Beyond EXE: A PoC Exploring Code Execution Flexibility

PoC – EXE or DLL or ShellCode

This is just a simple, silly PoC demonstrating an executable “exe” file that can be used as an EXE, as a DLL, or as shellcode.

Steps

  1. Create an “exe” which has no imports (they would not be resolved when the EXE is loaded as a DLL), no CRT, no GS (stack cookies), etc.
  2. Embed a shellcode that pops “calc.exe” into “.text” section.
  3. Create 1 exported function “test” that just executes the embedded shellcode.
  4. Set the “main” function in exe as an entrypoint.
  5. Function “main” only executes the exported func “test”.
  6. Compile the exe as release build.
  7. Create a polyglot DOS header that is still valid but also works as 64-bit shellcode jumping to the first exported func of the exe (raw offset), written in NASM.
  8. Compile the polyglot DOS/SC Header: nasm.exe -f bin .\polyglot_DOS_shellcode_x64.asm -o .\polyglot_DOS_shellcode_x64.bin
  9. Replace the DOS header of the compiled EXE with our compiled polyglot_DOS_shellcode_x64.bin (the first 60 bytes, so e_lfanew at offset 0x3C stays intact).

This way we should have a valid exe that can be loaded as a DLL with a callable exported func “test”, and at the same time a valid piece of shellcode.

Result

  1. It can be executed as a normal app.
  2. It can be loaded as dll and the export function “test” can be invoked.
  3. It can be run via rundll32.exe.
  4. It can be executed as shellcode right from the beginning of the DOS (MZ) header, which doubles as the shellcode polyglot stub.
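From a defender's side, the interesting property of this PoC is that it is all visible statically: the first 60 bytes of the DOS header are no longer the stock MS linker stub, the file has an export table without the IMAGE_FILE_DLL characteristic, and it has no import table at all. The script below is an added example, not code from this PoC, that parses the IMAGE_DOS_HEADER and the COFF/optional headers and reports those anomalies. The "linker default" values are the constants the Microsoft linker writes into every DOS header (`e_cblp=0x90`, `e_cp=3`, `e_cparhdr=4`, `e_maxalloc=0xFFFF`, `e_sp=0xB8`, `e_lfarlc=0x40`); other toolchains and packers may differ, so treat deviations as a signal to triage rather than a verdict. The sample PE headers are constructed inline with filler words (`0x4142`) standing in for non-stock header bytes; they are header skeletons only, not the PoC's polyglot stub and not runnable programs.

```python
"""Static triage of PE headers for the EXE/DLL/shellcode polyglot shape.
Added example (not part of the PoC); sample headers are constructed below."""
import struct

DOS_FMT = "<2s13H4H2H10HI"           # 64-byte IMAGE_DOS_HEADER
DOS_SIZE = struct.calcsize(DOS_FMT)   # 64
FIELD_NAMES = ["e_magic", "e_cblp", "e_cp", "e_crlc", "e_cparhdr", "e_minalloc",
               "e_maxalloc", "e_ss", "e_sp", "e_csum", "e_ip", "e_cs",
               "e_lfarlc", "e_ovno"]
# Values the Microsoft linker writes into the DOS header of every PE it emits.
LINKER_DEFAULTS = {"e_cblp": 0x90, "e_cp": 3, "e_cparhdr": 4,
                   "e_maxalloc": 0xFFFF, "e_sp": 0xB8, "e_lfarlc": 0x40}
IMAGE_FILE_DLL = 0x2000


def parse_dos_header(data):
    """Unpack IMAGE_DOS_HEADER into a dict keyed by the SDK field names."""
    vals = struct.unpack_from(DOS_FMT, data, 0)
    hdr = dict(zip(FIELD_NAMES, vals[:14]))
    hdr["e_res"] = vals[14:18]
    hdr["e_oemid"], hdr["e_oeminfo"] = vals[18:20]
    hdr["e_res2"] = vals[20:30]
    hdr["e_lfanew"] = vals[30]
    return hdr


def dos_header_findings(data):
    """Anomalies in the DOS header; an empty list means it looks like the stock stub."""
    hdr = parse_dos_header(data)
    if hdr["e_magic"] != b"MZ":
        return ["not a PE: missing MZ signature"]
    findings = [f"{name}=0x{hdr[name]:X} (linker default 0x{exp:X})"
                for name, exp in LINKER_DEFAULTS.items() if hdr[name] != exp]
    if any(hdr["e_res"]) or any(hdr["e_res2"]) or hdr["e_oemid"] or hdr["e_oeminfo"]:
        findings.append("reserved DOS header fields are non-zero")
    nt = hdr["e_lfanew"]
    if not (DOS_SIZE <= nt <= len(data) - 4) or data[nt:nt + 4] != b"PE\0\0":
        findings.append("e_lfanew does not point at a PE signature")
    return findings


def pe_shape(data):
    """Minimal COFF/optional-header walk: DLL flag, export and import directories."""
    nt = parse_dos_header(data)["e_lfanew"]
    characteristics, = struct.unpack_from("<H", data, nt + 22)   # COFF Characteristics
    opt = nt + 24                                               # optional header start
    magic, = struct.unpack_from("<H", data, opt)
    dir_off = opt + (112 if magic == 0x20B else 96)             # PE32+ vs PE32 directories
    _, export_size, _, import_size = struct.unpack_from("<4I", data, dir_off)
    return {"is_dll": bool(characteristics & IMAGE_FILE_DLL),
            "has_exports": export_size > 0, "has_imports": import_size > 0}


def assess(data):
    """Combine DOS header anomalies with the import/export layout checks."""
    findings = dos_header_findings(data)
    if any("MZ" in f or "e_lfanew" in f for f in findings):
        return findings                       # cannot trust the NT headers, stop here
    shape = pe_shape(data)
    if shape["has_exports"] and not shape["is_dll"]:
        findings.append("EXE (no IMAGE_FILE_DLL) carries an export table")
    if not shape["has_imports"]:
        findings.append("no import table at all")
    return findings


# Constructed sample headers (header skeletons only, not runnable programs).
STOCK_DOS_WORDS = [0x90, 3, 0, 4, 0, 0xFFFF, 0, 0xB8, 0, 0, 0, 0x40, 0] + [0] * 16


def build_sample_pe(dos_words=STOCK_DOS_WORDS, characteristics=0x22,
                    exports=False, imports=True):
    """64-bit PE header skeleton: DOS header, PE signature, COFF and optional header."""
    dos = struct.pack(DOS_FMT, b"MZ", *dos_words, DOS_SIZE)   # NT headers at 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, characteristics)
    opt = bytearray(240)                                      # PE32+ optional header
    struct.pack_into("<H", opt, 0, 0x20B)                     # Magic = PE32+
    struct.pack_into("<I", opt, 108, 16)                      # NumberOfRvaAndSizes
    if exports:
        struct.pack_into("<II", opt, 112, 0x3000, 0x40)       # export directory RVA/size
    if imports:
        struct.pack_into("<II", opt, 120, 0x4000, 0x80)       # import directory RVA/size
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # 0x4142 filler words stand in for a rewritten, non-stock DOS header.
    polyglot_like = build_sample_pe(dos_words=[0x4142] * 29, exports=True, imports=False)
    for line in assess(polyglot_like):
        print("-", line)
```

Running the script prints the findings for the constructed polyglot-like header; a stock EXE or a normal DLL produces none. The same checks are easy to lift into a YARA rule or a sandbox pre-filter, since they only need the first few hundred bytes of the file.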

Download