
Comments (31)

xuxuedong avatar xuxuedong commented on June 2, 2024

The error code is returned by the GetLastError() that I added.

from libpeconv.

hasherezade avatar hasherezade commented on June 2, 2024

Can you describe more about when exactly you get this error?
Is it at compilation time? Which file is missing?
Or is it when you deploy run_pe.exe with the paths to the target and to the payload?
Please attach screenshots illustrating the problem.


xuxuedong avatar xuxuedong commented on June 2, 2024


hasherezade avatar hasherezade commented on June 2, 2024

This is not a compilation error; it may be an error related to access to the file, or related to the fact that it uses ANSI paths.
Try to check if the normal CreateFileA can open the same file.
Compile and test this snippet and tell me what output it gives you:
https://gist.github.com/hasherezade/78747fc724e68f055630882600eecc2b#file-main-cpp


xuxuedong avatar xuxuedong commented on June 2, 2024

This is the screenshot from before:
2019-08-22 19-01-16 screenshot


xuxuedong avatar xuxuedong commented on June 2, 2024

And when I use the snippet, it always outputs "OK" although the file does not exist; I don't know why. I added a function GetFileSize in a suitable place, and I return -1. Below is the screenshot:
2019-08-22 19-35-57 screenshot


xuxuedong avatar xuxuedong commented on June 2, 2024

The system that I use is Commando from FireEye. It is a little different from Win10, but I have tested on a normal Win10, and it still reminds me "Cannot open the file! (3)"


hasherezade avatar hasherezade commented on June 2, 2024

Sorry, I forgot to add a check for attributes. Please try to run the new version of the snippet: https://gist.github.com/hasherezade/78747fc724e68f055630882600eecc2b#file-main-cpp


xuxuedong avatar xuxuedong commented on June 2, 2024

It also always outputs "Can't open: .\xxx.exe : INVALID_FILE_ATTRIBUTES" whether the file exists or not. Below are the screenshots.
The abc.exe and the putty_x64.exe are in the same dir as the ConsoleApplication1.exe.


xuxuedong avatar xuxuedong commented on June 2, 2024

I have adjusted the params of CreateFileA() to the other normal form, but it still has the same output.


hasherezade avatar hasherezade commented on June 2, 2024

OK. Can you try a Unicode version?
https://gist.github.com/hasherezade/78747fc724e68f055630882600eecc2b#file-wmain-cpp
Maybe the path encoding is the problem.


xuxuedong avatar xuxuedong commented on June 2, 2024

Yes, it's correct this time.
When the files do not exist, it returns
"Can't open: .\hello.exe : INVALID_FILE_ATTRIBUTES
Can't open: .\world.exe : INVALID_FILE_ATTRIBUTES"
When the files exist, it returns
"OK: ., attributes: 20
OK: .\putty_x64.exe, attributes: 20"
But only the first character of the payload_path name is read when the file exists.
Below is the screenshot.
The current dir only has putty_x64.exe and abc.exe.


xuxuedong avatar xuxuedong commented on June 2, 2024

I also have a problem: why is the run_pe64.exe that you provided valid, but the run_pe64.exe that I compiled invalid? Is it because of my compile method?


hasherezade avatar hasherezade commented on June 2, 2024

Please check if the recent patch fixed the problem. If not, please check if those builds work for you:
run_pe32_64.zip


xuxuedong avatar xuxuedong commented on June 2, 2024

I downloaded the latest code and compiled it; it outputs "Incompatibile target subsystem!" this time. The subsystem of my payload is console, and the subsystem of this loader is also console.


xuxuedong avatar xuxuedong commented on June 2, 2024

I tried to comment out the code below in run_pe.cpp:
/*
    if (payload_subs != IMAGE_SUBSYSTEM_WINDOWS_GUI //only a payload with GUI subsystem can be run by both GUI and CLI
        && target_subs != payload_subs)
    {
        printf("Incompatibile target subsystem!\n");
        return false;
    }
*/
but then this pops up:
2019-08-27 13-03-32 screenshot


xuxuedong avatar xuxuedong commented on June 2, 2024

And those builds you did recently also output "Incompatibile target subsystem!", but once again, the original builds work correctly.


hasherezade avatar hasherezade commented on June 2, 2024

You should not comment out this code! It is an important compatibility check! It is here for a valid purpose. If it passed to this stage, it means the original issue of not opening file is solved.

The "Incompatibile target subsystem!" message is not a bug. It is just information that your payload is incompatible with your target. You must use a payload with a GUI subsystem if you want to inject into a target with a GUI subsystem (such as calc). For checking a subsystem use a PE viewer such as PE-bear.

Check the Optional Header -> Subsystem in both payload and a target (the default target is calc):
subsystem_info

If the subsystem of the payload is "Windows console", it just cannot be injected into a target with subsystem "Windows GUI". The check that you commented out is meant to inform you about it, and to prevent further problems.


hasherezade avatar hasherezade commented on June 2, 2024

In some cases, you can force the payload to still be injected, just by changing its subsystem in the header. In the past my loader was doing it, but it was causing problems in some cases, so I removed it. If you really want to try, you can change the target's subsystem manually in the PE editor (such as PE-bear) and it should work. Just change the value from 3 to 2. But only if you are sure that you want it.
In general it is better to choose a different target instead.


hasherezade avatar hasherezade commented on June 2, 2024

BTW if you read the line that you commented out, you will find the same explanation as above:

//only a payload with GUI subsystem can be run by both GUI and CLI


xuxuedong avatar xuxuedong commented on June 2, 2024

I read the explanation, so I commented it out. What I understood was "a GUI subsystem can be run by both GUI and CLI, and a CLI subsystem can only be run by CLI subsystem" :)
I was a little foolish...
Is it that only the GUI subsystem can be injected into both GUI and CLI subsystems, and the CLI subsystem can't be injected into either GUI or CLI subsystem?


xuxuedong avatar xuxuedong commented on June 2, 2024

Thank you very much, really, for your help so far :)


hasherezade avatar hasherezade commented on June 2, 2024

Unfortunately it is not transitive. A payload with a GUI subsystem has fewer limitations, and can be injected into both GUI and CLI.
So:
GUI payload -> GUI or CLI target
CLI payload -> CLI target (only)

from libpeconv.
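
The Subsystem lookup and the compatibility rule discussed above, as an added C++ example that is not part of the thread or of libpeconv: it reads OptionalHeader.Subsystem from a PE header buffer and applies the GUI/CLI rule. The helper names and the header-only sample buffer are constructed for illustration.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

constexpr uint16_t SUBSYS_GUI = 2;  // IMAGE_SUBSYSTEM_WINDOWS_GUI
constexpr uint16_t SUBSYS_CUI = 3;  // IMAGE_SUBSYSTEM_WINDOWS_CUI (console)

// Little-endian read of n bytes; callers bounds-check first.
static uint32_t rd(const std::vector<uint8_t>& b, size_t off, size_t n) {
    uint32_t v = 0;
    for (size_t i = 0; i < n; ++i) v |= uint32_t(b[off + i]) << (8 * i);
    return v;
}

// Hypothetical helper: returns OptionalHeader.Subsystem, or 0 for a malformed header.
uint16_t pe_subsystem(const std::vector<uint8_t>& b) {
    if (b.size() < 0x40 || b[0] != 'M' || b[1] != 'Z') return 0;
    size_t nt = rd(b, 0x3C, 4);                          // e_lfanew
    if (nt > b.size() || b.size() - nt < 4 + 20 + 70) return 0;
    if (std::memcmp(&b[nt], "PE\0\0", 4) != 0) return 0;
    size_t opt = nt + 4 + 20;                            // skip signature + file header
    uint32_t magic = rd(b, opt, 2);
    if (magic != 0x10B && magic != 0x20B) return 0;      // PE32 or PE32+
    return uint16_t(rd(b, opt + 68, 2));                 // same offset in both formats
}

// Rule stated in the thread: GUI payload -> GUI or CLI target; CLI payload -> CLI target only.
bool subsystems_compatible(uint16_t payload, uint16_t target) {
    if (payload == 0 || target == 0) return false;       // unreadable header: refuse
    return payload == SUBSYS_GUI || payload == target;
}

// Constructed sample: headers only, no sections, just enough for the parser above.
std::vector<uint8_t> make_sample(uint16_t magic, uint16_t subsystem) {
    const size_t nt = 0x80, opt = nt + 24;
    std::vector<uint8_t> b(opt + 70, 0);
    b[0] = 'M'; b[1] = 'Z'; b[0x3C] = uint8_t(nt);
    std::memcpy(&b[nt], "PE\0\0", 4);
    b[opt] = uint8_t(magic);          b[opt + 1] = uint8_t(magic >> 8);
    b[opt + 68] = uint8_t(subsystem); b[opt + 69] = uint8_t(subsystem >> 8);
    return b;
}

int main() {
    uint16_t payload = pe_subsystem(make_sample(0x20B, SUBSYS_CUI));
    uint16_t target  = pe_subsystem(make_sample(0x20B, SUBSYS_GUI));
    std::printf("payload=%u target=%u compatible=%d\n", payload, target,
                subsystems_compatible(payload, target));
    return 0;
}
```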

xuxuedong avatar xuxuedong commented on June 2, 2024

I have changed my payload from console to GUI, and it can be injected successfully. Thank you again, brother.


hasherezade avatar hasherezade commented on June 2, 2024

I'm glad that it worked, and thank you for reporting an issue with file opening! Input like yours is invaluable to make my tools better, so, thanks! :)


xuxuedong avatar xuxuedong commented on June 2, 2024

Before, I commented out the code below:
/*
    if (payload_subs != IMAGE_SUBSYSTEM_WINDOWS_GUI //only a payload with GUI subsystem can be run by both GUI and CLI
        && target_subs != payload_subs)
    {
        printf("Incompatibile target subsystem!\n");
        return false;
    }
*/
and I chose svchost.exe as the target (I thought it was console subsystem, because it has no GUI).
It also failed.
But now I know that svchost.exe is GUI subsystem.
Thanks for your tool PE-bear.


xuxuedong avatar xuxuedong commented on June 2, 2024

Is there any Windows utility that is console subsystem?


hasherezade avatar hasherezade commented on June 2, 2024

> is there any windows utility is console subsystem?

Try: C:\Windows\bfsvc.exe


hasherezade avatar hasherezade commented on June 2, 2024

Also:
C:\Windows\System32\PATHPING.exe
C:\Windows\System32\PING.exe
C:\Windows\System32\print.exe
C:\Windows\System32\qprocess.exe

There are some. PE-bear will help you to find more ;)


xuxuedong avatar xuxuedong commented on June 2, 2024

Thanks a lot, my payload can be injected into c:\windows\bfsvc.exe successfully.


hasherezade avatar hasherezade commented on June 2, 2024

cool! so, if all is sorted out, I think it's time to close this topic.
