While at first glance this looks like gibberish, we can take it apart and understand what is really happening here. We will move through the code in a procedural fashion, taking one line at a time and understanding the syntax.

The first thing to note is that this took the form of a Windows “batch” script, or a file with a .bat extension. Batch scripts are interpreted and executed by the Windows command prompt, or the “cmd.exe” program.

[screenshot of the code]

cmd.exe is the default command-line interpreter for Windows operating systems, but it is an older utility that dates back to DOS (the Disk Operating System). In the world we live in now, developers and security professionals prefer to work in PowerShell, a much more modern command-line shell and language. PowerShell will be introduced here in just a moment, but first we have to discuss the differences in syntax.

Variables in PowerShell are denoted by a “$varname” syntax, with the name of the variable prefixed by a dollar sign. In cmd.exe batch scripting, variables are indicated like %varname%, with the variable name wrapped in percent signs on either side.

[screenshot of the code]

In the case here, we see an environment variable being referenced, %COMSPEC%. The value of this is:

C:\Windows\System32\cmd.exe

That value will be put in place where the %COMSPEC% syntax is. When executed, it will start cmd.exe with the parameters and arguments that follow. In our “weaponized” analogy, we can call these beginning pieces of the payload the trigger.

The /b argument to cmd.exe means “Start the application without creating a new window”, so our hacker is trying to hide. The /c argument means “run a single command and exit”, which explains that the rest of this code will actually execute. The start command that follows will spin off a new program, again with the /b to enforce that no window is created. The /min argument seems to be added for extra measure: the application would start minimized (if, for some reason, a window were to be created despite the /b argument).

Following that, we see powershell.exe is the application started. It also includes many arguments, like -nop (do not instantiate with a startup profile), -w hidden (yet again, do not create a window), -noni (do not run in interactive mode) and finally -c (execute a single command and exit). At this point, we’ve finally made it into the string of code that is passed into PowerShell.

This does a few checks to ensure the payload being used for the target is appropriate.

The Sights

At the very start of the PowerShell syntax, we see:

[screenshot of the code]

The soH function takes in two parameters. It uses a technique to “reflectively” search for the address of Win32 API calls, so that PowerShell has the capability to run these core, internal procedures exposed by the lower levels of the operating system. In the current context, it searches for where System.dll might be loaded and uses that to find a desired function name within other DLLs that it could then execute. The name of the DLL the function is a part of, and the Win32 API function itself that should be called, are the two values passed in as parameters to this sOH function. This is all done by using “reflection,” the ability that allows PowerShell to perform some introspection and look up already-defined procedures. Ultimately, this gives PowerShell much more power. Gaining access to run the Win32 API functions allows it to do things like allocate memory, copy and move memory, or other peculiar things that we will see in the code very soon.

For our own understanding, we should mentally rename this function to something like:

Next, a $t6Y variable is created, again reaching for and calling a Win32 API call, this time specifically CreateThread. This CreateThread call is invoked with the $sC6US memory address, which, as we now know, contains the shellcode. Ultimately, this executes the shellcode!

Following that, we see one more call to run the WaitForSingleObject Win32 API function.

[screenshot of the code]

You can see it includes the $t6Y variable (which is the new thread running the shellcode), and the 0xFFFFFFFF indicates “wait forever.” This will “block” execution and patiently wait for the shellcode to finish executing.

Finally, after all these nested layers, obfuscation and abstractions, the malware has loaded shellcode into memory and executed it.
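As an added example (not code from the original post), the Python below scores a logged process command line against the indicators walked through above: the cmd.exe trigger flags, the PowerShell hiding flags in both their abbreviated and full spellings, and the Win32 API names a reflective loader has to reference. The sample events, the sensor's command-line format and the two .NET reflection helper names are assumptions.

```python
import re

# Constructed process-creation records (not taken from the post), written the way an
# endpoint sensor would log a full command line. The first mirrors the trigger walked
# through above with the PowerShell body abbreviated; the second is an ordinary admin
# command that shares a couple of flags and must not be flagged.
SAMPLE_EVENTS = [
    r'C:\Windows\System32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden '
    r'-noni -c "$sOH=...;CreateThread(0,0,$sC6US,0,0,0);WaitForSingleObject($t6Y,0xFFFFFFFF)"',
    r'powershell.exe -NoProfile -Command "Get-Service | Out-File C:\temp\svc.txt"',
]

# Stage 1, the cmd.exe "trigger": window suppression plus a one-shot command.
CMD_STAGE = [r'/b\b', r'/c\b', r'start\s+/b\b', r'/min\b']
# Stage 2, PowerShell's own hiding flags. PowerShell accepts any unambiguous prefix of a
# parameter name, so "-w hidden", "-win hidden" and "-WindowStyle Hidden" all have to match.
PS_STAGE = [r'-nop(rofile)?\b', r'-w(in(dowstyle)?)?\s+hidden', r'-noni(nteractive)?\b',
            r'-c(ommand)?\b']
# Stage 3, names a reflective Win32 loader has to reference inside the -c string. The
# two .NET helper names are an assumption about such loaders; the rest are from the post.
PAYLOAD_STAGE = ['GetMethod', 'GetDelegateForFunctionPointer', 'VirtualAlloc',
                 'CreateThread', 'WaitForSingleObject', '0xFFFFFFFF']


def score_command_line(cmdline):
    """Return the indicators from each stage found in one logged command line."""
    low = cmdline.lower()
    hits = {
        'cmd': [p for p in CMD_STAGE if re.search(p, low)],
        'powershell': [p for p in PS_STAGE if re.search(p, low)],
        'payload': [m for m in PAYLOAD_STAGE if m.lower() in low],
    }
    # Two or more API markers in a PowerShell command line is the strongest signal:
    # handing a raw address to CreateThread and then waiting on it "forever" is not
    # something an administrator types. Otherwise require the full hidden-window chain.
    ps_host = 'powershell' in low
    hits['suspicious'] = (ps_host and len(hits['payload']) >= 2) or \
                         (ps_host and len(hits['powershell']) >= 3 and bool(hits['cmd']))
    return hits
```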