Error using syscalls

Question

Error using syscalls

hawaii67 opened this issue 4 years ago · comments

This is the command I use :

PEzor.sh -sgn -unhook -antidebug -text -syscalls -sleep=120 mimikatz.exe -z 2

and I get these errors:

In file included from /root/scripts/_AV/PEzor/inject.cpp:7: In file included from /root/scripts/_AV/PEzor/deps/inline_syscall/include/in_memory_init.hpp:20: /root/scripts/_AV/PEzor/deps/inline_syscall/include/inline_syscall.hpp:35:27: error: no type named 'uint32_t' in namespace 'std' inline constexpr std::uint32_t hash(const char* str) noexcept ~~~~~^ /root/scripts/_AV/PEzor/deps/inline_syscall/include/inline_syscall.hpp:37:14: error: no type named 'uint32_t' in namespace 'std' std::uint32_t value = 2166136261; ~~~~~^ /root/scripts/_AV/PEzor/deps/inline_syscall/include/inline_syscall.hpp:45:38: error: no type named 'uint32_t' in namespace 'std' value = static_cast<std::uint32_t>((value ^ c) * 16777619ull); ~~~~~^ /root/scripts/_AV/PEzor/deps/inline_syscall/include/inline_syscall.hpp:49:15: error: use of undeclared identifier 'syscall_entry_full' constexpr syscall_entry_full::syscall_entry_full(std::uint32_t hash_) noexcept ^ /root/scripts/_AV/PEzor/deps/inline_syscall/include/inline_syscall.hpp:49:68: error: use of undeclared identifier 'hash_'; did you mean 'hash'? constexpr syscall_entry_full::syscall_entry_full(std::uint32_t hash_) noexcept ^~~~~ hash /root/scripts/_AV/PEzor/deps/inline_syscall/include/inline_syscall.hpp:35:36: note: 'hash' declared here inline constexpr std::uint32_t hash(const char* str) noexcept ^ /root/scripts/_AV/PEzor/deps/inline_syscall/include/inline_syscall.hpp:58:23: error: no type named 'uint32_t' in namespace 'std' template<std::uint32_t Hash> ~~~~~^ /root/scripts/_AV/PEzor/deps/inline_syscall/include/inline_syscall.hpp:61:42: error: unknown type name 'JM_INLINE_SYSCALL_ENTRY_TYPE' "_sysc")]] inline static JM_INLINE_SYSCALL_ENTRY_TYPE entry{ Hash }; ^ /root/scripts/_AV/PEzor/deps/inline_syscall/include/inline_syscall.hpp:77:9: error: no type named 'int32_t' in namespace 'std' JM_INLINE_SYSCALL_STUB(std::uint32_t id) ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ /root/scripts/_AV/PEzor/deps/inline_syscall/include/inline_syscall.hpp:30:40: note: expanded from macro 'JM_INLINE_SYSCALL_STUB' JM_INLINE_SYSCALL_FORCEINLINE std::int32_t syscall(__VA_ARGS__) noexcept ~~~~~^ /root/scripts/_AV/PEzor/deps/inline_syscall/include/inline_syscall.hpp:77:37: error: no type named 'uint32_t' in namespace 'std' JM_INLINE_SYSCALL_STUB(std::uint32_t id) ~~~~~^ /root/scripts/_AV/PEzor/deps/inline_syscall/include/inline_syscall.hpp:30:56: note: expanded from macro 'JM_INLINE_SYSCALL_STUB' JM_INLINE_SYSCALL_FORCEINLINE std::int32_t syscall(__VA_ARGS__) noexcept ^~~~~~~~~~~ /root/scripts/_AV/PEzor/deps/inline_syscall/include/inline_syscall.hpp:87:18: error: no type named 'int32_t' in namespace 'std' std::int32_t status; ~~~~~^ /root/scripts/_AV/PEzor/deps/inline_syscall/include/inline_syscall.hpp:102:9: error: no type named 'int32_t' in namespace 'std' JM_INLINE_SYSCALL_STUB(std::uint32_t id, T1 _1) . . . .

Can anybody help please?

hawaii67 · Answer 1 · Wed Dec 02 2020 15:53:05 GMT+0800 (China Standard Time)

Ok, I found that inline_syscall.hpp seems to be the culprit.
It has been modified 11 days ago. With an old version it seems to work (I took a backuped copy of the deps directory).
So running install.sh now should cause the same problem.
Can anybody confirm please?

Grem25 · Answer 2 · Tue Dec 08 2020 01:20:00 GMT+0800 (China Standard Time)

@hawaii67 I can confirm you that using the old inline_syscall.hpp file from his original repo located there

https://github.com/JustasMasiulis/inline_syscall/blob/master/include/inline_syscall.hpp

It's working well.

hawaii67 · Answer 3 · Tue Dec 08 2020 02:50:16 GMT+0800 (China Standard Time)

Thank you Grem25 !

Francesco Soncina · Answer 4 · Thu Dec 10 2020 05:41:17 GMT+0800 (China Standard Time)

i have sent this PR #24, can you check that it works for you?

hawaii67 · Answer 5 · Thu Dec 10 2020 15:13:49 GMT+0800 (China Standard Time)

Sorry, not working.

git checkout 24238544b510d8f85ca38de3a43bc41fa8cfe380 brings this error mesage:

fatal: reference is not a tree: 24238544b510d8f85ca38de3a43bc41fa8cfe380

Francesco Soncina · Answer 6 · Thu Dec 10 2020 21:22:12 GMT+0800 (China Standard Time)

delete the deps/inline_syscall folder before re-running the script.

hawaii67 · Answer 7 · Thu Dec 10 2020 21:30:15 GMT+0800 (China Standard Time)

Beleive me, I did:

./install.sh

Hit:1 http://dl.google.com/linux/chrome/deb stable InRelease
Hit:2 https://linux.teamviewer.com/deb stable InRelease
Hit:3 https://deb.nodesource.com/node_8.x jessie InRelease
Hit:4 https://download.docker.com/linux/debian buster InRelease
Get:5 https://packages.microsoft.com/ubuntu/16.04/prod xenial InRelease [4,003 B]
Hit:6 https://packages.microsoft.com/repos/microsoft-debian-stretch-prod stretch InRelease
Hit:8 https://download.sublimetext.com apt/stable/ InRelease
Get:7 http://ftp.halifax.rwth-aachen.de/kali kali-rolling InRelease [30.5 kB]
Get:10 https://packages.microsoft.com/ubuntu/16.04/prod xenial/main amd64 Packages [175 kB]
Hit:9 https://packagecloud.io/firstlookmedia/code/debian bullseye InRelease
Get:11 http://ftp.halifax.rwth-aachen.de/kali kali-rolling/main amd64 Packages [17.0 MB]
Get:12 http://ftp.halifax.rwth-aachen.de/kali kali-rolling/main i386 Packages [16.9 MB]
Fetched 34.1 MB in 5s (7,354 kB/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
24 packages can be upgraded. Run 'apt list --upgradable' to see them.
Reading package lists... Done
Building dependency tree
Reading state information... Done
autotools-dev is already the newest version (20180224.1).
build-essential is already the newest version (12.8).
clang is already the newest version (1:9.0-49.1).
cmake is already the newest version (3.18.4-1).
cowsay is already the newest version (3.03+dfsg2-8).
git is already the newest version (1:2.29.2-1).
golang is already the newest version (2:1.15~1).
libcapstone-dev is already the newest version (4.0.1+really+3.0.5-2+b1).
libssl-dev is already the newest version (1.1.1h-1).
mingw-w64 is already the newest version (8.0.0-1).
mono-devel is already the newest version (6.8.0.105+dfsg-3).
unzip is already the newest version (6.0-25).
wget is already the newest version (1.20.3-1+b3).
0 upgraded, 0 newly installed, 0 to remove and 24 not upgraded.
Cloning into 'inline_syscall'...
remote: Enumerating objects: 8, done.
remote: Counting objects: 100% (8/8), done.
remote: Compressing objects: 100% (8/8), done.
remote: Total 85 (delta 3), reused 0 (delta 0), pack-reused 77
Receiving objects: 100% (85/85), 26.80 KiB | 784.00 KiB/s, done.
Resolving deltas: 100% (42/42), done.
fatal: reference is not a tree: 24238544b510d8f85ca38de3a43bc41fa8cfe380
`

Francesco Soncina · Answer 8 · Thu Dec 10 2020 21:42:46 GMT+0800 (China Standard Time)

cd inline_syscall was missing.

hawaii67 · Answer 9 · Thu Dec 10 2020 21:55:56 GMT+0800 (China Standard Time)

Perfect. It Works. Thank you.