phra / PEzor

Open-Source Shellcode & PE Packer

Home Page:https://iwantmore.pizza/posts/PEzor.html


Can't use -syscalls

dobin opened this issue · comments

inject.cpp:232 does not have enough type information?

# bash PEzor.sh -sgn -unhook -antidebug -text -syscalls -sleep=2 seatbelt64.exe -z 2
PEzor!! v3.1.2
---------------------------------------------------------------------------
Read the blog posts here:
https://iwantmore.pizza/posts/PEzor.html
https://iwantmore.pizza/posts/PEzor2.html
https://iwantmore.pizza/posts/PEzor3.html
https://iwantmore.pizza/posts/PEzor4.html
Based on:
https://github.com/TheWover/donut
https://github.com/EgeBalci/sgn
https://github.com/JustasMasiulis/inline_syscall
https://github.com/CylanceVulnResearch/ReflectiveDLLRefresher
---------------------------------------------------------------------------
[?] Final shellcode will be encoded with sgn
[?] Unhook enabled
[?] Anti-debug enabled
[?] Payload will be put in .text section
[?] Syscalls enabled
[?] Waiting 2 seconds before executing the payload
[?] Processing seatbelt64.exe
[?] PE detected: seatbelt64.exe: PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
[?] Building executable
[?] Executing donut 2

  [ Donut shellcode generator v0.9.3
  [ Copyright (c) 2019 TheWover, Odzhan

  [ Instance type : Embedded
  [ Module file   : "seatbelt64.exe"
  [ Entropy       : Random names + Encryption
  [ Compressed    : aPLib (Reduced by 65%)
  [ File type     : .NET EXE
  [ Target CPU    : x86+amd64
  [ AMSI/WDLP     : continue
  [ Shellcode     : "/tmp/tmp.zdwC7updla/shellcode.bin.donut"
[?] Executing sgn
       __   _ __        __                               _
  ___ / /  (_) /_____ _/ /____ _  ___ ____ _  ___  ___ _(_)
 (_-</ _ \/ /  '_/ _ `/ __/ _ `/ / _ `/ _ `/ / _ \/ _ `/ /
/___/_//_/_/_/\_\\_,_/\__/\_,_/  \_, /\_,_/ /_//_/\_,_/_/
========[Author:-Ege-Balcı-]====/___/=======v2.0.0=========
    ┻━┻ ︵ヽ(`Д´)ノ︵ ┻━┻           (ノ ゜Д゜)ノ ︵ 仕方がない

[*] Input: /tmp/tmp.zdwC7updla/shellcode.bin.donut
[*] Input Size: 245209
[*] Outfile: /tmp/tmp.zdwC7updla/shellcode.bin
[+] Final size: 245290
[+] All done \(^O^)/
/root/Repos/PEzor/inject.cpp:232:22: error: no matching function for call to object of type '::jm::syscall_function<decltype(NtCreateThreadEx)>' (aka 'syscall_function<long (void **, unsigned long, _OBJECT_ATTRIBUTES *, void *, void *, void *, unsigned long, unsigned long long, unsigned long long, unsigned long long, _PS_ATTRIBUTE_LIST *)>')
            status = INLINE_SYSCALL(NtCreateThreadEx)(
                     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/root/Repos/PEzor/deps/inline_syscall/include/inline_syscall.hpp:26:5: note: expanded from macro 'INLINE_SYSCALL'
    INLINE_SYSCALL_MANUAL(               \
    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/root/Repos/PEzor/deps/inline_syscall/include/inline_syscall.hpp:44:5: note: expanded from macro 'INLINE_SYSCALL_MANUAL'
    ::jm::syscall_function<decltype(function_pointer)> { syscall_id }
    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/root/Repos/PEzor/deps/inline_syscall/include/inline_syscall.hpp:70:18: note: candidate function not viable: no known conversion from 'void (void (*)())' to 'void *' for 5th argument
        inline R operator()(Args... args) const noexcept;
                 ^
1 error generated.

It seems related to the https://github.com/JustasMasiulis/inline_syscall project.
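A minimal reproduction of the type mismatch behind that compiler error, as an added example that is not PEzor's or inline_syscall's code: syscall_function, FakeNtCreateThreadEx, entry_point and the syscall id are constructed stand-ins that perform no syscall, and only show how the parameter types are deduced from the prototype and why a function pointer has to be cast to void* explicitly.

```cpp
#include <cstddef>
#include <cstdint>
#include <tuple>
#include <type_traits>
// Constructed stand-in for inline_syscall's syscall_function<decltype(Fn)>:
// the primary template stays undefined and a partial specialisation peels
// the return type and parameter list off the function type it is given.
template <class Fn> struct syscall_function;

template <class R, class... Args>
struct syscall_function<R(Args...)> {
    std::uint32_t syscall_id;
    // Type of the N-th (0-based) parameter, deduced from the prototype.
    template <std::size_t N>
    using arg_t = typename std::tuple_element<N, std::tuple<Args...>>::type;
    // The real library emits a syscall here; this stand-in only returns a
    // value derived from the id and argument count so it runs anywhere.
    // The point is the signature: every argument must convert to Args...
    R operator()(Args... args) const noexcept {
        return static_cast<R>(syscall_id + sizeof...(args));
    }
};

// Constructed prototype in the NtCreateThreadEx shape: the 5th parameter
// (the start routine) is a plain void*, just as in the real declaration.
using NTSTATUS = long;
NTSTATUS FakeNtCreateThreadEx(void** thread_handle, unsigned long access,
                              void* attributes, void* process,
                              void* start_routine, void* argument,
                              unsigned long flags);
using fake_syscall = syscall_function<decltype(FakeNtCreateThreadEx)>;

// Why clang complains about the "5th argument": it is typed void*.
bool fifth_arg_is_void_pointer() {
    return std::is_same<fake_syscall::arg_t<4>, void*>::value;
}

void entry_point() {}  // constructed stand-in for the thread start routine

NTSTATUS call_with_cast() {
    fake_syscall fn{0x00C1};  // constructed id, not a real syscall number
    void* handle = nullptr;
    // fn(&handle, 0, nullptr, nullptr, entry_point, nullptr, 0) fails to
    // compile: a function never converts implicitly to void*, which is the
    // thread's "no known conversion ... to 'void *' for 5th argument".
    // Spelling the conversion out is what makes the call well-formed.
    return fn(&handle, 0, nullptr, nullptr,
              reinterpret_cast<void*>(&entry_point), nullptr, 0);
}
```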

Implementing #26 would solve the issue.

Can you retry with the latest version in the master branch and reopen if still applicable?