Comments (13)
Might wanna try my program, SharpUnhooker.
Not only unhooks the whole API DLL, but it also disables AMSI (if loaded) and ETW.
And also, usually "variable set and unused" is only a warning (in most programming languages).
Thank you, @GetRektBoy724 . Thank you for Csharp code. Very useful! Another one in C code is https://github.com/rsmudge/unhook-bof
But it would be great to integrate this code safely in this project. As it simplifies the pipeline very nicely :)
Indeed, "variable set and unused" is usually a warning, but in Golang it seems to be a hard error :(
Hello,
thank you for providing such a great framework! Amazing work.
Unfortunately, the DLL Refresher code is detected by some AV, for example: NOD32. Example command:
../ScareCrow/ScareCrow -I beacon-sourcepoint-test1.bin -Loader dll -etw -domain www.microsoft.com
When I disabled refreshing and ETW, the DLL bypasses NOD32 though. I tried modifying the Struct.go, but editing is pretty hard due to the "variable set and unused" compilation error.
Any chance that you can implement the ETW and Refresher functionality as reflected (encrypted) DLL files? My Golang skills cannot do that in this language :(
thanks
Rafal
I could look to make it an encrypted DLL in the next update, however I do not think it would stop the detection. What happens if you use the refresh with, say, the wscript or control loaders? Does the same issue occur?
Hello @Tylous,
thank you again for the tool. I tried binary, DLL and wscript. NOD32 detected all of them with the same signature Kryptik.E or something similar. It was a static AV file check, no execution was required.
I checked deeper with DLL function. I found that this function triggers the detection:
func {{.Variables.Reloading}}(name string) error {
    {{.Variables.dll}}, {{.Variables.error}} := ioutil.ReadFile(name)
    if {{.Variables.error}} != nil {
        return {{.Variables.error}}
    }
    [...]
When I removed the content of this function, detection stopped. The same happened when I used the 'unmodified' flag. I attempted to check what exactly triggers detection, but modification of this code is pretty hard and time-consuming due to the error message ("declared but unused"). I changed the "PAGE_EXECUTE_READWRITE" memory flag too, but this did not impact the detection.
I thought if this functionality is encrypted and loaded as reflective DLL, no signature can match it, especially as your tool will make the encryption unique every time it runs. Anyway, this is just an idea. If I am wrong, apologies!
thanks
Hmmm, interesting. If it is this, try changing the variable name to adsfa
and replace
    if {{.Variables.error}} != nil { return {{.Variables.error}} }
with
    if {{.Variables.error}} != nil { }
I am sorry, @Tylous . I think you misunderstood me.
I meant the whole function starting with
    func {{.Variables.Reloading}}(name string) error {
The function contains the references to:
    {{.Variables.dll}}, {{.Variables.error}} := ioutil.ReadFile(name)
    [...]
    {{.Variables.x}} := {{.Variables.file}}.Section(".text")
    [...]
    {{.Variables.loaddll}}, {{.Variables.error}} := windows.LoadDLL(name)
    [...]
    {{.Variables.runfunc}}, _ := NtProtectVirtualMemory(
    [...]
Apologies if I did not make myself clear.
All good, I think I have an idea of what to do. Gonna start building and testing this week.
Great stuff. Much appreciated, @Tylous !
Update: I am working on an updated version to address this and some other things. Please bear with me while I test it all.
Should be addressed in Patch 3.0
Thank you very much, @Tylous !
Closing this issue. If there are further issues related to this, feel free to re-open.