optiv / ScareCrow

ScareCrow - Payload creation framework designed around EDR bypass.

ProcessInjection crashes #72

Closed rotarydrone closed 1 year ago

rotarydrone commented 1 year ago

Test system is Windows 10 10.0.19045 Build 19045. Loader hangs then crashes before injecting remote process, the last debug message printed is "Creating Handle to Remote Process". No AV/EDR, this is a testbed VM with Defender ripped out.

[DEBUG] [+] Detected Version: 10
[DEBUG] [*] Creating Remote Process: 12384
[DEBUG] [*] Creating Handle to Remote Process

Used beacon/calc shellcode for testing:

msfvenom --platform windows --arch x64  -p windows/x64/exec CMD=calc.exe -b '\x00\x0A\x0D' -f raw -o sc.bin 

./ScareCrow -Evasion None -Exec ProcessInjection -Loader binary -encryptionmode RC4 -I sc.bin -nosleep -domain microsoft.com -injection "C:\Windows\notepad.exe" -console

rotarydrone commented 1 year ago

Clarification - the target process isn't left lingering so it also seems to crash. I haven't debugged much so far.

Tylous commented 1 year ago

Question: do you only see 3 debug statements, or are there more?

rotarydrone commented 1 year ago

Just those three before the loader and target process crash

Tylous commented 1 year ago

It has to do with your path; try C:\Windows\System32\notepad.exe instead of C:\Windows\notepad.exe

rotarydrone commented 1 year ago

Right, it was failing either way. But... I was running it from a read-only shared folder in my VM. Copying to the C:\ drive and everything works fine. Close as "operator error"? 😄