Red Teaming Experiments
linkedingithub@spotheplanetpatreon
Search…
What is ired.team?
Pinned
Pentesting Cheatsheets
Active Directory & Kerberos Abuse
offensive security
Red Team Infrastructure
Initial Access
Code Execution
Code & Process Injection
CreateRemoteThread Shellcode Injection
DLL Injection
Reflective DLL Injection
Shellcode Reflective DLL Injection
Process Doppelganging
Loading and Executing Shellcode From PE Resources
Process Hollowing and Portable Executable Relocations
APC Queue Code Injection
Early Bird APC Queue Code Injection
Shellcode Execution in a Local Process with QueueUserAPC and NtTestAlert
Shellcode Execution through Fibers
Shellcode Execution via CreateThreadpoolWait
Local Shellcode Execution without Windows APIs
Injecting to Remote Process via Thread Hijacking
SetWindowHookEx Code Injection
Finding Kernel32 Base and Function Addresses in Shellcode
Executing Shellcode with Inline Assembly in C/C++
Writing Custom Shellcode Encoders and Decoders
Backdooring PE Files with Shellcode
NtCreateSection + NtMapViewOfSection Code Injection
AddressOfEntryPoint Code Injection without VirtualAllocEx RWX
Module Stomping for Shellcode Injection
PE Injection: Executing PEs inside Remote Processes
API Monitoring and Hooking for Offensive Tooling
Windows API Hooking
Import Adress Table (IAT) Hooking
DLL Injection via a Custom .NET Garbage Collector
Writing and Compiling Shellcode in C
Injecting .NET Assembly to an Unmanaged Process
Binary Exploitation
Defense Evasion
Enumeration and Discovery
Privilege Escalation
Credential Access & Dumping
Lateral Movement
Persistence
Exfiltration
reversing, forensics & misc
Internals
Cloud
Neo4j
Dump Virtual Box Memory
AES Encryption Using Crypto++ .lib in Visual Studio C++
Reversing Password Checking Routine
Powered By GitBook
Executing Shellcode with Inline Assembly in C/C++
It's possible to execute shellcode inline in a C/C++ program. The reason why it's good to have this technique in your arsenal is because it does not require you to allocate new RWX memory to copy your shellcode over to by using VirtualAlloc API which is heavily monitored by EDRs and can get you caught. Instead, the code will get embedded into the PE's .TEXT section which is executable by default as this is where the rest of your application's code resides.

Execution

Install mingw - I'm doing it via chocolatey pacakge manager:
1
choco install mingw
Copied!
Create a simple C program that includes the shellcode. In my case, I'm simply adding 4 NOP instructions and prior to that, I am printing out the string spotless, so I can easily identify the shellcode location when debugging the program:
inline-shellcode.c
1
#include <Windows.h>
2
#include <stdio.h>
3
​
4
int main() {
5
printf("spotless");
6
asm(".byte 0x90,0x90,0x90,0x90\n\t"
7
"ret\n\t");
8
return 0;
9
}
Copied!
Let's compile and link the code:
1
gcc -c .\inline-shellcode.c -o main.o; g++.exe .\main.o -o .\main.exe
Copied!
Debugging the code via xdbg, we can see where the string spotless is going to be printed out and straight after it, we have the 4 NOP instructions:

References

GitHub - Mr-Un1k0d3r/Shellcoding: Shellcoding utilities
GitHub
Previous
Finding Kernel32 Base and Function Addresses in Shellcode
Next
Writing Custom Shellcode Encoders and Decoders
Last modified 2yr ago
Copy link
Contents
Execution
References