Hello, cyberstalkers! Hello, random carders. In a previous article we talked about what shellcode is and how attackers use it. In today's article you will learn how to detect shellcode on a compromised machine.
Let's go.
Attackers who value their freedom and reputation write shellcode using techniques that hide the attack. A typical intrusion detection system (IDS) scans all incoming network traffic for byte patterns (signatures) that are characteristic of shellcode.
If the IDS finds such a pattern, the packet carrying it is dropped before it reaches its destination. The weak point of a signature-based IDS is that if the payload is encoded or encrypted, the signature never appears on the wire and there is nothing to match. Now do you see why encoding is so valuable to an attacker?
How to detect shellcode
To analyze the sample, we will need certain tools:
- IDA Pro (with plugins)
- Ollydbg
- PEiD (with Krypto ANALyzer)
Well, let's get started! First we open PEiD and load our sample. Everything is as expected, no surprises. But we remember that we are dealing with cryptography in the malware's code, so we run the Krypto ANALyzer (KANAL) plugin (it must be installed in PEiD beforehand). And here is what we see: it reports signatures of known crypto constants.
Let's move on. We open IDA Pro and load the sample, clicking through the many uninformative dialogs, and look at the resource table... Nothing striking here either.
Perhaps we will have better luck looking for network activity? Hmm... We launch Process Explorer, select the process started by our malware, open Properties, switch to the Strings tab, and start Wireshark at the same time. In the packet list we find a GET request to the web resource http://www.practicalmalwareanalysis.com. The data on the Strings tab of Process Explorer matched the data extracted from the packet in Wireshark.
Let's go back to IDA Pro. In the graph view we notice some interesting lines: the subroutine at 0x00401300 loads a resource as a binary blob and XORs every byte of it with the constant 0x3B (ASCII ';'). This is clearly visible in the following screenshot.
Below is a screenshot of the IDA Pro window with the instructions of the XOR loop highlighted in yellow.
The natural question is: what key is used, and what exactly does it encode? Putting this together with what we found earlier, we conclude that the single-byte key ';' (0x3B) is used to decode a string containing the URL http://www.practicalmalwareanalysis.com. Note that single-byte XOR is obfuscation rather than real encryption: the same operation both encodes and decodes, and with only 256 possible keys the key is trivially recoverable by trying all of them.
So we have determined which scheme is used and what data it protects. It's time to bring in plugins that will help us with decoding. We will use the signature-search tools FindCrypt2, Krypto ANALyzer and the IDA Entropy Plugin to identify other encoding mechanisms.
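To make two of the points above concrete (a signature-based IDS stops seeing its pattern once the payload is XOR-encoded, and a single-byte XOR key such as the one applied to the resource is easy to recover), here is an added Python example. It is not code from the original article or from the analysed sample; it constructs its own test data: the URL from the Wireshark capture, obfuscated with 0x3B, the value of ';'. The crib b"http://" and the IDS signature are assumptions about what an analyst or a rule would already know about the plaintext.

```python
import string
from typing import List, Optional

# Constructed test data, not bytes from the analysed binary: the URL recovered
# from the Wireshark capture, obfuscated with the key the sample uses.
URL = b"http://www.practicalmalwareanalysis.com"
KEY = ord(";")  # 0x3B, the constant seen in the XOR loop at 0x00401300
IDS_SIGNATURE = b"practicalmalwareanalysis"  # assumed pattern an IDS rule matches on


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR. The operation is its own inverse, so one function encodes and decodes."""
    return bytes(b ^ key for b in data)


# The resource as it would sit in the binary: every byte XORed with 0x3B.
ENCODED_RESOURCE = xor_bytes(URL, KEY)


def signature_present(blob: bytes, signature: bytes) -> bool:
    """What a signature-based IDS does on the wire: a plain substring match."""
    return signature in blob


def brute_force_xor_key(blob: bytes, crib: bytes) -> Optional[int]:
    """Recover a single-byte XOR key when a fragment of the plaintext (the crib) is known.

    Only 256 keys exist, so trying all of them is cheaper than reading the loop."""
    for key in range(256):
        if crib in xor_bytes(blob, key):
            return key
    return None


def candidate_keys(blob: bytes) -> List[int]:
    """Without a crib: keep only keys whose output is entirely printable ASCII.

    For a blob that decodes to text (a URL, a hostname) this discards every key
    that produces a high or control byte anywhere in the output."""
    printable = set(string.printable.encode())
    return [key for key in range(256)
            if all(b in printable for b in xor_bytes(blob, key))]


if __name__ == "__main__":
    print("signature in plaintext:", signature_present(URL, IDS_SIGNATURE))
    print("signature in encoded resource:", signature_present(ENCODED_RESOURCE, IDS_SIGNATURE))
    key = brute_force_xor_key(ENCODED_RESOURCE, b"http://")
    print("recovered key: 0x%02x -> %r" % (key, xor_bytes(ENCODED_RESOURCE, key)))
    print("printable candidates without a crib:", len(candidate_keys(ENCODED_RESOURCE)))
```

The crib search is what you do when the key is not as visible in the disassembly as it is here; the printable-output filter narrows the 256 candidates even without a crib, and the substring check shows why the encoded resource carries no signature an IDS could match.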
The KANAL plugin reported four addresses that reference the string ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/. What do you think it is? Yes, yes, my friend, you guessed right: this set of 64 characters is the standard Base64 alphabet, the lookup table that turns each 6-bit group of input into one output character.
What about the network traffic? It is encoded with Base64. Below is a screenshot from the OllyDbg debugger that shows the encoded strings.
And here is a screenshot from the same debugger, showing the instructions that perform the encoding itself.
Somewhere in the code there is a function that implements the Base64 transformation; it is located at address 0x004010B1.
Let's look at this code in the IDA Pro graph view. The key characteristic of the routine is highlighted in yellow: the message is limited to 12 bytes. That explains the size of the Base64 output: 12 input bytes always produce exactly 16 output characters (every 3 bytes become 4 characters), with no padding.
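As an added example (not code from the article or from the sample), the following Python models the Base64 routine as a table lookup over the alphabet KANAL found, applies the 12-byte limit highlighted in IDA to show why the output is always 16 characters, and scans a binary blob for the alphabet the way the plugin does. The hostname-like message and the blob are constructed here; the article only says the message is limited to 12 characters, so treating it as a hostname is an assumption.

```python
import base64
from typing import List

# The 64-character table the KANAL plugin found referenced at four addresses.
ALPHABET = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
MAX_MESSAGE_LEN = 12  # the limit highlighted in the sample's Base64 routine


def b64_encode_table(data: bytes) -> bytes:
    """Table-driven Base64: every 3 input bytes become 4 characters looked up in ALPHABET.

    A final 1- or 2-byte group is padded with '=' exactly as standard Base64 does."""
    out = bytearray()
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        n = int.from_bytes(chunk.ljust(3, b"\0"), "big")  # 24 bits, zero-filled
        sextets = [(n >> 18) & 63, (n >> 12) & 63, (n >> 6) & 63, n & 63]
        for j, s in enumerate(sextets):
            # 1 byte -> 2 chars, 2 bytes -> 3 chars, 3 bytes -> 4 chars; the rest is '='
            out.append(ALPHABET[s] if j <= len(chunk) else ord("="))
    return bytes(out)


def b64_decode_table(text: bytes) -> bytes:
    """Inverse of b64_encode_table: each character indexes ALPHABET for 6 bits."""
    bits, nbits, out = 0, 0, bytearray()
    for ch in text.rstrip(b"="):
        bits = ((bits << 6) | ALPHABET.index(ch)) & 0xFFFFFF
        nbits += 6
        if nbits >= 8:
            nbits -= 8
            out.append((bits >> nbits) & 0xFF)
    return bytes(out)


def encode_beacon(message: bytes) -> bytes:
    """What the sample's length limit implies: the message is cut to 12 bytes before
    encoding, so the output is always exactly 16 characters and never padded."""
    return b64_encode_table(message[:MAX_MESSAGE_LEN])


def find_base64_alphabet(blob: bytes) -> List[int]:
    """Offsets of the full alphabet inside a binary blob, the check KANAL runs on the file."""
    offsets, start = [], 0
    while True:
        idx = blob.find(ALPHABET, start)
        if idx == -1:
            return offsets
        offsets.append(idx)
        start = idx + 1


# Constructed stand-in for a section of the binary: two copies of the table
# among filler bytes. Not bytes from the real sample.
SAMPLE_BLOB = b"\x00" * 16 + ALPHABET + b"\x90" * 8 + ALPHABET + b"\x00" * 4

if __name__ == "__main__":
    host = b"WORKSTATION-LONGNAME"  # constructed 20-byte hostname (assumed message type)
    beacon = encode_beacon(host)
    print(beacon, len(beacon))                 # 16 characters, no '='
    print(b64_decode_table(beacon))            # only the first 12 bytes survive
    print(find_base64_alphabet(SAMPLE_BLOB))   # where the table sits in the blob
    assert b64_encode_table(host) == base64.b64encode(host)  # matches the standard library
```

The table-driven encoder is the shape to look for in the disassembly: a loop that takes 3 bytes, splits them into four 6-bit indexes and reads each from the 64-byte table. The truncation to 12 bytes is why every beacon the article saw had the same 16-character length, which is itself a usable network indicator.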
That's all for today. Well done if you managed to read this article to the end, and it would be great if you could now repeat all the lab work without peeking.
Our series of articles on reverse engineering for beginners ends here. Of course, we have covered only the most basic and key aspects of malware analysis, and there are still many topics worth discussing. One could continue this subject indefinitely and probably write a whole book.
I hope, cyberstalkers, that you found it interesting and now know how to detect shellcode. You have learned something new and can now imagine what it is like to work as a virus analyst.