.c:546:read_file_info(): Checking characteristics
DEBUG: donut.c:597:read_file_info(): Leaving with error :  0
DEBUG: donut.c:1516:validate_file_cfg(): Validating configuration for input file.
DEBUG: donut.c:1558:validate_file_cfg(): Validation passed.
DEBUG: donut.c:689:build_module(): Entering.
DEBUG: donut.c:703:build_module(): Assigning 2403328 bytes of 000002690B770000 to data
DEBUG: donut.c:710:build_module(): Allocating 2404656 bytes of memory for DONUT_MODULE
DEBUG: donut.c:794:build_module(): Copying data to module
DEBUG: donut.c:806:build_module(): Leaving with error :  0
DEBUG: donut.c:826:build_instance(): Entering.
DEBUG: donut.c:829:build_instance(): Allocating memory for instance
DEBUG: donut.c:836:build_instance(): The size of module is 2404656 bytes. Adding to size of instance.
DEBUG: donut.c:839:build_instance(): Total length of instance : 2409408
DEBUG: donut.c:870:build_instance(): Generating random key for instance
DEBUG: donut.c:879:build_instance(): Generating random key for module
DEBUG: donut.c:888:build_instance(): Generating random string to verify decryption
DEBUG: donut.c:895:build_instance(): Generating random IV for Maru hash
DEBUG: donut.c:903:build_instance(): Generating hashes for API using IV: A2C29EA8B9E10E17
DEBUG: donut.c:916:build_instance(): Hash for kernel32.dll    : LoadLibraryA           = 899811C3629617B1
DEBUG: donut.c:916:build_instance(): Hash for kernel32.dll    : GetProcAddress         = B8FEC1A5DF6AF617
DEBUG: donut.c:916:build_instance(): Hash for kernel32.dll    : GetModuleHandleA       = 9B8273CBF1F8CB2F
DEBUG: donut.c:916:build_instance(): Hash for kernel32.dll    : VirtualAlloc           = 42711CB811A2E776
DEBUG: donut.c:916:build_instance(): Hash for kernel32.dll    : VirtualFree            = A48AAA89565858F7
DEBUG: donut.c:916:build_instance(): Hash for kernel32.dll    : VirtualQuery           = EF553D8E03C74C82
DEBUG: donut.c:916:build_instance(): Hash for kernel32.dll    : VirtualProtect         = 602366033C00A0B3
DEBUG: donut.c:916:build_instance(): Hash for kernel32.dll    : Sleep                  = 6AD22F6136FB14FD
DEBUG: donut.c:916:build_instance(): Hash for kernel32.dll    : MultiByteToWideChar    = CBE439E0F37AAEBD
DEBUG: donut.c:916:build_instance(): Hash for kernel32.dll    : GetUserDefaultLCID     = E77DFEC24629CF95
DEBUG: donut.c:916:build_instance(): Hash for kernel32.dll    : WaitForSingleObject    = C48554C18E33252A
DEBUG: donut.c:916:build_instance(): Hash for kernel32.dll    : CreateThread           = BE2B2A265E9C2258
DEBUG: donut.c:916:build_instance(): Hash for kernel32.dll    : CreateFileA            = 215C65924D68DAC7
DEBUG: donut.c:916:build_instance(): Hash for kernel32.dll    : GetFileSizeEx          = B191D876400CD4BF
DEBUG: donut.c:916:build_instance(): Hash for kernel32.dll    : GetThreadContext       = 8EC05CC4DA2114E1
DEBUG: donut.c:916:build_instance(): Hash for kernel32.dll    : GetCurrentThread       = D93339F4E5CC1A37
DEBUG: donut.c:916:build_instance(): Hash for kernel32.dll    : GetCurrentProcess      = 9F62D868E859BFD9
DEBUG: donut.c:916:build_instance(): Hash for kernel32.dll    : GetCommandLineA        = 34EE41D5626FE262
DEBUG: donut.c:916:build_instance(): Hash for kernel32.dll    : GetCommandLineW        = D5ACF8EF8F896BE4
DEBUG: donut.c:916:build_instance(): Hash for kernel32.dll    : HeapAlloc              = 960605E0A4B417B4
DEBUG: donut.c:916:build_instance(): Hash for kernel32.dll    : HeapReAlloc            = C946DBCF003DE294
DEBUG: donut.c:916:build_instance(): Hash for kernel32.dll    : GetProcessHeap         = 31A61E6288513978
DEBUG: donut.c:916:build_instance(): Hash for kernel32.dll    : HeapFree               = 5C648D6AAB35D0CE
DEBUG: donut.c:916:build_instance(): Hash for kernel32.dll    : GetLastError           = 583A6684749BB923
DEBUG: donut.c:916:build_instance(): Hash for kernel32.dll    : CloseHandle            = 9C3EDDC3EE852954
DEBUG: donut.c:916:build_instance(): Hash for shell32.dll     : CommandLineToArgvW     = DDC4350C6E3413C9
DEBUG: donut.c:916:build_instance(): Hash for oleaut32.dll    : SafeArrayCreate        = 77D04F7F1E1717F0
DEBUG: donut.c:916:build_instance(): Hash for oleaut32.dll    : SafeArrayCreateVector  = FB2A4E7DA4C5FD23
DEBUG: donut.c:916:build_instance(): Hash for oleaut32.dll    : SafeArrayPutElement    = 1276F5A840DAE095
DEBUG: donut.c:916:build_instance(): Hash for oleaut32.dll    : SafeArrayDestroy       = 0FEDD0632D55374B
DEBUG: donut.c:916:build_instance(): Hash for oleaut32.dll    : SafeArrayGetLBound     = 7EC1B0F19AD7A299
DEBUG: donut.c:916:build_instance(): Hash for oleaut32.dll    : SafeArrayGetUBound     = C6C2A5020E5C1006
DEBUG: donut.c:916:build_instance(): Hash for oleaut32.dll    : SysAllocString         = DC1FE6AF3D3E056D
DEBUG: donut.c:916:build_instance(): Hash for oleaut32.dll    : SysFreeString          = 60B156584B2BC0F7
DEBUG: donut.c:916:build_instance(): Hash for oleaut32.dll    : LoadTypeLib            = B5A6760D74A5F0A5
DEBUG: donut.c:916:build_instance(): Hash for wininet.dll     : InternetCrackUrlA      = E4449831327088C2
DEBUG: donut.c:916:build_instance(): Hash for wininet.dll     : InternetOpenA          = 1679D62DD44DE558
DEBUG: donut.c:916:build_instance(): Hash for wininet.dll     : InternetConnectA       = 28F5894093B194AC
DEBUG: donut.c:916:build_instance(): Hash for wininet.dll     : InternetSetOptionA     = 065C9B4555AE1245
DEBUG: donut.c:916:build_instance(): Hash for wininet.dll     : InternetReadFile       = 6C0CA47E3A1642AD
DEBUG: donut.c:916:build_instance(): Hash for wininet.dll     : InternetQueryDataAvailable = FBEE4DC77784C8A4
DEBUG: donut.c:916:build_instance(): Hash for wininet.dll     : InternetCloseHandle    = E728F03A8EB8A0D8
DEBUG: donut.c:916:build_instance(): Hash for wininet.dll     : HttpOpenRequestA       = 34086C47298D6BCB
DEBUG: donut.c:916:build_instance(): Hash for wininet.dll     : HttpSendRequestA       = B9357CE84A13D552
DEBUG: donut.c:916:build_instance(): Hash for wininet.dll     : HttpQueryInfoA         = 977EFCAA7FDD0515
DEBUG: donut.c:916:build_instance(): Hash for mscoree.dll     : CorBindToRuntime       = 85243C6FE59AE306
DEBUG: donut.c:916:build_instance(): Hash for mscoree.dll     : CLRCreateInstance      = 5A63F1DD6D561D11
DEBUG: donut.c:916:build_instance(): Hash for ole32.dll       : CoInitializeEx         = 7C5F848AE143FAE3
DEBUG: donut.c:916:build_instance(): Hash for ole32.dll       : CoCreateInstance       = 242F8382755DBC7B
DEBUG: donut.c:916:build_instance(): Hash for ole32.dll       : CoUninitialize         = 71B8D50B695AB87E
DEBUG: donut.c:916:build_instance(): Hash for ntdll.dll       : RtlEqualUnicodeString  = F962773B547A060F
DEBUG: donut.c:916:build_instance(): Hash for ntdll.dll       : RtlEqualString         = 46D80DA45C8ABE03
DEBUG: donut.c:916:build_instance(): Hash for ntdll.dll       : RtlUnicodeStringToAnsiString = DE0C014F7C1B7967
DEBUG: donut.c:916:build_instance(): Hash for ntdll.dll       : RtlInitUnicodeString   = 9B74A1977A276A8F
DEBUG: donut.c:916:build_instance(): Hash for ntdll.dll       : RtlExitUserThread      = C0DA5CDA3F0E4F1B
DEBUG: donut.c:916:build_instance(): Hash for ntdll.dll       : RtlExitUserProcess     = 409F303B4F9FEB48
DEBUG: donut.c:916:build_instance(): Hash for ntdll.dll       : RtlCreateUnicodeString = 6DDB7EC7337A30A1
DEBUG: donut.c:916:build_instance(): Hash for ntdll.dll       : RtlGetCompressionWorkSpaceSize = 1D37073E82850F4E
DEBUG: donut.c:916:build_instance(): Hash for ntdll.dll       : RtlDecompressBuffer    = AA377AAE3C5E2ABD
DEBUG: donut.c:916:build_instance(): Hash for ntdll.dll       : NtContinue             = 4159309699554454
DEBUG: donut.c:916:build_instance(): Hash for ntdll.dll       : NtCreateSection        = D44B82E52BC6F110
DEBUG: donut.c:916:build_instance(): Hash for ntdll.dll       : NtMapViewOfSection     = CE54C3360CC70AB9
DEBUG: donut.c:916:build_instance(): Hash for ntdll.dll       : NtUnmapViewOfSection   = 597C97A827799E9B
DEBUG: donut.c:919:build_instance(): Setting number of API to 63
DEBUG: donut.c:922:build_instance(): Setting DLL names to ole32;oleaut32;wininet;mscoree;shell32
DEBUG: donut.c:965:build_instance(): Copying strings required to bypass AMSI
DEBUG: donut.c:973:build_instance(): Copying strings required to bypass WLDP
DEBUG: donut.c:979:build_instance(): Copying strings required to bypass ETW
DEBUG: donut.c:1052:build_instance(): Copying module data to instance
DEBUG: donut.c:1058:build_instance(): Encrypting instance
DEBUG: donut.c:1076:build_instance(): Leaving with error :  0
DEBUG: donut.c:1251:build_loader(): Inserting opcodes
DEBUG: donut.c:1300:build_loader(): Copying 25077 bytes of x86 + amd64 shellcode
DEBUG: donut.c:1124:save_loader(): Saving instance 000002690BC25040 to file. 2409408 bytes.
DEBUG: donut.c:1095:save_file(): Entering.
DEBUG: donut.c:1099:save_file(): Writing 2409408 bytes of 000002690BC25040 to instance
DEBUG: donut.c:1104:save_file(): Leaving with error :  0
DEBUG: donut.c:1176:save_loader(): Saving loader as binary
DEBUG: donut.c:1213:save_loader(): Leaving with error :  0
DEBUG: donut.c:1610:DonutCreate(): Leaving with error :  0
  [ Instance type : Embedded
  [ Module file   : ".\test.exe"
  [ Entropy       : Random names + Encryption
  [ File type     : EXE
  [ Target CPU    : x86+amd64
  [ AMSI/WDLP/ETW : continue
  [ PE Headers    : overwrite
  [ Shellcode     : "loader.bin"
  [ Exit          : Thread
DEBUG: donut.c:1626:DonutDelete(): Entering.
DEBUG: donut.c:1632:DonutDelete(): Releasing memory for module.
DEBUG: donut.c:1638:DonutDelete(): Releasing memory for configuration.
DEBUG: donut.c:1644:DonutDelete(): Releasing memory for loader.
DEBUG: donut.c:311:unmap_file(): Unmapping input file.
DEBUG: donut.c:316:unmap_file(): Closing input file.
DEBUG: donut.c:1650:DonutDelete(): Leaving.
PS C:\Users\User\donut> .\loader .\instance
Running...
DEBUG: loader.c:46:DonutLoader(): sizeof(DONUT_INSTANCE)        : 4752

DEBUG: loader.c:47:DonutLoader(): offsetof(DONUT_INSTANCE, api) : 48

DEBUG: loader.c:116:MainProc(): Maru IV : A2C29EA8B9E10E17
DEBUG: loader.c:119:MainProc(): Resolving address for VirtualAlloc() : 42711CB811A2E776
DEBUG: loader.c:123:MainProc(): Resolving address for VirtualFree() : A48AAA89565858F7
DEBUG: loader.c:127:MainProc(): Resolving address for RtlExitUserProcess() : 409F303B4F9FEB48
DEBUG: loader.c:140:MainProc(): VirtualAlloc : 00007FF843FD3F00 VirtualFree : 00007FF843FD4AE0
DEBUG: loader.c:142:MainProc(): Allocating 2409408 bytes of RW memory
DEBUG: loader.c:154:MainProc(): Copying 2409408 bytes of data to memory 000001C434D70000
DEBUG: loader.c:158:MainProc(): Zero initializing PDONUT_ASSEMBLY
DEBUG: loader.c:167:MainProc(): Decrypting 2409408 bytes of instance
DEBUG: loader.c:174:MainProc(): Generating hash to verify decryption
DEBUG: loader.c:176:MainProc(): Instance : 658304F9341DD20A | Result : 658304F9341DD20A
DEBUG: loader.c:183:MainProc(): Resolving LoadLibraryA
DEBUG: peb.c:187:xGetLibAddress(): Searching for DLL in PEB: ole32.dll
DEBUG: peb.c:213:xGetLibAddress(): Address of DLL: 00007FF842420000
DEBUG: peb.c:187:xGetLibAddress(): Searching for DLL in PEB: oleaut32.dll
DEBUG: peb.c:213:xGetLibAddress(): Address of DLL: 0000000000000000
DEBUG: peb.c:218:xGetLibAddress(): Dll not found. Loaded oleaut32.dll via LoadLibrary at 0x00007FF8444F0000
DEBUG: peb.c:187:xGetLibAddress(): Searching for DLL in PEB: wininet.dll
DEBUG: peb.c:213:xGetLibAddress(): Address of DLL: 0000000000000000
DEBUG: peb.c:218:xGetLibAddress(): Dll not found. Loaded wininet.dll via LoadLibrary at 0x00007FF82C2F0000
DEBUG: peb.c:187:xGetLibAddress(): Searching for DLL in PEB: mscoree.dll
DEBUG: peb.c:213:xGetLibAddress(): Address of DLL: 0000000000000000
DEBUG: peb.c:218:xGetLibAddress(): Dll not found. Loaded mscoree.dll via LoadLibrary at 0x00007FF8183B0000
DEBUG: peb.c:187:xGetLibAddress(): Searching for DLL in PEB: shell32.dll
DEBUG: peb.c:213:xGetLibAddress(): Address of DLL: 0000000000000000
DEBUG: peb.c:218:xGetLibAddress(): Dll not found. Loaded shell32.dll via LoadLibrary at 0x00007FF843680000
DEBUG: loader.c:203:MainProc(): Resolving 63 API
DEBUG: loader.c:206:MainProc(): Resolving API address for B8FEC1A5DF6AF617
DEBUG: loader.c:206:MainProc(): Resolving API address for 9B8273CBF1F8CB2F
DEBUG: loader.c:206:MainProc(): Resolving API address for 42711CB811A2E776
DEBUG: loader.c:206:MainProc(): Resolving API address for A48AAA89565858F7
DEBUG: loader.c:206:MainProc(): Resolving API address for EF553D8E03C74C82
DEBUG: loader.c:206:MainProc(): Resolving API address for 602366033C00A0B3
DEBUG: loader.c:206:MainProc(): Resolving API address for 6AD22F6136FB14FD
DEBUG: loader.c:206:MainProc(): Resolving API address for CBE439E0F37AAEBD
DEBUG: loader.c:206:MainProc(): Resolving API address for E77DFEC24629CF95
DEBUG: loader.c:206:MainProc(): Resolving API address for C48554C18E33252A
DEBUG: loader.c:206:MainProc(): Resolving API address for BE2B2A265E9C2258
DEBUG: loader.c:206:MainProc(): Resolving API address for 215C65924D68DAC7
DEBUG: loader.c:206:MainProc(): Resolving API address for B191D876400CD4BF
DEBUG: loader.c:206:MainProc(): Resolving API address for 8EC05CC4DA2114E1
DEBUG: loader.c:206:MainProc(): Resolving API address for D93339F4E5CC1A37
DEBUG: loader.c:206:MainProc(): Resolving API address for 9F62D868E859BFD9
DEBUG: loader.c:206:MainProc(): Resolving API address for 34EE41D5626FE262
DEBUG: loader.c:206:MainProc(): Resolving API address for D5ACF8EF8F896BE4
DEBUG: loader.c:206:MainProc(): Resolving API address for 960605E0A4B417B4
DEBUG: loader.c:206:MainProc(): Resolving API address for C946DBCF003DE294
DEBUG: loader.c:206:MainProc(): Resolving API address for 31A61E6288513978
DEBUG: loader.c:206:MainProc(): Resolving API address for 5C648D6AAB35D0CE
DEBUG: loader.c:206:MainProc(): Resolving API address for 583A6684749BB923
DEBUG: loader.c:206:MainProc(): Resolving API address for 9C3EDDC3EE852954
DEBUG: loader.c:206:MainProc(): Resolving API address for DDC4350C6E3413C9
DEBUG: loader.c:206:MainProc(): Resolving API address for 77D04F7F1E1717F0
DEBUG: loader.c:206:MainProc(): Resolving API address for FB2A4E7DA4C5FD23
DEBUG: loader.c:206:MainProc(): Resolving API address for 1276F5A840DAE095
DEBUG: loader.c:206:MainProc(): Resolving API address for 0FEDD0632D55374B
DEBUG: loader.c:206:MainProc(): Resolving API address for 7EC1B0F19AD7A299
DEBUG: loader.c:206:MainProc(): Resolving API address for C6C2A5020E5C1006
DEBUG: loader.c:206:MainProc(): Resolving API address for DC1FE6AF3D3E056D
DEBUG: loader.c:206:MainProc(): Resolving API address for 60B156584B2BC0F7
DEBUG: loader.c:206:MainProc(): Resolving API address for B5A6760D74A5F0A5
DEBUG: loader.c:206:MainProc(): Resolving API address for E4449831327088C2
DEBUG: loader.c:206:MainProc(): Resolving API address for 1679D62DD44DE558
DEBUG: loader.c:206:MainProc(): Resolving API address for 28F5894093B194AC
DEBUG: loader.c:206:MainProc(): Resolving API address for 065C9B4555AE1245
DEBUG: loader.c:206:MainProc(): Resolving API address for 6C0CA47E3A1642AD
DEBUG: loader.c:206:MainProc(): Resolving API address for FBEE4DC77784C8A4
DEBUG: loader.c:206:MainProc(): Resolving API address for E728F03A8EB8A0D8
DEBUG: loader.c:206:MainProc(): Resolving API address for 34086C47298D6BCB
DEBUG: loader.c:206:MainProc(): Resolving API address for B9357CE84A13D552
DEBUG: loader.c:206:MainProc(): Resolving API address for 977EFCAA7FDD0515
DEBUG: loader.c:206:MainProc(): Resolving API address for 85243C6FE59AE306
DEBUG: loader.c:206:MainProc(): Resolving API address for 5A63F1DD6D561D11
DEBUG: loader.c:206:MainProc(): Resolving API address for 7C5F848AE143FAE3
DEBUG: loader.c:206:MainProc(): Resolving API address for 242F8382755DBC7B
DEBUG: loader.c:206:MainProc(): Resolving API address for 71B8D50B695AB87E
DEBUG: loader.c:206:MainProc(): Resolving API address for F962773B547A060F
DEBUG: loader.c:206:MainProc(): Resolving API address for 46D80DA45C8ABE03
DEBUG: loader.c:206:MainProc(): Resolving API address for DE0C014F7C1B7967
DEBUG: loader.c:206:MainProc(): Resolving API address for 9B74A1977A276A8F
DEBUG: loader.c:206:MainProc(): Resolving API address for C0DA5CDA3F0E4F1B
DEBUG: loader.c:206:MainProc(): Resolving API address for 409F303B4F9FEB48
DEBUG: loader.c:206:MainProc(): Resolving API address for 6DDB7EC7337A30A1
DEBUG: loader.c:206:MainProc(): Resolving API address for 1D37073E82850F4E
DEBUG: loader.c:206:MainProc(): Resolving API address for AA377AAE3C5E2ABD
DEBUG: loader.c:206:MainProc(): Resolving API address for 4159309699554454
DEBUG: loader.c:206:MainProc(): Resolving API address for D44B82E52BC6F110
DEBUG: loader.c:206:MainProc(): Resolving API address for CE54C3360CC70AB9
DEBUG: loader.c:206:MainProc(): Resolving API address for 597C97A827799E9B
DEBUG: loader.c:238:MainProc(): Module is embedded.
DEBUG: peb.c:187:xGetLibAddress(): Searching for DLL in PEB: amsi.dll
DEBUG: peb.c:213:xGetLibAddress(): Address of DLL: 0000000000000000
DEBUG: peb.c:218:xGetLibAddress(): Dll not found. Loaded amsi.dll via LoadLibrary at 0x00007FF8301B0000
DEBUG: bypass.c:103:DisableAMSI(): Length of AmsiScanBufferStub is 36 bytes.
DEBUG: bypass.c:113:DisableAMSI(): Overwriting AmsiScanBuffer
DEBUG: bypass.c:128:DisableAMSI(): Length of AmsiScanStringStub is 36 bytes.
DEBUG: bypass.c:138:DisableAMSI(): Overwriting AmsiScanString
DEBUG: loader.c:246:MainProc(): DisableAMSI OK
DEBUG: loader.c:252:MainProc(): DisableWLDP OK
DEBUG: peb.c:187:xGetLibAddress(): Searching for DLL in PEB: ntdll.dll
DEBUG: peb.c:213:xGetLibAddress(): Address of DLL: 00007FF844610000
DEBUG: bypass.c:383:DisableETW(): Overwriting EtwEventWrite
DEBUG: loader.c:258:MainProc(): DisableETW OK
DEBUG: loader.c:311:MainProc(): Checking type of module
DEBUG: inmem_pe.c:114:RunPE(): Creating section of size 3919872 (0x3bd000) bytes for file
DEBUG: inmem_pe.c:127:RunPE(): Creating section to store PE.
DEBUG: inmem_pe.c:128:RunPE(): Requesting section size: 3919872
DEBUG: inmem_pe.c:131:RunPE(): NTSTATUS: 0
DEBUG: inmem_pe.c:182:RunPE(): Mapping local view of section to store PE.
DEBUG: inmem_pe.c:184:RunPE(): View size: 3919872
DEBUG: inmem_pe.c:188:RunPE(): NTSTATUS: 0
DEBUG: inmem_pe.c:191:RunPE(): Mapped to address: 000001C4351B0000
DEBUG: inmem_pe.c:211:RunPE(): Copying Headers
DEBUG: inmem_pe.c:212:RunPE(): nt->FileHeader.SizeOfOptionalHeader: 240
DEBUG: inmem_pe.c:213:RunPE(): nt->OptionalHeader.SizeOfHeaders: 1024
DEBUG: inmem_pe.c:215:RunPE(): Copying first section
DEBUG: inmem_pe.c:216:RunPE(): Copying 1024 bytes
DEBUG: inmem_pe.c:219:RunPE(): DOS Signature (Magic): 00005a4d, 000001C4351B0000
DEBUG: inmem_pe.c:220:RunPE(): NT Signature: 4550, 000001C4351B0108
DEBUG: inmem_pe.c:222:RunPE(): Updating ImageBase to final base address
DEBUG: inmem_pe.c:224:RunPE(): Updated ImageBase: 1942216179712X
DEBUG: inmem_pe.c:226:RunPE(): Copying each section to memory: 000001C4351B0000
DEBUG: inmem_pe.c:244:RunPE(): Copied section name: .text
DEBUG: inmem_pe.c:245:RunPE(): Copied section source offset: 0x1000
DEBUG: inmem_pe.c:246:RunPE(): Copied section dest offset: 0x400
DEBUG: inmem_pe.c:247:RunPE(): Copied section absolute address: 0x48
DEBUG: inmem_pe.c:248:RunPE(): Copied section size: 0x14D400
DEBUG: inmem_pe.c:244:RunPE(): Copied section name: .rdata
DEBUG: inmem_pe.c:245:RunPE(): Copied section source offset: 0x14F000
DEBUG: inmem_pe.c:246:RunPE(): Copied section dest offset: 0x14D800
DEBUG: inmem_pe.c:247:RunPE(): Copied section absolute address: 0x18
DEBUG: inmem_pe.c:248:RunPE(): Copied section size: 0xEEE00
DEBUG: inmem_pe.c:244:RunPE(): Copied section name: .data
DEBUG: inmem_pe.c:245:RunPE(): Copied section source offset: 0x23E000
DEBUG: inmem_pe.c:246:RunPE(): Copied section dest offset: 0x23C600
DEBUG: inmem_pe.c:247:RunPE(): Copied section absolute address: 0x80
DEBUG: inmem_pe.c:248:RunPE(): Copied section size: 0x1200
DEBUG: inmem_pe.c:244:RunPE(): Copied section name: .pdata
DEBUG: inmem_pe.c:245:RunPE(): Copied section source offset: 0x3AE000
DEBUG: inmem_pe.c:246:RunPE(): Copied section dest offset: 0x23D800
DEBUG: inmem_pe.c:247:RunPE(): Copied section absolute address: 0x0
DEBUG: inmem_pe.c:248:RunPE(): Copied section size: 0xC400
DEBUG: inmem_pe.c:244:RunPE(): Copied section name: _RDATA
DEBUG: inmem_pe.c:245:RunPE(): Copied section source offset: 0x3BB000
DEBUG: inmem_pe.c:246:RunPE(): Copied section dest offset: 0x249C00
DEBUG: inmem_pe.c:247:RunPE(): Copied section absolute address: 0x92
DEBUG: inmem_pe.c:248:RunPE(): Copied section size: 0x200
DEBUG: inmem_pe.c:244:RunPE(): Copied section name: .reloc
DEBUG: inmem_pe.c:245:RunPE(): Copied section source offset: 0x3BC000
DEBUG: inmem_pe.c:246:RunPE(): Copied section dest offset: 0x249E00
DEBUG: inmem_pe.c:247:RunPE(): Copied section absolute address: 0x0
DEBUG: inmem_pe.c:248:RunPE(): Copied section size: 0xE00
DEBUG: inmem_pe.c:251:RunPE(): Sections copied.
DEBUG: inmem_pe.c:254:RunPE(): Image Relocation Offset: 0x000001C2F51B0000
DEBUG: inmem_pe.c:257:RunPE(): Applying Relocations
DEBUG: inmem_pe.c:291:RunPE(): Processing the Import Table
DEBUG: peb.c:187:xGetLibAddress(): Searching for DLL in PEB: ADVAPI32.dll
DEBUG: peb.c:213:xGetLibAddress(): Address of DLL: 00007FF843F00000
DEBUG: peb.c:187:xGetLibAddress(): Searching for DLL in PEB: CRYPTBASE.dll
DEBUG: peb.c:213:xGetLibAddress(): Address of DLL: 0000000000000000
DEBUG: peb.c:218:xGetLibAddress(): Dll not found. Loaded CRYPTBASE.dll via LoadLibrary at 0x00007FF841160000
DEBUG: peb.c:67:FindReference(): Calling GetProcAddress(SystemFunction036)
DEBUG: peb.c:187:xGetLibAddress(): Searching for DLL in PEB: KERNEL32.dll
DEBUG: peb.c:213:xGetLibAddress(): Address of DLL: 00007FF843FC0000
DEBUG: peb.c:187:xGetLibAddress(): Searching for DLL in PEB: dbghelp.dll
DEBUG: peb.c:213:xGetLibAddress(): Address of DLL: 0000000000000000
DEBUG: peb.c:218:xGetLibAddress(): Dll not found. Loaded dbghelp.dll via LoadLibrary at 0x00007FF833AF0000
DEBUG: inmem_pe.c:384:RunPE(): Wiping Headers from memory
DEBUG: inmem_pe.c:399:RunPE(): Unmapping temporary local view of section to persist changes.
DEBUG: inmem_pe.c:401:RunPE(): NTSTATUS: 0
DEBUG: inmem_pe.c:406:RunPE(): No relocation information present, so using preferred address...
DEBUG: inmem_pe.c:411:RunPE(): Mapping writecopy local view of section to execute PE.
DEBUG: inmem_pe.c:413:RunPE(): View size: 3919872
DEBUG: inmem_pe.c:414:RunPE(): NTSTATUS: 0
DEBUG: inmem_pe.c:417:RunPE(): Mapped to address: 000001C4351B0000
DEBUG: inmem_pe.c:422:RunPE(): Pre-marking module as WC to avoid padding between PE sections staying RWX.
DEBUG: inmem_pe.c:425:RunPE(): Setting permissions for each PE section
DEBUG: inmem_pe.c:458:RunPE(): Section name: .text
DEBUG: inmem_pe.c:459:RunPE(): Section offset: 0x1000
DEBUG: inmem_pe.c:460:RunPE(): Section absolute address: 0x000001C4351B1000
DEBUG: inmem_pe.c:461:RunPE(): Section size: 0x14E000
DEBUG: inmem_pe.c:462:RunPE(): Section protections: 0x20
DEBUG: inmem_pe.c:458:RunPE(): Section name: .rdata
DEBUG: inmem_pe.c:459:RunPE(): Section offset: 0x14F000
DEBUG: inmem_pe.c:460:RunPE(): Section absolute address: 0x000001C4352FF000
DEBUG: inmem_pe.c:461:RunPE(): Section size: 0xEF000
DEBUG: inmem_pe.c:462:RunPE(): Section protections: 0x2
DEBUG: inmem_pe.c:458:RunPE(): Section name: .data
DEBUG: inmem_pe.c:459:RunPE(): Section offset: 0x23E000
DEBUG: inmem_pe.c:460:RunPE(): Section absolute address: 0x000001C4353EE000
DEBUG: inmem_pe.c:461:RunPE(): Section size: 0x170000
DEBUG: inmem_pe.c:462:RunPE(): Section protections: 0x8
DEBUG: inmem_pe.c:458:RunPE(): Section name: .pdata
DEBUG: inmem_pe.c:459:RunPE(): Section offset: 0x3AE000
DEBUG: inmem_pe.c:460:RunPE(): Section absolute address: 0x000001C43555E000
DEBUG: inmem_pe.c:461:RunPE(): Section size: 0xD000
DEBUG: inmem_pe.c:462:RunPE(): Section protections: 0x2
DEBUG: inmem_pe.c:458:RunPE(): Section name: _RDATA
DEBUG: inmem_pe.c:459:RunPE(): Section offset: 0x3BB000
DEBUG: inmem_pe.c:460:RunPE(): Section absolute address: 0x000001C43556B000
DEBUG: inmem_pe.c:461:RunPE(): Section size: 0x1000
DEBUG: inmem_pe.c:462:RunPE(): Section protections: 0x2
DEBUG: inmem_pe.c:458:RunPE(): Section name: .reloc
DEBUG: inmem_pe.c:459:RunPE(): Section offset: 0x3BC000
DEBUG: inmem_pe.c:460:RunPE(): Section absolute address: 0x000001C43556C000
DEBUG: inmem_pe.c:461:RunPE(): Section size: 0xE00
DEBUG: inmem_pe.c:462:RunPE(): Section protections: 0x2
DEBUG: inmem_pe.c:469:RunPE(): Setting permissions of module headers to READONLY (4096 bytes)
DEBUG: inmem_pe.c:580:RunPE(): Executing entrypoint: 000001C435271F04
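The reporter's steps and the loader's debug output above show the bookkeeping an in-memory PE loader has to get right before it can jump to the entrypoint: each section is copied by its raw size but sized and protected by its alignment-rounded virtual size (in the log, `.data` is copied as 0x1200 bytes yet occupies 0x170000, so the tail must be zero-filled), and the base-relocation directory decides whether the image can live anywhere other than its preferred ImageBase. The inspector below is an added example, not donut's code and not part of this issue; it does that bookkeeping on a constructed PE32+ sample. The sample image, its section layout and the single DIR64 fixup are made up for the demonstration; the only value taken from the log is the 0x1C4351B0000 mapping address. It handles PE32+ only and uses nothing beyond `struct`, so it runs offline and is a reasonable first triage step for any binary whose section table or relocation data you want to check before handing it to a loader.

```python
"""PE32+ section/relocation inspector (added example; not donut's code).
Reads the section table, computes how much of each section is file-backed
versus zero-filled, and decides whether the image can be moved from ImageBase."""
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001     # set by the linker when relocations were discarded
DIR_BASERELOC = 5                       # index of the base-relocation data directory
IMAGE_REL_BASED_DIR64 = 10              # 64-bit absolute fixup type


def align_up(value, alignment):
    return (value + alignment - 1) & ~(alignment - 1)


def parse_pe(data):
    """Parse the DOS/NT headers and section table of a PE32+ image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing DOS signature")
    nt = struct.unpack_from("<I", data, 0x3C)[0]
    if data[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing NT signature")
    _, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, nt + 4)
    opt = nt + 24                       # optional header follows the 20-byte file header
    if struct.unpack_from("<H", data, opt)[0] != 0x20B:
        raise ValueError("only PE32+ (x64) images are handled here")
    image_base, sec_align = struct.unpack_from("<QI", data, opt + 24)
    size_of_image, = struct.unpack_from("<I", data, opt + 56)
    ndirs, = struct.unpack_from("<I", data, opt + 108)
    dirs = [struct.unpack_from("<II", data, opt + 112 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsec):
        hdr = opt + opt_size + 40 * i
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, hdr)
        sc, = struct.unpack_from("<I", data, hdr + 36)
        sections.append({"name": name.rstrip(b"\0").decode(), "vsize": vsize, "va": va,
                         "rawsize": rawsize, "rawptr": rawptr, "chars": sc,
                         # memory span (SectionAlignment-rounded) and the tail that no
                         # file bytes back, which a loader must zero-fill (.bss-style)
                         "span": align_up(max(vsize, rawsize), sec_align),
                         "zero_fill": max(vsize - rawsize, 0)})
    reloc = dirs[DIR_BASERELOC] if ndirs > DIR_BASERELOC else (0, 0)
    return {"characteristics": chars, "image_base": image_base,
            "size_of_image": size_of_image, "sections": sections, "reloc_dir": tuple(reloc)}


def rva_to_offset(sections, rva):
    """Translate an RVA to a file offset via the section table."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return rva - s["va"] + s["rawptr"]
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def count_relocations(pe, data):
    """Walk the base-relocation directory; returns {fixup_type: count}, padding skipped."""
    rva, size = pe["reloc_dir"]
    counts = {}
    if rva == 0 or size == 0:
        return counts
    off = rva_to_offset(pe["sections"], rva)
    end = off + size
    while off + 8 <= end:
        _page_rva, block_size = struct.unpack_from("<II", data, off)
        if block_size < 8:              # malformed block: stop rather than loop forever
            break
        for j in range(8, min(block_size, end - off), 2):
            entry, = struct.unpack_from("<H", data, off + j)
            if entry >> 12:             # type 0 (ABSOLUTE) is alignment padding
                counts[entry >> 12] = counts.get(entry >> 12, 0) + 1
        off += block_size
    return counts


def relocation_verdict(pe, load_addr):
    """What a loader faces when the image lands at load_addr instead of ImageBase."""
    delta = load_addr - pe["image_base"]
    if delta == 0:
        return "at preferred base, nothing to fix up"
    if pe["characteristics"] & IMAGE_FILE_RELOCS_STRIPPED or pe["reloc_dir"] == (0, 0):
        return "needs relocation but has no relocation data: cannot be moved"
    return f"relocatable, delta {delta:#x}"


def build_sample_pe(with_reloc=True):
    """Constructed PE32+ sample (not a real program): .text, a .data section whose
    VirtualSize far exceeds its raw bytes, and optionally a .reloc section."""
    falign, salign, hdr_size, base = 0x200, 0x1000, 0x400, 0x140000000
    specs = [(b".text", 0x1000, b"\xC3".ljust(falign, b"\xCC"), 0x60000020),   # CODE|X|R
             (b".data", 0x10000, b"\0" * falign, 0xC0000040)]                 # DATA|R|W
    if with_reloc:  # one block for page RVA 0x1000: a DIR64 fixup at +0x10, then padding
        block = struct.pack("<IIHH", 0x1000, 12, (IMAGE_REL_BASED_DIR64 << 12) | 0x10, 0)
        specs.append((b".reloc", len(block), block.ljust(falign, b"\0"), 0x42000040))
    va, raw, hdrs, bodies, reloc_dir = salign, hdr_size, b"", b"", (0, 0)
    for name, vsize, body, chars in specs:
        if name == b".reloc":
            reloc_dir = (va, vsize)
        hdrs += struct.pack("<8sIIIIIIHHI", name, vsize, va, len(body), raw, 0, 0, 0, 0, chars)
        va, raw, bodies = va + align_up(vsize, salign), raw + len(body), bodies + body
    dirs = [(0, 0)] * 16
    dirs[DIR_BASERELOC] = reloc_dir
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII", 0x20B, 14, 0, 0x200, 0x400, 0,
                      0x1000, 0x1000, base, salign, falign, 6, 0, 0, 0, 6, 0, 0,
                      va, hdr_size, 0, 3, 0x8160, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    chars = 0x22 | (0 if with_reloc else IMAGE_FILE_RELOCS_STRIPPED)
    file_hdr = struct.pack("<HHIIIHH", 0x8664, len(specs), 0, 0, 0, len(opt), chars)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    return (dos + b"PE\0\0" + file_hdr + opt + hdrs).ljust(hdr_size, b"\0") + bodies


if __name__ == "__main__":
    data = build_sample_pe(with_reloc=True)
    pe = parse_pe(data)
    for s in pe["sections"]:
        print(f"{s['name']:<7} raw {s['rawsize']:#x} virt {s['vsize']:#x} "
              f"span {s['span']:#x} zero-fill {s['zero_fill']:#x}")
    print(count_relocations(pe, data), relocation_verdict(pe, 0x1C4351B0000))
```

Run against a real x64 binary by replacing `build_sample_pe()` with the file's bytes: the `zero_fill` column tells you how much of each section a loader must clear itself, and `relocation_verdict` tells you whether the image can be mapped at an arbitrary address at all, which is the first thing to rule out when a manually mapped PE reaches its entrypoint but never produces its expected side effect.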