
No Output in Windows

Open DarknightCanada opened this issue 2 years ago • 12 comments

Hello,

The tool does not generate any output in Windows. It works fine in Linux but not in Windows.

```
        ___________
        \_   _____/______   ____   ____ ________ ____
         |    __) \_  __ \_/ __ \_/ __ \\___   // __ \
         |     \   |  | \/\  ___/\  ___/ /    /\  ___/
         \___  /   |__|    \___  >\___  >_____ \\___  >
             \/                \/     \/      \/    \/
                                        (@Tyl0us)
        Soon they will learn that revenge is a dish... best served COLD...

[!] Missing Garble... Downloading it now
exec: no command:
[*] Encrypting Shellcode Using AES Encryption
[+] Shellcode Encrypted
[!] Selected Process to Suspend: notepad.exe
[+] Loader Compiled
[*] Compiling Payload
exec: no command:
[+] Payload loader.exe Compiled
```

Even though it says the payload compiled, there is no output.

DarknightCanada avatar Oct 07 '22 12:10 DarknightCanada

Looks to be an issue related to where garble is put. I'll have to make some changes for Windows...

Tylous avatar Oct 15 '22 00:10 Tylous

Hi man! Any plans on supporting Windows anytime soon? :)

Would love to add support for your Freeze in my ProtectMyTooling but currently it's impossible :(

mgeeky avatar Dec 07 '22 19:12 mgeeky

Apologies for the delay. I am in the process of updating multiple tools including this one. For right now I've heard from people that using it with WSL on Windows works fine. I am not sure if that's been thoroughly tested but it might be a workaround atm. If you want to test that for me and let me know it can help me with developing a fix.

Tylous avatar Dec 09 '22 19:12 Tylous

Ack! Will try it out, thanks :)

mgeeky avatar Dec 09 '22 20:12 mgeeky

@mgeeky did that work for you or do I need to retool it?

Tylous avatar Dec 21 '22 22:12 Tylous

Aaaay sorry Matt, didn't try it yet. Last days were from hell for me. Christmas coming now so unsure if I can sit down to this :(

mgeeky avatar Dec 21 '22 23:12 mgeeky

@Tylous Do you mind looking at the pull request #9? I think it would close this issue and make it work with @mgeeky's ProtectMyTooling tool.

HopHouse avatar May 16 '23 17:05 HopHouse

Hi @HopHouse - thanks for picking this up!

Tried compiling your fork and using it with PMT, but no joy:

```
cmd> D:\dev2\ProtectMyTooling\contrib\Freeze\Freeze.exe -I "calc64.bin" -O "foo.exe"

[.] Command returned:
------------------------------
        ___________
                \_   _____/______   ____   ____ ________ ____
                 |    __) \_  __ \_/ __ \_/ __ \\___   // __ \
                 |     \   |  | \/\  ___/\  ___/ /    /\  ___/
                 \___  /   |__|    \___  >\___  >_____ \\___  >
                     \/                \/     \/      \/    \/
                                                (@Tyl0us)
                Soon they will learn that revenge is a dish... best served COLD...

        [!] Missing Garble... Downloading it now
        [+] Executed code:
        $env:GOBINB=$GOBIN;
        $env:GOBIN="d:\test\.lib";
        go install mvdan.cc/garble@latest
        $env:GOBIN=$GOBINB;
        $env:GOBINB=$null


        [!] Selected Process to Suspend: notepad.exe
        [+] Loader Compiled
        [+] Executed code:
        $env:GOPRIVATEB=go env GOPRIVATE;
        go env -w GOPRIVATE=*
        $env:GOOS="windows";
        $env:GOARCH="amd64";
        d:\test\.lib\garble.exe -seed=random -literals build -o "foo.exe"
        go env -w GOPRIVATE=$GOPRIVATEB;
        $env:GOPRIVATEB=$null

        [*] Compiling Payload
        go list error: exit status 1: go: cannot find main module, but found .git/config in d:\test
                to create a module there, run:
                cd ..\.. && go mod init

        [+] Payload foo.exe Compiled
```

Looks like there needs to be more setup made ahead to satisfy golang dynamic compilation requirements.

mgeeky avatar May 16 '23 22:05 mgeeky

Let me take a look at this as well. I will get back to you all shortly.

Tylous avatar May 18 '23 03:05 Tylous

After looking at it @mgeeky it's something I need to tweak ahead of time. @HopHouse I appreciate your pull request but it didn't work for me. I will work on addressing this shortly.

Tylous avatar May 18 '23 21:05 Tylous

@mgeeky I had the same error but in order to not alter the code too much I found an alternative. You have to git clone the project and then execute Freeze from inside the directory.

Worked for me.

HopHouse avatar Jun 09 '23 15:06 HopHouse

Running into the same error, even when from inside the cloned repo after a fresh build and having go and garble installed...

```
C:\Tools\TA0005 Defense Evasion\Freeze>"C:\Tools\TA0005 Defense Evasion\Freeze\Freeze.exe" -I ".\beacon.exe" -O ".\freeze_beacon.exe" -process "MsMpEng.exe" -sandbox

        ___________
        \_   _____/______   ____   ____ ________ ____
         |    __) \_  __ \_/ __ \_/ __ \\___   // __ \
         |     \   |  | \/\  ___/\  ___/ /    /\  ___/
         \___  /   |__|    \___  >\___  >_____ \\___  >
             \/                \/     \/      \/    \/
                                        (@Tyl0us)
        Soon they will learn that revenge is a dish... best served COLD...

[!] Missing Garble... Downloading it now
exec: no command:
[!] Selected Process to Suspend: MsMpEng.exe
[+] Loader Compiled
[*] Compiling Payload
exec: no command:
[+] Payload .\freeze_beacon.exe Compiled

C:\Tools\TA0005 Defense Evasion\Freeze>garble
Garble obfuscates Go code by wrapping the Go toolchain.

        garble [garble flags] command [go flags] [go arguments]

For example, to build an obfuscated program:

        garble build ./cmd/foo
```

pr0b3r7 avatar Aug 04 '23 02:08 pr0b3r7
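
The `exec: no command:` lines in the outputs above are the error Go's `os/exec` returns when a command is started with an empty program path, and in each run a "Compiled" message still follows. An added example, not Freeze's code: a generic build-step wrapper that rejects an empty or missing tool path and reports success only when the output file exists. The helper names `resolveTool`, `checkArtifact` and `runBuild` and the sample tool name are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
)

// Hypothetical helpers for illustration; not taken from any project.
// resolveTool returns a usable tool path: the configured one if set and
// present, otherwise the PATH lookup. It never returns "" with a nil error.
func resolveTool(configured, name string) (string, error) {
	if configured != "" {
		if _, err := os.Stat(configured); err != nil {
			return "", fmt.Errorf("configured %s not usable: %w", name, err)
		}
		return configured, nil
	}
	return exec.LookPath(name) // error wraps exec.ErrNotFound when missing
}

// checkArtifact fails unless the expected output file exists and is non-empty.
func checkArtifact(path string) error {
	info, err := os.Stat(path)
	if err != nil {
		return fmt.Errorf("no artifact produced: %w", err)
	}
	if info.Size() == 0 {
		return errors.New("artifact is empty: " + path)
	}
	return nil
}

// runBuild reports success only if the tool exited 0 and left an artifact.
func runBuild(tool string, args []string, artifact string) error {
	out, err := exec.Command(tool, args...).CombinedOutput()
	if err != nil {
		return fmt.Errorf("build step failed: %w: %s", err, out)
	}
	return checkArtifact(artifact)
}

func main() {
	// Constructed inputs: an empty tool path and a tool name that is not installed.
	fmt.Println(runBuild("", []string{"build"}, "out.bin"))
	_, err := resolveTool("", "tool-that-is-not-installed")
	fmt.Println(err)
}
```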