Beyond EXE: A PoC Exploring Code Execution Flexibility
PoC – EXE or DLL or ShellCode
This is a small PoC demonstrating a single executable (“exe”) file that can be used as an exe, as a DLL, or as shellcode.
Steps
- Create an “exe” which has no imports (imports are not resolved when the file is loaded as a DLL, and nothing at all is resolved when its raw bytes are run as shellcode), no CRT, no /GS stack cookies, etc.
- Embed a shellcode that pops “calc.exe” into “.text” section.
- Create 1 exported function “test” that just executes the embedded shellcode.
- Set the “main” function in exe as an entrypoint.
- Function “main” only executes the exported function “test”.
- Compile the exe as release build.
- Write a polyglot DOS header in nasm: it is a valid DOS header (starts with “MZ”, which also decodes as a harmless pop r10 on x64) and at the same time 64-bit shellcode that jumps to the first exported function of the exe at its raw file offset.
- Compile the polyglot DOS/shellcode header with nasm: nasm.exe -f bin .\polyglot_DOS_shellcode_x64.asm -o .\polyglot_DOS_shellcode_x64.bin
- Replace the first 60 bytes of the compiled EXE (the DOS header up to, but not including, e_lfanew at offset 0x3C, which must stay intact so the PE loader can still find the NT headers) with the compiled polyglot_DOS_shellcode_x64.bin.
This way we should have a valid exe that can also be loaded as a DLL with a callable exported function “test”, and whose raw bytes are also valid shellcode.
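The steps above, worked as an added example in C that is not the PoC's own code: instead of assembling the stub with nasm, this patcher builds the 60-byte polyglot DOS header itself (MZ as pop r10, then a jmp rel32), parses the PE32+ export table to find the raw file offset of the first export, and overwrites only bytes 0x00..0x3B so e_lfanew survives. The sample PE it patches when run without arguments is constructed in memory (a minimal header with one .text section and a single exported “ret”), not a real binary; every name in the block is the example's own.

```c
/* Added example, not the PoC's own code: the nasm step done in C. Builds the
 * 60-byte polyglot DOS header and patches it over a PE32+ file so the raw bytes,
 * run as shellcode, jump to the file offset of the first export (assumed to be
 * loader-independent: no imports, no relocations, references within one section). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STUB_LEN 60   /* bytes 0x00..0x3B; e_lfanew at 0x3C is left untouched */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Map an RVA to a file offset via the section table (nsec 40-byte entries at sec_off). */
static int rva_to_raw(const uint8_t *img, size_t len, uint32_t sec_off, unsigned nsec, uint32_t rva, uint32_t *raw)
{
    for (unsigned i = 0; i < nsec && (size_t)sec_off + 40 * (i + 1) <= len; i++) {
        const uint8_t *s = img + sec_off + 40 * i;
        uint32_t va = rd32(s + 12), rawsz = rd32(s + 16), rawptr = rd32(s + 20);
        if (rva >= va && rva < va + rawsz) { *raw = rawptr + (rva - va); return *raw < len; }
    }
    return 0;
}

/* Return the RVA of AddressOfFunctions[0], i.e. the first exported function. */
static int first_export_rva(const uint8_t *img, size_t len, uint32_t *rva)
{
    if (len < 0x40 || rd16(img) != 0x5A4D) return 0;                       /* "MZ" */
    uint32_t pe = rd32(img + 0x3C);
    if ((size_t)pe + 4 + 20 + 240 > len || rd32(img + pe) != 0x00004550) return 0;   /* "PE\0\0" */
    const uint8_t *coff = img + pe + 4, *opt = coff + 20;
    unsigned nsec = rd16(coff + 2);
    uint32_t sec_off = pe + 4 + 20 + rd16(coff + 16), exp_raw, aof_raw;
    if (rd16(opt) != 0x20B || rd32(opt + 108) < 1) return 0;               /* PE32+ with a data directory */
    uint32_t exp_rva = rd32(opt + 112);                                     /* DataDirectory[EXPORT].VirtualAddress */
    if (!exp_rva || !rva_to_raw(img, len, sec_off, nsec, exp_rva, &exp_raw) || exp_raw + 40 > len) return 0;
    if (rd32(img + exp_raw + 20) == 0) return 0;                            /* NumberOfFunctions */
    if (!rva_to_raw(img, len, sec_off, nsec, rd32(img + exp_raw + 28), &aof_raw) || aof_raw + 4 > len) return 0;
    *rva = rd32(img + aof_raw);
    return 1;
}

/* The stub: "MZ" (4D 5A) decodes on x64 as REX + pop rdx = pop r10, a harmless
 * instruction, so execution may start at byte 0; then jmp rel32 to the target.
 * The Windows loader only reads e_magic and e_lfanew, so the rest can be NOPs. */
static void build_stub(uint8_t *out, uint32_t target_raw)
{
    memset(out, 0x90, STUB_LEN);
    out[0] = 0x4D; out[1] = 0x5A;           /* 'M','Z' == pop r10 */
    out[2] = 0xE9;                           /* jmp rel32; next RIP is offset 7 */
    wr32(out + 3, target_raw - 7);
}

/* Overwrite bytes 0..59 of img with the stub; returns the jump target or 0 on failure. */
static uint32_t patch_polyglot(uint8_t *img, size_t len)
{
    uint32_t rva, raw;
    if (!first_export_rva(img, len, &rva)) return 0;
    uint32_t pe = rd32(img + 0x3C), sec_off = pe + 24 + rd16(img + pe + 20);
    if (!rva_to_raw(img, len, sec_off, rd16(img + pe + 6), rva, &raw)) return 0;
    build_stub(img, raw);
    return raw;
}

/* Constructed sample, not a real binary: minimal PE32+ with one .text section
 * (raw 0x200 -> RVA 0x1000), export directory at RVA 0x1100, one export at
 * RVA 0x1010 = raw 0x210, where a lone "ret" stands in for "test". */
#define SAMPLE_LEN 0x400
static uint8_t g_sample[SAMPLE_LEN];
static void build_sample_pe(uint8_t *img)
{
    memset(img, 0, SAMPLE_LEN);
    img[0] = 'M'; img[1] = 'Z'; wr32(img + 0x3C, 0x40);
    uint8_t *pe = img + 0x40, *coff = pe + 4, *opt = coff + 20, *sec = opt + 240;
    memcpy(pe, "PE\0\0", 4);
    coff[0] = 0x64; coff[1] = 0x86; coff[2] = 1; coff[16] = 240;   /* AMD64, 1 section, SizeOfOptionalHeader */
    opt[0] = 0x0B; opt[1] = 0x02; wr32(opt + 108, 16);             /* PE32+ magic, 16 data directories */
    wr32(opt + 112, 0x1100); wr32(opt + 116, 0x40);                /* export directory RVA / size */
    memcpy(sec, ".text", 5); wr32(sec + 8, 0x200); wr32(sec + 12, 0x1000);
    wr32(sec + 16, 0x200); wr32(sec + 20, 0x200);                  /* SizeOfRawData, PointerToRawData */
    wr32(img + 0x314, 1); wr32(img + 0x31C, 0x1180);               /* NumberOfFunctions, AddressOfFunctions */
    wr32(img + 0x380, 0x1010);                                     /* export[0] RVA */
    img[0x210] = 0xC3;                                             /* "test": ret */
}
/* Build and patch the sample; returns the raw offset the stub jumps to (0x210). */
static uint32_t patch_sample(void) { build_sample_pe(g_sample); return patch_polyglot(g_sample, SAMPLE_LEN); }

int main(int argc, char **argv)
{
    if (argc != 3) { printf("sample: stub jumps to raw offset 0x%x\n", patch_sample()); return 0; }
    FILE *f = fopen(argv[1], "rb"); if (!f) return 1;          /* usage: patcher in.exe out.bin */
    fseek(f, 0, SEEK_END); long n = ftell(f); rewind(f);
    uint8_t *img = n > 0 ? malloc((size_t)n) : NULL;
    if (!img || fread(img, 1, (size_t)n, f) != (size_t)n) return 1;
    uint32_t raw = patch_polyglot(img, (size_t)n);
    if (!raw) { fprintf(stderr, "not a PE32+ image with an export table\n"); return 1; }
    FILE *o = fopen(argv[2], "wb"); if (!o) return 1;
    fwrite(img, 1, (size_t)n, o); fclose(o); fclose(f); free(img);
    printf("stub jumps to raw offset 0x%x\n", raw);
    return 0;
}
```

Run it with no arguments to see the constructed sample patched, or with `in.exe out.bin` to patch a real build; it replaces the same 60 bytes the nasm step replaces. The caveat the shellcode use depends on: nothing is mapped by the loader when the raw file is executed, so the target function must be import-free and position-independent, and any RIP-relative references it makes must stay inside its own section, because raw file offsets and RVAs only keep the same relative distances within one section (FileAlignment and SectionAlignment differ).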
Result
- It can be executed as a normal app.
- It can be loaded as dll and the export function “test” can be invoked.
- It can be run via rundll32.exe.
- It can be executed as shellcode right from the beginning of the DOS (MZ) header, which doubles as the shellcode polyglot stub.