Classic Shellcode Execution
Shellcode Execution
Technique Details
Description
Shellcode is copied into a buffer inside the current (local) process and executed directly from memory. No payload file is ever written to disk, so file-based scanning and on-access AV never see the code; only in-memory and behavioral detections can catch it.
Dependencies
Windows.h
Mitigations
Memory Protection Policies
– Enable Data Execution Prevention (DEP) so that pages without execute permission cannot run code. This technique explicitly requests execute permission with VirtualProtect(), so DEP alone does not stop it; what DEP does is force the RW-to-RX transition that monitoring can flag. Where the process can opt in, Arbitrary Code Guard (the dynamic code policy) additionally refuses to create executable pages or make existing pages executable, which defeats this sequence outright.
– Use Control Flow Guard (CFG) to validate indirect call targets in CFG-instrumented code against the set of known valid function entry points.
Steps
– Define Shellcode
The payload (shellcode[]) is a byte array of position-independent machine code (e.g., a Meterpreter stager).
– Allocate Memory
VirtualAlloc() reserves and commits a memory region with PAGE_READWRITE protection. It is deliberately not executable yet, so the allocation itself does not match the common RWX-allocation signature.
– Copy Shellcode
RtlMoveMemory() copies the shellcode into the allocated buffer.
– Make Memory Executable
VirtualProtect() changes the protection to PAGE_EXECUTE_READ. This RW-to-RX change on private (non-image) memory is the point most user-mode hooks and memory-scanning detections key on.
– Create Thread to Run Shellcode
CreateThread() starts a new thread whose start address is the beginning of the shellcode buffer. A thread start address that lies outside every loaded module is another common detection signal.
– Wait for Execution
WaitForSingleObject() blocks the main thread until the shellcode thread exits; with INFINITE it waits until the payload returns.
Code
- C++
- Rust
⚠️ Note: The Rust code examples shown here are not exhaustively tested in all environments or edge cases.
Proof of Concept