ScareCrow is a payload creation framework for side loading (not injecting) into a legitimate Windows process (bypassing Application Whitelisting controls). Once the DLL loader is loaded into memory, it utilizes a technique to flush an EDR’s hook out of the system DLLs running in the process's memory. This works because we know the EDR’s hooks are placed when a process is spawned. ScareCrow can target these DLLs and manipulate them in memory by using the API function VirtualProtect, which changes a section of a process’ memory permissions to a different value, specifically from Execute–Read to Read-Write-Execute.
When executed, ScareCrow will copy the bytes of the system DLLs stored on disk in
C:\Windows\System32\. These DLLs are stored on disk “clean” of EDR hooks because they are used by the system to load an unaltered copy into a new process when it’s spawned. Since EDR’s only hook these processes in memory, they remain unaltered. ScareCrow does not copy the entire DLL file, instead only focuses on the .text section of the DLLs. This section of a DLL contains the executable assembly, and by doing this ScareCrow helps reduce the likelihood of detection as re-reading entire files can cause an EDR to detect that there is a modification to a system resource. The data is then copied into the right region of memory by using each function’s offset. Each function has an offset which denotes the exact number of bytes from the base address where they reside, providing the function’s location on the stack.
To do this, ScareCrow changes the permissions of the .text region of memory using VirtualProtect. Even though this is a system DLL, since it has been loaded into our process (that we control), we can change the memory permissions without requiring elevated privileges.
Once these the hooks are removed, ScareCrow then utilizes custom System Calls to load and run shellcode in memory. ScareCrow does this even after the EDR hooks are removed to help avoid detection by non-userland, hook-based telemetry gathering tools such as Event Tracing for Windows (ETW) or other event logging mechanisms. These custom system calls are also used to perform the VirtualProtect call to remove the hooks placed by EDRs, described above, to avoid detection by any EDR’s anti-tamper controls. This is done by calling a custom version of the VirtualProtect syscall, NtProtectVirtualMemory. ScareCrow utilizes Golang to generate these loaders and then assembly for these custom syscall functions.
ScareCrow loads the shellcode into memory by first decrypting the shellcode, which is encrypted by default using AES encryption with a decryption and initialization vector key. Once decrypted and loaded, the shellcode is then executed. Depending on the loader options specified ScareCrow will set up different export functions for the DLL. The loaded DLL also does not contain the standard DLLmain function which all DLLs typically need to operate. The DLL will still execute without any issue because the process we load into will look for those export functions and not worry about DLLMain being there.
During the creation process of the loader, ScareCrow utilizes a library for blending into the background after a beacon calls home. This library does two things:
limelighterto create a pfx12 file. This package takes an inputted domain name, specified by the user, to create a code signing certificate for that domain. If needed, you can also use your own code signing certificate if you have one, using the valid command-line option.
When signing the loader with microsoft.com, using them against WINDOWS DEFENDER ATP products may not be as effective as they can validate the cert as it belongs to them. If you are using a loader against a windows product possibly use a different domain.
With these files and the go code, ScareCrow will cross compile them into DLLs using the c-shared library option. Once the DLL is compiled, it is obfuscated into a broken base64 string that will be embedded into a file. This allows for the file to be remotely pulled, accessed, and programmatically executed.
ScareCrow now requires golang 1.16.1 or later to compile loaders. If you are running an older version please to version 1.16.1 or later.
See for new versions: https://golang.org/dl/.
The first step as always is to clone the repo. Before you compile ScareCrow, you'll need to install the dependencies.
To install them, run following commands:
go get github.com/fatih/color go get github.com/yeka/zip go get github.com/josephspurrier/goversioninfo
Make sure that the following are installed on your OS:
openssl osslsigncode mingw-w64
Then build it
go build ScareCrow.go
In addition ScareCrow utilizes Garble for obfuscating all loaders.
Note: Several of the dependencies do not play well on Windows when compiling, because of this it is recommended to compile your loaders on OSX or Linux.
./ScareCrow -h _________ _________ / _____/ ____ _____ _______ ____ \_ ___ \_______ ______ _ __ \_____ \_/ ___\\__ \\_ __ \_/ __ \/ \ \/\_ __ \/ _ \ \/ \/ / / \ \___ / __ \| | \/\ ___/\ \____| | \( <_> ) / /_______ /\___ >____ /__| \___ >\______ /|__| \____/ \/\_/ \/ \/ \/ \/ \/ (@Tyl0us) “Fear, you must understand is more than a mere obstacle. Fear is a TEACHER. the first one you ever had.” Usage of ./ScareCrow: -I string Path to the raw 64-bit shellcode. -Loader string Sets the type of process that will sideload the malicious payload: [*] binary - Generates a binary based payload. (This type does not benefit from any sideloading) [*] control - Loads a hidden control applet - the process name would be rundll32 if -O is specified a JScript loader will be generated. [*] dll - Generates just a DLL file. Can be executed with commands such as rundll32 or regsvr32 with DllRegisterServer, DllGetClassObject as export functions. [*] excel - Loads into a hidden Excel process using a JScript loader. [*] msiexec - Loads into MSIexec process using a JScript loader. [*] wscript - Loads into WScript process using a JScript loader. (default "binary") -O string Name of output file (e.g. loader.js or loader.hta). If Loader is set to dll or binary this option is not required. -configfile string The path to a json based configuration file to generate custom file attributes. This will not use the default ones. -console Only for Binary Payloads - Generates verbose console information when the payload is executed. This will disable the hidden window feature. -delivery string Generates a one-liner command to download and execute the payload remotely: [*] bits - Generates a Bitsadmin one liner command to download, execute and remove the loader (Compatible with Binary, Control, Excel, and Wscript Loaders). [*] hta - Generates a blank hta file containing the loader along with an MSHTA command to execute the loader remotely in the background (Compatible with Control and Excel Loaders). [*] macro - Generates an office macro that will download and execute the loader remotely (Compatible with Control, Excel, and Wscript Loaders). -domain string The domain name to use for creating a fake code signing cert. (e.g. www.acme.com) -injection string Enables Process Injection Mode and specify the path to the process to create/inject into (use \ for the path). -noamsi Disables the AMSI patching that prevents AMSI BuffferScanner. -noetw Disables the ETW patching that prevents ETW events from being generated. -nosign Disables file signing, making -domain/-valid/-password parameters not required. -nosleep Disables the sleep delay before the loader unhooks and executes the shellcode. -outpath string The path to put the final Payload/Loader once it's compiled. -password string The password for code signing cert. Required when -valid is used. -sandbox Enables sandbox evasion using IsDomainJoined calls. -sha256 Provides the SHA256 value of the loaders (This is useful for tracking) -unmodified When enabled will generate a DLL loader that WILL NOT removing the EDR hooks in system DLLs and only use custom syscalls (set to false by default) -url string URL associated with the Delivery option to retrieve the payload. (e.g. https://acme.com/) -valid string The path to a valid code signing cert. Used instead -domain if a valid code signing cert is desired.
The Loader determines the type of technique to load the shellcode into the target system. If no Loader option is chosen, ScareCrow will just compile a standard DLL file, that can be used by rundll32, regsvr32, or other techniques that utilize a DLL. ScareCrow utilizes three different types of loaders to load shellcode into memory:
ScareCrow can also generate binary based payloads if needed by using the
-Loader command line option. These binaries do not benefit from any side-by-side loading techniques but serve as an additional technique to execute shellcode depending on the situation.
ScareCrow utilizes a technique to first create the process and then move it into the background. This does two things, first it helps keep the process hidden and second, avoids being detected by any EDR product. Spawning a process right away in the background can be very suspiciousness and an indicator of maliciousness. ScareCrow does this by calling the ‘GetConsoleWindow’ and ‘ShowWindow’ Windows function after the process is created and the EDR’s hooks are loaded, and then changes the windows attributes to hidden. ScareCrow utilizes these APIs rather than using the traditional
-ldflags -H=windowsgui as this is highly signatured and classified in most security products as an Indicator of Compromise.
-console command-line option is selected, ScareCrow will not hide the process in the background. Instead, ScareCrow will add several debug messages displaying what the loader is doing.
ScareCrow contains the ability to do process injection attacks. To avoid any hooking or detection in either the loader process or the injected process itself, ScareCrow first unhooks the loader process as it would normally, to ensure there are no hooks in the process. Once completed, the loader will then spawn the process specified in the creation command. Once spawned, the loader will then create a handle to the process to retrieve a list of loaded DLLs. Once it finds DLLs, it will enumerate the base address of each DLL in the remote process. Using the function WriteProcessMemory the loader will then write the bytes of the system DLLs stored on disk (since they are “clean” of EDR hooks) without the need to change the memory permissions first. ScareCrow uses WriteProcessMemory because this function contains a feature primarily used in debugging where even if a section of memory is read-only, if everything is correct in the call to WriteProcessMemory, it will temporarily change the permission to read-write, update the memory section and then restore the original permissions. Once this is done, the loader can inject shellcode into the spawned process with no issue, as there are no EDR hooks in either process.
This option can be used with any of the loader options. To enable process injection, use the
-injection command-line option along with the full path to the process you want to use to inject into. When putting the path in as an argument, it is important to either surround the full path with
"" or use double
\ for each directory in the path.
ScareCrow contains the ability to patch AMSI (Antimalware Scan Interface) and ETW functions, preventing any event from being generated by the process.
AMSI is a Windows native API that allows Windows Defender (or other antimalware products) to interface deep in the Windows operating system and provide enhanced protection, specifically around in-memory-based attacks. AMSI allows security products to better detect malicious indicators and help stop threats. Since AMSI is native to Windows products don't need to "hook" AMSI rather they load the necessary DLL to in order to gain enhanced insight into the process. Because of this ScareCrow loads the AMSI.dll dll and then patches, to ensure that any results from the scanning interface come back clean. Patching AMSI is default in all loaders, if you wish to not patch AMSI use the
-noamsi command-line option to disable it in your loader.
ETW utilizes built-in Syscalls to generate this telemetry. Since ETW is also a native feature built into Windows, security products do not need to "hook" the ETW syscalls to gain the information. As a result, to prevent ETW, ScareCrow patches numerous ETW syscalls, flushing out the registers and returning the execution flow to the next instruction. Patching ETW is now default in all loaders, if you wish to not patch ETW use the
-noetw command-line option to disable it in your loader.
Currently, these options only work for the parent process, if the
-injection command-line option is used the primary process will patch AMSI and ETW but the injected process
The deliver command line argument allows you to generate a command or string of code (in the macro case) to remotely pull the file from a remote source to the victim’s host. These delivery methods include:
While ScareCrow has an extensive list of file attributes, there are some circumstances where a custom (maybe environment-specific) set of attributes is required. To accommodate this, ScareCrow allows for the inputting of a JSON file containing attributes. Using the
-configfile command-line option, ScareCrow will use these attributes and filename instead of the pre-existing ones in ScareCrow. The file
main.json contains a sample template of what the JSON structure needs to be to properly work. Note whatever you use as the "InternalName" will be the file name.
Since ScareCrow creates unique loaders that can also be embedded in scripts or other files for delivery, ScareCrow has the ability to provide you the hashes of all artifacts, using the