optiv / freeze.rs Goto Github PK

Hi, I am looking to find a way to use freeze to encrypt cobalt payloads, I was attempting with golang version but didn't work, I now, I am trying to make this Rust version work.

I am facing this error posted below, it says "No such file or directory" }', build/src/build.rs:23:10
Could you help to understand what I am missing?
Thank you

[!] Selected Process to Suspend: notepad.exe
[] Encrypting Shellcode Using AES Encryption
[] Shellcode Encrypted
[*] Created new Rust project: 1
thread 'main' panicked at 'Failed to open Cargo.toml: Os { code: 3, kind: NotFound, message: "系统找不到指定的路径。" }', build\src/build.rs:30:10
note: run with RUST_BACKTRACE=1 environment variable to display a backtrace

Hello,

I'm testing your packer, and it seems that the embedded shellcode is not executing properly.

I generated the shellcode with the following command:
msfvenom --platform Windows -p windows/x64/exec CMD=calc.exe -f raw -o calc.raw

Then, I used Freeze.rs like this:

git clone https://github.com/optiv/Freeze.rs.git
cd Freeze.rs/
cargo run -- --Input calc.raw --console -O calc.exe

When executed, the packer is looping and spamming suspended Notepad.exe processes. The shellcode is thus not executed:

To make sure that the shellcode is working properly, I tested with RustPacker using the following command:
cargo run -- -f shared/calc.raw -i syscrt -e aes

This time, the shellcode is properly executed:

The target system I tested Freeze.rs against is a Windows 11 Pro 21H2.

All the best,
Nariod

sry,Is this the result of success?

Hello,

I wanted to inform you that I encountered some issues while using your program. The following errors were detected: E0405, E0412, E0432, E0433, E0463.

I found that these errors come with detailed explanations and that more information can be obtained by using the command rustc --explain E0405.

When attempting to compile typenum using the cargo build command, it was reported that there were 150 previous errors, and the command ultimately failed.

I hope you can assist me in resolving this issue. Thank you in advance for your efforts.

Best regards,

Hi,

I've tried a couple of payloads as I wasn't sure in which format they should be. From simple meterpreter, mimikatz and some .NET code. With the command

./Freeze-rs -c -p notepad.exe -I examples/psshell.bin -O psshell.exe

The code compiles, I can execute the code on Windows but the process crash. I can see notepad.exe started briefly before WerFault.exe . Similar if I use PELoader, it's starting the process and then all crashes. I wonder if the payload needs to be very specific or it's something else.

C:\Users\localadmin\Downloads>ps-freeze.exe
[*] Patching ETW...
[*] Created Suspended Process 9976
[*] Selected Module: ntdll.dll
[*] Creating Handle to Suspend Process
[*] Module's Base Address: 0x00007ffb519d0000
[*] Offset of .Text Section: 0x1000
[*] Full Address Mappuing: 0x7ffb519d1000
[*] Size: 1151438
[+] Parsing Our Proccess's Ntdll.dll Structure
[+] Restoring Our Proccess's Ntdll.dll .Text Space
[+] Hooks Flushed Out
[*] Repatching ETW...
[*] Executing Shellcode
[*] Calling NtAllocateVirutalMemory
[*] Calling NtWriteVirtualMemory
[*] Calling NtProtectVirtualMemory

C:\Users\localadmin\Downloads>