Analysis of the open source project pe_to_shellcode
Polish researcher Aleksandra Doniec (@hasherezade on Twitter) at Malwarebytes has released the open source pe_to_shellcode project (github.com/hasherezade/pe_to_shellcode), a set of stubs written in x86 assembly language. A stub is itself shellcode; the term "stub" is conventionally used for the shellcode whose job is to load a payload. This open source project is a complete implementation of a lightweight application loader.
In this chapter, we will use the 32-bit version of this project.
In the previous chapter, we detailed that a lightweight application loader would require at least three tasks:
- Allocate new memory and map the target EXE file into it (file mapping).
- Fix the IAT.
- Relocate addresses according to the relocation table.
The first task uses VirtualAlloc to request a block of memory; the second task uses LoadLibraryA to mount the DLL into dynamic memory and GetProcAddress to search for the correct address...
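The third task, applying the relocation table, is the one most often done wrong by hand, so here it is as an added example in portable C (my own code, not taken from pe_to_shellcode). It walks the `.reloc` blocks (`IMAGE_BASE_RELOCATION` header followed by 16-bit type:offset entries), adds the load delta to each HIGHLOW target, and rejects blocks that run past the image; the sample image, the RVAs and the base addresses are constructed for the demonstration.

```c
#include <stdint.h>
#include <string.h>
enum { RELOC_HDR = 8 };              /* sizeof(IMAGE_BASE_RELOCATION): VirtualAddress + SizeOfBlock */
#define IMAGE_REL_BASED_ABSOLUTE 0   /* padding entry, no fixup */
#define IMAGE_REL_BASED_HIGHLOW  3   /* 32-bit absolute address: add the full delta */

/* Little-endian accessors, so the sample bytes mean the same on any host. */
static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> 8 * i); }
/* Apply a .reloc directory to an image laid out with RVA == buffer offset: add delta (actual base
   minus preferred ImageBase) to every HIGHLOW target. Returns fixup count, or -1 on a malformed block. */
int apply_relocations(uint8_t *image, size_t image_size,
                      uint32_t reloc_rva, uint32_t reloc_size, uint32_t delta)
{
    int applied = 0;
    uint32_t pos = reloc_rva, end = reloc_rva + reloc_size;
    if (end < reloc_rva || end > image_size) return -1;            /* overflow or out of image */
    while (pos + RELOC_HDR <= end) {
        uint32_t page = rd32(image + pos), size = rd32(image + pos + 4);
        if (size < RELOC_HDR || pos + size > end) return -1;
        for (uint32_t i = 0; i < (size - RELOC_HDR) / 2; i++) {    /* 16-bit entries follow */
            uint16_t e = rd16(image + pos + RELOC_HDR + 2 * i);
            uint16_t type = e >> 12, off = e & 0x0FFF;
            uint32_t target = page + off;
            if (type == IMAGE_REL_BASED_ABSOLUTE) continue;
            if (type != IMAGE_REL_BASED_HIGHLOW || target + 4 > image_size) return -1;
            wr32(image + target, rd32(image + target) + delta);
            applied++;
        }
        pos += size;
    }
    return applied;
}
/* Constructed sample (not a real PE): one absolute pointer at RVA 0x1010 that assumed the
   preferred ImageBase 0x400000, and a one-block .reloc at RVA 0x1800 describing it. */
uint32_t demo_relocated_pointer(void)
{
    static uint8_t image[0x2000];
    memset(image, 0, sizeof image);
    wr32(image + 0x1010, 0x00401234);                  /* valid only if loaded at 0x400000 */
    const uint8_t block[12] = { 0x00,0x10,0x00,0x00,   /* VirtualAddress = 0x1000 */
                                0x0C,0x00,0x00,0x00,   /* SizeOfBlock = 12 (header + 2 entries) */
                                0x10,0x30,             /* HIGHLOW fixup at 0x1000 + 0x010 */
                                0x00,0x00 };           /* ABSOLUTE padding to 4-byte alignment */
    memcpy(image + 0x1800, block, sizeof block);
    uint32_t delta = 0x10000000u - 0x00400000u;        /* image actually landed at 0x10000000 */
    if (apply_relocations(image, sizeof image, 0x1800, 12, delta) != 1) return 0;
    return rd32(image + 0x1010);                       /* 0x10001234 */
}
```

A 64-bit loader would additionally accept IMAGE_REL_BASED_DIR64 entries and add the delta to an 8-byte target; the 32-bit stubs used in this chapter only need HIGHLOW.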