Security
Reader small image

You're reading from  Windows APT Warfare

Product typeBook
Published inMar 2023
Reading LevelIntermediate
PublisherPackt
ISBN-139781804618110
Edition1st Edition
Languages
C++
Tools
MiniGW
Concepts
Cybersecurity
Right arrow
Author (1)
Sheng-Hao Ma
Sheng-Hao Ma
author image
Sheng-Hao Ma

Sheng-Hao Ma is currently working as a threat researcher at TXOne Networks, specializing in Windows reverse engineering analysis for over 10 years. In addition, he is currently a member of CHROOT, an information security community in Taiwan. He has served as a speaker and instructor for various international conferences and organizations such as Black Hat USA, DEFCON, CODE BLUE, HITB, VXCON, HITCON, ROOTCON, Ministry of National Defense, and Ministry of Education.
Read more about Sheng-Hao Ma

Right arrow

Shellcode Technique – Exported Function Parsing

In this chapter, we will learn how to get the desired API address from loaded dynamic link library (DLL) modules so that we can master the knowledge necessary to write shellcode to execute in Windows memory. To do so, we will first learn about the export address table (EAT) structure in PE, build our own DLL parser, and write new Windows shellcode from scratch in x86. Once we have finished this chapter, we will be able to develop a Windows shellcode generator in Python, which we can later call to use to achieve the desired functionality.

In this chapter, we’re going to cover the following main topics:

  • EATs in PE
  • Examples of a DLL file analyzer
  • Examples of writing shellcode in x86
  • A shellcode generator in Python

Sample programs

The sample programs mentioned in this chapter are available on the GitHub website. Readers can download the exercises at the following URL: https://github.com/PacktPublishing/Windows-APT-Warfare/tree/main/chapter%2304.

EATs in PE

In Chapter 3, Dynamic API Calling – Thread, Process, and Environment Information, we successfully explored dynamic memory to get to the image base of the desired system module. These loaded PE modules are also loaded into dynamic memory through file mapping. Once we get the address of a DLL, then we can use the API’s GetProcAddress to get the address of the specific function it exports.

So, here a new question comes to mind: is there any difference in the binary structure between PE programs with export functions (DLL) and PE programs without export functions?

Figure 4.1 is dllToTest.c, an example of streamlined DLL module source code under the Chapter#4 folder of the GitHub project:

Figure 4.1 – Sample of simple DLL code

Figure 4.1 – Sample of simple DLL code

On line 16 of the code is a standard DLL entry function. When this DLL module is first mounted to the process, the global string variable, sz_Message, is modified to Hello Hackers!.

Back to lines...

Examples of a DLL file analyzer

The following examples are from the peExportParser project in the Chapter#4 folder of the GitHub project. In order to save space, this book only extracts the highlighted code; please refer to the full source code to see the full project, which is publicly available in this book's repository.

Let’s put what we have learned in practice and try to scan the entire DLL module for named functions in a purely static situation. As the analysis will be done in a purely static state, the first challenge will be that the entire EAT contains all its data as RVAs (i.e., dynamic file-mapped offsets). Therefore, we need to construct a function to help us automate the conversion of RVAs back into offsets relative to the current static file contents to capture the data correctly. Figure 4.10 shows a simple function, rvaToOffset, that helps us with this process:

Figure 4.10 – The code of the rvaToOffset function

Figure 4.10 – The code of the rvaToOffset function

In Chapter...

Examples of writing shellcode in x86

Now that we have covered the Windows PE implementation for static memory distribution and dynamic memory arrangement, and how to successfully call the system function pointer, we will begin this section with a further discussion on using what we have learned to develop 32-bit shellcode with x86 commands on our own.

The following example is the 32b_shellcode.asm source code in the Chapter#4 folder of the GitHub project. In order to save space, this book only extracts the highlighted code; please refer to the full project for the complete source code.

As this is a demonstration of 32-bit shellcode development, we need to use a compiler to help us translate the x86 script into machine code that the chip can read. It is recommended that readers practice this section by downloading the open source x86 assembler Moska (github.com/aaaddress1/moska) written by the author of this book, which can compile any x86 script based on the Keystone engine and...

A shellcode generator in Python

We have now attempted to write minimalist 32-bit shellcode ourselves, and readers will recognize the large number of structural offsets that need to be remembered in the process. In practice, this can make the development process difficult if there are complex task requirements. For this reason, many free community tools have been designed to automate shellcode generation – for example, Metasploit. In this section, we will try to develop a more convenient tool that can generate shellcode directly from C/C++ code.

The following example is the shellDev.py source code from the Chapter#4 folder of the GitHub project. In order to save space, this book only extracts the highlighted code; please refer to the full source code to see all the details of the project:

Figure 4.20 – Usage of shellDev.py

Figure 4.20 – Usage of shellDev.py

We mentioned in Chapter 1, From Source to Binaries – The Journey of a C Program, that there are at least three...

Summary

In this chapter, we learned about the details of export functions and how to build our own DLL parser without relying on the Windows GetProcAddress function, crawl through dynamic memory for export functions, and write our own Windows shellcode. Finally, we can even develop a shellcode generator via Python. With this knowledge and these skills, we will be able to develop our own testing tools for penetration testing in the future, rather than being limited to the tools already developed.

lock icon
The rest of the chapter is locked
Previous Chapter
Chapter 7 of 17
Next Chapter
You have been reading a chapter from
Windows APT Warfare
Published in: Mar 2023Publisher: PacktISBN-13: 9781804618110
© 2023 Packt Publishing Limited All Rights Reserved
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Sign up now
undefined
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Start free trial
Renews at €14.99/month. Cancel anytime

Author (1)

author image
Sheng-Hao Ma

Sheng-Hao Ma is currently working as a threat researcher at TXOne Networks, specializing in Windows reverse engineering analysis for over 10 years. In addition, he is currently a member of CHROOT, an information security community in Taiwan. He has served as a speaker and instructor for various international conferences and organizations such as Black Hat USA, DEFCON, CODE BLUE, HITB, VXCON, HITCON, ROOTCON, Ministry of National Defense, and Ministry of Education.
Read more about Sheng-Hao Ma

Personalised recommendations for you

Based on your interests and search pattern

Attacking and Exploiting Modern Web Applications

Attacking and Exploiting Modern Web Applications

Attacking and Exploiting Modern Web Attacks will help you understand how to identify attack surfaces and detect vulnerabilities. This book takes a hands-on approach to implementation and associated methodologies and equips you with the knowledge and skills needed to effectively combat web attacks.

BookAug 2023338 pages
Automotive Cybersecurity Engineering Handbook

Automotive Cybersecurity Engineering Handbook

This Automotive Cybersecurity Engineering Handbook untangles the complexities of building secure automotive products and helps you to comply with cybersecurity standards. It provides practical tools, tips, and techniques coupled with real-world examples to enable you to create cyber-resilient automotive products with ease.

BookOct 2023392 pages
Official Google Cloud Certified Professional Cloud Security Engineer Exam Guide

Official Google Cloud Certified Professional Cloud Security Engineer Exam Guide

This book will help you to design, develop, and operate security controls on Google Cloud as well as discover best practices for relevant security domains, including identity and access management, network, and data.

BookAug 2023496 pages
Cloud Penetration Testing for Red Teamers

Cloud Penetration Testing for Red Teamers

The advent of cloud networks and the AWS, Azure, and GCP platforms has revolutionized how companies of all sizes in all industries do business online. This book will help you meet the emerging demand for pentesting as it guides you through the tools, techniques, and security measures used by pentesters and red teamers in the 2020s and beyond.

BookNov 2023298 pages
ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide

ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide

ISACA Certified in Risk and Information Systems Control (CRISC®) Certification Guide is an enterprise IT risk management professional’s dream. With its in-depth approach and various self-assessment exercises, this book arms you with knowledge of every single aspect of the certification, and is a fantastic career companion after you’re certified.

BookSep 2023316 pages5
Burp Suite Cookbook

Burp Suite Cookbook

Burp Suite is an immensely powerful and popular tool for web application security testing. This book provides a collection of recipes that address vulnerabilities in web applications and APIs. It offers guidance on how to configure Burp Suite, make the most of its tools, and explore into its extensions.

BookOct 2023450 pages
Building and Automating Penetration Testing Labs in the Cloud

Building and Automating Penetration Testing Labs in the Cloud

This hands-on guide will help you design and build a variety of penetration testing labs that mimic modern cloud environments running on AWS, Azure, and GCP. In addition to these, you will explore a number of practical strategies on how to manage the complexity, cost, and security risks involved when setting up vulnerable cloud lab environments.

BookOct 2023562 pages
Ethical Hacking Workshop

Ethical Hacking Workshop

As cyber-attacks grow and APT groups advance their skillset, you need to be able to protect your enterprise against cyber-attacks. In order to limit your attack surface, you need to ensure that you leverage the same skills and tools that an adversary may use to hack your environment and discover the security gaps. This book will teach you how to think like a hacker, use state-of-the-art hacking tools, and protect yourself and your organizaiton.

BookOct 2023220 pages
Windows Forensics Analyst Field Guide

Windows Forensics Analyst Field Guide

This book contains step-by-step processes to guide you in any investigation related to Windows OS. You’ll find out how to acquire evidence using multiple tools as well as examine and analyze the collected artifacts, while discovering multiple techniques used in real-world forensic incidents.

BookOct 2023318 pages
Implementing DevSecOps Practices

Implementing DevSecOps Practices

This book is a comprehensive, hands-on guide for individuals new to DevSecOps who want to implement DevSecOps practices successfully and efficiently. With its help, you’ll be able to shift security toward the left, enabling you to merge security into coding in no time.

BookDec 2023258 pages