Reputation: 45
So recently I have been learning about low level programming languages (such as Assembly, which from my understanding is just symbolic binary) and have come across Shellcoding (e.g. "\x4D..." etc). I found out that you can input Shellcode into a C/C++ application and then execute it - my question is, is it possible to generate Shellcode from an existing exe application and then use this generated Shellcode in a C/C++ application? Have I misunderstood the possibilities of Shellcoding? Many thanks - a person with very limited knowledge on low level programming
Upvotes: 1
Views: 15613
Reputation: 1089
Directly turning an .exe to shellcode is generally not as straightforward as you might think. If you just open up an .exe and copy its bytes into "\x.." form, you'll end up with a blob that depends on the OS loader to set up sections, do relocations, and resolve imports.
You could write your shellcode in assembly (or in C, but compiled with special flags and minimal dependencies). Then, assemble/compile it into raw machine instructions.
Embed that byte array into your code (e.g., in a C program as "\x90\x90\x90...") and execute it.
Upvotes: 0
Reputation: 34571
Shellcode is machine code that's used as the payload of an exploit (such as a buffer overflow). Depending on the exploit it's used with, it may have limitations such as a maximum length, or certain byte values (e.g. zero) not allowed. There's no one-size-fits-all answer to what shellcode can be.
In general, though: yes, it's possible in principle to embed a complete program in shellcode. It could take the form of a small wrapper (probably hand-written in assembly) that writes the program to a new .exe file and then runs it, or it could use more-sophisticated techniques to replace the current program in memory. There are probably automated tools to create this sort of shellcode, though I don't know of any specifically.
However, the tone of your question makes me think you might be misunderstanding something important:
I found out that you can input Shellcode into a C/C++ application and then execute it
This is a bug, not a feature. Being able to inject new code into a running program, where the program isn't specifically meant to allow that, is a major security flaw. This sort of thing has been the root of a great many security breaches over the span of decades, and developers spend a great deal of effort trying to prevent it from happening.
If it's possible to inject shellcode into a program, the program is broken.
Upvotes: -1
Reputation: 169
is it possible to generate Shellcode from an existing exe application and then use this generated Shellcode in a C/C++ application
Answer: No. Shellcode is base-independent; an executable PE file has a huge number of headers, etc., and you can't execute it before doing some actions.
Shellcode is a very big question.
First of all, you need to know that the function addresses of external libraries such as kernel32, user32, etc. are stored in the Import Address Table, which is filled by the Windows loader at startup time. All memory operations are done via addresses that are computed at compile time. So you need to find the addresses by yourself.
To call functions from shellcode you have to have your own loader of function addresses. This loader must load the kernel32.dll library, search for the GetProcAddress function and fill the IAT.
You don't know at which address your shellcode will be loaded; you can find it with code like this, called the "delta-offset":
call delta            ; pushes the runtime address of 'delta' as the return address
delta:
pop ebp               ; ebp = runtime address of 'delta'
sub ebp, offset delta ; minus its assembly-time address = the delta offset
Now ebp holds the offset to the real addresses, so to get a variable or function address you need to add the offset, for example:
lea eax, [variable]          ; assembly-time address of the variable
add eax, ebp                 ; adding a delta-offset
mov ecx, dword ptr DS:[eax]  ; load the variable's value
To compile code for future use you should use something like FASM; after compiling, use the WinHex editor -> copy -> copy all -> GREP C source.
And you will get something like "\x00\x28" etc. To call it you need to set execute rights on your shellcode array and change EIP with instructions like jmp/call/etc.
Here is an example that shows a "Hello World" MessageBox on a Windows system:
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <windows.h>

/* 32-bit x86 shellcode: walks the PEB (fs:[0x30]) to find kernel32.dll,
 * scans its export table for GetProcAddress, then resolves LoadLibraryA,
 * loads user32 and calls MessageBoxA("Hello World!"), then ExitProcess.
 * Build this as a 32-bit (x86) binary; it will not run inside a 64-bit process. */
int
main(void)
{
    char *shellcode = "\x33\xc9\x64\x8b\x49\x30\x8b\x49\x0c\x8b"
    "\x49\x1c\x8b\x59\x08\x8b\x41\x20\x8b\x09"
    "\x80\x78\x0c\x33\x75\xf2\x8b\xeb\x03\x6d"
    "\x3c\x8b\x6d\x78\x03\xeb\x8b\x45\x20\x03"
    "\xc3\x33\xd2\x8b\x34\x90\x03\xf3\x42\x81"
    "\x3e\x47\x65\x74\x50\x75\xf2\x81\x7e\x04"
    "\x72\x6f\x63\x41\x75\xe9\x8b\x75\x24\x03"
    "\xf3\x66\x8b\x14\x56\x8b\x75\x1c\x03\xf3"
    "\x8b\x74\x96\xfc\x03\xf3\x33\xff\x57\x68"
    "\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68"
    "\x4c\x6f\x61\x64\x54\x53\xff\xd6\x33\xc9"
    "\x57\x66\xb9\x33\x32\x51\x68\x75\x73\x65"
    "\x72\x54\xff\xd0\x57\x68\x6f\x78\x41\x01"
    "\xfe\x4c\x24\x03\x68\x61\x67\x65\x42\x68"
    "\x4d\x65\x73\x73\x54\x50\xff\xd6\x57\x68"
    "\x72\x6c\x64\x21\x68\x6f\x20\x57\x6f\x68"
    "\x48\x65\x6c\x6c\x8b\xcc\x57\x57\x51\x57"
    "\xff\xd0\x57\x68\x65\x73\x73\x01\xfe\x4c"
    "\x24\x03\x68\x50\x72\x6f\x63\x68\x45\x78"
    "\x69\x74\x54\x53\xff\xd6\x57\xff\xd0";
    /* VirtualProtect refuses a NULL lpflOldProtect, so the previous protection
     * must be received somewhere even if we never use it. */
    DWORD old_protect;
    /* strlen() is only usable here because the payload contains no 0x00 byte. */
    BOOL ret = VirtualProtect (shellcode, strlen(shellcode),
                               PAGE_EXECUTE_READWRITE, &old_protect);
    if (!ret) {
        printf ("VirtualProtect failed: %lu\n", GetLastError());
        return EXIT_FAILURE;
    }
    printf("strlen(shellcode)=%u\n", (unsigned)strlen(shellcode));
    /* Jump into the bytes; this never returns because the payload calls ExitProcess. */
    ((void (*)(void))shellcode)();
    return EXIT_SUCCESS;
}
You are probably looking for the RunPE algorithm. This algorithm can execute a PE executable inside another one. You open another process, copy the sections, fill the IAT and resume the target process from the new entry point. It is a code injection technique used by malware, so I will not explain how to implement it.
Upvotes: 2
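An added example, not part of any of the answers above, showing the same embed-and-execute pattern as the last answer's VirtualProtect program but on a POSIX system, together with the forbidden-byte check implied by the second answer's remark that some byte values (e.g. zero) may not be allowed. It assumes a Linux or other POSIX host with GCC or Clang on x86-64 or AArch64. The two byte sequences were constructed for this example by hand-encoding `mov eax, edi; add eax, esi; ret` and `add w0, w0, w1; ret` (a leaf function adding its two arguments, so it has no imports and no relocations and needs no loader); `find_bad_byte`, `load_code` and `run_sample` are names chosen here. Unlike PAGE_EXECUTE_READWRITE above, the page is filled while writable and only then switched to read+execute.

```c
/* Added example: embed raw machine code in a C program and execute it.
 * Not from the original answers. POSIX only (mmap/mprotect). */
#define _DEFAULT_SOURCE /* MAP_ANONYMOUS under strict -std= modes */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>
#include <sys/mman.h>

/* Constructed sample "shellcode" implementing int f(int a, int b) { return a + b; }
 * with the platform C calling convention. Position independent: no absolute
 * addresses, no imports, so no delta-offset or IAT work is needed. */
#if defined(__x86_64__)
static const unsigned char code[] = {
    0x89, 0xf8,             /* mov eax, edi */
    0x01, 0xf0,             /* add eax, esi */
    0xc3                    /* ret          */
};
#elif defined(__aarch64__)
static const unsigned char code[] = {
    0x00, 0x00, 0x01, 0x0b, /* add w0, w0, w1 */
    0xc0, 0x03, 0x5f, 0xd6  /* ret            */
};
#else
#error "sample machine code is provided only for x86-64 and AArch64"
#endif

/* Return the offset of the first byte of buf that appears in bad, or -1.
 * Run this before pasting bytes into a "\x.." C string: a 0x00 terminates
 * the literal early and makes strlen() report a too-short length. */
long find_bad_byte(const unsigned char *buf, size_t len,
                   const unsigned char *bad, size_t nbad)
{
    for (size_t i = 0; i < len; i++)
        for (size_t j = 0; j < nbad; j++)
            if (buf[i] == bad[j])
                return (long)i;
    return -1;
}

typedef int (*add_fn)(int, int);

/* Copy len bytes into a fresh anonymous mapping, flip it from RW to RX
 * (never RWX), and hand it back as a callable. Returns NULL on failure. */
add_fn load_code(const unsigned char *buf, size_t len)
{
    void *page = mmap(NULL, len, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return NULL;
    memcpy(page, buf, len);
    if (mprotect(page, len, PROT_READ | PROT_EXEC) != 0) {
        munmap(page, len);
        return NULL;
    }
    /* AArch64 has separate I/D caches: flush before running freshly written code
     * (a no-op on x86). */
    __builtin___clear_cache((char *)page, (char *)page + len);
    /* Go through uintptr_t: ISO C does not define object-to-function casts. */
    return (add_fn)(uintptr_t)page;
}

/* Load the sample, call it with (a, b), release the page; -1 if loading failed. */
int run_sample(int a, int b)
{
    add_fn f = load_code(code, sizeof code);
    if (!f)
        return -1;
    int r = f(a, b);
    munmap((void *)(uintptr_t)f, sizeof code);
    return r;
}

int main(void)
{
    static const unsigned char bad[] = { 0x00, 0x0a, 0x0d };
    long off = find_bad_byte(code, sizeof code, bad, sizeof bad);
    if (off >= 0)
        printf("byte 0x%02x at offset %ld could not live in a C string literal\n",
               code[off], off);
    printf("run_sample(40, 2) = %d\n", run_sample(40, 2));
    return 0;
}
```

On AArch64 the sample itself contains zero bytes, so it could not be carried as a `"\x.."` string the way the 32-bit Windows payload above is; that is why the example keeps an explicit length (`sizeof code`) instead of `strlen()`. The RW-then-RX switch is the check a reviewer would ask for in place of a single RWX page, and `find_bad_byte` is the check to run against any payload before embedding it.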