{"id":336894,"date":"2023-08-27T14:18:52","date_gmt":"2023-08-27T14:18:52","guid":{"rendered":"https:\/\/rednode.com\/?p=336894"},"modified":"2023-08-27T14:28:42","modified_gmt":"2023-08-27T14:28:42","slug":"potential-of-shellcode-execution","status":"publish","type":"post","link":"https:\/\/rednode.com\/insights\/potential-of-shellcode-execution\/","title":{"rendered":"Malware: Unpacking the Potential of Shellcode Execution"},"content":{"rendered":"\n<p>In this modern world, Malware infection is still one of the biggest threats to individuals and organizations. There are different ways used by cyber criminals to get their <a href=\"https:\/\/rednode.com\/insights\/everything-about-web-malware\/\" data-type=\"link\" data-id=\"https:\/\/rednode.com\/insights\/everything-about-web-malware\/\">malware<\/a> into someone&#8217;s computer. One of the most quickly used methods is called &#8220;Shellcode Execution + Social Engineering.&#8221;, It&#8217;s also called &#8220;Shellcode Runner&#8221;. On the 27th of August, 2023, I had a live session with some cybersecurity enthusiasts where I explained how the shellcode execution actually works. In this post, we&#8217;re going to take a practical look at the same piece of code that shows how this technique works. <\/p>\n\n\n\n<p>Note: This simple code could be elevated to full-fledged malware. The code provided here is only for educational purposes.<\/p>\n\n\n\n<p><strong>Original code:<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"711\" src=\"https:\/\/rednode.com\/wp-content\/uploads\/2023\/08\/image-1-1024x711.png\" alt=\"Shellcode Execution\" class=\"wp-image-336896\" title=\"\" srcset=\"https:\/\/rednode.com\/wp-content\/uploads\/2023\/08\/image-1-1024x711.png 1024w, https:\/\/rednode.com\/wp-content\/uploads\/2023\/08\/image-1-300x208.png 300w, https:\/\/rednode.com\/wp-content\/uploads\/2023\/08\/image-1-768x533.png 768w, https:\/\/rednode.com\/wp-content\/uploads\/2023\/08\/image-1.png 1278w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<div class=\"wp-block-rank-math-toc-block\" id=\"rank-math-toc\"><h2><br>Table of Contents<\/h2><nav><ul><li class=\"\"><a href=\"#lets-break-it-down\">Let&#8217;s Break it Down<\/a><ul><li class=\"\"><a href=\"#headers-and-typedefs\">Headers and Typedefs<\/a><\/li><li class=\"\"><a href=\"#the-malicious-code-shellcode\">The Malicious Code(Shellcode)<\/a><\/li><li class=\"\"><a href=\"#calling-function-dynamically\">Calling Function Dynamically<\/a><\/li><li class=\"\"><a href=\"#memory-allocation-and-memory-permission\">Memory Allocation and Memory Permission<\/a><\/li><li class=\"\"><a href=\"#shellcode-execution-and-cleanup\">Shellcode Execution and Cleanup<\/a><\/li><\/ul><\/li><li class=\"\"><a href=\"#what-else-cybercriminals-can-do\">What Else Cybercriminals Can Do?<\/a><\/li><li class=\"\"><a href=\"#why-should-you-care\">Why Should You Care?<\/a><\/li><\/ul><\/nav><\/div>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"lets-break-it-down\">Let&#8217;s Break it Down<\/h3>\n\n\n\n<p>Before discussing the threats of this code, let&#8217;s understand what this code is actually doing.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"headers-and-typedefs\">Headers and Typedefs<\/h4>\n\n\n\n<ol>\n<li><code>#include &lt;windows.h&gt;<\/code>  header file are included to access many other WinAPI functions.<\/li>\n\n\n\n<li><code><a href=\"https:\/\/www.cprogramming.com\/tutorial\/typedef.html\" data-type=\"link\" data-id=\"https:\/\/www.cprogramming.com\/tutorial\/typedef.html\" rel=\"nofollow noopener\" target=\"_blank\">typedef<\/a><\/code> defined a new data type called <code>pVirtualAlloc<\/code>, This is actually pointing to <code><a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/api\/memoryapi\/nf-memoryapi-virtualalloc\" data-type=\"link\" data-id=\"https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/api\/memoryapi\/nf-memoryapi-virtualalloc\" target=\"_blank\" rel=\"noopener\">VirtualAlloc<\/a><\/code> function that allocates memory.<\/li>\n<\/ol>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"the-malicious-code-shellcode\">The Malicious Code(Shellcode)<\/h4>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"400\" src=\"https:\/\/rednode.com\/wp-content\/uploads\/2023\/08\/image-2-1024x400.png\" alt=\"\" class=\"wp-image-336897\" title=\"\" srcset=\"https:\/\/rednode.com\/wp-content\/uploads\/2023\/08\/image-2-1024x400.png 1024w, https:\/\/rednode.com\/wp-content\/uploads\/2023\/08\/image-2-300x117.png 300w, https:\/\/rednode.com\/wp-content\/uploads\/2023\/08\/image-2-768x300.png 768w, https:\/\/rednode.com\/wp-content\/uploads\/2023\/08\/image-2.png 1052w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p><code>unsigned char msf_shellcode[]<\/code>: What we see here is hex code, the actual malicious code(shellcode) generated by <a href=\"https:\/\/www.rapid7.com\/products\/metasploit\/\" data-type=\"link\" data-id=\"https:\/\/www.rapid7.com\/products\/metasploit\/\" target=\"_blank\" rel=\"noopener\">Metasploit&#8217;s<\/a> msfvenom, in our case, it is just executing <code>calc.exe<\/code> for demonstration. This shellcode will be copied to a memory that we will allocate later.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"calling-function-dynamically\">Calling Function Dynamically<\/h4>\n\n\n\n<p>Antivirus usually doesn&#8217;t take VirtualAlloc normally. So, To evade static analysis, The <code>GetProcAddress<\/code> function is used to find the address of <code>VirtualAlloc<\/code>, even though this is not an effective evasion method. To evade antivirus during the shellcode execution, Cyber criminals usually use various programming techniques.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"memory-allocation-and-memory-permission\">Memory Allocation and Memory Permission<\/h4>\n\n\n\n<p>Before executing the shellcode, enough memory needs to be allocated, then copy the shellcode to that memory address and make the memory executable. Here is how it&#8217;s working:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"103\" src=\"https:\/\/rednode.com\/wp-content\/uploads\/2023\/08\/image-3-1024x103.png\" alt=\"\" class=\"wp-image-336899\" title=\"\" srcset=\"https:\/\/rednode.com\/wp-content\/uploads\/2023\/08\/image-3-1024x103.png 1024w, https:\/\/rednode.com\/wp-content\/uploads\/2023\/08\/image-3-300x30.png 300w, https:\/\/rednode.com\/wp-content\/uploads\/2023\/08\/image-3-768x77.png 768w, https:\/\/rednode.com\/wp-content\/uploads\/2023\/08\/image-3.png 1051w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<ol>\n<li>In line 34, <code>VirtualAlloc<\/code> function used to allocate a block of memory with the permission of <code>PAGE_READWRITE<\/code>.<\/li>\n\n\n\n<li>In line 37, <code>RtlMoveMemory<\/code> is used to copy the shellcode from <code>msf_shellcode[]<\/code> previously allocated memory.<\/li>\n\n\n\n<li>In line 38, <code>VirtualProtect<\/code> function is used to make the allocated memory executable.<\/li>\n<\/ol>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"shellcode-execution-and-cleanup\">Shellcode Execution and Cleanup<\/h4>\n\n\n\n<ol>\n<li><code>CreateThread<\/code>: In line 39, a new thread is created by <code>CreateThread<\/code>  function to execute the shellcode. <\/li>\n\n\n\n<li><code>WaitForSingleObject<\/code>: This function is used to wait for the shellcode execution to finish.<\/li>\n\n\n\n<li><code>CloseHandle<\/code>: After execution of the shellcode, the handle thread is closed.<\/li>\n<\/ol>\n\n\n\n<p>The example shellcode execution C source, if compiled and executed in Windows machines, dynamically locates function, allocates memory, copies the shellcode to that memory, makes the memory executable, and executes it. It is simple \u2026 right? Nothing else can be done? Let&#8217;s see.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"what-else-cybercriminals-can-do\">What Else Cybercriminals Can Do?<\/h3>\n\n\n\n<p>The code provided is only a slight glance into the world of shellcode execution. The adversary can add additional functionalities for their malicious purpose, for example:<\/p>\n\n\n\n<ol>\n<li><strong>Keylogging:<\/strong> They can add a few lines to record keystrokes to capture sensitive information like passwords.<\/li>\n\n\n\n<li><strong>Remote Control:<\/strong> This simple malware can be equipped to give attackers full control over the victim&#8217;s computer.<\/li>\n\n\n\n<li><strong>Persistent:<\/strong> With a legit Windows API function, attackers can add functionality to start the application automatically when booting.<\/li>\n\n\n\n<li><strong>Anti-detection Techniques:<\/strong> To help adversaries bypass antivirus, shellcode, and function calls can be encrypted. <\/li>\n\n\n\n<li><strong>Ransomware Capabilities: <\/strong>These kinds of freely available code can be modified to add ransomware functionality.<\/li>\n<\/ol>\n\n\n\n<p>Many more features can be added by attackers to turn this into a fully-fledged malware. Especially placing the c2 shellcode and making it persistent, which means complete control of the victim machines if executed.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"why-should-you-care\">Why Should You Care?<\/h3>\n\n\n\n<p>Two types of hackers use Malware. 1st, Black hat hackers these hackers after your sensitive data. Conversely, White hat hackers like RedNode, also called Red Teamer, use the same method as adversaries to test your security strength to help you defend. Understanding how malware works is the first step to protect against it. The sample code provided in this article has no self-defending mechanisms. If you test it on your personal or corporate machine, your antivirus will immediately catch it. Is that making you bulletproof, and then all defensive go to your blue or internal team? No. How about advanced malware? If you are still unhappy, let our red team <a href=\"https:\/\/rednode.com\/contact\/\" data-type=\"page\" data-id=\"159\">test your defense<\/a> and see how strong it is!<\/p>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this modern world, Malware infection is still one of the biggest threats to individuals and organizations. There are different ways used by cyber criminals to get their malware into someone&#8217;s computer. One of the most quickly used methods is called &#8220;Shellcode Execution + Social Engineering.&#8221;, It&#8217;s also called &#8220;Shellcode Runner&#8221;. On the 27th of &#8230; <a title=\"Malware: Unpacking the Potential of Shellcode Execution\" class=\"read-more\" href=\"https:\/\/rednode.com\/insights\/potential-of-shellcode-execution\/\" aria-label=\"More on Malware: Unpacking the Potential of Shellcode Execution\">Read more<\/a><\/p>\n","protected":false},"author":7,"featured_media":336901,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[13,6],"tags":[],"_links":{"self":[{"href":"https:\/\/rednode.com\/wp-json\/wp\/v2\/posts\/336894"}],"collection":[{"href":"https:\/\/rednode.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rednode.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rednode.com\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/rednode.com\/wp-json\/wp\/v2\/comments?post=336894"}],"version-history":[{"count":10,"href":"https:\/\/rednode.com\/wp-json\/wp\/v2\/posts\/336894\/revisions"}],"predecessor-version":[{"id":336920,"href":"https:\/\/rednode.com\/wp-json\/wp\/v2\/posts\/336894\/revisions\/336920"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/rednode.com\/wp-json\/wp\/v2\/media\/336901"}],"wp:attachment":[{"href":"https:\/\/rednode.com\/wp-json\/wp\/v2\/media?parent=336894"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rednode.com\/wp-json\/wp\/v2\/categories?post=336894"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rednode.com\/wp-json\/wp\/v2\/tags?post=336894"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}