
Cobalt Strike shellcode seems to be recognized as PE #28

Closed
zanemendoza123 opened this issue Feb 19, 2021 · 7 comments

zanemendoza123 (Author) commented Feb 19, 2021

I installed PEzor by following the guide. To test PEzor, I generated a payload using the following:
[screenshot]
And when I used PEzor on the generated payload, I got the following error:

# bash ../tools/PEzor/PEzor.sh beacon.bin            
 ________________
< PEzor!! v2.1.0 >
 ----------------
[...snip...]
[?] Processing beacon.bin
[?] PE detected: beacon.bin: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
[?] Building executable
[?] Executing donut

  [ Donut shellcode generator v0.9.3
  [ Copyright (c) 2019 TheWover, Odzhan

  [ Error : File is invalid.
cat: /tmp/shellcode.cpp.donut: No such file or directory

If I use Payload Generator as below:
[screenshot]
PEzor works fine and I don't see any error:

# bash ../tools/PEzor/PEzor.sh payload.bin 
 ________________
< PEzor!! v2.1.0 >
 ----------------
[...snip...]
---------------------------------------------------------------------------
[?] Processing payload.bin
[?] Shellcode detected
[?] Building executable
[!] Done! Check payload.bin.packed.exe: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows

Can anyone here shed some light on why I'm getting the error?

zanemendoza123 (Author) commented Feb 20, 2021

Managed to make it work by setting the IS_SHELLCODE variable to true. I'm not sure if this is the right fix for my issue though. I'm not knowledgeable enough to debug all the code. I might have broken something.

phra (Owner) commented Feb 22, 2021

[?] PE detected: beacon.bin: PE32+ executable (DLL) (GUI) x86-64, for MS Windows

it seems that file, used by PEzor, recognizes your input as a PE file instead of raw shellcode. can you check why file believes that?

zanemendoza123 (Author) commented

Here's the output of the file command on the raw shellcode:

# file beacon.bin    
beacon.bin: PE32+ executable (DLL) (GUI) x86-64, for MS Windows

phra (Owner) commented Mar 2, 2021

based on https://malware.news/t/cobaltstrike-beacon-dll-your-no-ordinary-mz-header/34458 it seems that cobalt strike generates a shellcode that starts with a specially crafted DOS header and file reports it as a full PE based on that header. (https://github.com/phra/PEzor/blob/master/PEzor.sh#L222)

if confirmed, a solution would be to add a new command-line option to force the payload to be treated as raw shellcode despite the file output. anyway this issue doesn't appear when using hooks to customize generated artifacts.
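As an added example (not PEzor's own code and not something posted in the thread), the check below does what `file` does not: it follows the DOS header's e_lfanew pointer and verifies that a real "PE\0\0" signature and a plausible COFF header sit there. Shellcode that merely opens with an executable "MZ" stub passes the two-byte magic test but fails the structural one. The three sample inputs are constructed for this example (they are not real Cobalt Strike bytes); the only assumption about the stub is the one in the linked article, that the blob starts with "MZ" followed by ordinary machine code.

```python
"""
Added example: classify a blob as a loadable PE, an MZ-prefixed non-PE
(e.g. shellcode whose first two bytes are an executable "MZ" stub), or
something with no MZ magic at all. Sample inputs below are constructed.
"""
import struct
import sys

# IMAGE_FILE_MACHINE_* values a Windows loader would accept: i386, amd64, armnt, arm64.
KNOWN_MACHINES = {0x014C, 0x8664, 0x01C4, 0xAA64}
COFF_HEADER_LEN = 20  # Machine .. Characteristics, immediately after "PE\0\0"


def classify_payload(data: bytes) -> str:
    """Return "pe", "mz-not-pe" or "no-mz".

    A loadable PE needs: "MZ" at offset 0, a 4-byte little-endian e_lfanew at
    offset 0x3C that points inside the file, "PE\0\0" at that offset, and a
    COFF header with a recognised Machine value. `file` stops at the magic;
    this walks the rest, so an MZ stub glued onto shellcode ends up "mz-not-pe".
    """
    if data[:2] != b"MZ":
        return "no-mz"
    if len(data) < 0x40:
        return "mz-not-pe"  # too short to even hold e_lfanew
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # e_lfanew must leave room for the signature plus the COFF header. In an
    # MZ stub the bytes at 0x3C are just more code/filler, so this usually
    # points far outside the file.
    if e_lfanew + 4 + COFF_HEADER_LEN > len(data):
        return "mz-not-pe"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "mz-not-pe"
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    if machine not in KNOWN_MACHINES:
        return "mz-not-pe"
    return "pe"


def build_minimal_pe(machine: int = 0x8664) -> bytes:
    """Constructed header-only PE (DOS header + signature + COFF header).

    Not a runnable binary; it exists so the positive path can be exercised.
    """
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> right after DOS header
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0, 0x0022)
    return bytes(dos) + b"PE\0\0" + coff


# Constructed stand-in for an MZ-prefixed shellcode blob. In 64-bit mode the
# bytes 4D 5A ("MZ") decode as `pop r10`, so the "header" is itself code.
MZ_STUB_SHELLCODE = (
    b"MZ"                 # 4D 5A: pop r10
    + b"\x41\x52"         # push r10
    + b"\x55"             # push rbp
    + b"\x48\x89\xe5"     # mov rbp, rsp
    + b"\x90" * 0x100     # filler standing in for the rest of the loader
)

# Constructed raw x64 shellcode with no MZ magic at all (cld; and rsp, -16; nops).
RAW_X64_SHELLCODE = b"\xfc\x48\x83\xe4\xf0" + b"\x90" * 16


if __name__ == "__main__":
    # With file arguments, classify each file; otherwise run the samples.
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(f"{path}: {classify_payload(fh.read())}")
    if len(sys.argv) == 1:
        print("constructed PE header ->", classify_payload(build_minimal_pe()))
        print("constructed MZ stub   ->", classify_payload(MZ_STUB_SHELLCODE))
        print("constructed raw x64   ->", classify_payload(RAW_X64_SHELLCODE))
```

Running this on the beacon.bin from the thread is the useful check: anything other than "pe" confirms that `file` is keying off the two-byte magic alone. Note that a truncated or otherwise corrupt real PE also lands in "mz-not-pe", so read that result as "not loadable as a PE" rather than as proof that the input is shellcode; for a packer, though, that is exactly the distinction that matters.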

phra changed the title from "Error : File is invalid." to "Cobalt Strike shellcode seems to be recognized as PE" on Mar 2, 2021

c14dd49h commented

I have the same issue... any update of this topic?

phra (Owner) commented Mar 17, 2021

a workaround was posted by @zanemendoza123 above and a long-term solution was suggested by me. unfortunately i haven't worked on it; would someone mind sending a PR with the proposed fix? (i.e. add a -shellcode command line option)

zanemendoza123 (Author) commented

Would like to close this issue since the CLI option -shellcode fixed it.
