inject-assembly
no output after execution
Got no output after execution; tried to self-inject and remote inject, same thing. Beacon acknowledges the task but no output.
I have also tried on different processes, elevated and non-elevated. Any help? May I uncomment verbose and error to check? Thx
Definitely try rebuilding with verbose and error uncommented, let me know what the output looks like then.
Same issue, rebuilt with verbose and error already. (Was using cobalt strike 4.5)
.NET tried to run: https://github.com/Mr-Un1k0d3r/RedTeamCSharpScripts/blob/master/set.cs
Please let me know if you need more input, thanks!
Thanks for debugging this problem, I know it's annoying when tools don't work as expected. Hopefully we can figure out what is causing this so I can fix it.
I tried the set.exe binary from that repo with CS 4.5 and it appears to work for me...
Could you try injecting into a different process to see if that makes a difference? Depending on when you cloned the repo, I did have to make a small fix ~15 days ago.
My Beacon is on a Windows 10 x64 VM, and these are the relevant Malleable options I'm using:
process-inject {
    set userwx "false";
    set startrwx "false";
    set allocator "NtMapViewOfSection";
    set min_alloc "4096";
    execute {
        SetThreadContext;
        RtlCreateUserThread;
    }
}
Thank you for testing for us. Tried with your profile settings with the latest release, also disabled User-Defined Reflective Loader, PPID, blockdll but still no luck.
Thanks again.
@ScriptIdiot Can you tell me more about the endpoint environment and what process you are injecting into?
Windows 10 machine with only Defender installed. Tried to inject into several processes, such as powershell, and all processes with clr.dll after opening Visual Studio. Thanks
Next you can try attaching WinDbg to the process and enabling CLR error catching, any information you get from that could help me understand what's going on.
Been having the same issue. Path length to the executable was affecting getting output (i.e. /foo/bar/some/thing/assembly.exe). Put the assembly in the root directory and recompiled with verbose and error, and there appears to be an issue changing memory perms of the target process; this included injecting into self. This was both medium and high integrity. Out of 10 processes checked, only one didn't give this error:
[+] AppDomain name: Microsoft.ServiceHub.Controller.exe
[+] Found PE header at 0x00000261FA2B0032 in region 0x00000261FA2B0000
Error changing memory protection: 0xc00000f2
Old prot: 0x1
[+] Found PE header at 0x00000261FA9E0033 in region 0x00000261FA9E0000
Error changing memory protection: 0xc00000f2
Old prot: 0x1
Target environment is: Windows 10 Pro 21H2 OS Build: 19044.1645
Edit: The old protect 0x1 is PAGE_NOACCESS, so could this just be a case of getting unlucky on the chosen process to inject into? Did have this error when injecting into self as well, though.
@LarryCheech I'm going to revisit the issue this week. Schedule is finally cleared up and this is some good information to go off of. Thank you for taking a look!
Any movement on this?
Same issue, won't get any output when the path to executable is too long.