Obtaining shellcode from exe

According to this article the executable part is in .text; according to this article the executable part is in .text and .rodata. Is it possible to grab the bytes in .text, convert them to shellcode, and then inject it into a process?



import sys

import pefile

pe = pefile.PE(sys.argv[1])

def grab_executable_code():
    # Walk the section table, printing each section's name, RVA,
    # virtual size and raw size on disk.
    for section in pe.sections:
        print(section.Name.decode('utf-8'), hex(section.VirtualAddress),
              hex(section.Misc_VirtualSize), section.SizeOfRawData)

        # Section names are 8 bytes long and NUL-padded.
        if section.Name == b'.text\x00\x00\x00':
            # Render the raw bytes of .text as a "\xNN" escaped string.
            return "".join(f"\\x{item:02x}" for item in section.get_data())

    return None  # no .text section found

Something like this, but when I try to inject the resulting shellcode I do not get any results, but in WinDbg Preview I don't see any errors.


************* Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       srv*
Symbol search path is: srv*
Executable search path is: 
ModLoad: 00000000`00400000 00000000`00414000   image00000000`00400000
ModLoad: 00007ffa`0a230000 00007ffa`0a425000   ntdll.dll
ModLoad: 00007ffa`094d0000 00007ffa`0958e000   C:\Windows\System32\KERNEL32.DLL
ModLoad: 00007ffa`07d50000 00007ffa`08019000   C:\Windows\System32\KERNELBASE.dll
ModLoad: 00007ffa`09720000 00007ffa`097be000   C:\Windows\System32\msvcrt.dll
ModLoad: 00000000`6fc40000 00000000`6fda4000   C:\Program Files\mingw-w64\x86_64-8.1.0-win32-seh-rt_v6-rev0\mingw64\bin\libstdc++-6.dll
ModLoad: 00007ffa`08a50000 00007ffa`08bf1000   C:\Windows\System32\USER32.dll
ModLoad: 00007ffa`07a10000 00007ffa`07a32000   C:\Windows\System32\win32u.dll
ModLoad: 00007ffa`095a0000 00007ffa`095cb000   C:\Windows\System32\GDI32.dll
ModLoad: 00007ffa`07af0000 00007ffa`07bfb000   C:\Windows\System32\gdi32full.dll
ModLoad: 00007ffa`081e0000 00007ffa`0827d000   C:\Windows\System32\msvcp_win.dll
ModLoad: 00007ffa`07c50000 00007ffa`07d50000   C:\Windows\System32\ucrtbase.dll
ModLoad: 00000000`61440000 00000000`6145b000   C:\Program Files\mingw-w64\x86_64-8.1.0-win32-seh-rt_v6-rev0\mingw64\bin\libgcc_s_seh-1.dll
(17f0.a4c): Break instruction exception - code 80000003 (first chance)
ntdll!LdrpDoDebuggerBreak+0x30:
00007ffa`0a3006b0 cc              int     3
0:000> g
ModLoad: 00007ffa`08a20000 00007ffa`08a50000   C:\Windows\System32\IMM32.DLL
ntdll!RtlUserThreadStart:
00007ffa`0a282630 4883ec78        sub     rsp,78h

The exe I am using is a compiled "hello world" program written in C++ and compiled with g++.

The injection method is obtained from ired.team (VirtualAlloc), and I tested it with a shellcode generated from msfvenom and it works fine, but not with the shellcode from the Python script.

My best guess is that the entry point for the executable code is not specified, therefore the shellcode does not run, but I could be wrong.



Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow