hasherezade / pe_to_shellcode

Converts PE into a shellcode
https://www.youtube.com/watch?v=WQCiM0X11TA
BSD 2-Clause "Simplified" License
2.39k stars, 433 forks

Support remote thread execution? #35

Open VoldeSec opened 1 year ago

VoldeSec commented 1 year ago

Let's say I inject the shellcode into a remote process DLL. May I know if I can execute it using CreateRemoteThread? I tried, but the remote process crashed immediately. Thanks!

hasherezade commented 1 year ago

Hi @VoldeSec ! First of all I need to know more details to investigate what could possibly have caused it.

VoldeSec commented 1 year ago

Thanks @hasherezade ,

  1. Yes, tried with runshc and it works perfectly fine.
  2. I am trying module stomping, referencing your other project "module_overloading" (already got rid of CFG). I will take a look at the injector and compare the difference.
  3. I am using the same flag as you above and passing the implant entrypoint as the LPTHREAD_START_ROUTINE. But the process still failed to execute and crashed. Do I
  4. I already checked the memory and the payload had the exact same bitness as the target process, e.g. calc.exe. Thank you again for your prompt response!

hasherezade commented 1 year ago

@VoldeSec - does it work if you try to inject the same shellcode to the same process, but using injector32/64 (from the pe2shc release package)?

VoldeSec commented 1 year ago

@hasherezade Yes, it works when using the injector to inject (e.g. calc.exe and other PEs converted to the output file for PoC) into a remote process (i.e. cmd.exe).

hasherezade commented 1 year ago

I see, so if the shellcode works, and it can be injected with the original injector, then it seems to be a problem with your replacement injector. BTW, using the module_overloading method for shellcode injection sounds odd, but I will need to analyze your code to really know what happens there.

VoldeSec commented 1 year ago

I have invited you on Wire for further discussion. I would be glad if you have time to give recommendations on the code. Thanks!

hasherezade commented 1 year ago

OK, I accepted your invite. Let's talk on Wire.

bird00101011 commented 5 months ago

Sleeping remote thread