optiv / ScareCrow

ScareCrow - Payload creation framework designed around EDR bypass.

Windows executables not in PATH #71

Closed mgeeky closed 1 year ago

mgeeky commented 1 year ago

Hi there @Tylous !

Thanks for bringing out a freshly baked new version of the terrific ScareCrow!

I was trying to run the latest v5.0 (taken from releases) on Windows, just to see if I could plug it into ProtectMyTooling, but I seem to be experiencing some issues with PATH and executables not being found:

```
PS> .\ScareCrow.exe -Evasion None -Exec RtlCopy -I calc64.bin -Loader binary -O test.exe -outpath $(pwd) -encryptionmode ELZMA -noamsi -nosign

  _________                           _________
 /   _____/ ____ _____ _______   ____ \_   ___ \_______  ______  _  __
 \_____  \_/ ___\\__  \\_  __ \_/ __ \/    \  \/\_  __ \/  _ \ \/ \/ /
 /        \  \___ / __ \|  | \/\  ___/\     \____|  | \(  <_> )     /
/_______  /\___  >____  /__|    \___  >\______  /|__|   \____/ \/\_/
        \/     \/     \/            \/        \/
                                                        (@Tyl0us)
        “Fear, you must understand is more than a mere obstacle.
        Fear is a TEACHER. the first one you ever had.”

[!] -O not needed. This loader type uses the name of the file they are spoofing
[!] Missing Garble... Downloading it now
[*] Encrypting Shellcode Using ELZMA Encryption
[+] Shellcode Encrypted
[+] Patched ETW Enabled
[+] Sleep Timer set for 2663 milliseconds
[*] Creating an Embedded Resource File
[+] Created Embedded Resource File With Outlook's Properties
[*] Compiling Payload
exit status 1: error obtaining VCS status: exit status 128
        Use -buildvcs=false to disable VCS stamping.

[+] Payload Compiled
2023/04/21 12:43:44 Error: open Outlook.exe: The system cannot find the file specified.
```

Thing is, any time I try to run it, it will randomly run through the 8 predefined executables, spitting out the same error. Now I wonder if this is something we should fix by presetting PATH, maybe?

Otherwise, is it possible to introduce a new flag that would disable the metadata-preset functionality, like -nometadata? That would leave the decision of whether to have the executable's metadata prefilled up to the operator. :)

Best regards, Mariusz.

Tylous commented 1 year ago

That's odd, I will look into this. As for your metadata option, it's doable; it just might take me a minute.

Tylous commented 1 year ago

Update: in my test cases it seems like the file is actually there even though there is a "no such file or directory" message.

```
[+] Shellcode Encrypted
[+] Patched ETW Enabled
[+] Patched AMSI Enabled
[+] Sleep Timer set for 2650 milliseconds
[*] Creating an Embedded Resource File
[+] Created Embedded Resource File With cmd's Properties
[*] Compiling Payload
[+] Payload Compiled
[*] Signing cmd.exe With a Fake Cert
[+] Signed File Created
[*] cmd.exe moved to /Users/meidelberg/Downloads/
[+] Binary Compiled
2023/04/21 14:52:47 open cmd.exe: no such file or directory
```

Can you check if the file is actually there? Still investigating though.

Tylous commented 1 year ago

Should have this all addressed shortly, sorry for the delay.

hastalamuerte commented 1 year ago

Same. Every run is a new name. In the folder, Excel, Lync and OneNote folders are created.

Please provide some examples with descriptions of use. Maybe some definitions/block structure of the commands would make it easier to understand. Thanks a lot.

Tylous commented 1 year ago

Just pushed a small patch to fix this issue @mgeeky it should be fixed.

Tylous commented 1 year ago

Closing as this has been addressed. Feel free to reopen if this occurs again.

mgeeky commented 1 year ago

Hi @Tylous, sorry but it still fails to find a path for the template executable to copy its properties:

```
ScareCrow.exe -Evasion None -Exec RtlCopy -I calc64.bin -Loader binary -O test.exe -outpath $(pwd) -encryptionmode ELZMA -noamsi -nosign

  _________                           _________
 /   _____/ ____ _____ _______   ____ \_   ___ \_______  ______  _  __
 \_____  \_/ ___\\__  \\_  __ \_/ __ \/    \  \/\_  __ \/  _ \ \/ \/ /
 /        \  \___ / __ \|  | \/\  ___/\     \____|  | \(  <_> )     /
/_______  /\___  >____  /__|    \___  >\______  /|__|   \____/ \/\_/
        \/     \/     \/            \/        \/
                                                        (@Tyl0us)
        “Fear, you must understand is more than a mere obstacle.
        Fear is a TEACHER. the first one you ever had.”

[!] -O not needed. This loader type uses the name of the file they are spoofing
[*] Encrypting Shellcode Using ELZMA Encryption
[+] Shellcode Encrypted
[+] Patched ETW Enabled
[+] Sleep Timer set for 2483 milliseconds
[*] Creating an Embedded Resource File
[+] Created Embedded Resource File With OneDrive's Properties
[*] Compiling Payload
exit status 1: # AOfralyJVTMHC/AOfralyJVTMHC
AOfralyJVTMHC\AOfralyJVTMHC.go:26:6: JNtLEuSnRKTNzoB redeclared in this block
        AOfralyJVTMHC\AOfralyJVTMHC.go:22:6: other declaration of JNtLEuSnRKTNzoB
AOfralyJVTMHC\AOfralyJVTMHC.go:27:21: no new variables on left side of :=
AOfralyJVTMHC\AOfralyJVTMHC.go:27:24: cannot use hex.DecodeString(JNtLEuSnRKTNzoB) (value of type []byte) as string value in assignment
AOfralyJVTMHC\AOfralyJVTMHC.go:43:43: AOfralyJVTMHC redeclared in this block
        AOfralyJVTMHC\AOfralyJVTMHC.go:43:21: other declaration of AOfralyJVTMHC
AOfralyJVTMHC\AOfralyJVTMHC.go:57:6: HAOfralyJVTMHC redeclared in this block
        AOfralyJVTMHC\AOfralyJVTMHC.go:43:6: other declaration of HAOfralyJVTMHC
AOfralyJVTMHC\AOfralyJVTMHC.go:57:61: AOfralyJVTMHC redeclared in this block
        AOfralyJVTMHC\AOfralyJVTMHC.go:57:21: other declaration of AOfralyJVTMHC
AOfralyJVTMHC\AOfralyJVTMHC.go:74:6: HAOfralyJVTMHC redeclared in this block
        AOfralyJVTMHC\AOfralyJVTMHC.go:43:6: other declaration of HAOfralyJVTMHC
AOfralyJVTMHC\AOfralyJVTMHC.go:74:43: AOfralyJVTMHC redeclared in this block
        AOfralyJVTMHC\AOfralyJVTMHC.go:74:21: other declaration of AOfralyJVTMHC
AOfralyJVTMHC\AOfralyJVTMHC.go:86:6: HAOfralyJVTMHC redeclared in this block
        AOfralyJVTMHC\AOfralyJVTMHC.go:43:6: other declaration of HAOfralyJVTMHC
AOfralyJVTMHC\AOfralyJVTMHC.go:88:6: HAOfralyJVTMHC redeclared in this block
        AOfralyJVTMHC\AOfralyJVTMHC.go:43:6: other declaration of HAOfralyJVTMHC
AOfralyJVTMHC\AOfralyJVTMHC.go:27:21: too many errors

[+] Payload Compiled
2023/05/17 00:22:06 Error: open OneDrive.exe: The system cannot find the file specified.
```

Can we have an option to disable this logic? Like the suggested -nometadata?

That would help out I guess!

Tylous commented 1 year ago

Odd, let me take a look; this should have been resolved. Let me get back to you.