Comments (12)
That is very very odd. I am not sure why it calls back once and then dies... I'll take a look, but does the following happen on both binary and control loaders?
atlas + CLRvoyance + scarecrow = 1 callback then dead
atlas + confuserEx + donut + scarecrow = 1 callback then dead
It is odd.
Both are confirmed with both binary and control (just reconfirmed them moments ago just to be safe)
Could you provide me a link to the ConfuserEx repo you are using? I see a couple out there.
This is the repo I used for the testing:
https://github.com/mkaring/ConfuserEx
I downloaded the 1.5 release binary
I am looking into this and will update the thread as soon as I have info on it.
Awesome. Thanks for all the work you do on this! Let me know if I can help in any way.
Sorry, I've been off a bit. Circling back to this, could you do the following to test?
Can you run something like Process Hacker 2 and monitor the process? When you execute it, does the process terminate?
Can you use binary with -console mode and paste the terminal output?
Hey, sorry for the late reply. The process terminates immediately after the console finishes running. Originally the console output showed no errors, but now I'm seeing the following:
[DEBUG] [+] Detected Version: 10.0
[DEBUG] [+] Reloading: C:\Windows\System32\kernel32.dll
[DEBUG] [+] Reloading: C:\Windows\System32\kernelbase.dll
[DEBUG] [+] Reloading: C:\Windows\System32\ntdll.dll
[DEBUG] [+] EDR removed
[DEBUG] [*] Create a Pointer on stack
[DEBUG] [*] Loading shellcode into a string
[DEBUG] [*] Copy Pointer's attributes
[DEBUG] [*] Overwriten Pointer to point to shellcode String
[DEBUG] [*] Overwriting shellcode String with Pointer's attributes
Exception 0xc0000005 0x0 0x18 0x7ff9ec7811f0
PC=0x7ff9ec7811f0
signal arrived during external code execution
runtime.cgocall(0x7ff68783fd00, 0x7ff6879d6520)
runtime/cgocall.go:156 +0x4a fp=0xc000133dc0 sp=0xc000133d88 pc=0x7ff6877e392a
syscall.Syscall(0xc000372000, 0x0, 0x0, 0x0, 0x0)
runtime/syscall_windows.go:479 +0xf4 fp=0xc000133df8 sp=0xc000133dc0 pc=0x7ff68783aa54
syscall.Syscall(0x7ff6878e0050, 0xc00000e3c0, 0x5, 0x5, 0x0)
<autogenerated>:1 +0x2b fp=0xc000133e48 sp=0xc000133df8 pc=0x7ff687840bab
main.main()
BOQGcMfOIHZwwiD/OneDrive.go:613 +0x2677 fp=0xc000133f80 sp=0xc000133e48 pc=0x7ff6878a1857
runtime.main()
runtime/proc.go:255 +0x217 fp=0xc000133fe0 sp=0xc000133f80 pc=0x7ff6878167d7
runtime.goexit()
runtime/asm_amd64.s:1581 +0x1 fp=0xc000133fe8 sp=0xc000133fe0 pc=0x7ff68783e4c1
This was using a binary loader and no confuserex (exported shellcode directly from mythic).
Okay, so that's different than it calling home once.
Just FYI, I ran into the same issue with the latest ScareCrow + atlas agent:
Bumping this thread: is the shellcode in question staged or stageless?
Scarecrow 5.0 should address this.