Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

my shellcode run, but the src exe cann't execute #7

Open
Hello-xBugs opened this issue Dec 17, 2020 · 8 comments
Open

my shellcode run, but the src exe cann't execute #7

Hello-xBugs opened this issue Dec 17, 2020 · 8 comments

Comments

@Hello-xBugs
Copy link

my shellcode run, but the src exe cann't execute

@awgh
Copy link
Member

awgh commented Dec 17, 2020

@qiushifengyu I'm assuming you're injecting into a PE for Windows, because you said exe. On Windows, binjection will automatically add a JMP back to the original entry point to the end of your shellcode.

This is where the injection is happening:.
And this is the shellcode that is being appended to your shellcode.

There are two possibilities I can see:

  1. Your shellcode does not make it all the way to the JMP being added to the end of it. This is the most common cause of the issue you're describing. Perhaps your code is crashing or looping or attempting to RET to nowhere?
  2. The JMP being appended is actually running, but crashing or attempting to jump to the wrong address.

Are you able to step through the binjected binary in a debugger and see which of these is the case?

Thanks!

@Hello-xBugs
Copy link
Author

yes,I see.thank you very much,I will debug my shellcode。
thanks!

@awgh
Copy link
Member

awgh commented Dec 18, 2020

@qiushifengyu Please let me know which of those it turns out being. If it's number 1, I'll close the issue, but if it's number 2, I'll have to fix something :)

@Hello-xBugs
Copy link
Author

thanks a lot, I debuged my sc.I have RET before before jmp back. I use the SRDI make my dll to shell code

@Hello-xBugs
Copy link
Author

is the code cave completed?

@awgh
Copy link
Member

awgh commented Dec 23, 2020

Code cave detection is implemented, but not actually used for Windows. In our experiments, we found that changes to the windows compiler have basically removed most simple (continuous) code caves from PE binaries. We have not implemented code cave chaining yet, which is the only thing that might work on some programs.

The method we're currently using adds a new section. This seems to be the most stable.

@Hello-xBugs
Copy link
Author

yes,it is seems to be the most stable, but can't bypass AV

@1mansh0w
Copy link

@awgh First of all thank you and your team for binjection! 😊

I'm running into the same problem as @tooBugs: Shell code runs, but source file won't be executed

What's weird is that shell code and source file are both simple hello world programs, which work individually and don't crash.

Here are the steps to reproduce:

  1. Build this repo with make: https://github.com/1mansh0w/binjection-hello-world
  2. Create shell code with donut: donut ~/hello.x64.exe
  3. Inject shell code in source file with binjection: binjection -f ./hello.x64.exe -s ./loader.bin -o no_luck.exe
  4. Execute no_luck.exe on Windows 10 -> only shell code get's executed

I thought that maybe the source file cannot print the string to stdout, but is actually running - therefore I also tried an executable that creates a file, but also that didn't happen. The executable works fine individually.

Do you know what the issue could be here?

Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants