pe_to_shellcode
pe_to_shellcode copied to clipboard
hasherezade
Donut works but pe2shc does not
Hello,
Im using the latest windows 10 and pe2shc version and my problem is, i cant get a successfull injection with pe2shc to work.
I have added my sample golang script, which uses createremotethread for injecting. If i do "donut -i calc.exe" and load it with my golang script, calc is popping up. But if i do "pe2shc calc.exe" and load it with my script, nothing happens. If i run the generated file from pe2shc and run it with a double click it works too.
package main
import (
"fmt"
"unsafe"
"syscall"
"os"
"bufio"
"io"
"golang.org/x/sys/windows"
)
func CreateProcess() *syscall.ProcessInformation{
var si syscall.StartupInfo
var pi syscall.ProcessInformation
commandLine, err := syscall.UTF16PtrFromString(`c:\windows\system32\notepad.exe`)
if err != nil {
fmt.Println(err)
}
err = syscall.CreateProcess(
nil,
commandLine,
nil,
nil,
false,
windows.CREATE_SUSPENDED | windows.CREATE_NO_WINDOW,
nil,
nil,
&si,
&pi)
if err != nil {
fmt.Println(err)
}
return &pi
}
func CreateRemoteThread(shellcode []byte) {
kernel32 := windows.NewLazySystemDLL("kernel32.dll")
virtualAllocEx := kernel32.NewProc("VirtualAllocEx")
virtualProtectEx := kernel32.NewProc("VirtualProtectEx")
writeProcessMemory := kernel32.NewProc("WriteProcessMemory")
createRemoteThread := kernel32.NewProc("CreateRemoteThread")
closeHandle := kernel32.NewProc("CloseHandle")
pi := CreateProcess()
oldProtect := windows.PAGE_READWRITE
lpBaseAddress, _, errVirtualAllocEx := virtualAllocEx.Call(uintptr(pi.Process), 0, uintptr(len(shellcode)), windows.MEM_COMMIT|windows.MEM_RESERVE, windows.PAGE_READWRITE)
if errVirtualAllocEx.Error() != "The operation completed successfully." {
fmt.Sprintf("Error calling VirtualAllocEx:\r\n%s", errVirtualAllocEx.Error())
}
_, _, errWriteProcessMemory := writeProcessMemory.Call(uintptr(pi.Process), lpBaseAddress, uintptr(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode)), 0)
if errWriteProcessMemory.Error() != "The operation completed successfully." {
fmt.Sprintf("Error calling WriteProcessMemory:\r\n%s", errWriteProcessMemory.Error())
}
_, _, errVirtualProtectEx := virtualProtectEx.Call(uintptr(pi.Process), lpBaseAddress, uintptr(len(shellcode)), windows.PAGE_EXECUTE_READ, uintptr(unsafe.Pointer(&oldProtect)))
if errVirtualProtectEx.Error() != "The operation completed successfully." {
fmt.Sprintf("Error calling VirtualProtectEx:\r\n%s", errVirtualProtectEx.Error())
}
_, _, errCreateRemoteThreadEx := createRemoteThread.Call(uintptr(pi.Process), 0, 0, lpBaseAddress, 0, 0, 0)
if errCreateRemoteThreadEx.Error() != "The operation completed successfully." {
fmt.Sprintf("Error calling CreateRemoteThreadEx:\r\n%s", errCreateRemoteThreadEx.Error())
}
_, _, errCloseHandle := closeHandle.Call(uintptr(pi.Process))
if errCloseHandle.Error() != "The operation completed successfully." {
fmt.Sprintf("Error calling CloseHandle:\r\n%s", errCloseHandle.Error())
}
fmt.Println("INJECTED!")
}
func main() {
file, err := os.Open("calc.shc.exe")
if err != nil {
fmt.Println(err)
return
}
defer file.Close()
// Get the file size
stat, err := file.Stat()
if err != nil {
fmt.Println(err)
return
}
// Read the file into a byte slice
shellcode := make([]byte, stat.Size())
_, err = bufio.NewReader(file).Read(shellcode)
if err != nil && err != io.EOF {
fmt.Println(err)
return
}
CreateRemoteThread(shellcode)
}
Hi! Thank you for reporting, I will check it whenever I get some free time.
ok, thank you for the update @Beykir ! I am glad that this is solved :)