Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

cannot execute the output file #4

Open
gfctam opened this issue Mar 25, 2022 · 6 comments
Open

cannot execute the output file #4

gfctam opened this issue Mar 25, 2022 · 6 comments

Comments

@gfctam
Copy link

gfctam commented Mar 25, 2022

I have run the command "nimcrypt -f mimikatz.exe -t pe -o mimi-pe.exe -u -e -g, and sucessfully output the exe.

But when I run mimi-pe.exe on the machine, it got the message "SIGSEGV: Illegal storage access. (Attempt to read from nil?)

image

May I get some insight on how to resolve this issue?

Thanks
@icyguider
Copy link
Owner

icyguider commented Mar 27, 2022
edited
Loading

Hello! I've tested Mimikatz with the arguments you are using on a few different Windows 10/Server 2019 systems and can't seem to replicate the issue.

To help figure out what's going on, could you please provide the following information?

  1. What version of Nim are you using for the tool?
  2. What build of Windows are you testing the output file on?
  3. Where did you get the Mimikatz binary you're using?

I'm hoping that with this information I can potentially replicate your error and then start to investigate why it's happening. Here's my answers to the above questions if you'd like to try and replicate my steps and see if that works for you:

  1. Nim 1.6.4
  2. Tested on Windows 10 21H2 (10.0.19044), 21H1 (10.0.19043), and Windows Server 2019 (10.0.17763)
  3. Downloaded latest Mimikatz source code from the official GitHub repo, compiled x64 release version using Visual Studio 2019.

Might also be worth testing another simple pe program like calc.exe to see if that works for you... that would help determine if the problem is Mimikatz specific or if it's a larger issue stemming from Nim/Windows compatibility with the compiled stub.

@Fankaren
Copy link

Hi @icyguider . I have the same problem.
image

Nim version 1.6.4:
image
build of Windows:
image
image

and also my laptop on winows10.
image

Thanks.

@Fankaren
Copy link

Fankaren commented Mar 28, 2022
edited
Loading

Later I try to use the -l parameter. The output file can execute currectly.
image
image

But I get the same issue when I obfuscate my CS_executable file using the same way :(
image

I thought the 0x00 byte is the matter.

Thank you.

@gfctam
Copy link
Author

gfctam commented Mar 30, 2022

Hi Guys,

My problem has resolved. The executable I was running trying to run is mimikatz, and the problem is 32bit/64 bit capabillity.

It means to run mimikatz in 64bit computer, the mimikatz must compile in 64bit to obfuscate with nimcrypto2.

@icyguider
Copy link
Owner

@gfctam That's great to hear. I'm glad you figured out the issue!

@Fankaren Thanks for your all the information and proactive debugging. Glad you got at least calc working. For the CS executable, are you using the x64 version? That seemed to fix the error for @gfctam, so hopefully it will do the same for you!

@tbaker57
Copy link

I also had the same problem ("SIGSEGV: Illegal storage access. (Attempt to read from nil?)") with a 64-bit CobaltStrike beacon (beacon.exe), but compiled with the Obfuscator LLVM option and '-t pe' [Defender seems to stomp on NimCrypt2 (produced without -l) binaries now even with a benign calc.exe payload]

Switching to the 'raw' CS beacon (beacon.bin) and using '-l -t raw' gave me a nice CS .exe which gets past Defender (at least it did today :-)

@obilodeau obilodeau mentioned this issue Jan 26, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@tbaker57 @gfctam @Fankaren @icyguider