Reflective Loader as payload

[Atsika]

Hi,
Reflective loaders like Cobalt Strike's beacon or Metasploit's meterpreter don't callback home.
Beacon seems alive but not calling back home.

Also nothing on wireshark.
Do you have an idea of why ?
Thanks in advance

[hasherezade]

Hi, I see that the error was on referencing the token? I think the reason is the parameters that are passed to the newly created process are incomplete. Some of the components are not filled:

process_ghosting/process_env.cpp

Lines 139 to 151 in cc51f9c

	NTSTATUS status = RtlCreateProcessParametersEx(
	&params,
	(PUNICODE_STRING)&uTargetPath,
	(PUNICODE_STRING)&uDllDir,
	(PUNICODE_STRING)&uCurrentDir,
	(PUNICODE_STRING)&uTargetPath,
	environment,
	(PUNICODE_STRING)&uWindowName,
	nullptr,
	nullptr,
	nullptr,
	RTL_USER_PROC_PARAMS_NORMALIZED
	);

This is because the PoC is not finished, I added only those components that were essential for making the process run.
It will be fixed in the future, as mentioned here: #2

[Atsika]

I understand now. How can I try to find missing parameters ?

[hasherezade]

The problem is, it is not that easy. By parameters I mean not just some particular values, but structures that have to be initialized in a proper way, and filled manually. It will require some research about how those parameters are set in the original process creation. And it is not documented, so it will take some digging. It is on my TODO, but I currently have some more urgent work.

[hasherezade]

For now what I can offer you is trying a similar method, which does not require it: transacted_hollowing. Please let me know if it works for you (it should).

[Atsika]

Alright, I got you.
Since process is created using CreateProcessInternalW most of the process parameters and environment are set.
I'll give it a try.
Thanks for your help.