Shellcode Loaders

Secondary Categories: 02-Malware

Description:

Generally the execution methods of shellcode loader perform the following execution methods assuming the payload can already pass static analysis:

Anti Sandbox Checks
DLLs are unhooked
ETW and/or AMSI are patched
Memory Allocated via the NtAllocateVirtualMemory with RW permissions or a DLL is loaded for module stomping (overwriting a DLL)
Shellcode is placed into memory via NtWriteVirtualMemory
Memory permissions on the location of where the shellcode resides are changed to RX via NtProtectVirtualMemory

Once all this is completed the only thing we have to do is execute the shellcode. This portion is totally up to the creator of the payload.

Module Stomping & Thread Creation - This involves loading a DLL into a process, overwriting it with shellcode, and then creating a thread via NtCreateThreadEx so that the thread appears to be backed by a file on disk.
Thread Hijacking - This involves suspending a thread via NtSuspendThread, modifying it’s RIP to point to the shellcode via Nt[Get/Set]ContextThread, and then resuming the thread via NtResumeThread.
Windows Callback Functions — I genuinely have no idea what a callback function is or how they work, however, tons of them exist and how to utilize them to execute shellcode is documented here.
Asynchronous Procedure Calls (APCs) - This involves queuing an APC to a thread via NtQueueApcThread and then when the thread enters into an alertable state (if it is not already) it will execute the APC. In a local process we can force threads into an alertable state via the NtTestAlert API.

Thereis a great tool from FortyNorthSecurity that allows you to take a raw payload and convert it to different formats such as:

Title	URL
TymSpecial Shellcode Loader Example	https://github.com/ChadMotivation/TymSpecial
Scarecrow	https://github.com/optiv/ScareCrow
TikiTorch	https://github.com/rasta-mouse/TikiTorch
Shellcode Formatter	https://fortynorthsecurity.com/blog/quick-shellcode-modification/