InflativeLoading: Dynamically convert a native EXE to PIC shellcode

convert a native EXE to shellcode

InflativeLoading

Background

Converting an exe to shellcode is one of my goals, in this way, some security tools like Mimikatz can be used with more flexibility. Though some tools like Donut already achieved it, I still want to create such a tool with my approach, and hopefully, it can bring some improvements.

Motivated and inspired by some classic and modern tools and techniques, InflativeLoading is a tool that can dynamically convert a native EXE to a PIC shellcode.

In short, InflativeLoading generates and appends a shellcode stub to a dumped PE main module.

The tool consists of two components: DumpPEFromMemory.exe and InflativeLoading.py.

Included Components

To convert a native EXE to shellcode, the following 2 components are required.

DumpPEFromMemory Project

DumpPEFromMemory.exe is used to get the in-memory version of the selected PE file. It works by creating a process in a suspended state and dumping the main module into a binary file (on your dev machine).

Why? A typical reflective loading process maps each section of a PE file into a newly allocated memory region. Regarding this, I have two concerns: Firstly, although the data of each section is fundamentally consistent whether it resides on disk or in memory, there might still be certain differences for special PE files or under specific circumstances.

// Code snippet from Maldev course
for (int i = 0; i < pPeHdrs->pImgNtHdrs->FileHeader.NumberOfSections; i++) {
memcpy(
(PVOID)(pPeBaseAddress + pPeHdrs->pImgSecHdr[i].VirtualAddress), // Distination: pPeBaseAddress + RVA
(PVOID)(pPeHdrs->pFileBuffer + pPeHdrs->pImgSecHdr[i].PointerToRawData), // Source: pPeHdrs->pFileBuffer + RVA
pPeHdrs->pImgSecHdr[i].SizeOfRawData // Size
);
}

Secondly, the content of the PE file already exists in the loader’s memory(Like a byte array), but the loader still allocates memory space again. The execution of DumpPEFromMemory is completed on the operator’s dev machine, the operator gets a dump of the PE file when it is loaded in memory. Although some data still requires updates, there is no need to allocate memory region on the victim’s machine.

In this way, rather than manually map a file, we only need to patch specific data regions like Import Directory, Base Relocation Table Directory, Delayed Load Import Descriptors Directory, etc.

The dumped main module will be saved as a binary file to append to the shellcode stub.

For instance, DumpPEFromMemory executes a classic tool mimikatz and dumps its main module into a binary file.

PS C:\Users\<...SNIP...>> .\DumpPEFromMemory.exe .\mimikatz.exe mimi.bin
[+] DONE
[+] Size Of The Image : 0x137000
Process PID: 12512
PEB Address:0000000000D41000
Image Base Address:00007FF69AA80000
Data successfully written to mimi.bin. Total bytes read: 0x137000

InflativeLoading Script

The script dynamically generates a shellcode stub and appends it to the dump file.

The shellcode completes the following tasks:

  1. Walk PEB and find kernel32.dll
  2. Update command line
  3. Parse kernel32.dll to get the address of LoadLibraryA, GetProcAddress function.
  4. Locate the prepended dump file with an offset
  5. Dynamically fix Import Directory, Base Relocation Table Directory, Delayed Load Import Descriptors Directory, etc.
  6. Transfer the execution to the entry point of the PE file.

For instance, use the script to read previously dumped mimikatz and supply the proper command line to dump credentials in LSASS:

Though the shellcode stub should be less than 1000 bytes typically, the script still pads the shellcode stub to 4096 bytes for alignment with the memory page boundary. Then the operator can easily set proper page permission for different memory regions.

Test Cases

Program Has GUI? Supplied Arguments? Successful Execution Execute Properly w Arguments
Simple custom C/C++ programs No No ✔️ N/A
calc.exe Yes No ✔️ N/A
mimikatz.exe No Yes ✔️ ✔️
PsExec No Yes ✔️ 🚫
mspaint.exe Yes No 🚫 N/A
Packed Programs No No 🚫 🚫

Dumped versions of calc.exe and mimikatz.exe can be found in the bin/ folder of the repository.

How To Use?

I believe you already went through both components of InflativeLoading, in summary:

  1. Use DumpPEFromMemory.exe to select a native EXE, and then dump the PE main module from memory into a bin file. Regarding the selection of EXE files, please refer to the Best Use Cases and Know Issues or Limitations section.
  2. Use the InflativeLoading.py script to append a shellcode stub for the dump file. You can choose to provide a command line and whether to execute the generated shellcode immediately. Currently, the user-supplied command line only works properly for a small set of programs.

Best Use Cases

Because InflativeLoading is in its early stage, not every exe is supported well.

✅ Native console program that does not rely on arguments, like custom C programs

✅ Native console program that has an interactive console/shell, like Mimikatz.

Capabilities

☑️ Support for normal native EXE

☑️ Support for EXE that has a Delayed Import Directory

☑️ Fix IAT

☑️ Fix Base Relocation Directory

☑️ Tests passed with classic programs like calc, mimikatz, PsExec, etc.

Download