Confusing CLI Options Description
capt-meelo opened this issue · comments
Meelo commented
CLI options description states that `-self` is not compatible with `-sgn`.
```
# PEzor <-32|-64> [options...] <SHELLCODE>
OPTIONS
-h Show usage and exits
-32 Force 32-bit executable
-64 Force 64-bit executable
-debug Generate a debug build
-unhook User-land hooks removal
-antidebug Add anti-debug checks
-syscalls Use raw syscalls [64-bit only] [Windows 10 only]
-sgn Encode the provided shellcode with sgn
-text Store shellcode in .text section instead of .data
-rx Allocate RX memory for shellcode
-self Execute the shellcode in the same thread [requires RX shellcode, not compatible with -sgn]
-sleep=N Sleeps for N seconds before unpacking the shellcode
-format=FORMAT Outputs result in specified FORMAT (exe, dll, reflective-dll, service-exe, service-dll, dotnet, dotnet-createsection, dotnet-pinvoke)
```
However, using both `-self` and `-sgn` works.
```
┌──(root💀kali)-[~/beaconator/output]
└─# PEzor.sh -64 -self -sgn -format=exe /root/shellcode.bin
< PEzor!! v2.1.0 >
---------------------------------------------------------------------------
Read the blog posts here:
https://iwantmore.pizza/posts/PEzor.html
https://iwantmore.pizza/posts/PEzor2.html
https://iwantmore.pizza/posts/PEzor3.html
Based on:
https://github.com/TheWover/donut
https://github.com/EgeBalci/sgn
https://github.com/JustasMasiulis/inline_syscall
https://github.com/CylanceVulnResearch/ReflectiveDLLRefresher
---------------------------------------------------------------------------
[?] Forcing 64-bit architecture
[?] Self-executing payload
[?] Final shellcode will be encoded with sgn
[?] Output format: exe
[?] Processing /root/shellcode.bin
[?] Shellcode detected
[?] Building executable
[?] Executing sgn
========[Author:-Ege-Balcı-]====/___/=======v2.0.0=========
[*] Input: /tmp/shellcode.bin.donut
[*] Input Size: 261632
[*] Outfile: /tmp/shellcode.bin
[+] Final size: 261758
[+] All done \(^O^)/
[!] Done! Check /root/shellcode.bin.packed.exe: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
```
Digging in the below code shows that `-rx` and `-sgn` are not compatible.
```bash
if [ $RX = true ] && [ $SGN = true ]; then
    echo '[x] Error: cannot encode the shellcode when self-executing the payload'
    exit 1
fi
```
I'm not sure if the CLI option description for `-self` is wrong or the code shown above is wrong.
Francesco Soncina commented
Thanks for noticing a potential inconsistency, do you mind sending a PR?
Meelo commented
I don't mind sending a PR. But first I need to know which one is correct. From the below, which of them are not compatible?

1. `-sgn` and `-self`
2. `-sgn` and `-rx`
Francesco Soncina commented
the second one