This is a reference repository that can help you to understand basic shellcoding concepts (for Windows).
- A few shellcode samples to learn how it's written (some assembly, some C++).
- A script to help with creation of the shellcode.
- The payloads in raw binary format.
- The payloads in a C-style array format.
- calc: written in pure assembly, specifically MASM (Microsoft's "Macro Assembler"). Simply opens the calculator app. Similar to the one found in the MSFVenom toolkit.
- msgbox: written in C++. Pops a message box.
- reverse_shell: A basic reverse shell payload that redirects the input and output of a command prompt process (spawned via Win32 CreateProcess) into a TCP socket. For testing purposes this payload will reach out to localhost 4444. You can listen on this port with say, netcat, if you want to mess around with it (i.e. something like
nc -l 127.0.0.1 4444
will work). If you want to have it connect to a different socket you can modify the stack string at the beginning of the rshell_impl() function as well as the host port. - screenshot: Creates an in-memory screen capture and writes it to a file called ss.bmp in the working directory of the victim process.
I'd highly recommend messing around with the source code and building it yourself. Unfortunately, shellcode is rather tricky when it comes to the build process. You cannot simply hit build and expect everything to work. Take note of the fact that there is a Python script called scn_dump in the scripts folder that will extract the .text section from a given executable and dump it into a file of your choosing. You'll need this.
This pertains to the MASM shellcode found here (like calc.asm). to turn it into shellcode, you'll first need to open up the Visual Studio x64 Native Tools Command Prompt that comes with every install of Visual Studio. Next, do the following:
ml64.exe /c calc.asm
this will run Microsoft's MASM assembler on the file and produce a COFF object file.link.exe /entry:calc /subsystem:console calc.obj
invoke Microsoft's native linker on the object file to create a PE.scn_dump.py calc.exe calc.bin
use the Python script included in this repo to dump the .text section of the PE into a .bin file.- Load and execute the .bin using whatever method you want. It'll work as long as the page has execute perms.
This pertains to the shellcode here written in C++ (i.e. reverse_shell.cpp and msgbox.cpp). They make use of inline assembly for stack alignment purposes, which means we can't use MSVC to compile them (MSVC does not natively support inline assembly for 64 bit programs). To compile, you'll need 64 bit G++ (the C++ version of GCC basically) installed on your Windows machine. Run these commands:
x86_64-w64-mingw32-g++ <FILE> -Os -nostdlib -s -masm=intel -fPIC -o shellcode.exe
replace <FILE> with the name of the .cpp file.scn_dump.py shellcode.exe shellcode.bin
This will dump the .text section, allowing it to be loaded and executed.