
PEZor is no longer working with newer versions of Kali #90

@LuemmelSec

Description


I did several tests with fresh Kali versions:
2023.4
2022.1
2021.1
2019.4

The install.sh script runs more or less fine.
I fetched a fresh mimikatz.exe and used the first example to wrap it. I used the precompiled version as well as a self-built one.

┌──(kali㉿kali)-[~/tools/PE-Loader/PEzor]
└─$ ./PEzor.sh -unhook -antidebug -text -self -sleep=10 mimikatz.exe -z 2                                                                                                                                                 1 ⨯
 ________________
< PEzor!! v3.3.0 >
 ----------------
      \                    / \  //\
       \    |\___/|      /   \//  \\
            /0  0  \__  /    //  | \ \    
           /     /  \/_/    //   |  \  \  
           @_^_@'/   \/_   //    |   \   \ 
           //_^_/     \/_ //     |    \    \
        ( //) |        \///      |     \     \
      ( / /) _|_ /   )  //       |      \     _\
    ( // /) '/,_ _ _/  ( ; -.    |    _ _\.-~        .-~~~^-.
  (( / / )) ,-{        _      `-.|.-~-.           .~         `.
 (( // / ))  '/\      /                 ~-. _ .-~      .-~^-.  \
 (( /// ))      `.   {            }                   /      \  \
  (( / ))     .----~-.\        \-'                 .~         \  `. \^-.
             ///.----..>        \             _ -~             `.  ^-`  ^-_
               ///-._ _ _ _ _ _ _}^ - - - - ~                     ~-- ,.-~
                                                                  /.-~
---------------------------------------------------------------------------
Read the blog posts here:
https://iwantmore.pizza/posts/PEzor.html
https://iwantmore.pizza/posts/PEzor2.html
https://iwantmore.pizza/posts/PEzor3.html
https://iwantmore.pizza/posts/PEzor4.html
Based on:
https://github.com/TheWover/donut
https://github.com/EgeBalci/sgn
https://github.com/JustasMasiulis/inline_syscall
https://github.com/CylanceVulnResearch/ReflectiveDLLRefresher
---------------------------------------------------------------------------
[?] Unhook enabled
[?] Anti-debug enabled
[?] Payload will be put in .text section
[?] Self-executing payload
[?] Waiting 10 seconds before executing the payload
[?] Processing mimikatz.exe
./PEzor.sh: line 323: [: missing `]'
[?] PE detected: mimikatz.exe: PE32+ executable (console) x86-64, for MS Windows
[?] Building executable
[?] Executing donut

  [ Donut shellcode generator v1 (built Dec 14 2023 02:10:45)
  [ Copyright (c) 2019-2021 TheWover, Odzhan

  [ Instance type : Embedded
  [ Module file   : "mimikatz.exe"
  [ Entropy       : Random names + Encryption
  [ Compressed    : aPLib (Reduced by 54%)
  [ File type     : EXE
  [ Target CPU    : x86+amd64
  [ AMSI/WDLP/ETW : continue
  [ PE Headers    : overwrite
  [ Shellcode     : "/tmp/tmp.zVG1q34Pqt/shellcode.bin.donut"
  [ Exit          : Thread
In file included from /home/kali/tools/PE-Loader/PEzor/ApiSetMap.c:32:
/home/kali/tools/PE-Loader/PEzor/ApiSetMap.h:160:34: warning: a function declaration without a prototype is deprecated in all versions of C [-Wstrict-prototypes]
__PPEB GetProcessEnvironmentBlock();
                                 ^
                                  void                                                                                                                                                                                        
/home/kali/tools/PE-Loader/PEzor/ApiSetMap.h:161:51: warning: a function declaration without a prototype is deprecated in all versions of C [-Wstrict-prototypes]                                                             
__PLDR_DATA_TABLE_ENTRY GetInMemoryOrderModuleList();
                                                  ^
                                                   void                                                                                                                                                                       
/home/kali/tools/PE-Loader/PEzor/ApiSetMap.c:34:34: warning: a function declaration without a prototype is deprecated in all versions of C [-Wstrict-prototypes]                                                              
__PPEB GetProcessEnvironmentBlock()
                                 ^
                                  void                                                                                                                                                                                        
/home/kali/tools/PE-Loader/PEzor/ApiSetMap.c:50:51: warning: a function declaration without a prototype is deprecated in all versions of C [-Wstrict-prototypes]                                                              
__PLDR_DATA_TABLE_ENTRY GetInMemoryOrderModuleList()
                                                  ^
                                                   void                                                                                                                                                                       
4 warnings generated.                                                                                                                                                                                                         
In file included from /home/kali/tools/PE-Loader/PEzor/loader.c:1:
In file included from /home/kali/tools/PE-Loader/PEzor/loader.h:7:
/home/kali/tools/PE-Loader/PEzor/ApiSetMap.h:160:34: warning: a function declaration without a prototype is deprecated in all versions of C [-Wstrict-prototypes]
__PPEB GetProcessEnvironmentBlock();
                                 ^
                                  void                                                                                                                                                                                        
/home/kali/tools/PE-Loader/PEzor/ApiSetMap.h:161:51: warning: a function declaration without a prototype is deprecated in all versions of C [-Wstrict-prototypes]                                                             
__PLDR_DATA_TABLE_ENTRY GetInMemoryOrderModuleList();
                                                  ^
                                                   void                                                                                                                                                                       
In file included from /home/kali/tools/PE-Loader/PEzor/loader.c:1:                                                                                                                                                            
/home/kali/tools/PE-Loader/PEzor/loader.h:17:15: warning: a function declaration without a prototype is deprecated in all versions of C [-Wstrict-prototypes]
void RefreshPE();
              ^
               void                                                                                                                                                                                                           
/home/kali/tools/PE-Loader/PEzor/loader.c:4:15: warning: a function declaration without a prototype is deprecated in all versions of C [-Wstrict-prototypes]                                                                  
void RefreshPE()
              ^
               void                                                                                                                                                                                                           
/home/kali/tools/PE-Loader/PEzor/loader.c:437:10: warning: cast to smaller integer type 'DWORD' (aka 'unsigned long') from 'PCHAR' (aka 'char *') [-Wpointer-to-int-cast]                                                     
    if (((DWORD)lpProcName & 0xFFFF0000) == 0x00000000)
         ^~~~~~~~~~~~~~~~~
/home/kali/tools/PE-Loader/PEzor/loader.c:443:43: warning: cast to smaller integer type 'DWORD' (aka 'unsigned long') from 'PCHAR' (aka 'char *') [-Wpointer-to-int-cast]                                                     
        uiAddressArray += ((IMAGE_ORDINAL((DWORD)lpProcName) - pExportDirectory->Base) * sizeof(DWORD));
                                          ^~~~~~~~~~~~~~~~~
/usr/x86_64-w64-mingw32/include/winnt.h:8299:48: note: expanded from macro 'IMAGE_ORDINAL'                                                                                                                                    
#define IMAGE_ORDINAL(Ordinal) IMAGE_ORDINAL64(Ordinal)
                                               ^~~~~~~
/usr/x86_64-w64-mingw32/include/winnt.h:8270:35: note: expanded from macro 'IMAGE_ORDINAL64'                                                                                                                                  
#define IMAGE_ORDINAL64(Ordinal) (Ordinal & 0xffffull)
                                  ^~~~~~~
6 warnings generated.                                                                                                                                                                                                         
x86_64-w64-mingw32-clang++ -O3 -Wl,-strip-all,-subsystem=windows -Wall -pedantic -D_WINX64 -DWIN_X64 -DUNHOOK -DANTIDEBUG -DSELFINJECT -D_TEXT_ -std=c++17 -static /home/kali/tools/PE-Loader/PEzor/inject.cpp /home/kali/tools/PE-Loader/PEzor/PEzor.cpp /tmp/tmp.zVG1q34Pqt/shellcode.cpp /tmp/tmp.zVG1q34Pqt/sleep.cpp /tmp/tmp.zVG1q34Pqt/ApiSetMap.o /tmp/tmp.zVG1q34Pqt/loader.o -o mimikatz.exe.packed.exe
[!] Done! Check mimikatz.exe.packed.exe: PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows

The packed exe gets created, but it is dead; nothing happens, despite a running process:
[screenshot attached in the original issue]

I tracked it down this far: up to and including the shellcode creation with donut, everything is fine. I can use the donut loader and run the shellcode from the temp folder, and it starts mimikatz as expected.
So something after that step is off.
I thought it might have something to do with python3 being upgraded to 3.11, so I did all steps manually and stayed with a 3.9.7 version. However, the results were the same.
