Hooka

Unable to compile

Open NightFuryPrime opened this issue 1 year ago • 12 comments

here is the compilation log

[*] Obtaining shellcode from loader.bin

Shellcode is in raw format
Using XOR to encrypt the shellcode

[*] Defining evasion techniques...

[*] Using ntqueueapcthreadex technique to execute shellcode
[*] Obfuscating variables and functions...
[*] Compiling shellcode loader...

Payload format is set to EXE
Using Golang compiler
[-] Error while compiling loader!
2024/11/22 13:33:37 exit status 1

any ideas?

NightFuryPrime avatar Nov 22 '24 12:11 NightFuryPrime

Could you provide me the whole command you executed?

D3Ext avatar Nov 23 '24 17:11 D3Ext

PS C:\Users\Administrator\Downloads\Hooka-main\build> .\hooka.exe -i .\encrypt.bin -o load.exe

[*] Obtaining shellcode from .\encrypt.bin

Shellcode is in raw format

[*] Defining evasion techniques...
[*] Using suspendedprocess technique to execute shellcode
[*] Obfuscating variables and functions...
[*] Compiling shellcode loader...

Payload format is set to EXE
[-] Error while compiling loader!
2024/11/25 09:36:30 exit status 1

output using the verbose switch

PS C:\Users\Administrator\Downloads\Hooka-main\build> .\hooka.exe -i .\encrypt.bin -o load.exe -v

[*] Obtaining shellcode from .\encrypt.bin

Shellcode is in raw format
Shellcode encryption is currently disabled

[*] Defining evasion techniques...

Adding AMSI patch...
Adding ETW patch...
Adding unhooking function...

[*] Using suspendedprocess technique to execute shellcode
[*] Obfuscating variables and functions...
[*] Compiling shellcode loader...

Payload format is set to EXE
Using Golang compiler
[-] Error while compiling loader!
2024/11/25 09:37:11 exit status 1

generating shellcode from an .exe

PS C:\Users\Administrator\Downloads\Hooka-main\build> .\hooka.exe -i .\HelloWorlds.exe -o ld.exe

[*] Obtaining shellcode from .\HelloWorlds.exe

Converting EXE to shellcode using Donut

[*] Defining evasion techniques...
[*] Using suspendedprocess technique to execute shellcode
[*] Obfuscating variables and functions...
[*] Compiling shellcode loader...

Payload format is set to EXE
[-] Error while compiling loader!
2024/11/25 10:12:31 exit status 1

NightFuryPrime avatar Nov 25 '24 08:11 NightFuryPrime

Okay. I will try to fix it as soon as possible. Anyway, I have tested it on Linux, even though it should also work fine on Windows.

D3Ext avatar Nov 25 '24 09:11 D3Ext

I've analysed the code and I've discovered that the main problem is that the generated loader is always randomized (variables, functions, etc.), but on Windows the functions used to generate those random values don't work as they should and therefore produce the compilation error. I will fix it for Windows as soon as possible.

D3Ext avatar Nov 25 '24 12:11 D3Ext
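The comment above pins the Windows build failure on the random-name generation used for obfuscation, but the page does not show the defect itself. As an added example (not Hooka's own code), this is how a loader generator can produce identifiers that are valid on every platform: names are drawn from crypto/rand, forced to begin with a letter, and checked with go/token so that a keyword such as `go` or `if` is never written into the template. The function names, the identifier length and the three original names in main are assumptions for illustration.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"go/token"
	"math/big"
)

const (
	identLetters = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
	identAlnum   = identLetters + "0123456789"
)

// randIndex draws a uniform index in [0, n) from crypto/rand, which Go backs
// with the OS CSPRNG on every supported platform, Windows included.
func randIndex(n int) (int, error) {
	v, err := rand.Int(rand.Reader, big.NewInt(int64(n)))
	if err != nil {
		return 0, err
	}
	return int(v.Int64()), nil
}

// RandomIdentifier returns a Go identifier of the given length. The first
// character is always a letter, so the name can never start with a digit, and
// the result is validated with go/token, which rejects keywords, so a name
// like "if" or "go" is redrawn instead of breaking the generated source.
func RandomIdentifier(length int) (string, error) {
	if length < 1 {
		return "", fmt.Errorf("identifier length must be >= 1")
	}
	for {
		buf := make([]byte, length)
		for i := range buf {
			set := identAlnum
			if i == 0 {
				set = identLetters
			}
			idx, err := randIndex(len(set))
			if err != nil {
				return "", err
			}
			buf[i] = set[idx]
		}
		name := string(buf)
		if token.IsIdentifier(name) { // false for keywords such as "func", "if", "go"
			return name, nil
		}
	}
}

// RenameMap builds unique replacement names for a set of original identifiers,
// the step a loader generator performs before templating out its source.
// Uniqueness matters: two symbols renamed to the same string is a redeclaration
// error at compile time.
func RenameMap(originals []string, length int) (map[string]string, error) {
	out := make(map[string]string, len(originals))
	used := make(map[string]bool, len(originals))
	for _, o := range originals {
		for {
			n, err := RandomIdentifier(length)
			if err != nil {
				return nil, err
			}
			if !used[n] {
				used[n] = true
				out[o] = n
				break
			}
		}
	}
	return out, nil
}

func main() {
	// Constructed list of symbols a loader template might carry (hypothetical names).
	m, err := RenameMap([]string{"decryptShellcode", "patchAmsi", "injectApc"}, 12)
	if err != nil {
		panic(err)
	}
	for k, v := range m {
		fmt.Printf("%-18s -> %s (valid identifier: %v)\n", k, v, token.IsIdentifier(v))
	}
}
```

The validation step is the part worth copying: a generated name that starts with a digit, collides with a keyword, or is emitted twice compiles nowhere, and `go build` reports nothing more helpful than the opaque `exit status 1` seen in the logs above, so checking every name before it reaches the template is cheaper than debugging the compiler output afterwards.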

Now it seems fine. Let me know if it works for you, in order to close this issue.

D3Ext avatar Nov 25 '24 12:11 D3Ext

The new update fixed the issue, many thanks.

EDIT: C:\Users\Legend\Downloads\Hooka-main\build>hooka_windows_amd64.exe --calc -o test.exe

[*] Using calc.exe shellcode

[*] Defining evasion techniques...
[*] Using suspendedprocess technique to execute shellcode
[*] Obfuscating variables and functions...
[*] Compiling shellcode loader...

Payload format is set to EXE
2721792 bytes written to test.exe

[+] Loader file entropy: 6.907725190531362
[+] Checksums:

MD5: ab6048ce93d82588723b2a97b8e0100f
SHA1: e24e30ead2f2b4e1cadf21c21758ef73a15f3923
SHA256: ab21c825303c96233f7bd16644071f795a729d1a803e95e6c0b4f8801cd707d0

[+] Shellcode loader has been successfully generated

got this error while running the calc dummy test

EDIT2: using raw shellcode works fine

EDIT3:

C:\Users\Legend\Downloads\Hooka-main\build>hooka_windows_amd64.exe -i encrypted -o RTSM.exe --exec NtQueueApcThreadEx --unhook peruns --strings

[*] Obtaining shellcode from encrypted

Shellcode is in raw format

[*] Defining evasion techniques...
[*] Using ntqueueapcthreadex technique to execute shellcode
[*] Obfuscating variables and functions...
[*] Compiling shellcode loader...

Payload format is set to EXE
2861056 bytes written to RTSM.exe

[+] Loader file entropy: 6.949814728298452
[+] Checksums:

MD5: cd3a7f693852be04c9e0c4a5746b4781
SHA1: 6e2c993f80fc835899a4185d6e67c90ab182da3d
SHA256: 701a3007d102686f2beecc55d0331dfe58b32f514864ff6d36289bffc0a7f082

[+] Shellcode loader has been successfully generated

Problem: the file still creates notepad.exe and somehow crashes the loader/application.

NightFuryPrime avatar Nov 25 '24 14:11 NightFuryPrime

I see that your input shellcode is called "encrypted". Is it AES encryption or anything similar? In case you want to encrypt the shellcode you should use the --enc flag because if you have encrypted your shellcode it has to be decrypted later, before executing it.

D3Ext avatar Nov 25 '24 19:11 D3Ext
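The comment above makes a general point that is easy to get wrong when chaining tools: shellcode that was encrypted outside the generator has to be decrypted by the loader itself before it reaches any injection technique, otherwise the loader hands ciphertext to the execution primitive. The following is an added example, not Hooka's own --enc implementation, that models both halves with AES-256-GCM; the function names, the fixed demo key and the two-byte stand-in for shellcode are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// EncryptShellcode is the build-time half: it seals raw shellcode with
// AES-256-GCM and returns nonce || ciphertext || tag, the blob that would be
// embedded in the loader. Illustrative scheme, not Hooka's.
func EncryptShellcode(key, shellcode []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, shellcode, nil), nil
}

// DecryptShellcode is the run-time half the loader must call before handing
// bytes to an injection primitive. GCM authentication means a blob that was
// not produced with this key fails here rather than being executed as garbage.
func DecryptShellcode(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob shorter than nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// StageForExecution models the point where a loader passes bytes to an
// injection technique. decrypt is nil when the loader was built without a
// decryption step, in which case whatever it was given is what would run.
func StageForExecution(blob []byte, decrypt func([]byte) ([]byte, error)) ([]byte, error) {
	if decrypt == nil {
		return blob, nil
	}
	return decrypt(blob)
}

func main() {
	// Constructed stand-in for shellcode (x64 int3; ret), not a real payload.
	shellcode := []byte{0xCC, 0xC3}
	key := bytes.Repeat([]byte{0x41}, 32) // demo key; a real build would randomize it

	blob, err := EncryptShellcode(key, shellcode)
	if err != nil {
		panic(err)
	}
	// Case 1: the loader knows the key, so the original bytes are what executes.
	withDec, _ := StageForExecution(blob, func(b []byte) ([]byte, error) { return DecryptShellcode(key, b) })
	fmt.Printf("with decryption:    %x (matches original: %v)\n", withDec, bytes.Equal(withDec, shellcode))
	// Case 2: pre-encrypted input fed to a loader that has no decryption step.
	withoutDec, _ := StageForExecution(blob, nil)
	fmt.Printf("without decryption: %x... (matches original: %v)\n", withoutDec[:4], bytes.Equal(withoutDec, shellcode))
}
```

The authentication tag is the practical win of an AEAD here: a blob encrypted with a different key or by a different tool fails inside DecryptShellcode with an error, which is a far easier symptom to diagnose than the loader crashing after it has already jumped into ciphertext.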

I also have to say that some injection techniques are more stable than others. For example, NtCreateThreadEx and the default SuspendedProcess are much more stable.

D3Ext avatar Nov 25 '24 19:11 D3Ext

Anyway, I have paid more attention to the error image and it seems that one Windows API function is not being resolved properly. I will also see if that is the problem.

D3Ext avatar Nov 25 '24 19:11 D3Ext

I see that your input shellcode is called "encrypted". Is it AES encryption or anything similar? In case you want to encrypt the shellcode you should use the --enc flag because if you have encrypted your shellcode it has to be decrypted later, before executing it.

"Encrypted" file in this scenario means that part of the payload (strings) was "encrypted/obfuscated" internally with base64, but the same issues were encountered without encryption/obfuscation.

NtCreateThreadEx and SuspendedProcess are detected during execution by WD, Avira and ESET. Also, the AMSI patch, I think, is not working properly.

Another bug found: I can't remove the AMSI and ETW patch from the loader, the output gets corrupted during runtime.

NightFuryPrime avatar Nov 25 '24 20:11 NightFuryPrime

OK, I will also test different scenarios with and without AMSI patching. Sorry for the bugs. Try it on Linux and it may work, at least it never gave me errors.

D3Ext avatar Nov 25 '24 21:11 D3Ext

I think I would open a new issue for each bug I find separately, it would be a better way to track issues.

OK, I will also test different scenarios with and without AMSI patching. Sorry for the bugs. Try it on Linux and it may work, at least it never gave me errors.

I mainly use Win OS for testing, and bugs are expected :) The tool is still in development, so there is still room for improvement.

NightFuryPrime avatar Nov 26 '24 11:11 NightFuryPrime