hasherezade / pe_to_shellcode

Converts PE into a shellcode
https://www.youtube.com/watch?v=WQCiM0X11TA
BSD 2-Clause "Simplified" License

programs crash after shellcode execution #20

Closed coder2999 closed 3 years ago

coder2999 commented 3 years ago

A simple program compiled with VC2010 (settings: "Use MFC in a Static Library"):

```c
#include <windows.h>
#pragma comment (lib, "user32.lib")   /* MessageBoxW lives in user32 */

/* wWinMain is the user-level entry; the CRT startup stub normally calls it
   and then exits the process when it returns. */
#ifdef _M_X64
int __fastcall wWinMain
#else
int __stdcall wWinMain
#endif
(
  HINSTANCE hInstance,
  HINSTANCE hPrevInstance,
  LPWSTR    lpCmdLine,
  int       nShowCmd
)
{
    MessageBoxW(0, 0, 0, 0);   /* empty message box, default "OK" button */
    return 0;
}
```

After conversion, I use "runshc" and "injector" to execute the shellcode, but after showing the message box, "runshc" exits without displaying the return value, and the process being injected also exits.

If I don't want this consequence, I have to call "SuspendThread()" before "return 0", but that means the injection thread can never exit.

Should some special settings be made when compiling EXE files?

hasherezade commented 3 years ago

hi, are you sure it crashes, not just exits? can you share the full compiled application, so that I can check quickly your exact binary?

usually, when you compile the app, the main you wrote gets wrapped and is called from inside another entry function added by the linker. so it may be that your app in reality calls the function ExitProcess after wWinMain returns - and this will be the reason for its exit. In such a case, there are many simple workarounds to prevent this - such as changing the entry point of your application, so that wWinMain is called directly, unwrapped.

if you share your binary (you can drop it here), I can check if this was the case.
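
The entry-point workaround described above, as an added example that is not part of the original thread or of pe_to_shellcode itself. It assumes a "Developer PowerShell for VS" (cl.exe, link.exe and dumpbin.exe on PATH), that the project's pe2shc.exe and a runshc64.exe are in .\tools\ (paths and the 64-bit runner name are assumptions), and that pe2shc takes input and output paths in that order (check the project's README if your version differs). The C source is written from PowerShell so the whole build is one script.

```powershell
# Added example (not the repository's or the issue author's code).
# Assumed: Developer PowerShell for VS (x64), pe2shc.exe and runshc64.exe in .\tools\

$src = @'
#include <windows.h>

/* Called directly by the loader (or by the pe2shc stub) with no CRT wrapper
   in front of it. Because no CRT startup code runs:
   - the four parameters are NOT populated (wWinMainCRTStartup normally
     fills them), so they must not be used;
   - no CRT functions (printf, malloc, C++ static constructors) are available;
   - returning from here returns control to whoever called the entry,
     instead of ending in exit() -> ExitProcess(). */
int WINAPI wWinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance,
                    LPWSTR lpCmdLine, int nShowCmd)
{
    (void)hInstance; (void)hPrevInstance; (void)lpCmdLine; (void)nShowCmd;
    MessageBoxW(NULL, L"Returning to the caller, not calling ExitProcess",
                L"pe2shc entry demo", MB_OK);
    return 0;
}
'@
Set-Content -Path .\entry_demo.c -Value $src -Encoding ASCII

# /ENTRY:wWinMain  - the loader jumps straight to our function, bypassing
#                    wWinMainCRTStartup (which would call exit -> ExitProcess).
# /NODEFAULTLIB    - do not link the CRT at all, so nothing depends on the
#                    startup code that no longer runs.
# /GS-             - stack cookies need __security_init_cookie from the CRT.
cl.exe /nologo /W4 /O1 /GS- entry_demo.c `
    /link /NOLOGO /SUBSYSTEM:WINDOWS /ENTRY:wWinMain /NODEFAULTLIB `
          kernel32.lib user32.lib

# Verify before converting: the entry point must be our function, and
# ExitProcess should no longer appear among the imports (the CRT startup
# was what pulled it in). The second command should print nothing.
dumpbin.exe /headers entry_demo.exe | Select-String 'entry point'
dumpbin.exe /imports entry_demo.exe | Select-String 'ExitProcess'

# Convert, then run the converted file (not the original!) with the runner
# matching the build's bitness (runshc32.exe for an x86 build).
.\tools\pe2shc.exe .\entry_demo.exe .\entry_demo.shc.exe
.\tools\runshc64.exe .\entry_demo.shc.exe
```

After the message box is dismissed, the runner should stay alive and report the return value, because the thread executing the shellcode simply returns to the stub instead of terminating the process. If you keep the CRT linked for other reasons, remember that with /ENTRY:wWinMain none of its initialisation has run, so anything that depends on it (heap, locale, static constructors) is unsafe to call.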

coder2999 commented 3 years ago

The problem is resolved. As you said, I must set ENTRYPOINT to wWinMain in the linker settings. I use Windows Kernel Explorer to check threads:

When the message box is there, you will see a thread without a module name: (screenshot: msg1)

After clicking "OK", the thread is gone, but the process is still alive. (screenshot: msg2)

So, maybe you can add this note to your README file to inform VC users. Thank you for your hard work!!!

coder2999 commented 3 years ago

An unimportant situation:

If I compile the code with WDK7, the converted shellcode does not work and crashes "runshc" (real crash, not "exit", no message box). If you are interested, you can check these files.

wdkexe.zip

hasherezade commented 3 years ago

> If I compile the code with WDK7, the converted shellcode does not work and crashes "runshc" (real crash, not "exit", no message box). If you are interested, you can check these files.
>
> wdkexe.zip

thank you, I will check it!

hasherezade commented 3 years ago

I checked your package:

wdkexe.zip

But didn't find any problems. Both executables converted properly, and none of them crashed during execution.

(screenshot: checked)

This is my converted set, can you check if it works for you?

wdk.shc.zip

BTW - Are you sure that you didn't run by mistake the unconverted version? It is a common confusion, and if you do it, it will always crash...

coder2999 commented 3 years ago

> I checked your package:
>
> wdkexe.zip
>
> But didn't find any problems. Both executables converted properly, and none of them crashed during execution.
>
> (screenshot: checked)
>
> This is my converted set, can you check if it works for you?
>
> wdk.shc.zip
>
> BTW - Are you sure that you didn't run by mistake the unconverted version? It is a common confusion, and if you do it, it will always crash...

Yes, maybe I ran the original version, it works well in my system now.

hasherezade commented 3 years ago

> Yes, maybe I ran the original version, it works well in my system now.

Cool, so if it is solved, I guess we can close this issue now?