SharpBlock failed with error: Failed to read memory, PartialCopy

Question

SharpBlock failed with error: Failed to read memory, PartialCopy

Closed this issue 4 years ago · 2 comments

Hi,

When executing the following command I get an error:

SharpBlock.exe -w -e C:\...\test.exe
SharpBlock by @_EthicalChaos_
  DLL Blocking app for child processes x86_64

[+] in-proc amsi 0x00007ff9ef520000
[+] in-proc ntdll 0x00007ffa11230000
[+] Launched process C:\...\test.exe with PID 17896
[!] SharpBlock failed with error Failed to read memory, PartialCopy
   at SharpSploit.Execution.DynamicInvoke.Native.NtReadVirtualMemory(IntPtr ProcessHandle, IntPtr BaseAddress, IntPtr Buffer, UInt32& NumberOfBytesToRead)
   at SharpBlock.Program.ReadBytes(IntPtr hProcess, IntPtr address, Int32 size) in C:\...\SharpBlock-master\Program.cs:line 373
   at SharpBlock.Program.ReadMovAddress(IntPtr hProcess, IntPtr address) in C:\...\SharpBlock-master\Program.cs:line 161
   at SharpBlock.Program.UpdateCommandLine(IntPtr hProcess, String args) in C:\...\SharpBlock-master\Program.cs:line 192
   at SharpBlock.Program.Main(String[] args) in C:\...\SharpBlock-master\Program.cs:line 763

I'm trying to execude a simple c# script that executes a reverse shell using shellcode (Program.cs) in order to test an EDR.

What am I doing wrong?

Thx for the awsome project

Answer 1 · 2021-02-02T09:16:44.000Z

Hard to tell without debugging. How have you compiled the test.exe, is it x64 or x86? Architecture should match the child process.

Answer 2 · 2021-02-02T21:14:28.000Z

my bad, I was using the x86 version instead of the x64 :)