icyguider / Shhhloader

Syscall Shellcode Loader (Work in Progress)
GNU General Public License v3.0

CurrentThread #3

Closed faheemadam closed 2 years ago

faheemadam commented 2 years ago

Hi,

So I managed to only get a Cobalt beacon back when using the CurrentThread method. I am not sure why the other methods are not working. If you can explain the steps to help you debug it, I will be happy to assist.

OS Name: Microsoft Windows 10 Enterprise
OS Version: 10.0.18363 N/A Build 18363

icyguider commented 2 years ago

Hi there.

I just tested the following with a stageless Cobalt Strike beacon (staged beacon for ProcessHollow) and confirmed they are working as expected:

Systems:
Microsoft Windows 10 Enterprise Version 10.0.19043 Build 19043
Microsoft Windows Server 2019 Standard Evaluation Version 10.0.17763 Build 17763

Methods:
RemoteThreadContext
QueueUserAPC
RemoteThreadSuspended
ProcessHollow

If you have access to any of these systems, or can install a new trial version of Windows in a VM, we might be able to tell if the issues you are experiencing are related to the Windows version.

Otherwise, please enable the -v flag when running the Python builder and see if there are any errors when running the executable. Also, maybe try using Meterpreter to see if that is working or not on your system.

faheemadam commented 2 years ago

Directory of c:\ms\ms

02/11/2022 03:22 PM    .
02/11/2022 03:22 PM    ..
02/11/2022 01:20 PM    2,656,048 MsMpEng_CurrentThread.exe
02/11/2022 01:17 PM    2,694,108 MsMpEng_ProcessHollow.exe
02/11/2022 01:18 PM    2,687,490 MsMpEng_QueueUserAPC.exe
02/11/2022 01:19 PM    2,688,906 MsMpEng_RemoteThreadContext.exe
02/11/2022 01:19 PM    2,657,854 MsMpEng_RemoteThreadSuspended.exe
               5 File(s)     13,384,406 bytes
               2 Dir(s)  59,452,194,816 bytes free

c:\ms\ms>MsMpEng_ProcessHollow.exe

c:\ms\ms>MsMpEng_QueueUserAPC.exe

c:\ms\ms>MsMpEng_RemoteThreadContext.exe

c:\ms\ms>MsMpEng_RemoteThreadSuspended.exe
iDQDqBkYmuJxFWwDUpc FAILED to open the target process, exiting: c0000022

All were created with -v.

faheemadam commented 2 years ago

C:\ms\ms>MsMpEng_CurrentThread.exe
TwRnGCMzlWwLUTLuvme allocated memory in the current process sucessfully.
JLjCubrrUPQEPTcuQCm wrote decoded payload to allocated memory successfully.
PwhicpSvpArnCdpQRTV modified permissions successfully.
CeAnEfycnKouBktpgbK created thread in current process successfully.
PwhicpSvpArnCdpQRTV modified permissions successfully.
NGAeOmPwUMpNgpKrxoM resumed created thread successfully.

faheemadam commented 2 years ago

[+] ICYGUIDER'S CUSTOM SYSWHISPERS SHELLCODE LOADER
[+] Using explorer.exe for RemoteThreadSuspended injection
[+] Randomizing syscall names
[+] Verbose messages enabled
[+] Saved new stub to stub.cpp
[+] Compiling new stub...
[!] MsMpEng_RemoteThreadSuspended.exe has been compiled successfully!

[+] ICYGUIDER'S CUSTOM SYSWHISPERS SHELLCODE LOADER
[+] Using explorer.exe for RemoteThreadContext injection
[+] Randomizing syscall names
[+] Verbose messages enabled
[+] Saved new stub to stub.cpp
[+] Compiling new stub...
[!] MsMpEng_RemoteThreadContext.exe has been compiled successfully!

[+] ICYGUIDER'S CUSTOM SYSWHISPERS SHELLCODE LOADER
[+] Using explorer.exe for QueueUserAPC injection
[+] Randomizing syscall names
[+] Verbose messages enabled
[+] Saved new stub to stub.cpp
[+] Compiling new stub...
[!] MsMpEng_QueueUserAPC.exe has been compiled successfully!

[+] ICYGUIDER'S CUSTOM SYSWHISPERS SHELLCODE LOADER
[+] Using explorer.exe for process hollowing
[+] Randomizing syscall names
[+] Verbose messages enabled
[+] Saved new stub to stub.cpp
[+] Compiling new stub...
[!] MsMpEng_ProcessHollow.exe has been compiled successfully!

[+] ICYGUIDER'S CUSTOM SYSWHISPERS SHELLCODE LOADER
[+] Randomizing syscall names
[+] Verbose messages enabled
[+] Saved new stub to stub.cpp
[+] Compiling new stub...
[!] MsMpEng_CurrentThread.exe has been compiled successfully!

icyguider commented 2 years ago

I downloaded and installed your specific build of Windows 10 (18363) in an attempt to debug your issue but I am unable to replicate it. All 4 of the remote injection methods are working for me on that build. Here is a video demonstrating this: https://www.youtube.com/watch?v=7cShLvk0GBA

If I had to guess, there is probably something going on related to your specific Windows machine or Cobalt Strike configuration. Unfortunately I don't think I will be able to help you debug that. I suggest trying other shellcode (e.g. Meterpreter, calc, etc.) to see if it is indeed an issue with your Cobalt Strike configuration, and trying another machine to see if it is indeed an issue with your particular computer.

I will be closing this issue as I am unable to replicate it and therefore won't be able to help you further.