naksyn / ModuleShifting

Stealthier variation of Module Stomping and Module Overloading injection techniques that reduces memory IoCs. Implemented in Python ctypes
Apache License 2.0

ERROR: Shellcode execution method not recognized. #1

Closed g4ngli0s closed 1 year ago

g4ngli0s commented 1 year ago

Hi, I am trying to replicate your PoC but I get this error:

DEBUG: setting RW protection on address: 0x7ffc7d9ba000
DEBUG: Copied 284475 shellcode bytes to address: 0x7ffc7d9ba000
DEBUG: setting RX protection on address: 0x7ffc7d9ba000
ERROR: Shellcode execution method not recognized. Please use supported methods. Exiting...

I am using AceLdr with a CobaltStrike 4.7.2 payload.

Thanks in advance!

naksyn commented 1 year ago

Hi, have you set execmethod='functionpointer' in moduleshifting.py?

g4ngli0s commented 1 year ago

Hi, thanks for your quick reply.

Yes, this is my config:

use_pyramid_for_delivery=True
is_shellcode_payload=True  # True: shellcode - False: PE
FP_bytes=False # optional - if bytes are set requires using PE payload - set number of padding bytes to be added after the PE or shellcode to blend into False Positives (FPs)
execmethod='functionpointer'
payload_name = 'payload.bin'
hosting_dll_path="C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\mscorlib\\b8493bec853ac702d2188091d76ccffa\\mscorlib.ni.dll"
tgtsection=".text"

naksyn commented 1 year ago

OK gotcha, the right parameter is "funcpointer", not "functionpointer". I fixed the moduleshifting.py script also. Try "funcpointer" and it should work.

g4ngli0s commented 1 year ago

Thanks, it works now.