timwhitez starred EXE-or-DLL-or-ShellCode
2024-9-14 01:15:46 Author: github.com(查看原文) 阅读量:3 收藏

This is just a simple silly PoC demonstrating executable "exe" file that can be used like exe, dll or shellcode...

Steps

  1. Create an "exe" which has no imports (not resolved when loading the exe as dll), no CRT, no GS, etc.
  2. Embed a shellcode that pops "calc.exe" into ".text" section.
  3. Create 1 exported function "test" that just executes the embedded shellcode.
  4. Set the "main" function in exe as an entrypoint.
  5. Function "main" only excutes the exported func "test".
  6. Compile the exe as release build.
  7. Create a polyglot DOS Header that is valid but also works as a 64-bit shellcode jumping to the first exported func of exe (raw offset) - nasm.
  8. Compile the polyglot DOS/SC Header: nasm.exe -f bin .\polyglot_DOS_shellcode_x64.asm -o .\polyglot_DOS_shellcode_x64.bin
  9. Replace the DOS header of compiled EXE with our compiled polyglot_DOS_shellcode_x64.bin (first 60 bytes).

This way we should have a valid exe, that can be loaded as DLL with callable exported func "test" and we also have a valid shellcode.

Result

  1. It can be executed as a normal app.
  2. It can be loaded as dll and the export function "test" can be invoked.
  3. It can be run via rundll32.exe.
  4. It can be executed as a shellcode right from the beggining of DOS (MZ) header that works as sc polyglot stub.
PoC_exe_dll_sc.mp4

文章来源: https://github.com/Dump-GUY/EXE-or-DLL-or-ShellCode
如有侵权请联系:admin#unsafe.sh