Execution fails when using '--stomp-headers' #3

Open
A32AN opened this issue Sep 8, 2021 · 2 comments

Comments

@A32AN

A32AN commented Sep 8, 2021

Hi,

I'm seeing failures when using the "--stomp-headers" argument. I'm using the following command line:
ExecuteAssembly --dotnetassembly /tmp/Seatbelt.exe --unlink-modules --etw --asmi --stomp-headers

Which results in something like this:
[*] Tasked beacon to run: @Args
[*] Tasked beacon to spawn x86 features to: %windir%\SysWOW64\ScriptRunner.exe
[*] Tasked beacon to spawn x64 features to: %windir%\sysnative\ScriptRunner.exe
[*] Tasked beacon to spawn .NET Assembly /tmp/Seatbelt.exe'
[+] host called home, sent: 85 bytes
[+] host called home, sent: 480116 bytes
[+] received output:
[*]:-----------------------------------------
[i]: .NET Assembly Length: 548352 bytes
[+]: Parsing Arguments
[i]: Args count: 1
[+]: Base64 Decoding & Decompressing .NET Assembly...
[+]: Base64 Decoding & Decompressing Done.
[*]:-----------------------------------------
[+]: Patching ETW...
[+]: Retrieving EtwEvenWrite Address from NTDLL...
[+]: NTDLL.DLL Module Base Address: 0xfeea0000
[+]: EtwEvenWrite Export located at Address: 0xfeef2d50
[+]: Patching EtwEvenWrite 0xfeef2d50
[+]: ETW Patchine Done.
[*]:-----------------------------------------
[+]: Enumerating Loaded CLR versions
[+]: Scanning for any loaded modules with the name 'clr', 'mscoree'...
[+] Unlinking CLR related modules from PEB
[i]: Module C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll
[i]: Module C:\WINDOWS\SYSTEM32\ucrtbase_clr0400.dll
[i]: Module C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll
[i]: Module C:\WINDOWS\SYSTEM32\ucrtbase_clr0400.dll
[i]: Module C:\WINDOWS\SYSTEM32\ucrtbase_clr0400.dll
[i]: Module C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll
[i]: Module C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll
[i]: Module C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll
[i]: Module C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll
[*]:-----------------------------------------
[+]: Obtaining a handle of the current process: 820
[+]: Scanning for PE DOS Header 'MZ...' pattern...
[i]: 9 PE DOS Headers found.
[+]: Stomping 9 PE DOS headers:
[i]: Stomping MZ Header: 0xbfefeb80
[-]: Not a valid PE DOS Header
[i]: Stomping MZ Header: 0x10009ac0
[i]: Stomping MZ Header: 0x6a7a0009
[i]: Stomping MZ Header: 0x6a7c2ed9
[i]: Stomping MZ Header: 0x6a9e0000
[i]: Stomping MZ Header: 0x6aa03cd0
[i]: Stomping MZ Header: 0x6c50ccb0
[i]: Stomping MZ Header: 0x6c600000
[i]: Stomping MZ Header: 0x6cfd0080
[*]:-----------------------------------------
[!] pMethodInfo->Invoke_3(...) failed, hr = 80131604
[!]: Something went wrong.

If I leave out --stomp-headers, it all works flawlessly.
EDIT: If I switch to the PEB walking method, header stomping works fine.
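The scan in the log above reports 'MZ' hits at addresses that are not page-aligned (0x6a7a0009, 0x6a7c2ed9 and others), while a loaded module's DOS header sits at its page-aligned image base and carries an e_lfanew that points at the "PE\0\0" signature. As an added example that is not part of this issue or the project's code, the Python below applies exactly those two checks to a constructed three-page buffer, separating a real module header from a stray 'MZ' byte pair and from an 'MZ' with an out-of-range e_lfanew; the function names, the base address and the sample bytes are assumptions.

```python
import struct

PAGE = 0x1000
MZ = b"MZ"
PE_SIG = b"PE\0\0"

def classify_mz_hit(mem: bytes, base: int, off: int) -> str:
    """Classify an 'MZ' hit at offset `off` of `mem` (mapped at virtual address `base`).
    'module-header'  page-aligned MZ whose e_lfanew lands on the PE signature
    'bad-e_lfanew'   page-aligned MZ whose e_lfanew is out of range / not at 'PE\\0\\0'
    'unaligned-mz'   an 'MZ' byte pair inside data, not at a page boundary"""
    if mem[off:off + 2] != MZ:
        return "not-mz"
    if (base + off) % PAGE != 0:
        return "unaligned-mz"
    if off + 0x40 > len(mem):          # IMAGE_DOS_HEADER is 0x40 bytes
        return "bad-e_lfanew"
    e_lfanew = struct.unpack_from("<I", mem, off + 0x3C)[0]
    pe_off = off + e_lfanew
    if e_lfanew < 0x40 or pe_off + 4 > len(mem) or mem[pe_off:pe_off + 4] != PE_SIG:
        return "bad-e_lfanew"
    return "module-header"

def scan_for_mz(mem: bytes, base: int):
    """Return (virtual address, classification) for every 'MZ' occurrence in mem."""
    hits, i = [], mem.find(MZ)
    while i != -1:
        hits.append((base + i, classify_mz_hit(mem, base, i)))
        i = mem.find(MZ, i + 1)
    return hits

# Constructed sample memory (assumption, not real process memory):
SAMPLE_BASE = 0x6a9e0000          # page-aligned base for the buffer
def build_sample() -> bytes:
    page0 = bytearray(PAGE)       # a minimal valid DOS + NT header pair
    page0[0:2] = MZ
    struct.pack_into("<I", page0, 0x3C, 0x80)   # e_lfanew -> NT headers at +0x80
    page0[0x80:0x84] = PE_SIG
    page1 = bytearray(PAGE)       # plain data containing a stray 'MZ' at +9
    page1[9:11] = MZ
    page2 = bytearray(PAGE)       # 'MZ' at a page start but e_lfanew far out of range
    page2[0:2] = MZ
    struct.pack_into("<I", page2, 0x3C, 0xFFFFFFF0)
    return bytes(page0 + page1 + page2)

if __name__ == "__main__":
    for va, kind in scan_for_mz(build_sample(), SAMPLE_BASE):
        print(f"0x{va:08x}: {kind}")
```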

@med0x2e
Owner

med0x2e commented Sep 16, 2021

Interesting, which Windows version and build did you try the "syscall" version of ExecuteAssembly on?

@A32AN
Author

A32AN commented Sep 17, 2021

It's a 64 bit installation of Windows 10 Enterprise.
Build number = 10.0.18363.0
