Closed hawaii67 closed 2 years ago
Hi @hawaii67. To help debug your issue, can you please provide the following information?
I went ahead and did verify that the QueueUserAPC, CurrentThread, RemoteThreadContext, and RemoteThreadSuspended execution methods are working for me with the following payloads:
However, I WAS able to replicate the exact same error you are getting when trying to use any of these execution methods with the shellcode from Mythic's Apollo Agent. My initial guess for why this is happening is that the stub is not correctly programmed to handle larger shellcode sizes (Apollo being 1.3 MB). This is why it'd be good to know what payload is failing for you and if any of the above ones that work for me also work for you.
Hi, I used only the windows/x64/meterpreter/reverse_https payload. It is a syscall thingy, I think. On Win 10 20H2 19042 everything works fine; on 21H2 19044 it does not.
Here are the tests with 2 different windows versions:
I tried that specific payload on a Windows 21H2 Virtual Machine and it seems to be working as expected for me. Here's a quick video of me demonstrating this: https://www.youtube.com/watch?v=j_dWQs2xMvI
Based on your screenshot, it looks like you are building the exes on a Windows host? Perhaps that may be causing the issue you are seeing. I have always used this tool on Linux and I'm a bit surprised it even works on Windows lol. Other than that I'm not quite sure what the issue could be, as I tested this payload on 21H2, 21H1, and 20H2 without any issues. If you could try compiling the exes on Linux and then test again, you might have better success hopefully.
Also in my last post I said I was getting the same error as you with larger shellcodes, but I was mistaken. It was actually an error for the NtWriteVirtualMemory syscall. I fixed that issue last week and pushed the update to GitHub. Just wanted to clear that up since I was mistaken, but that shouldn't have affected the issue you're seeing regardless.
Aaah, here we go! You are right, generating the binary on Linux (Kali) is the way to go. Awesome! Grmpf... now I feel a little bit stupid :-) But at least we know it partly works on Windows :-) Thanks for your time.
Yeah, the tool was designed to only work on Linux, so it's cool to see that it kinda works on Windows lol.
Glad we figured out the problem though. Will be closing this issue. :)
Hey. For me only ProcessHollow works as a shellcode execution method.
For all the other methods I receive an error while running the generated exe.
Generating:
Running:
:-(
Injecting in explorer.exe or notepad.exe doesn't make a difference.
Edit:
I traced it down to the syscall to NtAllocateVirtualMemory. The return value is:
Please help!
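The return value the reporter is looking at above is an NTSTATUS, and the first thing to do with one is to split it into its fields rather than guess. The following decoder is an added example written for this thread; it is not code from the tool or from anyone posting here. The bit layout and the named codes are the standard Windows ones from ntdef.h/ntstatus.h (STATUS_INVALID_SYSTEM_SERVICE is what the kernel returns when a direct syscall is issued with a service number that does not exist on that build, which is the kind of mismatch the reporter guessed at). The sample values fed to main() are constructed for illustration and are not the reporter's actual value, which was never posted.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdbool.h>
#include <string.h>

/* NTSTATUS layout (ntdef.h):
 *   bits 31-30 severity (0 success, 1 informational, 2 warning, 3 error)
 *   bit  29    customer flag (vendor-defined code)
 *   bit  28    reserved (N bit, must be 0 for NTSTATUS)
 *   bits 27-16 facility
 *   bits 15-0  code
 */
typedef struct {
    unsigned severity;
    bool     customer;
    unsigned facility;
    unsigned code;
    bool     nt_success;   /* what NT_SUCCESS(status) yields: (LONG)status >= 0 */
} ntstatus_info;

ntstatus_info decode_ntstatus(uint32_t status) {
    ntstatus_info i;
    i.severity   = (status >> 30) & 0x3u;
    i.customer   = ((status >> 29) & 0x1u) != 0;
    i.facility   = (status >> 16) & 0xFFFu;
    i.code       = status & 0xFFFFu;
    /* Severity 0 and 1 both have the sign bit clear, so an informational
     * status still passes NT_SUCCESS; warnings and errors do not. */
    i.nt_success = ((int32_t)status) >= 0;
    return i;
}

/* A few codes that NtAllocateVirtualMemory (and the NtWriteVirtualMemory
 * call that follows it in an injector) commonly return. Values are the
 * standard ones from ntstatus.h. */
const char *ntstatus_name(uint32_t status) {
    switch (status) {
    case 0x00000000u: return "STATUS_SUCCESS";
    case 0x40000000u: return "STATUS_OBJECT_NAME_EXISTS";       /* informational */
    case 0xC0000008u: return "STATUS_INVALID_HANDLE";           /* bad process handle */
    case 0xC000000Du: return "STATUS_INVALID_PARAMETER";
    case 0xC0000017u: return "STATUS_NO_MEMORY";
    case 0xC0000018u: return "STATUS_CONFLICTING_ADDRESSES";    /* BaseAddress already mapped */
    case 0xC000001Cu: return "STATUS_INVALID_SYSTEM_SERVICE";   /* syscall number not valid on this build */
    case 0xC0000022u: return "STATUS_ACCESS_DENIED";
    case 0xC0000045u: return "STATUS_INVALID_PAGE_PROTECTION";  /* bad Protect argument */
    case 0xC00000EFu: return "STATUS_INVALID_PARAMETER_1";      /* _N names the 1-based argument */
    case 0xC00000F0u: return "STATUS_INVALID_PARAMETER_2";
    case 0xC00000F1u: return "STATUS_INVALID_PARAMETER_3";
    case 0xC00000F2u: return "STATUS_INVALID_PARAMETER_4";
    case 0xC00000F3u: return "STATUS_INVALID_PARAMETER_5";
    case 0xC00000F4u: return "STATUS_INVALID_PARAMETER_6";
    default:          return "(not in this table; look it up in ntstatus.h)";
    }
}

static const char *severity_name(unsigned sev) {
    static const char *names[4] = { "success", "informational", "warning", "error" };
    return names[sev & 3u];
}

/* Print one status in a form that is useful in a bug report. */
void report_ntstatus(uint32_t status) {
    ntstatus_info i = decode_ntstatus(status);
    printf("0x%08X %-32s sev=%u(%s) facility=0x%03X code=0x%04X NT_SUCCESS=%s\n",
           status, ntstatus_name(status), i.severity, severity_name(i.severity),
           i.facility, i.code, i.nt_success ? "yes" : "no");
}

int main(void) {
    /* Constructed sample values, not the reporter's real return value. */
    const uint32_t samples[] = {
        0x00000000u, 0x40000000u, 0xC000001Cu, 0xC0000018u, 0xC0000045u, 0xC00000F2u
    };
    for (size_t n = 0; n < sizeof samples / sizeof samples[0]; n++)
        report_ntstatus(samples[n]);
    return 0;
}
```

When filing a report like the one above, paste the full 32-bit value (not just "it failed") together with the exact arguments passed to the syscall; the severity and code fields alone usually tell you whether to look at the syscall number, the handle, or the region/protection arguments first.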