optiv / ScareCrow

ScareCrow - Payload creation framework designed around EDR bypass.
2.71k stars 503 forks

panic: Call to VirtualProtect failed!!!!! #64

Closed b1gcat closed 2 years ago

b1gcat commented 2 years ago

Too strange. I used the command to generate a payload and it worked fine, but when I used the same command to generate a new payload it failed. Why? What makes this happen? :< It makes me very sad.

./ScareCrow -I ~/Desktop/payload.bin -nosign  -console

Y:\>OneNote.exe
[DEBUG] [+] Detected Version: 6.1
[DEBUG] [*] Create a Pointer on stack
[DEBUG] [*] Loading shellcode into a string
[DEBUG] [*] Copy Pointer's attributes
[DEBUG] [*] Overwriten Pointer to point to shellcode String
[DEBUG] [*] Overwriting shellcode String with Pointer's attributes
panic: Call to VirtualProtect failed!!!!!

b1gcat commented 2 years ago

Very, very strange. Today I used the command to generate a new payload and it gave another error:

C:\Users\b1gcat>Y:\Word.exe
[DEBUG] [+] Detected Version: 6.1
[DEBUG] [*] Create a Pointer on stack
[DEBUG] [*] Loading shellcode into a string
[DEBUG] [*] Copy Pointer's attributes
[DEBUG] [*] Overwriten Pointer to point to shellcode String
[DEBUG] [*] Overwriting shellcode String with Pointer's attributes
Exception 0xc0000005 0x0 0x8c00008f000 0xc0000b1000
PC=0xc0000b1000

runtime.cgocall(0x45e800, 0x5bcb80)
        runtime/cgocall.go:157 +0x4a fp=0xc000079e18 sp=0xc000079de0 p

syscall.SyscallN(0xc0000b1000?, {0xc000079eb0?, 0x3?, 0x40c787?})
        runtime/syscall_windows.go:538 +0x109 fp=0xc000079e90 sp=0xc00
=0x459ba9
syscall.Syscall(0x4e004d?, 0xc00000e6c0?, 0x5?, 0x5?, 0x0?)
        runtime/syscall_windows.go:476 +0x3b fp=0xc000079ed8 sp=0xc000
0x45997b
main.main()
        __rIsmP1.go:1 +0x2c7 fp=0xc000079f80 sp=0xc000079ed8 pc=0x4bea
runtime.main()
        runtime/proc.go:250 +0x1fe fp=0xc000079fe0 sp=0xc000079f80 pc=
runtime.goexit()
        runtime/asm_amd64.s:1571 +0x1 fp=0xc000079fe8 sp=0xc000079fe0
1
rax     0xc0000b1000
rbx     0x5bcb80
rcx     0x0
rdi     0x7fffffde000
rsi     0xc000079e50
rbp     0xc000079e08
rsp     0x22fd58
r8      0x0
r9      0x0
r10     0x0
r11     0x202
r12     0x0
r13     0x0
r14     0xc00002a000
r15     0xffffffffffffffff
rip     0xc0000b1000
rflags  0x10297
cs      0x33
fs      0x53
gs      0x2b
Tylous commented 2 years ago

My first thoughts are: Does this happen with the other loaders? If you are using staged shellcode, could that be the problem? Also, since it's showing up as 6.1, which is the Windows 7/Server 2008 R2 area, there are known issues with unhooking as they are quite old. As a result, the unhook process might be skipped and instead only the custom syscalls are used. (This is highlighted in the README file.) Let me know the answer to the first two questions.
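
A note on the two traces above, with an added example that is not ScareCrow's code or anything from this thread's participants. The first run panics as soon as VirtualProtect returns failure, without printing the error code. The second run gets past that step and then dies with Exception 0xc0000005 (an access violation) at PC=0xc0000b1000, i.e. the instruction pointer is sitting on the address that was just jumped to, which by its value lies in the Go heap where the loader built the shellcode string. That is what you get when execution lands on a page that is not executable, so a practitioner would first want to know the exact error the protection change returns and then confirm the page's protection before jumping. The C program below does both, using VirtualAlloc/VirtualProtect/VirtualQuery on Windows and the mmap/mprotect equivalents elsewhere so it can be compiled and run on either platform. It is in C rather than Go so the API calls are visible without the Go runtime in the way. The "shellcode" is a constructed stub that only returns 42; the names alloc_rw, make_executable, release and run_stub are mine.

```c
/* Added example, not ScareCrow's code: a minimal loader that reports why a
 * protection change failed instead of panicking with no detail, and checks
 * that the page really is executable before jumping to it. */
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#ifdef _WIN32
#include <windows.h>
#else
#include <sys/mman.h>
#include <errno.h>
#endif

/* Constructed stub standing in for real shellcode: it just returns 42. */
#if defined(__x86_64__) || defined(_M_X64)
static const unsigned char kStub[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00, 0xc3 };              /* mov eax,42 ; ret */
#elif defined(__aarch64__) || defined(_M_ARM64)
static const unsigned char kStub[] = { 0x40, 0x05, 0x80, 0x52, 0xc0, 0x03, 0x5f, 0xd6 };  /* mov w0,#42 ; ret */
#else
#error "no stub encoded for this architecture"
#endif

typedef int (*stub_fn)(void);

/* Allocate a private RW region large enough for the stub. NULL on failure. */
static void *alloc_rw(size_t len) {
#ifdef _WIN32
    void *mem = VirtualAlloc(NULL, len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (mem == NULL) fprintf(stderr, "VirtualAlloc failed: GetLastError=%lu\n", GetLastError());
    return mem;
#else
    void *mem = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) { perror("mmap"); return NULL; }
    return mem;
#endif
}

/* Flip RW -> RX (never RWX) and verify the OS actually applied it.
 * Returns 0 on success, -1 with the OS error printed to stderr. */
static int make_executable(void *mem, size_t len) {
#ifdef _WIN32
    DWORD old = 0;
    if (!VirtualProtect(mem, len, PAGE_EXECUTE_READ, &old)) {
        /* This number is what "Call to VirtualProtect failed!!!!!" leaves out. */
        fprintf(stderr, "VirtualProtect failed: GetLastError=%lu\n", GetLastError());
        return -1;
    }
    MEMORY_BASIC_INFORMATION mbi = {0};
    if (VirtualQuery(mem, &mbi, sizeof mbi) == 0 || mbi.Protect != PAGE_EXECUTE_READ) {
        fprintf(stderr, "page not PAGE_EXECUTE_READ after VirtualProtect (Protect=0x%lx)\n", mbi.Protect);
        return -1;
    }
    FlushInstructionCache(GetCurrentProcess(), mem, len);
#else
    if (mprotect(mem, len, PROT_READ | PROT_EXEC) != 0) {
        /* e.g. EACCES under a policy that denies anonymous executable memory */
        fprintf(stderr, "mprotect failed: errno=%d (%s)\n", errno, strerror(errno));
        return -1;
    }
    __builtin___clear_cache((char *)mem, (char *)mem + len);
#endif
    return 0;
}

static void release(void *mem, size_t len) {
#ifdef _WIN32
    (void)len;
    VirtualFree(mem, 0, MEM_RELEASE);
#else
    munmap(mem, len);
#endif
}

/* Full sequence: copy stub into RW memory, make it RX, call it.
 * Returns the stub's result (42) or -1 if any step failed. */
int run_stub(void) {
    size_t len = sizeof kStub;
    void *mem = alloc_rw(len);
    if (mem == NULL) return -1;
    memcpy(mem, kStub, len);                 /* write while the page is still RW */
    if (make_executable(mem, len) != 0) {    /* jumping without this is the 0xc0000005 path */
        release(mem, len);
        return -1;
    }
    int rc = ((stub_fn)mem)();
    release(mem, len);
    return rc;
}

int main(void) {
    int rc = run_stub();
    printf("stub returned %d\n", rc);
    return rc == 42 ? 0 : 1;
}
```

One caveat when mapping this back to ScareCrow: if the loader takes the path Tylous describes, where unhooking is skipped and its own syscall stubs are used, the protection change goes through NtProtectVirtualMemory rather than the kernel32 VirtualProtect wrapper, and the failure comes back as an NTSTATUS rather than a GetLastError value, so that is the number to log in that case.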

b1gcat commented 2 years ago

Only.

Maybe a Win7 problem.

nzyuko commented 1 year ago

Encountered the same on Windows 10.