Hi! As i mentioned in #73 im trying to fix PEzor because it will be the main tool which i want to use in my master thesis ;)

I already fix:

• Problem with installation by changing 37line in install.sh to: go install github.com/EgeBalci/sgn@latest &&
• Problem with SYSCALLS Type Conversion Error using fix from #64

After that i created a small C# app which just starts notepad.exe:

using System;
using System.Diagnostics;

namespace ConsoleApp1
{
    class Program
    {
        static void Main(string[] args)
        {
            Console.WriteLine("Starting notepad.exe");
            Process.Start("notepad.exe");
        }
    }
}

Then im trying to use PEzor to obfuscate it:

┌──(root💀kali)-[/home/kali/Tools/PEzor]
└─# ./PEzor.sh -sgn -unhook -antidebug -text -sleep=1 test.exe -z 2 
(logo stripped)
[?] Final shellcode will be encoded with sgn
[?] Unhook enabled
[?] Anti-debug enabled
[?] Payload will be put in .text section
[?] Waiting 1 seconds before executing the payload
[?] Processing test.exe
[?] PE detected: test.exe: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
[?] Building executable
[?] Executing donut

  [ Donut shellcode generator v0.9.3 (built Apr 13 2022 10:17:43)
  [ Copyright (c) 2019-2021 TheWover, Odzhan

  [ Instance type : Embedded
  [ Module file   : "test.exe"
  [ Entropy       : Random names + Encryption
  [ Compressed    : aPLib (Reduced by 58%)
  [ File type     : .NET EXE
  [ Target CPU    : x86+amd64
  [ AMSI/WDLP     : continue
  [ PE Headers    : overwrite
  [ Shellcode     : "/tmp/tmp.HKc29PdaD7/shellcode.bin.donut"
  [ Exit          : Thread
[?] Executing sgn
       __   _ __        __                               _ 
  ___ / /  (_) /_____ _/ /____ _  ___ ____ _  ___  ___ _(_)
 (_-</ _ \/ /  '_/ _ `/ __/ _ `/ / _ `/ _ `/ / _ \/ _ `/ / 
/___/_//_/_/_/\_\\_,_/\__/\_,_/  \_, /\_,_/ /_//_/\_,_/_/  
========[Author:-Ege-Balcı-]====/___/=======v2.0.0=========  
    ┻━┻ ︵ヽ(`Д´)ﾉ︵ ┻━┻           (ノ ゜Д゜)ノ ︵ 仕方がない

[*] Input: /tmp/tmp.HKc29PdaD7/shellcode.bin.donut
[*] Input Size: 29526
[*] Outfile: /tmp/tmp.HKc29PdaD7/shellcode.bin
[+] Final size: 29680
[+] All done ＼(＾O＾)／
/home/kali/Tools/PEzor/inject.cpp:257:17: warning: cast between incompatible calling conventions 'cdecl' and 'stdcall'; calls through this pointer may abort at runtime [-Wcast-calling-convention]
                (LPTHREAD_START_ROUTINE)executor,
                ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/home/kali/Tools/PEzor/inject.cpp:71:6: note: consider defining 'executor' with the 'stdcall' calling convention                                                                                                                             
void executor(void (*shellcode)(void)) {
     ^
     __attribute__((stdcall))                                                                                                                                                                                                                
1 warning generated.                                                                                                                                                                                                                         
[!] Done! Check test.exe.packed.exe: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows

Unless after trying to run created test.exe.packed.exe theres no output and notepad.exe wont show.
Maybe im using it wrong? Its very strange that my friend have old installation of PEzor and the same app with the same command after obfuscation works properely.

Im assume that due chagnes in sgn, go and other dependencies fresh installation of (even fixed) PEzor is broken.
Lets talk @phra how to fix it. Please, do not close my issue too fast.
I want to use exactly that tool in my master thesis :)

Regards!

make -f Makefile.mingw
rm -f exe2h exe2h.exe loader.bin instance donut.o hash.o encrypt.o format.o clib.o hash encrypt donut hash.exe encrypt.exe donut.exe lib/libdonut.a lib/libdonut.so loader.exe loader32.exe loader64.exe inject32.exe inject64.exe inject_local32.exe inject_local64.exe

RELEASE

gcc -I include loader/exe2h/exe2h.c -oexe2h
x86_64-w64-mingw32-gcc -I include loader/exe2h/exe2h.c loader/exe2h/mmap-windows.c -lshlwapi -oexe2h.exe
i686-w64-mingw32-gcc -DBYPASS_AMSI_B -DBYPASS_WLDP_A -DBYPASS_ETW_B -fno-toplevel-reorder -fpack-struct=8 -fPIC -O0 -nostdlib loader/loader.c loader/depack.c loader/clib.c hash.c encrypt.c -I include -oloader.exe
In file included from loader/loader.h:97,
from loader/loader.c:32:
loader/peb.h:214:16: error: redefinition of ‘struct _PROCESSOR_NUMBER’
214 | typedef struct _PROCESSOR_NUMBER {
| ^~~~~~~~~~~~~~~~~
In file included from /usr/share/mingw-w64/include/minwindef.h:163,
from /usr/share/mingw-w64/include/windef.h:9,
from /usr/share/mingw-w64/include/windows.h:69,
from loader/loader.h:41:
/usr/share/mingw-w64/include/winnt.h:9435:16: note: originally defined here
9435 | typedef struct _PROCESSOR_NUMBER {
| ^~~~~~~~~~~~~~~~~
loader/peb.h:218:3: error: conflicting types for ‘PROCESSOR_NUMBER’; have ‘struct _PROCESSOR_NUMBER’
218 | } PROCESSOR_NUMBER, *PPROCESSOR_NUMBER;
| ^~~~~~~~~~~~~~~~
/usr/share/mingw-w64/include/winnt.h:9439:3: note: previous declaration of ‘PROCESSOR_NUMBER’ with type ‘PROCESSOR_NUMBER’
9439 | } PROCESSOR_NUMBER, *PPROCESSOR_NUMBER;
| ^~~~~~~~~~~~~~~~
loader/peb.h:218:22: error: conflicting types for ‘PPROCESSOR_NUMBER’; have ‘struct _PROCESSOR_NUMBER *’
218 | } PROCESSOR_NUMBER, *PPROCESSOR_NUMBER;
| ^~~~~~~~~~~~~~~~~
/usr/share/mingw-w64/include/winnt.h:9439:22: note: previous declaration of ‘PPROCESSOR_NUMBER’ with type ‘PPROCESSOR_NUMBER’ {aka ‘struct _PROCESSOR_NUMBER *’}
9439 | } PROCESSOR_NUMBER, *PPROCESSOR_NUMBER;
| ^~~~~~~~~~~~~~~~~
In file included from loader/winapi.h:36,
from loader/loader.h:98:
loader/bypass.h:38:1: warning: parameter names (without types) in function declaration
38 | BOOL DisableAMSI(PDONUT_INSTANCE);
| ^~~~
loader/bypass.h:41:1: warning: parameter names (without types) in function declaration
41 | BOOL DisableWLDP(PDONUT_INSTANCE);
| ^~~~
loader/bypass.h:44:1: warning: parameter names (without types) in function declaration
44 | BOOL DisableETW(PDONUT_INSTANCE);
| ^~~~
In file included from loader/loader.c:385:
loader/inmem_pe.c: In function ‘RunPE’:
loader/inmem_pe.c:223:39: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
223 | ntnew->OptionalHeader.ImageBase = (ULONGLONG)cs;
| ^
make: *** [Makefile.mingw:9: donut] Error 1

< PEzor!! v3.1.2 >

  \                    / \  //\
   \    |\___/|      /   \//  \\
        /0  0  \__  /    //  | \ \    
       /     /  \/_/    //   |  \  \  
       @_^_@'/   \/_   //    |   \   \ 
       //_^_/     \/_ //     |    \    \
    ( //) |        \///      |     \     \
  ( / /) _|_ /   )  //       |      \     _\
( // /) '/,_ _ _/  ( ; -.    |    _ _\.-~        .-~~~^-.

(( / / )) ,-{ _ -.|.-~-. .~ .
(( // / )) '/\ / -. _ .- .-^-.
(( /// )) . { } / \ \ (( / )) .----~-.\ \-' .~ \ . ^-.
///.----..> \ _ - . ^- ^-_
///-._ _ _ _ _ _ _}^ - - - - ~ -- ,.-
/.-~

Read the blog posts here:
https://iwantmore.pizza/posts/PEzor.html
https://iwantmore.pizza/posts/PEzor2.html
https://iwantmore.pizza/posts/PEzor3.html
https://iwantmore.pizza/posts/PEzor4.html
Based on:
https://github.com/TheWover/donut
https://github.com/EgeBalci/sgn
https://github.com/JustasMasiulis/inline_syscall
https://github.com/CylanceVulnResearch/ReflectiveDLLRefresher

x86_64-w64-mingw32-clang++ is missing from $PATH. Check https://github.com/tpoechtrager/wclang to learn how to install it

示例中的 PEzor.sh -format=reflective-dll mimikatz/x64/mimikatz.exe -z 2 -p '"log c:\users\public\mimi.out" "token::whoami" "exit"' 执行失败,
报错信息: /usr/bin/x86_64-w64-mingw32-ld: /tmp/PEzor-33ee1a.o:(.text+0xa0): multiple definition of `main'; /tmp/hello-c0ed7c.o:(.text+0x10): first defined here
clang: error: linker command failed with exit code 1 (use -v to see invocation)

From this command:

./PEzor.sh -64 -sgn -unhook -antidebug -text -syscalls -sleep=7 payload.bin

PEzor!! v3.0.3

Read the blog posts here:
https://iwantmore.pizza/posts/PEzor.html
https://iwantmore.pizza/posts/PEzor2.html
https://iwantmore.pizza/posts/PEzor3.html
https://iwantmore.pizza/posts/PEzor4.html
Based on:
https://github.com/TheWover/donut
https://github.com/EgeBalci/sgn
https://github.com/JustasMasiulis/inline_syscall
https://github.com/CylanceVulnResearch/ReflectiveDLLRefresher

[?] Forcing 64-bit architecture
[?] Final shellcode will be encoded with sgn
[?] Unhook enabled
[?] Anti-debug enabled
[?] Payload will be put in .text section
[?] Syscalls enabled
[?] Waiting 7 seconds before executing the payload
[?] Processing /media/sf_FUD/aaapayload/payload.bin
[?] PE detected: /media/sf_FUD/aaapayload/payload.bin: data
[?] Building executable
[?] Executing donut

[ Donut shellcode generator v0.9.3
[ Copyright (c) 2019 TheWover, Odzhan

usage: donut [options] <EXE/DLL/VBS/JS>

   Only the finest artisanal donuts are made of shells.

               -MODULE OPTIONS-

   -n <name>            Module name for HTTP staging. If entropy is enabled, this is generated randomly.
   -s <server>          HTTP server that will host the donut module.
   -e <level>           Entropy. 1=None, 2=Use random names, 3=Random names + symmetric encryption (default)

               -PIC/SHELLCODE OPTIONS-

   -a <arch>            Target architecture : 1=x86, 2=amd64, 3=x86+amd64(default).
   -b <level>           Bypass AMSI/WLDP : 1=None, 2=Abort on fail, 3=Continue on fail.(default)
   -o <path>            Output file to save loader. Default is "loader.bin"
   -f <format>          Output format. 1=Binary (default), 2=Base64, 3=C, 4=Ruby, 5=Python, 6=Powershell, 7=C#, 8=Hex
   -y <addr>            Create thread for loader and continue execution at <addr> supplied.
   -x <action>          Exiting. 1=Exit thread (default), 2=Exit process

               -FILE OPTIONS-

   -c <namespace.class> Optional class name. (required for .NET DLL)
   -d <name>            AppDomain name to create for .NET assembly. If entropy is enabled, this is generated randomly.
   -m <method | api>    Optional method or function for DLL. (a method is required for .NET DLL)
   -p <arguments>       Optional parameters/command line inside quotations for DLL method/function or EXE.
   -w                   Command line is passed to unmanaged DLL function in UNICODE format. (default is ANSI)
   -r <version>         CLR runtime version. MetaHeader used by default or v4.0.30319 if none available.
   -t                   Execute the entrypoint of an unmanaged EXE as a thread.
   -z <engine>          Pack/Compress file. 1=None, 2=aPLib

examples:

donut c2.dll
donut -a1 -cTestClass -mRunProcess -pnotepad.exe loader.dll
donut loader.dll -c TestClass -m RunProcess -p"calc notepad" -s http://remote_server.com/modules/

[?] Executing sgn
__ _ __ __ _
___ / / () /_____ / /__ _ ___ ____ _ ___ ___ ()
(-</ _ / / '/ _ / __/ _ / / _ / _ / / _ / _ / / /___/_//_/_/_/\_\\_,_/\__/\_,_/ \_, /\_,_/ /_//_/\_,_/_/ ========[Author:-Ege-Balcı-]====/___/=======v2.0.0========= ┻━┻ ︵ヽ(Д´)ﾉ︵ ┻━┻ (ノ ゜Д゜)ノ ︵ 仕方がない

2021/08/13 08:44:56 [MAIN] ERROR: open /tmp/shellcode.bin.donut: no such file or directory
od: /tmp/shellcode.bin: No such file or directory
/root/tools/PEzor/inject.cpp:7:14: fatal error: 'deps/inline_syscall/include/in_memory_init.hpp' file not found
#include "deps/inline_syscall/include/in_memory_init.hpp"
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 error generated.

[?] Payload will be put in .text section
[?] Final shellcode will be encoded with sgn
[?] Waiting 10 seconds before executing the payload
[?] Processing -obfuscate
[x] ERROR: -obfuscate doesn't exist

what happened here?

CLI options description states that -self is not compatible with -sgn.

# PEzor <-32|-64> [options...] <SHELLCODE>

OPTIONS
  -h                        Show usage and exits
  -32                       Force 32-bit executable
  -64                       Force 64-bit executable
  -debug                    Generate a debug build
  -unhook                   User-land hooks removal
  -antidebug                Add anti-debug checks
  -syscalls                 Use raw syscalls [64-bit only] [Windows 10 only]
  -sgn                      Encode the provided shellcode with sgn
  -text                     Store shellcode in .text section instead of .data
  -rx                       Allocate RX memory for shellcode
  -self                     Execute the shellcode in the same thread [requires RX shellcode, not compatible with -sgn]
  -sleep=N                  Sleeps for N seconds before unpacking the shellcode
  -format=FORMAT            Outputs result in specified FORMAT (exe, dll, reflective-dll, service-exe, service-dll, dotnet, dotnet-createsection, dotnet-pinvoke)

However, using both -self and -sgn works.

┌──(root💀kali)-[~/beaconator/output]
└─# PEzor.sh -64 -self -sgn -format=exe /root/shellcode.bin
 ________________
< PEzor!! v2.1.0 >
 ----------------
      \                    / \  //\
       \    |\___/|      /   \//  \\
            /0  0  \__  /    //  | \ \    
           /     /  \/_/    //   |  \  \  
           @_^_@'/   \/_   //    |   \   \ 
           //_^_/     \/_ //     |    \    \
        ( //) |        \///      |     \     \
      ( / /) _|_ /   )  //       |      \     _\
    ( // /) '/,_ _ _/  ( ; -.    |    _ _\.-~        .-~~~^-.
  (( / / )) ,-{        _      `-.|.-~-.           .~         `.
 (( // / ))  '/\      /                 ~-. _ .-~      .-~^-.  \
 (( /// ))      `.   {            }                   /      \  \
  (( / ))     .----~-.\        \-'                 .~         \  `. \^-.
             ///.----..>        \             _ -~             `.  ^-`  ^-_
               ///-._ _ _ _ _ _ _}^ - - - - ~                     ~-- ,.-~
                                                                  /.-~
---------------------------------------------------------------------------
Read the blog posts here:
https://iwantmore.pizza/posts/PEzor.html
https://iwantmore.pizza/posts/PEzor2.html
https://iwantmore.pizza/posts/PEzor3.html
Based on:
https://github.com/TheWover/donut
https://github.com/EgeBalci/sgn
https://github.com/JustasMasiulis/inline_syscall
https://github.com/CylanceVulnResearch/ReflectiveDLLRefresher
---------------------------------------------------------------------------
[?] Forcing 64-bit architecture
[?] Self-executing payload
[?] Final shellcode will be encoded with sgn
[?] Output format: exe
[?] Processing /root/shellcode.bin
[?] Shellcode detected
[?] Building executable
[?] Executing sgn
       __   _ __        __                               _ 
  ___ / /  (_) /_____ _/ /____ _  ___ ____ _  ___  ___ _(_)
 (_-</ _ \/ /  '_/ _ `/ __/ _ `/ / _ `/ _ `/ / _ \/ _ `/ / 
/___/_//_/_/_/\_\\_,_/\__/\_,_/  \_, /\_,_/ /_//_/\_,_/_/  
========[Author:-Ege-Balcı-]====/___/=======v2.0.0=========  
    ┻━┻ ︵ヽ(`Д´)ﾉ︵ ┻━┻           (ノ ゜Д゜)ノ ︵ 仕方がない

[*] Input: /tmp/shellcode.bin.donut
[*] Input Size: 261632
[*] Outfile: /tmp/shellcode.bin
[+] Final size: 261758
[+] All done ＼(＾O＾)／
[!] Done! Check /root/shellcode.bin.packed.exe: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows

Digging in the below code shows that -rx and -sgn are not compatible.

if [ $RX = true ] && [ $SGN = true ]; then
    echo '[x] Error: cannot encode the shellcode when self-executing the payload'
    exit 1
fi

I'm not sure if the CLI option description for -self is wrong or the code shown above is wrong.

PEZor generates a 20Kb stageless beacon.exe rather than the ~220Kb file size and it fails to execute correctly.

PEZor output

PEzor
-sgn
-64
-unhook
-format=exe
/tmp/afd423c7-93d7-49a0-8f1e-19df5838cd45_tmp_cfb08721-39a6-48a7-b09d-161a52b25bba

Executing PEzor
PEzor!! v2.1.0

Read the blog posts here:
https://iwantmore.pizza/posts/PEzor.html
https://iwantmore.pizza/posts/PEzor2.html
https://iwantmore.pizza/posts/PEzor3.html
Based on:
https://github.com/TheWover/donut
https://github.com/EgeBalci/sgn
https://github.com/JustasMasiulis/inline_syscall
https://github.com/CylanceVulnResearch/ReflectiveDLLRefresher

[?] Final shellcode will be encoded with sgn
[?] Forcing 64-bit architecture
[?] Unhook enabled
[?] Output format: exe
[?] Processing /tmp/afd423c7-93d7-49a0-8f1e-19df5838cd45_tmp_cfb08721-39a6-48a7-b09d-161a52b25bba
[?] PE detected: /tmp/afd423c7-93d7-49a0-8f1e-19df5838cd45_tmp_cfb08721-39a6-48a7-b09d-161a52b25bba: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
[?] Building executable
[?] Executing donut

[ Donut shellcode generator v0.9.3
[ Copyright (c) 2019 TheWover, Odzhan

usage: donut [options] <EXE/DLL/VBS/JS>

   Only the finest artisanal donuts are made of shells.

               -MODULE OPTIONS-

   -n <name>            Module name for HTTP staging. If entropy is enabled, this is generated randomly.
   -s <server>          HTTP server that will host the donut module.
   -e <level>           Entropy. 1=None, 2=Use random names, 3=Random names + symmetric encryption (default)

               -PIC/SHELLCODE OPTIONS-

   -a <arch>            Target architecture : 1=x86, 2=amd64, 3=x86+amd64(default).
   -b <level>           Bypass AMSI/WLDP : 1=None, 2=Abort on fail, 3=Continue on fail.(default)
   -o <path>            Output file to save loader. Default is "loader.bin"
   -f <format>          Output format. 1=Binary (default), 2=Base64, 3=C, 4=Ruby, 5=Python, 6=Powershell, 7=C#, 8=Hex
   -y <addr>            Create thread for loader and continue execution at <addr> supplied.
   -x <action>          Exiting. 1=Exit thread (default), 2=Exit process

               -FILE OPTIONS-

   -c <namespace.class> Optional class name. (required for .NET DLL)
   -d <name>            AppDomain name to create for .NET assembly. If entropy is enabled, this is generated randomly.
   -m <method | api>    Optional method or function for DLL. (a method is required for .NET DLL)
   -p <arguments>       Optional parameters/command line inside quotations for DLL method/function or EXE.
   -w                   Command line is passed to unmanaged DLL function in UNICODE format. (default is ANSI)
   -r <version>         CLR runtime version. MetaHeader used by default or v4.0.30319 if none available.
   -t                   Execute the entrypoint of an unmanaged EXE as a thread.
   -z <engine>          Pack/Compress file. 1=None, 2=aPLib

examples:

donut c2.dll
donut -a1 -cTestClass -mRunProcess -pnotepad.exe loader.dll
donut loader.dll -c TestClass -m RunProcess -p"calc notepad" -s http://remote_server.com/modules/

[?] Executing sgn
__ _ __ __ _
___ / / () /_____ / /__ _ ___ ____ _ ___ ___ ()
(-</ _ / / '/ _ / __/ _ / / _ / _ / / _ / _ / / /___/_//_/_/_/\_\\_,_/\__/\_,_/ \_, /\_,_/ /_//_/\_,_/_/ ========[Author:-Ege-Balcı-]====/___/=======v2.0.0========= ┻�┻ ︵ヽ(Д´)ﾉ︵ â”»â”�â”» (ノ ゜Д゜)ノ ︵ 仕方ã�Œã�ªã�„

[!] Done! Check /tmp/afd423c7-93d7-49a0-8f1e-19df5838cd45_tmp_cfb08721-39a6-48a7-b09d-161a52b25bba.packed.exe: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
PEzor generated EXE /tmp/afd423c7-93d7-49a0-8f1e-19df5838cd45_tmp_cfb08721-39a6-48a7-b09d-161a52b25bba.packed.exe

Files in /tmp

-rw-r--r-- 1 root root 262656 Mar 10 13:53 /tmp/afd423c7-93d7-49a0-8f1e-19df5838cd45_tmp_cfb08721-39a6-48a7-b09d-161a52b25bba
-rwxr-xr-x 1 root root 19968 Mar 10 13:53 /tmp/afd423c7-93d7-49a0-8f1e-19df5838cd45_tmp_cfb08721-39a6-48a7-b09d-161a52b25bba.packed.exe

Even after following the install reference i can't get sgn to work on debian.

sgn is missing from $PATH.

What am i doing wrong.

Hi, I picked up the following errors (below) while installing your program -It should be noted that the rest of the install reported ok messages.

I am using a clean dist-upgraded 2019 version of Kali.

I pre installed Wclang project as per your webpage advice in the /Opt directory.
I added the install location to my $PATH.
Tested x86_64-w64-mingw32-clang++ -o hello.exe hello.cpp and it worked!!.
I then pre-installed donut-shellcode using the pip3 command.

I then installed your program in the /Opt directory and ran the bash install.sh command as root and adding your export path to my $PATH as well. However when I ran the command: bash PEzor.sh -unhook -syscall -sgn winshell64.exe I also received the following second set of error messages...

Regards T.

[ 48%] Building CXX object llvm/keystone/CMakeFiles/keystone.dir//lib/Target/X86/MCTargetDesc/X86ELFObjectWriter.cpp.o
/opt/PEzor/deps/keystone/llvm/lib/Target/X86/MCTargetDesc/X86ELFObjectWriter.cpp: In function ‘unsigned int getRelocType64(llvm_ks::MCContext&, llvm_ks::SMLoc, llvm_ks::MCSymbolRefExpr::VariantKind, X86_64RelType, bool)’:
/opt/PEzor/deps/keystone/llvm/lib/Target/X86/MCTargetDesc/X86ELFObjectWriter.cpp:94:5: warning: this statement may fall through [-Wimplicit-fallthrough=]
94 | switch (Type) {
| ^~~~~~
/opt/PEzor/deps/keystone/llvm/lib/Target/X86/MCTargetDesc/X86ELFObjectWriter.cpp:106:3: note: here
106 | case MCSymbolRefExpr::VK_GOT:
| ^~~~
/opt/PEzor/deps/keystone/llvm/lib/Target/X86/MCTargetDesc/X86ELFObjectWriter.cpp:107:5: warning: this statement may fall through [-Wimplicit-fallthrough=]
107 | switch (Type) {
| ^~~~~~
/opt/PEzor/deps/keystone/llvm/lib/Target/X86/MCTargetDesc/X86ELFObjectWriter.cpp:117:3: note: here
117 | case MCSymbolRefExpr::VK_GOTOFF:
| ^~~~
/opt/PEzor/deps/keystone/llvm/lib/Target/X86/MCTargetDesc/X86ELFObjectWriter.cpp:123:5: warning: this statement may fall through [-Wimplicit-fallthrough=]
123 | switch (Type) {
| ^~~~~~
/opt/PEzor/deps/keystone/llvm/lib/Target/X86/MCTargetDesc/X86ELFObjectWriter.cpp:133:3: note: here
133 | case MCSymbolRefExpr::VK_DTPOFF:
| ^~~~
/opt/PEzor/deps/keystone/llvm/lib/Target/X86/MCTargetDesc/X86ELFObjectWriter.cpp:135:5: warning: this statement may fall through [-Wimplicit-fallthrough=]
135 | switch (Type) {
| ^~~~~~
/opt/PEzor/deps/keystone/llvm/lib/Target/X86/MCTargetDesc/X86ELFObjectWriter.cpp:145:3: note: here
145 | case MCSymbolRefExpr::VK_SIZE:
| ^~~~
/opt/PEzor/deps/keystone/llvm/lib/Target/X86/MCTargetDesc/X86ELFObjectWriter.cpp:147:5: warning: this statement may fall through [-Wimplicit-fallthrough=]
147 | switch (Type) {
| ^~~~~~
/opt/PEzor/deps/keystone/llvm/lib/Target/X86/MCTargetDesc/X86ELFObjectWriter.cpp:157:3: note: here
157 | case MCSymbolRefExpr::VK_TLSGD:
| ^~~~
/opt/PEzor/deps/keystone/llvm/lib/Target/X86/MCTargetDesc/X86ELFObjectWriter.cpp: In function ‘unsigned int getRelocType32(llvm_ks::MCSymbolRefExpr::VariantKind, X86_32RelType, bool)’:
/opt/PEzor/deps/keystone/llvm/lib/Target/X86/MCTargetDesc/X86ELFObjectWriter.cpp:198:5: warning: this statement may fall through [-Wimplicit-fallthrough=]
198 | switch (Type) {
| ^~~~~~
/opt/PEzor/deps/keystone/llvm/lib/Target/X86/MCTargetDesc/X86ELFObjectWriter.cpp:206:3: note: here
206 | case MCSymbolRefExpr::VK_GOT:
| ^~~~
[ 49%] Building CXX object llvm/keystone/CMakeFiles/keystone.dir//lib/Target/X86/MCTargetDesc/X86MCAsmInfo.cpp.o

[ 51%] Building CXX object llvm/keystone/CMakeFiles/keystone.dir/ks.cpp.o
/opt/PEzor/deps/keystone/llvm/keystone/ks.cpp: In function ‘ks_err ks_option(ks_engine*, ks_opt_type, size_t)’:
/opt/PEzor/deps/keystone/llvm/keystone/ks.cpp:536:38: warning: this statement may fall through [-Wimplicit-fallthrough=]
536 | ks->MAI->setRadix(16);
| ~~~~~~~~~~~~~~~~~^~~~
/opt/PEzor/deps/keystone/llvm/keystone/ks.cpp:537:17: note: here
537 | case KS_OPT_SYNTAX_NASM:
| ^~~~
/opt/PEzor/deps/keystone/llvm/keystone/ks.cpp:544:38: warning: this statement may fall through [-Wimplicit-fallthrough=]
544 | ks->MAI->setRadix(16);
| ~~~~~~~~~~~~~~~~~^~~~
/opt/PEzor/deps/keystone/llvm/keystone/ks.cpp:545:17: note: here
545 | case KS_OPT_SYNTAX_GAS:
| ^~~~
[ 52%] Building CXX object llvm/keystone/CMakeFiles/keystone.dir/EVMMapping.cpp.o

n file included from /opt/PEzor/inject.cpp:7:
In file included from /opt/PEzor/deps/inline_syscall/include/in_memory_init.hpp:20:
/opt/PEzor/deps/inline_syscall/include/inline_syscall.hpp:35:27: error: no type named 'uint32_t' in namespace 'std'
inline constexpr std::uint32_t hash(const char* str) noexcept
~~~~~^
/opt/PEzor/deps/inline_syscall/include/inline_syscall.hpp:37:14: error: no type named 'uint32_t' in namespace 'std'
std::uint32_t value = 2166136261;
~~~~~^
/opt/PEzor/deps/inline_syscall/include/inline_syscall.hpp:45:38: error: no type named 'uint32_t' in namespace 'std'
value = static_caststd::uint32_t((value ^ c) * 16777619ull);
~~~~~^
/opt/PEzor/deps/inline_syscall/include/inline_syscall.hpp:49:15: error: use of undeclared identifier 'syscall_entry_full'
constexpr syscall_entry_full::syscall_entry_full(std::uint32_t hash_) noexcept
^
/opt/PEzor/deps/inline_syscall/include/inline_syscall.hpp:49:68: error: use of undeclared identifier 'hash_'; did you mean 'hash'?
constexpr syscall_entry_full::syscall_entry_full(std::uint32_t hash_) noexcept
^~~~~
hash
/opt/PEzor/deps/inline_syscall/include/inline_syscall.hpp:35:36: note: 'hash' declared here
inline constexpr std::uint32_t hash(const char* str) noexcept
^
/opt/PEzor/deps/inline_syscall/include/inline_syscall.hpp:58:23: error: no type named 'uint32_t' in namespace 'std'
template<std::uint32_t Hash>
~~~~~^
/opt/PEzor/deps/inline_syscall/include/inline_syscall.hpp:61:42: error: unknown type name 'JM_INLINE_SYSCALL_ENTRY_TYPE'
"_sysc")]] inline static JM_INLINE_SYSCALL_ENTRY_TYPE entry{ Hash };
^
/opt/PEzor/deps/inline_syscall/include/inline_syscall.hpp:77:9: error: no type named 'int32_t' in namespace 'std'
JM_INLINE_SYSCALL_STUB(std::uint32_t id)
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/opt/PEzor/deps/inline_syscall/include/inline_syscall.hpp:30:40: note: expanded from macro 'JM_INLINE_SYSCALL_STUB'
JM_INLINE_SYSCALL_FORCEINLINE std::int32_t syscall(VA_ARGS) noexcept
~~~~~^
/opt/PEzor/deps/inline_syscall/include/inline_syscall.hpp:77:37: error: no type named 'uint32_t' in namespace 'std'
JM_INLINE_SYSCALL_STUB(std::uint32_t id)
~~~~~^
/opt/PEzor/deps/inline_syscall/include/inline_syscall.hpp:30:56: note: expanded from macro 'JM_INLINE_SYSCALL_STUB'
JM_INLINE_SYSCALL_FORCEINLINE std::int32_t syscall(VA_ARGS) noexcept
^~~~~~~~~~~
/opt/PEzor/deps/inline_syscall/include/inline_syscall.hpp:87:18: error: no type named 'int32_t' in namespace 'std'
std::int32_t status;
~~~~~^
/opt/PEzor/deps/inline_syscall/include/inline_syscall.hpp:102:9: error: no type named 'int32_t' in namespace 'std'
JM_INLINE_SYSCALL_STUB(std::uint32_t id, T1 _1)
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/opt/PEzor/deps/inline_syscall/include/inline_syscall.hpp:30:40: note: expanded from macro 'JM_INLINE_SYSCALL_STUB'
JM_INLINE_SYSCALL_FORCEINLINE std::int32_t syscall(VA_ARGS) noexcept
~~~~~^
/opt/PEzor/deps/inline_syscall/include/inline_syscall.hpp:102:37: error: no type named 'uint32_t' in namespace 'std'
JM_INLINE_SYSCALL_STUB(std::uint32_t id, T1 _1)
~~~~~^
/opt/PEzor/deps/inline_syscall/include/inline_syscall.hpp:30:56: note: expanded from macro 'JM_INLINE_SYSCALL_STUB'
JM_INLINE_SYSCALL_FORCEINLINE std::int32_t syscall(VA_ARGS) noexcept
^~~~~~~~~~~
/opt/PEzor/deps/inline_syscall/include/inline_syscall.hpp:112:18: error: no type named 'int32_t' in namespace 'std'
std::int32_t status;
~~~~~^
/opt/PEzor/deps/inline_syscall/include/inline_syscall.hpp:127:9: error: no type named 'int32_t' in namespace 'std'
JM_INLINE_SYSCALL_STUB(std::uint32_t id, T1 _1, T2 _2)
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/opt/PEzor/deps/inline_syscall/include/inline_syscall.hpp:30:40: note: expanded from macro 'JM_INLINE_SYSCALL_STUB'
JM_INLINE_SYSCALL_FORCEINLINE std::int32_t syscall(VA_ARGS) noexcept
~~~~~^
/opt/PEzor/deps/inline_syscall/include/inline_syscall.hpp:127:37: error: no type named 'uint32_t' in namespace 'std'
JM_INLINE_SYSCALL_STUB(std::uint32_t id, T1 _1, T2 _2)
~~~~~^
/opt/PEzor/deps/inline_syscall/include/inline_syscall.hpp:30:56: note: expanded from macro 'JM_INLINE_SYSCALL_STUB'
JM_INLINE_SYSCALL_FORCEINLINE std::int32_t syscall(VA_ARGS) noexcept
^~~~~~~~~~~
/opt/PEzor/deps/inline_syscall/include/inline_syscall.hpp:136:18: error: no type named 'int32_t' in namespace 'std'
std::int32_t status;
~~~~~^
/opt/PEzor/deps/inline_syscall/include/inline_syscall.hpp:151:9: error: no type named 'int32_t' in namespace 'std'
JM_INLINE_SYSCALL_STUB(std::uint32_t id, T1 _1, T2 _2, T3 _3)
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/opt/PEzor/deps/inline_syscall/include/inline_syscall.hpp:30:40: note: expanded from macro 'JM_INLINE_SYSCALL_STUB'
JM_INLINE_SYSCALL_FORCEINLINE std::int32_t syscall(VA_ARGS) noexcept
~~~~~^
/opt/PEzor/deps/inline_syscall/include/inline_syscall.hpp:151:37: error: no type named 'uint32_t' in namespace 'std'
JM_INLINE_SYSCALL_STUB(std::uint32_t id, T1 _1, T2 _2, T3 _3)
~~~~~^
/opt/PEzor/deps/inline_syscall/include/inline_syscall.hpp:30:56: note: expanded from macro 'JM_INLINE_SYSCALL_STUB'
JM_INLINE_SYSCALL_FORCEINLINE std::int32_t syscall(VA_ARGS) noexcept
^~~~~~~~~~~
/opt/PEzor/deps/inline_syscall/include/inline_syscall.hpp:160:18: error: no type named 'int32_t' in namespace 'std'

kali# PEzor.sh -unhook -antidebug -text -self -sleep=120 mimikatz.exe -z 2
PEzor!! v2.1.0

Read the blog posts here:
https://iwantmore.pizza/posts/PEzor.html
https://iwantmore.pizza/posts/PEzor2.html
https://iwantmore.pizza/posts/PEzor3.html
Based on:
https://github.com/TheWover/donut
https://github.com/EgeBalci/sgn
https://github.com/JustasMasiulis/inline_syscall
https://github.com/CylanceVulnResearch/ReflectiveDLLRefresher

[?] Unhook enabled
[?] Anti-debug enabled
[?] Payload will be put in .text section
[?] Self-executing payload
[?] Waiting 120 seconds before executing the payload
[?] Processing mimikatz.exe
[?] PE detected: mimikatz.exe: PE32+ executable (console) x86-64, for MS Windows
[?] Building executable
[?] Executing donut

[ Donut shellcode generator v0.9.3
[ Copyright (c) 2019 TheWover, Odzhan

[ Instance type : Embedded
[ Module file : "mimikatz.exe"
[ Entropy : Random names + Encryption
[ Compressed : aPLib (Reduced by 54%)
[ File type : EXE
[ Target CPU : x86+amd64
[ AMSI/WDLP : continue
[ Shellcode : "/tmp/shellcode.bin.donut"
In file included from /home/pentest/PEzor/ApiSetMap.c:32:
In file included from /home/pentest/PEzor/ApiSetMap.h:37:
In file included from /usr/x86_64-w64-mingw32/include/windows.h:69:
In file included from /usr/x86_64-w64-mingw32/include/windef.h:8:
In file included from /usr/x86_64-w64-mingw32/include/minwindef.h:146:
In file included from /usr/x86_64-w64-mingw32/include/winnt.h:26:
/usr/x86_64-w64-mingw32/include/psdk_inc/intrin-impl.h:625:1: error: invalid operand in inline asm: 'mov$(${0:z} %gs:$1, $0 $| $0, %gs:$1$)'
__buildreadseg(__readgsqword, unsigned __int64, "gs")
^
/usr/x86_64-w64-mingw32/include/psdk_inc/intrin-impl.h:145:14: note: expanded from macro '__buildreadseg'
asm ("mov{%z[ret] %%" z ":%[offset], %[ret] | %[ret], %%" z ":%[offset]}"
^
/usr/x86_64-w64-mingw32/include/psdk_inc/intrin-impl.h:625:1: error: invalid operand in inline asm: 'mov$(${0:z} %gs:$1, $0 $| $0, %gs:$1$)'
/usr/x86_64-w64-mingw32/include/psdk_inc/intrin-impl.h:145:14: note: expanded from macro '__buildreadseg'
asm ("mov{%z[ret] %%" z ":%[offset], %[ret] | %[ret], %%" z ":%[offset]}"
^
/usr/x86_64-w64-mingw32/include/psdk_inc/intrin-impl.h:625:1: error: invalid operand in inline asm: 'mov$(${0:z} %gs:$1, $0 $| $0, %gs:$1$)'
/usr/x86_64-w64-mingw32/include/psdk_inc/intrin-impl.h:145:14: note: expanded from macro '__buildreadseg'
asm ("mov{%z[ret] %%" z ":%[offset], %[ret] | %[ret], %%" z ":%[offset]}"
^
/usr/x86_64-w64-mingw32/include/psdk_inc/intrin-impl.h:625:1: error: invalid operand in inline asm: 'mov$(${0:z} %gs:$1, $0 $| $0, %gs:$1$)'
/usr/x86_64-w64-mingw32/include/psdk_inc/intrin-impl.h:145:14: note: expanded from macro '__buildreadseg'
asm ("mov{%z[ret] %%" z ":%[offset], %[ret] | %[ret], %%" z ":%[offset]}"
^
/usr/x86_64-w64-mingw32/include/psdk_inc/intrin-impl.h:625:1: error: invalid operand in inline asm: 'mov$(${0:z} %gs:$1, $0 $| $0, %gs:$1$)'
/usr/x86_64-w64-mingw32/include/psdk_inc/intrin-impl.h:145:14: note: expanded from macro '__buildreadseg'
asm ("mov{%z[ret] %%" z ":%[offset], %[ret] | %[ret], %%" z ":%[offset]}"
^
/usr/x86_64-w64-mingw32/include/psdk_inc/intrin-impl.h:625:1: error: invalid operand in inline asm: 'mov$(${0:z} %gs:$1, $0 $| $0, %gs:$1$)'
/usr/x86_64-w64-mingw32/include/psdk_inc/intrin-impl.h:145:14: note: expanded from macro '__buildreadseg'
asm ("mov{%z[ret] %%" z ":%[offset], %[ret] | %[ret], %%" z ":%[offset]}"
^
/usr/x86_64-w64-mingw32/include/psdk_inc/intrin-impl.h:625:1: error: invalid operand in inline asm: 'mov$(${0:z} %gs:$1, $0 $| $0, %gs:$1$)'
/usr/x86_64-w64-mingw32/include/psdk_inc/intrin-impl.h:145:14: note: expanded from macro '__buildreadseg'
asm ("mov{%z[ret] %%" z ":%[offset], %[ret] | %[ret], %%" z ":%[offset]}"
^
/usr/x86_64-w64-mingw32/include/psdk_inc/intrin-impl.h:625:1: error: invalid operand in inline asm: 'mov$(${0:z} %gs:$1, $0 $| $0, %gs:$1$)'
/usr/x86_64-w64-mingw32/include/psdk_inc/intrin-impl.h:145:14: note: expanded from macro '__buildreadseg'
asm ("mov{%z[ret] %%" z ":%[offset], %[ret] | %[ret], %%" z ":%[offset]}"
^
/usr/x86_64-w64-mingw32/include/psdk_inc/intrin-impl.h:625:1: error: invalid operand in inline asm: 'mov$(${0:z} %gs:$1, $0 $| $0, %gs:$1$)'
/usr/x86_64-w64-mingw32/include/psdk_inc/intrin-impl.h:145:14: note: expanded from macro '__buildreadseg'
asm ("mov{%z[ret] %%" z ":%[offset], %[ret] | %[ret], %%" z ":%[offset]}"
^
9 errors generated.
clang: error: no such file or directory: '/tmp/ApiSetMap.o'
clang: error: no such file or directory: '/tmp/loader.o'

$ PEzor -unhook -antidebug -text -self -rx -sleep=120 mimikatz/x64/mimikatz.exe

< PEzor!! v3.0.0 >

  \                    / \  //\
   \    |\___/|      /   \//  \\
        /0  0  \__  /    //  | \ \    
       /     /  \/_/    //   |  \  \  
       @_^_@'/   \/_   //    |   \   \ 
       //_^_/     \/_ //     |    \    \
    ( //) |        \///      |     \     \
  ( / /) _|_ /   )  //       |      \     _\
( // /) '/,_ _ _/  ( ; -.    |    _ _\.-~        .-~~~^-.

(( / / )) ,-{ _ -.|.-~-. .~ .
(( // / )) '/\ / -. _ .- .-^-.
(( /// )) . { } / \ \ (( / )) .----~-.\ \-' .~ \ . ^-.
///.----..> \ _ - . ^- ^-_
///-._ _ _ _ _ _ _}^ - - - - ~ -- ,.-
/.-~

Read the blog posts here:
https://iwantmore.pizza/posts/PEzor.html
https://iwantmore.pizza/posts/PEzor2.html
https://iwantmore.pizza/posts/PEzor3.html
Based on:
https://github.com/TheWover/donut
https://github.com/EgeBalci/sgn
https://github.com/JustasMasiulis/inline_syscall
https://github.com/CylanceVulnResearch/ReflectiveDLLRefresher

[?] Unhook enabled
[?] Anti-debug enabled
[?] Payload will be put in .text section
[?] Self-executing payload
[?] Allocating RX memory for execution
[*] Warning: -rx supports RX shellcode only
[?] Waiting 120 seconds before executing the payload
[?] Processing mimikatz/x64/mimikatz.exe
[?] PE detected: mimikatz/x64/mimikatz.exe: PE32+ executable (console) x86-64, for MS Windows
[?] Building executable
[?] Executing donut

[ Donut shellcode generator v0.9.3 (built Jul 8 2021 19:48:53)
[ Copyright (c) 2019-2021 TheWover, Odzhan

[ Instance type : Embedded
[ Module file : "mimikatz/x64/mimikatz.exe"
[ Entropy : Random names + Encryption
[ File type : EXE
[ Target CPU : x86+amd64
[ AMSI/WDLP : continue
[ PE Headers : overwrite
[ Shellcode : "/tmp/shellcode.bin.donut"
[ Exit : Thread
/home/utente/PEzor/loader.c:437:10: warning: cast to smaller integer type 'DWORD' (aka 'unsigned long') from 'PCHAR' (aka 'char *') [-Wpointer-to-int-cast]
if (((DWORD)lpProcName & 0xFFFF0000) == 0x00000000)
^~~~~~~~~~~~~~~~~
/home/utente/PEzor/loader.c:443:43: warning: cast to smaller integer type 'DWORD' (aka 'unsigned long') from 'PCHAR' (aka 'char *') [-Wpointer-to-int-cast]
uiAddressArray += ((IMAGE_ORDINAL((DWORD)lpProcName) - pExportDirectory->Base) * sizeof(DWORD));
^~~~~~~~~~~~~~~~~
/usr/x86_64-w64-mingw32/include/winnt.h:7220:48: note: expanded from macro 'IMAGE_ORDINAL'
#define IMAGE_ORDINAL(Ordinal) IMAGE_ORDINAL64(Ordinal)
^~~~~~~
/usr/x86_64-w64-mingw32/include/winnt.h:7191:35: note: expanded from macro 'IMAGE_ORDINAL64'
#define IMAGE_ORDINAL64(Ordinal) (Ordinal & 0xffffull)
^~~~~~~
2 warnings generated.
/home/utente/PEzor/inject.cpp:98:16: error: cannot initialize return object of type 'LPVOID' (aka 'void *') with an rvalue of type 'int'
return (*func)();
^~~~~~~~~
1 error generated.

using Linux kalidev 5.10.0-kali9-amd64 #1 SMP Debian 5.10.46-1kali1 (2021-06-25) x86_64 GNU/Linux
did
sudo bash install.sh
all went fine no error or anything during the installation process.
did a reboot
either using a C# code or mimikatz.exe (from website) im getting this error
i do something wrong or miss anything ?
thanks

Hi phra,

I'm running cobalt strike 4.2, kali (latest), and installed PEzor in the opt directory. when I run PEZor and pack an executable it works great. Execute-Assembly and tadaaaa... with the aggressor script, nothing happens:

[*] Tasked beacon to execute in-memory with args: '"coffee" "exit"'

Am I missing something here? Do I need to install it in a specific directory?

Cheers,
Luk

You need to hide the cmd window for the generated .exe

You can use the below function:

FreeConsole();

https://docs.microsoft.com/en-us/windows/console/freeconsole

Try changing this file: https://github.com/phra/PEzor/blob/master/PEzor.cpp

int _main(int argc, char** argv) { FreeConsole(); #ifdef _DEBUG_

to fix the issue:

1. do not wait for threads in DllMain
2. export dummy function StartW
3. execute with rundll32 calc.dll,StartW

This is the command I use :

PEzor.sh -sgn -unhook -antidebug -text -syscalls -sleep=120 mimikatz.exe -z 2

and I get these errors:

In file included from /root/scripts/_AV/PEzor/inject.cpp:7: In file included from /root/scripts/_AV/PEzor/deps/inline_syscall/include/in_memory_init.hpp:20: /root/scripts/_AV/PEzor/deps/inline_syscall/include/inline_syscall.hpp:35:27: error: no type named 'uint32_t' in namespace 'std' inline constexpr std::uint32_t hash(const char* str) noexcept ~~~~~^ /root/scripts/_AV/PEzor/deps/inline_syscall/include/inline_syscall.hpp:37:14: error: no type named 'uint32_t' in namespace 'std' std::uint32_t value = 2166136261; ~~~~~^ /root/scripts/_AV/PEzor/deps/inline_syscall/include/inline_syscall.hpp:45:38: error: no type named 'uint32_t' in namespace 'std' value = static_cast<std::uint32_t>((value ^ c) * 16777619ull); ~~~~~^ /root/scripts/_AV/PEzor/deps/inline_syscall/include/inline_syscall.hpp:49:15: error: use of undeclared identifier 'syscall_entry_full' constexpr syscall_entry_full::syscall_entry_full(std::uint32_t hash_) noexcept ^ /root/scripts/_AV/PEzor/deps/inline_syscall/include/inline_syscall.hpp:49:68: error: use of undeclared identifier 'hash_'; did you mean 'hash'? constexpr syscall_entry_full::syscall_entry_full(std::uint32_t hash_) noexcept ^~~~~ hash /root/scripts/_AV/PEzor/deps/inline_syscall/include/inline_syscall.hpp:35:36: note: 'hash' declared here inline constexpr std::uint32_t hash(const char* str) noexcept ^ /root/scripts/_AV/PEzor/deps/inline_syscall/include/inline_syscall.hpp:58:23: error: no type named 'uint32_t' in namespace 'std' template<std::uint32_t Hash> ~~~~~^ /root/scripts/_AV/PEzor/deps/inline_syscall/include/inline_syscall.hpp:61:42: error: unknown type name 'JM_INLINE_SYSCALL_ENTRY_TYPE' "_sysc")]] inline static JM_INLINE_SYSCALL_ENTRY_TYPE entry{ Hash }; ^ /root/scripts/_AV/PEzor/deps/inline_syscall/include/inline_syscall.hpp:77:9: error: no type named 'int32_t' in namespace 'std' JM_INLINE_SYSCALL_STUB(std::uint32_t id) ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ /root/scripts/_AV/PEzor/deps/inline_syscall/include/inline_syscall.hpp:30:40: note: expanded from macro 'JM_INLINE_SYSCALL_STUB' JM_INLINE_SYSCALL_FORCEINLINE std::int32_t syscall(__VA_ARGS__) noexcept ~~~~~^ /root/scripts/_AV/PEzor/deps/inline_syscall/include/inline_syscall.hpp:77:37: error: no type named 'uint32_t' in namespace 'std' JM_INLINE_SYSCALL_STUB(std::uint32_t id) ~~~~~^ /root/scripts/_AV/PEzor/deps/inline_syscall/include/inline_syscall.hpp:30:56: note: expanded from macro 'JM_INLINE_SYSCALL_STUB' JM_INLINE_SYSCALL_FORCEINLINE std::int32_t syscall(__VA_ARGS__) noexcept ^~~~~~~~~~~ /root/scripts/_AV/PEzor/deps/inline_syscall/include/inline_syscall.hpp:87:18: error: no type named 'int32_t' in namespace 'std' std::int32_t status; ~~~~~^ /root/scripts/_AV/PEzor/deps/inline_syscall/include/inline_syscall.hpp:102:9: error: no type named 'int32_t' in namespace 'std' JM_INLINE_SYSCALL_STUB(std::uint32_t id, T1 _1) . . . .

Can anybody help please?

Hi, I got this issue and I'm getting crazy trying to fix it

PEzor -sgn -text -syscalls -sleep=120 test.exe 

[SNIP]
---------------------------------------------------------------------------
[?] Final shellcode will be encoded with sgn
[?] Unhook enabled
[?] Anti-debug enabled
[?] Payload will be put in .text section
[?] Waiting 1 seconds before executing the payload
[?] Processing mimikatz.exe
[?] PE detected: mimikatz.exe: PE32+ executable (console) x86-64, for MS Windows
[?] Building executable
[?] Executing donut
donut: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.33' not found (required by donut)
[?] Executing sgn
       __   _ __        __                               _ 
  ___ / /  (_) /_____ _/ /____ _  ___ ____ _  ___  ___ _(_)
 (_-</ _ \/ /  '_/ _ `/ __/ _ `/ / _ `/ _ `/ / _ \/ _ `/ / 
/___/_//_/_/_/\_\\_,_/\__/\_,_/  \_, /\_,_/ /_//_/\_,_/_/  
========[Author:-Ege-Balcı-]====/___/=======v2.0.0=========  
    ┻━┻ ︵ヽ(`Д´)ﾉ︵ ┻━┻           (ノ ゜Д゜)ノ ︵ 仕方がない

2022/06/07 00:19:25 [MAIN] ERROR: open /tmp/tmp.nSgbOtvqPL/shellcode.bin.donut: no such file or directory
od: /tmp/tmp.nSgbOtvqPL/shellcode.bin: No existe el fichero o el directorio
/opt/PEzor/loader.c:437:10: warning: cast to smaller integer type 'DWORD' (aka 'unsigned long') from 'PCHAR' (aka 'char *') [-Wpointer-to-int-cast]
    if (((DWORD)lpProcName & 0xFFFF0000) == 0x00000000)
         ^~~~~~~~~~~~~~~~~
/opt/PEzor/loader.c:443:43: warning: cast to smaller integer type 'DWORD' (aka 'unsigned long') from 'PCHAR' (aka 'char *') [-Wpointer-to-int-cast]
        uiAddressArray += ((IMAGE_ORDINAL((DWORD)lpProcName) - pExportDirectory->Base) * sizeof(DWORD));
                                          ^~~~~~~~~~~~~~~~~
/usr/x86_64-w64-mingw32/include/winnt.h:7220:48: note: expanded from macro 'IMAGE_ORDINAL'
#define IMAGE_ORDINAL(Ordinal) IMAGE_ORDINAL64(Ordinal)
                                               ^~~~~~~
/usr/x86_64-w64-mingw32/include/winnt.h:7191:35: note: expanded from macro 'IMAGE_ORDINAL64'
#define IMAGE_ORDINAL64(Ordinal) (Ordinal & 0xffffull)
                                  ^~~~~~~
2 warnings generated.

[?] Forcing 64-bit architecture
[?] Debug build enabled
[?] Syscalls enabled
[?] Output format: exe
[?] Processing /home/ghostfevil/Desktop/Temp/shellcode.bin
[?] PE detected: /home/ghostfevil/Desktop/Temp/shellcode.bin: data
[?] Building executable
[?] Executing donut

[ Donut shellcode generator v0.9.3 (built Jul 14 2021 22:56:53)
[ Copyright (c) 2019-2021 TheWover, Odzhan

[ Error : File is invalid.
od: /tmp/shellcode.bin.donut: No such file or directory

Hey there. Great tool! I was testing some generated dotnet binaries with metasploit's execute assembly module and noticed arguments don't seem to do anything.

Here's a screenshot. Notice the binary runs but the arguments aren't used.

Using the -p flag to hardcode arguments in seems to work just fine

If I had to guess, this might be caused by a mismatch in function signatures between what Metasploit thinks the assembly would have (Main(string args[])) and the actual main function of the assembly. In this case: wmain(int argc, wchar_t * argv[])

When creating shellcode this error shows

I reported it in this issue TheWover/donut#81 and I made a PR but since PEzor uses the release we will have to wait for the deployment or compile it.

The details are explained in the issue but in PEzor it occurs when sgn is not used and the generated shellcode has a certain size.

For those who don't want to compile their own I implemented a dirty trick:

After the shellcode is generated

add these lines:

sed -i 's/\\x00;/\\x00";\n/' $TMP_DIR/shellcode.cpp.donut
sed -i ':a;N;$!ba;s/"\n";/";\n/' $TMP_DIR/shellcode.cpp.donut

I am using Ubuntu 20.04

When executing ./install.sh I get the following error:
./install.sh: line 6: cd: too many arguments

Line 386 and 387 of PEzor.sh is missing the "$" in front of BLOB.packed.
https://github.com/phra/PEzor/blob/master/PEzor.sh#L386
The final result is then put in the local directory as "BLOB.packed.$extension" (e.g. "./BLOB.packed.exe") instead of the target dir, because its treated as file not variable.

Nothing major, but wanted to report it

The program depends on keystone engine. Please be aware of the license.

when I run like this: PEzor.sh -unhook -antidebug -text -self -sleep=120 mimikatz/x64/mimikatz.exe -z 2 ,it works very well;
but when I run like this: PEzor.sh -unhook -antidebug -text -self -sleep=120 mimikatz/x64/mimikatz.exe -z 2 -p coffee exit, it output nothing,so I can't run with "-p",can you tell me why ? thank you !

`[?] Anti-debug enabled
[?] Syscalls enabled
[?] Payload will be put in .text section
[?] Final shellcode will be encoded with sgn
[?] Waiting 5 seconds before executing the payload
[?] Processing binaries/JuicyPotato.exe
[?] PE detected: binaries/JuicyPotato.exe: PE32+ executable (console) x86-64, for MS Windows
[?] Executing donut

[ Donut shellcode generator v0.9.3
[ Copyright (c) 2019 TheWover, Odzhan

usage: donut [options] <EXE/DLL/VBS/JS>

   Only the finest artisanal donuts are made of shells.

               -MODULE OPTIONS-

   -n <name>            Module name for HTTP staging. If entropy is enabled, this is generated randomly.
   -s <server>          HTTP server that will host the donut module.
   -e <level>           Entropy. 1=None, 2=Use random names, 3=Random names + symmetric encryption (default)

               -PIC/SHELLCODE OPTIONS-

   -a <arch>            Target architecture : 1=x86, 2=amd64, 3=x86+amd64(default).
   -b <level>           Bypass AMSI/WLDP : 1=None, 2=Abort on fail, 3=Continue on fail.(default)
   -o <path>            Output file to save loader. Default is "loader.bin"
   -f <format>          Output format. 1=Binary (default), 2=Base64, 3=C, 4=Ruby, 5=Python, 6=Powershell, 7=C#, 8=Hex
   -y <addr>            Create thread for loader and continue execution at <addr> supplied.
   -x <action>          Exiting. 1=Exit thread (default), 2=Exit process

               -FILE OPTIONS-

   -c <namespace.class> Optional class name. (required for .NET DLL)
   -d <name>            AppDomain name to create for .NET assembly. If entropy is enabled, this is generated randomly.
   -m <method | api>    Optional method or function for DLL. (a method is required for .NET DLL)
   -p <arguments>       Optional parameters/command line inside quotations for DLL method/function or EXE.
   -w                   Command line is passed to unmanaged DLL function in UNICODE format. (default is ANSI)
   -r <version>         CLR runtime version. MetaHeader used by default or v4.0.30319 if none available.
   -t                   Execute the entrypoint of an unmanaged EXE as a thread.
   -z <engine>          Pack/Compress file. 1=None, 2=aPLib

examples:

donut c2.dll
donut -a1 -cTestClass -mRunProcess -pnotepad.exe loader.dll
donut loader.dll -c TestClass -m RunProcess -p"calc notepad" -s http://remote_server.com/modules/

[?] Executing sgn
__ _ __ __ _
___ / / () /_____ / /__ _ ___ ____ _ ___ ___ ()
(-</ _ / / '/ _ / __/ _ / / _ / _ / / _ / _ / / /___/_//_/_/_/\_\\_,_/\__/\_,_/ \_, /\_,_/ /_//_/\_,_/_/ ========[Author:-Ege-Balcı-]====/___/=======v2.0.0========= ┻━┻ ︵ヽ(Д´)ﾉ︵ ┻━┻ (ノ ゜Д゜)ノ ︵ 仕方がない

2020/09/20 22:32:56 [MAIN] ERROR: open /tmp/shellcode.bin.donut: no such file or directory
`

any idea how to deal with this error? I am pretty sure I installed donut and also add it to the PATH

I installed PEZor by following the guide. To test PEzor, I generated a payload using the following:

And when I used PEzor on the generated payload, I got the following error:

# bash ../tools/PEzor/PEzor.sh beacon.bin            
 ________________
< PEzor!! v2.1.0 >
 ----------------
[...snip...]
[?] Processing beacon.bin
[?] PE detected: beacon.bin: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
[?] Building executable
[?] Executing donut

  [ Donut shellcode generator v0.9.3
  [ Copyright (c) 2019 TheWover, Odzhan

  [ Error : File is invalid.
cat: /tmp/shellcode.cpp.donut: No such file or directory

If I used Payload Generator just like below:

PEzor works fine and I don't see any error

# bash ../tools/PEzor/PEzor.sh payload.bin 
 ________________
< PEzor!! v2.1.0 >
 ----------------
[...snip...]
---------------------------------------------------------------------------
[?] Processing payload.bin
[?] Shellcode detected
[?] Building executable
[!] Done! Check payload.bin.packed.exe: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows

Any one here can shed some light on why I'm getting the error?

[?] Building .NET executable
PEzor.sh: 370: Syntax error: word unexpected (expecting ")")
root@vps158041:~/PEzor# sh PEzor.sh -sgn -unhook -antidebug
-text -sleep=120 -format=dotnet apollo.exe

https://www.cobaltstrike.com/downloads/beacon.h -->> https://download.cobaltstrike.com/downloads/beacon.h

https://www.cobaltstrike.com/blog/cobalt-strike-infrastructure-changes/

Both the README and app description of -sleep is:

 -sleep=N                  Sleeps for N seconds before unpacking the shellcode

However, the -sleep option appears to sleep for milliseconds instead of seconds when executing.

I would like to know, how do I install it on windows?

Latest Kali with recent updates.
Installing like:

$ git clone https://github.com/phra/PEzor.git 1 ⨯
$ cd PEzor
$ sudo bash install.sh

Install the project...
-- Install configuration: "Release"
-- Installing: /usr/local/lib/pkgconfig/keystone.pc
-- Installing: /usr/local/include/keystone
-- Installing: /usr/local/include/keystone/arm64.h
-- Installing: /usr/local/include/keystone/keystone.h
-- Installing: /usr/local/include/keystone/arm.h
-- Installing: /usr/local/include/keystone/x86.h
-- Installing: /usr/local/include/keystone/hexagon.h
-- Installing: /usr/local/include/keystone/ppc.h
-- Installing: /usr/local/include/keystone/evm.h
-- Installing: /usr/local/include/keystone/mips.h
-- Installing: /usr/local/include/keystone/systemz.h
-- Installing: /usr/local/include/keystone/sparc.h
-- Installing: /usr/local/lib/libkeystone.a
-- Installing: /usr/local/bin/kstool
go: go.mod file not found in current directory or any parent directory.
'go get' is no longer supported outside a module.
To build and install a command, use 'go install' with a version,
like 'go install example.com/cmd@latest'
For more information, see https://golang.org/doc/go-get-install-deprecation
or run 'go help get' or 'go help install'.

cat: /tmp/tmp.vJ55FjhxGT/shellcode.cs: No such file or directory
/tmp/tmp.vJ55FjhxGT/Global.cs(3,15): error CS1519: Unexpected symbol `}' in class, struct, or interface member declaration
Compilation failed: 1 error(s), 0 warnings

Could not covert to dotnet while it worked few months ago. Just reinstalled a new version then failed.

I tried installing wclang with cmake -DCMAKE_INSTALL_PREFIX=prefix_PEzor and cmake -DCMAKE_INSTALL_PREFIX=_prefix_PEzor however when I do this it does not seem to add it it to path still

inject.cpp:232 does not have enough type information?

# bash PEzor.sh -sgn -unhook -antidebug -text -syscalls -sleep=2 seatbelt64.exe -z 2
PEzor!! v3.1.2
---------------------------------------------------------------------------
Read the blog posts here:
https://iwantmore.pizza/posts/PEzor.html
https://iwantmore.pizza/posts/PEzor2.html
https://iwantmore.pizza/posts/PEzor3.html
https://iwantmore.pizza/posts/PEzor4.html
Based on:
https://github.com/TheWover/donut
https://github.com/EgeBalci/sgn
https://github.com/JustasMasiulis/inline_syscall
https://github.com/CylanceVulnResearch/ReflectiveDLLRefresher
---------------------------------------------------------------------------
[?] Final shellcode will be encoded with sgn
[?] Unhook enabled
[?] Anti-debug enabled
[?] Payload will be put in .text section
[?] Syscalls enabled
[?] Waiting 2 seconds before executing the payload
[?] Processing seatbelt64.exe
[?] PE detected: seatbelt64.exe: PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
[?] Building executable
[?] Executing donut 2

  [ Donut shellcode generator v0.9.3
  [ Copyright (c) 2019 TheWover, Odzhan

  [ Instance type : Embedded
  [ Module file   : "seatbelt64.exe"
  [ Entropy       : Random names + Encryption
  [ Compressed    : aPLib (Reduced by 65%)
  [ File type     : .NET EXE
  [ Target CPU    : x86+amd64
  [ AMSI/WDLP     : continue
  [ Shellcode     : "/tmp/tmp.zdwC7updla/shellcode.bin.donut"
[?] Executing sgn
       __   _ __        __                               _
  ___ / /  (_) /_____ _/ /____ _  ___ ____ _  ___  ___ _(_)
 (_-</ _ \/ /  '_/ _ `/ __/ _ `/ / _ `/ _ `/ / _ \/ _ `/ /
/___/_//_/_/_/\_\\_,_/\__/\_,_/  \_, /\_,_/ /_//_/\_,_/_/
========[Author:-Ege-Balcı-]====/___/=======v2.0.0=========
    ┻━┻ ︵ヽ(`Д´)ﾉ︵ ┻━┻           (ノ ゜Д゜)ノ ︵ 仕方がない

[*] Input: /tmp/tmp.zdwC7updla/shellcode.bin.donut
[*] Input Size: 245209
[*] Outfile: /tmp/tmp.zdwC7updla/shellcode.bin
[+] Final size: 245290
[+] All done ＼(＾O＾)／
/root/Repos/PEzor/inject.cpp:232:22: error: no matching function for call to object of type '::jm::syscall_function<decltype(NtCreateThreadEx)>' (aka 'syscall_function<long (void **, unsigned long, _OBJECT_ATTRIBUTES *, void *, void *, void *, unsigned long, unsigned long long, unsigned long long, unsigned long long, _PS_ATTRIBUTE_LIST *)>')
            status = INLINE_SYSCALL(NtCreateThreadEx)(
                     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/root/Repos/PEzor/deps/inline_syscall/include/inline_syscall.hpp:26:5: note: expanded from macro 'INLINE_SYSCALL'
    INLINE_SYSCALL_MANUAL(               \
    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/root/Repos/PEzor/deps/inline_syscall/include/inline_syscall.hpp:44:5: note: expanded from macro 'INLINE_SYSCALL_MANUAL'
    ::jm::syscall_function<decltype(function_pointer)> { syscall_id }
    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/root/Repos/PEzor/deps/inline_syscall/include/inline_syscall.hpp:70:18: note: candidate function not viable: no known conversion from 'void (void (*)())' to 'void *' for 5th argument
        inline R operator()(Args... args) const noexcept;
                 ^
1 error generated.

the following command fails to execute

PEzor -sgn -self -64 -text -unhook -debug -antidebug -sleep=15 -format=dotnet shell.exe -z 2

I think the compile command should add -static-libstdc++ -static-libgcc

https://github.com/jthuraisamy/SysWhispers

x86_64-w64-mingw32-clang++ is missing from $PATH. Check https://github.com/tpoechtrager/wclang to learn how to install it

Function inject_shellcode_self in inject.cpp doesn't properly call NtCreateThreadEx when SYSCALLS is defined.

ERROR:

PEzor/inject.cpp:232:22: error: no matching function for call to object of type '::jm::syscall_function<decltype(NtCreateThreadEx)>' (aka 'syscall_function<long (void **, unsigned long, _OBJECT_ATTRIBUTES *, void *, void *, void *, unsigned long, unsigned long long, unsigned long long, unsigned long long, _PS_ATTRIBUTE_LIST *)>')

FIX:

    #elif SYSCALLS
        status = INLINE_SYSCALL(NtCreateThreadEx)(
            phThread,
            THREAD_ALL_ACCESS,
            nullptr,
            (HANDLE)-1,
            (void*)executor,   //<----------------CHANGE THIS LINE (Cast to void  pointer)
            allocation,
            THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER,
            0,
            0,
            0,
            nullptr);

        if (NT_FAIL(status) || !*phThread)
        {
            #ifdef _DEBUG_
            wprintf(L"ERROR: NtCreateThreadEx = 0x%x\n", status);
            #endif
            return NULL;
        }

I did several tests with fresh kali versions:
2023.4
2022.1
2021.1
2019.4

The install.sh script runs more or less fine.
I fetched a fresh mimikatz.exe and used the first example to wrap it. I used the precompiled version as well as a self built one.

──(kali㉿kali)-[~/tools/PE-Loader/PEzor]
└─$ ./PEzor.sh -unhook -antidebug -text -self -sleep=10 mimikatz.exe -z 2                                                                                                                                                 1 ⨯
 ________________
< PEzor!! v3.3.0 >
 ----------------
      \                    / \  //\
       \    |\___/|      /   \//  \\
            /0  0  \__  /    //  | \ \    
           /     /  \/_/    //   |  \  \  
           @_^_@'/   \/_   //    |   \   \ 
           //_^_/     \/_ //     |    \    \
        ( //) |        \///      |     \     \
      ( / /) _|_ /   )  //       |      \     _\
    ( // /) '/,_ _ _/  ( ; -.    |    _ _\.-~        .-~~~^-.
  (( / / )) ,-{        _      `-.|.-~-.           .~         `.
 (( // / ))  '/\      /                 ~-. _ .-~      .-~^-.  \
 (( /// ))      `.   {            }                   /      \  \
  (( / ))     .----~-.\        \-'                 .~         \  `. \^-.
             ///.----..>        \             _ -~             `.  ^-`  ^-_
               ///-._ _ _ _ _ _ _}^ - - - - ~                     ~-- ,.-~
                                                                  /.-~
---------------------------------------------------------------------------
Read the blog posts here:
https://iwantmore.pizza/posts/PEzor.html
https://iwantmore.pizza/posts/PEzor2.html
https://iwantmore.pizza/posts/PEzor3.html
https://iwantmore.pizza/posts/PEzor4.html
Based on:
https://github.com/TheWover/donut
https://github.com/EgeBalci/sgn
https://github.com/JustasMasiulis/inline_syscall
https://github.com/CylanceVulnResearch/ReflectiveDLLRefresher
---------------------------------------------------------------------------
[?] Unhook enabled
[?] Anti-debug enabled
[?] Payload will be put in .text section
[?] Self-executing payload
[?] Waiting 10 seconds before executing the payload
[?] Processing mimikatz.exe
./PEzor.sh: line 323: [: missing `]'
[?] PE detected: mimikatz.exe: PE32+ executable (console) x86-64, for MS Windows
[?] Building executable
[?] Executing donut

  [ Donut shellcode generator v1 (built Dec 14 2023 02:10:45)
  [ Copyright (c) 2019-2021 TheWover, Odzhan

  [ Instance type : Embedded
  [ Module file   : "mimikatz.exe"
  [ Entropy       : Random names + Encryption
  [ Compressed    : aPLib (Reduced by 54%)
  [ File type     : EXE
  [ Target CPU    : x86+amd64
  [ AMSI/WDLP/ETW : continue
  [ PE Headers    : overwrite
  [ Shellcode     : "/tmp/tmp.zVG1q34Pqt/shellcode.bin.donut"
  [ Exit          : Thread
In file included from /home/kali/tools/PE-Loader/PEzor/ApiSetMap.c:32:
/home/kali/tools/PE-Loader/PEzor/ApiSetMap.h:160:34: warning: a function declaration without a prototype is deprecated in all versions of C [-Wstrict-prototypes]
__PPEB GetProcessEnvironmentBlock();
                                 ^
                                  void                                                                                                                                                                                        
/home/kali/tools/PE-Loader/PEzor/ApiSetMap.h:161:51: warning: a function declaration without a prototype is deprecated in all versions of C [-Wstrict-prototypes]                                                             
__PLDR_DATA_TABLE_ENTRY GetInMemoryOrderModuleList();
                                                  ^
                                                   void                                                                                                                                                                       
/home/kali/tools/PE-Loader/PEzor/ApiSetMap.c:34:34: warning: a function declaration without a prototype is deprecated in all versions of C [-Wstrict-prototypes]                                                              
__PPEB GetProcessEnvironmentBlock()
                                 ^
                                  void                                                                                                                                                                                        
/home/kali/tools/PE-Loader/PEzor/ApiSetMap.c:50:51: warning: a function declaration without a prototype is deprecated in all versions of C [-Wstrict-prototypes]                                                              
__PLDR_DATA_TABLE_ENTRY GetInMemoryOrderModuleList()
                                                  ^
                                                   void                                                                                                                                                                       
4 warnings generated.                                                                                                                                                                                                         
In file included from /home/kali/tools/PE-Loader/PEzor/loader.c:1:
In file included from /home/kali/tools/PE-Loader/PEzor/loader.h:7:
/home/kali/tools/PE-Loader/PEzor/ApiSetMap.h:160:34: warning: a function declaration without a prototype is deprecated in all versions of C [-Wstrict-prototypes]
__PPEB GetProcessEnvironmentBlock();
                                 ^
                                  void                                                                                                                                                                                        
/home/kali/tools/PE-Loader/PEzor/ApiSetMap.h:161:51: warning: a function declaration without a prototype is deprecated in all versions of C [-Wstrict-prototypes]                                                             
__PLDR_DATA_TABLE_ENTRY GetInMemoryOrderModuleList();
                                                  ^
                                                   void                                                                                                                                                                       
In file included from /home/kali/tools/PE-Loader/PEzor/loader.c:1:                                                                                                                                                            
/home/kali/tools/PE-Loader/PEzor/loader.h:17:15: warning: a function declaration without a prototype is deprecated in all versions of C [-Wstrict-prototypes]
void RefreshPE();
              ^
               void                                                                                                                                                                                                           
/home/kali/tools/PE-Loader/PEzor/loader.c:4:15: warning: a function declaration without a prototype is deprecated in all versions of C [-Wstrict-prototypes]                                                                  
void RefreshPE()
              ^
               void                                                                                                                                                                                                           
/home/kali/tools/PE-Loader/PEzor/loader.c:437:10: warning: cast to smaller integer type 'DWORD' (aka 'unsigned long') from 'PCHAR' (aka 'char *') [-Wpointer-to-int-cast]                                                     
    if (((DWORD)lpProcName & 0xFFFF0000) == 0x00000000)
         ^~~~~~~~~~~~~~~~~
/home/kali/tools/PE-Loader/PEzor/loader.c:443:43: warning: cast to smaller integer type 'DWORD' (aka 'unsigned long') from 'PCHAR' (aka 'char *') [-Wpointer-to-int-cast]                                                     
        uiAddressArray += ((IMAGE_ORDINAL((DWORD)lpProcName) - pExportDirectory->Base) * sizeof(DWORD));
                                          ^~~~~~~~~~~~~~~~~
/usr/x86_64-w64-mingw32/include/winnt.h:8299:48: note: expanded from macro 'IMAGE_ORDINAL'                                                                                                                                    
#define IMAGE_ORDINAL(Ordinal) IMAGE_ORDINAL64(Ordinal)
                                               ^~~~~~~
/usr/x86_64-w64-mingw32/include/winnt.h:8270:35: note: expanded from macro 'IMAGE_ORDINAL64'                                                                                                                                  
#define IMAGE_ORDINAL64(Ordinal) (Ordinal & 0xffffull)
                                  ^~~~~~~
6 warnings generated.                                                                                                                                                                                                         
x86_64-w64-mingw32-clang++ -O3 -Wl,-strip-all,-subsystem=windows -Wall -pedantic -D_WINX64 -DWIN_X64 -DUNHOOK -DANTIDEBUG -DSELFINJECT -D_TEXT_ -std=c++17 -static /home/kali/tools/PE-Loader/PEzor/inject.cpp /home/kali/tools/PE-Loader/PEzor/PEzor.cpp /tmp/tmp.zVG1q34Pqt/shellcode.cpp /tmp/tmp.zVG1q34Pqt/sleep.cpp /tmp/tmp.zVG1q34Pqt/ApiSetMap.o /tmp/tmp.zVG1q34Pqt/loader.o -o mimikatz.exe.packed.exe
[!] Done! Check mimikatz.exe.packed.exe: PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows

The packed exe gets created, but it is dead, nothing happens, despite a running process:

I tracked it down so far that until after the shellcode creation with donut, everything is fine. I can use the donut loader and run the shellcode from the temp folder and it starts mimikatz as expected.
So afterwards something is off.
I thought it might have something to do with python3 being upgraded to 3.11, so I did all steps manually and stayed with a 3.9.7 version. However, the results were the same.

When trying to use PEzor on a exe, it gives an error on calling donut:

od: /tmp/tmp.a9kqst7yVg/shellcode.bin.donut: No such file or directory

On https://github.com/phra/PEzor/blob/master/PEzor.sh#L340 because the parameter "-i" doesnt exist at all for donut.

# bash PEzor.sh -unhook -antidebug -text -self Seatbelt-a.exe -z 2
PEzor!! v3.1.2
---------------------------------------------------------------------------
Read the blog posts here:
https://iwantmore.pizza/posts/PEzor.html
https://iwantmore.pizza/posts/PEzor2.html
https://iwantmore.pizza/posts/PEzor3.html
https://iwantmore.pizza/posts/PEzor4.html
Based on:
https://github.com/TheWover/donut
https://github.com/EgeBalci/sgn
https://github.com/JustasMasiulis/inline_syscall
https://github.com/CylanceVulnResearch/ReflectiveDLLRefresher
---------------------------------------------------------------------------
[?] Unhook enabled
[?] Anti-debug enabled
[?] Payload will be put in .text section
[?] Self-executing payload
[?] Processing Seatbelt-a.exe
[?] PE detected: Seatbelt-a.exe: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
[?] Building executable
[?] Executing donut 1

  [ Donut shellcode generator v0.9.3
  [ Copyright (c) 2019 TheWover, Odzhan

 usage: donut [options] <EXE/DLL/VBS/JS>

       Only the finest artisanal donuts are made of shells.

                   -MODULE OPTIONS-

       -n <name>            Module name for HTTP staging. If entropy is enabled, this is generated randomly.
       -s <server>          HTTP server that will host the donut module.
       -e <level>           Entropy. 1=None, 2=Use random names, 3=Random names + symmetric encryption (default)

                   -PIC/SHELLCODE OPTIONS-

       -a <arch>            Target architecture : 1=x86, 2=amd64, 3=x86+amd64(default).
       -b <level>           Bypass AMSI/WLDP : 1=None, 2=Abort on fail, 3=Continue on fail.(default)
       -o <path>            Output file to save loader. Default is "loader.bin"
       -f <format>          Output format. 1=Binary (default), 2=Base64, 3=C, 4=Ruby, 5=Python, 6=Powershell, 7=C#, 8=Hex
       -y <addr>            Create thread for loader and continue execution at <addr> supplied.
       -x <action>          Exiting. 1=Exit thread (default), 2=Exit process

                   -FILE OPTIONS-

       -c <namespace.class> Optional class name. (required for .NET DLL)
       -d <name>            AppDomain name to create for .NET assembly. If entropy is enabled, this is generated randomly.
       -m <method | api>    Optional method or function for DLL. (a method is required for .NET DLL)
       -p <arguments>       Optional parameters/command line inside quotations for DLL method/function or EXE.
       -w                   Command line is passed to unmanaged DLL function in UNICODE format. (default is ANSI)
       -r <version>         CLR runtime version. MetaHeader used by default or v4.0.30319 if none available.
       -t                   Execute the entrypoint of an unmanaged EXE as a thread.
       -z <engine>          Pack/Compress file. 1=None, 2=aPLib

 examples:

    donut c2.dll
    donut -a1 -cTestClass -mRunProcess -pnotepad.exe loader.dll
    donut loader.dll -c TestClass -m RunProcess -p"calc notepad" -s http://remote_server.com/modules/
od: /tmp/tmp.a9kqst7yVg/shellcode.bin.donut: No such file or directory
[!] Done! Check Seatbelt-a.exe.packed.exe: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows

A exe is generated, but it too small and doesnt print anything when being executed.

Hi,

I've generated PEzor payloads following some examples on the GitHub readme, and the good news is AV happily ignores them! However, they always leave a blank command window open, and if it's closed the beacon dies. Am I doing this wrong?

Here's what I used to generate the beacon I have running in the lab right now:

Pezor -sgn -unhook -antidebug -text -syscalls -64 rawcode.bin

In the PEzor.sh file, it uses od to write the bytes onto shellcode.cpp. Would it be possible to use xxd -i instead?

[?] Final shellcode will be encoded with sgn
[?] Unhook enabled
[?] Syscalls enabled
[?] Processing -obfuscate
[x] ERROR: -obfuscate doesn't exist

If I run

./PEzor.sh -sgn -unhook -antidebug -text -syscalls Payload.raw

I get the following error message:

PEzor/inject.cpp:232:22: error: no matching function for call to object of type '::jm::syscall_function<decltype(NtCreateThreadEx)>' (aka 'syscall_function<long (void **, unsigned long, _OBJECT_ATTRIBUTES *, void *, void *, void *, unsigned long, unsigned long long, unsigned long long, unsigned long long, _PS_ATTRIBUTE_LIST *)>')

Version:
< PEzor!! v3.1.2 >

Without the syscalls option it works fine.

Full error messages:

[] Input: /tmp/tmp.88gcJlbCLQ/shellcode.bin.donut
[] Input Size: 715
[*] Outfile: /tmp/tmp.88gcJlbCLQ/shellcode.bin
[+] Final size: 818
[+] All done ＼(＾O＾)／
PEzor/loader.c:437:10: warning: cast to smaller integer type 'DWORD' (aka 'unsigned long') from 'PCHAR' (aka 'char *') [-Wpointer-to-int-cast]
if (((DWORD)lpProcName & 0xFFFF0000) == 0x00000000)
^~~~~~~~~~~~~~~~~
PEzor/loader.c:443:43: warning: cast to smaller integer type 'DWORD' (aka 'unsigned long') from 'PCHAR' (aka 'char *') [-Wpointer-to-int-cast]
uiAddressArray += ((IMAGE_ORDINAL((DWORD)lpProcName) - pExportDirectory->Base) * sizeof(DWORD));
^~~~~~~~~~~~~~~~~
/usr/x86_64-w64-mingw32/include/winnt.h:7286:48: note: expanded from macro 'IMAGE_ORDINAL'
#define IMAGE_ORDINAL(Ordinal) IMAGE_ORDINAL64(Ordinal)
^~~~~~~
/usr/x86_64-w64-mingw32/include/winnt.h:7257:35: note: expanded from macro 'IMAGE_ORDINAL64'
#define IMAGE_ORDINAL64(Ordinal) (Ordinal & 0xffffull)
^~~~~~~
2 warnings generated.

PEzor/inject.cpp:232:22: error: no matching function for call to object of type '::jm::syscall_function<decltype(NtCreateThreadEx)>' (aka 'syscall_function<long (void **, unsigned long, _OBJECT_ATTRIBUTES *, void *, void *, void *, unsigned long, unsigned long long, unsigned long long, unsigned long long, _PS_ATTRIBUTE_LIST )>')
status = INLINE_SYSCALL(NtCreateThreadEx)(
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
PEzor/deps/inline_syscall/include/inline_syscall.hpp:26:5: note: expanded from macro 'INLINE_SYSCALL'
INLINE_SYSCALL_MANUAL(
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
PEzor/deps/inline_syscall/include/inline_syscall.hpp:44:5: note: expanded from macro 'INLINE_SYSCALL_MANUAL'
::jm::syscall_function<decltype(function_pointer)> { syscall_id }
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
PEzor/deps/inline_syscall/include/inline_syscall.hpp:70:18: note: candidate function not viable: no known conversion from 'void (void ()())' to 'void *' for 5th argument
inline R operator()(Args... args) const noexcept;
^
1 error generated.

0x0 ：
maybe we shoud not use %CURRENT_DIR in line 279 of PEzor.sh
Because these are two absolute paths, at least on my machine
%CURRENT_DIR => /root/Downloads/PEzor
${BLOB%%.exe} => /root/Downloads/out/Mimikatz.packed.exe
so , i guess u must be know whate happened next

0x1:
How about supporting the applications generated by MSF?
When I use MSF to generate the application, it tells me that it lacks relocation information

Thank you for reading, this is all

Executing PEzor
[19:09:34] Uncaught exception: java.io.IOException: Cannot run program "PEzor": error=2, No such file or directory at utils.cna:5
[19:09:34] expected iterator (@array or &closure)--received: $null at PEzor.cna:173
[19:09:34] Uncaught exception: java.lang.StringIndexOutOfBoundsException: String index out of range: 0 at utils.cna:49

from script console of Cobalt.