Crystal binary not working #122

Open
lap1nou opened this issue Mar 9, 2023 · 1 comment
lap1nou commented Mar 9, 2023

Hello,

First of all thank you for this amazing tool.

I'm struggling to create shellcode from a binary compiled using the Crystal programming language (https://crystal-lang.org/). Crystal is a recent compiled language; as I understand it, the code is translated to LLVM and then compiled (using MSVC in my case) (ref: https://crystal-lang.org/2015/03/04/internals/).

Here is the source code of my Crystal program:

File.write("C:\\Users\\User\\test.txt", "This is the file content")

The code itself is working, and I tried with a "normal" C program and Donut is working fine. Here are all the steps I take:

  1. I compile my Crystal binary using this command: crystal.exe build -d .\test.cr. This produces a binary called test.exe; this binary has a .reloc section, and I enabled the debug build using the -d flag.
  2. I use Donut like this: .\donut.exe -i .\test.exe. This gives me a file called loader.bin.
  3. I then try to use this shellcode with the default shellcode runner: .\inject_local.exe ..\loader.bin, but no file is created.

If you want, I can provide a binary directly, and if you don't want to spend time on this issue I will understand; Crystal is not yet very well known, and I understand you will not try to support all the languages of the world.

Regards.

lap1nou commented Mar 11, 2023

Here is the output of the debug mode, in case it is useful:

PS C:\Users\User\donut> .\donut.exe -i .\test.exe

  [ Donut shellcode generator v1 (built Mar 11 2023 12:16:37)
  [ Copyright (c) 2019-2021 TheWover, Odzhan

DEBUG: donut.c:1817:get_opt(): Arg type for h;?, help : None
DEBUG: donut.c:1817:get_opt(): Arg type for a, arch : Decimal
DEBUG: donut.c:1817:get_opt(): Arg type for b, bypass : Decimal
DEBUG: donut.c:1817:get_opt(): Arg type for k, headers : Decimal
DEBUG: donut.c:1817:get_opt(): Arg type for c, class : String
DEBUG: donut.c:1817:get_opt(): Arg type for d, domain : String
DEBUG: donut.c:1817:get_opt(): Arg type for e, entropy : Decimal
DEBUG: donut.c:1817:get_opt(): Arg type for f, format : Decimal
DEBUG: donut.c:1817:get_opt(): Arg type for i, input;file : String
DEBUG: donut.c:1894:get_opt(): Found match
DEBUG: donut.c:1912:get_opt(): Parsing .\test.exe

DEBUG: donut.c:1925:get_opt(): Copying .\test.exe to output
DEBUG: donut.c:1817:get_opt(): Arg type for m, method;function : String
DEBUG: donut.c:1817:get_opt(): Arg type for n, modname : String
DEBUG: donut.c:1817:get_opt(): Arg type for j, decoy : String
DEBUG: donut.c:1817:get_opt(): Arg type for o, output : String
DEBUG: donut.c:1817:get_opt(): Arg type for p, params;args : String
DEBUG: donut.c:1817:get_opt(): Arg type for r, runtime : String
DEBUG: donut.c:1817:get_opt(): Arg type for s, server : String
DEBUG: donut.c:1817:get_opt(): Arg type for t, thread : Flag
DEBUG: donut.c:1817:get_opt(): Arg type for w, unicode : Flag
DEBUG: donut.c:1817:get_opt(): Arg type for x, exit : Decimal
DEBUG: donut.c:1817:get_opt(): Arg type for y, oep;fork : Hexadecimal
DEBUG: donut.c:1817:get_opt(): Arg type for z, compress : Decimal
DEBUG: donut.c:1575:DonutCreate(): Entering.
DEBUG: donut.c:1347:validate_loader_cfg(): Validating loader configuration.
DEBUG: donut.c:1450:validate_loader_cfg(): Loader configuration passed validation.
DEBUG: donut.c:474:read_file_info(): Entering.
DEBUG: donut.c:482:read_file_info(): Checking extension of .\test.exe
DEBUG: donut.c:490:read_file_info(): Extension is ".exe"
DEBUG: donut.c:506:read_file_info(): File is EXE
DEBUG: donut.c:518:read_file_info(): Mapping .\test.exe into memory
DEBUG: donut.c:262:map_file(): Entering.
DEBUG: donut.c:546:read_file_info(): Checking characteristics
DEBUG: donut.c:597:read_file_info(): Leaving with error :  0
DEBUG: donut.c:1516:validate_file_cfg(): Validating configuration for input file.
DEBUG: donut.c:1558:validate_file_cfg(): Validation passed.
DEBUG: donut.c:689:build_module(): Entering.
DEBUG: donut.c:703:build_module(): Assigning 2403328 bytes of 000002690B770000 to data
DEBUG: donut.c:710:build_module(): Allocating 2404656 bytes of memory for DONUT_MODULE
DEBUG: donut.c:794:build_module(): Copying data to module
DEBUG: donut.c:806:build_module(): Leaving with error :  0
DEBUG: donut.c:826:build_instance(): Entering.
DEBUG: donut.c:829:build_instance(): Allocating memory for instance
DEBUG: donut.c:836:build_instance(): The size of module is 2404656 bytes. Adding to size of instance.
DEBUG: donut.c:839:build_instance(): Total length of instance : 2409408
DEBUG: donut.c:870:build_instance(): Generating random key for instance
DEBUG: donut.c:879:build_instance(): Generating random key for module
DEBUG: donut.c:888:build_instance(): Generating random string to verify decryption
DEBUG: donut.c:895:build_instance(): Generating random IV for Maru hash
DEBUG: donut.c:903:build_instance(): Generating hashes for API using IV: A2C29EA8B9E10E17
DEBUG: donut.c:916:build_instance(): Hash for kernel32.dll    : LoadLibraryA           = 899811C3629617B1
DEBUG: donut.c:916:build_instance(): Hash for kernel32.dll    : GetProcAddress         = B8FEC1A5DF6AF617
DEBUG: donut.c:916:build_instance(): Hash for kernel32.dll    : GetModuleHandleA       = 9B8273CBF1F8CB2F
DEBUG: donut.c:916:build_instance(): Hash for kernel32.dll    : VirtualAlloc           = 42711CB811A2E776
DEBUG: donut.c:916:build_instance(): Hash for kernel32.dll    : VirtualFree            = A48AAA89565858F7
DEBUG: donut.c:916:build_instance(): Hash for kernel32.dll    : VirtualQuery           = EF553D8E03C74C82
DEBUG: donut.c:916:build_instance(): Hash for kernel32.dll    : VirtualProtect         = 602366033C00A0B3
DEBUG: donut.c:916:build_instance(): Hash for kernel32.dll    : Sleep                  = 6AD22F6136FB14FD
DEBUG: donut.c:916:build_instance(): Hash for kernel32.dll    : MultiByteToWideChar    = CBE439E0F37AAEBD
DEBUG: donut.c:916:build_instance(): Hash for kernel32.dll    : GetUserDefaultLCID     = E77DFEC24629CF95
DEBUG: donut.c:916:build_instance(): Hash for kernel32.dll    : WaitForSingleObject    = C48554C18E33252A
DEBUG: donut.c:916:build_instance(): Hash for kernel32.dll    : CreateThread           = BE2B2A265E9C2258
DEBUG: donut.c:916:build_instance(): Hash for kernel32.dll    : CreateFileA            = 215C65924D68DAC7
DEBUG: donut.c:916:build_instance(): Hash for kernel32.dll    : GetFileSizeEx          = B191D876400CD4BF
DEBUG: donut.c:916:build_instance(): Hash for kernel32.dll    : GetThreadContext       = 8EC05CC4DA2114E1
DEBUG: donut.c:916:build_instance(): Hash for kernel32.dll    : GetCurrentThread       = D93339F4E5CC1A37
DEBUG: donut.c:916:build_instance(): Hash for kernel32.dll    : GetCurrentProcess      = 9F62D868E859BFD9
DEBUG: donut.c:916:build_instance(): Hash for kernel32.dll    : GetCommandLineA        = 34EE41D5626FE262
DEBUG: donut.c:916:build_instance(): Hash for kernel32.dll    : GetCommandLineW        = D5ACF8EF8F896BE4
DEBUG: donut.c:916:build_instance(): Hash for kernel32.dll    : HeapAlloc              = 960605E0A4B417B4
DEBUG: donut.c:916:build_instance(): Hash for kernel32.dll    : HeapReAlloc            = C946DBCF003DE294
DEBUG: donut.c:916:build_instance(): Hash for kernel32.dll    : GetProcessHeap         = 31A61E6288513978
DEBUG: donut.c:916:build_instance(): Hash for kernel32.dll    : HeapFree               = 5C648D6AAB35D0CE
DEBUG: donut.c:916:build_instance(): Hash for kernel32.dll    : GetLastError           = 583A6684749BB923
DEBUG: donut.c:916:build_instance(): Hash for kernel32.dll    : CloseHandle            = 9C3EDDC3EE852954
DEBUG: donut.c:916:build_instance(): Hash for shell32.dll     : CommandLineToArgvW     = DDC4350C6E3413C9
DEBUG: donut.c:916:build_instance(): Hash for oleaut32.dll    : SafeArrayCreate        = 77D04F7F1E1717F0
DEBUG: donut.c:916:build_instance(): Hash for oleaut32.dll    : SafeArrayCreateVector  = FB2A4E7DA4C5FD23
DEBUG: donut.c:916:build_instance(): Hash for oleaut32.dll    : SafeArrayPutElement    = 1276F5A840DAE095
DEBUG: donut.c:916:build_instance(): Hash for oleaut32.dll    : SafeArrayDestroy       = 0FEDD0632D55374B
DEBUG: donut.c:916:build_instance(): Hash for oleaut32.dll    : SafeArrayGetLBound     = 7EC1B0F19AD7A299
DEBUG: donut.c:916:build_instance(): Hash for oleaut32.dll    : SafeArrayGetUBound     = C6C2A5020E5C1006
DEBUG: donut.c:916:build_instance(): Hash for oleaut32.dll    : SysAllocString         = DC1FE6AF3D3E056D
DEBUG: donut.c:916:build_instance(): Hash for oleaut32.dll    : SysFreeString          = 60B156584B2BC0F7
DEBUG: donut.c:916:build_instance(): Hash for oleaut32.dll    : LoadTypeLib            = B5A6760D74A5F0A5
DEBUG: donut.c:916:build_instance(): Hash for wininet.dll     : InternetCrackUrlA      = E4449831327088C2
DEBUG: donut.c:916:build_instance(): Hash for wininet.dll     : InternetOpenA          = 1679D62DD44DE558
DEBUG: donut.c:916:build_instance(): Hash for wininet.dll     : InternetConnectA       = 28F5894093B194AC
DEBUG: donut.c:916:build_instance(): Hash for wininet.dll     : InternetSetOptionA     = 065C9B4555AE1245
DEBUG: donut.c:916:build_instance(): Hash for wininet.dll     : InternetReadFile       = 6C0CA47E3A1642AD
DEBUG: donut.c:916:build_instance(): Hash for wininet.dll     : InternetQueryDataAvailable = FBEE4DC77784C8A4
DEBUG: donut.c:916:build_instance(): Hash for wininet.dll     : InternetCloseHandle    = E728F03A8EB8A0D8
DEBUG: donut.c:916:build_instance(): Hash for wininet.dll     : HttpOpenRequestA       = 34086C47298D6BCB
DEBUG: donut.c:916:build_instance(): Hash for wininet.dll     : HttpSendRequestA       = B9357CE84A13D552
DEBUG: donut.c:916:build_instance(): Hash for wininet.dll     : HttpQueryInfoA         = 977EFCAA7FDD0515
DEBUG: donut.c:916:build_instance(): Hash for mscoree.dll     : CorBindToRuntime       = 85243C6FE59AE306
DEBUG: donut.c:916:build_instance(): Hash for mscoree.dll     : CLRCreateInstance      = 5A63F1DD6D561D11
DEBUG: donut.c:916:build_instance(): Hash for ole32.dll       : CoInitializeEx         = 7C5F848AE143FAE3
DEBUG: donut.c:916:build_instance(): Hash for ole32.dll       : CoCreateInstance       = 242F8382755DBC7B
DEBUG: donut.c:916:build_instance(): Hash for ole32.dll       : CoUninitialize         = 71B8D50B695AB87E
DEBUG: donut.c:916:build_instance(): Hash for ntdll.dll       : RtlEqualUnicodeString  = F962773B547A060F
DEBUG: donut.c:916:build_instance(): Hash for ntdll.dll       : RtlEqualString         = 46D80DA45C8ABE03
DEBUG: donut.c:916:build_instance(): Hash for ntdll.dll       : RtlUnicodeStringToAnsiString = DE0C014F7C1B7967
DEBUG: donut.c:916:build_instance(): Hash for ntdll.dll       : RtlInitUnicodeString   = 9B74A1977A276A8F
DEBUG: donut.c:916:build_instance(): Hash for ntdll.dll       : RtlExitUserThread      = C0DA5CDA3F0E4F1B
DEBUG: donut.c:916:build_instance(): Hash for ntdll.dll       : RtlExitUserProcess     = 409F303B4F9FEB48
DEBUG: donut.c:916:build_instance(): Hash for ntdll.dll       : RtlCreateUnicodeString = 6DDB7EC7337A30A1
DEBUG: donut.c:916:build_instance(): Hash for ntdll.dll       : RtlGetCompressionWorkSpaceSize = 1D37073E82850F4E
DEBUG: donut.c:916:build_instance(): Hash for ntdll.dll       : RtlDecompressBuffer    = AA377AAE3C5E2ABD
DEBUG: donut.c:916:build_instance(): Hash for ntdll.dll       : NtContinue             = 4159309699554454
DEBUG: donut.c:916:build_instance(): Hash for ntdll.dll       : NtCreateSection        = D44B82E52BC6F110
DEBUG: donut.c:916:build_instance(): Hash for ntdll.dll       : NtMapViewOfSection     = CE54C3360CC70AB9
DEBUG: donut.c:916:build_instance(): Hash for ntdll.dll       : NtUnmapViewOfSection   = 597C97A827799E9B
DEBUG: donut.c:919:build_instance(): Setting number of API to 63
DEBUG: donut.c:922:build_instance(): Setting DLL names to ole32;oleaut32;wininet;mscoree;shell32
DEBUG: donut.c:965:build_instance(): Copying strings required to bypass AMSI
DEBUG: donut.c:973:build_instance(): Copying strings required to bypass WLDP
DEBUG: donut.c:979:build_instance(): Copying strings required to bypass ETW
DEBUG: donut.c:1052:build_instance(): Copying module data to instance
DEBUG: donut.c:1058:build_instance(): Encrypting instance
DEBUG: donut.c:1076:build_instance(): Leaving with error :  0
DEBUG: donut.c:1251:build_loader(): Inserting opcodes
DEBUG: donut.c:1300:build_loader(): Copying 25077 bytes of x86 + amd64 shellcode
DEBUG: donut.c:1124:save_loader(): Saving instance 000002690BC25040 to file. 2409408 bytes.
DEBUG: donut.c:1095:save_file(): Entering.
DEBUG: donut.c:1099:save_file(): Writing 2409408 bytes of 000002690BC25040 to instance
DEBUG: donut.c:1104:save_file(): Leaving with error :  0
DEBUG: donut.c:1176:save_loader(): Saving loader as binary
DEBUG: donut.c:1213:save_loader(): Leaving with error :  0
DEBUG: donut.c:1610:DonutCreate(): Leaving with error :  0
  [ Instance type : Embedded
  [ Module file   : ".\test.exe"
  [ Entropy       : Random names + Encryption
  [ File type     : EXE
  [ Target CPU    : x86+amd64
  [ AMSI/WDLP/ETW : continue
  [ PE Headers    : overwrite
  [ Shellcode     : "loader.bin"
  [ Exit          : Thread
DEBUG: donut.c:1626:DonutDelete(): Entering.
DEBUG: donut.c:1632:DonutDelete(): Releasing memory for module.
DEBUG: donut.c:1638:DonutDelete(): Releasing memory for configuration.
DEBUG: donut.c:1644:DonutDelete(): Releasing memory for loader.
DEBUG: donut.c:311:unmap_file(): Unmapping input file.
DEBUG: donut.c:316:unmap_file(): Closing input file.
DEBUG: donut.c:1650:DonutDelete(): Leaving.
PS C:\Users\User\donut> .\loader .\instance
Running...
DEBUG: loader.c:46:DonutLoader(): sizeof(DONUT_INSTANCE)        : 4752

DEBUG: loader.c:47:DonutLoader(): offsetof(DONUT_INSTANCE, api) : 48

DEBUG: loader.c:116:MainProc(): Maru IV : A2C29EA8B9E10E17
DEBUG: loader.c:119:MainProc(): Resolving address for VirtualAlloc() : 42711CB811A2E776
DEBUG: loader.c:123:MainProc(): Resolving address for VirtualFree() : A48AAA89565858F7
DEBUG: loader.c:127:MainProc(): Resolving address for RtlExitUserProcess() : 409F303B4F9FEB48
DEBUG: loader.c:140:MainProc(): VirtualAlloc : 00007FF843FD3F00 VirtualFree : 00007FF843FD4AE0
DEBUG: loader.c:142:MainProc(): Allocating 2409408 bytes of RW memory
DEBUG: loader.c:154:MainProc(): Copying 2409408 bytes of data to memory 000001C434D70000
DEBUG: loader.c:158:MainProc(): Zero initializing PDONUT_ASSEMBLY
DEBUG: loader.c:167:MainProc(): Decrypting 2409408 bytes of instance
DEBUG: loader.c:174:MainProc(): Generating hash to verify decryption
DEBUG: loader.c:176:MainProc(): Instance : 658304F9341DD20A | Result : 658304F9341DD20A
DEBUG: loader.c:183:MainProc(): Resolving LoadLibraryA
DEBUG: peb.c:187:xGetLibAddress(): Searching for DLL in PEB: ole32.dll
DEBUG: peb.c:213:xGetLibAddress(): Address of DLL: 00007FF842420000
DEBUG: peb.c:187:xGetLibAddress(): Searching for DLL in PEB: oleaut32.dll
DEBUG: peb.c:213:xGetLibAddress(): Address of DLL: 0000000000000000
DEBUG: peb.c:218:xGetLibAddress(): Dll not found. Loaded oleaut32.dll via LoadLibrary at 0x00007FF8444F0000
DEBUG: peb.c:187:xGetLibAddress(): Searching for DLL in PEB: wininet.dll
DEBUG: peb.c:213:xGetLibAddress(): Address of DLL: 0000000000000000
DEBUG: peb.c:218:xGetLibAddress(): Dll not found. Loaded wininet.dll via LoadLibrary at 0x00007FF82C2F0000
DEBUG: peb.c:187:xGetLibAddress(): Searching for DLL in PEB: mscoree.dll
DEBUG: peb.c:213:xGetLibAddress(): Address of DLL: 0000000000000000
DEBUG: peb.c:218:xGetLibAddress(): Dll not found. Loaded mscoree.dll via LoadLibrary at 0x00007FF8183B0000
DEBUG: peb.c:187:xGetLibAddress(): Searching for DLL in PEB: shell32.dll
DEBUG: peb.c:213:xGetLibAddress(): Address of DLL: 0000000000000000
DEBUG: peb.c:218:xGetLibAddress(): Dll not found. Loaded shell32.dll via LoadLibrary at 0x00007FF843680000
DEBUG: loader.c:203:MainProc(): Resolving 63 API
DEBUG: loader.c:206:MainProc(): Resolving API address for B8FEC1A5DF6AF617
DEBUG: loader.c:206:MainProc(): Resolving API address for 9B8273CBF1F8CB2F
DEBUG: loader.c:206:MainProc(): Resolving API address for 42711CB811A2E776
DEBUG: loader.c:206:MainProc(): Resolving API address for A48AAA89565858F7
DEBUG: loader.c:206:MainProc(): Resolving API address for EF553D8E03C74C82
DEBUG: loader.c:206:MainProc(): Resolving API address for 602366033C00A0B3
DEBUG: loader.c:206:MainProc(): Resolving API address for 6AD22F6136FB14FD
DEBUG: loader.c:206:MainProc(): Resolving API address for CBE439E0F37AAEBD
DEBUG: loader.c:206:MainProc(): Resolving API address for E77DFEC24629CF95
DEBUG: loader.c:206:MainProc(): Resolving API address for C48554C18E33252A
DEBUG: loader.c:206:MainProc(): Resolving API address for BE2B2A265E9C2258
DEBUG: loader.c:206:MainProc(): Resolving API address for 215C65924D68DAC7
DEBUG: loader.c:206:MainProc(): Resolving API address for B191D876400CD4BF
DEBUG: loader.c:206:MainProc(): Resolving API address for 8EC05CC4DA2114E1
DEBUG: loader.c:206:MainProc(): Resolving API address for D93339F4E5CC1A37
DEBUG: loader.c:206:MainProc(): Resolving API address for 9F62D868E859BFD9
DEBUG: loader.c:206:MainProc(): Resolving API address for 34EE41D5626FE262
DEBUG: loader.c:206:MainProc(): Resolving API address for D5ACF8EF8F896BE4
DEBUG: loader.c:206:MainProc(): Resolving API address for 960605E0A4B417B4
DEBUG: loader.c:206:MainProc(): Resolving API address for C946DBCF003DE294
DEBUG: loader.c:206:MainProc(): Resolving API address for 31A61E6288513978
DEBUG: loader.c:206:MainProc(): Resolving API address for 5C648D6AAB35D0CE
DEBUG: loader.c:206:MainProc(): Resolving API address for 583A6684749BB923
DEBUG: loader.c:206:MainProc(): Resolving API address for 9C3EDDC3EE852954
DEBUG: loader.c:206:MainProc(): Resolving API address for DDC4350C6E3413C9
DEBUG: loader.c:206:MainProc(): Resolving API address for 77D04F7F1E1717F0
DEBUG: loader.c:206:MainProc(): Resolving API address for FB2A4E7DA4C5FD23
DEBUG: loader.c:206:MainProc(): Resolving API address for 1276F5A840DAE095
DEBUG: loader.c:206:MainProc(): Resolving API address for 0FEDD0632D55374B
DEBUG: loader.c:206:MainProc(): Resolving API address for 7EC1B0F19AD7A299
DEBUG: loader.c:206:MainProc(): Resolving API address for C6C2A5020E5C1006
DEBUG: loader.c:206:MainProc(): Resolving API address for DC1FE6AF3D3E056D
DEBUG: loader.c:206:MainProc(): Resolving API address for 60B156584B2BC0F7
DEBUG: loader.c:206:MainProc(): Resolving API address for B5A6760D74A5F0A5
DEBUG: loader.c:206:MainProc(): Resolving API address for E4449831327088C2
DEBUG: loader.c:206:MainProc(): Resolving API address for 1679D62DD44DE558
DEBUG: loader.c:206:MainProc(): Resolving API address for 28F5894093B194AC
DEBUG: loader.c:206:MainProc(): Resolving API address for 065C9B4555AE1245
DEBUG: loader.c:206:MainProc(): Resolving API address for 6C0CA47E3A1642AD
DEBUG: loader.c:206:MainProc(): Resolving API address for FBEE4DC77784C8A4
DEBUG: loader.c:206:MainProc(): Resolving API address for E728F03A8EB8A0D8
DEBUG: loader.c:206:MainProc(): Resolving API address for 34086C47298D6BCB
DEBUG: loader.c:206:MainProc(): Resolving API address for B9357CE84A13D552
DEBUG: loader.c:206:MainProc(): Resolving API address for 977EFCAA7FDD0515
DEBUG: loader.c:206:MainProc(): Resolving API address for 85243C6FE59AE306
DEBUG: loader.c:206:MainProc(): Resolving API address for 5A63F1DD6D561D11
DEBUG: loader.c:206:MainProc(): Resolving API address for 7C5F848AE143FAE3
DEBUG: loader.c:206:MainProc(): Resolving API address for 242F8382755DBC7B
DEBUG: loader.c:206:MainProc(): Resolving API address for 71B8D50B695AB87E
DEBUG: loader.c:206:MainProc(): Resolving API address for F962773B547A060F
DEBUG: loader.c:206:MainProc(): Resolving API address for 46D80DA45C8ABE03
DEBUG: loader.c:206:MainProc(): Resolving API address for DE0C014F7C1B7967
DEBUG: loader.c:206:MainProc(): Resolving API address for 9B74A1977A276A8F
DEBUG: loader.c:206:MainProc(): Resolving API address for C0DA5CDA3F0E4F1B
DEBUG: loader.c:206:MainProc(): Resolving API address for 409F303B4F9FEB48
DEBUG: loader.c:206:MainProc(): Resolving API address for 6DDB7EC7337A30A1
DEBUG: loader.c:206:MainProc(): Resolving API address for 1D37073E82850F4E
DEBUG: loader.c:206:MainProc(): Resolving API address for AA377AAE3C5E2ABD
DEBUG: loader.c:206:MainProc(): Resolving API address for 4159309699554454
DEBUG: loader.c:206:MainProc(): Resolving API address for D44B82E52BC6F110
DEBUG: loader.c:206:MainProc(): Resolving API address for CE54C3360CC70AB9
DEBUG: loader.c:206:MainProc(): Resolving API address for 597C97A827799E9B
DEBUG: loader.c:238:MainProc(): Module is embedded.
DEBUG: peb.c:187:xGetLibAddress(): Searching for DLL in PEB: amsi.dll
DEBUG: peb.c:213:xGetLibAddress(): Address of DLL: 0000000000000000
DEBUG: peb.c:218:xGetLibAddress(): Dll not found. Loaded amsi.dll via LoadLibrary at 0x00007FF8301B0000
DEBUG: bypass.c:103:DisableAMSI(): Length of AmsiScanBufferStub is 36 bytes.
DEBUG: bypass.c:113:DisableAMSI(): Overwriting AmsiScanBuffer
DEBUG: bypass.c:128:DisableAMSI(): Length of AmsiScanStringStub is 36 bytes.
DEBUG: bypass.c:138:DisableAMSI(): Overwriting AmsiScanString
DEBUG: loader.c:246:MainProc(): DisableAMSI OK
DEBUG: loader.c:252:MainProc(): DisableWLDP OK
DEBUG: peb.c:187:xGetLibAddress(): Searching for DLL in PEB: ntdll.dll
DEBUG: peb.c:213:xGetLibAddress(): Address of DLL: 00007FF844610000
DEBUG: bypass.c:383:DisableETW(): Overwriting EtwEventWrite
DEBUG: loader.c:258:MainProc(): DisableETW OK
DEBUG: loader.c:311:MainProc(): Checking type of module
DEBUG: inmem_pe.c:114:RunPE(): Creating section of size 3919872 (0x3bd000) bytes for file
DEBUG: inmem_pe.c:127:RunPE(): Creating section to store PE.
DEBUG: inmem_pe.c:128:RunPE(): Requesting section size: 3919872
DEBUG: inmem_pe.c:131:RunPE(): NTSTATUS: 0
DEBUG: inmem_pe.c:182:RunPE(): Mapping local view of section to store PE.
DEBUG: inmem_pe.c:184:RunPE(): View size: 3919872
DEBUG: inmem_pe.c:188:RunPE(): NTSTATUS: 0
DEBUG: inmem_pe.c:191:RunPE(): Mapped to address: 000001C4351B0000
DEBUG: inmem_pe.c:211:RunPE(): Copying Headers
DEBUG: inmem_pe.c:212:RunPE(): nt->FileHeader.SizeOfOptionalHeader: 240
DEBUG: inmem_pe.c:213:RunPE(): nt->OptionalHeader.SizeOfHeaders: 1024
DEBUG: inmem_pe.c:215:RunPE(): Copying first section
DEBUG: inmem_pe.c:216:RunPE(): Copying 1024 bytes
DEBUG: inmem_pe.c:219:RunPE(): DOS Signature (Magic): 00005a4d, 000001C4351B0000
DEBUG: inmem_pe.c:220:RunPE(): NT Signature: 4550, 000001C4351B0108
DEBUG: inmem_pe.c:222:RunPE(): Updating ImageBase to final base address
DEBUG: inmem_pe.c:224:RunPE(): Updated ImageBase: 1942216179712X
DEBUG: inmem_pe.c:226:RunPE(): Copying each section to memory: 000001C4351B0000
DEBUG: inmem_pe.c:244:RunPE(): Copied section name: .text
DEBUG: inmem_pe.c:245:RunPE(): Copied section source offset: 0x1000
DEBUG: inmem_pe.c:246:RunPE(): Copied section dest offset: 0x400
DEBUG: inmem_pe.c:247:RunPE(): Copied section absolute address: 0x48
DEBUG: inmem_pe.c:248:RunPE(): Copied section size: 0x14D400
DEBUG: inmem_pe.c:244:RunPE(): Copied section name: .rdata
DEBUG: inmem_pe.c:245:RunPE(): Copied section source offset: 0x14F000
DEBUG: inmem_pe.c:246:RunPE(): Copied section dest offset: 0x14D800
DEBUG: inmem_pe.c:247:RunPE(): Copied section absolute address: 0x18
DEBUG: inmem_pe.c:248:RunPE(): Copied section size: 0xEEE00
DEBUG: inmem_pe.c:244:RunPE(): Copied section name: .data
DEBUG: inmem_pe.c:245:RunPE(): Copied section source offset: 0x23E000
DEBUG: inmem_pe.c:246:RunPE(): Copied section dest offset: 0x23C600
DEBUG: inmem_pe.c:247:RunPE(): Copied section absolute address: 0x80
DEBUG: inmem_pe.c:248:RunPE(): Copied section size: 0x1200
DEBUG: inmem_pe.c:244:RunPE(): Copied section name: .pdata
DEBUG: inmem_pe.c:245:RunPE(): Copied section source offset: 0x3AE000
DEBUG: inmem_pe.c:246:RunPE(): Copied section dest offset: 0x23D800
DEBUG: inmem_pe.c:247:RunPE(): Copied section absolute address: 0x0
DEBUG: inmem_pe.c:248:RunPE(): Copied section size: 0xC400
DEBUG: inmem_pe.c:244:RunPE(): Copied section name: _RDATA
DEBUG: inmem_pe.c:245:RunPE(): Copied section source offset: 0x3BB000
DEBUG: inmem_pe.c:246:RunPE(): Copied section dest offset: 0x249C00
DEBUG: inmem_pe.c:247:RunPE(): Copied section absolute address: 0x92
DEBUG: inmem_pe.c:248:RunPE(): Copied section size: 0x200
DEBUG: inmem_pe.c:244:RunPE(): Copied section name: .reloc
DEBUG: inmem_pe.c:245:RunPE(): Copied section source offset: 0x3BC000
DEBUG: inmem_pe.c:246:RunPE(): Copied section dest offset: 0x249E00
DEBUG: inmem_pe.c:247:RunPE(): Copied section absolute address: 0x0
DEBUG: inmem_pe.c:248:RunPE(): Copied section size: 0xE00
DEBUG: inmem_pe.c:251:RunPE(): Sections copied.
DEBUG: inmem_pe.c:254:RunPE(): Image Relocation Offset: 0x000001C2F51B0000
DEBUG: inmem_pe.c:257:RunPE(): Applying Relocations
DEBUG: inmem_pe.c:291:RunPE(): Processing the Import Table
DEBUG: peb.c:187:xGetLibAddress(): Searching for DLL in PEB: ADVAPI32.dll
DEBUG: peb.c:213:xGetLibAddress(): Address of DLL: 00007FF843F00000
DEBUG: peb.c:187:xGetLibAddress(): Searching for DLL in PEB: CRYPTBASE.dll
DEBUG: peb.c:213:xGetLibAddress(): Address of DLL: 0000000000000000
DEBUG: peb.c:218:xGetLibAddress(): Dll not found. Loaded CRYPTBASE.dll via LoadLibrary at 0x00007FF841160000
DEBUG: peb.c:67:FindReference(): Calling GetProcAddress(SystemFunction036)
DEBUG: peb.c:187:xGetLibAddress(): Searching for DLL in PEB: KERNEL32.dll
DEBUG: peb.c:213:xGetLibAddress(): Address of DLL: 00007FF843FC0000
DEBUG: peb.c:187:xGetLibAddress(): Searching for DLL in PEB: dbghelp.dll
DEBUG: peb.c:213:xGetLibAddress(): Address of DLL: 0000000000000000
DEBUG: peb.c:218:xGetLibAddress(): Dll not found. Loaded dbghelp.dll via LoadLibrary at 0x00007FF833AF0000
DEBUG: inmem_pe.c:384:RunPE(): Wiping Headers from memory
DEBUG: inmem_pe.c:399:RunPE(): Unmapping temporary local view of section to persist changes.
DEBUG: inmem_pe.c:401:RunPE(): NTSTATUS: 0
DEBUG: inmem_pe.c:406:RunPE(): No relocation information present, so using preferred address...
DEBUG: inmem_pe.c:411:RunPE(): Mapping writecopy local view of section to execute PE.
DEBUG: inmem_pe.c:413:RunPE(): View size: 3919872
DEBUG: inmem_pe.c:414:RunPE(): NTSTATUS: 0
DEBUG: inmem_pe.c:417:RunPE(): Mapped to address: 000001C4351B0000
DEBUG: inmem_pe.c:422:RunPE(): Pre-marking module as WC to avoid padding between PE sections staying RWX.
DEBUG: inmem_pe.c:425:RunPE(): Setting permissions for each PE section
DEBUG: inmem_pe.c:458:RunPE(): Section name: .text
DEBUG: inmem_pe.c:459:RunPE(): Section offset: 0x1000
DEBUG: inmem_pe.c:460:RunPE(): Section absolute address: 0x000001C4351B1000
DEBUG: inmem_pe.c:461:RunPE(): Section size: 0x14E000
DEBUG: inmem_pe.c:462:RunPE(): Section protections: 0x20
DEBUG: inmem_pe.c:458:RunPE(): Section name: .rdata
DEBUG: inmem_pe.c:459:RunPE(): Section offset: 0x14F000
DEBUG: inmem_pe.c:460:RunPE(): Section absolute address: 0x000001C4352FF000
DEBUG: inmem_pe.c:461:RunPE(): Section size: 0xEF000
DEBUG: inmem_pe.c:462:RunPE(): Section protections: 0x2
DEBUG: inmem_pe.c:458:RunPE(): Section name: .data
DEBUG: inmem_pe.c:459:RunPE(): Section offset: 0x23E000
DEBUG: inmem_pe.c:460:RunPE(): Section absolute address: 0x000001C4353EE000
DEBUG: inmem_pe.c:461:RunPE(): Section size: 0x170000
DEBUG: inmem_pe.c:462:RunPE(): Section protections: 0x8
DEBUG: inmem_pe.c:458:RunPE(): Section name: .pdata
DEBUG: inmem_pe.c:459:RunPE(): Section offset: 0x3AE000
DEBUG: inmem_pe.c:460:RunPE(): Section absolute address: 0x000001C43555E000
DEBUG: inmem_pe.c:461:RunPE(): Section size: 0xD000
DEBUG: inmem_pe.c:462:RunPE(): Section protections: 0x2
DEBUG: inmem_pe.c:458:RunPE(): Section name: _RDATA
DEBUG: inmem_pe.c:459:RunPE(): Section offset: 0x3BB000
DEBUG: inmem_pe.c:460:RunPE(): Section absolute address: 0x000001C43556B000
DEBUG: inmem_pe.c:461:RunPE(): Section size: 0x1000
DEBUG: inmem_pe.c:462:RunPE(): Section protections: 0x2
DEBUG: inmem_pe.c:458:RunPE(): Section name: .reloc
DEBUG: inmem_pe.c:459:RunPE(): Section offset: 0x3BC000
DEBUG: inmem_pe.c:460:RunPE(): Section absolute address: 0x000001C43556C000
DEBUG: inmem_pe.c:461:RunPE(): Section size: 0xE00
DEBUG: inmem_pe.c:462:RunPE(): Section protections: 0x2
DEBUG: inmem_pe.c:469:RunPE(): Setting permissions of module headers to READONLY (4096 bytes)
DEBUG: inmem_pe.c:580:RunPE(): Executing entrypoint: 000001C435271F04
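
The loader log above prints both "Applying Relocations" and, a few lines later, "No relocation information present, so using preferred address..." for a binary the reporter describes as having a .reloc section. What an in-memory PE loader consults when deciding whether it can rebase an image is the IMAGE_DIRECTORY_ENTRY_BASERELOC entry of the optional header's data directory, together with the IMAGE_FILE_RELOCS_STRIPPED bit in the file header Characteristics; a section merely named .reloc proves nothing on its own. The script below is an added example, not code from Donut or from the issue: it reads exactly those fields from a PE file using only struct (no pefile dependency) and counts the relocation entries, so the check can be run on test.exe before going further with the loader. The image produced by build_sample_pe is a constructed, synthetic PE32+ used only to exercise the checker, and the script file name in the usage note is arbitrary; the header offsets follow the PE/COFF specification.

```python
"""Check whether a PE carries the base-relocation data an in-memory loader needs.
Added example (not Donut's code): header offsets follow the PE/COFF spec, no pefile needed."""
import struct
import sys

IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # file header Characteristics bit
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # optional header DllCharacteristics bit
IMAGE_DIRECTORY_ENTRY_BASERELOC = 5


def parse_pe(data: bytes) -> dict:
    """Pull the header fields that decide whether an image can be rebased."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:    # PE32+: 8-byte ImageBase at +24, NumberOfRvaAndSizes at +108
        image_base, nrva_off = struct.unpack_from("<Q", data, opt + 24)[0], opt + 108
    elif magic == 0x10B:  # PE32: 4-byte ImageBase at +28, NumberOfRvaAndSizes at +92
        image_base, nrva_off = struct.unpack_from("<I", data, opt + 28)[0], opt + 92
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    nrva = struct.unpack_from("<I", data, nrva_off)[0]
    reloc_rva = reloc_size = 0
    if nrva > IMAGE_DIRECTORY_ENTRY_BASERELOC:  # data directory starts right after NumberOfRvaAndSizes
        reloc_rva, reloc_size = struct.unpack_from(
            "<II", data, nrva_off + 4 + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC)
    sections = []
    for i in range(nsections):  # section table follows the optional header, 40 bytes per entry
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "vaddr": vaddr,
                         "span": max(vsize, rawsize), "rawptr": rawptr})
    return {"image_base": image_base, "characteristics": chars, "dll_characteristics": dll_chars,
            "reloc_rva": reloc_rva, "reloc_size": reloc_size, "sections": sections}


def rva_to_offset(sections: list, rva: int) -> int:
    for s in sections:
        if s["vaddr"] <= rva < s["vaddr"] + s["span"]:
            return rva - s["vaddr"] + s["rawptr"]
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def count_relocations(data: bytes, pe: dict) -> int:
    """Walk the IMAGE_BASE_RELOCATION blocks; type 0 (ABSOLUTE) entries are alignment padding."""
    off = rva_to_offset(pe["sections"], pe["reloc_rva"])
    end, count = off + pe["reloc_size"], 0
    while off + 8 <= end:
        _page_rva, block_size = struct.unpack_from("<II", data, off)
        if block_size < 8:
            break
        n = (block_size - 8) // 2  # 16-bit entries: high 4 bits = type, low 12 bits = page offset
        count += sum(1 for (e,) in struct.iter_unpack("<H", data[off + 8:off + 8 + 2 * n]) if e >> 12)
        off += block_size
    return count


def relocation_report(data: bytes) -> dict:
    """What a loader sees: the directory entry and the stripped flag, not the section name."""
    pe = parse_pe(data)
    stripped = bool(pe["characteristics"] & IMAGE_FILE_RELOCS_STRIPPED)
    has_dir = pe["reloc_size"] != 0
    return {
        "image_base": hex(pe["image_base"]),
        "has_reloc_section": any(s["name"] == ".reloc" for s in pe["sections"]),
        "reloc_dir": (pe["reloc_rva"], pe["reloc_size"]),
        "reloc_entries": count_relocations(data, pe) if has_dir else 0,
        "relocs_stripped_flag": stripped,
        "dynamic_base_flag": bool(pe["dll_characteristics"] & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "rebasable": has_dir and not stripped,
    }


def build_sample_pe(with_relocs: bool) -> bytes:
    """Constructed sample PE32+, not real compiler output. Both variants carry a section
    literally named .reloc; only the directory entry and the stripped flag differ."""
    block = struct.pack("<II", 0x1000, 16) + struct.pack("<4H", 0xA000, 0xA008, 0, 0)  # 2 DIR64 + 2 pad
    chars = 0x0022 | (0 if with_relocs else IMAGE_FILE_RELOCS_STRIPPED)
    dirs = [(0, 0)] * 16
    if with_relocs:
        dirs[IMAGE_DIRECTORY_ENTRY_BASERELOC] = (0x2000, len(block))
    hdr = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0"
    hdr += struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 240, chars)
    hdr += struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII", 0x20B, 14, 0, 0x200, 0x400, 0, 0x1000, 0x1000,
                       0x140000000, 0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0, 0x3000, 0x200, 0, 3,
                       0x0140 if with_relocs else 0x0100, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    hdr += b"".join(struct.pack("<II", *d) for d in dirs)
    hdr += struct.pack("<8sIIIIIIHHI", b".text", 0x10, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    hdr += struct.pack("<8sIIIIIIHHI", b".reloc", len(block), 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0x42000040)
    return hdr.ljust(0x200, b"\0") + b"\xC3".ljust(0x200, b"\0") + block.ljust(0x200, b"\0")


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(True)
    for key, value in relocation_report(blob).items():
        print("%-22s %s" % (key, value))
```

Run it as python pe_reloc_check.py test.exe (the file name is arbitrary); with no argument it checks the synthetic sample. A report with has_reloc_section True but reloc_dir (0, 0) or relocs_stripped_flag True means the image cannot be rebased regardless of what the section table says, and the loader will have to land it at image_base; reloc_entries 0 with a non-empty directory points at a malformed relocation table rather than a missing one.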
