Jektor utility focuses on shellcode injection techniques to demonstrate methods that malware may use to execute shellcode on a victim system
Anti-virus detection?
Pre-pending a set of NOPs to a Msfvenom XOR encrypted shellcode payload while using dynamic function address resolutions seems to bypass Windows Defender.
Jektor makes use of dynamic function address resolutions using LoadLibrary and GetProcessAddress to make static analysis more difficult.
Important functions such as VirtualAlloc are not directly called which makes debugging and dumping the shellcode through breakpoints more difficult.
Local shellcode execution via CreateThread
On Windows when you want to create a new thread for the current process you can call the CreateThread function, this is the most basic technique for executing malicious code or shellcode within a process. You can simply allocate a region of memory for your shellcode, move your shellcode into the allocated region, and then call CreateThread with a pointer to the address of the allocated region. When you call CreateThread you pass the lpStartAddress parameter which is a pointer to the application-defined function that will be executed by the newly created thread.
After the memory region for the shellcode payload is allocated as RWX and the payload is moved into it, you can easily discover this region of memory by looking for any region of memory in the process that is marked as RWX, then if you inspect it you can seen the shellcode payload was moved into it, highlighted below are the first five bytes of the shellcode payload that executes a calculator on the victim system.
Hunting for RWX regions of memory is a quick way to identify potentially malicious activity on your system. Keep in mind, actors can also allocate a memory region as PAGE_READWRITE, write their shellcode into it, and then switch it to exectuable via VirtualProtect later on, this can help evade detection of a PAGE_EXECUTE_READWRITE memory region.
Remote shellcode execution via CreateRemoteThread
Another technique to create threads for shellcode execution is to call the CreateRemoteThread function, this will allow you to create threads remotely in another process. But the catch is that you will also want to allocate and write the shellcode payload into the remote process as well, since you’ll create a thread remotely that executes the payloads address that’s allocated within that process. In order to allocate the payload remotely, you’ll need to use the VirtualAllocEx function, this function is different from VirtualAlloc in that it can allocate memory regions in remote processes. To do this, Jektor creates a new process with the CREATE_NO_WINDOW flag set using CreateProcessW, this is used to spawn a new hidden notepad process. One the new process is spawned it remotely allocated memory in it and then uses WriteProcessMemory to write the shellcode payload into the allocated memory region. After this it calls CreateRemoteThread to execute the shellcode payload.
Local shellcode execution via EnumTimeFormatsEx
EnumTimeFormatsEx
is a Windows API function that enumerates provided time formats, it’s useful for executing shellcode because it’s first parameter accepts a user-defined pointer that gets executed.
BOOL EnumTimeFormatsEx(
[in] TIMEFMT_ENUMPROCEX lpTimeFmtEnumProcEx,
[in, optional] LPCWSTR lpLocaleName,
[in] DWORD dwFlags,
[in] LPARAM lParam
);
Local shellcode execution via CreateFiber
MSDN defines a fiber as a unit of execution that needs to be manually scheduled by an application. Similar to using CreateThread for executing shellcode, we can instead use Fibers. We convert our processes main thread into a fiber, allocate our shellcode, and execute it by calling SwitchToFiber which executes the new fiber we created.
Local shellcode execution via QueueUserAPC
Kali Linux 2024.4, the final release of 2024, brings a wide range of updates and…
This Go program applies a lifetime patch to PowerShell to disable ETW (Event Tracing for…
GPOHunter is a comprehensive tool designed to analyze and identify security misconfigurations in Active Directory…
Across small-to-medium enterprises (SMEs) and managed service providers (MSPs), the top priority for cybersecurity leaders…
The free and open-source security platform SecHub, provides a central API to test software with…
Don't worry if there are any bugs in the tool, we will try to fix…