Closed g4ngli0s closed 1 year ago
Hi, have you set execmethod='functionpointer' in moduleshifting.py?
Hi, thanks for your quick reply.
Yes, this is my config:
use_pyramid_for_delivery=True
is_shellcode_payload=True # True: shellcode - False: PE
FP_bytes=False # optional - if bytes are set requires using PE payload - set number of padding bytes to be added after the PE or shellcode to blend into False Positives (FPs)
execmethod='functionpointer'
payload_name = 'payload.bin'
hosting_dll_path="C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\mscorlib\\b8493bec853ac702d2188091d76ccffa\\mscorlib.ni.dll"
tgtsection=".text"
OK gotcha, the right parameter is "funcpointer", not "functionpointer". I fixed the moduleshifting.py script also. Try "funcpointer" and it should work.
Thanks, it works now.
Hi, I am trying to reply your PoC but I get this error:
DEBUG: setting RW protection on address: 0x7ffc7d9ba000 DEBUG: Copied 284475 shellcode bytes to address: 0x7ffc7d9ba000 DEBUG: setting RX protection on address: 0x7ffc7d9ba000 ERROR: Shellcode execution method not recognized. Please use supported methods. Exiting...
I am using AceLdr with CobaltStrike 4.7.2. payload
Thanks in advance!