nettitude / RunPE

C# Reflective loader for unmanaged binaries.
BSD 3-Clause "New" or "Revised" License

execute whoami.exe failed #2

Open 0xlane opened 3 years ago

0xlane commented 3 years ago

Attempted to execute whoami.exe, but got no output:

> .\RunPE.exe C:\Windows\System32\whoami.exe
[*] Running: C:\Windows\System32\whoami.exe with no args
[*] Mapping PE into memory
[*] Mapped PE Base Address: 0x1060000
[*] No more blocks to map
[*] Mapped PE EntryPoint: 0x106D2B0
[+] Finished mapping PE file

[*] Original module: RunPE.exe
[*] Original module: ntdll.dll
[*] Original module: MSCOREE.DLL
[*] Original module: KERNEL32.dll
[*] Original module: KERNELBASE.dll
[*] Original module: ADVAPI32.dll
[*] Original module: msvcrt.dll
[*] Original module: sechost.dll
[*] Original module: RPCRT4.dll
[*] Original module: mscoreei.dll
[*] Original module: SHLWAPI.dll
[*] Original module: kernel.appcore.dll
[*] Original module: VERSION.dll
[*] Original module: clr.dll
[*] Original module: USER32.dll
[*] Original module: win32u.dll
[*] Original module: VCRUNTIME140_CLR0400.dll
[*] Original module: ucrtbase_clr0400.dll
[*] Original module: GDI32.dll
[*] Original module: gdi32full.dll
[*] Original module: msvcp_win.dll
[*] Original module: ucrtbase.dll
[*] Original module: IMM32.DLL
[*] Original module: mscorlib.ni.dll
[*] Original module: ole32.dll
[*] Original module: combase.dll
[*] Original module: bcryptPrimitives.dll
[*] Original module: clrjit.dll
[*] Original module: System.ni.dll
[*] Original module: System.Core.ni.dll
[*] Original module: psapi.dll
[+] Loaded ADVAPI32.dll
[+] Patching ADVAPI32.dll!LookupPrivilegeDisplayNameW, to: 0x7FFF2A606E80
[+] Patching ADVAPI32.dll!LookupPrivilegeNameW, to: 0x7FFF2A6071D0
[+] Patching ADVAPI32.dll!GetSidIdentifierAuthority, to: 0x7FFF2A5DB9E0
[+] Patching ADVAPI32.dll!LookupAccountSidW, to: 0x7FFF2A5D66F0
[+] Patching ADVAPI32.dll!GetLengthSid, to: 0x7FFF2A5D6870
[+] Patching ADVAPI32.dll!OpenProcessToken, to: 0x7FFF2A5D6940
[+] Patching ADVAPI32.dll!IsValidSid, to: 0x7FFF2A5D6C30
[+] Patching ADVAPI32.dll!CopySid, to: 0x7FFF2A5D6AD0
[+] Patching ADVAPI32.dll!GetSidSubAuthority, to: 0x7FFF2A5D6EC0
[+] Patching ADVAPI32.dll!GetSidSubAuthorityCount, to: 0x7FFF2A5D6E50
[+] Patching ADVAPI32.dll!AdjustTokenPrivileges, to: 0x7FFF2A5D77B0
[+] Patching ADVAPI32.dll!LookupPrivilegeValueW, to: 0x7FFF2A5CF980
[+] Patching ADVAPI32.dll!GetTokenInformation, to: 0x7FFF2A5D5F70
[+] Patching ADVAPI32.dll!InitializeSid, to: 0x7FFF2A5DAEB0
[+] Patching ADVAPI32.dll!EqualSid, to: 0x7FFF2A5D7BE0
[*] End of functions for ADVAPI32.dll

[+] Loaded KERNEL32.dll
[+] Patching KERNEL32.dll!CloseHandle, to: 0x7FFF2ACD48E0
[+] Patching KERNEL32.dll!LocalFree, to: 0x7FFF2ACC7B60
[+] Patching KERNEL32.dll!SetLastError, to: 0x7FFF2ACC5CB0
[+] Patching KERNEL32.dll!FileTimeToSystemTime, to: 0x7FFF2ACD5050
[+] Patching KERNEL32.dll!GetTimeFormatW, to: 0x7FFF2ACCF1C0
[+] Patching KERNEL32.dll!GetModuleFileNameW, to: 0x7FFF2ACCDF20
[+] Patching KERNEL32.dll!HeapSize, to: 0x7FFF2B7A56D0
[+] Patching KERNEL32.dll!HeapReAlloc, to: 0x7FFF2B7AC9A0
[+] Patching KERNEL32.dll!HeapAlloc, to: 0x7FFF2B7A6C80
[+] Patching KERNEL32.dll!HeapValidate, to: 0x7FFF2ACCC0F0
[+] Patching KERNEL32.dll!HeapFree, to: 0x7FFF2ACC5570
[+] Patching KERNEL32.dll!GetProcessHeap, to: 0x7FFF2ACC5BB0
[+] Patching KERNEL32.dll!GetConsoleOutputCP, to: 0x7FFF2ACD5300
[+] Patching KERNEL32.dll!HeapSetInformation, to: 0x7FFF2ACD03E0
[+] Patching KERNEL32.dll!WriteConsoleW, to: 0x7FFF2ACD53C0
[+] Patching KERNEL32.dll!CompareStringA, to: 0x7FFF2ACCD620
[+] Patching KERNEL32.dll!GetThreadLocale, to: 0x7FFF2ACCA0F0
[+] Patching KERNEL32.dll!CompareStringW, to: 0x7FFF2ACCC6A0
[+] Patching KERNEL32.dll!lstrlenW, to: 0x7FFF2ACC7000
[+] Patching KERNEL32.dll!GetStdHandle, to: 0x7FFF2ACCD490
[+] Patching KERNEL32.dll!GetConsoleMode, to: 0x7FFF2ACD52F0
[+] Patching KERNEL32.dll!GetFileType, to: 0x7FFF2ACD4DB0
[+] Patching KERNEL32.dll!WideCharToMultiByte, to: 0x7FFF2ACC5B30
[+] Patching KERNEL32.dll!FormatMessageW, to: 0x7FFF2ACCC890
[+] Patching KERNEL32.dll!TerminateProcess, to: 0x7FFF2ACD0760
[+] Patching KERNEL32.dll!UnhandledExceptionFilter, to: 0x7FFF2ACEB9D0
[+] Patching KERNEL32.dll!GetTickCount, to: 0x7FFF2ACC5640
[+] Patching KERNEL32.dll!GetSystemTimeAsFileTime, to: 0x7FFF2ACC7B80
[+] Patching KERNEL32.dll!GetCurrentThreadId, to: 0x7FFF2ACC5550
[+] Patching KERNEL32.dll!GetCurrentProcessId, to: 0x7FFF2ACD4890
[+] Patching KERNEL32.dll!QueryPerformanceCounter, to: 0x7FFF2ACC5C10
[+] Patching KERNEL32.dll!GetModuleHandleW, to: 0x7FFF2ACCD130
[+] Patching KERNEL32.dll!SetUnhandledExceptionFilter, to: 0x7FFF2ACCFE00
[+] Patching KERNEL32.dll!SleepConditionVariableSRW, to: 0x7FFF2943AB40
[+] Patching KERNEL32.dll!WakeAllConditionVariable, to: 0x7FFF2B7DD3D0
[+] Patching KERNEL32.dll!AcquireSRWLockExclusive, to: 0x7FFF2B7ADC30
[+] Patching KERNEL32.dll!ReleaseSRWLockExclusive, to: 0x7FFF2B7B0B10
[+] Patching KERNEL32.dll!Sleep, to: 0x7FFF2ACCADA0
[+] Patching KERNEL32.dll!GetCurrentProcess, to: 0x7FFF2ACD4880
[+] Patching KERNEL32.dll!SetThreadUILanguage, to: 0x7FFF2ACCC610
[+] Patching KERNEL32.dll!GetLastError, to: 0x7FFF2ACC5BF0
[+] Patching KERNEL32.dll!ExitProcess, to: 0x7FFF2ACCE0A0
[*] End of functions for KERNEL32.dll

[+] Loaded msvcrt.dll
[+] Patching msvcrt.dll!fprintf, to: 0x7FFF2AC574B0
[+] Patching msvcrt.dll!fflush, to: 0x7FFF2AC572B0
[+] Patching msvcrt.dll!wcstok, to: 0x7FFF2AC6E4F0
[+] Patching msvcrt.dll!_get_osfhandle, to: 0x7FFF2AC2C990
[+] Patching msvcrt.dll!_fileno, to: 0x7FFF2AC57000
[+] Patching msvcrt.dll!wcstoul, to: 0x7FFF2AC15570
[+] Patching msvcrt.dll!wcstol, to: 0x7FFF2AC154F0
[+] Patching msvcrt.dll!wcstod, to: 0x7FFF2AC14EB0
[+] Patching msvcrt.dll!_errno, to: 0x7FFF2AC17D60
[+] Patching msvcrt.dll!_memicmp, to: 0x7FFF2AC6A500
[+] Patching msvcrt.dll!?terminate@@YAXXZ, to: 0x7FFF2AC1AE00
[+] Patching msvcrt.dll!??1type_info@@UEAA@XZ, to: 0x7FFF2AC24040
[+] Patching msvcrt.dll!_onexit, to: 0x7FFF2AC3A990
[+] Patching msvcrt.dll!__dllonexit, to: 0x7FFF2AC3A8B0
[+] Patching msvcrt.dll!_unlock, to: 0x7FFF2AC4B280
[+] Patching msvcrt.dll!_lock, to: 0x7FFF2AC4B040
[+] Patching msvcrt.dll!_commode, to: 0x7FFF2ACA56D8
[+] Patching msvcrt.dll!_fmode, to: 0x7FFF2ACA467C
[+] Patching msvcrt.dll!__C_specific_handler, to: 0x7FFF2AC37F60
[+] Patching msvcrt.dll!_initterm, to: 0x7FFF2AC4A510
[+] Patching msvcrt.dll!__setusermatherr, to: 0x7FFF2AC78160
[+] Patching msvcrt.dll!_cexit, to: 0x7FFF2AC4A210
[+] Patching msvcrt.dll!_exit, to: 0x7FFF2AC4A0D0
[+] Patching msvcrt.dll!exit, to: 0x7FFF2AC4A7D0
[+] Patching msvcrt.dll!__set_app_type, to: 0x7FFF2AC3B130
[+] Patching msvcrt.dll!__wgetmainargs, to: 0x7FFF2AC17A50
[+] Patching msvcrt.dll!_amsg_exit, to: 0x7FFF2AC4A190
[+] Patching msvcrt.dll!_XcptFilter, to: 0x7FFF2AC37D70
[+] Patching msvcrt.dll!_CxxThrowException, to: 0x7FFF2AC1AE80
[+] Patching msvcrt.dll!_callnewh, to: 0x7FFF2AC29280
[+] Patching msvcrt.dll!??0exception@@QEAA@AEBQEBDH@Z, to: 0x7FFF2AC1A6C0
[+] Patching msvcrt.dll!malloc, to: 0x7FFF2AC29CD0
[+] Patching msvcrt.dll!free, to: 0x7FFF2AC29C80
[+] Patching msvcrt.dll!memmove_s, to: 0x7FFF2AC6CF70
[+] Patching msvcrt.dll!??0exception@@QEAA@AEBV0@@Z, to: 0x7FFF2AC1A6E0
[+] Patching msvcrt.dll!??0exception@@QEAA@AEBQEBD@Z, to: 0x7FFF2AC1A640
[+] Patching msvcrt.dll!??0exception@@QEAA@XZ, to: 0x7FFF2AC1A770
[+] Patching msvcrt.dll!??1exception@@UEAA@XZ, to: 0x7FFF2AC1A7D0
[+] Patching msvcrt.dll!?what@exception@@UEBAPEBDXZ, to: 0x7FFF2AC1AA90
[+] Patching msvcrt.dll!memcpy_s, to: 0x7FFF2AC6CED0
[+] Patching msvcrt.dll!_ultow, to: 0x7FFF2AC12E10
[+] Patching msvcrt.dll!_vsnwprintf, to: 0x7FFF2AC5AD20
[+] Patching msvcrt.dll!__CxxFrameHandler3, to: 0x7FFF2AC1B560
[+] Patching msvcrt.dll!__iob_func, to: 0x7FFF2AC4CF40
[+] Patching msvcrt.dll!memset, to: 0x7FFF2AC84680
[*] End of functions for msvcrt.dll

[+] Loaded ntdll.dll
[+] Patching ntdll.dll!RtlVerifyVersionInfo, to: 0x7FFF2B809AE0
[+] Patching ntdll.dll!RtlCaptureContext, to: 0x7FFF2B82FEA0
[+] Patching ntdll.dll!RtlLookupFunctionEntry, to: 0x7FFF2B7B3E50
[+] Patching ntdll.dll!VerSetConditionMask, to: 0x7FFF2B7FF670
[+] Patching ntdll.dll!RtlVirtualUnwind, to: 0x7FFF2B7B20B0
[*] End of functions for ntdll.dll

[+] Loaded USER32.dll
[+] Patching USER32.dll!LoadStringW, to: 0x7FFF2AE77FD0
[+] Patching USER32.dll!CharLowerW, to: 0x7FFF2AE81D60
[+] Patching USER32.dll!CharUpperW, to: 0x7FFF2AE76B50
[*] End of functions for USER32.dll

[+] Loaded WS2_32.dll
[*] End of functions for WS2_32.dll

[+] Loaded SHLWAPI.dll
[+] Patching SHLWAPI.dll!StrStrW, to: 0x7FFF2B52F8E0
[+] Patching SHLWAPI.dll!StrStrIW, to: 0x7FFF2B526A50
[+] Patching SHLWAPI.dll!StrChrW, to: 0x7FFF2B5262A0
[+] Patching SHLWAPI.dll!StrChrIW, to: 0x7FFF2B527FB0
[*] End of functions for SHLWAPI.dll

[+] Loaded VERSION.dll
[+] Patching VERSION.dll!VerQueryValueW, to: 0x7FFF207F1050
[+] Patching VERSION.dll!GetFileVersionInfoExW, to: 0x7FFF207F1070
[+] Patching VERSION.dll!GetFileVersionInfoSizeExW, to: 0x7FFF207F1090
[*] End of functions for VERSION.dll

[+] Loaded AUTHZ.dll
[+] Patching AUTHZ.dll!FreeClaimDefinitions, to: 0x7FFF27CE1130
[+] Patching AUTHZ.dll!InitializeClaimDictionary, to: 0x7FFF27CE13B0
[+] Patching AUTHZ.dll!GetClaimDefinitions, to: 0x7FFF27CE1200
[+] Patching AUTHZ.dll!FreeClaimDictionary, to: 0x7FFF27CE11E0
[*] End of functions for AUTHZ.dll

[+] Loaded SspiCli.dll
[+] Patching SspiCli.dll!LsaConnectUntrusted, to: 0x7FFF28D8A6A0
[+] Patching SspiCli.dll!LsaLookupAuthenticationPackage, to: 0x7FFF28D83B80
[+] Patching SspiCli.dll!LsaCallAuthenticationPackage, to: 0x7FFF28D83A20
[+] Patching SspiCli.dll!GetUserNameExW, to: 0x7FFF28D88020
[*] End of functions for SspiCli.dll

[+] Loaded wkscli.dll
[+] Patching wkscli.dll!NetGetJoinInformation, to: 0x7FFF280B16F0
[*] End of functions for wkscli.dll

[+] Loaded netutils.dll
[+] Patching netutils.dll!NetApiBufferFree, to: 0x7FFF283F1060
[*] End of functions for netutils.dll

[*] End of DLLs
[+] Finished resolving imports

[*] PEB Base Address: 0xAC1000
[*] PEB RTL_USER_PROCESS_PARAMETERS Struct Pointer Address: 0xAC1020
[*] PEB RTL_USER_PROCESS_PARAMETERS Struct Pointer: 0xD021F0
[*] CommandLine String Pointer Pointer: 0x13640296
[*] CommandLine String Pointer: 0x13641904
[*] Image String Pointer Pointer: 0x13640280
[*] Image String Pointer: 0x13641784
[*] Length Pointer: 0x13640288
[*] Length Value: 0xB8 (184)
[*] MaxLength Pointer: 0x13640290
[*] MaxLength Value: 0xBA (186)
[*] Current args read from PEB: "C:\Users\Thin0\source\repos\RunPE\RunPE\bin\Debug\RunPE.exe" C:\Windows\System32\whoami.exe
[*] Current image read from PEB: C:\Users\Thin0\source\repos\RunPE\RunPE\bin\Debug\RunPE.exe
[*] Patching CommandLine string pointer...
[+] Patched pointer at 0xD02268 to 0xDC61A0
[*] Patching Image string pointer...
[+] Patched pointer at 0xD02258 to 0xDC5FC0
[*] Patching Length...
[*] Patching MaximumLength...
[*] PEB Base Address: 0xAC1000
[*] PEB RTL_USER_PROCESS_PARAMETERS Struct Pointer Address: 0xAC1020
[*] PEB RTL_USER_PROCESS_PARAMETERS Struct Pointer: 0xD021F0
[*] CommandLine String Pointer Pointer: 0x13640296
[*] CommandLine String Pointer: 0x14442912
[*] Image String Pointer Pointer: 0x13640280
[*] Image String Pointer: 0x14442432
[*] Length Pointer: 0x13640288
[*] Length Value: 0x21 (33)
[*] MaxLength Pointer: 0x13640290
[*] MaxLength Value: 0x21 (33)
[*] New args read from PEB: "C:\Windows\System32\whoami.exe"
[*] New image read from PEB: C:\Windows\System32\whoami.exe
[*] New length read from PEB: 33
[*] New maxlength read from PEB: 33
[+] Finished Patching PEB

[+] Patching GetCommandLine API Call...
[*] String bytes: 22 0 43 0 3A 0 5C 0 55 0 73 0 65 0 72 0 73 0 5C 0 54 0 68 0 69 0 6E 0 30 0 5C 0 73 0 6F 0 75 0 72 0 63 0 65 0 5C 0 72 0 65 0 70 0 6F 0 73 0 5C 0 52 0 75 0 6E 0 50 0 45 0 5C 0 52 0 75 0 6E 0 50 0 45 0 5C 0 62 0 69 0 6E 0 5C 0 44 0
[*] String encoding determined to be: System.Text.UTF8Encoding
[*] Old GetCommandLine return value: 0xD028B0
[*] New String Address: 0xDC54D0
[*] Patching kernelbase!GetCommandLineW
[*] PatchBytes: 0x48 0xB8 0xD0 0x54 0xDC 0x0 0x0 0x0 0x0 0x0 0xC3
[*] PatchBytes Len: 11
[*] kernelbase!GetCommandLineW API function at: 0x7FFF29447B40
[*] Original bytes: 0x48 0x8B 0x5 0x91 0x43 0x21 0x0 0xC3 0xCC 0xCC 0xCC
[*] Changed protections on kernelbase!GetCommandLineW to RW
[+] Patched function kernelbase!GetCommandLineW
[*] Reverted memory protections on kernelbase!GetCommandLineW
[*] New GetCommandLine return value: 0xDC54D0
[*] Patched CommandLine string from GetCommandLine API call: "C:\Windows\System32\whoami.exe"
[+] Finished Patching API Calls

[*] kernelbase!ExitThread API function at: 0x7FFF2B7DCEF0
[*] Patching kernelbase!TerminateProcess, redirecting flow to kernelbase!ExitThread
[*] Patching kernelbase!TerminateProcess
[*] PatchBytes: 0x48 0xC7 0xC1 0x0 0x0 0x0 0x0 0x48 0xB8 0xF0 0xCE 0x7D 0x2B 0xFF 0x7F 0x0 0x0 0x50 0xC3
[*] PatchBytes Len: 19
[*] kernelbase!TerminateProcess API function at: 0x7FFF2944B320
[*] Original bytes: 0x48 0x89 0x5C 0x24 0x8 0x57 0x48 0x83 0xEC 0x20 0x8B 0xFA 0x48 0x8B 0xD9 0x48 0x85 0xC9 0xF
[*] Changed protections on kernelbase!TerminateProcess to RW
[+] Patched function kernelbase!TerminateProcess
[*] Reverted memory protections on kernelbase!TerminateProcess
[*] Patching mscoree!CorExitProcess, redirecting flow to kernelbase!ExitThread
[*] Patching mscoree!CorExitProcess
[*] PatchBytes: 0x48 0xC7 0xC1 0x0 0x0 0x0 0x0 0x48 0xB8 0xF0 0xCE 0x7D 0x2B 0xFF 0x7F 0x0 0x0 0x50 0xC3
[*] PatchBytes Len: 19
[*] mscoree!CorExitProcess API function at: 0x7FFF01DD7450
[*] Original bytes: 0x40 0x53 0x48 0x83 0xEC 0x20 0x48 0x83 0x64 0x24 0x38 0x0 0x8B 0xD9 0x48 0x8D 0x4C 0x24 0x38
[*] Changed protections on mscoree!CorExitProcess to RW
[+] Patched function mscoree!CorExitProcess
[*] Reverted memory protections on mscoree!CorExitProcess
[*] Patching ntdll!NtTerminateProcess, redirecting flow to kernelbase!ExitThread
[*] Patching ntdll!NtTerminateProcess
[*] PatchBytes: 0x48 0xC7 0xC1 0x0 0x0 0x0 0x0 0x48 0xB8 0xF0 0xCE 0x7D 0x2B 0xFF 0x7F 0x0 0x0 0x50 0xC3
[*] PatchBytes Len: 19
[*] ntdll!NtTerminateProcess API function at: 0x7FFF2B82C310
[*] Original bytes: 0x4C 0x8B 0xD1 0xB8 0x2C 0x0 0x0 0x0 0xF6 0x4 0x25 0x8 0x3 0xFE 0x7F 0x1 0x75 0x3 0xF
[*] Changed protections on ntdll!NtTerminateProcess to RW
[+] Patched function ntdll!NtTerminateProcess
[*] Reverted memory protections on ntdll!NtTerminateProcess
[*] Patching ntdll!RtlExitUserProcess, redirecting flow to kernelbase!ExitThread
[*] Patching ntdll!RtlExitUserProcess
[*] PatchBytes: 0x48 0xC7 0xC1 0x0 0x0 0x0 0x0 0x48 0xB8 0xF0 0xCE 0x7D 0x2B 0xFF 0x7F 0x0 0x0 0x50 0xC3
[*] PatchBytes Len: 19
[*] ntdll!RtlExitUserProcess API function at: 0x7FFF2B7F3BD0
[*] Original bytes: 0x40 0x53 0x48 0x83 0xEC 0x20 0x8B 0xD9 0xE8 0x33 0xD4 0x1 0x0 0x65 0x48 0x8B 0x4 0x25 0x30
[*] Changed protections on ntdll!RtlExitUserProcess to RW
[+] Patched function ntdll!RtlExitUserProcess
[*] Reverted memory protections on ntdll!RtlExitUserProcess
[+] Exit functions patched

[*] Creating STDOut Pipes to redirect to
[+] Created File Descriptor pipes:
        [*] Read: 0x2F0
        [*] Write: 0x2F4
[*] Creating STDIn Pipes to redirect to
[+] Created File Descriptor pipes:
        [*] Read: 0x2F8
        [*] Write: 0x2FC
[+] SetStdHandle STDOUT to 0x2F4
[+] SetStdHandle STDERROR to 0x2F4
[+] SetStdHandle STDIN to 0x2FC

[*] Performing extra environmental patches
[*] Patching the main module base address in the PEB to 0x1060000
[*] Address of main module base address in PEB: 0xAC1010
[*] Main module base address read from PEB: 0x8C0000
[-] Unable to change memory protections to RW for modification on address: 0xAC1010
[-] Unable to patch main module base address in PEB at: 0xAC1010

[*] Patching kernelbase!GetModuleHandleW to return base address of loaded PE if called with NULL
[*] New func at: 0x1080000
[*] Patching kernelbase!GetModuleHandleW
[*] PatchBytes: 0x48 0xB8 0x0 0x0 0x8 0x1 0x0 0x0 0x0 0x0 0xFF 0xE0
[*] PatchBytes Len: 12
[*] kernelbase!GetModuleHandleW API function at: 0x7FFF294008C0
[*] Original bytes: 0x48 0x89 0x5C 0x24 0x10 0x57 0x48 0x83 0xEC 0x30 0x33 0xDB
[*] Changed protections on kernelbase!GetModuleHandleW to RW
[+] Patched function kernelbase!GetModuleHandleW
[*] Reverted memory protections on kernelbase!GetModuleHandleW

[*] Executing loaded PE

 [*] Reverting patch to kernelbase!TerminateProcess
[*] Patching kernelbase!TerminateProcess
[*] PatchBytes: 0x48 0x89 0x5C 0x24 0x8 0x57 0x48 0x83 0xEC 0x20 0x8B 0xFA 0x48 0x8B 0xD9 0x48 0x85 0xC9 0xF
[*] PatchBytes Len: 19
[*] kernelbase!TerminateProcess API function at: 0x7FFF2944B320
[*] Original bytes: 0x48 0xC7 0xC1 0x0 0x0 0x0 0x0 0x48 0xB8 0xF0 0xCE 0x7D 0x2B 0xFF 0x7F 0x0 0x0 0x50 0xC3
[*] Changed protections on kernelbase!TerminateProcess to RW
[+] Patched function kernelbase!TerminateProcess
[*] Reverted memory protections on kernelbase!TerminateProcess
[*] Reverting patch to mscoree!CorExitProcess
[*] Patching mscoree!CorExitProcess
[*] PatchBytes: 0x40 0x53 0x48 0x83 0xEC 0x20 0x48 0x83 0x64 0x24 0x38 0x0 0x8B 0xD9 0x48 0x8D 0x4C 0x24 0x38
[*] PatchBytes Len: 19
[*] mscoree!CorExitProcess API function at: 0x7FFF01DD7450
[*] Original bytes: 0x48 0xC7 0xC1 0x0 0x0 0x0 0x0 0x48 0xB8 0xF0 0xCE 0x7D 0x2B 0xFF 0x7F 0x0 0x0 0x50 0xC3
[*] Changed protections on mscoree!CorExitProcess to RW
[+] Patched function mscoree!CorExitProcess
[*] Reverted memory protections on mscoree!CorExitProcess
[*] Reverting patch to ntdll!NtTerminateProcess
[*] Patching ntdll!NtTerminateProcess
[*] PatchBytes: 0x4C 0x8B 0xD1 0xB8 0x2C 0x0 0x0 0x0 0xF6 0x4 0x25 0x8 0x3 0xFE 0x7F 0x1 0x75 0x3 0xF
[*] PatchBytes Len: 19
[*] ntdll!NtTerminateProcess API function at: 0x7FFF2B82C310
[*] Original bytes: 0x48 0xC7 0xC1 0x0 0x0 0x0 0x0 0x48 0xB8 0xF0 0xCE 0x7D 0x2B 0xFF 0x7F 0x0 0x0 0x50 0xC3
[*] Changed protections on ntdll!NtTerminateProcess to RW
[+] Patched function ntdll!NtTerminateProcess
[*] Reverted memory protections on ntdll!NtTerminateProcess
[*] Reverting patch to ntdll!RtlExitUserProcess
[*] Patching ntdll!RtlExitUserProcess
[*] PatchBytes: 0x40 0x53 0x48 0x83 0xEC 0x20 0x8B 0xD9 0xE8 0x33 0xD4 0x1 0x0 0x65 0x48 0x8B 0x4 0x25 0x30
[*] PatchBytes Len: 19
[*] ntdll!RtlExitUserProcess API function at: 0x7FFF2B7F3BD0
[*] Original bytes: 0x48 0xC7 0xC1 0x0 0x0 0x0 0x0 0x48 0xB8 0xF0 0xCE 0x7D 0x2B 0xFF 0x7F 0x0 0x0 0x50 0xC3
[*] Changed protections on ntdll!RtlExitUserProcess to RW
[+] Patched function ntdll!RtlExitUserProcess
[*] Reverted memory protections on ntdll!RtlExitUserProcess
[+] Exit patches reverted

[*] Reverting patch to kernelbase!GetModuleHandleW
[*] Patching kernelbase!GetModuleHandleW
[*] PatchBytes: 0x48 0x89 0x5C 0x24 0x10 0x57 0x48 0x83 0xEC 0x30 0x33 0xDB
[*] PatchBytes Len: 12
[*] kernelbase!GetModuleHandleW API function at: 0x7FFF294008C0
[*] Original bytes: 0x48 0xB8 0x0 0x0 0x8 0x1 0x0 0x0 0x0 0x0 0xFF 0xE0
[*] Changed protections on kernelbase!GetModuleHandleW to RW
[+] Patched function kernelbase!GetModuleHandleW
[*] Reverted memory protections on kernelbase!GetModuleHandleW
[+] Extra API patches reverted

[*] Reverting patch to main module base address in PEB at: 0x11276304
[-] Unable to change memory protections to RW for modification on address: 0xAC1010
[-] Unable to revert patch to main module base address in PEB at: 0x11276304
[*] Reset StdError, StdOut, StdIn
[+] SetStdHandle STDOUT to 0x54
[+] SetStdHandle STDERROR to 0x58
[+] SetStdHandle STDIN to 0x4C
[*] Closing StdOut pipes
[+] CloseHandle write
[+] CloseHandle read
[-] Unable to read from 'subprocess' pipe
[*] Closing StdIn pipes
[+] CloseHandle write
[+] CloseHandle read
[*] Closing StdOut pipes
[+] CloseHandle write
[+] CloseHandle read
[*] Closing StdIn pipes
[+] CloseHandle write
[+] CloseHandle read
[*] Reverting patch to kernelbase!GetCommandLineW
[*] Patching kernelbase!GetCommandLineW
[*] PatchBytes: 0x48 0x8B 0x5 0x91 0x43 0x21 0x0 0xC3 0xCC 0xCC 0xCC
[*] PatchBytes Len: 11
[*] kernelbase!GetCommandLineW API function at: 0x7FFF29447B40
[*] Original bytes: 0x48 0xB8 0xD0 0x54 0xDC 0x0 0x0 0x0 0x0 0x0 0xC3
[*] Changed protections on kernelbase!GetCommandLineW to RW
[+] Patched function kernelbase!GetCommandLineW
[*] Reverted memory protections on kernelbase!GetCommandLineW
[*] Reverting patch to command line string pointer
[+] Patched pointer at 0xD02268 to 0xD028B0
[*] Reverting patch to image string pointer
[+] Patched pointer at 0xD02258 to 0xD02838
[*] Reverting patch to command line string length
[*] Patching command line string max length
[+] Args reverted

[*] Zeroing out and freeing loaded PE image at 0x1060000 with size: 0x16000
[*] PE artifacts cleared from memory

[*] Cleaning up loaded DLLs
[*] Freeing WS2_32.dll at 0x7FFF2B580000
[*] Freeing AUTHZ.dll at 0x7FFF27CC0000
[*] Freeing SspiCli.dll at 0x7FFF28D80000
[*] Freeing wkscli.dll at 0x7FFF280B0000
[*] Freeing netutils.dll at 0x7FFF283F0000
[*] Freeing clbcatq.dll at 0x7FFF2A280000
[+] Loaded DLLs cleaned up

[*] Retrieving the 'subprocess' stdout & stderr

------------------------ EXE OUTPUT -------------------------

--------------------- END OF EXE OUTPUT ---------------------

[+] End of RunPE
riskydissonance commented 1 year ago

This is a known issue for some really old binaries like whoami.exe and ipconfig.exe that we haven't been able to get to the bottom of. It appears to be binaries which use _iob to get stdio data.

Most other old binaries still work and anything we've tried that is 'new', i.e. offensive tooling we've compiled ourselves, has worked. We'll take a look at this again but it's a bit of a rabbit hole.