Understanding simple shellcode in detail
The sample we're analyzing today is an extremely simple example of shellcode injection. A defining characteristic of shellcode is its independence from environmental factors such as its location in memory and the import/export tables of the process it runs in.
< Image of goofy sample >
< Subtext sha256 >
The sample in question is part of the malware samples examined during Matt Kiely's PMAT course. It starts off as simple C# source code that loads an array of bytes at runtime. We can easily extract this blob using CyberChef:
< Image of CyberChef >
This presents us with a very small binary that lacks any obvious executable characteristics, such as a PE header or any indicators of a scripting language. We could use a tool like BlobRunner to examine this shellcode inside a debugger, but there are other tools that are more specialized for the task.
scdbg is a shellcode emulator that attempts to extract the core behavioral components of shellcode and summarize them for an analyst. For example, the shellcode buffer in this blog post ostensibly reaches out to a C2 domain.
Import the shellcode into IDA
Define functions
Recognize the TEB access
Import type libraries (x32 ms_sdk)
Know the LDR_DATA_TABLE_ENTRY structure
Know that following initlinks->flink leads to what gets typed as IMAGE_NT_HEADERS
Know that IMAGE_EXPORT_DIRECTORY exists
If you do not apply IMAGE_EXPORT_DIRECTORY, IDA will apply the offset to the module, which is wrong
The arguments came from outside the function
A bare jmp eax in the assembly does not show how much is actually going on
Show that the first argument is initially the argument to the function
Explain what the rest of the shellcode does
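The export-directory walk that the outline above asks the analyst to recognize (LDR_DATA_TABLE_ENTRY base -> IMAGE_NT_HEADERS -> IMAGE_EXPORT_DIRECTORY -> name/ordinal/function tables), written out in C as an added example that is not part of the original post or the sample. It runs against a constructed in-memory image rather than a real DLL, so the export names, the layout offsets and the 0x1111/0x2222 RVAs are made up; the point it makes is the one in the outline: every field in the export directory is an RVA relative to the module base, not to the directory itself.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Minimal PE structures, declared here (no windows.h) with the same field
   offsets as the SDK's IMAGE_DOS_HEADER / IMAGE_NT_HEADERS32 / IMAGE_EXPORT_DIRECTORY. */
typedef struct { uint16_t e_magic; uint8_t pad[58]; uint32_t e_lfanew; } DosHeader;
typedef struct { uint32_t VirtualAddress, Size; } DataDir;
typedef struct { uint32_t Signature; uint8_t FileHeader[20], OptHdr[96]; DataDir DataDirectory[16]; } NtHeaders32;
typedef struct { uint32_t Characteristics, TimeDateStamp; uint16_t MajorVersion, MinorVersion;
                 uint32_t Name, Base, NumberOfFunctions, NumberOfNames,
                          AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals; } ExportDirectory;
/* Resolve an export by name the way the shellcode's loop does. Every field is an RVA:
   it is added to the module base (DllBase), never to the directory's own address. */
uint32_t resolve_export(const uint8_t *base, const char *name) {
    const DosHeader *dos = (const DosHeader *)base;
    if (dos->e_magic != 0x5A4D) return 0;                                   /* "MZ" */
    const NtHeaders32 *nt = (const NtHeaders32 *)(base + dos->e_lfanew);
    if (nt->Signature != 0x4550 || nt->DataDirectory[0].VirtualAddress == 0) return 0; /* "PE\0\0", export dir */
    const ExportDirectory *ed = (const ExportDirectory *)(base + nt->DataDirectory[0].VirtualAddress);
    const uint32_t *names = (const uint32_t *)(base + ed->AddressOfNames);
    const uint16_t *ords  = (const uint16_t *)(base + ed->AddressOfNameOrdinals);
    const uint32_t *funcs = (const uint32_t *)(base + ed->AddressOfFunctions);
    for (uint32_t i = 0; i < ed->NumberOfNames; i++)          /* name[i] -> ordinal[i] -> function RVA */
        if (strcmp((const char *)(base + names[i]), name) == 0) return funcs[ords[i]];
    return 0;                                                 /* not exported by name */
}
/* Constructed in-memory image (not a real DLL): DOS header at 0, NT headers at 0x80,
   export directory at 0x200, tables at 0x240.., name strings at 0x300.. */
static _Alignas(16) uint8_t image[0x400];
uint8_t *build_image(void) {
    memset(image, 0, sizeof image);
    DosHeader *dos = (DosHeader *)image;             dos->e_magic = 0x5A4D; dos->e_lfanew = 0x80;
    NtHeaders32 *nt = (NtHeaders32 *)(image + 0x80); nt->Signature = 0x4550;
    nt->DataDirectory[0].VirtualAddress = 0x200;     nt->DataDirectory[0].Size = 0x200;
    ExportDirectory *ed = (ExportDirectory *)(image + 0x200);
    ed->NumberOfFunctions = ed->NumberOfNames = 2;
    ed->AddressOfFunctions = 0x240; ed->AddressOfNames = 0x250; ed->AddressOfNameOrdinals = 0x260;
    uint32_t *funcs = (uint32_t *)(image + 0x240); funcs[0] = 0x1111; funcs[1] = 0x2222;
    uint32_t *names = (uint32_t *)(image + 0x250); names[0] = 0x300; names[1] = 0x310;
    uint16_t *ords  = (uint16_t *)(image + 0x260); ords[0] = 1;      ords[1] = 0;   /* names are sorted, ordinals are not */
    strcpy((char *)image + 0x300, "LoadLibraryA");
    strcpy((char *)image + 0x310, "WinExec");
    return image;
}
int main(void) {
    const uint8_t *base = build_image();
    printf("LoadLibraryA -> RVA %#x\n", resolve_export(base, "LoadLibraryA"));          /* 0x2222 */
    printf("GetProcAddress -> RVA %#x (not exported)\n", resolve_export(base, "GetProcAddress"));
    return 0;
}
```

Applying IMAGE_EXPORT_DIRECTORY in IDA is what lets it show the three AddressOf* fields as RVAs that get added to the base register rather than as offsets into the directory.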