Hello my friends, I’m starting to write malware. Currently, I’m testing the Process Hollowing technique, so I need a payload to write into the process memory.
So… Shellcode is the hexadecimal representation of the assembly instructions?
Example of a payload (Python): payload = (b"\xdb\xc3\xd9\x74\x24\xf4\xbe\xe8\x5a\x27\x13\x5f\x31\xc9\xb1\x33\x31/.....)
My question is how do I create this payload? Is it possible to transform a .exe file into this HEX format and then inject it into another process? Or can I transform a Python script into this HEX format?
Not gonna lie… I’m very confused about how programmers create payloads in this HEX format… So any help is welcome. Also, I apologize if this is a nooby question… But I could not find answers.
Thanks for the amazing links.
My objective is not to write my own shellcode, but to inject an already existing .exe into memory.
So it appears I have to get the HEX values of the .text section of the PE file… I’m going to start working on this.
MsfVenom can create these payloads… but what I want is to create one for a custom exe… not their ready-made reverse TCP…
If anyone knows any good material on this topic, please post links. These are very cool concepts, but it is hard to find information.
The value of decimal 144 can be represented in different ways depending on the context. If you want its hex value, it is 0x90. If you want the instruction associated with hex 0x90, it is nop. These are just representations of the same thing. When dealing with low level values and instructions like this, hex is the most common and preferred representation.
Creating the payload depends on what kind you want. If you want shellcode, it is usually written in assembly and assembled in the target architectural instruction set like x86 Intel, ARM, or MIPS. Alternatively, shellcode can be compiled from a higher level language like C or C++.
A Windows PE file is an executable file format that is the result of assembled and linked assembly or the compilation of a higher level language. The values that make up the PE file can be (and usually is preferred to be) represented as hex. If you open a PE file in a hex editor, you can see its values represented as hex. Again, hex is just a representation of a value. Since PE files are a specific file format, you need to follow the rules of the file format so that it can run properly. Yes, you can inject it into another process but you need to inject it properly rather than just naively copying it.
This may or may not be correct. If you are attempting to just copy a typical PE file’s .text section into an external process and then execute it, it will not work because there are dependencies. Process hollowing doesn’t require much knowledge of PE file internals but you should know at least the basics to achieve it.
Now I’m going to be blunt. You’re confused because you severely lack the fundamental computer science knowledge that lets you do what you want to do. Understanding the definition of “hex” is computer science 101 so not even knowing that puts you right at the bottom. Take a step back and actually build up your basic knowledge.
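An added example, not from anyone in this thread, that walks the PE headers the reply above describes (DOS header, PE signature, COFF header, optional header, section table) and lists the data directories a loader must process beyond the raw section bytes, which is what the reply means by "dependencies". The input is a constructed minimal PE32+ header blob built in code, not a real program; the directory slots and sizes it carries are assumptions chosen for the demonstration.

```python
import struct

SECTION_FMT = "<8sIIIIIIHHI"               # IMAGE_SECTION_HEADER layout (40 bytes)
DIR_NAMES = {1: "import", 5: "basereloc"}  # data-directory slots checked below

def build_sample_pe():
    """Constructed sample: headers of a tiny PE32+ image with one .text section.
    It is not a runnable program; it only has enough structure for parse_pe()."""
    text = b"\x90\x90\xc3"                   # nop, nop, ret: 0x90 is decimal 144
    e_lfanew, raw_ptr = 64, 0x200
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)
    opt_size = 112 + 16 * 8                  # PE32+ fixed part + 16 directory entries
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)    # Magic = PE32+
    struct.pack_into("<I", opt, 108, 16)     # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * 1, 0x2000, 0x28)  # non-empty import directory
    struct.pack_into("<II", opt, 112 + 8 * 5, 0x3000, 0x10)  # non-empty base-relocation directory
    sect = struct.pack(SECTION_FMT, b".text\0\0\0", len(text), 0x1000, len(text),
                       raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + bytes(opt) + sect
    return headers + b"\0" * (raw_ptr - len(headers)) + text

def parse_pe(data):
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dir_off = opt + (112 if magic == 0x20B else 96)      # PE32+ vs PE32 directory offset
    ndirs = struct.unpack_from("<I", data, dir_off - 4)[0]
    dirs = {name: struct.unpack_from("<II", data, dir_off + 8 * idx)   # (rva, size)
            for idx, name in DIR_NAMES.items() if idx < ndirs}
    sections = {}
    for i in range(nsect):
        f = struct.unpack_from(SECTION_FMT, data, opt + opt_size + 40 * i)
        sections[f[0].rstrip(b"\0").decode()] = {"va": f[2], "raw_size": f[3], "raw_ptr": f[4]}
    return {"machine": machine, "magic": magic, "dirs": dirs, "sections": sections}

def external_dependencies(data):
    """Directories the loader must resolve besides copying bytes: the 'dependencies' the reply mentions."""
    return sorted(name for name, (_, size) in parse_pe(data)["dirs"].items() if size)
```

The same walk applies to a real file opened in a hex editor: the section table tells you where .text lives on disk, and the non-empty directories tell you what a plain byte copy would leave unresolved.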