Powered By GitBook
Writing and Compiling Shellcode in C
This is a quick lab to get familiar with the process of writing and compiling shellcode in C and is merely a personal conspectus of the paper From a C project, through assembly, to shellcode by hasherezade for vxunderground - go check it out for a deep dive on all the subtleties involved in this process, that will not be covered in these notes.
For the sake of this lab, we are going to turn a simple C program (that is provided by hasherezade in the aforementioned paper) that pops a message box, to shellcode and execute it by manually injecting it into an RWX memory location inside notepad.
Code samples used throughout this lab are written by hasherezade, unless stated otherwise.

Overview

Below is a quick overview of how writing and compiling shellcode in C works:
    1.
    Shellcode is written in C
    2.
    C code is compiled to a list of assembly instructions
    3.
    Assembly instructions are cleaned up and external dependencies removed
    4.
    Assembly is linked to a binary
    5.
    Shellcode is extracted from the binary
    6.
    This shellcode can now be injected/executed by leveraging code injection techniques

Walkthrough

    1.
    This lab is based on Visual Studio 2019 Community Edition.
    2.
    Program and shellcode in this lab targets x64 architecture.

1. Preparing Dev Environment

First of, let's start the Developer Command Prompt for VS 2019, which will set up our dev environment required for compiling and linking the C code used in this lab:
In my case, the said console is located here:
1
C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\Tools\VsDevCmd.bat
Copied!
Let's start it like so:
1
cmd /k "C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\Tools\VsDevCmd.bat"
Copied!

2. Generating Assembly Listing

Below are two C files that make up the program we will be converting to shellcode:
    c-shellcode.cpp - the program that pops a message box
    peb-lookup.h - header file required by the c-shellcode.cpp, which contains functions for resolving addresses for LoadLibraryA and GetProcAddress
c-shellcode.cpp
peb-lookup.h
1
#include <Windows.h>
2
#include "peb-lookup.h"
3
4
// It's worth noting that strings can be defined nside the .text section:
5
#pragma code_seg(".text")
6
7
__declspec(allocate(".text"))
8
wchar_t kernel32_str[] = L"kernel32.dll";
9
10
__declspec(allocate(".text"))
11
char load_lib_str[] = "LoadLibraryA";
12
13
int main()
14
{
15
// Stack based strings for libraries and functions the shellcode needs
16
wchar_t kernel32_dll_name[] = { 'k','e','r','n','e','l','3','2','.','d','l','l', 0 };
17
char load_lib_name[] = { 'L','o','a','d','L','i','b','r','a','r','y','A',0 };
18
char get_proc_name[] = { 'G','e','t','P','r','o','c','A','d','d','r','e','s','s', 0 };
19
char user32_dll_name[] = { 'u','s','e','r','3','2','.','d','l','l', 0 };
20
char message_box_name[] = { 'M','e','s','s','a','g','e','B','o','x','W', 0 };
21
22
// stack based strings to be passed to the messagebox win api
23
wchar_t msg_content[] = { 'H','e','l','l','o', ' ', 'W','o','r','l','d','!', 0 };
24
wchar_t msg_title[] = { 'D','e','m','o','!', 0 };
25
26
// resolve kernel32 image base
27
LPVOID base = get_module_by_name((const LPWSTR)kernel32_dll_name);
28
if (!base) {
29
return 1;
30
}
31
32
// resolve loadlibraryA() address
33
LPVOID load_lib = get_func_by_name((HMODULE)base, (LPSTR)load_lib_name);
34
if (!load_lib) {
35
return 2;
36
}
37
38
// resolve getprocaddress() address
39
LPVOID get_proc = get_func_by_name((HMODULE)base, (LPSTR)get_proc_name);
40
if (!get_proc) {
41
return 3;
42
}
43
44
// loadlibrarya and getprocaddress function definitions
45
HMODULE(WINAPI * _LoadLibraryA)(LPCSTR lpLibFileName) = (HMODULE(WINAPI*)(LPCSTR))load_lib;
46
FARPROC(WINAPI * _GetProcAddress)(HMODULE hModule, LPCSTR lpProcName)
47
= (FARPROC(WINAPI*)(HMODULE, LPCSTR)) get_proc;
48
49
// load user32.dll
50
LPVOID u32_dll = _LoadLibraryA(user32_dll_name);
51
52
// messageboxw function definition
53
int (WINAPI * _MessageBoxW)(
54
_In_opt_ HWND hWnd,
55
_In_opt_ LPCWSTR lpText,
56
_In_opt_ LPCWSTR lpCaption,
57
_In_ UINT uType) = (int (WINAPI*)(
58
_In_opt_ HWND,
59
_In_opt_ LPCWSTR,
60
_In_opt_ LPCWSTR,
61
_In_ UINT)) _GetProcAddress((HMODULE)u32_dll, message_box_name);
62
63
if (_MessageBoxW == NULL) return 4;
64
65
66
// invoke the message box winapi
67
_MessageBoxW(0, msg_content, msg_title, MB_OK);
68
69
return 0;
70
}
Copied!
1
#pragma once
2
#include <Windows.h>
3
4
#ifndef __NTDLL_H__
5
6
#ifndef TO_LOWERCASE
7
#define TO_LOWERCASE(out, c1) (out = (c1 <= 'Z' && c1 >= 'A') ? c1 = (c1 - 'A') + 'a': c1)
8
#endif
9
10
11
typedef struct _UNICODE_STRING
12
{
13
USHORT Length;
14
USHORT MaximumLength;
15
PWSTR Buffer;
16
17
} UNICODE_STRING, * PUNICODE_STRING;
18
19
typedef struct _PEB_LDR_DATA
20
{
21
ULONG Length;
22
BOOLEAN Initialized;
23
HANDLE SsHandle;
24
LIST_ENTRY InLoadOrderModuleList;
25
LIST_ENTRY InMemoryOrderModuleList;
26
LIST_ENTRY InInitializationOrderModuleList;
27
PVOID EntryInProgress;
28
29
} PEB_LDR_DATA, * PPEB_LDR_DATA;
30
31
//here we don't want to use any functions imported form extenal modules
32
33
typedef struct _LDR_DATA_TABLE_ENTRY {
34
LIST_ENTRY InLoadOrderModuleList;
35
LIST_ENTRY InMemoryOrderModuleList;
36
LIST_ENTRY InInitializationOrderModuleList;
37
void* BaseAddress;
38
void* EntryPoint;
39
ULONG SizeOfImage;
40
UNICODE_STRING FullDllName;
41
UNICODE_STRING BaseDllName;
42
ULONG Flags;
43
SHORT LoadCount;
44
SHORT TlsIndex;
45
HANDLE SectionHandle;
46
ULONG CheckSum;
47
ULONG TimeDateStamp;
48
} LDR_DATA_TABLE_ENTRY, * PLDR_DATA_TABLE_ENTRY;
49
50
51
typedef struct _PEB
52
{
53
BOOLEAN InheritedAddressSpace;
54
BOOLEAN ReadImageFileExecOptions;
55
BOOLEAN BeingDebugged;
56
BOOLEAN SpareBool;
57
HANDLE Mutant;
58
59
PVOID ImageBaseAddress;
60
PPEB_LDR_DATA Ldr;
61
62
// [...] this is a fragment, more elements follow here
63
64
} PEB, * PPEB;
65
66
#endif //__NTDLL_H__
67
68
inline LPVOID get_module_by_name(WCHAR* module_name)
69
{
70
PPEB peb = NULL;
71
#if defined(_WIN64)
72
peb = (PPEB)__readgsqword(0x60);
73
#else
74
peb = (PPEB)__readfsdword(0x30);
75
#endif
76
PPEB_LDR_DATA ldr = peb->Ldr;
77
LIST_ENTRY list = ldr->InLoadOrderModuleList;
78
79
PLDR_DATA_TABLE_ENTRY Flink = *((PLDR_DATA_TABLE_ENTRY*)(&list));
80
PLDR_DATA_TABLE_ENTRY curr_module = Flink;
81
82
while (curr_module != NULL && curr_module->BaseAddress != NULL) {
83
if (curr_module->BaseDllName.Buffer == NULL) continue;
84
WCHAR* curr_name = curr_module->BaseDllName.Buffer;
85
86
size_t i = 0;
87
for (i = 0; module_name[i] != 0 && curr_name[i] != 0; i++) {
88
WCHAR c1, c2;
89
TO_LOWERCASE(c1, module_name[i]);
90
TO_LOWERCASE(c2, curr_name[i]);
91
if (c1 != c2) break;
92
}
93
if (module_name[i] == 0 && curr_name[i] == 0) {
94
//found
95
return curr_module->BaseAddress;
96
}
97
// not found, try next:
98
curr_module = (PLDR_DATA_TABLE_ENTRY)curr_module->InLoadOrderModuleList.Flink;
99
}
100
return NULL;
101
}
102
103
inline LPVOID get_func_by_name(LPVOID module, char* func_name)
104
{
105
IMAGE_DOS_HEADER* idh = (IMAGE_DOS_HEADER*)module;
106
if (idh->e_magic != IMAGE_DOS_SIGNATURE) {
107
return NULL;
108
}
109
IMAGE_NT_HEADERS* nt_headers = (IMAGE_NT_HEADERS*)((BYTE*)module + idh->e_lfanew);
110
IMAGE_DATA_DIRECTORY* exportsDir = &(nt_headers->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]);
111
if (exportsDir->VirtualAddress == NULL) {
112
return NULL;
113
}
114
115
DWORD expAddr = exportsDir->VirtualAddress;
116
IMAGE_EXPORT_DIRECTORY* exp = (IMAGE_EXPORT_DIRECTORY*)(expAddr + (ULONG_PTR)module);
117
SIZE_T namesCount = exp->NumberOfNames;
118
119
DWORD funcsListRVA = exp->AddressOfFunctions;
120
DWORD funcNamesListRVA = exp->AddressOfNames;
121
DWORD namesOrdsListRVA = exp->AddressOfNameOrdinals;
122
123
//go through names:
124
for (SIZE_T i = 0; i < namesCount; i++) {
125
DWORD* nameRVA = (DWORD*)(funcNamesListRVA + (BYTE*)module + i * sizeof(DWORD));
126
WORD* nameIndex = (WORD*)(namesOrdsListRVA + (BYTE*)module + i * sizeof(WORD));
127
DWORD* funcRVA = (DWORD*)(funcsListRVA + (BYTE*)module + (*nameIndex) * sizeof(DWORD));
128
129
LPSTR curr_name = (LPSTR)(*nameRVA + (BYTE*)module);
130
size_t k = 0;
131
for (k = 0; func_name[k] != 0 && curr_name[k] != 0; k++) {
132
if (func_name[k] != curr_name[k]) break;
133
}
134
if (func_name[k] == 0 && curr_name[k] == 0) {
135
//found
136
return (BYTE*)module + (*funcRVA);
137
}
138
}
139
return NULL;
140
}
Copied!
We can now convert the C code in c-shellcode.cpp to assembly instructions like so:
1
"C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.26.28801\bin\Hostx64\x64\cl.exe" /c /FA /GS- c-shellcode.cpp
Copied!
The switches' instruct the compiler to:
    /c - Prevent the automatic call to LINK
    /FA - Create a listing file containing assembler code for the provided C code
    /GS- - Turn off detection of some buffer overruns
Below shows how we compile the c-shellcode.cpp into c-shellcode.asm:
Assembly instructions are generated based on the c-shellcode.asm

3. Massaging Assembly Listing

Now that our C code has been convered to assembly in c-shellcode.asm, we need to clean up the file a bit, so we can link it to an .exe without errors and to avoid the shellcode from crashing. Specifically, we need to:
    1.
    Remove dependencies from external libraries
    2.
    Align stack
    3.
    Fix a simple syntax issue

3.1 Remove Exteranal Libraries

First off, we need to comment out or remove instructions to link this module with libraries libcmt and oldnames:
Comment out both includelib directives

3.2 Fix Stack Alignment

Add procedure AlignRSP right at the top of the first _TEXT segment in our c-shellcode.asm:
1
; https://github.com/mattifestation/PIC_Bindshell/blob/master/PIC_Bindshell/AdjustStack.asm
2
3
; AlignRSP is a simple call stub that ensures that the stack is 16-byte aligned prior
4
; to calling the entry point of the payload. This is necessary because 64-bit functions
5
; in Windows assume that they were called with 16-byte stack alignment. When amd64
6
; shellcode is executed, you can't be assured that you stack is 16-byte aligned. For example,
7
; if your shellcode lands with 8-byte stack alignment, any call to a Win32 function will likely
8
; crash upon calling any ASM instruction that utilizes XMM registers (which require 16-byte)
9
; alignment.
10
11
AlignRSP PROC
12
push rsi ; Preserve RSI since we're stomping on it
13
mov rsi, rsp ; Save the value of RSP so it can be restored
14
and rsp, 0FFFFFFFFFFFFFFF0h ; Align RSP to 16 bytes
15
sub rsp, 020h ; Allocate homing space for ExecutePayload
16
call main ; Call the entry point of the payload
17
mov rsp, rsi ; Restore the original value of RSP
18
pop rsi ; Restore RSI
19
ret ; Return to caller
20
AlignRSP ENDP
Copied!
Below shows how it should look like in the c-shellcode.asm:
Add AlignRSP at the top of _TEXT segment

3.3 Remove PDATA and XDATA Segments

Remove or comment out PDATA and XDATA segments as shown below:

3.4 Fix Syntax Issues

We need to change line mov rax, QWORD PTR gs:96 to mov rax, QWORD PTR gs:[96]:

4. Linking to an EXE

We are now ready to link the assembly listings inside c-shellcode.asm to get an executable c-shellcode.exe:
1
"C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.26.28801\bin\Hostx64\x64\ml64.exe" c-shellcode.asm /link /entry:AlignRSP
Copied!

5. Testing the EXE

We can now check that if c-shellcode.exe does what it was meant to - pops a message box:

6. Copying Out Shellcode

Once we have the c-shellcode.exe binary, we can extract the shellcode and execute it using any code injection technique, but for the sake of this lab, we will copy it out as a list of hex values and simply paste them into an RWX memory slot inside a notepad.exe.
Let's copy out the shellcode from the .text section, which in our case starts at 0x200 into the raw file:
If you are wondering how we found the shellcode location, look at the .text section - you can extract if from there too:

7. Testing Shellcode

Once the shellcode is copied, let's paste it to an RWX memory area (you can set any memory location to have permissions RWX with xdbg64) inside notepad, set RIP to that location and resume code execution in that location. If we did all the previous steps correctly, we should see our shellcode execute and pop the message box:
notepad.exe executing shellcode that pops a MessageBox as seen in xdbg64

References

Last modified 10mo ago