PEZor is no longer working with newer versions of Kali #90

Open
LuemmelSec opened this issue Dec 14, 2023 · 3 comments
Comments

@LuemmelSec

I did several tests with fresh kali versions:
2023.4
2022.1
2021.1
2019.4

The install.sh script runs more or less fine.
I fetched a fresh mimikatz.exe and used the first example to wrap it. I used the precompiled version as well as a self-built one.

──(kali㉿kali)-[~/tools/PE-Loader/PEzor]
└─$ ./PEzor.sh -unhook -antidebug -text -self -sleep=10 mimikatz.exe -z 2    1 ⨯
 ________________
< PEzor!! v3.3.0 >
 ----------------
      \                    / \  //\
       \    |\___/|      /   \//  \\
            /0  0  \__  /    //  | \ \    
           /     /  \/_/    //   |  \  \  
           @_^_@'/   \/_   //    |   \   \ 
           //_^_/     \/_ //     |    \    \
        ( //) |        \///      |     \     \
      ( / /) _|_ /   )  //       |      \     _\
    ( // /) '/,_ _ _/  ( ; -.    |    _ _\.-~        .-~~~^-.
  (( / / )) ,-{        _      `-.|.-~-.           .~         `.
 (( // / ))  '/\      /                 ~-. _ .-~      .-~^-.  \
 (( /// ))      `.   {            }                   /      \  \
  (( / ))     .----~-.\        \-'                 .~         \  `. \^-.
             ///.----..>        \             _ -~             `.  ^-`  ^-_
               ///-._ _ _ _ _ _ _}^ - - - - ~                     ~-- ,.-~
                                                                  /.-~
---------------------------------------------------------------------------
Read the blog posts here:
https://iwantmore.pizza/posts/PEzor.html
https://iwantmore.pizza/posts/PEzor2.html
https://iwantmore.pizza/posts/PEzor3.html
https://iwantmore.pizza/posts/PEzor4.html
Based on:
https://github.com/TheWover/donut
https://github.com/EgeBalci/sgn
https://github.com/JustasMasiulis/inline_syscall
https://github.com/CylanceVulnResearch/ReflectiveDLLRefresher
---------------------------------------------------------------------------
[?] Unhook enabled
[?] Anti-debug enabled
[?] Payload will be put in .text section
[?] Self-executing payload
[?] Waiting 10 seconds before executing the payload
[?] Processing mimikatz.exe
./PEzor.sh: line 323: [: missing `]'
[?] PE detected: mimikatz.exe: PE32+ executable (console) x86-64, for MS Windows
[?] Building executable
[?] Executing donut

  [ Donut shellcode generator v1 (built Dec 14 2023 02:10:45)
  [ Copyright (c) 2019-2021 TheWover, Odzhan

  [ Instance type : Embedded
  [ Module file   : "mimikatz.exe"
  [ Entropy       : Random names + Encryption
  [ Compressed    : aPLib (Reduced by 54%)
  [ File type     : EXE
  [ Target CPU    : x86+amd64
  [ AMSI/WDLP/ETW : continue
  [ PE Headers    : overwrite
  [ Shellcode     : "/tmp/tmp.zVG1q34Pqt/shellcode.bin.donut"
  [ Exit          : Thread
In file included from /home/kali/tools/PE-Loader/PEzor/ApiSetMap.c:32:
/home/kali/tools/PE-Loader/PEzor/ApiSetMap.h:160:34: warning: a function declaration without a prototype is deprecated in all versions of C [-Wstrict-prototypes]
__PPEB GetProcessEnvironmentBlock();
                                 ^
                                  void
/home/kali/tools/PE-Loader/PEzor/ApiSetMap.h:161:51: warning: a function declaration without a prototype is deprecated in all versions of C [-Wstrict-prototypes]
__PLDR_DATA_TABLE_ENTRY GetInMemoryOrderModuleList();
                                                  ^
                                                   void
/home/kali/tools/PE-Loader/PEzor/ApiSetMap.c:34:34: warning: a function declaration without a prototype is deprecated in all versions of C [-Wstrict-prototypes]
__PPEB GetProcessEnvironmentBlock()
                                 ^
                                  void
/home/kali/tools/PE-Loader/PEzor/ApiSetMap.c:50:51: warning: a function declaration without a prototype is deprecated in all versions of C [-Wstrict-prototypes]
__PLDR_DATA_TABLE_ENTRY GetInMemoryOrderModuleList()
                                                  ^
                                                   void
4 warnings generated.
In file included from /home/kali/tools/PE-Loader/PEzor/loader.c:1:
In file included from /home/kali/tools/PE-Loader/PEzor/loader.h:7:
/home/kali/tools/PE-Loader/PEzor/ApiSetMap.h:160:34: warning: a function declaration without a prototype is deprecated in all versions of C [-Wstrict-prototypes]
__PPEB GetProcessEnvironmentBlock();
                                 ^
                                  void
/home/kali/tools/PE-Loader/PEzor/ApiSetMap.h:161:51: warning: a function declaration without a prototype is deprecated in all versions of C [-Wstrict-prototypes]
__PLDR_DATA_TABLE_ENTRY GetInMemoryOrderModuleList();
                                                  ^
                                                   void
In file included from /home/kali/tools/PE-Loader/PEzor/loader.c:1:
/home/kali/tools/PE-Loader/PEzor/loader.h:17:15: warning: a function declaration without a prototype is deprecated in all versions of C [-Wstrict-prototypes]
void RefreshPE();
              ^
               void
/home/kali/tools/PE-Loader/PEzor/loader.c:4:15: warning: a function declaration without a prototype is deprecated in all versions of C [-Wstrict-prototypes]
void RefreshPE()
              ^
               void
/home/kali/tools/PE-Loader/PEzor/loader.c:437:10: warning: cast to smaller integer type 'DWORD' (aka 'unsigned long') from 'PCHAR' (aka 'char *') [-Wpointer-to-int-cast]
    if (((DWORD)lpProcName & 0xFFFF0000) == 0x00000000)
         ^~~~~~~~~~~~~~~~~
/home/kali/tools/PE-Loader/PEzor/loader.c:443:43: warning: cast to smaller integer type 'DWORD' (aka 'unsigned long') from 'PCHAR' (aka 'char *') [-Wpointer-to-int-cast]
        uiAddressArray += ((IMAGE_ORDINAL((DWORD)lpProcName) - pExportDirectory->Base) * sizeof(DWORD));
                                          ^~~~~~~~~~~~~~~~~
/usr/x86_64-w64-mingw32/include/winnt.h:8299:48: note: expanded from macro 'IMAGE_ORDINAL'
#define IMAGE_ORDINAL(Ordinal) IMAGE_ORDINAL64(Ordinal)
                                               ^~~~~~~
/usr/x86_64-w64-mingw32/include/winnt.h:8270:35: note: expanded from macro 'IMAGE_ORDINAL64'
#define IMAGE_ORDINAL64(Ordinal) (Ordinal & 0xffffull)
                                  ^~~~~~~
6 warnings generated.
x86_64-w64-mingw32-clang++ -O3 -Wl,-strip-all,-subsystem=windows -Wall -pedantic -D_WINX64 -DWIN_X64 -DUNHOOK -DANTIDEBUG -DSELFINJECT -D_TEXT_ -std=c++17 -static /home/kali/tools/PE-Loader/PEzor/inject.cpp /home/kali/tools/PE-Loader/PEzor/PEzor.cpp /tmp/tmp.zVG1q34Pqt/shellcode.cpp /tmp/tmp.zVG1q34Pqt/sleep.cpp /tmp/tmp.zVG1q34Pqt/ApiSetMap.o /tmp/tmp.zVG1q34Pqt/loader.o -o mimikatz.exe.packed.exe
[!] Done! Check mimikatz.exe.packed.exe: PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows

The packed exe gets created, but it is dead, nothing happens, despite a running process:
[image]

I tracked it down so far that until after the shellcode creation with donut, everything is fine. I can use the donut loader and run the shellcode from the temp folder and it starts mimikatz as expected.
So afterwards something is off.
I thought it might have something to do with python3 being upgraded to 3.11, so I did all steps manually and stayed with a 3.9.7 version. However, the results were the same.

@phra
Owner

phra commented Dec 14, 2023

I can see a probable typo based on ``./PEzor.sh: line 323: [: missing `]'``, I'll have a look.
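An added illustration (not code from PEzor or its maintainers) of why a runtime ``[: missing `]'`` message deserves attention: `[` is an ordinary command, so a dropped closing bracket is not a syntax error but a failed test that `if` treats as false, and `bash -n` cannot catch it. The flag names and functions below are constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example (not part of PEzor): a missing `]` only fails at runtime
# (exit status 2); `if` treats that as false and silently takes the other
# branch while the script carries on as if nothing happened.

# Constructed stand-in for a flag check with the closing `]` missing.
broken_flag_test() {
    [ "$1" = "-unhook" 2>/dev/null      # bracket error -> status 2, not 0
}

# The same check written correctly.
fixed_flag_test() {
    [ "$1" = "-unhook" ]
}

# Mirrors how `if` would branch on either test: prints which branch ran.
branch_taken() {
    if "$1" "$2"; then
        echo "enabled"
    else
        echo "skipped"
    fi
}

# Check: does `bash -n` (parse-only mode) accept this snippet? Returns 0 if
# it parses, non-zero if bash reports a syntax error.
parses_ok() {
    bash -n -c "$1" 2>/dev/null
}

# `[ ...` with a missing `]` parses fine, so -n cannot catch it ...
SINGLE_BRACKET='if [ "$x" = "y" ; then :; fi'
# ... whereas `[[ ... ]]` is shell syntax, so a missing `]]` is a parse error.
DOUBLE_BRACKET='if [[ "$x" = "y" ; then :; fi'

main() {
    echo "broken test on -unhook: $(branch_taken broken_flag_test -unhook)"
    echo "fixed  test on -unhook: $(branch_taken fixed_flag_test -unhook)"
    parses_ok "$SINGLE_BRACKET" && echo "bash -n accepts the [ version"
    parses_ok "$DOUBLE_BRACKET" || echo "bash -n rejects the [[ version"
}

main "$@"
```

ShellCheck flags the unclosed `[` statically; absent that, rewriting such tests with `[[ ... ]]` turns the mistake into a parse error that `bash -n` reports before anything runs.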

@LuemmelSec
Author

I also looked at this, but think it was only text.

@ryh123

ryh123 commented Mar 21, 2024

I also have the same problem: mimikatz has started, but it cannot be used normally. Please, how do I solve this?
