My first

and Last

Shellcode Loader

Dobin Rutishauser

Red Team Lead, Raiffeisen Schweiz

Commsec Track

29 AUG

Slides: https://bit.ly/4dGhBXl

About Me

Developer // TerreActive

Pentester // Compass Security

Developer // UZH

SOC Analyst // Infoguard

RedTeam Lead // Raiffeisen

​

SSL/TLS Recommendations�// OWASP Switzerland

Burp Sentinel - Semi Automated Web Scanner�// BSides Vienna

Automated WAF Testing and XSS Detection�// OWASP Switzerland Barcamp

Fuzzing For Worms - AFL For Network Servers�// Area 41

Develop your own RAT - EDR & AV Defense�// Area 41

Avred - Analyzing and Reverse Engineering AV Signatures�// HITB

​

​

​

​

Memory Corruption Exploits & Mitigations�// BFH - Bern University of Applied Sciences

Gaining Access�// OST - Eastern Switzerland University of Applied Sciences

2

Loader

Content

How loader works

Payload detection & bypass

Make Shellcode & EXE Injection

Antivirus, 10min

​

Intro to Loader, 5min

EDR, 20min

​

Supermega & Cordyceps, 20min

​

​

01

02

03

04

Analysis & Conclusion

Anti-EDR, 5min+

​

05

EDR Input & Attacks

3

Loader

Intro

Intro

Target Audience

• RedTeamers
• Doing initial access with their C2 (CobaltStrike, Sliver, Havoc…)
• Have some EDR knowhow, but confused

​

Me:

• Not much interest in specific (detectable) anti-EDR techniques
• Interest in how stuff overall works

Create C2

Implant

???

Send .exe

to victim

Pack in

.exe

Profit

Loader

Motivation: Initial Access with C2

Loader

Motivation: Initial Access with C2

https://github.com/sevagas/Advanced_Initial_access_in_2024_OffensiveX/blob/main/breach_the_gates_extended.pdf

Loader

Why

“EDR bypass this”

“EDR bypass that”

“New EDR bypass technique”

“How i bypassed EDR”

“Usermode unhooking to bypass EDR”

​

• People dont understand EDR
• People dont know what they are bypassing
• People develop super advanced low level Anti-EDR techniques which create more telemetry than they solve

Loader

Processes

Program vs. Process

Code

Header

Data

Program.exe

Process

Windows Loader

Code

Data

Harddisk

RAM

Loader

File vs. Process Analysis

Code

Header

Data

Program.exe

Process

Code

Data

Antivirus

Signatures

Yara

File Hash

Imports

Disassembler

Decompiler

Memory scanning

Sandbox

EDR

Debugger

Static Analysis

Dynamic Analysis

Behaviour Analysis

Loader

Memory Region Permissions

Code

Header

Data

Program.exe

Process

Code

Data

Read, Execute

Read, Write

Loader

Memory Region Backed vs. Unbacked

Code

Header

Data

Program.exe

Process

Code

Data

Backed

Backed

VirtualAlloc’d

Unbacked

Loader

Loader

Process Memory Regions

Loader

Shellcode Loader Example

Shellcode: Calc

Loader

Shellcode: Calc

Loader

Shellcode: Loader

Need:

• Shellcode (payload)
• VirtualAlloc memory
• Copy shellcode to memory
• Exec memory

​

Loader

Shellcode Loader: 1/3 VirtualAlloc

Code

Data

RWX Region

VirtualAlloc(RWX)

Create new region in process

Payload

Loader

Shellcode Loader: 2/3 Copy

Code

Data

RWX Region

Copy Payload to RWX Region

Payload

Loader

Shellcode Loader: 3/3 Exec

Code

Data

RWX Region

execute payload

(shellcode / memory region)

Payload

Loader

Shellcode Loader Structure

• The payload / shellcode to execute
• In .data, .rdata, .text, from a file
• Encoded, encrypted, base64, xor’d…
• The writeable/executable memory
• VirtualAlloc()
• NtAllocateVirtualMemory()
• HeapAlloc()
• The copy
• for() loop
• memcpy() / memmove()
• RtlCopyMemory(), CopyMemory(), MoveMemory()
• The execution
• Just jmp to it: ((void(*)())exec)();
• CreateThread(), QueueUserWorkItem()
• QueueUserApc()
• Windows functions which use a callback
• Shellcode can be a reflective DLL

Alloc RWX

Decode

Copy

RWX

Shellcode

Exec

Loader

Shellcode Loader

In other languages

Shellcode Loader: .NET / C#

Loader

Shellcode Loader: Powershell

Loader

Shellcode Loader: VBA

Loader

Shellcode Loader: Remote Process Injection

Code

Data

RWX

Teams.exe

Process

Code

Data

Shellcode

Loader.exe

Process

OpenProcess()

VirtualAllocEx()

WriteProcessMemory()

Shellcode

Loader

Shellcode Loader: Remote Process Injection

Loader

Anti Virus Detection

Loader: Unencrypted Payload

Alloc RWX

Copy

RWX

Payload

Exec

Loader

Loader: Unencrypted Payload

Code

Data

Payload

Scan File

Signature Scan

loader.exe

AV

Write-File Event

OS

Loader

DEMO 1

DEMO: Show AV finds unencrypted metasploit

​

Loader

AntiVirus - Encrypted Payload

Loader: Unencrypted Payload

Alloc RWX

Copy

RWX

Payload

Encrypted

Exec

Loader

Loader: Encrypted payload

“Encryption” can be anything

• XOR
• ROT13
• ADD 1
• ZIP
• Base64

​

Theres no need to:

• AES, RC4 etc.
• Low entropy / steganography
• Hide it / steganogrphy / low entropy (like SVG, CSS, UUID, CSV)

Code

Data

Payload

Encrypted

Signature Scan

Loader

DEMO 2

DEMO: Show AV with encrypted metasploit

​

Loader

AntiVirus

AV Emulator

AV Emulator

AV Emulator:

• “Interpret” PE file
• Virtual CPU, Windows

​

​

It is not:

• Virtualization
• Sandbox
• Full Emulation (Bochs)
• Wine

Loader

AV Emulator

Emulate binary until condition is met

Signature Memory Scan after that

​

Cut-off condition:

• Time
• Number of instructions
• Number of API Calls
• Amount of memory used

Emulating

EXE

Cut-Off reached?

Memory Scan

Loader

Anti AV Emulator

Process

Anti

Emulation

Payload

Alloc

Copy

Exec

AV Emulation

Payload

Encrypted

Loader

Anti AV Emulator

Process

Anti

Emulation

Payload

Alloc

Copy

Exec

AV Emulation

Payload

Encrypted

Static Code Analysis

Loader

DEMO 3

DEMO: AV does NOT find encrypted metasploit with Anti-Emulation

​

• Show Anti-Emulation

Loader

Detection in Middleboxes

Dynamic Analysis

Middleboxes

Client

Email

Gateway

Web

Proxy

Teams

Sharepoint

Malware

AV

AV

AV

AV

Sandbox

Loader

Execution Guardrails

• AD Domain
• Username
• Installed Software
• IP Address

• Vmtools installed
• # CPUs, RAM
• Vmware Drivers

Execution guardrails:

​

• Environment check
• Environmental keying
• Sandbox / VM detection

Loader

Anti AV Emulator

Process

Execution

Guardrails

Payload

Alloc

Copy

Exec

Sandbox

Payload

Encrypted

Loader

Loader Design

Conclusion

Loader Summary

Process

Execution

Guardrails

Payload

Alloc

Copy

Exec

Middleboxes (off target)

Payload

Encrypted

Anti

Emulation

AV Emulator

Static Analysis

Loader

Loader Problem

Process

Execution

Guardrails

Payload

Alloc

Copy

Exec

Payload

Encrypted

Anti

Emulation

EDR

Telemetry

Memory Scan

Loader

EDR Fundamentals

EDR

EDR:

• Agent on each System
• Find malicious processes

Loader

EDR

EDR is blackbox

Many different EDR

Rapid development

​

Therefore:

• Focus on what the EDR sees
• Not the detections itself
• Whats the input?
• Create a framework to reason about EDR

EDR

​

Blackbox

Input

Alerts

Loader

EDR - Bubbles of Bane

File Scan

AV

Mem Scan

EDR

Behaviour

Telemetry

EDR

Signatures

Loader

EDR Input: Usermode-Hooks

Usermode Hooks

NtApi

kernel32.dll

OpenProcess

Ntdll.dll

NtOpenProcess

Kernel

NtOpenProcess

syscall

kernel32.dll

VirtualAllocEx

Ntdll.dll

NtAllocateVirtualMemory

Kernel

NtAllocateVirtualMemory

syscall

WinApi

Usermode Hook

Usermode Hook

Kernel

Loader

Usermode Hooks

EDR

Process

Ntdll.dll

Hooked

Windows

Kernel

Syscall

Usermode Hooks

Hook

DLL

Loader

Usermode Hooks: Patching ntdll.dll

App.exe

Kernel32.dll::

OpenProcess()

Ntdll.dll::

NtOpenProcess()

OS

Kernel

jmp callback

syscall

Amsi.dll

NtCreateFileTrampoline()

syscall

EDR

notify

Loader

Usermode Hooks

Typically hooked functions:

• VirtualAlloc, VirtualProtect
• MapViewOfFile, MapViewOfFile2
• VirtualAllocEx, VirtualProtectEx
• QueueUserAPC
• SetThreadContext
• WriteProcessMemory, ReadProcessMemory

​

Loader

EDR Input List

EDR Inputs

OS

Process

ntdll.dll

amsi.dll

EtwWrite()

syscall

pipe

Kernel Callbacks

ETW

ETW-TI

EDR

Usermode Hooks

Loader

EDR Input

Kernel Callbacks

Kernel Callbacks

void CreateProcessNotifyRoutine(parent_process, pid, createInfo)

void CreateThreadNotifyRoutine(ProcessId, ThreadId, Create);

void LoadImageNotifyRoutine(FullImageName, ProcessId, ImageInfo);

void ObCallback(RegistrationContext, PreInfo);

Loader

Kernel Callbacks

Loader

EDR Input

ETW

ETW

Loader

ETW Providers

Loader

ETW Providers, Loader relevant

Loader

ETW Provider: Microsoft-Windows-Kernel-Process

Microsoft-Windows-Kernel-Process: Provides events related to process creation and termination. It can help detect suspicious processes being spawned.

• Process Start/Stop
• Thread Start/Stop
• Image Load/Unload
• Some more

​

ProcessStart data:

• ProcessID
• CreateTime
• ParentProcessID
• ImageName

​

Basically same as Kernel Callbacks

Loader

ETW Provider: Microsoft-Windows-Security-Auditing

Loader

Two Sides of ETW

OS

Process

(Etw)EventWrite()

ETW

EDR

ETW

ETW

Loader

EDR Input

ETW-TI

ETW-TI

ETW-Threat Intelligence

The good shit

​

Few consumers (Defender?)

Req PPL’d and signed process

Loader

EDR Input

Query Process

Query Process Information

Most events only have very little information

• PID
• ThreadID
• What happened (Image allocation at address x)

​

​

Loader

EDR: Query Overview

OS

Process

ntdll.dll

amsi.dll

EtwWrite()

syscall

Kernel Callbacks

ETW

ETW-TI

AMSI

PEB

EPROCESS

File

Process Info

Memory Scan

File Scan

Process

Callstack

EDR

Loader

EDR: Query Process Information

Query Process Information:

• Parent Process Id
• Image filename (source exe)
• Command line parameters
• Loaded DLL’s

​

​

Note:

• PPID Spoofing
• Command line argument Spoofing

​

​

NtQueryInformationProcess()

Process

PEB

EPROCESS

Loader

EDR: Memory Scanning

Signature scan (like in files)

Performance intensive - only on trigger

Process

Code

Data

Loader

EDR: Callstack Analysis

Callstack:

• On NtApi Call (AMSI or syscall)
• List of addresses of all previous parent functions

Loader

EDR: Callstack Analysis

Process

ntdll.dll

amsi.dll

syscall

EDR

AMSI

Process

Callstack

OS

Stack

.text

Loader

Callstack analysis - Elastic

Elastic has callstack analysis rules for:

• Direct syscalls
• Callback-based evasion
• Module Stomping
• Library loading from unbacked region
• Process created from unbacked region

​

Callstack analysis for:

• VirtualAlloc, VirtualProtect
• MapViewOfFile, MapViewOfFile2
• VirtualAllocEx, VirtualProtectEx
• QueueUserAPC
• SetThreadContext
• WriteProcessMemory, ReadProcessMemory

Loader

EDR Performance

EDR Performance

If EDR is slow dev’s go to Mac. Cant let this happen.

Loader

Time in Event Processing

EDR

Input Events

Query Process Info (QPI)

time

Loader

Sysmon

• MD5 hashes of images
• Callstack (ProcessAccess)
• Current Working Directoy

Process

Kernel Callbacks

ETW

Process Info

Memory Scan

OS

ETW

Sysmon

Loader

EDR Example Attacks

Usermode-hook patch

Usermode Hooks

NtApi

kernel32.dll

OpenProcess

Ntdll.dll

NtOpenProcess

Kernel

NtOpenProcess

syscall

kernel32.dll

VirtualAllocEx

Ntdll.dll

NtAllocateVirtualMemory

Kernel

NtAllocateVirtualMemory

syscall

WinApi

Usermode Hook

Loader

Usermode-hook patch

Remove Userspace-Hooks by patching ntdll.dll

.text

ntdll.dll

EDR

sus?

VirtualProtect(ntdll.dll, RX->RW)

memcpy(ntdll.dll, …)

VirtualProtect(ntdll.dll, RW->RX)

Loader

“EDR bypass”

Usermode Hooks: Patching ntdll.dll

App.exe

Kernel32.dll::

OpenProcess()

Ntdll.dll::

NtOpenProcess()

OS

Kernel

jmp callback

syscall

Amsi.dll

NtCreateFileTrampoline()

syscall

EDR

Indirect Syscall

Direct Syscall

syscall

:-(

Loader

Callstack Spoofing

Callstack Spoofing

Callstack:

• List of addresses of all previous parent functions

Loader

Callstack Spoofing

Callstack patch: Modify process/thread stack return addresses

Loader

Callstack Spoofing

EDR

Stack

Process

Query Callstack

.text

OS

NtApi

Unbacked shellcode

Patch

Stack

Loader

Image Spoofing

Image Spoofing

.text

Start Suspended

Overwrite Memory

Resume Process

notepad.exe

C2

Loader

Module Stomping

Module Stomping

C2

openssl.dll

​

.text

LoadLibrary(“openssl.dll”)

Overwrite Memory

Start Thread

notepad.exe

Loader

Memory Encryption

Memory Encryption

.text

.data

Active

.text

encrypted

.data

encrypted

Sleep

EDR

Sleep()

Memory Scan

Loader

EDR Attacks Summary

EDR Attacks Overview

Loader

SuperMega Loader

Cordyceps Technique

Loader injection

Payload

encoded

Carrier

Loader

=

Loader

Putty, 7zip, ...

PIC, Shellcode

program.exe

Loader

Code Similarity Scanning

Malware Detection:

Code Similary Scanning

​

​

Compare code in EXE files with known bad

• Find new versions of malware
• Find code of existing malware in new files
• “Are QBot and PikaBot related?”
• “This looks like QBot”

Loader

Machine Learning

Machine Learning

1. Train Neural Network on malware files
2. ???
3. Profit?

​

But, what is the similarity in the following malware?

• Mimikatz
• CobaltStrike
• Nmap
• Metasploit
• Qbot
• Rubeus
• Psexec

Loader

Why file injection?

File injection:

• Harder to find the malicious code
• Lots of “code”
• Code similarity searches fail
• No “Good code stuffing”
• Existing Meta information in the PE
• Metadata like Company, Issuer
• Imports / IAT
• Whats the alternative?
• Write your own loader which results in a 5kb file?
• EXES generated from C2 frameworks?
• Burned Public loaders?

.text

7zip.exe

Loader

Shellcode

Loader

Basic File Injection

EXE

Header

.text

EXE

Header

.text

Loader

EXE

Header

.text

Loader

EXE

Header

.text

Loader

Plain

Overwrite main()

Middle of .text

Patch entry point

Middle of .text

Patch call

Mode = 1,1

Mode = 2,1

Loader

RedBackdoorer

https://github.com/mgeeky/ProtectMyTooling/blob/master/RedBackdoorer.py

Loader

Disassembled PE Entry Point (main)

Loader

SuperMega

Shellcode generation

SuperMega: Shellcode Creation

C

Shellcode

ASM Text

Loader

SuperMega: Shellcode Creation

char *dest = VirtualAlloc(

NULL, 202844, 0x3000, RW);

​

for (int n=0; n<202844; n++) {

dest[n] = supermega_payload[n];

}

​

if (MyVirtualProtect(

dest, 202844, RX, &res) == 0) {

return 7;

}

​

(*(void(*)())(dest))();

​

Loader

SuperMega: Shellcode Creation

.c

�Template

.c

​

Rendered

.asm

​

Compiled

.asm

​

Cleaned

.exe

​

Compiled

.bin

​

Shellcode

jinja2

cl.exe

masm_shc

ml64.exe

pefile

Loader

Demo

Demo SuperMega UI

• C -> ASM
• Phases
• Options

Loader

Cordyceps

Cordyceps Motivation

Improve “From C project, through assembly, to shellcode”

Goal:

• Less signaturable
• Less obviously malware

​

​

Make it look as genuine as possible

Loader

Cordyceps

Original Loader PEB Walk

PEB Walk

Calling functions in shellcode:

• Locate the PEB
• Access Ldr data structure: PEB->Ldr
• Traverse module list (find “ntdll.dll”)
• Get export table of module
• Resolve function address

Loader

PEB Walk

NtApi

kernel32.dll

VirtualAllocEx

Ntdll.dll

NtAllocateVirtualMemory

Kernel

NtAllocateVirtualMemory

syscall

WinApi

NO

PEB Walk

Find this

Loader

PEB Walk

Loader

PEB Walk

Loader

PEB Walk

• Why cant we call functions like the program itself?
• Avoiding the PEB walk

Loader

IAT calls

The normal way

IAT Call

Loader

IAT Call

.text

IAT

User32.dll

MessageBoxW()

Call iat:

MessageBoxW

Call User32.dll:

MessageBoxW()

Loader

IAT Call

Call IAT:

​

​

​

IAT:

Loader

IAT Call

​

​

​

​

0x140001017 + 0x1063 - 6 = 0x140002080

​

​

​

​

​

​

​

​

0x140002080

6 bytes

Loader

Cordyceps

IAT Reuse

Cordyceps: IAT reuse

IAT reuse:

• Goal: Get rid of PEB_WALK
• Solution: Relative call to IAT

Problem:

• MASM doesnt support relative call’s
• Solution: Patch shellcode in the infected binary

Loader

Cordyceps: IAT reuse

Loader

Cordyceps: IAT reuse

Loader

Cordyceps: IAT reuse

Loader

Cordyceps: IAT reuse

ASM Text

ASM Text

With Placeholder

loader.exe

Shellcode

With Placeholder

inject

Replace

placeholder

Shellcode

With Placeholder

C Loader

loader.exe

Shellcode

Fixed

IAT

Loader

Cordyceps: IAT reuse

• Find RVA of placeholder (\xd8\x4a\xcc\x09\x26\x9e)
• Find RVA of IAT entry (GetEnvironmentVariableW())
• Create relative “call” instruction
• Replace placeholder with “call” instruction

​

Note: This is not IAT hooking, its normal IAT usage

Loader

Cordyceps: IAT reuse

Replaced

RVA of call address + RVA IAT = call with offset

Loader

Demo

Demo SuperMega UI

• Templates

Loader

Cordyceps

.rdata Reuse

Problem: Shellcode Data Reference

Shellcode is code only

How to handle data? (function call arguments)

Loader

Problem: Shellcode Data Reference

Instruct compiler to push data on stack

Loader

Problem: Shellcode Data Reference

Or, alternatively:

• Interleave data in code
• Jump over it

​

Loader

Cordyceps: .rdata reuse

Both solutions look suspicious

​

Solution similar to IAT-reuse:

• Inject data into .rdata section
• Patch shellcode in exe to reference it
• Relative load

.rdata

.text

​

​

shellcode

ref

Inject code

Inject data

Shellcode data

Loader

Cordyceps: .rdata reuse

Loader

Cordyceps Technique

Cordyceps Technique

Cordyceps:

Inject shellcode into executable .text

​

Patch injected shellcode:

• IAT reuse
• .rdata reuse

​

Result: Cant differentiate from genuine program

• No IOC’s
• No shellcode detection possible

​

The restrictions of shellcode dont apply when EXE injections is performed

​

Like in “The last of us”

Loader

Demo 4

Demo: Demo 3 Metasploit Meterpreter execution

• Defender: No detection
• MDE: Detection

Loader

Anti EDR

Goal: Avoid Memory Scan Trigger

File Scan

AV

Mem Scan

EDR

Behaviour

Telemetry

EDR

File Carrier / Loader

With Encrypted Payload

Unencrypted Payload

Loader

EDR Design

• High performance required
• Little information available
• A lot of noise in the system

​

• Focus: Unbacked memory
• Unbacked RWX memory
• Threads starting in unbacked memory
• Calls into kernel from unbacked memory
• Unbacked RX memory (going RW)
• Backed = already AV Scanned

.code

VirtualAlloc

.code

Backed

Unbacked

Loader

EDR Deconditioning

What will trigger a Memory Scan?

Loader

Cordyceps

EDR deconditioning

EDR Deconditioning

Make EDR tired of scanning our memory

Copy carrier functionality

​

Sirallocalot:

• Do 10 times:
• Do 100 times:
• Alloc memory RW with shellcode_len
• Copy fake data into memory
• Change to RX
• Leave it for a bit
• Free 100

Loader

EDR Deconditioning

Like pavlov’s dogs

​

Ring the bell a lot

​

Loader

Demo 5

Demo with sirallocalot MDE

Loader

Conclusion

Basic Assumption

• It seems there is not enough information to identify loader based on telemetry
• Only Process / Thread / Image loads
• Loader doesnt use networking, file or registry access
• Telemetry may be there for loader mischief
• unbacked RW -> RX changes
• Modifying backed regions
• But not used

Loader

Self-Stomping

Loader is integrated in backed image section

• Makes it trustworthy

.text

​

​

​

SuperMega

Loader

Payload

Shellcode

Unbacked

C2 doing its thing

Loader

Bubbles of Bane

Supermega:

• No signature
• Or easy changeable
• Very little telemetry
• All look normal
• From backed memory
• Will not trigger mem scan
• But susceptible to on-demand mem scan
• pe-sieve, moneta

File Scan

AV

Mem Scan

EDR

Behaviour

Telemetry

EDR

Loader

Anti EDR Techniques used for SuperMega Loader

Loader

EDR Checkboxes for SuperMega Loader

Loader

Things to avoid in payload

Payload should not do fancy memory things

• No Stagers
• No Reflective DLL

Staged:

windows/meterpreter/reverse_http

​

Stageless:

windows/meterpreter_reverse_http

Loader

Loader vs. Payload

Loader

Payload

Loader loads the payload

• CobaltStrike, Sliver, Brute ratel, havoc…
• Give the payload best possible changes

​

C2 should protect itself

• Leave it to the experts
• Memory encryption
• Callstacks

Loader

EDR: Query Overview

OS

Process

ntdll.dll

amsi.dll

EtwWrite()

syscall

pipe

Kernel Callbacks

ETW

ETW-TI

EDR

AMSI

PEB

EPROCESS

File

Process Info

Memory Scan

File Scan

Process

Callstack

Loader

Loader Design

EXE

Loader

Execution

Guardrails

Payload

Alloc

Decode

Exec

Anti

Emulation

Payload

Encrypted

EDR

Deconditioning

When doing your own loader:

• EDR bypass really necessary? (usermode hook patching)
• Strong encryption / entropy really important?
• Focus on:
• Backed memory
• No RWX
• No RX -> RW
• Clean Callstacks
• Careful with process injection

Alternatives:

• DLL Sideloading

Loader

Correct Anti-EDR

SuperMega & Cordyceps

With Anti-Emulator, and sirallocalot EDR deconditioner

​

Is able to load:

Nonstaged Winhttp Metasploit with disabled stdapi, and CobaltStrike 4.9 default config

• On Win10/Win11 Defender with no alerts
• On Win11 MDE with low-rated alerts

​

As of August 2024

Loader

Outlook

• Execution Guardrails are very powerful
• Do them early
• Injecting shellcode into .exe’s is… nice
• Looks genuine. Can thwart automated analysis
• Makes manual analysis maybe a bit harder
• Different than creating your own malicious exe’s
• Different than shellcode inject through some other means
• Injecting shellcode into .dll’s is cool
• SuperMega loader is… ok
• Writing C to inject as shellcode into an .exe is a nice workflow to have
• Good against file based scanning
• Not a super special new anti EDR or memory scanning
• But difficult of being AV sig’ed
• RWX reuse maybe better against memory analysis tools
• Need framework for loader-chaining

Loader

My First and Last Shellcode Loader

​

My First Shellcode Loader

• Using Linux exploit development know-how
• Learning a lot about Windows

​

My Last Shellcode Loader

• Works forever
• Debugging sucks

Loader

Stuff

More details:

https://blog.deeb.ch/posts/how-edr-works

https://blog.deeb.ch/posts/exe-injection

https://blog.deeb.ch/posts/supermega

​

SuperMega Loader:

https://github.com/dobin/SuperMega

​

Soon:

https://github.com/dobin/RedEdr

​

Loader

References

Matt Hand - Evading EDR

https://github.com/hasherezade/masm_shc

From a C project through assembly, to shellcode

https://www.elastic.co/security-labs

https://github.com/mgeeky/ProtectMyTooling/blob/master/RedBackdoorer.py

Loader

Additoinal Loader Tricks

Self Stomping

• Inject dll in .text (pre-loaded, encrypted)
• Fixup:
• RW it (part of .text)
• Decrypt, apply reloc’s etc.
• RX it again
• Result: DLL in modified .text
• Backed memory region

.text

SuperMega

Loader

Payload DLL

Encrypted

.text

SuperMega

Loader

Payload DLL

Loader

Undersized alloc trick

VirtualProtect sets the permission of the page(s) (4kb)

Use size=1, get the other 4095 bytes for free

EDR will only scan 1 byte?

​

​

​

// Use size 1, still change all the page

VirtualProtect(shellcode_rw, 1, RX)

Loader

UPX as EXE

• UPX has RWX sections
• Obfuscate payload with Shikata ga nai obfuscator

Loader

Advanced C2

Loader

CobaltStrike

“Stub”

CobaltStrike

Backend

CobaltStrike

Caller

CobaltStrike 4.10

Proposal

Loader