Executable runs and the process dies shortly after, no beacon / shell
Closed this issue · 1 comments
Since the max shellcode size update (thank you for this, really looking forward to the tool), Alaris will build the payload (following your exact Cobalt Strike steps to generate the SC), but the executable doesn't result in a beacon. All other payloads from CS work fine, so my setup is OK. Ideas? Watching the process in Task Manager shows it run for about 10 seconds and close; no endpoint security.
Alaris has some code that overwrites 500 bytes of the shellcode with null bytes after about 9 seconds or so.
```
// Overwrite shellcode with null bytes
Sleep(9999);
uint8_t overwrite[500];
NtWriteVirtualMemory(hProcess, mem, overwrite, sizeof(overwrite), 0);
```
I'm assuming this is your issue, as you have large shellcode which takes longer to load and execute within the hollowed process. Essentially, I'm clobbering 500B of your shellcode too soon. Feel free to comment this code out if you need, or simply change the Sleep(); to a larger number.